CN106856477A - LAN-based threat handling method and apparatus - Google Patents
LAN-based threat handling method and apparatus
- Publication number: CN106856477A
- Application number: CN201611248756.3A
- Authority: CN (China)
- Legal status: Granted (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- H04L63/20: Network architectures or network communication protocols for managing network security; network security policies in general (under H04L63/00, network security; H04L, transmission of digital information; H04, electric communication technique; H, electricity)
- G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action (under G06F21/55; G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms; G06F21/00, security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F, electric digital data processing; G06, computing; G, physics)
- G06F21/566: Dynamic computer malware detection, i.e. detection performed at run-time, e.g. emulation or suspicious activities (under G06F21/56, computer malware detection or handling, e.g. anti-virus arrangements; G06F21/55 and its parents as above)
Abstract
Embodiments of the invention provide a LAN-based threat handling method and apparatus. The method comprises: for a target user terminal in the LAN, applying a threat treatment to a threat process; and, after that treatment, if the target user terminal shows no anomaly, applying the same threat treatment to every user terminal in the LAN affected by the threat process. On the target user terminal, a first threat treatment is applied to the threat process; if the target user terminal then shows an anomaly, a second threat treatment is applied to the threat process on the target user terminal. The terminals that a treatment may render abnormal are thereby confined to the target user terminals, so the full set of terminals in the LAN affected by the threat process is not left abnormal by the treatment.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a LAN-based threat handling method and a LAN-based threat handling apparatus.
Background
With the rapid spread of the Internet, the local area network (LAN) has become an indispensable part of enterprise operations. While it brings convenience, the LAN also faces many attacks and threats, such as leakage of confidential data, data loss, network abuse, identity spoofing and intrusion.
At present, threat intelligence for a LAN can be obtained from reports by user terminals and/or from analysis on a server, and the user terminals attacked by the reported threat are then treated. Existing LAN-based threat handling schemes usually quarantine, on each attacked user terminal, the file corresponding to the threat.
In practising the invention, the inventors found that existing LAN-based threat handling schemes have at least the following problem. A threat such as a file-infecting virus is persistent, regenerates readily and inserts itself into system processes, so after the file corresponding to the virus is quarantined the user terminal will often suffer system faults such as corrupted files and broken system functions, which disrupts normal use of the terminal. When many user terminals have been attacked by the same threat, a large number of terminals in the LAN develop system faults, causing trouble for the enterprise.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a LAN-based threat handling method and a LAN-based threat handling apparatus that overcome, or at least partly solve, those problems.
According to one aspect of the invention, a LAN-based threat handling method is provided, comprising:
for a target user terminal in the LAN, applying a threat treatment to a threat process, where the target user terminal is a subset of the user terminals in the LAN affected by the threat process;
after the threat treatment, if the target user terminal shows no anomaly, applying the same threat treatment to all user terminals in the LAN affected by the threat process;
where applying the threat treatment to the threat process on the target user terminal comprises:
on the target user terminal, applying a first threat treatment to the threat process;
after the first threat treatment, if the target user terminal shows an anomaly, applying a second threat treatment to the threat process on the target user terminal.
Optionally, the first threat treatment comprises quarantine, and the second threat treatment comprises a system repair or a system reinstall.
Optionally, applying the first threat treatment to the threat process on the target user terminal comprises:
on the target user terminal, killing the threat process;
after the threat process has been killed, quarantining the threat process on the target user terminal.
Optionally, the method further comprises: after the first threat treatment, monitoring whether the target user terminal shows an anomaly;
where the monitoring comprises:
within a preset period after the first threat treatment, monitoring the working state of the operating system of the target user terminal and judging from that state whether the target user terminal shows an anomaly; and/or
within a preset period after the first threat treatment, judging from user feedback whether the target user terminal shows an anomaly.
Optionally, applying the threat treatment to the threat process on the target user terminal further comprises:
after the second threat treatment has been applied to the threat process on the target user terminal, if the target user terminal shows an anomaly, applying a third threat treatment to the threat process on the target user terminal.
Optionally, applying the same threat treatment to all user terminals in the LAN affected by the threat process comprises:
after the first threat treatment, if the target user terminal shows no anomaly, applying the first threat treatment to the threat process on all affected user terminals in the LAN; or
after the second threat treatment, if the target user terminal shows no anomaly, applying the second threat treatment to the threat process on all affected user terminals in the LAN; or
after the third threat treatment, if the target user terminal shows no anomaly, applying the third threat treatment to the threat process on all affected user terminals in the LAN.
Optionally, the threat process in the LAN is obtained as follows:
receiving the process behaviours reported by user terminals in the LAN;
from the process behaviours, building the process tree of each user terminal at successive points in time, together with the mapping between each process in the tree and its behaviours;
obtaining from the process tree the target processes that match a preset process behaviour pattern;
judging, from the behaviour of a target process, whether it is a threat process.
Optionally, the preset process behaviour pattern comprises:
a file-associated process starting a non-operating-system process; and/or
a process modifying a first file in the file system and then accessing and encrypting a second file.
Optionally, judging from the behaviour of a target process whether it is a threat process comprises:
raising an alert for the target process, so that an administrator can judge from the target process's behaviour whether it is a threat process; and/or
taking the target process or its descendant processes as the processes to analyse and judging, from the execution parameters of their behaviours, whether the target process is a threat process.
Optionally, the user terminals in the LAN affected by the threat process are determined as follows:
from previously collected file transfer events, obtaining the file transfer events to analyse that correspond to the threat process, where the file transfer events are events reported by user terminals in the LAN;
analysing the information in those file transfer events to obtain the user terminals in the LAN affected by the threat process.
According to another aspect of the invention, a LAN-based threat handling apparatus is provided, comprising:
a local threat handling module, for applying a threat treatment to a threat process on a target user terminal in the LAN, where the target user terminal is a subset of the user terminals in the LAN affected by the threat process; and
a global threat handling module, for applying, after the threat treatment and if the target user terminal shows no anomaly, the same threat treatment to all user terminals in the LAN affected by the threat process;
where the local threat handling module comprises:
a first treatment submodule, for applying a first threat treatment to the threat process on the target user terminal;
a second treatment submodule, for applying a second threat treatment to the threat process on the target user terminal if the target user terminal shows an anomaly after the first threat treatment.
Optionally, the first threat treatment comprises quarantine, and the second threat treatment comprises a system repair or a system reinstall.
Optionally, the first treatment submodule comprises:
a process-killing unit, for killing the threat process on the target user terminal;
a process-quarantine unit, for quarantining the threat process on the target user terminal after it has been killed.
Optionally, the apparatus further comprises an anomaly monitoring module, for monitoring whether the target user terminal shows an anomaly after the first threat treatment;
where the anomaly monitoring module comprises:
a first monitoring submodule, for monitoring, within a preset period after the first threat treatment, the working state of the operating system of the target user terminal and judging from that state whether the target user terminal shows an anomaly; and/or
a second monitoring submodule, for judging, within a preset period after the first threat treatment, from user feedback whether the target user terminal shows an anomaly.
Optionally, the local threat handling module further comprises:
a third treatment submodule, for applying a third threat treatment to the threat process on the target user terminal if the target user terminal shows an anomaly after the second threat treatment.
Optionally, the global threat handling module comprises:
a first global submodule, for applying the first threat treatment to the threat process on all affected user terminals in the LAN if the target user terminal shows no anomaly after the first threat treatment; or
a second global submodule, for applying the second threat treatment to the threat process on all affected user terminals in the LAN if the target user terminal shows no anomaly after the second threat treatment; or
a third global submodule, for applying the third threat treatment to the threat process on all affected user terminals in the LAN if the target user terminal shows no anomaly after the third threat treatment.
Optionally, the apparatus further comprises a threat process acquisition module, for obtaining the threat process in the LAN;
where the threat process acquisition module comprises:
a receiving submodule, for receiving the process behaviours reported by user terminals in the LAN;
a building submodule, for building from the process behaviours the process tree of each user terminal at successive points in time, together with the mapping between each process in the tree and its behaviours;
a target process submodule, for obtaining from the process tree the target processes that match a preset process behaviour pattern;
a threat judgement submodule, for judging from the behaviour of a target process whether it is a threat process.
Optionally, the preset process behaviour pattern comprises:
a file-associated process starting a non-operating-system process; and/or
a process modifying a first file in the file system and then accessing and encrypting a second file.
Optionally, the threat judgement submodule comprises:
a first judgement unit, for raising an alert for the target process so that an administrator can judge from its behaviour whether it is a threat process; and/or
a second judgement unit, for taking the target process or its descendant processes as the processes to analyse and judging, from the execution parameters of their behaviours, whether the target process is a threat process.
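The threat process acquisition steps above (both the method version and the apparatus version) can be made concrete as follows. This is an added example written for this page, not code from the patent or its applicant: it turns behaviour events reported by one terminal into a process tree with a process-to-behaviour mapping, picks out target processes matching the two preset patterns (a file-associated process starting a non-OS process; a process modifying one file and then encrypting another), and applies an automatic verdict over each target and its descendants, leaving the rest for an administrator alert. The event format, the allowlist of OS images, the set of file-associated programs and the verdict rule are all assumptions.

```python
"""Process-tree construction and behaviour-pattern matching for threat process discovery.

Added illustration; not the patent's code. Event format, OS allowlist,
file-associated program set and the verdict rule are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Assumed: images treated as operating-system processes (pattern A does not fire on them).
OS_IMAGES: Set[str] = {"explorer.exe", "svchost.exe", "conhost.exe", "cmd.exe", "dllhost.exe"}
# Assumed: "file-associated" programs, i.e. document handlers launched by opening a file.
FILE_ASSOCIATED: Set[str] = {"winword.exe", "excel.exe", "acrord32.exe"}


class ProcessTree:
    """Per-terminal process tree plus the process -> behaviour mapping, built from reported events."""

    def __init__(self, terminal: str):
        self.terminal = terminal
        self.image: Dict[int, str] = {}
        self.parent: Dict[int, int] = {}
        self.children: Dict[int, List[int]] = defaultdict(list)
        self.behaviours: Dict[int, List[dict]] = defaultdict(list)

    def add_event(self, ev: dict) -> None:
        """ev: {'ts', 'pid', 'action', ...}. 'start' events carry 'ppid' and 'image';
        file events ('modify', 'access', 'encrypt') carry 'path'."""
        pid = ev["pid"]
        if ev["action"] == "start":
            self.image[pid] = ev["image"]
            self.parent[pid] = ev["ppid"]
            self.children[ev["ppid"]].append(pid)
        self.behaviours[pid].append(ev)

    def descendants(self, pid: int) -> List[int]:
        out, stack = [], list(self.children[pid])
        while stack:
            p = stack.pop()
            out.append(p)
            stack.extend(self.children[p])
        return out

    def _pattern_a(self, pid: int) -> bool:
        """Pattern A: a file-associated process starts a non-OS process."""
        parent = self.parent.get(pid)
        return (parent in self.image and self.image[parent] in FILE_ASSOCIATED
                and self.image.get(pid) not in OS_IMAGES)

    def _pattern_b(self, pid: int) -> bool:
        """Pattern B: the process modifies one file, then encrypts a different file."""
        modified: Set[str] = set()
        for ev in sorted(self.behaviours[pid], key=lambda e: e["ts"]):
            if ev["action"] == "modify":
                modified.add(ev["path"])
            elif ev["action"] == "encrypt" and modified and ev["path"] not in modified:
                return True
        return False

    def target_processes(self) -> List[int]:
        return sorted(p for p in self.image if self._pattern_a(p) or self._pattern_b(p))

    def judge(self) -> Dict[str, List[int]]:
        """Assumed verdict rule: a target is a threat if it or any descendant shows the
        encryption pattern; otherwise it is only raised as an alert for the administrator."""
        threats, alerts = [], []
        for pid in self.target_processes():
            chain = [pid] + self.descendants(pid)
            (threats if any(self._pattern_b(p) for p in chain) else alerts).append(pid)
        return {"threats": threats, "alerts": alerts}


def build_sample_tree() -> ProcessTree:
    """Constructed report from one terminal: Word launches a dropped binary that
    modifies a document and then encrypts a spreadsheet; Excel launches a
    harmless non-OS helper that only reads a file (alert, not threat)."""
    events = [
        {"ts": 1, "pid": 1,   "action": "start", "ppid": 0,   "image": "explorer.exe"},
        {"ts": 2, "pid": 100, "action": "start", "ppid": 1,   "image": "winword.exe"},
        {"ts": 3, "pid": 300, "action": "start", "ppid": 100, "image": "inv0ice.exe"},
        {"ts": 4, "pid": 300, "action": "modify",  "path": r"C:\Users\a\report.docx"},
        {"ts": 5, "pid": 300, "action": "access",  "path": r"C:\Users\a\budget.xlsx"},
        {"ts": 6, "pid": 300, "action": "encrypt", "path": r"C:\Users\a\budget.xlsx"},
        {"ts": 7, "pid": 110, "action": "start", "ppid": 1,   "image": "excel.exe"},
        {"ts": 8, "pid": 310, "action": "start", "ppid": 110, "image": "msohelper.exe"},
        {"ts": 9, "pid": 310, "action": "access",  "path": r"C:\Users\a\budget.xlsx"},
    ]
    tree = ProcessTree("T1")
    for ev in events:
        tree.add_event(ev)
    return tree


if __name__ == "__main__":
    print(build_sample_tree().judge())
```

Pattern A on its own only nominates a process (the Excel helper here ends up as an administrator alert); the automatic threat verdict is reserved for a chain that also shows the modify-then-encrypt behaviour, which keeps false positives from a broad "non-OS child" rule from triggering the treatment ladder.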
Optionally, the apparatus further comprises a terminal determination module, for determining the user terminals in the LAN affected by the threat process;
where the terminal determination module comprises:
a transfer event submodule, for obtaining from previously collected file transfer events the file transfer events to analyse that correspond to the threat process, where the file transfer events are events reported by user terminals in the LAN;
a transfer analysis submodule, for analysing the information in those file transfer events to obtain the user terminals in the LAN affected by the threat process.
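The terminal determination steps (method and apparatus versions above) can be implemented over reported transfer events as follows. This is an added example, not the patent's code. It assumes the threat process is tied to its image file by a hash, that terminals report transfer events as (ts, src, dst, sha256, path) records, and that the file crossing a transfer event is what carries the threat to the destination; the sample events are constructed.

```python
"""Determining the terminals affected by a threat process from file transfer events.

Added illustration; not the patent's code. The event format, the hash-based
match and the sample data are assumptions.
"""
from typing import Dict, List, Set, Tuple

# Constructed transfer events as reported by terminals in the LAN (assumed format).
SAMPLE_EVENTS: List[dict] = [
    {"ts": 10, "src": "T1", "dst": "T2", "sha256": "aa11", "path": r"\\share\tools\inv0ice.exe"},
    {"ts": 11, "src": "T1", "dst": "T3", "sha256": "bb22", "path": r"\\share\docs\plan.docx"},
    {"ts": 12, "src": "T2", "dst": "T4", "sha256": "aa11", "path": r"\\share\tools\inv0ice.exe"},
    {"ts": 13, "src": "T2", "dst": "T3", "sha256": "aa11", "path": r"C:\temp\inv0ice.exe"},
    {"ts": 14, "src": "T5", "dst": "T6", "sha256": "cc33", "path": r"\\share\docs\memo.pdf"},
]


def transfer_events_for(threat_sha256: str, events: List[dict]) -> List[dict]:
    """Select, in time order, the transfer events whose file matches the threat process image."""
    return sorted((e for e in events if e["sha256"] == threat_sha256), key=lambda e: e["ts"])


def affected_terminals(threat_sha256: str, events: List[dict]) -> Dict[str, object]:
    """Analyse the selected events.

    Every sender or receiver of the threat file is affected; the first receipt per
    terminal gives the spread chain; a terminal that sent the file before ever
    receiving it is an origin (where the threat entered the LAN).
    """
    selected = transfer_events_for(threat_sha256, events)
    affected: Set[str] = set()
    first_seen: Dict[str, Tuple[str, int]] = {}   # dst -> (src, ts) of first receipt
    origins: Set[str] = set()
    for e in selected:
        affected.update((e["src"], e["dst"]))
        if e["src"] not in first_seen:            # sending without any earlier receipt
            origins.add(e["src"])
        first_seen.setdefault(e["dst"], (e["src"], e["ts"]))
    return {"affected": sorted(affected), "origins": sorted(origins), "first_seen": first_seen}


if __name__ == "__main__":
    print(affected_terminals("aa11", SAMPLE_EVENTS))
```

The "affected" list is the N from which the target (canary) terminals are drawn, and the first-receipt chain is a practical basis for choosing them: the origin and the earliest recipients have carried the threat longest and are the most informative place to test whether a treatment leaves a terminal usable.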
A kind of threat treating method and apparatus based on LAN according to embodiments of the present invention, due to ensuring at threat
In the case that reason will not cause target terminal user exception occur, can just be influenceed by the threat process for LAN is interior
Whole user terminals, processed with the target terminal user identical threat, and above-mentioned target terminal is to be received in LAN
To certain customers' terminal of threat process influence, so, the embodiment of the present invention can be by because threatening treatment exception occur
In the range of user terminal scope control to target terminal user, therefore, it is possible to be prevented effectively from LAN be subject to it is described threaten into
Whole user terminals of journey influence occur exception because above-mentioned threat is processed, and then can effectively ensure that a large amount of use in LAN
The availability of family terminal.
Also, target terminal user of the embodiment of the present invention in for LAN, impend place for threat process
During reason, the threat that can be directed to threat process is carried out repeatedly is processed, specifically, can first at targeted customer's end
On end, the first threat treatment is carried out for threat process, if after the first threat treatment is carried out for threat process, the target
There is exception in user terminal, then carry out the second threat treatment for the threat process;Wherein, above-mentioned first treatment and the are threatened
Two threats treatment can be different treatment, because the embodiment of the present invention can be carried out at threat repeatedly by threat process
Reason, thus can be directed to stubbornness, power of regeneration that threat process possess by force, in insertion system process the features such as, by prestige repeatedly
Side of body treatment obtains that target terminal user will not be caused abnormal threat processing means occur, therefore, it is possible to successfully realize targeted customer
The threat treatment of terminal, and then can realize at the threat of whole user terminals that is influenceed by the threat process in LAN
Reason.
Described above is only the general introduction of technical solution of the present invention, in order to better understand technological means of the invention,
And can be practiced according to the content of specification, and in order to allow the above and other objects of the present invention, feature and advantage can
Become apparent, below especially exemplified by specific embodiment of the invention.
Brief description of the drawings
Other advantages and benefits will become clear to those skilled in the art from the detailed description of the optional embodiments below. The drawings serve only to illustrate the optional embodiments and are not to be taken as limiting the invention. Throughout the drawings, the same reference numerals denote the same parts.
Fig. 1 is a flow chart of a LAN-based threat handling method according to an embodiment of the invention;
Fig. 2 is a flow chart of a LAN-based threat handling method according to an embodiment of the invention;
Fig. 3 is a flow chart of a LAN-based threat handling method according to an embodiment of the invention;
Fig. 4 is a schematic diagram of a process tree according to the invention;
Fig. 5 is a flow chart of a LAN-based threat handling method according to an embodiment of the invention; and
Fig. 6 is a schematic diagram of the structure of a LAN-based threat handling apparatus according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments, the disclosure may be realised in many forms and should not be taken as limited to the embodiments set out here; rather, these embodiments are provided so that the disclosure is understood thoroughly and its scope is conveyed completely to those skilled in the art.
Referring to Fig. 1, a flow chart of a LAN-based threat handling method according to an embodiment of the invention is shown. The method may comprise the following steps:
Step 101: for a target user terminal in the LAN, apply a threat treatment to a threat process, where the target user terminal is a subset of the user terminals in the LAN affected by the threat process;
Step 102: after the threat treatment, if the target user terminal shows no anomaly, apply the same threat treatment to all user terminals in the LAN affected by the threat process;
where step 101, applying the threat treatment to the threat process on the target user terminal, may comprise:
Step 111: on the target user terminal, apply a first threat treatment to the threat process;
Step 112: after the first threat treatment, if the target user terminal shows an anomaly, apply a second threat treatment to the threat process on the target user terminal.
The embodiments can be applied in LANs such as enterprise networks, government networks and campus networks. In such a LAN, the server is the device that controls the other user terminals to perform security detection, and a user terminal is a terminal in the LAN that responds to the server's control instructions and exchanges data with it. In practice a server agent module can be deployed on the server and a software client module on each user terminal, in a client/server (C/S) arrangement, to implement the server's control of the user terminals and the terminals' response and communication functions. The server and the user terminals may communicate over a standard protocol or a proprietary one; the embodiments regard a proprietary protocol as having the advantage of being closed and secure, but do not limit the specific communication method between server and user terminal. In practice the control channel still needs to be authenticated and encrypted whichever protocol is chosen: a server that can instruct every terminal to kill processes, quarantine files or reinstall the operating system is itself a high-value target, and a proprietary protocol is not secure merely by being undocumented.
In practice the user of the server may be an advanced user with some network security knowledge, such as a network administrator, who can flexibly set the corresponding control instructions according to the LAN's current security needs and circumstances.
In the embodiments, a threat process denotes a process that is abnormal or poses a threat. The LAN threat handling method of the embodiments first applies a threat treatment to a subset of the user terminals in the LAN affected by the threat process (the target user terminals); after that treatment, if the target user terminals show no anomaly, the same threat treatment is applied to all user terminals in the LAN affected by the threat process. Because the treatment is rolled out to every affected terminal only once it is known not to leave the target user terminals abnormal, and the target user terminals are only a subset of the affected terminals, the terminals that a treatment may render abnormal are confined to the target user terminals; the full set of affected terminals in the LAN is spared, and the availability of the many user terminals in the LAN is preserved.
Moreover, the treatment of the threat process on the target user terminal can be carried out in several rounds: a first threat treatment and then, if the target user terminal shows an anomaly, a second threat treatment that may differ from the first. Repeated treatment lets a means be found that does not leave the target user terminal abnormal even for a threat that is persistent, regenerates readily and inserts itself into system processes, so the treatment of the target user terminal succeeds and can then be extended to all user terminals in the LAN affected by the threat process.
In the embodiments the target user terminals are a subset of the user terminals in the LAN affected by the threat process. The user of the server may choose the number of target user terminals according to the application; for example it may be 1, 2, 3 or N/M, where N is the number of user terminals in the LAN affected by the threat process and M is a positive integer greater than or equal to 2. The embodiments do not limit the specific number of target user terminals.
In the embodiments, a first control instruction may instruct the target user terminal to apply a threat treatment to the threat process. The first control instruction may carry information on the threat process and on the threat treatment: the former may include the name and PID (process identifier) of the threat process, the latter the treatment to apply, for example the first threat treatment or the second threat treatment. Optionally the first control instruction may comprise a first handling instruction and a second handling instruction. The server may first issue the first handling instruction to the target user terminal, instructing it to apply the first threat treatment to the threat process, the instruction carrying information on the threat process and on the first threat treatment. After the first threat treatment the server may monitor whether the target user terminal shows an anomaly and, if so, issue the second handling instruction to the target user terminal, instructing it to apply the second threat treatment to the threat process. If the target user terminal shows no anomaly after the first threat treatment, the first handling instruction may instead be issued to all user terminals in the LAN affected by the threat process. The embodiments do not limit the specific control flow between the server and the target user terminal or the other user terminals.
In an alternative embodiment of the present invention, the first threat treatment may include isolation processing, and the second threat treatment may include system repair processing or system reinstallation processing. That is, after the threat process has been isolated, if the target user terminal exhibits an anomaly, system repair processing or system reinstallation processing may be performed on the target user terminal for the threat process. Isolation processing isolates the threat process; system repair processing repairs the damaged operating system; system reinstallation processing reinstalls (updates) the operating system.
Further optionally, step 111, performing the first threat treatment for the threat process on the target user terminal, may include: killing the threat process on the target user terminal and, after it has been killed, isolating the threat process on the target user terminal. Optionally, the threat process may be killed by terminating or stopping it, and isolated by preventing it from running again. The embodiment does not limit the specific procedure for killing or isolating the threat process.
In an alternative embodiment of the present invention, the method may further include: after the first threat treatment has been performed for the threat process, monitoring whether the target user terminal exhibits an anomaly.
The exception monitoring modes that the step of monitoring whether the target user terminal exhibits an anomaly may use include:
Exception monitoring mode 1: within a preset time period after the first threat treatment, monitoring the working condition of the operating system of the target user terminal and judging from the working condition whether the target user terminal exhibits an anomaly; and/or
Exception monitoring mode 2: within a preset time period after the first threat treatment, judging from user feedback whether the target user terminal exhibits an anomaly.
Here, an anomaly of the target user terminal after the first threat treatment may include an anomaly of its operating system, for example a crash of the operating system or the kernel entering an endless loop, that is, a deadlock.
In exception monitoring mode 1, the working condition of the operating system of the target user terminal is monitored within the preset time period after the first threat treatment, and the judgement is made from that working condition. Optionally, mode 1 may monitor working indices of the operating system such as resource utilisation (the fraction of CPU, memory and I/O devices actually in use) and system response time (the time from an input to its response), and judge from these working indices whether the target user terminal is abnormal. Optionally, it may be judged whether each monitored working index lies within a preset index range; if it does not, the target user terminal may be judged abnormal. The embodiment does not limit the specific way of monitoring the working condition.
In exception monitoring mode 2, whether the target user terminal exhibits an anomaly is judged from user feedback. The user of the target user terminal can clearly perceive an anomaly such as an operating system crash or the kernel entering an endless loop, so after perceiving it the user can give corresponding feedback to the target user terminal, which reports that feedback to the server.
In the embodiment of the present invention, the preset time period may have any length, for example 1 day, 2 days or even 7 days. If the target user terminal exhibits an anomaly within 1, 2 or even 7 days after the first threat treatment, the anomaly is regarded as caused by the first threat treatment.
In an alternative embodiment of the present invention, the step of performing a threat treatment for the threat process on the target user terminals in the LAN may further include: after the second threat treatment has been performed for the threat process on the target user terminal, if the target user terminal exhibits an anomaly, performing a third threat treatment for the threat process on the target user terminal. The third threat treatment may differ from both the first and the second; for example, the first threat treatment may be isolation processing, the second system repair processing and the third system reinstallation processing. Optionally, system reinstallation processing may include backing up the data of each target user terminal and then reinstalling its operating system; for example, the user data of the target user terminal may be copied to a non-system disk or to a safe removable device before the system is reinstalled. The embodiment does not limit the specific reinstallation procedure.
After the second threat treatment, and likewise after the third, whether the target user terminal exhibits an anomaly may also be monitored. The monitoring after the second or third threat treatment is similar to that after the first and is not repeated here; the descriptions may be referred to one another.
In an alternative embodiment of the present invention, step 102, performing on all user terminals in the LAN affected by the threat process the same threat treatment as on the target user terminals, synchronises that treatment across the LAN. In practice, the user terminals in the LAN affected by the threat process other than the target user terminals receive the same threat treatment as the target user terminals, and the corresponding procedure may include:
after the first threat treatment has been performed for the threat process, if the target user terminal exhibits no anomaly, performing the first threat treatment for the threat process on all user terminals in the LAN affected by the threat process; or
after the second threat treatment has been performed for the threat process, if the target user terminal exhibits no anomaly, performing the second threat treatment for the threat process on all user terminals in the LAN affected by the threat process; or
after the third threat treatment has been performed for the threat process, if the target user terminal exhibits no anomaly, performing the third threat treatment for the threat process on all user terminals in the LAN affected by the threat process.
In summary, the LAN-based threat processing method of the embodiment performs the same threat treatment on all user terminals in the LAN affected by the threat process only once it has been confirmed that the treatment does not cause the target user terminals to become abnormal, and the target user terminals are only a subset of the affected terminals. The range of user terminals that may become abnormal because of the threat treatment is thus confined to the target user terminals, so the embodiment avoids all affected user terminals in the LAN becoming abnormal because of the treatment and effectively safeguards the availability of the large number of user terminals in the LAN.
In addition, when performing a threat treatment for the threat process on the target user terminals in the LAN, the embodiment may treat the threat process repeatedly: a first threat treatment is performed for the threat process on the target user terminal and, if the target user terminal then exhibits an anomaly, a second threat treatment is performed, where the first and second threat treatments may differ. Because the threat process can be treated repeatedly, the method copes with threat processes that are persistent, that regenerate themselves, or that are injected into system processes: by repeated treatment it arrives at a treatment that does not cause the target user terminal to become abnormal, so the treatment of the target user terminal succeeds, and treatment of all user terminals in the LAN affected by the threat process can then be achieved.
Referring to Figure 2, a flow chart of the steps of a LAN-based threat processing method according to an embodiment of the present invention is shown; it may specifically include the following steps:
Step 201: the server selects some of the user terminals in the LAN affected by the threat process as target user terminals;
Step 202: the server issues an isolation processing control instruction to the target user terminals, instructing them to perform isolation processing on the threat process;
Optionally, the isolation processing control instruction may carry information on the threat process and on the isolation processing.
Step 203: on receiving the isolation processing control instruction, the target user terminals perform isolation processing on the threat process;
Step 204: after the target user terminals have isolated the threat process, the server monitors whether they exhibit an anomaly; if so, step 207 is performed, otherwise step 205;
Here, the server monitors the target user terminals for an anomaly within a preset time period after the isolation processing.
Step 205: the server sends the isolation processing control instruction to the other user terminals, instructing them to perform isolation processing on the threat process;
Here, the other user terminals are the user terminals in the LAN affected by the threat process other than the target user terminals.
Step 206: on receiving the isolation processing control instruction, the other user terminals perform isolation processing on the threat process;
Step 207: the server sends a system repair processing control instruction to the target user terminals, instructing them to perform system repair processing for the threat process;
Step 208: on receiving the system repair processing control instruction, the target user terminals perform system repair processing for the threat process;
Step 209: after the target user terminals have performed system repair processing, the server monitors whether they exhibit an anomaly; if so, step 212 is performed, otherwise step 210;
Step 210: the server sends the system repair processing control instruction to the other user terminals, instructing them to perform system repair processing for the threat process;
Step 211: on receiving the system repair processing control instruction, the other user terminals perform system repair processing for the threat process;
Step 212: the server sends a system reinstallation processing control instruction to all user terminals in the LAN affected by the threat process, instructing them to perform system reinstallation processing for the threat process;
Step 213: on receiving the system reinstallation processing control instruction, all user terminals affected by the threat process perform system reinstallation processing.
It should be noted that, because system reinstallation processing amounts to a fresh installation of the operating system, it generally does not cause the user terminal to become abnormal; the embodiment therefore proceeds directly to system reinstallation processing on all user terminals affected by the threat process when the target user terminals exhibit an anomaly after system repair processing. Since reinstallation discards the installed system, the data backup described above should precede it on every terminal, not only on the target user terminals.
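The Figure 2 flow, together with the two exception-monitoring modes and the control-instruction design described earlier, amounts to a canary rollout: treat a subset, watch it for the preset period, escalate on anomaly, and only then treat everyone. The following Python model is an added example written for this page, not code from the patent or any product; the terminals, their post-treatment telemetry, the user feedback and the preset index limits are all constructed, and the decision to treat reinstallation as never abnormal follows the note above.

```python
"""Staged (canary-first) threat treatment of a LAN, after the Figure 2 flow.

Added illustrative code, not the patent's own. The server treats a subset of
the affected terminals first, monitors them for a preset period using the two
exception-monitoring modes (working indices of the OS, and user feedback), and
rolls a treatment out to the remaining terminals only when the subset shows no
anomaly; otherwise it escalates to the next, costlier treatment. Terminals,
telemetry, feedback and the index limits are all constructed for the example.
"""
from dataclasses import dataclass, field

# Treatment ladder in order of increasing time cost, as in the patent.
TREATMENTS = ("isolate", "repair", "reinstall")

# Preset index ranges for exception-monitoring mode 1 (assumed values):
# utilisation as a fraction of the resource, response time in milliseconds.
INDEX_LIMITS = {"cpu": 0.90, "mem": 0.90, "io": 0.90, "response_ms": 2000}


@dataclass
class Terminal:
    name: str
    # Simulated telemetry gathered during the preset period after each
    # treatment: treatment name -> {"cpu": 0.3, "response_ms": 120, ...}.
    telemetry: dict = field(default_factory=dict)
    # Simulated mode-2 feedback: treatment name -> True if the user reported
    # a crash, hang or other anomaly during the preset period.
    feedback: dict = field(default_factory=dict)
    applied: list = field(default_factory=list)  # treatments issued so far


def indices_abnormal(indices):
    """Mode 1: any working index outside its preset range is an anomaly."""
    return any(indices.get(key, 0) > limit for key, limit in INDEX_LIMITS.items())


def terminal_abnormal(term, treatment):
    """Mode 1 and/or mode 2, evaluated over the (simulated) preset period."""
    return indices_abnormal(term.telemetry.get(treatment, {})) or bool(
        term.feedback.get(treatment, False)
    )


def select_targets(affected, divisor=2):
    """Step 201: choose N/M of the affected terminals as targets, at least one."""
    count = max(1, len(affected) // divisor)
    return list(affected[:count]), list(affected[count:])


def treat_lan(affected, divisor=2):
    """Steps 202-213: walk the ladder on the targets, roll out on success.

    Returns a list of (treatment, targets_abnormal) decisions; the Terminal
    objects record which treatments were issued to them.
    """
    targets, others = select_targets(affected, divisor)
    decisions = []
    for treatment in TREATMENTS[:-1]:
        for term in targets:
            term.applied.append(treatment)
        abnormal = any(terminal_abnormal(t, treatment) for t in targets)
        decisions.append((treatment, abnormal))
        if not abnormal:
            # Confirmed harmless on the canaries: same treatment for the rest.
            for term in others:
                term.applied.append(treatment)
            return decisions
    # Both cheaper treatments left the targets abnormal: reinstall everywhere
    # (the patent treats reinstallation as not causing further anomalies).
    for term in targets + others:
        term.applied.append(TREATMENTS[-1])
    decisions.append((TREATMENTS[-1], False))
    return decisions


if __name__ == "__main__":
    lan = [Terminal("pc%d" % i) for i in range(4)]
    lan[0].telemetry["isolate"] = {"cpu": 0.97}  # one canary misbehaves after isolation
    print(treat_lan(lan))                         # [('isolate', True), ('repair', False)]
    print({t.name: t.applied for t in lan})
```

Two points the model makes visible: the non-target terminals never receive a treatment that was not first confirmed on the canaries, and the only treatment applied to every terminal without a canary check is the last rung of the ladder.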
In summary, the LAN-based threat processing method of the embodiment treats the threat process in the priority order isolation processing, system repair processing, system reinstallation processing. Because the treatments are applied in order of increasing time cost, the availability of the large number of user terminals in the LAN is effectively safeguarded and the operating cost of the threat treatment is reduced to some extent.
It will be understood that the order isolation processing, system repair processing, system reinstallation processing is only one alternative priority of the threat treatments; those skilled in the art may use other priorities according to practical requirements, for example isolation processing followed directly by system reinstallation processing, and the embodiment does not limit the specific priority of the threat treatments.
In practice, the server may obtain the threat process in the LAN in any manner, for example from feedback by the user terminals. In one application example of the present invention, suppose a user terminal exhibits a system anomaly after downloading an e-mail attachment "buying table .doc"; the user terminal may then report the process corresponding to that attachment as the threat process.
In an alternative embodiment of the present invention, whether the process corresponding to a process behaviour reported by a user terminal is a threat may be detected from the reported process behaviour.
Referring to Figure 3, a flow chart of the steps of a method for obtaining the threat process in a LAN according to an embodiment of the present invention is shown; it may specifically include the following steps:
Step 301: receiving the process behaviour reported by a user terminal in the LAN;
Step 302: from the process behaviour, establishing the process trees of the user terminal at different moments and the mapping between each process in the process tree and its process behaviour;
Step 303: obtaining from the process tree a target process that matches a preset process behaviour pattern;
Step 304: judging from the process behaviour of the target process whether the target process is a threat process.
In the embodiment of the present invention, a second control instruction may be used to instruct a user terminal to report process behaviour to the server. On receiving the second control instruction, the user terminal monitors the behaviour of its local processes and reports the monitored process behaviour to the server. Optionally, the process behaviour may be captured and reported without interfering with the user's normal use of the terminal, so the user experience is not affected.
Optionally, the process behaviour may include, but is not limited to, at least one of process start/stop behaviour, memory behaviour and change behaviour. Memory behaviour may include process injection behaviour, file access behaviour and network connection behaviour; network connection behaviour may include at least one of URL (Uniform Resource Locator) access, IP (Internet Protocol) address access, port access and DNS (Domain Name System) access. Change behaviour may include system change behaviour (creation, deletion and modification of registry entries), account change behaviour (creation of accounts, changes of account permissions) and file change behaviour. The embodiment does not limit the specific process behaviour.
After receiving the process behaviour reported by each user terminal, the server may record the information on the received process behaviour. Optionally, this information may include, but is not limited to, fields such as the process information and the execution parameters of the process behaviour.
In the embodiment of the present invention, a process tree represents the relationships between the processes on a user terminal; it generally consists of parent processes and child processes. Once a program's process runs, it may create or call other processes, and these form a process tree. Referring to Figure 4, a structural diagram of a process tree of the present invention is shown: child nodes B and C of node A are child processes created or called by node A, and nodes B and C, as parent processes, in turn created or called their own child processes D and E, and F and G, respectively. The information on each process in the process tree may include the process name, the characteristic value of the program corresponding to the process, the parent process of the process and the like; the embodiment does not limit the specific information of each process in the tree. In practice, the name of each node in the process tree may or may not be the same as the name of the process; the embodiment is mainly described taking the case where they are the same as an example.
In an alternative embodiment of the present invention, the process trees of the user terminal at different moments may be established from the process start/stop behaviour included in the process behaviour. Optionally, process start/stop behaviour may include the start time and stop time of each process and the processes each process created or called, so the nodes of the process tree can be obtained from it. For example, if processes A, B and C start at moments 1, 2 and 3 respectively and process A is the first process in the system, root node A of the process tree is obtained; if process A created or called processes B and C, child nodes B and C of root node A are obtained, and the process tree of Figure 4 follows from this procedure. It should be noted that the process tree changes as processes start and stop, so the process trees of the user terminal at different moments can be obtained, and comparing the process trees of two consecutive moments yields the change in process start/stop behaviour.
In another alternative embodiment of the present invention, the method may further include receiving a system snapshot of the user terminal at a certain moment; step 302, establishing the process trees of the user terminal at different moments from the process behaviour, may then include establishing them from the process behaviour on the basis of the system snapshot. In the embodiment, the system snapshot represents the system state of the user terminal at moment T, which may include the processes present at moment T and their behaviour, the registry, files and similar state. The system snapshot can be regarded as containing the process tree at moment T, so building the process trees at later moments from the process behaviour on top of the snapshot reduces the computation needed and makes the construction more efficient.
In another alternative embodiment of the present invention, the system snapshot may be the system state of the user terminal at a first moment T1 and the process behaviour may include process start/stop behaviour; establishing the process trees of the user terminal at different moments from the process behaviour on the basis of the system snapshot may then include obtaining the process tree of the user terminal at a second moment T2 from the process start/stop behaviour after T1, where T2 is later than T1. That is, nodes are added to or deleted from process tree 1 corresponding to the system snapshot to obtain the process tree at T2. Optionally, T1 may be any moment after the operating system has finished starting: for example, if the operating system finishes starting at T0, T1 may be the next moment after T0; the embodiment does not limit the specific T1.
In an alternative embodiment of the present invention, the process behaviour may include the series of behaviours a process produces after starting, such as process start/stop behaviour and/or memory behaviour and/or change behaviour; step 302, establishing the mapping between each process in the process tree and its process behaviour, may then include establishing, for each process in the process tree, the mapping between that process and its process start/stop behaviour and/or memory behaviour and/or change behaviour.
After step 302 has established the process trees of the user terminal at different moments and the mapping between each process in the tree and its behaviour, step 303 may obtain from the process tree a target process that matches a preset process behaviour pattern.
A preset behaviour pattern represents a suspicious or malicious pattern of process behaviour. In practice, those skilled in the art may determine any preset behaviour pattern required by the application. In an alternative embodiment of the present invention, the preset behaviour pattern may be a document-associated process starting a non-operating-system process, for example the winword process starting a non-Microsoft child process, winword being a document-associated process. In another alternative embodiment, the preset behaviour pattern may be a process changing a first file in the file system and then accessing and encrypting a second file; for example, a process changing a file in the MFT (Master File Table) and then rapidly accessing Office documents. This pattern is characteristic of ransomware: the malicious process first deletes file records in the MFT so that the files cannot be recovered, then looks for documents and encrypts them.
In practice, each process in the process tree may be traversed; for the current process reached by the traversal, its process behaviour is obtained from the mapping and it is judged whether the current behaviour matches the preset behaviour pattern. The embodiment does not limit the specific procedure for obtaining from the process tree a target process that matches the preset process behaviour pattern.
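Steps 302 and 303 above describe one pipeline: a process tree at T2 built from the snapshot at T1 plus later start/stop events, a process-to-behaviour mapping, and a traversal that matches the two preset patterns given as examples. The Python below is an added example written for this page, not the patent's code; the event format, the process names, the "rapid" window and the allowlist standing in for "Microsoft process" are assumptions (a real deployment would check the code signer rather than trust file names), and the reported events are constructed.

```python
"""Process tree at T2 from a snapshot at T1 plus reported events, the mapping
process -> behaviours, and a traversal for the two preset behaviour patterns:
a document-associated process starting a non-Microsoft process, and an MFT
change followed rapidly by access to and encryption of an Office document.

Added illustrative code, not the patent's own. Event format, process names and
the MICROSOFT_PROCS allowlist are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

DOC_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
MICROSOFT_PROCS = {"splwow64.exe", "msiexec.exe", "conhost.exe"}  # assumed allowlist
OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
RAPID_WINDOW = 10.0  # seconds between the MFT change and the document access (assumed)


@dataclass
class Node:
    pid: int
    ppid: int
    name: str
    started: float
    stopped: Optional[float] = None
    children: list = field(default_factory=list)
    behaviours: list = field(default_factory=list)  # (time, kind, detail)


class ProcessTree:
    def __init__(self, snapshot, t1):
        """Process tree 1 from the snapshot at T1, given as (pid, ppid, name)."""
        self.nodes = {}
        for pid, ppid, name in snapshot:
            self.add(pid, ppid, name, t1)

    def add(self, pid, ppid, name, when):
        self.nodes[pid] = Node(pid, ppid, name.lower(), when)
        parent = self.nodes.get(ppid)
        if parent is not None:
            parent.children.append(pid)

    def apply(self, ev):
        """Apply one reported event. Stopped processes stay in the tree so
        their behaviour mapping survives for analysis (a design choice here)."""
        if ev["kind"] == "start":
            self.add(ev["pid"], ev["ppid"], ev["name"], ev["t"])
            return
        node = self.nodes.get(ev["pid"])
        if node is None:
            return
        if ev["kind"] == "stop":
            node.stopped = ev["t"]
        else:
            node.behaviours.append((ev["t"], ev["kind"], ev.get("detail", "")))


def build_tree(snapshot, t1, events, t2=float("inf")):
    """Tree at T2 = snapshot at T1 plus the events with T1 < t <= T2, in order."""
    tree = ProcessTree(snapshot, t1)
    for ev in sorted(events, key=lambda e: e["t"]):
        if t1 < ev["t"] <= t2:
            tree.apply(ev)
    return tree


def doc_process_spawns_non_microsoft(tree, node):
    parent = tree.nodes.get(node.ppid)
    return parent is not None and parent.name in DOC_PROCS and node.name not in MICROSOFT_PROCS


def mft_change_then_document_encrypt(node):
    mft_time, accessed = None, set()
    for when, kind, detail in sorted(node.behaviours):
        path = detail.lower()
        if kind == "file_modify" and path.endswith("$mft"):
            mft_time = when
        elif mft_time is None or when - mft_time > RAPID_WINDOW:
            continue  # not rapid enough after the MFT change, or no change yet
        elif kind == "file_access" and path.endswith(OFFICE_EXT):
            accessed.add(path)
        elif kind == "file_encrypt" and path in accessed:
            return True
    return False


PATTERNS = {
    "doc_process_spawns_non_microsoft": lambda tree, n: doc_process_spawns_non_microsoft(tree, n),
    "mft_change_then_document_encrypt": lambda tree, n: mft_change_then_document_encrypt(n),
}


def find_targets(tree):
    """Step 303: traverse every process, return {pid: [matched pattern names]}."""
    hits = {}
    for pid, node in tree.nodes.items():
        matched = [name for name, test in PATTERNS.items() if test(tree, node)]
        if matched:
            hits[pid] = matched
    return hits


# Constructed sample report from one terminal (not real telemetry).
SNAPSHOT_T1 = [(4, 0, "System"), (800, 4, "explorer.exe")]
EVENTS = [
    {"t": 10, "kind": "start", "pid": 1200, "ppid": 800, "name": "WINWORD.EXE"},
    {"t": 11, "kind": "start", "pid": 1250, "ppid": 1200, "name": "splwow64.exe"},
    {"t": 12, "kind": "start", "pid": 1300, "ppid": 1200, "name": "dropper.exe"},
    {"t": 13, "kind": "file_modify", "pid": 1300, "detail": r"C:\$MFT"},
    {"t": 14, "kind": "file_access", "pid": 1300, "detail": r"C:\Users\a\report.docx"},
    {"t": 15, "kind": "file_encrypt", "pid": 1300, "detail": r"C:\Users\a\report.docx"},
    {"t": 16, "kind": "stop", "pid": 1250},
]

if __name__ == "__main__":
    print(find_targets(build_tree(SNAPSHOT_T1, 0, EVENTS)))
    # {1300: ['doc_process_spawns_non_microsoft', 'mft_change_then_document_encrypt']}
```

Passing a smaller t2 to build_tree gives the tree at an earlier moment, which is how the "process trees at different moments" of step 302 fall out of the same event stream: at t2=12 the dropper has only just started and matches the first pattern alone; at t2=11 it is not in the tree at all.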
Step 304 may judge, from the process behaviour of the target process obtained in step 303, whether the target process is a threat process.
The embodiment of the present invention may provide the following judgement modes for judging from the process behaviour of the target process whether it is a threat process:
Judgement mode 1: sending corresponding alarm information for the target process, so that an administrator judges, from the alarm information and the process behaviour of the target process, whether the target process is a threat process; and/or
Judgement mode 2: taking the target process or a descendant process of the target process as the process to be analysed, and judging from the execution parameters of the process behaviour of the process to be analysed whether the target process is a threat process.
In judgement mode 1, corresponding alarm information is sent for the target process; the administrator receives it and judges manually whether the target process is a threat process, for example by analysing the process behaviour manually and judging from the result of the analysis. The analysis may include excluding specific fields such as the execution parameters of the behaviour, statistical operations and the like.
In judgement mode 2, the target process or a descendant process of the target process is taken as the process to be analysed. The execution parameters of the process behaviour of the process to be analysed indicate which behaviours the target process, or its descendant processes, produced, so whether the target process is a threat process can be judged from those execution parameters.
In an alternative embodiment of the present invention, judging from the execution parameters of the process behaviour of the process to be analysed whether the target process is a threat process may include:
if a command-line script environment parameter included in the execution parameters relates to script encoding (the "script encryption" behaviour of the claims), the security detection result of the target process is unsafe; and/or
if a policy exclusion parameter included in the execution parameters relates to bypassing the execution restriction policy, the security detection result of the target process is unsafe.
Here, powershell is one example of a command-line script environment parameter: if the run parameters of powershell include script encoding behaviour such as the enc parameter (which passes the script as a base64-encoded command), the security detection result of the target process may be regarded as unsafe.
Excludepolicy is one example of a policy exclusion parameter: if Excludepolicy relates to bypassing the execution restriction policy, the security detection result of the target process may be regarded as unsafe. The execution restriction policy is a group policy which, when the restriction is enabled, prevents commands from being executed through powershell; however, there are many ways of bypassing it, which gives malicious processes an opportunity. When detecting the security of the target process from the execution parameters of the process behaviour of the process to be analysed, the embodiment may execute those parameters with the execution restriction policy enabled; if executing the parameters produces a corresponding prompt message, the embodiment may capture that prompt message through an EDR (endpoint detection and response) component, and if the capture succeeds, Excludepolicy is regarded as relating to bypassing the execution restriction policy, and the security detection result of the target process is accordingly regarded as unsafe.
It will be understood that detecting whether a command-line script environment parameter in the execution parameters relates to script encoding, and whether a policy exclusion parameter relates to bypassing the execution restriction policy, are only alternative embodiments of the present invention; those skilled in the art may also detect other behaviours included in the execution parameters according to practical requirements, and the embodiment does not limit the specific procedure for detecting the security of the target process from the execution parameters of the process behaviour of the process to be analysed. In addition, in the embodiment the security detection result of the target process may also be "safe".
In summary, the LAN-based safety detection method of the embodiment of the present invention obtains, based on analysis of the process trees of a user terminal at different moments and of the mapping relations between each process and its process behaviour in those process trees, a target process matching a preset process behaviour pattern, and detects the safety of the target process according to its process behaviour. Therefore, compared with a conventional virus signature database, the embodiment can detect unknown threats and potential safety hazards in the LAN more promptly by means of the process trees at different moments, the mapping relations between each process and its process behaviour in those process trees, and the preset behaviour patterns characterising suspicious or malicious patterns of process behaviour, thereby improving the timeliness of safety detection and achieving effective prevention of viruses.
In practical applications, the server may determine in any manner which user terminals in the LAN are affected by the threat process. For example, the affected user terminals may be determined by way of feedback from the user terminals. In an application example of the present invention, suppose a user terminal experiences a system exception after downloading the email attachment "buying table.doc"; the user terminal may then report the process corresponding to the attachment "buying table.doc" as a threat process, and the server may take the user terminal corresponding to that threat process as a user terminal in the LAN affected by the threat process.
In an alternative embodiment of the present invention, the user terminals in the LAN affected by the threat process may be detected more promptly through the file transmission events reported by the user terminals, so that repair processing of the affected terminals can be carried out as early as possible; in this way the influence of the threat process on the user terminals is stopped in time, and the users of those terminals are, to a certain degree, effectively protected.
Referring to Figure 5, a flow chart of the steps of a method of determining the user terminals in a LAN affected by the threat process according to an embodiment of the present invention is shown, which may specifically include the following steps:
Step 501: obtaining, from file transmission events acquired in advance, the file transmission events to be analysed that correspond to the threat process; wherein the file transmission events are events reported by the user terminals in the LAN;
Step 502: analysing the information of the file transmission events to be analysed, so as to obtain the user terminals in the LAN affected by the threat process.
In the embodiment of the present invention, a third control instruction may be used to instruct a user terminal to report file transmission events to the server; after receiving the third control instruction, the user terminal may monitor local file transmission events and report the monitored file transmission events to the server.
In the embodiment of the present invention, a file transmission event may represent a circulation event of a file on the user-terminal side. Optionally, the information of a file transmission event may include at least one of the following: time information, channel information, file information, file transmission direction and terminal information. The time information may represent the time at which the file transmission event occurred. The channel information may represent the channel of the file transmission event and may, optionally, be the information of the application program or the website corresponding to the event. The file information identifies the file and may include, without limitation, the file name, the file path and a file feature; the file feature may be, for example, an MD5 (Message Digest Algorithm 5) digest, it being understood that the embodiment of the present invention does not limit the specific file feature (in practice a collision-resistant digest such as SHA-256 is preferable to MD5, since an attacker can construct distinct files with the same MD5 digest). The file transmission direction may be inbound or outbound. The terminal information may represent the user terminal at which the file transmission event occurred.
In an application example of the present invention, the file transmission events may include at least one of: browser file transmission, IM (Instant Messaging) file transmission, email attachment transmission, USB flash disk file transmission and download-tool file transmission. Each file transmission event on the user-terminal side is reported to the server, and the report may include the information of each file transmission event.
After receiving the file transmission events reported by each user terminal, the server may record the information of the received file transmission events. It should be noted that the embodiment of the present invention may record only file information such as the file name, the file path or the file feature of a file transmission event; because that file information is sufficient for tracing the propagation path of the file, the information of file transmission events can be recorded without retaining the file itself, which saves storage space on the server.
After the threat process has been obtained, step 501 may obtain, from the file transmission events acquired in advance, the file transmission events to be analysed that correspond to the threat process. Optionally, the abnormal file information involved with the threat process may be matched against the information of each file transmission event, and each file transmission event for which the match succeeds is taken as a file transmission event to be analysed; for example, the file feature of the abnormal file may be matched against the file feature of the file transmission events. It will be understood that the embodiment of the present invention does not limit the specific process of obtaining, from the file transmission events acquired in advance, the file transmission events to be analysed that correspond to the threat process.
Step 502 may analyse the information of the file transmission events to be analysed obtained in step 501, so as to obtain the user terminals in the LAN affected by the threat process.
Because a file transmission event may represent a circulation event of a file on the user-terminal side, and every file transmission event on the user-terminal side is reported to the server, the embodiment of the present invention can obtain the user terminals in the LAN affected by the threat process by analysing the information of the file transmission events to be analysed that relate to the threat process. That is, through the file transmission events reported by the user terminals, the embodiment detects the affected user terminals more promptly, so that repair processing of the affected terminals can be carried out as early as possible; in this way the influence of the threat process on the user terminals is stopped in time, and the users of those terminals are, to a certain degree, effectively protected.
In an alternative embodiment of the present invention, step 502 of analysing the information of the file transmission events to be analysed may include: obtaining, according to the terminal information of the file transmission events to be analysed, the user terminals in the LAN affected by the threat process. Because the file transmission events to be analysed correspond to the threat process, the affected user terminals can be obtained from their terminal information. In an application example of the present invention, suppose the abnormal file is "buying table.doc" and its first file transmission event in the LAN is transmission as an email attachment; suppose user 1 of file transmission event 1 further generates a second file transmission event by sending the abnormal file to user 2 by IM, and user 2 further generates a third file transmission event by sending the abnormal file to user 3 as an email attachment, and so on; suppose further that user 1, user 2 and user 3 also trigger other file transmission events of the abnormal file, so that N file transmission events to be analysed are obtained, N being a positive integer. The embodiment of the present invention may then regard the terminals corresponding to the N file transmission events as the affected terminals.
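The following is an added example (not code from the patent) of the record-and-trace logic of steps 501 and 502 over constructed file transmission events. The server keeps only event information (here the MD5 digest as the file feature, never the file itself), matches the abnormal file of a threat process against that information, and derives the affected terminals, the hop-by-hop propagation path and the targets of the early-warning notifications. The field names, channel labels, terminal names, file paths and all sample events are assumptions of this example; the digests are computed from constructed byte strings so that the example is reproducible offline.

```python
"""Record file transmission event information and trace an abnormal file through a LAN.

Added example; field names, channel labels and all sample events are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileTransferEvent:
    time: int          # time of occurrence (a monotonic counter in this example)
    channel: str       # email, im, browser, usb or download_tool
    file_name: str
    file_path: str
    md5: str           # file feature reported by the terminal; the file itself is not stored
    direction: str     # "in" (received) or "out" (sent)
    terminal: str      # user terminal that reported the event


# Constructed file contents, used only so that the file features are reproducible.
BAD_MD5 = hashlib.md5(b"constructed malicious document").hexdigest()
OK_MD5 = hashlib.md5(b"constructed harmless document").hexdigest()

# Constructed events following the propagation example in the text:
# email -> user1 -> IM -> user2 -> email -> user3, plus unrelated traffic.
EVENTS = [
    FileTransferEvent(1, "email", "buying table.doc", r"C:\Users\user1\Mail\buying table.doc", BAD_MD5, "in", "user1"),
    FileTransferEvent(2, "im", "buying table.doc", r"C:\Users\user1\Mail\buying table.doc", BAD_MD5, "out", "user1"),
    FileTransferEvent(3, "im", "buying table.doc", r"C:\Users\user2\IM\buying table.doc", BAD_MD5, "in", "user2"),
    FileTransferEvent(4, "browser", "report.pdf", r"C:\Users\user2\Downloads\report.pdf", OK_MD5, "in", "user2"),
    FileTransferEvent(5, "email", "buying table.doc", r"C:\Users\user2\IM\buying table.doc", BAD_MD5, "out", "user2"),
    FileTransferEvent(6, "email", "buying table.doc", r"C:\Users\user3\Mail\buying table.doc", BAD_MD5, "in", "user3"),
    FileTransferEvent(7, "usb", "buying table.doc", r"E:\buying table.doc", BAD_MD5, "out", "user3"),
]


def events_for_threat(abnormal_md5: str, events=EVENTS):
    """Step 501: select the events to be analysed by matching the file feature
    of the abnormal file involved with the threat process, oldest first."""
    return sorted((e for e in events if e.md5 == abnormal_md5), key=lambda e: e.time)


def affected_terminals(abnormal_md5: str, events=EVENTS):
    """Step 502: every terminal named in a matching event is an affected terminal."""
    return {e.terminal for e in events_for_threat(abnormal_md5, events)}


def propagation_path(abnormal_md5: str, events=EVENTS):
    """The matching events in time order give the propagation path of the file."""
    return [(e.time, e.terminal, e.channel, e.direction)
            for e in events_for_threat(abnormal_md5, events)]


def warning_targets(abnormal_md5: str, events=EVENTS):
    """Early warning: terminals that received (and therefore store) the file get the
    first notification; USB devices the file was copied to get the second."""
    matched = events_for_threat(abnormal_md5, events)
    storing = sorted({e.terminal for e in matched if e.direction == "in"})
    usb = sorted({e.file_path for e in matched if e.channel == "usb"})
    return {"first_notification": storing, "second_notification_usb": usb}


if __name__ == "__main__":
    print("affected:", sorted(affected_terminals(BAD_MD5)))
    for hop in propagation_path(BAD_MD5):
        print(hop)
    print(warning_targets(BAD_MD5))
```

Matching on the file feature rather than on the file name is what makes the trace robust to a renamed attachment; the same digest is reported whatever the file was called on each hop.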
In another alternative embodiment of the present invention, the method of this embodiment may further include: performing early-warning processing on the affected user terminals. For example, the early-warning processing may send a first notification message to the user terminals storing the abnormal file and a second notification message to the USB flash disks storing the abnormal file, so as to close off the propagation path.
In summary, because a file transmission event may represent a circulation event of a file on the user-terminal side and every file transmission event on the user-terminal side is reported to the server, the LAN-based safety detection method of the embodiment of the present invention can, by analysing the information of the file transmission events to be analysed that relate to the threat process, detect the user terminals in the LAN affected by the threat process more promptly, so that repair processing of the affected terminals can be carried out as early as possible; in this way the influence of the threat process on the user terminals is stopped in time, and the users of those terminals are, to a certain degree, effectively protected.
For the sake of brevity, the method embodiments are each described as a series of combinations of actions; those skilled in the art will know, however, that the embodiments of the present invention are not limited by the described order of actions, since according to the embodiments of the present invention some steps may be performed in another order or simultaneously. Secondly, those skilled in the art will also know that the embodiments described in the specification are alternative embodiments, and that the actions involved are not necessarily required by the embodiments of the present invention.
Referring to Figure 6, a structural block diagram of a LAN-based threat processing apparatus according to an embodiment of the present invention is shown, which may specifically include the following modules:
a local threat processing module 601, for performing, for a target user terminal in a LAN, threat processing on a threat process; wherein the target user terminal is a subset of the user terminals in the LAN affected by the threat process; and
a global threat processing module 602, for performing, after the threat processing on the threat process, if the target user terminal exhibits no exception, the same threat processing as on the target user terminal for all user terminals in the LAN affected by the threat process;
wherein the local threat processing module 601 may include:
a first threat processing submodule 611, for performing first threat processing on the threat process on the target user terminal;
a second threat processing submodule 612, for performing, after the first threat processing on the threat process, if the target user terminal exhibits an exception, second threat processing on the threat process on the target user terminal.
Optionally, the first threat processing may include isolation processing, and the second threat processing may include system repair processing or system reinstallation processing.
Optionally, the first threat processing submodule 611 may include:
a process killing unit, for killing the threat process on the target user terminal;
a process isolation unit, for isolating the threat process on the target user terminal after the threat process has been killed.
Optionally, the apparatus may further include an exception monitoring module, for monitoring, after the first threat processing on the threat process, whether the target user terminal exhibits an exception;
the exception monitoring module may include:
a first exception monitoring submodule, for monitoring, within a preset time period after the first threat processing on the threat process, the working state of the operating system of the target user terminal, and judging according to the working state whether the target user terminal exhibits an exception; and/or
a second exception monitoring submodule, for judging, within a preset time period after the first threat processing on the threat process, whether the target user terminal exhibits an exception according to feedback information from the user.
Optionally, the local threat processing module 601 may further include:
a third threat processing submodule, for performing, after the second threat processing on the threat process on the target user terminal, if the target user terminal exhibits an exception, third threat processing on the threat process on the target user terminal.
Optionally, the global threat processing module 602 may include:
a first global threat processing submodule, for performing, after the first threat processing on the threat process, if the target user terminal exhibits no exception, the first threat processing on the threat process on all user terminals in the LAN affected by the threat process; or
a second global threat processing submodule, for performing, after the second threat processing on the threat process, if the target user terminal exhibits no exception, the second threat processing on the threat process on all user terminals in the LAN affected by the threat process; or
a third global threat processing submodule, for performing, after the third threat processing on the threat process, if the target user terminal exhibits no exception, the third threat processing on the threat process on all user terminals in the LAN affected by the threat process.
Optionally, the apparatus may further include a threat process acquisition module, for obtaining the threat process in the LAN;
the threat process acquisition module may include:
a receiving submodule, for receiving the process behaviour reported by the user terminals in the LAN;
an establishing submodule, for establishing, according to the process behaviour, the process trees of a user terminal at different moments and the mapping relations between each process and its process behaviour in those process trees;
a target process acquisition submodule, for obtaining from the process trees a target process matching a preset process behaviour pattern;
a threat judging submodule, for judging, according to the process behaviour of the target process, whether the target process is a threat process.
Optionally, the preset process behaviour pattern may include:
a file-associated process starting a non-operating-system process; and/or
a process, after changing a first file in the file system, accessing and encrypting a second file.
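As an added example (not code from the patent), the following builds the process tree of a terminal from reported process behaviour, keeps the mapping from each process to its behaviour, and picks out target processes matching the two preset patterns named above: a file-associated process (a document viewer) starting a process that is not an operating-system process, and a process that changes one file and then accesses and encrypts a different one. It also returns the descendants of a target, which the text treats as the processes to be analysed. The report format, the image-name lists and the sample reports are assumptions of this example.

```python
"""Process-tree construction and preset behaviour-pattern matching over behaviour reports.

Added example; report format, image-name lists and sample reports are constructed."""
from collections import defaultdict

# Constructed lists (assumption): which images count as file-associated / operating-system.
FILE_ASSOCIATED = {"winword.exe", "excel.exe", "acrord32.exe"}
OS_PROCESSES = {"conhost.exe", "splwow64.exe", "dllhost.exe"}

# Constructed behaviour reports: (time, pid, ppid, image, behaviour, detail).
REPORTS = [
    (1, 100, 1, "explorer.exe", "start", ""),
    (2, 200, 100, "winword.exe", "start", "buying table.doc"),
    (3, 300, 200, "splwow64.exe", "start", ""),               # OS helper, expected
    (4, 301, 200, "powershell.exe", "start", "-enc ..."),      # non-OS child of Word
    (5, 302, 301, "locker.exe", "start", ""),
    (6, 302, 301, "locker.exe", "file_change", r"C:\Users\user1\Documents\a.xlsx"),
    (7, 302, 301, "locker.exe", "file_access", r"C:\Users\user1\Documents\b.docx"),
    (8, 302, 301, "locker.exe", "encrypt", r"C:\Users\user1\Documents\b.docx"),
]


def build_process_tree(reports):
    """Process tree (pid -> ppid, pid -> image) plus the process-behaviour mapping."""
    image, parent, behaviours = {}, {}, defaultdict(list)
    for _, pid, ppid, img, behaviour, detail in sorted(reports):
        image[pid] = img
        parent[pid] = ppid
        behaviours[pid].append((behaviour, detail))
    return image, parent, behaviours


def ancestors(pid, parent):
    chain = []
    while pid in parent:
        pid = parent[pid]
        chain.append(pid)
    return chain


def descendants_of(pid, parent):
    """Descendant processes of a target process: the processes to be analysed."""
    return {child for child in parent if pid in ancestors(child, parent)}


def find_targets(reports=REPORTS):
    """Target processes matching the two preset patterns, as (pattern, pid, detail)."""
    image, parent, behaviours = build_process_tree(reports)
    targets = []
    for pid, img in image.items():
        # Pattern 1: a file-associated parent starts a non-OS process (target = the parent).
        if image.get(parent[pid]) in FILE_ASSOCIATED and img not in OS_PROCESSES:
            targets.append(("file_assoc_starts_non_os", parent[pid], pid))
        # Pattern 2: change file A, then access and encrypt a different file B.
        changed, accessed = None, set()
        for behaviour, detail in behaviours[pid]:
            if behaviour == "file_change":
                changed = detail
            elif behaviour == "file_access" and changed and detail != changed:
                accessed.add(detail)
            elif behaviour == "encrypt" and detail in accessed:
                targets.append(("change_then_encrypt_other", pid, detail))
                break
    return targets


if __name__ == "__main__":
    for hit in find_targets():
        print(hit)
    print(sorted(descendants_of(200, build_process_tree(REPORTS)[1])))
```

Pattern 1 returns the document process as the target and its descendants (here powershell.exe and locker.exe) as the processes whose execution parameters are then examined; the splwow64.exe child is on the operating-system list and is not flagged, which is the allow-list that keeps this pattern from firing on every print job.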
Optionally, the threat judging submodule may include:
a first threat judging unit, for issuing corresponding warning information for the target process, so that an administrator user judges, in response to the warning information and according to the process behaviour of the target process, whether the target process is a threat process; and/or
a second threat judging unit, for taking the target process or a descendant process of the target process as the process to be analysed, and judging, according to the execution parameters of the process behaviour of the process to be analysed, whether the target process is a threat process.
Optionally, the apparatus may further include a terminal determining module, for determining the user terminals in the LAN affected by the threat process;
the terminal determining module may include:
a transmission event acquisition submodule, for obtaining, from file transmission events acquired in advance, the file transmission events to be analysed that correspond to the threat process; wherein the file transmission events are events reported by the user terminals in the LAN;
a transmission event analysis submodule, for analysing the information of the file transmission events to be analysed, so as to obtain the user terminals in the LAN affected by the threat process.
Since the apparatus embodiments are substantially similar to the method embodiments, their description is relatively brief; for the relevant parts, reference may be made to the description of the method embodiments.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teaching herein; the structure required to construct such systems is apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It will be understood that various programming languages may be used to implement the invention described herein, and that the description above of a specific language is given to disclose the best mode of carrying out the invention.
Numerous specific details are set forth in the specification provided herein. It will be appreciated, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it will be appreciated that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the apparatus of an embodiment may be adaptively changed and arranged in one or more apparatuses different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the LAN-based threat processing method and apparatus according to the embodiments of the present invention. The present invention may also be implemented as an apparatus or device program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
The invention discloses A1, a LAN-based threat processing method, comprising:
performing, for a target user terminal in a LAN, threat processing on a threat process; wherein the target user terminal is a subset of the user terminals in the LAN affected by the threat process;
after the threat processing on the threat process, if the target user terminal exhibits no exception, performing, for all user terminals in the LAN affected by the threat process, the same threat processing as on the target user terminal;
wherein the step of performing, for the target user terminal in the LAN, threat processing on the threat process comprises:
performing first threat processing on the threat process on the target user terminal;
after the first threat processing on the threat process, if the target user terminal exhibits an exception, performing second threat processing on the threat process on the target user terminal.
A2, the method according to A1, wherein the first threat processing comprises isolation processing, and the second threat processing comprises system repair processing or system reinstallation processing.
A3, the method according to A2, wherein the step of performing first threat processing on the threat process on the target user terminal comprises:
killing the threat process on the target user terminal;
after the threat process has been killed, isolating the threat process on the target user terminal.
A4, the method according to any one of A1 to A3, further comprising: after the first threat processing on the threat process, monitoring whether the target user terminal exhibits an exception;
wherein the step of monitoring whether the target user terminal exhibits an exception comprises:
within a preset time period after the first threat processing on the threat process, monitoring the working state of the operating system of the target user terminal, and judging according to the working state whether the target user terminal exhibits an exception; and/or
within a preset time period after the first threat processing on the threat process, judging whether the target user terminal exhibits an exception according to feedback information from the user.
A5, the method according to A1, wherein the step of performing, for the target user terminal in the LAN, threat processing on the threat process further comprises:
after the second threat processing on the threat process on the target user terminal, if the target user terminal exhibits an exception, performing third threat processing on the threat process on the target user terminal.
A6, the method according to A1 or A5, wherein the step of performing, for all user terminals in the LAN affected by the threat process, the same threat processing as on the target user terminal comprises:
after the first threat processing on the threat process, if the target user terminal exhibits no exception, performing the first threat processing on the threat process on all user terminals in the LAN affected by the threat process; or
after the second threat processing on the threat process, if the target user terminal exhibits no exception, performing the second threat processing on the threat process on all user terminals in the LAN affected by the threat process; or
after the third threat processing on the threat process, if the target user terminal exhibits no exception, performing the third threat processing on the threat process on all user terminals in the LAN affected by the threat process.
A7, the method according to A1, A2, A3 or A5, wherein the threat process in the LAN is obtained as follows:
receiving the process behaviour reported by the user terminals in the LAN;
establishing, according to the process behaviour, the process trees of a user terminal at different moments and the mapping relations between each process and its process behaviour in those process trees;
obtaining from the process trees a target process matching a preset process behaviour pattern;
judging, according to the process behaviour of the target process, whether the target process is a threat process.
A8, the method according to A7, wherein the preset process behaviour pattern comprises:
a file-associated process starting a non-operating-system process; and/or
a process, after changing a first file in the file system, accessing and encrypting a second file.
A9, the method according to A7, wherein the step of judging, according to the process behaviour of the target process, whether the target process is a threat process comprises:
issuing corresponding warning information for the target process, so that an administrator user judges, in response to the warning information and according to the process behaviour of the target process, whether the target process is a threat process; and/or
taking the target process or a descendant process of the target process as the process to be analysed, and judging, according to the execution parameters of the process behaviour of the process to be analysed, whether the target process is a threat process.
A10, the method according to A1, A2, A3 or A5, wherein the user terminals in the LAN affected by the threat process are determined as follows:
obtaining, from file transmission events acquired in advance, the file transmission events to be analysed that correspond to the threat process; wherein the file transmission events are events reported by the user terminals in the LAN;
analysing the information of the file transmission events to be analysed, so as to obtain the user terminals in the LAN affected by the threat process.
The invention discloses B11, a kind of threat processing unit based on LAN, including:
Part threatens processing module, for for the target terminal user in LAN, being impended for threat process
Treatment;Wherein, the target terminal user is the certain customers' terminal influenceed by the threat process in the LAN;With
And
The overall situation threatens processing module, for after the treatment that impended for threat process, if the target terminal user
There is not exception, for the whole user terminals influenceed by the threat process in the LAN, carry out and the target
The threat of user terminal identical is processed;
Wherein, the part threat processing module includes:
First threatens treatment submodule, in the target terminal user, the first threat being carried out for threat process
Treatment;
Second threatens treatment submodule, for after the first threat treatment is carried out for threat process, if the target is used
There is exception in family terminal, then carry out the second threat treatment for the threat process in the target terminal user.
B12, the device as described in B11, the first threat treatment include:Isolation processing, described second threatens treatment bag
Include:System repair process or system refitting are processed.
B13, the device as described in B12, the first threat treatment submodule include:
Process killing unit, in the target terminal user, killing the threat process;
Process isolation unit, for after the threat process is killed, to the threat in the target terminal user
Process is isolated.
B14, the device as described in any in B11 to B13, described device also include:For being carried out for threat process
After first threat treatment, monitor whether the target terminal user abnormal exception monitoring module occurs;
The exception monitoring module includes:
First exception monitoring submodule, for the preset time period after the first threat treatment is carried out for threat process
It is interior, the working condition of the operating system of the target terminal user is monitored, judge the targeted customer according to the working condition
Whether terminal there is exception;And/or
Second exception monitoring submodule, for the preset time period after the first threat treatment is carried out for threat process
It is interior, according to the feedback information of user, judge whether the target terminal user exception occurs.
B15, the device as described in B11, the part threat processing module also include:
3rd threatens treatment submodule, and second is carried out for the threat process in the target terminal user for working as
After threat treatment, if exception occurs in the target terminal user, the threat process is entered in the target terminal user
The threat of row the 3rd is processed.
B16. The device of B11 or B15, wherein the global threat processing module comprises:
a first global threat treatment submodule, configured to carry out the first threat treatment for the threat process on all user terminals in the LAN affected by the threat process if, after the first threat treatment has been carried out for the threat process, the target user terminal shows no abnormality; or
a second global threat treatment submodule, configured to carry out the second threat treatment for the threat process on all user terminals in the LAN affected by the threat process if, after the second threat treatment has been carried out for the threat process, the target user terminal shows no abnormality; or
a third global threat treatment submodule, configured to carry out the third threat treatment for the threat process on all user terminals in the LAN affected by the threat process if, after the third threat treatment has been carried out for the threat process, the target user terminal shows no abnormality.
B17. The device of B11, B12, B13 or B15, further comprising a threat process acquisition module configured to acquire the threat process in the LAN;
the threat process acquisition module comprises:
a receiving submodule, configured to receive the process behaviours reported by the user terminals in the LAN;
a building submodule, configured to build, from the process behaviours, the process tree of a user terminal at different moments, together with the mapping between each process in the process tree and its process behaviours;
a target process acquisition submodule, configured to obtain from the process tree a target process that matches a preset process behaviour pattern;
a threat judgement submodule, configured to judge, from the process behaviour of the target process, whether the target process is a threat process.
B18. The device of B17, wherein the preset process behaviour pattern comprises:
a file-associated process starting a non-operating-system process; and/or
a process accessing a second file and encrypting it after changing a first file in the file system.
B19. The device of B17, wherein the threat judgement submodule comprises:
a first threat judgement unit, configured to send corresponding alert information for the target process, so that an administrator user, acting on the alert information, judges from the process behaviour of the target process whether the target process is a threat process; and/or
a second threat judgement unit, configured to take the target process or a descendant process of the target process as the process to be analysed, and to judge from the execution parameters of the process behaviour of the process to be analysed whether the target process is a threat process.
B20. The device of B11, B12, B13 or B15, further comprising a terminal determination module configured to determine the user terminals in the LAN affected by the threat process;
the terminal determination module comprises:
a transmission event acquisition submodule, configured to obtain, from file transmission events acquired in advance, the file transmission events to be analysed that correspond to the threat process, wherein the file transmission events are events reported by the user terminals in the LAN;
a transmission event analysis submodule, configured to analyse the information of the file transmission events to be analysed, so as to obtain the user terminals in the LAN affected by the threat process.
Claims (10)
1. A LAN-based threat processing method, comprising:
for a target user terminal in a LAN, carrying out threat treatment for a threat process, wherein the target user terminal is a subset of the user terminals in the LAN affected by the threat process;
after the threat treatment has been carried out for the threat process, if the target user terminal shows no abnormality, carrying out the same threat treatment as on the target user terminal for all user terminals in the LAN affected by the threat process;
wherein the step of carrying out threat treatment for the threat process on the target user terminal in the LAN comprises:
carrying out a first threat treatment for the threat process on the target user terminal;
after the first threat treatment has been carried out for the threat process, if the target user terminal shows an abnormality, carrying out a second threat treatment for the threat process on the target user terminal.
2. The method of claim 1, characterised in that the first threat treatment comprises isolation processing, and the second threat treatment comprises system repair processing or system reinstallation processing.
3. The method of claim 2, characterised in that the step of carrying out the first threat treatment for the threat process on the target user terminal comprises:
killing the threat process on the target user terminal;
after the threat process has been killed, isolating the threat process on the target user terminal.
4. The method of any of claims 1 to 3, characterised in that the method further comprises: after the first threat treatment has been carried out for the threat process, monitoring whether the target user terminal shows an abnormality;
the step of monitoring whether the target user terminal shows an abnormality comprises:
within a preset time period after the first threat treatment has been carried out for the threat process, monitoring the working condition of the operating system of the target user terminal, and judging from that working condition whether the target user terminal shows an abnormality; and/or
within a preset time period after the first threat treatment has been carried out for the threat process, judging from feedback information from the user whether the target user terminal shows an abnormality.
5. The method of claim 1, characterised in that the step of carrying out threat treatment for the threat process on the target user terminal in the LAN further comprises:
after the second threat treatment has been carried out for the threat process on the target user terminal, if the target user terminal still shows an abnormality, carrying out a third threat treatment for the threat process on the target user terminal.
6. The method of claim 1 or 5, characterised in that the step of carrying out the same threat treatment as on the target user terminal for all user terminals in the LAN affected by the threat process comprises:
after the first threat treatment has been carried out for the threat process, if the target user terminal shows no abnormality, carrying out the first threat treatment for the threat process on all user terminals in the LAN affected by the threat process; or
after the second threat treatment has been carried out for the threat process, if the target user terminal shows no abnormality, carrying out the second threat treatment for the threat process on all user terminals in the LAN affected by the threat process; or
after the third threat treatment has been carried out for the threat process, if the target user terminal shows no abnormality, carrying out the third threat treatment for the threat process on all user terminals in the LAN affected by the threat process.
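The escalation in claims 1 to 6 is a state machine: a treatment is only rolled out LAN-wide once the target terminal is confirmed healthy after it. The Python model below is an added example, not code from the patent or its applicant; the class and function names are hypothetical, and the effects on a host are simulated flags rather than real kill, quarantine or reinstall actions.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, List, Optional

# Constructed model of the staged handling in claims 1 to 6; names are hypothetical and
# the host state changes are simulated flags rather than real actions.

class Treatment(IntEnum):
    ISOLATE = 1  # first treatment: kill the threat process, then quarantine it (claim 3)
    REPAIR = 2   # second treatment: system repair or system reinstall (claim 2)
    THIRD = 3    # third treatment: not specified on the page; modelled as a final escalation

@dataclass
class Terminal:
    name: str
    threat_running: bool = True
    quarantined: bool = False
    os_damaged: bool = False  # simulated damage the threat process left in the OS
    applied: List[Treatment] = field(default_factory=list)

def apply_treatment(term: Terminal, level: Treatment) -> None:
    """Apply one treatment level to a terminal (effects are simulated flags)."""
    term.applied.append(level)
    if level == Treatment.ISOLATE:
        term.threat_running = False  # kill the process ...
        term.quarantined = True      # ... then isolate it
    elif level == Treatment.REPAIR:
        term.os_damaged = False      # repair or reinstall restores the OS
    # THIRD: the page names no concrete action, so nothing further is simulated

def is_abnormal(term: Terminal, user_feedback: bool) -> bool:
    """Monitoring after a treatment (claim 4): OS working condition and/or user feedback."""
    return term.threat_running or term.os_damaged or user_feedback

def treat_target(target: Terminal, feedback: Callable[[Terminal], bool]) -> Optional[Treatment]:
    """Escalate ISOLATE -> REPAIR -> THIRD on the target until no abnormality remains.
    Returns the level after which the target was healthy, or None if all three failed."""
    for level in Treatment:
        apply_treatment(target, level)
        if not is_abnormal(target, feedback(target)):
            return level
    return None

def handle_threat(target: Terminal, affected: List[Terminal],
                  feedback: Callable[[Terminal], bool]) -> Optional[Treatment]:
    """Claims 1 and 6: only once the target is healthy is the treatment it received rolled
    out to every other terminal in the LAN that the threat process affected."""
    level = treat_target(target, feedback)
    if level is not None:
        for term in affected:
            if term is not target:
                for step in target.applied:  # same treatment sequence as the target terminal
                    apply_treatment(term, step)
    return level
```

The `feedback` callable stands in for the user feedback channel of claim 4; a terminal whose user keeps reporting problems never becomes "healthy", so nothing is propagated from it.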
7. The method of claim 1, 2, 3 or 5, characterised in that the threat process in the LAN is obtained as follows:
receiving the process behaviours reported by the user terminals in the LAN;
building, from the process behaviours, the process tree of a user terminal at different moments, together with the mapping between each process in the process tree and its process behaviours;
obtaining from the process tree a target process that matches a preset process behaviour pattern;
judging, from the process behaviour of the target process, whether the target process is a threat process.
8. The method of claim 7, characterised in that the preset process behaviour pattern comprises:
a file-associated process starting a non-operating-system process; and/or
a process accessing a second file and encrypting it after changing a first file in the file system.
9. The method of claim 7, characterised in that the step of judging, from the process behaviour of the target process, whether the target process is a threat process comprises:
sending corresponding alert information for the target process, so that an administrator, acting on the alert information, judges from the process behaviour of the target process whether the target process is a threat process; and/or
taking the target process or a descendant process of the target process as the process to be analysed, and judging from the execution parameters of the process behaviour of the process to be analysed whether the target process is a threat process.
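Claims 7 and 8 describe the detection side: reported process behaviours are turned into a time-ordered process tree with a per-process behaviour mapping, and candidate processes are those matching one of the two preset patterns. The Python below is an added example, not the patent's code; the event schema, the process names, the OS allow-list and the `file_assoc` origin tag are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed example for claims 7 and 8; event schema, names and allow-list are assumptions.
OS_PROCESSES: Set[str] = {"explorer.exe", "svchost.exe", "conhost.exe"}  # constructed allow-list

@dataclass
class Event:
    ts: int           # report time; orders the tree that is built "at different moments"
    pid: int
    ppid: int
    name: str
    action: str       # "start" | "write" | "read" | "encrypt"
    target: str = ""  # "start": origin "file_assoc"/"user"/"system"; otherwise the file path

class ProcessTree:
    """Process tree plus the mapping from each process to its reported behaviours (claim 7)."""
    def __init__(self, events: List[Event]) -> None:
        self.name: Dict[int, str] = {}
        self.origin: Dict[int, str] = {}
        self.children: Dict[int, List[int]] = defaultdict(list)
        self.behaviour: Dict[int, List[Event]] = defaultdict(list)
        for e in sorted(events, key=lambda ev: ev.ts):
            if e.action == "start":
                self.name[e.pid], self.origin[e.pid] = e.name, e.target
                self.children[e.ppid].append(e.pid)
            else:
                self.behaviour[e.pid].append(e)

def file_assoc_spawns_non_os(tree: ProcessTree, pid: int) -> bool:
    """Pattern 1: a process launched through a file association starts a non-OS process."""
    return tree.origin.get(pid) == "file_assoc" and any(
        tree.name.get(c) not in OS_PROCESSES for c in tree.children.get(pid, []))

def modify_then_encrypt_other(tree: ProcessTree, pid: int) -> bool:
    """Pattern 2: after changing one file, the process accesses a second file and encrypts it."""
    modified, accessed_after = set(), set()
    for e in tree.behaviour.get(pid, []):  # already in time order
        if e.action == "write":
            modified.add(e.target)
        elif e.action == "read" and modified and e.target not in modified:
            accessed_after.add(e.target)
        elif e.action == "encrypt" and e.target in accessed_after:
            return True
    return False

def find_target_processes(tree: ProcessTree) -> Dict[int, List[str]]:
    """Processes matching a preset pattern, with the reason an administrator alert would carry."""
    checks = [(file_assoc_spawns_non_os, "file-associated process started a non-OS process"),
              (modify_then_encrypt_other, "modified one file, then accessed and encrypted another")]
    return {p: r for p in tree.name if (r := [m for f, m in checks if f(tree, p)])}

# Constructed reports from one terminal: a document handler opened via file association spawns updater.exe
SAMPLE = [Event(1, 100, 1, "winword.exe", "start", "file_assoc"),
          Event(2, 200, 100, "updater.exe", "start", "user"),
          Event(3, 200, 100, "updater.exe", "write", "C:/docs/a.docx"),
          Event(4, 200, 100, "updater.exe", "read", "C:/docs/b.xlsx"),
          Event(5, 200, 100, "updater.exe", "encrypt", "C:/docs/b.xlsx"),
          Event(6, 300, 1, "svchost.exe", "start", "system")]
```

Note that the parent (pid 100) and the child (pid 200) are flagged for different reasons; claim 9 then leaves the final threat verdict to an administrator alert and/or to the execution parameters of the target process or its descendants.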
10. A LAN-based threat processing device, comprising:
a local threat processing module, configured to carry out threat treatment for a threat process on a target user terminal in a LAN, wherein the target user terminal is a subset of the user terminals in the LAN affected by the threat process; and
a global threat processing module, configured to carry out, after the threat treatment has been carried out for the threat process and if the target user terminal shows no abnormality, the same threat treatment as on the target user terminal for all user terminals in the LAN affected by the threat process;
wherein the local threat processing module comprises:
a first threat treatment submodule, configured to carry out a first threat treatment for the threat process on the target user terminal;
a second threat treatment submodule, configured to carry out a second threat treatment for the threat process on the target user terminal if, after the first threat treatment has been carried out for the threat process, the target user terminal shows an abnormality.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611248756.3A CN106856477B (en) | 2016-12-29 | 2016-12-29 | Threat processing method and device based on local area network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611248756.3A CN106856477B (en) | 2016-12-29 | 2016-12-29 | Threat processing method and device based on local area network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106856477A true CN106856477A (en) | 2017-06-16 |
CN106856477B CN106856477B (en) | 2020-05-19 |
Family ID: 59126600
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611248756.3A Active CN106856477B (en) | 2016-12-29 | 2016-12-29 | Threat processing method and device based on local area network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106856477B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109189584A (en) * | 2018-07-05 | 2019-01-11 | 北京三快在线科技有限公司 | Communication means, device, electronic equipment and storage medium between application program |
CN112866291A (en) * | 2021-03-03 | 2021-05-28 | 哈尔滨安天科技集团股份有限公司 | Method and device for generating threat disposal script and computer readable medium |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080091681A1 (en) * | 2006-10-12 | 2008-04-17 | Saket Dwivedi | Architecture for unified threat management |
EP2234046A2 (en) * | 2009-03-27 | 2010-09-29 | Bank of America Corporation | Methods and apparatuses for communicating preservation notices |
CN103618626A (en) * | 2013-11-28 | 2014-03-05 | 北京奇虎科技有限公司 | Method and system for generating safety analysis report on basis of logs |
CN103886256A (en) * | 2012-12-21 | 2014-06-25 | 珠海市君天电子科技有限公司 | Method and system for dynamically intercepting computer viruses on basis of checking and killing |
CN103929413A (en) * | 2013-12-16 | 2014-07-16 | 汉柏科技有限公司 | Method and device for preventing cloud network from being attacked |
US20140201807A1 (en) * | 2013-01-07 | 2014-07-17 | Optio Labs, Inc. | Systems and methods for enforcing security in mobile computing |
CN104216811A (en) * | 2013-05-30 | 2014-12-17 | 腾讯科技(深圳)有限公司 | Log collecting method and system of application program |
CN104539611A (en) * | 2014-12-26 | 2015-04-22 | 北京奇虎科技有限公司 | Method, device and system for managing shared file |
CN105630636A (en) * | 2016-01-26 | 2016-06-01 | 陈谦 | Dynamical recovery method and device for operating system of intelligent electronic device |
CN105868627A (en) * | 2016-04-11 | 2016-08-17 | 北京金山安全软件有限公司 | User terminal control method and user terminal |
CN105915556A (en) * | 2016-06-29 | 2016-08-31 | 北京奇虎科技有限公司 | Method and equipment for determining attack surfaces of terminals |
Also Published As
Publication number | Publication date |
---|---|
CN106856477B (en) | 2020-05-19 |
Similar Documents
Publication | Title |
---|---|
Zhang et al. | An IoT honeynet based on multiport honeypots for capturing IoT attacks |
US10623440B2 | Method and system for protecting web applications against web attacks |
CN106650436B | A kind of safety detection method and device based on local area network |
Vasilescu et al. | Practical malware analysis based on sandboxing |
Hand et al. | Active security |
Sood et al. | Dissecting SpyEye - Understanding the design of third generation botnets |
Dahbul et al. | Enhancing honeypot deception capability through network service fingerprinting |
CN105939311A | Method and device for determining network attack behavior |
Dondossola et al. | Effects of intentional threats to power substation control systems |
CN114826662B | Custom rule protection method, device, equipment and readable storage medium |
Efendi et al. | A survey on deception techniques for securing web application |
Gupta | HoneyKube: designing a honeypot using microservices-based architecture |
CN106856478A | A kind of safety detection method and device based on LAN |
CN106856477A | A kind of threat treating method and apparatus based on LAN |
Alqahtani et al. | An intelligent intrusion prevention system for cloud computing (SIPSCC) |
Yagi et al. | Investigation and analysis of malware on websites |
CN109218315B | Safety management method and safety management device |
Betts et al. | Developing a state of the art methodology and toolkit for ICS SCADA forensics |
Joshi et al. | A Detailed Evaluation of SQL Injection Attacks, Detection and Prevention Techniques |
Achbarou et al. | Cloud security: a multi agent approach based intrusion detection system |
Barika et al. | Agent IDS based on misuse approach |
Jillepalli et al. | Operational characteristics of modern malware: Pco threats |
CN106657102A | LAN based threat processing method and device |
Katsinis et al. | A framework for intrusion deception on web servers |
Meetei | Mathematical model of security approaches on cloud computing |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park). Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; QAX Technology Group Inc. Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park). Applicant before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; BEIJING QIANXIN TECHNOLOGY Co.,Ltd. |
GR01 | Patent grant | |