CN107679399A - A kind of Malicious Code Detection sandbox system and detection method based on container - Google Patents

A container-based malicious code detection sandbox system and detection method

Info

Publication number
CN107679399A
Authority
CN
China
Prior art keywords
container
malicious code
program
host computer
malicious
Prior art date
Legal status
Pending
Application number
CN201710978630.XA
Other languages
Chinese (zh)
Inventor
陈煜文
Current Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201710978630.XA
Publication of CN107679399A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a container-based malicious code detection sandbox system and detection method, characterised by the following steps: initiating malicious code detection for a suspect program; the container management system selecting a container image and configuring a container; the container management system starting the container and triggering the opening or execution of the suspect program inside the container; the system call hook kernel module intercepting the container's system calls and sending the system call information to the malicious program analysis engine; the malicious behavior analysis engine modeling and analyzing the suspect program from the container's system call information, generating an analysis report, determining whether the program contains malicious code, updating the malicious code sample database and notifying the host system; and the host system, according to the analysis result of the malicious behavior analysis engine, determining whether to stop the container and remove its run-time data.

Description

A container-based malicious code detection sandbox system and detection method
Technical field
The invention belongs to the field of information security technology and in particular relates to a container-based malicious code detection sandbox system and detection method.
Background technology
In recent years, malware has made extensive use of code protection mechanisms such as multi-layer packing, driver-linked packers and mutating packers, and of new techniques such as polymorphism and metamorphism, which pose a serious challenge to traditional static analysis of malicious code. Dynamic behavior analysis based on sandbox technology has become an effective method for identifying unknown malicious code and resisting advanced persistent threats (APT).
Existing sandbox technology generally falls into two kinds:
The first is the hook-based sandbox. By hooking through means such as kernel filter drivers and DLL injection, the suspect program's operations on system resources (such as process objects, files, the registry, memory and the network) are intercepted, and the suspect program's write operations are redirected into the sandbox's isolated environment, so that the suspect program cannot damage the real system environment. A hook-based sandbox is weak in security and isolation: the suspect program can easily detect the sandbox, and a vulnerability exploit can escape it and defeat its effectiveness.
The second is the virtualization-based sandbox. The suspect program is placed in a separate virtual machine to run, and the virtualization mechanism isolates the running environment. A virtualization-based sandbox depends on a complete virtual machine, which consumes considerable system resources and starts slowly, so its practicality is insufficient. These are the shortcomings of the prior art.
Summary of the invention
In view of the above drawbacks of the prior art, the object of the present invention is to design and provide a container-based malicious code detection sandbox system and detection method that solve the above technical problem.
To achieve this object, the technical scheme of the invention is as follows:
A container-based malicious code detection sandbox system comprises a host system, a malicious behavior analysis engine, a container management system and several containers;
the host system manages and runs the containers, intercepts and filters the system calls made while a container is running, and sends the system call operation information to the malicious behavior analysis engine;
the malicious behavior analysis engine receives the container system call information intercepted by the host system, performs malicious behavior analysis and generates an analysis report;
the container management system runs in the host system and manages the life cycle of the containers;
the system also includes one or more container images, and the container management system selects the corresponding container image according to the type of the suspect program and configures a container, thereby isolating the operating system environment.
Further, the system also includes a system kernel, which is the kernel shared by the host system and the containers;
the system kernel includes a system call hook kernel module, which generates the system call hook mechanism;
through the system call hook mechanism, the host system intercepts and filters the container's system calls, records the container's system call process information and sends it to the malicious behavior analysis engine.
Further, the system also includes a malicious code sample database;
the malicious code sample database stores the malicious behavior analysis results of suspect programs and provides a query service externally.
Further, implementations of the system call hook mechanism include the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems.
A container-based malicious code detection method comprises the following steps:
initiating malicious code detection for a suspect program;
the container management system selecting a container image and configuring a container;
the container management system starting the container and triggering the opening or execution of the suspect program in the container;
the system call hook kernel module intercepting the container's system calls and sending the system call information to the malicious program analysis engine;
the malicious behavior analysis engine modeling and analyzing the suspect program from the container's system call information, generating an analysis report, determining whether the program contains malicious code, updating the malicious code sample database and notifying the host system;
the host system, according to the analysis result of the malicious behavior analysis engine, determining whether to stop the container and remove its run-time data.
Further, in the step of initiating malicious code detection for a suspect program, detection is initiated either manually, by the user selecting a program file, or automatically, by the host system according to a preset policy.
Further, in the step in which the container management system selects a container image and configures a container:
the container management system runs in the host system and manages the life cycle of the containers, and one or more containers run in the host system; the container management system selects the corresponding container image according to the type of the suspect program and configures different system running environments.
Further, the step in which the container management system starts the container and triggers the opening or execution of the suspect program in the container also includes:
if the suspect program is an executable, its execution is triggered; if it is not an executable, the corresponding software is selected according to its file type to open it.
Further, the step in which the system call hook kernel module intercepts the container's system calls and sends the system call information to the malicious program analysis engine specifically includes:
the host system, through the system call hook mechanism of the system call hook kernel module in the system kernel, intercepts and filters the container's system calls, records the container's system call process information and sends it to the malicious behavior analysis engine;
implementations of the system call hook mechanism include the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems.
Further, the malicious code sample database stores the behavior analysis results of suspect program samples and provides a query service externally; the malicious program analysis engine may run in the host system, in a virtual machine or in a container, and may also run on a remote server.
A container is started on the host system and the suspect program is opened or executed in the container; the host system intercepts and filters the container's system call operations through the system call hook technique and sends the container's system call process information to the malicious behavior analysis engine; the malicious behavior analysis engine analyzes the suspect program's system call behavior in real time, generates an analysis report, updates the malicious program sample database and notifies the host system to take action.
The beneficial effect of the present invention is that it isolates the running environment of the suspect program effectively by means of container technology, giving better security and isolation than a write-redirection sandbox, while, compared with a virtualization sandbox, consuming fewer system resources, starting faster and being easier to manage; it thus balances security and operating efficiency and improves practicality. The invention achieves secure isolation of the malicious code running environment, improves the security of the sandbox system, reduces the sandbox system's consumption of system resources and speeds up its start-up, thereby improving the practicality of the malicious code analysis sandbox.
In addition, the design principle of the invention is reliable and its construction is simple, so it has a very wide application prospect.
It can be seen that, compared with the prior art, the present invention has prominent substantive features and marked progress, and its beneficial effects are also obvious.
Brief description of the drawings
Fig. 1 is a schematic diagram of the connection structure of a container-based malicious code detection sandbox system provided in an embodiment of the present invention.
Fig. 2 is a flow chart of a container-based malicious code detection method provided in an embodiment of the present invention.
Embodiment
The present invention is described in detail below with reference to the drawings and specific embodiments; the following embodiments explain the invention, and the invention is not limited to the implementation below.
As shown in Fig. 1, a container-based malicious code detection sandbox system provided in an embodiment of the present invention comprises a host system, a malicious behavior analysis engine, a container management system and several containers;
the host system manages and runs the containers, intercepts and filters the system calls made while a container is running, and sends the system call operation information to the malicious behavior analysis engine;
the malicious behavior analysis engine receives the container system call information intercepted by the host system, performs malicious behavior analysis and generates an analysis report;
the container management system runs in the host system and manages the life cycle of the containers;
the system also includes one or more container images, and the container management system selects the corresponding container image according to the type of the suspect program and configures a container, thereby isolating the operating system environment.
The system also includes a system kernel, which is the kernel shared by the host system and the containers;
the system kernel includes a system call hook kernel module, which generates the system call hook mechanism;
through the system call hook mechanism, the host system intercepts and filters the container's system calls, records the container's system call process information and sends it to the malicious behavior analysis engine.
The system also includes a malicious code sample database;
the malicious code sample database stores the malicious behavior analysis results of suspect programs and provides a query service externally.
Implementations of the system call hook mechanism include the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems.
The host system is a Windows or Linux operating system that supports containers and provides the running environment for the user's various business software;
the system kernel is the kernel shared by the host system and the containers;
a container shares the kernel with the host system and isolates the operating system environment by means of control groups (cgroups), namespaces and union file systems (overlayfs, aufs, unionfs and the like); it is a lightweight operating-system virtualization technology, such as Docker, LXC and Windows Server containers;
the container management system runs in the host system and manages the life cycle of containers, including configuration, start-up and shutdown;
a container image is a basic operating system image, the basic file system that supports the running of application programs, and contains no system kernel file;
the file system of a container is formed by the union file system module overlaying a writable temporary file system onto the container image, which serves as a read-only file system, producing a complete writable container file system; the container image is not modified while the container runs and can be shared by multiple containers; removing the data in the writable temporary file system rolls the container back to its initial state.
As shown in Fig. 2, a container-based malicious code detection method provided in an embodiment of the present invention includes the following steps:
Step 101: initiate malicious code detection for a suspect program;
In step 101, detection is initiated either manually, by the user selecting a program file, or automatically, by the host system according to a preset policy;
Step 102: the container management system selects a container image and configures a container;
In step 102, the container management system runs in the host system and manages the life cycle of containers, including configuration, start-up and shutdown; the host system is a Windows or Linux operating system that supports container technology and can run one or more containers; the container management system can select the corresponding container image according to the type of the suspect program and configure different system running environments;
Step 103: the container management system starts the container and triggers the opening or execution of the suspect program in the container;
In step 103, if the suspect program is an executable, its execution is triggered; if it is not an executable, the corresponding software is selected according to its file type to open it;
Step 104: the host system intercepts the container's system calls through the system call hook module of the system kernel and sends the system call information to the malicious program analysis engine;
In step 104, the system call hook has a variety of implementations, including the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems; the malicious program analysis engine may run in the host system, in a virtual machine or in a container, or on a remote server;
Step 105: the malicious behavior analysis engine models and analyzes the suspect program from the container's system call information, generates an analysis report, determines whether the program contains malicious code, updates the malicious program sample database and notifies the host system;
In step 105, the malicious program sample database stores the behavior analysis results of suspect program samples and provides a query service externally;
Step 106: the host system, according to the analysis result of the malicious behavior analysis engine, determines whether to stop the container and remove its run-time data.
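The detection loop of steps 104 to 106 (hooked system call records in, analysis report, sample database update and host decision out), as an added Python example that is not part of the patent; the record format, the behaviour rules, their weights and the threshold are assumptions chosen here to illustrate the design, and both traces are constructed rather than captured.

```python
"""Toy behaviour-analysis engine for container syscall traces (added example,
not the patent's code): models steps 104-106 of the method, hooked syscall
records -> analysis report -> sample database -> host decision. The record
format, rule set, weights and threshold are assumptions made here."""
import hashlib
from collections import Counter, namedtuple

Record = namedtuple("Record", "pid syscall args")  # one hooked system call


def parse_trace(text):
    """Parse 'pid syscall arg...' lines (constructed format) into Records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, name, *args = line.split()
        records.append(Record(int(pid), name, args))
    return records


# Behaviour model: each rule scans the whole trace and returns
# (finding, weight, evidence) tuples.  Paths, names and weights are assumptions.
PERSISTENCE_PREFIXES = ("/etc/cron", "/etc/rc.local", "/etc/ld.so.preload",
                        "/etc/systemd/system", "/root/.bashrc")
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC")
ISOLATION_SYSCALLS = ("mount", "unshare", "setns", "init_module", "finit_module")
MALICIOUS_THRESHOLD = 50  # a score at or above this is reported as malicious


def _is_write_open(r):
    return (r.syscall in ("open", "openat") and len(r.args) >= 2
            and any(flag in r.args[1] for flag in WRITE_FLAGS))


def rule_persistence(records):
    """Writes to cron/boot/loader configuration: persistence inside the image."""
    return [("persistence", 40, f"{r.syscall} {r.args[0]}") for r in records
            if _is_write_open(r) and r.args[0].startswith(PERSISTENCE_PREFIXES)]


def rule_download_and_execute(records):
    """A network connection, then a file written, then that file executed."""
    findings, connected, written = [], False, set()
    for r in records:
        if r.syscall == "connect":
            connected = True
        elif connected and _is_write_open(r):
            written.add(r.args[0])
        elif r.syscall == "execve" and r.args and r.args[0] in written:
            findings.append(("download_and_execute", 50,
                             f"execve {r.args[0]} after connect"))
    return findings


def rule_isolation_tampering(records):
    """Calls a sandboxed sample has no business making: they target the
    shared kernel and namespaces that form the container boundary."""
    return [("isolation_tampering", 60, f"{r.syscall} {' '.join(r.args)}")
            for r in records if r.syscall in ISOLATION_SYSCALLS]


RULES = (rule_persistence, rule_download_and_execute, rule_isolation_tampering)


def analyze(sample_bytes, trace_text):
    """Step 105: model the trace, score it and build the analysis report."""
    records = parse_trace(trace_text)
    findings = [f for rule in RULES for f in rule(records)]
    score = sum(weight for _, weight, _ in findings)
    return {
        "sample_sha256": hashlib.sha256(sample_bytes).hexdigest(),
        "syscall_histogram": dict(Counter(r.syscall for r in records)),
        "findings": findings,
        "score": score,
        "malicious": score >= MALICIOUS_THRESHOLD,
    }


def update_sample_db(db, report):
    """Keep the verdict under the sample hash so later queries can reuse it."""
    db[report["sample_sha256"]] = report
    return db


def host_decision(report):
    """Step 106: on a malicious verdict the host stops the container and
    discards its writable layer, rolling the image back to its initial state."""
    if report["malicious"]:
        return ["stop_container", "discard_writable_layer"]
    return ["keep_running"]


# Constructed traces, not captured from any real sample.
MALICIOUS_TRACE = """\
101 execve /tmp/sample
101 connect 198.51.100.7:443
101 openat /tmp/.payload O_WRONLY|O_CREAT
101 execve /tmp/.payload
102 openat /etc/cron.d/update O_WRONLY|O_CREAT
102 mount /dev/sda1 /mnt
"""
BENIGN_TRACE = """\
201 execve /usr/bin/report
201 openat /usr/share/doc/readme.txt O_RDONLY
201 read 3 512
201 write 1 512
201 exit_group 0
"""
```

Each rule keeps its evidence string so the report can be read without the raw trace; a real engine would also carry timestamps and the container id so that the host knows which container to stop.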
The above discloses only preferred embodiments of the present invention, but the invention is not limited to them; any non-inventive change that a person skilled in the art can conceive, and any improvements and refinements made without departing from the principles of the invention, fall within the scope of protection of the invention.

Claims (10)

1. A container-based malicious code detection sandbox system, characterised in that it comprises a host system, a malicious behavior analysis engine, a container management system and several containers;
the host system manages and runs the containers, intercepts and filters the system calls made while a container is running, and sends the system call operation information to the malicious behavior analysis engine;
the malicious behavior analysis engine receives the container system call information intercepted by the host system, performs malicious behavior analysis and generates an analysis report;
the container management system runs in the host system and manages the life cycle of the containers;
the system also includes one or more container images, and the container management system selects the corresponding container image according to the type of the suspect program and configures a container, thereby isolating the operating system environment.
2. The container-based malicious code detection sandbox system according to claim 1, characterised in that the system also includes a system kernel, which is the kernel shared by the host system and the containers;
the system kernel includes a system call hook kernel module, which generates the system call hook mechanism;
through the system call hook mechanism, the host system intercepts and filters the container's system calls, records the container's system call process information and sends it to the malicious behavior analysis engine.
3. The container-based malicious code detection sandbox system according to claim 2, characterised in that the system also includes a malicious code sample database;
the malicious code sample database stores the malicious behavior analysis results of suspect programs and provides a query service externally.
4. The container-based malicious code detection sandbox system according to claim 3, characterised in that implementations of the system call hook mechanism include the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems.
5. A container-based malicious code detection method, characterised in that it comprises the following steps:
initiating malicious code detection for a suspect program;
the container management system selecting a container image and configuring a container;
the container management system starting the container and triggering the opening or execution of the suspect program in the container;
the system call hook kernel module intercepting the container's system calls and sending the system call information to the malicious program analysis engine;
the malicious behavior analysis engine modeling and analyzing the suspect program from the container's system call information, generating an analysis report, determining whether the program contains malicious code, updating the malicious code sample database and notifying the host system;
the host system, according to the analysis result of the malicious behavior analysis engine, determining whether to stop the container and remove its run-time data.
6. The container-based malicious code detection method according to claim 5, characterised in that in the step of initiating malicious code detection for a suspect program, detection is initiated either manually, by the user selecting a program file, or automatically, by the host system according to a preset policy.
7. The container-based malicious code detection method according to claim 6, characterised in that in the step in which the container management system selects a container image and configures a container:
the container management system runs in the host system and manages the life cycle of the containers, and one or more containers run in the host system; the container management system selects the corresponding container image according to the type of the suspect program and configures different system running environments.
8. The container-based malicious code detection method according to claim 7, characterised in that the step in which the container management system starts the container and triggers the opening or execution of the suspect program in the container also includes:
if the suspect program is an executable, triggering its execution; if it is not an executable, selecting the corresponding software according to its file type to open it.
9. The container-based malicious code detection method according to claim 8, characterised in that the step in which the system call hook kernel module intercepts the container's system calls and sends the system call information to the malicious program analysis engine specifically includes:
the host system, through the system call hook mechanism of the system call hook kernel module in the system kernel, intercepting and filtering the container's system calls, recording the container's system call process information and sending it to the malicious behavior analysis engine;
implementations of the system call hook mechanism including the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems.
10. The container-based malicious code detection method according to claim 9, characterised in that the malicious code sample database stores the behavior analysis results of suspect program samples and provides a query service externally.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710978630.XA CN107679399A (en) 2017-10-19 2017-10-19 A kind of Malicious Code Detection sandbox system and detection method based on container

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710978630.XA CN107679399A (en) 2017-10-19 2017-10-19 A kind of Malicious Code Detection sandbox system and detection method based on container

Publications (1)

Publication Number Publication Date
CN107679399A true CN107679399A (en) 2018-02-09

Family

ID=61140727

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710978630.XA Pending CN107679399A (en) 2017-10-19 2017-10-19 A kind of Malicious Code Detection sandbox system and detection method based on container

Country Status (1)

Country Link
CN (1) CN107679399A (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108898012A (en) * 2018-05-23 2018-11-27 华为技术有限公司 The method and apparatus for detecting illegal program
CN109214186A (en) * 2018-08-29 2019-01-15 厦门快快网络科技有限公司 A kind of interception trojan horse system and method based on inner nuclear layer
CN109271409A (en) * 2018-11-08 2019-01-25 成都索贝数码科技股份有限公司 Database fragmentation execution method based on container resource allocation
CN109446800A (en) * 2018-11-15 2019-03-08 珠海市知安全科技有限公司 A kind of sample sandbox analysis method and device
CN109784055A (en) * 2018-12-29 2019-05-21 上海高重信息科技有限公司 A kind of method and system of quick detection and preventing malice software
CN109828824A (en) * 2018-12-29 2019-05-31 东软集团股份有限公司 Safety detecting method, device, storage medium and the electronic equipment of mirror image
WO2019174193A1 (en) * 2018-03-16 2019-09-19 华为技术有限公司 Container escape detection method, apparatus and system, and storage medium
CN110311901A (en) * 2019-06-21 2019-10-08 南京尓嘉网络科技有限公司 A kind of lightweight network sandbox setting method based on container technique
CN110392081A (en) * 2018-04-20 2019-10-29 武汉安天信息技术有限责任公司 Virus base method for pushing and device, computer equipment and computer storage medium
CN110851824A (en) * 2019-11-13 2020-02-28 哈尔滨工业大学 Detection method for malicious container
CN111079146A (en) * 2019-12-10 2020-04-28 苏州浪潮智能科技有限公司 Malicious software processing method and device
CN111221625A (en) * 2019-12-31 2020-06-02 北京健康之家科技有限公司 File detection method, device and equipment
CN112084005A (en) * 2020-09-09 2020-12-15 北京升鑫网络科技有限公司 Container behavior auditing method, device, terminal and storage medium
CN112187747A (en) * 2020-09-15 2021-01-05 中信银行股份有限公司 Remote container login method and device and electronic equipment
CN112395617A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Method and device for protecting docker escape vulnerability, storage medium and computer equipment
CN113221103A (en) * 2021-05-08 2021-08-06 山东英信计算机技术有限公司 Container safety protection method, system and medium
CN113672918A (en) * 2021-08-04 2021-11-19 安天科技集团股份有限公司 Malicious code detection method and device, storage medium and electronic equipment
CN114707149A (en) * 2022-03-18 2022-07-05 安芯网盾(北京)科技有限公司 Puppet process detection method and device, electronic device and storage medium
CN114707150A (en) * 2022-03-21 2022-07-05 安芯网盾(北京)科技有限公司 Malicious code detection method and device, electronic equipment and storage medium
CN114780168A (en) * 2022-03-30 2022-07-22 全球能源互联网研究院有限公司南京分公司 Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment
US11522905B2 (en) 2019-09-11 2022-12-06 International Business Machines Corporation Malicious virtual machine detection

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101873318A (en) * 2010-06-08 2010-10-27 国网电力科学研究院 Application and data security method aiming at application system on application basis supporting platform
CN102810143A (en) * 2012-04-28 2012-12-05 天津大学 Safety detecting system and method based on mobile phone application program of Android platform
US9117078B1 (en) * 2008-09-17 2015-08-25 Trend Micro Inc. Malware behavior analysis and policy creation
CN105389197A (en) * 2015-10-13 2016-03-09 北京百度网讯科技有限公司 Operation capture method and apparatus for container based virtualized system
CN106326733A (en) * 2015-06-26 2017-01-11 中兴通讯股份有限公司 Method and apparatus for managing applications in mobile terminal
CN106897611A (en) * 2017-03-03 2017-06-27 金光 Secure virtual mobile applications running environment system and method and application without root authority

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019174048A1 (en) * 2018-03-16 2019-09-19 华为技术有限公司 Container escape detection method, apparatus and system, and storage medium
CN111819556A (en) * 2018-03-16 2020-10-23 华为技术有限公司 Container escape detection method, device and system and storage medium
CN111819556B (en) * 2018-03-16 2024-04-09 华为云计算技术有限公司 Container escape detection method, device, system and storage medium
US11989283B2 (en) 2018-03-16 2024-05-21 Huawei Cloud Computing Technologies Co., Ltd. Container escape detection method, apparatus, and system, and storage medium
WO2019174193A1 (en) * 2018-03-16 2019-09-19 华为技术有限公司 Container escape detection method, apparatus and system, and storage medium
CN110392081B (en) * 2018-04-20 2022-08-30 武汉安天信息技术有限责任公司 Virus library pushing method and device, computer equipment and computer storage medium
CN110392081A (en) * 2018-04-20 2019-10-29 武汉安天信息技术有限责任公司 Virus base method for pushing and device, computer equipment and computer storage medium
CN108898012A (en) * 2018-05-23 2018-11-27 华为技术有限公司 The method and apparatus for detecting illegal program
CN108898012B (en) * 2018-05-23 2021-01-29 华为技术有限公司 Method and apparatus for detecting illegal program
CN109214186A (en) * 2018-08-29 2019-01-15 厦门快快网络科技有限公司 A kind of interception trojan horse system and method based on inner nuclear layer
CN109271409A (en) * 2018-11-08 2019-01-25 成都索贝数码科技股份有限公司 Database fragmentation execution method based on container resource allocation
CN109271409B (en) * 2018-11-08 2021-11-02 成都索贝数码科技股份有限公司 Database fragmentation execution method based on container resource allocation
CN109446800A (en) * 2018-11-15 2019-03-08 珠海市知安全科技有限公司 A kind of sample sandbox analysis method and device
CN109784055B (en) * 2018-12-29 2021-01-08 上海高重信息科技有限公司 Method and system for rapidly detecting and preventing malicious software
CN109828824A (en) * 2018-12-29 2019-05-31 东软集团股份有限公司 Safety detecting method, device, storage medium and the electronic equipment of mirror image
CN109784055A (en) * 2018-12-29 2019-05-21 上海高重信息科技有限公司 A kind of method and system of quick detection and preventing malice software
CN110311901A (en) * 2019-06-21 2019-10-08 南京尓嘉网络科技有限公司 A kind of lightweight network sandbox setting method based on container technique
CN110311901B (en) * 2019-06-21 2022-03-08 北京雅客云安全科技有限公司 Lightweight network sandbox setting method based on container technology
CN112395617A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Method and device for protecting docker escape vulnerability, storage medium and computer equipment
US11522905B2 (en) 2019-09-11 2022-12-06 International Business Machines Corporation Malicious virtual machine detection
CN110851824A (en) * 2019-11-13 2020-02-28 哈尔滨工业大学 Detection method for malicious container
CN111079146A (en) * 2019-12-10 2020-04-28 苏州浪潮智能科技有限公司 Malicious software processing method and device
CN111221625A (en) * 2019-12-31 2020-06-02 北京健康之家科技有限公司 File detection method, device and equipment
CN111221625B (en) * 2019-12-31 2023-08-04 北京水滴科技集团有限公司 File detection method, device and equipment
CN112084005A (en) * 2020-09-09 2020-12-15 北京升鑫网络科技有限公司 Container behavior auditing method, device, terminal and storage medium
CN112187747A (en) * 2020-09-15 2021-01-05 中信银行股份有限公司 Remote container login method and device and electronic equipment
CN113221103B (en) * 2021-05-08 2022-09-20 山东英信计算机技术有限公司 Container safety protection method, system and medium
CN113221103A (en) * 2021-05-08 2021-08-06 山东英信计算机技术有限公司 Container safety protection method, system and medium
CN113672918A (en) * 2021-08-04 2021-11-19 安天科技集团股份有限公司 Malicious code detection method and device, storage medium and electronic equipment
CN114707149A (en) * 2022-03-18 2022-07-05 安芯网盾(北京)科技有限公司 Puppet process detection method and device, electronic device and storage medium
CN114707150A (en) * 2022-03-21 2022-07-05 安芯网盾(北京)科技有限公司 Malicious code detection method and device, electronic equipment and storage medium
CN114780168A (en) * 2022-03-30 2022-07-22 全球能源互联网研究院有限公司南京分公司 Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment
CN114780168B (en) * 2022-03-30 2023-04-28 全球能源互联网研究院有限公司南京分公司 Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment

Similar Documents

Publication Publication Date Title
CN107679399A (en) A kind of Malicious Code Detection sandbox system and detection method based on container
Ustiugov et al. Benchmarking, analysis, and optimization of serverless function snapshots
CN101655798B (en) Method for deployment and operation of application in computer and virtual machine environments
US6557168B1 (en) System and method for minimizing inter-application interference among static synchronized methods
CN102821158B (en) A kind of method and cloud system realizing virtual machine (vm) migration
CN104008340B (en) Virus scanning and killing method and device
CN109558211A (en) The method for protecting the interaction integrality and confidentiality of trusted application and common application
CN103077071B (en) The acquisition methods of a kind of KVM virtual machine progress information and system
CN101788915A (en) White list updating method based on trusted process tree
CN102024114B (en) Malicious code prevention method based on unified extensible fixed interface
US7793266B2 (en) Method, apparatus and computer program product for optimizing access to the content of a virtual application container on a fixed, read-only medium
CN101873318B (en) Application and data security method aiming at application system on application basis supporting platform
CN104321748A (en) Methods, systems and apparatus to capture error conditions in lightweight virtual machine managers
CN104598823A (en) Kernel level rootkit detection method and system in Andriod system
CN102150105A (en) Deployment and management of virtual containers
CN101095111A (en) A method of maintaining applications in a computing device
CN102165431A (en) On-the-fly replacement of physical hardware with emulation
CN110096333A (en) A kind of container performance accelerated method based on nonvolatile memory
US20040123278A1 (en) Persistent cache apparatus and methods
CN103065090A (en) Method and device for intercepting malicious advertisements of application program
CN102810070A (en) High-performance professional ability packaging process engine and process control method thereof
CN104166575B (en) The decision method and device of startup item handling result
CN108090360A (en) The Android malicious application sorting technique and system of a kind of Behavior-based control feature
US11416277B2 (en) Situation-aware virtual machine migration
CN109359092A (en) File management method, desktop display method, device, terminal and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20180209