CN114912111A - Cloud host virus detection method, device and system - Google Patents


Info

Publication number
CN114912111A
Authority
CN
China
Prior art keywords
cloud host
cloud
virus
process number
virus detection
Prior art date
Legal status
Pending
Application number
CN202210360973.0A
Other languages
Chinese (zh)
Inventor
刘桂霞
Current Assignee
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd
Application filed by Jingdong Technology Information Technology Co Ltd
Priority to CN202210360973.0A
Publication of CN114912111A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures

Abstract

The invention discloses a cloud host virus detection method, device and system, and relates to the technical field of computers. In one embodiment the method comprises: receiving cloud host process numbers collected and sent by one or more cloud hosts; judging, for each process number in turn, whether the process file information corresponding to it is being detected for the first time; if so, determining the cloud host number corresponding to the process number, generating a process file information acquisition task, receiving the process file information returned by that cloud host, extracting the process file features from it, matching those features against the virus features in a virus database, and determining the cloud host virus detection result from the matching result; if not, taking the result of the last detection for that process number as the cloud host virus detection result. The embodiment improves cloud host virus detection efficiency, reduces the load risk on the cloud hosts, widens the scenarios in which the virus detection method applies, and improves the user experience.

Description

Cloud host virus detection method, device and system
Technical Field
The invention relates to the technical field of computers, in particular to a cloud host virus detection method, device and system.
Background
A cloud host is a computing machine for high-speed computation: it performs numerical and logical computation and also provides storage and memory. Cloud hosts must be scanned for viruses; processes judged to be viruses are killed or their virus files removed, and virus processes that have already started are removed together with their associated artifacts.
The prior art has at least the following problems:
existing methods, when applied to cloud host virus detection, and especially when a large number of cloud hosts in a cloud platform are scanned at the same time, have low detection efficiency, increase the load risk on the cloud hosts, interfere with the cloud hosts' own services, display detection results slowly, apply only to a narrow range of scenarios, and give a poor user experience.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, and a system for detecting a cloud host virus, which can simultaneously detect a large number of cloud hosts, improve the cloud host virus detection efficiency, reduce the load risk of the cloud hosts, effectively ensure the operation of the services of the cloud hosts themselves, and simultaneously visually display the virus detection results, thereby expanding the application scenarios of the virus detection method and improving the user experience.
To achieve the above object, according to an aspect of the embodiments of the present invention, a cloud host virus detection method is provided, which is applied to a cloud, and includes:
receiving cloud host process numbers collected and sent by one or more cloud hosts; the cloud host process number is acquired by the cloud host according to a cloud host process number acquisition task, and the cloud host process number acquisition task is generated by the user side based on a cloud host virus detection request;
sequentially judging whether process file information corresponding to the process number of the cloud host is detected for the first time or not;
if yes, determining a cloud host number corresponding to the cloud host process number, generating and sending a process file information acquisition task to the cloud host corresponding to the cloud host number so as to receive process file information returned by the cloud host, extracting process file characteristics of the process file information, matching the process file characteristics with virus characteristics in a virus database, and determining a cloud host virus detection result according to a matching result; and if not, taking the result corresponding to the last detection of the cloud host process number as the cloud host virus detection result.
Further, the step of receiving the cloud host process numbers collected and sent by one or more cloud hosts includes:
and receiving the cloud host process number which is acquired by one or more cloud hosts according to the cloud host process number acquisition task and is sent by the storage system.
Further, determining a cloud host virus detection result according to the matching result, including:
comparing the matching degrees corresponding to the process file characteristics in the matching result and a plurality of virus characteristics in the virus database with a matching degree threshold respectively;
and if the matching degree exceeds the threshold value of the matching degree, determining that the corresponding process file is a virus file.
Further, the method further includes:
determining a virus file type, a target cloud host process number corresponding to the virus file type and a target cloud host comprising the target cloud host process number;
and performing visual display according to the target cloud host, the process number of the target cloud host and the virus file type.
Furthermore, the acquisition period is indicated in the acquisition task of the cloud host process number; the step of receiving the cloud host process numbers collected and sent by one or more cloud hosts comprises the following steps:
and receiving the cloud host process numbers which are regularly acquired and sent by one or more cloud hosts according to the acquisition period.
According to another aspect of the embodiments of the present invention, there is provided a cloud host virus detection apparatus, disposed in a cloud, including:
the process number receiving module is used for receiving the cloud host process numbers acquired and sent by one or more cloud hosts; the cloud host process number is acquired by the cloud host according to a cloud host process number acquisition task, and the cloud host process number acquisition task is generated by the user side based on a cloud host virus detection request;
the judging module is used for sequentially judging whether the process file information corresponding to the process number of the cloud host is detected for the first time;
the detection module is used for determining the cloud host number corresponding to the cloud host process number if the process file information corresponding to the cloud host process number is detected for the first time, generating and sending a process file information acquisition task to the cloud host corresponding to the cloud host number so as to receive the process file information returned by the cloud host, extracting the process file characteristics of the process file information, matching the process file characteristics with the virus characteristics in the virus database, and determining the cloud host virus detection result according to the matching result; and if the process file information corresponding to the cloud host process number is not detected for the first time, taking the result corresponding to the last detection of the cloud host process number as the cloud host virus detection result.
Further, the detection module is further configured to:
comparing the matching degrees corresponding to the process file characteristics in the matching result and a plurality of virus characteristics in the virus database with a matching degree threshold respectively;
and if the matching degree exceeds the threshold value of the matching degree, determining that the corresponding process file is a virus file.
According to another aspect of the embodiments of the present invention, there is provided a cloud host virus detection system, including a cloud end, a user end, and one or more cloud hosts, wherein,
the user side is used for generating a cloud host process number acquisition task based on the cloud host virus detection request and distributing the cloud host process number acquisition task to the cloud hosts;
the cloud host is used for receiving the cloud host process number acquisition task, acquiring the cloud host process number according to the cloud host process number acquisition task, and sending the cloud host process number to the cloud end;
the cloud end is used for receiving the process number of the cloud host; sequentially judging whether process file information corresponding to the process number of the cloud host is detected for the first time; if yes, determining a cloud host number corresponding to the cloud host process number, generating and sending a process file information acquisition task to the cloud host corresponding to the cloud host number so as to receive process file information returned by the cloud host, extracting process file characteristics of the process file information, matching the process file characteristics with virus characteristics in a virus database, and determining a cloud host virus detection result according to a matching result; if not, taking the result corresponding to the last detection of the cloud host process number as the cloud host virus detection result.
According to another aspect of the embodiments of the present invention, there is provided an electronic device for cloud host virus detection, including:
one or more processors;
a storage device for storing one or more programs,
when executed by one or more processors, cause the one or more processors to implement any of the cloud host virus detection methods described above.
According to another aspect of the embodiments of the present invention, there is provided a computer readable medium, on which a computer program is stored, which when executed by a processor, implements any one of the cloud host virus detection methods described above.
One embodiment of the above invention has the following advantages or benefits. The technical means adopted are: receiving cloud host process numbers collected and sent by one or more cloud hosts, where each process number is collected by the cloud host according to a cloud host process number acquisition task generated by the user side from a cloud host virus detection request; judging in turn whether the process file information corresponding to each process number is being detected for the first time; if so, determining the corresponding cloud host number, generating and sending a process file information acquisition task to that cloud host, receiving the returned process file information, extracting its process file features, matching them against the virus features in a virus database and determining the detection result from the matching result; and if not, taking the result of the last detection for that process number as the detection result. This solves the technical problems of existing methods, namely low detection efficiency, high load risk on the cloud hosts, a narrow range of applicable scenarios and a poor user experience when a large number of cloud hosts in a cloud platform are scanned simultaneously, so that virus detection can be performed on a large number of cloud hosts at the same time, detection efficiency is improved, the load risk on the cloud hosts is reduced, the cloud hosts' own services are effectively protected, the detection results can be displayed visually, the applicable scenarios of the method are widened, and the user experience is improved.
Further effects of the above non-conventional alternatives are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
fig. 1 is a schematic diagram of a main flow of a cloud host virus detection method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a main flow of a cloud host virus detection method according to another embodiment of the present invention;
fig. 3 is a schematic diagram of main modules of a cloud host virus detection apparatus provided according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the main modules of a cloud host virus detection system provided in accordance with an embodiment of the present invention;
FIG. 5 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
fig. 6 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram of a main flow of a cloud host virus detection method according to an embodiment of the present invention; as shown in fig. 1, the cloud host virus detection method provided in the embodiment of the present invention is applied to a cloud, and mainly includes:
step S101, receiving cloud host process numbers collected and sent by one or more cloud hosts; the cloud host process number is acquired by the cloud host according to a cloud host process number acquisition task, and the cloud host process number acquisition task is generated by the user side based on the cloud host virus detection request.
Specifically, according to the embodiment of the present invention, the cloud host process number may be the name of a process running on the cloud host, the MD5 value of its process file (MD5, the Message-Digest Algorithm 5, is a widely used hash function that produces a 128-bit (16-byte) digest and is commonly used to check that a transferred file is complete and unchanged), or the like: a value that serves as a unique identifier of a process running on the cloud host. Because the same process yields the same cloud host process number, it can subsequently be judged whether the process file information for a given process number is being detected for the first time; the process file information for a given process number is then acquired once and detected once, which markedly improves the efficiency of virus detection across a large number of cloud hosts.
Further, according to an embodiment of the present invention, the step of receiving the cloud host process numbers collected and sent by one or more cloud hosts includes:
and receiving the cloud host process number which is acquired by one or more cloud hosts according to the cloud host process number acquisition task and is sent by the storage system.
In a real deployment a large number of processes run on a cloud host at the same time, so the number of corresponding process numbers is large; the process numbers collected by the cloud host are therefore stored in a storage system, in particular a distributed storage system, which then sends the collected cloud host process numbers to the cloud end, further improving the efficiency of cloud host virus detection.
According to a preferred implementation of the embodiment of the invention, the one or more cloud host process numbers collected by a cloud host according to the cloud host process number acquisition task can be stored through Kafka (a distributed, partitioned, replicated, multi-subscriber log system coordinated by ZooKeeper) and uploaded from there to the cloud end.
Preferably, according to the embodiment of the present invention, the collection cycle is further indicated in the collection task of the cloud host process number; the step of receiving the cloud host process numbers collected and sent by one or more cloud hosts includes:
and receiving the cloud host process numbers which are regularly acquired and sent by one or more cloud hosts according to the acquisition period.
For example, an acquisition period may be set in the acquisition task of the process number of the cloud host generated by the user side, for example, a process code corresponding to a currently running process on the cloud host is acquired every five minutes.
And S102, sequentially judging whether the process file information corresponding to the process number of the cloud host is detected for the first time.
Because the same process yields the same cloud host process number, judging whether the process file information for a process number is being detected for the first time means that the process file information for a given process number is acquired once and detected once. This avoids the same process file being acquired and detected repeatedly because it runs on many cloud hosts, improves the efficiency of virus detection across a large number of cloud hosts, reduces the load risk on the cloud hosts, and effectively protects the cloud hosts' own services.
Step S103, if yes, determining a cloud host number corresponding to the cloud host process number, generating and sending a process file information acquisition task to the cloud host corresponding to the cloud host number so as to receive process file information returned by the cloud host, extracting process file characteristics of the process file information, matching the process file characteristics with virus characteristics in a virus database, and determining a cloud host virus detection result according to a matching result; and if not, taking the result corresponding to the last detection of the cloud host process number as the cloud host virus detection result.
Specifically, according to the embodiment of the present invention, determining the cloud host virus detection result according to the matching result includes:
comparing the matching degrees corresponding to the process file characteristics in the matching result and a plurality of virus characteristics in the virus database with a matching degree threshold respectively;
and if the matching degree exceeds the threshold value of the matching degree, determining that the corresponding process file is a virus file.
The virus library is a set of all known virus characteristics, and after feature extraction is carried out on undetected process file information, feature matching is carried out in sequence according to the process file characteristics and all virus characteristics in the virus characteristic set, so that whether the process file is a virus file or not can be judged quickly.
Further, according to an embodiment of the present invention, the method further includes:
determining a virus file type, a target cloud host process number corresponding to the virus file type and a target cloud host comprising the target cloud host process number;
and performing visual display according to the target cloud host, the process number of the target cloud host and the virus file type.
According to the embodiment of the invention, the risk level of the virus file can be determined, and the risk level of the virus file is displayed in the visualization result.
According to the technical scheme of the embodiment of the invention, cloud host process numbers collected and sent by one or more cloud hosts are received, each collected by the cloud host according to a cloud host process number acquisition task that the user side generated from a cloud host virus detection request; it is judged in turn whether the process file information corresponding to each process number is being detected for the first time; if so, the corresponding cloud host number is determined, a process file information acquisition task is generated and sent to that cloud host, the returned process file information is received, its process file features are extracted and matched against the virus features in a virus database, and the detection result is determined from the matching result; if not, the result of the last detection for that process number is taken as the detection result. These technical means solve the problems of existing methods, namely low detection efficiency, high load risk on the cloud hosts, a narrow range of applicable scenarios and a poor user experience when a large number of cloud hosts in a cloud platform are scanned simultaneously; virus detection can therefore be performed on a large number of cloud hosts at the same time, detection efficiency is improved, the load risk on the cloud hosts is reduced, the cloud hosts' own services are effectively protected, the detection results can be displayed visually, the applicable scenarios of the method are widened, and the user experience is improved.
Fig. 2 is a schematic diagram of a main flow of a cloud host virus detection method according to another embodiment of the present invention; as shown in fig. 2, the cloud host virus detection method provided in the embodiment of the present invention is applied to a cloud host virus detection system, and mainly includes:
step S201, the user side generates a cloud host process number acquisition task based on the cloud host virus detection request, and distributes the cloud host process number acquisition task to the cloud host.
Further, according to the embodiment of the present invention, after the user side generates the cloud host process number acquisition task, the task may be stored, for example in Redis (a key-value storage system), and then distributed to the cloud hosts through a task scheduling center. The task scheduling center may be an independent component or a component within the user side.
Step S202, the cloud host receives the cloud host process number acquisition task, acquires the cloud host process number according to the cloud host process number acquisition task, and sends the cloud host process number to the cloud end.
Specifically, according to the embodiment of the invention, a large number of processes run on a cloud host at the same time, so the number of corresponding process numbers is large; the process numbers collected by the cloud host are therefore stored in a storage system, in particular a distributed storage system, which then sends the collected cloud host process numbers to the cloud end, further improving the efficiency of cloud host virus detection.
According to a preferred implementation of the embodiment of the invention, the one or more cloud host process numbers collected by a cloud host according to the cloud host process number acquisition task can be stored through Kafka (a distributed, partitioned, replicated, multi-subscriber log system coordinated by ZooKeeper) and uploaded from there to the cloud end.
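As an added example (not part of the patent and not the assignee's code), the host-side agent for steps S201 and S202 above: it collects the process numbers of the processes running on a cloud host according to the acquisition task, builds the report that is sent to the cloud end (through Kafka in the description), and answers the cloud end's later process file information acquisition task. It reads the process table in Linux /proc layout and builds a constructed proc tree so it runs offline. Function names, message fields and the choice of SHA-256 in place of the MD5 named in the description are assumptions; SHA-256 is used because MD5 collisions are practical, and a collision would let two different files share one process number and therefore one cached detection result. It also carries the check a practitioner would want on the description's alternative of using the process name as the process number: two processes with the same name can be backed by different files, so only a hash of the file can safely serve as the "first time detected" key.

```python
"""Host-side agent for steps S201/S202 (added example, not the patent's code).
Reads <proc_root>/<pid>/{comm,exe}, hashes each executable as its process number,
reports the numbers, and answers process file information acquisition tasks.
All names, fields and the SHA-256 process number are assumptions."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CollectionTask:
    task_id: str
    period_seconds: int = 300  # the description's example: collect every five minutes


@dataclass
class ProcessRecord:
    pid: int
    name: str
    exe_path: str
    process_number: str  # SHA-256 of the executable's bytes


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_process_numbers(proc_root: str = "/proc") -> List[ProcessRecord]:
    """Enumerate the process table and hash each executable. Processes whose exe
    cannot be read (exited, kernel threads, no permission) are skipped rather than
    reported under a name-only number: a name is chosen by whoever starts the
    process, so it does not identify a file."""
    records = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                name = f.read().strip()
            exe_path = os.readlink(os.path.join(pid_dir, "exe"))
            number = hash_file(exe_path)
        except OSError:
            continue
        records.append(ProcessRecord(int(entry), name, exe_path, number))
    return records


def build_report(host_id: str, task: CollectionTask, records: List[ProcessRecord]) -> dict:
    """Report sent to the cloud end; pids are grouped by process number so the
    cloud end sees each distinct file once per host."""
    processes: Dict[str, List[int]] = {}
    for r in records:
        processes.setdefault(r.process_number, []).append(r.pid)
    return {"host_id": host_id, "task_id": task.task_id,
            "collected_at": int(time.time()), "processes": processes}


def serve_file_info_task(number: str, records: List[ProcessRecord]) -> Optional[dict]:
    """Answer the cloud end's process file information acquisition task for one
    process number. The file is re-hashed before it is returned so a file replaced
    since collection is not delivered under the old process number."""
    for r in records:
        if r.process_number != number:
            continue
        try:
            with open(r.exe_path, "rb") as f:
                data = f.read()
        except OSError:
            return None
        if hashlib.sha256(data).hexdigest() != number:
            return None
        return {"process_number": number, "name": r.name, "path": r.exe_path,
                "size": len(data), "content": data}
    return None


def build_fake_proc(root: str, processes) -> str:
    """Constructed fixture: a /proc-like tree under <root>/proc whose exe links point
    at files under <root>/bin. processes: (pid, comm, exe_name or None, bytes)."""
    bin_dir, proc_dir = os.path.join(root, "bin"), os.path.join(root, "proc")
    os.makedirs(bin_dir, exist_ok=True)
    os.makedirs(proc_dir, exist_ok=True)
    for pid, comm, exe_name, content in processes:
        pid_dir = os.path.join(proc_dir, str(pid))
        os.makedirs(pid_dir, exist_ok=True)
        with open(os.path.join(pid_dir, "comm"), "w") as f:
            f.write(comm + "\n")
        if exe_name is not None:
            exe_path = os.path.join(bin_dir, exe_name)
            with open(exe_path, "wb") as f:
                f.write(content)
            os.symlink(exe_path, os.path.join(pid_dir, "exe"))
    return proc_dir


def make_demo_tree() -> str:
    """Two processes both named sshd but backed by different files, plus an entry
    with no exe (as a kernel thread would appear). Returns the root directory."""
    root = tempfile.mkdtemp(prefix="cloudhost-")
    build_fake_proc(root, [
        (101, "sshd", "sshd", b"\x7fELF constructed real sshd"),
        (202, "sshd", "miner", b"\x7fELF constructed miner payload"),
        (303, "kthreadd", None, b""),
    ])
    return root


if __name__ == "__main__":
    demo_root = make_demo_tree()
    recs = collect_process_numbers(os.path.join(demo_root, "proc"))
    print(build_report("host-1", CollectionTask("task-1"), recs))
```

On the demo tree the report contains two distinct process numbers even though both user processes are named sshd, which is the reason a name alone is not a usable key for the "detected for the first time" judgement at the cloud end.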
Step S203, the cloud receives the cloud host process number, and determines whether process file information corresponding to the cloud host process number is detected for the first time. If yes, go to step S204; if not, go to step S205.
Because the same process yields the same cloud host process number, judging whether the process file information for a process number is being detected for the first time means that the process file information for a given process number is acquired once and detected once. This avoids the same process file being acquired and detected repeatedly because it runs on many cloud hosts, improves the efficiency of virus detection across a large number of cloud hosts, reduces the load risk on the cloud hosts, and effectively protects the cloud hosts' own services.
Step S204, determining a cloud host number corresponding to the cloud host process number, generating and sending a process file information acquisition task to the cloud host corresponding to the cloud host number so as to receive process file information returned by the cloud host, extracting process file characteristics of the process file information, matching the process file characteristics with virus characteristics in a virus database, and determining a cloud host virus detection result according to a matching result.
Specifically, according to the embodiment of the present invention, determining the cloud host virus detection result according to the matching result includes:
comparing the matching degrees corresponding to the process file characteristics in the matching result and a plurality of virus characteristics in the virus database with a matching degree threshold respectively;
and if the matching degree exceeds the threshold value of the matching degree, determining that the corresponding process file is a virus file.
The virus library is a set of all known virus characteristics, and after feature extraction is carried out on the undetected process file information, feature matching is carried out in sequence according to the process file characteristics and all virus characteristics in the virus characteristic set, so that whether the process file is a virus file or not can be judged quickly.
And step S205, taking the result corresponding to the last detection of the cloud host process number as the cloud host virus detection result.
Step S206, determining the virus file type, the target cloud host process number corresponding to the virus file type and the target cloud host comprising the target cloud host process number; and performing visual display according to the target cloud host, the process number of the target cloud host and the virus file type.
According to the embodiment of the invention, the risk level of the virus file can be determined, and the risk level of the virus file is displayed in the visualization result.
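The cloud-end procedure of steps S101 to S103 (Fig. 1) and S203 to S206 (Fig. 2), as one added example that is not the patent's own code: the first-seen judgement on each process number, the process file information acquisition task sent back to the host, feature matching against a virus database with a matching-degree threshold, reuse of the last result for process numbers already detected, and the (host, process, virus type, risk level) rows that the visual display would consume. It adds two checks a practitioner would want on this design: the cache of last results is keyed by virus database version, so a clean verdict cached before a database update is not reused forever, and the file returned for an acquisition task is verified against the requested process number before it is scanned. The feature extractor (printable strings plus 4-byte n-grams), the Jaccard matching degree, the 0.6 threshold, the signature and the sample process files are constructed for illustration; every name is an assumption.

```python
"""Cloud end of steps S101-S103 (Fig. 1) / S203-S206 (Fig. 2): added example, not the patent's code.
Feature extractor, Jaccard matching degree, threshold and sample process files are
constructed for illustration; every name below is an assumption."""
import hashlib
import re
from collections import namedtuple
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Signature = namedtuple("Signature", "virus_type risk_level features")  # features: frozenset of bytes
VirusDatabase = namedtuple("VirusDatabase", "version signatures")
Verdict = namedtuple("Verdict", "process_number is_virus virus_type risk_level match_degree db_version")


def process_number(content: bytes) -> str:
    """Process number = hash of the process file (SHA-256 here; the description names MD5)."""
    return hashlib.sha256(content).hexdigest()


def extract_features(content: bytes) -> FrozenSet[bytes]:
    """Constructed static features: printable strings (>= 4 chars) plus 4-byte n-grams."""
    strings = set(re.findall(rb"[\x20-\x7e]{4,}", content))
    ngrams = {content[i:i + 4] for i in range(len(content) - 3)}
    return frozenset(strings | ngrams)


def match_degree(a: FrozenSet[bytes], b: FrozenSet[bytes]) -> float:
    """Jaccard similarity in [0, 1], standing in for the patent's matching degree."""
    return len(a & b) / len(a | b) if a and b else 0.0


class CloudDetector:
    def __init__(self, db: VirusDatabase, threshold: float = 0.6):
        self.db, self.threshold = db, threshold
        self.cache: Dict[Tuple[str, str], Verdict] = {}      # (process number, DB version) -> verdict
        self.pending: Set[str] = set()                         # acquisition task in flight
        self.sightings: Dict[str, Set[Tuple[str, int]]] = {}  # process number -> {(host, pid)}

    def receive_process_numbers(self, host_id: str, processes: Dict[str, List[int]]) -> List[dict]:
        """S101/S102: record where each process number runs; emit a process file
        acquisition task only if it is first seen under the current DB version."""
        tasks = []
        for number, pids in processes.items():
            self.sightings.setdefault(number, set()).update((host_id, p) for p in pids)
            if (number, self.db.version) in self.cache or number in self.pending:
                continue  # not the first time: the last detection result is reused (S205)
            self.pending.add(number)
            tasks.append({"task": "get_process_file", "host_id": host_id, "process_number": number})
        return tasks

    def receive_process_file(self, number: str, content: bytes) -> Verdict:
        """S103: check the returned file is the one requested, extract its features,
        take the best matching degree over the virus database and apply the threshold."""
        if process_number(content) != number:
            raise ValueError("returned process file does not match the requested process number")
        feats = extract_features(content)
        best, best_sig = 0.0, None
        for sig in self.db.signatures:
            degree = match_degree(feats, sig.features)
            if degree > best:
                best, best_sig = degree, sig
        hit = best_sig is not None and best > self.threshold
        verdict = Verdict(number, hit, best_sig.virus_type if hit else None,
                          best_sig.risk_level if hit else None, best, self.db.version)
        self.cache[(number, self.db.version)] = verdict
        self.pending.discard(number)
        return verdict

    def result_for(self, number: str) -> Optional[Verdict]:
        return self.cache.get((number, self.db.version))

    def update_database(self, db: VirusDatabase) -> None:
        """A new DB version makes every process number first-seen again, so a clean
        verdict cached under an old version is not reused indefinitely."""
        self.db = db

    def display_rows(self) -> List[Tuple[str, int, str, str]]:
        """S206: one (host, pid, virus type, risk level) row per infected sighting."""
        rows = []
        for (number, version), v in self.cache.items():
            if version == self.db.version and v.is_virus:
                rows += [(h, p, v.virus_type, v.risk_level) for h, p in sorted(self.sightings[number])]
        return rows


# Constructed sample process files (not real binaries or malware).
MINER_SAMPLE = b"\x7fELF\x02\x01\x01\x00xmrig/6.18 stratum+tcp://pool.invalid:3333 --donate-level=1"
MINER_RUNNING = MINER_SAMPLE.replace(b"3333", b"3334")   # a variant of the known sample
SSHD_RUNNING = b"\x7fELF\x02\x01\x01\x00OpenSSH_9.3 /etc/ssh/sshd_config PermitRootLogin no"


def demo() -> CloudDetector:
    """host-1 reports sshd and a miner; host-2 later reports the same miner."""
    db = VirusDatabase("2024-01", [Signature("Trojan.CoinMiner", "high", extract_features(MINER_SAMPLE))])
    det = CloudDetector(db)
    files = {process_number(b): b for b in (SSHD_RUNNING, MINER_RUNNING)}
    tasks = det.receive_process_numbers("host-1", {process_number(SSHD_RUNNING): [101],
                                                   process_number(MINER_RUNNING): [202]})
    for t in tasks:  # each acquisition task is answered by the host with the file bytes
        det.receive_process_file(t["process_number"], files[t["process_number"]])
    det.receive_process_numbers("host-2", {process_number(MINER_RUNNING): [555]})  # no new task
    return det


if __name__ == "__main__":
    for row in demo().display_rows():
        print(row)
```

In the demo the second host's report of the miner produces no acquisition task and no second scan, which is the load reduction the description claims; after `update_database` the same process number is treated as first seen again, so a signature added later still reaches files that were judged clean under the old database.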
According to the technical scheme of the embodiment of the invention, cloud host process numbers collected and sent by one or more cloud hosts are received, each collected by the cloud host according to a cloud host process number acquisition task that the user side generated from a cloud host virus detection request; it is judged in turn whether the process file information corresponding to each process number is being detected for the first time; if so, the corresponding cloud host number is determined, a process file information acquisition task is generated and sent to that cloud host, the returned process file information is received, its process file features are extracted and matched against the virus features in a virus database, and the detection result is determined from the matching result; if not, the result of the last detection for that process number is taken as the detection result. These technical means solve the problems of existing methods, namely low detection efficiency, high load risk on the cloud hosts, a narrow range of applicable scenarios and a poor user experience when a large number of cloud hosts in a cloud platform are scanned simultaneously; virus detection can therefore be performed on a large number of cloud hosts at the same time, detection efficiency is improved, the load risk on the cloud hosts is reduced, the cloud hosts' own services are effectively protected, the detection results can be displayed visually, the applicable scenarios of the method are widened, and the user experience is improved.
Fig. 3 is a schematic diagram of main modules of a cloud host virus detection apparatus provided according to an embodiment of the present invention; as shown in fig. 3, the cloud host virus detection apparatus 300 according to the embodiment of the present invention is applied to a cloud, and mainly includes:
the process number receiving module 301 is configured to receive a cloud host process number acquired and sent by one or more cloud hosts; the cloud host process number is acquired by the cloud host according to a cloud host process number acquisition task, and the cloud host process number acquisition task is generated by the user side based on the cloud host virus detection request.
Specifically, according to the embodiment of the present invention, the cloud host process number may be a unique identifier that characterizes a process running on the cloud host, such as the name of the process running on the cloud host or the MD5 value of its process file. Because the same process yields the same cloud host process number, it can later be judged whether the process file information corresponding to a cloud host process number is being detected for the first time; the process file information corresponding to a given cloud host process number is then acquired only once and detected only once, which markedly improves the efficiency of virus detection over a large number of cloud hosts.
Further, according to the embodiment of the present invention, the process number receiving module 301 is further configured to:
receive the cloud host process numbers which are collected by one or more cloud hosts according to the cloud host process number acquisition task and forwarded by a storage system.
In an actual scenario a large number of processes run on a cloud host at the same time, so the volume of corresponding process numbers is large. The process numbers collected by the cloud hosts are therefore first stored in a storage system, in particular a distributed storage system, and the distributed storage system then forwards the collected cloud host process numbers to the cloud end, which further improves the efficiency of cloud host virus detection.
According to a preferred implementation of the embodiment of the invention, the cloud host process numbers collected by one or more cloud hosts according to the cloud host process number acquisition task can be buffered in Kafka (a distributed, partitioned, multi-replica, multi-subscriber distributed log system coordinated by ZooKeeper), from which the cloud host process numbers are uploaded to the cloud end.
Preferably, according to the embodiment of the present invention, the cloud host process number acquisition task further indicates a collection period; the process number receiving module 301 is further configured to:
receive the cloud host process numbers which are periodically collected and sent by one or more cloud hosts according to the collection period.
For example, a collection period may be set in the cloud host process number acquisition task generated by the user side, such as collecting the process numbers of the processes currently running on the cloud host every five minutes.
The determining module 302 is configured to sequentially determine whether process file information corresponding to the cloud host process number is detected for the first time.
Because the same process yields the same cloud host process number, judging whether the process file information corresponding to a cloud host process number is being detected for the first time ensures that the process file information for a given cloud host process number is acquired only once and detected only once. This avoids collecting and detecting the same process file repeatedly merely because it runs on many cloud hosts, improves the efficiency of virus detection over a large number of cloud hosts, reduces the load risk on the cloud hosts, and effectively guarantees the operation of the cloud hosts' services.
The detection module 303 is configured to determine a cloud host number corresponding to the cloud host process number if the process file information corresponding to the cloud host process number is detected for the first time, generate and send a process file information acquisition task to a cloud host corresponding to the cloud host number to receive process file information returned by the cloud host, extract process file features of the process file information, match the process file features with virus features in a virus database, and determine a cloud host virus detection result according to a matching result; and if the process file information corresponding to the cloud host process number is not detected for the first time, taking the result corresponding to the last detection of the cloud host process number as the cloud host virus detection result.
Specifically, according to the embodiment of the present invention, the detecting module 303 is further configured to:
comparing the matching degrees corresponding to the process file characteristics in the matching result and a plurality of virus characteristics in the virus database with a matching degree threshold respectively;
and if the matching degree exceeds the threshold value of the matching degree, determining that the corresponding process file is a virus file.
The virus library is a set of all known virus characteristics, and after feature extraction is carried out on the undetected process file information, feature matching is carried out in sequence according to the process file characteristics and all virus characteristics in the virus characteristic set, so that whether the process file is a virus file or not can be judged quickly.
Further, according to an embodiment of the present invention, the cloud host virus detection apparatus 300 further includes a visualization display module, configured to:
determine a virus file type, the target cloud host process numbers corresponding to that virus file type, and the target cloud hosts on which those target cloud host process numbers were collected;
and perform visual display according to the target cloud hosts, the target cloud host process numbers and the virus file type.
According to the embodiment of the invention, the risk level of the virus file can be determined, and the risk level of the virus file is displayed in the visualization result.
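The de-duplicated cloud-side flow of modules 301 to 303 and the visualization module, as an added Python example that is not the patent's own code. It assumes that the process number is the process name plus the MD5 of the process file, that the "matching degree" is a Jaccard similarity between feature sets, and that the virus database, threshold, hosts and process files are constructed sample values.

```python
# Added example (not the patent's code). Assumes: process number = process name
# plus MD5 of the process file; matching degree = Jaccard similarity of feature
# sets; virus database, threshold, hosts and process files are constructed.
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

# Constructed sample process files (stand-ins for process file information).
CLEAN = b"nginx worker\x00accept\x00sendfile\x00"
MINER = b"xmrig\x00stratum+tcp\x00cryptonight\x00donate-level\x00"
VARIANT = b"xmrig\x00stratum+tcp\x00cryptonight\x00--threads\x00"  # partial match

def process_number(name: str, file_info: bytes) -> str:
    """Cloud host process number: process name plus MD5 of the process file."""
    return f"{name}:{hashlib.md5(file_info).hexdigest()}"

def extract_features(file_info: bytes) -> FrozenSet[str]:
    """Process file features: printable tokens of at least four bytes."""
    tokens = re.split(rb"[^\x21-\x7e]+", file_info)
    return frozenset(t.decode() for t in tokens if len(t) >= 4)

def matching_degree(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Assumed matching degree: Jaccard similarity of two feature sets."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

@dataclass(frozen=True)
class VirusSignature:
    name: str
    risk_level: str
    features: FrozenSet[str]

@dataclass
class DetectionResult:
    process_number: str
    is_virus: bool
    matching_degree: float
    virus_type: Optional[str] = None
    risk_level: Optional[str] = None

class CloudDetector:
    """Cloud end (apparatus 300): receive, first-seen check, detect, cache."""
    def __init__(self, virus_db, threshold: float,
                 fetch_file_info: Callable[[str, str], bytes]):
        self.virus_db = list(virus_db)
        self.threshold = threshold
        # Stands in for the process file information acquisition task sent
        # to one cloud host and the process file information it returns.
        self.fetch_file_info = fetch_file_info
        self.cache: Dict[str, DetectionResult] = {}  # last result per number
        self.hosts_by_process = defaultdict(set)      # number -> host ids
        self.fetch_count = 0                          # acquisition tasks sent

    def receive(self, host_id: str, pn: str) -> DetectionResult:
        """Modules 301-303 for one received cloud host process number."""
        self.hosts_by_process[pn].add(host_id)
        if pn in self.cache:                 # not first time: reuse last result
            return self.cache[pn]
        self.fetch_count += 1                # first time: acquire the file once
        features = extract_features(self.fetch_file_info(host_id, pn))
        result = self.match(pn, features)
        self.cache[pn] = result
        return result

    def match(self, pn: str, features: FrozenSet[str]) -> DetectionResult:
        """Compare the degree against each signature with the threshold."""
        best_deg, best_sig = 0.0, None
        for sig in self.virus_db:
            deg = matching_degree(features, sig.features)
            if deg > best_deg:
                best_deg, best_sig = deg, sig
        if best_sig is not None and best_deg > self.threshold:
            return DetectionResult(pn, True, best_deg, best_sig.name,
                                   best_sig.risk_level)
        return DetectionResult(pn, False, best_deg)

    def visualization(self) -> dict:
        """Virus type -> target process number -> target hosts, risk level."""
        view: dict = {}
        for pn, res in self.cache.items():
            if res.is_virus:
                view.setdefault(res.virus_type, {})[pn] = {
                    "hosts": sorted(self.hosts_by_process[pn]),
                    "risk_level": res.risk_level}
        return view

def run_demo() -> CloudDetector:
    """Three constructed hosts report six processes with only three distinct
    process numbers, so only three acquisition tasks are sent."""
    fleet = {"host-1": [("nginx", CLEAN), ("xmrig", MINER)],
             "host-2": [("nginx", CLEAN), ("xmrig", VARIANT)],
             "host-3": [("nginx", CLEAN), ("xmrig", MINER)]}
    files = {(h, process_number(n, d)): d
             for h, procs in fleet.items() for n, d in procs}
    db = [VirusSignature("CoinMiner", "high", frozenset(
        {"xmrig", "stratum+tcp", "cryptonight", "donate-level"}))]
    det = CloudDetector(db, threshold=0.5,
                        fetch_file_info=lambda h, pn: files[(h, pn)])
    for host, procs in fleet.items():        # one collection cycle per host
        for name, data in procs:
            det.receive(host, process_number(name, data))
    return det
```

Because the threshold comparison is strict, a variant sharing three of four signature features (degree 0.6) is only reported when the configured threshold lies below that value.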
In the technical scheme of this embodiment, the cloud end receives the cloud host process numbers collected and sent by one or more cloud hosts, where each cloud host collects its process numbers according to a cloud host process number acquisition task that the user side generates from a cloud host virus detection request. For each received cloud host process number, the cloud end judges in turn whether the corresponding process file information is being detected for the first time. If so, it determines the cloud host number corresponding to that process number, generates and sends a process file information acquisition task to that cloud host, receives the returned process file information, extracts process file features from it, matches those features against the virus features in a virus database, and determines the cloud host virus detection result from the matching result. If not, the result of the last detection of that cloud host process number is reused as the cloud host virus detection result. This technical means addresses the problems of existing cloud host virus detection methods, especially when a large number of cloud hosts in a cloud platform are scanned at the same time: low detection efficiency, high load risk on the cloud hosts, a narrow range of applicable scenarios, and poor user experience. Virus detection can thus be performed on a large number of cloud hosts simultaneously, detection efficiency is improved, the load risk on the cloud hosts is reduced, the operation of the cloud hosts' services is effectively guaranteed, the detection results can be displayed visually, the applicable scenarios of the virus detection method are broadened, and user experience is improved.
FIG. 4 is a schematic diagram of the main modules of a cloud host virus detection system provided in accordance with an embodiment of the present invention; as shown in fig. 4, the cloud host virus detection system 400 according to the embodiment of the present invention mainly includes a cloud end, a user end, and one or more cloud hosts, wherein:
The user side 401 is configured to generate a cloud host process number acquisition task based on the cloud host virus detection request and distribute that task to the cloud host 402.
The cloud host 402 is configured to receive the cloud host process number acquisition task, collect the cloud host process numbers according to that task, and send the cloud host process numbers to the cloud end.
The cloud end 300 (i.e., the cloud host virus detection apparatus described above) is configured to receive the cloud host process numbers collected by the one or more cloud hosts 402 according to the cloud host process number acquisition task; judge in turn whether the process file information corresponding to each cloud host process number is being detected for the first time; if yes, determine the cloud host number corresponding to the cloud host process number, generate and send a process file information acquisition task to the cloud host corresponding to that cloud host number so as to receive the process file information returned by the cloud host, extract process file features from the process file information, match the process file features with the virus features in a virus database, and determine the cloud host virus detection result according to the matching result; and if not, take the result of the last detection of that cloud host process number as the cloud host virus detection result.
In the technical scheme of this embodiment, the cloud end receives the cloud host process numbers collected and sent by one or more cloud hosts, where each cloud host collects its process numbers according to a cloud host process number acquisition task that the user side generates from a cloud host virus detection request. For each received cloud host process number, the cloud end judges in turn whether the corresponding process file information is being detected for the first time. If so, it determines the cloud host number corresponding to that process number, generates and sends a process file information acquisition task to that cloud host, receives the returned process file information, extracts process file features from it, matches those features against the virus features in a virus database, and determines the cloud host virus detection result from the matching result. If not, the result of the last detection of that cloud host process number is reused as the cloud host virus detection result. This technical means addresses the problems of existing cloud host virus detection methods, especially when a large number of cloud hosts in a cloud platform are scanned at the same time: low detection efficiency, high load risk on the cloud hosts, a narrow range of applicable scenarios, and poor user experience. Virus detection can thus be performed on a large number of cloud hosts simultaneously, detection efficiency is improved, the load risk on the cloud hosts is reduced, the operation of the cloud hosts' services is effectively guaranteed, the detection results can be displayed visually, the applicable scenarios of the virus detection method are broadened, and user experience is improved.
Fig. 5 illustrates an exemplary system architecture 500 to which the cloud host virus detection method or the cloud host virus detection apparatus according to the embodiments of the present invention may be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504, and a server 505 (this architecture is merely an example, and the components included in a particular architecture may be adapted according to application specific circumstances). The network 504 serves to provide a medium for communication links between the terminal devices 501, 502, 503 and the server 505. Network 504 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 501, 502, 503 to interact with a server 505 over a network 504 to receive or send messages or the like. The terminal devices 501, 502, 503 may have various communication client applications installed thereon, such as a cloud host virus detection application, a web browser application, a search application, an instant messaging tool, a mailbox client, social platform software, etc. (for example only).
The terminal devices 501, 502, 503 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 505 may be a server that provides various services, such as a server (for example only) for users who utilize the terminal devices 501, 502, 503 (for cloud host virus detection/data processing). The server may analyze and perform other processing on the received data such as the cloud host process number, and feed back a processing result (for example, a cloud host virus detection result — just an example) to the terminal device.
It should be noted that the cloud host virus detection method provided by the embodiment of the present invention is generally executed by the server 505, and accordingly, the cloud host virus detection apparatus is generally disposed in the server 505.
It should be understood that the number of terminal devices, networks, and servers in fig. 5 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 6, a block diagram of a computer system 600 suitable for use with a terminal device or server implementing an embodiment of the invention is shown. The terminal device or the server shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU) 601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The driver 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is mounted in the storage section 608 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 601.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present invention, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes a process number receiving module, a judging module, and a detecting module. The names of these modules do not limit the modules themselves in some cases, for example, the process number receiving module may also be described as a "module for receiving a cloud host process number collected and transmitted by one or more cloud hosts".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to comprise: receiving cloud host process numbers collected and sent by one or more cloud hosts; the cloud host process number is acquired by the cloud host according to a cloud host process number acquisition task, and the cloud host process number acquisition task is generated by the user side based on a cloud host virus detection request; sequentially judging whether process file information corresponding to the process number of the cloud host is detected for the first time or not; if yes, determining a cloud host number corresponding to the cloud host process number, generating and sending a process file information acquisition task to the cloud host corresponding to the cloud host number so as to receive process file information returned by the cloud host, extracting process file characteristics of the process file information, matching the process file characteristics with virus characteristics in a virus database, and determining a cloud host virus detection result according to a matching result; and if not, taking the result corresponding to the last detection of the cloud host process number as the cloud host virus detection result.
In the technical scheme of this embodiment, the cloud end receives the cloud host process numbers collected and sent by one or more cloud hosts, where each cloud host collects its process numbers according to a cloud host process number acquisition task that the user side generates from a cloud host virus detection request. For each received cloud host process number, the cloud end judges in turn whether the corresponding process file information is being detected for the first time. If so, it determines the cloud host number corresponding to that process number, generates and sends a process file information acquisition task to that cloud host, receives the returned process file information, extracts process file features from it, matches those features against the virus features in a virus database, and determines the cloud host virus detection result from the matching result. If not, the result of the last detection of that cloud host process number is reused as the cloud host virus detection result. This technical means addresses the problems of existing cloud host virus detection methods, especially when a large number of cloud hosts in a cloud platform are scanned at the same time: low detection efficiency, high load risk on the cloud hosts, a narrow range of applicable scenarios, and poor user experience. Virus detection can thus be performed on a large number of cloud hosts simultaneously, detection efficiency is improved, the load risk on the cloud hosts is reduced, the operation of the cloud hosts' services is effectively guaranteed, the detection results can be displayed visually, the applicable scenarios of the virus detection method are broadened, and user experience is improved.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A cloud host virus detection method is applied to a cloud end and comprises the following steps:
receiving cloud host process numbers collected and sent by one or more cloud hosts; the cloud host process number is acquired by the cloud host according to a cloud host process number acquisition task, and the cloud host process number acquisition task is generated by a user side based on a cloud host virus detection request;
sequentially judging whether the process file information corresponding to the cloud host process number is detected for the first time;
if yes, determining a cloud host number corresponding to the cloud host process number, generating and sending a process file information acquisition task to a cloud host corresponding to the cloud host number so as to receive process file information returned by the cloud host, extracting process file characteristics of the process file information, matching the process file characteristics with virus characteristics in the virus database, and determining a cloud host virus detection result according to a matching result; and if not, taking the result corresponding to the last detection of the cloud host process number as the cloud host virus detection result.
2. The method according to claim 1, wherein the step of receiving the cloud host process numbers collected and sent by one or more cloud hosts comprises:
and receiving the cloud host process numbers which are acquired by one or more cloud hosts according to the cloud host process number acquisition tasks and are sent by a storage system.
3. The method according to claim 1, wherein the determining a cloud host virus detection result according to the matching result comprises:
comparing the matching degrees corresponding to the process file features in the matching result and a plurality of virus features in the virus database with a matching degree threshold respectively;
and if the matching degree exceeds the threshold value of the matching degree, determining that the corresponding process file is a virus file.
4. The cloud host virus detection method of claim 3, further comprising:
determining a virus file type, a target cloud host process number corresponding to the virus file type and a target cloud host comprising the target cloud host process number;
and performing visual display according to the target cloud host, the process number of the target cloud host and the virus file type.
5. The cloud host virus detection method according to claim 1 or 2, wherein an acquisition cycle is further indicated in the cloud host process number acquisition task; the step of receiving the cloud host process numbers collected and sent by one or more cloud hosts comprises:
and receiving the cloud host process numbers which are regularly acquired and sent by one or more cloud hosts according to the acquisition period.
6. A cloud host virus detection apparatus, disposed in a cloud end, comprising:
the process number receiving module is used for receiving the cloud host process numbers acquired and sent by one or more cloud hosts; the cloud host process number is acquired by the cloud host according to a cloud host process number acquisition task, and the cloud host process number acquisition task is generated by a user side based on a cloud host virus detection request;
the judging module is used for sequentially judging whether the process file information corresponding to the cloud host process number is detected for the first time;
the detection module is used for determining the cloud host number corresponding to the cloud host process number if the process file information corresponding to the cloud host process number is detected for the first time, generating and sending a process file information acquisition task to the cloud host corresponding to the cloud host number so as to receive the process file information returned by the cloud host, extracting the process file characteristics of the process file information, matching the process file characteristics with the virus characteristics in the virus database, and determining the cloud host virus detection result according to the matching result; and if the process file information corresponding to the cloud host process number is not detected for the first time, taking the result corresponding to the last detection of the cloud host process number as the cloud host virus detection result.
7. The cloud host virus detection apparatus of claim 6, wherein the detection module is further configured to:
comparing the matching degrees corresponding to the process file features in the matching result and a plurality of virus features in the virus database with a matching degree threshold value respectively;
and if the matching degree exceeds the threshold value of the matching degree, determining that the corresponding process file is a virus file.
8. A cloud host virus detection system is characterized by comprising a cloud end, a user end and one or more cloud hosts, wherein,
the user side is used for generating a cloud host process number acquisition task based on a cloud host virus detection request and distributing the cloud host process number acquisition task to the cloud host;
the cloud host is used for receiving the cloud host process number acquisition task, acquiring a cloud host process number according to the cloud host process number acquisition task, and sending the cloud host process number to the cloud end;
the cloud end is used for receiving the process number of the cloud host; sequentially judging whether the process file information corresponding to the cloud host process number is detected for the first time; if yes, determining a cloud host number corresponding to the cloud host process number, generating and sending a process file information acquisition task to a cloud host corresponding to the cloud host number so as to receive process file information returned by the cloud host, extracting process file characteristics of the process file information, matching the process file characteristics with virus characteristics in the virus database, and determining a cloud host virus detection result according to a matching result; and if not, taking the result corresponding to the last detection of the cloud host process number as the cloud host virus detection result.
9. An electronic device for cloud host virus detection, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-5.
10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-5.
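As an added illustration, not code from the patent or its applicant, the following Python models the claim 8 flow (user end issues the process number task, cloud host answers collection tasks, cloud end reuses the last result unless a process is seen for the first time) together with the claim 7 threshold check. The virus database, the feature extraction (printable strings), the matching degree (share of a virus's feature strings found in the file) and the process table are constructed assumptions, since the claims do not specify them.

```python
import hashlib
import re
# Constructed virus database (not the patent's): virus name -> feature strings a sample carries.
VIRUS_DB = {
    "demo.miner": {"stratum+tcp", "xmrig", "cpu-priority", "donate-level"},
    "demo.dropper": {"curl -fsSL", "chmod +x", "/tmp/.hidden", "nohup"},
}
MATCH_THRESHOLD = 0.6  # claim 7: a process file is a virus file only if its matching degree exceeds this

class CloudHost:  # answers the two collection tasks of claim 8; process table is constructed data
    def __init__(self, host_id, processes):
        self.host_id, self.processes, self.file_info_requests = host_id, processes, 0
    def collect_process_numbers(self):  # cloud host process number acquisition task
        return sorted(self.processes)
    def collect_process_file_info(self, pid):  # process file information acquisition task
        self.file_info_requests += 1  # how often the cloud asked this host for file information
        path, data = self.processes[pid]
        return {"path": path, "sha256": hashlib.sha256(data).hexdigest(), "data": data}

def extract_features(info):
    """Process file features (assumed): printable strings of four or more characters in the file."""
    return {s.decode() for s in re.findall(rb"[ -~]{4,}", info["data"])}

def matching_degree(file_features, virus_features):
    """Matching degree (assumed): share of a virus's feature strings that occur in the file's strings."""
    return sum(any(v in f for f in file_features) for v in virus_features) / len(virus_features)

class Cloud:
    def __init__(self, virus_db, threshold):
        self.virus_db, self.threshold = virus_db, threshold
        self.results = {}  # (cloud host number, process number) -> result of the last detection

    def detect(self, host, pid):
        key = (host.host_id, pid)
        if key in self.results:  # not the first detection: reuse the last result
            return self.results[key]
        info = host.collect_process_file_info(pid)  # first detection: ask the host for file info
        feats = extract_features(info)
        degree, best = max((matching_degree(feats, vf), name) for name, vf in self.virus_db.items())
        self.results[key] = {"pid": pid, "path": info["path"], "sha256": info["sha256"],
                             "degree": round(degree, 2), "virus": best if degree > self.threshold else None}
        return self.results[key]

def run_detection(cloud, hosts):  # user end: task every host, cloud evaluates each returned PID
    return {h.host_id: [cloud.detect(h, pid) for pid in h.collect_process_numbers()] for h in hosts}

HOSTS = [CloudHost("host-01", {  # constructed process table
    101: ("/usr/sbin/sshd", b"OpenSSH sshd: listening on 0.0.0.0 port 22"),
    233: ("/tmp/.x/kthreadd", b"xmrig stratum+tcp://pool.example:3333 donate-level=1 cpu-priority=5"),
})]
```

Keying the reuse cache on (cloud host number, process number) follows the claim's wording; because operating systems recycle process numbers, a deployment would want the key to also carry something like the process start time or the file hash, which the claims do not specify.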
CN202210360973.0A 2022-04-07 2022-04-07 Cloud host virus detection method, device and system Pending CN114912111A (en)

Publications (1)

Publication Number Publication Date
CN114912111A true CN114912111A (en) 2022-08-16

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117093994A (en) * 2023-09-18 2023-11-21 卫士通(广州)信息安全技术有限公司 Suspected virus file analysis method, system, equipment and storable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination