CN113609483B - Method, device, equipment and readable medium for processing server virus - Google Patents


Publication number
CN113609483B
Authority
CN
China
Prior art keywords
virus
server
abnormal operation
module
execution module
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110807553.8A
Other languages
Chinese (zh)
Other versions
CN113609483A (en)
Inventor
刘同强
王朝辉
周玉龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd
Original Assignee
Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd
Application filed by Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd
Priority to CN202110807553.8A
Publication of CN113609483A
Application granted
Publication of CN113609483B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The invention provides a method, a device, equipment and a readable medium for processing server viruses. The method comprises the following steps: deploying monitoring software on the server where the honeypot system is located, and sending abnormal operation behaviors detected by the monitoring software to a policy module arranged independently outside the server; the policy module analyzes the received abnormal operation behaviors and judges whether they are caused by a virus of a preset type; in response to the abnormal operation behaviors being caused by a virus of the preset type, sending an instruction to the execution modules arranged independently outside each server; and each execution module, according to the instruction, generates in its corresponding server a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raises an alarm. The scheme effectively solves the problem that honeypot technology cannot perceive that the system has been breached by a virus and cannot rescue itself, and reduces the risk that a virus encrypts data, the data cannot be recovered, and the victim is extorted.

Description

Method, device, equipment and readable medium for processing server virus
Technical Field
The present invention relates to the field of computers, and more particularly to a method, apparatus, device, and readable medium for server virus processing.
Background
Computer virus detection generally refers to using diagnostic software to determine whether a system or a storage medium is infected. With the development of computer networks, more and more viruses spread over networks, causing great losses to users. Viruses are highly damaging and hard to prevent, and virus detection has become an emerging focus.
Honeypot technology is essentially a defensive technique for deceiving attackers. By deploying hosts, network services and the like as bait, it induces attackers to attack the bait, so that the attack behavior can be captured and analyzed, the tools and methods used by the attacker learned, and the attacker's intent and motivation inferred. Defenders thereby gain a clear picture of the security threats they face and can strengthen the protection of the real systems and network services by technical and other means. A honeypot is a target deliberately exposed to intrusion in order to attract hackers. When an attacker intrudes, the defender can learn how the intrusion succeeded and keep up to date with the latest attacks launched against the system and the vulnerabilities they use. By monitoring the hackers' connections, the defender can also collect the tools they use and track their real intentions. Honeypots are classified by degree of interaction into low-interaction and high-interaction honeypots. High-interaction honeypots are typically built on a real application environment and can provide real services. They can gather a large amount of information and capture the attacker's various operations, and so are able to discover new attack techniques and exploitation methods. Because a high-interaction honeypot offers the attacker a relatively real application environment, its risk is greater. Low-interaction honeypots typically provide only a small number of interactive functions; they monitor connections and record packets on specific ports, which can be used to detect port scanning and brute-force attempts. Low-interaction honeypots are simple in structure and easy to install and deploy; because of their low fidelity and limited functions, they collect limited information and carry low risk.
Whichever type is used, a conventional honeypot is attached to the protected systems and networks and cannot rescue itself once the system is breached, so a breach can lead to the collapse of the whole system.
Disclosure of Invention
In view of the above, an object of the embodiments of the present invention is to provide a method, apparatus, device and readable medium for processing server viruses which effectively solve the problem that honeypot technology cannot perceive that the system has been breached by a virus and cannot rescue itself, and which reduce the risk that a virus encrypts data, the data cannot be recovered, and the victim is extorted.
Based on the above object, one aspect of the embodiments of the present invention provides a method for server virus processing, including the following steps:
deploying monitoring software on the server where the honeypot system is located, and sending abnormal operation behaviors detected by the monitoring software to a policy module arranged independently outside the server;
the policy module analyzing the received abnormal operation behaviors and judging whether they are caused by a virus of a preset type;
in response to the abnormal operation behaviors being caused by a virus of the preset type, sending an instruction to the execution modules arranged independently outside each server;
and each execution module generating, in its corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raising an alarm.
According to one embodiment of the present invention, the policy module analyzing the received abnormal operation behavior and judging whether it is caused by a virus of a preset type includes:
judging whether the received abnormal operation behavior consists of cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files;
and in response to the abnormal operation behavior consisting of cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files, judging that the abnormal operation behavior is caused by a virus of the preset type.
According to one embodiment of the invention, the preset type of virus is ransomware.
According to one embodiment of the present invention, sending an instruction to the execution modules arranged independently outside each server, in response to the abnormal operation behavior being caused by a virus of the preset type, includes:
in response to the abnormal operation behavior being caused by ransomware, the policy module sending to each execution module the file types the ransomware wants to access and its access order, as obtained from the analysis;
the policy module sending to each execution module an instruction to create a disk in each server.
According to one embodiment of the present invention, the execution module generating, in each corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raising an alarm includes:
the execution module creating disks in the corresponding server one after another following the ransomware's access order, and generating in those disks a large number of files of the types the ransomware wants to access.
According to one embodiment of the invention, the file types the ransomware wants to access include pictures, documents, audio and video.
According to one embodiment of the present invention, the execution module generating, in each corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raising an alarm includes:
the execution module sending the alarm information over the network to the administrator's mobile device and e-mail inbox, and displaying the alarm information on a display device of the server.
In another aspect of the embodiments of the present invention, there is also provided an apparatus for processing a server virus, including:
a monitoring module, configured to deploy monitoring software on the server where the honeypot system is located and to send abnormal operation behaviors detected by the monitoring software to a policy module arranged independently outside the server;
a policy module, configured to analyze the received abnormal operation behaviors and judge whether they are caused by a virus of a preset type;
a sending module, configured to send an instruction to the execution modules arranged independently outside each server in response to the abnormal operation behaviors being caused by a virus of the preset type;
an execution module, configured to generate, in each corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and to raise an alarm.
In another aspect of the embodiments of the present invention, there is also provided a computer apparatus including:
at least one processor; and
a memory storing computer instructions executable on the processor, the instructions when executed by the processor performing the steps of any of the methods described above.
In another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the methods described above.
The invention has the following beneficial technical effects. In the server virus processing method provided by the embodiments of the invention, monitoring software is deployed on the server where the honeypot system is located, and abnormal operation behaviors detected by the monitoring software are sent to a policy module arranged independently outside the server; the policy module analyzes the received abnormal operation behaviors and judges whether they are caused by a virus of a preset type; in response to the abnormal operation behaviors being caused by a virus of the preset type, an instruction is sent to the execution modules arranged independently outside each server; and each execution module generates, in its corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raises an alarm. This effectively solves the problem that honeypot technology cannot perceive that the system has been breached by a virus and cannot rescue itself, and reduces the risk that a virus encrypts data, the data cannot be recovered, and the victim is extorted.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are necessary for the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention and that other embodiments may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow diagram of a method of server virus processing according to one embodiment of the invention;
FIG. 2 is a schematic diagram of an apparatus for server virus processing according to one embodiment of the invention;
FIG. 3 is a schematic diagram of a computer device according to one embodiment of the invention;
FIG. 4 is a schematic diagram of a computer-readable storage medium according to one embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention will be described in further detail with reference to the accompanying drawings.
With the above object in view, in a first aspect, an embodiment of a method for server virus processing is provided. Fig. 1 shows a schematic flow chart of the method.
As shown in fig. 1, the method may include the steps of:
S1, monitoring software is deployed on the server where the honeypot system is located, and abnormal operation behaviors detected by the monitoring software are sent to a policy module arranged independently outside the server.
Monitoring software is added on top of the existing honeypot system. It runs on the server where the honeypot system is located, monitors every operation of the honeypot system, checks for common virus operations in order to find suspicious behavior, and sends the behavior information to the policy module. The policy module is a hardware device arranged outside the servers and independent of each of them; it may be implemented by programming a chip.
S2, the policy module analyzes the received abnormal operation behaviors and judges whether they are caused by a virus of a preset type.
The preset type of virus is ransomware. The policy module analyzes the received abnormal operation behaviors to judge whether the honeypot system has been attacked by ransomware. If the behaviors match the characteristics of ransomware, that is, cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files, the abnormal operation behaviors are judged to be caused by ransomware, meaning that the honeypot system and the other servers may be under ransomware attack. The policy module also analyzes the information collected about the ransomware to determine the target of the attack (the types of files accessed) and information such as the locations attacked and their order.
S3, in response to the abnormal operation behaviors being caused by a virus of the preset type, an instruction is sent to the execution modules arranged independently outside each server.
The execution module is arranged outside the servers and independent of each of them, may be implemented by programming a chip, and can communicate with both the policy module and the server. If the abnormal operation behavior is determined to be caused by ransomware, the policy module sends each execution module the file types the ransomware wants to access and its access order, as obtained from the analysis, together with the instruction to create a disk in each server.
S4, each execution module generates, in its corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raises an alarm.
After receiving the instruction, the execution module creates a virtual disk in the server connected to it and places in that disk a large number of files of the types the ransomware wants to access. For example, if the instruction indicates that the ransomware's access order is the D drive and then the C drive, and that the file type it wants to access is pictures, the execution module first creates a virtual disk on the D drive and places enough pictures in it to induce the ransomware to access that disk, and then creates the same disk on the C drive. When the ransomware attacks the server, it attacks the virtual disk on the D drive and tampers with the pictures there; because the virtual disk contains enough pictures, the ransomware keeps cycling inside the virtual disk, so the files on the D drive remain safe. In addition, the execution module raises an alarm, and manual intervention is required to remove the virus.
This technical scheme effectively solves the problem that honeypot technology cannot perceive that the system has been breached by a virus and cannot rescue itself, and reduces the risk that a virus encrypts data, the data cannot be recovered, and the victim is extorted.
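One way to implement the policy-module decision of S2 and the instruction of S3 is shown below. This is an added example, not code from the patent: it flags a process only when all four behaviors appear together, then derives the file types and drive order to send to the execution modules. The event schema, category map, thresholds, instruction fields and sample events are all assumptions constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileEvent:
    """One record from the monitoring software (assumed schema)."""
    pid: int
    op: str               # "list" (enumerate a directory), "read", "create", "delete"
    path: str
    entropy: float = 0.0  # bits per byte of written data; meaningful for "create"


# Assumed category map and thresholds, chosen for this illustration.
CATEGORY = {".jpg": "picture", ".png": "picture", ".docx": "document",
            ".pdf": "document", ".mp3": "audio", ".mp4": "video"}
MIN_DIRS_SCANNED = 3   # cyclic scan of disk files
MIN_ENCRYPTED = 3      # new encrypted files created
MIN_DELETED = 3        # originals deleted after being read
HIGH_ENTROPY = 7.5     # close to 8 bits/byte looks like ciphertext


def judge_process(events):
    """Return a decoy-disk instruction if one process shows all four behaviors."""
    scanned, read_paths, deleted = set(), set(), []
    encrypted = 0
    for ev in events:
        key = ev.path.lower()
        if ev.op == "list":
            scanned.add(key)
        elif ev.op == "read":
            read_paths.add(key)
        elif ev.op == "create" and ev.entropy >= HIGH_ENTROPY:
            encrypted += 1
        elif ev.op == "delete" and key in read_paths:
            deleted.append(PureWindowsPath(ev.path))

    # "Classifying file types": every destroyed original is a user-data type.
    types = Counter(CATEGORY.get(p.suffix.lower()) for p in deleted)
    selective = bool(deleted) and None not in types

    if not (len(scanned) >= MIN_DIRS_SCANNED and selective
            and encrypted >= MIN_ENCRYPTED and len(deleted) >= MIN_DELETED):
        return None

    # Access order: drives in the order their files were first destroyed.
    order = list(dict.fromkeys(p.drive.upper() for p in deleted))
    return {"action": "create_decoy_disk",
            "access_order": order,
            "file_types": sorted(types)}


def analyze(events):
    """Group events by process and return {pid: instruction} for flagged ones."""
    by_pid = {}
    for ev in events:
        by_pid.setdefault(ev.pid, []).append(ev)
    verdicts = {pid: judge_process(evs) for pid, evs in by_pid.items()}
    return {pid: v for pid, v in verdicts.items() if v}


def encrypt_trace(pid, path):
    """Constructed read, write-ciphertext, delete sequence for one file."""
    return [FileEvent(pid, "read", path),
            FileEvent(pid, "create", path + ".locked", entropy=7.9),
            FileEvent(pid, "delete", path)]


# Constructed sample: pid 4242 shows all four behaviors; pid 100 is a backup
# job that scans and writes a high-entropy archive but deletes nothing.
SAMPLE_EVENTS = (
    [FileEvent(4242, "list", d) for d in
     (r"D:\photos", r"D:\scans", r"C:\Users\a\Pictures")]
    + encrypt_trace(4242, r"D:\photos\a.jpg")
    + encrypt_trace(4242, r"D:\scans\b.png")
    + encrypt_trace(4242, r"C:\Users\a\Pictures\c.jpg")
    + [FileEvent(100, "list", d) for d in (r"D:\photos", r"D:\scans", r"D:\docs")]
    + [FileEvent(100, "read", r"D:\photos\a.jpg"),
       FileEvent(100, "create", r"E:\backup\set1.zip", entropy=7.8)]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The backup job is left unflagged even though it writes high-entropy output, which shows why the decision requires the combination of behaviors and not any single one.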
In a preferred embodiment of the present invention, the policy module analyzing the received abnormal operation behavior and judging whether it is caused by a virus of a preset type includes:
judging whether the received abnormal operation behavior consists of cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files;
and in response to the abnormal operation behavior consisting of cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files, judging that the abnormal operation behavior is caused by a virus of the preset type. The preset type of virus is ransomware; other types of viruses can likewise be identified from their behavioral characteristics.
In a preferred embodiment of the invention, the preset type of virus is ransomware. Corresponding inducement methods may also be provided for other types of viruses according to their characteristics.
In a preferred embodiment of the present invention, sending an instruction to the execution modules arranged independently outside each server, in response to the abnormal operation behavior being caused by a virus of the preset type, includes:
in response to the abnormal operation behavior being caused by ransomware, the policy module sending to each execution module the file types the ransomware wants to access and its access order, as obtained from the analysis;
the policy module sending to each execution module an instruction to create a disk in each server.
In a preferred embodiment of the present invention, the execution module generating, in each corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raising an alarm includes:
the execution module creating disks in the corresponding server one after another following the ransomware's access order, and generating in those disks a large number of files of the types the ransomware wants to access. For example, if the instruction indicates that the ransomware's access order is the D drive and then the C drive, and that the file type it wants to access is pictures, the execution module first creates a virtual disk on the D drive and places enough pictures in it to induce the ransomware to access that disk, and then creates the same disk on the C drive. When the ransomware attacks the server, it attacks the virtual disk on the D drive and tampers with the pictures there; because the virtual disk contains enough pictures, the ransomware keeps cycling inside the virtual disk, so the files on the D drive remain safe.
In a preferred embodiment of the invention, the file types the ransomware wants to access include pictures, documents, audio and video.
In a preferred embodiment of the present invention, the execution module generating, in each corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raising an alarm includes:
the execution module sending the alarm information over the network to the administrator's mobile device and e-mail inbox, and displaying the alarm information on a display device of the server.
This technical scheme effectively solves the problem that honeypot technology cannot perceive that the system has been breached by a virus and cannot rescue itself, and reduces the risk that a virus encrypts data, the data cannot be recovered, and the victim is extorted.
It should be noted that those skilled in the art will understand that all or part of the procedures of the above method embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the above method embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like. The computer program embodiments may achieve the same or similar effects as any of the corresponding method embodiments.
Furthermore, the method disclosed according to the embodiments of the present invention may also be implemented as a computer program executed by a CPU, and the program may be stored in a computer-readable storage medium. When executed by the CPU, the computer program performs the functions defined above in the methods disclosed in the embodiments of the present invention.
With the above object in mind, a second aspect of the embodiments of the present invention provides an apparatus for server virus processing. As shown in FIG. 2, the apparatus 200 includes:
a monitoring module 201, configured to deploy monitoring software on the server where the honeypot system is located and to send abnormal operation behaviors detected by the monitoring software to a policy module arranged independently outside the server;
a policy module 202, configured to analyze the received abnormal operation behaviors and judge whether they are caused by a virus of a preset type;
a sending module 203, configured to send an instruction to the execution modules arranged independently outside each server in response to the abnormal operation behaviors being caused by a virus of the preset type;
an execution module 204, configured to generate, in each corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and to raise an alarm.
In a preferred embodiment of the invention, the policy module is further configured to:
judge whether the received abnormal operation behavior consists of cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files;
and in response to the abnormal operation behavior consisting of cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files, judge that the abnormal operation behavior is caused by a virus of the preset type.
In a preferred embodiment of the invention, the preset type of virus is ransomware.
In a preferred embodiment of the invention, the sending module is further configured such that:
in response to the abnormal operation behavior being caused by ransomware, the policy module sends to each execution module the file types the ransomware wants to access and its access order, as obtained from the analysis;
the policy module sends to each execution module an instruction to create a disk in each server.
In a preferred embodiment of the invention, the execution module is further configured to:
create disks in the corresponding server one after another following the ransomware's access order, and generate in those disks a large number of files of the types the ransomware wants to access.
In a preferred embodiment of the invention, the file types the ransomware wants to access include pictures, documents, audio and video.
In a preferred embodiment of the invention, the execution module is further configured to:
send the alarm information over the network to the administrator's mobile device and e-mail inbox, and display the alarm information on a display device of the server.
Based on the above object, a third aspect of the embodiments of the present invention proposes a computer device. FIG. 3 is a schematic diagram of an embodiment of a computer device provided by the present invention. As shown in FIG. 3, an embodiment of the present invention includes the following means: at least one processor S21; and a memory S22, the memory S22 storing computer instructions S23 executable on the processor, the instructions when executed by the processor performing the following method:
deploying monitoring software on the server where the honeypot system is located, and sending abnormal operation behaviors detected by the monitoring software to a policy module arranged independently outside the server;
the policy module analyzing the received abnormal operation behaviors and judging whether they are caused by a virus of a preset type;
in response to the abnormal operation behaviors being caused by a virus of the preset type, sending an instruction to the execution modules arranged independently outside each server;
and each execution module generating, in its corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raising an alarm.
In a preferred embodiment of the present invention, the policy module analyzing the received abnormal operation behavior and judging whether it is caused by a virus of a preset type includes:
judging whether the received abnormal operation behavior consists of cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files;
and in response to the abnormal operation behavior consisting of cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files, judging that the abnormal operation behavior is caused by a virus of the preset type.
In a preferred embodiment of the invention, the preset type of virus is ransomware.
In a preferred embodiment of the present invention, sending an instruction to the execution modules arranged independently outside each server, in response to the abnormal operation behavior being caused by a virus of the preset type, includes:
in response to the abnormal operation behavior being caused by ransomware, the policy module sending to each execution module the file types the ransomware wants to access and its access order, as obtained from the analysis;
the policy module sending to each execution module an instruction to create a disk in each server.
In a preferred embodiment of the present invention, the execution module generating, in each corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raising an alarm includes:
the execution module creating disks in the corresponding server one after another following the ransomware's access order, and generating in those disks a large number of files of the types the ransomware wants to access.
In a preferred embodiment of the invention, the file types the ransomware wants to access include pictures, documents, audio and video.
In a preferred embodiment of the present invention, the execution module generating, in each corresponding server and according to the instruction, a disk holding files of the types the preset virus seeks to access, so that the virus accesses that disk, and raising an alarm includes:
the execution module sending the alarm information over the network to the administrator's mobile device and e-mail inbox, and displaying the alarm information on a display device of the server.
Based on the above object, a fourth aspect of the embodiments of the present invention proposes a computer-readable storage medium. Fig. 4 is a schematic diagram of an embodiment of a computer-readable storage medium provided by the present invention. As shown in fig. 4, the computer-readable storage medium S31 stores a computer program S32 that, when executed by a processor, performs the method as described above.
Furthermore, the method disclosed according to the embodiment of the present invention may also be implemented as a computer program executed by a processor, which may be stored in a computer-readable storage medium. The above-described functions defined in the methods disclosed in the embodiments of the present invention are performed when the computer program is executed by a processor.
Furthermore, the above-described method steps and system units may also be implemented using a controller and a computer-readable storage medium storing a computer program for causing the controller to implement the above-described steps or unit functions.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one location to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general purpose or special purpose computer or a general purpose or special purpose processor. Further, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, include Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk, and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that as used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The sequence numbers of the foregoing embodiments of the present invention are for description only and do not represent the advantages or disadvantages of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, and the program may be stored in a computer readable storage medium, where the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will appreciate that: the above discussion of any embodiment is merely exemplary and is not intended to imply that the scope of the disclosure of embodiments of the invention, including the claims, is limited to such examples; combinations of features of the above embodiments or in different embodiments are also possible within the idea of an embodiment of the invention, and many other variations of the different aspects of the embodiments of the invention as described above exist, which are not provided in detail for the sake of brevity. Therefore, any omission, modification, equivalent replacement, improvement, etc. of the embodiments should be included in the protection scope of the embodiments of the present invention.

Claims (7)

1. A method of server virus handling comprising the steps of:
setting monitoring software on a server where the honeypot system is located, and sending abnormal operation behaviors monitored by the monitoring software to a policy module which is independently arranged outside the server;
the policy module analyzing the received abnormal operation behaviors and judging whether the abnormal operation behaviors are caused by a virus of a preset type, wherein the virus of the preset type is ransomware;
sending an instruction to an execution module independently arranged outside each server in response to the abnormal operation behavior being caused by a virus of the preset type, wherein the sending of the instruction to the execution module independently arranged outside each server in response to the abnormal operation behavior being caused by the virus of the preset type comprises: in response to the abnormal operation behavior being caused by ransomware, the policy module sends the file types to be accessed by the ransomware and the access sequence, both obtained by analysis, to each execution module, and the policy module sends to each execution module an instruction for creating a disk in each server;
the execution module generating, in each corresponding server according to the instruction, a disk of the type to be accessed by the preset virus, so that the preset virus accesses it and an alarm is raised through the execution module, wherein the generating, in each corresponding server according to the instruction, of the disk of the type to be accessed by the preset virus, so that the preset virus accesses it and an alarm is raised through the execution module, comprises: the execution module sequentially creates disks in the corresponding servers according to the ransomware's access sequence, and generates in the disks the multiple file types to be accessed by the ransomware.
2. The method of claim 1, wherein the policy module analyzing the received abnormal operation behavior and determining whether the abnormal operation behavior is caused by a virus of a preset type comprises:
judging whether the received abnormal operation behavior consists of cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files;
and, in response to the abnormal operation behavior consisting of cyclically scanning disk files, classifying file types, creating new encrypted files, and deleting the original files, judging that the abnormal operation behavior is caused by a virus of the preset type.
3. The method of claim 1, wherein the file types to be accessed by the ransomware include pictures, documents, audio and video.
4. The method of claim 1, wherein the execution module generating, in each corresponding server according to the instruction, a disk of the type to be accessed by the preset virus, so that the preset virus accesses it and an alarm is raised through the execution module, comprises:
the execution module sends the alarm information to the administrator's mobile device and email box through the network, and displays the alarm information on a display device of the server.
5. An apparatus for server virus handling, the apparatus comprising:
the monitoring module, configured to set monitoring software on a server where the honeypot system is located, and send abnormal operation behaviors monitored by the monitoring software to a policy module which is independently arranged outside the server;
the policy module, configured to analyze the received abnormal operation behaviors and judge whether the abnormal operation behaviors are caused by a virus of a preset type, wherein the virus of the preset type is ransomware;
the sending module, configured to send instructions to execution modules which are independently arranged outside each server in response to the abnormal operation behavior being caused by a virus of the preset type, the sending module being further configured such that, in response to the abnormal operation behavior being caused by ransomware, the policy module sends the file types to be accessed by the ransomware and the access sequence, both obtained through analysis, to each execution module, and the policy module sends to each execution module instructions for creating a disk in each server;
the execution module, configured to generate, in each corresponding server according to the instruction, a disk of the type to be accessed by the preset virus, so that the preset virus accesses it and an alarm is raised through the execution module, the execution module being further configured to sequentially create the disks in the corresponding servers according to the ransomware's access sequence, and generate in the disks the multiple file types to be accessed by the ransomware.
6. A computer device, comprising:
at least one processor; and
a memory storing computer instructions executable on the processor, which when executed by the processor, perform the steps of the method of any one of claims 1-4.
7. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the steps of the method of any of claims 1-4.
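The policy-module decision recited in claims 1 and 2, together with the execution module's ordered decoy creation, sketched as an added example that is not code from the patent. The event format, extension lists, scan threshold, function names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Categories named in the patent; the extension lists are assumptions.
CATEGORIES = {"pictures": (".jpg", ".png"), "documents": (".docx", ".pdf"),
              "audio": (".mp3", ".wav"), "video": (".mp4", ".avi")}

def category(path):
    ext = PurePosixPath(path).suffix.lower()
    return next((c for c, exts in CATEGORIES.items() if ext in exts), None)

def analyze(events, min_scans=2):
    """Policy-module check (hypothetical): flag a process only when it shows
    all four behaviours, and report the file types in the order it read them."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    instructions = {}
    for pid, evs in by_pid.items():
        scans = sum(e["op"] == "scan" for e in evs)
        reads, created, replaced = [], set(), 0
        for e in evs:
            if e["op"] == "read" and category(e["path"]):
                reads.append(category(e["path"]))
            elif e["op"] == "create":
                created.add(e["path"])
            elif e["op"] == "delete" and any(
                    p.startswith(e["path"] + ".") for p in created):
                replaced += 1  # original removed after "<original>.<suffix>" appeared
        # Collapse consecutive reads of one category; type-grouped access
        # means no category shows up in two separate runs.
        runs = [c for i, c in enumerate(reads) if i == 0 or reads[i - 1] != c]
        grouped = bool(runs) and len(runs) == len(set(runs))
        if scans >= min_scans and grouped and replaced:
            instructions[pid] = {"action": "create_decoy_disk", "file_types": runs}
    return instructions

def decoy_plan(instruction, per_type=2):
    """Execution-module side: decoy file names in the observed access order."""
    return [f"{c}/decoy_{i:02d}{CATEGORIES[c][0]}"
            for c in instruction["file_types"] for i in range(per_type)]

# Constructed honeypot events. pid 900: indexer (scans, interleaved reads, no
# deletes). pid 77: compresses one file without scanning. pid 4242: all four.
RAW = [
    (900, "scan", "/data"), (900, "read", "/data/a.docx"),
    (900, "read", "/data/media/c.jpg"), (900, "read", "/data/b.pdf"),
    (900, "scan", "/data/media"), (77, "read", "/tmp/report.pdf"),
    (77, "create", "/tmp/report.pdf.gz"), (77, "delete", "/tmp/report.pdf"),
    (4242, "scan", "/data"), (4242, "scan", "/data/media"),
    (4242, "read", "/data/a.docx"), (4242, "create", "/data/a.docx.locked"),
    (4242, "delete", "/data/a.docx"), (4242, "read", "/data/b.pdf"),
    (4242, "create", "/data/b.pdf.locked"), (4242, "delete", "/data/b.pdf"),
    (4242, "read", "/data/media/c.jpg"), (4242, "create", "/data/media/c.jpg.locked"),
    (4242, "delete", "/data/media/c.jpg"),
]
EVENTS = [dict(zip(("pid", "op", "path"), t)) for t in RAW]
```

Requiring all four behaviours together is what keeps the indexer and the single-file compressor from triggering decoy creation; any access to a file in the resulting plan is then the alarm condition for the execution module.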
CN202110807553.8A 2021-07-16 2021-07-16 Method, device, equipment and readable medium for processing server virus Active CN113609483B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110807553.8A CN113609483B (en) 2021-07-16 2021-07-16 Method, device, equipment and readable medium for processing server virus

Publications (2)

Publication Number Publication Date
CN113609483A CN113609483A (en) 2021-11-05
CN113609483B true CN113609483B (en) 2024-05-03

Family

ID=78337705

Country Status (1)

Country Link
CN (1) CN113609483B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant