CN110569645A - System and method for protecting server mine excavation viruses - Google Patents


Info

Publication number: CN110569645A
Authority: CN (China)
Prior art keywords: server, virus, excavation, mine, module
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN201910820990.6A
Other languages: Chinese (zh)
Inventors: 鞠鑫, 张冉冉, 刘兴鹏
Current assignee: Hui Shield Information Security Technology (suzhou) Ltd By Share Ltd
Original assignee: Hui Shield Information Security Technology (suzhou) Ltd By Share Ltd
Priority date / filing date: 2019-09-02
Publication date: 2019-12-13


Classifications

    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F21/561 Virus type analysis (G06F21/55 > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (G06F21/55 > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements)


Abstract

The invention relates to a system and method for protecting a server against mining viruses (cryptomining malware). Because of the enormous profit lure of virtual currency, mining viruses are spreading ever more aggressively and most hacker groups now field them, so new variants appear in very large numbers and the existing signature-library approach to protection is mostly ineffective against them. The invention takes fine-grained control of server resources as its core: a process-control driver technology limits the utilization of the server's key resources (CPU, memory, video memory, hard disk and network) so that the resources available to an unauthorized process are held to a very low level, which fundamentally constrains the core function of a mining virus. On the network side, all traffic entering and leaving the protected server is analyzed, compared against the traffic characteristics of mining viruses and matched against a mining-pool resource pool to identify whether mining-virus traffic is present on the network. The three-layer linkage of resource, host and network leaves mining viruses nowhere to hide, and at the same time the security administrator is promptly notified of the mining-virus outbreak so that it can be handled in time.

Description

System and method for protecting server mine excavation viruses
Technical Field
The invention relates to a system and method for protecting a server against mining viruses, providing defense in depth against mining viruses at three layers: host, process and network. At the resource layer a server resource consumption control technology is combined with a whitelist technology; the process layer uses a blacklist technology together with a driver-level process start/stop control technology; and the network layer uses a traffic analysis technology together with a mining threat intelligence technology. Risk warnings for discovered mining viruses are displayed in real time using visualization technology.
Abbreviations and noun explanations:
Background
Like traditional trojans, the miners that "hijack" your computer implant their mining viruses into certain programs, and if you download those programs the mining trojan will very likely invade your computer. Unlike traditional trojans, a mining trojan obtains the virtual digital currency it wants by consuming the capability of your host. Because a mining trojan is extremely well concealed, a mining virus present on a computer is often not discovered in time. Compared with a traditional trojan, however, a mining trojan is said to be a killer as far as the danger to your computer is concerned. Anyone familiar with the history of bitcoin mining knows that no dedicated mining machines existed in the early period and the mining difficulty was low, so many people could mine with an ordinary computer graphics card. The mining procedure is, however, demanding: mining with a graphics card consumes a great deal of electricity, and the intensive work wears down the computer's CPU and graphics card. So if a mining virus gets onto your computer, the computer's service life will be greatly shortened. Moreover, because the mining trojan occupies the CPU, the computer becomes very hot and its running speed drops sharply; and if the servers of enterprises and public institutions that provide external services are infected with mining viruses, those servers can be seriously damaged and problems such as denial of service can seriously affect the business.
Summary of the invention:
The invention provides a system and method for protecting a server against mining viruses, realizing a triple defense in depth across network, process and resource.
The system for protecting a server against mining viruses works cooperatively at three layers.
1. Resource layer: the key resources of the server (CPU, memory, video memory, hard disk, network) are all configured in advance through the configuration center, and only authorized processes may use the server's key resources beyond a default threshold (10% of total resources, adjustable through the configuration center).
2. Process layer: first, known mining viruses are placed directly into the process control library so that they are forbidden from starting on the server; then, for an unknown mining-virus process, once it matches the characteristics described in step 1 and step 3, it is dynamically added to the known-mining-virus process control library of every server on the network, the active process is terminated and it is permanently forbidden from starting.
3. Network layer: a copy of all traffic entering and leaving the protected server is sent to the anti-mining security gateway; the gateway reassembles the full traffic, analyzes it for mining-virus traffic characteristics, matches it against mining-pool resources, and from this analysis derives the probability that a given server is infected with a mining virus.
4. Three-layer linkage: as soon as any of the three workflows detects an anomaly, it immediately notifies the alarm center module of the anti-mining security gateway for visual display and informs the security administrator to intervene; at the same time, the result of the network-layer analysis is fed into the process layer as a correlating judgment, increasing accuracy and reducing the false-positive rate.
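The linkage of steps 1 to 4 as an added Python illustration (not the patentee's code): a resource-layer quota with a whitelist, a process-layer control library, network-side pool-address and traffic-signature evidence, and the escalation rule that promotes an unknown process into the library only when repeated quota violations and network evidence agree. The 10% threshold is the page's default; the strike count, process and module names, flow flag and all sample data are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

DEFAULT_THRESHOLD_PCT = 10.0   # the page's default quota: 10% of a key resource
STRIKES_TO_ESCALATE = 3        # consecutive over-quota samples before escalation (assumed)

@dataclass
class ResourceSample:
    process: str
    cpu_pct: float             # one key resource stands in for CPU/memory/disk/network

@dataclass
class FlowObservation:
    process: str
    dst_ip: str
    mining_signature: bool     # gateway's traffic-characteristic verdict (assumed flag)

@dataclass
class Verdict:
    action: str                # "allow", "limit" or "block"
    reason: str

@dataclass
class AntiMiningEngine:
    whitelist: set             # resource layer: processes allowed above the quota
    known_bad: set             # process layer: the mining-virus process control library
    pool_ips: set              # network layer: mining-pool resource addresses
    threshold_pct: float = DEFAULT_THRESHOLD_PCT
    strikes: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)   # what the alarm center would display

    def network_check(self, flow):
        """Network layer: a pool-address hit or a mining traffic signature is evidence."""
        hit = flow.dst_ip in self.pool_ips or flow.mining_signature
        if hit:
            self.alerts.append(("network", f"{flow.process} -> {flow.dst_ip}"))
        return hit

    def evaluate(self, sample, flows):
        """One linkage cycle for one process: returns the action the driver should take."""
        # Process layer: anything in the control library never runs.
        if sample.process in self.known_bad:
            self.alerts.append(("process", f"blocked {sample.process}"))
            return Verdict("block", "known mining process")
        # Resource layer: an unauthorized process above the quota is capped, not killed.
        over = sample.cpu_pct > self.threshold_pct and sample.process not in self.whitelist
        if not over:
            self.strikes[sample.process] = 0
            return Verdict("allow", "within quota or whitelisted")
        self.strikes[sample.process] += 1
        self.alerts.append(("resource", f"{sample.process} at {sample.cpu_pct}%"))
        # Three-layer linkage: repeated quota violations plus network-side evidence
        # promote the unknown process into the control library (synced network-wide).
        net_hits = [f for f in flows if f.process == sample.process and self.network_check(f)]
        if self.strikes[sample.process] >= STRIKES_TO_ESCALATE and net_hits:
            self.known_bad.add(sample.process)
            return Verdict("block", "escalated: resource and network evidence agree")
        return Verdict("limit", f"capped at {self.threshold_pct}% pending correlation")

def run_demo():
    """Constructed scenario (all sample data is made up); returns the action sequence."""
    eng = AntiMiningEngine(whitelist={"postgres"}, known_bad={"known_miner"},
                           pool_ips={"203.0.113.10"})   # TEST-NET-3 address, constructed
    pool_flow = [FlowObservation("svc_upd", "203.0.113.10", True)]
    steps = [
        (ResourceSample("postgres", 45.0), []),        # authorized: high use is allowed
        (ResourceSample("known_miner", 90.0), []),     # already in the control library
        (ResourceSample("backup", 30.0), []),          # over quota but no network evidence:
        (ResourceSample("backup", 30.0), []),          #   stays capped, never escalates
        (ResourceSample("backup", 30.0), []),
        (ResourceSample("svc_upd", 80.0), pool_flow),  # unknown miner: strikes 1, 2, 3
        (ResourceSample("svc_upd", 80.0), pool_flow),
        (ResourceSample("svc_upd", 80.0), pool_flow),
        (ResourceSample("svc_upd", 5.0), []),          # now in the library: blocked at start
    ]
    return [eng.evaluate(s, f).action for s, f in steps], eng
```

Note that a process that only exceeds the quota (the "backup" case) is capped but never added to the library, which is the false-positive reduction step 4 describes.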
Fig. 1 is a schematic diagram of the system for protecting a server against mining viruses, which comprises a process control driver, a resource control module, a mining-virus blocking module, a full-traffic analysis module, a mining-pool resource matching module, a configuration center and an alarm center module.
Process control driver: monitors each process's use of system resources and controls process start and stop according to the configuration rules.
Resource control module: receives configuration rules from the configuration center, automatically adds rules according to the judgment results fed back by other modules, and uploads the generated rules to the configuration center for synchronization across the whole network.
Mining-virus blocking module: instructs the process control driver to stop a mining virus according to the known-mining-virus process library and the real-time judgment results.
Full-traffic analysis module: captures all inbound and outbound traffic of the protected server, judges how closely the server's traffic matches mining-virus traffic according to the known mining-virus characteristics, and reports the judgment to the alarm center and other associated modules.
Mining-pool resource matching module: takes the external IP addresses the server communicates with, as extracted by the full-traffic analysis module, matches them against the addresses of all major mining pools worldwide, and reports the result to the alarm center and other associated modules.
Configuration center: deployed in the anti-mining security gateway, provides configuration and display pages, serves as the configuration center for multiple servers and manages the configuration of each server centrally.
Alarm center: deployed in the anti-mining security gateway, provides alarm display and alarm notification functions.
The invention also provides a method for protecting a server against mining viruses, which adopts a three-layer defense in depth of resources, processes and network: strictly controlling the utilization of the server's key resources (CPU, memory, video memory, hard disk and network) according to the configuration rules; preventing known mining viruses from starting on the protected server according to the known-mining-virus process library; and collecting the traffic entering and leaving the protected server for characteristic analysis while comparing it against the global mining-pool resource addresses. Through this cooperation, mining viruses are found quickly, damage to the server is prevented, and the virus outbreak is reported to the administrator and handled in time.
Drawings
FIG. 1 is a schematic diagram of a system for preventing server mine excavation viruses according to the present invention.
Detailed description of the embodiment:
The system comprises anti-mining security software and anti-mining security gateway hardware, and protects the server against mining viruses through the software and hardware working together.
The anti-mining security software is installed on the server and starts automatically with it; initial configuration and security policy adjustments are managed centrally by the anti-mining security gateway hardware. The software contains the following modules described above: the process control driver, the resource control module and the mining-virus blocking module.
The anti-mining security gateway hardware is an embedded device deployed in bypass mode on the core switch; together with the anti-mining security software it implements policy management and automatic distribution, log collection, detection of known and unknown mining, and detection and blocking of mining-virus attack traffic on the network. The hardware contains the following modules described above: the full-traffic analysis module, the mining-pool resource matching module, the configuration center and the alarm center.

Claims (7)

1. The invention relates to a system and method for protecting a server against mining viruses, which provides defense in depth against mining viruses at three layers: host, process and network. At the resource layer a server resource consumption control technology is combined with a whitelist technology; the process layer uses a blacklist technology and a driver-level process start/stop control technology; and the network layer uses a traffic analysis technology and a mining threat intelligence technology. Risk warnings for discovered mining viruses are displayed in real time using visualization technology. The system comprises a process control driver, a resource control module, a mining-virus blocking module, a full-traffic analysis module, a mining-pool resource matching module, a configuration center and an alarm center module, wherein:
A. Process control driver: monitors each process's use of system resources and controls process start and stop according to the configuration rules.
B. Resource control module: receives configuration rules from the configuration center, automatically adds rules according to the judgment results fed back by other modules, and uploads the generated rules to the configuration center for synchronization across the whole network.
C. Mining-virus blocking module: instructs the process control driver to stop a mining virus according to the known-mining-virus process library and the real-time judgment results.
D. Full-traffic analysis module: captures all inbound and outbound traffic of the protected server, judges how closely the server's traffic matches mining-virus traffic according to the known mining-virus characteristics, and reports the judgment to the alarm center and other associated modules.
E. Mining-pool resource matching module: takes the external IP addresses the server communicates with, as extracted by the full-traffic analysis module, matches them against the addresses of all major mining pools worldwide, and reports the result to the alarm center and other associated modules.
F. The configuration center serves as the configuration center for multiple servers and manages the configuration of each server centrally;
G. The alarm center receives alarms and displays them visually.
2. The system for protecting a server against mining viruses according to claim 1, wherein the process control driver module, the resource control module and the mining-virus blocking module of the system are deployed in the server operating system, and the full-traffic analysis module, the mining-pool resource matching module, the configuration center and the alarm center are deployed on independent hardware.
3. The system according to claim 1, wherein at the resource layer the key resources of the server (CPU, memory, video memory, hard disk, network) are configured in advance through the configuration center, and, through the process control driver module and the resource control module, only authorized processes may use the server's key resources beyond a default threshold (10% of total resources, adjustable through the configuration center).
4. The system for protecting a server against mining viruses according to claim 1, wherein at the process layer, known mining viruses are first placed directly into the process control library and the mining-virus blocking module prohibits them from starting on the server; then, for an unknown mining-virus process, if the process repeatedly makes unauthorized attempts exceeding the set threshold and generates traffic with mining-virus characteristics, it is dynamically added to the known-mining-virus process control library of every server on the network, the active process is terminated and it is permanently prohibited from starting.
5. The system for protecting a server against mining viruses according to claim 1, wherein the network layer copies all traffic entering and leaving the protected server to the full-traffic analysis module and the mining-pool resource matching module, reassembles the full traffic, analyzes it for mining-virus traffic characteristics, matches it against mining-pool resources, and judges that a server is most likely infected with a mining virus if it communicates with any mining-pool resource IP address in the world.
6. The system for protecting a server against mining viruses according to claim 1, wherein the resource layer, the process layer, the network layer, the configuration center and the alarm center combine the three layers to generate mining-virus infection risk information of different dimensions, automatically optimize the established configuration and broadcast it across the whole network, and at the same time generate real-time alarms to notify the security administrator for timely handling.
7. A method for protecting a server against mining viruses, characterized in that the system for protecting a server against mining viruses according to any one of claims 1 to 6 is used to provide defense in depth against mining viruses at three layers: host, process and network. At the resource layer a server resource consumption control technology is combined with a whitelist technology; the process layer uses a blacklist technology and a driver-level process start/stop control technology; and the network layer uses a traffic analysis technology and a mining threat intelligence technology. Risk warnings for discovered mining viruses are displayed in real time using visualization technology.
Priority Applications (1)

Application number: CN201910820990.6A (CN110569645A, en)
Priority date: 2019-09-02
Filing date: 2019-09-02
Title: System and method for protecting server mine excavation viruses
Status: Pending

Publications (1)

Publication number: CN110569645A (en)
Publication date: 2019-12-13

Family

ID=68777377

Country Status (1)

CN: CN110569645A (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012064208A (en) * 2010-09-15 2012-03-29 Chunghwa Telecom Co Ltd Network virus prevention method and system
CN108183900A (en) * 2017-12-28 2018-06-19 北京奇虎科技有限公司 Method, server, client and system for detecting mining scripts
CN108399337A (en) * 2018-03-16 2018-08-14 北京奇虎科技有限公司 Method and device for identifying webpage mining scripts
CN109347806A (en) * 2018-09-20 2019-02-15 天津大学 Mining malware detection system and method based on host monitoring technology


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113704749A (en) * 2020-05-20 2021-11-26 中国移动通信集团浙江有限公司 Malicious excavation detection processing method and device
CN113704749B (en) * 2020-05-20 2024-03-19 中国移动通信集团浙江有限公司 Malicious mining detection processing method and device
CN111967004A (en) * 2020-07-31 2020-11-20 深圳比特微电子科技有限公司 Virus scanning method and device of digital currency mining machine and digital currency mining machine
CN111967004B (en) * 2020-07-31 2021-06-04 深圳比特微电子科技有限公司 Virus scanning method and device of digital currency mining machine and digital currency mining machine


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20191213