Abstract
This paper studies sandbox-based detection of malicious files and APT attacks and proposes a lightweight multi-source fusion detection method. The method combines virtual machine technology with a kernel driver to implement lightweight containers, so that multiple suspicious files can be analysed concurrently in a single virtual machine without interfering with one another, which speeds up detection; strengthened countermeasures against sandbox evasion and escape raise the detection rate. The method also captures and analyses network traffic to identify suspicious C&C IP addresses and URLs, and performs in-depth, multi-dimensional analysis based on the behavioural characteristics of each stage of an APT attack. Test results show that the method substantially increases both the speed and the proportion of malicious files detected, and effectively reduces the false-positive rate of the results.
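The abstract describes three ideas that fit together: per-sample isolation inside one VM, matching of observed network destinations against C&C indicators, and fusion of behaviours across APT stages so that no single dimension decides the verdict. The Python sketch below is an added illustration of that fusion logic and is not code from the paper, whose implementation is not published here. Everything in it is assumed: the container-tagged event records, the indicator values (a TEST-NET-3 address and a reserved `.invalid` host), the behaviour-to-stage mapping, the weights and the thresholds.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed C&C indicators: a TEST-NET-3 address and a reserved .invalid
# host name, so nothing here points at a real system.
CC_IPS = {"203.0.113.45"}
CC_HOSTS = {"update-check.invalid"}

# Hypothetical mapping from a sandbox behaviour type to the APT stage it
# evidences and a weight. The paper does not publish its mapping or weights.
STAGE_WEIGHTS = {
    "macro_exec":  ("initial_access", 1),
    "drop_exe":    ("execution", 1),
    "autorun_key": ("persistence", 2),
    "vm_probe":    ("sandbox_evasion", 1),   # anti-sandbox check observed
    "cc_contact":  ("command_and_control", 3),
    "smb_scan":    ("lateral_movement", 2),
    "bulk_upload": ("exfiltration", 3),
}
SCORE_THRESHOLD = 4   # hypothetical fusion threshold
MIN_STAGES = 2        # require evidence from two stages before calling malicious

# Constructed sandbox event records. Three samples run in the same VM, each in
# its own container; "container" is the isolation key that keeps them apart.
EVENTS = [
    {"container": "c1", "sample": "invoice.docm", "type": "macro_exec"},
    {"container": "c1", "sample": "invoice.docm", "type": "drop_exe"},
    {"container": "c1", "sample": "invoice.docm", "type": "vm_probe"},
    {"container": "c1", "sample": "invoice.docm", "type": "autorun_key"},
    {"container": "c1", "sample": "invoice.docm", "type": "net_connect",
     "dst": "http://update-check.invalid/gate.php"},
    {"container": "c2", "sample": "report.pdf", "type": "net_connect",
     "dst": "198.51.100.10"},
    {"container": "c3", "sample": "setup.exe", "type": "net_connect",
     "dst": "203.0.113.45"},
]


def is_cc_destination(dst):
    """True if an IP, host name or URL matches the C&C indicator sets."""
    host = dst
    if "://" in dst:
        host = urlparse(dst).hostname or ""
    return host in CC_IPS or host in CC_HOSTS


def classify(event):
    """Map a raw event to a behaviour type; only IOC-matching connections count."""
    if event["type"] == "net_connect":
        return "cc_contact" if is_cc_destination(event["dst"]) else None
    return event["type"] if event["type"] in STAGE_WEIGHTS else None


def analyze(events):
    """Fuse each container's events into a per-sample score, stage list and verdict."""
    by_container = defaultdict(list)
    for ev in events:
        by_container[ev["container"]].append(ev)

    results = {}
    for evs in by_container.values():
        sample = evs[0]["sample"]
        stage_scores = {}
        for ev in evs:
            behaviour = classify(ev)
            if behaviour is None:
                continue
            stage, weight = STAGE_WEIGHTS[behaviour]
            # Credit each stage once; a hundred beacons are still one C2 stage.
            stage_scores[stage] = max(stage_scores.get(stage, 0), weight)
        score = sum(stage_scores.values())
        if score >= SCORE_THRESHOLD and len(stage_scores) >= MIN_STAGES:
            verdict = "malicious"
        elif stage_scores:
            verdict = "suspicious"
        else:
            verdict = "clean"
        results[sample] = {"score": score,
                           "stages": sorted(stage_scores),
                           "verdict": verdict}
    return results


if __name__ == "__main__":
    for sample, r in analyze(EVENTS).items():
        print(f"{sample:14} {r['verdict']:10} score={r['score']} stages={r['stages']}")
```

Grouping by the container key is what makes concurrent analysis in one VM safe: `setup.exe`'s C&C hit never leaks into `report.pdf`'s verdict even though both ran on the same guest. The `MIN_STAGES` rule is the false-positive lever the abstract alludes to: a single IOC match (`setup.exe`) is reported as suspicious for an analyst, while only a sample showing behaviour across several stages (`invoice.docm`: macro execution, a dropped binary, a persistence key, an anti-sandbox probe and a C&C contact) is called malicious outright.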
Authors
ZHANG Weiwu (张威武), ZHU Jiang (朱江), MA Zhengwei (马峥巍), WANG Pan (王攀), ZHAO Kang (赵康)
Affiliations: Hangzhou Public Security Bureau, Hangzhou 310002, China; Hangzhou Anheng Information Technology Co., Ltd., Hangzhou 310051, China
Source
Technology of IoT & AI (《智能物联技术》), 2022, No. 5, pp. 23-31 and 42 (10 pages)
Keywords
sandbox technology; malicious files; APT attack detection; sandbox escape and evasion countermeasures; IoT; information security