CN109784052A - Management method, server-side, terminal and system for software action detection - Google Patents


Publication number
CN109784052A
Authority
CN
China
Prior art keywords
software action
software
testing result
detection
information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811640645.6A
Other languages
Chinese (zh)
Other versions
CN109784052B (en
Inventor
王腾
李宇
李宗越
王宜云
卢杨渐
黄瀚
胡彬
黄鉴廷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
360 Enterprise Safety Technology (zhuhai) Co Ltd
Beijing Qianxin Technology Co Ltd
Application filed by 360 Enterprise Safety Technology (zhuhai) Co Ltd, Beijing Qianxin Technology Co Ltd
Priority to CN201811640645.6A
Publication of CN109784052A
Application granted
Publication of CN109784052B
Legal status: Active

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a management method for software action detection, together with a server-side, a terminal and a system, and relates to the field of communication and information technology. Its main purpose is to solve the problem that operations and maintenance personnel cannot accurately judge unknown software actions when auditing software actions. The method includes: the terminal obtains the software action of running software and identifies the operating status of the software action according to a preset behavior collection; if identification of the operating status fails, the terminal uploads the software action information of the software action to the server-side; the server-side receives the software action information to be detected, classifies it, and distributes it to a test side according to the classification result; if the server-side receives a testing result fed back by the test side, it feeds the testing result back to the terminal; the terminal receives the testing result and handles the software action according to it.

Description

Management method, server-side, terminal and system for software action detection
Technical field
The present invention relates to the field of communication and information technology, and in particular to a management method for software action detection, and to a server-side, a terminal and a system.
Background
With the continuous development of cloud control technology, the security department of an enterprise can monitor the security protection of the computers inside the enterprise, and can perform security monitoring on the running behavior of the software deployed on each computer.
At present, software action detection is managed by manually auditing each computer separately to detect whether a software action is abnormal. However, when auditing the software actions on each computer, operations and maintenance personnel cannot accurately judge unknown software actions, which reduces the management efficiency of software action detection.
Summary of the invention
In view of this, the present invention provides a management method for software action detection, together with a server-side, a terminal and a system. Its main purpose is to solve the problem that operations and maintenance personnel cannot accurately judge unknown software actions when auditing the software actions on each computer.
According to one aspect of the present invention, a management method for software action detection is provided, comprising:
Receiving software action information to be detected, the software action information being information with which a terminal, according to a preset behavior collection, has identified that abnormal behavior exists in running software;
Classifying the software action information and distributing it to a test side according to the classification result, so that the test side detects the operating status of the software action according to the software action information and determines a testing result;
If a testing result fed back by the test side is received, feeding the testing result back to the terminal, so that the terminal handles the software action according to the testing result, the testing result being the management mode for software action detection that the test side feeds back to the server-side after detection.
Further, classifying the software action information and distributing it to a test side according to the classification result includes:
Classifying the software action information according to behavior monitoring type, the behavior monitoring types including a process monitoring class, a file monitoring class, a network monitoring class, a registry monitoring class and a driver monitoring class;
Calculating the number of test-side devices, and determining, according to a preset allocation rule, the allocation method of the test sides corresponding to that number of devices, the preset allocation rule being the correspondence between the number of devices, the identification information of the terminal, and the behavior monitoring type;
Distributing the classified software action information to the test sides according to the allocation method.
Further, calculating the number of test-side devices and determining, according to the preset allocation rule, the allocation method of the test sides corresponding to that number of devices includes:
Calculating the number of test-side devices, dividing the test sides corresponding to that number of devices by type according to the behavior monitoring type, matching the divided test sides with the identification information, and determining the correspondence after matching as the allocation method of the test sides.
Further, after feeding the testing result back to the terminal when a testing result fed back by the test side is received, the method also includes:
Recording the testing result, and storing the correspondence between the testing result and the software action information in a preset storage location.
Further, the method also includes:
Receiving a testing result query request at a preset time interval and, if a testing result corresponding to the software action information exists in the preset storage location, extracting the testing result from the preset storage location and feeding it back to the terminal, the testing result query request carrying the software action information to be queried.
According to one aspect of the present invention, another management method for software action detection is provided, comprising:
Obtaining the software action of running software, and identifying the operating status of the software action according to a preset behavior collection;
If identification of the operating status fails, uploading the software action information of the software action to the server-side, the software action information being the behavior information corresponding to the abnormal behavior identified according to the preset behavior collection;
Receiving a testing result, and handling the software action according to the testing result, the testing result being the management mode for software action detection that the test side feeds back to the server-side after detection.
Further, before obtaining the software action of running software and identifying the operating status of the software action according to the preset behavior collection, the method also includes:
Determining the operating status of software actions according to the software actions of running software, the operating status including dangerous operation and legal operation;
Updating the software actions whose operating status can be determined into the preset behavior collection, so that the operating status of all software actions is identified according to the preset behavior collection.
Further, before receiving the testing result and handling the software action according to the testing result, the method also includes:
Sending a testing result query request, the testing result query request carrying the software action information to be queried.
According to one aspect of the present invention, a server-side is provided, comprising:
A receiving unit, configured to receive software action information to be detected, the software action information being information with which a terminal, according to a preset behavior collection, has identified that abnormal behavior exists in running software;
A classification unit, configured to classify the software action information and distribute it to a test side according to the classification result, so that the test side detects the operating status of the software action according to the software action information and determines a testing result;
A feedback unit, configured to feed the testing result back to the terminal if a testing result fed back by the test side is received, so that the terminal handles the software action according to the testing result, the testing result being the management mode for software action detection that the test side feeds back to the server-side after detection.
Further, the classification unit includes:
A classification module, configured to classify the software action information according to behavior monitoring type, the behavior monitoring types including a process monitoring class, a file monitoring class, a network monitoring class, a registry monitoring class and a driver monitoring class;
A computing module, configured to calculate the number of test-side devices and determine, according to a preset allocation rule, the allocation method of the test sides corresponding to that number of devices, the preset allocation rule being the correspondence between the number of devices, the identification information of the terminal, and the behavior monitoring type;
A distribution module, configured to distribute the classified software action information to the test sides according to the allocation method.
Further,
The computing module is specifically configured to calculate the number of test-side devices, divide the test sides corresponding to that number of devices by type according to the behavior monitoring type, match the divided test sides with the identification information, and determine the correspondence after matching as the allocation method of the test sides.
Further, the server-side also includes:
A recording unit, configured to record the testing result and store the correspondence between the testing result and the software action information in a preset storage location.
Further, the server-side also includes:
An extraction unit, configured to receive a testing result query request at a preset time interval and, if a testing result corresponding to the software action information exists in the preset storage location, extract the testing result from the preset storage location and feed it back to the terminal, the testing result query request carrying the software action information to be queried.
According to one aspect of the present invention, a terminal is provided, comprising:
An acquiring unit, configured to obtain the software action of running software and identify the operating status of the software action according to a preset behavior collection;
An uploading unit, configured to upload the software action information of the software action to the server-side if identification of the operating status fails, the software action information being the behavior information corresponding to the abnormal behavior identified according to the preset behavior collection;
A receiving unit, configured to receive a testing result and handle the software action according to the testing result, the testing result being the management mode for software action detection that the test side feeds back to the server-side after detection.
Further, the terminal also includes:
A determination unit, configured to determine the operating status of software actions according to the software actions of running software, the operating status including dangerous operation and legal operation;
An updating unit, configured to update the software actions whose operating status can be determined into the preset behavior collection, so that the operating status of all software actions is identified according to the preset behavior collection.
Further, the terminal also includes:
A transmission unit, configured to send a testing result query request, the testing result query request carrying the software action information to be queried.
According to one aspect of the present invention, a storage medium is provided, in which at least one executable instruction is stored, the executable instruction causing a processor to perform the operations corresponding to the above management method for software action detection.
According to one aspect of the present invention, a computer device is provided, comprising: a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another over the communication bus;
The memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above management method for software action detection.
According to one aspect of the present invention, another storage medium is provided, in which at least one executable instruction is stored, the executable instruction causing a processor to perform the operations corresponding to the above other management method for software action detection.
According to one aspect of the present invention, another computer device is provided, comprising: a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another over the communication bus;
The memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above other management method for software action detection.
According to one aspect of the present invention, a management system for software action detection is provided, comprising a server-side and a terminal:
The terminal is configured to obtain the software action of running software and identify the operating status of the software action according to a preset behavior collection;
The terminal is also configured to upload the software action information of the software action to the server-side if identification of the operating status fails, the software action information being the behavior information corresponding to the abnormal behavior identified according to the preset behavior collection;
The server-side is configured to receive software action information to be detected, the software action information being information with which the terminal, according to the preset behavior collection, has identified that abnormal behavior exists in running software;
The server-side is also configured to classify the software action information and distribute it to a test side according to the classification result, so that the test side detects the operating status of the software action according to the software action information and determines a testing result;
The server-side is also configured to feed the testing result back to the terminal if a testing result fed back by the test side is received, so that the terminal handles the software action according to the testing result, the testing result being the management mode for software action detection that the test side feeds back to the server-side after detection;
The terminal is also configured to receive the testing result and handle the software action according to the testing result, the testing result being the management mode for software action detection that the test side feeds back to the server-side after detection.
With the above technical solution, the technical solution provided by the embodiments of the present invention has at least the following advantages:
The present invention provides a management method for software action detection, together with a server-side, a terminal and a system. First, the terminal obtains the software action of running software and identifies the operating status of the software action according to a preset behavior collection. If identification of the operating status fails, the terminal uploads the software action information of the software action to the server-side, the software action information being the behavior information corresponding to the abnormal behavior identified according to the preset behavior collection. The server-side receives the software action information to be detected, classifies it, and distributes it to a test side according to the classification result, so that the test side detects the operating status of the software action according to the software action information and determines a testing result. If the server-side receives the testing result fed back by the test side, it feeds the testing result back to the terminal, so that the terminal handles the software action according to the testing result, the testing result being the management mode for software action detection that the test side feeds back to the server-side after detection. The terminal receives the testing result and handles the software action according to it. Compared with existing management of software action detection, which detects whether a software action is abnormal by manually auditing each computer separately, in the embodiment of the present invention the terminal performs preliminary detection of the software action using the preset behavior collection and, if the operating status of the behavior cannot be determined, sends it to the server-side; the server-side manages the uploaded software action information and distributes it to the test sides corresponding to the different classes for detection. This achieves automatic detection of abnormal software actions, so that software actions are allocated for detection according to a unified standard and the scheduling of detection for unknown software actions is completed, improving the management efficiency of software action detection.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention are more readily apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 shows a flow chart of a management method for software action detection provided by an embodiment of the present invention;
Fig. 2 shows a flow chart of another management method for software action detection provided by an embodiment of the present invention;
Fig. 3 shows a flow chart of another management method for software action detection provided by an embodiment of the present invention;
Fig. 4 shows a flow chart of another management method for software action detection provided by an embodiment of the present invention;
Fig. 5 shows a device block diagram of a server-side provided by an embodiment of the present invention;
Fig. 6 shows a device block diagram of another server-side provided by an embodiment of the present invention;
Fig. 7 shows a device block diagram of a terminal provided by an embodiment of the present invention;
Fig. 8 shows a device block diagram of another terminal provided by an embodiment of the present invention;
Fig. 9 shows a structural schematic diagram of a computer device provided by an embodiment of the present invention;
Fig. 10 shows a structural schematic diagram of a computer device provided by an embodiment of the present invention;
Fig. 11 shows a structural schematic diagram of a management system for software action detection provided by an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
An embodiment of the present invention provides a management method for software action detection. As shown in Fig. 1, the method comprises:
101. Receive software action information to be detected.
The software action information is information with which the terminal, according to the preset behavior collection, has identified that abnormal behavior exists in running software. It includes process category information, file category information and feature category information for the abnormal condition. Process category information includes the process chain, process path, process context, process call relationship and so on. File category information includes the file chain and file attributes, where file attributes include the file name, file size and executable-file PE structure information, that is, whether the file is a PE file, and so on. Feature category information includes action information, window information and so on. For example, action information may be whether the action is process creation, whether it is file creation, whether it is a network query, and so on; window information is, where an interface exists, the size of the window and so on. The embodiment of the present invention does not specifically limit this.
It should be noted that the current server-side may correspond to multiple terminals, and each terminal may identify, according to its own preset behavior collection, whether software action information is abnormal. In the embodiment of the present invention, the preset behavior collection stores behavioral standards by which a software action can be judged legal or dangerous. If the preset behavior collection cannot identify whether a software action is legal or dangerous, the software action is considered abnormal and requires further processing by the server-side. Each terminal therefore uploads the software action information corresponding to the abnormal behavior to the server-side for processing, so that the server-side receives the software action information to be detected. In addition, the software in the embodiment of the present invention is application software suitable for different application platforms, which carries out its corresponding purpose when run.
102. Classify the software action information, and distribute it to a test side according to the classification result.
To facilitate the management of different types of software action information, so that the test side detects the operating status of the software action according to the software action information and determines a testing result, the received software action information needs to be classified. The classes may include a process monitoring class, a file monitoring class, a network monitoring class, a registry monitoring class, a driver monitoring class and so on; the embodiment of the present invention does not specifically limit this. In addition, to facilitate detection by operations personnel, the classified software action information is issued to test sides of different classes according to the terminals used by the different operations personnel, so that operations personnel can carry out targeted detection.
It should be noted that, after receiving the distributed software action information, each test side may choose manual audit, or may choose automatic audit without human involvement according to a preset detection rule, and determines the testing result according to the detected operating status of the software action. The operating status includes legal operation and dangerous operation, and the testing result includes intercept and let pass. In manual audit, the software action information is displayed at the test side and the testing result input by operations personnel is received. In automatic audit, a judgment condition that can evaluate the software action information is selected according to the preset detection rule, for example whether the window size is less than 2*2 pixels: if so, the operating status of the software action information is determined to be dangerous operation and the testing result is intercept; if it is greater than 2*2 pixels, the operating status of the software action information is determined to be legal operation and the testing result is let pass.
103. If a testing result fed back by the test side is received, feed the testing result back to the terminal.
In the embodiment of the present invention, after the test side obtains a testing result, it feeds the testing result back to the server-side, and the server-side, after receiving the testing result, feeds it back to the terminal, so that the terminal handles the software action according to the testing result.
The present invention provides a management method for software action detection. First, software action information to be detected is received, the software action information being information with which the terminal, according to a preset behavior collection, has identified that abnormal behavior exists in running software. The software action information is classified and distributed to a test side according to the classification result, so that the test side detects the operating status of the software action according to the software action information and determines a testing result. If the testing result fed back by the test side is received, it is fed back to the terminal, so that the terminal handles the software action according to the testing result, the testing result being the management mode for software action detection that the test side feeds back to the server-side after detection. Compared with existing management of software action detection, which detects whether a software action is abnormal by manually auditing each computer separately, in the embodiment of the present invention the terminal performs preliminary detection of the software action using the preset behavior collection and, if the operating status of the behavior cannot be determined, sends it to the server-side; the server-side manages the uploaded software action information and distributes it to the test sides corresponding to the different classes for detection. This achieves automatic detection of abnormal software actions, so that software actions are allocated for detection according to a unified standard, improving the management efficiency of software action detection.
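The flow of steps 101 to 103 can be sketched as follows. This is an added example, not code from the patent: the class and field names are hypothetical, "2*2 pixels" is assumed to be compared by window area, and the terminal is assumed to let pass or intercept locally when its preset behavior collection already knows the action.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class State(Enum):
    LEGAL = "legal operation"
    DANGEROUS = "dangerous operation"


class Verdict(Enum):
    LET_PASS = "let pass"
    INTERCEPT = "intercept"


@dataclass(frozen=True)
class ActionInfo:
    """Software action information as uploaded by a terminal (field names assumed)."""
    terminal_id: str
    process_path: str
    action: str                               # e.g. "process_create"
    window: Optional[Tuple[int, int]] = None  # (width, height) in pixels, if any

    def key(self):
        # Identifies what was done, independent of which terminal reported it.
        return (self.process_path, self.action, self.window)


def auto_audit(info):
    """Test-side automatic audit using the window-size rule from the text.

    Assumption: "2*2 pixels" is compared by area. A window of exactly 2*2, or
    no window at all, matches neither branch and is left for manual audit.
    """
    if info.window is None:
        return None
    area = info.window[0] * info.window[1]
    if area < 4:
        return Verdict.INTERCEPT   # dangerous operation
    if area > 4:
        return Verdict.LET_PASS    # legal operation
    return None


class ServerSide:
    def __init__(self, audit=auto_audit):
        self.audit = audit
        self.results = {}   # the "preset storage location": key -> Verdict
        self.pending = {}   # key -> ActionInfo still waiting for manual audit

    def receive(self, info):
        """Accept an upload, have it audited, record and feed back the result."""
        verdict = self.results.get(info.key()) or self.audit(info)
        if verdict is None:
            self.pending[info.key()] = info
        else:
            self.results[info.key()] = verdict
        return verdict

    def record_manual_result(self, info, verdict):
        """Store the testing result entered by operations personnel."""
        self.pending.pop(info.key(), None)
        self.results[info.key()] = verdict

    def query(self, info):
        """Answer a testing result query request from a terminal."""
        return self.results.get(info.key())


class Terminal:
    def __init__(self, behavior_collection, server):
        self.behavior_collection = behavior_collection  # key -> State
        self.server = server

    def handle(self, info):
        state = self.behavior_collection.get(info.key())
        if state is State.LEGAL:        # assumed local handling of known actions
            return Verdict.LET_PASS
        if state is State.DANGEROUS:
            return Verdict.INTERCEPT
        # Identification failed: upload. None means the result is not ready yet.
        return self.server.receive(info)


def demo():
    # Constructed sample data, not taken from the patent.
    known = ActionInfo("T-001", "C:/app/editor.exe", "file_create")
    tiny = ActionInfo("T-001", "C:/tmp/a.exe", "process_create", window=(1, 1))
    normal = ActionInfo("T-002", "C:/tmp/b.exe", "process_create", window=(800, 600))
    headless = ActionInfo("T-002", "C:/tmp/c.exe", "network_query")
    server = ServerSide()
    terminal = Terminal({known.key(): State.LEGAL}, server)
    first = [terminal.handle(i) for i in (known, tiny, normal, headless)]
    server.record_manual_result(headless, Verdict.INTERCEPT)  # operator's input
    return first, server.query(headless), len(server.results)
```

The action without a window comes back as `None` on upload and only gets a result once the manual audit is recorded, which is the case the later query request exists for.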
An embodiment of the present invention provides another management method for software action detection. As shown in Fig. 2, the method comprises:
201. Receive software action information to be detected.
This step is the same as step 101 shown in Fig. 1 and is not repeated here.
202. Classify the software action information according to behavior monitoring type.
The behavior monitoring types include a process monitoring class, a file monitoring class, a network monitoring class, a registry monitoring class and a driver monitoring class. For example, the software action information includes process category information, file category information and feature category information; process category information is assigned to the process monitoring class, file category information is assigned to the file monitoring class, and feature category information is assigned to the network monitoring class, registry monitoring class or driver monitoring class according to its specific content. The embodiment of the present invention does not specifically limit this. Dividing by behavior monitoring class further improves detection efficiency at the test side and unifies the detection standard.
203. Calculate the number of test-side devices, and determine, according to a preset allocation rule, the allocation method of the test sides corresponding to that number of devices.
The preset allocation rule is the correspondence between the number of devices, the identification information of the terminal, and the behavior monitoring type. To calculate the number of test-side devices, the current server-side may send a detection message request to the test sides that can perform detection and, if feedback is received, record information such as the device number fed back, so as to calculate the number of devices; the number of test sides that can perform detection may also be determined by manual input. The embodiment of the present invention does not specifically limit this. In addition, the identification information may be the IP segment of the terminal, or the device number that uniquely identifies the terminal, and so on, and is carried in the software action information when the terminal sends the software action information to the server-side; the embodiment of the present invention does not specifically limit this.
It should be noted that the number of devices may be greater than, or less than or equal to, the number of software action information items detected. When it is greater, the software action information can be distributed arbitrarily, according to type, to the test sides that can perform detection for the corresponding monitoring type. When it is less, the software action information can be sorted according to the identification information, and the sorted software action information cyclically allocated to the test sides corresponding to its behavior monitoring type. The embodiment of the present invention does not specifically limit this.
For example, the number of test sides operated by operations personnel is calculated to be 20: 6 test sides for detecting the process monitoring class, 10 test sides for detecting the file monitoring class, and 4 test sides for detecting the network monitoring class. The number of software action information items to be detected is 10, and their behavior monitoring types are 5 process monitoring class, 2 file monitoring class and 3 network monitoring class. The 5 process monitoring class software action information items can then be distributed arbitrarily to the 6 test sides for detecting the process monitoring class, and so on, which is not repeated here.
In the embodiment of the present invention, step 203 may be further refined and extended as follows: calculate the number of test-side devices, divide the test sides corresponding to that number of devices by type according to the behavior monitoring type, match the divided test sides with the identification information, and determine the correspondence after matching as the allocation method of the test sides.
For example, the number of test-side devices is 10; after division by behavior monitoring type there are 2 process monitoring class, 2 file monitoring class, 4 network monitoring class and 2 registry monitoring class test sides. The software action information to be detected includes 10 process chains with identities 001-010, 20 file sizes with identities 020-040, and 10 window information items with identities 040-050. After matching, the 10 process chains with identities 001-010 are sorted and cyclically allocated to the test sides corresponding to the 2 process monitoring class; the 20 file sizes with identities 020-040 are sorted and cyclically allocated to the 2 file monitoring class test sides; and the 10 window information items with identities 040-050 are sorted and allocated to 2 network monitoring class test sides.
204, the classified software behavior information is allocated to the detection ends according to the allocation method.
205, if the detection result fed back by the detection end is received, the detection result is fed back to the terminal.
This step is the same as step 103 of the method shown in Fig. 1 and is not described again here.
It should be noted that, when a detection result is fed back to the current server, the detection result may carry the device number of the detection end that performed the detection. When the detection of a given piece of software behavior information later needs to be traced back, it is then possible to determine which detection end detected it, which improves the efficiency and diversity of detection.
206, the detection result is recorded, and the correspondence between the detection result and the software behavior information is stored in a preset storage location.
In the embodiment of the present invention, so that the detection result can be determined directly the next time the same software behavior information is received, which improves detection efficiency, reduces detection steps and improves the efficiency with which the server manages received software behavior information, the detection result corresponding to each piece of software behavior information that is fed back is recorded, and the correspondence between that detection result and the corresponding software behavior information is stored in a preset storage location. The preset storage location may be a local storage location or cloud storage; the embodiment of the present invention does not specifically limit this.
Further, the embodiment of the present invention also includes: receiving a detection result query request at a preset time interval, and, if a detection result corresponding to the software behavior information exists in the preset storage location, extracting the detection result from the preset storage location and feeding it back to the terminal, where the detection result query request carries the software behavior information to be queried.
In the embodiment of the present invention, to improve the efficiency with which the terminal obtains detection results, the detection result query request sent by the terminal can be received at a preset time interval, so that when a detection result corresponding to the software behavior information exists in the preset storage location, the detection result is extracted directly and fed back to the terminal, which speeds up the terminal's retrieval of the result. When no detection result exists in the preset storage location, the detection end has not yet produced one, and the terminal needs to keep waiting until the server receives the detection result fed back by the detection end.
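The server-side flow of steps 202 to 206 and the result query can be sketched as follows. This is an added example, not code from the patent: the class and function names, the record fields (`terminal`, `ident`, `type`, `detail`), the verdict names and the sample data are all assumptions, and cyclic allocation is used for both the "more devices than items" and "fewer devices than items" cases, since the former permits any distribution.

```python
import hashlib
from collections import defaultdict
from itertools import cycle

MONITOR_TYPES = ("process", "file", "network", "registry", "driver")
VERDICTS = ("allow", "intercept")  # assumed names for the two management modes


def behavior_key(info):
    """Key a behavior by type and content, not by the terminal that reported it."""
    raw = f'{info["type"]}\x00{info["detail"]}'.encode()
    return hashlib.sha256(raw).hexdigest()


class Dispatcher:
    def __init__(self, detectors):
        # detectors: iterable of (device_id, monitor_type) pairs
        self.pools = defaultdict(list)
        for device_id, mtype in detectors:
            if mtype not in MONITOR_TYPES:
                raise ValueError(f"unknown monitoring type: {mtype}")
            self.pools[mtype].append(device_id)
        for pool in self.pools.values():
            pool.sort()
        self.results = {}  # step 206: behavior key -> stored detection result

    def allocate(self, infos):
        """Steps 202-204. Returns (plan, cached, unassigned)."""
        plan, groups = defaultdict(list), defaultdict(list)
        cached, unassigned = [], []
        for info in infos:
            if behavior_key(info) in self.results:
                cached.append(info)          # already detected: answer from the store
            else:
                groups[info["type"]].append(info)
        for mtype, group in groups.items():
            pool = self.pools.get(mtype)
            if not pool:                     # no detection end of this class
                unassigned.extend(group)
                continue
            group.sort(key=lambda i: i["ident"])   # sort by identification info
            for info, device_id in zip(group, cycle(pool)):
                plan[device_id].append(info)       # cyclic allocation
        return dict(plan), cached, unassigned

    def record_result(self, info, device_id, verdict):
        """Steps 205-206: keep the verdict and which detection end produced it."""
        if verdict not in VERDICTS:
            raise ValueError(f"unknown verdict: {verdict}")
        if device_id not in self.pools.get(info["type"], []):
            raise ValueError(f"{device_id} does not handle {info['type']}")
        self.results[behavior_key(info)] = {"verdict": verdict,
                                            "detector": device_id}

    def query(self, info):
        """Query request: stored result, or None while detection is pending."""
        return self.results.get(behavior_key(info))


def sample_run():
    """Constructed sample: 10 detection ends, 41 behavior records."""
    detectors = [("D01", "process"), ("D02", "process"), ("D03", "file"),
                 ("D04", "file"), ("D05", "network"), ("D06", "network"),
                 ("D07", "network"), ("D08", "network"),
                 ("D09", "registry"), ("D10", "registry")]

    def rec(n, mtype, detail):
        return {"terminal": "T-1", "ident": f"{n:03d}",
                "type": mtype, "detail": detail}

    infos = [rec(n, "process", f"process-chain-{n}") for n in range(1, 11)]
    infos += [rec(n, "file", f"file-size-{n}") for n in range(20, 40)]
    infos += [rec(n, "network", f"window-info-{n}") for n in range(40, 50)]
    infos.append(rec(60, "driver", "driver-load-60"))  # no driver detection end
    dispatcher = Dispatcher(detectors)
    plan, cached, unassigned = dispatcher.allocate(infos)
    return dispatcher, infos, plan, cached, unassigned


if __name__ == "__main__":
    _, _, plan, _, unassigned = sample_run()
    for device_id in sorted(plan):
        print(device_id, [i["ident"] for i in plan[device_id]])
    print("unassigned:", [i["ident"] for i in unassigned])
```

Records whose class has no detection end are returned as `unassigned` rather than dropped, so the server can decide how to handle them.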
The present invention provides another management method for software behavior detection. Compared with the existing management of software behavior detection, in which each computer is manually audited separately to check whether its software behavior is abnormal, in the embodiment of the present invention the terminal performs a preliminary detection of software behavior using a preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classes for detection. This achieves automatic detection of abnormal software behavior, allocates software behavior for detection according to a unified standard, and improves the efficiency of managing software behavior detection.
The embodiment of the present invention provides another management method for software behavior detection. As shown in Fig. 3, the method includes:
301, the software behavior of running software is obtained, and the running state of the software behavior is identified according to a preset behavior set.
The software behavior is a specific action produced while the software runs, including running a process, reading a file and so on. The running state includes legal running and dangerous running. The preset behavior set contains the behavioral standards by which a software behavior can be judged legal or dangerous; that is, by comparing a software behavior with the software behaviors in the preset behavior set, it can be determined whether the behavior is legal running or dangerous running.
302, if identifying the running state fails, the software behavior information of the software behavior is uploaded to the server.
The software behavior information is the behavior information corresponding to behavior identified as abnormal according to the preset behavior set. In the embodiment of the present invention, abnormal behavior is software behavior that the preset behavior set cannot identify as either legal running or dangerous running; that is, the behavioral standards in the preset behavior set are either black or white. When the terminal has compared a software behavior against the behavioral standards in the preset behavior set and cannot determine whether it is legal or dangerous, the software behavior information needs to be uploaded to the server, and the server carries out the detection.
It should be noted that, so that the software behavior information uploaded by a terminal can be identified accurately, the software behavior information carries the identification information of the terminal, so that the detection result can be obtained accurately when a detection result query request is sent.
303, a detection result is received, and the software behavior is handled according to the detection result.
The detection result is the management mode for the software behavior that is fed back to the server after the detection end performs detection. The management mode is a release (allow) operation or an intercept operation on the software behavior; the embodiment of the present invention does not specifically limit this.
In the embodiment of the present invention, multiple terminals send software behavior information to one server, so that the server manages it in a unified way, which improves the accuracy and efficiency of detecting software behavior information.
The present invention provides another management method for software behavior detection. First, the software behavior of running software is obtained, and the running state of the software behavior is identified according to a preset behavior set. If identifying the running state fails, the software behavior information of the software behavior is uploaded to the server, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set. A detection result is then received, and the software behavior is handled according to the detection result, the detection result being the management mode for the software behavior that is fed back to the server after the detection end performs detection. Compared with the existing management of software behavior detection, in which each computer is manually audited separately to check whether its software behavior is abnormal, in the embodiment of the present invention the terminal performs a preliminary detection of software behavior using the preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classes for detection. This achieves automatic detection of abnormal software behavior, allocates software behavior for detection according to a unified standard, and improves the efficiency of managing software behavior detection.
The embodiment of the present invention provides another management method for software behavior detection. As shown in Fig. 4, the method includes:
401, the running state of software behavior is determined according to the software behavior of software that has been run.
In the embodiment of the present invention, in order to separate dangerous running from legal running accurately, a running state is defined for the software behaviors of software that has been run; the running state includes dangerous running and legal running. Software behavior can be defined by running a given piece of software on different platforms and collecting statistics on the behavior features obtained, that is, statistics on five types of behavior: file, process, network, registry and driver. The behaviors counted by type are then divided, according to what they have in common, into the specific behavior features of dangerous running and legal running, for example black behavior or white behavior. A behavior that matches neither the dangerous-running nor the legal-running behavior features is defined as grey behavior. The embodiment of the present invention does not specifically limit this.
402, software behavior whose running state can be determined is updated into the preset behavior set.
In the embodiment of the present invention, in order to improve the accuracy of determining the running state of software behavior, and to prevent the running states of the software behaviors in the preset behavior set from becoming outdated, the preset behavior set needs to be updated in time, so that the running state of all software behaviors is identified according to the preset behavior set.
It should be noted that the software behaviors stored in the preset behavior set are the behaviors with clear black or white features, obtained by running software in batches and collecting statistics on what the behaviors have in common for each of the five types: file, process, network, registry and driver.
403, the software behavior of running software is obtained, and the running state of the software behavior is identified according to the preset behavior set.
This step is the same as step 301 of the method shown in Fig. 3 and is not described again here.
404, if identifying the running state fails, the software behavior information of the software behavior is uploaded to the server.
This step is the same as step 302 of the method shown in Fig. 3 and is not described again here.
405, a detection result is received, and the software behavior is handled according to the detection result.
This step is the same as step 303 of the method shown in Fig. 3 and is not described again here.
Further, to cover the case where the server does not feed back the detection result in time, or where an unavoidable factor causes the detection result not to be fed back, the embodiment of the present invention also includes: sending a detection result query request, where the detection result query request carries the software behavior information to be queried.
The present invention provides another management method for software behavior detection. Compared with the existing management of software behavior detection, in which each computer is manually audited separately to check whether its software behavior is abnormal, in the embodiment of the present invention the terminal performs a preliminary detection of software behavior using a preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classes for detection. This achieves automatic detection of abnormal software behavior, allocates software behavior for detection according to a unified standard, and improves the efficiency of managing software behavior detection.
Further, as an implementation of the method shown in Fig. 1, the embodiment of the present invention provides a server. As shown in Fig. 5, the server includes: a receiving unit 51, a classification unit 52 and a feedback unit 53.
Receiving unit 51 is used to receive software behavior information to be detected, the software behavior information being information on abnormal behavior in running software that the terminal has identified according to a preset behavior set;
Classification unit 52 is used to classify the software behavior information and distribute it to detection ends according to the classification result, so that the detection ends detect the running state of the software behavior according to the software behavior information and determine a detection result;
Feedback unit 53 is used to feed the detection result back to the terminal if the detection result fed back by the detection end is received, so that the terminal handles the software behavior according to the detection result, the detection result being the management mode for the software behavior that is fed back to the server after the detection end performs detection.
The present invention provides a server. First, software behavior information to be detected is received, the software behavior information being information on abnormal behavior in running software that the terminal has identified according to a preset behavior set. The software behavior information is classified and distributed to detection ends according to the classification result, so that the detection ends detect the running state of the software behavior according to the software behavior information and determine a detection result. If the detection result fed back by the detection end is received, the detection result is fed back to the terminal, so that the terminal handles the software behavior according to the detection result, the detection result being the management mode for the software behavior that is fed back to the server after the detection end performs detection. Compared with the existing management of software behavior detection, in which each computer is manually audited separately to check whether its software behavior is abnormal, in the embodiment of the present invention the terminal performs a preliminary detection of software behavior using the preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classes for detection. This achieves automatic detection of abnormal software behavior, allocates software behavior for detection according to a unified standard, and improves the efficiency of managing software behavior detection.
Further, as an implementation of the method shown in Fig. 2, the embodiment of the present invention provides another server. As shown in Fig. 6, the server includes: a receiving unit 61, a classification unit 62, a feedback unit 63, a recording unit 64 and an extraction unit 65.
Receiving unit 61 is used to receive software behavior information to be detected, the software behavior information being information on abnormal behavior in running software that the terminal has identified according to a preset behavior set;
Classification unit 62 is used to classify the software behavior information and distribute it to detection ends according to the classification result, so that the detection ends detect the running state of the software behavior according to the software behavior information and determine a detection result;
Feedback unit 63 is used to feed the detection result back to the terminal if the detection result fed back by the detection end is received, so that the terminal handles the software behavior according to the detection result, the detection result being the management mode for the software behavior that is fed back to the server after the detection end performs detection.
Further, the classification unit 62 includes:
Classification module 6201, used to classify the software behavior information according to behavior monitoring type, the behavior monitoring types including a process monitoring class, a file monitoring class, a network monitoring class, a registry monitoring class and a driver monitoring class;
Computing module 6202, used to calculate the number of detection-end devices and to determine, according to a preset allocation rule, the allocation method of the detection ends corresponding to that number of devices, the preset allocation rule being the correspondence between the number of devices, the identification information of the terminal and the behavior monitoring type;
Distribution module 6203, used to allocate the classified software behavior information to the detection ends according to the allocation method.
Further, the computing module 6202 is specifically used to calculate the number of detection-end devices, divide the detection ends corresponding to that number into types according to the behavior monitoring type, match the divided detection ends with the identification information, and determine the correspondence obtained after matching as the allocation method of the detection ends.
Further, the server also includes:
Recording unit 64, used to record the detection result and store the correspondence between the detection result and the software behavior information in a preset storage location.
Further, the server also includes:
Extraction unit 65, used to receive a detection result query request at a preset time interval and, if a detection result corresponding to the software behavior information exists in the preset storage location, extract the detection result from the preset storage location and feed it back to the terminal, where the detection result query request carries the software behavior information to be queried.
The present invention provides another server. Compared with the existing management of software behavior detection, in which each computer is manually audited separately to check whether its software behavior is abnormal, in the embodiment of the present invention the terminal performs a preliminary detection of software behavior using a preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classes for detection. This achieves automatic detection of abnormal software behavior, allocates software behavior for detection according to a unified standard, and improves the efficiency of managing software behavior detection.
Further, as an implementation of the method shown in Fig. 3, the embodiment of the present invention provides a terminal. As shown in Fig. 7, the terminal includes: an acquiring unit 71, an uploading unit 72 and a receiving unit 73.
Acquiring unit 71 is used to obtain the software behavior of running software and to identify the running state of the software behavior according to a preset behavior set;
Uploading unit 72 is used to upload the software behavior information of the software behavior to the server if identifying the running state fails, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set;
Receiving unit 73 is used to receive a detection result and to handle the software behavior according to the detection result, the detection result being the management mode for the software behavior that is fed back to the server after the detection end performs detection.
The present invention provides a terminal. First, the software behavior of running software is obtained, and the running state of the software behavior is identified according to a preset behavior set. If identifying the running state fails, the software behavior information of the software behavior is uploaded to the server, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set. A detection result is then received, and the software behavior is handled according to the detection result, the detection result being the management mode for the software behavior that is fed back to the server after the detection end performs detection. Compared with the existing management of software behavior detection, in which each computer is manually audited separately to check whether its software behavior is abnormal, in the embodiment of the present invention the terminal performs a preliminary detection of software behavior using the preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classes for detection. This achieves automatic detection of abnormal software behavior, allocates software behavior for detection according to a unified standard, and improves the efficiency of managing software behavior detection.
Further, as an implementation of the method shown in Fig. 4, the embodiment of the present invention provides another terminal. As shown in Fig. 8, the terminal includes: an acquiring unit 81, an uploading unit 82, a receiving unit 83, a determination unit 84, an updating unit 85 and a sending unit 86.
Acquiring unit 81 is used to obtain the software behavior of running software and to identify the running state of the software behavior according to a preset behavior set;
Uploading unit 82 is used to upload the software behavior information of the software behavior to the server if identifying the running state fails, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set;
Receiving unit 83 is used to receive a detection result and to handle the software behavior according to the detection result, the detection result being the management mode for the software behavior that is fed back to the server after the detection end performs detection.
Further, the terminal also includes:
Determination unit 84, used to determine the running state of software behavior according to the software behavior of software that has been run, the running state including dangerous running and legal running;
Updating unit 85, used to update software behavior whose running state can be determined into the preset behavior set, so that the running state of all software behaviors is identified according to the preset behavior set.
Further, the terminal also includes:
Sending unit 86, used to send a detection result query request, where the detection result query request carries the software behavior information to be queried.
The present invention provides a terminal. Compared with the existing management of software behavior detection, in which each computer is manually audited separately to check whether its software behavior is abnormal, in the embodiment of the present invention the terminal performs a preliminary detection of software behavior using a preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classes for detection. This achieves automatic detection of abnormal software behavior, allocates software behavior for detection according to a unified standard, and improves the efficiency of managing software behavior detection.
According to an embodiment of the present invention, a storage medium is provided. The storage medium stores at least one executable instruction, and the computer-executable instruction can perform the management method for software behavior detection in any of the method embodiments above.
Fig. 9 shows a schematic structural diagram of a computer device provided according to an embodiment of the present invention. The specific embodiments of the present invention do not limit the specific implementation of the computer device.
As shown in Fig. 9, the computer device may include: a processor 902, a communications interface 904, a memory 906 and a communication bus 908.
The processor 902, the communications interface 904 and the memory 906 communicate with one another through the communication bus 908.
Communications interface 904 is used to communicate with network elements of other devices, such as clients or other servers.
Processor 902 is used to execute program 910, and may specifically perform the relevant steps in the above embodiments of the management of software behavior detection.
Specifically, program 910 may include program code, and the program code includes computer operation instructions.
Processor 902 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC, Application Specific Integrated Circuit), or one or more integrated circuits configured to implement the embodiment of the present invention. The one or more processors included in the computer device may be processors of the same type, such as one or more CPUs, or processors of different types, such as one or more CPUs and one or more ASICs.
Memory 906 is used to store program 910. Memory 906 may include high-speed RAM, and may also include non-volatile memory, for example at least one disk memory.
Program 910 may specifically be used to cause processor 902 to perform the following operations:
Receive software behavior information to be detected, the software behavior information being information on abnormal behavior in running software that the terminal has identified according to a preset behavior set;
Classify the software behavior information and distribute it to detection ends according to the classification result, so that the detection ends detect the running state of the software behavior according to the software behavior information and determine a detection result;
If the detection result fed back by the detection end is received, feed the detection result back to the terminal, so that the terminal handles the software behavior according to the detection result, the detection result being the management mode for the software behavior that is fed back to the server after the detection end performs detection.
According to an embodiment of the present invention, a storage medium is provided. The storage medium stores at least one executable instruction, and the computer-executable instruction can perform the management method for software behavior detection in any of the method embodiments above.
Fig. 10 shows a schematic structural diagram of a computer device provided according to an embodiment of the present invention. The specific embodiments of the present invention do not limit the specific implementation of the computer device.
As shown in Fig. 10, the computer device may include: a processor 1002, a communications interface 1004, a memory 1006 and a communication bus 1008.
The processor 1002, the communications interface 1004 and the memory 1006 communicate with one another through the communication bus 1008.
Communications interface 1004 is used to communicate with network elements of other devices, such as clients or other servers.
Processor 1002 is used to execute program 1010, and may specifically perform the relevant steps in the above embodiments of the management of software behavior detection.
Specifically, program 1010 may include program code, and the program code includes computer operation instructions.
Processor 1002 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC, Application Specific Integrated Circuit), or one or more integrated circuits configured to implement the embodiment of the present invention. The one or more processors included in the computer device may be processors of the same type, such as one or more CPUs, or processors of different types, such as one or more CPUs and one or more ASICs.
Memory 1006 is used to store program 1010. Memory 1006 may include high-speed RAM, and may also include non-volatile memory, for example at least one disk memory.
Program 1010 may specifically be used to cause processor 1002 to perform the following operations:
Obtain the software behavior of running software, and identify the running state of the software behavior according to a preset behavior set;
If identifying the running state fails, upload the software behavior information of the software behavior to the server, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set;
Receive a detection result, and handle the software behavior according to the detection result, the detection result being the management mode for the software behavior that is fed back to the server after the detection end performs detection.
An embodiment of the present invention provides a management system for software behavior detection which, as shown in Figure 11, comprises a server 1101 and a terminal 1102.
The terminal 1102 is used to obtain the software behavior of running software, and to identify the running state of the software behavior according to a preset behavior set;
the terminal 1102 is further used to upload the software behavior information of the software behavior to the server if identification of the running state fails, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set;
the server 1101 is used to receive software behavior information to be detected, the software behavior information being information, identified by the terminal according to the preset behavior set, indicating that abnormal behavior exists in the running of software;
the server 1101 is further used to classify the software behavior information and distribute it to detection ends according to the classification result, so that a detection end detects the running state of the software behavior according to the software behavior information and determines a detection result;
the server 1101 is further used to feed the detection result back to the terminal if the detection result fed back by the detection end is received, so that the terminal handles the software behavior according to the detection result, the detection result being fed back to the server by the detection end after detection;
the terminal 1102 is further used to receive the detection result and to handle the software behavior according to the detection result, the detection result being fed back to the server by the detection end after detection.
The present invention provides a management system for software behavior detection. The terminal first obtains the software behavior of running software and identifies the running state of the software behavior according to a preset behavior set; if identification of the running state fails, it uploads the software behavior information of the software behavior to the server, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set. The server receives the software behavior information to be detected, classifies it, and distributes it to detection ends according to the classification result, so that a detection end detects the running state of the software behavior according to the software behavior information and determines a detection result. If the server receives the detection result fed back by the detection end, it feeds the detection result back to the terminal; the terminal receives the detection result and handles the software behavior according to it. Compared with existing management of software behavior detection, in which each computer is manually audited separately to detect whether software behavior is abnormal, in the embodiments of the present invention the terminal performs preliminary detection of software behavior using the preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, which manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classes for detection. This achieves automatic detection of abnormal software behavior, so that software behavior is allocated for detection according to a unified standard, improving the efficiency of managing software behavior detection.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the description of a specific language above is given to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided here. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together into a single embodiment, figure or description thereof. This method of disclosure, however, should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. The claims following the detailed description are therefore hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and they may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will appreciate that, although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all functions of some or all components of the asset data management method and apparatus according to embodiments of the invention. The invention may also be implemented as a device or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The embodiments of the invention also include:
A1. A management method for software behavior detection, comprising:
receiving software behavior information to be detected, the software behavior information being information, identified by a terminal according to a preset behavior set, indicating that abnormal behavior exists in the running of software;
classifying the software behavior information and distributing it to detection ends according to the classification result, so that a detection end detects the running state of the software behavior according to the software behavior information and determines a detection result;
if the detection result fed back by the detection end is received, feeding the detection result back to the terminal, so that the terminal handles the software behavior according to the detection result, the detection result being fed back to the server by the detection end after detection.
A2. The method according to A1, wherein classifying the software behavior information and distributing it to detection ends according to the classification result comprises:
classifying the software behavior information by behavior monitoring type, the behavior monitoring types including a process monitoring class, a file monitoring class, a network monitoring class, a registry monitoring class and a driver monitoring class;
counting the number of detection-end devices, and determining, according to a preset allocation rule, the allocation mode of the detection ends corresponding to that number of devices, the preset allocation rule being the correspondence among the number of devices, the identity information of the terminal and the behavior monitoring type;
distributing the classified software behavior information to the detection ends according to the allocation mode.
A3. The method according to A2, wherein counting the number of detection-end devices and determining, according to the preset allocation rule, the allocation mode of the detection ends corresponding to that number of devices comprises:
counting the number of detection-end devices, dividing the detection ends corresponding to that number by type according to the behavior monitoring types, matching the divided detection ends with the identity information, and determining the correspondence after matching as the allocation mode of the detection ends.
A4. The method according to A1 or A2, wherein, after the detection result is fed back to the terminal if the detection result fed back by the detection end is received, the method further comprises:
recording the detection result, and storing the correspondence between the detection result and the software behavior information in a preset storage location.
A5. The method according to A4, the method further comprising:
receiving detection result query requests at a preset time interval, and, if a detection result corresponding to the software behavior information exists in the preset storage location, extracting the detection result from the preset storage location and feeding it back to the terminal, the detection result query request carrying the software behavior information to be queried.
B6. A management method for software behavior detection, comprising:
obtaining the software behavior of running software, and identifying the running state of the software behavior according to a preset behavior set;
if identification of the running state fails, uploading the software behavior information of the software behavior to the server, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set;
receiving a detection result, and handling the software behavior according to the detection result, the detection result being fed back to the server by the detection end after detection.
B7. The method according to B6, wherein, before obtaining the software behavior of running software and identifying the running state of the software behavior according to the preset behavior set, the method further comprises:
determining the running state of software behavior according to the software behavior of running software, the running states including dangerous running and legal running;
updating the software behavior whose running state can be determined into the preset behavior set, so that the running state of all software behavior is identified according to the preset behavior set.
B8. The method according to B7, wherein, before receiving the detection result and handling the software behavior according to the detection result, the method further comprises:
sending a detection result query request, the detection result query request carrying the software behavior information to be queried.
C9. A server, comprising:
a receiving unit, for receiving software behavior information to be detected, the software behavior information being information, identified by a terminal according to a preset behavior set, indicating that abnormal behavior exists in the running of software;
a classification unit, for classifying the software behavior information and distributing it to detection ends according to the classification result, so that a detection end detects the running state of the software behavior according to the software behavior information and determines a detection result;
a feedback unit, for feeding the detection result back to the terminal if the detection result fed back by the detection end is received, so that the terminal handles the software behavior according to the detection result, the detection result being fed back to the server by the detection end after detection.
C10. The server according to C9, wherein the classification unit comprises:
a classification module, for classifying the software behavior information by behavior monitoring type, the behavior monitoring types including a process monitoring class, a file monitoring class, a network monitoring class, a registry monitoring class and a driver monitoring class;
a computing module, for counting the number of detection-end devices and determining, according to a preset allocation rule, the allocation mode of the detection ends corresponding to that number of devices, the preset allocation rule being the correspondence among the number of devices, the identity information of the terminal and the behavior monitoring type;
a distribution module, for distributing the classified software behavior information to the detection ends according to the allocation mode.
C11. The server according to C10, wherein
the computing module is specifically used for counting the number of detection-end devices, dividing the detection ends corresponding to that number by type according to the behavior monitoring types, matching the divided detection ends with the identity information, and determining the correspondence after matching as the allocation mode of the detection ends.
C12. The server according to C8 or C9, the server further comprising:
a recording unit, for recording the detection result and storing the correspondence between the detection result and the software behavior information in a preset storage location.
C13. The server according to C12, the server further comprising:
an extraction unit, for receiving detection result query requests at a preset time interval and, if a detection result corresponding to the software behavior information exists in the preset storage location, extracting the detection result from the preset storage location and feeding it back to the terminal, the detection result query request carrying the software behavior information to be queried.
D14. A terminal, comprising:
an acquiring unit, for obtaining the software behavior of running software and identifying the running state of the software behavior according to a preset behavior set;
an uploading unit, for uploading the software behavior information of the software behavior to the server if identification of the running state fails, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set;
a receiving unit, for receiving a detection result and handling the software behavior according to the detection result, the detection result being fed back to the server by the detection end after detection.
D15. The terminal according to D14, the terminal further comprising:
a determination unit, for determining the running state of software behavior according to the software behavior of running software, the running states including dangerous running and legal running;
an updating unit, for updating the software behavior whose running state can be determined into the preset behavior set, so that the running state of all software behavior is identified according to the preset behavior set.
D16. The terminal according to D15, the terminal further comprising:
a sending unit, for sending a detection result query request, the detection result query request carrying the software behavior information to be queried.
E17. A storage medium storing at least one executable instruction, the executable instruction causing a processor to perform the operations corresponding to the management method for software behavior detection according to any one of A1-A5.
F18. A computer device, comprising: a processor, a memory, a communications interface and a communication bus, the processor, the memory and the communications interface communicating with one another over the communication bus;
the memory is used to store at least one executable instruction, the executable instruction causing the processor to perform the operations corresponding to the management method for software behavior detection according to any one of A1-A5.
G19. A storage medium storing at least one executable instruction, the executable instruction causing a processor to perform the operations corresponding to the management method for software behavior detection according to any one of B6-B8.
H20. A computer device, comprising: a processor, a memory, a communications interface and a communication bus, the processor, the memory and the communications interface communicating with one another over the communication bus;
the memory is used to store at least one executable instruction, the executable instruction causing the processor to perform the operations corresponding to the management method for software behavior detection according to any one of B6-B8.
I21. A management system for software behavior detection, comprising: the server according to any one of C9-C13 and the terminal according to any one of D14-D16.
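The terminal and server flow of embodiments A1-A5 and B6-B8, sketched in Python as an added example (not code from the patent). The record layout, the `event` prefix convention, the round-robin split of detection ends across monitoring types, the CRC32 matching of terminal identity to a detection end, the verdict callable and the local caching of verdicts are all assumptions; the patent specifies none of them.

```python
import zlib
from dataclasses import dataclass
from enum import Enum

class MonitorType(Enum):            # the five monitoring classes listed in A2
    PROCESS = "process"
    FILE = "file"
    NETWORK = "network"
    REGISTRY = "registry"
    DRIVER = "driver"

class State(Enum):                  # the two running states listed in B7
    LEGAL = "legal"
    DANGEROUS = "dangerous"

@dataclass(frozen=True)
class Behavior:                     # assumed record layout; hashable, so usable as a key
    software: str
    event: str                      # assumed "<monitoring class>.<action>" convention
    target: str

class DetectionEnd:
    """Stand-in for a detection end; verdict_fn is a placeholder for its analysis."""
    def __init__(self, name, verdict_fn):
        self.name, self.verdict_fn, self.queue = name, verdict_fn, []
    def run_pending(self, server):
        while self.queue:
            behavior = self.queue.pop(0)
            server.record(behavior, self.verdict_fn(behavior))

class Server:
    def __init__(self, ends):
        if not ends:
            raise ValueError("at least one detection end is required")
        self.ends, self.results = list(ends), {}

    def classify(self, behavior):   # ValueError if outside the five monitoring classes
        return MonitorType(behavior.event.split(".", 1)[0])

    def allocate(self, terminal_id, mtype):
        # Assumed rule: split ends round-robin by monitoring type, then match the
        # terminal identity to one end in that type's pool.
        slot = list(MonitorType).index(mtype)
        pool = [i for i in range(len(self.ends)) if i % len(MonitorType) == slot]
        pool = pool or [slot % len(self.ends)]   # fewer ends than types: share one
        return self.ends[pool[zlib.crc32(terminal_id.encode()) % len(pool)]]

    def receive(self, terminal_id, behavior):
        end = self.allocate(terminal_id, self.classify(behavior))
        if behavior not in self.results and behavior not in end.queue:
            end.queue.append(behavior)
        return end.name

    def record(self, behavior, state):           # A4: keep result keyed by behavior
        self.results[behavior] = state
    def query(self, behavior):                   # A5: None until a result is stored
        return self.results.get(behavior)

class Terminal:
    def __init__(self, terminal_id, server, preset):
        self.terminal_id, self.server = terminal_id, server
        self.preset, self.pending = dict(preset), set()   # preset: Behavior -> State

    def observe(self, behavior):
        state = self.preset.get(behavior)
        if state is not None:
            return self._handle(state)
        if behavior not in self.pending:         # identification failed: upload once
            self.server.receive(self.terminal_id, behavior)
            self.pending.add(behavior)
        return "uploaded"

    def poll(self):
        handled = {}
        for behavior in list(self.pending):      # one result query per pending item
            state = self.server.query(behavior)
            if state is not None:
                self.pending.discard(behavior)
                self.preset[behavior] = state    # assumption: cache the verdict locally
                handled[behavior] = self._handle(state)
        return handled

    def _handle(self, state):
        return "blocked" if state is State.DANGEROUS else "allowed"

def demo():
    # Constructed sample data: names, events, targets and verdicts are illustrative.
    verdict = lambda b: State.DANGEROUS if b.event == "registry.set_value" else State.LEGAL
    ends = [DetectionEnd(f"end-{i}", verdict) for i in range(5)]
    server = Server(ends)
    save = Behavior("editor.exe", "file.write", "C:/Users/a/doc.txt")
    reg = Behavior("updater.exe", "registry.set_value", "HKCU/Software/Example")
    terminal = Terminal("terminal-01", server, {save: State.LEGAL})
    steps = [terminal.observe(save), terminal.observe(reg), terminal.poll()]
    for end in ends:
        end.run_pending(server)
    steps += [terminal.poll(), terminal.observe(reg)]
    return steps, reg
```

The first poll returns nothing because no detection end has reported yet; the terminal only acts on the uploaded behavior once the server has a stored result for it.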

Claims (10)

1. A management method for software behavior detection, characterized by comprising:
receiving software behavior information to be detected, the software behavior information being information, identified by a terminal according to a preset behavior set, indicating that abnormal behavior exists in the running of software;
classifying the software behavior information and distributing it to detection ends according to the classification result, so that a detection end detects the running state of the software behavior according to the software behavior information and determines a detection result;
if the detection result fed back by the detection end is received, feeding the detection result back to the terminal, so that the terminal handles the software behavior according to the detection result, the detection result being fed back to the server by the detection end after detection.
2. The method according to claim 1, characterized in that classifying the software behavior information and distributing it to detection ends according to the classification result comprises:
classifying the software behavior information by behavior monitoring type, the behavior monitoring types including a process monitoring class, a file monitoring class, a network monitoring class, a registry monitoring class and a driver monitoring class;
counting the number of detection-end devices, and determining, according to a preset allocation rule, the allocation mode of the detection ends corresponding to that number of devices, the preset allocation rule being the correspondence among the number of devices, the identity information of the terminal and the behavior monitoring type;
distributing the classified software behavior information to the detection ends according to the allocation mode.
3. A management method for software behavior detection, characterized by comprising:
obtaining the software behavior of running software, and identifying the running state of the software behavior according to a preset behavior set;
if identification of the running state fails, uploading the software behavior information of the software behavior to the server, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set;
receiving a detection result, and handling the software behavior according to the detection result, the detection result being fed back to the server by the detection end after detection.
4. A server, characterized by comprising:
a receiving unit, for receiving software behavior information to be detected, the software behavior information being information, identified by a terminal according to a preset behavior set, indicating that abnormal behavior exists in the running of software;
a classification unit, for classifying the software behavior information and distributing it to detection ends according to the classification result, so that a detection end detects the running state of the software behavior according to the software behavior information and determines a detection result;
a feedback unit, for feeding the detection result back to the terminal if the detection result fed back by the detection end is received, so that the terminal handles the software behavior according to the detection result, the detection result being fed back to the server by the detection end after detection.
5. A terminal, characterized by comprising:
an acquiring unit, for obtaining the software behavior of running software and identifying the running state of the software behavior according to a preset behavior set;
an uploading unit, for uploading the software behavior information of the software behavior to the server if identification of the running state fails, the software behavior information being the behavior information corresponding to behavior identified as abnormal according to the preset behavior set;
a receiving unit, for receiving a detection result and handling the software behavior according to the detection result, the detection result being fed back to the server by the detection end after detection.
6. A storage medium storing at least one executable instruction, the executable instruction causing a processor to perform the operations corresponding to the management method for software behavior detection according to any one of claims 1-2.
7. A computer device, comprising: a processor, a memory, a communications interface and a communication bus, the processor, the memory and the communications interface communicating with one another over the communication bus;
the memory is used to store at least one executable instruction, the executable instruction causing the processor to perform the operations corresponding to the management method for software behavior detection according to any one of claims 1-2.
8. A storage medium storing at least one executable instruction, the executable instruction causing a processor to perform the operations corresponding to the management method for software behavior detection according to claim 3.
9. A computer device, comprising: a processor, a memory, a communications interface and a communication bus, the processor, the memory and the communications interface communicating with one another over the communication bus;
the memory is used to store at least one executable instruction, the executable instruction causing the processor to perform the operations corresponding to the management method for software behavior detection according to claim 3.
10. A management system for software behavior detection, characterized by comprising: the server according to claim 4 and the terminal according to claim 5.
CN201811640645.6A 2018-12-29 2018-12-29 Management method for software behavior detection, server, terminal and system Active CN109784052B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811640645.6A CN109784052B (en) 2018-12-29 2018-12-29 Management method for software behavior detection, server, terminal and system

Publications (2)

Publication Number Publication Date
CN109784052A true CN109784052A (en) 2019-05-21
CN109784052B CN109784052B (en) 2021-07-20

Family

ID=66499464

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811640645.6A Active CN109784052B (en) 2018-12-29 2018-12-29 Management method for software behavior detection, server, terminal and system

Country Status (1)

Country Link
CN (1) CN109784052B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105072045A (en) * 2015-08-10 2015-11-18 济南大学 Wireless router capable of discovering malicious software network behaviors
CN105069355A (en) * 2015-08-26 2015-11-18 厦门市美亚柏科信息股份有限公司 Static detection method and apparatus for webshell deformation
CN106230772A (en) * 2016-07-07 2016-12-14 国网青海省电力公司 Industry internet Deviant Behavior excavates scheme
EP3222207A1 (en) * 2016-03-23 2017-09-27 Thomson Licensing System and method for non-intrusive detection and monitoring of parkinson's disease symptoms
CN107315952A (en) * 2016-04-26 2017-11-03 华为技术有限公司 Method and apparatus for determining application program suspicious actions
CN109033828A (en) * 2018-07-25 2018-12-18 山东省计算中心(国家超级计算济南中心) A kind of Trojan detecting method based on calculator memory analytical technology

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113553588A (en) * 2021-07-28 2021-10-26 中国南方电网有限责任公司 Terminal software management method
CN113553588B (en) * 2021-07-28 2024-05-24 中国南方电网有限责任公司 Terminal software management method

Also Published As

Publication number Publication date
CN109784052B (en) 2021-07-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Patentee after: Qianxin Technology Group Co., Ltd

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Patentee before: Beijing Qianxin Technology Co., Ltd