CN106022115A - Method for tracing risk program - Google Patents
Publication number: CN106022115A (application CN201610571928.4)
Authority: CN (China)
Prior art keywords: program, risk, behavior, file, time
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    - G06F21/52: ... during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
      - G06F21/54: ... by adding security routines or objects to programs
    - G06F21/55: Detecting local intrusion or implementing counter-measures
      - G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
The invention discloses a method for tracing the source of a risk program. The method judges program behavior to identify the high-risk programs currently present on a system, then queries in detail the program's start time, the time at which the high-risk behavior was executed, the path where the program is stored, the time the program was written to the system and the administrator who wrote the file, and generates alert information so that administrators can quickly locate and resolve the problem. The risk program is captured with existing, relatively mature risk-program behavior-identification technology, and the whole identification and tracing process is carried out by the program itself, reducing the manual work of analyzing, tracing and confirming the source.
Description
Technical field
The present invention relates to the technical field of risk program detection, and specifically to a method for tracing the source of a risk program.
Background technology
With the continuous emergence and development of new technologies and applications such as cloud computing, the Internet of Things and the mobile Internet, information security faces new challenges and the whole industry is entering a period of transition. In recent years network threat incidents have occurred frequently, driving sustained growth in demand for security products and services. Anti-virus products emerge in an endless stream, but the identification technology they use amounts to recognizing risky program behavior and then raising an alert. In the current state of anti-virus risk identification, only the risky behavior and the risk program's file path are recorded; the administrator responsible for resolving the risk program still has to trace the file's source manually and confirm it.
Summary of the invention
The technical problem solved by the invention: in view of the problem above, a method for tracing the source of a risk program is provided. Relatively mature risk-program behavior-identification technology is used to capture the risk program; the risky behavior found is then tracked further, and the path where the program is stored, the time it was written to the system and the administrator who wrote it, the program's check value, the program's start time, the abnormal risk behavior and the time the behavior was initiated are queried and identified in detail. Corresponding alert information is then generated and an alert is sent.
The technical solution adopted by the invention is as follows:
A method for tracing the source of a risk program: the method judges program behavior to identify the high-risk programs currently present on the system, then queries in detail the program's start time, the time the high-risk behavior was executed, the path where the program is stored, the time the program was written to the system and the administrator who wrote the file, and then generates alert information so that the administrator can locate and resolve the problem faster.
The behavior of the high-risk program includes: frequent file writes, modification of file permissions, changes to system start-up items, and malicious network behavior such as DNS resolution, HTTP access, file download, e-mail login and mail sending.
The risk program identification and tracing process is carried out by the program as follows:
The software program automatically identifies the risky behavior currently present on the system (for example: frequent file writes, modification of file permissions, changes to system start-up items, and malicious network behavior such as DNS resolution, HTTP access, file download, e-mail login and mail sending); if risky behavior is found, it records the program name, the behavior and the time of the behavior.
The captured risk program is then queried in detail to obtain detailed file information about the program's executable: the path where it is stored, the file's owner, the file size, the check value, the time the file was written to the system, the writer, the modification time and the modifier. This information is merged with the previously recorded program information into one record, which is saved and then sent as an alarm to the managing user. This eliminates the manual process of analyzing, tracing and confirming the source.
The functional modules involved in the method include: a risk behavior comparison module, a program file information acquisition module, a risk behavior recording module, an alert information assembly and storage module, and an alert information sending and display module.
Beneficial effects of the invention:
The invention captures the risk program with relatively mature risk-program behavior-identification technology, then tracks the risky behavior found further, querying and identifying in detail the path where the program is stored, the time the program was written to the system and the administrator who wrote the risk program, the program's check value, the program's start time, the abnormal risk behavior and the time the behavior was initiated, and then generates corresponding alert information and sends an alert. The whole risk program identification and tracing process is carried out by the program, eliminating the manual process of analyzing, tracing and confirming the source.
Description of the drawings
Fig. 1 is a workflow diagram of the risk program tracing method of the present invention.
Detailed description of the invention
The present invention is further described below with reference to the accompanying drawings and specific embodiments:
Embodiment 1
As shown in Fig. 1, a method for tracing the source of a risk program: the method judges program behavior to identify the high-risk programs currently present on the system, then queries in detail the program's start time, the time the high-risk behavior was executed, the path where the program is stored, the time the program was written to the system and the administrator who wrote the file, and then generates alert information so that the administrator can locate and resolve the problem faster.
Embodiment 2
On the basis of Embodiment 1, the behavior of the high-risk program in this embodiment includes: frequent file writes, modification of file permissions, changes to system start-up items, and malicious network behavior such as DNS resolution, HTTP access, file download, e-mail login and mail sending.
Embodiment 3
On the basis of Embodiment 1 or 2, in this embodiment the risk program identification and tracing process is carried out by the program:
The software program automatically identifies the risky behavior currently present on the system (for example: frequent file writes, modification of file permissions, changes to system start-up items, and malicious network behavior such as DNS resolution, HTTP access, file download, e-mail login and mail sending); if risky behavior is found, it records the program name, the behavior and the time of the behavior.
The captured risk program is then queried in detail to obtain detailed file information about the program's executable: the path where it is stored, the file's owner, the file size, the check value, the time the file was written to the system, the writer, the modification time and the modifier. This information is merged with the previously recorded program information into one record, which is saved and then sent as an alarm to the managing user. This eliminates the manual process of analyzing, tracing and confirming the source.
Embodiment 4
On the basis of Embodiment 3, the functional modules involved in the method of this embodiment include: a risk behavior comparison module, a program file information acquisition module, a risk behavior recording module, an alert information assembly and storage module, and an alert information sending and display module.
The embodiments are merely intended to illustrate the invention and not to limit it; those of ordinary skill in the relevant technical field may make various changes and modifications without departing from the spirit and scope of the invention, so all equivalent technical solutions fall within the scope of the invention, and the scope of patent protection of the invention is defined by the claims.
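The three stages described in the summary and in Embodiments 1 to 3 (flag a program from its behavior, collect the executable's file facts, merge both into one alert) are shown below as an added Python illustration. It is not the applicant's code and the patent gives no schema, so the behavior labels, the threshold that makes file writes "frequent", the sample event stream and the stand-in executable payload are all constructed here. The example also makes one caveat explicit that the patent glosses over: who wrote or last modified the file is not in POSIX inode metadata, so those fields come back unknown unless an audit log supplies them.

```python
"""Added illustration of the patent's tracing flow (not the applicant's code).
The event stream and payload are constructed; the flagged program is mapped to
a temporary file that stands in for its executable."""
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

try:
    import pwd  # POSIX only; owner falls back to the numeric uid elsewhere
except ImportError:
    pwd = None

# Behaviors claim 2 names as high-risk. The labels are assumed.
RISK_BEHAVIORS = {
    "file_write", "chmod", "startup_item_change", "dns_query",
    "http_access", "file_download", "mail_login", "mail_send",
}
# The patent sets no threshold for "frequent" writes; this one is assumed.
FREQUENT_WRITE_THRESHOLD = 5

# Constructed sample events: (ISO time, program path, behavior label)
SAMPLE_EVENTS = [
    ("2016-07-20T09:00:01Z", "/usr/bin/backup", "file_write"),
    ("2016-07-20T09:00:02Z", "/usr/bin/backup", "file_write"),
    ("2016-07-20T09:00:03Z", "/usr/bin/backup", "process_exit"),
    ("2016-07-20T09:01:10Z", "/tmp/upd.bin", "dns_query"),
    ("2016-07-20T09:01:11Z", "/tmp/upd.bin", "http_access"),
    ("2016-07-20T09:01:12Z", "/tmp/upd.bin", "file_download"),
    ("2016-07-20T09:01:15Z", "/tmp/upd.bin", "startup_item_change"),
    ("2016-07-20T09:01:16Z", "/tmp/upd.bin", "chmod"),
]
SAMPLE_PAYLOAD = b"\x7fELF constructed stand-in for the flagged executable\n"


def identify_risk_programs(events):
    """Stage 1: keep risky behaviors per program; flag a program that shows any
    non-write risky behavior or reaches the write threshold.
    Returns {program: [(time, behavior), ...]} for flagged programs only."""
    per_program = {}
    for ts, prog, beh in events:
        if beh in RISK_BEHAVIORS:
            per_program.setdefault(prog, []).append((ts, beh))
    flagged = {}
    for prog, recs in per_program.items():
        writes = sum(1 for _, b in recs if b == "file_write")
        if writes >= FREQUENT_WRITE_THRESHOLD or writes < len(recs):
            flagged[prog] = recs
    return flagged


def file_provenance(path):
    """Stage 2: the executable facts the patent lists that file metadata can
    supply. Writer and modifier identities are not in the inode and are left
    unknown; an audit log would be needed to fill them."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    owner = str(st.st_uid)
    if pwd is not None:
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            pass

    def iso(t):
        return datetime.fromtimestamp(t, timezone.utc).isoformat()

    return {
        "path": os.path.abspath(path),
        "owner": owner,
        "mode": stat.filemode(st.st_mode),
        "size": st.st_size,
        "sha256": digest,
        # st_ctime is inode-change time on Linux, not creation time
        "status_changed": iso(st.st_ctime),
        "modified": iso(st.st_mtime),
        "writer": None,
        "modifier": None,
    }


def build_alert(program, records, path=None):
    """Stage 3: merge the behavior record with the file facts. If the binary is
    already gone (common for droppers) the alert still carries the behavior."""
    alert = {
        "program": program,
        "first_risk_time": min(t for t, _ in records),
        "behaviors": sorted({b for _, b in records}),
        "behavior_times": list(records),
        "file": None,
    }
    path = path or program
    if os.path.isfile(path):
        alert["file"] = file_provenance(path)
    return alert


def trace_sample():
    """Run the whole flow on the constructed data and return {program: alert}."""
    flagged = identify_risk_programs(SAMPLE_EVENTS)
    tmp = tempfile.NamedTemporaryFile(delete=False)
    try:
        tmp.write(SAMPLE_PAYLOAD)
        tmp.close()
        return {p: build_alert(p, r, path=tmp.name) for p, r in flagged.items()}
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for prog, alert in trace_sample().items():
        print(prog, alert["behaviors"], alert["file"]["sha256"])
```

In this run only /tmp/upd.bin is flagged: /usr/bin/backup shows two file writes, below the assumed threshold, and its process exit is not a risk behavior. A real deployment would take the program path from the process record rather than the event's program field, and would read the writer and modifier from audit logs, since the inode does not record who wrote the file.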
Claims (4)
1. A method for tracing the source of a risk program, characterized in that: the method judges program behavior to identify the high-risk programs currently present on the system, then queries in detail the program's start time, the time the high-risk behavior was executed, the path where the program is stored, the time the program was written to the system and the administrator who wrote the file, and then generates alert information so that the administrator can locate and resolve the problem faster.
2. The method for tracing the source of a risk program according to claim 1, characterized in that: the behavior of the high-risk program includes: frequent file writes, modification of file permissions, changes to system start-up items, DNS resolution, HTTP access, file download, e-mail login and mail sending.
3. The method for tracing the source of a risk program according to claim 1 or 2, characterized in that the risk program identification and tracing process is carried out by the program:
the software program automatically identifies the risky behavior currently present on the system; if risky behavior is found, it records the program name, the behavior and the time of the behavior;
the captured risk program is then queried in detail to obtain file information about the program's executable: the path where it is stored, the file's owner, the file size, the check value, the time the file was written to the system, the writer, the modification time and the modifier; this information is merged with the previously recorded program information into one record, which is saved and then sent as an alarm to the managing user.
4. The method for tracing the source of a risk program according to claim 3, characterized in that: the functional modules involved in the method include: a risk behavior comparison module, a program file information acquisition module, a risk behavior recording module, an alert information assembly and storage module, and an alert information sending and display module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610571928.4A CN106022115A (en) | 2016-07-20 | 2016-07-20 | Method for tracing risk program |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106022115A true CN106022115A (en) | 2016-10-12 |
Family
ID=57116066
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610571928.4A Pending CN106022115A (en) | 2016-07-20 | 2016-07-20 | Method for tracing risk program |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106022115A (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1801031A (en) * | 2004-12-31 | 2006-07-12 | 福建东方微点信息安全有限责任公司 | Method for judging whether a know program has been attacked by employing program behavior knowledge base |
CN1885224A (en) * | 2005-06-23 | 2006-12-27 | 福建东方微点信息安全有限责任公司 | Computer anti-virus protection system and method |
US20130333036A1 (en) * | 2005-06-24 | 2013-12-12 | International Business Machines Corporation | System, method and program for identifying and preventing malicious intrusions |
CN102110220A (en) * | 2011-02-14 | 2011-06-29 | 宇龙计算机通信科技(深圳)有限公司 | Application program monitoring method and device |
CN104753946A (en) * | 2015-04-01 | 2015-07-01 | 浪潮电子信息产业股份有限公司 | Security analysis framework based on network traffic meta data |
CN105376245A (en) * | 2015-11-27 | 2016-03-02 | 杭州安恒信息技术有限公司 | Rule-based detection method of ATP attack behavior |
Non-Patent Citations (1)
Title |
---|
高雷 (Gao Lei): "Design and Implementation of an Event Alert Analysis Engine", China Doctoral Dissertations and Master's Theses Full-text Database, Information Science and Technology series * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112260931A (en) * | 2020-09-18 | 2021-01-22 | 冠群信息技术(南京)有限公司 | Circulation traceability method and system based on e-mail |
CN112260931B (en) * | 2020-09-18 | 2022-06-14 | 冠群信息技术(南京)有限公司 | Circulation traceability method and system based on e-mail |
Similar Documents
Publication | Title |
---|---|
EP3497609B1 | Detecting scripted or otherwise anomalous interactions with social media platform |
US10084869B2 | Metering user behaviour and engagement with user interface in terminal devices |
US11218510B2 | Advanced cybersecurity threat mitigation using software supply chain analysis |
US20190026212A1 | Metering user behaviour and engagement with user interface in terminal devices |
US11797877B2 | Automated self-healing of a computing process |
JP2017504121A5 | |
WO2018035163A1 | Techniques for determining threat intelligence for network infrastructure analysis |
US20200067980A1 | Increasing security of network resources utilizing virtual honeypots |
US20180069897A1 | Visualization of security entitlement relationships to identify security patterns and risks |
US20120185337A1 | System and method for streamlining social media marketing |
US20210406368A1 | Deep learning-based analysis of signals for threat detection |
US10678915B2 | Method, device and program for checking and killing a backdoor file, and readable medium |
US20170061133A1 | Automated Security Vulnerability Exploit Tracking on Social Media |
CN107463839A | A kind of system and method for managing application program |
CN107360155A | A kind of automatic source tracing method of network attack and system based on threat information and sandbox technology |
US20150089300A1 | Automated risk tracking through compliance testing |
US11848830B2 | Techniques for detection and analysis of network assets under common management |
Kourouklidis et al. | Towards a low-code solution for monitoring machine learning model performance |
CN111371757A | Malicious communication detection method and device, computer equipment and storage medium |
US11552896B2 | Filtering network traffic from automated scanners |
CN106022115A | Method for tracing risk program |
US10115168B2 | Integrating metadata from applications used for social networking into a customer relationship management (CRM) system |
US10671725B2 | Malicious process tracking |
US20230214848A1 | Verifying and flagging negative feedback |
US11704362B2 | Assigning case identifiers to video streams |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20161012 |