CN102480483A - Server, user device and malware detection methods for server and user device - Google Patents

Server, user device and malware detection methods for server and user device


Publication number
CN102480483A
Authority
CN
China
Prior art keywords
server
user
rogue program
user device
client modules
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201010573905XA
Other languages
Chinese (zh)
Inventor
戴士尧
张瑜真
吴建兴
陈瑞发
郭斯彦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute for Information Industry
Original Assignee
Institute for Information Industry
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute for Information Industry filed Critical Institute for Information Industry
Priority to CN201010573905XA priority Critical patent/CN102480483A/en
Publication of CN102480483A publication Critical patent/CN102480483A/en
Pending legal-status Critical Current

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a server, a user device and malware detection methods for the server and the user device. The server is connected to the user device through a network and can record the execution records of the user device in real time. From the history of the user device's execution records, the server can detect whether the user device has malware and, according to the result of the judgment, determine the subsequent information security protection measures to be taken for the user device.

Description

Server, user device and malware detection method thereof
Technical field
The invention relates to a server, a user device and a malware detection method thereof. More specifically, in the server, user device and malware detection method of the present invention, the server records the execution records of the user device and thereby detects whether the user device has malware.
Background art
In current information security protection, antivirus software is generally used to detect virus programs. Specifically, to prevent data from being stolen or destroyed, a computer usually carries antivirus software with a virus database, where the virus database records the signatures of currently known virus programs. The antivirus software can thus check the files in the computer one by one by signature comparison. If the comparison finds a file that matches a signature, the file is confirmed to be a virus program.
However, with the rapid development of virus programs, the speed at which the virus database of antivirus software updates its virus signatures is insufficient to keep up with the growth rate of virus programs. In other words, because antivirus software detects virus programs by comparison against the virus database, if the virus database cannot obtain the signature of a new virus program immediately, the comparison result will be a misjudgment. On the other hand, the signatures stored in the virus database grow with the number of virus programs, so continuing to protect against virus programs by expanding the virus database on ordinary home PCs or personal mobile devices will burden devices with lower computing capability or smaller storage capacity.
In view of this, some existing antivirus software uses cloud computing: the virus database is stored on a remote server with stronger computing capability and larger capacity, and virus detection for the endpoint device is carried out over a network connection. This approach may relieve the burden on the endpoint device, but because detection still relies on the signatures in the virus database, the problem remains that the signature update speed of the virus database falls far behind the growth rate of virus programs. Therefore, whether antivirus software detects virus programs with its own virus database or with a remote virus database, it still carries a considerable risk of misjudgment, which leads to serious information security holes.
In summary, how to achieve real-time, efficient and complete virus detection is a goal the industry urgently needs to work toward.
Summary of the invention
To solve the aforementioned problem of insufficient information security protection, an object of the present invention is to provide a server, a user device and a malware detection method thereof, in which the server records the execution records of the user device and thereby judges whether the user device exhibits suspicious behavior, in order to further determine the measures required for subsequent security protection.
To achieve the aforementioned object, the present invention provides a malware detection method for a server, the server being connected to a first user device through a network. The malware detection method comprises the following steps: (a) causing the server to receive at least one first execution record from a first client module of the first user device; (b) causing the server to store the at least one first execution record of the first user device in a record table; (c) causing the server to determine, according to the record table, that the first user device has malware, and to transmit a malware notification to the first user device.
To achieve the aforementioned object, the present invention further provides a server for malware detection. The server is connected to a first user device through a network. The server comprises a transceiver, a memory and a processing unit. The transceiver receives at least one first execution record from a first client module of the first user device. The memory stores a record table, and the record table records the at least one first execution record. The processing unit determines, according to the record table, that the first user device has malware, and transmits a malware notification to the first user device through the transceiver.
To achieve the aforementioned object, the present invention also provides a malware detection method for a user device, the user device being connected to a server through a network. The malware detection method comprises the following steps: (a) causing a client module of the user device to transmit at least one execution record to the server; (b) causing the client module of the user device to receive, after step (a), a malware notification from the server, where the malware notification informs the user device that it has malware.
To achieve the aforementioned object, the present invention further provides a user device for malware detection. The user device is connected to a server through a network. The user device comprises a transceiver and a client module. The client module transmits at least one execution record to the server through the transceiver and receives a malware notification from the server through the transceiver, where the malware notification informs the user device that it has malware.
Through the technical features disclosed above, the server of the present invention can record the behavior pattern of the user device in real time and judge accordingly whether the user device has malware. The server can further determine, according to the result of the judgment, the subsequent information security protection measures to be taken for the user device.
Description of drawings
To make the above objects, features and advantages of the present invention more apparent, specific embodiments of the invention are described in detail below with reference to the accompanying drawings, in which:
Fig. 1A is a schematic diagram of the server of the first embodiment of the invention;
Fig. 1B is a schematic diagram of the first user device of the first embodiment of the invention;
Fig. 1C is a schematic diagram of the network connection of the first embodiment of the invention;
Fig. 2A is a schematic diagram of the server of the second embodiment of the invention;
Fig. 2B is a schematic diagram of the first user device of the second embodiment of the invention;
Fig. 2C is a schematic diagram of the network connection of the second embodiment of the invention;
Fig. 3A is a schematic diagram of the server of the third embodiment of the invention;
Fig. 3B is a schematic diagram of the first user device of the third embodiment of the invention;
Fig. 3C is a schematic diagram of the network connection of the third embodiment of the invention;
Fig. 4A is a schematic diagram of the server of the fourth embodiment of the invention;
Fig. 4B is a schematic diagram of the first user device of the fourth embodiment of the invention;
Fig. 4C is a schematic diagram of the second user device of the fourth embodiment of the invention;
Fig. 4D is a flow chart of the service transmission method of the fourth embodiment of the invention;
Fig. 5 is a flow chart of the malware detection method of the fifth embodiment of the invention;
Fig. 6 is a flow chart of the malware detection method of the sixth embodiment of the invention;
Fig. 7 is a flow chart of the malware detection method of the seventh embodiment of the invention; and
Fig. 8 is a flow chart of the malware detection method of the eighth embodiment of the invention.
Description of the main reference numerals:
1: network
11: server
110: malware removal notification
111: transceiver
112: malicious behavior notification
113: memory
1130: record table
115: processing unit
13: first user device
130: first execution record
131: transceiver
139: client module
17: second user device
170: second execution record
171: transceiver
179: client module
Embodiments
The content of the present invention is explained below through embodiments. However, the embodiments are not intended to limit the invention to any environment, application or manner described in the embodiments. The description of the embodiments therefore serves only to explain the invention, not to directly limit it. It should be noted that in the following embodiments and drawings, elements not directly related to the invention are omitted and not shown.
First, refer to Fig. 1A and Fig. 1B, which are schematic diagrams of a server 11 and a first user device 13 of the first embodiment of the invention, respectively. The server 11 comprises a transceiver 111, a memory 113 holding a record table 1130, and a processing unit 115. The first user device 13 comprises a transceiver 131 and a client module 139. It should be noted that the client module 139 of the first user device 13 can be a system module installed at the bottom layer of the system, which can be made virus-free by means such as running independently or being read-only to the system. The functions and interactions of the hardware modules of the server 11 and the first user device 13 are described in detail below.
Referring also to Fig. 1C, the server 11 is connected to the user device 13 through a network 1. It should be emphasized that the connections among the server 11, the first user device 13 and the network 1 in Fig. 1C are illustrative only and do not restrict the network environment of the invention to wireless only or wired only. First, the first user device 13 performs various actions in response to various active programs, and performing these actions triggers execution records. An execution record can be a record of any form of triggered behavior. So that those skilled in the art can more clearly understand the technical features of the invention, the execution records in the following embodiments can be regarded as system calls, although this does not limit the form of an execution record.
Then, after the first user device 13 triggers at least one first execution record 130, the client module 139 of the first user device 13 sends the at least one first execution record 130 to the server 11 through the transceiver 131. In other words, the transceiver 111 of the server 11 receives the at least one first execution record 130 from the client module 139 of the first user device 13. The server 11 then stores the at least one first execution record 130 in the record table 1130 of the memory 113. Subsequently, the processing unit 115 of the server 11 determines, according to the content recorded in the record table 1130 of the memory 113, that the first user device 13 has malware (not shown), and transmits a malware notification 140 to the first user device 13 through the transceiver 111. The client module 139 of the first user device 13 then receives the malware notification 140 from the server 11 through the transceiver 131. The malware notification 140 informs the first user device 13 that it has the malware.
Specifically, the processing unit 115 of the server 11 can judge, from the at least one first execution record 130 recorded in the record table 1130 of the memory 113, whether the system call represented by the at least one first execution record 130 was triggered by reasonable behavior. If the processing unit 115 judges that the system call represented by the at least one first execution record 130 was not triggered by reasonable behavior, the program that initiated the at least one first execution record 130 is malware. Conversely, if the processing unit 115 judges that the system call represented by the at least one first execution record 130 was triggered by reasonable behavior, the program that initiated the at least one first execution record 130 currently shows no problematic behavior.
It should be noted that the invention mainly filters the execution records of the user device through the server; the foregoing therefore does not limit the order of recording the execution records and judging whether the user device has malware. Specifically, in the first embodiment, after the transceiver 111 of the server 11 receives the at least one first execution record 130 from the client module 139 of the first user device 13, the processing unit 115 of the server 11 can also first determine, according to the content of the at least one first execution record 130, whether the first user device 13 exhibits improper behavior, thereby judging that the first user device 13 has the malware, and send the malware notification 140 to the first user device 13. After the judgment is complete, the server 11 stores the at least one first execution record 130 in the record table 1130 of the memory 113 for subsequent judgments.
Through the foregoing, the server 11 described in the invention can judge, by real-time behavior monitoring, whether the first user device 13 has malware, so that the server 11 can carry out subsequent security protection handling. The following embodiments further set out forms this security protection handling can take.
Next, refer to Figs. 2A-2C, which are schematic diagrams of the second embodiment of the invention. It should first be explained that the way malware is detected in the second embodiment is the same as described in the first embodiment, and elements with the same reference numerals have the same function, so the details are not repeated. The description of the second embodiment below focuses on one form of the subsequent security protection.
Specifically, in the second embodiment, after the server 11 judges that the first user device 13 has the malware, the transceiver 111 of the server 11 notifies the client module 139 of the first user device 13 to remove the malware. In detail, after the processing unit 115 of the server 11 determines that the first user device 13 has the malware, the processing unit 115 of the server 11 sends a malware removal notification 110 through the transceiver 111 to the client module 139 of the first user device 13, so that the client module 139 of the first user device 13 removes the malware.
In other words, the client module 139 of the first user device 13 receives the malware removal notification 110 from the server 11 through the transceiver 131. The client module 139 of the first user device 13 can then learn from the malware removal notification 110 which malware the first user device 13 has, and proceed to remove it. Thus, in the manner described in the second embodiment, the client module 139 of the first user device 13 can remove the malware stored in the first user device 13, ensuring the security of subsequent behavior.
Next, refer to Figs. 3A-3C, which are schematic diagrams of the third embodiment of the invention. Likewise, the way malware is detected in the third embodiment is the same as described in the first embodiment, and elements with the same reference numerals have the same function, so the details are not repeated. The description of the third embodiment below focuses on another form of the subsequent security protection.
Specifically, in the third embodiment, after the server 11 judges that the first user device 13 has the malware, the processing unit 115 of the server 11 can further judge, according to the record table 1130 of the memory 113, at least one malicious behavior that the malware performed in the first user device 13. In detail, the processing unit 115 of the server 11 can further judge, from the at least one first execution record 130 recorded in the record table 1130 of the memory 113, which system calls the malware made in the first user device 13, and determine the at least one malicious behavior accordingly.
Subsequently, the processing unit 115 of the server 11 can transmit, according to the at least one malicious behavior, a malicious behavior notification 112 to the client module 139 of the first user device 13 through the transceiver 111. In other words, the client module 139 of the first user device 13 receives the malicious behavior notification 112 from the server 11 through the transceiver 131. The client module 139 of the first user device 13 can thereby learn the at least one malicious behavior that the malware performed earlier in the first user device 13, and carry out a recovery routine accordingly. For example, if the malware once stole a keying material in the first user device 13, the client module 139 of the first user device 13 can learn from the malicious behavior notification 112 that the malware stole a password, and the first user device 13 can then correct the password accordingly.
In the manner described in the third embodiment, the first user device 13 can learn what actions the malware has performed and carry out the corresponding correction and recovery procedures.
Next, refer to Figs. 4A-4D, which are schematic diagrams of the fourth embodiment of the invention. Likewise, the way malware is detected in the fourth embodiment is the same as described in the first embodiment, and elements with the same reference numerals have the same function, so the details are not repeated. The difference between the fourth embodiment and the first embodiment is that in the fourth embodiment the server 11 can carry out joint protection across a plurality of user devices.
First, refer to Fig. 4C, which is a schematic diagram of a second user device 17 of the fourth embodiment of the invention. The second user device 17 comprises a transceiver 171 and a client module 179. Similarly, the client module 179 of the second user device 17 is a system module installed at the bottom layer of the system, which can be made virus-free by means such as running independently or being read-only to the system. Then refer to Fig. 4D: the server 11 is further connected to the second user device 17 through the network 1.
Like the first user device 13, the second user device 17 triggers execution records when it performs various actions. After the second user device 17 triggers at least one second execution record 170, the client module 179 of the second user device 17 sends the at least one second execution record 170 to the server 11 through the transceiver 171. In other words, the transceiver 111 of the server 11 receives the at least one second execution record 170 from the client module 179 of the second user device 17. The server 11 then stores the at least one second execution record 170 in the record table 1130 of the memory 113.
Through the foregoing, the server 11 can judge, from the at least one first execution record 130 and the at least one second execution record 170 recorded in the record table 1130 of the memory 113, whether the malware of the first user device 13 has been copied to the second user device 17. In detail, if the malware of the first user device 13 is copied to the second user device 17, the triggered behavior produces system calls for copying a file. In other words, the at least one first execution record 130 and the at least one second execution record 170 transmitted by the client module 139 of the first user device 13 and the client module 179 of the second user device 17 will contain the record of the malware being copied between the first user device 13 and the second user device 17.
Accordingly, the processing unit 115 of the server 11 can judge, from the at least one first execution record 130 and the at least one second execution record 170 recorded in the record table 1130 of the memory 113, that the malware was copied to the second user device 17 via the first user device 13. By the same reasoning, conversely, the processing unit 115 of the server 11 can also judge, from the at least one first execution record 130 and the at least one second execution record 170 recorded in the record table 1130 of the memory 113, that the malware was copied to the first user device 13 via the second user device 17.
Thus, in the above manner, the server 11 can carry out the security protection behavior described in the previous embodiments on the first user device 13 and the second user device 17 at the same time, achieving joint protection across a plurality of user devices.
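The server-side flow of the first, third and fourth embodiments can be sketched as follows. This is an added example, not code from the patent: the record fields, the program and device names, the `BASELINE`/`PROTECTED` policy used to decide whether a system call is "reasonable", and the `send_file`/`recv_file` call names are all assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExecRecord:
    device: str                 # user device whose client module sent the record
    program: str                # program that triggered the system call
    syscall: str                # system call name (assumed vocabulary)
    target: str                 # file the call acted on
    peer: Optional[str] = None  # remote device for a network copy, else None


# Assumed policy: system calls considered reasonable for each known program.
BASELINE = {
    "editor.exe": {"open", "read", "write"},
    "backup.exe": {"open", "read", "send_file"},
    "netsvc.exe": {"recv_file"},
}
# Assumed policy: files that only the listed programs may touch.
PROTECTED = {"/secrets/passwords.db"}
PROTECTED_READERS = {"backup.exe"}


def is_reasonable(rec: ExecRecord) -> bool:
    """A call is reasonable if it is in the program's baseline and does not
    touch a protected file from a program that has no business reading it."""
    if rec.syscall not in BASELINE.get(rec.program, set()):
        return False
    if rec.target in PROTECTED and rec.program not in PROTECTED_READERS:
        return False
    return True


class DetectionServer:
    def __init__(self):
        self.record_table = []  # plays the role of record table 1130

    def receive(self, rec: ExecRecord) -> None:
        """Receive a record from a client module and store it in the table."""
        self.record_table.append(rec)

    def detect(self, device: str) -> list:
        """Programs on `device` with at least one unreasonable record; a
        non-empty result is what would trigger a malware notification."""
        return sorted({r.program for r in self.record_table
                       if r.device == device and not is_reasonable(r)})

    def malicious_behaviors(self, device: str, program: str) -> list:
        """Third embodiment: the system calls the flagged program made on the
        device, in arrival order, for the malicious behavior notification."""
        return [(r.syscall, r.target) for r in self.record_table
                if r.device == device and r.program == program]

    def propagation(self, program: str) -> list:
        """Fourth embodiment: (source, destination) device pairs for which
        BOTH sides reported the copy of `program`. Arrival order of the two
        reports does not matter."""
        sends = {(r.device, r.peer) for r in self.record_table
                 if r.syscall == "send_file" and r.target == program}
        recvs = {(r.peer, r.device) for r in self.record_table
                 if r.syscall == "recv_file" and r.target == program}
        return sorted(sends & recvs)


def build_demo() -> DetectionServer:
    """Constructed sample records; device-17 reports before device-13."""
    server = DetectionServer()
    for rec in [
        ExecRecord("device-17", "netsvc.exe", "recv_file", "updater.exe", "device-13"),
        ExecRecord("device-13", "editor.exe", "write", "/docs/report.txt"),
        ExecRecord("device-13", "updater.exe", "read", "/secrets/passwords.db"),
        ExecRecord("device-13", "updater.exe", "send_file", "updater.exe", "device-17"),
        ExecRecord("device-17", "updater.exe", "read", "/secrets/passwords.db"),
    ]:
        server.receive(rec)
    return server


if __name__ == "__main__":
    s = build_demo()
    print("device-13 flagged:", s.detect("device-13"))
    print("behaviors:", s.malicious_behaviors("device-13", "updater.exe"))
    print("copied from/to:", s.propagation("updater.exe"))
```

Requiring both devices to report the copy before asserting a direction keeps a single forged or missing record from producing a propagation verdict.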
A fifth embodiment of the invention is a malware detection method, whose flow chart is shown in Fig. 5. The method of the fifth embodiment is used with a server and a first user device (for example, the server 11 and the first user device 13 of the previous embodiments), the server being connected to the first user device through a network. The detailed steps of the fifth embodiment are as follows.
Step 501 is performed so that a client module of the first user device transmits at least one first execution record to the server. Step 502 is performed so that the server receives the at least one first execution record from the client module of the first user device. Step 503 is performed so that the server stores the at least one first execution record of the first user device in a record table. Step 504 is performed so that the server determines, according to the record table, that the first user device has malware, and transmits a malware notification to the first user device. Step 505 is performed so that the client module of the first user device receives the malware notification from the server. The malware notification informs the first user device that it has the malware.
Likewise, it should be noted that the foregoing flow does not limit the order of recording the execution record and judging whether the user device has malware. Specifically, in the fifth embodiment, the order of steps 503, 504 and 505 can be exchanged. In other words, after step 502 is performed and the server has received the at least one first execution record from the client module of the first user device, step 504 can be performed first, so that the server first determines, according to the content of the at least one first execution record, whether the first user device exhibits improper behavior and thereby judges that the first user device has the malware; step 505 is then performed, sending the malware notification to the first user device. After the judgment is complete, step 503 is performed and the server stores the at least one first execution record in the record table of the memory for subsequent judgments.
Through the foregoing, the malware detection method described in the invention can use the server to carry out real-time behavior monitoring and judge whether the user device has malware, so that the server can carry out subsequent security protection handling.
A sixth embodiment of the invention is a malware detection method, whose flow chart is shown in Fig. 6. It should be noted that the flow for judging malware in the sixth embodiment is the same as steps 501 to 505 described in the fifth embodiment, so the details are not repeated. The sixth embodiment focuses on one form of the subsequent security protection.
In the sixth embodiment, after steps 501 to 505 have been performed, step 506 is performed so that the server sends a malware removal notification to the first user device. Step 507 is performed so that the client module of the first user device receives the malware removal notification from the server. Step 508 is performed so that the client module of the first user device removes the malware according to the malware removal notification. Thus, the client module of the first user device can remove the malware stored in the first user device, ensuring the security of subsequent behavior.
A seventh embodiment of the invention is a malware detection method, whose flow chart is shown in Fig. 7. It should be noted that the flow for judging malware in the seventh embodiment is the same as steps 501 to 505 described in the fifth embodiment, so the details are not repeated. The seventh embodiment focuses on another form of the subsequent security protection.
In the seventh embodiment, after steps 501 to 505 have been performed, step 509 is performed so that the server judges, according to the record table, at least one malicious behavior that the malware performed in the first user device. Step 510 is performed so that the server transmits, according to the at least one malicious behavior, a malicious behavior notification to the client module of the first user device. Step 511 is performed so that the client module of the first user device receives the malicious behavior notification from the server. Step 512 is performed so that the client module of the first user device carries out a recovery routine according to the malicious behavior notification.
In the manner described in the seventh embodiment, the first user device can learn what actions the malware has performed and carry out the corresponding correction and recovery procedures.
An eighth embodiment of the invention is a malware detection method, whose flow chart is shown in Fig. 8. It should be noted that the flow for judging the malware in the eighth embodiment is the same as steps 501 to 505 described in the fifth embodiment, so the details are not repeated. The eighth embodiment explains how the invention carries out joint security defense across a plurality of user devices. The server of the eighth embodiment is further connected through the network to a second user device (for example, the second user device 17 of the previous embodiments). The detailed steps of the eighth embodiment are as follows.
In the eighth embodiment, after steps 501 to 505 have been performed, step 513 is performed so that a client module of the second user device transmits at least one second execution record to the server. Step 514 is performed so that the server receives the at least one second execution record from the client module of the second user device. Step 515 is performed so that the server stores the at least one second execution record of the second user device in the record table. Step 516 is performed so that the server judges, according to the record table, whether the malware was copied to the second user device via the first user device or copied to the first user device by the second user device.
It should be noted that the time at which the second user device sends the at least one second execution record is not limited to being after the first user device sends the at least one first execution record. In detail, the eighth embodiment mainly emphasizes that the server can record the execution records of the first user device and the second user device at the same time and judge accordingly whether there is a malware relationship between the two; therefore, the second user device may also send the at least one second execution record before the first user device sends the at least one first execution record. Thus, in the above manner, the server can further carry out the security protection behavior described in the previous embodiments on the first user device and the second user device, achieving joint protection across a plurality of user devices.
In summary, the server, user device and malware detection method of the present invention can effectively form a second line of protection after antivirus software fails to detect a virus, and through the historical content of the execution records, the server can assist the user device in carrying out subsequent protection and repair; the information security of the user device thereby receives more complete protection.
Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the invention. Any person skilled in the art may make minor modifications and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention shall be as defined by the claims.

Claims (16)

1. A rogue program detection method for a server, the server being connected to a first user device through a network, the rogue program detection method comprising the following steps:
(a) causing the server to receive at least one first execution record from a client module of the first user device;
(b) causing the server to store the at least one first execution record of the first user device in a record sheet;
(c) causing the server to confirm, according to the record sheet, that the first user device has a rogue program, and to transmit a rogue program notification to the first user device.
2. The rogue program detection method as claimed in claim 1, characterized in that it further comprises the following step after step (c):
(d) causing the server to send a rogue program removal notification to the client module of the first user device, so that the client module of the first user device removes the rogue program.
3. The rogue program detection method as claimed in claim 1, characterized in that it further comprises the following steps after step (c):
(d) causing the server to judge, according to the record sheet, at least one malicious act performed by the rogue program in the first user device;
(e) causing the server to transmit, according to the at least one malicious act, a malicious act notification to the client module of the first user device, so that the client module of the first user device carries out a recovery routine.
4. The rogue program detection method as claimed in claim 1, characterized in that the server is connected to a second user device through the network, and the rogue program detection method further comprises the following steps:
(d) causing the server to receive at least one second execution record from a client module of the second user device;
(e) causing the server to store the at least one second execution record of the second user device in the record sheet;
(f) causing the server to judge, according to the record sheet, that the rogue program was copied to the second user device via the first user device.
5. The rogue program detection method as claimed in claim 1, characterized in that the server is connected to a second user device through the network, and the rogue program detection method further comprises the following steps:
(d) causing the server to receive at least one second execution record from a client module of the second user device;
(e) causing the server to store the at least one second execution record of the second user device in the record sheet;
(f) causing the server to judge, according to the record sheet, that the rogue program was copied to the first user device via the second user device.
6. A server for rogue program detection, connected to a first user device through a network, the server comprising:
a transceiver for receiving at least one first execution record from a client module of the first user device;
a memory for storing a record sheet, the record sheet being used to record the at least one first execution record;
a processing unit for confirming, according to the record sheet, that the first user device has a rogue program, and for transmitting a rogue program notification to the first user device through the transceiver.
7. The server as claimed in claim 6, characterized in that the processing unit further sends a rogue program removal notification through the transceiver to the client module of the first user device, so that the client module of the first user device removes the rogue program.
8. The server as claimed in claim 6, characterized in that the processing unit is further used to judge, according to the record sheet stored in the memory, at least one malicious act performed by the rogue program in the first user device, and to transmit, according to the at least one malicious act, a malicious act notification through the transceiver to the client module of the first user device, so that the client module of the first user device carries out a recovery routine.
9. The server as claimed in claim 6, characterized in that the server is further connected to a second user device through the network, the transceiver is further used to receive at least one second execution record from a client module of the second user device, the record sheet of the memory is further used to record the at least one second execution record, and the processing unit is further used to judge, according to the record sheet, that the rogue program was copied to the second user device via the first user device.
10. The server as claimed in claim 6, characterized in that the server is further connected to a second user device through the network, the transceiver is further used to receive at least one second execution record from a client module of the second user device, the record sheet of the memory is further used to record the at least one second execution record, and the processing unit is further used to judge, according to the record sheet, that the rogue program was copied to the first user device via the second user device.
11. A rogue program detection method for a user device, the user device being connected to a server through a network, the rogue program detection method comprising the following steps:
(a) causing a client module of the user device to transmit at least one execution record to the server;
(b) after step (a), causing the client module of the user device to receive a rogue program notification from the server, wherein the rogue program notification is used to notify the user device that it has a rogue program.
12. The rogue program detection method as claimed in claim 11, characterized in that it further comprises the following steps after step (b):
(c) causing the client module of the user device to receive a rogue program removal notification from the server;
(d) causing the client module of the user device to remove the rogue program according to the rogue program removal notification.
13. The rogue program detection method as claimed in claim 11, characterized in that it further comprises the following steps after step (b):
(c) causing the client module of the user device to receive a malicious act notification from the server;
(d) causing the client module of the user device to carry out a recovery routine according to the malicious act notification.
14. A user device for rogue program detection, connected to a server through a network, the user device comprising:
a transceiver;
a client module for transmitting at least one execution record to the server through the transceiver, and for receiving a rogue program notification from the server through the transceiver, the rogue program notification being used to notify the user device that it has a rogue program.
15. The user device as claimed in claim 14, characterized in that the client module is further used to receive a rogue program removal notification from the server through the transceiver, and the client module removes the rogue program according to the rogue program removal notification.
16. The user device as claimed in claim 14, characterized in that the client module is further used to receive a malicious act notification from the server through the transceiver, and the client module carries out a recovery routine according to the malicious act notification.
CN201010573905XA 2010-11-22 2010-11-22 Server, user device and malware detection methods for server and user device Pending CN102480483A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010573905XA CN102480483A (en) 2010-11-22 2010-11-22 Server, user device and malware detection methods for server and user device

Publications (1)

Publication Number Publication Date
CN102480483A (en) 2012-05-30

Family

ID=46092965

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010573905XA Pending CN102480483A (en) 2010-11-22 2010-11-22 Server, user device and malware detection methods for server and user device

Country Status (1)

Country Link
CN (1) CN102480483A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1737722A (en) * 2005-08-03 2006-02-22 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
CN101388056A (en) * 2008-10-20 2009-03-18 成都市华为赛门铁克科技有限公司 Method, system and apparatus for preventing worm
US20100154059A1 (en) * 2008-12-11 2010-06-17 Kindsight Network based malware detection and reporting
CN101859349A (en) * 2009-04-13 2010-10-13 珠海金山软件有限公司 File screening system and file screening method for searching and killing malicious programs

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120530