TWI827203B - Verification system and verification method for malicious file of container - Google Patents
- Publication number: TWI827203B
- Application number: TW111131111A
- Authority: TW (Taiwan)
- Prior art keywords
- container
- interface
- file
- transcription
- running
- Prior art date
Landscapes
- Debugging And Monitoring (AREA)
Abstract
Description
The present invention relates to a verification system and a verification method for malicious files in a container.
A container (for example, a Docker container) packages an application together with the environment needed to run it, such as libraries or configuration files. Containers are highly portable and can be deployed to any hardware device for execution. When a container contains a malicious file, executing the container may damage the container. Determining whether a container contains a malicious file that would cause an anomaly is therefore one of the important problems in this field.
The present invention provides a verification system and a verification method for malicious files in a container, which can verify whether a container contains a malicious file.
A verification system for malicious files in a container according to the present invention includes a storage medium and a processor. The storage medium stores a plurality of modules. The processor is coupled to the storage medium and a transceiver, and accesses and executes the modules, which include a container transcription management interface, a container transcription interface and a container operation analysis interface. The container transcription management interface obtains operating parameters from the container runtime interface of the container and copies the container runtime interface to generate the container transcription interface. The container transcription interface accesses the container file system of the container and runs according to the container file system and the operating parameters, thereby generating output parameters. The container operation analysis interface determines from the output parameters whether an abnormal event has occurred and, in response to determining that an abnormal event has occurred, determines that the container contains a malicious file and prohibits the container from running.
In an embodiment of the present invention, the container operation analysis interface instructs the container to run in response to determining that no abnormal event has occurred.
In an embodiment of the present invention, the modules further include a container file feature database and a container file analysis interface. The container file feature database stores file features corresponding to the files in the container file system. The container file analysis interface reads the header of a file to determine whether the header matches the file features and, in response to determining that the header matches the file features, instructs the container transcription management interface to generate the container transcription interface.
In an embodiment of the present invention, the container file analysis interface obtains the operating parameters from the container transcription management interface, determines whether the operating parameters match the file features and, in response to determining that the operating parameters match the file features, instructs the container transcription management interface to generate the container transcription interface.
In an embodiment of the present invention, the output parameters include container status information, central processing unit (CPU) usage information and memory usage information.
In an embodiment of the present invention, the CPU usage information includes a current CPU usage. The container operation analysis interface determines from the container status information whether the container transcription interface has stopped running and, in response to determining that the container transcription interface has stopped running and the current CPU usage is not zero, determines that an abnormal event has occurred.
In an embodiment of the present invention, the memory usage information includes a current memory usage. The container operation analysis interface determines from the container status information whether the container transcription interface has stopped running and, in response to determining that the container transcription interface has stopped running and the current memory usage is not zero, determines that an abnormal event has occurred.
In an embodiment of the present invention, the CPU usage information includes a plurality of CPU usage values, and the container operation analysis interface determines that an abnormal event has occurred in response to one of the CPU usage values exceeding a usage limit.
In an embodiment of the present invention, the memory usage information includes a plurality of memory usage values, and the container operation analysis interface determines that an abnormal event has occurred in response to one of the memory usage values exceeding a usage limit.
In an embodiment of the present invention, the operating parameters include at least one of the following: a container identifier, a container command, a container status, a CPU usage and a memory usage.
A verification method for malicious files in a container according to the present invention includes: obtaining operating parameters from the container runtime interface of the container, and copying the container runtime interface to generate a container transcription interface; accessing, by the container transcription interface, the container file system of the container so as to run according to the container file system and the operating parameters, thereby generating output parameters; and determining from the output parameters whether an abnormal event has occurred and, in response to determining that an abnormal event has occurred, determining that the container contains a malicious file and prohibiting the container from running.
Based on the above, the present invention discloses a verification system and a verification method for malicious files in a container. Before the container executes a file in the container file system, the file can be analyzed according to the file's operating parameters and the file features recorded in the container file feature database. If the file matches the file features, the invention first transcribes the corresponding container execution environment, so that the transcribed execution environment is isolated from the original container environment, and then executes the transcribed container. From the execution result of the transcribed container, the invention determines whether the container contains a malicious file and thereby decides whether to allow or prohibit the container from running. This prevents a container that contains a malicious file from being executed and the container from being damaged as a result.
10: Verification system
100: Container file analysis interface
11: Processor
110: Container portable executable header analysis
12: Storage medium
120: Container parameter analysis interface
13: Transceiver
200: Container transcription management interface
21: Container runtime interface
22: Container file system
300: Container transcription interface
310: Container runtime transcription interface
400: Container operation analysis interface
410: Container status analysis interface
420: Container information synthesis interface
500: Container file feature database
S610, S620, S630: Steps
FIG. 1 is a schematic diagram of a verification system for malicious files in a container according to an embodiment of the present invention.
FIG. 2 is a schematic diagram of the verification system and a container to be executed according to an embodiment of the present invention.
FIG. 3 is a detailed schematic diagram of the container file analysis interface according to an embodiment of the present invention.
FIG. 4 is a detailed schematic diagram of the container transcription interface according to an embodiment of the present invention.
FIG. 5 is a detailed schematic diagram of the container operation analysis interface according to an embodiment of the present invention.
FIG. 6 is a flow chart of a verification method for malicious files in a container according to an embodiment of the present invention.
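FIG. 1 is a schematic diagram of a verification system 10 for malicious files in a container according to an embodiment of the present invention. The verification system 10 may include a processor 11, a storage medium 12 and a transceiver 13.
The processor 11 is, for example, a central processing unit (CPU) or another programmable general-purpose or special-purpose micro control unit (MCU), microprocessor, digital signal processor (DSP), programmable controller, application specific integrated circuit (ASIC), graphics processing unit (GPU), image signal processor (ISP), image processing unit (IPU), arithmetic logic unit (ALU), complex programmable logic device (CPLD), field programmable gate array (FPGA), or other similar component, or a combination of the above. The processor 11 may be coupled to the storage medium 12 and the transceiver 13, and may access and execute the modules and applications stored in the storage medium 12.
The storage medium 12 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive (HDD), solid state drive (SSD), or similar component, or a combination of the above, and stores the modules and applications executable by the processor 11. In this embodiment, the storage medium 12 may store modules including a container file analysis interface 100, a container transcription management interface 200, a container transcription interface 300, a container operation analysis interface 400 and a container file feature database 500, whose functions are described below.
The transceiver 13 transmits and receives signals wirelessly or over a wire. The transceiver 13 may also perform operations such as low-noise amplification, impedance matching, frequency mixing, up- or down-conversion, filtering, amplification and the like.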
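FIG. 2 is a schematic diagram of the verification system 10 and a container to be executed according to an embodiment of the present invention. The verification system 10 may access or execute, through the transceiver 13, the container runtime interface 21 and the container file system 22 of the container in order to run the container. The container runtime interface 21 or the container file system 22 may be installed on the storage medium 12 or on an external electronic device. The container runtime interface 21 is, for example, an application programming interface (API). The verification system 10 may interact with the container through the container runtime interface 21. The container file system 22 may contain one or more files needed to run the container, and may contain data such as binaries or libraries. The container file analysis interface 100 may be communicatively connected to the container file system 22 to access or execute the container file system 22. The container transcription management interface 200 or the container operation analysis interface 400 may be communicatively connected to the container runtime interface 21 to access or execute the container runtime interface 21.
FIG. 3 is a detailed schematic diagram of the container file analysis interface 100 according to an embodiment of the present invention. The container file analysis interface 100 may include a container portable executable header analysis 110 and a container parameter analysis interface 120. Through the container portable executable header analysis 110, the container file analysis interface 100 may obtain from the container file system 22 the files needed to run the container. The container portable executable header analysis 110 may read the header of a file, where the header is, for example, a portable executable (PE) header. The container parameter analysis interface 120 may obtain the header from the container portable executable header analysis 110. Separately, the container transcription management interface 200 may access the container runtime interface 21 to obtain the container's operating parameters from it. The container parameter analysis interface 120 may obtain the operating parameters from the container transcription management interface 200, where the operating parameters may include information such as a container identifier, a container command, a container status, a CPU usage or a memory usage. The operating parameters may also be user-defined.
The container parameter analysis interface 120 may perform feature matching on the file's header or the operating parameters to determine whether the file is of a permitted type. Specifically, the container file feature database 500 may pre-store file features corresponding to the files in the container file system 22, where the file features may include, but are not limited to, the mapping between information in the header and the file extension, a blacklist, a whitelist, a limit on CPU usage, or a limit on memory usage. The container parameter analysis interface 120 may determine whether the file's header or the operating parameters match the container's file features. If the file's header or the operating parameters match the file features, the container parameter analysis interface 120 may determine that the file is permitted and instruct the container transcription management interface 200 to perform the transcription operation on the container. If the file's header or the operating parameters do not match the file features, the container parameter analysis interface 120 may determine that the file is not permitted and prohibit the container from running. In this way, a container that contains a malicious file, or a file disabled by the system administrator, is prevented from being executed.
For example, if the file that runs the container is "test.html", the container portable executable header analysis 110 may obtain from the file's header information such as "HTML document, UTF-8 Unicode text, with very long line", "the container file system is a Docker volume" and "the operating system is Linux". The container portable executable header analysis 110 may combine the header information with the operating parameters and send them to the container parameter analysis interface 120 for feature matching.
In one embodiment, if the mapping between the file's extension and its header does not match the file features, or the file's name is not on the whitelist, the file is a counterfeit executable. Accordingly, the container parameter analysis interface 120 may prohibit the container from running.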
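The extension-versus-header check described above can be sketched as follows. This is an added example, not code from the patent: the `FileFeatures` schema, the type names and the sample files are assumptions, and the header checks cover only PE, ELF and HTML.

```python
import struct
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass
class FileFeatures:
    """Stand-in for the container file feature database (hypothetical schema)."""
    ext_to_type: dict                       # extension -> header type it must carry
    whitelist: set                          # file names permitted to run
    blacklist: set = field(default_factory=set)


def is_pe(header: bytes) -> bool:
    """True if the bytes start with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    return header[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_type(header: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    if is_pe(header):
        return "pe"
    if header.startswith(b"\x7fELF"):
        return "elf"
    text = header.lstrip().lower()
    if text.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"


def check_file(name: str, header: bytes, db: FileFeatures):
    """Return (allowed, reason) following the allow/deny rule in the text above."""
    if name in db.blacklist:
        return False, "name is blacklisted"
    if name not in db.whitelist:
        return False, "name is not on the whitelist"
    ext = PurePosixPath(name).suffix.lower()
    expected = db.ext_to_type.get(ext)
    if expected is None:
        return False, f"extension {ext!r} has no registered file feature"
    actual = detect_type(header)
    if actual != expected:
        # A name that claims one type over bytes of another is treated as counterfeit.
        return False, f"header is {actual}, but {ext} must be {expected}"
    return True, "header and extension match the file features"


# Constructed sample data (not from the patent).
DB = FileFeatures(ext_to_type={".html": "html", ".exe": "pe"},
                  whitelist={"test.html", "setup.exe"})
HTML_BYTES = b"<!DOCTYPE html>\n<html><body>ok</body></html>"
PE_BYTES = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"

if __name__ == "__main__":
    for fname, data in [("test.html", HTML_BYTES), ("test.html", PE_BYTES),
                        ("other.html", HTML_BYTES)]:
        print(fname, check_file(fname, data, DB))
```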
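FIG. 4 is a detailed schematic diagram of the container transcription interface 300 according to an embodiment of the present invention. After the container parameter analysis interface 120 determines that the file is permitted and instructs the container transcription management interface 200 to perform the transcription operation, the container transcription management interface 200 may copy the container runtime interface 21 and the container to generate the container transcription interface 300, which may include a container runtime transcription interface 310 produced by copying the container runtime interface 21 and a transcribed container produced by copying the container. The container transcription interface 300 may be a container system such as Docker or Podman, and may support files in a variety of file systems, such as the file systems of the various Unix-like families and of the Windows family.
The container transcription interface 300 may access the files in the container file system 22 so as to run according to the container file system 22 and the operating parameters, thereby generating output parameters. Specifically, the container transcription management interface 200 may use the Docker inspect technique to share the files in the container file system 22 with the container transcription interface 300, thereby triggering the container transcription interface 300 to run. The container transcription interface 300 may run the transcribed container according to the operating parameters and their corresponding files, so that the transcribed container produces the output parameters, which may include information such as container status information, CPU usage information or memory usage information. The container transcription interface 300 may send the output parameters to the container operation analysis interface 400.
For example, the container transcription interface 300 may access the file "text.html" in the container file system 22 and instruct the transcribed container to execute the file "text.html" to produce the output parameters. After the file "text.html" has finished executing, the container transcription management interface 200 may reset the container transcription interface 300 and release the resources it used (for example, CPU resources or memory resources). The container transcription management interface 200 may obtain the output parameters produced by the container transcription interface 300 and send the container's output parameters and operating parameters to the container operation analysis interface 400.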
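FIG. 5 is a detailed schematic diagram of the container operation analysis interface 400 according to an embodiment of the present invention. The container operation analysis interface 400 may include a container status analysis interface 410 and a container information synthesis interface 420. After obtaining the output parameters from the container transcription interface 300, the container status analysis interface 410 of the container operation analysis interface 400 may determine from the output parameters whether an abnormal event has occurred. If the container status analysis interface 410 determines that an abnormal event has occurred, it may determine that the original container or the container file system 22 contains a malicious file. Accordingly, the container status analysis interface 410 may output an instruction through the transceiver 13 to prohibit the container from running. If, on the other hand, the container status analysis interface 410 determines that no abnormal event has occurred, it may determine that the original container or the container file system 22 does not contain a malicious file. Accordingly, the container status analysis interface 410 may output an instruction through the transceiver 13 to instruct the container to run.
In one embodiment, the CPU usage information of the output parameters may include a current CPU usage. The container status analysis interface 410 may determine from the container status information of the output parameters whether the container transcription interface 300 (or the transcribed container) has stopped running. If the container status analysis interface 410 determines that the container transcription interface 300 has stopped running and the current CPU usage is not zero, the run of the transcribed container involved suspicious use of computing resources. Accordingly, the container status analysis interface 410 may determine that an abnormal event has occurred.
In one embodiment, the memory usage information of the output parameters may include a current memory usage. The container status analysis interface 410 may determine from the container status information of the output parameters whether the container transcription interface 300 (or the transcribed container) has stopped running. If the container status analysis interface 410 determines that the container transcription interface 300 has stopped running and the current memory usage is not zero, the run of the transcribed container involved suspicious use of memory resources. Accordingly, the container status analysis interface 410 may determine that an abnormal event has occurred.
In one embodiment, the CPU usage information of the output parameters may include a plurality of CPU usage values. The container status analysis interface 410 may determine whether any of the CPU usage values exceeds the CPU usage limit. If any of the CPU usage values exceeds the usage limit, the container status analysis interface 410 may determine that an abnormal event has occurred.
In one embodiment, the memory usage information of the output parameters may include a plurality of memory usage values. The container status analysis interface 410 may determine whether any of the memory usage values exceeds the memory usage limit. If any of the memory usage values exceeds the usage limit, the container status analysis interface 410 may determine that an abnormal event has occurred.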
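The four abnormal-event rules above (CPU or memory still in use after the transcribed container stops, and any single sample over its limit) can be evaluated together over the collected output parameters. This is an added example, not code from the patent: the JSON sample format, the status strings and the 80% and 70% limits are assumptions.

```python
import json
from dataclasses import dataclass
from typing import List

STOPPED_STATES = {"exited", "dead"}   # assumed status strings meaning "not running"


@dataclass
class OutputParameters:
    status: str          # last reported status of the transcribed container
    cpu: List[float]     # CPU usage samples in percent, oldest first
    mem: List[float]     # memory usage samples in percent, oldest first


def parse_samples(lines: List[str]) -> OutputParameters:
    """Build output parameters from JSON sample lines (hypothetical record format)."""
    records = [json.loads(line) for line in lines if line.strip()]
    if not records:
        raise ValueError("no samples collected from the transcribed container")
    return OutputParameters(status=records[-1]["status"].lower(),
                            cpu=[float(r["cpu_pct"]) for r in records],
                            mem=[float(r["mem_pct"]) for r in records])


def abnormal_events(out: OutputParameters, cpu_limit: float,
                    mem_limit: float) -> List[str]:
    """Return the name of every rule that fired; an empty list means no anomaly."""
    events = []
    stopped = out.status in STOPPED_STATES
    # Stopped, yet the current (last) sample still shows resource use.
    if stopped and out.cpu[-1] != 0:
        events.append("cpu-in-use-after-stop")
    if stopped and out.mem[-1] != 0:
        events.append("memory-in-use-after-stop")
    # Any one sample above the limit is enough, even if later samples recover.
    if any(v > cpu_limit for v in out.cpu):
        events.append("cpu-over-limit")
    if any(v > mem_limit for v in out.mem):
        events.append("memory-over-limit")
    return events


def verdict(lines: List[str], cpu_limit: float = 80.0, mem_limit: float = 70.0) -> str:
    """'prohibit' if any rule fired for the transcribed container, else 'run'."""
    events = abnormal_events(parse_samples(lines), cpu_limit, mem_limit)
    return "prohibit" if events else "run"


# Constructed sample runs (not from the patent).
CLEAN = ['{"status": "running", "cpu_pct": 12.5, "mem_pct": 8.0}',
         '{"status": "running", "cpu_pct": 30.1, "mem_pct": 9.2}',
         '{"status": "exited", "cpu_pct": 0, "mem_pct": 0}']
SPIKE = ['{"status": "running", "cpu_pct": 15.0, "mem_pct": 8.0}',
         '{"status": "running", "cpu_pct": 97.3, "mem_pct": 9.0}',
         '{"status": "exited", "cpu_pct": 0, "mem_pct": 0}']
LINGER = ['{"status": "running", "cpu_pct": 10.0, "mem_pct": 5.0}',
          '{"status": "exited", "cpu_pct": 4.2, "mem_pct": 1.5}']

if __name__ == "__main__":
    for name, run in [("clean", CLEAN), ("spike", SPIKE), ("linger", LINGER)]:
        print(name, verdict(run), abnormal_events(parse_samples(run), 80.0, 70.0))
```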
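In one embodiment, after the container status analysis interface 410 determines that no abnormal event has occurred and instructs the container to run, the container information synthesis interface 420 may access the container file system 22 to obtain the file used to run the container, obtain the operating parameters from the container runtime interface 21, or obtain the output parameters from the container transcription interface 300. The container information synthesis interface 420 may check whether information such as the file's header, the operating parameters or the output parameters matches the file features stored in the container file feature database 500. If the information matches the file features, the container information synthesis interface 420 may output an instruction through the transceiver 13 to instruct the container to run. If the information does not match the file features, the container information synthesis interface 420 may output an instruction through the transceiver 13 to prohibit the container from running.
FIG. 6 is a flow chart of a verification method for malicious files in a container according to an embodiment of the present invention, where the verification method may be implemented by the verification system 10 shown in FIG. 1. In step S610, operating parameters are obtained from the container runtime interface of the container, and the container runtime interface is copied to generate a container transcription interface. In step S620, the container transcription interface accesses the container file system of the container so as to run according to the container file system and the operating parameters, thereby generating output parameters. In step S630, whether an abnormal event has occurred is determined from the output parameters and, in response to determining that an abnormal event has occurred, the container is determined to contain a malicious file and is prohibited from running.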
In summary, the verification system and verification method for malicious files in a container of the present invention have the following features and effects. The verification system can be deployed on a client or server inside an enterprise to determine in advance, on the enterprise's behalf, whether the files in a container file system are safe, ensuring the reliability of the container system to be protected. The container file analysis interface can identify the types of the files in the container file system, so as to determine which application opens a file and on which container system and operating system it needs to run, assisting the container transcription operation. The container transcription management interface can manage the container of the file the user wants to execute, and can automatically transcribe the corresponding container according to the container environment in which the file executes. In addition, the container transcription management interface sends container information and files to the other interfaces and ensures that the execution of the transcribed container does not affect the original container. The container transcription interface can be a container system such as Docker or Podman, so as to support files in a variety of file systems, such as the file systems of the various Unix-like families and of the Windows family. The container operation analysis interface can analyze the execution status of the original container and the transcribed container, and integrates the various kinds of information together with the container file feature database to determine whether an anomaly has occurred in the transcribed container.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111131111A TWI827203B (en) | 2022-08-18 | 2022-08-18 | Verification system and verification method for malicious file of container |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW111131111A TWI827203B (en) | 2022-08-18 | 2022-08-18 | Verification system and verification method for malicious file of container |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI827203B true TWI827203B (en) | 2023-12-21 |
TW202409872A TW202409872A (en) | 2024-03-01 |
Family
ID=90053386
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW111131111A TWI827203B (en) | 2022-08-18 | 2022-08-18 | Verification system and verification method for malicious file of container |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI827203B (en) |