CN112769849B - Method, system, equipment and storage medium for virus diagnosis and blocking - Google Patents


Info

Publication number
CN112769849B
Authority
CN
China
Prior art keywords
virus
message
message forwarding
blocking
terminal
Prior art date
Legal status
Active
Application number
CN202110069494.9A
Other languages
Chinese (zh)
Other versions
CN112769849A (en)
Inventor
张宝永
俞哲伟
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202110069494.9A
Publication of CN112769849A
Application granted
Publication of CN112769849B
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: Network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/14: Network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 63/20: Network security for managing network security; network security policies in general

Abstract

In the existing local area network architecture, a virus diagnosis device is attached to the self-security device. Because most messages exchanged between the message forwarding devices pass through the self-security device, it can copy every message to the virus diagnosis device, which can therefore inspect most messages sent by terminals. The virus diagnosis device performs virus detection on all message copies and, if a virus is detected, reports the detection result (including the source information of the virus) to the management platform. On receiving the detection result, the management platform issues a blocking instruction to the message forwarding device that is the source of the virus, so that all messages sent by the virus source terminal are blocked and the terminal cannot continue sending virus-carrying messages that harm other terminals.

Description

Method, system, equipment and storage medium for virus diagnosis and blocking
Technical Field
The present disclosure relates to the field of computer networks, and in particular, to a method, system, device, and storage medium for virus diagnosis and blocking.
Background
Preventing network viruses has long been a concern. In the prior art, virus diagnosis and blocking is generally performed by the message forwarding device (such as a switch): an administrator issues configuration information to each message forwarding device, and the device diagnoses and blocks viruses according to that configuration.
However, virus diagnosis is not the main function of the message forwarding device, and its virus diagnosis capability is limited. In practice, because that capability is limited, virus protection is achieved by configuring the message forwarding device and updating its virus library, so whenever the virus library or the protection policy changes, configuration information has to be issued to every message forwarding device, which is inconvenient for the administrator to manage.
Disclosure of Invention
In order to overcome the problems of limited virus diagnosis capability and complicated configuration of the message forwarding device, the specification provides a virus diagnosis and blocking method, a system, a device and a storage medium.
The specification provides a virus diagnosis and blocking method applied to a virus diagnosis and blocking system that comprises a plurality of message forwarding devices, a self-security device, a management platform and a virus diagnosis device. The message forwarding devices interact with each other through the self-security device; for each received message, the self-security device performs a copying operation to obtain a corresponding message copy and sends the copy to the virus diagnosis device. The method comprises the following steps:
the virus diagnosis device performs virus detection on the received message copy and, if a virus is detected, reports the detection result to the management platform; the detection result comprises source information of the virus, namely a terminal identifier corresponding to the source terminal of the message copy and a message forwarding device identifier corresponding to the source message forwarding device of the message copy;
according to the detection result, and when the specified blocking condition is met, the management platform issues a blocking instruction containing the terminal identifier to the message forwarding device corresponding to the message forwarding device identifier;
and the message forwarding device blocks the messages sent by the terminal corresponding to the terminal identifier according to the received blocking instruction.
The specification also provides a virus diagnosis and blocking system, which comprises a plurality of message forwarding devices, a self-security device, a management platform and a virus diagnosis device;
the message forwarding devices interact with each other through the self-security device; for each received message, the self-security device performs a copying operation to obtain a corresponding message copy and sends the copy to the virus diagnosis device;
the virus diagnosis device is used to perform virus detection on the received message copy and, if a virus is detected, to report the detection result to the management platform; the detection result comprises source information of the virus, namely a terminal identifier corresponding to the source terminal of the message copy and a message forwarding device identifier corresponding to the source message forwarding device of the message copy;
according to the detection result, and when the specified blocking condition is met, the management platform issues a blocking instruction containing the terminal identifier to the message forwarding device corresponding to the message forwarding device identifier;
and the message forwarding device blocks the messages sent by the terminal corresponding to the terminal identifier according to the received blocking instruction.
According to the technical solution of the embodiments of the specification, a virus diagnosis device is attached to the self-security device in the existing local area network architecture. Most messages exchanged between the message forwarding devices pass through the self-security device, which can copy all of them to the virus diagnosis device, so the virus diagnosis device can inspect most messages sent by terminals. The virus diagnosis device performs virus detection on all message copies and, if a virus is detected, reports the detection result (including the source information of the virus) to the management platform. On receiving the detection result, the management platform issues a blocking instruction to the message forwarding device that is the source of the virus, so that all messages sent by the virus source terminal are blocked and the terminal cannot continue sending virus-carrying messages that harm other terminals.
By the technical solution of the embodiments of the specification, a high-performance virus diagnosis device is added, so the message forwarding device no longer needs to perform virus detection on the messages sent by terminals or to decide whether blocking is required, which reduces its workload. Because the virus diagnosis device performs better, the messages sent by terminals can be inspected comprehensively, the ability to diagnose hidden network viruses improves, and network viruses become easier to control. For network management, the administrator only needs to configure and manage centrally on the management platform, without configuring and issuing settings to each message forwarding device, which makes network management convenient.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a schematic diagram of LAN devices shown in the present specification.
Fig. 2 is a schematic diagram of a message diagnosis and blocking process in the prior art shown in the present specification.
Fig. 3 is a schematic flow chart of a virus diagnosis and blocking method shown in the specification.
Fig. 4 is a schematic diagram showing the interactions between devices in a virus diagnosis and blocking method according to the present disclosure.
Detailed Description
An important step in preventing network viruses is to control them at the source: viruses that spread over the network must be found and contained in time so that fewer terminals are damaged. In practice, therefore, virus detection is generally performed on the messages sent by each terminal, and if a virus is detected, that terminal is restricted from sending messages so that it cannot infect other terminals over the network. In the prior art, the messages sent by a terminal undergo virus diagnosis and blocking at the message forwarding device, which prevents the virus from infecting other terminals through the network. As shown in the schematic LAN architecture of fig. 1, the message forwarding devices interact with each other through a self-security device (also called an imac device), so, to stop a terminal from propagating a network virus to other terminals, the messages sent by each terminal are diagnosed at the message forwarding device. Specifically, as shown in fig. 2, an administrator issues configuration information for each message forwarding device through a management platform; the message forwarding device diagnoses the received messages according to that configuration, and if a virus is detected it blocks all messages sent by the originating terminal, generates a security log and reports it to the management platform through the self-security device so that the administrator can review it.
The network virus in this description refers to a virus that can spread through a network; a virus that only causes damage inside a terminal and does not spread through the network is outside the scope of this description.
However, because of limits on its functions and performance, the virus diagnosis capability of the message forwarding device is not strong. Generally, an administrator has to issue configuration through the management platform (such as ACL configuration, drawn-up security policies, message format checks, a library of easily checked viruses, etc.) so that the message forwarding device gains some virus diagnosis capability, but this cannot keep up with increasingly complex network environments, and the message forwarding device cannot effectively diagnose some hidden and complex network viruses. Improving the virus diagnosis capability of the message forwarding device would require improving the performance of every message forwarding device, which is expensive for enterprises. In addition, a large LAN has more than one message forwarding device, as the connection schematic of fig. 1 shows; the administrator must configure each message forwarding device on the management platform and send the configuration to the corresponding device, while in practice new viruses appear endlessly and the protection policy and virus library must be updated from time to time, which is unfriendly to the administrator and makes configuration inefficient.
In one or more embodiments of the present disclosure, a virus diagnosis device (also referred to as an imac-X device) is attached to the self-security device in the existing LAN architecture. Most messages exchanged between the message forwarding devices pass through the self-security device, which can copy all of them to the virus diagnosis device, so the virus diagnosis device can inspect most messages sent by terminals. The virus diagnosis device performs virus detection on all message copies and, if a virus is detected, reports the detection result (including the source information of the virus) to the management platform. On receiving the detection result, the management platform issues a blocking instruction to the message forwarding device that is the source of the virus, so that all messages sent by the virus source terminal are blocked and the terminal cannot continue sending virus-carrying messages that harm other terminals.
With one or more embodiments of the present disclosure, a high-performance virus diagnosis device is added, so the message forwarding device no longer needs to perform virus detection on the messages sent by terminals or to decide whether blocking is required, which reduces its workload. Because the virus diagnosis device performs better, the messages sent by terminals can be inspected comprehensively, the ability to diagnose hidden network viruses improves, and network viruses become easier to control. For network management, the administrator only needs to configure and manage centrally on the management platform, without configuring and issuing settings to each message forwarding device, which makes network management convenient.
It should be noted that, in one or more embodiments of the present disclosure, the function of the virus diagnosis device could instead be added to the management platform or to the self-security device. However, the management platform and the self-security device each have their own functions, and virus diagnosis is a complex and heavy task; adding it to either device would require raising that device's existing performance and balancing it against the device's other functions. Adding the virus diagnosis function to the management platform or the self-security device is therefore feasible, but of less practical value than adding a separate virus diagnosis device.
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present description as detailed in the accompanying claims.
The terminology used in the description presented herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this specification to describe various kinds of information, this information should not be limited by these terms. These terms are only used to distinguish one kind of information from another. For example, without departing from the scope of the present description, first information may also be referred to as second information, and similarly second information may also be referred to as first information. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to determining", depending on the context.
Next, embodiments of the present specification will be described in detail.
Fig. 3 is a schematic flow chart of virus diagnosis and blocking according to an exemplary embodiment of the present disclosure, comprising the following steps:
Step 201, the virus diagnosis device performs virus detection on all received message copies.
The self-security device manages the message interactions between the message forwarding devices, so most messages received by the message forwarding devices pass through it. For each message it receives, the self-security device performs a copying operation to obtain a corresponding message copy and sends that copy to the virus diagnosis device.
The virus diagnosis device performs virus detection on the received message copy. It is dedicated to virus detection and has a stronger virus diagnosis capability than the message forwarding device. The virus diagnosis capability of each message forwarding device could in principle be improved, but doing so would affect the device's original message forwarding function, which must not be impaired; the same consideration applies to the self-security device and the management platform. The alternative is to raise the performance of every message forwarding device, which means replacing the existing devices with more expensive ones, and replacing all message forwarding devices is costly.
Step 202, if the virus diagnosis device detects a virus, it sends a detection result including the virus source information to the management platform.
The virus source information identifies where the message copy in which the virus was detected came from: from the content of the message copy, the virus diagnosis device determines which message forwarding device and which terminal the copy originated from, and uses the determined message forwarding device identifier and terminal identifier as the source information of the virus.
In the structure of fig. 1, suppose terminal 1 needs to send a message X to terminal 6. Terminal 1 first sends the message to message forwarding device A; after receiving message X, device A forwards it through the self-security device to message forwarding device C. On receiving message X, the self-security device copies it to obtain message copy X and forwards the copy to the virus diagnosis device. If the virus diagnosis device detects a virus in message copy X, the source of the virus (i.e. the source of message copy X) is message forwarding device A and terminal 1, and the virus source information is the identifier of device A and the identifier of terminal 1.
The identifier may be a MAC address, an IP address or the like, and uniquely identifies each terminal and each message forwarding device.
In practical applications, the detection result may further include virus attributes, such as the virus name (e.g. win32.BHO.anbp, win32.StartPage.Aggp [Dropper], win32.QQPass.Yia), the virus risk level (e.g. high, medium, low) and the virus type (e.g. laughing virus, macro virus, back door virus).
Step 203, according to the detection result and when the specified condition is met, the management platform sends a blocking instruction containing the virus source terminal identifier to the virus source message forwarding device.
An administrator generally manages every device on the management platform. From the message forwarding device identifier in the virus source information of the detection result, the management platform determines to which message forwarding device the blocking instruction must be issued (i.e. it determines the source message forwarding device), and then issues a blocking instruction containing the terminal identifier of the source terminal to that source message forwarding device.
When the detection result includes a virus attribute, an administrator may configure a blocking policy for each message forwarding device, that is, the set of virus attributes that the device must block. If the virus attribute is a virus name, the corresponding attribute set consists of several virus names; if it is a virus type, the set consists of several virus types; and if it is a virus risk level, the set consists of virus risk levels.
Taking the virus risk level as an example, the level can be graded by the epidemic degree of existing viruses (how widely they spread; the wider the spread, the higher the risk), by their hazard degree (the severity of the consequences; the greater the harm, the higher the risk), or by both together. The grading itself can follow actual needs: for example, three grades (high, medium, low; or general, important, severe) or five grades (first-level, second-level, third-level, fourth-level and fifth-level virus).
As shown in fig. 1, if the blocking policy of message forwarding device B is to block viruses of medium and high risk level, the virus attribute set corresponding to device B is {medium, high}. If the virus diagnosis device detects that a message sent by terminal 3 carries a low-level virus, that virus is outside the blocking policy of device B, so the management platform issues no blocking instruction for it; if the virus diagnosis device detects that a message sent by terminal 4 carries a high-level virus, that virus is inside the blocking policy of device B, so the management platform sends device B a blocking instruction containing the terminal identifier of terminal 4.
It should be noted that, compared with the blocking configuration of the prior art, the embodiments of the present disclosure are more flexible and convenient: a different blocking policy can be configured for each message forwarding device without sending configuration information to each device. For example, the terminals served by one message forwarding device may be special and have higher security requirements, so when the management platform configures that device's blocking policy, viruses of every attribute are blocked. The terminals served by another message forwarding device send normal messages that are easily misidentified as low-level viruses, so when configuring that device's blocking policy only viruses of medium and high risk level are blocked.
Step 204, the message forwarding device blocks the messages sent by the virus source terminal according to the blocking instruction.
Receiving a blocking instruction tells the message forwarding device that one of the terminals connected to it is sending messages that contain a network virus. According to the terminal identifier in the blocking instruction, the message forwarding device determines the corresponding terminal among those connected to it and blocks all messages sent by that terminal, so that it cannot continue sending messages containing the network virus into the network.
In practical application, the management platform may also release the blocking of messages sent by a target terminal that meets the security requirement, for example after a technician or administrator confirms that the blocked terminal has completed a security check, or that it was misdiagnosed. The management platform then sends a release instruction containing the target terminal identifier to the message forwarding device responsible for forwarding that terminal's messages, so that the target terminal can again send messages normally to other terminals or devices.
Specifically, when the management platform issues a blocking instruction, it adds the terminal identifier in that instruction to a blocking list. As shown in fig. 1, after determining that terminal 3 is safe, the administrator removes terminal identifier 3 from the blocking list; the management platform generates a release instruction for terminal identifier 3 and issues it to message forwarding device B, which is responsible for forwarding the messages of terminal 3, so that terminal 3 can again send messages normally to other terminals or devices.
Fig. 4 shows the interaction process between the devices in one or more embodiments. Depending on the actual situation, an administrator configures the blocking policy of each message forwarding device on the management platform; after the configuration is completed, a notification is sent to each successfully configured message forwarding device to inform it that it no longer needs to perform virus identification or report security logs.
After a terminal is powered on and online, it sends messages through its message forwarding device; when the message forwarding device forwards a message to other devices through the self-security device, the self-security device copies the message to the virus diagnosis device.
The virus diagnosis device performs virus detection on the received message copy; if a virus is detected, it generates a detection result from the source information and the attributes of the virus and reports it to the management platform.
After receiving the detection result, the management platform looks up the blocking policy corresponding to the message forwarding device identifier in the virus source information (i.e. the attribute set configured for that device), then checks whether the virus attribute is in that attribute set (i.e. whether the virus falls within the blocking range). If it does, the platform generates a blocking instruction from the terminal identifier in the virus source information and sends it to the message forwarding device corresponding to the message forwarding device identifier; if it does not, no operation is performed.
If the message forwarding device receives a blocking instruction from the management platform, it blocks the messages sent by the terminal corresponding to the terminal identifier in the blocking instruction.
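The steps above (202 to 204 and the fig. 4 exchange) as an added Python simulation; this is not code from the patent or from Hangzhou DPTech. The management platform keeps the per-device attribute set and the blocking list, decides whether a detection result is in the blocking range, and issues block and release instructions that the forwarding device enforces by source terminal identifier. Class names, the risk-level helper (which takes the higher of epidemic and hazard degree) and the MAC-address sample values are assumptions made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class RiskLevel(IntEnum):
    """Three-grade virus risk level (the description's high / medium / low)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def classify_risk(epidemic_degree: int, hazard_degree: int) -> RiskLevel:
    """Level from epidemic and hazard degree (1..3 each); using the higher is a constructed choice."""
    return RiskLevel(max(1, min(3, max(epidemic_degree, hazard_degree))))


@dataclass(frozen=True)
class DetectionResult:
    """Step 202 report: virus source information plus virus attributes."""
    forwarding_device_id: str   # source message forwarding device
    terminal_id: str            # source terminal (a MAC address in this example)
    virus_name: str
    risk_level: RiskLevel


@dataclass(frozen=True)
class Instruction:
    """Instruction the management platform issues to one forwarding device."""
    action: str                 # "block" or "release"
    forwarding_device_id: str
    terminal_id: str


class ManagementPlatform:
    """Holds each device's blocking policy (attribute set) and the blocking list."""

    def __init__(self) -> None:
        self.policies: dict[str, frozenset[RiskLevel]] = {}
        self.block_list: set[tuple[str, str]] = set()

    def configure_policy(self, device_id: str, levels: set[RiskLevel]) -> None:
        self.policies[device_id] = frozenset(levels)

    def handle_detection(self, result: DetectionResult) -> Instruction | None:
        """Step 203: block only if the attribute is in the source device's attribute set."""
        policy = self.policies.get(result.forwarding_device_id, frozenset())
        if result.risk_level not in policy:
            return None                       # outside the blocking range: no operation
        key = (result.forwarding_device_id, result.terminal_id)
        if key in self.block_list:
            return None                       # already blocked: do not re-issue
        self.block_list.add(key)
        return Instruction("block", *key)

    def release(self, device_id: str, terminal_id: str) -> Instruction | None:
        """Administrator removes a terminal confirmed safe; a release instruction follows."""
        key = (device_id, terminal_id)
        if key not in self.block_list:
            return None
        self.block_list.discard(key)
        return Instruction("release", device_id, terminal_id)


class ForwardingDevice:
    """Step 204: enforces instructions by source terminal identifier; no detection of its own."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.blocked_terminals: set[str] = set()

    def apply(self, instr: Instruction) -> None:
        if instr.forwarding_device_id != self.device_id:
            return                            # addressed to another device
        if instr.action == "block":
            self.blocked_terminals.add(instr.terminal_id)
        elif instr.action == "release":
            self.blocked_terminals.discard(instr.terminal_id)

    def forward(self, src_terminal_id: str) -> bool:
        return src_terminal_id not in self.blocked_terminals   # True means forwarded


def run_scenario() -> dict:
    """Fig. 1 example: device B blocks medium/high; terminal 3 low, terminal 4 high, then released."""
    platform = ManagementPlatform()
    platform.configure_policy("B", {RiskLevel.MEDIUM, RiskLevel.HIGH})
    device_b = ForwardingDevice("B")
    # Constructed detection results; MAC addresses are sample values.
    low = DetectionResult("B", "00:11:22:33:44:03", "Sample.Low", RiskLevel.LOW)
    high = DetectionResult("B", "00:11:22:33:44:04", "Sample.High", RiskLevel.HIGH)
    out = {}
    out["low_instruction"] = platform.handle_detection(low)          # None
    block = platform.handle_detection(high)
    device_b.apply(block)                     # not None: HIGH is in B's attribute set
    out["high_action"] = block.action                                # "block"
    out["t3_forwarded"] = device_b.forward(low.terminal_id)          # True
    out["t4_forwarded_while_blocked"] = device_b.forward(high.terminal_id)  # False
    out["duplicate_instruction"] = platform.handle_detection(high)   # None
    release = platform.release("B", high.terminal_id)
    device_b.apply(release)                   # not None: terminal 4 was on the blocking list
    out["t4_forwarded_after_release"] = device_b.forward(high.terminal_id)  # True
    return out
```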
The virus diagnosis and blocking system comprises a plurality of message forwarding devices, a self-safety device, a management platform and a virus diagnosis device;
the message forwarding devices communicate with each other through the self-safety device; for each message it receives, the self-safety device makes a copy and sends the copy to the virus diagnosis device;
the virus diagnosis device performs virus detection on each received message copy; if a virus is detected, it reports the detection result to the management platform; the detection result comprises virus source information, which comprises the terminal identifier of the terminal from which the copied message originated and the message forwarding device identifier of the message forwarding device from which the copy came;
when the specified blocking condition is met for the detection result, the management platform issues a blocking instruction containing the terminal identifier to the message forwarding device corresponding to the message forwarding device identifier;
and the message forwarding device blocks messages sent by the terminal corresponding to the terminal identifier according to the received blocking instruction.
The detection result further comprises a virus attribute of the virus;
the specified blocking condition is that the virus attribute is in the attribute set corresponding to the message forwarding device identifier. The attribute set is configured by an administrator.
The virus attribute may be a virus risk level; risk levels are classified according to the hazard level and/or prevalence of known viruses.
The virus diagnosis and blocking system may further operate as follows:
for a target terminal that meets a specified condition, the management platform sends a release instruction containing the terminal identifier of the target terminal to the message forwarding device responsible for forwarding messages sent by that terminal;
and the message forwarding device, according to the release instruction, stops blocking messages sent by the target terminal.
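The decision logic described above (policy lookup by forwarding device identifier, attribute-set check, blocking instruction carrying only the terminal identifier, and the later release instruction) can be modelled end to end. The following is an added example and is not code from the patent or from Hangzhou DPTech; it simulates the three roles the description assigns to the virus diagnosis device, the management platform and the message forwarding devices. The device and terminal identifiers, the risk-level names, the policy contents, the instruction format and the explicit operator-triggered release are all assumptions made for the example (the page does not define the release condition).

```python
"""Model of the blocking / release workflow from the description (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class DetectionResult:
    """What the virus diagnosis device reports to the management platform."""
    terminal_id: str       # terminal from which the copied message originated
    forwarder_id: str      # message forwarding device the copy came from
    virus_attribute: str   # here a risk level; level names are assumptions


@dataclass
class ForwardingDevice:
    """Message forwarding device: forwards unless the source terminal is blocked."""
    device_id: str
    blocked: Set[str] = field(default_factory=set)
    # Claim 1: once configured by the platform, the device stops its own virus
    # identification and security-log reporting (the diagnosis device takes over).
    local_virus_identification: bool = True
    security_log_reporting: bool = True

    def handle(self, instruction: Dict[str, str]) -> None:
        """Apply an instruction received from the management platform (assumed format)."""
        action = instruction["action"]
        if action == "configured":
            self.local_virus_identification = False
            self.security_log_reporting = False
        elif action == "block":
            self.blocked.add(instruction["terminal_id"])
        elif action == "release":
            self.blocked.discard(instruction["terminal_id"])
        else:
            raise ValueError(f"unknown instruction {action!r}")

    def forward(self, terminal_id: str) -> bool:
        """True if a message from terminal_id is forwarded, False if it is dropped."""
        return terminal_id not in self.blocked


class ManagementPlatform:
    """Holds one blocking policy (attribute set) per forwarding device."""

    def __init__(self) -> None:
        self.policies: Dict[str, FrozenSet[str]] = {}
        self.devices: Dict[str, ForwardingDevice] = {}

    def configure(self, device: ForwardingDevice, attribute_set: Iterable[str]) -> None:
        """Administrator configures the attribute set for a device, then notifies it."""
        self.devices[device.device_id] = device
        self.policies[device.device_id] = frozenset(attribute_set)
        device.handle({"action": "configured"})

    def on_detection(self, result: DetectionResult) -> Optional[Dict[str, str]]:
        """Apply the specified blocking condition; return the instruction sent, if any."""
        policy = self.policies.get(result.forwarder_id)
        # Unknown forwarder, or attribute outside the configured set: no operation.
        if policy is None or result.virus_attribute not in policy:
            return None
        instruction = {"action": "block", "terminal_id": result.terminal_id}
        self.devices[result.forwarder_id].handle(instruction)
        return instruction

    def release(self, forwarder_id: str, terminal_id: str) -> Dict[str, str]:
        """Send a release instruction for a target terminal (trigger is an assumption)."""
        instruction = {"action": "release", "terminal_id": terminal_id}
        self.devices[forwarder_id].handle(instruction)
        return instruction


def run_demo() -> Dict[str, object]:
    """Constructed scenario: two forwarders with different policies, three detections."""
    platform = ManagementPlatform()
    fw_a = ForwardingDevice("fw-A")
    fw_b = ForwardingDevice("fw-B")
    platform.configure(fw_a, {"high", "critical"})   # strict policy
    platform.configure(fw_b, {"critical"})           # only the highest risk level

    reports = [
        DetectionResult("term-1", "fw-A", "high"),      # in fw-A's set: blocked
        DetectionResult("term-2", "fw-B", "high"),      # not in fw-B's set: no-op
        DetectionResult("term-3", "fw-C", "critical"),  # no policy for fw-C: no-op
    ]
    sent = [platform.on_detection(r) for r in reports]
    blocked = {"fw-A": set(fw_a.blocked), "fw-B": set(fw_b.blocked)}

    # term-1 is dropped by fw-A until the platform releases it.
    before_release = fw_a.forward("term-1")
    platform.release("fw-A", "term-1")
    after_release = fw_a.forward("term-1")

    return {
        "instructions": sent,
        "blocked_after_detections": blocked,
        "term1_forwarded_before_release": before_release,
        "term1_forwarded_after_release": after_release,
        "fw_a_local_av": fw_a.local_virus_identification,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two points the model makes visible: the blocking instruction identifies only the terminal, so every message from that terminal is dropped at the forwarding device regardless of content, and a detection on a forwarder with no configured policy (or with the attribute outside its set) results in no instruction at all, which is why the per-device attribute set is the effective control.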
The implementation of the functions and roles of each device in the system is described in the corresponding steps of the method above and is not repeated here.
The present specification also provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor is configured to perform the method performed by any one of the management platform, message forwarding device, virus diagnosis device and self-safety device described above.
The embodiments of the present specification also provide a computer readable storage medium on which a computer program is stored; when executed by a processor, the program performs the method performed by any one of the management platform, message forwarding device, virus diagnosis device and self-safety device described above.
Computer readable media, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer readable media do not include transitory computer readable media (transmission media) such as modulated data signals and carrier waves.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of the present specification will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses or adaptations that follow its general principles, including such departures from the present disclosure as come within known or customary practice in the art to which the specification pertains. The specification and examples are to be considered exemplary only, with the true scope and spirit of the specification being indicated by the following claims.
It is to be understood that the present description is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The foregoing description of the preferred embodiments is provided for the purpose of illustration only, and is not intended to limit the scope of the disclosure, since any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the disclosure are intended to be included within the scope of the disclosure.

Claims (8)

1. A virus diagnosis and blocking method, applied to a virus diagnosis and blocking system comprising a plurality of message forwarding devices, a self-safety device, a management platform and a virus diagnosis device; the management platform is configured with the blocking policy of each message forwarding device, manages the message forwarding devices, and sends a notification message to each message forwarding device that has been successfully configured, so that the successfully configured message forwarding device stops its own virus identification and stops reporting security logs; the message forwarding devices communicate with each other through the self-safety device; for each message it receives, the self-safety device makes a copy and sends the copy to the virus diagnosis device; the method comprises:
the virus diagnosis device performs virus detection on the received message copy; if a virus is detected, it reports the detection result to the management platform; the detection result comprises virus source information and a virus attribute of the virus; the virus source information comprises the terminal identifier of the terminal from which the copied message originated and the message forwarding device identifier of the message forwarding device from which the copy came;
the management platform looks up the blocking policy corresponding to the message forwarding device identifier contained in the detection result and, when the specified blocking condition is met according to the blocking policy found and the virus attribute, issues a blocking instruction containing the terminal identifier to the message forwarding device corresponding to the message forwarding device identifier; the specified blocking condition is that the virus attribute is in the attribute set corresponding to the message forwarding device identifier;
and the message forwarding device blocks messages sent by the terminal corresponding to the terminal identifier according to the received blocking instruction.
2. The method of claim 1, wherein the virus attribute is a virus risk level; the risk level is classified according to the hazard level and/or prevalence of known viruses.
3. The method of any one of claims 1 to 2, further comprising:
for a target terminal that meets a specified condition, the management platform sends a release instruction containing the terminal identifier of the target terminal to the message forwarding device responsible for forwarding messages sent by the target terminal;
and the message forwarding device stops blocking messages sent by the target terminal according to the release instruction.
4. A virus diagnosis and blocking system, comprising a plurality of message forwarding devices, a self-safety device, a management platform and a virus diagnosis device;
the management platform is configured with the blocking policy of each message forwarding device, manages the message forwarding devices, and sends a notification message to each message forwarding device that has been successfully configured, so that the successfully configured message forwarding device stops its own virus identification and stops reporting security logs; the message forwarding devices communicate with each other through the self-safety device; for each message it receives, the self-safety device makes a copy and sends the copy to the virus diagnosis device;
the virus diagnosis device performs virus detection on the received message copy; if a virus is detected, it reports the detection result to the management platform; the detection result comprises virus source information and a virus attribute of the virus; the virus source information comprises the terminal identifier of the terminal from which the copied message originated and the message forwarding device identifier of the message forwarding device from which the copy came;
the management platform looks up the blocking policy corresponding to the message forwarding device identifier contained in the detection result and, when the specified blocking condition is met according to the blocking policy found and the virus attribute, issues a blocking instruction containing the terminal identifier to the message forwarding device corresponding to the message forwarding device identifier; the specified blocking condition is that the virus attribute is in the attribute set corresponding to the message forwarding device identifier;
and the message forwarding device blocks messages sent by the terminal corresponding to the terminal identifier according to the received blocking instruction.
5. The system of claim 4, wherein the virus attribute is a virus risk level; the risk level is classified according to the hazard level and/or prevalence of known viruses.
6. The system of any one of claims 4 to 5, wherein
for a target terminal that meets a specified condition, the management platform sends a release instruction containing the terminal identifier of the target terminal to the message forwarding device responsible for forwarding messages sent by the target terminal;
and the message forwarding device stops blocking messages sent by the target terminal according to the release instruction.
7. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor is configured to implement the method of any one of claims 1 to 3 by running the computer program.
8. A computer readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of the method of any one of claims 1 to 3.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110069494.9A CN112769849B (en) 2021-01-19 2021-01-19 Method, system, equipment and storage medium for virus diagnosis and blocking

Publications (2)

Publication Number Publication Date
CN112769849A CN112769849A (en) 2021-05-07
CN112769849B true CN112769849B (en) 2023-06-09

Family

ID=75703167

Country Status (1)

Country Link
CN (1) CN112769849B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114944930A (en) * 2022-03-25 2022-08-26 国网浙江省电力有限公司杭州供电公司 Intranet safe communication method based on high aggregation scene

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5414833A (en) * 1993-10-27 1995-05-09 International Business Machines Corporation Network security system and method using a parallel finite state machine adaptive active monitor and responder
WO2009125659A1 (en) * 2008-04-11 2009-10-15 Mitsubishi Electric Corporation Device state detecting device, device state detecting method, device state detecting server, device state detecting system, liver abnormality detecting device, liver abnormality detecting system, liver abnormality detecting method, and device state database maintaining server
CN104539625A (en) * 2015-01-09 2015-04-22 江苏理工学院 Network security defense system based on software-defined network and working method of network security defense system
CN105763351A (en) * 2014-12-17 2016-07-13 华为技术有限公司 Method for deploying value added service, forwarding equipment, detection equipment, and management equipment
CN111107087A (en) * 2019-12-19 2020-05-05 杭州迪普科技股份有限公司 Message detection method and device

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5124455B2 (en) * 2005-07-28 2013-01-23 mFormation Technologies, Inc. System and method for remotely controlling device functionality
CN101022459B (en) * 2007-03-05 2010-05-26 华为技术有限公司 System and method for preventing virus invading network
US10091238B2 (en) * 2014-02-11 2018-10-02 Varmour Networks, Inc. Deception using distributed threat detection
US9769209B1 (en) * 2016-03-04 2017-09-19 Secureauth Corporation Identity security and containment based on detected threat events
CN106254338B (en) * 2016-07-29 2019-09-06 新华三技术有限公司 Message detecting method and device
US10771487B2 (en) * 2016-12-12 2020-09-08 Gryphon Online Safety Inc. Method for protecting IoT devices from intrusions by performing statistical analysis
CN108551449B (en) * 2018-04-13 2021-02-05 上海携程商务有限公司 Anti-virus management system and method
CN110505235B (en) * 2019-09-02 2021-10-01 四川长虹电器股份有限公司 System and method for detecting malicious request bypassing cloud WAF

Also Published As

Publication number Publication date
CN112769849A (en) 2021-05-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant