CN110188538B - Method and device for detecting data by adopting sandbox cluster - Google Patents


Info

Publication number
CN110188538B (application CN201910345232.3A)
Authority
CN
China
Prior art keywords
sample data
sandbox
static
file
information
Prior art date
Legal status
Active
Application number
CN201910345232.3A
Other languages
Chinese (zh)
Other versions
CN110188538A (en)
Inventor
白敏�
白皓文
罗炳聪
Current Assignee
Qianxin Technology Group Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Application filed by Qianxin Technology Group Co Ltd
Priority to CN201910345232.3A
Publication of CN110188538A
Application granted
Publication of CN110188538B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides a method and a device for detecting data by adopting a sandbox cluster. The method comprises the following steps: collecting sample data, wherein the sample data comprises a mail sample and a malicious file; delivering the sample data to a sandbox cluster, wherein the sandbox cluster comprises a static sandbox and a dynamic sandbox; and detecting the sample data with the sandbox cluster, associating the detection result with the sample data, and storing the detection result and the sample data in an advanced persistent threat (APT) attack intelligence database. The invention solves the technical problem in the related art that APT attack intelligence databases are built with low efficiency.

Description

Method and device for detecting data by adopting sandbox cluster
Technical Field
The invention relates to the field of network security, in particular to a method and a device for detecting data by adopting a sandbox cluster.
Background
A network attack is an attack launched by a hacker, a virus, a trojan or the like against electronic equipment, and causes heavy losses to users by stealing files and similar means.
When an Advanced Persistent Threat (APT) group is traced and discovered, context correlation analysis is mainly carried out on attacks observed in network propagation, such as malicious files and phishing mails. An attacker uses a malicious program to intrude into and control a network and its information systems in order to steal sensitive data and damage the systems and the network environment, so the detection rate and batch analysis capability for malicious samples spreading in an enterprise network urgently need to be improved.
In the related art, network attacks in the field of computer security are becoming more specialized and targeted. When such attack events occur, overall knowledge of them is usually lacking, and each event is defended against separately, so no coherent defense system is formed. Examples are APT attacks or the Stuxnet virus ("seismic net" in the original), which are targeted and only attack a particular industry or certain target systems. At present there is no scheme that, when such attack events occur in a small range, obtains threat intelligence in advance so that early warning and defense can be carried out on a large scale. The result is that the defense against network attacks lags behind the attacks.
In view of the above problems in the related art, no effective solution has been found at present.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting data by adopting a sandbox cluster.
According to an embodiment of the present invention, there is provided a method for detecting data by using sandbox cluster, including: collecting sample data, wherein the sample data comprises a mail sample and a malicious file; delivering the sample data to a sandbox cluster, wherein the sandbox cluster comprises a static sandbox and a dynamic sandbox; and detecting the sample data by adopting the sandbox cluster, associating the detection result with the sample data, and storing the detection result and the sample data into an intelligence database of advanced persistent threat APT attack.
Optionally, delivering the sample data to a sandbox cluster includes: judging whether a static OWL detection rule of the static sandbox is matched with the sample data; when the static OWL detection rule of the static sandbox is matched with the sample data, delivering the sample data to the static sandbox; and when the static OWL detection rule of the static sandbox does not match the sample data, delivering the sample data to the dynamic sandbox.
Optionally, detecting the sample data by using the sandbox cluster includes: detecting and extracting the sample data with the sandbox cluster based on semantics and file meta-information, and identifying file information of the sample data, wherein the file information comprises at least one of the following: file name, file type matching degree, file size, message digest algorithm MD5, secure hash algorithm SHA1, SHA256, SHA512 and fuzzy hash algorithm SSdeep; and extracting meta-information of the sample data according to the file information, wherein the meta-information comprises at least one of the following: the number of bytes, signature information and program database (PDB) file path of the portable executable (PE).
Optionally, the detecting the sample data by using the sandbox cluster includes: simulating a virtual environment through a dynamic sandbox; and running the sample data in the virtual environment, recording and analyzing all behavior actions of the sample data from process starting to finishing, capturing a flow packet in the execution process, and generating a process report.
Optionally, after the detection result is associated with the sample data and then stored in an intelligence database of the APT attack, the method further includes: and tracking and positioning the APT attack source according to the intelligence database.
According to another embodiment of the present invention, there is provided an apparatus for detecting data using a sandbox cluster, including an acquisition module, a delivery module and a processing module, wherein the acquisition module is used for acquiring sample data, and the sample data comprises a mail sample and a malicious file; the delivery module is configured to deliver the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox; and the processing module is used for detecting the sample data with the sandbox cluster, associating the detection result with the sample data, and storing the detection result in an advanced persistent threat (APT) attack intelligence database.
Optionally, the delivery module includes: the judging unit is used for judging whether the static OWL detection rule of the static sandbox is matched with the sample data; the delivery unit is used for delivering the sample data to the static sandbox when the static OWL detection rule of the static sandbox is matched with the sample data; and when the static OWL detection rule of the static sandbox does not match the sample data, delivering the sample data to the dynamic sandbox.
Optionally, the processing module includes: an identification unit, used for detecting and extracting the sample data based on semantics and file meta-information with the sandbox cluster, and identifying file information of the sample data, wherein the file information comprises at least one of the following: file name, file type matching degree, file size, message digest algorithm MD5, secure hash algorithm SHA1, SHA256, SHA512 and fuzzy hash algorithm SSdeep; and an extracting unit, configured to extract meta-information of the sample data according to the file information, where the meta-information includes at least one of: the number of bytes, signature information and program database (PDB) file path of the portable executable (PE).
Optionally, the processing module includes: the simulation unit is used for simulating the virtual environment through the dynamic sandbox; and the processing unit is used for operating the sample data in the virtual environment, recording and analyzing all behavior actions of the sample data from process starting to finishing, capturing a flow packet in the execution process and generating a process report.
Optionally, the apparatus further comprises: and the tracking module is used for tracking and positioning an APT attack source according to the intelligence database after the processing module correlates the detection result with the sample data and stores the correlation result into the intelligence database of the APT attack.
According to a further embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
According to the invention, sample data is collected and delivered to a sandbox cluster comprising a static sandbox and a dynamic sandbox; the sandbox cluster then detects the sample data, and the detection result is associated with the sample data and stored in an APT attack threat intelligence database. Log analysis rules are maintained on the basis of the static sandbox's operation results, and the core countermeasure results of the dynamic sandbox are tracked, so that suspicious objects can be filtered and located more accurately, which solves the technical problem in the related art that APT attack intelligence databases are built with low efficiency. The ability of operations and analysis personnel to analyze, track and locate malicious samples is greatly improved, and it becomes much easier for security personnel to trace the identity of APT attackers.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a block diagram of a hardware architecture of a server for detecting data using sandbox clusters according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a method for detecting data using a sandbox cluster in accordance with an embodiment of the present invention;
FIG. 3 is a complete business logic diagram of an embodiment of the present invention;
FIG. 4 is a business flow diagram of an embodiment of the invention;
FIG. 5 is a block diagram of an apparatus for detecting data using a sandbox cluster according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
The method provided by the first embodiment of the present application may be executed in a server or a similar computing device. Taking an example of running on a server, fig. 1 is a block diagram of a hardware structure of a server that detects data by using a sandbox cluster according to an embodiment of the present invention. As shown in fig. 1, the server 10 may include one or more (only one shown in fig. 1) processors 102 (the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally may also include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration, and is not intended to limit the structure of the server. For example, the server 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program and a module of an application software, such as a computer program corresponding to a method for detecting data by using sandbox cluster in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 104 may further include memory located remotely from processor 102, which may be connected to server 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the server 10. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In this embodiment, a method for detecting data by using sandbox cluster is provided, and fig. 2 is a flowchart of a method for detecting data by using sandbox cluster according to an embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:
step S202, collecting sample data, wherein the sample data comprises an email sample and a malicious file;
the sample data of this embodiment is a code, software, program, file, etc. for attacking hardware, software of a network system and data in the system thereof by using vulnerabilities and security flaws existing in a network or a hardware entity.
After the sample data is acquired, the file type of the sample data or the equipment type for operating the sample data is detected, wherein the file type comprises a public file and a private file, the sample data is sent to a public cloud server when the sample data is the public file, the sample data is sent to a private cloud server or a local server when the sample data is the private file, on the other hand, the sample data is sent to the private cloud server or the local server when the equipment type is equipment in a specified environment (such as equipment in a unit with high confidentiality such as a government organization and a financial structure), and the sample data is sent to the public cloud server when the equipment type is equipment in a general environment. The public cloud server, the private cloud server or the local server are provided with a sandbox cluster, and the sandbox cluster comprises a static sandbox for static detection and a dynamic sandbox for dynamic detection.
Step S204, delivering the sample data to a sandbox cluster, wherein the sandbox cluster comprises a static sandbox and a dynamic sandbox;
and S206, detecting the sample data by adopting the sandbox cluster, associating the detection result with the sample data, and storing the detection result and the sample data to an intelligence database of advanced persistent threat APT attack.
The intelligence database of this embodiment includes IOC indicator information, APT organization information, membership information, and information such as the means, range, time and target of APT attacks.
Through the steps above, sample data is collected and delivered to a sandbox cluster comprising a static sandbox and a dynamic sandbox; the sandbox cluster then detects the sample data, and the detection result and the sample data are associated and stored in an APT attack threat intelligence database. Log analysis rules are maintained on the basis of the static sandbox's operation results, and the core countermeasure results of the dynamic sandbox are tracked, so that suspicious objects can be filtered and located accurately. Malicious sample information is detected accurately and efficiently through static analysis and dynamic debugging techniques, misjudgments of manual analysis are reduced and efficiency is improved, which solves the technical problem in the related art that APT attack intelligence databases are built with low efficiency. The ability of operations and analysis personnel to analyze, track and locate malicious samples is greatly improved, and it becomes much easier for security personnel to trace the identity of APT attackers.
In this embodiment, delivering the sample data to a sandbox cluster includes: judging whether a static OWL detection rule of the static sandbox is matched with the sample data; when the static OWL detection rule of the static sandbox is matched with the sample data, delivering the sample data to the static sandbox; and when the static OWL detection rule of the static sandbox does not match the sample data, delivering the sample data to the dynamic sandbox.
In one implementation of this embodiment, the static sandbox mainly runs static rules and processes metadata, and detecting the sample data using the sandbox cluster includes:
S11, detecting and extracting the sample data with the sandbox cluster based on semantics and file meta-information, and identifying file information of the sample data, wherein the file information comprises at least one of the following: file name, file type matching degree, file size, message digest algorithm MD5, secure hash algorithm SHA1, SHA256, SHA512 and fuzzy hash algorithm SSdeep;
S12, extracting the meta-information of the sample data according to the file information, wherein the meta-information comprises at least one of the following: the number of bytes, signature information and program database (PDB) file path of the portable executable (PE).
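The static triage described in S11 and S12, together with the rule-based routing decision (static rule matches go to the static sandbox, everything else to the dynamic sandbox), as an added Python example that is not code from the patent. The OWL rules are replaced by two hypothetical predicates, the PE image is a constructed minimal header rather than a real program, and the ssdeep fuzzy hash is omitted because it is not in the standard library; everything else uses only `hashlib` and `struct`.

```python
import hashlib
import struct

# Constructed minimal PE32 image (not a real program): a DOS header, the PE
# signature, a COFF header with `num_sections` sections, a PE32 optional header
# whose security data directory is empty unless `signed`, and an RSDS CodeView
# record carrying a PDB path. Only the fields the triage below reads are set.
def build_sample_pe(num_sections=3, pdb_path=b"C:\\build\\agent.pdb", signed=False):
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                             # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x400)  # security dir (RVA, size)
    codeview = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path + b"\x00"
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + codeview

MAGIC = [(b"MZ", "PE"), (b"%PDF", "PDF"), (b"PK\x03\x04", "ZIP/Office"), (b"\x7fELF", "ELF")]

def file_info(name, data):
    """File-level information of step S11 (ssdeep omitted: not in the stdlib)."""
    ftype = next((t for m, t in MAGIC if data.startswith(m)), "unknown")
    return {
        "file_name": name,
        "file_type": ftype,
        "file_size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }

def pe_meta(data):
    """PE meta-information of step S12: section count, signature presence, PDB path."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00" or len(data) < pe_off + 26:
        return None
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24                                  # signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)     # data directories start
    signed = False
    if dd_off + 5 * 8 <= opt_off + opt_size:               # entry 4 = security (Authenticode)
        _, sec_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
        signed = sec_size > 0
    pdb = None
    idx = data.find(b"RSDS")                               # CodeView: sig + GUID + age + path
    if idx != -1:
        end = data.find(b"\x00", idx + 24)
        if end != -1:
            pdb = data[idx + 24:end].decode("latin-1")
    return {"sections": nsec, "signed": signed, "pdb_path": pdb}

# Hypothetical static rules standing in for the page's OWL rules: each is a
# predicate over (file_info, pe_meta). Any hit routes the sample to the static
# sandbox; no hit sends it to the dynamic sandbox.
STATIC_RULES = [
    ("unsigned_pe_with_pdb",
     lambda i, m: m is not None and not m["signed"] and m["pdb_path"] is not None),
    ("pdf_document", lambda i, m: i["file_type"] == "PDF"),
]

def route_sample(name, data):
    info = file_info(name, data)
    meta = pe_meta(data) if info["file_type"] == "PE" else None
    hits = [rule for rule, pred in STATIC_RULES if pred(info, meta)]
    return {"target": "static" if hits else "dynamic", "matched_rules": hits,
            "file_info": info, "pe_meta": meta}

if __name__ == "__main__":
    print(route_sample("agent.exe", build_sample_pe()))
```

The signature check only tests whether the security data directory is non-empty; whether the certificate chain actually verifies is a separate step a production static sandbox would add, and the RSDS search is a heuristic that will also find a CodeView record in an overlay or packed payload.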
In another implementation of this embodiment, the dynamic sandbox simulates a virtual environment in which the sample executes, analyzes all behaviors of every sample from process start to the end of execution, captures the traffic generated during the process, and produces a process record and report. Detecting the sample data using the sandbox cluster then comprises:
s21, simulating a virtual environment through the dynamic sandbox;
and S22, operating the sample data in the virtual environment, recording and analyzing all behavior actions of the sample data from process starting to finishing, capturing a flow packet in the execution process, and generating a process report.
The recorded behavior may be, but is not limited to: starting a process and injecting code into it (possibly at decompression time), checking for a kernel debugger, querying the process list, changing trace settings for files or consoles, allocating memory that is readable, writable and executable, creating an executable file in the file system, creating a suspicious process, and collecting information for a fingerprint of the system (unique identifier, product ID, BIOS time).
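The process report of steps S21 and S22, as an added Python example that is not code from the patent: a constructed event trace in an assumed schema is scored against one predicate per behavior category listed above, and the report records which categories fired, how often, which hosts the sample contacted (the captured traffic), and whether the trace ran from process start to finish. The event field names, the suspicious-path list and the verdict thresholds are all assumptions.

```python
from collections import Counter

# Constructed event trace in an assumed schema: one dict per recorded action,
# in the order the sandbox observed it. Field names are an assumption.
SAMPLE_TRACE = [
    {"type": "process_start", "pid": 100, "image": "C:\\Users\\Public\\invoice.exe"},
    {"type": "api_call", "pid": 100, "api": "kernel_debugger_check"},
    {"type": "process_list", "pid": 100},
    {"type": "mem_alloc", "pid": 100, "protect": "rwx", "size": 65536},
    {"type": "file_create", "pid": 100, "path": "C:\\ProgramData\\svc.exe"},
    {"type": "process_create", "pid": 100, "child_pid": 101, "image": "C:\\ProgramData\\svc.exe"},
    {"type": "inject", "pid": 100, "target_pid": 101},
    {"type": "fingerprint_query", "pid": 100, "key": "MachineGuid"},
    {"type": "fingerprint_query", "pid": 100, "key": "ProductId"},
    {"type": "net_connect", "pid": 101, "dst": "update.example.invalid", "port": 443},
    {"type": "process_end", "pid": 100},
]

# Assumed list of locations from which a newly created process is considered suspicious.
SUSPICIOUS_LOCATIONS = ("\\programdata\\", "\\temp\\", "\\users\\public\\")

# One predicate per behavior category named in the description above.
BEHAVIOUR_RULES = {
    "code_injection": lambda e: e["type"] == "inject",
    "kernel_debugger_check": lambda e: e["type"] == "api_call"
                                       and e.get("api") == "kernel_debugger_check",
    "process_list_query": lambda e: e["type"] == "process_list",
    "rwx_memory_alloc": lambda e: e["type"] == "mem_alloc" and e.get("protect") == "rwx",
    "executable_dropped": lambda e: e["type"] == "file_create"
                                    and e.get("path", "").lower().endswith(".exe"),
    "suspicious_process_create": lambda e: e["type"] == "process_create"
                                           and any(s in e.get("image", "").lower()
                                                   for s in SUSPICIOUS_LOCATIONS),
    "fingerprint_collection": lambda e: e["type"] == "fingerprint_query",
}

def analyze_trace(events):
    """Build the process report: behaviors seen, their counts, contacted hosts, verdict."""
    counts = Counter()
    for e in events:
        for name, pred in BEHAVIOUR_RULES.items():
            if pred(e):
                counts[name] += 1
    hosts = sorted({f'{e["dst"]}:{e["port"]}' for e in events if e["type"] == "net_connect"})
    started = [e["image"] for e in events if e["type"] == "process_start"]
    ended = sum(1 for e in events if e["type"] == "process_end")
    # Verdict thresholds are an assumption for the example, not the patent's policy.
    verdict = "malicious" if len(counts) >= 3 else "suspicious" if counts else "clean"
    return {
        "root_images": started,
        "ran_to_completion": ended == len(started),
        "behaviours": sorted(counts),
        "behaviour_counts": dict(counts),
        "contacted_hosts": hosts,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for k, v in analyze_trace(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

Counting distinct categories rather than raw events keeps a sample that queries the registry a hundred times from outscoring one that injects code once; a real report would also keep the per-event timestamps and the captured packets themselves for the analyst.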
Besides static sandbox detection and dynamic sandbox detection, samples that neither sandbox can classify can be analyzed manually, and the analysis result is added to the APT attack intelligence database.
Optionally, after the detecting result is associated with the sample data and then stored in an intelligence database of the APT attack, the method further includes: and tracking and positioning the APT attack source according to the intelligence database.
The APT analysis method based on malicious samples in this embodiment relates to the field of computer information security. In general terms, malicious information is extracted from a mass of files, and the IOC (Indicators of Compromise, i.e. attack and compromise indicators, or intrusion indicators) and TTP (Tactics, Techniques and Procedures) information of the related APT organizations is maintained (for example, by extracting and labelling the IOC indicator features of each query and extracting their metadata, the related APT organization information and context information are processed and extracted, and information such as tactics and techniques is recorded); metadata extraction and management are performed on the mail samples and the malicious file samples, so as to provide identification of malicious samples and display of the results for malicious samples and malicious mail information. At the same time, the IP address and attack process information of the affected user are recorded, the attack activity and its context are recorded in the data storage platform, and correlation analysis is performed on the interactions of the file samples. In this way, attack analysis and operations on the source of an APT attack are carried out on the malicious sample, the attack group is discovered and continuously tracked, and the device greatly improves the efficiency of sample analysis and operations.
A complete implementation of this embodiment includes the following functional modules, listed in the order in which they act: a network collector, a static sandbox, a dynamic sandbox, a high-countermeasure sandbox cluster, an intelligence matching module and an event response module.
Network collector: sample input is connected automatically, for example mail attachments are delivered, and original files are delivered automatically in batches and uploaded to the sandbox interface;
Static sandbox: the sample file first undergoes static detection in the static sandbox, where the static rules for malicious files are matched. Information is gathered by extracting file metadata, including file name, file type matching degree, file size, MD5 (Message-Digest Algorithm), SHA-1 (Secure Hash Algorithm), SHA256, SHA512, SSDeep and the like. At the same time, the files are detected and screened by the OWL (Ontology Language) static engine rules;
Dynamic sandbox: simulates dynamic execution, analyzes host behavior, obtains network behavior and screenshots during operation, and at the same time captures network traffic and the sample;
High-countermeasure sandbox cluster: stores the mass data and intelligence of every detection result together with file-type data, so that the historical data and file-type data related to all sandbox results are kept in the cluster;
Intelligence matching module: matches the IOC results of the sandbox detection, and after associating the context obtains family information, the malicious domain names accessed and historical analysis addresses, so that the family of a malicious sample and the correlation analysis of the APT attack source can be located more accurately. For example, by looking up a given malicious sample in the sandbox and associating threat intelligence and WHOIS (a query protocol for looking up the IP address, owner and similar information of a domain name) history, all information related to the file can be provided;
Event response module: counts and processes the results of the samples currently analyzed, provides case management and event association, and derives new intelligence as each engine and detection rule is updated in real time.
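The intelligence matching and storage stages (matching a sandbox result's IOCs against the intelligence database to obtain family, organization and WHOIS history, associating the result with its sample and the affected user's IP, and deriving new intelligence from the association), as an added Python example that is not code from the patent. The database layout, record fields and every hash, domain and group name are constructed placeholders; the promotion rule that turns an attributed sample's unknown domains into new IOCs is an assumption standing in for the "secondary production" the text mentions.

```python
from datetime import datetime, timezone

def make_intel_db():
    """Constructed intelligence database in an assumed layout: IOC -> context.
    Hashes, domains and group names are placeholders, not real indicators."""
    return {
        "sha256": {"0" * 63 + "1": {"family": "ExampleRAT", "group": "APT-Placeholder-1"}},
        "domain": {"c2.example.invalid": {"family": "ExampleRAT", "group": "APT-Placeholder-1"}},
        "whois_history": {
            "c2.example.invalid": [{"registered": "2018-01-01", "registrant": "placeholder-registrant"}],
        },
    }

def match_iocs(result, db):
    """Associate a sandbox result with intel context: matched IOCs, families, groups, WHOIS."""
    matches, families, groups = [], set(), set()
    sha = result.get("sha256")
    ctx = db["sha256"].get(sha) if sha else None
    if ctx:
        matches.append(("sha256", sha))
        families.add(ctx["family"])
        groups.add(ctx["group"])
    for dom in result.get("domains", []):
        ctx = db["domain"].get(dom)
        if ctx:
            matches.append(("domain", dom))
            families.add(ctx["family"])
            groups.add(ctx["group"])
    whois = {dom: db["whois_history"].get(dom, []) for kind, dom in matches if kind == "domain"}
    return {"matched_iocs": matches, "families": sorted(families),
            "groups": sorted(groups), "whois_history": whois}

def store_result(records, db, sample, result, when=None):
    """Associate the detection result with its sample, append it to the intelligence
    records, and promote the unknown domains of an unambiguously attributed sample
    to new IOCs (assumed rule for the example)."""
    context = match_iocs(result, db)
    record = {
        "sample_name": sample["file_name"],
        "sha256": result.get("sha256"),
        "source_ip": sample.get("source_ip"),         # affected user's address
        "behaviours": list(result.get("behaviours", [])),
        "domains": list(result.get("domains", [])),
        "families": context["families"],
        "groups": context["groups"],
        "matched_iocs": context["matched_iocs"],
        "recorded_at": when or datetime.now(timezone.utc).isoformat(),
        "new_iocs": [],
    }
    if len(context["groups"]) == 1:                    # only attribute when unambiguous
        group = context["groups"][0]
        family = context["families"][0] if context["families"] else "unknown"
        for dom in result.get("domains", []):
            if dom not in db["domain"]:
                db["domain"][dom] = {"family": family, "group": group}
                record["new_iocs"].append(dom)
    records.append(record)
    return record

if __name__ == "__main__":
    db, records = make_intel_db(), []
    sample = {"file_name": "invoice.exe", "source_ip": "10.0.0.5"}       # constructed
    result = {"sha256": "0" * 63 + "1", "behaviours": ["code_injection"],
              "domains": ["c2.example.invalid", "new.example.invalid"]}  # constructed
    print(store_result(records, db, sample, result))
```

Promoting indicators only when exactly one group matched avoids poisoning the database when a sample's hash and domains point at different organizations; those conflicting cases are exactly the ones that should be routed to the manual analysis path the text describes.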
Fig. 3 is a complete service logic diagram of the embodiment of the present invention, and fig. 4 is a service flow diagram of the embodiment of the present invention, including:
Traffic collection process: responsible for automatically collecting the samples and delivering them in batches; it mainly comprises a traffic collector and a sample collector;
Sandbox detection process: comprises a static detection sandbox and a dynamic detection sandbox. Text semantic analysis and screening are carried out by a static OWL filtering and extraction engine in the high-countermeasure sandbox cluster. The static OWL rules detect and extract text data based on semantics and file meta-information; the OWL engine can identify file types and extracts the corresponding meta-information for each file type, such as the number of sections of a PE (Portable Executable) file, whether a signature exists and what it is, and the PDB (Program Database File) path, and delivers the samples to the corresponding static and dynamic sandboxes;
Data storage and response process: responsible for associating the sandbox results with APT family information and for case warehousing, and produces new intelligence.
Optionally, the execution subject of the above steps may be a cloud server or a local server connected to one or more clients or servers, and the clients may be mobile terminals, PCs, and the like, but are not limited thereto.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
In this embodiment, a device for detecting data by using a sandbox cluster is further provided, which may be a server. The device is used to implement the foregoing embodiments and preferred embodiments, and what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a block diagram of an apparatus for detecting data by using sandbox cluster according to an embodiment of the present invention, which may be applied in a server, as shown in fig. 5, the apparatus includes: an acquisition module 50, a delivery module 52, a processing module 54, wherein,
the acquisition module 50 is configured to acquire sample data, where the sample data includes a mail sample and a malicious file;
a delivery module 52, configured to deliver the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox;
and the processing module 54 is configured to detect the sample data by using the sandbox cluster, associate the detection result with the sample data, and store the associated detection result in an intelligence database of the advanced persistent threat APT attack.
Optionally, the delivery module includes: the judging unit is used for judging whether the static OWL detection rule of the static sandbox is matched with the sample data; the delivery unit is used for delivering the sample data to the static sandbox when the static OWL detection rule of the static sandbox is matched with the sample data; and when the static OWL detection rule of the static sandbox does not match the sample data, delivering the sample data to the dynamic sandbox.
Optionally, the processing module includes: an identification unit, used for detecting and extracting the sample data based on semantics and file meta-information with the sandbox cluster, and identifying file information of the sample data, wherein the file information comprises at least one of the following: file name, file type matching degree, file size, message digest algorithm MD5, secure hash algorithm SHA1, SHA256, SHA512 and fuzzy hash algorithm SSdeep; and an extracting unit, configured to extract meta-information of the sample data according to the file information, where the meta-information includes at least one of: the number of bytes, signature information and program database (PDB) file path of the portable executable (PE).
Optionally, the processing module includes: the simulation unit is used for simulating the virtual environment through the dynamic sandbox; and the processing unit is used for operating the sample data in the virtual environment, recording and analyzing all behavior actions of the sample data from process starting to finishing, capturing a flow packet in the execution process and generating a process report.
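The triage steps described above (match static rules and route to the static or dynamic sandbox; identify file name, type match, size and digests; extract the PE byte count, signature presence and PDB path) as a worked example. This is added illustration code, not code from the patent or from the applicant; the patent does not give the syntax of its "static OWL detection rules" or define "file type matching degree", so a byte-pattern rule and an extension-versus-magic-bytes agreement score are assumed here, and ssdeep is omitted because it needs a third-party library. The sample PE image is constructed inline so the block runs offline with only the standard library.

```python
import hashlib
import struct

# Constructed magic-byte table: detected type and the extensions that agree with it
# (assumption: "file type matching degree" = does the declared extension match the content).
MAGIC = [
    (b"MZ", "pe", {"exe", "dll", "sys", "scr"}),
    (b"%PDF", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"\xd0\xcf\x11\xe0", "ole", {"doc", "xls", "ppt", "msg"}),
]


def detect_type(data):
    for magic, kind, _ in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def file_info(name, data):
    """File information named in the patent: name, type match, size, MD5/SHA1/SHA256/SHA512."""
    kind = detect_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    allowed = next((exts for _, k, exts in MAGIC if k == kind), set())
    return {
        "file_name": name,
        "file_type": kind,
        "type_match": 1.0 if ext in allowed else 0.0,   # 0.0 flags e.g. an .exe named "invoice.pdf"
        "file_size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def pe_meta(data):
    """PE meta information: byte count, Authenticode presence (security data directory),
    and the PDB path from the CodeView 'RSDS' debug record. Returns None for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)         # data-directory offset for PE32 / PE32+
    if dd_base is None or opt + dd_base + 5 * 8 > len(data):
        return None
    sec_off, sec_size = struct.unpack_from("<II", data, opt + dd_base + 4 * 8)  # entry 4: certificate table
    pdb_path = None
    rsds = data.find(b"RSDS")
    if rsds != -1:
        start = rsds + 4 + 16 + 4                        # signature, 16-byte GUID, 4-byte age, then NUL-terminated path
        end = data.find(b"\0", start)
        if end != -1:
            pdb_path = data[start:end].decode("latin-1")
    return {"bytes": len(data), "signed": sec_off != 0 and sec_size != 0, "pdb_path": pdb_path}


# Constructed static rules standing in for the patent's static OWL detection rules (assumed format).
STATIC_RULES = [
    {"name": "known-builder-pdb", "pattern": b"\\build\\agent.pdb"},
    {"name": "pdf-javascript", "pattern": b"/JavaScript"},
]


def dispatch(data, rules=STATIC_RULES):
    """Route to the static sandbox when any static rule matches, otherwise to the dynamic sandbox."""
    hits = [r["name"] for r in rules if r["pattern"] in data]
    return ("static", hits) if hits else ("dynamic", [])


def build_sample_pe():
    """Constructed minimal PE32 image: RSDS record with a PDB path plus a fake certificate blob."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                               # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    body = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + b"C:\\build\\agent.pdb\0"
    cert_off = 0x40 + len(coff) + len(opt) + len(body)
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, 16)                # security directory -> blob
    return bytes(dos) + coff + bytes(opt) + body + b"\xAA" * 16
```

Running `dispatch(build_sample_pe())` routes the constructed executable to the static sandbox because its PDB path matches a rule, while a PDF with no matching pattern goes to the dynamic sandbox; `file_info("invoice.pdf", build_sample_pe())` reports a type match of 0.0, the kind of mismatch that is worth recording alongside the digests.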
Optionally, the apparatus further comprises: and the tracking module is used for tracking and positioning an APT attack source according to the intelligence database after the processing module correlates the detection result with the sample data and stores the correlation result into the intelligence database of the APT attack.
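The last two steps, associating a detection result (static meta information or a dynamic process report with captured traffic) with its sample, storing both in the intelligence database, and then tracking the attack source by pivoting across stored samples, as a worked example. This is added illustration code, not the patent's or the applicant's implementation; the SQLite schema, the indicator kinds (PDB path, traffic destination host, mutex name) and all sample hashes and results are constructed for the example.

```python
import sqlite3

# Constructed schema (assumption): one row per sample, plus the pivotable indicators
# extracted from its detection result.
SCHEMA = """
CREATE TABLE samples (
    sha256 TEXT PRIMARY KEY, name TEXT, sandbox TEXT, verdict TEXT);
CREATE TABLE indicators (
    sha256 TEXT REFERENCES samples(sha256), kind TEXT, value TEXT,
    PRIMARY KEY (sha256, kind, value));
"""


def open_intel_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def indicators_from_result(result):
    """Flatten a detection result into (kind, value) pairs: the PDB path from the
    static meta information, destination hosts from the captured traffic, and
    mutex names from the recorded behavior actions of the dynamic run."""
    out = set()
    meta = result.get("meta", {})
    if meta.get("pdb_path"):
        out.add(("pdb_path", meta["pdb_path"]))
    for pkt in result.get("traffic", []):
        out.add(("dst_host", pkt["dst"]))
    for act in result.get("behaviors", []):
        if act["type"] == "mutex":
            out.add(("mutex", act["name"]))
    return out


def store_result(conn, sample, result):
    """Associate the detection result with the sample (keyed on SHA256) and persist both."""
    conn.execute("INSERT OR REPLACE INTO samples VALUES (?, ?, ?, ?)",
                 (sample["sha256"], sample["name"], result["sandbox"], result["verdict"]))
    conn.executemany("INSERT OR IGNORE INTO indicators VALUES (?, ?, ?)",
                     [(sample["sha256"], k, v) for k, v in indicators_from_result(result)])
    conn.commit()


def trace_related(conn, sha256):
    """Track the attack source: every other stored sample sharing an indicator with this one.
    Returns rows of (sha256, name, kind, value) describing the shared indicator."""
    return conn.execute("""
        SELECT DISTINCT s.sha256, s.name, i2.kind, i2.value
        FROM indicators i1
        JOIN indicators i2 ON i1.kind = i2.kind AND i1.value = i2.value
        JOIN samples s ON s.sha256 = i2.sha256
        WHERE i1.sha256 = ? AND i2.sha256 <> ?
        ORDER BY s.sha256""", (sha256, sha256)).fetchall()


def demo():
    """Constructed samples and results (placeholder hashes, not real files); returns the
    set of samples related to sample B through the stored indicators."""
    conn = open_intel_db()
    store_result(conn, {"sha256": "a" * 64, "name": "invoice.exe"},
                 {"sandbox": "static", "verdict": "malicious",
                  "meta": {"pdb_path": "C:\\build\\agent.pdb"}})
    store_result(conn, {"sha256": "b" * 64, "name": "update.scr"},
                 {"sandbox": "dynamic", "verdict": "malicious",
                  "meta": {"pdb_path": "C:\\build\\agent.pdb"},
                  "behaviors": [{"type": "process_start", "image": "update.scr"},
                                {"type": "mutex", "name": "Global\\agent_run"}],
                  "traffic": [{"dst": "cdn-update.example.invalid", "dport": 443}]})
    store_result(conn, {"sha256": "c" * 64, "name": "report.docx"},
                 {"sandbox": "dynamic", "verdict": "suspicious",
                  "behaviors": [{"type": "file_write", "path": "%TEMP%\\x.dll"}],
                  "traffic": [{"dst": "cdn-update.example.invalid", "dport": 443}]})
    store_result(conn, {"sha256": "d" * 64, "name": "clock.exe"},
                 {"sandbox": "dynamic", "verdict": "benign",
                  "traffic": [{"dst": "time.example.invalid", "dport": 123}]})
    return {row[0] for row in trace_related(conn, "b" * 64)}
```

In the constructed data, sample B links to sample A through the shared PDB path (a build-environment artifact) and to sample C through the shared traffic destination, while the benign sample D shares nothing; that pivot across the intelligence database is what the tracking module relies on to cluster samples back to a common source.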
It should be noted that the above modules may be implemented in software or hardware; in the latter case they may be implemented, without limitation, as follows: all modules located in the same processor, or the modules located in different processors in any combination.
Example 3
Embodiments of the present invention also provide a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the following steps:
S1, collecting sample data, where the sample data includes mail samples and malicious files;
S2, delivering the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox;
and S3, detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing the detection result and the sample data in an intelligence database of APT attacks.
Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing computer programs, such as a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by means of a computer program:
S1, collecting sample data, where the sample data includes mail samples and malicious files;
S2, delivering the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox;
and S3, detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing the detection result and the sample data in an intelligence database of APT attacks.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in a software product stored in a storage medium, which includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (8)

1. A method for detecting data by adopting a sandbox cluster is characterized by comprising the following steps: collecting sample data, wherein the sample data comprises a mail sample and a malicious file; delivering the sample data to a sandbox cluster, wherein the sandbox cluster comprises a static sandbox and a dynamic sandbox; detecting the sample data by adopting the sandbox cluster, associating a detection result with the sample data, and storing the detection result and the sample data into an information database of advanced persistent threat APT attack;
wherein delivering the sample data to a sandbox cluster comprises: judging whether a static OWL detection rule of the static sandbox is matched with the sample data; when the static OWL detection rule of the static sandbox is matched with the sample data, delivering the sample data to the static sandbox; and when the static OWL detection rule of the static sandbox does not match the sample data, delivering the sample data to the dynamic sandbox.
2. The method of claim 1, wherein detecting the sample data using the sandbox cluster comprises: detecting and extracting the sample data by adopting the sandbox cluster based on semantics and file meta information, and identifying file information of the sample data, wherein the file information comprises at least one of the following: file name, file type matching degree, file size, message digest algorithm MD5, secure hash algorithm SHA1, SHA256, SHA512 and fuzzy hash algorithm ssdeep; extracting meta-information of the sample data according to the file information, wherein the meta-information comprises at least one of the following: the number of bytes of the portable executable PE, signature information and program database file PDB path.
3. The method of claim 1, wherein detecting the sample data using the sandbox cluster comprises: simulating a virtual environment through a dynamic sandbox; and running the sample data in the virtual environment, recording and analyzing all behavior actions of the sample data from process start to finish, capturing traffic packets during execution, and generating a process report.
4. The method of claim 1, wherein after associating the detection result with the sample data and storing the associated sample data in an intelligence database of an APT attack, the method further comprises: and tracking and positioning the APT attack source according to the intelligence database.
5. An apparatus for detecting data using a sandbox cluster, comprising: the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring sample data, and the sample data comprises a mail sample and a malicious file; a delivery module, configured to deliver the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox; the processing module is used for detecting the sample data by adopting the sandbox cluster, associating a detection result with the sample data and storing the detection result and the sample data into an information database of advanced persistent threat APT attack;
wherein the delivery module comprises: the judging unit is used for judging whether the static OWL detection rule of the static sandbox is matched with the sample data; the delivery unit is used for delivering the sample data to the static sandbox when the static OWL detection rule of the static sandbox is matched with the sample data; and when the static OWL detection rule of the static sandbox does not match the sample data, delivering the sample data to the dynamic sandbox.
6. The apparatus of claim 5, wherein the processing module comprises: the identification unit is used for detecting and extracting the sample data based on semantics and file meta information by adopting the sandbox cluster, and identifying file information of the sample data, wherein the file information comprises at least one of the following: file name, file type matching degree, file size, message digest algorithm MD5, secure hash algorithm SHA1, SHA256, SHA512 and fuzzy hash algorithm ssdeep; an extracting unit, configured to extract meta information of the sample data according to the file information, where the meta information includes at least one of: the number of bytes of the portable executable PE, signature information and program database file PDB path.
7. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 4 when executed.
8. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 4.
CN201910345232.3A 2019-04-26 2019-04-26 Method and device for detecting data by adopting sandbox cluster Active CN110188538B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910345232.3A CN110188538B (en) 2019-04-26 2019-04-26 Method and device for detecting data by adopting sandbox cluster

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910345232.3A CN110188538B (en) 2019-04-26 2019-04-26 Method and device for detecting data by adopting sandbox cluster

Publications (2)

Publication Number Publication Date
CN110188538A CN110188538A (en) 2019-08-30
CN110188538B true CN110188538B (en) 2021-07-20

Family

ID=67715260

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910345232.3A Active CN110188538B (en) 2019-04-26 2019-04-26 Method and device for detecting data by adopting sandbox cluster

Country Status (1)

Country Link
CN (1) CN110188538B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11379578B1 (en) * 2020-10-16 2022-07-05 Trend Micro Incorporated Detecting malware by pooled analysis of sample files in a sandbox
CN112528273B (en) * 2020-12-29 2023-06-06 天津开心生活科技有限公司 Medical data detection method, device, medium and electronic equipment
CN113992443B (en) * 2021-12-28 2022-04-12 北京微步在线科技有限公司 Cloud sandbox flow processing method and device
CN113987521B (en) * 2021-12-28 2022-03-22 北京安华金和科技有限公司 Scanning processing method and device for database bugs
CN115037523B (en) * 2022-05-17 2024-05-17 浙江工业大学 APT detection method for heterogeneous terminal log fusion

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022377A (en) * 2007-01-31 2007-08-22 北京邮电大学 Interactive service establishing method based on service relation body
CN102004767A (en) * 2010-11-10 2011-04-06 北京航空航天大学 Abstract service logic-based interactive semantic Web service dynamic combination method
JP6210998B2 (en) * 2012-11-15 2017-10-11 一般財団法人化学及血清療法研究所 Infectious disease prevention method by combined use of vector vaccine and live vaccine
CN108009425A (en) * 2017-11-29 2018-05-08 四川无声信息技术有限公司 File detects and threat level decision method, apparatus and system
CN109190657B (en) * 2018-07-18 2021-11-02 国家计算机网络与信息安全管理中心 Sample homologous analysis method based on data slice and image hash combination

Also Published As

Publication number Publication date
CN110188538A (en) 2019-08-30

Similar Documents

Publication Publication Date Title
CN110188538B (en) Method and device for detecting data by adopting sandbox cluster
CN109829310B (en) Similar attack defense method, device, system, storage medium and electronic device
Arshad et al. SAMADroid: a novel 3-level hybrid malware detection model for android operating system
US9661003B2 (en) System and method for forensic cyber adversary profiling, attribution and attack identification
CN110210213B (en) Method and device for filtering malicious sample, storage medium and electronic device
CN110149319B (en) APT organization tracking method and device, storage medium and electronic device
CN108471429B (en) Network attack warning method and system
CN106375331B (en) Attack organization mining method and device
US9628507B2 (en) Advanced persistent threat (APT) detection center
CN108683687B (en) Network attack identification method and system
CN108881263B (en) Network attack result detection method and system
CN110149318B (en) Mail metadata processing method and device, storage medium and electronic device
CN107295021B (en) Security detection method and system of host based on centralized management
CN111274583A (en) Big data computer network safety protection device and control method thereof
CN108833185B (en) Network attack route restoration method and system
CN110691080B (en) Automatic tracing method, device, equipment and medium
CN111221625B (en) File detection method, device and equipment
CN107302586B (en) Webshell detection method and device, computer device and readable storage medium
CN110198303A (en) Threaten the generation method and device, storage medium, electronic device of information
US20220200959A1 (en) Data collection system for effectively processing big data
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
CN107666464B (en) Information processing method and server
CN115883223A (en) User risk portrait generation method and device, electronic equipment and storage medium
CN110224975B (en) APT information determination method and device, storage medium and electronic device
Fatemi et al. Threat hunting in windows using big security log data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant after: Qianxin Technology Group Co., Ltd.

Address before: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

GR01 Patent grant