CN116738438A - Security monitoring method, device, equipment and storage medium - Google Patents


Info

Publication number: CN116738438A
Authority: CN (China)
Prior art keywords: software, information, security, monitoring result, determining
Legal status: Pending
Application number: CN202310706026.7A
Other languages: Chinese (zh)
Inventor: 申国玉
Current assignee: Bank of China Ltd
Original assignee: Bank of China Ltd
Application filed by Bank of China Ltd; priority to CN202310706026.7A; publication CN116738438A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action


Abstract

The application provides a security monitoring method, device, equipment and storage medium, usable in the field of network security or in other fields. The method comprises the following steps: acquiring a security detection request sent by a terminal device, the security detection request comprising software information of first software; acquiring a software whitelist and a software blacklist according to the security detection request; if the software information of the first software exists in the software whitelist or the software blacklist, determining a security monitoring result of the first software according to that list; and if the software information of the first software exists in neither the software whitelist nor the software blacklist, acquiring the software type of the first software and the terminal device's installation information for the first software, and determining the security monitoring result of the first software according to the software type and the installation information. The method improves the efficiency of security detection of software.

Description

Security monitoring method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security or other fields, and in particular, to a security monitoring method, apparatus, device, and storage medium.
Background
In the course of office work a user may need various software (e.g. office software), and the user may download it over the network on their own and use it.
Currently, some software is paid software, i.e. users must pay the software provider to gain access to it. To avoid paying the provider, some users download non-genuine software (e.g. pirated or cracked software). Using non-genuine software infringes the rights of the software provider, and the non-genuine software may itself pose a security risk to the user. In the related art, the network administrators of an enterprise regularly check whether non-genuine software is installed on employee computers; however, determining this manually is inefficient.
Disclosure of Invention
The application provides a security monitoring method, apparatus, device and storage medium that improve the efficiency of security detection of software.
In a first aspect, the present application provides a security monitoring method, comprising:
acquiring a security detection request sent by a terminal device, wherein the security detection request comprises software information of first software, and the software information comprises a software identifier and a software version;
acquiring a software whitelist and a software blacklist according to the security detection request, wherein the software whitelist comprises software information of a plurality of secure software and the software blacklist comprises software information of a plurality of risk software;
if the software information of the first software exists in the software whitelist or the software blacklist, determining a security monitoring result of the first software according to the software whitelist or the software blacklist;
if the software information of the first software exists in neither the software whitelist nor the software blacklist, acquiring the software type of the first software and the terminal device's installation information for the first software, and determining a security monitoring result of the first software according to the software type and the installation information, wherein the software type is a public type or a private type.
In a possible implementation, determining the security monitoring result of the first software according to the software type and the installation information comprises:
if the software type is the public type, determining that the security monitoring result is that detection is passed;
if the software type is the private type, determining the security monitoring result according to the installation information.
In a possible implementation, determining the security monitoring result according to the installation information comprises:
judging whether an authorization certificate exists in the installation information;
if so, determining that the security monitoring result is that detection is passed;
if not, obtaining a first download address of the first software from the installation information, performing vulnerability monitoring on the first software to obtain first vulnerability information of the first software, and determining the security monitoring result according to the first download address and the first vulnerability information.
In a possible implementation, determining the security monitoring result according to the first download address and the first vulnerability information comprises:
acquiring a standard download address and preset vulnerability information of the first software;
if the first download address is the same as the standard download address and the similarity between the first vulnerability information and the preset vulnerability information is greater than or equal to a preset threshold, determining that the security monitoring result is that detection is passed;
if the first download address differs from the standard download address, or the similarity between the first vulnerability information and the preset vulnerability information is less than the preset threshold, determining that the security monitoring result is that detection fails.
In a possible implementation, after determining that the security monitoring result is that detection is passed, the method further comprises:
adding the software information of the first software to the software whitelist;
and after determining that the security monitoring result is that detection fails, the method further comprises:
adding the software information of the first software to the software blacklist.
In a possible implementation, acquiring the security detection request sent by the terminal device comprises:
after the terminal device has successfully joined a local area network, receiving the security detection request sent by the terminal device, wherein the first software is software installed in the terminal device, or software installed after a first moment, the first moment being the time at which the terminal device last underwent security monitoring;
and after determining the security monitoring result of the first software according to the software type and the installation information, the method further comprises:
if the security monitoring result is that detection fails, sending an uninstall instruction to the terminal device, the uninstall instruction instructing the terminal device to uninstall the first software.
In a possible implementation, acquiring the security detection request sent by the terminal device comprises:
after the terminal device detects an installation instruction for the first software, receiving the security detection request sent by the terminal device, wherein the first software is the software to be installed;
and after determining the security monitoring result of the first software according to the software type and the installation information, the method further comprises:
if the security monitoring result is that detection is passed, sending a first response to the terminal device, the first response instructing installation of the first software;
if the security monitoring result is that detection fails, sending a second response to the terminal device, the second response instructing the terminal device to pause installation of the first software.
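The decision procedure of the first aspect, with both request flows (the uninstall instruction after LAN access and the first/second response before installation) and the write-back of results into the whitelist and blacklist, as an added Python example. This is illustration code written for this page, not code from the patent or from Bank of China. The class and function names, the (identifier, version) shape of the software information, the Jaccard similarity over (hazard type, hazard level) records, the 0.8 threshold and all sample data are assumptions; vulnerability monitoring itself (the scan) is outside the example, and its result is passed in as input.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Result(Enum):
    PASS = "detection passed"
    FAIL = "detection failed"


class SoftwareType(Enum):
    PUBLIC = "public"    # legal software that may be used free of charge
    PRIVATE = "private"  # software that must be paid for or otherwise formally licensed


@dataclass(frozen=True)
class SoftwareInfo:
    identifier: str  # software identifier (name or number); uniquely indicates the software
    version: str


@dataclass
class InstallationInfo:
    download_address: str
    authorization_certificate: Optional[str] = None  # None: no certificate in the install info


# One record is (hazard type, hazard level); "vulnerability information" is a set of records.
VulnInfo = Set[Tuple[str, str]]


def vuln_similarity(observed: VulnInfo, preset: VulnInfo) -> float:
    # Assumed metric (Jaccard); the text only requires a similarity compared to a threshold.
    if not observed and not preset:
        return 1.0
    return len(observed & preset) / len(observed | preset)


@dataclass
class MonitoringPlatform:
    whitelist: Set[SoftwareInfo] = field(default_factory=set)
    blacklist: Set[SoftwareInfo] = field(default_factory=set)
    # Reference data keyed by software identifier (assumed storage layout).
    standard_addresses: Dict[str, str] = field(default_factory=dict)
    preset_vulns: Dict[str, VulnInfo] = field(default_factory=dict)
    threshold: float = 0.8  # assumed preset similarity threshold

    def monitor(self, info: SoftwareInfo, sw_type: SoftwareType,
                install: InstallationInfo, observed_vulns: VulnInfo) -> Result:
        """Security monitoring result for one piece of first software."""
        if info in self.whitelist:  # listed software is answered from the lists alone
            return Result.PASS
        if info in self.blacklist:
            return Result.FAIL
        result = self._by_type_and_installation(info, sw_type, install, observed_vulns)
        # Write the learned result back so the next request for this software is a lookup.
        (self.whitelist if result is Result.PASS else self.blacklist).add(info)
        return result

    def _by_type_and_installation(self, info: SoftwareInfo, sw_type: SoftwareType,
                                  install: InstallationInfo, observed_vulns: VulnInfo) -> Result:
        if sw_type is SoftwareType.PUBLIC:
            return Result.PASS
        if install.authorization_certificate is not None:
            return Result.PASS
        # Private, uncertified: compare download address and vulnerability information with
        # the stored reference data. Missing reference data fails closed (address mismatch).
        standard = self.standard_addresses.get(info.identifier)
        preset = self.preset_vulns.get(info.identifier, set())
        if (install.download_address == standard
                and vuln_similarity(observed_vulns, preset) >= self.threshold):
            return Result.PASS
        return Result.FAIL


# Item = (software info, software type, installation info, observed vulnerability info)
Item = Tuple[SoftwareInfo, SoftwareType, InstallationInfo, VulnInfo]


def after_network_access(platform: MonitoringPlatform, items: List[Item]) -> List[SoftwareInfo]:
    """Flow 1: the terminal has joined the LAN; return the software it is told to uninstall."""
    return [info for info, t, inst, v in items if platform.monitor(info, t, inst, v) is Result.FAIL]


def before_installation(platform: MonitoringPlatform, item: Item) -> str:
    """Flow 2: the terminal detected an install instruction; first or second response."""
    info, t, inst, v = item
    return "install" if platform.monitor(info, t, inst, v) is Result.PASS else "pause installation"


def build_demo_platform() -> MonitoringPlatform:
    """Constructed sample reference data for a stand-alone run."""
    return MonitoringPlatform(
        whitelist={SoftwareInfo("open-editor", "3.1")},
        blacklist={SoftwareInfo("paid-suite", "2022")},
        standard_addresses={"paid-tool": "https://vendor.example/paid-tool"},
        preset_vulns={"paid-tool": {("buffer-overflow", "high"), ("info-leak", "low")}},
    )


if __name__ == "__main__":
    p = build_demo_platform()
    genuine = (SoftwareInfo("paid-tool", "5.0"), SoftwareType.PRIVATE,
               InstallationInfo("https://vendor.example/paid-tool"),
               {("buffer-overflow", "high"), ("info-leak", "low")})
    cracked = (SoftwareInfo("paid-tool", "5.0-crack"), SoftwareType.PRIVATE,
               InstallationInfo("http://mirror.example/crack"), {("backdoor", "critical")})
    print(before_installation(p, genuine))             # install
    print(after_network_access(p, [genuine, cracked]))  # only the cracked copy is listed
```

The lists take precedence over the type check, so a blacklisted package stays failed even if it is reported as public type. A private package without a certificate whose reference data is unknown fails closed, and every package that reaches the type/installation check is written back to the matching list, so a repeat request for the same identifier and version is answered from the lists alone.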
In a second aspect, the present application provides a security monitoring apparatus comprising a first acquisition module, a second acquisition module and a determination module, wherein:
the first acquisition module is configured to acquire a security detection request sent by a terminal device, wherein the security detection request comprises software information of first software, and the software information comprises a software identifier and a software version;
the second acquisition module is configured to acquire a software whitelist and a software blacklist according to the security detection request, wherein the software whitelist comprises software information of a plurality of secure software and the software blacklist comprises software information of a plurality of risk software;
the determination module is configured to determine, if the software information of the first software exists in the software whitelist or the software blacklist, a security monitoring result of the first software according to the software whitelist or the software blacklist;
the determination module is further configured to, if the software information of the first software exists in neither the software whitelist nor the software blacklist, acquire the software type of the first software and the terminal device's installation information for the first software, and determine a security monitoring result of the first software according to the software type and the installation information, wherein the software type is a public type or a private type.
In a possible implementation, the determination module is specifically configured to:
if the software type is the public type, determine that the security monitoring result is that detection is passed;
if the software type is the private type, determine the security monitoring result according to the installation information.
In a possible implementation, the determination module is specifically configured to:
judge whether an authorization certificate exists in the installation information;
if so, determine that the security monitoring result is that detection is passed;
if not, obtain a first download address of the first software from the installation information, perform vulnerability monitoring on the first software to obtain first vulnerability information of the first software, and determine the security monitoring result according to the first download address and the first vulnerability information.
In a possible implementation, the determination module is specifically configured to:
acquire a standard download address and preset vulnerability information of the first software;
if the first download address is the same as the standard download address and the similarity between the first vulnerability information and the preset vulnerability information is greater than or equal to a preset threshold, determine that the security monitoring result is that detection is passed;
if the first download address differs from the standard download address, or the similarity between the first vulnerability information and the preset vulnerability information is less than the preset threshold, determine that the security monitoring result is that detection fails.
In a possible implementation, the apparatus further comprises an updating module configured to:
after the determination module determines that the security monitoring result is that detection is passed, add the software information of the first software to the software whitelist;
and after the determination module determines that the security monitoring result is that detection fails, add the software information of the first software to the software blacklist.
In a possible implementation, the apparatus further comprises a sending module, wherein:
the first acquisition module is specifically configured to receive the security detection request sent by the terminal device after the terminal device has successfully joined a local area network, wherein the first software is software installed in the terminal device, or software installed after a first moment, the first moment being the time at which the terminal device last underwent security monitoring;
the sending module is configured to send an uninstall instruction to the terminal device if the security monitoring result is that detection fails, after the determination module has determined the security monitoring result of the first software according to the software type and the installation information, the uninstall instruction instructing the terminal device to uninstall the first software.
In a possible implementation:
the first acquisition module is specifically configured to receive the security detection request sent by the terminal device after the terminal device detects an installation instruction for the first software, wherein the first software is the software to be installed;
the sending module is further configured to, after the determination module has determined the security monitoring result of the first software according to the software type and the installation information, send a first response to the terminal device if the security monitoring result is that detection is passed, the first response instructing installation of the first software; and send a second response to the terminal device if the security monitoring result is that detection fails, the second response instructing the terminal device to pause installation of the first software.
In a third aspect, the present application provides a security monitoring device comprising a processor and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to implement the method of any one of the first aspects.
In a fourth aspect, the present application provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, perform the method of any of the first aspects.
In a fifth aspect, the present application provides a computer program product comprising a computer program which, when executed by a computer, implements the method of any of the first aspects.
According to the security monitoring method, apparatus, device and storage medium provided by the present application, a security detection request sent by a terminal device is acquired, the security detection request comprising software information of first software, and the software information comprising a software identifier and a software version; a software whitelist and a software blacklist are acquired according to the security detection request, the software whitelist comprising software information of a plurality of secure software and the software blacklist comprising software information of a plurality of risk software; if the software information of the first software exists in the software whitelist or the software blacklist, the security monitoring result of the first software is determined according to that list; and if it exists in neither list, the software type of the first software and the terminal device's installation information for the first software are acquired, and the security monitoring result of the first software is determined according to the software type and the installation information. In this way security detection of the software installed in the terminal device can be carried out rapidly, improving the efficiency of security detection of software.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic diagram of an application scenario provided in an embodiment of the present application;
Fig. 2 is a schematic flow chart of a security monitoring method according to an embodiment of the present application;
Fig. 3 is a flowchart illustrating a method for determining a security detection result according to an embodiment of the present application;
Fig. 4 is a flow chart of another security monitoring method according to an embodiment of the present application;
Fig. 5 is a flow chart of another security monitoring method according to an embodiment of the present application;
Fig. 6 is a diagram illustrating an exemplary security monitoring method according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a security monitoring apparatus according to an embodiment of the present application;
Fig. 8 is a schematic diagram of another security monitoring apparatus according to an embodiment of the present application;
Fig. 9 is a schematic hardware structure of the security monitoring device provided by the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
It should be noted that the user information (including but not limited to user equipment information and user personal information) and the data (including but not limited to data for analysis, stored data and presented data) involved in the present application are information and data authorized by the user or fully authorized by each party; the collection, use and processing of such data must comply with the relevant laws, regulations and standards, and corresponding operation entries are provided for the user to grant or refuse authorization.
It should be noted that the security monitoring method, apparatus, device and storage medium of the present application may be used in the network security field and also in any other field; their field of application is not limited. The application scenario described in the embodiments serves to describe the technical solution more clearly and does not limit it; a person of ordinary skill in the art will recognise that the technical solution is equally applicable to similar problems arising in new service scenarios.
For convenience of explanation, the concepts involved in the present application are explained first.
Local area network: a private network covering a limited area. It connects the computers, peripheral devices and databases in that area into a communication network and manages the terminal devices over a network transmission medium. A local area network is a closed network and therefore comparatively secure, but once the network is attacked and brought down, none of the hardware devices in it can work.
For convenience of explanation, a scenario to which the present application applies is first described with reference to Fig. 1.
Fig. 1 is a schematic diagram of an application scenario provided in an embodiment of the present application. Referring to Fig. 1, a local area network contains a plurality of terminal devices and a network server. When a terminal device requests access to the local area network, the network server can acquire software information about the software installed on that terminal device. The network server may also manage the network services of the terminal device; for example, it may perform a network access operation or a network exit operation on the terminal device.
For example, referring to Fig. 1, a network server may control access to the local area network for a plurality of terminal devices. If, after inspection, the network server finds that a terminal device has illegal software (for example, non-genuine software) installed, it may perform a network exit operation on that terminal device so that it leaves the local area network. After the terminal device uninstalls the offending software, it may again send a network access request to the network server. When the network server determines that the terminal device no longer has illegal software installed, it may grant the request so that the terminal device rejoins the local area network.
In the present application, a software whitelist and a software blacklist may be preset. When the software in a terminal device requires security detection, it is first checked against the whitelist and blacklist; when the lists cannot determine a security detection result, the result is determined from the type and installation information of the software. In this way security detection of the software installed in the terminal device can be carried out rapidly, improving the efficiency of security detection of software.
The following describes the technical solution of the present application, and how it solves the above technical problem, in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be repeated in every embodiment. Embodiments of the present application are described below with reference to the accompanying drawings.
Fig. 2 is a flow chart of a security monitoring method according to an embodiment of the present application. Referring to Fig. 2, the method may include:
S201, acquiring a security detection request sent by the terminal device.
The security detection request comprises software information of the first software, and the software information comprises a software identifier and a software version.
The execution subject of this embodiment may be a security monitoring platform, or a security monitoring apparatus within the security monitoring platform. The security monitoring platform may be a terminal device, a server, etc.
The terminal device may be a computer, a server, etc.
The security detection request requests detection of whether the first software is illegal software (non-genuine software). For example, the illegal software may be pirated software or cracked software.
The first software is software already installed in the terminal device or software to be installed in the terminal device. There may be one or more pieces of first software. For example, the first software may be all software installed in the terminal device, software installed within a certain period, or software requested to be installed in the terminal device.
The software identifier uniquely indicates the first software. For example, it may be a software number or a software name.
S202, acquiring a software whitelist and a software blacklist according to the security detection request.
The software whitelist comprises software information of a plurality of secure software, and the software blacklist comprises software information of a plurality of risk software.
The secure software may include open-source software, free software and genuine software purchased by the enterprise. The risk software may include paid software that the enterprise has not purchased.
S203, if the software information of the first software exists in the software whitelist or the software blacklist, determining the security monitoring result of the first software according to the software whitelist or the software blacklist.
The security monitoring result is either that detection is passed or that detection fails.
There may be one or more pieces of first software, and the way the security monitoring result is determined from the software whitelist or the software blacklist depends on that number. There are two cases:
Case 1, there is one piece of first software.
In this case, if the software whitelist includes the software information of the first software, the security detection result is determined to be that detection is passed; if the software blacklist includes the software information of the first software, the security detection result is determined to be that detection fails.
Case 2, there are several pieces of first software.
In this case, if the software whitelist includes the software information of every piece of first software, the security detection result is determined to be that detection is passed; if the software information of any piece of first software exists in the software blacklist, the security detection result is determined to be that detection fails.
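Case 1 and case 2 above, carried into one function as an added example that is not part of the patent text. The (identifier, version) tuple shape for software information and the "pass"/"fail"/None return values are assumptions. Besides the decided result, the function returns the items found in neither list, which are the ones that fall through to the type and installation check of S204.

```python
from typing import Iterable, List, Optional, Set, Tuple

# Software information as (software identifier, software version); assumed shape.
SoftwareInfo = Tuple[str, str]


def list_check(whitelist: Set[SoftwareInfo], blacklist: Set[SoftwareInfo],
               batch: Iterable[SoftwareInfo]) -> Tuple[Optional[str], List[SoftwareInfo]]:
    """S203 for a request carrying one or more pieces of first software.

    Returns (result, pending):
      result  - "pass" if every item is whitelisted, "fail" if any item is blacklisted,
                None if the lists alone cannot decide;
      pending - items in neither list, to be checked by software type and installation
                information (S204). Empty when the lists decided the result.
    One item is simply a batch of size one, so case 1 and case 2 share the same rule.
    """
    items = list(batch)
    # Any blacklisted item fails the whole request, whatever the other items are.
    if any(item in blacklist for item in items):
        return "fail", []
    pending = [item for item in items if item not in whitelist]
    if not pending:  # every item whitelisted (an empty request has nothing to fail)
        return "pass", []
    return None, pending


def demo() -> Tuple[Optional[str], List[SoftwareInfo]]:
    """Constructed sample lists and a mixed request."""
    whitelist = {("open-editor", "3.1"), ("free-viewer", "1.0")}
    blacklist = {("paid-suite", "2022")}
    return list_check(whitelist, blacklist, [("open-editor", "3.1"), ("new-tool", "0.9")])


if __name__ == "__main__":
    print(demo())  # (None, [('new-tool', '0.9')]): the unknown item goes on to S204
```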
S204, if the software information of the first software exists in neither the software whitelist nor the software blacklist, acquiring the software type of the first software and the terminal device's installation information for the first software, and determining the security monitoring result of the first software according to the software type and the installation information.
The software type is a public type or a private type. Public-type software is legal software that may be used free of charge. Private-type software is software that must be paid for, or obtained through some other formal procedure, before it can be used legitimately.
The installation information is basic information about the software installation. It may include a software version number, a software name, an authorization certificate, a download address, and the like.
The security monitoring result of the first software may be determined as follows: if the software type is the public type, the security monitoring result is that detection is passed; if the software type is the private type, the security monitoring result is determined according to the installation information.
In the security monitoring method provided by this embodiment, a security detection request sent by the terminal device is first acquired, a software whitelist and a software blacklist are acquired, and a security monitoring result is determined from the software information of the first software in the request together with the whitelist and the blacklist; if the lists cannot yield a result, the security monitoring result is determined according to the software type and installation information of the first software. This improves the efficiency of security detection of software.
On the basis of any one of the above embodiments, a process of determining the security monitoring result of the first software according to the software type and the installation information will be described in detail with reference to the embodiment of fig. 3.
Fig. 3 is a schematic flow chart of determining a security detection result according to an embodiment of the present application. Referring to fig. 3, the method may include:
S301, acquiring the software type of the first software and the installation information of the terminal device for the first software.
The software type is a public type or a private type.
S302, determining whether the software type is the public type.
If yes, S303 is executed.
If not, S304 is executed.
S303, determining that the security monitoring result is that the detection passes.
S304, determining whether an authorization certificate exists in the installation information.
If yes, S303 is executed.
If not, S305 is performed.
The authorization certificate may be used to prove the legitimacy and security of the software.
S305, acquiring a first download address of the first software in the installation information, and performing vulnerability monitoring on the first software to obtain first vulnerability information of the first software.
The first download address may be the download link from which the terminal device downloaded the software. The first vulnerability information is vulnerability information of the first software and includes vulnerability hazard types, vulnerability hazard levels and the like. There may be one or more items of first vulnerability information.
The vulnerability monitoring of the first software may be performed by at least the following three possible implementations:
One possible implementation: obtaining common security vulnerability information of the software, and checking the first software item by item using a security scanning technique.
Another possible implementation: scanning the first software using a source code scanning technique.
Another possible implementation: testing the first software using an environmental error injection technique.
S306, acquiring a standard download address and preset vulnerability information of the first software.
The standard download address may be the official download address. The preset vulnerability information may be vulnerability information published by an authority and includes vulnerability hazard types, vulnerability hazard levels and the like. There may be one or more items of preset vulnerability information.
S307, determining a security monitoring result according to the first download address, the first vulnerability information, the standard download address and the preset vulnerability information.
If the first download address is the same as the standard download address and the similarity between the first vulnerability information and the preset vulnerability information is greater than or equal to a preset threshold value, the security monitoring result is determined to be that the detection passes. If the first download address is different from the standard download address, or the similarity between the first vulnerability information and the preset vulnerability information is smaller than the preset threshold value, the security monitoring result is determined to be that the detection fails.
The similarity between the first vulnerability information and the preset vulnerability information can be calculated by the following possible implementation modes:
determining a first feature vector of the first vulnerability information, determining a second feature vector of the preset vulnerability information, determining a Euclidean distance between the first feature vector and the second feature vector, and determining the similarity of the first vulnerability information and the preset vulnerability information according to the Euclidean distance.
In the embodiment shown in fig. 3, when the first software is determined to be of a public type, the security detection result of the first software may be determined to be passing detection, and when the first software is of a private type, the security detection result of the first software may be accurately determined according to the installation information of the first software. That is, in the above-described process, the obtained security detection result of the first software may be rapidly and accurately determined according to the software type and installation information of the first software.
In actual application, security detection may be performed on the software installed in the terminal device when the terminal device requests network access, or on new software when it is installed in the terminal device. The two cases are described below with reference to the embodiments of figs. 4 and 5.
Fig. 4 is a flow chart of another security monitoring method according to an embodiment of the present application. Referring to fig. 4, the method may include:
S401, receiving a network access request from the terminal device.
S402, sending a network access success response to the terminal device.
After the network access request of the terminal device is approved, a network access success response is sent to the terminal device, and the terminal device then accesses the network.
S403, receiving a security detection request sent by the terminal equipment.
Wherein the security detection request includes software information of the first software.
The first software may be software already installed by the terminal device. For example, the first software may be all software already installed in the terminal device.
S404, acquiring a software white list and a software black list according to the security detection request.
The software whitelist comprises software information of a plurality of security software, and the software blacklist comprises software information of a plurality of risk software.
S405, if the software information of the first software exists in the software white list or the software black list, determining a security monitoring result of the first software according to the software white list or the software black list.
S406, if the software information of the first software exists in neither the software white list nor the software black list, acquiring the software type of the first software and the installation information of the terminal device for the first software, and determining the security monitoring result of the first software according to the software type and the installation information.
The software type is a public type or a private type.
It should be noted that the execution of S404-S406 may refer to the execution of S201-S204 and is not repeated here.
S407, if the security detection result is that the detection fails, sending an uninstall instruction to the terminal device.
The uninstall instruction is used to instruct the terminal device to uninstall the first software.
Optionally, after sending the uninstalling instruction to the terminal device, the terminal device may be disconnected.
The security monitoring method provided by this embodiment can receive a network access request from the terminal device, send a network access success response to the terminal device, receive a security detection request sent by the terminal device, where the security detection request includes software information of the first software, determine the security monitoring result of the first software according to a preset software white list and software black list, continue to determine the security monitoring result according to the software type and installation information of the first software if it cannot be determined from the software white list and software black list, and send an uninstall instruction to the terminal device if the security monitoring result is that the detection fails. The method can perform security monitoring on the installed software when the terminal device accesses the network, and send an uninstall instruction to a terminal device that fails the security monitoring so as to instruct it to uninstall the illegal software. Because the compliance of the software is monitored when the terminal device connects to the network, the efficiency of security detection of software is improved.
Fig. 5 is a flow chart of another security monitoring method according to an embodiment of the present application. Referring to fig. 5, the method may include:
S501, receiving a security detection request sent by the terminal device.
Wherein the security detection request includes software information of the first software.
The first software may be software to be installed in the terminal device. For example, the first software may be software that requests installation in the terminal device.
S502, acquiring a software white list and a software black list according to the security detection request.
The software whitelist comprises software information of a plurality of security software, and the software blacklist comprises software information of a plurality of risk software.
S503, if the software information of the first software exists in the software white list or the software black list, determining a security monitoring result of the first software according to the software white list or the software black list.
S504, if the software information of the first software exists in neither the software white list nor the software black list, acquiring the software type of the first software and the installation information of the terminal device for the first software, and determining the security monitoring result of the first software according to the software type and the installation information.
The software type is a public type or a private type.
It should be noted that the execution of S502-S504 may refer to the execution of S201-S204 and is not repeated here.
S505, determining whether the detection result is pass.
If yes, S506 is performed.
If not, S507 is executed.
S506, sending a first response to the terminal equipment.
Wherein the first response is indicative of installing the first software.
S507, sending a second response to the terminal equipment.
Wherein the second response is used to indicate suspension of installation of the first software.
According to the security monitoring method provided by this embodiment, a security detection request sent by the terminal device is received, where the security detection request includes software information of the first software; the security monitoring result of the first software is determined according to a preset software white list and software black list; if the security monitoring result cannot be determined from the software white list and software black list, it is determined according to the software type and installation information of the first software; if the security monitoring result is that the detection passes, a first response is sent to the terminal device, the first response indicating that the first software is to be installed; and if the security monitoring result is that the detection fails, a second response is sent to the terminal device, the second response indicating that installation of the first software is to be suspended. The method can perform security monitoring on the software to be installed when the terminal device needs to install software, and give the terminal device the corresponding installation indication according to the security monitoring result. Because the compliance of the software to be installed is monitored when the terminal device installs new software, the efficiency of security detection of software is improved.
The security monitoring method shown in the above method embodiment will be described in detail below by way of specific example with reference to fig. 6.
Fig. 6 is an exemplary diagram of a security monitoring method according to an embodiment of the present application. Referring to fig. 6, the system comprises a computer terminal and a security monitoring platform. The security monitoring platform is provided with a software white list and a software black list.
When the computer terminal needs to install software A, it sends a security detection request to the security monitoring platform. The security detection request comprises the software information of software A; the software information comprises a software identifier, a software version, a software type and installation information, and the installation information comprises a first download address.
The security monitoring platform determines whether the software information of software A is contained in the software white list or the software black list. If it is contained in neither, the software type in the software information of software A is examined; if the software type is determined to be the private type, the installation information is analysed; if it is determined that the installation information contains no authorization certificate and the first download address in the installation information is not the standard download address, the security monitoring result is determined to be that the detection fails. The security monitoring platform sends an installation stop instruction to the computer terminal, and the computer terminal stops installing software A.
Fig. 7 is a schematic structural diagram of a security monitoring device according to an embodiment of the present application. Referring to fig. 7, the security monitoring device 10 includes a first acquisition module 11, a second acquisition module 12, and a determination module 13, wherein
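The fig. 3 decision procedure, the fig. 4 and fig. 5 request handling, the list update of module 14 and the fig. 6 scenario, modelled together as an added Python example that is not part of the patent. The hazard categories, the feature-vector encoding, the similarity mapping 1 / (1 + distance), the threshold, and all names and addresses are assumptions; the scanner output of S305 is supplied as constructed input rather than produced by a real scan.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PASS, FAIL = "pass", "fail"
PUBLIC, PRIVATE = "public", "private"
# Constructed hazard categories; the patent only says the information "comprises
# vulnerability hazard types, vulnerability hazard levels and the like".
HAZARD_TYPES = ("memory_corruption", "injection", "privilege_escalation", "info_leak")


@dataclass(frozen=True)
class SoftwareInfo:
    """Software information of claim 1: identifier plus version."""
    identifier: str
    version: str


@dataclass
class InstallInfo:
    """Installation information held by the terminal device (S301)."""
    download_address: str
    authorization_certificate: Optional[str] = None


def vuln_vector(findings: List[Tuple[str, int]]) -> List[float]:
    """Assumed encoding: one dimension per hazard type, holding the highest level found."""
    vec = [0.0] * len(HAZARD_TYPES)
    for hazard_type, level in findings:
        i = HAZARD_TYPES.index(hazard_type)
        vec[i] = max(vec[i], float(level))
    return vec


def similarity(a: List[float], b: List[float]) -> float:
    """Similarity from Euclidean distance; 1 / (1 + distance) is assumed (1.0 = identical)."""
    dist = math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return 1.0 / (1.0 + dist)


@dataclass
class SecurityMonitor:
    whitelist: Set[SoftwareInfo] = field(default_factory=set)
    blacklist: Set[SoftwareInfo] = field(default_factory=set)
    standard_addresses: Dict[str, str] = field(default_factory=dict)    # id -> official address
    preset_vulns: Dict[str, List[float]] = field(default_factory=dict)  # id -> published vector
    threshold: float = 0.5  # assumed preset similarity threshold

    def check(self, info, sw_type, install, findings) -> str:
        """S203/S204: answer from the lists, else run fig. 3 and record the verdict (module 14)."""
        if info in self.whitelist:
            return PASS
        if info in self.blacklist:
            return FAIL
        result = self._by_type_and_install(info, sw_type, install, findings)
        (self.whitelist if result == PASS else self.blacklist).add(info)
        return result

    def _by_type_and_install(self, info, sw_type, install, findings) -> str:
        if sw_type == PUBLIC:                      # S302 -> S303
            return PASS
        if install.authorization_certificate:      # S304 -> S303
            return PASS
        standard = self.standard_addresses.get(info.identifier)   # S306
        preset = self.preset_vulns.get(info.identifier)
        if standard is None or preset is None:
            return FAIL   # assumption: without reference data the check cannot pass
        if install.download_address != standard:   # S307, first condition
            return FAIL
        # S307, second condition; `findings` stands in for the S305 scanner output
        return PASS if similarity(vuln_vector(findings), preset) >= self.threshold else FAIL

    def on_network_access(self, installed) -> List[str]:
        """Fig. 4: check each installed package, return identifiers to uninstall (S407)."""
        return [info.identifier for info, sw_type, install, findings in installed
                if self.check(info, sw_type, install, findings) == FAIL]

    def on_install_request(self, info, sw_type, install, findings) -> str:
        """Fig. 5: first response ('install') or second response ('suspend')."""
        return "install" if self.check(info, sw_type, install, findings) == PASS else "suspend"


def demo() -> dict:
    """Constructed data modelled on fig. 6: software A is private, unlicensed, non-standard source."""
    mon = SecurityMonitor(
        standard_addresses={"software-a": "https://vendor.example/a.pkg",
                            "software-b": "https://vendor.example/b.pkg"},
        preset_vulns={"software-a": vuln_vector([("injection", 2)]),
                      "software-b": vuln_vector([("info_leak", 1)])},
    )
    a = SoftwareInfo("software-a", "1.0")
    r_a = mon.on_install_request(a, PRIVATE, InstallInfo("https://mirror.example/a.pkg"),
                                 [("injection", 2)])
    b = SoftwareInfo("software-b", "2.1")   # official address, scan matches published data
    r_b = mon.on_install_request(b, PRIVATE, InstallInfo("https://vendor.example/b.pkg"),
                                 [("info_leak", 1)])
    c = SoftwareInfo("tool-c", "0.9")       # public type passes at S302
    uninstall = mon.on_network_access([
        (a, PRIVATE, InstallInfo("https://mirror.example/a.pkg"), []),  # now answered by the blacklist
        (c, PUBLIC, InstallInfo("https://anywhere.example/c.zip"), []),
    ])
    return {"a": r_a, "b": r_b, "uninstall": uninstall, "blacklisted": a in mon.blacklist}
```

Note that once software A has failed, the later fig. 4 check is answered from the black list without re-running the type and installation checks, which is the efficiency gain the patent claims for the list update.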
the first obtaining module 11 is configured to obtain a security detection request sent by a terminal device, where the security detection request includes software information of first software, and the software information includes a software identifier and a software version;
the second obtaining module 12 is configured to obtain a software whitelist and a software blacklist according to the security detection request, where the software whitelist includes software information of a plurality of security software, and the software blacklist includes software information of a plurality of risk software;
the determining module 13 is configured to determine, if the software information of the first software exists in the software white list or the software black list, a security monitoring result of the first software according to the software white list or the software black list;
the determining module 13 is further configured to obtain a software type of the first software and installation information of the terminal device on the first software if the software information of the first software does not exist in the software white list and the software black list, and determine a security monitoring result of the first software according to the software type and the installation information, where the software type is a public type or a private type.
The security monitoring device provided in this embodiment may be used to execute the security monitoring method in the above method embodiment; its implementation principle and technical effects are similar and are not described here again.
In a possible embodiment, the determining module 13 is specifically configured to:
if the software type is the public type, determine that the security monitoring result is that the detection passes;
and if the software type is the private type, determine the security monitoring result according to the installation information.
In a possible embodiment, the determining module 13 is specifically configured to:
determine whether an authorization certificate exists in the installation information;
if yes, determine that the security monitoring result is that the detection passes;
if not, obtain a first download address of the first software from the installation information, perform vulnerability monitoring on the first software to obtain first vulnerability information of the first software, and determine the security monitoring result according to the first download address and the first vulnerability information.
In a possible embodiment, the determining module 13 is specifically configured to:
acquire a standard download address and preset vulnerability information of the first software;
if the first download address is the same as the standard download address and the similarity between the first vulnerability information and the preset vulnerability information is greater than or equal to a preset threshold value, determine that the security monitoring result is that the detection passes;
and if the first download address is different from the standard download address or the similarity between the first vulnerability information and the preset vulnerability information is smaller than the preset threshold value, determine that the security monitoring result is that the detection fails.
Fig. 8 is a schematic structural diagram of another security monitoring device according to an embodiment of the present application. Referring to fig. 8, the security monitoring device 10 further includes an update module 14, and the update module 14 is configured to:
after the determination module 13 determines that the security monitoring result is that the detection passes, add the software information of the first software to the software white list;
after the determination module 13 determines that the security monitoring result is that the detection fails, add the software information of the first software to the software black list.
In one possible embodiment, the security monitoring device 10 further comprises a sending module 15, wherein
the first obtaining module 11 is specifically configured to: after the terminal device has successfully accessed a local area network, receive the security detection request sent by the terminal device, where the first software is software installed in the terminal device or software installed after a first moment, and the first moment is the moment at which the terminal device last performed security monitoring;
the sending module 15 is configured to send an uninstall instruction to the terminal device after the determining module 13 determines the security monitoring result of the first software according to the software type and the installation information, if the security monitoring result is that the detection fails, where the uninstall instruction is used to instruct the terminal device to uninstall the first software.
In one possible embodiment,
the first obtaining module 11 is specifically configured to: after the terminal device detects an installation instruction for the first software, receive the security detection request sent by the terminal device, where the first software is the software to be installed;
the sending module 15 is further configured to, after the determining module 13 determines the security monitoring result of the first software according to the software type and the installation information, send a first response to the terminal device if the security monitoring result is that the detection passes, where the first response is used to indicate that the first software is to be installed; and send a second response to the terminal device if the security monitoring result is that the detection fails, where the second response is used to indicate that installation of the first software is to be suspended.
The security monitoring device provided in this embodiment may be used to execute the security monitoring method in the above method embodiment; its implementation principle and technical effects are similar and are not described here again.
Fig. 9 is a schematic diagram of the hardware structure of the security monitoring device provided by the present application. Referring to fig. 9, the security monitoring device 20 may include a processor 21 and a memory 22, where the processor 21 and the memory 22 can communicate; illustratively, the processor 21 and the memory 22 communicate via a communication bus 23, the memory 22 stores computer-executable instructions, and the processor 21 is configured to invoke the computer-executable instructions in the memory to perform any of the methods described in the method embodiments above.
Optionally, the security monitoring device 20 may also include a communication interface, which may include a transmitter and/or a receiver.
Alternatively, the processor may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in a processor for execution.
The present application provides a computer-readable storage medium having stored thereon computer-executable instructions; the computer-executable instructions are for implementing any of the methods described in any of the embodiments above.
Embodiments of the present application provide a computer program product comprising a computer program which, when executed, causes a computer to perform the above-described security monitoring method.
All or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a readable memory. The program, when executed, performs steps including the method embodiments described above; and the aforementioned memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid state disk, magnetic tape, floppy disk, optical disk, and any combination thereof.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processing unit of a general purpose computer, special purpose computer, embedded processor, or other programmable terminal device to produce a machine, such that the instructions, which execute via the processing unit of the computer or other programmable terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable terminal device to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the embodiments of the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims and the equivalents thereof, the present application is also intended to include such modifications and variations.
In the present disclosure, the term "include" and variations thereof may refer to non-limiting inclusion; the term "or" and variations thereof may refer to "and/or". The terms "first," "second," and the like, herein, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. In the present application, "a plurality of" means two or more. "and/or", describes an association relationship of an association object, and indicates that there may be three relationships, for example, a and/or B, and may indicate: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains.

Claims (10)

1. A method of security monitoring, comprising:
acquiring a security detection request sent by terminal equipment, wherein the security detection request comprises software information of first software, and the software information comprises a software identifier and a software version;
according to the security detection request, a software white list and a software black list are obtained, wherein the software white list comprises software information of a plurality of security software, and the software black list comprises software information of a plurality of risk software;
if the software information of the first software exists in the software white list or the software black list, determining a security monitoring result of the first software according to the software white list or the software black list;
if the software information of the first software exists in neither the software white list nor the software black list, acquiring the software type of the first software and the installation information of the terminal device for the first software, and determining a security monitoring result of the first software according to the software type and the installation information, wherein the software type is a public type or a private type.
2. The method of claim 1, wherein determining the security monitoring result of the first software based on the software type and the installation information comprises:
if the software type is the public type, determining that the security monitoring result is that the detection passes;
and if the software type is the private type, determining the security monitoring result according to the installation information.
3. The method of claim 2, wherein determining the security monitoring result from the installation information comprises:
determining whether an authorization certificate exists in the installation information;
if yes, determining that the security monitoring result is that the detection passes;
if not, obtaining a first download address of the first software from the installation information, performing vulnerability monitoring on the first software to obtain first vulnerability information of the first software, and determining the security monitoring result according to the first download address and the first vulnerability information.
4. The method of claim 3, wherein determining the security monitoring result based on the first download address and the first vulnerability information comprises:
Acquiring a standard download address and preset vulnerability information of the first software;
if the first download address is the same as the standard download address and the similarity between the first vulnerability information and the preset vulnerability information is greater than or equal to a preset threshold value, determining that the security monitoring result is that the detection passes;
and if the first download address is different from the standard download address or the similarity between the first vulnerability information and the preset vulnerability information is smaller than the preset threshold value, determining that the security monitoring result is that the detection fails.
5. The method according to any one of claims 2 to 4, wherein,
after determining that the security monitoring result is that the detection passes, the method further comprises:
adding the software information of the first software to the software white list;
after determining that the security monitoring result is that the detection fails, the method further comprises:
adding the software information of the first software to the software black list.
6. The method according to any one of claims 1-5, wherein obtaining the security detection request sent by the terminal device comprises:
after the terminal device has successfully accessed a local area network, receiving the security detection request sent by the terminal device, wherein the first software is software installed in the terminal device or software installed after a first moment, and the first moment is the moment at which the terminal device last performed security monitoring;
after determining the security monitoring result of the first software according to the software type and the installation information, the method further comprises:
if the security monitoring result is that the detection fails, sending an uninstall instruction to the terminal device, wherein the uninstall instruction is used to instruct the terminal device to uninstall the first software.
7. The method according to any one of claims 1-5, wherein obtaining the security detection request sent by the terminal device comprises:
after the terminal equipment detects the installation instruction of the first software, receiving a security detection request sent by the terminal equipment, wherein the first software is the software to be installed;
after determining the security monitoring result of the first software according to the software type and the installation information, the method further comprises the following steps:
if the security monitoring result is that the detection passes, sending a first response to the terminal device, wherein the first response is used to indicate that the first software is to be installed;
and if the security monitoring result is that the detection fails, sending a second response to the terminal device, wherein the second response is used to indicate that installation of the first software is to be suspended.
8. A security monitoring device, characterized by comprising a first acquisition module, a second acquisition module and a determination module, wherein
The first acquisition module is used for acquiring a security detection request sent by the terminal equipment, wherein the security detection request comprises software information of first software, and the software information comprises a software identifier and a software version;
the second obtaining module is configured to obtain a software whitelist and a software blacklist according to the security detection request, where the software whitelist includes software information of a plurality of security software, and the software blacklist includes software information of a plurality of risk software;
the determining module is configured to determine, if the software information of the first software exists in the software white list or the software black list, a security monitoring result of the first software according to the software white list or the software black list;
the determining module is further configured to obtain a software type of the first software and installation information of the terminal device on the first software if software information of the first software does not exist in the software white list and the software black list, and determine a security monitoring result of the first software according to the software type and the installation information, where the software type is a public type or a private type.
9. A security monitoring device, comprising: a processor and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
and the processor executes the computer-executable instructions stored in the memory to implement the method of any one of claims 1 to 7.
10. A computer-readable storage medium having stored therein computer-executable instructions which, when executed by a processor, carry out the method of any one of claims 1 to 7.
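The two-stage decision that claims 7 and 8 describe, written out as an added example that is not the patent's own code: software is matched on the full (identifier, version) pair against the whitelist and blacklist, and only software found in neither list falls through to the type-and-installation-information check. The blacklist-wins conflict rule, the fallback rule, the `source`/`signed` keys of the installation information and the sample list entries are all assumptions, since the claims do not specify them.

```python
"""Added example (not the patent's own code) of the decision in claims 7 and 8.
The conflict rule, the stage-2 fallback rule, the install_info keys and the
sample list entries are assumptions; the claims leave them unspecified."""
from dataclasses import dataclass

PASSED, NOT_PASSED = "passed", "not_passed"
FIRST_RESPONSE = {"action": "install"}         # claim 7: indicate installation
SECOND_RESPONSE = {"action": "pause_install"}  # claim 7: indicate pausing installation


@dataclass(frozen=True)
class SoftwareInfo:
    """Software information as in claim 8: identifier plus version."""
    identifier: str
    version: str


# Constructed sample lists; a deployment would load these from a policy store.
WHITELIST = {SoftwareInfo("com.example.office", "3.1.0")}
BLACKLIST = {SoftwareInfo("com.example.miner", "1.0.2")}


def monitor(info: SoftwareInfo, software_type: str, install_info: dict,
            whitelist=WHITELIST, blacklist=BLACKLIST) -> str:
    """Return PASSED or NOT_PASSED for the first software."""
    # Stage 1: exact (identifier, version) lookup, so a newer, unvetted version
    # of whitelisted software does not inherit the approval of the listed one.
    if info in blacklist:  # assumption: blacklist wins if both lists contain it
        return NOT_PASSED
    if info in whitelist:
        return PASSED
    # Stage 2 (neither list matched): decide from software type and installation
    # information. Assumed rule: public-type software passes when it comes from a
    # trusted source; private-type software must additionally carry a signature.
    trusted_source = install_info.get("source") in {"official_store", "enterprise_portal"}
    if software_type == "public":
        return PASSED if trusted_source else NOT_PASSED
    if software_type == "private":
        return PASSED if trusted_source and install_info.get("signed") else NOT_PASSED
    return NOT_PASSED  # unknown type: fail closed


def respond(result: str) -> dict:
    """Map the monitoring result to the response sent to the terminal device."""
    return FIRST_RESPONSE if result == PASSED else SECOND_RESPONSE
```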

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310706026.7A CN116738438A (en) 2023-06-14 2023-06-14 Security monitoring method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310706026.7A CN116738438A (en) 2023-06-14 2023-06-14 Security monitoring method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116738438A true CN116738438A (en) 2023-09-12

Family

ID=87916408

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310706026.7A Pending CN116738438A (en) 2023-06-14 2023-06-14 Security monitoring method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116738438A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination