CN102457495A - Method and system for defending network virus - Google Patents

Method and system for defending network virus

Publication number: CN102457495A
Application number: CN2010105215105A
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: virus, network, file, suspicious, client
Inventors: 刘威成, 吴怡芳, 游峰鹏, 郑年华
Original assignee: 中华电信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Application filed by 中华电信股份有限公司; priority to CN2010105215105A; published as CN102457495A

Abstract

The invention relates to a method and system for defending against a network virus, where the network virus is a botnet virus or a targeted-attack virus whose attack targets are chosen deliberately. The method comprises: while a client obtains network communication services, analyzing the client's network traffic and, when a suspicious file is confirmed to be present, capturing a sample of the suspicious file; analyzing whether the sample contains a botnet virus or botnet-virus behavior; generating an analysis report of the botnet-virus behavior; sending the sample and the report to an antivirus vendor so that a virus removal program can be produced; and, in the meantime, providing a network-side antivirus service to the infected client according to the report and removing the virus once the returned removal program has been received. With this method, defensive measures can be taken in real time as soon as an infected client is detected, which efficiently prevents the virus from spreading, prevents the infected client from connecting on its own to a malicious website to mutate the virus, and efficiently reduces the client's risk of suffering a virus attack.

Description

Method and system for network virus protection

Technical field

[0001] The present invention relates to network virus detection and blocking techniques, and more particularly to a network virus protection method and system that prevents a client infected with, for example, a botnet virus or a targeted-attack virus (a virus whose attack targets are chosen deliberately) from spreading the virus or coming under the virus's control.

Background

[0002] A botnet, commonly called a zombie network, spreads its virus onto network user terminals through email, instant messaging software or computer system vulnerabilities, after which the virus hides inside some program on the terminal. Referring to FIG. 1, a botnet usually consists of three parts: a control terminal 11, botnet members (12a, 12b, 12c) and a command-issuing terminal 13. The command-issuing terminal 13 is the attacker, who issues commands to the botnet members (12a, 12b, 12c). The botnet members (12a, 12b, 12c) are the remotely controlled victim computers; a victim computer usually does not notice that it has been infected and has become part of the botnet. The control terminal 11 manages and controls the whole botnet and relays the commands issued by the command-issuing terminal 13 to the botnet members.

[0003] Current virus protection solutions mainly consist of installing antivirus software on the user terminal. Because an antivirus program's virus signatures are derived from samples of global traffic, they can only provide fairly generic signatures; moreover, most virus analysis systems use signatures as the basis of their analysis, so they can neither protect in real time against the behavior of a self-updating bot virus after it has mutated, nor protect against a targeted-attack virus that appears only within a specific network region. As a result, even though most user terminals have antivirus software installed, botnet intrusions still cannot be stopped, causing major losses to the global economy.

Summary of the invention

[0004] To remedy the above shortcomings of the prior art, an object of the present invention is to provide a network virus protection system and method which, upon detecting a malicious file or botnet-virus behavior in a client's communication network, blocks the malicious traffic in real time, preventing the virus from spreading further and preventing the infected client from coming under the attacker's control.

[0005] Another object of the present invention is to provide a network virus protection system and method which, by blocking in real time the network channels to the malicious sites associated with a malicious file and to the bot virus's control host, overcomes the problem of a virus removal program being rendered ineffective by bot virus mutation.

[0006] A further object of the present invention is to provide a network virus protection system and method which, being deployed in an ISP/IDC network, can fully analyze the malicious behavior and files that are specific to a particular range of user networks and produce a dedicated virus removal program, so that it detects and removes targeted attacks that occur only within a particular user network better than general antivirus software can.

[0007] Yet another object of the present invention is to provide a network virus protection system and method that adds the ability, which general antivirus software lacks, to detect unknown viruses and special-purpose viruses, effectively reducing the risk of clients being attacked by a virus.

[0008] To achieve the above and other related objects, the present invention provides a network virus protection system connected through a network system to each client and to an antivirus vendor's virus analysis center. The system comprises: a monitoring module for detecting, while each client obtains network communication services, whether a suspicious file is present in that client's traffic; an analysis module which, when the monitoring module finds a suspicious file in the traffic of a client obtaining network communication services, captures a sample of the suspicious file from that client's traffic, analyzes whether the sample contains a network virus and what malicious behavior that network virus may perform, and generates a network virus behavior analysis report corresponding to the sample; a transmission module for sending the suspicious file sample captured by the monitoring module and the corresponding network virus behavior analysis report generated by the analysis module to the antivirus vendor's virus analysis center, so that the center can produce a matching virus removal program; a defense module which, based on the captured sample and the corresponding analysis report, imports the analysis results and provides network-side protection services for the clients infected by the sample, so that infected clients cannot mutate the virus or be controlled by the virus control host before the removal program has cleaned them; and a virus removal module for receiving the virus removal program produced and returned by the antivirus vendor's virus analysis center and executing the corresponding virus removal job on the infected clients.

[0009] In one embodiment of the present invention, the monitoring module monitors each client's network traffic as the basis for detecting, while the client obtains network communication services, whether the client has downloaded a suspicious file. The analysis module moves the captured suspicious file sample into a sandbox and opens it there, analyzes whether the sample contains an executable program, and performs a security analysis of that executable program or exploit code, so that a harmful sample is identified as a malicious file; it records the network virus present in the malicious file and its behavior pattern, monitors whether the malicious file issues network access requests, and records the file's network access paths, from which it determines the address information of the malicious sites and virus control host associated with the malicious file. The defense module imports the analysis module's findings (the network virus present in the malicious file and its behavior pattern, and the address information of the associated malicious sites and virus control host) into the defense module's virus database and uses them to protect user traffic, preventing user computers from contacting the malicious sites and the virus control host and thus from mutating the virus or coming under the attacker's control.

[0010] The present invention further provides a network virus protection method in which a network virus protection system, connected through a network system to clients and to an antivirus vendor's virus analysis center, performs virus protection processing for the clients. The method comprises the following processing steps: 1) the network virus protection system detects whether a suspicious file is present in the traffic of a client obtaining network communication services; 2) the network virus protection system captures a sample of the suspicious file from the client's traffic, analyzes whether the sample contains a network virus and what malicious behavior that network virus may perform, and generates the corresponding network virus behavior analysis report; 3) based on the virus behavior analysis report, the network virus protection system provides network-side virus protection services for the clients infected by the sample, thereby blocking the virus's network behavior from the network side and preventing infected clients from mutating the virus or being controlled by the virus control host, and causing further damage, before the removal program has cleaned them; at the same time, the network virus protection system sends the captured sample and its corresponding network virus behavior analysis report to the antivirus vendor's virus analysis center so that the center can produce a matching virus removal program; and 4) the system receives the virus removal program produced and returned by the antivirus vendor's virus analysis center and executes the corresponding virus removal job on the clients operating in the virus-protection state.

[0011] In one embodiment of the present invention, step 1) of the method monitors each client's network traffic as the basis for detecting whether the client, while obtaining network communication services, has downloaded a suspicious file.

[0012] Step 2) of the method further comprises the following processing steps: 2-1) moving the captured suspicious file sample into a sandbox and opening the sample there; 2-2) analyzing whether the sample contains an executable program or malicious exploit code; 2-3) performing a security analysis of any executable program or malicious exploit code present in the sample, so that a harmful sample is identified as a malicious file, and recording the network virus present in the malicious file and its behavior pattern; and 2-4) monitoring whether the malicious file issues network access requests and, if so, recording the file's network access paths, from which the address information of the malicious sites and virus control host associated with the malicious file is determined.

[0013] Furthermore, in step 3) of the method, the network virus and behavior pattern found in the malicious file by the analysis, together with the address information of the associated malicious sites and virus control host, are imported into the defense module's virus database, so that the virus's network behavior is blocked from the network side and infected clients are prevented from mutating the virus or being controlled by the virus control host, and causing further damage, before the removal program has cleaned them.

[0014] With the network virus protection system and method of the present invention, known and unknown network attacks and malicious files in the network can be analyzed and blocked in real time, which not only improves the success rate of virus removal but also effectively reduces the risk of clients suffering a virus attack. Because the invention is deployed in the ISP/IDC network, it can analyze and remove botnet viruses and targeted-attack viruses whose attack targets are chosen deliberately, and is therefore more targeted than general antivirus software.

Brief description of the drawings

[0015] FIG. 1 is a schematic diagram of the system architecture of an existing botnet;

[0016] FIG. 2 is a schematic architecture diagram of one embodiment of the network virus protection system of the present invention applied in a network environment;

[0017] FIG. 3 is a block diagram of the basic system architecture of the network virus protection system of the present invention and of one embodiment of its application in the network environment shown in FIG. 2;

[0018] FIG. 4 is a processing flowchart of the network virus protection method of the present invention; and

[0019] FIG. 5 is a processing flowchart detailing the network virus analysis of step S130 shown in FIG. 4.

[0020] Description of the main reference numerals

[0021] 11 control terminal

[0022] 12a, 12b, 12c botnet members

[0023] 13 command-issuing terminal

[0024] 20 ISP/IDC network

[0025] 200 network virus protection system

[0026] 201 database

[0027] 210 monitoring module

[0028] 211 suspicious file sample

[0029] 220 analysis module

[0030] 221 network virus behavior analysis report

[0031] 230 transmission module

[0032] 240 defense module

[0033] 250 virus removal module

[0034] 21 client

[0035] 22 Internet

[0036] 23 antivirus vendor's virus analysis center

[0037] 231 virus removal program

[0038] S110, S120, S130, S131, S132, S133, S134, S135, S141, S142,

[0039] S151, S152, S160 steps

Detailed description

[0040] The technical content of the present invention is illustrated below by specific embodiments; those skilled in the art can readily understand the other advantages and effects of the invention from what is disclosed in this specification. The invention may also be practiced or applied through other, different embodiments, and the details of this specification may be modified and altered in various ways from different viewpoints and for different applications without departing from the spirit of the invention.

[0041] Referring to FIG. 2, a schematic architecture diagram of one embodiment of the network virus protection system of the present invention applied in a network environment: the network virus protection system is deployed in the network 20 of an Internet Service Provider (ISP) or Internet Data Center (IDC) and is built in combination with the ISP/IDC network 20 and the antivirus vendor's virus analysis center 23. Its main purpose is to monitor and analyze new network attacks and malicious files that appear only in a specific region. The ISP/IDC network 20 provides the network access service platform through which the client 21 connects to the Internet 22, and it monitors the communication network traffic of the client 21. When, while the client 21 obtains network communication services, a malicious file or virus behavior is detected on the client 21, the connection of that communication service is blocked in real time, so that the infected client 21 cannot connect on its own to malicious sites on the Internet 22 to update and spread the virus (described in detail below).

[0042] Besides the botnet virus described in the background above, the network virus protection system of the present invention can also be applied to targeted-attack viruses, whose attack targets are chosen deliberately. Such a targeted-attack virus typically uses social engineering, through email and instant messaging software, to attack a particular enterprise or a particular group, such as the organizational network of a government agency, military unit or telecommunications company. Because the attack events of such a virus all occur within the attacked organization's network and do not spread outward as ordinary viruses do, the virus analysis infrastructure of general antivirus vendors cannot collect or analyze suspicious file samples of such targeted-attack viruses. With the network virus protection method and system of the present invention, however, suspicious file samples of such targeted-attack viruses can be collected and analyzed directly from the protected user traffic, so that infected clients are prevented from continuing to spread the virus within the organization's network, and causing further damage there, before the virus has been removed. Referring to FIG. 3, a block diagram of the basic system architecture of the network virus protection system of the present invention and of one embodiment of its application in the network environment shown in FIG. 2: as shown, the network virus protection system 200 installed on the ISP/IDC network 20 communicates through the network system with the client 21 and the antivirus vendor's virus analysis center 23, and comprises a monitoring module 210, an analysis module 220, a transmission module 230, a defense module 240, a virus removal module 250 and a database 201 for storing data.

[0043] The monitoring module 210 detects whether a suspicious file is present in the traffic of each client 21 while that client obtains Internet communication services. The monitoring module 210 monitors each client 21's network traffic as the basis for detecting whether a suspicious file has been downloaded; the communication services include, for example, email, web browsing, instant messaging, peer-to-peer (P2P) file sharing and FTP file transfer.
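As an added worked example, not part of the patent or of the assignee's implementation, the following Python sketch shows the kind of check a monitoring module 210 can apply to reassembled HTTP downloads: it flags a response as a suspicious file sample when the body carries an executable signature, and records why, including the case where the declared Content-Type or the file name claims something harmless. The Transaction record, the magic-byte table and the traffic are constructed for this example and are not described in the patent.

```python
"""Monitoring module sketch: flag downloads in client traffic that deserve
sandbox analysis.  Added example, not the patent's own code.

Assumptions not stated in the patent: HTTP responses have already been
reassembled into Transaction records, and a download counts as suspicious
when the body starts with an executable signature, in particular when the
declared Content-Type or the URL's file extension claims something else."""
from dataclasses import dataclass

# Well-known magic bytes of executable formats (general knowledge, not from the patent).
EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}
EXEC_EXT = (".exe", ".dll", ".scr", ".com")
DECLARED_BENIGN = ("image/", "text/", "video/", "audio/")


@dataclass
class Transaction:
    client: str        # client IP address
    url: str           # requested URL
    content_type: str  # declared Content-Type of the response
    body: bytes        # response body (the first bytes are enough here)


def executable_kind(body: bytes):
    """Return 'pe', 'elf' or None according to the body's magic bytes."""
    for magic, kind in EXEC_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def classify(tx: Transaction):
    """Return a reason string when the download should be captured, else None."""
    kind = executable_kind(tx.body)
    if kind is None:
        return None
    path = tx.url.split("?", 1)[0].lower()
    name = path.rsplit("/", 1)[-1]
    if tx.content_type.lower().startswith(DECLARED_BENIGN):
        return f"{kind} body declared as {tx.content_type}"
    if not name.endswith(EXEC_EXT):
        return f"{kind} body behind non-executable name {name}"
    return f"{kind} download"


def capture_samples(transactions):
    """Emulate S110/S120: one sample record per suspicious download."""
    samples = []
    for tx in transactions:
        reason = classify(tx)
        if reason is not None:
            samples.append({"client": tx.client, "url": tx.url,
                            "reason": reason, "sample": tx.body})
    return samples


# Constructed traffic (documentation address range, .invalid host names).
TRAFFIC = [
    Transaction("192.0.2.10", "http://cdn.example.invalid/logo.png",
                "image/png", b"\x89PNG\r\n\x1a\n"),
    Transaction("192.0.2.10", "http://cdn.example.invalid/photo.jpg",
                "image/jpeg", b"MZ\x90\x00\x03\x00\x00\x00"),     # PE disguised as JPEG
    Transaction("192.0.2.11", "http://dl.example.invalid/setup.exe",
                "application/octet-stream", b"MZ\x90\x00"),      # plain installer
    Transaction("192.0.2.12", "http://dl.example.invalid/report.pdf",
                "application/octet-stream", b"\x7fELF\x02\x01"),  # ELF behind .pdf
    Transaction("192.0.2.13", "http://www.example.invalid/index.html",
                "text/html", b"<!DOCTYPE html>"),
]

if __name__ == "__main__":
    for s in capture_samples(TRAFFIC):
        print(s["client"], s["url"], "->", s["reason"])
```

Magic bytes are checked before the declared type or the file name because a dropper controls both of the latter; a plain installer is still captured, since the patent's analysis step, not the monitor, decides whether a file is malicious.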

[0044] When the monitoring module 210 finds a suspicious file in the traffic of a client 21 obtaining network communication services, for example when the client's network traffic becomes abnormal during that process, the analysis module 220 captures a sample 211 of the suspicious file and temporarily stores it in the database 201 for determining whether the sample 211 contains a network virus and what malicious behavior that virus may perform, and generates the network virus behavior analysis report 221 corresponding to the sample 211. The analysis module 220 first moves the captured sample 211 into a sandbox and opens it there, analyzing whether the sample 211 attacks the system and produces an executable attack program; if so, it further analyzes the security of that executable attack program, for example whether the program attempts to modify system settings, exploit vulnerabilities, steal system data, download further attack programs from outside, or perform other malicious-program behavior, so that a sample 211 containing a harmful executable program is identified as a malicious file. Next, the analysis module 220 identifies the file's virus behavior pattern by opening the malicious file: for example, the virus behavior already carried out, the behavior in progress and the behavior about to be executed. The analysis module 220 then analyzes whether the malicious file issues network access requests; if so, it extracts information such as the file's network access paths and the names of the accessing programs, and monitors the malicious file's network access requests, thereby identifying the malicious sites and virus control host associated with the malicious file. These malicious sites and the virus control host correspond to the address information of the control terminal 11 shown in FIG. 1, so the address of the network virus's control host is determined proactively for subsequent real-time and effective defensive measures. After completing the above analysis steps, the analysis module 220 records the network virus present in the malicious file and its behavior pattern (such as its controlled and infection behavior), together with the addresses of the associated malicious sites and virus control host, and generates the network virus behavior analysis report 221.

[0045] The transmission module 230 sends the suspicious file sample 211 captured by the monitoring module 210 and the corresponding network virus behavior analysis report 221 generated by the analysis module 220 to the antivirus vendor's virus analysis center 23, so that the center can produce the matching virus removal program 231.

[0046] The defense module 240 imports into its virus database the findings of the analysis module 220, namely the network virus present in the malicious file and its behavior pattern, and the address information of the malicious sites and bot-virus control host associated with the malicious file, and uses them to perform targeted virus protection for only those clients 21 infected by the malicious file. For example, it cuts off each infected client 21's network connection path so that the client cannot connect on its own to malicious sites to mutate the virus, and it blocks the addresses of the malicious sites and virus control host recorded in the network virus behavior analysis report 221, so that the other clients 21 in the network are not infected by the virus and the virus cannot spread further within that particular network region. In other words, the virus's network behavior is blocked from the network side, preventing infected clients from mutating the virus or being controlled by the virus control host, and causing further damage, before the removal program has cleaned them.
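As an added example, not the patent's code, the following Python sketch shows how a defense module 240 can enforce a report 221 at the ISP/IDC edge: the control-host and malicious-site indicators become a destination blocklist that applies to every client, and infected clients are quarantined. The report format, the flow tuples and the decision to leave quarantined clients a path to a remediation host (so that the removal program 231 can still reach them) are assumptions made for this example; the patent only says that the infected client's network path is cut.

```python
"""Defense module sketch: enforce a network virus behavior analysis report
at the ISP/IDC edge.  Added example, not the patent's own code.

Assumptions not in the patent: the report is the dict shape used below,
a flow is (src_ip, dst_ip, dst_hostname_or_None), and quarantined clients
keep a path to a remediation host so the removal program can be delivered."""
import ipaddress


class DefenseModule:
    def __init__(self, remediation_hosts=()):
        self.blocked_hosts = set()   # malicious site / control host names
        self.blocked_nets = []       # malicious site / control host addresses
        self.quarantined = set()     # infected client addresses
        self.remediation = {h.lower() for h in remediation_hosts}

    def ingest_report(self, report):
        """Load the report's indicators into the module's 'virus database'."""
        for indicator in report["c2_indicators"]:
            try:
                self.blocked_nets.append(ipaddress.ip_network(indicator, strict=False))
            except ValueError:       # not an address or prefix: treat as a host name
                self.blocked_hosts.add(indicator.lower())
        self.quarantined.update(report["infected_clients"])

    def _destination_blocked(self, dst_ip, dst_host):
        if dst_host and dst_host.lower() in self.blocked_hosts:
            return True
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in net for net in self.blocked_nets)

    def decide(self, src_ip, dst_ip, dst_host=None):
        """Action for one flow: block:c2, block:quarantine, allow:remediation or allow."""
        # Blocking the control host applies to every client, infected or not;
        # that is what keeps the virus from spreading inside the region.
        if self._destination_blocked(dst_ip, dst_host):
            return "block:c2"
        if src_ip in self.quarantined:
            if dst_ip in self.remediation or (dst_host and dst_host.lower() in self.remediation):
                return "allow:remediation"
            return "block:quarantine"
        return "allow"


def apply_policy(module, flows):
    """Decide every flow in order; returns the list of actions."""
    return [module.decide(*flow) for flow in flows]


# Constructed report, in the shape an analysis module might hand over.
REPORT = {
    "sample": "invoice.pdf.exe",
    "verdict": "malicious",
    "c2_indicators": ["203.0.113.5", "198.51.100.0/24", "update.example.invalid"],
    "infected_clients": ["192.0.2.10"],
}

# Constructed flows (documentation address ranges, .invalid/.example names).
FLOWS = [
    ("192.0.2.10", "203.0.113.5", None),                     # infected -> control host
    ("192.0.2.10", "192.0.2.250", "av.isp.example"),         # infected -> remediation host
    ("192.0.2.10", "192.0.2.80", "www.example.com"),         # infected -> ordinary site
    ("192.0.2.11", "198.51.100.7", None),                    # healthy -> address in C2 prefix
    ("192.0.2.11", "192.0.2.80", "update.example.invalid"),  # healthy -> control host by name
    ("192.0.2.11", "192.0.2.80", "www.example.com"),         # healthy -> ordinary site
]

if __name__ == "__main__":
    module = DefenseModule(remediation_hosts=["192.0.2.250"])
    module.ingest_report(REPORT)
    for flow, action in zip(FLOWS, apply_policy(module, FLOWS)):
        print(flow, "->", action)
```

Indicators are matched both by address and by name because a bot that resolves its control host through DNS can move to a new address while the name in the report stays valid; matching only one of the two leaves a gap the virus variant can use.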

[0047] The virus removal module 250 receives the virus removal program 231 produced and returned by the antivirus vendor's virus analysis center 23 and executes the corresponding virus removal job on each client 21 operating in the virus-protection state. Because the defense module 240 has already applied real-time defensive measures to each infected client 21, the virus present on an infected client 21 cannot mutate while the removal program is being produced, which would otherwise leave the removal program 231 out of step with the virus and unable to remove it. This effectively raises the success rate of virus removal and solves the problem that conventional antivirus software, relying solely on signature updates, cannot remove fast-mutating virus variants.

[0048] FIG. 4 is a processing flowchart of the network virus protection method of the present invention. As shown, step S110 is executed first: it detects whether a suspicious file is present on each client 21 while that client obtains network communication services. Specifically, the network traffic of each client 21 is monitored to see whether a suspicious file comes to be stored on the client 21 in the course of, for example, sending and receiving email, browsing the web, instant messaging, peer-to-peer (P2P) file sharing or FTP file transfer. If so, the process proceeds to step S120; if not, step S110 is repeated.

[0049] In step S120, a sample 211 of the suspicious file found during the network communication service is captured and temporarily stored in the database 201, after which the process proceeds to step S130. [0050] In step S130, the suspicious file sample 211 in the database 201 is analyzed for the presence of a network virus and the virus behavior that network virus may perform, the corresponding network virus behavior analysis report 221 is generated, and the process proceeds to steps S141 and S142.

[0051] In step S141, the captured suspicious file sample 211 and its corresponding network virus behavior analysis report 221 are sent to the antivirus vendor's virus analysis center 23, so that the center can produce the matching virus removal program 231; the process then proceeds to step S151.

[0052] In step S151, the virus removal program 231 produced and returned by the antivirus vendor's virus analysis center 23 is received; the method then proceeds to step S160.

[0053] In step S142, once the analysis has established that the suspicious file sample 211 in the database 201 contains a network virus and what malicious behavior that virus may carry out, and the corresponding network virus behavior analysis report 221 has been generated, the suspicious file sample 211 and the report 221 are imported into the virus defense module; the method then proceeds to step S152.

[0054] In step S152, based on the network virus and the virus behavior pattern data recorded in the network virus behavior analysis report 221 for the malicious file, the defense module cuts off the network connection path of each infected client 21 so that the client cannot connect on its own to a malicious site and mutate the virus there. It also blocks the addresses of the malicious network sites and of the virus control host associated with the malicious file, as recorded in the report 221, so that other clients 21 on the network are not infected by the virus and the virus cannot spread further within that network segment; the method then proceeds to step S160.
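The following is an added example, not code from the patent, of how the two defensive measures of step S152 can be derived from a report: each infected client is placed in a quarantine chain that only lets it reach the network-side protection service, and the recorded control host and malicious site addresses are loaded into block sets that apply to every client behind the gateway. The rules are emitted as iptables/ipset command strings for a Linux gateway in the forwarding path and are not executed; the report, the remediation address and the chain and set names are constructed or assumed, and control host entries are assumed to be IPv4 addresses over TCP.

```python
"""Added example (not the patent's code): turn the addresses recorded in a
network virus behavior analysis report into the defensive rules of step S152.
Emits iptables/ipset command strings for an assumed Linux gateway; nothing is
executed.  Report contents, remediation address and chain/set names are
constructed or assumed; C2 entries are assumed to be IPv4 over TCP."""
import ipaddress

REMEDIATION_SERVER = "203.0.113.10"      # assumed address of the protection service
QUARANTINE_CHAIN = "VIRUS_QUARANTINE"
C2_SET, SITE_SET = "c2_block", "malsite_block"

SAMPLE_REPORT = {                        # constructed, shaped like a step S135 result
    "sample_sha256": "0" * 64,
    "infected_clients": ["192.0.2.45", "192.0.2.46"],
    "c2_hosts": ["198.51.100.7:6667", "198.51.100.9:443", "127.0.0.1:80"],
    "malicious_sites": ["198.51.100.20", "10.0.0.5"],
}

# A report that a sample influenced (it chooses what it connects to) must not be
# able to black-hole the operator's own infrastructure: never block these
# ranges or the remediation server itself.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def safe_to_block(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                     # hostnames must be resolved and vetted first
    if ip.version != 4 or ip_text == REMEDIATION_SERVER:
        return False
    return not any(ip in net for net in _NEVER_BLOCK)

def split_host_port(entry):
    host, sep, port = entry.rpartition(":")
    return (host, int(port)) if sep else (entry, None)

def build_rules(report):
    """Return {'rules': [...], 'skipped': [...]} for one analysis report."""
    rules = [
        # quarantine chain: an infected client may talk only to the protection service
        f"iptables -N {QUARANTINE_CHAIN}",
        f"iptables -A {QUARANTINE_CHAIN} -d {REMEDIATION_SERVER} -j ACCEPT",
        f"iptables -A {QUARANTINE_CHAIN} -j DROP",
        # shared block sets: C2 host:port pairs and malicious site addresses
        f"ipset create {C2_SET} hash:ip,port -exist",
        f"ipset create {SITE_SET} hash:ip -exist",
        f"iptables -I FORWARD -m set --match-set {C2_SET} dst,dst -j DROP",
        f"iptables -I FORWARD -m set --match-set {SITE_SET} dst -j DROP",
    ]
    skipped = []
    for client in report["infected_clients"]:
        ipaddress.ip_address(client)     # reject garbage before it reaches a shell
        rules.append(f"iptables -I FORWARD -s {client} -j {QUARANTINE_CHAIN}")
    for entry in report["c2_hosts"]:
        host, port = split_host_port(entry)
        if not safe_to_block(host):
            skipped.append(entry)
        elif port is None:
            rules.append(f"ipset add {SITE_SET} {host} -exist")
        else:
            rules.append(f"ipset add {C2_SET} {host},tcp:{port} -exist")
    for site in report["malicious_sites"]:
        if safe_to_block(site):
            rules.append(f"ipset add {SITE_SET} {site} -exist")
        else:
            skipped.append(site)
    return {"rules": rules, "skipped": skipped}

if __name__ == "__main__":
    result = build_rules(SAMPLE_REPORT)
    print("\n".join(result["rules"]))
    print("skipped (protected address space):", result["skipped"])
```

The skip list matters in practice: a sample can deliberately contact a shared CDN address, a public DNS resolver or the gateway itself so that an automatic block harms uninfected clients, which is why the addresses a report records should pass an allowlist before they become rules.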

[0055] In step S160, the virus removal program 231 produced and returned by the antivirus vendor's virus analysis center 23 is used to run the corresponding virus removal job on each client that is in the virus-protection operating mode.

[0056] It should be noted that, unlike the prior art, the invention does not decide whether a suspicious file contains a network virus by means of virus signatures. Instead it opens the suspicious file and determines whether the file is malicious, or behaves maliciously, from information such as whether it contains an executable program, modifies system data, attacks system vulnerabilities, or issues network access requests. This strengthens the ability to detect unknown and special-purpose viruses, which ordinary antivirus software cannot provide. FIG. 5 details the processing flow of step S130 of FIG. 4, the analysis of the network virus; the network virus described below is, for example, a botnet virus or a targeted-attack virus aimed at a specific target. First, in step S131, the suspicious file sample captured from the network communication service of each client 21 is moved into a sandbox and opened there; the method then proceeds to step S132.

[0057] In step S132, it is determined whether the opened suspicious file sample contains an executable program or attack code. If so, the method proceeds to step S133; if not, the network virus analysis processing of the method ends and step S110 of FIG. 4 may be performed.

[0058] In step S133, it is determined whether the behavior pattern carried out by the executable program or attack code is safe, for example by observing whether the suspicious file sample attacks system vulnerabilities or accesses the file system or the boot sector without authorization, so as to decide whether the executable program is a malicious file. If so, the method proceeds to step S134; if not, the network virus analysis processing ends and step S110 of FIG. 4 may be performed.

[0059] In step S134, the network virus present in the malicious file and its virus behavior pattern are recorded; the method then proceeds to step S135.

[0060] In step S135, information such as the network access path of the malicious file and the name of the accessing program is recorded, and the network access requests of the malicious file are monitored in order to determine the address information of the malicious network sites and of the virus control host associated with the malicious file, thereby actively locating the virus control host so that the relevant defensive measures can later be carried out in real time and effectively. The network virus analysis processing of the method then ends, and steps S141 and S142 of FIG. 4 may be performed.
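The following is an added example, not code from the patent, of the decisions in steps S132 to S135 applied to the kind of event trace a sandbox emits after opening a sample: was an executable actually run, did it do anything the description treats as unsafe (writing system files, installing an autorun entry, writing the boot sector), and which addresses and names it contacted and from which program. The event schema, the protected-path and autorun lists, and both traces are constructed assumptions; a real sandbox's log format will differ, and exploit attempts against vulnerabilities are not modelled here.

```python
"""Added example (not the patent's code): classify a sandbox execution trace in
the spirit of steps S132-S135 and produce a behavior analysis report.  The event
schema, the path/registry lists and the traces are constructed assumptions."""
from urllib.parse import urlsplit

SAMPLE_TRACE = [   # constructed events from detonating "invoice.exe"
    {"event": "process_start", "pid": 1234, "image": "C:\\Users\\u\\Downloads\\invoice.exe"},
    {"event": "file_write", "pid": 1234, "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"event": "registry_set", "pid": 1234,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"event": "raw_disk_write", "pid": 1234, "device": "\\\\.\\PhysicalDrive0", "offset": 0, "size": 512},
    {"event": "dns_query", "pid": 1234, "name": "cc.example.net"},
    {"event": "connect", "pid": 1234, "proto": "tcp", "dst": "198.51.100.7", "port": 6667},
    {"event": "http_request", "pid": 1234, "url": "http://198.51.100.20/p/stage2.bin"},
    {"event": "file_write", "pid": 999, "path": "C:\\Windows\\Temp\\svc.log"},   # unrelated process
]
BENIGN_TRACE = [   # constructed: a viewer opens a document and exits
    {"event": "process_start", "pid": 777, "image": "C:\\Program Files\\Viewer\\viewer.exe"},
    {"event": "file_read", "pid": 777, "path": "C:\\Users\\u\\Downloads\\report.pdf"},
]

PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")    # assumed policy
AUTORUN_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
BOOT_SECTOR_BYTES = 512

def analyze_trace(sample_id, sample_image, trace):
    """Steps S132-S135 over one trace: executable? unsafe? which addresses?"""
    report = {"sample": sample_id, "executable": False, "verdict": "no_executable",
              "behaviors": [], "c2_hosts": [], "malicious_sites": [],
              "dns_names": [], "access_programs": set()}
    tracked = set()          # pids belonging to the sample and its children
    image_by_pid = {}
    for ev in trace:
        kind = ev["event"]
        if kind == "process_start":
            image_by_pid[ev["pid"]] = ev["image"]
            if ev["image"].lower() == sample_image.lower() or ev.get("ppid") in tracked:
                tracked.add(ev["pid"])
                report["executable"] = True          # step S132: something ran
            continue
        if ev.get("pid") not in tracked:
            continue                                 # ignore other sandbox activity
        # step S133: behaviour that marks the file as malicious
        if kind == "file_write" and ev["path"].lower().startswith(PROTECTED_PREFIXES):
            report["behaviors"].append(f"system_file_write:{ev['path']}")
        elif kind == "registry_set" and any(m in ev["key"].lower() for m in AUTORUN_MARKERS):
            report["behaviors"].append(f"autorun_persistence:{ev['key']}")
        elif kind == "raw_disk_write" and ev["offset"] < BOOT_SECTOR_BYTES:
            report["behaviors"].append(f"boot_sector_write:{ev['device']}")
        # step S135: network access paths, accessing program, C2 and site addresses
        elif kind == "connect":
            report["c2_hosts"].append(f"{ev['dst']}:{ev['port']}")
            report["access_programs"].add(image_by_pid[ev["pid"]])
        elif kind == "http_request":
            host = urlsplit(ev["url"]).hostname
            if host:
                report["malicious_sites"].append(host)
            report["access_programs"].add(image_by_pid[ev["pid"]])
        elif kind == "dns_query":
            report["dns_names"].append(ev["name"])
    if report["executable"]:
        report["verdict"] = "malicious" if report["behaviors"] else "benign"
    report["access_programs"] = sorted(report["access_programs"])
    return report

if __name__ == "__main__":
    print(analyze_trace("s1", "C:\\Users\\u\\Downloads\\invoice.exe", SAMPLE_TRACE))
    print(analyze_trace("s2", "C:\\Users\\u\\Downloads\\report.pdf", BENIGN_TRACE))
```

Two points the description leaves implicit are made explicit here: only activity of the sample's own process tree is attributed to it, so background noise in the sandbox does not produce a false verdict, and the network addresses are kept even when they are names rather than IP addresses, because a control host reached through DNS has to be blocked by resolving or sinkholing the name, not by an address the sample never contacted directly.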

[0061] In summary, the network virus protection system and method of the invention have the following effects:

[0062] (1) When a suspicious file is detected while a client is obtaining network communication services, defensive measures are taken in real time, so that uninfected clients are prevented from connecting to malicious sites or network virus control hosts and becoming victims, and already infected clients are prevented from being controlled by attackers to carry out malicious actions, thereby preventing the spread of the network virus.

[0063] (2) Because the communication path from the infected computer to the malicious site or virus control host is cut off in real time, the virus on the infected computer is prevented from updating itself, so the produced virus removal program does not fall out of step with the virus and virus removal does not fail.

[0064] (3) The invention can be deployed in an ISP/IDC network, can analyze new network attacks and malicious files that appear only in a specific region, and can produce a virus removal program to clean up that region-specific malicious program, making it more targeted than ordinary antivirus software.

[0065] (4) The invention monitors network traffic and directly opens suspicious files to analyze and monitor whether they contain executable programs, modify system data, attack system vulnerabilities, or issue network access requests. Compared with ordinary antivirus software, which relies on virus signatures for its decisions, the invention strengthens the ability to detect unknown and special-purpose viruses that ordinary antivirus software cannot provide, and more effectively reduces the risk of clients suffering virus attacks.

[0066] The above merely illustrates embodiments of the network virus protection system and method of the invention and is not intended to limit the scope of its substantive technical content. The substantive technical content of the network virus protection system and method of the invention is broadly defined in the claims; any technical entity or method completed by others that is identical to, or an equivalent variation of, what is defined in the claims of the invention is regarded as falling within the scope protected by the claims.


Claims (9)

1. A network virus protection system connected through a network system to clients and to an antivirus vendor's virus analysis center, characterized in that the system comprises: a monitoring module for detecting, while each client is obtaining network communication services, whether a suspicious file is present in that client's traffic; an analysis module for capturing, when the monitoring module detects a suspicious file in the traffic of a client obtaining network communication services, a suspicious file sample of that suspicious file so as to analyze whether the suspicious file sample contains a network virus and what malicious behavior that network virus may carry out, and for generating a network virus behavior analysis report corresponding to the suspicious file sample; a transmission module for transmitting the suspicious file sample captured by the monitoring module and the corresponding network virus behavior analysis report generated by the analysis module to the antivirus vendor's virus analysis center, so that the center can produce a matching virus removal program; a defense module for providing, through the network system and based on the suspicious file sample captured by the monitoring module and the corresponding network virus behavior analysis report generated by the analysis module, a network-side virus protection service to the clients infected by the suspicious file sample, so that the infected clients operate in a virus-protection operating mode; and a virus removal module for receiving the virus removal program produced and returned by the antivirus vendor's virus analysis center and running the corresponding virus removal job on the clients in the virus-protection operating mode.
2. The network virus protection system according to claim 1, characterized in that the network virus is a botnet virus or a targeted-attack virus aimed at a specific target.
3. The network virus protection system according to claim 1, characterized in that the network virus protection system is deployed in an ISP or IDC network.
4. The network virus protection system according to claim 1, characterized in that the analysis module moves the captured suspicious file sample into a sandbox and opens it there so as to analyze whether the suspicious file sample contains an executable program or attack code, performs a security analysis so that a harmful suspicious file sample is determined to be a malicious file, records the network virus present in the malicious file and its virus behavior pattern, monitors whether the malicious file issues network access requests, and records the network access path of the malicious file, from which the address information of the malicious network sites and of the virus control host associated with the malicious file is determined.
5. The network virus protection system according to claim 4, characterized in that the defense module imports the network virus and its virus behavior pattern found by the analysis module in the malicious file, together with the address information of the malicious network sites and of the virus control host associated with the malicious file, into the virus database of the defense module, and the defense module provides, through the network system, the corresponding network-side virus protection service to the clients infected by the malicious file.
6. A network virus protection method, in which a network virus protection system is connected through a network system to clients and to an antivirus vendor's virus analysis center so that the network virus protection system performs virus protection processing for the clients, comprising the following steps: 1) the network virus protection system detects whether a suspicious file is present on a client that is obtaining network communication services; 2) the network virus protection system captures a suspicious file sample from the client on which the suspicious file is present, so as to analyze whether the suspicious file sample contains a network virus and what malicious behavior that network virus may carry out, and generates a corresponding network virus behavior analysis report; 3) the network virus protection system transmits the captured suspicious file sample and its corresponding network virus behavior analysis report to the antivirus vendor's virus analysis center so that the center can produce a matching virus removal program, and, based on the captured suspicious file sample and its corresponding network virus behavior analysis report, provides a network-side virus protection service to the clients infected by the suspicious file sample so that the infected clients operate in a virus-protection operating mode; and 4) the network virus protection system receives the virus removal program produced and returned by the antivirus vendor's virus analysis center and runs the corresponding virus removal job on the clients in the virus-protection operating mode.
7. The network virus protection method according to claim 6, characterized in that in step 1) the network traffic of each client is monitored as the basis for detecting whether each client obtaining network communication services has downloaded a suspicious file.
8. The network virus protection method according to claim 6, characterized in that step 2) further comprises the following steps: 2-1) moving the captured suspicious file sample into a sandbox and opening it there; 2-2) analyzing whether the suspicious file sample contains an executable program; 2-3) performing a security analysis of the executable program present in the suspicious file sample so that a harmful executable program is determined to be a malicious file, and recording the network virus present in the malicious file and its virus behavior pattern; and 2-4) monitoring whether the malicious file issues a network access request and, if so, recording the network access path of the malicious file, from which the address information of the malicious network sites and of the virus control host associated with the malicious file is determined.
9. The network virus protection method according to claim 6, characterized in that the network virus is a botnet virus or a targeted-attack virus aimed at a specific target.
CN2010105215105A 2010-10-21 2010-10-21 Method and system for defending network virus CN102457495A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105215105A CN102457495A (en) 2010-10-21 2010-10-21 Method and system for defending network virus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010105215105A CN102457495A (en) 2010-10-21 2010-10-21 Method and system for defending network virus

Publications (1)

Publication Number Publication Date
CN102457495A true CN102457495A (en) 2012-05-16

Family

ID=46040160

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010105215105A CN102457495A (en) 2010-10-21 2010-10-21 Method and system for defending network virus

Country Status (1)

Country Link
CN (1) CN102457495A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040030913A1 (en) * 2002-08-08 2004-02-12 Trend Micro Incorporated System and method for computer protection against malicious electronic mails by analyzing, profiling and trapping the same
CN101127638A (en) * 2007-06-07 2008-02-20 飞塔信息科技(北京)有限公司 A system and method with active virus automatic prevention and control
CN101827096A (en) * 2010-04-09 2010-09-08 潘燕辉;周勇兵 Cloud computing-based multi-user collaborative safety protection system and method

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103679015A (en) * 2012-09-04 2014-03-26 江苏中科慧创信息安全技术有限公司 Attacking control method for protecting kernel system
CN103902895A (en) * 2012-12-24 2014-07-02 腾讯科技(深圳)有限公司 Botnet network control protocol mining method and device
CN104123494A (en) * 2013-04-24 2014-10-29 贝壳网际(北京)安全技术有限公司 Early warning method and device of malicious software dynamic behavior analysis system
CN104123494B (en) * 2013-04-24 2017-12-29 贝壳网际(北京)安全技术有限公司 Warning Method malware dynamic behavior analysis systems and equipment
CN104281806A (en) * 2013-07-01 2015-01-14 宁夏新航信息科技有限公司 Automatic computer virus detection system
CN104618427A (en) * 2014-12-17 2015-05-13 百度在线网络技术(北京)有限公司 Method and device for monitoring file via network
CN104618427B (en) * 2014-12-17 2016-08-24 百度在线网络技术(北京)有限公司 A method and apparatus for monitoring a file is performed through the network
CN105262722A (en) * 2015-09-07 2016-01-20 深信服网络科技(深圳)有限公司 Terminal malicious traffic rule updating method, cloud server and security gateway
CN105262722B (en) * 2015-09-07 2018-09-21 深信服网络科技(深圳)有限公司 Terminal malicious traffic rules update method, cloud server and gateway security
WO2017107616A1 (en) * 2015-12-24 2017-06-29 华为技术有限公司 Method, apparatus and system for detecting security conditions of terminal
CN106921608A (en) * 2015-12-24 2017-07-04 华为技术有限公司 Method, device and system for detecting safety status of terminal
CN105915556A (en) * 2016-06-29 2016-08-31 北京奇虎科技有限公司 Method and equipment for determining attack surfaces of terminals
CN105915556B (en) * 2016-06-29 2019-02-12 北京奇虎科技有限公司 A kind of determination method and apparatus in the attack face of terminal

Similar Documents

Publication Publication Date Title
US8443446B2 (en) Method and system for identifying malicious messages in mobile communication networks, related network and computer program product therefor
Gu et al. Bothunter: Detecting malware infection through ids-driven dialog correlation.
US8204984B1 (en) Systems and methods for detecting encrypted bot command and control communication channels
JP5351883B2 (en) System and method for analyzing unauthorized intrusion into a computer network
CN100448203C (en) System and method for identifying and preventing malicious intrusions
US10068091B1 (en) System and method for malware containment
CA2480455C (en) System and method for detecting an infective element in a network environment
US7984493B2 (en) DNS based enforcement for confinement and detection of network malicious activities
CN1946077B (en) System and method for detecting abnormal traffic based on early notification
US10171490B2 (en) System and method for strategic anti-malware monitoring
Geer Malicious bots threaten network security
Antonakakis et al. Understanding the mirai botnet
CN102246490B (en) System and method for classification of unwanted or malicious software
EP2106085B1 (en) System and method for securing a network from zero-day vulnerability exploits
CN101924762B (en) Cloud security-based active defense method
Freiling et al. Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks
US20060015715A1 (en) Automatically protecting network service from network attack
CN101986324B (en) Asynchronous processing of events for malware detection
US8832829B2 (en) Network-based binary file extraction and analysis for malware detection
Hoque et al. Network attacks: Taxonomy, tools and systems
Modi et al. A survey of intrusion detection techniques in cloud
Liu et al. Botnet: classification, attacks, detection, tracing, and preventive measures
US9092823B2 (en) Internet fraud prevention
US8561177B1 (en) Systems and methods for detecting communication channels of bots
Wang et al. Honeypot detection in advanced botnet attacks

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)