CN108183920A - An industrial control system malicious code defense system and its defense method - Google Patents

An industrial control system malicious code defense system and its defense method

Publication number: CN108183920A
Authority: CN (China)
Prior art keywords: module, file, removable media, whitelist, malicious code
Legal status: Granted, Active
Application number: CN201810063288.5A
Other languages: Chinese (zh)
Other versions: CN108183920B (en)
Inventor: 李佐民
Current Assignee: Beijing Net Technology Co Ltd
Original Assignee: Beijing Net Technology Co Ltd
Application filed by: Beijing Net Technology Co Ltd
Priority to: CN201810063288.5A
Publication of application: CN108183920A
Publication of grant: CN108183920B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The invention discloses a malicious code defense system for an industrial control system, comprising: a virus-scanning engine module, which calls an antivirus engine to identify malicious code; a whitelist module, which checks files against a file whitelist library; a library upgrade module, for local and online upgrading of the virus library and the whitelist library; a resource area module, for downloading, uploading and deleting files in a large-capacity storage area; a mount area module, for mounting and unmounting USB flash drives; a quarantine area module, for downloading, uploading and deleting files suspected of containing malicious code; an authentication module, for managing users and user groups; a log audit module, for retrieving and backing up virus-scan logs, operation logs, whitelist logs and file logs; and a removable media module, which assigns read, read-write or disabled permissions on removable media to authenticated users and user groups. The invention can remedy the deficiencies of the prior art and improve the ability to defend against malicious code in industrial control networks.

Description

An industrial control system malicious code defense system and its defense method
Technical field
The present invention relates to the technical field of security defense for industrial control systems, and in particular to a malicious code defense system for an industrial control system and its defense method.
Background
The industrial control system environment is a specialized information-technology application scenario. At present, a large number of factories lack any means of defending against malicious code. Some factories deploy the antivirus software that was configured during the construction period; because neither the antivirus vendor nor the industrial control enterprise can assess the impact of a new policy on industrial hosts, antivirus software deployed in the field cannot have its virus signatures updated. Neither the effectiveness nor the timeliness with which the antivirus software handles viruses can be guaranteed. Program whitelisting software builds a list of permitted programs and forbids programs that are not on the list from executing. The program whitelist presets the behavior of the programs that are allowed to run. During real-time defense, the software hooks the program execution entry point and determines whether the program currently being executed is in the whitelist library, in order to carry out the preset behavior. However, interception in the system kernel requires function code to be developed at the driver level. Code quality, system version, functional compatibility and similar factors can cause problems such as a system blue screen or loss of industrial control system functionality. Industrial hosts cannot accept the unpredictability that such an implementation brings. Antivirus software installs system hooks in many places and hooks system service calls. Whitelisting software likewise places hooks on program invocation, USB drive monitoring and so on. Antivirus software and whitelisting software installed and run on an industrial host both occupy the host's limited CPU and memory resources. An industrial host is a special-purpose device associated with the industrial control system and does not have resources to spare.
All existing techniques perform malicious code defense on the industrial host itself. Given the industrial host's limited resources and high stability requirements, they cannot resolve the conflict between the timeliness and effectiveness of real-time virus removal and the stability of the host.
Summary of the invention
The technical problem to be solved by the present invention is to provide a malicious code defense system for an industrial control system and its defense method, which can remedy the deficiencies of the prior art and improve the ability to defend against malicious code in industrial control networks.
To solve the above technical problem, the present invention adopts the following technical solution.
A malicious code defense system for an industrial control system, comprising:
a virus-scanning engine module, which calls an antivirus engine to identify malicious code such as viruses and Trojans;
a whitelist module, which performs real-time checks against the file whitelist library;
a library upgrade module, for local and online upgrading of the virus library and the whitelist library;
a resource area module, for downloading, uploading and deleting files in the large-capacity storage area;
a mount area module, for mounting and unmounting USB flash drives;
a quarantine area module, for downloading, uploading and deleting files suspected of containing malicious code;
an authentication module, for managing users and user groups;
a log audit module, for retrieving and backing up information such as virus-scan logs, operation logs, whitelist logs and file logs;
a removable media module, which assigns permissions on removable media, such as read, read-write and disabled, to authenticated users and user groups.
A defense method for the above industrial control system malicious code defense system, comprising the following steps:
A. authorizing the use of removable media;
B. defending the process of exchanging files via removable media;
C. defending the process of exchanging files over the industrial intranet.
Preferably, step A comprises:
A1. The authentication module creates the users and user groups that use the industrial control system malicious code defense system;
A2. Determine whether the user needs to use removable media in the industrial environment; if not, end; if so, go to step A3;
A3. Insert the removable media into the industrial control system malicious code defense system;
A4. The removable media module computes the removable media identifier; the identifier is unique;
A5. The removable media module determines whether the current removable media identifier is in the mapping table; if so, go to step A2; if not, go to step A6;
A6. The removable media module obtains the user or group to which the current removable media is to be assigned, establishes the correspondence between the designated user or group and the current removable media, and goes to step A2;
A7. The log audit module records each of the above operations and provides query and audit of the operations.
Preferably, step B comprises:
B1. The user inserts the removable media into the industrial control system malicious code defense system;
B2. The removable media module obtains the identifier of the removable media and determines whether the user is authorized to use the removable media; if not authorized, exit; if authorized, go to step B3;
B3. The removable media module mounts the removable media to the mount area module, and the system recognizes the currently inserted removable media;
B4. The whitelist module computes the hash value of the file on the removable media and determines whether it is in the system whitelist library; if so, go to step B8; if not, go to step B5;
B5. The virus-scanning engine module calls the antivirus engine to scan the file; if the current file is infected, go to step B6; if the current file is safe, go to step B7;
B6. The quarantine area module loads the file from the removable media into the quarantine area, then performs step B10;
B7. The whitelist module adds the hash value of the file on the removable media to the system whitelist library;
B8. The resource area module loads the file from the removable media into the resource area;
B9. From the industrial host, the user downloads the scanned file from the resource area to the industrial host;
B10. The defense of the removable-media file exchange ends;
B11. The log audit module records each of the above operations and provides query and audit of the operations.
Preferably, in step B6, the infected file is run in the quarantine area, the behavioral features of the file during execution are recorded, behavioral feature matrices are established, and mapping relations between different behavioral feature matrices are established; in step B4, before going to step B8, the file to be loaded is compared against the behavioral feature matrices and mapping relations established in the quarantine area; if the similarity between the behavioral features and mapping relations of the file to be loaded and the behavioral feature matrices and mapping relations established in the quarantine area is higher than a threshold, a secondary check is performed on the file to be loaded.
Preferably, step C comprises:
C1. The authentication module verifies the user's login to the system from the industrial host;
C2. The resource area module performs the operation of uploading the file from the host to the system;
C3. The whitelist module computes the hash value of the file and determines whether it is in the system whitelist library; if so, go to step C7; if not, go to step C4;
C4. The virus-scanning engine module calls the antivirus engine to scan the file; if the file is infected, go to step C5; if the current file is safe, go to step C6;
C5. The quarantine area module loads the file into the quarantine area, then performs step C10;
C6. The whitelist module adds the hash value of the file to the system whitelist library;
C7. The resource area module loads the file into the resource area;
C8. The authentication module verifies the user's login to the system from the industrial host;
C9. The resource area module performs the operation of downloading the file from the system to the host;
C10. The defense of the industrial-intranet file exchange ends;
C11. The log audit module records each of the above operations and provides query and audit of the operations.
The beneficial effects of the above technical solution are as follows: the present invention effectively solves the problems of instability, high resource usage and high virus-scanning risk caused by malicious code defense software installed on industrial hosts, while effectively improving the hit rate of malicious code detection in industrial control systems. It has the following characteristics:
1. The malicious code defense system is deployed in an environment separate from the industrial host and does not consume the industrial host's limited resources.
2. The malicious code defense system is deployed in an environment separate from the industrial host, so the virus library and the whitelist library can be upgraded conveniently, without industrial host compatibility testing.
3. The malicious code defense system is deployed in an environment separate from the industrial host; no module is installed on the industrial host, so the stability of the industrial host is not affected.
4. Centralized deployment of the anti-malicious-code system reduces implementation cost and improves work efficiency.
Description of the drawings
Fig. 1 is a system schematic diagram of a specific embodiment of the present invention.
Fig. 2 is a flow chart of the removable media usage authorization process in a specific embodiment of the present invention.
Fig. 3 is a flow chart of the removable-media file exchange defense process in a specific embodiment of the present invention.
Fig. 4 is a flow chart of the industrial-intranet file exchange defense process in a specific embodiment of the present invention.
Specific embodiment
With reference to Figs. 1-4, a specific embodiment of the present invention comprises:
a virus-scanning engine module 1, which calls an antivirus engine to identify malicious code such as viruses and Trojans;
a whitelist module 2, which performs real-time checks against the file whitelist library;
a library upgrade module 3, for local and online upgrading of the virus library and the whitelist library;
a resource area module 4, for downloading, uploading and deleting files in the large-capacity storage area;
a mount area module 5, for mounting and unmounting USB flash drives;
a quarantine area module 6, for downloading, uploading and deleting files suspected of containing malicious code;
an authentication module 7, for managing users and user groups;
a log audit module 8, for retrieving and backing up information such as virus-scan logs, operation logs, whitelist logs and file logs;
a removable media module 9, which assigns permissions on removable media, such as read, read-write and disabled, to authenticated users and user groups.
A defense method for the above industrial control system malicious code defense system, comprising the following steps:
A. authorizing the use of removable media;
B. defending the process of exchanging files via removable media;
C. defending the process of exchanging files over the industrial intranet.
Step A comprises:
A1. The authentication module 7 creates the users and user groups that use the industrial control system malicious code defense system;
A2. Determine whether the user needs to use removable media in the industrial environment; if not, end; if so, go to step A3;
A3. Insert the removable media into the industrial control system malicious code defense system;
A4. The removable media module 9 computes the removable media identifier; the identifier is unique;
A5. The removable media module 9 determines whether the current removable media identifier is in the mapping table; if so, go to step A2; if not, go to step A6;
A6. The removable media module 9 obtains the user or group to which the current removable media is to be assigned, establishes the correspondence between the designated user or group and the current removable media, and goes to step A2;
A7. The log audit module 8 records each of the above operations and provides query and audit of the operations.
Step B comprises:
B1. The user inserts the removable media into the industrial control system malicious code defense system;
B2. The removable media module 9 obtains the identifier of the removable media and determines whether the user is authorized to use the removable media; if not authorized, exit; if authorized, go to step B3;
B3. The removable media module 9 mounts the removable media to the mount area module 5, and the system recognizes the currently inserted removable media;
B4. The whitelist module 2 computes the hash value of the file on the removable media and determines whether it is in the system whitelist library; if so, go to step B8; if not, go to step B5;
B5. The virus-scanning engine module 1 calls the antivirus engine to scan the file; if the current file is infected, go to step B6; if the current file is safe, go to step B7;
B6. The quarantine area module 6 loads the file from the removable media into the quarantine area, then performs step B10;
B7. The whitelist module 2 adds the hash value of the file on the removable media to the system whitelist library;
B8. The resource area module 4 loads the file from the removable media into the resource area;
B9. From the industrial host, the user downloads the scanned file from the resource area to the industrial host;
B10. The defense of the removable-media file exchange ends;
B11. The log audit module 8 records each of the above operations and provides query and audit of the operations.
In step B6, the infected file is run in the quarantine area, the behavioral features of the file during execution are recorded, behavioral feature matrices are established, and mapping relations between different behavioral feature matrices are established; in step B4, before going to step B8, the file to be loaded is compared against the behavioral feature matrices and mapping relations established in the quarantine area; if the similarity between the behavioral features and mapping relations of the file to be loaded and the behavioral feature matrices and mapping relations established in the quarantine area is higher than a threshold, a secondary check is performed on the file to be loaded.
Step C comprises:
C1. The authentication module 7 verifies the user's login to the system from the industrial host;
C2. The resource area module 4 performs the operation of uploading the file from the host to the system;
C3. The whitelist module 2 computes the hash value of the file and determines whether it is in the system whitelist library; if so, go to step C7; if not, go to step C4;
C4. The virus-scanning engine module 1 calls the antivirus engine to scan the file; if the file is infected, go to step C5; if the current file is safe, go to step C6;
C5. The quarantine area module 6 loads the file into the quarantine area, then performs step C10;
C6. The whitelist module 2 adds the hash value of the file to the system whitelist library;
C7. The resource area module 4 loads the file into the resource area;
C8. The authentication module 7 verifies the user's login to the system from the industrial host;
C9. The resource area module 4 performs the operation of downloading the file from the system to the host;
C10. The defense of the industrial-intranet file exchange ends;
C11. The log audit module 8 records each of the above operations and provides query and audit of the operations.
In step C3, before determining whether the file is in the whitelist library, the file is first compared using the mapping relations between the behavioral feature matrices established in the quarantine area; results whose similarity is below the threshold are checked against the whitelist library, and if there is a deviation, the whitelist library is updated.
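The following Python example is added here to illustrate the decision flow of steps A6, B2-B8 and C3-C7 together with the audit logging of A7/B11/C11; it is not part of the patent text. The class and function names, the use of SHA-256 as the file hash, and the byte-signature scanner standing in for the antivirus engine are assumptions, and the sample files are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


def make_scanner(signatures) -> Callable[[bytes], bool]:
    """Constructed stand-in for the antivirus engine: True means 'infected'."""
    sigs = tuple(signatures)
    return lambda data: any(sig in data for sig in sigs)


@dataclass
class ExchangeStation:
    """Hypothetical model of the defense system's state (all names are assumptions)."""
    scan: Callable[[bytes], bool]
    media_map: Dict[str, Set[str]] = field(default_factory=dict)   # A5/A6 mapping table
    whitelist: Set[str] = field(default_factory=set)               # file hash values
    resource_area: Dict[str, bytes] = field(default_factory=dict)
    quarantine_area: Dict[str, bytes] = field(default_factory=dict)
    audit_log: List[Tuple[str, str, str]] = field(default_factory=list)

    def _log(self, step: str, user: str, detail: str) -> None:
        # A7 / B11 / C11: every operation is recorded for later query and audit.
        self.audit_log.append((step, user, detail))

    def assign_media(self, media_id: str, user: str) -> None:
        # A6: bind the unique media identifier to a user.
        self.media_map.setdefault(media_id, set()).add(user)
        self._log("A6", user, f"media {media_id} assigned")

    def admit_file(self, user: str, name: str, data: bytes) -> str:
        """Steps B4-B8 and C3-C7: whitelist lookup, scan, then quarantine or release."""
        digest = hashlib.sha256(data).hexdigest()   # hash algorithm is an assumption
        if digest in self.whitelist:                # B4/C3: a known hash skips the scan
            verdict = "whitelisted"
        elif self.scan(data):                       # B5/C4: engine reports infection
            self.quarantine_area[name] = data       # B6/C5
            self._log("quarantine", user, f"{name} sha256={digest}")
            return "quarantined"
        else:
            self.whitelist.add(digest)              # B7/C6: remember the clean verdict
            verdict = "scanned-clean"
        self.resource_area[name] = data             # B8/C7
        self._log("release", user, f"{name} sha256={digest} ({verdict})")
        return verdict

    def import_from_media(self, media_id: str, user: str,
                          files: Dict[str, bytes]) -> Dict[str, str]:
        # B2: refuse media that is not mapped to this user.
        if user not in self.media_map.get(media_id, set()):
            self._log("B2", user, f"media {media_id} rejected: not authorized")
            return {}
        self._log("B3", user, f"media {media_id} mounted")
        return {name: self.admit_file(user, name, data)
                for name, data in files.items()}


# Constructed sample input: file names, contents and signatures are made up.
SAMPLE_FILES = {
    "recipe.cfg": b"setpoint=42\n",
    "tool.bin": b"\x00\x01CONSTRUCTED-MARKER-1\x02",
    "late.bin": b"CONSTRUCTED-MARKER-2",
}


def demo():
    station = ExchangeStation(scan=make_scanner([b"CONSTRUCTED-MARKER-1"]))
    station.assign_media("usb-0001", "alice")
    first = station.import_from_media("usb-0001", "alice", SAMPLE_FILES)
    denied = station.import_from_media("usb-0001", "bob", SAMPLE_FILES)
    # Library upgrade: the engine now also recognizes MARKER-2 ...
    station.scan = make_scanner([b"CONSTRUCTED-MARKER-1", b"CONSTRUCTED-MARKER-2"])
    # ... but late.bin was whitelisted under the old library, so the lookup skips the scan.
    again = station.admit_file("alice", "late.bin", SAMPLE_FILES["late.bin"])
    variant = station.admit_file("alice", "late2.bin", b"CONSTRUCTED-MARKER-2 v2")
    return first, denied, again, variant, station


if __name__ == "__main__":
    first, denied, again, variant, station = demo()
    print(first, denied, again, variant, sep="\n")
    for entry in station.audit_log:
        print(entry)
```

Because steps B7 and C6 store the hash of every file the engine passes, a hash admitted under an older virus library keeps bypassing the scan after a library upgrade, which is what the `again` result shows. Re-scanning or expiring automatically added whitelist entries after each upgrade is one way to close that gap.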
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the present invention is not limited to the above embodiment; the above embodiment and description merely illustrate the principles of the invention. Various changes and improvements may be made to the invention without departing from its spirit and scope, and all such changes and improvements fall within the scope of the claimed invention. The scope of protection claimed is defined by the appended claims and their equivalents.

Claims (6)

1. A malicious code defense system for an industrial control system, characterized by comprising:
a virus-scanning engine module (1), which calls an antivirus engine to identify malicious code such as viruses and Trojans;
a whitelist module (2), which performs real-time checks against the file whitelist library;
a library upgrade module (3), for local and online upgrading of the virus library and the whitelist library;
a resource area module (4), for downloading, uploading and deleting files in the large-capacity storage area;
a mount area module (5), for mounting and unmounting USB flash drives;
a quarantine area module (6), for downloading, uploading and deleting files suspected of containing malicious code;
an authentication module (7), for managing users and user groups;
a log audit module (8), for retrieving and backing up information such as virus-scan logs, operation logs, whitelist logs and file logs;
a removable media module (9), which assigns permissions on removable media, such as read, read-write and disabled, to authenticated users and user groups.
2. A defense method for the industrial control system malicious code defense system of claim 1, characterized by comprising the following steps:
A. authorizing the use of removable media;
B. defending the process of exchanging files via removable media;
C. defending the process of exchanging files over the industrial intranet.
3. The defense method for the industrial control system malicious code defense system according to claim 2, characterized in that step A comprises:
A1. The authentication module (7) creates the users and user groups that use the industrial control system malicious code defense system;
A2. Determine whether the user needs to use removable media in the industrial environment; if not, end; if so, go to step A3;
A3. Insert the removable media into the industrial control system malicious code defense system;
A4. The removable media module (9) computes the removable media identifier; the identifier is unique;
A5. The removable media module (9) determines whether the current removable media identifier is in the mapping table; if so, go to step A2; if not, go to step A6;
A6. The removable media module (9) obtains the user or group to which the current removable media is to be assigned, establishes the correspondence between the designated user or group and the current removable media, and goes to step A2;
A7. The log audit module (8) records each of the above operations and provides query and audit of the operations.
4. The defense method for the industrial control system malicious code defense system according to claim 2, characterized in that step B comprises:
B1. The user inserts the removable media into the industrial control system malicious code defense system;
B2. The removable media module (9) obtains the identifier of the removable media and determines whether the user is authorized to use the removable media; if not authorized, exit; if authorized, go to step B3;
B3. The removable media module (9) mounts the removable media to the mount area module (5), and the system recognizes the currently inserted removable media;
B4. The whitelist module (2) computes the hash value of the file on the removable media and determines whether it is in the system whitelist library; if so, go to step B8; if not, go to step B5;
B5. The virus-scanning engine module (1) calls the antivirus engine to scan the file; if the current file is infected, go to step B6; if the current file is safe, go to step B7;
B6. The quarantine area module (6) loads the file from the removable media into the quarantine area, then performs step B10;
B7. The whitelist module (2) adds the hash value of the file on the removable media to the system whitelist library;
B8. The resource area module (4) loads the file from the removable media into the resource area;
B9. From the industrial host, the user downloads the scanned file from the resource area to the industrial host;
B10. The defense of the removable-media file exchange ends;
B11. The log audit module (8) records each of the above operations and provides query and audit of the operations.
5. The defense method for the industrial control system malicious code defense system according to claim 4, characterized in that: in step B6, the infected file is run in the quarantine area, the behavioral features of the file during execution are recorded, behavioral feature matrices are established, and mapping relations between different behavioral feature matrices are established; in step B4, before going to step B8, the file to be loaded is compared against the behavioral feature matrices and mapping relations established in the quarantine area; if the similarity between the behavioral features and mapping relations of the file to be loaded and the behavioral feature matrices and mapping relations established in the quarantine area is higher than a threshold, a secondary check is performed on the file to be loaded.
6. The defense method for the industrial control system malicious code defense system according to claim 2, characterized in that step C comprises:
C1. The authentication module (7) verifies the user's login to the system from the industrial host;
C2. The resource area module (4) performs the operation of uploading the file from the host to the system;
C3. The whitelist module (2) computes the hash value of the file and determines whether it is in the system whitelist library; if so, go to step C7; if not, go to step C4;
C4. The virus-scanning engine module (1) calls the antivirus engine to scan the file; if the file is infected, go to step C5; if the current file is safe, go to step C6;
C5. The quarantine area module (6) loads the file into the quarantine area, then performs step C10;
C6. The whitelist module (2) adds the hash value of the file to the system whitelist library;
C7. The resource area module (4) loads the file into the resource area;
C8. The authentication module (7) verifies the user's login to the system from the industrial host;
C9. The resource area module (4) performs the operation of downloading the file from the system to the host;
C10. The defense of the industrial-intranet file exchange ends;
C11. The log audit module (8) records each of the above operations and provides query and audit of the operations.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810063288.5A 2018-01-23 2018-01-23 Defense method of industrial control system malicious code defense system (Active, CN108183920B (en))

Publications (2)

Publication Number Publication Date
CN108183920A (en) 2018-06-19
CN108183920B (en) 2020-08-11

Family ID: 62551160