CN109472142A - Automatic malicious code disposal method and system - Google Patents

Automatic malicious code disposal method and system

Info

Publication number: CN109472142A
Application number: CN201711471900.4A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 王沛然, 韩文奇, 王小丰, 肖新光
Original and current assignee: Beijing Ahtech Network Safe Technology Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Priority date and filing date: 2017-12-29 (the priority date is an assumption by Google, not a legal conclusion)
Publication date: 2019-03-15
Legal status: Withdrawn (the legal status is an assumption by Google, not a legal conclusion)
Prior art keywords: malicious sample, disposal, propagation method

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Abstract

The invention proposes an automatic malicious code disposal method and system, comprising: capturing network packets and reconstructing entity files from the packet contents; scanning the reconstructed entity files to judge whether a malicious sample is present; if a malicious sample is present, determining its hazard level and propagation method; and, according to the hazard level and propagation method, selecting a response method from a disposal method library by a set algorithm and delivering the response method to network-side and terminal-side devices. The links of the invention are interconnected to form a closed-loop control flow in which the next operation is determined automatically by the algorithm, reducing manual interference and disposal time.

Description

Automatic malicious code disposal method and system
Technical field
The present invention relates to the field of information security technology, and in particular to an automatic malicious code disposal method and system.
Background technique
In existing malicious code disposal processes, all of the required data comes from different devices, the disposal itself must be performed manually, and the disposal method is revised according to its observed effect and applied a second time, until the propagation of the malicious code is essentially stopped. In this process the source and propagation status of a malicious code sample are supplied by a file reconstruction device; the verdict and the propagation method are analysed by a detection device together with manual judgement; and propagation is blocked either by network devices or by manual action on each terminal. Each link is independent of the others, the hand-offs between links currently rely on manual operation, efficiency is low, the result depends on the experience of the staff, and the approach is difficult to promote at scale.
Summary of the invention
To address the above problems in the prior art, the invention proposes an automatic malicious code disposal method and system. Specifically, the summary of the invention comprises:
An automatic malicious code disposal method, comprising:
capturing network packets and reconstructing entity files from the packet contents;
scanning the reconstructed entity files to judge whether a malicious sample is present;
if a malicious sample is present, determining its hazard level and propagation method;
according to the hazard level and propagation method, selecting a response method from a disposal method library by a set algorithm, and delivering the response method to network-side and terminal-side devices. When selecting a response method, the general principle is that the higher the assessed hazard level, the more the selection tends toward fast, broad-coverage methods; otherwise, a method with small negative side effects is chosen. The main selection basis is the propagation method of the malicious sample: a method capable of blocking that propagation is selected.
Further, determining the hazard level and propagation method of a detected malicious sample specifically comprises: if a malicious sample is present, further judging whether it is known; if it is known, obtaining its hazard level and propagation method by matching against a malicious sample database; otherwise, performing quick static and dynamic analysis on the sample to obtain its hazard level and propagation method.
Further, after the response method has been delivered to the network-side and terminal-side devices, if the malicious sample continues to propagate, a response method is reselected from the disposal method library and delivered again to the network-side and terminal-side devices; if after a prescribed time the propagation of the malicious sample is still not under control, an alarm signal is issued to the administrator.
Further, the process information of each disposal and the response method taken are dynamically added to the disposal method library, and machine learning is performed on the data in the library; while reducing data redundancy in the library, the optimal disposal strategy is learned automatically, so that when the system discovers a new sample it can, according to the set algorithm, provide a better-fitting disposal method.
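The first three steps of the method above (capture packets, reconstruct the entity file, scan it, then resolve hazard level and propagation method by database match or quick static analysis) are shown below as an added example in Python. This is not code from the patent or from the applicant: the TCP segments, the known-sample database, the static-analysis rules and the hazard scale (1 to 5) are all constructed for illustration, and sandbox (dynamic) analysis is not modelled.

```python
# Added example (not the patent's own code): the capture -> reconstruct -> scan ->
# assess chain of the method summary, in Python. The TCP segments, the known-sample
# database and the static-analysis rules are all constructed for illustration.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    stream: str     # flow identifier, e.g. "10.0.0.5:49152->10.0.0.9:80" (constructed)
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments):
    """Rebuild each stream's byte string: order segments by sequence number,
    ignore retransmitted duplicates, and stop at the first gap so that a
    partially captured file is never handed to the scanner as if complete."""
    by_stream = {}
    for seg in segments:
        by_stream.setdefault(seg.stream, {}).setdefault(seg.seq, seg.payload)
    streams = {}
    for name, chunks in by_stream.items():
        data, expected = b"", min(chunks)
        for seq in sorted(chunks):
            if seq != expected:
                break                     # lost segment: keep only the contiguous prefix
            data += chunks[seq]
            expected = seq + len(chunks[seq])
        streams[name] = data
    return streams


def entity_file(stream_bytes):
    """Strip a minimal HTTP response header; the body is the 'entity file'."""
    _head, sep, body = stream_bytes.partition(b"\r\n\r\n")
    return body if sep else stream_bytes


# Constructed known-sample database: sha256 -> (hazard level 1..5, propagation method).
KNOWN_BODY = b"MZ" + b"\x90" * 16 + b"constructed-known-worm"
KNOWN_SAMPLES = {hashlib.sha256(KNOWN_BODY).hexdigest(): (5, "smb_lateral")}

# Constructed quick static-analysis rules for unknown samples:
# (byte pattern, hazard level, propagation method). A real deployment would add
# sandbox (dynamic) analysis; that stage is not modelled here.
STATIC_RULES = [
    (b"\\\\ADMIN$", 4, "smb_lateral"),
    (b"MAIL FROM:", 3, "email"),
    (b"autorun.inf", 3, "removable_media"),
]


def assess(data):
    """Return the hazard level and propagation method of a malicious sample,
    or None when the file is not judged malicious. Known samples are resolved
    by database match; unknown ones by the static rules above."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_SAMPLES:
        hazard, propagation = KNOWN_SAMPLES[digest]
        return {"sha256": digest, "known": True, "hazard": hazard, "propagation": propagation}
    if not data.startswith(b"MZ"):       # scanner: only executables are considered here
        return None
    hits = [(hazard, prop) for pattern, hazard, prop in STATIC_RULES if pattern in data]
    if not hits:
        return None
    hazard, propagation = max(hits)      # most dangerous matching rule wins
    return {"sha256": digest, "known": False, "hazard": hazard, "propagation": propagation}


def run_pipeline(segments):
    """Capture -> reconstruct -> scan/assess; returns verdicts keyed by stream."""
    verdicts = {}
    for name, stream_bytes in reassemble(segments).items():
        verdict = assess(entity_file(stream_bytes))
        if verdict is not None:
            verdicts[name] = verdict
    return verdicts


# Constructed capture: three flows, the first delivered out of order with a retransmission.
HTTP_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
_known = HTTP_HEAD + KNOWN_BODY
_unknown = HTTP_HEAD + b"MZ" + b"\x00" * 8 + b"MAIL FROM:<x@example.test>"
SAMPLE_SEGMENTS = [
    Segment("flowA", 1060, _known[60:]),
    Segment("flowA", 1000, _known[:30]),
    Segment("flowA", 1030, _known[30:60]),
    Segment("flowA", 1030, _known[30:60]),          # retransmitted duplicate
    Segment("flowB", 1, _unknown),
    Segment("flowC", 1, HTTP_HEAD + b"hello, benign text"),
]

if __name__ == "__main__":
    for flow, verdict in run_pipeline(SAMPLE_SEGMENTS).items():
        print(flow, verdict)
```

Two points a practitioner would check in such a reconstruction stage: a stream with a missing segment must not be scanned as if it were the whole file (here the reassembler stops at the first gap), and an exact-hash match against the known-sample database will miss repacked variants of a known sample, which is why the patent's fallback to static and dynamic analysis matters.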
An automatic malicious code disposal system, comprising:
a traffic reconstruction module, for capturing network packets and reconstructing entity files from the packet contents;
a malice determination module, for scanning the reconstructed entity files and judging whether a malicious sample is present;
a comprehensive analysis module, for determining the hazard level and propagation method of a malicious sample when one is present;
a scheme issuing module, for selecting a response method from a disposal method library by a set algorithm according to the hazard level and propagation method, and delivering the response method to network-side and terminal-side devices. When selecting a response method, the general principle is that the higher the assessed hazard level, the more the selection tends toward fast, broad-coverage methods; otherwise, a method with small negative side effects is chosen. The main selection basis is the propagation method of the malicious sample: a method capable of blocking that propagation is selected.
Further, the malice determination module is specifically configured to: if a malicious sample is present, further judge whether it is known; if it is known, obtain its hazard level and propagation method by matching against a malicious sample database; otherwise, perform quick static and dynamic analysis on the sample to obtain its hazard level and propagation method.
Further, after the response method has been delivered to the network-side and terminal-side devices, if the malicious sample continues to propagate, the scheme issuing module is invoked again to reselect a response method from the disposal method library and deliver it again to the network-side and terminal-side devices; if after a prescribed time the propagation of the malicious sample is still not under control, an alarm signal is issued to the administrator.
Further, the process information of each disposal and the response method taken are dynamically added to the disposal method library, and machine learning is performed on the data in the library; while reducing data redundancy in the library, the optimal disposal strategy is learned automatically, so that when the system discovers a new sample it can, according to the set algorithm, provide a better-fitting disposal method.
An electronic device, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor implements the automatic disposal method when executing the program.
A computer-readable storage medium for storing a computer program, wherein the computer program is executable by a processor to perform the automatic disposal method.
The beneficial effects of the present invention are:
The links of the invention are interconnected to form a closed-loop control flow; the next operation is determined automatically by the algorithm; the system automatically collects all of the data needed for disposal, selects automatically from the existing scheme library and algorithm, and optimizes according to the observed effect, which improves disposal efficiency and reduces manual interference and disposal time. The whole disposal process of every link is recorded, accumulating a large amount of data that can serve as training material for big-data and machine-learning methods to select the optimal disposal method and continuously optimize it; real-time updating according to the trend of change in malicious samples ensures that disposal remains timely and effective when the newest malicious code is encountered. Manual intervention is not excluded: manual analysis and automatic analysis are combined effectively to achieve maximum efficiency.
Detailed description of the drawings
In order to illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of an automatic malicious code disposal method of the present invention;
Fig. 2 is a structural diagram of an automatic malicious code disposal system of the present invention.
Specific embodiments
In order that those skilled in the art may better understand the technical solutions in the embodiments of the present invention, and that the above objects, features and advantages of the invention may be more obvious and easier to understand, the technical solutions of the invention are described in further detail below with reference to the drawings.
The present invention gives an embodiment of an automatic malicious code disposal method, as shown in Fig. 1, comprising:
S101: capturing network packets and reconstructing entity files from the packet contents;
S102: scanning the reconstructed entity files and judging whether a malicious sample is present;
S103: if a malicious sample is present, determining its hazard level and propagation method;
S104: according to the hazard level and propagation method, selecting a response method from a disposal method library by a set algorithm. When selecting a response method, the general principle is that the higher the assessed hazard level, the more the selection tends toward fast, broad-coverage methods; otherwise, a method with small negative side effects is chosen. The main selection basis is the propagation method of the malicious sample: a method capable of blocking that propagation is selected;
S105: delivering the response method to network-side and terminal-side devices.
Preferably, determining the hazard level and propagation method of a detected malicious sample specifically comprises: if a malicious sample is present, further judging whether it is known; if it is known, obtaining its hazard level and propagation method by matching against a malicious sample database; otherwise, performing quick static and dynamic analysis on the sample to obtain its hazard level and propagation method.
Preferably, after the response method has been delivered to the network-side and terminal-side devices, if the malicious sample continues to propagate, a response method is reselected from the disposal method library and delivered again to the network-side and terminal-side devices; if after a prescribed time the propagation of the malicious sample is still not under control, an alarm signal is issued to the administrator.
Preferably, the process information of each disposal and the response method taken are dynamically added to the disposal method library, and machine learning is performed on the data in the library; while reducing data redundancy in the library, the optimal disposal strategy is learned automatically, so that when the system discovers a new sample it can, according to the set algorithm, provide a better-fitting disposal method.
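Steps S104 and S105 together with the three "preferably" paragraphs above describe one closed loop: select by hazard level and propagation method, deliver, watch whether the sample keeps spreading, reselect, alarm after a deadline, and feed every outcome back into the library. The Python below is an added example of that loop and is not the patent's or the applicant's code. The disposal method library, the 1 to 5 hazard scale with 4 as the "high hazard" threshold, a round-based stand-in for the "prescribed time", the propagation observer callback, and the very simple success-rate rule standing in for the patent's unspecified machine learning are all constructed assumptions.

```python
# Added example (not the patent's own code): the response-selection rule of S104,
# delivery of S105, and the closed loop of the "preferably" paragraphs, in Python.
# The disposal method library, hazard scale, round-based deadline and the
# propagation observer are all constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Method:
    name: str
    blocks: frozenset      # propagation methods this response can block
    speed: int             # 1 (slow) .. 5 (fast)
    coverage: int          # 1 (single host) .. 5 (whole network)
    side_effect: int       # 1 (negligible) .. 5 (severe disruption)
    targets: tuple         # device classes the method is delivered to


# Constructed disposal method library.
LIBRARY = [
    Method("quarantine_file", frozenset({"email", "removable_media", "smb_lateral"}), 2, 1, 1, ("terminal",)),
    Method("block_sender_domain", frozenset({"email"}), 3, 3, 2, ("network",)),
    Method("disable_autorun", frozenset({"removable_media"}), 2, 3, 1, ("terminal",)),
    Method("acl_block_smb_445", frozenset({"smb_lateral"}), 4, 4, 3, ("network",)),
    Method("isolate_vlan", frozenset({"smb_lateral", "email"}), 5, 5, 5, ("network", "terminal")),
]

HIGH_HAZARD = 4   # assumption: hazard levels run 1..5; >= 4 prefers fast, broad methods


def score(method, hazard):
    """Set algorithm of S104. High hazard: rank by speed + coverage, then by
    smaller side effect. Low hazard: rank by smaller side effect first."""
    reach = method.speed + method.coverage
    if hazard >= HIGH_HAZARD:
        return (reach, -method.side_effect)
    return (-method.side_effect, reach)


def select(library, hazard, propagation, exclude=()):
    """Main basis: the method must block the sample's propagation method.
    Among those, the best score() wins; methods already tried are excluded."""
    candidates = [m for m in library if propagation in m.blocks and m.name not in exclude]
    return max(candidates, key=lambda m: score(m, hazard), default=None)


@dataclass(frozen=True)
class Outcome:
    hazard: int
    propagation: str
    method: str
    controlled: bool


class Responder:
    def __init__(self, library, deadline_rounds=3):
        self.library = list(library)
        self.deadline = deadline_rounds   # stand-in for the patent's "prescribed time"
        self.history = []                 # every disposal is recorded for learning

    def learned_first(self, propagation, exclude):
        """Simple stand-in for the patent's unspecified machine learning: a method
        with a perfect record against this propagation method is tried first."""
        stats = {}
        for o in self.history:
            if o.propagation == propagation and o.method not in exclude:
                wins, total = stats.get(o.method, (0, 0))
                stats[o.method] = (wins + int(o.controlled), total + 1)
        best = max(stats.items(), key=lambda kv: kv[1][0] / kv[1][1], default=None)
        if best and best[1][0] == best[1][1]:
            return next(m for m in self.library if m.name == best[0])
        return None

    def dispatch(self, method):
        """S105: deliver the response to network-side and terminal-side devices."""
        return [(target, method.name) for target in method.targets]

    def handle(self, hazard, propagation, still_spreading):
        """Closed loop: select, dispatch, observe; reselect while the sample keeps
        spreading; raise an alarm when the deadline passes without control."""
        tried, dispatched = [], []
        for _round in range(self.deadline):
            method = self.learned_first(propagation, tried) or select(self.library, hazard, propagation, tried)
            if method is None:
                break                                    # library exhausted
            tried.append(method.name)
            dispatched.extend(self.dispatch(method))
            controlled = not still_spreading(method.name)
            self.history.append(Outcome(hazard, propagation, method.name, controlled))
            if controlled:
                return {"controlled": True, "alarm": False, "tried": tried, "dispatched": dispatched}
        return {"controlled": False, "alarm": True, "tried": tried, "dispatched": dispatched}


if __name__ == "__main__":
    responder = Responder(LIBRARY)
    # Constructed observer: only the SMB ACL actually stops this sample.
    print(responder.handle(2, "smb_lateral", lambda name: name != "acl_block_smb_445"))
    print(responder.handle(2, "smb_lateral", lambda name: name != "acl_block_smb_445"))
```

The second call in the usage block shows the feedback effect the patent describes: the first disposal records that quarantine alone failed and the SMB ACL succeeded, so the next sample with the same propagation method goes straight to the ACL. Note that a high hazard level drives the rule toward the broadest action in the library (VLAN isolation here), which is exactly the "negative effect" trade-off the patent mentions; an operator deploying such a loop would want the side-effect scores and the deadline reviewed before the loop is allowed to act unattended.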
The present invention gives an embodiment of an automatic malicious code disposal system, as shown in Fig. 2, comprising:
a traffic reconstruction module 201, for capturing network packets and reconstructing entity files from the packet contents;
a malice determination module 202, for scanning the reconstructed entity files and judging whether a malicious sample is present;
a comprehensive analysis module 203, for determining the hazard level and propagation method of a malicious sample when one is present;
a scheme issuing module 204, for selecting a response method from a disposal method library by a set algorithm according to the hazard level and propagation method, and delivering the response method to network-side and terminal-side devices. When selecting a response method, the general principle is that the higher the assessed hazard level, the more the selection tends toward fast, broad-coverage methods; otherwise, a method with small negative side effects is chosen. The main selection basis is the propagation method of the malicious sample: a method capable of blocking that propagation is selected.
Further, the malice determination module 202 is specifically configured to: if a malicious sample is present, further judge whether it is known; if it is known, obtain its hazard level and propagation method by matching against a malicious sample database; otherwise, perform quick static and dynamic analysis on the sample to obtain its hazard level and propagation method.
Further, after the response method has been delivered to the network-side and terminal-side devices, if the malicious sample continues to propagate, the scheme issuing module 204 is invoked again to reselect a response method from the disposal method library and deliver it again to the network-side and terminal-side devices; if after a prescribed time the propagation of the malicious sample is still not under control, an alarm signal is issued to the administrator.
Further, the process information of each disposal and the response method taken are dynamically added to the disposal method library, and machine learning is performed on the data in the library; while reducing data redundancy in the library, the optimal disposal strategy is learned automatically, so that when the system discovers a new sample it can, according to the set algorithm, provide a better-fitting disposal method.
In addition, the present invention gives an embodiment of a computer device, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, the automatic disposal method of the above embodiment is implemented. The device may also include a communication interface for communication between the memory and the processor. The memory may include RAM and may further include non-volatile memory, for example at least one disk memory. The processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention. The memory and the processor may be arranged independently or integrated on one chip.
In order to implement the above embodiments, the present invention gives a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the automatic disposal method of the above embodiment.
The method embodiments in this specification are described in a progressive manner; since the system embodiment is substantially similar to the method embodiment, it is described relatively briefly, and the relevant parts may refer to the corresponding explanation of the method embodiment. The invention proposes an automatic malicious code disposal method and system, comprising: capturing network packets and reconstructing entity files from the packet contents; scanning the reconstructed entity files to judge whether a malicious sample is present; if a malicious sample is present, determining its hazard level and propagation method; and, according to the hazard level and propagation method, selecting a response method from a disposal method library by a set algorithm and delivering the response method to network-side and terminal-side devices. The links of the invention are interconnected to form a closed-loop control flow; the next operation is determined automatically by the algorithm; the system automatically collects all of the data needed for disposal, selects automatically from the existing scheme library and algorithm, and optimizes according to the observed effect, which improves disposal efficiency and reduces manual interference and disposal time. The whole disposal process of every link is recorded, accumulating a large amount of data that can serve as training material for big-data and machine-learning methods to select the optimal disposal method and continuously optimize it; real-time updating according to the trend of change in malicious samples ensures that disposal remains timely and effective when the newest malicious code is encountered. Manual intervention is not excluded: manual analysis and automatic analysis are combined effectively to achieve maximum efficiency.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will appreciate that there are many variations and modifications of the invention that do not depart from its spirit, and it is intended that the appended claims cover these variations and modifications without departing from the spirit of the invention.

Claims (10)

1. An automatic malicious code disposal method, characterized by comprising:
capturing network packets and reconstructing entity files from the packet contents;
scanning the reconstructed entity files and judging whether a malicious sample is present;
if a malicious sample is present, determining its hazard level and propagation method;
according to the hazard level and propagation method, selecting a response method from a disposal method library by a set algorithm, and delivering the response method to network-side and terminal-side devices.
2. The method according to claim 1, characterized in that determining the hazard level and propagation method of a detected malicious sample specifically comprises: if a malicious sample is present, further judging whether it is known; if it is known, obtaining its hazard level and propagation method by matching against a malicious sample database; otherwise, performing quick static and dynamic analysis on the sample to obtain its hazard level and propagation method.
3. The method according to claim 1 or 2, characterized in that, after the response method has been delivered to the network-side and terminal-side devices, if the malicious sample continues to propagate, a response method is reselected from the disposal method library and delivered again to the network-side and terminal-side devices; and if after a prescribed time the propagation of the malicious sample is still not under control, an alarm signal is issued to the administrator.
4. The method according to claim 3, characterized in that the process information of each disposal and the response method taken are dynamically added to the disposal method library, and machine learning is performed on the data in the disposal method library.
5. An automatic malicious code disposal system, characterized by comprising:
a traffic reconstruction module, for capturing network packets and reconstructing entity files from the packet contents;
a malice determination module, for scanning the reconstructed entity files and judging whether a malicious sample is present;
a comprehensive analysis module, for determining the hazard level and propagation method of a malicious sample when one is present;
a scheme issuing module, for selecting a response method from a disposal method library by a set algorithm according to the hazard level and propagation method, and delivering the response method to network-side and terminal-side devices.
6. The system according to claim 5, characterized in that the malice determination module is specifically configured to: if a malicious sample is present, further judge whether it is known; if it is known, obtain its hazard level and propagation method by matching against a malicious sample database; otherwise, perform quick static and dynamic analysis on the sample to obtain its hazard level and propagation method.
7. The system according to claim 5 or 6, characterized in that, after the response method has been delivered to the network-side and terminal-side devices, if the malicious sample continues to propagate, the scheme issuing module is invoked again to reselect a response method from the disposal method library and deliver it again to the network-side and terminal-side devices; and if after a prescribed time the propagation of the malicious sample is still not under control, an alarm signal is issued to the administrator.
8. The system according to claim 7, characterized in that the process information of each disposal and the response method taken are dynamically added to the disposal method library, and machine learning is performed on the data in the disposal method library.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor implements the automatic disposal method according to any one of claims 1 to 4 when executing the program.
10. A computer-readable storage medium for storing a computer program, characterized in that the computer program is executable by a processor to perform the automatic disposal method according to any one of claims 1 to 4.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201711471900.4A | 2017-12-29 | 2017-12-29 | Automatic malicious code disposal method and system

Publications (1)

Publication Number | Publication Date
CN109472142A (en) | 2019-03-15

Family

ID=65657999
Family Applications (1): CN201711471900.4A, filed 2017-12-29, published as CN109472142A (en), withdrawn

Country Status (1)

CN (1) CN109472142A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102594783A * | 2011-01-14 | 2012-07-18 | 中国科学院软件研究所 | Network security emergency responding method
CN103294951A * | 2012-11-29 | 2013-09-11 | 北京安天电子设备有限公司 | Malicious code sample extraction method and system based on document-type vulnerabilities
US8959643B1 * | 2013-08-09 | 2015-02-17 | Narus, Inc. | Detecting malware infestations in large-scale networks
CN105718798A * | 2015-08-18 | 2016-06-29 | 哈尔滨安天科技股份有限公司 | Private network information amplification based automatic malicious code analysis method and system
CN105323247A * | 2015-10-13 | 2016-02-10 | 华中科技大学 | Intrusion detection system for mobile terminal


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20190315