CN104618427A - Method and device for monitoring file via network - Google Patents


Info

Publication number
CN104618427A
CN104618427A
Authority
CN
China
Prior art keywords
information
monitoring
monitored object
file
monitored
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410790513.7A
Other languages
Chinese (zh)
Other versions
CN104618427B (en
Inventor
郭明强
张永成
陈高合
董志强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Baidu Online Network Technology Beijing Co Ltd
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201410790513.7A
Publication of CN104618427A
Application granted
Publication of CN104618427B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The invention provides a method and a device for monitoring files via a network. The method comprises the following steps: obtaining security attribute information of a monitored object; when the security attribute information of the monitored object meets a real-time processing monitoring condition, determining that the monitoring mode corresponding to the monitored object is real-time processing monitoring; reporting the object monitoring information corresponding to the monitored object, together with the monitoring mode, to a corresponding network device; and performing a corresponding processing operation on the monitored object according to a received processing scheme that the network device feeds back based on the object monitoring information.

Description

Method and apparatus for carrying out file monitoring via a network
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for carrying out file monitoring via a network.
Background technology
In the prior art, during cloud scanning (cloud-based virus scanning and removal), an asynchronous cloud scanning mode is generally adopted so as not to affect the system performance of the client device. In this mode the cloud scanning server can identify suspicious programs such as viruses, but it cannot make the client device stop the start-up of a suspicious program immediately. Therefore, under the prior-art approach, a client device using cloud scanning cannot perform virus-handling operations, such as removing the virus, before the virus program starts.
Summary of the invention
The object of this invention is to provide a method and apparatus for carrying out file monitoring via a network.
According to one aspect of the present invention, a method for carrying out file monitoring via a network is provided, wherein the method comprises the following steps:
- obtaining security attribute information of a monitored object;
- when the security attribute information of the monitored object meets a real-time processing monitoring condition, determining that the monitoring mode corresponding to this monitored object is real-time processing monitoring;
- reporting the object monitoring information corresponding to this monitored object, together with the monitoring mode, to a corresponding network device;
- performing a corresponding processing operation on the monitored object according to a received processing scheme that the network device feeds back based on the object monitoring information.
According to another aspect of the present invention, a method for assisting network-based scanning is also provided, wherein the method comprises the following steps:
- receiving, from a user device, object monitoring information for a monitored object and the monitoring mode of this monitored object;
- when the monitoring mode is real-time processing monitoring, feeding back to the user device a processing scheme corresponding to the object monitoring information of this monitored object.
According to another aspect of the present invention, a monitoring processing device for carrying out file scanning via a network is also provided, wherein the monitoring processing device comprises:
means for obtaining the security attribute information of a monitored object;
means for determining, when the security attribute information of the monitored object meets a real-time processing monitoring condition, that the monitoring mode corresponding to this monitored object is real-time processing monitoring;
means for reporting the object monitoring information corresponding to this monitored object, together with the monitoring mode, to a corresponding network device;
means for performing a corresponding processing operation on the monitored object according to a received processing scheme that the network device feeds back based on the object monitoring information.
According to another aspect of the present invention, a network device for assisting network-based scanning is also provided, wherein the network device comprises:
means for receiving, from a user device, the object monitoring information for a monitored object and the monitoring mode of this monitored object;
means for feeding back, when the monitoring mode is real-time processing monitoring, the processing scheme corresponding to the object monitoring information of this monitored object to the user device.
Compared with the prior art, the present invention has the following advantages: during cloud scanning, a client device according to the present invention can judge whether a program to be launched is safe enough, further determine the corresponding monitoring scan mode, and report the determined monitoring scan mode to the server. For example, an asynchronous cloud scanning mode is adopted for programs that are safe enough, and a synchronous cloud scanning mode is adopted for programs suspected of being viruses. Further, when a program to be launched is suspected of being a virus, a server according to the present invention can immediately feed back a corresponding processing scheme to the client device. Therefore, the solution of the present invention can effectively intercept the start-up of virus programs and reduce the risk of the client device being infected by a virus.
Accompanying drawing explanation
Other features, objects and advantages of the present invention will become more apparent by reading the following detailed description of non-limiting embodiments with reference to the accompanying drawings:
Fig. 1 illustrates a flow chart of a method for carrying out file monitoring via a network according to the present invention;
Fig. 2 illustrates a schematic structural diagram of a monitoring processing device for carrying out file monitoring via a network and a network device for assisting network-based scanning according to the present invention.
In the drawings, the same or similar reference numerals denote the same or similar parts.
Embodiment
The present invention is described in further detail below in conjunction with the accompanying drawings.
Fig. 1 illustrates a flow chart of a method for carrying out file scanning via a network according to the present invention. The method according to the present invention comprises steps S101, S102, S103 and S104, performed by the user device, and steps S201 and S202, performed by the network device.
The method according to the present invention is implemented by a monitoring processing device contained in a computer device. The computer device is an electronic device that can automatically perform numerical computation and/or information processing according to preset or stored instructions; its hardware includes but is not limited to a microprocessor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), an embedded device, and so on. The computer device comprises the network device and/or the user device. The network device includes but is not limited to a single network server, a server group consisting of multiple network servers, or a cloud consisting of a large number of hosts or network servers based on cloud computing, where cloud computing is a form of distributed computing: a super virtual computer composed of a group of loosely coupled computers. The user device includes but is not limited to any electronic product that can interact with a user via a keyboard, mouse, remote control, touch pad or voice control device, for example a personal computer, a tablet computer, a smartphone, and so on. The network in which the user device and the network device reside includes but is not limited to the Internet, a wide area network, a metropolitan area network, a local area network, a VPN, and so on.
It should be noted that the user device, network device and network described above are only examples; other user devices, network devices and networks, existing now or appearing in the future, that are applicable to the present invention are also included within the scope of protection and are incorporated herein by reference.
With reference to Fig. 1, in step S101 the monitoring processing device obtains the security attribute information of a monitored object.
The monitored object includes but is not limited to an application program in the user device that needs to be monitored. Preferably, the monitored object comprises the process image file of a program to be launched in the user device, for example instant messaging software to be launched, or office software to be launched.
The security attribute information comprises at least one of the following kinds of basic information:
1) Heuristic scan result information. This heuristic scan result information comprises information obtained by performing a heuristic scan on the monitored object and indicating the likelihood that the monitored object is a virus.
Preferably, the heuristic scan result information comprises a heuristic weight indicating the likelihood that the monitored object is a virus.
More preferably, the heuristic weight is determined on the basis of weight values corresponding to scan features such as the instructions of the various operations that the monitored object executes or uses, where each weight value indicates the result of a heuristic scan based on the corresponding scan feature. More preferably, the heuristic weight comprises the sum of these individual heuristic weights.
Preferably, the heuristic scan result information also comprises indication information on whether the heuristic weight is greater than a predetermined warning weight.
"Heuristic scanning technology" refers to the "ability of self-discovery" or the "knowledge and skill of judging things by some means or method"; it is often used in software testing and virus detection.
Preferably, in virus detection, heuristic scanning analyses the instruction sequences of a program so as to indirectly learn the purpose of the action logic of each sub-module of the program, and computes and matches the order of appearance and the weights of these purposes, thereby learning whether malicious behaviour exists in the analysed program.
For example, in virus detection, a scan engine using heuristic scanning technology identifies and detects many suspicious code instruction sequences, progressively understands and determines the real motive contained in the monitored object by decompiling its instruction sequences, and then judges the degree of suspicion of the monitored object.
2) Infection scan result information. The infection scan result information comprises information obtained by performing an infection scan on the monitored object and indicating the likelihood that the monitored object is infected.
Infection scanning technology comprises comparing the monitored object with samples in a sample database such as a virus database, and judging whether the monitored object is infected by a sample on the basis of whether the monitored object has the features of one or more samples.
3) Object packing information. This object packing information indicates whether the monitored object is a packed program.
Packing comprises operations such as compressing or encrypting an executable file or dynamic link library file with a specific algorithm. When a packed program runs, its shell is executed first, and the shell then decompresses the original program in memory so as to run the original program.
In particular, the monitoring processing device obtains the security attribute information of the monitored object through the corresponding scan engines. For example, it obtains the heuristic weight of the monitored object by calling a heuristic scan engine; or, it obtains the information on whether the monitored object is packed by calling an unpacking engine.
Preferably, the security attribute information also comprises classification-related information, which is used to assist in judging whether the monitored object is safe.
The classification-related information is determined on the basis of at least one of the following:
1) File type information: classification information of a file determined from the file's attributes, for example a self-extracting executable file, or file type information determined from the file suffix, such as the extension ".exe".
2) File size information.
Preferably, the monitoring processing device can first obtain the classification-related information of each file, screen files on the basis of the obtained classification-related information, and then further obtain the respective basic attributes of the files screened out.
More preferably, the monitoring processing device can, on the basis of preset judgement conditions, progressively obtain the one or more pieces of security attribute information corresponding to the judgement condition of each judgement step, without obtaining all security attribute information at once.
For example, the monitoring processing device first judges, on the basis of the file type, whether the file is a self-extracting executable; if so, it further obtains the file size and judges whether the file size is greater than a predetermined threshold; when it is not greater than the predetermined threshold, it further obtains one or more pieces of basic attribute information of the file.
Preferably, the solution of the present invention also comprises a step S105 (not shown), and step S101 further comprises a step S1011 (not shown).
In step S105, the monitoring processing device judges whether a monitored object is safe on the basis of the path-related information of the monitored object and the path information contained in a Safe Cache.
The path-related information includes but is not limited to at least one of the following:
1) the path information of the monitored object;
2) a hash value of the path information of the monitored object, and so on.
In particular, the monitoring processing device checks whether the path-related information of the monitored object is in the Safe Cache; when it is, the monitored object is judged to be safe, otherwise the monitored object is judged to be unsafe.
Then, in step S1011, when the monitored object is unsafe, the monitoring processing device obtains the security attribute information of the monitored object.
For example, before MSN is started, the monitoring processing device first checks whether the file path of MSN is in the Safe Cache; when the file path is not in the Safe Cache, the monitoring processing device judges that MSN is unsafe and obtains the security attribute information of MSN.
Preferably, according to the solution of the present invention, the monitoring processing device stores, through an initialisation process, the path-related information of each file in the user device that is judged to be safe into the Safe Cache.
In this preferred solution, the monitoring processing device performs the initialisation operation by performing a step S106 (not shown) and a step S107 (not shown).
In step S106, the monitoring processing device determines the file path information of the file objects to be scanned.
Then, in step S107, the monitoring processing device scans the one or more file objects corresponding to the file path information, so as to determine the object type of each of the one or more file objects.
The object type includes but is not limited to at least one of the following:
1) a safe object, which comprises trustworthy files;
2) a dangerous object, which comprises viruses or files suspected of being viruses;
3) an intermediate object, that is, a file object between the above safe object and the above dangerous object.
Preferably, the object type may further comprise a black/white/grey attribute of the file object: for example, a black file represents a dangerous object, a white file represents a safe object, and a grey file represents a file object between a safe object and a dangerous object. In particular, the monitoring processing device first scans the one or more file objects corresponding to the file path information so as to screen out one or more file objects, and then performs network-based scanning on those file objects to determine the object type of each one.
Preferably, network-based scanning includes but is not limited to performing cloud scanning on each file object.
More preferably, the monitoring processing device scans the one or more file objects corresponding to the file path information and screens out one or more executable file objects; then it performs cloud scanning on these executable file objects to determine the object type of each one.
For example, the monitoring processing device obtains the MD5 code of the executable file object under each file path, uploads each MD5 code to the cloud, and obtains the object type that the cloud feeds back for each MD5 code.
According to a preferred solution of the present invention, the way in which the monitoring processing device determines the one or more monitored objects includes but is not limited to either of the following:
1) taking all scannable file objects as monitored objects;
2) taking the file objects determined to be intermediate objects by the initialisation operation as monitored objects. When the object type comprises a safe object, the method according to this preferred solution also comprises a step S108 (not shown) after step S107.
In step S108, when a file object is a safe object, the monitoring processing device adds the path-related information of the safe object to the Safe Cache.
When a file object is a dangerous object, the monitoring processing device performs a corresponding virus-handling operation to remove the dangerous object; for example, it pops up a window reporting the virus while removing the file.
According to a first example of the present invention, the monitoring processing device performs the initialisation operation when it is installed on a user device UE_1. In step S106, the monitoring processing device obtains the path information of all current process image files in UE_1, the path information of the programs pointed to by all shortcuts in the Start menu, and the path information of the programs pointed to by all shortcuts on the desktop. Then, in step S107, the monitoring processing device scans all file objects under each system top-level directory corresponding to each piece of file path information obtained (these system top-level directories include but are not limited to the Windows directory, the Windows system32 directory, the Windows syswow64 directory and the Program Files directory), screens out the executable file objects whose file suffix is ".exe", and determines their object types by scanning all the executable file objects with an anti-virus engine, where the object types comprise white file, grey file and black file. Then, in step S108, the monitoring processing device adds the path and the hash of the path of each file object determined to be a white file to the Safe Cache, takes the file objects determined to be grey files as monitored objects, and performs a virus-handling operation on the file objects determined to be black files so as to remove them.
Preferably, after the monitoring processing device completes initialisation, it sets a completion flag for the initialisation operation, and when it detects this completion flag it does not repeat the initialisation operation.
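The Safe Cache lookup of step S105 and the initialisation pass of steps S106 to S108, as an added example that is not part of the patent and not Baidu's implementation. The file contents, the directory listing and the cloud verdict table are constructed for this example; the cloud engine is stood in for by a lookup keyed on the MD5 of the file contents, which is the feature information the first example uploads, and the path key is a SHA-256 of the normalised path (the patent allows either the path or a hash of it).

```python
# Added example (not from the patent): a Safe Cache keyed by path-related
# information, filled by an initialisation pass (steps S106-S108) and consulted
# before a launch (step S105). File contents and cloud verdicts are constructed.
import hashlib
import os
from typing import Callable, Dict, List, Set, Tuple

WHITE, GREY, BLACK = "white", "grey", "black"   # object types of step S107


def path_key(path: str) -> str:
    """Path-related information as stored in the Safe Cache.

    Hashing the normalised path gives a fixed-size key and keeps raw paths
    out of the cache (the patent allows either the path itself or its hash).
    """
    norm = os.path.normcase(os.path.normpath(path))
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


def file_md5(data: bytes) -> str:
    """Feature-related information uploaded to the cloud (MD5 in the first example)."""
    return hashlib.md5(data).hexdigest()


class SafeCache:
    """Step S105: a launch is judged safe if its path key is cached."""

    def __init__(self) -> None:
        self._keys: Set[str] = set()
        self.initialised = False        # the completion flag the patent describes

    def add(self, path: str) -> None:   # step S108
        self._keys.add(path_key(path))

    def is_safe(self, path: str) -> bool:
        return path_key(path) in self._keys

    def needs_attributes(self, path: str) -> bool:
        """Step S1011: security attributes are fetched only for uncached paths."""
        return not self.is_safe(path)


def initialise(cache: SafeCache,
               candidate_paths: List[str],
               read_file: Callable[[str], bytes],
               cloud_verdict: Callable[[str], str]) -> Tuple[List[str], List[str]]:
    """Steps S106-S108: screen executables, classify each via the cloud,
    cache the white ones; returns (grey -> monitored, black -> to remove)."""
    monitored: List[str] = []
    to_remove: List[str] = []
    if cache.initialised:               # completion flag: do not repeat the pass
        return monitored, to_remove
    for path in candidate_paths:
        if not path.lower().endswith(".exe"):   # only executable objects are scanned
            continue
        verdict = cloud_verdict(file_md5(read_file(path)))
        if verdict == WHITE:
            cache.add(path)
        elif verdict == GREY:
            monitored.append(path)
        elif verdict == BLACK:
            to_remove.append(path)      # the virus-handling operation goes here
    cache.initialised = True
    return monitored, to_remove


# Constructed file system and cloud table (hypothetical paths, not real verdicts).
FILES: Dict[str, bytes] = {
    r"C:\Program Files\App\good.exe": b"MZ good program",
    r"C:\Windows\system32\odd.exe": b"MZ unknown program",
    r"C:\Users\u\Downloads\bad.exe": b"MZ bad program",
    r"C:\Windows\readme.txt": b"not an executable",
}
CLOUD_TABLE: Dict[str, str] = {
    file_md5(b"MZ good program"): WHITE,
    file_md5(b"MZ unknown program"): GREY,
    file_md5(b"MZ bad program"): BLACK,
}


def run_demo() -> Tuple[SafeCache, List[str], List[str]]:
    cache = SafeCache()
    monitored, to_remove = initialise(cache, list(FILES), FILES.__getitem__,
                                      lambda md5: CLOUD_TABLE.get(md5, GREY))
    return cache, monitored, to_remove


if __name__ == "__main__":
    cache, monitored, to_remove = run_demo()
    print("monitored:", monitored)
    print("to remove:", to_remove)
    for p in FILES:
        print(p, "safe" if cache.is_safe(p) else "needs attributes")
```

As the patent describes it, the cache is keyed on path-related information only, so a file that is later replaced at a cached path passes step S105 without being re-examined; an implementation would want to bind the content hash it already uploads (here the MD5) to the cache entry and compare it at launch time.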
Then, in step S102, when the security attribute information of the monitored object meets the real-time processing monitoring condition, the monitoring processing device determines that the monitoring mode corresponding to this monitored object is real-time processing monitoring.
The real-time processing monitoring condition is used to judge whether the monitored object is suspected of being a dangerous object.
The real-time processing monitoring condition comprises each item of basic information of the monitored object meeting a corresponding prerequisite. The basic information comprises the various kinds of security attribute information from which it can be judged directly whether the object is suspected of being a dangerous object.
For example, a prerequisite comprises the obtained heuristic weight being greater than a predetermined threshold; as another example, a prerequisite comprises determining that a file is packed.
Preferably, when the security attribute information also comprises classification-related information, the real-time monitoring condition also comprises the classification-related information of the monitored object belonging to a predetermined category.
Preferably, the monitoring processing device can, on the basis of a predetermined rule for determining the monitoring mode, first obtain the classification-related information of the monitored object and then, on the basis of the obtained classification-related information, obtain the basic information corresponding to this classification-related information and judge whether it meets the real-time processing monitoring condition.
Continuing the first example above, the prerequisites in the monitoring processing device comprise: if the file size is less than 1.5M, the heuristic weight must meet the real-time processing monitoring condition; or, if the file size is greater than 1.5M, the infection scan result and the packing information must meet the real-time processing monitoring condition. When the program program_1 is selected to run, the monitoring processing device first obtains, on the basis of these prerequisites, the file size "1.1M" of program_1, and then obtains the heuristic value value_1 of program_1. The predetermined real-time processing monitoring condition in the monitoring processing device comprises: the heuristic weight is greater than one fifth of the predetermined warning weight; or the file is packed; or the infection scan result is "suspected infected". Since the heuristic value value_1 of program_1 is greater than one fifth of the predetermined warning weight, the monitoring processing device judges that program_1 meets the real-time processing monitoring condition, and in step S102 determines that the monitoring mode corresponding to program_1 is real-time processing monitoring.
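The monitoring-mode decision of steps S101 and S102, including the progressive acquisition of attributes described for the classification-related information above, as an added example that is not part of the patent and not Baidu's implementation. The 1.5M size split and the "one fifth of the warning weight" rule are the ones quoted in the first example; the warning weight value, the per-feature heuristic weights and the getter callbacks standing in for the scan engines are assumptions of this example.

```python
# Added example (not from the patent): deciding the monitoring mode of a
# program about to launch, in the style of steps S101 and S102. Attributes are
# fetched lazily through callbacks that stand in for the scan engines, so only
# the attributes the current judgement step needs are obtained.
from dataclasses import dataclass, field
from typing import Callable, Dict

REAL_TIME = "real-time processing monitoring"
NON_REAL_TIME = "non-real-time processing monitoring"

SIZE_SPLIT = int(1.5 * 1024 * 1024)   # "1.5M" in the patent's first example
WARNING_WEIGHT = 100                   # predetermined warning weight (assumed value)


def heuristic_weight(feature_weights: Dict[str, int]) -> int:
    """Heuristic scan result: one weight per matched scan feature (for example
    an instruction sequence), summed into a single heuristic weight."""
    return sum(feature_weights.values())


@dataclass
class LazyAttributes:
    """Security attribute information obtained on demand.

    Each getter represents one engine call (file system lookup, heuristic
    engine, infection scan, unpacking engine). 'fetched' records which ones
    were actually called, so a caller can check that the cheap classification
    information gated the expensive scans.
    """
    get_size: Callable[[], int]
    get_heuristic: Callable[[], int]
    get_infection: Callable[[], str]
    get_packed: Callable[[], bool]
    fetched: Dict[str, object] = field(default_factory=dict)

    def _fetch(self, name: str, getter: Callable[[], object]) -> object:
        if name not in self.fetched:
            self.fetched[name] = getter()
        return self.fetched[name]

    def size(self) -> int:
        return self._fetch("size", self.get_size)

    def heuristic(self) -> int:
        return self._fetch("heuristic", self.get_heuristic)

    def infection(self) -> str:
        return self._fetch("infection", self.get_infection)

    def packed(self) -> bool:
        return self._fetch("packed", self.get_packed)


def meets_real_time_condition(attrs: LazyAttributes) -> bool:
    """Step S102: the classification information (file size) selects which
    basic information to consult; the prerequisites of the real-time
    processing monitoring condition are then tested on that information only."""
    if attrs.size() < SIZE_SPLIT:
        # Small file: the heuristic weight alone decides.
        return attrs.heuristic() > WARNING_WEIGHT / 5
    # Large file: infection scan result and packing information decide.
    return attrs.infection() == "suspected infected" or attrs.packed()


def determine_monitoring_mode(attrs: LazyAttributes) -> str:
    return REAL_TIME if meets_real_time_condition(attrs) else NON_REAL_TIME


# Constructed inputs: program_1 (1.1M, heuristic value above one fifth of the
# warning weight) and a larger, clean, unpacked program_2.
def program_1() -> LazyAttributes:
    return LazyAttributes(
        get_size=lambda: 1_100_000,
        get_heuristic=lambda: heuristic_weight({"self-copy": 15, "run-key-write": 10}),
        get_infection=lambda: "clean",
        get_packed=lambda: False,
    )


def program_2() -> LazyAttributes:
    return LazyAttributes(
        get_size=lambda: 2_000_000,
        get_heuristic=lambda: heuristic_weight({"self-copy": 90}),
        get_infection=lambda: "clean",
        get_packed=lambda: False,
    )


if __name__ == "__main__":
    for name, make in (("program_1", program_1), ("program_2", program_2)):
        a = make()
        print(name, "->", determine_monitoring_mode(a), "using", sorted(a.fetched))
```

Note that program_2 never has its heuristic engine called: the size rule routes it to the infection and packing checks, which is the "without obtaining all security attribute information at once" behaviour the patent describes, and also the reason the size split itself has to be trusted, since an attacker who can pad a file past 1.5M moves it out of the heuristic path.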
Then, in step S103, the monitoring processing device reports the object monitoring information corresponding to this monitored object, together with the monitoring mode, to the corresponding network device.
The object monitoring information includes but is not limited to at least one of the following:
1) the behaviour information of the monitored object, for example information reading, information output, copying and propagation, and so on;
2) the feature-related information of the monitored object, for example a hash code or MD5 code of the monitored object, or other information that can uniquely identify the monitored object.
Then, in step S201, the network device receives, from the user device, the object monitoring information for the monitored object and the monitoring mode of this monitored object, so as to determine the processing scheme corresponding to this monitored object on the basis of the obtained object monitoring information. The processing scheme includes but is not limited to at least one of the following:
1) adding the path-related information of the monitored object to the Safe Cache;
2) performing a removal operation on the monitored object;
3) continuing to monitor.
Preferably, the network device first determines the object type of the monitored object, and then further determines the processing scheme for the monitored object.
Then, in step S202, when the monitoring mode is real-time processing monitoring, the network device feeds back to the user device the processing scheme corresponding to the object monitoring information of this monitored object.
Then, in step S104, the monitoring processing device performs the corresponding processing operation on the monitored object according to the received processing scheme that the network device fed back on the basis of the object monitoring information.
Continuing the first example above, in step S103 the monitoring processing device reports the MD5 code corresponding to program_1 and the monitoring mode "real-time processing monitoring" to the corresponding network device. Then, in step S201, the network device receives the MD5 code of program_1 and the monitoring mode "real-time processing monitoring" reported by this user device. Further, the network device combines the feedback from multiple user devices on the MD5 code of program_1, judges that program_1 is a dangerous object, and determines that the corresponding processing mode comprises "remove immediately". Then, in step S202, on the basis of the monitoring mode "real-time processing monitoring" for program_1, the network device feeds back to UE_1 the processing scheme corresponding to the MD5 code of program_1: remove program_1. Then, in step S104, the monitoring processing device in UE_1 performs the operation of removing program_1 according to the received processing scheme fed back by the network device.
Preferably, when the monitoring processing device determines from the security attribute information of the monitored object that the real-time monitoring condition is not met, the method according to the present invention also comprises a step S109 (not shown) and a step S110 (not shown) performed by the user device, and a step S203 (not shown) performed by the network device.
In step S109, when the security attribute information of the monitored object does not meet the real-time monitoring condition, the monitoring processing device determines that the monitoring mode corresponding to this monitored object is non-real-time processing monitoring.
Then, the monitoring processing device reports the object monitoring information corresponding to this monitored object, together with the monitoring mode, to the corresponding network device.
Then, in step S203, after a predetermined processing trigger condition is met, the network device feeds back to the user device the processing scheme corresponding to the object monitoring information of this monitored object.
Then, in step S110, the monitoring processing device performs the corresponding processing operation on the monitored object according to the received processing scheme that the network device fed back on the basis of the object monitoring information.
The predetermined processing trigger condition includes but is not limited to at least one of the following:
1) a time trigger condition, for example every predetermined period of time;
2) an event trigger condition, for example when a request for obtaining the processing scheme is received from the user device.
According to a second example of the present invention, in step S101 the monitoring processing device obtains the security attribute information of a program program_2. Then, the monitoring processing device judges that program_2 does not meet the real-time monitoring condition. Then, in step S109, the monitoring processing device determines that the monitoring mode corresponding to program_2 is non-real-time processing monitoring. Then, the monitoring processing device sends the object monitoring information corresponding to program_2 and the monitoring mode to the network device. The network device determines, on the basis of the scan monitoring results for program_2, that it is a safe object, and determines that the corresponding processing scheme comprises adding its path-related information to the Safe Cache.
Then, after some time, when the network device receives in step S203 a request from the user device for obtaining the processing scheme, the network device feeds back to this user device the processing scheme corresponding to the object monitoring information of program_2: add the path-related information of program_2 to the Safe Cache. Then, in step S110, the monitoring processing device adds the path-related information of program_2 to the Safe Cache according to the processing scheme fed back by the network device.
According to the method of the present invention, in the course of cloud killing, the client device according to the present invention can further judge whether a program to be launched is sufficiently safe, determine the corresponding monitoring and scanning mode accordingly, and report the determined monitoring and scanning mode to the server. For example, a program that is sufficiently safe is handled with an asynchronous cloud scanning mode, while a program suspected to be a virus is handled with a synchronous cloud scanning mode. Further, when a program to be launched is suspected to be a virus, the server according to the present invention can immediately feed back the corresponding processing scheme to the client device. Therefore, the method according to the present invention can effectively intercept the startup of virus programs and reduce the risk of the client device being infected by a virus.
Fig. 2 is a structural schematic diagram of a monitoring processing unit for performing file scanning via a network and of a network device for assisting network killing, according to the present invention. The monitoring processing unit according to the present invention comprises: a device for obtaining the security attribute information of a monitored object (hereinafter "attribute acquisition device 101"); a device for determining, when the security attribute information of the monitored object satisfies the real-time processing monitoring condition, that the monitoring mode corresponding to this monitored object is real-time processing monitoring (hereinafter "first mode determining device 102"); a device for reporting the object monitoring information corresponding to this monitored object and the monitoring mode to the corresponding network device (hereinafter "sending device 103"); and a device for performing the corresponding processing operation on the monitored object according to the received processing scheme fed back by the network device based on the object monitoring information (hereinafter "first processing device 104"). The network device according to the present invention comprises: a device for receiving, from the user device, the object monitoring information of a monitored object and the monitoring mode of this monitored object, so as to determine the processing scheme corresponding to this monitored object based on the obtained object monitoring information (hereinafter "receiving device 201"); and a device for feeding back, when the monitoring mode is real-time processing monitoring, the processing scheme corresponding to the object monitoring information of this monitored object to the user device (hereinafter "first feedback device 202").
With reference to Fig. 2, attribute acquisition device 101 obtains the security attribute information of the monitored object.
Here, the monitored object includes but is not limited to an application program on the user device that needs to be monitored. Preferably, the monitored object comprises a program to be launched on the user device, for example, instant messaging software to be launched, or, as another example, office software to be launched.
Here, the security attribute information comprises at least one of the following pieces of basic information:
1) heuristic scan result information; this heuristic scan result information comprises information obtained by performing heuristic scanning on the monitored object and indicating the likelihood that the monitored object is a virus.
Preferably, the heuristic scan result information comprises a heuristic weight indicating the likelihood that the monitored object is a virus.
More preferably, the heuristic weight is determined based on the weight values corresponding to the individual scan features, such as the instructions of the various operations that the monitored object executes or uses, where each weight value indicates the result of heuristic scanning for the corresponding scan feature. More preferably, the heuristic weight comprises the sum of these individual heuristic weights.
Preferably, the heuristic scan result information also comprises an indication of whether the heuristic weight is greater than a predetermined warning weight.
Here, "heuristic scanning technology" refers to "the ability of self-discovery" or "the knowledge and skill of judging things by some way or method", and it is often used in software testing and virus detection.
Preferably, in virus detection, heuristic scanning analyzes the instruction sequence of a program, so as to indirectly learn the purpose of each sub-module's operation logic, and computes and matches the order of appearance and the weights of these purposes, thereby learning whether malicious behaviour exists in the analyzed program.
For example, in virus detection, a scanning engine using heuristic scanning technology identifies and detects many suspicious code instruction sequences, progressively understands and determines the real intent they contain by decompiling the instruction sequence of the monitored object, and thereby judges how suspicious the monitored object is.
2) infection scan result information; the infection scan result information comprises information obtained by performing an infection scan on the monitored object and indicating the likelihood that the monitored object is infected.
Here, the infection scanning technique comprises comparing the monitored object with samples in a sample database such as a virus database, and judging, based on whether the monitored object has the features of one or more samples, whether the monitored object is infected by a sample.
3) object packing information; the object packing information indicates whether the monitored object is a packed program.
Here, packing comprises operations such as compressing or encrypting an executable file or a dynamic link library file by a specific algorithm. When a packed program is run, its shell is executed first, and the shell then decompresses the original program in memory and runs it.
Specifically, attribute acquisition device 101 obtains the security attribute information of the monitored object through the corresponding scanning engine. For example, it obtains the heuristic weight of the monitored object by calling the heuristic scanning engine. As another example, it obtains the information on whether the monitored object is packed by calling the unpacking engine.
Preferably, the security attribute information also comprises classification-related information, which is used to assist in judging whether the monitored object is safe.
Here, the classification-related information is determined based on at least one of the following:
1) file type information; the classification information of a file determined from the attributes of the file, for example, a self-extracting executable file, or, as another example, file type information determined from a file suffix such as the extension ".exe";
2) file size information.
Preferably, attribute acquisition device 101 may first obtain the classification-related information of each file, screen the files based on the obtained classification-related information, and then obtain the respective basic attributes of the files that pass the screening.
More preferably, attribute acquisition device 101 may, based on predetermined judgment conditions, progressively obtain the one or more pieces of security attribute information corresponding to the judgment condition of each judgment step, without needing to obtain all security attribute information at once.
For example, attribute acquisition device 101 first judges, based on the file type, whether the file is a self-extracting executable file; if so, it further obtains the file size and judges whether the file size is greater than a predetermined threshold; and when it is not greater than the predetermined threshold, it further obtains one or more pieces of basic attribute information of the file.
Preferably, the monitoring processing unit according to the present invention further comprises a device for judging whether a monitored object is safe based on the path-related information of the monitored object and the path information contained in the Safe Cache (not shown in the figure, hereinafter "judgment device"), and attribute acquisition device 101 further comprises a device for obtaining the security attribute information of the monitored object when the monitored object is not safe (not shown in the figure, hereinafter "sub-acquisition device").
The judgment device judges whether a monitored object is safe based on the path-related information of the monitored object and the path information contained in the Safe Cache.
Here, the path-related information includes but is not limited to at least one of the following:
1) the path information of the monitored object;
2) a hash value of the path information of the monitored object, etc.
Specifically, the judgment device checks whether the path-related information of the monitored object is in the Safe Cache; when its path-related information is in the Safe Cache, it judges that the monitored object is safe, and otherwise it judges that the monitored object is not safe.
When the monitored object is not safe, the sub-acquisition device obtains the security attribute information of the monitored object.
For example, before MSN is started, the judgment device first checks whether the file path of MSN is in the Safe Cache; when its file path is not in the Safe Cache, the judgment device judges that MSN is not safe, and the sub-acquisition device then obtains the security attribute information of MSN.
Preferably, according to the solution of the present invention, the monitoring processing unit stores, through an initialization procedure, the path-related information of each file on the user device that is judged to be safe into the Safe Cache.
Here, the monitoring processing unit according to this preferred solution performs the initialization operation by means of a device for determining the file path information to be scanned (not shown in the figure, hereinafter "path determining device") and a device for scanning the one or more file objects corresponding to the file path information so as to determine the object type of each of the one or more file objects (not shown in the figure, hereinafter "scanning device").
The path determining device determines the file path information of the file objects to be scanned.
Then, the scanning device scans the one or more file objects corresponding to the file path information, so as to determine the object type of each of the one or more file objects.
Here, the object type includes but is not limited to at least one of the following:
1) a safe object, which comprises trusted files;
2) a dangerous object, which comprises files that are viruses or suspected viruses;
3) a medium object, that is, a file object between the safe object and the dangerous object described above.
Preferably, the object type may further comprise a black/white/grey attribute of the file object: for example, a black file represents a dangerous object, a white file represents a safe object, and a grey file represents a file object between a safe object and a dangerous object. Specifically, the scanning device first scans the one or more file objects corresponding to the file path information to filter out one or more file objects. Then, the scanning device performs network killing on the one or more file objects, so as to determine the object type of each file object among them.
Preferably, the network killing includes but is not limited to performing cloud killing on each file object.
More preferably, the scanning device scans the one or more file objects corresponding to the file path information and filters out one or more executable object files from them; then, the scanning device performs cloud killing on the one or more executable object files, so as to determine the object type of each of them.
For example, the scanning device obtains the MD5 code of each executable object file under each file path, and uploads each MD5 code to the cloud, so as to obtain the object type corresponding to each MD5 code fed back by the cloud.
According to a preferred solution of the present invention, the way in which the scanning device determines the one or more monitored objects includes but is not limited to any one of the following:
1) taking all file objects that can be scanned as monitored objects;
2) taking the file objects determined to be medium objects by the initialization operation as monitored objects.
Here, when the object type comprises a safe object, the monitoring processing unit according to this preferred solution further comprises a device for adding the path-related information of a safe object to the Safe Cache when a file object is a safe object (not shown in the figure, hereinafter "Safe Cache device").
When a file object is a safe object, the Safe Cache device adds the path-related information of the safe object to the Safe Cache.
When a file object is a dangerous object, the monitoring processing unit performs the corresponding virus handling operation to remove the dangerous object; for example, it reports the virus in a pop-up window and at the same time removes the file.
According to the first example of the present invention, when the monitoring processing unit is installed on user equipment UE_1, it performs the initialization operation. The path determining device obtains the path information of all current process image files on UE_1, of the programs pointed to by all shortcuts in the Start menu, and of the programs pointed to by all shortcuts on the desktop. Then, the scanning device scans all file objects under each system top-level directory corresponding to each piece of obtained file path information (these top-level directories include but are not limited to the windows directory, the windows system32 directory, the windows syswow64 directory, the program files directories, etc.), filters out the executable object files whose suffix is ".exe", and determines the object type of each by scanning all executable file objects with an anti-virus engine, where the object types comprise white files, grey files and black files. Then, the Safe Cache device adds the path and the path hash of each file object determined to be a white file to the Safe Cache, and the monitoring processing unit performs the virus handling operation on each file object determined to be a black file, so as to remove that file object.
Preferably, after the monitoring processing unit completes the initialization, it sets a completion mark for the initialization operation, and when it detects this completion mark it does not repeat the initialization operation.
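The following is an added example, not code from the patent or from its assignee, that implements the Safe Cache check and the initialization scan described above in one place: a top-level directory is scanned, only ".exe" objects are kept, each is classified by MD5 through a (simulated) cloud lookup, white files go into the Safe Cache, black files are removed, and a completion mark prevents a second run. The directory, the file contents and the cloud verdict table are constructed stand-ins; a real deployment would query the cloud service instead of the `CLOUD_VERDICTS` dictionary.

```python
"""Added example (not the patent's code): initialization scan that fills a
Safe Cache, plus the launch-time Safe Cache check. Files, their contents and
the cloud verdict table are constructed; the cloud lookup is a dictionary."""
import hashlib
import os
import tempfile
from typing import Dict, Set

# Constructed file contents standing in for files on the user device.
SAMPLE_FILES = {
    "notepad.exe": b"MZ white program bytes",
    "updater.exe": b"MZ grey program bytes",
    "dropper.exe": b"MZ black program bytes",
    "readme.txt": b"not an executable",
}
INIT_DONE_MARKER = ".init_done"   # the "initialization complete" mark


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed cloud verdict table: MD5 of the file content -> object type.
CLOUD_VERDICTS = {
    md5_hex(SAMPLE_FILES["notepad.exe"]): "white",
    md5_hex(SAMPLE_FILES["updater.exe"]): "grey",
    md5_hex(SAMPLE_FILES["dropper.exe"]): "black",
}


def cloud_lookup(md5: str) -> str:
    """Simulated cloud scan; an unknown hash is treated as grey (medium object)."""
    return CLOUD_VERDICTS.get(md5, "grey")


def path_key(path: str) -> str:
    """Normalize the path and hash it: the Safe Cache stores the path hash."""
    norm = os.path.normcase(os.path.abspath(path))
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


class SafeCache:
    """Path-related information (path hashes) of files judged safe."""

    def __init__(self) -> None:
        self._keys: Set[str] = set()

    def add(self, path: str) -> None:
        self._keys.add(path_key(path))

    def contains(self, path: str) -> bool:
        return path_key(path) in self._keys


def setup_sample_dir() -> str:
    """Write the constructed sample files into a fresh temporary directory."""
    scan_dir = tempfile.mkdtemp(prefix="safecache_demo_")
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(scan_dir, name), "wb") as fh:
            fh.write(data)
    return scan_dir


def sample_path(scan_dir: str, name: str) -> str:
    return os.path.join(scan_dir, name)


def file_present(scan_dir: str, name: str) -> bool:
    return os.path.isfile(sample_path(scan_dir, name))


def initialize(scan_dir: str, cache: SafeCache) -> Dict[str, str]:
    """Initialization operation: scan one top-level directory, keep only .exe
    objects, classify each through the (simulated) cloud, add white files to
    the Safe Cache, remove black files, and return file name -> object type.
    A repeated run returns {} because the completion mark already exists."""
    marker = os.path.join(scan_dir, INIT_DONE_MARKER)
    if os.path.exists(marker):
        return {}
    verdicts: Dict[str, str] = {}
    for name in sorted(os.listdir(scan_dir)):
        path = os.path.join(scan_dir, name)
        if not name.lower().endswith(".exe") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            verdict = cloud_lookup(md5_hex(fh.read()))
        verdicts[name] = verdict
        if verdict == "white":
            cache.add(path)
        elif verdict == "black":
            os.remove(path)          # virus handling: remove the dangerous object
    open(marker, "w").close()        # set the "initialization complete" mark
    return verdicts


def needs_attribute_scan(path: str, cache: SafeCache) -> bool:
    """Launch-time check: a file whose path hash is in the Safe Cache is judged
    safe and skips the security attribute scan; any other file is scanned."""
    return not cache.contains(path)
```

Grey files are returned by `initialize` so the caller can register them as monitored objects; only white files enter the cache, which is why a later launch of `updater.exe` still triggers the attribute scan.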
Then, when the security attribute information of the monitored object satisfies the real-time processing monitoring condition, first mode determining device 102 determines that the monitoring mode corresponding to this monitored object is real-time processing monitoring.
Here, the real-time processing monitoring condition is used to judge whether the monitored object is suspected to be a dangerous object.
The real-time processing monitoring condition comprises that each piece of basic information of the monitored object satisfies a corresponding prerequisite. The basic information comprises the various pieces of security attribute information from which it can be directly judged whether the object is suspected to be a dangerous object.
For example, a prerequisite comprises that the obtained heuristic weight is greater than a predetermined threshold; as another example, a prerequisite comprises that a certain file is determined to be a packed file.
Preferably, when the security attribute information also comprises classification-related information, the real-time monitoring condition also comprises that the classification-related information of the monitored object belongs to a predetermined category.
Preferably, first mode determining device 102 may, based on a predetermined rule for determining the monitoring mode, first obtain the classification-related information of the monitored object, and then, based on the obtained classification-related information, obtain the basic information corresponding to that classification-related information and judge whether the real-time processing monitoring condition is satisfied.
Continuing the first example above, the prerequisites in the monitoring processing unit comprise: if the file size is less than 1.5M, the heuristic weight information must satisfy the real-time processing monitoring condition; or, if the file size is greater than 1.5M, the infection scan result and the packing information must satisfy the real-time processing monitoring condition. Then, when program program_1 is selected to run, first mode determining device 102 first obtains, based on this prerequisite, the file size "1.1M" of program program_1, and then obtains the heuristic value value_1 of program program_1. The predetermined real-time processing monitoring condition in the monitoring processing unit comprises: the heuristic weight is greater than one fifth of the predetermined warning weight; or the file is packed; or the infection scan result is "suspected infected". Then, since the heuristic value value_1 of program program_1 is greater than one fifth of the predetermined warning weight, first mode determining device 102 judges that program program_1 satisfies the real-time processing monitoring condition, and determines that the monitoring mode corresponding to program program_1 is real-time processing monitoring.
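As an added example (not code from the patent or from its assignee), the following implements the monitoring-mode decision of the first example: the classification information (file size) is read first and selects which basic information is consulted, the heuristic weight is the sum of per-feature weights with an indication of whether it exceeds the warning weight, and the real-time condition is "heuristic weight > 1/5 of the warning weight, or packed, or suspected infected". The 1.5M boundary and the one-fifth rule come from the text; the warning weight of 100, the feature weight table and the sample attributes are constructed.

```python
"""Added example (not the patent's code): monitoring-mode decision for a
program about to be launched. WARNING_WEIGHT, FEATURE_WEIGHTS and the sample
attributes are constructed; the thresholds follow the text's first example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WARNING_WEIGHT = 100                    # predetermined warning weight (constructed)
SIZE_BOUNDARY = int(1.5 * 1024 * 1024)  # the "1.5M" boundary named in the text

# Per-feature heuristic weights (constructed): each is the result of heuristic
# scanning for one scan feature, e.g. an instruction pattern the program uses.
FEATURE_WEIGHTS: Dict[str, int] = {
    "writes_autorun_key": 30,
    "injects_remote_thread": 40,
    "self_modifying_code": 25,
    "reads_keyboard_state": 15,
}


@dataclass
class SecurityAttributes:
    """Security attribute information of one monitored object."""
    file_size: int                                      # classification information
    features: List[str] = field(default_factory=list)   # heuristic scan features
    is_packed: bool = False                             # object packing information
    infection_result: str = "not infected"              # infection scan result


def heuristic_result(features: List[str]) -> Tuple[int, bool]:
    """Heuristic scan result: the summed per-feature weight and the indication
    of whether it is greater than the predetermined warning weight."""
    weight = sum(FEATURE_WEIGHTS.get(f, 0) for f in features)
    return weight, weight > WARNING_WEIGHT


def choose_monitoring_mode(attrs: SecurityAttributes) -> str:
    """Return "real-time" or "non-real-time".

    The file size is read first and decides which basic information is
    consulted, so the device does not have to obtain every attribute up front.
    """
    if attrs.file_size < SIZE_BOUNDARY:
        # Small file: the heuristic weight alone decides.
        weight, _ = heuristic_result(attrs.features)
        if weight > WARNING_WEIGHT / 5:
            return "real-time"
    else:
        # Large file: packing information and the infection scan result decide.
        if attrs.is_packed or attrs.infection_result == "suspected infected":
            return "real-time"
    return "non-real-time"


if __name__ == "__main__":
    # program_1 from the text: 1.1M with a heuristic weight above one fifth of
    # the warning weight, so it falls under real-time processing monitoring.
    program_1 = SecurityAttributes(file_size=int(1.1 * 1024 * 1024),
                                   features=["writes_autorun_key"])
    print(choose_monitoring_mode(program_1))
```

Note that a small file with weight 15 stays in non-real-time mode while a large packed file is escalated regardless of its heuristic weight, which is exactly the asymmetry the prerequisite creates.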
Then, sending device 103 reports the object monitoring information corresponding to this monitored object and the monitoring mode to the corresponding network device.
Here, the object monitoring information includes but is not limited to at least one of the following:
1) the behaviour information of the monitored object, for example, information reading, information output, copy propagation, etc.;
2) the feature-related information of the monitored object, for example, a hash code or MD5 code of the monitored object, or other related information that can uniquely identify the monitored object.
Then, receiving device 201 in the network device receives, from the user device, the object monitoring information of the monitored object and the monitoring mode of this monitored object, so as to determine the processing scheme corresponding to this monitored object based on the obtained object monitoring information. The processing scheme includes but is not limited to at least one of the following:
1) adding the path-related information of the monitored object to the Safe Cache;
2) performing a clear operation on the monitored object;
3) a continued monitoring operation.
Preferably, the network device first determines the object type of the monitored object, and then further determines the processing scheme for this monitored object.
Then, when the monitoring mode is real-time processing monitoring, first feedback device 202 in the network device feeds back the processing scheme corresponding to the object monitoring information of this monitored object to the user device.
Then, first processing device 104 performs the corresponding processing operation on the monitored object according to the received processing scheme that the network device fed back based on the object monitoring information.
Continuing the first example above, sending device 103 reports the MD5 code corresponding to program program_1 together with the monitoring mode "real-time processing monitoring mode" to the corresponding network device. Then, receiving device 201 in the network device receives the MD5 code of program program_1 and the monitoring mode "real-time processing monitoring mode" of program program_1 reported by this user device. Further, the network device pools the feedback from multiple user devices on the MD5 code of program program_1, judges that program program_1 is a dangerous object, and determines that the corresponding processing scheme comprises "remove immediately". Then, based on the monitoring mode "real-time processing monitoring mode" of program program_1, first feedback device 202 feeds back to user equipment UE_1 the processing scheme corresponding to the MD5 code of program program_1: remove program program_1. Then, first processing device 104 in user equipment UE_1 performs the operation of removing program program_1 according to the received processing scheme fed back by the network device.
Preferably, the monitoring processing unit according to the present invention further comprises a device for determining, when the security attribute information of the monitored object does not satisfy the real-time monitoring condition, that the monitoring mode corresponding to this monitored object is non-real-time processing monitoring (not shown in the figure, hereinafter "second mode determining device"), and a device for performing, when the predetermined processing trigger condition is met, the corresponding processing operation on the monitored object according to the received processing scheme fed back by the network device based on the object monitoring information (not shown in the figure, hereinafter "second processing device"); and the network device according to the present invention further comprises a device for feeding back, after the predetermined processing trigger condition is met, the processing scheme corresponding to the object monitoring information of this monitored object to the user device (not shown in the figure, hereinafter "second feedback device").
When the security attribute information of the monitored object does not satisfy the real-time monitoring condition, the second mode determining device determines that the monitoring mode corresponding to this monitored object is non-real-time processing monitoring.
Then, sending device 103 reports the object monitoring information corresponding to this monitored object and the monitoring mode to the corresponding network device.
Then, after the predetermined processing trigger condition is met, the second feedback device feeds back the processing scheme corresponding to the object monitoring information of this monitored object to the user device.
Then, the second processing device performs the corresponding processing operation on the monitored object according to the received processing scheme that the network device fed back based on the object monitoring information.
Here, the predetermined processing trigger condition includes but is not limited to at least one of the following:
1) a time trigger condition, for example, every predetermined period of time;
2) a trigger condition, for example, the reception of a request from the user device for obtaining the processing scheme.
According to the second example of the present invention, attribute acquisition device 101 obtains the security attribute information of program program_2. Then, the monitoring processing unit judges that program program_2 does not satisfy the real-time processing monitoring condition. Then, the second mode determining device determines that the monitoring mode corresponding to program program_2 is non-real-time processing monitoring. Then, sending device 103 sends the object monitoring information corresponding to program program_2 and the monitoring mode to the network device. Based on the scan monitoring results for program program_2, the network device determines that it is a safe object, and determines that the corresponding processing scheme comprises: adding its path-related information to the Safe Cache.
After some time, when the network device receives a request from the user device for obtaining the processing scheme, the second feedback device in the network device feeds back to this user device the processing scheme corresponding to the object monitoring information of program program_2: add the path-related information of program program_2 to the Safe Cache. The second processing device in the user device then adds the path-related information of program program_2 to the Safe Cache according to the processing scheme received from the network device.
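The exchange between the user device and the network device for both monitoring modes, as an added example that is not part of the patent: the network device receives the object monitoring information (here an MD5 code and a behaviour list) together with the monitoring mode, determines the object type and the processing scheme, feeds the scheme back at once for real-time mode, and otherwise holds it until a request or time trigger fires. The rule the network device uses to pool reports (a constructed known-good set and a count of distinct devices reporting copy propagation), the 60-second trigger period, and the device and program identities are all constructed.

```python
"""Added example (not the patent's code): report/feedback exchange between the
user device and the network device. The reputation rule, trigger period,
device ids and MD5 placeholders are constructed values."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

KNOWN_GOOD_MD5 = {"md5_program_2"}   # constructed: hashes the cloud already trusts
DANGER_REPORT_COUNT = 2              # constructed: devices reporting propagation

SCHEME_FOR_TYPE = {                  # processing scheme per object type
    "safe": "add_to_safe_cache",
    "dangerous": "remove",
    "medium": "keep_monitoring",
}


class NetworkDevice:
    """Server side: receiving device plus first (immediate) and second
    (deferred) feedback."""

    def __init__(self, period: float = 60.0) -> None:
        self.period = period          # time trigger period in seconds
        self.last_push = 0.0
        # md5 -> set of device ids that reported copy-propagation behaviour
        self.reports: Dict[str, set] = defaultdict(set)
        # device id -> schemes waiting for a trigger (non-real-time mode)
        self.pending: Dict[str, List[Tuple[str, str]]] = defaultdict(list)

    def classify(self, md5: str) -> str:
        """Object type from the pooled reports of many devices (constructed rule)."""
        if len(self.reports[md5]) >= DANGER_REPORT_COUNT:
            return "dangerous"
        if md5 in KNOWN_GOOD_MD5:
            return "safe"
        return "medium"

    def receive(self, device_id: str, md5: str, behaviours: List[str],
                mode: str) -> Optional[str]:
        """Receive object monitoring info and monitoring mode. Real-time mode
        gets the scheme back immediately; otherwise it is queued."""
        if "copy_propagation" in behaviours:
            self.reports[md5].add(device_id)
        scheme = SCHEME_FOR_TYPE[self.classify(md5)]
        if mode == "real-time":
            return scheme
        self.pending[device_id].append((md5, scheme))
        return None

    def on_request(self, device_id: str) -> List[Tuple[str, str]]:
        """Request trigger: the device asks for its pending schemes."""
        return self.pending.pop(device_id, [])

    def on_timer(self, now: float) -> Dict[str, List[Tuple[str, str]]]:
        """Time trigger: once per period, push every pending scheme."""
        if now - self.last_push < self.period:
            return {}
        self.last_push = now
        out = dict(self.pending)
        self.pending.clear()
        return out


class UserDevice:
    """Client side: applies the fed-back processing scheme."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.safe_cache: set = set()      # path-related info of safe objects
        self.files: Dict[str, str] = {}   # md5 -> path of objects on disk

    def apply(self, md5: str, scheme: str) -> str:
        path = self.files.get(md5)
        if scheme == "add_to_safe_cache" and path:
            self.safe_cache.add(path)
        elif scheme == "remove":
            self.files.pop(md5, None)     # clear operation on the object
        return scheme


def first_example() -> Tuple[Optional[str], bool]:
    """program_1 (constructed): a second device already reported propagation,
    so UE_1's real-time report gets "remove" back at once."""
    server = NetworkDevice()
    server.receive("UE_2", "md5_program_1", ["copy_propagation"], "non-real-time")
    ue1 = UserDevice("UE_1")
    ue1.files["md5_program_1"] = "C:/constructed/program_1.exe"
    scheme = server.receive("UE_1", "md5_program_1", ["copy_propagation"], "real-time")
    ue1.apply("md5_program_1", scheme)
    return scheme, "md5_program_1" in ue1.files


def second_example() -> Tuple[Optional[str], List[Tuple[str, str]], bool]:
    """program_2 (constructed): non-real-time, so nothing comes back until the
    device requests its schemes; then its path enters the Safe Cache."""
    server = NetworkDevice()
    ue1 = UserDevice("UE_1")
    path = "C:/constructed/program_2.exe"
    ue1.files["md5_program_2"] = path
    immediate = server.receive("UE_1", "md5_program_2", ["information_reading"], "non-real-time")
    pending = server.on_request("UE_1")
    for md5, scheme in pending:
        ue1.apply(md5, scheme)
    return immediate, pending, path in ue1.safe_cache
```

The `pending` queue is what makes the second (deferred) feedback device possible: a non-real-time report costs the launch path nothing, and the verdict arrives on the next request or timer tick.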
According to the solution of the present invention, in the course of cloud killing, the client device according to the present invention can further judge whether a program to be launched is sufficiently safe, determine the corresponding monitoring and scanning mode accordingly, and report the determined monitoring and scanning mode to the server. For example, a program that is sufficiently safe is handled with an asynchronous cloud scanning mode, while a program suspected to be a virus is handled with a synchronous cloud scanning mode. Further, when a program to be launched is suspected to be a virus, the server according to the present invention can immediately feed back the corresponding processing scheme to the client device. Therefore, the solution of the present invention can effectively intercept the startup of virus programs and reduce the risk of the client device being infected by a virus.
The software program of the present invention may be executed by a processor to implement the steps or functions described above. Likewise, the software program of the present invention (including the associated data structures) may be stored in a computer-readable recording medium, for example, RAM memory, a magnetic or optical drive, a floppy disk or a similar device. In addition, some steps or functions of the present invention may be implemented in hardware, for example, as circuits that cooperate with a processor to perform the individual functions or steps.
In addition, part of the present invention may be applied as a computer program product, for example, computer program instructions that, when executed by a computer, may invoke or provide the method and/or technical solution according to the present invention through the operation of that computer. The program instructions that invoke the method of the present invention may be stored in a fixed or removable recording medium, and/or transmitted by a data stream in a broadcast or other signal-bearing medium, and/or stored in the working memory of a computer device running according to the program instructions. Here, one embodiment of the present invention comprises an apparatus that comprises a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the apparatus is triggered to operate according to the method and/or technical solution of the multiple embodiments of the present invention described above.
It will be obvious to those skilled in the art that the present invention is not limited to the details of the exemplary embodiments described above, and that the present invention may be realized in other specific forms without departing from its spirit or essential characteristics. Therefore, from whatever point of view, the embodiments should be regarded as exemplary and non-limiting; the scope of the present invention is defined by the appended claims rather than by the above description, and all changes falling within the meaning and range of equivalency of the claims are therefore intended to be included in the present invention. Any reference numeral in a claim should not be construed as limiting the claim concerned. In addition, the word "comprising" obviously does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices recited in a system claim may also be implemented by a single unit or device in software or hardware. Words such as "first" and "second" are used to denote names and do not denote any particular order.

Claims (22)

1. A method for monitoring files via a network, wherein the method comprises the following steps:
- obtaining the security attribute information of a monitored object;
- when the security attribute information of the monitored object satisfies a real-time processing monitoring condition, determining that the monitoring mode corresponding to this monitored object is real-time processing monitoring;
- reporting the object monitoring information corresponding to this monitored object and the monitoring mode to a corresponding network device;
- performing a corresponding processing operation on the monitored object according to the received processing scheme fed back by the network device based on the object monitoring information.
2. The method according to claim 1, wherein the method further comprises the following step:
- when the security attribute information of the monitored object does not satisfy the real-time monitoring condition, determining that the monitoring mode corresponding to this monitored object is non-real-time processing monitoring;
wherein, after the step of reporting the object monitoring information corresponding to this monitored object and the monitoring mode to the corresponding network device, the method further comprises the following step:
- when a predetermined processing trigger condition is met, performing the corresponding processing operation on the monitored object according to the received processing scheme fed back by the network device based on the object monitoring information.
3. The method according to claim 1 or 2, wherein the security attribute information comprises at least one of the following pieces of basic information:
- heuristic scan result information;
- infection scan result information;
- object packing information;
wherein the real-time monitoring condition comprises that each piece of basic information in the security attribute information of the monitored object satisfies a corresponding prerequisite.
4. The method according to claim 3, wherein the security attribute information further comprises classification-related information, and wherein the classification-related information is determined based on at least one of the following:
- file type information;
- file size information;
wherein the real-time monitoring condition further comprises that the classification-related information of the monitored object is a predetermined category.
5. The method according to any one of claims 1 to 4, wherein the method further comprises the following steps to complete an initialization operation:
-determining file path information of file objects to be scanned;
-scanning one or more file objects corresponding to the file path information, to determine the object type of each of the one or more file objects.
6. The method according to claim 5, wherein the object type comprises a safe object, and the method further comprises, after the step of scanning the one or more file objects corresponding to the file path information to determine the object type of each of the one or more file objects, the following step:
-adding path-related information of a file object determined to be a safe object to a safe cache.
7. The method according to claim 5 or 6, wherein the object type further comprises a medium object, and the method further comprises, after the step of scanning the one or more file objects corresponding to the file path information to determine the object type of each of the one or more file objects, the following step:
-taking a file object determined to be a medium object as the monitored object.
8. The method according to any one of claims 1 to 7, wherein, before the step of obtaining the security attribute information of the monitored object, the method further comprises the following step:
-judging whether a monitored object is a safe object;
wherein the step of obtaining the security attribute information of the monitored object comprises the following step:
-when the monitored object is not a safe object, obtaining the security attribute information of the monitored object.
9. The method according to any one of claims 1 to 8, wherein the processing operation comprises any one of the following:
-adding path-related information of the monitored object to the safe cache;
-removing the monitored object.
10. A method for assisting network-based scanning and removal, wherein the method comprises the following steps:
-receiving, from a user equipment, object monitor information of a monitored object and a monitoring mode of the monitored object, to determine a processing scheme corresponding to the monitored object based on the obtained object monitor information;
-when the monitoring mode is real-time processing monitoring, feeding back to the user equipment the processing scheme corresponding to the object monitor information of the monitored object.
11. The method according to claim 10, wherein the method further comprises the following step:
-when the monitoring mode is non-real-time processing monitoring, feeding back to the user equipment, after a preset trigger condition is met, the processing scheme corresponding to the object monitor information of the monitored object.
12. A monitoring processing unit for performing file scanning via a network, wherein the monitoring processing unit comprises:
a device for obtaining security attribute information of a monitored object;
a device for determining, when the security attribute information of the monitored object meets a real-time processing monitoring condition, that the monitoring mode corresponding to the monitored object is real-time processing monitoring;
a device for reporting the object monitor information and the monitoring mode corresponding to the monitored object to a corresponding network device;
a device for performing a corresponding processing operation on the monitored object according to a received processing scheme that the network device feeds back based on the object monitor information.
13. The monitoring processing unit according to claim 12, wherein the monitoring processing unit further comprises:
a device for determining, when the security attribute information of the monitored object does not meet the real-time monitoring condition, that the monitoring mode corresponding to the monitored object is non-real-time processing monitoring;
wherein the monitoring processing unit further comprises:
a device for performing, when a predetermined processing trigger condition is met, a corresponding processing operation on the monitored object according to a received processing scheme that the network device feeds back based on the object monitor information.
14. The monitoring processing unit according to claim 12 or 13, wherein the security attribute information comprises at least one of the following items of basic information:
-heuristic scan result information;
-infection scan result information;
-object packing information;
wherein the real-time monitoring condition comprises that each item of basic information in the security attribute information of the monitored object meets a corresponding precondition.
15. The monitoring processing unit according to claim 14, wherein the security attribute information further comprises the following classification-related information, the classification-related information being determined based on at least one of:
-file type information;
-file size information;
wherein the real-time monitoring condition further comprises that the classification-related information of the monitored object is a predetermined category.
16. The monitoring processing unit according to any one of claims 12 to 15, wherein the monitoring processing unit further comprises the following devices to complete an initialization operation:
a device for determining file path information of file objects to be scanned;
a device for scanning one or more file objects corresponding to the file path information, to determine the object type of each of the one or more file objects.
17. The monitoring processing unit according to claim 16, wherein the object type comprises a safe object, and the monitoring processing unit further comprises:
a device for adding path-related information of a file object determined to be a safe object to a safe cache.
18. The monitoring processing unit according to claim 16 or 17, wherein the object type further comprises a medium object, and the monitoring processing unit further comprises:
a device for taking a file object determined to be a medium object as the monitored object.
19. The monitoring processing unit according to any one of claims 12 to 18, wherein the monitoring processing unit further comprises:
a device for judging whether a monitored object is a safe object;
wherein the device for obtaining the security attribute information of the monitored object is configured to:
obtain the security attribute information of the monitored object when the monitored object is not a safe object.
20. The monitoring processing unit according to any one of claims 12 to 19, wherein the processing operation comprises any one of the following:
-adding path-related information of the monitored object to the safe cache;
-removing the monitored object.
21. A network device for assisting network-based scanning and removal, wherein the network device comprises:
a device for receiving, from a user equipment, object monitor information of a monitored object and a monitoring mode of the monitored object, to determine a processing scheme corresponding to the monitored object based on the obtained object monitor information;
a device for feeding back to the user equipment, when the monitoring mode is real-time processing monitoring, the processing scheme corresponding to the object monitor information of the monitored object.
22. The network device according to claim 21, wherein the network device further comprises:
a device for feeding back to the user equipment, when the monitoring mode is non-real-time processing monitoring and after a preset trigger condition is met, the processing scheme corresponding to the object monitor information of the monitored object.
Priority Applications (1)

Application Number: CN201410790513.7A (granted as CN104618427B)
Priority Date: 2014-12-17
Filing Date: 2014-12-17
Title: A method and apparatus for monitoring files via a network
Status: Active

Publications (2)

Publication Number / Publication Date
CN104618427A (application, en) / 2015-05-13
CN104618427B (grant, en) / 2016-08-24

Legal Events

Code / Description
C06 / Publication
PB01 / Publication
C10 / Entry into substantive examination
SE01 / Entry into force of request for substantive examination
C14 / Grant of patent or utility model
GR01 / Patent grant