CN117688561A - Virus processing method and device and industrial control equipment - Google Patents


Info

Publication number: CN117688561A
Authority: CN (China)
Legal status: Pending
Application number: CN202311585584.9A
Other languages: Chinese (zh)
Inventors: 龚亮华, 仪鑫, 毛哲
Current assignee: Fengtai Technology Beijing Co ltd
Original assignee: Fengtai Technology Beijing Co ltd

Abstract

The application belongs to the technical field of virus processing and provides a virus processing method, a device and industrial control equipment. The method comprises the following steps: collecting the current system state information of local industrial control equipment; matching the current system state information against virus preset data in a virus library; if the current system state information is not successfully matched with the virus preset data, analysing whether preset abnormal characteristics exist in it; and when the current system state information has preset abnormal characteristics and cannot be matched with a white list program in a preset white list, carrying out virus processing on the current system state information. The method and device can find the latest viruses present on a host in time while eliminating false detection of programs and guaranteeing normal use of the host by the user, so the security of the user's host system can be effectively guaranteed.

Description

Virus processing method and device and industrial control equipment
Technical Field
The application belongs to the technical field of virus processing, and in particular relates to a virus processing method, a device and industrial control equipment.
Background
In the information age, hosts are among the most important assets of individuals and businesses, and they typically store large amounts of sensitive data and important information, such as personal identification information, financial data and business secrets. If a host is attacked or infected by a virus, this sensitive data may be stolen, destroyed or misused, resulting in serious privacy disclosure and property loss. Securing the host is therefore extremely important.
Viruses are an important means of attacking a host, and an infected host is usually controlled by the intruder, resulting in data leakage or loss. Many defence products exist on the market, but most of them defend according to the data in a virus library. Viruses are continually updated, so such products can only defend passively: when a new, previously unseen virus appears, security measures that take the virus library as the standard of defence are insufficient. This is especially true for industrial control equipment used in industrial manufacturing: if it is infected with the latest virus, industrial production is seriously affected and product quality is difficult to guarantee.
Disclosure of Invention
Embodiments of the application provide a virus processing method, a device and industrial control equipment, aiming to address the security risk that a host is attacked by the latest virus because viruses currently evolve faster than a virus library can be updated.
In a first aspect, embodiments of the present application provide a method for processing a virus, where the method includes:
collecting the current system state information of the local industrial control equipment;
matching the current system state information against virus preset data in a virus library;
if the current system state information is not successfully matched with the virus preset data, analysing whether preset abnormal characteristics exist in the current system state information;
and when the current system state information has preset abnormal characteristics and is not successfully matched with a white list program in a preset white list, carrying out virus processing on the current system state information.
In an embodiment, the analyzing whether the current state information of the system has a preset abnormal feature includes:
comparing the current value of the index in the current state information of the system with a preset abnormal threshold value;
and if the current value of the index is larger than the preset abnormal threshold value, judging that the current state information of the system has preset abnormal characteristics.
In an embodiment, the analyzing whether the current state information of the system has a preset abnormal feature includes:
acquiring system history state information of the local industrial control equipment;
calculating baseline threshold information of the local industrial control equipment based on the system history state information;
comparing the current value of the index in the current state information of the system with the baseline threshold information, and if the current value of the index is larger than the baseline threshold information, judging that the current state information of the system has preset abnormal characteristics.
In an embodiment, the matching the current state information of the system with virus preset data in a virus library includes:
using a bloom filter to check the target program service in the current system state information and output abnormal service characteristics;
matching the abnormal service characteristics against the virus preset data in the virus library using a characteristic matching engine; if the matching succeeds, judging that the abnormal service characteristics are a virus, and if it fails, executing the step of analysing whether the current system state information has preset abnormal characteristics.
In an embodiment, the bloom filter includes a first hash structure, a second hash structure and a third hash structure, each of which is a vector-table data structure with a plurality of elements; each element of the first hash structure contains fewer bits than each element of the second hash structure, and each element of the second hash structure contains fewer bits than each element of the third hash structure;
Accordingly, using the bloom filter to examine the target program service in the current system state information and output abnormal service features includes:
extracting segments of the feature binary code from the target program service in the current system state information, inputting each segment into the first hash structure of the bloom filter as an entry of a feature dictionary, and having the first hash structure output the appearance position of the entry to be detected, where the appearance position denotes the position of two adjacent bytes in the feature binary code;
inputting the appearance position of the entry to be detected into the second hash structure, so that the second hash structure performs a hash mapping calculation on the entry and outputs its hash value;
and inputting the appearance position and the hash value of the entry to be detected into the third hash structure, so that, when it determines that the hash value corresponds to the termination position in the feature binary code, the third hash structure outputs the entry and its appearance position as an abnormal service feature.
In one embodiment, the virus library comprises a plurality of virus library subsets;
correspondingly, matching the abnormal service feature against the virus preset data in the virus library using the feature matching engine comprises the following steps:
acquiring a mapping relation between each appearance position of each entry to be detected and a virus library subset;
determining a target entry from the entries to be detected according to the mapping relation, and acquiring the virus preset data associated with the mapping relation;
and matching the target entry against the virus preset data and outputting a matching result.
In an embodiment, the method further comprises:
inputting a training set of virus samples into an initial network model, where the initial network model comprises neuron parameters, the virus samples are divided into a training set and a verification set, and each virus sample comprises at least one item of metadata such as file attributes, version information or digital signatures;
training the initial network model on the training set, and fine-tuning the neuron parameters when training reaches a preset target training condition, so as to convert the initial network model into a neural network model;
correspondingly, after the target entry is matched against the virus preset data and a matching result is output, the method further comprises:
inputting the feature binary code of the target program service into the neural network model, identifying the feature binary code against the verification set, and outputting a virus identification result;
and carrying out a weighted summation of the virus identification result and the matching result to obtain a final virus result.
In an embodiment, when the abnormal service feature is successfully matched with the virus preset data in the virus library, the abnormal service feature is determined to be a virus, and the method further comprises one or more of the following:
closing the virus process of the target program service and performing virus killing on the executable files related to the target program service;
raising an alarm prompt for the current system state information and/or the preset abnormal characteristics;
and uploading the virus characteristic information related to the virus process to the virus library for storage.
In a second aspect, embodiments of the present application provide a virus processing apparatus, the apparatus including:
the acquisition module is used for acquiring the current state information of the system of the local industrial control equipment;
the virus identification module is used for matching the current state information of the system with virus preset data in a virus library;
the analysis module is used for analyzing whether preset abnormal characteristics exist in the current state information of the system if the current state information of the system is not successfully matched with the preset virus data;
and the white list module is used for carrying out virus processing on the current state information of the system when the current state information of the system has preset abnormal characteristics and the matching of the current state information of the system and a white list program in a preset white list is unsuccessful.
In a third aspect, the present invention further provides an industrial control device, including a memory, a processor, and an industrial control program stored in the memory and capable of running on the processor, where the processor implements the method as described above when executing the industrial control program.
The beneficial effects of this application lie in the following: the method and device can find the latest viruses present on the host in time while eliminating false detection of programs and guaranteeing normal use of the host by the user, so the security of the user's host system can be effectively guaranteed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the following description will briefly introduce the drawings that are needed in the embodiments or the description of the prior art, it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a virus processing method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a virus processing method according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of a virus handling apparatus according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of an industrial control device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the appended claims, the term "if" may be interpreted as "when", "once", "in response to a determination" or "in response to detection", depending on the context. Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted, depending on the context, as "upon determination", "in response to determination", "upon detection of a [described condition or event]" or "in response to detection of a [described condition or event]".
In addition, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
Example 1
In order to solve the above problems, the present application provides a virus processing method which, as shown in FIG. 1, mainly includes the following steps:
Step S10: collecting the current system state information of the local industrial control equipment.
It should be noted that the execution body of this embodiment is a local industrial control device loaded with data security software, where the data security software may be antivirus software and the industrial control device may be an automation host deployed in an industrial factory building. After the local industrial control equipment starts the antivirus software application, the application collects the current system state information in real time.
Specifically, the current system state information is obtained by acquiring the various states of the industrial control equipment. It comprises at least the current CPU state, memory state, network state, disk state, process information and service information of the local industrial control equipment; this state information can reflect the behaviour pattern of a virus, the hash values of specific files, network communication patterns and other key identifiers of the virus.
Step S20: matching the current system state information against virus preset data in a virus library.
In a specific implementation, this embodiment identifies viruses through a feature matching engine and creates a dynamic Bloom filter from pre-collected known virus features; the Bloom filter may be updated periodically so that the latest virus features are added to it.
Specifically, step S20 may be performed by the following two sub-steps:
Sub-step S201: the local industrial control equipment uses the bloom filter to check the target program service in the current system state information and outputs abnormal service features, where abnormal service features are program behaviour features that may match a virus in the virus library;
Sub-step S202: the local industrial control equipment uses the feature matching engine to verify whether the content output by the bloom filter truly matches data in the virus library. If the match succeeds, the abnormal service feature is judged to be a virus; if it fails, the step S30 of analysing whether the current system state information has preset abnormal characteristics is executed.
The feature matching engine comprises two connected structures: a subset loading structure and a subset exact matching structure. The subset exact matching structure matches the abnormal service features output by the bloom filter against the virus preset data in the virus library. If the match succeeds, the abnormal service features output by the bloom filter are confirmed to be a virus, the corresponding process of the target program service is regarded as a virus process, and the target program service is handed to the virus processing module. The virus processing module kills the virus process, kills the parent process that created it if the virus process restarts, and then obtains the executable files related to the target program service for disinfection.
In a specific implementation, once the abnormal service features output by the bloom filter have been determined to be a virus, the local industrial control equipment has already collected its current system state information, which comprises the current CPU state, memory state, network state, disk state, process information and service information. It can therefore determine the process information of the program in which the virus resides (the virus process), obtain the process identifier (PID) of the virus process, and through the PID obtain further information about the virus, for example the program name corresponding to the virus process, the start path of the infected program and the parent process of the virus process.
Specifically, the virus process is first forcibly terminated by its process identifier, then the executable file of the infected program is located via the program's start path and is isolated or deleted outright, and at the same time a prompt may be sent to alert the user. If the virus process recovers (restarts automatically) after being forcibly terminated, the virus has a daemon process; in this case the industrial control equipment forcibly terminates both the parent process that created the virus (that is, the daemon) and the virus process, so as to keep the local industrial control system running normally.
Further, when the abnormal service feature is determined to be a virus, or after virus killing has been performed on the executable files related to the target program service (the infected program), the virus characteristic information related to the virus process is uploaded to the virus library (which may be a local or a cloud virus library) for storage; that is, the basic facts of the virus are reported and the data in the bloom filter is updated in real time. Specifically, the local industrial control equipment may collect the virus characteristic information related to the virus process as a sample, where that information may include the process name, file path, file hash value and the like. Meanwhile, the local industrial control equipment can clear the program files infected by the virus and deep-clean the infected system: deleting malicious files, repairing damaged system files and so on. This lets the equipment use historical virus events as reference virus data in the future. The local industrial control equipment can also examine how the virus intruded: if the virus entered through a vulnerability in a software program, the infected program is run in isolation and measures such as blocking a port on the network equipment or updating the firewall by IP address are taken to stop the virus entering through that program again; if the virus entered through an unpatched vulnerability in the host system, the local industrial control equipment inspects and updates the operating system and reports the system vulnerability to the cloud in time.
In an embodiment, the bloom filter supports automatic updating of virus characteristic data, and users can add, delete and modify the virus samples held in it, so that the bloom filter stays synchronised with the latest virus characteristics; this keeps the bloom filter current and further ensures the safety of the industrial control equipment.
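The two-stage lookup of step S20 (sub-step S201 bloom-filter pre-screen, sub-step S202 exact verification against the virus library), as an added example that is not the patent's own code: a standard bit-array Bloom filter keyed on the leading segment of each signature stands in for the three-hash-structure design described earlier, and the virus library, signature bytes and program images are all constructed for the example.

```python
import hashlib
from typing import Dict, Iterator, List, Tuple

# Constructed virus library: signature bytes -> name. The byte strings are made
# up for this example and are not real malware signatures.
VIRUS_LIBRARY: Dict[bytes, str] = {
    b"\xde\xad\xbe\xef\x13\x37\x42": "CONSTRUCTED_SIG_A",
    b"\x90\x90\xcc\xcc\x0f\x05": "CONSTRUCTED_SIG_B",
}

SEGMENT_LEN = 4  # length of the feature-binary-code segments the filter is keyed on


class BloomFilter:
    """Bit-array Bloom filter over fixed-length byte segments."""

    def __init__(self, size_bits: int = 8192, num_hashes: int = 3) -> None:
        self.size = size_bits
        self.k = num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item: bytes) -> Iterator[int]:
        # k bit positions derived from salted SHA-256 digests of the segment
        for salt in range(self.k):
            digest = hashlib.sha256(bytes([salt]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: bytes) -> bool:
        # never a false negative; false positives are possible, so a hit is only
        # a candidate that the exact-matching stage must confirm
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def build_engine(library: Dict[bytes, str]) -> Tuple[BloomFilter, Dict[bytes, List[bytes]]]:
    """Load the library: the leading segment of each signature is the filter key,
    and the exact-matching stage keeps the full signatures grouped by that key."""
    bloom = BloomFilter()
    by_prefix: Dict[bytes, List[bytes]] = {}
    for signature in library:
        prefix = signature[:SEGMENT_LEN]
        bloom.add(prefix)
        by_prefix.setdefault(prefix, []).append(signature)
    return bloom, by_prefix


def scan_program(code: bytes, bloom: BloomFilter, by_prefix: Dict[bytes, List[bytes]],
                 library: Dict[bytes, str]) -> Tuple[int, List[Tuple[int, str]]]:
    """Sub-step S201: pre-screen every segment with the Bloom filter.
    Sub-step S202: verify each candidate against the full signature.
    Returns (number of filter candidates, [(offset, virus name), ...])."""
    candidates = 0
    confirmed: List[Tuple[int, str]] = []
    for offset in range(len(code) - SEGMENT_LEN + 1):
        segment = code[offset:offset + SEGMENT_LEN]
        if not bloom.might_contain(segment):
            continue  # definitely not the start of any library signature
        candidates += 1
        for signature in by_prefix.get(segment, []):
            if code.startswith(signature, offset):  # exact match of the whole signature
                confirmed.append((offset, library[signature]))
    return candidates, confirmed


# Constructed "target program service" images.
CLEAN_PROGRAM = bytes(range(0x20, 0x60)) * 2
INFECTED_PROGRAM = b"\x00" * 16 + b"\xde\xad\xbe\xef\x13\x37\x42" + b"\x00" * 8
PREFIX_ONLY_PROGRAM = b"\x00" * 4 + b"\xde\xad\xbe\xef\x00\x00\x00" + b"\x00" * 4  # filter hit, no virus


def detect(code: bytes) -> Tuple[int, List[Tuple[int, str]]]:
    bloom, by_prefix = build_engine(VIRUS_LIBRARY)
    return scan_program(code, bloom, by_prefix, VIRUS_LIBRARY)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_PROGRAM), ("infected", INFECTED_PROGRAM),
                        ("prefix only", PREFIX_ONLY_PROGRAM)):
        candidates, hits = detect(image)
        print(f"{name}: {candidates} filter candidate(s), confirmed {hits}")
```

The prefix-only image shows why the exact-matching stage is required: the filter raises a candidate for it, but no full signature is confirmed.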
Step S30: if the current system state information is not successfully matched with the virus preset data, analysing whether the current system state information has preset abnormal characteristics.
It can be appreciated that, since updates to the virus library always lag behind the development of viruses, if the abnormal service feature in the current system state information does not match the data in the virus library, there is still a possibility that it is a virus. This embodiment therefore keeps monitoring the current system state information and specifically determines whether a preset abnormal feature exists in it. For example, a preset abnormal feature may include detecting that a service process modifies important information in the registry, such as adding a startup auto-start entry or configuring the operating parameters of an application; the system intercepts such important operations and informs the user, and if the user so requires, the program can be configured to be released via the white list. As another example, if a service process occupies a great deal of resources (for instance, a large program loading an ultra-high-resolution display) so that memory is about to be exhausted, this can be listed as a preset abnormal feature, because even if it is not a virus it affects the operation of the operating system; the user is informed and, if this is the user's intention, the program can be put on the white list.
In a specific implementation, the various current system state information of the host is collected and analysed, mainly to judge whether the state of the local industrial control equipment is abnormal; the basis for the judgement is a threshold value for each index of the current system state information. This embodiment can analyse whether the current system state information has preset abnormal characteristics in two ways:
The first way is to calculate the threshold of the current state by computing a baseline, comprising: acquiring the historical system state information (the various historical index values) of the local industrial control equipment; calculating the baseline threshold information of the local industrial control equipment based on the historical system state information (the baseline is a threshold obtained from the host's various historical index values by some algorithm); and comparing the current value of an index in the current system state information with the baseline threshold information, judging that the current system state information has preset abnormal characteristics if the current value of the index is larger than the baseline threshold. Because the baseline derives the threshold from the host's own prior state, it helps to determine accurately whether a preset abnormal characteristic exists.
For the first way, in a specific embodiment, in the step of comparing the current value of an index in the current system state information with the baseline threshold information or the preset abnormal threshold, when an index of the local industrial control equipment exceeds its threshold and an abnormality is thus detected, the local industrial control equipment automatically evaluates the other indices as well. For example, when the CPU index exceeds its threshold, the system may judge by the other indices and the state of the host, such as whether an external device has been connected or removed, whether there is an abnormal process or abnormal service, whether an application has been set to auto-start and whether the registry has been modified. The more abnormal states there are, the more serious the abnormality and the higher the probability of a virus. The industrial control equipment issues alarm prompts of different levels according to the abnormal conditions and their number: the more complex and numerous the abnormal conditions, the higher the level of the alarm prompt.
The second way is to set the state threshold manually in a custom manner, that is, the user sets the threshold according to their own requirements, which comprises: comparing the current value of an index in the current system state information with a preset abnormal threshold; and if the current value of the index is larger than the preset abnormal threshold, judging that the current system state information has preset abnormal characteristics.
For the second way, in a specific embodiment, for the step of alarming and prompting the current system state information and/or the preset abnormal feature, the user may set the thresholds as follows: different levels of classification can be defined according to the current state of the system and the threshold conditions, with each classification corresponding to a different alarm prompt level. For example, when only the CPU utilisation exceeds the CPU threshold, the user may set the alarm prompt to a common level; when the CPU, memory, network status and so on all exceed their thresholds and an unfamiliar process or service appears, the user may set the alarm prompt to a severe level.
Step S40, when the system current state information has preset abnormal characteristics and the system current state information is not successfully matched with a white list program in a preset white list, virus processing is carried out on the system current state information.
Specifically, if the current state information of the system has preset abnormal characteristics, the current state information of the system is matched with a white list program in the preset white list, if the matching is successful, the local industrial control equipment is kept to normally operate, otherwise, virus processing is carried out on the current state information of the system, and alarm prompt is carried out on the current state information of the system and/or the preset abnormal characteristics, namely when an analysis module of the local industrial control equipment obtains the abnormal information of the current state, the alarm is carried out on a user, and the abnormal reason is informed, so that the user can conveniently process the information.
It will be appreciated that, since some actions of the user may also cause abnormality of the system state, these abnormalities are also considered to be of a preset abnormal feature in step S30, for example, when some software is run, the CPU and the memory occupy high resources, but these actions of the user are normal and cannot be determined as abnormal state of the host. Therefore, the user can configure the white list, and when the user adds certain processes or services into the white list, the program in the white list can not give an alarm when the system state is abnormal. If the program determined by the system as the preset abnormal feature in the step S30 is not in the preset white list in the step S40, it is determined that the program belongs to a normal operation, is not a virus feature, and the normal operation of the local industrial control equipment is continuously maintained; whereas if the program determined by the system as the preset abnormal feature in step S30 appears in the preset white list in step S40, it is determined that it is likely to belong to the latest developed virus feature, and virus processing is required for the current state information of the system.
It should be noted that the preset white list configured in this embodiment supports advance configuration. In the prior art, the function of the traditional white list is mainly to detect an application program in an abnormal condition, process it and notify the user, who can then add the application program to the traditional white list after seeing the notification; but the traditional white list cannot add an application program that does not yet exist on the host. The "preset white list" of the present application differs from the "traditional white list" of the prior art in that a program not yet present on the host can be added to the "preset white list" in advance: the user can maintain a white list containing a plurality of white list programs, or download a white list edited by other users and import it into the antivirus software of the local industrial control equipment. Because such a white list is generic, programs that do not yet have a white list entry can be imported into the antivirus software of the local industrial control equipment so that the system runs normally. Compared with the traditional white list, which stores the feature information of software that has passed inspection, the preset white list effectively prevents software that may exhibit virus-like behaviour (such as excessive memory or CPU occupancy) from being mistaken for a virus.
The technical scheme of the application improves the way in which the latest viruses are found: besides finding existing viruses according to the known virus features in the virus library, the method can also judge whether the latest viruses (not yet in the virus library) have invaded the local industrial control equipment by monitoring host state information such as processes, services, CPU (central processing unit) utilization, memory utilization and network activity and matching it against the preset abnormal features and the preset white list. In this way, the latest host virus can be found in time on the basis of eliminating program false detection and guaranteeing normal use of the host by the user, and the safety of the user's host system can be effectively guaranteed.
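The step S30/S40 decision above, as an added example in Python (not the patent's own code): each index of the current state is compared with a baseline derived from the system history (the variant of claim 3) or, where no history exists, with a fixed preset threshold (the variant of claim 2), and a process exceeding its threshold is only handed to virus processing when it is absent from the preset white list. The rule "baseline = mean + 3 standard deviations", the snapshots, the threshold values and the process names are all assumptions constructed for the example.

```python
"""Step S30/S40 decision on per-process resource indices (added example).

Each index in the current state is compared with a baseline derived from the
system history (claim 3); an index with no history falls back to a fixed preset
threshold (claim 2).  Anomalous processes are only handed to virus processing
when they are not in the preset white list (step S40).  All data is constructed.
"""
from statistics import mean, pstdev

# Constructed historical snapshots: process -> {index: value in percent}.
HISTORY = [
    {"hmi_runtime": {"cpu": 20.0, "mem": 30.0}, "plc_bridge": {"cpu": 5.0, "mem": 10.0}},
    {"hmi_runtime": {"cpu": 22.0, "mem": 31.0}, "plc_bridge": {"cpu": 6.0, "mem": 10.0}},
    {"hmi_runtime": {"cpu": 18.0, "mem": 29.0}, "plc_bridge": {"cpu": 4.0, "mem": 11.0}},
]
# Constructed current snapshot.
CURRENT = {
    "hmi_runtime": {"cpu": 45.0, "mem": 30.0},   # busy, but added to the white list by the operator
    "plc_bridge":  {"cpu": 5.0,  "mem": 10.0},   # within its baseline
    "unknown_svc": {"cpu": 92.0, "mem": 12.0},   # never seen before: only the preset threshold applies
}
PRESET_THRESHOLD = {"cpu": 80.0, "mem": 80.0}  # claim-2 style fixed thresholds (assumed values)
WHITELIST = {"hmi_runtime"}                     # preset white list maintained by the user
SIGMA = 3.0  # assumption: baseline = mean + 3 * population std-dev of the history


def baseline_thresholds(history):
    """Claim 3: derive a baseline threshold per (process, index) from the history."""
    base = {}
    for proc in set().union(*history):
        for idx in ("cpu", "mem"):
            vals = [snap[proc][idx] for snap in history if proc in snap]
            base[(proc, idx)] = mean(vals) + SIGMA * pstdev(vals)
    return base


def step_s30(current, base):
    """Return (process, index, value, threshold) for every index above its threshold."""
    anomalies = []
    for proc, metrics in current.items():
        for idx, val in metrics.items():
            thr = base.get((proc, idx), PRESET_THRESHOLD[idx])
            if val > thr:
                anomalies.append((proc, idx, val, thr))
    return anomalies


def step_s40(current, base, whitelist):
    """Map each anomalous process to 'normal' (white-listed) or 'virus_processing'."""
    verdicts = {}
    for proc, idx, val, thr in step_s30(current, base):
        verdicts[proc] = "normal" if proc in whitelist else "virus_processing"
    return verdicts


def demo():
    """Run the decision on the constructed snapshots."""
    return step_s40(CURRENT, baseline_thresholds(HISTORY), WHITELIST)


if __name__ == "__main__":
    for proc, idx, val, thr in step_s30(CURRENT, baseline_thresholds(HISTORY)):
        print(f"{proc}: {idx}={val:.1f} exceeds threshold {thr:.1f}")
    print(demo())
```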
Example two
The second embodiment improves the conventional bloom filter, and the bloom filter of the present embodiment uses three hash structures connected together in series, including a first hash structure, a second hash structure, and a third hash structure, where the first hash structure, the second hash structure, and the third hash structure are all data structures (can be understood as a data structure table) having a vector table with multiple elements, and the number of bits contained in each element of the first hash structure is smaller than the number of bits contained in each element of the second hash structure, and the number of bits contained in each element of the second hash structure is smaller than the number of bits contained in each element of the third hash structure;
It should be noted that, in this application, "element" refers to a single entry in the vector table, each element set in this embodiment may contain 3 bits, and "vector" refers to each entry containing 3 bits in the hash structure table.
The substep S201 further comprises:
S201A, extracting fragments of feature binary codes from target program services in the current state information of the system, inputting each fragment of the feature binary codes into a first hash structure of the bloom filter, and regarding the fragments as word bars in a feature dictionary, so that the first hash structure outputs appearance positions of word bars to be detected, wherein the appearance positions of the word bars to be detected represent positions of two adjacent bytes in the feature binary codes.
It will be appreciated that step S201A is the functional step of the first hash structure, referred to as double-byte position detection (DBPC, Double Byte Position Check). Its data structure comprises a vector table with 64K elements, and the present embodiment may set each vector of the first hash structure to contain 3 bits. For the word bars in the feature dictionary, each pair of two adjacent bytes is used as an index to map one bit in the first hash structure table. The first hash structure performs the first-pass detection in the bloom filter.
It should be noted that, in the present application, a "feature dictionary" refers to a feature binary code segment of a virus, and a "feature dictionary" may be understood as a dictionary storing features of a virus. Each feature binary code segment is a word bar in the feature dictionary. An "element" is understood to be a single entry in a vector table (i.e., hash structure), each element containing 3 bits.
In a specific implementation, the industrial control device may input a code related to the target program service into a first hash structure, perform feature extraction and preprocessing on a segment of a feature binary code corresponding to the target program service through the first hash structure, and then output the segment of the feature binary code to obtain an appearance position of a word to be detected, where the appearance position of the word to be detected represents positions of two adjacent bytes in the feature binary code.
S201B, inputting the appearance position of the to-be-detected character bar into the second hash structure, so that the second hash structure carries out hash mapping calculation on the to-be-detected character bar, and the second hash structure outputs the hash value of the to-be-detected character bar;
It will be appreciated that step S201B is the functional step of the second hash structure, called Hash Map Check (HMC). Its data structure, like the first hash structure described above, comprises a vector table with 64K elements, and the present embodiment may set each vector of the second hash structure to contain 5 bits (more than the 3 bits contained in each vector of the first hash structure).
The hash index can be calculated in the following way. For each word bar in the feature dictionary, let C(i) denote the i-th character (byte) of the word bar and hash(i) the i-th hash value; then define:
hash(0) = 0; /* initial value */
hash(i+1) = /* next hash value */
    ((hash(i) << 2) | (hash(i) >> 14))
    ^ ((C(i) << 8) | C(i+1))
    ^ ((hash(i) >> 1) | (hash(i) << 15));
The shift pairs 2/14 and 1/15 are rotations of a 16-bit value, which matches the 64K-element (16-bit index) vector tables.
in a specific implementation, the industrial control device may input the appearance position of the to-be-detected word strip output by the first hash structure to the second hash structure, and output a vector table by using the calculation mode of the hash index, where each vector includes 5 bits and is used to represent the hash value of the to-be-detected word strip after hash mapping calculation.
S201C, inputting the appearance position of the character strip to be detected and the hash value of the character strip to be detected into the third hash structure, so that the third hash structure outputs the character strip to be detected and the appearance position thereof as an abnormal service feature when determining that the hash value of the character strip to be detected corresponds to the termination position in the feature binary code.
It will be appreciated that step S201C is the functional step of the third hash structure, referred to as end position detection (EPC, Endpoint Position Check). Its data structure, like the first and second hash structures described above, comprises a vector table with 64K elements, and the present embodiment may set each vector of the third hash structure to contain 8 bits (more than the 5 bits contained in each vector of the second hash structure). The vector table of the third hash structure is indexed by the same hash value as the second hash structure. The third hash structure indicates whether a position is likely to be the end position of a feature word bar.
In a specific implementation, the host may use the appearance position of the to-be-detected word bar output by the first hash structure and the hash value of the to-be-detected word bar output by the second hash structure together as the input of the third hash structure, so that the third hash structure output indicates whether a position is likely to be a final position of the to-be-detected word bar (specifically, a vector table may be output by the third hash structure, where each vector includes 8 bits and is used to indicate whether each position is likely to be a final position of a feature word bar);
correspondingly, the step S202 further includes:
S202A, obtaining a mapping relation between each appearance position of each character bar to be detected and a virus library subset of the virus library, wherein the virus library comprises a plurality of virus library subsets;
S202B, determining a target word from the word to be detected according to the mapping relation, and acquiring virus preset data related to the mapping relation;
S202C, matching the target word with the virus preset data, and outputting a matching result.
It should be noted that the feature matching engine of this embodiment divides the word bars in the feature dictionary corresponding to the virus library into smaller subsets. Based on the appearance position of each word bar to be detected, it obtains the mapping relation between the feature dictionary and a virus library subset, and determines the target word bars (each possible matching word bar) from the word bars to be detected according to that mapping: each possible matching word bar is first mapped to one such subset of the virus library, a word bar that maps successfully becomes a target word bar, and its index value is the hash value calculated in step S201B. The target word bar is then matched against the virus preset data of the subset it mapped to, and a virus is determined to exist if the match succeeds.
It can be understood that the output of the third hash structure can be regarded as pointing to a subset of the virus library; the index value of the first feature word bar of each subset is stored in a String Reference Table (SRT) data structure, and the feature matching engine loads all word bars of that subset to determine whether the target program service in the current state information of the system carries a virus. Referring to fig. 2, the determination result has two cases:
Case one: when the match between the abnormal service feature and the virus preset data in the virus library fails, the abnormal service feature does not belong to a known virus feature, but the possibility that it is a latest virus feature not yet in the library has not been ruled out, so the step of analyzing whether a preset abnormal feature exists in the current state information of the system (step S30) is executed;
Case two: when the abnormal service feature matches the virus preset data in the virus library successfully, the abnormal service feature is judged to be a virus, the virus process of the target program service is closed, and virus-killing treatment is performed on the executable files related to the target program service. Finally, the virus feature information related to the virus process is uploaded to the virus library for storage.
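The three-stage filter of steps S201A to S201C and the subset matching of step S202, as an added Python example that is not code from the patent. The patent does not say what the 3, 5 and 8 bits of each element encode, so the example assumes one flag bit per table element; it also assumes that the HMC table marks the hash of every prefix of a feature word bar (so a scan can stop early) while the EPC table marks only the final hash, which is then the SRT index of the library subset. The signatures and the scanned buffer are constructed test data.

```python
"""Three-stage hash prefilter (DBPC / HMC / EPC) plus exact subset matching.

Added example modelled on steps S201A-S201C and S202 of the patent; the
signatures and the scanned buffer below are constructed test data.
"""
from collections import defaultdict

MASK16 = 0xFFFF
TABLE_SIZE = 1 << 16          # each hash structure has 64K elements


def rotl16(x, n):
    """Rotate a 16-bit value left by n bits: (x<<n)|(x>>(16-n))."""
    return ((x << n) | (x >> (16 - n))) & MASK16


def rotr16(x, n):
    """Rotate a 16-bit value right by n bits: (x>>n)|(x<<(16-n))."""
    return ((x >> n) | (x << (16 - n))) & MASK16


def hash_step(h, c_i, c_next):
    """One step of the patent's recurrence:
    hash(i+1) = ((hash(i)<<2)|(hash(i)>>14)) ^ (C(i)<<8|C(i+1)) ^ ((hash(i)>>1)|(hash(i)<<15))."""
    return (rotl16(h, 2) ^ ((c_i << 8) | c_next) ^ rotr16(h, 1)) & MASK16


def feature_hash(word):
    """hash(0) = 0, then apply hash_step over every adjacent byte pair of the word bar."""
    h = 0
    for i in range(len(word) - 1):
        h = hash_step(h, word[i], word[i + 1])
    return h


class ThreeStageFilter:
    def __init__(self, signatures):
        self.dbpc = bytearray(TABLE_SIZE)   # stage 1: adjacent byte pair occurs in some word bar
        self.hmc = bytearray(TABLE_SIZE)    # stage 2: hash of some prefix of a word bar (assumption)
        self.epc = bytearray(TABLE_SIZE)    # stage 3: hash marks the end position of a word bar
        self.srt = defaultdict(list)        # String Reference Table: end hash -> library subset
        assert all(len(s) >= 2 for s in signatures.values()), "word bars need two bytes"
        self.max_len = max(len(s) for s in signatures.values())
        for name, sig in signatures.items():
            h = 0
            for i in range(len(sig) - 1):
                self.dbpc[(sig[i] << 8) | sig[i + 1]] = 1
                h = hash_step(h, sig[i], sig[i + 1])
                self.hmc[h] = 1
            self.epc[h] = 1
            self.srt[h].append((name, sig))

    def scan(self, code):
        """Return (signature name, start, end) for every exact match found in code."""
        hits = []
        for pos in range(len(code) - 1):
            h = 0
            for i in range(pos, min(len(code) - 1, pos + self.max_len - 1)):
                if not self.dbpc[(code[i] << 8) | code[i + 1]]:   # stage 1: DBPC
                    break
                h = hash_step(h, code[i], code[i + 1])
                if not self.hmc[h]:                                # stage 2: HMC
                    break
                if self.epc[h]:                                    # stage 3: EPC, candidate end
                    candidate = code[pos:i + 2]
                    # feature matching engine: exact compare within the mapped subset only,
                    # which resolves any false positive of the three probabilistic stages
                    for name, sig in self.srt[h]:
                        if candidate == sig:
                            hits.append((name, pos, i + 1))
        return hits


# Constructed "feature dictionary": two made-up word bars, not real virus signatures.
SIGNATURES = {
    "sig_prologue": bytes([0x55, 0x48, 0x89, 0xE5]),
    "sig_mz_header": b"MZ\x90\x00\x03",
}
# Constructed buffer standing in for the feature binary code of a target program service.
SAMPLE_CODE = b"\x00\x01" + b"MZ\x90\x00\x03" + b"\xff" + bytes([0x55, 0x48, 0x89, 0xE5]) + b"\x00"


def scan_sample():
    """Build the filter from the constructed dictionary and scan the constructed buffer."""
    return ThreeStageFilter(SIGNATURES).scan(SAMPLE_CODE)


if __name__ == "__main__":
    print(scan_sample())   # [('sig_mz_header', 2, 6), ('sig_prologue', 8, 11)]
```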
The second embodiment improves the traditional bloom filter, enhances the accuracy of virus correct identification, reduces the probability of false identification of antivirus software, and further provides safety guarantee for the safety of local industrial control equipment.
It should be noted that, in an embodiment, after the matching of the target word with the virus preset data in step S202C, the method further includes:
scoring the matching result, associating the result score with the service or process of the detected target program, and recording the association score;
It can be understood that if the target program is detected to be a virus, the local industrial control equipment can give the target program a negative score. The scoring standard can be determined by how quickly the local industrial control equipment obtained the matching result: if the matching result was obtained quickly, the target program carries a virus feature that is easy to detect, so a negative score of lower absolute value is given to indicate that it is easy to detect, and at the next disinfection the industrial control equipment need not allocate larger hardware resources according to the recorded association score, thus reducing resource consumption;
if the local industrial control equipment obtained the matching result slowly, the target program carries a virus feature that is hard to detect, so a negative score of higher absolute value is given to indicate that a longer time is required to identify the virus, and at the next disinfection the local industrial control equipment can allow a larger hardware resource consumption according to the recorded association score, which speeds up virus detection and saves the user's time.
Example III
In the third embodiment, in order to further ensure accuracy of virus judgment and enhance safe operation of local industrial control equipment, the present embodiment combines a bloom filter-related technique with a neural network model (machine learning) -related technique.
Specifically, before the virus is finally processed, the method further includes:
step S01, inputting a training set of a virus sample into an initial network model, wherein the initial network model comprises neuron parameters, the virus sample comprises a training set and a verification set, and the virus sample comprises at least one of file attribute, version information, digital signature and other metadata information so as to improve the accuracy of identifying viruses;
The present embodiment may use at least the following neural network models as the initial network model: ShuffleNet, RepVGG, EfficientNet, MobileNet, SqueezeNet and Xception; the backbone model best suited to learning the virus sample training set can be selected from these by K-fold cross-validation. For example, for each of the six neural network models above, the data set is divided into K equal subsets; the model is trained on K-1 subsets and tested on the remaining one, and this is repeated K times with a different verification subset each time. Finally the average of the K test errors is taken as the performance evaluation index of the model, and the optimal backbone model suitable for learning the virus sample training set is selected, which helps improve the accuracy of the model.
In a specific implementation, the initial network model includes a feature extractor and a feature classifier. The feature extractor comprises a plurality of convolutional neural network layers (convolution layers for short) and extracts sample feature vectors from the virus samples by convolving them several times; the feature classifier comprises a random inactivation (dropout) layer and a fully connected layer, with the random inactivation layer placed above the fully connected layer.
Step S02, training the initial network model through the training set, and fine-tuning the neuron parameters when the training of the initial network model reaches a target preset training condition so as to convert the initial network model into a neural network model;
The preset condition may be reaching a certain number of training iterations: for example, with ten thousand virus samples, one learning round (epoch) trains the model once over them; if the preset condition is 3000 iterations, then when the training rounds of the model reach 3000, the neuron parameters are fine-tuned, the training sample feature vectors at the point the target preset training condition is reached are extracted through the convolution layer and passed to the random inactivation layer, and a neural network model for verifying the current system state information of the local industrial control equipment is generated;
Correspondingly, the step S202C matches the target word with the virus preset data, and after outputting the matching result, the method further includes:
step S501, inputting the feature binary code of the target program service to the neural network model, identifying the feature binary code by the verification set, and outputting a virus identification result;
Specifically, the convolution layer extracts the feature vectors of the verification samples in the verification set of the virus sample, the verification sample feature vectors are compared with the feature binary code, the comparison result is passed from the random inactivation layer through the fully connected layer, and finally the virus identification result is obtained.
And step S502, carrying out weighted summation processing on the virus identification result and the matching result to obtain a virus final result.
It can be understood that in this embodiment, the characteristic binary code infected with the virus program is analyzed by the neural network model, and the neural network model is a model trained by the training set of the virus sample, and the virus identification result given by the neural network model and the matching result obtained by the bloom filter are respectively given different weights to be combined to obtain the final virus result;
The third embodiment has the beneficial effects that: the bloom filter is matched with the neural network model technology to identify viruses, so that the accuracy and the safety of virus judgment are improved, and whether the service or the process is the viruses can be more comprehensively analyzed and evaluated.
Example IV
As shown in fig. 3, the present invention further provides a virus processing apparatus, including:
the acquisition module 10 is used for acquiring the system current state information of the local industrial control equipment;
the virus identification module 20 is configured to match the current state information of the system with virus preset data in a virus library;
the analysis module 30 is configured to analyze whether the current state information of the system has a preset abnormal feature if the current state information of the system is not successfully matched with the preset virus data;
the whitelist module 40 is configured to perform virus processing on the current state information of the system when the current state information of the system has a preset abnormal characteristic and the matching between the current state information of the system and a whitelist program in a preset whitelist is unsuccessful.
It should be noted that, the above device may be understood as a piece of data security software installed in the local industrial control device; the data security software may be antivirus software. After the local industrial control device opens the antivirus software application, the antivirus software application may execute the collection module 10, the virus identification module 20, the analysis module 30, and the whitelist module 40 in that order.
The content of information interaction and execution process between the above devices/units is based on the same conception as the method embodiment of the present application, and specific functions and technical effects thereof may be found in the method embodiment section, and will not be described herein.
An embodiment of the present invention provides an industrial control device, as shown in fig. 4, and fig. 4 is a schematic structural diagram of the industrial control device provided in an embodiment of the present application. The industrial control device may be an automated host device deployed at an industrial plant.
The industrial control device of this embodiment includes a processor 01, a memory 02 and an industrial control program which is stored in the memory and can run on the processor, wherein the processor realizes the steps in the method embodiment of the application when executing the industrial control program. The industrial control program can be data security software, such as an antivirus software application.
It will be appreciated by those skilled in the art that fig. 4 is merely an example of an industrial control device and is not meant to be limiting; the device may include more or fewer components than shown, combine certain components, or use different components.
The processor 01 may be a central processing unit (Central Processing Unit, CPU), or another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory may in some embodiments be the internal storage unit, such as a hard disk or a memory of an industrial control device. The memory may also be an external storage device of the industrial control device in other embodiments, for example, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like.
In the foregoing embodiments, each embodiment has its own emphasis; for parts not described or illustrated in detail in one embodiment, reference is made to the related descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/network device and method may be implemented in other manners. For example, the apparatus/network device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. A method of virus treatment, the method comprising:
collecting system current state information of local industrial control equipment;
matching the current state information of the system with virus preset data in a virus library;
If the current state information of the system is not successfully matched with the virus preset data, whether preset abnormal characteristics exist in the current state information of the system or not is analyzed;
and when the current state information of the system has preset abnormal characteristics and the matching of the current state information of the system and a white list program in a preset white list is unsuccessful, carrying out virus processing on the current state information of the system.
2. The method of claim 1, wherein said analyzing whether the system current state information has a preset anomaly characteristic comprises:
comparing the current value of the index in the current state information of the system with a preset abnormal threshold value;
and if the current value of the index is larger than the preset abnormal threshold value, judging that the current state information of the system has preset abnormal characteristics.
3. The method of claim 1, wherein said analyzing whether the system current state information has a preset anomaly characteristic comprises:
acquiring system history state information of the local industrial control equipment;
calculating baseline threshold information of the local industrial control equipment based on the system history state information;
comparing the current value of the index in the current state information of the system with the baseline threshold information, and if the current value of the index is larger than the baseline threshold information, judging that the current state information of the system has preset abnormal characteristics.
4. The method of claim 1, wherein said matching the system current state information with virus preset data in a virus library comprises:
using a bloom filter to check the target program service in the current state information of the system and outputting abnormal service characteristics;
matching the abnormal service characteristics with virus preset data in a virus library by using a characteristic matching engine, and judging that the abnormal service characteristics are viruses if the matching is successful; and if the matching fails, executing the step of analyzing whether the current state information of the system has preset abnormal characteristics.
5. The method of claim 4, wherein the bloom filter includes a first hash structure, a second hash structure, and a third hash structure, wherein the first hash structure, the second hash structure, and the third hash structure are each data structures of a vector table having a plurality of elements, each element of the first hash structure includes a smaller number of bits than each element of the second hash structure, and each element of the second hash structure includes a smaller number of bits than each element of the third hash structure;
Accordingly, the use of a bloom filter to examine the target program service in the current state information of the system and output abnormal service features includes:
extracting segments of feature binary codes from target program services in current state information of the system, inputting each segment of the feature binary codes into a first hash structure of the bloom filter, treating the segments as word bars in a feature dictionary, and enabling the first hash structure to output appearance positions of the word bars to be detected, wherein the appearance positions of the word bars to be detected represent positions of two adjacent bytes in the feature binary codes;
inputting the appearance position of the character strip to be detected into the second hash structure, so that the second hash structure carries out hash mapping calculation on the character strip to be detected, and the second hash structure outputs the hash value of the character strip to be detected;
and inputting the appearance position of the character strip to be detected and the hash value of the character strip to be detected into the third hash structure, so that the third hash structure outputs the character strip to be detected and the appearance position thereof as an abnormal service feature when determining that the hash value of the character strip to be detected corresponds to the termination position in the feature binary code.
6. The method of claim 5, wherein the virus library comprises a plurality of subsets of virus libraries;
correspondingly, the matching the abnormal service feature with the virus preset data in the virus library by using the feature matching engine comprises the following steps:
acquiring a mapping relation between each appearance position of each character bar to be detected and a virus library subset of the virus library;
determining a target word from the word to be detected according to the mapping relation, and acquiring virus preset data related to the mapping relation;
and matching the target word with the virus preset data, and outputting a matching result.
7. The method of claim 6, further comprising:
inputting a training set of virus samples into an initial network model, the initial network model comprising neuron parameters, wherein the virus samples comprise a training set and a verification set, and the virus samples comprise at least one of file attributes, version information and digital signatures;
training the initial network model through the training set, and fine-tuning the neuron parameters when the training of the initial network model reaches a target preset training condition so as to convert the initial network model into a neural network model;
Correspondingly, the target word is matched with the virus preset data, and after a matching result is output, the method further comprises the steps of:
inputting the characteristic binary codes of the target program service into the neural network model, identifying the characteristic binary codes through the verification set, and outputting a virus identification result;
and carrying out weighted summation processing on the virus identification result and the matching result to obtain a virus final result.
8. The method of claim 4, wherein the abnormal service feature is determined to be a virus when the abnormal service feature successfully matches virus preset data in a virus library;
closing the virus process of the target program service, and performing virus killing treatment on the executable files related to the target program service;
alarming and prompting the current state information of the system and/or the preset abnormal characteristics;
and/or
And uploading virus characteristic information related to the virus process to the virus library for storage.
9. A virus handling device, the device comprising:
the acquisition module is used for acquiring the current state information of the system of the local industrial control equipment;
the virus identification module is used for matching the current state information of the system with virus preset data in a virus library;
the analysis module is used for analyzing whether preset abnormal characteristics exist in the current state information of the system if the current state information of the system is not successfully matched with the virus preset data;
and the white list module is used for carrying out virus processing on the current state information of the system when the current state information of the system has preset abnormal characteristics and the matching of the current state information of the system and a white list program in a preset white list is unsuccessful.
10. An industrial control device comprising a memory, a processor and an industrial control program stored in the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 8 when executing the industrial control program.
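The decision flow of claims 1 and 6 to 9 (library subset lookup per word, white-list check on anomalous services, and the claim 7 weighted fusion), as an added example that is not the patent's own code; the library contents, white list, abnormal feature names, prefix-based subset mapping and fusion weights are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed virus library, partitioned into subsets (claim 6): the word's prefix
# before "_" is the assumed mapping key, so only one subset is scanned per word.
VIRUS_LIBRARY = {
    "svc": {"svc_dropper.exe", "svc_miner.exe"},
    "plc": {"plc_wiper.dll"},
}
WHITELIST = {"plc_runtime.exe", "hmi_server.exe"}            # constructed preset white list
ABNORMAL_FEATURES = {"unsigned", "writes_firmware", "spawns_shell"}  # constructed preset abnormal features


@dataclass
class ServiceState:
    """Current state information collected for one program service (constructed)."""
    name: str
    features: set = field(default_factory=set)


def library_subset(word: str) -> set:
    """Claim 6 mapping relation: word -> virus library subset (prefix key is an assumption)."""
    return VIRUS_LIBRARY.get(word.split("_", 1)[0], set())


def match_library(word: str) -> bool:
    """Match the target word only against its mapped subset, not the whole library."""
    return word in library_subset(word)


def fuse(nn_score: float, matched: bool, w_nn: float = 0.6, w_sig: float = 0.4) -> float:
    """Claim 7 weighted summation of the neural-network result and the library match result."""
    return w_nn * nn_score + w_sig * float(matched)


def classify(state: ServiceState, nn_score: float) -> tuple:
    """Claims 1/8/9 decision. nn_score stands in for the neural network output (assumed in [0, 1]).

    Returns (verdict, final_score). Only "virus" verdicts trigger virus processing
    (close process, clean executables, alarm, upload features, per claim 8).
    """
    matched = match_library(state.name)
    final = fuse(nn_score, matched)
    if matched:                                   # known sample in the library
        return "virus", final
    anomalous = bool(state.features & ABNORMAL_FEATURES)
    if anomalous and state.name not in WHITELIST:  # unknown but anomalous and untrusted
        return "virus", final
    if anomalous:                                 # anomalous but white-listed: false-positive guard
        return "whitelisted", final
    return "benign", final
```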
CN202311585584.9A 2023-11-24 2023-11-24 Virus processing method and device and industrial control equipment Pending CN117688561A (en)

Publications (1)

Publication Number Publication Date
CN117688561A true CN117688561A (en) 2024-03-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination