CN102088379B - Detecting method and device of client honeypot webpage malicious code based on sandboxing technology - Google Patents


Info

Publication number: CN102088379B
Authority: CN (China)
Prior art keywords: client, monitoring, module, virtual machine, service end
Legal status: Expired - Fee Related
Application number: CN 201110025474
Other languages: Chinese (zh)
Other versions: CN102088379A (en)
Inventors: 张冬梅, 闫丹凤, 王鲁华, 舒敏, 周春燕, 钟金鑫, 邓明
Current assignees: Beijing University of Posts and Telecommunications; National Computer Network and Information Security Management Center
Original assignees: Beijing University of Posts and Telecommunications; National Computer Network and Information Security Management Center
Application filed by Beijing University of Posts and Telecommunications and National Computer Network and Information Security Management Center
Priority to CN 201110025474; published as CN102088379A; application granted and published as CN102088379B

Abstract

The invention provides a method and a device for detecting webpage malicious code with a client honeypot based on sandboxing technology. The device comprises a service end unit, a client-side management unit and a detecting unit; while the browser interacts in real time with a web server, the device detects webpage malicious code by monitoring changes in the browser's behaviour. The detection method comprises the following steps: the service end unit first receives the detection parameters from a human-machine interface and starts the virtual machine application; after the virtual machine software has started the virtual machine, the client-side management unit establishes communication between the PC on which the service end unit resides and the virtual machine, and the browser is opened to browse the specified webpage; the detecting unit monitors the whole browsing process, the client-side management unit evaluates the monitoring data, and the service end unit displays the evaluation result through the human-machine interface. Compared with the prior art, the method and device can accurately detect and discover malicious code present in webpages and improve the efficiency of webpage malicious code detection.

Description

Client honeypot webpage malicious code detecting method and device based on sandbox technology
Technical field
The present invention relates to a method and device for detecting webpage malicious code, and more precisely to a client honeypot webpage malicious code detecting method and device based on sandbox technology. It belongs to the technical field of web application security detection and combines sandbox technology, system call monitoring and honeypot techniques.
Background technology
With the rapid development of Internet technology, web applications have gradually become the centre of online information exchange. The accompanying problem is that security incidents involving web applications are becoming more and more numerous, and the security situation is increasingly urgent. Webpage Trojans are currently one of the most common forms of Trojan propagation: large numbers of webpage malicious codes of every kind flood computer networks and spread at considerable speed. As web applications deepen and more and more activity moves onto the network, this seriously disrupts normal use of the network, and the various webpage malicious codes hidden in the network have become a major threat to network information security. How to identify webpage malicious code has therefore become a focal issue to which the industry pays special attention.
Webpage malicious code is a section of malicious code that an attacker inserts into a normal webpage; when a browser opens the webpage, this code is executed along with it and then downloads and runs a malicious program, threatening the security of the viewer's PC host. Alternatively, deceptive images are placed in the webpage to trick the user into opening, and thereby downloading, a Trojan program, or fraudulent links are placed to lure the user to a malicious web server that the attacker has prepared in advance.
At present there are mainly two kinds of methods for detecting webpage malicious code:
Static analysis does not run the webpage code; it uses an analysis engine to analyse the static features and functional modules of the code. It is centred on the webpage code and judges only the code itself, independently of the code's behaviour. Static analysis derives the features of all possible executions from the code content and matches them against an established database of malicious features. Because comparison against predefined malicious features is a form of misuse detection, a huge database has to be built and regularly updated and maintained. This method cannot detect unknown malicious code, and it is often at a loss when faced with encrypted malicious scripts. Static analysis may also yield a large amount of redundant information, and the analysis results are easily confused with the redundant information obtained from code analysis, so the false alarm rate is high. Nevertheless, the static method is still the most mature and trusted webpage malicious code detection technology at present; it is adopted by most antivirus software and integrated into a wide variety of products.
Dynamic analysis opens the malicious webpage in a controlled running environment, monitors the behaviour and state changes after the code executes, and then analyses the various data gathered during the visit. This method decides whether webpage malicious code is present from the behaviour observed while the webpage runs; it can actively detect various kinds of hidden malicious code and discover dangerous behaviour in time. Although dynamic analysis cannot prove that the code necessarily satisfies some specific property, it can detect abnormal properties shown while the webpage code runs and can also provide various information related to the abnormal behaviour. Because this method has to run the webpage malicious code in real time in a simulated environment, it poses a larger threat to the security of the system, and detection takes a lot of time.
Honeypots are a new frontier of network information security research. A honeypot is an active defence system, different from firewalls and intrusion detection systems, that further improves and complements existing security techniques. A honeypot is a system designed to be deliberately flawed: it constructs a virtual environment for itself, uses a simulated operating system, or deliberately exposes various vulnerabilities and weaknesses of a real operating system and its applications in the network, so as to proactively lure network attackers into an environment with obvious security holes; it then monitors their various actions and records intrusion techniques, intrusion tools and so on.
Traditional honeypots are all built on the server side, and such honeypots cannot detect abnormal behaviour on the user side. A client honeypot, by contrast, proactively interacts with malicious servers and obtains their behavioural information in real time, thereby distinguishing normal servers from malicious ones. Client honeypots are further divided into low-interaction and high-interaction types. A low-interaction client honeypot uses a simulated client rather than real client software to interact with the server, and usually judges whether a server is benign or malicious by simple static analysis. A high-interaction honeypot uses client software on a real operating system to interact with the server. The client software processes whatever data the server returns; if an attack is included, the attack code is executed as well, and the change in system state after the attack is then analysed to judge whether the server is malicious.
System calls are the functional interface between application programs in user space and the operating system kernel in kernel space. One purpose is to separate user programs from the kernel program so that the kernel and user programs run at privilege levels ring0 and ring3 respectively, separating the program space and data stack space and thereby protecting the kernel. The second purpose is to provide the user, through the kernel program, with functions such as device control, file system and process control, communication and storage management, so that the user need not understand the internal structure of the system program or the related hardware details; this lightens the user's burden, protects the system and improves resource utilisation.
In recent years, malware authors have studied the Windows system in depth, and the techniques they use are increasingly advanced. Modifying the System Services Descriptor Table (SSDT) is one advanced technique that current malicious code uses. By modifying the SSDT of the Windows system, malware can easily escape being hunted down and removed by antivirus or anti-malware software, and can even monitor the behaviour of the antivirus software. The SSDT is the link between the Win32 application programming interface (API) of user space (ring3) and the kernel API of the kernel program space (ring0). The x86 architecture provides four privilege levels (rings 0, 1, 2 and 3), of which Windows uses only two: ring 0 and ring 3. For security reasons, different processes in the Windows system run at the ring0 or ring3 level according to their authority; when an ordinary application running in ring3 needs to use a core system function, it must do so by calling the corresponding function provided by the kernel program running at ring0.
The SSDT can be indexed by the system call number to obtain the memory address of the corresponding function. The SSDT sits at a critical position linking the inside and outside of the system, and it gives malware an effective means of taking control of every class of operation. The SSDT contains a huge function address index table and some other useful information (such as the base address of the index, the number of service functions, and so on). The SSDT is a data structure that ntoskrnl.exe loads at a constant offset in memory; malware can modify the entry addresses of the kernel service functions recorded in the SSDT and thereby divert the code executed when the specified service function is called into the malware's own code area. After malware has modified the SSDT, ordinary software runs under its surveillance, and even antivirus software can be controlled by it.
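As an added illustration (not part of the patent), a user-space C model of the SSDT index lookup just described and of the integrity check an SSDT monitoring module makes: a baseline snapshot taken before the browser is opened is compared with the live table, and any entry that changed or points outside the ntoskrnl image range is reported. The table, the image range, the entries and all function names are constructed for the example; a real monitor runs as a kernel driver.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the service descriptor table: service routine addresses indexed
 * by system call number. Addresses are plain integers, not function pointers. */
typedef struct {
    const uintptr_t *service_table;
    uint32_t number_of_services;
} ssdt_t;

/* Address range of the kernel image (ntoskrnl.exe); every genuine entry of
 * the SSDT points into it. The values used below are constructed. */
typedef struct {
    uintptr_t image_base;
    uintptr_t image_size;
} kernel_image_t;

/* One finding, shaped like the data the patent's event processing module
 * forwards: changed index, old and new target, and an out-of-image flag. */
typedef struct {
    uint32_t index;
    uintptr_t baseline_target;
    uintptr_t current_target;
    int outside_kernel_image;
} ssdt_finding_t;

/* Resolve a system call number to its service routine address; returns 0
 * when the number is out of range. */
uintptr_t ssdt_lookup(const ssdt_t *ssdt, uint32_t syscall_number)
{
    if (syscall_number >= ssdt->number_of_services)
        return 0;
    return ssdt->service_table[syscall_number];
}

/* Record the baseline the monitor takes before the browser is opened.
 * Returns the number of entries copied. */
uint32_t ssdt_snapshot(const ssdt_t *ssdt, uintptr_t *baseline, uint32_t cap)
{
    uint32_t n = ssdt->number_of_services < cap ? ssdt->number_of_services : cap;
    memcpy(baseline, ssdt->service_table, n * sizeof(uintptr_t));
    return n;
}

static int in_image(const kernel_image_t *k, uintptr_t target)
{
    return target >= k->image_base && target < k->image_base + k->image_size;
}

/* Compare the live table with the baseline and the kernel image range. Entries
 * that differ from the baseline or point outside the image are reported;
 * returns the number of findings written (at most cap). */
uint32_t ssdt_check(const ssdt_t *live, const uintptr_t *baseline,
                    const kernel_image_t *k, ssdt_finding_t *out, uint32_t cap)
{
    uint32_t found = 0;
    for (uint32_t i = 0; i < live->number_of_services && found < cap; i++) {
        uintptr_t cur = live->service_table[i];
        int outside = !in_image(k, cur);
        if (cur == baseline[i] && !outside)
            continue;
        out[found].index = i;
        out[found].baseline_target = baseline[i];
        out[found].current_target = cur;
        out[found].outside_kernel_image = outside;
        found++;
    }
    return found;
}

/* Constructed scenario: four entries inside a constructed image range. After the
 * baseline is taken, one entry is redirected outside the image (as a malicious
 * SSDT modification does) and another is swapped to a different in-image
 * routine. Returns the number of findings. */
uint32_t demo_ssdt_monitor(void)
{
    uintptr_t table[4] = {0x80501000u, 0x80502000u, 0x80503000u, 0x80504000u};
    ssdt_t ssdt = { table, 4 };
    kernel_image_t ntoskrnl = { 0x80400000u, 0x00200000u };
    uintptr_t baseline[4];
    ssdt_finding_t findings[4];

    ssdt_snapshot(&ssdt, baseline, 4);
    table[2] = 0xF7A01000u;   /* now points outside the kernel image */
    table[0] = 0x80509000u;   /* changed, but still inside the image */

    uint32_t n = ssdt_check(&ssdt, baseline, &ntoskrnl, findings, 4);
    for (uint32_t i = 0; i < n; i++)
        printf("SSDT[%u]: %#lx -> %#lx%s\n", findings[i].index,
               (unsigned long)findings[i].baseline_target,
               (unsigned long)findings[i].current_target,
               findings[i].outside_kernel_image ? " (outside ntoskrnl)" : "");
    return n;
}

int main(void)
{
    return demo_ssdt_monitor() == 2 ? 0 : 1;
}
```

An entry that changed but still points into ntoskrnl is reported too, because the baseline comparison catches redirections that a pure range check would miss.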
Sandboxing (SandBox) is a novel technique for handling malicious code. It provides a running space for possibly unsafe code: through virtualisation it supplies an operating space similar to the real environment, or directly provides a mirror image of an actually running browser, and it lets programs from the network run freely in that space. If the behaviour during execution shows that the running program is a virus or malicious program, then, after its features have been identified, the system performs a rollback that returns everything to the state before the program ran. In other words, however the virus or malicious program runs, it cannot damage or threaten the real system. The characteristic of sandbox technology is that it discovers suspicious behaviour yet lets the program continue running, stopping it only when it is confirmed as a virus.
Summary of the invention
In view of this, the purpose of the present invention is to provide a client honeypot webpage malicious code detecting method and device based on sandbox technology. The invention uses a client honeypot that opens a browser in a real operating system to visit web servers in the network, and detects webpage malicious code by monitoring certain abnormal changes in the system. On the one hand, the host system is isolated from the user interaction, which strengthens the security of detection; on the other hand, because the interaction between browser and web server takes place in a real environment, the detection efficiency for webpage malicious code is greatly improved.
To achieve the above purpose, the invention provides a client honeypot webpage malicious code detecting device based on sandbox technology, characterised in that the device consists of a service end unit, a client-side management unit and a detecting unit distributed over two different PC hosts in the same local area network (LAN). The service end unit is located on the server; the client-side management unit and the detecting unit are located in a virtual machine on the client. The server controls the client's information exchange with web servers on the Internet, so as to guarantee detection accuracy and to avoid the whole device being paralysed because the server is intruded upon by webpage malicious code; moreover, the server can control a plurality of virtual machines on the client interacting with web servers at the same time, which improves the detection efficiency for webpage malicious code. Wherein:
The service end unit is used to configure the detection parameters, issue uniform resource locators (URLs), and process and display the detection results. It is provided with a detection configuration module, a service end management and control module, an interface module and a result processing module. The functions of these modules are:
The interface module accepts the configured detection parameters and detection requests and passes them to the detection configuration module; it forwards the obtained URLs to be detected to the service end management and control module, and hands the detection classification results to the terminal for display;
The detection configuration module is responsible for setting the IP address, the absolute path of the virtual machine file, and the login name and password of the virtual machine, and, after initialising these parameters, sends all of this information to the service end management and control module;
The service end management and control module is responsible for receiving the information from the interface module and the detection configuration module, communicating interactively with the client-side management unit, opening and closing the virtual machine software, issuing the list of URLs to scan, and submitting the detection results to the result processing module;
The result processing module collects the detection results, analyses the type of webpage malicious code, and sends the suspicious information and the behaviour classification results to the interface module;
The client-side management unit accepts the instructions of the service end unit, opens and closes the browser to access the configured web servers, monitors the state changes of the client honeypot system, and provides the interface for communicating with the service end unit. It is provided with a client management and control module and a data analysis module. The functions of these two modules are:
The client management and control module receives the service end unit's instructions to open and close the browser, regulates the parallel operation of a plurality of browsers or of several browser types, sends the data analysis initialisation directive to the data analysis module, sends the detection trigger processing signal to the detecting unit, and returns the screened suspicious behaviour results to the service end unit;
The data analysis module collects the various trigger events, analyses and processes them, and monitors changes in the virtual machine state; it returns the screening results comprising suspicious information and behaviour to the client management and control module. The trigger events are changes in the monitored data, comprising modification of the system service dispatch table, file reads and writes, process creation and exit, and the various changes corresponding to packets entering and leaving the network ports;
The detecting unit is provided with an event processing module and various monitoring modules comprising SSDT monitoring, file monitoring, network monitoring, process monitoring and registry monitoring; it collects and processes the various data and performs kernel-level SSDT monitoring, file monitoring, network monitoring, process monitoring and registry monitoring.
To achieve the above purpose, the invention also provides a detection method for the client honeypot webpage malicious code detecting device based on sandbox technology, characterised in that the method comprises the following operating steps:
(1) The service end unit receives input from the human-computer interaction interface, completes the configuration of the detection parameters and the URL settings, and saves the configuration data as a file;
(2) The service end unit configures the installation path of the virtual machine software, opens the virtual machine application, transfers control instructions to the virtual machine interface, logs into the system in the virtual machine with the user login name and password, and restarts the client-side management unit and the detecting unit in the virtual machine;
(3) The client-side management unit establishes communication between the virtual machine in which it resides and the PC host on which the service end unit resides: the PC host of the service end unit sends data to the virtual machine with the ping command, the client-side management unit in the virtual machine replies, liveness is confirmed and the interaction is established;
(4) The virtual machine of the client-side management unit opens the browser to browse the configured webpages; the detecting unit monitors the whole browsing process in real time and returns the detection data to the client-side management unit;
(5) The client-side management unit analyses and assesses the monitored data and sends the result to the service end unit, which displays the assessment result on the human-computer interaction interface.
The advantages of the invention are as follows. The device is based on a virtual machine, so it separates the host and the client not only logically but also physically, which greatly improves the security of the host; after a webpage Trojan attack, the system can be restored to a clean state in a very short time, avoiding the situation where infection of the host system by webpage malicious code paralyses the whole device, and improving detection efficiency. The technical scheme of the invention monitors the behaviour of the browser from the kernel level, which greatly improves the accuracy of webpage malicious code detection. The invention is based on sandbox technology and makes full use of the latest sandbox research to detect webpage Trojans; compared with common static matching, it needs no huge rule base to be built and maintained, avoiding laborious database updating and maintenance. The invention monitors the interaction between the browser and the web server in real time from the SSDT, file, network, process and registry perspectives, which solves the problem that static analysis cannot detect encrypted scripts and allows the malicious code in a webpage to be detected more completely. The invention adopts both anomaly detection and misuse detection, so it can detect unknown types of webpage Trojan and greatly improves the accuracy of webpage Trojan detection. The invention also greatly improves the security of the host, which can be restored to a clean state in a very short time after a webpage Trojan attack.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the client honeypot webpage malicious code detecting device based on sandbox technology according to the invention.
Fig. 2 is a schematic diagram of the network deployment of the client honeypot webpage malicious code detecting device based on sandbox technology according to the invention.
Fig. 3 is a flow chart of the detection method of the client honeypot webpage malicious code detecting device based on sandbox technology according to the invention.
Embodiment
To make the purpose, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.
Referring to Fig. 1, the structure of the client honeypot webpage malicious code detecting device based on sandbox technology according to the invention is introduced. It has three parts: a service end unit, a client-side management unit and a detecting unit.
The service end unit is used to configure the detection parameters, issue uniform resource locators (URLs), and process and display the detection results. It is provided with a detection configuration module, a service end management and control module, an interface module and a result processing module. The functions of these modules are respectively:
The interface module accepts the configured detection parameters and detection requests and passes them to the detection configuration module; it forwards the obtained URLs to be detected to the service end management and control module, and hands the detection classification results to the terminal for display;
The detection configuration module is responsible for setting the IP address, the absolute path of the virtual machine file, and the login name and password of the virtual machine, and, after initialising these parameters, sends all of this information to the service end management and control module;
The service end management and control module is responsible for receiving the information from the interface module and the detection configuration module, communicating interactively with the client-side management unit, opening and closing the virtual machine software, issuing the list of URLs to scan, and submitting the detection results to the result processing module;
The result processing module collects the detection results, analyses the type of webpage malicious code, and sends the suspicious information and the behaviour classification results to the interface module.
The client-side management unit accepts the instructions of the service end unit, opens and closes the browser to access the configured web servers, monitors the state changes of the client honeypot system, and provides the interface for communicating with the service end unit. It is provided with a client management and control module and a data analysis module, whose functions are respectively:
The client management and control module receives the service end unit's instructions to open and close the browser, regulates the parallel operation of a plurality of browsers or of several browser types, sends the data analysis initialisation directive to the data analysis module, sends the detection trigger processing signal to the detecting unit, and returns the screened suspicious behaviour results to the service end unit.
The data analysis module collects the various trigger events, analyses and processes them, and monitors changes in the virtual machine state; it returns the screening results comprising suspicious information and behaviour to the client management and control module. The trigger events are changes in the monitored data, comprising modification of the system service dispatch table, file reads and writes, process creation and exit, and the various changes corresponding to packets entering and leaving the network ports.
The detecting unit is provided with an event processing module and various monitoring modules comprising SSDT monitoring, file monitoring, network monitoring, process monitoring and registry monitoring; it collects and processes the various data and performs kernel-level SSDT monitoring, file monitoring, network monitoring, process monitoring and registry monitoring. The functions of its modules are respectively:
The event processing module is responsible for scheduling each monitoring module and processing the various trigger events, and sends to the client unit data comprising the trigger event ID, the ID of the originating module, the changed content and the event content;
The System Services Descriptor Table (SSDT) monitoring module monitors, after the browser has been opened, changes in the system service call table, records suspicious modification actions, and sends the relevant information to the event processing module;
The file monitoring module is responsible for monitoring the various operations on files, including file deletion, recording suspicious read and write events, and sending the relevant information to the event processing module;
The network monitoring module monitors suspicious events on the network ports, assesses suspicious packets, and sends the relevant information to the event processing module;
The process monitoring module monitors process creation and termination events, records the suspicious behaviour among them, and sends the relevant information to the event processing module;
The registry monitoring module monitors modification operations on the registry, records suspicious information, and sends the relevant information to the event processing module.
Referring to Fig. 2, the deployment of the device in the network is introduced. The service end unit, client-side management unit and detecting unit of the client honeypot webpage malicious code detecting device based on sandbox technology are placed on two different PC hosts in the same local area network (LAN): the service end unit is located on the server, while the client-side management unit and detecting unit are located in a virtual machine on the client, so that the server controls the client's information exchange with web servers on the Internet. The purpose of this arrangement is that physically isolating the service end unit from the client-side management unit better guarantees the security of the service end and avoids the whole device being paralysed because the service end is attacked by webpage malicious code. It also makes the invention virtual-machine based, so that the service end unit can control a plurality of client virtual machines interacting with web servers at the same time, which greatly improves detection efficiency and better guarantees detection accuracy.
In addition, to save on equipment investment or in certain specific situations, the service end unit, client-side management unit and detecting unit of the device may also be placed on the same PC host. In that case, to achieve physical and logical isolation between the service end and the client, the service end unit resides on the PC host while the client-side management unit and detecting unit reside in the virtual machine.
Referring to Fig. 3, the concrete operating steps of the detection method of the client honeypot webpage malicious code detecting device based on sandbox technology are introduced:
Step 1: the service end unit receives input from the human-computer interaction interface, completes the configuration of the detection parameters and the URL settings, and saves the configuration data as a file. The detection parameters to be configured comprise: the IP address of the PC host on which the virtual machine resides and the IP address of the virtual machine, the absolute path of the virtual machine file on that PC host, and the user login name and password of the virtual machine. The URL settings comprise: the list of URLs to be detected and the browser model (IE, Firefox, Opera) chosen to access the URLs.
Step 2: the service end unit configures the installation path of the virtual machine software, opens the virtual machine application, transfers control instructions to the virtual machine interface, logs into the system in the virtual machine with the user login name and password, and restarts the client-side management unit and the detecting unit in the virtual machine.
Step 3: the client-side management unit establishes communication between the virtual machine in which it resides and the PC host on which the service end unit resides: the PC host of the service end unit sends data to the virtual machine with the ping command, the client-side management unit in the virtual machine replies, liveness is confirmed and the interaction is established.
Step 4: control instructions are transferred through the virtual machine interface to the logged-in virtual machine system, the browser type specified by the user is opened and the named webpages are browsed; the detecting unit monitors the whole browsing process in real time and returns the detection data to the client-side management unit. This step comprises the following operations:
(41) The client-side management unit instructs the virtual machine, according to the monitoring parameters, to open the browser of the specified type;
(42) The browser browses the configured webpages according to the URL list and the monitoring parameters;
(43) The detecting unit monitors the whole browsing process in real time by SSDT monitoring, file monitoring, registry monitoring, process monitoring and network monitoring, and returns the detection data to the client-side management unit. The monitoring procedure of the SSDT monitoring module is as follows: hook the SSDT; define the monitored objects; initialise the kernel-mode monitoring parameters, including processing the normal behaviour pattern base; open the user-mode interface; intercept system calls; when a defined object is hit, record the behaviour path executed by the browser; compare the behaviour path with the normal behaviour pattern base; terminate the system call function and leave the malicious website.
Step 5, the client-side management unit to monitor data analyze with assess after, send to the service end unit, in order to show assessment result at human-computer interaction interface.In this step, the content of operation that the client-side management unit is carried out is as follows: first monitor data is carried out the examination of suspicious information and behavior, to screening information and the behavior suspicious degree classification of carrying out the webpage malicious code out, again classification results is passed to human-computer interaction interface service end unit, show assessment result by the latter at human-computer interaction interface.
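Added example, not the patent's own code: a pure-Python model of the client-side management unit's screening and classification in step 5, fed with trigger events of the form the event processing module emits (trigger event ID, module ID, changed content, event content), plus the behaviour-path recording of step (43); claims 4 to 8 restate the same procedure. The pattern base contents, the suspicion weights, the path and port values and the sample events are constructed assumptions; the real SSDT hook runs in the kernel and is represented here only by the recorded behaviour path.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One trigger event as the event processing module hands it to the client
# unit: trigger event ID, originating module ID, changed content, event content.
@dataclass(frozen=True)
class TriggerEvent:
    event_id: int
    module_id: str   # "ssdt" | "file" | "registry" | "process" | "network"
    changed: str     # what changed: syscall name, file path, registry key, ...
    content: str     # event detail: operation, direction, owning process, ...

# Normal-behaviour pattern base (assumed contents, constructed for this demo):
# what an ordinary browsing session is expected to produce per monitor.
NORMAL_PATTERN_BASE: Dict[str, set] = {
    "ssdt": {"NtOpenFile", "NtReadFile", "NtWriteFile", "NtQueryValueKey",
             "NtDeviceIoControlFile"},                 # browser syscall path
    "file": {r"C:\Users\honey\AppData\Local\Temp",     # browser cache / temp
             r"C:\Users\honey\AppData\Local\Browser"},
    "registry": {r"HKCU\Software\Browser"},            # browser's own keys
    "process": {"browser.exe"},                        # only the browser itself
    "network": {"80", "443"},                          # plain web traffic
}

# Suspicion degree per deviation (assumed weights): 0 normal, 1 low,
# 2 medium, 3 high. Step 5 classifies screened-out events by this degree.
LABELS = {0: "normal", 1: "low", 2: "medium", 3: "high"}

def screen_event(ev: TriggerEvent) -> int:
    """Screen one event against the pattern base; return its suspicion degree."""
    base = NORMAL_PATTERN_BASE[ev.module_id]
    if ev.module_id == "ssdt":
        if ev.changed.startswith("SSDT["):     # the service table itself rewritten
            return 3
        return 0 if ev.changed in base else 1   # syscall outside the browser's path
    if ev.module_id == "file":
        if any(ev.changed.startswith(p) for p in base):
            return 0
        return 3 if ev.changed.lower().endswith((".exe", ".dll")) else 2
    if ev.module_id == "registry":
        if any(ev.changed.startswith(p) for p in base):
            return 0
        return 3 if "CurrentVersion\\Run" in ev.changed else 2
    if ev.module_id == "process":
        return 0 if ev.changed in base else (3 if ev.content == "create" else 1)
    if ev.module_id == "network":
        port = ev.changed.rsplit(":", 1)[-1]
        return 0 if port in base else 2
    raise ValueError(f"unknown module id {ev.module_id!r}")

def assess_session(events: List[TriggerEvent]) -> Dict[str, object]:
    """Step 5: screen the monitoring data, classify by degree, and build the
    report the client-side management unit passes to the service end unit."""
    screened: List[Tuple[TriggerEvent, int]] = []
    behaviour_path: List[str] = []
    for ev in events:
        if ev.module_id == "ssdt" and not ev.changed.startswith("SSDT["):
            behaviour_path.append(ev.changed)   # step (43): record the path
        degree = screen_event(ev)
        if degree > 0:
            screened.append((ev, degree))
    top = max((d for _, d in screened), default=0)
    return {
        "verdict": LABELS[top],
        "max_degree": top,
        "behaviour_path": behaviour_path,
        "suspicious": [(ev.event_id, ev.module_id, LABELS[d]) for ev, d in screened],
        "by_degree": {LABELS[d]: sum(1 for _, x in screened if x == d) for d in (1, 2, 3)},
    }

# Constructed sample session: a normal page load, then monitors report a dropped
# executable, a run-key change, a new process and an unexpected outbound port.
SAMPLE_EVENTS = [
    TriggerEvent(1, "ssdt", "NtOpenFile", "browser.exe"),
    TriggerEvent(2, "network", "203.0.113.10:443", "out"),
    TriggerEvent(3, "file", r"C:\Users\honey\AppData\Local\Temp\page.htm", "write"),
    TriggerEvent(4, "ssdt", "NtSetValueKey", "browser.exe"),
    TriggerEvent(5, "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "set"),
    TriggerEvent(6, "file", r"C:\Windows\Temp\upd.exe", "write"),
    TriggerEvent(7, "process", "upd.exe", "create"),
    TriggerEvent(8, "network", "203.0.113.10:8080", "out"),
]

if __name__ == "__main__":
    print(assess_session(SAMPLE_EVENTS))
```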
The above only is preferred embodiment of the present invention, and is in order to limit the present invention, within the spirit and principles in the present invention not all, any modification of making, is equal to replacement, improvement etc., all should be included within the scope of protection of the invention.

Claims (8)

1. A client honeypot webpage malicious code detecting device based on sandbox technology, characterized in that: the device consists of a service end unit, a client-side management unit and a detecting unit, distributed over two different PC hosts in the same local area network (LAN); the service end unit is located on the server, and the client-side management unit and the detecting unit are located in a virtual machine on the client; the server exchanges information with web servers on the Internet by controlling the client, which guarantees detection accuracy and prevents the device from being paralysed by a webpage malicious code intrusion of the server, and the server can control multiple virtual machines on the client to interact with web servers simultaneously, improving the detection efficiency for webpage malicious code; wherein,
the service end unit is used to configure the detection parameters, issue uniform resource locators (URLs), and process and display the detection results; it is provided with a detection configuration module, a service end management and control module, an interface module and a result processing module, whose functions are:
the interface module is used to accept the configured detection parameters and detection requests and send them to the detection configuration module; it also sends the obtained URLs to be detected to the service end management and control module, and passes the detection classification result to the terminal for display;
the detection configuration module is responsible for setting the IP addresses, the absolute path of the virtual machine file, and the login name and password of the virtual machine, and, after initializing these parameters, sends all of this information to the service end management and control module;
the service end management and control module is responsible for receiving the information from the interface module and the detection configuration module, communicating interactively with the client-side management unit, opening and closing the virtual machine software, issuing the URL list to scan, and submitting the detection results to the result processing module;
the result processing module is used to collect the detection results, analyse the type of webpage malicious code, and send the classification result of suspicious information and behaviour to the interface module;
the client-side management unit is used to accept instructions from the service end unit, open and close the browser that accesses the configured web server, monitor the state changes of the client honeypot system, and provide the interface for communicating with the service end unit; it is provided with a client management and control module and a data analysis module, whose functions are:
the client management and control module is used to receive the instructions of the service end unit to open and close the browser, regulate the parallel operation of multiple browsers or multiple types of browser, send the data-analysis initialization instruction to the data analysis module, send the detection-triggering processing signal to the detecting unit, and return the detected suspicious behaviour and screening result to the service end unit;
the data analysis module is responsible for collecting the various trigger events, analysing and processing them, monitoring the changes in virtual machine state, and returning the screening result comprising suspicious information and behaviour to the client management and control module; the trigger events are the various changes in the monitoring data, including changes to the system service descriptor table, file reads and writes, process creation and exit, and the ingress and egress of packets on network ports;
the detecting unit is provided with an event processing module and monitoring modules comprising SSDT monitoring, file monitoring, network monitoring, process monitoring and registry monitoring; it is used to collect and process the various data and to perform kernel-level SSDT monitoring, file monitoring, network monitoring, process monitoring and registry monitoring.
2. The device according to claim 1, characterized in that: the functions of the modules in the detecting unit are:
the event processing module is responsible for scheduling each monitoring module and processing the various trigger events, and sends the data, comprising the trigger event ID, the ID of the originating module, the changed content and the event content, to the client unit;
the System Service Descriptor Table (SSDT) monitoring module is used, after the browser is opened, to monitor changes to the system service call table, record suspicious modifications, and send the relevant information to the event processing module;
the file monitoring module is responsible for monitoring the various operations on files, recording suspicious file deletion and read/write events, and sending the relevant information to the event processing module;
the network monitoring module is used to monitor suspicious events on network ports, assess suspicious packets, and send the relevant information to the event processing module;
the process monitoring module is used to monitor process creation and termination events, record the suspicious behaviour among them, and send the relevant information to the event processing module;
the registry monitoring module is used to monitor registry modification operations, record suspicious information, and send the relevant information to the event processing module.
3. The device according to claim 1, characterized in that: the service end unit, the client-side management unit and the detecting unit may be placed on the same PC host; in that case, to achieve physical and logical isolation between the service end and the client, the service end unit is located on the PC host itself, while the client-side management unit and the detecting unit are located in the virtual machine.
4. A detection method of the client honeypot webpage malicious code detecting device based on sandbox technology, characterized in that: the method comprises the following operating steps:
(1) the service end unit receives input information from the human-computer interaction interface, completes the configuration of the detection parameters and the URL settings, and saves the configuration data as a file;
(2) the service end unit locates the installation path of the virtual machine software, starts the virtual machine application, passes control instructions through the virtual machine interface, logs in to the operating system inside the virtual machine with the user login name and password, and restarts the client-side management unit and the detecting unit in the virtual machine;
(3) the client-side management unit establishes communication between the virtual machine it runs in and the PC host on which the service end unit runs: the PC host of the service end unit uses the ping command to send data to the virtual machine, and the client-side management unit in the virtual machine replies, which confirms liveness and completes the interaction;
(4) the virtual machine of the client-side management unit opens a browser and browses the configured webpages, while the detecting unit monitors the whole browsing process in real time and returns the detection data to the client-side management unit;
(5) after the client-side management unit has analysed and assessed the monitoring data, it sends the result to the service end unit so that the assessment result can be shown on the human-computer interaction interface.
5. The method according to claim 4, characterized in that: in step (1), the detection parameters that the service end unit receives from the human-computer interaction interface and configures comprise: the IP address of the PC host where the virtual machine is located and the IP address of the virtual machine, the absolute path of the virtual machine file on that PC host, and the user login name and password of the virtual machine; the URL settings comprise: the list of URLs to be detected and the browser type selected to access the URLs.
6. The method according to claim 4, characterized in that: step (4) further comprises the following operations:
(41) the client-side management unit, according to the monitoring parameters, instructs the virtual machine to open a browser of the specified type;
(42) the browser browses the configured webpages according to the URL list and the monitoring parameters;
(43) the detecting unit performs the following real-time monitoring of the whole browsing process: SSDT monitoring, file monitoring, registry monitoring, process monitoring and network monitoring, and returns the detection data to the client-side management unit.
7. The method according to claim 4, characterized in that: in step (5), the client-side management unit performs the following operations: it first screens the monitoring data for suspicious information and behaviour, then classifies the screened-out information and behaviour by the degree to which they are suspected of being webpage malicious code, and finally passes the classification result to the service end unit, which shows the assessment result on the human-computer interaction interface.
8. The method according to claim 7, characterized in that: the monitoring procedure of the system service descriptor table (SSDT) monitoring module comprises the following operations: hook the SSDT; define the monitored objects; initialize the kernel-mode monitoring parameters, including loading the normal-behaviour pattern base; open the user-mode interface; intercept system calls; when a monitored object is hit, record the behaviour path executed by the browser; then compare the behaviour path with the normal-behaviour pattern base; finally terminate the system call and leave the malicious website.
CN 201110025474 2011-01-24 2011-01-24 Detecting method and device of client honeypot webpage malicious code based on sandboxing technology Expired - Fee Related CN102088379B (en)
Publications (2)

Publication Number Publication Date
CN102088379A CN102088379A (en) 2011-06-08
CN102088379B true CN102088379B (en) 2013-03-13
Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130313

Termination date: 20140124