CN104200161A - Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method - Google Patents


Info

Publication number
CN104200161A
Authority
CN
China
Prior art keywords
file
module
detection
detected
sandbox
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410381591.1A
Other languages
Chinese (zh)
Other versions
CN104200161B (en)
Inventor
李凯
李海彬
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN201410381591.1A
Publication of CN104200161A
Application granted
Publication of CN104200161B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to the field of malicious code detection and provides a method for intelligent sandbox file detection and an intelligent sandbox detection system based on the method. In the method, when the sandbox performs file behaviour detection, after the file under analysis has been submitted to the sandbox and run, a detection module launches the file, the program's run-time behaviour is monitored through an API HOOK module, and at the same time the intelligent simulation module of the detection module reproduces as fully as possible how the file would run in a real environment. Manual operation is simulated by a dedicated program, which solves the problem in current dynamic behaviour analysis that the program's execution trajectory cannot be fully reproduced, so that malicious behaviour goes unreported. The problem of the file's anti-virtualization checks during analysis is solved by API HOOK hijacking.

Description

A method for intelligent sandbox file detection and a sandbox intelligent detection system based on it
Technical field
The invention relates to the field of malicious code detection, in particular to a method for intelligent sandbox file detection and a sandbox intelligent detection system based on it.
Background
Current malware uses techniques such as inserting junk code, swapping code positions, reallocating registers and substituting equivalent code to evade traditional signature-based anti-malware detection. To address this class of problem, many vendors use sandboxes to strengthen the detection of malicious-code attacks.
When a sandbox is used for malicious code detection, the judgement of malicious behaviour is almost always based on feature matching. For example, Chinese patent application CN201410032004.8, "Method and device for automatically processing malicious code samples", proposes extracting static features for matching, supplemented by dynamic-feature matching. Although many sandboxes also use dynamic analysis, during dynamic analysis the execution trajectory of the file under analysis cannot be faithfully reproduced in the sandbox environment.
When a sandbox is used for file analysis, each vendor also has its own standard for deciding that analysis of the current file is complete. The usual practice is to set a maximum run time for the program: when the program reaches the maximum run time it is judged to be analysed and the current detection task ends. The problem with this method is that a single file takes a long time: even a file with no further activity must wait until the run timeout, so the detection process contains useless work and detection efficiency is reduced.
Summary of the invention
The main purpose of the present invention is to overcome the deficiencies of the prior art by providing a method for intelligent sandbox file detection and a system based on it. To solve the above technical problems, the solution of the present invention is as follows.
A method for intelligent sandbox file detection is provided for detecting the execution behaviour of a file. It comprises the following steps:
Step 1: The sandbox module receives the file to be analysed, generates a detection task according to a rule, writes the detection task into a database and marks the task status as pending.
The detection task comprises an auto-incrementing task ID; the storage path of the file to be analysed; the file type (obtained by magic-number identification combined with the file suffix: if magic-number identification yields a file type, that type is used as the type of the current file; if it cannot determine the program's file type, the filename suffix is used as the executable file type); the checksum of the file to be analysed (obtained with a hash algorithm); and the analysis time limit for the file in this task. Step 1 repeats.
Step 2: The sandbox module connects to and queries the database for a detection task whose status is pending. If there is no task in that status, the sandbox module waits for a fixed interval and queries again.
If the sandbox module finds a detection task in the pending status, it calls the virtual machine's public interface (for example VBoxManage showvminfo, to obtain the virtual machine's current running state) to query whether a virtual machine is currently available to run the detection task (a virtual machine that is powered off or in the saved state can be used). If no virtual machine can currently run a task, the sandbox module waits for a fixed interval and obtains the virtual machine states again. If a virtual machine is available, the sandbox module calls the virtual machine's public interface (for example VBoxManage startvm) to start it.
After the virtual machine starts, the detection module, which starts together with the virtual machine, begins listening on a designated port (the listening port number can be specified in the detection module program). The sandbox module connects to the virtual machine's listening port and delivers the pending task over the network to the detection module of the virtual machine that will run this task. The sandbox module marks the submitted task's status as submitted and keeps the connection open to wait for data returned by the detection module.
The detection module receives the detection task, reads the file type in the task and checks whether the current system has a corresponding executor program that can run this file. If one exists it returns initialization success, otherwise initialization failure.
Step 3: The sandbox module receives the initialization information returned by the detection module in step 2 and judges from it whether this virtual machine can run the current detection task. If initialization succeeded, the current file can be analysed and processing continues with step 4. If initialization failed, the current detection task cannot be run and the detection task ends; the sandbox module marks the current task status in the database as undetectable.
Step 4: The sandbox module uploads the file to be analysed to the detection module over the network. When the transfer is complete, the sandbox module keeps its connection to the virtual machine in order to receive the detection result information, and marks the current task status as detecting.
Step 5: The detection module in the virtual machine receives the file, computes its checksum and compares it with the checksum in the detection task to confirm that the file is complete (matching checksums mean the transfer is complete). If the transfer is incomplete, the detection module tells the sandbox module to resend the file. If the transfer is complete, the detection module starts the file with the suspend parameter so that its process is created suspended, and at the same time starts a timer that records how long the file has been running. With the file suspended, the detection module injects the API HOOK module into the address space of the sample under analysis. (The typical application of API hooking is Microsoft's Process Monitor; the present invention uses the same idea for its API HOOK operation. The API HOOK module of the present invention runs on the virtual machine and is mainly used to hook system functions on the virtual machine, including but not limited to the process-creation, file read/write, file-deletion, network-connection and registry-access functions, and to record the sample's relevant operation information and export it to the detection module. The API HOOK module also hijacks part of the file accesses: when the sample attempts to access specific system resources, for example the VBoxService file of the virtual machine, the API HOOK module intercepts the access request and directly returns a file-access failure, which prevents the sample from determining whether the current environment is a virtual machine by accessing virtual-machine marker files. A typical application of this kind of API hijacking is the file firewall used by some anti-virus software; this embodiment uses the same idea.)
After the API HOOK module has been injected successfully, the detection module resumes the sample. The API HOOK module records the sample's behaviour information and returns the detection result to the detection module. If within a fixed interval the API HOOK module does not observe the sample calling any of the system functions it hooks, it returns "no activity for the interval" to the detection module, which takes this as the sign that the file has finished analysis and jumps to step 7. The detection module transmits the file behaviour information received from the API HOOK module to the sandbox module over the network. If the file fails to start or the API HOOK module fails to inject, the detection ends and a detection-exception instruction is returned to the sandbox module; after receiving the failure information the sandbox module marks the current detection task status in the database as failed and jumps to step 7.
Step 6: The detection module starts the intelligent simulation module. The intelligent simulation module programmatically identifies the user-visible windows of the sample (for files of exe type), obtains the buttons and button captions in each window, and compares the captions it obtains against the captions preset in the program (the preset captions are the button captions that need to be operated, set in advance in the intelligent simulation module; they include but are not limited to "yes", "ok", "install", "agree", "run", "continue", "finish", "accept" and "extract", together with the corresponding Chinese-language captions, rendered in translation as "accept", "agree", "next step" and "complete"). This decides whether manual-operation simulation must intervene in the sample so as to reproduce the file's real running environment. The module attempts to obtain the sample's windows, child windows and window buttons (the typical application for obtaining a program's windows, child windows and buttons is Microsoft's Spy++ tool; the present invention uses the same idea to obtain this information).
If the intelligent simulation module succeeds in obtaining the sample's windows, child windows and window buttons, it matches the button captions obtained against the preset captions. If a match succeeds, the intelligent simulation module moves the mouse to the button whose caption matched, performs a left-button single click, and then repeats step 6. If no match succeeds, it uses the analysis time limit configured in this detection task to judge whether the sample has finished running: if the program exits normally within the time limit, step 8 is executed; if the sample's running time reaches the time limit configured in the detection task and the sample is still running, step 7 is executed.
Step 7: The detection module calls a process-kill function to terminate the sample.
Step 8: The detection module returns a detection-complete instruction to the sandbox module.
Step 9: If the sandbox module receives a detection-exception instruction from the detection module, it marks the current detection task as abnormal.
If the sandbox module receives the detection-complete instruction without having received a detection-exception instruction, it marks the current detection task as completed, saves the file's detection result to a file, and attaches the path of the result file to the current detection task for use by other programs.
After receiving the detection-complete instruction, the sandbox module calls the virtual machine's public interface (for example VBoxManage controlvm) to shut down the virtual machine that ran the current detection task.
After the virtual machine has shut down, the sandbox module calls the image-restore function (for example VBoxManage snapshot) to restore the virtual machine image. The current detection task is then complete, and step 2 is repeated.
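The host-side half of steps 1 to 9 above, as an added example that is not the patent's or DBAPPSecurity's code: the detection-task state machine the sandbox module keeps in its database (pending, submitted, detecting, then completed, failed, undetectable or abnormal), the parsing of VBoxManage showvminfo output to find a virtual machine that is powered off or saved, and the VBoxManage calls the text names for start, shutdown and snapshot restore. SQLite stands in for the task database, the status names and the fixed VM name list are this example's assumptions, and the showvminfo excerpt is constructed; the VBoxManage subcommands are real but are only built here, not executed, so the example runs offline.

```python
import sqlite3
import subprocess

# Status transitions the steps above allow; anything else is a scheduler bug.
TRANSITIONS = {
    "pending": {"submitted"},                      # step 2: task handed to the detection module
    "submitted": {"detecting", "undetectable"},    # step 3: init result decides
    "detecting": {"completed", "failed", "abnormal"},  # steps 5 and 9
}
USABLE_STATES = {"poweroff", "saved"}  # a VM that is shut down or saved can take a task


def open_task_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS tasks (id INTEGER PRIMARY KEY AUTOINCREMENT,"
                 " path TEXT, file_type TEXT, sha256 TEXT, timeout INTEGER,"
                 " status TEXT, result_path TEXT)")
    return conn


def add_task(conn, path, file_type, sha256, timeout):
    """Step 1: insert the task record with status pending; the ID auto-increments."""
    cur = conn.execute("INSERT INTO tasks (path, file_type, sha256, timeout, status)"
                       " VALUES (?, ?, ?, ?, 'pending')", (path, file_type, sha256, timeout))
    conn.commit()
    return cur.lastrowid


def next_pending(conn):
    """Step 2 query: oldest pending task, or None (caller sleeps and polls again)."""
    return conn.execute("SELECT id, path, file_type, sha256, timeout FROM tasks"
                        " WHERE status = 'pending' ORDER BY id LIMIT 1").fetchone()


def set_status(conn, task_id, new_status, result_path=None):
    (old,) = conn.execute("SELECT status FROM tasks WHERE id = ?", (task_id,)).fetchone()
    if new_status not in TRANSITIONS.get(old, ()):
        raise ValueError(f"task {task_id}: illegal transition {old} -> {new_status}")
    conn.execute("UPDATE tasks SET status = ?, result_path = COALESCE(?, result_path) WHERE id = ?",
                 (new_status, result_path, task_id))
    conn.commit()


def status_of(conn, task_id):
    return conn.execute("SELECT status FROM tasks WHERE id = ?", (task_id,)).fetchone()[0]


def finish_task(conn, task_id, messages, result_path):
    """Step 9: an exception message marks the task abnormal; otherwise completed with the result attached."""
    if "exception" in messages:
        set_status(conn, task_id, "abnormal")
    else:
        set_status(conn, task_id, "completed", result_path)


def parse_vm_state(showvminfo_output):
    """Pull VMState out of `VBoxManage showvminfo <vm> --machinereadable` output."""
    for line in showvminfo_output.splitlines():
        if line.startswith("VMState="):
            return line.split("=", 1)[1].strip().strip('"')
    return None


def pick_vm(vm_states):
    """vm_states: {name: VMState}. First usable VM by name, or None so the caller retries later."""
    for name in sorted(vm_states):
        if vm_states[name] in USABLE_STATES:
            return name
    return None


def vbox_command(action, vm):
    """Argument vectors for the VBoxManage calls named in the steps (real subcommands)."""
    return {
        "state": ["VBoxManage", "showvminfo", vm, "--machinereadable"],
        "start": ["VBoxManage", "startvm", vm, "--type", "headless"],
        "stop": ["VBoxManage", "controlvm", vm, "poweroff"],
        "restore": ["VBoxManage", "snapshot", vm, "restorecurrent"],
    }[action]


def query_vm_states(vm_names, run=subprocess.run):
    """Live input for pick_vm; only usable where VBoxManage is installed."""
    states = {}
    for vm in vm_names:
        out = run(vbox_command("state", vm), capture_output=True, text=True, check=True).stdout
        states[vm] = parse_vm_state(out)
    return states


# Constructed excerpt in the --machinereadable format (not captured from a real host).
SAMPLE_SHOWVMINFO = '''name="win7-analysis-1"
ostype="Windows 7 (32-bit)"
VMState="saved"
VMStateChangeTime="2014-08-05T09:00:00.000000000"
'''
```

The restore step matters for isolation: `snapshot restorecurrent` discards everything the sample wrote, so each task starts from the clean restore point; a VM in the `running` state is never selected, which is how the scheduler avoids handing two tasks to one guest.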
A sandbox intelligent detection system based on the described method comprises a sandbox module and a virtual machine; the sandbox module and the virtual machine form the main body of the sandbox. The database is contained in the sandbox module, and the detection module with its attached intelligent simulation module and API HOOK module runs inside the virtual machine.
The sandbox module is the main module of the sandbox intelligent detection system. It is responsible for receiving files to be analysed and generating detection tasks, managing detection tasks, initiating file analysis, scheduling and managing virtual machines, and receiving and saving detection results.
The database can be of any type; it stores detection tasks and is used by the sandbox module to generate and manage them.
The detection module is the detection executor that runs on the virtual machine. It communicates with the sandbox module, obtains the detection task and the file, runs the file analysis, monitors the file's execution through the API HOOK module, and returns the sample's behaviour data to the sandbox module over the network. The detection module is built into the virtual machine and starts together with the virtual machine's operating system. Here, "file to be analysed" refers to a file in a detection task that has not yet been submitted for analysis; once it has been submitted to the virtual machine for analysis it is called the sample under analysis.
The virtual machine is the virtualization program running in the sandbox environment together with the operating system running under it (for example a Windows operating system running in the VirtualBox virtualization software); the state of the virtual machine after startup is saved as a restore point.
Working principle of the invention: when the sandbox performs file behaviour analysis, after the file has been submitted to the sandbox and run, the detection module launches the sample and monitors the program's operations through the API HOOK module, while the detection module's intelligent simulation module reproduces as fully as possible how the sample would run in a real environment.
Compared with the prior art, the beneficial effects of the invention are:
Manual operation is simulated by a dedicated program, which solves the problem in current dynamic behaviour analysis that the program's execution trajectory cannot be fully reproduced, so that malicious behaviour goes unreported; and API hook hijacking solves the problem of the sample's anti-virtualization checks during analysis.
Brief description of the drawings
Fig. 1 is the main flowchart of file detection in the present invention.
Fig. 2 is the flowchart of intelligent detection in the present invention.
Fig. 3 is the table mapping file types to executor programs.
Embodiment
It should first be noted that the present invention relates to malicious code detection technology and is an application of computer technology in the field of information security. Implementing the invention may involve several software function modules. The applicant believes that, after reading the application documents and accurately understanding the implementation principle and purpose of the invention, a person skilled in the art can fully implement the invention with known technology and ordinary programming skills. These software function modules include but are not limited to the sandbox module, the detection module, the API HOOK module and the intelligent simulation module; every module mentioned in the application belongs to this category, and they are not enumerated individually.
The invention is described in further detail below with reference to the drawings and an embodiment.
A method for intelligent sandbox file detection, for analysing a file to be analysed, comprises the following steps:
Step 1: The sandbox module receives files to be analysed in a loop and generates a pending task for each according to a rule (the file type is obtained by magic-number identification combined with the file suffix: if magic-number identification yields a type, that type is used as the current file's type, and when it cannot determine the program's file type the filename suffix is used as the executable file type; a hash algorithm produces the checksum of the file; and the analysis time limit for this task is specified). The task status is marked pending and the task is written into the task table of the MySQL database.
Step 2: The sandbox module connects to the MySQL database and queries the task table for a detection task in the pending status. If one exists, the sandbox module calls VBoxManage showvminfo to query whether a virtual machine that is powered off or saved is currently available for the task. If all virtual machines are running, the sandbox module fetches the virtual machine states again after 1 second. If a virtual machine is available, the module calls VBoxManage startvm to start it and then tries to connect to port 8000 of the virtual machine (port 8000 is the port on which the detection module listens for communication after it starts). Once the connection succeeds, the sandbox module uploads the detection task to the detection module as a file over HTTP. After the upload completes, the sandbox module changes the current task's status in the MySQL database to submitted and waits for the initialization result returned by the detection module.
The detection module starts with the virtual machine and opens port 8000 for communication. After receiving the detection-task file uploaded by the sandbox module, the detection module reads the task file and, using the file type in the task together with the execution mode defined for that file type inside the program, judges whether the file can run normally. If it can, the detection module returns initialization success to the sandbox main program and processing continues with step 3. If initialization fails, the detection module returns initialization-failure information to the sandbox module; on receiving it, the sandbox module changes the task status in the MySQL database to undetectable and executes step 6.
Step 3: After receiving the initialization-success information, the sandbox module uploads the file to the detection module over HTTP. When the detection module finishes receiving the file, it computes the file's checksum and compares it with the checksum recorded in the task file. If the checksums differ, the upload was abnormal; the detection module reports the file as abnormal to the sandbox module and asks it to resend the file. If the checksums match, the upload succeeded: the detection module runs the file with the suspend parameter and calls the timer function to record the file's running time. With the file started in the suspended state, the detection module calls the API HOOK module to inject into the sample's address space. If injection succeeds, the detection module resumes the sample, receives the behaviour information returned by the API HOOK module and returns it to the sandbox module over HTTP. If the API HOOK module fails to inject, the detection module sends injection-failure information to the sandbox module, which changes the current task status in the MySQL database to failed; then step 4 is executed.
While the detection module is running the sample, if the API HOOK module does not observe the sample calling any of the system functions it hooks within the configured interval, it returns "no activity for the interval" to the detection module; on receiving this the detection module executes step 4.
While the detection module is running the sample, if the API HOOK module observes the sample requesting a file that is characteristic of the virtual machine, the request is hijacked by Windows API hooking and the sample receives a result indicating that the requested file does not exist.
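The decision logic behind the API HOOK module described in the two paragraphs above, as an added example that is not the patent's code: which hooked calls are recorded in the behaviour log, which requests are hijacked so the sample sees ERROR_FILE_NOT_FOUND instead of the real result, and how "no activity for the interval" is derived from the time of the last hooked call. The inline hooks themselves (the patches inside the sample's process that would call this code) are not shown. The artifact list goes beyond the page's one example, VBoxService, with other VirtualBox Guest Additions file names, and the registry key is an assumption about what a sample would probe, not something the patent mentions; the call trace is constructed.

```python
from dataclasses import dataclass, field

ERROR_FILE_NOT_FOUND = 2  # Win32 error the hook hands back instead of calling the real API

# Hooked API -> behaviour category written to the report (the categories the text lists).
MONITORED = {
    "CreateProcessW": "process",
    "CreateFileW": "file", "WriteFile": "file", "DeleteFileW": "file", "GetFileAttributesW": "file",
    "connect": "network",
    "RegOpenKeyExW": "registry",
}
# Guest Additions files a sample might probe to detect VirtualBox (VBoxService is the page's example).
VM_ARTIFACTS = ("vboxservice.exe", "vboxtray.exe", "vboxguest.sys",
                "vboxmouse.sys", "vboxsf.sys", "vboxvideo.sys")
VM_REGISTRY = ("software\\oracle\\virtualbox guest additions",)  # assumption, not from the patent


@dataclass
class HookedCall:
    t: float      # seconds since the sample was resumed
    api: str
    target: str   # path, registry key, host:port or command line


def hijack(call):
    """Error code to return to the sample instead of the real result, or None to pass the call through."""
    target = call.target.lower()
    if MONITORED.get(call.api) == "file" and target.endswith(VM_ARTIFACTS):
        return ERROR_FILE_NOT_FOUND
    if call.api == "RegOpenKeyExW" and target.endswith(VM_REGISTRY):
        return ERROR_FILE_NOT_FOUND  # RegOpenKeyEx reports a missing key with the same code
    return None


@dataclass
class BehaviourLog:
    idle_interval: float           # the "configured interval" of the text
    events: list = field(default_factory=list)
    last_activity: float = 0.0     # time of the last hooked call (resume time at start)

    def on_call(self, call):
        """Entry point every hook uses: decide hijack, record the event, return what the sample sees."""
        if call.api not in MONITORED:
            return None            # unhooked APIs neither count as activity nor appear in the log
        blocked = hijack(call)
        self.events.append({"t": call.t, "api": call.api, "category": MONITORED[call.api],
                            "target": call.target, "hijacked": blocked is not None})
        self.last_activity = call.t
        return blocked

    def idle(self, now):
        """True once no hooked call has been seen for idle_interval: the detection module ends the task."""
        return now - self.last_activity >= self.idle_interval

    def summary(self):
        counts = {}
        for e in self.events:
            counts[e["category"]] = counts.get(e["category"], 0) + 1
        counts["hijacked"] = sum(e["hijacked"] for e in self.events)
        return counts


# Constructed trace of a sample that checks for VirtualBox, drops and runs a file, then beacons.
TRACE = [
    HookedCall(0.5, "GetFileAttributesW", r"C:\Windows\System32\VBoxService.exe"),
    HookedCall(0.6, "RegOpenKeyExW", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    HookedCall(1.0, "CreateFileW", r"C:\Users\test\AppData\Local\Temp\dropper.exe"),
    HookedCall(1.1, "WriteFile", r"C:\Users\test\AppData\Local\Temp\dropper.exe"),
    HookedCall(2.0, "CreateProcessW", r"C:\Users\test\AppData\Local\Temp\dropper.exe"),
    HookedCall(2.5, "connect", "203.0.113.10:443"),   # documentation address, not a real C2
    HookedCall(3.0, "Sleep", "10000"),                  # not hooked: a sleeping sample looks idle
]


def replay(trace, idle_interval=20.0):
    log = BehaviourLog(idle_interval=idle_interval)
    seen_by_sample = [log.on_call(c) for c in trace]
    return log, seen_by_sample
```

Two practical caveats follow from the code: a sample that sleeps its way past the idle interval is reported as finished, so the interval has to be chosen against the sleeps real droppers use, and hiding Guest Additions files only defeats file-based checks; CPUID, MAC prefix and timing checks need other counter-measures.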
The detailed procedure by which the detection module analyses the sample's execution behaviour is:
A. The detection module starts the sample in suspended mode;
B. The detection module creates a timer to record the program's running time;
C. Once the sample is suspended, the detection module calls the API HOOK module to perform the process-injection operation. After injection succeeds, the API HOOK module starts filtering and logging the file's behaviour information and returns the relevant behaviour information to the detection module;
D. After injection, the detection module calls the intelligent simulation module, whose work comprises:
a. obtain the program's user-visible window information with the EnumWindows function and an EnumWindowsProc callback;
b. keep only visible windows, using the IsWindowVisible function;
c. obtain child windows with EnumChildWindows;
d. identify windows whose class is Button with the GetClassName function;
e. obtain the button's text with GetWindowText;
f. obtain the button's screen coordinates, relative to the top-left corner of the screen, with GetWindowRect;
g. compare the button text obtained with the list preset in the detection module (the list is: yes, ok, install, agree, run, continue, finish, accept, extract, and the Chinese captions for accept, agree, next step and complete). If the button text is in the list, call SetForegroundWindow to bring the current window to the front, call SetCursorPos to move the mouse into the button's coordinate range, and call mouse_event to perform a left-button single click; if the button text is not in the list, continue with the next button;
h. repeat step D;
E. If the sample exits while step D is executing, execute step 6;
F. If the API HOOK module observes no file operation by the sample within the configured interval, it returns "no activity for the interval" to the detection module; on receiving this, the detection module executes step 4;
G. If step D finds no button text that is present in the list, or the sample has not finished and exited within the time range set in the detection task, execute step 4;
Step 4: The detection module calls ExitProcess to end the sample's process. (ExitProcess only terminates the calling process; to end the sample from a separate detection process the handle obtained when the sample was created must be passed to TerminateProcess.)
Step 5: The detection module returns a detection-complete instruction to the sandbox module;
Step 6: If the sandbox module receives a detection-exception instruction from the detection module, it marks the current detection task as abnormal. If the sandbox module receives the detection-complete instruction without having received a detection-exception instruction, it marks the current detection task as completed, saves the file's detection result to a file, and attaches the path of the result file to the current detection task for use by other programs;
After receiving the detection-complete instruction, the sandbox module calls the virtual machine's public interface function VBoxManage controlvm to shut down the virtual machine that ran the current detection task;
After the virtual machine has shut down, the sandbox module calls the image-restore function VBoxManage snapshot to restore the virtual machine image; the current detection task is complete and step 2 is repeated.
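Sub-steps a to h of the intelligent simulation module, as an added example that is not the patent's code. The Win32 part calls, through ctypes, the same user32 functions the text names (EnumWindows, IsWindowVisible, EnumChildWindows, GetClassName, GetWindowText, GetWindowRect, SetForegroundWindow, SetCursorPos, mouse_event) and only runs on Windows; the caption matching and the choice of which button to click are pure Python and run anywhere. Restricting the window walk to the sample's process ID via GetWindowThreadProcessId, and the Chinese caption strings, are this example's assumptions; the button lists used for the offline check are constructed.

```python
import sys
import time

# Captions from the text plus assumed Chinese forms of its translated entries.
CAPTIONS = {"yes", "ok", "install", "agree", "run", "continue", "finish", "accept", "extract",
            "next", "next step", "complete", "接受", "同意", "下一步", "完成"}


def normalize_caption(text):
    """'&Next >' -> 'next': drop the accelerator marker, trailing arrows and dots, case and extra spaces."""
    text = text.replace("&", "").strip().lower()
    text = text.rstrip(">.…").strip()
    return " ".join(text.split())


def choose_button(buttons, captions=CAPTIONS):
    """buttons: iterable of (button_id, caption, (left, top, right, bottom)).
    First caption in the list wins; returns (button_id, x, y) at the button centre, or None.
    Exact match only, so captions such as 'Cancel' or "Don't install" are never clicked."""
    for bid, caption, (left, top, right, bottom) in buttons:
        if normalize_caption(caption) in captions:
            return bid, (left + right) // 2, (top + bottom) // 2
    return None


def _user32():
    """Bind the user32 functions used below; imported lazily so the module loads on any OS."""
    import ctypes
    from ctypes import wintypes
    u = ctypes.WinDLL("user32", use_last_error=True)
    enum_proc = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    u.EnumWindows.argtypes = [enum_proc, wintypes.LPARAM]
    u.EnumChildWindows.argtypes = [wintypes.HWND, enum_proc, wintypes.LPARAM]
    u.GetWindowThreadProcessId.argtypes = [wintypes.HWND, ctypes.POINTER(wintypes.DWORD)]
    u.IsWindowVisible.argtypes = [wintypes.HWND]
    u.GetClassNameW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    u.GetWindowTextW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    u.GetWindowRect.argtypes = [wintypes.HWND, ctypes.POINTER(wintypes.RECT)]
    u.SetForegroundWindow.argtypes = [wintypes.HWND]
    u.SetCursorPos.argtypes = [ctypes.c_int, ctypes.c_int]
    u.mouse_event.argtypes = [wintypes.DWORD] * 4 + [ctypes.c_size_t]
    return ctypes, wintypes, u, enum_proc


def enumerate_buttons(pid):
    """Sub-steps a to f for one process: [(top_hwnd, button_hwnd, caption, rect)]."""
    ctypes, wintypes, u, enum_proc = _user32()
    found, buf = [], ctypes.create_unicode_buffer(256)

    def on_child(hwnd, top):
        u.GetClassNameW(hwnd, buf, 256)
        if buf.value.lower() == "button":        # window class names are case-insensitive
            u.GetWindowTextW(hwnd, buf, 256)
            rc = wintypes.RECT()
            u.GetWindowRect(hwnd, ctypes.byref(rc))
            found.append((top, hwnd, buf.value, (rc.left, rc.top, rc.right, rc.bottom)))
        return True

    child_cb = enum_proc(on_child)               # keep the callback alive during enumeration

    def on_top(hwnd, _):
        owner = wintypes.DWORD()
        u.GetWindowThreadProcessId(hwnd, ctypes.byref(owner))
        if owner.value == pid and u.IsWindowVisible(hwnd):
            u.EnumChildWindows(hwnd, child_cb, hwnd)
        return True

    u.EnumWindows(enum_proc(on_top), 0)
    return found


def click(top_hwnd, x, y):
    """Sub-step g: raise the window, move the cursor, left-click (MOUSEEVENTF_LEFTDOWN then LEFTUP)."""
    _, _, u, _ = _user32()
    u.SetForegroundWindow(top_hwnd)
    u.SetCursorPos(x, y)
    u.mouse_event(0x0002, 0, 0, 0, 0)
    u.mouse_event(0x0004, 0, 0, 0, 0)


def drive(pid, deadline, poll=1.0, exited=lambda: False):
    """Sub-step h: repeat until no caption matches (G), the sample exits (E) or the task deadline (G).
    Returns the number of clicks performed."""
    if sys.platform != "win32":
        raise RuntimeError("the window walk needs the Win32 user32 API")
    clicks = 0
    while time.monotonic() < deadline and not exited():
        buttons = [(top, caption, rect) for top, _btn, caption, rect in enumerate_buttons(pid)]
        choice = choose_button(buttons)
        if choice is None:
            break
        top, x, y = choice
        click(top, x, y)
        clicks += 1
        time.sleep(poll)
    return clicks
```

Two things to check when deploying this: the detection module must run in the same interactive desktop session as the sample (a service in session 0 cannot see or click its windows), and mouse_event is a legacy call that Microsoft has superseded by SendInput, which is the one to use if synthesized clicks are being ignored.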
The invention also provides a sandbox intelligent detection system based on the described method, comprising the sandbox, the sandbox module, the detection module and the virtual machine. Their relationship is as follows: the sandbox module and the virtual machine form the main body of the sandbox; the detection module runs on the virtual machine and is mainly used to communicate with the sandbox, obtain the detection task and the file to be analysed, run the file's detection task and return the detection result to the sandbox module. The detection module is configured to start at virtual machine boot, so it starts together with the virtual machine.
The present invention concerns only the file behaviour analysis process in the intelligent sandbox system; the judgement of malicious code based on file behaviour is outside its scope.
The sandbox module of the present invention is the main module of the sandbox intelligent detection system. It is responsible for receiving files to be analysed and generating detection tasks, managing detection tasks, initiating file analysis, scheduling and managing virtual machines, and receiving and saving detection results.
The database of the present invention can be of any type; it stores detection tasks and is used by the sandbox module to generate and manage them.
The detection module of the present invention is the detection executor that runs on the virtual machine. It communicates with the sandbox module, obtains the detection task and the file, runs the file analysis, monitors the file's execution through the API HOOK module, and returns the sample's behaviour data to the sandbox module over the network. The detection module is built into the virtual machine and starts together with the virtual machine's operating system.
The virtual machine of the present invention is the virtualization program running in the sandbox environment together with the operating system running under it (for example a Windows operating system running in the VirtualBox virtualization software); the state of the virtual machine after startup is saved as a restore point.
In the present invention, "file to be analysed" refers to a file in a detection task that has not yet been submitted for analysis; once it has been submitted to the virtual machine for analysis it is called the sample under analysis.
The following examples can make this professional professional and technical personnel's comprehend the present invention, but do not limit the present invention in any way.
An intelligent sandbox detection system implements the following functions:
Step 1: obtain the file to be detected and generate a detection task;
Step 1 is called the task generation step; it runs in a loop on a dedicated thread.
The file types that task generation accepts fall into four groups: PE-format files under Windows (exe and dll files); document files (Word documents, Excel spreadsheets, PPT presentations and PDF documents); script files (bat, cmd and vbs files); and interpreted program files (py and jar files). Files come from two sources: files of the specified types extracted from network traffic by means such as traffic monitoring and submitted for detection, and files submitted manually to the sandbox system by a technician.
The sub-steps of task generation are:
Step 101: the sandbox reads the file to be detected and obtains its full storage path.
Step 102: the sandbox module calls the Magic method to identify the file type of the file to be detected; if the type cannot be determined this way, the filename suffix is used as the file type;
Step 103: the sandbox module computes the checksum of the file to be detected using hash algorithms such as MD5 and CRC;
Step 104: the sandbox module obtains the execution time allotted to this detection task for the file; if no execution time is specified when the task is generated, the sandbox module defaults to 5 minutes for the file detection task;
Step 105: the sandbox takes the current time as the task submission time;
Step 106: the sandbox reads the last existing task ID in the task database and uses that task ID incremented by 1 as the ID of the new task;
Step 107: the sandbox module writes the information gathered above into the detection task table of the MySQL database via an SQL statement, which creates the current detection task, and marks the task status as "to be detected".
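As an added example (not code from the patent or its assignee), the task generation step 101 to 107 in Python: the file type is taken from a small signature table that stands in for the Magic lookup, with the filename suffix as fallback; MD5 and CRC32 checksums are computed; the 5-minute default applies when no time is given; and the task is written with the last task ID plus 1 and the status "to be detected". An in-memory SQLite table stands in for the MySQL detection task table; the column names, the MAGIC_SIGNATURES table, the status string and the sample files are assumptions made for this example.

```python
import hashlib
import sqlite3
import zlib
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Constructed stand-in for the Magic lookup of step 102: a few leading byte
# signatures. The real system uses a libmagic-style database; this table
# and its type names are assumptions made for the example.
MAGIC_SIGNATURES = [
    (b"MZ", "pe"),                  # PE image: exe and dll share the MZ header
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),         # docx/xlsx/jar are zip containers
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy doc/xls/ppt
]

DEFAULT_DETECTION_SECONDS = 5 * 60  # step 104: 5 minutes when no time is specified
STATUS_PENDING = "to_be_detected"   # step 107: initial task status (assumed name)


def detect_file_type(data: bytes, filename: str) -> str:
    """Step 102: signature-based type, falling back to the filename suffix."""
    for signature, file_type in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return file_type
    suffix = Path(filename).suffix.lstrip(".").lower()
    return suffix or "unknown"


def checksums(data: bytes) -> dict:
    """Step 103: MD5 and CRC32 over the whole file contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def new_task_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the MySQL detection task table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE detection_task (
               task_id        INTEGER PRIMARY KEY,
               file_path      TEXT NOT NULL,
               file_type      TEXT NOT NULL,
               md5            TEXT NOT NULL,
               crc32          TEXT NOT NULL,
               detect_seconds INTEGER NOT NULL,
               submitted_at   TEXT NOT NULL,
               status         TEXT NOT NULL)"""
    )
    return conn


def generate_task(conn: sqlite3.Connection, file_path: str, data: bytes,
                  detect_seconds: Optional[int] = None) -> dict:
    """Steps 101-107 for one file: build the task row and mark it pending."""
    file_type = detect_file_type(data, file_path)          # step 102
    sums = checksums(data)                                  # step 103
    seconds = detect_seconds or DEFAULT_DETECTION_SECONDS   # step 104
    submitted_at = datetime.now(timezone.utc).isoformat()   # step 105
    # Step 106: new task id = last existing id + 1 (an empty table yields 1)
    last_id = conn.execute("SELECT MAX(task_id) FROM detection_task").fetchone()[0]
    task_id = (last_id or 0) + 1
    # Step 107: parameterised INSERT; never build the SQL statement from the
    # file name, which is attacker-controlled input
    conn.execute(
        "INSERT INTO detection_task VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        (task_id, file_path, file_type, sums["md5"], sums["crc32"],
         seconds, submitted_at, STATUS_PENDING),
    )
    conn.commit()
    return {"task_id": task_id, "file_type": file_type,
            "detect_seconds": seconds, **sums}


def task_status(conn: sqlite3.Connection, task_id: int) -> str:
    """Read back the status column of one task (step 2 polls this)."""
    row = conn.execute("SELECT status FROM detection_task WHERE task_id = ?",
                       (task_id,)).fetchone()
    return row[0] if row else "missing"
```

The file name and contents are untrusted input here, so the INSERT uses bound parameters rather than string formatting, and the signature check runs before the suffix fallback so that a renamed PE file is still recorded as a PE file.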
Step 2: the sandbox module submits the task to be detected to a virtual machine and retrieves the detection result;
Step 2 is called the task execution step and comprises the following sub-steps.
Step 201: the sandbox module checks the virtual machine states to determine whether an idle virtual machine is available to run a new detection task:
If a virtual machine is in the "closed, state saved" state, a virtual machine is available for a new detection task; go to step 202.
If every virtual machine is currently running, the sandbox module waits 1 second and queries the virtual machine states again, until a virtual machine is in the "closed, state saved" state, at which point it goes to step 202.
Step 202: the sandbox module queries the detection task table of the MySQL database to find whether any task in the table has status "to be detected";
If no task in the detection task table of the MySQL database currently has status "to be detected", the sandbox module waits 1 second and repeats the search for tasks in that status;
If exactly one task to be detected is found in the detection task table, the sandbox module proceeds to step 203 to submit it;
If several tasks to be detected are found in the detection task table, the sandbox module takes them one at a time in order of submission time and proceeds to step 203 to submit each, marking the current task as "submitted" at the same time; the number of tasks the sandbox module can have submitted for file detection at any one time is at most the number of virtual machines configured in the sandbox;
Step 203: the sandbox module submits the task to a virtual machine and retrieves the file detection record. The specific steps are:
The sandbox module performs the following operations:
1) the sandbox module calls the VBoxManage startvm function to start the virtual machine;
2) the sandbox module tries to connect to port 8000 of the virtual machine; a successful connection indicates that the virtual machine has started;
3) the sandbox module transmits the task list to the virtual machine over HTTP and waits for the detection module to return its initialization result. If the detection module returns "initialization success", go to 4); if it returns "initialization failure", go to step 204. The sandbox module marks the current detection task as "detecting";
On receiving "initialization success" from the virtual machine, the sandbox module reads the file to be detected and transmits it to the detection module over HTTP;
After the virtual machine starts, the following operations are performed:
1) when the virtual machine starts, the detection module built into it starts along with it;
2) the detection module opens port 8000 and listens on it;
3) the detection module receives the task configuration information uploaded by the sandbox module, reads the configuration file, obtains the type of the file to be detected, and checks, using the file-type-to-executor lookup table (Fig. 3), whether a program capable of running that file type is present on the current system;
If an executor for the file to be detected exists, the detection module returns "initialization success" to the sandbox module over port 8000, indicating that it can receive the file to be detected;
If no executor for the file to be detected exists, the detection module returns "initialization failure" to the sandbox module over port 8000, indicating that the current system cannot detect this file type, and the detection module goes to step 206;
4) once the detection module has finished receiving the file to be detected, it computes the file's checksum with the hash algorithm and compares it with the checksum in the configuration file. If the checksums agree, the file is complete and the module proceeds to 5); if they disagree, the module deletes the received file and asks the sandbox module to retransmit it, repeating until the file is complete, then proceeds to 5);
5) the detection module launches the file to be detected with the suspend parameter; once the file's process is suspended, the detection module calls the API HOOK module to perform the API HOOK injection. If the file fails to launch, or the API HOOK injection fails, go directly to step 206;
6) if the file to be detected launches successfully and the API HOOK injection succeeds, the detection module calls the artificial intelligence module to perform simulated interaction; the steps the artificial intelligence module performs are those of step D in the detailed procedure by which the detection module detects the detected file's execution behaviour, given in the summary of the invention, and are not repeated here;
7) during file detection, if the API HOOK module observes no call by the detected file to any system function hooked by the API HOOK module within 10 seconds, it returns "no activity within the specified time" to the detection module, which goes to step 204;
8) during file detection, if the detected file exits normally, go to step 206;
9) during file detection, if the detected file keeps running and the API HOOK module has not returned "no activity within the specified time" to the detection module, then once the detection time set in the detection task (5 minutes by default) is reached, go to step 204;
Step 204: the detection module calls the ExitProcess function to terminate the detected file's process;
Step 205: the detection module returns "detection succeeded";
Step 206: the sandbox module calls the VBoxManage controlvm function to shut down the virtual machine that ran the current detection task; the sandbox module sets the status of the current task in the detection task table of the MySQL database to "detected"; the sandbox module saves the received file behaviour information to a directory on disk and records the path of that file in the task result field of the detection task table;
Step 207: the sandbox module uses the VBoxManage snapshot function to restore the virtual machine image;
At this point the detection task for one file to be detected is complete.
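As an added example (not code from the patent or its assignee), the detection-module side of sub-steps 3), 4) and 7) to 9) in Python: the executor check that decides between "initialization success" and "initialization failure", the checksum comparison that accepts or rejects an upload, and the decision between continuing, ending on 10 seconds without a hooked call, ending at the task's detection time, and ending on a normal exit. The EXECUTOR_TABLE contents stand in for the lookup table of Fig. 3 and, like the executor names, result strings and sample file, are assumptions made for this example; the real module runs these checks against a live process, while here the timing inputs are passed in as plain numbers.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Set

# Constructed stand-in for the file-type-to-executor lookup table of Fig. 3.
# The real table is part of the detection module's configuration; these
# program names and the mapping are assumptions made for the example.
EXECUTOR_TABLE = {
    "exe": None,            # PE executables are launched directly
    "dll": "rundll32.exe",
    "doc": "winword.exe",
    "xls": "excel.exe",
    "ppt": "powerpnt.exe",
    "pdf": "acrord32.exe",
    "bat": "cmd.exe",
    "cmd": "cmd.exe",
    "vbs": "wscript.exe",
    "py": "python.exe",
    "jar": "java.exe",
}

IDLE_LIMIT_SECONDS = 10     # sub-step 7): no hooked call for 10 s ends the run


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


@dataclass
class DetectionModule:
    """The detection-module side of sub-steps 3) and 4); the set of
    executors installed on the VM is constructed input."""
    available_executors: Set[str]
    received: bytes = b""

    def initialize(self, task_config: dict) -> str:
        """Sub-step 3): consult the executor table before accepting the file."""
        file_type = task_config.get("file_type")
        if file_type not in EXECUTOR_TABLE:
            return "init_failure"
        executor = EXECUTOR_TABLE[file_type]
        if executor is not None and executor not in self.available_executors:
            return "init_failure"
        return "init_success"

    def receive_file(self, data: bytes, expected_md5: str) -> str:
        """Sub-step 4): keep the upload only if its checksum matches the task."""
        if md5_hex(data) != expected_md5:
            self.received = b""         # discard the incomplete upload
            return "retransmit"
        self.received = data
        return "complete"


def next_action(now: float, started_at: float, last_hooked_call: Optional[float],
                exited_normally: bool, detect_seconds: int) -> str:
    """Sub-steps 7)-9): what the detection module does at time `now` (seconds).

    'step_206' when the detected file exited on its own, 'step_204' when its
    process must be terminated (no hooked call for 10 s, or the task's
    detection time reached), otherwise 'continue'.
    """
    if exited_normally:
        return "step_206"
    idle_since = started_at if last_hooked_call is None else last_hooked_call
    if now - idle_since >= IDLE_LIMIT_SECONDS:
        return "step_204"   # API HOOK reports "no activity within the specified time"
    if now - started_at >= detect_seconds:
        return "step_204"   # configured detection time (default 5 minutes) reached
    return "continue"
```

The idle check measures from process start when no hooked call has been seen at all, so a sample that never touches a hooked function is cut off after 10 seconds instead of occupying the virtual machine for the full detection time.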
Finally, it should be noted that the above is only a preferred embodiment of the invention and is not intended to limit it; all variations that a person of ordinary skill in the art can derive directly or by association from the disclosed content fall within the scope of protection of the invention.

Claims (2)

1. A method for intelligent sandbox file detection, for detecting a file's execution behaviour, characterised in that it comprises the following steps:
Step 1: the sandbox module receives the file to be detected, generates a detection task according to rules, writes the detection task to the database, and marks the detection task status as "to be detected";
The detection task comprises an auto-incrementing task ID, the storage path and file type of the file to be detected, the checksum of the file to be detected, and the detection time specified for this detection of the file; step 1 repeats;
Step 2: the sandbox module connects to and queries the database for a detection task whose status is "to be detected"; if there is no detection task in that status, the sandbox module waits a specified time and then queries again;
If the sandbox module finds a detection task whose status is "to be detected", it calls the virtual machine's open interface function to query whether a virtual machine is currently available to run the detection task: if no virtual machine can currently run the detection, the sandbox module waits a specified time and queries the virtual machine states again; if a virtual machine is available, the sandbox module calls the virtual machine's open interface to start it;
After the virtual machine starts, the detection module that starts with it begins listening on the designated port; the sandbox module connects to the virtual machine's listening port and sends the task to be detected over the network to the detection module of the virtual machine assigned to this detection task; the sandbox module marks the status of the submitted task as "submitted" and keeps the connection open waiting for data to be returned by the detection module;
The detection module receives the detection task, reads the file type in the task, and checks whether the current system has a corresponding executor that can run this file to be detected; it returns "initialization success" if one exists and "initialization failure" otherwise;
Step 3: the sandbox module receives the initialization result returned by the detection module in step 2 and uses it to decide whether this virtual machine can run the current detection task; if initialization succeeded, the current file can be detected and processing continues with step 4; if initialization failed, the current detection task cannot be run and the detection task ends; the sandbox module marks the status of the current detection task in the database as "cannot be detected";
Step 4: the sandbox module uploads the file to be detected to the detection module over the network; once the file transfer is complete, the sandbox module keeps its connection to the virtual machine open to receive the detection result; the sandbox module marks the current task status as "detecting";
Step 5: the detection module in the virtual machine receives the file to be detected, computes its checksum and compares it with the checksum in the detection task to confirm that the file is complete. If the file transfer is incomplete, the detection module communicates with the sandbox module and requests retransmission of the file. If the transfer is complete, the detection module launches the file to be detected, suspending its process with the suspend parameter, and at the same time starts a timer that records how long the file has been running. Once the file is running in the suspended state, the detection module calls the API HOOK module to inject it into the detected file's process space; once injection succeeds, the detection module resumes the detected file's execution, and the API HOOK module records the detected file's relevant behaviour and returns the detection result to the detection module. If the API HOOK module observes no call by the detected file to any system function hooked by the API HOOK module within the specified time, it returns "no activity within the specified time" to the detection module; the detection module treats this as the file having finished detection and jumps to step 7. The detection module forwards the file behaviour information returned by the API HOOK module to the sandbox module over the network. If the file to be detected fails to launch or the API HOOK module fails to inject, detection ends and a "detection exception" indication is returned to the sandbox module; on receiving the detection failure information, the sandbox module registers the current detection task status in the database as "detection failed" and jumps to step 7;
Step 6: the detection module starts the artificial intelligence module. The artificial intelligence module identifies the detected file's user-interface windows programmatically, obtains the buttons and button captions in each window, and compares the captured window titles with the titles preset in the program to decide whether manual interaction with the detected file needs to be simulated, so as to reproduce the file's normal execution environment; it attempts to obtain the detected file's running windows, child windows and window buttons;
If the artificial intelligence module successfully obtains the detected file's running windows, child windows and window buttons, it matches the captured button captions against the preset titles: if a match is found, the artificial intelligence module moves the mouse to the button with the matching caption and performs a single left click, then repeats step 6; if no match is found, it checks whether the detected file's execution has finished within the detection time configured in the detection task: if the program exits normally within the detection time, go to step 8; if the detected file's run time reaches the detection time configured in the detection task and the detected file is still running, go to step 7;
Step 7: the detection module calls the Processkill function to terminate the detected file;
Step 8: the detection module returns a "detection complete" indication to the sandbox module;
Step 9: if the sandbox module receives a "detection exception" indication from the detection module, it marks the current detection task as "detection abnormal";
If the sandbox module receives the "detection complete" indication without having received a "detection exception" indication, it marks the current detection task as "detected", saves the file detection result to a file, and attaches the path of the result file to the current detection task for use by other programs;
After receiving the "detection complete" indication, the sandbox module calls the virtual machine's open interface function to shut down the virtual machine that ran the current detection task;
After the virtual machine has shut down, the sandbox module calls the image restore function to restore the virtual machine image; the current detection task is complete, and step 2 is repeated.
2. An intelligent sandbox detection system based on the method for intelligent sandbox file detection of claim 1, characterised in that it comprises a sandbox module and virtual machines; the sandbox module and the virtual machines together form the body of the sandbox; the database is contained in the sandbox module, and the detection module, together with its attached artificial intelligence module and API HOOK module, runs inside the virtual machine;
The sandbox module is the main module of the intelligent sandbox detection system and is responsible for receiving files to be detected and generating detection tasks, managing detection tasks, initiating file detection, scheduling and managing the virtual machines, and receiving and saving detection results;
The database can be of any type; it stores detection tasks and is used by the sandbox module to generate and manage them;
The detection module is the detection executor that runs inside the virtual machine; it communicates with the sandbox module, obtains the detection task and the detected file, executes the file detection, monitors the file's execution through the API HOOK module, and returns the behaviour data of the detected file's execution to the sandbox module over the network; the detection module is built into the virtual machine and starts together with the virtual machine's operating system; here, a "file to be detected" is a file in a detection task that has not yet been submitted for detection, and once the file has been submitted to a virtual machine for detection it is called the "detected file";
The virtual machine is a virtualization program running in the sandbox environment together with the operating system running under that program, and the state of the virtual machine after start-up is saved as a restore point.
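As an added example (not code from the patent or its assignee), steps 6 to 8 of claim 1 in Python: the artificial intelligence module's search through windows and child windows for a button whose caption matches a preset title, the click-and-repeat loop, and the choice between step 8 (the detected file exited normally) and step 7 (the detection time was reached while the file was still running). The window enumeration, click, exit check and clock are passed in as callables so the loop runs against a constructed installer-dialog scenario here; on the real virtual machine they would wrap the operating system's window and input APIs. The PRESET_BUTTON_TITLES list, the window trees and the 60-second poll interval are assumptions made for this example.

```python
from typing import Callable, List, Optional

# Preset button captions the artificial intelligence module matches against
# (claim 1, step 6). The captions are constructed for the example; the real
# list is configured in the program.
PRESET_BUTTON_TITLES = ["OK", "Yes", "Next", "Run", "Install", "Accept", "Agree"]


def find_button_to_click(windows: List[dict],
                         presets: List[str] = PRESET_BUTTON_TITLES) -> Optional[dict]:
    """Walk the windows and their child windows breadth-first and return the
    first button whose caption matches a preset title (case-insensitive,
    with the '&' accelerator marker removed), or None when nothing matches."""
    wanted = {title.lower() for title in presets}
    queue = list(windows)
    while queue:
        window = queue.pop(0)
        for button in window.get("buttons", []):
            caption = button["title"].replace("&", "").strip().lower()
            if caption in wanted:
                return {"window": window["title"], "button": button["title"]}
        queue.extend(window.get("children", []))
    return None


def drive_detected_file(enumerate_windows: Callable[[], List[dict]],
                        click: Callable[[dict], None],
                        process_exited: Callable[[], bool],
                        clock: Callable[[], float],
                        wait: Callable[[], None],
                        started_at: float,
                        detect_seconds: int) -> dict:
    """Claim 1 steps 6-8 as a loop: click while a preset button matches;
    otherwise choose step 8 (exited normally) or step 7 (terminate at the
    detection time limit), waiting between enumerations."""
    clicks: List[dict] = []
    while True:
        target = find_button_to_click(enumerate_windows())
        if target is not None:
            click(target)
            clicks.append(target)
            continue                    # step 6 repeats after every click
        if process_exited():
            return {"outcome": "step_8_exited_normally", "clicks": clicks}
        if clock() - started_at >= detect_seconds:
            return {"outcome": "step_7_kill", "clicks": clicks}
        wait()


def simulate_installer_dialog(detect_seconds: int = 300,
                              exits_after_install: bool = False) -> dict:
    """Constructed scenario: a 'Next' page, then a page whose child window
    has an 'Install' button, then a progress window with no matching button.
    All window trees here are made up for the example."""
    screens = [
        [{"title": "Setup", "buttons": [{"title": "&Next"}, {"title": "Cancel"}]}],
        [{"title": "Setup", "buttons": [{"title": "Cancel"}],
          "children": [{"title": "Licence", "buttons": [{"title": "Install"}]}]}],
        [{"title": "Progress", "buttons": [{"title": "Cancel"}]}],
    ]
    state = {"stage": 0, "clock": 0.0, "exited": False}

    def enumerate_windows() -> List[dict]:
        return screens[min(state["stage"], len(screens) - 1)]

    def click(target: dict) -> None:
        state["stage"] += 1
        if exits_after_install and target["button"] == "Install":
            state["exited"] = True

    def wait() -> None:
        state["clock"] += 60.0      # simulated poll interval (assumed)

    return drive_detected_file(enumerate_windows, click, lambda: state["exited"],
                               lambda: state["clock"], wait, 0.0, detect_seconds)
```

Only captions on the preset list are ever clicked, so a dialog offering "Cancel" alone leaves the sample to run until it exits or the detection time expires; the loop re-enumerates after every click because a click typically replaces the window tree.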
CN201410381591.1A 2014-08-05 2014-08-05 Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method Active CN104200161B (en)

Publications (2)

Publication Number Publication Date
CN104200161A true CN104200161A (en) 2014-12-10
CN104200161B CN104200161B (en) 2017-01-25

Family

ID=52085452

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410381591.1A Active CN104200161B (en) 2014-08-05 2014-08-05 Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method

Country Status (1)

Country Link
CN (1) CN104200161B (en)

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104410539A (en) * 2014-12-31 2015-03-11 中国移动通信集团广东有限公司 Comprehensive alarm collection method and system based on artificial intelligence
CN104766007A (en) * 2015-03-27 2015-07-08 杭州安恒信息技术有限公司 Method for quickly recovering sandbox based on file system filter driver
CN104852910A (en) * 2015-04-24 2015-08-19 杭州华三通信技术有限公司 Attack detection method and apparatus
CN105117645A (en) * 2015-07-29 2015-12-02 杭州安恒信息技术有限公司 Method for operating multiple samples of sandbox virtual machine based on file system filtering drive
CN105630877A (en) * 2015-12-17 2016-06-01 北京奇虎科技有限公司 File cleaning method and system
CN105718793A (en) * 2015-09-25 2016-06-29 哈尔滨安天科技股份有限公司 Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification
CN106301974A (en) * 2015-05-14 2017-01-04 阿里巴巴集团控股有限公司 A kind of website back door detection method and device
CN106341282A (en) * 2016-11-10 2017-01-18 广东电网有限责任公司电力科学研究院 Malicious code behavior analyzer
CN106547608A (en) * 2016-09-09 2017-03-29 北京安天电子设备有限公司 A kind of sandbox concurrent method and system based on page active folding
CN106650423A (en) * 2016-11-28 2017-05-10 北京奇虎科技有限公司 Object sample file detecting method and device
CN106650424A (en) * 2016-11-28 2017-05-10 北京奇虎科技有限公司 Method and device for detecting target sample file
CN106682500A (en) * 2016-11-28 2017-05-17 北京奇虎科技有限公司 Detection method and device for target sample files
CN106778239A (en) * 2015-11-24 2017-05-31 阿里巴巴集团控股有限公司 Method and device for improving Java sandbox securities
CN106997436A (en) * 2017-04-14 2017-08-01 努比亚技术有限公司 The detection means and method of application program
CN107102937A (en) * 2016-02-19 2017-08-29 腾讯科技(深圳)有限公司 A kind of ui testing method and apparatus
CN107357717A (en) * 2017-06-07 2017-11-17 阿里巴巴集团控股有限公司 Detect the method, apparatus and equipment of configuration error
CN107483386A (en) * 2016-06-08 2017-12-15 阿里巴巴集团控股有限公司 Analyze the method and device of network data
CN107491691A (en) * 2017-08-08 2017-12-19 东北大学 A kind of long-range forensic tools Safety Analysis System based on machine learning
CN107609396A (en) * 2017-09-22 2018-01-19 杭州安恒信息技术有限公司 A kind of escape detection method based on sandbox virtual machine
CN107729748A (en) * 2017-09-20 2018-02-23 杭州安恒信息技术有限公司 A kind of method for describing file running orbit figure in sandbox
CN107943676A (en) * 2016-10-12 2018-04-20 腾讯科技(深圳)有限公司 The performance test data treating method and apparatus of application operating nonvolatile memory
CN108595240A (en) * 2018-04-20 2018-09-28 北京天融信网络安全技术有限公司 Grasping means, device, equipment and the readable storage medium storing program for executing of Snipping Tool
CN108874658A (en) * 2017-12-25 2018-11-23 北京安天网络安全技术有限公司 A kind of sandbox analysis method, device, electronic equipment and storage medium
CN109472140A (en) * 2017-12-29 2019-03-15 北京安天网络安全技术有限公司 The method and system of software cryptography are extorted based on the prevention of forms header checksum
CN110825491A (en) * 2019-10-31 2020-02-21 福建天晴在线互动科技有限公司 Virtual environment detection method based on firewall registry characteristics
CN110837639A (en) * 2019-11-08 2020-02-25 浙江军盾信息科技有限公司 Active defense method and system for unknown threat
CN111460439A (en) * 2020-03-27 2020-07-28 中南大学 Multi-environment-based escape behavior detection method
CN112507330A (en) * 2020-11-04 2021-03-16 北京航空航天大学 Malicious software detection system based on distributed sandbox
CN112558986A (en) * 2019-09-25 2021-03-26 上海哔哩哔哩科技有限公司 APK installation package online automatic analysis method and system
CN113672917A (en) * 2021-08-04 2021-11-19 安天科技集团股份有限公司 Malicious code detection method and device, storage medium and electronic equipment
US11288362B2 (en) * 2018-02-06 2022-03-29 AO Kaspersky Lab System and method for creating antivirus records for antivirus applications
CN117540381A (en) * 2023-11-13 2024-02-09 中国人民解放军92493部队信息技术中心 Detection method and system for anti-virtualization malicious program

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
US20140075187A1 (en) * 2004-12-03 2014-03-13 Fortinet, Inc. Selective authorization of the loading of dependent code modules by running processes
CN103902903A (en) * 2013-11-12 2014-07-02 国家计算机网络与信息安全管理中心 Malicious code analyzing method and system based on dynamic sandbox environment
CN103927484A (en) * 2014-04-21 2014-07-16 西安电子科技大学宁波信息技术研究院 Malicious program behavior capture method based on Qemu
CN102314561B (en) * 2010-07-01 2014-07-23 电子科技大学 Automatic analysis method and system of malicious codes based on API (application program interface) HOOK

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140075187A1 (en) * 2004-12-03 2014-03-13 Fortinet, Inc. Selective authorization of the loading of dependent code modules by running processes
CN102314561B (en) * 2010-07-01 2014-07-23 电子科技大学 Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
CN103902903A (en) * 2013-11-12 2014-07-02 国家计算机网络与信息安全管理中心 Malicious code analyzing method and system based on dynamic sandbox environment
CN103927484A (en) * 2014-04-21 2014-07-16 西安电子科技大学宁波信息技术研究院 Malicious program behavior capture method based on Qemu

Cited By (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104410539A (en) * 2014-12-31 2015-03-11 中国移动通信集团广东有限公司 Comprehensive alarm collection method and system based on artificial intelligence
CN104766007A (en) * 2015-03-27 2015-07-08 杭州安恒信息技术有限公司 Method for quickly recovering sandbox based on file system filter driver
CN104766007B (en) * 2015-03-27 2017-07-21 杭州安恒信息技术有限公司 A kind of method that the fast quick-recovery of sandbox is realized based on file system filter driver
CN104852910A (en) * 2015-04-24 2015-08-19 杭州华三通信技术有限公司 Attack detection method and apparatus
CN104852910B (en) * 2015-04-24 2018-11-27 新华三技术有限公司 A kind of method and apparatus of attack detecting
CN106301974A (en) * 2015-05-14 2017-01-04 阿里巴巴集团控股有限公司 A kind of website back door detection method and device
CN105117645A (en) * 2015-07-29 2015-12-02 杭州安恒信息技术有限公司 Method for operating multiple samples of sandbox virtual machine based on file system filtering drive
CN105718793A (en) * 2015-09-25 2016-06-29 哈尔滨安天科技股份有限公司 Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification
CN106778239B (en) * 2015-11-24 2019-10-29 阿里巴巴集团控股有限公司 For improving the method and device of Java sandbox safety
CN106778239A (en) * 2015-11-24 2017-05-31 阿里巴巴集团控股有限公司 Method and device for improving Java sandbox securities
CN105630877A (en) * 2015-12-17 2016-06-01 北京奇虎科技有限公司 File cleaning method and system
CN107102937B (en) * 2016-02-19 2021-03-02 腾讯科技(深圳)有限公司 User interface testing method and device
CN107102937A (en) * 2016-02-19 2017-08-29 腾讯科技(深圳)有限公司 A kind of ui testing method and apparatus
CN107483386A (en) * 2016-06-08 2017-12-15 阿里巴巴集团控股有限公司 Analyze the method and device of network data
CN106547608A (en) * 2016-09-09 2017-03-29 北京安天电子设备有限公司 A kind of sandbox concurrent method and system based on page active folding
CN106547608B (en) * 2016-09-09 2019-09-27 北京安天网络安全技术有限公司 A kind of the sandbox concurrent method and system of the active folding of page based on memory
CN107943676B (en) * 2016-10-12 2020-10-30 腾讯科技(深圳)有限公司 Performance test data processing method and device for operating nonvolatile memory by application
CN107943676A (en) * 2016-10-12 2018-04-20 腾讯科技(深圳)有限公司 The performance test data treating method and apparatus of application operating nonvolatile memory
CN106341282A (en) * 2016-11-10 2017-01-18 广东电网有限责任公司电力科学研究院 Malicious code behavior analyzer
CN106682500A (en) * 2016-11-28 2017-05-17 北京奇虎科技有限公司 Detection method and device for target sample files
CN106650423A (en) * 2016-11-28 2017-05-10 北京奇虎科技有限公司 Object sample file detecting method and device
CN106650424A (en) * 2016-11-28 2017-05-10 北京奇虎科技有限公司 Method and device for detecting target sample file
CN106997436A (en) * 2017-04-14 2017-08-01 努比亚技术有限公司 The detection means and method of application program
CN107357717A (en) * 2017-06-07 2017-11-17 阿里巴巴集团控股有限公司 Detect the method, apparatus and equipment of configuration error
CN107491691A (en) * 2017-08-08 2017-12-19 东北大学 A kind of long-range forensic tools Safety Analysis System based on machine learning
CN107729748B (en) * 2017-09-20 2019-11-08 杭州安恒信息技术股份有限公司 A method of description file running track figure in sandbox
CN107729748A (en) * 2017-09-20 2018-02-23 杭州安恒信息技术有限公司 A kind of method for describing file running orbit figure in sandbox
CN107609396A (en) * 2017-09-22 2018-01-19 杭州安恒信息技术有限公司 A kind of escape detection method based on sandbox virtual machine
CN107609396B (en) * 2017-09-22 2020-06-23 杭州安恒信息技术股份有限公司 Escape detection method based on sandbox virtual machine
CN108874658A (en) * 2017-12-25 2018-11-23 北京安天网络安全技术有限公司 A kind of sandbox analysis method, device, electronic equipment and storage medium
CN109472140B (en) * 2017-12-29 2021-11-12 北京安天网络安全技术有限公司 Method and system for preventing lasso software encryption based on window header verification
CN109472140A (en) * 2017-12-29 2019-03-15 北京安天网络安全技术有限公司 The method and system of software cryptography are extorted based on the prevention of forms header checksum
US11288362B2 (en) * 2018-02-06 2022-03-29 AO Kaspersky Lab System and method for creating antivirus records for antivirus applications
CN108595240A (en) * 2018-04-20 2018-09-28 北京天融信网络安全技术有限公司 Grasping means, device, equipment and the readable storage medium storing program for executing of Snipping Tool
CN108595240B (en) * 2018-04-20 2021-12-14 北京天融信网络安全技术有限公司 Screen snapshot capturing method, device and equipment and readable storage medium
CN112558986A (en) * 2019-09-25 2021-03-26 上海哔哩哔哩科技有限公司 APK installation package online automatic analysis method and system
CN110825491A (en) * 2019-10-31 2020-02-21 福建天晴在线互动科技有限公司 Virtual environment detection method based on firewall registry characteristics
CN110825491B (en) * 2019-10-31 2022-02-01 福建天晴在线互动科技有限公司 Virtual environment detection method based on firewall registry characteristics
CN110837639A (en) * 2019-11-08 2020-02-25 浙江军盾信息科技有限公司 Active defense method and system for unknown threat
CN111460439A (en) * 2020-03-27 2020-07-28 中南大学 Multi-environment-based escape behavior detection method
CN111460439B (en) * 2020-03-27 2023-03-21 中南大学 Multi-environment-based escape behavior detection method
CN112507330A (en) * 2020-11-04 2021-03-16 北京航空航天大学 Malicious software detection system based on distributed sandbox
CN112507330B (en) * 2020-11-04 2022-06-28 北京航空航天大学 Malicious software detection system based on distributed sandbox
CN113672917A (en) * 2021-08-04 2021-11-19 安天科技集团股份有限公司 Malicious code detection method and device, storage medium and electronic equipment
CN117540381A (en) * 2023-11-13 2024-02-09 中国人民解放军92493部队信息技术中心 Detection method and system for anti-virtualization malicious program

Also Published As

Publication number Publication date
CN104200161B (en) 2017-01-25

Similar Documents

Publication Publication Date Title
CN104200161A (en) Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method
US11169906B2 (en) Extraction of problem diagnostic knowledge from test cases
US8555385B1 (en) Techniques for behavior based malware analysis
US20190034632A1 (en) Method and system for static behavior-predictive malware detection
CN101777062B (en) Context-aware real-time computer-protection systems and methods
CN106055385B (en) System and method for monitoring virtual machine processes, and method for filtering page fault exceptions
CN109614203B (en) Android application cloud data evidence obtaining and analyzing system and method based on application data simulation
CN104182688A (en) Android malicious code detection device and method based on dynamic activation and behavior monitoring
CN104123495B (en) Method for removing malware that prevents a computer from running
CN101788915A (en) White list updating method based on trusted process tree
CN106330599B (en) Android application program network flow multithreading acquisition system and method
WO2009143742A1 (en) Analysis method and system for suspicious file
CN113779585A (en) Unauthorized vulnerability detection method and device
CN104766007A (en) Method for quickly recovering sandbox based on file system filter driver
JP2014515858A (en) Method and apparatus for recombining executing instructions
KR102548985B1 (en) Methods and apparatus for machine learning modeling for detecting malicious document files
Yoon et al. Toward detecting compromised mapreduce workers through log analysis
KR101308866B1 (en) Open type system for analyzing and managing malicious code
CN103902666A (en) Configuration file collecting and monitoring method based on OGG database replication
CN104135483A (en) Automatic configuration management system for network security
CN105630636A (en) Dynamical recovery method and device for operating system of intelligent electronic device
US9722908B2 (en) Problem determination in a hybrid environment
US20140298002A1 (en) Method and device for identifying a disk boot sector virus, and storage medium
US9946853B1 (en) Techniques for application code obfuscation
CN111143839A (en) Malicious code detection method and device based on virtualization behavior analysis technology

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: Floor 15, Zhejiang Zhongcai Building, No. 68, Binjiang District, Hangzhou City, Zhejiang Province, 310051

Patentee after: Hangzhou Annan Information Technology Co., Ltd.

Address before: Floor 15, Binjiang District, Hangzhou City, Zhejiang Province, 310051

Patentee before: DBAPPSecurity Co., Ltd.