CN110188538A - Method and device for detecting data using a sandbox cluster - Google Patents
- Publication number: CN110188538A
- Application number: CN201910345232.3A
- Authority: CN (China)
- Prior art keywords: sample data, sandbox, static, file, cluster
- Prior art date
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
Abstract
The present invention provides a method and device for detecting data using a sandbox cluster. The method comprises: collecting sample data, where the sample data includes mail samples and malicious files; delivering the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox; detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing it in an intelligence database of advanced persistent threat (APT) attacks. The invention solves the technical problem in the related art that the intelligence database of APT attacks is collected inefficiently.
Description
Technical field
The present invention relates to the field of network security, and in particular to a method and device for detecting data using a sandbox cluster.
Background technique
A network attack is an attack launched against electronic equipment by hackers or by viruses and trojans, and it brings heavy losses to users through file theft and similar means.
When tracking an advanced persistent threat (APT) group, contextual analysis is mainly performed on the malicious files, phishing mails and other attack artifacts that propagate over the Internet. Attackers use malicious programs to intrude into and control networks and information systems in order to steal sensitive data and damage systems and the network environment; the detection rate for malicious samples propagating within an enterprise network, and the ability to analyze them in batches, are in urgent need of improvement.
In the related art, network attacks in the field of computer security are becoming increasingly specialized and targeted. Facing such attacks, defenders often lack an overall understanding of the attack, and defence is also fragmented, so that no sound defence system is formed. For example, APT attacks or the "Stuxnet" ("shake net") virus are purposeful and targeted, and are only aggressive towards specific industries or certain target systems. There is currently no scheme that can obtain threat intelligence in advance when such attacks occur on a small scale and then provide early warning and defence on a large scale, so the defence against network attacks lags behind.
For the above problems in the related art, no effective solution has yet been found.
Summary of the invention
Embodiments of the present invention provide a method and device for detecting data using a sandbox cluster.
According to one embodiment of the present invention, a method for detecting data using a sandbox cluster is provided, comprising: collecting sample data, where the sample data includes mail samples and malicious files; delivering the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox; detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing it in an intelligence database of advanced persistent threat (APT) attacks.
Optionally, delivering the sample data to the sandbox cluster includes: judging whether the static OWL detection rule of the static sandbox matches the sample data; when the static OWL detection rule of the static sandbox matches the sample data, delivering the sample data to the static sandbox; when the static OWL detection rule of the static sandbox does not match the sample data, delivering the sample data to the dynamic sandbox.
Optionally, detecting the sample data using the sandbox cluster includes: using the sandbox cluster to detect and extract from the sample data on the basis of semantics and file meta-information, and identifying the file information of the sample data, where the file information includes at least one of: file name, file type, file type matching degree, file size, Message Digest algorithm 5 (MD5), Secure Hash Algorithms SHA1, SHA256 and SHA512, and the fuzzy hash algorithm ssdeep; and extracting the meta-information of the sample data according to the file information, where the meta-information includes at least one of: the number of sections of the portable executable (PE), signature information, and the program database (PDB) file path.
Optionally, detecting the sample data using the sandbox cluster includes: constructing a virtual environment by means of dynamic sandbox technology; running the sample data in the virtual environment, recording and analyzing all behavior actions of the sample data from process start to end, capturing the traffic packets during execution, and generating a process report.
Optionally, after the detection result has been associated with the sample data and stored in the intelligence database of APT attacks, the method further includes: tracking and locating the source of the APT attack according to the intelligence database.
According to another embodiment of the present invention, a device for detecting data using a sandbox cluster is provided, comprising: a collection module for collecting sample data, where the sample data includes mail samples and malicious files; a delivery module for delivering the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox; and a processing module for detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing it in an intelligence database of advanced persistent threat (APT) attacks.
Optionally, the delivery module includes: a judging unit for judging whether the static OWL detection rule of the static sandbox matches the sample data; and a delivery unit for delivering the sample data to the static sandbox when the static OWL detection rule of the static sandbox matches the sample data, and to the dynamic sandbox when the static OWL detection rule of the static sandbox does not match the sample data.
Optionally, the processing module includes: a recognition unit for using the sandbox cluster to detect and extract from the sample data on the basis of semantics and file meta-information and for identifying the file information of the sample data, where the file information includes at least one of: file name, file type, file type matching degree, file size, Message Digest algorithm 5 (MD5), Secure Hash Algorithms SHA1, SHA256 and SHA512, and the fuzzy hash algorithm ssdeep; and an extraction unit for extracting the meta-information of the sample data according to the file information, where the meta-information includes at least one of: the number of sections of the portable executable (PE), signature information, and the program database (PDB) file path.
Optionally, the processing module includes: a simulation unit for constructing a virtual environment by means of dynamic sandbox technology; and a processing unit for running the sample data in the virtual environment, recording and analyzing all behavior actions of the sample data from process start to end, capturing the traffic packets during execution, and generating a process report.
Optionally, the device further includes: a tracking module for tracking and locating the source of the APT attack according to the intelligence database after the processing module has associated the detection result with the sample data and stored it in the intelligence database of APT attacks.
According to yet another embodiment of the present invention, a storage medium is also provided, in which a computer program is stored, where the computer program is arranged to execute, when run, the steps in any of the above method embodiments.
According to yet another embodiment of the present invention, an electronic device is also provided, including a memory and a processor, where a computer program is stored in the memory and the processor is arranged to run the computer program so as to execute the steps in any of the above method embodiments.
Through the present invention, sample data is collected, then delivered to a sandbox cluster that includes a static sandbox and a dynamic sandbox, and finally detected using the sandbox cluster, with the detection result associated with the sample data and stored in an intelligence database of advanced persistent threat (APT) attacks. By maintaining log analysis rules from the operation results of the static sandbox and tracking the core confrontation results of the dynamic sandbox, suspicious objects can be filtered and located more accurately, which solves the technical problem in the related art that the intelligence database of APT attacks is collected inefficiently. The ability of operations analysts to analyze, track and locate malicious samples is greatly improved, which is of great help to security personnel tracking the identity information of APT attackers.
Detailed description of the invention
The drawings described herein are provided for a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a hardware block diagram of a server for detecting data using a sandbox cluster according to an embodiment of the present invention;
Fig. 2 is a flow chart of a method for detecting data using a sandbox cluster according to an embodiment of the present invention;
Fig. 3 is the complete service logic diagram of an embodiment of the present invention;
Fig. 4 is the business process diagram of an embodiment of the present invention;
Fig. 5 is a structural block diagram of a device for detecting data using a sandbox cluster according to an embodiment of the present invention.
Specific embodiment
In order that those skilled in the art may better understand the solution of the present application, the technical solution in the embodiments of the present application is described clearly and completely below in conjunction with the drawings of those embodiments. Clearly, the described embodiments are only a part of the embodiments of the present application and not all of them. Based on the embodiments in the present application, all other embodiments obtained by a person of ordinary skill in the art without creative work shall fall within the scope of protection of the present application. It should be noted that, provided there is no conflict, the embodiments of the present application and the features in those embodiments may be combined with each other.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings of the present application are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described herein can be implemented in sequences other than those illustrated or described herein. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion: for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
Embodiment 1
The method embodiment provided in Embodiment 1 of the present application can be executed on a server or a similar computing device. Taking execution on a server as an example, Fig. 1 is a hardware block diagram of a server for detecting data using a sandbox cluster according to an embodiment of the present invention. As shown in Fig. 1, the server 10 may include one or more processors 102 (only one is shown in Fig. 1; the processor 102 may include, but is not limited to, a processing unit such as a microprocessor (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data; optionally, the server may further include a transmission device 106 for communication functions and an input/output device 108. Those of ordinary skill in the art will understand that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the server. For example, the server 10 may include more or fewer components than shown in Fig. 1, or have a configuration different from that shown in Fig. 1.
The memory 104 may be used to store computer programs, for example the software programs and modules of application software, such as the computer program corresponding to the method for detecting data using a sandbox cluster in an embodiment of the present invention; the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, thereby implementing the above method. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the server 10 through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transmission device 106 is used to receive or send data via a network. A specific example of the network may include a wireless network provided by the communication provider of the server 10. In one example, the transmission device 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (RF) module, which is used to communicate with the Internet wirelessly.
A method for detecting data using a sandbox cluster is provided in this embodiment. Fig. 2 is a flow chart of a method for detecting data using a sandbox cluster according to an embodiment of the present invention; as shown in Fig. 2, the process includes the following steps:
Step S202: collecting sample data, where the sample data includes mail samples and malicious files;
The sample data of this embodiment consists of the hardware, software and code that attack the hardware, software, programs, files and other data in a network system by exploiting vulnerabilities and security defects present in the network or in hardware entities.
After the sample data is obtained, the file type of the sample data or the type of device on which the sample data runs is also detected. The file type includes public files and private files: when the sample data is a public file, it is sent to a public cloud server; when the sample data is a private file, it is sent to a private cloud server or a local server. As for the device type, when the device belongs to a designated environment (for example, a unit with strong confidentiality requirements such as a government body or a financial institution), the sample data is sent to a private cloud server or a local server; when the device belongs to a general environment, the sample data is sent to a public cloud server. The public cloud server, the private cloud server and the local server are all provided with a sandbox cluster, and the sandbox cluster includes a static sandbox for static detection and a dynamic sandbox for dynamic detection.
Step S204: delivering the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox;
Step S206: detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing it in an intelligence database of advanced persistent threat (APT) attacks.
The report database of this embodiment includes IOC indicator information, APT organization information, member identity information, and information such as the means, scope, time and targets of APT attacks.
Through the above steps, sample data is collected, then delivered to a sandbox cluster that includes a static sandbox and a dynamic sandbox, and finally detected using the sandbox cluster, with the detection result associated with the sample data and stored in an intelligence database of advanced persistent threat (APT) attacks. By maintaining log analysis rules from the operation results of the static sandbox and tracking the core confrontation results of the dynamic sandbox, suspicious objects can be filtered and located more accurately. Through static analysis and dynamic debugging, malicious sample information is detected accurately and efficiently, misjudgements in manual analysis are reduced and efficiency is improved, and the technical problem in the related art that the intelligence database of APT attacks is collected inefficiently is solved. The ability of operations analysts to analyze, track and locate malicious samples is greatly improved, which is of great help to security personnel tracking the identity information of APT attackers.
In this embodiment, delivering the sample data to the sandbox cluster includes: judging whether the static OWL detection rule of the static sandbox matches the sample data; when the static OWL detection rule of the static sandbox matches the sample data, delivering the sample data to the static sandbox; when the static OWL detection rule of the static sandbox does not match the sample data, delivering the sample data to the dynamic sandbox.
In one implementation of this embodiment, the static sandbox mainly runs static rules and processes metadata, and detecting the sample data using the sandbox cluster includes:
S11: using the sandbox cluster to detect and extract from the sample data on the basis of semantics and file meta-information, and identifying the file information of the sample data, where the file information includes at least one of: file name, file type, file type matching degree, file size, Message Digest algorithm 5 (MD5), Secure Hash Algorithms SHA1, SHA256 and SHA512, and the fuzzy hash algorithm ssdeep;
S12: extracting the meta-information of the sample data according to the file information, where the meta-information includes at least one of: the number of sections of the portable executable (PE), signature information, and the program database (PDB) file path.
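The following Python block is an added illustration of the static sandbox stage (S11, S12) together with the static/dynamic delivery decision described just above; it is not code from the patent or its applicant. It computes the file information listed in S11 (name, type from magic bytes, a constructed "type matching degree" comparing the claimed extension with the content, size, MD5/SHA1/SHA256/SHA512; ssdeep is left out because it needs a third-party library), parses the S12 meta-information from a PE header by hand (section count, whether the security data directory is populated, the CodeView PDB path), and routes the sample. The OWL detection rule is not on the page, so `static_rule_matches` is a constructed stand-in, and `build_sample_pe` fabricates a minimal PE32 image purely so the example runs offline.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed magic-byte table: a stand-in for the patent's OWL file-type
# identification (hypothetical simplification, not the patent's engine).
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole"}
EXT_TO_TYPE = {"exe": "pe", "dll": "pe", "pdf": "pdf", "zip": "zip", "doc": "ole"}


@dataclass
class FileInfo:
    name: str
    size: int
    file_type: str
    type_match: float  # constructed "file type matching degree": extension vs. content
    md5: str
    sha1: str
    sha256: str
    sha512: str


@dataclass
class PeMeta:
    sections: int
    signed: bool  # non-empty security data directory (an Authenticode blob is present)
    pdb_path: Optional[str]


def identify(name: str, data: bytes) -> FileInfo:
    """Static stage S11: file information (name, type, matching degree, size, hashes)."""
    ftype = next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    match = 1.0 if EXT_TO_TYPE.get(ext) == ftype else 0.0
    return FileInfo(name, len(data), ftype, match,
                    hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
                    hashlib.sha256(data).hexdigest(), hashlib.sha512(data).hexdigest())


def pe_meta(data: bytes) -> Optional[PeMeta]:
    """Static stage S12: PE meta-information (section count, signature, PDB path)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # COFF SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)             # data directories (PE32 / PE32+)
    _, sec_size = struct.unpack_from("<II", data, dd + 4 * 8)         # SECURITY entry
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd + 6 * 8)   # DEBUG entry
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
                for i in range(nsec)]  # (VirtualAddress, SizeOfRawData, PointerToRawData)
    pdb = None
    for va, raw_size, raw_ptr in sections:
        if va <= dbg_rva < va + raw_size:  # map the debug directory RVA to a file offset
            start = dbg_rva - va + raw_ptr
            for ent in range(start, start + dbg_size, 28):   # IMAGE_DEBUG_DIRECTORY entries
                kind, size, _, ptr = struct.unpack_from("<IIII", data, ent + 12)
                if kind == 2 and data[ptr:ptr + 4] == b"RSDS":  # IMAGE_DEBUG_TYPE_CODEVIEW
                    pdb = data[ptr + 24:ptr + size].split(b"\0")[0].decode(errors="replace")
    return PeMeta(nsec, sec_size != 0, pdb)


def static_rule_matches(info: FileInfo) -> bool:
    # Constructed stand-in for the static OWL detection rule: the static sandbox
    # keeps files it can fully characterise (known type, consistent extension).
    return info.file_type != "unknown" and info.type_match == 1.0


def route(name: str, data: bytes):
    """Deliver the sample to the static or the dynamic sandbox and return what was extracted."""
    info = identify(name, data)
    meta = pe_meta(data) if info.file_type == "pe" else None
    return ("static" if static_rule_matches(info) else "dynamic"), info, meta


def build_sample_pe(pdb: bytes = b"C:\\build\\sample.pdb", signed: bool = False) -> bytes:
    """Constructed minimal PE32 image: one section holding a CodeView debug entry."""
    cv = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb + b"\0"   # RSDS, GUID, age, path
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, 2, len(cv), 0x1000 + 28, 0x200 + 28)
    raw = (entry + cv).ljust(0x200, b"\0")
    dirs = [(0, 0)] * 16
    dirs[4] = (0x400, 0x100) if signed else (0, 0)   # placeholder security directory
    dirs[6] = (0x1000, 28)                            # debug directory lives in the section
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000, len(raw), 0x200).ljust(32, b"\0")
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(0x200, b"\0") + raw


if __name__ == "__main__":
    target, info, meta = route("sample.exe", build_sample_pe())
    print(target, info.file_type, info.sha256, meta)
```

The signature check only reports whether the security directory is populated; verifying the Authenticode chain is a separate step that a production static sandbox would add. A sample whose extension disagrees with its magic bytes (a PDF named `invoice.exe`) fails the constructed rule and is handed to the dynamic sandbox, which is the case the delivery step exists for.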
In another implementation of this embodiment, a virtual environment is constructed by means of dynamic sandbox technology and every sample is executed in it; all behaviors from process start until execution has finished are analyzed, while traffic packets are captured and the process is recorded and reported during execution. Detecting the sample data using the sandbox cluster includes:
S21: constructing a virtual environment by means of dynamic sandbox technology;
S22: running the sample data in the virtual environment, recording and analyzing all behavior actions of the sample data from process start to end, capturing the traffic packets during execution, and generating a process report.
The recorded behavior actions may include, but are not limited to: operating on a process and decompressing into it (possibly code injection), detecting a kernel debugger, querying the process list, changing the tracking settings of a file or console, allocating read-write-execute memory space, creating an executable file in the file system, creating a suspicious process, and collecting information for fingerprinting the system (unique identifiers, product IDs, BIOS time).
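As an added example of the process report produced in S22 (not part of the patent), the Python block below turns a constructed dynamic-sandbox event stream into a report that counts the behavior categories listed above and collects the network endpoints the sample contacted. The JSON-lines event format, the API names chosen for each category and the verdict threshold are all assumptions made for this example; the patent does not specify its sandbox's rule set.

```python
import json
from collections import Counter

# Constructed dynamic-sandbox event stream (hypothetical JSON-lines format, one
# monitored API call per line); not output of the patent's sandbox.
EVENTS = r"""
{"pid": 1204, "api": "NtQuerySystemInformation", "args": {"class": "SystemProcessInformation"}}
{"pid": 1204, "api": "IsDebuggerPresent", "args": {}}
{"pid": 1204, "api": "NtQuerySystemInformation", "args": {"class": "SystemKernelDebuggerInformation"}}
{"pid": 1204, "api": "NtAllocateVirtualMemory", "args": {"protect": "PAGE_EXECUTE_READWRITE", "size": 65536}}
{"pid": 1204, "api": "NtWriteVirtualMemory", "args": {"target_pid": 880}}
{"pid": 1204, "api": "NtCreateFile", "args": {"path": "C:\\Users\\Public\\svc.exe", "access": "GENERIC_WRITE"}}
{"pid": 1204, "api": "CreateProcessW", "args": {"image": "C:\\Users\\Public\\svc.exe", "child_pid": 1388}}
{"pid": 1204, "api": "RegQueryValueExW", "args": {"key": "HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS", "value": "BIOSReleaseDate"}}
{"pid": 1388, "api": "RegQueryValueExW", "args": {"key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "value": "ProductId"}}
{"pid": 1388, "api": "connect", "args": {"dst": "198.51.100.23", "port": 443, "host": "update.example.net"}}
"""

# Behaviour categories named in the description, each paired with a constructed
# predicate over a single event (the real sandbox's rules are not on the page).
BEHAVIOURS = [
    ("code_injection", lambda e: e["api"] in ("NtWriteVirtualMemory", "CreateRemoteThread")
        and e["args"].get("target_pid") not in (None, e["pid"])),
    ("kernel_debugger_check", lambda e: e["api"] == "IsDebuggerPresent"
        or e["args"].get("class") == "SystemKernelDebuggerInformation"),
    ("process_list_query", lambda e: e["api"] == "CreateToolhelp32Snapshot"
        or e["args"].get("class") == "SystemProcessInformation"),
    ("rwx_memory_alloc", lambda e: e["api"] == "NtAllocateVirtualMemory"
        and e["args"].get("protect") == "PAGE_EXECUTE_READWRITE"),
    ("executable_dropped", lambda e: e["api"] == "NtCreateFile"
        and e["args"].get("path", "").lower().endswith(".exe")
        and "WRITE" in e["args"].get("access", "")),
    ("suspicious_child_process", lambda e: e["api"] == "CreateProcessW"
        and "\\users\\public\\" in e["args"].get("image", "").lower()),
    ("system_fingerprinting", lambda e: e["api"] == "RegQueryValueExW"
        and e["args"].get("value") in ("ProductId", "BIOSReleaseDate", "MachineGuid")),
]


def analyse(event_lines, sample_sha256):
    """Build the process report: behaviours from process start to end plus captured endpoints."""
    events = [json.loads(line) for line in event_lines if line.strip()]
    hits, network = Counter(), set()
    for e in events:
        hits.update(label for label, pred in BEHAVIOURS if pred(e))
        if e["api"] == "connect":  # stands in for the traffic captured during execution
            network.add((e["args"]["dst"], e["args"].get("host")))
    # Constructed verdict threshold: three distinct behaviour categories or more.
    verdict = "malicious" if len(hits) >= 3 else "suspicious" if hits else "clean"
    return {"sample": sample_sha256, "processes": sorted({e["pid"] for e in events}),
            "events": len(events), "behaviours": dict(hits),
            "network": sorted(network), "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(analyse(EVENTS.splitlines(), "sha256-placeholder"), indent=2))
```

The report keeps the sample hash as its key so the later storage step can associate the result with the sample, and it records the child process created from the dropped file as part of the same run, which is what "from process start to end" requires of the recorder.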
In addition to the detection by the static sandbox and the dynamic sandbox, samples whose results cannot be detected can also be analyzed manually as failed samples, and the analysis result is added to the intelligence database of APT attacks.
Optionally, after the detection result has been associated with the sample data and stored in the intelligence database of APT attacks, the method further includes: tracking and locating the source of the APT attack according to the intelligence database.
The APT analysis method based on malicious samples of this embodiment relates to the field of computer information security. Overall, it provides a way of extracting malicious information from large numbers of files, and maintains the IOC (Indicators of Compromise) and TTP (Tactics, Techniques and Procedures) information of the related APT organizations (for example, by extracting features from the IOC indicator information of each query, scoring it and extracting metadata, while also extracting the related APT organization information and associated context information and recording tactics, techniques and other related information). At the same time, metadata of mail samples and malicious file samples is extracted and managed, and sample identification and result display are provided for malicious samples and malicious mail information. The IP addresses and attack process information of affected users are also recorded, attack activity and context information are recorded in a data storage platform, and the interactions of file samples are analyzed by association. By this method, attack analysis and operations on the source of an APT attack are carried out on malicious samples so as to discover and keep track of attack groups, and the efficiency of sample analysis and operations is greatly improved.
In a complete implementation of this embodiment, the following functional modules are included, in order of sequence: a network collector, a static sandbox, a dynamic sandbox, a high-confrontation sandbox cluster, an intelligence matching module, and an event response module.
Network collector: samples are input through automated means, such as the delivery of mail attachments and the batch automated delivery of original documents, and uploaded to the sandbox interface;
Static sandbox: the static sandbox first performs static detection on the sample file and matches the static rules for malicious files. Information is obtained by extracting document metadata, including file name, file type, file type matching degree, file size, MD5 (Message-Digest Algorithm 5), SHA (Secure Hash Algorithm) 1, SHA256, SHA512, ssdeep and so on. At the same time, files are detected and screened by static engine rules written in OWL (Web Ontology Language);
Dynamic sandbox: simulated dynamic execution, analyzing host behavior, obtaining network behavior and screenshots during operation, and capturing network traffic and samples;
High-confrontation sandbox cluster: stores massive amounts of data and the information of every detection result, including file type data; all historical data related to sandbox results and file type data are stored in the cluster;
Intelligence matching module: matches the IOCs in the sandbox detection results and, after associating context, obtains the family information, the malicious domain names accessed and their historical resolution addresses, so that the family information of a malicious sample and the association analysis of the APT attack source can be located more accurately. For example, by querying a malicious sample in the sandbox and associating it with threat intelligence and WHOIS historical information (WHOIS being a transport protocol used to query information such as the IP address and owner of a domain name), all information related to the file can be given;
Event response module: counts and handles the current analysis results of samples, provides case management and event correlation, and supports the real-time update of each engine and detection rule as well as the secondary production of intelligence.
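The Python block below is an added example (not the patent's code) covering two passages: the intelligence matching module just described, and the optional step earlier in this embodiment of tracking and locating the APT attack source from the intelligence database. It matches the network endpoints in a sandbox report against an IOC table to obtain family and group information, enriches the hit with historical resolution addresses and a WHOIS record, stores the associated record in an in-memory stand-in for the intelligence database, and then pivots from one sample to the other samples sharing its infrastructure. The IOC table, DNS history, WHOIS cache and sample reports are all constructed placeholder data.

```python
from collections import defaultdict

# Constructed IOC table (indicator -> family and APT group); placeholder values,
# not indicators from the patent.
IOC_TABLE = {
    "update.example.net": {"family": "ExampleRAT", "group": "APT-PLACEHOLDER-1"},
    "198.51.100.23": {"family": "ExampleRAT", "group": "APT-PLACEHOLDER-1"},
    "cdn.example.org": {"family": "ExampleLoader", "group": "APT-PLACEHOLDER-2"},
}
# Constructed passive-DNS history and WHOIS cache, standing in for external lookups.
DNS_HISTORY = {"update.example.net": ["198.51.100.23", "203.0.113.7"]}
WHOIS = {"update.example.net": {"registrant": "placeholder-registrant", "created": "2018-03-01"}}


def match_iocs(report):
    """Intelligence matching: an IOC hit yields family/group, enriched with history and WHOIS."""
    matches, seen = [], set()
    for ip, host in report["network"]:
        for ind in (host, ip):
            if ind in IOC_TABLE and ind not in seen:
                seen.add(ind)
                matches.append({"indicator": ind, **IOC_TABLE[ind],
                                "history": DNS_HISTORY.get(ind, []),
                                "whois": WHOIS.get(ind)})
    return matches


class IntelDB:
    """In-memory stand-in for the APT intelligence database (constructed)."""

    def __init__(self):
        self.records = {}                      # sample sha256 -> stored record
        self.by_indicator = defaultdict(set)   # indicator -> set of sample sha256

    def store(self, report):
        """Associate the detection result with the sample and store it."""
        matches = match_iocs(report)
        rec = {"sample": report["sample"], "verdict": report["verdict"],
               "behaviours": report["behaviours"], "iocs": matches,
               "groups": sorted({m["group"] for m in matches}),
               "attack_scope": sorted(report.get("affected_users", []))}  # affected user IPs
        self.records[report["sample"]] = rec
        for ip, host in report["network"]:
            for ind in (host, ip):
                if ind:
                    self.by_indicator[ind].add(report["sample"])
        return rec

    def trace(self, sha256):
        """Track the attack source: samples sharing infrastructure, and the groups involved."""
        related = set()
        for samples in self.by_indicator.values():
            if sha256 in samples:
                related |= samples
        related.discard(sha256)
        groups = sorted({g for s in related | {sha256} for g in self.records[s]["groups"]})
        return {"related_samples": sorted(related), "groups": groups}


# Constructed sandbox reports in the shape of the dynamic-sandbox process report.
REPORTS = [
    {"sample": "sha256-A", "verdict": "malicious", "behaviours": {"code_injection": 1},
     "network": [("198.51.100.23", "update.example.net")], "affected_users": ["10.0.0.12"]},
    {"sample": "sha256-B", "verdict": "suspicious", "behaviours": {"system_fingerprinting": 2},
     "network": [("203.0.113.7", "update.example.net")], "affected_users": ["10.0.0.40"]},
    {"sample": "sha256-C", "verdict": "clean", "behaviours": {},
     "network": [("192.0.2.9", "mirror.example.com")], "affected_users": []},
]


def run():
    db = IntelDB()
    for r in REPORTS:
        db.store(r)
    return db


if __name__ == "__main__":
    db = run()
    print(db.records["sha256-A"]["groups"], db.trace("sha256-A"))
```

Sample B resolves the same domain to a different address than sample A, which the historical resolution list links back to the same group; indexing by indicator rather than by IP alone is what makes that pivot possible.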
Fig. 3 is the complete service logic diagram of an embodiment of the present invention, and Fig. 4 is the business process diagram of an embodiment of the present invention, comprising:
Traffic collection process: responsible for the automated collection and batch delivery of the collected samples, consisting mainly of a traffic collection device and a sample collection device;
Sandbox detection process: divided into a static detection sandbox and a dynamic detection sandbox. Through the high-confrontation sandbox cluster, the static OWL filtering and extraction engine performs text semantic analysis and screening; the static OWL rules detect and extract from text data on the basis of semantics and file meta-information, and the OWL engine can identify the file type and extract the corresponding meta-information data according to each file type, for example how many sections a PE (Portable Executable) has, whether it is signed and with what, and what the PDB (Program Database File) path name is, after which the sample is delivered to the corresponding static or dynamic sandbox;
Data storage and response process: responsible for storing the APT family information associations and cases of the sandbox in the database and producing new intelligence.
Optionally, the executing subject of the above steps may be a cloud server or a local server connected to one or more clients, and the client may be a mobile terminal, a PC or the like, but is not limited to these.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by means of software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention.
Embodiment 2
This embodiment further provides a device for detecting data using a sandbox cluster, which may be a server; the device is used to implement the above embodiments and preferred implementations, and what has already been described will not be repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the device described in the following embodiment is preferably implemented in software, an implementation in hardware or in a combination of software and hardware is also possible and conceivable.
Fig. 5 is a structural block diagram of a device for detecting data using a sandbox cluster according to an embodiment of the present invention, which can be applied in a server; as shown in Fig. 5, the device includes a collection module 50, a delivery module 52 and a processing module 54, where:
the collection module 50 is used to collect sample data, where the sample data includes mail samples and malicious files;
the delivery module 52 is used to deliver the sample data to a sandbox cluster, where the sandbox cluster includes a static sandbox and a dynamic sandbox;
the processing module 54 is used to detect the sample data using the sandbox cluster, associate the detection result with the sample data, and store it in an intelligence database of advanced persistent threat (APT) attacks.
Optionally, the delivery module includes: a judging unit for judging whether the static OWL detection rule of the static sandbox matches the sample data; and a delivery unit for delivering the sample data to the static sandbox when the static OWL detection rule of the static sandbox matches the sample data, and to the dynamic sandbox when the static OWL detection rule of the static sandbox does not match the sample data.
Optionally, the processing module includes: a recognition unit for using the sandbox cluster to detect and extract from the sample data on the basis of semantics and file meta-information and for identifying the file information of the sample data, where the file information includes at least one of: file name, file type, file type matching degree, file size, Message Digest algorithm 5 (MD5), Secure Hash Algorithms SHA1, SHA256 and SHA512, and the fuzzy hash algorithm ssdeep; and an extraction unit for extracting the meta-information of the sample data according to the file information, where the meta-information includes at least one of: the number of sections of the portable executable (PE), signature information, and the program database (PDB) file path.
Optionally, the processing module includes: a simulation unit for constructing a virtual environment by means of dynamic sandbox technology; and a processing unit for running the sample data in the virtual environment, recording and analyzing all behavior actions of the sample data from process start to end, capturing the traffic packets during execution, and generating a process report.
Optionally, the device further includes: a tracking module for tracking and locating the source of the APT attack according to the intelligence database after the processing module has associated the detection result with the sample data and stored it in the intelligence database of APT attacks.
It should be noted that the above modules can be implemented in software or in hardware; in the latter case this can be achieved in the following ways, without being limited to them: the above modules are all located in the same processor, or the above modules are located in different processors in any combination.
Embodiment 3
The embodiments of the present invention also provide a kind of storage medium, computer program is stored in the storage medium, wherein
The computer program is arranged to execute the step in any of the above-described embodiment of the method when operation.
Optionally, in the present embodiment, above-mentioned storage medium can be set to store by executing based on following steps
Calculation machine program:
S1: collect sample data, wherein the sample data includes mail samples and malicious files;
S2: deliver the sample data to a sandbox cluster, wherein the sandbox cluster includes a static sandbox and a dynamic sandbox;
S3: detect the sample data using the sandbox cluster, associate the detection result with the sample data, and store it in an information database of advanced persistent threat (APT) attacks.
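The static-sandbox side of steps S1 to S3, together with the recognition and extracting units described above, as an added example that is not the patent's own code: it sniffs the file type from magic bytes, scores whether the extension agrees with the content (a 1.0/0.0 stand-in for the "file type matching degree"), computes the MD5, SHA1, SHA256 and SHA512 digests, parses a PE header for the Authenticode security directory (signature information) and the CodeView PDB path, routes the sample to the static or dynamic sandbox on a constructed static-rule predicate, and stores the result associated with the sample's SHA-256 in an in-memory SQLite table that stands in for the APT information database. The rule format, the routing predicates, the table schema and the header-only PE samples are assumptions; SSDeep is omitted because it needs a third-party library.

```python
# Added example, not the patent's code: static-sandbox extraction, static-rule routing and
# storage of the associated result.  Rules, schema and sample files are assumptions.
import hashlib
import sqlite3
import struct

# Magic-byte table for the "file type" field and the extensions expected per type (constructed).
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"\x7fELF", "elf")]
EXTS = {"pe": {".exe", ".dll", ".sys"}, "pdf": {".pdf"}, "zip": {".zip", ".docx"}}


def file_info(name, data):
    """Filename, content-sniffed type, type/extension agreement (1.0 or 0.0), size and digests."""
    kind = next((k for sig, k in MAGIC if data.startswith(sig)), "unknown")
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return {"filename": name, "file_type": kind, "size": len(data),
            "type_match": 1.0 if ext in EXTS.get(kind, set()) else 0.0,
            **{h: hashlib.new(h, data).hexdigest() for h in ("md5", "sha1", "sha256", "sha512")}}


def pe_meta(data):
    """Byte count, presence of an Authenticode table and the CodeView PDB path; None if not PE."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        opt = e_lfanew + 24
        dd = 96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112  # PE32 / PE32+
        signed = False
        if size_opt >= dd + 5 * 8:  # data directory index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
            signed = struct.unpack_from("<II", data, opt + dd + 4 * 8)[1] > 0
    except struct.error:  # truncated header: not parseable as PE
        return None
    pdb, rsds = None, data.find(b"RSDS")  # CodeView record: "RSDS", GUID(16), age(4), path\0
    if rsds >= 0:
        end = data.find(b"\0", rsds + 24)
        if end > rsds + 24:
            pdb = data[rsds + 24:end].decode("utf-8", "replace")
    return {"byte_count": len(data), "signed": signed, "pdb_path": pdb}


# Constructed stand-in for the static detection rules: a rule "hits" when its predicate holds.
STATIC_RULES = {
    "unsigned-pe-temp-pdb": lambda fi, m: m is not None and not m["signed"]
    and bool(m["pdb_path"]) and "temp" in m["pdb_path"].lower(),
    "type-ext-mismatch": lambda fi, m: fi["file_type"] != "unknown" and fi["type_match"] == 0.0,
}


def route(fi, meta):
    """Samples hit by a static rule go to the static sandbox, all others to the dynamic one."""
    hits = [name for name, pred in STATIC_RULES.items() if pred(fi, meta)]
    return ("static" if hits else "dynamic"), hits


def open_db():
    """In-memory SQLite table standing in for the APT information database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE apt_intel (sha256 TEXT PRIMARY KEY, filename TEXT, file_type TEXT,"
               " sandbox TEXT, rules TEXT, signed INTEGER, pdb_path TEXT)")
    return db


def triage(db, name, data):
    """S1-S3 for one sample: extract file info and meta-information, route, store keyed by SHA-256."""
    fi, meta = file_info(name, data), pe_meta(data)
    sandbox, hits = route(fi, meta)
    db.execute("INSERT OR REPLACE INTO apt_intel VALUES (?, ?, ?, ?, ?, ?, ?)",
               (fi["sha256"], name, fi["file_type"], sandbox, ",".join(hits),
                None if meta is None else int(meta["signed"]),
                None if meta is None else meta["pdb_path"]))
    return {**fi, "meta": meta, "sandbox": sandbox, "rules": hits}


def constructed_pe(signed, pdb):
    """Header-only PE stand-in (constructed sample, not a real executable) to exercise pe_meta."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew: PE header at 64
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 optional-header magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x200)  # non-empty security directory
    cv = b"" if pdb is None else b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb + b"\0"
    return bytes(dos + coff + opt + cv)


if __name__ == "__main__":
    db = open_db()
    print(triage(db, "invoice.exe", constructed_pe(False, b"C:\\Temp\\build\\payload.pdb")))
    print(triage(db, "setup.exe", constructed_pe(True, None)))
```

The `signed` flag only records that a certificate table is present; it does not verify the signature, which a static sandbox would still have to do before trusting the result. The rules in `STATIC_RULES` decide routing only, matching the claim that samples a static rule does not cover fall through to the dynamic sandbox.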
Optionally, in this embodiment, the above storage medium can include, but is not limited to: a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a mobile hard disk, a magnetic disk or an optical disk, and other media that can store a computer program.
Embodiments of the present invention also provide an electronic device including a memory and a processor, wherein a computer program is stored in the memory and the processor is configured to run the computer program to execute the steps of any of the above method embodiments.
Optionally, the above electronic device may also include a transmission device and an input-output device, wherein both the transmission device and the input-output device are connected to the above processor.
Optionally, in this embodiment, the above processor can be configured to execute the following steps through the computer program:
S1: collect sample data, wherein the sample data includes mail samples and malicious files;
S2: deliver the sample data to a sandbox cluster, wherein the sandbox cluster includes a static sandbox and a dynamic sandbox;
S3: detect the sample data using the sandbox cluster, associate the detection result with the sample data, and store it in an information database of advanced persistent threat (APT) attacks.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations; they are not repeated here.
The serial numbers of the above embodiments of the present application are for description only and do not represent the superiority or inferiority of the embodiments.
In the above embodiments of the present application, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of the units is only a logical functional division, and there may be other division manners in actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a mobile hard disk, a magnetic disk or an optical disk, and other media that can store program code.
The above are only preferred embodiments of the present application. It should be noted that, for those of ordinary skill in the art, several improvements and modifications can be made without departing from the principles of the present application, and these improvements and modifications should also be regarded as falling within the protection scope of the present application.
Claims (10)
1. A method for detecting data using a sandbox cluster, comprising:
collecting sample data, wherein the sample data includes mail samples and malicious files;
delivering the sample data to a sandbox cluster, wherein the sandbox cluster includes a static sandbox and a dynamic sandbox; and
detecting the sample data using the sandbox cluster, associating the detection result with the sample data, and storing it in an information database of advanced persistent threat (APT) attacks.
2. The method according to claim 1, wherein delivering the sample data to the sandbox cluster comprises:
judging whether a static OWL detection rule of the static sandbox matches the sample data; and
when the static OWL detection rule of the static sandbox matches the sample data, delivering the sample data to the static sandbox; when the static OWL detection rule of the static sandbox does not match the sample data, delivering the sample data to the dynamic sandbox.
3. The method according to claim 1, wherein detecting the sample data using the sandbox cluster comprises:
using the sandbox cluster to perform detection and extraction on the sample data based on semantics and file meta-information, and identifying file information of the sample data, wherein the file information includes at least one of: filename, file type, file type matching degree, file size, Message Digest Algorithm 5 (MD5) digest, Secure Hash Algorithm (SHA1, SHA256, SHA512) digests, and fuzzy hash (SSDeep) digest; and
extracting meta-information of the sample data according to the file information, wherein the meta-information includes at least one of: the byte count of the portable executable (PE) body, signature information, and the program database (PDB) file path.
4. The method according to claim 1, wherein detecting the sample data using the sandbox cluster comprises:
simulating a virtual environment through dynamic sandboxing technology; and
running the sample data in the virtual environment, recording and analyzing all behavior actions of the sample data from process start to process end, capturing the traffic packets during execution, and generating a process report.
5. The method according to claim 1, wherein after associating the detection result with the sample data and storing it in the information database of APT attacks, the method further comprises:
tracking and locating the source of the APT attack according to the information database.
6. A device for detecting data using a sandbox cluster, comprising:
an acquisition module, configured to collect sample data, wherein the sample data includes mail samples and malicious files;
a delivery module, configured to deliver the sample data to a sandbox cluster, wherein the sandbox cluster includes a static sandbox and a dynamic sandbox; and
a processing module, configured to detect the sample data using the sandbox cluster, associate the detection result with the sample data, and store it in an information database of advanced persistent threat (APT) attacks.
7. The device according to claim 6, wherein the delivery module comprises:
a judging unit, configured to judge whether a static OWL detection rule of the static sandbox matches the sample data; and
a delivery unit, configured to deliver the sample data to the static sandbox when the static OWL detection rule of the static sandbox matches the sample data, and to deliver the sample data to the dynamic sandbox when the static OWL detection rule of the static sandbox does not match the sample data.
8. The device according to claim 6, wherein the processing module comprises:
a recognition unit, configured to use the sandbox cluster to perform detection and extraction on the sample data based on semantics and file meta-information, and to identify file information of the sample data, wherein the file information includes at least one of: filename, file type, file type matching degree, file size, Message Digest Algorithm 5 (MD5) digest, Secure Hash Algorithm (SHA1, SHA256, SHA512) digests, and fuzzy hash (SSDeep) digest; and
an extracting unit, configured to extract meta-information of the sample data according to the file information, wherein the meta-information includes at least one of: the byte count of the portable executable (PE) body, signature information, and the program database (PDB) file path.
9. A storage medium, wherein a computer program is stored in the storage medium, and the computer program is configured to execute, when run, the method according to any one of claims 1 to 5.
10. An electronic device, comprising a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to run the computer program to execute the method according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910345232.3A CN110188538B (en) | 2019-04-26 | 2019-04-26 | Method and device for detecting data by adopting sandbox cluster |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910345232.3A CN110188538B (en) | 2019-04-26 | 2019-04-26 | Method and device for detecting data by adopting sandbox cluster |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110188538A true CN110188538A (en) | 2019-08-30 |
CN110188538B CN110188538B (en) | 2021-07-20 |
Family
ID=67715260
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910345232.3A Active CN110188538B (en) | 2019-04-26 | 2019-04-26 | Method and device for detecting data by adopting sandbox cluster |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110188538B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112528273A (en) * | 2020-12-29 | 2021-03-19 | 天津开心生活科技有限公司 | Medical data detection method, device, medium and electronic equipment |
CN113992443A (en) * | 2021-12-28 | 2022-01-28 | 北京微步在线科技有限公司 | Cloud sandbox flow processing method and device |
CN113987521A (en) * | 2021-12-28 | 2022-01-28 | 北京安华金和科技有限公司 | Scanning processing method and device for database bugs |
US11379578B1 (en) * | 2020-10-16 | 2022-07-05 | Trend Micro Incorporated | Detecting malware by pooled analysis of sample files in a sandbox |
CN115037523A (en) * | 2022-05-17 | 2022-09-09 | 浙江工业大学 | APT detection method for heterogeneous terminal log fusion |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101022377A (en) * | 2007-01-31 | 2007-08-22 | 北京邮电大学 | Interactive service establishing method based on service relation body |
CN102004767A (en) * | 2010-11-10 | 2011-04-06 | 北京航空航天大学 | Abstract service logic-based interactive semantic Web service dynamic combination method |
JP6210998B2 (en) * | 2012-11-15 | 2017-10-11 | 一般財団法人化学及血清療法研究所 | Infectious disease prevention method by combined use of vector vaccine and live vaccine |
CN108009425A (en) * | 2017-11-29 | 2018-05-08 | 四川无声信息技术有限公司 | File detects and threat level decision method, apparatus and system |
CN109190657A (en) * | 2018-07-18 | 2019-01-11 | 国家计算机网络与信息安全管理中心 | Sample homogeneous assays method based on data slicer and image hash combination |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11379578B1 (en) * | 2020-10-16 | 2022-07-05 | Trend Micro Incorporated | Detecting malware by pooled analysis of sample files in a sandbox |
CN112528273A (en) * | 2020-12-29 | 2021-03-19 | 天津开心生活科技有限公司 | Medical data detection method, device, medium and electronic equipment |
CN112528273B (en) * | 2020-12-29 | 2023-06-06 | 天津开心生活科技有限公司 | Medical data detection method, device, medium and electronic equipment |
CN113992443A (en) * | 2021-12-28 | 2022-01-28 | 北京微步在线科技有限公司 | Cloud sandbox flow processing method and device |
CN113987521A (en) * | 2021-12-28 | 2022-01-28 | 北京安华金和科技有限公司 | Scanning processing method and device for database bugs |
CN113987521B (en) * | 2021-12-28 | 2022-03-22 | 北京安华金和科技有限公司 | Scanning processing method and device for database bugs |
CN113992443B (en) * | 2021-12-28 | 2022-04-12 | 北京微步在线科技有限公司 | Cloud sandbox flow processing method and device |
CN115037523A (en) * | 2022-05-17 | 2022-09-09 | 浙江工业大学 | APT detection method for heterogeneous terminal log fusion |
Also Published As
Publication number | Publication date |
---|---|
CN110188538B (en) | 2021-07-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110188538A (en) | Using the method and device of sandbox cluster detection data | |
CN110198303A (en) | Threaten the generation method and device, storage medium, electronic device of information | |
US9661003B2 (en) | System and method for forensic cyber adversary profiling, attribution and attack identification | |
US9628507B2 (en) | Advanced persistent threat (APT) detection center | |
CN110149319B (en) | APT organization tracking method and device, storage medium and electronic device | |
CN106375331B (en) | Attack organization mining method and device | |
CN108683687B (en) | Network attack identification method and system | |
CN108881263B (en) | Network attack result detection method and system | |
CN110210213B (en) | Method and device for filtering malicious sample, storage medium and electronic device | |
CN108183888B (en) | Social engineering intrusion attack path detection method based on random forest algorithm | |
CN110149318B (en) | Mail metadata processing method and device, storage medium and electronic device | |
CN101605074A (en) | The method and system of communication behavioural characteristic monitoring wooden horse Network Based | |
CN113691566B (en) | Mail server secret stealing detection method based on space mapping and network flow statistics | |
CN106713335B (en) | Malicious software identification method and device | |
CN111786950A (en) | Situation awareness-based network security monitoring method, device, equipment and medium | |
WO2019084072A1 (en) | A graph model for alert interpretation in enterprise security system | |
CN110113350A (en) | A kind of monitoring of Internet of things system security threat and system of defense and method | |
CN110035062A (en) | A kind of network inspection method and apparatus | |
CN110543506A (en) | Data analysis method and device, electronic equipment and storage medium | |
CN111859374A (en) | Method, device and system for detecting social engineering attack event | |
CN113886829B (en) | Method and device for detecting defect host, electronic equipment and storage medium | |
CN110224975A (en) | The determination method and device of APT information, storage medium, electronic device | |
CN110188537B (en) | Data separation storage method and device, storage medium and electronic device | |
CN114301659A (en) | Network attack early warning method, system, device and storage medium | |
KR101048991B1 (en) | Botnet Behavior Pattern Analysis System and Method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | | Address after: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing; Applicant after: Qianxin Technology Group Co., Ltd.; Address before: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing; Applicant before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD. |
CB02 | Change of applicant information | ||
GR01 | Patent grant | ||
GR01 | Patent grant |