CN108092795A - A kind of reminding method, terminal device and computer-readable medium - Google Patents


Publication number
CN108092795A
Authority
CN
China
Prior art keywords
instruction
dangerous
record information
operation instruction
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201711111476.2A
Other languages
Chinese (zh)
Inventor
段文敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Jinli Communication Equipment Co Ltd
Original Assignee
Shenzhen Jinli Communication Equipment Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Jinli Communication Equipment Co Ltd filed Critical Shenzhen Jinli Communication Equipment Co Ltd
Priority to CN201711111476.2A priority Critical patent/CN108092795A/en
Publication of CN108092795A publication Critical patent/CN108092795A/en
Withdrawn legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the invention discloses a prompting method, a terminal device and a computer-readable medium. The method includes: obtaining log record information, the log record information including record information of at least one operation instruction; determining whether the log record information contains record information for a dangerous operation instruction, the dangerous operation instruction being an operation instruction which indicates that an exception is brought to a system; and, when the log record information contains record information for the dangerous operation instruction, prompting for the dangerous operation instruction. With the embodiment of the invention, dangerous operation instructions can be intelligently discovered during a hacker attack so that an early warning is given in time, improving information security.

Description

Prompting method, terminal equipment and computer readable medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a prompting method, a terminal device, and a computer-readable medium.
Background
With the popularization of the internet, a series of network security incidents has occurred frequently, and people pay more and more attention to information security. One major cause of network security incidents is hacker intrusion. A hacker usually launches attacks that are not easily detected by traditional antivirus software or an intrusion detection system, and steals the user's private information or causes network paralysis, information loss and other problems without the user being aware of the attack. Therefore, a security prompting scheme for counter-reconnaissance is needed.
Disclosure of Invention
The embodiment of the invention provides a prompting method, which can intelligently discover dangerous operation instructions during hacker intrusion and prompt early warning in time, so that the information security is improved.
In a first aspect, an embodiment of the present invention provides a method for prompting, where the method includes:
acquiring log recording information, wherein the log recording information comprises recording information of at least one operation instruction;
determining whether the log record information contains record information aiming at a dangerous operation instruction, wherein the dangerous operation instruction is an operation instruction which indicates that an exception is brought to a system;
and when the log record information contains record information aiming at the dangerous operation instruction, prompting aiming at the dangerous operation instruction.
In a second aspect, an embodiment of the present invention provides a terminal device, where the terminal device includes a unit configured to execute the method of the first aspect.
In a third aspect, an embodiment of the present invention provides another terminal device, which includes a processor, an input device, an output device, and a memory, where the processor, the input device, the output device, and the memory are connected to each other, where the memory is used to store a computer program that supports the terminal to execute the foregoing method, and the computer program includes program instructions, and the processor is configured to call the program instructions to execute the foregoing method according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, in which a computer program is stored, the computer program comprising program instructions, which, when executed by a processor, cause the processor to perform the method of the first aspect.
In the embodiment of the invention, the terminal equipment can obtain log record information, wherein the log record information comprises record information of at least one operation instruction; determining whether the log record information contains record information aiming at a dangerous operation instruction, wherein the dangerous operation instruction is an operation instruction which indicates that an exception is brought to a system; when the log record information contains record information aiming at the dangerous operation instruction, prompting aiming at the dangerous operation instruction; therefore, dangerous operation instructions invaded by hackers can be intelligently discovered, the problems of information leakage, information loss, network paralysis and the like in the prior art are avoided, and the information security is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments are briefly introduced below, the drawings in the description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a prompting method provided in an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a prompting method according to another embodiment of the present invention;
Fig. 3 is a schematic block diagram of a terminal device according to an embodiment of the present invention;
Fig. 4 is a schematic block diagram of a terminal device according to another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
In particular implementations, the terminals described in embodiments of the invention include, but are not limited to, other portable devices such as mobile phones, laptop computers, or tablet computers having touch sensitive surfaces (e.g., touch screen displays and/or touch pads). It should also be understood that in some embodiments, the device is not a portable communication device, but is a desktop computer having a touch-sensitive surface (e.g., a touch screen display and/or touchpad).
In the discussion that follows, a terminal that includes a display and a touch-sensitive surface is described. However, it should be understood that the terminal may include one or more other physical user interface devices such as a physical keyboard, mouse, and/or joystick.
The terminal supports various applications, such as one or more of the following: a drawing application, a presentation application, a word processing application, a website creation application, a disc burning application, a spreadsheet application, a gaming application, a telephone application, a video conferencing application, an email application, an instant messaging application, an exercise support application, a photo management application, a digital camera application, a web browsing application, a digital music player application, and/or a digital video player application.
Various applications that may be executed on the terminal may use at least one common physical user interface device, such as a touch-sensitive surface. One or more functions of the touch-sensitive surface and corresponding information displayed on the terminal can be adjusted and/or changed between applications and/or within respective applications. In this way, a common physical architecture (e.g., touch-sensitive surface) of the terminal can support various applications with user interfaces that are intuitive and transparent to the user.
In the course of making the present application, the applicant found that the process of hacking into a device system (such as a Linux server) leaves many execution traces of dangerous operation instructions on the device. If these dangerous operation instructions are recorded, collected and detected at the first opportunity, they are of significant value for security early warning of the device (such as a server), for reconstructing the course of the intrusion, and for finding the security holes of the device (server).
The following describes embodiments related to the present invention. Referring to fig. 1, which is a schematic flowchart of a prompting method provided in an embodiment of the present invention, the method shown in fig. 1 may include the following implementation steps:
step S102, the terminal device obtains log record information, wherein the log record information comprises record information of at least one operation instruction.
The log record information refers to an information set formed by arranging all operations and operation results related to the terminal device according to a time sequence, and the log record information can record related description information of one or more operation instructions, which is called as record information of the operation instructions in the application. The recording information includes, but is not limited to, any one or more of the following: the name of the operation instruction, identification information (such as an ID number and a serial number) of the operation instruction, an operation address corresponding to the operation instruction (such as an IP address, which is specifically an operation instruction issued by a device of which IP address), an operation time of the operation instruction, an operation process called by the operation instruction, an addressing mode in the operation instruction, and operation result information.
The terminal device includes, but is not limited to, a server, a cloud server, a service platform, a user device, a smart phone (such as an Android phone, an IOS phone, and the like), a personal computer, a tablet computer, a palm computer, a Mobile Internet device (MID, Mobile Internet Devices), a wearable smart device, and other Internet Devices, which are not limited in the embodiment of the present invention.
In this application, the following description will be made by taking the terminal device as a server as an example.
Step S104, determining whether the log record information contains record information aiming at a dangerous operation instruction, wherein the dangerous operation instruction is an operation instruction which indicates that an exception is brought to a system.
And step S106, when the log record information contains record information aiming at the dangerous operation instruction, prompting aiming at the dangerous operation instruction.
A dangerous operation instruction is an operation instruction that may endanger the terminal device (server), for example an instruction that may cause data loss, unstable service or a system abnormality. The dangerous operation instructions include, but are not limited to, any one or a combination of the following: the user adding instruction useradd, the user deleting instruction userdel, the user executing instruction sudo, the moving instruction mv (move), the deleting instruction rm (remove), the killing specified process instruction kill, the terminating process instruction kill, the file downloading instruction wget and the disk formatting instruction mkfs.ext3. sudo is used to execute commands under another user's identity, specifically the identity of the system administrator root, so an instruction executed through sudo is as if root had executed it in person. kill is used to kill a process of a specified name and kill is used to kill a process of a specified process identification number (PID). wget is a text-based download tool used on the command line. mkfs.ext3 is used to format a hard disk as an ext3 file system.
The following describes some specific embodiments to which the present invention relates.
In step S102, the server may obtain a command operation performed for the server, and generate corresponding log record information. The server may store the log record information in a local information database, or in an information database in a remote server (e.g., a cloud-side server).
When the server needs to detect dangerous operation instructions, the log record information can be obtained from the information database. For the log record information, reference may be made to the related description in the foregoing embodiments, which is not repeated herein.
In step S104, the server may obtain pre-stored instruction record information from the information database. Wherein the instruction recording information comprises recording information of at least one dangerous operation instruction. The instruction recording information is set by the user side or the terminal equipment side independently, and is not limited. For the dangerous operation command, reference may be made to the related description in the foregoing embodiments, and details are not repeated here.
Further, the server may compare instruction record information in the information database with the log record information, so as to determine whether record information of a dangerous operation instruction is included/present in the log record information, where the dangerous operation instruction is an operation instruction indicating that an abnormality is caused to a system. And if the record information of the dangerous operation instruction exists, prompting the dangerous operation instruction.
In an optional embodiment, the server may match the record information of the operation instruction in the log record information with the record information of the dangerous operation instruction in the information database, and if the matching is successful, determine that the record information of the dangerous operation instruction exists/is included in the log record information.
In step S106, when the server determines that the log record information includes record information for the dangerous operation instruction, the server may prompt the dangerous operation instruction. The present invention is not limited to the specific embodiments described above. For example, the prompt information for the dangerous operation instruction is sent to a pre-stored contact, and specifically, the recorded information of the dangerous operation instruction and the like can be notified to the administrator in the form of a short message, an email, a WeChat message and the like, so that the administrator can browse the recorded dangerous operation instruction through a web management interface, perform security analysis and prevent hacker intrusion.
In an optional embodiment, the server supports calling a WeChat interface to send prompt information for the dangerous operation instruction to a preset contact. Compared with calling a short message sending interface, calling the WeChat interface can save cost.
In an optional embodiment, since there may be multiple dangerous operation instructions, when the server detects that the number of dangerous operation instructions exceeds the first threshold, the server may prompt for the plurality of dangerous operation instructions, which saves on the number of prompts and reduces user fatigue. The dangerous operation instructions may be issued by the same operation address (IP address), in which case the user corresponding to that IP address can be considered to have issued the dangerous instructions, and that user's online behavior may be malicious.
In an optional embodiment, the dangerous operation instruction may include a plurality of identical first dangerous operation instructions, and the server prompts for the first dangerous operation instruction when the number of the first dangerous operation instructions exceeds a second threshold. Further, the server may also prohibit starting the operation process corresponding to the first dangerous operation instruction.
In a specific process, when the server detects multiple operations of the same first dangerous operation instruction, that is, when the number of the first dangerous operation instructions exceeds the second threshold, the server may consider that the first dangerous operation instruction is not simply a normal operation or an erroneous operation but an abnormal operation behavior (that is, a dangerous operation behavior), and the server then prompts the record information of the second dangerous operation instruction. It may further close, and prohibit starting, the operation process corresponding to the first dangerous operation instruction. Taking the wget instruction as an example: when the server detects the wget instruction once, it may regard this as normal user behavior; when the server detects the wget instruction many times, it may regard this as malicious downloading by a hacker, refuse to respond to the wget instruction, and close the operation process corresponding to the wget instruction.
In an optional embodiment, the recorded information includes an operation time and an operation address, the dangerous operation instruction includes a second dangerous operation instruction and a third dangerous operation instruction, and the second dangerous instruction and the third dangerous instruction are issued by the same operation address, and the method further includes: denying access to the operation address when the target time interval is less than a second threshold; wherein the target time interval is an interval between an operation time of the second dangerous operation instruction and an operation time of the third dangerous operation instruction.
In a specific process, when the server detects that at least two dangerous operation instructions are sent by the same IP address within a preset time interval, the server may consider that the device corresponding to the IP address is a malicious access, and accordingly the server may deny the access of the IP address.
In an optional embodiment, the first threshold and the second threshold are set autonomously by a user side or a terminal device side. The first dangerous operation instruction, the second dangerous operation instruction and the third dangerous operation instruction may be the same dangerous operation instruction or different dangerous operation instructions, and the present invention is not limited.
When the second dangerous operation instruction is the same as the third dangerous operation instruction, and the server detects two or more dangerous operation instructions sent by the same operation address (IP address) at a preset time interval, the server may consider that the client corresponding to the operation address belongs to malicious internet access operation, and accordingly may deny access to the operation address, or may prompt for the dangerous operation instruction, and the like.
In the embodiment of the invention, the terminal equipment can obtain log record information, wherein the log record information comprises record information of at least one operation instruction; determining whether the log record information contains record information aiming at a dangerous operation instruction, wherein the dangerous operation instruction is an operation instruction which indicates that an exception is brought to a system; when the log record information contains record information aiming at the dangerous operation instruction, prompting aiming at the dangerous operation instruction; therefore, dangerous operation instructions invaded by hackers can be intelligently discovered, the problems of information leakage, information loss, network paralysis and the like in the prior art are avoided, and the information security is improved.
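The three checks described above (the count against the first threshold, repeats of one instruction, and two dangerous instructions from one operation address within a short interval) can be sketched as follows. This is an added example, not code from the patent: the pipe-separated log format, the sample lines, the function names and the threshold values are all assumptions, and `repeat_threshold` and `min_interval_s` are separate names chosen here for the two uses the text makes of "second threshold".

```python
import shlex
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from os.path import basename

# Instruction record information: the dangerous instructions named in the text.
DANGEROUS = {"useradd", "userdel", "sudo", "mv", "rm", "kill", "wget", "mkfs.ext3"}

# Constructed sample log (assumed format): operation time|operation address|command
SAMPLE_LOG = """\
2017-11-10T02:14:05|203.0.113.7|ls -la /tmp
2017-11-10T02:14:09|203.0.113.7|wget http://example.invalid/a.sh
2017-11-10T02:14:12|203.0.113.7|wget http://example.invalid/b.sh
2017-11-10T02:14:20|203.0.113.7|/usr/bin/wget http://example.invalid/c.sh
2017-11-10T09:30:00|198.51.100.4|sudo systemctl restart nginx
2017-11-10T16:45:00|198.51.100.4|echo "rm -rf is dangerous"
2017-11-10T17:02:00|198.51.100.4|mv report.txt archive/
"""


@dataclass
class Record:
    time: datetime   # operation time
    address: str     # operation address (IP)
    name: str        # instruction name: basename of the first token
    raw: str         # full command line as logged


@dataclass
class Findings:
    prompts: list = field(default_factory=list)
    blocked_instructions: set = field(default_factory=set)
    denied_addresses: set = field(default_factory=set)


def parse(log_text):
    """Turn log lines into records, skipping lines that cannot be parsed."""
    records = []
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        ts, addr, cmd = parts
        try:
            when = datetime.fromisoformat(ts)
            argv = shlex.split(cmd)  # raises ValueError on unbalanced quotes
        except ValueError:
            continue
        if argv:
            # Match on the command token, not a substring of the line, so
            # 'echo "rm -rf ..."' is not mistaken for an rm instruction.
            records.append(Record(when, addr, basename(argv[0]), cmd))
    return records


def analyze(records, first_threshold=3, repeat_threshold=2, min_interval_s=60):
    """Apply the three optional-embodiment checks; thresholds are assumed values."""
    hits = sorted((r for r in records if r.name in DANGEROUS), key=lambda r: r.time)
    out = Findings()

    # Number of dangerous instructions exceeds the first threshold: one prompt.
    if len(hits) > first_threshold:
        out.prompts.append(f"{len(hits)} dangerous instructions recorded")

    # The same instruction repeated too often: prompt and block its process.
    for name, count in Counter(r.name for r in hits).items():
        if count > repeat_threshold:
            out.prompts.append(f"{name} issued {count} times")
            out.blocked_instructions.add(name)

    # Two dangerous instructions from one address closer than the interval.
    times_by_addr = defaultdict(list)
    for r in hits:
        times_by_addr[r.address].append(r.time)
    for addr, times in times_by_addr.items():
        gaps = ((b - a).total_seconds() for a, b in zip(times, times[1:]))
        if any(gap < min_interval_s for gap in gaps):
            out.denied_addresses.add(addr)
    return out


if __name__ == "__main__":
    result = analyze(parse(SAMPLE_LOG))
    print(result.prompts)
    print("block:", result.blocked_instructions, "deny:", result.denied_addresses)
```

The function only returns decisions; sending the prompt and enforcing the block or deny is left to the caller. Only the first token of each line is examined, so a command wrapped by sudo is counted as sudo.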
Fig. 2 shows another prompting method according to an embodiment of the present invention. The method as described in fig. 2 may comprise the following implementation steps:
step S202, obtaining log record information, wherein the log record information comprises record information of at least one operation instruction;
step S204, comparing the log record information with the instruction record information in the information database, and determining whether the log record information contains record information aiming at dangerous operation instructions; wherein the information database comprises recorded information of at least one dangerous operation instruction.
And step S206, when the log record information contains record information aiming at the dangerous operation instruction, prompting aiming at the dangerous operation instruction.
In an optional embodiment, the number of the dangerous operation instructions is multiple, and the prompting for the dangerous operation instructions includes: when the number of the dangerous operation instructions exceeds a first threshold value, prompting is conducted on the dangerous operation instructions.
In an optional embodiment, the dangerous operation instruction includes a plurality of identical first dangerous operation instructions, and the prompting for the dangerous operation instruction includes: when the number of the first dangerous operation instructions exceeds a second threshold value, prompting aiming at the first dangerous operation instructions; further comprising: and forbidding starting the operation process corresponding to the first dangerous operation instruction.
In an optional embodiment, the logging information comprises at least one of: identification information, operation address, operation time, operation progress and addressing mode.
Step S208, when the target time interval is smaller than a second threshold value, the access of the operation address is refused; wherein the target time interval is an interval between an operation time of the second dangerous operation instruction and an operation time of the third dangerous operation instruction; the recording information comprises operation time and an operation address, the dangerous operation instruction comprises a second dangerous operation instruction and a third dangerous operation instruction, and the second dangerous instruction and the third dangerous instruction are sent by the same operation address.
In an alternative embodiment, the dangerous operation instructions include at least one of: a user adding instruction useradd, a user deleting instruction userdel, a user executing instruction sudo, a moving instruction mv, a deleting instruction rm, a killing specified process instruction kill, a terminating process instruction kill, a file downloading instruction wget and a disk formatting instruction mkfs.
For details that are not shown or described in the embodiments of the present invention, reference may be made to the related descriptions in the foregoing embodiments, which are not described herein again.
The embodiment of the invention also provides a terminal device, which includes units for executing the method in any one of the preceding claims. Specifically, referring to fig. 3, it is a schematic block diagram of a terminal device according to an embodiment of the present invention. The terminal device 300 of the present embodiment includes: an obtaining unit 302, a determining unit 304, and a prompting unit 306; wherein,
the obtaining unit 302 is configured to obtain log record information, where the log record information includes record information of at least one operation instruction;
the determining unit 304 is configured to determine whether record information for a dangerous operation instruction is included in the log record information, where the dangerous operation instruction is an operation instruction that indicates that an exception is brought to a system;
the prompting unit 306 is configured to prompt for the dangerous operation instruction when the log record information includes record information for the dangerous operation instruction.
In some of the possible embodiments of the present invention,
the determining unit 304 is configured to compare the log record information with instruction record information in an information database, and determine whether record information for a dangerous operation instruction is included in the log record information;
wherein the information database comprises recorded information of at least one dangerous operation instruction.
In some possible embodiments, the number of the dangerous operation instructions is a plurality,
the prompting unit 306 is configured to prompt for the dangerous operation instructions when the number of dangerous operation instructions exceeds a first threshold.
In some possible embodiments, the dangerous operation instruction comprises a plurality of identical first dangerous operation instructions,
the prompting unit 306 is configured to prompt for the first dangerous operation instruction when the number of the first dangerous operation instructions exceeds a second threshold; further comprising: and forbidding starting the operation process corresponding to the first dangerous operation instruction.
In some possible embodiments, the logging information comprises at least one of: identification information, operation address, operation time, operation progress and addressing mode.
In some possible embodiments, the recorded information includes an operation time and an operation address, the dangerous operation instruction includes a second dangerous operation instruction and a third dangerous operation instruction, and the second dangerous instruction and the third dangerous instruction are issued by the same operation address, and further includes a processing unit;
the processing unit is used for refusing the access of the operation address when the target time interval is smaller than a second threshold value; wherein the target time interval is an interval between an operation time of the second dangerous operation instruction and an operation time of the third dangerous operation instruction.
In some possible embodiments, the dangerous operation instructions include at least one of: the user-adding useradd instruction, the user-deleting userdel instruction, the sudo instruction executed by a user, the move mv instruction, the delete rm instruction, the kill instruction for killing a specified process, the kill instruction for terminating a process, the download wget instruction, and the disk-formatting mkfs instruction.
The contents that are not shown or described in the embodiments of the present invention may refer to the related descriptions in the foregoing embodiments, and are not described herein again.
Fig. 4 is a schematic block diagram of a terminal device according to another embodiment of the present invention. As shown in the figure, the terminal device 300 in the present embodiment may include: one or more processors 801, one or more input devices 802, one or more output devices 803, and a memory 804. The processor 801, the input device 802, the output device 803, and the memory 804 are connected by a bus 805. The memory 804 is used to store a computer program comprising program instructions, and the processor 801 is used to execute the program instructions stored in the memory 804. The processor 801 is configured to invoke the program instructions to perform:
acquiring log record information, wherein the log record information comprises record information of at least one operation instruction;
determining whether the log record information contains record information for a dangerous operation instruction, wherein the dangerous operation instruction is an operation instruction that brings an exception to the system;
and when the log record information contains record information for the dangerous operation instruction, prompting for the dangerous operation instruction.
In some possible embodiments, the determining whether the log record information contains record information for a dangerous operation instruction includes:
comparing the log record information with instruction record information in an information database, and determining whether the log record information contains record information for a dangerous operation instruction;
wherein the information database comprises recorded information of at least one dangerous operation instruction.
In some possible embodiments, there are a plurality of dangerous operation instructions, and the prompting for the dangerous operation instruction includes:
when the number of the dangerous operation instructions exceeds a first threshold, prompting for the dangerous operation instructions.
In some possible embodiments, the dangerous operation instruction comprises a plurality of identical first dangerous operation instructions, and the prompting for the dangerous operation instruction comprises:
when the number of the first dangerous operation instructions exceeds a second threshold, prompting for the first dangerous operation instructions; and further comprising:
forbidding starting the operation process corresponding to the first dangerous operation instruction.
In some possible embodiments, the log record information comprises at least one of: identification information, operation address, operation time, operation progress and addressing mode.
In some possible embodiments, the record information includes an operation time and an operation address, the dangerous operation instruction includes a second dangerous operation instruction and a third dangerous operation instruction, the second dangerous operation instruction and the third dangerous operation instruction are issued from the same operation address, and the method further includes:
denying access from the operation address when the target time interval is less than a second threshold; wherein the target time interval is the interval between the operation time of the second dangerous operation instruction and the operation time of the third dangerous operation instruction.
In some possible embodiments, the dangerous operation instructions include at least one of: the user-adding useradd instruction, the user-deleting userdel instruction, the sudo instruction executed by a user, the move mv instruction, the delete rm instruction, the kill instruction for killing a specified process, the kill instruction for terminating a process, the download wget instruction, and the disk-formatting mkfs instruction.
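The checks described in the embodiments above, run over a small log, as an added example that is not code from the patent. The log layout, the threshold values and the names `parse` and `analyze` are assumptions; the command names follow the page's list of dangerous operation instructions, reading the user-adding instruction as `useradd`.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Stands in for the "information database" of dangerous operation instructions.
DANGEROUS = {"useradd", "userdel", "sudo", "mv", "rm", "kill", "wget", "mkfs"}

# Assumed layout: "<ISO time> addr=<address> user=<id> cmd=<command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) addr=(?P<addr>\S+) user=(?P<user>\S+) cmd=(?P<cmd>\S.*)$")

def parse(line):
    """Return a record dict, or None for a line that does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    # Normalise "/usr/bin/rm" and "mkfs.ext4" to the bare names "rm" and "mkfs".
    name = m["cmd"].split()[0].rsplit("/", 1)[-1].split(".", 1)[0]
    return {"time": when, "addr": m["addr"], "user": m["user"], "name": name}

def analyze(lines, first_threshold=3, same_cmd_threshold=2, min_interval_s=5.0):
    """Apply the count, repeat and interval checks; the thresholds are assumed."""
    hits = [r for r in map(parse, lines) if r and r["name"] in DANGEROUS]
    counts = Counter(r["name"] for r in hits)
    by_addr = defaultdict(list)
    for r in hits:
        by_addr[r["addr"]].append(r["time"])
    deny = set()
    for addr, times in by_addr.items():
        times.sort()
        # Two dangerous instructions from one address, closer than the interval.
        if any((b - a).total_seconds() < min_interval_s
               for a, b in zip(times, times[1:])):
            deny.add(addr)
    return {
        "dangerous": [(r["addr"], r["name"]) for r in hits],
        "prompt": len(hits) > first_threshold,
        "forbid_start": sorted(n for n, c in counts.items() if c > same_cmd_threshold),
        "deny_addr": sorted(deny),
    }

# Constructed sample log, not taken from the page.
SAMPLE_LOG = """\
2017-11-09T10:00:00 addr=10.0.0.5 user=alice cmd=ls -l /var/log
2017-11-09T10:00:02 addr=10.0.0.5 user=alice cmd=rm -rf /tmp/build
2017-11-09T10:00:03 addr=10.0.0.5 user=alice cmd=/usr/bin/rm /tmp/a
2017-11-09T10:00:30 addr=10.0.0.9 user=bob cmd=wget http://example.invalid/pkg.tar
2017-11-09T10:05:00 addr=10.0.0.9 user=bob cmd=mkfs.ext4 /dev/sdz1
2017-11-09T10:06:00 addr=10.0.0.5 user=alice cmd=rm /tmp/b
garbage line
""".splitlines()

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, "=", value)
```

Matching on the command name alone also flags routine administration, so the thresholds and the interval carry most of the weight in separating ordinary use from a burst of destructive commands.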
It should be understood that in the present embodiment, the Processor 801 may be a Central Processing Unit (CPU), and the Processor may be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The input device 802 may include a touch pad, a fingerprint sensor (for collecting fingerprint information of a user and direction information of the fingerprint), a microphone, etc., and the output device 803 may include a display (LCD, etc.), a speaker, etc.
The memory 804 may include both read-only memory and random access memory, and provides instructions and data to the processor 801. A portion of the memory 804 may also include non-volatile random access memory. For example, the memory 804 may also store device type information.
In a specific implementation, the processor 801, the input device 802, and the output device 803 described in this embodiment of the present invention may execute the implementation described in the method embodiment provided in this embodiment of the present invention, and may also execute the implementation of the terminal described in this embodiment of the present invention, which is not described herein again.
In a further embodiment of the invention, a computer-readable storage medium is provided, which stores a computer program comprising program instructions, which when executed by a processor, implement all or part of the implementation or implementation steps of the method embodiments described above.
The computer readable storage medium may be an internal storage unit of the terminal according to any of the foregoing embodiments, for example, a hard disk or a memory of the terminal. The computer readable storage medium may also be an external storage device of the terminal, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the terminal. Further, the computer-readable storage medium may also include both an internal storage unit and an external storage device of the terminal. The computer-readable storage medium is used for storing the computer program and other programs and data required by the terminal. The computer readable storage medium may also be used to temporarily store data that has been output or is to be output.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described above generally in terms of their functions in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the terminal and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed terminal and method can be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, or all or part of the technical solution, can be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a terminal device, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for prompting, the method comprising:
acquiring log record information, wherein the log record information comprises record information of at least one operation instruction;
determining whether the log record information contains record information for a dangerous operation instruction, wherein the dangerous operation instruction is an operation instruction that brings an exception to the system;
and when the log record information contains record information for the dangerous operation instruction, prompting for the dangerous operation instruction.
2. The method of claim 1, wherein the determining whether the log record information contains record information for a dangerous operation instruction comprises:
comparing the log record information with instruction record information in an information database, and determining whether the log record information contains record information for a dangerous operation instruction;
wherein the information database comprises recorded information of at least one dangerous operation instruction.
3. The method of claim 1, wherein there are a plurality of dangerous operation instructions, and wherein the prompting for the dangerous operation instruction comprises:
when the number of the dangerous operation instructions exceeds a first threshold, prompting for the dangerous operation instructions.
4. The method of claim 3, wherein the dangerous operation instruction comprises a plurality of identical first dangerous operation instructions, and wherein the prompting for the dangerous operation instruction comprises:
when the number of the first dangerous operation instructions exceeds a second threshold, prompting for the first dangerous operation instructions; and further comprising:
forbidding starting the operation process corresponding to the first dangerous operation instruction.
5. The method of claim 1, wherein the log record information comprises at least one of: identification information, operation address, operation time, operation progress and addressing mode.
6. The method according to claim 1, wherein the record information includes an operation time and an operation address, the dangerous operation instruction includes a second dangerous operation instruction and a third dangerous operation instruction, and the second dangerous operation instruction and the third dangerous operation instruction are issued from the same operation address, and the method further comprises:
denying access from the operation address when the target time interval is less than a second threshold; wherein the target time interval is the interval between the operation time of the second dangerous operation instruction and the operation time of the third dangerous operation instruction.
7. The method according to any one of claims 1-6, wherein the dangerous operation instructions include at least one of: the user-adding useradd instruction, the user-deleting userdel instruction, the sudo instruction executed by a user, the move mv instruction, the delete rm instruction, the kill instruction for killing a specified process, the kill instruction for terminating a process, the download wget instruction, and the disk-formatting mkfs instruction.
8. A terminal device, characterized in that it comprises means for performing the method of any of claims 1-7.
9. A terminal device comprising a processor, an input device, an output device and a memory, the processor, the input device, the output device and the memory being interconnected, wherein the memory is configured to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the method according to any of claims 1-7.
CN201711111476.2A 2017-11-09 2017-11-09 A kind of reminding method, terminal device and computer-readable medium Withdrawn CN108092795A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711111476.2A CN108092795A (en) 2017-11-09 2017-11-09 A kind of reminding method, terminal device and computer-readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711111476.2A CN108092795A (en) 2017-11-09 2017-11-09 A kind of reminding method, terminal device and computer-readable medium

Publications (1)

Publication Number Publication Date
CN108092795A true CN108092795A (en) 2018-05-29

Family

ID=62172112

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711111476.2A Withdrawn CN108092795A (en) 2017-11-09 2017-11-09 A kind of reminding method, terminal device and computer-readable medium

Country Status (1)

Country Link
CN (1) CN108092795A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111711642A (en) * 2020-07-15 2020-09-25 网易(杭州)网络有限公司 Protocol request processing method and device, electronic equipment and storage medium
CN112416713A (en) * 2020-11-20 2021-02-26 泰康保险集团股份有限公司 Operation auditing system and method, computer readable storage medium and electronic equipment
CN114900326A (en) * 2022-03-30 2022-08-12 深圳市国电科技通信有限公司 Method, system and storage medium for monitoring and protecting terminal instruction operation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20180529