WO2017113948A1 - Method, apparatus and dynamic engine device for implementing sample analysis - Google Patents
- Publication number: WO2017113948A1 (PCT application PCT/CN2016/102884)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- sample
- analysis
- file
- sample file
- dynamic
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Definitions
- The invention relates to the field of security analysis, and in particular to a method, an apparatus and a dynamic engine device for implementing sample analysis.
- An APT (advanced persistent threat) not only uses traditional viruses and Trojans as a means of attack, but also carries out targeted attacks through social engineering channels such as e-mail, sending the user carefully constructed malicious files that exploit 0-day vulnerabilities (a 0-day here means a vulnerability that is exploited in the shortest possible time after it becomes known, before a fix is available).
- APT attack detection and defense technology is a research hotspot of next-generation network security.
- The detection methods used against APT attacks mainly include static engine analysis, dynamic engine analysis, and combined analysis with both a static engine and a dynamic engine.
- Combined static and dynamic engine analysis has been widely adopted. Sample detection is first performed by static engine analysis; if an anomaly is detected in a sample, real-time protection can be carried out according to the detected anomaly, while samples in which no anomaly is detected are passed to dynamic engine analysis. Combining the two analyses confirms the threat level of the sample and improves the effectiveness of sample detection.
- Figure 1 is a schematic diagram of the existing flow for analysing sample files.
- Network traffic at the ingress/egress of the network is converted to mirrored traffic by bypass mirroring and exported to a sample collection device.
- The sample collection device parses the mirrored traffic and extracts sample files from it.
- The extracted sample files are sent to the static engine device, which performs static analysis: each sample file is matched against the static engine's own feature database, and a report is output for sample files in which the static analysis detects an anomaly. Sample files in which no anomaly is detected are sent to the dynamic engine device for dynamic analysis.
- The dynamic engine device uses an independent, protected virtual analysis system that simulates the real environment and user behaviour to operate on the sample files. If a sample file is malicious, attack behaviour such as vulnerability exploitation, file dropping and system modification can be identified from its execution, thereby detecting the APT attack.
- Static engine analysis can effectively detect samples carrying known threats and thereby reduces the number of samples sent to the dynamic engine device; but the number of samples still sent to the dynamic engine device after static analysis remains very large.
- The resources of the dynamic engine device are therefore easily occupied by the detection of large numbers of low-threat samples, which reduces the efficiency of effective sample detection, and high-threat samples cannot be detected quickly. In addition, as time goes by, the detection speed of the dynamic engine device cannot keep up with the sample files that accumulate during the detection process.
- The present invention provides a method, an apparatus and a dynamic engine device for implementing sample analysis, which can improve the effective detection efficiency of samples.
- The present invention provides a method of implementing sample analysis, including: performing, according to a preset evaluation strategy, a comprehensive evaluation of one or more pieces of analysis information corresponding to each sample file;
- sorting the sample files according to the results of the comprehensive evaluation of all sample files, to determine the inspection priority of each sample file;
- sending the sample files to the dynamic analysis engine for dynamic analysis according to the sort order of the sample files.
- Optionally, the method further includes one of the following:
- the dynamic engine device receives an external command, configures the dynamic engine configuration parameters of each sample file according to the received external command, and performs dynamic engine analysis on each sample file according to the configured dynamic engine configuration parameters;
- or the dynamic engine device configures the dynamic engine configuration parameters of each sample file according to a preset configuration policy, and performs dynamic analysis of each sample file according to the configured dynamic engine configuration parameters.
- The sample files are sample files from the front end;
- the front end includes: one or more static engine devices, and/or a web (WEB) end, and/or another server that analyses sample files and outputs analysis information.
- The preset evaluation strategy includes:
- separately evaluating and counting each piece of analysis information of the sample file to obtain an evaluation statistic, and determining the comprehensive evaluation of each sample file from the evaluation statistics of its pieces of analysis information;
- the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable is normal, and/or, when the sample file is an executable file, whether the load address of the executable is normal.
- The evaluation statistics of the pieces of analysis information of a sample file are each multiplied by the comprehensive evaluation weight corresponding to that piece of analysis information and then accumulated; the accumulated result is used as the comprehensive evaluation of the sample file.
- Sorting the sample files includes:
- sorting the sample files in descending order of inspection priority according to the priority level of each sample file.
- Before the comprehensive evaluation, the method further includes:
- receiving the analysis information of the sample files, and distinguishing and saving the analysis information of each sample file separately.
- Distinguishing and saving the analysis information of each sample file includes:
- saving the analysis information of a newly added sample file under a preset file identifier;
- saving the analysis information of an existing sample file under the file identifier of that sample file;
- and, when a sample file is deleted, deleting its analysis information and the records related to that analysis information.
- Sorting all sample files specifically includes:
- sorting the sample files, based on the file identifiers, according to the results of the comprehensive evaluation of all sample files.
- The method further includes: deleting, from the sort order sent to the dynamic analysis engine, the sample files whose comprehensive evaluation is below a preset evaluation threshold;
- here the comprehensive evaluation value is proportional to the inspection priority.
- The method further includes:
- deleting, from the sort order sent to the dynamic analysis engine, the sample files that are sorted after a load threshold;
- here the sample files are sorted in descending order of inspection priority.
- The method further includes: according to a first preset period, processing the related information, in the sort order of the sample files, of the sample files whose dynamic analysis has been completed.
- The method further includes: according to a second preset period, cleaning up the analysis results of the sample files whose dynamic analysis has been completed.
- The dynamic engine configuration parameters include: the analysis duration and the analysis environment of each sample file in the dynamic engine device.
- The present application further provides an apparatus for implementing sample analysis, including: an evaluation unit, a determining unit and a sending unit; wherein
- the evaluation unit is configured to perform a comprehensive evaluation of one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy;
- the determining unit is configured to sort the sample files according to the results of the comprehensive evaluation of all sample files, to determine the inspection priority of each sample file;
- the sending unit is configured to send the sample files to the dynamic analysis engine for dynamic analysis according to the sort order of the sample files.
- The apparatus further includes a generating configuration unit, configured to generate the dynamic engine configuration parameters of each sample file according to the sending priority of each sample file and to send them to the dynamic engine device, so that the dynamic engine device performs dynamic analysis on each sample file according to the dynamic engine configuration parameters;
- the dynamic engine configuration parameters include: the analysis duration and the analysis environment of each sample file in the dynamic engine device.
- The sample files are sample files from the front end;
- the front end includes: one or more static engine devices, and/or a web (WEB) end, and/or another server that analyses sample files and outputs analysis information.
- The evaluation unit is specifically configured to:
- separately evaluate and count each piece of analysis information of the sample file, and determine the comprehensive evaluation of each sample file from the evaluation statistics of its pieces of analysis information;
- the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable is normal, and/or, when the sample file is an executable file, whether the load address of the executable is normal.
- The evaluation unit is further specifically configured to:
- multiply the evaluation statistic of each piece of analysis information of the sample file by the comprehensive evaluation weight corresponding to that piece of analysis information, accumulate the products, and use the accumulated result as the comprehensive evaluation of the sample file.
- The determining unit is specifically configured to:
- sort the sample files in descending order of priority to determine the inspection priority of each sample file.
- The apparatus further includes a receiving and saving unit, configured to receive the analysis information of the sample files before the comprehensive evaluation is performed, and to distinguish and save the analysis information of each sample file separately.
- The receiving and saving unit is specifically configured to, before the comprehensive evaluation is performed:
- save the analysis information of a newly added sample file under a preset file identifier;
- save the analysis information of an existing sample file under the file identifier of that sample file;
- and, when a sample file is deleted, delete its analysis information and the records related to that analysis information.
- The determining unit is specifically configured to sort the sample files, based on the file identifiers, according to the results of the comprehensive evaluation of all sample files.
- The apparatus further includes a first deleting unit, configured to delete, from the sort order sent to the dynamic analysis engine, the sample files whose comprehensive evaluation is below a preset evaluation threshold;
- here the comprehensive evaluation value is proportional to the inspection priority.
- The apparatus further includes a second deleting unit, configured to
- delete, from the sort order sent to the dynamic analysis engine, the sample files sorted after a load threshold;
- here the sample files are sorted in descending order of inspection priority.
- The apparatus further includes a first period cleaning unit, configured to process, according to a first preset period, the related information in the sort order of the sample files whose dynamic analysis has been completed.
- The apparatus further includes a second period cleaning unit, configured to clean up, according to a second preset period, the analysis results of the sample files whose dynamic analysis has been completed.
- The present application further provides a dynamic engine device for implementing sample analysis, including: a receiving unit, a configuration unit and an analysing unit; wherein
- the receiving unit is configured to receive the sample files sorted according to the comprehensive evaluation;
- the configuration unit is configured to configure the dynamic engine configuration parameters of each sample file according to a received external command or according to a preset configuration policy;
- the analysing unit is configured to perform dynamic analysis on each sample file according to the configured dynamic engine configuration parameters.
- A storage medium is also provided, arranged to store program code for performing the steps of the method described above.
- The technical solution of the present application includes: comprehensively evaluating one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy; sorting the sample files according to the results of the comprehensive evaluation of all sample files, to determine the inspection priority of each sample file; and sending the sample files to the dynamic analysis engine for dynamic analysis according to the sort order of the sample files.
- The method of the invention comprehensively evaluates each sample file from the analysis information of the sample file and performs dynamic analysis in the order of the comprehensive evaluation results, which reduces the occupation of the dynamic engine device by low-threat sample files and improves the efficiency of effective sample detection.
- Figure 1 is a schematic flow chart of the analysis of existing sample files.
- FIG. 2 is a flowchart of a method for implementing sample file analysis according to an embodiment of the present invention.
- FIG. 3 is a structural block diagram of an apparatus for implementing sample analysis according to an embodiment of the present invention.
- FIG. 4 is a structural block diagram of a dynamic engine device for implementing sample analysis according to an embodiment of the present invention.
- FIG. 5 is a flowchart of the method of an application example of the present invention.
- FIG. 2 is a flowchart of a method for implementing sample file analysis according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
- Step 200: perform a comprehensive evaluation of one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy.
- The sample files of the embodiment are sample files from the front end;
- the front end includes: one or more static engine devices, and/or a web (WEB) end, and/or another server that analyses sample files and outputs analysis information.
- The preset evaluation strategy includes:
- separately evaluating and counting each piece of analysis information of the sample file;
- determining the comprehensive evaluation of each sample file from the evaluation results of its pieces of analysis information.
- The analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable is normal, and/or, when the sample file is an executable file, whether the load address of the executable is normal.
- The evaluation value corresponding to each analysis parameter can be set from experience by those skilled in the art. The inspection priority can be determined by the file priority of the sample file or by the threat level of the sample file. For example, let a high evaluation value indicate a high threat level. A packed sample file is more threatening than an unpacked one, so the evaluation value is set to 1 when the sample file is packed and to 0 when it is unpacked. Similarly, a sample file that is a trusted vendor version has a low threat level and its evaluation value can be set to 0, while one that is not a trusted vendor version has a high threat level and its evaluation value can be set to 1; when the sample file is an executable whose entropy is normal, the threat level is low and the evaluation value can be set to 0, while abnormal entropy indicates a high threat level and the evaluation value can be set to 1; when the sample file is an executable whose load address is normal, the threat level is low and the evaluation value can be set to 0, while an abnormal load address indicates a high threat level and the evaluation value can be set to 1. The evaluation values of different analysis parameters may also differ in magnitude; for example, a packed sample file has a high threat level and is given the evaluation value 1.
- The embodiment may also perform the comprehensive evaluation using the priority level of the file type of the sample file, that is, the evaluation value of the file type of the sample file is used as the basis of the priority level.
- Determining the comprehensive evaluation of each sample file includes: multiplying the evaluation statistic of each piece of analysis information by the comprehensive evaluation weight corresponding to that piece of analysis information, accumulating the products, and using the accumulated result as the comprehensive evaluation of the sample file.
- The comprehensive evaluation weight of each piece of analysis information can be determined according to how detailed the analysis parameters it contains are, and how strongly those parameters correlate with the threat level: the more detailed the analysis parameters, the higher the comprehensive evaluation weight; the stronger the correlation between a parameter and the threat level, the higher the comprehensive evaluation weight. The specific weights can be set according to the actual situation.
- Step 201: sort the sample files according to the results of the comprehensive evaluation of all sample files, to determine the inspection priority of each sample file.
- Sorting the sample files includes:
- sorting the sample files in order of priority from highest to lowest according to the priority of each sample file.
- Step 202: send the sample files to the dynamic analysis engine for dynamic analysis according to the sort order of the sample files.
- The method of the embodiment further includes one of the following:
- the dynamic engine device receives an external command, configures the dynamic engine configuration parameters of each sample file according to the received external command, and performs dynamic analysis on each sample file according to the configured dynamic engine configuration parameters;
- or the dynamic engine device configures the dynamic engine configuration parameters of each sample file according to a preset configuration policy, and performs dynamic analysis of each sample file according to the configured dynamic engine configuration parameters.
- A high comprehensive evaluation value means that the sample file has a high priority for being sent for inspection. For a high-priority sample file, the analysis duration in the dynamic engine configuration parameters is longer than that of a lower-priority sample file, and more analysis environments are configured than for a lower-priority sample file. A longer analysis duration and more analysis environments strengthen the detection of the sample file and help determine whether it contains malicious content. The preset configuration policy or the external command configures the analysis duration and the analysis environment on this basis.
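Steps 200 to 202 above, and the weighting rule of the FIG. 5 application example (weight grows with the number of analysis parameters a piece of analysis information carries), as one runnable example. This is added code, not code from the patent or from any product implementing it. The 0/1 evaluation values follow the text; the file-type value table (`FILE_TYPE_VALUE`), the environment names (`ENVIRONMENTS`), the three-tier duration/environment mapping in `engine_configuration`, and the constructed sample data are assumptions made here for illustration.

```python
"""Comprehensive evaluation, sorting and dynamic-engine configuration of sample files.

Added example, not code from the patent. Evaluation values follow the 0/1
convention the text gives (1 = higher-threat outcome). The file-type value
table, the weight rule and the duration/environment mapping are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Evaluation value per file type (assumed; the text only says file type is a
# parameter whose evaluation value can serve as a priority level).
FILE_TYPE_VALUE: Dict[str, float] = {"exe": 1.0, "dll": 1.0, "doc": 0.8, "pdf": 0.8, "txt": 0.1}

# Analysis environments the dynamic engine can offer (assumed names).
ENVIRONMENTS: List[str] = ["win7_office2010", "win10_office2016", "win10_browser"]


@dataclass
class AnalysisInfo:
    """Analysis information for one sample file from one front-end device.

    None means the front end did not report that parameter; the executable-only
    parameters are simply left as None for non-executables.
    """
    source: str                                   # e.g. "static_engine_1" (hypothetical)
    packed: Optional[bool] = None
    trusted_vendor: Optional[bool] = None
    file_type: Optional[str] = None
    entropy_normal: Optional[bool] = None         # executables only
    load_address_normal: Optional[bool] = None    # executables only

    def parameter_values(self) -> List[float]:
        """Evaluation value of every parameter that was actually reported."""
        values: List[float] = []
        if self.packed is not None:
            values.append(1.0 if self.packed else 0.0)
        if self.trusted_vendor is not None:
            values.append(0.0 if self.trusted_vendor else 1.0)
        if self.file_type is not None:
            values.append(FILE_TYPE_VALUE.get(self.file_type.lower(), 0.5))
        if self.entropy_normal is not None:
            values.append(0.0 if self.entropy_normal else 1.0)
        if self.load_address_normal is not None:
            values.append(0.0 if self.load_address_normal else 1.0)
        return values

    def evaluation_statistic(self) -> float:
        """Evaluation statistic of this piece of analysis information: the sum of its values."""
        return sum(self.parameter_values())

    def weight(self) -> float:
        """Comprehensive evaluation weight: grows with the number of reported parameters
        (the rule stated for the FIG. 5 application example)."""
        return float(len(self.parameter_values()))


def comprehensive_evaluation(infos: List[AnalysisInfo]) -> float:
    """Step 200: multiply each statistic by its weight and accumulate."""
    return sum(info.evaluation_statistic() * info.weight() for info in infos)


def sort_by_priority(samples: Dict[str, List[AnalysisInfo]]) -> List[Tuple[str, float]]:
    """Step 201: (file identifier, evaluation) pairs, highest evaluation first.
    Ties are broken by identifier so the order the engine sees is deterministic."""
    scored = [(fid, comprehensive_evaluation(infos)) for fid, infos in samples.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def engine_configuration(rank: int, total: int, base_seconds: int = 60) -> Dict[str, object]:
    """Dynamic engine configuration parameters for the sample at position `rank`
    (0 = highest priority) of `total`: the top third gets the longest analysis
    duration and every environment, the bottom third the shortest and one.
    Three tiers with linear scaling is an assumption, not the patent's rule."""
    tiers = 3
    tier = min(tiers - 1, rank * tiers // max(total, 1))
    return {
        "analysis_seconds": base_seconds * (tiers - tier),
        "environments": ENVIRONMENTS[: tiers - tier],
    }


# Constructed sample data: three files as reported by hypothetical front ends.
SAMPLES: Dict[str, List[AnalysisInfo]] = {
    "f001": [AnalysisInfo("static_engine_1", packed=True, trusted_vendor=False,
                          file_type="exe", entropy_normal=False, load_address_normal=False)],
    "f002": [AnalysisInfo("static_engine_1", packed=False, trusted_vendor=True,
                          file_type="exe", entropy_normal=True, load_address_normal=True)],
    "f003": [AnalysisInfo("web_end", file_type="doc"),
             AnalysisInfo("static_engine_2", packed=True, trusted_vendor=False)],
}


def dispatch_plan(samples: Dict[str, List[AnalysisInfo]]) -> List[Tuple[str, float, Dict[str, object]]]:
    """Step 202: the order sent to the dynamic engine, with each file's configuration."""
    ordered = sort_by_priority(samples)
    return [(fid, score, engine_configuration(rank, len(ordered)))
            for rank, (fid, score) in enumerate(ordered)]


if __name__ == "__main__":
    for fid, score, cfg in dispatch_plan(SAMPLES):
        print(f"{fid}: evaluation={score:.1f} config={cfg}")
```

With the constructed data, `f001` (packed, untrusted, abnormal entropy and load address) scores 25, the clean executable `f002` scores 5, and the document `f003`, whose two pieces of analysis information carry one and two parameters respectively, scores 4.8; the top-ranked file gets the longest run and all three environments. Because the weight is the parameter count, a front end that reports more parameters dominates the sum, which is the behaviour the application example asks for but also means a sparse but decisive signal from another front end can be outweighed; the weight rule is the place to adjust that.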
- The method of the embodiment further includes, before the comprehensive evaluation:
- receiving the analysis information of the sample files, and distinguishing and saving the analysis information of each sample file separately.
- Distinguishing and saving the analysis information of each sample file includes:
- saving the analysis information of a newly added sample file under a preset file identifier;
- saving the analysis information of an existing sample file under the file identifier of that sample file.
- Sorting all sample files specifically includes:
- sorting the sample files, based on the file identifiers, according to the results of the comprehensive evaluation of all sample files.
- The method further includes: deleting, from the sort order sent to the dynamic analysis engine, the sample files whose comprehensive evaluation is below a preset evaluation threshold;
- here the comprehensive evaluation value is directly proportional to the inspection priority.
- The size of the evaluation threshold is determined according to the real-time analysis capability of the dynamic engine device. If the analysis capability of the dynamic engine device is sufficient to analyse all sample files, the evaluation threshold can be set small enough that nothing is removed. The purpose of the evaluation threshold is to delete the sample files that the dynamic engine device cannot analyse within its real-time requirements, and so to avoid the accumulation of sample files. In addition, if the comprehensive evaluation value is defined to be inversely proportional to the inspection priority, then during sorting it is the sample files whose comprehensive evaluation is larger than the correspondingly redefined evaluation threshold that are deleted.
- The method further includes: deleting, from the sort order sent to the dynamic analysis engine, the sample files that are sorted after a load threshold;
- here the sample files are sorted in descending order of priority.
- The size of the load threshold is determined according to the real-time analysis capability of the dynamic engine device.
- The load threshold is set so as to delete the sample files that the dynamic engine device cannot analyse within its real-time requirements, and to avoid the accumulation of sample files.
- The method of the embodiment further includes: according to a first preset period, processing the related information, in the sort order of the sample files, of the sample files whose dynamic analysis has been completed.
- The first preset period is determined by the memory size and the analysis capability of the dynamic engine device: the larger the memory, the larger the first preset period; the stronger the analysis capability of the dynamic engine device, the smaller the first preset period.
- The specific setting can be determined by those skilled in the art according to the actual memory size and analysis capability of the dynamic engine device.
- The method of the embodiment further includes: according to a second preset period, cleaning up the analysis results of the sample files whose dynamic analysis has been completed.
- The specific size of the second preset period can be determined by those skilled in the art according to actual analysis.
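The bookkeeping described above (saving analysis information under a file identifier, deleting a file's records, the evaluation threshold, the load threshold, and the two periodic clean-ups) as one runnable queue, added here as an example; it is not code from the patent. Using SHA-256 of the file content as the preset file identifier, the explicit `now` clock argument, and the concrete threshold and period values in the demonstration are assumptions made here. Evaluations are passed in as already-computed numbers so this block does not repeat the scoring.

```python
"""Queue maintenance between the evaluating apparatus and the dynamic engine.

Added example, not code from the patent. SHA-256 of the content as the preset
file identifier, the explicit clock argument and the demo values are assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


def file_identifier(content: bytes) -> str:
    """Preset file identifier: SHA-256 of the content, so a re-submitted file
    maps to the identifier it already has (assumed scheme)."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class SampleQueue:
    evaluation_threshold: float   # files evaluated below this are dropped from the sort
    load_threshold: int           # at most this many files are handed to the engine
    first_period: float           # seconds between purges of finished files from the sort
    second_period: float          # seconds between purges of stored analysis results
    analysis_info: Dict[str, List[dict]] = field(default_factory=dict)
    evaluations: Dict[str, float] = field(default_factory=dict)
    finished: Dict[str, float] = field(default_factory=dict)   # fid -> completion time
    results: Dict[str, dict] = field(default_factory=dict)     # fid -> analysis result
    last_first_clean: float = 0.0
    last_second_clean: float = 0.0

    def save_analysis_info(self, content: bytes, info: dict) -> str:
        """New file: save under a fresh identifier. Known file: append under its identifier."""
        fid = file_identifier(content)
        self.analysis_info.setdefault(fid, []).append(info)
        return fid

    def delete_sample(self, fid: str) -> None:
        """Delete the analysis information and every record related to it."""
        for table in (self.analysis_info, self.evaluations, self.finished, self.results):
            table.pop(fid, None)

    def set_evaluation(self, fid: str, value: float) -> None:
        self.evaluations[fid] = value

    def dispatch_order(self) -> List[str]:
        """Sort pending files by evaluation (highest first), drop those below the
        evaluation threshold, then drop those sorted after the load threshold.
        Dropped files are deleted from the sort, as the text describes."""
        pending = [f for f in self.evaluations if f not in self.finished]
        ordered = sorted(pending, key=lambda f: (-self.evaluations[f], f))
        below = [f for f in ordered if self.evaluations[f] < self.evaluation_threshold]
        kept = [f for f in ordered if f not in below]
        overflow = kept[self.load_threshold:]
        for fid in below + overflow:
            self.delete_sample(fid)
        return kept[: self.load_threshold]

    def mark_done(self, fid: str, result: dict, now: float) -> None:
        """Record that the dynamic engine finished this file."""
        self.finished[fid] = now
        self.results[fid] = result

    def tick(self, now: float) -> None:
        """Run the two periodic clean-ups when their periods have elapsed.
        First period: remove finished files' related information from the sort.
        Second period: discard the stored analysis results."""
        if now - self.last_first_clean >= self.first_period:
            for fid in list(self.finished):
                self.evaluations.pop(fid, None)
                self.analysis_info.pop(fid, None)
                self.finished.pop(fid)
            self.last_first_clean = now
        if now - self.last_second_clean >= self.second_period:
            self.results.clear()
            self.last_second_clean = now


if __name__ == "__main__":
    # Constructed walk-through: four files, assumed thresholds and periods.
    q = SampleQueue(evaluation_threshold=2.0, load_threshold=2,
                    first_period=60.0, second_period=3600.0)
    ids = [q.save_analysis_info(s, {"packed": s in (b"A", b"C")}) for s in (b"A", b"B", b"C", b"D")]
    for fid, value in zip(ids, (25.0, 5.0, 4.8, 1.0)):
        q.set_evaluation(fid, value)
    print("sent to engine:", q.dispatch_order())   # the two highest; one below threshold, one over load
```

Two points worth noticing when running it: a finished file is excluded from the sort immediately, while its records are only purged on the first-period tick, so the engine never sees the same file twice between ticks; and the second-period purge only touches stored results, so shortening it cannot put a file back into the queue. Hashing the content for the identifier also makes the "existing file" branch automatic: a second front end reporting on the same bytes appends to the same entry rather than creating a duplicate.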
- FIG. 3 is a structural block diagram of an apparatus for implementing sample analysis according to an embodiment of the present invention. As shown in FIG. 3, the apparatus includes: an evaluation unit, a determining unit and a sending unit; wherein
- the evaluation unit is configured to perform a comprehensive evaluation of one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy; here the sample files are sample files from the front end;
- the front end includes: one or more static engine devices, and/or a web (WEB) end, and/or another server that analyses sample files and outputs analysis information.
- The evaluation unit is specifically configured to:
- separately evaluate and count each piece of analysis information of the sample file;
- determine the comprehensive evaluation of each sample file from the evaluation results of its pieces of analysis information;
- the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable is normal, and/or, when the sample file is an executable file, whether the load address of the executable is normal.
- The evaluation unit is further specifically configured to:
- multiply the evaluation statistic of each piece of analysis information of the sample file by the comprehensive evaluation weight of that piece of analysis information, accumulate the products, and use the accumulated result as the comprehensive evaluation of the sample file.
- The determining unit is configured to sort the sample files according to the results of the comprehensive evaluation of all sample files, to determine the inspection priority of each sample file.
- The determining unit is specifically configured to determine the priority level of each sample file according to its comprehensive evaluation value, and to sort the sample files in order of priority from highest to lowest.
- The sending unit is configured to send the sample files to the dynamic analysis engine for dynamic analysis according to the sort order of the sample files.
- The apparatus further includes a generating configuration unit, configured to generate, before the dynamic analysis, the dynamic engine configuration parameters of each sample file according to the sending priority of each sample file, and to send them to the dynamic engine device, so that the dynamic engine device performs dynamic analysis on each sample file according to the dynamic engine configuration parameters.
- The apparatus of the embodiment further includes a receiving and saving unit, configured to receive the analysis information of the sample files before the comprehensive evaluation is performed, and to distinguish and save the analysis information of each sample file separately.
- The receiving and saving unit is specifically configured to, before the comprehensive evaluation is performed:
- save the analysis information of a newly added sample file under a preset file identifier;
- save the analysis information of an existing sample file under the file identifier of that sample file.
- The apparatus further includes a first deleting unit, configured to delete, from the sort order sent to the dynamic analysis engine, the sample files whose comprehensive evaluation is below a preset evaluation threshold;
- here the comprehensive evaluation value is directly proportional to the inspection priority.
- The apparatus further includes a second deleting unit, configured to delete, from the sort order sent to the dynamic analysis engine, the sample files sorted after a load threshold;
- here the sample files are sorted in descending order of priority.
- The apparatus of the embodiment further includes a first period cleaning unit, configured to process, according to a first preset period, the related information in the sort order of the sample files whose dynamic analysis has been completed.
- The apparatus of the embodiment further includes a second period cleaning unit, configured to clean up, according to a second preset period, the analysis results of the sample files whose dynamic analysis has been completed.
- The apparatus of the embodiment may exist independently and communicate with the dynamic engine device, or may be integrated directly into the dynamic analysis engine.
- FIG. 4 is a structural block diagram of a dynamic engine device for implementing sample analysis according to an embodiment of the present invention. As shown in FIG. 4, the device includes: a receiving unit, a configuration unit and an analysing unit; wherein
- the receiving unit is configured to receive the sample files sorted according to the comprehensive evaluation;
- the configuration unit is configured to configure the dynamic engine configuration parameters of each sample file according to a received external command or according to a preset configuration policy;
- the analysing unit is configured to perform dynamic analysis on each sample file according to the configured dynamic engine configuration parameters.
- in this application example the submission priority is determined by threat level, and it is assumed that a high evaluation value of an analysis parameter indicates a high threat level; accordingly, when the comprehensive evaluation value of the analysis information is high the threat level is high, and when the comprehensive evaluation value of the sample file is low the threat level is low;
- when computing the comprehensive evaluation, the comprehensive evaluation weight of each piece of analysis information is set according to the number of kinds of analysis parameters it contains; that is, the more analysis parameters a piece of analysis information contains, the larger its comprehensive evaluation weight;
- the method flow of this application example, as shown in FIG. 5, includes:
- Step 500: receive the analysis information of the sample files, and save the analysis information of each sample file separately.
- saving the analysis information of each sample file separately includes:
- when the received analysis information belongs to a newly added sample file, saving it under a preset file identifier;
- when the received analysis information belongs to an existing sample file and comes from a different front end, saving it under the file identifier of the existing sample file;
- when the received analysis information is abnormal or times out, deleting the analysis information and its related records.
- the sample files come from a front end; the front end includes: one or more static engine devices, and/or a web page (WEB) end, and/or another server that analyzes sample files and outputs analysis information.
- each sample file is comprehensively evaluated according to a preset evaluation strategy over the one or more pieces of analysis information it contains;
- the preset evaluation strategy includes:
- the evaluation statistic of each piece of analysis information of the sample file is multiplied by the comprehensive evaluation weight of that piece of analysis information, the products are accumulated, and the accumulated result is taken as the comprehensive evaluation of the sample file.
- the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable file is normal, and/or, when the sample file is an executable file, whether the load address of the executable file is normal.
- this application example sets: when the sample file is packed, the threat level is high and the evaluation value is 1; when the sample file is not packed, the threat level is low and the evaluation value is 0; when the sample file is a trusted vendor version, the threat level is low and the evaluation value is set to 0; when the sample file is not a trusted vendor version, the threat level is high and the evaluation value is set to 1; when the sample file is an executable file and its entropy is normal, the threat level is low and the evaluation value is 0; when the sample file is an executable file and its entropy is abnormal, the threat level is high and the evaluation value is set to 1; when the sample file is an executable file and its load address is normal, the threat level is low and the evaluation value is 0; when the sample file is an executable file and its load address is abnormal, the threat level is high and the evaluation value is set to 1.
- the evaluation values of different analysis parameters in the application example may differ. For example, when the sample file is packed, indicating a high threat level, the evaluation value 1 may be used; when the sample file is not a trusted vendor version, the threat level is also high, but it may be represented by an evaluation value different from the packed case, for example 1.2.
- Step 502: sort the sample files according to the results of the comprehensive evaluation of all sample files; here, the submission priority of each sample file is determined by the order of the comprehensive evaluation;
- in this application example a high comprehensive evaluation value indicates a high threat level, so sorting by comprehensive evaluation value from high to low means sorting the sample files by threat level from high to low, and the corresponding submission priority also runs from high to low;
- in this application example, the comprehensive evaluation values of the sample files can be sorted on the basis of the file identifier, and the sorting can be performed by recording the file identifier and the score in a database.
- Step 503: when the comprehensive evaluation value of a sample file is less than a preset evaluation threshold, delete the sample file from the order sent to the dynamic analysis engine;
- the evaluation threshold is determined according to the real-time analysis capability of the dynamic engine device. If the analysis capability of the dynamic engine device is sufficient to analyze all sample files, the evaluation threshold can be set small enough; the evaluation threshold exists to delete the sample files for which the dynamic engine device cannot meet the real-time analysis requirement, so that sample files do not pile up. In addition, when the comprehensive score is inversely proportional to the threat level, the sample files whose comprehensive score is greater than a separately defined evaluation threshold are the ones deleted from the order.
- Step 504: when the number of sorted sample files is greater than a preset load threshold, delete the sample files ranked after the load threshold from the order sent to the dynamic analysis engine.
- here the sample files are sorted in descending order of threat level, that is, in descending order of submission priority.
- the load threshold is determined according to the real-time analysis capability of the dynamic engine device.
- the load threshold is set so as to delete the sample files for which the dynamic engine device cannot meet the real-time analysis requirement, avoiding the accumulation of sample files.
- Step 505: generate the dynamic engine configuration parameters of each sample file according to its submission priority and send them to the dynamic engine device.
- the dynamic engine configuration parameters include: the analysis duration and the analysis environment used by the dynamic engine device for each sample file.
- Step 506: send the sample files to the dynamic analysis engine for dynamic analysis according to the sorting of the sample files.
- The method of this application example also includes:
- according to a first preset period, processing the related information of the sample files in the sorted list whose dynamic engine analysis has been completed;
- according to a second preset period, cleaning up the analysis results of the sample files whose dynamic engine analysis has been completed.
- With the solution of the embodiment of the present invention, one or more pieces of analysis information corresponding to each sample file are comprehensively evaluated according to a preset evaluation strategy; the sample files are sorted according to the results of the comprehensive evaluation of all sample files to determine the submission priority of each sample file; and the sample files are sent to the dynamic analysis engine for dynamic analysis according to that sorting.
- The method of the invention comprehensively evaluates each sample file through its analysis information and performs dynamic analysis in the order of the comprehensive evaluation results, which reduces the occupation of the dynamic engine device by low-threat sample files and improves the efficiency of effective sample detection.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Computing Systems (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Automatic Analysis And Handling Materials Therefor (AREA)
Abstract
The present invention discloses a method and apparatus for implementing sample analysis and a dynamic engine device, including: comprehensively evaluating one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy; sorting the sample files according to the results of the comprehensive evaluation of all sample files, to determine the submission priority of each sample file; and sending the sample files to a dynamic analysis engine for dynamic analysis according to the sorting of the sample files. The method of the present invention comprehensively evaluates each sample file through its analysis information and performs dynamic analysis in the order of the comprehensive evaluation results, which reduces the occupation of the dynamic engine device by low-threat sample files and improves the efficiency of effective sample detection.
Description
The present invention relates to the field of security analysis, and in particular to a method and apparatus for implementing sample analysis and a dynamic engine device.
Major network security incidents such as Operation Aurora, Stuxnet, Night Dragon and the theft of RSA token seeds (RSA was proposed in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman and first published in 1987, when all three were working at the Massachusetts Institute of Technology; the name RSA is formed from the initial letters of their three surnames) brought into public view a type of attack characterized by advanced techniques, long duration and clearly defined targets, known internationally as the Advanced Persistent Threat (APT). APT not only uses traditional viruses and Trojans as attack means, but also conducts a "preliminary attack" through social engineering such as e-mail, sending users carefully constructed malicious files that use 0day vulnerabilities (0day refers to rapidly "unlocking" in the shortest possible time and releasing on the Internet; its real meaning is "immediate release"). Once a user opens the malicious file, the vulnerability is triggered, the attack code is injected into the user's system, and the subsequent download of other viruses, Trojan operations and the like follow, for long-term covert operation. Traditional firewalls, enterprise antivirus software and the like have very limited ability to detect and defend against such malicious files or malicious file code that have no signature.
APT attack detection and defense technology is a research hotspot of next-generation network security; the detection methods used for APT attacks mainly include static engine analysis, dynamic engine analysis, and analysis that includes both a static engine and a dynamic engine. To achieve effective sample detection, analysis including both a static engine and a dynamic engine has been widely applied. In general, sample detection is performed by static engine analysis first and dynamic engine analysis afterwards: during static engine analysis, if a sample anomaly is detected, real-time protection can be applied on the basis of the detected anomaly, while samples in which no anomaly is found are subjected to anomaly detection by dynamic engine analysis; the combination of the two analyses confirms the threat level of the sample and improves the effectiveness of sample detection. FIG. 1 is a schematic diagram of the existing flow of sample file analysis. As shown in FIG. 1, network traffic entering and leaving the network is converted into mirrored traffic by bypass mirroring and exported to a sample collection device, which parses the mirrored traffic and extracts sample files. The extracted sample files are sent to a static engine device, which performs static analysis, specifically: each sample file is matched against the device's own signature library, and a static analysis report is output for sample files found to be abnormal; sample files in which no anomaly is detected are sent to a dynamic engine device for dynamic analysis. Specifically, after receiving a sample file, the dynamic engine device operates the sample file in an independent and protected virtual analysis system that simulates the real environment and user behavior; if the sample file is a malicious file, attack behaviors such as vulnerability exploitation, file dropping and system modification can be recognized from the operations of the malicious file, thereby detecting the APT attack.
In analysis methods that include both static analysis and dynamic analysis, the analysis by the static engine device can effectively detect threatening samples and thus reduce the number of samples sent to the dynamic engine device; however, the number of samples sent to the dynamic engine device after static engine analysis is still very large. Without expanding the performance of the dynamic engine device, its resources are easily occupied by the detection of large numbers of low-threat samples, which lowers the efficiency of effective sample detection and prevents fast detection of high-threat samples; in addition, as time goes on, the detection speed of the dynamic engine device cannot keep up with the sample files that pile up ever higher during sample detection.
Summary of the Invention
To solve the above technical problem, the present invention provides a method and apparatus for implementing sample analysis and a dynamic engine device, which can improve the efficiency of effective sample detection.
To achieve the object of the present invention, the present invention provides a method for implementing sample analysis, including: for all sample files,
comprehensively evaluating one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy;
sorting the sample files according to the results of the comprehensive evaluation of all sample files, to determine the submission priority of each sample file;
sending the sample files to a dynamic analysis engine for dynamic analysis according to the sorting of the sample files.
Optionally, before the dynamic analysis, the method further includes:
generating the dynamic engine configuration parameters of each sample file according to its submission priority and sending them to the dynamic engine device, so that the dynamic engine device performs dynamic analysis of each sample file according to the dynamic engine configuration parameters; or,
the dynamic engine device receiving an external instruction, configuring the dynamic engine configuration parameters of each sample file according to the received external instruction, and performing dynamic engine analysis of each sample file according to the configured dynamic engine configuration parameters; or,
the dynamic engine device configuring the dynamic engine configuration parameters of each sample file according to a preset configuration policy, and performing dynamic analysis of each sample file according to the configured dynamic engine configuration parameters.
Optionally, the sample files are sample files from a front end;
the front end includes: one or more static engine devices, and/or a web page (WEB) end, and/or another server that analyzes sample files and outputs analysis information.
Optionally, the preset evaluation strategy includes:
setting a corresponding evaluation value for each analysis parameter in the analysis information;
performing evaluation statistics on each piece of analysis information contained in the sample file according to the set evaluation values of the analysis parameters;
determining the comprehensive evaluation of each sample file from the evaluation statistics of each piece of analysis information.
Optionally, the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable file is normal, and/or, when the sample file is an executable file, whether the load address of the executable file is normal.
Optionally, determining the comprehensive evaluation of each sample file includes:
for each sample file, presetting the comprehensive evaluation weight corresponding to the evaluation statistic of each piece of analysis information in the sample information;
multiplying the evaluation statistic of each piece of analysis information of the sample file by the corresponding comprehensive evaluation weight, accumulating the products, and taking the accumulated result as the comprehensive evaluation of the sample file.
Optionally, sorting the sample files includes:
determining the priority of each sample file according to the magnitude of its comprehensive evaluation value;
sorting the sample files in order of priority from high to low according to the priority of each sample file.
Optionally, before the comprehensive evaluation, the method further includes:
receiving the analysis information of the sample files, and saving the analysis information of each sample file separately.
Optionally, saving the analysis information of each sample file separately includes:
when the received analysis information is analysis information of a newly added sample file, saving the analysis information of the newly added sample file under a preset file identifier;
when the received analysis information is analysis information of an existing sample file from a different front end, saving the analysis information under the file identifier of the existing sample file;
when the received analysis information is abnormal or times out, deleting the analysis information and its related records.
Optionally, sorting all sample files specifically includes:
sorting the sample files according to the results of the comprehensive evaluation of all sample files on the basis of the file identifier.
Optionally, the method further includes:
when the comprehensive evaluation value of a sample file is less than a preset evaluation threshold, deleting the sample file from the order sent to the dynamic analysis engine;
the comprehensive evaluation value being directly proportional to the submission priority.
Optionally, the method further includes:
when the number of sorted sample files is greater than a preset load threshold, deleting the sample files ranked after the load threshold from the order sent to the dynamic analysis engine;
the sample files being sorted in order of submission priority from high to low.
The method further includes: processing, according to a first preset period, the related information of the sample files in the sorted list whose dynamic analysis has been completed.
Optionally, the method further includes: cleaning up, according to a second preset period, the analysis results of the sample files whose dynamic analysis has been completed.
Optionally, the dynamic engine configuration parameters include: the analysis duration and the analysis environment used by the dynamic engine device for each sample file.
In another aspect, the present application further provides an apparatus for implementing sample analysis, including: an evaluation unit, a determination unit and a submission unit; wherein
the evaluation unit is configured to comprehensively evaluate one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy;
the determination unit is configured to sort the sample files according to the results of the comprehensive evaluation of all sample files, to determine the submission priority of each sample file;
the submission unit is configured to send the sample files to the dynamic analysis engine for dynamic analysis according to the sorting of the sample files.
Optionally, the apparatus further includes a configuration generation unit configured to, before the dynamic analysis, generate the dynamic engine configuration parameters of each sample file according to its submission priority and send them to the dynamic engine device, so that the dynamic engine device performs dynamic analysis of each sample file according to the dynamic engine configuration parameters;
the dynamic engine configuration parameters include: the analysis duration and the analysis environment used by the dynamic engine device for each sample file.
Optionally, the sample files are sample files from a front end;
the front end includes: one or more static engine devices, and/or a web page (WEB) end, and/or another server that analyzes sample files and outputs analysis information.
Optionally, the evaluation unit is specifically configured to:
set a corresponding evaluation value for each analysis parameter in the analysis information;
perform evaluation statistics on each piece of analysis information contained in the sample file according to the set evaluation values of the analysis parameters,
and determine the comprehensive evaluation of each sample file from the evaluation statistics of each piece of analysis information;
the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable file is normal, and/or, when the sample file is an executable file, whether the load address of the executable file is normal.
Optionally, the evaluation unit is specifically configured to:
set a corresponding evaluation value for each analysis parameter in the analysis information;
perform evaluation statistics on each piece of analysis information contained in the sample file according to the set evaluation values of the analysis parameters,
for each sample file, preset the comprehensive evaluation weight corresponding to the evaluation statistic of each piece of analysis information in the sample information;
and multiply the evaluation statistic of each piece of analysis information of the sample file by the corresponding comprehensive evaluation weight, accumulate the products, and take the accumulated result as the comprehensive evaluation of the sample file.
Optionally, the determination unit is specifically configured to:
determine the priority of each sample file according to the magnitude of its comprehensive evaluation value;
sort the sample files in order of priority from high to low according to the priority of each sample file, to determine the submission priority of each sample file.
Optionally, the apparatus further includes a receiving and saving unit configured to, before the comprehensive evaluation, receive the analysis information of the sample files and save the analysis information of each sample file separately.
Optionally, the receiving and saving unit is specifically configured to, before the comprehensive evaluation:
when the received analysis information is analysis information of a newly added sample file, save the analysis information of the newly added sample file under a preset file identifier;
when the received analysis information is analysis information of an existing sample file from a different front end, save the analysis information under the file identifier of the existing sample file;
when the received analysis information is abnormal or times out, delete the analysis information and its related records.
Optionally, the determination unit is specifically configured to sort the sample files according to the results of the comprehensive evaluation of all sample files on the basis of the file identifier.
Optionally, the apparatus further includes a first deletion unit configured to:
when the comprehensive evaluation value of a sample file is less than a preset evaluation threshold, delete the sample file from the order sent to the dynamic analysis engine;
the comprehensive evaluation value being directly proportional to the submission priority.
Optionally, the apparatus further includes a second deletion unit configured to:
when the number of sorted sample files is greater than a preset load threshold, delete the sample files ranked after the load threshold from the order sent to the dynamic analysis engine;
the sample files being sorted in order of submission priority from high to low.
The apparatus further includes a first period cleaning unit configured to process, according to a first preset period, the related information of the sample files in the sorted list whose dynamic analysis has been completed.
Optionally, the apparatus further includes a second period cleaning unit configured to clean up, according to a second preset period, the analysis results of the sample files whose dynamic analysis has been completed.
In yet another aspect, the present application further provides a dynamic engine device for implementing sample analysis, including: a receiving unit, a configuration unit and an analysis unit; wherein
the receiving unit is configured to receive sample files sorted according to the comprehensive evaluation;
the configuration unit is configured to configure the dynamic engine configuration parameters of each sample file according to a received external instruction or a preset configuration policy;
the analysis unit is configured to perform dynamic analysis of each sample file according to the configured dynamic engine configuration parameters.
According to yet another embodiment of the present invention, a storage medium is further provided. The storage medium is configured to store program code for executing the following steps:
comprehensively evaluating one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy; sorting the sample files according to the results of the comprehensive evaluation of all sample files, to determine the submission priority of each sample file; sending the sample files to a dynamic analysis engine for dynamic analysis according to the sorting of the sample files.
Optionally, the storage medium is further configured to store program code for executing the following steps:
generating the dynamic engine configuration parameters of each sample file according to its submission priority and sending them to the dynamic engine device, so that the dynamic engine device performs dynamic analysis of each sample file according to the dynamic engine configuration parameters; or, the dynamic engine device receiving an external instruction, configuring the dynamic engine configuration parameters of each sample file according to the received external instruction, and performing dynamic engine analysis of each sample file according to the configured dynamic engine configuration parameters; or, the dynamic engine device configuring the dynamic engine configuration parameters of each sample file according to a preset configuration policy, and performing dynamic analysis of each sample file according to the configured dynamic engine configuration parameters.
Compared with the prior art, the technical solution of the present application includes: comprehensively evaluating one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy; sorting the sample files according to the results of the comprehensive evaluation of all sample files, to determine the submission priority of each sample file; and sending the sample files to a dynamic analysis engine for dynamic analysis according to the sorting of the sample files. The method of the present invention comprehensively evaluates each sample file through its analysis information and performs dynamic analysis in the order of the comprehensive evaluation results, which reduces the occupation of the dynamic engine device by low-threat sample files and improves the efficiency of effective sample detection.
The accompanying drawings described here are provided for further understanding of the present invention and constitute a part of the present application; the illustrative embodiments of the present invention and their description are used to explain the present invention and do not constitute an undue limitation of it. In the drawings:
FIG. 1 is a schematic diagram of the existing flow of sample file analysis;
FIG. 2 is a flowchart of a method for implementing sample file analysis according to an embodiment of the present invention;
FIG. 3 is a structural block diagram of an apparatus for implementing sample analysis according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of a dynamic engine device for implementing sample analysis according to an embodiment of the present invention;
FIG. 5 is a flowchart of the method of the application example of the present invention.
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments of the present application and the features in the embodiments may be combined with one another arbitrarily.
FIG. 2 is a flowchart of a method for implementing sample file analysis according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
Step 200: comprehensively evaluating one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy.
Optionally, in the embodiment of the present invention the sample files are sample files from a front end;
the front end includes: one or more static engine devices, and/or a web page (WEB) end, and/or another server that analyzes sample files and outputs analysis information.
In this step, the preset evaluation strategy includes:
setting a corresponding evaluation value for each analysis parameter in the analysis information;
performing evaluation statistics on each piece of analysis information contained in the sample file according to the set evaluation values of the analysis parameters,
determining the comprehensive evaluation of each sample file from the evaluation statistics of each piece of analysis information.
Optionally, the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable file is normal, and/or, when the sample file is an executable file, whether the load address of the executable file is normal.
It should be noted that the evaluation value set for each analysis parameter can be determined from the experience and analysis of those skilled in the art; the submission priority can be determined by the file priority of the sample file or by the threat level of the sample file. For example, if a high threat level is represented by a high evaluation value, then a packed sample file has a higher threat level than an unpacked one, and on that basis the evaluation values of the analysis parameter "whether the sample file is packed" may be: sample file packed, evaluation value 1; sample file not packed, evaluation value 0. Likewise, when the sample file is a trusted vendor version, the threat level is low and the evaluation value may be set to 0; when the sample file is not a trusted vendor version, the threat level is high and the evaluation value may be set to 1; when the sample file is an executable file and its entropy is normal, the threat level is low and the evaluation value may be set to 0; when the sample file is an executable file and its entropy is abnormal, the threat level is high and the evaluation value may be set to 1; when the sample file is an executable file and its load address is normal, the threat level is low and the evaluation value may be set to 0; when the sample file is an executable file and its load address is abnormal, the threat level is high and the evaluation value may be set to 1. In addition, the evaluation values of different analysis parameters may differ: for example, when the sample file is packed, indicating a high threat level, the evaluation value 1 may be used; when the sample file is not a trusted vendor version, the threat level is also high, but it may be represented by an evaluation value different from the packed case, for example 1.2.
In addition, when the file type of the sample file is the only analysis parameter, the embodiment of the present invention may perform the comprehensive evaluation by the priority level of the file type of the sample file, that is, use the evaluation value of the file type of the sample file as the basis for judging the priority level.
Further, determining the comprehensive evaluation of each sample file includes:
for each sample file, presetting the comprehensive evaluation weight corresponding to the evaluation statistic of each piece of analysis information in the sample information;
multiplying the evaluation statistic of each piece of analysis information of the sample file by the corresponding comprehensive evaluation weight, accumulating the products, and taking the accumulated result as the comprehensive evaluation of the sample file.
It should be noted that the comprehensive evaluation weight of each piece of analysis information can be determined by analyzing how exhaustive the analysis parameters contained in the analysis information are and how strongly those analysis parameters correlate with the threat level: the more exhaustive the analysis parameters, the higher the comprehensive evaluation weight, and the stronger the correlation between the analysis parameters and the threat level, the higher the comprehensive evaluation weight. The specific values of the comprehensive evaluation weights can be set by those skilled in the art according to the actual situation.
Step 201: sorting the sample files according to the results of the comprehensive evaluation of all sample files, to determine the submission priority of each sample file;
Optionally, sorting the sample files includes:
determining the priority of each sample file according to the magnitude of its comprehensive evaluation value;
sorting the sample files in order of priority from high to low according to the priority of each sample file.
Step 202: sending the sample files to the dynamic analysis engine for dynamic analysis according to the sorting of the sample files.
Before the dynamic analysis, the method of the embodiment of the present invention further includes:
generating the dynamic engine configuration parameters of each sample file according to its submission priority and sending them to the dynamic engine device, so that the dynamic engine device performs dynamic analysis of each sample file according to the dynamic engine configuration parameters; or,
the dynamic engine device receiving an external instruction, configuring the dynamic engine configuration parameters of each sample file according to the received external instruction, and performing dynamic analysis of each sample file according to the configured dynamic engine configuration parameters; or,
the dynamic engine device configuring the dynamic engine configuration parameters of each sample file according to a preset configuration policy, and performing dynamic analysis of each sample file according to the configured dynamic engine configuration parameters.
It should be noted that if a high comprehensive evaluation value of a sample file indicates a high submission priority, then in the dynamic engine configuration parameters the analysis duration is longer, and the analysis environments are more numerous, than for a sample file with a lower submission priority. A longer analysis duration and more analysis environments strengthen the detection of the sample file and help determine whether it contains a malicious file; the preset configuration policy or the external instruction is set on the basis of the above configuration of analysis duration and analysis environment.
Before the comprehensive evaluation, the method of the embodiment of the present invention further includes:
receiving the analysis information of the sample files, and saving the analysis information of each sample file separately.
Optionally, saving the analysis information of each sample file separately includes:
when the received analysis information is analysis information of a newly added sample file, saving the analysis information of the newly added sample file under a preset file identifier;
when the received analysis information is analysis information of an existing sample file from a different front end, saving the analysis information under the file identifier of the existing sample file;
when the received analysis information is abnormal or times out, deleting the analysis information and its related records.
Optionally, sorting all sample files specifically includes:
sorting the sample files according to the results of the comprehensive evaluation of all sample files on the basis of the file identifier.
The method of the embodiment of the present invention further includes:
when the comprehensive evaluation value of a sample file is less than a preset evaluation threshold, deleting the sample file from the order sent to the dynamic analysis engine;
the comprehensive evaluation value being directly proportional to the submission priority.
It should be noted that the evaluation threshold is determined according to the real-time analysis capability of the dynamic engine device: if the analysis capability of the dynamic engine device is sufficient to analyze all sample files, the evaluation threshold can be set small enough. The evaluation threshold is set in order to delete the sample files for which the dynamic engine device cannot meet the real-time analysis requirement, so that sample files do not pile up. In addition, if the comprehensive evaluation is inversely proportional to the submission priority, the sample files whose comprehensive evaluation is greater than a newly defined evaluation threshold are the ones deleted from the order.
The method of the embodiment of the present invention further includes:
when the number of sorted sample files is greater than a preset load threshold, deleting the sample files ranked after the load threshold from the order sent to the dynamic analysis engine;
the sample files being sorted in order of submission priority from high to low.
It should be noted that the load threshold is determined according to the real-time analysis capability of the dynamic engine device; the load threshold is set in order to delete the sample files for which the dynamic engine device cannot meet the real-time analysis requirement, so that sample files do not pile up.
The method of the embodiment of the present invention further includes: processing, according to a first preset period, the related information of the sample files in the sorted list whose dynamic analysis has been completed.
The size of the first preset period is determined according to the memory size and the analysis capability of the dynamic engine device: the larger the memory, the larger the first preset period; the stronger the analysis capability of the dynamic engine device, the smaller the first preset period. The specific setting can be made by those skilled in the art according to actual analysis.
The method of the embodiment of the present invention further includes: cleaning up, according to a second preset period, the analysis results of the sample files whose dynamic analysis has been completed.
The specific size of the second preset period can be determined by those skilled in the art according to actual analysis.
The method of the present invention comprehensively evaluates each sample file through its analysis information and performs dynamic analysis in the order of the comprehensive evaluation results, which reduces the occupation of the dynamic engine device by low-threat sample files and improves the efficiency of effective sample detection.
FIG. 3 is a structural block diagram of an apparatus for implementing sample analysis according to an embodiment of the present invention. As shown in FIG. 3, the apparatus includes: an evaluation unit, a determination unit and a submission unit; wherein
the evaluation unit is configured to comprehensively evaluate one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy; here, the sample files are sample files from a front end;
the front end includes: one or more static engine devices, and/or a web page (WEB) end, and/or another server that analyzes sample files and outputs analysis information.
The evaluation unit is specifically configured to:
set a corresponding evaluation value for each analysis parameter in the analysis information;
perform evaluation statistics on each piece of analysis information contained in the sample file according to the set evaluation values of the analysis parameters,
and determine the comprehensive evaluation of each sample file from the evaluation statistics of each piece of analysis information;
the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable file is normal, and/or, when the sample file is an executable file, whether the load address of the executable file is normal.
The evaluation unit is specifically configured to:
set a corresponding evaluation value for each analysis parameter in the analysis information;
perform evaluation statistics on each piece of analysis information contained in the sample file according to the set evaluation values of the analysis parameters,
for each sample file, preset the comprehensive evaluation weight corresponding to the evaluation statistic of each piece of analysis information in the sample information;
and multiply the evaluation statistic of each piece of analysis information of the sample file by the corresponding comprehensive evaluation weight, accumulate the products, and take the accumulated result as the comprehensive evaluation of the sample file.
The determination unit is configured to sort the sample files according to the results of the comprehensive evaluation of all sample files, to determine the submission priority of each sample file;
the determination unit is specifically configured to:
determine the priority of each sample file according to the magnitude of its comprehensive evaluation value;
sort the sample files in order of priority from high to low according to the priority of each sample file, to determine the submission priority of each sample file.
The determination unit is specifically configured to determine the priority of each sample file according to the magnitude of its comprehensive evaluation value;
and, on the basis of the file identifier, sort the sample files in order of priority from high to low according to the priority of each sample file.
The submission unit is configured to send the sample files to the dynamic analysis engine for dynamic analysis according to the sorting of the sample files.
The apparatus of the present invention further includes a configuration generation unit configured to, before the dynamic analysis, generate the dynamic engine configuration parameters of each sample file according to its submission priority and send them to the dynamic engine device, so that the dynamic engine device performs dynamic analysis of each sample file according to the dynamic engine configuration parameters.
The apparatus of the embodiment of the present invention further includes a receiving and saving unit configured to, before the comprehensive evaluation, receive the analysis information of the sample files and save the analysis information of each sample file separately.
The receiving and saving unit is specifically configured to, before the comprehensive evaluation:
when the received analysis information is analysis information of a newly added sample file, save the analysis information of the newly added sample file under a preset file identifier;
when the received analysis information is analysis information of an existing sample file from a different front end, save the analysis information under the file identifier of the existing sample file;
when the received analysis information is abnormal or times out, delete the analysis information and its related records.
The apparatus of the embodiment of the present invention further includes a first deletion unit configured to:
when the comprehensive evaluation value of a sample file is less than a preset evaluation threshold, delete the sample file from the order sent to the dynamic analysis engine;
the comprehensive evaluation value being directly proportional to the submission priority.
The apparatus of the embodiment of the present invention further includes a second deletion unit configured to:
when the number of sorted sample files is greater than a preset load threshold, delete the sample files ranked after the load threshold from the order sent to the dynamic analysis engine;
the sample files being sorted in order of submission priority from high to low.
The apparatus of the embodiment of the present invention further includes a first period cleaning unit configured to process, according to a first preset period, the related information of the sample files in the sorted list whose dynamic analysis has been completed.
The apparatus of the embodiment of the present invention further includes a second period cleaning unit configured to clean up, according to a second preset period, the analysis results of the sample files whose dynamic analysis has been completed.
It should be noted that the apparatus of the embodiment of the present invention may exist independently and communicate with the dynamic engine device, or may be integrated directly with the dynamic analysis engine.
FIG. 4 is a structural block diagram of a dynamic engine device for implementing sample analysis according to an embodiment of the present invention. As shown in FIG. 4, the device includes: a receiving unit, a configuration unit and an analysis unit; wherein
the receiving unit is configured to receive sample files sorted according to the comprehensive evaluation;
the configuration unit is configured to configure the dynamic engine configuration parameters of each sample file according to a received external instruction or a preset configuration policy;
the analysis unit is configured to perform dynamic analysis of each sample file according to the configured dynamic engine configuration parameters.
The method of the present invention is described clearly and in detail below through a specific application example; the application example is only used to illustrate the present invention and is not intended to limit the scope of protection of the method of the present invention.
Application example
In this application example the submission priority is determined by threat level, and it is assumed that a high evaluation value of an analysis parameter indicates a high threat level; accordingly, when the comprehensive evaluation value of the analysis information is high the threat level is high, and when the comprehensive evaluation value of the sample file is low the threat level is low;
when computing the comprehensive evaluation, this application example sets the comprehensive evaluation weight of each piece of analysis information according to the number of kinds of analysis parameters it contains; that is, the more analysis parameters a piece of analysis information contains, the larger its comprehensive evaluation weight;
the method flow of the application example, as shown in FIG. 5, includes:
Step 500: receiving the analysis information of the sample files, and saving the analysis information of each sample file separately.
Optionally, saving the analysis information of each sample file separately includes:
when the received analysis information is analysis information of a newly added sample file, saving the analysis information of the newly added sample file under a preset file identifier;
when the received analysis information is analysis information of an existing sample file from a different front end, saving the analysis information under the file identifier of the existing sample file;
when the received analysis information is abnormal or times out, deleting the analysis information and its related records.
In this application example, the sample files are sample files from a front end; the front end includes: one or more static engine devices, and/or a web page (WEB) end, and/or another server that analyzes sample files and outputs analysis information.
Comprehensively evaluating the one or more pieces of analysis information contained in each sample file according to a preset evaluation strategy;
here, the preset evaluation strategy includes:
setting a corresponding evaluation value for each analysis parameter in the analysis information;
performing evaluation statistics on each piece of analysis information contained in the sample file according to the set evaluation values of the analysis parameters;
for each sample file, presetting the comprehensive evaluation weight corresponding to the evaluation statistic of each piece of analysis information in the sample information;
multiplying the evaluation statistic of each piece of analysis information of the sample file by the corresponding comprehensive evaluation weight, accumulating the products, and taking the accumulated result as the comprehensive evaluation of the sample file.
Optionally, the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable file is normal, and/or, when the sample file is an executable file, whether the load address of the executable file is normal.
This application example sets: when the sample file is packed, the threat level is high and the evaluation value is 1; when the sample file is not packed, the threat level is low and the evaluation value is 0; when the sample file is a trusted vendor version, the threat level is low and the evaluation value is set to 0; when the sample file is not a trusted vendor version, the threat level is high and the evaluation value is set to 1; when the sample file is an executable file and its entropy is normal, the threat level is low and the evaluation value is set to 0; when the sample file is an executable file and its entropy is abnormal, the threat level is high and the evaluation value is set to 1; when the sample file is an executable file and its load address is normal, the threat level is low and the evaluation value is set to 0; when the sample file is an executable file and its load address is abnormal, the threat level is high and the evaluation value is set to 1. In the application example the evaluation values of different analysis parameters may differ: for example, when the sample file is packed, indicating a high threat level, the evaluation value 1 may be used; when the sample file is not a trusted vendor version, the threat level is also high, but it may be represented by an evaluation value different from the packed case, for example 1.2.
Step 502: sorting the sample files according to the results of the comprehensive evaluation of all sample files; here, the submission priority of each sample file can be determined by the order of the comprehensive evaluation;
in this application example a high comprehensive evaluation value indicates a high threat level, so sorting by comprehensive evaluation value from high to low means sorting the sample files by threat level from high to low, and the corresponding submission priority also runs from high to low;
in this application example, on the basis of the file identifier, the comprehensive evaluation values of the sample files can be sorted by file identifier, and the sorting can be performed by recording the file identifier and the score in a database.
Step 503: when the comprehensive evaluation value of a sample file is less than a preset evaluation threshold, deleting the sample file from the order sent to the dynamic analysis engine;
in this application example, the evaluation threshold is determined according to the real-time analysis capability of the dynamic engine device: if the analysis capability of the dynamic engine device is sufficient to analyze all sample files, the evaluation threshold can be set small enough. The evaluation threshold is set in order to delete the sample files for which the dynamic engine device cannot meet the real-time analysis requirement, so that sample files do not pile up. In addition, if the comprehensive score is inversely proportional to the threat level, the sample files whose comprehensive score is greater than another defined evaluation threshold are the ones deleted from the order.
Step 504: when the number of sorted sample files is greater than a preset load threshold, deleting the sample files ranked after the load threshold from the order sent to the dynamic analysis engine.
Here, the sample files are sorted in order of threat level from high to low, that is, in order of submission priority from high to low.
It should be noted that the load threshold is determined according to the real-time analysis capability of the dynamic engine device; the load threshold is set in order to delete the sample files for which the dynamic engine device cannot meet the real-time analysis requirement, so that sample files do not pile up.
Step 505: generating the dynamic engine configuration parameters of each sample file according to its submission priority and sending them to the dynamic engine device.
The dynamic engine configuration parameters include: the analysis duration and the analysis environment used by the dynamic engine device for each sample file.
Step 506: sending the sample files to the dynamic analysis engine for dynamic analysis according to the sorting of the sample files.
The method of this application example further includes:
processing, according to a first preset period, the related information of the sample files in the sorted list whose dynamic engine analysis has been completed;
cleaning up, according to a second preset period, the analysis results of the sample files whose dynamic engine analysis has been completed.
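Steps 500 to 505 of the application example (and the same procedure in the English summary above), implemented as an added Python example that is not part of the patent. The per-parameter evaluation values are the ones the example sets (with 1.2 for the untrusted-vendor case) and the weight rule is "more parameters, larger weight"; the file-type levels, the threshold values, the front-end names and the duration/environment scaling are assumptions.

```python
"""Submission-priority queue for a dynamic analysis engine, following the
weighted composite-evaluation scheme of the application example (steps 500-505)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Evaluation values per analysis parameter, high value == high threat, as set in
# the application example; the untrusted-vendor case uses the alternative 1.2.
EVAL_VALUES = {
    "packed": {True: 1.0, False: 0.0},
    "trusted_vendor": {True: 0.0, False: 1.2},
    "entropy_normal": {True: 0.0, False: 1.0},
    "load_addr_normal": {True: 0.0, False: 1.0},
}
# Priority levels per file type are assumed values; the page gives none.
FILE_TYPE_LEVEL = {"exe": 1.0, "dll": 1.0, "doc": 0.8, "pdf": 0.8, "txt": 0.1}


@dataclass
class AnalysisInfo:
    source: str                  # front end that produced it (static engine, WEB, ...)
    params: Dict[str, object]    # analysis parameters reported by that front end


@dataclass
class SampleRecord:
    file_id: str
    infos: List[AnalysisInfo] = field(default_factory=list)


def evaluation_statistic(info: AnalysisInfo) -> float:
    """Sum of the evaluation values of the parameters present in one analysis info."""
    total = 0.0
    for name, value in info.params.items():
        if name == "file_type":
            total += FILE_TYPE_LEVEL.get(str(value).lower(), 0.5)
        elif name in EVAL_VALUES:
            total += EVAL_VALUES[name][bool(value)]
        # parameter names the strategy does not know are ignored, not guessed
    return total


def composite_weight(info: AnalysisInfo) -> float:
    """Application-example rule: the more parameters an info carries, the larger its weight."""
    return float(len(info.params))


def composite_evaluation(sample: SampleRecord) -> float:
    """Weighted sum over all analysis infos saved under this file identifier."""
    return sum(evaluation_statistic(i) * composite_weight(i) for i in sample.infos)


def ingest(store: Dict[str, SampleRecord], file_id: str,
           info: Optional[AnalysisInfo] = None, failed: bool = False) -> None:
    """Step 500: a new id opens a record, a known id appends to it, and an
    abnormal or timed-out report deletes the info and its related records."""
    if failed or info is None:
        store.pop(file_id, None)
        return
    store.setdefault(file_id, SampleRecord(file_id)).infos.append(info)


def build_submission_order(store: Dict[str, SampleRecord], eval_threshold: float,
                           load_threshold: int, high_score_is_threat: bool = True
                           ) -> List[Tuple[float, str]]:
    """Steps 502-504: sort by composite evaluation, drop the samples the evaluation
    threshold excludes, then cut the queue at the load threshold."""
    scored = [(composite_evaluation(s), s.file_id) for s in store.values()]
    if high_score_is_threat:
        scored.sort(key=lambda t: (-t[0], t[1]))          # highest threat first
        kept = [t for t in scored if t[0] >= eval_threshold]
    else:  # score inversely proportional to threat: ascending, drop those above the threshold
        scored.sort(key=lambda t: (t[0], t[1]))
        kept = [t for t in scored if t[0] <= eval_threshold]
    return kept[:load_threshold]


def engine_config(order: List[Tuple[float, str]], base_seconds: int = 60,
                  environments: Tuple[str, ...] = ("win7", "win10", "office")) -> Dict[str, dict]:
    """Step 505: higher submission priority gets a longer analysis duration and
    more analysis environments (the scaling itself is an assumption)."""
    configs: Dict[str, dict] = {}
    for rank, (_score, fid) in enumerate(order):
        share = 1.0 - rank / len(order)             # 1.0 for the top sample, falling by rank
        env_count = max(1, round(share * len(environments)))
        configs[fid] = {"analysis_seconds": int(base_seconds * (1 + share)),
                        "environments": list(environments[:env_count])}
    return configs


if __name__ == "__main__":
    store: Dict[str, SampleRecord] = {}
    # Constructed front-end reports for four samples.
    ingest(store, "id-A", AnalysisInfo("static-1", {"packed": True, "trusted_vendor": False,
           "file_type": "exe", "entropy_normal": False, "load_addr_normal": True}))
    ingest(store, "id-A", AnalysisInfo("web", {"file_type": "exe"}))
    ingest(store, "id-B", AnalysisInfo("static-1", {"packed": False, "trusted_vendor": True,
           "file_type": "txt"}))
    ingest(store, "id-C", AnalysisInfo("static-2", {"packed": True, "file_type": "doc"}))
    ingest(store, "id-D", failed=True)              # timed-out report: nothing is queued
    order = build_submission_order(store, eval_threshold=1.0, load_threshold=2)
    print(order)                                    # [(22.0, 'id-A'), (3.6, 'id-C')]
    print(engine_config(order))
```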
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network of multiple computing devices; optionally, they may be implemented by program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from the one given here, or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present invention is not limited to any particular combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included in the scope of protection of the present invention.
With the solution of the embodiment of the present invention, one or more pieces of analysis information corresponding to each sample file are comprehensively evaluated according to a preset evaluation strategy; the sample files are sorted according to the results of the comprehensive evaluation of all sample files, to determine the submission priority of each sample file; and the sample files are sent to a dynamic analysis engine for dynamic analysis according to the sorting of the sample files. The method of the present invention comprehensively evaluates each sample file through its analysis information and performs dynamic analysis in the order of the comprehensive evaluation results, which reduces the occupation of the dynamic engine device by low-threat sample files and improves the efficiency of effective sample detection.
Claims (29)
- A method for implementing sample analysis, including: for all sample files, comprehensively evaluating one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy; sorting the sample files according to the results of the comprehensive evaluation of all sample files, to determine the submission priority of each sample file; and sending the sample files to a dynamic analysis engine for dynamic analysis according to the sorting of the sample files.
- The method according to claim 1, wherein before the dynamic analysis the method further includes: generating the dynamic engine configuration parameters of each sample file according to its submission priority and sending them to the dynamic engine device, so that the dynamic engine device performs dynamic analysis of each sample file according to the dynamic engine configuration parameters; or, the dynamic engine device receiving an external instruction, configuring the dynamic engine configuration parameters of each sample file according to the received external instruction, and performing dynamic engine analysis of each sample file according to the configured dynamic engine configuration parameters; or, the dynamic engine device configuring the dynamic engine configuration parameters of each sample file according to a preset configuration policy, and performing dynamic analysis of each sample file according to the configured dynamic engine configuration parameters.
- The method according to claim 1 or 2, wherein the sample files are sample files from a front end; the front end includes: one or more static engine devices, and/or a web page (WEB) end, and/or another server that analyzes sample files and outputs analysis information.
- The method according to claim 1, wherein the preset evaluation strategy includes: setting a corresponding evaluation value for each analysis parameter in the analysis information; performing evaluation statistics on each piece of analysis information contained in the sample file according to the set evaluation values of the analysis parameters; determining the comprehensive evaluation of each sample file from the evaluation statistics of each piece of analysis information.
- The method according to claim 4, wherein the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable file is normal, and/or, when the sample file is an executable file, whether the load address of the executable file is normal.
- The method according to claim 4 or 5, wherein determining the comprehensive evaluation of each sample file includes: for each sample file, presetting the comprehensive evaluation weight corresponding to the evaluation statistic of each piece of analysis information in the sample information; multiplying the evaluation statistic of each piece of analysis information of the sample file by the corresponding comprehensive evaluation weight, accumulating the products, and taking the accumulated result as the comprehensive evaluation of the sample file.
- The method according to claim 6, wherein sorting the sample files includes: determining the priority of each sample file according to the magnitude of its comprehensive evaluation value; sorting the sample files in order of priority from high to low according to the priority of each sample file.
- The method according to claim 1, 2, 4 or 5, wherein before the comprehensive evaluation the method further includes: receiving the analysis information of the sample files, and saving the analysis information of each sample file separately.
- The method according to claim 8, wherein saving the analysis information of each sample file separately includes: when the received analysis information is analysis information of a newly added sample file, saving the analysis information of the newly added sample file under a preset file identifier; when the received analysis information is analysis information of an existing sample file from a different front end, saving the analysis information under the file identifier of the existing sample file; when the received analysis information is abnormal or times out, deleting the analysis information and its related records.
- The method according to claim 9, wherein sorting all sample files specifically includes: sorting the sample files according to the results of the comprehensive evaluation of all sample files on the basis of the file identifier.
- The method according to claim 1, 2, 4 or 5, wherein the method further includes: when the comprehensive evaluation value of a sample file is less than a preset evaluation threshold, deleting the sample file from the order sent to the dynamic analysis engine; the comprehensive evaluation value being directly proportional to the submission priority.
- The method according to claim 1, 2, 4 or 5, wherein the method further includes: when the number of sorted sample files is greater than a preset load threshold, deleting the sample files ranked after the load threshold from the order sent to the dynamic analysis engine; the sample files being sorted in order of submission priority from high to low.
- The method according to claim 1, 2, 4 or 5, wherein the method further includes: processing, according to a first preset period, the related information of the sample files in the sorted list whose dynamic analysis has been completed.
- The method according to claim 1, 2, 4 or 5, wherein the method further includes: cleaning up, according to a second preset period, the analysis results of the sample files whose dynamic analysis has been completed.
- The method according to claim 2, wherein the dynamic engine configuration parameters include: the analysis duration and the analysis environment used by the dynamic engine device for each sample file.
- An apparatus for implementing sample analysis, including: an evaluation unit, a determination unit and a submission unit; wherein the evaluation unit is configured to comprehensively evaluate one or more pieces of analysis information corresponding to each sample file according to a preset evaluation strategy; the determination unit is configured to sort the sample files according to the results of the comprehensive evaluation of all sample files, to determine the submission priority of each sample file; and the submission unit is configured to send the sample files to a dynamic analysis engine for dynamic analysis according to the sorting of the sample files.
- The apparatus according to claim 16, wherein the apparatus further includes a configuration generation unit configured to, before the dynamic analysis, generate the dynamic engine configuration parameters of each sample file according to its submission priority and send them to the dynamic engine device, so that the dynamic engine device performs dynamic analysis of each sample file according to the dynamic engine configuration parameters; the dynamic engine configuration parameters include: the analysis duration and the analysis environment used by the dynamic engine device for each sample file.
- The apparatus according to claim 16 or 17, wherein the sample files are sample files from a front end; the front end includes: one or more static engine devices, and/or a web page (WEB) end, and/or another server that analyzes sample files and outputs analysis information.
- The apparatus according to claim 16, wherein the evaluation unit is specifically configured to: set a corresponding evaluation value for each analysis parameter in the analysis information; perform evaluation statistics on each piece of analysis information contained in the sample file according to the set evaluation values of the analysis parameters, and determine the comprehensive evaluation of each sample file from the evaluation statistics of each piece of analysis information; the analysis parameters include: whether the sample file is packed, and/or whether the sample file is a trusted vendor version, and/or the file type of the sample file, and/or, when the sample file is an executable file, whether the entropy of the executable file is normal, and/or, when the sample file is an executable file, whether the load address of the executable file is normal.
- The apparatus according to claim 19, wherein the evaluation unit is specifically configured to: set a corresponding evaluation value for each analysis parameter in the analysis information; perform evaluation statistics on each piece of analysis information contained in the sample file according to the set evaluation values of the analysis parameters; for each sample file, preset the comprehensive evaluation weight corresponding to the evaluation statistic of each piece of analysis information in the sample information; and multiply the evaluation statistic of each piece of analysis information of the sample file by the corresponding comprehensive evaluation weight, accumulate the products, and take the accumulated result as the comprehensive evaluation of the sample file.
- The apparatus according to claim 20, wherein the determination unit is specifically configured to: determine the priority of each sample file according to the magnitude of its comprehensive evaluation value; sort the sample files in order of priority from high to low according to the priority of each sample file, to determine the submission priority of each sample file.
- The apparatus according to claim 16, 17, 19 or 20, wherein the apparatus further includes a receiving and saving unit configured to, before the comprehensive evaluation, receive the analysis information of the sample files and save the analysis information of each sample file separately.
- The apparatus according to claim 22, wherein the receiving and saving unit is specifically configured to, before the comprehensive evaluation: when the received analysis information is analysis information of a newly added sample file, save the analysis information of the newly added sample file under a preset file identifier; when the received analysis information is analysis information of an existing sample file from a different front end, save the analysis information under the file identifier of the existing sample file; when the received analysis information is abnormal or times out, delete the analysis information and its related records.
- The apparatus according to claim 23, wherein the determination unit is specifically configured to sort the sample files according to the results of the comprehensive evaluation of all sample files on the basis of the file identifier.
- The apparatus according to claim 16, 17, 19 or 20, wherein the apparatus further includes a first deletion unit configured to: when the comprehensive evaluation value of a sample file is less than a preset evaluation threshold, delete the sample file from the order sent to the dynamic analysis engine; the comprehensive evaluation value being directly proportional to the submission priority.
- The apparatus according to claim 16, 17, 19 or 20, wherein the apparatus further includes a second deletion unit configured to: when the number of sorted sample files is greater than a preset load threshold, delete the sample files ranked after the load threshold from the order sent to the dynamic analysis engine; the sample files being sorted in order of submission priority from high to low.
- The apparatus according to claim 16, 17, 19 or 20, wherein the apparatus further includes a first period cleaning unit configured to process, according to a first preset period, the related information of the sample files in the sorted list whose dynamic analysis has been completed.
- The apparatus according to claim 16, 17, 19 or 20, wherein the apparatus further includes a second period cleaning unit configured to clean up, according to a second preset period, the analysis results of the sample files whose dynamic analysis has been completed.
- A dynamic engine device for implementing sample analysis, including: a receiving unit, a configuration unit and an analysis unit; wherein the receiving unit is configured to receive sample files sorted according to the comprehensive evaluation; the configuration unit is configured to configure the dynamic engine configuration parameters of each sample file according to a received external instruction or a preset configuration policy; and the analysis unit is configured to perform dynamic analysis of each sample file according to the configured dynamic engine configuration parameters.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201511027438.X | 2015-12-31 | ||
CN201511027438.XA CN106934285A (zh) | 2015-12-31 | 2015-12-31 | 一种实现样本分析的方法、装置及动态引擎设备 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017113948A1 true WO2017113948A1 (zh) | 2017-07-06 |
Family
ID=59224456
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/102884 WO2017113948A1 (zh) | 2015-12-31 | 2016-10-21 | 一种实现样本分析的方法、装置及动态引擎设备 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106934285A (zh) |
WO (1) | WO2017113948A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111385281A (zh) * | 2019-12-26 | 2020-07-07 | 中科信息安全共性技术国家工程研究中心有限公司 | 一种基于资源负载均衡的自动化漏洞挖掘系统及方法 |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3557261B1 (en) * | 2018-04-20 | 2021-12-08 | F. Hoffmann-La Roche AG | Just in time availability of analytical test results |
CN111259451A (zh) * | 2020-01-23 | 2020-06-09 | 奇安信科技集团股份有限公司 | 文件安全等级鉴定方法及装置 |
CN114386034B (zh) * | 2021-12-21 | 2023-01-31 | 中国电子科技集团公司第三十研究所 | 动态迭代的多引擎融合恶意代码检测方法、设备及介质 |
CN115327065B (zh) * | 2022-10-17 | 2022-12-27 | 中大智能科技股份有限公司 | 一种水利水电工程样本检测方法及系统 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101833575A (zh) * | 2010-04-27 | 2010-09-15 | 南京邮电大学 | 一种网络病毒报告排序方法 |
CN103902883A (zh) * | 2013-09-24 | 2014-07-02 | 北京安天电子设备有限公司 | 一种基于驱动级程序的apt预防方法及系统 |
US20150244733A1 (en) * | 2014-02-21 | 2015-08-27 | Verisign Inc. | Systems and methods for behavior-based automated malware analysis and classification |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101894230B (zh) * | 2010-07-14 | 2013-04-10 | 国网电力科学研究院 | 一种基于静态和动态分析技术的主机系统安全评估方法 |
CN102137115A (zh) * | 2011-04-22 | 2011-07-27 | 南京邮电大学 | 通信网恶意代码攻击效果评估方法 |
CN103685150B (zh) * | 2012-09-03 | 2015-08-12 | 腾讯科技(深圳)有限公司 | 上传文件的方法和装置 |
US9171160B2 (en) * | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
CN103825888A (zh) * | 2014-02-17 | 2014-05-28 | 北京奇虎科技有限公司 | 网络威胁处理方法及设备 |
-
2015
- 2015-12-31 CN CN201511027438.XA patent/CN106934285A/zh not_active Withdrawn
-
2016
- 2016-10-21 WO PCT/CN2016/102884 patent/WO2017113948A1/zh active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101833575A (zh) * | 2010-04-27 | 2010-09-15 | 南京邮电大学 | 一种网络病毒报告排序方法 |
CN103902883A (zh) * | 2013-09-24 | 2014-07-02 | 北京安天电子设备有限公司 | 一种基于驱动级程序的apt预防方法及系统 |
US20150244733A1 (en) * | 2014-02-21 | 2015-08-27 | Verisign Inc. | Systems and methods for behavior-based automated malware analysis and classification |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111385281A (zh) * | 2019-12-26 | 2020-07-07 | 中科信息安全共性技术国家工程研究中心有限公司 | 一种基于资源负载均衡的自动化漏洞挖掘系统及方法 |
CN111385281B (zh) * | 2019-12-26 | 2022-04-22 | 中科信息安全共性技术国家工程研究中心有限公司 | 一种基于资源负载均衡的自动化漏洞挖掘系统及方法 |
Also Published As
Publication number | Publication date |
---|---|
CN106934285A (zh) | 2017-07-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2017113948A1 (zh) | 一种实现样本分析的方法、装置及动态引擎设备 | |
Mohaisen et al. | Unveiling zeus: automated classification of malware samples | |
TWI547823B (zh) | 惡意程式碼分析方法與系統、資料處理裝置及電子裝置 | |
EP3108395B1 (en) | Targeted attack protection using predictive sandboxing | |
US9628507B2 (en) | Advanced persistent threat (APT) detection center | |
WO2015120752A1 (zh) | 网络威胁处理方法及设备 | |
WO2017152877A1 (zh) | 网络威胁事件评估方法及装置 | |
IL257849B1 (en) | Systems and methods for detecting and scoring anomalies | |
KR20200052881A (ko) | 멀웨어 호스트 넷플로우 분석 시스템 및 방법 | |
CN113728581B (zh) | 用于siem规则分类和条件执行的系统和方法 | |
CN108573146A (zh) | 一种恶意url检测方法及装置 | |
WO2018066221A1 (ja) | 分類装置、分類方法及び分類プログラム | |
Xiao et al. | From patching delays to infection symptoms: Using risk profiles for an early discovery of vulnerabilities exploited in the wild | |
US11847216B2 (en) | Analysis device, analysis method and computer-readable recording medium | |
JP7005936B2 (ja) | 評価プログラム、評価方法および情報処理装置 | |
JP2017142744A (ja) | 情報処理装置、ウィルス検出方法及びプログラム | |
Kim et al. | Behavior-based anomaly detection on big data | |
US10965693B2 (en) | Method and system for detecting movement of malware and other potential threats | |
CA2961695A1 (en) | Correlation-based detection of exploit activity | |
Liu et al. | A system call analysis method with mapreduce for malware detection | |
Almousa et al. | Identification of ransomware families by analyzing network traffic using machine learning techniques | |
US20240171598A1 (en) | Systems and methods for prioritizing url review for sandboxing based on accelerated velocities of url features in network traffic | |
US9239907B1 (en) | Techniques for identifying misleading applications | |
Kumaravel et al. | Multi-classification approach for detecting network attacks | |
US11321453B2 (en) | Method and system for detecting and classifying malware based on families |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16880740 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 16880740 Country of ref document: EP Kind code of ref document: A1 |