CN103618626A - Method and system for generating safety analysis report on basis of logs - Google Patents

Abstract

The invention discloses a method and system for generating a log-based security analysis report. The method includes: monitoring and recording the running process of the client and the files involved in the running or downloading of the client in real time; After comparing the above process and files with the preset black and white list, record the same or similar content as the preset black and white list, and make statistics to generate a security analysis report. The invention can record the user's specific operations in a period of time in detail, and can warn and prompt for operations with safety risks, which solves the problem that the security software does not record and repeatedly warns and prompts for dangerous operations such as users ignoring risk warnings; at the same time, through Cloud security technology, which transmits the security analysis report records to the cloud security center to make a judgment on its security, can quickly identify dangerous processes or files in the security analysis report, and give corresponding evaluation scores for operations within a period of time .

Description

A method and system for generating a log-based security analysis report

technical field

The invention relates to the field of system safety analysis reports, in particular to a log-based method and system for generating safety analysis reports.

Background technique

With the rapid development of network technology, the way people obtain information has changed: from traditional books, newspapers, TV, radio, etc., to Internet access. In particular, the Internet transmits and shares rich and comprehensive information such as shopping, entertainment, news, advertisements, chats, etc. Even if people stay at home, they can also learn about the world. As a result, the Internet has become an irreplaceable and important way for people to learn, socialize, and entertain.

At present, because the Internet provides a free and open platform, coupled with the low production cost of Internet-related applications (software) and websites, various websites emerge in an endless stream, and more and more applications are available. mixed. Especially now that online shopping is becoming more and more popular, people use their various bank card information more and more frequently on the Internet, leading criminals to use online shopping Trojans to steal users' bank card information, and online shopping Trojans are updated faster and faster, phishing There are more and more websites, and scams are emerging in an endless stream.

In the prior art, the user is very likely to click into a suspicious website or download a suspicious file due to improper operation, which may cause the client to be infected by malicious software such as an online shopping Trojan horse, causing the user's personal information and property safety to be threatened. At this time, the security software will prompt the user with a risk warning, but if the user ignores the risk warning given to the security software, the security software will no longer prompt, and cannot record the user's security operations, nor can it be based on the severity of the user's security operations. Generate different levels of security behavior warnings. As a result, users ignore the risk warnings of security software for a long time, and security software does not repeatedly warn users of dangerous operations, then the possibility of users being infected by malware will become higher and higher, resulting in the leakage of personal information and property. Loss.

Contents of the invention

To this end, the present invention proposes a new method and system for generating a log-based security analysis report that can solve at least part of the above-mentioned problems.

According to one aspect of the present invention, a method for generating a log-based security analysis report is provided, a method for generating a log-based security analysis report, including:

Real-time monitoring and recording of the process running on the client and the files involved in running or downloading on the client;

After comparing the processes and files recorded above with the preset black and white lists, record the same or similar content as those in the preset black and white lists, and make statistics to generate a security analysis report.

Preferably, after comparing the above-mentioned recorded process and files with the preset black and white list, record the same or similar content as the preset black and white list, and perform statistics to generate a security analysis report, further as follows:

After synchronizing the process and files recorded above to the cloud service, after comparing with the black and white list preset on the cloud service, record the same or similar content as the black and white list preset on the cloud service, and Perform statistics to generate a security analysis report to feed back to the client.

Preferably, performing statistics to generate a security analysis report, further:

Make statistics, and generate a safety analysis report after performing safety ratings on the statistics according to the preset safety factor rules;

The safety factor rule is to set a corresponding level benchmark score and a corresponding operation benchmark score according to the monitoring and recording of the process running on the client and the files involved in running or downloading on the client.

Preferably, the process further includes: a service operation process, a start-up process, and a creation process.

Preferably, the client is running or downloading the files involved, further comprising:

Transmission files on the client, files on the client’s external storage device, files received on the client based on instant messaging tools and/or emails, and files downloaded on the client through downloading tools; ,

The type of described file comprises: executable file and non-executable file, and described executable file comprises: file suffix is called the file of exe, script file, batch processing file and link file; Described non-executable file is office file .

Preferably, it is characterized in that the preset black and white lists further include: a black list and a white list, wherein,

The blacklist and the whitelist respectively include: characteristic codes or characteristic scripts in the process, path information of the starting method of the process, the level of the dynamic link library executed when the process is loaded, and the level of the uniform resource locator contained in the access URL or characteristic information.

According to an aspect of the present invention, a system for generating a log-based security analysis report is also provided, including: a monitoring unit, an analysis unit, and a reporting unit, wherein,

The monitoring unit is used to monitor and record the running process of the client and the files involved in running or downloading on the client in real time;

The analysis unit is configured to compare the process and files recorded by the monitoring unit with the preset black and white lists, and record the same or similar content as those in the preset black and white lists;

The reporting unit is configured to generate a security analysis report by making statistics on the same or similar content recorded by the analysis unit as in the preset black and white list.

Preferably, the analysis unit is further configured to synchronize the process and files recorded by the monitoring unit to the cloud service, and after comparing with the preset black and white lists on the cloud service, the records are compared with those on the cloud service. The same or similar content in the preset black and white lists, and make statistics to generate a security analysis report to feed back to the client.

Preferably, the reporting unit is further configured to perform statistics on the contents recorded by the analysis unit that are the same as or similar to those in the preset black and white lists, and perform safety ratings on the statistics according to the preset safety factor rules Then generate a security analysis report; among them,

The safety factor rule is to set a corresponding level benchmark score and a corresponding operation benchmark score according to the monitoring and recording of the process running on the client and the files involved in running or downloading on the client.

Preferably, the process further includes: a service operation process, a start-up process, and a creation process.

Preferably, the client is running or downloading the files involved in the monitoring unit, further comprising:

Transmission files on the client, files on the client’s external storage device, files received on the client based on instant messaging tools and/or emails, and files downloaded on the client through downloading tools; ,

The type of described file comprises: executable file and non-executable file, and described executable file comprises: file suffix is called the file of exe, script file, batch processing file and link file; Described non-executable file is office file .

Preferably, it is characterized in that the preset black and white lists further include: a black list and a white list, wherein,

The blacklist and the whitelist respectively include: characteristic codes or characteristic scripts in the process, path information of the starting method of the process, the level of the dynamic link library executed when the process is loaded, and the level of the uniform resource locator contained in the access URL or characteristic information.

Compared with the prior art, a method and system for generating a log-based security analysis report according to the present invention achieves the following effects:

1) The present invention adopts the method of generating a security analysis report, which can record in detail the specific security operations of the user within a period of time, and can warn and prompt the user for operations with security risks, effectively solving the problem of dangerous operations such as users ignoring risk warnings , the security software does not record and repeats the warning prompts;

2) The present invention transmits the content recorded in the security analysis report to the server of the corresponding cloud security center through the cloud security technology, and the cloud security center makes a judgment on its security, which can quickly identify dangerous processes or files in the security analysis report , and according to the recognition results, give corresponding evaluation scores to the user's operations within a period of time, so that users can intuitively and clearly understand whether they have dangerous operations and how many dangerous operations, thereby increasing the user experience.

Description of drawings

The accompanying drawings described here are used to provide a further understanding of the present invention, and constitute a part of the present invention. The schematic embodiments of the present invention and their descriptions are used to explain the present invention, and do not constitute improper limitations to the present invention. In the attached picture:

FIG. 1 is a flowchart of a method for generating a log-based security analysis report according to Embodiment 1 of the present invention.

FIG. 2 is a flowchart of a method for generating a log-based security analysis report according to Embodiment 2 of the present invention.

FIG. 3 is a structural block diagram of a system for generating a log-based security analysis report according to Embodiment 4 of the present invention.

Detailed ways

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present disclosure, and to fully convey the scope of the present disclosure to those skilled in the art.

Embodiments of the invention may be applied to computer systems/servers that are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with computer systems/servers include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, Microprocessor systems, set-top boxes, programmable consumer electronics, network personal computers, small computer systems, large computer systems, and distributed cloud computing technology environments including the above systems, etc.

Computer systems/servers may be described in the general context of computer system-executable instructions, such as program modules, being executed by the computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc., that perform particular tasks or implement particular abstract data types. The computer system/server can be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computing system storage media including storage devices.

In order to adapt to the update speed of malicious programs and quickly identify and kill malicious programs, current security protection software increasingly uses cloud security technology to intercept malicious programs. The so-called cloud security technology is to transmit the characteristics of suspicious files on the client side to the server of the cloud security center, and the cloud security center makes a judgment on its security, and then the client security software reports and monitors the Trojan horse according to the information sent back by the cloud security center. deal with. A cloud fabric is a large client/server (CS) architecture. The core idea of the present invention is to collect the behaviors of various programs (it can be a single behavior or a combination of a group of behaviors) through a large number of client computers, especially the behaviors of suspicious programs, and associate the behaviors of the programs with the characteristics of the programs , while the characteristics of a program and its corresponding behavior records can be recorded in the server-side database. In this way, on the server side, it can be summarized and analyzed in the database according to the program behavior or program characteristics or a group of program behavior and program characteristics, thus helping to classify software or programs into black and white. Further, it is also possible to formulate corresponding removal or recovery measures for the malicious software in the blacklist. The program behavior may be, for example, a driver loading behavior, a file generation behavior, a program or code loading behavior, a system startup item addition behavior, or a file or program modification behavior, etc., or a combination of a series of behaviors. The program feature can be MD5 verification code obtained through MD5 (Message-Digest Algorithm5, information-digest algorithm), or SHA1 code, or CRC (Cyclic Redundancy Check, cyclic redundancy check) code, etc., which can uniquely identify the original program Signature codes, etc.

The present invention will be described in further detail below in conjunction with the accompanying drawings, but it is not intended to limit the present invention.

Embodiment one

As shown in FIG. 1 , it is a method flow for generating a log-based security analysis report according to Embodiment 1 of the present invention, including:

Step 101 , monitor and record the running process of the client and the files involved in running or downloading on the client in real time.

Step 102, after comparing the above recorded process and files with the preset black and white lists, record the same or similar content as those in the preset black and white lists, and make statistics to generate a security analysis report.

Wherein, the process further includes: a service operation process, a start-up process, and a creation process.

Here, the service operation process may be background operation process information corresponding to content such as desktop information and “My Documents” information seen by the user through the display interface.

Here, the starting and running process may be the process information formed by the corresponding combination of codes or scripts executed by programs or modules executed after the client is started.

The process created here may be process information created by a third-party device that runs after the client starts and resides on the local client.

Where the client is running or downloading the files involved, further includes:

Transmission files on the client (IM (Instant Messenger, instant messaging) files), files on the client’s external storage device, files received on the client based on instant messaging tools and/or emails, and files on the client The file downloaded by the client through the download tool; among them,

The type of the file includes: an executable file (PE, Portable Execute) and a non-executable file, and the executable file includes: a file with a file extension of exe, a script file, a batch file and a link file; the non-executable file Executable files are files such as office files (such as: office files), and other types of files may also be included here, which is not specifically limited.

In step 102, after comparing the process and files of the above-mentioned records with the preset black and white lists, record the same or similar content as the preset black and white lists, and perform statistics to generate a security analysis report, further as follows:

After synchronizing the process and files recorded above to the cloud service, after comparing with the black and white list preset on the cloud service, record the same or similar content as the black and white list preset on the cloud service, and Regularly (the time period can be set by the user, such as one week, one month or a specific time interval, which is not specifically limited here), statistics are generated to generate a security analysis report and fed back to the client.

In addition, the blacklist and whitelist preset in step 102 further include: blacklist and whitelist, wherein,

The blacklist and whitelist respectively include: characteristic codes or characteristic scripts in the process, path information of the starting method of the process, the level of the dynamic link library (DLL, Dynamic LinkLibrary) executed when the process is loaded, and the URL contained in the access URL. Uniform Resource Locator (Uniform ResourceLocator, URL) level or characteristic information.

In addition, the preset black and white list may also include: suspicious files or processes, unknown files or processes.

Wherein, the file on the external storage device of the client is obtained by initiating a query operation connected to the current device through the application program interface API function of the operating system through the location information of the file in the external storage device.

For the technical solution of the present invention, in actual situations, some malicious programs package files such as CMD, or bat files, or shortcuts in a compressed package, or transfer a single file (pif), icon , may be an application file, or VBS (a script file), create a folder and place a folder configuration file (desktop.ini), use scheduled tasks, or use simulated mouse clicks, etc., or even online shopping Trojans, etc. A compressed package will be sent, and then decompressed to the client desktop. If the user actively clicks or accidentally double-clicks to start, the files contained in the compressed package will be dangerous. Therefore, in the solution of the present invention, it is necessary to set up a black and white list as described above to screen the contents of the monitoring records of the client, so as to discover the above dangers and effectively avoid problems.

When a user accesses a website, clicks on a link address, or enters information on a website through the client, the corresponding service operation process in the client, the process initiated by the user, and the process created by the third-party program will all be involved. Therefore, through the real-time monitoring of the client, the user's operation can be further monitored, and if the user's Internet operation behavior is risky, it can be quickly and accurately known through the corresponding process.

In addition to the above-mentioned records, in this embodiment, step 101 also includes real-time monitoring and recording of the compressed package file (including the download source of the compressed package, the storage path of the compressed package, the characteristic identification of the compressed package, etc.), which is Because: some malicious software will have a Trojan horse (or malicious program) CMD file (command prompt file), batch file, shortcut file, program information file, icon, application file, VBS (a script file) or The shortcut is compressed to generate a compressed file (a folder can also be generated and a folder configuration file named "desktop.ini" is placed), which is transmitted and subsequently decompressed to the client, thereby infecting the client.

In addition, in step 102, statistics are regularly performed to generate a security analysis report, which is further:

Statistics are carried out regularly, and a safety analysis report is generated after performing safety ratings on the statistics according to the preset safety factor rules (the safety factor rules will be further explained in the following embodiment three).

Among them, in practical applications, the process or file for recording is stored in a local database (it can be an in-memory database, a cache database, etc., which is not limited here), and for files: in addition to recording all devices to be protected in the database ( For example: In addition to the files downloaded in the client), some special files (such as: files contained in the compressed package) are also recorded. When the compressed package is decompressed, the decompression path and temporary decompression path of the compressed package are recorded. For the process: in addition to recording the service operation process, the process started by the user and the process created by the third-party program, the database also records a process tree representing the parent-child relationship between the processes. Or, directly upload the recorded process or file to the cloud service (cloud) according to the aforementioned method.

Embodiment two

As shown in FIG. 2 , it is a method flow for generating a log-based security analysis report according to Embodiment 2 of the present invention, including:

Step 201 , monitor and record the running process of the client and the files involved in running or downloading on the client in real time.

Step 202: Synchronize the process and files recorded above to the cloud service, and after comparing with the black and white lists preset on the cloud service, record the same or similar content, and regularly make statistics, and generate a safety analysis report after performing safety ratings on the statistics according to the preset safety factor rules.

Wherein, the specific way of comparing in step 202 can be to carry out the detection and comparison of the black and white list mode through the local security rules:

If the signature of the unknown program downloaded by user A is the same as or similar to the signature of the known program in the existing black/white list, the unknown program signature and its program behavior are both included in the black/white list.

Of course, as a preferred method, the preset black and white list can also be stored in the cloud service server, and the recorded process of the client running and the files involved in the download operation process are sent to the cloud service for comparison, That is, cloud query, as described in step 202.

The preset black and white lists further include: black list and white list, among which,

The blacklist and the whitelist respectively include: characteristic codes or characteristic scripts in the process, path information of the starting method of the process, the level of the dynamic link library executed when the process is loaded, and the level of the uniform resource locator contained in the access URL or characteristic information. Can also include: Suspicious files or processes, Unknown files or processes.

It should be noted that when performing a service (also called a cloud query), it is necessary to perform an operation (specifically, a query) according to the corresponding cloud rules. The cloud rules are aimed at the files and processes, including: file names, File size, file feature information, file icon information, product name, internal name, original file name, process command line, process path, parent process path, etc. are compared with the preset content to search. Of course, other processes or files can also be compared in other ways, which does not constitute a limitation to the present application.

For example: when a process performs a dangerous operation, the DLL (DynamicLink Library, dynamic link library) file corresponding to the recorded process will be detected by the security engine and/or the cloud security engine. The detection operations specifically include:

1, detect whether to write into the registry and carry out automatic loading and modify the registry, the dangerous process further causes the damage of the registry by changing the registry, therefore, in the present embodiment, all DLL files that may start automatically are monitored, and To monitor a specific registry, thereby realizing the protection of the registry;

2. Detect whether to modify the system files and modify the specified application files to ensure that the operating system-related files of the device to be protected are not tampered with, and some application files with relatively large loads are not tampered with;

3. Detect whether process injection is performed. Said process injection means that a dangerous process inserts and executes specific code in another process, and protects the safe process by listing the process injection operation as a dangerous operation;

4. Check whether the process is terminated. Dangerous processes usually end the instant messaging process and intercept user information by re-login. Therefore, by listing this operation as a dangerous operation, the dangerous process is prevented from obtaining user information;

5. Detect whether to modify the content of the webpage in the browser. The dangerous process will point the link in the webpage to the phishing website by modifying the webpage, or load the virus file into the browser, and protect the browser by listing this operation as a dangerous operation; and Record keystrokes.

Among them, the detection of whether to modify the system file and the modification of the specified application file is mainly judged by detecting the characteristic level of the file. The feature levels here are specifically divided according to: MD5 (Message Digest Algorithm5, the fifth edition of the message digest algorithm) and qvm (Qihoo Support Vector Machine, Qihoo Support Vector Machine) feature levels of the file.

The starting mode path information of the process is specifically obtained through the call relationship of the process, that is, by recording the parent-child relationship between the processes to form a process tree (the information of each process is recorded in the process tree), thereby obtaining The path information of the startup method of different processes. For example, the startup mode path information of the process is determined through the process loading level such as the creation time of the process, the process name, and the process family relationship information.

Further in step 202, record the same or similar content as in the blacklist and blacklist preset on the cloud service, specifically, record the same webpage features and similar webpages as those in the blacklist and whitelist preset on the cloud service signatures, identical files, similar files or file characteristics, and files whose detection results are unknown.

At the same time, in step 202, the safety factor rule is to set the corresponding level reference score and the corresponding operation reference score according to the monitoring and recording of the client running process and the files involved in the client running or downloading . After the safety rating is performed through the safety factor rules, it will be output in the form of numerical value and/or percentage, and the output can be in the form of prompting, displaying and/or popping up a dialog box on the client interface.

Embodiment Three

The specific application of the method for generating the log-based security analysis report is described in detail below:

Setting: User A downloads file a (malicious file) and file b (safe file) by visiting URLs http://xxx (suspicious website), http://yyy (safe website) and http://zzz (safe website) respectively. ) and c (unknown file), it should be noted that user A does not know the security of the above-mentioned website and file.

First, real-time monitoring and recording of the running process of user A's client and the files involved in running or downloading on the client;

Afterwards, the above-mentioned recorded process and files are synchronized to the cloud service, and after comparing with the preset black and white list on the cloud service, record the same or similar content as the preset black and white list on the cloud service , and make statistics on a regular basis, and generate a safety analysis report after performing safety ratings on the statistics according to the preset safety factor rules.

Specifically:

When user A visits the URL http://xxx to download file a through the client, the browser process running on user A's client is monitored and recorded in real time. When user A visits, the corresponding browser process is triggered, and the URL http://xxx is downloaded. ://xxx for recording.

Then, compare the recorded browser process in the client of user A with the preset black and white lists. When it is identified that the recorded content is the browser process of user A's client, the browser process (ie URL http://xxx) corresponds to the starting method path information of the process, the corresponding file level when the process is loaded, The link code level loaded by the process or the web page feature corresponding to the link code is sent to the cloud service server, compared with the dangerous process stored in the cloud service server, and the query result is returned: URL http://xxx is detected as suspicious website, a security analysis report is generated, and the URL is written into the security analysis report. And a corresponding prompt window is generated on the browser interface, prompting user A that the website is a suspicious website, and it is risky to continue to visit.

At this time, by monitoring the download process in the browser process of the user A client, it is found that user A chooses to continue to visit the website http://xxx, and downloads file a, then records it, and records the feature level corresponding to file a ( MD5 value) sent to the cloud service server and compared with the MD5 value of the dangerous file, it is found that the suffix of file a is "Trojan" and the program code of file a is consistent with malware code, that is, file a is a malicious file. Delete through security software, and write file a into the security analysis report. A corresponding prompt window is generated on the browser interface to prompt user A that the file a is a malicious file.

Similarly, the browser process run by the client of user A is monitored and recorded in real time. When user A visits the website http://yyy, a corresponding browser process is triggered to record the website http://yyy. Then query and compare the process startup mode of the browser process in user A's client, the corresponding file level when the process is loaded, the link code level loaded by the process, or the web page features corresponding to the link code with the preset dangerous process , it is found that the URL http://yyy is a secure website, and user A can freely access the URL. Such security operations are recorded but not written into the security analysis report.

At this time, by monitoring the download process in the browser process of user A's client, it is found that user A has downloaded file b from the website http://yyy, records it, and sends the recorded file b to the cloud service server to compare with the dangerous file. After comparison, it is found that file b is a safe file, so only the file b is recorded, but the safety analysis report is not written.

Monitor and record the browser process running on user A's client in real time. When user A visits the website http://zzz, the corresponding browser process is triggered and the website http://zzz is recorded. Then query and compare the process startup mode of the browser process in user A's client, the corresponding file level when the process is loaded, the link code level loaded by the process, or the web page features corresponding to the link code with the preset dangerous process , it is found that the website http://zzz is a secure website, and user A can freely access the website. Such security operations are recorded but not written into the security analysis report.

At this time, by monitoring the download process in the browser process of user A's client, it is found that user A has downloaded file c from the website http://zzz, records it, and sends the recorded file c to the cloud service server to compare with the dangerous file. After the comparison, the file c is an unknown file, and it is difficult to judge the security of the file c, so the file c is written into the security analysis report. And a corresponding prompt window is generated on the browser interface to remind the user A that the security of the file c is unknown. At the same time, the subdirectory where the file c is located is scanned in the background, and dangerous files are detected to be deleted through security software.

Therefore, through the above steps, the security analysis report records the number of dangerous processes and dangerous files (including files with unknown security) in user A's client within a period of time, further reflecting whether user A's operating habits are safe .

In addition, in this embodiment, according to the statistics of the number of files that are the same as or similar to the preset dangerous processes or files recorded in the safety analysis report, and after the safety rating is performed on the statistics according to the safety factor rule output.

The safety factor rule is a relationship between the number of files that are the same as or similar to dangerous processes or files in the security analysis report that is preset and based on historical statistics, and the ratio of the infection damage to the client.

After the safety rating is performed through the safety factor rules, it will be output in the form of numerical value and/or percentage, and the output can be in the form of prompting, displaying and/or popping up a dialog box on the client interface.

For example: in this embodiment, for the safety factor rule:

The safety factor rule is to set a corresponding level benchmark score and a corresponding operation benchmark score according to the monitoring and recording of the process running on the client and the files involved in running or downloading on the client. Specifically:

Set the overall score range as 0-10 points (security documents are not included in the score calculation);

Set the file level detection benchmark score: for files, processes and URLs, -10 points for Trojan horses, 5 points for unknown (security), and -8 points for risk;

Set benchmark scores for user behavior operations: the score for deleting behavior is 1.5 points; the score for ignoring behaviors is: -1.5 points for Trojan horses, 1 point for unknown (safety) and 1 point for risks.

Thus, according to the safety factor rules, a safety rating can be performed:

Deletion operations involving Trojan horses can get 10*1.5 points, if ignored, 10*(-1.5) points; deletion operations involving (security) unknowns can get 5*1.5 points, if ignored, 5*1 points; 8*1.5 points will be awarded for the deletion operation of the risk, and -8*1 points if ignored.

Of course, it is also possible to further obtain the score of each operation by calculating the total score f(x)=ax+f(x-1) within a period of time, that is, f(x)/(number of operations)=score.

It should be noted that, those whose scores exceed 10 points are recorded as 10 points, and those whose points are lower than 0 points are recorded as 0 points.

Embodiment four

As shown in FIG. 3 , it is a system for generating a log-based security analysis report according to Embodiment 4 of the present invention, which is coupled with a client and includes: a monitoring unit 301, an analysis unit 302, and a reporting unit 303, wherein,

The monitoring unit 301, coupled with the client and the analysis unit 302, is used for real-time monitoring and recording of the running process of the client and the files involved in running or downloading at the client, and sending the monitoring results to the The above analysis unit 302.

The processes run by the client are specifically processes related to Internet operations (such as browser processes and download processes, etc.), so that different processes correspond to different Internet addresses. Therefore, only need to record the Internet address corresponding to the corresponding process and the path of the downloaded file, the corresponding process and file can be obtained.

When the user performs Internet operations such as website access, clicking on link addresses, and inputting information on the website through the client, the corresponding process in the client will be started. Therefore, the monitoring unit 301 performs real-time monitoring of the client. Monitoring can further monitor the user's operations. If the user's Internet operation behavior is risky, it can be quickly and accurately known through the corresponding process. Correspondingly, when a download process is triggered, the files involved in the download operation process are monitored and recorded.

The analysis unit 302 is coupled with the monitoring unit 301 and the reporting unit 303, and is used to compare the process and files recorded by the monitoring unit 301 with the preset black and white lists, and record and preset The same or similar content in the black and white list, and send it to the reporting unit 303;

The reporting unit 303 is coupled with the analyzing unit 302, and is used for periodically making statistics on the contents recorded by the analyzing unit 302 that are the same as or similar to those in the preset blacklist and whitelist, and generating a security analysis report. The specific steps are: to conduct statistics regularly, and to generate a safety analysis report after performing safety rating on the statistics according to the preset safety factor rules.

Wherein the analysis unit 302 is further used to synchronize the process and files recorded by the monitoring unit 301 to the cloud service, and after comparing with the preset black and white lists on the cloud service, the records are compared with those on the cloud service. The same or similar content in the pre-set black and white lists, and regularly conduct statistics to generate security analysis reports to feed back to the client.

The process further includes: a service operation process, a start-up process, and a creation process.

Wherein, in the monitoring unit 301, the client is running or downloading the involved files, further comprising:

Transmission files on the client, files on the client’s external storage device, files received on the client based on instant messaging tools and/or emails, and files downloaded on the client through downloading tools; ,

The type of described file comprises: executable file and non-executable file, and described executable file comprises: file suffix is called the file of exe, script file, batch processing file and link file; Described non-executable file is office file .

In this embodiment, the preset black and white lists can be stored locally (client) or in a cloud service server, so that the process running on the client and the download operation process of the client are involved Files can be compared locally or sent to cloud services for comparison. Of course, those skilled in the art can understand that the storage location and comparison method of the preset blacklist and whitelist do not constitute a limitation of the present invention.

Wherein, the feature level of the file specifically includes: MD5 (Message Digest Algorithm5, message digest algorithm fifth edition) and qvm (Qihoo Support Vector Machine, Qihoo Support Vector Machine) feature level of the file.

The starting mode path information of the process is specifically obtained through the call relationship of the process, that is, by recording the parent-child relationship between the processes to form a process tree (the information of each process is recorded in the process tree), thereby obtaining The path information of the startup method of different processes. For example, the startup mode path information of the process is determined through the process loading level such as the creation time of the process, the process name, and the process family relationship information.

Further, the reporting unit 303 will output the safety rating in the form of numerical values and/or percentages after passing the safety factor rules, and the output can be in the form of prompting, displaying and/or popping up dialog boxes on the client interface .

Compared with the prior art, a method and system for generating a log-based security analysis report according to the present invention achieves the following effects:

1) The present invention adopts the method of generating a security analysis report, which can record in detail the specific security operations of the user within a period of time, and can warn and prompt the user for operations with security risks, effectively solving the problem of dangerous operations such as users ignoring risk warnings , the security software does not record and repeats the warning prompts;

2) The present invention transmits the content recorded in the security analysis report to the server of the corresponding cloud security center through the cloud security technology, and the cloud security center makes a judgment on its security, which can quickly identify dangerous processes or files in the security analysis report , and according to the recognition results, give corresponding evaluation scores to the user's operations within a period of time, so that users can intuitively and clearly understand whether they have dangerous operations and how many dangerous operations, thereby increasing the user experience.

It should be noted that among the various components of the system of the present invention, the components are logically divided according to the functions to be realized, but the present invention is not limited thereto, and each component can be re-divided as required Or combined, for example, some components can be combined into a single component, or some components can be further broken down into more subcomponents.

The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all functions of some or all components in the system according to the embodiments of the present invention. The present invention can also be implemented as an apparatus or an apparatus program (for example, a computer program and a computer program product) for performing a part or all of the methods described herein. Such a program for realizing the present invention may be stored on a computer-readable medium, or may be in the form of one or more signals. Such a signal may be downloaded from an Internet site, or provided on a carrier signal, or otherwise provided.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, and third, etc. does not indicate an order. These words can be interpreted as names.

The invention discloses A1 a method for generating a log-based security analysis report, comprising:

Real-time monitoring and recording of the process running on the client and the files involved in running or downloading on the client;

After comparing the processes and files recorded above with the preset black and white lists, record the same or similar content as those in the preset black and white lists, and make statistics to generate a security analysis report.

A2. The method for generating a log-based security analysis report as claimed in claim A1, wherein, after comparing the processes and files of the above-mentioned records with the preset black and white lists, the records are compared with the preset black and white lists. The same or similar content, and make statistics to generate a safety analysis report, further:

After synchronizing the process and files recorded above to the cloud service, after comparing with the black and white list preset on the cloud service, record the same or similar content as the black and white list preset on the cloud service, and Perform statistics to generate a security analysis report to feed back to the client.

A3, the method that the security analysis report based on log as claimed in claim A1 generates, is characterized in that, performing statistics to generate security analysis report, further is:

Make statistics, and generate a safety analysis report after performing safety ratings on the statistics according to the preset safety factor rules;

The safety factor rule is to set a corresponding level benchmark score and a corresponding operation benchmark score according to the monitoring and recording of the process running on the client and the files involved in running or downloading on the client.

A4. The method for generating a log-based security analysis report according to claim A1, wherein the process further comprises: a service operation process, a start-up process, and a creation process.

A5, the method that the security analysis report based on log as claimed in claim A1 generates, is characterized in that, in this client is running or downloads involved file, further comprises:

Transmission files on the client, files on the client’s external storage device, files received on the client based on instant messaging tools and/or emails, and files downloaded on the client through downloading tools; ,

The type of described file comprises: executable file and non-executable file, and described executable file comprises: file suffix is called the file of exe, script file, batch processing file and link file; Described non-executable file is office file .

A6. The method for generating a log-based security analysis report according to any one of claims A1 or A2, wherein the preset black and white lists further include: a black list and a white list, wherein,

The blacklist and the whitelist respectively include: characteristic codes or characteristic scripts in the process, path information of the starting method of the process, the level of the dynamic link library executed when the process is loaded, and the level of the uniform resource locator contained in the access URL or feature information.

The present invention also discloses A7 a system for generating safety analysis reports based on logs, including: a monitoring unit, an analysis unit and a reporting unit, wherein,

The monitoring unit is used to monitor and record the running process of the client and the files involved in running or downloading on the client in real time;

The analysis unit is configured to compare the process and files recorded by the monitoring unit with the preset black and white lists, and record the same or similar content as those in the preset black and white lists;

The reporting unit is configured to generate a security analysis report by making statistics on the same or similar content recorded by the analysis unit as in the preset black and white list.

A8. The system for generating a log-based security analysis report as claimed in claim A7, wherein the analysis unit is further configured to synchronize the process and files recorded by the monitoring unit to cloud services, by communicating with After comparing the black and white lists preset on the cloud service, record the same or similar content as the black and white lists preset on the cloud service, and make statistics to generate a security analysis report to feed back to the client.

A9. The system for generating a log-based security analysis report according to claim A7, wherein the report unit is further used to record the same or similar items in the preset black and white lists recorded by the analysis unit. Content, make statistics, and generate a safety analysis report after performing safety ratings on the statistics according to the preset safety factor rules; among them,

The safety factor rule is to set a corresponding level benchmark score and a corresponding operation benchmark score according to the monitoring and recording of the process running on the client and the files involved in running or downloading on the client.

A10. The system for generating a log-based security analysis report according to claim A7, wherein the process further includes: a service operation process, a start-up operation process, and a creation process.

A11, the system that the safety analysis report based on log as claimed in claim A7 generates, is characterized in that, in described monitoring unit, the file involved in this client is running or downloading, further comprises:

Transmission files on the client, files on the client’s external storage device, files received on the client based on instant messaging tools and/or emails, and files downloaded on the client through downloading tools; ,

The type of described file comprises: executable file and non-executable file, and described executable file comprises: file suffix is called the file of exe, script file, batch processing file and link file; Described non-executable file is office file .

A12. The system for generating a log-based security analysis report as claimed in any one of claims A7 or A8, wherein the preset black and white lists further include: a black list and a white list, wherein,

The blacklist and the whitelist respectively include: characteristic codes or characteristic scripts in the process, path information of the starting method of the process, the level of the dynamic link library executed when the process is loaded, and the level of the uniform resource locator contained in the access URL or characteristic information.

Claims (10)

1. A method for generating a log-based security analysis report, comprising: Real-time monitoring and recording of the process running on the client and the files involved in running or downloading on the client; After comparing the processes and files recorded above with the preset black and white lists, record the same or similar content as those in the preset black and white lists, and make statistics to generate a security analysis report. 2. the method for generating based on the security analysis report of log as claimed in claim 1, is characterized in that, after the described process of above-mentioned record and file and preset black and white list are compared, record and preset black and white list The same or similar content, and make statistics to generate a safety analysis report, further: After synchronizing the process and files recorded above to the cloud service, after comparing with the black and white list preset on the cloud service, record the same or similar content as the black and white list preset on the cloud service, and Perform statistics to generate a security analysis report to feed back to the client. 3. the method that the security analysis report based on log as claimed in claim 1 generates, is characterized in that, carries out statistical generation security analysis report, is further: Make statistics, and generate a safety analysis report after performing safety ratings on the statistics according to the preset safety factor rules; The safety factor rule is to set a corresponding level benchmark score and a corresponding operation benchmark score according to the monitoring and recording of the process running on the client and the files involved in running or downloading on the client. 4. The method for generating a log-based security analysis report according to claim 1, wherein the process further comprises: a service operation process, a start-up process, and a creation process. 5. the method that the safety analysis report based on log as claimed in claim 1 generates, is characterized in that, in this client is running or downloads involved file, further comprises: Transmission files on the client, files on the client’s external storage device, files received on the client based on instant messaging tools and/or emails, and files downloaded on the client through downloading tools; , The type of described file comprises: executable file and non-executable file, and described executable file comprises: file suffix is called the file of exe, script file, batch processing file and link file; Described non-executable file is office file . 6. A system for generating a log-based security analysis report, comprising: a monitoring unit, an analysis unit, and a reporting unit, wherein, The monitoring unit is used to monitor and record the running process of the client and the files involved in running or downloading on the client in real time; The analysis unit is configured to compare the process and files recorded by the monitoring unit with the preset black and white lists, and record the same or similar content as those in the preset black and white lists; The reporting unit is configured to generate a security analysis report by making statistics on the same or similar content recorded by the analysis unit as in the preset black and white list. 7. The system for generating a log-based security analysis report as claimed in claim 6, wherein the analysis unit is further configured to synchronize the process and files recorded by the monitoring unit to cloud services, by communicating with After comparing the black and white lists preset on the cloud service, record the same or similar content as the black and white lists preset on the cloud service, and make statistics to generate a security analysis report to feed back to the client. 8. The system for generating a log-based security analysis report as claimed in claim 6, wherein the report unit is further used to record the same or similar items in the preset black and white lists recorded by the analysis unit. Content, make statistics, and generate a safety analysis report after performing safety ratings on the statistics according to the preset safety factor rules; among them, The safety factor rule is to set a corresponding level benchmark score and a corresponding operation benchmark score according to the monitoring and recording of the process running on the client and the files involved in running or downloading on the client. 9. The system for generating a log-based security analysis report according to claim 6, wherein the process further comprises: a service operation process, a start-up process and a creation process. 10. the system that the safety analysis report based on log as claimed in claim 6 generates, is characterized in that, in described monitoring unit, is running or downloads involved file in this client, further comprises: Transmission files on the client, files on the client’s external storage device, files received on the client based on instant messaging tools and/or emails, and files downloaded on the client through downloading tools; , The type of described file comprises: executable file and non-executable file, and described executable file comprises: file suffix is called the file of exe, script file, batch processing file and link file; Described non-executable file is office file .

Images