CN111611585A - Terminal device monitoring method and device, electronic device and medium - Google Patents


Info

Publication number
CN111611585A
Authority
CN
China
Prior art keywords
file
source information
monitoring
entry
inlet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010433040.0A
Other languages
Chinese (zh)
Inventor
邓凡
刘同豪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN202010433040.0A
Publication of CN111611585A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present disclosure provides a monitoring method for a terminal device, including: monitoring a file inlet of the terminal equipment, responding to the monitoring that a file is transmitted into the terminal equipment through the file inlet, acquiring file information of the file and file source information corresponding to the file inlet, and storing an incidence relation between the file information and the file source information so as to determine a file source of an abnormal file based on the incidence relation.

Description

Terminal device monitoring method and device, electronic device and medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method and an apparatus for monitoring a terminal device, an electronic device, and a medium.
Background
With the rapid development of network technology, users' requirements for network security and information security are becoming ever higher. A computer virus is a computer program, whether written by a person or generated automatically, that can replicate itself or run without the knowledge or approval of the user. Computer viruses often affect the normal operation of infected electronic devices, causing frustration to users.
Disclosure of Invention
In view of this, the present disclosure provides a monitoring method and apparatus for a terminal device, an electronic device, and a medium.
One aspect of the present disclosure provides a monitoring method for a terminal device, including: monitoring a file inlet of the terminal equipment, responding to the monitoring that a file is transmitted into the terminal equipment through the file inlet, acquiring file information of the file and file source information corresponding to the file inlet, and storing an incidence relation between the file information and the file source information so as to determine a file source of an abnormal file based on the incidence relation.
According to an embodiment of the present disclosure, the file entry includes at least one of an external device entry, a network download entry, an application program transmission entry, and a network sharing entry.
According to the embodiment of the disclosure, the file source information corresponding to the external device entry includes a device identifier of the external device, the file source information corresponding to the network download entry includes a download address of an incoming file, the file source information corresponding to the application program transmission entry includes an identifier of the application program and/or a user identifier corresponding to the incoming file, and the file source information corresponding to the network sharing entry includes an IP address of the sharing device.
According to an embodiment of the present disclosure, monitoring a file entry of the terminal device includes monitoring the file entry of the terminal device through a driver program and/or an injection module.
According to an embodiment of the present disclosure, the method further comprises detecting whether the file carries a virus and, if it does, determining the file source information associated with the file based on the association relation.
According to an embodiment of the present disclosure, the method further comprises uploading the file source information to a server connected to the terminal device so that the server processes the file source information.
Another aspect of the present disclosure provides a monitoring apparatus for a terminal device, including a monitoring module, an obtaining module, and a storage module. The monitoring module is used for monitoring a file entry of the terminal equipment. The acquisition module is used for responding to the monitoring that the file is transmitted into the terminal equipment through the file inlet, and acquiring the file information of the file and the file source information corresponding to the file inlet. The storage module is used for storing the incidence relation between the file information and the file source information so as to determine the file source of the abnormal file based on the incidence relation.
According to an embodiment of the present disclosure, the file entry includes at least one of an external device entry, a network download entry, an application program transmission entry, and a network sharing entry.
According to the embodiment of the disclosure, the file source information corresponding to the external device entry includes a device identifier of the external device, the file source information corresponding to the network download entry includes a download address of an incoming file, the file source information corresponding to the application program transmission entry includes an identifier of the application program and/or a user identifier corresponding to the incoming file, and the file source information corresponding to the network sharing entry includes an IP address of the sharing device.
According to an embodiment of the present disclosure, monitoring a file entry of the terminal device includes monitoring the file entry of the terminal device through a driver program and/or an injection module.
According to an embodiment of the present disclosure, the apparatus further includes a detection module and a determination module. The detection module is used for detecting whether the file has viruses or not. The determining module is used for determining file source information associated with the file based on the association relation under the condition that the file has the virus.
According to an embodiment of the present disclosure, the apparatus further comprises an uploading module for uploading the file source information to a server connected to the terminal device so that the server processes the file source information.
Another aspect of the present disclosure provides an electronic device including: one or more processors, and a computer readable storage medium storing one or more programs, which when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario of a monitoring method and apparatus according to an embodiment of the present disclosure;
fig. 2 schematically shows a flow chart of a monitoring method of a terminal device according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates an operational schematic of a monitoring method according to an embodiment of the disclosure;
fig. 4 schematically shows a block diagram of a monitoring arrangement of a terminal device according to an embodiment of the present disclosure; and
fig. 5 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The singular forms "a", "an" and "the" as used herein are intended to include the plural forms as well, unless the context clearly dictates otherwise. Furthermore, the terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). It will be further understood by those within the art that virtually any disjunctive word and/or phrase presenting two or more alternative terms, whether in the description, claims, or drawings, should be understood to contemplate the possibilities of including one of the terms, either of the terms, or both terms. For example, the phrase "A or B" should be understood to include the possibility of "A" or "B", or "A and B".
The embodiment of the disclosure provides a monitoring method and device for terminal equipment. The method comprises the following steps: and monitoring a file inlet of the terminal equipment, responding to the monitoring that the file is transmitted into the terminal equipment through the file inlet, and acquiring the file information of the transmitted file and the file source information corresponding to the file inlet. Then, the incidence relation between the file information and the file source information is stored, so that the file source of the abnormal file is determined based on the incidence relation.
Fig. 1 schematically illustrates an application scenario 100 of a monitoring method and apparatus according to an embodiment of the present disclosure.
It should be noted that fig. 1 is only an example of an application scenario in which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, 104 and a server 105. The terminal devices 101, 102, 103, 104 and the server 105 may communicate over a network, which may include various connection types such as wired or wireless communication links or fiber optic cables.
The user may use the terminal devices 101, 102, 103, 104 to interact with the server 105 over the network to receive or send messages or the like. Various client applications may be installed on the terminal devices 101, 102, 103, 104, such as a shopping-like application, a web browser application, a search-like application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103, 104 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, and for example, may perform processing such as analysis on data such as a received user request, and feed back a processing result (e.g., a web page, information, or data obtained or generated according to the user request) to the terminal device (for example only).
It should be noted that the monitoring method provided by the embodiments of the present disclosure may be generally executed by the terminal devices 101, 102, 103, and 104. Accordingly, the monitoring apparatus provided by the embodiments of the present disclosure may be generally disposed in the terminal devices 101, 102, 103, and 104.
According to an embodiment of the present disclosure, a plurality of terminal devices, for example, terminal devices 101, 102, 103, and 104, may be included in a local area network. The server 105 may be, for example, the management and control server of the local area network. In the embodiment of the present disclosure, each terminal device in the local area network may monitor its own file entries, and store an association relationship between file information of an incoming file and file source information corresponding to the file entry, so as to determine the file source of an abnormal file (for example, a file carrying a virus) based on the association relationship, and upload the file source to the server 105. The server 105 can receive and process the file source information of abnormal files uploaded by each terminal device and issue an early warning in time, so that virus sources can be handled in a targeted manner and the problem of repeated infection from the same virus source within a local area network can be resolved quickly.
It should be understood that the number of terminal devices and servers in fig. 1 is merely illustrative. There may be any number of terminal devices and servers, as desired for implementation.
Fig. 2 schematically shows a flow chart of a monitoring method of a terminal device according to an embodiment of the present disclosure.
As shown in fig. 2, the method includes operations S201 to S203.
In operation S201, a file entry of a terminal device is monitored.
According to the embodiment of the disclosure, various possible file entries, into which a file can be transmitted to a terminal device, can be monitored. For example, the file entry may include at least one of an external device entry, a network download entry, an application transfer entry, and a network share entry.
In an embodiment of the present disclosure, a file may be transferred to a terminal device through an external storage medium such as a USB disk, and whether the file is transferred to the terminal device through an external device entry may then be monitored through file system driver technology.
In another embodiment of the present disclosure, the file may also be downloaded to the terminal device via a network, for example, via a browser or via a download tool. The embodiment of the disclosure can monitor whether a file is transmitted into the terminal device through the network download entrance by using technologies such as a process injection module and/or a file system driver.
In yet another embodiment of the present disclosure, the file may also be transferred to the terminal device through an application transfer portal, for example, by an instant messaging application or by an email application. The embodiment of the disclosure can monitor whether a file is transmitted into the terminal device through the application program transmission inlet of the instant messaging class or not through technologies such as the process injection module and/or the file system driver. The embodiment of the disclosure can also monitor whether a file is transmitted into the terminal device through an application program transmission inlet of the mail class or not through technologies such as a client plug-in and/or network protocol analysis.
In yet another embodiment of the present disclosure, the file may also be transferred to the terminal device through a network sharing portal, for example, through a specific communication protocol. The embodiment of the disclosure can monitor whether a file is transmitted to the terminal device through the communication protocol by capturing the network packets and analyzing the communication protocol they carry. For example, network packets may be captured with WinPcap (Windows packet capture) and the SMB (Server Message Block) communication protocol may be analyzed.
In operation S202, in response to monitoring that a file is transmitted into a terminal device through a file entry, file information of the file and file source information corresponding to the file entry are acquired.
According to the embodiment of the disclosure, in response to monitoring that a file is transmitted into the terminal device through a certain file entry, the identification information of the file can be acquired as the file information of the file. For example, a hash value of the file may be acquired as the file information of the file.
In an embodiment of the present disclosure, if a file is transmitted into a terminal device through an external device inlet, a device identifier (for example, a name or a serial number of the external device) of the external device may be obtained as file source information of the file.
In another embodiment of the present disclosure, if a file is transmitted into a terminal device through a network download portal, the download address of the transmitted file may be acquired as the file source information of the file. For example, the URL (Uniform Resource Locator) from which the file was downloaded is obtained as the file source information of the file.
In another embodiment of the present disclosure, if a file is transmitted into a terminal device through an application transmission portal, an identifier of the application and/or a user identifier corresponding to the transmitted file may be acquired as file source information of the file. For example, if a file is transmitted to a terminal device through an application program of an instant messaging class, the name of the application program may be acquired as file source information of the file. For another example, if a file is transferred to a terminal device through an application program such as a mail, the information of the sender may be acquired as the file source information of the file.
In another embodiment of the present disclosure, if a file is transmitted to a terminal device through a network sharing portal, an IP address of a sharing device may be acquired as file source information of the file. For example, if a file is transmitted to a terminal device through a specific sharing protocol, the source IP address of the file may be acquired as the file source information of the file.
In operation S203, an association relationship between the file information and the file source information is stored, so as to determine a file source of the abnormal file based on the association relationship.
According to the embodiment of the disclosure, the terminal device may store the association relationship between the file information of the incoming file and the file source information locally.
In the embodiment of the present disclosure, the terminal device may further detect whether a virus exists in the incoming file. For example, each file may be scanned by anti-virus software to determine whether each file carries a virus. In the case of a virus in an incoming file, file source information associated with the file may be determined based on the stored association.
According to the embodiment of the present disclosure, the terminal device may be, for example, a terminal device in a local area network, and the local area network may have a management and control server, and each terminal device in the local area network may upload file source information corresponding to a file with a virus to the management and control server, so that the management and control server may process the file source information.
For example, the management and control server may display source information of files uploaded by each terminal device for a worker to review and understand.
For another example, the management and control server may further process the file source information to issue a warning about a prevalent virus source. For example, a warning is issued for any virus source that accounts for more than 10% (by way of example only) of the total file source information.
According to the embodiment of the disclosure, by monitoring the various possible file entries through which a file can be transmitted into the terminal device, the association between an incoming file and its file source is obtained promptly, so that the source of an abnormal file can be located quickly.
When the anti-virus software discovers a file carrying a virus, the file source of that file can be queried immediately and reported to the management and control server. The management and control server can receive and process the file source information of abnormal files uploaded by each terminal device and issue an early warning in time, so that the virus source is handled in a targeted manner and the problem of repeated infection from the same virus source within a local area network can be resolved quickly.
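The following is an added worked example of operations S201 to S203 and the server-side processing described above; it is not code from the patent or its assignees. It keeps the association between a file's hash (the file information) and the source information of the entry it came through in a small SQLite table, resolves the source of a file once it is flagged, and aggregates uploaded source records on a management server that warns about any source exceeding the 10% share mentioned in the text. The entry type names, the source field names (`device_id`, `url`, `app_name`, `source_ip`), the constructed malware marker that stands in for the anti-virus scanner, and all sample values are assumptions made for this example.

```python
import hashlib
import json
import sqlite3
from collections import Counter

# File entry types named in the patent (operation S201). The string values are assumptions.
ENTRY_EXTERNAL_DEVICE = "external_device"
ENTRY_NETWORK_DOWNLOAD = "network_download"
ENTRY_APP_TRANSFER = "app_transfer"
ENTRY_NETWORK_SHARE = "network_share"

# Source field each entry type must carry (operation S202). Field names are assumptions
# made for this example, not identifiers from the patent.
REQUIRED_SOURCE_FIELD = {
    ENTRY_EXTERNAL_DEVICE: "device_id",   # name or serial number of the external device
    ENTRY_NETWORK_DOWNLOAD: "url",        # download address of the incoming file
    ENTRY_APP_TRANSFER: "app_name",       # application identifier; a user_id may be added
    ENTRY_NETWORK_SHARE: "source_ip",     # IP address of the sharing device
}

# Constructed stand-in for the anti-virus scanner: a file containing this marker is
# treated as carrying a virus. A real deployment would call the AV engine instead.
CONSTRUCTED_MALWARE_MARKER = b"CONSTRUCTED-TEST-MARKER"


def file_info(data: bytes) -> str:
    """File information per S202: the SHA-256 hash of the file content."""
    return hashlib.sha256(data).hexdigest()


class FileSourceRecorder:
    """Terminal-side information record database (S203), here an in-memory SQLite table."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE file_source (file_hash TEXT, entry_type TEXT, source TEXT)"
        )

    def record(self, data: bytes, entry_type: str, **source: str) -> str:
        """Store hash -> (entry type, source info); reject records lacking the required field."""
        required = REQUIRED_SOURCE_FIELD.get(entry_type)
        if required is None:
            raise ValueError(f"unknown file entry type: {entry_type}")
        if required not in source:
            raise ValueError(f"{entry_type} source info needs '{required}'")
        h = file_info(data)
        with self.conn:
            self.conn.execute(
                "INSERT INTO file_source VALUES (?, ?, ?)",
                (h, entry_type, json.dumps(source, sort_keys=True)),
            )
        return h

    def lookup(self, h: str) -> list:
        """All (entry_type, source) pairs for a hash; the same file may have arrived more than once."""
        rows = self.conn.execute(
            "SELECT entry_type, source FROM file_source WHERE file_hash = ?", (h,)
        ).fetchall()
        return [(entry_type, json.loads(source)) for entry_type, source in rows]


def scan_and_report(recorder: FileSourceRecorder, data: bytes) -> list:
    """Detection step: if the file carries a virus, resolve its source(s) from the stored association."""
    if CONSTRUCTED_MALWARE_MARKER not in data:
        return []
    return recorder.lookup(file_info(data))


class ManagementServer:
    """Management and control server: aggregates uploaded source info and warns on prevalent sources."""

    def __init__(self) -> None:
        self.counts: Counter = Counter()

    def ingest(self, reports: list) -> None:
        """Accept (entry_type, source) records uploaded by terminal devices."""
        for entry_type, source in reports:
            self.counts[(entry_type, json.dumps(source, sort_keys=True))] += 1

    def warnings(self, share_threshold: float = 0.10) -> list:
        """Sources whose share of all uploaded source records exceeds the threshold (10% in the text)."""
        total = sum(self.counts.values())
        if total == 0:
            return []
        hits = [
            (entry_type, json.loads(src), n / total)
            for (entry_type, src), n in self.counts.items()
            if n / total > share_threshold
        ]
        return sorted(hits, key=lambda r: (-r[2], r[0], json.dumps(r[1], sort_keys=True)))
```

Hashing content rather than recording a path is what lets the lookup survive the file being renamed or copied after it arrived; keeping one row per arrival rather than one per hash preserves the case where an identical file entered through two different entries, which is exactly the situation in which knowing every source matters.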
Fig. 3 schematically shows an operational diagram of a monitoring method according to an embodiment of the present disclosure.
As shown in fig. 3, the terminal device 310 may include at least one collection point, a data acquisition module, a file source recording module, an information record database, a file system real-time protection module, a virus scanning module, and a communication agent module. The server 320 may include a log reporting interface and a management and control platform interface.
According to the embodiment of the disclosure, the terminal device 310 may set up at least one collection point by installing a driver, an injection module, or the like. Each collection point can capture a file incoming event of the terminal device. The data acquisition module captures the related file information and file source information according to the callback information of the collection point, processes the captured file information and file source information (for example, normalizes the format), and sends the processed file information and file source information to the file source recording module. The file source recording module may record the association relationship between the file source information and the file information in the information record database of the terminal device 310. The file system real-time protection module protects the file system in real time. The virus scanning module can scan the file system to find files carrying viruses and acquire the file source information corresponding to those files from the file source recording module. The communication agent module may send the file source information corresponding to a file carrying a virus to the log reporting interface of the server 320, and the log reporting interface reports the information to the management and control platform interface. The management and control platform interface can display the source information of each file, so that workers can read virus sources from it and handle them in a targeted manner.
Fig. 4 schematically shows a block diagram of a monitoring apparatus 400 of a terminal device according to an embodiment of the present disclosure.
As shown in fig. 4, the apparatus 400 includes a monitoring module 410, an obtaining module 420, and a storing module 430.
The monitoring module 410 is used for monitoring a file entry of the terminal device.
The obtaining module 420 is configured to, in response to monitoring that a file is transmitted to the terminal device through the file entry, obtain file information of the file and file source information corresponding to the file entry.
The storage module 430 is configured to store an association relationship between the file information and the file source information, so as to determine a file source of the abnormal file based on the association relationship.
According to an embodiment of the present disclosure, the file entry includes at least one of an external device entry, a network download entry, an application program transmission entry, and a network sharing entry.
According to the embodiment of the disclosure, the file source information corresponding to the external device entry includes a device identifier of the external device, the file source information corresponding to the network download entry includes a download address of an incoming file, the file source information corresponding to the application program transmission entry includes an identifier of the application program and/or a user identifier corresponding to the incoming file, and the file source information corresponding to the network sharing entry includes an IP address of the sharing device.
According to an embodiment of the present disclosure, monitoring a file entry of the terminal device includes monitoring the file entry of the terminal device through a driver program and/or an injection module.
According to an embodiment of the present disclosure, the apparatus further comprises a detection module and a determination module (not shown in the figure). The detection module is used for detecting whether the file has viruses or not. The determining module is used for determining file source information associated with the file based on the association relation under the condition that the file has the virus.
According to an embodiment of the present disclosure, the apparatus further comprises: an uploading module (not shown) configured to upload the file source information to a server connected to the terminal device, so that the server processes the file source information.
According to an embodiment of the disclosure, the apparatus 400 may, for example, perform the method described above with reference to fig. 2, which is not described herein again.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, the monitoring module 410, the obtaining module 420, and the storing module 430 may be combined and implemented in one module, or any one of the modules may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the invention, at least one of the monitoring module 410, the obtaining module 420 and the storing module 430 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in a suitable combination of three implementations of software, hardware and firmware. Alternatively, at least one of the monitoring module 410, the obtaining module 420 and the storing module 430 may be at least partially implemented as a computer program module, which when executed by a computer may perform the functions of the respective module.
Fig. 5 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure. The electronic device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 5, an electronic device 500 according to an embodiment of the present disclosure includes a processor 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The processor 501 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 501 may also include onboard memory for caching purposes. Processor 501 may include a single processing unit or multiple processing units for performing different acts of the method flows described with reference to fig. 2 in accordance with embodiments of the disclosure.
In the RAM 503, various programs and data necessary for the operation of the system 500 are stored. The processor 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. The processor 501 performs various operations as described above by executing programs in the ROM 502 and/or the RAM 503. Note that the programs may also be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform various operations as described above by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, system 500 may also include an input/output (I/O) interface 505, input/output (I/O) interface 505 also being connected to bus 504. The system 500 may also include one or more of the following components connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read out from it is installed into the storage section 508 as necessary.
According to an embodiment of the present disclosure, the method described above with reference to the flow chart may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program, when executed by the processor 501, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
It should be noted that the computer readable media shown in the present disclosure may be computer readable signal media or computer readable storage media or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
According to embodiments of the present disclosure, a computer-readable medium may include ROM 502 and/or RAM 503 and/or one or more memories other than ROM 502 and RAM 503 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As another aspect, the present disclosure also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the method as described above.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. A monitoring method for a terminal device, comprising:
monitoring a file entry of the terminal device;
in response to monitoring that a file is transferred into the terminal device through the file entry, acquiring file information of the file and file source information corresponding to the file entry; and
storing an association relation between the file information and the file source information, so that a file source of an abnormal file can be determined based on the association relation.
2. The method of claim 1, wherein the file entry comprises at least one of an external device entry, a network download entry, an application transfer entry, and a network share entry.
3. The method of claim 2, wherein:
the file source information corresponding to the external device entry comprises a device identifier of the external device;
the file source information corresponding to the network download entry comprises a download address of the incoming file;
the file source information corresponding to the application transfer entry comprises an identifier of the application and/or a user identifier corresponding to the incoming file; and
the file source information corresponding to the network share entry comprises an IP address of the sharing device.
4. The method of claim 1, wherein monitoring the file entry of the terminal device comprises:
monitoring the file entry of the terminal device through a driver program and/or an injection module.
5. The method of claim 1, further comprising:
detecting whether a virus exists in the file; and
in a case where a virus exists in the file, determining the file source information associated with the file based on the association relation.
6. The method of claim 5, further comprising:
uploading the file source information to a server connected to the terminal device, so that the server processes the file source information.
7. A monitoring apparatus for a terminal device, comprising:
a monitoring module configured to monitor a file entry of the terminal device;
an acquisition module configured to, in response to monitoring that a file is transferred into the terminal device through the file entry, acquire file information of the file and file source information corresponding to the file entry; and
a storage module configured to store an association relation between the file information and the file source information, so that a file source of an abnormal file can be determined based on the association relation.
8. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-6.
9. A computer readable medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 6.
10. A computer program product comprising computer readable instructions, wherein the computer readable instructions, when executed, are for performing the method of any of claims 1-6.
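The workflow of claims 1 to 6 (monitor the file entries, capture file information and the source information each entry type provides, store the association, and, once a file is flagged, resolve its origin and build the report for the server) is shown below as an added Python example. It is not the patent's or the applicant's code: the entry types and their source fields follow claims 2 and 3, while the content-hash key, the in-memory registry, the hash deny list standing in for the virus check of claim 5, the report layout and every sample path, URL and identifier are this example's own constructed assumptions.

```python
"""Added example (not the patent's own code): a file-provenance registry that
follows claims 1-6. Entry types and their source fields come from claims 2 and
3; everything else (hash key, store, deny-list check, report shape) is assumed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, Optional, Set, Tuple

# File entries named in claim 2, mapped to the source information claim 3 assigns to each.
SOURCE_FIELDS = {
    "external_device": ("device_id",),
    "network_download": ("download_url",),
    "application_transfer": ("app_id", "user_id"),  # claim 3 says "and/or": either one suffices
    "network_share": ("share_ip",),
}


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class FileInfo:
    path: str
    sha256: str
    size: int


@dataclass(frozen=True)
class FileSource:
    entry: str               # one of the SOURCE_FIELDS keys
    details: Dict[str, str]  # the fields claim 3 requires for that entry


class ProvenanceRegistry:
    """Association between file information and file source information (claim 1, third step).

    Keyed by content hash (an assumption of this example) so that a renamed or
    copied file still resolves to the entry it originally came through.
    """

    def __init__(self) -> None:
        self._by_hash: Dict[str, Tuple[FileInfo, FileSource]] = {}

    def record(self, path: str, content: bytes, entry: str, **source: str) -> FileInfo:
        """Called by the entry monitor when a file arrives (claim 1, second step)."""
        if entry not in SOURCE_FIELDS:
            raise ValueError(f"unknown file entry: {entry}")
        required = SOURCE_FIELDS[entry]
        if entry == "application_transfer":
            present = any(f in source for f in required)
        else:
            present = all(f in source for f in required)
        if not present:
            raise ValueError(f"{entry} requires source information {required}")
        info = FileInfo(path=path, sha256=sha256_hex(content), size=len(content))
        src = FileSource(entry=entry, details={f: source[f] for f in required if f in source})
        self._by_hash[info.sha256] = (info, src)
        return info

    def lookup(self, sha256: str) -> Optional[Tuple[FileInfo, FileSource]]:
        return self._by_hash.get(sha256)


def is_abnormal(content: bytes, known_bad: Set[str]) -> bool:
    """Stand-in for the virus check of claim 5: a hash match against a constructed deny list."""
    return sha256_hex(content) in known_bad


def trace_abnormal_file(registry: ProvenanceRegistry, content: bytes,
                        known_bad: Set[str]) -> Optional[dict]:
    """Claims 5 and 6: if the file is flagged, resolve its source and build the report to upload."""
    if not is_abnormal(content, known_bad):
        return None
    rec = registry.lookup(sha256_hex(content))
    if rec is None:
        # Flagged, but no entry event was ever recorded for it: report the gap rather than guess.
        return {"status": "abnormal", "file": None, "source": None}
    info, src = rec
    return {"status": "abnormal", "file": asdict(info), "source": asdict(src)}


def demo() -> Optional[dict]:
    """Constructed scenario: three arrivals, one of which later matches the deny list."""
    reg = ProvenanceRegistry()
    bad = b"CONSTRUCTED-SAMPLE: not real malware, just a byte string for the demo"
    reg.record("C:/Users/alice/Downloads/report.pdf", b"%PDF-1.4 harmless", "network_download",
               download_url="https://files.example.test/report.pdf")
    reg.record("E:/tools/setup.exe", bad, "external_device", device_id="usb-serial-0001")
    reg.record("C:/Users/alice/Chat/photo.png", b"\x89PNG harmless", "application_transfer",
               app_id="chat-app")
    known_bad = {sha256_hex(bad)}  # deny list built from the constructed sample
    return trace_abnormal_file(reg, bad, known_bad)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The driver or injection hooks of claim 4 that would feed `record()` are outside this example; on a real endpoint the monitor passes each arrival event to the registry. Two points matter in practice: the association store must be persisted somewhere the local user cannot simply delete, because an adversary who removes the record defeats the tracing step, and the report uploaded under claim 6 should carry the content hash rather than the file itself so the server can correlate without handling the suspect payload.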

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010433040.0A CN111611585A (en) 2020-05-20 2020-05-20 Terminal device monitoring method and device, electronic device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010433040.0A CN111611585A (en) 2020-05-20 2020-05-20 Terminal device monitoring method and device, electronic device and medium

Publications (1)

Publication Number Publication Date
CN111611585A true CN111611585A (en) 2020-09-01

Family

ID=72199464

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010433040.0A Pending CN111611585A (en) 2020-05-20 2020-05-20 Terminal device monitoring method and device, electronic device and medium

Country Status (1)

Country Link
CN (1) CN111611585A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113849858A (en) * 2021-09-29 2021-12-28 北京兰云科技有限公司 Method, device, computer storage medium and terminal for realizing file supervision
WO2022062997A1 (en) * 2020-09-22 2022-03-31 International Business Machines Corporation Computer file metadata segmentation security system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102306256A (en) * 2010-09-13 2012-01-04 微软公司 The file that obtains is carried out the prestige inspection
US20120215908A1 (en) * 2011-02-18 2012-08-23 Hitachi, Ltd. Method and system for detecting improper operation and computer-readable non-transitory storage medium
CN106612283A (en) * 2016-12-29 2017-05-03 北京奇虎科技有限公司 Method and device for identifying source of downloaded file
CN109858243A (en) * 2018-12-29 2019-06-07 北京奇安信科技有限公司 The method and apparatus for tracking viral source
CN110309110A (en) * 2019-05-24 2019-10-08 深圳壹账通智能科技有限公司 A kind of big data log monitoring method and device, storage medium and computer equipment
CN110928842A (en) * 2019-10-30 2020-03-27 维沃移动通信有限公司 Display method and terminal equipment

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022062997A1 (en) * 2020-09-22 2022-03-31 International Business Machines Corporation Computer file metadata segmentation security system
US11526612B2 (en) 2020-09-22 2022-12-13 International Business Machines Corporation Computer file metadata segmentation security system
GB2614667A (en) * 2020-09-22 2023-07-12 Ibm Computer file metadata segmentation security system
CN113849858A (en) * 2021-09-29 2021-12-28 北京兰云科技有限公司 Method, device, computer storage medium and terminal for realizing file supervision

Similar Documents

Publication Publication Date Title
US10176321B2 (en) Leveraging behavior-based rules for malware family classification
US20170041337A1 (en) Systems, Methods, Apparatuses, And Computer Program Products For Forensic Monitoring
AU2012308630B2 (en) Providing a network-accessible malware analysis
CN111131320B (en) Asset identification method, device, system and medium
RU2573265C2 (en) Method of detecting false positive results of scanning files for malware
US8862675B1 (en) Method and system for asynchronous analysis of URLs in messages in a live message processing environment
CN111914262A (en) Test method, device, system, electronic equipment and storage medium
CN113114680B (en) Detection method and detection device for file uploading vulnerability
CN113810408B (en) Network attack organization detection method, device, equipment and readable storage medium
CN114024764A (en) Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
CN111611585A (en) Terminal device monitoring method and device, electronic device and medium
US20180183819A1 (en) System to detect machine-initiated events in time series data
CN113900834A (en) Data processing method, device, equipment and storage medium based on Internet of things technology
US20180316696A1 (en) Analysis apparatus, analysis method, and analysis program
CN114490280A (en) Log processing method, device, equipment and medium
CN107766224B (en) Test method and test device
CN113162937A (en) Application safety automatic detection method, system, electronic equipment and storage medium
US8935784B1 (en) Protecting subscribers of web feeds from malware attacks
CN114490264A (en) File monitoring method and device of application system, electronic equipment and storage medium
CN113542185B (en) Method and device for preventing hijacking of page, electronic equipment and storage medium
CN115203178A (en) Data quality inspection method and device, electronic equipment and storage medium
CN114091013A (en) Security scoring method, device, computer system and readable storage medium
CN112948830B (en) File risk identification method and device
CN115499292B (en) Alarm method, device, equipment and storage medium
CN112565271B (en) Web attack detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20200901)