CN104618427B - Method and apparatus for file monitoring over a network - Google Patents

Method and apparatus for file monitoring over a network

Info

Publication number
CN104618427B
Authority
CN
China
Prior art keywords
monitored
information
monitoring
file
processing
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Active
Application number
CN201410790513.7A
Other languages
Chinese (zh)
Other versions
CN104618427A (en)
Inventor
郭明强
张永成
陈高合
董志强
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201410790513.7A
Publication of CN104618427A
Application granted
Publication of CN104618427B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network-specific arrangements or communication protocols supporting networked applications
    • H04L67/06 Network-specific arrangements or communication protocols supporting networked applications adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

An object of the invention is to provide a method and apparatus for file monitoring over a network. The method according to the invention comprises the following steps: obtaining security attribute information of a monitored object; when the security attribute information of the monitored object satisfies a real-time processing monitoring condition, determining that the monitoring mode corresponding to the monitored object is real-time processing monitoring; reporting the object monitoring information corresponding to the monitored object, together with the monitoring mode, to a corresponding network device; and performing a corresponding processing operation on the monitored object according to the received processing scheme, which the network device feeds back on the basis of the object monitoring information.

Description

Method and apparatus for file monitoring over a network
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for file monitoring over a network.
Background
In the prior art, cloud-based virus scanning ("cloud scanning") generally uses an asynchronous cloud-scan mode so as not to degrade the performance of the client device: the cloud scanning server can identify suspicious programs such as viruses, but it cannot make the client device stop the launch of the suspect program immediately. With the prior-art approach, therefore, a client device relying on cloud scanning cannot perform virus-handling operations such as virus removal before the virus program starts.
Summary of the invention
An object of the invention is to provide a method and apparatus for file monitoring over a network.
According to one aspect of the invention, there is provided a method for file monitoring over a network, the method comprising the following steps:
- obtaining security attribute information of a monitored object;
- when the security attribute information of the monitored object satisfies a real-time processing monitoring condition, determining that the monitoring mode corresponding to the monitored object is real-time processing monitoring;
- reporting the object monitoring information corresponding to the monitored object, together with the monitoring mode, to a corresponding network device;
- performing a corresponding processing operation on the monitored object according to the received processing scheme, which the network device feeds back on the basis of the object monitoring information.
According to another aspect of the invention, there is further provided a method for assisting network scanning, the method comprising the following steps:
- receiving, from a user device, object monitoring information for a monitored object and the monitoring mode of the monitored object;
- when the monitoring mode is real-time processing monitoring, feeding back to the user device a processing scheme corresponding to the object monitoring information of the monitored object.
According to another aspect of the invention, there is further provided a monitoring processing apparatus for file scanning over a network, the monitoring processing apparatus comprising:
means for obtaining security attribute information of a monitored object;
means for determining, when the security attribute information of the monitored object satisfies a real-time processing monitoring condition, that the monitoring mode corresponding to the monitored object is real-time processing monitoring;
means for reporting the object monitoring information corresponding to the monitored object, together with the monitoring mode, to a corresponding network device;
means for performing a corresponding processing operation on the monitored object according to the received processing scheme, which the network device feeds back on the basis of the object monitoring information.
According to another aspect of the invention, there is further provided a network device for assisting network scanning, the network device comprising:
means for receiving, from a user device, object monitoring information for a monitored object and the monitoring mode of the monitored object;
means for feeding back to the user device, when the monitoring mode is real-time processing monitoring, a processing scheme corresponding to the object monitoring information of the monitored object.
Compared with the prior art, the invention has the following advantages. During cloud scanning, the client device according to the invention can judge whether a program about to be launched is safe enough, determine the corresponding monitoring and scanning mode accordingly, and report the determined mode to the server. For example, an asynchronous cloud-scan mode is used for programs that are safe enough, and a synchronous cloud-scan mode for programs suspected of being viruses. Further, the server according to the invention can feed back a corresponding processing scheme to the client device immediately when the program about to be launched is suspected of being a virus. The solution according to the invention can therefore effectively intercept the launch of virus programs and reduce the risk of the client device being infected.
Accompanying drawing explanation
Other features, objects and advantages of the invention will become more apparent from the following detailed description of non-limiting embodiments, read with reference to the accompanying drawings:
Fig. 1 shows a flow diagram of a method for file monitoring over a network according to the invention;
Fig. 2 shows a schematic structural diagram of a monitoring processing apparatus for file monitoring over a network and of a network device for assisting network scanning according to the invention.
In the drawings, the same or similar reference numerals denote the same or similar parts.
Detailed description of the invention
The invention is described in further detail below with reference to the accompanying drawings.
Fig. 1 shows a flow diagram of a method for file scanning over a network according to the invention. The method according to the invention comprises steps S101, S102, S103 and S104, performed by a user device, and steps S201 and S202, performed by a network device.
The method according to the invention is implemented by a monitoring processing apparatus contained in a computer device. The computer device is an electronic device capable of performing numerical computation and/or information processing automatically according to preset or stored instructions; its hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASIC), field-programmable gate arrays (FPGA), digital signal processors (DSP), embedded devices and the like. The computer device includes a network device and/or a user device. The network device includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud composed of a large number of hosts or network servers on the basis of cloud computing, cloud computing being a form of distributed computing in which a group of loosely coupled computers forms one super virtual computer. The user device includes, but is not limited to, any electronic product that can interact with the user through a keyboard, mouse, remote control, touch pad or voice-control device, for example a personal computer, a tablet computer, a smartphone and the like. The network in which the user device and the network device reside includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a VPN and the like.
It should be noted that the user device, the network device and the network are given only as examples; other existing or future user devices, network devices and networks applicable to the invention should also be included within the scope of protection of the invention and are incorporated herein by reference.
With reference to Fig. 1, in step S101 the monitoring processing apparatus obtains security attribute information of a monitored object.
The monitored object includes, but is not limited to, an application program in the user device that needs to be monitored. Preferably, the monitored object includes the process image file of a program about to be launched in the user device, for example instant-messaging software about to be launched, or office software about to be launched.
The security attribute information includes at least one of the following items of basic information:
1) Heuristic scan result information. The heuristic scan result information includes information obtained by performing a heuristic scan on the monitored object and indicating the likelihood that the monitored object is a virus.
Preferably, the heuristic scan result information includes a heuristic weight indicating the likelihood that the monitored object is a virus.
More preferably, the heuristic weight is determined from several weighted values, each corresponding to a scan feature such as an operation the monitored object performs or an instruction it uses, where each weighted value indicates the result of the heuristic scan for the corresponding scan feature. Still more preferably, the heuristic weight is the sum of these weighted values.
Preferably, the heuristic scan result information further includes an indication of whether the heuristic weight exceeds a predetermined warning weight.
"Heuristic scanning" refers to the "ability of self-discovery", or "the technique of using some means or method to judge the nature of things", and is commonly used in software testing and virus detection.
Preferably, in virus detection, heuristic scanning analyses the instruction sequence of a program to indirectly learn the logic and purpose of each of its submodules, and computes and matches the order of appearance and the weights of these purposes, thereby learning whether malicious behaviour exists in the analysed program.
For example, in virus detection, a scanning engine using heuristic scanning can recognise and detect many suspicious code instruction sequences; by progressively decompiling the instruction sequence of the monitored object it understands and determines the real intent contained in it, and thus judges how suspicious the monitored object is.
2) Infection scan result information. The infection scan result information includes information obtained by performing an infection scan on the monitored object and indicating the likelihood that the monitored object is infected.
Infection scanning includes comparing the monitored object with the samples in a sample database such as a virus database, and judging whether the monitored object has been infected by a sample on the basis of whether it carries the features of one or more samples.
3) Object packing information. The object packing information indicates whether the monitored object is a packed program.
Packing includes operations such as compressing or encrypting an executable file or a dynamic-link library file with a specific algorithm. When a packed program is run, its shell is executed first, and the shell decompresses the original program into memory and then runs it.
Specifically, the monitoring processing apparatus obtains the security attribute information of the monitored object through the corresponding scanning engine. For example, the heuristic weight of the monitored object is obtained by calling a heuristic scanning engine, and whether the monitored object is packed is obtained by calling an unpacking engine.
Preferably, the security attribute information further includes classification-related information, which is used to assist in judging whether the monitored object is safe.
The classification-related information is determined on the basis of at least one of the following:
1) File type information: the classification of the file determined from its attributes, for example a self-extracting executable file, or the file type determined from a file suffix such as the extension ".exe".
2) File size information.
Preferably, the monitoring processing apparatus can first obtain the classification-related information of each file, screen the files on the basis of that information, and then obtain the respective basic attributes only for the files that pass the screening.
More preferably, the monitoring processing apparatus can, on the basis of preset judgement conditions, obtain step by step the one or more items of security attribute information required by the judgement condition of each judgement step, without having to obtain all security attribute information at once.
For example, the monitoring processing apparatus first judges from the file type whether the file is a self-extracting executable; if so, it further obtains the file size and judges whether the file size exceeds a predetermined threshold; and when the size does not exceed the threshold, it further obtains one or more items of basic attribute information of the file.
Preferably, the solution according to the invention further includes step S105 (not shown), and step S101 further includes step S1011 (not shown).
In step S105, the monitoring processing apparatus judges whether a monitored object is safe on the basis of the path-related information of the monitored object and the path information contained in a safe cache.
The path-related information includes, but is not limited to, at least one of the following:
1) the path information of the monitored object;
2) a hash value of the path information of the monitored object, or the like.
Specifically, the monitoring processing apparatus checks whether the path-related information of the monitored object is present in the safe cache: when it is, the monitored object is judged safe; otherwise, the monitored object is judged unsafe.
Then, in step S1011, when the monitored object is unsafe, the monitoring processing apparatus obtains the security attribute information of the monitored object.
For example, before instant-messaging software is launched, the monitoring processing apparatus first checks whether the file path of the instant-messaging software is in the safe cache. When it is not, the monitoring processing apparatus judges the instant-messaging software unsafe and obtains its security attribute information.
Preferably, according to the solution of the invention, the monitoring processing apparatus can, through an initialisation process, store in the safe cache the path-related information of each file in the user device that is judged safe.
According to the method for this preferred version, wherein, monitoring processing means is by performing step S106 (not shown) and step S107 (not shown), perform initialization operation.
In step s 106, monitoring processing means determines the file road of file object to be scanned Footpath information;
Then, in step s 107, monitoring processing means scans described file path information institute Corresponding one or more file objects, to determine the one or more file object respectively Object type.
Wherein, described object type includes but not limited to following at least any of:
1) Security Object, this Security Object includes file trusty.
2) dangerous object, this dangerous object includes the viral or doubtful file for virus;
3) medium object, that is the literary composition between above-mentioned Security Object and above-mentioned dangerous object Part object.
Preferably, described object type can farther include the black-white-gray attribute of file object, example As, black file representative dangerous object, white file representative Security Object, ash file representative is between peace Full file object between object and dangerous object.Specifically, monitoring processing means first scans institute State the one or more file objects corresponding to file path information to filter out one of them Or multiple file object.Then, the one or more file object is held by monitoring processing means Row network killing, to determine the right of each file object in these one or more file objects respectively As type.
Preferably, described network killing includes but not limited to that each file object is performed cloud looks into Kill.
It is highly preferred that described monitoring processing means scans corresponding to described file path information Individual or multiple file objects, and therefrom filter out one or more executable object file;Then, Monitoring processing means performs cloud killing to these one or more executable object files, with the most really The object type of each file object in these one or more file objects fixed.
Such as, monitoring processing means obtains the executable object file under each file path respectively MD5 code, and each MD5 code division is not uploaded to high in the clouds, to obtain what high in the clouds was fed back The object type that each MD5 code division is not corresponding.
According to a preferred solution of the invention, the ways in which the monitoring processing apparatus determines one or more monitored objects include, but are not limited to, any of the following:
1) taking every file object that can be scanned as a monitored object;
2) taking the file objects determined to be intermediate objects by the initialisation operation as monitored objects.
When the object types include a safe object, the method according to this preferred solution further includes step S108 (not shown) after step S107.
In step S108, when a file object is a safe object, the monitoring processing apparatus adds the path-related information of that safe object to the safe cache.
When a file object is a dangerous object, the monitoring processing apparatus performs the corresponding virus-handling operation to remove it, for example reporting the virus in a pop-up window and simultaneously disinfecting the file.
According to a first example of the invention, the monitoring processing apparatus performs the initialisation operation when it is installed on user device UE_1. In step S106, the monitoring processing apparatus obtains, in the user device UE_1, the path information of all current process image files, the path information of the programs pointed to by all shortcuts in the Start-menu programs, and the path information of the programs pointed to by all shortcuts on the desktop. Then, in step S107, the monitoring processing apparatus scans all file objects under each system top-level directory corresponding to each item of file path information obtained (the system top-level directories include, but are not limited to, the Windows directory, the Windows system32 directory, the Windows syswow64 directory and the Program Files directories), filters out the executable file objects whose file suffix is ".exe", and scans all of those executable file objects with an antivirus engine to determine the object type of each, the object types being white file, gray file and black file. Then, in step S108, the monitoring processing apparatus adds the path of each file object determined to be a white file, and the hash of that path, to the safe cache; takes the file objects determined to be gray files as monitored objects; and performs a virus-handling operation on the file objects determined to be black files to remove them.
Preferably, after the monitoring processing apparatus completes the initialisation, it sets a completion flag for the initialisation operation, and when that completion flag is detected the initialisation operation is not performed again.
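The initialisation of steps S106 to S108 and the safe-cache lookup of step S105, as an added example in Python; this is not code from the patent or from the assignee. The file paths, file contents and the cloud verdict table are constructed for the example: the cloud is replaced by a local dictionary keyed by the MD5 of the executable, unknown hashes are treated as gray, and the safe cache stores a hash of the normalised path (the description allows either the path or its hash). The completion flag makes a second initialisation a no-op.

```python
import hashlib
import os
from enum import Enum


class ObjectType(Enum):
    WHITE = "white"   # safe object: trusted file
    GRAY = "gray"     # intermediate object: between safe and dangerous
    BLACK = "black"   # dangerous object: virus or suspected virus


def path_key(path: str) -> str:
    """Key under which a path is stored in the safe cache: a hash of the
    normalised path, so that separator and case variants share one entry."""
    norm = os.path.normcase(os.path.normpath(path))
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for the cloud: MD5 of the executable -> object type.
# A hash the cloud has never seen is treated as gray (kept under monitoring).
CLOUD_VERDICTS = {
    md5_hex(b"constructed notepad image"): ObjectType.WHITE,
    md5_hex(b"constructed dropper image"): ObjectType.BLACK,
}


def cloud_scan(data: bytes) -> ObjectType:
    return CLOUD_VERDICTS.get(md5_hex(data), ObjectType.GRAY)


class SafeCache:
    def __init__(self):
        self.keys = set()
        self.initialised = False   # completion flag: initialisation runs once

    def add(self, path: str) -> None:
        self.keys.add(path_key(path))

    def is_safe(self, path: str) -> bool:
        """Step S105: an object whose path (hash) is cached is judged safe."""
        return path_key(path) in self.keys


def initialise(files: dict, cache: SafeCache):
    """Steps S106-S108 over a constructed {path: bytes} snapshot of the files
    found under the collected paths. Returns (monitored paths, removed paths)."""
    monitored, removed = [], []
    if cache.initialised:
        return monitored, removed          # completion flag already set
    for path, data in files.items():
        if not path.lower().endswith(".exe"):
            continue                       # only executable objects are classified
        verdict = cloud_scan(data)
        if verdict is ObjectType.WHITE:
            cache.add(path)                # white: path hash into the safe cache
        elif verdict is ObjectType.GRAY:
            monitored.append(path)         # gray: becomes a monitored object
        else:
            removed.append(path)           # black: virus handling, i.e. removal
    cache.initialised = True
    return monitored, removed


# Constructed snapshot of the files under the collected paths.
SAMPLE_FILES = {
    r"C:\Windows\System32\notepad.exe": b"constructed notepad image",
    r"C:\Program Files\Tool\updater.exe": b"constructed updater image",
    r"C:\Program Files\Tool\readme.txt": b"not an executable",
    r"C:\Users\alice\Desktop\invoice.exe": b"constructed dropper image",
}


def demo():
    cache = SafeCache()
    monitored, removed = initialise(SAMPLE_FILES, cache)
    again = initialise(SAMPLE_FILES, cache)   # no-op: completion flag is set
    return cache, monitored, removed, again
```

After `demo()`, a launch of notepad.exe short-circuits at step S105, while updater.exe (gray) still goes through step S1011 and the scanning engines.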
Then, in step S102, when the security attribute information of the monitored object satisfies the real-time processing monitoring condition, the monitoring processing apparatus determines that the monitoring mode corresponding to the monitored object is real-time processing monitoring.
The real-time processing monitoring condition is used to judge whether the monitored object is suspected of being a dangerous object.
The real-time processing monitoring condition includes each item of basic information of the monitored object satisfying a corresponding prerequisite. The basic information includes every item of security attribute information from which it can be judged directly whether the object is suspected of being a dangerous object.
For example, a prerequisite includes the obtained heuristic weight exceeding a predetermined threshold; as another example, a prerequisite includes a given file being determined to be a packed file.
Preferably, when the security attribute information further includes classification-related information, the real-time monitoring condition further includes the classification-related information of the monitored object belonging to a predetermined classification.
Preferably, on the basis of predetermined rules for determining the monitoring mode, the monitoring processing apparatus can first obtain the classification-related information of the monitored object and then, on the basis of that classification-related information, obtain the basic information corresponding to it and judge whether the real-time processing monitoring condition is satisfied.
Continuing the first example above, the prerequisites in the monitoring processing apparatus are: if the file size is less than 1.5 M, the heuristic weight information must satisfy the real-time processing monitoring condition; or, if the file size is greater than 1.5 M, the infection scan result and the packing information must satisfy the real-time processing monitoring condition. Then, when program program_1 is selected to run, the monitoring processing apparatus first obtains, on the basis of these prerequisites, the file size of program_1, "1.1 M", and then obtains the heuristic value value_1 of program_1. The real-time processing monitoring condition predetermined in the monitoring processing apparatus is: the heuristic weight exceeds one fifth of the predetermined warning weight; or the file is packed; or the infection scan result is "suspected infected". Since the heuristic value value_1 of program_1 exceeds one fifth of the predetermined warning weight, the monitoring processing apparatus judges that program_1 satisfies the real-time processing monitoring condition. Thus, in step S102, the monitoring processing apparatus determines that the monitoring mode corresponding to program_1 is real-time processing monitoring.
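The mode decision of step S102 with the size-dependent prerequisites and the real-time condition of the first example, as an added example in Python; this is not code from the patent or from the assignee. The scanning engines are replaced by a constructed stub that records which engine was consulted, so the example also shows the step-by-step attribute retrieval described earlier (only the basic information the applicable prerequisite needs is obtained), and the heuristic weight is computed as the sum of per-feature weighted values. The feature names and weights, the warning weight of 100, the 1.5 MB boundary in bytes and the choice to probe packing before running the infection scan are assumptions for the example.

```python
from dataclasses import dataclass, field

MB = 1024 * 1024
SIZE_BOUNDARY = int(1.5 * MB)      # the "1.5 M" split of the first example (assumed bytes)
WARNING_WEIGHT = 100               # assumed predetermined warning weight
SUSPECTED_INFECTED = "suspected infected"


@dataclass
class EngineStub:
    """Constructed stand-in for the heuristic, infection and unpacking engines.
    `calls` records which engines step S102 actually consulted."""
    feature_weights: dict           # scan feature -> weighted value (constructed)
    infection_result: str
    packed: bool
    calls: list = field(default_factory=list)

    def heuristic_scan(self) -> int:
        self.calls.append("heuristic")
        return sum(self.feature_weights.values())   # heuristic weight = sum of feature weights

    def infection_scan(self) -> str:
        self.calls.append("infection")
        return self.infection_result

    def unpack_probe(self) -> bool:
        self.calls.append("unpacker")
        return self.packed


def real_time_condition(heuristic_weight=None, packed=None, infection=None) -> bool:
    """Real-time processing monitoring condition of the first example:
    heuristic weight > warning weight / 5, or packed, or suspected infected."""
    if heuristic_weight is not None and heuristic_weight > WARNING_WEIGHT / 5:
        return True
    if packed:
        return True
    return infection == SUSPECTED_INFECTED


def decide_monitoring_mode(size_bytes: int, engines: EngineStub) -> str:
    """Step S102. The classification information (file size) is obtained first
    and selects which basic information is fetched; other engines are not called."""
    if size_bytes < SIZE_BOUNDARY:
        realtime = real_time_condition(heuristic_weight=engines.heuristic_scan())
    else:
        # Assumed order: the cheap packing probe first, the infection scan only
        # if packing alone was not decisive.
        realtime = real_time_condition(packed=engines.unpack_probe())
        if not realtime:
            realtime = real_time_condition(infection=engines.infection_scan())
    return "real-time" if realtime else "non-real-time"
```

With a 1.1 MB program whose feature weights sum to 21 and a warning weight of 100, the heuristic engine is the only one consulted and the mode is real-time, matching the program_1 case; a 2 MB packed program is decided by the unpacking probe alone.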
Then, in step S103, the monitoring processing apparatus reports the object monitoring information corresponding to the monitored object, together with the monitoring mode, to the corresponding network device.
The object monitoring information includes, but is not limited to, at least one of the following:
1) behaviour information of the monitored object, for example information reads, information output, copy propagation and the like;
2) feature-related information of the monitored object, for example the hash code or MD5 code of the monitored object, or other information that can uniquely identify the monitored object.
Then, in step S201, the network device receives, from the user device, the object monitoring information for the monitored object and the monitoring mode of the monitored object, in order to determine, on the basis of the object monitoring information obtained, the processing scheme corresponding to the monitored object. The processing scheme includes, but is not limited to, at least one of the following:
1) adding the path-related information of the monitored object to the safe cache;
2) performing a clear operation on the monitored object;
3) continuing the monitoring operation.
Preferably, the network device first determines the object type of the monitored object and then determines the processing scheme for the monitored object.
Then, in step S202, when the monitoring mode is real-time processing monitoring, the network device feeds back to the user device the processing scheme corresponding to the object monitoring information of the monitored object.
Then, in step S104, the monitoring processing apparatus performs the corresponding processing operation on the monitored object according to the received processing scheme fed back by the network device on the basis of the object monitoring information.
Continuing the first example above, in step S103 the monitoring processing apparatus reports the MD5 code corresponding to program_1 and the monitoring mode "real-time processing monitoring mode" to the corresponding network device. Then, in step S201, the network device receives the MD5 code of program_1 and the monitoring mode "real-time processing monitoring mode" reported by the user device. Further, on the basis of the MD5 code of program_1 reported by the user device, the network device determines that program_1 is a dangerous object and that its corresponding processing scheme is "remove immediately". Then, in step S202, on the basis of the monitoring mode "real-time processing monitoring mode" of program_1, the network device feeds back to user device UE_1 the processing scheme corresponding to the MD5 code of program_1: remove program_1. Then, in step S104, the monitoring processing apparatus in user device UE_1 performs the operation of removing program_1 according to the processing scheme received from the network device.
Preferably, when the monitoring processing means determines, according to the security attribute information of the monitored object, that the real-time monitoring condition is not satisfied, the method according to the invention further includes step S109 (not shown) and step S110 (not shown) performed by the user equipment, and step S203 (not shown) performed by the network device.
In step S109, when the security attribute information of the monitored object does not satisfy the real-time monitoring condition, the monitoring processing means determines that the monitoring mode corresponding to this monitored object is non-real-time processing monitoring.
Then, the monitoring processing means reports the object monitoring information corresponding to this monitored object and the monitoring mode to the corresponding network device.
Then, in step S203, after a predetermined processing trigger condition is satisfied, the network device feeds back to the user equipment the processing scheme corresponding to the object monitoring information of this monitored object.
Then, in step S110, the monitoring processing means performs the corresponding processing operation on the monitored object according to the received processing scheme fed back by the network device based on the object monitoring information.
The predetermined processing trigger condition includes, but is not limited to, at least any of the following:
1) A time trigger condition; for example, every predetermined period of time.
2) An event trigger condition; for example, when a request for obtaining the processing scheme is received from the user equipment.
According to a second example of the invention, in step S101 the monitoring processing means obtains the security attribute information of program program_2. Then, the monitoring processing means judges that program_2 does not satisfy the real-time monitoring condition. Then, in step S109, the monitoring processing means determines that the monitoring mode corresponding to program_2 is non-real-time processing monitoring. Then, the monitoring processing means sends the object monitoring information corresponding to program_2 and the monitoring mode to the network device. The network device determines, based on the scan monitoring result for program_2, that it is a safe object, and determines that the corresponding processing scheme includes: adding its path-related information to the safe cache.
After some time, when in step S203 the network device receives from the user equipment a request for obtaining the processing scheme, the network device feeds back to this user equipment the processing scheme corresponding to the object monitoring information of program_2: add the path-related information of program_2 to the safe cache. Then, in step S110, the monitoring processing means adds the path-related information of program_2 to the safe cache according to the received processing scheme fed back by the network device.
According to the method of the invention, during cloud scanning the client device according to the invention can judge whether a program to be launched is sufficiently safe, further determine the corresponding monitoring scan mode, and report the determined monitoring scan mode to the server. For example, an asynchronous cloud scan mode is adopted for a sufficiently safe program, and a synchronous cloud scan mode for a program suspected of being a virus. Further, the server according to the invention can immediately feed back the corresponding processing scheme to the client device when a program to be launched is suspected of being a virus. Therefore, the method according to the invention can effectively intercept the launch of virus programs and reduce the risk of the client device being infected.
Fig. 2 is a schematic structural diagram of a monitoring processing means for performing file scanning by network and of a network device for assisting network scanning according to the invention. The monitoring processing means according to the invention includes: a device for obtaining the security attribute information of a monitored object (hereinafter referred to as "attribute acquisition device 101"); a device for determining, when the security attribute information of the monitored object satisfies the real-time processing monitoring condition, that the monitoring mode corresponding to this monitored object is real-time processing monitoring (hereinafter referred to as "first mode determination device 102"); a device for reporting the object monitoring information corresponding to this monitored object and the monitoring mode to the corresponding network device (hereinafter referred to as "sending device 103"); and a device for performing the corresponding processing operation on the monitored object according to the received processing scheme fed back by the network device based on the object monitoring information (hereinafter referred to as "first processing device 104"). The network device according to the invention includes: a device for receiving from the user equipment the object monitoring information for a monitored object and the monitoring mode of this monitored object, so as to determine, based on the obtained object monitoring information, the processing scheme corresponding to this monitored object (hereinafter referred to as "receiving device 201"); and a device for feeding back to the user equipment, when the monitoring mode is real-time processing monitoring, the processing scheme corresponding to the object monitoring information of this monitored object (hereinafter referred to as "first feedback device 202").
With reference to Fig. 2, the attribute acquisition device 101 obtains the security attribute information of a monitored object.
The monitored object includes, but is not limited to, an application program in the user equipment that needs to be monitored. Preferably, the monitored object includes a program to be launched in the user equipment, for example instant messaging software to be launched, or office software to be launched.
The security attribute information includes at least any of the following basic information:
1) Heuristic scan result information; the heuristic scan result information includes information obtained by performing a heuristic scan on the monitored object and used to indicate the possibility that the monitored object is a virus.
Preferably, the heuristic scan result information includes a heuristic weight used to indicate the possibility that the monitored object is a virus.
More preferably, the heuristic weight is determined based on a plurality of weighted values, each corresponding to a scan feature such as an operation performed or an instruction used by the monitored object, where each weighted value indicates the result of performing the heuristic scan on the corresponding scan feature. Still more preferably, the heuristic weight includes the sum of these weighted values.
Preferably, the heuristic scan result information further includes indication information of whether the heuristic weight is greater than a predetermined warning weight.
Here, "heuristic scanning technology" refers to "the ability of self-discovery", or "the technique of judging things by some means or method using knowledge and skills", and is commonly used in software testing and virus detection.
Preferably, in virus detection, heuristic scanning analyses the instruction sequence of a program to indirectly learn the operating logic of each sub-module of the program, calculates and matches the order of appearance and the weight of each purpose, and thereby learns whether malicious behaviour exists in the analysed program.
For example, in virus detection, a scan engine using heuristic scanning technology can identify and detect many suspicious code instruction sequences, progressively understand and determine the real intent hidden in the monitored object by decompiling its instruction sequence, and thereby judge the degree of suspicion of the monitored object.
2) Infection scan result information; the infection scan result information includes information obtained after performing an infection scan on the monitored object and used to indicate the possibility that the monitored object is infected.
Infection scanning technology includes comparing the monitored object with the samples in a sample database such as a virus database, and judging whether the monitored object is infected by a sample based on whether it has the features of one or more samples.
3) Object packing information. The object packing information is used to indicate whether the monitored object is a packed program.
Packing includes operations such as compression or encryption performed on an executable file or a dynamic link library file by a specific algorithm. When a packed program is run, its shell is executed first, and the shell then decompresses the original program into memory and runs it.
Specifically, the attribute acquisition device 101 obtains the security attribute information of the monitored object through the corresponding scan engines. For example, the heuristic weight of the monitored object is obtained by calling a heuristic scan engine. As another example, information on whether the monitored object is packed is obtained by calling an unpacking engine.
Preferably, the security attribute information further includes classification-related information, which is used to assist in judging whether the monitored object is safe.
The classification-related information is determined based on at least any one of the following:
1) File type information; classification information of the file determined based on the attributes of the file, for example a self-extracting executable file, or file type information determined based on a file suffix such as the extension ".exe".
2) File size information.
Preferably, the attribute acquisition device 101 can first obtain the classification-related information of each file, screen the files based on the obtained classification-related information, and further obtain the respective basic attributes only of the files that pass the screening.
More preferably, the attribute acquisition device 101 can, based on predetermined judgment conditions, progressively obtain the one or more items of security attribute information corresponding to the judgment condition of each judgment step, without needing to obtain all security attribute information at once.
For example, the attribute acquisition device 101 first judges, based on the file type, whether the file is a self-extracting executable file; if so, it further obtains the file size and judges whether the file size exceeds a predetermined threshold; when the size does not exceed the predetermined threshold, it further obtains one or more items of basic attribute information of the file.
Preferably, the monitoring processing means according to the invention further includes a device for judging whether a monitored object is safe based on the path-related information of the monitored object and the path information contained in the safe cache (not shown, hereinafter referred to as "judgment device"), and the attribute acquisition device 101 further includes a device for obtaining the security attribute information of the monitored object when the monitored object is not safe (not shown, hereinafter referred to as "sub-acquisition device").
The judgment device judges whether a monitored object is safe based on the path-related information of the monitored object and the path information contained in the safe cache.
The path-related information includes, but is not limited to, at least any one of the following:
1) the path information of the monitored object;
2) a hash value of the path information of the monitored object, etc.
Specifically, the judgment device checks whether the path-related information of the monitored object is in the safe cache; when its path-related information is in the safe cache, it judges that the monitored object is safe, otherwise it judges that the monitored object is not safe.
When the monitored object is not safe, the sub-acquisition device obtains the security attribute information of the monitored object.
For example, before instant messaging software is launched, the judgment device first checks whether the file path of the instant messaging software is in the safe cache; when its file path is not in the safe cache, the judgment device judges that the instant messaging software is not safe, and the sub-acquisition device then obtains the security attribute information of the instant messaging software.
Preferably, according to the solution of the invention, the monitoring processing means can store, through an initialization process, the path-related information of each file in the user equipment that is judged to be safe in the safe cache.
The monitoring processing means according to the preferred solution performs the initialization operation through a device for determining the file path information to be scanned (not shown, hereinafter referred to as "path determination device") and a device for scanning the one or more file objects corresponding to the file path information so as to determine the object type of each of the one or more file objects (not shown, hereinafter referred to as "scanning device").
The path determination device determines the file path information of the file objects to be scanned.
Then, the scanning device scans the one or more file objects corresponding to the file path information to determine the object type of each of the one or more file objects.
The object type includes, but is not limited to, at least any of the following:
1) Safe object: a safe object includes a trusted file.
2) Dangerous object: a dangerous object includes a file that is a virus or is suspected of being a virus;
3) Intermediate object: a file object between the above safe object and the above dangerous object.
Preferably, the object type can further include a black/white/gray attribute of the file object: for example, a black file represents a dangerous object, a white file represents a safe object, and a gray file represents a file object between a safe object and a dangerous object. Specifically, the scanning device first scans the one or more file objects corresponding to the file path information and filters out one or more of them. Then, the scanning device performs network scanning on the one or more file objects to determine the object type of each file object among them.
Preferably, the network scanning includes, but is not limited to, performing cloud scanning on each file object.
More preferably, the scanning device scans the one or more file objects corresponding to the file path information and filters out one or more executable file objects from them; then, the scanning device performs cloud scanning on the one or more executable file objects to determine the object type of each file object among them.
For example, the scanning device obtains the MD5 code of each executable file object under each file path, uploads each MD5 code to the cloud, and obtains the object type corresponding to each MD5 code fed back by the cloud.
According to the preferred solution of the invention, the manner in which the scanning device determines the one or more monitored objects includes, but is not limited to, any of the following:
1) all scannable file objects are taken as monitored objects;
2) the file objects determined as intermediate objects in the initialization operation are taken as monitored objects.
When the object type includes safe objects, the monitoring processing means according to this preferred solution further includes a device for adding the path-related information of a safe object to the safe cache when a file object is a safe object (not shown, hereinafter referred to as "safe cache device").
When a file object is a safe object, the safe cache device adds the path-related information of the safe object to the safe cache.
When a file object is a dangerous object, the monitoring processing means performs a corresponding virus processing operation to remove the dangerous object, for example by popping up a virus report and at the same time disinfecting the file.
According to the first example of the invention, the monitoring processing means performs the initialization operation when it is installed in user equipment UE_1. The path determination device obtains the path information of the image files of all current processes in UE_1, the path information of the programs pointed to by all shortcuts in the start menu, and the path information of the programs pointed to by all shortcuts on the desktop. Then, the scanning device scans all file objects under the system top-level directory corresponding to each obtained file path (the system top-level directories include, but are not limited to, the windows directory, the windows system32 directory, the windows syswow64 directory, the program files directory, etc.), filters out the executable file objects whose file suffix is ".exe", and determines their object types by scanning all executable file objects with an antivirus engine, where the object types include white files, gray files and black files. Then, the safe cache device adds the path and the hash value of the path of each file object determined to be a white file to the safe cache, and the monitoring processing means performs a virus processing operation on each file object determined to be a black file to remove that file object.
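The initialization just described (determining the paths, scanning the executables under them, caching white files, removing black files, and the later safe cache check before a launch, which skips attribute acquisition for a cached path) as an added, runnable Python example. This is not the patent's code: the directory contents, the file bytes and the cloud verdict table are constructed for the example, and `cloud_lookup` is a plain callable standing in for the cloud scanning service. It identifies files by MD5 because that is what the page specifies, and keys the cache by a SHA-256 of the normalised path.

```python
"""Initialization scan and safe cache (added example, not the patent's code).

The directory layout, file contents and cloud verdict table are constructed
here; a real client obtains its verdicts from the cloud scanning service.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Set

WHITE, GRAY, BLACK = "white", "gray", "black"


def md5_of_file(path: Path) -> str:
    """File identifier uploaded to the cloud (the page's choice of MD5).
    MD5 collisions are practical, so a production design should carry a
    second, collision-resistant hash alongside it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def path_key(path: Path) -> str:
    """Safe cache entry: hash of the normalised absolute path
    (the page's 'hash value of the path information')."""
    normalised = os.path.normcase(str(Path(path).resolve()))
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


class SafeCache:
    """Set of path hashes of files judged safe (white)."""

    def __init__(self) -> None:
        self._keys: Set[str] = set()

    def add(self, path: Path) -> None:
        self._keys.add(path_key(path))

    def contains(self, path: Path) -> bool:
        return path_key(path) in self._keys

    def __len__(self) -> int:
        return len(self._keys)


def initialize(roots: Iterable[Path], cloud_lookup: Callable[[str], str],
               cache: SafeCache, remove: Callable[[Path], None]) -> Dict[str, str]:
    """Scanning device + safe cache device: classify every .exe under the
    roots, cache white files, remove black files; gray files are left in
    place as the objects that remain to be monitored. Returns name -> type."""
    types: Dict[str, str] = {}
    for root in roots:
        for p in sorted(Path(root).rglob("*")):
            if not p.is_file() or p.suffix.lower() != ".exe":
                continue  # only executable file objects are scanned
            kind = cloud_lookup(md5_of_file(p))
            types[p.name] = kind
            if kind == WHITE:
                cache.add(p)
            elif kind == BLACK:
                remove(p)
    return types


def needs_attribute_scan(path: Path, cache: SafeCache) -> bool:
    """Judgment device: a path already in the safe cache is treated as safe
    and skips security attribute acquisition before launch."""
    return not cache.contains(path)


def demo() -> Dict[str, object]:
    """Runs the initialization against a constructed temporary directory."""
    samples = {  # constructed sample files
        "white.exe": b"trusted sample",
        "gray.exe": b"unknown sample",
        "black.exe": b"malicious sample",
        "notes.txt": b"not an executable, ignored",
    }
    verdicts = {  # constructed stand-in for the cloud's MD5 -> type table
        hashlib.md5(b"trusted sample").hexdigest(): WHITE,
        hashlib.md5(b"malicious sample").hexdigest(): BLACK,
    }
    removed: List[str] = []

    def remove(p: Path) -> None:
        removed.append(p.name)
        p.unlink()

    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, body in samples.items():
            (root / name).write_bytes(body)
        cache = SafeCache()
        types = initialize([root], lambda h: verdicts.get(h, GRAY), cache, remove)
        return {
            "types": types,
            "cached": len(cache),
            "removed": removed,
            "white_needs_scan": needs_attribute_scan(root / "white.exe", cache),
            "gray_needs_scan": needs_attribute_scan(root / "gray.exe", cache),
            "black_still_present": (root / "black.exe").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

An unknown hash is mapped to gray rather than white, so a file the cloud has never seen is never cached as safe; only an explicit white verdict earns a cache entry.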
Preferably, after the monitoring processing means completes the initialization, it sets a completion flag for the initialization operation and does not repeat the initialization operation when this completion flag is detected.
Then, when the security attribute information of the monitored object satisfies the real-time processing monitoring condition, the first mode determination device 102 determines that the monitoring mode corresponding to this monitored object is real-time processing monitoring.
The real-time processing monitoring condition is used to judge whether the monitored object is suspected of being a dangerous object.
The real-time processing monitoring condition includes each item of basic information of the monitored object satisfying a corresponding prerequisite. The basic information includes the various items of security attribute information from which it can be directly judged whether the object is suspected of being a dangerous object.
For example, a prerequisite includes that the obtained heuristic weight is greater than a predetermined threshold; as another example, a prerequisite includes determining that a certain file is a packed file.
Preferably, when the security attribute information also includes classification-related information, the real-time monitoring condition further includes that the classification-related information of the monitored object belongs to a predetermined category.
Preferably, the first mode determination device 102 can, based on a predetermined rule for determining the monitoring mode, first obtain the classification-related information of the monitored object, then, based on the obtained classification-related information, obtain the basic information corresponding to this classification-related information and judge whether the real-time processing monitoring condition is satisfied.
Continuing with the first example described above, the prerequisites in the monitoring processing means include: if the file size is less than 1.5M, its heuristic weight information must satisfy the real-time processing monitoring condition; or, if the file size is greater than 1.5M, its infection scan result and packing information must satisfy the real-time processing monitoring condition. Then, when program program_1 is selected to be run, the first mode determination device 102, based on this prerequisite, first obtains the file size of program_1, "1.1M", and then obtains the heuristic value value_1 of program_1. The real-time processing monitoring condition predetermined in the monitoring processing means includes: the heuristic weight is greater than one fifth of the predetermined warning weight; or, the file is packed; or, the infection scan result is "suspected infected". Then, based on the fact that the heuristic value value_1 of program_1 is greater than one fifth of the predetermined warning weight, the first mode determination device 102 judges that program_1 satisfies the real-time processing monitoring condition. The first mode determination device 102 then determines that the monitoring mode corresponding to program_1 is real-time processing monitoring.
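The prerequisite and the real-time processing monitoring condition from this example, combined with the progressive attribute acquisition described earlier (only the engines the matching prerequisite needs are called), as an added Python example. It is not the patent's code; the warning weight of 100, the engine interface, the file names and the stub engine outputs are assumptions, and the stubs record which engines ran so the progressive acquisition is visible.

```python
"""Monitoring-mode decision for a program about to be launched.

Added example, not code from the patent. Encodes the first example's
prerequisites: files under 1.5M are judged by heuristic weight, larger
files by packing and infection scan results. The warning weight, the
engine interface and the sample values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

REALTIME = "real-time processing monitoring"
NON_REALTIME = "non-real-time processing monitoring"

SIZE_SPLIT_BYTES = 1_500_000   # the "1.5M" boundary from the first example
WARNING_WEIGHT = 100           # assumed predetermined warning weight
WARNING_DIVISOR = 5            # condition: heuristic weight > warning weight / 5
SUSPECTED = "suspected infected"


@dataclass
class Engines:
    """Scan engines the attribute acquisition device can call (stubs below)."""
    heuristic: Callable[[str], int]    # heuristic weight of the file
    unpack: Callable[[str], bool]      # True if the file is packed
    infection: Callable[[str], str]    # e.g. "clean" or "suspected infected"


@dataclass
class ModeDecision:
    mode: str
    reason: str
    attributes: Dict[str, object] = field(default_factory=dict)


def determine_monitoring_mode(path: str, file_size: int, engines: Engines) -> ModeDecision:
    """First mode determination device: classification (file size) first,
    then only the basic information the matching prerequisite needs, then
    the real-time processing monitoring condition. A size of exactly 1.5M
    is not covered by the page's wording and is routed to the large branch."""
    attrs: Dict[str, object] = {"file_size": file_size}
    if file_size < SIZE_SPLIT_BYTES:
        weight = engines.heuristic(path)
        attrs["heuristic_weight"] = weight
        if weight > WARNING_WEIGHT / WARNING_DIVISOR:
            return ModeDecision(REALTIME, "heuristic weight above warning fraction", attrs)
        return ModeDecision(NON_REALTIME, "heuristic weight within limits", attrs)
    packed = engines.unpack(path)
    attrs["packed"] = packed
    if packed:
        return ModeDecision(REALTIME, "packed executable", attrs)
    result = engines.infection(path)
    attrs["infection_result"] = result
    if result == SUSPECTED:
        return ModeDecision(REALTIME, "infection scan suspects infection", attrs)
    return ModeDecision(NON_REALTIME, "no prerequisite met", attrs)


def make_demo_engines(calls: List[str]) -> Engines:
    """Constructed stub engines; each appends its name to `calls` so the
    progressive acquisition can be observed. All values are made up."""
    weights = {"C:/apps/program_1.exe": 25, "C:/apps/program_2.exe": 3}

    def heuristic(p: str) -> int:
        calls.append("heuristic")
        return weights.get(p, 0)

    def unpack(p: str) -> bool:
        calls.append("unpack")
        return "packed" in p

    def infection(p: str) -> str:
        calls.append("infection")
        return SUSPECTED if p.endswith("bad.exe") else "clean"

    return Engines(heuristic, unpack, infection)


if __name__ == "__main__":
    calls: List[str] = []
    d = determine_monitoring_mode("C:/apps/program_1.exe", 1_100_000, make_demo_engines(calls))
    print(d.mode, d.reason, calls)  # weight 25 > 100/5, and only the heuristic engine ran
```

For program_1 (1.1M, heuristic weight 25 against a warning weight of 100) the decision is real-time monitoring after a single engine call; for a file above 1.5M the unpacking engine is consulted first and the infection engine only if the file is not packed.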
Then, the sending device 103 reports the object monitoring information corresponding to this monitored object and the monitoring mode to the corresponding network device.
The object monitoring information includes, but is not limited to, at least any one of the following:
1) each item of behaviour information of the monitored object; for example, reading information, exporting information, replication and propagation, etc.
2) feature-related information of the monitored object; for example, the hash code, MD5 code, etc. of the monitored object, which can be used to uniquely identify this monitored object.
Then, the receiving device 201 in the network device receives from the user equipment the object monitoring information for the monitored object and the monitoring mode of this monitored object, so as to determine, based on the obtained object monitoring information, the processing scheme corresponding to this monitored object. The processing scheme includes, but is not limited to, at least any of the following:
1) adding the path-related information of this monitored object to the safe cache;
2) performing a removal operation on this monitored object;
3) continuing the monitoring operation.
Preferably, the network device first determines the object type of the monitored object and then further determines the processing scheme for this monitored object.
Then, when the monitoring mode is real-time processing monitoring, the first feedback device 202 in the network device feeds back to the user equipment the processing scheme corresponding to the object monitoring information of this monitored object.
Then, the first processing device 104 performs the corresponding processing operation on the monitored object according to the received processing scheme fed back by the network device based on the object monitoring information.
Continuing with the first example described above, the sending device 103 reports the MD5 code corresponding to program program_1 together with the monitoring mode "real-time processing monitoring mode" to the corresponding network device. Then, the receiving device 201 in the network device receives the MD5 code of program_1 and the monitoring mode "real-time processing monitoring mode" of program_1 reported by this user equipment. Further, based on the MD5 codes of program_1 fed back by multiple user equipments, the network device determines that program_1 is a dangerous object and that its corresponding processing mode includes "remove immediately". Then, based on the monitoring mode "real-time processing monitoring mode" for program_1, the first feedback device 202 feeds back to user equipment UE_1 the processing scheme corresponding to the MD5 code of program_1: remove program_1. Then, the first processing device 104 in user equipment UE_1 performs the operation of removing program_1 according to the processing scheme received from the network device.
Preferably, for the case in which the security attribute information of the monitored object does not satisfy the real-time monitoring condition, the monitoring processing means according to the invention further includes a device for determining, when the security attribute information of the monitored object does not satisfy the real-time monitoring condition, that the monitoring mode corresponding to this monitored object is non-real-time processing monitoring (not shown, hereinafter referred to as "second mode determination device"), and a device for performing, when a predetermined processing trigger condition is satisfied, the corresponding processing operation on the monitored object according to the received processing scheme fed back by the network device based on the object monitoring information (not shown, hereinafter referred to as "second processing device"); the network device according to the invention further includes a device for feeding back to the user equipment, after a predetermined processing trigger condition is satisfied, the processing scheme corresponding to the object monitoring information of this monitored object (not shown, hereinafter referred to as "second feedback device").
When the security attribute information of the monitored object does not satisfy the real-time monitoring condition, the second mode determination device determines that the monitoring mode corresponding to this monitored object is non-real-time processing monitoring.
Then, the sending device 103 reports the object monitoring information corresponding to this monitored object and the monitoring mode to the corresponding network device.
Then, after a predetermined processing trigger condition is satisfied, the second feedback device feeds back to the user equipment the processing scheme corresponding to the object monitoring information of this monitored object.
Then, the second processing device performs the corresponding processing operation on the monitored object according to the received processing scheme fed back by the network device based on the object monitoring information.
The predetermined processing trigger condition includes, but is not limited to, at least any of the following:
1) A time trigger condition; for example, every predetermined period of time.
2) An event trigger condition; for example, when a request for obtaining the processing scheme is received from the user equipment.
According to the second example of the invention, the attribute acquisition device 101 obtains the security attribute information of program program_2. Then, the monitoring processing means judges that program_2 does not satisfy the real-time monitoring condition. Then, the second mode determination device determines that the monitoring mode corresponding to program_2 is non-real-time processing monitoring. Then, the sending device 103 sends the object monitoring information corresponding to program_2 and the monitoring mode to the network device. The network device determines, based on the scan monitoring result for program_2, that it is a safe object, and determines that the corresponding processing scheme includes: adding its path-related information to the safe cache.
After some time, when the network device receives from the user equipment a request for obtaining the processing scheme, the second feedback device in the network device feeds back to this user equipment the processing scheme corresponding to the object monitoring information of program_2: add the path-related information of program_2 to the safe cache. Then, the second processing device in the user equipment adds the path-related information of program_2 to the safe cache according to the received processing scheme fed back by the network device.
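The two exchanges (the first example's real-time path, answered at once, and the second example's non-real-time path, answered only when a time or event trigger fires) as one added Python example showing both sides of the protocol. It is not the patent's code: the network device's verdicts come from a constructed MD5-to-type table standing in for its scan of the reported samples, and the device identifiers, the sample hashes and the 60-second period are assumptions.

```python
"""Client/server exchange for real-time and non-real-time monitoring.

Added example, not the patent's code. Verdicts come from a constructed
MD5 -> object type table; device ids, hashes and the period are assumptions.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

REALTIME = "real-time processing monitoring"
NON_REALTIME = "non-real-time processing monitoring"
ADD_TO_SAFE_CACHE, REMOVE, CONTINUE = "add to safe cache", "remove", "continue monitoring"
SCHEME_FOR_TYPE = {"white": ADD_TO_SAFE_CACHE, "black": REMOVE, "gray": CONTINUE}


@dataclass
class Report:
    """Object monitoring information plus monitoring mode, as sent by device 103."""
    device_id: str
    md5: str
    mode: str
    behaviours: List[str] = field(default_factory=list)


class NetworkDevice:
    """Receiving device 201 with first (immediate) and second (triggered) feedback."""

    def __init__(self, verdicts: Dict[str, str], period: int) -> None:
        self.verdicts = verdicts
        self.period = period
        self.last_flush = 0
        self.reporters: Dict[str, Set[str]] = defaultdict(set)       # md5 -> devices
        self.pending: Dict[str, Dict[str, str]] = defaultdict(dict)  # device -> md5 -> scheme

    def decide(self, md5: str) -> str:
        # Object type first, then the processing scheme; unknown hashes stay gray.
        return SCHEME_FOR_TYPE[self.verdicts.get(md5, "gray")]

    def receive(self, report: Report) -> Optional[str]:
        self.reporters[report.md5].add(report.device_id)
        scheme = self.decide(report.md5)
        if report.mode == REALTIME:
            return scheme                                   # first feedback device 202
        self.pending[report.device_id][report.md5] = scheme  # held until a trigger fires
        return None

    def on_request(self, device_id: str) -> Dict[str, str]:
        """Event trigger: the device asks for its outstanding schemes."""
        return self.pending.pop(device_id, {})

    def on_tick(self, now: int) -> Dict[str, Dict[str, str]]:
        """Time trigger: every `period` seconds push all outstanding schemes."""
        if now - self.last_flush < self.period:
            return {}
        self.last_flush = now
        flushed = {d: dict(s) for d, s in self.pending.items()}
        self.pending.clear()
        return flushed


class UserEquipment:
    """First/second processing devices: apply the scheme to the local object."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.safe_cache: Set[str] = set()
        self.removed: List[str] = []
        self.watched: Set[str] = set()

    def apply(self, md5: str, scheme: str) -> None:
        if scheme == ADD_TO_SAFE_CACHE:
            self.safe_cache.add(md5)
        elif scheme == REMOVE:
            self.removed.append(md5)
        else:
            self.watched.add(md5)


def run_exchange() -> Dict[str, object]:
    p1 = hashlib.md5(b"program_1 image").hexdigest()   # constructed sample hashes
    p2 = hashlib.md5(b"program_2 image").hexdigest()
    server = NetworkDevice({p1: "black", p2: "white"}, period=60)
    ue1, ue2 = UserEquipment("UE_1"), UserEquipment("UE_2")

    # program_1 met the real-time condition: the scheme comes back immediately.
    scheme = server.receive(Report("UE_1", p1, REALTIME, ["reads information"]))
    ue1.apply(p1, scheme)

    # program_2 did not: nothing is returned until a trigger fires.
    deferred = server.receive(Report("UE_1", p2, NON_REALTIME))
    server.receive(Report("UE_2", p2, NON_REALTIME))
    for md5, s in server.on_request("UE_1").items():   # event trigger for UE_1
        ue1.apply(md5, s)
    early = server.on_tick(now=30)                      # too soon for the time trigger
    for md5, s in server.on_tick(now=60).get("UE_2", {}).items():
        ue2.apply(md5, s)
    return {
        "realtime_scheme": scheme, "deferred": deferred, "early_flush": early,
        "ue1_removed": ue1.removed, "ue1_cache": sorted(ue1.safe_cache),
        "ue2_cache": sorted(ue2.safe_cache), "p2_reporters": sorted(server.reporters[p2]),
        "p1": p1, "p2": p2,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The server keeps the set of devices that reported each hash, which is the input the page describes for deciding a verdict across multiple user equipments; the decision itself is reduced here to a table lookup.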
According to the solution of the invention, during cloud scanning the client device according to the invention can judge whether a program to be launched is sufficiently safe, further determine the corresponding monitoring scan mode, and report the determined monitoring scan mode to the server. For example, an asynchronous cloud scan mode is adopted for a sufficiently safe program, and a synchronous cloud scan mode for a program suspected of being a virus. Further, the server according to the invention can immediately feed back the corresponding processing scheme to the client device when a program to be launched is suspected of being a virus. Therefore, the solution of the invention can effectively intercept the launch of virus programs and reduce the risk of the client device being infected.
The software program of the invention can be executed by a processor to realize the steps or functions described above. Likewise, the software program of the invention (including related data structures) can be stored in a computer-readable recording medium, for example RAM memory, a magnetic or optical drive, a floppy disk or similar devices. In addition, some steps or functions of the invention can be realized in hardware, for example as circuits that cooperate with the processor to execute each function or step.
In addition, part of the invention can be applied as a computer program product, for example computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution according to the invention through the operation of that computer. The program instructions invoking the method of the invention may be stored in a fixed or removable recording medium, and/or transmitted through a data stream in broadcast or other signal-bearing media, and/or stored in the working memory of a computer device running according to the program instructions. Here, an embodiment according to the invention includes an apparatus which includes a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the apparatus is triggered to run the method and/or technical solution based on the foregoing embodiments according to the invention.
It is obvious to those skilled in the art that the invention is not limited to the details of the exemplary embodiments above, and that the invention can be realized in other concrete forms without departing from the spirit or essential characteristics of the invention. Therefore, from whatever point of view, the embodiments should be regarded as exemplary and non-restrictive; the scope of the invention is defined by the appended claims rather than by the above description, and it is intended that all changes falling within the meaning and scope of equivalents of the claims are included in the invention. Any reference sign in a claim should not be regarded as limiting the claim involved. Furthermore, it is clear that the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. A plurality of units or devices stated in a system claim can also be realized by a single unit or device through software or hardware. Words such as first and second are used to denote names and do not indicate any particular order.

Claims (22)

1. A method for carrying out file monitoring via a network, wherein the method comprises the following steps:
- acquiring security attribute information of a monitored object, wherein the security attribute information includes classification-related information, and the monitored object includes the process image file of a program to be launched on a user device;
- when the security attribute information of the monitored object satisfies a real-time processing monitoring condition, determining that the monitoring mode corresponding to the monitored object is real-time processing monitoring;
- reporting the object monitoring information and the monitoring mode corresponding to the monitored object to a corresponding network device;
- performing a corresponding processing operation on the monitored object according to the received processing scheme that the network device fed back based on the object monitoring information.
2. The method according to claim 1, wherein the method further comprises the following step:
- when the security attribute information of the monitored object does not satisfy the real-time monitoring condition, determining that the monitoring mode corresponding to the monitored object is non-real-time processing monitoring;
wherein the method further comprises the following step after the step of reporting the object monitoring information and the monitoring mode corresponding to the monitored object to the corresponding network device:
- when a predetermined processing trigger condition is satisfied, performing a corresponding processing operation on the monitored object according to the received processing scheme that the network device fed back based on the object monitoring information.
3. The method according to claim 1 or 2, wherein the security attribute information includes at least any one of the following items of basic information:
- heuristic scan result information;
- infection scan result information;
- object packing (shell-adding) information;
wherein the real-time monitoring condition includes that every item of basic information in the security attribute information of the monitored object satisfies a corresponding precondition.
4. The method according to claim 3, wherein the security attribute information further includes the following classification-related information, and the classification-related information is determined based on at least any one of the following:
- file type information;
- file size information;
wherein the real-time monitoring condition further includes that the classification-related information of the monitored object is a predetermined classification.
5. The method according to claim 1, wherein the method further comprises the following steps to complete an initialization operation:
- determining file path information of the file objects to be scanned;
- scanning one or more file objects corresponding to the file path information to determine the object type of each of the one or more file objects.
6. The method according to claim 5, wherein the object type includes a safe object, and the method further comprises the following step after the step of scanning the one or more file objects corresponding to the file path information to determine the object type of each of the one or more file objects:
- adding the path-related information of the file objects determined to be safe objects to a safe cache.
7. The method according to claim 5 or 6, wherein the object type further includes a medium object, and the method further comprises the following step after the step of scanning the one or more file objects corresponding to the file path information to determine the object type of each of the one or more file objects:
- taking the file objects determined to be medium objects as monitored objects.
8. The method according to claim 1 or 2, wherein the method further comprises the following step before the step of acquiring the security attribute information of the monitored object:
- judging whether a monitored object is a safe object;
wherein the step of acquiring the security attribute information of the monitored object comprises the following step:
- when the monitored object is not a safe object, acquiring the security attribute information of the monitored object.
9. The method according to claim 1 or 2, wherein the processing operation includes any one of the following:
- adding the path-related information of the monitored object to the safe cache;
- removing the monitored object.
10. A method for assisting network-based scanning and removal (network killing), wherein the method comprises the following steps:
- receiving, from a user device, object monitoring information for a monitored object and the monitoring mode of the monitored object, so as to determine a processing scheme corresponding to the monitored object based on the obtained object monitoring information, wherein the monitored object includes the process image file of a program to be launched on the user device;
- when the monitoring mode is real-time processing monitoring, feeding back to the user device the processing scheme corresponding to the object monitoring information of the monitored object.
11. The method according to claim 10, wherein the method further comprises the following step:
- when the monitoring mode is non-real-time processing monitoring, feeding back to the user device the processing scheme corresponding to the object monitoring information of the monitored object after a preset trigger condition is satisfied.
12. A monitoring processing apparatus for carrying out file scanning via a network, wherein the monitoring processing apparatus comprises:
means for acquiring security attribute information of a monitored object, wherein the security attribute information includes classification-related information, and the monitored object includes the process image file of a program to be launched on a user device;
means for determining, when the security attribute information of the monitored object satisfies a real-time processing monitoring condition, that the monitoring mode corresponding to the monitored object is real-time processing monitoring;
means for reporting the object monitoring information and the monitoring mode corresponding to the monitored object to a corresponding network device;
means for performing a corresponding processing operation on the monitored object according to the received processing scheme that the network device fed back based on the object monitoring information.
13. The monitoring processing apparatus according to claim 12, wherein the monitoring processing apparatus further comprises:
means for determining, when the security attribute information of the monitored object does not satisfy the real-time monitoring condition, that the monitoring mode corresponding to the monitored object is non-real-time processing monitoring;
wherein the monitoring processing apparatus further comprises:
means for performing, when a predetermined processing trigger condition is satisfied, a corresponding processing operation on the monitored object according to the received processing scheme that the network device fed back based on the object monitoring information.
14. The monitoring processing apparatus according to claim 12 or 13, wherein the security attribute information includes at least any one of the following items of basic information, and the real-time monitoring condition includes that every item of basic information of the monitored object satisfies a corresponding precondition:
- heuristic scan result information;
- infection scan result information;
- object packing (shell-adding) information;
wherein the real-time monitoring condition includes that every item of basic information in the security attribute information of the monitored object satisfies a corresponding precondition.
15. The monitoring processing apparatus according to claim 14, wherein the security attribute information further includes the following classification-related information, and the classification-related information is determined based on at least any one of the following:
- file type information;
- file size information;
wherein the real-time monitoring condition further includes that the classification-related information of the monitored object is a predetermined classification.
16. The monitoring processing apparatus according to any one of claim 12, wherein the monitoring processing apparatus further comprises the following means to complete an initialization operation:
means for determining file path information of the file objects to be scanned;
means for scanning one or more file objects corresponding to the file path information to determine the object type of each of the one or more file objects.
17. The monitoring processing apparatus according to claim 16, wherein the object type includes a safe object, and the monitoring processing apparatus further comprises:
means for adding the path-related information of the file objects determined to be safe objects to a safe cache.
18. The monitoring processing apparatus according to claim 16 or 17, wherein the object type further includes a medium object, and the monitoring processing apparatus further comprises:
means for taking the file objects determined to be medium objects as monitored objects.
19. The monitoring processing apparatus according to any one of claims 12 or 13, wherein the monitoring processing apparatus further comprises:
means for judging whether a monitored object is a safe object;
wherein the means for acquiring the security attribute information of the monitored object is configured to:
acquire the security attribute information of the monitored object when the monitored object is not a safe object.
20. The monitoring processing apparatus according to any one of claims 12 or 13, wherein the processing operation includes any one of the following:
- adding the path-related information of the monitored object to the safe cache;
- removing the monitored object.
21. A network device for assisting network-based scanning and removal (network killing), wherein the network device comprises:
means for receiving, from a user device, object monitoring information for a monitored object and the monitoring mode of the monitored object, so as to determine a processing scheme corresponding to the monitored object based on the obtained object monitoring information, wherein the monitored object includes the process image file of a program to be launched on the user device;
means for feeding back, when the monitoring mode is real-time processing monitoring, the processing scheme corresponding to the object monitoring information of the monitored object to the user device.
22. The network device according to claim 21, wherein the network device further comprises:
means for feeding back, when the monitoring mode is non-real-time processing monitoring and after a preset trigger condition is satisfied, the processing scheme corresponding to the object monitoring information of the monitored object to the user device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410790513.7A CN104618427B (en) 2014-12-17 2014-12-17 A kind of method and apparatus for carrying out file monitor by network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410790513.7A CN104618427B (en) 2014-12-17 2014-12-17 A kind of method and apparatus for carrying out file monitor by network

Publications (2)

Publication Number Publication Date
CN104618427A CN104618427A (en) 2015-05-13
CN104618427B true CN104618427B (en) 2016-08-24

Family

ID=53152702

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410790513.7A Active CN104618427B (en) 2014-12-17 2014-12-17 A kind of method and apparatus for carrying out file monitor by network

Country Status (1)

Country Link
CN (1) CN104618427B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105430001A (en) * 2015-12-18 2016-03-23 北京奇虎科技有限公司 Detecting method, terminal device, server and system of APT (Advanced Persistent Threat) attack
CN110233859B (en) * 2019-07-01 2021-03-12 上海冰鉴信息科技有限公司 Novel wind control method and wind control system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098226A (en) * 2006-06-27 2008-01-02 飞塔信息科技(北京)有限公司 Virus online real-time processing system and method
CN102457495A (en) * 2010-10-21 2012-05-16 中华电信股份有限公司 Method and system for defending network virus
CN103905459A (en) * 2014-04-14 2014-07-02 上海电机学院 Cloud-based intelligent security defense system and defense method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102194073B (en) * 2011-06-03 2014-11-26 奇智软件(北京)有限公司 Scanning method and device of antivirus software


Also Published As

Publication number Publication date
CN104618427A (en) 2015-05-13

Similar Documents

Publication Publication Date Title
US10505956B1 (en) System and method for detecting malicious links in electronic messages
Zhang et al. Semantics-aware android malware classification using weighted contextual api dependency graphs
Feizollah et al. A study of machine learning classifiers for anomaly-based mobile botnet detection
Shabtai et al. “Andromaly”: a behavioral malware detection framework for android devices
US8479276B1 (en) Malware detection using risk analysis based on file system and network activity
US8468602B2 (en) System and method for host-level malware detection
EP3506139A1 (en) Malware detection in event loops
US20110041179A1 (en) Malware detection
Odusami et al. Android malware detection: A survey
CN106022113A (en) Detecting a malicious file infection via sandboxing
KR101132197B1 (en) Apparatus and Method for Automatically Discriminating Malicious Code
Wang et al. A novel hybrid mobile malware detection system integrating anomaly detection with misuse detection
US10270805B2 (en) System and method thereof for identifying and responding to security incidents based on preemptive forensics
CA2777125A1 (en) Using file prevalence to inform agressiveness of behavioral heuristics
Rana et al. Evaluation of tree based machine learning classifiers for android malware detection
CN104618427B (en) A kind of method and apparatus for carrying out file monitor by network
Shabtai et al. Monitoring, analysis, and filtering system for purifying network traffic of known and unknown malicious content
Sethi et al. A novel malware analysis framework for malware detection and classification using machine learning approach
US9239907B1 (en) Techniques for identifying misleading applications
Krueger et al. Intelligent defense against malicious javascript code
JP6711000B2 (en) Information processing apparatus, virus detection method, and program
Nasman Malware detection based on permissions on android platform using data mining
Apvrille et al. SherlockDroid: a research assistant to spot unknown malware in Android marketplaces
Hemalatha et al. DETECTION OF MOBILE MALWARES USING IMPROVED DEEP CONVOLUTIONAL NEURAL NETWORK
EP3531329B1 (en) Anomaly-based-malicious-behavior detection

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant
C14 Grant of patent or utility model