CN109684827A - Sandbox reports filter method and device - Google Patents

Sandbox reports filter method and device

Info

Publication number
CN109684827A
Authority
CN
China
Prior art keywords
information
sample file
analysis report
file
running
Prior art date
Legal status
Pending
Application number
CN201810209007.2A
Other languages
Chinese (zh)
Inventor
杨晋
Current Assignee
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd
Priority date
2018-03-14
Filing date
2018-03-14
Publication date
2019-04-26
Application filed by Beijing ThreatBook Technology Co Ltd
Priority to CN201810209007.2A
Publication of CN109684827A
Legal status: Pending

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The present invention provides a sandbox report filtering method and device. The method comprises the following steps: running a sample file in a preset operating environment; obtaining first information generated while the sample file runs; filtering the first information according to preset criteria to form second information; and forming an analysis report from the second information. The present invention solves the problem of the prior art, which can miss some of the operating system's own network information and can also mistakenly intercept some of the sample's own network information.

Description

Sandbox reports filter method and device
Technical field
The present invention relates to the field of malware analysis, and in particular to a sandbox report filtering method and device.
Background technique
A sandbox system is an automated malware analysis system. It is currently used mainly to analyse malware on the Windows platform, but its framework also supports Linux and Mac OS. It can trace all processes of a malicious program and the Win32 API calls they make; detect file creation, deletion and downloads by the malware; obtain a memory image of the malicious process; obtain a full system memory image that other tools can analyse further; capture network data in pcap format; and capture screenshots while the malware runs.
The working principle of a sandbox system is as follows. When a sample file is submitted to the sandbox system, the sandbox system first starts a real, pre-configured Windows system environment in a software virtual machine, then places the sample file in it and lets it run. While the sample file runs, the sandbox system uses various pre-arranged system probes to obtain all kinds of operation information about the sample file. When the analysis ends, the sandbox system collects this information and arranges it into a readable analysis report. Finally, the analysis report can be stored.
The network information generated by the sandbox system while analysing a sample file includes both the network information generated by the operating system used by the sandbox system itself and the network information generated by the sample file at runtime. These two parts of network information are usually mixed together and are stored in the original analysis report. The network information generated by the operating system used by the sandbox system interferes with subsequent analysis work. The prior art usually uses technical means to intercept, as far as possible, the behaviour information of the operating system itself during the execution of the sample file, so that this part of the operating system's own behaviour information is not written into the analysis report. This is difficult to implement and the result is poor: it usually misses some of the operating system's own network information and also mistakenly intercepts some of the sample's own network information.
Summary of the invention
In view of the above technical problem, the present invention provides a sandbox report filtering method and device, comprising the following steps:
A sandbox report filtering method comprising:
Running a sample file in a preset operating environment;
Obtaining first information generated while the sample file runs;
Filtering the first information according to preset criteria to form second information;
Forming an analysis report from the second information.
In a preferred embodiment, before running the sample file in the preset operating environment, the method further includes:
Obtaining the sample file.
In a preferred embodiment, obtaining the first information generated while the sample file runs includes at least one of the following:
Obtaining the API call records, screenshot records and network data records generated while the sample file runs;
Detecting the file deletion records, file creation records and download records produced while the sample file runs;
Obtaining a memory image of the sample file;
Obtaining a full system memory image taken while the sample file runs.
In a preferred embodiment, filtering the first information according to preset criteria to form the second information includes:
Obtaining the behaviour information produced while the sample file runs;
Filtering out the network behaviour information in that behaviour information which is due to the operating system itself;
Forming the second information from the retained network behaviour information generated by the sample file.
In a preferred embodiment, the method further includes:
Storing the analysis report when a preset condition is met.
In a preferred embodiment, storing the analysis report when a preset condition is met includes:
Judging whether the capacity of the analysis report is less than a preset threshold;
If so, storing the analysis report.
In a preferred embodiment, when the capacity of the analysis report is greater than the preset threshold, the useless data in it is deleted and it is stored again.
An embodiment of the present invention also provides a sandbox report filtering device comprising:
A processor configured to run a sample file in a preset operating environment and obtain the first information generated while the sample file runs; to filter the first information according to preset criteria to form second information; and to form an analysis report from the second information.
In a preferred embodiment, the processor is further configured to run the sample file in the preset operating environment and obtain the first information generated while the sample file runs; and to filter the first information according to preset criteria to form the second information and form the analysis report from the second information.
In a preferred embodiment, the processor being further configured to obtain the first information generated while the sample file runs includes at least one of the following:
Obtaining the API call records, screenshot records and network data records generated while the sample file runs;
Detecting the file deletion records, file creation records and download records produced while the sample file runs;
Obtaining a memory image of the sample file;
Obtaining a full system memory image taken while the sample file runs.
With the embodiments of the present invention, when the virtual machine Windows operating system started by the sandbox system is used to analyse a sample file, the behaviour of the operating system itself is filtered out, so that the junk data generated by the sandbox system's virtual machine Windows operating system during analysis of the sample file is deleted. This solves the problem of the prior art, which can miss some of the operating system's own network information and can also mistakenly intercept some of the sample's own network information.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the sandbox report filtering method in an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the sandbox report filtering device in an embodiment of the present invention.
Detailed description
Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings, but they are not to be taken as limiting the invention.
It should be understood that various modifications can be made to the disclosed embodiments. Therefore, the above description should not be regarded as limiting, but only as examples of embodiments. Those skilled in the art will envisage other modifications within the scope and spirit of the present invention.
The accompanying drawings, which are included in and form part of the description, illustrate embodiments of the disclosure and, together with the general description given above and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.
These and other characteristics of the invention will become apparent from the following description of preferred embodiments, given as non-limiting examples with reference to the accompanying drawings.
It should also be understood that although the invention has been described with reference to some specific examples, those skilled in the art can certainly realise many other equivalents of the invention which have the features set out in the claims and therefore all fall within the scope of protection defined thereby.
The above and other aspects, features and advantages of the disclosure will become more readily apparent in view of the following detailed description when read in conjunction with the accompanying drawings.
Specific embodiments of the disclosure are described below with reference to the drawings; it should be understood, however, that the disclosed embodiments are merely examples of the disclosure, which can be implemented in various ways. Known and/or repeated functions and structures are not described in detail, to avoid obscuring the disclosure with unnecessary or redundant detail. Therefore, the specific structural and functional details disclosed herein are not intended to be limiting, but merely serve as a basis for the claims and as a representative basis for teaching those skilled in the art to use the disclosure in various ways with substantially any appropriate detailed structure.
This specification may use the phrases "in one embodiment", "in another embodiment", "in yet another embodiment" or "in other embodiments", each of which may refer to one or more of the same or different embodiments according to the disclosure.
The embodiments of the present invention are described in detail below with reference to the drawings. An embodiment of the present invention provides a sandbox report filtering method. A sandbox system generates network information while analysing a sample file; this includes both the network information generated by the operating system used by the sandbox system and the network information generated by the sample file at runtime. These two parts of network information are usually mixed together. With the embodiment of the present invention, the unwanted network behaviour information of the operating system can be removed from the collected network behaviour information, and only the network behaviour information generated by the sample file is retained. This guarantees the validity of the analysis report while deleting the junk data in it.
Fig. 1 is a schematic flow chart of the sandbox report filtering method in an embodiment of the present invention, which may include:
Running a sample file in a preset operating environment;
Obtaining first information generated while the sample file runs;
Filtering the first information according to preset criteria to form second information;
Forming an analysis report from the second information.
In the embodiment of the present invention, the sample file can be any program file, such as a test program or another program file; running it in the sandbox yields an analysis report for that file. Specifically, after obtaining the sample file, the sandbox runs it in the corresponding preset operating environment. For example, the preset operating environment in the embodiment of the present invention can be a Windows operating environment, or an Android, Linux or Mac OS environment, etc.; this is not a limitation of the embodiment, and any operating environment may be used. In addition, before running the sample file in the preset operating environment, the method may also include obtaining the sample file. The sample file may be obtained from another device and may carry a file-type identifier; the operating environment the sample file is suited to can be determined from that identifier, and the corresponding operating environment is then selected to run the sample file.
In addition, while the sample file runs, the network information generated by running it, i.e. the first information, can be obtained. This process may include at least one of: obtaining the API call records, screenshot records and network data records generated while the sample file runs; detecting the file deletion records, file creation records and download records produced while the sample file runs; obtaining a memory image of the sample file; and obtaining a full system memory image taken while the sample file runs.
After obtaining the first information, the embodiment of the present invention filters it and retains the useful information in it, i.e. the network data generated by the sample file. Specifically, the embodiment filters the first information according to preset criteria to form the second information, which may include:
Obtaining the behaviour information produced while the sample file runs;
Filtering out the network behaviour information in that behaviour information which is due to the operating system itself;
Forming the second information from the retained network behaviour information generated by the sample file.
Since the sandbox system generates network information while analysing the sample file, which includes both the network information generated by the operating system used by the sandbox system and the network information generated by the sample file at runtime, and these two parts are usually mixed together, the embodiment of the present invention removes the unwanted network behaviour information of the operating system from the collected network behaviour information and retains only the network behaviour information generated by the sample file, to generate the second information. The analysis report can then be generated from the second information. After the analysis report is formed, the embodiment of the present invention can also store it; for example, the analysis report can be stored when a preset condition is met, which may include:
Judging whether the capacity of the analysis report is less than a preset threshold;
If so, storing the analysis report.
In the embodiment of the present invention, in order to guarantee the utilisation rate of the storage space, analysis reports whose capacity is below the preset threshold can be stored; for example, the preset threshold can be a value in the range of 40-100 MB.
In addition, when the capacity of the analysis report is greater than the preset threshold, the useless data in it is deleted and it is stored again. Alternatively, the analysis report is compressed before being stored, which ensures the validity of storage.
For example, the format of a complete "original analysis report" is as follows:
Basic information
Signatures information
Target information
Virustotal information
Network information (the present invention mainly processes this part of the information)
Behavior information
Metadata information
Strings information
When a sandbox dynamic analysis system uses a virtual machine to analyse an executable file, the virtual machine's Windows operating system itself generates some network access information. This network information generated by the operating system itself is also stored in the original analysis report, and can be called the "background clutter" of the operating system. When the original analysis report is processed next, this "background clutter" is deleted and only the information related to the analysed sample is retained. In this way, when the analysis report of a sample file is used later, the operating system's own operations need not be considered; only the data in the report needs to be analysed.
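The following Python example is added here for illustration; it is not code from the patent or from ThreatBook. It models the filtering step and the storage rule described above: a constructed original report with the listed sections, a filter that separates the sample's network behaviour (the "second information") from the operating system's "background clutter", and a storage function that checks the report size against a threshold and deletes useless data or compresses the report when it is too large. The patent does not say how operating-system traffic is told apart from sample traffic; the example's assumptions are its own: each network event carries the PID of the process that produced it, the sandbox records the PID it launched the sample with, a baseline of (protocol, destination) pairs was captured earlier from an idle analysis VM, and the "strings" section is what counts as useless data. All sample values are constructed.

```python
import gzip
import json

# Constructed "original analysis report" with hypothetical values, using the
# section names the description lists. Only the network section is filtered.
ORIGINAL_REPORT = {
    "info": {"id": 1, "duration": 120},
    "signatures": [{"name": "creates_exe", "severity": 2}],
    "target": {"file": {"name": "sample.exe", "sha256": "<placeholder-sha256>"}},
    "virustotal": {"positives": 0},
    "network": [
        # OS background clutter: Windows time sync issued by svchost.exe
        {"proto": "dns", "dst": "time.windows.com", "pid": 4, "process": "svchost.exe"},
        # the sample's own traffic
        {"proto": "dns", "dst": "example.invalid", "pid": 1460, "process": "sample.exe"},
        {"proto": "tcp", "dst": "198.51.100.7:8080", "pid": 1460, "process": "sample.exe"},
        # a child process spawned by the sample
        {"proto": "tcp", "dst": "198.51.100.9:443", "pid": 1500, "process": "cmd.exe"},
        # the sample contacts a destination that also appears in the OS baseline:
        # process attribution must keep it (the prior-art failure mode)
        {"proto": "dns", "dst": "time.windows.com", "pid": 1460, "process": "sample.exe"},
        # pcap-only flows with no process attribution
        {"proto": "udp", "dst": "224.0.0.252:5355", "pid": None, "process": None},
        {"proto": "tcp", "dst": "203.0.113.5:4444", "pid": None, "process": None},
    ],
    "behavior": {
        "processes": [
            {"pid": 1460, "ppid": 900, "name": "sample.exe"},
            {"pid": 1500, "ppid": 1460, "name": "cmd.exe"},
            {"pid": 4, "ppid": 0, "name": "svchost.exe"},
        ]
    },
    "metadata": {"analysis_vm": "win7-x64"},
    "strings": ["kernel32.dll", "http://198.51.100.7:8080/p", "x" * 200],
}

# Constructed baseline (assumption): (proto, dst) pairs observed on an idle
# analysis VM with no sample running, collected beforehand by the operator.
BASELINE_CLUTTER = {
    ("dns", "time.windows.com"),
    ("udp", "224.0.0.252:5355"),  # LLMNR name resolution
}

SAMPLE_ROOT_PID = 1460  # assumption: the sandbox records the PID it launched


def sample_process_tree(report, root_pid):
    """Return the set of PIDs that are the sample process or its descendants."""
    procs = report["behavior"]["processes"]
    tree = {root_pid}
    changed = True
    while changed:  # follow ppid links until no new descendant is found
        changed = False
        for p in procs:
            if p["ppid"] in tree and p["pid"] not in tree:
                tree.add(p["pid"])
                changed = True
    return tree


def is_os_clutter(event, sample_pids, baseline):
    """True when a network event belongs to the operating system itself.

    Process attribution takes precedence over the destination baseline, so the
    sample's own traffic is never dropped just because the destination also
    shows up in OS background traffic. Unattributed flows fall back to the
    baseline."""
    pid = event.get("pid")
    if pid is not None:
        return pid not in sample_pids
    return (event["proto"], event["dst"]) in baseline


def filter_network(report, root_pid, baseline):
    """Split the first information into kept (second information) and removed."""
    sample_pids = sample_process_tree(report, root_pid)
    kept, removed = [], []
    for ev in report["network"]:
        (removed if is_os_clutter(ev, sample_pids, baseline) else kept).append(ev)
    return kept, removed


def build_analysis_report(report, root_pid, baseline):
    """Form the analysis report from the second information; other sections are
    kept unchanged and the amount of removed clutter is recorded in 'info'."""
    kept, removed = filter_network(report, root_pid, baseline)
    out = dict(report)
    out["network"] = kept
    out["info"] = dict(report["info"], os_clutter_removed=len(removed))
    return out


def report_size(report):
    """Capacity of the report as it would be written to disk (UTF-8 JSON)."""
    return len(json.dumps(report, sort_keys=True).encode("utf-8"))


def store_report(report, threshold_bytes, useless_sections=("strings",)):
    """Storage rule: store as-is below the threshold; otherwise delete the
    useless sections and, if the report is still too large, gzip-compress it.
    Returns (payload_bytes, action)."""
    if report_size(report) < threshold_bytes:
        return json.dumps(report, sort_keys=True).encode("utf-8"), "stored"
    slim = {k: v for k, v in report.items() if k not in useless_sections}
    raw = json.dumps(slim, sort_keys=True).encode("utf-8")
    if len(raw) < threshold_bytes:
        return raw, "stored_after_cleanup"
    return gzip.compress(raw), "stored_compressed"


if __name__ == "__main__":
    final = build_analysis_report(ORIGINAL_REPORT, SAMPLE_ROOT_PID, BASELINE_CLUTTER)
    for ev in final["network"]:
        print(ev["proto"], ev["dst"], ev["process"])
    payload, action = store_report(final, threshold_bytes=40 * 1024 * 1024)
    print(action, len(payload))
```

Run as a script, the example keeps the four events attributed to the sample's process tree plus the unattributed flow that is absent from the baseline, and drops the svchost.exe time-sync lookup and the LLMNR flow. Attribution by process tree is what prevents the two prior-art failures the description names: the sample's own lookup of time.windows.com survives, and the svchost.exe lookup of the same name does not.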
Based on the above configuration of the embodiment of the present invention, when the virtual machine Windows operating system started by the sandbox system is used to analyse a sample file, the behaviour of the operating system itself is filtered out, so that the junk data generated by the sandbox system's virtual machine Windows operating system during analysis of the sample file is deleted. This solves the problem of the prior art, which can miss some of the operating system's own network information and can also mistakenly intercept some of the sample's own network information.
In addition, Fig. 2 is a schematic structural diagram of the sandbox report filtering device in an embodiment of the present invention, which may include a processor 1 and a memory 2.
The processor 1 can be configured to run a sample file in a preset operating environment and obtain the first information generated while the sample file runs; to filter the first information according to preset criteria to form the second information; and to form an analysis report from the second information.
In the embodiment of the present invention, the sample file can be any program file, such as a test program or another program file; running it in the sandbox yields an analysis report for that file. Specifically, after the sandbox obtains the sample file, the processor 1 runs it in the corresponding preset operating environment. For example, the preset operating environment in the embodiment of the present invention can be a Windows operating environment, or an Android, Linux or Mac OS environment, etc.; this is not a limitation of the embodiment, and any operating environment may be used. In addition, before running the sample file in the preset operating environment, the method may also include obtaining the sample file. The sample file may be obtained from another device and may carry a file-type identifier; the operating environment the sample file is suited to can be determined from that identifier, and the corresponding operating environment is then selected to run the sample file.
In addition, while the sample file runs, the processor 1 can obtain the network information generated by running it, i.e. the first information. This process may include at least one of: obtaining the API call records, screenshot records and network data records generated while the sample file runs; detecting the file deletion records, file creation records and download records produced while the sample file runs; obtaining a memory image of the sample file; and obtaining a full system memory image taken while the sample file runs.
After obtaining the first information, the processor 1 in the embodiment of the present invention filters it and retains the useful information in it, i.e. the network data generated by the sample file. Specifically, the processor 1 filters the first information according to preset criteria to form the second information, which may include:
Obtaining the behaviour information produced while the sample file runs;
Filtering out the network behaviour information in that behaviour information which is due to the operating system itself;
Forming the second information from the retained network behaviour information generated by the sample file.
Since the sandbox system generates network information while analysing the sample file, which includes both the network information generated by the operating system used by the sandbox system and the network information generated by the sample file at runtime, and these two parts are usually mixed together, the embodiment of the present invention removes the unwanted network behaviour information of the operating system from the collected network behaviour information and retains only the network behaviour information generated by the sample file, to generate the second information. The analysis report can then be generated from the second information.
After the analysis report is formed, the embodiment of the present invention can also store it; for example, the analysis report can be stored when a preset condition is met, which may include:
The processor 1 judges whether the capacity of the analysis report is less than the preset threshold; if so, the analysis report is stored through the memory 2.
In the embodiment of the present invention, in order to guarantee the utilisation rate of the storage space, analysis reports whose capacity is below the preset threshold can be stored; for example, the preset threshold can be a value in the range of 40-100 MB.
In addition, when the capacity of the analysis report is greater than the preset threshold, the useless data in it is deleted and it is stored again. Alternatively, the analysis report is compressed before being stored, which ensures the validity of storage.
Based on the above configuration of the embodiment of the present invention, when the virtual machine Windows operating system started by the sandbox system is used to analyse a sample file, the behaviour of the operating system itself is filtered out, so that the junk data generated by the sandbox system's virtual machine Windows operating system during analysis of the sample file is deleted. This solves the problem of the prior art, which can miss some of the operating system's own network information and can also mistakenly intercept some of the sample's own network information.
With the present invention, when the virtual machine Windows operating system started by the sandbox system is used to analyse a sample file, the behaviour of the operating system itself is filtered out, so that the junk data generated by the virtual machine Windows operating system during the sandbox system's analysis of the sample file is deleted. After a sample has been analysed in the virtual machine Windows system, its network behaviour information is processed.
The above embodiments are only exemplary embodiments of the present invention and are not intended to limit it; the scope of protection of the present invention is defined by the claims. Those skilled in the art can make various modifications or equivalent replacements to the present invention within its spirit and scope, and such modifications or equivalent replacements should also be regarded as falling within the scope of the present invention.

Claims (10)

1. A sandbox report filtering method, characterised by comprising:
Running a sample file in a preset operating environment;
Obtaining first information generated while the sample file runs;
Filtering the first information according to preset criteria to form second information;
Forming an analysis report from the second information.
2. The method according to claim 1, wherein, before running the sample file in the preset operating environment, the method further includes:
Obtaining the sample file.
3. The method according to claim 1, wherein obtaining the first information generated while the sample file runs includes at least one of the following:
Obtaining the API call records, screenshot records and network data records generated while the sample file runs;
Detecting the file deletion records, file creation records and download records produced while the sample file runs;
Obtaining a memory image of the sample file;
Obtaining a full system memory image taken while the sample file runs.
4. The method according to claim 1, wherein filtering the first information according to preset criteria to form the second information includes:
Obtaining the behaviour information produced while the sample file runs;
Filtering out the network behaviour information in that behaviour information which is due to the operating system itself;
Forming the second information from the retained network behaviour information generated by the sample file.
5. The method according to claim 1, wherein the method further includes:
Storing the analysis report when a preset condition is met.
6. The method according to claim 5, wherein storing the analysis report when a preset condition is met includes:
Judging whether the capacity of the analysis report is less than a preset threshold;
If so, storing the analysis report.
7. The method according to claim 6, wherein, when the capacity of the analysis report is greater than the preset threshold, the useless data in it is deleted and it is stored again.
8. A sandbox report filtering device comprising:
A processor configured to run a sample file in a preset operating environment and obtain the first information generated while the sample file runs; to filter the first information according to preset criteria to form second information; and to form an analysis report from the second information.
9. The device according to claim 8, wherein the processor is further configured to run the sample file in the preset operating environment and obtain the first information generated while the sample file runs; and to filter the first information according to preset criteria to form the second information and form the analysis report from the second information.
10. The device according to claim 8, wherein the processor being further configured to obtain the first information generated while the sample file runs includes at least one of the following:
Obtaining the API call records, screenshot records and network data records generated while the sample file runs;
Detecting the file deletion records, file creation records and download records produced while the sample file runs;
Obtaining a memory image of the sample file;
Obtaining a full system memory image taken while the sample file runs.
CN201810209007.2A 2018-03-14 2018-03-14 Sandbox reports filter method and device Pending CN109684827A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810209007.2A CN109684827A (en) 2018-03-14 2018-03-14 Sandbox reports filter method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810209007.2A CN109684827A (en) 2018-03-14 2018-03-14 Sandbox reports filter method and device

Publications (1)

Publication Number Publication Date
CN109684827A true CN109684827A (en) 2019-04-26

Family

ID=66184408

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810209007.2A Pending CN109684827A (en) 2018-03-14 2018-03-14 Sandbox reports filter method and device

Country Status (1)

Country Link
CN (1) CN109684827A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8490086B1 (en) * 2009-06-30 2013-07-16 Symantec Corporation Filtering I/O communication of guest OS by inserting filter layer between hypervisor and VM and between hypervisor and devices
CN103714137A (en) * 2013-12-19 2014-04-09 大唐移动通信设备有限公司 Method and system for deleting data files
CN103824069A (en) * 2014-03-19 2014-05-28 北京邮电大学 Intrusion detection method based on multi-host-log correlation
CN107729751A (en) * 2016-08-12 2018-02-23 阿里巴巴集团控股有限公司 data detection method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张俊 (Zhang Jun): "Research on forensic analysis methods for malware", Journal of Hubei University of Police *

Legal Events

Date Code Title Description
PB01 Publication (Application publication date: 2019-04-26)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication