CN102004877B - Method for monitoring source of computer virus - Google Patents


Info

Publication number
CN102004877B
Authority
CN
China
Application number
CN 201010552333
Other languages
Chinese (zh)
Other versions
CN102004877A (en)
Inventor
刘鹏
黄声声
孟槟榔
陈睿
Original Assignee
珠海市君天电子科技有限公司
珠海金山软件有限公司

Abstract

The present invention relates to a method for monitoring the source of a computer virus, characterized in that it comprises the following steps: (1) a network monitoring component is installed at the point where files enter the computer system, and a download feature K1 is extracted from each file entering the system; (2) a file monitoring component is added to the computer system to monitor files that are newly created or changed in the system; (3) the files newly created or changed in step (2) are checked to find whether any of them matches a download feature extracted in step (1); if so, the newly created or changed file is treated as a new file entering the system, and the corresponding association is recorded in a download relationship database. Compared with the prior art, the beneficial effects of the invention are mainly: ① it is a general method that does not require each download tool to provide special support for it; ② it is a global method that can monitor the source of files entering the entire computer system.

Description

Method for monitoring the source of a computer virus

Technical field

[0001] The present invention relates to the technical field of computer information security, and in particular to a method for monitoring the source of a computer virus.

Background

[0002] Chinese invention patent application No. 200910086688.9 discloses a method and apparatus for obtaining information about a remote computer, in which a technical solution is disclosed that raises an accurate alarm at the moment a virus intrudes and locates the source of the virus, so that the virus can be intercepted quickly and its source managed and maintained. In that patent application, the method of monitoring the virus source is limited to viruses that spread through the operating system's remote file read/write operations; put plainly, it only intercepts the kind of virus that could not infect the machine if no writable shared directory had been opened. Its technical solution is therefore an effective but very narrow means of defence: it cannot intercept viruses downloaded from FTP, nor viruses downloaded from websites. In addition, the implementation principle of the technical solution disclosed in that application is based entirely on the implementation details of a specific operating system; more specifically, it is designed entirely around undocumented characteristics of several current versions of the Windows operating system (a single srv.sys module is responsible for remote file reading and writing), so its range of application is greatly limited.

[0003] At present there is no general way to obtain the source of every program file newly entering the whole computer system. Although some download tools keep a record of download sources, this depends on each product's own feature implementation and is hard to record uniformly. For example, download tools such as 迅雷 (Thunder) and 快车 (FlashGet) work by recording, when a download task starts, the URL (Uniform Resource Locator, also called the web address: the standard address of a resource on the Internet) that the user asked to download, together with the location where the downloaded file is stored. However, many download tools, such as the IE browser, do not support this kind of download record at all. Consequently, when a virus is found in some directory, it is hard to determine which download tool downloaded it and from where. Moreover, when current anti-virus software removes a virus, it cannot trace and analyse how the virus actually entered the user's system, and so cannot give the user better defensive guidance.

Summary of the invention

[0004] The object of the present invention is to provide a general, unified mechanism for monitoring the program files entering a computer and their sources, without depending on the implementation of each download program itself.

[0005] The object of the present invention is achieved by the following technical solution: a method for monitoring the source of a computer virus, characterized in that it comprises the following steps: (1) a network monitoring component is installed at the point where files enter the computer system, and a download feature K1 is extracted from each file entering the system; (2) a file monitoring component is added to the computer system to monitor files that are newly created or changed in the system; (3) the files newly created or changed in step (2) are checked to find whether any of them matches a download feature extracted in step (1); if so, the newly created or changed file is treated as a new file entering the system, and the corresponding association is recorded in a download relationship database.

[0006] The specific method of extracting a download feature from a file entering the computer system in step (1) is as follows: when the network monitoring component finds that some process X has issued a network request to download a file, and the data stream returned by the server contains the header of an executable file, it records the content of the network request and extracts from the returned data stream a fixed-length block of data at a fixed offset from the file header as the download feature K1, which it records. [0007] The recorded content of the network request includes the download address U.

[0008] The download feature K1 is extracted as follows: (1) from the data stream returned by the server, strip the leading data belonging to the various protocol headers, leaving the data after the protocol headers, i.e. the header of the downloaded file; (2) counting from the header of the downloaded file, start extracting data at an offset of d bytes and extract n bytes in total.

[0009] The method of monitoring newly created or changed files in the computer system in step (2) is: when the file monitoring component finds that some process X in the system has created a new file F, it first checks by file format whether the file is an executable; if so, it extracts a file feature K2 from the newly created file.

[0010] The file feature K2 is extracted as follows: starting from the d-th byte from the beginning of the new file F, extract n bytes in total.

[0011] The download feature K1 and the file feature K2 have the same offset relative to their respective file headers, and the file feature K2 and the download feature K1 are taken with the same length.

[0012] The specific method of checking, in step (3), whether a newly created or changed file matches a download feature K1 extracted in step (1) is: match the file feature K2 against all download features K1 recorded by the network monitoring component; if some K1 == K2, the newly created or changed file is considered to be related to the download behaviour represented by that K1, and the corresponding download address U is obtained; if no download feature K1 matching K2 is found, the file was not downloaded from the network.

[0013] The method provided by the invention is widely applicable: both HTTP and FTP downloads can be intercepted, and further protocols can be supported through appropriate protocol extensions. Moreover, the scheme does not depend on any operating-system characteristic that is not officially acknowledged by Microsoft, so its applicability is better. Compared with the prior art, the beneficial effects of the invention are mainly: ① it is a general method that does not require each download tool to provide special support for it; ② it is a global method that can monitor the source of files entering the entire computer system (whether over the network or from a USB flash drive, and, for a network download, which URL the file was downloaded from).

Brief description of the drawings

[0014] Figure 1 is a schematic diagram of the technical solution of the method for monitoring the source of a computer virus provided by the embodiment.

Detailed description

[0015] As shown in Figure 1, the network monitoring component, the file monitoring component and the download relationship database are the three parts of the system that implements the virus-source monitoring of the invention. The function of each part and the implementation of the method are described in detail below:

[0016] The network monitoring component is a software module that can monitor the network access requests of specified programs. The technical solutions it may adopt include, but are not limited to, the following:

[0017] 1. Install a network driver in the computer system and monitor all network communication in the system. When it finds that some process X has issued a network request to download a file, and the data stream returned by the server contains the header of an executable file, it records the content of the network request and extracts from the returned data stream a fixed-length block of data at a fixed offset from the file header as the download feature K1, which it records.

[0018] 2. Hook the network operation APIs of all processes in the computer system, such as send, WSASend, recv and WSARecv, to intercept the network requests of all processes. When some process X issues a network request to download a file, and the data stream returned by the server contains the header of an executable file, record the content of the network request and extract from the returned data stream a fixed-length block of data at a fixed offset from the file header as the download feature K1, and record it.

[0019] The recorded content of the network request mainly means the download address U; the download feature K1 of download D is recorded for matching in subsequent operations. The relationship known at this point is:

[0020] {process X, download address U} -> download feature K1

[0021] The file monitoring component is a software module that can monitor the file access requests of specified programs. The technical solutions it may adopt include, but are not limited to, the following:

[0022] 1. Use a file filter driver to monitor the file operation requests (create/delete file, read/write file) of all processes in the computer system.

[0023] 2. Hook the file operation APIs of all processes in the computer system, such as CreateFileW and CopyFileW, to intercept the file operation requests of all processes.

[0024] When the file monitoring component finds that some process X in the system has newly created or changed a file F, it first checks by file format whether the file is an executable; if so, it extracts a file feature K2 from the newly created or changed file. The relationship known at this point is:

[0025] {process X, new file F} -> file feature K2

[0026] Then the file feature K2 is matched against all download features K1 recorded by the network monitoring component. If the match succeeds, i.e. K1 == K2, the file feature K2 has found its corresponding download feature K1; the program file created by process X is then considered to be related to the download behaviour represented by that K1, and the corresponding download address U is obtained from it, i.e.:

[0027] {process X, new file F} -> file feature K2 -> download feature K1 -> {process X, download address U}

[0028] If no download feature K1 corresponding to the new file F (that is, to K2) is found, the file was not downloaded from the network.

[0029] From the above, the creation of a file can be associated with the download of that file. Once the association is made, the following file relationship can be recorded in the download relationship database:

[0030]

File: F
Creator: process X (the executable file of process X)
Download address: U

[0031] A specific example of the whole process described above is as follows:

[0032] Intercepted network request data of the process:

[0033] GET /wireshark/win32/wireshark-win32-1.4.0.exe HTTP/1.1

[0034] Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*

[0035] Accept-Language: zh_CN

[0036] User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MALC)

[0037] Accept-Encoding: gzip, deflate

[Figure CN102004877BD00061: the data returned by the server, reproduced as an image in the original]

[0072] From this returned data, a block of data at a fixed offset is selected as the download feature.

[0073] In the file newly created by the user, a block of data at the same offset is selected as the file feature:

[0074] [Figure CN102004877BD00071: the newly created file, reproduced as an image in the original]

[0075] In the whole process above, two features need to be extracted, the download feature K1 and the file feature K2. The two features have the same meaning: both represent the downloaded file. The only difference is that K1 is extracted from the network data stream while K2 is extracted from the newly created local file; when K1 matches K2, it is confirmed that the newly created local file came from that particular network data stream. Therefore, to make matching possible, the offset of K1 and K2 relative to the file header must be fixed; it is denoted d.

[0076] In addition, to ensure that files can be told apart, the feature must be long enough to contain a sufficient amount of information. Obviously, by the implementation principle above, K2 and K1 are generally taken with the same feature length, denoted n.

[0077] K1 is extracted as follows: (1) from the returned data stream from which the feature is to be extracted, strip the leading data belonging to the various protocol headers (IP, TCP, HTTP), leaving the data after the HTTP header; this data is the header of the downloaded file; (2) counting from the file header, start at an offset of d bytes and extract the data returned on that connection as the feature, n bytes in total; these n bytes are the download feature K1 of this download.

[0078] K2 is extracted as follows: from the new file F, start extracting data at the d-th byte from the beginning of the file and extract n bytes in total; these n bytes are the file feature K2 of the file.

[0079] In a concrete implementation, to guarantee the monitoring effect, the values of n and d must be chosen carefully so that the extracted features can effectively distinguish different files without excessively increasing the complexity of the implementation.
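As an added illustration (not the patent's own code), the following Python simulates the three components on constructed inputs: an HTTP response stands in for the network driver's view of the stream, byte strings stand in for newly created files, and a dict is the download relationship database. Process names, URLs, paths and the values d=64, n=16 are assumptions. Running demo(d=0) shows the caveat of [0079]: the two constructed executables share their DOS header bytes, so with a small d their features collide and the later download overwrites the earlier one.

```python
"""Simulation of the K1/K2 matching scheme: a network monitor extracts K1
from the HTTP response body, a file monitor extracts K2 from a new file,
and a match records {file F -> process X, download address U}."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed feature parameters (the text leaves d and n to the implementer).
D_OFFSET = 64   # skip the 64-byte DOS header, which most PE files share
N_LENGTH = 16   # 16 bytes of feature

@dataclass(frozen=True)
class DownloadRecord:
    process: str        # process X that issued the request
    url: str            # download address U

def http_body(raw_response: bytes) -> bytes:
    """Step (1) of the K1 extraction: strip protocol headers. IP/TCP are
    already removed by the socket layer in this simulation, so only the HTTP
    header block is dropped. A compressed body is rejected, because its
    bytes would never equal the bytes later written to disk."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-encoding" and value.strip().lower() != b"identity":
            raise ValueError("compressed body; feature would not match the file on disk")
    return body

def is_executable(data: bytes) -> bool:
    """File-format check used by both monitors: a PE image starts with 'MZ'."""
    return data[:2] == b"MZ"

def extract_feature(data: bytes, d: int, n: int) -> Optional[bytes]:
    """Step (2): the n bytes at fixed offset d from the file header, or None
    if the data is not an executable or is too short to hold the feature."""
    if not is_executable(data) or len(data) < d + n:
        return None
    return data[d:d + n]

class ProvenanceMonitor:
    """Network monitor, file monitor and download relationship database."""

    def __init__(self, d: int = D_OFFSET, n: int = N_LENGTH) -> None:
        self.d, self.n = d, n
        self.downloads: Dict[bytes, DownloadRecord] = {}   # K1 -> {X, U}
        self.relations: Dict[str, Tuple[str, str]] = {}    # F  -> (X, U)

    def on_network_response(self, process: str, url: str, raw: bytes) -> Optional[bytes]:
        """Network monitor: record {X, U} -> K1 for an executable download."""
        k1 = extract_feature(http_body(raw), self.d, self.n)
        if k1 is not None:
            self.downloads[k1] = DownloadRecord(process, url)  # a later download
        return k1                                              # with equal K1 overwrites

    def on_file_created(self, process: str, path: str, content: bytes) -> Optional[str]:
        """File monitor: extract K2, look for K1 == K2, record F -> (X, U).
        Returns the download address U, or None if the file is not an
        executable or was not downloaded from the network."""
        k2 = extract_feature(content, self.d, self.n)
        rec = self.downloads.get(k2) if k2 is not None else None
        if rec is None:
            return None
        self.relations[path] = (process, rec.url)
        return rec.url

# Constructed sample data (not real binaries): two "executables" that share
# an identical 64-byte DOS header and differ only after it.
DOS_HEADER = b"MZ\x90\x00\x03\x00" + b"\x00" * 58
FILE_A = DOS_HEADER + b"PE\x00\x00" + b"A" * 60
FILE_B = DOS_HEADER + b"PE\x00\x00" + b"B" * 60

def http_response(body: bytes) -> bytes:
    """Constructed identity-encoded HTTP response carrying the sample file."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body

def demo(d: int = D_OFFSET, n: int = N_LENGTH) -> Dict[str, Optional[str]]:
    """Run the scenario from the text; with d=0 the two downloads collide."""
    mon = ProvenanceMonitor(d, n)
    mon.on_network_response("iexplore.exe", "http://example.invalid/a.exe", http_response(FILE_A))
    mon.on_network_response("iexplore.exe", "http://example.invalid/b.exe", http_response(FILE_B))
    return {
        "a": mon.on_file_created("iexplore.exe", r"C:\Downloads\a.exe", FILE_A),
        "b": mon.on_file_created("iexplore.exe", r"C:\Downloads\b.exe", FILE_B),
        "usb": mon.on_file_created("explorer.exe", r"E:\tool.exe", b"MZ" + b"\x00" * 200),
        "txt": mon.on_file_created("notepad.exe", r"C:\notes.txt", b"hello"),
    }

if __name__ == "__main__":
    print(demo())           # a/b resolve to their own URLs, usb/txt to None
    print(demo(d=0, n=16))  # a and b both resolve to b.exe: features collide
```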

[0080] The embodiments disclosed above are merely specific examples of the general concept of the invention. Simple changes based on the inventive concept that a person of ordinary skill in the art could arrive at without creative effort shall still fall within the scope of protection of the invention.

Claims (11)

1. A method for monitoring the source of a computer virus, characterized in that it comprises the following steps: (1) a network monitoring component is installed at the point where files enter the computer system, and a download feature K1 is extracted from each file entering the system, specifically: when the network monitoring component finds that some process X has issued a network request to download a file, and the data stream returned by the server contains the header of an executable file, it records the content of the network request and extracts from the returned data stream a fixed-length block of data at a fixed offset from the file header as the download feature K1, which it records; (2) a file monitoring component is added to the computer system to monitor files that are newly created or changed in the system; (3) the files newly created or changed in step (2) are checked to find whether any of them matches a download feature extracted in step (1); if so, the newly created or changed file is treated as a new file entering the system, and the corresponding association is recorded in a download relationship database.
2. The method for monitoring the source of a computer virus of claim 1, characterized in that the recorded content of the network request includes the download address U.
3. The method for monitoring the source of a computer virus of claim 2, characterized in that the network monitoring component is a network driver installed in the computer system.
4. The method for monitoring the source of a computer virus of claim 2, characterized in that the network monitoring component hooks the network operation APIs of all processes in the computer system.
5. The method for monitoring the source of a computer virus of claim 2, characterized in that the download feature K1 is extracted as follows: a. from the data stream returned by the server, strip the leading data belonging to the various protocol headers, leaving the data after the protocol headers, i.e. the header of the downloaded file; b. counting from the header of the downloaded file, start extracting data at an offset of d bytes and extract n bytes in total.
6. The method for monitoring the source of a computer virus of claim 5, characterized in that the method of monitoring newly created or changed files in the computer system in step (2) is: when the file monitoring component finds that some process X in the system has created a new file F, it first checks by file format whether the file is an executable; if so, it extracts a file feature K2 from the newly created file.
7. The method for monitoring the source of a computer virus of claim 6, characterized in that the file monitoring component monitors the file operation requests of all processes in the computer system through a file filter driver.
8. The method for monitoring the source of a computer virus of claim 6, characterized in that the file monitoring component hooks the file operation APIs of all processes in the computer system and intercepts the file operation requests of all processes.
9. The method for monitoring the source of a computer virus of claim 6, characterized in that the file feature K2 is extracted as follows: starting from the d-th byte from the beginning of the new file F, extract n bytes in total.
10. The method for monitoring the source of a computer virus of claim 9, characterized in that the download feature K1 and the file feature K2 have the same offset relative to their respective file headers, and the file feature K2 and the download feature K1 are taken with the same length.
11. The method for monitoring the source of a computer virus of claim 10, characterized in that checking, in step (3), whether a newly created or changed file matches a download feature K1 extracted in step (1) is done as follows: match the file feature K2 against all download features K1 recorded by the network monitoring component; if some K1 == K2, the newly created or changed file is considered to be related to the download behaviour represented by that K1, and the corresponding download address U is obtained; if no download feature K1 matching K2 is found, the file was not downloaded from the network.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010552333 CN102004877B (en) 2010-11-19 2010-11-19 Method for monitoring source of computer virus


Publications (2)

Publication Number Publication Date
CN102004877A CN102004877A (en) 2011-04-06
CN102004877B true CN102004877B (en) 2013-01-23


Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103685135B (en) 2012-08-30 2018-09-07 腾讯科技(深圳)有限公司 Download file for security monitoring method and system
CN103414758B (en) * 2013-07-19 2017-04-05 北京奇虎科技有限公司 Method and apparatus for processing logs
CN103685233B (en) * 2013-11-15 2016-09-14 中国人民解放军91635部队 Trojan monitoring method based on the Windows kernel driver
CN105404537A (en) * 2015-12-24 2016-03-16 北京金山安全软件有限公司 Method and device for unloading application program
CN106022100A (en) * 2016-05-17 2016-10-12 北京金山安全软件有限公司 Method and apparatus for intercepting installation of malicious program and electronic device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101122934A (en) 2006-08-11 2008-02-13 珠海金山软件股份有限公司 Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method
CN101158999A (en) 2007-11-20 2008-04-09 北京派瑞根科技开发有限公司 Method and device for preventing from computer virus

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7565550B2 (en) * 2003-08-29 2009-07-21 Trend Micro, Inc. Automatic registration of a virus/worm monitor in a distributed network
US7975304B2 (en) * 2006-04-28 2011-07-05 Trend Micro Incorporated Portable storage device with stand-alone antivirus capability


Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted