CN106856477A - LAN-based threat handling method and apparatus - Google Patents

Publication number: CN106856477A
Authority: CN (China)
Prior art keywords: threat, treatment, target, user, target terminal
Legal status: Granted (current status: Active)
Application number: CN201611248756.3A
Other languages: Chinese (zh)
Other versions: CN106856477B (en)
Inventors: 潘山, 孟君, 刘学忠
Current assignees: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Beijing Qianxin Technology Co Ltd
Events: application filed by Beijing Qihoo Technology Co Ltd and Beijing Qianxin Technology Co Ltd; priority to CN201611248756.3A; publication of CN106856477A; application granted; publication of CN106856477B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

Embodiments of the invention provide a LAN-based threat handling method and apparatus. The method comprises: for a target user terminal in the LAN, performing threat handling on a threat process; and, after the threat handling has been performed on the threat process, if no exception occurs on the target user terminal, performing the same threat handling as on the target user terminal on all user terminals in the LAN that are affected by the threat process. Here, a first threat handling is performed on the threat process on the target user terminal; after the first threat handling has been performed on the threat process, if an exception occurs on the target user terminal, a second threat handling is performed on the threat process on the target user terminal. Embodiments of the invention thereby confine the set of user terminals on which threat handling may cause an exception to the target user terminal, and effectively prevent all user terminals in the LAN affected by the threat process from becoming abnormal as a result of that threat handling.

Description

LAN-based threat handling method and apparatus
Technical field
The present invention relates to the field of computer security, and in particular to a LAN-based threat handling method and a LAN-based threat handling apparatus.
Background
With the rapid spread of the Internet, the LAN has become an indispensable part of enterprise development. However, while it brings convenience to enterprises, the LAN also faces a variety of attacks and threats, such as leakage of confidential information, data loss, network abuse, identity spoofing and illegal intrusion.
At present, threat intelligence for a LAN can be obtained from reports by user terminals and/or from analysis on a server, and threat handling is then performed on the user terminals attacked by that threat. Existing LAN-based threat handling schemes generally isolate, on the attacked user terminal, the threat file corresponding to the threat intelligence.
In the course of practising the invention, the inventors found that existing LAN-based threat handling schemes have at least the following problem. A threat such as a file-infecting virus is persistent, regenerates strongly and embeds itself in system processes; after the threat file corresponding to such a virus has been isolated, the user terminal will inevitably suffer system faults such as file exceptions and loss of system functions, which interferes with normal use of the terminal. Moreover, when the number of user terminals attacked by the threat is large, a large number of user terminals in the LAN will suffer system faults, causing inconvenience to the enterprise.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a LAN-based threat handling method and a LAN-based threat handling apparatus that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, there is provided a LAN-based threat handling method, comprising:
for a target user terminal in the LAN, performing threat handling on a threat process, wherein the target user terminal is a subset of the user terminals in the LAN that are affected by the threat process;
after the threat handling has been performed on the threat process, if no exception occurs on the target user terminal, performing, on all user terminals in the LAN that are affected by the threat process, the same threat handling as on the target user terminal;
wherein the step of performing threat handling on the threat process for the target user terminal in the LAN comprises:
on the target user terminal, performing a first threat handling on the threat process;
after the first threat handling has been performed on the threat process, if an exception occurs on the target user terminal, performing a second threat handling on the threat process on the target user terminal.
Optionally, the first threat handling comprises isolation, and the second threat handling comprises system repair or system reinstallation.
Optionally, the step of performing the first threat handling on the threat process on the target user terminal comprises:
on the target user terminal, killing the threat process;
after the threat process has been killed, isolating the threat process on the target user terminal.
Optionally, the method further comprises: after the first threat handling has been performed on the threat process, monitoring whether an exception occurs on the target user terminal;
wherein the step of monitoring whether an exception occurs on the target user terminal comprises:
within a preset time period after the first threat handling has been performed on the threat process, monitoring the working state of the operating system of the target user terminal and judging from that working state whether an exception occurs on the target user terminal; and/or
within a preset time period after the first threat handling has been performed on the threat process, judging from feedback information of the user whether an exception occurs on the target user terminal.
Optionally, the step of performing threat handling on the threat process for the target user terminal in the LAN further comprises:
after the second threat handling has been performed on the threat process on the target user terminal, if an exception occurs on the target user terminal, performing a third threat handling on the threat process on the target user terminal.
Optionally, the step of performing, on all user terminals in the LAN that are affected by the threat process, the same threat handling as on the target user terminal comprises:
after the first threat handling has been performed on the threat process, if no exception occurs on the target user terminal, performing the first threat handling on the threat process on all user terminals in the LAN affected by the threat process; or
after the second threat handling has been performed on the threat process, if no exception occurs on the target user terminal, performing the second threat handling on the threat process on all user terminals in the LAN affected by the threat process; or
after the third threat handling has been performed on the threat process, if no exception occurs on the target user terminal, performing the third threat handling on the threat process on all user terminals in the LAN affected by the threat process.
Optionally, the threat process in the LAN is obtained as follows:
receiving the process behaviours reported by the user terminals in the LAN;
according to the process behaviours, building the process trees of a user terminal at different moments and the mapping between each process in the process tree and its process behaviours;
obtaining from the process tree a target process that matches a preset process behaviour pattern;
judging from the process behaviours of the target process whether the target process is a threat process.
Optionally, the preset process behaviour pattern comprises:
a file-associated process starts a non-operating-system process; and/or
a process, after modifying a first file in the file system, accesses a second file and encrypts it.
Optionally, the step of judging from the process behaviours of the target process whether the target process is a threat process comprises:
sending corresponding alert information for the target process, so that an administrator user judges, for the alert information and according to the process behaviours of the target process, whether the target process is a threat process; and/or
taking the target process or a descendant process of the target process as the process to be analysed, and judging from the execution parameters of the process behaviours of the process to be analysed whether the target process is a threat process.
Optionally, the user terminals in the LAN affected by the threat process are determined as follows:
obtaining, from file transmission events obtained in advance, the file transmission events to be analysed that correspond to the threat process, wherein the file transmission events are events reported by the user terminals in the LAN;
analysing the information of the file transmission events to be analysed to obtain the user terminals in the LAN affected by the threat process.
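The process-tree construction, the two preset behaviour patterns and the affected-terminal lookup described above, as an added Python illustration (this is example code written for this page, not the patent's implementation; the event format, the sets of operating-system and file-associated process names, and the rule that a terminal is affected when the threat file reached it through reported transfers are all assumptions):

```python
"""Process-tree building, behaviour-pattern matching and affected-terminal
lookup from file transmission events.  Example code added for this page,
not the patent's implementation; event formats and name sets are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Assumed name sets: processes treated as operating-system processes, and
# "file-associated" processes (document handlers launched to open a file).
OS_PROCESSES = {"explorer.exe", "svchost.exe", "conhost.exe"}
FILE_ASSOCIATED = {"winword.exe", "excel.exe", "acrord32.exe"}


@dataclass
class ProcNode:
    pid: int
    name: str
    ppid: Optional[int]
    behaviours: list = field(default_factory=list)   # (ts, action, target)
    children: list = field(default_factory=list)


class ProcessTree:
    """Process tree of one user terminal plus the process->behaviour map,
    built incrementally from the behaviour events the terminal reports."""

    def __init__(self, terminal: str):
        self.terminal = terminal
        self.nodes: dict[int, ProcNode] = {}

    def ingest(self, ev: dict) -> ProcNode:
        node = self.nodes.get(ev["pid"])
        if node is None:
            node = ProcNode(ev["pid"], ev["name"], ev.get("ppid"))
            self.nodes[ev["pid"]] = node
            parent = self.nodes.get(ev.get("ppid"))
            if parent is not None:
                parent.children.append(node)
        node.behaviours.append((ev["ts"], ev["action"], ev.get("target")))
        return node

    def file_handler_spawns_non_os(self) -> list[ProcNode]:
        """Pattern 1: a file-associated process starts a non-OS process."""
        hits = []
        for node in self.nodes.values():
            if node.name in FILE_ASSOCIATED:
                hits += [c for c in node.children if c.name not in OS_PROCESSES]
        return hits

    def modify_then_encrypt(self) -> list[ProcNode]:
        """Pattern 2: a process modifies file A, then accesses and encrypts
        a different file B (order taken from the event timestamps)."""
        hits = []
        for node in self.nodes.values():
            modified, accessed = set(), set()
            for _ts, action, target in sorted(node.behaviours, key=lambda b: b[0]):
                if action == "modify":
                    modified.add(target)
                elif action == "access" and modified and target not in modified:
                    accessed.add(target)
                elif action == "encrypt" and target in accessed:
                    hits.append(node)
                    break
        return hits

    def target_processes(self) -> list[ProcNode]:
        """Processes matching either pattern; still to be confirmed by an
        administrator or by execution-parameter analysis."""
        seen, out = set(), []
        for node in self.file_handler_spawns_non_os() + self.modify_then_encrypt():
            if node.pid not in seen:
                seen.add(node.pid)
                out.append(node)
        return out


def affected_terminals(transfers: list[dict], threat_file: str, origin: str) -> set[str]:
    """Terminals the threat file reached via reported file transmission
    events {src, dst, file}, following transfers transitively (assumption)."""
    reached, frontier = {origin}, [origin]
    while frontier:
        src = frontier.pop()
        for ev in transfers:
            if ev["file"] == threat_file and ev["src"] == src and ev["dst"] not in reached:
                reached.add(ev["dst"])
                frontier.append(ev["dst"])
    return reached


# Constructed sample reports from terminal "ws-07": Word opens a document,
# spawns an unknown binary that rewrites a script, then encrypts a spreadsheet.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1, "name": "explorer.exe", "action": "start"},
    {"ts": 2, "pid": 200, "ppid": 100, "name": "winword.exe", "action": "start", "target": "invoice.docx"},
    {"ts": 3, "pid": 300, "ppid": 200, "name": "upd.exe", "action": "start"},
    {"ts": 4, "pid": 300, "ppid": 200, "name": "upd.exe", "action": "modify", "target": "C:/Users/a/run.bat"},
    {"ts": 5, "pid": 300, "ppid": 200, "name": "upd.exe", "action": "access", "target": "C:/Users/a/report.xlsx"},
    {"ts": 6, "pid": 300, "ppid": 200, "name": "upd.exe", "action": "encrypt", "target": "C:/Users/a/report.xlsx"},
    {"ts": 7, "pid": 400, "ppid": 100, "name": "conhost.exe", "action": "start"},
]
# Constructed file transmission events reported by terminals in the LAN.
SAMPLE_TRANSFERS = [
    {"src": "ws-07", "dst": "ws-12", "file": "upd.exe"},
    {"src": "ws-12", "dst": "ws-19", "file": "upd.exe"},
    {"src": "ws-03", "dst": "ws-07", "file": "notes.txt"},
]


def demo() -> tuple[list[int], list[str]]:
    tree = ProcessTree("ws-07")
    for ev in SAMPLE_EVENTS:
        tree.ingest(ev)
    pids = [n.pid for n in tree.target_processes()]
    return pids, sorted(affected_terminals(SAMPLE_TRANSFERS, "upd.exe", "ws-07"))
```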
According to another aspect of the present invention, there is provided a LAN-based threat handling apparatus, comprising:
a local threat handling module, configured to perform threat handling on a threat process for a target user terminal in the LAN, wherein the target user terminal is a subset of the user terminals in the LAN that are affected by the threat process; and
a global threat handling module, configured to perform, after the threat handling has been performed on the threat process and if no exception occurs on the target user terminal, the same threat handling as on the target user terminal on all user terminals in the LAN that are affected by the threat process;
wherein the local threat handling module comprises:
a first threat handling submodule, configured to perform a first threat handling on the threat process on the target user terminal; and
a second threat handling submodule, configured to perform, after the first threat handling has been performed on the threat process and if an exception occurs on the target user terminal, a second threat handling on the threat process on the target user terminal.
Optionally, the first threat handling comprises isolation, and the second threat handling comprises system repair or system reinstallation.
Optionally, the first threat handling submodule comprises:
a process killing unit, configured to kill the threat process on the target user terminal; and
a process isolation unit, configured to isolate the threat process on the target user terminal after the threat process has been killed.
Optionally, the apparatus further comprises an exception monitoring module, configured to monitor whether an exception occurs on the target user terminal after the first threat handling has been performed on the threat process;
the exception monitoring module comprises:
a first exception monitoring submodule, configured to monitor, within a preset time period after the first threat handling has been performed on the threat process, the working state of the operating system of the target user terminal and to judge from that working state whether an exception occurs on the target user terminal; and/or
a second exception monitoring submodule, configured to judge, within a preset time period after the first threat handling has been performed on the threat process, from feedback information of the user whether an exception occurs on the target user terminal.
Optionally, the local threat handling module further comprises:
a third threat handling submodule, configured to perform, after the second threat handling has been performed on the threat process on the target user terminal and if an exception occurs on the target user terminal, a third threat handling on the threat process on the target user terminal.
Optionally, the global threat handling module comprises:
a first global threat handling submodule, configured to perform, after the first threat handling has been performed on the threat process and if no exception occurs on the target user terminal, the first threat handling on the threat process on all user terminals in the LAN affected by the threat process; or
a second global threat handling submodule, configured to perform, after the second threat handling has been performed on the threat process and if no exception occurs on the target user terminal, the second threat handling on the threat process on all user terminals in the LAN affected by the threat process; or
a third global threat handling submodule, configured to perform, after the third threat handling has been performed on the threat process and if no exception occurs on the target user terminal, the third threat handling on the threat process on all user terminals in the LAN affected by the threat process.
Optionally, the apparatus further comprises a threat process acquisition module, configured to obtain the threat process in the LAN;
the threat process acquisition module comprises:
a receiving submodule, configured to receive the process behaviours reported by the user terminals in the LAN;
a building submodule, configured to build, according to the process behaviours, the process trees of a user terminal at different moments and the mapping between each process in the process tree and its process behaviours;
a target process acquisition submodule, configured to obtain from the process tree a target process that matches a preset process behaviour pattern; and
a threat judging submodule, configured to judge from the process behaviours of the target process whether the target process is a threat process.
Optionally, the preset process behaviour pattern comprises:
a file-associated process starts a non-operating-system process; and/or
a process, after modifying a first file in the file system, accesses a second file and encrypts it.
Optionally, the threat judging submodule comprises:
a first threat judging unit, configured to send corresponding alert information for the target process, so that an administrator user judges, for the alert information and according to the process behaviours of the target process, whether the target process is a threat process; and/or
a second threat judging unit, configured to take the target process or a descendant process of the target process as the process to be analysed, and to judge from the execution parameters of the process behaviours of the process to be analysed whether the target process is a threat process.
Optionally, the apparatus further comprises a terminal determining module, configured to determine the user terminals in the LAN affected by the threat process;
the terminal determining module comprises:
a transmission event acquisition submodule, configured to obtain, from file transmission events obtained in advance, the file transmission events to be analysed that correspond to the threat process, wherein the file transmission events are events reported by the user terminals in the LAN; and
a transmission event analysis submodule, configured to analyse the information of the file transmission events to be analysed to obtain the user terminals in the LAN affected by the threat process.
With the LAN-based threat handling method and apparatus of embodiments of the present invention, the same threat handling as on the target user terminal is performed on all user terminals in the LAN affected by the threat process only once it has been established that the threat handling does not cause an exception on the target user terminal, and the target user terminal is only a subset of the user terminals in the LAN affected by the threat process. Embodiments of the invention therefore confine the user terminals on which threat handling may cause an exception to the target user terminal, effectively prevent all user terminals in the LAN affected by the threat process from becoming abnormal as a result of the threat handling, and thus effectively ensure the availability of the large number of user terminals in the LAN.
Moreover, when performing threat handling on the threat process for the target user terminal in the LAN, embodiments of the invention can perform several rounds of threat handling on the threat process. Specifically, a first threat handling is performed on the threat process on the target user terminal; if an exception occurs on the target user terminal after the first threat handling has been performed, a second threat handling is performed on the threat process, the first and second threat handling being different treatments. Because the threat process can be handled several times, a threat handling means that does not cause an exception on the target user terminal can be found through repeated handling even for threat processes that are persistent, regenerate strongly or embed themselves in system processes; threat handling on the target user terminal can thus be completed successfully, and in turn threat handling on all user terminals in the LAN affected by the threat process can be achieved.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be understood more clearly and practised according to the content of the specification, and in order that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of optional embodiments. The drawings are only for the purpose of showing optional embodiments and are not to be considered a limitation of the invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flow chart of the steps of a LAN-based threat handling method according to an embodiment of the invention;
Fig. 2 shows a flow chart of the steps of a LAN-based threat handling method according to an embodiment of the invention;
Fig. 3 shows a flow chart of the steps of a LAN-based threat handling method according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the structure of a process tree of the invention;
Fig. 5 shows a flow chart of the steps of a LAN-based threat handling method according to an embodiment of the invention; and
Fig. 6 shows a schematic diagram of the structure of a LAN-based threat handling apparatus according to an embodiment of the invention.
Detailed description of embodiments
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Referring to Fig. 1, which shows a flow chart of the steps of a LAN-based threat handling method according to an embodiment of the invention, the method may comprise the following steps:
Step 101: for a target user terminal in the LAN, perform threat handling on a threat process, wherein the target user terminal is a subset of the user terminals in the LAN affected by the threat process;
Step 102: after the threat handling has been performed on the threat process, if no exception occurs on the target user terminal, perform, on all user terminals in the LAN affected by the threat process, the same threat handling as on the target user terminal;
wherein step 101, performing threat handling on the threat process for the target user terminal in the LAN, may comprise:
Step 111: on the target user terminal, perform a first threat handling on the threat process;
Step 112: after the first threat handling has been performed on the threat process, if an exception occurs on the target user terminal, perform a second threat handling on the threat process on the target user terminal.
Embodiments of the invention can be applied to LANs such as enterprise networks, government networks and campus networks. In such a LAN, the server is the device that controls the other user terminals in the LAN to perform security detection, and a user terminal is a terminal that responds to the server's control instructions and exchanges data with the server. In practice, a server agent module can be deployed on the server and a software client module on each user terminal, so that, in an architecture similar to C/S (client/server), the LAN server controls the user terminals and the user terminals respond to that control and communicate with the server. The server and the user terminals may communicate by a standard protocol or a proprietary protocol; a proprietary protocol has the advantages of being closed and secure. It will be appreciated that embodiments of the invention do not limit the specific communication mode between the server and the user terminals.
In practice, the user of the server may be an advanced user with some network security knowledge, such as a network administrator; the server's user can therefore flexibly set the corresponding control instructions according to the current security requirements and actual situation of the LAN.
In embodiments of the invention, a threat process denotes a process that is abnormal or poses a threat. The LAN threat handling method of embodiments of the invention can first perform threat handling for a subset of the user terminals in the LAN affected by the threat process (the target user terminal) and, after the threat handling has been performed on the threat process, if no exception occurs on the target user terminal, perform the same threat handling on all user terminals in the LAN affected by the threat process. Because the same handling is extended to all affected terminals only once it has been established that it does not cause an exception on the target user terminal, and the target user terminal is only a subset of the affected terminals, the user terminals on which threat handling may cause an exception are confined to the target user terminal; this effectively prevents all user terminals in the LAN affected by the threat process from becoming abnormal as a result of the threat handling, and thus effectively ensures the availability of the large number of user terminals in the LAN.
Moreover, when performing threat handling on the threat process for the target user terminal in the LAN, embodiments of the invention can perform several rounds of threat handling on the threat process. Specifically, a first threat handling is performed on the threat process on the target user terminal; if an exception occurs on the target user terminal after the first threat handling has been performed, a second threat handling is performed on the threat process, the first and second threat handling being different treatments. Because the threat process can be handled several times, a threat handling means that does not cause an exception on the target user terminal can be found through repeated handling even for threat processes that are persistent, regenerate strongly or embed themselves in system processes; threat handling on the target user terminal can thus be completed successfully, and in turn threat handling on all user terminals in the LAN affected by the threat process can be achieved.
In embodiments of the invention, the target user terminal is a subset of the user terminals in the LAN affected by the threat process. It will be understood that the server's user can determine the number of target user terminals according to practical requirements: for example, the number may be 1, 2, 3 or N/M, where N is the number of all user terminals in the LAN affected by the threat process and M is a positive integer greater than or equal to 2. Embodiments of the invention do not limit the specific number of target user terminals.
In embodiments of the invention, a first control instruction may be used to instruct the target user terminal to perform threat handling on the threat process. The first control instruction may carry information on the threat process and information on the threat handling: the threat process information may include the name and the PID (process identifier) of the threat process, and the threat handling information may include the threat handling means, for example the first threat handling or the second threat handling. Optionally, the first control instruction may comprise a first handling control instruction and a second handling control instruction. The server may first issue the first handling control instruction to the target user terminal, instructing it to perform the first threat handling on the threat process; this instruction may carry the threat process information and the information on the first threat handling. Then, after the first threat handling has been performed on the threat process, the server may monitor whether an exception occurs on the target user terminal and, if so, issue the second handling control instruction to the target user terminal, instructing it to perform the second threat handling on the threat process. It will be understood that if no exception occurs on the target user terminal after the first threat handling has been performed on the threat process, the first handling control instruction may instead be issued to all user terminals in the LAN affected by the threat process. Embodiments of the invention do not limit the specific control flow of the server towards the target user terminal or towards all user terminals.
In an optional embodiment of the invention, the first threat handling may comprise isolation, and the second threat handling may comprise system repair or system reinstallation. That is, after the threat process has been isolated, if an exception occurs on the target user terminal, system repair or system reinstallation may be performed on the target user terminal for the threat process. Isolation isolates the threat process; system repair repairs the damaged operating system; and system reinstallation replaces the operating system with a fresh installation.
Further optionally, step 111, performing the first threat handling on the threat process on the target user terminal, may comprise: killing the threat process on the target user terminal, and, after the threat process has been killed, isolating the threat process on the target user terminal. Optionally, the threat process may be killed by terminating or stopping it, and isolated on the target user terminal by forbidding (blocking) it. Embodiments of the invention do not limit the specific procedure for killing and isolating the threat process.
In a kind of alternative embodiment of the invention, the method for the embodiment of the present invention can also include:For threaten into After the threats of Cheng Jinhang first treatment, monitor whether the target terminal user exception occurs;
Wherein, whether the monitoring target terminal user there is the exception monitoring mode that abnormal step is used, Can include:
In exception monitoring mode 1, the preset time period after the first threat treatment is carried out for threat process, monitoring is described The working condition of the operating system of target terminal user, judges whether the target terminal user occurs according to the working condition It is abnormal;And/or
In exception monitoring mode 2, the preset time period after the first threat treatment is carried out for threat process, according to user Feedback information, judge whether the target terminal user exception occurs.
Wherein, after the first threat treatment is carried out for threat process, exception occurs in the target terminal user can wrap Include:There is exception in the operating system of target terminal user, for example, the kernel of operating system collapse or operating system is absorbed in extremely Circulation namely deadlock etc..
Exception monitoring mode 1 can be monitored in the preset time period after carrying out the first threat treatment for threat process The working condition of the operating system of the target terminal user, judges that the target terminal user is with according to the working condition It is no exception occur.Alternatively, exception monitoring mode 1 can (such as CPU, internal memory, I/O set with the resource utilization of monitor operating system Standby actually used ratio), the working index such as system response time (the time required to response is input to), and refer to according to the work Mark judges whether target terminal user exception occurs.It is alternatively possible to judge to monitor the working index for obtaining whether in default finger In the range of mark, if it is not, it is abnormal etc. then to can be determined that target terminal user occurs.It is appreciated that the embodiment of the present invention is for work The specific monitoring mode for making situation is not any limitation as.
Exception monitoring mode 2 can judge whether the target terminal user exception occurs according to the feedback information of user. Wherein, as the user of target terminal user, (such as operating system collapses the exception that it can clearly perceive target terminal user Burst or the kernel of operating system be absorbed in endless loop etc.) situation, therefore after the exception for perceiving target terminal user, can be to mesh Mark user terminal sends corresponding feedback information, so that target terminal user reports above-mentioned feedback information to server.
In the embodiment of the present invention, preset time period can be the time period of random length, for example, the length of the preset time period Degree can be 1 day, even 7 days etc. 2 days, in 1 day, 2 days or even 7 days after the first threat treatment is carried out for threat process, If exception occurs in target terminal user, the exception that the first threat treatment causes is construed as.
In an optional embodiment of the invention, the step of performing threat handling on the threat process in a target user terminal of the LAN may further comprise: if the target user terminal becomes abnormal after the second threat handling has been performed on the threat process, performing a third threat handling on the threat process in the target user terminal. The third threat handling may differ from both the first and the second threat handling; for example, the first threat handling is isolation, the second is system repair, and the third is system reinstallation. Optionally, system reinstallation may comprise backing up the data of each target user terminal and then reinstalling its operating system; for example, the user data of the target user terminal may be copied to a non-system partition or to a safe mobile device before the system is reinstalled on the terminal. The embodiment does not limit the specific reinstallation procedure.
It will be understood that the target user terminal may likewise be monitored for abnormality after the second threat handling and after the third threat handling have been performed on the threat process. Since this monitoring is similar to the monitoring after the first threat handling, it is not repeated here; the descriptions may be consulted with reference to each other.
In an optional embodiment of the invention, step 102, performing on all user terminals in the LAN affected by the threat process the same threat handling as on the target user terminal, can synchronize that threat handling across the LAN. In practice, the user terminals in the LAN affected by the threat process, other than the target user terminal, may be subjected to the same threat handling as the target user terminal, and the corresponding procedure may comprise:
after the first threat handling has been performed on the threat process, if the target user terminal has not become abnormal, performing the first threat handling on the threat process on all user terminals in the LAN affected by the threat process; or
after the second threat handling has been performed on the threat process, if the target user terminal has not become abnormal, performing the second threat handling on the threat process on all user terminals in the LAN affected by the threat process; or
after the third threat handling has been performed on the threat process, if the target user terminal has not become abnormal, performing the third threat handling on the threat process on all user terminals in the LAN affected by the threat process.
In summary, in the LAN-based threat handling method of this embodiment, the same threat handling as on the target user terminal is applied to all user terminals in the LAN affected by the threat process only once it has been confirmed that the handling does not make the target user terminal abnormal. Because the target user terminals are only a subset of the affected terminals, the range of terminals that may become abnormal because of the threat handling is confined to the target user terminals; the method therefore avoids all affected terminals in the LAN becoming abnormal because of the handling and effectively protects the availability of the many user terminals in the LAN.
Furthermore, when handling a threat process on a target user terminal in the LAN, the embodiment can apply several rounds of threat handling: first a first threat handling on the target user terminal and, if the target user terminal becomes abnormal afterwards, a second threat handling, where the first and second threat handling may be different. Because threat handling is applied repeatedly, the embodiment can cope with threat processes that are stubborn, that regenerate strongly, or that are embedded in system processes, and can arrive through successive rounds at a handling method that does not make the target user terminal abnormal; it can thus successfully handle the threat on the target user terminal and then on all user terminals in the LAN affected by the threat process.
Referring to Fig. 2, a flow chart of the steps of a LAN-based threat handling method according to an embodiment of the invention is shown. The method may comprise the following steps:
Step 201: the server selects some of the user terminals in the LAN affected by the threat process as target user terminals;
Step 202: the server issues an isolation control instruction to the target user terminals, instructing them to isolate the threat process;
Optionally, the isolation control instruction may carry the information of the threat process and the information of the isolation handling.
Step 203: on receiving the isolation control instruction, the target user terminal isolates the threat process;
Step 204: after the target user terminal has isolated the threat process, the server monitors whether the target user terminal becomes abnormal; if so, step 207 is performed, otherwise step 205;
Specifically, the server monitors whether the target user terminal becomes abnormal during a preset time period after the threat process has been isolated.
Step 205: the server sends the isolation control instruction to the other user terminals, instructing them to isolate the threat process;
Here the other user terminals are those user terminals, among all user terminals in the LAN affected by the threat process, that are not target user terminals.
Step 206: on receiving the isolation control instruction, the other user terminals isolate the threat process;
Step 207: the server sends a system repair control instruction to the target user terminal, instructing it to perform system repair for the threat process;
Step 208: on receiving the system repair control instruction, the target user terminal performs system repair for the threat process;
Step 209: after the target user terminal has performed system repair for the threat process, the server monitors whether the target user terminal becomes abnormal; if so, step 212 is performed, otherwise step 210;
Step 210: the server sends the system repair control instruction to the other user terminals, instructing them to perform system repair for the threat process;
Step 211: on receiving the system repair control instruction, the other user terminals perform system repair for the threat process;
Step 212: the server sends a system reinstallation control instruction to all user terminals in the LAN affected by the threat process, instructing them to perform system reinstallation for the threat process;
Step 213: on receiving the system reinstallation control instruction, all user terminals affected by the threat process perform system reinstallation.
It should be noted that because system reinstallation renews the operating system, it generally does not cause the user terminal to become abnormal; therefore, if the target user terminal becomes abnormal after system repair has been performed for the threat process, the embodiment may apply system reinstallation directly to all user terminals affected by the threat process (after the data backup described above).
In summary, the LAN-based threat handling method of this embodiment handles the threat process in the priority order isolation, then system repair, then system reinstallation. Because the handling methods are tried in order of increasing time cost, the method effectively protects the availability of the many user terminals in the LAN and, to some extent, reduces the operating cost of threat handling.
It will be understood that the priority order isolation, system repair, system reinstallation is only one optional embodiment of the priority of the various threat handling methods; those skilled in the art may use other priorities according to the needs of the application, for example isolation followed directly by system reinstallation. The embodiment does not limit the specific priority of the threat handling methods.
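The staged flow of Fig. 2 and the two anomaly monitoring modes, as an added example in Python that is not part of the patent: a simulated server-side controller applies each handling method in a configurable priority list to a subset of affected terminals first, judges them abnormal if any working index leaves its preset range or the user reports a problem, rolls the handling out to the remaining terminals only when no target became abnormal, and applies the final handling to every terminal directly as in step 212. The terminals, their reactions and the index thresholds are constructed for the example; the patent specifies no concrete values.

```python
"""Added example, not from the patent: a simulated server-side controller for
the staged handling described above. A subset of the affected terminals is
handled first; if none of them becomes abnormal during the monitoring period
the same handling is rolled out to the rest, otherwise the next handling in the
priority list is tried. The final handling (system reinstall in Fig. 2) is
applied to every affected terminal directly, as in step 212."""
from dataclasses import dataclass, field

# Preset index ranges for anomaly monitoring mode 1. The values are assumed
# for this example; the patent specifies no concrete thresholds.
PRESET_RANGES = {"cpu": (0.0, 0.90), "memory": (0.0, 0.90), "response_ms": (0, 2000)}
NORMAL = {"indices": {"cpu": 0.20, "memory": 0.35, "response_ms": 120}, "user_feedback": False}


@dataclass
class Terminal:
    """A simulated user terminal. `reactions` maps a handling method to the
    observation the server would collect during the preset monitoring period:
    the OS working indices (mode 1) and whether the user reported an
    abnormality (mode 2). Handling methods not listed are tolerated."""
    name: str
    reactions: dict
    applied: list = field(default_factory=list)

    def apply(self, handling: str) -> dict:
        self.applied.append(handling)
        return self.reactions.get(handling, NORMAL)


def index_abnormal(indices: dict) -> bool:
    """Anomaly monitoring mode 1: any working index outside its preset range."""
    return any(not lo <= indices[k] <= hi for k, (lo, hi) in PRESET_RANGES.items())


def is_abnormal(observation: dict) -> bool:
    """Mode 1 (working indices) and/or mode 2 (user feedback)."""
    return index_abnormal(observation["indices"]) or bool(observation.get("user_feedback"))


def handle_threat(affected, targets, priority=("isolate", "repair", "reinstall")):
    """Run the escalation. Returns the handling finally applied to all affected
    terminals and the (terminal, handling) pairs judged abnormal on the way."""
    others = [t for t in affected if t not in targets]
    abnormal_log = []
    for stage, handling in enumerate(priority):
        if stage == len(priority) - 1:
            for t in affected:          # last stage goes to everyone directly
                t.apply(handling)
            return handling, abnormal_log
        observations = [(t, t.apply(handling)) for t in targets]  # all targets first
        bad = [(t.name, handling) for t, obs in observations if is_abnormal(obs)]
        if bad:
            abnormal_log.extend(bad)
            continue                    # escalate, still only on the targets
        for t in others:                # targets stayed healthy: roll out LAN-wide
            t.apply(handling)
        return handling, abnormal_log
    return None, abnormal_log


def demo():
    """Constructed scenario: the threat process is embedded in a system
    process, so isolating it makes the target terminals hang (response time
    out of range, user complains); system repair works and is rolled out."""
    hang = {"indices": {"cpu": 0.99, "memory": 0.40, "response_ms": 30000}, "user_feedback": True}
    t1 = Terminal("pc-01", {"isolate": hang})
    t2 = Terminal("pc-02", {"isolate": hang})
    others = [Terminal(f"pc-{i:02d}", {"isolate": hang}) for i in range(3, 8)]
    affected = [t1, t2] + others
    final, log = handle_threat(affected, targets=[t1, t2])
    return final, log, [t.applied for t in affected]


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario only the two target terminals ever receive the isolation step; the other five receive repair alone, which is the containment of blast radius the embodiment claims.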
In practice, the server may obtain the threat process in the LAN in any manner, for example from feedback reported by user terminals. In one application example of the invention, a user terminal experiences a system abnormality after downloading an e-mail attachment named "Purchase Form.doc"; the user terminal may then report the process corresponding to that attachment as a threat process.
In an optional embodiment of the invention, the process behaviour reported by user terminals may be used to detect whether the process corresponding to that behaviour presents a threat.
Referring to Fig. 3, a flow chart of the steps of a method for obtaining a threat process in a LAN according to an embodiment of the invention is shown. The method may comprise the following steps:
Step 301: receiving the process behaviour reported by user terminals in the LAN;
Step 302: from the process behaviour, establishing the process tree of the user terminal at different moments and the mapping between each process in the process tree and its process behaviour;
Step 303: obtaining from the process tree a target process that matches a preset process behaviour pattern;
Step 304: judging from the process behaviour of the target process whether the target process is a threat process.
In the embodiment, a second control instruction may be used to instruct user terminals to report process behaviour to the server; on receiving it, a user terminal monitors the behaviour of its local processes and reports the monitored behaviour to the server. Optionally, the user terminal may capture and report process behaviour without affecting the user's normal use of the terminal, so that the user experience is not affected.
Optionally, process behaviour may include, but is not limited to, at least one of process start/stop behaviour, memory behaviour and change behaviour. Memory behaviour may include process injection behaviour, file access behaviour and network connection behaviour; network connection behaviour may include at least one of URL (Uniform Resource Locator) access, IP (Internet Protocol) address access, port access and DNS (Domain Name System) access. Change behaviour may include system change behaviour (creation, deletion and modification of registry entries), account change behaviour (creation of accounts, changes of account privileges) and file change behaviour. The embodiment does not limit the specific process behaviours.
After receiving the process behaviour reported by each user terminal, the server may record the information of the received process behaviour. Optionally, that information may include, but is not limited to, fields such as the process information and the execution parameters of the process behaviour.
In the embodiment, a process tree is the relationship between the processes on a user terminal; it generally consists of parent processes and child processes. After a program's process runs, it may create or call other processes, thereby forming a process tree. Referring to Fig. 4, which shows the structure of a process tree of the invention, child nodes B and C of node A are child processes created or called by A; as parents, nodes B and C in turn created or called their own child processes D and E, and F and G respectively. The information of each process in the process tree may include the process name, the characteristic value (for example a hash) of the program corresponding to the process, the parent process, and so on; the embodiment does not limit the specific information of each process in the tree. In practice, the name of a node in the process tree may or may not coincide with the name of the corresponding process; the embodiment is mainly described taking the case where they coincide as an example.
In an optional embodiment of the invention, the process tree of the user terminal at different moments may be established from the process start/stop behaviour included in the process behaviour. Optionally, start/stop behaviour may include the start time and stop time of each process and the processes that each process created or called, so that the nodes of the process tree can be obtained from it. For example, processes A, B and C start at moments 1, 2 and 3 respectively; if A is the first process in the system, root node A of the tree is obtained; if A created or called B and C, child nodes B and C of the root node are obtained, and the process tree of Fig. 4 follows from this procedure. It should be noted that the process tree changes as the start/stop behaviour changes, so the process tree of the user terminal at different moments can be obtained, and comparing the trees at an earlier and a later moment yields the change in start/stop behaviour.
In another optional embodiment of the invention, the method may further comprise: receiving a system snapshot of a certain moment reported by the user terminal. Step 302, establishing the process tree of the user terminal at different moments from the process behaviour, may then comprise establishing the process trees at different moments from the process behaviour on the basis of the system snapshot. In the embodiment, the system snapshot represents the system state of the user terminal at a moment T, which may include the processes present at moment T and their behaviour, the registry, files and other state; the snapshot may thus be considered to include the process tree at moment T. Building the process trees at different moments from the process behaviour on the basis of the snapshot reduces the computation needed to build them and improves the efficiency of building the process tree.
In another optional embodiment of the invention, the system snapshot may be the system state of the user terminal at a first moment T1, and the process behaviour may include start/stop behaviour; establishing the process trees at different moments on the basis of the snapshot may then comprise obtaining the process tree of the user terminal at a second moment T2 from the start/stop behaviour after the first moment T1. T2 is later than T1; nodes are added to or deleted from process tree 1, which corresponds to the snapshot, to obtain the process tree at moment T2. Optionally, T1 may be any moment after the operating system has finished starting; for example, if the operating system finishes starting at T0, T1 is a moment after T0. The embodiment does not limit the specific T1.
In an optional embodiment of the invention, the process behaviour may include a series of behaviours produced after a process starts, such as start/stop behaviour and/or memory behaviour and/or change behaviour; establishing, in step 302, the mapping between each process in the process tree and its process behaviour may then comprise establishing, for each process in the tree, its mapping to its start/stop behaviour and/or memory behaviour and/or change behaviour.
After step 302 has established the process trees of the user terminal at different moments and the mapping between each process in the tree and its process behaviour, step 303 may obtain from the process tree the target process that matches a preset process behaviour pattern.
A preset behaviour pattern represents a suspicious or malicious pattern of process behaviour. In practice, those skilled in the art may determine any preset behaviour pattern required by the application. In one optional embodiment of the invention, the preset behaviour pattern may be a document-associated process starting a non-operating-system process, for example the winword process starting a non-Microsoft child process, winword being a document-associated process. In another optional embodiment, the preset behaviour pattern may be a process that changes a first file in the file system and then accesses a second file and encrypts it; for example, after changing file records in the MFT (the NTFS Master File Table), the process rapidly accesses Office documents. This pattern is the behaviour of ransomware: the malicious process first deletes file records in the MFT so that the files cannot be recovered, then searches for documents and encrypts them.
In practice, each process in the process tree may be traversed; for the current process obtained by the traversal, its process behaviour is obtained from the mapping and it is judged whether that behaviour matches the preset behaviour pattern. It will be understood that the embodiment does not limit the specific procedure for obtaining from the process tree the target process that matches the preset process behaviour pattern.
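Steps 302 and 303 as an added example in Python, not code from the patent: start/stop events are replayed up to a chosen moment to obtain the process tree at that moment (stopped processes stay in the tree, marked as stopped), every other event is kept as that process's behaviour, and the tree is then traversed for the two preset patterns described above. The event stream, the vendor field used to tell Microsoft processes from others, the list of document-associated process names, the Office extensions and the 60-second window are all constructed assumptions of this example.

```python
"""Added example, not from the patent: building a terminal's process tree at a
given moment from reported start/stop events, keeping the process-to-behaviour
mapping, and scanning the tree for the two preset behaviour patterns named
above. All events below are constructed; the vendor field, the document
process list, the extension list and the 60-second window are assumptions."""
from collections import defaultdict

DOCUMENT_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed list
OFFICE_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
WINDOW_SECONDS = 60

# Constructed event stream for one terminal (t = seconds since boot).
EVENTS = [
    {"t": 1, "kind": "start", "pid": 1, "ppid": 0, "name": "explorer.exe", "vendor": "Microsoft"},
    {"t": 2, "kind": "start", "pid": 2, "ppid": 1, "name": "winword.exe", "vendor": "Microsoft"},
    {"t": 3, "kind": "start", "pid": 3, "ppid": 2, "name": "svc_update.exe", "vendor": "unknown"},
    {"t": 4, "kind": "file_change", "pid": 3, "path": "\\$MFT", "op": "delete_record"},
    {"t": 5, "kind": "file_access", "pid": 3, "path": "C:\\docs\\q1.docx"},
    {"t": 6, "kind": "file_change", "pid": 3, "path": "C:\\docs\\q1.docx", "op": "encrypt"},
    {"t": 7, "kind": "file_access", "pid": 3, "path": "C:\\docs\\budget.xlsx"},
    {"t": 8, "kind": "file_change", "pid": 3, "path": "C:\\docs\\budget.xlsx", "op": "encrypt"},
    {"t": 9, "kind": "stop", "pid": 2},
]


def build_tree(events, until_t):
    """Replay events up to `until_t`. Returns (procs, children, behaviours):
    known processes by pid (with an `alive` flag), parent pid -> child pids,
    and the mapping from each pid to the non-start/stop behaviour it produced."""
    procs, children, behaviours = {}, defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["t"] > until_t:
            break
        if ev["kind"] == "start":
            procs[ev["pid"]] = dict(ev, alive=True)
            children[ev["ppid"]].append(ev["pid"])
        elif ev["kind"] == "stop":
            if ev["pid"] in procs:
                procs[ev["pid"]]["alive"] = False   # keep the node, mark it stopped
        else:
            behaviours[ev["pid"]].append(ev)
    return procs, children, behaviours


def pattern_doc_spawns_non_os(pid, procs, children):
    """Pattern 1: a document-associated process starts a non-OS child."""
    return procs[pid]["name"] in DOCUMENT_PROCESSES and any(
        procs[c]["vendor"] != "Microsoft" for c in children.get(pid, []))


def pattern_mft_then_encrypt(pid, behaviours):
    """Pattern 2: an MFT record change followed, within WINDOW_SECONDS, by
    access to at least two Office documents that the process then encrypts."""
    evs = behaviours.get(pid, [])
    mft = [e for e in evs if e["kind"] == "file_change" and e["path"].endswith("$MFT")]
    if not mft:
        return False
    t0 = mft[0]["t"]
    docs = {e["path"] for e in evs
            if e["kind"] == "file_access" and t0 < e["t"] <= t0 + WINDOW_SECONDS
            and e["path"].lower().endswith(OFFICE_EXTENSIONS)}
    encrypted = {e["path"] for e in evs if e["kind"] == "file_change" and e.get("op") == "encrypt"}
    return len(docs & encrypted) >= 2


def find_target_processes(events, until_t):
    """Step 303: traverse the tree at moment `until_t` and return the
    (pid, name, pattern) triples whose behaviour matches a preset pattern."""
    procs, children, behaviours = build_tree(events, until_t)
    hits = []
    for pid in sorted(procs):
        if pattern_doc_spawns_non_os(pid, procs, children):
            hits.append((pid, procs[pid]["name"], "doc_process_spawns_non_os"))
        if pattern_mft_then_encrypt(pid, behaviours):
            hits.append((pid, procs[pid]["name"], "mft_change_then_document_encrypt"))
    return hits


if __name__ == "__main__":
    print(find_target_processes(EVENTS, until_t=2))   # tree at t=2: nothing suspicious
    print(find_target_processes(EVENTS, until_t=9))   # both patterns present
```

Pattern 1 flags the parent (winword.exe) as the target process, which is why judgment mode 2 below analyses either the target or its descendants: the suspicious command line belongs to the child. Pattern 2 fires only once a second document has been accessed and encrypted after the MFT change, which keeps a single legitimate file operation from triggering it.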
Step 304 judges from the process behaviour of the target process obtained in step 303 whether the target process is a threat process.
The embodiment may provide the following judgment modes for judging, from the process behaviour of the target process, whether it is a threat process:
Judgment mode 1: send corresponding alert information for the target process, so that an administrator can judge from the alert information and the process behaviour of the target process whether the target process is a threat process; and/or
Judgment mode 2: take the target process, or a descendant process of the target process, as the process to be analysed, and judge from the execution parameters of the process behaviour of the process to be analysed whether the target process is a threat process.
In judgment mode 1, corresponding alert information is sent for the target process; the administrator receives the alert information and judges manually whether the target process is a threat process, for example by analysing the process behaviour manually and deciding according to the result of the analysis. The analysis may include excluding specific fields such as the execution parameters of the behaviour, and statistical operations.
Judgment mode 2 takes the target process or one of its descendant processes as the process to be analysed. The execution parameters of the process behaviour of the process to be analysed indicate which behaviour the target process, or its descendant processes, generated, so whether the target process is a threat process can be judged from these execution parameters.
In an optional embodiment of the invention, judging from the execution parameters of the process behaviour of the process to be analysed whether the target process is a threat process may comprise:
if a command-line script environment parameter included in the execution parameters involves script-encoding behaviour, the security detection result of the target process is unsafe; and/or
if a policy exclusion parameter included in the execution parameters involves bypassing the execution restriction policy, the security detection result of the target process is unsafe.
Here powershell is one example of a command-line script environment parameter: if the powershell command line includes a script-encoding parameter such as enc (the -EncodedCommand switch, which takes the script as Base64-encoded UTF-16LE text instead of in clear), the security detection result of the target process may be considered unsafe.
Excludepolicy is one example of a policy exclusion parameter (in PowerShell terms, the -ExecutionPolicy parameter with a value such as Bypass): if it involves bypassing the execution restriction policy, the security detection result of the target process may be considered unsafe. The execution restriction policy is a group policy that, while restriction is enabled, prevents commands from being executed through powershell; there are, however, many ways to bypass it, which gives a malicious process an opportunity. When detecting the security of the target process from the execution parameters of the process to be analysed, the embodiment may execute those parameters: with the execution restriction policy enabled, executing them produces a corresponding prompt message, which the embodiment can capture with an EDR (Endpoint Detection and Response) component. If the capture succeeds, Excludepolicy is considered to involve bypassing the execution restriction policy, and the security detection result of the target process is considered unsafe.
It will be understood that checking the command-line script environment parameter for script-encoding behaviour and the policy exclusion parameter for bypassing of the execution restriction policy are only optional embodiments of the invention; those skilled in the art may also detect other behaviours included in the execution parameters according to the needs of the application, and the embodiment does not limit the specific procedure for detecting the security of the target process from the execution parameters of the process behaviour of the process to be analysed. Furthermore, it will be understood that in the embodiment the security detection result of the target process may also be: safe.
In summary, the LAN-based security detection method of this embodiment obtains, by analysing the process trees of the user terminal at different moments and the mapping between each process in the tree and its process behaviour, the target process that matches a preset process behaviour pattern, and detects the security of the target process from its process behaviour. Compared with a traditional virus signature database, the embodiment can detect unknown threats and latent security risks of the LAN by means of the process trees at different moments, the process-to-behaviour mapping, and preset behaviour patterns that characterize suspicious or malicious process behaviour; it thereby improves the timeliness of security detection and achieves effective prevention of viruses.
In practical applications, the server may determine the user terminals in the LAN affected by the threat process in any manner. For example, the affected user terminals may be determined from feedback by the user terminals. In one application example of the invention, assume that a user terminal exhibits a system anomaly after downloading the e-mail attachment "purchase table.doc"; the user terminal may then report the process corresponding to the attachment "purchase table.doc" as a threat process, and the server may treat the user terminal corresponding to that threat process as a user terminal in the LAN affected by the threat process.

In one alternative embodiment of the invention, the user terminals in the LAN affected by the threat process can be detected more promptly from the file transmission events the user terminals report, so that repair processing for the affected terminals can be carried out as early as possible. In this way the effect of the threat process on the user terminals can be curbed in time, and the users of the user terminals are to some extent effectively protected.
Referring to Fig. 5, a flowchart of the steps of a method for determining the user terminals in a LAN affected by a threat process according to an embodiment of the invention is shown; it may specifically include the following steps:

Step 501: obtaining, from file transmission events acquired in advance, the file transmission events to be analysed that correspond to the threat process; wherein the file transmission events are events reported by the user terminals in the LAN;

Step 502: analysing the information of the file transmission events to be analysed, to obtain the user terminals in the LAN affected by the threat process.
In an embodiment of the invention, a third control instruction may be used to instruct a user terminal to report file transmission events to the server; after receiving the third control instruction, the user terminal monitors local file transmission events and reports the monitored file transmission events to the server.

In an embodiment of the invention, a file transmission event represents the circulation of a file on the user terminal side. Optionally, the information of a file transmission event may include at least one of: time information, channel information, file information, file transmission direction and terminal information. The time information represents the time at which the file transmission event occurred. The channel information represents the channel of the file transmission event; optionally, it may be the information of the application program, or the site information, corresponding to the event. The file information identifies the file and may include, without limitation, the file name, file path and file feature; the file feature may, for example, be an MD5 (Message Digest Algorithm 5) digest, although the embodiment does not limit the specific file feature. (MD5 is no longer collision-resistant; for tracing the spread of one already-identified file it suffices, but where the feature must also resist deliberately crafted duplicates a SHA-256 digest is the practical choice.) The file transmission direction may be inbound or outbound. The terminal information represents the information of the user terminal on which the file transmission event occurred.

In one application example of the invention, the file transmission events may include at least one of: browser file transmission, IM (Instant Messaging) file transmission, e-mail attachment transmission, USB flash disk file transmission and download-tool file transmission. Each file transmission event on the user terminal side is reported to the server, and what is reported may include the information of each file transmission event.

After receiving the file transmission events reported by each user terminal, the server may record the information of the received events. It should be noted that the embodiment may record only file information such as the file name, file path or file feature of a file transmission event; because this file information suffices to trace the propagation path of a file, the embodiment can record the information of file transmission events without keeping the files themselves, and thus saves storage space on the server.
After the threat process has been obtained, step 501 may obtain, from the file transmission events acquired in advance, the file transmission events to be analysed that correspond to the threat process. Optionally, the abnormal file information to which the threat process relates is matched against the information of each file transmission event, and an event that matches is taken as a file transmission event to be analysed; for example, the file feature of the abnormal file may be matched against the file feature of each file transmission event. It will be appreciated that the embodiment does not limit the specific process of obtaining the file transmission events to be analysed that correspond to the threat process.

Step 502 may analyse the information of the file transmission events to be analysed obtained in step 501, to obtain the user terminals in the LAN affected by the threat process.

Because a file transmission event represents the circulation of a file on the user terminal side, and every file transmission event on the user terminal side is reported to the server, the embodiment can obtain the user terminals in the LAN affected by the threat process by analysing the information of the file transmission events to be analysed that relate to the threat process. That is, from the file transmission events reported by the user terminals, the embodiment detects the affected user terminals in the LAN more promptly, so that repair processing for the affected terminals can be carried out as early as possible; the effect of the threat process on the user terminals is thereby curbed in time, and the users of the user terminals are to some extent effectively protected.

In one alternative embodiment of the invention, step 502 of analysing the information of the file transmission events to be analysed may include: obtaining the user terminals in the LAN affected by the threat process from the terminal information of the file transmission events to be analysed. Because the file transmission events to be analysed correspond to the threat process, the affected user terminals can be obtained from their terminal information. In one application example of the invention, assume the abnormal file is "purchase table.doc" and its first file transmission event in the LAN is a transmission as an e-mail attachment; assume that user 1 of file transmission event 1 further generates a second file transmission event by IM and transmits the abnormal file to user 2; user 2 further generates a third file transmission event as an e-mail attachment and transmits the abnormal file to user 3, and so on; and that user 1, user 2 and user 3 also trigger other file transmission events. If the number of file transmission events is N, N being a positive integer, the embodiment may regard the terminals corresponding to the N file transmission events as the affected terminals.
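The following is an added example, not code from the patent, of steps 501 and 502 and of the user 1 to user 2 to user 3 trace described above: the server keeps only the reported event information (never the file), selects the events whose file feature matches the abnormal file of the threat process, reads the affected terminals off their terminal information, and derives the targets of the early-warning step. The event fields follow the list in the description (time, channel, file information, direction, terminal information); the event records, terminal names and file contents are constructed, and the file feature is a SHA-256 digest rather than the MD5 the description names.

```python
"""Tracing an abnormal file through reported file transmission events.

Added example, not the patent's code. Field names follow the description;
records, terminal names and file contents are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class FileTransmissionEvent:
    time: int          # time of occurrence (constructed, monotonic integers)
    channel: str       # "mail", "im", "browser", "usb" or "downloader"
    file_name: str
    file_path: str
    file_feature: str  # digest of the file content; the server never stores the file
    direction: str     # "in" (file arrived on the terminal) or "out" (file left it)
    terminal: str      # user terminal that reported the event


def file_feature(content: bytes) -> str:
    """File feature computed by the terminal agent (assumption: SHA-256 hex digest)."""
    return hashlib.sha256(content).hexdigest()


def select_events(events: Iterable[FileTransmissionEvent],
                  abnormal_features: Set[str]) -> List[FileTransmissionEvent]:
    """Step 501: keep the events whose file feature matches the abnormal file of the
    threat process, ordered by time so that the propagation path can be read off."""
    return sorted((e for e in events if e.file_feature in abnormal_features),
                  key=lambda e: e.time)


def affected_terminals(events: Iterable[FileTransmissionEvent],
                       abnormal_features: Set[str]) -> Set[str]:
    """Step 502: the terminals named in the terminal information of the matching events."""
    return {e.terminal for e in select_events(events, abnormal_features)}


def propagation_path(events: Iterable[FileTransmissionEvent],
                     abnormal_features: Set[str]) -> List[Tuple[int, str, str, str]]:
    """Ordered hops (time, terminal, channel, direction) of the abnormal file; the
    first inbound hop is where the file entered the LAN."""
    return [(e.time, e.terminal, e.channel, e.direction)
            for e in select_events(events, abnormal_features)]


def early_warning_targets(events: Iterable[FileTransmissionEvent],
                          abnormal_features: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Targets for the early-warning step: terminals that received (and so store) the
    abnormal file, and terminals on which it was seen on a USB flash disk channel."""
    matched = select_events(events, abnormal_features)
    storing = {e.terminal for e in matched if e.direction == "in"}
    usb = {e.terminal for e in matched if e.channel == "usb"}
    return storing, usb


# Constructed sample data: the flagged attachment and one unrelated benign file.
ABNORMAL = file_feature(b"constructed content of the abnormal attachment")
BENIGN = file_feature(b"constructed content of an unrelated spreadsheet")

SAMPLE_EVENTS = [
    FileTransmissionEvent(100, "mail", "purchase table.doc", r"C:\Users\u1\Downloads", ABNORMAL, "in", "user1"),
    FileTransmissionEvent(200, "im", "purchase table.doc", r"C:\Users\u1\Downloads", ABNORMAL, "out", "user1"),
    FileTransmissionEvent(201, "im", "purchase table.doc", r"C:\Users\u2\IM", ABNORMAL, "in", "user2"),
    FileTransmissionEvent(300, "mail", "purchase table.doc", r"C:\Users\u2\IM", ABNORMAL, "out", "user2"),
    FileTransmissionEvent(301, "mail", "purchase table.doc", r"C:\Users\u3\Downloads", ABNORMAL, "in", "user3"),
    FileTransmissionEvent(350, "usb", "purchase table.doc", r"E:\removable", ABNORMAL, "out", "user3"),
    FileTransmissionEvent(400, "browser", "budget.xlsx", r"C:\Users\u4\Downloads", BENIGN, "in", "user4"),
]

if __name__ == "__main__":
    for hop in propagation_path(SAMPLE_EVENTS, {ABNORMAL}):
        print(hop)
    print("affected:", sorted(affected_terminals(SAMPLE_EVENTS, {ABNORMAL})))
    print("early warning:", early_warning_targets(SAMPLE_EVENTS, {ABNORMAL}))
```

Matching on the file feature rather than on the file name is what keeps the trace intact when the attachment is renamed between hops; a terminal that only forwarded the file ("out" with no "in") is still counted as affected, since it had the file to forward.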
In another alternative embodiment of the invention, the method of this embodiment may also include: carrying out early-warning processing for the affected user terminals. For example, the early-warning processing may send a first notification message to the user terminals storing the abnormal file and a second notification message to the USB flash disks storing the abnormal file, so as to close off the propagation path.

In summary, in the LAN-based security detection method of the embodiment, because a file transmission event represents the circulation of a file on the user terminal side and every such event is reported to the server, the embodiment can detect the affected user terminals in the LAN more promptly by analysing the information of the file transmission events to be analysed that relate to the threat process, so that repair processing for the affected terminals is carried out as early as possible; the effect of the threat process on the user terminals is thereby curbed in time, and the users of the user terminals are to some extent effectively protected.
For the sake of brevity, the method embodiments are all expressed as a series of combinations of actions; those skilled in the art should know, however, that the embodiments of the present invention are not limited by the described sequence of actions, since according to the embodiments some steps may be carried out in another order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are alternative embodiments, and that the actions involved are not necessarily required by the embodiments of the present invention.
Referring to Fig. 6, a structural block diagram of a LAN-based threat processing apparatus according to an embodiment of the invention is shown; it may specifically include the following modules:

a local threat processing module 601, for carrying out threat processing for a threat process on a target user terminal in the LAN; wherein the target user terminal is one of the user terminals in the LAN affected by the threat process; and

a global threat processing module 602, for carrying out, after the threat processing for the threat process, if the target user terminal exhibits no anomaly, the same threat processing as on the target user terminal on all user terminals in the LAN affected by the threat process;

wherein the local threat processing module 601 may include:

a first threat processing submodule 611, for carrying out first threat processing for the threat process on the target user terminal;

a second threat processing submodule 612, for carrying out, after the first threat processing for the threat process, if the target user terminal exhibits an anomaly, second threat processing for the threat process on the target user terminal.

Optionally, the first threat processing may include isolation processing, and the second threat processing may include system repair processing or system reinstallation processing.

Optionally, the first threat processing submodule 611 may include:

a process killing unit, for killing the threat process on the target user terminal;

a process isolation unit, for isolating the threat process on the target user terminal after it has been killed.

Optionally, the apparatus may also include an anomaly monitoring module, for monitoring, after the first threat processing for the threat process, whether the target user terminal exhibits an anomaly;

the anomaly monitoring module may include:

a first anomaly monitoring submodule, for monitoring, within a preset time period after the first threat processing for the threat process, the working state of the operating system of the target user terminal, and judging from the working state whether the target user terminal exhibits an anomaly; and/or

a second anomaly monitoring submodule, for judging, within a preset time period after the first threat processing for the threat process, from user feedback information, whether the target user terminal exhibits an anomaly.

Optionally, the local threat processing module 601 may also include:

a third threat processing submodule, for carrying out, after the second threat processing for the threat process on the target user terminal, if the target user terminal exhibits an anomaly, third threat processing for the threat process on the target user terminal.

Optionally, the global threat processing module 602 may include:

a first global threat processing submodule, for carrying out, after the first threat processing for the threat process, if the target user terminal exhibits no anomaly, the first threat processing for the threat process on all user terminals in the LAN affected by the threat process; or

a second global threat processing submodule, for carrying out, after the second threat processing for the threat process, if the target user terminal exhibits no anomaly, the second threat processing for the threat process on all user terminals in the LAN affected by the threat process; or

a third global threat processing submodule, for carrying out, after the third threat processing for the threat process, if the target user terminal exhibits no anomaly, the third threat processing for the threat process on all user terminals in the LAN affected by the threat process.
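The staged handling that modules 601, 602 and the anomaly monitoring module describe (treat one target terminal first, watch it for a preset period, escalate only while it stays anomalous, and roll out to all affected terminals only the treatment that left the target healthy) is shown below as an added example; it is not the patent's code. The terminals are simulated: each carries the stage from which it stops showing anomalies, standing in for the operating-system working state and user feedback the two monitoring submodules would read, and the third threat processing is assumed to be system reinstallation, which the description does not fix.

```python
"""Staged threat handling: local stages with anomaly monitoring, then global rollout.

Added example, not the patent's code. Terminal behaviour and the meaning of the
third stage are assumptions; terminal names and the threat name are constructed.
"""
from enum import IntEnum
from typing import List, Optional


class Stage(IntEnum):
    FIRST = 1    # isolation processing: kill the threat process, then isolate it
    SECOND = 2   # system repair processing
    THIRD = 3    # assumed here: system reinstallation


class Terminal:
    """Simulated user terminal; `clears_at` is the stage after which its monitoring
    (OS working state and user feedback) stops reporting anomalies, or None if
    no stage clears it."""

    def __init__(self, name: str, clears_at: Optional[Stage]):
        self.name = name
        self.clears_at = clears_at
        self.applied: List[Stage] = []
        self.actions: List[str] = []

    def apply(self, stage: Stage, threat: str) -> None:
        self.applied.append(stage)
        if stage is Stage.FIRST:
            # process killing unit, then process isolation unit
            self.actions += [f"kill:{threat}", f"isolate:{threat}"]
        elif stage is Stage.SECOND:
            self.actions.append("repair-system")
        else:
            self.actions.append("reinstall-system")

    def anomalous(self) -> bool:
        """Monitoring result at the end of the preset time period (simulated)."""
        if self.clears_at is None:
            return True
        return max(self.applied, default=0) < self.clears_at


def handle_threat(threat: str, target: Terminal, affected: List[Terminal]) -> Optional[Stage]:
    """Local threat processing on the target: run the stages in order until the
    monitoring reports no anomaly. Global threat processing: replay the treatment
    the target received on every other affected terminal. Returns the stage that
    cleared the target, or None if all three stages left it anomalous, in which
    case nothing is rolled out to the rest of the LAN."""
    for stage in Stage:
        target.apply(stage, threat)
        if not target.anomalous():
            for terminal in affected:
                if terminal is not target:
                    for applied_stage in target.applied:
                        terminal.apply(applied_stage, threat)
            return stage
    return None


def demo() -> dict:
    """Constructed scenario: isolation alone is not enough, system repair is."""
    target = Terminal("user1", clears_at=Stage.SECOND)
    others = [Terminal("user2", clears_at=Stage.SECOND), Terminal("user3", clears_at=Stage.SECOND)]
    stage = handle_threat("purchase_table_dropper", target, [target] + others)
    return {"cleared_at": stage, "target": target.actions, "others": [t.actions for t in others]}


if __name__ == "__main__":
    print(demo())
```

Trying the cheapest treatment on a single terminal first, and refusing to roll out anything that did not verifiably clear it, is what keeps a wrong guess (for example a reinstall that was never needed) from being multiplied across every affected terminal in the LAN.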
Optionally, the apparatus may also include a threat process acquisition module for obtaining the threat process in the LAN;

the threat process acquisition module may include:

a receiving submodule, for receiving the process behaviour reported by the user terminals in the LAN;

an establishing submodule, for establishing, from the process behaviour, the process trees of the user terminal at different moments and the mapping relations between each process and its process behaviour in those process trees;

a target process acquisition submodule, for obtaining from the process trees the target process that matches a preset process behaviour pattern;

a threat judging submodule, for judging from the process behaviour of the target process whether the target process is a threat process.

Optionally, the preset process behaviour pattern may include:

a file-associated process starting a non-operating-system process; and/or

a process modifying a first file in the file system and then accessing and encrypting a second file.

Optionally, the threat judging submodule may include:

a first threat judging unit, for issuing corresponding alarm information for the target process, so that an administrator user, prompted by the alarm information, judges from the process behaviour of the target process whether the target process is a threat process; and/or

a second threat judging unit, for taking the target process or a descendant process of the target process as a process to be analysed, and judging from the execution parameters of the process behaviour of the process to be analysed whether the target process is a threat process.
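The following added example (not the patent's code) works through the threat process acquisition module end to end: process behaviours reported by one terminal are assembled into a process tree with each process mapped to its behaviours, the two preset patterns above select target processes, and the execution parameters of each target process and its descendants are checked for the two parameter kinds named earlier, a command-line script environment parameter relating to script encryption and a policy exclusion parameter relating to bypassing an execution restriction policy. The reported-record format, the image-name lists and the concrete parameters (PowerShell's -EncodedCommand and -ExecutionPolicy Bypass, taken as instances of those two kinds) are assumptions, and the sample records are constructed.

```python
"""Process tree, preset behaviour patterns and execution-parameter check.

Added example, not the patent's code. Record format, image lists, concrete
parameters and sample records are assumptions / constructed data.
"""
from typing import Dict, List, Set, Tuple

# Assumed classification tables for the terminal's image names.
FILE_ASSOCIATED = {"winword.exe", "excel.exe", "acrord32.exe"}
OS_PROCESSES = {"conhost.exe", "dllhost.exe", "svchost.exe", "splwow64.exe"}
# Assumed instances of the two parameter kinds the description names.
SUSPICIOUS_PARAMETERS = {
    "-encodedcommand": "command-line script environment parameter (script encryption)",
    "-executionpolicy bypass": "policy exclusion parameter (execution restriction bypass)",
}


class ProcessNode:
    def __init__(self, pid: int, ppid: int, image: str, cmdline: str):
        self.pid, self.ppid, self.image, self.cmdline = pid, ppid, image, cmdline
        self.children: List["ProcessNode"] = []
        self.behaviours: List[Tuple[int, str, str]] = []   # (time, action, target file)


def build_tree(records: List[dict]) -> Dict[int, ProcessNode]:
    """One snapshot of the process tree: 'start' records create nodes and link them to
    their parent; every other record is a behaviour mapped onto its process."""
    nodes: Dict[int, ProcessNode] = {}
    for r in sorted(records, key=lambda r: r["t"]):
        if r["action"] == "start":
            node = ProcessNode(r["pid"], r["ppid"], r["image"].lower(), r.get("cmdline", ""))
            nodes[node.pid] = node
            if node.ppid in nodes:
                nodes[node.ppid].children.append(node)
        else:
            nodes[r["pid"]].behaviours.append((r["t"], r["action"], r["target"]))
    return nodes


def file_associated_starts_non_os(tree: Dict[int, ProcessNode]) -> Set[int]:
    """Pattern 1: file-associated processes that started a non-OS child process."""
    return {n.pid for n in tree.values() if n.image in FILE_ASSOCIATED
            and any(c.image not in OS_PROCESSES for c in n.children)}


def modify_then_encrypt_other(tree: Dict[int, ProcessNode]) -> Set[int]:
    """Pattern 2: a process modifies a first file and later encrypts a different second
    file ('encrypt' is assumed to be a behaviour the terminal agent reports)."""
    hits = set()
    for n in tree.values():
        modified = set()
        for _, action, target in sorted(n.behaviours):
            if action == "modify":
                modified.add(target)
            elif action == "encrypt" and modified and target not in modified:
                hits.add(n.pid)
    return hits


def descendants(node: ProcessNode) -> List[ProcessNode]:
    out, stack = [], list(node.children)
    while stack:
        n = stack.pop()
        out.append(n)
        stack.extend(n.children)
    return out


def suspicious_parameters(tree: Dict[int, ProcessNode], pid: int) -> List[Tuple[int, str]]:
    """Second threat judging unit: execution parameters of the target process and its
    descendants, returned as (pid, reason) findings."""
    findings = []
    for n in [tree[pid]] + descendants(tree[pid]):
        cmd = " ".join(n.cmdline.lower().split())
        for param, reason in SUSPICIOUS_PARAMETERS.items():
            if param in cmd:
                findings.append((n.pid, reason))
    return findings


def judge_threats(records: List[dict]) -> Tuple[Set[int], Dict[int, List[Tuple[int, str]]]]:
    """Returns the target processes matching either pattern, and those among them the
    parameter check confirms as threat processes; the rest go to the administrator."""
    tree = build_tree(records)
    targets = file_associated_starts_non_os(tree) | modify_then_encrypt_other(tree)
    confirmed = {}
    for pid in sorted(targets):
        findings = suspicious_parameters(tree, pid)
        if findings:
            confirmed[pid] = findings
    return targets, confirmed


# Constructed sample of reported process behaviour for one terminal.
SAMPLE_RECORDS = [
    {"t": 1, "action": "start", "pid": 10, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"t": 2, "action": "start", "pid": 100, "ppid": 10, "image": "WINWORD.EXE", "cmdline": 'WINWORD.EXE "purchase table.doc"'},
    {"t": 3, "action": "start", "pid": 150, "ppid": 100, "image": "splwow64.exe", "cmdline": "splwow64.exe"},
    {"t": 4, "action": "start", "pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -ExecutionPolicy Bypass -EncodedCommand BASE64PAYLOAD"},
    {"t": 5, "action": "start", "pid": 300, "ppid": 200, "image": "updater.exe", "cmdline": "updater.exe --run"},
    {"t": 6, "action": "modify", "pid": 300, "target": r"C:\Users\u1\Documents\report.docx"},
    {"t": 7, "action": "encrypt", "pid": 300, "target": r"C:\Users\u1\Documents\budget.xlsx"},
    {"t": 8, "action": "start", "pid": 400, "ppid": 10, "image": "notepad.exe", "cmdline": "notepad.exe"},
    {"t": 9, "action": "modify", "pid": 400, "target": r"C:\Users\u1\notes.txt"},
]

if __name__ == "__main__":
    print(judge_threats(SAMPLE_RECORDS))
```

In the sample the word processor (pid 100) is the target under pattern 1 and the parameters that confirm it sit on its child (pid 200), which is why the check walks descendants; the encrypting process (pid 300) is a target under pattern 2 but carries no suspicious parameters, so it is left to the first threat judging unit's alarm for an administrator rather than being dropped.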
Optionally, the apparatus may also include a terminal determination module for determining the user terminals in the LAN affected by the threat process;

the terminal determination module may include:

a transmission event acquisition submodule, for obtaining, from file transmission events acquired in advance, the file transmission events to be analysed that correspond to the threat process; wherein the file transmission events are events reported by the user terminals in the LAN;

a transmission event analysis submodule, for analysing the information of the file transmission events to be analysed, to obtain the user terminals in the LAN affected by the threat process.
For the apparatus embodiments, since they are substantially similar to the method embodiments, the description is relatively brief; for relevant points see the corresponding parts of the method embodiments.

The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. As described above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It will be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is for disclosing the preferred embodiments of the invention.

Numerous specific details are set forth in the specification provided herein. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail, so as not to obscure the understanding of this description.

Similarly, it will be appreciated that, in order to simplify the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. The method of the disclosure should not, however, be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in fewer than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will understand that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may in addition be divided into a plurality of submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, an equivalent or a similar purpose.

Moreover, those skilled in the art will understand that although some embodiments described herein include some features, but not other features, included in other embodiments, combinations of the features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the LAN-based threat processing method and apparatus according to embodiments of the invention. The invention may also be implemented as equipment or apparatus programs (for example, computer programs and computer program products) for carrying out part or all of the method described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
The invention discloses A1, a LAN-based threat processing method, including:

carrying out threat processing for a threat process on a target user terminal in a LAN; wherein the target user terminal is one of the user terminals in the LAN affected by the threat process;

after the threat processing for the threat process, if the target user terminal exhibits no anomaly, carrying out the same threat processing as on the target user terminal on all user terminals in the LAN affected by the threat process;

wherein the step of carrying out threat processing for the threat process on the target user terminal in the LAN includes:

carrying out first threat processing for the threat process on the target user terminal;

after the first threat processing for the threat process, if the target user terminal exhibits an anomaly, carrying out second threat processing for the threat process on the target user terminal.

A2, the method according to A1, wherein the first threat processing includes isolation processing, and the second threat processing includes system repair processing or system reinstallation processing.

A3, the method according to A2, wherein the step of carrying out first threat processing for the threat process on the target user terminal includes:

killing the threat process on the target user terminal;

after the threat process has been killed, isolating the threat process on the target user terminal.

A4, the method according to any one of A1 to A3, further including: after the first threat processing for the threat process, monitoring whether the target user terminal exhibits an anomaly;

wherein the step of monitoring whether the target user terminal exhibits an anomaly includes:

within a preset time period after the first threat processing for the threat process, monitoring the working state of the operating system of the target user terminal, and judging from the working state whether the target user terminal exhibits an anomaly; and/or

within a preset time period after the first threat processing for the threat process, judging from user feedback information whether the target user terminal exhibits an anomaly.

A5, the method according to A1, wherein the step of carrying out threat processing for the threat process on the target user terminal in the LAN further includes:

after the second threat processing for the threat process on the target user terminal, if the target user terminal exhibits an anomaly, carrying out third threat processing for the threat process on the target user terminal.

A6, the method according to A1 or A5, wherein the step of carrying out the same threat processing as on the target user terminal on all user terminals in the LAN affected by the threat process includes:

after the first threat processing for the threat process, if the target user terminal exhibits no anomaly, carrying out the first threat processing for the threat process on all user terminals in the LAN affected by the threat process; or

after the second threat processing for the threat process, if the target user terminal exhibits no anomaly, carrying out the second threat processing for the threat process on all user terminals in the LAN affected by the threat process; or

after the third threat processing for the threat process, if the target user terminal exhibits no anomaly, carrying out the third threat processing for the threat process on all user terminals in the LAN affected by the threat process.

A7, the method according to A1, A2, A3 or A5, wherein the threat process in the LAN is obtained as follows:

receiving the process behaviour reported by the user terminals in the LAN;

establishing, from the process behaviour, the process trees of the user terminal at different moments and the mapping relations between each process and its process behaviour in those process trees;

obtaining from the process trees the target process that matches a preset process behaviour pattern;

judging from the process behaviour of the target process whether the target process is a threat process.

A8, the method according to A7, wherein the preset process behaviour pattern includes:

a file-associated process starting a non-operating-system process; and/or

a process modifying a first file in the file system and then accessing and encrypting a second file.

A9, the method according to A7, wherein the step of judging from the process behaviour of the target process whether the target process is a threat process includes:

issuing corresponding alarm information for the target process, so that an administrator user, prompted by the alarm information, judges from the process behaviour of the target process whether the target process is a threat process; and/or

taking the target process or a descendant process of the target process as a process to be analysed, and judging from the execution parameters of the process behaviour of the process to be analysed whether the target process is a threat process.

A10, the method according to A1, A2, A3 or A5, wherein the user terminals in the LAN affected by the threat process are determined as follows:

obtaining, from file transmission events acquired in advance, the file transmission events to be analysed that correspond to the threat process; wherein the file transmission events are events reported by the user terminals in the LAN;

analysing the information of the file transmission events to be analysed, to obtain the user terminals in the LAN affected by the threat process.
The invention discloses B11, a kind of threat processing unit based on LAN, including:
Part threatens processing module, for for the target terminal user in LAN, being impended for threat process Treatment;Wherein, the target terminal user is the certain customers' terminal influenceed by the threat process in the LAN;With And
The overall situation threatens processing module, for after the treatment that impended for threat process, if the target terminal user There is not exception, for the whole user terminals influenceed by the threat process in the LAN, carry out and the target The threat of user terminal identical is processed;
Wherein, the part threat processing module includes:
First threatens treatment submodule, in the target terminal user, the first threat being carried out for threat process Treatment;
Second threatens treatment submodule, for after the first threat treatment is carried out for threat process, if the target is used There is exception in family terminal, then carry out the second threat treatment for the threat process in the target terminal user.
B12, the device as described in B11, the first threat treatment include:Isolation processing, described second threatens treatment bag Include:System repair process or system refitting are processed.
B13, the device as described in B12, the first threat treatment submodule include:
Process killing unit, in the target terminal user, killing the threat process;
Process isolation unit, for after the threat process is killed, to the threat in the target terminal user Process is isolated.
B14, the device as described in any in B11 to B13, described device also include:For being carried out for threat process After first threat treatment, monitor whether the target terminal user abnormal exception monitoring module occurs;
The exception monitoring module includes:
First exception monitoring submodule, for the preset time period after the first threat treatment is carried out for threat process It is interior, the working condition of the operating system of the target terminal user is monitored, judge the targeted customer according to the working condition Whether terminal there is exception;And/or
Second exception monitoring submodule, for the preset time period after the first threat treatment is carried out for threat process It is interior, according to the feedback information of user, judge whether the target terminal user exception occurs.
B15, the device as described in B11, the part threat processing module also include:
3rd threatens treatment submodule, and second is carried out for the threat process in the target terminal user for working as After threat treatment, if exception occurs in the target terminal user, the threat process is entered in the target terminal user The threat of row the 3rd is processed.
B16, the device as described in B11 or B15, the global threat processing module include:
First global threat processes submodule, for after the first threat treatment is carried out for threat process, if the mesh There is not exception in mark user terminal, then right on the whole user terminals for being influenceed by the threat process in the LAN The threat process carries out the first threat treatment;Or
Second global threat processes submodule, for after the second threat treatment is carried out for threat process, if the mesh There is not exception in mark user terminal, then on the whole user terminals for being influenceed by the threat process in the LAN, pin Second threat treatment is carried out to the threat process;Or
3rd global threat processes submodule, for after the 3rd threat treatment is carried out to threat process, if the target There is not exception in user terminal, then on the whole user terminals for being influenceed by the threat process in the LAN, for The threat process carries out the 3rd threat treatment.
B17, the device as described in B11 or B12 or B13 or B15, described device also include:For obtaining the LAN The threat process acquisition module of interior threat process;
The threat process acquisition module includes:
Receiving submodule, for receiving the process behavior that the user terminal in the LAN is reported;
Setting up submodule, for according to the process behavior, set up the user terminal process tree not in the same time, with And the mapping relations in the process tree between each process and process behavior;
Target process acquisition submodule, the target that preset process behavior pattern is met for being obtained from the process tree is entered Journey;
Threat verdict submodule, for the process behavior according to the target process, judge the target process whether be Threat process.
B18, the device as described in B17, the preset process behavior pattern include:
File associated process starts non-OS process;And/or
In process change file system after the first file, access the second file and encrypt.
B19. The device according to B17, wherein the threat determination submodule comprises:
a first threat determination unit, configured to issue corresponding alert information for the target process, so that an administrator user, in response to the alert information, determines from the process behaviours of the target process whether the target process is a threat process; and/or
a second threat determination unit, configured to take the target process, or a descendant process of the target process, as the process to be analysed, and to determine from the execution parameters of the process behaviours of the process to be analysed whether the target process is a threat process.
B20. The device according to B11, B12, B13 or B15, further comprising a terminal determination module for determining the user terminals in the LAN affected by the threat process;
the terminal determination module comprising:
a transfer event acquisition submodule, configured to obtain, from previously collected file transfer events, the file transfer events to be analysed that correspond to the threat process; wherein the file transfer events are events reported by the user terminals in the LAN;
a transfer event analysis submodule, configured to analyse the information of the file transfer events to be analysed, so as to obtain the user terminals in the LAN affected by the threat process.
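The detection pipeline of modules B17 to B20 (the same steps appear later as claims 7 to 9), worked through in Python as an added example that is not part of the patent. The report format, the process names treated as operating-system processes and as file-associated processes, the execution-parameter markers, and the sample events are all constructed assumptions; the patent fixes only the two behaviour patterns and the tree-plus-mapping structure, not these details.

```python
from dataclasses import dataclass, field


@dataclass
class Behaviour:
    """One process behaviour as a terminal agent would report it (field names are assumed)."""
    terminal: str
    ts: int
    pid: int
    ppid: int
    image: str
    action: str        # "start" | "modify" | "access" | "encrypt"
    target: str = ""   # command line for "start", file path for the file actions


@dataclass
class Node:
    pid: int
    ppid: int
    image: str
    children: list = field(default_factory=list)
    behaviours: list = field(default_factory=list)


# Assumed allow-lists; a real deployment would key on signed image paths, not bare names.
OS_PROCESSES = {"explorer.exe", "svchost.exe", "services.exe", "cmd.exe"}
FILE_ASSOCIATED = {"winword.exe", "excel.exe", "acrord32.exe"}
# Assumed execution-parameter markers for the automatic verdict (B19 second unit / claim 9).
SUSPICIOUS_PARAMS = ("--encrypt", "vssadmin delete shadows", " -enc ")


def process_tree(behaviours, terminal, at_ts):
    """B17 building submodule: the terminal's process tree as of at_ts, each process mapped to its behaviours."""
    nodes = {}
    for b in sorted(behaviours, key=lambda x: x.ts):
        if b.terminal != terminal or b.ts > at_ts:
            continue
        node = nodes.setdefault(b.pid, Node(b.pid, b.ppid, b.image))
        node.behaviours.append(b)
        if b.action == "start" and b.ppid in nodes:
            nodes[b.ppid].children.append(node)
    return nodes


def matches_pattern(node):
    """B18: name of the preset behaviour pattern the process matches, else None."""
    # Pattern 1: a file-associated process (document viewer) starts a non-OS process.
    if node.image in FILE_ASSOCIATED and any(c.image not in OS_PROCESSES for c in node.children):
        return "file-associated process started non-OS process"
    # Pattern 2: modify a first file, then access a second, different file and encrypt it.
    first_file, accessed = None, set()
    for b in node.behaviours:                      # already in time order
        if b.action == "modify" and first_file is None:
            first_file = b.target
        elif first_file and b.action == "access" and b.target != first_file:
            accessed.add(b.target)
        elif b.action == "encrypt" and b.target in accessed:
            return "modify then encrypt another file"
    return None


def descendants(node):
    for child in node.children:
        yield child
        yield from descendants(child)


def is_threat(node):
    """B19 second unit: judge from the execution parameters of the target or any descendant."""
    return any(b.action == "start" and any(m in b.target for m in SUSPICIOUS_PARAMS)
               for p in (node, *descendants(node)) for b in p.behaviours)


def find_threat_processes(behaviours, terminal, at_ts):
    """B17-B19 end to end: one alert per matching process for the administrator (first unit),
    each carrying the automatic verdict (second unit)."""
    alerts = []
    for node in process_tree(behaviours, terminal, at_ts).values():
        pattern = matches_pattern(node)
        if pattern is not None:
            alerts.append({"terminal": terminal, "pid": node.pid, "image": node.image,
                           "pattern": pattern, "threat": is_threat(node)})
    return alerts


@dataclass
class TransferEvent:
    """A file transfer event as reported by a terminal (B20); fields are assumed."""
    src: str
    dst: str
    file: str


def affected_terminals(transfers, threat_image):
    """B20: every terminal that sent or received the threat's file counts as affected.
    Matching on file name is a simplification; a real system would match on a file hash."""
    affected = set()
    for t in transfers:
        if t.file == threat_image:
            affected.update((t.src, t.dst))
    return affected


# Constructed sample report: Word, opened from a document, spawns a dropped binary that encrypts files.
SAMPLE = [
    Behaviour("pc-07", 1, 100, 1, "explorer.exe", "start", "explorer.exe"),
    Behaviour("pc-07", 2, 200, 100, "winword.exe", "start", 'winword.exe /n "invoice.docx"'),
    Behaviour("pc-07", 3, 300, 200, "inv.exe", "start", r"C:\Users\alice\AppData\Local\Temp\inv.exe --encrypt"),
    Behaviour("pc-07", 4, 300, 200, "inv.exe", "modify", r"C:\Users\alice\Documents\notes.txt"),
    Behaviour("pc-07", 5, 300, 200, "inv.exe", "access", r"C:\Users\alice\Documents\q1.xlsx"),
    Behaviour("pc-07", 6, 300, 200, "inv.exe", "encrypt", r"C:\Users\alice\Documents\q1.xlsx"),
]
SAMPLE_TRANSFERS = [TransferEvent("pc-03", "pc-07", "inv.exe"),
                    TransferEvent("pc-03", "pc-12", "inv.exe"),
                    TransferEvent("pc-05", "pc-09", "report.pdf")]

if __name__ == "__main__":
    for alert in find_threat_processes(SAMPLE, "pc-07", at_ts=6):
        print(alert)
    print(sorted(affected_terminals(SAMPLE_TRANSFERS, "inv.exe")))
```

Rebuilding the tree as of a chosen report time is what lets the second pattern fire only once the encrypt event has arrived, while the first pattern already fires at the moment the child process starts; an operator gets the earlier, weaker alert first and the stronger one as the behaviour develops.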

Claims (10)

1. A threat processing method based on a local area network (LAN), comprising:
applying threat treatment to a threat process on a target user terminal in the LAN; wherein the target user terminal is a subset of the user terminals in the LAN affected by the threat process;
after the threat treatment has been applied to the threat process, if no abnormality occurs on the target user terminal, applying the same threat treatment as on the target user terminal to all user terminals in the LAN affected by the threat process;
wherein the step of applying threat treatment to the threat process on the target user terminal in the LAN comprises:
applying a first threat treatment to the threat process on the target user terminal;
after the first threat treatment has been applied to the threat process, if an abnormality occurs on the target user terminal, applying a second threat treatment to the threat process on the target user terminal.
2. The method according to claim 1, characterised in that the first threat treatment comprises isolation, and the second threat treatment comprises system repair or system reinstallation.
3. The method according to claim 2, characterised in that the step of applying the first threat treatment to the threat process on the target user terminal comprises:
killing the threat process on the target user terminal;
after the threat process has been killed, isolating the threat process on the target user terminal.
4. The method according to any one of claims 1 to 3, characterised in that the method further comprises: after the first threat treatment has been applied to the threat process, monitoring whether an abnormality occurs on the target user terminal;
the step of monitoring whether an abnormality occurs on the target user terminal comprising:
within a preset time period after the first threat treatment has been applied to the threat process, monitoring the working state of the operating system of the target user terminal and determining from the working state whether an abnormality occurs on the target user terminal; and/or
within a preset time period after the first threat treatment has been applied to the threat process, determining from user feedback whether an abnormality occurs on the target user terminal.
5. The method according to claim 1, characterised in that the step of applying threat treatment to the threat process on the target user terminal in the LAN further comprises:
after the second threat treatment has been applied to the threat process on the target user terminal, if an abnormality occurs on the target user terminal, applying a third threat treatment to the threat process on the target user terminal.
6. The method according to claim 1 or 5, characterised in that the step of applying the same threat treatment as on the target user terminal to all user terminals in the LAN affected by the threat process comprises:
after the first threat treatment has been applied to the threat process, if no abnormality occurs on the target user terminal, applying the first threat treatment to the threat process on all user terminals in the LAN affected by the threat process; or
after the second threat treatment has been applied to the threat process, if no abnormality occurs on the target user terminal, applying the second threat treatment to the threat process on all user terminals in the LAN affected by the threat process; or
after the third threat treatment has been applied to the threat process, if no abnormality occurs on the target user terminal, applying the third threat treatment to the threat process on all user terminals in the LAN affected by the threat process.
7. The method according to claim 1, 2, 3 or 5, characterised in that the threat process in the LAN is obtained by:
receiving the process behaviours reported by the user terminals in the LAN;
building, from the process behaviours, the process tree of each user terminal at different points in time, and the mapping in the process tree between each process and its process behaviours;
obtaining from the process tree a target process that matches a preset process behaviour pattern;
determining, from the process behaviours of the target process, whether the target process is a threat process.
8. The method according to claim 7, characterised in that the preset process behaviour pattern comprises:
a file-associated process starting a non-operating-system process; and/or
a process that, after modifying a first file in the file system, accesses a second file and encrypts it.
9. The method according to claim 7, characterised in that the step of determining, from the process behaviours of the target process, whether the target process is a threat process comprises:
issuing corresponding alert information for the target process, so that an administrator user, in response to the alert information, determines from the process behaviours of the target process whether the target process is a threat process; and/or
taking the target process, or a descendant process of the target process, as the process to be analysed, and determining from the execution parameters of the process behaviours of the process to be analysed whether the target process is a threat process.
10. A threat processing device based on a local area network (LAN), comprising:
a local threat processing module, configured to apply threat treatment to a threat process on a target user terminal in the LAN; wherein the target user terminal is a subset of the user terminals in the LAN affected by the threat process; and
a global threat processing module, configured to, after the threat treatment has been applied to the threat process, if no abnormality occurs on the target user terminal, apply the same threat treatment as on the target user terminal to all user terminals in the LAN affected by the threat process;
wherein the local threat processing module comprises:
a first threat processing submodule, configured to apply a first threat treatment to the threat process on the target user terminal;
a second threat processing submodule, configured to, after the first threat treatment has been applied to the threat process, if an abnormality occurs on the target user terminal, apply a second threat treatment to the threat process on the target user terminal.
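The staged treatment of claims 1 to 6 and 10 (and of the B16 submodules above) is a canary rollout: escalate on a small target subset, watch the monitoring window, and push to the rest of the affected terminals only the treatment that left the targets stable. The Python below is an added example, not code from the patent; the terminal agent is simulated, the third treatment ("reinstall") and the `healthy_after` stand-in for the monitoring of claim 4 are assumptions, and the fleet is constructed.

```python
from dataclasses import dataclass, field

# First, second and third threat treatments (claims 2 and 5); "reinstall" as the third is an assumption.
TREATMENTS = ("isolate", "repair", "reinstall")


@dataclass
class Terminal:
    """Simulated terminal agent. healthy_after stands in for the real monitoring of claim 4:
    the lowest treatment level after which no abnormality is seen within the preset window."""
    name: str
    healthy_after: int = 0
    log: list = field(default_factory=list)

    def apply(self, treatment):
        if treatment == "isolate":                 # claim 3: kill first, then isolate
            self.log += ["kill threat process", "isolate threat process"]
        else:
            self.log.append(treatment)

    def abnormal_within_window(self, level):
        """Claim 4: OS working state and/or user feedback during the preset period after treatment."""
        return level < self.healthy_after


def treat_target(target, treatments=TREATMENTS):
    """Claims 1 and 5: escalate on the target terminal until a monitoring window passes cleanly.
    Returns the index of the treatment that left the terminal stable, or None if none did."""
    for level, treatment in enumerate(treatments):
        target.apply(treatment)
        if not target.abnormal_within_window(level):
            return level
    return None


def treat_lan(affected, target_names, treatments=TREATMENTS):
    """Claims 1, 6 and 10: treat the target subset first; roll out to the remaining affected
    terminals only the treatment that proved stable on every target. Returns that treatment,
    or None when the escalation was exhausted and the rollout was withheld."""
    targets = [t for t in affected if t.name in target_names]
    if not targets:
        raise ValueError("target terminals must be a subset of the affected terminals")
    levels = [treat_target(t, treatments) for t in targets]
    if any(level is None for level in levels):
        return None                                # never push a treatment that failed on the sample
    treatment = treatments[max(levels)]            # the level that was stable on all targets
    for t in affected:
        if t.name not in target_names:
            t.apply(treatment)
    return treatment


if __name__ == "__main__":
    # Constructed scenario: isolation alone leaves pc-07 abnormal, so repair is what gets rolled out.
    fleet = [Terminal("pc-07", healthy_after=1), Terminal("pc-12"), Terminal("pc-03")]
    print(treat_lan(fleet, {"pc-07"}))
    for t in fleet:
        print(t.name, t.log)
```

Note that the non-target terminals receive only the treatment that finally worked (repair), not the failed isolation step before it; that is the point of treating the target terminal first. The `None` return is the case the claims leave to the operator: when even the last treatment leaves the target abnormal, nothing is propagated.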
CN201611248756.3A 2016-12-29 2016-12-29 Threat processing method and device based on local area network Active CN106856477B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611248756.3A CN106856477B (en) 2016-12-29 2016-12-29 Threat processing method and device based on local area network

Publications (2)

Publication Number Publication Date
CN106856477A true CN106856477A (en) 2017-06-16
CN106856477B CN106856477B (en) 2020-05-19

Family

ID=59126600

Country Status (1)

Country Link
CN (1) CN106856477B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109189584A (en) * 2018-07-05 2019-01-11 北京三快在线科技有限公司 Communication method, device, electronic equipment and storage medium between application programs
CN112866291A (en) * 2021-03-03 2021-05-28 哈尔滨安天科技集团股份有限公司 Method and device for generating threat disposal script and computer readable medium
CN112866291B (en) * 2021-03-03 2023-02-28 安天科技集团股份有限公司 Method and device for generating threat disposal script and computer readable medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080091681A1 (en) * 2006-10-12 2008-04-17 Saket Dwivedi Architecture for unified threat management
EP2234046A2 (en) * 2009-03-27 2010-09-29 Bank of America Corporation Methods and apparatuses for communicating preservation notices
CN103618626A (en) * 2013-11-28 2014-03-05 北京奇虎科技有限公司 Method and system for generating safety analysis report on basis of logs
CN103886256A (en) * 2012-12-21 2014-06-25 珠海市君天电子科技有限公司 Method and system for dynamically intercepting computer viruses on basis of checking and killing
CN103929413A (en) * 2013-12-16 2014-07-16 汉柏科技有限公司 Method and device for preventing cloud network from being attacked
US20140201807A1 (en) * 2013-01-07 2014-07-17 Optio Labs, Inc. Systems and methods for enforcing security in mobile computing
CN104216811A (en) * 2013-05-30 2014-12-17 腾讯科技(深圳)有限公司 Log collecting method and system of application program
CN104539611A (en) * 2014-12-26 2015-04-22 北京奇虎科技有限公司 Method, device and system for managing shared file
CN105630636A (en) * 2016-01-26 2016-06-01 陈谦 Dynamical recovery method and device for operating system of intelligent electronic device
CN105868627A (en) * 2016-04-11 2016-08-17 北京金山安全软件有限公司 User terminal control method and user terminal
CN105915556A (en) * 2016-06-29 2016-08-31 北京奇虎科技有限公司 Method and equipment for determining attack surfaces of terminals

Also Published As

Publication number Publication date
CN106856477B (en) 2020-05-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)
Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Applicant after: QAX Technology Group Inc.
Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)
Applicant before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
GR01 Patent grant