CN102968592A - Computer-virus detecting method and device - Google Patents

Publication number: CN102968592A
Authority: CN (China)
Prior art keywords: password, client, error event, password error, identification
Legal status: Pending
Application number: CN2012104785276A
Other languages: Chinese (zh)
Inventors: 杨鹏, 高献伟, 柳敬武
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd

Abstract

The embodiment of the invention provides a computer-virus detecting method and device. The method comprises the following steps: recording password error events, wherein each password error event comprises a client identifier, a process identifier and a time identifier; counting the number of password error events of the same process of the same client within a preset time; judging whether that number exceeds a preset threshold; and, if it does, determining that the process is a computer-virus source. The method can significantly increase the accuracy of detecting computer viruses that use passwords as their means of attack; at the same time, the detection method has low computational complexity, uses only time and process as dimensions, and has a simple detection criterion that is easy to maintain and optimize.

Description

Computer Virus Detection Method and Device
Technical field
The present invention relates to the field of computers, and in particular to a computer virus detection method and device.
Background
A computer virus is a set of computer instructions or program code that its author inserts into a computer program to destroy computer functions or data, that affects the use of the computer, and that can replicate itself. Unlike a medical "virus", a computer virus does not occur naturally; it is a set of instructions or program code that someone writes by exploiting the inherent weaknesses of computer software and hardware. It can hide in a computer's storage medium (or in a program) by some means and is activated when certain conditions are met. By modifying other programs it places an exact copy of itself, or a possibly evolved form, into them, thereby infecting those programs and damaging computer resources.
At present, one class of computer virus uses password guessing as its means of attack. After running, the virus copies itself into a computer system directory and, using a password dictionary, tries the passwords in the dictionary one by one to access other computers. That is, it tries to guess the administrator password of other computers on the network and, once a guess succeeds, sends the virus file to those computers. The virus logs in to a designated Internet Relay Chat (IRC) channel under a specific nickname to accept remote control by the attacker, who can then direct the infected computers to launch attacks.
At present, commonly used virus detection methods include the signature (feature code) method and the behavior monitoring method. The signature method is the simplest and lowest-overhead way to detect known viruses. It works by collecting samples of known viruses and building a virus database. When detection begins, the file under inspection is opened and searched for any virus signature contained in the virus database. If a signature is found in the file, then, because signatures correspond one-to-one with viruses, it can be concluded which virus the file is infected with.
The behavior monitoring method uses behavioral characteristics peculiar to viruses to detect them. Years of observation and study of viruses show that some behaviors are common to viruses and are rather distinctive, while in normal programs these behaviors are rare. A program's behavior is monitored while it runs, and an alarm is raised immediately if virus behavior is found.
However, the above virus detection methods are general-purpose solutions, and they have difficulty detecting computer viruses that use password guessing as their means of attack.
Summary of the invention
An embodiment of the present invention provides a computer virus detection method and device that can accurately detect computer viruses that use password guessing as their means of attack.
In a first aspect, a computer virus detection method is provided, comprising: recording password error events, each comprising a client identifier, a process identifier and a time identifier; counting the number of password error events of the same process of the same client within a preset time; judging whether that number exceeds a preset threshold; and, if it does, determining that the process is a computer virus source.
In a first implementation of the first aspect, recording password error events comprises: receiving a password error event reported by a first client; and recording the password error event reported by the first client.
In a second implementation, in combination with the first aspect or its first implementation, the password error event comprises: an indication, fed back by a second client to the first client, that the password used by a process of the first client to access the second client is a wrong password, together with the first client's identifier, the process identifier and a time identifier of when the password error occurred.
In a second aspect, a computer virus detection server is provided, comprising: a recording module, configured to record password error events, each comprising a client identifier, a process identifier and a time identifier; a statistics module, configured to count, from the password error events recorded by the recording module, the number of password error events of the same process of the same client within a preset time; a judging module, configured to judge whether that number exceeds a preset threshold; and a processing module, configured to determine that the process is a computer virus source when the judging module determines that the number of password error events of the same process of the same client within the preset time exceeds the preset threshold.
In a third aspect, a computer virus detection client is provided, comprising: a receiving module, configured to receive password error events, each comprising a process identifier and a time identifier; a recording module, configured to record the password error events; a statistics module, configured to count, from the password error events recorded by the recording module, the number of password error events of the same process within a preset time; a judging module, configured to judge whether that number exceeds a preset threshold; and a processing module, configured to determine that the process is a computer virus source when the judging module determines that the number of password error events of the same process within the preset time exceeds the preset threshold.
In a fourth aspect, a computer virus detection client is also provided, comprising: a receiving unit, configured to receive a password error event returned by a second client, the password error event comprising a first client identifier, a process identifier and a time identifier; and a sending unit, configured to send the password error event to the logout server, so that the logout server handles the process according to the number of password error events of the same process of the same client.
The computer virus detection method of the embodiment of the present invention counts the password error events of the same process within a preset time; if the number exceeds the normal value, the process is considered to be the virus source process. The method can significantly improve the accuracy of detecting computer viruses that use passwords as their means of attack. At the same time, the detection method has low computational complexity, uses only time and process as dimensions, and has a simple detection criterion that is easy to maintain and optimize.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a computer virus detection method according to one embodiment of the present invention;
Fig. 2 is a schematic flowchart of a computer virus detection method according to another embodiment of the present invention;
Fig. 3 is a schematic flowchart of a computer virus detection method according to yet another embodiment of the present invention;
Fig. 4A is a schematic structural block diagram of a computer virus detection server according to one embodiment of the present invention;
Fig. 4B is a schematic structural block diagram of a computer virus detection server according to a further embodiment of the present invention;
Fig. 5A is a schematic structural block diagram of a computer virus detection client according to one embodiment of the present invention;
Fig. 5B is a schematic structural block diagram of a computer virus detection client according to another embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flowchart of a computer virus detection method according to one embodiment of the present invention. As shown in Fig. 1, the method comprises:
101. Record password error events; each password error event comprises a client identifier, a process identifier and a time identifier.
Optionally, before recording a password error event, the logout server also receives the password error event sent by the first client.
Specifically, the first client is provided with a monitoring device that can monitor the connections between all processes of the first client and other clients. When a process of the first client tries to access the second client using some password, the second client authenticates the access according to the password the process used. If the password used by the process is inconsistent with the password preset on the second client, the second client feeds back a password error event to the first client; the password error event also includes the first client's identifier, the process identifier of the process, and the time at which the password error event occurred. After receiving the password error event fed back by the second client, the first client can confirm, according to the password authentication conventions of the network protocol, that it is a password error event returned by the second client after password verification, and reports it to the logout server. The logout server records the password error events reported by the first client.
Optionally, the second client can also report the password error event directly to the logout server.
102. Count the number of password error events of the same process of the same client within a preset time.
Specifically, the time range for counting can be set in advance through the network management system; for example, it can be set to 1 minute. The logout server counts, according to the preset time range, the number of password error events of the same process of the same client within that range.
It should be noted that the time range can be made shorter to improve detection precision, but the present invention does not limit the time range.
Optionally, the logout server uses the process identifier, client identifier and time identifier in each password error event to accumulate, within the preset time, the password error events that have the same client identifier and the same process identifier, obtaining the number of password error events of that process within the preset time range.
103. Judge whether the number of password error events of the same process of the same client within the preset time exceeds a preset threshold.
Specifically, the threshold against which the logout server judges the number of password error events can be set through the network management system, for example to 200. The logout server uses the preset threshold to judge whether the number of password error events of the same process of the same client within the preset time exceeds it. That is, a count greater than the preset threshold exceeds it; a count less than or equal to the preset threshold does not.
It should be noted that, to improve detection precision, the preset threshold can be updated in real time according to detection results; the embodiment of the present invention does not limit the preset threshold.
104. If the number of password error events of the same process of the same client within the preset time exceeds the preset threshold, determine that the process is a computer virus source.
When the logout server judges that the number of password error events of the same process within the preset time exceeds the preset threshold, it determines that the process is a computer virus source.
Optionally, the logout server can return the process identifier and the identifier of the client on which the process runs to that client, which displays the virus source process to alert the user.
With the computer virus detection method described above, the password error events of the same process within a preset time are counted; if the number exceeds the normal value, the process is considered to be the virus source process. The method can significantly improve the accuracy of detecting computer viruses that use passwords as their means of attack; in actual tests, when this detection method was used to detect the well-known computer worm Conficker, the accuracy was not less than 95%. At the same time, the detection method has low computational complexity, uses only time and process as dimensions, and has a simple detection criterion that is easy to maintain and optimize.
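The counting and threshold check of steps 101 to 104, as an added Python example that is not part of the patent text. Assumptions: a sliding window anchored at the newest event of each (client, process) pair, the class and field names, and the constructed sample events; the 1-minute window and the threshold of 200 are the page's own example values.

```python
import bisect
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordErrorEvent:
    """One password error event (hypothetical field names)."""
    client_id: str    # client identifier: machine whose process sent the bad password
    process_id: str   # process identifier on that client, e.g. "A.Pa"
    timestamp: float  # time identifier, in seconds


class PasswordErrorDetector:
    """Steps 101-104: record events, count them per (client, process) within
    the preset time, compare with the preset threshold, flag the process."""

    def __init__(self, window_seconds=60.0, threshold=200):
        self.window = window_seconds      # page's example: 1 minute
        self.threshold = threshold        # page's example: 200 events
        self._times = defaultdict(list)   # (client, process) -> sorted timestamps
        self.flagged = {}                 # (client, process) -> time first flagged

    def record(self, event):
        """Record one event; return the in-window count for its (client, process)."""
        key = (event.client_id, event.process_id)
        times = self._times[key]
        # Reports may arrive out of order (either client can report), so insert sorted.
        bisect.insort(times, event.timestamp)
        newest = times[-1]
        # Keep only the window (newest - window, newest]; older entries expire.
        del times[:bisect.bisect_right(times, newest - self.window)]
        # "Exceeds" means strictly greater; a count equal to the threshold is not a hit.
        if len(times) > self.threshold:
            self.flagged.setdefault(key, newest)
        return len(times)


def build_sample_events():
    """Constructed sample data, not taken from the page."""
    events = []
    # Client A, process A.Pa: 201 failures in 50 s -> exceeds the threshold of 200.
    events += [PasswordErrorEvent("A", "A.Pa", i * 0.25) for i in range(201)]
    # Same client, another process: exactly 200 failures -> does not exceed it.
    events += [PasswordErrorEvent("A", "A.Pb", i * 0.25) for i in range(200)]
    # Client B: 300 failures, one per second -> never more than 60 in any minute.
    events += [PasswordErrorEvent("B", "B.Px", float(i)) for i in range(300)]
    return sorted(events, key=lambda e: e.timestamp)


def detect(events, window_seconds=60.0, threshold=200):
    """Feed events through a detector; return {(client, process): flag time}."""
    detector = PasswordErrorDetector(window_seconds, threshold)
    for event in events:
        detector.record(event)
    return dict(detector.flagged)


if __name__ == "__main__":
    for (client, process), when in detect(build_sample_events()).items():
        print(f"client {client}: process {process} flagged at t={when:.2f}s")
```

Counts are kept per (client, process) pair, so failures from two processes on the same client are never added together, and a slow guesser that stays under the threshold in every window is not flagged.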
The computer virus detection method of the embodiment of the present invention is described further below, taking process A.Pa of client A as an example.
Fig. 2 is a schematic flowchart of a computer virus detection method according to another embodiment of the present invention. As shown in Fig. 2, the method comprises:
201. Process A.Pa of client A accesses client B using a first password.
Optionally, the first password may be one that A.Pa picks at random from a password library.
202. Client B authenticates process A.Pa according to the first password; authentication fails, and client B returns a password error event to client A.
Specifically, client B may agree on an access password with client A in advance. If the password that process A.Pa of client A uses to access client B is inconsistent with the password agreed in advance, client B returns a password error event to client A, informing client A that the password process A.Pa used to access client B is a wrong password.
203. Client A records the password error event, the time at which it occurred, and the identifier of process A.Pa.
Optionally, client A can also report the password error event to the logout server, which records it.
204. Client A counts the number of password error events of process A.Pa within a preset time.
Specifically, the time range for counting can be set in advance on client A; for example, it can be set to 1 minute. Client A counts, according to the preset time range, the number of password error events of the same process within that range.
It should be noted that the time range can be made shorter to improve detection precision, but the present invention does not limit the time range.
205. Client A judges whether the number of password error events of process A.Pa within the preset time exceeds a preset threshold.
Specifically, the threshold against which client A judges the number of password error events can be set in advance, for example to 200. Client A uses the preset threshold to judge whether the number of password error events of the same process within the preset time exceeds it. That is, a count greater than the preset threshold exceeds it; a count less than or equal to the preset threshold does not.
It should be noted that, to improve detection precision, the preset threshold can be updated in real time according to detection results; the embodiment of the present invention does not limit the preset threshold.
206. If the number of password error events of the same process within the preset time exceeds the preset threshold, client A determines that process A.Pa is a computer virus source.
Optionally, after client A judges that the number of password error events of the same process within the preset time exceeds the preset threshold and determines that process A.Pa is a computer virus source, it can show the virus source process A.Pa on a display device to alert the user.
With the computer virus detection method described above, the password error events of the same process within a preset time are counted; if the number exceeds the normal value, the process is considered to be the virus source process. The method can significantly improve the accuracy of detecting computer viruses that use passwords as their means of attack; in actual tests, when this detection method was used to detect the well-known computer worm Conficker, the accuracy was not less than 95%. At the same time, the detection method has low computational complexity, uses only time and process as dimensions, and has a simple detection criterion that is easy to maintain and optimize.
Fig. 3 is a schematic flowchart of a computer virus detection method according to yet another embodiment of the present invention. As shown in Fig. 3, the method comprises:
301. Receive a password error event; the password error event comprises a client identifier, a process identifier and a time identifier.
Specifically, the logout server receives a password error event sent by the second client. When a process of the first client accesses the second client using some password, the second client authenticates the process according to that password. If the password used by the process is not the access password agreed in advance between the first client and the second client, the second client returns a password error event to the logout server, informing it that the password this process of the first client used to access the second client is a wrong password. The password error event also carries the first client's identifier, the process identifier and the time at which the password error event occurred.
302. Record the password error event.
Specifically, the logout server records the password error event reported by the second client, the first client's identifier, the process identifier and the time at which the password error event occurred.
303. Count the number of password error events of the same process within a preset time.
Specifically, the time range for counting can be set in advance through the network management system; for example, it can be set to 1 minute. The logout server counts, according to the preset time range, the number of password error events of the same process within that range.
304. Judge whether the number of password error events of the same process of the same client within the preset time exceeds a preset threshold.
Specifically, the threshold against which the logout server judges the number of password error events can be set through the network management system, for example to 200. The logout server uses the preset threshold to judge whether the number of password error events of the same process of the same client within the preset time exceeds it. That is, a count greater than the preset threshold exceeds it; a count less than or equal to the preset threshold does not.
305. If the number of password error events of the same process of the same client within the preset time range exceeds the preset threshold, determine that the process is a computer virus source.
Optionally, when the logout server judges that the number of password error events of the same process of the same client within the preset time exceeds the preset threshold, it determines that the process is a computer virus source and returns the process identifier and the identifier of the first client, on which the process runs, to that first client. The first client displays the process to alert the user that it is the virus source process.
Optionally, the logout server can also return the process identifier and the identifier of the first client, on which the process runs, to the second client. The second client displays the virus source process and the first client identifier to alert the user that a virus source on the first client is trying to attack the second client.
Fig. 4A is a schematic structural block diagram of a computer virus detection server according to one embodiment of the present invention. As shown in Fig. 4A, the computer virus detection server comprises:
a receiving module 401, configured to receive the password error event reported by the first client;
a recording module 402, configured to record the password error event received by the receiving module 401, the password error event comprising a client identifier, a process identifier and a time identifier;
a statistics module 403, configured to count, from the password error events recorded by the recording module 402, the number of password error events of the same process within a preset time;
a judging module 404, configured to judge whether the number of password error events of the same process of the same client within the preset time exceeds a preset threshold;
a processing module 405, configured to determine that the process is a computer virus source when the judging module 404 determines that the number of password error events of the same process of the same client within the preset time exceeds the preset threshold.
Optionally, the server also comprises a sending module 406, configured to send the process identifier to the first client for display when the processing module 405 determines that the process is a computer virus source.
It should be noted that this computer virus detection server can perform the functions of the logout server illustrated in Fig. 1 or Fig. 3.
Fig. 4B is a schematic structural block diagram of a computer virus detection server according to a further embodiment of the present invention. As shown in Fig. 4B, the computer virus detection server comprises:
a processor 501, a memory 502, a communication interface 504 and a bus 503; the processor 501, the memory 502 and the communication interface 504 are connected by the bus 503 and communicate with one another through it.
The processor 501 may be a single-core or multi-core central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiment of the present invention.
The memory 502 may be high-speed RAM or non-volatile memory, for example at least one disk memory.
The memory 502 is used to store a program 505. Specifically, the program 505 may include program code, and the program code includes computer operation instructions.
The processor 501 runs the program 505 to take part in carrying out the computer virus detection method described in Fig. 1 or Fig. 3.
Specifically, the computer virus server of the embodiment of the present invention can take part in carrying out the embodiments described in Figs. 1 to 3, which are not repeated here.
Fig. 5A is a schematic structural block diagram of a computer virus detection client according to one embodiment of the present invention. As shown in Fig. 5A, the computer virus detection client comprises:
a receiving module 601, configured to receive a password error event, the password error event comprising a process identifier and a time identifier;
a recording module 602, configured to record the password error event received by the receiving module 601;
a statistics module 603, configured to count, from the password error events recorded by the recording module 602, the number of password error events of the same process within a preset time;
a judging module 604, configured to count, from the password error events recorded by the recording module, the number of password error events of the same process within the preset time;
a processing module 605, configured to determine, when the judging module determines that the number of password error events of the same process within the preset time exceeds a preset threshold, that the process is a computer virus source, which is shown by a display module.
Optionally, the client can also comprise a display module 606, configured to display the computer virus source process to alert the user.
Optionally, the computer virus detection client in another embodiment of the present invention can comprise only:
a receiving unit and a sending unit, wherein the receiving unit is configured to receive a password error event returned by the second client, the password error event comprising a first client identifier, a process identifier and a time identifier, and the sending unit is configured to send the password error event to the logout server, so that the logout server handles the process according to the number of password error events of the same process of the same client.
It should be noted that the computer virus detection client of the embodiment of the present invention can be used to perform the functions of client A as shown in Fig. 2, which are not repeated here.
Fig. 5B is a schematic structural block diagram of a computer virus detection client according to another embodiment of the present invention. As shown in Fig. 5B, the client comprises:
a processor 701, a memory 702, a communication interface 704 and a bus 703; the processor 701, the memory 702 and the communication interface 704 are connected by the bus 703 and communicate with one another through it.
The processor 701 may be a single-core or multi-core central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiment of the present invention.
The memory 702 may be high-speed RAM or non-volatile memory, for example at least one disk memory.
The memory 702 is used to store a program 707. Specifically, the program 707 may include program code, and the program code includes computer operation instructions.
The processor 701 runs the program 705 to take part in carrying out the computer virus detection method described in Fig. 2.
Specifically, the computer virus server of the embodiment of the present invention can take part in carrying out the embodiment described in Fig. 2, which is not repeated here.
With the computer virus detection client and server described above, the password error events of the same process within a preset time are counted; if the number exceeds the normal value, the process is considered to be the virus source process. The method can significantly improve the accuracy of detecting computer viruses that use passwords as their means of attack; in actual tests, when this detection method was used to detect the well-known computer worm Conficker, the accuracy was not less than 95%. At the same time, the detection method has low computational complexity, uses only time and process as dimensions, and has a simple detection criterion that is easy to maintain and optimize.
Those of ordinary skill in the art will recognize that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are executed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each specific application, but such an implementation should not be considered to go beyond the scope of the present invention.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are only schematic. The division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electrical, mechanical or other form of connection.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present invention.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and is sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a portable hard drive, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited to them. Any person skilled in the art can readily conceive of various equivalent modifications or replacements within the technical scope disclosed by the present invention, and these modifications or replacements shall all be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (14)

1. A computer virus detection method, characterized in that it comprises:
recording password error events, each password error event comprising a client identifier, a process identifier and a time identifier;
counting the number of password error events of the same process of the same client within a preset time;
judging whether the number of password error events of the same process of the same client within the preset time exceeds a preset threshold;
if the number of password error events of the same process of the same client within the preset time exceeds the preset threshold, determining that the process is the computer virus source.
2. The method of claim 1, characterized in that recording the password error event comprises:
receiving a password error event reported by a first client;
recording the password error event reported by the first client.
3. The method of claim 1 or 2, characterized in that the password error event comprises:
feedback from a second client to the first client that the password used by a process of the first client to access the second client is an incorrect password, together with the first client identifier, the process identifier and a time identifier of when the password error occurred.
4. The method of claim 3, characterized in that the password error event further comprises: the first client identifier.
5. A computer virus detection method, characterized in that it comprises:
receiving a password error event, the password error event comprising a process identifier and a time identifier;
recording the password error event;
counting the number of password error events of the same process within a preset time;
judging whether the number of password error events of the same process within the preset time exceeds a preset threshold;
if the number of password error events of the same process within the preset time exceeds the preset threshold, determining that the process is the computer virus source and displaying it.
6. The method of claim 1, characterized in that receiving the password error event comprises:
the first client receiving feedback from the second client that the password used by a process of the first client to access the second client is an incorrect password, together with the process identifier and a time identifier of when the password error occurred.
7. The method of claim 6, characterized in that the password error event further comprises: the first client identifier.
8. A computer virus detection server, characterized in that it comprises:
a recording module, configured to record password error events, each password error event comprising a client identifier, a process identifier and a time identifier;
a statistics module, configured to count, according to the password error events recorded by the recording module, the number of password error events of the same process of the same client within a preset time;
a judging module, configured to judge whether the number of password error events of the same process of the same client within the preset time exceeds a preset threshold;
a processing module, configured to determine that the process is the computer virus source when the judging module determines that the number of password error events of the same process of the same client within the preset time exceeds the preset threshold.
9. The server of claim 8, characterized in that it further comprises:
a receiving module, configured to receive a password error event reported by a first client;
a sending module, configured to send the process identifier to the first client for display when the processing module determines that the process is the computer virus source.
10. The server of claim 8 or 9, characterized in that the password error event received by the receiving module comprises:
feedback from a second client to the first client that the password used by a process of the first client to access the second client is an incorrect password, together with the first client identifier, the process identifier and a time identifier of when the password error occurred.
11. A computer virus detection client, characterized in that it comprises:
a receiving module, configured to receive a password error event, the password error event comprising a process identifier and a time identifier;
a recording module, configured to record the password error event;
a statistics module, configured to count, according to the password error events recorded by the recording module, the number of password error events of the same process within a preset time;
a judging module, configured to judge whether the number of password error events of the same process within the preset time exceeds a preset threshold;
a processing module, configured to determine that the process is the computer virus source when the judging module determines that the number of password error events of the same process within the preset time exceeds the preset threshold.
12. The client of claim 11, characterized in that the password error event received by the receiving module comprises: feedback from a second client to the client that the password used by a process of the client to access the second client is an incorrect password, together with the process identifier and a time identifier of when the password error occurred.
13. The client of claim 11, characterized in that it further comprises:
a display module, configured to display the virus source process determined by the determination module.
14. A computer virus detection client, characterized in that it comprises:
a receiving unit, configured to receive a password error event returned by a second client, the password error event comprising a first client identifier, a process identifier and a time identifier;
a transmitting unit, configured to send the password error event to a logging server, so that the logging server processes the process according to the number of password error events of the same process of the same client.
CN2012104785276A 2012-11-22 2012-11-22 Computer-virus detecting method and device Pending CN102968592A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012104785276A CN102968592A (en) 2012-11-22 2012-11-22 Computer-virus detecting method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2012104785276A CN102968592A (en) 2012-11-22 2012-11-22 Computer-virus detecting method and device

Publications (1)

Publication Number Publication Date
CN102968592A true CN102968592A (en) 2013-03-13

Family

ID=47798729

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012104785276A Pending CN102968592A (en) 2012-11-22 2012-11-22 Computer-virus detecting method and device

Country Status (1)

Country Link
CN (1) CN102968592A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030088680A1 (en) * 2001-04-06 2003-05-08 Nachenberg Carey S Temporal access control for computer virus prevention
CN101018373A (en) * 2007-01-22 2007-08-15 华为技术有限公司 Method for locking the mobile station device, mobile station device and network device
CN101047522A (en) * 2006-03-31 2007-10-03 腾讯科技(深圳)有限公司 Method for automatic adding member and its system
CN102104611A (en) * 2011-03-31 2011-06-22 中国人民解放军信息工程大学 Promiscuous mode-based DDoS (Distributed Denial of Service) attack detection method and device
CN102761872A (en) * 2012-08-01 2012-10-31 成都四方信息技术有限公司 Spam message intercepting method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105809034A (en) * 2016-03-07 2016-07-27 成都驭奔科技有限公司 Malicious software identification method
CN106897639A (en) * 2017-01-06 2017-06-27 奇酷互联网络科技(深圳)有限公司 The method and apparatus of mobile terminal and its safety verification
CN106897639B (en) * 2017-01-06 2020-12-22 奇酷互联网络科技(深圳)有限公司 Mobile terminal and security verification method and device thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20130313