CN109472142A - Automatic malicious code disposal method and system - Google Patents
Automatic malicious code disposal method and system
- Publication number
- CN109472142A (application CN201711471900.4A)
- Authority
- CN
- China
- Prior art keywords
- malicious sample
- disposal
- malicious
- sample
- propagation mode
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
The invention proposes an automatic malicious code disposal method and system, comprising: capturing network packets and restoring the entity file from the message content; scanning the restored entity file to judge whether a malicious sample is present; if a malicious sample exists, determining its hazard level and propagation mode; and, according to the hazard level and propagation mode, selecting a response method from the disposal scheme library by a preset algorithm and sending the response method to network-side and terminal-side equipment. The links of the invention are connected to one another to form a closed-loop control flow in which the next operation is determined automatically by the algorithm, reducing manual intervention and disposal time.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to an automatic malicious code disposal method and system.
Background technique
In the existing malicious code disposal process, all the required data comes from different devices and the disposal itself must be performed manually; the disposal scheme is then adjusted according to its effect and a second round of disposal is carried out, before the goal of largely stopping the propagation of the malicious code is finally reached. In this process the source of the malicious code sample and its propagation status are provided by a file restoration device, the determination and the propagation mode are analysed by a detection device combined with manual comprehensive judgement, and the blocking of propagation is carried out by network equipment or performed manually on each terminal. The links are independent of one another and currently rely on manual operation to connect them: efficiency is low, the result depends on the experience of the staff, and the approach is difficult to promote at scale.
Summary of the invention
In view of the above problems in the prior art, the invention proposes an automatic malicious code disposal method and system. The summary of the invention is as follows:
An automatic malicious code disposal method, comprising:
capturing network packets and restoring the entity file according to the message content;
scanning the restored entity file and judging whether a malicious sample is present;
if a malicious sample exists, determining the hazard level and propagation mode of the malicious sample;
according to the hazard level and propagation mode, selecting a response method from the disposal scheme library by a preset algorithm, and sending the response method to network-side and terminal-side equipment. When selecting the response method, the general principle is that the higher the assessed hazard level, the more the selection leans toward fast, wide-coverage methods, and conversely toward methods with a small negative impact; the main selection criterion is to choose, according to the propagation mode of the malicious sample, a method able to block that propagation.
Further, determining the hazard level and propagation mode of the malicious sample when one exists specifically comprises: if a malicious sample exists, further judging whether the malicious sample is known; if it is known, obtaining its hazard level and propagation mode by matching against the malicious sample database; otherwise, performing a quick static and dynamic analysis of the malicious sample to obtain its hazard level and propagation mode.
Further, after the response method has been sent to the network-side and terminal-side equipment, if the malicious sample continues to propagate, a response method is reselected from the disposal scheme library and sent again to the network-side and terminal-side equipment; if the propagation of the malicious sample is still not under control after a stipulated time, an alarm signal is issued to the administrator.
Further, the process information of each disposal and the response method taken are dynamically added to the disposal scheme library, and machine learning is performed on the data in the library; while redundancy in the library's data is reduced, the optimal disposal strategy is learned automatically, so that when the system discovers a new sample it can provide a better-fitting disposal method according to the preset algorithm.
An automatic malicious code disposal system, comprising:
a flow recovery module for capturing network packets and restoring the entity file according to the message content;
a malice determination module for scanning the restored entity file and judging whether a malicious sample is present;
a comprehensive analysis module for determining the hazard level and propagation mode of the malicious sample when one exists;
a scheme issuing module for selecting a response method from the disposal scheme library by a preset algorithm according to the hazard level and propagation mode, and sending the response method to network-side and terminal-side equipment. When selecting the response method, the general principle is that the higher the assessed hazard level, the more the selection leans toward fast, wide-coverage methods, and conversely toward methods with a small negative impact; the main selection criterion is to choose, according to the propagation mode of the malicious sample, a method able to block that propagation.
Further, the malice determination module is specifically used for: if a malicious sample exists, further judging whether the malicious sample is known; if it is known, obtaining its hazard level and propagation mode by matching against the malicious sample database; otherwise, performing a quick static and dynamic analysis of the malicious sample to obtain its hazard level and propagation mode.
Further, after the response method has been sent to the network-side and terminal-side equipment, if the malicious sample continues to propagate, the scheme issuing module is called again to reselect a response method from the disposal scheme library and send it again to the network-side and terminal-side equipment; if the propagation of the malicious sample is still not under control after a stipulated time, an alarm signal is issued to the administrator.
Further, the process information of each disposal and the response method taken are dynamically added to the disposal scheme library, and machine learning is performed on the data in the library; while redundancy in the library's data is reduced, the optimal disposal strategy is learned automatically, so that when the system discovers a new sample it can provide a better-fitting disposal method according to the preset algorithm.
An electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor implements the automatic disposal method when executing the program.
A computer-readable storage medium for storing a computer program, wherein the computer program can be executed by a processor to carry out the automatic disposal method.
The beneficial effects of the invention are as follows:
The links of the invention are connected to one another to form a closed-loop control flow in which the next operation is determined automatically by the algorithm; the system automatically collects all the data needed for disposal, selects automatically from the existing scheme library by the algorithm, and optimises according to the effect, improving disposal efficiency and reducing manual intervention and disposal time. The whole disposal process of every link is recorded, accumulating a large amount of data that serves as training material for big data and machine learning, so that the optimal disposal method is selected and continuously optimised, and that can be updated in real time with the changing trend of malicious samples, ensuring that disposal remains timely and effective even against the newest malicious code. At the same time manual intervention is not excluded, so that manual analysis and automatic analysis are combined effectively to achieve maximum efficiency.
Detailed description of the invention
In order to explain the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the automatic malicious code disposal method of the invention;
Fig. 2 is a structural diagram of the automatic malicious code disposal system of the invention.
Specific embodiment
In order to enable those skilled in the art to better understand the technical solutions in the embodiments of the invention, and to make the above objects, features and advantages of the invention clearer and easier to understand, the technical solutions of the invention are explained in further detail below with reference to the drawings.
The invention provides an embodiment of the automatic malicious code disposal method which, as shown in Fig. 1, comprises:
S101: capturing network packets and restoring the entity file according to the message content;
S102: scanning the restored entity file and judging whether a malicious sample is present;
S103: if a malicious sample exists, determining the hazard level and propagation mode of the malicious sample;
S104: according to the hazard level and propagation mode, selecting a response method from the disposal scheme library by a preset algorithm; when selecting the response method, the general principle is that the higher the assessed hazard level, the more the selection leans toward fast, wide-coverage methods, and conversely toward methods with a small negative impact; the main selection criterion is to choose, according to the propagation mode of the malicious sample, a method able to block that propagation;
S105: sending the response method to network-side and terminal-side equipment.
Preferably, determining the hazard level and propagation mode of the malicious sample when one exists specifically comprises: if a malicious sample exists, further judging whether the malicious sample is known; if it is known, obtaining its hazard level and propagation mode by matching against the malicious sample database; otherwise, performing a quick static and dynamic analysis of the malicious sample to obtain its hazard level and propagation mode.
Preferably, after the response method has been sent to the network-side and terminal-side equipment, if the malicious sample continues to propagate, a response method is reselected from the disposal scheme library and sent again to the network-side and terminal-side equipment; if the propagation of the malicious sample is still not under control after a stipulated time, an alarm signal is issued to the administrator.
Preferably, the process information of each disposal and the response method taken are dynamically added to the disposal scheme library, and machine learning is performed on the data in the library; while redundancy in the library's data is reduced, the optimal disposal strategy is learned automatically, so that when the system discovers a new sample it can provide a better-fitting disposal method according to the preset algorithm.
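The closed loop of steps S103 to S105, together with the preferred re-selection, alarm and learning refinements above (and the identical steps in the summary of the invention), can be exercised end to end with the following Python sketch. It is an added illustration, not code from the patent: the 1-to-5 hazard scale, the scoring weights, the disposal scheme library entries, the sample database entry and the order format are all constructed assumptions, and the "stipulated time" is modelled as a number of rounds.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    sha256: str
    hazard: int      # hazard level on an assumed scale of 1 (low) to 5 (high)
    spread: str      # propagation mode, e.g. "smb", "email", "web", "usb"
    known: bool      # whether it matched the malicious sample database

@dataclass
class Method:
    name: str
    blocks: frozenset  # propagation modes this method is able to block
    speed: int         # 1..5, how quickly it takes effect
    coverage: int      # 1..5, how broadly it applies
    impact: int        # 1..5, size of its negative side effects
    target: str        # "network" or "terminal" side equipment
    success: int = 0   # outcome counters maintained by record()
    failure: int = 0

# Constructed disposal scheme library; the patent extends it dynamically after each disposal.
LIBRARY = [
    Method("block_port_445_at_perimeter", frozenset({"smb"}), 5, 5, 4, "network"),
    Method("isolate_infected_hosts", frozenset({"smb", "usb"}), 4, 2, 2, "terminal"),
    Method("push_av_signature", frozenset({"smb", "email", "web", "usb"}), 2, 5, 1, "terminal"),
    Method("quarantine_mail_attachment", frozenset({"email"}), 4, 4, 1, "network"),
    Method("block_url_category", frozenset({"web"}), 3, 4, 3, "network"),
]
# Constructed malicious sample database: sha256 -> (hazard level, propagation mode).
KNOWN_SAMPLES = {"0" * 64: (5, "smb")}
LEARN_WEIGHT = 4.0  # assumed weight of learned outcomes in the selection score

def classify(sha256, quick_analysis):
    """S103: database match for a known sample, else caller-supplied quick analysis."""
    if sha256 in KNOWN_SAMPLES:
        hazard, spread = KNOWN_SAMPLES[sha256]
        return Sample(sha256, hazard, spread, known=True)
    hazard, spread = quick_analysis(sha256)
    return Sample(sha256, hazard, spread, known=False)

def score(method, hazard):
    """General principle: higher hazard weights speed and coverage more, lower hazard
    weights a small negative impact more; learned outcomes shift the score."""
    w = hazard / 5.0
    base = w * (method.speed + method.coverage) - (1.0 - w) * method.impact
    tried = method.success + method.failure
    return base + LEARN_WEIGHT * (method.success - method.failure) / (tried + 1)

def select_method(sample, library, exclude=()):
    """S104: the main criterion is that the method blocks the sample's propagation
    mode; among those, the best-scoring method not tried yet is chosen."""
    candidates = [m for m in library
                  if sample.spread in m.blocks and m.name not in exclude]
    if not candidates:
        return None
    return max(candidates, key=lambda m: score(m, sample.hazard))

def dispatch(method, sample):
    """S105: the order pushed to network-side or terminal-side equipment (format assumed)."""
    return {"to": method.target, "action": method.name, "sha256": sample.sha256}

def record(log, method, sample, contained):
    """Each disposal round is added to the library history and to the outcome counters."""
    if contained:
        method.success += 1
    else:
        method.failure += 1
    log.append({"sha256": sample.sha256, "method": method.name, "contained": contained})

def dispose(sample, library, still_spreading, rounds, log):
    """Closed loop: select, dispatch, observe; reselect while the sample keeps spreading,
    and raise an administrator alarm if still uncontained after the stipulated rounds."""
    tried, orders = [], []
    for _ in range(rounds):
        method = select_method(sample, library, exclude=tried)
        if method is None:
            break  # library exhausted for this propagation mode
        tried.append(method.name)
        orders.append(dispatch(method, sample))
        contained = not still_spreading(method.name)
        record(log, method, sample, contained)
        if contained:
            return {"status": "contained", "methods": tried, "orders": orders, "alarm": False}
    return {"status": "uncontained", "methods": tried, "orders": orders, "alarm": True}
```

The `still_spreading` callable stands in for the observation that the real system makes after each order is issued; with a hazard-5 sample the loop first tries the fast, broad perimeter block and only falls back to the low-impact signature push when propagation continues, whereas a hazard-1 sample is given the low-impact method first.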
The invention provides an embodiment of the automatic malicious code disposal system which, as shown in Fig. 2, comprises:
a flow recovery module 201 for capturing network packets and restoring the entity file according to the message content;
a malice determination module 202 for scanning the restored entity file and judging whether a malicious sample is present;
a comprehensive analysis module 203 for determining the hazard level and propagation mode of the malicious sample when one exists;
a scheme issuing module 204 for selecting a response method from the disposal scheme library by a preset algorithm according to the hazard level and propagation mode, and sending the response method to network-side and terminal-side equipment. When selecting the response method, the general principle is that the higher the assessed hazard level, the more the selection leans toward fast, wide-coverage methods, and conversely toward methods with a small negative impact; the main selection criterion is to choose, according to the propagation mode of the malicious sample, a method able to block that propagation.
Further, the malice determination module 202 is specifically used for: if a malicious sample exists, further judging whether the malicious sample is known; if it is known, obtaining its hazard level and propagation mode by matching against the malicious sample database; otherwise, performing a quick static and dynamic analysis of the malicious sample to obtain its hazard level and propagation mode.
Further, after the response method has been sent to the network-side and terminal-side equipment, if the malicious sample continues to propagate, the scheme issuing module 204 is called again to reselect a response method from the disposal scheme library and send it again to the network-side and terminal-side equipment; if the propagation of the malicious sample is still not under control after a stipulated time, an alarm signal is issued to the administrator.
Further, the process information of each disposal and the response method taken are dynamically added to the disposal scheme library, and machine learning is performed on the data in the library; while redundancy in the library's data is reduced, the optimal disposal strategy is learned automatically, so that when the system discovers a new sample it can provide a better-fitting disposal method according to the preset algorithm.
In addition, the invention provides an embodiment of a computer device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, the automatic disposal method of the above embodiment is implemented. The device may also comprise a communication interface for communication between the memory and the processor. The memory may comprise RAM and may further comprise non-volatile memory, for example at least one disk memory. The processor may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiment of the invention. The memory and the processor may be arranged independently or integrated on a single chip.
To realise the above embodiment, the invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the automatic disposal method of the above embodiment.
The method embodiments in this specification are described progressively; since the system embodiment is substantially similar to the method embodiment, it is described relatively briefly, and for the relevant parts reference may be made to the description of the method embodiment.
In summary, the invention proposes an automatic malicious code disposal method and system, comprising: capturing network packets and restoring the entity file according to the message content; scanning the restored entity file to judge whether a malicious sample is present; if a malicious sample exists, determining its hazard level and propagation mode; and, according to the hazard level and propagation mode, selecting a response method from the disposal scheme library by a preset algorithm and sending the response method to network-side and terminal-side equipment. The links of the invention are connected to one another to form a closed-loop control flow in which the next operation is determined automatically by the algorithm; the system automatically collects all the data needed for disposal, selects automatically from the existing scheme library by the algorithm, and optimises according to the effect, improving disposal efficiency and reducing manual intervention and disposal time. The whole disposal process of every link is recorded, accumulating a large amount of data that serves as training material for big data and machine learning, so that the optimal disposal method is selected and continuously optimised, and that can be updated in real time with the changing trend of malicious samples, ensuring that disposal remains timely and effective even against the newest malicious code. At the same time manual intervention is not excluded, so that manual analysis and automatic analysis are combined effectively to achieve maximum efficiency.
Although the invention has been described by way of embodiments, those skilled in the art will appreciate that many variations and modifications of the invention are possible without departing from its spirit, and it is intended that the appended claims cover such variations and modifications.
Claims (10)
1. An automatic malicious code disposal method, characterized by comprising:
capturing network packets and restoring the entity file according to the message content;
scanning the restored entity file and judging whether a malicious sample is present;
if a malicious sample exists, determining the hazard level and propagation mode of the malicious sample;
according to the hazard level and propagation mode, selecting a response method from the disposal scheme library by a preset algorithm, and sending the response method to network-side and terminal-side equipment.
2. The method according to claim 1, characterized in that determining the hazard level and propagation mode of the malicious sample when one exists specifically comprises: if a malicious sample exists, further judging whether the malicious sample is known; if it is known, obtaining its hazard level and propagation mode by matching against the malicious sample database; otherwise, performing a quick static and dynamic analysis of the malicious sample to obtain its hazard level and propagation mode.
3. The method according to claim 1 or 2, characterized in that, after the response method has been sent to the network-side and terminal-side equipment, if the malicious sample continues to propagate, a response method is reselected from the disposal scheme library and sent again to the network-side and terminal-side equipment; and if the propagation of the malicious sample is still not under control after a stipulated time, an alarm signal is issued to the administrator.
4. The method according to claim 3, characterized in that the process information of each disposal and the response method taken are dynamically added to the disposal scheme library, and machine learning is performed on the data in the disposal scheme library.
5. An automatic malicious code disposal system, characterized by comprising:
a flow recovery module for capturing network packets and restoring the entity file according to the message content;
a malice determination module for scanning the restored entity file and judging whether a malicious sample is present;
a comprehensive analysis module for determining the hazard level and propagation mode of the malicious sample when one exists;
a scheme issuing module for selecting a response method from the disposal scheme library by a preset algorithm according to the hazard level and propagation mode, and sending the response method to network-side and terminal-side equipment.
6. The system according to claim 5, characterized in that the malice determination module is specifically used for: if a malicious sample exists, further judging whether the malicious sample is known; if it is known, obtaining its hazard level and propagation mode by matching against the malicious sample database; otherwise, performing a quick static and dynamic analysis of the malicious sample to obtain its hazard level and propagation mode.
7. The system according to claim 5 or 6, characterized in that, after the response method has been sent to the network-side and terminal-side equipment, if the malicious sample continues to propagate, the scheme issuing module is called again to reselect a response method from the disposal scheme library and send it again to the network-side and terminal-side equipment; and if the propagation of the malicious sample is still not under control after a stipulated time, an alarm signal is issued to the administrator.
8. The system according to claim 7, characterized in that the process information of each disposal and the response method taken are dynamically added to the disposal scheme library, and machine learning is performed on the data in the disposal scheme library.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor implements the automatic disposal method according to any one of claims 1 to 4 when executing the program.
10. A computer-readable storage medium for storing a computer program, characterized in that the computer program can be executed by a processor to carry out the automatic disposal method according to any one of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711471900.4A CN109472142A (en) | 2017-12-29 | 2017-12-29 | A kind of automatic method of disposal of malicious code and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109472142A true CN109472142A (en) | 2019-03-15 |
Family
ID=65657999
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711471900.4A Withdrawn CN109472142A (en) | 2017-12-29 | 2017-12-29 | A kind of automatic method of disposal of malicious code and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109472142A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102594783A (en) * | 2011-01-14 | 2012-07-18 | 中国科学院软件研究所 | Network security emergency responding method |
CN103294951A (en) * | 2012-11-29 | 2013-09-11 | 北京安天电子设备有限公司 | Malicious code sample extraction method and system based on document type bug |
US8959643B1 (en) * | 2013-08-09 | 2015-02-17 | Narus, Inc. | Detecting malware infestations in large-scale networks |
CN105323247A (en) * | 2015-10-13 | 2016-02-10 | 华中科技大学 | Intrusion detection system for mobile terminal |
CN105718798A (en) * | 2015-08-18 | 2016-06-29 | 哈尔滨安天科技股份有限公司 | Private network information amplification based automatic malicious code analysis method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | ||
Application publication date: 20190315