CN112579330B - Processing method, device and equipment for abnormal data of operating system - Google Patents


Info

Publication number
CN112579330B
Authority
CN (China)
Prior art keywords
abnormal
operating system
item
file
key
Legal status
Active
Application number
CN201910943747.3A
Other languages
Chinese (zh)
Other versions
CN112579330A
Inventor
杨龙
Current Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F 11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F 11/0751 Error or fault detection not based on redundancy
    • G06F 11/0793 Remedial or corrective actions


Abstract

The application discloses a method, a device and equipment for processing abnormal data of an operating system, in the technical field of network security. The method comprises the following steps: monitoring the security of a plurality of key items of an operating system, where the key items comprise at least one or more of installed software, the registry, WMI, scheduled tasks and the system boot sector code; and if abnormal items exist among the plurality of key items, repairing them according to the preset target repair rules corresponding to the abnormal items, where different abnormal items have their own corresponding preset repair rules. The method and device achieve comprehensive detection and repair of abnormal items of the operating system, enlarge the range of abnormal items that can be repaired, and improve the accuracy with which abnormal items of the operating system are detected.

Description

Processing method, device and equipment for abnormal data of operating system
Technical Field
The present invention relates to the field of network security technologies, and in particular to a method, an apparatus and a device for processing abnormal data of an operating system.
Background
The file system stores key data of the operating system; here the file system comprises the disk file system and the registry (the registry is organised much like a file directory), and memory is likewise an important component of the operating system. Once the data in these areas is tampered with, the operating system can behave abnormally.
At present, existing operating system abnormality detection only checks whether an abnormality exists in the file system, while the other key items of the operating system receive little or no attention. If an abnormality arises from one of those other key items, existing techniques cannot detect it in time and apply the corresponding security handling, which not only affects the user's use of the system but may also create potential security risks.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus and a device for processing abnormal data of an operating system, mainly aiming to solve the technical problem that in the prior art abnormal items of the operating system are not detected comprehensively, which can affect users and cause potential security risks.
According to one aspect of the present application, there is provided a method for processing abnormal data of an operating system, the method including:
monitoring the security of a plurality of key items of an operating system, where the key items comprise at least one or more of installed software, the registry, WMI, scheduled tasks and the system boot sector code;
if abnormal items exist among the plurality of key items, repairing the abnormal items according to the preset target repair rules corresponding to them, where different abnormal items have their own corresponding preset repair rules.
Optionally, the security detection of the installed software corresponding to the operating system specifically includes:
acquiring the file list of target software running in the operating system;
performing security detection on the paths and/or file hash values in the file list;
and if an abnormality is found according to the path and/or file hash value, determining that the key item corresponding to the installed software is an abnormal item.
Optionally, the security detection of the registry corresponding to the operating system specifically includes:
performing security detection on the paths and corresponding values of the operating system's registry keys and/or autostart keys and/or COM component keys;
and if any of the operating system registry keys, autostart keys or COM component keys is judged abnormal, determining that the key item corresponding to the registry is an abnormal item.
Optionally, the security detection of WMI corresponding to the operating system specifically includes:
acquiring and parsing WMI consumers and triggers;
performing malicious-keyword matching on the parsed content;
and if a malicious keyword is matched, determining that the key item corresponding to WMI is an abnormal item.
Optionally, the security detection of the scheduled tasks corresponding to the operating system specifically includes:
parsing the name of a scheduled task and the task's target file path;
performing abnormal-name matching on the task name;
if the abnormal-name match succeeds, acquiring the target file at the target file path and performing abnormal-feature matching on it;
and if the abnormal features match, determining that the key item corresponding to the scheduled task is an abnormal item.
Optionally, the security detection of the system boot sector code corresponding to the operating system specifically includes:
comparing the Master Boot Record (MBR) data with the operating system's clean MBR data;
and if an abnormal jump instruction is present, determining that the key item corresponding to the system boot sector code is an abnormal item.
Optionally, if the installation package management software is determined to be abnormal according to the abnormal item, repairing the abnormal item according to the preset target repair rule corresponding to it includes:
acquiring the installation directory of the installation package management software through the registry;
acquiring, within the installation directory, the location of the folder where the installation package management software resides;
if a preset target file exists at that folder location, acquiring the file information of the preset target file and matching it against the abnormal-rule field description;
and if the abnormal-rule field description matches, deleting the preset target file from the folder location.
Optionally, before repairing the abnormal item according to the preset target repair rule corresponding to it, the method further includes:
judging, according to the target repair rule, whether the current file system and/or registry of the operating system need a subsequent repair operation;
if the file system and/or registry need a subsequent repair operation, backing up the data at their original positions in the file system and registry before repair;
and repairing the abnormal item according to the preset target repair rule corresponding to it includes:
if a repair failure damages the current environment of the operating system, restoring the damaged current environment of the operating system using the backed-up data.
Optionally, the method further comprises:
dynamically updating the target repair rule during the repair of the abnormal item.
Optionally, dynamically updating the target repair rule specifically includes:
acquiring the original bytecode to be updated in the target repair rule and the tag corresponding to that bytecode;
sending the original bytecode and the tag to a cloud server, so that the cloud server determines according to the tag whether the original bytecode should be updated;
receiving the updated new bytecode returned by the cloud server;
and replacing the original bytecode in the target repair rule with the new bytecode.
According to another aspect of the present application, there is provided an apparatus for processing abnormal data of an operating system, the apparatus including:
a monitoring module for monitoring the security of a plurality of key items of the operating system, where the key items comprise at least one or more of installed software, the registry, WMI, scheduled tasks and the system boot sector code;
and a repair module for repairing an abnormal item according to the preset target repair rule corresponding to it if abnormal items exist among the plurality of key items, where different abnormal items have their own corresponding preset repair rules.
Optionally, the monitoring module is specifically configured to acquire the file list of the target software running in the operating system;
perform security detection on the paths and/or file hash values in the file list;
and if an abnormality is found according to the path and/or file hash value, determine that the key item corresponding to the installed software is an abnormal item.
Optionally, the monitoring module is specifically configured to perform security detection on the paths and corresponding values of the operating system's registry keys and/or autostart keys and/or COM component keys;
and if any of the operating system registry keys, autostart keys or COM component keys is judged abnormal, determine that the key item corresponding to the registry is an abnormal item.
Optionally, the monitoring module is specifically configured to acquire and parse WMI consumers and triggers;
perform malicious-keyword matching on the parsed content;
and if a malicious keyword is matched, determine that the key item corresponding to WMI is an abnormal item.
Optionally, the monitoring module is specifically configured to parse the name of a scheduled task and the task's target file path;
perform abnormal-name matching on the task name;
if the abnormal-name match succeeds, acquire the target file at the target file path and perform abnormal-feature matching on it;
and if the abnormal features match, determine that the key item corresponding to the scheduled task is an abnormal item.
Optionally, the monitoring module is specifically configured to compare the Master Boot Record (MBR) data with the operating system's clean MBR data;
and if an abnormal jump instruction is present, determine that the key item corresponding to the system boot sector code is an abnormal item.
Optionally, the repair module is specifically configured to acquire, if the installation package management software is determined to be abnormal according to the abnormal item, the installation directory of the installation package management software through the registry;
acquire, within the installation directory, the location of the folder where the installation package management software resides;
if a preset target file exists at that folder location, acquire the file information of the preset target file and match it against the abnormal-rule field description;
and if the abnormal-rule field description matches, delete the preset target file from the folder location.
Optionally, the apparatus further includes a judging module and a backup module;
the judging module is configured to judge, according to the target repair rule, whether the current file system and/or registry of the operating system need a subsequent repair operation;
the backup module is configured to back up the data at the original positions in the file system and registry before repair if the file system and/or registry need a subsequent repair operation;
and the repair module is specifically configured to restore the damaged current environment of the operating system using the backed-up data if a repair failure damages that environment.
Optionally, the apparatus further includes:
an updating module for dynamically updating the target repair rule during the repair of the abnormal item.
Optionally, the updating module is specifically configured to acquire the original bytecode to be updated in the target repair rule and the tag corresponding to that bytecode;
send the original bytecode and the tag to a cloud server, so that the cloud server determines according to the tag whether the original bytecode should be updated;
receive the updated new bytecode returned by the cloud server;
and replace the original bytecode in the target repair rule with the new bytecode.
According to still another aspect of the present application, there is provided a storage medium storing a computer program which, when executed by a processor, implements the above method for processing abnormal data of an operating system.
According to still another aspect of the present application, there is provided a physical device for processing abnormal data of an operating system, including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, where the processor implements the above method for processing abnormal data of an operating system when executing the program.
By means of the above technical solution, the present application provides a method, a device and equipment for processing abnormal data of an operating system. Compared with existing operating system abnormality detection, which only covers the file system, the method and device can monitor the security of several key items of the operating system, such as installed software, the registry, WMI, scheduled tasks and the system boot sector code, and can perform targeted repair of abnormal items among those key items. They thereby achieve comprehensive detection and repair of abnormal items of the operating system, enlarge the range of abnormal items that can be repaired, improve the accuracy of detecting abnormal items, respond promptly and repair quickly when abnormal items are found, reduce the impact on users and improve security.
The foregoing is only an overview of the technical solution of the present application. So that the technical means of the application can be understood more clearly and implemented according to the specification, and so that the above and other objects, features and advantages of the application become more apparent, a detailed description of the application follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of it, illustrate embodiments of the application and, together with the description, serve to explain it without unduly limiting it. In the drawings:
FIG. 1 is a schematic flow chart of a method for processing abnormal data of an operating system according to an embodiment of the present application;
FIG. 2 is a flow chart of another method for processing abnormal data of an operating system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the system architecture of a dynamic update method for repairing abnormal items of an operating system according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a device for processing abnormal data of an operating system according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings and in conjunction with embodiments. It should be noted that, where there is no conflict, the embodiments and the features in them may be combined with each other.
Since existing operating system abnormality detection only checks whether an abnormality exists in the file system and pays little or no attention to the other key items of the operating system, this embodiment provides a method for processing abnormal data of an operating system that achieves more comprehensive detection of abnormal items. As shown in FIG. 1, the method includes:
101. Monitoring the security of a plurality of key items of the operating system.
The plurality of key items include at least one or more of installed software, the registry, WMI (Windows Management Instrumentation), scheduled tasks and the system boot code. This embodiment thus monitors the security of these further key items in addition to the file system.
The execution body of this embodiment may be a device or equipment for processing abnormal data of an operating system, and may be deployed on the client side or on the server side according to actual requirements. The method is particularly applicable to the detection and repair of abnormal items of an operating system.
102. If abnormal items are detected among the plurality of key items, repairing the abnormal items according to the preset target repair rules corresponding to them.
Different abnormal items have their own corresponding preset repair rules. A repair rule may include operations such as delete, update, disable, enable, replace, copy and lock, in any combination. Optionally, when these operations are performed, a choice can be made whether to inform the user, so as to reduce the impact on the user in light of the actual situation.
In this embodiment, corresponding repair-rule scripts may be written in advance for the different abnormal items. When an abnormal item is repaired using a repair rule, the corresponding repair-rule script is obtained and parsed for that abnormal item, and the corresponding repair policy instructions are then executed, so that the abnormal item is repaired effectively.
Compared with existing operating system abnormality detection, which only covers the file system, the method for processing abnormal data of an operating system provided by this embodiment can monitor the security of several key items of the operating system at the same time, such as installed software, the registry, WMI, scheduled tasks and the system boot code, and can perform targeted repair of abnormal items among those key items. The method and device thereby achieve comprehensive detection and repair of abnormal items of the operating system, enlarge the range of abnormal items that can be repaired, improve the accuracy of detecting abnormal items, respond promptly and repair quickly when abnormal items are found, reduce the impact on users and improve security.
Further, as a refinement and extension of the specific implementation of the foregoing embodiment, and to fully describe the implementation process of this embodiment, another method for processing abnormal data of an operating system is provided. As shown in FIG. 2, the method includes:
201. Monitoring the security of a plurality of key items of the operating system.
To illustrate the security detection of each key item, a number of alternative examples (a to e) are given below:
a. The security detection of the installed software corresponding to the operating system may specifically include: first, acquiring the file list of target software running in the operating system; then performing security detection on the paths and/or file hash values in the file list; and if an abnormality is found according to the path and/or file hash value, determining that the key item corresponding to the installed software is an abnormal item.
For example, to detect software on the running operating system, a list of all the software's files is obtained, path and file-hash rules are evaluated against the list, and if an abnormal rule hits, the software is considered an abnormal item. By this alternative, abnormal items of the operating system relating to installed software can be accurately identified.
b. The security detection of the registry corresponding to the operating system specifically includes: performing security detection on the paths and corresponding values of the operating system registry keys and/or autostart keys and/or COM component keys; and if any of the operating system registry keys, autostart keys or COM component keys is abnormal, determining that the key item corresponding to the registry is an abnormal item.
For example, the paths and values of the system service registry keys, the keys with autostart properties, the COM components present locally and so on are rule-matched, and if the name is abnormal, the key is considered an abnormal item. By this alternative, registry-related abnormal items of the operating system can be accurately identified.
c. The security detection of WMI corresponding to the operating system specifically includes: first, acquiring WMI consumers and triggers and parsing them; then performing malicious-keyword matching on the parsed content; and if a malicious keyword is matched, determining that the key item corresponding to WMI is an abnormal item.
For example, for WMI detection, the WMI consumers and triggers present locally are acquired, their content is parsed, and malicious keywords are matched against that content; a successful match is considered an abnormal item. By this alternative, WMI-related abnormal items of the operating system can be accurately identified.
d. The security detection of the scheduled tasks corresponding to the operating system specifically includes: first, parsing the name of a scheduled task and the task's target file path; then performing abnormal-name matching on the task name; if the abnormal-name match succeeds, acquiring the target file at the target file path and performing abnormal-feature matching on it; and if the abnormal features match, determining that the key item corresponding to the scheduled task is an abnormal item.
For example, for a scheduled task, the task name and the task's target file path are parsed, the task name is matched against abnormal-name rules, and a task whose name matches is considered a suspicious item; the target file is then feature-matched, and if a feature hits, the task is determined to be an abnormal scheduled-task item. By this alternative, scheduled-task-related abnormal items of the operating system can be accurately identified.
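As an added example (not code from the patent), the two-stage scheduled-task check in Python: the task name is matched against abnormal-name rules, and only when that hits is the target file read and matched against byte features. The Task Scheduler XML documents, the name rules and the file features are all constructed for illustration; only the namespace URI is the real Task Scheduler schema.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (real schema URI; the task documents
# parsed below are constructed for this example).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed stage-1 rules: task names that look like this are suspicious.
ABNORMAL_NAME_RULES = [
    re.compile(r"^\\[0-9a-f]{16,}$", re.I),               # random hex name at the root
    re.compile(r"^\\(?!Microsoft\\).*update.*$", re.I),   # "update" task outside \Microsoft\
]

# Constructed stage-2 features: byte sequences searched for in the target file.
ABNORMAL_FILE_FEATURES = [b"CONSTRUCTED-FEATURE-A", b"CONSTRUCTED-FEATURE-B"]


def parse_task(xml_text: str):
    """Return (task name, target file path) from a Task Scheduler XML document."""
    root = ET.fromstring(xml_text)
    uri = root.find("t:RegistrationInfo/t:URI", NS)
    cmd = root.find("t:Actions/t:Exec/t:Command", NS)
    name = uri.text.strip() if uri is not None and uri.text else ""
    target = cmd.text.strip() if cmd is not None and cmd.text else ""
    return name, target


def name_is_abnormal(name: str) -> bool:
    """Stage 1: abnormal-name matching on the scheduled task name."""
    return any(rule.search(name) for rule in ABNORMAL_NAME_RULES)


def file_has_abnormal_feature(path: str, features=ABNORMAL_FILE_FEATURES):
    """Stage 2: read the target file and return the first matching feature, or None."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        data = f.read()
    for feature in features:
        if feature in data:
            return feature
    return None


def check_scheduled_task(xml_text: str) -> dict:
    """Run both stages; the target file is only read when stage 1 hits."""
    name, target = parse_task(xml_text)
    verdict = {"name": name, "target": target, "suspicious": False,
               "abnormal": False, "feature": None}
    if not name_is_abnormal(name):
        return verdict
    verdict["suspicious"] = True
    feature = file_has_abnormal_feature(target)
    if feature is not None:
        verdict["abnormal"] = True
        verdict["feature"] = feature.decode()
    return verdict


# Minimal constructed task document; {uri} and {command} are filled in below.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>{uri}</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""


def run_demo():
    """Constructed scenario: one task with a random-looking name whose target
    file carries a feature, and one ordinary task under \\Microsoft\\.
    Returns both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "ab12cd34ef56ab12.exe")
        with open(target, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64 + b"CONSTRUCTED-FEATURE-B" + b"\x00" * 16)
        bad = check_scheduled_task(
            TASK_XML.format(uri=r"\ab12cd34ef56ab12", command=target))
        good = check_scheduled_task(TASK_XML.format(
            uri=r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
            command=r"C:\Windows\System32\sc.exe"))
    return bad, good
```

On a real host the XML would come from the task store under %SystemRoot%\System32\Tasks, and the feature list would be the product's rule data.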
e. The security detection of the system boot sector code corresponding to the operating system specifically includes: comparing the Master Boot Record (MBR) data with the operating system's clean MBR data; and if an abnormal jump instruction is present, determining that the key item corresponding to the system boot sector code is an abnormal item.
For example, for the system boot code, the local MBR data is obtained and compared with the clean MBR data for the system, and if an abnormal jump instruction is found, the local MBR is considered an abnormal boot item. By this alternative, abnormal items of the operating system relating to the system boot code can be accurately identified.
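An added example (not the patent's code) of the MBR comparison in Python, generalized a little beyond the text: it reports every modified region of the boot code, flags those that begin with an unconditional jump opcode, and also checks that the partition table and the 0x55AA signature are intact. Both the clean and the tampered MBR image are constructed inline; on a real host the local image would be read from sector 0 of the boot disk.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_END = 446          # offsets 0..445: boot code; 446..509: partition table
SIGNATURE = b"\x55\xaa"      # offsets 510..511

# x86 real-mode unconditional jumps and their encoded lengths. A boot-code
# modification that begins with one of these diverts control away from the
# original loader, which is the "abnormal jump instruction" the text refers to.
JUMP_OPCODES = {0xEB: ("jmp short rel8", 2),
                0xE9: ("jmp near rel16", 3),
                0xEA: ("jmp far ptr16:16", 5)}


def build_clean_mbr() -> bytes:
    """Constructed stand-in for the operating system's clean MBR."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # xor ax,ax / mov ss,ax / mov sp,7C00h
    code += b"\x90" * (BOOT_CODE_END - len(code))             # NOP padding stands in for the loader
    # One partition entry: bootable, type 0x07, LBA start 2048, 204800 sectors.
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 204800)
    return code + entry + b"\x00" * 48 + SIGNATURE


def changed_ranges(local: bytes, clean: bytes, end: int):
    """Yield (start, stop) for each run of contiguous differing bytes in [0, end)."""
    start = None
    for off in range(end):
        differs = local[off] != clean[off]
        if differs and start is None:
            start = off
        elif not differs and start is not None:
            yield start, off
            start = None
    if start is not None:
        yield start, end


def compare_mbr(local: bytes, clean: bytes) -> dict:
    """Compare a captured MBR against the clean copy. A modified boot-code
    region that starts with a jump opcode is reported as an abnormal jump."""
    if len(local) != MBR_SIZE or len(clean) != MBR_SIZE:
        raise ValueError("MBR images must be exactly 512 bytes")
    report = {"signature_ok": local[510:] == SIGNATURE,
              "partition_table_changed": local[446:510] != clean[446:510],
              "modified_ranges": [], "abnormal_jumps": []}
    for start, stop in changed_ranges(local, clean, BOOT_CODE_END):
        report["modified_ranges"].append((start, stop))
        op = local[start]
        if op in JUMP_OPCODES:
            report["abnormal_jumps"].append((start, JUMP_OPCODES[op][0]))
    report["abnormal"] = bool(report["abnormal_jumps"]) or not report["signature_ok"]
    return report


def build_tampered_mbr(clean: bytes) -> bytes:
    """Constructed tampered image: the loader's first instruction is replaced
    by a short jump into bytes written over the padding at offset 0x40."""
    img = bytearray(clean)
    img[0:2] = b"\xEB\x3E"                          # jmp short +0x3E (lands at 0x40)
    img[0x40:0x46] = b"\x55\x66\x77\x88\x99\xAA"    # arbitrary filler, not real code
    return bytes(img)
```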
202. If abnormal items exist among the plurality of key items, judging, according to the preset target repair rule corresponding to the abnormal item, whether the current file system and/or registry of the operating system need a subsequent repair operation.
For example, the target repair rule may be parsed, and whether the subsequent repair of the abnormal item involves the operating system's current file system and/or registry is determined from the parsed content.
203. If the file system and/or registry are judged to need a subsequent repair operation, backing up the data at their original positions in the file system and registry before repair.
In this embodiment, since the file system and the registry are large, backing up all of their data would hurt the overall efficiency of repairing the abnormal item. Instead, only the data in the file system and registry that the repair needs to touch is backed up in advance, which greatly reduces the amount of data backed up, speeds up the backup, and thus further improves the efficiency of repairing abnormal items of the operating system.
204. Repairing the abnormal item according to the target repair rule, and, if a repair failure damages the current environment of the operating system, restoring the damaged environment using the backed-up data.
In this embodiment, by backing up data first and then repairing, damage to the operating system's current environment due to a failed repair can be effectively prevented, and the impact on the user is reduced.
To illustrate repair using a repair rule: if the installation package management software is determined to be abnormal according to the abnormal item, repairing the abnormal item according to the target repair rule may include: first, acquiring the installation directory of the installation package management software through the registry; acquiring, within the installation directory, the location of the folder where the software resides; if the preset target file exists at that folder location, acquiring the file information of the preset target file and matching it against the abnormal-rule field description; and if the abnormal-rule field description matches, deleting the preset target file from the folder location. In this way, vulnerabilities in the installation package management software can be effectively repaired, the impact of the abnormal installed-software item on the user's use of the operating system is reduced, and the user can use the installation package management software in the operating system safely.
For example, taking the repair of a WinRAR vulnerability: first, the installation directory of the local WinRAR is acquired through the registry; then the location of the folder where WinRAR resides is taken from the installation directory; then it is judged whether UNACEV2.DLL exists at that folder location, and if so, the version, size and other information of the UNACEV2.DLL target file is acquired and matched against the abnormal-rule field description; if the match succeeds, the UNACEV2.DLL target file can be deleted when the repair logic is executed.
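As an added example (not the patent's code), steps 202 to 204 applied to the UNACEV2.DLL case in Python: the rule is parsed to see which stores it touches, only those positions are backed up, the target file is deleted, and a failed repair is rolled back from the backup. The registry is modelled as a dict with a placeholder key name, the install directory is a temporary folder, and the rule's field description matches on size and SHA-256 rather than the PE version resource; all three are assumptions of this example.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed content of the vulnerable target file and the rule describing it.
TARGET_CONTENT = b"CONSTRUCTED-UNACEV2-DLL-IMAGE" * 32
WINRAR_RULE = {
    "software": "WinRAR",
    "install_dir_key": r"HKLM\SOFTWARE\<vendor>\InstallDir",   # placeholder, not WinRAR's real key
    "target_file": "UNACEV2.DLL",
    "abnormal_fields": {"size": len(TARGET_CONTENT),            # the rule's field description
                        "sha256": hashlib.sha256(TARGET_CONTENT).hexdigest()},
    "delete_file": True,             # the repair touches the file system ...
    "delete_registry_value": None,   # ... but not the registry
}


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def file_matches_rule(path: str, rule: dict) -> bool:
    """The target file exists and its file information matches the rule's
    abnormal field description (here: size and SHA-256)."""
    if not os.path.isfile(path):
        return False
    info = {"size": os.path.getsize(path), "sha256": sha256_of(path)}
    return all(info[k] == v for k, v in rule["abnormal_fields"].items())


def back_up(files, reg_keys, registry: dict, backup_dir: str) -> dict:
    """Step 203: copy only the positions the repair will touch."""
    backup = {"files": {}, "registry": {}}
    for p in files:
        if os.path.isfile(p):
            dst = os.path.join(backup_dir, os.path.basename(p) + ".bak")
            shutil.copy2(p, dst)
            backup["files"][p] = dst
    for k in reg_keys:
        if k in registry:
            backup["registry"][k] = registry[k]
    return backup


def restore(backup: dict, registry: dict) -> None:
    """Step 204, failure branch: put the backed-up data back."""
    for p, dst in backup["files"].items():
        shutil.copy2(dst, p)
    registry.update(backup["registry"])


def repair(registry: dict, rule: dict, backup_dir: str, inject_failure=False) -> dict:
    result = {"matched": False, "repaired": False, "rolled_back": False}
    install_dir = registry.get(rule["install_dir_key"])       # installation directory via registry
    if install_dir is None:
        return result
    target = os.path.join(install_dir, rule["target_file"])   # folder location of the target file
    if not file_matches_rule(target, rule):                   # field description match
        return result
    result["matched"] = True
    # Step 202: decide from the rule which stores are touched, so only those are backed up.
    files = [target] if rule["delete_file"] else []
    reg_keys = [rule["delete_registry_value"]] if rule["delete_registry_value"] else []
    backup = back_up(files, reg_keys, registry, backup_dir)
    try:
        for p in files:
            os.remove(p)                                      # delete the preset target file
        for k in reg_keys:
            registry.pop(k, None)
        if inject_failure:   # stands in for a later step that damaged the environment
            raise OSError("simulated repair failure")
        result["repaired"] = True
    except OSError:
        restore(backup, registry)
        result["rolled_back"] = True
    return result


def run_demo(inject_failure=False):
    """Constructed environment: registry as a dict, install dir as a temp folder.
    Returns the repair result and whether the target file is intact afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        install_dir = os.path.join(tmp, "WinRAR")
        backup_dir = os.path.join(tmp, "backup")
        os.makedirs(install_dir)
        os.makedirs(backup_dir)
        target = os.path.join(install_dir, WINRAR_RULE["target_file"])
        with open(target, "wb") as f:
            f.write(TARGET_CONTENT)
        registry = {WINRAR_RULE["install_dir_key"]: install_dir}
        result = repair(registry, WINRAR_RULE, backup_dir, inject_failure)
        intact = (os.path.isfile(target)
                  and sha256_of(target) == WINRAR_RULE["abnormal_fields"]["sha256"])
    return result, intact
```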
The process illustrated in steps 201 to 204 above may be implemented specifically by using an operating system exception item repair policy script. The abnormal item repairing policy script is suitable for detecting and repairing the abnormal, problem, defect, risk item and the like of the current operating system through two operations of scanning (carrying out security scanning on a designated position and an object) and repairing (carrying out processing on a scanning result). In the conventional scheme at present, scripts are written in advance and then issued to the client for local execution, which is equivalent to separation of the abnormal item repair strategy script from the specific implementation in the embodiment. However, considering the application scenario of the method of the embodiment, if the abnormal item repairing policy needs to be updated later, the timeliness of the update is limited by a way of separating the traditional script from the implementation, and the emergency situation cannot be dealt with; and the abnormal item repairing strategy may have defects and problems, so that the abnormal item repairing strategy cannot be effectively avoided in time. If the abnormal item repairing policy script is suspended in the middle to replace the updated abnormal item repairing policy script, the abnormal item of the operating system cannot be effectively detected and repaired in the suspension time period.
To solve the above problem, the method of this embodiment further optionally provides a dynamic update scheme for the operating system abnormal item repair policy: during the repair of an operating system abnormal item, the target repair rule may be dynamically updated. This greatly improves control over the abnormal item repair policy and its data, and improves the timeliness of policy updates.
Optionally, dynamically updating the target repair rule may specifically include: first, obtaining the original byte code information to be updated in the target repair rule, together with the tag information corresponding to that original byte code information; then sending the original byte code information and the tag information to a cloud server, so that the cloud server determines from the tag information whether the original byte code information needs updating; receiving the updated new byte code information returned by the cloud server; and then replacing the original byte code information in the target repair rule with the new byte code information. This effectively realizes dynamic update of the operating system abnormal item repair policy: the byte code information in the policy can be updated while the repair policy script is running, so defects and problems in the policy script are repaired in time, the script need not be suspended mid-run, and effective detection and repair of operating system abnormal items is ensured in real time.
A specific implementation of the dynamic update process is described below; it is given by way of example only and does not limit the method of this embodiment in any way:
(1) First, an abnormal item repair policy is configured and the acquisition location of the control information is given, for example a URL for acquisition from the cloud server (cloud) and a local disk directory for local acquisition.
(2) Through the location given in step (1), the control information can be obtained, in which the list information of the function scripts is given.
For example:
<script id="0" guid="2690b77e-276c-4bff-99f6-5fff2607ea19"/>
<script id="1" guid="38e62270-cd24-4aa2-9483-b27060158c9c"/>
The guid part distinguishes the different function scripts.
(3) With the function script list obtained in step (2), the GetScript interface function is called and the list of guids to be loaded is passed in. The interface acquires preferentially from the cloud side; if that acquisition fails, the script is not updated; and if the script was acquired locally, the latest script is acquired directly from the cloud side.
(4) The function script provides the "scan" and "repair" functions. As for the definition of rule data, take abnormal Uniform Resource Locator (URL) information as an example: the URL list before the update contains aa.com, bb.com and cc.com. If a new entry dd.com is needed, in the existing scheme the script must be rewritten and re-released. With the method of this embodiment, by contrast, a concept like "GetScript" is provided in the form of a GetListData interface, into which a TAG (used to distinguish the current rule list version information and the like) is passed together with the existing list {"aa.com", "bb.com", "cc.com"}, as in black_url_list = GetListData(TAG, {"aa.com", "bb.com", "cc.com"}).
(5) The GetListData interface transmits the TAG and the existing list to the cloud server; after distinguishing the TAG, the cloud server performs a correction operation (adding and deleting) on the list data, for example adding dd.com, and finally returns the corrected data. This logic completes the dynamic update of the policy script and the rule data; a prototype diagram of the method of this embodiment is shown in fig. 3.
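As an added example (not code from the patent), the following Python models steps (2), (4) and (5) with a simulated cloud server so it runs offline: a parser for the control information, a TAG that encodes the list name and version, and a GetListData exchange that corrects the rule list in place while the policy script keeps scanning. The TAG format, the version numbers, the removal of bb.com and the failure-handling behaviour are assumptions; the two guids and the aa.com/bb.com/cc.com/dd.com values are the page's.

```python
import re

# Control information in the format shown in step (2); the two guids are the
# ones on the page, the surrounding text is constructed.
CONTROL_INFO = """
<script id="0" guid="2690b77e-276c-4bff-99f6-5fff2607ea19"/>
<script id="1" guid="38e62270-cd24-4aa2-9483-b27060158c9c"/>
"""
SCRIPT_RE = re.compile(r'<script\s+id="(\d+)"\s*guid="([0-9a-f-]{36})"\s*/>')

# Constructed cloud-side table: per rule name, the latest version and the
# correction (additions and deletions) to apply to whatever list the client
# sends. Removing bb.com is my construction; the page only adds dd.com.
CLOUD_CORRECTIONS = {
    "black_url_list": {"version": 2, "add": ["dd.com"], "remove": ["bb.com"]},
}


def parse_control_info(text):
    """Map script id -> guid; the guid is what distinguishes function scripts."""
    return {int(i): g for i, g in SCRIPT_RE.findall(text)}


def make_tag(rule_name, version):
    """TAG carrying the rule list name and the version the client holds
    (constructed format)."""
    return f"{rule_name}:{version}"


def parse_tag(tag):
    name, _, version = tag.rpartition(":")
    return name, int(version)


def cloud_get_list_data(tag, current_list):
    """Simulated cloud side of GetListData: decide from the TAG whether the
    client's list is stale, apply the correction and return the corrected
    list plus the new TAG. Unknown or current TAG -> list returned unchanged."""
    name, version = parse_tag(tag)
    entry = CLOUD_CORRECTIONS.get(name)
    if entry is None or version >= entry["version"]:
        return {"updated": False, "tag": tag, "data": sorted(current_list)}
    corrected = (set(current_list) - set(entry["remove"])) | set(entry["add"])
    return {"updated": True, "tag": make_tag(name, entry["version"]),
            "data": sorted(corrected)}


def failing_transport(tag, current_list):
    """Constructed transport that models an unreachable cloud server."""
    raise ConnectionError("cloud server unreachable (constructed)")


class PolicyScript:
    """Stand-in for a running "scan"/"repair" policy script whose rule data is
    swapped in place, so scanning never has to be suspended for an update."""

    def __init__(self, rule_name, version, initial_list):
        self.tag = make_tag(rule_name, version)
        self.rule_data = set(initial_list)

    def get_list_data(self, transport=cloud_get_list_data):
        """Client-side GetListData: send TAG + existing list; replace the list
        only when the server returns an update. A failed fetch keeps the
        current rules in force and returns False."""
        try:
            reply = transport(self.tag, sorted(self.rule_data))
        except Exception:
            return False
        if reply["updated"]:
            self.rule_data = set(reply["data"])
            self.tag = reply["tag"]
        return reply["updated"]

    def scan(self, observed_urls):
        """The script's "scan" function: URLs that hit the current blacklist."""
        return sorted(u for u in observed_urls if u in self.rule_data)


if __name__ == "__main__":
    script = PolicyScript("black_url_list", 1, ["aa.com", "bb.com", "cc.com"])
    print(script.scan(["aa.com", "dd.com"]))   # ['aa.com']
    print(script.get_list_data(), sorted(script.rule_data))
    print(script.scan(["aa.com", "dd.com"]))   # ['aa.com', 'dd.com']
```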
By applying the scheme of this embodiment, dynamic update of the operating system abnormal item repair policy is effectively realized: the byte code information in the repair policy can be updated while the repair policy script is running, so defects and problems in the policy script are repaired in time, the script need not be suspended mid-run, and effective detection and repair of operating system abnormal items is ensured.
Further, as a specific implementation of the methods shown in fig. 1 and fig. 2, the present embodiment provides a device for processing abnormal data of an operating system, as shown in fig. 4, where the device includes: a monitoring module 31 and a repairing module 32.
The monitoring module 31 is configured to monitor security of a plurality of key items corresponding to the operating system, where the plurality of key items at least includes one or more of installation software, registry, WMI, planning task, and system boot area code;
The repairing module 32 is configured to, if an abnormal item exists among the plurality of key items, repair the abnormal item according to a preset target repair rule corresponding to the abnormal item, where different abnormal items have their own corresponding preset repair rules.
In a specific application scenario, the monitoring module 31 may be specifically configured to obtain a file list of the target software running in the operating system; carrying out security detection on paths and/or file hash values on the file list; and if the abnormality exists according to the path and/or the file hash value, determining that the key item corresponding to the installed software is an abnormal item.
In a specific application scenario, the monitoring module 31 may be specifically configured to perform a security detection on a path and a corresponding value of an operating system registry key, and/or a component having a self-starting property, and/or a COM component; if the registry item of the operating system and/or the self-starting property item and/or the COM component item are/is judged to be abnormal, determining that the key item corresponding to the registry is an abnormal item.
In a specific application scenario, the monitoring module 31 may be specifically configured to obtain and parse WMI consumers and triggers; performing malicious key item matching on the analyzed content; and if the malicious key terms are successfully matched, determining that the key terms corresponding to the WMI are abnormal terms.
In a specific application scenario, the monitoring module 31 may be specifically configured to analyze a name of a planning task and a target file path of the planning task; performing abnormal name matching on the names of the planning tasks; if the abnormal name matching is successful, acquiring a target file in the target file path to perform abnormal feature matching; and if the abnormal characteristics are successfully matched, determining the key item corresponding to the planning task as an abnormal item.
In a specific application scenario, the monitoring module 31 may be specifically configured to compare the master boot record (MBR) data with the clean MBR data of the operating system, and if an abnormal jump instruction exists, determine that the key item corresponding to the system boot area code is an abnormal item.
In a specific application scenario, the repair module 32 may be specifically configured to obtain, through a registry, an installation directory of the installation package management software if it is determined that an abnormality exists in the installation package management software according to the abnormality item; acquiring the position of a folder where the installation package management software is located in the installation directory; if the file folder position has a preset target file, acquiring file information of the preset target file and matching with the abnormal rule field description; and if the abnormal rule field describes that the matching is successful, deleting the preset target file in the folder position.
In a specific application scenario, the device further includes a judging module and a backup module;
the judging module is used for judging whether the current file system and/or registry of the operating system needs subsequent repair operation according to the target repair rule;
the backup module is used for backing up the data of the original positions of the file system and the registry before repair if the file system and/or the registry need subsequent repair operation;
the repair module 32 may further be specifically configured to, if the repair fails and damages the current environment of the operating system, repair the damaged current environment of the operating system using the backup data.
In a specific application scenario, the device further includes an updating module;
the updating module is configured to dynamically update the target repair rule during the repair of the abnormal item.
In a specific application scenario, the updating module is specifically configured to obtain original bytecode information to be updated in the target repair rule, and tag information corresponding to the original bytecode information; the original byte code information and the tag information are sent to a cloud server, so that the cloud server determines whether to update the original byte code information according to the tag information; receiving updated new byte code information returned by the cloud server; and updating and replacing the original byte code information into the new byte code information in the target repair rule.
It should be noted that, for other corresponding descriptions of each functional unit related to the processing device for abnormal data of an operating system provided in this embodiment, reference may be made to corresponding descriptions in fig. 1 and fig. 2, and no further description is given here.
Based on the above methods shown in fig. 1 and 2, correspondingly, the present embodiment further provides a storage medium, on which a computer program is stored, where the program, when executed by a processor, implements the above method for processing abnormal data of an operating system shown in fig. 1 and 2.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (a CD-ROM, a USB flash drive, a mobile hard disk, etc.) and includes several instructions for causing a computer device (a personal computer, a server, a network device, etc.) to execute the method described in each implementation scenario of the present application.
Based on the methods shown in fig. 1 and fig. 2 and the virtual device embodiment shown in fig. 4, in order to achieve the above objects, this embodiment further provides an entity device for processing abnormal data of an operating system, which may specifically be a personal computer, a server, a smart phone, a tablet computer, or other network devices, where the entity device includes a storage medium and a processor; a storage medium storing a computer program; a processor for executing a computer program to implement the method as shown in fig. 1 and 2.
Optionally, the physical device may further include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, Wi-Fi modules, and the like. The user interface may include a display screen (Display), an input unit such as a keyboard (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a Wi-Fi interface), etc.
It will be appreciated by those skilled in the art that the structure of the entity device for processing abnormal data of an operating system provided in this embodiment is not limited to the entity device, and may include more or fewer components, or may combine some components, or may be different in arrangement of components.
The storage medium may also include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the entity device and supports the operation of the information processing program and other software and/or programs. The network communication module is used to realize communication among the components in the storage medium and with other hardware and software in the information processing entity device.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented by means of software plus necessary general hardware platforms, or may be implemented by hardware. By applying the technical scheme of the embodiment, compared with the existing operating system abnormality detection which is only performed on the file system, the embodiment can monitor the safety of a plurality of key items such as installation software, a registry, WMI, a planning task, a system boot code and the like corresponding to the operating system at the same time, and can realize targeted abnormality repair for the key items. The method and the device can further realize comprehensive detection and repair of abnormal items of the operating system, enlarge the repair range of the abnormal items of the operating system, improve the accuracy of detecting the abnormal items of the operating system, timely respond and quickly repair the abnormal items of the operating system when the abnormal items of the operating system are found, reduce the influence on the use of users and improve certain safety.
Those skilled in the art will appreciate that the drawings are merely schematic illustrations of one preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to practice the present application. Those skilled in the art will appreciate that modules in an apparatus in an implementation scenario may be distributed in an apparatus in an implementation scenario according to an implementation scenario description, or that corresponding changes may be located in one or more apparatuses different from the implementation scenario. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The foregoing application serial numbers are merely for description, and do not represent advantages or disadvantages of the implementation scenario. The foregoing disclosure is merely a few specific implementations of the present application, but the present application is not limited thereto and any variations that can be considered by a person skilled in the art shall fall within the protection scope of the present application.

Claims (18)

1. A method for processing abnormal data of an operating system, comprising:
monitoring the security of a plurality of key items corresponding to an operating system, wherein the key items at least comprise one or more of installation software, a registry, WMI, a planning task and a system boot area code;
if abnormal items exist in the plurality of key items, repairing the abnormal items according to preset target repairing rules corresponding to the abnormal items, wherein different abnormal items have corresponding preset repairing rules;
in the process of repairing the abnormal item, dynamically updating the target repairing rule;
the step of dynamically updating the target repair rule comprises the following steps:
acquiring original byte code information to be updated in the target repair rule and tag information corresponding to the original byte code information;
sending the original byte code information and the tag information to a cloud server, so that the cloud server determines whether to update the original byte code information according to the tag information;
and if updated new byte code information returned by the cloud server according to the tag information is received, updating and replacing the original byte code information into the new byte code information in the target repair rule.
2. The method according to claim 1, wherein the security detection of the installed software corresponding to the operating system specifically includes:
acquiring a file list of target software running in the operating system;
carrying out security detection on paths and/or file hash values on the file list;
and if the abnormality exists according to the path and/or the file hash value, determining that the key item corresponding to the installed software is an abnormal item.
3. The method according to claim 1, wherein the security detection of the registry corresponding to the operating system specifically includes:
performing path and corresponding value security detection on the registry key of the operating system and/or the self-starting property key and/or the COM component key;
if the registry item of the operating system and/or the self-starting property item and/or the COM component item are/is judged to be abnormal, determining that the key item corresponding to the registry is an abnormal item.
4. The method of claim 1, wherein the security detection of WMI corresponding to the operating system specifically includes:
acquiring and analyzing WMI consumers and triggers;
performing malicious key item matching on the analyzed content;
and if the malicious key terms are successfully matched, determining that the key terms corresponding to the WMI are abnormal terms.
5. The method according to claim 1, wherein the security detection of the planned task corresponding to the operating system specifically includes:
resolving the name of a planning task and the target file path of the planning task;
performing abnormal name matching on the names of the planning tasks;
if the abnormal name matching is successful, acquiring a target file in the target file path to perform abnormal feature matching;
and if the abnormal characteristics are successfully matched, determining the key item corresponding to the planning task as an abnormal item.
6. The method of claim 1, wherein the security detection of the system boot code corresponding to the operating system specifically comprises:
comparing the master boot record (MBR) data with clean MBR data of the operating system;
and if an abnormal jump instruction exists, determining that the key item corresponding to the system boot area code is an abnormal item.
7. The method according to claim 1, wherein if it is determined that there is an abnormality in the installation package management software according to the abnormal item, the repairing the abnormal item according to a preset target repairing rule corresponding to the abnormal item specifically includes:
acquiring an installation directory of the installation package management software through a registry;
acquiring the position of a folder where the installation package management software is located in the installation directory;
if the file folder position has a preset target file, acquiring file information of the preset target file and matching with the abnormal rule field description;
and if the abnormal rule field describes that the matching is successful, deleting the preset target file in the folder position.
8. The method according to claim 1, wherein before repairing the abnormal item according to a target repair rule preset corresponding to the abnormal item, the method further comprises:
judging whether the current file system and/or registry of the operating system needs subsequent repair operation or not according to the target repair rule;
if the file system and/or the registry need subsequent repair operation, backing up the data of the original positions of the file system and the registry before repair;
repairing the abnormal item according to a preset target repairing rule corresponding to the abnormal item, wherein the repairing comprises the following steps:
if the repair failure results in damage to the current environment of the operating system, repairing the damaged current environment of the operating system by using the backup data.
9. An operating system exception data processing apparatus, comprising:
the monitoring module is used for monitoring the safety of a plurality of key items corresponding to the operating system, wherein the key items at least comprise one or more of installation software, a registry, WMI, a planning task and a system boot area code;
the repair module is used for repairing the abnormal item according to a preset target repair rule corresponding to the abnormal item if the abnormal item exists in the plurality of key items, wherein different abnormal items have respective corresponding preset repair rules;
the updating module is used for dynamically updating the target repairing rule in the process of repairing the abnormal item;
the updating module is specifically configured to obtain original byte code information to be updated in the target repair rule and tag information corresponding to the original byte code information;
sending the original byte code information and the tag information to a cloud server, so that the cloud server determines whether to update the original byte code information according to the tag information;
receiving updated new byte code information returned by the cloud server;
and updating and replacing the original byte code information into the new byte code information in the target repair rule.
10. The apparatus of claim 9, wherein
the monitoring module is specifically used for acquiring a file list of target software running in the operating system;
carrying out security detection on paths and/or file hash values on the file list;
and if the abnormality exists according to the path and/or the file hash value, determining that the key item corresponding to the installed software is an abnormal item.
11. The apparatus of claim 9, wherein
the monitoring module is specifically used for carrying out path and corresponding value security detection on registry items of an operating system and/or items with self-starting properties and/or COM component items;
if the registry item of the operating system and/or the self-starting property item and/or the COM component item are/is judged to be abnormal, determining that the key item corresponding to the registry is an abnormal item.
12. The apparatus of claim 9, wherein
the monitoring module is specifically used for acquiring and analyzing WMI consumers and triggers;
performing malicious key item matching on the analyzed content;
and if the malicious key terms are successfully matched, determining that the key terms corresponding to the WMI are abnormal terms.
13. The apparatus of claim 9, wherein
the monitoring module is specifically used for analyzing the name of the planning task and the target file path of the planning task;
performing abnormal name matching on the names of the planning tasks;
if the abnormal name matching is successful, acquiring a target file in the target file path to perform abnormal feature matching;
and if the abnormal characteristics are successfully matched, determining the key item corresponding to the planning task as an abnormal item.
14. The apparatus of claim 9, wherein
the monitoring module is specifically configured to compare the primary boot record MBR data with the clean MBR data of the operating system;
and if an abnormal jump instruction exists, determining that the key item corresponding to the system boot area code is an abnormal item.
15. The apparatus of claim 9, wherein
the repair module is specifically configured to obtain an installation directory of the installation package management software through a registry if it is determined that the installation package management software is abnormal according to the abnormal item;
acquiring the position of a folder where the installation package management software is located in the installation directory;
if the file folder position has a preset target file, acquiring file information of the preset target file and matching with the abnormal rule field description;
and if the abnormal rule field describes that the matching is successful, deleting the preset target file in the folder position.
16. The apparatus of claim 9, wherein the apparatus further comprises a judging module and a backup module;
the judging module is used for judging whether the current file system and/or registry of the operating system needs subsequent repair operation according to the target repair rule;
the backup module is used for backing up the data of the original positions of the file system and the registry before repair if the file system and/or the registry need subsequent repair operation;
the repair module is specifically configured to repair the damaged current environment of the operating system by using backup data if the repair failure results in damage to the current environment of the operating system.
17. A storage medium having stored thereon a computer program, wherein the program when executed by a processor implements the method of processing operating system exception data according to any one of claims 1 to 8.
18. An operating system exception data processing apparatus comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the operating system exception data processing method of any one of claims 1 to 8 when executing the program.
CN201910943747.3A 2019-09-30 2019-09-30 Processing method, device and equipment for abnormal data of operating system Active CN112579330B (en)
Publications (2)

Publication Number Publication Date
CN112579330A CN112579330A (en) 2021-03-30
CN112579330B true CN112579330B (en) 2024-02-06

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant