CN101576947B - Method, device and system for file protection treatment - Google Patents


Info

Publication number: CN101576947B
Authority: CN (China)
Prior art keywords: file, value, reputation, user, query
Application number: CN 200910086495
Priority date: 2009-06-05
Filing date: 2009-06-05
Publication date: 2009-11-11 (CN101576947A), 2012-08-08 (CN101576947B)
Other languages: Chinese (zh)
Other versions: CN101576947A (en)
Inventor: 蒋武
Original Assignee: 成都市华为赛门铁克科技有限公司
Application filed by 成都市华为赛门铁克科技有限公司
Priority to CN 200910086495 (CN101576947B)
Publication of CN101576947A
Application granted
Publication of CN101576947B

Abstract

Embodiments of the invention relate to a method, an apparatus and a system for file protection processing. The method comprises: obtaining a file that a user requests to access; extracting a feature value of the file; querying a preset file reputation database, according to the extracted feature value, for the reputation value corresponding to the file; and performing protection processing on the requested file when the queried reputation value is lower than a preset threshold. By obtaining the requested file, extracting its feature value, looking up the file's reputation value in the file reputation service device by that feature value, and applying protection processing when the reputation value is below the preset threshold, the method, apparatus and system effectively prevent the large-scale spread of malicious files in the network.

Description

File protection processing method, apparatus and system

Technical field

[0001] The present invention relates to computer technology, and in particular to a file protection processing method, apparatus and system.

[0002] With the rapid development of computer technology, network security receives more and more attention, and defending against malicious code, especially non-filterable malicious code, has become more important.

[0003] At present there is no standard method for defending against malicious code. The commonly used methods are signature (feature-code) detection, checksum methods and behaviour detection. Taking the checksum method as an example: a checksum is computed over the content of a known-good file and written into the file itself or stored in another file. While the file is in use, periodically or before each use, the checksum computed over the file's current content is compared with the stored one, so that infection of the file can be detected. All three methods have drawbacks; for example, the checksum method cannot identify the type or name of the malicious code, and therefore cannot prevent the large-scale spread of malicious files in the network.

[0004] Embodiments of the present invention provide a file protection processing method, apparatus and system, so as to effectively prevent the large-scale spread of malicious files in a network.

[0005] An embodiment of the present invention provides a file protection processing method, which includes:

[0006] obtaining a file that a user requests to access;

[0007] extracting a feature value of the file, the feature value being a hash value obtained by computing a hash algorithm over the content of the file;

[0008] querying, according to the extracted feature value, a preset file reputation database for the reputation value corresponding to the file, and, when the queried reputation value is lower than a preset threshold, performing protection processing on the file the user requests to access.

[0009] An embodiment of the present invention provides a file protection processing apparatus, which includes:

[0010] an obtaining module, configured to obtain a file that a user requests to access;

[0011] an extraction module, configured to extract a feature value of the file, the feature value being a hash value obtained by computing a hash algorithm over the content of the file;

[0012] a processing module, configured to query, according to the extracted feature value, a preset file reputation database for the reputation value corresponding to the file, and, when the queried reputation value is lower than a preset threshold, to perform protection processing on the file the user requests to access.

[0013] An embodiment of the present invention provides a file protection processing system, which includes:

[0014] a file reputation service device, configured to store reputation values of files;

[0015] a file protection processing apparatus, configured to obtain a file that a user requests to access, extract a feature value of the file, query the file reputation service device for the reputation value of the file according to the extracted feature value, and, when the queried reputation value is lower than a preset threshold, perform protection processing on the file; the feature value being a hash value obtained by computing a hash algorithm over the content of the file.

[0016] The above file protection processing method, apparatus and system obtain the file that the user requests to access, extract its feature value, query the file reputation service device for the file's reputation value according to that feature value, and perform protection processing on the file when the queried reputation value is lower than the preset threshold, thereby effectively preventing the large-scale spread of malicious files in the network.

[0017] Fig. 1 is a schematic structural diagram of an embodiment of the file protection processing system of the present invention;

[0018] Fig. 2 is a schematic structural diagram of an embodiment of the file reputation service device of the present invention;

[0019] Fig. 3 is a schematic structural diagram of an embodiment of the file protection processing apparatus of the present invention;

[0020] Fig. 4 is a flowchart of embodiment 1 of the file protection processing method of the present invention;

[0021] Fig. 5 is a flowchart of embodiment 2 of the file protection processing method of the present invention;

[0022] Fig. 6 is a schematic structural diagram of application scenario 1 of the file protection processing method of the present invention;

[0023] Fig. 7 is a schematic structural diagram of application scenario 2 of the file protection processing method of the present invention;

[0024] Fig. 8 is a schematic structural diagram of application scenario 3 of the file protection processing method of the present invention;

[0025] Fig. 9 is a schematic structural diagram of application scenario 4 of the file protection processing method of the present invention.

Detailed description of embodiments

[0026] The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.

[0027] Fig. 1 is a schematic structural diagram of an embodiment of the file protection processing system of the present invention. The system includes a file reputation service device 1 and a file protection processing apparatus 2. The file reputation service device 1 is configured to extract the feature values of files accessed by users in the network, obtain the reputation values of those files, and store the feature values together with their corresponding reputation values. The file protection processing apparatus 2 is configured to obtain a file that a user requests to access, extract the feature value of the file, query the file reputation service device 1 for the file's reputation value according to the extracted feature value, and, when the queried reputation value is lower than the preset threshold, perform protection processing on the file the user requests to access.

[0028] The preset threshold may be set in advance according to the specific situation or from experience. The protection processing includes returning alarm information and, when the user, according to the alarm information, indicates that file access should be stopped, intercepting the file, thereby providing active protection.

[0029] In the file protection processing system of this embodiment, when the reputation database is not cached locally, the file protection processing apparatus may further upload sample information of the file to the file reputation service device, so that the file reputation service device evaluates the reputation of the file and obtains a reputation value for it.

[0030] In the file protection processing system of this embodiment, the file reputation service device 1 may include an extraction module 11, a detection module 12 and a storage module 13. The extraction module 11 is configured to extract the feature values of files accessed by users in the network, for example by computing a hash algorithm over the file content to obtain the file's feature value, that is, an attribute unique to the file such as the hash result. The files whose feature values the extraction module 11 has extracted may not include the file the current user is accessing. In that case the file protection processing apparatus finds no reputation value corresponding to the file, and may report sample information of the file to the file reputation service device, which may then evaluate the reputation of the reported sample. The detection module 12 of the file reputation service device is configured to obtain the sample information of the file, detect (analyse) the obtained sample information, and assign a reputation value to the file according to the detection result: when the detection module 12 detects that the file contains malicious code, it assigns the file a lower reputation value; when it detects no malicious code, it assigns a higher reputation value.
The storage module 13 is configured to store the reputation values of files, so that the file protection processing apparatus 2 can query them.

[0031] The file reputation service device assigns reputation values mainly by collecting samples of the files that users in the network have accessed, detecting and analysing the content of those files to identify whether they are malicious, and assigning each file a reputation value according to the result. As shown in Fig. 2, the file reputation service device collects files that users have accessed on the network through a file sample collection module and stores their content in a file sample library. Analysis engines (analysis engine 1, analysis engine 2, analysis engine 3, and so on) continuously read the data downloaded from the files, including small attachments, and apply downloaded-executable feature detection, embedded-trojan ("挂马") detection, script virus detection and the like to that data. The detection results are then evaluated to obtain a reputation value, which is recorded in the file reputation database.

[0032] In the above system embodiment, the file feature values and their corresponding reputation values stored by the file reputation service device may collectively be called reputation data. The reputation data may contain the information shown in Table 1.

[0033] Table 1 Reputation data structure

[0034] (Table 1 is an image in the original; its columns, as listed in [0035], are:)

File name | File size | First seen | Last seen | Hash result | Hit count | Reputation value

[0035] Here, file name is the name of the propagating file; file size is the size of the file; first seen is the time the file was first discovered; last seen is the time the file was most recently discovered; hash result is the recorded result of a specific hash computation over the file content; hit count is the number of times the file has been observed propagating in the network; and reputation value is the reputation assigned to the file after security evaluation.
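The reputation-service side described in [0030], [0031] and Table 1, as an added example (not the patent's own code, nor Huawei Symantec's): three stand-in analysis engines, a penalty-based scoring step that turns engine findings into a reputation value, and a store that keeps the Table 1 fields keyed by the file hash so the gateway can query by feature value. The engine heuristics, the penalty weights, SHA-256 as the hash algorithm and the 0 to 100 reputation scale are all assumptions; the sample files are constructed and contain no real malware.

```python
"""Reputation service: sample ingestion, analysis engines, scoring, Table 1 store.
Added example; engines, weights, hash choice and scale are assumptions."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ReputationRecord:
    """One row of Table 1 ([0035])."""
    file_name: str
    file_size: int
    first_seen: int        # epoch seconds of first observation
    last_seen: int         # epoch seconds of most recent observation
    hash_result: str       # hex SHA-256 over file content (assumed algorithm)
    hit_count: int         # times the file was seen propagating
    reputation_value: int  # 0 = malicious .. 100 = clean (assumed scale)


def feature_value(content: bytes) -> str:
    """Feature value of [0007]: a hash over the file content."""
    return hashlib.sha256(content).hexdigest()


# --- stand-in analysis engines ([0031]); each returns finding labels ---
def exe_feature_engine(content: bytes) -> List[str]:
    """'Downloaded executable feature detection': PE image with downloader strings."""
    findings = []
    if content.startswith(b"MZ"):
        findings.append("pe_executable")
        if re.search(rb"(?i)URLDownloadToFile|WinExec|cmd\.exe", content):
            findings.append("pe_downloader_api")
    return findings


def iframe_engine(content: bytes) -> List[str]:
    """'挂马' (embedded-trojan) detection: zero-sized iframe in HTML."""
    if re.search(rb"(?i)<iframe[^>]+(width|height)\s*=\s*[\"']?0", content):
        return ["hidden_iframe"]
    return []


def script_engine(content: bytes) -> List[str]:
    """'Script virus detection': the eval(unescape(...)) obfuscation idiom."""
    if re.search(rb"(?i)eval\s*\(\s*unescape\s*\(", content):
        return ["eval_unescape"]
    return []


ENGINES: List[Callable[[bytes], List[str]]] = [exe_feature_engine, iframe_engine, script_engine]
PENALTY = {"pe_executable": 10, "pe_downloader_api": 70, "hidden_iframe": 60, "eval_unescape": 50}


def evaluate(content: bytes) -> int:
    """Detection module of [0030]: lower value when malicious code is found."""
    score = 100
    for engine in ENGINES:
        for label in engine(content):
            score -= PENALTY.get(label, 0)
    return max(score, 0)


class ReputationDatabase:
    """Storage module of [0030], keyed by hash for lookup by feature value."""

    def __init__(self) -> None:
        self.records: Dict[str, ReputationRecord] = {}

    def ingest_sample(self, file_name: str, content: bytes, seen_at: int) -> ReputationRecord:
        h = feature_value(content)
        rec = self.records.get(h)
        if rec is None:   # first sighting: evaluate and create the row
            rec = ReputationRecord(file_name, len(content), seen_at, seen_at, h, 0, evaluate(content))
            self.records[h] = rec
        rec.hit_count += 1                       # repeat sighting: only counters move
        rec.last_seen = max(rec.last_seen, seen_at)
        return rec

    def lookup(self, hash_result: str) -> Optional[int]:
        rec = self.records.get(hash_result)
        return None if rec is None else rec.reputation_value


# Constructed sample files (no real malware): clean text, hidden-iframe page, PE-like blob.
SAMPLES = {
    "readme.txt": b"Quarterly report, nothing to see here.\n",
    "index.html": b"<html><body><iframe src=\"http://x.example/\" width=0 height=0></iframe></body></html>",
    "setup.exe": b"MZ" + b"\x00" * 64 + b"URLDownloadToFileA\x00cmd.exe",
}


def build_demo_db() -> ReputationDatabase:
    db = ReputationDatabase()
    for t, (name, content) in enumerate(SAMPLES.items(), start=1_600_000_000):
        db.ingest_sample(name, content, t)
    db.ingest_sample("index.html", SAMPLES["index.html"], 1_600_000_010)  # second sighting
    return db


if __name__ == "__main__":
    for rec in build_demo_db().records.values():
        print(rec)
```

The store is deliberately keyed by the content hash rather than by file name: two files with the same bytes share one row regardless of what they are called, and a repeat sighting only increments the hit count and advances last seen, leaving the evaluated reputation untouched.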

[0036] Fig. 3 is a schematic structural diagram of an embodiment of the file protection processing apparatus of the present invention. The file protection processing apparatus includes an obtaining module 21, an extraction module 22 and a processing module 23. The obtaining module 21 is configured to obtain a file that a user requests to access. The extraction module 22 is configured to extract the feature value of the file, for example by hashing the content of the file obtained by the obtaining module 21 to obtain the file's feature value. The processing module 23 is configured to query, according to the extracted feature value, a preset file reputation database for the reputation value corresponding to the file, and, when the queried reputation value is lower than the preset threshold, to perform protection processing on the file the user requests to access. The file reputation database may be stored in a local cache; the reputation values are as described in the system embodiment above; the preset threshold can be set as required, and the processing module performs protection processing when the queried reputation value is lower than that threshold.

[0037] In addition, the processing module may include a returning unit, configured to return alarm information, and an intercepting unit, configured to intercept the file when the user, according to the alarm information, indicates that file access should be stopped; together these implement protection processing for malicious files.

[0038] The file protection processing apparatus may further include an uploading unit, configured to upload sample information of the file for evaluation of its reputation value when no reputation value corresponding to the file the user requests to access is found in the preset reputation database. The file protection processing apparatus may be located in any of various gateway devices.

[0039] The file protection processing method based on the above apparatus is shown in Fig. 4 and includes:

[0040] Step 101: obtain the file that the user requests to access;

[0041] Step 102: extract the feature value of the file;

[0042] after the files the user requests to access have been obtained, a hash algorithm is computed over the content of each file to obtain the file's hash value;

[0043] Step 103: query the file reputation database according to the feature value;

[0044] the file reputation database is held in the cache of the file reputation service device, i.e. the file reputation center, which provides a file reputation query service to external parties;

[0045] Step 104: determine whether the file reputation database contains a reputation value corresponding to the file; if so, go to step 105, otherwise go to step 106;

[0046] Step 105: determine whether the file's reputation value is lower than the preset threshold; if it is not lower, allow the file through; otherwise, intercept the file (this is the direction used by the claims and by [0008], [0012] and [0036]: a low reputation value triggers protection processing);

[0047] after the gateway intercepts the file, it may also send an alarm page to the user, who then decides whether to continue browsing;

[0048] Step 106: when the preset file reputation database contains no reputation value corresponding to the file the user requests to access, collect the file as a sample and report its sample information to the file reputation center so that the file's reputation value can be evaluated.
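Steps 101 to 106 above, together with the alarm-and-override behaviour of [0028] and [0058], put together as a runnable sketch of the gateway side. This is an added example, not code from the patent or from Huawei Symantec: SHA-256 as the hash, the 0 to 100 reputation scale, the threshold of 50, the shape of the local cache (claim 2) and the wording of the alarm page are assumptions. Because the lookup is an exact match on the content hash, a file whose bytes differ in any way from a known sample hashes to an unknown value and takes the step 106 path (sample reported) rather than inheriting the known file's reputation.

```python
"""Gateway side: hash the requested file, query the cached reputation database,
release at or above the threshold, alarm/intercept below it, report unknown samples.
Added example; threshold, scale, cache layout and alarm page are assumptions."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Verdict(Enum):
    RELEASE = "release"   # at/above threshold, or the user chose to continue after the alarm
    BLOCK = "block"       # below threshold and not overridden: file intercepted
    UNKNOWN = "unknown"   # no cached reputation; sample reported (step 106)


@dataclass
class Decision:
    verdict: Verdict
    hash_result: str
    reputation: Optional[int]
    alarm_page: Optional[str] = None   # forged response page shown to the user ([0058])


def feature_value(content: bytes) -> str:
    """Step 102: hash over the file content (SHA-256 is an assumption)."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class FileReputationGateway:
    cache: Dict[str, int]                                   # local cache: hash -> reputation
    threshold: int = 50                                     # preset threshold (assumed value)
    ask_user: Optional[Callable[[str], bool]] = None        # True if the user continues browsing
    reported_samples: List[str] = field(default_factory=list)  # step 106 upload queue

    def handle_request(self, url: str, content: bytes) -> Decision:
        h = feature_value(content)                          # step 102
        rep = self.cache.get(h)                             # steps 103-104
        if rep is None:                                     # step 106: unknown file
            self.reported_samples.append(h)
            return Decision(Verdict.UNKNOWN, h, None)
        if rep >= self.threshold:                           # step 105: not below threshold
            return Decision(Verdict.RELEASE, h, rep)
        page = self.alarm_page(url, rep)                    # below threshold: alarm ([0028])
        if self.ask_user is not None and self.ask_user(page):
            return Decision(Verdict.RELEASE, h, rep, page)  # user continues: release ([0058])
        return Decision(Verdict.BLOCK, h, rep, page)        # otherwise intercept

    def alarm_page(self, url: str, rep: int) -> str:
        """Forged response page; wording is an assumption."""
        return (f"<html><body><h1>Warning</h1><p>{url} has reputation {rep} "
                f"(threshold {self.threshold}). Continue?</p></body></html>")


# Constructed request payloads and a constructed cache (not real data).
GOOD = b"%PDF-1.4 constructed clean document"
BAD = b"MZ constructed suspicious executable"
NEW = b"never seen before"
DEMO_CACHE = {feature_value(GOOD): 95, feature_value(BAD): 10}


def run_demo(user_continues: bool = False) -> List[Decision]:
    """Three requests: a known-good file, a known-bad file, an unknown file."""
    gw = FileReputationGateway(cache=dict(DEMO_CACHE), ask_user=lambda page: user_continues)
    return [gw.handle_request("http://example.test/a.pdf", GOOD),
            gw.handle_request("http://example.test/b.exe", BAD),
            gw.handle_request("http://example.test/c.bin", NEW)]


if __name__ == "__main__":
    for d in run_demo():
        print(d.verdict.value, d.hash_result[:12], d.reputation)
```

Without an `ask_user` callback the gateway blocks outright, which corresponds to the first option in [0058] (direct blocking on low reputation); with the callback it behaves like the alarm-page variant, releasing only when the user explicitly chooses to continue.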

[0049] The sample information of the file may be reported to the file reputation center, which evaluates file reputation.

[0050] The above file protection processing method obtains the file that the user requests to access, extracts its feature value, queries the file reputation service device for the file's reputation value according to that feature value, and performs protection processing on the file when the queried reputation value is lower than the preset threshold, thereby effectively preventing the large-scale spread of malicious files in the network.

[0051] Fig. 5 is a flowchart of embodiment 2 of the file protection processing method of the present invention. The method includes:

[0052] Step 201: obtain the file that the user requests to access;

[0053] Step 202: extract the feature value of the file, and query a preset file reputation database, according to the extracted feature value, for the reputation value corresponding to the file;

[0054] Step 203: when the queried reputation value is lower than the preset threshold, perform protection processing on the file the user requests to access.

[0055] In this embodiment, by querying the reputation value of each file a user accesses and blocking the file when that value is low, every file accessed by users can be blocked or released according to its queried reputation value and the preset threshold, which effectively solves the problem of large-scale spread of malicious files.

[0056] The file protection processing method provided by the embodiments may be applied in the deployment scenarios shown in Figs. 6, 7, 8 and 9. Fig. 6 shows a bypass (out-of-path) deployment of file reputation filtering: the service monitoring system is deployed on a bypass and includes a traffic diversion platform a, a service monitoring gateway (SIG) b and a File Reputation Service (FRS) c. Fig. 7 shows an inline (in-path) deployment of file reputation filtering, in which d is the gateway device. Fig. 8 shows a Terminal Security Management (TSM) endpoint scenario for the file reputation service, in which e is a virtual private network (VPN) gateway, f is a domain management server, g is an antivirus server and h is a patch server. Fig. 9 shows a wireless scenario for the file reputation service, in which the Gateway GPRS Support Node (GGSN) i is connected to the Serving GPRS Support Node (SGSN) j.

[0057] When the file protection processing method of the embodiments is applied in the scenarios of Figs. 6 to 9, step 202 may be performed by the SIG, the gateway device, Secospace SA or the GGSN respectively: it monitors the file access requests that users initiate towards the Internet, extracts the feature value of the file, and sends it to the file reputation service device, e.g. a file reputation center, for a reputation query; the file reputation center makes its determination and returns the reputation value.

[0058] Step 203 may likewise be performed by the SIG, the gateway device, Secospace SA or the GGSN respectively, which judge the reputation value returned by the file reputation center and perform protection processing. For example, a file whose reputation value is below the policy-set value may be blocked outright, or a forged response page may additionally be returned to alert the user; further, the user may decide according to the alert whether to continue browsing. If the user indicates that browsing should continue, the access request is processed no further, i.e. the file is released; if the user indicates that it should not, the file is blocked.

[0059] In the above embodiments, the file reputation service device detects files in advance and assigns them reputation values that gateway devices such as the service monitoring gateway (SIG), Secospace SC and the GGSN can query, ensuring that every gateway device can block or release files according to the reputation data stored in the file reputation service device and thus avoiding harm from malicious web pages.

[0060] Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be implemented by hardware under the direction of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.

[0061] Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or equivalently substituted without departing from its spirit and scope.

Claims (10)

1. A file protection processing method, comprising: obtaining a file that a user requests to access; extracting a feature value of the file, the feature value being a hash value obtained by computing a hash algorithm over the content of the file; and querying, according to the extracted feature value, a preset file reputation database for the reputation value corresponding to the file, and, when the queried reputation value is lower than a preset threshold, performing protection processing on the file the user requests to access.
2. The file protection processing method according to claim 1, wherein the file reputation database is stored in a local cache.
3. The file protection processing method according to claim 1, wherein performing protection processing on the file the user requests to access when the queried reputation value is lower than the preset threshold comprises: returning alarm information; and intercepting the file when the user, according to the alarm information, indicates that file access should be stopped.
4. The file protection processing method according to claim 1, further comprising: when no reputation value corresponding to the file the user requests to access is found in the preset reputation database, uploading sample information of the file for evaluation of the file's reputation value.
5. A file protection processing apparatus, comprising: an obtaining module, configured to obtain a file that a user requests to access; an extraction module, configured to extract a feature value of the file, the feature value being a hash value obtained by computing a hash algorithm over the content of the file; and a processing module, configured to query, according to the extracted feature value, a preset file reputation database for the reputation value corresponding to the file, and, when the queried reputation value is lower than a preset threshold, to perform protection processing on the file the user requests to access.
6. The file protection processing apparatus according to claim 5, wherein the file reputation database is stored in a local cache.
7. The file protection processing apparatus according to claim 5, wherein the processing module comprises: a returning unit, configured to return alarm information; and an intercepting unit, configured to intercept the file when the user, according to the alarm information, indicates that file access should be stopped.
8. The file protection processing apparatus according to claim 5, further comprising: an uploading unit, configured to upload sample information of the file for evaluation of the file's reputation value when no reputation value corresponding to the file the user requests to access is found in the preset reputation database.
9. A file protection processing system, comprising: a file reputation service device, configured to extract the feature values of files accessed by users in the network, obtain the reputation values of the files, and store the feature values together with their corresponding reputation values; and a file protection processing apparatus, configured to obtain a file that a user requests to access, extract the feature value of the file, query the file reputation service device for the reputation value of the file according to the extracted feature value, and, when the queried reputation value is lower than a preset threshold, perform protection processing on the file the user requests to access; the feature value being a hash value obtained by computing a hash algorithm over the content of the file.
10. The file protection processing system according to claim 9, wherein the file reputation service device comprises: an extraction module, configured to extract the feature values of files accessed by users in the network; a detection module, configured to obtain sample information of the file, detect the obtained sample information, and assign a reputation value to the file according to the detection result; and a storage module, configured to store the feature values and their corresponding reputation values.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910086495 CN101576947B (en) 2009-06-05 2009-06-05 Method, device and system for file protection treatment

Publications (2)

Publication Number Publication Date
CN101576947A CN101576947A (en) 2009-11-11
CN101576947B true CN101576947B (en) 2012-08-08

Family

ID=41271881

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910086495 CN101576947B (en) 2009-06-05 2009-06-05 Method, device and system for file protection treatment

Country Status (1)

Country Link
CN (1) CN101576947B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103150518B (en) * 2013-03-22 2016-02-17 腾讯科技(深圳)有限公司 A method and apparatus for real-time file protection
CN104933059B (en) * 2014-03-18 2019-02-01 华为技术有限公司 File prestige acquisition methods, gateway and file reputation server
US9398036B2 (en) * 2014-09-17 2016-07-19 Microsoft Technology Licensing, Llc Chunk-based file acquisition and file reputation evaluation
CN106411891A (en) * 2016-09-29 2017-02-15 北京小米移动软件有限公司 File processing method, device, server-side and equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1625121A (en) 2003-12-05 2005-06-08 中国科学技术大学 Hierarchical cooperated network virus and malice code recognition method
US20070070921A1 (en) 2005-05-05 2007-03-29 Daniel Quinlan Method of determining network addresses of senders of electronic mail messages
CN1991830A (en) 2005-12-28 2007-07-04 腾讯科技(深圳)有限公司 Webpage mark extracting method
CN101008974A (en) 2007-01-26 2007-08-01 北京飞天诚信科技有限公司 Protection method and system of electronic document
US7523502B1 (en) 2006-09-21 2009-04-21 Symantec Corporation Distributed anti-malware

Also Published As

Publication number Publication date
CN101576947A (en) 2009-11-11

Similar Documents

Publication Publication Date Title
US9747445B2 (en) Method and apparatus for retroactively detecting malicious or otherwise undesirable software as well as clean software through intelligent rescanning
CN101401061B (en) Cascading security architecture
US9288220B2 (en) Methods and systems for malware detection
US20070016951A1 (en) Systems and methods for identifying sources of malware
JP2014519751A (en) Using DNS communication to filter domain names
KR100723867B1 (en) Apparatus and method for blocking access to phishing web page
EP2306357A2 (en) Method and system for detection of previously unknown malware
US7437761B2 (en) Computer virus generation detection apparatus and method
US9462009B1 (en) Detecting risky domains
US9083733B2 (en) Anti-phishing domain advisor and method thereof
US20070282855A1 (en) Access record gateway
US20180063190A1 (en) Method for identifying phishing websites and hindering associated activity
CN102419808B (en) Method, device and system for detecting safety of download link
US20140096246A1 (en) Protecting users from undesirable content
CN100374972C (en) System and method for detecting and defending computer worm
CN102801697B (en) Malicious code detection method and system based on plurality of URLs (Uniform Resource Locator)
US20090064337A1 (en) Method and apparatus for preventing web page attacks
WO2009023315A2 (en) Anti-content spoofing (acs)
US8806622B2 (en) Fraudulent page detection
WO2007092455A2 (en) A method and a system for outbound content security in computer networks
WO2007120383A2 (en) Client side attack resistant phishing detection
CN101924760B (en) Method and system for downloading executable file securely
US8024804B2 (en) Correlation engine for detecting network attacks and detection method
CN101558384B (en) Software vulnerability exploitation shield
CN102082836B (en) DNS (Domain Name Server) safety monitoring system and method

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.