CN109885455A - Data processing method and electronic device based on a sandbox system - Google Patents


Publication number
CN109885455A
Authority
CN
China
Prior art keywords
data
api
report
target data
brief
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910127166.2A
Other languages
Chinese (zh)
Inventor
杨晋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd
Application filed by Beijing ThreatBook Technology Co Ltd


Abstract

The invention discloses a data processing method and an electronic device based on a sandbox system. The method comprises: obtaining the initial report data that the sandbox system generates for a sample; determining multiple APIs associated with the sample, and obtaining the target data units associated with those APIs in the initial report data, where the APIs are APIs of the operating system simulated by the sandbox system; and trimming each target data unit according to a first filtering rule to form a brief data report, where the first filtering rule includes performing, for each different target data unit, the filtering sub-operation corresponding to it. The method effectively condenses the initial report data generated by the sandbox system while ensuring that the important report data in it are not lost, and so saves storage space without affecting the quality of the generated report.

Description

Data processing method and electronic device based on a sandbox system
Technical field
The present invention relates to the field of data processing, and in particular to a data processing method and an electronic device based on a sandbox system.
Background
A sandbox system is an automated malware analysis system: it automatically analyzes an object (a sample) and produces a report on it. When analyzing some samples, however, a sandbox system generates a very large analysis report, and its sheer size makes it costly to store. For example, some samples scan every file on the computer when they run; the sandbox system then records information about all of those files, which produces a very large analysis report. The analysis reports generated for most samples fall in the 3-10 MB range, but samples like the one in this example usually produce analysis reports of 200-500 MB, which occupy a large amount of storage and accelerate the consumption of storage space.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a data processing method and an electronic device based on a sandbox system. The method effectively condenses the initial report data generated by the sandbox system while ensuring that the important report data in it are not lost, and so saves storage space without affecting the quality of the generated report.
To solve the above technical problem, the embodiments of the present invention adopt the following technical solution: a data processing method based on a sandbox system, comprising:
obtaining the initial report data that the sandbox system generates for a sample;
determining multiple APIs associated with the sample, and obtaining the target data units associated with those APIs in the initial report data, where the APIs are APIs of the operating system simulated by the sandbox system;
trimming each target data unit according to a first filtering rule to form a brief data report, where the first filtering rule includes performing, for each different target data unit, the filtering sub-operation corresponding to it.
Preferably, trimming each target data unit according to the first filtering rule comprises:
analyzing the target data unit and, when critical data are found, protecting the critical data so that they are not trimmed, where the critical data are the related records made when the API collects sensitive system information.
Preferably, the method further comprises:
placing the critical data that were found in cold storage, so that the critical data are saved offline;
placing the initial report data in cold storage, so that the initial report data are backed up.
Preferably, trimming each target data unit according to the first filtering rule comprises:
protecting the first target data unit associated with a first-type API, so that none of the data in the first target data unit are trimmed;
trimming the second target data unit associated with a second-type API according to the first filtering rule, so that the data other than the core data of the second target data unit are removed, where the weight of the first target data is greater than the weight of the second target data.
Preferably, the method further comprises:
analyzing the size of the brief data report and, when the size of the brief data report exceeds a preset size range, further trimming, according to a second filtering rule, the target data units in the brief data report that have already been trimmed, to obtain a brief data report that meets the preset size range.
Preferably, the method further comprises:
obtaining the specific operations that the sandbox system performs when analyzing the sample, and trimming away the data associated with those specific operations.
The embodiments of the present application also provide an electronic device, comprising:
an acquisition module, configured to obtain the initial report data that the sandbox system generates for a sample, determine multiple APIs associated with the sample, and obtain the target data units associated with those APIs in the initial report data, where the APIs are APIs of the operating system simulated by the sandbox system;
a processing module, configured to trim each target data unit according to a first filtering rule to form a brief data report, where the first filtering rule includes performing, for each different target data unit, the filtering sub-operation corresponding to it.
Preferably, the processing module is further configured to:
analyze the target data unit and, when critical data are found, protect the critical data so that they are not trimmed, where the critical data are the related records made when the API collects sensitive system information.
Preferably, the processing module is further configured to:
protect the first target data unit associated with a first-type API, so that none of the data in the first target data unit are trimmed;
trim the second target data unit associated with a second-type API according to the first filtering rule, so that the data other than the core data of the second target data unit are removed, where the weight of the first target data is greater than the weight of the second target data.
Preferably, the processing module is further configured to:
analyze the size of the brief data report and, when the size of the brief data report exceeds a preset size range, further trim, according to a second filtering rule, the target data units in the brief data report that have already been trimmed, to obtain a brief data report that meets the preset size range.
The beneficial effect of the embodiments of the present invention is that the method effectively condenses the initial report data generated by the sandbox system while ensuring that the important report data in it are not lost, and so saves storage space without affecting the quality of the generated report.
Brief description of the drawings
Fig. 1 is a flowchart of the data processing method based on a sandbox system of an embodiment of the present invention;
Fig. 2 is a flowchart of one embodiment of the data processing method of an embodiment of the present invention;
Fig. 3 is a flowchart of step S3 in Fig. 1 of an embodiment of the present invention;
Fig. 4 is a structural block diagram of the electronic device of an embodiment of the present invention.
Detailed description
Various aspects and features of the invention are described herein with reference to the accompanying drawings.
It should be understood that various modifications can be made to the embodiments disclosed herein. The description above should therefore not be regarded as limiting, but merely as examples of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the invention.
The accompanying drawings, which are incorporated in and form part of the specification, illustrate embodiments of the invention and, together with the general description given above and the detailed description of the embodiments given below, serve to explain the principles of the invention.
These and other characteristics of the invention will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the accompanying drawings.
It should also be understood that, although the invention has been described with reference to some specific examples, those skilled in the art will certainly be able to realize many other equivalent forms of the invention that have the features set out in the claims and therefore all fall within the scope of protection defined thereby.
The above and other aspects, features and advantages of the invention will become more apparent from the following detailed description when read in conjunction with the accompanying drawings.
Specific embodiments of the invention are described below with reference to the accompanying drawings; it should be understood, however, that the disclosed embodiments are merely examples of the invention, which can be implemented in various ways. Well-known and/or repeated functions and structures are not described in detail, to avoid obscuring the invention with unnecessary or redundant detail. The specific structural and functional details disclosed herein are therefore not intended to be limiting, but serve only as a basis for the claims and as a representative basis for teaching those skilled in the art to employ the invention in virtually any appropriately detailed structure.
This specification may use the phrases "in one embodiment", "in another embodiment", "in yet another embodiment" or "in other embodiments", each of which may refer to one or more of the same or different embodiments of the invention.
Before the data processing method based on a sandbox system of the embodiment is described, the sandbox system itself is explained. A sandbox system is an automated malware analysis system that automatically analyzes an object (a sample) and produces a report on it. For example, a sandbox system can automatically obtain the following data: 1. records of the API calls (such as Win32 API calls) made by the malware process and by all processes it spawns; 2. information on the files the malware creates, deletes and downloads; 3. a memory image of the malware process; 4. a full memory image of the system, for further analysis with other tools; 5. network traffic captured in pcap format; 6. screenshots taken while the malware runs. A sandbox system works as follows: when a sample file is submitted, the sandbox system first uses virtual machine software to start a preconfigured system environment (such as the Windows environment of a computer), then places the sample file in it and lets it run. While the sample file runs, the sandbox system uses various system probes deployed in advance to obtain information about the sample file's behavior. When the analysis ends, the sandbox system collects this information and organizes it into a readable analysis report.
As shown in Fig. 1, the data processing method based on a sandbox system comprises the following steps:
S1: obtain the initial report data that the sandbox system generates for a sample. The sample may be a malicious program, test software or some other program. After analyzing the sample, the sandbox system generates initial report data, which include the analysis data of the sample (including information on its identity and function) and the system data related to the sample on the electronic device simulated by the sandbox system, such as system files, system directories and user documents. Once the initial report data generated for the sample have been obtained, a trimming operation can be applied to them; the trimming operation can remove part or all of the data, and can of course also retain data depending on the actual situation.
S2: determine the multiple APIs associated with the sample, and obtain the target data units associated with those APIs in the initial report data, where the APIs are APIs of the operating system simulated by the sandbox system. An API (Application Programming Interface) is a set of predefined functions whose purpose is to give applications and developers access to a group of routines of some software or hardware without having to access the source code or understand the details of the internal working mechanism. The APIs in this embodiment are those of the operating system simulated by the sandbox system (the simulated operating system can be the same as the operating system used in the real environment); they are the APIs related to the sample's own process and to the other processes the sample spawns. For instance, a process of the sample can call system data through an API. Each API is associated with a corresponding target data unit, meaning that the sample can obtain that target data unit through the API. For example, the first API is _api_NtReadFile, through which the sample can obtain the operating system's system files; the second API is _api_NtWriteFile, through which the sample can obtain the operating system's system files, user document files and/or files it created itself; the third API is _api_NtCreateFile, through which the sample can obtain the operating system's system files and/or the files created when the sample starts; and so on. These system files, user documents, files created by the sample itself and/or files created when the sample starts are part of the initial report data, namely the target data units associated with the respective APIs. In many cases these target data units contain a large amount of low-importance data, which can be the object of the trimming operation.
S3: trim each target data unit according to the first filtering rule to form a brief data report, where the first filtering rule includes performing, for each different target data unit, the filtering sub-operation corresponding to it. The first filtering rule can be set according to the actual situation; for example, it can be preset according to the type of the sample, the type of operating system simulated by the sandbox system, and the APIs of that operating system. For example, the first filtering rule is set for the multiple APIs of the Windows operating system, and the target data units associated with those APIs are each trimmed. Note that a trimming operation in this embodiment can remove part or all of the content of a target data unit, or can retain all of the data in the unit without removing anything. The first filtering rule applies to each different target data unit the filtering sub-operation corresponding to it; that is, each filtering sub-operation trims its corresponding target data unit, and whether data are removed or retained depends on the first filtering rule. Once each target data unit has been trimmed, the brief data report is formed. The data format of the brief data report can also be changed in the process (for example to JSON) to make storage and reading easier. The brief data report is condensed relative to the initial report data, which reduces its size (in actual use, initial report data of 200-500 MB can be condensed to 5-10 MB to form the brief data report), and, taking the actual usage into account, the first filtering rule retains the important data in the initial report data, which further ensures the quality of the brief data report.
In one embodiment of the invention, trimming each target data unit according to the first filtering rule comprises: analyzing the target data unit and, when critical data are found, protecting the critical data so that they are not trimmed, where the critical data are the related records made when the API collects sensitive system information. Critical data are important data associated with the sample and can be used to determine the sample's identity or to clarify its function. For example, the _api_RegQueryValue function (an API), which queries the Windows registry, can trigger a large amount of sensitive system information that is unrelated to the analysis of this sample during process start-up, while a malicious sample may use the same API to collect sensitive system information; that sensitive system information and the related records of the sample capturing it are the critical data described above. In this embodiment, critical data are protected when they are found.
In one embodiment of the invention, as shown in Fig. 2, the data processing method based on a sandbox system further comprises the following steps:
S4: place the critical data that were found in cold storage, so that the critical data are saved offline. Because critical data are important, their destruction would cause significant loss (it would affect the quality of the brief data report). In this embodiment the critical data are therefore placed in cold storage, that is, saved offline, for example stored directly in the memory of an offline electronic device (such as a hard disk) rather than only on an online terminal or on the network, which strengthens the protection of the critical data.
S5: place the initial report data in cold storage, so that the initial report data are backed up. Cold storage here likewise means saving the initial report data offline. The initial report data are the original output of the sandbox system; if the generated brief data report is found to be defective or erroneous for unforeseen reasons, the brief data report can be regenerated from the backed-up initial report data, which avoids data loss.
In one embodiment of the invention, as shown in Fig. 3, trimming each target data unit according to the first filtering rule comprises:
S31: protect the first target data unit associated with a first-type API, so that none of the data in the first target data unit are trimmed.
S32: trim the second target data unit associated with a second-type API according to the first filtering rule, so that the data other than the core data of the second target data unit are removed, where the weight of the first target data is greater than the weight of the second target data.
Specifically, the types of API can be preset according to the actual situation of the operating system. In this embodiment the first target data unit associated with a first-type API has a higher weight and a larger effect on the quality of the brief data report, so the first target data unit can be protected so that none of its data are trimmed. For example, the first-type APIs include _api_NtCreateFile, _api_RemoveDirectoryA, _api_MoveFileWithProgressW, _api_CopyFileA, _api_DeleteFileA and _api_CreateProcessInternalW; during trimming, each associated first target data unit can be protected so that its data are not trimmed.
The second target data unit associated with a second-type API in this embodiment has a lower weight and a smaller effect on the quality of the brief data report, so each second target data unit can be trimmed according to the first filtering rule, removing the data other than the core data of the second target data unit. For example, the second-type APIs include _api_NtReadFile, which is used to obtain all system files (a target data unit); all the system files it obtains can be trimmed by removing the temporary files and the files that were not downloaded or released, which reduces the target data unit. The second-type APIs of course include a number of other APIs, whose trimming methods are similar and are not repeated here.
In one embodiment of the invention, the data processing method based on a sandbox system further comprises: analyzing the size of the brief data report and, when the size of the brief data report exceeds a preset size range, further trimming, according to a second filtering rule, the target data units in the brief data report that have already been trimmed, to obtain a brief data report that meets the preset size range. Specifically, suppose the size of the brief data report that was formed still does not meet the requirement: for example, the brief data report is expected to be kept within 10 MB, but the brief data report formed after the first trimming operation is still 50 MB or more (exceeding the preset size range). The brief data report can then be trimmed further according to the second filtering rule; that is, the target data units in the brief data report that have already been trimmed are trimmed again, removing more of the data with a lower relative weight, so that the size of the brief data report is reduced further until it meets the preset size range.
In one embodiment of the invention, the data processing method based on a sandbox system further comprises the following step: obtaining the specific operations that the sandbox system performs when analyzing the sample, and trimming away the data associated with those specific operations. The specific operations are operations specified in advance; the data they produce can be determined beforehand to be unimportant, or to have an extremely low weight. When such a specific operation is encountered, the associated data can be trimmed away directly without any other judgment, which improves trimming efficiency.
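The method described above (steps S1 to S3, S31/S32, critical-data protection, the second filtering rule and the specific-operation rule) can be sketched as follows. This is an added example, not code from the patent or from any sandbox product: the report layout (`units`, `dropped`, `sandbox_op`), the list of sensitive registry keys, the temporary-file markers and the halving strategy of the second rule are all assumptions made for illustration, and the input is constructed.

```python
import json

# First-type APIs listed on the page: their data units are never trimmed.
PROTECTED_APIS = {
    "_api_NtCreateFile", "_api_RemoveDirectoryA", "_api_MoveFileWithProgressW",
    "_api_CopyFileA", "_api_DeleteFileA", "_api_CreateProcessInternalW",
}
# Assumptions for illustration: which registry keys count as sensitive and
# which path fragments mark a temporary file.
SENSITIVE_KEYS = ("HKLM\\SOFTWARE\\MICROSOFT\\CRYPTOGRAPHY", "HKLM\\SAM")
TEMP_MARKERS = ("\\temp\\", ".tmp")


def is_critical(api, rec):
    """Critical data: a record of the API collecting sensitive system information."""
    return (api == "_api_RegQueryValue"
            and rec.get("key", "").upper().startswith(SENSITIVE_KEYS))


def trim_read_file(records):
    """Sub-operation for _api_NtReadFile: drop temporary files and files the
    sample did not download or release."""
    return [r for r in records
            if r.get("dropped")
            and not any(m in r["path"].lower() for m in TEMP_MARKERS)]


def trim_reg_query(records):
    """Sub-operation for _api_RegQueryValue: keep only the critical records."""
    return [r for r in records if is_critical("_api_RegQueryValue", r)]


# First filtering rule: one sub-operation per second-type API.
SUB_OPERATIONS = {"_api_NtReadFile": trim_read_file,
                  "_api_RegQueryValue": trim_reg_query}


def size_of(report):
    """Size in bytes of the report serialized as compact JSON."""
    return len(json.dumps(report, separators=(",", ":")).encode("utf-8"))


def build_brief_report(original, max_bytes):
    """Return (brief_report, critical_records); `original` is not modified.

    The caller archives `original` and `critical_records` offline (cold
    storage) so the brief report can be regenerated if it proves defective.
    """
    brief = {"sample": original["sample"], "units": {}}
    critical, trimmed = [], []
    for api, records in original["units"].items():
        critical += [dict(r, api=api) for r in records if is_critical(api, r)]
        if api in PROTECTED_APIS or api not in SUB_OPERATIONS:
            # Protected units, and APIs with no rule (assumed default), stay whole.
            brief["units"][api] = list(records)
            continue
        # Records of the sandbox's own predefined operations are dropped unchecked.
        records = [r for r in records if not r.get("sandbox_op")]
        brief["units"][api] = SUB_OPERATIONS[api](records)
        trimmed.append(api)
    # Second filtering rule (halving is an assumed strategy): cut further only
    # in units that were already trimmed, and never remove critical records.
    # If the budget is still exceeded at cap 0, protected data wins.
    cap = max((len(brief["units"][a]) for a in trimmed), default=0)
    while size_of(brief) > max_bytes and cap > 0:
        cap //= 2
        for api in trimmed:
            recs = brief["units"][api]
            keep = [r for r in recs if is_critical(api, r)]
            rest = [r for r in recs if not is_critical(api, r)]
            brief["units"][api] = keep + rest[:cap]
    return brief, critical


def constructed_report():
    """Constructed sample input (not real sandbox output)."""
    reads = [{"path": f"C:\\Windows\\System32\\lib{i}.dll", "dropped": False}
             for i in range(500)]
    reads += [{"path": "C:\\Users\\u\\AppData\\Local\\Temp\\a.tmp", "dropped": True},
              {"path": "C:\\analyzer\\agent.log", "dropped": True, "sandbox_op": True}]
    reads += [{"path": f"C:\\Users\\u\\payload{i}.exe", "dropped": True}
              for i in range(4)]
    regs = [{"key": f"HKLM\\SOFTWARE\\Classes\\CLSID\\{i}"} for i in range(300)]
    regs += [{"key": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid"}]
    creates = [{"path": "C:\\Users\\u\\payload0.exe"}]
    return {"sample": {"name": "constructed-sample"},
            "units": {"_api_NtReadFile": reads, "_api_RegQueryValue": regs,
                      "_api_NtCreateFile": creates}}


if __name__ == "__main__":
    original = constructed_report()
    brief, critical = build_brief_report(original, max_bytes=100_000)
    print(size_of(original), "->", size_of(brief), "bytes;",
          len(critical), "critical record(s) for cold storage")
```

The sketch lets protected units take precedence over both the specific-operation rule and the size budget, so a report dominated by first-type API records can still exceed the preset size range.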
The embodiments of the present application also provide an electronic device, as shown in Fig. 4, comprising:
An acquisition module, configured to obtain the initial report data that the sandbox system generates for a sample, determine the multiple APIs associated with the sample, and obtain the target data units associated with those APIs in the initial report data, where the APIs are APIs of the operating system simulated by the sandbox system. The sample may be a malicious program, test software or some other program. After analyzing the sample, the sandbox system generates initial report data, which include the analysis data of the sample (including information on its identity and function) and the system data related to the sample on the electronic device simulated by the sandbox system, such as system files, system directories and user documents. Once the acquisition module has obtained the initial report data generated for the sample, a trimming operation can be applied to them; the trimming operation can remove part or all of the data, and can of course also retain data depending on the actual situation.
An API (Application Programming Interface) is a set of predefined functions whose purpose is to give applications and developers access to a group of routines of some software or hardware without having to access the source code or understand the details of the internal working mechanism. The APIs in this embodiment are those of the operating system simulated by the sandbox system (the simulated operating system can be the same as the operating system used in the real environment); they are the APIs related to the sample's own process and to the other processes the sample spawns. For instance, a process of the sample can call system data through an API. Each API is associated with a corresponding target data unit, meaning that the sample can obtain that target data unit through the API. For example, the first API is _api_NtReadFile, through which the sample can obtain the operating system's system files; the second API is _api_NtWriteFile, through which the sample can obtain the operating system's system files, user document files and/or files it created itself; the third API is _api_NtCreateFile, through which the sample can obtain the operating system's system files and/or the files created when the sample starts; and so on. These system files, user documents, files created by the sample itself and/or files created when the sample starts are part of the initial report data, namely the target data units associated with the respective APIs. In many cases these target data units contain a large amount of low-importance data, which can be the object of the trimming operation performed by the processing module.
A processing module, configured to trim each target data unit according to the first filtering rule to form a brief data report, where the first filtering rule includes performing, for each different target data unit, the filtering sub-operation corresponding to it. The first filtering rule can be set according to the actual situation; for example, it can be preset according to the type of the sample, the type of operating system simulated by the sandbox system, and the APIs of that operating system. For example, the first filtering rule is set for the multiple APIs of the Windows operating system, and the processing module trims each of the target data units associated with those APIs. Note that a trimming operation in this embodiment can remove part or all of the content of a target data unit, or can retain all of the data in the unit without removing anything. The first filtering rule applies to each different target data unit the filtering sub-operation corresponding to it; that is, the processing module uses each filtering sub-operation to trim its corresponding target data unit, and whether data are removed or retained depends on the first filtering rule. Once the processing module has trimmed each target data unit, the brief data report is formed. The data format of the brief data report can also be changed in the process (for example to JSON) to make storage and reading easier. The brief data report is condensed relative to the initial report data, which reduces its size (in actual use, initial report data of 200-500 MB can be condensed to 5-10 MB to form the brief data report), and, taking the actual usage into account, the first filtering rule retains the important data in the initial report data, which further ensures the quality of the brief data report.
In one embodiment of the invention, the processing module is further configured to: analyze the target data unit and, when critical data are found, protect the critical data so that they are not trimmed, where the critical data are the related records made when the API collects sensitive system information. Critical data are important data associated with the sample and can be used to determine the sample's identity or to clarify its function. For example, the _api_RegQueryValue function (an API), which queries the Windows registry, can trigger a large amount of sensitive system information that is unrelated to the analysis of this sample during process start-up, while a malicious sample may use the same API to collect sensitive system information; that sensitive system information and the related records of the sample capturing it are the critical data described above. In this embodiment, critical data are protected when they are found.
In one embodiment of the invention, the processing module is further configured to: place the critical data that were found in cold storage, so that the critical data are saved offline; and place the initial report data in cold storage, so that the initial report data are backed up. Because critical data are important, their destruction would cause significant loss (it would affect the quality of the brief data report). In this embodiment the processing module therefore places the critical data in cold storage, that is, saves them offline, for example by storing them directly in the memory of an offline electronic device (such as a hard disk) rather than only on an online terminal or on the network, which strengthens the protection of the critical data. When the processing module places the initial report data in cold storage, this likewise means saving the initial report data offline. The initial report data are the original output of the sandbox system; if the generated brief data report is found to be defective or erroneous for unforeseen reasons, the brief data report can be regenerated from the backed-up initial report data, which avoids data loss.
In one embodiment of the invention, the processing module is further configured to: protect the first target data unit associated with a first-type API, so that no data in the first target data unit is trimmed; and, for the second target data unit associated with a second-type API, trim its data according to the first filtering regulation, so that the data other than the core data of the second target data unit is trimmed away, wherein the weight of the first target data is greater than the weight of the second target data.
Specifically, the types of API can be preset according to the actual conditions of the operating system. In this embodiment the first target data unit associated with a first-type API has a higher weight and a greater effect on the quality of the brief data report, so the processing module protects the first target data unit to prevent any data in it from being trimmed away. For example, the first-type APIs include _api_NtCreateFile, _api_RemoveDirectoryA, _api_MoveFileWithProgressW, _api_CopyFileA, _api_DeleteFileA and _api_CreateProcessInternalW, among others; during the trimming operation each associated first target data unit is protected so that its data is not trimmed.
The second target data unit associated with a second-type API in this embodiment has a lower weight and a smaller effect on the quality of the brief data report, so the processing module trims the data of each second target data unit according to the first filtering regulation, trimming away the data other than the core data of the second target data unit. For example, the second-type APIs include _api_NtReadFile, which is used to obtain all system files (the target data unit). The processing module can trim all the system files obtained by it, removing the temporary files among them and the files that were not downloaded or released, so as to reduce the target data unit. The second-type APIs of course include a number of other APIs as well; the corresponding trimming is similar and is not described again here.
In one embodiment of the invention, the processing module is further configured to: analyze the size of the brief data report and, when the size of the brief data report exceeds a preset size range, further trim, based on a second filtering regulation, the target data units in the brief data report that have already undergone the trimming operation, so as to obtain a brief data report that meets the preset size range. Specifically, the brief data report that has been formed may still not meet the requirement: for example, the size of the brief data report is expected to be kept within 10MB, but the brief data report formed after the first trimming operation is still 50MB or more (beyond the preset size range). In that case the processing module further trims the brief data report based on the second filtering regulation, that is, it further trims the already-trimmed target data units in the brief data report and removes the data of relatively low weight, reducing the size of the brief data report further until it finally meets the preset size range.
In one embodiment of the invention, the acquisition module is further configured to obtain the specific operations performed while the sandbox system analyzes the sample, so that the processing module trims away the data associated with those specific operations. The specific operations are designated in advance: the data they produce can be determined beforehand not to be important data, or to be data of extremely low weight. When the acquisition module encounters such a specific operation, the processing module can trim the associated data directly without making any other judgment, which improves trimming efficiency.
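The trimming flow of the embodiments above, written in Python as an added illustration; it is not code from the patent or from the applicant. The record layout, the `dropped`, `weight` and `op` fields, the sensitive-value markers, the `_api_ExampleOther` placeholder and the lowest-weight-first second pass are assumptions; only the protected and second-type `_api_` names come from the text.

```python
import json

# First-type APIs listed on the page: their records are never trimmed.
PROTECTED = {"_api_NtCreateFile", "_api_RemoveDirectoryA", "_api_MoveFileWithProgressW",
             "_api_CopyFileA", "_api_DeleteFileA", "_api_CreateProcessInternalW"}
SENSITIVE = ("MachineGuid", "ProductId")  # assumed markers of system-sensitive values

def is_critical(rec):
    """Critical data: a registry query that collects system-sensitive information."""
    return rec["api"] == "_api_RegQueryValue" and any(s in rec["arg"] for s in SENSITIVE)

def first_filter(rec):
    """Per-API filtering sub-operation; True means the record survives the first pass."""
    if rec["api"] in PROTECTED or is_critical(rec):
        return True
    if rec["api"] == "_api_NtReadFile":   # second type: keep dropped, non-temporary files
        return rec.get("dropped", False) and not rec["arg"].lower().endswith(".tmp")
    return rec["api"] != "_api_RegQueryValue"   # other registry reads are start-up noise

def size_of(records):
    return len(json.dumps(records).encode())

def brief_report(initial, max_bytes, specific_ops=frozenset()):
    """Return (brief, cold): the trimmed report and the data kept in cold storage."""
    cold = {"initial": list(initial), "critical": [r for r in initial if is_critical(r)]}
    brief = [r for r in initial if r.get("op") not in specific_ops and first_filter(r)]
    # Assumed second filtering regulation: drop the lowest-weight trimmable records first.
    trimmable = sorted((r for r in brief if r["api"] not in PROTECTED and not is_critical(r)),
                       key=lambda r: r.get("weight", 0))
    while size_of(brief) > max_bytes and trimmable:
        brief.remove(trimmable.pop(0))
    return brief, cold

SAMPLE = [  # constructed records, not real sandbox output
    {"api": "_api_RegQueryValue", "arg": r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid"},
    {"api": "_api_RegQueryValue", "arg": r"HKCU\Control Panel\Desktop\FontSmoothing"},
    {"api": "_api_NtReadFile", "arg": r"C:\Windows\System32\kernel32.dll"},
    {"api": "_api_NtReadFile", "arg": r"C:\Users\user\AppData\Local\Temp\a.tmp", "dropped": True},
    {"api": "_api_NtReadFile", "arg": r"C:\Users\user\payload.bin", "dropped": True, "weight": 5},
    {"api": "_api_CreateProcessInternalW", "arg": r"C:\Users\user\payload.bin"},
    {"api": "_api_ExampleOther", "arg": "", "op": "sandbox_self_check", "weight": 1},
    {"api": "_api_ExampleOther", "arg": "192.0.2.10:443", "weight": 3},
]
```

Calling `brief_report(SAMPLE, 10_000, {"sandbox_self_check"})` keeps four records; lowering `max_bytes` removes the lower-weight survivors while the protected and critical records stay.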
The above embodiments are merely exemplary embodiments of the present invention and are not intended to limit it; the scope of protection of the present invention is defined by the claims. Those skilled in the art may make various modifications or equivalent replacements to the present invention within its spirit and scope, and such modifications or equivalent replacements shall also be regarded as falling within the scope of protection of the present invention.

Claims (10)

1. A data processing method based on a sandbox system, characterized by comprising:
obtaining initial report data generated by the sandbox system for a sample;
determining a plurality of APIs associated with the sample, and obtaining the target data units associated with the APIs in the initial report data, wherein the APIs are APIs of the operating system simulated by the sandbox system;
performing, according to a first filtering regulation, a trimming operation on each target data unit respectively to form a brief data report, wherein the first filtering regulation comprises performing, for each different target data unit, the filtering sub-operation corresponding to it.
2. The method according to claim 1, characterized in that performing, according to the first filtering regulation, a trimming operation on each target data unit respectively comprises:
analyzing the target data unit and, when critical data is found, protecting the critical data so that it is not trimmed, wherein the critical data is the related record made when the API collects system-sensitive information.
3. The method according to claim 2, characterized in that the method further comprises:
placing the critical data that is found in cold storage, so that the critical data is saved offline;
placing the initial report data in cold storage, so that the initial report data is backed up.
4. The method according to claim 1, characterized in that performing, according to the first filtering regulation, a trimming operation on each target data unit respectively comprises:
protecting the first target data unit associated with a first-type API, so that no data in the first target data unit is trimmed;
for the second target data unit associated with a second-type API, trimming its data according to the first filtering regulation, so that the data other than the core data of the second target data unit is trimmed away, wherein the weight of the first target data is greater than the weight of the second target data.
5. The method according to claim 1, characterized in that the method further comprises:
analyzing the size of the brief data report and, when the size of the brief data report exceeds a preset size range, further trimming, based on a second filtering regulation, the target data units in the brief data report that have already undergone the trimming operation, so as to obtain a brief data report that meets the preset size range.
6. The method according to claim 1, characterized in that the method further comprises:
obtaining the specific operations performed while the sandbox system analyzes the sample, and trimming away the data associated with the specific operations.
7. An electronic device, characterized by comprising:
an acquisition module, configured to obtain initial report data generated by the sandbox system for a sample, to determine a plurality of APIs associated with the sample, and to obtain the target data units associated with the APIs in the initial report data, wherein the APIs are APIs of the operating system simulated by the sandbox system;
a processing module, configured to perform, according to a first filtering regulation, a trimming operation on each target data unit respectively to form a brief data report, wherein the first filtering regulation comprises performing, for each different target data unit, the filtering sub-operation corresponding to it.
8. The electronic device according to claim 7, characterized in that the processing module is further configured to:
analyze the target data unit and, when critical data is found, protect the critical data so that it is not trimmed, wherein the critical data is the related record made when the API collects system-sensitive information.
9. The electronic device according to claim 7, characterized in that the processing module is further configured to:
protect the first target data unit associated with a first-type API, so that no data in the first target data unit is trimmed;
for the second target data unit associated with a second-type API, trim its data according to the first filtering regulation, so that the data other than the core data of the second target data unit is trimmed away, wherein the weight of the first target data is greater than the weight of the second target data.
10. The electronic device according to claim 7, characterized in that the processing module is further configured to:
analyze the size of the brief data report and, when the size of the brief data report exceeds a preset size range, further trim, based on a second filtering regulation, the target data units in the brief data report that have already undergone the trimming operation, so as to obtain a brief data report that meets the preset size range.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910127166.2A CN109885455A (en) 2019-02-20 2019-02-20 A kind of data processing method and electronic equipment based on sandbox system

Publications (1)

Publication Number Publication Date
CN109885455A true CN109885455A (en) 2019-06-14

Family

ID=66928637

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910127166.2A Pending CN109885455A (en) 2019-02-20 2019-02-20 A kind of data processing method and electronic equipment based on sandbox system

Country Status (1)

Country Link
CN (1) CN109885455A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102138139A (en) * 2008-06-30 2011-07-27 起元技术有限责任公司 Data logging in graph-based computations
CN107729751A (en) * 2016-08-12 2018-02-23 阿里巴巴集团控股有限公司 data detection method and device
US20180152470A1 (en) * 2016-11-29 2018-05-31 Lixin Lu Method of improving network security by learning from attackers for detecting network system's weakness

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110399295A (en) * 2019-06-28 2019-11-01 奇安信科技集团股份有限公司 A kind of applied program testing method and device based on raw filename
CN111241035A (en) * 2020-01-07 2020-06-05 华为终端有限公司 Application management method and device and terminal equipment
CN111241035B (en) * 2020-01-07 2023-10-20 华为终端有限公司 Application management method and device and terminal equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190614