CN110210213A - Method and device for filtering malicious samples, storage medium, and electronic device - Google Patents


Info

Publication number
CN110210213A
Authority
CN (China)
Prior art keywords
sample, malicious sample, malicious, target, label
Legal status
Granted
Application number
CN201910346162.3A
Other languages
Chinese (zh)
Other versions
CN110210213B (en)
Inventor
白敏�
白子潘
Current Assignee
Beijing Qianxin Technology Co Ltd
Original Assignee
Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qianxin Technology Co Ltd
Priority to CN201910346162.3A
Publication of CN110210213A
Application granted
Publication of CN110210213B
Legal status: Active


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention provides a method and device for filtering malicious samples, a storage medium, and an electronic device. The method comprises: obtaining multiple malicious samples; filtering the multiple malicious samples using Web Ontology Language (OWL) rules and submitting the filtered target malicious samples to a static sandbox; and detecting the target malicious samples in the static sandbox to obtain a detection result. The invention solves the technical problem in the related art of wasted bandwidth when handling massive numbers of malicious samples.

Description

Method and device for filtering malicious samples, storage medium, and electronic device
Technical field
The present invention relates to the field of network security, and in particular to a method and device for filtering malicious samples, a storage medium, and an electronic device.
Background technique
A network attack is an attack launched against electronic equipment by a hacker, a virus, a trojan or the like, which causes users heavy losses, for example by stealing files.
When tracking an advanced persistent threat (APT) group, context correlation analysis is performed mainly on malicious files, phishing emails and similar attack artefacts propagating on the Internet. Attackers use malicious programs to intrude into and control networks and information systems in order to steal sensitive data and damage systems and the network environment, so the detection rate and batch analysis capability for malicious samples propagating in enterprise networks urgently need to be improved.
In the related art, network attacks in the computer security field are becoming more and more specialized and targeted. Faced with such attacks, defenders often lack an overall understanding of the attack, and defence is carried out in isolation without forming a sound defence system. For example, APT attacks or the Stuxnet virus are purposeful and targeted, and are aggressive only towards a specific industry or certain target systems. Currently there is no scheme that can obtain threat intelligence in advance when these attacks occur in a small area and then issue early warnings and mount defences over a wide area, so defence against network attacks lags behind.
No effective solution to the above problems in the related art has yet been found.
Summary of the invention
Embodiments of the present invention provide a method and device for filtering malicious samples, a storage medium, and an electronic device.
According to one embodiment of the present invention, a method for filtering malicious samples is provided, comprising: obtaining multiple malicious samples; filtering the multiple malicious samples using Web Ontology Language (OWL) rules and submitting the filtered target malicious samples to a static sandbox; and detecting the target malicious samples in the static sandbox to obtain a detection result.
Optionally, filtering the multiple malicious samples using OWL rules comprises: for each of the multiple malicious samples, parsing the sample's labels; judging whether the labels of each malicious sample include a preset trusted label, where the trusted label includes a Common Vulnerabilities and Exposures (CVE) label; and, among the multiple malicious samples, retaining the samples that contain the trusted label and rejecting the samples that do not.
Optionally, detecting the target malicious sample in the static sandbox comprises: starting the target malicious sample in the static sandbox; and detecting the behaviour analysis graph and the network behaviour graph while the target malicious sample runs in the static sandbox.
Optionally, the behaviour analysis graph includes: process information, application programming interface (API) state, mutexes, files written, registry entries written, files created, directories created, registry entries deleted, the family dynamic link library (DLL) list, the command line, existing files, files opened, files whose operation failed, files read, and registry entries read; the network behaviour graph includes: domain name system (DNS) information, session information, hypertext transfer protocol (HTTP) information, and traffic data packets.
Optionally, after detecting the target malicious sample in the static sandbox and obtaining the detection result, the method further includes: storing the target malicious sample and the detection result by data type; marking the target malicious sample and generating its graph data relations; pivoting from the MD5 node of the target malicious sample to obtain the indicator of compromise (IOC) association information and history access records related to the target malicious sample; and tracing the identity information of the APT group from the IOC association information and the history access records.
According to another embodiment of the present invention, a device for filtering malicious samples is provided, comprising: an obtaining module for obtaining multiple malicious samples; a filtering module for filtering the multiple malicious samples using OWL rules and submitting the filtered target malicious samples to a static sandbox; and a detection module for detecting the target malicious samples in the static sandbox to obtain a detection result.
Optionally, the filtering module includes: a parsing unit for parsing the labels of each of the multiple malicious samples; a judging unit for judging whether the labels of each malicious sample include a preset trusted label, where the trusted label includes a CVE label; and a filtering unit for retaining, among the multiple malicious samples, the samples that contain the trusted label and rejecting the samples that do not.
Optionally, the detection module includes: a starting unit for starting the target malicious sample in the static sandbox; and a monitoring unit for detecting the behaviour analysis graph and the network behaviour graph while the target malicious sample runs in the static sandbox.
Optionally, the behaviour analysis graph includes: process information, API state, mutexes, files written, registry entries written, files created, directories created, registry entries deleted, the family DLL list, the command line, existing files, files opened, files whose operation failed, files read, and registry entries read; the network behaviour graph includes: DNS information, session information, HTTP information, and traffic data packets.
Optionally, the device further includes: a storage module for storing the target malicious sample and the detection result by data type after the detection module has detected the target malicious sample in the static sandbox and obtained the detection result; a generation module for marking the target malicious sample and generating its graph data relations; a pivoting module for pivoting from the MD5 node of the target malicious sample to obtain the IOC association information and history access records related to the target malicious sample; and a tracing module for tracing the identity information of the APT group from the IOC association information and the history access records.
According to yet another embodiment of the present invention, a storage medium is also provided in which a computer program is stored, where the computer program is configured to execute, when run, the steps in any of the above method embodiments.
According to yet another embodiment of the present invention, an electronic device is also provided, comprising a memory and a processor; a computer program is stored in the memory, and the processor is configured to run the computer program to execute the steps in any of the above method embodiments.
Through the invention, multiple malicious samples are obtained, the multiple malicious samples are filtered using OWL rules, the filtered target malicious samples are submitted to a static sandbox, and the target malicious samples are detected in the static sandbox to obtain a detection result. By filtering the malicious samples, only samples that meet the conditions are reported, and the reported samples are processed by category. This greatly reduces the pressure of processing massive amounts of information while occupying less bandwidth, thereby solving the technical problem in the related art of wasted bandwidth when handling massive numbers of malicious samples and saving network bandwidth.
Detailed description of the invention
The drawings described herein are provided for a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description are used to explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a hardware block diagram of a server for filtering malicious samples according to an embodiment of the present invention;
Fig. 2 is a flow chart of a method for filtering malicious samples according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a behaviour analysis graph in an embodiment of the present invention;
Fig. 4 is the complete service logic diagram of an embodiment of the present invention;
Fig. 5 is the business flow chart of an embodiment of the present invention;
Fig. 6 is a structural block diagram of a device for filtering malicious samples according to an embodiment of the present invention.
Specific embodiment
In order to make those skilled in the art better understand the solution of this application, the technical solutions in the embodiments of this application are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of this application without creative work fall within the scope of protection of this application. It should be noted that, where no conflict arises, the embodiments of this application and the features in those embodiments may be combined with one another.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects and not to describe a particular order or sequence. Data so used may be interchanged where appropriate, so that the embodiments described herein can be implemented in an order other than the one illustrated or described here. In addition, the terms "comprising" and "having", and any variants of them, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to that process, method, product or device.
Embodiment 1
The method embodiment provided in Embodiment 1 of this application may be executed on a mobile terminal, a computer terminal, a server or a similar computing device. Taking execution on a server as an example, Fig. 1 is a hardware block diagram of a server for filtering malicious samples according to an embodiment of the present invention. As shown in Fig. 1, the server 10 may include one or more processors 102 (only one is shown in Fig. 1; the processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data. Optionally, the server may further include a transmission device 106 for communication and an input/output device 108. A person skilled in the art will appreciate that the structure shown in Fig. 1 is illustrative only and does not limit the structure of the server; for example, the server 10 may include more or fewer components than shown in Fig. 1, or have a configuration different from the one shown in Fig. 1.
The memory 104 may be used to store computer programs, for example the software programs and modules of application software, such as the computer program corresponding to the method for filtering malicious samples in an embodiment of the present invention. The processor 102 executes various functional applications and data processing, that is, implements the above method, by running the computer program stored in the memory 104. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the server 10 through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transmission device 106 is used to receive or send data via a network. A specific example of the network is a wireless network provided by the communication provider of the server 10. In one example, the transmission device 106 includes a network interface controller (NIC) that can connect to other network equipment through a base station in order to communicate with the Internet. In another example, the transmission device 106 may be a radio frequency (RF) module used to communicate with the Internet wirelessly.
This embodiment provides a method for filtering malicious samples. Fig. 2 is a flow chart of a method for filtering malicious samples according to an embodiment of the present invention; as shown in Fig. 2, the process includes the following steps:
Step S202: obtain multiple malicious samples;
A malicious sample in this embodiment refers to hardware, software or code that exploits vulnerabilities and security defects present in a network or hardware entity in order to attack the hardware, software, programs, files and other data in a network system.
After the multiple malicious samples are obtained, the file type of each malicious sample, or the type of device on which it runs, is also detected. File types include public files and private files: when a malicious sample is a public file it is sent to a public cloud server, and when it is a private file it is sent to a private cloud server or a local server. Alternatively, when the device type is a designated environment (for example, equipment of government bodies, financial institutions and other units with strong confidentiality requirements), the malicious sample is sent to a private cloud server or a local server, and when the device type is a general environment device, the malicious sample is sent to a public cloud server. The public cloud server, private cloud server or local server is provided with an engine for running the OWL rules and with a static sandbox.
Step S204: filter the multiple malicious samples using Web Ontology Language (OWL) rules and submit the filtered target malicious samples to a static sandbox;
The OWL rules in this embodiment are the detection content of the static sandbox.
Step S206: detect the target malicious samples in the static sandbox to obtain a detection result.
Through the above steps, multiple malicious samples are obtained, the multiple malicious samples are filtered using OWL rules, the filtered target malicious samples are submitted to a static sandbox, and the target malicious samples are detected in the static sandbox to obtain a detection result. By filtering the malicious samples, only samples that meet the conditions are reported, and the reported samples are processed by category. This greatly reduces the pressure of processing massive amounts of information while occupying less bandwidth, thereby solving the technical problem in the related art of wasted bandwidth when handling massive numbers of malicious samples and saving network bandwidth.
In one implementation of this embodiment, filtering the multiple malicious samples using OWL rules includes:
S11: for each of the multiple malicious samples, parse the sample's labels;
S12: judge whether the labels of each malicious sample include a preset trusted label, where the trusted label includes a CVE (Common Vulnerabilities and Exposures) label;
S13: among the multiple malicious samples, retain the samples that contain the trusted label and reject the samples that do not contain the trusted label.
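Steps S11 to S13 as an added worked example in Python; this is not code from the patent. The label syntax ("key:value" pairs separated by ";"), the sample names and the CVE identifiers are all constructed placeholders, and "trusted label" is taken to mean a well-formed CVE identifier.

```python
import re
from dataclasses import dataclass, field

# Assumed trusted-label rule for this example: a label under the "cve" key
# is trusted only if it is a syntactically valid CVE identifier.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


@dataclass
class Sample:
    name: str
    raw_labels: str          # constructed, e.g. "family:familyX;cve:CVE-2019-0001"
    labels: dict = field(default_factory=dict)


def parse_labels(raw: str) -> dict:
    """S11: parse 'key:value;key:value' into {key: [values]} (keys may repeat)."""
    out = {}
    for item in raw.split(";"):
        item = item.strip()
        if not item or ":" not in item:
            continue            # tolerate empty or malformed fragments
        key, value = item.split(":", 1)
        out.setdefault(key.strip().lower(), []).append(value.strip())
    return out


def trusted_cves(labels: dict) -> list:
    """S12: the well-formed CVE identifiers among the sample's labels, normalised."""
    return [v.upper() for v in labels.get("cve", []) if CVE_RE.match(v)]


def filter_samples(samples):
    """S13: keep samples carrying at least one trusted (CVE) label, reject the rest.

    Returns (kept, rejected); rejected maps sample name -> reason, so the
    decision is auditable rather than silently dropping samples."""
    kept, rejected = [], {}
    for s in samples:
        s.labels = parse_labels(s.raw_labels)
        if trusted_cves(s.labels):
            kept.append(s)
        elif s.labels.get("cve"):
            rejected[s.name] = "cve label present but malformed: " + ",".join(s.labels["cve"])
        else:
            rejected[s.name] = "no cve label"
    return kept, rejected


# Constructed sample metadata (placeholder names and CVE ids, not real files).
SAMPLES = [
    Sample("a.doc", "family:familyX;cve:CVE-2019-0001"),
    Sample("b.exe", "family:unknown"),
    Sample("c.rtf", "cve:cve-2018-0002;cve:CVE-2017-0003"),
    Sample("d.pdf", "cve:2019-1234"),          # missing the CVE- prefix
]

if __name__ == "__main__":
    kept, rejected = filter_samples(SAMPLES)
    print("submit to static sandbox:", [s.name for s in kept])
    print("rejected:", rejected)
```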
In this embodiment, detecting the target malicious sample in the static sandbox includes: starting the target malicious sample in the static sandbox; and detecting the behaviour analysis graph and the network behaviour graph while the target malicious sample runs in the static sandbox. The behaviour analysis graph includes: process information (e.g. process name, process path, process ID, command line, parent process name), API state, mutexes, files written, registry entries written, files created, directories created, registry entries deleted, the family dynamic link library (DLL) list, the command line, existing files, files opened, files whose operation failed, files read, and registry entries read. Fig. 3 is a schematic diagram of the behaviour analysis graph in an embodiment of the present invention; the behaviour analysis graph specifically includes the main behaviours, the information of each process, the association information between processes, and so on.
The network behaviour graph includes: DNS information (resolved domain name, IP address, IP geolocation, ASN), session information (protocol, port, IP address, IP geolocation, ASN), HTTP information (URL, request method, user agent), and traffic data packets.
Optionally, after the target malicious sample is detected in the static sandbox and the detection result is obtained, the method further includes: storing the target malicious sample and the detection result by data type; marking the target malicious sample and generating its graph data relations; pivoting from the MD5 node of the target malicious sample to obtain the indicator of compromise (IOC) association information and history access records related to the target malicious sample; and tracing the identity information of the APT group from the IOC association information and the history access records.
The APT analysis method based on malicious samples in this embodiment relates to the field of computer information security. Overall, it provides a way of extracting malicious information from massive numbers of files, extracts and maintains the IOC (Indicators of Compromise) and TTP (Tactics, Techniques and Procedures) information of the related APT organization (for example, feature extraction, marking and metadata extraction of the IOC indicator information for each query, extraction of related APT organization information and associated context, and recording of tactics, techniques and other related information), performs metadata extraction and management for mail samples and malicious file samples, and provides sample identification and result display for malicious samples and malicious mail information. At the same time, the IP and attack process information of affected users are recorded, attack activity and context are recorded in the data storage platform, and the file samples are correlated and analysed interactively. Through this method, attack analysis and APT-group operations are carried out on malicious samples, attack groups are discovered and tracked, and the efficiency of sample analysis and operations is greatly improved.
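The graph-relation and MD5-node pivoting step described above, as an added Python example that is not part of the patent. The detection results, history records, MD5 values and IOCs are constructed placeholders (documentation IP ranges and .test domains); the graph layout (typed string nodes, undirected edges) and the hop limit are this example's own assumptions.

```python
from collections import defaultdict, deque

# Constructed detection results carrying the network behaviour graph fields
# named in the text (DNS, session, HTTP). Every value is a placeholder.
RESULTS = [
    {"md5": "md5_sample_a", "family": "familyX",
     "dns": [("update.example-c2.test", "203.0.113.10")],
     "sessions": [("203.0.113.10", 443)],
     "http": ["http://update.example-c2.test/gate"]},
    {"md5": "md5_sample_b", "family": None,
     "dns": [("cdn.example-c2.test", "203.0.113.10")],
     "sessions": [("203.0.113.10", 443)],
     "http": []},
    {"md5": "md5_sample_c", "family": None,
     "dns": [("files.benign.test", "198.51.100.7")],
     "sessions": [("198.51.100.7", 80)],
     "http": ["http://files.benign.test/x"]},
]

# Constructed "history access records": domain -> IPs it resolved to in the past.
HISTORY = {"cdn.example-c2.test": ["198.51.100.200"],
           "old.example-c2.test": ["203.0.113.10"]}


def build_graph(results, history):
    """Undirected graph with typed string nodes: 'sample:<md5>', 'domain:<name>',
    'ip:<addr>', 'url:<u>'. Samples link to the IOCs they touched; domains link to
    current and historical resolution IPs."""
    adj = defaultdict(set)

    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)

    for r in results:
        s = "sample:" + r["md5"]
        for domain, ip in r["dns"]:
            link(s, "domain:" + domain)
            link("domain:" + domain, "ip:" + ip)
        for ip, _port in r["sessions"]:
            link(s, "ip:" + ip)
        for url in r["http"]:
            link(s, "url:" + url)
    for domain, ips in history.items():
        for ip in ips:
            link("domain:" + domain, "ip:" + ip)
    return adj


def pivot(adj, md5, max_hops=2):
    """Pivot from the sample's MD5 node: breadth-first search through IOC nodes
    only (other sample nodes are reported, not expanded) and return
    {related_md5: [node path from the start sample to that sample]}."""
    start = "sample:" + md5
    parent = {start: None}
    queue = deque([(start, 0)])
    related = {}
    while queue:
        node, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nxt in adj[node]:
            if nxt in parent:
                continue
            parent[nxt] = node
            if nxt.startswith("sample:"):
                path, cur = [], nxt
                while cur is not None:          # walk back to the start node
                    path.append(cur)
                    cur = parent[cur]
                related[nxt[len("sample:"):]] = list(reversed(path))
            else:
                queue.append((nxt, depth + 1))
    return related


def iocs_of(adj, md5):
    """The IOC nodes directly attached to a sample's MD5 node."""
    return sorted(adj["sample:" + md5])


if __name__ == "__main__":
    graph = build_graph(RESULTS, HISTORY)
    for md5, path in pivot(graph, "md5_sample_a").items():
        print(md5, "via", " -> ".join(path))
```

Sample b shares a session IP with sample a and is reached in two hops, while sample c shares no IOC and is not reported at any hop limit.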
In a complete implementation of this embodiment, the following functional modules are included, in processing order: a network collector, a static sandbox, a dynamic sandbox, a high-confrontation (anti-evasion) sandbox cluster, an intelligence matching module, and an event response module.
Network collector: receives sample input in an automated way, for example delivered mail attachments or batch automated delivery of original documents, and uploads them to the sandbox interface;
Static sandbox: first performs static detection on the sample file and matches static malicious-file rules. Information is acquired by extracting file metadata, including filename, file type, file-type match degree, file size, MD5 (Message-Digest Algorithm 5), SHA-1, SHA-256 and SHA-512 (Secure Hash Algorithm), SSDeep, and so on. At the same time, the file is detected and screened by the static engine rules of OWL (Web Ontology Language);
Dynamic sandbox: simulates dynamic execution, analyses host behaviour, obtains network behaviour and runtime screenshots, and captures network traffic and samples at the same time;
High-confrontation sandbox cluster: stores massive data and every detection result, including file-type data; all historical sandbox result data and file-type data are stored in the cluster;
Intelligence matching module: matches the sandbox detection results against IOCs and correlates the context to obtain family information, the malicious domains accessed and their historical resolution addresses, so that the family of the malicious sample and the APT group can be located more accurately for correlation analysis. For example, by querying a malicious sample in the sandbox and correlating threat intelligence and WHOIS history (WHOIS being a protocol for querying information such as the IP and owner of a domain name), all information related to the file can be provided;
Event response module: statistics and disposition of the current analysis results, together with case management and event correlation, with real-time updates of each engine and detection rule for the secondary production of intelligence.
Fig. 4 is the complete service logic diagram and Fig. 5 the business flow chart of the embodiment of the present invention, comprising:
Traffic collection process: responsible for the automated collection and batch delivery of collected samples, mainly consisting of the traffic collector and the sample collection device;
Sandbox detection process: divided into a static detection sandbox and a dynamic detection sandbox. Through the high-confrontation sandbox cluster, a static OWL filtering and extraction engine performs text semantic analysis and screening, where the static OWL rules detect and extract from text data on the basis of semantics and file metadata. The OWL engine can identify the file type and extract the corresponding metadata for each file type, for example how many sections a PE (Portable Executable) file has, whether it is signed and by whom, and what its PDB (Program Database) path name is, and then delivers the sample to the corresponding static or dynamic sandbox;
Data storage and response process: responsible for storing the sandbox's APT family information correlations and cases, and for producing new intelligence.
Optionally, the executing subject of the above steps may be a server connected to one or more clients, a cloud server or the like, and the client may be a mobile terminal, a PC or the like, but is not limited to these.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disk) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention.
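The static-sandbox metadata extraction described for the static sandbox module and for the sandbox detection process (file type, size, MD5/SHA-1/SHA-256/SHA-512, PE section count), as an added Python example that is not the patent's engine. The magic-number table is a small assumed subset, SSDeep is omitted because it is not in the standard library, and the PE bytes are a constructed header-only blob that is not executable; signature and PDB extraction are left out.

```python
import hashlib
import struct

# Assumed magic-number table: a small subset of what a real engine recognises.
MAGIC = [
    (b"MZ", "PE"),
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP/OOXML"),
    (b"{\\rtf", "RTF"),
]


def identify_type(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def digests(data: bytes) -> dict:
    """The hash set listed for the static sandbox (SSDeep omitted)."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def pe_section_count(data: bytes):
    """NumberOfSections from the COFF header, or None if the headers are
    missing or truncated. Layout per PE/COFF: e_lfanew at offset 0x3C points to
    the 'PE\\0\\0' signature; NumberOfSections is 6 bytes after the signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    return n_sections


def extract_metadata(filename: str, data: bytes) -> dict:
    """The per-sample record a static sandbox would build before rule matching."""
    meta = {"filename": filename, "size": len(data), "file_type": identify_type(data)}
    meta.update(digests(data))
    if meta["file_type"] == "PE":
        meta["sections"] = pe_section_count(data)
    return meta


def build_minimal_pe(n_sections: int) -> bytes:
    """Constructed, non-executable bytes with just enough structure for
    pe_section_count(): a DOS header carrying e_lfanew, then a COFF header."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, n_sections, 0, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\x00\x00" + coff


SAMPLE_PE = build_minimal_pe(4)                       # constructed, 152 bytes
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"        # constructed

if __name__ == "__main__":
    for name, blob in (("a.exe", SAMPLE_PE), ("b.pdf", SAMPLE_PDF)):
        print(extract_metadata(name, blob))
```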
Embodiment 2
A kind of device of filtering fallacious sample is additionally provided in the present embodiment, can be terminal or server, the device For realizing above-described embodiment and preferred embodiment, the descriptions that have already been made will not be repeated.As used below, term The combination of the software and/or hardware of predetermined function may be implemented in " module ".Although device is preferably described in following embodiment It is realized with software, but the realization of the combination of hardware or software and hardware is also that may and be contemplated.
Fig. 6 is the structural block diagram of the device of filtering fallacious sample according to an embodiment of the present invention, can be applied in client Or in server, as shown in fig. 6, the device includes: to obtain module 60, filtering module 62, detection module 64, wherein
Module 60 is obtained, for obtaining multiple malice samples;
Filtering module 62 will be filtered for using the multiple malice sample of network ontology language OWL rule-based filtering Target malice sample is thrown to static sandbox;
Detection module 64 obtains testing result for detecting the target malice sample by static sandbox.
Optionally, the filtering module includes: resolution unit, for being directed to the multiple malice sample, parses each evil The sample label of meaning sample;Judging unit, for judge each malice sample sample label whether include it is preset can beacon Label, wherein the credible label includes public loophole and exposure CVE label;Filter element, in the multiple malice sample In, retain the malice sample comprising the credible label, and reject the malice sample for not including the credible label.
Optionally, the detection module includes: start unit, for starting the target malice sample in static sandbox This;Monitoring unit, for detecting behavioural analysis figure and network when the target malice sample is run in the static sandbox Behavior figure.
Optionally, the behavioural analysis figure includes: progress information, application programming interface API state, mutex, writes The registry entry of the file, write-in that enter, the file of creation, the catalogue of creation, the registry entry of deletion, family dynamic link library DLL list, order line, existing file, the file of opening, the file of operation failure, the file of reading, reading registration table ?;The network behavior figure includes: domain name system DNS information, session information, hypertext transfer protocol HTTP information, flow number According to packet.
Optionally, described device further include: memory module, for passing through described in static sandbox detection in the detection module Target malice sample after obtaining testing result, stores the target malice sample and the testing result according to data type; Generation module generates the diagram data relationship of the target malice sample for marking the target malice sample;Wire module is opened up, For carrying out opening up line with the MD5 nodal information of the target malice sample, capture relevant to the target malice sample is obtained Index IOC related information and history access record;Tracing module, for being accessed according to the IOC related information and the history The identity information of record retrospect APT clique.
It should be noted that the above modules may be implemented by software or hardware; in the latter case they may be implemented in, but not limited to, the following ways: all of the above modules are located in the same processor, or the above modules are located in different processors in any combination.
Embodiment 3
The embodiments of the present invention also provide a storage medium in which a computer program is stored, wherein the computer program is arranged to execute, when run, the steps of any of the above method embodiments.
Optionally, in the present embodiment, the above storage medium may be arranged to store a computer program for executing the following steps:
S1, obtaining a plurality of malicious samples;
S2, filtering the plurality of malicious samples using Web Ontology Language (OWL) rules, and submitting the filtered target malicious samples to a static sandbox;
S3, detecting the target malicious samples through the static sandbox, and obtaining a detection result.
Optionally, in the present embodiment, the above storage medium may include, but is not limited to, various media capable of storing a computer program, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disk.
The embodiments of the present invention also provide an electronic device including a memory and a processor, the memory storing a computer program, and the processor being arranged to run the computer program to execute the steps of any of the above method embodiments.
Optionally, the above electronic device may further include a transmission device and an input/output device, wherein the transmission device is connected to the above processor and the input/output device is connected to the above processor.
Optionally, in the present embodiment, the above processor may be arranged to execute the following steps through the computer program:
S1, obtaining a plurality of malicious samples;
S2, filtering the plurality of malicious samples using Web Ontology Language (OWL) rules, and submitting the filtered target malicious samples to a static sandbox;
S3, detecting the target malicious samples through the static sandbox, and obtaining a detection result.
Optionally, for specific examples in the present embodiment, reference may be made to the examples described in the above embodiments and optional implementations; they are not repeated here.
The serial numbers of the above embodiments of the present application are for description only and do not represent the relative merits of the embodiments.
In the above embodiments of the present application, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technical content may be realised in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only one kind of logical functional division, and there may be other divisions in actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
Units described as separate components may or may not be physically separated, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present application may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disk.
The above are only preferred embodiments of the present application. It should be noted that a person of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present application, and these improvements and modifications should also be regarded as falling within the protection scope of the present application.

Claims (10)

1. A method for filtering malicious samples, characterised by comprising:
obtaining a plurality of malicious samples;
filtering the plurality of malicious samples using Web Ontology Language (OWL) rules, and submitting the filtered target malicious samples to a static sandbox;
detecting the target malicious samples through the static sandbox, and obtaining a detection result.
2. The method according to claim 1, characterised in that filtering the plurality of malicious samples using Web Ontology Language (OWL) rules comprises:
for the plurality of malicious samples, parsing the sample label of each malicious sample;
judging whether the sample label of each malicious sample includes a preset trusted label, wherein the trusted label includes a Common Vulnerabilities and Exposures (CVE) label;
among the plurality of malicious samples, retaining the malicious samples that include the trusted label and rejecting the malicious samples that do not include the trusted label.
3. The method according to claim 1, characterised in that detecting the target malicious samples through the static sandbox comprises:
starting the target malicious sample in the static sandbox;
detecting the behaviour analysis graph and the network behaviour graph while the target malicious sample runs in the static sandbox.
4. The method according to claim 3, characterised in that:
the behaviour analysis graph includes: process information, application programming interface (API) state, mutexes, files written, registry entries written, files created, directories created, registry entries deleted, the dynamic link library (DLL) list of the family, command lines, existing files, files opened, files whose operation failed, files read, and registry entries read;
the network behaviour graph includes: domain name system (DNS) information, session information, hypertext transfer protocol (HTTP) information, and traffic data packets.
5. The method according to claim 1, characterised in that, after detecting the target malicious samples through the static sandbox and obtaining the detection result, the method further comprises:
storing the target malicious sample and the detection result according to data type;
marking the target malicious sample, and generating the graph data relationship of the target malicious sample;
expanding links from the MD5 node information of the target malicious sample, and obtaining the indicator of compromise (IOC) association information and history access records related to the target malicious sample;
tracing the identity information of the APT group according to the IOC association information and the history access records.
6. A device for filtering malicious samples, characterised by comprising:
an obtaining module for obtaining a plurality of malicious samples;
a filtering module for filtering the plurality of malicious samples using Web Ontology Language (OWL) rules and submitting the filtered target malicious samples to a static sandbox;
a detection module for detecting the target malicious samples through the static sandbox and obtaining a detection result.
7. The device according to claim 6, characterised in that the filtering module comprises:
a parsing unit for parsing, for the plurality of malicious samples, the sample label of each malicious sample;
a judging unit for judging whether the sample label of each malicious sample includes a preset trusted label, wherein the trusted label includes a Common Vulnerabilities and Exposures (CVE) label;
a filtering unit for retaining, among the plurality of malicious samples, the malicious samples that include the trusted label and rejecting the malicious samples that do not include the trusted label.
8. The device according to claim 6, characterised in that the detection module comprises:
a start unit for starting the target malicious sample in the static sandbox;
a monitoring unit for detecting the behaviour analysis graph and the network behaviour graph while the target malicious sample runs in the static sandbox.
9. A storage medium, characterised in that a computer program is stored in the storage medium, wherein the computer program is arranged to execute, when run, the method according to any one of claims 1 to 5.
10. An electronic device comprising a memory and a processor, characterised in that a computer program is stored in the memory, and the processor is arranged to run the computer program to execute the method according to any one of claims 1 to 5.
CN201910346162.3A 2019-04-26 2019-04-26 Method and device for filtering malicious sample, storage medium and electronic device Active CN110210213B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910346162.3A CN110210213B (en) 2019-04-26 2019-04-26 Method and device for filtering malicious sample, storage medium and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910346162.3A CN110210213B (en) 2019-04-26 2019-04-26 Method and device for filtering malicious sample, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN110210213A true CN110210213A (en) 2019-09-06
CN110210213B CN110210213B (en) 2021-04-27

Family

ID=67786367

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910346162.3A Active CN110210213B (en) 2019-04-26 2019-04-26 Method and device for filtering malicious sample, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN110210213B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111159111A (en) * 2019-12-13 2020-05-15 深信服科技股份有限公司 Information processing method, device, system and computer readable storage medium
CN111447215A (en) * 2020-03-25 2020-07-24 深信服科技股份有限公司 Data detection method, device and storage medium
CN111464526A (en) * 2020-03-30 2020-07-28 深信服科技股份有限公司 Network intrusion detection method, device, equipment and readable storage medium
CN112580049A (en) * 2020-12-23 2021-03-30 苏州三六零智能安全科技有限公司 Sandbox-based malicious software monitoring method, sandbox-based malicious software monitoring equipment, storage medium and sandbox-based malicious software monitoring device
CN113206850A (en) * 2021-04-30 2021-08-03 北京恒安嘉新安全技术有限公司 Malicious sample message information acquisition method, device, equipment and storage medium
CN113395246A (en) * 2020-03-13 2021-09-14 中国互联网络信息中心 Method and system for determining bad domain name
CN117896175A (en) * 2024-03-04 2024-04-16 北京浩瀚深度信息技术股份有限公司 Capturing method of malicious sample propagated through loopholes

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100031361A1 (en) * 2008-07-21 2010-02-04 Jayant Shukla Fixing Computer Files Infected by Virus and Other Malware
CN102314561A (en) * 2010-07-01 2012-01-11 电子科技大学 Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
CN105117645A (en) * 2015-07-29 2015-12-02 杭州安恒信息技术有限公司 Method for operating multiple samples of sandbox virtual machine based on file system filtering drive
CN105488406A (en) * 2014-12-29 2016-04-13 哈尔滨安天科技股份有限公司 Similar malicious sample file matching method and system based on feature vector
US20170147819A1 (en) * 2015-11-20 2017-05-25 Lastline, Inc. Methods and systems for maintaining a sandbox for use in malware detection
CN106919840A (en) * 2017-03-03 2017-07-04 努比亚技术有限公司 The detection method and device of a kind of Malware
CN107360155A (en) * 2017-07-10 2017-11-17 中国科学院信息工程研究所 A kind of automatic source tracing method of network attack and system based on threat information and sandbox technology
US20170346835A1 (en) * 2014-12-15 2017-11-30 Sophos Limited Server drift monitoring
CN107563189A (en) * 2017-08-24 2018-01-09 东软集团股份有限公司 One kind applies detection method and terminal
CN108376220A (en) * 2018-02-01 2018-08-07 东巽科技(北京)有限公司 A kind of malice sample program sorting technique and system based on deep learning
US20190034632A1 (en) * 2017-07-25 2019-01-31 Trend Micro Incorporated Method and system for static behavior-predictive malware detection

Also Published As

Publication number Publication date
CN110210213B (en) 2021-04-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant after: QAX Technology Group Inc.

Address before: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant