CN103824017A - Method and platform for monitoring rogue programs - Google Patents

Publication number: CN103824017A
Application number: CN201210466934.5A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 庾洋, 周吉文
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201210466934.5A
Publication of CN103824017A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

An embodiment of the invention discloses a method and a platform for monitoring rogue programs. The method includes: receiving monitoring information about a suspected virus file reported by hosts, where the suspected virus file is installed, stored or run on those hosts and the monitoring information includes a timestamp, a host identifier and an identifier of the suspected virus file; counting the number of hosts that reported monitoring information about the suspected virus file within a first time period; and issuing warning information about an outbreak of the suspected virus file if the counted number of hosts exceeds a first threshold. The embodiments of the method and the platform improve the ability to give early warning of computer virus outbreaks.

Description

Method and monitoring platform for monitoring malicious programs
Technical field
The present invention relates to the field of network technology, and in particular to a method and a monitoring platform for monitoring malicious programs.
Background
Computer viruses are not only destructive in themselves; more harmfully, they are infectious. Once a virus is replicated or mutates, it usually spreads so fast that it is hard to prevent. A virus may stop normal programs on an infected computer system from running, consume large amounts of system resources, or cause files to be deleted or damaged to varying degrees.
At present, in computer systems such as cloud computing systems, open-source software tools are normally used to monitor the virtual infrastructure and to automatically discover, monitor and manage software services. In practice, the prior art has at least the following technical problem: existing monitoring techniques are mostly aimed at monitoring performance or software, and monitoring of virus outbreak situations cannot yet be achieved, which makes effective prevention of computer viruses difficult.
Summary of the invention
The embodiments of the present invention provide a method and a monitoring platform for monitoring malicious programs, so as to improve the ability to give early warning of computer virus outbreaks.
In one aspect, an embodiment of the present invention provides a method for monitoring malicious programs, which may comprise:
receiving monitoring information about a suspected virus file reported by a host, where the host has installed, stored or run the suspected virus file, and the monitoring information comprises a timestamp, a host identifier and an identifier of the suspected virus file;
counting the number of hosts that reported monitoring information about the suspected virus file within a first period;
if the counted number of hosts exceeds a first threshold, issuing warning information about an outbreak of the suspected virus file.
In another aspect, an embodiment of the present invention provides a monitoring platform, which may comprise:
a receiving unit, configured to receive monitoring information about a suspected virus file reported by a host, where the host has installed, stored or run the suspected virus file, and the monitoring information comprises a timestamp, a host identifier and an identifier of the suspected virus file;
a statistics unit, configured to count the number of hosts that reported monitoring information about the suspected virus file within a first period;
a publishing unit, configured to issue warning information about an outbreak of the suspected virus file if the number of hosts counted by the statistics unit exceeds a first threshold.
Thus, in the scheme of the embodiments of the present invention, monitoring information about a suspected virus file reported by hosts is received, where the monitoring information comprises a timestamp, a host identifier and an identifier of the suspected virus file, and the hosts have installed, stored or run the suspected virus file; the number of hosts that reported monitoring information about the suspected virus file within the first period is counted; and if the counted number of hosts exceeds the first threshold, warning information about an outbreak of the suspected virus file is issued. Because the spread of the suspected virus file among hosts is monitored, and warning information is issued when the number of hosts reporting monitoring information about the file in a given period exceeds the alarm threshold, outbreak alarms can be raised promptly according to the spread of the suspected virus file, which helps improve the ability to give early warning of computer virus outbreaks.
Brief description of the drawings
To explain the technical schemes of the embodiments of the present invention or of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a method for monitoring malicious programs provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of a network system architecture provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of a monitoring platform provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of another monitoring platform provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of a security protection system provided by an embodiment of the present invention.
Detailed description of the embodiments
The embodiments of the present invention provide a method and a monitoring platform for monitoring malicious programs, so as to improve the ability to give early warning of computer virus outbreaks.
To help those skilled in the art better understand the scheme of the present invention, the technical schemes in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
Each is described in detail below.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, the claims and the drawings are used to distinguish similar objects and do not necessarily describe a specific order or sequence. Data used in this way may be interchanged where appropriate, so that the embodiments described here can, for example, be implemented in orders other than those illustrated or described. In addition, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units explicitly listed, and may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
In one embodiment of the method for monitoring malicious programs of the present invention, the method may comprise: receiving monitoring information about a suspected virus file reported by a host, where the host has installed, stored or run the suspected virus file and the monitoring information comprises a timestamp, a host identifier and an identifier of the suspected virus file; counting the number of hosts that reported monitoring information about the suspected virus file within a first period; and, if the counted number of hosts exceeds a first threshold, issuing warning information about an outbreak of the suspected virus file.
Referring to Fig. 1, a method for monitoring malicious programs provided by an embodiment of the present invention may comprise:
101. The monitoring platform receives monitoring information about a suspected virus file reported by a host.
The host has installed, stored or run the suspected virus file, and the monitoring information comprises a timestamp, a host identifier and an identifier of the suspected virus file.
In some embodiments of the invention, the monitoring platform may monitor the spread of the suspected virus file among hosts in one or more specified domains. For example, within certain cloud computing domains, every host that has installed, stored or run the suspected virus file may report monitoring information about it, on its own initiative or at the instruction of the monitoring platform, periodically or aperiodically.
102. The monitoring platform counts the number of hosts that reported monitoring information about the suspected virus file within the first period.
In some embodiments of the invention, the duration of the first period may be 24 hours, 48 hours, 7 days or 12 hours, or another duration set according to actual needs.
In some embodiments of the invention, each time the monitoring platform receives monitoring information about the suspected virus file from a host, it may generate a monitoring record and store it in a database. Each monitoring record may comprise information such as the timestamp, the host identifier and the identifier of the suspected virus file.
It can be understood that, for monitoring information about the same suspected virus file reported by the same host, the monitoring platform may generate only one monitoring record within the same period. Alternatively, it may generate one monitoring record for every piece of monitoring information about the suspected virus file reported by each host, and afterwards merge the monitoring records that fall in the same period and contain the same host identifier and the same suspected virus file identifier into one monitoring record.
103. If the number of hosts counted by the monitoring platform exceeds the first threshold, the monitoring platform issues warning information about an outbreak of the suspected virus file.
The first threshold may be an empirical value for the suspected virus file, or a value obtained from historical data.
In some embodiments of the invention, the first threshold equals, for example, m1*X1, where m1 is the mean of the numbers of hosts that reported monitoring information about the suspected virus file in the N adjacent periods before the first period, X1 is greater than 1 and less than 2, and each of the N periods has the same duration as the first period. X1 may also be an empirical value for the suspected virus file, or a value obtained from historical data. For example, X1 may be greater than 1.29 and less than 2; X1 may of course take other values.
In other embodiments of the invention, the first threshold equals m2*X2, where m2 is the number of hosts that reported monitoring information about the suspected virus file in the n1-th period of the N adjacent periods before the first period, and the number of hosts that reported in the n1-th period is greater than the number that reported in any other of the N periods (that is, m2 is the maximum over the N periods). X2 is greater than 1 and less than 2, and each of the N periods has the same duration as the first period. X2 may also be an empirical value for the suspected virus file, or a value obtained from historical data. For example, X2 may be greater than 1.29 and less than 2; X2 may of course take other values.
In some embodiments of the invention, the total duration of the N periods is, for example, less than or equal to 10% (or another proportion) of the life cycle of the suspected virus file. For example, if the life cycle of the suspected virus file is 200 days and each period lasts 1 day, the value of N may be less than or equal to 20 days; for example, N may range from 3 to 10 days, or even from 6 to 8 days. Alternatively, the total duration of the N periods is less than or equal to 10% (or another proportion) of the active period of the suspected virus file, or less than or equal to 10% (or another proportion) of its latent period.
N may of course also be an empirical value for the suspected virus file, or a value obtained from historical data.
In some embodiments of the invention, the monitoring platform may determine in real time whether the counted number of hosts exceeds the first threshold, or may make that determination at a set time point (which can be set according to actual needs). For example, it may make the determination when monitoring data is written into the database, but it may also do so at any other time.
In some embodiments of the invention, issuing warning information about an outbreak of the suspected virus file may specifically comprise: generating the warning information according to a configured alarm script file, and sending the warning information to a specified address. The warning information may carry the identifier of the suspected virus file and/or the counted number of hosts.
For example, the monitoring platform may send the warning information to a network management device, a specified mailbox or a specified communication number (such as a mobile phone number or an instant messaging number such as a QQ number). If the monitoring platform sends the warning information to a network management device, the network management device can carry out the corresponding emergency handling. Because the suspected virus file may be about to break out or may already have broken out, timely emergency handling helps reduce losses.
In some embodiments of the invention, before issuing warning information about an outbreak of the suspected virus file, the monitoring platform may also determine whether it has already issued such warning information within the first period. If not, it issues the warning information. If it has, it may refrain from issuing the warning information again within the first period, to avoid duplicate issuance. Further, after each issuance of warning information about an outbreak of a suspected virus file, the monitoring platform may record a publication log. The publication log may include, for example, the issuance period and the suspected virus file identifier, and may further include information such as the number of hosts counted at that time. The monitoring platform can subsequently determine from the publication log whether warning information about an outbreak of the suspected virus file has already been issued in the current period.
The deployment location of the monitoring platform may be determined according to the scenario. For example, the monitoring platform may be deployed in the network management device, in another device, or independently. The monitoring platform and the hosts it monitors may communicate directly or indirectly.
It can be seen that, in the scheme of this embodiment, monitoring information about a suspected virus file reported by hosts is received, where the monitoring information comprises a timestamp, a host identifier and an identifier of the suspected virus file, and the hosts have installed, stored or run the suspected virus file; the number of hosts that reported monitoring information about the suspected virus file within the first period is counted; and if the counted number of hosts exceeds the first threshold, warning information about an outbreak of the suspected virus file is issued. Because the spread of the suspected virus file among hosts is monitored, and warning information is issued when the number of hosts reporting monitoring information about the file in a given period exceeds the alarm threshold, outbreak alarms can be raised promptly according to the spread of the suspected virus file, which helps improve the ability to give early warning of computer virus outbreaks.
Further, if the alarm threshold is determined with reference to the life cycle, active period or latent period of the suspected virus file, the spread of the suspected virus file can be monitored more accurately and outbreak alarms can be raised more promptly, which further improves the ability to give early warning of computer virus outbreaks.
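The counting, threshold and duplicate-suppression logic of steps 101 to 103 can be sketched as follows. This is an added example, not code from the patent: the class and function names, the `cold_start` fallback threshold and the sample reports are assumptions constructed for illustration, and the block covers both threshold variants (m1*X1 and m2*X2).

```python
from collections import defaultdict

PERIOD_SECONDS = 24 * 3600  # length of the "first period"; the text also allows 12 h, 48 h or 7 days


class OutbreakMonitor:
    """Counts distinct reporting hosts per file and period; warns once per period on a spike."""

    def __init__(self, n_periods=5, factor=1.3, mode="mean", cold_start=50):
        if mode not in ("mean", "max"):
            raise ValueError("mode must be 'mean' or 'max'")
        self.n_periods = n_periods     # N adjacent earlier periods used as the baseline
        self.factor = factor           # X1 or X2; the text suggests 1.29 < X < 2
        self.mode = mode               # "mean" gives m1*X1, "max" gives m2*X2
        self.cold_start = cold_start   # assumption: empirical threshold when no baseline is usable
        self.hosts = defaultdict(set)  # (file_id, period) -> host ids; the set merges repeat reports
        self.first_seen = {}           # file_id -> earliest period with a report
        self.published = {}            # publication log: (file_id, period) -> host count at warning time

    @staticmethod
    def period_of(timestamp):
        return int(timestamp) // PERIOD_SECONDS

    def threshold(self, file_id, period):
        """First threshold for `period`, derived from the N periods before it."""
        first = self.first_seen.get(file_id)
        if first is None or first > period - self.n_periods:
            return self.cold_start     # fewer than N periods of history exist
        counts = [len(self.hosts.get((file_id, p), ()))
                  for p in range(period - self.n_periods, period)]
        base = sum(counts) / len(counts) if self.mode == "mean" else max(counts)
        if base == 0:
            return self.cold_start     # dormant file: avoid a zero threshold
        return base * self.factor

    def report(self, timestamp, host_id, file_id):
        """Ingest one monitoring message; return a warning dict or None."""
        period = self.period_of(timestamp)
        key = (file_id, period)
        self.hosts[key].add(host_id)
        self.first_seen[file_id] = min(period, self.first_seen.get(file_id, period))
        count = len(self.hosts[key])
        limit = self.threshold(file_id, period)
        if count <= limit or key in self.published:
            return None                # below threshold, or already warned in this period
        self.published[key] = count
        return {"file_id": file_id, "period": period, "hosts": count, "threshold": limit}


def replay_constructed_sample(mode):
    """Replay constructed reports: five baseline days (b1..b5), then a spike on the sixth."""
    monitor = OutbreakMonitor(n_periods=5, factor=1.3, mode=mode)
    file_id = "constructed-file-F1"          # constructed identifier
    daily_hosts = [10, 12, 8, 10, 10, 20]    # constructed host counts per day
    warnings = []
    for day, n_hosts in enumerate(daily_hosts, start=100):
        for h in range(n_hosts):
            for repeat in (0, 1):            # every host reports twice within the period
                ts = day * PERIOD_SECONDS + 60 * h + repeat
                warning = monitor.report(ts, f"host-{h:03d}", file_id)
                if warning:
                    warnings.append(warning)
    return warnings


if __name__ == "__main__":
    for mode in ("mean", "max"):
        print(mode, replay_constructed_sample(mode))
```

With the constructed baseline, the mean variant warns at the 14th distinct host and the maximum variant at the 16th; repeat reports and later hosts in the same period produce no further warning.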
To help better understand and implement the above schemes of the embodiments of the present invention, some application scenarios are described below as examples.
Referring to Fig. 2, Fig. 2 is a schematic diagram of a network system architecture provided by an embodiment of the present invention.
The monitoring platform 210 is communicatively connected to a number of hosts through a network, and the monitoring platform 210 is communicatively connected to the network management device 220.
Example one
Suppose the life cycle of suspected virus file F1 is 150 days, and the numbers of hosts that reported monitoring information about suspected virus file F1 on each of the 5 days before the current day are b1, b2, b3, b4 and b5. The alarm threshold S1 (serving as the first threshold) is set, for example, to the mean of the numbers of hosts that reported monitoring information about suspected virus file F1 on the 5 days before the current day, multiplied by A%. Every host that has installed, stored or run the suspected virus file may report monitoring information about suspected virus file F1 to the monitoring platform 210, on its own initiative or at the instruction of the monitoring platform, periodically or aperiodically. A% may be greater than 1.29 and less than 2, or may take other values.
The monitoring platform 210 receives the monitoring information about suspected virus file F1 reported by hosts and counts the number of hosts that reported monitoring information about suspected virus file F1 within the current day. Each time the monitoring platform 210 receives monitoring information about suspected virus file F1 from a host, it may generate a monitoring record and store it in a database. Each monitoring record may comprise information such as the timestamp, the host identifier and the identifier of suspected virus file F1. It can be understood that, for monitoring information about suspected virus file F1 reported by the same host, the monitoring platform may generate only one monitoring record within the same period. Alternatively, it may generate one monitoring record for every piece of monitoring information about suspected virus file F1 reported by each host, and afterwards merge the monitoring records that fall in the same period and contain the same host identifier and the identifier of suspected virus file F1 into one monitoring record.
If the number of hosts counted by the monitoring platform 210 as having reported monitoring information about suspected virus file F1 within the current day exceeds the alarm threshold S1, the monitoring platform 210 may issue warning information about an outbreak of suspected virus file F1 to the network management device 220. The warning information may carry the identifier of suspected virus file F1 and/or the counted number of hosts. The network management device 220 can carry out the corresponding emergency handling. Because suspected virus file F1 may be about to break out or may already have broken out, timely emergency handling helps reduce losses.
In some embodiments of the invention, before issuing warning information about an outbreak of suspected virus file F1, the monitoring platform 210 may also determine whether it has already issued such warning information on the current day. If not, the monitoring platform 210 issues the warning information. If it has, the monitoring platform may refrain from issuing the warning information again on the current day, to avoid duplicate issuance. Further, after each issuance of warning information about an outbreak of a suspected virus file, the monitoring platform 210 may record a publication log. The publication log may include, for example, the issuance period and the suspected virus file identifier, and may also include information such as the number of hosts counted at that time. The monitoring platform 210 can subsequently determine from the publication log whether warning information about an outbreak of the suspected virus file has already been issued in the current period.
Example two
Suppose the life cycle of suspected virus file F2 is 100 days, and the numbers of hosts that reported monitoring information about suspected virus file F2 on each of the 7 days before the current day are b1, b2, b3, b4, b5, b6 and b7. The alarm threshold S2 (serving as the first threshold) is set, for example, to the maximum of the numbers of hosts that reported monitoring information about suspected virus file F2 on the 7 days before the current day, multiplied by B%. If the largest of b1, b2, b3, b4, b5, b6 and b7 is b4, then S2 = B% * b4. Every host that has installed, stored or run the suspected virus file may report monitoring information about suspected virus file F2 to the monitoring platform 210, on its own initiative or at the instruction of the monitoring platform, periodically or aperiodically.
The monitoring platform 210 receives the monitoring information about suspected virus file F2 reported by hosts and counts the number of hosts that reported monitoring information about suspected virus file F2 within the current day. Each time the monitoring platform 210 receives monitoring information about suspected virus file F2 from a host, it may generate a monitoring record and store it in a database. Each monitoring record may comprise information such as the timestamp, the host identifier and the identifier of suspected virus file F2. It can be understood that, for monitoring information about suspected virus file F2 reported by the same host, the monitoring platform may generate only one monitoring record within the same period. Alternatively, it may generate one monitoring record for every piece of monitoring information about suspected virus file F2 reported by each host, and afterwards merge the monitoring records that fall in the same period and contain the same host identifier and the identifier of suspected virus file F2 into one monitoring record.
If the number of hosts counted by the monitoring platform 210 as having reported monitoring information about suspected virus file F2 within the current day exceeds the alarm threshold S2, the monitoring platform 210 may issue warning information about an outbreak of suspected virus file F2 to the network management device 220. The warning information may carry the identifier of suspected virus file F2 and/or the counted number of hosts. The network management device 220 can carry out the corresponding emergency handling. Because suspected virus file F2 may be about to break out or may already have broken out, timely emergency handling helps reduce losses. The monitoring platform 210 may also send the warning information about an outbreak of suspected virus file F2 to a specified communication number (such as a mobile phone number or an instant messaging number such as a QQ number).
It can be understood that the above scenarios are only examples; in practical applications they can be adapted to the scenario at hand.
To help better implement the above schemes of the embodiments of the present invention, related apparatus for implementing those schemes is also provided below.
Referring to Fig. 3, the present invention also provides a monitoring platform 300, which may comprise:
a receiving unit 310, a statistics unit 320 and a publishing unit 330.
The receiving unit 310 is configured to receive monitoring information about a suspected virus file reported by a host.
The host has installed, stored or run the suspected virus file, and the monitoring information comprises a timestamp, a host identifier and an identifier of the suspected virus file.
In some embodiments of the invention, the monitoring platform 300 may monitor the spread of the suspected virus file among hosts in one or more specified domains. For example, within certain cloud computing domains, every host that has installed, stored or run the suspected virus file may report monitoring information about it, on its own initiative or at the instruction of the monitoring platform, periodically or aperiodically.
The statistics unit 320 is configured to count the number of hosts that reported monitoring information about the suspected virus file within the first period.
In some embodiments of the invention, the duration of the first period may be 24 hours, 48 hours, 7 days or 12 hours, or another duration set according to actual needs.
In some embodiments of the invention, each time the receiving unit 310 receives monitoring information about the suspected virus file from a host, the statistics unit 320 may generate a monitoring record and store it in a database. Each monitoring record may comprise information such as the timestamp, the host identifier and the identifier of the suspected virus file.
It can be understood that, for monitoring information about the same suspected virus file reported by the same host, the statistics unit 320 may generate only one monitoring record within the same period. Alternatively, the statistics unit 320 may generate one monitoring record for every piece of monitoring information about the suspected virus file reported by each host, and afterwards merge the monitoring records that fall in the same period and contain the same host identifier and the same suspected virus file identifier into one monitoring record.
Release unit 330, if the host number counting for statistic unit 320 exceedes first threshold, issues the warning information of above-mentioned doubtful virus document outburst.
Wherein, first threshold can be an empirical value for above-mentioned doubtful virus document, or can be also the value obtaining by historical data.
In some embodiments of the invention, first threshold for example equals m1*X1, wherein, above-mentioned m1 is the mean value that has reported the host number of the monitor message of above-mentioned doubtful virus document in N period adjacent before above-mentioned the first period, above-mentioned X2 is greater than 1 and be less than 2, and an above-mentioned N period is identical with the duration of above-mentioned the first period.Wherein, above-mentioned X1 can be also an empirical value for above-mentioned doubtful virus document, or can be also the value obtaining by historical data.For example, above-mentioned X1 can be greater than 1.29 and be less than 2, certainly also desirable other value of X1.
In other embodiments of the invention, the first threshold equals m2*X2, where m2 is the number of hosts that reported monitoring information for the suspected virus file in the n1-th period among the N adjacent periods preceding the first period, the number of hosts that reported in the n1-th period being greater than the number that reported in any other one of the N periods; X2 is greater than 1 and less than 2, and each of the N periods has the same duration as the first period. X2 may likewise be an empirical value for the suspected virus file, or a value derived from historical data. For example, X2 may be greater than 1.29 and less than 2; X2 may of course take other values.
In some embodiments of the invention, the total duration of the N periods is, for example, less than or equal to 10% (or another proportion) of the life cycle of the suspected virus file. For example, if the life cycle of the suspected virus file is 200 days and each period lasts 1 day, then the value of N may be less than or equal to 20 days; for example, N may range from 3 to 10 days, or even 6 to 8 days. Alternatively, the total duration of the N periods is less than or equal to 10% (or another proportion) of the active period of the suspected virus file, or less than or equal to 10% (or another proportion) of its latency period.
Of course, N may also be an empirical value for the suspected virus file, or a value derived from historical data.
In some embodiments of the invention, publishing unit 330 may determine in real time whether the counted number of hosts exceeds the first threshold, or may make that determination at a set time point (which can be chosen according to actual needs).
In some embodiments of the invention, publishing unit 330 is specifically configured to issue alert information indicating an outbreak of the suspected virus file if the number of hosts counted by statistics unit 320 exceeds the first threshold and no alert information for that outbreak has yet been issued within the first period. If publishing unit 330 has already issued alert information for the outbreak of the suspected virus file within the first period, it may refrain from issuing it again within the first period, to avoid duplicate alerts. Further, each time publishing unit 330 issues alert information for an outbreak of a suspected virus file, it may record a publish log. The publish log may include, for example, the publishing period and the suspected-virus-file identifier, and may also include information such as the number of hosts counted at that time. Publishing unit 330 can subsequently use the publish log to determine whether alert information for the outbreak of the suspected virus file has already been issued in the current period.
In some embodiments of the invention, publishing unit 330 may be specifically configured to, if the number of hosts counted by statistics unit 320 exceeds the first threshold, generate the alert information for the outbreak of the suspected virus file according to a configured alarm script file, and send the alert information to a designated address, where the alert information carries the identifier of the suspected virus file and/or the counted number of hosts. For instance, publishing unit 330 may send the alert information to a network management device, a designated mailbox, or a designated communication number (such as a mobile phone number or an instant-messaging number such as a QQ number). Suppose publishing unit 330 has sent the alert information to the network management device; the network management device can then carry out the corresponding emergency handling. Because the suspected virus file may be about to break out or may already be breaking out, timely emergency handling helps reduce losses.
It will be understood that the functions of the functional modules of monitoring platform 300 in this embodiment can be implemented according to the methods in the method embodiments above; for the specific implementation process, refer to the related description of those method embodiments, which is not repeated here.
As can be seen, in the scheme of this embodiment, monitoring platform 300 receives the monitoring information for a suspected virus file reported by hosts, where the monitoring information includes a timestamp, a host identifier, and the identifier of the suspected virus file, and the host has installed, stored, or moved the suspected virus file; it counts the number of hosts that reported monitoring information for the suspected virus file within the first period; and if the counted number of hosts exceeds the first threshold, it issues alert information indicating an outbreak of the suspected virus file. Because monitoring platform 300 monitors how the suspected virus file spreads among hosts, and issues outbreak alert information when the number of hosts reporting monitoring information for the suspected virus file within a given period exceeds the alarm threshold, outbreak alerts can be raised promptly according to the spread of the suspected virus file, which helps improve the early-warning capability for computer virus outbreaks.
Further, determining the alarm threshold with reference to the life cycle, active period, or latency period of the suspected virus file helps monitor its spread more accurately and raise outbreak alerts more promptly, which in turn further improves the early-warning capability for computer virus outbreaks.
Referring to Fig. 4, the invention also provides a monitoring platform 400, which may comprise:
Processor 410, memory 420, input device 430, and output device 440. Monitoring platform 400 may have one or more processors 410; Fig. 4 takes one processor as an example. In some embodiments of the invention, processor 410, memory 420, input device 430, and output device 440 may be connected by a bus or by other means; Fig. 4 takes connection by a bus as an example.
Processor 410 performs the following steps:
Receiving the monitoring information for a suspected virus file reported by hosts, where the host has installed, stored, or moved the suspected virus file and the monitoring information includes a timestamp, a host identifier, and the identifier of the suspected virus file; counting the number of hosts that reported monitoring information for the suspected virus file within the first period; and, if the counted number of hosts exceeds the first threshold, issuing alert information indicating an outbreak of the suspected virus file.
In some embodiments of the invention, the duration of the first period may be 24 hours, 48 hours, 7 days, 12 hours, or another duration set according to actual needs.
In some embodiments of the invention, each time processor 410 receives monitoring information for the suspected virus file reported by a host, it may generate one monitoring record, and the monitoring record may be stored in a database. Each monitoring record may include information such as the timestamp, the host identifier, and the identifier of the suspected virus file. It will be understood that, for monitoring information reported by the same host for the same suspected virus file within the same period, processor 410 may generate only one monitoring record. Alternatively, processor 410 may generate one monitoring record for every piece of monitoring information that each host reports for the suspected virus file, and afterwards merge into a single monitoring record those records that fall in the same period and contain the same host identifier and the same suspected-virus-file identifier.
The first threshold may be an empirical value for the suspected virus file, or a value derived from historical data.
In some embodiments of the invention, the first threshold equals, for example, m1*X1, where m1 is the mean of the number of hosts that reported monitoring information for the suspected virus file in the N adjacent periods preceding the first period, X2 is greater than 1 and less than 2, and each of the N periods has the same duration as the first period. X1 may likewise be an empirical value for the suspected virus file, or a value derived from historical data. For example, X1 may be greater than 1.29 and less than 2; X1 may of course take other values.
In other embodiments of the invention, the first threshold equals m2*X2, where m2 is the number of hosts that reported monitoring information for the suspected virus file in the n1-th period among the N adjacent periods preceding the first period, the number of hosts that reported in the n1-th period being greater than the number that reported in any other one of the N periods; X2 is greater than 1 and less than 2, and each of the N periods has the same duration as the first period. X2 may likewise be an empirical value for the suspected virus file, or a value derived from historical data. For example, X2 may be greater than 1.29 and less than 2; X2 may of course take other values.
In some embodiments of the invention, the total duration of the N periods is, for example, less than or equal to 10% (or another proportion) of the life cycle of the suspected virus file. For example, if the life cycle of the suspected virus file is 200 days and each period lasts 1 day, then the value of N may be less than or equal to 20 days; for example, N may range from 3 to 10 days, or even 6 to 8 days. Alternatively, the total duration of the N periods is less than or equal to 10% (or another proportion) of the active period of the suspected virus file, or less than or equal to 10% (or another proportion) of its latency period.
Of course, N may also be an empirical value for the suspected virus file, or a value derived from historical data.
In some embodiments of the invention, processor 410 may determine in real time whether the counted number of hosts exceeds the first threshold, or may make that determination at a set time point (which can be chosen according to actual needs).
In some embodiments of the invention, if the counted number of hosts exceeds the first threshold and no alert information for the outbreak of the suspected virus file has yet been issued within the first period, processor 410 issues the alert information for the outbreak of the suspected virus file. If processor 410 has already issued alert information for the outbreak within the first period, it may refrain from issuing it again within the first period, to avoid duplicate alerts. Further, each time processor 410 issues alert information for an outbreak of a suspected virus file, it may record a publish log and store it in memory 420. The publish log may include, for example, the publishing period and the suspected-virus-file identifier, and may also include information such as the number of hosts counted at that time. Processor 410 can subsequently use the publish log to determine whether alert information for the outbreak of the suspected virus file has already been issued in the current period.
In some embodiments of the invention, if the counted number of hosts exceeds the first threshold, processor 410 may generate the alert information for the outbreak of the suspected virus file according to a configured alarm script file, and send the alert information to a designated address, where the alert information carries the identifier of the suspected virus file and/or the counted number of hosts. For instance, processor 410 may send the alert information to a network management device, a designated mailbox, or a designated communication number (such as a mobile phone number or an instant-messaging number such as a QQ number). Suppose processor 410 has sent the alert information to the network management device; the network management device can then carry out the corresponding emergency handling. Because the suspected virus file may be about to break out or may already be breaking out, timely emergency handling helps reduce losses.
It will be understood that the functions of the functional modules of monitoring platform 400 in this embodiment can be implemented according to the methods in the method embodiments above; for the specific implementation process, refer to the related description of those method embodiments, which is not repeated here.
As can be seen, in the technical scheme of this embodiment, monitoring platform 400 comprises processor 410, memory 420, input device 430, and output device 440. Processor 410 receives the monitoring information for a suspected virus file reported by hosts, where the monitoring information includes a timestamp, a host identifier, and the identifier of the suspected virus file, and the host has installed, stored, or moved the suspected virus file; it counts the number of hosts that reported monitoring information for the suspected virus file within the first period; and if the counted number of hosts exceeds the first threshold, it issues alert information indicating an outbreak of the suspected virus file. Because monitoring platform 300 monitors how the suspected virus file spreads among hosts, and issues outbreak alert information when the number of hosts reporting monitoring information for the suspected virus file within a given period exceeds the alarm threshold, outbreak alerts can be raised promptly according to the spread of the suspected virus file, which helps improve the early-warning capability for computer virus outbreaks.
Further, determining the alarm threshold with reference to the life cycle, active period, or latency period of the suspected virus file helps monitor its spread more accurately and raise outbreak alerts more promptly, which in turn further improves the early-warning capability for computer virus outbreaks.
Referring to Fig. 5, an embodiment of the invention also provides a security protection system, which may comprise:
Monitoring platform 510 and network management device 520.
Monitoring platform 510 is configured to: receive the monitoring information for a suspected virus file reported by hosts, where the host has installed, stored, or moved the suspected virus file and the monitoring information includes a timestamp, a host identifier, and the identifier of the suspected virus file; count the number of hosts that reported monitoring information for the suspected virus file within the first period; and, if the counted number of hosts exceeds the first threshold, issue alert information indicating an outbreak of the suspected virus file to network management device 520.
Network management device 520 is configured to, after receiving the alert information for the outbreak of the suspected virus file issued by monitoring platform 510, carry out emergency handling according to a preset emergency-handling policy corresponding to that suspected virus file.
In some embodiments of the invention, the duration of the first period may be 24 hours, 48 hours, 7 days, 12 hours, or another duration set according to actual needs.
In some embodiments of the invention, each time monitoring platform 510 receives monitoring information for the suspected virus file reported by a host, it may generate one monitoring record, and the monitoring record may be stored in a database. Each monitoring record may include information such as the timestamp, the host identifier, and the identifier of the suspected virus file. It will be understood that, for monitoring information reported by the same host for the same suspected virus file within the same period, monitoring platform 510 may generate only one monitoring record. Alternatively, one monitoring record may be generated for every piece of monitoring information that each host reports for the suspected virus file, and those records that fall in the same period and contain the same host identifier and the same suspected-virus-file identifier may afterwards be merged into a single monitoring record.
The first threshold may be an empirical value for the suspected virus file, or a value derived from historical data.
In some embodiments of the invention, the first threshold equals, for example, m1*X1, where m1 is the mean of the number of hosts that reported monitoring information for the suspected virus file in the N adjacent periods preceding the first period, X2 is greater than 1 and less than 2, and each of the N periods has the same duration as the first period. X1 may likewise be an empirical value for the suspected virus file, or a value derived from historical data. For example, X1 may be greater than 1.29 and less than 2; X1 may of course take other values.
In other embodiments of the invention, the first threshold equals m2*X2, where m2 is the number of hosts that reported monitoring information for the suspected virus file in the n1-th period among the N adjacent periods preceding the first period, the number of hosts that reported in the n1-th period being greater than the number that reported in any other one of the N periods; X2 is greater than 1 and less than 2, and each of the N periods has the same duration as the first period. X2 may likewise be an empirical value for the suspected virus file, or a value derived from historical data. For example, X2 may be greater than 1.29 and less than 2; X2 may of course take other values.
In some embodiments of the invention, the total duration of the N periods is, for example, less than or equal to 10% (or another proportion) of the life cycle of the suspected virus file. For example, if the life cycle of the suspected virus file is 200 days and each period lasts 1 day, then the value of N may be less than or equal to 20 days; for example, N may range from 3 to 10 days, or even 6 to 8 days. Alternatively, the total duration of the N periods is less than or equal to 10% (or another proportion) of the active period of the suspected virus file, or less than or equal to 10% (or another proportion) of its latency period.
Of course, N may also be an empirical value for the suspected virus file, or a value derived from historical data.
In some embodiments of the invention, monitoring platform 510 may determine in real time whether the counted number of hosts exceeds the first threshold, or may make that determination at a set time point (which can be chosen according to actual needs).
In some embodiments of the invention, monitoring platform 510 may generate the alert information for the outbreak of the suspected virus file according to a configured alarm script file, and send the alert information to a designated address, where the alert information may carry the identifier of the suspected virus file and/or the counted number of hosts.
In some embodiments of the invention, before issuing the alert information for the outbreak of the suspected virus file, monitoring platform 510 may also determine whether it has already issued alert information for that outbreak within the first period. If not, monitoring platform 510 issues the alert information. If it has already issued alert information for the outbreak within the first period, monitoring platform 510 may refrain from issuing it again within the first period, to avoid duplicate alerts.
Further, each time monitoring platform 510 issues alert information for an outbreak of a suspected virus file, it may record a publish log. The publish log may include, for example, the publishing period and the suspected-virus-file identifier, and may further include information such as the number of hosts counted at that time. Monitoring platform 510 can subsequently use the publish log to determine whether alert information for the outbreak of the suspected virus file has already been issued in the current period.
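The counting, threshold and publish-log logic described for monitoring platforms 300, 400 and 510 can be sketched as follows. This is an added example, not code from the patent; the class name `OutbreakMonitor`, the `floor` parameter (a minimum threshold for the case where the N earlier periods hold no reports), the identifiers and the sample reports are all assumptions constructed for illustration.

```python
from collections import defaultdict

PERIOD_SECONDS = 24 * 3600  # one period = 24 hours, one of the durations the text lists


class OutbreakMonitor:
    """Distinct-host counting per period with an m1*X1 or m2*X2 alarm threshold."""

    def __init__(self, n_periods=7, factor=1.3, mode="mean", floor=0):
        if mode not in ("mean", "max"):
            raise ValueError("mode must be 'mean' (m1*X1) or 'max' (m2*X2)")
        if n_periods < 1:
            raise ValueError("n_periods must be at least 1")
        self.n_periods = n_periods      # N adjacent periods before the current one
        self.factor = factor            # X1 or X2
        self.mode = mode
        self.floor = floor              # assumption, not in the text: cold-start minimum
        self.hosts = defaultdict(set)   # (file_id, period) -> host ids seen
        self.publish_log = {}           # (file_id, period) -> host count when alerted

    @staticmethod
    def period_of(timestamp):
        """Map an epoch timestamp (seconds) to a period index."""
        return int(timestamp) // PERIOD_SECONDS

    def ingest(self, timestamp, host_id, file_id):
        """Store one report. The set merges repeats from the same host in one period."""
        period = self.period_of(timestamp)
        self.hosts[(file_id, period)].add(host_id)
        return period

    def threshold(self, file_id, period):
        """First threshold for `period`, from the N periods immediately before it."""
        history = [len(self.hosts.get((file_id, p), ()))
                   for p in range(period - self.n_periods, period)]
        if self.mode == "mean":
            base = sum(history) / self.n_periods   # m1: mean host count
        else:
            base = max(history)                    # m2: busiest of the N periods
        return max(base * self.factor, self.floor)

    def evaluate(self, file_id, period):
        """Return an alert dict, or None if under threshold or already published."""
        key = (file_id, period)
        count = len(self.hosts.get(key, ()))
        limit = self.threshold(file_id, period)
        if count <= limit or key in self.publish_log:
            return None
        self.publish_log[key] = count   # consulted later to suppress repeat alerts
        return {"file_id": file_id, "period": period,
                "host_count": count, "threshold": limit}

    def report(self, timestamp, host_id, file_id):
        """Real-time variant: store the report, then judge immediately."""
        return self.evaluate(file_id, self.ingest(timestamp, host_id, file_id))


def demo(mode):
    """Constructed data: 7 quiet days, then 20 hosts reporting twice each on day 8."""
    mon = OutbreakMonitor(n_periods=7, factor=1.3, mode=mode, floor=5)
    day0 = 19000                                   # arbitrary starting day index
    daily_hosts = [10, 12, 9, 11, 10, 13, 12]      # constructed history
    for d, n in enumerate(daily_hosts):
        for h in range(n):
            mon.ingest((day0 + d) * PERIOD_SECONDS + h, f"host-{h}", "sample-file-A")
    today = day0 + len(daily_hosts)
    alerts = []
    for h in range(20):
        for repeat in range(2):                    # duplicate reports from each host
            ts = today * PERIOD_SECONDS + 60 * h + repeat
            alert = mon.report(ts, f"host-{h}", "sample-file-A")
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print(demo("mean"))
    print(demo("max"))
```

Delivery of the alert (the configured alarm script file and the designated address) is left out; `evaluate` can equally be called once per period at a set time point instead of on every report.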
The deployment location of monitoring platform 510 can be determined according to the needs of the scenario: the monitoring platform may, for example, be deployed in network management device 520, in another device, or independently. Monitoring platform 510 may communicate directly or indirectly with the hosts it monitors.
An embodiment of the invention also provides a computer storage medium that may store a program which, when executed, performs some or all of the steps of the method for monitoring a malicious program described in the method embodiments above.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should know that the invention is not limited by the described order of actions, because according to the invention some steps may be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the invention.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, refer to the related description of the other embodiments.
To sum up, in the scheme of the embodiments of the invention, the monitoring platform receives the monitoring information for a suspected virus file reported by hosts, where the monitoring information includes a timestamp, a host identifier, and the identifier of the suspected virus file, and the host has installed, stored, or moved the suspected virus file; it counts the number of hosts that reported monitoring information for the suspected virus file within the first period; and if the counted number of hosts exceeds the first threshold, it issues alert information indicating an outbreak of the suspected virus file. Because the spread of the suspected virus file among hosts is monitored, and outbreak alert information is issued when the number of hosts reporting monitoring information for the suspected virus file within a given period exceeds the alarm threshold, outbreak alerts can be raised promptly according to the spread of the suspected virus file, which helps improve the early-warning capability for computer virus outbreaks.
Further, determining the alarm threshold with reference to the life cycle, active period, or latency period of the suspected virus file helps monitor its spread more accurately and raise outbreak alerts more promptly, which in turn further improves the early-warning capability for computer virus outbreaks.
In the several embodiments provided in this application, it should be understood that the disclosed device can be implemented in other ways. For example, the device embodiments described above are only schematic: the division into units is only a division by logical function, and other divisions are possible in an actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection between devices or units may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of the invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a portable hard disk, a magnetic disk, or an optical disc.
The above embodiments are intended only to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (10)

1. A method for monitoring a malicious program, characterized by comprising:
Receiving monitoring information for a suspected virus file reported by hosts, wherein the host has installed, stored, or moved the suspected virus file, and the monitoring information comprises a timestamp, a host identifier, and the identifier of the suspected virus file;
Counting the number of hosts that reported monitoring information for the suspected virus file within a first period;
If the counted number of hosts exceeds a first threshold, issuing alert information indicating an outbreak of the suspected virus file.
2. The method according to claim 1, characterized in that,
The first threshold equals m1*X1, wherein m1 is the mean of the number of hosts that reported monitoring information for the suspected virus file in the N adjacent periods preceding the first period, X2 is greater than 1 and less than 2, and each of the N periods has the same duration as the first period;
Or,
The first threshold equals m2*X2, wherein m2 is the number of hosts that reported monitoring information for the suspected virus file in the n1-th period among the N adjacent periods preceding the first period, the number of hosts that reported monitoring information for the suspected virus file in the n1-th period being greater than the number that reported in any other one of the N periods, X2 is greater than 1 and less than 2, and each of the N periods has the same duration as the first period.
3. The method according to claim 2, characterized in that,
The total duration of the N periods is less than or equal to 10% of the life cycle of the suspected virus file,
Or the total duration of the N periods is less than or equal to 10% of the active period of the suspected virus file, or the total duration of the N periods is less than or equal to 10% of the latency period of the suspected virus file.
4. The method according to claim 2 or 3, characterized in that,
The duration of the first period is 24 hours.
5. The method according to claim 2 or 3, characterized in that,
X1 is greater than 1.29 and less than 2;
And/or X2 is greater than 1.29 and less than 2.
6. The method according to any one of claims 1 to 3, characterized in that,
Issuing the alert information indicating an outbreak of the suspected virus file comprises:
Generating the alert information for the outbreak of the suspected virus file according to a configured alarm script file;
Sending the alert information to a designated address, wherein the alert information carries the identifier of the suspected virus file and/or the counted number of hosts.
7. according to the method described in claims 1 to 3 any one, it is characterized in that,
Before the warning information of the described doubtful virus document outburst of described issue, also comprise: judge the warning information of whether having issued described doubtful virus document outburst within the first period, if not, carry out the step of the warning information of the described doubtful virus document outburst of described issue.
8. a monitor supervision platform, is characterized in that, comprising:
Receiving element, the monitor message of the doubtful virus document reporting for Receiving Host, wherein, described main frame is installed or is stored or moved described doubtful virus document, and described monitor message comprises: the mark of timestamp, host identification and described doubtful virus document;
Statistic unit, for adding up the host number that has reported the monitor message of described doubtful virus document within the first period;
Release unit, if the host number counting for described statistic unit exceedes first threshold, issues the warning information of described doubtful virus document outburst.
9. monitor supervision platform according to claim 8, is characterized in that,
Described release unit specifically for, if the described host number that statistic unit counts exceedes first threshold, generate the warning information of described doubtful virus document outburst according to the alarm script file of configuration; Send described warning information to assigned address, wherein, the described host number that described warning information carries the mark of described doubtful virus document and/or counts.
10. according to the monitor supervision platform described in claim 9 or 8 any one, it is characterized in that,
Release unit specifically for, if the described host number that statistic unit counts exceedes first threshold, and within described the first period, also do not issue the warning information of described doubtful virus document outburst, issue the warning information of described doubtful virus document outburst.
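The detection logic described in claims 2, 4, 6 and 7, as an added Python sketch that is not part of the patent text: it counts distinct reporting hosts per 24-hour period, derives the first threshold from either the mean or the busiest of the N preceding periods, and suppresses repeat alerts within a period. The names `OutbreakMonitor`, `hosts_per_period`, `first_threshold` and `constructed_reports`, the tuple layout, and the sample data are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

PERIOD = 24 * 3600  # claim 4: every period lasts 24 hours

def hosts_per_period(reports, file_id):
    """Map period index -> set of distinct hosts that reported file_id."""
    buckets = defaultdict(set)
    for ts, host, fid in reports:
        if fid == file_id:
            buckets[ts // PERIOD].add(host)  # a host counts once per period
    return buckets

def first_threshold(history, x, mode="mean"):
    """Claim 2: mean of the N prior periods times X1, or their maximum times X2."""
    if not 1 < x < 2:
        raise ValueError("multiplier must be greater than 1 and less than 2")
    return (mean(history) if mode == "mean" else max(history)) * x

class OutbreakMonitor:
    """Hypothetical class name; n_periods, x and mode are illustrative parameters."""
    def __init__(self, n_periods=3, x=1.3, mode="mean"):
        self.n, self.x, self.mode = n_periods, x, mode
        self.alerted = set()  # (file_id, period) pairs already alerted, per claim 7

    def check(self, reports, file_id, period):
        buckets = hosts_per_period(reports, file_id)
        history = [len(buckets.get(p, ())) for p in range(period - self.n, period)]
        count = len(buckets.get(period, ()))
        threshold = first_threshold(history, self.x, self.mode)
        if count <= threshold or (file_id, period) in self.alerted:
            return None  # below threshold, or already alerted in this period
        self.alerted.add((file_id, period))
        return {"file_id": file_id, "hosts": count, "threshold": threshold}

def constructed_reports():
    """Constructed sample data: (timestamp, host_id, file_id) over four days."""
    reports = []
    for day, n_hosts in enumerate([10, 12, 11, 15]):
        for h in range(n_hosts):
            reports.append((day * PERIOD + h, f"host-{h}", "file-A"))
    reports.append((3 * PERIOD + 99, "host-0", "file-A"))  # repeat report, same host
    return reports

if __name__ == "__main__":
    data = constructed_reports()
    print(OutbreakMonitor(mode="mean").check(data, "file-A", 3))
    print(OutbreakMonitor(mode="max").check(data, "file-A", 3))
```

When the N preceding periods contain no reports the threshold is 0, so a single reporting host raises an alert; the claims shown here set no minimum count, so any floor is a deployment decision.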
CN201210466934.5A 2012-11-19 2012-11-19 Method and platform for monitoring rogue programs Pending CN103824017A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210466934.5A CN103824017A (en) 2012-11-19 2012-11-19 Method and platform for monitoring rogue programs

Publications (1)

Publication Number Publication Date
CN103824017A true CN103824017A (en) 2014-05-28

Family

ID=50759073

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210466934.5A Pending CN103824017A (en) 2012-11-19 2012-11-19 Method and platform for monitoring rogue programs

Country Status (1)

Country Link
CN (1) CN103824017A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030097462A1 (en) * 2001-09-26 2003-05-22 Parent Sean R. Marked foreign data blocks
CN101707539A (en) * 2009-11-26 2010-05-12 成都市华为赛门铁克科技有限公司 Method and device for detecting worm virus and gateway equipment
CN101833575A (en) * 2010-04-27 2010-09-15 南京邮电大学 Method for sorting network virus reports
WO2012097553A1 (en) * 2011-01-20 2012-07-26 中兴通讯股份有限公司 Virus prevention method and system for intelligent mobile terminal
CN102591591A (en) * 2011-12-19 2012-07-18 杭州瑞网广通信息技术有限公司 Disk detection system, disk detection method and network storage system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104268080A (en) * 2014-09-25 2015-01-07 北京金山安全软件有限公司 Software exception handling method and device
CN105631328A (en) * 2015-12-18 2016-06-01 北京奇虎科技有限公司 Detection method and device of unknown risks of browser plugin
CN107317799A (en) * 2017-05-26 2017-11-03 北京金山安全管理系统技术有限公司 Viral early-warning processing method and device
CN107317799B (en) * 2017-05-26 2020-09-11 北京金山安全管理系统技术有限公司 Virus early warning processing method and device
CN109815702A (en) * 2018-12-29 2019-05-28 360企业安全技术(珠海)有限公司 Safety detection method, device and the equipment of software action
CN111625828A (en) * 2020-07-29 2020-09-04 杭州海康威视数字技术股份有限公司 Lesovirus defense method and device and electronic equipment
CN113849246A (en) * 2021-09-24 2021-12-28 统信软件技术有限公司 Plug-in identification method, plug-in loading method, computing device and storage medium
CN113849246B (en) * 2021-09-24 2024-01-23 统信软件技术有限公司 Plug-in identification method, plug-in loading method, computing device and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20140528