CN105718792A - Sandbox based two-dimensional code detection method and system - Google Patents

Info

Publication number: CN105718792A
Authority: CN (China)
Prior art keywords: quick response code, information, sandbox, level
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CN201510495080.7A
Other languages: Chinese (zh)
Inventors: 王聪, 李柏松
Current assignee: Harbin Antiy Technology Co Ltd
Original assignee: Harbin Antiy Technology Co Ltd
Priority date: 2015-08-13
Filing date: 2015-08-13
Publication date: 2016-06-29

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 ... by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention discloses a sandbox-based two-dimensional code detection method. The method comprises the following steps: when a scanning tool is scanning a two-dimensional code, inputting the two-dimensional code into a simulation sandbox and running it; acquiring the correlated behaviour information of the two-dimensional code and judging whether that information indicates a threat, and if so assigning a threat level; monitoring the stability of the simulation sandbox in real time and assigning an exception level if an abnormality occurs; and comprehensively judging, according to the threat level and the exception level, whether the two-dimensional code is malicious, and if so intercepting it and generating a behaviour report, otherwise allowing the terminal to open the two-dimensional code. The invention also discloses a sandbox-based two-dimensional code detection system. With the disclosed technical scheme, the limitations of static detection can be compensated for and a better detection effect achieved.

Description

Sandbox-based two-dimensional code detection method and system
Technical field
The present invention relates to the field of information security technology, and in particular to a sandbox-based two-dimensional code detection method and system.
Background technology
Two-dimensional codes (QR codes) are now used more and more widely and can be seen almost everywhere. The more common QR code contents are web addresses, files (app downloads), WiFi logins and the like, but in fact ordinary text, personal business cards, pictures, notes, telephone numbers and so on can all be made into a QR code, and the barrier to creating one is very low.
There is still no well-developed method for detecting malicious QR codes, while malicious QR codes take many different forms; the current static detection methods based on black/white lists and signatures are not sufficient to protect the security of QR code use.
Summary of the invention
In the technical solution of the invention, the scanned QR code is placed in a simulation sandbox and run; the correlated behaviour information of the QR code is monitored and a threat level is assigned. At the same time, the stability of the simulation sandbox is monitored and, if an anomaly occurs, an exception level is assigned. Finally, a comprehensive judgement is made as to whether the QR code is malicious, and only a QR code finally judged to be safe is permitted to open. The technical solution therefore makes up for the lag of traditional static signature detection and its higher false-alarm rate, and its detection results are more accurate.
The present invention is realised by the following method, a sandbox-based two-dimensional code detection method, comprising:
when a code-scanning tool is found to be scanning a QR code, placing the QR code in a simulation sandbox and running it;
obtaining the correlated behaviour information of the QR code, and assigning a threat level based on that correlated behaviour information;
monitoring the stability of the simulation sandbox in real time and, if an anomaly occurs, assigning an exception level;
comprehensively judging, according to the threat level and the exception level, whether the QR code is malicious; if so, intercepting it and generating a behaviour report, otherwise allowing the terminal to open the QR code.
Further, the correlated behaviour information of the QR code includes: network behaviour, local behaviour, developer information, plugin information, background running service information, self-starting mode, permission information, embedded file status, and associated URL or API call status.
Further, comprehensively judging whether the QR code is malicious according to the threat level and the exception level specifically means: setting weights according to the threat level and the exception level, and judging whether the sum of the weights exceeds a predetermined threshold; if it exceeds the threshold the code is malicious, otherwise it is safe.
Further, intercepting and generating a behaviour report also includes: extracting the static features of the QR code and adding them to the virus signature database after reporting.
The present invention can be realised by the following system, a sandbox-based two-dimensional code detection system, comprising:
a monitoring module, for placing the QR code in a simulation sandbox and running it when a code-scanning tool is found to be scanning a QR code;
a threat judgement module, for obtaining the correlated behaviour information of the QR code and assigning a threat level based on that correlated behaviour information;
an exception judgement module, for monitoring the stability of the simulation sandbox in real time and, if an anomaly occurs, assigning an exception level;
a comprehensive judgement module, for comprehensively judging according to the threat level and the exception level whether the QR code is malicious; if so, intercepting it and generating a behaviour report, otherwise allowing the terminal to open the QR code.
Further, the correlated behaviour information of the QR code includes: network behaviour, local behaviour, developer information, plugin information, background running service information, self-starting mode, permission information, embedded file status, and associated URL or API call status.
Further, comprehensively judging whether the QR code is malicious according to the threat level and the exception level specifically means: setting weights according to the threat level and the exception level, and judging whether the sum of the weights exceeds a predetermined threshold; if it exceeds the threshold the code is malicious, otherwise it is safe.
Further, intercepting and generating a behaviour report also includes: extracting the static features of the QR code and adding them to the virus signature database after reporting.
As described above, the present invention provides a sandbox-based QR code detection method and system. First, the QR code waiting to be opened is placed in a simulation sandbox; the simulation sandbox simulates the terminal environment in which the QR code would run and runs the QR code there; the correlated behaviour information produced at this time is monitored, and a threat level is assigned based on that behaviour information; at the same time, the stability of the simulation sandbox while the QR code runs is monitored and an exception level is assigned; finally, whether the QR code is malicious is judged on the basis of the threat level and the exception level.
Beneficial effects: traditional static detection methods have certain limitations and lag; they can only detect known malicious QR codes and are helpless against unknown ones. The present invention makes up for this deficiency of the prior art: when the terminal scans a QR code, the code is first run in the simulation sandbox, a final verdict is given and a corresponding behaviour report is produced, giving the user more comprehensive information and assisting the user's judgement and decision-making. Thus the user is prevented from opening a malicious QR code, the system itself is not harmed, and it is safer.
Description of the drawings
In order to explain the technical solution more clearly, the drawings needed in the embodiments are briefly described below. Obviously, the drawings described below are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from these without creative effort.
Fig. 1 is a flow chart of an embodiment of the sandbox-based QR code detection method provided by the invention;
Fig. 2 is a structure diagram of an embodiment of the sandbox-based QR code detection system provided by the invention.
Detailed description of the invention
The present invention gives embodiments of a sandbox-based QR code detection method and system. In order that those skilled in the art may better understand the technical solution in the embodiments of the present invention, and that the above purposes, features and advantages of the invention become clearer and easier to understand, the technical solution of the invention is described in further detail below with reference to the drawings:
The present invention first provides an embodiment of a sandbox-based QR code detection method which, as shown in Fig. 1, includes:
S101: when a code-scanning tool is found to be scanning a QR code, placing the QR code in a simulation sandbox and running it;
here, the simulation sandbox is used to open the QR code, so there is no need to worry about harm to system security;
S102: obtaining the correlated behaviour information of the QR code, and assigning a threat level based on that correlated behaviour information;
here, the simulation sandbox is used to simulate the mobile terminal system environment, the content of the QR code is then opened within that simulation, and the correlated behaviour information of the QR code is monitored and obtained continuously; a threat level is assigned according to the degree of threat reflected by that behaviour information, so that the QR code's information is presented intuitively to the user;
S103: monitoring the stability of the simulation sandbox in real time and, if an anomaly occurs, assigning an exception level;
here, the means of monitoring the stability of the simulation sandbox include monitoring the associated processes, or the response to simulated operations; the anomalies that may occur include a process crash, an abnormal response to a simulated operation, a blue screen, and so on; the exception level is set according to which of these abnormal phenomena occurs;
S104: comprehensively judging, according to the threat level and the exception level, whether the QR code is malicious; if so, intercepting it and generating a behaviour report, otherwise allowing the terminal to open the QR code.
Here, the present invention finally provides a behaviour report giving the detailed behavioural data of the malicious QR code, which lets the user see the malicious behaviour more visually and so make a more accurate decision.
Preferably, the correlated behaviour information of the QR code includes: network behaviour, local behaviour, developer information, plugin information, background running service information, self-starting mode, permission information, embedded file status, and associated URL or API call status.
Preferably, comprehensively judging whether the QR code is malicious according to the threat level and the exception level specifically means: setting weights according to the threat level and the exception level, and judging whether the sum of the weights exceeds a predetermined threshold; if it exceeds the threshold the code is malicious, otherwise it is safe. Here, different weights are set for each threat level and each exception level, and the sum of the weights is finally used to decide whether the code is malicious; this can reduce false positives and false negatives and improve accuracy.
Preferably, intercepting and generating a behaviour report also includes: extracting the static features of the QR code and adding them to the virus signature database after reporting. This assists static detection and keeps the virus signature database updated, achieving a more comprehensive detection effect.
The present invention also provides an embodiment of a sandbox-based QR code detection system which, as shown in Fig. 2, includes:
a monitoring module 201, for placing the QR code in a simulation sandbox and running it when a code-scanning tool is found to be scanning a QR code;
a threat judgement module 202, for obtaining the correlated behaviour information of the QR code and assigning a threat level based on that correlated behaviour information;
an exception judgement module 203, for monitoring the stability of the simulation sandbox in real time and, if an anomaly occurs, assigning an exception level;
a comprehensive judgement module 204, for comprehensively judging according to the threat level and the exception level whether the QR code is malicious; if so, intercepting it and generating a behaviour report, otherwise allowing the terminal to open the QR code.
Preferably, the correlated behaviour information of the QR code includes: network behaviour, local behaviour, developer information, plugin information, background running service information, self-starting mode, permission information, embedded file status, and associated URL or API call status.
Preferably, comprehensively judging whether the QR code is malicious according to the threat level and the exception level specifically means: setting weights according to the threat level and the exception level, and judging whether the sum of the weights exceeds a predetermined threshold; if it exceeds the threshold the code is malicious, otherwise it is safe.
Preferably, intercepting and generating a behaviour report also includes: extracting the static features of the QR code and adding them to the virus signature database after reporting.
As described above, traditional QR code detection methods are mostly based on means such as signature detection or black/white list matching, and these detection methods are not sufficient to protect the security of QR code use. To make up for the deficiency of the traditional detection methods, the invention provides a sandbox-based QR code detection method and system: the scanned QR code is placed in a simulation sandbox and run, so that harm to the system is avoided and it is safer; the simulation sandbox is monitored, correlated behaviour information is obtained and a threat level is assigned on that basis; if the simulation sandbox is found to become abnormal, an exception level is assigned; finally, a verdict is given based on the threat level and the exception level. This not only provides a final conclusion but also gives the user more intuitive and objective level information to review, assisting the user in making a more accurate decision and making up for the deficiency of static detection; at the same time, a behaviour report can finally be provided, letting the user obtain the detailed behaviour information of a malicious QR code more accurately.
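As an added illustration (not code from the patent or from Antiy), the following Python models the S101 to S104 pipeline and the weighted decision of the comprehensive judgement module 204: a threat level derived from the behaviour categories the patent lists, an exception level derived from the sandbox stability anomalies it names, a weighted sum compared against the predetermined threshold and, on interception, a behaviour report plus static features fed into a signature database. The level assignments, weights, threshold, the SandboxRun/Verdict types and the sample sandbox observations (including the example.net URL) are all assumed values constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """One scale used for both the threat level and the exception level."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Behaviour categories named in the patent, each mapped to the threat level an
# observation in that category implies (assumed assignments, for illustration).
BEHAVIOUR_LEVEL = {
    "network_behavior": Level.LOW, "local_behavior": Level.MEDIUM,
    "developer_info": Level.LOW, "plugin_info": Level.MEDIUM,
    "background_service": Level.MEDIUM, "self_start_mode": Level.HIGH,
    "permissions": Level.MEDIUM, "embedded_file": Level.HIGH,
    "associated_url_or_api_call": Level.LOW,
}

# Sandbox stability anomalies named in the patent (S103), mapped to exception
# levels; the ordering is an assumption (a blue screen outranks one crash).
ANOMALY_LEVEL = {"response_abnormal": Level.LOW, "process_crash": Level.MEDIUM,
                 "blue_screen": Level.HIGH}

# Assumed per-level weights and the predetermined threshold (claim 3).
THREAT_WEIGHT = {Level.NONE: 0, Level.LOW: 1, Level.MEDIUM: 3, Level.HIGH: 6}
EXCEPTION_WEIGHT = {Level.NONE: 0, Level.LOW: 2, Level.MEDIUM: 4, Level.HIGH: 8}
THRESHOLD = 5


@dataclass
class SandboxRun:
    """What the simulation sandbox reports for one scanned code (constructed)."""
    content: str                                    # decoded QR payload
    behaviours: dict = field(default_factory=dict)  # category -> observations
    anomalies: list = field(default_factory=list)   # stability events seen


@dataclass
class Verdict:
    threat_level: Level
    exception_level: Level
    score: int
    malicious: bool
    report: dict


def threat_level(behaviours):
    """S102: highest level implied by any category with an observation."""
    seen = [BEHAVIOUR_LEVEL[c] for c, obs in behaviours.items()
            if obs and c in BEHAVIOUR_LEVEL]
    return max(seen, default=Level.NONE)


def exception_level(anomalies):
    """S103: the exception level follows the worst stability anomaly seen."""
    seen = [ANOMALY_LEVEL[a] for a in anomalies if a in ANOMALY_LEVEL]
    return max(seen, default=Level.NONE)


def static_features(content):
    """Static features of an intercepted code, destined for the signature DB."""
    return {"sha256": hashlib.sha256(content.encode()).hexdigest(),
            "content": content}


def judge(run, signature_db):
    """S104: weighted sum of both levels against the threshold. A malicious
    verdict intercepts the code, builds the behaviour report and adds the
    code's static features to the signature database for later static checks."""
    t, e = threat_level(run.behaviours), exception_level(run.anomalies)
    score = THREAT_WEIGHT[t] + EXCEPTION_WEIGHT[e]
    malicious = score > THRESHOLD
    report = {"threat_level": t.name, "exception_level": e.name, "score": score,
              "behaviours": dict(run.behaviours), "anomalies": list(run.anomalies),
              "action": "intercept" if malicious else "allow"}
    if malicious:
        signature_db.add(static_features(run.content)["sha256"])
    return Verdict(t, e, score, malicious, report)


def demo():
    """Three constructed runs; the last two differ only in the sandbox anomaly,
    showing the exception level tipping the weighted decision."""
    db = set()
    runs = [SandboxRun("https://example.com/menu", {"network_behavior": ["GET /menu"]}),
            SandboxRun("https://example.net/x.apk", {"plugin_info": ["loads plugin"]},
                       ["response_abnormal"]),
            SandboxRun("https://example.net/x.apk", {"plugin_info": ["loads plugin"]},
                       ["process_crash"])]
    return [judge(r, db) for r in runs], db
```

With the assumed weights, `demo()` allows the first two runs (scores 1 and 5, the second exactly at the threshold) and intercepts the third (score 7), which is the point where the sandbox's exception level, not the behaviour alone, decides the verdict.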
The above embodiments are intended to illustrate and not to limit the technical solution. Any modification or partial replacement that does not depart from the spirit and scope of the invention should be encompassed within the scope of the claims of the present invention.

Claims (8)

1. A sandbox-based two-dimensional code detection method, characterised in that it comprises:
when a code-scanning tool is found to be scanning a QR code, placing the QR code in a simulation sandbox and running it;
obtaining the correlated behaviour information of the QR code, and assigning a threat level based on that correlated behaviour information;
monitoring the stability of the simulation sandbox in real time and, if an anomaly occurs, assigning an exception level;
comprehensively judging, according to the threat level and the exception level, whether the QR code is malicious; if so, intercepting it and generating a behaviour report, otherwise allowing the terminal to open the QR code.
2. The method as claimed in claim 1, characterised in that the correlated behaviour information of the QR code includes: network behaviour, local behaviour, developer information, plugin information, background running service information, self-starting mode, permission information, embedded file status, and associated URL or API call status.
3. The method as claimed in claim 1, characterised in that comprehensively judging whether the QR code is malicious according to the threat level and the exception level specifically means: setting weights according to the threat level and the exception level, and judging whether the sum of the weights exceeds a predetermined threshold; if it exceeds the threshold the code is malicious, otherwise it is safe.
4. The method as claimed in claim 1, characterised in that intercepting and generating a behaviour report also includes: extracting the static features of the QR code and adding them to the virus signature database after reporting.
5. A sandbox-based two-dimensional code detection system, characterised in that it comprises:
a monitoring module, for placing the QR code in a simulation sandbox and running it when a code-scanning tool is found to be scanning a QR code;
a threat judgement module, for obtaining the correlated behaviour information of the QR code and assigning a threat level based on that correlated behaviour information;
an exception judgement module, for monitoring the stability of the simulation sandbox in real time and, if an anomaly occurs, assigning an exception level;
a comprehensive judgement module, for comprehensively judging according to the threat level and the exception level whether the QR code is malicious; if so, intercepting it and generating a behaviour report, otherwise allowing the terminal to open the QR code.
6. The system as claimed in claim 5, characterised in that the correlated behaviour information of the QR code includes: network behaviour, local behaviour, developer information, plugin information, background running service information, self-starting mode, permission information, embedded file status, and associated URL or API call status.
7. The system as claimed in claim 5, characterised in that comprehensively judging whether the QR code is malicious according to the threat level and the exception level specifically means: setting weights according to the threat level and the exception level, and judging whether the sum of the weights exceeds a predetermined threshold; if it exceeds the threshold the code is malicious, otherwise it is safe.
8. The system as claimed in claim 5, characterised in that intercepting and generating a behaviour report also includes: extracting the static features of the QR code and adding them to the virus signature database after reporting.

Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN201510495080.7A 2015-08-13 2015-08-13 Sandbox based two-dimensional code detection method and system Pending

Publications (1)

Publication Number Publication Date
CN105718792A 2016-06-29

Family

ID=56144859 (one family application, CN201510495080.7A; one country, CN)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102819723A (en) * 2011-12-26 2012-12-12 哈尔滨安天科技股份有限公司 Method and system for detecting malicious two-dimension codes
CN103984697A (en) * 2014-04-08 2014-08-13 百度在线网络技术(北京)有限公司 Barcode information processing method, device and system
CN104766011A (en) * 2015-03-26 2015-07-08 国家电网公司 Sandbox detection alarming method and system based on main engine characteristic

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109726551A (en) * 2017-10-31 2019-05-07 武汉安天信息技术有限责任公司 The methods of exhibiting and system of preceding bad behavior are installed in a kind of application
CN108009425A (en) * 2017-11-29 2018-05-08 四川无声信息技术有限公司 File detects and threat level decision method, apparatus and system
CN109450619A (en) * 2018-10-07 2019-03-08 杭州安恒信息技术股份有限公司 A kind of two-dimension code safe means of defence and system
CN109450619B (en) * 2018-10-07 2022-08-19 杭州安恒信息技术股份有限公司 Two-dimensional code safety protection method and system
WO2020098326A1 (en) * 2018-11-15 2020-05-22 中兴通讯股份有限公司 Information management method and processing method, device and storage medium
US10970378B2 (en) * 2019-05-13 2021-04-06 Cyberark Software Ltd. Secure generation and verification of machine-readable visual codes
WO2021214597A1 (en) * 2020-04-23 2021-10-28 International Business Machines Corporation Deep packet analysis
GB2604797A (en) * 2020-04-23 2022-09-14 Kyndryl Inc Deep packet analysis
US11563761B2 (en) 2020-04-23 2023-01-24 Kyndryl, Inc. Deep packet analysis
US11757912B2 (en) 2020-04-23 2023-09-12 Kyndryl, Inc. Deep packet analysis
CN115002685A (en) * 2022-07-14 2022-09-02 深圳市利诺威科技有限公司 Method and system for transmitting image data
CN116861412A (en) * 2023-06-26 2023-10-10 深圳市赛凌伟业科技有限公司 Information security analysis method and system based on big data

Legal Events

Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)
    Applicant after: Harbin antiy Technology Group Limited by Share Ltd
    Address before: 506 room 162, Hongqi Avenue, Nangang District, Harbin Development Zone, Heilongjiang, 150090
    Applicant before: Harbin Antiy Technology Co., Ltd.
WD01 Invention patent application deemed withdrawn after publication
    Application publication date: 20160629