CN103235918A - Method and system for collecting trusted file - Google Patents


Info

Publication number: CN103235918A
Authority: CN (China)
Prior art keywords: digital signature, file, credible, database, signature
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN2013101359002A
Other languages: Chinese (zh)
Other versions: CN103235918B (en)
Inventors: 卢加磊, 张彦功
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201310135900.2A (granted as CN103235918B)
Publication of CN103235918A; application granted; publication of CN103235918B
Legal status: Active

Abstract

The invention relates to the technical field of network communication and discloses a method and a system for collecting a trusted file. The method for collecting the trusted file comprises the steps of obtaining a digital signature of a sample file; determining whether the digital signature is trusted or not; and when the digital signature is determined to be trusted, collecting the sample file into a preset trusted file database. According to the method and the system for collecting the trusted file, the trusted file is collected through obtaining of the digital signature of the sample file and judgment of the credibility of the digital signature. Thus, the problem that the trusted file is not collected timely and the collection lags due to the fact that a large number of sample files are required to be used when credible feature codes are generated through training at the early stage and the training process is time-consuming in the prior art can be solved.

Description

Method and system for collecting trusted files
Technical field
The present invention relates to the technical field of network communications, and specifically to a method and system for collecting trusted files.
Background technology
In "cloud security" systems, collecting trusted files has always been a difficult problem: on the one hand, the mainstream trusted files should be collected as comprehensively as possible; on the other hand, untrusted files must not be collected by mistake. To some extent these two goals are in conflict.
At present, traditional trusted-file collection generally uses feature-code matching to decide whether a file is trusted. In this approach, sample training must first be performed on a large number of trusted files so that trusted feature codes are learned; then, in the subsequent collection process, whether a file to be collected is trusted is judged by whether its feature code belongs to the trusted feature codes produced above.
However, this approach needs a large number of sample files when the trusted feature codes are produced by training in the early stage, and the training process is rather time-consuming, so collection is untimely and lags behind.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method and system for collecting trusted files that overcome, or at least partly solve, the problems described above.
According to one aspect of the present invention, a method for collecting trusted files is provided, comprising: obtaining the digital signature of a sample file; determining whether the digital signature is trusted; and, when the digital signature is determined to be trusted, collecting the sample file into a preset trusted file database.
Optionally, determining whether the digital signature is trusted specifically comprises: judging whether the digital signature is already stored in a preset credible signature database; if so, determining that the digital signature is trusted.
Optionally, if the judgment is negative, the method further comprises: determining whether the digital signature is trusted according to preset judgment rules, and, when it is determined to be trusted according to those rules, further storing the digital signature in the preset credible signature database.
Optionally, the preset judgment rules comprise one or more of the following: judging, from the company name or issuer name contained in the digital signature, whether the digital signature belongs to a legitimate company; judging, against a preset hostile signature database, whether any malicious sample exists among the historical samples signed with the digital signature, where the preset hostile signature database stores digital signatures that have signed malicious samples; whether the digital signature is within its validity period; and whether the similarity between the digital signature and a digital signature already stored in the credible signature database is greater than a predetermined threshold.
Optionally, after collecting the sample file into the preset trusted file database, the method further comprises: calling an antivirus engine to periodically scan the files in the trusted file database; when the scan finds a suspicious file in the trusted file database, analyzing whether the suspicious file is a malicious file; and, if it is, deleting the digital signature of the malicious file from the credible signature database and further analyzing whether all sample files in the trusted file database that were signed with that digital signature are malicious files.
Optionally, after collecting the sample file into the preset trusted file database, the method further comprises: when the signing certificate of a digital signature in the credible signature database is determined to have become invalid, or the key of the digital signature is determined to have leaked, deleting the digital signature from the credible signature database and further analyzing whether all sample files in the trusted file database signed with that digital signature are malicious files.
According to another aspect of the present invention, a system for collecting trusted files is provided, comprising: an acquisition module adapted to obtain the digital signature of a sample file; a determination module adapted to determine whether the digital signature is trusted; and a collection module adapted to collect the sample file into a preset trusted file database when the digital signature is determined to be trusted.
Optionally, the determination module is adapted to judge whether the digital signature is already stored in a preset credible signature database and, if so, to determine that the digital signature is trusted.
Optionally, if the judgment is negative, the determination module is further adapted to determine whether the digital signature is trusted according to preset judgment rules and, when it is determined to be trusted according to those rules, to further store the digital signature in the preset credible signature database.
Optionally, the preset judgment rules comprise one or more of the following: judging, from the company name or issuer name contained in the digital signature, whether the digital signature belongs to a legitimate company; judging, against a preset hostile signature database, whether any malicious sample exists among the historical samples signed with the digital signature, where the preset hostile signature database stores digital signatures that have signed malicious samples; whether the digital signature is within its validity period; and whether the similarity between the digital signature and a digital signature already stored in the credible signature database is greater than a predetermined threshold.
Optionally, the system further comprises: a scanning module adapted to call an antivirus engine to periodically scan the files in the trusted file database; an analysis module adapted to analyze whether a suspicious file is a malicious file when the scanning module finds one in the trusted file database; and a network background module adapted, when the suspicious file is a malicious file, to delete the digital signature of the malicious file from the credible signature database and to further analyze whether all sample files in the trusted file database signed with that digital signature are malicious files.
Optionally, the network background module is further adapted to: when the signing certificate of a digital signature in the credible signature database is determined to have become invalid, or the key of the digital signature is determined to have leaked, delete the digital signature from the credible signature database and further analyze whether all sample files in the trusted file database signed with that digital signature are malicious files.
According to the method and system for collecting trusted files of the present invention, trusted files are collected by obtaining the digital signature of the sample file and judging whether that digital signature is trusted. This solves the prior-art problem that a large number of sample files are needed when trusted feature codes are produced by training in the early stage, and that the training process is time-consuming, so that collection is untimely and lags behind: trusted files can instead be collected directly according to their digital signatures, which improves collection efficiency.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be understood more clearly and implemented according to the contents of the specification, and that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Description of drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of showing the preferred embodiments and are not to be considered limiting of the present invention. Throughout the drawings, identical reference symbols denote identical parts. In the drawings:
Fig. 1 shows a flow chart of the method for collecting trusted files provided by an embodiment of the invention; and
Fig. 2 shows a structural diagram of the system for collecting trusted files provided by an embodiment of the invention.
Embodiment
Exemplary embodiments of the present disclosure are described below in more detail with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of the method for collecting trusted files provided by an embodiment of the invention. As shown in Fig. 1, the method starts at step S110, in which the digital signature of a sample file is obtained.
The sample file mentioned here is a file to be collected that is obtained by means such as downloading. After the sample file is obtained, the digital signature contained in it is obtained. Here a "digital signature" is an electronic security mark attached to a file; it can be used to authenticate the publisher of the file and to help verify that the file has not been altered since it was signed. Software released by legitimate software vendors generally carries the vendor's own digital signature. Specifically, the digital signature contained in the sample file can be obtained by calling the WinVerifyTrust API provided by Windows.
After the digital signature of the sample file has been obtained in step S110, step S120 further determines whether the digital signature obtained in step S110 is trusted. Specifically, determining in step S120 whether the digital signature is trusted is mainly done by judging whether the digital signature is already stored in a preset credible signature database; if the digital signature is judged to be stored in the preset credible signature database, the digital signature is determined to be trusted.
The preset credible signature database is used to store trusted digital signatures. In embodiments of the present invention, this credible signature database can be created dynamically during execution of the trusted-file collection method. Because the credible signature database is created dynamically, before the first sample file is processed by step S120 the database holds no credible signatures, and so the digital signature of the first sample file processed in step S120 cannot yet be stored in it.
Correspondingly, when the digital signature is judged not to be stored in the credible signature database, the following steps are further performed: determine according to preset judgment rules whether the digital signature is trusted, and, when it is determined to be trusted according to the preset judgment rules, further store the digital signature in the credible signature database, thereby realizing the dynamic creation and updating of the credible signature database.
The preset judgment rules can comprise one or more of the following four rules:
(1) Judge, from the company name or issuer name contained in the digital signature, whether the digital signature belongs to a legitimate company.
When judging by this rule, the company name or issuer name contained in the digital signature must first be obtained. The company name is the name of the company that signed with the digital signature, for example Baidu or Tencent, and the issuer name is the name of the higher-level organization that issued the digital signature to the signing company. If the company name or issuer name contained in the digital signature is the name of a legitimate company, the digital signature can be determined to belong to a legitimate company and is therefore trusted; otherwise the digital signature is determined to be untrusted. Here "legitimate company" generally means a well-known company (for example Baidu, Tencent and so on); the names of these companies can be screened out in advance and stored in a list for use by this rule.
The basis for judging trustworthiness by this rule is that, in general, digital signatures issued by legitimate companies are trusted signatures obtained through regular channels.
(2) Judge, against a preset hostile signature database, whether any malicious sample exists among the historical samples signed with the digital signature, where the preset hostile signature database stores the digital signatures that have signed malicious samples.
When judging by this rule, a hostile signature database must be maintained in advance: whenever a malicious sample is found, the digital signature that signed it is stored in the hostile signature database, so that nearly all digital signatures that have signed malicious samples are recorded there. Thus, if the digital signature is found to belong to the hostile signature database, it can be determined that a malicious sample exists among the historical samples signed with this digital signature, and the digital signature is therefore untrusted; otherwise, the digital signature is trusted.
The basis for judging by this rule is that, in general, one digital signature signs a large number of sample files in succession; if a digital signature is found to have once signed a malicious sample (and is correspondingly stored in the hostile signature database), this indicates that the digital signature may have been misappropriated by an unauthorized person, so the sample files it signs subsequently are also very likely untrusted.
(3) Whether the digital signature is within its validity period.
When judging by this rule, the signing time contained in the digital signature and the validity period of the signing certificate must first be obtained. For example, the signing time is January 1, 2013 and the validity period is three months. If the current date is February 2, 2013, the digital signature is still within its validity period and is therefore determined to be trusted; if the current date is April 5, 2013, the digital signature is no longer within its validity period and is therefore determined to be untrusted.
The basis for judging by this rule is that, in general, a digital signature within its validity period is a legal digital signature, while a digital signature outside its validity period has expired or is even illegal.
(4) Whether the similarity between the digital signature and a digital signature already stored in the credible signature database is greater than a predetermined threshold.
When judging by this rule, the digital signature is compared for similarity with each digital signature already stored in the credible signature database. If the similarity between the digital signature and some stored digital signature is greater than the predetermined threshold, the digital signature can be inferred to be trusted; otherwise, it is inferred to be untrusted.
The basis for judging by this rule is that, in general, a certain similarity exists between multiple digital signatures from the same signing company or the same issuer; if one of these similar digital signatures has been confirmed as trusted, the remaining ones are likely trusted as well.
The four rules introduced above can be used separately or in combination. In addition, apart from these four rules, those skilled in the art can flexibly choose other rules to judge whether a digital signature is trusted.
Through the above approach, step S120 can determine whether the digital signature is trusted. In step S120 as introduced above, the credible signature database is created dynamically; therefore, when the first sample file is processed in step S120, no trusted digital signature is yet stored in the credible signature database, so whether the digital signature of the first sample file is trusted must be judged according to the preset judgment rules described above, and, when it is trusted, the digital signature is added to the credible signature database. Subsequent sample files are processed in the same way. In this manner, creating the credible signature database need not be carried out deliberately as a separate step; it suffices to add credible signatures dynamically during the determination process for each sample file, gradually completing the database, which saves the operation of creating the credible signature database separately.
However, in practice the credible signature database can also be created in advance as required, that is: trusted digital signatures are screened out in advance from a certain number of sample files and stored in the credible signature database. In this screening, the four rules introduced above can also be used. In this way, when the first sample file is processed in step S120, the judgment result can be obtained directly from the credible signature database. Although this approach requires the credible signature database to be created separately, the database can be used directly in step S120 without judging each sample file against the preset rules again, so it also has certain advantages.
Alternatively, the two approaches above can be combined: a certain number of trusted digital signatures are screened out in advance and the preliminary creation of the credible signature database is completed from them; then, in the subsequent step S120, if the digital signature is judged to belong to the credible signature database, it can be determined directly to be trusted; if it is judged not to belong to the credible signature database, judgment continues according to the preset judgment rules described above, and, when the digital signature is judged to be trusted, it is further added to the credible signature database. In this way the credible signature database can be used from the moment step S120 starts executing and can also be perfected during subsequent processing, so as to improve the accuracy of the judgment.
After step S120 is executed, in step S130, when the digital signature is determined to be trusted, the corresponding sample file is collected into the preset trusted file database. The basis for collecting trusted files in step S130 is that, in general, if the digital signature that signed a sample file is trusted, the sample file is also trusted.
Through the above approach, the collection of trusted files is realized. In this collection approach, trusted files are identified by their digital signatures; since one digital signature corresponds to a large number of files, a greater number of trusted files can easily be collected through digital signatures, so collection efficiency is greatly improved. In addition, because digital signatures are difficult to imitate and are inherently anti-counterfeiting, and because, as long as a legitimate vendor's digital signature is correct, the files it signs are usually also correct, collecting trusted files by digital signature also greatly improves the accuracy of collection, thereby guaranteeing the accuracy of the files collected in the trusted file database.
Further, in order to better guarantee the accuracy of the files collected in the trusted file database and avoid collecting untrusted files by mistake, the collection method can further include step S140 after step S130. In step S140, an antivirus engine is called to periodically scan the files in the trusted file database; when the scan finds a suspicious file in the trusted file database, whether the suspicious file is a malicious file is analyzed; if the suspicious file is a malicious file, the digital signature of the malicious file is deleted from the credible signature database, and it is further analyzed whether all sample files in the trusted file database that were signed with the digital signature of this malicious file are malicious files.
Calling an antivirus engine to periodically scan the files in the trusted file database can be realized with conventional antivirus software. When the antivirus software discovers a suspicious file by scanning, it usually prompts the user, for example with a pop-up window. Those skilled in the art can flexibly set the rules the antivirus software uses to determine suspicious files as required; the present invention does not limit this. After a suspicious file is found, it must be further analyzed whether it is a malicious file; specifically, this can be determined from the behavioral characteristics of the suspicious file. Common malicious files include Trojan horses and viruses, and the specific behavioral characteristics of these malicious files can be set according to their own properties. If a malicious file is indeed found in the trusted file database, the digital signature that signed this malicious file can be inferred to be untrusted; that digital signature is therefore deleted from the credible signature database, and can further be stored in the hostile signature database.
In addition, because this digital signature has been judged untrusted, the other sample files signed with it are also very likely untrusted (i.e. potential malicious files). For this, it can further be analyzed one by one whether all sample files in the trusted file database signed with this digital signature are malicious files, and any malicious file is deleted from the trusted file database so as to maintain the accuracy of the files collected in it. Alternatively, in order to delete these potential malicious files from the trusted file database as early as possible and so avoid the harm they could cause in time, all sample files in the trusted file database signed with this digital signature can first be deleted, and then judged one by one whether they are malicious files; those that are not malicious are then added back into the trusted file database.
Through the periodic scanning of step S140, the trusted file database is checked regularly so that untrusted files can be rejected. In addition, step S150 can also be included after step S130. In step S150, when the signing certificate of a digital signature in the credible signature database is determined to have become invalid, or the key of the digital signature is determined to have leaked, the digital signature is deleted from the credible signature database, and it is further analyzed whether all sample files in the trusted file database signed with this digital signature are malicious files.
Whether the signing certificate of a digital signature in the credible signature database has become invalid is determined mainly according to the certificate revocation list (CRL) published by the certificate authority. The certificate authority usually publishes a CRL regularly so that users learn in time which certificates have been revoked. If the signing certificate of a digital signature in the credible signature database is listed in the CRL, the signing certificate has become invalid, so the digital signature also becomes untrusted and must be deleted from the credible signature database; further, the digital signature can also be added to the hostile signature database.
Whether the key of a digital signature has leaked is determined mainly according to key-leak notices published online. When a legitimate software vendor discovers that its key has leaked, in order to prevent a third party from using the key to sign malicious files, it generally publishes a notice of the key leak online so that users learn of the situation in time. If the key of a digital signature in the credible signature database has been published online, the key of that digital signature has leaked, so the digital signature also becomes untrusted and must be deleted from the credible signature database; further, the digital signature can also be added to the hostile signature database.
Likewise, because this digital signature has been judged untrusted, the other sample files signed with it are also very likely untrusted (i.e. potential malicious files). For this, step S150 can further analyze one by one whether all sample files in the trusted file database signed with this digital signature are malicious files, and delete any malicious file from the trusted file database so as to maintain the accuracy of the files collected in it. Alternatively, in order to delete these potential malicious files from the trusted file database as early as possible and so avoid the harm they could cause in time, all sample files in the trusted file database signed with this digital signature can first be deleted, and then judged one by one whether they are malicious files; those that are not malicious are then added back into the trusted file database.
Through the processing of steps S140 and S150, the accuracy of the files collected in the trusted file database can be further improved, preventing untrusted files from being mixed in.
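The decision pipeline of steps S110 to S130 (database lookup, then the four judgment rules, with the credible signature database built up dynamically) together with the revocation handling of steps S140/S150, as an added example in Python; this is not code from the patent. The Signature fields, the matching-fraction similarity metric with its 0.4 threshold, the rule combination (rules 2 and 3 must pass, then rule 1 or rule 4 must hold), and the "delete all files first, re-add the cleared ones" strategy are assumptions, validity periods are given in days (the page's three months taken as 90 days), and all company names and file paths are constructed sample data.

```python
"""Trust decision and revocation for a trusted-file collector (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, Set


@dataclass(frozen=True)
class Signature:
    """Assumed minimal view of a file's digital signature: the fields the rules consult."""
    sig_id: str        # identifier of the signature (e.g. the signing certificate's thumbprint)
    company: str       # company name in the signature (the signer)
    issuer: str        # issuer name: who issued the signing certificate to the company
    signed_on: date    # signing time
    valid_days: int    # validity period of the signing certificate, in days


def similarity(a: Signature, b: Signature) -> float:
    """Assumed metric for rule (4): fraction of identity fields the two signatures share."""
    matches = (a.company == b.company) + (a.issuer == b.issuer)
    return matches / 2


class TrustStore:
    """Credible signature database, hostile signature database and trusted file database."""

    def __init__(self, legitimate_companies: Iterable[str], threshold: float = 0.4):
        self.legitimate = set(legitimate_companies)    # rule (1): pre-screened company list
        self.threshold = threshold                     # rule (4): predetermined threshold
        self.trusted_sigs: Dict[str, Signature] = {}   # credible signature database (starts empty)
        self.hostile_sigs: Set[str] = set()            # hostile signature database
        self.trusted_files: Dict[str, Set[str]] = {}   # trusted file database: sig_id -> paths

    def judge_by_rules(self, sig: Signature, today: date) -> bool:
        """Preset judgment rules. Assumed combination: the signature must pass rules (2)
        and (3), and then satisfy either rule (1) or rule (4)."""
        # Rule (2): a signature that has signed a malicious sample is untrusted.
        if sig.sig_id in self.hostile_sigs:
            return False
        # Rule (3): the signature must be within the validity period of its certificate.
        expires = sig.signed_on + timedelta(days=sig.valid_days)
        if not (sig.signed_on <= today <= expires):
            return False
        # Rule (1): company name or issuer name belongs to a known legitimate company.
        if sig.company in self.legitimate or sig.issuer in self.legitimate:
            return True
        # Rule (4): similar enough to a signature already in the credible signature database.
        return any(similarity(sig, t) > self.threshold for t in self.trusted_sigs.values())

    def is_trusted(self, sig: Signature, today: date) -> bool:
        """Step S120: database lookup first, then the rules; a rule hit grows the database."""
        if sig.sig_id in self.trusted_sigs:
            return True
        if self.judge_by_rules(sig, today):
            self.trusted_sigs[sig.sig_id] = sig
            return True
        return False

    def collect(self, path: str, sig: Signature, today: date) -> bool:
        """Steps S110-S130: collect the file only when its signature is trusted."""
        if not self.is_trusted(sig, today):
            return False
        self.trusted_files.setdefault(sig.sig_id, set()).add(path)
        return True

    def revoke(self, sig_id: str, is_malicious: Callable[[str], bool]) -> Set[str]:
        """Steps S140/S150: the signature signed a malicious file, its certificate was
        revoked (CRL) or its key leaked. Drop it from the credible database, record it as
        hostile, remove every file it signed at once, then re-add the files that per-file
        analysis clears. Returns the files that stay removed."""
        self.trusted_sigs.pop(sig_id, None)
        self.hostile_sigs.add(sig_id)
        pending = self.trusted_files.pop(sig_id, set())
        removed = {p for p in pending if is_malicious(p)}
        cleared = pending - removed
        if cleared:
            self.trusted_files[sig_id] = cleared
        return removed
```

Note that a signature already in the credible signature database short-circuits the rules, exactly as step S120 describes, so expiry and revocation are only re-checked through step S150 rather than on every lookup.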
In the embodiments of the invention, in order to identify trusted and untrusted digital signatures, a credible signature database and a hostile signature database are provided respectively. In practice, the credible signature database and the hostile signature database can also be merged into one database in which a rank is set separately for each digital signature; for example, the rank of a digital signature that would have been stored in the credible signature database is set to trusted, and the rank of one that would have been stored in the hostile signature database is set to untrusted. This both realizes the management of digital signatures and saves the overhead of one database.
Fig. 2 shows the structure of the trusted file collection system provided by the embodiment of the invention. As shown in Fig. 2, the collection system comprises an acquisition module 21, a determination module 22 and a collection module 23. The acquisition module 21 is adapted to obtain the digital signature of a sample file; the determination module 22 is adapted to determine whether the digital signature is trusted; and the collection module 23 is adapted to collect the sample file into a preset trusted file database when the digital signature is determined to be trusted.
The working process of each module is described in detail below.
When obtaining the digital signature of a sample file, the acquisition module 21 may call the WinVerifyTrust API interface provided by Windows.
When determining whether the digital signature is trusted, the determination module 22 mainly does so by judging whether the digital signature has already been stored in a preset trusted signature database 31; if it has, the digital signature is determined to be trusted.
The preset trusted signature database 31 is used to store trusted digital signatures. In the embodiment of the invention, the trusted signature database 31 may be created dynamically. Because it is created dynamically, the trusted signature database is empty before the determination module 22 processes the first sample file, so the digital signature of the first sample file processed by the determination module 22 cannot already be stored in the trusted signature database 31.
Accordingly, when the determination module 22 judges that the digital signature is not stored in the trusted signature database 31, the following further processing is needed: determine according to preset judgment rules whether the digital signature is trusted, and when it is determined to be trusted under those rules, store it in the trusted signature database 31, thereby dynamically creating and updating the database. For the preset judgment rules, refer to the corresponding description in the method embodiment; they are not repeated here.
In this way, the determination module 22 can determine whether a digital signature is trusted. In the approach described above the trusted signature database 31 is created dynamically, so when the determination module 22 processes the first sample file no trusted digital signature has yet been stored in it; whether the digital signature of the first sample file is trusted must therefore be judged according to the preset judgment rules, and if it is trusted it is added to the trusted signature database, with subsequent sample files handled in the same manner. Creating the trusted signature database thus need not be carried out deliberately as a separate operation: it suffices to add trusted signatures dynamically during the determination of each sample file and so build up the database progressively, which saves the step of creating it separately.
In practice, however, the trusted signature database may also be created in advance as required, that is, trusted digital signatures are filtered out beforehand from a certain number of sample files and stored in the trusted signature database. The four rules introduced above may also be used for this screening. The determination module 22 can then obtain a judgment result directly from the trusted signature database when it processes the first sample file. Although this approach requires the trusted signature database to be created separately, the determination module 22 can use the database directly without having to judge each sample file against the preset rules, which has its own advantages.
Alternatively, the two approaches may be combined: a certain number of trusted digital signatures are filtered out in advance and used to complete a preliminary trusted signature database; then, if the determination module 22 judges that a digital signature belongs to the trusted signature database, it directly determines that the signature is trusted; if it judges that the digital signature does not belong to the database, it continues the judgment using the preset judgment rules described above, and when it judges the signature to be trusted, it further adds the signature to the trusted signature database.
The collection module 23 collects the corresponding sample file into the preset trusted file database 32 when the digital signature is determined to be trusted. The basis on which the collection module 23 collects trusted files is that, in general, if the digital signature with which a sample file is signed is trusted, then the sample file is trusted too.
Through the cooperation of the above modules, trusted files are collected. In this process, trusted files are identified by digital signature; because one digital signature corresponds to a large number of files, a larger number of trusted files can easily be collected by digital signature, which greatly improves collection efficiency. In addition, because digital signatures are hard to imitate they inherently resist forgery, and as long as the digital signature of a legitimate vendor is correct, the files it signs are usually correct as well; collecting trusted files by digital signature therefore also greatly improves the accuracy of collection and guarantees the accuracy of the files collected in the trusted file database.
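The acquisition, determination and collection modules described above, with the dynamically grown trusted signature database and the four preset judgment rules of claim 4, written out as a runnable Python illustration. This is an added example, not code from the patent or its assignee; the data classes, the rule-combination policy (rules 2 and 3 must hold, plus at least one of rules 1 and 4), the name-similarity metric, the threshold, the allowlist of legitimate names and all sample values are assumptions, and the signature metadata is constructed inline rather than read with WinVerifyTrust.

```python
"""Trusted-file collection pipeline: acquisition -> determination -> collection.
Added illustration only; the data structures, rule policy and names below are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from difflib import SequenceMatcher
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Signature:
    """Signer metadata as the acquisition module would report it (WinVerifyTrust on Windows)."""
    signer: str        # company name from the signing certificate's subject
    issuer: str        # name of the issuing CA
    thumbprint: str    # identifies the signing certificate; constructed values in demo()
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class SampleFile:
    sha256: str
    signature: Optional[Signature]   # None for an unsigned file


@dataclass
class Collector:
    # Trusted signature database 31 (thumbprint -> Signature); starts empty = dynamic creation.
    trusted_signatures: Dict[str, Signature] = field(default_factory=dict)
    # Malicious signature database: thumbprints that have signed malicious samples (rule 2).
    malicious_signatures: Set[str] = field(default_factory=set)
    # Trusted file database 32: sha256 -> thumbprint of the signature that signed it.
    trusted_files: Dict[str, str] = field(default_factory=dict)
    # Assumed allowlist of legitimate company / issuer names backing rule 1.
    legitimate_names: FrozenSet[str] = frozenset()
    similarity_threshold: float = 0.9   # rule 4 threshold (assumed value)

    # ---- the four preset judgment rules (claim 4) ----
    def rule_legitimate_company(self, sig: Signature) -> bool:
        return sig.signer in self.legitimate_names or sig.issuer in self.legitimate_names

    def rule_no_malicious_history(self, sig: Signature) -> bool:
        return sig.thumbprint not in self.malicious_signatures

    def rule_within_validity(self, sig: Signature, now: datetime) -> bool:
        return sig.not_before <= now <= sig.not_after

    def rule_similar_to_trusted(self, sig: Signature) -> bool:
        # Assumed similarity metric: best string ratio against signer names already trusted.
        best = max((SequenceMatcher(None, sig.signer, t.signer).ratio()
                    for t in self.trusted_signatures.values()), default=0.0)
        return best > self.similarity_threshold

    def judge_by_rules(self, sig: Signature, now: datetime) -> bool:
        """Assumed combination policy: rules 2 and 3 must both hold, plus one of rules 1 and 4."""
        if not (self.rule_no_malicious_history(sig) and self.rule_within_validity(sig, now)):
            return False
        return self.rule_legitimate_company(sig) or self.rule_similar_to_trusted(sig)

    def determine(self, sig: Signature, now: datetime) -> str:
        """Determination module 22: database hit first, otherwise the rules; rule hits grow the database."""
        if sig.thumbprint in self.trusted_signatures:
            return "database"
        if self.judge_by_rules(sig, now):
            self.trusted_signatures[sig.thumbprint] = sig   # dynamic creation/update of database 31
            return "rules"
        return "rejected"

    def collect(self, sample: SampleFile, now: datetime) -> str:
        """Acquisition + determination + collection for one sample file; returns the decision basis."""
        sig = sample.signature              # acquisition module 21
        if sig is None:
            return "unsigned"
        verdict = self.determine(sig, now)  # determination module 22
        if verdict != "rejected":
            self.trusted_files[sample.sha256] = sig.thumbprint   # collection module 23
        return verdict


def demo() -> Tuple[Collector, List[str]]:
    """Constructed sample files and signatures (not data from the patent)."""
    now = datetime(2013, 4, 18, tzinfo=timezone.utc)
    valid = dict(not_before=datetime(2012, 1, 1, tzinfo=timezone.utc),
                 not_after=datetime(2014, 1, 1, tzinfo=timezone.utc))
    vendor = Signature("Example Vendor Ltd", "Example Root CA", "thumb-vendor", **valid)
    lookalike = Signature("Example Vendor Ltd.", "Other CA", "thumb-lookalike", **valid)
    blacklisted = Signature("Example Vendor Ltd", "Example Root CA", "thumb-evil", **valid)
    expired = Signature("Old Corp", "Example Root CA", "thumb-old",
                        not_before=datetime(2010, 1, 1, tzinfo=timezone.utc),
                        not_after=datetime(2012, 1, 1, tzinfo=timezone.utc))
    collector = Collector(malicious_signatures={"thumb-evil"},
                          legitimate_names=frozenset({"Example Vendor Ltd", "Old Corp"}))
    samples = [SampleFile("sha-1", vendor), SampleFile("sha-2", vendor),
               SampleFile("sha-3", lookalike), SampleFile("sha-4", blacklisted),
               SampleFile("sha-5", expired), SampleFile("sha-6", None)]
    return collector, [collector.collect(s, now) for s in samples]


if __name__ == "__main__":
    c, verdicts = demo()
    print(verdicts)                        # ['rules', 'database', 'rules', 'rejected', 'rejected', 'unsigned']
    print(sorted(c.trusted_signatures))    # ['thumb-lookalike', 'thumb-vendor']
```

The first file signed by the vendor is admitted by the rules and its signature enters database 31; the second file with the same signature is then admitted by a direct database hit, which is the dynamic-creation behaviour the text describes. The similarity rule is the weakest of the four: it admits "Example Vendor Ltd." on the strength of its name alone, which is why the assumed policy only applies it together with the malicious-history and validity checks rather than on its own.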
Further, to better guarantee the accuracy of the files collected in the trusted file database and avoid collecting untrusted files by mistake, the collection system may further include: a scanning module 24 adapted to call an antivirus engine to periodically scan the files in the trusted file database; an analysis module 25 adapted to analyze whether a suspicious file is a malicious file when the scanning module 24 determines that a suspicious file exists in the trusted file database; and a network backend module 26 adapted, when the suspicious file is a malicious file, to delete the digital signature of the malicious file from the trusted signature database and further analyze whether all sample files in the trusted file database signed with that digital signature are malicious files. For the specific working processes of the scanning module 24, analysis module 25 and network backend module 26, refer to the description of step S140 in the method embodiment; they are not repeated here.
Further, the network backend module 26 is further adapted to: when it determines that the signing certificate of a digital signature in the trusted signature database has become invalid, or that the key of the digital signature has been leaked, delete the digital signature from the trusted signature database and further analyze whether all sample files in the trusted file database signed with that digital signature are malicious files. For this process refer to the description of step S150 in the method embodiment; it is not repeated here.
Through the above processing, the accuracy of the files collected in the trusted file database is further improved, and untrusted files are kept from slipping in.
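The maintenance side of the system (step S140, where a periodic scan finds a malicious file and its signer is demoted, and step S150, where a certificate becomes invalid or a key leaks), including both re-analysis variants described earlier (analyze the signer's other files one by one, or delete them all first and re-add the clean ones), as a runnable Python illustration. It uses the merged single-table signature database with a rank per signature that the text mentions as an alternative to two separate databases. This is an added example, not code from the patent or its assignee; the `TrustStore` class, the analyzer stand-in (a constructed set of malicious hashes in place of an antivirus engine) and all thumbprints and hashes are assumptions.

```python
"""Keeping the trusted file database accurate after a signer loses trust (steps S140 and S150).
Added illustration only; it uses the merged signature database with one rank per signature."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

TRUSTED, UNTRUSTED = "trusted", "untrusted"   # ranks in the merged signature database


@dataclass
class TrustStore:
    # Stand-in for the analysis module / antivirus engine: True when a file hash is malicious.
    is_malicious: Callable[[str], bool]
    # Merged signature database: one table, each signer thumbprint carries a rank.
    signature_rank: Dict[str, str] = field(default_factory=dict)
    # Trusted file database: file sha256 -> thumbprint of the signature that signed it.
    trusted_files: Dict[str, str] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def files_signed_by(self, thumbprint: str) -> List[str]:
        return sorted(h for h, t in self.trusted_files.items() if t == thumbprint)

    def revoke_signer(self, thumbprint: str, reason: str) -> None:
        """Equivalent of deleting the signature from the trusted DB: demote its rank in the merged table."""
        self.signature_rank[thumbprint] = UNTRUSTED
        self.audit_log.append(f"signer {thumbprint} -> {UNTRUSTED} ({reason})")

    def reanalyze_signer(self, thumbprint: str, delete_first: bool = False) -> List[str]:
        """Re-examine every collected file signed by a signer that is no longer trusted.

        delete_first=False: analyze one by one, removing only files found malicious.
        delete_first=True:  remove all of them immediately (no exposure window), then re-add
                            the ones analysis finds clean.
        """
        affected = self.files_signed_by(thumbprint)
        if delete_first:
            for h in affected:
                del self.trusted_files[h]
        for h in affected:
            if self.is_malicious(h):
                self.trusted_files.pop(h, None)
                self.audit_log.append(f"file {h} removed: malicious")
            elif delete_first:
                self.trusted_files[h] = thumbprint   # analyzed clean: put it back
        return affected

    def periodic_scan(self, suspicious: List[str]) -> None:
        """Step S140: scanner flags files -> analysis -> demote signer -> re-check its other files."""
        for h in suspicious:
            if h in self.trusted_files and self.is_malicious(h):
                signer = self.trusted_files[h]
                self.revoke_signer(signer, f"signed malicious file {h}")
                self.reanalyze_signer(signer)

    def certificate_event(self, thumbprint: str, reason: str) -> None:
        """Step S150: signing certificate became invalid or its key leaked."""
        if self.signature_rank.get(thumbprint) == TRUSTED:
            self.revoke_signer(thumbprint, reason)
            self.reanalyze_signer(thumbprint, delete_first=True)


def demo() -> TrustStore:
    """Constructed scenario (not data from the patent): two signers, one malicious file."""
    malicious_hashes = {"a2-sha256"}
    store = TrustStore(
        is_malicious=lambda h: h in malicious_hashes,
        signature_rank={"thumb-A": TRUSTED, "thumb-B": TRUSTED},
        trusted_files={"a1-sha256": "thumb-A", "a2-sha256": "thumb-A",
                       "b1-sha256": "thumb-B", "b2-sha256": "thumb-B"},
    )
    store.periodic_scan(suspicious=["a2-sha256"])        # S140: the scanner flags a2
    store.certificate_event("thumb-B", "key leakage")    # S150: signer B's key leaked
    return store


if __name__ == "__main__":
    s = demo()
    print(s.signature_rank)           # {'thumb-A': 'untrusted', 'thumb-B': 'untrusted'}
    print(sorted(s.trusted_files))    # ['a1-sha256', 'b1-sha256', 'b2-sha256']
    print(*s.audit_log, sep="\n")
```

Both variants reach the same end state; they differ only in whether files signed by the demoted signer stay in the trusted file database while analysis is still running, which is the trade-off the text draws between the two orderings. The audit log records every demotion and removal so that a later review can reconstruct why a file or signer left the database.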
The embodiment of the invention further comprises:
a scanning module adapted to call an antivirus engine to periodically scan the files in the trusted file database;
an analysis module adapted to analyze whether a suspicious file is a malicious file when the scanning module determines that a suspicious file exists in the trusted file database;
a network backend module adapted, when the suspicious file is a malicious file, to delete the digital signature of the malicious file from the trusted signature database and further analyze whether all sample files in the trusted file database signed with the digital signature of the malicious file are malicious files.
In the embodiment of the invention, the network backend module is further adapted to: when it determines that the signing certificate of a digital signature in the trusted signature database has become invalid, or that the key of the digital signature has been leaked, delete the digital signature from the trusted signature database and further analyze whether all sample files in the trusted file database signed with that digital signature are malicious files.
According to the trusted file collection method and system of the present invention, trusted files are collected by obtaining the digital signature of a sample file and judging whether that digital signature is trusted. This solves the problem in the prior art that generating trusted feature codes by prior training requires a large number of sample files and a time-consuming training process, so that collection is untimely and lags behind; trusted files can instead be collected directly according to their digital signatures, with the beneficial effect of improved collection efficiency.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the above description. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the present invention described herein, and that the above descriptions of specific languages are given in order to disclose the best mode of the invention.
A great deal of detail is set out in the specification provided herein. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into it, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the browser client according to the embodiment of the invention. The present invention may also be embodied as an apparatus or device program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, or provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.

Claims (10)

1. A method for collecting a trusted file, comprising:
obtaining a digital signature of a sample file;
determining whether the digital signature is trusted; and
when the digital signature is determined to be trusted, collecting the sample file into a preset trusted file database.
2. The method of claim 1, wherein determining whether the digital signature is trusted specifically comprises:
judging whether the digital signature has already been stored in a preset trusted signature database, and if the judgment result is yes, determining that the digital signature is trusted.
3. The method of claim 2, wherein, if the judgment result is no, the method further comprises the step of:
determining according to preset judgment rules whether the digital signature is trusted, and when the digital signature is determined to be trusted according to the judgment rules, further storing the digital signature in the preset trusted signature database.
4. The method of claim 3, wherein the preset judgment rules comprise one or more of the following:
judging, according to the company name or issuer name contained in the digital signature, whether the digital signature belongs to the signature of a legitimate company;
judging, according to a preset malicious signature database, whether a malicious sample exists among the historical samples signed with the digital signature, wherein the preset malicious signature database is used to store digital signatures with which malicious samples have been signed;
whether the digital signature is within its validity period; and
whether the similarity between the digital signature and the digital signatures already stored in the trusted signature database is greater than a predetermined threshold.
5. The method of any one of claims 2-4, further comprising, after collecting the sample file into the preset trusted file database, the steps of:
calling an antivirus engine to periodically scan the files in the trusted file database;
when the scan determines that a suspicious file exists in the trusted file database, analyzing whether the suspicious file is a malicious file; and
if the suspicious file is a malicious file, deleting the digital signature of the malicious file from the trusted signature database, and further analyzing whether all sample files in the trusted file database signed with the digital signature of the malicious file are malicious files.
6. The method of any one of claims 2-5, further comprising, after collecting the sample file into the preset trusted file database, the step of:
when it is determined that the signing certificate of a digital signature in the trusted signature database has become invalid, or that the key of the digital signature has been leaked, deleting the digital signature from the trusted signature database, and further analyzing whether all sample files in the trusted file database signed with the digital signature are malicious files.
7. A system for collecting a trusted file, comprising:
an acquisition module adapted to obtain a digital signature of a sample file;
a determination module adapted to determine whether the digital signature is trusted; and
a collection module adapted to collect the sample file into a preset trusted file database when the digital signature is determined to be trusted.
8. The system of claim 7, wherein the determination module is adapted to judge whether the digital signature has already been stored in a preset trusted signature database, and if the judgment result is yes, to determine that the digital signature is trusted.
9. The system of claim 8, wherein, if the judgment result is no, the determination module is further adapted to determine according to preset judgment rules whether the digital signature is trusted, and when the digital signature is determined to be trusted according to the judgment rules, to further store the digital signature in the preset trusted signature database.
10. The system of claim 9, wherein the preset judgment rules comprise one or more of the following:
judging, according to the company name or issuer name contained in the digital signature, whether the digital signature belongs to the signature of a legitimate company;
judging, according to a preset malicious signature database, whether a malicious sample exists among the historical samples signed with the digital signature, wherein the preset malicious signature database is used to store digital signatures with which malicious samples have been signed;
whether the digital signature is within its validity period; and
whether the similarity between the digital signature and the digital signatures already stored in the trusted signature database is greater than a predetermined threshold.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310135900.2A CN103235918B (en) 2013-04-18 2013-04-18 The collection method of trusted file and system

Publications (2)

Publication Number Publication Date
CN103235918A true CN103235918A (en) 2013-08-07
CN103235918B CN103235918B (en) 2016-05-25

Family

ID=48883958

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103544411A (en) * 2013-10-16 2014-01-29 深圳全智达通信股份有限公司 Software package certificate protection method and device
CN104200163A (en) * 2014-08-27 2014-12-10 哈尔滨工业大学(威海) Virus detection method and virus detection engine
CN106549766A (en) * 2016-10-25 2017-03-29 中国建设银行股份有限公司 A kind of processing method and relevant device of assessment report
CN106559220A (en) * 2016-10-25 2017-04-05 中国建设银行股份有限公司 A kind of processing method and relevant device of guaranty
CN108959929A (en) * 2018-07-23 2018-12-07 北京奇安信科技有限公司 Program file processing method and processing device
CN111050133A (en) * 2019-12-23 2020-04-21 广州公评科技有限公司 Video data processing system based on block chain technology

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102844750A (en) * 2010-03-24 2012-12-26 微软公司 Executable code validation in a web browser
CN102855274A (en) * 2012-07-17 2013-01-02 北京奇虎科技有限公司 Method and device for detecting suspicious progresses
CN102982291A (en) * 2012-11-05 2013-03-20 北京奇虎科技有限公司 Methods and device of dependable file digital signature acquisition

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220725

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right