CN110188538A - Method and device for detecting data using a sandbox cluster - Google Patents

Publication number: CN110188538A
Application number: CN201910345232.3A
Authority: CN (China)
Original language: Chinese (zh)
Other versions: CN110188538B (granted)
Inventors: 白敏�, 白皓文, 罗炳聪
Current and original assignee: Beijing Qianxin Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Legal status: granted, active (the legal status is an assumption and is not a legal conclusion)
Prior art keywords: sample data, sandbox, static, file, cluster

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
Abstract

The present invention provides a method and device for detecting data using a sandbox cluster. The method comprises: collecting sample data, wherein the sample data includes mail samples and malicious files; delivering the sample data to a sandbox cluster, wherein the sandbox cluster includes a static sandbox and a dynamic sandbox; and detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing it in an intelligence database of advanced persistent threat (APT) attacks. The invention solves the technical problem in the related art that the intelligence database of APT attacks is collected inefficiently.

Description

Method and device for detecting data using a sandbox cluster
Technical field
The present invention relates to the field of network security, and in particular to a method and device for detecting data using a sandbox cluster.
Background technique
A network attack is an attack launched against electronic devices by hackers, viruses, Trojans and the like; it causes heavy losses to users, for example through the theft of files.
When tracking and discovering advanced persistent threat (APT) groups, contextual association analysis is performed mainly on attacks such as malicious files and phishing mail propagating on the Internet. Attackers use malicious programs to intrude into and control networks and information systems in order to steal sensitive data and damage the system and network environment, so the detection rate for malicious samples propagating in enterprise networks and the capability to analyse them in batches are in urgent need of improvement.
In the related art of computer security, network attacks are currently becoming ever more specialised and targeted. Faced with such attacks, defenders often lack an overall understanding of the attack, and the defence against it is also fragmented, so that no sound defence system is formed. APT attacks or the Stuxnet virus, for example, are purposeful and targeted and are only aggressive towards specific industries or particular target systems. At present no scheme exists that can obtain threat intelligence when such attacks first occur on a small scale and then provide early warning and defence on a wide scale, so the defence against network attacks lags behind.
No effective solution to the above problems in the related art has yet been found.
Summary of the invention
Embodiments of the present invention provide a method and device for detecting data using a sandbox cluster.
According to one embodiment of the present invention, a method for detecting data using a sandbox cluster is provided, comprising: collecting sample data, wherein the sample data includes mail samples and malicious files; delivering the sample data to a sandbox cluster, wherein the sandbox cluster includes a static sandbox and a dynamic sandbox; and detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing it in an intelligence database of advanced persistent threat (APT) attacks.
Optionally, delivering the sample data to the sandbox cluster includes: judging whether the static OWL detection rules of the static sandbox match the sample data; when the static OWL detection rules of the static sandbox match the sample data, delivering the sample data to the static sandbox; and when the static OWL detection rules of the static sandbox do not match the sample data, delivering the sample data to the dynamic sandbox.
Optionally, detecting the sample data using the sandbox cluster includes: using the sandbox cluster to perform detection and extraction on the sample data based on semantics and file meta-information, and identifying the file information of the sample data, wherein the file information includes at least one of: file name, file type, file type matching degree, file size, the MD5 message digest, the secure hash algorithms SHA1, SHA256 and SHA512, and the fuzzy hash algorithm SSDeep; and extracting the meta-information of the sample data according to the file information, wherein the meta-information includes at least one of: the section count of the portable executable (PE) body, signature information, and the program database (PDB) file path.
Optionally, detecting the sample data using the sandbox cluster includes: simulating a virtual environment by dynamic sandboxing technology; running the sample data in the virtual environment, recording and analysing all behaviour actions of the sample data from process start to end, capturing the traffic packets during execution, and generating a process report.
Optionally, after the detection result is associated with the sample data and stored in the APT attack intelligence database, the method further includes: tracking and locating the APT attack source according to the intelligence database.
According to another embodiment of the present invention, a device for detecting data using a sandbox cluster is provided, comprising: an acquisition module for collecting sample data, wherein the sample data includes mail samples and malicious files; a delivery module for delivering the sample data to a sandbox cluster, wherein the sandbox cluster includes a static sandbox and a dynamic sandbox; and a processing module for detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing it in an intelligence database of advanced persistent threat (APT) attacks.
Optionally, the delivery module includes: a judging unit for judging whether the static OWL detection rules of the static sandbox match the sample data; and a delivery unit for delivering the sample data to the static sandbox when the static OWL detection rules of the static sandbox match the sample data, and to the dynamic sandbox when they do not.
Optionally, the processing module includes: a recognition unit for using the sandbox cluster to perform detection and extraction on the sample data based on semantics and file meta-information and identifying the file information of the sample data, wherein the file information includes at least one of: file name, file type, file type matching degree, file size, the MD5 message digest, the secure hash algorithms SHA1, SHA256 and SHA512, and the fuzzy hash algorithm SSDeep; and an extracting unit for extracting the meta-information of the sample data according to the file information, wherein the meta-information includes at least one of: the section count of the portable executable (PE) body, signature information, and the program database (PDB) file path.
Optionally, the processing module includes: a simulation unit for simulating a virtual environment by dynamic sandboxing technology; and a processing unit for running the sample data in the virtual environment, recording and analysing all behaviour actions of the sample data from process start to end, capturing the traffic packets during execution, and generating a process report.
Optionally, the device further includes: a tracing module for tracking and locating the APT attack source according to the intelligence database after the processing module has associated the detection result with the sample data and stored it in the APT attack intelligence database.
According to still another embodiment of the present invention, a storage medium is also provided, in which a computer program is stored, wherein the computer program is arranged to perform, when run, the steps of any of the above method embodiments.
According to still another embodiment of the present invention, an electronic device is also provided, including a memory and a processor, wherein a computer program is stored in the memory and the processor is arranged to run the computer program so as to perform the steps of any of the above method embodiments.
Through the invention, sample data is collected, then delivered to a sandbox cluster that includes a static sandbox and a dynamic sandbox, and finally detected using the sandbox cluster; the detection result is associated with the sample data and stored in an intelligence database of APT attacks. Log-analysis rules are maintained from the operation results of the static sandbox and the core confrontation results of the dynamic sandbox are tracked, so suspicious objects can be filtered and located more accurately. This solves the technical problem in the related art that the APT attack intelligence database is collected inefficiently, greatly improves the ability of operations analysts to analyse, trace and locate malicious samples, and is of great help to security personnel in tracking the identity information of APT attackers.
Detailed description of the invention
The drawings described herein are provided for a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a hardware block diagram of a server for detecting data using a sandbox cluster according to an embodiment of the present invention;
Fig. 2 is a flow chart of a method for detecting data using a sandbox cluster according to an embodiment of the present invention;
Fig. 3 is the complete business logic diagram of an embodiment of the present invention;
Fig. 4 is the business flow diagram of an embodiment of the present invention;
Fig. 5 is a structural block diagram of a device for detecting data using a sandbox cluster according to an embodiment of the present invention.
Specific embodiment
In order to help those skilled in the art better understand the solution of the present application, the technical solution in the embodiments of the application is described clearly and completely below in conjunction with the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the application and not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the application without creative effort fall within the scope of protection of the application. It should be noted that, where there is no conflict, the embodiments of the application and the features in the embodiments may be combined with each other.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings of this application are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described herein can be implemented in an order other than that illustrated or described here. In addition, the terms "comprise" and "have" and any variation of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
Embodiment 1
The method embodiment provided in Embodiment 1 of the application may be executed in a server or a similar computing device. Taking execution on a server as an example, Fig. 1 is a hardware block diagram of a server for detecting data using a sandbox cluster according to an embodiment of the present invention. As shown in Fig. 1, the server 10 may include one or more processors 102 (only one is shown in Fig. 1; the processor 102 may include, but is not limited to, a processing unit such as a microprocessor (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data; optionally, the server may also include a transmission device 106 for communication and an input/output device 108. Those skilled in the art will appreciate that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the server. For example, the server 10 may include more or fewer components than shown in Fig. 1, or have a configuration different from that shown in Fig. 1.
The memory 104 can be used to store computer programs, for example the software programs and modules of application software, such as the computer program corresponding to the method for detecting data using a sandbox cluster in an embodiment of the present invention; the processor 102 performs various functional applications and data processing by running the computer program stored in the memory 104, thereby implementing the above method. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and these remote memories may be connected to the server 10 through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transmission device 106 is used to receive or send data via a network. A specific example of the network may include a wireless network provided by the communication provider of the server 10. In one example, the transmission device 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (RF) module used to communicate wirelessly with the Internet.
A method for detecting data using a sandbox cluster is provided in this embodiment. Fig. 2 is a flow chart of a method for detecting data using a sandbox cluster according to an embodiment of the present invention; as shown in Fig. 2, the process includes the following steps:
Step S202: collecting sample data, wherein the sample data includes mail samples and malicious files;
The sample data of this embodiment is the hardware, software and code of attacks that exploit vulnerabilities and security defects in the network or in hardware entities to attack the hardware, software, programs, files and data in a network system.
After the sample data is obtained, the file type of the sample data or the type of the device on which the sample data runs is also detected. The file type includes public files and private files: when the sample data is a public file it is sent to a public cloud server, and when it is a private file it is sent to a private cloud server or a local server. On the other hand, when the device type is a device in a designated environment (for example equipment of a highly confidential organisation such as a government body or a financial institution), the sample data is sent to a private cloud server or a local server, and when the device type is a device in a general environment, the sample data is sent to a public cloud server. The public cloud server, private cloud server and local server are each provided with a sandbox cluster, and the sandbox cluster includes a static sandbox for static detection and a dynamic sandbox for dynamic detection.
Step S204: delivering the sample data to a sandbox cluster, wherein the sandbox cluster includes a static sandbox and a dynamic sandbox;
Step S206: detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing it in an intelligence database of advanced persistent threat (APT) attacks.
The intelligence database of this embodiment includes IOC indicator information, the organisational information of the APT group, member identity information, and information such as the means, scope, time and targets of the APT attack.
Through the above steps, sample data is collected, then delivered to a sandbox cluster that includes a static sandbox and a dynamic sandbox, and finally detected using the sandbox cluster; the detection result is associated with the sample data and stored in an intelligence database of APT attacks. Log-analysis rules are maintained from the operation results of the static sandbox and the core confrontation results of the dynamic sandbox are tracked, so suspicious objects can be filtered and located more accurately; through static analysis and dynamic debugging, malicious samples are detected precisely and efficiently, the misjudgements of manual analysis are reduced and efficiency is improved, and the technical problem in the related art that the APT attack intelligence database is collected inefficiently is solved. The ability of operations analysts to analyse, trace and locate malicious samples is greatly improved, which is of great help to security personnel in tracking the identity information of APT attackers.
In this embodiment, delivering the sample data to the sandbox cluster includes: judging whether the static OWL detection rules of the static sandbox match the sample data; when the static OWL detection rules of the static sandbox match the sample data, delivering the sample data to the static sandbox; and when they do not match the sample data, delivering the sample data to the dynamic sandbox.
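The delivery step described above (server selection by file confidentiality and device environment, then static-versus-dynamic routing on a static rule match) as an added example in Python; this is not code from the patent or its assignee. The patent does not give the format of its static OWL detection rules, so the magic-prefix and byte-pattern rules below are constructed stand-ins, and the `Sample` fields, server labels and rule names are assumptions for illustration.

```python
# Added example (not code from the patent or its assignee): step S204 as a router.
import re
from dataclasses import dataclass


@dataclass
class Sample:
    name: str
    data: bytes
    confidentiality: str = "public"  # "public" or "private" file
    device_env: str = "general"      # "general" or "designated" (e.g. government, finance)


def choose_server(sample: Sample) -> str:
    """Private files and samples from designated-environment devices stay on
    private-cloud or local infrastructure; everything else goes to the public cloud."""
    if sample.confidentiality == "private" or sample.device_env == "designated":
        return "private-cloud-or-local"
    return "public-cloud"


# Constructed static rules standing in for the static OWL detection rules:
# a rule matches when its magic prefix (if any) and byte pattern (if any) both match.
STATIC_RULES = [
    {"name": "pe_executable", "magic": b"MZ"},
    {"name": "ole_document", "magic": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"},
    {"name": "ooxml_with_macro", "magic": b"PK", "pattern": re.compile(rb"vbaProject\.bin")},
    {"name": "pdf_with_javascript", "magic": b"%PDF", "pattern": re.compile(rb"/JavaScript")},
]


def match_static_rules(sample: Sample, rules=STATIC_RULES) -> list:
    """Return the names of every static rule that matches the sample bytes."""
    hits = []
    for rule in rules:
        if "magic" in rule and not sample.data.startswith(rule["magic"]):
            continue
        if "pattern" in rule and not rule["pattern"].search(sample.data):
            continue
        hits.append(rule["name"])
    return hits


def deliver(sample: Sample) -> dict:
    """Pick the server, then route to the static sandbox when a static rule
    matches and to the dynamic sandbox otherwise."""
    hits = match_static_rules(sample)
    return {
        "server": choose_server(sample),
        "sandbox": "static" if hits else "dynamic",
        "matched_rules": hits,
    }


if __name__ == "__main__":
    # Constructed inputs, not real samples.
    print(deliver(Sample("invoice.exe", b"MZ\x90\x00" + b"\x00" * 60)))
    print(deliver(Sample("notes.txt", b"just text", confidentiality="private")))
```

A sample that no static rule recognises is not dropped but sent on to the dynamic sandbox, which is the fallback the embodiment prescribes; the rule list is where a deployment would plug in its real static engine.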
In one implementation of this embodiment, the static sandbox mainly runs static rules and processes metadata; detecting the sample data using the sandbox cluster includes:
S11: using the sandbox cluster to perform detection and extraction on the sample data based on semantics and file meta-information, and identifying the file information of the sample data, wherein the file information includes at least one of: file name, file type, file type matching degree, file size, the MD5 message digest, the secure hash algorithms SHA1, SHA256 and SHA512, and the fuzzy hash algorithm SSDeep;
S12: extracting the meta-information of the sample data according to the file information, wherein the meta-information includes at least one of: the section count of the portable executable (PE) body, signature information, and the program database (PDB) file path.
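Steps S11 and S12 as an added Python example, not code from the patent or its assignee: it identifies the file type, computes the listed hashes, and for a PE reads the section count, whether an Authenticode security directory is present, and the PDB path from the CodeView RSDS record. The file-type magic table and `build_sample_pe()` (a constructed, headers-only PE32 image for offline testing) are assumptions for illustration; the SSDeep fuzzy hash uses the third-party `ssdeep` package only if it is installed.

```python
# Added example (not code from the patent or its assignee): S11/S12 of the static sandbox.
import hashlib
import re
import struct

try:
    import ssdeep  # assumption: the 'ssdeep' PyPI package; optional here
except ImportError:
    ssdeep = None

MAGIC = {  # constructed file-type table keyed by leading bytes
    b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip/ooxml",
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory index of the Authenticode signature


def file_type(data: bytes):
    """Return (type, matching degree): 1.0 when a full magic prefix matches, else 0."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name, 1.0
    return "unknown", 0.0


def pe_meta(data: bytes):
    """Section count, signature presence and PDB path from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt = coff + 20                                   # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ data-directory offset
    _, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # CodeView record: "RSDS" + GUID(16) + Age(4) + NUL-terminated PDB path
    m = re.search(rb"RSDS.{20}([^\x00]+\.pdb)", data, re.DOTALL)
    return {"sections": num_sections, "signed": sec_size > 0,
            "pdb_path": m.group(1).decode("latin-1") if m else None}


def file_info(filename: str, data: bytes) -> dict:
    """S11 file information plus S12 meta-information for one sample."""
    ftype, degree = file_type(data)
    info = {"filename": filename, "file_type": ftype, "type_match": degree, "size": len(data)}
    for alg in ("md5", "sha1", "sha256", "sha512"):
        info[alg] = hashlib.new(alg, data).hexdigest()
    info["ssdeep"] = ssdeep.hash(data) if ssdeep else None
    info["meta"] = pe_meta(data) if ftype == "pe" else None
    return info


def build_sample_pe(sections=3, signed=False, pdb=b"C:\\build\\agent.pdb") -> bytes:
    """Constructed minimal PE32 image (headers only, not runnable) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, sections, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                              # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    if signed:                                        # non-empty security directory
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    debug = b"RSDS" + b"\x00" * 20 + pdb + b"\x00"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + debug


if __name__ == "__main__":
    for key, value in file_info("agent.exe", build_sample_pe(signed=True)).items():
        print(f"{key}: {value}")
```

A non-empty security directory only shows that a signature blob is attached; whether it verifies is a separate check, which is why the field is named `signed` rather than `valid_signature`.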
In another implementation of this embodiment, a virtual environment is simulated by dynamic sandboxing technology and the sample is executed in it; all behaviour of the sample from process start until execution finishes is analysed, while traffic packets are captured and the process is recorded and a report generated. Detecting the sample data using the sandbox cluster includes:
S21: simulating a virtual environment by dynamic sandboxing technology;
S22: running the sample data in the virtual environment, recording and analysing all behaviour actions of the sample data from process start to end, capturing the traffic packets during execution, and generating a process report.
The recorded behaviour actions may include, but are not limited to: executing within another process and decompressing there (possibly code injection), detecting a kernel debugger, querying the process list, changing the tracing settings of a file or console, allocating read-write-execute memory space, creating an executable file in the file system, creating a suspicious process, and collecting system fingerprint information (unique identifier, product ID, BIOS time).
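Step S22 and the behaviour list above as an added Python example, not code from the patent or its assignee: a recorded API trace from process start to termination and the packets captured meanwhile are turned into a process report that flags the listed behaviours. The trace, the API names, the indicator predicates and the packet capture are all constructed for illustration (addresses are from documentation ranges); a real sandbox's log schema will differ.

```python
# Added example (not code from the patent or its assignee): the process report of S22.

# Constructed API trace for one sample, from process start to termination.
TRACE = [
    {"t": 0.00, "pid": 1200, "api": "NtCreateUserProcess", "args": {"image": "invoice.exe"}},
    {"t": 0.05, "pid": 1200, "api": "NtQuerySystemInformation",
     "args": {"class": "SystemKernelDebuggerInformation"}},
    {"t": 0.10, "pid": 1200, "api": "CreateToolhelp32Snapshot", "args": {"flags": "TH32CS_SNAPPROCESS"}},
    {"t": 0.20, "pid": 1200, "api": "NtAllocateVirtualMemory",
     "args": {"protect": "PAGE_EXECUTE_READWRITE", "size": 0x10000}},
    {"t": 0.25, "pid": 1200, "api": "NtWriteVirtualMemory", "args": {"target_pid": 1320}},
    {"t": 0.30, "pid": 1200, "api": "NtCreateFile",
     "args": {"path": "C:\\Users\\u\\AppData\\Roaming\\svc.exe", "write": True}},
    {"t": 0.40, "pid": 1200, "api": "RegQueryValueExW",
     "args": {"key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "value": "ProductId"}},
    {"t": 0.45, "pid": 1200, "api": "NtCreateUserProcess",
     "args": {"image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"}},
    {"t": 0.60, "pid": 1200, "api": "NtTerminateProcess", "args": {}},
]

# Constructed packet capture taken during execution (documentation address ranges only).
PACKETS = [
    {"t": 0.35, "proto": "dns", "dst": "198.51.100.53", "query": "update-check.example"},
    {"t": 0.36, "proto": "tcp", "dst": "203.0.113.7", "dport": 443},
]

# Behaviour indicators from the embodiment, each as a predicate over one trace event.
INDICATORS = {
    "kernel_debugger_check": lambda e: e["api"] == "NtQuerySystemInformation"
        and e["args"].get("class") == "SystemKernelDebuggerInformation",
    "process_list_query": lambda e: e["api"] == "CreateToolhelp32Snapshot",
    "rwx_memory_allocation": lambda e: e["api"] == "NtAllocateVirtualMemory"
        and e["args"].get("protect") == "PAGE_EXECUTE_READWRITE",
    "possible_code_injection": lambda e: e["api"] == "NtWriteVirtualMemory"
        and e["args"].get("target_pid") not in (None, e["pid"]),
    "executable_dropped": lambda e: e["api"] == "NtCreateFile"
        and e["args"].get("write") and e["args"]["path"].lower().endswith(".exe"),
    "suspicious_child_process": lambda e: e["api"] == "NtCreateUserProcess"
        and "\\appdata\\" in e["args"].get("image", "").lower(),
    "system_fingerprinting": lambda e: e["api"] == "RegQueryValueExW"
        and e["args"].get("value") in ("ProductId", "MachineGuid"),
}


def process_report(trace, packets, indicators=INDICATORS) -> dict:
    """Analyse every event from process start to end and summarise the capture."""
    behaviours = []
    for event in trace:
        for name, pred in indicators.items():
            if pred(event):
                behaviours.append({"t": event["t"], "pid": event["pid"],
                                   "indicator": name, "api": event["api"]})
    start = min(e["t"] for e in trace)
    end = max(e["t"] for e in trace)
    return {
        "lifetime_s": round(end - start, 3),
        "terminated": any(e["api"] == "NtTerminateProcess" for e in trace),
        "behaviours": behaviours,
        "indicator_names": sorted({b["indicator"] for b in behaviours}),
        "network": {
            "dns_queries": sorted({p["query"] for p in packets if p["proto"] == "dns"}),
            "contacts": sorted({p["dst"] for p in packets if p["proto"] != "dns"}),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(process_report(TRACE, PACKETS), indent=2))
```

Keeping each behaviour as a predicate over a single event keeps the report deterministic and easy to extend; the domains and addresses it collects are what the intelligence matching step later looks up.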
In addition to static sandbox detection and dynamic sandbox detection, result samples that cannot be detected can be analysed manually as failed samples, and the analysis result is added to the APT attack intelligence database.
Optionally, after the detection result is associated with the sample data and stored in the APT attack intelligence database, the method further includes: tracking and locating the APT attack source according to the intelligence database.
The APT analysis method based on malicious samples of this embodiment relates to the field of computer information security. Overall, it provides a way of extracting malicious information from a large number of files and of maintaining the IOC (Indicators of Compromise) and TTP (Tactics, Techniques and Procedures) information of the related APT organisation (for example, extracting features from the IOC indicator information of each query, marking it and performing metadata extraction, while also extracting the related APT organisational information and associated context information and recording related information such as tactics and techniques). At the same time, metadata extraction and management are performed on mail samples and malicious file samples, and sample identification and result display are provided for malicious samples and malicious mail information. The IP and attack process information of affected users is also recorded, the attack activity and context information are recorded in a data storage platform, and association analysis is performed on the interaction of file samples. By this method, attack analysis of malicious samples and the operation of tracing the APT attack source are carried out, achieving the discovery and continued tracking of attack groups, and the efficiency of sample analysis and operation is greatly improved.
In a complete implementation of this embodiment, the following functional modules are included, in order of the process: network collector, static sandbox, dynamic sandbox, high-confrontation sandbox cluster, intelligence matching module and event response module.
Network collector: receives sample input in an automated manner, for example delivery of mail attachments and automated batch delivery of original files, and uploads them to the sandbox interface;
Static sandbox: first performs static detection on the sample file with the static sandbox and matches the malicious-file static rules. Information is acquired by extracting file metadata, including file name, file type, file type matching degree, file size, MD5 (Message-Digest Algorithm 5), SHA (Secure Hash Algorithm) 1, SHA256, SHA512, SSDeep and so on. At the same time, files are detected and screened by the static engine rules of OWL (Web Ontology Language);
Dynamic sandbox: simulates dynamic execution, analyses host behaviour and obtains network behaviour and screenshots during operation, while capturing network traffic and samples;
High-confrontation sandbox cluster: stores mass data and the information of every detection result, including file type data; all historical data related to sandbox results and all file type data are stored in the cluster;
Intelligence matching module: matches IOCs against the sandbox detection results and, after associating context, obtains family information and the malicious domain names accessed together with their historical resolution addresses, so that the family information of the malicious sample and the APT attack source can be located more accurately by association analysis. For example, by querying a malicious sample in the sandbox and associating threat intelligence with WHOIS (a protocol used to query information such as the owner of an IP address or domain name) history information, all information related to the file can be given;
Event response module: counts and disposes of the current analysis results, provides case management and event correlation, and updates each engine and its detection rules in real time for the secondary production of intelligence.
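Step S206 (storing the detection result associated with its sample) together with the intelligence matching module described above, as an added Python example that is not code from the patent or its assignee. It keeps samples, IOCs and historical domain resolutions in an in-memory SQLite database, matches a sample's hash and the domains and addresses from its dynamic report against the IOC table, and attaches the historical resolution addresses of any matched domain. The schema, the family names, the IOC rows and the resolution history are all constructed for illustration.

```python
# Added example (not code from the patent or its assignee): S206 storage and IOC matching.
import json
import sqlite3

SCHEMA = """
CREATE TABLE samples (sha256 TEXT PRIMARY KEY, filename TEXT, sandbox TEXT,
                      verdict TEXT, report TEXT);
CREATE TABLE iocs (indicator TEXT, kind TEXT, family TEXT, tactic TEXT,
                   technique TEXT, first_seen TEXT);
CREATE TABLE dns_history (domain TEXT, ip TEXT, seen TEXT);
"""

# Constructed intelligence: an IOC table and historical domain resolutions.
IOCS = [
    ("update-check.example", "domain", "CONSTRUCTED-APT-1", "command-and-control", "HTTPS beacon", "2019-01-10"),
    ("203.0.113.7", "ip", "CONSTRUCTED-APT-1", "command-and-control", "HTTPS beacon", "2019-02-02"),
    ("deadbeef" * 8, "sha256", "CONSTRUCTED-APT-2", "initial-access", "macro document", "2018-11-30"),
]
DNS_HISTORY = [
    ("update-check.example", "203.0.113.7", "2019-02-01"),
    ("update-check.example", "198.51.100.20", "2018-12-15"),
]


def open_db() -> sqlite3.Connection:
    """Create the in-memory intelligence database and load the constructed intel."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO iocs VALUES (?,?,?,?,?,?)", IOCS)
    conn.executemany("INSERT INTO dns_history VALUES (?,?,?)", DNS_HISTORY)
    return conn


def store_detection(conn, sha256, filename, sandbox, verdict, report) -> None:
    """S206: keep the detection result associated with the sample it came from."""
    conn.execute("INSERT OR REPLACE INTO samples VALUES (?,?,?,?,?)",
                 (sha256, filename, sandbox, verdict, json.dumps(report)))
    conn.commit()


def match_intelligence(conn, sha256) -> dict:
    """Match the sample hash and the domains/addresses in its report against the
    IOC table, then add historical resolutions for every matched domain."""
    row = conn.execute("SELECT report FROM samples WHERE sha256 = ?", (sha256,)).fetchone()
    if row is None:
        return {"error": "unknown sample"}
    net = json.loads(row[0]).get("network", {})
    indicators = [sha256] + list(net.get("dns_queries", [])) + list(net.get("contacts", []))
    placeholders = ",".join("?" * len(indicators))
    hits = conn.execute(
        f"SELECT indicator, kind, family, tactic, technique FROM iocs WHERE indicator IN ({placeholders})",
        indicators).fetchall()
    history = {}
    for indicator, kind, *_ in hits:
        if kind == "domain":
            history[indicator] = [ip for (ip,) in conn.execute(
                "SELECT ip FROM dns_history WHERE domain = ? ORDER BY seen", (indicator,))]
    return {
        "families": sorted({h[2] for h in hits}),
        "ttps": sorted({(h[3], h[4]) for h in hits}),
        "matched": [dict(zip(("indicator", "kind", "family"), h[:3])) for h in hits],
        "resolution_history": history,
    }


if __name__ == "__main__":
    db = open_db()
    store_detection(db, "11" * 32, "invoice.exe", "dynamic", "malicious",
                    {"network": {"dns_queries": ["update-check.example"], "contacts": ["203.0.113.7"]}})
    print(json.dumps(match_intelligence(db, "11" * 32), indent=2))
```

The indicator list is bound with parameter placeholders rather than formatted into the query, so domain names or paths taken from a sandbox report cannot alter the SQL; only the placeholder count is built from the input.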
Fig. 3 is the complete business logic diagram of an embodiment of the present invention and Fig. 4 is its business flow diagram, comprising:
Traffic collection process: responsible for automated collection and batch delivery of the collected samples, mainly a traffic collector and a sample collector;
Sandbox detection process: divided into a static detection sandbox and a dynamic detection sandbox. Through the high-confrontation sandbox cluster, a static OWL filtering and extraction engine performs text semantic analysis and screening, wherein the static OWL rules perform detection and extraction on text data based on semantics and file meta-information, and the OWL engine can identify the file type and extract the corresponding meta-information data according to the file type, for example how many sections a PE (Portable Executable) has, whether it is signed and what the signature is, and what its PDB (Program Database) path name is; the sample is then delivered to the corresponding static or dynamic sandbox;
Data storage and response process: responsible for the APT family information association and case storage of the sandbox, and for producing new intelligence.
Optionally, the executing subject of the above steps may be one or more clients, or a cloud server or local server connected to the clients; the client may be a mobile terminal, a PC or the like, but is not limited to these.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and including several instructions for causing a terminal device (which may be a mobile phone, computer, server, network device or the like) to perform the method described in each embodiment of the present invention.
Embodiment 2
A kind of device using sandbox cluster detection data is additionally provided in the present embodiment, can be server, the dress It sets for realizing above-described embodiment and preferred embodiment, the descriptions that have already been made will not be repeated.As used below, art The combination of the software and/or hardware of predetermined function may be implemented in language " module ".Although device described in following embodiment is preferable Ground is realized with software, but the realization of the combination of hardware or software and hardware is also that may and be contemplated.
Fig. 5 is the structural block diagram of the device according to an embodiment of the present invention using sandbox cluster detection data, can be applied In the server, as shown in figure 5, the device includes: acquisition module 50, delivery module 52, processing module 54, wherein
Acquisition module 50 is used for collecting sample data, wherein the sample data includes mail sample and malicious file;
Delivery module 52, for the sample data to be delivered to sandbox cluster, wherein the sandbox cluster includes static state Sandbox and dynamic sandbox;
Processing module 54 for detecting the sample data using the sandbox cluster, and will test result and the sample The information database for threatening APT attack is stored to advanced duration after notebook data association.
Optionally, the delivery module includes: judging unit, for judging that the static OWL detected rule of static sandbox is The no matching sample data;Delivery unit matches the sample data for the static OWL detected rule in static sandbox When, the sample data is delivered to static sandbox;The sample data is mismatched in the static OWL detected rule of static sandbox When, the sample data is delivered to dynamic sandbox.
Optionally, the processing module includes: recognition unit, for being based on semantic and file member using the sandbox cluster Information carries out Detection and Extraction to the sample data, identifies the file information of the sample data, wherein the file information packet Include at least one of: filename, file type, file type matching degree, file size, Message Digest 5 MD5, safety dissipate Column algorithm SHA1, SHA256, SHA512, fuzzy hash algorithm SSDeep;Extracting unit, for being extracted according to the file information The metamessage of the sample data, wherein the metamessage includes at least one of: the transplantable byte for executing body PE Number, signing messages, the path program data library file PDB.
Optionally, the processing module includes: analogue unit, for passing through dynamic sandboxing techniques virtual environment;Processing is single Member records and analyzes the sample data from process initiation to knot for running the sample data in the virtual environment All behavior acts of beam, and grab the flow packet in implementation procedure, generating process report.
Optionally, described device further include: tracing module, for will test result and the sample in the processing module After storing the information database attacked to APT after data correlation, APT attack is tracked and positioned according to the information database Source.
It should be noted that the modules described above may be implemented in software or in hardware. In the latter case they may be implemented, without limitation, in the following ways: all of the modules are located in the same processor; or the modules are distributed over different processors in any combination.
Embodiment 3
An embodiment of the present invention further provides a storage medium in which a computer program is stored, where the computer program is arranged to perform, when run, the steps of any of the method embodiments described above.
Optionally, in this embodiment, the storage medium may be arranged to store a computer program for performing the following steps:
S1: collect sample data, where the sample data includes mail samples and malicious files;
S2: deliver the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox;
S3: detect the sample data using the sandbox cluster and, after associating the detection result with the sample data, store it in an advanced persistent threat (APT) attack intelligence database.
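The following is an added, end-to-end skeleton of steps S1 to S3 together with the delivery decision of the optional embodiment (static rule match to the static sandbox, otherwise to the dynamic sandbox) and the trace-back that the tracing module performs over the stored records. It is example code written for this page, not the patent's implementation. The patent names "static OWL detection rules" but does not describe them, so the three byte-pattern rules here are hypothetical stand-ins; the two sandboxes are stubs that return a verdict, the sqlite schema is an assumption, and the mail sample and its two attachments are constructed. What the example does show concretely is the association step: each detection row is keyed by the sample's SHA256 and each carved file keeps a parent link to the mail that delivered it, so a later query can walk from a detected file back to its delivery vector.

```python
"""S1 collect, S2 deliver (static/dynamic routing), S3 detect and store associated
results; then trace a file back to the mail that carried it.
Example code, not the patent's implementation; rules, stubs and schema are assumptions."""
import hashlib
import re
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Sample:
    name: str
    data: bytes
    kind: str                              # "mail" or "file"
    parent_sha256: Optional[str] = None    # for a file carved from a mail sample

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


# Hypothetical stand-ins for the static detection rules (name -> pattern over raw bytes).
STATIC_RULES = {
    "macro_autoopen": re.compile(rb"AutoOpen|Auto_Open|Document_Open"),
    "ps_encoded_cmd": re.compile(rb"powershell[^\n]{0,80}-enc(odedcommand)?\s", re.I),
    "mz_header": re.compile(rb"\AMZ"),
}


def static_rule_matches(data: bytes) -> List[str]:
    return [name for name, rx in STATIC_RULES.items() if rx.search(data)]


def deliver(sample: Sample) -> Tuple[str, List[str]]:
    """S2 routing: any static-rule hit sends the sample to the static sandbox,
    otherwise it goes to the dynamic sandbox."""
    hits = static_rule_matches(sample.data)
    return ("static", hits) if hits else ("dynamic", [])


def static_sandbox(sample: Sample, hits: List[str]) -> dict:
    return {"sandbox": "static", "verdict": "malicious", "evidence": hits}


def dynamic_sandbox(sample: Sample) -> dict:
    # Stub: a real dynamic sandbox executes the sample and reports behaviour.
    suspicious = b"http" in sample.data.lower()
    return {"sandbox": "dynamic", "verdict": "suspicious" if suspicious else "clean", "evidence": []}


SCHEMA = """
CREATE TABLE IF NOT EXISTS sample (
    sha256 TEXT PRIMARY KEY, name TEXT, kind TEXT, parent_sha256 TEXT);
CREATE TABLE IF NOT EXISTS detection (
    sha256 TEXT REFERENCES sample(sha256), sandbox TEXT, verdict TEXT, evidence TEXT);
"""


def process(samples: List[Sample], db: sqlite3.Connection) -> None:
    """S3: detect each sample and store the result associated with the sample."""
    db.executescript(SCHEMA)
    for s in samples:
        route, hits = deliver(s)
        result = static_sandbox(s, hits) if route == "static" else dynamic_sandbox(s)
        db.execute("INSERT OR REPLACE INTO sample VALUES (?,?,?,?)",
                   (s.sha256, s.name, s.kind, s.parent_sha256))
        db.execute("INSERT INTO detection VALUES (?,?,?,?)",
                   (s.sha256, result["sandbox"], result["verdict"], ",".join(result["evidence"])))
    db.commit()


def trace_source(db: sqlite3.Connection, sha256: Optional[str]) -> List[Tuple[str, str]]:
    """Follow parent links from a detected file back to the mail that delivered it."""
    chain: List[Tuple[str, str]] = []
    while sha256:
        row = db.execute("SELECT name, kind, parent_sha256 FROM sample WHERE sha256=?",
                         (sha256,)).fetchone()
        if row is None:
            break
        chain.append((row[0], row[1]))
        sha256 = row[2]
    return chain


def demo():
    """S1: constructed mail sample with two carved attachments."""
    mail = Sample("phish.eml", b"From: hr@example.test\nSubject: Payroll\n...see attachment", "mail")
    doc = Sample("payroll.doc",
                 b'\xd0\xcf\x11\xe0 ... Sub AutoOpen() ... Shell "powershell -enc SQBFAFgA"',
                 "file", mail.sha256)
    pdf = Sample("readme.pdf", b"%PDF-1.4 http://198.51.100.23/x", "file", mail.sha256)
    db = sqlite3.connect(":memory:")
    process([mail, doc, pdf], db)
    return db, doc.sha256, pdf.sha256


if __name__ == "__main__":
    db, doc_sha, _ = demo()
    for row in db.execute("SELECT s.name, d.sandbox, d.verdict, d.evidence "
                          "FROM detection d JOIN sample s USING (sha256)"):
        print(row)
    print("delivery chain:", trace_source(db, doc_sha))
```

The routing rule is worth a caveat: a sample that trips a static rule never reaches the dynamic sandbox in this scheme, so the static verdict is final for it. Whether that is acceptable depends on how much is lost by not observing its runtime behaviour; a cluster with spare dynamic capacity may choose to run static hits as well.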
Optionally, in this embodiment, the storage medium may include, without limitation, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium capable of storing a computer program.
An embodiment of the present invention further provides an electronic device including a memory and a processor, where a computer program is stored in the memory and the processor is arranged to run the computer program so as to perform the steps of any of the method embodiments described above.
Optionally, the electronic device may further include a transmission device and an input/output device, both connected to the processor.
Optionally, in this embodiment, the processor may be arranged to perform the following steps by means of the computer program:
S1: collect sample data, where the sample data includes mail samples and malicious files;
S2: deliver the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox;
S3: detect the sample data using the sandbox cluster and, after associating the detection result with the sample data, store it in an advanced persistent threat (APT) attack intelligence database.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the embodiments and optional implementations above; they are not repeated here.
The serial numbers of the embodiments of the present application are for description only and do not imply that one embodiment is preferable to another.
In the embodiments of the present application, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely exemplary. For example, the division into units is only a division by logical function; in an actual implementation there may be another division, for example several units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections between units or modules made through interfaces, and may be electrical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual need to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, may each exist physically on their own, or two or more of them may be integrated into one unit. The integrated unit may be implemented in hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the method of each embodiment of the present application. The storage medium includes a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium capable of storing program code.
The above are only preferred embodiments of the present application. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present application, and such improvements and modifications should also be regarded as falling within the scope of protection of the present application.

Claims (10)

1. A method for detecting data using a sandbox cluster, characterised in that it comprises:
collecting sample data, wherein the sample data includes mail samples and malicious files;
delivering the sample data to a sandbox cluster, wherein the sandbox cluster includes a static sandbox and a dynamic sandbox;
detecting the sample data using the sandbox cluster, and, after associating the detection result with the sample data, storing it in an advanced persistent threat (APT) attack intelligence database.
2. The method according to claim 1, wherein delivering the sample data to the sandbox cluster comprises:
judging whether the static OWL detection rules of the static sandbox match the sample data;
when the static OWL detection rules of the static sandbox match the sample data, delivering the sample data to the static sandbox; when the static OWL detection rules of the static sandbox do not match the sample data, delivering the sample data to the dynamic sandbox.
3. The method according to claim 1, characterised in that detecting the sample data using the sandbox cluster comprises:
using the sandbox cluster to perform detection and extraction on the sample data on the basis of semantics and file meta-information, and identifying file information of the sample data, wherein the file information includes at least one of: file name, file type, file type matching degree, file size, the MD5 message digest, the SHA1, SHA256 and SHA512 secure hashes, and the SSDeep fuzzy hash;
extracting meta-information of the sample data according to the file information, wherein the meta-information includes at least one of: the byte count of the portable executable (PE), signature information, and the program database (PDB) file path.
4. The method according to claim 1, characterised in that detecting the sample data using the sandbox cluster comprises:
simulating a virtual environment by means of dynamic sandbox techniques;
running the sample data in the virtual environment, recording and analysing all behaviours of the sample data from process start to process end, capturing the traffic packets generated during execution, and generating a process report.
5. The method according to claim 1, characterised in that, after associating the detection result with the sample data and storing it in the APT attack intelligence database, the method further comprises:
tracking and locating the source of the APT attack according to the intelligence database.
6. A device for detecting data using a sandbox cluster, characterised in that it comprises:
an acquisition module, configured to collect sample data, wherein the sample data includes mail samples and malicious files;
a delivery module, configured to deliver the sample data to a sandbox cluster, wherein the sandbox cluster includes a static sandbox and a dynamic sandbox;
a processing module, configured to detect the sample data using the sandbox cluster and, after associating the detection result with the sample data, to store it in an advanced persistent threat (APT) attack intelligence database.
7. The device according to claim 6, characterised in that the delivery module comprises:
a judging unit, configured to judge whether the static OWL detection rules of the static sandbox match the sample data;
a delivery unit, configured to deliver the sample data to the static sandbox when the static OWL detection rules of the static sandbox match the sample data, and to deliver the sample data to the dynamic sandbox when the static OWL detection rules of the static sandbox do not match the sample data.
8. The device according to claim 6, characterised in that the processing module comprises:
a recognition unit, configured to use the sandbox cluster to perform detection and extraction on the sample data on the basis of semantics and file meta-information, and to identify file information of the sample data, wherein the file information includes at least one of: file name, file type, file type matching degree, file size, the MD5 message digest, the SHA1, SHA256 and SHA512 secure hashes, and the SSDeep fuzzy hash;
an extraction unit, configured to extract meta-information of the sample data according to the file information, wherein the meta-information includes at least one of: the byte count of the portable executable (PE), signature information, and the program database (PDB) file path.
9. A storage medium, characterised in that a computer program is stored in the storage medium, wherein the computer program is arranged to perform, when run, the method according to any one of claims 1 to 5.
10. An electronic device, including a memory and a processor, characterised in that a computer program is stored in the memory and the processor is arranged to run the computer program so as to perform the method according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910345232.3A CN110188538B (en) 2019-04-26 2019-04-26 Method and device for detecting data by adopting sandbox cluster

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910345232.3A CN110188538B (en) 2019-04-26 2019-04-26 Method and device for detecting data by adopting sandbox cluster

Publications (2)

Publication Number Publication Date
CN110188538A true CN110188538A (en) 2019-08-30
CN110188538B CN110188538B (en) 2021-07-20

Family

ID=67715260

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910345232.3A Active CN110188538B (en) 2019-04-26 2019-04-26 Method and device for detecting data by adopting sandbox cluster

Country Status (1)

Country Link
CN (1) CN110188538B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022377A (en) * 2007-01-31 2007-08-22 北京邮电大学 Interactive service establishing method based on service relation body
CN102004767A (en) * 2010-11-10 2011-04-06 北京航空航天大学 Abstract service logic-based interactive semantic Web service dynamic combination method
JP6210998B2 (en) * 2012-11-15 2017-10-11 一般財団法人化学及血清療法研究所 Infectious disease prevention method by combined use of vector vaccine and live vaccine
CN108009425A (en) * 2017-11-29 2018-05-08 四川无声信息技术有限公司 File detects and threat level decision method, apparatus and system
CN109190657A (en) * 2018-07-18 2019-01-11 国家计算机网络与信息安全管理中心 Sample homogeneous assays method based on data slicer and image hash combination

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11379578B1 (en) * 2020-10-16 2022-07-05 Trend Micro Incorporated Detecting malware by pooled analysis of sample files in a sandbox
CN112528273A (en) * 2020-12-29 2021-03-19 天津开心生活科技有限公司 Medical data detection method, device, medium and electronic equipment
CN112528273B (en) * 2020-12-29 2023-06-06 天津开心生活科技有限公司 Medical data detection method, device, medium and electronic equipment
CN113992443A (en) * 2021-12-28 2022-01-28 北京微步在线科技有限公司 Cloud sandbox flow processing method and device
CN113987521A (en) * 2021-12-28 2022-01-28 北京安华金和科技有限公司 Scanning processing method and device for database bugs
CN113987521B (en) * 2021-12-28 2022-03-22 北京安华金和科技有限公司 Scanning processing method and device for database bugs
CN113992443B (en) * 2021-12-28 2022-04-12 北京微步在线科技有限公司 Cloud sandbox flow processing method and device
CN115037523A (en) * 2022-05-17 2022-09-09 浙江工业大学 APT detection method for heterogeneous terminal log fusion

Also Published As

Publication number Publication date
CN110188538B (en) 2021-07-20

Similar Documents

Publication Publication Date Title
CN110188538A (en) Using the method and device of sandbox cluster detection data
CN110198303A (en) Threaten the generation method and device, storage medium, electronic device of information
US9661003B2 (en) System and method for forensic cyber adversary profiling, attribution and attack identification
US9628507B2 (en) Advanced persistent threat (APT) detection center
CN110149319B (en) APT organization tracking method and device, storage medium and electronic device
CN106375331B (en) Attack organization mining method and device
CN108683687B (en) Network attack identification method and system
CN108881263B (en) Network attack result detection method and system
CN110210213B (en) Method and device for filtering malicious sample, storage medium and electronic device
CN108183888B (en) Social engineering intrusion attack path detection method based on random forest algorithm
CN110149318B (en) Mail metadata processing method and device, storage medium and electronic device
CN101605074A (en) The method and system of communication behavioural characteristic monitoring wooden horse Network Based
CN113691566B (en) Mail server secret stealing detection method based on space mapping and network flow statistics
CN106713335B (en) Malicious software identification method and device
CN111786950A (en) Situation awareness-based network security monitoring method, device, equipment and medium
WO2019084072A1 (en) A graph model for alert interpretation in enterprise security system
CN110113350A (en) A kind of monitoring of Internet of things system security threat and system of defense and method
CN110035062A (en) A kind of network inspection method and apparatus
CN110543506A (en) Data analysis method and device, electronic equipment and storage medium
CN111859374A (en) Method, device and system for detecting social engineering attack event
CN113886829B (en) Method and device for detecting defect host, electronic equipment and storage medium
CN110224975A (en) The determination method and device of APT information, storage medium, electronic device
CN110188537B (en) Data separation storage method and device, storage medium and electronic device
CN114301659A (en) Network attack early warning method, system, device and storage medium
KR101048991B1 (en) Botnet Behavior Pattern Analysis System and Method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant after: Qianxin Technology Group Co., Ltd.

Address before: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

GR01 Patent grant