CN106650423A - Object sample file detecting method and device - Google Patents


Info

Publication number
CN106650423A
Authority
CN (China)
Prior art keywords
sample file
target sample
sandbox
file
event
Prior art date
Legal status
Pending
Application number
CN201611065436.4A
Other languages
Chinese (zh)
Inventor
邱鹏
Current Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201611065436.4A
Publication of CN106650423A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention discloses a method for detecting a target sample file. The method comprises: receiving a target sample file from a data source and delivering it to a sandbox to run; monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox; if so, determining that the target sample file is a threat sample file; if not, determining that it is not a threat sample file. Because the target sample file runs with the sandbox as a virtual carrier, its complete execution trace can be observed, the characteristic information associated with it can be obtained by comprehensive analysis, and from that characteristic information it can be judged more accurately whether a process attribute modification event occurred while the file ran in the virtual machine. The threat sample file is thereby identified, which provides a reference and basis for subsequent information security protection.

Description

Detection method and device for a target sample file
Technical field
The present invention relates to the field of Internet technology, and in particular to a detection method and device for a target sample file.
Background technology
With the continuous development of Internet technology, people use the network ever more frequently; work, study, daily life, entertainment and many other matters can be handled over the network, which has brought great convenience. However, current Internet technology contains system-level kernel vulnerabilities that give malicious developers an opportunity: using threat sample files, they exploit these vulnerabilities to attack the terminals on which clients and servers run, obtain users' personal information, and threaten users' information security, causing personal and property losses. In particular, while exploiting a vulnerability with a threat sample file, malicious developers usually obtain system-level privileges by modifying process attributes and then perform further illegal operations.
Therefore, how to effectively and comprehensively discover, detect and handle suspicious samples that carry out vulnerability exploitation attacks on the Internet is a major problem that urgently needs to be solved.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a detection method and device for a target sample file that overcome, or at least partially solve, the problems described above.
According to one aspect of the present invention, a detection method for a target sample file is provided, comprising:
receiving a target sample file from a data source, and delivering the target sample file to a sandbox to run;
monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox;
if so, determining that the target sample file is a threat sample file;
otherwise, determining that the target sample file is not a threat sample file.
Optionally, delivering the target sample file to the sandbox to run includes:
creating, in the sandbox, a process corresponding to the target sample file, and running the target sample file in the sandbox through that process;
when creating the process corresponding to the target sample file, recording the initial attribute values of that process.
Optionally, monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox includes:
listening for specified operation events performed by the target sample file in the sandbox;
when a specified operation event is detected, intercepting the specified operation event and obtaining the current specified attribute values of the process corresponding to the target sample file;
matching the current specified attribute values of the process corresponding to the target sample file against the initial attribute values recorded for that process; if at least one match fails, determining that a process attribute modification event has occurred while the target sample file runs in the sandbox; otherwise, determining that no process attribute modification event has occurred while the target sample file runs in the sandbox.
Optionally, the initial attribute values of the process corresponding to the target sample file include one or more of: the Privileges attribute value, the UserSID attribute value and the OwnerSID attribute value;
and the current specified attribute values of the process corresponding to the target sample file include one or more of: the Privileges attribute value, the TokenUser attribute value and the TokenOwner attribute value in the token of the process corresponding to the target sample file.
Optionally, monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox includes:
listening for specified operation events performed by the target sample file in the sandbox;
when a specified operation event is detected, intercepting the specified operation event;
judging whether the access control list of the token of the process corresponding to the target sample file is currently empty; if so, determining that a process attribute modification event has occurred while the target sample file runs in the sandbox; otherwise, determining that no process attribute modification event has occurred while the target sample file runs in the sandbox.
Optionally, the method further includes:
when it is determined that a process attribute modification event has occurred while the target sample file runs in the sandbox, forcibly terminating the specified operation event;
when it is determined that no process attribute modification event has occurred while the target sample file runs in the sandbox, allowing the specified operation event to continue.
Optionally, the specified operation event includes: an event in which a function that performs a specified operation is called;
and the specified operation includes: creating and/or reading or writing memory, privileges, the registry, processes, threads and/or files in the sandbox.
Optionally, listening for specified operation events performed by the target sample file in the sandbox includes:
mounting a hook function on the function that performs the specified operation, and intercepting the message indicating that the function performing the specified operation is being called;
judging whether the sender of the message indicating that the function performing the specified operation is being called is the target sample file;
if so, determining that a specified operation event performed by the target sample file in the sandbox has been detected; otherwise, passing through the message indicating that the function performing the specified operation is being called.
Optionally, the method further includes:
recording the running log of the target sample file in the sandbox;
when it is determined that the target sample file is a threat sample file, obtaining the characteristic information related to the target sample file from the running log of the target sample file in the sandbox;
placing the characteristic information related to the target sample file in a threat database.
Optionally, the characteristic information related to the target sample file includes:
the static characteristic information of the target sample file,
and/or
the behavioural characteristic information of the target sample file.
Optionally, the method further includes:
feeding the characteristic information related to the target sample file back to the data source.
According to another aspect of the present invention, a detection device for a target sample file is provided, comprising:
a sample receiving unit, adapted to receive a target sample file from a data source;
a detection processing unit, adapted to deliver the target sample file to a sandbox to run and to monitor whether a process attribute modification event occurs while the target sample file runs in the sandbox; if so, to determine that the target sample file is a threat sample file; otherwise, to determine that the target sample file is not a threat sample file.
Optionally, the detection processing unit is adapted to create, in the sandbox, a process corresponding to the target sample file and to run the target sample file in the sandbox through that process; and, when creating the process corresponding to the target sample file, to record the initial attribute values of that process.
Optionally, the detection processing unit is adapted to listen for specified operation events performed by the target sample file in the sandbox; when a specified operation event is detected, to intercept it and obtain the current specified attribute values of the process corresponding to the target sample file; and to match those current specified attribute values against the initial attribute values recorded for the process, determining that a process attribute modification event has occurred while the target sample file runs in the sandbox if at least one match fails, and otherwise that no process attribute modification event has occurred.
Optionally, the initial attribute values of the process corresponding to the target sample file include one or more of: the Privileges attribute value, the UserSID attribute value and the OwnerSID attribute value;
and the current specified attribute values of the process corresponding to the target sample file include one or more of: the Privileges attribute value, the TokenUser attribute value and the TokenOwner attribute value in the token of the process corresponding to the target sample file.
Optionally, the detection processing unit is adapted to listen for specified operation events performed by the target sample file in the sandbox; when a specified operation event is detected, to intercept it; and to judge whether the access control list of the token of the process corresponding to the target sample file is currently empty, determining that a process attribute modification event has occurred while the target sample file runs in the sandbox if it is, and otherwise that no process attribute modification event has occurred.
Optionally, the detection processing unit is further adapted to forcibly terminate the specified operation event when it is determined that a process attribute modification event has occurred while the target sample file runs in the sandbox, and to allow the specified operation event to continue when it is determined that no process attribute modification event has occurred.
Optionally, the specified operation event includes: an event in which a function that performs a specified operation is called;
and the specified operation includes: creating and/or reading or writing memory, privileges, the registry, processes, threads and/or files in the sandbox.
Optionally, the detection processing unit is adapted to mount a hook function on the function that performs the specified operation and to intercept the message indicating that this function is being called; to judge whether the sender of that message is the target sample file; and, if so, to determine that a specified operation event performed by the target sample file in the sandbox has been detected, otherwise passing the message through.
Optionally, the detection processing unit is further adapted to record the running log of the target sample file in the sandbox; when it is determined that the target sample file is a threat sample file, to obtain the characteristic information related to the target sample file from that running log; and to place the characteristic information related to the target sample file in a threat database.
Optionally, the characteristic information related to the target sample file includes:
the static characteristic information of the target sample file,
and/or
the behavioural characteristic information of the target sample file.
Optionally, the detection processing unit is further adapted to feed the characteristic information related to the target sample file back to the data source.
In summary, the technical scheme of the present invention delivers the target sample file received from the data source into a sandbox for detection and, when a process attribute modification event is detected while the target sample file runs in the sandbox, determines that the target sample file is a threat sample file. Because the scheme uses the sandbox as a virtual carrier to run the target sample file, the complete execution trace of the target sample file can be clearly observed, the characteristic information related to the target sample file can be obtained by comprehensive analysis, and from that characteristic information it can be judged more accurately whether a process attribute modification event occurred while the target sample file ran in the virtual machine. The threat sample file is thereby identified, which provides a reference and basis for subsequent security protection.
The above is only an overview of the technical scheme of the present invention. In order that the technical means of the invention may be better understood and practised according to the contents of this specification, and that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a detection method for a target sample file according to an embodiment of the invention;
Fig. 2 shows a schematic diagram of a detection device for a target sample file according to an embodiment of the invention.
Specific embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure will be understood thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of a detection method for a target sample file according to an embodiment of the invention. As shown in Fig. 1, the method includes:
Step S110: receive a target sample file from a data source.
Step S120: deliver the target sample file to a sandbox to run, and monitor whether a process attribute modification event occurs while the target sample file runs in the sandbox.
Step S130: if so, determine that the target sample file is a threat sample file.
Step S140: otherwise, determine that the target sample file is not a threat sample file.
It can be seen that the method shown in Fig. 1 delivers the target sample file received from the data source into a sandbox for detection and, when a process attribute modification event is detected while the target sample file runs in the sandbox, determines that the target sample file is a threat sample file. Because the scheme uses the sandbox as a virtual carrier to run the target sample file, the complete execution trace of the target sample file can be clearly observed, the characteristic information related to the target sample file can be obtained by comprehensive analysis, and from that characteristic information it can be judged more accurately whether a process attribute modification event occurred while the target sample file ran in the virtual machine. The threat sample file is thereby identified, which provides a reference and basis for subsequent security protection.
In one embodiment of the invention, the method shown in Fig. 1 further includes: recording the running log of the target sample file in the sandbox; when it is determined that the target sample file is a threat sample file, obtaining the characteristic information related to the target sample file from the running log of the target sample file in the sandbox; and placing the characteristic information related to the target sample file in a threat database.
The characteristic information related to the target sample file that is obtained by analysing its running log includes the static characteristic information of the target sample file and/or the behavioural characteristic information of the target sample file. That is, for a target sample file run in the sandbox, both its static characteristics and its dynamic behavioural characteristics during execution can be extracted. From the perspective of this scheme, a complete profile of the target sample file is thereby obtained, so that questions such as whether the target sample file is a threat sample and, if so, how the suspicious sample should be prevented and removed, can be answered accurately.
As the scheme is applied continuously, the profiles of the target sample files become ever more complete; that is, the data in the threat database are continuously completed. In one embodiment of the invention, placing the characteristic information related to a target sample file judged to be a threat sample into the threat database includes: updating the existing data in the threat database according to the characteristic information related to the suspicious sample judged to be a threat sample.
Further, the method described in Fig. 1 may also feed the characteristic information related to the target sample file back to the data source. In this scheme, target sample files are received from data sources, detecting them supplements and updates the threat database, and the threat database pushes the characteristic information related to target sample files to the data sources. The data sources mark records according to the pushed characteristic information, intercept and record target sample files more accurately, and push their results back to the threat database, forming a positive feedback loop. The management of complete characteristic information for all kinds of target sample files can thus be continuously expanded and improved; the characteristic information of target sample files becomes clearer and more complete; prevention and removal strategies for threat samples become easier to find; and those strategies can be pushed to the data sources in a timely and unified way, so that each data source's prevention and removal strategy is adjusted uniformly. A tight security protection mechanism is established that safeguards Internet information security from a higher vantage point.
In one embodiment of the invention, detecting whether a process attribute modification event occurs while the target sample file runs in the sandbox includes the following two schemes:
Scheme one: in step S120, delivering the target sample file to the sandbox to run includes creating, in the sandbox, a process corresponding to the target sample file and running the target sample file in the sandbox through that process; when the process corresponding to the target sample file is created, the initial attribute values of that process are recorded.
Monitoring in step S120 whether a process attribute modification event occurs while the target sample file runs in the sandbox then includes:
Step S121: listen for specified operation events performed by the target sample file in the sandbox.
Step S122: when a specified operation event is detected, intercept it and obtain the current specified attribute values of the process corresponding to the target sample file.
Step S123: match the current specified attribute values of the process corresponding to the target sample file against the initial attribute values of that process; if at least one match fails, determine that a process attribute modification event has occurred while the target sample file runs in the sandbox; otherwise, determine that no process attribute modification event has occurred while the target sample file runs in the sandbox.
Scheme two: monitoring in step S120 whether a process attribute modification event occurs while the target sample file runs in the sandbox includes:
Step S121': listen for specified operation events performed by the target sample file in the sandbox.
Step S122': when a specified operation event is detected, intercept it.
Step S123': judge whether the access control list of the token of the process corresponding to the target sample file is currently empty; if so, determine that a process attribute modification event has occurred while the target sample file runs in the sandbox; otherwise, determine that no process attribute modification event has occurred while the target sample file runs in the sandbox.
On the basis of scheme one or scheme two, the above process further includes:
Step S124: when it is determined that a process attribute modification event has occurred while the target sample file runs in the sandbox, forcibly terminate the specified operation event.
Step S125: when it is determined that no process attribute modification event has occurred while the target sample file runs in the sandbox, allow the specified operation event to continue.
Specifically, the specified operation event includes an event in which a function that performs a specified operation is called, and the specified operation includes creating and/or reading or writing memory, privileges, the registry, processes, threads and/or files in the sandbox. Listening in step S121 or step S121' for specified operation events performed by the target sample file in the sandbox then includes: mounting a hook function on the function that performs the specified operation and intercepting the message indicating that this function is being called; judging whether the sender of that message is the target sample file; if so, determining that a specified operation event performed by the target sample file in the sandbox has been detected; otherwise, passing the message through.
The implementation of this scheme is illustrated by a specific example. Since malicious threat sample files in the prior art usually obtain system privileges by modifying their own process attributes and then perform malicious operations that harm users' information security, this scheme creates a sandbox on the server side as a virtual execution carrier for the target sample file, and learns whether a kernel vulnerability exploitation event has occurred by monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox; that is, it dynamically determines whether the target sample file is a threat sample file from the behavioural characteristics the sample file exhibits in the sandbox. In this example the sandbox comprises four modules:
Agent.exe, the virtual machine communication agent module, is responsible for receiving the detection modules and the sample file, creating the Analyzer process, real-time data exchange with the server-side process outside the virtual machine, and transferring logs and files.
Analyzer.exe, the internal scheduling and control module, is responsible for identifying the sample file type, creating the LoadHP process, internal detection timeouts and limits, simulating screen clicks in the operating system, screen capture, and data communication with Agent.
LoadHP.exe, the detection auxiliary module, is responsible for loading the main detection module driver, controlling each detection function switch through configuration options, communicating with the kernel module driver, and starting the sample file process.
Honeypot.sys is the kernel module in which detection is implemented as a driver. It sets up process creation notification callbacks in the operating system kernel, hooks the specified kernel APIs, determines within the hook functions whether a process has escalated its privileges, marks the result, and generates the detection result log.
In this part, after the target sample file is received from the data source and delivered to the sandbox to run, this example uses the Honeypot.sys driver, under the coordination of the three modules Agent.exe, Analyzer.exe and Honeypot.sys, to detect whether a process attribute modification event occurs while the target sample file runs in the sandbox. The specific flow is as follows:
1. When the Honeypot.sys driver is loaded, it initialises the data structure objects and variables the driver needs.
2. The Honeypot.sys driver is initialised: it performs the related initialisation operations according to the IO control codes sent by the user-mode process LoadHP.exe, and creates the log recording thread. When Honeypot receives the IO control code marked "kernel exploitation monitoring", it selects the corresponding dispatch routine according to the data in the incoming buffer. Specified operation events performed by the target sample file in the sandbox are listened for as follows: the sensitive APIs that create and/or read or write memory, privileges, the registry, processes, threads and/or files in the sandbox are hooked in the SSDT, and a new-process creation notification callback routine is set up.
3. The Honeypot.sys driver enables monitoring: according to the corresponding IOCTL sent by LoadHP.exe, it turns on the master switch for kernel-level behaviour monitoring.
4. Notify and record: when the system creates a new process, the process creation notification routine set up above is entered, the new process is added to the process creation record LIST, and the initial attribute values of the newly created process are recorded in this routine. For example, when the process corresponding to the target sample file is created, one or more of the following initial attribute values of that process are recorded: the Privileges attribute value, the UserSID attribute value and the OwnerSID attribute value.
5. Monitor and detect: detect whether a system process token replacement event occurs while the target sample file runs in the virtual machine. Through the hooks on the sensitive APIs for the specified operations above, when a sensitive API is called in a newly created process the call event is intercepted and control first jumps to the Fake function implemented by this scheme. The Fake function judges whether the current process is in the process LIST maintained above. Because the process LIST records processes created by the system, the purpose of this judgement is to determine whether the initiator of the current call event is the process corresponding to the target sample file or a process created by the target sample file; if it is, the operation was performed by the target sample file, and the detection of system process token replacement is carried out.
Specifically, before the original API is called, one or more of the following current specified attribute values of the process corresponding to the target sample file are obtained: the Privileges attribute value, the TokenUser attribute value and the TokenOwner attribute value in the token of that process. These current specified attribute values are matched against the initial attribute values recorded for the process; that is, these three values are compared with the initial Privileges, UserSID and OwnerSID recorded when the process was created. If at least one match fails, it is judged that the sample process has escalated its privileges: a process attribute modification event is determined to have occurred while the target sample file ran in the sandbox, the target sample file is a threat sample file, a detection result log is generated in the specified format, and the log buffer is inserted into the log buffer LIST. Otherwise, it is determined that no process attribute modification event has occurred while the target sample file ran in the sandbox, and the target sample file is not a threat sample file. When detection ends, if the target sample is not a threat sample, the Fake function calls the original sensitive API to continue execution and returns its return value to the caller.
The final step of the detection process, taken when the target sample file has been determined to be a threat file:
6. Generate the log. In the Honeypot log recording thread, the log buffer LIST is continuously polled for newly inserted log Buffers. Each new log Buffer is appended to the file at the path specified in the configuration options, and the node of that log Buffer is released from the log buffer LIST.
The details of generating the detection result log in this example are as follows. The scheme generates the detection log at logging points through a cache: a detection log is first held in the log buffer LIST; the log recording thread polls the log buffer LIST, processes each log node in FIFO order, and appends the detection result log content to the log record file actions.log. After detection finishes, the log file is obtained and processed by the external scheduling module process. The logging-point data in the detection result log include environment and file basic information, detection function point trigger data, and so on. Environment and file basic information are output as a running log; detection function point trigger data are output in the form of the behavior log actions.log. For example, the detection result log includes: 1. Environment and file basic information: the MD5 of the sample process file, the sample process file path, the names and FileVersion of the main system modules, etc. 2. Detection function point trigger data: for the detection of process Token attribute values, the process ID, thread ID, Privileges mask description sequence, UserSID, OwnerSID, and the hooked API at the time of detection, etc.
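Steps 4 and 5 above, as an added C model that is not the Honeypot.sys driver's code: the process creation record LIST with the initial Privileges, UserSID and OwnerSID values, the comparison the Fake function makes before the original sensitive API runs, and the empty access control list variant described for the device below. The privilege bitmask, the string SIDs, the PIDs, the API names and the log line format are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SID_LEN 40
#define MAX_PROCS   64

/* Token attributes the scheme compares. Privileges is modelled as a bitmask of
 * enabled privileges and the SIDs as strings: constructed stand-ins for the
 * Windows token fields, not the driver's own structures. */
typedef struct {
    uint64_t privileges;             /* initial Privileges / current token Privileges */
    char     user_sid[MAX_SID_LEN];  /* initial UserSID / current TokenUser */
    char     owner_sid[MAX_SID_LEN]; /* initial OwnerSID / current TokenOwner */
    unsigned acl_entry_count;        /* entries in the token's access control list */
} token_attrs;

/* One node of the process creation record LIST filled in step 4. */
typedef struct { uint32_t pid; token_attrs initial; } proc_record;

static proc_record g_proc_list[MAX_PROCS];
static int         g_proc_count;

typedef enum {
    VERDICT_NOT_MONITORED, /* caller not in the LIST: just call the original API */
    VERDICT_CLEAN,         /* attributes unchanged: call the original API */
    VERDICT_THREAT         /* process attribute modification event detected */
} hook_verdict;

void reset_process_list(void) { g_proc_count = 0; }

/* Step 4: process creation notify routine. Records the new process together
 * with its initial attribute values; returns false when the LIST is full. */
bool on_process_created(uint32_t pid, const token_attrs *initial)
{
    if (g_proc_count >= MAX_PROCS) return false;
    g_proc_list[g_proc_count].pid     = pid;
    g_proc_list[g_proc_count].initial = *initial;
    g_proc_count++;
    return true;
}

static const proc_record *find_process(uint32_t pid)
{
    for (int i = 0; i < g_proc_count; i++)
        if (g_proc_list[i].pid == pid)
            return &g_proc_list[i];
    return NULL;
}

/* Step 5: the decision the Fake function takes before the original sensitive
 * API runs. `current` is the token state read from the calling process at that
 * moment and `api_name` the hooked API. On a THREAT verdict a one-line record
 * in the spirit of actions.log is written to `log` (which may be NULL). */
hook_verdict check_sensitive_call(uint32_t caller_pid, uint32_t caller_tid,
                                  const token_attrs *current, const char *api_name,
                                  char *log, size_t log_len)
{
    const proc_record *rec = find_process(caller_pid);
    if (rec == NULL) return VERDICT_NOT_MONITORED;
    bool priv_ok  = rec->initial.privileges == current->privileges;
    bool user_ok  = strcmp(rec->initial.user_sid, current->user_sid) == 0;
    bool owner_ok = strcmp(rec->initial.owner_sid, current->owner_sid) == 0;
    if (priv_ok && user_ok && owner_ok)
        return VERDICT_CLEAN;
    if (log != NULL && log_len > 0)
        snprintf(log, log_len,
                 "token_modified pid=%u tid=%u api=%s privileges=0x%llx user=%s owner=%s changed=%s%s%s",
                 caller_pid, caller_tid, api_name, (unsigned long long)current->privileges,
                 current->user_sid, current->owner_sid, priv_ok ? "" : "[privileges]",
                 user_ok ? "" : "[user]", owner_ok ? "" : "[owner]");
    return VERDICT_THREAT;
}

/* Alternative embodiment: a token whose access control list has become empty
 * is by itself treated as a process attribute modification event. */
hook_verdict check_token_acl(uint32_t caller_pid, const token_attrs *current)
{
    if (find_process(caller_pid) == NULL)
        return VERDICT_NOT_MONITORED;
    return current->acl_entry_count == 0 ? VERDICT_THREAT : VERDICT_CLEAN;
}

int main(void)
{
    /* Constructed sample: a plain user token at creation, then a sensitive API
     * call arriving with an extra privilege bit and the owner set to the LocalSystem SID. */
    token_attrs initial = { 0x20u, "S-1-5-21-111-222-333-1001", "S-1-5-21-111-222-333-1001", 3 };
    reset_process_list();
    on_process_created(4242, &initial);
    token_attrs now = initial;
    now.privileges |= 0x100000u;
    strcpy(now.owner_sid, "S-1-5-18");
    char line[256];
    hook_verdict v = check_sensitive_call(4242, 7, &now, "NtOpenProcess", line, sizeof line);
    puts(v == VERDICT_THREAT ? line : "clean");
    return v == VERDICT_THREAT ? 0 : 1;
}
```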
In one embodiment of the invention, besides detecting whether a kernel vulnerability exploit occurs while the target sample file runs in the virtual machine, there are related auxiliary detection processes, including a detection process protection mechanism and a detection file protection mechanism:
The detection process protection mechanism protects the address space of the processes associated with the detection module, preventing a malicious sample process that has escaped the virtual machine sandbox from accessing, releasing or leaking it, which would allow confidential information of the detection module to be stolen. The preparatory work includes: 1. LoadHP.exe: after the driver-loading stage of the LoadHP process completes, it reads the value of fields such as "ourproc" in the Honeypot.ini configuration file, parses out the process names of one or more detection modules, obtains the PID of each detection module process by process name, and sends them in turn to the Honeypot driver via IO control codes. 2. Honeypot.sys: when Honeypot receives the IO control code labelled "process ID filtering", it obtains the PID transmitted this time from the input Buffer, obtains the EPROCESS address of the corresponding process from the PID, and inserts the EPROCESS pointer into the process filter LIST.
On this basis, the auxiliary detection process includes: hooking the key NTAPIs that operate on processes, threads and memory address space, and, in the Fake function, matching the EPROCESS address of the current context process and the EPROCESS address of the operation's target process against the process filter LIST described above. If the EPROCESS address of the context process is not in the process filter LIST while the EPROCESS address of the operation's target process matches successfully in the process filter LIST, it can be determined that another process is attempting to access one of the processes in the detection module's process set. The call is blocked: a status code of access denied is returned and the call is not passed further down, so that the current context process's call to that API is terminated. If the match fails, the call belongs to the other, normal cases of calling the corresponding API; it is not blocked, the original API is called to continue execution, and its return value is returned to the Caller.
The detection file protection mechanism protects the directories of the detection module and of the detection result logs, preventing certain sample processes from accessing, tampering with, encrypting or damaging them, which would cause detection failures or abnormal results and affect the stability and performance of the sandbox system. The preparatory work includes: 1. LoadHP.exe: after the driver-loading stage of the LoadHP process completes, it reads the value of fields such as "ourpath" in the Honeypot.ini configuration file, parses out one or more detection result log directory paths, and sends each path Buffer in turn to the Honeypot driver via IO control codes. 2. Honeypot.sys: when Honeypot receives the IO control code labelled "private directory", it obtains the directory path Buffer transmitted this time from the input Buffer, constructs a UNICODE_STRING from the Buffer, and inserts the string object into the private directory LIST. On this basis, the auxiliary detection process includes: registering a file system filter and implementing each main IRP dispatch function. In the bodies of the dispatch functions for READ, WRITE, CREATE, SET_INFORMATION, DIRECTORY_CONTROL and so on, it is judged whether the file path UNICODE_STRING object of the FILE_OBJECT in the current IRP matches successfully in the private directory LIST. If the match fails, the current operation is not aimed at the detection log directory or the detection module directory: the current stack location is skipped and the IRP is passed further down. If the match succeeds, the current file operation is indeed aimed at the detection log directory or the detection module directory. The EPROCESS address of the context process is then obtained, and it is judged whether that EPROCESS address matches successfully in the process filter LIST of the "detection process protection" mechanism. If it matches, the access to the detection log directory or the detection module directory is judged to come from the detection module's own processes: the current stack location is skipped and the IRP is passed further down. If it does not match, a third-party process is accessing the detection log directory or the detection module directory: the I/O status field of the IRP is assigned an error code such as access denied, the I/O request of the IRP is completed, and the current IRP dispatch function returns, making the current file access operation fail.
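The two auxiliary mechanisms, as an added C model that is not the driver's own code: the process filter LIST and the private directory LIST, with the decision taken in the Fake function of a hooked NTAPI and the decision taken in the file system filter's IRP dispatch routines. EPROCESS addresses are plain integers, directory paths are narrow strings instead of UNICODE_STRING objects, and the addresses and paths in main are constructed values.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_ENTRIES  16
#define MAX_PATH_LEN 260

/* Process filter LIST: EPROCESS addresses of the detection module's processes
 * (resolved from the PIDs LoadHP.exe reads via "ourproc"); plain integers here. */
static uintptr_t g_proc_filter[MAX_ENTRIES];
static int       g_proc_filter_count;

/* Private directory LIST built from "ourpath": detection module and detection
 * result log directories; narrow strings stand in for UNICODE_STRING objects. */
static char g_private_dirs[MAX_ENTRIES][MAX_PATH_LEN];
static int  g_private_dir_count;

typedef enum {
    ACCESS_ALLOW, /* call the original API / pass the IRP down */
    ACCESS_DENY   /* return an access-denied status, do not go further down */
} access_decision;

void protection_reset(void) { g_proc_filter_count = g_private_dir_count = 0; }

/* "process ID filtering" IOCTL: insert one EPROCESS address into the LIST. */
bool protection_add_process(uintptr_t eprocess)
{
    if (g_proc_filter_count >= MAX_ENTRIES) return false;
    g_proc_filter[g_proc_filter_count++] = eprocess;
    return true;
}

/* "private directory" IOCTL: insert one directory path into the LIST. */
bool protection_add_private_dir(const char *dir)
{
    if (g_private_dir_count >= MAX_ENTRIES || strlen(dir) >= MAX_PATH_LEN) return false;
    strcpy(g_private_dirs[g_private_dir_count++], dir);
    return true;
}

static bool is_protected_process(uintptr_t eprocess)
{
    for (int i = 0; i < g_proc_filter_count; i++)
        if (g_proc_filter[i] == eprocess)
            return true;
    return false;
}

/* Detection process protection: decision made in the Fake function of a hooked
 * process/thread/memory NTAPI. Only a context process outside the LIST acting on
 * a process inside the LIST is blocked; every other combination is a normal call. */
access_decision process_access_decision(uintptr_t caller_eprocess, uintptr_t target_eprocess)
{
    if (!is_protected_process(caller_eprocess) && is_protected_process(target_eprocess))
        return ACCESS_DENY;
    return ACCESS_ALLOW;
}

/* Case-insensitive test that `path` is `dir` or lies beneath it. A trailing
 * backslash on `dir` is ignored, and "...\LogsBackup" does not match "...\Logs". */
static bool path_under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    while (n > 0 && dir[n - 1] == '\\') n--;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)dir[i]))
            return false;
    return path[n] == '\0' || path[n] == '\\';
}

static bool path_is_private(const char *path)
{
    for (int i = 0; i < g_private_dir_count; i++)
        if (path_under_dir(path, g_private_dirs[i]))
            return true;
    return false;
}

/* Detection file protection: decision made in the filter driver's READ, WRITE,
 * CREATE, SET_INFORMATION and DIRECTORY_CONTROL dispatch routines, given the
 * file path of the IRP's FILE_OBJECT and the context process. */
access_decision file_access_decision(const char *file_path, uintptr_t caller_eprocess)
{
    if (!path_is_private(file_path))
        return ACCESS_ALLOW; /* not our directories: skip the stack location, pass the IRP down */
    if (is_protected_process(caller_eprocess))
        return ACCESS_ALLOW; /* the detection module's own process touching its directories */
    return ACCESS_DENY;      /* third-party process: complete the IRP with access denied */
}

int main(void)
{
    /* Constructed values: EPROCESS 0x1000 is a detection-module process, C:\Honeypot\Logs an "ourpath" directory. */
    protection_reset();
    protection_add_process(0x1000);
    protection_add_private_dir("C:\\Honeypot\\Logs\\");
    return file_access_decision("c:\\honeypot\\logs\\actions.log", 0x2000) == ACCESS_DENY ? 0 : 1;
}
```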
Fig. 2 shows a schematic diagram of a detection device for a target sample file according to an embodiment of the invention. As shown in Fig. 2, the detection device 200 for a target sample file includes:
A sample reception unit 210, adapted to receive a target sample file from a data source.
A detection processing unit 220, adapted to place the target sample file in a sandbox to run, and to monitor whether a process attribute modification event occurs while the target sample file runs in the sandbox; if so, to determine that the target sample file is a threat sample file; otherwise, to determine that the target sample file is not a threat sample file.
It can be seen that the device shown in Fig. 2 places the target sample file received from the data source into a sandbox for detection, and determines that the target sample file is a threat sample file when it detects a process attribute modification event while the target sample file runs in the sandbox. Using the sandbox as a virtual carrier to run the target sample file, this scheme can clearly detect all running traces of the target sample file, analyze them comprehensively to obtain the related characteristic information of the target sample file, and, according to that related characteristic information, judge more precisely whether a process attribute modification event occurs while the target sample file runs in the virtual machine, thereby determining threat sample files and providing a reference and basis for subsequent security protection.
In one embodiment of the invention, the detection processing unit 220 is adapted to create in the sandbox the process corresponding to the target sample file, and to execute the operations of the target sample file in the sandbox through that process; when the process corresponding to the target sample file is created, the initial attribute values of that process are recorded.
Then, the detection processing unit 220 is adapted to listen for the specified operation events performed by the target sample file in the sandbox; when a specified operation event is detected, to intercept the specified operation event and obtain the specified attribute values of the process currently corresponding to the target sample file; to match the specified attribute values of the process currently corresponding to the target sample file against the initial attribute values of the process corresponding to the target sample file, and, if at least one match is unsuccessful, to determine that a process attribute modification event occurred while the target sample file ran in the sandbox; otherwise, to determine that no process attribute modification event occurred while the target sample file ran in the sandbox.
Here, the initial attribute values of the process corresponding to the target sample file include one or more of: the Privileges attribute value, the UserSID attribute value and the OwnerSID attribute value; the specified attribute values of the process currently corresponding to the target sample file include one or more of: the Privileges attribute value, the TokenUser attribute value and the TokenOwner attribute value in the token of the process corresponding to the target sample file.
In another embodiment of the invention, the detection processing unit 220 is adapted to listen for the specified operation events performed by the target sample file in the sandbox; when a specified operation event is detected, to intercept the specified operation event; to judge whether the access control list of the token of the process currently corresponding to the target sample file is empty, and, if so, to determine that a process attribute modification event occurred while the target sample file ran in the sandbox; otherwise, to determine that no process attribute modification event occurred while the target sample file ran in the sandbox.
Further, the detection processing unit 220 is further adapted to forcibly terminate the specified operation event when it is determined that a process attribute modification event occurred while the target sample file ran in the sandbox, and to allow the specified operation event to continue when it is determined that no process attribute modification event occurred while the target sample file ran in the sandbox.
Here, the specified operation event includes: an event in which a function that performs the specified operation is called; the specified operation includes: operations that create and/or read or write memory, privileges, the registry, processes, threads and/or files in the sandbox.
Specifically, the detection processing unit 220 is adapted to mount a hook function on the function that performs the specified operation, to intercept a message indicating that the function performing the specified operation is called, and to judge whether the sender of the message indicating that the function performing the specified operation is called is the target sample file; if so, it is determined that a specified operation event performed by the target sample file in the sandbox has been detected; otherwise, the message indicating that the function performing the specified operation is called is let through.
In one embodiment of the invention, the detection processing unit 220 is further adapted to record a running log of the target sample file running in the sandbox; when it is determined that the target sample file is a threat sample file, to obtain the related characteristic information of the target sample file from the running log of the target sample file in the sandbox; and to put the related characteristic information of the target sample file into a threat database.
Here, the related characteristic information of the target sample file includes: the static characteristic information of the target sample file, and/or the behavior characteristic information of the target sample file.
In one embodiment of the invention, the detection processing unit 220 is further adapted to feed the related characteristic information of the target sample file back to the data source.
It should be noted that the specific embodiments of the device shown in Fig. 2 correspond to and are identical with the embodiments of the method shown in Fig. 1, which have been described in detail above and are not repeated here.
In summary, the technical scheme of the invention places the target sample file received from the data source into a sandbox for detection, and determines that the target sample file is a threat sample file when a process attribute modification event is detected while the target sample file runs in the sandbox. Using the sandbox as a virtual carrier to run the target sample file, this scheme can clearly detect all running traces of the target sample file, analyze them comprehensively to obtain the related characteristic information of the target sample file, and, according to that related characteristic information, judge more precisely whether a process attribute modification event occurs while the target sample file runs in the virtual machine, thereby determining threat sample files and providing a reference and basis for subsequent security protection.
It should be noted that:
The algorithms and displays provided herein are not inherently related to any particular computer, virtual device or other equipment. Various general-purpose devices may also be used with the teachings herein. The structure required to construct such devices is apparent from the description above. In addition, the invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the description of a specific language above is given to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided herein. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may also be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments described herein include some features that are included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The embodiments of the various components of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the detection device for a target sample file according to embodiments of the invention. The invention may also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.
The invention discloses A1, a detection method for a target sample file, comprising:
receiving a target sample file from a data source, and placing the target sample file in a sandbox to run;
monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox;
if so, determining that the target sample file is a threat sample file;
otherwise, determining that the target sample file is not a threat sample file.
A2, the method according to A1, wherein placing the target sample file in a sandbox to run comprises:
creating in the sandbox the process corresponding to the target sample file, and executing the operations of the target sample file in the sandbox through that process;
when creating the process corresponding to the target sample file, recording the initial attribute values of the process corresponding to the target sample file.
A3, the method according to A2, wherein monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox comprises:
listening for specified operation events performed by the target sample file in the sandbox;
when a specified operation event is detected, intercepting the specified operation event and obtaining the specified attribute values of the process currently corresponding to the target sample file;
matching the specified attribute values of the process currently corresponding to the target sample file against the initial attribute values of the process corresponding to the target sample file; if at least one match is unsuccessful, determining that a process attribute modification event occurred while the target sample file ran in the sandbox; otherwise, determining that no process attribute modification event occurred while the target sample file ran in the sandbox.
A4, the method according to A3, wherein the initial attribute values of the process corresponding to the target sample file include one or more of: the Privileges attribute value, the UserSID attribute value and the OwnerSID attribute value;
the specified attribute values of the process currently corresponding to the target sample file include one or more of: the Privileges attribute value, the TokenUser attribute value and the TokenOwner attribute value in the token of the process corresponding to the target sample file.
A5, the method according to A1, wherein monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox comprises:
listening for specified operation events performed by the target sample file in the sandbox;
when a specified operation event is detected, intercepting the specified operation event;
judging whether the access control list of the token of the process currently corresponding to the target sample file is empty; if so, determining that a process attribute modification event occurred while the target sample file ran in the sandbox; otherwise, determining that no process attribute modification event occurred while the target sample file ran in the sandbox.
A6, the method according to A3 or A5, wherein the method further comprises:
when it is determined that a process attribute modification event occurred while the target sample file ran in the sandbox, forcibly terminating the specified operation event;
when it is determined that no process attribute modification event occurred while the target sample file ran in the sandbox, allowing the specified operation event to continue.
A7, the method according to A6, wherein the specified operation event includes: an event in which a function that performs the specified operation is called;
the specified operation includes: operations that create and/or read or write memory, privileges, the registry, processes, threads and/or files in the sandbox.
A8, the method according to A7, wherein listening for specified operation events performed by the target sample file in the sandbox comprises:
mounting a hook function on the function that performs the specified operation, and intercepting a message indicating that the function performing the specified operation is called;
judging whether the sender of the message indicating that the function performing the specified operation is called is the target sample file;
if so, determining that a specified operation event performed by the target sample file in the sandbox has been detected; otherwise, letting through the message indicating that the function performing the specified operation is called.
A9, the method according to A1, wherein the method further comprises:
recording a running log of the target sample file running in the sandbox;
when it is determined that the target sample file is a threat sample file, obtaining the related characteristic information of the target sample file from the running log of the target sample file in the sandbox;
putting the related characteristic information of the target sample file into a threat database.
A10, the method according to A9, wherein the related characteristic information of the target sample file includes:
the static characteristic information of the target sample file,
and/or,
the behavior characteristic information of the target sample file.
A11, the method according to A9, wherein the method further comprises:
feeding the related characteristic information of the target sample file back to the data source.
The invention also discloses B12, a detection device for a target sample file, comprising:
a sample reception unit, adapted to receive a target sample file from a data source;
a detection processing unit, adapted to place the target sample file in a sandbox to run, and to monitor whether a process attribute modification event occurs while the target sample file runs in the sandbox; if so, to determine that the target sample file is a threat sample file; otherwise, to determine that the target sample file is not a threat sample file.
B13, the device according to B12, wherein
the detection processing unit is adapted to create in the sandbox the process corresponding to the target sample file, to execute the operations of the target sample file in the sandbox through that process, and, when creating the process corresponding to the target sample file, to record the initial attribute values of the process corresponding to the target sample file.
B14, the device according to B13, wherein
the detection processing unit is adapted to listen for specified operation events performed by the target sample file in the sandbox; when a specified operation event is detected, to intercept the specified operation event and obtain the specified attribute values of the process currently corresponding to the target sample file; to match the specified attribute values of the process currently corresponding to the target sample file against the initial attribute values of the process corresponding to the target sample file, and, if at least one match is unsuccessful, to determine that a process attribute modification event occurred while the target sample file ran in the sandbox; otherwise, to determine that no process attribute modification event occurred while the target sample file ran in the sandbox.
B15, the device according to B14, wherein the initial attribute values of the process corresponding to the target sample file include one or more of: the Privileges attribute value, the UserSID attribute value and the OwnerSID attribute value;
the specified attribute values of the process currently corresponding to the target sample file include one or more of: the Privileges attribute value, the TokenUser attribute value and the TokenOwner attribute value in the token of the process corresponding to the target sample file.
B16, the device according to B12, wherein
the detection processing unit is adapted to listen for specified operation events performed by the target sample file in the sandbox; when a specified operation event is detected, to intercept the specified operation event; to judge whether the access control list of the token of the process currently corresponding to the target sample file is empty, and, if so, to determine that a process attribute modification event occurred while the target sample file ran in the sandbox; otherwise, to determine that no process attribute modification event occurred while the target sample file ran in the sandbox.
B17, the device according to B14 or B16, wherein
the detection processing unit is further adapted to forcibly terminate the specified operation event when it is determined that a process attribute modification event occurred while the target sample file ran in the sandbox, and to allow the specified operation event to continue when it is determined that no process attribute modification event occurred while the target sample file ran in the sandbox.
B18, the device according to B17, wherein the specified operation event includes: an event in which a function that performs the specified operation is called;
the specified operation includes: operations that create and/or read or write memory, privileges, the registry, processes, threads and/or files in the sandbox.
B19, the device according to B18, wherein
the detection processing unit is adapted to mount a hook function on the function that performs the specified operation, to intercept a message indicating that the function performing the specified operation is called, and to judge whether the sender of the message indicating that the function performing the specified operation is called is the target sample file; if so, it is determined that a specified operation event performed by the target sample file in the sandbox has been detected; otherwise, the message indicating that the function performing the specified operation is called is let through.
B20, the device according to B12, wherein
the detection processing unit is further adapted to record a running log of the target sample file running in the sandbox; when it is determined that the target sample file is a threat sample file, to obtain the related characteristic information of the target sample file from the running log of the target sample file in the sandbox; and to put the related characteristic information of the target sample file into a threat database.
B21, the device according to B20, wherein the related characteristic information of the target sample file includes:
the static characteristic information of the target sample file,
and/or,
the behavior characteristic information of the target sample file.
B22, the device according to B20, wherein
the detection processing unit is further adapted to feed the related characteristic information of the target sample file back to the data source.

Claims (10)

1. A method for detecting a target sample file, comprising:
receiving a target sample file from a data source, and putting the target sample file into a sandbox to run;
monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox;
if so, determining that the target sample file is a threat sample file;
otherwise, determining that the target sample file is not a threat sample file.
2. The method according to claim 1, wherein putting the target sample file into the sandbox to run comprises:
creating a process corresponding to the target sample file in the sandbox, the process performing the running of the target sample file in the sandbox;
when creating the process corresponding to the target sample file, recording the initial attribute values of the process corresponding to the target sample file.
3. The method according to claim 2, wherein monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox comprises:
monitoring for a specified operation event executed by the target sample file in the sandbox;
when a specified operation event is detected, intercepting the specified operation event and obtaining the current specified attribute values of the process corresponding to the target sample file;
matching the current specified attribute values of the process corresponding to the target sample file against the initial attribute values of the process corresponding to the target sample file; if at least one match fails, determining that a process attribute modification event has occurred while the target sample file runs in the sandbox; otherwise, determining that no process attribute modification event has occurred while the target sample file runs in the sandbox.
4. The method according to claim 3, wherein the initial attribute values of the process corresponding to the target sample file comprise one or more of the following: the Privileges attribute value, the UserSID attribute value and the OwnerSID attribute value;
the current specified attribute values of the process corresponding to the target sample file comprise one or more of the following: the Privileges attribute value, the TokenUser attribute value and the TokenOwner attribute value in the token of the process corresponding to the target sample file.
5. The method according to claim 1, wherein monitoring whether a process attribute modification event occurs while the target sample file runs in the sandbox comprises:
monitoring for a specified operation event executed by the target sample file in the sandbox;
when a specified operation event is detected, intercepting the specified operation event;
determining whether the access control list of the token of the process currently corresponding to the target sample file is in an empty state; if so, determining that a process attribute modification event has occurred while the target sample file runs in the sandbox; otherwise, determining that no process attribute modification event has occurred while the target sample file runs in the sandbox.
6. A device for detecting a target sample file, comprising:
a sample receiving unit, adapted to receive a target sample file from a data source;
a detection process unit, adapted to put the target sample file into a sandbox to run, and to monitor whether a process attribute modification event occurs while the target sample file runs in the sandbox; if so, to determine that the target sample file is a threat sample file; otherwise, to determine that the target sample file is not a threat sample file.
7. The device according to claim 6, wherein
the detection process unit is adapted to create a process corresponding to the target sample file in the sandbox, the process performing the running of the target sample file in the sandbox; and, when creating the process corresponding to the target sample file, to record the initial attribute values of the process corresponding to the target sample file.
8. The device according to claim 7, wherein
the detection process unit is adapted to monitor for a specified operation event executed by the target sample file in the sandbox; when a specified operation event is detected, to intercept the specified operation event and obtain the current specified attribute values of the process corresponding to the target sample file; to match the current specified attribute values of the process corresponding to the target sample file against the initial attribute values of the process corresponding to the target sample file; if at least one match fails, to determine that a process attribute modification event has occurred while the target sample file runs in the sandbox; otherwise, to determine that no process attribute modification event has occurred while the target sample file runs in the sandbox.
9. The device according to claim 8, wherein the initial attribute values of the process corresponding to the target sample file comprise one or more of the following: the Privileges attribute value, the UserSID attribute value and the OwnerSID attribute value;
the current specified attribute values of the process corresponding to the target sample file comprise one or more of the following: the Privileges attribute value, the TokenUser attribute value and the TokenOwner attribute value in the token of the process corresponding to the target sample file.
10. The device according to claim 6, wherein
the detection process unit is adapted to monitor for a specified operation event executed by the target sample file in the sandbox; when a specified operation event is detected, to intercept the specified operation event; to determine whether the access control list of the token of the process currently corresponding to the target sample file is in an empty state; if so, to determine that a process attribute modification event has occurred while the target sample file runs in the sandbox; otherwise, to determine that no process attribute modification event has occurred while the target sample file runs in the sandbox.
Application CN201611065436.4A, priority date 2016-11-28, filing date 2016-11-28: Object sample file detecting method and device. Status: Pending.

Publications (1)

Publication Number Publication Date
CN106650423A 2017-05-10

Family ID=58812836

Country Status (1)

Country Link
CN (1) CN106650423A (en)


Legal Events

Date Code Title Description
PB01 Publication (application publication date: 20170510)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication