CN108717509A - Method, device and equipment for extracting program derivatives in a sandbox, and readable medium - Google Patents


Info

Publication number
CN108717509A
Authority
CN (China)
Prior art keywords
file, write, program, derivative, sandbox
Legal status
Granted; active (status as listed by Google Patents, not a legal conclusion)
Application number
CN201810567953.4A
Other languages
Chinese (zh)
Other versions
CN108717509B (en)
Inventors
刘星, 魏丽珍, 邱建, 林贵淇, 梁煜麓, 罗佳
Current assignee
Xiamen Anscen Network Technology Co Ltd
Original assignee
Xiamen Anscen Network Technology Co Ltd
Priority date
2018-06-05
Filing date
2018-06-05
Publication date
2018-10-30 (CN108717509A); granted as CN108717509B on 2020-06-23

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a method, apparatus, equipment and computer-readable medium for extracting program derivatives (the files a program drops while it runs) in a sandbox. The method comprises: an association step, establishing an association between a first file and a first backup file in the sandbox; a recording step, recording in the first backup file according to the type of operation performed on the first file, and changing the reference count of the first file; and a program-derivative extraction step, parsing the first backup file to restore the file content before and after each program write and the order of the writes, analysing the process by which the program operated on the first file, and obtaining its derivatives. By establishing a data structure that associates a file with its backup file, the file content before and after every program write, and the write order, can be extracted in the sandbox; the entire content produced during the file operations is therefore available, and the operation process and the derivatives can be analysed to determine whether the program is malicious.

Description

Method, device and equipment for extracting program derivatives in a sandbox, and readable medium
Technical field
The present invention relates to the technical field of data security, and in particular to a method, apparatus, equipment and computer-readable medium for extracting program derivatives in a sandbox.
Background art
With the spread and development of the Android system, the contest between software on the Android platform and security vendors grows ever more intense. In both static and dynamic detection, program derivatives (the new files a program releases during execution) play a considerable role in the detection pipeline. Extracting derivatives as completely and effectively as possible is therefore an indispensable part of static and dynamic detection.
In the prior art, either newly added files are detected and the derivatives extracted after the program has finished running, or the file-operation code is modified so that, during execution, the file is extracted when the sample closes the file descriptor after operating on it. Although these methods do extract derivatives, the file obtained is its final state, which is not necessarily the file that is wanted. For example, a program may write a file, use it, and then write a hash into the file again; the file extracted at that point contains nothing but useless data. In other words, the prior art cannot extract the process by which the program writes a file, nor all of the data that was written to it.
Summary of the invention
In view of the above defects of the prior art, the present invention proposes the following technical solution.
A method for extracting program derivatives in a sandbox, the method comprising:
Association step: establishing an association between a first file and a first backup file in the sandbox;
Recording step: recording in the first backup file according to the type of operation performed on the first file, and changing the reference count of the first file;
Program-derivative extraction step: parsing the first backup file to restore the file content before and after each program write and the order of the writes, analysing the process by which the program operated on the first file, and obtaining its derivatives.
Further, establishing the association between the first file and the first backup file in the sandbox consists of creating a data structure in the sandbox, a node of which records the path of the first file, the path of the first backup file, and the reference count of the first file.
Further, the data structure is a singly or doubly linked list.
Further, in the association step, when the first file is created or opened, if the application has write permission and the first file is opened or created successfully, the path of the first file is stored in a node of the data structure, the first backup file corresponding to the first file is created, the reference count is incremented by 1, and the data structure is added to a monitoring queue.
Further, the operation of the recording step is:
Determine whether the file object being operated on is in the monitoring queue; if so, determine the type of operation. If the operation is a write, write the data into the first file and, once the write completes, record the current process PID, the thread TID, the file pointer before the write, the write length and the written data in the first backup file. If the operation duplicates the file descriptor or re-opens the file, increment the reference count by 1. If the operation closes the file, decrement the reference count by 1; if the reference count reaches 0, remove the node corresponding to the first file from the singly or doubly linked list and release it.
Further, the method also comprises:
Analysis step: determining whether the program is malicious by analysing the program derivatives.
The invention also provides an apparatus for extracting program derivatives in a sandbox, the apparatus comprising:
Association unit: establishing an association between a first file and a first backup file in the sandbox;
Recording unit: recording in the first backup file according to the type of operation performed on the first file, and changing the reference count of the first file;
Program-derivative extraction unit: parsing the first backup file to restore the file content before and after each program write and the order of the writes, analysing the process by which the program operated on the first file, and obtaining its derivatives.
Further, establishing the association between the first file and the first backup file in the sandbox consists of creating a data structure in the sandbox, a node of which records the path of the first file, the path of the first backup file, and the reference count of the first file.
Further, the data structure is a singly or doubly linked list.
Further, in the association unit, when the first file is created or opened, if the application has write permission and the first file is opened or created successfully, the path of the first file is stored in a node of the data structure, the first backup file corresponding to the first file is created, the reference count is incremented by 1, and the data structure is added to a monitoring queue.
Further, the operation performed by the recording unit is:
Determine whether the file object being operated on is in the monitoring queue; if so, determine the type of operation. If the operation is a write, write the data into the first file and, once the write completes, record the current process PID, the thread TID, the file pointer before the write, the write length and the written data in the first backup file. If the operation duplicates the file descriptor or re-opens the file, increment the reference count by 1. If the operation closes the file, decrement the reference count by 1; if the reference count reaches 0, remove the node corresponding to the first file from the singly or doubly linked list and release it.
Further, the apparatus also comprises:
Analysis unit: determining whether the program is malicious by analysing the program derivatives.
The invention also provides equipment for extracting program derivatives in a sandbox, the equipment comprising a processor and a memory connected by a bus, the memory storing machine-readable code which the processor executes in order to perform any one of the methods described above.
The invention also provides a computer-readable storage medium on which computer program code is stored; when the computer program code is executed by a computer, any one of the methods described above is performed.
The technical effect of the invention is as follows: by establishing a data structure that associates a file with its backup file, the file content before and after every program write, and the order of the writes, can be extracted in the sandbox. That is, the entire content produced during the file operations is extracted, rather than merely the final result of the operations, and whether the program is malicious can be analysed, providing a basis for malware detection.
Description of the drawings
Fig. 1 is a flow chart of a method for extracting program derivatives in a sandbox according to the present invention.
Fig. 2 is a structural diagram of an apparatus for extracting program derivatives in a sandbox according to the present invention.
Fig. 3 is a structural diagram of equipment for extracting program derivatives in a sandbox according to the present invention.
Detailed description of embodiments
The invention is described in detail below with reference to Figs. 1 to 3.
Fig. 1 shows a method for extracting program derivatives in a sandbox according to the present invention; the method comprises:
Association step S11: establishing an association between a first file and a first backup file in the sandbox.
Recording step S12: recording in the first backup file according to the type of operation performed on the first file, and changing the reference count of the first file.
Program-derivative extraction step S13: parsing the first backup file to restore the file content before and after each program write and the order of the writes, analysing the process by which the program operated on the first file, and obtaining its derivatives.
In association step S11, establishing the association between the first file and the first backup file in the sandbox consists of creating a data structure in the sandbox, a node of which records the path of the first file, the path of the first backup file and the reference count of the first file; the reference count is also called the reference count value. Typically the data structure is a singly or doubly linked list. The list strings together all the files that need to be monitored in the sandbox (there may be several first files to monitor), which simplifies the subsequent monitoring of file operations.
One specific embodiment is as follows. Create and maintain a doubly or singly linked list, each node of which contains the path of file A (the first file) and the path of backup file B (the first backup file). The list links the different files A together so that data for several files can be recorded. File A is the file whose creation or opening was recorded, and backup file B records the program's operations on file A. A reference count (recording the number of times file A is referenced) is also stored in the node.
In association step S11, when the first file is created or opened, if the application has write permission and the first file is opened or created successfully, the path of the first file is stored in a node of the data structure, the first backup file corresponding to the first file is created, the reference count is incremented by 1, and the data structure is added to a monitoring queue. For example, one embodiment is: when file A is created or opened, if the application has write permission and the open or create succeeds, the path of file A is saved in the data structure, the corresponding backup file B is created, and the reference count is incremented by 1. This is one of the important inventive points of the application: the association makes the subsequent extraction of the program's derivatives straightforward.
The operation of recording step S12 is: determine whether the file object being operated on is in the monitoring queue; if so, determine the type of operation. If the operation is a write, write the data into the first file and, once the write completes, record the current process PID, the thread TID, the file pointer before the write, the write length and the written data in the first backup file. If the operation duplicates the file descriptor or re-opens the file, increment the reference count by 1. If the operation closes the file, decrement the reference count by 1; if the reference count reaches 0, remove the node corresponding to the first file from the singly or doubly linked list and release it. As shown in Fig. 1, the method also comprises analysis step S14: determining whether the program is malicious by analysing the program derivatives.
One specific embodiment is as follows. When a write is performed, if the target is file A and the write to A succeeds, the current process PID, the thread TID, the file pointer before the write, the write length and the written data are recorded in backup file B. If a file-descriptor duplication such as dup or dup2, or a repeated open of file A, is encountered, the reference count in the data structure is incremented by 1. If a file-close operation such as close is encountered, the reference count is decremented by 1; when it reaches 0, the node corresponding to A is removed from the list and released. Once all file descriptors of A have been closed, file B holds a record of every write the program made to A, and parsing B restores the content of A at each point in time.
This is one of the important inventive points of the invention: in recording step S12, the backup file associated with the first file records the entire process of operating on the first file, so that in program-derivative extraction step S13 and analysis step S14 the file content before and after every program write, and the order of the writes, can be extracted. The entire content produced during the file operations is thus obtained, rather than merely the final result of the operations.
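The following is an added worked example, not code from the patent or from Xiamen Anscen, implementing steps S11 to S13 as described above for both the method and the apparatus: a monitor that creates a node and backup file B when file A is opened for writing, appends one record per successful write (PID, TID, pre-write file pointer, length, data), adjusts the reference count on dup/dup2 and close, and a replay routine that parses B to rebuild the content of A before and after each write. The record layout, the use of a dict instead of a linked list, the callback names (on_open, on_dup, on_write, on_close) and the sample scenario in demo() are all assumptions of this example; the patent does not specify them. The scenario is the one from the background section: the sample drops a payload and then overwrites it with a hash, so the final file is useless but the journal still yields the payload.

```python
import os
import struct
import tempfile
from dataclasses import dataclass

# Journal record layout chosen for this example (an assumption, not the patent's own
# format): pid, tid, file offset before the write, write length, then the written bytes.
REC_HDR = struct.Struct("<IIQI")


@dataclass
class Node:                 # one monitored file A, its backup file B, and a reference count
    path: str
    backup_path: str
    refcount: int = 0


class SandboxFileMonitor:
    """Association and recording steps. The patent keeps nodes in a singly or doubly
    linked list; a dict keyed by path is used here, which changes none of the logic."""

    def __init__(self, backup_dir: str):
        self.backup_dir = backup_dir
        self.nodes: dict[str, Node] = {}    # the monitoring queue
        self.fd_table: dict[int, str] = {}  # fd -> path, stands in for the process fd table

    def on_open(self, fd: int, path: str, writable: bool) -> None:
        if not writable:                        # only writable, successful opens are monitored
            return
        open(path, "ab").close()                # the create/open of A itself
        node = self.nodes.get(path)
        if node is None:                        # first open: create B and add a node
            backup = os.path.join(self.backup_dir, os.path.basename(path) + ".journal")
            open(backup, "wb").close()
            node = self.nodes[path] = Node(path, backup)
        node.refcount += 1                      # first or repeated open: +1
        self.fd_table[fd] = path

    def on_dup(self, old_fd: int, new_fd: int) -> None:
        path = self.fd_table.get(old_fd)
        if path in self.nodes:                  # dup/dup2: one more descriptor refers to A
            self.nodes[path].refcount += 1
            self.fd_table[new_fd] = path

    def on_write(self, fd: int, pid: int, tid: int, offset: int, data: bytes) -> None:
        path = self.fd_table[fd]
        with open(path, "r+b") as f:            # perform the real write to A first
            f.seek(offset)
            f.write(data)
        node = self.nodes.get(path)
        if node is not None:                    # then journal PID, TID, offset, length, data to B
            with open(node.backup_path, "ab") as b:
                b.write(REC_HDR.pack(pid, tid, offset, len(data)) + data)

    def on_close(self, fd: int) -> None:
        path = self.fd_table.pop(fd, None)
        node = self.nodes.get(path)
        if node is not None:
            node.refcount -= 1                  # close: -1; at 0 release the node, B stays on disk
            if node.refcount == 0:
                del self.nodes[path]


def replay(backup_path: str) -> list[dict]:
    """Extraction step: parse B and rebuild A's content before and after every write, in
    write order. Assumes A started empty (created by the sample); O_TRUNC/ftruncate is not
    journaled by this example and would need its own record type."""
    content, steps = bytearray(), []
    with open(backup_path, "rb") as b:
        while hdr := b.read(REC_HDR.size):
            pid, tid, offset, length = REC_HDR.unpack(hdr)
            data = b.read(length)
            if len(data) != length:
                raise ValueError("truncated journal record")
            before = bytes(content)
            if len(content) < offset + length:  # a write past EOF extends the file
                content.extend(b"\x00" * (offset + length - len(content)))
            content[offset:offset + length] = data
            steps.append({"pid": pid, "tid": tid, "offset": offset,
                          "before": before, "after": bytes(content)})
    return steps


def demo() -> dict:
    """Constructed scenario from the background: the sample drops a payload, uses it, then
    overwrites the file with a hash so the final on-disk file is useless."""
    with tempfile.TemporaryDirectory() as d:
        mon = SandboxFileMonitor(d)
        target = os.path.join(d, "payload.dex")
        mon.on_open(3, target, writable=True)                                 # refcount 1
        mon.on_dup(3, 4)                                                      # refcount 2
        mon.on_write(3, pid=1234, tid=1234, offset=0, data=b"dex\n035\x00" + b"A" * 8)
        mon.on_write(4, pid=1234, tid=1240, offset=0, data=b"d41d8cd98f00b204")
        mon.on_close(3)
        still_monitored = target in mon.nodes                                 # dup'd fd still open
        mon.on_close(4)
        released = target not in mon.nodes                                    # refcount reached 0
        with open(target, "rb") as f:
            final = f.read()
        steps = replay(os.path.join(d, "payload.dex.journal"))
    return {"final": final, "steps": steps,
            "still_monitored_after_first_close": still_monitored,
            "released_after_last_close": released}
```

The reference count is what keeps the journal correct under dup/dup2: closing the original descriptor must not release the node while a duplicate is still open and writing, and the second write in demo() arrives through exactly such a duplicate. A prior-art extractor that copies the file at close time would obtain only the hash; replay() returns the payload as the "after" content of the first step and the hash as the "after" content of the second.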
Fig. 2 shows an apparatus for extracting program derivatives in a sandbox according to the present invention; the apparatus comprises:
Association unit 21: establishing an association between a first file and a first backup file in the sandbox;
Recording unit 22: recording in the first backup file according to the type of operation performed on the first file, and changing the reference count of the first file;
Program-derivative extraction unit 23: parsing the first backup file to restore the file content before and after each program write and the order of the writes, analysing the process by which the program operated on the first file, and obtaining its derivatives.
In association unit 21, establishing the association between the first file and the first backup file in the sandbox consists of creating a data structure in the sandbox, a node of which records the path of the first file, the path of the first backup file and the reference count of the first file; the reference count is also called the reference count value. Typically the data structure is a singly or doubly linked list. The list strings together all the files that need to be monitored in the sandbox (there may be several first files to monitor), which simplifies the subsequent monitoring of file operations.
One specific embodiment is as follows. Create and maintain a doubly or singly linked list, each node of which contains the path of file A (the first file) and the path of backup file B (the first backup file). The list links the different files A together so that data for several files can be recorded. File A is the file whose creation or opening was recorded, and backup file B records the program's operations on file A. A reference count (recording the number of times file A is referenced) is also stored in the node.
In association unit 21, when the first file is created or opened, if the application has write permission and the first file is opened or created successfully, the path of the first file is stored in a node of the data structure, the first backup file corresponding to the first file is created, the reference count is incremented by 1, and the data structure is added to a monitoring queue. For example, one embodiment is: when file A is created or opened, if the application has write permission and the open or create succeeds, the path of file A is saved in the data structure, the corresponding backup file B is created, and the reference count is incremented by 1. This is one of the important inventive points of the application: the association makes the subsequent extraction of the program's derivatives straightforward.
The operation of recording unit 22 is: determine whether the file object being operated on is in the monitoring queue; if so, determine the type of operation. If the operation is a write, write the data into the first file and, once the write completes, record the current process PID, the thread TID, the file pointer before the write, the write length and the written data in the first backup file. If the operation duplicates the file descriptor or re-opens the file, increment the reference count by 1. If the operation closes the file, decrement the reference count by 1; if the reference count reaches 0, remove the node corresponding to the first file from the singly or doubly linked list and release it. As shown in Fig. 2, the apparatus also comprises analysis unit 24: determining whether the program is malicious by analysing the program derivatives.
One specific embodiment is as follows. When a write is performed, if the target is file A and the write to A succeeds, the current process PID, the thread TID, the file pointer before the write, the write length and the written data are recorded in backup file B. If a file-descriptor duplication such as dup or dup2, or a repeated open of file A, is encountered, the reference count in the data structure is incremented by 1. If a file-close operation such as close is encountered, the reference count is decremented by 1; when it reaches 0, the node corresponding to A is removed from the list and released. Once all file descriptors of A have been closed, file B holds a record of every write the program made to A, and parsing B restores the content of A at each point in time.
This is one of the important inventive points of the invention: in recording unit 22, the backup file associated with the first file records the entire process of operating on the first file, so that in program-derivative extraction unit 23 and analysis unit 24 the file content before and after every program write, and the order of the writes, can be extracted. The entire content produced during the file operations is thus obtained, rather than merely the final result of the operations.
The invention also provides equipment for extracting program derivatives in a sandbox. As shown in Fig. 3, the equipment comprises a processor 31 and a memory 32 connected by a bus; the memory 32 stores machine-readable code, and the processor 31 executes the machine-readable code in the memory 32 to perform one of the methods described above.
The invention also provides a computer-readable storage medium on which computer program code is stored; when the computer program code is executed by a computer, one of the methods described above is performed.
For convenience of description, the apparatus above is described in terms of units divided by function. Of course, when the application is implemented, the functions of the units may be realised in the same piece, or in several pieces, of software and/or hardware. In the present invention, the terms client and client-side refer to the same thing, and server-side, server and server end refer to the same thing.
From the description of the embodiments above, those skilled in the art will clearly understand that the application can be realised by software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the application, or the part of it that contributes over the prior art, may be embodied as a software product stored on a storage medium such as ROM/RAM, magnetic disk or optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in the embodiments, or in certain parts of the embodiments, of the application.
Finally, it should be noted that the embodiments above merely illustrate, and do not limit, the technical solution of the invention. Although the invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art will understand that the invention may still be modified or equivalently substituted without departing from its spirit and scope, and that any such modification or equivalent substitution falls within the scope of the claims of the invention.

Claims (14)

1. A method for extracting program derivatives in a sandbox, characterised in that the method comprises:
Association step: establishing an association between a first file and a first backup file in the sandbox;
Recording step: recording in the first backup file according to the type of operation performed on the first file, and changing the reference count of the first file;
Program-derivative extraction step: parsing the first backup file to restore the file content before and after each program write and the order of the writes, analysing the process by which the program operated on the first file, and obtaining its derivatives.
2. The method according to claim 1, characterised in that establishing the association between the first file and the first backup file in the sandbox consists of creating a data structure in the sandbox, a node of which records the path of the first file, the path of the first backup file and the reference count of the first file.
3. The method according to claim 2, characterised in that the data structure is a singly or doubly linked list.
4. The method according to claim 3, characterised in that, in the association step, when the first file is created or opened, if the application has write permission and the first file is opened or created successfully, the path of the first file is stored in a node of the data structure, the first backup file corresponding to the first file is created, the reference count is incremented by 1, and the data structure is added to a monitoring queue.
5. The method according to claim 4, characterised in that the operation of the recording step is:
Determining whether the file object being operated on is in the monitoring queue and, if so, determining the type of operation; if the operation is a write, writing the data into the first file and, once the write completes, recording the current process PID, the thread TID, the file pointer before the write, the write length and the written data in the first backup file; if the operation duplicates the file descriptor or re-opens the file, incrementing the reference count by 1; if the operation closes the file, decrementing the reference count by 1 and, if the reference count is 0, removing the node corresponding to the first file from the singly or doubly linked list and releasing it.
6. The method according to claim 1, characterised in that the method further comprises:
Analysis step: determining whether the program is malicious by analysing the program derivatives.
7. An apparatus for extracting program derivatives in a sandbox, characterised in that the apparatus comprises:
Association unit: establishing an association between a first file and a first backup file in the sandbox;
Recording unit: recording in the first backup file according to the type of operation performed on the first file, and changing the reference count of the first file;
Program-derivative extraction unit: parsing the first backup file to restore the file content before and after each program write and the order of the writes, analysing the process by which the program operated on the first file, and obtaining its derivatives.
8. The apparatus according to claim 7, characterised in that establishing the association between the first file and the first backup file in the sandbox consists of creating a data structure in the sandbox, a node of which records the path of the first file, the path of the first backup file and the reference count of the first file.
9. The apparatus according to claim 8, characterised in that the data structure is a singly or doubly linked list.
10. The apparatus according to claim 9, characterised in that, in the association unit, when the first file is created or opened, if the application has write permission and the first file is opened or created successfully, the path of the first file is stored in a node of the data structure, the first backup file corresponding to the first file is created, the reference count is incremented by 1, and the data structure is added to a monitoring queue.
11. The apparatus according to claim 10, characterised in that the operation performed by the recording unit is:
Determining whether the file object being operated on is in the monitoring queue and, if so, determining the type of operation; if the operation is a write, writing the data into the first file and, once the write completes, recording the current process PID, the thread TID, the file pointer before the write, the write length and the written data in the first backup file; if the operation duplicates the file descriptor or re-opens the file, incrementing the reference count by 1; if the operation closes the file, decrementing the reference count by 1 and, if the reference count is 0, removing the node corresponding to the first file from the singly or doubly linked list and releasing it.
12. The apparatus according to claim 7, characterised in that the apparatus further comprises:
Analysis unit: determining whether the program is malicious by analysing the program derivatives.
13. Equipment for extracting program derivatives in a sandbox, characterised in that the equipment comprises a processor and a memory connected by a bus, the memory storing machine-readable code which the processor executes in order to perform the method of any one of claims 1 to 6.
14. A computer-readable storage medium, characterised in that computer program code is stored on the storage medium and, when the computer program code is executed by a computer, the method of any one of claims 1 to 6 is performed.
CN201810567953.4A 2018-06-05 2018-06-05 Method, device and equipment for extracting program derivative in sandbox and readable medium Active CN108717509B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810567953.4A CN108717509B (en) 2018-06-05 2018-06-05 Method, device and equipment for extracting program derivative in sandbox and readable medium

Publications (2)

Publication Number Publication Date
CN108717509A true CN108717509A (en) 2018-10-30
CN108717509B CN108717509B (en) 2020-06-23

Family

ID=63911660

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810567953.4A Active CN108717509B (en) 2018-06-05 2018-06-05 Method, device and equipment for extracting program derivative in sandbox and readable medium

Country Status (1)

Country Link
CN (1) CN108717509B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1368683A (en) * 2001-02-02 2002-09-11 英业达股份有限公司 Fault-tolerant method by means of synchronous directory
WO2006021033A8 (en) * 2004-08-23 2007-01-04 Audio Read Pty Ltd A system for disseminating data
CN101989322A (en) * 2010-11-19 2011-03-23 北京安天电子设备有限公司 Method and system for automatically extracting memory features of malicious code
CN102521306A (en) * 2011-12-01 2012-06-27 苏州迈科网络安全技术股份有限公司 Application method for data storage system
CN103268281A (en) * 2013-05-07 2013-08-28 北京天广汇通科技有限公司 Method and system for detecting vulnerability of source codes
US8677491B2 (en) * 2010-02-04 2014-03-18 F-Secure Oyj Malware detection
CN104811453A (en) * 2012-09-29 2015-07-29 北京奇虎科技有限公司 Active defense method and device
CN106127052A (en) * 2016-06-30 2016-11-16 北京奇虎科技有限公司 The recognition methods of rogue program and device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110414220A (en) * 2019-06-28 2019-11-05 奇安信科技集团股份有限公司 Method and device for extracting operation files in dynamic execution process of program in sandbox
CN110414220B (en) * 2019-06-28 2021-08-24 奇安信科技集团股份有限公司 Method and device for extracting operation files in dynamic execution process of program in sandbox

Also Published As

Publication number Publication date
CN108717509B (en) 2020-06-23

Similar Documents

Publication Publication Date Title
US20190114436A1 (en) Method for automatically detecting security vulnerability based on hybrid fuzzing, and apparatus thereof
US10120783B2 (en) Determining test case efficiency
US10235236B1 (en) Methods and apparatus for remediation workflow
CN109388556B (en) Method and device for analyzing test process
CN107239457A (en) Data archiving method and device
KR102011726B1 (en) Method and apparatus for extracting specific dynamic generated file
NL2026782B1 (en) Method and system for determining affiliation of software to software families
CN103246566B (en) The resource monitoring method and device of application program
US10929258B1 (en) Method and system for model-based event-driven anomalous behavior detection
Pooe et al. A conceptual model for digital forensic readiness
US20140067360A1 (en) System And Method For On-Demand Simulation Based Learning For Automation Framework
Dweikat et al. Digital Forensic Tools Used in Analyzing Cybercrime
CN114090406A (en) Electric power Internet of things equipment behavior safety detection method, system, equipment and storage medium
CN108717509A (en) A kind of method, apparatus, equipment and the readable medium of the extraction procedure derivative in sandbox
CN103164649A (en) Process behavior analysis method and system
CN105207831A (en) Detection method and apparatus for operation event
CN114357445A (en) Method, device and storage medium for identifying terminal side attack path
CN106649102A (en) Graphical interface program testing log record and replay method based on hook function
CN105374131A (en) Method and device for automatic testing
von der Assen et al. SecBox: A lightweight container-based sandbox for dynamic malware analysis
CN112953948A (en) Real-time network transverse worm attack flow detection method and device
US20140298002A1 (en) Method and device for identifying a disk boot sector virus, and storage medium
CN102982288B (en) The encryption of data and the equipment of deciphering and method is performed in portable terminal
CN105738737B (en) A kind of failure wave-recording method
CN110414220A (en) Method and device for extracting operation files in dynamic execution process of program in sandbox

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant