An Escape Detection Method Based on Sandbox Virtual Machine

A virtual machine escape detection method, classified under platform integrity maintenance and related fields, that addresses problems such as missed detection of malicious files and the resulting harm to the network environment.

Active Publication Date: 2020-06-23
HANGZHOU ANHENG INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

In other words, judging a file to be malicious on the basis of malicious behaviour presupposes that the malicious behaviour is actually exhibited. If the malicious file detects that it is running in a sandbox virtual machine, it withholds its malicious behaviour and is judged safe, so some advanced malicious files are missed and go on to harm the network environment.


Embodiment Construction

[0033] The present invention will be described in further detail below in conjunction with the examples, but the protection scope of the present invention is not limited thereto.

[0034] The invention relates to an escape detection method based on a sandbox virtual machine, which uses a monitoring program together with a comprehensive analysis method to analyze and judge suspicious files. The purpose of the monitoring program is to monitor the process of the target suspicious file and record its behaviours, such as the operating system APIs it calls and the corresponding parameters. The comprehensive analysis method then judges, from the recorded behaviours, whether the suspicious file exhibits sandbox virtual machine escape behaviour.

[0035] The method includes the following steps.

[0036] Step 1: Put the file to be detected into the sandbox virtual machine.

[0037] In the present invention, if the file to be detected is malicious software, there may be behaviors of judging whe...


Abstract

The invention relates to an escape detection method based on a sandbox virtual machine. A file to be detected is put into the sandbox virtual machine and run or started in suspended mode, generating a process; a monitoring program is injected into the process, the process then runs normally, and the monitoring program records the actions of the process. When the process finishes running or the preset time expires, the process is stopped and the recorded actions are analyzed. If the recorded actions include no malicious action, it is judged whether the file to be detected has spontaneously checked for the presence of the sandbox virtual machine; from this it is judged whether sandbox virtual machine escape behaviour exists, and a malicious file exhibiting sandbox virtual machine escape behaviour is alarmed. According to the escape detection method, a suspicious file that executes a sandbox-checking action but does not execute a malicious action can still be judged for sandbox virtual machine escape behaviour through the checking action it executed. This provides a reference for judging whether the suspicious file is a dangerous file, so that malicious files can be judged more accurately and comprehensively.
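The "comprehensive analysis" step described above turns a recorded API trace into a verdict: a malicious action means the file is malicious, while a trace that contains sandbox-presence checks but no malicious action is flagged as evasive rather than cleared as safe. The following Python is an added illustration and is not the patent's code: the rule set (which APIs and argument patterns count as sandbox checks or as malicious actions), the `ApiCall` record format and the three sample traces are all constructed assumptions chosen to show the decision logic, not a production signature set.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ApiCall:
    """One entry as recorded by the injected monitoring program (constructed format)."""
    api: str
    args: tuple = ()

# --- constructed rule set (assumptions for illustration, not from the patent) ---

# Strings that, when a process looks for them in registry keys, file or device
# names, suggest it is checking whether it runs inside a VM or sandbox.
VM_ARTIFACT = re.compile(r"vmware|vbox|virtualbox|qemu|hyper-?v|sandbox", re.IGNORECASE)

# APIs whose use, with any arguments, the toy analyzer treats as an environment probe.
PROBE_APIS = {"IsDebuggerPresent", "GetTickCount", "GlobalMemoryStatusEx"}

# APIs that the toy analyzer treats as malicious actions; a value of None means any
# use counts, a regex means only calls whose arguments match it count.
MALICIOUS_MARKERS = {
    "CreateRemoteThread": None,
    "WriteProcessMemory": None,
    # persistence via a Run key is the constructed example of a malicious action
    "RegSetValueExW": re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE),
}

def classify(call: ApiCall) -> Optional[str]:
    """Return 'malicious', 'sandbox_check' or None for one recorded call."""
    joined = " ".join(str(a) for a in call.args)
    if call.api in MALICIOUS_MARKERS:
        pattern = MALICIOUS_MARKERS[call.api]
        if pattern is None or pattern.search(joined):
            return "malicious"
    if call.api in PROBE_APIS or VM_ARTIFACT.search(joined):
        return "sandbox_check"
    return None

def analyze(trace: list) -> dict:
    """Apply the decision logic of the abstract to a whole recorded trace."""
    counts = {"sandbox_check": 0, "malicious": 0}
    evidence = []
    for call in trace:
        category = classify(call)
        if category is not None:
            counts[category] += 1
            evidence.append((category, call.api, call.args))
    if counts["malicious"]:
        verdict = "malicious"          # malicious action observed
    elif counts["sandbox_check"]:
        verdict = "evasive"            # checked for the sandbox, then stayed quiet
    else:
        verdict = "no_finding"         # neither behaviour recorded
    return {"verdict": verdict, "counts": counts, "evidence": evidence}

# --- constructed sample traces, as the monitoring program might record them ---

EVASIVE_TRACE = [
    ApiCall("RegOpenKeyExW", ("HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",)),
    ApiCall("IsDebuggerPresent"),
    ApiCall("ExitProcess", (0,)),      # exits without doing anything harmful
]

MALICIOUS_TRACE = [
    ApiCall("GetTickCount"),
    ApiCall("RegSetValueExW", ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
                               "C:\\Users\\demo\\u.exe")),
]

BENIGN_TRACE = [
    ApiCall("CreateFileW", ("C:\\Users\\demo\\report.txt",)),
    ApiCall("WriteFile", (42,)),
]

if __name__ == "__main__":
    for name, trace in [("evasive", EVASIVE_TRACE), ("malicious", MALICIOUS_TRACE),
                        ("benign", BENIGN_TRACE)]:
        result = analyze(trace)
        print(f"{name:9s} -> {result['verdict']:10s} {result['counts']}")
```

The point of the `evasive` verdict is the one the abstract makes: a trace whose only notable content is a VM-presence check is not evidence of safety, so the analyst treats it as a separate alert class rather than folding it into "no finding". In practice the rule tables would be far larger and the trace would include timing (the preset time cut-off), but the decision structure stays the same.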

Description

Technical field

[0001] The present invention relates to the technical field of security devices for protecting computers, their components, programs or data from unauthorized actions, and in particular to an escape detection method based on a sandbox virtual machine, which not only judges whether a suspicious file is harmful from its malicious behaviour, but also detects whether the suspicious file checks for the presence of the sandbox before performing malicious operations, that is, whether it may potentially perform sandbox escape.

Background technique

[0002] The advent of the Internet era has brought convenience to people's life, work and study, but it is accompanied by increasingly serious network security issues. More and more malicious software is rampant on the Internet, posing hidden dangers to people's life, work and study, and major security vendors are seeking better malicious file detection methods.

[0003] Judging malicious files based on malicious behavior analysis mu...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/55, G06F21/53
Inventor 孙立范渊李凯
Owner HANGZHOU ANHENG INFORMATION TECH CO LTD