CN114386030A - Big data software-based security monitoring method, system, device and medium

Info

Publication number: CN114386030A
Application number: CN202210039026.1A
Authority: CN (China)
Prior art keywords: software, preset, terminal, malicious, data
Legal status: Withdrawn (the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 刘勇
Current assignee: Individual
Original assignee: Individual
Events: application filed by Individual; priority to CN202210039026.1A; publication of CN114386030A; withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Abstract

The invention provides a software security monitoring method, system, device and medium based on big data, and relates to the technical field of information security. A preset monitoring program is embedded in the operating system and set to start automatically; it reads process information to obtain a process list; it monitors the process list to obtain the objects that software processes operate on; software whose data acquisition within a preset time reaches a preset amount is judged to be risk software; the authorization status of the software is checked, and software that accesses an object without the terminal's authorization is judged to be malicious software; a software behavior file is created as a record, and the risk software and malicious software are flagged to the user; the software behavior files are uploaded to a background terminal, which continuously receives behavior files from many terminals and analyzes all of them; software whose access frequency to privacy objects exceeds a preset frequency is judged to be malicious software; and malicious software is blocked, the operating system is prohibited from installing it, it is reported to an administrator, and risk software is tracked in real time. The security of personal information on terminal devices is thereby improved.

Description

Big data software-based security monitoring method, system, device and medium
Technical Field
The invention relates to the technical field of information security, and in particular to a software security monitoring method, system, device and medium based on big data.
Background
With the development of the times, the internet has penetrated every aspect of society, so information security has become an important social problem. In particular, on existing mobile devices such as mobile phones and computers, installed software can access or collect user information at will; information that the software does not need is obtained illegally and the user's information is leaked. A security monitoring method for software based on big data is therefore needed.
Disclosure of Invention
The invention aims to provide a software security monitoring method based on big data, which can improve the security of personal information in terminal equipment.
The embodiment of the invention is realized by the following steps:
In a first aspect, an embodiment of the present application provides a software security monitoring method based on big data, which includes: embedding a preset monitoring program in the operating system of a terminal and setting it to start automatically; the preset monitoring program reads process information to obtain a process list; the preset monitoring program monitors the process list to obtain the objects that software processes operate on; if a piece of software obtains object data of at least a first preset amount within a first preset time, it is judged to be risk software, otherwise monitoring continues; detecting whether the software's access to, or operation on, an object is authorized, and if the software has not been authorized by the terminal, judging it to be malicious software; creating a software behavior file and storing in it the digital signature of each object operated on by any software, marking risk software and malicious software, and displaying prompt information about the risk software and malicious software on the terminal's home page interface; uploading the software behavior file from the terminal to a background terminal in which privacy objects are preset, the background terminal continuously receiving software behavior files from a plurality of terminals and analyzing all of them; if, according to the software behavior files, the frequency with which any software accesses or operates on a privacy object within a second preset time exceeds a preset frequency, judging that software to be malicious software; and blocking the malicious software, prohibiting the operating system from installing it, reporting it to an administrator, and tracking the risk software in real time.
In some embodiments of the invention, the step of detecting whether the software's access to or operation on an object is authorized comprises: acquiring the terminal's authorization list; screening out the software's authorized permissions from the authorization list; if the authorized permissions do not include the object, judging that authorization has not been obtained, otherwise judging that it has.
In some embodiments of the present invention, if the software is not authorized by the terminal, the step of judging it to be malicious software includes: the preset monitoring program acquires the networking data of every piece of software in the operating system to generate a traffic data list; a white list is preset, the user selects white-list software through a pop-up window, and the monitoring program monitors the traffic of all non-white-list software; and if the traffic used by any non-white-list software within a preset time exceeds a preset quantity, a traffic usage report for that non-white-list software is displayed on the terminal's home page interface.
In some embodiments of the present invention, the step of displaying the non-white-list software traffic usage report on the terminal home page interface includes: if the traffic used by any non-white-list software within the preset time exceeds the preset quantity and the software then requests installation through a pop-up window, its traffic use is judged to be illegal; and if the traffic used by any non-white-list software within the preset time exceeds the preset quantity and the software is installed directly in the background without authorization, that non-white-list software is judged to be malicious software.
In some embodiments of the present invention, the step in which the preset monitoring program monitors the process list and obtains the objects operated on by a software process includes: when any software on the operating system creates a process and is allocated an address space, the new process appears in the process list; the preset monitoring program tracks the address space of the new process and reads the process space to obtain the objects operated on by the software process.
In some embodiments of the invention, the step of tracking the risk software in real time comprises: whenever a software behavior file is received, the software that requires real-time tracking is compared first, data reports are generated from that software's data on the different terminals, and the data reports are sent to the administrators.
In some embodiments of the present invention, the step of uploading the software behavior file to the background terminal through the terminal includes: compressing the software behavior file and uploading it from the terminal to the background terminal.
In a second aspect, an embodiment of the present application provides a software security monitoring system based on big data, including: a presetting module, used to embed a preset monitoring program in the operating system of the terminal and set it to start automatically; a process reading module, used by the preset monitoring program to read process information and obtain a process list; a monitoring module, used by the preset monitoring program to monitor the process list and obtain the objects operated on by software processes, judging software that obtains object data of at least a first preset amount within a first preset time to be risk software and otherwise continuing to monitor; an authorization detection module, used to detect whether software access to or operation on an object is authorized and to judge software that has not been authorized by the terminal to be malicious software; a behavior recording module, used to create a software behavior file, store in it the digital signature of each object operated on by any software, mark risk software and malicious software, and display prompt information about them on the terminal home page interface; a big data processing module, which uploads the software behavior files from the terminal to a background terminal in which privacy objects are preset, the background terminal continuously receiving software behavior files from a plurality of terminals and analyzing all of them; and a judging module, used to judge any software whose frequency of accessing or operating on a privacy object within a second preset time, according to the software behavior files, exceeds a preset frequency to be malicious software, to block the malicious software, prohibit the operating system from installing it, report it to an administrator, and track the risk software in real time.
In a third aspect, an embodiment of the present application provides an electronic device, including at least one processor, at least one memory and a data bus, wherein the processor and the memory communicate with each other through the data bus; the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the software security monitoring method based on big data.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the software security monitoring method based on big data.
Compared with the prior art, the embodiment of the invention has at least the following advantages or beneficial effects:
For the problem that existing software illegally acquires information from mobile phones, computers and other terminals, this design places a process monitoring program in the operating system. The principle is that any program must create a process in order to run or to access files in the terminal, so monitoring can be carried out on the content of the process and identification on the specific operations of the process; the illegal behaviors of malicious software are then collected by a background terminal for big data analysis, and the malicious software is blocked. The security of the terminal device is thereby improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a schematic flow chart of the software security monitoring method based on big data according to the present invention;
FIG. 2 is a schematic flow chart of authorization detection according to the present invention;
FIG. 3 is a schematic flow chart of traffic detection according to the present invention;
FIG. 4 is a schematic structural diagram of the software security monitoring system based on big data according to the present invention;
FIG. 5 is a schematic structural diagram of an electronic device according to the present invention.
Reference numerals: 1. presetting module; 2. process reading module; 3. monitoring module; 4. authorization detection module; 5. behavior recording module; 6. big data processing module; 7. judging module; 8. processor; 9. memory; 10. data bus.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
In the description of the present application, it should be noted that the terms "upper", "lower", "inner", "outer", and the like indicate orientations or positional relationships based on orientations or positional relationships shown in the drawings or orientations or positional relationships conventionally found in use of products of the application, and are used only for convenience in describing the present application and for simplification of description, but do not indicate or imply that the referred devices or elements must have a specific orientation, be constructed in a specific orientation, and be operated, and thus should not be construed as limiting the present application.
In the description of the present application, it is also to be noted that, unless otherwise explicitly specified or limited, the terms "disposed" and "connected" are to be interpreted broadly, e.g., as being either fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present application can be understood in a specific case by those of ordinary skill in the art.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the individual features of the embodiments can be combined with one another without conflict.
Example 1
Referring to fig. 1, for the problem that existing software illegally obtains information from terminals such as mobile phones and computers, this design places a process monitoring program in the operating system. The principle is that any program must create a process in order to run or to access files in the terminal, so monitoring can be performed on the content of the process and identification on the specific operations of the process; a background terminal then collects the illegal behaviors of malicious software for big data analysis and blocks the malicious software. The security of the terminal device is thereby improved.
S1: embedding a preset monitoring program in an operating system of the terminal, and setting the preset monitoring program to be self-started;
So that programs outside the system are monitored as close to real time as possible, the monitoring program is started automatically when the operating system starts.
S2: a preset monitoring program reads process information to obtain a process list;
Process activity changes continuously, so the process list is read directly, and the creation of new processes and the termination of existing ones are observed in the process list.
S3: monitoring the process list by a preset monitoring program to obtain an object of software process operation; if the software obtains the object data more than or equal to the first preset data within the first preset time, judging the software as risk software; otherwise, continuing monitoring;
While a process is monitored, what is chiefly watched is which objects the process accesses or operates on; the objects include the user's pictures, location and other personal information. For the initial determination, software that obtains 40 MB or more (the first preset amount) of object data within 5 minutes (the first preset time) is judged to be risk software. The reason is that in most cases the user has not issued any command such as an upload, whereas software that collects data illegally must upload it and therefore acquires it as quickly as possible; such software is provisionally marked as risk software.
S4: detecting whether software access or an operation object is authorized, and if the software is not authorized by a terminal, judging the software to be malicious software;
Objects such as personal photo albums and call records require authorization to access. If software accesses such an object directly without authorization, it can be judged to be stealing information, and it is therefore judged to be malicious software.
S5: creating a software behavior file, and storing a digital signature of an operation object corresponding to any software into the software behavior file; simultaneously marking risk software and malicious software; simultaneously displaying prompt information of the risk software and the malicious software on a terminal home page interface;
To avoid misjudging software from its behavior on a single terminal, the behavior is recorded and uploaded to the background terminal for further identification.
S6: uploading the software behavior files to a background terminal through a terminal, presetting a privacy object in the background terminal, continuously receiving the software behavior files of a plurality of terminals by the background terminal, and analyzing all the software behavior files;
Monitoring on one terminal reflects only an individual case. To avoid misjudging the nature of the software, big data processing is used: the software behavior files uploaded by all terminals on which the monitoring program is installed are analyzed together, and the illegal software is determined from them.
S7: if, according to the software behavior files, the frequency with which any software accesses or operates on a privacy object within a second preset time exceeds a preset frequency, judging that software to be malicious software; blocking the malicious software, prohibiting the operating system from installing it, reporting it to an administrator, and tracking the risk software in real time.
A privacy object is an extremely sensitive information source such as the user's location, address book or recordings. When software accesses or operates on a privacy object more than once per second (the preset frequency) over a period of 1 hour, it exceeds the rate at which data is normally read and accessed, and the software is judged to be malicious software.
Referring to fig. 2, in some embodiments of the invention, the step of detecting whether the software access or the operation object is authorized comprises:
S401: acquiring the terminal's authorization list;
Checking each authorization individually slows the program down and delays the monitoring of other software, so the authorization list is obtained as a whole and used to screen the authorization of all third-party software.
S402: screening out the software's authorized permissions from the authorization list;
After the authorization list is obtained, the software to be checked is located in it and its permissions are read directly.
S403: if the authorized permissions do not include the object, judging that authorization has not been obtained; otherwise, judging that authorization has been obtained.
The object is compared with the range of authorized permissions to determine whether the access is authorized.
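The following Python example, added here and not part of the patent, implements the terminal-side decisions of S3 to S5 (including the authorization check of S401 to S403) and the background-terminal aggregation of S6 and S7, with the behavior file compressed before upload as in the compression embodiment. The access-event format, the category names of privacy objects, the use of a SHA-256 digest in place of the "digital signature" of the operated object, and the multi-terminal scenario in the comments are assumptions; the thresholds are the 40 MB within 5 minutes and more than 1 access per second over 1 hour given in the description.

```python
import gzip
import hashlib
import json
from collections import defaultdict, deque

# Thresholds taken from the description: 40 MB of object data within
# 5 minutes marks risk software; more than one access per second to a
# privacy object sustained over 1 hour marks malicious software.
FIRST_PRESET_DATA = 40 * 1024 * 1024
FIRST_PRESET_TIME = 5 * 60
SECOND_PRESET_TIME = 60 * 60
PRESET_FREQUENCY = 1.0  # accesses per second

# Privacy objects preset in the background terminal (category names assumed).
PRIVACY_OBJECTS = {"location", "contacts", "recording"}


class TerminalMonitor:
    """Terminal-side monitoring program (S3-S5).

    authorization_list maps each piece of software to the set of object
    categories the terminal granted it (S401-S403)."""

    def __init__(self, terminal_id, authorization_list):
        self.terminal_id = terminal_id
        self.authorization_list = authorization_list
        self.windows = defaultdict(deque)  # software -> (ts, nbytes) inside the window
        self.totals = defaultdict(int)     # software -> bytes inside the window
        self.labels = {}                   # software -> "risk" or "malicious"
        self.behavior_file = []            # records uploaded in S6

    def is_authorized(self, software, category):
        # S403: authorized only if the object falls inside the granted permissions.
        return category in self.authorization_list.get(software, set())

    def _bytes_in_window(self, software, ts, nbytes):
        win = self.windows[software]
        win.append((ts, nbytes))
        self.totals[software] += nbytes
        while ts - win[0][0] >= FIRST_PRESET_TIME:  # drop events older than 5 min
            self.totals[software] -= win.popleft()[1]
        return self.totals[software]

    def observe(self, ts, software, obj, category, nbytes):
        """Consume one access event; return the verdict reached on this event, if any."""
        verdict = None
        if self._bytes_in_window(software, ts, nbytes) >= FIRST_PRESET_DATA:
            verdict = "risk"                                   # S3
        authorized = self.is_authorized(software, category)
        if not authorized:
            verdict = "malicious"                              # S4
        if verdict and self.labels.get(software) != "malicious":
            self.labels[software] = verdict                    # S5: mark the software
        self.behavior_file.append({                            # S5: behavior file record
            "terminal": self.terminal_id, "ts": ts, "software": software,
            "category": category, "authorized": authorized,
            # digest stands in for the "digital signature" of the operated object
            "object_signature": hashlib.sha256(obj.encode()).hexdigest(),
        })
        return verdict

    def export(self):
        """Compressed behavior file ready for upload to the background terminal."""
        return gzip.compress(json.dumps(self.behavior_file).encode())


class BackgroundTerminal:
    """Background terminal: aggregates behavior files from many terminals (S6, S7)."""

    def __init__(self):
        self.privacy_accesses = defaultdict(list)  # software -> timestamps, all terminals
        self.blocked = set()

    def ingest(self, payload):
        for rec in json.loads(gzip.decompress(payload)):
            if rec["category"] in PRIVACY_OBJECTS:
                self.privacy_accesses[rec["software"]].append(rec["ts"])

    def analyze(self):
        """S7: more than PRESET_FREQUENCY accesses/s inside any SECOND_PRESET_TIME window."""
        limit = PRESET_FREQUENCY * SECOND_PRESET_TIME
        verdicts = {}
        for software, stamps in self.privacy_accesses.items():
            stamps.sort()
            lo = 0
            for hi, ts in enumerate(stamps):
                while ts - stamps[lo] > SECOND_PRESET_TIME:
                    lo += 1
                if hi - lo + 1 > limit:
                    verdicts[software] = "malicious"
                    self.blocked.add(software)  # shield it and refuse installation
                    break
        return verdicts

    def install_allowed(self, software):
        return software not in self.blocked
```

The point of the second class is the one made in S6: two terminals that each see a weather app read the location 2000 times in 2000 seconds stay below the hourly limit on their own, but the background terminal, which counts the accesses from both behavior files together, crosses it and blocks the software on every terminal.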
Referring to fig. 3, in some embodiments of the invention, if the software is not authorized by the terminal, the step of determining that the software is malicious software includes:
S411: the preset monitoring program acquires the networking data of every piece of software in the operating system to generate a traffic data list;
Many programs waste the user's traffic by downloading other software or refreshing advertisements without permission, so the networking data of the software is monitored.
S412: a white list is preset, the user selects white-list software through a pop-up window, and the monitoring program monitors the traffic of all non-white-list software;
Given the particular needs of some users, a white list can be set to avoid misjudgment.
S413: if the traffic used by any non-white-list software within the preset time exceeds the preset quantity, a traffic usage report for that non-white-list software is displayed on the terminal's home page interface.
A usage report is generated to inform the user and warn of the traffic-usage risk.
Referring to fig. 3, in some embodiments of the present invention, the step of displaying the non-white list software traffic usage report on the terminal home page interface includes:
S414: if the traffic used by any non-white-list software within the preset time exceeds the preset quantity and the software then requests installation through a pop-up window, its traffic use is judged to be illegal;
Software that is downloaded without permission and then asks the user to install it belongs to software whose download was not allowed, so its traffic use is judged to be illegal.
S415: if the traffic used by any non-white-list software within the preset time exceeds the preset quantity and the software is installed directly in the background without authorization, that non-white-list software is judged to be malicious software.
Software that is downloaded without permission and bypasses authorized installation entirely poses a serious security risk and is judged to be malicious software.
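The traffic-detection flow S411 to S415 as an added Python example (not code from the patent). The description gives no numeric values for this branch, so the 50 MB threshold, the 10 minute window, the sample flow records and the two install-channel labels ("popup_request" for software that asks the user to install what it downloaded, "background_direct" for software installed in the background without authorization) are all assumptions.

```python
from collections import defaultdict

MB = 1024 * 1024
PRESET_QUANTITY = 50 * MB   # assumed traffic threshold
PRESET_TIME = 10 * 60       # assumed window, in seconds

# Constructed sample of per-software networking data: (ts in seconds, software, bytes).
SAMPLE_FLOWS = [
    (0, "browser", 20 * MB), (60, "browser", 30 * MB), (120, "browser", 30 * MB),
    (0, "game", 30 * MB), (100, "game", 25 * MB),
    (0, "cleaner", 30 * MB), (200, "cleaner", 25 * MB),
    (0, "reader", 30 * MB), (700, "reader", 30 * MB),
    (30, "sync", 60 * MB),
    (0, "notes", 5 * MB),
]
WHITELIST = {"browser"}  # chosen by the user through the pop-up window (S412)
# How each program's download was installed, as observed by the monitor (assumed labels).
SAMPLE_INSTALLS = {"game": "popup_request", "cleaner": "background_direct"}


def traffic_data_list(flow_records):
    """S411: networking data per piece of software, as a time-ordered list."""
    by_software = defaultdict(list)
    for ts, software, nbytes in flow_records:
        by_software[software].append((ts, nbytes))
    for samples in by_software.values():
        samples.sort()
    return by_software


def exceeds_quantity(samples):
    """True if the traffic inside any PRESET_TIME-long window exceeds PRESET_QUANTITY."""
    lo, total = 0, 0
    for hi, (ts, nbytes) in enumerate(samples):
        total += nbytes
        while ts - samples[lo][0] >= PRESET_TIME:  # slide out samples older than the window
            total -= samples[lo][1]
            lo += 1
        if total > PRESET_QUANTITY:
            return True
    return False


def traffic_usage_report(flow_records, whitelist):
    """S412/S413: non-white-list software whose traffic exceeded the threshold."""
    return sorted(sw for sw, samples in traffic_data_list(flow_records).items()
                  if sw not in whitelist and exceeds_quantity(samples))


def classify(flow_records, whitelist, install_events):
    """S414/S415: grade reported software by how the downloaded payload was installed."""
    verdicts = {}
    for sw in traffic_usage_report(flow_records, whitelist):
        channel = install_events.get(sw)
        if channel == "background_direct":    # bypassed authorized installation
            verdicts[sw] = "malicious"
        elif channel == "popup_request":      # asked the user to install its download
            verdicts[sw] = "illegal traffic use"
        else:
            verdicts[sw] = "traffic warning"  # reported on the home page only
    return verdicts
```

Note that "reader" moves 60 MB in total but never more than 30 MB inside one 10 minute window, so it is not reported, while the white list removes "browser" from the report even though its traffic alone would exceed the threshold.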
In some embodiments of the present invention, the step of monitoring the process list by the preset monitor program and obtaining the object of the software process operation includes:
When any software on the operating system creates a process and is allocated an address space, the new process appears in the process list; the preset monitoring program tracks the address space of the new process and reads the process space to obtain the objects operated on by the software process. Any newly created process must be allocated an address space in order to run, so its process space can be read.
In some embodiments of the invention, the step of tracking the risk software in real time comprises: whenever a software behavior file is received, the software that requires real-time tracking is compared first, data reports are generated from that software's data on the different terminals, and the data reports are sent to the administrators.
In some embodiments of the present invention, the step of uploading the software behavior file to the background terminal through the terminal includes: compressing the software behavior file and uploading it from the terminal to the background terminal.
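An added Python example, not the patent's code, of the process-list reading of S2 and the address-space tracking above: it takes two snapshots of the process list to find created and ended processes, then reads a process's mapped files and open file descriptors to recover the objects it operates on. A Linux-style /proc filesystem is assumed, the sample maps text is constructed in the real /proc format, and the list of user-data roots is an assumption; reading another user's process this way requires the monitoring program to run with sufficient privilege.

```python
import os
import re

# One line of /proc/<pid>/maps: address range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample of a maps file (not captured from a device).
SAMPLE_MAPS = """\
55d2c1e00000-55d2c1e22000 r--p 00000000 08:01 1311770                    /usr/bin/photoapp
55d2c1e22000-55d2c1eb4000 r-xp 00022000 08:01 1311770                    /usr/bin/photoapp
7f3a6c000000-7f3a6c021000 rw-p 00000000 00:00 0
7f3a6c4d2000-7f3a6c4f8000 r--p 00000000 08:01 2621443                    /usr/lib/libc.so.6
7f3a6c800000-7f3a6e800000 rw-s 00000000 08:01 9437185                    /home/user/Pictures/holiday.jpg
7ffd3b2a1000-7ffd3b2c2000 rw-p 00000000 00:00 0                          [stack]
7ffd3b2fa000-7ffd3b2fc000 r-xp 00000000 00:00 0                          [vdso]
"""

# Roots under which user data lives on the assumed platform.
USER_DATA_ROOTS = ("/home", "/sdcard", "/storage", "/data/media")


def snapshot_process_list(proc_root="/proc"):
    """S2: read the process list as {pid: command name} from /proc."""
    procs = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_root, entry, "comm")) as f:
                    procs[int(entry)] = f.read().strip()
            except OSError:
                pass  # the process ended between listdir() and open()
    return procs


def process_list_changes(previous, current):
    """Processes created and processes ended between two snapshots."""
    created = {pid: current[pid] for pid in current.keys() - previous.keys()}
    ended = {pid: previous[pid] for pid in previous.keys() - current.keys()}
    return created, ended


def objects_from_maps(maps_text):
    """Objects mapped into a process's address space: {path: set of perms}.
    Anonymous mappings and pseudo-paths such as [stack] are not files the program opened."""
    objects = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip().replace(" (deleted)", "")
        if not path or path.startswith("["):
            continue
        objects.setdefault(path, set()).add(m.group("perms"))
    return objects


def user_data_objects(objects):
    """The subset of mapped objects that is user data rather than the program's own code."""
    return sorted(p for p in objects if p.startswith(USER_DATA_ROOTS))


def objects_of_process(pid, proc_root="/proc"):
    """S3: track a new process's address space and open file table."""
    base = os.path.join(proc_root, str(pid))
    objects = {}
    try:
        with open(os.path.join(base, "maps")) as f:
            objects = objects_from_maps(f.read())
        fd_dir = os.path.join(base, "fd")
        for fd in os.listdir(fd_dir):
            target = os.readlink(os.path.join(fd_dir, fd))
            if target.startswith("/"):  # skip socket:[...], pipe:[...], anon_inode:...
                objects.setdefault(target, set()).add("fd")
    except OSError:
        pass  # process ended, or not readable without privilege
    return objects
```

A mapped file gives only the objects the process has in its address space at that instant; files read with ordinary read() calls appear only in the fd table while open, which is why the monitor has to poll both and why the description has it track the process from creation.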
Example 2
Referring to fig. 4, the software security monitoring system based on big data provided by the present invention includes: a presetting module 1, used to embed a preset monitoring program in the operating system of a terminal and set it to start automatically; a process reading module 2, used by the preset monitoring program to read process information and obtain a process list; a monitoring module 3, used by the preset monitoring program to monitor the process list and obtain the objects operated on by software processes, judging software that obtains object data of at least a first preset amount within a first preset time to be risk software and otherwise continuing to monitor; an authorization detection module 4, used to detect whether software access to or operation on an object is authorized and to judge software that has not been authorized by the terminal to be malicious software; a behavior recording module 5, used to create a software behavior file, store in it the digital signature of each object operated on by any software, mark risk software and malicious software, and display prompt information about them on the terminal home page interface; a big data processing module 6, which uploads the software behavior files from the terminal to a background terminal in which privacy objects are preset, the background terminal continuously receiving software behavior files from a plurality of terminals and analyzing all of them; and a judging module 7, used to judge any software whose frequency of accessing or operating on a privacy object within a second preset time, according to the software behavior files, exceeds a preset frequency to be malicious software, to block the malicious software, prohibit the operating system from installing it, report it to an administrator, and track the risk software in real time.
Example 3
Referring to fig. 5, an electronic device according to the present invention includes at least one processor 8, at least one memory 9, and a data bus 10; wherein: the processor 8 and the memory 9 are communicated with each other through a data bus 10; the memory 9 stores program instructions executable by the processor 8, and the processor 8 calls the program instructions to execute a big data based software security monitoring method. For example, the following steps are realized:
embedding a preset monitoring program in the operating system of the terminal and setting it to start automatically; the preset monitoring program reads process information to obtain a process list; the preset monitoring program monitors the process list to obtain the objects operated on by software processes; if a piece of software obtains object data of at least a first preset amount within a first preset time, it is judged to be risk software, otherwise monitoring continues; detecting whether the software's access to or operation on an object is authorized, and if the software has not been authorized by the terminal, judging it to be malicious software; creating a software behavior file and storing in it the digital signature of each object operated on by any software, marking risk software and malicious software, and displaying prompt information about the risk software and malicious software on the terminal home page interface; uploading the software behavior file from the terminal to a background terminal in which privacy objects are preset, the background terminal continuously receiving software behavior files from a plurality of terminals and analyzing all of them; if, according to the software behavior files, the frequency with which any software accesses or operates on a privacy object within a second preset time exceeds a preset frequency, judging that software to be malicious software; and blocking the malicious software, prohibiting the operating system from installing it, reporting it to an administrator, and tracking the risk software in real time.
Example 4
The present invention provides a computer-readable storage medium on which a computer program is stored which, when executed by the processor 8, implements the big data based software security monitoring method. For example, the following steps are realized:
embedding a preset monitoring program in the operating system of the terminal, and setting the preset monitoring program to be self-started; the preset monitoring program reads process information to obtain a process list; the preset monitoring program monitors the process list to obtain the object operated on by the software process; if the software obtains an amount of object data greater than or equal to first preset data within a first preset time, judging the software to be risk software; otherwise, continuing monitoring; detecting whether the object accessed or operated on by the software is authorized, and if the software is not authorized by the terminal, judging the software to be malicious software; creating a software behavior file, and storing a digital signature of the operation object corresponding to any software into the software behavior file; simultaneously marking the risk software and the malicious software; simultaneously displaying prompt information for the risk software and the malicious software on the terminal home page interface; uploading the software behavior file to a background terminal through the terminal, presetting a privacy object in the background terminal, the background terminal continuously receiving the software behavior files of a plurality of terminals and analyzing all the software behavior files; if, within a second preset time, the frequency with which any software in the software behavior files accesses or operates on the privacy object exceeds a preset frequency, judging the software to be malicious software; and shielding the malicious software, prohibiting the operating system from installing the malicious software, reporting the malicious software to a manager, and tracking the risk software in real time.
The memory 9 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and the like.
The processor 8 may be an integrated circuit chip having signal processing capabilities. The processor 8 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and various other media capable of storing program code.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (10)

1. A big data software-based security monitoring method, characterized by comprising the following steps:
embedding a preset monitoring program in an operating system of a terminal, and setting the preset monitoring program to be self-started;
the preset monitoring program reads process information to obtain a process list;
the preset monitoring program monitors the process list to obtain the object operated on by the software process; if the software obtains an amount of object data greater than or equal to first preset data within a first preset time, judging the software to be risk software; otherwise, continuing monitoring;
detecting whether the object accessed or operated on by the software is authorized, and if the software is not authorized by the terminal, judging the software to be malicious software;
creating a software behavior file, and storing a digital signature of the operation object corresponding to any software into the software behavior file; simultaneously marking the risk software and the malicious software; simultaneously displaying prompt information for the risk software and the malicious software on a terminal home page interface;
uploading the software behavior file to a background terminal through the terminal, presetting a privacy object in the background terminal, the background terminal continuously receiving the software behavior files of a plurality of terminals and analyzing all the software behavior files;
if, within a second preset time, the frequency with which any software in the software behavior files accesses or operates on the privacy object exceeds a preset frequency, judging the software to be malicious software; and shielding the malicious software, prohibiting the operating system from installing the malicious software, reporting the malicious software to a manager, and tracking the risk software in real time.
2. The big data software-based security monitoring method as claimed in claim 1, wherein the step of detecting whether the object accessed or operated on by the software is authorized comprises:
acquiring the authorization list of the terminal;
screening out the authorization permissions of the software according to the authorization list;
if the authorization permissions include the object, determining that authorization is not obtained; otherwise, determining that authorization is obtained.
3. The big data software-based security monitoring method as claimed in claim 1, wherein, if the software is not authorized by the terminal, the step of judging the software to be malicious software comprises:
the preset monitoring program acquiring the networking data of any software in the operating system and generating a traffic data list;
presetting a white list, the user selecting white-list software through a pop-up window, and the monitoring program monitoring the traffic of any non-white-list software;
and if the traffic of any non-white-list software exceeds a preset quantity within a preset time, displaying a traffic usage report for the non-white-list software on the terminal home page interface.
4. The big data software-based security monitoring method as claimed in claim 3, wherein the step of displaying the traffic usage report for the non-white-list software on the terminal home page interface comprises:
if the traffic used by any non-white-list software exceeds the preset quantity within the preset time and installation was requested through a pop-up window, determining that the traffic is being used illegitimately;
and if the traffic used by any non-white-list software exceeds the preset quantity within the preset time and the non-white-list software was installed directly in the background without authorization, judging the non-white-list software to be malicious software.
5. The big data software-based security monitoring method as claimed in claim 1, wherein the preset monitoring program monitors the process list, and the step of obtaining the object operated on by the software process comprises:
when any software on the operating system creates a process and allocates an address space, the newly added process is displayed in the process list, and the preset monitoring program tracks the address space of the newly added process and reads the process space to obtain the object operated on by the software process.
6. The big data software-based security monitoring method as claimed in claim 1, wherein the step of tracking the risk software in real time comprises:
when any software behavior file is received, preferentially comparing the software that needs to be tracked in real time, generating a data report from the data of that software at the different terminals, and reporting the data report to a manager.
7. The big data software-based security monitoring method as claimed in claim 1, wherein the step of uploading the software behavior file to the background terminal through the terminal comprises: compressing the software behavior file, and uploading the software behavior file to the background terminal through the terminal.
8. A big data software-based security monitoring system, characterized by comprising:
a presetting module, a control module and a display module, wherein the presetting module is used for embedding a preset monitoring program in the operating system of the terminal and setting the preset monitoring program to be self-started;
a process reading module, used for the preset monitoring program to read process information to obtain a process list;
a monitoring module, used for the preset monitoring program to monitor the process list to obtain the object operated on by the software process; if the software obtains an amount of object data greater than or equal to first preset data within a first preset time, judging the software to be risk software; otherwise, continuing monitoring;
an authorization detection module, used for detecting whether the object accessed or operated on by the software is authorized, and if the software is not authorized by the terminal, judging the software to be malicious software;
a behavior recording module, used for creating a software behavior file and storing a digital signature of the operation object corresponding to any software into the software behavior file; simultaneously marking the risk software and the malicious software; simultaneously displaying prompt information for the risk software and the malicious software on a terminal home page interface;
a big data processing module, which uploads the software behavior file to a background terminal through the terminal, a privacy object being preset in the background terminal, and the background terminal continuously receiving the software behavior files of a plurality of terminals and analyzing all the software behavior files;
a judging module, used for: if, within a second preset time, the frequency with which any software in the software behavior files accesses or operates on the privacy object exceeds a preset frequency, judging the software to be malicious software; and shielding the malicious software, prohibiting the operating system from installing the malicious software, reporting the malicious software to a manager, and tracking the risk software in real time.
9. An electronic device, comprising at least one processor, at least one memory and a data bus; wherein: the processor and the memory communicate with each other through the data bus; the memory stores program instructions executable by the processor, and the processor calls the program instructions to perform the method of any one of claims 1-7.
10. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the method according to any one of claims 1-7.
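The method of claims 1 to 10 above, as an added example that is not the patent's own code: a small Python detection engine implementing the terminal-side thresholds of claim 1 (first preset data within a first preset time, authorization check) and the backend rule that counts privacy-object accesses across many terminals' behavior files. Software names, object paths, thresholds and the SHA-256-of-path stand-in for the object's digital signature are assumptions, and the authorization check assumes that an object listed in the software's granted permissions counts as authorized.

```python
"""Added example (not the patent's own code): claim 1's terminal-side rules and backend
cross-terminal rule as a detection engine over constructed records. Names and thresholds
are assumptions; SHA-256 of the object path stands in for its digital signature."""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Access:
    terminal: str   # terminal that produced the record
    software: str   # software / process name
    obj: str        # object the software operated on (constructed path)
    nbytes: int     # amount of object data obtained
    ts: float       # seconds since epoch (constructed)

def window_peak(samples, window):
    """samples: (ts, weight) pairs. Largest summed weight inside any span of `window` seconds."""
    samples = sorted(samples)
    best = total = lo = 0
    for ts, w in samples:
        total += w
        while ts - samples[lo][0] > window:  # drop samples that fell out of the window
            total -= samples[lo][1]
            lo += 1
        best = max(best, total)
    return best

def classify_terminal(events, auth_list, first_preset_data, first_preset_time):
    """'risk' when >= first_preset_data bytes are obtained within first_preset_time; 'malicious'
    when an operated object is outside the software's authorization list (assumed reading)."""
    by_sw = defaultdict(list)
    for e in events:
        by_sw[e.software].append(e)
    verdicts, behavior_file = {}, []
    for sw, evs in by_sw.items():
        label = "clean"
        if window_peak([(e.ts, e.nbytes) for e in evs], first_preset_time) >= first_preset_data:
            label = "risk"
        if any(e.obj not in auth_list.get(sw, set()) for e in evs):
            label = "malicious"  # unauthorized object access outranks the risk label
        verdicts[sw] = label
        behavior_file += [(e.terminal, sw, e.obj, hashlib.sha256(e.obj.encode()).hexdigest(),
                           e.ts) for e in evs]  # software behavior file; signature stand-in
    return verdicts, behavior_file

def classify_backend(behavior_files, privacy_objects, second_preset_time, preset_freq):
    """'malicious' when one software touches a preset privacy object more than
    preset_freq times within second_preset_time, counted across all terminals."""
    hits = defaultdict(list)
    for bf in behavior_files:
        for _terminal, sw, obj, _sig, ts in bf:
            if obj in privacy_objects:
                hits[sw].append((ts, 1))
    return {sw: "malicious" if window_peak(h, second_preset_time) > preset_freq else "clean"
            for sw, h in hits.items()}

# Constructed sample records from two terminals (not real telemetry).
AUTH = {"notes": {"/home/u/notes.txt"}, "sync": {"/home/u/docs"}, "game": set()}
T1 = [Access("t1", "notes", "/home/u/notes.txt", 2_000, 0.0),
      Access("t1", "sync", "/home/u/docs", 60_000, 1.0),
      Access("t1", "sync", "/home/u/docs", 50_000, 5.0),
      Access("t1", "game", "/home/u/contacts.db", 100, 9.0)]
T2 = [Access("t2", "game", "/home/u/contacts.db", 100, float(t)) for t in (1, 2, 3)]
```

With the thresholds 100,000 bytes in 10 s on the terminal and more than 3 privacy-object touches in 60 s at the backend, "sync" is flagged as risk software on terminal t1, "game" is malicious on both terminals, and the backend confirms "game" only once the two terminals' files are combined.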
CN202210039026.1A 2022-01-13 2022-01-13 Big data software-based security monitoring method, system, device and medium Withdrawn CN114386030A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210039026.1A CN114386030A (en) 2022-01-13 2022-01-13 Big data software-based security monitoring method, system, device and medium

Publications (1)

Publication Number Publication Date
CN114386030A true CN114386030A (en) 2022-04-22

Family

ID=81201481

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210039026.1A Withdrawn CN114386030A (en) 2022-01-13 2022-01-13 Big data software-based security monitoring method, system, device and medium

Country Status (1)

Country Link
CN (1) CN114386030A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174222A (en) * 2022-07-06 2022-10-11 北京神州安付科技股份有限公司 Information security protection method and system based on mobile device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220422