CN110502892A - Method, apparatus and system for determining an abnormal test process - Google Patents
- Publication number
- CN110502892A (CN201910615692.3A)
- Authority
- CN
- China
- Prior art keywords
- sample
- tested
- address
- test
- information
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3684—Test management for test design, e.g. generating new test cases
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3688—Test management for test execution, e.g. scheduling of test suites
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Abstract
The application provides a method, apparatus and system for determining an abnormal test process, and relates to the technical field of network security. It can improve the efficiency and accuracy of vulnerability discovery and reduce the losses and impact that network attacks cause to society. The method comprises: determining a sample to be tested; inputting the sample to be tested into a sandbox group to obtain multiple pieces of test sample information, where the sandbox group is used to simulate the running environments of the different versions of the application software corresponding to the sample to be tested under their corresponding operating systems, and the test sample information includes the test process, when the sample to be tested runs, of at least one version of the application software among the different versions under its corresponding operating system; and determining, from the multiple pieces of test sample information, the test sample information that contains an abnormal test process, which is used to determine the vulnerability location.
Description
Technical field
This application relates to the technical field of network security, and in particular to a method, apparatus and system for determining an abnormal test process.
Background
With the continuous development of the internet, people use networks more and more frequently. However, while networks bring convenience, they are also accompanied by various network security incidents, such as network attacks. These incidents can bring huge losses and threats to individuals, enterprises and even countries.
Network attacks are mostly carried out by exploiting vulnerabilities in the logical design of application software or operating systems. Vulnerabilities have a very wide scope of impact, covering the system itself and its supporting software, network clients, server software, network routers, security firewalls and so on. Different vulnerability problems can exist between different kinds of hardware and software devices, between different versions of the same device, between different systems made up of different devices, and in the same system under different settings.
Actively discovering vulnerabilities and patching them in time can greatly reduce the success rate of network attacks and reduce the losses and threats that network attacks bring to individuals, enterprises and even countries. Therefore, how to discover and detect vulnerabilities on the internet effectively and comprehensively is an urgent problem to be solved.
Summary of the invention
The application provides a method, apparatus and system for determining an abnormal test process, which can improve the efficiency and accuracy of vulnerability discovery and reduce the losses and impact that network attacks cause to society.
To achieve the above objectives, the application adopts the following technical solutions.
In a first aspect, the application provides a method for determining an abnormal test process, the method comprising:
Determining a sample to be tested; inputting the sample to be tested into a sandbox group to obtain multiple pieces of test sample information, where the sandbox group is used to simulate the running environments of the different versions of the application software corresponding to the sample to be tested under their corresponding operating systems, and the test sample information includes the test process, when the sample to be tested runs, of at least one version of the application software among the different versions under its corresponding operating system; and determining, from the multiple pieces of test sample information, the test sample information that contains an abnormal test process, where the test sample information containing an abnormal test process is used to determine the vulnerability location.
In a second aspect, the application provides an apparatus for determining an abnormal test process. The apparatus includes a determination unit, used to determine a sample to be tested, and an input unit, used to input the sample to be tested into a sandbox group to obtain multiple pieces of test sample information, where the sandbox group is used to simulate the running environments of the different versions of the application software corresponding to the sample to be tested under their corresponding operating systems, and the test sample information includes the test process, when the sample to be tested runs, of at least one version of the application software among the different versions under its corresponding operating system. The determination unit is also used to determine, from the multiple pieces of test sample information, the test sample information that contains an abnormal test process, where the test sample information containing an abnormal test process is used to determine the vulnerability location.
In a third aspect, the application provides a system for determining an abnormal test process, which includes multiple apparatuses for determining an abnormal test process as described in the second aspect.
In a fourth aspect, the application provides a computer-readable storage medium in which instructions are stored. When a computer executes the instructions, the computer performs the method described in any one of the first aspect and its various optional implementations.
In a fifth aspect, the application provides a computer program product containing instructions. When the computer program product runs on a computer, the computer performs the method described in any one of the first aspect and its various optional implementations.
In a sixth aspect, an apparatus for determining an abnormal test process is provided, comprising a processor and a communication interface. The communication interface is coupled to the processor, and the processor is used to run a computer program or instructions to perform the method described in the first aspect.
The present invention provides a method, apparatus and system for determining an abnormal test process. Multiple pieces of test sample information can be obtained by inputting the sample to be tested into a sandbox group, and the test sample information containing an abnormal test process is then determined from them; this test sample information is used to determine the vulnerability location. By setting up a sandbox group, different user environments can be simulated, the triggering environment of the sample to be tested can be determined more accurately, and the effectiveness of vulnerability discovery is improved.
Brief description of the drawings
Fig. 1 is an architecture diagram of the system for determining an abnormal test process provided by an embodiment of the application;
Fig. 2 is a first architecture diagram of the distributed sandbox system provided by an embodiment of the application;
Fig. 3 is a first flow diagram of the method for determining an abnormal test process provided by an embodiment of the application;
Fig. 4 is a second flow diagram of the method for determining an abnormal test process provided by an embodiment of the application;
Fig. 5 is a second architecture diagram of the distributed sandbox system provided by an embodiment of the application;
Fig. 6 is a first structural diagram of the apparatus for determining an abnormal test process provided by an embodiment of the application;
Fig. 7 is a second structural diagram of the apparatus for determining an abnormal test process provided by an embodiment of the application;
Fig. 8 is a third structural diagram of the apparatus for determining an abnormal test process provided by an embodiment of the application.
Detailed description of the embodiments
The method, apparatus and system for determining an abnormal test process provided by the embodiments of the application are described in detail below with reference to the accompanying drawings.
In the description of the application, unless otherwise stated, "/" means "or"; for example, A/B can mean A or B. "And/or" herein merely describes an association between associated objects and indicates that three relationships are possible; for example, A and/or B can mean: A alone, both A and B, or B alone. In addition, "at least one" means one or more, and "multiple" means two or more.
In addition, the terms "include" and "have" and any variants of them mentioned in the description of the application are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the listed steps or units, but optionally also includes other steps or units that are not listed, or optionally also includes other steps or units inherent to the process, method, product or device.
It should be noted that, in the embodiments of the application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the application should not be construed as preferred over, or more advantageous than, other embodiments or designs. Rather, words such as "exemplary" or "for example" are intended to present the related concept in a concrete manner.
Because application software and operating systems may have vulnerabilities in their logical design, in the field of network security these vulnerabilities are often exploited by attackers, who attack servers by implanting Trojans, viruses and the like, destroy or steal confidential information and data on the server, or even cause serious consequences such as paralysis of the server system. The scope of impact of vulnerabilities is very wide, covering the server system itself and the application software installed on it. When different server systems are paired with different application software, different vulnerability security problems may exist.
Major websites generate, every day, a large number of suspicious samples that may trigger application software or operating system vulnerabilities. Vulnerability discovery for application software and operating systems is currently mostly based on black-box, debugger or fuzz-testing methods, whose efficiency is very low and which cannot cope with the massive volume of suspicious samples.
Moreover, because this software and these systems are closed to the vulnerability researcher, defects in their design cannot be examined at the code level.
With reference to Fig. 1, an embodiment of the application provides a system for determining an abnormal test process, including a controller 10, a sandbox group 20 and a vulnerability detection server 30. The controller 10 is used to obtain and process samples to be tested. After a processed sample to be tested is input into the sandbox group 20, test sample information is obtained, and the vulnerability detection server 30 can determine, according to the test sample information, the vulnerability present in the sample to be tested.
It should be noted that, with reference to Fig. 2, multiple sandbox groups 20 can form a distributed sandbox system 200, which is a subsystem of the system for determining an abnormal test process. The distributed sandbox system 200 may include multiple identical sandbox groups 20. For example, suppose the distributed sandbox system includes 6 sandbox groups. In the same period, the controller 10 can issue 6 samples to be tested and input them into the 6 sandbox groups in one-to-one correspondence; after detection is complete, it issues another 6 samples to be tested, and so on in a cycle, which improves testing efficiency.
An embodiment of the application provides a method for determining an abnormal test process. The method is executed by the controller 10, which can be any network device with a transmission interface and data processing capability; the network device can be a server or a client. With reference to Fig. 3, the method may include S101-S103:
S101: determine the sample to be tested.
The sample to be tested may include one or more samples. A sample may carry a vulnerability trigger mechanism or may not. Whether a sample carries a vulnerability trigger mechanism can only be detected by running it in the normal program. When a sample carrying a vulnerability trigger mechanism is run on an operating system by the corresponding version of the application software, it triggers a vulnerability trigger event such as a system blue screen or a software crash.
For example, if the sample to be tested is a video animation, it can trigger a vulnerability of the corresponding software when that software plays it; if the sample to be tested is a text document, it can trigger a vulnerability of the corresponding software when that software opens it.
The vulnerability trigger mechanism may also be specific to a preset operating system or a preset version of the application software. For example, if the sample to be tested is a Word document that crashes when opened in Office 2013 on Windows 7 but does not crash in other versions, it can be determined that the Word document is a sample carrying a vulnerability trigger mechanism, which can trigger a design vulnerability of Office 2013 on Windows 7.
S102: input the sample to be tested into the sandbox group to obtain multiple pieces of test sample information.
The sandbox group is used to simulate the running environments of the different versions of the application software corresponding to the sample to be tested under their corresponding operating systems. The test sample information includes the test process, when the sample to be tested runs, of at least one version of the application software among the different versions under its corresponding operating system.
A sandbox can simulate a real user environment, that is, it opens the sample to be tested by simulating user behaviour. A sandbox group is made up of multiple sandboxes, each providing a different running environment: for example, different operating systems with the same version of the application software installed, the same operating system with different versions of the application software installed, or the most commonly used combinations of operating system and software version, preset from experience.
Besides the necessary application software, a sandbox also has several kinds of monitoring software installed. For example, the monitoring software may include the Windows debugger WinDbg, the process manager Process Monitor, the network packet analyser Wireshark, and other self-developed monitoring software and tools.
The monitoring software can monitor the running of the sample in real time; for example, Wireshark can record network activity and capture abnormal behaviour. Test sample information is the set of records of the behaviour of the sample to be tested while running, and contains the logs of the sample to be tested under the different running environments. A log may be a record of normal behaviour or a record of abnormal behaviour.
S103: determine, from the multiple pieces of test sample information, the test sample information that contains an abnormal test process.
The test sample information containing an abnormal test process can be used to determine the vulnerability location. For example, suppose that when an Office file a.doc is opened after being input into the sandbox, it releases a file a.exe, and that an external network connection appears while a.exe is automatically executed. This abnormal behaviour indicates that the file a.doc carries a vulnerability trigger mechanism. The vulnerability location can be determined by analysing the a.exe file.
An embodiment of the application thus provides a method for determining an abnormal test process. Multiple pieces of test sample information can be obtained by inputting the sample to be tested into a sandbox group, and the test sample information containing an abnormal test process is then determined from them; this test sample information is used to determine the vulnerability location. By setting up a sandbox group, different user environments can be simulated, the triggering environment of the sample to be tested can be determined more accurately, and the effectiveness of vulnerability discovery is improved.
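The following is an added example, not code from the patent, of how S103 could pick out the test sample information that contains an abnormal test process, using the a.doc / a.exe behaviour described above. The event format, field names, finding codes, sample logs and the internal address ranges are all assumptions made for illustration.

```python
import ipaddress

# Assumption: addresses inside the test lab (the page's preset web server is at
# 192.168.54.12) count as internal; any other destination is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
EXECUTABLE_EXT = (".exe", ".dll", ".scr")


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_abnormal(events):
    """Walk one sandbox's event log in time order and return finding codes."""
    findings = []
    tracked = set()    # PIDs descended from the application that opened the sample
    dropped = set()    # executable paths written by tracked processes
    from_drop = set()  # PIDs whose image is one of the dropped files

    def note(code):
        if code not in findings:
            findings.append(code)

    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "open_sample":
            tracked.add(pid)
        elif kind == "file_write" and pid in tracked:
            if ev["path"].lower().endswith(EXECUTABLE_EXT):
                dropped.add(ev["path"].lower())
                note("DROPPED_EXECUTABLE")
        elif kind == "process_create" and ev["parent_pid"] in tracked:
            tracked.add(pid)  # follow the whole process tree of the sample
            if ev["image"].lower() in dropped:
                from_drop.add(pid)
                note("DROPPED_FILE_EXECUTED")
        elif kind == "net_connect" and pid in from_drop and is_external(ev["dest"]):
            note("EXTERNAL_CONNECTION")
        elif kind == "crash" and pid in tracked:
            note("APPLICATION_CRASH")
    return findings


def select_abnormal(reports):
    """Map environment -> findings, keeping only reports with an abnormal process."""
    result = {}
    for env, events in reports.items():
        findings = find_abnormal(events)
        if findings:
            result[env] = findings
    return result


# Constructed sample data: a.doc opened in four sandboxes of one file sandbox group.
TEMP_EXE = r"C:\Users\test\AppData\Local\Temp\a.exe"
REPORTS = {
    "WinXP_office2003": [
        {"type": "open_sample", "pid": 50, "sample": "a.doc"},
        {"type": "crash", "pid": 50},
    ],
    "Win7_office2010": [
        {"type": "open_sample", "pid": 100, "sample": "a.doc"},
    ],
    "Win7_office2013": [
        {"type": "open_sample", "pid": 200, "sample": "a.doc"},
        {"type": "file_write", "pid": 200, "path": TEMP_EXE},
        {"type": "process_create", "pid": 201, "parent_pid": 200, "image": TEMP_EXE},
        {"type": "net_connect", "pid": 201, "dest": "203.0.113.10"},
    ],
    "Win7_office2016": [
        {"type": "open_sample", "pid": 300, "sample": "a.doc"},
        {"type": "net_connect", "pid": 300, "dest": "192.168.54.12"},
    ],
}

if __name__ == "__main__":
    for env, findings in select_abnormal(REPORTS).items():
        print(env, findings)
```

The environments that appear in the result are the triggering environments; the others opened the same sample without abnormal behaviour.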
In one possible implementation, S102 is implemented as follows:
Determine the category of the sample to be tested. Samples to be tested fall into two categories. One is the file sample, which is a sample that can be opened directly by the corresponding application software, for example a sample of the Word or PDF type. The other is the address sample, which is a sample opened through a browser, for example flash, java, url, HTML, JS and so on.
Since there are two categories of samples to be tested, there are correspondingly two categories of sandbox groups: the file sandbox group, corresponding to file samples, and the address sandbox group, corresponding to address samples.
With reference to Fig. 5, it should be noted that the distributed sandbox system 200 includes a distributed file sandbox system 201 and a distributed address sandbox system 202. The distributed file sandbox system 201 includes multiple file sandbox groups, and the distributed address sandbox system 202 includes multiple address sandbox groups. A file sandbox group includes multiple sandboxes built from different operating systems and software versions. As an example, file sandbox group 1 includes a WinXP_office2003 sandbox, a Win7_office2007 sandbox, a Win7_office2010 sandbox, a Win7_office2013 sandbox and a Win7_office2016 sandbox. An address sandbox group includes multiple sandboxes built from different operating systems and different browser versions. As an example, address sandbox group 1 includes a Win7_IE8 sandbox, a Win7_IE9 sandbox and a Win7_IE10 sandbox.
According to the category of the sample to be tested, the controller 10 inputs the sample into the sandbox group corresponding to that category and obtains the different pieces of test sample information. When there is more than one sample to be tested in the same category, the multiple file samples can be input into the distributed file sandbox system 201 and the multiple address samples into the distributed address sandbox system 202, which improves the efficiency of sample testing and increases the yield of vulnerabilities.
With reference to Fig. 4, in one possible implementation, the method further includes:
S104: obtain file samples from a suspicious-sample upload platform, and obtain address samples, by crawler technology, from the suspicious-sample upload platform or from other threat intelligence sites with scripts.
A suspicious-sample upload platform is a network platform that provides a scanning and analysis service for files using multiple antivirus engines, and it stores one or more suspicious file samples. If a user finds a suspicious file while using the internet, the user can submit the suspicious sample to the suspicious-sample upload platform, and scanning and analysis confirm whether the sample is safe. For example, the suspicious-sample upload platform can be the VirusTotal website or the VirSCAN website.
A large number of file samples can be obtained from the suspicious-sample upload platform through the API it provides. File samples obtained in this way are very likely to carry a vulnerability trigger mechanism.
Similarly, address samples can be obtained by crawler technology from the suspicious-sample upload platform or from other threat intelligence sites with scripts. A crawler is a program that obtains web page content automatically and is an important component of a search engine.
A script is an executable file written in a specific descriptive language according to a certain format, also called a macro or batch file, and it is usually called and executed temporarily by an application program. Scripts of all kinds are now widely used in web design. Using scripts not only reduces the size of a web page and improves browsing speed, but also enriches what the page can present, such as animation and sound.
Precisely because of these characteristics, scripts are often abused by malicious persons, for example by adding commands to the script that damage the computer system. When a user browses the web page and the script is called, the user's system is attacked.
Therefore, a threat intelligence site with scripts is also a site very likely to carry vulnerability trigger mechanisms. In addition, the site may also be a website newly set up within a preset historical period, for example the past month. Because such a website has existed only for a short time, its design may have various deficiencies, so it is very likely to be attacked by malicious files.
It should be noted that the above suspicious-sample upload platform and other threat intelligence sites with scripts refer to network platforms that store files with a high probability of carrying a vulnerability trigger mechanism. Their purpose is to narrow the search range for samples to be tested and to determine unknown vulnerabilities efficiently; the embodiments of the application therefore place no restriction on the network platform.
With continued reference to Fig. 4, in one possible implementation, the method further includes:
S105: pre-process the samples to be tested.
After a large number of samples to be tested has been obtained through S104, the samples need to be pre-processed. The pre-processed samples to be tested do not include duplicate samples or samples containing a preset vulnerability.
A duplicate sample is a sample uploaded repeatedly by different users, or uploaded several times by the same user within a preset historical period. To avoid repeated detection and improve detection efficiency, only one copy of identical samples needs to be kept.
Vulnerabilities may be of two kinds: known vulnerabilities and unknown vulnerabilities (0day vulnerabilities).
The preset vulnerability is a known vulnerability. A known vulnerability is one that has been discovered and published, for example in Common Vulnerabilities and Exposures (CVE). Because a vulnerability with a CVE name already has a corresponding patch, it does not need to be detected again.
Because known vulnerabilities usually have specific features (PoC), and these PoCs are all public, PoC information can be used to determine whether a sample to be tested contains a known vulnerability.
A 0day vulnerability is a vulnerability that has not been disclosed and has no associated patch. The purpose of the embodiments of the application is to detect 0day vulnerabilities in the samples to be tested, so the pre-processed samples to be tested are samples that may contain a 0day vulnerability.
In addition, some non-target files also need to be filtered out during pre-processing, for example Jar files, whose own safety factor is very high, so they do not need to be detected again.
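The following is an added example, not code from the patent, that combines the S105 pre-processing described above (drop duplicates, samples matching a known PoC feature, and non-target files) with the routing of file samples and address samples to their sandbox groups described for S102. The extension sets, the byte-pattern signature with its placeholder CVE name, and the sample data are constructed assumptions.

```python
import hashlib
from urllib.parse import urlparse

FILE_EXT = {".doc", ".docx", ".pdf"}            # opened directly by an application
ADDRESS_EXT = {".swf", ".html", ".htm", ".js"}  # opened through a browser
NON_TARGET_EXT = {".jar"}                       # filtered out, as the text describes
# Constructed placeholder: real PoC features would come from public advisories.
KNOWN_POC = {"CVE-PLACEHOLDER-0001": b"CONSTRUCTED-POC-MARKER"}


def extension(name):
    """Lower-cased extension of a file name or of the path part of a URL."""
    path = urlparse(name).path if "://" in name else name
    base = path.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def category(name):
    """Return 'address', 'file', or None when the sample is not a target type."""
    ext = extension(name)
    if ext in NON_TARGET_EXT:
        return None
    if name.startswith(("http://", "https://")) or ext in ADDRESS_EXT:
        return "address"
    if ext in FILE_EXT:
        return "file"
    return None


def preprocess_and_route(samples):
    """samples: iterable of (name, content bytes). Returns (queues, rejected)."""
    queues = {"file": [], "address": []}   # one queue per sandbox-group category
    rejected = []                          # (name, reason) pairs
    seen = set()                           # SHA-256 digests already accepted
    for name, content in samples:
        cat = category(name)
        if cat is None:
            rejected.append((name, "non-target"))
            continue
        digest = hashlib.sha256(content).hexdigest()
        if digest in seen:
            rejected.append((name, "duplicate"))
            continue
        seen.add(digest)
        known = next((cve for cve, sig in KNOWN_POC.items() if sig in content), None)
        if known:
            rejected.append((name, "known:" + known))
            continue
        queues[cat].append(name)
    return queues, rejected


# Constructed sample data; for a URL sample the content is the URL itself.
SAMPLES = [
    ("report.doc", b"constructed document body 1"),
    ("copy_of_report.doc", b"constructed document body 1"),
    ("invoice.pdf", b"header CONSTRUCTED-POC-MARKER tail"),
    ("applet.jar", b"constructed jar bytes"),
    ("banner.swf", b"constructed flash bytes"),
    ("http://example.test/landing", b"http://example.test/landing"),
]

if __name__ == "__main__":
    queues, rejected = preprocess_and_route(SAMPLES)
    print(queues)
    print(rejected)
```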
In one possible implementation, when the sample to be tested is an address sample and the address sample contains an access path, the address sample can be input directly into the sandbox group corresponding to address samples to obtain the corresponding test sample information.
With reference to Fig. 6, if the address sample does not contain an access path, for example an address sample of a type such as jar or flash, the access path of the address sample needs to be determined through a preset web server 40, that is, the address sample is embedded in an address of a type such as sha1, swf or html. The access path is then input into the sandbox group 20 corresponding to address samples to obtain the corresponding test sample information.
Specifically, take a flash file as an example. Such a file is generally not executed directly, for example by double-clicking it, but is opened by using a browser to access a web page in which the flash is embedded. Therefore, the controller 10 embeds the flash file in swf to generate a file a.swf, uploads a.swf to the preset web server 40 whose address is 192.168.54.12, and finally sends the address of the sample to be tested, http://192.168.54.12/a.swf, to the sandbox group 20.
After the test starts, the sandbox group 20 can open the file a.swf by accessing that address on the preset web server 40, and thereby obtain the corresponding test sample information.
With continued reference to Fig. 4, in one possible implementation, the method further includes:
S106: send the test sample information containing an abnormal test process to the vulnerability detection server.
The vulnerability detection server is used to determine the vulnerability location according to the test sample information containing an abnormal test process. At present the vulnerability location can only be determined manually with the help of testing tools, which is inefficient and has a high labour cost. The method provided by the embodiments of the application can therefore reduce the number of samples to be tested as far as possible and improve the efficiency of vulnerability researchers.
A kind of possible structure that Fig. 7 shows the determining device of abnormality test process involved in above-described embodiment is shown
It is intended to.The device 300 includes:
Determination unit 301, for determining sample to be tested.
Input unit 302, for the sample input sandbox group to be tested to be obtained multiple test sample information, the sand
Case group is used to simulate fortune of the application software of the corresponding different editions of the sample to be tested under corresponding operating system
Row environment, when the test sample information includes the sample to be tested operation, in the application software of the different editions extremely
Test process of the application software of a few version under corresponding operating system.
The determination unit 301 is also used to determine the sample comprising abnormality test process from the multiple test sample information
This test information, the test sample information comprising abnormality test process is for determining loophole position.
Optionally, input unit 302 are specifically used for:
Determine that the classification of sample to be tested, the classification of the sample to be tested include paper sample and address sample;According to
The sample to be tested is inputted sandbox group corresponding with the classification of the sample to be tested and obtained by the classification of the sample to be tested
To the test sample information.
Optionally, which further includes acquiring unit 303, is used for:
Upload platform from suspicious sample and obtain the paper sample, the suspicious sample upload be stored in platform one or
Multiple apocrypha samples;Platform or other threat information stations with script are uploaded from the suspicious sample by crawler technology
Obtain the address sample.
Optionally, which further includes pretreatment unit 304, is used for:
Pre-process the sample to be tested, the pretreated sample to be tested does not include repeated sample or comprising default
The sample of loophole, the default loophole include public loophole and exposure CVE.
Optionally, when the sample to be tested is an address sample, the input unit 302 is specifically configured to:
if the address sample is an address sample containing an access path, input the address sample into the sandbox group corresponding to the address sample to obtain the test sample information; if the address sample is an address sample not containing an access path, determine the access path of the address sample through a preset website server, and input the access path into the sandbox group corresponding to the address sample to obtain the test sample information.
Optionally, the device further includes a transmission unit 305, configured to:
send the test sample information containing an abnormal test process to a vulnerability detection server, the vulnerability detection server being used to determine the vulnerability location according to the test sample information containing an abnormal test process.
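The flow carried out by units 301 to 305 can be sketched as follows. This is an added illustration, not part of the patent text: the environment names, the criterion for an abnormal test process (a process outside an assumed baseline), and the stand-ins for the sandbox and the preset website server are all constructed assumptions.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sandbox groups: one (application version, OS) environment per member.
SANDBOX_GROUPS = {
    "file": [("reader-9", "os-a"), ("reader-10", "os-a"), ("reader-11", "os-b")],
    "address": [("browser-60", "os-a"), ("browser-70", "os-b")],
}
# Processes each application is expected to start (assumed baseline).
EXPECTED = {"reader.exe", "browser.exe"}

def classify(sample):
    """Bytes are file samples, strings are address samples."""
    return "address" if isinstance(sample, str) else "file"

def sample_key(sample):
    data = sample.encode() if isinstance(sample, str) else sample
    return hashlib.sha256(data).hexdigest()

def preprocess(samples, known_vuln_keys=frozenset()):
    """Drop repeated samples and samples already tied to a preset vulnerability."""
    seen, kept = set(), []
    for s in samples:
        k = sample_key(s)
        if k not in seen and k not in known_vuln_keys:
            seen.add(k)
            kept.append(s)
    return kept

def resolve_access_path(address, lookup):
    """Return the address unchanged if it has a path, else ask the preset server."""
    parsed = urlparse(address if "://" in address else "http://" + address)
    return address if parsed.path not in ("", "/") else lookup(address)

def run_group(sample, run_in_sandbox, lookup):
    """Run one sample in every environment of the group matching its category."""
    category = classify(sample)
    target = resolve_access_path(sample, lookup) if category == "address" else sample
    return [{"sample": sample, "app": app, "os": os_name,
             "processes": run_in_sandbox(target, app, os_name)}
            for app, os_name in SANDBOX_GROUPS[category]]

def is_abnormal(info, expected=EXPECTED):
    """Assumed criterion: the run started a process outside the baseline."""
    return any(p not in expected for p in info["processes"])

def triage(samples, run_in_sandbox, lookup):
    """Return only the test sample information containing an abnormal test process."""
    abnormal = []
    for s in preprocess(samples):
        abnormal += [i for i in run_group(s, run_in_sandbox, lookup) if is_abnormal(i)]
    return abnormal

# --- constructed stand-ins for the sandbox and the preset website server ---
def constructed_lookup(address):
    return "http://" + address + "/landing"

def constructed_sandbox(target, app, os_name):
    base = ["browser.exe"] if app.startswith("browser") else ["reader.exe"]
    hits = {(b"doc-A", "reader-9"), (b"doc-A", "reader-10"),
            ("http://example.test/landing", "browser-60")}
    return base + (["child.exe"] if (target, app) in hits else [])

if __name__ == "__main__":
    samples = [b"doc-A", b"doc-A", b"doc-B", "example.test"]
    for info in triage(samples, constructed_sandbox, constructed_lookup):
        print(info["sample"], info["app"], info["os"], info["processes"])
```

Because each record keeps the application version and operating system it came from, the records returned by `triage` show which versions exhibit the abnormal process, which is the information the vulnerability detection server receives.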
Fig. 8 shows another possible structural schematic diagram of the device for determining an abnormal test process involved in the above embodiments. The device 400 includes a processor 402. The processor 402 is configured to control and manage the actions of the device 400, for example, to perform the steps performed by the determination unit 301, the input unit 302 and the preprocessing unit 304 described above, and/or to perform other processes of the technology described herein.
The processor 402 may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the present disclosure. The processor may be a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the present disclosure. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
Optionally, the device may also include a communication interface 403, a memory 401 and a bus 404. The communication interface 403 is used to support communication between the device 400 and other network entities, for example, to perform the steps performed by the acquiring unit 303 and the transmission unit 305 described above, and/or to perform other processes of the technology described herein. The memory 401 is used to store the program code and data of the device 400.
The memory 401 may be a memory in the device 400. The memory may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as read-only memory, flash memory, a hard disk or a solid-state drive; the memory may also include a combination of the above kinds of memory.
The bus 404 may be an Extended Industry Standard Architecture (EISA) bus or the like. The bus 404 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in Fig. 8, but this does not mean that there is only one bus or one type of bus.
From the above description of the embodiments, those skilled in the art can clearly understand that, for convenience and brevity of description, only the division into the above functional modules is given as an example; in practical applications, the above functions may be assigned to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. For the specific working processes of the system, device and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
An embodiment of the present application provides a computer program product containing instructions; when the computer program product is run on a computer, the computer is caused to perform the method for determining an abnormal test process described in the above method embodiments.
An embodiment of the present application also provides a computer-readable storage medium in which instructions are stored; when a network device executes the instructions, the network device performs each step performed by the network device in the method flow shown in the above method embodiments.
The computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection with one or more wires, a portable computer diskette, a hard disk, random access memory (Random Access Memory, RAM), read-only memory (Read-Only Memory, ROM), erasable programmable read-only memory (Erasable Programmable Read Only Memory, EPROM), a register, a hard disk, an optical fiber, a portable compact disc read-only memory (Compact Disc Read-Only Memory, CD-ROM), an optical storage device, a magnetic storage device, any suitable combination of the above, or any other form of computer-readable storage medium well known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from the storage medium and write information to the storage medium. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may be located in an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC). In the embodiments of the present application, a computer-readable storage medium may be any tangible medium that contains or stores a program, and the program may be used by or in connection with an instruction execution system, apparatus or device.
The above is only a specific embodiment of the present application, but the protection scope of the present application is not limited thereto; any change or replacement within the technical scope disclosed in the present application shall be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (16)
1. A method for determining an abnormal test process, characterized by comprising:
determining a sample to be tested;
inputting the sample to be tested into a sandbox group to obtain multiple pieces of test sample information, wherein the sandbox group is used to simulate the running environments, under the corresponding operating systems, of the different versions of the application software corresponding to the sample to be tested, and the test sample information includes the test process, under the corresponding operating system, of at least one version of the application software among the different versions when the sample to be tested is run;
determining, from the multiple pieces of test sample information, the test sample information containing an abnormal test process, wherein the test sample information containing an abnormal test process is used to determine the vulnerability location.
2. The method according to claim 1, characterized in that inputting the sample to be tested into the sandbox group to obtain the test sample information comprises:
determining the category of the sample to be tested, the categories of the sample to be tested including file samples and address samples;
according to the category of the sample to be tested, inputting the sample to be tested into the sandbox group corresponding to the category of the sample to be tested to obtain the test sample information.
3. The method according to claim 2, characterized in that, before determining the sample to be tested, the method further comprises:
obtaining the file sample from a suspicious-sample upload platform, wherein one or more suspicious file samples are stored in the suspicious-sample upload platform;
obtaining the address sample from the suspicious-sample upload platform or other threat intelligence sites by crawler technology using scripts.
4. The method according to claim 1, characterized in that, before determining the sample to be tested, the method further comprises:
preprocessing the samples to be tested, wherein the preprocessed samples to be tested do not include repeated samples or samples containing preset vulnerabilities, and the preset vulnerabilities include Common Vulnerabilities and Exposures (CVE).
5. The method according to claim 2, characterized in that, when the sample to be tested is an address sample:
if the address sample is an address sample containing an access path, inputting the address sample into the sandbox group corresponding to the address sample to obtain the test sample information;
if the address sample is an address sample not containing an access path, determining the access path of the address sample through a preset website server;
inputting the access path into the sandbox group corresponding to the address sample to obtain the test sample information.
6. The method according to claim 1, characterized in that the method further comprises:
sending the test sample information containing an abnormal test process to a vulnerability detection server, wherein the vulnerability detection server is used to determine the vulnerability location according to the test sample information containing an abnormal test process.
7. A device for determining an abnormal test process, characterized by comprising:
a determination unit, configured to determine a sample to be tested;
an input unit, configured to input the sample to be tested into a sandbox group to obtain multiple pieces of test sample information, wherein the sandbox group is used to simulate the running environments, under the corresponding operating systems, of the different versions of the application software corresponding to the sample to be tested, and the test sample information includes the test process, under the corresponding operating system, of at least one version of the application software among the different versions when the sample to be tested is run;
the determination unit being further configured to determine, from the multiple pieces of test sample information, the test sample information containing an abnormal test process, wherein the test sample information containing an abnormal test process is used to determine the vulnerability location.
8. The device according to claim 7, characterized in that the input unit is specifically configured to:
determine the category of the sample to be tested, the categories of the sample to be tested including file samples and address samples;
according to the category of the sample to be tested, input the sample to be tested into the sandbox group corresponding to the category of the sample to be tested to obtain the test sample information.
9. The device according to claim 8, characterized in that the device further comprises an acquiring unit, configured to:
obtain the file sample from a suspicious-sample upload platform, wherein one or more suspicious file samples are stored in the suspicious-sample upload platform;
obtain the address sample from the suspicious-sample upload platform or other threat intelligence sites by crawler technology using scripts.
10. The device according to claim 7, characterized in that the device further comprises a preprocessing unit, configured to:
preprocess the samples to be tested, wherein the preprocessed samples to be tested do not include repeated samples or samples containing preset vulnerabilities, and the preset vulnerabilities include Common Vulnerabilities and Exposures (CVE).
11. The device according to claim 8, characterized in that, when the sample to be tested is an address sample, the input unit is specifically configured to:
if the address sample is an address sample containing an access path, input the address sample into the sandbox group corresponding to the address sample to obtain the test sample information;
if the address sample is an address sample not containing an access path, determine the access path of the address sample through a preset website server;
input the access path into the sandbox group corresponding to the address sample to obtain the test sample information.
12. The device according to claim 7, characterized in that the device further comprises a transmission unit, configured to:
send the test sample information containing an abnormal test process to a vulnerability detection server, wherein the vulnerability detection server is used to determine the vulnerability location according to the test sample information containing an abnormal test process.
13. A system for determining an abnormal test process, characterized by
comprising a plurality of devices for determining an abnormal test process according to any one of claims 7-12.
14. A device for determining an abnormal test process, characterized in that the device comprises a processor and a communication interface, the communication interface being coupled to the processor, and the processor being configured to run a computer program or instructions to implement the method according to any one of claims 1-6.
15. A computer-readable storage medium, in which instructions are stored; when a computer executes the instructions, the computer performs the method according to any one of claims 1-6.
16. A computer program product containing instructions; when the computer program product is run on a computer, the computer performs the method according to any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910615692.3A CN110502892A (en) | 2019-07-09 | 2019-07-09 | A kind of the determination method, apparatus and system of abnormality test process |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110502892A true CN110502892A (en) | 2019-11-26 |
Family
ID=68585565
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910615692.3A Pending CN110502892A (en) | 2019-07-09 | 2019-07-09 | A kind of the determination method, apparatus and system of abnormality test process |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110502892A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112597494A (en) * | 2020-12-21 | 2021-04-02 | 成都安思科技有限公司 | Behavior white list automatic collection method for malicious program detection |
CN113590394A (en) * | 2021-07-09 | 2021-11-02 | 深圳Tcl新技术有限公司 | Joint debugging test method and device, electronic equipment and storage medium |
CN115994361A (en) * | 2023-03-22 | 2023-04-21 | 北京升鑫网络科技有限公司 | Container vulnerability detection method, system, electronic device and readable storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102541729A (en) * | 2010-12-31 | 2012-07-04 | 航空工业信息中心 | Detection device and method for security vulnerability of software |
CN104462962A (en) * | 2013-09-13 | 2015-03-25 | 北京安赛创想科技有限公司 | Method for detecting unknown malicious codes and binary bugs |
CN106055975A (en) * | 2016-05-16 | 2016-10-26 | 杭州华三通信技术有限公司 | Document detection method and sandbox |
WO2017068334A1 (en) * | 2015-10-20 | 2017-04-27 | Sophos Limited | Mitigation of anti-sandbox malware techniques |
CN107346390A (en) * | 2017-07-04 | 2017-11-14 | 深信服科技股份有限公司 | A kind of malice sample testing method and device |
US10176325B1 (en) * | 2016-06-21 | 2019-01-08 | Symantec Corporation | System and method for dynamic detection of command and control malware |
Non-Patent Citations (1)
Title |
---|
张震 等: "《食品药品监管信息化工程概论》", 31 January 2018, 电子科技大学出版社 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20191126 |