CN106055975A - Document detection method and sandbox - Google Patents


Info

Publication number: CN106055975A
Application number: CN201610325817.5A
Authority: CN (China)
Prior art keywords: file, sandbox, detected, running, activity recognition
Legal status: Pending (Google notes that the legal status is an assumption and not a legal conclusion; no legal analysis was performed)
Other languages: Chinese (zh)
Inventor: 房辉
Current assignee: Hangzhou H3C Technologies Co Ltd (Google notes that the listed assignees may be inaccurate)
Original assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201610325817.5A
Publication of CN106055975A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Software Systems
  • Theoretical Computer Science
  • Computer Hardware Design
  • Physics & Mathematics
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Management, Administration, Business Operations System, And Electronic Commerce

Abstract

The embodiment of the invention provides a document detection method and a sandbox. The method comprises the following steps: a sandbox controller receives a to-be-detected document and detects the document running environment type of the to-be-detected document; according to the detected document running environment type, a target classification sandbox corresponding to that document running environment type is determined; the to-be-detected document is sent to the target classification sandbox so that it runs in the virtual environment of the target classification sandbox; the running track of the to-be-detected document sent by the target classification sandbox is received; and when malicious behavior is detected in the running track, an alarm is raised. The method and the sandbox provided by the embodiment can enhance the detection performance of the sandbox.

Description

File detection method and sandbox
Technical field
The present invention relates to the field of file detection, and in particular to a file detection method and a sandbox.
Background technology
A sandbox (Sandboxie), also called a sand table, is an execution environment that limits program behavior according to a security policy. It allows a user to run a file, such as a browser or another program, inside the sandbox environment, and the changes produced by running it can be deleted afterwards. By running a file in a sandbox environment, it can be detected whether the file contains malicious behavior, and an alarm can be raised when malicious behavior is found.
In the prior art, when a file to be detected is received, a corresponding virtual environment is generally created in the sandbox according to the running environment type of the file, the file is run in that virtual environment, its running trace is obtained, and the running trace is then compared with the stored malicious behavior features to detect whether malicious behavior exists in the running trace and to decide whether to raise an alarm. After the file to be detected has finished running, the virtual environment in the sandbox is restored to its initial state; that is, the effects produced while running the file are eliminated.
In actual use, however, because files of every type are all run and processed in a traditional sandbox, and because the sandbox's procedure for judging malicious behavior is relatively complex, the detection performance of the sandbox is often low, and the sandbox becomes a performance bottleneck in the network topology.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a file detection method and a sandbox, so as to improve the detection performance of the sandbox.
To achieve the above object, the invention discloses a file detection method applied to a sandbox controller. The sandbox controller is connected to at least one classification sandbox, and in each classification sandbox there is a created virtual execution environment of one operating system type. The method includes:
receiving a file to be detected, and detecting the file running environment type of the file to be detected;
determining, according to the detected file running environment type, the target classification sandbox corresponding to that file running environment type;
sending the file to be detected to the target classification sandbox, so that the file to be detected runs in the virtual environment of the target classification sandbox;
receiving the running trace of the file to be detected sent by the target classification sandbox;
raising an alarm when malicious behavior is detected in the running trace.
The invention also discloses a sandbox, which includes a sandbox controller and at least one classification sandbox;
the sandbox controller is connected to each classification sandbox, and in each classification sandbox there is a created virtual execution environment of one operating system type;
the sandbox controller receives a file to be detected and detects the file running environment type of the file to be detected; then, according to the detected file running environment type, it determines from among the classification sandboxes the target classification sandbox corresponding to that file running environment type, and sends the file to be detected to the target classification sandbox;
the target classification sandbox receives the file to be detected sent by the sandbox controller, runs the file to be detected in its own virtual environment, and then sends the running trace of the file to be detected to the sandbox controller; after receiving the running trace, the sandbox controller raises an alarm when it detects malicious behavior in the running trace.
As can be seen from the above technical solution, in the embodiments of the present invention the sandbox controller receives a file to be detected, detects the running environment type of the file to be detected, determines the target classification sandbox corresponding to the detected file running environment type, and sends the file to be detected to the target classification sandbox so that it runs in the virtual environment of the target classification sandbox. The sandbox controller then receives the running trace of the file to be detected sent by the target classification sandbox, and raises an alarm when it detects malicious behavior in the running trace.
In other words, in this embodiment the sandbox controller determines a target classification sandbox from among classification sandboxes with virtual execution environments of different types, according to the file running environment type of the received file to be detected, has the file to be detected run in the target classification sandbox, and then decides whether to raise an alarm according to the running trace. In the prior art, files of all running environment types run in a single sandbox; in this embodiment, files of different running environment types run in different classification sandboxes, so applying this embodiment can improve the detection performance of the sandbox. In addition, when one classification sandbox fails, the other classification sandboxes can still perform detection normally, so this embodiment also solves the prior-art problem that when the single sandbox fails, files of all running environment types can no longer be detected.
Of course, any product or method implementing the present invention need not achieve all of the advantages described above at the same time.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of a system in which a prior-art sandbox works;
Fig. 2 is a schematic diagram of a system in which the sandbox provided by an embodiment of the present invention works;
Fig. 3 is a schematic flowchart of the file detection method provided by an embodiment of the present invention;
Fig. 4 is another schematic flowchart of the file detection method provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the sandbox provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the protection scope of the present invention.
To understand the environment in which a sandbox is used, the running environment of a prior-art sandbox is briefly introduced first. Fig. 1 shows a schematic diagram of a system in which a sandbox works, including an external network 101, a firewall 102, a switch 103, a sandbox 104, and an internal network 105 with multiple terminals 1051. In the prior art, after an internal-network user sends a request to download a file from the external network, the external network 101 responds to the request and sends the corresponding file 11 through the firewall 102 to the switch 103; the switch 103 sends the received file 11 to both the internal network 105 and the sandbox 104, and the sandbox 104 detects the file 11 after receiving it and issues alarm information. In Fig. 1 the sandbox 104 may also be located between the switch 103 and the internal network 105: the switch 103 sends the file 11 to the sandbox 104 after receiving it, the sandbox 104 detects the received file, and the file is forwarded to the internal network 105 when there is no alarm.
Embodiments of the present invention provide a file detection method and a sandbox that can improve the detection performance of the sandbox.
In this embodiment, the system in which the sandbox 204 works may be as shown in Fig. 2, where the external network 201, the firewall 202, the switch 203, and the internal network 205 with its multiple terminals 2051 are the same as the external network 101, the firewall 102, the switch 103, and the internal network 105 with its multiple terminals 1051 in the prior art, and the transmission process of the file 21 is likewise the same as in the prior art, so these are not described again. The sandbox 204 includes a sandbox controller 2041 and at least one classification sandbox 2042 connected to it.
The present invention is described in detail below through specific embodiments.
Fig. 3 is a schematic flowchart of the file detection method provided by an embodiment of the present invention, applied to a sandbox controller. The sandbox controller is connected to at least one classification sandbox, and in each classification sandbox there is a created virtual execution environment of one operating system type. The method includes:
Step S301: receive a file to be detected, and detect the file running environment type of the file to be detected.
In practice, the file to be detected may be sent to the sandbox controller by another device, may be selected and input by a user, or may be received in some other way; the present invention does not specifically limit this. In general, the file to be detected is an executable file that can run directly in an operating system. Each file needs the support of an operating system of the corresponding type when it runs.
It should be noted that detecting the file running environment type of the file to be detected belongs to the prior art, and its specific process is not described here.
Step S302: according to the detected file running environment type, determine the target classification sandbox corresponding to that file running environment type.
For example, if the file running environment type of the file to be detected is a Linux operating system environment, the classification sandbox in which a Linux operating system has been created is determined to be the target classification sandbox. Of course, in practice a file may have two or more file running environment types; in that case, the target file running environment type of the file can be determined from those two or more file running environment types according to preset rules, and the target classification sandbox corresponding to that target file running environment type is then determined. The target file running environment type may be a single type or several types. In other words, the file may be made to run in one classification sandbox or in several classification sandboxes.
In this embodiment, the classification sandboxes may include a Linux classification sandbox, a Microsoft Windows classification sandbox, an Apple Mac classification sandbox, a Unix classification sandbox, and so on. Of course, the classification sandboxes may also include sandboxes of other types; the present invention does not limit this.
It can be understood that when the sandbox includes only one classification sandbox, that is, when this classification sandbox is used only to detect target files of the target running environment type, the sandbox as a whole is used only to detect target files, and its sandbox controller can determine the target files from among the files to be detected according to the running environment type of that classification sandbox.
It can be understood that when the sandbox includes at least two classification sandboxes, the sandbox can detect files of at least two running environment types.
Step S303: send the file to be detected to the target classification sandbox, so that the file to be detected runs in the virtual environment of the target classification sandbox.
Step S304: receive the running trace of the file to be detected sent by the target classification sandbox.
The running trace includes operation information such as the files created, modified and deleted by the file to be detected while it runs, and the registry entries it creates, modifies and deletes. Of course, the running trace may also include other kinds of information; the present invention does not limit this.
In practice, after the file to be detected has run in the virtual execution environment of the target classification sandbox, the target classification sandbox may send the running trace of the file to be detected directly to the sandbox controller. Alternatively, after the file to be detected has finished running, the target classification sandbox may send run-complete identification information to the sandbox controller, and the sandbox controller, after receiving that identification information, retrieves the running trace of the file to be detected from the target classification sandbox as needed.
Step S305: raise an alarm when malicious behavior is detected in the running trace.
Malicious behavior includes sensitive behaviors such as uploading a file, initiating an outbound connection, and modifying the registry. Correspondingly, non-sensitive behavior may include locating a file, reading information, and so on. Of course, the specific content of the malicious behavior involved in the embodiments of the present invention is not limited to this.
The sandbox controller detects, according to the received running trace and the stored behavior feature library, whether malicious behavior exists in the running trace; if so, it raises an alarm, otherwise it does not alarm and takes no further action. Specifically, when detecting whether malicious behavior exists in the running trace, the running trace can be compared with the stored behavior feature library; if differences in behavior such as uploading a file, initiating an outbound connection or modifying the registry are found between this running trace and the running trace in the behavior feature library, the running trace can be considered to contain malicious behavior. For example, if the running trace includes the five steps 1, 2, 3, 4 and 5 and the corresponding running trace in the behavior feature library includes the four steps 1, 2, 4 and 5, it can be determined that the running trace has one more step, step 3, than the behavior feature library; if step 3 includes the behavior of uploading a file, it can then be determined that malicious behavior exists in this running trace.
More specifically, detecting whether malicious behavior exists in a running trace belongs to the prior art, and its detailed process is not described here.
In this embodiment, raising an alarm when malicious behavior is detected in the running trace may specifically include: detecting the number of occurrences of malicious behavior in the running trace, judging whether that number exceeds a preset number threshold, and raising an alarm if it does; otherwise, not raising an alarm.
In this embodiment, raising an alarm when malicious behavior is detected in the running trace may also include: detecting the behavior kind of the malicious behavior in the running trace, judging whether that behavior kind belongs to the preset behavior kinds, and raising an alarm if it does; otherwise, not raising an alarm.
In this embodiment, raising an alarm when malicious behavior is detected in the running trace may also include: detecting the number of occurrences and the behavior kind of the malicious behavior in the running trace, judging whether the number of occurrences exceeds the preset number threshold and whether the behavior kind belongs to the preset behavior kinds, raising an alarm if both judgements are yes, and not raising an alarm if both judgements are no.
From the above, in this embodiment the sandbox controller determines a target classification sandbox from among classification sandboxes with virtual execution environments of different types, according to the file running environment type of the received file to be detected, has the file to be detected run in the target classification sandbox, then detects its running trace, and raises an alarm when malicious behavior exists in the running trace. In the prior art, files of all running environment types run in a single sandbox; in this embodiment, files of different running environment types run in different classification sandboxes, so applying this embodiment can improve the detection performance of the sandbox. In addition, when one classification sandbox fails, the other classification sandboxes can still perform detection normally, so this embodiment also solves the prior-art problem that when the single sandbox fails, files of all running environment types can no longer be detected.
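The procedure of steps S301 to S305, as an added example that is not part of the patent or of H3C's code. It assumes a magic-number check as the (prior-art) environment detection the page does not specify, a scripted trace in place of a real virtual environment so it runs offline, one reference trace per environment in the behavior feature library, and the preset rule that a file with several environment types runs in every matching classification sandbox; the sample files, trace step names and feature library are constructed. The three alarm policies of step S305 are each implemented as a separate function.

```python
import hashlib
from dataclasses import dataclass, field

# Sensitive behavior kinds named on the page; any other trace step is treated
# as non-sensitive (locating a file, reading information, ...).
SENSITIVE_KINDS = frozenset({"upload_file", "outbound_connect", "modify_registry"})


def detect_running_environment(data: bytes) -> set:
    """Return the running-environment types a file needs, from its leading bytes.

    The page leaves environment detection to prior art; this magic-number check
    is an assumed stand-in for it, not the patent's own method.
    """
    envs = set()
    if data.startswith(b"\x7fELF"):
        envs.add("linux")
    if data.startswith(b"MZ"):
        envs.add("windows")
    if data[:4] in (b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe"):
        envs.add("mac")
    if data.startswith(b"#!"):
        envs.add("unix")
    return envs


@dataclass
class ClassificationSandbox:
    """One classification sandbox holding a virtual environment of a single OS type.

    Constructed stand-in: instead of really executing the file, run() returns a
    scripted trace keyed by the file's MD5, so the example runs offline.
    """
    env_type: str
    scripted_traces: dict = field(default_factory=dict)

    def run(self, data: bytes) -> list:
        return list(self.scripted_traces.get(hashlib.md5(data).hexdigest(), []))


def malicious_steps(trace: list, reference: list) -> list:
    """Steps of the running trace that the reference trace from the behavior
    feature library lacks, kept only when the step is a sensitive behavior kind
    (the page's example: trace 1,2,3,4,5 vs. library 1,2,4,5, extra step 3)."""
    extra = [step for step in trace if step not in reference]
    return [step for step in extra if step in SENSITIVE_KINDS]


# The three alarm policies described for step S305.
def alarm_by_count(malicious: list, threshold: int) -> bool:
    return len(malicious) > threshold


def alarm_by_kind(malicious: list, preset_kinds) -> bool:
    return any(kind in preset_kinds for kind in malicious)


def alarm_by_count_and_kind(malicious: list, threshold: int, preset_kinds) -> bool:
    # The page alarms when both judgements are yes and stays silent when both
    # are no; it leaves the mixed case open, and this example (an assumption)
    # treats the mixed case as no alarm.
    return alarm_by_count(malicious, threshold) and alarm_by_kind(malicious, preset_kinds)


@dataclass
class SandboxController:
    sandboxes: dict        # env_type -> ClassificationSandbox
    feature_library: dict  # env_type -> reference trace (one per environment; a simplification)

    def detect(self, data: bytes, threshold: int = 0, preset_kinds=SENSITIVE_KINDS) -> dict:
        envs = detect_running_environment(data)                          # S301
        # Preset rule assumed here: a file with several environment types runs
        # in every matching classification sandbox the controller is connected to.
        targets = sorted(envs & set(self.sandboxes))                     # S302
        malicious = []
        for env in targets:
            trace = self.sandboxes[env].run(data)                        # S303 / S304
            malicious += malicious_steps(trace, self.feature_library.get(env, []))
        alarm = alarm_by_count_and_kind(malicious, threshold, preset_kinds)  # S305
        return {"targets": targets, "malicious": malicious, "alarm": alarm}


# Constructed sample files: only the magic bytes matter to the example.
ELF_SAMPLE = b"\x7fELF" + b"\x00" * 12 + b"constructed linux sample"
PE_SAMPLE = b"MZ" + b"\x00" * 14 + b"constructed windows sample"


def build_demo_controller() -> SandboxController:
    elf_md5 = hashlib.md5(ELF_SAMPLE).hexdigest()
    pe_md5 = hashlib.md5(PE_SAMPLE).hexdigest()
    linux_box = ClassificationSandbox("linux", {
        elf_md5: ["create_file", "modify_file", "upload_file", "read_info", "delete_file"]})
    windows_box = ClassificationSandbox("windows", {
        pe_md5: ["create_file", "read_info", "delete_file"]})
    library = {"linux": ["create_file", "modify_file", "read_info", "delete_file"],
               "windows": ["create_file", "read_info", "delete_file"]}
    return SandboxController({"linux": linux_box, "windows": windows_box}, library)


if __name__ == "__main__":
    controller = build_demo_controller()
    for sample in (ELF_SAMPLE, PE_SAMPLE):
        print(controller.detect(sample))
```

The ELF sample's trace carries an `upload_file` step that the Linux reference trace lacks, so the controller reports that one malicious step and alarms; the PE sample's trace matches its reference exactly and is silent. Because the comparison keeps only sensitive kinds, an extra non-sensitive step such as `read_info` would never trigger an alarm on its own, which is the distinction the page draws between sensitive and non-sensitive behavior.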
In another embodiment of the present invention, the embodiment shown in Fig. 3 may further include:
after raising an alarm when malicious behavior is detected in the running trace, recording information on whether an alarm was raised for the file to be detected.
In this embodiment, the sandbox controller may save the information on whether an alarm was raised for the file to be detected in the file behavior identification information, so as to avoid repeated detection in subsequent detections and improve detection efficiency.
In another embodiment of the present invention, on the basis of the embodiment shown in Fig. 3, before detecting the file running environment type of the file to be detected, the method may further include:
detecting whether the file to be detected is an executable file, and if so, continuing with the step of detecting the file running environment type of the file to be detected.
In general, files include executable files and non-executable files. Executable files include files with suffixes such as exe, doc, txt and pdf that can be run in an operating system; files other than executable files may be called non-executable files.
In embodiments of the present invention, whether the file to be detected is an executable file can be detected according to the suffix of the file, and of course it can also be detected according to other features; the present invention does not limit this. It should be noted that detecting whether a file is an executable file belongs to the prior art, and its detailed process is not described here.
In this embodiment, detecting whether the file to be detected is an executable file before detecting its file running environment type makes it possible to identify non-executable files among the files to be detected and to avoid sending non-executable files to the sandbox to run, which in turn improves the detection efficiency of the sandbox.
In another embodiment of the present invention, to further improve the detection performance of the sandbox, on the basis of the embodiment shown in Fig. 3, before detecting the file running environment type of the file to be detected, the method may also include the process shown in the schematic flowchart of Fig. 4, which specifically includes the steps:
Step S401: obtain the file feature of the file to be detected.
The file feature includes a feature that can uniquely identify the file. Specifically, the file feature of the file to be detected may include the MD5 value of the file to be detected computed with the MD5 message-digest algorithm. Of course, the file feature of the file to be detected may also be obtained by other methods; the present invention does not limit this.
Step S402: according to the obtained file feature of the file to be detected and the file features of the files in the stored file behavior identification information, detect whether file behavior identification information whose file feature matches that of the file to be detected exists in the file behavior identification information; if so, perform S403, otherwise perform S404.
The sandbox controller stores file behavior identification information, which includes the file feature of each detected file and information on whether an alarm was raised for it. It can be understood that the file behavior identification information may also include the file identifier (file ID), the running environment of the file, whether it is an executable file, the number of occurrences of malicious behavior in the file's running trace, and so on; of course, the file behavior identification information may also include other information, and the present invention does not limit this.
For example, the content of the file behavior identification information may be as shown in Table 1.
Table 1
That is, after the file to be detected is received, it is detected according to its file feature whether file behavior identification information whose file feature matches that of the file to be detected exists, i.e. whether this file to be detected has already been detected. If it has, the detection result is given directly from the information on whether an alarm was raised that is recorded in the matching file behavior identification information; if it has not been detected before, the file to be detected continues to run in the classification sandbox and the result is given at the end.
Step S403: determine whether to raise an alarm for the file to be detected according to the matching file behavior identification information.
Step S404: detect the file running environment type of the file to be detected, and continue with step S302.
From the above, in this embodiment, after the file to be detected is received, it is detected according to its file feature whether file behavior identification information matching that file feature exists in the pre-saved file behavior identification information; if it exists, the result on whether to alarm is given directly, which avoids re-running detection on the file and can improve the detection performance of the sandbox.
In another embodiment, in the embodiment shown in Fig. 4, when it is detected that no file behavior identification information matching the file feature of the file to be detected exists in the file behavior identification information, the file to be detected continues to run in the classification sandbox, the running trace of the file to be detected is received, and after detection of the running trace is completed, the file behavior identification information of the file to be detected is recorded. In this way the amount of information in the file behavior identification information grows continuously, which improves the matching probability of file features and in turn the detection efficiency of the sandbox.
It can be understood that in this embodiment the file behavior identification information may initially be empty, so that when matching file features, the file feature of the file to be detected cannot be found in the file behavior identification information; step S302 is therefore executed, and after the result on whether malicious behavior exists in the file to be detected is obtained, the file behavior identification information of the file to be detected is recorded.
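The executable-file check and the Fig. 4 lookup (steps S401 to S404, plus recording the result after detection), as an added example that is not part of the patent or of H3C's code. It assumes the suffix list the page gives is the whole preset list, keeps the file behavior identification information in an in-memory dictionary keyed by MD5 as the page describes, and replaces steps S302 to S305 with a constructed stand-in that reads the environment from the magic bytes and counts a `b"UPLOAD"` marker as one upload-file behavior; the sample file is constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Suffixes the page lists as executable in an operating system (assumed here to
# be the complete preset list; a deployment would carry its own).
EXECUTABLE_SUFFIXES = frozenset({"exe", "doc", "txt", "pdf"})


def is_executable(filename: str) -> bool:
    """Suffix-based executable check, the method the page names for this step."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in EXECUTABLE_SUFFIXES


def file_feature(data: bytes) -> str:
    """File feature as on the page: the MD5 value of the file contents."""
    return hashlib.md5(data).hexdigest()


@dataclass
class BehaviorRecord:
    """One entry of the file behavior identification information; the fields are
    those the page lists for Table 1 (the table layout itself is not reproduced)."""
    file_id: int
    file_feature: str
    running_environment: str
    is_executable: bool
    malicious_count: int
    alarmed: bool


@dataclass
class SandboxController:
    behavior_info: dict = field(default_factory=dict)  # file_feature -> BehaviorRecord
    sandbox_runs: int = 0                              # how often a classification sandbox ran

    def _run_in_classification_sandbox(self, data: bytes):
        """Stand-in for steps S302-S305 (assumed, not the patent's logic): the
        environment is read from the magic bytes and every b"UPLOAD" marker in
        the constructed sample counts as one upload-file behavior."""
        self.sandbox_runs += 1
        if data.startswith(b"\x7fELF"):
            env = "linux"
        elif data.startswith(b"MZ"):
            env = "windows"
        else:
            env = "unknown"
        count = data.count(b"UPLOAD")
        return env, count, count > 0

    def detect(self, filename: str, data: bytes) -> dict:
        # Executable-file check before anything is sent to a sandbox.
        if not is_executable(filename):
            return {"verdict": "skipped_not_executable", "alarm": False}
        feature = file_feature(data)                        # S401
        cached = self.behavior_info.get(feature)            # S402
        if cached is not None:                              # S403: reuse the recorded verdict
            return {"verdict": "cached", "alarm": cached.alarmed}
        env, count, alarm = self._run_in_classification_sandbox(data)  # S404 -> S302..S305
        self.behavior_info[feature] = BehaviorRecord(       # record once detection completes
            file_id=len(self.behavior_info) + 1, file_feature=feature,
            running_environment=env, is_executable=True,
            malicious_count=count, alarmed=alarm)
        return {"verdict": "detected", "alarm": alarm}


# Constructed sample: PE magic bytes plus one marker the stand-in sandbox flags.
PE_SAMPLE = b"MZ" + b"\x00" * 14 + b"constructed sample UPLOAD"

if __name__ == "__main__":
    controller = SandboxController()
    print(controller.detect("report.exe", PE_SAMPLE))   # runs the sandbox, records the result
    print(controller.detect("report.exe", PE_SAMPLE))   # served from the recorded information
    print(controller.detect("photo.png", PE_SAMPLE))    # skipped: suffix is not executable
```

Two properties of the shortcut are worth seeing in the run: only a byte-identical resubmission is served from the recorded information (the test resubmits the sample with one extra byte and the sandbox runs again), and because MD5 is not collision-resistant, two different files can in principle share the key; the page permits other feature methods, and a SHA-256 digest is a drop-in replacement in `file_feature` for a deployment that wants the key to be unique.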
Fig. 5 is a schematic structural diagram of the sandbox provided by an embodiment of the present invention, corresponding to the method embodiment shown in Fig. 3. The sandbox includes a sandbox controller 501 and at least one classification sandbox 502;
the sandbox controller 501 is connected to the at least one classification sandbox 502, and in each classification sandbox there is a created virtual execution environment of one operating system type;
the sandbox controller 501 receives a file to be detected and detects the file running environment type of the file to be detected; then, according to the detected file running environment type, it determines from among the classification sandboxes 502 the target classification sandbox 502 corresponding to that file running environment type, and sends the file to be detected to the target classification sandbox 502; the target classification sandbox 502 receives the file to be detected sent by the sandbox controller 501, runs the file to be detected in its own virtual environment, and then sends the running trace of the file to be detected to the sandbox controller 501; after receiving the running trace, the sandbox controller 501 raises an alarm when it detects malicious behavior in the running trace.
In this embodiment, the sandbox controller 501 stores file behavior identification information, which includes the file feature of each detected file and information on whether an alarm was raised for it;
before detecting the file running environment type of the file to be detected, the sandbox controller 501 also obtains the file feature of the file to be detected and, according to the obtained file feature of the file to be detected and the file features of the files in the stored file behavior identification information, detects whether file behavior identification information whose file feature matches that of the file to be detected exists; if so, it determines whether to raise an alarm for the file to be detected according to the matching file behavior identification information.
In this embodiment, the sandbox controller 501 also records the file behavior identification information of the file to be detected after detection of the running trace is completed.
In this embodiment, before detecting the file running environment type of the file to be detected, the sandbox controller 501 also detects whether the file to be detected is an executable file and, if so, continues to detect the file running environment type of the file to be detected.
The above apparatus embodiment corresponds to the method embodiment and has the same technical effects as the method embodiment, so the technical effects of the apparatus embodiment are not repeated here; refer to the description of the method embodiment.
Since the apparatus embodiment essentially corresponds to the method embodiment, it is described relatively briefly; for the relevant parts, refer to the description of the method embodiment.
It should be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Those of ordinary skill in the art can understand that all or part of the steps in the above embodiments can be completed by hardware instructed by a program, and that the program can be stored in a computer-readable storage medium. The storage medium mentioned here refers to ROM/RAM, magnetic disks, optical disks, and the like.
The foregoing are only preferred embodiments of the present invention and are not intended to limit the protection scope of the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention are included in the protection scope of the present invention.

Claims (9)

1. A file detection method, characterised in that it is applied to a sandbox controller, the sandbox controller being connected to at least one classification sandbox, each classification sandbox having a virtual execution environment created for one operating system type, the method comprising:
receiving a file to be detected, and detecting the runtime environment type of the file to be detected;
according to the detected runtime environment type, determining the target classification sandbox corresponding to that runtime environment type;
sending the file to be detected to the target classification sandbox, so that the file to be detected runs in the virtual environment of the target classification sandbox;
receiving the running trace of the file to be detected sent by the target classification sandbox;
raising an alarm when malicious behaviour is detected in the running trace.
2. The detection method according to claim 1, characterised in that the sandbox controller stores file behaviour identification information, the file behaviour identification information including, for each file that has already been detected, the file feature of that file and whether an alarm was raised for it;
before detecting the runtime environment type of the file to be detected, the method further comprises:
obtaining the file feature of the file to be detected;
comparing the obtained file feature of the file to be detected with the file feature of each file in the stored file behaviour identification information, and detecting whether the file behaviour identification information contains an entry whose file feature matches that of the file to be detected;
if so, determining, according to the matching file behaviour identification information, whether to raise an alarm for the file to be detected;
if not, performing the step of detecting the runtime environment type of the file to be detected.
3. The detection method according to claim 1 or 2, characterised in that the method further comprises:
after the detection on the running trace has been completed, recording the file behaviour identification information of the file to be detected.
4. The detection method according to claim 2, characterised in that the file feature of the file to be detected is the MD5 value of the file to be detected, calculated with the message digest algorithm MD5.
5. The detection method according to claim 1, characterised in that, before detecting the runtime environment type of the file to be detected, the method further comprises:
detecting whether the file to be detected is an executable file and, if so, continuing with the step of detecting the runtime environment type of the file to be detected.
6. A sandbox, characterised in that the sandbox comprises a sandbox controller and at least one classification sandbox;
the sandbox controller is connected to each classification sandbox, and each classification sandbox has a virtual execution environment created for one operating system type;
the sandbox controller receives a file to be detected and detects the runtime environment type of the file to be detected; then, according to the detected runtime environment type, it determines among the classification sandboxes the target classification sandbox corresponding to that runtime environment type, and sends the file to be detected to the target classification sandbox;
the target classification sandbox receives the file to be detected sent by the sandbox controller, runs the file to be detected in its own virtual environment, and then sends the running trace of the file to be detected to the sandbox controller; after the sandbox controller receives the running trace, it raises an alarm when it detects malicious behaviour in the running trace.
7. The sandbox according to claim 6, characterised in that the sandbox controller stores file behaviour identification information, the file behaviour identification information including, for each file that has already been detected, the file feature of that file and whether an alarm was raised for it;
before detecting the runtime environment type of the file to be detected, the sandbox controller also obtains the file feature of the file to be detected and, comparing the obtained file feature with the file feature of each file in the stored file behaviour identification information, detects whether the file behaviour identification information contains an entry whose file feature matches that of the file to be detected; if so, it determines, according to the matching file behaviour identification information, whether to raise an alarm for the file to be detected.
8. The sandbox according to claim 6 or 7, characterised in that the sandbox controller also records the file behaviour identification information of the file to be detected after the detection on the running trace has been completed.
9. The sandbox according to claim 7, characterised in that, before detecting the runtime environment type of the file to be detected, the sandbox controller also detects whether the file to be detected is an executable file and, if so, continues to detect the runtime environment type of the file to be detected.
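The apparatus embodiment (sandbox controller 501 and classification sandboxes 502) and claims 1 to 5 describe a single pipeline: look the file's feature up in the stored behaviour identification information, skip non-executables, pick the classification sandbox for the file's operating-system type, analyse the running trace it returns, alarm, and record the verdict. The block below is an added example written for this page to make that pipeline concrete; it is not code from the patent or from H3C. Every name in it (SandboxController, ClassificationSandbox, detect_env_type, malicious_behaviours, build_controller), the header-byte OS detection, the behaviour rules, the sample files and the canned traces are assumptions constructed for the example; a real classification sandbox would run the file in a virtual machine and record its system and API calls instead of returning a canned trace. One caveat a practitioner would want: claim 4 keys the store by MD5, which is collision-broken, so a cached "no alarm" verdict for a benign file could be replayed for a malicious file crafted to share its digest; the feature function therefore takes the hash algorithm as a parameter so a deployment can use sha256.

```python
"""Sandbox controller in the shape of the apparatus embodiment (controller 501,
classification sandboxes 502) and claims 1-5.  Added illustrative example, not
H3C's code: every name, the header-based OS detection, the behaviour rules, the
sample files and the canned traces are assumptions constructed for this page."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Trace = List[Tuple[str, str]]      # (action, argument) pairs reported by a sandbox

MAGIC = {b"MZ": "windows", b"\x7fELF": "linux", b"\xcf\xfa\xed\xfe": "macos"}  # PE, ELF, Mach-O
PROTECTED_PATHS = ("c:\\windows\\system32", "/etc/", "/usr/bin/")                # constructed rules
PRIVATE_PREFIXES = ("10.", "192.168.")

def detect_env_type(data: bytes) -> Optional[str]:
    """Runtime environment type from the file header; None means not executable (claim 5)."""
    for magic, os_type in MAGIC.items():
        if data.startswith(magic):
            return os_type
    return None

def file_feature(data: bytes, algo: str = "md5") -> str:
    """File feature as in claim 4 (MD5).  MD5 is collision-broken: a cached 'no alarm'
    verdict for a benign file could be replayed for a colliding malicious one, so a
    deployment should pass algo='sha256'."""
    return hashlib.new(algo, data).hexdigest()

def malicious_behaviours(trace: Trace) -> List[str]:
    """Running-trace analysis (last step of claim 1); returns the rules that fired."""
    hits = []
    for action, arg in trace:
        if action == "write_file" and arg.lower().startswith(PROTECTED_PATHS):
            hits.append(f"write to protected path {arg}")
        elif action == "reg_set" and "currentversion\\run" in arg.lower():
            hits.append(f"autorun key {arg}")
        elif action == "connect" and not arg.startswith(PRIVATE_PREFIXES):
            hits.append(f"outbound connection to {arg}")
    return hits

@dataclass
class ClassificationSandbox:
    os_type: str
    runner: Callable[[bytes], Trace]   # stand-in for the VM of this OS type

@dataclass
class BehaviourRecord:                 # one entry of file behaviour identification info
    feature: str
    alarmed: bool

class SandboxController:
    def __init__(self, sandboxes: List[ClassificationSandbox], feature_algo: str = "md5"):
        self.sandboxes = {s.os_type: s for s in sandboxes}
        self.records: Dict[str, BehaviourRecord] = {}    # claim 2 store
        self.feature_algo = feature_algo

    def detect(self, data: bytes) -> dict:
        feature = file_feature(data, self.feature_algo)
        rec = self.records.get(feature)                  # claim 2: stored verdict first
        if rec is not None:
            return {"alarm": rec.alarmed, "source": "cache", "feature": feature}
        env = detect_env_type(data)                      # claim 5, then claim 1 step 1
        if env is None:
            return {"alarm": False, "source": "skipped", "feature": feature, "reason": "not executable"}
        sandbox = self.sandboxes.get(env)                # claim 1: target classification sandbox
        if sandbox is None:
            return {"alarm": False, "source": "skipped", "feature": feature, "reason": f"no {env} sandbox"}
        hits = malicious_behaviours(sandbox.runner(data))
        self.records[feature] = BehaviourRecord(feature, bool(hits))   # claim 3: record verdict
        return {"alarm": bool(hits), "source": "sandbox", "feature": feature, "env": env, "hits": hits}

# Constructed sample files (only the leading magic bytes matter here) and the
# canned traces a VM would have recorded for them, keyed by MD5.
BENIGN_PE, DROPPER_PE, BOT_ELF, TEXT_FILE = b"MZeditor", b"MZdropper", b"\x7fELFbot", b"just notes"
CANNED_TRACES = {
    file_feature(BENIGN_PE): [("read_file", "C:\\Users\\a\\doc.txt"), ("write_file", "C:\\Users\\a\\doc.txt")],
    file_feature(DROPPER_PE): [("write_file", "C:\\Windows\\System32\\svch0st.exe"),
                               ("reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd")],
    file_feature(BOT_ELF): [("write_file", "/etc/cron.d/job"), ("connect", "203.0.113.7:4444")],
}

def canned_runner(data: bytes) -> Trace:
    return CANNED_TRACES.get(file_feature(data), [])

def build_controller(feature_algo: str = "md5") -> SandboxController:
    return SandboxController([ClassificationSandbox("windows", canned_runner),
                              ClassificationSandbox("linux", canned_runner)], feature_algo)

if __name__ == "__main__":
    ctl = build_controller()
    for name, blob in [("editor.exe", BENIGN_PE), ("dropper.exe", DROPPER_PE), ("bot", BOT_ELF),
                       ("notes.txt", TEXT_FILE), ("dropper.exe again", DROPPER_PE)]:
        v = ctl.detect(blob)
        print(f"{name:18} {'ALARM' if v['alarm'] else 'ok':5} via {v['source']:8}", v.get("hits") or v.get("reason", ""))
```

Running the script submits the same dropper twice: the first submission goes through the Windows sandbox and is recorded, the second is answered from the stored behaviour identification information without a sandbox run, which is the saving claims 2 and 3 are after. Non-executables are never recorded, so a later submission of the same text file is skipped again rather than served from the store.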
CN201610325817.5A 2016-05-16 2016-05-16 Document detection method and sandbox Pending CN106055975A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610325817.5A CN106055975A (en) 2016-05-16 2016-05-16 Document detection method and sandbox

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610325817.5A CN106055975A (en) 2016-05-16 2016-05-16 Document detection method and sandbox

Publications (1)

Publication Number Publication Date
CN106055975A true CN106055975A (en) 2016-10-26

Family

ID=57177138

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610325817.5A Pending CN106055975A (en) 2016-05-16 2016-05-16 Document detection method and sandbox

Country Status (1)

Country Link
CN (1) CN106055975A (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101692267A (en) * 2009-09-15 2010-04-07 北京大学 Method and system for detecting large-scale malicious web pages
CN102741824A (en) * 2009-12-15 2012-10-17 迈克菲股份有限公司 Systems and methods for behavioral sandboxing
CN102902915A (en) * 2012-09-29 2013-01-30 北京奇虎科技有限公司 System for detecting behavior feature of file
CN103514401A (en) * 2011-04-21 2014-01-15 北京奇虎科技有限公司 Method and device for defense by utilization of sandbox technology and security browser
CN103559441A (en) * 2013-10-28 2014-02-05 中国科学院信息工程研究所 Cross-platform detection method and system for malicious files in cloud environment


Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106650424A (en) * 2016-11-28 2017-05-10 北京奇虎科技有限公司 Method and device for detecting target sample file
CN106682500A (en) * 2016-11-28 2017-05-17 北京奇虎科技有限公司 Detection method and device for target sample files
CN106713277A (en) * 2016-11-28 2017-05-24 北京奇虎科技有限公司 Method and apparatus for detecting target sample file
CN106650423A (en) * 2016-11-28 2017-05-10 北京奇虎科技有限公司 Object sample file detecting method and device
CN106650427A (en) * 2016-12-28 2017-05-10 北京奇虎科技有限公司 Sandbox operation environment detection method and device
CN106650427B (en) * 2016-12-28 2019-10-22 北京奇虎测腾科技有限公司 The detection method and detection device of sandbox running environment
CN107346390A (en) * 2017-07-04 2017-11-14 深信服科技股份有限公司 A kind of malice sample testing method and device
CN108363919B (en) * 2017-10-19 2021-04-20 北京安天网络安全技术有限公司 Method and system for generating virus-killing tool
CN108363919A (en) * 2017-10-19 2018-08-03 北京安天网络安全技术有限公司 A kind of virus special anti-virus tool generation method and system
WO2019184664A1 (en) * 2018-03-26 2019-10-03 华为技术有限公司 Method, apparatus, and system for detecting malicious file
US11836253B2 (en) 2018-03-26 2023-12-05 Huawei Technologies Co., Ltd. Malicious file detection method, device, and system
CN108920943A (en) * 2018-05-08 2018-11-30 国家计算机网络与信息安全管理中心 The method and device of installation binding behavior is detected for application software
CN110502892A (en) * 2019-07-09 2019-11-26 成都亚信网络安全产业技术研究院有限公司 A kind of the determination method, apparatus and system of abnormality test process
CN110543759A (en) * 2019-08-12 2019-12-06 中国南方电网有限责任公司 Malicious file detection method and device, computer equipment and storage medium
WO2021214597A1 (en) * 2020-04-23 2021-10-28 International Business Machines Corporation Deep packet analysis
GB2604797A (en) * 2020-04-23 2022-09-14 Kyndryl Inc Deep packet analysis
US11563761B2 (en) 2020-04-23 2023-01-24 Kyndryl, Inc. Deep packet analysis
US11757912B2 (en) 2020-04-23 2023-09-12 Kyndryl, Inc. Deep packet analysis
CN113641988A (en) * 2021-05-26 2021-11-12 荣耀终端有限公司 Sandbox initialization method, graphical interface and related device
CN113904796A (en) * 2021-08-27 2022-01-07 国家计算机网络与信息安全管理中心 Equipment backdoor detection method of flow for network security detection
CN113904796B (en) * 2021-08-27 2023-11-17 国家计算机网络与信息安全管理中心 Equipment back door detection method for network flow safety detection
CN113949579A (en) * 2021-10-20 2022-01-18 安天科技集团股份有限公司 Website attack defense method and device, computer equipment and storage medium
CN113949579B (en) * 2021-10-20 2024-04-30 安天科技集团股份有限公司 Website attack defense method and device, computer equipment and storage medium


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
CB02 Change of applicant information
Address after: No. 466 Changhe Road, Binjiang District, Hangzhou, Zhejiang, China, 310052
Applicant after: New H3C Technologies Co., Ltd.
Address before: No. 310 Liuhe Road, Hangzhou Science and Technology Industrial Park, High-tech Industrial Development Zone, Zhejiang Province, 310053
Applicant before: Hangzhou H3C Technologies Co., Ltd.
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20161026