CN101656632A - Virus monitoring method and virus monitoring device in large network - Google Patents
- Publication number: CN101656632A
- Authority: CN (China)
- Prior art keywords
- virus
- antivirus software
- equipment
- server
- agent side
- Legal status: Pending (the listed status is an assumption and is not a legal conclusion)
Abstract
The invention discloses a virus monitoring device for a large network, comprising a client, an agent (proxy end) and a server. The client serves as the system management platform of the virus monitoring device and handles interaction with the end user; the agent is connected to one or more antivirus software servers and performs scanning of the whole network and monitoring of viruses; the server exchanges data with the client and the agent, receives scan-related and virus-related data from the agent, processes and stores it, and provides the processed data to the client. The invention also discloses a virus monitoring method for a large network.
Description
Technical field
The present invention relates to information security technology and, more particularly, to a virus monitoring method and device for large networks.
Background technology
Virus prevention is an important means of ensuring the safe and stable operation of information systems and a key topic in the field of information security. In the financial industry in particular, the security of information systems is critical. At present, antivirus vendors at home and abroad have released many antivirus products, such as Symantec, Kill and McAfee. Besides standalone editions, these products also come in server-based network editions, which monitor the virus alert status of each computer in the network, manage virus database upgrades and provide various other management and monitoring functions; all information from the antivirus clients is forwarded to the database of the antivirus server.
However, the management and monitoring functions of the antivirus software in use today still cannot meet the actual management and monitoring needs of the financial industry: for example, reporting is incomplete, auditing is insufficient and the network monitoring scope is small. Moreover, the server side of an antivirus product can only monitor machines in the network on which that product's client is installed; it cannot manage machines that have no antivirus software or that run a different antivirus product. This creates blind spots in virus prevention and leaves a hidden danger for computer system security. For the financial industry, this hidden danger deserves particular attention.
Summary of the invention
The present invention aims to provide a virus monitoring device and a virus monitoring method for large networks, to meet the antivirus needs of complex large networks, especially financial industry networks.
According to embodiments of the invention, a virus monitoring device in a large network is provided, comprising:
A client, which serves as the system management platform of the virus monitoring device and handles interaction with the end user;
An agent, which is connected to one or more antivirus software servers and performs scanning of the whole network and monitoring of viruses;
A server, which exchanges data with the client and the agent, receives scan-related and virus-related data from the agent, processes and stores it, and provides the processed data to the client.
According to an embodiment, the agent scans each subnet in the network and divides the terminal devices in the subnet into the following four classes: inactive devices; devices with antivirus software installed; devices without antivirus software installed but with an operating system; and devices without an operating system installed.
According to an embodiment, the agent scans the subnet using the NMAP technique, wherein: if a terminal device does not respond to the ping command, it is classified as an inactive device; if the terminal device responds to the ping command and the dedicated port of the antivirus software can be connected, it is classified as a device with antivirus software installed, and the agent further resolves the host name of the terminal device; if the terminal device responds to the ping command and the dedicated port of the antivirus software cannot be connected but the operating system port can be connected, it is classified as a device without antivirus software installed but with an operating system, and the agent further resolves the host name of the terminal device; if the terminal device responds to the ping command and neither the dedicated port of the antivirus software nor the operating system port can be connected, it is classified as a device without an operating system installed.
The agent can be an application installed on the antivirus software server.
The server can comprise the following modules: an abnormal alarm module, which raises alarms for discovered viruses or for anomalies of the antivirus software server; a supervision and management module, which monitors the upgrade status of the virus database of the antivirus software server; an information query module, which queries virus information; and an information statistics module, which compiles statistics on virus information.
According to embodiments of the invention, a virus monitoring method in a large network is also provided, comprising:
Interacting with the end user through a client;
Through a server, instructing an agent to scan the network and monitor viruses according to the result of the interaction between the client and the end user;
The agent being connected to one or more antivirus software servers and performing the scanning of the network and the monitoring of viruses through the antivirus software servers;
The server receiving scan-related and virus-related data from the agent, processing and storing it, and providing the processed data to the client;
The client feeding the data back to the end user.
According to an embodiment, the agent scans each subnet in the network and divides the terminal devices in the subnet into the following four classes: inactive devices; devices with antivirus software installed; devices without antivirus software installed but with an operating system; and devices without an operating system installed.
According to an embodiment, the agent scans the subnet using the NMAP technique, wherein: the agent first contacts the terminal device with the ping command, and if the terminal device does not respond, it is classified as an inactive device; if the terminal device responds to the ping command, the agent connects to the dedicated port of the antivirus software, and if that port can be connected, the device is classified as a device with antivirus software installed and the agent further resolves the host name of the terminal device; if the dedicated port of the antivirus software cannot be connected, the agent connects to the operating system port, and if the operating system port can be connected, the device is classified as a device without antivirus software installed but with an operating system, and the agent further resolves the host name of the terminal device; if the operating system port cannot be connected, the device is classified as a device without an operating system installed.
The agent can be an application installed on the antivirus software server.
The server implements the following functions: abnormal alarm, raising alarms for discovered viruses or for anomalies of the antivirus software server; supervision and management, monitoring the upgrade status of the virus database of the antivirus software server; information query, querying virus information; and information statistics, compiling statistics on virus information.
The virus monitoring device and virus monitoring method of the present invention draw on a range of advanced information security, network management and data analysis techniques and tools, and are developed as an integrated system following the design concept of a security management system. They provide real-time monitoring and management of the antivirus status of the whole network, so that network administrators have a full picture of the antivirus status across the large network, which is of great significance to system security.
Description of drawings
The above and other features, nature and advantages of the present invention will become more apparent from the following description taken together with the drawings and embodiments. In the drawings, identical reference numerals denote identical features throughout, wherein:
Fig. 1 shows a structure diagram of the virus monitoring device according to one embodiment of the invention;
Fig. 2 shows a flow chart of the virus monitoring method according to one embodiment of the invention.
Embodiment
Term definitions. In the present invention, the following English abbreviations are defined as:
AVMC: Anti Virus Monitoring Center;
KILL: the "safe armour" antivirus software developed by Computer Associates International Inc.;
NMAP: Network Mapper, a network scanning and sniffing tool.
The virus monitoring device of the present invention is the AVMC, and according to the invention the AVMC uses the NMAP technique. NMAP (Network Mapper) is currently a commonly used network scanning and sniffing tool. NMAP helps network administrators probe UDP or TCP ports in depth, down to the operating system used by a host; all probe results can also be recorded in logs of various formats, in the service of system security. It has three basic functions: first, detecting whether a group of hosts is online; second, scanning host ports to discover the network services offered; third, inferring the operating system a host uses. NMAP can be used to scan anything from a LAN with only two nodes to networks of more than 500 nodes. NMAP also allows scanning techniques to be customized. Usually a simple ping operation using the ICMP protocol satisfies basic needs; UDP or TCP ports can also be probed in depth, down to the operating system used by the host, and all probe results can be recorded in logs of various formats for further analysis. The AVMC adopts some of the basic principles of NMAP and extends them to make scan results more accurate. These results are used to further determine whether the Windows machines in the system have antivirus software installed; if the KILL antivirus software is installed, its virus prevention is further monitored in real time, and the system raises a timely alarm if a significant virus event occurs.
The AVMC collects, analyzes and consolidates in detail the real-time virus monitoring logs and scan logs in the database. Whether it is the antivirus status of each machine, the top-ranked viruses by number of infections, or the antivirus status of the machines in hundreds of sub-branches and departments, queries and statistics can be run according to flexible user-defined criteria, and real-time alerts are given for high-risk virus infections.
With reference to Fig. 1, the virus monitoring device in the large network comprises:
A client 100, which serves as the system management platform of the virus monitoring device and handles interaction with the end user;
An agent 102, which is connected to one or more antivirus software servers 200 and performs scanning of the whole network and monitoring of viruses;
A server 104, which exchanges data with the client 100 and the agent 102, receives scan-related and virus-related data from the agent 102, processes and stores it, and provides the processed data to the client 100. The server 104 can have a database.
According to an embodiment, the agent 102 scans each subnet in the network and divides the terminal devices in the subnet into the following four classes: inactive devices; devices with antivirus software installed; devices without antivirus software installed but with an operating system; and devices without an operating system installed.
According to an embodiment, the agent 102 scans the subnet using the NMAP technique, wherein: if a terminal device does not respond to the ping command, it is classified as an inactive device; if the terminal device responds to the ping command and the dedicated port of the antivirus software can be connected, it is classified as a device with antivirus software installed, and the agent further resolves the host name of the terminal device; if the terminal device responds to the ping command and the dedicated port of the antivirus software cannot be connected but the operating system port can be connected, it is classified as a device without antivirus software installed but with an operating system, and the agent further resolves the host name of the terminal device; if the terminal device responds to the ping command and neither the dedicated port of the antivirus software nor the operating system port can be connected, it is classified as a device without an operating system installed.
The agent can be an application installed on the antivirus software server, such as an Agent.
In a network that uses the Windows operating system and the KILL antivirus software, the subnet scanning process described above can be implemented as follows:
Subnet scanning uses the NMAP technique and works from the list of subnets that has been issued, one subnet at a time, in order to (1) obtain the installation status of the KILL clients and the update status of their virus signatures; and (2) learn the virus signature update status and the management scope of the KILL servers.
Before a subnet is scanned, the IP range of the machines to be scanned is calculated from the configured network address and mask. For example, the scan range of the network segment 30.0.184.0/255.255.255.0 is 30.0.184.1~30.0.184.254, and the 254 addresses are scanned one by one. After scanning, the machines are divided into four classes:
Inactive machines;
Machines with KILL installed;
Windows machines without KILL installed;
Non-Windows machines.
The scanning flow is as follows:
First, the Agent pings the remote machine; if the ping fails, the machine is considered inactive. If the ping succeeds, the Agent tries to connect to port 42510 of the target machine, which is the dedicated port of the KILL antivirus software. If port 42510 can be connected, the machine is judged to have the KILL antivirus software installed; the Agent uses the IP address to obtain the machine name of the remote machine, resolving the host name via NetBIOS, takes the corresponding Sig Version information from the KILL database, and writes the information together into a database, such as the server's database, under the category "machine with KILL installed". If port 42510 cannot be connected, the Agent then tries ports such as 3389 (the network port used by SQL Server) and 9594 (the network port used by the LANDesk software) for further connection tests. If these ports can be connected, the machine is judged to be a Windows machine; the host name is likewise resolved via NetBIOS, and the information is written into the database, such as the server's database, under the category "Windows machine without KILL installed". If none of the above ports can be connected, the NMAP tool is used to determine whether the machine is a Windows machine. If it is, the host name is likewise resolved via NetBIOS and the information is written into the database, such as the server's database, under the category "Windows machine without KILL installed"; if it is not, the information is written into the database, such as the server's database, under the category "non-Windows machine".
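The range calculation and the four-way classification above can be written as a pure decision function over probe results. This is an added example, not code from the patent: the `Probe` record, the function names and the sample probe data are constructed for illustration, and the probe results are supplied as data rather than gathered from a live network.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

KILL_PORT = 42510                   # dedicated KILL port named in the text
WINDOWS_HINT_PORTS = (3389, 9594)   # the further ports the text lists

INACTIVE = "inactive machine"
KILL_INSTALLED = "machine with KILL installed"
WINDOWS_NO_KILL = "Windows machine without KILL installed"
NON_WINDOWS = "non-Windows machine"


@dataclass
class Probe:
    """Probe results for one address (hypothetical record layout)."""
    ip: str
    ping_ok: bool
    open_ports: frozenset = frozenset()
    nmap_says_windows: bool = False      # outcome of the NMAP fallback check
    netbios_name: Optional[str] = None   # host name resolved via NetBIOS


def scan_range(network: str, mask: str):
    """Usable host addresses for a network address and dotted mask."""
    net = ipaddress.IPv4Network(f"{network}/{mask}", strict=True)
    return list(net.hosts())


def classify(p: Probe) -> dict:
    """Apply the flow in order: ping, KILL port, Windows ports, NMAP fallback."""
    if not p.ping_ok:
        return {"ip": p.ip, "category": INACTIVE, "hostname": None}
    if KILL_PORT in p.open_ports:
        category = KILL_INSTALLED
    elif any(port in p.open_ports for port in WINDOWS_HINT_PORTS):
        category = WINDOWS_NO_KILL
    elif p.nmap_says_windows:
        category = WINDOWS_NO_KILL
    else:
        # The host name is only resolved for the KILL and Windows categories.
        return {"ip": p.ip, "category": NON_WINDOWS, "hostname": None}
    return {"ip": p.ip, "category": category, "hostname": p.netbios_name}


def inventory(network: str, mask: str, probes) -> list:
    """Classify every address in the range; addresses with no probe count as inactive."""
    by_ip = {p.ip: p for p in probes}
    rows = []
    for addr in scan_range(network, mask):
        ip = str(addr)
        rows.append(classify(by_ip.get(ip, Probe(ip=ip, ping_ok=False))))
    return rows


def coverage_gaps(rows) -> list:
    """Windows machines with no KILL client: the blind spot the device targets."""
    return [r for r in rows if r["category"] == WINDOWS_NO_KILL]


# Constructed sample probe results for the 30.0.184.0 segment used in the text.
SAMPLE_PROBES = [
    Probe("30.0.184.10", True, frozenset({42510, 3389}), netbios_name="TELLER-01"),
    Probe("30.0.184.11", True, frozenset({3389}), netbios_name="OFFICE-07"),
    Probe("30.0.184.12", True, nmap_says_windows=True, netbios_name="KIOSK-02"),
    Probe("30.0.184.13", True, frozenset({22})),
    Probe("30.0.184.14", False),
]

if __name__ == "__main__":
    rows = inventory("30.0.184.0", "255.255.255.0", SAMPLE_PROBES)
    for category, count in Counter(r["category"] for r in rows).items():
        print(f"{count:4d}  {category}")
    for gap in coverage_gaps(rows):
        print("no KILL client:", gap["ip"], gap["hostname"])
```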
The server 104 can comprise the following modules, again with reference to Fig. 1: an abnormal alarm module 140, which raises alarms for discovered viruses or for anomalies of the antivirus software server; a supervision and management module 142, which monitors the upgrade status of the virus database of the antivirus software server; an information query module 144, which queries virus information; and an information statistics module 146, which compiles statistics on virus information.
The abnormal alarm functions implemented by the abnormal alarm module 140 include:
Virus not removed (found by the KILL real-time monitor);
Antivirus server process anomaly;
Anomaly of the AVMC Agent TssAgent service on the antivirus server;
Antivirus server performance anomaly: CPU, memory or disk space utilization exceeds its threshold.
The supervision and management functions implemented by the supervision and management module 142 include:
KILL client installation status and virus database upgrade status;
Antivirus server virus database upgrade status.
The information query functions implemented by the information query module 144 include:
(Real-time) virus log (detail) query;
Analysis of the virus infection source: listing the machine that was first infected with a given virus.
The information statistics functions implemented by the information statistics module 146 include:
Antivirus status report (with the subnet as the statistical unit);
Virus infection count ranking (with the virus name as the statistical unit).
The virus monitoring device of the present invention can also provide real-time alerts for virus infections found by the real-time monitoring and scanning components, and collect the logs of the antivirus software. Taking the KILL antivirus software as an example, the process is as follows:
The virus logs referred to here include both the virus logs that KILL clients send to the KILL server and the virus logs of the KILL server itself. The Agent monitors changes to the database that holds these logs. As soon as a new log entry is produced, the Agent obtains it, matches it against alert events and filters it locally (for example, an alert is raised for "virus not removed"), and then sends it to the server. The server immediately normalizes the information that requires an alert and displays it on the client, so that the system administrator can act on it; virus log information that does not require an alert is written to the database so that the system administrator can consult it later.
The virus monitoring device can provide: (real-time) virus log (detail) query; analysis of the virus infection source, listing the machine that was first infected with a given virus; antivirus status reports (with the department/sub-branch as the statistical unit); and virus infection count ranking (with the virus name as the statistical unit).
Similar to "virus log alerting and collection", the Agent's collection function is triggered by a "timed" mechanism to implement monitoring and alerting for: antivirus server process anomalies; anomalies of the AVMC Agent TssAgent service on the antivirus server; and antivirus server performance anomalies, that is, CPU, memory or disk space utilization exceeding its threshold.
The virus signature upgrade process of the antivirus server, as handled by the virus monitoring device of the present invention, is as follows, again taking a KILL antivirus software server as an example:
What the virus monitoring device (AVMC) needs to know is when the KILL server publishes (shares) a new signature for clients to update from. The Agent therefore monitors the directory in which the KILL server publishes signatures (the Outgoing directory under the KILL installation directory). This directory contains a file, siglist.txt, which records the version information of the published signatures. The Agent discovers that the KILL server has published a new signature by monitoring this file.
Siglist.txt is the file that describes the KILL virus signature upgrade information, and it is also one of the files in the KILL antivirus software upgrade package. The KILL server decides whether it needs to upgrade by checking the Sig Version identified in this file. The AVMC system makes use of this same property: as soon as the Agent TssAgent finds that the modification time of siglist.txt has changed, it compares the Sig Version in the file with the one seen at the last check. If the version has been updated, it immediately sends the relevant log to the server database; otherwise it continues to wait for the next change before judging again.
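The two-stage check described above (modification time first, then Sig Version) is sketched below as an added example; it is not the TssAgent implementation. The `SigVersion=` line format, the class and function names and the sample version values are assumptions, since the text does not show the layout of siglist.txt.

```python
import os
import re
import tempfile

# Assumed line format; the layout of siglist.txt is not given in the text.
SIG_RE = re.compile(r"^\s*SigVersion\s*=\s*(\S+)", re.MULTILINE)


class SigListWatcher:
    """Remembers the last modification time and Sig Version seen for one file."""

    def __init__(self, path):
        self.path = path
        self.last_mtime = None
        self.last_version = None

    def poll(self):
        """Return a log record when a new Sig Version appears, otherwise None."""
        try:
            mtime = os.stat(self.path).st_mtime_ns
        except FileNotFoundError:
            return None                 # nothing published yet
        if mtime == self.last_mtime:
            return None                 # stage 1: file untouched, skip the read
        with open(self.path, encoding="utf-8", errors="replace") as fh:
            match = SIG_RE.search(fh.read())
        if match is None:
            return None                 # unreadable or half-written: retry next poll
        self.last_mtime = mtime
        previous, self.last_version = self.last_version, match.group(1)
        if previous is None or previous == self.last_version:
            return None                 # first baseline, or touched without a new version
        return {"event": "signature_published",
                "old": previous, "new": self.last_version}


def write_sample(path, version, mtime):
    """Write a constructed sample file and pin its modification time."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("; constructed sample, not a real KILL file\n")
        fh.write(f"SigVersion={version}\n")
    os.utime(path, (mtime, mtime))


def demo():
    """Run four polls: baseline, untouched, touched with same version, new version."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "siglist.txt")
        watcher = SigListWatcher(path)
        results = []
        write_sample(path, "1001", 1_000_000)
        results.append(watcher.poll())
        results.append(watcher.poll())
        write_sample(path, "1001", 1_000_060)
        results.append(watcher.poll())
        write_sample(path, "1002", 1_000_120)
        results.append(watcher.poll())
        return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```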
The agent, such as the Agent TssAgent, has a remote automatic update mechanism; the Agent in the present invention implements an automatic upgrade function. If TssAgent gains new functions and, once the relevant settings have been made, the update package is placed on the upgrade server, the KILL server automatically triggers, in the form of a scheduled task, retrieval of the update package via FTP and completes the version upgrade of TssAgent.
The automatic upgrade module of the Agent is driven by a scheduled task of the operating system, such as Windows. A check is made once a day; if a new version of the upgrade package is found, it is downloaded via FTP and the upgrade is carried out automatically. The scheduled task that performs the automatic upgrade is "TssAgentAutoUpdate".
Fig. 2 shows a flow chart of the virus monitoring method 200 according to one embodiment of the invention. The method comprises:
202. Interacting with the end user through a client;
204. Through a server, instructing an agent to scan the network and monitor viruses according to the result of the interaction between the client and the end user;
206. The agent being connected to one or more antivirus software servers and performing the scanning of the network and the monitoring of viruses through the antivirus software servers;
208. The server receiving scan-related and virus-related data from the agent, processing and storing it, and providing the processed data to the client;
210. The client feeding the data back to the end user.
Likewise, according to an embodiment, the agent scans each subnet in the network and divides the terminal devices in the subnet into the following four classes: inactive devices; devices with antivirus software installed; devices without antivirus software installed but with an operating system; and devices without an operating system installed.
According to an embodiment, the agent scans the subnet using the NMAP technique, wherein: the agent first contacts the terminal device with the ping command, and if the terminal device does not respond, it is classified as an inactive device; if the terminal device responds to the ping command, the agent connects to the dedicated port of the antivirus software, and if that port can be connected, the device is classified as a device with antivirus software installed and the agent further resolves the host name of the terminal device; if the dedicated port of the antivirus software cannot be connected, the agent connects to the operating system port, and if the operating system port can be connected, the device is classified as a device without antivirus software installed but with an operating system, and the agent further resolves the host name of the terminal device; if the operating system port cannot be connected, the device is classified as a device without an operating system installed.
The agent can be an application installed on the antivirus software server.
The server implements the following functions: abnormal alarm, raising alarms for discovered viruses or for anomalies of the antivirus software server; supervision and management, monitoring the upgrade status of the virus database of the antivirus software server; information query, querying virus information; and information statistics, compiling statistics on virus information.
The implementation details of this method correspond to the device described above and are not described again here.
In summary, the present invention adopts an agent-client-server virus monitoring architecture. This architecture is used in distributed networks and provides monitoring and analysis of the antivirus status of the machines in the network under complex wide area network conditions.
The present invention creates a network scanning technique. The system uses an original network scanning technique combined with NMAP network scanning, extending what is scanned so that information such as the operating system of the various computers in the system can be determined. Large networks, especially the business networks of the financial industry, are very complex: they are divided into two major network types, the production network and the office network, and contain computers running different operating systems such as DOS, WINDOWS, LINUX and UNIX, as well as all kinds of special-purpose machines such as network printers, ATM devices and IP terminals. This network scanning technique can efficiently identify the WINDOWS machines among them and can determine whether each WINDOWS machine has the KILL antivirus software installed.
The invention provides a diversified, intelligent Agent. The agent program is a WINDOWS application that is installed on the KILL SERVER as a system service and performs scanning and real-time monitoring of the machines in the network segments administered by the KILL SERVER. This Agent can be upgraded remotely and automatically without manual intervention; besides being installed on the KILL safe armour software server, it can also be installed on other antivirus software systems such as Symantec after its interface is modified.
The present invention uses advanced data mining and data analysis techniques to provide analysis and processing of virus results and the printing of dozens of kinds of reports.
The antivirus technique of the present invention is combined with the network scanning technique to provide centralized management of antivirus software status in large, complex networks and real-time alerting for virus events.
The virus monitoring device and virus monitoring method of the present invention have the following advantages. The system is stable and reliable: the Agent runs as a system service, and to guard against the memory leaks and memory exhaustion that tend to occur on the operating system platform, the Agent periodically restarts the service automatically, which further strengthens the stability of the system. The system is highly intelligent and easy to operate: the processing of virus information is completed entirely automatically by the system, and the Agent can update itself automatically. Scan results are accurate, even in extremely complex networks.
The above embodiments are provided to enable those skilled in the art to make or use the present invention. Those skilled in the art may make various modifications or variations to the above embodiments without departing from the inventive concept of the present invention; the scope of protection of the present invention is therefore not limited by the above embodiments, but should be the broadest scope consistent with the inventive features recited in the claims.
Claims (10)
1. the virus monitoring device that catenet is interior is characterized in that, comprising:
Client, described client are as the system management platform of virus monitoring device, and realization is mutual with the terminal use's;
Agent side is connected to one or several antivirus software servers, realizes to the scanning of whole network and to the monitoring of virus;
Server carries out data communication with described client and agent side, receives relevant scanning and viral data from agent side, handle and preserve, and the data after will handling offers described client.
2. virus monitoring device as claimed in claim 1 is characterized in that, described agent side scans each subnet in the network, and the terminal equipment in the subnet is divided into four following classes:
Inactive equipment;
The equipment of antivirus software has been installed;
Antivirus software is not installed, but the equipment with operating system;
The equipment of installing operating system not.
3. virus monitoring device as claimed in claim 2 is characterized in that, described agent side uses the NMAP technology that subnet is scanned, wherein:
If terminal equipment then is categorized as inactive equipment to not response of ping order;
If terminal equipment has response to ping order, and the antivirus software private port can connect, and then is categorized as the equipment that antivirus software has been installed, and agent side further parses the host name of terminal equipment;
If terminal equipment has response to ping order, the antivirus software private port can not connect, but the operating system port can connect, then be categorized as antivirus software is not installed, but the equipment with operating system, agent side further parses the host name of terminal equipment;
Order has response if terminal equipment is to ping, and the antivirus software private port can not connect, and the operating system port also can not connect, and then is categorized as the not equipment of installing operating system.
4. as each described virus monitoring device among the claim 1-3, it is characterized in that described agent side is mounted in the application program on the antivirus software server.
5. virus monitoring device as claimed in claim 1 is characterized in that, described server comprises:
The abnormal alarm module is to the virus of discovery or reporting to the police unusually of antivirus software server;
The supervision and management module, the upgrade case of the virus base of monitoring antivirus software server;
The information inquiry module is carried out the inquiry of Virus Info;
The Information Statistics module is added up Virus Info.
6. the virus monitoring method that catenet is interior is characterized in that, comprising:
Realize mutual with the terminal use by a client;
By a server,, indicate an agent side to carry out to the scanning of network and to the monitoring of virus according to described client and terminal use's interaction results;
Described agent side is connected to one or several antivirus software servers, realizes to the scanning of network and to the monitoring of virus by described antivirus software server;
Described server receives relevant scanning and viral data from agent side, handle and preserve, and the data after will handling offers described client;
Described client feeds back to the terminal use with described data.
7. The virus monitoring method according to claim 6, characterized in that the agent side scans each subnet in the network and divides the terminal devices in the subnet into the following four classes:
Inactive devices;
Devices with antivirus software installed;
Devices with an operating system but no antivirus software installed;
Devices with no operating system installed.
8. The virus monitoring method according to claim 7, characterized in that the agent side uses the NMAP technology to scan the subnet, wherein:
The terminal device is first contacted with the ping command; if the terminal device does not respond to the ping command, it is classified as an inactive device;
If the terminal device responds to the ping command, a connection to the antivirus software's dedicated port is then attempted; if the dedicated port can be connected, the device is classified as a device with antivirus software installed, and the agent side further resolves the host name of the terminal device;
If the antivirus software's dedicated port cannot be connected, a connection to the operating system port is then attempted; if the operating system port can be connected, the device is classified as a device with an operating system but no antivirus software installed, and the agent side further resolves the host name of the terminal device;
If the operating system port cannot be connected, the device is classified as a device with no operating system installed.
9. The virus monitoring method according to any one of claims 6-8, characterized in that the agent side is an application program installed on the antivirus software server.
10. The virus monitoring method according to claim 6, characterized in that the server performs:
Abnormal alarm: raising an alarm on a discovered virus or on an abnormality of the antivirus software server;
Supervision and management: monitoring the update status of the virus database of the antivirus software server;
Information query: querying virus information;
Information statistics: compiling statistics on virus information.
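The four-way classification in claims 3 and 8, written out as an added example (not code from the patent). The probes are passed in as functions so the order of checks can be exercised offline; the port numbers, addresses and host names are constructed placeholders, since these claims do not name specific ports.

```python
from collections import Counter
from enum import Enum

class DeviceClass(Enum):
    INACTIVE = "inactive device"
    AV_INSTALLED = "antivirus software installed"
    OS_NO_AV = "operating system, no antivirus software"
    NO_OS = "no operating system installed"

# Assumed placeholders: the claims give no port numbers.
AV_PORT, OS_PORT = 40000, 40001

def classify(host, ping, connect, resolve):
    """Apply the checks in the order of claim 8; return (class, host name or None)."""
    if not ping(host):
        return DeviceClass.INACTIVE, None
    if connect(host, AV_PORT):            # checked before the OS port, so it wins
        return DeviceClass.AV_INSTALLED, resolve(host)
    if connect(host, OS_PORT):
        return DeviceClass.OS_NO_AV, resolve(host)
    return DeviceClass.NO_OS, None        # host name is not resolved for this class

def scan_subnet(hosts, ping, connect, resolve):
    return {h: classify(h, ping, connect, resolve) for h in hosts}

def unprotected(results):
    """Hosts an administrator would follow up on: running an OS without antivirus."""
    return sorted(h for h, (cls, _) in results.items() if cls is DeviceClass.OS_NO_AV)

# Constructed sample subnet (documentation addresses, invented host names).
SAMPLE = {
    "192.0.2.10": (True, {AV_PORT, OS_PORT}, "teller-01"),
    "192.0.2.11": (True, {OS_PORT}, "kiosk-07"),
    "192.0.2.12": (True, set(), None),
    "192.0.2.13": (False, set(), None),
    # Drops ICMP but runs antivirus: the ping-first order still reports it inactive.
    "192.0.2.14": (False, {AV_PORT}, "branch-gw"),
}

def run_sample():
    results = scan_subnet(
        SAMPLE,
        ping=lambda h: SAMPLE[h][0],
        connect=lambda h, p: p in SAMPLE[h][1],
        resolve=lambda h: SAMPLE[h][2],
    )
    return results, Counter(cls for cls, _ in results.values())

if __name__ == "__main__":
    results, counts = run_sample()
    for host, (cls, name) in results.items():
        print(host, cls.value, name or "-")
    print("follow up:", unprotected(results))
```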
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810041937A CN101656632A (en) | 2008-08-21 | 2008-08-21 | Virus monitoring method and virus monitoring device in large network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810041937A CN101656632A (en) | 2008-08-21 | 2008-08-21 | Virus monitoring method and virus monitoring device in large network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101656632A (en) | 2010-02-24 |
Family
ID=41710738
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200810041937A Pending CN101656632A (en) | 2008-08-21 | 2008-08-21 | Virus monitoring method and virus monitoring device in large network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101656632A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101827104A (en) * | 2010-04-27 | 2010-09-08 | 南京邮电大学 | Multi anti-virus engine-based network virus joint defense method |
CN102647302A (en) * | 2012-04-28 | 2012-08-22 | 浪潮电子信息产业股份有限公司 | Monitoring and managing method aiming at cluster node network and ports |
CN102708325A (en) * | 2012-05-17 | 2012-10-03 | 中国科学院计算技术研究所 | Method and system for killing viruses of virtual desktop environment file |
CN103929323A (en) * | 2013-12-16 | 2014-07-16 | 汉柏科技有限公司 | Health degree monitoring method of cloud network equipment |
CN107426166A (en) * | 2017-05-17 | 2017-12-01 | 北京启明星辰信息安全技术有限公司 | A kind of acquisition methods of information, device and electronic equipment |
CN108551449A (en) * | 2018-04-13 | 2018-09-18 | 上海携程商务有限公司 | Anti-virus manages system and method |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101827104A (en) * | 2010-04-27 | 2010-09-08 | 南京邮电大学 | Multi anti-virus engine-based network virus joint defense method |
CN101827104B (en) * | 2010-04-27 | 2013-01-02 | 南京邮电大学 | Multi anti-virus engine-based network virus joint defense method |
CN102647302A (en) * | 2012-04-28 | 2012-08-22 | 浪潮电子信息产业股份有限公司 | Monitoring and managing method aiming at cluster node network and ports |
CN102708325A (en) * | 2012-05-17 | 2012-10-03 | 中国科学院计算技术研究所 | Method and system for killing viruses of virtual desktop environment file |
CN103929323A (en) * | 2013-12-16 | 2014-07-16 | 汉柏科技有限公司 | Health degree monitoring method of cloud network equipment |
CN107426166A (en) * | 2017-05-17 | 2017-12-01 | 北京启明星辰信息安全技术有限公司 | A kind of acquisition methods of information, device and electronic equipment |
CN107426166B (en) * | 2017-05-17 | 2019-11-29 | 北京启明星辰信息安全技术有限公司 | A kind of acquisition methods of information, device and electronic equipment |
CN108551449A (en) * | 2018-04-13 | 2018-09-18 | 上海携程商务有限公司 | Anti-virus manages system and method |
CN108551449B (en) * | 2018-04-13 | 2021-02-05 | 上海携程商务有限公司 | Anti-virus management system and method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107454109B (en) | Network privacy stealing behavior detection method based on HTTP traffic analysis | |
US10645110B2 (en) | Automated forensics of computer systems using behavioral intelligence | |
CN104509034B (en) | Pattern merges to identify malicious act | |
US7197762B2 (en) | Method, computer readable medium, and node for a three-layered intrusion prevention system for detecting network exploits | |
CN103563302B (en) | Networked asset information management | |
KR100831483B1 (en) | Methods and systems for managing security policies | |
CN101350745B (en) | Intrude detection method and device | |
US7293287B2 (en) | Method and system for modeling, analysis and display of network security events | |
US7444679B2 (en) | Network, method and computer readable medium for distributing security updates to select nodes on a network | |
US20030084328A1 (en) | Method and computer-readable medium for integrating a decode engine with an intrusion detection system | |
US20030188189A1 (en) | Multi-level and multi-platform intrusion detection and response system | |
US20040250133A1 (en) | Computer security event management system | |
AU2002348415A1 (en) | A method and system for modeling, analysis and display of network security events | |
WO2020081603A1 (en) | Multi-dimensional periodicity detection of iot device behavior | |
CN101656632A (en) | Virus monitoring method and virus monitoring device in large network | |
KR100401088B1 (en) | Union security service system using internet | |
WO2004051929A1 (en) | Audit platform system for application process based on components | |
CN112383573B (en) | Security intrusion playback equipment based on multiple attack stages | |
KR20020075319A (en) | Intelligent Security Engine and Intelligent and Integrated Security System Employing the Same | |
RU2630415C2 (en) | Method for detecting anomalous work of network server (options) | |
Debar et al. | Security information management as an outsourced service | |
CN1196296C (en) | Easy-to-expand network invasion detecting and safety auditing system | |
Yongle et al. | A cooperative intrusion detection system based on autonomous agents | |
Kahai et al. | Forensic profiling system | |
Wu et al. | Integrated vulnerability management system for enterprise networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20100224 |