CN107679399A - Container-based malicious code detection sandbox system and detection method - Google Patents
- Publication number: CN107679399A
- Application number: CN201710978630.XA
- Authority: CN (China)
- Prior art keywords: container, malicious code, program, host computer, malicious
- Legal status: Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Abstract
The present invention relates to a container-based malicious code detection sandbox system and detection method, characterized by comprising the following steps: malicious code detection is initiated for a suspect program; the container management system selects a container image and configures a container; the container management system starts the container and triggers the opening or execution of the suspect program in the container; the system call Hook kernel module intercepts the container's system calls and sends the system call information to the malicious program analysis engine; the malicious behavior analysis engine models and analyzes the suspect program using the system call information of the above container, generates an analysis report, determines whether the program contains malicious code, updates the malicious code sample database, and notifies the host system; the host system decides, according to the analysis result of the malicious behavior analysis engine, whether to stop the container, and clears the runtime data.
Description
Technical field
The invention belongs to the field of information security technology, and in particular relates to a container-based malicious code detection sandbox system and detection method.
Background art
In recent years, malware has made extensive use of code protection mechanisms such as multi-layer encryption packers, driver-associated packers and metamorphic packers, together with newer techniques such as polymorphism and metamorphism, which pose a serious challenge to traditional static analysis of malicious code. Dynamic behavior analysis based on sandboxing has become an effective method for identifying unknown malicious code and resisting advanced persistent threats (APT).
Existing sandboxes generally fall into two kinds:
The first is the sandbox based on Hook technology. By hooking through means such as kernel filter drivers and DLL injection, it intercepts the suspect program's operations on system resources (such as process objects, files, the registry, memory and the network) and redirects the suspect program's write operations into the sandbox's isolated environment, preventing the suspect program from damaging the real system environment. A Hook-based sandbox is weak in security and isolation: it is easily detected by sandbox detection and escaped through vulnerability exploitation, which destroys the sandbox's effectiveness.
The second is the sandbox based on virtualization technology. The suspect program is run in a separate virtual machine, and the running environment is isolated by the virtualization mechanism. Because such a sandbox relies on a complete virtual machine, it consumes considerable system resources and the virtual machine starts slowly, so its practicality is limited. These are the shortcomings of the prior art.
Summary of the invention
The object of the present invention is to address the above defects of the prior art by providing a container-based malicious code detection sandbox system and detection method that solve the above technical problems.
To achieve this object, the technical solution of the present invention is as follows:
A container-based malicious code detection sandbox system comprises a host system, a malicious behavior analysis engine, a container management system and several containers;
The host system manages and runs containers, intercepts and filters the system calls made while a container is running, and sends the system call operation information to the malicious behavior analysis engine;
The malicious behavior analysis engine receives the container system call information intercepted by the host system and performs malicious behavior analysis to generate an analysis report;
The container management system runs in the host system and manages the life cycle of the containers;
The system also includes one or more container images; the container management system selects the corresponding container image according to the type of the suspect program and configures the container, achieving isolation of the operating system environment.
Further, the system also includes a system kernel, which is the kernel shared by the host system and the containers;
The system kernel includes a system call Hook kernel module, which is used to provide the system call Hook mechanism;
Through the system call Hook mechanism, the host system intercepts and filters the container's system calls, records the container's system call process information, and sends it to the malicious behavior analysis engine.
Further, the system also includes a malicious code sample database;
The malicious code sample database stores the malicious behavior analysis results of suspect programs and provides an external query service.
Further, implementations of the system call Hook mechanism include the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems.
A container-based malicious code detection method comprises the following steps:
Malicious code detection is initiated for a suspect program;
The container management system selects a container image and configures a container;
The container management system starts the container and triggers the opening or execution of the suspect program in the container;
The system call Hook kernel module intercepts the container's system calls and sends the system call information to the malicious program analysis engine;
The malicious behavior analysis engine models and analyzes the suspect program using the system call information of the above container, generates an analysis report, determines whether the program contains malicious code, updates the malicious code sample database, and notifies the host system;
The host system decides, according to the analysis result of the malicious behavior analysis engine, whether to stop the container, and clears the runtime data.
Further, in the step of initiating malicious code detection for a suspect program, detection is either triggered manually by the user selecting the program file, or triggered automatically by the host system according to a preset policy.
Further, in the step in which the container management system selects a container image and configures a container:
The container management system runs in the host system and manages the life cycle of the containers, and one or more containers run on the host system; the container management system selects the corresponding container image according to the type of the suspect program and configures a different system running environment.
Further, the step in which the container management system starts the container and triggers the opening or execution of the suspect program in the container also includes:
If the suspect program is an executable program, its execution is triggered; if it is not an executable program, the corresponding software is selected to open it according to its file type.
Further, the step in which the system call Hook kernel module intercepts the container's system calls and sends the system call information to the malicious program analysis engine specifically includes:
Through the system call Hook mechanism of the system call Hook kernel module in the system kernel, the host system intercepts and filters the container's system calls, records the container's system call process information, and sends it to the malicious behavior analysis engine;
Implementations of the system call Hook mechanism include the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems.
Further, the malicious code sample database stores the behavior analysis results of suspect program samples and provides an external query service; the malicious program analysis engine may run in the host system, in a virtual machine or in a container, or on a remote server.
A container is started on the host system and the suspect program is opened or executed in the container; the host system uses the system call Hook technique to intercept and filter the container's system call operations and sends the container's system call process information to the malicious behavior analysis engine; the malicious behavior analysis engine analyzes the suspect program's system call behavior in real time, generates an analysis report, updates the malicious program sample database, and notifies the host system for handling.
The beneficial effect of the present invention is that it uses container technology to effectively isolate the suspect program's running environment. Compared with a write-redirection sandbox it offers better security and isolation; compared with a virtualization sandbox it consumes fewer system resources, starts faster and is easier to manage. It balances security and operating efficiency and is therefore more practical. The invention achieves security isolation of the malicious code running environment and improves the security of the sandbox system, while reducing the sandbox system's resource consumption and speeding up its startup, thereby improving the practicality of the malicious code analysis sandbox.
In addition, the design principle of the present invention is reliable and its structure is simple, giving it very broad application prospects.
It can be seen that, compared with the prior art, the present invention has prominent substantive features and represents notable progress, and the beneficial effects of its implementation are also obvious.
Brief description of the drawings
Fig. 1 is a schematic diagram of the connection structure of a container-based malicious code detection sandbox system provided by an embodiment of the present invention.
Fig. 2 is a flow chart of a container-based malicious code detection method provided by an embodiment of the present invention.
Detailed description of the embodiments
The present invention is described in detail below with reference to the accompanying drawings and specific embodiments. The following embodiments explain the present invention, and the present invention is not limited to them.
As shown in Fig. 1, a container-based malicious code detection sandbox system provided by an embodiment of the present invention comprises a host system, a malicious behavior analysis engine, a container management system and several containers;
The host system manages and runs containers, intercepts and filters the system calls made while a container is running, and sends the system call operation information to the malicious behavior analysis engine;
The malicious behavior analysis engine receives the container system call information intercepted by the host system and performs malicious behavior analysis to generate an analysis report;
The container management system runs in the host system and manages the life cycle of the containers;
The system also includes one or more container images; the container management system selects the corresponding container image according to the type of the suspect program and configures the container, achieving isolation of the operating system environment.
The system also includes a system kernel, which is the kernel shared by the host system and the containers;
The system kernel includes a system call Hook kernel module, which is used to provide the system call Hook mechanism;
Through the system call Hook mechanism, the host system intercepts and filters the container's system calls, records the container's system call process information, and sends it to the malicious behavior analysis engine.
The system also includes a malicious code sample database;
The malicious code sample database stores the malicious behavior analysis results of suspect programs and provides an external query service.
Implementations of the system call Hook mechanism include the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems.
Host system: a Windows or Linux operating system that supports containers and provides the running environment for the user's various business software;
System kernel: the kernel shared by the host system and the containers;
Container: a lightweight operating system virtualization technology that shares the kernel with the host system and isolates the operating system environment through technologies such as control groups (cgroups), namespaces and union file systems (overlayfs, aufs, unionfs, etc.); examples are Docker, LXC and Windows Server containers;
Container management system: runs in the host system and manages the life cycle of the containers, including configuration, startup and shutdown;
Container image: a base operating system image, that is, the base file system that supports the running of applications; it contains no system kernel files;
Container file system: through the union file system module, the container image is used as a read-only file system and overlaid with a writable temporary file system, forming a complete writable container file system. The container image is not modified while the container runs and can be shared by multiple containers; clearing the data in the writable temporary file system rolls the container back to its initial state.
As shown in Fig. 2, a container-based malicious code detection method provided by an embodiment of the present invention comprises the following steps:
Step 101: Malicious code detection is initiated for a suspect program;
In step 101, detection is either triggered manually by the user selecting the program file, or triggered automatically by the host system according to a preset policy;
Step 102: The container management system selects a container image and configures a container;
In step 102, the container management system runs in the host system and manages the life cycle of the containers, including configuration, startup and shutdown; the host system is a Windows or Linux operating system that supports container technology, and one or more containers can run on it; the container management system can select the corresponding container image according to the type of the suspect program and configure a different system running environment;
Step 103: The container management system starts the container and triggers the opening or execution of the suspect program in the container;
In step 103, if the suspect program is an executable program, its execution is triggered; if it is not an executable program, the corresponding software is selected to open it according to its file type;
Step 104: The host system intercepts the system calls of the above container through the system call Hook module of the system kernel, and sends the system call information to the malicious program analysis engine;
In step 104, the system call Hook has several implementations, including the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems; the malicious program analysis engine may run in the host system, in a virtual machine or in a container, or on a remote server;
Step 105: The malicious behavior analysis engine models and analyzes the suspect program using the system call information of the above container, generates an analysis report, determines whether the program contains malicious code, updates the malicious program sample database, and notifies the host system;
In step 105, the malicious program sample database stores the behavior analysis results of suspect program samples and provides an external query service;
Step 106: The host system decides, according to the analysis result of the malicious behavior analysis engine, whether to stop the container, and clears the runtime data.
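Steps 104 to 106 above, as an added example that is not part of the patent: a small Python analysis engine that filters hook records by container, models each process's call sequence, records the verdict by sample hash and returns the host's actions. The record format, rule names, weights, threshold and host policy are assumptions of this example, and the event lines are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Assumed record format from the hook layer: one JSON object per line with
# "container", "pid", "syscall" and "args". All lines below are constructed.
EVENTS = """\
{"container":"sbx-1","pid":7,"syscall":"execve","args":["/sample/invoice.bin"]}
{"container":"sbx-1","pid":7,"syscall":"getpid","args":[]}
{"container":"sbx-1","pid":7,"syscall":"openat","args":["/etc/cron.d/upd","O_WRONLY|O_CREAT"]}
{"container":"sbx-1","pid":7,"syscall":"connect","args":["192.0.2.10:4444"]}
{"container":"sbx-1","pid":7,"syscall":"dup2","args":[3,0]}
{"container":"sbx-1","pid":7,"syscall":"dup2","args":[3,1]}
{"container":"sbx-1","pid":7,"syscall":"dup2","args":[3,2]}
{"container":"sbx-1","pid":7,"syscall":"execve","args":["/bin/sh"]}
{"container":"sbx-2","pid":9,"syscall":"openat","args":["/sample/report.pdf","O_RDONLY"]}
{"container":"sbx-2","pid":9,"syscall":"connect","args":["192.0.2.53:53"]}
{"container":"sbx-2","pid":9,"syscall":"execve","args":["/bin/sh"]}
{"container":"sbx-1","pid":7,"sysc
""".splitlines()

MONITORED = {"execve", "openat", "connect", "dup2", "rename", "init_module", "mount"}
PERSISTENCE_PREFIXES = ("/etc/cron", "/etc/systemd/", "/etc/ld.so.preload")
SHELLS = {"/bin/sh", "/bin/bash"}
WEIGHTS = {"persistence_write": 40, "net_to_shell": 60,
           "mass_rename": 50, "kernel_or_mount_tamper": 70}
THRESHOLD = 60  # assumed cut-off for a malicious verdict


@dataclass
class ProcState:
    connected: bool = False
    redirected: set = field(default_factory=set)  # std fds rebound after connect
    renames: int = 0


def filter_events(lines, container_id):
    """Step 104: keep only monitored syscalls made inside the given container."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated record must not stop the analysis
        if (isinstance(ev, dict) and ev.get("container") == container_id
                and ev.get("syscall") in MONITORED):
            yield ev


def analyze(events, rename_limit=50):
    """Step 105: model per-process behaviour and build the analysis report."""
    procs, findings = {}, {}

    def hit(name, ev):
        findings.setdefault(name, []).append(
            f'pid {ev.get("pid")}: {ev["syscall"]} {ev.get("args", [])}')

    for ev in events:
        st = procs.setdefault(ev.get("pid"), ProcState())
        call, args = ev["syscall"], ev.get("args", [])
        if call == "openat" and len(args) >= 2:
            writes = any(f in str(args[1]) for f in ("O_WRONLY", "O_RDWR", "O_CREAT"))
            if writes and str(args[0]).startswith(PERSISTENCE_PREFIXES):
                hit("persistence_write", ev)
        elif call == "connect":
            st.connected = True
        elif call == "dup2" and len(args) == 2 and st.connected and args[1] in (0, 1, 2):
            st.redirected.add(args[1])
        elif call == "execve" and args and args[0] in SHELLS and st.redirected == {0, 1, 2}:
            # Sequence rule: socket, then stdin/stdout/stderr rebound, then a shell.
            hit("net_to_shell", ev)
        elif call == "rename":
            st.renames += 1
            if st.renames == rename_limit:  # report once when the limit is reached
                hit("mass_rename", ev)
        elif call in ("init_module", "mount"):
            hit("kernel_or_mount_tamper", ev)
    score = min(100, sum(WEIGHTS[name] for name in findings))
    return {"score": score, "malicious": score >= THRESHOLD, "findings": findings}


def run_detection(sample, lines, container_id, sample_db):
    """Steps 104-106 for one container: filter, analyse, record, decide."""
    report = analyze(filter_events(lines, container_id))
    report["container"] = container_id
    sample_db[hashlib.sha256(sample).hexdigest()] = report  # queryable by hash
    # Assumed host policy: a malicious verdict stops the container and discards
    # its writable layer, returning it to the image's initial state.
    actions = ["stop_container", "clear_writable_layer"] if report["malicious"] else []
    return report, actions


if __name__ == "__main__":
    db = {}
    for cid, blob in (("sbx-1", b"constructed sample A"), ("sbx-2", b"constructed sample B")):
        rep, acts = run_detection(blob, EVENTS, cid, db)
        print(cid, rep["score"], sorted(rep["findings"]), acts)
```

The second container also connects and then starts a shell, but without rebinding its standard descriptors to the socket, so the sequence rule does not fire; a per-call blocklist would not separate the two cases.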
The above discloses only preferred embodiments of the present invention, but the present invention is not limited to them. Any non-inventive variation that a person skilled in the art can conceive, and any improvements and refinements made without departing from the principles of the present invention, shall fall within the scope of protection of the present invention.
Claims (10)
1. A container-based malicious code detection sandbox system, characterized by comprising a host system, a malicious behavior analysis engine, a container management system and several containers;
The host system manages and runs containers, intercepts and filters the system calls made while a container is running, and sends the system call operation information to the malicious behavior analysis engine;
The malicious behavior analysis engine receives the container system call information intercepted by the host system and performs malicious behavior analysis to generate an analysis report;
The container management system runs in the host system and manages the life cycle of the containers;
The system also includes one or more container images; the container management system selects the corresponding container image according to the type of the suspect program and configures the container, achieving isolation of the operating system environment.
2. The container-based malicious code detection sandbox system according to claim 1, characterized in that the system also includes a system kernel, which is the kernel shared by the host system and the containers;
The system kernel includes a system call Hook kernel module, which is used to provide the system call Hook mechanism;
Through the system call Hook mechanism, the host system intercepts and filters the container's system calls, records the container's system call process information, and sends it to the malicious behavior analysis engine.
3. The container-based malicious code detection sandbox system according to claim 2, characterized in that the system also includes a malicious code sample database;
The malicious code sample database stores the malicious behavior analysis results of suspect programs and provides an external query service.
4. The container-based malicious code detection sandbox system according to claim 3, characterized in that implementations of the system call Hook mechanism include the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems.
5. A container-based malicious code detection method, characterized by comprising the following steps:
Malicious code detection is initiated for a suspect program;
The container management system selects a container image and configures a container;
The container management system starts the container and triggers the opening or execution of the suspect program in the container;
The system call Hook kernel module intercepts the container's system calls and sends the system call information to the malicious program analysis engine;
The malicious behavior analysis engine models and analyzes the suspect program using the system call information of the above container, generates an analysis report, determines whether the program contains malicious code, updates the malicious code sample database, and notifies the host system;
The host system decides, according to the analysis result of the malicious behavior analysis engine, whether to stop the container, and clears the runtime data.
6. The container-based malicious code detection method according to claim 5, characterized in that, in the step of initiating malicious code detection for a suspect program, detection is either triggered manually by the user selecting the program file, or triggered automatically by the host system according to a preset policy.
7. The container-based malicious code detection method according to claim 6, characterized in that, in the step in which the container management system selects a container image and configures a container:
The container management system runs in the host system and manages the life cycle of the containers, and one or more containers run on the host system; the container management system selects the corresponding container image according to the type of the suspect program and configures a different system running environment.
8. The container-based malicious code detection method according to claim 7, characterized in that the step in which the container management system starts the container and triggers the opening or execution of the suspect program in the container also includes:
If the suspect program is an executable program, its execution is triggered; if it is not an executable program, the corresponding software is selected to open it according to its file type.
9. The container-based malicious code detection method according to claim 8, characterized in that the step in which the system call Hook kernel module intercepts the container's system calls and sends the system call information to the malicious program analysis engine specifically includes:
Through the system call Hook mechanism of the system call Hook kernel module in the system kernel, the host system intercepts and filters the container's system calls, records the container's system call process information, and sends it to the malicious behavior analysis engine;
Implementations of the system call Hook mechanism include the seccomp-bpf mechanism, the kprobe mechanism and system call address replacement on Linux systems, and the filter driver approach on Windows systems.
10. The container-based malicious code detection method according to claim 9, characterized in that the malicious code sample database stores the behavior analysis results of suspect program samples and provides an external query service.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710978630.XA CN107679399A (en) | 2017-10-19 | 2017-10-19 | A kind of Malicious Code Detection sandbox system and detection method based on container |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107679399A true CN107679399A (en) | 2018-02-09 |
Family
ID=61140727
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710978630.XA Pending CN107679399A (en) | 2017-10-19 | 2017-10-19 | A kind of Malicious Code Detection sandbox system and detection method based on container |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107679399A (en) |
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108898012A (en) * | 2018-05-23 | 2018-11-27 | 华为技术有限公司 | The method and apparatus for detecting illegal program |
CN109214186A (en) * | 2018-08-29 | 2019-01-15 | 厦门快快网络科技有限公司 | A kind of interception trojan horse system and method based on inner nuclear layer |
CN109271409A (en) * | 2018-11-08 | 2019-01-25 | 成都索贝数码科技股份有限公司 | Database fragmentation execution method based on container resource allocation |
CN109446800A (en) * | 2018-11-15 | 2019-03-08 | 珠海市知安全科技有限公司 | A kind of sample sandbox analysis method and device |
CN109784055A (en) * | 2018-12-29 | 2019-05-21 | 上海高重信息科技有限公司 | A kind of method and system of quick detection and preventing malice software |
CN109828824A (en) * | 2018-12-29 | 2019-05-31 | 东软集团股份有限公司 | Safety detecting method, device, storage medium and the electronic equipment of mirror image |
WO2019174193A1 (en) * | 2018-03-16 | 2019-09-19 | 华为技术有限公司 | Container escape detection method, apparatus and system, and storage medium |
CN110311901A (en) * | 2019-06-21 | 2019-10-08 | 南京尓嘉网络科技有限公司 | A kind of lightweight network sandbox setting method based on container technique |
CN110392081A (en) * | 2018-04-20 | 2019-10-29 | 武汉安天信息技术有限责任公司 | Virus base method for pushing and device, computer equipment and computer storage medium |
CN110851824A (en) * | 2019-11-13 | 2020-02-28 | 哈尔滨工业大学 | Detection method for malicious container |
CN111079146A (en) * | 2019-12-10 | 2020-04-28 | 苏州浪潮智能科技有限公司 | Malicious software processing method and device |
CN111221625A (en) * | 2019-12-31 | 2020-06-02 | 北京健康之家科技有限公司 | File detection method, device and equipment |
CN112084005A (en) * | 2020-09-09 | 2020-12-15 | 北京升鑫网络科技有限公司 | Container behavior auditing method, device, terminal and storage medium |
CN112187747A (en) * | 2020-09-15 | 2021-01-05 | 中信银行股份有限公司 | Remote container login method and device and electronic equipment |
CN112395617A (en) * | 2019-08-15 | 2021-02-23 | 奇安信安全技术(珠海)有限公司 | Method and device for protecting docker escape vulnerability, storage medium and computer equipment |
CN113221103A (en) * | 2021-05-08 | 2021-08-06 | 山东英信计算机技术有限公司 | Container safety protection method, system and medium |
CN113672918A (en) * | 2021-08-04 | 2021-11-19 | 安天科技集团股份有限公司 | Malicious code detection method and device, storage medium and electronic equipment |
CN114707149A (en) * | 2022-03-18 | 2022-07-05 | 安芯网盾(北京)科技有限公司 | Puppet process detection method and device, electronic device and storage medium |
CN114707150A (en) * | 2022-03-21 | 2022-07-05 | 安芯网盾(北京)科技有限公司 | Malicious code detection method and device, electronic equipment and storage medium |
CN114780168A (en) * | 2022-03-30 | 2022-07-22 | 全球能源互联网研究院有限公司南京分公司 | Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment |
US11522905B2 (en) | 2019-09-11 | 2022-12-06 | International Business Machines Corporation | Malicious virtual machine detection |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101873318A (en) * | 2010-06-08 | 2010-10-27 | 国网电力科学研究院 | Application and data security method aiming at application system on application basis supporting platform |
CN102810143A (en) * | 2012-04-28 | 2012-12-05 | 天津大学 | Safety detecting system and method based on mobile phone application program of Android platform |
US9117078B1 (en) * | 2008-09-17 | 2015-08-25 | Trend Micro Inc. | Malware behavior analysis and policy creation |
CN105389197A (en) * | 2015-10-13 | 2016-03-09 | 北京百度网讯科技有限公司 | Operation capture method and apparatus for container based virtualized system |
CN106326733A (en) * | 2015-06-26 | 2017-01-11 | 中兴通讯股份有限公司 | Method and apparatus for managing applications in mobile terminal |
CN106897611A (en) * | 2017-03-03 | 2017-06-27 | 金光 | Secure virtual mobile applications running environment system and method and application without root authority |
2017
- 2017-10-19 CN CN201710978630.XA patent/CN107679399A/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9117078B1 (en) * | 2008-09-17 | 2015-08-25 | Trend Micro Inc. | Malware behavior analysis and policy creation |
CN101873318A (en) * | 2010-06-08 | 2010-10-27 | 国网电力科学研究院 | Application and data security method aiming at application system on application basis supporting platform |
CN102810143A (en) * | 2012-04-28 | 2012-12-05 | 天津大学 | Safety detecting system and method based on mobile phone application program of Android platform |
CN106326733A (en) * | 2015-06-26 | 2017-01-11 | 中兴通讯股份有限公司 | Method and apparatus for managing applications in mobile terminal |
CN105389197A (en) * | 2015-10-13 | 2016-03-09 | 北京百度网讯科技有限公司 | Operation capture method and apparatus for container based virtualized system |
CN106897611A (en) * | 2017-03-03 | 2017-06-27 | 金光 | Secure virtual mobile applications running environment system and method and application without root authority |
Cited By (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019174048A1 (en) * | 2018-03-16 | 2019-09-19 | 华为技术有限公司 | Container escape detection method, apparatus and system, and storage medium |
CN111819556A (en) * | 2018-03-16 | 2020-10-23 | 华为技术有限公司 | Container escape detection method, device and system and storage medium |
CN111819556B (en) * | 2018-03-16 | 2024-04-09 | 华为云计算技术有限公司 | Container escape detection method, device, system and storage medium |
US11989283B2 (en) | 2018-03-16 | 2024-05-21 | Huawei Cloud Computing Technologies Co., Ltd. | Container escape detection method, apparatus, and system, and storage medium |
WO2019174193A1 (en) * | 2018-03-16 | 2019-09-19 | 华为技术有限公司 | Container escape detection method, apparatus and system, and storage medium |
CN110392081B (en) * | 2018-04-20 | 2022-08-30 | 武汉安天信息技术有限责任公司 | Virus library pushing method and device, computer equipment and computer storage medium |
CN110392081A (en) * | 2018-04-20 | 2019-10-29 | 武汉安天信息技术有限责任公司 | Virus base method for pushing and device, computer equipment and computer storage medium |
CN108898012A (en) * | 2018-05-23 | 2018-11-27 | 华为技术有限公司 | The method and apparatus for detecting illegal program |
CN108898012B (en) * | 2018-05-23 | 2021-01-29 | 华为技术有限公司 | Method and apparatus for detecting illegal program |
CN109214186A (en) * | 2018-08-29 | 2019-01-15 | 厦门快快网络科技有限公司 | A kind of interception trojan horse system and method based on inner nuclear layer |
CN109271409A (en) * | 2018-11-08 | 2019-01-25 | 成都索贝数码科技股份有限公司 | Database fragmentation execution method based on container resource allocation |
CN109271409B (en) * | 2018-11-08 | 2021-11-02 | 成都索贝数码科技股份有限公司 | Database fragmentation execution method based on container resource allocation |
CN109446800A (en) * | 2018-11-15 | 2019-03-08 | 珠海市知安全科技有限公司 | A kind of sample sandbox analysis method and device |
CN109784055B (en) * | 2018-12-29 | 2021-01-08 | 上海高重信息科技有限公司 | Method and system for rapidly detecting and preventing malicious software |
CN109828824A (en) * | 2018-12-29 | 2019-05-31 | 东软集团股份有限公司 | Safety detecting method, device, storage medium and the electronic equipment of mirror image |
CN109784055A (en) * | 2018-12-29 | 2019-05-21 | 上海高重信息科技有限公司 | A kind of method and system of quick detection and preventing malice software |
CN110311901A (en) * | 2019-06-21 | 2019-10-08 | 南京尓嘉网络科技有限公司 | A kind of lightweight network sandbox setting method based on container technique |
CN110311901B (en) * | 2019-06-21 | 2022-03-08 | 北京雅客云安全科技有限公司 | Lightweight network sandbox setting method based on container technology |
CN112395617A (en) * | 2019-08-15 | 2021-02-23 | 奇安信安全技术(珠海)有限公司 | Method and device for protecting docker escape vulnerability, storage medium and computer equipment |
US11522905B2 (en) | 2019-09-11 | 2022-12-06 | International Business Machines Corporation | Malicious virtual machine detection |
CN110851824A (en) * | 2019-11-13 | 2020-02-28 | 哈尔滨工业大学 | Detection method for malicious container |
CN111079146A (en) * | 2019-12-10 | 2020-04-28 | 苏州浪潮智能科技有限公司 | Malicious software processing method and device |
CN111221625A (en) * | 2019-12-31 | 2020-06-02 | 北京健康之家科技有限公司 | File detection method, device and equipment |
CN111221625B (en) * | 2019-12-31 | 2023-08-04 | 北京水滴科技集团有限公司 | File detection method, device and equipment |
CN112084005A (en) * | 2020-09-09 | 2020-12-15 | 北京升鑫网络科技有限公司 | Container behavior auditing method, device, terminal and storage medium |
CN112187747A (en) * | 2020-09-15 | 2021-01-05 | 中信银行股份有限公司 | Remote container login method and device and electronic equipment |
CN113221103B (en) * | 2021-05-08 | 2022-09-20 | 山东英信计算机技术有限公司 | Container safety protection method, system and medium |
CN113221103A (en) * | 2021-05-08 | 2021-08-06 | 山东英信计算机技术有限公司 | Container safety protection method, system and medium |
CN113672918A (en) * | 2021-08-04 | 2021-11-19 | 安天科技集团股份有限公司 | Malicious code detection method and device, storage medium and electronic equipment |
CN114707149A (en) * | 2022-03-18 | 2022-07-05 | 安芯网盾(北京)科技有限公司 | Puppet process detection method and device, electronic device and storage medium |
CN114707150A (en) * | 2022-03-21 | 2022-07-05 | 安芯网盾(北京)科技有限公司 | Malicious code detection method and device, electronic equipment and storage medium |
CN114780168A (en) * | 2022-03-30 | 2022-07-22 | 全球能源互联网研究院有限公司南京分公司 | Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment |
CN114780168B (en) * | 2022-03-30 | 2023-04-28 | 全球能源互联网研究院有限公司南京分公司 | Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107679399A (en) | A kind of Malicious Code Detection sandbox system and detection method based on container | |
Ustiugov et al. | Benchmarking, analysis, and optimization of serverless function snapshots | |
CN101655798B (en) | Method for deployment and operation of application in computer and virtual machine environments | |
US6557168B1 (en) | System and method for minimizing inter-application interference among static synchronized methods | |
CN102821158B (en) | A kind of method and cloud system realizing virtual machine (vm) migration | |
CN104008340B (en) | Virus scanning and killing method and device | |
CN109558211A (en) | The method for protecting the interaction integrality and confidentiality of trusted application and common application | |
CN103077071B (en) | The acquisition methods of a kind of KVM virtual machine progress information and system | |
CN101788915A (en) | White list updating method based on trusted process tree | |
CN102024114B (en) | Malicious code prevention method based on unified extensible fixed interface | |
US7793266B2 (en) | Method, apparatus and computer program product for optimizing access to the content of a virtual application container on a fixed, read-only medium | |
CN101873318B (en) | Application and data security method aiming at application system on application basis supporting platform | |
CN104321748A (en) | Methods, systems and apparatus to capture error conditions in lightweight virtual machine managers | |
CN104598823A (en) | Kernel level rootkit detection method and system in Andriod system | |
CN102150105A (en) | Deployment and management of virtual containers | |
CN101095111A (en) | A method of maintaining applications in a computing device | |
CN102165431A (en) | On-the-fly replacement of physical hardware with emulation | |
CN110096333A (en) | A kind of container performance accelerated method based on nonvolatile memory | |
US20040123278A1 (en) | Persistent cache apparatus and methods | |
CN103065090A (en) | Method and device for intercepting malicious advertisements of application program | |
CN102810070A (en) | High-performance professional ability packaging process engine and process control method thereof | |
CN104166575B (en) | The decision method and device of startup item handling result | |
CN108090360A (en) | The Android malicious application sorting technique and system of a kind of Behavior-based control feature | |
US11416277B2 (en) | Situation-aware virtual machine migration | |
CN109359092A (en) | File management method, desktop display method, device, terminal and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180209 |