CN113282922A - Method, device, equipment and medium for performing protection control on mobile storage equipment - Google Patents


Publication number
CN113282922A
Authority
CN
China
Prior art keywords
mobile storage
client
storage device
value
target reference
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110725664.4A
Other languages
Chinese (zh)
Other versions
CN113282922B (en
Inventor
奚乾悦
徐翰隆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Application filed by Beijing Antiy Network Technology Co Ltd filed Critical Beijing Antiy Network Technology Co Ltd
Priority to CN202110725664.4A priority Critical patent/CN113282922B/en
Publication of CN113282922A publication Critical patent/CN113282922A/en
Application granted granted Critical
Publication of CN113282922B publication Critical patent/CN113282922B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method, an apparatus, a device and a medium for performing protection control on a mobile storage device. The method comprises: receiving device characteristic information sent by an external client, the device characteristic information being obtained and sent by the client when it detects that the mobile storage device has been connected to it; determining at least one reference feature according to the device characteristic information; performing reputation evaluation on the mobile storage device according to the at least one reference feature; determining a corresponding protection control strategy according to the reputation evaluation result; and sending the protection control strategy to the client so that the client performs protection control on the mobile storage device using that strategy. This scheme improves the protection capability with respect to mobile storage devices.

Description

Method, device, equipment and medium for performing protection control on mobile storage equipment
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method, a device, equipment and a medium for performing protection control on mobile storage equipment.
Background
Using mobile storage devices to copy and store files is already a very common application scenario. However, malicious attackers often use a mobile storage device to attack the client device it is connected to. For example, a virus file is stored on a mobile storage device, and after the mobile storage device is connected to a client device, the virus file is implanted into the client device in order to attack it.
In the related art, when the client device detects that a mobile storage device has been connected, it scans the mobile storage device and deletes any virus file it finds, thereby protecting the client device.
Disclosure of Invention
Based on the problem of low protection capability of the mobile storage device, embodiments of the present invention provide a method, an apparatus, a device, and a medium for performing protection control on the mobile storage device, which can improve the protection capability of the mobile storage device.
In a first aspect, an embodiment of the present invention provides a method for performing protection control on a mobile storage device, which is applied to a server, and includes:
receiving device characteristic information sent by an external client; the device characteristic information is obtained and sent by the client when the client detects that the mobile storage device is connected to the client;
determining at least one reference feature according to the device feature information;
performing reputation evaluation on the mobile storage device according to the at least one reference feature;
determining a corresponding protection control strategy according to the reputation evaluation result;
and sending the protection control strategy to the client so that the client performs protection control on the mobile storage device by using the protection control strategy.
Preferably, the reputation evaluating the mobile storage device according to the at least one reference feature comprises:
respectively determining the operation values of the target reference features in the at least one reference feature;
determining an abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value;
and calculating a reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature.
Preferably, there are multiple standard boundary values, which form at least two reference intervals, each reference interval corresponding to one abnormality index;
the determining the abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value comprises the following steps:
determining a target reference interval corresponding to the operation value of the target reference feature;
and determining the abnormality index corresponding to the target reference interval as the abnormality index of the target reference feature.
Preferably, there is one standard boundary value;
the determining the abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value comprises the following steps:
comparing the operation value of the target reference feature with the standard boundary value;
if the comparison result meets the preset abnormal condition, calculating the difference between the operation value of the target reference feature and the standard boundary value, and calculating the abnormality index of the target reference feature according to the difference;
and if the comparison result does not meet the abnormal condition, taking a set value as the abnormality index of the target reference feature.
Preferably, the calculating the reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature includes:
determining a total value of the reputation evaluation;
determining a weight value of the target reference feature;
calculating the product of the weight value of the target reference feature, the abnormality index of the target reference feature and the total reputation evaluation value;
and obtaining the reputation evaluation value of the mobile storage device by using the product.
Preferably, after the sending the protection control policy to the client, the method further includes:
receiving, from the client, data interaction behaviors between the client and the mobile storage device; the data interaction behaviors are detected by the client while it performs the protection control;
and updating the current reputation evaluation value of the mobile storage equipment according to the data interaction behavior.
Preferably, after the updating the reputation evaluation value of the mobile storage device, the method further includes:
and when the updated reputation evaluation value meets the ejection condition, sending a forced ejection instruction to the client so that the client forcibly ejects the mobile storage device.
In a second aspect, an embodiment of the present invention further provides a device for performing protection control on a mobile storage device, where the device is located at a server and includes:
the receiving unit is used for receiving the device characteristic information sent by the external client; the device characteristic information is obtained and sent by the client when the client detects that the mobile storage device is connected to the client;
a reference feature determination unit, configured to determine at least one reference feature according to the device feature information;
the reputation evaluation unit is used for evaluating the reputation of the mobile storage device according to the at least one reference feature;
the strategy determining unit is used for determining a corresponding protection control strategy according to the reputation evaluation result;
and the sending unit is used for sending the protection control strategy to the client so that the client performs protection control on the mobile storage device by using the protection control strategy.
In a third aspect, an embodiment of the present invention further provides a computing device, including a memory and a processor, where the memory stores a computer program, and the processor, when executing the computer program, implements the method described in any embodiment of this specification.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer program causes the computer to execute the method described in any embodiment of the present specification.
The embodiment of the invention provides a method, a device, equipment and a medium for protecting and controlling mobile storage equipment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a method for performing protection control on a mobile storage device according to an embodiment of the present invention;
Fig. 2 is a flowchart of a reputation evaluation method according to an embodiment of the present invention;
Fig. 3 is a flowchart of a method for calculating a reputation evaluation value according to an embodiment of the present invention;
Fig. 4 is a diagram of a hardware architecture of a computing device according to an embodiment of the present invention;
Fig. 5 is a block diagram of an apparatus for performing protection control on a mobile storage device according to an embodiment of the present invention;
Fig. 6 is a block diagram of another apparatus for performing protection control on a mobile storage device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some but not all embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the protection scope of the present invention.
As mentioned above, a malicious attacker may store a virus file on a mobile storage device so that, after the mobile storage device is connected to a client device, the virus file is implanted into the client device in order to attack it. In the related art, when a client device detects that a mobile storage device has been connected, it scans the mobile storage device to check whether a virus file is stored on it. If a virus file is found, it is deleted, and data is then copied between the mobile storage device and the client device. However, client devices are only able to detect known viruses and have limited defense against unknown viruses. The prior art therefore offers only low protection capability with respect to mobile storage devices.
Reputation evaluation of the mobile storage device can therefore be considered, with different protection control strategies executed for the mobile storage device according to the reputation evaluation result, so as to achieve a protection effect that virus scanning alone cannot.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a method for performing protection control on a mobile storage device, which is applied to a server, and the method includes:
Step 100, receiving device characteristic information sent by an external client; the device characteristic information is obtained and sent by the client when the client detects that the mobile storage device is connected to the client.
Step 102, determining at least one reference feature according to the device feature information.
Step 104, performing reputation evaluation on the mobile storage device according to the at least one reference feature.
Step 106, determining a corresponding protection control strategy according to the reputation evaluation result.
Step 108, sending the protection control strategy to the client, so that the client performs protection control on the mobile storage device by using the protection control strategy.
In this embodiment of the invention, the server performs reputation evaluation on the mobile storage device connected to the client, and the client can apply different protection control strategies to mobile storage devices with different reputations according to the different reputation evaluation results. This achieves a protection effect that virus scanning alone cannot, and improves the protection capability with respect to mobile storage devices.
The manner in which the various steps shown in fig. 1 are performed is described below.
First, for step 100: receiving device characteristic information sent by an external client; the device characteristic information is obtained and sent by the client when the client detects that the mobile storage device is connected to the client.
The client can monitor connection events on its peripheral interfaces. When it detects that a mobile storage device has been connected to a peripheral interface, it obtains the device characteristic information and sends it to the server, which performs reputation evaluation on the mobile storage device.
In one embodiment of the invention, the device characteristic information may include one or more of: client device attribute information, mobile storage device attribute information and storage information of the mobile storage device.
Wherein the client device attribute information may include: one or more of a name, type, brand, and ID. The mobile storage device attribute information may include: one or more of access time, name, type, brand, and ID. The storage information of the mobile storage device may include: whether the mobile storage device contains viruses and virus characteristics when the viruses are contained, whether the mobile storage device contains abnormal files and abnormal file characteristics when the abnormal files are contained, and the like.
Then, for step 102, at least one reference feature is determined based on the device feature information.
In one embodiment of the present invention, in order to improve the accuracy of reputation evaluation on a mobile storage device, device feature information may be analyzed in at least the following dimensions to obtain at least one reference feature:
Dimension one, client history information.
In this dimension, the reference features that may be determined may include: the historical times of the client accessing the mobile storage device and the historical times of the client accessing other mobile storage devices.
In an embodiment of the present invention, after the server receives the device characteristic information reported by the client each time, the server stores the access relationship between the client and the mobile storage device according to the client device attribute information and the mobile storage device attribute information.
After the server receives the device feature information reported by the client this time, whether the access relationship of the client accessing the mobile storage device is stored or not and whether the access relationship of the client accessing other mobile storage devices is stored or not can be determined according to the client device attribute information and the mobile storage device attribute information; if the access relation of the client accessing the mobile storage device is determined to be stored, further determining the access times; and if the access relationship of the client accessing the mobile storage device is not stored, determining that the historical times of the client accessing the mobile storage device is 0. If the access relation of the client accessing other mobile storage devices is determined to be stored, further determining the access times; and if the access relation that the client accesses other mobile storage devices is not stored, determining that the historical times that the client accesses other mobile storage devices is 0.
Dimension two, mobile storage device history information.
In this dimension, the reference features that may be determined may include: historical times of accessing other clients by the mobile storage device.
In an embodiment of the present invention, the historical times of accessing other clients by the mobile storage device may also be determined by the storage information in the server. After the server receives the device feature information reported by the client this time, whether an access relation of the mobile storage device accessing other clients is stored or not can be determined according to the client device attribute information and the mobile storage device attribute information, and if the access relation of the mobile storage device accessing other clients is determined to be stored, the access times are further determined; and if the access relation of the mobile storage device accessing other clients is not stored, determining that the historical times of the mobile storage device accessing other clients is 0.
Dimension three, current information of the mobile storage device.
In this dimension, the reference features that may be determined may include: whether virus files are stored in the mobile storage device, the type of the virus files stored in the mobile storage device, whether abnormal files are stored in the mobile storage device, the type of the abnormal files stored in the mobile storage device and the matching degree of the identification type of the mobile storage device and the actual type.
In an embodiment of the present invention, if a virus file is stored in the mobile storage device, the type of the virus file, such as a virus format, may be further determined. If the abnormal file is stored in the mobile storage device, the type of the abnormal file may be further determined, for example, whether the abnormal file is an unknown executable program, whether a program language is a non-general language, whether the abnormal file is a file that does not appear on a black list or a white list, or the like.
In one embodiment of the present invention, the actual type of the mobile storage device may also be identified, and the identification type of the mobile storage device obtained, to determine whether the identification type matches the actual type. For example, if the identified actual type of the mobile storage device is a device with a storage function, but the identification type of the mobile storage device is a keyboard or a mouse, it may be determined that the identification type of the mobile storage device does not match the actual type.
Next, with respect to step 104, a reputation evaluation is performed on the mobile storage device based on the at least one reference characteristic.
In an embodiment of the present invention, in order to accurately obtain a reputation evaluation result for the mobile storage device, referring to fig. 2, step 104 can be performed in at least the following way:
Step 200, respectively determining the operation values of the target reference features in the at least one reference feature.
In an embodiment of the present invention, if the reference feature obtained in step 102 is of a numerical type, the numerical value can be used directly as the operation value of the reference feature. For example, if the reference feature obtained in step 102 is the historical number of times that the client has accessed the mobile storage device, that number is used directly as the operation value. If the reference feature obtained in step 102 is of a content type, the content may be quantized to obtain the operation value of the reference feature. For example, if the reference feature obtained in step 102 is whether a virus file is stored in the mobile storage device, the operation value of the reference feature may be 1 if a virus file is stored in the mobile storage device and 0 if not.
Step 202, determining an abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value.
In an embodiment of the present invention, the abnormality index may be determined in different ways for different target reference features, and the number of standard boundary values may differ accordingly. Specifically, the number of standard boundary values corresponds to at least the following two cases:
Case A: there are multiple standard boundary values.
Case B: there is one standard boundary value.
The following describes how to determine the abnormality index for each of the above two cases.
In Case A, the multiple standard boundary values form at least two reference intervals, each reference interval corresponding to one abnormality index. For example, two standard boundary values form three reference intervals:
reference interval 1 is (0, standard boundary value 1), with abnormality index A;
reference interval 2 is [standard boundary value 1, standard boundary value 2], with abnormality index B;
reference interval 3 is (standard boundary value 2, +∞), with abnormality index C.
Then, this step 202 may include: determining a target reference interval corresponding to the operation value of the target reference feature; and determining the abnormality index corresponding to the target reference interval as the abnormality index of the target reference feature.
In Case A, the correspondence between reference intervals and abnormality indexes means that once the reference interval for the target reference feature is determined, the abnormality index can be determined quickly, which speeds up reputation evaluation.
In Case B, this step 202 may include: comparing the operation value of the target reference feature with the standard boundary value; if the comparison result meets the preset abnormal condition, calculating the difference between the operation value of the target reference feature and the standard boundary value, and calculating the abnormality index of the target reference feature according to the difference; and if the comparison result does not meet the abnormal condition, taking the set value as the abnormality index of the target reference feature.
In one embodiment of the invention, the abnormal condition may differ for different reference features. For example, if the target reference feature is the historical number of times that the client has accessed the mobile storage device, then the higher the historical number, the lower the degree of abnormality, and the abnormal condition may be set as follows: the abnormal condition is met when the comparison result is that the operation value of the target reference feature is smaller than the standard boundary value. For another example, if the target reference feature is the type of an abnormal file stored in the mobile storage device, and a higher operation value after quantizing that type indicates a higher degree of abnormality, the abnormal condition may be set as follows: the abnormal condition is met when the comparison result is that the operation value of the target reference feature is greater than the standard boundary value. Setting the abnormal condition per reference feature in this way makes the determined abnormality index more accurate.
In an embodiment of the present invention, when the abnormality index of the target reference feature is calculated according to the difference in step 202, the abnormality index may be calculated according to the following formula (1):
Figure RE-GDA0003165999850000091
where $Q_i$ is the abnormality index of the $i$-th target reference feature among the $n$ target reference features, $n$ being an integer not less than 1; $q_{i1}$ is the preset standard boundary value for the $i$-th target reference feature; $q_i$ is the operation value of the $i$-th target reference feature; and $A_i$ is a constant for the $i$-th reference feature.
By calculating the abnormality index using the above calculation formula, the abnormality index of the target reference feature can be accurately obtained by taking into account the distance between the operation value and the standard boundary value (i.e., the difference between the operation value and the standard boundary value), taking the difference between the standard boundary value and the constant as a reference value, and dividing the distance between the operation value and the standard boundary value by the reference value. In addition, the values of all parameters in the calculation formula are easy to obtain, and the abnormal index can be quickly calculated by substituting the values into the calculation formula, so that the calculation speed is high.
The above calculation formula is only one embodiment of the present invention, and in addition to the above calculation formula, other calculation formulas may be used to calculate the abnormality index of the target reference feature, or the difference may be directly used as the abnormality index of the target reference feature.
Step 204, calculating a reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature.
In an embodiment of the present invention, referring to fig. 3, the reputation evaluation value of the mobile storage device may be calculated in at least the following way:
Step 300, determining a total value of the reputation evaluation.
The total reputation evaluation value may be the score corresponding to a mobile storage device with no abnormality; for example, the total reputation evaluation value may be a full score of 100.
Step 302, determining a weight value of the target reference feature.
Because different reference characteristics have different influences on the reputation of the mobile storage device, different weight values can be set for different reference characteristics, so that the reputation evaluation result is more accurate.
Step 304, calculating the product of the weight value of the target reference feature, the abnormality index of the target reference feature and the total reputation evaluation value.
Step 306, obtaining the reputation evaluation value of the mobile storage device by using the product.
In one embodiment of the present invention, when the product is used to obtain the reputation evaluation value of the mobile storage device, the reputation evaluation value can be obtained by at least the following formula (2):
Figure BDA0003137560750000101
wherein V represents the reputation evaluation value of the mobile storage device, M represents the total reputation evaluation value, Q_i represents the abnormality index of the i-th target reference feature among the n target reference features, n is an integer not less than 1, and ω_i represents the weight value of the i-th target reference feature.
Formula (2) considers the product of the total reputation evaluation value, the weight value of the target reference feature and the abnormality index of the target reference feature; this product can be used as the reputation value corresponding to the target reference feature. In formula (2), the product of each abnormality index is divided by the root of the power n and the sum of each abnormality index is calculated, which balances the abnormality indexes, so that the reputation evaluation value calculated by using formula (2) is more accurate. Once the values of the parameters in formula (2) are obtained and substituted into the formula, the reputation evaluation value of the mobile storage device can be calculated quickly.
It should be noted that, in step 306, in addition to calculating the reputation evaluation value of the mobile storage device by using the above formula (2), other methods may be used; for example, the reputation evaluation value may be obtained by dividing the sum of the products corresponding to the target reference features by n.
In step 204, in addition to calculating the reputation evaluation value of the mobile storage device in the manner shown in fig. 3, other calculation manners may be used. For example, the other calculation manners may include: determining a total reputation evaluation value; determining a base score set for the target reference feature; calculating the product of the base score of the target reference feature and the abnormality index of the target reference feature; and adding the products of the n target reference features to obtain a calculated sum, and determining the difference between the total reputation evaluation value and the calculated sum as the reputation evaluation value of the mobile storage device.
Continuing to step 106, determining a corresponding protection control strategy according to the reputation evaluation result.
In an embodiment of the present invention, different protection control policies may be set in advance for different reputation evaluation results, where the protection control policies may include the following: forbidding the mobile storage device to access the client, only allowing files to be copied from the mobile storage device to the client, forbidding the files in the mobile storage device to run, and the like.
Finally, in step 108, the protection control policy is sent to the client, so that the client performs protection control on the mobile storage device by using the protection control policy.
The client receives the protection control policy sent by the server, uses it to respond to the access of the mobile storage device, and, after allowing the access, uses it to perform protection control on the mobile storage device. For example, if the protection control policy is to prohibit running files in the mobile storage device, the client allows the mobile storage device to access and detects the data interaction behavior between the mobile storage device and the client in real time; when the detected data interaction behavior is running a file stored in the mobile storage device on the client, the client refuses to execute that data interaction behavior.
In an embodiment of the present invention, in order to further ensure the security of the client after the mobile storage device accesses the client, the data interaction behavior between the client and the mobile storage device may be detected, and the detected data interaction behavior is then reported to the server.
The strategies for reporting the data interaction behavior include at least the following two:
The first reporting strategy: reporting every time a data interaction behavior is detected.
The second reporting strategy: reporting only the data interaction behaviors that belong to the sensitive interaction behaviors.
In the second reporting strategy, the client stores the characteristics of the sensitive interaction behaviors in advance; when the characteristics of a detected data interaction behavior are the same as the characteristics of a sensitive interaction behavior, the data interaction behavior is determined to belong to the sensitive interaction behaviors and is reported to the server.
Regardless of the first reporting policy or the second reporting policy, the client may respond to the data interaction behavior, where the response content is to allow the data interaction behavior to be executed or to deny the data interaction behavior to be executed.
After the server receives the data interaction behavior reported by the client, the server evaluates the risk of the data interaction behavior so as to update the reputation evaluation value.
Specifically, the reputation evaluation value may be updated at least in the following way: determining a risk level of the data interaction behavior; determining a risk coefficient corresponding to the risk level; and updating the current reputation evaluation value of the mobile storage device according to the risk coefficient.
If the data interaction behavior is the first interaction behavior performed after the mobile storage device accesses the client, the current reputation evaluation value of the mobile storage device is the reputation evaluation value calculated in step 204; if the data interaction behavior is not the first interaction behavior performed after the mobile storage device accesses the client, the current reputation evaluation value of the mobile storage device is the reputation evaluation value obtained from the update for the previous data interaction behavior.
When the current reputation evaluation value of the mobile storage device is updated according to the risk coefficient, the product of the risk coefficient and the current reputation evaluation value of the mobile storage device may be determined as the updated reputation evaluation value. In this way, updating of the reputation evaluation value can be quickly achieved.
It should be noted that, if the data interaction behavior does not carry a risk, for example, a normal data copy behavior, the risk coefficient of the risk level corresponding to the data interaction behavior may be 1, and the updated reputation evaluation value is then the same as the reputation evaluation value before updating. If the data interaction behavior carries a risk, the risk coefficient of the risk level corresponding to the data interaction behavior may be less than 1, in which case the updated reputation evaluation value is smaller than the reputation evaluation value before updating. Examples of risky behaviors are: a data copy behavior occurs although no manually input copy instruction was detected; a sensitive file is copied into the client or the mobile storage device, where the copied file is determined to be a sensitive file when its characteristics are the same as those of a preset sensitive file; an abnormal program file in the mobile storage device is run.
In an embodiment of the present invention, after updating the reputation evaluation value of the mobile storage device, the method may further include: when the updated reputation evaluation value meets the pop-up condition, sending a forced pop-up (i.e., eject) instruction to the client so that the client forcibly pops up the mobile storage device.
For example, if the updated reputation evaluation value is smaller than the set score, it is determined that the updated reputation evaluation value satisfies the pop-up condition. When the reputation evaluation value of the mobile storage device gradually decreases to meet the pop-up condition, the risk of the mobile storage device is very high, and if data interaction between the mobile storage device and the client is continuously allowed, the higher risk is brought to the security of the client. Therefore, in order to ensure the security of the client, a forced pop instruction can be sent to the client so as to enable the client to forcibly pop the mobile storage device.
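The flow of step 204, step 106 and the later update can be traced with a small model. The Python below is an added example, not code from the patent: it uses the interval lookup for the abnormality index, the base-score alternative for the reputation evaluation value (formula (2) is not reproduced), and the risk-coefficient update with the pop-up check. The feature names, boundaries, base scores, policy bands, risk coefficients and pop-up threshold are all constructed assumptions.

```python
from bisect import bisect_right
from dataclasses import dataclass

TOTAL = 100.0  # total reputation evaluation value (the full-score example)


@dataclass(frozen=True)
class Feature:
    """A target reference feature. All names and numbers are constructed."""
    name: str
    boundaries: tuple   # ascending standard boundary values
    indices: tuple      # one abnormality index per reference interval
    base_score: float   # points deducted when the abnormality index is 1.0

    def abnormality_index(self, operation_value):
        # Boundaries b0 < b1 give the intervals (-inf, b0), [b0, b1), [b1, +inf).
        return self.indices[bisect_right(self.boundaries, operation_value)]


# Hypothetical features and boundaries, chosen only for this example.
FEATURES = (
    Feature("distinct_clients_24h", (3, 10), (0.0, 0.5, 1.0), 20.0),
    Feature("past_malware_detections", (1, 5), (0.0, 0.5, 1.0), 40.0),
    Feature("autorun_entries", (1,), (0.0, 1.0), 20.0),
)

# Assumed score bands; the policy names paraphrase the ones the text lists.
POLICY_BANDS = (
    (80.0, "allow_all"),
    (60.0, "forbid_running_files"),
    (40.0, "copy_to_client_only"),
)

# Assumed risk levels and coefficients (1.0 means "no risk", as in the text).
RISK_COEFFICIENT = {"none": 1.0, "medium": 0.75, "high": 0.5}
BEHAVIOUR_RISK = {
    "normal_copy": "none",
    "copy_without_user_input": "medium",
    "sensitive_file_copy": "medium",
    "run_abnormal_program": "high",
}
POP_BELOW = 40.0  # assumed "set score" for the pop-up condition


def initial_reputation(operation_values, features=FEATURES):
    """Base-score variant: total value minus sum(base score * abnormality index)."""
    deducted = sum(
        f.base_score * f.abnormality_index(operation_values[f.name])
        for f in features
    )
    return TOTAL - deducted


def select_policy(score):
    """Map a reputation evaluation value to a protection control policy."""
    for floor, policy in POLICY_BANDS:
        if score >= floor:
            return policy
    return "deny_access"


class DeviceSession:
    """Server-side state for one mobile storage device plugged into a client."""

    def __init__(self, operation_values):
        self.score = initial_reputation(operation_values)
        self.policy = select_policy(self.score)  # sent to the client at access
        self.popped = False

    def report(self, behaviour):
        """Update the score for a reported behaviour; True means force pop-up."""
        if self.popped:
            return True
        # Unknown behaviours get the highest risk level (this example's choice).
        level = BEHAVIOUR_RISK.get(behaviour, "high")
        self.score *= RISK_COEFFICIENT[level]
        self.popped = self.score < POP_BELOW
        return self.popped


if __name__ == "__main__":
    session = DeviceSession({"distinct_clients_24h": 4,
                             "past_malware_detections": 0,
                             "autorun_entries": 0})
    print(session.score, session.policy)
    for b in ("normal_copy", "copy_without_user_input", "run_abnormal_program"):
        print(b, session.report(b), session.score)
```

Because the update is multiplicative, the score can only stay level or fall during a session, so the order of reported behaviours does not change whether the pop-up threshold is eventually crossed.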
As shown in fig. 4 and fig. 5, an embodiment of the present invention provides an apparatus for performing protection control on a mobile storage device. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. From a hardware aspect, fig. 4 is a hardware architecture diagram of the computing device in which the apparatus for performing protection control on a mobile storage device according to an embodiment of the present invention is located; in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 4, the computing device in which the apparatus is located may generally include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 5, the apparatus, as a logical apparatus, is formed by the CPU of the computing device in which it is located reading the corresponding computer program from the non-volatile memory into the memory and running it. The apparatus for performing protection control on a mobile storage device provided in this embodiment is located at a server, and includes:
a receiving unit 501, configured to receive device characteristic information sent by an external client; the device characteristic information is obtained and sent by the client when the client detects that the mobile storage device is accessed to the client;
a reference feature determining unit 502, configured to determine at least one reference feature according to the device feature information;
a reputation evaluating unit 503, configured to perform a reputation evaluation on the mobile storage device according to the at least one reference feature;
a policy determining unit 504, configured to determine a corresponding protection control policy according to the reputation evaluation result;
a sending unit 505, configured to send the protection control policy to the client, so that the client performs protection control on the mobile storage device by using the protection control policy.
In an embodiment of the present invention, the reputation evaluating unit 503 is specifically configured to respectively determine the operation values of the target reference features in the at least one reference feature; determine an abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value; and calculate the reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature.
In an embodiment of the present invention, there are multiple standard boundary values, and the multiple standard boundary values form at least two reference intervals, each reference interval corresponding to an abnormality index;
the reputation evaluating unit 503 is specifically configured to, when determining the abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value, determine a target reference interval corresponding to the operation value of the target reference feature; and determine the abnormality index corresponding to the target reference interval as the abnormality index of the target reference feature.
In one embodiment of the present invention, there is one standard boundary value;
the reputation evaluating unit 503 is specifically configured to, when determining the abnormality index of the target reference feature according to the operation value of the target reference feature and the preset standard boundary value, compare the operation value of the target reference feature with the standard boundary value; if the comparison result meets a preset abnormal condition, calculate a difference value between the operation value of the target reference feature and the standard boundary value, and calculate the abnormality index of the target reference feature according to the difference value; and if the comparison result does not meet the abnormal condition, take a set value as the abnormality index of the target reference feature.
In an embodiment of the present invention, the reputation evaluating unit 503 is specifically configured to, when calculating the reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature, determine a total reputation evaluation value; determine a weight value of the target reference feature; calculate a product of the weight value of the target reference feature, the abnormality index of the target reference feature and the total reputation evaluation value; and obtain the reputation evaluation value of the mobile storage device by using the product.
In an embodiment of the present invention, the receiving unit 501 is further configured to receive data interaction behavior with the mobile storage device sent by the client; the data interaction behavior is detected by the client side in the process of executing the protection control;
referring to fig. 6, the apparatus for performing protection control on a mobile storage device may further include:
an updating unit 506, configured to update the current reputation evaluation value of the mobile storage device according to the data interaction behavior.
In an embodiment of the present invention, the sending unit 505 is further configured to send a forced pop instruction to the client when the updated reputation evaluation value satisfies a pop condition, so that the client pops up the mobile storage device forcibly.
It is to be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation to an apparatus for performing protection control on a mobile storage device. In other embodiments of the present invention, an apparatus for providing protection control for a mobile storage device may include more or fewer components than shown, or some components may be combined, some components may be separated, or a different arrangement of components may be provided. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the present invention further provides a computing device, which includes a memory and a processor, where the memory stores a computer program, and when the processor executes the computer program, the method for performing protection control on a mobile storage device in any embodiment of the present invention is implemented.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program causes the processor to execute a method for performing protection control on a mobile storage device in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which a software program code that realizes the functions of any of the above-described embodiments is stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any one of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on the instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
The embodiments of the invention have at least the following beneficial effects:
1. In an embodiment of the invention, the server performs reputation evaluation on the mobile storage device accessing the client, and for different reputation evaluation results the client can use different protection control policies to perform protection control on mobile storage devices with different reputations, so that a protection effect that virus scanning alone cannot achieve can be realized, and the protection capability for the mobile storage device is improved.
2. In an embodiment of the invention, at least one reference feature is obtained by analyzing multiple dimensions such as client historical information, mobile storage device historical information and mobile storage device current information, and when reputation evaluation is performed on the mobile storage device by utilizing the at least one reference feature, the accuracy of reputation evaluation can be improved.
3. In one embodiment of the invention, the abnormality index of the target reference feature is determined from the operation value of the target reference feature and the set standard boundary value; when there are multiple standard boundary values, the target reference interval corresponding to the operation value of the target reference feature is determined, and the abnormality index is read from the correspondence between reference intervals and abnormality indexes, so that the abnormality index of the target reference feature can be determined rapidly, and the speed of determining the reputation evaluation value is improved.
4. In an embodiment of the invention, because different reference features have different influences on the reputation of the mobile storage device, different weight values can be set for different reference features, so that the reputation evaluation result is more accurate.
5. In an embodiment of the present invention, the abnormality index of the target reference feature is determined from the operation value of the target reference feature and the set standard boundary value. When there is one standard boundary value, the abnormality index is calculated by using the calculation formula, which takes into account the distance between the operation value and the standard boundary value (i.e., the difference between the operation value and the standard boundary value), uses the difference between the standard boundary value and the constant as the reference value, and divides the distance by the reference value, so that the abnormality index of the target reference feature can be obtained accurately.
6. In one embodiment of the present invention, when the current reputation evaluation value of the mobile storage device is updated according to the risk coefficient, the product of the risk coefficient and the current reputation evaluation value of the mobile storage device may be determined as the updated reputation evaluation value. In this manner, updates to reputation evaluation values can be quickly implemented.
7. In an embodiment of the present invention, when the updated reputation evaluation value satisfies the pop-up condition, a forced pop-up instruction is sent to the client, so that the client forces the mobile storage device to pop up, which can ensure the security of the client.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for performing protection control on a mobile storage device, applied to a server side, characterized by comprising the following steps:
receiving device characteristic information sent by an external client; the device characteristic information is obtained and sent by the client when the client detects that the mobile storage device is accessed to the client;
determining at least one reference feature according to the device characteristic information;
performing reputation evaluation on the mobile storage device according to the at least one reference feature;
determining a corresponding protection control policy according to the reputation evaluation result;
and sending the protection control policy to the client so that the client performs protection control on the mobile storage device by using the protection control policy.
2. The method of claim 1, wherein the reputation evaluating the mobile storage device according to the at least one reference characteristic comprises:
respectively determining the operation values of the target reference features in the at least one reference feature;
determining an abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value;
and calculating the reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature.
3. The method of claim 2, wherein the standard boundary values are plural and form at least two reference intervals, each reference interval corresponding to an abnormality index;
the determining the abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value comprises:
determining a target reference interval corresponding to the operation value of the target reference characteristic;
and determining the abnormality index corresponding to the target reference interval as the abnormality index of the target reference feature.
4. The method of claim 2, wherein the standard boundary value is one;
the determining the abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value comprises:
comparing the operation value of the target reference characteristic with the standard boundary value;
if the comparison result meets the preset abnormal condition, calculating the difference value between the operation value of the target reference feature and the standard boundary value, and calculating the abnormality index of the target reference feature according to the difference value;
and if the comparison result does not meet the abnormal condition, taking a set value as the abnormality index of the target reference feature.
5. The method of claim 2, wherein the calculating the reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature comprises:
determining a total value of the reputation evaluation;
determining a weight value of the target reference feature;
calculating the product of the weight value of the target reference feature, the anomaly index of the target reference feature and the total reputation evaluation value;
and obtaining the reputation evaluation value of the mobile storage device by using the product.
6. The method according to any of claims 2-5, further comprising, after said sending the protection control policy to the client:
receiving a data interaction behavior, sent by the client, between the client and the mobile storage device; the data interaction behavior is detected by the client in the process of executing the protection control;
and updating the current reputation evaluation value of the mobile storage device according to the data interaction behavior.
7. The method of claim 6, further comprising, after the updating the reputation evaluation value of the mobile storage device:
and when the updated reputation evaluation value meets the pop-up condition, sending a forced pop-up instruction to the client so that the client forcibly pops up the mobile storage device.
8. An apparatus for performing protection control on a mobile storage device, located at a server, includes:
a receiving unit, configured to receive the device characteristic information sent by an external client; the device characteristic information is obtained and sent by the client when the client detects that the mobile storage device is accessed to the client;
a reference feature determination unit, configured to determine at least one reference feature according to the device characteristic information;
a reputation evaluation unit, configured to perform reputation evaluation on the mobile storage device according to the at least one reference feature;
a policy determining unit, configured to determine a corresponding protection control policy according to the reputation evaluation result;
and a sending unit, configured to send the protection control policy to the client so that the client performs protection control on the mobile storage device by using the protection control policy.
9. A computing device comprising a memory having stored therein a computer program and a processor that, when executing the computer program, implements the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-7.
CN202110725664.4A 2021-06-29 2021-06-29 Method, device, equipment and medium for protecting and controlling mobile storage equipment Active CN113282922B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110725664.4A CN113282922B (en) 2021-06-29 2021-06-29 Method, device, equipment and medium for protecting and controlling mobile storage equipment


Publications (2)

Publication Number Publication Date
CN113282922A true CN113282922A (en) 2021-08-20
CN113282922B CN113282922B (en) 2024-08-20

Family

ID=77286189

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110725664.4A Active CN113282922B (en) 2021-06-29 2021-06-29 Method, device, equipment and medium for protecting and controlling mobile storage equipment

Country Status (1)

Country Link
CN (1) CN113282922B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102171657A (en) * 2008-06-30 2011-08-31 赛门铁克公司 Simplified communication of a reputation score for an entity
CN102656587A (en) * 2009-08-13 2012-09-05 赛门铁克公司 Using confidence metrics of client devices in a reputation system
CN102945340A (en) * 2012-10-23 2013-02-27 北京神州绿盟信息安全科技股份有限公司 Information object detection method and system
US20140283066A1 (en) * 2013-03-15 2014-09-18 John D. Teddy Server-assisted anti-malware client
US20160080400A1 (en) * 2014-09-17 2016-03-17 Microsoft Technology Licensing, Llc File reputation evaluation
CN105578455A (en) * 2016-01-27 2016-05-11 哈尔滨工业大学深圳研究生院 Distributed dynamic reputation evaluation method in opportunity network
CN108665184A (en) * 2018-05-21 2018-10-16 国网陕西省电力公司咸阳供电公司 A kind of power customer credit assessment method based on big data reference
CN109242261A (en) * 2018-08-14 2019-01-18 中国平安人寿保险股份有限公司 Save the method and terminal device of risk from damage based on big data assessment
CN111460445A (en) * 2020-03-04 2020-07-28 奇安信科技集团股份有限公司 Method and device for automatically identifying malicious degree of sample program
CN111598568A (en) * 2020-05-12 2020-08-28 江苏大学 Abnormal transaction identification method based on multi-transaction object multi-dimensional credit management

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102171657A (en) * 2008-06-30 2011-08-31 赛门铁克公司 Simplified communication of a reputation score for an entity
CN102656587A (en) * 2009-08-13 2012-09-05 赛门铁克公司 Using confidence metrics of client devices in a reputation system
CN102945340A (en) * 2012-10-23 2013-02-27 北京神州绿盟信息安全科技股份有限公司 Information object detection method and system
US20140283066A1 (en) * 2013-03-15 2014-09-18 John D. Teddy Server-assisted anti-malware client
US20160080400A1 (en) * 2014-09-17 2016-03-17 Microsoft Technology Licensing, Llc File reputation evaluation
CN107079041A (en) * 2014-09-17 2017-08-18 微软技术许可有限责任公司 File credit assessment
CN105578455A (en) * 2016-01-27 2016-05-11 哈尔滨工业大学深圳研究生院 Distributed dynamic reputation evaluation method in opportunity network
CN108665184A (en) * 2018-05-21 2018-10-16 国网陕西省电力公司咸阳供电公司 A kind of power customer credit assessment method based on big data reference
CN109242261A (en) * 2018-08-14 2019-01-18 中国平安人寿保险股份有限公司 Save the method and terminal device of risk from damage based on big data assessment
CN111460445A (en) * 2020-03-04 2020-07-28 奇安信科技集团股份有限公司 Method and device for automatically identifying malicious degree of sample program
CN111598568A (en) * 2020-05-12 2020-08-28 江苏大学 Abnormal transaction identification method based on multi-transaction object multi-dimensional credit management

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李勇, 李秀芬, 王鹏: "Design and Analysis of a Data Leakage Protection System", 《内蒙古电力技术》, 12 August 2016 (2016-08-12), pages 61-65 *

Also Published As

Publication number Publication date
CN113282922B (en) 2024-08-20

Similar Documents

Publication Publication Date Title
US8479296B2 (en) System and method for detecting unknown malware
RU2514140C1 (en) System and method for improving quality of detecting malicious objects using rules and priorities
US8214905B1 (en) System and method for dynamically allocating computing resources for processing security information
US20180032726A1 (en) Elimination of false positives in antivirus records
EP3899770B1 (en) System and method for detecting data anomalies by analysing morphologies of known and/or unknown cybersecurity threats
US8214904B1 (en) System and method for detecting computer security threats based on verdicts of computer users
US9208315B2 (en) Identification of telemetry data
CN110061987B (en) Access access control method and device based on role and terminal credibility
CN102710598A (en) System and method for reducing security risk in computer network
CN112738107B (en) Network security evaluation method, device, equipment and storage medium
KR102230441B1 (en) Method, Device and program for generating security action report based on the results of the security vulnerability assessment
JP6282217B2 (en) Anti-malware system and anti-malware method
CN111159762A (en) Method and system for verifying credibility of main body under mandatory access control
CN112784281A (en) Safety assessment method, device, equipment and storage medium for industrial internet
EP2584488B1 (en) System and method for detecting computer security threats based on verdicts of computer users
CN112087408A (en) Method and device for evaluating network assets
CN113282929B (en) Behavior processing method, device and equipment of mobile storage equipment and storage medium
CN111783099B (en) Equipment safety analysis method, device and equipment
CN111131166B (en) User behavior prejudging method and related equipment
CN113282922A (en) Method, device, equipment and medium for performing protection control on mobile storage equipment
CN116483670A (en) Wind control method and device based on user access behaviors
CN111949363A (en) Service access management method, computer equipment, storage medium and system
CN114285630A (en) Security domain risk warning method, system and device and readable storage medium
CN113342594A (en) Industrial control host and dynamic health degree evaluation method thereof
CN118427671B (en) Deep learning-based server security risk identification method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant