CN106650425B - A kind of control method and device of security sandbox - Google Patents
- Publication number: CN106650425B (application CN201611111596.8A)
- Authority: CN (China)
- Prior art keywords: operating system, parameter, virtual machine, control, control device
- Prior art date
- Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion, and no legal analysis has been performed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Abstract
The embodiments of the present invention provide a control method and device for a security sandbox. They relate to the field of network security and can improve the analysis efficiency of a security sandbox. The method includes: the control device of the security sandbox obtains control information, where the control information includes a first control instruction and a configuration parameter; the first control instruction instructs the security sandbox to generate a first virtual machine with a specified operating system, and the configuration parameter is used to modify the system parameters of that operating system. The control device generates the first virtual machine with the specified operating system according to the first control instruction, and modifies the system parameters of the specified operating system according to the configuration parameter, so that the specified operating system with the modified parameters forms a simulated operating environment in which the program to be monitored is run.
Description
Technical field
The present invention relates to the field of network security, and in particular to a control method and device for a security sandbox.
Background technique
A security sandbox is an analysis tool that analyzes the behavior of an unknown program. It can determine whether the unknown program threatens the user's host or operating system and, when a threat is found, analyze the security vulnerability the unknown program exploits, its attack pattern, its degree of threat and so on, helping the user decide whether the unknown program should be blocked and find a way to deal with it.
A traditional security sandbox usually sets up the running environment for the unknown program based on the typical configuration of one specific operating system. For example, the typical configuration of a Windows operating system is the default system parameter configuration of a freshly installed Windows: the built-in firewall configuration, the allowed protocols, the open ports and so on. But as the user uses the operating system, various application software is installed on the host, and in that process the host's system parameters may change with the user's actions. For example, Windows closes the TELNET port by default, yet installing certain application software causes the host's TELNET port to be opened. Suppose a program uses the TELNET port to control other network devices. Because the running environment in a traditional security sandbox is based on the typical Windows configuration, the traditional sandbox cannot observe the operations the program performs through the TELNET port, so the user cannot determine that the program is a threat. The analysis efficiency of a traditional security sandbox is therefore low.
Summary of the invention
The embodiments of the present invention provide a control method and device for a security sandbox that can improve the analysis efficiency of the security sandbox.
To achieve this, the embodiments of the present invention adopt the following technical solutions.
In a first aspect, an embodiment of the present invention provides a control method for a security sandbox. The method includes:
the control device of the security sandbox obtains control information, where the control information includes a first control instruction and a configuration parameter; the first control instruction instructs the security sandbox to generate a first virtual machine with a specified operating system, and the configuration parameter is used to modify the system parameters of that operating system;
the control device generates the first virtual machine with the specified operating system according to the first control instruction;
the control device modifies the system parameters of the specified operating system according to the configuration parameter, so that the specified operating system with the modified parameters forms a simulated operating environment, the simulated operating environment being used to run the program to be monitored.
In a first possible implementation of the first aspect, the number of first virtual machines is M, each of the M first virtual machines has one specified operating system, M > 1, and M is an integer. The control device modifying the system parameters of the specified operating system according to the configuration parameter includes: the control device modifying the system parameters of each of the M specified operating systems according to the configuration parameter.
The control information further includes a second control instruction, which instructs the control device to connect the M first virtual machines. After the control device has modified the system parameters of each of the M specified operating systems according to the configuration parameter, the method further includes: the control device connecting the M first virtual machines according to the second control instruction, so that the simulated operating environment includes the M specified operating systems with the modified parameters.
With reference to the first possible implementation of the first aspect, in a second possible implementation, the control information further includes a third control instruction, which instructs the control device to generate background traffic. After the control device has connected the M first virtual machines according to the second control instruction, the method further includes: the control device controlling the M first virtual machines according to the third control instruction to generate the background traffic, so that the background traffic is present in the simulated operating environment.
With reference to the first aspect, in a third possible implementation of the first aspect, the control information further includes a fourth control instruction, which instructs the control device to connect at least one second virtual machine into the simulated operating environment, each of the at least one second virtual machine providing one network function. After the control device has modified the system parameters of the specified operating system according to the configuration parameter, the method further includes: the control device connecting the at least one second virtual machine into the simulated operating environment according to the fourth control instruction, so that the simulated operating environment includes the specified operating system with the modified parameters and the at least one network function.
With reference to the first aspect or any of the first to third possible implementations of the first aspect, in a fourth possible implementation, after the control device has formed the simulated operating environment, the method further includes:
the control device receiving the program to be monitored;
the control device controlling the program to run in the simulated operating environment;
the control device recording and analyzing the behavior the program generates while running in the simulated operating environment, to obtain a behavior monitoring report for the program;
the control device displaying the behavior monitoring report.
In a second aspect, an embodiment of the present invention provides a control device for a security sandbox, including:
an acquiring unit, configured to obtain control information, where the control information includes a first control instruction and a configuration parameter; the first control instruction instructs the security sandbox to generate a first virtual machine with a specified operating system, and the configuration parameter is used to modify the system parameters of that operating system;
a configuration unit, configured to generate the first virtual machine with the specified operating system according to the first control instruction obtained by the acquiring unit;
the configuration unit being further configured to modify the system parameters of the specified operating system according to the configuration parameter obtained by the acquiring unit, so that the specified operating system with the modified parameters forms a simulated operating environment, the simulated operating environment being used to run the program to be monitored.
In a first possible implementation of the second aspect, the number of first virtual machines generated by the configuration unit is M, each of the M first virtual machines has one specified operating system, M > 1, and M is an integer. The configuration unit is specifically configured to modify the system parameters of each of the M specified operating systems according to the configuration parameter.
The control information obtained by the acquiring unit further includes a second control instruction, which instructs the configuration unit to connect the M first virtual machines. The configuration unit is further configured to connect the M first virtual machines according to the second control instruction after modifying the system parameters of each of the M specified operating systems according to the configuration parameter, so that the simulated operating environment includes the M specified operating systems with the modified parameters.
With reference to the first possible implementation of the second aspect, in a second possible implementation, the control information obtained by the acquiring unit further includes a third control instruction, which instructs the configuration unit to generate background traffic. The configuration unit is further configured to control the M first virtual machines according to the third control instruction to generate the background traffic after connecting the M first virtual machines according to the second control instruction, so that the background traffic is present in the simulated operating environment.
With reference to the second aspect, in a third possible implementation of the second aspect, the control information obtained by the acquiring unit further includes a fourth control instruction, which instructs that at least one second virtual machine be connected into the simulated operating environment, each of the at least one second virtual machine providing one network function. The configuration unit is further configured to connect the at least one second virtual machine into the simulated operating environment according to the fourth control instruction after modifying the system parameters of the specified operating system according to the configuration parameter, so that the simulated operating environment includes the specified operating system with the modified parameters and the at least one network function.
With reference to the second aspect or any of the first to third possible implementations of the second aspect, in a fourth possible implementation, the control device further includes a control unit, an analysis unit and a display unit.
The acquiring unit is further configured to receive the program to be monitored after the configuration unit has formed the simulated operating environment;
the control unit is configured to control the program obtained by the acquiring unit to run in the simulated operating environment;
the analysis unit is configured to record and analyze the behavior the program generates while running in the simulated operating environment, to obtain a behavior monitoring report for the program;
the display unit is configured to display the behavior monitoring report obtained by the analysis unit.
In a third aspect, an embodiment of the present invention provides a control device for a security sandbox, including a processor, a memory, a system bus and a communication interface.
The memory is configured to store computer-executable instructions, and the processor is connected to the memory through the system bus. When the control device runs, the processor executes the computer-executable instructions stored in the memory, so that the control device performs the control method for a security sandbox described in the first aspect or any optional implementation of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a readable medium including computer-executable instructions. When the processor of the control device of a security sandbox executes the computer-executable instructions, the control device performs the control method for a security sandbox described in the first aspect or any implementation of the first aspect.
With the control method and device for a security sandbox provided by the embodiments of the present invention, the security sandbox is controlled through control information, so that the control device of the security sandbox generates a first virtual machine with a specified operating system according to the control information and modifies the system parameters of that specified operating system to form a simulated operating environment. Using the control method provided by the embodiments, the control information can direct the security sandbox to form, as its simulated operating environment, a specified operating system whose system parameters are identical to those of the operating system running on the actual host. Compared with the fixed running environment of an existing security sandbox, the simulated operating environment that the security sandbox forms under the control of the control information therefore has a higher similarity to the current running environment of the operating system on the actual host. After the program to be monitored is imported into the simulated operating environment, its behavior there more faithfully reflects its behavior in the current running environment, so it can be judged more accurately whether the program would perform harmful actions against the operating system running on the actual host, and the analysis efficiency of the security sandbox is improved.
Detailed description of the invention
Fig. 1 is a functional block diagram of a security sandbox provided by an embodiment of the present invention;
Fig. 2 is a block diagram of a physical system based on a software-defined network (Software Defined Network, SDN) provided by an embodiment of the present invention;
Fig. 3 is a first flowchart of a control method for a security sandbox provided by an embodiment of the present invention;
Fig. 4 is a second flowchart of a control method for a security sandbox provided by an embodiment of the present invention;
Fig. 5 is a third flowchart of a control method for a security sandbox provided by an embodiment of the present invention;
Fig. 6 is a fourth flowchart of a control method for a security sandbox provided by an embodiment of the present invention;
Fig. 7 is a fifth flowchart of a control method for a security sandbox provided by an embodiment of the present invention;
Fig. 8 is a first schematic structural diagram of the control device of a security sandbox provided by an embodiment of the present invention;
Fig. 9 is a second schematic structural diagram of the control device of a security sandbox provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of the hardware structure of the control device of a security sandbox provided by an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them.
The term "and/or" herein only describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. The character "/" herein generally indicates an "or" relationship between the associated objects.
When the embodiments of the present invention use the terms "include" and "have" and their variants, a non-exclusive inclusion is intended. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units that are not listed, or other steps or units inherent to that process, method, product or device.
Fig. 1 is a functional block diagram of a security sandbox provided by an embodiment of the present invention. It includes a user interface, network function virtualization (Network Function Virtualization, NFV) management and orchestration, a controller, and a virtualized function database.
The user interface provides human-computer interaction and offers the user service interfaces including, but not limited to, one or more of operating system selection, network architecture design, suspect program import, analysis function selection, analysis result export and system status monitoring. Through the user interface the user inputs the relevant control information according to actual needs, to control the security sandbox to form the corresponding simulated operating environment.
NFV management and orchestration is responsible for forming the simulated operating environment according to the control information input by the user, including but not limited to generating virtual machines, placing virtual machines, allocating resources to virtual machines, configuring virtual machine parameters, configuring the interfaces between virtual machines, shutting down virtual machines, and collecting, aggregating and analyzing log information, where the log information includes the behavior recorded when a program runs on each virtual machine.
The controller may be an SDN controller and is responsible for traffic generation, traffic scheduling, building communication links, issuing control instructions, uploading analysis results, and so on.
The user interface, NFV management and orchestration, and the controller together constitute the control device of the security sandbox.
The virtualized function database is responsible for providing the information of each type of operating system, which NFV management and orchestration calls to generate a first virtual machine running the corresponding operating system; it may include, but is not limited to, information for operating systems such as Windows, Linux, Android, iOS, Unix and NetWare. The virtualized function database is also responsible for providing second virtual machines with various network functions, for example second virtual machines providing a virtual router, a virtual switch, distributed denial of service (Distributed Denial of Service, DDoS) protection, a firewall, an intrusion detection system (Intrusion Detection System, IDS) or intrusion prevention system (Intrusion Prevention System, IPS), and virus, Trojan and worm removal.
Fig. 2 shows an SDN-based physical system provided by an embodiment of the present invention, including an Open vSwitch and general-purpose servers; the security sandbox provided by the embodiments of the present invention can be implemented on this physical system.
The Open vSwitch serves as the data-forwarding tool of the security sandbox. One of the general-purpose servers implements the control functions of the security sandbox, that is, the NFV management and orchestration, the controller, the user interface and the virtualized function database of the security sandbox can all be implemented on the same general-purpose server; the remaining general-purpose servers are used to deploy the virtual machines that the security sandbox generates according to the control information input by the user.
For example, the general-purpose servers may be x86 servers. When the number or performance of the general-purpose servers cannot meet the requirements of the security sandbox, more general-purpose servers can be connected directly to the virtual switch as part of the security sandbox system.
Based on the security sandbox shown in Fig. 1, and as shown in Fig. 3, an embodiment of the present invention provides a control method for a security sandbox, which may include:
S101. The control device of the security sandbox obtains control information, which includes a first control instruction and a configuration parameter.
The first control instruction instructs the control device to generate a first virtual machine with a specified operating system, the specified operating system being the operating system running on the actual host (hereinafter the actual operating system). The configuration parameter is used to modify the system parameters of the specified operating system so that the parameters of the first virtual machine are identical to the current system parameters of the actual operating system.
In one example, the first control instruction may be a series of instructions the user inputs through the user interface, for example an operating system selection instruction and a confirmation instruction. The user, according to the operating system running on the actual host, clicks the icon of that operating system among the operating system icons presented by the user interface, and clicks the confirm icon once the selection is complete. The control device determines the specified operating system from the selection instruction the user entered by clicking the operating system icon, and starts generating the first virtual machine with the specified operating system upon the confirmation instruction entered by clicking the confirm icon.
In one example, the first control instruction may also include an identifier of the specified operating system, so that the control device can determine the specified operating system from that identifier.
The configuration parameter is identical to the current system parameters of the actual operating system: the user sets it according to the current system parameters of the actual operating system and inputs it to the control device through the user interface, so that the control device can modify the system parameters of the specified operating system according to the configuration parameter until they are identical to those of the actual operating system. Because the configuration parameter is whatever the user captures from the host, the fidelity of the simulated operating environment is bounded by how completely the host's current parameters are captured.
S102. The control device generates the first virtual machine with the specified operating system according to the first control instruction.
In one example, the NFV orchestration and the controller in the control device can, according to the first control instruction, call the information of the specified operating system from the virtualized function database and generate the first virtual machine with the specified operating system from that information.
S103. The control device modifies the system parameters of the specified operating system according to the configuration parameter, so that the specified operating system with the modified parameters forms a simulated operating environment, which is used to run the program to be monitored.
For example, take a Windows operating system. The first virtual machine the control device generates according to the first control instruction has a Windows operating system, and at this point the system parameters of the Windows operating system on the first virtual machine are the default system configuration parameters of Windows. Assume that in the default configuration the TELNET port parameter indicates that the TELNET port is closed, while the current TELNET port parameter of the Windows operating system running on the actual host indicates that the TELNET port is open. The configuration parameter obtained by the control device is the current TELNET port parameter of the Windows operating system running on the actual host, and according to it the control device changes the TELNET port parameter of the Windows operating system in the first virtual machine to the current TELNET port parameter of the actual host, so that the Windows operating system in the first virtual machine has the same program execution environment as the Windows operating system running on the actual host.
In one example, the modification of the system parameters of the specified operating system can be performed by the NFV orchestration and the controller in the control device.
In the embodiments of the present invention, the specified operating system with the modified parameters is used as the simulated operating environment, so the simulated operating environment is identical to the current running environment of the actual operating system. After the program to be monitored is placed into the simulated operating environment and run, its behavior there reflects its behavior in the current running environment more truly and reliably, so from the behavior observed in the simulated operating environment it can be judged more accurately whether the program would perform harmful actions against the current running environment, which improves the analysis efficiency.
Optionally, the security sandbox provided in the embodiments of the present invention can also provide a simulated running environment for a networked environment. Specifically, in one example, the number of first virtual machines generated by the control device of the security sandbox is M, each of the M first virtual machines has a specified operating system, and M > 1, M being an integer; that is, in this example the first control instruction may be used to instruct the control device to generate M first virtual machines with specified operating systems. In combination with Fig. 3, as shown in Fig. 4, the above S103 may specifically include:
S103a: the control device modifies the system parameters of each of the M specified operating systems according to the configuration parameters.
Further, as shown in Fig. 4, in the above S101 the control information obtained by the control device may also include a second control instruction, which is used to control the control device to connect the M first virtual machines. After the above S103a, the method may also include:
S104: the control device connects the M first virtual machines according to the second control instruction, so that the simulated running environment includes the M specified operating systems with modified parameters.
In this example, after the control device generates M first virtual machines and, according to the configuration parameters, modifies the system parameters of the M specified operating systems to be identical to the system parameters of M actual operating systems, it can connect the M first virtual machines according to the second control instruction to form the simulated running environment; at this point the simulated running environment includes the M specified operating systems with modified parameters. The M actual operating systems may be M operating systems running on the same actual host, or M operating systems each running on one of M actual hosts.
In this way, when the security sandbox receives the program to be monitored and the control device controls the program to run in the simulated running environment, it can not only analyze, from the behavior the program produces while running in the simulated environment, whether the program attacks a single operating system, but also analyze whether the network behavior the program produces while running in the M first virtual machines is harmful.
Network behavior may include the way the program propagates among the M first virtual machines, for example harmful propagation modes (such as those of viruses or Trojans) in which the program exploits a vulnerability of a host to obtain the trust or permissions of other devices on the network and copies itself to those devices to establish communication. Illustratively, if the program propagates among the M first virtual machines in the manner of a virus or Trojan and the program is malicious, then the program can attack multiple first virtual machines in the simulated running environment. This indicates that, when the current running environment consists of operating systems running on multiple actual hosts, importing the program into the operating system running on one of those actual hosts means the program may attack not only that operating system but also the operating systems running on the other actual hosts in the current running environment.
Network behavior may also include behaviors such as whether the program attempts to log in to other first virtual machines in the simulated running environment through the SSH port, the TELNET port or the like in order to obtain administrator privileges. Illustratively, if the program runs in the specified operating system of one first virtual machine and attempts to send TELNET traffic through the TELNET port to other first virtual machines, this indicates that the program is attempting to control the other first virtual machines through the TELNET port, and correspondingly that, if the program were imported into the operating system running on one actual host in the current running environment, it might use the TELNET port to control other actual hosts in the current running environment.
In the embodiments of the present invention, the control device can sample data packets at random from the data triggered by the program, obtain from the sampled packets information such as the protocol and ports the program uses, and use this information to analyze whether the network behavior the program produces while running in the simulated running environment is harmful. Compared with the prior art, in which the security sandbox only provides a running environment for a single operating system, the security sandbox in the embodiments of the present invention can, under the control of the control information, form a simulated running environment corresponding to M actual operating systems, so that after the control device imports the program into the simulated running environment the program's network behavior can also be analyzed, which further improves the analysis efficiency of the security sandbox.
Optionally, in combination with Fig. 4, as shown in Fig. 5, the control information obtained by the control device in the above S101 further includes a third control instruction, which is used to control the control device to generate background traffic, and after the above S104 the control method of the security sandbox provided in the embodiments of the present invention may also include:
S105: the control device controls the M first virtual machines to generate background traffic according to the third control instruction, so that the background traffic is present in the simulated running environment.
Background traffic refers to the traffic generated when users use the network normally in the current running environment; network systems (that is, actual running environments) of different purposes or industries have different traffic characteristics. For example, in banking systems, encrypted data traffic is usually transmitted between devices over a virtual private network (VPN); in an operator's voice communication system, audio data streams are usually transmitted between devices; in peer-to-peer (P2P) systems, such as a cloud data center providing a P2P download service, data traffic using a P2P transport protocol is usually transmitted. Some malicious programs may produce harmful network behavior based on the transmission of the background traffic in the current running environment.
In the embodiments of the present invention, the third control instruction can control the security sandbox to form a simulated running environment in which background traffic is present. Illustratively, the third control instruction may include an identifier of a traffic characteristic, a traffic forwarding policy and an access control policy, and is used to instruct the control device of the security sandbox to control the M first virtual machines to generate the background traffic corresponding to the traffic characteristic identifier and to transmit the background traffic according to the specified traffic forwarding policy and access control policy, so that the simulated running environment formed in the security sandbox carries the same background traffic as the current running environment. Then, when the program to be monitored is subsequently imported into and run in the simulated running environment, it can be analyzed, from the program's behavior there, whether the program produces harmful network behavior based on the transmission of the background traffic.
In one example, the generation of background traffic in the simulated running environment may be performed by the controller of the security sandbox: the controller may send instructions to the M first virtual machines, controlling them according to the third control instruction to generate the specified background traffic, and, according to network conditions such as the operating status of the M first virtual machines and the network bandwidth, together with the traffic forwarding policy and access control policy indicated by the third control instruction, control the M first virtual machines to forward the background traffic so that it is transmitted within the simulated running environment. This further increases the similarity between the simulated running environment and the current running environment, and thereby further improves the analysis efficiency of the security sandbox.
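As an added example, not part of the patent, of the network-behavior analysis described above for the M first virtual machines and of its separation from the background traffic configured by the third control instruction: flow records from the sandbox log module are classified into login attempts on the SSH/TELNET ports toward other first virtual machines, confirmed propagation of the program between first virtual machines, and program traffic that blends into the background-traffic profile. The record format, the program name, the hash value and the traffic profile are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Ports the description names as administrator-login vectors between first VMs.
ADMIN_LOGIN_PORTS = {22: "SSH", 23: "TELNET"}


@dataclass(frozen=True)
class Flow:
    """One network flow recorded by the sandbox log module (constructed format)."""
    src_vm: str        # first virtual machine that originated the flow
    dst_vm: str        # first virtual machine that received it
    proto: str         # transport protocol, e.g. "tcp"
    dst_port: int
    origin: str        # name of the process that opened the connection
    payload_hash: str  # hash of any file carried by the flow, "" if none


@dataclass(frozen=True)
class BackgroundProfile:
    """Traffic characteristic carried by the third control instruction:
    the (proto, dst_port) pairs that legitimate background traffic uses."""
    allowed: FrozenSet[Tuple[str, int]]


def is_background(flow: Flow, profile: BackgroundProfile, program: str) -> bool:
    """Background traffic is generated by the VMs themselves, never by the
    monitored program, and stays within the configured traffic characteristic."""
    return flow.origin != program and (flow.proto, flow.dst_port) in profile.allowed


def analyze_network_behavior(flows: Iterable[Flow], program: str,
                             program_hash: str, profile: BackgroundProfile) -> Dict:
    """Walk the flows in capture order and build the network part of a
    behavior monitoring report for the monitored program."""
    report: Dict = {
        "login_attempts": [],          # (src_vm, dst_vm, "SSH"/"TELNET")
        "propagation": [],             # (from_vm, to_vm), confirmed by execution
        "blends_with_background": [],  # program flows hidden inside profile traffic
        "vms_running_program": [],
        "harmful": False,
    }
    pending_copies: Dict[str, str] = {}  # dst_vm -> src_vm that sent the program
    running: set = set()

    for f in flows:
        if is_background(f, profile, program):
            continue
        if f.origin != program:
            continue  # other non-profile traffic is outside this analysis
        running.add(f.src_vm)
        # Program now executes on a VM it was earlier copied to: propagation confirmed.
        if f.src_vm in pending_copies:
            report["propagation"].append((pending_copies.pop(f.src_vm), f.src_vm))
        if f.dst_vm != f.src_vm:
            if f.dst_port in ADMIN_LOGIN_PORTS:
                report["login_attempts"].append(
                    (f.src_vm, f.dst_vm, ADMIN_LOGIN_PORTS[f.dst_port]))
            if f.payload_hash == program_hash:
                pending_copies[f.dst_vm] = f.src_vm
        if (f.proto, f.dst_port) in profile.allowed:
            report["blends_with_background"].append(
                (f.src_vm, f.dst_vm, f.proto, f.dst_port))

    report["vms_running_program"] = sorted(running)
    report["harmful"] = bool(report["login_attempts"] or report["propagation"])
    return report


# Constructed sample: three first VMs, a banking-style profile (TLS and DNS).
PROGRAM = "dropper.exe"                      # constructed name of the monitored program
PROGRAM_HASH = "sha256:CONSTRUCTED-0001"     # placeholder, not a real hash
SAMPLE_PROFILE = BackgroundProfile(frozenset({("tcp", 443), ("udp", 53)}))
SAMPLE_FLOWS: List[Flow] = [
    Flow("vm1", "vm2", "tcp", 443, "browser.exe", ""),          # background traffic
    Flow("vm1", "vm2", "tcp", 23, PROGRAM, ""),                 # TELNET toward vm2
    Flow("vm1", "vm3", "tcp", 445, PROGRAM, PROGRAM_HASH),      # copies itself to vm3
    Flow("vm3", "vm1", "tcp", 22, PROGRAM, ""),                 # runs on vm3, SSH back
    Flow("vm1", "vm2", "tcp", 443, PROGRAM, ""),                # hides in profile traffic
]

if __name__ == "__main__":
    for key, value in analyze_network_behavior(
            SAMPLE_FLOWS, PROGRAM, PROGRAM_HASH, SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```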
Optionally, the security sandbox provided in the embodiments of the present invention can also connect at least one second virtual machine with a particular network function into the simulated running environment formed by the method shown in any of Figs. 3 to 5, each of the at least one second virtual machine being provided with one network function. For example, these may be second virtual machines with network functions such as router, firewall, IDS/IPS, antivirus or Trojan detection and removal.
Illustratively, in combination with Fig. 3, as shown in Fig. 6, the control information obtained by the control device in the above S101 may also include a fourth control instruction, which instructs the control device to connect at least one second virtual machine into the simulated running environment. Then, after the above S103, the control method of the security sandbox provided in the embodiments of the present invention may also include:
S106: the control device connects the at least one second virtual machine into the simulated running environment according to the fourth control instruction, so that the simulated running environment includes the specified operating system with modified parameters and the at least one network function.
Illustratively, the fourth control instruction may include the identifiers of the at least one second virtual machine and a connection instruction, and may be input by the user through the user interface. According to the identifiers, the control device retrieves the corresponding second virtual machines from the virtualization database of the security sandbox and then, according to the connection instruction, connects them into the simulated running environment, that is, connects the at least one second virtual machine with the first virtual machine with modified parameters to form the simulated running environment.
Optionally, the fourth control instruction may also include the identifiers of the at least one second virtual machine and a networking template selection instruction. In this example, the user can, according to the networking model of the current running environment, click to select the corresponding networking template from the list of networking templates presented by the user interface, thereby inputting the networking template selection instruction, so that the control device can determine the corresponding networking template from that instruction; then, after determining the corresponding second virtual machines from their identifiers, the control device connects the at least one second virtual machine and the first virtual machine with modified parameters according to the networking template to form the simulated running environment.
Illustratively, the networking templates provided by the security sandbox may include: templates based on basic network topologies such as star, ring, bus and tree; templates based on application environments such as private-network Internet access, home networks and data centers; and templates based on terminal types such as Android device access models and iOS device access models.
In one example, the fourth control instruction may also include network configuration parameters, according to which the control device can modify the network parameters of the second virtual machines, for example the IP address and MAC address of a second virtual machine. Different network configurations can be modified for different types of second virtual machine; for example, for a server the server type can be modified, and for a firewall the protection rules, whitelist, blacklist and so on can be modified.
It is worth noting that, in the embodiments of the present invention, the fourth control instruction can control the control device to add second virtual machines with network functions such as router, firewall, IDS/IPS, DDoS protection, antivirus, Trojan removal and worm removal into the simulated running environment. In this way, when the program to be monitored is subsequently imported into and run in the simulated running environment, it can be analyzed by the network functions with security protection capabilities in the simulated running environment, and, from the program's behavior in the simulated running environment, it can also be analyzed whether the program affects network devices such as firewalls and routers in the current running environment, for example by modifying the system configuration of switches or routers, logging in to the firewall's management back end or modifying firewall permissions, which further improves the analysis efficiency of the security sandbox.
In one example, the second virtual machines provided by the security sandbox may also include virtual machines corresponding to security protection products of different brands from different vendors, that is, second virtual machines corresponding to security protection products such as firewalls, abnormal traffic monitoring and cleaning devices and IDS/IPS of different brands and vendors. When the user needs to test the performance of some security protection product, the corresponding second virtual machine can be connected into the simulated running environment and a malicious program then imported into it, to test whether that second virtual machine is able to detect and intercept the malicious program.
For example, suppose the user has purchased an intrusion prevention system and wants to test whether it can protect against certain specific intrusion methods. The user can then control the security sandbox to connect the second virtual machine corresponding to the intrusion prevention system into the simulated running environment, and import a program that uses the specific intrusion method into the simulated running environment to run. If the security sandbox fails to intercept the program, the control device of the security sandbox can analyze, from the behavior the program produces while running in that second virtual machine, the implementation principle of the program's intrusion behavior and the vulnerability present in the intrusion prevention system. For example, if the intrusion prevention system lacks TELNET port protection, a program that intrudes through the TELNET port can pass through the second virtual machine corresponding to the intrusion prevention system; the control device can then discover, by analyzing the program's behavior while running in that second virtual machine, that the program carries out its network intrusion through the TELNET port and that the intrusion prevention system does not inspect the TELNET port, which enables the user to accurately determine the program's attack principle and the countermeasures.
Further, in the embodiments of the present invention, after the security sandbox successfully forms the simulated running environment based on the control information, the program to be monitored can be imported into the security sandbox, so that the security sandbox can control the program to run in the simulated running environment, record and analyze the behavior the program produces while running there to obtain a behavior monitoring report for the program, and display the behavior monitoring report to the user through the user interface, informing the user whether the program would harm the actual running environment, the type of harm, the way the harm is caused and the severity of the harm.
Illustratively, in combination with Fig. 6, as shown in Fig. 7, the control method of the security sandbox provided in the embodiments of the present invention may further include:
S107: the control device receives the program to be monitored.
Illustratively, the user interface of the security sandbox provides a suspicious program import interface, through which the user can import the program into the security sandbox.
S108: the control device controls the program to run in the simulated running environment.
After the control device receives the program imported by the user, it can control the program to run in the simulated running environment; for example, the controller of the control device can control the virtual machines in the simulated running environment (including the above first virtual machines and second virtual machines) to generate the corresponding data traffic according to the program's instructions and to forward that data traffic.
S109: the control device records and analyzes the behavior the program produces while running in the simulated running environment, to obtain a behavior monitoring report for the program.
Illustratively, the control device can use a log module with a logging function to record the behavior the program produces while running in each virtual machine as log information and synchronize that log information to the NFV orchestrator and controller. The NFV orchestrator and controller summarizes and analyzes the behavior recorded in the log information, determines whether the program would harm the current running environment and, if so, analyzes the type of harm, the way the harm is caused and the severity of the harm, and then obtains the behavior monitoring report for the program from these analysis results.
The log module and the virtual machines in the simulated running environment are deployed on different physical resources. For example, based on the physical system shown in Fig. 2, the log module can be deployed on a separate general-purpose server, or on the same general-purpose server as the control device (including the controller, the NFV orchestrator and controller, and the user interface) and the virtualization database. This prevents a situation in which a virtual machine in the simulated running environment crashes under the program's attack and the control device is then unable to learn in time the behavior the program produced while running in that virtual machine.
S110: the control device displays the behavior monitoring report.
It can be understood that, after the NFV orchestrator and controller obtains and saves the behavior monitoring report, it can also send the report to the user interface for display to the user; the user can also input a retrieval instruction through the user interface to request the behavior monitoring report from the NFV orchestrator and controller.
The security sandbox can be controlled through the control information, so that the control device of the security sandbox can generate, according to the control information, a first virtual machine with a specified operating system and modify the system parameters of the specified operating system to form the simulated running environment. Using the control method provided in the embodiments of the present invention, the control information can control the security sandbox to form, as the simulated running environment, a specified operating system whose system parameters are identical to those of the operating system running on the actual host. Therefore, compared with the fixed running environment of existing security sandboxes, the simulated running environment formed by the security sandbox under the control of the control information in the embodiments of the present invention has a higher similarity to the current running environment of the operating system running on the actual host, so that after the program to be monitored is imported into the simulated running environment, its behavior there more truly reflects its behavior in the current running environment, and it can be judged more accurately whether the program would produce harmful behavior toward the operating system running on the actual host, which improves the analysis efficiency of the security sandbox.
As shown in Fig. 8, the embodiments of the present invention provide a control device for a security sandbox, which performs the steps of the control method of the security sandbox shown in any of Figs. 3 to 6 and may be integrated in the security sandbox. Illustratively, the control device of the security sandbox includes:
an acquiring unit 10, for obtaining control information, the control information including a first control instruction and configuration parameters, the first control instruction instructing a configuration unit 11 to generate a first virtual machine with a specified operating system, and the configuration parameters being used to modify the system parameters of the operating system;
the configuration unit 11, for generating the first virtual machine with the specified operating system according to the first control instruction obtained by the acquiring unit 10;
the configuration unit 11, further for modifying the system parameters of the specified operating system according to the configuration parameters obtained by the acquiring unit 10, so that the specified operating system with modified parameters forms a simulated running environment, the simulated running environment being used to run the program to be monitored.
Optionally, the number of first virtual machines generated by the configuration unit 11 is M, each of the M first virtual machines has a specified operating system, and M > 1, M being an integer.
The configuration unit 11 is specifically for modifying the system parameters of each of the M specified operating systems according to the configuration parameters.
The control information obtained by the acquiring unit 10 further includes a second control instruction, which is used to control the configuration unit 11 to connect the M first virtual machines.
The configuration unit 11 is further for connecting the M first virtual machines according to the second control instruction after modifying the system parameters of each of the M specified operating systems according to the configuration parameters, so that the simulated running environment includes the M specified operating systems with modified parameters.
Optionally, the control information obtained by the acquiring unit 10 further includes a third control instruction, which is used to control the configuration unit 11 to generate background traffic.
The configuration unit 11 is further for, after connecting the M first virtual machines according to the second control instruction, controlling the M first virtual machines to generate the background traffic according to the third control instruction and forwarding the background traffic, so that the background traffic is present in the simulated running environment.
Optionally, the control information obtained by the acquiring unit 10 further includes a fourth control instruction, which instructs that at least one second virtual machine be connected into the simulated running environment, each of the at least one second virtual machine being provided with one network function.
The configuration unit 11 is further for, after modifying the system parameters of the specified operating system according to the configuration parameters, connecting the at least one second virtual machine into the simulated running environment according to the fourth control instruction, so that the simulated running environment includes the specified operating system with modified parameters and the at least one network function.
Optionally, in combination with Fig. 8, as shown in Fig. 9, the control device further includes a control unit 12, an analysis unit 13 and a display unit 14.
The acquiring unit 10 is further for receiving the program to be monitored after the configuration unit 11 forms the simulated running environment.
The control unit 12 is for controlling the program obtained by the acquiring unit 10 to run in the simulated running environment.
The analysis unit 13 is for recording and analyzing the behavior the program produces while running in the simulated running environment, to obtain a behavior monitoring report for the program.
The display unit 14 is for displaying the behavior monitoring report obtained by the analysis unit 13.
With the control device of a security sandbox provided in the embodiments of the present invention, the security sandbox can be controlled through the control information, so that the control device of the security sandbox can generate, according to the control information, a first virtual machine with a specified operating system and modify the system parameters of the specified operating system to form the simulated running environment. That is, using the control method provided in the embodiments of the present invention, the control information can control the security sandbox to form, as the simulated running environment, a specified operating system whose system parameters are identical to those of the operating system running on the actual host. Therefore, compared with the fixed running environment of existing security sandboxes, the simulated running environment formed by the security sandbox under the control of the control information in the embodiments of the present invention has a higher similarity to the current running environment of the operating system running on the actual host, so that after the program to be monitored is imported into the simulated running environment, its behavior there more truly reflects its behavior in the current running environment, and it can be judged more accurately whether the program would produce harmful behavior toward the operating system running on the actual host, which improves the analysis efficiency of the security sandbox.
As shown in Fig. 10, the embodiments of the present invention provide a control device for a security sandbox, comprising a processor 20, a memory 21, a system bus 22 and a communication interface 23.
The memory 21 is for storing computer-executable instructions; the processor 20 is connected to the memory 21 through the system bus 22, and when the control device of the security sandbox operates, the processor 20 executes the computer-executable instructions stored in the memory 21, so that the control device of the security sandbox performs the control method of the security sandbox shown in any of Figs. 3 to 7. For the specific control method of the security sandbox, reference may be made to the related description in the embodiments shown in any of Figs. 3 to 7 above, which is not repeated here.
This embodiment also provides a storage medium, which may include the memory 21.
The processor 20 may be a central processing unit (CPU). The processor 20 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The processor 20 may be a dedicated processor, which may include a chip having other dedicated processing functions of the control device of the security sandbox.
The memory 21 may include volatile memory, such as random-access memory (RAM); the memory 21 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 21 may also include a combination of the above kinds of memory.
The system bus 22 may include a data bus, a power bus, a control bus, a signal status bus and the like. For clarity of explanation in this embodiment, the various buses are all shown as the system bus 22 in Fig. 10.
The communication interface 23 may specifically be an interface on the control device of the security sandbox through which the processor 20 communicates with other devices.
In specific implementation, each step in the method flow shown in any of Figs. 3 to 7 above may be implemented by the processor 20 in hardware form executing computer-executable instructions in software form stored in the memory 21. To avoid repetition, this is not described again here.
It is apparent to those skilled in the art that, for convenience and brevity of description, the division into the functional modules described above is only exemplary; in practical applications the functions described above may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the system, apparatus and units described above, reference may be made to the corresponding process in the foregoing method embodiments, and details are not described here again.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely exemplary: the division into modules or units is only one kind of logical function division, and there may be other ways of dividing them in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units.
The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit above may be realized in the form of a software functional unit.
If the integrated unit is realized in the form of a software functional unit and is sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, all or part of the technical solution may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the method according to each embodiment of the present invention. The storage medium is a non-transitory medium, including: a flash memory, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, an optical disc, or other media that can store program code.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any change or replacement that a person familiar with the art can easily think of within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A control method for a security sandbox, characterized in that the method comprises:
a control device of the security sandbox obtains control information, the control information comprising a first control instruction and a configuration parameter, the first control instruction being used to instruct the security sandbox to generate a first virtual machine having a specified operating system, the specified operating system being the operating system running on an actual host, and the configuration parameter being used to modify a system parameter of the specified operating system;
the control device generates, according to the first control instruction, the first virtual machine having the specified operating system, wherein the system parameter of the specified operating system on the first virtual machine is the default system configuration parameter of the specified operating system;
the control device modifies the system parameter of the specified operating system according to the configuration parameter, so that the system parameter of the specified operating system on the first virtual machine is identical to the current system parameter of the operating system running on the actual host, and the specified operating system with the modified parameter forms a simulated running environment, the simulated running environment being used to run a program to be monitored.
2. The method according to claim 1, characterized in that the number of first virtual machines is M, each of the M first virtual machines has one kind of specified operating system, and M > 1, M being an integer;
the control device modifying the system parameter of the specified operating system according to the configuration parameter comprises:
the control device modifies, according to the configuration parameter, the system parameter of each of the M specified operating systems;
the control information further comprises a second control instruction, the second control instruction being used to control the control device to connect the M first virtual machines, and after the control device modifies the system parameter of each of the M specified operating systems according to the configuration parameter, the method further comprises:
the control device connects the M first virtual machines according to the second control instruction, so that the simulated running environment comprises the M specified operating systems with the modified parameters.
3. The method according to claim 2, characterized in that the control information further comprises a third control instruction, the third control instruction being used to control the control device to generate background traffic, and after the control device connects the M first virtual machines according to the second control instruction, the method further comprises:
the control device controls the M first virtual machines according to the third control instruction to generate the background traffic, so that the background traffic exists in the simulated running environment.
4. The method according to claim 1, characterized in that the control information further comprises a fourth control instruction, the fourth control instruction being used to instruct the control device to connect at least one second virtual machine into the simulated running environment, each of the at least one second virtual machine being provided with one kind of network function, and after the control device modifies the system parameter of the specified operating system according to the configuration parameter, the method further comprises:
the control device connects the at least one second virtual machine into the simulated running environment according to the fourth control instruction, so that the simulated running environment comprises the specified operating system with the modified parameter and the at least one network function.
5. The method according to any one of claims 1 to 4, characterized in that after the control device forms the simulated running environment, the method further comprises:
the control device receives the program to be monitored;
the control device controls the program to run in the simulated running environment;
the control device records and analyzes the behaviour generated when the program runs in the simulated running environment, to obtain a behaviour monitoring report of the program;
the control device displays the behaviour monitoring report.
6. A control device for a security sandbox, characterized in that it comprises:
an acquiring unit, configured to obtain control information, the control information comprising a first control instruction and a configuration parameter, the first control instruction being used to instruct a configuration unit to generate a first virtual machine having a specified operating system, the specified operating system being the operating system running on an actual host, and the configuration parameter being used to modify a system parameter of the specified operating system;
the configuration unit, configured to generate, according to the first control instruction obtained by the acquiring unit, the first virtual machine having the specified operating system, wherein the system parameter of the specified operating system on the first virtual machine is the default system configuration parameter of the specified operating system;
the configuration unit, further configured to modify the system parameter of the specified operating system according to the configuration parameter obtained by the acquiring unit, so that the system parameter of the specified operating system on the first virtual machine is identical to the current system parameter of the operating system running on the actual host, and the specified operating system with the modified parameter forms a simulated running environment, the simulated running environment being used to run a program to be monitored.
7. The control device according to claim 6, characterized in that the number of first virtual machines generated by the configuration unit is M, each of the M first virtual machines has one kind of specified operating system, and M > 1, M being an integer;
the configuration unit is specifically configured to modify, according to the configuration parameter, the system parameter of each of the M specified operating systems;
the control information obtained by the acquiring unit further comprises a second control instruction, the second control instruction being used to control the configuration unit to connect the M first virtual machines;
the configuration unit is further configured to, after modifying the system parameter of each of the M specified operating systems according to the configuration parameter, connect the M first virtual machines according to the second control instruction, so that the simulated running environment comprises the M specified operating systems with the modified parameters.
8. The control device according to claim 7, characterized in that the control information obtained by the acquiring unit further comprises a third control instruction, the third control instruction being used to control the configuration unit to generate background traffic;
the configuration unit is further configured to, after connecting the M first virtual machines according to the second control instruction, control the M first virtual machines according to the third control instruction to generate the background traffic, so that the background traffic exists in the simulated running environment.
9. The control device according to claim 6, characterized in that the control information obtained by the acquiring unit further comprises a fourth control instruction, the fourth control instruction being used to instruct that at least one second virtual machine be connected into the simulated running environment, each of the at least one second virtual machine being provided with one kind of network function;
the configuration unit is further configured to, after modifying the system parameter of the specified operating system according to the configuration parameter, connect the at least one second virtual machine into the simulated running environment according to the fourth control instruction, so that the simulated running environment comprises the specified operating system with the modified parameter and the at least one network function.
10. The control device according to any one of claims 6 to 9, characterized in that the control device further comprises a control unit, an analysis unit and a display unit;
the acquiring unit is further configured to receive the program to be monitored after the configuration unit forms the simulated running environment;
the control unit is configured to control the program obtained by the acquiring unit to run in the simulated running environment;
the analysis unit is configured to record and analyze the behaviour generated when the program runs in the simulated running environment, to obtain a behaviour monitoring report of the program;
the display unit is configured to display the behaviour monitoring report obtained by the analysis unit.
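The control flow set out in the summary above and in claims 1 to 5 (generate a first virtual machine with the default parameters of the specified operating system, overwrite them with the configuration parameter so they match the host, optionally connect M such machines, add background traffic and network-function machines, then run the program to be monitored and produce a behaviour monitoring report), modelled as an added Python example. This is illustrative code written for this page, not code from the patent or its applicant; the class and field names, the default parameter values, the sample program events and the rule used to flag a behaviour as harmful are all constructed assumptions. It also adds one check the claims imply but do not spell out: that after modification every first virtual machine's parameters equal the host's current ones before any program is run.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Default system parameters of the specified operating system image, i.e. the
# state of a freshly generated first virtual machine (constructed sample values).
DEFAULT_OS_PARAMS = {
    "hostname": "vm-default",
    "kernel": "4.4.0-generic",
    "timezone": "UTC",
    "locale": "C",
}

# Constructed policy for the analysis step: behaviours that would be harmful to
# the host if the program did the same thing there.
SYSTEM_DIRS = ("/etc", "/boot", "/usr", "/bin")
INTERNAL_PREFIX = "10."


@dataclass
class VirtualMachine:
    vm_id: str
    os_name: str
    params: Dict[str, str] = field(default_factory=dict)
    network_function: Optional[str] = None      # set only on "second" virtual machines
    links: List[str] = field(default_factory=list)
    background_traffic: bool = False


@dataclass
class ControlInfo:
    """Control information: first control instruction + configuration parameter,
    plus the optional second, third and fourth control instructions."""
    os_name: str                                  # specified operating system
    configuration_parameter: Dict[str, str]       # host's current system parameters
    first_vm_count: int = 1                       # M
    connect_first_vms: bool = False               # second control instruction
    generate_background_traffic: bool = False     # third control instruction
    network_functions: List[str] = field(default_factory=list)  # fourth control instruction


class SandboxControlDevice:
    def __init__(self) -> None:
        self.first_vms: List[VirtualMachine] = []
        self.second_vms: List[VirtualMachine] = []

    def build_environment(self, ctrl: ControlInfo) -> List[VirtualMachine]:
        """Form the simulated running environment from the control information."""
        # First control instruction: M first VMs with the OS's default parameters.
        self.first_vms = [
            VirtualMachine(f"vm{i}", ctrl.os_name, dict(DEFAULT_OS_PARAMS))
            for i in range(ctrl.first_vm_count)
        ]
        # Configuration parameter: overwrite defaults with the host's current values.
        for vm in self.first_vms:
            vm.params.update(ctrl.configuration_parameter)
        # Second control instruction: connect the M first VMs to each other.
        if ctrl.connect_first_vms:
            ids = [vm.vm_id for vm in self.first_vms]
            for vm in self.first_vms:
                vm.links = [other for other in ids if other != vm.vm_id]
        # Third control instruction: the first VMs generate background traffic.
        if ctrl.generate_background_traffic:
            for vm in self.first_vms:
                vm.background_traffic = True
        # Fourth control instruction: one second VM per network function, linked
        # to every first VM.
        self.second_vms = [
            VirtualMachine(f"nf{i}", "appliance", network_function=nf)
            for i, nf in enumerate(ctrl.network_functions)
        ]
        for nf_vm in self.second_vms:
            nf_vm.links = [vm.vm_id for vm in self.first_vms]
            for vm in self.first_vms:
                vm.links.append(nf_vm.vm_id)
        return self.first_vms + self.second_vms

    def matches_host(self, host_params: Dict[str, str]) -> bool:
        """Check: every first VM now carries the host's current system parameters."""
        return bool(self.first_vms) and all(
            vm.params.get(k) == v for vm in self.first_vms for k, v in host_params.items()
        )

    def run_and_analyze(self, program: List[Tuple[str, str]]) -> Dict[str, object]:
        """Run the program (a constructed list of (action, target) events), record
        every behaviour and return the behaviour monitoring report."""
        if not self.first_vms:
            raise RuntimeError("simulated running environment not formed")
        behaviours: List[Tuple[str, str]] = []
        harmful: List[Tuple[str, str]] = []
        for action, target in program:
            behaviours.append((action, target))
            if action == "write_file" and target.startswith(SYSTEM_DIRS):
                harmful.append((action, target))
            elif action == "connect" and not target.startswith(INTERNAL_PREFIX):
                harmful.append((action, target))
            elif action == "spawn" and target.endswith("sh"):
                harmful.append((action, target))
        return {
            "environment": [vm.vm_id for vm in self.first_vms + self.second_vms],
            "behaviours": behaviours,
            "harmful": harmful,
            "verdict": "harmful" if harmful else "benign",
        }


def demo() -> Dict[str, object]:
    """Constructed walk-through: two connected first VMs matching the host, with
    background traffic and firewall/DNS appliances, then a sample program."""
    host_params = {"hostname": "corp-ws-01", "kernel": "4.15.0-96", "timezone": "Asia/Shanghai"}
    ctrl = ControlInfo("linux", host_params, first_vm_count=2, connect_first_vms=True,
                       generate_background_traffic=True, network_functions=["firewall", "dns"])
    device = SandboxControlDevice()
    device.build_environment(ctrl)
    assert device.matches_host(host_params)   # the check the claims leave implicit
    sample_program = [("read_file", "/etc/hosts"), ("connect", "10.0.0.5:443"),
                      ("write_file", "/etc/cron.d/update"), ("spawn", "/bin/sh")]
    return device.run_and_analyze(sample_program)


if __name__ == "__main__":
    print(demo())
```

The default parameters that the configuration parameter does not mention (here `locale`) stay at the image's default, which is why `matches_host` compares only the keys the host supplied; a real control device would want the configuration parameter to cover every parameter the program under test could observe.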
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611111596.8A CN106650425B (en) | 2016-12-06 | 2016-12-06 | A kind of control method and device of security sandbox |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106650425A CN106650425A (en) | 2017-05-10 |
CN106650425B true CN106650425B (en) | 2019-08-09 |
Family
ID=58818445
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611111596.8A Active CN106650425B (en) | 2016-12-06 | 2016-12-06 | A kind of control method and device of security sandbox |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106650425B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN106650425A (en) | 2017-05-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||