CN116707892A - Terminal infected virus processing method, device and processing system - Google Patents


Publication number
CN116707892A
Authority
CN
China
Prior art keywords
target
asset
alarm log
work order
log
Prior art date
Legal status
Pending
Application number
CN202310651446.XA
Other languages
Chinese (zh)
Inventor
华元
Current Assignee
Beijing Abt Networks Co ltd
Original Assignee
Beijing Abt Networks Co ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications

Abstract

The application provides a terminal virus infection processing method, device and system, used to respond efficiently and accurately to terminal virus infection events by constructing a centralized processing system, thereby providing safe and reliable guarantee services for the terminals of multiple enterprises. The method includes: receiving a target alarm log transmitted by a target security system, the processing system being interfaced with the security systems of the various vendors; performing an IP collision between the target alarm log and an attack threat intelligence library configured on the system, to determine whether the source IP of the target alarm log matches a source IP in the attack threat intelligence library and is therefore identified as a source IP posing an attack threat; if the IP collision succeeds, querying the corresponding assets of the corresponding vendor based on the destination IP of the target alarm log; and generating a target work order based on the target alarm log and the asset positioning result, and pushing the target work order to the asset handling unit indicated by the asset positioning result, so that the asset handling unit carries out response processing.

Description

Terminal infected virus processing method, device and processing system
Technical Field
The application relates to the field of network security, and in particular to a method, device and system for processing terminal virus infections.
Background
In recent years both network attack techniques and attackers have shown new trends; against this background, server hosts that run services over the Internet face security threats in which the terminal is vulnerable to virus infection.
A terminal virus infection event may be caused by an outdated terminal system version, newly disclosed vulnerabilities that are not patched in time, pirated software installed on the system, or lateral penetration from a host already compromised by cryptomining malware. In short, once a terminal virus infection alarm is raised, a quick response and immediate disposal are needed to stop the terminal host from being further broken into and penetrated until it is fully compromised; the matter is therefore urgent.
However, the inventor found that even when the security operators of a typical large data management center cooperate smoothly across departments, handling one terminal virus infection event takes about 2 hours, because it involves response steps such as manual research and judgment, asset positioning, investigation and evidence collection, issuing work orders and retesting the threat; the response efficiency is clearly low.
Disclosure of Invention
The application provides a terminal virus infection processing method, device and system, used to respond efficiently and accurately to terminal virus infection events by constructing a centralized processing system, thereby providing safe and reliable guarantee services for the terminals of multiple enterprises.
In a first aspect, the application provides a method for processing a terminal virus infection, the method including:
receiving a target alarm log transmitted by a target security system, the processing system being interfaced with the security systems of the various vendors, where the target alarm log is the alarm log generated and reported when the target security system detects a terminal virus infection event;
performing an IP collision between the target alarm log and an attack threat intelligence library configured on the system, to determine whether the source IP of the target alarm log matches a source IP in the attack threat intelligence library and is therefore identified as a source IP posing an attack threat;
if the IP collision succeeds, querying the corresponding assets of the corresponding vendor based on the destination IP of the target alarm log to obtain an asset positioning result;
and generating a target work order based on the target alarm log and the asset positioning result, and pushing the target work order to the asset handling unit indicated by the asset positioning result, so that the asset handling unit carries out response processing.
With reference to the first aspect of the application, in a first possible implementation of the first aspect, performing the IP collision between the target alarm log and the attack threat intelligence library configured on the system includes:
performing an IP collision between the target alarm log and a public network threat library, built by collecting the IPs of hacker-controlled zombie ("broiler") hosts on the network and IPs that public reports associate with attacks on other networks;
or performing an IP collision between the target alarm log and a periodic network threat library into which each IDC (data center machine room) enters IPs at regular intervals;
or querying all alarms raised by the target security system for the source IP of the target alarm log within the last 1 hour, and judging the collision successful if the number of alarms exceeds 100;
or querying the system's access records for the source IP of the target alarm log over the past month, starting from a credit score of 100 points and deducting 10 points for each VPN access found in the records, and judging the collision successful if the resulting VPN credit score is not more than 60 points.
With reference to the first aspect of the application, in a second possible implementation of the first aspect, querying the corresponding assets of the corresponding vendor based on the destination IP of the target alarm log includes:
querying the IP asset inventory associated with each vendor's servers based on the destination IP of the target alarm log.
With reference to the first aspect of the application, in a third possible implementation of the first aspect, querying the corresponding assets of the corresponding vendor based on the destination IP of the target alarm log includes:
querying the IP-port asset inventory associated with each vendor's web services based on the destination IP of the target alarm log.
With reference to the first aspect of the application, in a fourth possible implementation of the first aspect, generating the target work order based on the target alarm log and the asset positioning result includes:
generating an investigation and evidence-collection report based on the target alarm log and the asset positioning result, the content of the report including the target alarm log, a screenshot of the target alarm log's content, the asset positioning result and a report name;
and generating the target work order by combining the investigation and evidence-collection report, the target alarm log, the asset positioning result and the SMS (short message) content.
With reference to the first aspect of the application, in a fifth possible implementation of the first aspect, before generating the target work order based on the target alarm log and the asset positioning result, the method further includes:
determining whether the asset handling unit indicated by the asset positioning result has an automatic blocking capability, or determining whether it has an automatic blocking function;
if not, triggering generation of the target work order from the target alarm log and the asset positioning result.
With reference to the first aspect of the application, in a sixth possible implementation of the first aspect, after pushing the target work order to the asset handling unit indicated by the asset positioning result, the method further includes:
querying the disposal state of the target work order by polling;
if the state is "treated", retesting, based on the source IP and the destination IP of the target alarm log, whether corresponding threat virus data is still generated after the treated time point;
if so, prompting the asset handling unit to continue the response processing of the target work order.
In a second aspect, the application provides a processing device for terminal virus infections, the device including:
a log receiving unit, configured to receive a target alarm log transmitted by a target security system, the processing system being interfaced with the security systems of the various vendors, where the target alarm log is the alarm log generated and reported when the target security system detects a terminal virus infection event;
an IP collision unit, configured to perform an IP collision between the target alarm log and an attack threat intelligence library configured on the system, to determine whether the source IP of the target alarm log matches a source IP in the attack threat intelligence library and is therefore identified as a source IP posing an attack threat;
an asset positioning unit, configured to query, if the IP collision succeeds, the corresponding assets of the corresponding vendor based on the destination IP of the target alarm log to obtain an asset positioning result;
and a work order processing unit, configured to generate a target work order based on the target alarm log and the asset positioning result, and to push the target work order to the asset handling unit indicated by the asset positioning result, so that the asset handling unit carries out response processing.
With reference to the second aspect of the application, in a first possible implementation of the second aspect, the IP collision unit is specifically configured to:
perform an IP collision between the target alarm log and a public network threat library, built by collecting the IPs of hacker-controlled zombie ("broiler") hosts on the network and IPs that public reports associate with attacks on other networks;
or perform an IP collision between the target alarm log and a periodic network threat library into which each IDC (data center machine room) enters IPs at regular intervals;
or query all alarms raised by the target security system for the source IP of the target alarm log within the last 1 hour, and judge the collision successful if the number of alarms exceeds 100;
or query the system's access records for the source IP of the target alarm log over the past month, starting from a credit score of 100 points and deducting 10 points for each VPN access found in the records, and judge the collision successful if the resulting VPN credit score is not more than 60 points.
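The four collision schemes listed above, together with the equal-or-contained matching of IPs and IP segments that the application calls "IP collision", as an added Python example. This is not code from the patent or from Beijing Abt Networks: the library contents, the alarm and access-record layouts, the function names, the ordering of the schemes and the sample addresses are all assumptions constructed here.

```python
"""IP collision strategies for a terminal-infection alarm log.

Added example, not code from the patent or from Beijing Abt Networks: the
library contents, record layouts, function names and sample addresses are
assumptions constructed here to illustrate the four schemes in the text.
"""
from datetime import datetime, timedelta
import ipaddress

NOW = datetime(2023, 6, 1, 12, 0, 0)  # constructed reference time

# Scheme 1: public network threat library (hacker-controlled zombie hosts, public attack reports).
PUBLIC_THREAT_LIB = ["203.0.113.7", "198.51.100.0/24"]
# Scheme 2: periodic threat library fed by each IDC at regular intervals.
IDC_THREAT_LIB = ["192.0.2.0/25"]
# Scheme 3 input: alarm stream from the docked security system as (source IP, timestamp);
# 10.9.8.7 raised 101 alarms spread over the last 50 minutes.
ALERT_STREAM = [("10.9.8.7", NOW - timedelta(seconds=30 * i)) for i in range(101)]
ALERT_STREAM.append(("10.2.2.2", NOW - timedelta(minutes=5)))
# Scheme 4 input: access records over the past month as (source IP, timestamp, via VPN).
ACCESS_RECORDS = [("10.1.1.1", NOW - timedelta(days=d), True) for d in range(5)]   # 5 VPN logins
ACCESS_RECORDS += [("10.2.2.2", NOW - timedelta(days=d), True) for d in range(3)]  # 3 VPN logins
ACCESS_RECORDS.append(("10.2.2.2", NOW - timedelta(days=40), True))               # outside the window
ACCESS_RECORDS.append(("10.2.2.2", NOW - timedelta(days=1), False))               # not via VPN


def ip_collides(target, library):
    """IP collision as defined in the text: the target IP (or IP segment) is equal to,
    or contained in, an IP or IP segment listed in the library."""
    tgt = ipaddress.ip_network(target, strict=False)  # a bare address becomes a /32 (or /128)
    for entry in library:
        lib = ipaddress.ip_network(entry, strict=False)
        if tgt.version == lib.version and tgt.subnet_of(lib):
            return True
    return False


def alert_count(source_ip, alerts, now=NOW, window=timedelta(hours=1)):
    """Scheme 3: number of alarms the security system raised for this source IP in the last hour."""
    return sum(1 for ip, ts in alerts if ip == source_ip and now - window <= ts <= now)


def vpn_credit_score(source_ip, records, now=NOW, days=30, start=100, penalty=10):
    """Scheme 4: start at 100 points and deduct 10 for every VPN access in the past month."""
    cutoff = now - timedelta(days=days)
    vpn_hits = sum(1 for ip, ts, via_vpn in records
                   if ip == source_ip and via_vpn and cutoff <= ts <= now)
    return start - penalty * vpn_hits


def collide(source_ip, now=NOW):
    """Run the four schemes in order; return (collision succeeded?, which scheme decided)."""
    if ip_collides(source_ip, PUBLIC_THREAT_LIB):
        return True, "public_threat_library"
    if ip_collides(source_ip, IDC_THREAT_LIB):
        return True, "idc_periodic_library"
    if alert_count(source_ip, ALERT_STREAM, now) > 100:
        return True, "alarm_burst"
    if vpn_credit_score(source_ip, ACCESS_RECORDS, now) <= 60:
        return True, "vpn_credit_score"
    return False, "none"


def run_example():
    """Constructed source IPs of five alarm logs run through collide()."""
    return {ip: collide(ip) for ip in ("198.51.100.23", "192.0.2.77", "10.9.8.7", "10.1.1.1", "10.2.2.2")}


if __name__ == "__main__":
    for ip, (hit, scheme) in run_example().items():
        print(f"{ip:>15}  collision={hit}  decided_by={scheme}")
```

Note that with a start of 100, a penalty of 10 and a threshold of 60, the fourth scheme fires from the fourth VPN access in the window onward; 10.2.2.2 has three in-window VPN accesses (the fourth is older than a month and the fifth was not via VPN), so it stays at 70 points and no scheme matches it.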
With reference to the second aspect of the application, in a second possible implementation of the second aspect, the asset positioning unit is specifically configured to:
query the IP asset inventory associated with each vendor's servers based on the destination IP of the target alarm log.
With reference to the second aspect of the application, in a third possible implementation of the second aspect, the asset positioning unit is specifically configured to:
query the IP-port asset inventory associated with each vendor's web services based on the destination IP of the target alarm log.
With reference to the second aspect of the application, in a fourth possible implementation of the second aspect, the work order processing unit is specifically configured to:
generate an investigation and evidence-collection report based on the target alarm log and the asset positioning result, the content of the report including the target alarm log, a screenshot of the target alarm log's content, the asset positioning result and a report name;
and generate the target work order by combining the investigation and evidence-collection report, the target alarm log, the asset positioning result and the SMS (short message) content.
With reference to the second aspect of the application, in a fifth possible implementation of the second aspect, the work order processing unit is specifically configured to:
determine whether the asset handling unit indicated by the asset positioning result has an automatic blocking capability, or determine whether it has an automatic blocking function;
if not, trigger generation of the target work order from the target alarm log and the asset positioning result.
With reference to the second aspect of the application, in a sixth possible implementation of the second aspect, the device further includes a retest unit, configured to:
query the disposal state of the target work order by polling;
if the state is "treated", retest, based on the source IP and the destination IP of the target alarm log, whether corresponding threat virus data is still generated after the treated time point;
if so, prompt the asset handling unit to continue the response processing of the target work order.
In a third aspect, the application provides a processing system comprising a processor and a memory storing a computer program; when the processor calls the computer program in the memory, it executes the method of the first aspect or of any possible implementation of the first aspect.
In a fourth aspect, the application provides a computer-readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the method of the first aspect or of any possible implementation of the first aspect.
From the above, the application has the following advantages:
for the terminal security of each large vendor, the application, being interfaced with each vendor's security system, receives the target alarm log transmitted by the target security system of that vendor, then performs an IP collision between the target alarm log and the attack threat intelligence library configured on the system to determine whether the source IP of the target alarm log matches the attack threat intelligence library and is identified as a source IP posing an attack threat; if the IP collision succeeds, it queries the corresponding assets of the corresponding vendor on the basis of the destination IP of the target alarm log to obtain the asset positioning result, then generates the target work order from the target alarm log and the asset positioning result and pushes it to the asset handling unit indicated by the asset positioning result, so that the asset handling unit carries out response processing.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of the method for processing terminal virus infections according to the application;
FIG. 2 is a schematic flow chart of a part of the method for processing terminal virus infections according to the application;
FIG. 3 is a schematic flow chart of a further part of the method for processing terminal virus infections according to the application;
FIG. 4 is a schematic flow chart of the automatic IP blocking method of the application;
FIG. 5 is a schematic flow chart of the threat virus retest of the application;
FIG. 6 is a schematic structural view of the device for processing terminal virus infections according to the application;
FIG. 7 is a schematic diagram of the processing system according to the application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to fall within the scope of the application.
The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules that are expressly listed or inherent to such process, method, article, or apparatus. The naming or numbering of the steps in the present application does not mean that the steps in the method flow must be executed according to the time/logic sequence indicated by the naming or numbering, and the execution sequence of the steps in the flow that are named or numbered may be changed according to the technical purpose to be achieved, so long as the same or similar technical effects can be achieved.
The division of the modules in the present application is a logical division, and may be implemented in another manner in practical applications, for example, a plurality of modules may be combined or integrated in another system, or some features may be omitted or not implemented, and further, coupling or direct coupling or communication connection between the modules shown or discussed may be through some interfaces, and indirect coupling or communication connection between the modules may be electrical or other similar manners, which are not limited in the present application. The modules or sub-modules described as separate components may be physically separated or not, or may be distributed in a plurality of circuit modules, and some or all of the modules may be selected according to actual needs to achieve the purpose of the present application.
Before introducing the method for processing terminal infected virus provided by the application, the background content related to the application is first introduced.
The method and device for processing terminal virus infections and the computer-readable storage medium of the application can be applied to a processing system, and are used to respond efficiently and accurately to terminal virus infection events by constructing a centralized processing system, thereby providing safe and reliable guarantee services for the terminals of multiple enterprises.
The execution subject of the method may be a processing device for terminal virus infections, or a processing system into which such a device is integrated. The processing device may be implemented in hardware or in software; the processing system is usually deployed as a cluster of devices, although a single high-performance processing device is not excluded, and it is configured according to the actual situation.
For ease of understanding, the relevant terms used in the following detailed description are listed first:
Form template: a template consisting of multiple fields, whose names, types, order and the like can be customized;
Data set: the data maintained on the basis of a form template, called a data set; it supports adding, editing and deleting, Excel import and export, and page search, and different form templates can be selected for these operations;
1) Attack threat intelligence library: a company's own threat intelligence library, which can be extended with public threat intelligence libraries from the Internet and with intelligence derived from the company's own business algorithms;
2) Public network threat library: data collected on the Internet about IP reputation analysis, such as zombie hosts controlled by hackers, can be listed as a public network threat library for reference;
3) IP collision: comparing an IP or IP segment with the IPs and IP segments in the threat intelligence library to confirm whether they are equal or one contains the other;
4) Treatment record: a form data set whose fields include source IP, destination IP, vendor, handling status, creation time and update time;
5) IP asset inventory: an asset data set whose fields include unit type, unit name, system name, cloud asset type and IP;
6) IP-port asset inventory: an asset data set whose fields include unit type, unit name, system name, cloud asset type, IP and port;
7) Asset positioning result: fields include positioning status, unit type, unit name, system name, IP and port; it is used only as underlying storage;
8) Application: an application is a capability, such as screenshot, report generation or numerical calculation; each of these is a special capability and is therefore called an application, and the investigation and evidence collection, report generation, work order center and firewall blocking in the flow are all applications containing different capabilities;
9) Infection virus polling work order: fields include work order ID, source IP, destination IP, virus type and other alarm log information, creation time and update time;
10) Blocking information data set: a form data set whose fields include work order ID, alarm log, blocking time, blocking level information and creation time.
Next, the method for processing a terminal virus infection provided by the application is described.
First, referring to fig. 1, which shows a flow chart of the method for processing a terminal virus infection according to the application, the method may specifically include steps S101 to S104 as follows:
Step S101: receiving a target alarm log transmitted by a target security system, the processing system being interfaced with the security systems of the various vendors, where the target alarm log is the alarm log generated and reported when the target security system detects a terminal virus infection event;
It can be understood that the processing system of the application does not respond to terminal virus infection events from inside a single enterprise; rather, it provides a centralized response from outside the enterprise, serving multiple enterprises, and provides terminal security guarantee services to them.
For this, the processing system must be interfaced in advance with the security system of each vendor; each vendor (enterprise) will typically have configured a corresponding security system in its online system, so that each vendor has a certain level of network security capability.
In that case, the detection of a terminal infection event by an individual vendor's target security system is used as the trigger condition, and the corresponding target alarm log, delivered through the pre-established interface channel, triggers the processing system to perform the corresponding response (the subsequent steps).
Step S102: performing an IP collision between the target alarm log and an attack threat intelligence library configured on the system, to determine whether the source IP of the target alarm log matches a source IP in the attack threat intelligence library and is therefore identified as a source IP posing an attack threat;
It will be appreciated that the processing system maintains an attack threat intelligence library recording source IPs identified as posing an attack threat, that is, the network locations of the counterpart that initiates the network attack causing the terminal virus infection event.
In this way, triggered by the target alarm log reported by a vendor's target security system, a secondary judgment is made as to whether the target alarm log belongs to an attack event recognizable on the system; this is implemented by an IP collision (a matching process on the source IP).
Step S103: if the IP collision succeeds, querying the corresponding assets of the corresponding vendor based on the destination IP of the target alarm log to obtain an asset positioning result;
Obviously, if the IP collision succeeds, that is, a matching source IP exists in the attack threat intelligence library, the processing system can identify the terminal virus infection event detected by the vendor's target security system as a real event that needs to be responded to in time.
For this, the application takes the destination IP carried in the target alarm log (one or more destination IPs related to the terminal infection event detected by the target security system) as the asset positioning target, and queries whether an asset corresponding to that destination IP exists among the assets of each vendor that has accessed the security service; the resulting asset positioning result can guide the subsequent security response.
The assets here are network assets, specifically those relevant to the network security scenario, which may include hardware device assets and application service assets.
Through this asset positioning, a global location of infected and potentially infected targets is performed on the basis of the local detection of the terminal virus infection event, so that adaptive response measures can be taken for the located assets at the earliest time.
Step S104: generating a target work order based on the target alarm log and the asset positioning result, and pushing the target work order to the asset handling unit indicated by the asset positioning result, so that the asset handling unit carries out response processing.
It will be appreciated that each vendor accessing the security service has corresponding asset handling units (responsible persons or responsible departments) for the relevant assets within its enterprise, which can deploy security responses to those assets and perform response processing.
Therefore, after the infected and potentially infected targets (assets) have been located, the corresponding asset handling unit can be triggered in the form of a work order, according to the asset positioning result, to perform response processing at the earliest time, so as to resist or reduce the current network security threat.
Specifically, threat intelligence research and judgment, asset positioning, investigation and evidence collection, work order issuing and threat retesting traditionally form a complete manual process; the application turns this process into automatic control by the system and then brings the different departments in to respond automatically through the issued work orders, which markedly improves response efficiency through linkage. In addition, threat positioning over the whole scope is performed on the basis of the alarm log triggered by an individual vendor, and the corresponding asset handling units are triggered by targeted work orders to respond quickly; this is not a simple linkage system but an efficient and accurate response to terminal virus infection events built on SOAR as the underlying logic, optimizing response efficiency once more.
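Steps S101 to S104 as one flow, with the automatic-blocking check of the fifth implementation before the work order is generated and the retest of the sixth implementation after the handling unit reports "treated", as an added Python example. This is not code from the patent or from Beijing Abt Networks; the IP collision here is a plain set lookup so that the focus stays on asset positioning, work order generation and retesting, and the inventory rows, vendor and unit names, field names, status strings and sample alarms are all assumptions constructed here.

```python
"""Steps S101-S104 end to end, with the auto-blocking check and the retest.

Added example, not code from the patent or from Beijing Abt Networks. The
data sets, field names, unit names and sample addresses are assumptions
constructed here, following the term definitions given in the text.
"""
from datetime import datetime, timedelta

NOW = datetime(2023, 6, 1, 12, 0, 0)  # constructed reference time

# Attack threat intelligence library (term 1), reduced to a flat set of source IPs.
THREAT_LIB = {"203.0.113.7", "198.51.100.9"}

# IP asset inventory (term 5) and IP-port asset inventory (term 6): constructed rows.
IP_ASSETS = [
    {"unit_type": "department", "unit_name": "Finance", "system_name": "ERP",
     "cloud_type": "private", "ip": "10.10.1.20"},
    {"unit_type": "department", "unit_name": "R&D", "system_name": "GitLab",
     "cloud_type": "private", "ip": "10.10.2.30"},
]
IP_PORT_ASSETS = [
    {"unit_type": "department", "unit_name": "R&D", "system_name": "GitLab web",
     "cloud_type": "private", "ip": "10.10.2.30", "port": 443},
]
# Handling units that have an automatic blocking capability (fifth implementation): assumption.
AUTO_BLOCK_UNITS = {"R&D"}

# Constructed alarm logs reported by a docked vendor security system (S101).
SAMPLE_ALARMS = [
    {"id": "A1", "src": "203.0.113.7", "dst": "10.10.1.20", "virus_type": "cryptominer", "ts": NOW},
    {"id": "A2", "src": "203.0.113.7", "dst": "10.10.2.30", "virus_type": "cryptominer", "ts": NOW},
    {"id": "A3", "src": "192.0.2.5", "dst": "10.10.1.20", "virus_type": "trojan", "ts": NOW},
    {"id": "A4", "src": "198.51.100.9", "dst": "10.10.9.9", "virus_type": "worm", "ts": NOW},
]


def locate_asset(dst_ip):
    """S103: build the asset positioning result (term 7) for a destination IP from both inventories."""
    result = {"status": "not_located", "unit_type": None, "unit_name": None,
              "system_name": None, "ip": dst_ip, "port": None}
    for row in IP_ASSETS + IP_PORT_ASSETS:
        if row["ip"] != dst_ip:
            continue
        result.update(status="located", unit_type=row["unit_type"],
                      unit_name=row["unit_name"], system_name=row["system_name"])
        if "port" in row:
            result["port"] = row["port"]
    return result


def build_report(alarm, location):
    """Fourth implementation: investigation report = alarm log, screenshot, positioning result, name."""
    return {"report_name": f"terminal-infection-{alarm['src']}-{alarm['dst']}",
            "alarm_log": alarm,
            "screenshot": f"alarm-{alarm['id']}.png",  # assumed output of the screenshot capability
            "asset_location": location}


def process_alarm(alarm, now=NOW):
    """S101-S104 for one received alarm log; returns the outcome and any artefact produced."""
    if alarm["src"] not in THREAT_LIB:                      # S102: IP collision failed
        return {"outcome": "no_collision"}
    location = locate_asset(alarm["dst"])                   # S103
    if location["status"] != "located":
        return {"outcome": "asset_not_located", "location": location}
    if location["unit_name"] in AUTO_BLOCK_UNITS:           # fifth implementation: unit can block itself
        # Assumed: a blocking information record (term 10) is written instead of a work order.
        return {"outcome": "auto_block", "blocking": {
            "work_order_id": alarm["id"], "alarm_log": alarm, "blocking_time": now,
            "blocking_level": "source_ip", "created": now}}
    order = {"work_order_id": alarm["id"], "src": alarm["src"], "dst": alarm["dst"],   # term 9
             "virus_type": alarm["virus_type"], "handling_unit": location["unit_name"],
             "report": build_report(alarm, location),
             "sms": f"[{alarm['virus_type']}] {alarm['dst']} infected from {alarm['src']}, please handle",
             "state": "pending", "created": now, "updated": now}
    return {"outcome": "work_order_pushed", "work_order": order}         # S104


def retest(order, later_alarms, treated_at):
    """Sixth implementation: once polling shows 'treated', look for threat data on the same
    source->destination pair after the treated time; reopen the order if any exists."""
    recurred = any(a["src"] == order["src"] and a["dst"] == order["dst"] and a["ts"] > treated_at
                   for a in later_alarms)
    order["state"] = "reopened" if recurred else "closed"
    return order["state"]


def run_example():
    """Run the constructed alarms, then retest the Finance work order against two follow-up alarms."""
    outcomes = {a["id"]: process_alarm(a)["outcome"] for a in SAMPLE_ALARMS}
    order = process_alarm(SAMPLE_ALARMS[0])["work_order"]
    treated_at = NOW + timedelta(hours=1)
    before = [{"src": "203.0.113.7", "dst": "10.10.1.20", "ts": NOW + timedelta(minutes=30)}]
    after = [{"src": "203.0.113.7", "dst": "10.10.1.20", "ts": NOW + timedelta(hours=2)}]
    return outcomes, order, retest(order, before, treated_at), retest(order, after, treated_at)


if __name__ == "__main__":
    print(run_example())
```

Alarm A1 targets a unit without automatic blocking and yields a work order; A2 targets a unit that can block on its own and yields a blocking record instead; A3 fails the collision and is dropped; A4 collides but its destination IP is in no inventory, which a practitioner would want surfaced rather than silently ignored. The retest only counts threat data newer than the treated time, so an alarm raised before the unit finished does not reopen the order.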
To facilitate understanding, the steps and their exemplary implementations are described in full below with reference to a set of examples from actual practice.
Referring to fig. 2 and fig. 3, which are partial flow charts of the method for processing a terminal virus infection according to the application (the flow shown in fig. 3 continues the flow chart shown in fig. 2, that is, the top of fig. 3 follows from the bottom of fig. 2, matching the order of the node identifiers in the flow chart), the method includes:
In the starting stage, the processing system receives, within 1 minute, alarm log information from multiple vendors with the same source IP and the same destination IP. Taking the source IP and destination IP as the unique key, the processing system queries the treatment record data set for handling information. If the handling status in the returned handling list is "processing" (automatic handling in progress), the log data has been found again during handling: a new record for this source IP and destination IP is added with the status "duplicate handling information", and the status of the original log is updated to "ignored". If the handling status is not "processing", a new record for this source IP and destination IP is added with the status "processing", and the status of the original log is updated to "processing". This paragraph corresponds to flow chart nodes 1-8.
After the alarm log to be processed currently has been determined through this repeatability judgment, the IP collision processing involved in step S102 can be carried out.
IP collision is carried out between the source IP of the multi-vendor alarm log and the attack threat information library to obtain vendor threat information, and the threat information is analyzed so that each unit obtains a threat information judgment strategy for its own traffic; this corresponds to flow chart node 9.
For the attack threat information library, the present application is also configured with more specific matching schemes for actual deployment, which may include the following exemplary schemes:
IP list information of the public network threat library: this library collects publicly recorded IPs of compromised ("broiler") hosts controlled by attackers and of hosts that have wantonly damaged other networks; the library is maintained as a separate step. The source IP is then collided with this library to obtain the threat, and the next disposal step is carried out, corresponding to flow chart nodes 10-11;
Periodic records of the IDC IPs of each large machine room: for example, the cloud host IPs of each large machine room are recorded; if the cloud IPs of a certain provider A are considered a threat and those of cloud B are not, only the cloud host IPs of B are recorded. The source IP is then collided with this library and the next disposal step is carried out, corresponding to flow chart nodes 12-13;
Alarm count analysis: all alarm information for the IP within 1 hour at the vendor is queried according to the alarm source IP; if the alarm count is greater than 100, the IP is considered a threat and added to the tag library, and the next disposal step is carried out, corresponding to flow chart nodes 14-16;
Alarm behavior analysis: the access information of the past month is queried according to the alarm source IP; each access via VPN (i.e. from abroad) deducts 10 points from the credit score (full score 100), and if the credit score is less than or equal to 60 the IP is added to the tag library and the next disposal step is carried out, corresponding to flow chart nodes 17-20.
Other extensions: further comprehensive judgment may be made according to the threat behavior within the unit, corresponding to flow chart node 21.
Correspondingly, as an exemplary implementation manner, the process of performing IP collision between the target alarm log and the attack threat information library configured on the system in step S102 may specifically include:
carrying out IP collision between the target alarm log and a public network threat library obtained by collecting the IPs of attacker-controlled compromised ("broiler") hosts in the network or the IPs in public records of damaging other people's networks;
or, carrying out IP collision between the target alarm log and a network threat library into which the IDC IPs of each large machine room are recorded at regular intervals;
or, querying all alarm information of the source IP of the target alarm log within 1 hour at the target security system, and judging that the collision is successful if the alarm count is greater than 100;
or, querying the access records of the source IP of the target alarm log in the past month at the system, starting with 100 points and deducting 10 points from the credit score for each VPN access in the records, and determining that the collision is successful if the VPN credit score is not more than 60 points.
Here VPN means Virtual Private Network.
The four IP collision modes may be used alternatively or in free combination, which enriches the IP collision modes, strengthens the secondary security detection quality of this link, and improves the centralized security response effect of the processing system.
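The four collision modes above, written out as an added example that is not the patent's own code; the threat libraries, alarm history and access records are constructed sample data, and only the thresholds (100 alarms per hour, 100 points minus 10 per VPN access, 60 or less is a threat) come from the text.

```python
# Added example (not the patent's own code): the four IP collision modes of
# the attack threat information library, run over constructed sample data.
# The library contents, alarm history and access records below are
# constructed for illustration; the thresholds are those given in the text.
from datetime import datetime, timedelta

# Constructed threat libraries (not real indicators).
PUBLIC_THREAT_LIBRARY = {"198.51.100.7", "203.0.113.9"}   # mode 1
IDC_THREAT_LIBRARY = {"192.0.2.50"}                         # mode 2

ALARM_THRESHOLD = 100       # mode 3: more than 100 alarms in 1 hour
ALARM_WINDOW = timedelta(hours=1)
CREDIT_FULL = 100           # mode 4: start at 100 points
VPN_PENALTY = 10            #         minus 10 per VPN access
CREDIT_THRESHOLD = 60       #         60 or less is a threat
ACCESS_WINDOW = timedelta(days=30)

# Constructed reference time and history: 150 alarms in the last hour for
# 192.0.2.88, and five VPN accesses in the last month for 192.0.2.99 (plus
# one older access that must fall outside the window).
NOW = datetime(2023, 6, 1, 12, 0, 0)
SAMPLE_ALARMS = [("192.0.2.88", NOW - timedelta(seconds=s)) for s in range(150)]
SAMPLE_ACCESS = [("192.0.2.99", NOW - timedelta(days=d), True) for d in range(5)]
SAMPLE_ACCESS += [("192.0.2.99", NOW - timedelta(days=45), True)]


def collide_public_library(source_ip, library=PUBLIC_THREAT_LIBRARY):
    """Mode 1: the source IP appears in the public network threat library."""
    return source_ip in library


def collide_idc_library(source_ip, library=IDC_THREAT_LIBRARY):
    """Mode 2: the source IP appears in the periodically recorded IDC library."""
    return source_ip in library


def alarm_count(source_ip, alarms, now=NOW):
    """Alarms raised for this source IP within the last hour.
    `alarms` holds (source_ip, timestamp) pairs."""
    return sum(1 for ip, ts in alarms
               if ip == source_ip and timedelta(0) <= now - ts <= ALARM_WINDOW)


def collide_alarm_count(source_ip, alarms, now=NOW):
    """Mode 3: more than ALARM_THRESHOLD alarms in the window."""
    return alarm_count(source_ip, alarms, now) > ALARM_THRESHOLD


def vpn_credit_score(source_ip, access_records, now=NOW):
    """Mode 4 score: 100 minus 10 for every VPN access in the past month.
    `access_records` holds (source_ip, timestamp, via_vpn) triples."""
    score = CREDIT_FULL
    for ip, ts, via_vpn in access_records:
        if ip == source_ip and via_vpn and timedelta(0) <= now - ts <= ACCESS_WINDOW:
            score -= VPN_PENALTY
    return max(score, 0)


def collide_vpn_credit(source_ip, access_records, now=NOW):
    """Mode 4: a credit score of 60 or less means the collision succeeds."""
    return vpn_credit_score(source_ip, access_records, now) <= CREDIT_THRESHOLD


def ip_collision(source_ip, alarms=SAMPLE_ALARMS, access_records=SAMPLE_ACCESS, now=NOW):
    """Run the four modes in free combination and return the names of those
    that matched; a non-empty list means the source IP carries a threat."""
    checks = {
        "public_library": collide_public_library(source_ip),
        "idc_library": collide_idc_library(source_ip),
        "alarm_count": collide_alarm_count(source_ip, alarms, now),
        "vpn_credit": collide_vpn_credit(source_ip, access_records, now),
    }
    return [name for name, hit in checks.items() if hit]


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.50", "192.0.2.88", "192.0.2.99", "192.0.2.1"):
        print(ip, ip_collision(ip) or "no match")
```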
On the basis of the above judgment logic, if the threat information of any vendor is true, it is determined that a threat exists. If a threat exists, the next step is carried out and the corresponding asset information is obtained from the asset list according to the corresponding destination IP (corresponding to the asset location process of step S103). If no threat exists, then, to guard against the case where the vendor's alarm is correct but the threat information judgment algorithm is imperfect, a manual node may further be added here: whether manual audit agrees to issue a work order. If yes, the next step is carried out and the corresponding asset information is obtained from the asset list according to the destination IP; if no, the disposal record state is updated to "completed-false report" and the end state of the original log is updated to "false report"; this corresponds to flow chart nodes 22-26.
In the specific automatic asset location process, the assets are divided into two kinds of list: an IP asset list related to servers, and an IP-port asset list related to Web services. The two IP asset lists coexist and have overlapping parts, so there may be a small number of matching modes. Collision is performed based on the destination IP and the IP asset list; if there is no match, the next step is carried out, corresponding to flow chart nodes 27-28.
Collision is then performed based on the destination IP and the IP-port asset list. If there is no match, the asset location information is recorded into the "asset location result" data set with the asset location result state "location failure", the disposal record state "disposal completed-asset not located", and the end state of the original log "unprocessed". If there is a match, it is judged whether there are multiple records: if so, only the unit type and unit name of the 1st record are obtained; if not, the unit type, unit name and system name of the record are obtained, so that the asset location is clearer and more accurate. The difference between multiple records and a single record is whether specific system name data can be obtained; this corresponds to flow chart nodes 29-35.
For the collision between the destination IP and the IP asset list, if a match exists, the corresponding unit type and unit name are obtained directly, and the asset location information is recorded into the "asset location result" data set with the asset location result state "location success". In particular, the asset location result data set is intended to help the asset responsible person update the asset list according to the location situation; this corresponds to flow chart nodes 36-37.
Correspondingly, for the asset location processing involved in step S103, as an exemplary implementation manner, the process in step S103 of querying the corresponding asset at the corresponding vendor based on the destination IP of the target alarm log may specifically include:
querying the IP asset list related to each vendor's servers based on the destination IP of the target alarm log.
On the other hand, as yet another exemplary implementation manner, the process in step S103 of querying the corresponding asset at the corresponding vendor based on the destination IP of the target alarm log may specifically include:
querying the IP-port asset list related to each vendor's Web services based on the destination IP of the target alarm log.
It will be appreciated that these two aspects of the asset location scheme correspond to the hardware side and the software side of the assets, and that in the specific asset location operation the location objective is achieved more conveniently by using a preconfigured/statistical IP asset list.
After the asset location is completed and the asset location result (asset information) is obtained, the processing of the corresponding work order can proceed.
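The two-stage asset location of flow chart nodes 27-37 (server IP asset list first, then the Web-service IP-port asset list, with the single-record versus multiple-record distinction), as an added example that is not the patent's own code; the asset records, field names and state strings are constructed for illustration.

```python
# Added example (not the patent's own code): the two-stage asset location of
# flow chart nodes 27-37, first against the server IP asset list and then
# against the Web-service IP-port asset list. The asset records, field names
# and state strings below are constructed for illustration.

# Constructed IP asset list (server assets): one record per IP.
IP_ASSET_LIST = [
    {"ip": "10.0.0.5", "unit_type": "department", "unit_name": "Finance"},
]

# Constructed IP-port asset list (Web service assets): an IP may carry several
# records, one per system, so a hit may be ambiguous about the system.
IP_PORT_ASSET_LIST = [
    {"ip": "10.0.1.8", "port": 443, "unit_type": "subsidiary",
     "unit_name": "Retail", "system_name": "Online store"},
    {"ip": "10.0.1.9", "port": 80, "unit_type": "department",
     "unit_name": "HR", "system_name": "Recruiting portal"},
    {"ip": "10.0.1.9", "port": 8080, "unit_type": "department",
     "unit_name": "HR", "system_name": "Payroll"},
]


def locate_asset(dest_ip, ip_assets=IP_ASSET_LIST, ip_port_assets=IP_PORT_ASSET_LIST):
    """Return the asset location result for a destination IP.

    On success the result carries 'unit_type' and 'unit_name', plus
    'system_name' when exactly one IP-port record matched. On failure it also
    carries the disposal record state and the original log's end state that
    the text prescribes, so the caller can write them back."""
    # Stage 1 (nodes 27-28, 36-37): server IP asset list.
    for rec in ip_assets:
        if rec["ip"] == dest_ip:
            return {"status": "location success",
                    "unit_type": rec["unit_type"], "unit_name": rec["unit_name"]}

    # Stage 2 (nodes 29-35): Web-service IP-port asset list.
    hits = [rec for rec in ip_port_assets if rec["ip"] == dest_ip]
    if not hits:
        return {"status": "location failure",
                "disposal_state": "disposal completed-asset not located",
                "log_state": "unprocessed"}
    result = {"status": "location success",
              "unit_type": hits[0]["unit_type"], "unit_name": hits[0]["unit_name"]}
    if len(hits) == 1:
        # A single record is unambiguous, so the system name is attached too.
        result["system_name"] = hits[0]["system_name"]
    return result


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.1.8", "10.0.1.9", "10.0.9.9"):
        print(ip, locate_asset(ip))
```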
As can be seen from fig. 3, the process of generating a work order includes:
Investigation and evidence collection: the alarm log received by the system is captured directly as evidence in the form of a screenshot; multiple vendors produce multiple screenshots, and at least one screenshot is produced. A Word report is then generated, which includes the report name, alarm information, asset location information and the investigation and evidence collection screenshot(s); this corresponds to flow chart nodes 38-39;
Generating a work order: the report (including the alarm screenshot), the alarm information, the asset information and the SMS content are combined to generate a work order, which includes the unit type and unit name from the asset information; this corresponds to flow chart node 40.
Threat virus follow-up flow: the system can also monitor the status of the work order in real time (the status changes when the work order is blocked automatically or handled manually by the asset responsible unit); therefore the work order ID and the alarm log information are stored in the "infected virus polling work order" data set for the next step. This monitoring step should further be provided with a scripted arrangement for processing, see the threat virus retest processing described later; this corresponds to flow chart nodes 41-42.
In this regard, as an exemplary implementation manner, the process in step S104 of generating the target work order based on the target alarm log and the asset location result may specifically include:
generating an investigation and evidence collection report based on the target alarm log and the asset location result, wherein the content of the investigation and evidence collection report includes the target alarm log, a content screenshot of the target alarm log, the asset location result and a report name;
and generating the target work order by combining the investigation and evidence collection report, the target alarm log, the asset location result and the SMS content.
It can be seen that the work order generation involves two stages: the first stage generates a dedicated investigation and evidence collection report, which facilitates archiving and backtracking of the related content; the corresponding target work order is then generated based on that report, and at this point the target work order can be pushed to the corresponding asset handling unit through the work order flow procedure to carry out the corresponding security response.
In addition, it is easy to understand that, in terms of security response, since the source IP carrying the threat has been determined, the main security response is to resist and reduce the threat by blocking that IP, and pushing the target work order can directly trigger the corresponding asset handling unit to carry out automatic blocking of the source IP.
Alternatively, if the asset handling unit side finds that its automatic IP blocking capability is insufficient (for example, the network is not smooth, the IP blocking capability has not been generated, or a series of other abnormal situations), or manual intervention is needed to arrange IP blocking, pushing the target work order can still trigger the corresponding asset handling unit to learn of the current situation at the first opportunity and arrange response measures.
In this regard, on the response side of the asset handling unit there may be two cases:
Case 1: all assets are processed by the unit receiving the log (the asset handling unit). This case is simpler: automatic blocking is deployed directly at the current site, and the blocking targets the source IP.
Specifically, referring to fig. 4, which is a schematic flow chart of the automatic IP blocking method of the present application, the automatic IP blocking process carried out by the asset handling unit includes:
first, using the "work order center", obtaining the work orders of this unit whose work order state is "unprocessed", corresponding to flow chart nodes 43-44;
setting the work order state to "to be audited" and initiating an audit notification, together with a link notification (the link notification means sending a mail to the mailbox of the corresponding responsible unit, where clicking the link confirms approval or rejection of the audit; this part is optional). Automatic audit confirmation takes place after a default of 5 minutes (adjustable according to practical conditions: where the real-time requirement for blocking is higher, 2 minutes is planned; in the early operation stage, while the reliability of the alarm information and threat information analysis is still under observation, a longer time is set). If approved, or when the time reaches 5 minutes, the next step is carried out; if rejected, the asset responsible unit will carry out manual disposal, which may involve a full-disk scan and kill with downloaded antivirus software, vulnerability repair, software upgrades and the like, and the process ends; this corresponds to flow chart nodes 45-47;
if the work order is in the "to be audited" state, manual processing is complete; if not, firewall processing is carried out to block the source IP, the "work order center" is used to set the work order state to "processed", and the work order ID, alarm information, blocking time and blocking level information are newly added to the "blocking information" data set; this corresponds to flow chart nodes 48-52.
Case 2: the asset responsible units have no alarm analysis capability or threat information analysis capability (not yet started, or not yet built for special reasons), and because the asset responsible units and the unit receiving the log (the asset handling unit) belong to different departments, are in different geographic locations, or are separated by network failures and the like, association and flow circulation can only take place through the work order system. The asset responsible units must then carry out automatic or manual blocking themselves, so the work order system must be notified, and at this point each asset responsible unit independently deploys "automatic blocking" at its current site.
In this regard, before the target work order is generated in step S104, as an exemplary implementation manner, the method of the present application may further include the following determination mechanism:
determining whether the asset handling unit of the asset location result has automatic blocking capability, or determining whether the asset handling unit of the asset location result has the automatic blocking function enabled;
if not, triggering the generation of the target work order from the target alarm log and the asset location result.
It can be understood that this setting means that only when it is confirmed that the asset handling unit has no automatic IP blocking capability, or has not enabled automatic IP blocking, is the work order pushed through the channel of the work order system to remind the asset handling unit side to respond in time.
In addition, it should be understood that, for some terminal virus infection events, blocking the IP does not necessarily solve the problem. For example, other machines may directly use a firewall to block the transmission of the infecting virus, but when the system is old, pirated software is installed, malicious files have been implanted, and the like, the malicious files must be deleted manually, the pirated software uninstalled, and so on, which an automatic system response mechanism usually ignores or cannot do. IP blocking is therefore not enough to handle every scenario, and pushing a work order helps to remind the relevant personnel of such events directly, so as to cope with terminal infection events that are complex in practice.
Further, after the asset handling unit has been prompted to respond through the work order system, as mentioned above with respect to flow node 42 in fig. 3, a threat virus retest processing link may also be involved; specifically, referring to the flow chart of the threat virus retest of the present application shown in fig. 5, it includes:
start polling the "threat virus polling work order" data set (the polling interval is set to 5 minutes, which is determined according to system performance: set too short, it consumes performance; set too long, the retest cannot achieve the expected effect), and obtain the work order state through the "work order center"; if the work order state is "processed", the next step is carried out; this corresponds to flow chart nodes 53-56;
judge, based on the log source IP and destination IP, whether corresponding threat virus data exists after the time the work order became "processed"; if none exists, the retest passes and the next step is carried out; if it exists, the retest fails and the next step is carried out; this corresponds to flow chart nodes 57-58;
the retest passes: the work order information is no longer monitored, the data in the "virus infection polling work order" data set is deleted, the work order center is notified, and whether the work order can be closed is checked manually; if yes, the work order is closed, the log state is updated to "manual disposal-completed" and the alarm log is updated to "success"; if no, the log state is updated to "manual disposal-completed" and the alarm log is updated to "success"; this corresponds to flow chart nodes 59-65;
the retest fails: whether the work order is rejected is checked manually; if yes, the work order is rejected through the work order center, the work order status is set to "to be processed" and the asset responsible unit is required to reprocess it; if no, the work order information is no longer monitored, the data in the "virus infection polling work order" data set is deleted, the log state is updated to "manual disposal-completed" and the alarm log is updated to "success"; this corresponds to flow chart nodes 56-70;
and the process ends, corresponding to flow chart node 71.
Correspondingly, after the target work order is pushed to the asset handling unit of the asset location result in step S104, the method of the present application may further include:
querying the disposal state of the target work order by polling;
if the state is "processed", retesting whether corresponding threat virus data has been generated after the processed time point, based on the source IP and the destination IP of the target alarm log;
if so, prompting the asset handling unit to continue the response processing of the target work order.
It is easy to see that the retest mechanism improves cooperative efficiency, so that in practical application the response on the asset handling unit side is further guaranteed, and the problem of untimely or failed responses caused by abnormal conditions can be avoided or effectively relieved.
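The bookkeeping that brackets the work order, from the repeatability judgment on the incoming alarm log (flow chart nodes 1-8) to the retest poll after the work order is processed (nodes 53-70), as one added example that is not the patent's own code; the Store class, record layout and state strings are constructed for illustration, and the manual-review branches of the retest are left out.

```python
# Added example (not the patent's own code): the bookkeeping around the work
# order, from the repeatability judgement on the incoming alarm log (flow chart
# nodes 1-8) to the retest poll after the work order is processed
# (nodes 53-70), over in-memory data sets. The Store class, record layout and
# state strings are constructed for illustration; the manual-review branches
# of the retest are left out.
from datetime import datetime, timedelta

POLL_INTERVAL = timedelta(minutes=5)         # polling interval given in the text
EXAMPLE_T0 = datetime(2023, 6, 1, 12, 0, 0)  # constructed reference time


class Store:
    """In-memory stand-in for the processing record, polling work order and
    threat virus data sets."""

    def __init__(self):
        self.processing_records = []    # {"src", "dst", "state"}
        self.polling_work_orders = {}   # id -> {"src", "dst", "state", "processed_at"}
        self.threat_virus_data = []     # (src, dst, timestamp) of alarm logs seen


def admit_alarm_log(store, log):
    """Repeatability judgement keyed on (source IP, destination IP).

    If the latest record for the pair is still 'processing', the new log is a
    duplicate: a 'repeated processing information' record is added and the
    log is set to 'ignored'. Otherwise a 'processing' record is opened.
    Returns the state written back to the log."""
    latest = next((r for r in reversed(store.processing_records)
                   if r["src"] == log["src"] and r["dst"] == log["dst"]), None)
    if latest is not None and latest["state"] == "processing":
        store.processing_records.append(
            {"src": log["src"], "dst": log["dst"], "state": "repeated processing information"})
        log["state"] = "ignored"
    else:
        store.processing_records.append(
            {"src": log["src"], "dst": log["dst"], "state": "processing"})
        log["state"] = "processing"
    return log["state"]


def register_work_order(store, wo_id, log):
    """Nodes 41-42: keep the work order ID and alarm log for polling."""
    store.polling_work_orders[wo_id] = {
        "src": log["src"], "dst": log["dst"], "state": "unprocessed", "processed_at": None}


def mark_processed(store, wo_id, when):
    """The asset handling unit reports the work order as processed."""
    wo = store.polling_work_orders[wo_id]
    wo["state"] = "processed"
    wo["processed_at"] = when


def retest(store, wo_id):
    """Nodes 57-58: pass when no threat virus data for the same IP pair
    arrived after the processed time. Returns 'pass', 'fail' or None when
    the work order is not yet processed."""
    wo = store.polling_work_orders[wo_id]
    if wo["state"] != "processed":
        return None
    recurred = any(src == wo["src"] and dst == wo["dst"] and ts > wo["processed_at"]
                   for src, dst, ts in store.threat_virus_data)
    return "fail" if recurred else "pass"


def poll_once(store):
    """One polling pass over the polling work order data set. Passed work
    orders leave the data set; failed ones go back to 'to be processed' so
    the asset responsible unit reprocesses them."""
    outcomes = {}
    for wo_id in list(store.polling_work_orders):
        result = retest(store, wo_id)
        outcomes[wo_id] = result
        if result == "pass":
            del store.polling_work_orders[wo_id]
        elif result == "fail":
            store.polling_work_orders[wo_id]["state"] = "to be processed"
    return outcomes
```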
In general, for the above scheme content (including the content of each exemplary implementation manner), the method and device of the present application, under the condition that the security systems of the various vendors are interfaced, receive the target alarm log transmitted by the target security system, then perform IP collision with the attack threat information library configured on the system to determine whether the source IP of the target alarm log matches the attack threat information library, so as to identify source IPs carrying an attack threat. If the IP collision completes successfully, the corresponding asset at the corresponding vendor is queried based on the destination IP of the target alarm log to obtain the asset location result, a target work order is generated based on the target alarm log and the asset location result, and the target work order is pushed to the asset handling unit of the asset location result so that the asset handling unit carries out response processing. Under this setting a terminal security guarantee service is constructed: threat location across the whole scope is performed on the basis of the alarm log triggered by an individual vendor, and the corresponding asset handling unit is triggered to respond quickly. With SOAR as the underlying logic, the conventional single-vendor service is turned into an efficient, high-level and accurate response, and the cost of conventional manual processing in large-scale services is avoided.
Having introduced the method for processing a terminal infected with a virus provided by the present application, and in order to implement it more conveniently and better, the present application also provides a device for processing a terminal infected with a virus, from the aspect of functional modules.
Referring to fig. 6, which is a schematic structural diagram of the terminal virus infection processing device of the present application, the terminal virus infection processing device 600 may specifically include the following structure:
a log receiving unit 601, configured to receive a target alarm log transmitted by a target security system when the security systems of the vendors are interfaced, where the target alarm log refers to an alarm log generated and reported when the target security system detects a terminal virus infection event;
an IP collision unit 602, configured to perform IP collision between the target alarm log and an attack threat information library configured on the system, so as to determine whether the source IP of the target alarm log matches the source IPs of the attack threat information library and is thereby determined to be a source IP carrying an attack threat;
an asset location unit 603, configured to query the corresponding asset at the corresponding vendor based on the destination IP of the target alarm log if the IP collision is completed successfully, so as to obtain an asset location result;
and a work order processing unit 604, configured to generate a target work order based on the target alarm log and the asset location result, and push the target work order to the asset handling unit of the asset location result, so that the asset handling unit carries out response processing.
In an exemplary implementation, the IP collision unit 602 is specifically configured to:
carry out IP collision between the target alarm log and a public network threat library obtained by collecting the IPs of attacker-controlled compromised ("broiler") hosts in the network or the IPs in public records of damaging other people's networks;
or, carry out IP collision between the target alarm log and a network threat library into which the IDC IPs of each large machine room are recorded at regular intervals;
or, query all alarm information of the source IP of the target alarm log within 1 hour at the target security system, and judge that the collision is successful if the alarm count is greater than 100;
or, query the access records of the source IP of the target alarm log in the past month at the system, starting with 100 points and deducting 10 points from the credit score for each VPN access in the records, and determine that the collision is successful if the VPN credit score is not more than 60 points.
In yet another exemplary implementation, the asset location unit 603 is specifically configured to:
query the IP asset list related to each vendor's servers based on the destination IP of the target alarm log.
In yet another exemplary implementation, the asset location unit 603 is specifically configured to:
query the IP-port asset list related to each vendor's Web services based on the destination IP of the target alarm log.
In yet another exemplary implementation, the work order processing unit 604 is specifically configured to:
generate an investigation and evidence collection report based on the target alarm log and the asset location result, wherein the content of the investigation and evidence collection report includes the target alarm log, a content screenshot of the target alarm log, the asset location result and a report name;
and generate the target work order by combining the investigation and evidence collection report, the target alarm log, the asset location result and the SMS content.
In yet another exemplary implementation, the work order processing unit 604 is specifically configured to:
determine whether the asset handling unit of the asset location result has automatic blocking capability, or determine whether the asset handling unit of the asset location result has the automatic blocking function enabled;
if not, trigger the generation of the target work order from the target alarm log and the asset location result.
In yet another exemplary implementation, the device further includes a retest unit 605, configured to:
query the disposal state of the target work order by polling;
if the state is "processed", retest whether corresponding threat virus data has been generated after the processed time point, based on the source IP and the destination IP of the target alarm log;
if so, prompt the asset handling unit to continue the response processing of the target work order.
The present application also provides a processing system from the perspective of hardware structure. For convenience of explanation, the processing system is treated as a hardware device as a whole; referring to fig. 7, which shows a schematic structural diagram of the processing system of the present application, the processing system may specifically include a processor 701, a memory 702 and an input/output device 703, where the processor 701 is configured to implement the steps of the method for processing a terminal infected with a virus in the embodiment corresponding to fig. 1 when executing the computer program stored in the memory 702; alternatively, the processor 701 is configured to implement the functions of each unit in the embodiment corresponding to fig. 6 when executing the computer program stored in the memory 702, and the memory 702 is configured to store the computer program required by the processor 701 to execute the method for processing a terminal infected with a virus in the embodiment corresponding to fig. 1.
By way of example, the computer program may be partitioned into one or more modules/units that are stored in the memory 702 and executed by the processor 701 to carry out the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing particular functions, which describe the execution of the computer program in the computer device.
The processing system may include, but is not limited to, the processor 701, the memory 702 and the input/output device 703. Those skilled in the art will appreciate that the illustration is merely an example of a processing system and does not limit it: more or fewer components than shown may be included, certain components may be combined, or different components may be included; for example, the processing system may also include network access devices, buses and the like, through which the processor 701, memory 702, input/output device 703 and so on are connected.
The processor 701 may be a central processing unit (CPU), but may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor; it is the control center of the processing system and connects the various parts of the whole device through various interfaces and lines.
The memory 702 may be used to store computer programs and/or modules, and the processor 701 implements the various functions of the computer device by running or executing the computer programs and/or modules stored in the memory 702 and invoking the data stored in the memory 702. The memory 702 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, the application programs required for at least one function, and the like, and the data storage area may store data created according to the use of the processing system, and the like. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, Flash Card, at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The processor 701 is configured to execute the computer program stored in the memory 702, and may specifically implement the following functions:
receiving a target alarm log transmitted by a target security system under the condition that the security systems of the vendors are interfaced, where the target alarm log refers to an alarm log generated and reported when the target security system detects a terminal virus infection event;
performing IP collision between the target alarm log and an attack threat information library configured on the system to determine whether the source IP of the target alarm log matches the source IPs of the attack threat information library and is thereby determined to be a source IP carrying an attack threat;
if the IP collision is completed successfully, querying the corresponding asset at the corresponding vendor based on the destination IP of the target alarm log to obtain an asset location result;
and generating a target work order based on the target alarm log and the asset location result, and pushing the target work order to the asset handling unit of the asset location result, so that the asset handling unit carries out response processing.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the processing device, processing system and corresponding units for terminal virus infection described above may refer to the description of the processing method for terminal virus infection in the embodiment corresponding to fig. 1, and is not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, and that these instructions may be stored in a computer-readable storage medium and loaded and executed by a processor.
For this reason, the present application provides a computer-readable storage medium storing a plurality of instructions that can be loaded by a processor to execute the steps of the method for processing a terminal virus infection in the embodiment corresponding to fig. 1; for the specific operations, refer to the description of that method, which is not repeated here.
The computer-readable storage medium may comprise a read-only memory (ROM), a random access memory (RAM), a magnetic or optical disk, and the like.
Since the instructions stored in the computer-readable storage medium can execute the steps of the method for processing a terminal virus infection in the embodiment corresponding to fig. 1, they can achieve the beneficial effects of that method, which are described in detail above and are not repeated here.
The method, device, processing system and computer-readable storage medium for processing a terminal virus infection provided by the present application have been described in detail above. Specific examples have been used to explain the principles and implementation of the present application, and the description of the above embodiments is intended only to help understand the method and core idea of the present application. At the same time, since those skilled in the art will make changes to the specific embodiments and the scope of application in light of the ideas of the present application, the contents of this description should not be construed as limiting the present application.

Claims (10)

1. A method for processing a terminal virus infection, the method comprising:
receiving, with the security systems of the various vendors integrated, a target alarm log sent by a target security system, where the target alarm log is the alarm log generated and reported when the target security system detects a terminal virus infection event;
performing IP collision (matching) between the target alarm log and an attack threat intelligence library configured on the system, to determine whether the source IP of the target alarm log matches a source IP in the attack threat intelligence library and is therefore a source IP that poses an attack threat;
if the IP collision succeeds, querying the corresponding asset at the corresponding vendor on the basis of the destination IP of the target alarm log, to obtain an asset positioning result;
and generating a target work order based on the target alarm log and the asset positioning result, and pushing the target work order to the asset handling unit of the asset positioning result, so that the asset handling unit performs response processing.
2. The method of claim 1, wherein performing IP collision between the target alarm log and the attack threat intelligence library configured on the system comprises:
colliding the target alarm log against a public-network threat library built by collecting the IPs of compromised bot ("broiler") hosts on the network, or the IPs corresponding to public information about hosts that have attacked other parties' networks;
or colliding the target alarm log against a periodic network threat library of IPs reported periodically by the various IDC machine rooms;
or querying, in the target security system, all alert information concerning the source IP of the target alarm log within 1 hour and, if the number of alerts is greater than 100, judging the collision successful;
or querying, in the system, the access records of the source IP of the target alarm log over the past month, starting from a full credit score of 100 and deducting 10 points for each use of a VPN found in the records, and judging the collision successful if the score is not more than 60.
3. The method of claim 1, wherein querying the corresponding asset at the corresponding vendor on the basis of the destination IP of the target alarm log comprises:
querying the IP asset list associated with each vendor's servers on the basis of the destination IP of the target alarm log.
4. The method of claim 1, wherein querying the corresponding asset at the corresponding vendor on the basis of the destination IP of the target alarm log comprises:
querying the IP asset list associated with each vendor's Web services on the basis of the destination IP of the target alarm log.
5. The method of claim 1, wherein generating a target work order based on the target alarm log and the asset positioning result comprises:
generating an investigation and evidence-collection report based on the target alarm log and the asset positioning result, where the content of the report comprises the target alarm log, a screenshot of the content of the target alarm log, the asset positioning result and a report name;
and generating the target work order by combining the investigation and evidence-collection report, the target alarm log, the asset positioning result and the SMS text.
6. The method of claim 1, wherein, before generating a target work order based on the target alarm log and the asset positioning result, the method further comprises:
determining whether the asset handling unit of the asset positioning result has an automatic disabling capability, or determining whether the asset handling unit of the asset positioning result has an automatic disabling function;
and if not, triggering generation of the target work order from the target alarm log and the asset positioning result.
7. The method of claim 1, wherein, after pushing the target work order to the asset handling unit of the asset positioning result, the method further comprises:
querying the handling state of the target work order by polling;
if the state is "handled", retesting, on the basis of the source IP and the destination IP of the target alarm log, whether corresponding threat virus data is generated after the handled time point;
and if so, prompting the asset handling unit to continue the response processing of the target work order.
8. A terminal virus infection processing apparatus, the apparatus comprising:
a log receiving unit, configured to receive, with the security systems of the various vendors integrated, a target alarm log sent by a target security system, where the target alarm log is the alarm log generated and reported when the target security system detects a terminal virus infection event;
an IP collision unit, configured to perform IP collision between the target alarm log and an attack threat intelligence library configured on the system, so as to determine whether the source IP of the target alarm log matches a source IP in the attack threat intelligence library and is therefore a source IP that poses an attack threat;
an asset positioning unit, configured to, if the IP collision succeeds, query the corresponding asset at the corresponding vendor on the basis of the destination IP of the target alarm log, to obtain an asset positioning result;
and a work order processing unit, configured to generate a target work order based on the target alarm log and the asset positioning result and to push the target work order to the asset handling unit of the asset positioning result, so that the asset handling unit performs response processing.
9. A processing system comprising a processor and a memory, the memory having stored therein a computer program, the processor performing the method of any of claims 1 to 7 when the computer program in the memory is invoked by the processor.
10. A computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the method of any one of claims 1 to 7.
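The pipeline of claims 1 to 7 as a runnable sketch over constructed sample data (an added example; not code from the patent or from Beijing Abt Networks). The threat-library contents, asset lists, handling-unit names, record layouts and all function names are assumptions; the thresholds (more than 100 alerts in 1 hour; 100 points minus 10 per VPN use over the past month, failing at 60 or below) are the ones claim 2 states. The retest in claim 7 is read here as any later alert sharing the source or the destination IP of the original log, which is one reading of the claim wording.

```python
"""Added example (not the patent's code): claims 1-7 over constructed sample data.
Library contents, asset lists, unit names and record layouts are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample libraries and asset lists (assumptions, not from the patent).
PUBLIC_THREAT_IPS = {"198.51.100.7"}   # claim 2: public library of bot-host / attacker IPs
IDC_THREAT_IPS = {"203.0.113.9"}       # claim 2: library of IPs reported periodically by IDCs
ASSET_LISTS = {                        # claims 3-4: vendor server / Web asset lists keyed by IP
    "10.0.0.5": {"vendor": "VendorA", "kind": "server", "unit": "VendorA-SOC", "auto_disable": False},
    "10.0.0.8": {"vendor": "VendorB", "kind": "web", "unit": "VendorB-Ops", "auto_disable": True},
}
BURST_WINDOW, BURST_LIMIT = timedelta(hours=1), 100             # claim 2: more than 100 alerts in 1 hour
VPN_WINDOW, VPN_PENALTY, VPN_FAIL = timedelta(days=30), 10, 60  # claim 2: 100 - 10 per VPN use, <= 60 fails
NOW = datetime(2023, 6, 2, 12, 0)      # constructed "current time" for the sample run


def at(minutes_offset=0):
    """Sample timestamp relative to NOW (helper for constructed data)."""
    return NOW + timedelta(minutes=minutes_offset)


@dataclass(frozen=True)
class Alert:
    """One alarm log from a vendor security system (hypothetical layout)."""
    src_ip: str
    dst_ip: str
    time: datetime
    text: str = "terminal infected virus"


def sample_alert(src_ip, dst_ip, minutes_offset=0):
    return Alert(src_ip, dst_ip, at(minutes_offset))


def sample_vpn_records(src_ip, n_uses):
    """Constructed access records as (ip, time, via_vpn) tuples, one VPN login per day."""
    return [(src_ip, NOW - timedelta(days=d + 1), True) for d in range(n_uses)]


def burst_count(src_ip, alerts, now):
    """Alerts raised for src_ip inside the last hour (claim 2, third branch)."""
    return sum(1 for a in alerts if a.src_ip == src_ip and now - BURST_WINDOW < a.time <= now)


def vpn_credit_score(src_ip, access_records, now):
    """Start at 100 and deduct 10 per VPN login in the past month (claim 2, fourth branch)."""
    uses = sum(1 for ip, t, via_vpn in access_records
               if ip == src_ip and via_vpn and now - VPN_WINDOW < t <= now)
    return max(0, 100 - VPN_PENALTY * uses)


def ip_collision(alert, alerts, access_records, now):
    """Return (hit, reason); any one of the four claim-2 strategies is a successful collision."""
    if alert.src_ip in PUBLIC_THREAT_IPS:
        return True, "public threat library"
    if alert.src_ip in IDC_THREAT_IPS:
        return True, "IDC periodic threat library"
    if burst_count(alert.src_ip, alerts, now) > BURST_LIMIT:
        return True, "alert burst"
    if vpn_credit_score(alert.src_ip, access_records, now) <= VPN_FAIL:
        return True, "low credit score"
    return False, "no match"


def locate_asset(dst_ip):
    """Claims 3-4: look the destination IP up in the vendors' asset lists."""
    return ASSET_LISTS.get(dst_ip)


def build_work_order(alert, asset, reason):
    """Claim 5: investigation report plus SMS text make up the work order."""
    report = {
        "name": f"infection-{alert.dst_ip}-{alert.time:%Y%m%d%H%M}",
        "alert": alert.text,
        "alert_screenshot": f"<screenshot of {alert.src_ip} -> {alert.dst_ip}>",  # stands in for the stored image
        "asset": asset,
        "collision_reason": reason,
    }
    sms = f"[{asset['vendor']}] {alert.dst_ip} infected, attacker {alert.src_ip}, see {report['name']}"
    return {"report": report, "sms": sms, "unit": asset["unit"],
            "src_ip": alert.src_ip, "dst_ip": alert.dst_ip, "state": "pending"}


def handle_alert(alert, alerts, access_records, now):
    """Claims 1 and 6: collision -> asset lookup -> work order, unless the unit can disable the asset itself."""
    hit, reason = ip_collision(alert, alerts, access_records, now)
    if not hit:
        return None
    asset = locate_asset(alert.dst_ip)
    if asset is None or asset["auto_disable"]:   # claim 6: no work order when the unit auto-disables
        return None
    return build_work_order(alert, asset, reason)


def needs_followup(order, handled_at, alerts):
    """Claim 7: once the unit reports 'handled', retest for later alerts sharing the source or
    destination IP (assumed reading of the claim); True means prompt the unit again."""
    if order["state"] != "handled":
        return False
    return any(a.time > handled_at and (a.src_ip == order["src_ip"] or a.dst_ip == order["dst_ip"])
               for a in alerts)


if __name__ == "__main__":
    order = handle_alert(sample_alert("198.51.100.7", "10.0.0.5"), [], [], NOW)
    print(order["sms"])
```

Two caveats a practitioner would check before running anything like this: the credit-score branch penalises every VPN login, so a legitimate remote user collides after four logins in a month unless their VPN egress addresses are excluded; and the alert-burst branch counts per source IP, so a NAT gateway or proxy fronting many terminals will trip the threshold on ordinary activity and push work orders for the wrong asset.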
CN202310651446.XA 2023-06-02 2023-06-02 Terminal infected virus processing method, device and processing system Pending CN116707892A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310651446.XA CN116707892A (en) 2023-06-02 2023-06-02 Terminal infected virus processing method, device and processing system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310651446.XA CN116707892A (en) 2023-06-02 2023-06-02 Terminal infected virus processing method, device and processing system

Publications (1)

Publication Number Publication Date
CN116707892A true CN116707892A (en) 2023-09-05

Family

ID=87833355

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310651446.XA Pending CN116707892A (en) 2023-06-02 2023-06-02 Terminal infected virus processing method, device and processing system

Country Status (1)

Country Link
CN (1) CN116707892A (en)

Similar Documents

Publication Publication Date Title
US10356044B2 (en) Security information and event management
US7752671B2 (en) Method and device for questioning a plurality of computerized devices
KR101883400B1 (en) detecting methods and systems of security vulnerability using agentless
US8739290B1 (en) Generating alerts in event management systems
JP7204247B2 (en) Threat Response Automation Methods
CN111131253A (en) Scene-based security event global response method, device, equipment and storage medium
CN114598525A (en) IP automatic blocking method and device for network attack
CN110266670A (en) A kind of processing method and processing device of terminal network external connection behavior
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
CN111831275A (en) Method, server, medium and computer equipment for arranging micro-scene script
CN114139178A (en) Data link-based data security monitoring method and device and computer equipment
RU2481633C2 (en) System and method for automatic investigation of safety incidents
CN116708033B (en) Terminal security detection method and device, electronic equipment and storage medium
CN113987508A (en) Vulnerability processing method, device, equipment and medium
CN110086812B (en) Safe and controllable internal network safety patrol system and method
CN116707892A (en) Terminal infected virus processing method, device and processing system
CN115361203A (en) Vulnerability analysis method based on distributed scanning engine
KR101754964B1 (en) Method and Apparatus for Detecting Malicious Behavior
CN115080357B (en) Method and system for monitoring data in each industrial control operation device in complex industrial control
TWI835113B (en) System for executing task based on an analysis result of records for achieving device joint defense and method thereof
CN117150453B (en) Network application detection method, device, equipment, storage medium and program product
CN112580835B (en) Management method and device of server
US20220156361A1 (en) Detecting and preventing unauthorized command injection
CN117439757A (en) Data processing method and device of terminal risk program and server
CN114443140A (en) System and method for issuing plugging instruction

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination