CN114285618A - Network threat detection method and device, electronic equipment and readable storage medium - Google Patents

Publication number: CN114285618A (application CN202111567145.6A); granted version CN114285618B
Authority: CN (China)
Legal status: Granted (the status shown by Google is an assumption, not a legal conclusion)
Inventors: 孙鹏 (Sun Peng), 肖新光 (Xiao Xinguang)
Assignee (original and current): Beijing Antiy Network Technology Co Ltd
Original language: Chinese (zh)
Prior art keywords: threat, file, source information, determining, browser
Classification: Information Transfer Between Computers

Abstract

The embodiments of the present application disclose a network threat detection method, a network threat detection apparatus, an electronic device and a readable storage medium, relate to the technical field of network security, and aim to improve the security of user data. The method comprises: acquiring source information of a file downloaded through a browser; running the file and acquiring traffic elements corresponding to the process, where the process is the process corresponding to the file; determining whether the process is a threat process according to the traffic elements; and, in response to the process being a threat process, determining the source of the threat according to the source information. The application is applicable to determining the source of a threat.

Description

Network threat detection method and device, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network threat detection method, apparatus, electronic device, and readable storage medium.
Background
There are a large number of viruses in today's networks that can threaten user data in many ways. When a user downloads a file through a browser, a virus can silently enter the user's device and steal user data, posing a great threat to network security.
Disclosure of Invention
In view of this, embodiments of the present application provide a method and an apparatus for detecting a network threat, an electronic device, and a readable storage medium, which make it easier to improve the security of user data.
In a first aspect, an embodiment of the present application provides a network threat detection method, including: acquiring source information of a file downloaded through a browser; running the file and acquiring traffic elements corresponding to the process, where the process is the process corresponding to the file; determining whether the process is a threat process according to the traffic elements; and, in response to the process being a threat process, determining the source of the threat according to the source information.
According to a specific implementation of the embodiment of the present application, acquiring the source information of the file downloaded through the browser includes: tracking the network access behavior of the browser, where the network access behavior corresponds to downloading the file through the browser; and recording the network access behavior to form the source information of the file.
According to a specific implementation of the embodiment of the present application, acquiring the traffic element corresponding to the process includes: monitoring, in the kernel of the operating system, whether the process establishes a network connection; and, in response to the process establishing a network connection, acquiring the traffic element corresponding to the process.
According to a specific implementation of the embodiment of the present application, determining whether the process is a threat process according to the traffic element includes: determining whether the traffic element is a threat element according to a preset threat judgment policy and the traffic element; in response to the traffic element being a threat element, determining that the process is a threat process; and in response to the traffic element not being a threat element, determining that the process is not a threat process.
According to a specific implementation of the embodiment of the present application, the threat elements include an IP address, and the method further includes: sending the IP address to a cloud end so that the cloud end determines the geographic location of the threat according to the IP address.
According to a specific implementation of the embodiment of the present application, the source information includes at least two uniform resource locators (URLs) and a jump sequence between them, and the method further includes: sending the source information to a cloud database so that the cloud database classifies the at least two URLs according to the jump sequence between them.
In a second aspect, a network threat detection apparatus provided in an embodiment of the present application includes: a first acquisition module for acquiring source information of a file downloaded through a browser; a second acquisition module for running the file and acquiring traffic elements corresponding to the process, where the process is the process corresponding to the file; a first determining module configured to determine whether the process is a threat process according to the traffic elements; and a second determining module for determining, in response to the process being a threat process, the source of the threat according to the source information.
According to a specific implementation of the embodiment of the present application, the first acquisition module is specifically configured to: track the network access behavior of the browser, where the network access behavior corresponds to downloading the file through the browser; and record the network access behavior to form the source information of the file.
According to a specific implementation of the embodiment of the present application, the second acquisition module is specifically configured to: monitor, in the kernel of the operating system, whether the process establishes a network connection; and, in response to the process establishing a network connection, acquire the traffic element corresponding to the process.
According to a specific implementation of the embodiment of the present application, the first determining module is specifically configured to: determine whether the traffic element is a threat element according to a preset threat judgment policy and the traffic element; in response to the traffic element being a threat element, determine that the process is a threat process; and in response to the traffic element not being a threat element, determine that the process is not a threat process.
According to a specific implementation of the embodiment of the present application, the threat elements include an IP address, and the apparatus further includes: a first sending module for sending the IP address to a cloud end so that the cloud end determines the geographic location of the threat according to the IP address.
According to a specific implementation of the embodiment of the present application, the source information includes at least two uniform resource locators and a jump sequence between them, and the apparatus further includes: a second sending module for sending the source information to a cloud database so that the cloud database classifies the at least two uniform resource locators according to the jump sequence between them.
In a third aspect, an embodiment of the present application provides an electronic device, including: a housing, a processor, a memory, a circuit board and a power supply circuit, where the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading that code from the memory, so as to execute the network threat detection method of any one of the foregoing implementations.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing one or more programs which are executable by one or more processors to implement the network threat detection method of any one of the foregoing implementations.
With the network threat detection method, apparatus, electronic device and readable storage medium described above, the source information of the file downloaded through the browser is acquired, the downloaded file is run and the traffic elements corresponding to the process are acquired, whether the process is a threat process is determined according to the traffic elements, and when the process is a threat process its source can be determined according to the source information. A corresponding handling policy can therefore be adopted for the source of the threat, improving the security of user data.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly described below. It is obvious that the drawings described below show only some embodiments of the present application; other drawings can be obtained from them by those skilled in the art without creative effort.
Fig. 1 is a schematic flowchart of a cyber-threat detection method according to an embodiment of the present application;
fig. 2 is a schematic flow chart illustrating a cyber-threat detection method according to another embodiment of the present application;
fig. 3 is a schematic structural diagram of a cyber-threat detection apparatus according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The embodiments of the present application are described in detail below with reference to the accompanying drawings. It should be understood that the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present application.
To help those skilled in the art better understand the technical concepts, embodiments and advantages of the examples of the present application, a detailed description by way of specific examples follows.
An embodiment of the present application provides a network threat detection method, including: acquiring source information of a file downloaded through a browser; running the file and acquiring traffic elements corresponding to the process, where the process is the process corresponding to the file; determining whether the process is a threat process according to the traffic elements; and, in response to the process being a threat process, determining the source of the threat according to the source information, so that the security of user data is improved.
Fig. 1 is a schematic flow diagram of a cyber-threat detection method according to an embodiment of the present application, and as shown in fig. 1, the cyber-threat detection method according to the embodiment may include:
S101, acquiring source information of the file downloaded through the browser.
A browser is an application that displays files from a web server or a file system and lets a user interact with them. It is used to display text, images and other information on the World Wide Web or a local area network; the text or images may be hyperlinks to other pages, so the user can browse information quickly and easily. The file downloaded through the browser may be an installation package, a document, and so on. The source information may include the name of the browser used to download the file, the website used, and the hyperlinks followed on that website. For example, when a PDF file is downloaded, the corresponding source information may record that the user opened www.XX.com in the IE browser, followed a hyperlink on that website to the page for downloading the document, and downloaded it from there.
The source information may be stored in the form of a log.
S102, running the file and acquiring the traffic elements corresponding to the process.
In this embodiment, the process is the process corresponding to the file.
Running the file generates the corresponding process. When the downloaded file is an installation package, the installation package is installed and the software corresponding to it is then run.
After the file is run and the corresponding process is generated, the traffic elements corresponding to the process are acquired. A traffic element may include the packet size, source IP address, source port, destination IP address, destination port, transport protocol and/or protocol content.
S103, determining whether the process is a threat process according to the traffic elements.
Whether the process is a threat process is determined from the traffic elements corresponding to it: when a traffic element corresponding to the process is a threat element, the process is determined to be a threat process; when no traffic element corresponding to the process is a threat element, the process is determined not to be a threat process.
S104, in response to the process being a threat process, determining the source of the threat according to the source information.
When the process is a threat process, the source of the threat can be determined from the source information of the file corresponding to the process. Once the source is determined, a corresponding handling policy can be formulated for it, so that the threat is limited at its source (the virus). Continuing the example above: a PDF file is downloaded, and its source information records that the user entered www.XX.com, followed a hyperlink on that website to the document download page, and downloaded the document there. If running the PDF file generates a threat process, the hyperlink through which the PDF file was downloaded can be blocked according to this source, improving the security of user data.
In this embodiment, the source information of the file downloaded through the browser is acquired, the downloaded file is run and the traffic elements corresponding to the process are acquired, whether the process is a threat process is determined according to the traffic elements, and when the process is a threat process its source can be determined according to the source information. A corresponding handling policy can therefore be adopted for the source of the threat, improving the security of user data and avoiding the low security that results when the source of a threat is hard to determine.
Fig. 2 is a schematic flowchart of a network threat detection method according to another embodiment of the present application. As shown in Fig. 2, this embodiment is basically the same as the embodiment above, except that acquiring the source information of the file downloaded through the browser (S101) may include:
S101a, tracking the network access behavior of the browser.
In this embodiment, the network access behavior corresponds to downloading the file through the browser.
The network access behavior may include the individual operations and the order in which they occurred. For example, the tracked network access behavior may be: website B is entered in browser A; installation package D is downloaded through hyperlink C; during installation of installation package D, a piece of malicious code E points to hyperlink F; and malicious code G, which is able to control the mouse, is downloaded through hyperlink F.
S101b, recording the network access behavior to form the source information of the file.
The network access behavior tracked in S101a is recorded to form the source information of the file.
In this embodiment, the source information of the file is formed by tracking the network access behavior of the browser and recording it. Because tracking records the network access behavior in detail, a corresponding handling policy can be adopted accurately, further improving the security of user data.
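The recorder described in S101a and S101b, as an added example (not the patent's own code): a stream of tracked browser and installer events is replayed into one source-information record per downloaded file, holding the ordered URLs and the jump sequence between them, and written out as log lines. The event kinds, field names, file identifiers and the sample events reproducing the A/B/C/D/E/F/G scenario above are all constructed for this example.

```python
# Added example, not the patent's own code: replaying tracked browser and
# installer events (S101a) into per-file source information (S101b).
# The event kinds, field names and the sample events below are constructed.
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SourceInfo:
    browser: str
    urls: List[str] = field(default_factory=list)                 # URLs visited, in order
    jumps: List[Tuple[str, str]] = field(default_factory=list)    # (from_url, to_url), in order
    parent_file: Optional[str] = None                             # installer that fetched this file


def build_source_info(events):
    """Return {file_id: SourceInfo} from a stream of tracked events.

    Constructed event shapes:
      ("navigate", browser, url)                    URL typed or opened directly
      ("click", browser, from_url, to_url)          hyperlink followed
      ("download", browser, url, file_id)           file saved from url
      ("install_fetch", file_id, url, new_file_id)  installer of file_id fetched another file
    """
    records = {}
    sessions = {}   # browser -> (urls, jumps) of the navigation currently being tracked
    for ev in events:
        kind = ev[0]
        if kind == "navigate":
            _, browser, url = ev
            sessions[browser] = ([url], [])
        elif kind == "click":
            _, browser, src, dst = ev
            urls, jumps = sessions.setdefault(browser, ([], []))
            urls.append(dst)
            jumps.append((src, dst))
        elif kind == "download":
            _, browser, url, file_id = ev
            urls, jumps = sessions.get(browser, ([], []))
            urls, jumps = list(urls), list(jumps)     # snapshot: later clicks must not alter it
            if urls and urls[-1] != url:
                jumps.append((urls[-1], url))
            if not urls or urls[-1] != url:
                urls.append(url)
            records[file_id] = SourceInfo(browser, urls, jumps)
        elif kind == "install_fetch":
            # Code inside the installer reached out to url: chain it to the parent's source.
            _, parent_id, url, new_id = ev
            parent = records[parent_id]
            records[new_id] = SourceInfo(
                parent.browser,
                parent.urls + [url],
                parent.jumps + [(parent.urls[-1], url)],
                parent_file=parent_id,
            )
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return records


def root_file(records, file_id):
    """Follow parent_file links back to the file the user actually downloaded."""
    while records[file_id].parent_file is not None:
        file_id = records[file_id].parent_file
    return file_id


def to_log_line(file_id, info):
    """Source information is stored as a log: one JSON object per file."""
    return json.dumps({"file": file_id, "browser": info.browser, "urls": info.urls,
                       "jumps": info.jumps, "parent_file": info.parent_file})


# Constructed events reproducing the patent's scenario: browser A, website B,
# hyperlink C, installation package D, whose installer (malicious code E)
# follows hyperlink F to fetch malicious code G.
SAMPLE_EVENTS = [
    ("navigate", "browser-A", "http://site-b.example/"),
    ("click", "browser-A", "http://site-b.example/", "http://site-b.example/download/c"),
    ("download", "browser-A", "http://cdn.example/installer-d.exe", "sha256:d"),
    ("install_fetch", "sha256:d", "http://evil.example/f", "sha256:g"),
]

if __name__ == "__main__":
    for fid, info in build_source_info(SAMPLE_EVENTS).items():
        print(to_log_line(fid, info))
```

Keying records by a content hash rather than a file name is what later lets a running process (whose executable can be hashed) be matched back to its source record; the `parent_file` link is what keeps the second-stage download G attributable to the user's original click on C rather than appearing out of nowhere.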
A further embodiment is basically the same as the embodiments above, except that acquiring the traffic element corresponding to the process (S102) may include:
S102a, monitoring, in the kernel of the operating system, whether the process establishes a network connection.
In the kernel of the operating system (ring 0), whether a process establishes a network connection is monitored. In some examples, a process is considered to have established a network connection when it performs the three-way handshake of the TCP protocol.
S102b, in response to the process establishing the network connection, acquiring the traffic element corresponding to the process.
After the process establishes the network connection, the traffic element corresponding to the process can be acquired.
In this embodiment, a monitor may be provided at each layer of the open systems interconnection (OSI) model to monitor traffic information, so that the traffic elements are obtained at the kernel layer.
In this embodiment, whether a process establishes a network connection is monitored in the kernel of the operating system, and when it does, the traffic element corresponding to that networked process is acquired.
A further embodiment is basically the same as the foregoing embodiments, except that determining whether the process is a threat process according to the traffic element (S103) may include:
S103a, determining whether the traffic element is a threat element according to a preset threat judgment policy and the traffic element.
The preset threat judgment policy can be made according to the network environment. For example, if an office environment never involves overseas IP addresses, the preset policy can treat an overseas IP address as a threat element, and whether the IP address in a traffic element is a threat element can then be determined under that policy.
S103b, in response to the traffic element being a threat element, determining that the process is a threat process.
If the traffic element is a threat element, the process corresponding to it is a threat process.
S103c, in response to the traffic element not being a threat element, determining that the process is not a threat process.
If the traffic element is not a threat element, the process corresponding to it is not a threat process.
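Steps S102a to S103c together, as an added example (not the patent's own code): the connection events a kernel-level monitor would hand up are turned into traffic elements only once the TCP three-way handshake has completed, and a preset threat judgment policy of the kind described above ("this office never talks to overseas hosts") is applied to each element to decide which processes are threat processes. The kernel hook itself is not shown; the event records, the policy, the "domestic" address ranges and the forbidden ports are constructed for this example, and the UDP handling is an assumption of the example.

```python
# Added example, not the patent's own code: building traffic elements from the
# connection events a kernel-level monitor would report (S102a/S102b) and
# applying a preset threat judgment policy to them (S103a-S103c). The kernel
# hook itself is not shown; the event records, policy and address ranges are
# constructed for this example.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficElement:
    pid: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packet_bytes: int


def traffic_elements(events):
    """Turn monitor events into traffic elements, one per connection.

    Each constructed event looks like what a ring-0 monitor would hand up:
    {"pid", "proto", "state", "saddr", "sport", "daddr", "dport", "bytes"}.
    A TCP connection only counts once the three-way handshake completed
    (state == "ESTABLISHED"); half-open SYN_SENT entries are dropped. UDP has
    no handshake, so (by assumption here) a datagram flow counts once it has
    actually carried bytes.
    """
    elements = []
    for ev in events:
        if ev["proto"] == "tcp" and ev["state"] != "ESTABLISHED":
            continue
        if ev["proto"] == "udp" and ev["bytes"] == 0:
            continue
        elements.append(TrafficElement(ev["pid"], ev["proto"], ev["saddr"], ev["sport"],
                                       ev["daddr"], ev["dport"], ev["bytes"]))
    return elements


# Constructed policy for an office network that never talks to overseas hosts:
# destinations inside these ranges are local or domestic, anything else is
# treated as "overseas" and therefore as a threat element. A real deployment
# would derive the ranges from an IP-geolocation database.
POLICY = {
    "domestic_ranges": [ipaddress.ip_network(n) for n in (
        "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "203.0.113.0/24",            # constructed stand-in for a domestic public range
    )],
    "forbidden_dst_ports": {4444, 1337},   # constructed: ports this office never uses
}


def is_threat_element(el, policy=POLICY):
    dst = ipaddress.ip_address(el.dst_ip)
    overseas = not any(dst in net for net in policy["domestic_ranges"])
    return overseas or el.dst_port in policy["forbidden_dst_ports"]


def classify_processes(elements, policy=POLICY):
    """Return {pid: (is_threat, [threat elements])}.

    A process is a threat process as soon as one of its traffic elements is a
    threat element (S103b); a process none of whose elements match is not (S103c).
    """
    hits = {}
    for el in elements:
        matched = hits.setdefault(el.pid, [])
        if is_threat_element(el, policy):
            matched.append(el)
    return {pid: (bool(m), m) for pid, m in hits.items()}


def threat_ips(verdicts):
    """Destination IPs of all threat elements, i.e. what S105 sends to the cloud."""
    return {el.dst_ip for _, matched in verdicts.values() for el in matched}


# Constructed monitor output: pid 4120 is the process of a downloaded installer,
# pid 4188 an ordinary office application.
SAMPLE_EVENTS = [
    {"pid": 4120, "proto": "tcp", "state": "ESTABLISHED", "saddr": "192.168.1.20", "sport": 51000,
     "daddr": "203.0.113.10", "dport": 443, "bytes": 1500},
    {"pid": 4120, "proto": "tcp", "state": "SYN_SENT", "saddr": "192.168.1.20", "sport": 51001,
     "daddr": "198.51.100.7", "dport": 443, "bytes": 0},            # half-open: no element
    {"pid": 4120, "proto": "tcp", "state": "ESTABLISHED", "saddr": "192.168.1.20", "sport": 51002,
     "daddr": "198.51.100.7", "dport": 4444, "bytes": 920},          # overseas + forbidden port
    {"pid": 4188, "proto": "tcp", "state": "ESTABLISHED", "saddr": "192.168.1.20", "sport": 51003,
     "daddr": "10.0.0.5", "dport": 445, "bytes": 4096},
    {"pid": 4188, "proto": "udp", "state": "", "saddr": "192.168.1.20", "sport": 51004,
     "daddr": "10.0.0.53", "dport": 53, "bytes": 64},
]

if __name__ == "__main__":
    verdicts = classify_processes(traffic_elements(SAMPLE_EVENTS))
    for pid, (is_threat, matched) in sorted(verdicts.items()):
        print(pid, "THREAT" if is_threat else "ok", [f"{e.dst_ip}:{e.dst_port}" for e in matched])
    print("send to cloud:", sorted(threat_ips(verdicts)))
```

The policy is plain data, so the same evaluation code serves an environment whose rule is "no overseas addresses" and one whose rule is "no unusual destination ports"; what makes the judgment cheap is that it runs on the small per-connection element rather than on packet payloads, which is also why the handshake filter matters: an unanswered SYN to an overseas host would otherwise produce the same verdict as an actual session.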
To determine the geographic location of the threat and so obtain further information about it, in some examples the threat elements include an IP address, and the method further includes:
S105, sending the IP address to the cloud end so that the cloud end determines the geographic location of the threat according to the IP address.
In some examples, the cloud stores a large number of correspondences between IP addresses and geographic locations, from which the geographic location of the IP address in the threat elements can be determined.
In this embodiment, the IP address is sent to the cloud so that the cloud determines the geographic location of the threat from it. Not only is more information about the threat obtained, so that relevant personnel can decide whether to handle the process associated with that IP address, but local computing resources are also saved.
In some examples, the source information includes at least two uniform resource locators and the jump sequence between them, and the method further includes:
S106, sending the source information to a cloud database so that the cloud database classifies the at least two uniform resource locators according to the jump sequence between them.
In this embodiment, the at least two uniform resource locators are classified according to the jump sequence between them; in particular, they may be classified as a threat class. For example, the presence of these at least two uniform resource locators together with their jump sequence can be regarded as a possible threat, and by the same judgment any later occurrence of this operation behavior can be intercepted, further improving the security of user data.
The following describes the embodiments of the present application in detail with reference to a specific example.
The network threat detection method of the embodiment may include:
Step 1: track the network access behavior of the browser, and when the browser is detected downloading a software installation package and the user instructs that it be installed, form a log of where the installation package was obtained.
Step 2: when the software runs, monitor its network connections and the transmission of its I/O packets at the operating-system kernel layer.
When the software runs, the corresponding process is generated, and the network connections of the process and the traffic packets it generates can be monitored.
Step 3: pass the process and its traffic packets up to the application layer, where the corresponding software is called to judge whether the process is abnormal.
Whether the process is abnormal can be judged from a preset judgment rule and the traffic elements in the traffic packets.
Step 4: if the process is abnormal, retrieve the log from step 1 and determine the user's browsing and URL-click order, so as to determine the source of the malicious code.
The log is uploaded to the cloud database, which determines the jump relationships between the uniform resource locators (URLs) from the order of URL jumps in the log and classifies the related URLs accordingly.
Step 5: send the IP information to the cloud end so that the cloud end determines the geographic location of each IP address.
Step 6: query the cloud database by IP and display the geographic location alongside, so that relevant personnel can decide whether to handle the corresponding process; alternatively, decide whether to close the process according to a preset geographic-location judgment rule.
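Steps 4 to 6 of this worked example, as an added example (not the patent's own code): a process judged abnormal is traced back through the step-1 log to the URL chain of the file it came from, its threat IPs are resolved through a stand-in for the cloud's IP-to-location table, the chain's jump sequence is stored in the cloud database as a threat class so that a later repeat of the same sequence is intercepted, and a preset geographic rule decides whether the process is closed. The log contents, the process-to-file table, the cloud tables, the location names and the rule are all constructed for this example; the "cloud" is a local class standing in for the remote service.

```python
# Added example, not the patent's own code: steps 4 to 6 of the worked example.
# A threat process is traced to the logged URL chain of the file it came from,
# the threat IPs are resolved through a stand-in for the cloud's IP-to-location
# store, the chain is classified as a threat class so that a later repeat of the
# same jump sequence can be intercepted, and a preset geographic rule decides
# whether the process is closed. The log, process table, cloud tables and rule
# are all constructed.
import json

# Constructed source-information log: one JSON line per downloaded file, in the
# form a step-1 recorder would write (sha256:g was fetched by the installer of sha256:d).
SOURCE_LOG = "\n".join(json.dumps(r) for r in [
    {"file": "sha256:d", "browser": "browser-A", "parent_file": None,
     "urls": ["http://site-b.example/", "http://site-b.example/download/c",
              "http://cdn.example/installer-d.exe"]},
    {"file": "sha256:g", "browser": "browser-A", "parent_file": "sha256:d",
     "urls": ["http://site-b.example/", "http://site-b.example/download/c",
              "http://cdn.example/installer-d.exe", "http://evil.example/f"]},
])

# Constructed process table: the downloaded file each running process came from.
PROCESS_FILE = {4120: "sha256:g", 4188: "sha256:d"}

# Constructed office rule: a threat talking to any location outside these is closed;
# an IP the cloud cannot place ("unknown") is deliberately treated as outside.
GEO_RULE = {"allowed_locations": {"Beijing", "Shanghai"}}


class CloudStub:
    """Stand-in for the cloud end: an IP-to-location correspondence table (step 5)
    and a database of URL jump sequences classified as threats (step 4)."""

    def __init__(self, ip_locations):
        self.ip_locations = ip_locations
        self.threat_sequences = []          # each entry: list of (from_url, to_url)

    def locate(self, ip):
        return self.ip_locations.get(ip, "unknown")

    def classify_chain(self, urls):
        """Record the chain's jump sequence as a threat class and return the class."""
        seq = jump_sequence(urls)
        if len(seq) >= 1 and seq not in self.threat_sequences:
            self.threat_sequences.append(seq)
        return "threat"

    def intercept(self, urls):
        """True if the browsing order reproduces any stored threat jump sequence."""
        seq = jump_sequence(urls)
        return any(contains(seq, t) for t in self.threat_sequences)


def jump_sequence(urls):
    return list(zip(urls, urls[1:]))


def contains(seq, sub):
    """Whether sub occurs in seq as a contiguous run of jumps."""
    n = len(sub)
    return n > 0 and any(seq[i:i + n] == sub for i in range(len(seq) - n + 1))


def load_log(text):
    return {r["file"]: r for r in (json.loads(line) for line in text.splitlines() if line.strip())}


def trace_source(pid, process_file, log):
    """Step 4: the browsing and URL-click order that led to the process's file."""
    file_id = process_file[pid]
    return file_id, list(log[file_id]["urls"])


def handle_threat(pid, threat_ips, process_file, log, cloud, geo_rule=GEO_RULE):
    file_id, urls = trace_source(pid, process_file, log)
    cloud.classify_chain(urls)                                       # step 4, cloud side
    locations = {ip: cloud.locate(ip) for ip in sorted(threat_ips)}  # step 5
    close = any(loc not in geo_rule["allowed_locations"] for loc in locations.values())  # step 6
    return {"pid": pid, "file": file_id, "chain": urls, "locations": locations, "close_process": close}


if __name__ == "__main__":
    cloud = CloudStub({"198.51.100.7": "Frankfurt", "203.0.113.10": "Beijing"})
    result = handle_threat(4120, {"198.51.100.7"}, PROCESS_FILE, load_log(SOURCE_LOG), cloud)
    print(json.dumps(result, indent=2))
    # A second user following the same B -> C -> D -> F chain is now intercepted.
    print("intercept:", cloud.intercept(result["chain"]))
```

Interception matches the whole stored jump sequence as a contiguous run rather than any single stored URL pair, which keeps a legitimate site B that merely appears at the start of a malicious chain from being blocked on its own; a deployment that wanted to block B → C as soon as it is seen would store shorter sequences.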
In this embodiment, the source information of the file downloaded through the browser is acquired, the downloaded file is run and the traffic elements corresponding to the process are acquired, whether the process is a threat process is determined according to the traffic elements, and when the process is a threat process its source can be determined according to the source information, so that a corresponding handling policy can be adopted for the source of the threat and the security of user data is improved. To improve that security further, the source information of the file can be formed by tracking and recording the network access behavior of the browser. Whether the process establishes a network connection is monitored in the kernel of the operating system, and the traffic elements of the process that established the connection are acquired, so that the traffic data is obtained more reliably and a basis is provided for further improving the security of user data. To simplify determining whether the process is a threat process, a preset threat judgment policy is used to judge whether a traffic element is a threat element; if so, the corresponding process is a threat process. To obtain more information related to the threat, and to let relevant personnel decide whether to handle the process associated with the IP address, the IP address can be sent to the cloud end so that the cloud end determines the geographic location of the threat from it. To further improve the security of user data, at least two uniform resource locators can be classified according to the jump sequence between them, and a corresponding handling policy formulated according to the classification result.
An embodiment of the present application provides a network threat detection apparatus, including: a first acquisition module for acquiring source information of a file downloaded through a browser; a second acquisition module for running the file and acquiring traffic elements corresponding to the process, where the process is the process corresponding to the file; a first determining module configured to determine whether the process is a threat process according to the traffic elements; and a second determining module for determining, in response to the process being a threat process, the source of the threat according to the source information. This makes it easier to improve the security of user data.
Fig. 3 is a schematic structural diagram of a network threat detection apparatus according to an embodiment of the present application. As shown in Fig. 3, the apparatus of this embodiment may include: a first acquisition module 11, configured to acquire source information of a file downloaded through a browser; a second acquisition module 12, configured to run the file and acquire traffic elements corresponding to the process, where the process is the process corresponding to the file; a first determining module 13, configured to determine whether the process is a threat process according to the traffic elements; and a second determining module 14, configured to determine, in response to the process being a threat process, the source of the threat according to the source information.
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in Fig. 1; the implementation principle and technical effect are similar and are not repeated here.
With the apparatus of this embodiment, the source information of the file downloaded through the browser is acquired, the downloaded file is run and the traffic elements corresponding to the process are acquired, whether the process is a threat process is determined according to the traffic elements, and when the process is a threat process its source can be determined according to the source information. A corresponding handling policy can therefore be adopted for the source of the threat, improving the security of user data and solving the problem of low security caused by the difficulty of determining the source of a threat.
As an optional implementation, the first acquisition module is specifically configured to: track the network access behavior of the browser, where the network access behavior corresponds to downloading the file through the browser; and record the network access behavior to form the source information of the file.
As an optional implementation, the second acquisition module is specifically configured to: monitor, in the kernel of the operating system, whether the process establishes a network connection; and, in response to the process establishing a network connection, acquire the traffic element corresponding to the process.
As an optional implementation, the first determining module is specifically configured to: determine whether the traffic element is a threat element according to a preset threat judgment policy and the traffic element; in response to the traffic element being a threat element, determine that the process is a threat process; and in response to the traffic element not being a threat element, determine that the process is not a threat process.
As an optional implementation, the threat elements include an IP address, and the apparatus further includes: a first sending module for sending the IP address to a cloud end so that the cloud end determines the geographic location of the threat according to the IP address.
As an optional implementation, the source information includes at least two uniform resource locators and a jump sequence between them, and the apparatus further includes: a second sending module for sending the source information to a cloud database so that the cloud database classifies the at least two uniform resource locators according to the jump sequence between them.
The apparatus of the foregoing embodiment may be configured to implement the technical solution of the foregoing method embodiment, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in Fig. 4, the electronic device may include: a housing 61, a processor 62, a memory 63, a circuit board 64 and a power supply circuit 65, where the circuit board 64 is arranged inside the space enclosed by the housing 61, and the processor 62 and the memory 63 are arranged on the circuit board 64; the power supply circuit 65 supplies power to each circuit or device of the electronic device; the memory 63 stores executable program code; and the processor 62 reads the executable program code stored in the memory 63 and runs the corresponding program, so as to execute any one of the network threat detection methods provided in the foregoing embodiments, thereby also achieving the corresponding beneficial technical effects.
The above electronic devices exist in a variety of forms, including but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communication. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones and low-end phones, among others.
(2) An ultra-mobile personal computer device: such devices belong to the category of personal computers, have computing and processing functions, and generally have mobile internet access. Such terminals include PDA, MID and UMPC devices, such as iPads.
(3) A portable entertainment device: such devices can display and play multimedia content. This type of device comprises audio and video players (e.g., iPods), handheld game consoles, electronic book readers, smart toys and portable car navigation devices.
(4) A server: a device that provides computing services, comprising a processor, a hard disk, memory, a system bus and the like. A server is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has higher requirements on processing capacity, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic equipment with a data interaction function.
Accordingly, embodiments of the present application further provide a computer-readable storage medium storing one or more programs, which can be executed by one or more processors to implement any one of the network threat detection methods provided by the foregoing embodiments, so that the corresponding technical effects, described in detail above, can also be achieved and are not repeated here.
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article or apparatus that comprises the element.
All the embodiments in this specification are described in a related manner; for the same or similar parts among the embodiments, reference may be made to each other, and each embodiment focuses on its differences from the others.
In particular, since the apparatus embodiment is substantially similar to the method embodiment, its description is relatively brief, and for the relevant points reference may be made to the corresponding description of the method embodiment.
For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations when the present application is implemented.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (14)

1. A cyber-threat detection method, comprising:
acquiring source information of a file downloaded through a browser;
running the file and acquiring a traffic element corresponding to the process; wherein the process is a process corresponding to the file;
determining whether the process is a threat process according to the traffic element; and
in response to the process being a threat process, determining the source of the threat according to the source information.
2. The method of claim 1, wherein obtaining source information of the file downloaded through the browser comprises:
tracking the network access behavior of the browser; wherein the network access behavior corresponds to downloading the file through the browser;
and recording the network access behavior to form the source information of the file.
3. The method of claim 1, wherein the obtaining the traffic element corresponding to the process comprises:
monitoring whether the process establishes network connection in a kernel of an operating system;
and in response to the process establishing a network connection, acquiring the traffic element corresponding to the process.
4. The method of claim 1, wherein said determining whether the process is a threat process based on the traffic element comprises:
determining whether the traffic element is a threat element according to a preset threat judgement strategy and the traffic element;
in response to the traffic element being a threat element, determining that the process is a threat process;
in response to the traffic element not being a threat element, determining that the process is not a threat process.
5. The method of claim 1, wherein the threat elements comprise an IP address; the method further comprises the following steps:
and sending the IP address to a cloud end so that the cloud end determines the geographic position of the threat according to the IP address.
6. The method of claim 1, wherein the source information comprises at least two uniform resource locators and a jump sequence between the at least two uniform resource locators, and wherein the method further comprises:
and sending the source information to a cloud database so that the cloud database classifies the at least two uniform resource locators according to the jump sequence between them.
7. A cyber-threat detection apparatus, comprising:
the first acquisition module is used for acquiring source information of the file downloaded through the browser;
a second acquisition module configured to run the file and acquire a traffic element corresponding to the process; wherein the process is a process corresponding to the file;
a first determining module configured to determine whether the process is a threat process according to the traffic element; and
a second determining module configured to, in response to the process being a threat process, determine the source of the threat according to the source information.
8. The apparatus of claim 7, wherein the first obtaining module is specifically configured to:
tracking the network access behavior of the browser; wherein the network access behavior corresponds to downloading the file through the browser;
and recording the network access behavior to form the source information of the file.
9. The apparatus of claim 7, wherein the second obtaining module is specifically configured to:
monitoring whether the process establishes network connection in a kernel of an operating system;
and in response to the process establishing a network connection, acquire the traffic element corresponding to the process.
10. The apparatus of claim 7, wherein the first determining module is specifically configured to:
determine whether the traffic element is a threat element according to a preset threat judgement strategy and the traffic element;
in response to the traffic element being a threat element, determining that the process is a threat process;
in response to the traffic element not being a threat element, determining that the process is not a threat process.
11. The apparatus of claim 7, wherein the threat elements comprise an IP address; the device further comprises:
the first sending module is used for sending the IP address to a cloud end so that the cloud end can determine the geographic position of the threat according to the IP address.
12. The apparatus as claimed in claim 7, wherein the source information includes at least two uniform resource locators and a jump sequence between the at least two uniform resource locators, the apparatus further comprising:
a second sending module configured to send the source information to a cloud database so that the cloud database classifies the at least two uniform resource locators according to the jump sequence between them.
13. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the method of cyber-threat detection as claimed in any one of the preceding claims 1 to 6.
14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the method of cyber-threat detection of any of the preceding claims 1-6.
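The apparatus embodiment above and claims 1 to 6 describe the same pipeline: record the browser's URL jump sequence as the source information of a downloaded file, watch the connections the file's process opens, compare each traffic element against a preset threat judgement strategy, and, only when the process is judged a threat, attribute it back to its source chain and hand the threat IPs to the cloud. The following is an added example that is not the patent's or Antiy's code: an offline Python simulation of those steps in which every class and function name (BrowserTracker, ThreatPolicy, detect, classify_chain), the policy contents and the sample chain and connections are constructed for illustration. The kernel-level connection hook and the cloud geolocation service are out of scope here and are represented only by their inputs and outputs.

```python
# Added example (not the patent's code): offline simulation of the claimed pipeline.
# Every class/function name and all sample data are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional


@dataclass
class DownloadSource:
    """Source information of one download: the URL jump sequence (clicks and
    redirects) the browser followed before the file arrived (claims 2 and 6)."""
    file_path: str
    url_chain: List[str]


class BrowserTracker:
    """Tracks the browser's network access behaviour and ties it to each download (claim 2)."""

    def __init__(self) -> None:
        self._pending: List[str] = []  # navigations since the last download
        self.sources: Dict[str, DownloadSource] = {}

    def on_navigate(self, url: str) -> None:
        self._pending.append(url)

    def on_download(self, file_path: str) -> DownloadSource:
        src = DownloadSource(file_path, list(self._pending))
        self.sources[file_path] = src
        self._pending = []
        return src


@dataclass(frozen=True)
class TrafficElement:
    """One connection opened by the file's process, as a kernel hook reports it (claim 3)."""
    remote_ip: str
    remote_port: int
    domain: Optional[str] = None


class ThreatPolicy:
    """Preset threat judgement strategy (claim 4): a traffic element is a threat
    element when its destination matches a listed IP, network or domain."""

    def __init__(self, bad_ips: Iterable[str], bad_networks: Iterable[str],
                 bad_domains: Iterable[str]) -> None:
        self.bad_ips = {ip_address(ip) for ip in bad_ips}
        self.bad_networks = [ip_network(n) for n in bad_networks]
        self.bad_domains = {d.lower() for d in bad_domains}

    def is_threat(self, elem: TrafficElement) -> bool:
        ip = ip_address(elem.remote_ip)
        if ip in self.bad_ips or any(ip in n for n in self.bad_networks):
            return True
        dom = (elem.domain or "").lower()
        # a listed domain covers its subdomains; a bare string suffix does not count
        return any(dom == d or dom.endswith("." + d) for d in self.bad_domains)


@dataclass
class Verdict:
    pid: int
    file_path: str
    is_threat: bool
    threat_elements: List[TrafficElement]
    source_chain: List[str]  # the source of the threat (claim 1, last step)
    report_ips: List[str]    # threat IPs for the cloud end to geolocate (claim 5)


def detect(tracker: BrowserTracker, policy: ThreatPolicy, pid: int,
           file_path: str, connections: Iterable[TrafficElement]) -> Verdict:
    """Claims 1 and 4: the process is a threat process if any of its traffic
    elements is a threat element; only then is the source information attached."""
    hits = [c for c in connections if policy.is_threat(c)]
    src = tracker.sources.get(file_path)
    chain = src.url_chain if (src and hits) else []
    return Verdict(pid, file_path, bool(hits), hits, chain,
                   sorted({h.remote_ip for h in hits}))


def classify_chain(chain: List[str]) -> Dict[str, str]:
    """Claim 6 (cloud database side): label each URL by its place in the jump
    sequence: entry page, intermediate redirector, or the host that served the file."""
    last = len(chain) - 1
    return {u: "download_host" if i == last else "entry_page" if i == 0 else "redirector"
            for i, u in enumerate(chain)}


def sample_run() -> Verdict:
    """Constructed sample: documentation IP ranges and .example names, not real IoCs."""
    tracker = BrowserTracker()
    for u in ("https://news.example/article/42", "https://ads.example/click?id=7",
              "https://dl.example/setup.exe"):
        tracker.on_navigate(u)
    path = r"C:\Users\u\Downloads\setup.exe"
    tracker.on_download(path)
    policy = ThreatPolicy(["203.0.113.9"], ["198.51.100.0/24"], ["c2.example"])
    seen = [TrafficElement("192.0.2.10", 443, "update.example"),        # benign
            TrafficElement("198.51.100.77", 8443, "beacon.c2.example")]  # matches policy
    return detect(tracker, policy, 4242, path, seen)
```

Calling `sample_run()` yields a verdict whose `is_threat` is true, whose `report_ips` carries only the matching destination, and whose `source_chain` is the three-URL jump sequence that led to the download; `classify_chain` on that chain labels the first URL the entry page, the ad click a redirector and the last URL the download host. Two design points matter for a detector of this shape: the source chain is attached only when the process is actually judged a threat, so benign downloads leave no attribution noise, and domain matching treats a listed domain as covering its subdomains while refusing accidental suffix matches (notc2.example does not match c2.example).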
CN202111567145.6A 2021-12-20 2021-12-20 Network threat detection method and device, electronic equipment and readable storage medium Active CN114285618B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111567145.6A CN114285618B (en) 2021-12-20 2021-12-20 Network threat detection method and device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN114285618A true CN114285618A (en) 2022-04-05
CN114285618B CN114285618B (en) 2024-03-19

Family

ID=80873243

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111567145.6A Active CN114285618B (en) 2021-12-20 2021-12-20 Network threat detection method and device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN114285618B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103761478A (en) * 2014-01-07 2014-04-30 北京奇虎科技有限公司 Judging method and device of malicious files
CN104732145A (en) * 2015-03-31 2015-06-24 北京奇虎科技有限公司 Parasitic course detection method and device in virtual machine
CN105095759A (en) * 2015-07-21 2015-11-25 安一恒通(北京)科技有限公司 File detection method and device
US20180341769A1 (en) * 2017-05-29 2018-11-29 Fujitsu Limited Threat detection method and threat detection device
CN113452717A (en) * 2021-07-02 2021-09-28 安天科技集团股份有限公司 Method and device for communication software safety protection, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN114285618B (en) 2024-03-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant