CN114285618B - Network threat detection method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number: CN114285618B
Application number: CN202111567145.6A
Authority: CN (China)
Prior art keywords: threat, file, source information, determining, browser
Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114285618A (en)
Inventors: 孙鹏, 肖新光
Current assignee: Beijing Antiy Network Technology Co Ltd (as listed; not verified by a legal analysis)
Original assignee: Beijing Antiy Network Technology Co Ltd
Events: application filed by Beijing Antiy Network Technology Co Ltd; priority to CN202111567145.6A; publication of CN114285618A; application granted; publication of CN114285618B; legal status active


Abstract

The embodiments of the application disclose a network threat detection method, a network threat detection device, electronic equipment and a readable storage medium, relate to the technical field of network security, and are intended to make it easier to improve the security of user data. The method comprises the following steps: acquiring source information of a file downloaded through a browser; running the file and acquiring flow elements corresponding to the process, where the process is the process corresponding to the file; determining whether the process is a threat process according to the flow elements; and, in response to the process being a threat process, determining the source of the threat according to the source information. The application is applicable to determining threat sources.

Description

Network threat detection method and device, electronic equipment and readable storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and apparatus for detecting a network threat, an electronic device, and a readable storage medium.
Background
There are a large number of viruses in today's networks that threaten user data in many ways. When a user downloads a file through a browser, a virus can silently enter the user's device and steal user data, which forms a great threat to network security.
Disclosure of Invention
In view of this, embodiments of the present application provide a network threat detection method, apparatus, electronic device, and readable storage medium, which are convenient for improving security of user data.
In a first aspect, an embodiment of the present application provides a method for detecting a cyber threat, including: acquiring source information of a file downloaded through a browser; running the file and acquiring flow elements corresponding to the process; the process is a process corresponding to the file; determining whether the process is a threat process according to the flow elements; and responding to the process as a threat process, and determining the source of the threat according to the source information.
According to a specific implementation manner of the embodiment of the present application, the obtaining source information of a file downloaded through a browser includes: tracking network access behaviors of the browser; the network access behavior corresponds to downloading the file through the browser; and recording the network access behavior to form source information of the file.
According to a specific implementation manner of the embodiment of the present application, the obtaining a flow element corresponding to the process includes: monitoring whether the process establishes network connection in a kernel of an operating system; and responding to the process to establish network connection, and acquiring a flow element corresponding to the process.
According to a specific implementation manner of the embodiment of the present application, the determining, according to the flow element, whether the process is a threat process includes: determining whether the flow element is a threat element according to a preset threat judgment strategy and the flow element; determining that the process is a threat process in response to the traffic element being a threat element; in response to the traffic element not being a threat element, determining that the process is not a threat process.
According to a specific implementation of an embodiment of the present application, the threat element includes an IP address, and the method further includes: sending the IP address to a cloud end so that the cloud end determines the geographic position of the threat according to the IP address.
According to a specific implementation manner of the embodiment of the present application, the source information includes at least two uniform resource locators and a jump sequence between the at least two uniform resource locators, and the method further includes: and sending the source information to a cloud database so that the cloud database classifies the at least two resource locators according to the jump sequence between the at least two uniform resource locators.
In a second aspect, a network threat detection apparatus provided in an embodiment of the present application includes: the first acquisition module is used for acquiring source information of the files downloaded through the browser; the second acquisition module is used for running the file and acquiring flow elements corresponding to the process; the process is a process corresponding to the file; the first determining module is used for determining whether the process is a threat process or not according to the flow elements; and the second determining module is used for determining the source of the threat according to the source information in response to the process being a threat process.
According to a specific implementation manner of the embodiment of the present application, the first obtaining module is specifically configured to: tracking network access behaviors of the browser; the network access behavior corresponds to downloading the file through the browser; and recording the network access behavior to form source information of the file.
According to a specific implementation manner of the embodiment of the present application, the second obtaining module is specifically configured to: monitoring whether the process establishes network connection in a kernel of an operating system; and responding to the process to establish network connection, and acquiring a flow element corresponding to the process.
According to a specific implementation manner of the embodiment of the present application, the first determining module is specifically configured to: determining whether the flow element is a threat element according to a preset threat judgment strategy and the flow element; determining that the process is a threat process in response to the traffic element being a threat element; in response to the traffic element not being a threat element, determining that the process is not a threat process.
According to a specific implementation of an embodiment of the present application, the threat element includes an IP address; the apparatus further comprises: and the first sending module is used for sending the IP address to the cloud end so that the cloud end can determine the geographic position of the threat according to the IP address.
According to a specific implementation manner of the embodiment of the present application, the source information includes at least two uniform resource locators and a jump sequence between the at least two uniform resource locators, and the apparatus further includes: and the second sending module is used for sending the source information to a cloud database so that the cloud database classifies the at least two resource locators according to the jump sequence between the at least two uniform resource locators.
In a third aspect, an embodiment of the present application provides an electronic device, including: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic apparatus; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, executes the program corresponding to that code in order to perform the network threat detection method of any of the foregoing implementations.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing one or more programs executable by one or more processors to implement the network threat detection method of any of the foregoing implementations.
According to the network threat detection method, device, electronic equipment and readable storage medium, the source information of the file downloaded through the browser is obtained, the downloaded file is run, the flow elements corresponding to the process are obtained, and whether the process is a threat process is determined according to those flow elements. When the process is a threat process, the source of the threat can be determined according to the source information, so a corresponding treatment strategy can be adopted for the source of the threat, and the safety of user data is thereby improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for detecting a cyber threat according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for detecting a cyber threat according to yet another embodiment of the present disclosure;
FIG. 3 is a schematic structural diagram of a cyber threat detection apparatus according to an embodiment of the present disclosure;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below with reference to the accompanying drawings. It should be understood that the described embodiments are merely some, but not all, of the embodiments of the present application. All other embodiments, based on the embodiments herein, which would be apparent to one of ordinary skill in the art without making any inventive effort, are intended to be within the scope of the present application.
In order that those skilled in the art will better understand the technical concepts, embodiments and advantages of the examples of the present application, a detailed description will be given below by way of specific examples.
The network threat detection method provided by an embodiment of the application comprises the following steps: acquiring source information of a file downloaded through a browser; running the file and acquiring flow elements corresponding to the process; the process is a process corresponding to the file; determining whether the process is a threat process according to the flow elements; and responding to the process as a threat process, and determining the source of the threat according to the source information, so that the safety of the user data is improved.
Fig. 1 is a flow chart of a network threat detection method provided in an embodiment of the present application, as shown in fig. 1, the network threat detection method of the present embodiment may include:
S101, acquiring source information of a file downloaded through a browser.
The browser may be an application that displays files within a web server or file system and allows a user to interact with them. It is used to display text, images and other information within the world wide web or a local area network. Such text or images may be hyperlinks to other web sites, which allow the user to quickly and easily view a variety of information. The files downloaded through the browser may be installation packages, documents, and the like. The source information may include the name of the browser used for the download, the web site used, and the hyperlinks followed under that web site. For example, for the download of a pdf file, the corresponding source information may record that the IE browser was used, that www.XX.com was entered as input, that the interface for downloading the document was reached through a hyperlink on that web site, and that the document was downloaded in that interface.
The source information may be stored in the form of a log.
S102, running the file and acquiring flow elements corresponding to the process.
In this embodiment, the process is a process corresponding to a file.
Running the file generates a corresponding process. Where the downloaded file is an installation package, the installation package may be installed and the software corresponding to it then run.
After the running file generates the corresponding process, the flow elements corresponding to the process are obtained, wherein the flow elements can include the size of the data packet, the source IP address, the source port, the destination IP address, the destination port, the transmission protocol and/or the protocol content.
S103, determining whether the process is a threat process according to the flow elements.
Whether the process is a threat process is determined according to the flow elements corresponding to the process: when a traffic element corresponding to the process is a threat element, the process is determined to be a threat process; when the traffic element corresponding to the process is not a threat element, the process is determined not to be a threat process.
S104, responding to the process as a threat process, and determining the source of the threat according to the source information.
When the process is a threat process, the source of the threat can be determined according to the source information of the file corresponding to the process. Once the source of the threat is determined, a corresponding treatment strategy can be formulated so that the threat (virus) is limited at its source. For example, a pdf file is downloaded and its source information records that the IE browser was used, that www.XX.com was entered, that the interface for downloading the document was reached through a hyperlink under that web site, and that the document was downloaded in that interface. If a threat process is generated when the pdf file is run, the hyperlink used to download the pdf file can be disabled according to this source, so that the safety of user data is improved.
In this embodiment, since source information of a file downloaded through a browser is acquired, the downloaded file is operated, a flow element corresponding to a process is acquired, whether the process is a threat process is determined according to the flow element, and when the process is a threat process, a source of a threat can be determined according to the source information, so that a corresponding treatment policy can be adopted for the source of the threat, thereby improving security of user data and avoiding a problem of lower security of the user data caused by difficulty in determining the source of the threat.
Fig. 2 is a flow chart of a network threat detection method according to another embodiment of the present application, as shown in fig. 2, and the difference is that, in the embodiment, obtaining source information of a file downloaded through a browser (S101) may include:
S101a, tracking network access behaviors of the browser.
In this embodiment, the network access behavior corresponds to downloading the file through the browser.
The network access behavior may include the operations that make up the behavior and the sequence among those operations. For example, the following network access behavior may be obtained by tracking: web site B is entered in browser A, then installation package D is downloaded through hyperlink C; during the installation of installation package D, a section of malicious code E points to hyperlink F, malicious code G is downloaded through hyperlink F, and malicious code G can control the mouse.
S101b, recording network access behaviors to form source information of the file.
The network access behavior obtained by tracking in step S101a is recorded, thereby forming the source information of the file.
According to this embodiment, the source information of the file is formed by tracking the network access behavior of the browser and recording that behavior. Because the browser's network access behavior is tracked, it can be recorded in more detail, so a corresponding disposal strategy can be adopted more accurately and the safety of user data is further improved.
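The following is an added example, not code from the patent or from the assignee, of how steps S101a and S101b can be realised: browser access events are recorded with a link to the event they jumped from, and for every downloaded file the jump sequence is rebuilt and written as a log line. The event format, the `parent_seq` link and all URLs are constructed for the example; the sample events follow the A/B/C/D/E/F/G scenario described above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed representation of one tracked network access (assumption for this
# example): a browser hook records each access together with the access it
# jumped from, which is what allows the jump sequence to be rebuilt later.
@dataclass(frozen=True)
class AccessEvent:
    seq: int                          # order in which the access happened
    kind: str                         # "input", "hyperlink" or "download"
    url: str
    parent_seq: Optional[int]         # seq of the access this one jumped from
    file_name: Optional[str] = None   # only set for "download" events

@dataclass
class SourceInfo:
    browser: str
    file_name: str
    url_chain: List[str]              # jump sequence, oldest access first

def build_source_log(browser: str, events: List[AccessEvent]) -> Dict[str, SourceInfo]:
    """S101a/S101b: walk each download back through its parent accesses and
    record the resulting jump sequence as that file's source information."""
    by_seq = {ev.seq: ev for ev in events}
    log: Dict[str, SourceInfo] = {}
    for ev in events:
        if ev.kind != "download" or ev.file_name is None:
            continue
        chain: List[str] = []
        seen = set()
        cur: Optional[AccessEvent] = ev
        while cur is not None and cur.seq not in seen:   # guard against cycles
            seen.add(cur.seq)
            chain.append(cur.url)
            cur = by_seq.get(cur.parent_seq) if cur.parent_seq is not None else None
        chain.reverse()
        log[ev.file_name] = SourceInfo(browser, ev.file_name, chain)
    return log

def format_log_line(info: SourceInfo) -> str:
    """One log line per downloaded file, in the form the later attribution step consumes."""
    return f"{info.file_name} | browser={info.browser} | " + " -> ".join(info.url_chain)

# Constructed events modelled on the scenario in the text: web site B is typed
# into browser A, installation package D is fetched through hyperlink C, and
# during D's installation code E follows hyperlink F to fetch G.
SAMPLE_EVENTS = [
    AccessEvent(1, "input",     "https://b.example/",              None),
    AccessEvent(2, "hyperlink", "https://b.example/downloads",     1),
    AccessEvent(3, "download",  "https://b.example/files/D-setup", 2, "D-setup"),
    AccessEvent(4, "hyperlink", "https://f.example/get",           3),   # followed by code E inside D
    AccessEvent(5, "download",  "https://f.example/G.bin",         4, "G.bin"),
]

if __name__ == "__main__":
    for info in build_source_log("A", SAMPLE_EVENTS).values():
        print(format_log_line(info))
```

Because each event keeps a link to its parent rather than only a timestamp, the chain for G includes the whole path back to web site B, which is the information the later classification of URLs by jump sequence relies on.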
A further embodiment of the present application is basically the same as the above embodiment, except that the obtaining a flow element corresponding to a process (S102) of the present embodiment may include:
S102a, in the kernel of an operating system, monitoring whether a process establishes a network connection.
In the kernel of the operating system (ring 0), whether any process establishes a network connection is monitored. In some examples, whether a process has established a network connection may be determined from whether the process exhibits the three-way handshake behavior of the TCP protocol.
S102b, responding to the process to establish network connection, and acquiring flow elements corresponding to the process.
After the process establishes network connection, the flow elements corresponding to the process can be obtained.
In this embodiment, a listener may be set at each layer of the systems interconnection (OSI) model to monitor the traffic information, so that the traffic element is obtained at the kernel layer.
In this embodiment, whether a process establishes a network connection is monitored in the kernel of the operating system, and when a process does establish a network connection, the flow element corresponding to that networked process is acquired. Because network data is received or transmitted through the network card, and the driver for the network card resides in the kernel layer of the operating system, the networked process and its corresponding flow element can be acquired more reliably, and the threat element and the corresponding process can then be determined, which provides a basis for further improving the security of user data.
A further embodiment of the present application is substantially the same as the above embodiment, except that determining whether the process is a threat process according to the traffic element (S103) of the present embodiment may include:
S103a, determining whether the flow element is a threat element according to a preset threat judgment strategy and the flow element.
The preset threat judgment strategy can be formulated according to the network environment. If the office environment does not involve an overseas IP address, the preset threat determination policy may be that the overseas IP address is a threat element, so that it may be determined whether the IP address in the traffic element is a threat element according to the policy.
S103b, responding to the traffic element as the threat element, and determining the process as a threat process.
If the traffic element is a threat element, the process corresponding to the traffic element is a threat process.
S103c, in response to the traffic element not being a threat element, determining that the process is not a threat process.
If the traffic element is not a threat element, then the process corresponding to the traffic element is not a threat process.
To determine the geographic location of the threat to obtain more threat-related information, in some examples, the threat element may include an IP address; the method further comprises the steps of:
S105, sending the IP address to the cloud end, so that the cloud end determines the geographic position of the threat according to the IP address.
In some examples, a number of IP address-to-geographic location correspondences may be stored at the cloud end, through which the geographic location corresponding to the IP address in the threat element may be determined.
In this embodiment, the IP address is sent to the cloud end, so that the cloud end determines the geographical location of the threat according to the IP address, so that not only can more threat-related information be obtained, but also the relevant personnel can determine whether to process the IP address, and local computing resources can be saved.
In still other examples, the source information includes at least two uniform resource locators and a jump sequence between the at least two uniform resource locators, the method further comprising:
S106, sending the source information to the cloud database so that the cloud database classifies the at least two resource locators according to the jump sequence between the at least two uniform resource locators.
In this embodiment, the at least two resource locators are classified according to the jump sequence between them; specifically, the at least two resource locators may be placed in a threat class, and a corresponding processing policy may then be formulated according to that classification. For example, the combination of the at least two uniform resource locators and their jump sequence in this embodiment can be regarded as a possible threat, and by the same judgment such an operation behavior can be intercepted when it occurs again, which further improves the security of user data.
The following describes the embodiments of the present application in detail with reference to a specific example.
The network threat detection method of the embodiment may include:
Step 1, tracking the network access behaviors of the browser, and forming a log about the acquisition source of an installation package when it is detected that the browser downloads a software installation package and the user accepts the package.
Step 2, when the software runs, monitoring the network connection condition and the sending of IO data packets in the kernel layer of the operating system.
When the software runs, the process it generates can be monitored for its network connections and the traffic packets it produces.
Step 3, sending the process and the corresponding traffic packets to the application layer, and calling corresponding software at the application layer to judge whether the process is abnormal.
Whether the process is abnormal is judged according to preset judgment rules and the flow elements in the traffic packets.
Step 4, if the process is abnormal, the log from step 1 is consulted and the sequence in which the user browsed and clicked URLs is determined, so that the source of the malicious code is determined.
The logs are uploaded to a cloud database, and the jump relationships among Uniform Resource Locators (URLs) are determined according to the jump sequence of the URLs in the logs, so that the related URLs can be classified.
Step 5, sending the IP information to the cloud end, so that the cloud end determines the geographic position of each IP address.
Step 6, querying the cloud database according to the IP and displaying the geographic position together with it, so that related personnel can conveniently decide whether to handle the corresponding process according to this information; or deciding whether to close the corresponding process according to a preset geographic position judgment rule.
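The following is an added example, not code from the patent or from the assignee, that covers steps S103 to S106 above and steps 3 to 6 of this worked example in one pass: flow elements with the fields listed under S102 are judged against a preset threat judgment policy (here, the office-network rule that any destination outside the allowed ranges is a threat element), a process with a threat element is marked as a threat process, the process is attributed to its file's URL jump sequence, every URL on that sequence is placed in the threat class, and the threat IP is geolocated and a geographic rule decides whether to close the process. The flow records, address ranges, region names and the local `GEO_TABLE` (which stands in for the cloud end's lookup) are all constructed for the example; a deployment would obtain the flow elements from the kernel-level monitor the text describes and query the cloud end for locations.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class FlowElement:
    """The traffic fields step S102 lists for a networked process."""
    pid: int
    packet_size: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str

# Preset threat judgment policy (S103a) for the office example in the text:
# destinations outside these constructed private ranges are threat elements.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed stand-in for the cloud end's IP-to-location table (S105 / step 5);
# the ranges are documentation addresses and the region names are placeholders.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "Region X (placeholder)",
    ipaddress.ip_network("203.0.113.0/24"): "Region Y (placeholder)",
}

# Constructed geographic position judgment rule (step 6): threats located in
# these regions are closed automatically, others are shown for review.
AUTO_CLOSE_REGIONS = {"Region X (placeholder)"}

def is_threat_element(flow: FlowElement) -> bool:
    """S103a: the destination IP address is a threat element if it lies outside every allowed range."""
    dst = ipaddress.ip_address(flow.dst_ip)
    return not any(dst in net for net in ALLOWED_NETWORKS)

def threat_processes(flows: List[FlowElement]) -> Dict[int, List[FlowElement]]:
    """S103b/S103c: a process is a threat process if any of its flow elements is a threat element."""
    found: Dict[int, List[FlowElement]] = {}
    for f in flows:
        if is_threat_element(f):
            found.setdefault(f.pid, []).append(f)
    return found

def geolocate(ip: str) -> str:
    """Step 5: map a threat IP address to a geographic position (local table stands in for the cloud)."""
    addr = ipaddress.ip_address(ip)
    for net, region in GEO_TABLE.items():
        if addr in net:
            return region
    return "unknown"

def classify_urls(chain: List[str]) -> Dict[str, str]:
    """S106: every URL on the jump sequence that led to a threat process goes into the threat class."""
    return {url: "threat" for url in chain}

def decide_action(regions: List[str]) -> str:
    """Step 6: apply the preset geographic rule to the regions of the threat elements."""
    return "close process" if any(r in AUTO_CLOSE_REGIONS for r in regions) else "report for review"

def detect(flows: List[FlowElement], process_file: Dict[int, str],
           source_log: Dict[str, List[str]]) -> Dict[int, dict]:
    """Steps 3 to 6: judge processes, attribute each threat process to its file's
    URL jump sequence (S104), classify those URLs, geolocate and decide."""
    report: Dict[int, dict] = {}
    for pid, bad in threat_processes(flows).items():
        file_name = process_file.get(pid, "<unknown file>")
        chain = source_log.get(file_name, [])
        regions = sorted({geolocate(f.dst_ip) for f in bad})
        report[pid] = {
            "file": file_name,
            "threat_elements": [(f.dst_ip, f.dst_port, f.protocol) for f in bad],
            "regions": regions,
            "source_chain": chain,
            "url_classes": classify_urls(chain),
            "action": decide_action(regions),
        }
    return report

# Constructed sample data: pid 4321 runs the downloaded package "D-setup" and
# talks to one internal and one external host; pid 4400 is an internal tool.
SAMPLE_FLOWS = [
    FlowElement(4321, 512, "10.1.2.3", 50000, "10.1.2.10", 445, "TCP"),
    FlowElement(4321, 1280, "10.1.2.3", 50001, "198.51.100.7", 443, "TCP"),
    FlowElement(4400, 96, "10.1.2.3", 50002, "192.168.5.5", 8080, "TCP"),
]
SAMPLE_PROCESS_FILE = {4321: "D-setup", 4400: "report-viewer"}
SAMPLE_SOURCE_LOG = {
    "D-setup": ["https://b.example/", "https://b.example/downloads", "https://b.example/files/D-setup"],
}

if __name__ == "__main__":
    for pid, entry in detect(SAMPLE_FLOWS, SAMPLE_PROCESS_FILE, SAMPLE_SOURCE_LOG).items():
        print(pid, entry)
```

The policy is deliberately a pure function of the flow element so that it can be swapped for whatever rule fits a given network environment, as the text says the preset strategy should be; the attribution step only needs the process-to-file mapping and the source log, which is why the source log is kept as a simple file-to-URL-chain dictionary here.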
In this embodiment, since the source information of a file downloaded through the browser is acquired, the downloaded file is run, the flow elements corresponding to the process are acquired, and whether the process is a threat process is determined according to those flow elements, the source of the threat can be determined from the source information when the process is a threat process, so that a corresponding treatment policy can be adopted for the source of the threat and the safety of user data is improved. To further improve the safety of user data, the network access behavior of the browser can be tracked and recorded to form the source information of the file; whether a process establishes a network connection can be monitored in the kernel of the operating system, so that the flow elements of the process establishing the connection are acquired more reliably, which provides a basis for further improving the safety of user data; to simplify the determination of whether a process is a threat process, whether a flow element is a threat element can be determined through a preset threat judgment policy, and if it is, the corresponding process is a threat process; to acquire more threat-related information and make it easier to decide how to handle the IP address, the IP address can be sent to the cloud end so that the cloud end determines the geographic position of the threat; and the source information can be sent to a cloud database so that the at least two uniform resource locators are classified according to the jump sequence between them.
The network threat detection apparatus provided in an embodiment of the present application includes: a first acquisition module, used for acquiring source information of the file downloaded through the browser; a second acquisition module, used for running the file and acquiring the flow elements corresponding to the process, where the process is the process corresponding to the file; a first determining module, used for determining whether the process is a threat process according to the flow elements; and a second determining module, used for determining the source of the threat according to the source information in response to the process being a threat process. This makes it easier to improve the security of user data.
Fig. 3 is a schematic structural diagram of a cyber threat detection apparatus provided in an embodiment of the present application, and as shown in fig. 3, the cyber threat detection apparatus of the present embodiment may include: a first obtaining module 11, configured to obtain source information of a file downloaded through a browser; the second obtaining module 12 is configured to run the file and obtain a flow element corresponding to the process; the process is a process corresponding to the file; a first determining module 13, configured to determine, according to the flow element, whether the process is a threat process; a second determining module 14, configured to determine a source of the threat according to the source information in response to the process being a threat process.
The device of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and its implementation principle and technical effects are similar, and are not described here again.
According to the device, as the source information of the file downloaded through the browser is obtained, the downloaded file is operated, the flow elements corresponding to the process are obtained, whether the process is a threat process or not is determined according to the flow elements, and when the process is the threat process, the source of the threat can be determined according to the source information, so that a corresponding treatment strategy can be adopted for the source of the threat, the safety of user data is improved, and the problem that the safety of the user data is lower due to the fact that the source of the threat is difficult to determine is avoided.
As an optional implementation manner, the first obtaining module is specifically configured to: tracking network access behaviors of the browser; the network access behavior corresponds to downloading the file through the browser; and recording the network access behavior to form source information of the file.
As an optional implementation manner, the second obtaining module is specifically configured to: monitoring whether the process establishes network connection in a kernel of an operating system; and responding to the process to establish network connection, and acquiring a flow element corresponding to the process.
As an optional implementation manner, the first determining module is specifically configured to: determining whether the flow element is a threat element according to a preset threat judgment strategy and the flow element; determining that the process is a threat process in response to the traffic element being a threat element; in response to the traffic element not being a threat element, determining that the process is not a threat process.
As an alternative embodiment, the threat element includes an IP address; the apparatus further comprises: and the first sending module is used for sending the IP address to the cloud end so that the cloud end can determine the geographic position of the threat according to the IP address.
As an optional implementation manner, the source information includes at least two uniform resource locators and a jump sequence between the at least two uniform resource locators, and the apparatus further includes: and the second sending module is used for sending the source information to a cloud database so that the cloud database classifies the at least two resource locators according to the jump sequence between the at least two uniform resource locators.
The device of the above embodiment may be used to implement the technical solution of the above method embodiment, and its implementation principle and technical effects are similar, and are not repeated here.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 4, the device may include: a processor 62 and a memory 63 arranged on a circuit board 64, wherein the circuit board 64 is arranged in the space enclosed by a housing 61; a power supply circuit 65 for supplying power to the respective circuits or devices of the electronic apparatus; the memory 63 for storing executable program code; and the processor 62, which, by reading the executable program code stored in the memory 63, executes the program corresponding to that code in order to perform any one of the network threat detection methods provided in the foregoing embodiments, so that the corresponding beneficial technical effects can also be achieved; these have been described in detail above and will not be repeated here.
Such electronic devices exist in a variety of forms, including but not limited to:
(1) Mobile communication devices: devices characterized by mobile communication capability whose primary purpose is voice and data communication. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: devices in the personal computer category that have computing and processing functions and generally also mobile internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: devices that can display and play multimedia content, including audio and video players (e.g., iPod), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: a server comprises a processor, hard disk, memory, system bus and so on, and is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has high requirements for processing capacity, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with data interaction functions.
Accordingly, embodiments of the present application further provide a computer-readable storage medium storing one or more programs which, when executed by one or more processors, implement any of the network threat detection methods provided in the foregoing embodiments; the corresponding technical effects, described in detail above, can thus also be achieved and are not repeated here.
It is noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between them. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to it. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
In this specification, the embodiments are described in a progressive manner: identical and similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others.
In particular, since the apparatus embodiments are substantially similar to the method embodiments, their description is relatively brief, and reference may be made to the relevant parts of the method embodiments.
For convenience of description, the apparatus above is described as being divided functionally into various units/modules. Of course, when implementing the present application, the functions of each unit/module may be implemented in one or more pieces of software and/or hardware.
Those skilled in the art will appreciate that all or part of the methods of the above embodiments may be implemented by a computer program stored on a computer-readable storage medium which, when executed, may comprise the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM) or the like.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions easily conceivable by those skilled in the art within the technical scope of the present application should be covered in the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (6)

1. A network threat detection method, comprising:
acquiring source information of a file downloaded through a browser, wherein acquiring the source information comprises: tracking the network access behavior of the browser, the network access behavior corresponding to downloading the file through the browser; and recording the network access behavior to form the source information of the file;
running the file and acquiring a traffic element corresponding to the process, the process being the process corresponding to the file, wherein acquiring the traffic element comprises: monitoring, in the kernel of the operating system, whether the process establishes a network connection; and, in response to the process establishing a network connection, acquiring the traffic element corresponding to the process;
determining, according to the traffic element, whether the process is a threat process, which comprises: determining, according to a preset threat judgment strategy and the traffic element, whether the traffic element is a threat element; determining that the process is a threat process in response to the traffic element being a threat element; and determining that the process is not a threat process in response to the traffic element not being a threat element;
in response to the process being a threat process, determining the source of the threat according to the source information;
wherein the source information comprises at least two uniform resource locators and the jump sequence between them, and the method further comprises: sending the source information to a cloud database so that the cloud database classifies the at least two uniform resource locators according to the jump sequence between them and formulates a corresponding disposal strategy according to the classification result.
2. The method of claim 1, wherein the threat element comprises an IP address, and the method further comprises:
sending the IP address to a cloud so that the cloud determines the geographic location of the threat according to the IP address.
3. A network threat detection apparatus, comprising:
a first acquisition module configured to acquire source information of a file downloaded through a browser;
wherein the first acquisition module is specifically configured to: track the network access behavior of the browser, the network access behavior corresponding to downloading the file through the browser; and record the network access behavior to form the source information of the file;
a second acquisition module configured to run the file and acquire a traffic element corresponding to the process, the process being the process corresponding to the file; wherein the second acquisition module is specifically configured to: monitor, in the kernel of the operating system, whether the process establishes a network connection; and, in response to the process establishing a network connection, acquire the traffic element corresponding to the process;
a first determining module configured to determine, according to the traffic element, whether the process is a threat process; wherein the first determining module is specifically configured to: determine, according to a preset threat judgment strategy and the traffic element, whether the traffic element is a threat element; determine that the process is a threat process in response to the traffic element being a threat element; and determine that the process is not a threat process in response to the traffic element not being a threat element;
a second determining module configured to determine, in response to the process being a threat process, the source of the threat according to the source information;
wherein the source information comprises at least two uniform resource locators and the jump sequence between them, and the apparatus further comprises:
a second sending module configured to send the source information to a cloud database so that the cloud database classifies the at least two uniform resource locators according to the jump sequence between them and formulates a corresponding disposal strategy according to the classification result.
4. The apparatus of claim 3, wherein the threat element comprises an IP address, and the apparatus further comprises:
a first sending module configured to send the IP address to the cloud so that the cloud determines the geographic location of the threat according to the IP address.
5. An electronic device, comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to the circuits and devices of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading it from the memory, so as to perform the network threat detection method of any of claims 1-2.
6. A computer-readable storage medium storing one or more programs which, when executed by one or more processors, implement the network threat detection method of any of claims 1-2.
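The procedure of claims 1-2 (and the first determining, first sending and second sending modules described in the apparatus embodiment above) reduced to a small offline pipeline, as an added example that is not the patent's own code. The kernel-side connection hook, the cloud geolocation lookup and the cloud-side classification are not reproduced: the connection events, the browser download record, the block list, the suspicious-port rule and the position-based URL classification scheme are all constructed assumptions used to illustrate how the recorded jump sequence turns a threat verdict on a process into a threat source.

```python
"""Added example, not code from the patent.

Assumed inputs (constructed below, not from the page):
  * a DownloadRecord: the URL jump sequence the browser followed to the file
  * FlowElements: network connections of the process that runs the file,
    in the shape a kernel hook would report them
Assumed policy: an IP block list plus a suspicious-port rule.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse


@dataclass
class DownloadRecord:
    """Source information for one browser download (claim 1, first step)."""
    file_id: str
    jump_sequence: list[str]      # URLs in the order the browser visited them


@dataclass
class FlowElement:
    """One network connection of the process that runs the file (second step)."""
    pid: int
    file_id: str                  # stands in for the process-to-file mapping
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class ThreatPolicy:
    """Preset threat-judgment strategy (third step); the rules are assumptions."""
    blocked_networks: list = field(default_factory=list)   # ip_network objects
    suspicious_ports: set = field(default_factory=set)

    def is_threat_element(self, flow: FlowElement) -> bool:
        ip = ip_address(flow.dst_ip)
        if any(ip in net for net in self.blocked_networks):
            return True
        return flow.dst_port in self.suspicious_ports


def classify_jump_sequence(urls: list[str]) -> list[tuple[str, str]]:
    """Label each URL by its position in the jump sequence. The patent leaves
    the cloud-side classification unspecified; this scheme is an assumption:
    first hop = landing page, last hop = download host, anything between =
    redirector."""
    if len(urls) < 2:
        raise ValueError("source information must hold at least two URLs")
    labelled = []
    for i, url in enumerate(urls):
        if i == 0:
            role = "landing"
        elif i == len(urls) - 1:
            role = "download"
        else:
            role = "redirector"
        labelled.append((url, role))
    return labelled


def detect(record: DownloadRecord, flows: list[FlowElement],
           policy: ThreatPolicy) -> dict:
    """Third and fourth steps: judge every traffic element of the file's
    process against the policy; one threat element makes the process a threat
    process, and the threat source is then derived from the jump sequence."""
    own_flows = [f for f in flows if f.file_id == record.file_id]
    threat_elements = [f for f in own_flows if policy.is_threat_element(f)]
    result = {
        "file_id": record.file_id,
        "is_threat_process": bool(threat_elements),
        # claim 2: these IPs would be sent to the cloud for geolocation
        "threat_ips": sorted({f.dst_ip for f in threat_elements}),
        "source": None,
    }
    if threat_elements:
        labelled = classify_jump_sequence(record.jump_sequence)
        result["source"] = {
            "landing_host": urlparse(labelled[0][0]).hostname,
            "redirect_hosts": [urlparse(u).hostname
                               for u, role in labelled if role == "redirector"],
            "download_host": urlparse(labelled[-1][0]).hostname,
            "jump_sequence": labelled,
        }
    return result


# Constructed sample input (not from the page); addresses are documentation ranges.
SAMPLE_RECORD = DownloadRecord(
    file_id="setup.exe#1",
    jump_sequence=[
        "https://forum.example/thread/123",
        "https://redir.example/go?id=9",
        "https://cdn.example.net/setup.exe",
    ],
)
SAMPLE_FLOWS = [
    FlowElement(pid=4242, file_id="setup.exe#1", dst_ip="203.0.113.5", dst_port=443, proto="tcp"),
    FlowElement(pid=4242, file_id="setup.exe#1", dst_ip="198.51.100.7", dst_port=4444, proto="tcp"),
    FlowElement(pid=7, file_id="other.exe#2", dst_ip="198.51.100.7", dst_port=4444, proto="tcp"),
]
SAMPLE_POLICY = ThreatPolicy(
    blocked_networks=[ip_network("198.51.100.0/24")],
    suspicious_ports={4444, 1337},
)


def run_sample() -> dict:
    return detect(SAMPLE_RECORD, SAMPLE_FLOWS, SAMPLE_POLICY)


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

Two caveats a practitioner would add: the `file_id` field is the whole correlation between a connection and the downloaded file, and in a real deployment that mapping has to come from the kernel hook (process image path or hash at exec time), otherwise a connection from an unrelated process is attributed to the wrong download; and a port-only hit is a weak indicator, so a deployed policy would weight indicators rather than treat any single match as a threat element. The geolocation of claim 2 is a lookup against a GeoIP database on the cloud side and is not shown here.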

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111567145.6A CN114285618B (en) 2021-12-20 2021-12-20 Network threat detection method and device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN114285618A CN114285618A (en) 2022-04-05
CN114285618B true CN114285618B (en) 2024-03-19

Family

ID=80873243

Country Status (1)

Country Link
CN (1) CN114285618B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103761478A (en) * 2014-01-07 2014-04-30 北京奇虎科技有限公司 Judging method and device of malicious files
CN104732145A (en) * 2015-03-31 2015-06-24 北京奇虎科技有限公司 Parasitic course detection method and device in virtual machine
CN105095759A (en) * 2015-07-21 2015-11-25 安一恒通(北京)科技有限公司 File detection method and device
CN113452717A (en) * 2021-07-02 2021-09-28 安天科技集团股份有限公司 Method and device for communication software safety protection, electronic equipment and storage medium

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
JP2018200642A (en) * 2017-05-29 2018-12-20 富士通株式会社 Threat detection program, threat detection method, and information processing apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant