CN115438338A - Sample file detection method and device and computer readable storage medium - Google Patents

Publication number: CN115438338A
Authority: CN (China)
Prior art keywords: environment, target, sample file, detection result, operating environment
Legal status: Pending
Application number: CN202211056146.9A
Other languages: Chinese (zh)
Inventors: 吴灿强, 孙贝, 李光耀, 杨施俊, 张志华
Current Assignee: Hillstone Networks Co Ltd
Original Assignee: Hillstone Networks Co Ltd
Application filed by Hillstone Networks Co Ltd; priority to CN202211056146.9A; publication of CN115438338A; current legal status: pending.

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The application discloses a method and a device for detecting a sample file, and a computer-readable storage medium. The method comprises the following steps: acquiring a sample file to be detected and a target operating environment corresponding to the sample file, wherein the target operating environment is a first type of operating environment or a second type of operating environment; when the target operating environment is the second type of operating environment, detecting whether a first operating environment corresponding to the target operating environment exists in a first storage area; when a first operating environment exists in the first storage area, detecting whether a first historical detection result exists in a second storage area; and when the first historical detection result exists in the second storage area, determining that the first historical detection result is the target detection result of the sample file in the target operating environment. The method and the device solve the technical problem in the prior art that the detection efficiency of sample files is low because detection results cannot be reused.

Description

Sample file detection method and device and computer readable storage medium
Technical Field
The present application relates to the field of information security, and in particular, to a method and an apparatus for detecting a sample file, and a computer-readable storage medium.
Background
In the field of information security, a tester will usually test a sample file under a specific operating environment to identify whether the sample file is an abnormal sample file. In the prior art, a virtual operating environment is generally generated through a container technology, then a sample file to be detected is operated in the virtual operating environment, and whether the sample file is an abnormal sample file is determined by obtaining operation record data of the sample file after the sample file is operated in the virtual operating environment.
However, even when a user has previously detected a sample file in a virtual operating environment and generated a historical detection result, the prior art does not support directly reusing that historical detection result, so a large number of repeated detection processes occur when detecting sample files and the detection efficiency is low.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the application provides a method and a device for detecting a sample file and a computer readable storage medium, so as to at least solve the technical problem that the detection efficiency of the sample file is low because a detection result cannot be reused in the prior art.
According to an aspect of an embodiment of the present application, there is provided a method for detecting a sample file, including: acquiring a sample file to be detected and a target operation environment corresponding to the sample file, wherein the target operation environment is an operation environment for detecting whether the sample file is abnormal, the target operation environment is a first type of operation environment or a second type of operation environment, the first type of operation environment is an operation environment obtained after environment adjustment is carried out on the basis of the second type of operation environment, and the environment adjustment at least comprises adjustment of an operating system and/or adjustment of software; when the target operation environment is the second type of operation environment, detecting whether a first operation environment corresponding to the target operation environment exists in the first storage area, wherein the first operation environment is a first type of operation environment obtained after environment adjustment is carried out on the basis of the target operation environment; under the condition that a first operating environment exists in a first storage area, detecting whether a first historical detection result exists in a second storage area, wherein the first historical detection result is a historical detection result obtained when a sample file is detected in the first operating environment, the first storage area is used for storing all operating environments, and the second storage area is used for storing all historical detection results; and when the first historical detection result exists in the second storage area, determining that the first historical detection result is a target detection result of the sample file in a target operation environment.
Further, in the method for detecting the sample file, each first type of operating environment corresponds to a creation user identifier, and the state of each first type of operating environment is a shared state, wherein the creation user identifier characterizes the user who created the operating environment, the shared state means that the operating environment is visible to all users, and any user can detect a sample file using that operating environment.
Further, the method for detecting the sample file further comprises the following steps: when the target operation environment is a second type of operation environment, if the first operation environment does not exist in the first storage area or the first historical detection result does not exist in the second storage area, detecting whether a second historical detection result exists in the second storage area, wherein the second historical detection result is a historical detection result obtained when the sample file is detected in the target operation environment; when a second historical detection result exists in the second storage area, determining that the second historical detection result is a target detection result of the sample file in a target operation environment; and when the second historical detection result does not exist in the second storage area, the sample file is conveyed to the target operation environment for detection, and the target detection result of the sample file in the target operation environment is obtained.
Further, the method for detecting the sample file further comprises the following steps: after a sample file to be detected and a target operation environment corresponding to the sample file are obtained, detecting whether a second historical detection result exists in a second storage area or not when the target operation environment is a first type of operation environment; when a second historical detection result exists in the second storage area, determining that the second historical detection result is a target detection result of the sample file in a target operation environment; and when the second historical detection result does not exist in the second storage area, the sample file is conveyed to a target operation environment for detection, and a target detection result of the sample file in the target operation environment is obtained.
Further, the method for detecting the sample file further comprises the following steps: the target operation environment is stored in a first storage area in the form of a virtual machine file, the target operation environment is converted into a virtual machine, and a sample file is operated on the virtual machine; acquiring running record data of a sample file when the sample file runs in a virtual machine; performing data filtering processing on the operation recorded data to obtain target data, wherein the data filtering processing is used for filtering invalid data in the operation recorded data; and analyzing the target data to obtain a target detection result.
Further, the method for detecting the sample file further comprises the following steps: acquiring the running time of a sample file in a virtual machine; and when the running time is longer than the preset time, prohibiting the sample file from continuing to run, and updating the running state of the sample file to be a running completion state.
Further, the method for detecting the sample file further comprises the following steps: a plurality of target operation environments corresponding to the sample files are obtained, and a plurality of target detection results are obtained, wherein each target detection result corresponds to one target operation environment; comprehensively analyzing a plurality of target detection results to obtain comprehensive analysis results; and generating a target detection report according to the comprehensive analysis result, and sending the target detection report to the target equipment.
Further, the method for detecting the sample file further comprises the following steps: after a plurality of target detection results are obtained, generating a detection report according to each target detection result to obtain a plurality of detection reports; and comprehensively analyzing the plurality of detection reports to obtain a target detection report, and sending the target detection report to the target equipment.
According to another aspect of the embodiments of the present application, there is also provided a device for detecting a sample file, including: the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring a sample file to be detected and a target operation environment corresponding to the sample file, the target operation environment is used for detecting whether the sample file is abnormal, the target operation environment is a first type of operation environment or a second type of operation environment, the first type of operation environment is an operation environment obtained after environment adjustment is carried out based on the second type of operation environment, and the environment adjustment at least comprises adjustment of an operating system and/or adjustment of software; the first detection module is used for detecting whether a first operating environment corresponding to the target operating environment exists in the first storage area or not when the target operating environment is the second type of operating environment, wherein the first operating environment is a first type of operating environment obtained after environment adjustment is carried out on the basis of the target operating environment; the second detection module is used for detecting whether a first historical detection result exists in the second storage area under the condition that a first operation environment exists in the first storage area, wherein the first historical detection result is a historical detection result obtained when the sample file is detected in the first operation environment, the first storage area is used for storing all operation environments, and the second storage area is used for storing all historical detection results; and the determining module is used for determining that the first historical detection result is the target detection result of the sample file in the target operation environment when the first historical detection result exists in the second storage area.
According to another aspect of the embodiments of the present application, there is also provided a computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to execute the above-mentioned detection method when running.
In the application, a first historical detection result is reused as a target detection result of a sample file in a target operation environment, the sample file to be detected and the target operation environment corresponding to the sample file are firstly obtained, whether a first operation environment corresponding to the target operation environment exists in a first storage area is detected when the target operation environment is a second type of operation environment, whether a first historical detection result exists in a second storage area is detected when the first operation environment exists in the first storage area, and the first historical detection result is determined to be the target detection result of the sample file in the target operation environment when the first historical detection result exists in the second storage area. The method comprises the steps that a target operation environment is used for detecting whether a sample file is abnormal or not, the target operation environment is a first type of operation environment or a second type of operation environment, the first type of operation environment is an operation environment obtained after environment adjustment is carried out on the basis of the second type of operation environment, and the environment adjustment at least comprises adjustment of an operating system and/or adjustment of software; the first operating environment is a first type of operating environment obtained after environmental adjustment is carried out on the basis of the target operating environment; the first historical detection result is a historical detection result obtained when the sample file is detected in the first operation environment, the first storage area is used for storing all the operation environments, and the second storage area is used for storing all the historical detection results.
It can be seen from the above that, according to the present application, on the one hand, anomaly detection on the sample file is implemented by providing the second type of operating environment, and on the other hand, the user is supported in creating an operating environment of the first type, based on the second type, for anomaly detection of the sample file; because a first type of operating environment is closer to the user's actual application scenario, the detection result obtained in the first operating environment created from the target operating environment is also closer to that scenario.
Therefore, by the technical scheme, the aim of reusing the historical detection result as the target detection result of the sample file to be detected at present is fulfilled, so that the effects of improving the quality of the target detection result and improving the acquisition efficiency are achieved, and the technical problem that the detection efficiency of the sample file is low due to the fact that the detection result cannot be reused in the prior art is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart of an alternative method of detecting a sample document according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a design of a custom operating environment according to an embodiment of the present application;
FIG. 3 is a schematic view of an alternative sample document inspection system according to an embodiment of the present application;
FIG. 4 is a timing diagram of detecting a sample file in an alternative multi-run environment according to embodiments of the application;
FIG. 5 is an exemplary diagram of test results in an alternative multi-operational environment according to an embodiment of the present application;
FIG. 6 is a timing diagram of a custom runtime environment being converted into a virtual machine according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a preference setting condition according to an embodiment of the present application;
FIG. 8 is a schematic view of an alternative apparatus for detecting a sample document according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the accompanying drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In addition, it should be noted that the relevant information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for presentation, analyzed data, etc.) referred to in the present disclosure are information and data authorized by the user or sufficiently authorized by each party. For example, an interface is provided between the system and the relevant user or institution, and before obtaining the relevant information, an obtaining request needs to be sent to the user or institution through the interface, and after receiving the consent information fed back by the user or institution, the relevant information needs to be obtained.
Example 1
In accordance with an embodiment of the present application, an embodiment of a method for detecting a sample file is provided. It is noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps illustrated or described may be performed in an order different from that shown herein.
Fig. 1 is a flowchart of an alternative method for detecting a sample file according to an embodiment of the present application, and as shown in fig. 1, the method includes the following steps:
step S101, a sample file to be detected and a target operation environment corresponding to the sample file are obtained.
In step S101, the target operating environment is an operating environment for detecting whether the sample file has an abnormality, the target operating environment is a first type of operating environment or a second type of operating environment, the first type of operating environment is an operating environment obtained after performing an environment adjustment based on the second type of operating environment, and the environment adjustment at least includes an adjustment of an operating system and/or an adjustment of software.
Alternatively, the sample file may be various types of files, such as a program script, a video file, a compressed package file, and a mail. The second type of operating environment is a fixed operating environment pre-deployed in the sample file detection system, and the second type of operating environment may be understood as an operating environment of the sample file detection system itself when a user uses the sample file detection system for the first time. The first type of runtime environment is a new runtime environment obtained after the user has made environmental adjustments based on a second type of runtime environment, in other words, the first type of runtime environment can be understood as a new runtime environment custom-created by the user based on the second type of runtime environment.
In an optional embodiment, the method supports a user to create a custom runtime environment (corresponding to the runtime environment of the first type) based on a pre-deployed fixed runtime environment (corresponding to the runtime environment of the second type). Fig. 2 is a schematic design diagram illustrating a custom operating environment according to an embodiment of the present application, and in fig. 2, the operating environment template is a second type of operating environment. The custom runtime environment in FIG. 2 is then a first type of runtime environment. Specifically, in the present application, the runtime environment template is mainly characterized by three aspects, namely, an operating system, a system service, and software installation.
As shown in fig. 2, the operating system is distinguished by system version and bit width; for example, the Windows operating system has multiple versions such as Windows 7 and Windows 10, and Windows 7 exists in both 32-bit and 64-bit variants, while Linux has versions such as Ubuntu 16.04, Ubuntu 18.04 and CentOS 7, with Ubuntu 16.04 available in both 32-bit and 64-bit variants. System services are divided into built-in services and custom services: the built-in services mainly describe which services are started and stopped, and the custom services describe whether services are newly added, after the built-in services have been trimmed, to manage individual applications and programs. Installed software is distinguished by software name and version. For example, a PDF file can be opened by various application programs, or by a browser on some systems, but the underlying system calls triggered when different software opens the same PDF file differ, so the same sample file opened by different software may yield different detection results. Likewise, as software technology keeps evolving, different versions of the same software also lead to different detection results: an abnormal sample file may successfully attack a low version of a program but fail against a high version, producing two different detection results. In addition, as with system services, the user can adjust the operating environment template by adding and deleting software.
It is easy to see that, because the behavior of a sample file is closely related to its environment, the application supports the user in customizing the operating environment, so as to better discover weak points in the user's existing operating environment and better explain the possibility that a given sample file attacks that environment. Compared with discovering a generic malicious sample, discovering a malicious sample that is actually effective against the user's operating environment is more important, and the method achieves this through customization of the operating environment.
As shown in FIG. 2, the main features of the custom runtime environment are also represented in the aspects of an operating system, system services, and installation software. In contrast, the custom runtime environment can only be customized based on the runtime environment template. The process of self-defining the operating environment is to select an operating environment template corresponding to an operating system of a specific type and version, then reconfigure system services on the operating environment template, including which services are started and stopped and which services are newly added, and manage installation software, for example, installing reader software to run a pdf file to replace the setting of opening the pdf file through a browser in the operating environment template. Therefore, the customization of the operating environment is realized, so that the customized environment is close to and restores the actual office environment of the user as much as possible.
It should be noted that, in the present application, a customized operating environment can only be set up on the basis of a certain operating environment template, mainly for the following three reasons. First, the operating environment template is a calibrated environment that already includes the various complicated system configuration settings and adjustments, making it a platform better suited to letting sample files exhibit malicious behavior. Second, when a user-defined operating environment is created from a template, the user does not need to perform complicated system configuration, which makes creating a user-defined operating environment more user-friendly and reduces its configuration difficulty. Third, when configuring an operating environment for detecting sample files, some configuration parameters are hard for those skilled in the art to find, especially on systems with hidden configuration such as Windows, where if a certain configuration is not enabled the sample file may fail to run and its behavior cannot be observed. Based on these three considerations, an operating environment template whose system configuration has already been adjusted is deployed in advance, and the user only needs to perform a series of simple operating system and/or software adjustments on top of the template to obtain a user-defined operating environment.
In addition, the ultimate purpose of the method is to increase the probability of finding malicious samples by means of multiple running environments, so the configured operating system sometimes cannot be fully consistent with the user environment. For example, the user environment may have a firewall enabled or antivirus software installed, and in such an environment a malicious sample file generally finds it hard to exhibit malicious behavior, or may even be unable to start and run normally. Thus, if one were to maximize the fidelity of the reproduced user environment, the end result may be that malicious files cannot be accurately detected.
Therefore, the custom operating environment in the application is not necessarily identical to the user environment; rather, it is an environment that depends on an operating environment template and makes individual adjustments to both the system services and the installed software relative to that template.
In addition, in the prior art, the sample file is usually only conveyed to one operation environment for detection, and the application also supports the sample file to be conveyed to a plurality of operation environments for detection at the same time, so that more detection results can be obtained, the sample file can be detected more fully and comprehensively, and the detection effect on the sample file is improved.
Step S102, when the target operating environment is the second type of operating environment, detecting whether a first operating environment corresponding to the target operating environment exists in the first storage area.
In step S102, the first operating environment is a first type of operating environment obtained after environmental adjustment is performed based on the target operating environment.
Step S103, when the first operating environment exists in the first storage area, detecting whether a first historical detection result exists in the second storage area.
In step S103, the first historical detection result is a historical detection result obtained when the sample file is detected in the first operating environment, the first storage area is used to store all operating environments, and the second storage area is used to store all historical detection results.
Step S104, when the first historical detection result exists in the second storage area, determining that the first historical detection result is the target detection result of the sample file in the target operating environment.
Optionally, assume that the target operating environment corresponding to sample file 1 is operating environment 2, where operating environment 2 is a second type of operating environment, and that the first storage area also stores an operating environment 3, which is a first type of operating environment created by a user through customization based on operating environment 2. Operating environment 3 is then the first operating environment corresponding to operating environment 2. On this premise, if a user has previously conveyed sample file 1 to operating environment 3 for detection and generated a first historical detection result a, then, to improve detection efficiency, the first historical detection result a may be directly determined as the target detection result of sample file 1 in operating environment 2.
It should be noted that, because operating environment 3 was generated by the user through customization of operating environment 2, operating environment 3 is actually closer to the user's real application scenario than operating environment 2. On this basis, by directly determining the first historical detection result a of sample file 1 in operating environment 3 as the target detection result of sample file 1 in operating environment 2, the present application can in fact improve the accuracy of the target detection result: it uses the user's customization to optimize the detection result of the sample file and directly reuses the optimized detection result for other users, which improves both the quality of the detection result and the detection efficiency.
In addition, in the present application, each first type of operating environment corresponds to a creation user identifier, and the state of each first type of operating environment is a shared state, where the creation user identifier identifies the user who created the operating environment, and the shared state indicates that the operating environment is visible to all users, so that each user can detect sample files using that operating environment.
In an alternative embodiment, a sample file detection system may be used as the execution subject of the sample file detection method in the present application. As shown in fig. 3, the sample file detection system at least includes a management server and a node server, where the two are in a one-to-many relationship, that is, one management server may correspond to multiple node servers. Since the functional design and management responsibilities of the multiple node servers are identical, the following description takes one node server as an example for convenience.
Optionally, the management server at least includes a preference configuration management module, a sample and report management module, an operating environment management module, a scheduling management module, a detection result management module, a node management module, and other functional modules.
As shown in fig. 3, the preference configuration management module is used for processing preference setting requests from users and for recording and maintaining preference setting conditions. A preference setting condition represents a specified relation between the file type of a sample file and one or more operating environments; the relation is one-to-many, that is, one file type can correspond to a plurality of operating environments. When a user designates a plurality of operating environments for a certain file type, the management server treats any sample file of that file type subsequently uploaded by the user as a multi-environment detection task and processes it accordingly. For file types for which the user has not explicitly specified an operating environment, the preference configuration management module provides a preset operating environment determination policy, which may be understood as a default preference policy that cannot be changed by the user. When the file type of a sample file uploaded by the user has no corresponding preference setting condition, the preference configuration management module assigns a default operating environment to the sample file according to the preset operating environment determination policy.
The sample and report management module is used for receiving the sample file uploaded by the user, returning the sample detection result to the user, and providing a detection report download function. The sample and report management module comprises a sample management submodule and a report management submodule. The sample management submodule is mainly responsible for preprocessing sample files, storing sample files, maintaining sample-related information, and the like. After receiving a sample file uploaded by the user, the sample management submodule identifies the file type, records the relevant information of the sample, including which user the sample is from, the upload time, the sample file type, the sample MD5/SHA1/SHA256 digests, and the like, and stores the sample file. The MD5/SHA1/SHA256 digests uniquely identify a specific sample file. The report management submodule is mainly responsible for storing sample detection reports and for processing and maintaining the correspondence between reports and samples. In addition, in order to reduce sample detection time and maximize the multiplexing of detection results so as to save resources, the report management submodule in the sample and report management module also serves as a report cache resource library. After receiving a sample file uploaded by the user, the sample management submodule queries, through the report management submodule, whether an existing detection report in the report cache resource library can be used; if so, that detection report is returned to the user, and if not, the sample file is submitted to the scheduling management module for processing.
The report cache resource library maintains the corresponding relation among the detection report, the sample file and the operation environment, and records which sample file the detection report corresponds to and which operation environment the sample file is detected in. The report management submodule generates a detection report which is displayed for a user and is downloaded by the user by processing the detection result from the detection result management module, and the detection report in the application has a fixed style, such as an HTML report or a PDF report.
The operating environment library management module is the first storage area in the present application, and is used for storing and maintaining operating environment templates (corresponding to the second type of operating environment) for download by users. Meanwhile, the operating environment management module receives user-defined operating environments (corresponding to the first type of operating environment) uploaded by users, and records and maintains the relevant information of each user-defined operating environment and its correspondence with the user. An operating environment refers to the operating system environment in which the sample file is started and run in the subsequent detection process, and is distinguished by the operating system type, the system services that are started or stopped, and the software installed to assist the sample file in running or to load the sample file. Operating environment templates are provided by default by the operating environment library management module. In order to ensure correct detection of malicious samples and reduce missed detections, an operating environment template may tune the system services of different operating systems and intentionally disable some system-level protective measures so as to provide a favourable system environment for a malicious sample to run in; for this reason, users are not allowed to modify an operating environment template.
It should be noted that the design of the custom operating environment allows a user to make adjustments that approximate the actual office ecosystem on the basis of an operating environment template, so that the sample file can be detected and analysed in an environment relatively close to the user's real usage environment. The corresponding detection result obtained in the custom operating environment is therefore of greater reference value to the user and can help the user discover weak points in the existing office ecosystem in time.
The scheduling management module is used for scheduling the detection and analysis of the sample files, planning a scheduling strategy for the sample files and sample related information uploaded by the sample and report management module based on the preference setting conditions of the preference setting module, scheduling the sample files to each node server for detection and analysis through a load balancing strategy, or multiplexing historical detection results in the detection result management module.
The detection result management module is the second storage area in the present application, and is configured to receive the detection results of sample files returned from each node server for a single operating environment, process and summarize all detection results, and record and maintain the correspondence between detection results and sample files, the correspondence between detection results and operating environments, and the like, so that the scheduling management module can conveniently reuse historical detection results later. It should be noted that the difference and relation between a detection result and a target detection report are as follows: a detection result is the outcome of running the sample file in a single operating environment, is the raw data of the behaviours exhibited during the sample's execution, and has no fixed presentation form (for example, a JSON file); a target detection report can be a combination of detection results from a plurality of operating environments, and is generally obtained by further refining, processing and summarizing the detection results from a plurality of single operating environments, finally taking a certain fixed form. In short, the detection result is raw data, and the report is its presentation form.
The node management module is responsible for managing each node server and for synchronizing the user-defined operating environments uploaded by users to each node server; each node server then converts the user-defined operating environment into a specific virtual machine for subsequently running sample files and executing sample detection and analysis tasks. It should be noted that when a new node server joins the sample file detection system of the present application, it must first complete registration at the node management module. After registration, the node management module is responsible for synchronizing each operating environment and instructing the new node server to complete virtual machine configuration according to the default virtual machine configuration information, so that the node management module records and maintains the correspondence and quantity relationship between existing operating environments and the virtual machines on each node server. In addition to synchronizing operating environments and managing node servers, the node management module can also count in real time the number of virtual machines running on each node server and provide data to support load balancing in the scheduling management module.
In another alternative embodiment, as shown in fig. 3, each node server at least includes functional modules such as a detection management module, a virtual machine management module, and a running record analysis module, and also includes at least one virtual machine converted according to a running environment.
The detection management module is used for receiving the sample file and the specified operating environment information sent by the scheduling management module in the management server, transferring the sample file to the specified virtual machine for execution with the assistance of the virtual machine management module, receiving the detection result generated by the running record analysis module, and transferring the detection result to the detection result management module in the management server for further processing. When all virtual machines corresponding to the specified operating environment are busy, the detection management module also implements queue buffering and temporarily buffers the current sample file. When an idle virtual machine corresponding to the specified operating environment becomes available, the buffered sample file is transferred to that idle virtual machine for execution and analysis.
The virtual machine management module is used as an assisting module of the detection management module, and is used for receiving the sample file from the detection management module and starting the virtual machine corresponding to the specified running environment for the detection management module so as to run the sample file on the virtual machine. After the sample file is run, the virtual machine management module collects the running record data of the sample file on the virtual machine and sends the running record data to the running record analysis module. In addition, the virtual machine management module is further configured to receive the running environment synchronized by the management server, and convert the running environment into a preset number of virtual machines according to default virtual machine information. For example, in fig. 3, a virtual machine 1 converted from a runtime environment 1, a virtual machine 2 converted from a runtime environment 2, and a virtual machine 3 are deployed on a node server 1.
The running record analysis module is responsible for processing the running record data. After obtaining the running record data, the running record analysis module removes redundant and irrelevant information according to established logic, further simplifies and summarizes the useful information to form a clear and readable detection result, and then sends the detection result to the detection management module. It should be noted that the running record data comes not only from the record data on the virtual machine itself but also from the environment surrounding the virtual machine. The virtual machine's surrounding environment includes peripheral devices such as the virtual machine's virtual network card, and the running record data includes, but is not limited to, log files, screenshot files, network traffic files, memory dump files, records of tampered system configuration files, and the like.
In an alternative embodiment, assume that user A customizes and uploads a custom operating environment C based on operating environment template B. User A also sets a preference setting condition specifying that sample files of sample file type F are sent to operating environment C and operating environment D for detection at the same time. Operating environment D may be an operating environment template or a custom operating environment uploaded by another user. Then user A submits a sample file E whose file type is file type F. Sample file E is sent simultaneously to the virtual machines corresponding to operating environment C and operating environment D for detection and analysis. After detection is finished, the sample file detection system obtains detection result C of sample file E in operating environment C and detection result D of sample file E in operating environment D. Meanwhile, because operating environment C is derived from operating environment template B, detection result C of sample file E in operating environment C can also be regarded as the detection result of sample file E in operating environment B.
As can be seen from the above, the sample file detection system directly obtains the detection result C of the sample file E in the operating environment C and the detection result D of the sample file E in the operating environment D, and indirectly obtains the detection result of the sample file E in the operating environment B (i.e., the detection result C of the sample file E in the operating environment C). Finally, user a will obtain a target detection report containing detection result C and detection result D.
Further, assume that user H sets a preference setting condition specifying that sample files of sample file type F are sent to operating environment B for detection. User H then also submits sample file E, and since the file type of sample file E is file type F, in principle sample file E should be run in operating environment B to obtain the corresponding detection result. However, since the sample file detection system already maintains a detection result of sample file E in operating environment B (namely detection result C described above), the sample file detection system directly multiplexes detection result C and proceeds to generate the target detection report. Finally, user H obtains a detection report containing detection result C.
It should be noted that multiplexing detection results in this way solves the problem of resource waste that user-defined operating environments would otherwise cause: the detection result obtained in a user-defined operating environment can be multiplexed by other detection tasks, which improves detection efficiency and reduces the resource cost of subsequent detections.
In an optional embodiment, when the target operating environment is the second type of operating environment, if the first operating environment does not exist in the first storage area or the first historical detection result does not exist in the second storage area, the sample file detection system may detect whether a second historical detection result exists in the second storage area, where the second historical detection result is a historical detection result obtained when the sample file was detected in the target operating environment itself. When the second historical detection result exists in the second storage area, the sample file detection system determines that the second historical detection result is the target detection result of the sample file in the target operating environment. When the second historical detection result does not exist in the second storage area, the sample file detection system sends the sample file to the target operating environment for detection and obtains the target detection result of the sample file in the target operating environment.
Optionally, when the target operating environment is the first type of operating environment, the sample file detection system likewise detects whether the second historical detection result exists in the second storage area. When the second historical detection result exists in the second storage area, the sample file detection system determines that the second historical detection result is the target detection result of the sample file in the target operating environment. When the second historical detection result does not exist in the second storage area, the sample file detection system sends the sample file to the target operating environment for detection, thereby obtaining the target detection result of the sample file in the target operating environment.
Specifically, fig. 4 shows a sequence diagram of detecting a sample file in an optional multi-operating-environment setting according to an embodiment of the present application. Fig. 4 also covers how the scheduling management module allocates a virtual machine to the sample file according to the load balancing policy, specifically as follows:
step S401, user A configures a preference setting condition through the preference configuration management module, binding a certain file type to a target operating environment;
step S402, a user A uploads a sample file B of the file type;
step S403, after receiving sample file B, the sample and report management module identifies the file type and judges whether a historical detection report is reusable; if yes, jump to step S420, and if not, jump to step S404;
step S404, the sample and report management module transfers the sample file B to the scheduling management module for processing;
step S405, the scheduling management module obtains the preference setting content related to sample file B from the preference configuration management module, submits it to the detection result management module for query, and asks the detection result management module to judge whether a historical detection result is reusable. If yes, jump to step S418, and if not, jump to step S406;
step S406, the detection result management module informs the scheduling management module that sample file B has no reusable historical detection result under the specified preference setting content;
step S407, the scheduling management module maintains the share of detection tasks currently carried by each node server and decides, based on these statistics, which node server a subsequent sample file is allocated to for detection. After receiving the feedback from the detection result management module, the scheduling management module hands sample file B and its specified target operating environment information over to the detection management module on the node server it has selected for processing; this node server is assumed to be server C;
step S408, when the detection management module of the server C has an available idle virtual machine, the sample file B and the specified target running environment information are transferred to the virtual machine management module for processing;
step S409, the virtual machine management module allocates a virtual machine corresponding to the specified target operating environment for sample file B and starts it; this virtual machine is assumed to be virtual machine D;
step S410, the virtual machine management module sends the sample file B to the virtual machine D for running. The mode of delivering the sample file to the virtual machine includes, but is not limited to, communication modes such as HTTP and FTP, which specifically depend on a specific deployment and management scheme of the virtual machine;
step S411, waiting for sample file B to finish running. In the present application, the end of a sample run is defined as follows: timing starts when the sample file is launched; when the running time of the sample file exceeds a preset duration, the sample run lifecycle is forcibly terminated and the sample run is considered finished; when the sample's own process ends its run lifecycle before the preset duration is reached, the sample run is likewise considered finished.
Step S412, after the sample file B is operated, the virtual machine management module collects operation record data of the virtual machine about the operation process of the sample file B and submits the operation record data to the operation record analysis module for analysis and processing;
step S413, the running record analysis module removes redundant and irrelevant information from the running record data according to established logic, and further simplifies and summarizes the useful information to form a readable, clear and comprehensive detection result;
step S414, the operation record analysis module returns the detection result to the detection management module;
step S415, the detection management module returns the detection result to the detection result management module of the management server;
step S416, after receiving the detection result of the sample file B, the detection result management module updates the detection result record, so that the detection result can be used as a historical detection result for multiplexing other detection tasks;
step S417, the detection result management module integrates the detection results corresponding to each target operating environment of sample file B, transfers the integrated detection results to the sample and report management module for processing, and jumps to step S419;
step S418, the detection result management module transfers the reusable historical analysis result to a sample and report management module;
step S419, the sample and report management module is responsible for converting the integrated detection result into a target detection report and updating the history detection report record, so that the target detection report can be used as a history report for multiplexing other detection tasks subsequently;
step S420, the sample and report management module returns a target detection report to the user a, and ends the detection process of the sample file B.
As can be seen from the above, the present application is designed to multiplex results both in the management of detection results and in the management of sample reports. In a real deployment, there are many scenarios in which the same file is uploaded multiple times within a local area network. Reusing results has two advantages: it saves resources and it speeds up detection. At the same time, because the present application allows users to define their own operating environments, the detection result is strongly tied to the refined operating environment; without result multiplexing, the results obtained in the many user-defined operating environments could only serve the current detection task, wasting detection resources. In the present application, detection results and reports are bound to the layered operating environments, so that when the same sample file is analysed again later, whether a historical result can be reused is judged layer by layer according to the specific operating environment required, thereby improving detection efficiency.
To further illustrate the multiplexing logic of the detection results in the present application, the following description is made with reference to the accompanying drawings, wherein fig. 5 shows an exemplary diagram of the detection results in an alternative multi-operation environment according to an embodiment of the present application. As shown in fig. 5, the illustration is mainly used to illustrate the application and management of detection results in multi-environment detection tasks. Firstly, a user must configure preference setting conditions and submit sample files of corresponding file types to form a multi-environment detection task. This sample file is referred to as sample file a in the following description. The user's preference setting condition is that the sample file a is sent to the runtime environment 2 and the runtime environment 3 simultaneously for detection.
Optionally, a precondition background is shown in fig. 5: two detection results of the sample file A are currently maintained in the detection result management module, namely a detection result 1 and a detection result 2. The detection result 1 is a detection result of the sample file a in the operating environment 1, and since the operating environment 1 is a custom environment based on the operating environment template 1, the detection result 1 can be regarded as a detection result corresponding to the operating environment template 1 at the same time; the detection result 2 is a detection result of the sample file a in the operating environment 2, and since the operating environment 2 is a custom environment based on the operating environment template 2, the detection result 2 can be regarded as a detection result corresponding to the operating environment template 2 at the same time. In addition, two detection reports are currently maintained in the sample and report management module, wherein one detection report is a multi-environment detection report, and is specifically generated according to a detection result obtained by integrating the detection result 1 and the detection result 2, in other words, the detection report is a target detection report obtained after the sample file a operates in the two environments of the operating environment 1 and the operating environment 2; the other detection report is a single environment detection report and is generated according to the detection result 2, that is, the detection report is a detection report of the sample file a in the single environment of the operating environment 2, and since the operating environment 2 is a custom environment based on the operating environment template 2, the detection report can be regarded as a detection report of the sample file a after being operated in the operating environment template 2 at the same time.
Based on the above premise background, as shown in fig. 5, the processing logic of the present application after the sample file a is sent to the runtime environment 2 and the runtime environment 3 simultaneously for detection is: as for the detection result of the sample file a after running in the running environment 2, the detection result 2 described above may be directly multiplexed. Regarding the detection result of the sample file a after running in the running environment 3, the sample file a needs to be sent to the virtual machine corresponding to the running environment 3 for detection and analysis, and after waiting for the generation of the detection result 3 corresponding to the running environment 3, the sample and report management module completes integration of the detection result 2 and the detection result 3, so as to further generate a target detection report according to the integration result and present the target detection report to a user. After the detection result 3 is generated, the detection result 3 is also taken as a historical detection result and is included in a detection result library for management, and is correspondingly bound as a detection result of the sample file a in the running environment 3. And finally, taking the generated target detection report as a historical report, incorporating the historical report into a sample and report management module for management, and correspondingly binding the historical report into a detection report of the sample file A under the environment of multiple environments including an operating environment 2 and an operating environment 3.
In another alternative embodiment, assume that user A and user B submit the same sample file 1 one after the other, and that when user B submits sample file 1, the detection report for sample file 1 submitted by user A has already been generated. The preference setting condition of user A for the file type of sample file 1 corresponds to operating environment 1 and operating environment 2. User B has not configured a preference setting condition for the file type of sample file 1, so when user B uploads sample file 1, the preference configuration module determines the operating environment of sample file 1 using the preset operating environment determination policy, which is assumed to select operating environment template 2. On this basis, since operating environment 1 is a custom operating environment based on operating environment template 1 and operating environment 2 is a custom operating environment based on operating environment template 2, when the detection result management module receives detection result 2 of sample file 1 in operating environment 2, detection result 2 is automatically associated, by virtue of the definition of operating environment 2, with the detection result for operating environment template 2. Consequently, when user B submits sample file 1, the detection report is actually generated from detection result 2, which was produced in operating environment 2 when user A submitted sample file 1.
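The layered reuse logic of steps S102 to S104 and the fallbacks described above, together with the two-user scenario just described, as an added example that is not part of the patent or of any Hillstone implementation. The environment identifiers, the sample hash, the `fake_sandbox_run` stand-in for a node-server virtual machine run, and the in-memory dictionaries modelling the first and second storage areas and the report cache are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Environment:
    env_id: str
    kind: str                      # "template" (second type) or "custom" (first type)
    parent: Optional[str] = None   # template a custom environment was adjusted from
    creator: Optional[str] = None  # creation user identifier; custom environments are shared


@dataclass
class DetectionSystem:
    # First storage area: every operating environment, templates and custom ones.
    environments: Dict[str, Environment]
    # Hypothetical sandbox runner: (sha256, env_id) -> raw detection result.
    runner: Callable[[str, str], dict]
    # Second storage area: (sha256, env_id) -> raw result of one single-environment run.
    results: Dict[Tuple[str, str], dict] = field(default_factory=dict)
    # Report cache: (sha256, set of environments) -> integrated report.
    reports: Dict[Tuple[str, FrozenSet[str]], dict] = field(default_factory=dict)
    # Preference setting conditions: (user, file_type) -> list of env_ids.
    preferences: Dict[Tuple[str, str], List[str]] = field(default_factory=dict)
    # Preset operating environment determination policy: file_type -> template env_id.
    default_policy: Dict[str, str] = field(default_factory=dict)
    runs: int = 0  # counts real sandbox runs so reuse can be measured

    def _derived_customs(self, template_id: str) -> List[Environment]:
        return [e for e in self.environments.values()
                if e.kind == "custom" and e.parent == template_id]

    def resolve(self, sha256: str, target_env_id: str) -> Tuple[dict, str, bool]:
        """Return (result, source_env_id, reused) for one target operating environment."""
        target = self.environments[target_env_id]
        if target.kind == "template":
            # Steps S102-S104: a result from a custom environment derived from this
            # template is closer to a real deployment and is reused first.
            for custom in self._derived_customs(target_env_id):
                hit = self.results.get((sha256, custom.env_id))
                if hit is not None:
                    return hit, custom.env_id, True
        # Fallback for both kinds: a historical result from the target environment itself.
        hit = self.results.get((sha256, target_env_id))
        if hit is not None:
            return hit, target_env_id, True
        # Nothing reusable: run the sample and record the result for later multiplexing.
        result = self.runner(sha256, target_env_id)
        self.runs += 1
        self.results[(sha256, target_env_id)] = result
        return result, target_env_id, False

    def environments_for(self, user: str, file_type: str) -> List[str]:
        envs = self.preferences.get((user, file_type))
        return list(envs) if envs else [self.default_policy[file_type]]

    def submit(self, user: str, sha256: str, file_type: str) -> Tuple[dict, str]:
        """Handle one upload; returns (report, 'report-cache' | 'generated')."""
        envs = self.environments_for(user, file_type)
        key = (sha256, frozenset(envs))
        if key in self.reports:                      # step S403: whole report reusable
            return self.reports[key], "report-cache"
        per_env = {env: self.resolve(sha256, env) for env in envs}
        report = {
            "sample": sha256,
            "environments": sorted(envs),
            "results": {env: r for env, (r, _, _) in per_env.items()},
            "reused_from": {env: src for env, (_, src, reused) in per_env.items() if reused},
        }
        self.reports[key] = report                   # step S419: cache as historical report
        return report, "generated"


def fake_sandbox_run(sha256: str, env_id: str) -> dict:
    # Constructed stand-in for a virtual machine run on a node server.
    return {"sample": sha256, "env": env_id, "behaviors": ["file_write", "network_connect"]}


def scenario_user_a_then_b() -> Tuple[DetectionSystem, Tuple[dict, str], Tuple[dict, str]]:
    """User A (explicit preferences) submits first; user B relies on the default policy."""
    envs = {
        "T1": Environment("T1", "template"),
        "T2": Environment("T2", "template"),
        "env1": Environment("env1", "custom", parent="T1", creator="userA"),
        "env2": Environment("env2", "custom", parent="T2", creator="userA"),
    }
    system = DetectionSystem(environments=envs, runner=fake_sandbox_run)
    system.preferences[("userA", "F")] = ["env1", "env2"]
    system.default_policy["F"] = "T2"
    sample = "sha256-of-sample-1"  # constructed placeholder, not a real hash
    report_a = system.submit("userA", sample, "F")   # two real runs
    report_b = system.submit("userB", sample, "F")   # T2 satisfied by env2's result
    return system, report_a, report_b
```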
It should be noted that the purpose of reusing detection results in the present application is to save detection resources and improve detection efficiency. Detection results can be reused for two reasons. First, the malicious behaviour of some samples is strongly tied to the operating system and independent of installed software; for example, starting and running a Windows executable (exe) does not depend on third-party software, so the behaviour of the exe file is not affected by the software installed in the running environment. Second, some users do not care how a sample is run or which software runs it; they care only about the detection result. The method combines two design points: a custom running environment and its running environment template share the same operating system, and the preset running environment determination policy binds some file types to a particular running environment template. A detection result obtained in a custom running environment is therefore also valid for the running environment template from which that custom environment was derived and can serve as the detection result for that template. This achieves result reuse: some detection tasks can reuse historical detection results instead of consuming further detection resources, reports are produced quickly, and detection efficiency is indirectly improved.
In an optional embodiment, the target running environment is stored in the first storage area in the form of a virtual machine file, the sample file detection system firstly converts the target running environment into a virtual machine, runs the sample file on the virtual machine, and then obtains running record data of the sample file when the sample file runs in the virtual machine; and performing data filtering processing on the operation record data to obtain target data, wherein the data filtering processing is used for filtering invalid data in the operation record data. And finally, analyzing the target data by the sample file detection system to obtain a target detection result.
Optionally, the running environment template and the custom running environment in the present application are expressed as a virtual machine file in storage, and the file format is determined according to the virtualization component used in deployment, for example, if the virtualization component is a KVM component, the expression mode of the running environment template and the custom running environment may be a qcow2 file, or the like; if the virtualized component is a VMWARE component, the representation mode of the running environment template and the custom running environment can be an OVF file or an OVA file, etc.
In addition, each node server is also provided with an operation record analysis module, and the operation record analysis module is used for processing operation record data. Firstly, after the operation record data is obtained, the operation record analysis module rejects invalid data according to a predetermined logic, wherein the invalid data can be understood as redundant information in the operation record data. After invalid data are filtered, the operation record analysis module can obtain target data, and then the operation record analysis module can further simplify and summarize the target data, so that a clear and readable detection result is formed. It should be noted that the running record data not only comes from the record data on the virtual machine, but also includes the record data from the environment surrounding the virtual machine. The virtual machine peripheral environment comprises peripheral equipment such as a virtual network card of the virtual machine, and the running record data comprises but is not limited to log files, screenshot files, network flow files, memory binary files, tampered configuration record files of the system and the like.
In an optional embodiment, the sample file detection system further obtains an operation duration of the sample file in the virtual machine, and when the operation duration is longer than a preset duration, the sample file detection system prohibits the sample file from continuing to operate, and updates the operation state of the sample file to be a state in which the operation is completed.
It should be noted that some abnormal sample files may be a virus program, and abnormal behaviors shown in a target running environment where the abnormal sample files are located may cause the virtual machine to run the abnormal sample files in a dead loop manner.
As can be seen from the above, the sample file is actually executed in a virtual machine. Fig. 6 shows a timing chart of converting a custom running environment into a virtual machine according to an embodiment of the present application. Taking user A as an example, the process from defining a running environment to converting it into a virtual machine includes the following steps:
step S601, checking whether the existing operating environment stored in the operating environment library management module meets the requirement by the user A, if so, directly turning to step S612, and if not, turning to step S602;
step S602, a user A obtains and checks pre-deployed operation environment templates, selects an operation environment template meeting self requirements from the operation environment templates and downloads the operation environment template to the local;
step S603, the user A carries out operation environment self-defining operation on the basis of the downloaded operation environment template, wherein the operation environment self-defining operation comprises environment adjustment such as system service starting and stopping or adding, software adding and updating or unloading and the like;
step S604, the user A uploads the customized user-defined running environment to a running environment management module;
step S605, after receiving the user-defined operation environment uploaded by the user A, the operation environment management module updates the operation environment record to realize the sharing of the operation environment, namely, the operation environment management module is visible to all users;
step S606, the operation environment library management module informs the node management module that the operation environment is updated;
step S607, the node management module synchronizes the new operation environment (i.e. the user-defined operation environment created by the user A) to each node server;
step S608, after the synchronization is completed, the node management module notifies the virtual machine management module on each node server to create the virtual machines of the specified number of the custom operation environment;
step S609, after the virtual machine management module on the node server completes the creation of the virtual machine, the created result is fed back to the node management module;
step S610, the node management module updates and records the type of the virtual machines and the number of each type of virtual machines on the node server;
step S611, the user-defined operating environment takes effect, and all subsequent users can bind the file type with the user-defined operating environment by setting the preference setting condition. Subsequently, go to step S613;
step S612, the existing operating environment can meet the requirements, the user A can directly set preference setting conditions without customizing the operating environment, and the process goes to step S613;
in step S613, the flow ends.
It should be noted that each target operating environment corresponds to a plurality of virtual machines, and each virtual machine is capable of running a sample file. Before the sample file is run on a virtual machine, the sample file detection system may check whether any of these virtual machines is in an idle state; if none is idle, it monitors the operating state of each virtual machine and, when it observes that a virtual machine has become idle, sends the sample file to that virtual machine so that the sample file is run there. Because the number of virtual machines may be limited, the management module is called to allocate virtual machines in the idle state to the sample files awaiting detection, which improves the utilisation of the virtual machines and hence detection efficiency.
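The idle-VM allocation just described, together with the running-duration limit from the earlier paragraph (a sample that exceeds the preset duration is stopped and its state set to completed), as an added Python example that is not the patent's own code. Time is a simulated integer clock, and the VM counts, durations and sample ids are constructed values.

```python
"""Added example (not from the patent): allocate idle virtual machines of a
target running environment to queued sample files, and stop any sample whose
running time reaches the preset duration (e.g. a sample stuck in a dead loop),
marking its state as completed so the VM returns to the idle pool.
Clock, VM ids and durations are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

IDLE, BUSY = "idle", "busy"


@dataclass
class VirtualMachine:
    vm_id: str
    environment: str          # the target running environment this VM was created from
    state: str = IDLE
    sample: Optional[str] = None
    started_at: int = 0


@dataclass
class Scheduler:
    preset_duration: int      # maximum running time allowed per sample (clock units)
    vms: List[VirtualMachine]
    queue: Deque[Tuple[str, str]] = field(default_factory=deque)
    needed_time: Dict[str, Optional[int]] = field(default_factory=dict)  # None = never finishes
    sample_state: Dict[str, str] = field(default_factory=dict)
    timed_out: set = field(default_factory=set)
    clock: int = 0

    def submit(self, sample_id: str, environment: str, needed_time: Optional[int]) -> None:
        """Queue a sample for its target environment; needed_time None models a dead loop."""
        self.queue.append((sample_id, environment))
        self.needed_time[sample_id] = needed_time
        self.sample_state[sample_id] = "queued"

    def idle_vm(self, environment: str) -> Optional[VirtualMachine]:
        """Detect whether a VM of this environment is in the idle state."""
        return next((vm for vm in self.vms
                     if vm.environment == environment and vm.state == IDLE), None)

    def dispatch(self) -> None:
        """Send queued samples to idle VMs; samples with no idle VM keep waiting."""
        waiting: Deque[Tuple[str, str]] = deque()
        while self.queue:
            sample_id, environment = self.queue.popleft()
            vm = self.idle_vm(environment)
            if vm is None:
                waiting.append((sample_id, environment))
                continue
            vm.state, vm.sample, vm.started_at = BUSY, sample_id, self.clock
            self.sample_state[sample_id] = "running"
        self.queue = waiting

    def tick(self) -> None:
        """Advance the clock one unit, release finished or over-time samples, re-dispatch."""
        self.clock += 1
        for vm in self.vms:
            if vm.state != BUSY:
                continue
            need = self.needed_time[vm.sample]
            elapsed = self.clock - vm.started_at
            if need is not None and elapsed >= need:
                self._release(vm)                    # normal completion
            elif elapsed >= self.preset_duration:
                self.timed_out.add(vm.sample)        # stopped by the duration limit
                self._release(vm)                    # state still recorded as completed
        self.dispatch()

    def _release(self, vm: VirtualMachine) -> None:
        self.sample_state[vm.sample] = "completed"
        vm.state, vm.sample = IDLE, None

    def run_until_idle(self, max_ticks: int = 1000) -> Dict[str, str]:
        """Run the simulation until the queue is empty and every VM is idle."""
        self.dispatch()
        for _ in range(max_ticks):
            if not self.queue and all(vm.state == IDLE for vm in self.vms):
                break
            self.tick()
        return dict(self.sample_state)


if __name__ == "__main__":
    pool = [VirtualMachine("vm-1", "env_2"), VirtualMachine("vm-2", "env_2")]
    sched = Scheduler(preset_duration=3, vms=pool)
    sched.submit("s1", "env_2", 2)
    sched.submit("s2", "env_2", None)   # dead loop: only the duration limit ends it
    sched.submit("s3", "env_2", 1)      # waits until a VM becomes idle
    print(sched.run_until_idle(), "timed out:", sched.timed_out, "clock:", sched.clock)
```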
In an optional embodiment, since each target operating environment corresponds to one detection result, after the sample file is delivered to at least one target operating environment for detection, the sample file detection system finally obtains at least one detection result. On the basis of the method, the sample file detection system can generate a target detection report about the sample file in the following two ways.
The first mode is that a detection report is generated according to the detection result of a sample file in a target operation environment, then all detection reports corresponding to at least one target operation environment are subjected to comprehensive analysis to obtain a target detection report, and the target detection report is sent to target equipment.
It should be noted that, because the user views the target detection report through the target device, the user sees the target detection report directly and not the individual detection reports. If the user wants to view the detection result in a particular target operating environment separately, the user can send a viewing request carrying a target operating environment identifier to the sample file detection system through the target device; after receiving the request, the sample file detection system sends the detection report for the target operating environment corresponding to that identifier to the target device for the user to view.
The second method is to perform comprehensive analysis on at least one detection result after obtaining at least one detection result to obtain a comprehensive analysis result, and finally generate a target detection report according to the comprehensive analysis result and send the target detection report to the target device.
It should be noted that, in the second method, no detection report is generated individually for each detection result; instead, a single target detection report is generated directly after all the detection results have been comprehensively analysed, which saves storage resources and improves the generation efficiency of the target detection report.
In an alternative embodiment, each user may configure, for each file type, the running environments to which sample files of that type may be delivered. Specifically, the sample file detection system first identifies the file type of the sample file and the user identifier corresponding to it, where the user identifier represents the user who uploaded the sample file. The system then determines the preference setting condition corresponding to the sample file from the file type and the user identifier; the preference setting condition constrains the binding relationship between the file type and at least one target operating environment, and each user identifier corresponds to one preference setting condition. Finally, the system determines at least one target operating environment from the plurality of pre-deployed operating environments according to the preference setting condition and delivers the sample file to the at least one target operating environment for detection.
Alternatively, fig. 7 shows a schematic diagram of a preference setting condition according to an embodiment of the present application. As shown in fig. 7, the preference setting condition is used to characterize the binding relationship between the file type of the sample file and the runtime environment, wherein the runtime environment must be stored in the runtime environment library. Meanwhile, the preference setting conditions are specific to users, different users can set different preference settings, and the preference setting items are managed, including activation and deactivation. The running environment library is shared, namely, the custom running environment uploaded by different users and the preset running environment template are all opened to all users. The operating environment library management module can display respective environment configuration information and relevant description of different operating environments for the user, so that the user can conveniently configure preference setting contents.
In an optional embodiment, as shown in fig. 7, when a user configures a preference setting condition, the file type to which the condition applies is ticked first; the preference setting module then automatically lists, from the running environment library associated with the user, all running environments that support running and detecting sample files of that file type, and the user selects the target running environment for each file type, with several running environments allowed to be ticked as target running environments at the same time. A newly added preference setting is enabled by default, and the user may disable an enabled preference setting condition at any time.
In fig. 7, the preference setting condition of one user contains three preference setting entries: the target running environments for file type doc are running environment 1 and running environment 3; the target running environment for file type exe64 is running environment 2; and the target running environments for file type exe32 are running environment 2 and running environment 3. The preference settings for file types doc and exe32 are enabled, and the preference setting for file type exe64 is disabled.
In an optional embodiment, in a case that the preference setting condition corresponding to the sample file is not detected according to the file type and the user identifier, the sample file detection system starts a preset operation environment determination policy, where the operation environment determination policy is used to directly determine one operation environment from the multiple operation environments as the target operation environment.
Optionally, for file types without configuration of preference setting conditions and for file types with configuration of preference setting conditions but with disabled corresponding preference setting entries, the application provides a preset operation environment determination policy, by which an appropriate operation environment can be selected by default for sample files of these file types. For example, the file type of the sample file 1 has no corresponding preference setting condition, and according to a preset operating environment determination policy, the sample file detection system may determine a sample file (assumed to be sample file a) closest to the sample file 1 from a pre-stored sample file library, and then the sample file detection system determines that the operating environment corresponding to the sample file a is the default operating environment corresponding to the sample file 1.
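The preference lookup and fallback to the preset determination policy described above, as an added Python example that is not the patent's own code. The preference entries are the fig. 7 data; the file-type-to-template binding, the sample library contents and the closeness measure used to pick the nearest library sample (Jaccard similarity over 4-byte shingles) are assumptions, since the patent does not define them.

```python
"""Added example (not from the patent): decide which running environments a
sample file is delivered to. An enabled preference setting entry for
(user, file type) wins; otherwise the preset running environment
determination policy picks a single environment, first from a file-type to
template binding, else from the environment of the nearest library sample.
Closeness measure, template binding and library contents are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PreferenceEntry:
    file_type: str
    environments: List[str]   # target running environments from the shared library
    enabled: bool = True


# Per-user preference setting conditions; user_A's entries are the fig. 7 example.
PREFERENCES: Dict[str, List[PreferenceEntry]] = {
    "user_A": [
        PreferenceEntry("doc", ["env_1", "env_3"], enabled=True),
        PreferenceEntry("exe64", ["env_2"], enabled=False),
        PreferenceEntry("exe32", ["env_2", "env_3"], enabled=True),
    ],
}

# Preset policy, part 1 (constructed): some file types are bound to a template.
TYPE_TO_TEMPLATE: Dict[str, str] = {"exe64": "template_2"}

# Preset policy, part 2 (constructed): previously detected samples and the
# environment each was run in: (sample id, file type, content, environment).
SAMPLE_LIBRARY: List[Tuple[str, str, bytes, str]] = [
    ("sample_a", "doc", b"\xd0\xcf\x11\xe0 Word.Document.8 macros", "template_1"),
    ("sample_b", "doc", b"PK\x03\x04 word/document.xml", "env_3"),
]


def shingles(data: bytes, k: int = 4) -> Set[bytes]:
    """All k-byte windows of the content (assumed closeness feature)."""
    return {data[i:i + k] for i in range(max(len(data) - k + 1, 1))}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def nearest_sample_environment(file_type: str, data: bytes) -> Optional[str]:
    """Environment of the library sample of the same type closest to the upload."""
    best, best_score = None, -1.0
    query = shingles(data)
    for _, lib_type, lib_bytes, env in SAMPLE_LIBRARY:
        if lib_type != file_type:
            continue
        score = jaccard(query, shingles(lib_bytes))
        if score > best_score:
            best, best_score = env, score
    return best


def determine_target_environments(user_id: str, file_type: str,
                                  data: bytes) -> Tuple[List[str], str]:
    """Return (target environments, 'preference' | 'policy').

    A disabled entry is treated exactly like a missing one: the preset policy
    applies and yields one environment.
    """
    for entry in PREFERENCES.get(user_id, []):
        if entry.file_type == file_type and entry.enabled:
            return list(entry.environments), "preference"
    if file_type in TYPE_TO_TEMPLATE:
        return [TYPE_TO_TEMPLATE[file_type]], "policy"
    env = nearest_sample_environment(file_type, data)
    if env is None:
        raise LookupError(f"no default running environment for file type {file_type!r}")
    return [env], "policy"


if __name__ == "__main__":
    upload = b"\xd0\xcf\x11\xe0 Word.Document.8 vbaProject"   # constructed doc sample
    print(determine_target_environments("user_A", "doc", upload))    # preference
    print(determine_target_environments("user_A", "exe64", b"MZ"))   # disabled -> policy
    print(determine_target_environments("user_B", "doc", upload))    # no entry -> policy
```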
In an alternative embodiment, the technical solution of the present application is further described below with two application scenario examples. The first scenario is multi-running-environment detection. Assume that user A sets a preference setting condition under which sample files of the specified sample file type B are sent to running environment C and running environment D for detection. User A then submits a sample file E whose sample file type is B. According to the technical solution of the present application, sample file E is sent simultaneously to the virtual machines corresponding to running environment C and running environment D for detection and analysis. Finally, user A receives a target detection report containing the detection result from running environment C and the detection result from running environment D. The malicious behaviour of sample file E may be found in running environment C, in running environment D, or in both.
It is readily noted that multi-environment detection enables sample files to run in more environments, providing more platforms to represent file behavior for sample files, thereby increasing the likelihood of discovering sample file malicious behavior.
The second scenario concerns the custom running environment. Suppose user A customises and uploads a custom running environment C based on the pre-deployed running environment template B. User A sets a preference setting condition under which sample files of the specified sample file type F are sent to running environment C and running environment D for detection simultaneously. Running environment D may be a running environment template of the sample file detection system itself or a custom running environment uploaded by another user. User A submits a sample file E whose sample file type is F. Sample file E is sent simultaneously to the virtual machines corresponding to running environment C and running environment D for detection and analysis. Finally, user A receives a target detection report containing the detection result from running environment C and the detection result from running environment D.
It should be noted that, by supporting the user-defined operation environment, the method and the device can simulate the actual office ecological environment of the user to the greatest extent so as to discover malicious files with attack risks to the ecology of the user, and further can provide more accurate malicious file discovery service for the user.
Example 2
According to an embodiment of the present application, an embodiment of a device for detecting a sample file is further provided, where fig. 8 is a schematic diagram of an alternative device for detecting a sample file according to an embodiment of the present application, and as shown in fig. 8, the device includes: an acquisition module 801, a first detection module 802, a second detection module 803, and a determination module 804.
The obtaining module 801 is configured to obtain a sample file to be detected and a target operating environment corresponding to the sample file, where the target operating environment is an operating environment for detecting whether the sample file is abnormal, the target operating environment is a first type of operating environment or a second type of operating environment, the first type of operating environment is an operating environment obtained after environment adjustment is performed based on the second type of operating environment, and the environment adjustment at least includes adjustment of an operating system and/or adjustment of software; a first detecting module 802, configured to detect whether a first operating environment corresponding to a target operating environment exists in a first storage area when the target operating environment is a second type of operating environment, where the first operating environment is a first type of operating environment obtained after environment adjustment is performed based on the target operating environment; a second detecting module 803, configured to detect whether a first historical detection result exists in the second storage area when the first storage area has the first operating environment, where the first historical detection result is a historical detection result obtained when the sample file is detected in the first operating environment, the first storage area is used to store all operating environments, and the second storage area is used to store all historical detection results; the determining module 804 is configured to determine, when the first historical detection result exists in the second storage area, that the first historical detection result is a target detection result of the sample file in the target operation environment.
It should be noted that the acquiring module 801, the first detecting module 802, the second detecting module 803, and the determining module 804 correspond to steps S101 to S104 in the foregoing embodiment, and the four modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in embodiment 1.
Optionally, each first type of execution environment corresponds to a creating user identifier, and the state of each first type of execution environment is a shared state, where the creating user identifier is used to characterize the user creating the execution environment, and the shared state is used to characterize the execution environment as visible to all users and each user can use the execution environment to detect the sample file.
Optionally, the apparatus for detecting a sample file further includes: the device comprises a third detection module, a first determination module and a first conveying module. The third detection module is used for detecting whether a second historical detection result exists in the second storage area if the first operating environment does not exist in the first storage area or the first historical detection result does not exist in the second storage area when the target operating environment is a second type of operating environment, wherein the second historical detection result is a historical detection result obtained when the sample file is detected in the target operating environment; the first determining module is used for determining that the second historical detection result is a target detection result of the sample file in the target operation environment when the second historical detection result exists in the second storage area; and the first conveying module is used for conveying the sample file to a target operation environment for detection when the second historical detection result does not exist in the second storage area, so as to obtain a target detection result of the sample file in the target operation environment.
Optionally, the apparatus for detecting a sample file further includes: the device comprises a fourth detection module, a second determination module and a second conveying module. The fourth detection module is configured to detect whether a second historical detection result exists in the second storage area when the target operating environment is the first type of operating environment, where the second historical detection result is a historical detection result obtained when the sample file is detected in the target operating environment; the second determining module is used for determining that the second historical detection result is a target detection result of the sample file in the target operation environment when the second historical detection result exists in the second storage area; and the second conveying module is used for conveying the sample file to the target operation environment for detection when the second historical detection result does not exist in the second storage area, so as to obtain a target detection result of the sample file in the target operation environment.
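The historical-result lookup performed by the acquisition, first detection, second detection and determination modules above (and, in Example 1, the reuse of user A's detection result 2 when user B's copy of sample file 1 is routed to running environment template 2), as an added Python example that is not the patent's own code. Environment names, the two storage areas as in-memory dictionaries, and the sample ids are constructed for illustration.

```python
"""Added example (not from the patent): resolve the target detection result
for (sample, target running environment) from the two storage areas before
spending a detection run. A "template" is the second type of running
environment; a "custom" environment is the first type, derived from a
template by adjusting the operating system or installed software, so a
result obtained in a custom environment also serves its template.
Names and storage layouts are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RunningEnvironment:
    name: str
    kind: str                      # "template" or "custom"
    template: Optional[str] = None  # custom only: template it was derived from
    creator: Optional[str] = None   # creating user identifier; shared with all users


@dataclass
class EnvironmentLibrary:
    """First storage area: all running environments."""
    environments: Dict[str, RunningEnvironment] = field(default_factory=dict)

    def add(self, env: RunningEnvironment) -> None:
        self.environments[env.name] = env

    def custom_derived_from(self, template_name: str) -> List[RunningEnvironment]:
        return [e for e in self.environments.values()
                if e.kind == "custom" and e.template == template_name]


@dataclass
class ResultLibrary:
    """Second storage area: historical results keyed by (sample id, environment)."""
    results: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def get(self, sample_id: str, env_name: str) -> Optional[str]:
        return self.results.get((sample_id, env_name))

    def put(self, sample_id: str, env_name: str, result: str) -> None:
        self.results[(sample_id, env_name)] = result


def resolve_detection_result(sample_id: str, target_env_name: str,
                             env_lib: EnvironmentLibrary, result_lib: ResultLibrary,
                             run_sample: Callable[[str, str], str]) -> Tuple[str, str]:
    """Return (result, source); source is one of
    'reused-custom', 'reused-direct' or 'fresh-run'."""
    target = env_lib.environments[target_env_name]

    # Second-type target: a custom environment derived from it shares the same
    # operating system, so its historical result for this sample can be reused.
    if target.kind == "template":
        for custom in env_lib.custom_derived_from(target.name):
            hist = result_lib.get(sample_id, custom.name)
            if hist is not None:
                return hist, "reused-custom"

    # Either type: a result recorded in the target environment itself.
    hist = result_lib.get(sample_id, target.name)
    if hist is not None:
        return hist, "reused-direct"

    # No usable history: deliver the sample for detection and record the result.
    result = run_sample(sample_id, target.name)
    result_lib.put(sample_id, target.name, result)
    return result, "fresh-run"


def demo_user_b_resubmits_sample_1() -> Tuple[str, str, int]:
    """Example 1 scenario: user A ran sample 1 in env_1 and env_2; user B's
    upload is routed by policy to template_2 and reuses env_2's result.
    Returns (result, source, number of detection runs actually performed)."""
    env_lib = EnvironmentLibrary()
    env_lib.add(RunningEnvironment("template_1", "template"))
    env_lib.add(RunningEnvironment("template_2", "template"))
    env_lib.add(RunningEnvironment("env_1", "custom", "template_1", "user_A"))
    env_lib.add(RunningEnvironment("env_2", "custom", "template_2", "user_A"))
    result_lib = ResultLibrary()
    runs: List[Tuple[str, str]] = []

    def run_sample(sample_id: str, env_name: str) -> str:
        runs.append((sample_id, env_name))       # stands in for the sandbox run
        return f"result of {sample_id} in {env_name}"

    for env in ("env_1", "env_2"):               # user A: two fresh runs
        resolve_detection_result("sample_1", env, env_lib, result_lib, run_sample)
    result, source = resolve_detection_result("sample_1", "template_2",
                                              env_lib, result_lib, run_sample)
    return result, source, len(runs)


if __name__ == "__main__":
    print(demo_user_b_resubmits_sample_1())
```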
Optionally, the apparatus for detecting a sample file further includes: the device comprises a conversion module, a first acquisition module, a data processing module and a first analysis module. The conversion module is used for converting the target running environment into a virtual machine and running the sample file on the virtual machine; the first acquisition module is used for acquiring running record data of the sample file during running in the virtual machine; the data processing module is used for performing data filtering processing on the operation record data to obtain target data, wherein the data filtering processing is used for filtering invalid data in the operation record data; and the first analysis module is used for analyzing the target data to obtain a target detection result.
Optionally, the conversion module further includes: a first acquisition unit and a prohibition unit. The first acquisition unit is used for acquiring the running time of the sample file in the virtual machine; and the prohibition unit is used for prohibiting the sample file from continuing to run when the running time exceeds the preset time, and updating the running state of the sample file to the running-completed state.
Optionally, the apparatus for detecting a sample file further includes: the device comprises a second acquisition module, a second analysis module and a first generation module. The second acquisition module is used for acquiring a plurality of target detection results, wherein each target detection result corresponds to one target operation environment; the second analysis module is used for comprehensively analyzing the multiple target detection results to obtain comprehensive analysis results; and the first generation module is used for generating a target detection report according to the comprehensive analysis result and sending the target detection report to the target equipment.
Optionally, the apparatus for detecting a sample file further includes: the second generation module and the third analysis module. The second generating module is used for generating a detection report according to each target detection result to obtain a plurality of detection reports; and the third analysis module is used for comprehensively analyzing the plurality of detection reports to obtain a target detection report and sending the target detection report to the target equipment.
Example 3
According to another aspect of the embodiments of the present application, there is also provided a computer-readable storage medium, in which a computer program is stored, where the computer program is configured to execute the detection method of the sample file in the above embodiment 1 when running.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technical content can be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application, or portions or all or portions of the technical solutions that contribute to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. A method for detecting a sample file, characterized in that it comprises the following steps:
acquiring a sample file to be detected and a target operating environment corresponding to the sample file, wherein the target operating environment is an operating environment for detecting whether the sample file is abnormal, the target operating environment is a first type of operating environment or a second type of operating environment, the first type of operating environment is an operating environment obtained after environment adjustment is performed on the basis of the second type of operating environment, and the environment adjustment comprises at least adjustment of an operating system and/or adjustment of software;
when the target operating environment is the second type of operating environment, detecting whether a first operating environment corresponding to the target operating environment exists in a first storage area, wherein the first operating environment is a first type of operating environment obtained after environment adjustment is carried out on the basis of the target operating environment;
under the condition that the first operating environment exists in the first storage area, detecting whether a first historical detection result exists in a second storage area, wherein the first historical detection result is a historical detection result obtained when the sample file is detected under the first operating environment, the first storage area is used for storing all operating environments, and the second storage area is used for storing all historical detection results;
and when the first historical detection result exists in the second storage area, determining that the first historical detection result is a target detection result of the sample file in the target operating environment.
2. The method according to claim 1, wherein each operating environment of the first type corresponds to a creating user identifier and the state of each operating environment of the first type is a shared state, wherein the creating user identifier is used to identify the user who created the operating environment, and the shared state indicates that the operating environment is visible to all users and that each user can use it to detect the sample file.
3. The method of claim 1, further comprising:
when the target operating environment is the second type of operating environment, if the first operating environment does not exist in the first storage area or the first historical detection result does not exist in the second storage area, detecting whether a second historical detection result exists in the second storage area, wherein the second historical detection result is a historical detection result obtained when the sample file is detected in the target operating environment;
when the second historical detection result exists in the second storage area, determining that the second historical detection result is a target detection result of the sample file in the target operation environment;
and when the second historical detection result does not exist in the second storage area, delivering the sample file to the target operating environment for detection, and obtaining a target detection result of the sample file in the target operating environment.
4. The method according to claim 1, wherein after acquiring the sample file to be detected and the target operating environment corresponding to the sample file, the method further comprises:
when the target operating environment is the first type of operating environment, detecting whether a second historical detection result exists in the second storage area, wherein the second historical detection result is a historical detection result obtained when the sample file is detected in the target operating environment;
when the second historical detection result exists in the second storage area, determining that the second historical detection result is a target detection result of the sample file in the target operating environment;
and when the second historical detection result does not exist in the second storage area, delivering the sample file to the target operating environment for detection, and obtaining a target detection result of the sample file in the target operating environment.
5. The method according to claim 3 or 4, wherein the target operating environment is stored in the first storage area in the form of a virtual machine file, and delivering the sample file to the target operating environment for detection and obtaining a target detection result of the sample file in the target operating environment comprises:
converting the target operating environment into a virtual machine, and running the sample file on the virtual machine;
acquiring running record data of the sample file while it runs in the virtual machine;
performing data filtering processing on the running record data to obtain target data, wherein the data filtering processing filters invalid data out of the running record data;
and analyzing the target data to obtain the target detection result.
6. The method according to claim 5, wherein converting the target operating environment into a virtual machine and running the sample file on the virtual machine comprises:
acquiring the running time of the sample file in the virtual machine;
and when the running time is longer than the preset time, forbidding the sample file to continue running, and updating the running state of the sample file to be the running completion state.
7. The method of claim 1, wherein the sample file corresponds to a plurality of target operating environments, and the method further comprises:
obtaining a plurality of target detection results, wherein each target detection result corresponds to one target operating environment;
comprehensively analyzing the plurality of target detection results to obtain a comprehensive analysis result;
and generating a target detection report according to the comprehensive analysis result, and sending the target detection report to target equipment.
8. The method of claim 7, wherein after obtaining a plurality of target detection results, the method further comprises:
generating a detection report according to each target detection result, thereby obtaining a plurality of detection reports from the plurality of target detection results;
and comprehensively analyzing the detection reports to obtain the target detection report, and sending the target detection report to the target equipment.
9. An apparatus for detecting a sample file, comprising:
an acquisition module, a storage module and a processing module, wherein the acquisition module is configured to acquire a sample file to be detected and a target operating environment corresponding to the sample file, the target operating environment is used for detecting whether the sample file is abnormal, the target operating environment is a first type of operating environment or a second type of operating environment, the first type of operating environment is an operating environment obtained after environment adjustment is performed on the basis of the second type of operating environment, and the environment adjustment comprises at least adjustment of an operating system and/or adjustment of software;
a first detection module, configured to detect whether a first operating environment corresponding to the target operating environment exists in a first storage area when the target operating environment is the second type of operating environment, wherein the first operating environment is a first type of operating environment obtained after environment adjustment is performed on the basis of the target operating environment;
a second detection module, configured to detect whether a first historical detection result exists in a second storage area under the condition that the first operating environment exists in the first storage area, wherein the first historical detection result is a historical detection result obtained when the sample file is detected in the first operating environment, the first storage area is used to store all operating environments, and the second storage area is used to store all historical detection results;
and a determining module, configured to determine that the first historical detection result is the target detection result of the sample file in the target operating environment when the first historical detection result exists in the second storage area.
10. A computer-readable storage medium, in which a computer program is stored, wherein the computer program is arranged to execute the method of detecting a sample file according to any one of claims 1 to 8 when running.
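The lookup order of claims 1, 3 and 4, written out as an added Python example (not code from the patent or its applicant); the environment ids, the content-hash result key and the sandbox callback are assumptions. Note that, as claimed, a verdict recorded in an adjusted (first-type) environment is reused for its base environment, so such a cache hit carries the adjusted environment's behaviour, not an independent run in the base one.

```python
"""Added example (not the patent's own code): the result-lookup order of
claims 1, 3 and 4, with a hash-keyed result store and a sandbox callback
standing in for the two storage areas and the virtual machine run."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Environment:
    env_id: str
    # For a first-type (adjusted) environment: the second-type environment it
    # was adjusted from. None marks a second-type (base) environment.
    base_id: Optional[str] = None


@dataclass
class Stores:
    environments: Dict[str, Environment] = field(default_factory=dict)  # first storage area
    results: Dict[Tuple[str, str], str] = field(default_factory=dict)   # second storage area


def sample_id(data: bytes) -> str:
    """Key historical results by content hash, not file name (assumption)."""
    return hashlib.sha256(data).hexdigest()


def derived_environment(stores: Stores, target: Environment) -> Optional[Environment]:
    """The first-type environment adjusted from `target`, if one is stored (claim 1)."""
    for env in stores.environments.values():
        if env.base_id == target.env_id:
            return env
    return None


def detect(stores: Stores, data: bytes, target: Environment,
           run_sandbox: Callable[[bytes, Environment], str]) -> Tuple[str, str]:
    """Return (verdict, provenance) in the claimed order:
    1. base target: reuse a result recorded in its adjusted environment (claim 1);
    2. otherwise reuse a result recorded in the target itself (claims 3 and 4);
    3. otherwise run the sample in the target environment and record the result."""
    sid = sample_id(data)
    if target.base_id is None:                      # second-type (base) environment
        derived = derived_environment(stores, target)
        if derived is not None:
            hit = stores.results.get((sid, derived.env_id))
            if hit is not None:
                return hit, "reused:" + derived.env_id
    hit = stores.results.get((sid, target.env_id))
    if hit is not None:
        return hit, "reused:" + target.env_id
    verdict = run_sandbox(data, target)             # the VM run of claim 5, abstracted
    stores.results[(sid, target.env_id)] = verdict
    return verdict, "sandbox:" + target.env_id
```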

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211056146.9A CN115438338A (en) 2022-08-31 2022-08-31 Sample file detection method and device and computer readable storage medium


Publications (1)

Publication Number Publication Date
CN115438338A true CN115438338A (en) 2022-12-06

Family

ID=84243663


Country Status (1)

Country Link
CN (1) CN115438338A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination