WO2018095099A1 - Method and device for processing suspicious samples - Google Patents

Method and device for processing suspicious samples

Info

Publication number: WO2018095099A1
Application number: PCT/CN2017/099910
Authority: WO (WIPO (PCT))
Prior art keywords: suspicious, sample, samples, feature information, suspicious sample
Other languages: English (en), Chinese (zh)
Inventors: 郑文彬, 丁卯胤
Original assignee: 北京奇虎科技有限公司
Priority date: (Google notes that the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:
Application filed by 北京奇虎科技有限公司
Publication of WO2018095099A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Definitions

  • The present invention relates to the field of Internet technologies, and in particular to a method and an apparatus for processing suspicious samples.
  • The present invention has been made in order to provide a method and apparatus for processing suspicious samples that overcome the above problems or at least partially solve them.
  • A method for processing suspicious samples comprises: receiving a suspicious sample data stream from a data source, the stream including a plurality of suspicious samples; delivering each received suspicious sample to a sandbox for running and obtaining the running log corresponding to that sample; analyzing the running log to obtain feature information related to the sample; determining, according to that feature information and a preset rule, whether the sample is a threat sample; and placing the feature information related to each sample determined to be a threat sample into a threat database.
  • An apparatus for processing suspicious samples comprises: a sample receiving unit adapted to receive a suspicious sample data stream from a data source, the stream including a plurality of suspicious samples; a run processing unit adapted to send each received suspicious sample to the sandbox for running and obtain the corresponding running log; a result analyzing unit adapted to analyze the running log, obtain feature information related to the sample, and determine according to that feature information and a preset rule whether the sample is a threat sample; and a sample handling unit adapted to put the feature information related to each sample determined to be a threat sample into the threat database.
  • A computer program comprising computer readable code is provided; when the code is run on a computing device, it causes the computing device to perform the processing method described above.
  • A computer readable medium storing such a computer program is also provided.
  • The technical solution according to the present invention delivers the suspicious samples received from the data source into a sandbox, records the running process of each sample in the sandbox in a running log, and analyzes that log to obtain the feature information related to the sample. On that basis it can clearly determine whether the sample is a genuine threat sample, and it puts all relevant feature information of threat samples into the threat database as a supplement to, and an update of, the known threat data.
  • This forms a threat data monitoring center with positive feedback, which has the following beneficial effects: collecting a large number of suspicious samples from the data sources keeps the supply of samples stable; running each sample with the sandbox as a virtual carrier clearly records all of its running trajectories, from which more comprehensive information about the sample can be obtained; when a sample is determined to be a threat sample, the comprehensive feature information obtained from each analysis is used, in a continuous loop, to supplement and update the feature information the threat database already holds about it; and the quantity, variety and accuracy of the threat data in the database accumulate over time, providing increasingly strong support for subsequent information security protection based on the database.
  • FIG. 1 shows a flow chart of a method of processing suspicious samples according to one embodiment of the present invention.
  • FIG. 2 is a block diagram of a method of processing suspicious samples according to one embodiment of the present invention.
  • FIG. 3 is a data flow diagram of a method of processing suspicious samples according to one embodiment of the present invention.
  • FIG. 4 shows a schematic diagram of an apparatus for processing suspicious samples according to one embodiment of the present invention.
  • FIG. 5 schematically shows a block diagram of a computing device for performing the method according to the invention.
  • FIG. 6 schematically shows a storage unit for holding or carrying program code that implements the method according to the invention.
  • FIG. 1 shows a flow chart of a method of processing suspicious samples according to one embodiment of the present invention. As shown in FIG. 1, the method includes:
  • Step S110: receive a suspicious sample data stream from a data source; the stream includes a plurality of suspicious samples.
  • Step S120: send each received suspicious sample to the sandbox to run, and obtain the running log corresponding to the sample.
  • Step S130: analyze the running log corresponding to the sample, and obtain feature information related to the sample.
  • Step S140: determine whether the sample is a threat sample according to the feature information related to the sample and a preset rule.
  • Step S150: place the feature information related to each sample determined to be a threat sample into the threat database.
  • The method shown in FIG. 1 delivers the suspicious samples received from the data source into the sandbox, records each sample's running process in the sandbox in a running log, and analyzes that log to obtain the feature information related to the sample; it can then clearly determine whether the sample is a genuine threat sample, and it puts all relevant feature information of threat samples into the threat database as a supplement to, and an update of, the known threat data.
  • This forms a threat data monitoring center with positive feedback, whose beneficial effects are as follows: collecting a large number of suspicious samples from the data sources keeps the supply of samples stable; running each sample with the sandbox as a virtual carrier clearly records its running trajectory, from which information related to the sample can be obtained more comprehensively; when a sample is determined to be a threat sample, the comprehensive feature information obtained from each analysis is used, in a continuous loop, to supplement and update the feature information the threat database already holds about it; and the amount, variety and accuracy of the data in the threat database accumulate continuously, providing increasingly strong support for subsequent information security protection based on the threat database.
  • The feature information obtained by analyzing a sample's running log includes static feature information of the sample and/or behavioral feature information of the sample. That is, for each sample placed in the sandbox, both its static features and its dynamic behavior while running can be deconstructed and observed, so that a complete profile of the sample is obtained and the questions of whether the sample is a genuine threat sample and, if so, how it can be prevented are answered accurately.
  • The profiles of the samples under control are thus constantly improved, i.e. the data in the threat database is continuously improved.
  • In step S150, placing the feature information related to a sample determined to be a threat sample into the threat database means using that feature information to update the existing data in the threat database.
  • The data source may be the clients of the solution distributed on different terminals; a client records (logs) the suspicious samples it encounters, and the suspicious samples received by the solution may be those uploaded by each client.
  • The data source may also be a third-party security detection platform that cooperates with the solution; the suspicious samples received by the solution may then be those uploaded by the third-party platform.
  • The data source may also be other products, namely the client of another product or a hot patch deployed on the client of another product; the suspicious samples received by the solution may then be those uploaded by that client or hot patch.
  • The suspicious sample data stream received by the solution may also include suspicious samples crawled from various websites by crawlers.
  • Receiving the suspicious sample data stream from the data source in step S110 of FIG. 1 may include reading, from a distributed cluster, the suspicious samples uploaded there by the clients.
  • Before the received suspicious samples are put into the sandbox in step S120, the method shown in FIG. 1 may further include screening the received samples, so that only the valuable samples are delivered to the sandbox and a running log is obtained for each screened sample.
  • The running log of each screened sample is then analyzed to obtain feature information of greater value, which promotes the positive feedback of the subsequent processing.
  • Screening the received samples includes: de-duplicating them; calculating the priority of each de-duplicated sample according to the sample's associated information and a preset policy; and selecting the samples whose priority is above a first preset threshold.
  • Duplicates are found by comparing the identification information of the received samples, which completes the de-duplication. The associated information of a sample is the feature information currently known about it, and includes one or more of: utilization information, domain name information, website (URL) information, IP information, and pattern (schema) information.
  • For example, when the associated information of a sample includes a URL, it is checked whether that URL hits a preset list of important websites (for instance, the list may contain URLs associated with government websites). If it does, the priority of the sample is increased; otherwise it is left unchanged.
  • The priorities of the samples are then compared, and the samples with higher priority are selected as the valuable ones.
  • The solution may further include structuring the received samples so that their data structures are unified, which facilitates the subsequent de-duplication and screening.
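The screening stage described above, written out as an added example in Python; this is illustration added to the page, not code from the patent or from 北京奇虎科技有限公司. It structures heterogeneous uploads into one record, de-duplicates by identification information (here the SHA-256 of the sample bytes), scores priority from the associated information and a preset policy, and keeps only samples above the first preset threshold. The field names, the scoring weights, the contents of the important-website list, the threshold value and the sample inputs are all assumptions constructed for the example.

```python
"""Screening stage of the suspicious-sample pipeline (before step S120).

Added example, not the patent's code: structure -> de-duplicate -> priority -> threshold.
Field names, weights, the important-website list and the threshold are assumptions.
"""
import hashlib
from dataclasses import dataclass

# Assumed preset policy: an important-website list (the patent gives government
# websites as its example) and a first preset threshold for the priority.
IMPORTANT_SITES = ("gov.example", "tax.gov.example")
PRIORITY_THRESHOLD = 5


@dataclass(frozen=True)
class Sample:
    sample_id: str          # identification info used for de-duplication
    source: str             # data source: "client", "third_party", "crawler", ...
    url: str = ""           # associated info: url address
    domain: str = ""        # associated info: domain name
    ip: str = ""            # associated info: IP
    exploit_type: str = ""  # associated info: "0day", "nday", "malware" or ""


def structure(raw: dict) -> Sample:
    """Normalise one raw upload (dicts differ per data source) into the uniform
    Sample record. The identification info is the upload's sha256 if it gave one,
    otherwise the SHA-256 of the sample bytes, so byte-identical uploads collide."""
    content = raw.get("content", b"")
    sample_id = raw.get("sha256") or hashlib.sha256(content).hexdigest()
    url = raw.get("url", "")
    domain = raw.get("domain") or (url.split("/")[2] if "://" in url else "")
    return Sample(sample_id=sample_id.lower(), source=raw.get("source", "unknown"),
                  url=url, domain=domain, ip=raw.get("ip", ""),
                  exploit_type=raw.get("type", "").lower())


def deduplicate(samples):
    """Keep the first occurrence of each identification info, preserving order."""
    seen, unique = set(), []
    for s in samples:
        if s.sample_id not in seen:
            seen.add(s.sample_id)
            unique.append(s)
    return unique


def priority(s: Sample) -> int:
    """Assumed preset policy: a base score from the exploit type, raised when the
    URL hits the important-website list and when an IP is known."""
    score = {"0day": 6, "nday": 4, "malware": 3}.get(s.exploit_type, 1)
    if any(s.domain == site or s.domain.endswith("." + site) for site in IMPORTANT_SITES):
        score += 3
    if s.ip:
        score += 1
    return score


def screen(raw_samples):
    """Full screening: structure, de-duplicate, then keep samples whose priority
    is above the first preset threshold."""
    unique = deduplicate(structure(r) for r in raw_samples)
    return [s for s in unique if priority(s) > PRIORITY_THRESHOLD]


# Constructed inputs for the example (not real samples).
RAW = [
    {"content": b"MZ\x90\x00dropper", "source": "client",
     "url": "http://evil.example/a.exe", "type": "malware"},
    {"content": b"MZ\x90\x00dropper", "source": "client",          # byte-identical duplicate
     "url": "http://evil.example/a.exe", "type": "malware"},
    {"sha256": "AB" * 32, "source": "third_party", "type": "nday",
     "url": "http://portal.gov.example/login.js", "ip": "203.0.113.7"},
    {"content": b"%PDF-1.7 exploit", "source": "crawler",
     "url": "http://blog.example/x.pdf", "type": "0day"},
]

if __name__ == "__main__":
    for s in screen(RAW):
        print(s.sample_id[:12], s.source, s.domain, priority(s))
```

Of the four constructed uploads, the two byte-identical client uploads collapse to one record with priority 3 and are dropped, the third-party sample is kept because its URL hits the assumed important-website list, and the crawled 0day-typed sample is kept on its base score alone.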
  • Analyzing the running log in step S130 to obtain the feature information related to a sample may include: synchronizing the running logs of the samples into a distributed cluster for storage, and using the computing framework of the cluster to analyze the running logs in batches, obtaining the feature information related to each sample.
  • The method shown in FIG. 1 may further include: at a preset time interval, selecting from the threat database the feature information, meeting a preset condition, of specified suspicious samples, and pushing information containing that feature information to the data sources, so that each data source can judge suspicious samples according to the pushed information.
  • The solution may further include receiving feedback information from each data source; the feedback information is the event log ("ticker log") generated by the data source while judging suspicious samples according to the pushed information.
  • In the embodiment shown in FIG. 2, the data sources include: clients that record suspicious samples, a third-party security detection platform (labelled "VT data source & other" in the figure), and a hot patch deployed on the client of another product (labelled "Net shield hot fill").
  • The clients distributed on different terminals upload suspicious samples to the HDFS distributed file system of a Hadoop distributed cluster for storage; the solution receives the samples from the clients by reading them from HDFS.
  • The received samples are structured, and the samples with a uniform data structure are handed to the detection task data screening module, which selects the valuable samples from them using the screening criteria described above (de-duplication, and priority calculated from the associated information).
  • Each selected sample is sent to the analysis task module as a pending task; in this embodiment the analysis task module is implemented with the ElasticSearch distributed search engine. To improve subsequent processing efficiency, the analysis task module delivers the pending tasks that need processing (such as samples whose priority is higher than the preset threshold, and the current day's samples) to the task distribution scheduling module, which distributes the received samples and schedules each of them so that all samples run in parallel in the distributed sandbox system, yielding a running log for each sample. The distribution rules may be based on the type of the sample: samples related to 0day vulnerabilities, samples related to Nday vulnerabilities, and malware-related samples are distributed into the distributed sandbox system, which is built on a MongoDB cluster.
  • The running log of each sample is returned as result data to the result buffer for caching; the result data is classified and distributed to the result data analysis, determination and screening module, which analyzes each running log to obtain the feature information of the sample, determines according to that feature information and the preset rule whether the sample is a threat sample, and screens out the samples determined to be threat samples. In the embodiment shown in FIG. 2, the classification and distribution of the result data to that module proceeds as follows: the running logs are synchronized into the Hadoop distributed cluster for storage, and the MapReduce computing framework of the cluster analyzes the logs in batches to obtain the feature information related to each sample.
  • The MapReduce computing framework of the Hadoop cluster can also be used to determine, from the feature information, whether each sample is a threat sample; the samples so determined are screened out, and their feature information is put into the threat database to supplement and improve it.
  • Every day, the feature information of specified samples meeting a preset condition is selected from the threat database and pushed to each data source as the day's threat data, so that each data source can judge suspicious samples according to the pushed information.
  • The data sources return feedback information, namely the event log ("ticker log") generated by the data source while judging suspicious samples according to the pushed information.
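The analysis, determination and push stages of the FIG. 2 embodiment (steps S130 to S150 and the daily push), as an added example in plain Python; this is illustration added to the page, not code from the patent or its assignee, and it runs the map and reduce steps in-process rather than on Hadoop MapReduce. A map step turns each sandbox log line into (sample, feature) pairs, a reduce step groups the features per sample, a preset rule set decides whether the sample is a threat sample, the threat database is updated with the feature information of confirmed threat samples, and the feature information meeting a push condition is selected for the data sources. The log format, the rules, the push condition and the sample logs are constructed assumptions.

```python
"""Analysis (S130), determination (S140), threat-database update (S150) and push.

Added example, not the patent's code. The map/reduce split mirrors how the
embodiment batches running logs through MapReduce; here it runs in-process.
Log format, feature names, rules and push condition are assumptions.
"""
from collections import defaultdict

# Constructed sandbox running logs: "<sample_id>\t<event>\t<detail>" (assumed format).
RUN_LOGS = """\
s1\tfile_write\tC:\\Users\\u\\AppData\\Roaming\\svc.exe
s1\tregistry_set\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc
s1\tnet_connect\t203.0.113.9:443
s1\tnet_dns\tupdate.evil.example
s2\tfile_read\tC:\\Users\\u\\Documents\\report.docx
s2\tnet_dns\tcdn.example
s3\tprocess_create\tcmd.exe /c vssadmin delete shadows /all /quiet
s3\tfile_write\tC:\\Users\\u\\Documents\\report.docx.locked
"""


def map_line(line: str):
    """Map: one running-log line -> (sample_id, (kind, value)) pairs. Only
    behavioral feature information is derived here; static feature information
    would be emitted through the same interface."""
    sample_id, event, detail = line.rstrip("\n").split("\t", 2)
    yield sample_id, ("event", event)
    if event == "registry_set" and "\\CurrentVersion\\Run\\" in detail:
        yield sample_id, ("behavior", "autorun_persistence")
    if event == "net_connect":
        yield sample_id, ("ip", detail.rsplit(":", 1)[0])
    if event == "net_dns":
        yield sample_id, ("domain", detail)
    if event == "process_create" and "vssadmin" in detail and "delete shadows" in detail:
        yield sample_id, ("behavior", "shadow_copy_deletion")
    if event == "file_write" and detail.endswith(".locked"):
        yield sample_id, ("behavior", "encrypt_user_files")


def reduce_features(pairs):
    """Reduce: group every (kind, value) by sample_id into one feature record."""
    features = defaultdict(lambda: defaultdict(set))
    for sample_id, (kind, value) in pairs:
        features[sample_id][kind].add(value)
    return features


def analyze(logs: str):
    """S130: feature information for every sample present in the logs."""
    return reduce_features(p for line in logs.splitlines() if line for p in map_line(line))


# Assumed preset rules: a sample is a threat sample when any rule fires.
RULES = {
    "persistence_plus_c2": lambda f: "autorun_persistence" in f["behavior"] and (f["ip"] or f["domain"]),
    "ransomware_like": lambda f: "shadow_copy_deletion" in f["behavior"] or "encrypt_user_files" in f["behavior"],
}


def is_threat(features) -> list:
    """S140: names of the rules that fired; an empty list means not a threat sample."""
    return [name for name, rule in RULES.items() if rule(features)]


def update_threat_db(threat_db: dict, logs: str) -> dict:
    """S150: put the feature information of confirmed threat samples into the
    threat database, merging into existing entries so repeated analyses update
    rather than overwrite what is already known."""
    for sample_id, feats in analyze(logs).items():
        fired = is_threat(feats)
        if not fired:
            continue
        entry = threat_db.setdefault(sample_id, {"rules": set(), "ip": set(), "domain": set(), "behavior": set()})
        entry["rules"].update(fired)
        for kind in ("ip", "domain", "behavior"):
            entry[kind].update(feats[kind])
    return threat_db


def select_for_push(threat_db: dict, kinds=("ip", "domain")) -> dict:
    """Daily push: feature information meeting the (assumed) push condition,
    here network indicators only, keyed by sample."""
    return {sid: {k: sorted(e[k]) for k in kinds if e[k]}
            for sid, e in threat_db.items() if any(e[k] for k in kinds)}


if __name__ == "__main__":
    db = update_threat_db({}, RUN_LOGS)
    for sid, entry in db.items():
        print(sid, sorted(entry["rules"]), sorted(entry["behavior"]))
    print("push:", select_for_push(db))
```

With the constructed logs, s1 (autorun persistence plus outbound network activity) and s3 (shadow-copy deletion and encrypted user files) are determined to be threat samples and enter the threat database, s2 is not, and only s1 has feature information meeting the assumed push condition.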
  • FIG. 3 shows a data flow diagram of a method of processing suspicious samples according to one embodiment of the present invention.
  • Clients distributed on different terminals collect suspicious samples from users and upload them to a Hadoop distributed cluster for storage; the MapReduce computing framework of the cluster de-duplicates, filters and structures the received samples in batches, and the samples to be processed are obtained as pending tasks.
  • The ElasticSearch distributed search engine is used for task distribution, and the tasks are distributed to the distributed sandbox to run.
  • The running log of each sample is taken as the result data and analyzed to obtain the feature information related to the sample, and a rule-based judgement determines whether the sample is a threat sample. If the sample is not a threat sample, it is decided whether it needs to be delivered to the sandbox again: if not, the sample is discarded; if so, it is re-delivered to the sandbox to run. If the sample is a threat sample, its feature information is structured and put into the threat database.
  • The feature information meeting the push condition is filtered out of the threat database and pushed to the corresponding data source as a basis for threat analysis, and the feedback result of the data source is received.
  • In this way the suspicious samples received from the data sources are detected to supplement and update the threat database; the updated feature information is pushed from the threat database to the data sources; the data sources, guided by the pushed feature information, intercept and record suspicious samples more accurately and upload them; and their feedback results flow back to the threat database. This forms a positive feedback loop that continuously expands and improves the threat data monitoring center constructed by the solution.
  • Through the threat database, the threat data monitoring center can manage complete feature information about all types of threat samples. The more complete and clear the feature information of the managed threat samples, the easier it is to find strategies for preventing and detecting them, and such strategies can be pushed promptly to the data sources to adjust the prevention and removal strategies of each data source uniformly, establishing a very strict security protection mechanism and protecting Internet information security at a higher level.
  • FIG. 4 shows a schematic diagram of an apparatus for processing suspicious samples according to one embodiment of the present invention. The suspicious sample processing apparatus 400 includes:
  • the sample receiving unit 410, adapted to receive a suspicious sample data stream from the data source, the stream including a plurality of suspicious samples;
  • the run processing unit 420, adapted to deliver each received suspicious sample to the sandbox for running and obtain the corresponding running log;
  • the result analyzing unit 430, adapted to analyze the running log of a sample, obtain the feature information related to the sample, and determine according to that feature information and the preset rule whether the sample is a threat sample;
  • the sample processing unit 440, adapted to put the feature information related to each sample determined to be a threat sample into the threat database.
  • The apparatus shown in FIG. 4 delivers the suspicious samples received from the data source into the sandbox, records each sample's running process in the sandbox in a running log, and analyzes that log to learn the feature information related to the sample; it can then clearly determine whether the sample is a genuine threat sample, and it puts all relevant feature information of threat samples into the threat database as a supplement to, and an update of, the known threat data, forming a threat data monitoring center with positive feedback and the beneficial effects described above.
  • The data source comprises clients distributed over different terminals and/or a third-party security detection platform.
  • The clients upload suspicious samples to the distributed cluster for storage, and the sample receiving unit 410 is adapted to read the client-uploaded samples from the distributed cluster.
  • The run processing unit 420 is further adapted to screen the received samples before they are run in the sandbox, and then to put the screened samples into the sandbox to run and obtain the running log of each.
  • The run processing unit 420 is adapted to de-duplicate the received samples, calculate the priority of each de-duplicated sample according to its associated information and the preset policy, and select the samples whose priority is above a first preset threshold; the associated information of a sample includes one or more of: utilization information, domain name information, web address (URL) information, IP information, and pattern (schema) information.
  • The run processing unit 420 is further adapted to structure the received samples before screening them, so that their data structures are unified.
  • The run processing unit 420 is adapted to perform distribution scheduling on the received samples and distribute each of them into the distributed sandbox system, so that the samples run in parallel there and a running log is obtained for each.
  • The result analyzing unit 430 is adapted to synchronize the running logs into the distributed cluster for storage and to use the cluster's computing framework to analyze the logs in batches, obtaining the feature information related to each sample.
  • The feature information related to a sample includes static feature information and/or behavioral feature information of the sample.
  • The result analyzing unit 430 is further adapted, after obtaining the feature information of a sample, to structure that feature information so that it has a unified data structure.
  • The sample processing unit 440 is adapted to update the existing data in the threat database according to the feature information of the samples determined to be threat samples.
  • The sample processing unit 440 is further adapted, at each preset time interval, to select from the threat database the feature information, meeting a preset condition, of specified samples, and to push information containing that feature information to the data sources, so that each data source can judge suspicious samples according to the pushed information.
  • The sample processing unit 440 is further adapted to receive feedback information from each data source; the feedback information is the event log ("ticker log") generated by the data source while judging suspicious samples according to the pushed information.
  • The embodiment of the apparatus shown in FIG. 4 corresponds to the method embodiments described above with reference to FIG. 1 to FIG. 3, which have been described in detail; the details are not repeated here.
  • In summary, the technical solution of the present invention delivers the suspicious samples received from a data source into a sandbox, records the running process of each sample in the sandbox in a running log, analyzes that log to obtain the feature information related to the sample, clearly determines on that basis whether the sample is a genuine threat sample, and puts all relevant feature information of threat samples into the threat database as a supplement to, and an update of, the known threat data.
  • This forms a threat data monitoring center with positive feedback, with the beneficial effects already described: a stable supply of suspicious samples from the data sources; complete recording of each sample's running trajectories in the sandbox, from which more comprehensive information about the sample is obtained; continuous, iterative supplementing of the threat database with the comprehensive feature information of confirmed threat samples; and steadily accumulating quantity, variety and accuracy of threat data, providing increasingly strong support for subsequent information security protection based on the database.
  • The modules in the apparatus of the embodiments can be adaptively changed and placed in one or more apparatuses different from those of the embodiments.
  • The modules, units or components of the embodiments may be combined into one module, unit or component, and may further be divided into a plurality of sub-modules, sub-units or sub-components.
  • All of the features disclosed in this specification (including the accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be combined in any combination.
  • Each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
  • The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two.
  • In practice, a microprocessor or digital signal processor may be used to implement some or all of the functionality of some or all of the components of the suspicious sample processing apparatus according to embodiments of the present invention.
  • The invention can also be implemented as a device or apparatus program (e.g., a computer program or computer program product) for performing some or all of the methods described herein.
  • A program implementing the invention may be stored on a computer readable medium or may take the form of one or more signals; such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • FIG. 5 shows a block diagram of a computing device for performing the method according to the present invention.
  • The computing device conventionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520.
  • The memory 520 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read-Only Memory), an EPROM, a hard disk, or a ROM.
  • The memory 520 has a storage space 530 holding program code 531 for performing any of the method steps described above.
  • The storage space 530 may store separate pieces of program code 531 for implementing the various steps of the above method.
  • The program code can be read from or written to one or more computer program products, which include program code carriers such as hard disks, compact discs (CDs), memory cards or floppy disks.
  • Such computer program products are typically portable or fixed storage units such as the one shown in FIG. 6.
  • The storage unit may have storage segments, storage spaces and the like arranged similarly to the memory 520 in the computing device of FIG. 5.
  • The program code can, for example, be compressed in an appropriate form.
  • The storage unit stores computer readable program code 531' for performing the steps of the method according to the present invention, i.e. code readable by a processor such as processor 510; when the program code is run by the computing device, the computing device performs the various steps of the methods described above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention relates to a method and device for processing suspicious samples. The method comprises: receiving a suspicious sample data stream from a data source, the suspicious sample data stream comprising a plurality of suspicious samples (S110); placing the received suspicious samples in a sandbox for execution so as to obtain execution logs corresponding to the suspicious samples (S120); analysing the execution logs corresponding to the suspicious samples to obtain feature information about the suspicious samples (S130); determining, according to the feature information about the suspicious samples and a predefined rule, whether the suspicious samples are threat samples (S140); and placing, in a threat database, the feature information about the suspicious samples determined to be threat samples (S150). It is thus possible to form a threat data monitoring centre with positive feedback. Suspicious samples are executed using a sandbox as a virtual carrier, and the feature information about the suspicious samples can be obtained in full. The complete feature information about the suspicious samples is used to continuously supplement and update a threat database by closed-loop iteration, and the continuous accumulation of the threat database provides strong support for subsequent information security protection.
PCT/CN2017/099910 2016-11-24 2017-08-31 Method and device for processing suspicious samples WO2018095099A1 (fr)
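The steps S110 to S150 of the abstract, worked through as an added example (this is not code from the patent or from its assignee). The sandbox log format, event names, file paths, addresses, rule weights and threshold are all constructed for illustration; the "sandbox" is represented only by its already-produced execution logs. The point the example makes beyond the abstract is the positive-feedback loop: a sample whose behaviour alone falls below the rule threshold is still flagged once one of its concrete indicators has been stored in the threat database by an earlier verdict.

```python
"""Closed-loop triage of sandbox execution logs.

Added example, not code from the patent: it mirrors steps S110-S150 of the
abstract with a constructed log format and hand-written rules. The event
names, paths, addresses, weights and threshold are made up for illustration.
"""

# Constructed sandbox execution logs (the S120 output), one list per sample.
# Each line is "<event_type> <detail>"; this format is an assumption.
SAMPLE_LOGS = {
    "sample_a.exe": [
        "file_write C:\\Users\\victim\\AppData\\Roaming\\svc.exe",
        "reg_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
        "net_connect 203.0.113.7:4444",
        "proc_create C:\\Windows\\System32\\cmd.exe",
    ],
    "sample_b.exe": [
        "file_write C:\\Users\\victim\\Documents\\report.docx",
        "net_connect 198.51.100.10:443",
    ],
    "sample_c.exe": [
        "file_write C:\\Users\\victim\\AppData\\Roaming\\svc.exe",
        "net_connect 203.0.113.7:4444",
    ],
}

# Predefined rule (S140): weights for behaviour classes, a bonus for every
# concrete indicator already present in the threat database, and a threshold.
BEHAVIOUR_WEIGHTS = {"drops_exe": 2, "persistence": 2, "net_out": 1, "spawn_shell": 1}
KNOWN_INDICATOR_WEIGHT = 2
THRESHOLD = 4


def extract_features(log_lines):
    """S130: reduce raw execution log lines to a set of feature tags."""
    features = set()
    for line in log_lines:
        event, _, detail = line.partition(" ")
        d = detail.lower()
        if event == "file_write" and d.endswith((".exe", ".dll", ".scr")):
            features.add("drops_exe")
        elif event == "reg_set" and "\\currentversion\\run\\" in d:
            features.add("persistence")
        elif event == "net_connect":
            features.add("net_out")
            features.add("c2:" + detail)  # concrete indicator worth sharing
        elif event == "proc_create" and d.endswith(("\\cmd.exe", "\\powershell.exe")):
            features.add("spawn_shell")
    return features


def threat_score(features, threat_db):
    """Rule score: behaviour weights plus a bonus per indicator already in the DB."""
    score = sum(BEHAVIOUR_WEIGHTS.get(f, 0) for f in features)
    known = [f for f in features if f.startswith("c2:") and f in threat_db]
    return score + KNOWN_INDICATOR_WEIGHT * len(known)


def is_threat(features, threat_db):
    """S140: apply the predefined rule to one sample's feature information."""
    return threat_score(features, threat_db) >= THRESHOLD


def process_stream(sample_logs, threat_db):
    """S110-S150 for a stream of samples; returns {sample_id: verdict}.

    threat_db maps a feature tag to the set of sample ids that exhibited it
    and is updated in place, so later samples see earlier verdicts: this is
    the positive-feedback loop the abstract describes.
    """
    verdicts = {}
    for sample_id, lines in sample_logs.items():
        features = extract_features(lines)
        threat = is_threat(features, threat_db)
        verdicts[sample_id] = threat
        if threat:  # S150: store the feature information of threat samples
            for f in features:
                threat_db.setdefault(f, set()).add(sample_id)
    return verdicts


if __name__ == "__main__":
    db = {}
    for sample, verdict in process_stream(SAMPLE_LOGS, db).items():
        print(f"{sample}: {'THREAT' if verdict else 'clean'}")
    print("indicators now in threat DB:", sorted(k for k in db if k.startswith("c2:")))
```

Run in the order above, sample_a is flagged on behaviour alone and its C2 address enters the database, so sample_c (an executable drop plus the same C2 address, scoring 3 on its own) is also flagged; processed against an empty database, sample_c stays below the threshold. That order dependence is the loop working as intended, but it also means a false positive written to the database lowers the bar for everything that shares an indicator with it, so the S150 write deserves the same scrutiny as the S140 rule.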

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611045688.0 2016-11-24
CN201611045688.0A CN106709326A (zh) 2016-11-24 2016-11-24 Method and device for processing suspicious samples

Publications (1)

Publication Number Publication Date
WO2018095099A1 true WO2018095099A1 (fr) 2018-05-31

Family

ID=58934765

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/099910 WO2018095099A1 (fr) 2016-11-24 2017-08-31 Method and device for processing suspicious samples

Country Status (2)

Country Link
CN (1) CN106709326A (fr)
WO (1) WO2018095099A1 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106709326A (zh) * 2016-11-24 2017-05-24 北京奇虎科技有限公司 Method and device for processing suspicious samples
CN107506641A (zh) * 2017-09-30 2017-12-22 北京奇虎科技有限公司 Sandbox management method and apparatus, computing device, storage medium
CN108718293A (zh) * 2018-04-08 2018-10-30 安徽展航信息科技发展有限公司 Information security and network security laboratory system
CN112597494A (zh) * 2020-12-21 2021-04-02 成都安思科技有限公司 Method for automatically collecting a behaviour whitelist for malicious program detection
CN112632529A (zh) * 2020-12-23 2021-04-09 北京鸿腾智能科技有限公司 Vulnerability identification method, device, storage medium and apparatus

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103839003A (zh) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN105205397A (zh) * 2015-10-13 2015-12-30 北京奇虎科技有限公司 Malicious program sample classification method and device
CN105718798A (zh) * 2015-08-18 2016-06-29 哈尔滨安天科技股份有限公司 Automatic malicious code analysis method and system based on private network information amplification
CN105743877A (zh) * 2015-11-02 2016-07-06 哈尔滨安天科技股份有限公司 Network security threat intelligence processing method and system
CN106130966A (zh) * 2016-06-20 2016-11-16 北京奇虎科技有限公司 Vulnerability mining detection method, server, apparatus and system
CN106709326A (zh) * 2016-11-24 2017-05-24 北京奇虎科技有限公司 Method and device for processing suspicious samples

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112580036A (zh) * 2019-09-30 2021-03-30 奇安信安全技术(珠海)有限公司 Virus defence optimization method and apparatus, storage medium, and computer device
CN112580036B (zh) * 2019-09-30 2024-01-30 奇安信安全技术(珠海)有限公司 Virus defence optimization method and apparatus, storage medium, and computer device

Also Published As

Publication number Publication date
CN106709326A (zh) 2017-05-24

Similar Documents

Publication Publication Date Title
WO2018095099A1 (fr) Method and device for processing suspicious samples
US10805347B2 (en) Systems and methods of detecting email-based attacks through machine learning
US11675915B2 (en) Protecting data based on a sensitivity level for the data
Moustafa et al. Anomaly detection system using beta mixture models and outlier detection
US10437996B1 (en) Classifying software modules utilizing similarity-based queries
EP4270875A2 (fr) Detection and repair of security weakness and infiltration in obfuscated website content
US11301578B2 (en) Protecting data based on a sensitivity level for the data
US20190188381A9 (en) Machine learning model for malware dynamic analysis
US20230328080A1 (en) Systems and methods of malware detection
Wang et al. Capturing ddos attack dynamics behind the scenes
US20130054477A1 (en) System to identify multiple copyright infringements
Shukla et al. SDDA-IoT: storm-based distributed detection approach for IoT network traffic-based DDoS attacks
US10248789B2 (en) File clustering using filters working over file attributes
Liu et al. A research and analysis method of open source threat intelligence data
WO2021071696A1 (fr) Automatic triage of network data loss prevention incident events
EP3361405B1 (fr) Improvement of an intrusion detection system
CN115604032A (zh) Complex multi-step attack detection method and system for power systems
Al Fahdi et al. Towards an automated forensic examiner (AFE) based upon criminal profiling & artificial intelligence
Alnajjar et al. The Enhanced Forensic Examination and Analysis for Mobile Cloud Platform by Applying Data Mining Methods.
Kim et al. Abnormal behavior detection technique based on big data
Whitham Towards a set of metrics to guide the generation of fake computer file systems
Popescu et al. A practical approach for clustering large data flows of malicious URLs
US12003515B2 (en) Systems and method of cyber-monitoring which utilizes a knowledge database
Limprasert et al. Anomaly Detection on Real-Time Security Log Using Stream Processing
Du Alleviating the Digital Forensic Backlog: A Methodology for Automated Digital Evidence Processing

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 17873857

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry into the European phase

Ref document number: 17873857

Country of ref document: EP

Kind code of ref document: A1