CN103618626A - Method and system for generating safety analysis report on basis of logs - Google Patents


Info

Publication number
CN103618626A
Authority
CN
China
Prior art keywords
file
client
files
preset
white list
Legal status
Pending
Application number
CN201310625938.8A
Other languages
Chinese (zh)
Inventor
魏志江
Current Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd


Abstract

The invention discloses a method and system for generating a security analysis report on the basis of logs. The method monitors and records, in real time, the processes running on a client and the files run or downloaded on the client; compares the recorded processes and files with a preset blacklist and whitelist; records the content that is identical or similar to entries in those lists; and compiles statistics to generate the security analysis report. The method and system record a user's specific operations over a period in detail and warn and prompt about operations that carry security risk, solving the problem that security software neither records nor repeats its warning when a user ignores a risk warning and goes on to perform other dangerous operations. In addition, using cloud security technology, the recorded content of the security analysis report is transmitted to a cloud security center, which judges its security so that dangerous processes or files in the report can be identified quickly and an evaluation score can be given to the operations performed over the period.

Description

Method and system for generating safety analysis report based on log
Technical Field
The invention relates to the field of system security analysis reports, in particular to a method and a system for generating a security analysis report based on a log.
Background
With the rapid development of network technology, the way in which people acquire information has changed from traditional channels such as books, newspapers, television and radio to the internet. The internet transmits and shares rich, comprehensive information covering shopping, entertainment, news, advertising, chat and the like, so people can learn about the world without leaving home. It has thus become an irreplaceable and important way for people to learn, socialize and be entertained.
At present, because the internet provides a free and open platform and the cost of producing internet applications (software) and websites is low, new websites and applications appear endlessly, and genuine and fraudulent software and websites are mixed together. In particular, online shopping is becoming popular and people use their bank card information on the internet more and more frequently, which leads criminals to steal users' bank card information with online shopping trojans; these trojans are updated ever faster, phishing websites are increasing, and new fraud techniques emerge constantly.
In the prior art, a user may, through careless operation, click into a suspicious website or download a suspicious file, which may infect the client with malicious software such as online shopping trojans and thereby threaten the user's personal information and property. At this point the security software issues a risk warning, but if the user ignores it, the security software prompts no further, does not record the user's security-relevant operation, and cannot generate security-behavior warnings at different levels according to the severity of that operation. As a result, when a user ignores the security software's risk warnings over a long period and the software gives no repeated warning for the user's dangerous operations, the likelihood of infection by malicious software grows ever higher, leading to personal information leakage and property loss.
Disclosure of Invention
To this end, the present invention proposes a new method and system for log-based security analysis report generation that may address at least part of the above problems.
According to one aspect of the present invention, a method for log-based security analysis report generation is provided, comprising:
monitoring and recording, in real time, the processes run by the client and the files run or downloaded at the client;
comparing the recorded processes and files with a preset blacklist and whitelist, recording the content that is the same as or similar to entries in those lists, and compiling statistics to generate a security analysis report.
Preferably, after the comparison, recording and statistics described above, the method further comprises:
synchronizing the recorded processes and files to a cloud service, comparing them with a blacklist and whitelist preset on the cloud service, recording the content that is the same as or similar to entries in those lists, compiling statistics to generate a security analysis report, and feeding the report back to the client.
Preferably, compiling statistics to generate a security analysis report further comprises:
compiling the statistics and generating the security analysis report after giving the statistics a security rating according to a preset safety factor rule;
wherein the safety factor rule sets a corresponding level benchmark score and operation benchmark score for the monitored and recorded processes run by the client and files run or downloaded at the client.
Preferably, the processes further comprise: service processes, processes started by the user, and processes created by third-party programs.
Preferably, the files run or downloaded at the client further comprise:
files transmitted at the client, files on a storage device connected to the client, files received at the client through an instant messaging tool and/or e-mail, and files downloaded at the client through a download tool; wherein
the file types include executable files and non-executable files; the executable files comprise files with the suffix exe, script files, batch files and link files, and the non-executable files are office files.
Preferably, the preset blacklist and whitelist further comprise a blacklist and a whitelist, wherein
the blacklist and the whitelist each comprise: a feature code or feature script in a process, start-mode path information of the process, the level of the dynamic link library executed when the process is loaded, and the level or feature information of the uniform resource locator contained in an accessed website.
According to another aspect of the present invention, a system for log-based security analysis report generation is also provided, comprising a monitoring unit, an analysis unit and a reporting unit, wherein
the monitoring unit monitors and records, in real time, the processes run by the client and the files run or downloaded at the client;
the analysis unit compares the processes and files recorded by the monitoring unit with a preset blacklist and whitelist and then records the content that is the same as or similar to entries in those lists;
and the reporting unit compiles statistics on the content recorded by the analysis unit as the same as or similar to entries in the preset blacklist and whitelist, to generate a security analysis report.
Preferably, the analysis unit is further configured to synchronize the processes and files recorded by the monitoring unit to a cloud service, compare them with a blacklist and whitelist preset on the cloud service, record the content that is the same as or similar to entries in those lists, compile statistics to generate a security analysis report, and feed the report back to the client.
Preferably, the reporting unit is further configured to compile statistics on the content recorded by the analysis unit as the same as or similar to entries in the preset blacklist and whitelist, and to generate the security analysis report after giving the statistics a security rating according to a preset safety factor rule; wherein
the safety factor rule sets a corresponding level benchmark score and operation benchmark score for the monitored and recorded processes run by the client and files run or downloaded at the client.
Preferably, the processes further comprise: service processes, processes started by the user, and processes created by third-party programs.
Preferably, the files run or downloaded at the client, as monitored by the monitoring unit, further comprise:
files transmitted at the client, files on a storage device connected to the client, files received at the client through an instant messaging tool and/or e-mail, and files downloaded at the client through a download tool; wherein
the file types include executable files and non-executable files; the executable files comprise files with the suffix exe, script files, batch files and link files, and the non-executable files are office files.
Preferably, the preset blacklist and whitelist further comprise a blacklist and a whitelist, wherein
the blacklist and the whitelist each comprise: a feature code or feature script in a process, start-mode path information of the process, the level of the dynamic link library executed when the process is loaded, and the level or feature information of the uniform resource locator contained in an accessed website.
Compared with the prior art, the method and system for generating a security analysis report based on logs have the following effects:
1) by generating a security analysis report, the method records the user's specific security-relevant operations over a period of time in detail, warns and prompts about the user's operations that carry security risk, and effectively solves the problems that risk warnings are ignored by the user and that the security software neither records dangerous operations nor repeats its warnings and prompts;
2) using cloud security technology, the content recorded in the security analysis report is transmitted to the corresponding server of the cloud security center, which judges its security; dangerous processes or files in the report can thus be identified quickly, and an evaluation score is given to the user's operations over the period according to the result, so that the user can see intuitively and clearly whether any dangerous operations were performed and how many, which improves the user experience.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
Fig. 1 is a flowchart of a method for generating a log-based security analysis report according to a first embodiment of the present invention.
Fig. 2 is a flowchart of a method for generating a log-based security analysis report according to a second embodiment of the present invention.
Fig. 3 is a block diagram of a system for generating a log-based security analysis report according to a fourth embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Embodiments of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set top boxes, programmable consumer electronics, networked personal computers, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include the above systems, and the like.
The computer system/server may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
In order to keep up with the rate at which malicious programs are updated and to identify and remove them quickly, existing security software increasingly uses cloud security technology to intercept malicious programs. In cloud security technology, the features of suspicious files on a client are transmitted to a server of a cloud security center, the cloud security center judges the security of the suspicious files, and the client security software then reports and handles trojans according to the information returned by the cloud security center. The cloud architecture is a large client/server (CS) architecture. The core idea of the present invention is to collect the behaviors (a single behavior or a combination of a group of behaviors) of various programs, especially suspicious programs, through a large number of client computers, associate those behaviors with the features of the program, and record each program's features and its corresponding behavior record in a database at the server. At the server side, generalization and analysis can then be carried out in the database according to program behaviors, program features, or a group of behaviors and features together, so that software or programs can be classified as black or white. Further, corresponding removal or recovery measures can be taken against the malicious software on the blacklist. A program behavior may be, for example, loading a driver, generating a file, loading a program or code, adding a system startup item, or modifying a file or program, or the like, or a combination of a series of such behaviors.
A program feature may be an MD5 hash computed with MD5 (Message-Digest Algorithm 5), a SHA1 hash, a CRC (Cyclic Redundancy Check) code, or any other feature code that can uniquely identify the original program.
The present invention will be described in further detail below with reference to the accompanying drawings, but the present invention is not limited thereto.
Example one
Fig. 1 is a flowchart of a method for generating a log-based security analysis report according to a first embodiment of the present invention; the method includes:
Step 101: monitoring and recording, in real time, the processes running on the client and the files being run or downloaded at the client.
Step 102: comparing the recorded processes and files with a preset blacklist and whitelist, recording the content that is the same as or similar to entries in those lists, and compiling statistics to generate a security analysis report.
The processes further comprise service processes, processes started by the user, and created processes.
Here, a service process is one the user can see through the display interface as desktop information, My Documents information and similar content.
A started-and-running process may be process information obtained by combining the code or scripts executed by a program or module that runs after the client starts.
A created process may be process information created by a third-party device that runs after the client starts and resides on the local client.
The files run or downloaded at the client further comprise:
files transmitted at the client (IM (Instant Messenger) files), files on an external storage device of the client, files received at the client through an Instant Messenger and/or e-mail, and files downloaded at the client through a download tool; wherein
the file types include executable files (PE files) and non-executable files; the executable files comprise files with the suffix exe, script files, batch files and link files, and the non-executable files are office files (e.g., office documents); other file types may also be included and are not specifically limited here.
In step 102, after comparing the recorded processes and files with the preset blacklist and whitelist, recording the same or similar content, and compiling statistics to generate a security analysis report, the method further comprises:
synchronizing the recorded processes and files to the cloud service, comparing them with a blacklist and whitelist preset on the cloud service, recording the content that is the same as or similar to entries in those lists, and periodically (the period can be set by the user, for example a week, a month or a specific interval, and is not specifically limited here) compiling statistics to generate a security analysis report and feeding it back to the client.
In addition, the blacklist and whitelist preset in step 102 further comprise a blacklist and a whitelist, wherein
the blacklist and the whitelist each comprise: feature codes or feature scripts in a process, start-mode path information of the process, the level of the Dynamic Link Library (DLL) executed when the process is loaded, and the level or feature information of the Uniform Resource Locator (URL) contained in an accessed website.
In addition, the preset blacklist and whitelist may further include suspicious files or processes and unknown files or processes.
A file on an external storage device of the client is located by having an operating-system Application Programming Interface (API) function issue a query to the currently connected device, using the file's position information on that device.
In practice, some malicious programs create a folder and place a folder configuration file (desktop.ini) in it, create a scheduled task, or simulate mouse clicks; online shopping trojans and the like may even transmit a compressed package and decompress it onto the client desktop, having packed into it a CMD file, a bat file or a shortcut, or a single program information file (pif), an icon, an application file or a VBS script file, so that if the user actively clicks or inadvertently double-clicks to start it, the file contained in the package may cause harm. Therefore, in the scheme of the present invention, the blacklist and whitelist described above must be set so that the content of the client's monitoring records can be screened, these dangers found, and the problem effectively avoided.
When a user performs internet operations through a client, such as accessing a website, clicking a link address or entering information on a website, the corresponding service processes, processes started by the user, processes created by third-party programs and so on in the client are involved. By monitoring the client in real time, the user's operations can therefore be monitored further, and if an internet operation carries risk, the user can learn quickly and accurately which operation it was through the corresponding process.
In addition to the records above, step 101 in this embodiment also monitors and records compressed package files in real time (including the download source of the package, its storage path, its feature identifier, etc.), because some malware compresses CMD files (command prompt files), batch files, shortcut files, program information files, icons, application files, VBS script files, or shortcuts carrying trojans (or other malware) into compressed files (which may also generate folders and place folder configuration files named "desktop.
In addition, in step 102 the security analysis report is generated by compiling statistics periodically, and further:
the statistics are compiled periodically and given a security rating according to a preset safety factor rule (the safety factor rule is explained further in the third embodiment below) to generate the security analysis report.
In practical application, the recorded processes or files are stored in a local database (which may be an in-memory database, a cache database, etc., and is not limited here). For files, the database records, in addition to all files downloaded to the device to be protected (such as a client), certain special files (such as files contained in a compressed package), and records the decompression path and temporary decompression path of a compressed package when it is decompressed. For processes, the database records, in addition to service processes, processes started by the user and processes created by third-party programs, a process tree representing the parent-child relationships among processes. Alternatively, the recorded processes or files are uploaded directly to the cloud service (the cloud) in the manner described above.
Example two
Fig. 2 shows the method flow for generating a log-based security analysis report according to a second embodiment of the present invention; the flow includes:
Step 201: monitoring and recording, in real time, the processes run by the client and the files run or downloaded at the client.
Step 202: synchronizing the recorded processes and files to a cloud service, comparing them with a blacklist and whitelist preset on the cloud service, recording the content that is the same as or similar to entries in those lists, periodically compiling statistics on that content, giving the statistics a security rating according to a preset safety factor rule, and generating a security analysis report.
The comparison in step 202 may be performed as detection and comparison in blacklist/whitelist mode through a local security rule:
if the feature of an unknown program downloaded by user A is the same as or similar to the feature of a known program in the existing blacklist or whitelist, the unknown program's feature and its program behavior are added to that blacklist or whitelist.
Of course, as a preferred mode, the preset blacklist and whitelist may also be stored on a cloud service server, and the recorded processes run by the client and the files involved in downloading are sent to the cloud service for comparison, that is, a cloud query, as in step 202.
The preset blacklist and whitelist further comprise a blacklist and a whitelist, wherein
the blacklist and the whitelist each comprise: a feature code or feature script in a process, start-mode path information of the process, the level of the dynamic link library executed when the process is loaded, and the level or feature information of the uniform resource locator contained in an accessed website. They may also comprise suspicious files or processes and unknown files or processes.
It should be noted that when a cloud service query (also referred to as a cloud query) is performed, the operation (specifically, the query) must follow a corresponding cloud rule, which for files and processes comprises: comparing the file name, file size, file feature information, file icon information, product name, internal name, original file name, process command line, process path, parent process path and the like with the preset contents for lookup. Of course, other processes or files may be compared in other ways, which are not limited in this application.
For example, when a process performs a dangerous operation, the recorded DLL (Dynamic Link Library) files corresponding to the process are detected through a security engine and/or a cloud security engine. The detection specifically includes:
1. detecting whether the registry is written for automatic loading or modified; a dangerous process further damages the system by changing the registry, so in this embodiment all DLL files that could be started automatically are monitored and specific registry keys are monitored, thereby protecting the registry;
2. detecting whether system files and specified application files are modified, ensuring that files belonging to the operating system of the device to be protected and heavily loaded application files are not tampered with;
3. detecting whether process injection is performed, where process injection means a dangerous process inserting and executing specific code in another process; process injection is classified as a dangerous operation in order to protect security processes;
4. detecting whether a process is terminated; a dangerous process usually terminates the instant messaging process and intercepts the user's information when the user logs in again, so this operation is classified as dangerous to prevent the dangerous process from obtaining user information;
5. detecting whether web page content in the browser is modified; a dangerous process redirects links in a web page to a phishing website by modifying the page, or loads a virus file into the browser, so this operation is classified as dangerous to protect the browser; and recording keyboard operations.
Whether system files and specified application files are modified is judged mainly by detecting the feature level of the file. The feature level here is determined specifically by dividing files according to their MD5 (Message Digest Algorithm 5, the fifth edition of the Message Digest Algorithm) and QVM (Qihoo Support Vector Machine) feature levels.
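As an added illustration of the five detection operations listed above (example code written for this page, not code from the patent or its assignee), the following Python classifies constructed operation log lines into those categories and produces the per-category counts a report entry would carry. The log format, the field names, and the marker sets standing in for "specific registry keys", system files, specified application files and the instant messaging process are all assumptions; the keyboard-recording entry at the end of item 5 is treated as its own category.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample of monitored operations (not from the patent). The format
# is an assumption: "<timestamp> pid=<n> op=<verb> <key>=<value> ..." with no
# spaces inside values.
SAMPLE_LOG = r"""
2024-01-01T10:00:01 pid=300 op=reg_write target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
2024-01-01T10:00:02 pid=300 op=file_write target=C:\Windows\System32\drivers\etc\hosts
2024-01-01T10:00:03 pid=300 op=inject target_pid=200
2024-01-01T10:00:04 pid=300 op=terminate target=chat.exe
2024-01-01T10:00:05 pid=200 op=dom_modify target=https://bank.example/login
2024-01-01T10:00:06 pid=400 op=file_write target=C:\Users\a\Documents\notes.txt
2024-01-01T10:00:07 pid=300 op=keylog target=browser.exe
"""

# Assumed marker sets standing in for "specific registry keys", "system files",
# "specified application files" and "the instant messaging process".
AUTOSTART_KEY_MARKERS = ("\\currentversion\\run",)   # matches Run and RunOnce
SYSTEM_DIRS = ("c:\\windows\\",)
PROTECTED_APP_FILES = {"c:\\program files\\chat\\chat.exe"}
IM_PROCESSES = {"chat.exe", "messenger.exe"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict of its key=value fields plus 'ts'."""
    tokens = line.split()
    event = {"ts": tokens[0]}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        event[key] = value
    return event


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one operation to a dangerous-operation category, or None if benign."""
    op = event.get("op")
    target = event.get("target", "").lower()
    if op == "reg_write" and any(m in target for m in AUTOSTART_KEY_MARKERS):
        return "autostart_registry_write"          # item 1
    if op == "file_write":
        if target.startswith(SYSTEM_DIRS):
            return "system_file_modified"          # item 2
        if target in PROTECTED_APP_FILES:
            return "application_file_modified"     # item 2
        return None
    if op == "inject":
        return "process_injection"                 # item 3
    if op == "terminate" and target in IM_PROCESSES:
        return "im_process_terminated"             # item 4
    if op == "dom_modify":
        return "web_content_modified"              # item 5
    if op == "keylog":
        return "keyboard_recorded"                 # item 5, keyboard recording
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, pid, category) for every dangerous operation found."""
    findings = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        category = classify(event)
        if category is not None:
            findings.append((event["ts"], event.get("pid", "?"), category))
    return findings


def summarize(log_text: str) -> Dict[str, int]:
    """Per-category counts, i.e. the statistics a report entry would carry."""
    return dict(Counter(category for _, _, category in scan(log_text)))


if __name__ == "__main__":
    for ts, pid, category in scan(SAMPLE_LOG):
        print(f"{ts} pid={pid} {category}")
    print(summarize(SAMPLE_LOG))
```

Of the seven constructed lines, six are classified as dangerous; the write to a user document is returned as None and never reaches the report, which is the screening the blacklist and whitelist are meant to provide.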
The start-mode path information of processes is obtained specifically through the calling relationships among processes: the parent-child relationships among processes are recorded to form a process tree (in which the information of each process is recorded), from which the start-mode path information of the different processes is obtained. For example, the start-mode path information of a process is determined from process loading levels such as the creation time of the process, the name of the process and the family relationship information of the process.
Further, in step 202, recording the content that is the same as or similar to the content in the blacklist and whitelist preset on the cloud service specifically means recording web page features that are the same or similar, files that are the same or similar, file features that are similar, and files whose detection result is unknown.
Meanwhile, in step 202, the safety factor rule sets a corresponding level benchmark score and operation benchmark score for the monitored and recorded processes run by the client and files run or downloaded at the client. After the security rating is made by the safety factor rule, it is output as a numerical value and/or a percentage, and the output may take the form of a prompt, a display and/or a pop-up dialog box on the client interface.
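The process tree described above, as an added example that is not part of the patent: constructed process-creation records are indexed by pid, the parent-child relationships are recorded, and the start-mode path of any process is read off as the chain of names from its root ancestor down. The record fields, the sample processes and the handling of a parent that was never recorded are assumptions made for this illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcessRecord:
    """One monitored process-creation record (field layout is an assumption)."""
    pid: int
    ppid: Optional[int]   # None for the root, or a parent pid never recorded
    name: str
    created_at: int       # constructed monotonic timestamp


# Constructed sample records (not from the patent): a browser spawns a
# downloader, which spawns a command shell; one record's parent is unknown.
SAMPLE_PROCESSES = [
    ProcessRecord(1, None, "system", 0),
    ProcessRecord(100, 1, "explorer.exe", 10),
    ProcessRecord(200, 100, "browser.exe", 20),
    ProcessRecord(300, 200, "downloader.exe", 30),
    ProcessRecord(310, 300, "cmd.exe", 35),
    ProcessRecord(400, 100, "office.exe", 40),
    ProcessRecord(500, 999, "orphan.exe", 50),   # parent 999 never recorded
]


class ProcessTree:
    """Process tree built from the parent-child relationships in the records."""

    def __init__(self, records: List[ProcessRecord]) -> None:
        self.by_pid: Dict[int, ProcessRecord] = {r.pid: r for r in records}
        self.children: Dict[int, List[int]] = {r.pid: [] for r in records}
        for r in records:
            if r.ppid is not None and r.ppid in self.by_pid:
                self.children[r.ppid].append(r.pid)

    def start_path(self, pid: int) -> List[str]:
        """Start-mode path: process names from the root ancestor down to pid.

        Walks parent links upward, stops at a process whose parent was never
        recorded, and uses a visited set so that pid reuse in the records
        cannot loop forever."""
        chain: List[str] = []
        seen: Set[int] = set()
        cur = self.by_pid.get(pid)
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            chain.append(cur.name)
            cur = self.by_pid.get(cur.ppid) if cur.ppid is not None else None
        chain.reverse()
        return chain

    def start_path_string(self, pid: int) -> str:
        """The same path in the form a report line would show."""
        return " > ".join(self.start_path(pid))

    def descendants(self, pid: int) -> Set[int]:
        """All pids created, directly or indirectly, by pid (breadth-first)."""
        found: Set[int] = set()
        queue = deque(self.children.get(pid, []))
        while queue:
            child = queue.popleft()
            if child not in found:
                found.add(child)
                queue.extend(self.children.get(child, []))
        return found


if __name__ == "__main__":
    tree = ProcessTree(SAMPLE_PROCESSES)
    for rec in SAMPLE_PROCESSES:
        print(f"{rec.pid:>4}  {tree.start_path_string(rec.pid)}")
```

Given a process flagged by the comparison step, start_path_string supplies the "starting mode path information" for its report entry, and descendants lists every process it went on to create, which is what the analysis unit needs to attribute a chain of dangerous operations to the process that started it.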
EXAMPLE III
The following describes in detail a specific application of the method for generating the log-based security analysis report:
setting: the user A downloads files a (malicious files), b (safe files) and c (unknown files) respectively by accessing websites http:// xxx (suspicious websites), http:// yyy (safe websites) and http:// zzz (safe websites), and it should be noted that the user A does not know the security of the websites and the files.
Firstly, monitoring and recording the process of the client operation of the user A and the files which are operated or downloaded at the client in real time;
and then, synchronizing the recorded process and file to a cloud service, comparing the recorded process and file with a black and white list preset on the cloud service, recording the content which is the same as or similar to the content in the black and white list preset on the cloud service, periodically counting the content, performing security rating on the counted content according to a preset security factor rule, and generating a security analysis report.
The method specifically comprises the following steps:
When user A accesses the website http:// xxx through the client in order to download file a, the browser process run by the client of user A is monitored and recorded in real time, and when user A accesses the website http:// xxx, the corresponding browser process is triggered to record the website http:// xxx.
Then the recorded browser process in the client of user A is compared with the preset black and white list. When the recorded content is identified as the browser process of the client of user A, the starting mode path information of the process corresponding to that browser process (namely the website http:// xxx), the file level loaded by the process, the link code level loaded by the process or the web page features corresponding to the link code are sent to the cloud service server, queried against and compared with the dangerous processes stored on the cloud service server, and the query result is returned: if the website http:// xxx is detected as a suspicious website, a security analysis report is generated and the website is written into it. A corresponding prompt window is also generated on the browser interface to inform user A that the website is suspicious and that continuing to visit it carries a risk.
At this point, by monitoring the download process within the browser process of the client of user A, it is discovered that user A chooses to continue accessing the website http:// xxx and downloads file a; this is recorded, and the feature level (MD5 value) of the recorded file a is sent to the cloud service server to be compared with the MD5 values of dangerous files. The suffix of file a is 'Trojan' and its program code matches malicious software code, that is, file a is a malicious file; file a is therefore deleted directly by the security software and written into the security analysis report. A corresponding prompt window is also generated on the browser interface to inform user A that file a is a malicious file.
Similarly, the browser process run by the client of user A is monitored and recorded in real time, and when user A accesses the website http:// yyy, the corresponding browser process is triggered to record the website http:// yyy. Then the process starting mode of the browser process in the client of user A, the file level loaded by the process, the link code level loaded by the process or the web page features corresponding to the link code are queried against and compared with the preset dangerous processes, and the query shows that the website http:// yyy is a safe website, so user A may access it freely. Such safe operations are recorded but not written into the security analysis report.
At this point, the download process within the browser process of the client of user A is monitored, it is found that user A downloads file b from http:// yyy, this is recorded, and the recorded file b is sent to the cloud service server to be compared with dangerous files. File b is found to be a safe file, so it is only recorded and not written into the security analysis report.
The browser process run by the client of user A is likewise monitored and recorded in real time, and when user A accesses the website http:// zzz, the corresponding browser process is triggered to record the website http:// zzz. Then the process starting mode of the browser process in the client of user A, the file level loaded by the process, the link code level loaded by the process or the web page features corresponding to the link code are queried against and compared with the preset dangerous processes, and the query shows that the website http:// zzz is a safe website, so user A may access it freely. Such safe operations are recorded but not written into the security analysis report.
At this point, by monitoring the download process within the browser process of the client of user A, it is found that file c is downloaded from the website http:// zzz; this is recorded, and the recorded file c is sent to the cloud service server to be compared with dangerous files. File c is an unknown file whose security is difficult to judge, so file c is written into the security analysis report. A corresponding prompt window is also generated on the browser interface to remind user A that the security of file c is unknown. Meanwhile, the subdirectory in which file c is located is scanned in the background, and any dangerous file detected is deleted by the security software.
Therefore, through the above steps, the security analysis report records the number of dangerous processes and the number of dangerous files (including files of unknown security) in the client of user A within a period of time, and thus reflects whether the operating habits of user A are safe.
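As an added illustration of the comparison and reporting flow of Example three (this is editor-supplied example code, not code from the patent or from Qihoo): constructed file contents stand in for files a, b and c, their MD5 digests form the preset black and white list, and the websites are written without the space shown in the extracted text ("http://xxx"). Everything recorded is logged, only suspicious, malicious or unknown entries are written into the report, and the counts of dangerous processes and dangerous files that the text describes are derived from the report.

```python
import hashlib

# Constructed sample data for Example three; none of these bytes or digests
# come from the patent. Names a, b, c and websites xxx, yyy, zzz follow the text.
FILE_CONTENTS = {
    "a": b"constructed sample: malicious file a",
    "b": b"constructed sample: safe file b",
    "c": b"constructed sample: unknown file c",
}


def file_feature(data: bytes) -> str:
    """Feature level of a file as the text describes it: the MD5 of its content."""
    return hashlib.md5(data).hexdigest()


# Preset black and white list (constructed): websites keyed by URL, files by MD5.
URL_BLACKLIST = {"http://xxx"}
URL_WHITELIST = {"http://yyy", "http://zzz"}
FILE_BLACKLIST = {file_feature(FILE_CONTENTS["a"])}
FILE_WHITELIST = {file_feature(FILE_CONTENTS["b"])}


def rate_website(url: str) -> str:
    """Compare a recorded website with the list: suspicious, safe or unknown."""
    if url in URL_BLACKLIST:
        return "suspicious"
    if url in URL_WHITELIST:
        return "safe"
    return "unknown"


def rate_file(digest: str) -> str:
    """Compare a recorded file feature (MD5) with the list: malicious, safe or unknown."""
    if digest in FILE_BLACKLIST:
        return "malicious"
    if digest in FILE_WHITELIST:
        return "safe"
    return "unknown"


# Response the text describes for each verdict; "record only" means logged
# but not written into the security analysis report.
ACTIONS = {
    "suspicious": "prompt: suspicious website, continuing to visit carries a risk",
    "malicious": "deleted by security software",
    "unknown": "prompt: security unknown",
    "safe": "record only",
}


def build_report(events):
    """events are ("visit", url) or ("download", url, name, content) tuples as
    recorded by the monitoring step. Everything is logged; only non-safe entries
    are written into the report, from which the dangerous counts are derived."""
    log, report = [], []
    for event in events:
        if event[0] == "visit":
            _, url = event
            verdict = rate_website(url)
            entry = {"kind": "process", "website": url, "verdict": verdict}
        else:
            _, url, name, content = event
            verdict = rate_file(file_feature(content))
            entry = {"kind": "file", "website": url, "name": name, "verdict": verdict}
        entry["action"] = ACTIONS[verdict]
        log.append(entry)
        if verdict != "safe":
            report.append(entry)
    return {
        "log": log,
        "report": report,
        "dangerous_processes": sum(1 for e in report if e["kind"] == "process"),
        "dangerous_files": sum(1 for e in report if e["kind"] == "file"),
    }


def example_three():
    """The recorded sequence of Example three: a from xxx, b from yyy, c from zzz."""
    events = [
        ("visit", "http://xxx"), ("download", "http://xxx", "a", FILE_CONTENTS["a"]),
        ("visit", "http://yyy"), ("download", "http://yyy", "b", FILE_CONTENTS["b"]),
        ("visit", "http://zzz"), ("download", "http://zzz", "c", FILE_CONTENTS["c"]),
    ]
    return build_report(events)


if __name__ == "__main__":
    result = example_three()
    for entry in result["report"]:
        print(entry)
    print("dangerous processes:", result["dangerous_processes"],
          "dangerous files:", result["dangerous_files"])
```

The safe website visits and the download of file b appear in the log but not in the report, which is exactly the distinction the text draws between "recorded" and "written into the security analysis report".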
In addition, in this embodiment, statistics are performed on the number of files recorded in the security analysis report, that is, the number of files that are the same as or similar to a preset dangerous process or file, and the statistics are output after a security rating according to the safety factor rule.
The safety factor rule is a preset correspondence, derived from historical statistics, between the number of files in the security analysis report that are the same as or similar to a dangerous process or file and the proportion of clients that are infected and damaged.
After the safety rating has been carried out through the safety factor rule, it is output as a numerical value and/or a percentage, and the output may take the form of a prompt, a display and/or a pop-up dialog box on the client interface.
For example, in this embodiment the safety factor rule sets a corresponding level benchmark score and a corresponding operation benchmark score for the monitored and recorded processes run by the client and the files run or downloaded at the client, specifically as follows:
the total score interval is set to 0-10 points (safe files are not included in the score calculation);
the file level detection benchmark score is set as follows: for files, processes and URLs, a Trojan is -10 points, (security) unknown is 5 points, and risk is -8 points;
the user behaviour operation benchmark score is set as follows: the deletion behaviour scores 1.5; the neglect behaviour scores -1.5 when a Trojan is involved, 1 when security unknown is involved, and 1 when risk is involved.
Thus, a safety rating can be performed according to the safety factor rule:
a deletion operation involving a Trojan obtains 10 x 1.5 points, and neglect obtains 10 x (-1.5) points; a deletion operation involving (security) unknown obtains 5 x 1.5 points, and neglect obtains 5 x 1 points; a deletion operation involving risk obtains 8 x 1.5 points, and neglect obtains -8 x 1 points.
Of course, the total score f(x) = ax + f(x-1) may further be calculated over a period of time, and the score of each operation obtained as f(x)/(number of operations) = score.
Note that a score exceeding 10 is taken as 10, and a score lower than 0 is taken as 0.
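The scoring rule above, worked through as added example code (not from the patent): the scores follow the products the text states (10 x 1.5, 10 x (-1.5), 5 x 1.5, 5 x 1, 8 x 1.5, -8 x 1), ax in f(x) = ax + f(x-1) is read as the score of the x-th operation, the clamp to the 0-10 interval is applied to the per-operation score, and a neglected suspicious-website warning is treated as the "risk" case. Those readings, and the mapping of Example three onto these operations, are this editor's assumptions.

```python
# Level magnitudes and operation factors chosen so that the products equal the
# values the text gives: delete -> 15, 7.5, 12; ignore -> -15, 5, -8 for
# Trojan, unknown and risk respectively.
LEVEL_MAGNITUDE = {"trojan": 10, "unknown": 5, "risk": 8}
OPERATION_FACTOR = {
    ("trojan", "delete"): 1.5, ("trojan", "ignore"): -1.5,
    ("unknown", "delete"): 1.5, ("unknown", "ignore"): 1.0,
    ("risk", "delete"): 1.5, ("risk", "ignore"): -1.0,
}
SCORE_MIN, SCORE_MAX = 0.0, 10.0


def operation_score(level, operation):
    """a_x: the score of a single operation. Safe files are excluded from the
    calculation, as the text states, so they yield None."""
    if level == "safe":
        return None
    return LEVEL_MAGNITUDE[level] * OPERATION_FACTOR[(level, operation)]


def clamp(score):
    """Scores above 10 count as 10, scores below 0 count as 0."""
    return max(SCORE_MIN, min(SCORE_MAX, score))


def rate_period(operations):
    """operations: list of (level, operation) recorded over a period.
    f(x) = a_x + f(x-1) is the running total; the per-operation score is
    f(x)/(number of operations); the rating is that value clamped to 0-10."""
    total, count, running = 0.0, 0, []
    for level, operation in operations:
        a_x = operation_score(level, operation)
        if a_x is None:
            continue
        total += a_x
        count += 1
        running.append(total)
    if count == 0:
        # Assumption: the text does not say how a period without rated
        # operations is scored, so no rating is produced.
        return {"total": 0.0, "count": 0, "running": [], "per_operation": None,
                "rating": None, "percentage": None}
    per_operation = total / count
    rating = clamp(per_operation)
    return {"total": total, "count": count, "running": running,
            "per_operation": per_operation, "rating": rating,
            "percentage": rating / SCORE_MAX * 100.0}


def example_three_rating():
    """Example three read as operations (editor's mapping): the suspicious
    website warning for xxx is ignored (risk), Trojan file a is deleted,
    safe file b is not counted, unknown file c is left alone (ignored)."""
    return rate_period([
        ("risk", "ignore"),
        ("trojan", "delete"),
        ("safe", "ignore"),
        ("unknown", "ignore"),
    ])


if __name__ == "__main__":
    r = example_three_rating()
    print("running totals f(x):", r["running"])
    print("per-operation score:", r["per_operation"], "rating:", r["rating"],
          "percentage:", r["percentage"])
```

With this mapping the three rated operations score -8, 15 and 5, giving f(3) = 12 and a per-operation score of 4, which is inside the interval and therefore also the rating; a single Trojan deletion alone would score 15 and be clamped to 10.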
Example four
As shown in fig. 3, a system for generating a log-based security analysis report according to a fourth embodiment of the present invention is coupled to a client, and includes: a monitoring unit 301, an analyzing unit 302, and a reporting unit 303, wherein,
the monitoring unit 301 is coupled to the client and the analysis unit 302, and configured to monitor and record a process executed by the client and a file being executed or downloaded at the client in real time, and send a monitoring result to the analysis unit 302.
The client runs processes specifically related to internet operations (e.g., a browser process, a download process, etc.), so that different processes correspond to different internet addresses. Therefore, the corresponding process and the corresponding file can be obtained simply by recording the internet address corresponding to the process and the path of the downloaded file.
When a user performs internet operations such as accessing a website, clicking a link address or entering information on a website through the client, the corresponding processes in the client are started, so that by monitoring the client in real time the monitoring unit 301 can further monitor the user's operations, and if an internet operation performed by the user carries a risk, the corresponding process can be identified quickly and accurately. Correspondingly, when a download process is triggered, the files involved in the download operation are monitored and recorded.
The analysis unit 302 is coupled to the monitoring unit 301 and the reporting unit 303, and configured to compare the process and the file recorded by the monitoring unit 301 with a preset black and white list, record content that is the same as or similar to the content in the preset black and white list, and send the content to the reporting unit 303;
the reporting unit 303 is coupled to the analyzing unit 302, and configured to periodically perform statistics on the content recorded by the analyzing unit 302, which is the same as or similar to the content in a preset black-and-white list, to generate a security analysis report. The method specifically comprises the following steps: and carrying out statistics periodically, and generating a safety analysis report after carrying out safety rating on the statistics according to a preset safety factor rule.
The analysis unit 302 is further configured to synchronize the process and the file recorded by the monitoring unit 301 to a cloud service, record content that is the same as or similar to a black-and-white list preset on the cloud service after comparing the process and the file with the black-and-white list preset on the cloud service, perform statistics periodically, generate a security analysis report, and feed the security analysis report back to the client.
Wherein the process further comprises: servicing an operating process, starting an operating process, and creating a process.
Wherein the file run or downloaded at the client that is monitored by the monitoring unit 301 further includes:
a file transmitted at the client, a file on a storage device connected to the client, a file received at the client through an instant messaging tool and/or email, and a file downloaded at the client through a download tool; wherein,
the types of the file include an executable file and a non-executable file, the executable file comprising files with the suffix exe, script files, batch files and link files, and the non-executable file being an office file.
In this embodiment, the preset black and white list may be stored in a local (client) or a cloud service server, so that the process run by the client and the file related to the downloading operation process of the client may be compared locally or sent to a cloud service for comparison. Of course, those skilled in the art will understand that the storage location and the comparison manner of the preset black and white list are not to be construed as limiting the present invention.
Wherein the feature level of the file specifically includes the MD5 (Message-Digest Algorithm 5) and QVM (Qihoo Support Vector Machine) feature levels of the file.
The starting mode path information of a process is specifically obtained through the calling relationship between processes, that is, the parent-child relationships among processes are recorded to form a process tree (in which the information of each process is recorded), from which the starting mode path information of the different processes is obtained. For example, the starting mode path information of a process is determined from process loading levels such as the creation time of the process, the name of the process and the family relationship information of the process.
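Building the process tree from parent-child relationships and deriving the starting mode path from it, as added example code (not from the patent): the process records, their names and the argument field that carries the website a browser process was started with are all constructed, and the handling of a parent that was never recorded and of a parent-child cycle caused by pid reuse is an addition the text does not spell out.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessRecord:
    """One recorded process: the information the text says the tree holds
    (creation time, name, family relationship) plus a start argument."""
    pid: int
    ppid: int
    name: str
    create_time: int      # constructed monotonic timestamp
    argument: str = ""    # e.g. the website a browser process was started with


class ProcessTree:
    def __init__(self, records: List[ProcessRecord]):
        self.by_pid: Dict[int, ProcessRecord] = {r.pid: r for r in records}
        self.children: Dict[int, List[int]] = {}
        # Children are kept in creation order so the tree reads chronologically.
        for r in sorted(records, key=lambda rec: rec.create_time):
            self.children.setdefault(r.ppid, []).append(r.pid)

    def lineage(self, pid: int) -> List[ProcessRecord]:
        """Records from the outermost recorded ancestor down to pid. Stops at a
        parent that was not recorded and guards against a cycle, which can appear
        when a pid is reused after its original owner exited."""
        chain, seen = [], set()
        cur = self.by_pid.get(pid)
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            chain.append(cur)
            cur = self.by_pid.get(cur.ppid)
        chain.reverse()
        return chain

    def start_path(self, pid: int) -> str:
        """Starting mode path information: the ancestry chain, with the start
        argument shown in brackets where one was recorded."""
        parts = []
        for rec in self.lineage(pid):
            parts.append(f"{rec.name}[{rec.argument}]" if rec.argument else rec.name)
        return " > ".join(parts)

    def descendants(self, pid: int) -> List[int]:
        """All processes created, directly or indirectly, by pid (breadth first)."""
        out, queue = [], list(self.children.get(pid, []))
        while queue:
            p = queue.pop(0)
            out.append(p)
            queue.extend(self.children.get(p, []))
        return out


# Constructed sample records (not from the patent): a shell starts a browser
# with a website argument, the browser starts a downloader; the shell also
# starts an office program. The shell's own parent (pid 1) was not recorded.
SAMPLE_RECORDS = [
    ProcessRecord(100, 1, "explorer.exe", 10),
    ProcessRecord(200, 100, "browser.exe", 20, "http://xxx"),
    ProcessRecord(300, 200, "downloader.exe", 30),
    ProcessRecord(400, 100, "office.exe", 25),
]


def build_sample_tree() -> ProcessTree:
    return ProcessTree(SAMPLE_RECORDS)


if __name__ == "__main__":
    tree = build_sample_tree()
    print(tree.start_path(300))
    print(tree.descendants(100))
```

For the downloader the path reads "explorer.exe > browser.exe[http://xxx] > downloader.exe", which is the information the text wants alongside the downloaded file: which process chain, started from which website, produced it.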
Further, the reporting unit 303 outputs the value and/or percentage after performing security rating according to the security factor rule, and the output may be performed by prompting, displaying and/or popping up a dialog box on a client interface.
Compared with the prior art, the method and system for generating a log-based security analysis report have the following effects:
1) by generating a security analysis report, the method can record the specific security-relevant operations of the user within a period of time in detail, can warn and prompt the user about operations that carry a security risk, and effectively solves the problem that, when the user ignores a risk early warning and carries out other dangerous operations, the security software neither records them nor repeats the warning and prompt;
2) using cloud security technology, the content recorded in the security analysis report is transmitted to the corresponding server of the cloud security center, which judges its security, so that dangerous processes or files in the security analysis report can be rapidly identified and a corresponding evaluation score is given to the user's operations within the period according to the identification result; the user thus knows intuitively and clearly whether dangerous operations occurred and how many, which improves the user experience.
It is noted that, in the components of the system of the present invention, the components are logically divided according to the functions to be implemented, but the present invention is not limited thereto, and the components may be subdivided or combined as needed, for example, some components may be combined into a single component, or some components may be further decomposed into more sub-components.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in a system according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in some other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate an ordering. These words may be interpreted as names.
The invention discloses a method for generating a safety analysis report based on logs, which comprises the following steps:
monitoring and recording the process of client operation and the files related to the operation or downloading at the client in real time;
and after comparing the recorded process and file with a preset black and white list, recording the content which is the same as or similar to the content in the preset black and white list, and counting to generate a safety analysis report.
A2, the method for generating a log-based security analysis report according to claim A1, wherein, after comparing the recorded processes and files with a preset black and white list, recording the content that is the same as or similar to the content in the preset black and white list, and performing statistics to generate a security analysis report, the method further comprises:
synchronizing the recorded processes and files to a cloud service, comparing them with a black and white list preset on the cloud service, recording the content that is the same as or similar to the content in the black and white list preset on the cloud service, counting the content to generate a security analysis report, and feeding the security analysis report back to the client.
A3, the method for generating a log-based security analysis report according to claim A1, wherein performing statistics to generate a security analysis report further comprises:
counting, and generating a security analysis report after carrying out a security rating on the count according to a preset safety factor rule;
and the safety factor rule sets a corresponding level benchmark score and a corresponding operation benchmark score for the monitored and recorded processes run by the client and the files run or downloaded at the client.
A4, the method for generating a log-based security analysis report according to claim A1, wherein the process further comprises: servicing an operating process, starting an operating process, and creating a process.
A5, the method for generating a log-based security analysis report according to claim A1, wherein the file run or downloaded at the client further comprises:
a file transmitted at the client, a file on a storage device connected to the client, a file received at the client through an instant messaging tool and/or email, and a file downloaded at the client through a download tool; wherein,
the types of the file include an executable file and a non-executable file, the executable file comprising files with the suffix exe, script files, batch files and link files, and the non-executable file being an office file.
A6, the method for generating a log-based security analysis report according to any one of claims A1 or A2, wherein the preset black and white list further comprises a black list and a white list, wherein,
the black list and the white list each comprise: a feature code or feature script in the process, starting mode path information of the process, the dynamic link library level executed when the process is loaded, and the uniform resource locator level or feature information contained in the accessed website.
The invention also discloses a system for generating the log-based security analysis report, which comprises the following components: a monitoring unit, an analysis unit and a reporting unit, wherein,
the monitoring unit is used for monitoring and recording the process of the client operation and the files which are operated or downloaded at the client in real time;
the analysis unit is used for comparing the process and the file recorded by the monitoring unit with a preset black and white list and then recording the same or similar content in the preset black and white list;
and the report unit is used for counting the content which is recorded by the analysis unit and is the same as or similar to the content in a preset black and white list to generate a safety analysis report.
A8, the system for generating a log-based security analysis report according to claim A7, wherein the analysis unit is further configured to synchronize the processes and files recorded by the monitoring unit to a cloud service, compare them with a black and white list preset on the cloud service, record the content that is the same as or similar to the content in the black and white list preset on the cloud service, and perform statistics to generate a security analysis report that is fed back to the client.
A9, the system for generating a log-based security analysis report according to claim A7, wherein the reporting unit is further configured to count the content recorded by the analysis unit that is the same as or similar to the content in a preset black and white list, and to generate the security analysis report after a security rating of the statistics according to a preset safety factor rule; wherein,
the safety factor rule sets a corresponding level benchmark score and a corresponding operation benchmark score for the monitored and recorded processes run by the client and the files run or downloaded at the client.
A10, the system for generating a log-based security analysis report according to claim A7, wherein the process further comprises: servicing an operating process, starting an operating process, and creating a process.
A11, the system for generating a log-based security analysis report according to claim A7, wherein the file run or downloaded at the client that is monitored by the monitoring unit further comprises:
a file transmitted at the client, a file on a storage device connected to the client, a file received at the client through an instant messaging tool and/or email, and a file downloaded at the client through a download tool; wherein,
the types of the file include an executable file and a non-executable file, the executable file comprising files with the suffix exe, script files, batch files and link files, and the non-executable file being an office file.
A12, the system for generating a log-based security analysis report according to any one of claims A7 or A8, wherein the preset black and white list further comprises a black list and a white list, wherein,
the black list and the white list each comprise: a feature code or feature script in the process, starting mode path information of the process, the dynamic link library level executed when the process is loaded, and the uniform resource locator level or feature information contained in the accessed website.

Claims (10)

1. A method of log-based security analytics report generation, comprising:
monitoring and recording the process of client operation and the files related to the operation or downloading at the client in real time;
and after comparing the recorded process and file with a preset black and white list, recording the content which is the same as or similar to the content in the preset black and white list, and counting to generate a safety analysis report.
2. The method of claim 1, wherein comparing the recorded processes and files with a preset black and white list, recording the same or similar contents in the preset black and white list, and performing statistics to generate a security analysis report, further comprising:
and synchronizing the recorded processes and files to a cloud service, comparing the recorded processes and files with a black and white list preset on the cloud service, recording the same or similar content in the black and white list preset on the cloud service, counting the content to generate a security analysis report, and feeding the security analysis report back to the client.
3. The method for log-based security analysis report generation as defined in claim 1, wherein performing statistics to generate the security analysis report further comprises:
counting, and generating a security analysis report after carrying out a security rating on the count according to a preset safety factor rule;
and the safety factor rule sets a corresponding level benchmark score and a corresponding operation benchmark score for the monitored and recorded processes run by the client and the files run or downloaded at the client.
4. The method of log-based security analysis report generation as claimed in claim 1, wherein said process further comprises: servicing an operating process, starting an operating process, and creating a process.
5. The method for log-based security analysis report generation as claimed in claim 1, wherein the file run or downloaded at the client further comprises:
a file transmitted at the client, a file on a storage device connected to the client, a file received at the client through an instant messaging tool and/or email, and a file downloaded at the client through a download tool; wherein,
the types of the file include an executable file and a non-executable file, the executable file comprising files with the suffix exe, script files, batch files and link files, and the non-executable file being an office file.
6. A system for log-based security analytics report generation, comprising: a monitoring unit, an analysis unit and a reporting unit, wherein,
the monitoring unit is used for monitoring and recording the process of the client operation and the files which are operated or downloaded at the client in real time;
the analysis unit is used for comparing the process and the file recorded by the monitoring unit with a preset black and white list and then recording the same or similar content in the preset black and white list;
and the report unit is used for counting the content which is recorded by the analysis unit and is the same as or similar to the content in a preset black and white list to generate a safety analysis report.
7. The system for generating a log-based security analysis report according to claim 6, wherein the analysis unit is further configured to synchronize the processes and files recorded by the monitoring unit to a cloud service, record the same or similar content as the black-and-white list preset on the cloud service after comparing the content with the black-and-white list preset on the cloud service, and perform statistics to generate a security analysis report and feed the security analysis report back to the client.
8. The log-based security analysis report generation system of claim 6, wherein the reporting unit is further configured to count the same or similar contents recorded by the analysis unit in a preset black and white list, and generate a security analysis report after performing security rating on the statistics according to a preset security factor rule; wherein,
and the safety factor rule sets a corresponding level benchmark score and a corresponding operation benchmark score according to the process of monitoring and recording the operation of the client and the files which are operated or downloaded at the client.
9. The log-based security analytics report generating system of claim 6, wherein the process further comprises: servicing an operating process, starting an operating process, and creating a process.
10. The log-based security analysis report generating system of claim 6, wherein the file run or downloaded at the client that is monitored by the monitoring unit further comprises:
a file transmitted at the client, a file on a storage device connected to the client, a file received at the client through an instant messaging tool and/or email, and a file downloaded at the client through a download tool; wherein,
the types of the file include an executable file and a non-executable file, the executable file comprising files with the suffix exe, script files, batch files and link files, and the non-executable file being an office file.
CN201310625938.8A 2013-11-28 2013-11-28 Method and system for generating safety analysis report on basis of logs Pending CN103618626A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310625938.8A CN103618626A (en) 2013-11-28 2013-11-28 Method and system for generating safety analysis report on basis of logs

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310625938.8A CN103618626A (en) 2013-11-28 2013-11-28 Method and system for generating safety analysis report on basis of logs

Publications (1)

Publication Number Publication Date
CN103618626A true CN103618626A (en) 2014-03-05

Family

ID=50169330

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310625938.8A Pending CN103618626A (en) 2013-11-28 2013-11-28 Method and system for generating safety analysis report on basis of logs

Country Status (1)

Country Link
CN (1) CN103618626A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105005735A (en) * 2015-08-25 2015-10-28 广东欧珀移动通信有限公司 Downloading management method and downloading management device
CN105096096A (en) * 2014-04-29 2015-11-25 阿里巴巴集团控股有限公司 Task performance evaluation method and system
CN105653947A (en) * 2014-11-11 2016-06-08 中国移动通信集团公司 Method and device for assessing application data security risk
TWI560569B (en) * 2015-07-23 2016-12-01 Chunghwa Telecom Co Ltd
CN106446685A (en) * 2016-09-30 2017-02-22 北京奇虎科技有限公司 Methods and devices for detecting malicious documents
CN106547581A (en) * 2015-09-22 2017-03-29 中国移动通信集团公司 Control method, device, terminal and platform that a kind of application is installed
CN106657102A (en) * 2016-12-29 2017-05-10 北京奇虎科技有限公司 LAN based threat processing method and device
CN106856477A (en) * 2016-12-29 2017-06-16 北京奇虎科技有限公司 A kind of threat treating method and apparatus based on LAN
CN110659491A (en) * 2019-09-23 2020-01-07 深信服科技股份有限公司 Computer system recovery method, device, equipment and readable storage medium
CN110826068A (en) * 2019-11-01 2020-02-21 海南车智易通信息技术有限公司 Safety detection method and safety detection system
CN114282194A (en) * 2021-12-23 2022-04-05 中国建设银行股份有限公司大连市分行 IT risk monitoring method and device and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1737722A (en) * 2005-08-03 2006-02-22 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
CN101059829A (en) * 2007-05-16 2007-10-24 珠海金山软件股份有限公司 Device and method for automatically analyzing course risk grade
US20100180344A1 (en) * 2009-01-10 2010-07-15 Kaspersky Labs ZAO Systems and Methods For Malware Classification
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102082802A (en) * 2011-03-01 2011-06-01 陈彪 Behavior-based mobile terminal security protection system and method
CN102222192A (en) * 2010-12-24 2011-10-19 卡巴斯基实验室封闭式股份公司 Optimizing anti-malicious software treatment by automatically correcting detection rules
CN102982284A (en) * 2012-11-30 2013-03-20 北京奇虎科技有限公司 Scanning equipment, cloud management equipment and method and system used for malicious program checking and killing
CN103034808A (en) * 2012-11-30 2013-04-10 北京奇虎科技有限公司 Scanning method, equipment and system and cloud management method and equipment
US20130097701A1 (en) * 2011-10-18 2013-04-18 Mcafee, Inc. User behavioral risk assessment
CN103384240A (en) * 2012-12-21 2013-11-06 北京安天电子设备有限公司 P2P active defense method and system

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105096096A (en) * 2014-04-29 2015-11-25 阿里巴巴集团控股有限公司 Task performance evaluation method and system
CN105653947A (en) * 2014-11-11 2016-06-08 中国移动通信集团公司 Method and device for assessing application data security risk
TWI560569B (en) * 2015-07-23 2016-12-01 Chunghwa Telecom Co Ltd
CN105005735B (en) * 2015-08-25 2018-01-16 广东欧珀移动通信有限公司 Downloading management method and download management device
CN105005735A (en) * 2015-08-25 2015-10-28 广东欧珀移动通信有限公司 Downloading management method and downloading management device
CN106547581A (en) * 2015-09-22 2017-03-29 中国移动通信集团公司 Control method, device, terminal and platform that a kind of application is installed
CN106446685A (en) * 2016-09-30 2017-02-22 北京奇虎科技有限公司 Methods and devices for detecting malicious documents
CN106657102A (en) * 2016-12-29 2017-05-10 北京奇虎科技有限公司 LAN based threat processing method and device
CN106856477A (en) * 2016-12-29 2017-06-16 北京奇虎科技有限公司 A kind of threat treating method and apparatus based on LAN
CN106856477B (en) * 2016-12-29 2020-05-19 北京奇虎科技有限公司 Threat processing method and device based on local area network
CN110659491A (en) * 2019-09-23 2020-01-07 深信服科技股份有限公司 Computer system recovery method, device, equipment and readable storage medium
CN110826068A (en) * 2019-11-01 2020-02-21 海南车智易通信息技术有限公司 Safety detection method and safety detection system
CN114282194A (en) * 2021-12-23 2022-04-05 中国建设银行股份有限公司大连市分行 IT risk monitoring method and device and storage medium

Similar Documents

Publication Publication Date Title
US11570211B1 (en) Detection of phishing attacks using similarity analysis
CN103618626A (en) Method and system for generating safety analysis report on basis of logs
US20230269259A1 (en) Automated malware family signature generation
US9268946B2 (en) Quantifying the risks of applications for mobile devices
US9306968B2 (en) Systems and methods for risk rating and pro-actively detecting malicious online ads
CN102982284B (en) For the scanning device of rogue program killing, cloud management equipment and method and system
CN103368957B (en) Method and system that web page access behavior is processed, client, server
US10795991B1 (en) Enterprise search
EP2755157B1 (en) Detecting undesirable content
CN103034808B (en) Scan method, equipment and system and cloud management and equipment
CN103617395A (en) Method, device and system for intercepting advertisement programs based on cloud security
US20180082061A1 (en) Scanning device, cloud management device, method and system for checking and killing malicious programs
WO2015139507A1 (en) Method and apparatus for detecting security of a downloaded file
CN103595774A (en) System application uninstalling method and device with terminal based on server side
CN107979573B (en) Risk information detection method, system and server
CN103793649A (en) Method and device for cloud-based safety scanning of files
CN108768934B (en) Malicious program release detection method, device and medium
CN104239798B (en) Mobile terminal, server end in mobile office system and its virus method and system
CN114465741B (en) Abnormality detection method, abnormality detection device, computer equipment and storage medium
US11632378B2 (en) Detecting safe internet resources
CN113595981A (en) Method and device for detecting threat of uploaded file and computer-readable storage medium
US20230319076A1 (en) Method and system for processing data packages
CN111488580A (en) Potential safety hazard detection method and device, electronic equipment and computer readable medium
CN112528286A (en) Terminal device security detection method, associated device and computer program product
CN106529292A (en) Virus checking and killing method and apparatus

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140305