CN110502892A - Method, apparatus and system for determining an abnormal test process - Google Patents

Method, apparatus and system for determining an abnormal test process

Info

Publication number: CN110502892A
Authority: CN (China)
Prior art keywords: sample, tested, address, test, information
Legal status: Pending
Application number: CN201910615692.3A
Other languages: Chinese (zh)
Inventors: 喻存林, 邓圆圆, 刘杨
Current assignee: Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
Original assignee: Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
Application filed by Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
Priority to CN201910615692.3A
Publication of CN110502892A

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/36 Preventing errors by testing or debugging software > G06F11/3668 Software testing > G06F11/3672 Test management > G06F11/3684 Test management for test design, e.g. generating new test cases
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/36 Preventing errors by testing or debugging software > G06F11/3668 Software testing > G06F11/3672 Test management > G06F11/3688 Test management for test execution, e.g. scheduling of test suites
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/52 ... during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow > G06F21/53 ... by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1433 Vulnerability analysis

Abstract

The application provides a method, apparatus and system for determining an abnormal test process, relating to the technical field of network security. It can improve the efficiency and accuracy of vulnerability discovery and reduce the losses and social impact caused by hacker attacks. The method comprises: determining a sample to be tested; inputting the sample to be tested into a sandbox group to obtain multiple pieces of test sample information, where the sandbox group is used to simulate the running environments of different versions of the application software corresponding to the sample to be tested under the corresponding operating systems, and the test sample information comprises the test process of the application software of at least one of the different versions under the corresponding operating system while the sample to be tested runs; and determining, from the multiple pieces of test sample information, the test sample information that contains an abnormal test process, which is used to determine the vulnerability position.

Description

Method, apparatus and system for determining an abnormal test process
Technical field
This application relates to the technical field of network security, and in particular to a method, apparatus and system for determining an abnormal test process.
Background technique
With the continuous development of the internet, people use the network more and more frequently. However, while the network brings convenience, it is also accompanied by various network security incidents, such as hacker attacks. These incidents can cause huge losses and threats to individuals, enterprises and even countries.
Hacker attacks are mostly carried out by exploiting vulnerabilities in the logical design of application software or operating systems. The range affected by vulnerabilities is very wide, including the system itself and its supporting programs, network clients, server software, network routers, security firewalls and so on. Different types of hardware and software devices, different versions of the same kind of device, systems built from different devices, and the same system under different settings can all have their own different vulnerabilities.
Actively discovering vulnerabilities and patching them in time can greatly reduce the success rate of network attacks and reduce the losses and threats that network attacks bring to individuals, enterprises and even countries. Therefore, how to mine and detect vulnerabilities on the internet effectively and comprehensively is an urgent problem to be solved.
Summary of the invention
The application provides a method, apparatus and system for determining an abnormal test process, which can improve the efficiency and accuracy of vulnerability discovery and reduce the losses and social impact caused by hacker attacks.
To achieve the above objectives, the application adopts the following technical scheme.
In a first aspect, the application provides a method for determining an abnormal test process, the method comprising:
determining a sample to be tested; inputting the sample to be tested into a sandbox group to obtain multiple pieces of test sample information, where the sandbox group is used to simulate the running environments of different versions of the application software corresponding to the sample to be tested under the corresponding operating systems, and the test sample information comprises the test process of the application software of at least one of the different versions under the corresponding operating system while the sample to be tested runs; and determining, from the multiple pieces of test sample information, the test sample information containing an abnormal test process, which is used to determine the vulnerability position.
In a second aspect, the application provides an apparatus for determining an abnormal test process, the apparatus comprising: a determination unit for determining a sample to be tested; and an input unit for inputting the sample to be tested into a sandbox group to obtain multiple pieces of test sample information, where the sandbox group is used to simulate the running environments of different versions of the application software corresponding to the sample to be tested under the corresponding operating systems, and the test sample information comprises the test process of the application software of at least one of the different versions under the corresponding operating system while the sample to be tested runs. The determination unit is further used to determine, from the multiple pieces of test sample information, the test sample information containing an abnormal test process, which is used to determine the vulnerability position.
In a third aspect, the application provides a system for determining an abnormal test process, which comprises multiple apparatuses for determining an abnormal test process as described in the second aspect.
In a fourth aspect, the application provides a computer-readable storage medium storing instructions; when a computer executes the instructions, the computer performs the method described in any one of the first aspect and its optional implementations.
In a fifth aspect, the application provides a computer program product comprising instructions; when the computer program product runs on a computer, the computer performs the method described in any one of the first aspect and its optional implementations.
In a sixth aspect, an apparatus for determining an abnormal test process is provided, comprising a processor and a communication interface coupled to the processor, where the processor is used to run a computer program or instructions so as to perform the method of the first aspect.
The present invention provides a method, apparatus and system for determining an abnormal test process. By inputting the sample to be tested into a sandbox group, multiple pieces of test sample information are obtained, and the test sample information containing an abnormal test process is then determined from them; this test sample information is used to determine the vulnerability position. By providing a sandbox group, different user environments can be simulated and the triggering environment of the sample to be tested can be determined more accurately, which improves the effectiveness of vulnerability discovery.
Detailed description of the drawings
Fig. 1 is an architecture diagram of the system for determining an abnormal test process provided by the embodiments of the application;
Fig. 2 is a first architecture diagram of the distributed sandbox system provided by the embodiments of the application;
Fig. 3 is a first flow diagram of the method for determining an abnormal test process provided by the embodiments of the application;
Fig. 4 is a second flow diagram of the method for determining an abnormal test process provided by the embodiments of the application;
Fig. 5 is a second architecture diagram of the distributed sandbox system provided by the embodiments of the application;
Fig. 6 is a first structural schematic diagram of the apparatus for determining an abnormal test process provided by the embodiments of the application;
Fig. 7 is a second structural schematic diagram of the apparatus for determining an abnormal test process provided by the embodiments of the application;
Fig. 8 is a third structural schematic diagram of the apparatus for determining an abnormal test process provided by the embodiments of the application.
Specific embodiments
The method, apparatus and system for determining an abnormal test process provided by the embodiments of the application are described in detail below with reference to the accompanying drawings.
In the description of this application, unless otherwise indicated, "/" means "or"; for example, A/B can mean A or B. "And/or" herein only describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B can mean: A alone, both A and B, or B alone. In addition, "at least one" means one or more, and "multiple" means two or more.
In addition, the terms "comprising" and "having" mentioned in the description of this application, and any variants of them, are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the listed steps or units, but may optionally further comprise other steps or units that are not listed, or other steps or units inherent to the process, method, product or device.
It should be noted that in the embodiments of this application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design scheme described as "exemplary" or "for example" should not be interpreted as preferable to or more advantageous than other embodiments or design schemes. Specifically, the words "exemplary" or "for example" are intended to present the related concept in a concrete way.
Since application software or operating systems may have vulnerabilities in their logical design, in the field of network security these vulnerabilities are often exploited by illegal actors, who attack servers by implanting Trojans, viruses and the like, destroy or steal confidential data and information on the servers, and may even cause serious consequences such as server system paralysis. The range affected by vulnerabilities is very wide, including the server system itself and the application software installed on it. When different server systems run different application software, they may all have different vulnerability security problems.
Because a large number of suspicious samples that may trigger vulnerabilities in application software or operating systems are generated every day on major websites, and because current vulnerability discovery for application software and operating systems is mostly based on black-box, debugger or fuzz-testing methods, efficiency is very low and the massive volume of suspicious samples cannot be handled.
Moreover, because this software or these systems are closed to the vulnerability researcher, defects in their design cannot be inspected at the code level.
With reference to Fig. 1, an embodiment of the application provides a system for determining an abnormal test process, comprising a controller 10, a sandbox group 20 and a vulnerability detection server 30. The controller 10 is used to obtain and process samples to be tested; after a processed sample to be tested is input into the sandbox group 20, test sample information is obtained, and the vulnerability detection server 30 can determine the vulnerabilities present in the sample to be tested according to the test sample information.
It should be noted that, with reference to Fig. 2, multiple sandbox groups 20 can form a distributed sandbox system 200, which is a subsystem of the system for determining an abnormal test process. The distributed sandbox system 200 may comprise multiple identical sandbox groups 20. For example, if the distributed sandbox system comprises 6 sandbox groups, then in one cycle the controller 10 can issue 6 samples to be tested and input them into the 6 sandbox groups in one-to-one correspondence; after detection is complete, the next 6 samples to be tested are issued, and so on in a loop, which improves testing efficiency.
An embodiment of the application provides a method for determining an abnormal test process. The method is executed by the controller 10, which can be any network device with a transmission interface and data processing capability; the network device can be a server or a client. With reference to Fig. 3, the method may comprise S101 to S103:
S101: determine the sample to be tested.
The sample to be tested may comprise one or more samples. A sample may carry a vulnerability trigger mechanism, or it may not. Whether a sample carries a vulnerability trigger mechanism can only be detected by executing the normal operating procedure on it. When a sample carrying a vulnerability trigger mechanism is run by the corresponding version of the application software on an operating system, a vulnerability trigger event such as a system blue screen or a software crash is triggered.
For example, if the sample to be tested is a video animation, the software vulnerability can be triggered when it is played by the corresponding software; if the sample to be tested is a text document, the software vulnerability can be triggered when it is opened by the corresponding software.
The vulnerability trigger mechanism may also be specific to a preset operating system or a default version of the application software. For example, if the sample to be tested is a Word document that crashes when run in Office 2013 under Windows 7 but does not crash in other versions, it can be determined that the Word document is a sample carrying a vulnerability trigger mechanism, one that can trigger a design vulnerability of Office 2013 under Windows 7.
S102: input the sample to be tested into the sandbox group to obtain multiple pieces of test sample information.
The sandbox group is used to simulate the running environments of different versions of the application software corresponding to the sample to be tested under the corresponding operating systems. The test sample information comprises the test process of the application software of at least one of the different versions under the corresponding operating system while the sample to be tested runs.
A sandbox can simulate a real user environment, that is, it opens the sample to be tested by simulating user behaviour. A sandbox group is made up of multiple sandboxes, each providing a different running environment: for example, different operating systems with the same version of the application software installed, the same operating system with different versions of the application software installed, or combinations of the most commonly used operating systems and software versions preset from experience.
Besides the necessary application software, a sandbox is also equipped with a variety of monitoring software, which may include the Windows debugger windbg, the process manager process monitor, the network packet analysis software wireshark, and other self-developed monitoring software and tools.
The monitoring software can monitor the sample's running process in real time; for example, network activity can be recorded by wireshark and abnormal behaviour obtained from it. Test sample information refers to the set of records of the actions of the sample to be tested while running, and comprises the logs of the sample to be tested under the different running environments. A log can be a record of normal behaviour or a record of abnormal behaviour.
S103: determine, from the multiple pieces of test sample information, the test sample information containing an abnormal test process.
The test sample information containing an abnormal test process is used to determine the vulnerability position. For example, if an Office file a.doc, after being input into the sandbox, releases an a.exe file when opened, the a.exe file is executed automatically, and an external network connection appears in the process that executes it, this abnormal behaviour indicates that the file a.doc carries a vulnerability trigger mechanism. The vulnerability position can then be determined by analysing the a.exe file.
An embodiment of the application provides a method for determining an abnormal test process. By inputting the sample to be tested into a sandbox group, multiple pieces of test sample information are obtained, and the test sample information containing an abnormal test process is then determined from them; this test sample information is used to determine the vulnerability position. By providing a sandbox group, different user environments can be simulated and the triggering environment of the sample to be tested can be determined more accurately, which improves the effectiveness of vulnerability discovery.
In one possible implementation, the specific implementation of S102 comprises:
determining the category of the sample to be tested. Samples to be tested may fall into two categories. One is file samples, which are samples that can be opened directly by the corresponding application software, such as samples of the Word and PDF types. The other is address samples, which are samples opened through a browser, such as flash, java, url, HTML, JS and the like.
Since samples to be tested fall into two categories, the sandbox groups may correspondingly also fall into two categories: file sandbox groups corresponding to file samples and address sandbox groups corresponding to address samples.
With reference to Fig. 5, it should be noted that the distributed sandbox system 200 comprises a distributed file sandbox system 201 and a distributed address sandbox system 202. The distributed file sandbox system 201 comprises multiple file sandbox groups, and the distributed address sandbox system 202 comprises multiple address sandbox groups. A file sandbox group comprises multiple sandboxes made up of different operating systems and software versions; exemplarily, file sandbox group 1 comprises a WinXP_office2003 sandbox, a Win7_office2007 sandbox, a Win7_office2010 sandbox, a Win7_office2013 sandbox and a Win7_office2016 sandbox. An address sandbox group comprises multiple sandboxes made up of different operating systems and different browser versions; exemplarily, address sandbox group 1 comprises a Win7_IE8 sandbox, a Win7_IE9 sandbox and a Win7_IE10 sandbox.
According to the category of the sample to be tested, the controller 10 inputs the sample into the sandbox group corresponding to that category and obtains the different pieces of test sample information. When there is more than one sample to be tested of the same category, multiple file samples can be input into the distributed file sandbox system 201 and multiple address samples into the distributed address sandbox system 202, which improves testing efficiency and increases the vulnerability output.
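The category routing of S102 and the abnormal-test-process rule of S103 (a crash, or a dropped executable that is launched and then opens an external connection), as an added example written for this page rather than code from the patent or its assignee. The sandbox group names, the event record format, the lab network ranges and the sample events are all constructed assumptions.

```python
import ipaddress
import ntpath
from dataclasses import dataclass

# Sample categories from the description: file samples are opened directly by an
# application, address samples are opened through a browser.
FILE_TYPES = {".doc", ".docx", ".pdf"}
ADDRESS_TYPES = {".swf", ".jar", ".html", ".js", ".url"}

# Hypothetical sandbox groups, named after the OS/application combinations the
# description lists for file sandbox group 1 and address sandbox group 1.
FILE_SANDBOX_GROUP = ["WinXP_office2003", "Win7_office2007", "Win7_office2010",
                      "Win7_office2013", "Win7_office2016"]
ADDRESS_SANDBOX_GROUP = ["Win7_IE8", "Win7_IE9", "Win7_IE10"]

# Assumed lab address space of the sandbox network (the description's preset website
# server sits at 192.168.54.12); any destination outside it counts as external.
LAB_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]


def sample_category(sample_name):
    """Classify a sample as 'file' or 'address' by its extension."""
    ext = ntpath.splitext(sample_name)[1].lower()
    if ext in FILE_TYPES:
        return "file"
    if ext in ADDRESS_TYPES:
        return "address"
    raise ValueError("unsupported sample type: " + sample_name)


def choose_sandbox_group(sample_name):
    """Route a sample to the sandbox group that matches its category (S102)."""
    return FILE_SANDBOX_GROUP if sample_category(sample_name) == "file" else ADDRESS_SANDBOX_GROUP


@dataclass
class Event:
    """One monitor record from a sandbox run (constructed format, not the patent's)."""
    kind: str    # "process_create", "file_write", "net_connect" or "crash"
    actor: str   # process that performed the action
    detail: str  # child process name, written path, destination IP, or crash note


def is_external(ip):
    """True if the destination lies outside the assumed lab networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAB_NETWORKS)


def analyze_run(app, events):
    """Return why one sandbox run is abnormal, or None if the sample behaved normally.
    Abnormal per the description: the application crashes, or an executable it
    dropped is launched and then opens an external network connection."""
    dropped = set()   # basenames of .exe files written by the application
    launched = set()  # processes the application spawned
    for ev in events:
        if ev.kind == "crash" and ev.actor == app:
            return "%s crashed: %s" % (app, ev.detail)
        if ev.kind == "file_write" and ev.actor == app and ev.detail.lower().endswith(".exe"):
            dropped.add(ntpath.basename(ev.detail).lower())
        elif ev.kind == "process_create" and ev.actor == app:
            launched.add(ev.detail.lower())
        elif ev.kind == "net_connect":
            proc = ev.actor.lower()
            if proc in dropped and proc in launched and is_external(ev.detail):
                return "dropped %s connected to external host %s" % (ev.actor, ev.detail)
    return None


def find_abnormal_test_processes(test_sample_info):
    """Apply S103. test_sample_info maps sandbox name -> (application process, events);
    returns {sandbox name: reason} for the runs worth forwarding to the vulnerability server."""
    abnormal = {}
    for sandbox, (app, events) in test_sample_info.items():
        reason = analyze_run(app, events)
        if reason is not None:
            abnormal[sandbox] = reason
    return abnormal


# Constructed test sample information for a hypothetical a.doc run across the file
# sandbox group; none of these records come from the patent.
SAMPLE_INFO = {
    "Win7_office2010": ("WINWORD.EXE", [
        Event("crash", "WINWORD.EXE", "access violation while parsing a.doc"),
    ]),
    "Win7_office2013": ("WINWORD.EXE", [
        Event("file_write", "WINWORD.EXE", r"C:\Users\u\AppData\Local\Temp\a.exe"),
        Event("process_create", "WINWORD.EXE", "a.exe"),
        Event("net_connect", "a.exe", "203.0.113.7"),
    ]),
    "Win7_office2016": ("WINWORD.EXE", [
        Event("net_connect", "WINWORD.EXE", "192.168.54.12"),  # lab server, not abnormal
    ]),
}

if __name__ == "__main__":
    print("a.doc ->", choose_sandbox_group("a.doc"))
    for sandbox, reason in find_abnormal_test_processes(SAMPLE_INFO).items():
        print(sandbox, "->", reason)
```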
With reference to Fig. 4, in one possible implementation, the method further comprises:
S104: obtain file samples from a suspicious-sample upload platform, and obtain address samples by crawler technology from the suspicious-sample upload platform or from other threat intelligence sites carrying scripts.
A suspicious-sample upload platform is a network platform that provides a scanning and analysis service for files using multiple antivirus products, and stores one or more suspicious file samples. When a user discovers a suspicious file while using the internet, the user can submit it to the suspicious-sample upload platform and confirm the safety of the sample by scanning analysis. For example, the suspicious-sample upload platform can be the VirusTotal website or the VirSCAN website.
A large number of file samples can be obtained from the suspicious-sample upload platform through the API the platform provides, and the likelihood that file samples obtained in this way carry a vulnerability trigger mechanism is very high.
Similarly, address samples can be obtained by crawler technology from the suspicious-sample upload platform or from other threat intelligence sites carrying scripts. A crawler is a program that automatically obtains web page content and is an important component of search engines.
A script is an executable file written in a specific descriptive language according to a certain format; it is also called a macro or a batch file, and can usually be called and executed temporarily by an application. All kinds of scripts are now widely used in web page design: using scripts not only reduces the size of a web page and improves browsing speed, but also enriches the presentation of the page, for example with animation and sound.
Precisely because of these characteristics, scripts are often exploited by some malicious persons, for example by adding commands that damage computer systems to a script. When a user browses the web page and the script is called, the user's system is attacked.
Therefore, threat intelligence sites carrying scripts are also websites with a high likelihood of carrying a vulnerability trigger mechanism. In addition, such a website may be a newly established website within a preset historical period; for example, the preset historical period can be the past month. Because such websites have been established for a short time, there may be various deficiencies in their design, so the likelihood that they are attacked by malicious files is very high.
It should be noted that the above suspicious-sample upload platforms and other threat intelligence sites carrying scripts refer to network platforms storing files that have a high probability of carrying a vulnerability trigger mechanism; the purpose is to narrow the search scope of samples to be tested and efficiently determine unknown vulnerabilities. Therefore, the embodiments of the application do not limit the network platform.
With continued reference to Fig. 4, in one possible implementation, the method further comprises:
S105: pre-process the sample to be tested.
After a large number of samples to be tested are obtained through S104, they need to be pre-processed. The pre-processed samples to be tested do not include repeated samples or samples containing a preset vulnerability.
Here, a repeated sample is a sample uploaded repeatedly by different users, or uploaded repeatedly by the same user within a preset historical period. To avoid repeated detection and improve detection efficiency, only one copy of each identical sample need be retained.
Vulnerabilities may be of two kinds: known vulnerabilities and unknown vulnerabilities (0-day vulnerabilities).
A preset vulnerability is a known vulnerability, that is, a vulnerability that has been discovered and announced, for example on the Common Vulnerabilities and Exposures list (CVE). Because a vulnerability with a CVE name already has a corresponding patch, it does not need to be detected again.
Because known vulnerabilities usually have specific characteristics (a PoC), and these PoCs are all public, PoC information can be used to determine whether a sample to be tested contains a known vulnerability.
A 0-day vulnerability is a vulnerability that has not been disclosed and has no associated patch. The purpose of the embodiments of the application is to detect 0-day vulnerabilities in samples to be tested, so the pre-processed samples to be tested are the samples that may contain 0-day vulnerabilities.
In addition, some non-target files also need to be filtered out during pre-processing, for example jar files, whose own safety factor is very high, so they do not need to be detected.
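The S105 pre-processing (dropping non-target types, repeated samples and samples carrying a known-vulnerability PoC), as an added example that is not from the patent. The upload record format, the PoC signature table with its placeholder CVE identifiers, and the sample batch are constructed assumptions.

```python
import hashlib
import ntpath
from collections import Counter
from dataclasses import dataclass

# Non-target types the description says are filtered out before testing.
NON_TARGET_EXTENSIONS = {".jar"}

# Hypothetical PoC signatures for known, CVE-listed vulnerabilities: a byte pattern
# that only a public exploit for that bug contains. Placeholder identifiers and
# patterns; a deployment would load these from its collection of public PoCs.
KNOWN_POC_SIGNATURES = {
    "CVE-PLACEHOLDER-0001": b"PUBLIC_POC_MARKER_0001",
    "CVE-PLACEHOLDER-0002": b"PUBLIC_POC_MARKER_0002",
}


@dataclass
class Upload:
    """A sample as fetched from an upload platform (constructed record format)."""
    name: str
    data: bytes
    user: str


def match_known_poc(data):
    """Return the placeholder CVE id whose PoC signature occurs in data, or None."""
    for cve, signature in KNOWN_POC_SIGNATURES.items():
        if signature in data:
            return cve
    return None


def preprocess(uploads):
    """Apply S105 to a batch of raw uploads.

    Drops non-target file types, repeated samples (same content hash, whether
    re-uploaded by one user or by several) and samples carrying a known-bug PoC.
    Returns (kept, dropped): kept is a list of (name, sha256) in upload order,
    dropped counts the discard reasons.
    """
    seen = set()
    kept = []
    dropped = Counter()
    for up in uploads:
        ext = ntpath.splitext(up.name)[1].lower()
        if ext in NON_TARGET_EXTENSIONS:
            dropped["non_target"] += 1
            continue
        digest = hashlib.sha256(up.data).hexdigest()
        if digest in seen:
            dropped["repeat"] += 1
            continue
        cve = match_known_poc(up.data)
        if cve is not None:
            dropped["known:" + cve] += 1
            continue
        seen.add(digest)
        kept.append((up.name, digest))
    return kept, dropped


# Constructed batch: one sample re-uploaded by a second user, one public PoC,
# one jar, and one new document.
UPLOADS = [
    Upload("a.doc", b"%DOC%sample-one", "user1"),
    Upload("a(1).doc", b"%DOC%sample-one", "user2"),
    Upload("b.pdf", b"%PDF-1.4 ... PUBLIC_POC_MARKER_0002 ...", "user3"),
    Upload("c.jar", b"PK\x03\x04jar-bytes", "user1"),
    Upload("d.doc", b"%DOC%sample-two", "user4"),
]

if __name__ == "__main__":
    kept, dropped = preprocess(UPLOADS)
    for name, digest in kept:
        print(name, digest[:16])
    print(dict(dropped))
```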
In one possible implementation, when the sample to be tested is an address sample and the address sample contains an access path, the address sample can be input directly into the sandbox group corresponding to address samples to obtain the corresponding test sample information.
With reference to Fig. 6, if the address sample does not contain an access path, for example an address sample of a type such as jar or flash, the access path of the address sample needs to be determined through a preset website server 40, that is, the address sample is embedded into an address of a type such as sha1, swf or html. The access path is then input into the sandbox group 20 corresponding to address samples to obtain the corresponding test sample information.
Specifically, taking a flash file as an example: such a file generally cannot be executed directly, for instance by double-clicking to open it, but is opened by using a browser to access a web page in which the flash is embedded. Therefore, the controller 10 embeds the flash file into an swf to generate an a.swf file, uploads the a.swf file to the preset website server 40 whose address is 192.168.54.12, and finally sends the address of the sample to be tested a.swf, http://192.168.54.12/a.swf, to the sandbox group 20.
After the test starts, the sandbox group 20 can open the file a.swf by accessing that address on the preset website server 40, and so obtain the corresponding test sample information.
With continued reference to Fig. 4, in one possible implementation, the method further comprises:
S106: send the test sample information containing an abnormal test process to the vulnerability detection server.
The vulnerability detection server is used to determine the vulnerability position according to the test sample information containing an abnormal test process. Because at present the vulnerability position can only be determined by manually attaching testing tools, which is inefficient and costly in labour, the method provided by the embodiments of the application reduces the number of samples to be tested as far as possible and improves the efficiency of vulnerability researchers.
A kind of possible structure that Fig. 7 shows the determining device of abnormality test process involved in above-described embodiment is shown It is intended to.The device 300 includes:
Determination unit 301, for determining sample to be tested.
Input unit 302, for the sample input sandbox group to be tested to be obtained multiple test sample information, the sand Case group is used to simulate fortune of the application software of the corresponding different editions of the sample to be tested under corresponding operating system Row environment, when the test sample information includes the sample to be tested operation, in the application software of the different editions extremely Test process of the application software of a few version under corresponding operating system.
The determination unit 301 is also used to determine the sample comprising abnormality test process from the multiple test sample information This test information, the test sample information comprising abnormality test process is for determining loophole position.
Optionally, the input unit 302 is specifically configured to:
determine the category of the sample to be tested, the categories being file sample and address sample; and, according to that category, input the sample to be tested into the sandbox group corresponding to its category to obtain the test sample information.
Optionally, the device further includes an acquisition unit 303, configured to:
obtain the file sample from a suspicious-sample upload platform, which stores one or more suspicious file samples; and obtain the address sample, using a crawler, from the suspicious-sample upload platform or from other threat intelligence sites that carry scripts.
Optionally, the device further includes a preprocessing unit 304, configured to:
preprocess the sample to be tested so that the preprocessed samples contain no duplicate samples and no samples covered by preset vulnerabilities, the preset vulnerabilities including public vulnerabilities and disclosed CVEs.
Optionally, when the sample to be tested is an address sample, the input unit 302 is specifically configured to:
if the address sample includes an access path, input the address sample into the sandbox group corresponding to address samples to obtain the test sample information; if the address sample does not include an access path, determine the access path of the address sample via a preset website server, then input that access path into the sandbox group corresponding to address samples to obtain the test sample information.
Optionally, the device further includes a sending unit 305, configured to:
send the test sample information that contains an abnormal test process to the vulnerability detection server, which uses it to determine the vulnerability location.
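The pipeline that units 301 to 305 describe, written out as an added example for this page (it is not the applicant's code and the patent discloses no implementation). The sandbox group is simulated in-process by a toy document parser whose pre-2.0 versions carry a constructed bounds flaw; the version and OS names, the preset website server table, the crawled content and the known-vulnerability hash set are all constructed for the example. An "abnormal test process" is taken to mean an uncaught fault in the application under test, as opposed to a handled rejection of the input.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse, urlunparse

# Sandbox group: one simulated sandbox per (application version, operating
# system) pair. Version and OS names are constructed for this example.
APP_VERSIONS = ("1.0", "1.5", "2.0")
OPERATING_SYSTEMS = ("win7", "win10")

# Preset website server lookup for address samples that carry no access path
# (constructed: host -> access path).
PRESET_SITE_PATHS = {"intel.example": "/feeds/latest.doc"}

# Stand-in for what the crawler would fetch behind each address (constructed).
CRAWLED_CONTENT = {"http://intel.example/feeds/latest.doc": "HDR\x07xyz"}

# SHA-256 of samples already explained by public vulnerabilities / disclosed
# CVEs (constructed). Preprocessing drops them.
KNOWN_PUBLIC_HASHES = {hashlib.sha256(b"HDR\x02public-poc").hexdigest()}


@dataclass(frozen=True)
class Sample:
    kind: str      # "file" or "address"
    content: str   # document text for a file sample, URL for an address sample


@dataclass(frozen=True)
class TestInfo:
    sample_id: str
    app_version: str
    os_name: str
    process_state: str   # "normal" or "abnormal"
    detail: str


def classify(raw):
    """Address samples are URLs; everything else is treated as a file sample."""
    kind = "address" if raw.startswith(("http://", "https://")) else "file"
    return Sample(kind, raw)


def resolve_access_path(url):
    """Keep an address that already has a path; otherwise fill the path in
    from the preset website server table."""
    parts = urlparse(url)
    if parts.path and parts.path != "/":
        return url
    path = PRESET_SITE_PATHS.get(parts.netloc)
    if path is None:
        raise LookupError("no preset access path for host %s" % parts.netloc)
    return urlunparse(parts._replace(path=path))


def preprocess(samples):
    """Drop duplicates (by content hash) and samples already covered by a
    public vulnerability. Returns (sample_id, sample) pairs."""
    seen, kept = set(), []
    for s in samples:
        digest = hashlib.sha256(s.content.encode()).hexdigest()
        if digest in seen or digest in KNOWN_PUBLIC_HASHES:
            continue
        seen.add(digest)
        kept.append((digest[:12], s))
    return kept


def simulated_app(version, data):
    """Toy parser standing in for the application under test. Format: 'HDR',
    one byte declaring the body length, then the body. Versions before 2.0
    index the body by the declared length without checking it (constructed
    flaw); 2.0 validates the length and rejects bad input."""
    if len(data) < 4 or not data.startswith("HDR"):
        raise ValueError("bad header")
    declared, body = ord(data[3]), data[4:]
    if tuple(int(x) for x in version.split(".")) < (2, 0):
        _ = body[declared]                   # IndexError here is an uncaught fault
    elif declared >= len(body):
        raise ValueError("declared length exceeds body")


def run_sandbox_group(sample_id, data):
    """Run one sample in every sandbox of the group and record the state of
    the test process for each (version, OS) combination."""
    infos = []
    for version in APP_VERSIONS:
        for os_name in OPERATING_SYSTEMS:
            try:
                simulated_app(version, data)
                state, detail = "normal", "exited cleanly"
            except ValueError as exc:        # handled rejection, not a fault
                state, detail = "normal", "input rejected: %s" % exc
            except Exception as exc:         # uncaught fault: abnormal process
                state, detail = "abnormal", "%s: %s" % (type(exc).__name__, exc)
            infos.append(TestInfo(sample_id, version, os_name, state, detail))
    return infos


def run_pipeline(raw_samples):
    """Classify, materialise address samples, preprocess, fan out to the
    sandbox group and keep only test information with an abnormal process."""
    materialised = []
    for s in map(classify, raw_samples):
        if s.kind == "address":
            # Simplification: fetch the document behind the resolved address and
            # test it as file content rather than driving a separate URL sandbox.
            s = Sample("file", CRAWLED_CONTENT[resolve_access_path(s.content)])
        materialised.append(s)
    infos = []
    for sample_id, s in preprocess(materialised):
        infos.extend(run_sandbox_group(sample_id, s.content))
    return [i for i in infos if i.process_state == "abnormal"]


# Constructed input: a benign file, a malformed file (twice, to show dedup), a
# sample already covered by a public vulnerability, junk, and a bare address.
RAW_SAMPLES = ["HDR\x01ab", "HDR\x09ab", "HDR\x09ab", "HDR\x02public-poc",
               "not a document", "http://intel.example"]

if __name__ == "__main__":
    for info in run_pipeline(RAW_SAMPLES):
        print(info)
```

Of the six raw samples, only two reach the sandbox group with a fault: the malformed file and the document fetched behind the bare address, and for each of them only the 1.0 and 1.5 sandboxes report an abnormal process. That per-version split is the information the vulnerability detection server is meant to receive: the version boundary at which the fault disappears narrows where the flaw lives before anyone attaches a debugger.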
Fig. 8 is a schematic diagram of another possible structure of the device for determining an abnormal test process involved in the above embodiments. The device 400 includes a processor 402. The processor 402 controls and manages the actions of the device 400, for example executing the steps performed by the determination unit 301, the input unit 302 and the preprocessing unit 304 above, and/or other processes of the technology described herein.
The processor 402 may implement or execute the various illustrative logic blocks, modules and circuits described in this disclosure. It may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, transistor logic, a hardware component, or any combination of these. It may also be a combination that implements computing functions, for example one or more microprocessors, or a DSP together with a microprocessor.
Optionally, the device 400 may further include a communication interface 403, a memory 401 and a bus 404. The communication interface 403 supports communication between the device 400 and other network entities, for example executing the steps performed by the acquisition unit 303 and the sending unit 305 above, and/or other processes of the technology described herein. The memory 401 stores the program code and data of the device 400.
The memory 401 may be memory inside the device 400. It may include volatile memory such as random access memory; non-volatile memory such as read-only memory, flash memory, a hard disk or a solid-state drive; or a combination of these kinds of memory.
The bus 404 may be an Extended Industry Standard Architecture (EISA) bus or the like, and may be divided into an address bus, a data bus, a control bus, etc. For convenience of representation it is drawn as a single thick line in Fig. 8, which does not mean that there is only one bus or only one type of bus.
From the description of the above embodiments, those skilled in the art will understand that, for convenience and brevity, only the above division of functional modules is given as an example; in practice the above functions may be allocated to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to perform all or part of the functions described above. For the specific working process of the system, device and units described above, reference may be made to the corresponding process in the method embodiments above, which is not repeated here.
An embodiment of this application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method for determining an abnormal test process described in the method embodiments above.
An embodiment of this application also provides a computer-readable storage medium storing instructions; when a network device executes the instructions, the network device performs each step performed by the network device in the method flow shown in the method embodiments above.
The computer-readable storage medium may be, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection with one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), a register, an optical fibre, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, any suitable combination of the above, or any other form of computer-readable storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may reside in an application-specific integrated circuit (ASIC). In the embodiments of this application, the computer-readable storage medium may be any tangible medium that contains or stores a program for use by, or in connection with, an instruction execution system, apparatus or device.
The above are only specific embodiments of this application, and the scope of protection of this application is not limited to them; any change or substitution within the technical scope disclosed in this application shall be covered by the scope of protection of this application. Therefore, the scope of protection of this application shall be defined by the claims.

Claims (16)

1. A method for determining an abnormal test process, characterized in that it comprises:
determining a sample to be tested;
inputting the sample to be tested into a sandbox group to obtain multiple pieces of test sample information, wherein the sandbox group simulates the running environments of the different versions of the application software corresponding to the sample to be tested under their respective operating systems, and the test sample information includes, when the sample to be tested is run, the test process of the application software of at least one of those versions under its corresponding operating system;
determining, from the multiple pieces of test sample information, the test sample information that contains an abnormal test process, wherein the test sample information that contains an abnormal test process is used to determine the vulnerability location.
2. The method according to claim 1, characterized in that inputting the sample to be tested into a sandbox group to obtain test sample information comprises:
determining the category of the sample to be tested, the categories of the sample to be tested including file sample and address sample;
inputting, according to the category of the sample to be tested, the sample to be tested into the sandbox group corresponding to that category to obtain the test sample information.
3. The method according to claim 2, characterized in that, before determining the sample to be tested, the method further comprises:
obtaining the file sample from a suspicious-sample upload platform, the suspicious-sample upload platform storing one or more suspicious file samples;
obtaining the address sample, using a crawler, from the suspicious-sample upload platform or from other threat intelligence sites that carry scripts.
4. The method according to claim 1, characterized in that, before determining the sample to be tested, the method further comprises:
preprocessing the sample to be tested so that the preprocessed samples contain no duplicate samples and no samples containing preset vulnerabilities, the preset vulnerabilities including public vulnerabilities and disclosed CVEs.
5. The method according to claim 2, characterized in that, when the sample to be tested is an address sample:
if the address sample is an address sample that includes an access path, the address sample is input into the sandbox group corresponding to the address sample to obtain the test sample information;
if the address sample is an address sample that does not include an access path, the access path of the address sample is determined via a preset website server;
the access path is input into the sandbox group corresponding to the address sample to obtain the test sample information.
6. The method according to claim 1, characterized in that the method further comprises:
sending the test sample information that contains an abnormal test process to a vulnerability detection server, the vulnerability detection server determining the vulnerability location from the test sample information that contains an abnormal test process.
7. A device for determining an abnormal test process, characterized in that it comprises:
a determination unit, configured to determine a sample to be tested;
an input unit, configured to input the sample to be tested into a sandbox group to obtain multiple pieces of test sample information, wherein the sandbox group simulates the running environments of the different versions of the application software corresponding to the sample to be tested under their respective operating systems, and the test sample information includes, when the sample to be tested is run, the test process of the application software of at least one of those versions under its corresponding operating system;
the determination unit being further configured to determine, from the multiple pieces of test sample information, the test sample information that contains an abnormal test process, wherein the test sample information that contains an abnormal test process is used to determine the vulnerability location.
8. The device according to claim 7, characterized in that the input unit is specifically configured to:
determine the category of the sample to be tested, the categories of the sample to be tested including file sample and address sample;
input, according to the category of the sample to be tested, the sample to be tested into the sandbox group corresponding to that category to obtain the test sample information.
9. The device according to claim 8, characterized in that the device further comprises an acquisition unit configured to:
obtain the file sample from a suspicious-sample upload platform, the suspicious-sample upload platform storing one or more suspicious file samples;
obtain the address sample, using a crawler, from the suspicious-sample upload platform or from other threat intelligence sites that carry scripts.
10. The device according to claim 7, characterized in that the device further comprises a preprocessing unit configured to:
preprocess the sample to be tested so that the preprocessed samples contain no duplicate samples and no samples containing preset vulnerabilities, the preset vulnerabilities including public vulnerabilities and disclosed CVEs.
11. The device according to claim 8, characterized in that, when the sample to be tested is an address sample, the input unit is specifically configured to:
if the address sample is an address sample that includes an access path, input the address sample into the sandbox group corresponding to the address sample to obtain the test sample information;
if the address sample is an address sample that does not include an access path, determine the access path of the address sample via a preset website server;
input the access path into the sandbox group corresponding to the address sample to obtain the test sample information.
12. The device according to claim 7, characterized in that the device further comprises a sending unit configured to:
send the test sample information that contains an abnormal test process to a vulnerability detection server, the vulnerability detection server determining the vulnerability location from the test sample information that contains an abnormal test process.
13. A system for determining an abnormal test process, characterized in that
it includes multiple devices for determining an abnormal test process according to any one of claims 7 to 12.
14. A device for determining an abnormal test process, characterized in that the device comprises a processor and a communication interface, the communication interface being coupled to the processor, and the processor being configured to run a computer program or instructions to implement the method according to any one of claims 1 to 6.
15. A computer-readable storage medium storing instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 6.
16. A computer program product comprising instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 6.
CN201910615692.3A 2019-07-09 2019-07-09 A kind of the determination method, apparatus and system of abnormality test process Pending CN110502892A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910615692.3A CN110502892A (en) 2019-07-09 2019-07-09 A kind of the determination method, apparatus and system of abnormality test process

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910615692.3A CN110502892A (en) 2019-07-09 2019-07-09 A kind of the determination method, apparatus and system of abnormality test process

Publications (1)

Publication Number Publication Date
CN110502892A true CN110502892A (en) 2019-11-26

Family

ID=68585565

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910615692.3A Pending CN110502892A (en) 2019-07-09 2019-07-09 A kind of the determination method, apparatus and system of abnormality test process

Country Status (1)

Country Link
CN (1) CN110502892A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112597494A (en) * 2020-12-21 2021-04-02 成都安思科技有限公司 Behavior white list automatic collection method for malicious program detection
CN113590394A (en) * 2021-07-09 2021-11-02 深圳Tcl新技术有限公司 Joint debugging test method and device, electronic equipment and storage medium
CN115994361A (en) * 2023-03-22 2023-04-21 北京升鑫网络科技有限公司 Container vulnerability detection method, system, electronic device and readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102541729A (en) * 2010-12-31 2012-07-04 航空工业信息中心 Detection device and method for security vulnerability of software
CN104462962A (en) * 2013-09-13 2015-03-25 北京安赛创想科技有限公司 Method for detecting unknown malicious codes and binary bugs
CN106055975A (en) * 2016-05-16 2016-10-26 杭州华三通信技术有限公司 Document detection method and sandbox
WO2017068334A1 (en) * 2015-10-20 2017-04-27 Sophos Limited Mitigation of anti-sandbox malware techniques
CN107346390A (en) * 2017-07-04 2017-11-14 深信服科技股份有限公司 A kind of malice sample testing method and device
US10176325B1 (en) * 2016-06-21 2019-01-08 Symantec Corporation System and method for dynamic detection of command and control malware


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张震 et al.: 《食品药品监管信息化工程概论》 (Introduction to Informatization Engineering for Food and Drug Regulation), 31 January 2018, 电子科技大学出版社 (UESTC Press) *


Similar Documents

Publication Publication Date Title
US8621613B1 (en) Detecting malware in content items
Carmony et al. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors.
US7594142B1 (en) Architecture for automated detection and analysis of security issues
US20220229906A1 (en) High-confidence malware severity classification of reference file set
CN103186740A (en) Automatic detection method for Android malicious software
US20110219454A1 (en) Methods of identifying activex control distribution site, detecting security vulnerability in activex control and immunizing the same
RU2697950C2 (en) System and method of detecting latent behaviour of browser extension
CN110502892A (en) A kind of the determination method, apparatus and system of abnormality test process
Tran et al. Tracking the trackers: Fast and scalable dynamic analysis of web content for privacy violations
US20130160124A1 (en) Disinfection of a File System
Schlumberger et al. Jarhead analysis and detection of malicious java applets
CN113168472A (en) Network security vulnerability repairing method and system based on utilization
US10129278B2 (en) Detecting malware in content items
Zhang et al. An execution-flow based method for detecting cross-site scripting attacks
US20100037033A1 (en) Exploit nonspecific host intrusion prevention/detection methods and systems and smart filters therefor
Wei et al. A comprehensive study on security bug characteristics
Li et al. LogicScope: Automatic discovery of logic vulnerabilities within web applications
CN113177205A (en) Malicious application detection system and method
Khoury et al. Execution trace analysis using ltl-fo
Daghmehchi Firoozjaei et al. Memory forensics tools: a comparative analysis
Krumnow et al. How gullible are web measurement tools? a case study analysing and strengthening OpenWPM's reliability
Liu et al. Evaluating the privacy policy of android apps: A privacy policy compliance study for popular apps in china and europe
CN112446030B (en) Method and device for detecting file uploading vulnerability of webpage end
US10002253B2 (en) Execution of test inputs with applications in computer security assessment
Lee et al. Analysis of application installation logs on android systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20191126)