CN116821896A - Malicious sample file acquisition system, malicious sample file reporting method and device - Google Patents

Info

Publication number: CN116821896A
Application number: CN202310622089.4A
Authority: CN (China)
Prior art keywords: malicious sample, sample file, file, target malicious, target
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventor: 骆振源
Current Assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd

Classifications

    • G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing) > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing) > G06F16/00 Information retrieval; database structures therefor; file system structures therefor > G06F16/10 File systems; file servers > G06F16/17 Details of further file system functions > G06F16/172 Caching, prefetching or hoarding of files
    • G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing) > G06F16/00 Information retrieval; database structures therefor; file system structures therefor > G06F16/10 File systems; file servers > G06F16/18 File system types > G06F16/182 Distributed file systems
    • G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing) > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

An embodiment of the invention provides a malicious sample file acquisition system, a malicious sample file reporting method and a malicious sample file reporting device. The malicious sample file acquisition system comprises an application system, a central control system and at least one terminal device, the central control system being connected with the at least one terminal device through the application system. The terminal device is used for sending a report message to the application system when at least one target malicious sample file is detected; the report message comprises the at least one target malicious sample file. For each target malicious sample file, the application system is used for storing the target malicious sample file into a cloud storage component and sending a notification message to the central control system when it determines that the target malicious sample file is not already stored in the cloud storage component; the notification message comprises address information corresponding to the target malicious sample file. The central control system is used for storing the address information corresponding to the target malicious sample file into a first file database, so that the target malicious sample file can be downloaded based on the address information.

Description

Malicious sample file acquisition system, malicious sample file reporting method and device
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a malicious sample file acquisition system, a malicious sample file reporting method and a malicious sample file reporting device.
Background
Computer technology plays an important role in the development of many industries. As computer technology has become widespread, various malicious files have been continuously developed and changed, and these malicious files pose a potential threat to the computer security of users.
Security operators can learn the attack mode of a malicious file from a sample of that file, so as to improve their ability to defend against it; obtaining various malicious sample files in a timely manner therefore has positive significance for improving computer security protection. At present, security operators acquire malicious sample files mainly through their own real-world (actual combat) accumulation or through exchanging sample resources, but these acquisition methods have certain drawbacks, for example: the types and quantity of malicious sample files accumulated through each operator's own real-world work are small; and exchanged malicious sample file resources contain a large number of duplicate malicious sample files, i.e. a large number of invalid malicious sample files.
Existing malicious sample file acquisition methods cannot acquire effective malicious sample files in a timely manner and in large quantity, which restricts the development of computer security technology. Therefore, how to enable users to obtain a large number of effective malicious sample files in time has become a problem to be solved.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides a malicious sample file acquisition system, a malicious sample file reporting method and a malicious sample file reporting device.
By way of example, the embodiment of the invention provides the following technical scheme:
In a first aspect, an embodiment of the present invention provides a malicious sample file obtaining system, including an application system, a central control system, and at least one terminal device, where the central control system is connected with at least one terminal device through the application system;
the terminal equipment is used for sending a report message to the application system under the condition that at least one target malicious sample file is monitored; the reported message comprises at least one target malicious sample file;
the application system is used for storing the target malicious sample files into the cloud storage component and sending notification messages to the central control system when determining that the target malicious sample files are not stored into the cloud storage component for each target malicious sample file; the notification message comprises address information corresponding to the target malicious sample file stored in the cloud storage component;
the central control system is used for storing address information corresponding to the target malicious sample file into a first file database so as to download the target malicious sample file in the cloud storage component based on the address information.
Further, the application system comprises a first load balancing device and at least one application server connected with the first load balancing device; the first load balancing device is connected with at least one terminal device, and each application server is connected with the central control system;
the first load balancing device is configured to receive the reporting messages sent by each terminal device, and allocate corresponding reporting messages to each application server based on a first load balancing policy;
the application server is configured to store, for the target malicious sample file in each received report message, the target malicious sample file into the cloud storage component when it is determined that the target malicious sample file is not stored into the cloud storage component, and send the notification message to the central control system.
Further, an OpenResty program is installed on each application server;
the application server is specifically configured to store the target malicious sample file to the cloud storage component through the OpenResty program.
Further, the central control system comprises a second load balancing device and at least one central control server connected with the second load balancing device, and each application server is connected with the second load balancing device;
The second load balancing device is configured to receive the notification messages sent by the application servers, and allocate corresponding notification messages to the central control servers based on a second load balancing policy;
the central control server is configured to store address information corresponding to the target malicious sample file in each received notification message into the first file database.
Further, each central control server is provided with a Kafka message queue;
the second load balancing device is specifically configured to send the notification messages allocated to each central control server to the Kafka message queue of the corresponding central control server;
the central control server is specifically configured to obtain the notification messages from the Kafka message queue based on a preset duration, and store address information corresponding to the target malicious sample file in each notification message into the first file database.
Further, the application server is further configured to prohibit the target malicious sample file from being stored again in the cloud storage component when it is determined that the target malicious sample file is already stored in the cloud storage component.
Further, the report message further includes MD5 values of the target malicious sample files;
the application server is specifically configured to match, for the target malicious sample file in each received report message, the MD5 value of the target malicious sample file with the MD5 value of each malicious sample file in a second file database; the second file database stores the MD5 values of each malicious sample file in the cloud storage component;
when the matching is successful, determining that the target malicious sample file is stored in the cloud storage component;
and when the matching fails, determining that the target malicious sample file is not stored in the cloud storage component.
Further, the notification message further includes the MD5 value of the target malicious sample file;
the application server is further configured to store, after storing the target malicious sample file in the cloud storage component, the MD5 value of the target malicious sample file in the second file database;
the central control server is further configured to store the MD5 value of the target malicious sample file in a third file database.
In a second aspect, an embodiment of the present invention further provides a malicious sample file reporting method, which is applied to an application system, where the method includes:
Receiving reporting messages sent by each terminal device; the report message comprises at least one target malicious sample file;
for each target malicious sample file, when the target malicious sample file is determined not to be stored in a cloud storage component, storing the target malicious sample file in the cloud storage component, and sending a notification message to a central control system; the notification message comprises address information corresponding to the target malicious sample file stored in the cloud storage component; the notification message is used for the central control system to store address information corresponding to the target malicious sample file into a first file database so as to download the target malicious sample file in the cloud storage component based on the address information.
In a third aspect, an embodiment of the present invention further provides a malicious sample file reporting device, including:
the receiving unit is used for receiving the report messages sent by the terminal devices respectively; the report message comprises at least one target malicious sample file;
the storage unit is used for storing the target malicious sample files into the cloud storage assembly and sending notification messages to the central control system when the target malicious sample files are determined not to be stored into the cloud storage assembly; the notification message comprises address information corresponding to the target malicious sample file stored in the cloud storage component; the notification message is used for the central control system to store address information corresponding to the target malicious sample file into a first file database so as to download the target malicious sample file in the cloud storage component based on the address information.
In a fourth aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the malicious sample file reporting method according to the second aspect when executing the computer program.
In a fifth aspect, an embodiment of the present invention further provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor implements the malicious sample file reporting method according to the second aspect.
In a sixth aspect, embodiments of the present invention also provide a computer program product having stored thereon executable instructions that, when executed by a processor, cause the processor to implement a malicious sample file reporting method according to the second aspect.
The malicious sample file acquisition system comprises an application system, a central control system and at least one terminal device, wherein the terminal device sends a report message comprising a target malicious sample file to the application system under the condition that at least one target malicious sample file is monitored; for each target malicious sample file, when the application system determines that the target malicious sample file is not stored in the cloud storage component, the application system stores the target malicious sample file in the cloud storage component and sends a notification message to the central control system, wherein the notification message comprises address information corresponding to the storage of the target malicious sample file in the cloud storage component; and the central control system stores address information corresponding to the target malicious sample file into a first file database so as to download the target malicious sample file in the cloud storage component based on the address information. In this way, the malicious sample file acquisition system can store the target malicious sample files which are monitored by each terminal device and are not stored in the cloud storage component into the cloud storage component, so that the aim of timely storing a large number of effective target malicious sample files can be fulfilled; the address information corresponding to the target malicious sample file is sent to the central control system by using the notification message, and the address information is stored in the first file database, so that a user can download the corresponding target malicious sample file from the cloud storage component through the address information, and the purpose that the user timely acquires a large number of effective target malicious sample files is achieved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a malicious sample file acquisition system according to an embodiment of the present invention;
FIG. 2 is a second schematic diagram of a malicious sample file obtaining system according to an embodiment of the present invention;
FIG. 3 is a flow chart of a malicious sample file reporting method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a malicious sample file reporting device provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of an entity structure of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that, in the present invention, the numbers of the described objects, such as "first", "second", etc., are only used to distinguish the described objects, and do not have any sequence or technical meaning.
Malicious sample files are often the subject of computer security researchers, antivirus vendors, and network security specialists' analysis and research, who use various techniques to analyze and detect malicious sample files to understand their working principles, attack paths, and potential threats, thereby providing corresponding security safeguards and solutions. The computer security operator can better prevent security threat for the user through learning and studying and judging the malicious sample file.
It is generally difficult to obtain a large number of malicious sample files. In a practical, real protection scenario, malicious sample files are usually obtained through identification and screening on terminal devices, or are exchanged or shared with other researchers over a network. However, these methods have certain drawbacks and cannot yield a large number of effective malicious sample files.
Based on the above, an embodiment of the invention provides a malicious sample file acquisition system consisting of a central control system, an application system and at least one terminal device, in which the application system performs a deduplication operation on target malicious sample files and stores the effective target malicious sample files in a timely manner, so that malicious sample files are acquired and stored and user requirements are met.
The malicious sample file obtaining system provided by the embodiment of the invention is described below with reference to fig. 1-2.
Fig. 1 is a schematic structural diagram of a malicious sample file obtaining system according to an embodiment of the present invention, where, as shown in fig. 1, the system includes a central control system 110, an application system 120, and at least one terminal device 130, and the central control system 110 is connected to the at least one terminal device 130 through the application system 120.
The terminal device 130 is configured to send a report message to the application system 120 when at least one target malicious sample file is detected; the report message comprises at least one target malicious sample file.
For example, the terminal device 130 may be an electronic device such as a computer, a mobile phone, a tablet computer, a server or a server cluster, or a specially designed smart device. The target malicious sample file is a file containing malicious code that is monitored in the terminal device. Malicious code is any form of computer code designed to be able to perform malicious operations on a victim computer.
The target malicious sample file may be, for example, a computer virus, a Trojan horse, a worm, spyware, etc. The target malicious sample file may take various forms, such as executable files, script files, document files, PDF files, picture files, and the like. Target malicious sample files are commonly used by hackers to attack and invade victim computer systems for the purpose of stealing sensitive information, controlling systems, encrypting files, etc. Hackers often use various techniques to hide or obfuscate target malicious sample files to avoid being detected, inspected, or removed by security protection software.
For example, the terminal device 130 may monitor the target malicious sample file through security protection software installed on the terminal device 130. The security protection software may be a computer program installed on the terminal device 130 for protecting the terminal device 130 and its stored data. For example, the terminal device 130 is installed with antivirus software or security software, and the terminal device 130 is scanned for file identification by using the antivirus software or security software, so that whether the target malicious sample file exists on the terminal device 130 can be monitored.
In case the terminal device 130 monitors at least one target malicious sample file, the terminal device 130 sends a report message to the application system 120, the report message comprising the at least one target malicious sample file.
For example, if three target malicious sample files, namely target malicious sample file A, target malicious sample file B and target malicious sample file C, are detected on the terminal device 130, the terminal device 130 sends a report message to the application system 120 that includes target malicious sample files A, B and C. In particular, the terminal device 130 may send the report message to the application system 120 once a preset number of target malicious sample files have been detected; the preset number may be set as required and is not limited by the present invention.
The application system 120 is configured to store, for each target malicious sample file, the target malicious sample file in the cloud storage component and send a notification message to the central control system 110 when it is determined that the target malicious sample file is not stored in the cloud storage component; the notification message comprises address information corresponding to the target malicious sample file stored in the cloud storage component.
By way of example, the application system 120 may be an electronic device such as a computer, a server, or a server cluster, or a specially designed smart device. One application system 120, or two or more application systems 120, may be provided in the malicious sample file obtaining system; specifically, the number of terminal devices 130 may be determined according to need, and when two or more application systems 120 are provided, each application system 120 is connected to the central control system 110 respectively.
After receiving the report message sent by the terminal device 130, the application system 120 needs to analyze each target malicious sample file in the report message, and after analysis, when determining that the target malicious sample file is not stored in the cloud storage component, stores the target malicious sample file in the cloud storage component, and sends a notification message to the central control system 110. The analysis on each target malicious sample file may be a deduplication operation performed on each target malicious sample file, that is, the analysis determines whether the current cloud storage component already has the same file as the target malicious sample file. And if the current cloud storage component does not have the same file as the target malicious sample file, storing the target malicious sample file into the cloud storage component. By respectively analyzing each target malicious sample file in the reported message, the aim of timely storing the effective target malicious sample files is fulfilled.
The notification message sent by the application system 120 to the central control system 110 includes address information corresponding to the storage of the target malicious sample file in the cloud storage component. The address information may be any information that allows the target malicious sample file to be downloaded, for example a download address for the target malicious sample file, an extraction code for downloading it, a two-dimensional (QR) code for downloading it, or the like.
For example, the report message sent by the terminal device 130 to the application system 120 includes target malicious sample file A, target malicious sample file B, and target malicious sample file C. If the application system 120 analyzes them and determines that a file identical to target malicious sample file C already exists in the current cloud storage component, while no file identical to target malicious sample file A or to target malicious sample file B exists there, the application system 120 stores both target malicious sample file A and target malicious sample file B in the cloud storage component and sends a notification message to the central control system 110, where the notification message includes the download address of target malicious sample file A and the download address of target malicious sample file B.
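The deduplication flow just described (files A, B and C reported, C already present), together with the MD5 matching against the second file database and the queued notification to the central control server described in the summary, as an added example that is not part of the patent. In-memory dicts, sets and a deque stand in for the cloud storage component, the first/second/third file databases and the Kafka queue; the `cloud://` address format and the server-side recomputation of the reported MD5 are this example's own additions.

```python
import hashlib
from collections import deque
from dataclasses import dataclass, field

# Constructed placeholder bodies standing in for the page's files A, B and C
# (harmless text, not malware).
SAMPLE_A = b"constructed sample A"
SAMPLE_B = b"constructed sample B"
SAMPLE_C = b"constructed sample C"


def md5_hex(data: bytes) -> str:
    """MD5 digest as lowercase hex; the dedup key used by the page."""
    return hashlib.md5(data).hexdigest()


@dataclass
class ReportMessage:
    """Report message from a terminal: (claimed MD5, content) pairs."""
    terminal_id: str
    samples: list


@dataclass
class CloudStorage:
    """Stand-in for the cloud storage component, keyed by MD5."""
    objects: dict = field(default_factory=dict)

    def put(self, digest: str, content: bytes) -> str:
        self.objects[digest] = content
        return f"cloud://samples/{digest}"  # hypothetical address format


@dataclass
class ApplicationServer:
    storage: CloudStorage
    second_file_db: set    # MD5 values already present in cloud storage
    notify_queue: deque    # stands in for one central control server's Kafka queue

    def handle_report(self, report: ReportMessage) -> dict:
        """Deduplicate each sample; return stored/duplicate/rejected digests."""
        result = {"stored": [], "duplicate": [], "rejected": []}
        for claimed_md5, content in report.samples:
            # Added check (not in the page): recompute the hash server-side so a
            # wrong client-supplied MD5 can neither suppress a new sample nor
            # let a duplicate through.
            actual = md5_hex(content)
            if actual != claimed_md5:
                result["rejected"].append(claimed_md5)
                continue
            if actual in self.second_file_db:
                # Match succeeded: already in cloud storage, do not store again.
                result["duplicate"].append(actual)
                continue
            # Match failed: store, record the MD5, notify central control.
            address = self.storage.put(actual, content)
            self.second_file_db.add(actual)
            self.notify_queue.append({"md5": actual, "address": address})
            result["stored"].append(actual)
        return result


@dataclass
class CentralControlServer:
    first_file_db: dict = field(default_factory=dict)  # md5 -> address
    third_file_db: set = field(default_factory=set)    # md5 values received

    def drain(self, queue: deque) -> int:
        """Consume queued notifications (the page polls on a preset duration)."""
        count = 0
        while queue:
            msg = queue.popleft()
            self.first_file_db[msg["md5"]] = msg["address"]
            self.third_file_db.add(msg["md5"])
            count += 1
        return count


def run_scenario():
    """Files A, B, C reported; C is already in cloud storage; A and B are new."""
    storage = CloudStorage()
    md5_c = md5_hex(SAMPLE_C)
    storage.put(md5_c, SAMPLE_C)
    app = ApplicationServer(storage, second_file_db={md5_c}, notify_queue=deque())
    central = CentralControlServer()
    report = ReportMessage("terminal-130", [
        (md5_hex(SAMPLE_A), SAMPLE_A),
        (md5_hex(SAMPLE_B), SAMPLE_B),
        (md5_hex(SAMPLE_C), SAMPLE_C),
    ])
    outcome = app.handle_report(report)
    delivered = central.drain(app.notify_queue)
    return outcome, delivered, central


if __name__ == "__main__":
    outcome, delivered, central = run_scenario()
    print(outcome, delivered, central.first_file_db)
```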
The cloud storage component may be a set of services and tools for storing and managing data in a cloud computing environment. Cloud storage components generally provide features of high reliability, high availability, resilient extension, security, ease of use, etc., which can help users easily store, backup, share, and access data. The cloud storage component may be at least one of a cloud storage service, a file synchronization and sharing tool, a data backup and restore service, a database service, an object storage service, a data lake service, and the like. The cloud storage service is an internet-based data storage service, can provide high reliability, high availability, elastic expansion and security, and can store and manage mass data. The file synchronization and sharing tool provides functions of file synchronization, sharing, access control and the like, and can conveniently share and cooperate with other people. The data backup and restoration service may backup data into cloud storage to prevent data loss and disaster recovery. The database service provides an on-cloud database that can conveniently store and manage structured data. The object store service may store and manage a large amount of unstructured data, such as images, video, audio, and the like. The data lake service may store and manage various types of data, such as text, images, video, audio, logs, and the like. The cloud storage component can help users reduce the cost of data storage and management, improve the safety and reliability of data, and provide flexible data storage solutions for various application scenes.
For example, when receiving the report message sent by the terminal device 130, the application system 120 may resolve the domain name of the terminal device 130 to obtain its location information; for example, a DNS server may be used to resolve the domain name of the terminal device 130 to its IP address. With the location information of the terminal device 130 that sent the report message, the target malicious sample file may be further analyzed or applied.
The central control system 110 is configured to store address information corresponding to the target malicious sample file into the first file database, so as to download the target malicious sample file in the cloud storage component based on the address information.
For example, the central control system 110 may be an electronic device such as a computer, a server, or a server cluster, or a specially designed smart device. After receiving the notification message sent by the application system 120, the central control system 110 stores address information corresponding to the target malicious sample file included in the notification message into the first file database. When a user needs to download a target malicious sample, the target malicious sample can be downloaded from the cloud storage component through address information corresponding to the target malicious sample to be downloaded.
For example, if the notification message sent by the application system 120 to the central control system 110 includes the download address of target malicious sample file A and the download address of target malicious sample file B, the central control system 110 stores both download addresses in the first file database; the user can then download target malicious sample file A from the cloud storage component through its download address, and likewise download target malicious sample file B through its download address.
The malicious sample file acquisition system provided by the embodiment of the invention comprises an application system, a central control system and at least one terminal device, wherein the terminal device sends a report message comprising a target malicious sample file to the application system under the condition that at least one target malicious sample file is monitored; for each target malicious sample file, when the application system determines that the target malicious sample file is not stored in the cloud storage component, the application system stores the target malicious sample file in the cloud storage component and sends a notification message to the central control system, wherein the notification message comprises address information corresponding to the storage of the target malicious sample file in the cloud storage component; and the central control system stores address information corresponding to the target malicious sample file into a first file database so as to download the target malicious sample file in the cloud storage component based on the address information. In this way, the malicious sample file acquisition system can store the target malicious sample files which are monitored by each terminal device and are not stored in the cloud storage component into the cloud storage component, so that the aim of timely storing a large number of effective target malicious sample files can be fulfilled; the address information corresponding to the target malicious sample file is sent to the central control system by using the notification message, and the address information is stored in the first file database, so that a user can download the corresponding target malicious sample file from the cloud storage component through the address information, and the purpose that the user timely acquires a large number of effective target malicious sample files is achieved.
By using the malicious sample file acquisition system, a closed-loop link can be realized in which each terminal device monitors and finds a target malicious sample file, reports it, and the file is analyzed and stored. With the large number of effective malicious sample files obtained, security operators can study malicious code, learn computer security technology and improve computer security protection capability.
In the application system, the processing capacity of the whole application system can be improved by arranging load balancing equipment and an application server.
In one embodiment, the application system includes a first load balancing device and at least one application server connected to the first load balancing device; the first load balancing device is connected with at least one terminal device, and each application server is connected with the central control system; the first load balancing device is used for receiving the report messages sent by the terminal devices and distributing the corresponding report messages to the application servers based on a first load balancing policy; and the application server is used for, for the target malicious sample file in each received report message, storing the target malicious sample file in the cloud storage component and sending a notification message to the central control system when it determines that the target malicious sample file is not stored in the cloud storage component.
The first load balancing device may be any device with load balancing capability, for example a load balancer, or a hardware device with a load balancing program installed on it. The first load balancing device may be a load balancing device such as F5, NetScaler or Array, or a device on which load balancing software such as LVS, Nginx or HAProxy is installed. Each terminal device is connected with the first load balancing device and sends its report messages to it. The first load balancing device is connected with each application server and distributes different report messages to the application servers.
The application server may be an electronic device such as a server or a server cluster that processes the target malicious sample file in the report message. Before storing the target malicious sample file, the application server performs a deduplication operation on the target malicious sample file, and when determining that the target malicious sample file is not stored in the cloud storage component, the target malicious sample file is stored in the cloud storage component, so that the repeated storage of the same target malicious sample file is avoided. The same target malicious sample file can be understood as an invalid target malicious sample file, and different target malicious sample files can be understood as valid target malicious sample files, so that the target malicious sample files are stored after the duplication removal operation of the application server, a large number of valid target malicious sample files can be accumulated, the data storage amount can be reduced, and the application efficiency of the target malicious sample files is improved.
After receiving the report messages sent by the terminal devices, the first load balancing device distributes corresponding report messages to the application servers based on a first load balancing policy. The first load balancing policy may be an allocation policy formulated according to factors such as processing capability of each application server or an overall architecture of an application system. By way of example, the first load balancing policy may employ round robin balancing, response speed balancing, processing power balancing, or other form of load balancing policy.
Round robin balancing is taken as an example of the first load balancing policy. A first load balancing device running LVS load balancing software is connected with application server a and application server b. After the first load balancing device receives the first report message sent by a terminal device, it distributes the message to application server a; after it receives the second report message, it distributes the message to application server b; after it receives the third report message, it distributes the message to application server a; and after it receives the fourth report message, it distributes the message to application server b, so that the report messages are distributed in round robin fashion. Distributing report messages in round robin fashion suits the situation in which all application servers in the application system have the same software and hardware configuration and the average service requests are relatively balanced, and improves the overall processing capacity of the application system.
In this embodiment, the first load balancing device distributes corresponding reporting messages to each application server based on the first load balancing policy, so that the processing progress of each application server can be balanced, and the overall processing capability of the application system is improved; and after the application server performs the de-duplication operation on each target malicious sample file, the effective target malicious sample files are stored in the cloud storage component, so that the data storage quantity is reduced, the repetition rate of the malicious sample files in the cloud storage space is reduced, the convenience of subsequent application of the malicious sample files is improved, and the application efficiency is improved.
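The three first-load-balancing policies named above (round robin, response speed, processing power), as an added Python example that is not the patent's own code: `AppServer`, the report identifiers, the capacity units and the per-message response-time increment are constructed assumptions, and the in-memory objects stand in for the LVS device and the application servers.

```python
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, List


@dataclass
class AppServer:
    """One application server behind the first load balancing device (constructed model)."""
    name: str
    capacity: int = 1            # relative processing power, assumed units
    response_ms: float = 0.0     # last observed response time, assumed units
    assigned: List[str] = field(default_factory=list)


class RoundRobinBalancer:
    """Round robin: report messages go to the servers in fixed rotation (a, b, a, b, ...)."""

    def __init__(self, servers: List[AppServer]) -> None:
        self.servers = servers
        self._rotation = cycle(servers)

    def dispatch(self, report_id: str) -> str:
        server = next(self._rotation)
        server.assigned.append(report_id)
        return server.name


class ProcessingPowerBalancer:
    """Processing power balancing: pick the server whose assigned load is smallest
    relative to its capacity, so a server with capacity 3 takes about three times
    as many messages as one with capacity 1."""

    def __init__(self, servers: List[AppServer]) -> None:
        self.servers = servers

    def dispatch(self, report_id: str) -> str:
        server = min(self.servers, key=lambda s: len(s.assigned) / s.capacity)
        server.assigned.append(report_id)
        return server.name


class ResponseSpeedBalancer:
    """Response speed balancing: pick the server with the lowest last response time.
    Each dispatched message is assumed to add cost_ms to that server's response time
    until a fresh measurement arrives (simplifying assumption for this example)."""

    def __init__(self, servers: List[AppServer], cost_ms: float = 20.0) -> None:
        self.servers = servers
        self.cost_ms = cost_ms

    def dispatch(self, report_id: str) -> str:
        server = min(self.servers, key=lambda s: s.response_ms)
        server.assigned.append(report_id)
        server.response_ms += self.cost_ms
        return server.name


def distribute(balancer, report_ids: List[str]) -> Dict[str, List[str]]:
    """Run every report message through the balancer and return the per-server assignment."""
    for report_id in report_ids:
        balancer.dispatch(report_id)
    return {s.name: list(s.assigned) for s in balancer.servers}


if __name__ == "__main__":
    reports = ["report-1", "report-2", "report-3", "report-4"]   # constructed report ids
    print(distribute(RoundRobinBalancer([AppServer("a"), AppServer("b")]), reports))
    print(distribute(ProcessingPowerBalancer([AppServer("a", capacity=3), AppServer("b", capacity=1)]), reports))
    print(distribute(ResponseSpeedBalancer([AppServer("a", response_ms=50), AppServer("b", response_ms=20)]), reports))
```

Round robin only matches the text's assumption that the servers are identical; the other two policies show how a mixed fleet (different capacity, or one server slowed by a backlog of large samples) changes the assignment.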
In order to store effective target malicious sample files into the cloud storage component in a timely manner, an OpenResty program can be installed on each application server and used to store the target malicious sample files.
In an embodiment, an OpenResty program is installed on each application server; the application server is specifically configured to store the target malicious sample file into the cloud storage component through the OpenResty program.
For example, an OpenResty program is installed on each application server in the application system, and after the application server performs the deduplication operation on the target malicious sample file, the effective target malicious sample file is stored into the cloud storage component through the OpenResty program.
The OpenResty program is Nginx-based web application server software that integrates a number of popular Lua libraries and third-party modules and provides a high-performance, extensible, flexible and easy-to-use web development framework. The core of OpenResty is LuaJIT, a high-performance Lua interpreter that executes Lua code quickly.
The OpenResty program can process high-concurrency web requests by combining the high performance and reliability of Nginx with the efficient execution of LuaJIT, which gives it the characteristic of high performance. OpenResty provides rich third-party modules and Lua libraries so that its functions can easily be extended, for example to support Memcached, Redis, MySQL and other common data storage and caching services, which gives it the characteristic of extensibility. OpenResty adopts a Lua-based configuration language in which configuration files can conveniently be written and modified, and supports dynamic loading and unloading of modules, which gives it the characteristic of high flexibility. OpenResty provides a series of easy-to-use APIs and tools with which web applications can conveniently be developed and debugged, which makes it easy to use.
For example, an OpenResty program is installed on each application server in the application system, and when the application server performs the deduplication operation on each target malicious sample file it can use the OpenResty program to do so, so that a large number of repeated malicious sample files can be eliminated.
In this embodiment, the application server stores the target malicious sample file into the cloud storage component by using the OpenResty program, and by using the high performance, extensibility, high flexibility and ease of use of OpenResty stores effective target malicious sample files into the cloud storage component timely and accurately, so that a user can conveniently obtain a large number of effective malicious sample files in a timely manner and the difficulty of obtaining malicious sample files is reduced.
In order to improve the overall processing capacity of the central control system, a second load balancing device and a central control server can be arranged in the central control system.
In an embodiment, the central control system comprises a second load balancing device and at least one central control server connected with the second load balancing device, and each application server is connected with the second load balancing device; the second load balancing device is used for receiving the notification messages sent by the application servers and distributing the corresponding notification messages to the central control servers based on a second load balancing policy; and the central control server is used for storing the address information corresponding to the target malicious sample file in each received notification message into the first file database.
The second load balancing device may be any device with load balancing capability, for example a load balancer, or a hardware device with a load balancing program installed on it. Similar to the first load balancing device, the second load balancing device may be a load balancing device such as F5, NetScaler or Array, or a device on which load balancing software such as LVS, Nginx or HAProxy is installed. Each application server is connected with the second load balancing device and can send notification messages to it. The second load balancing device is connected with each central control server and distributes different notification messages to the central control servers.
The central control server may be an electronic device such as a server or a cluster of servers that processes notification messages. The central control server stores the address information corresponding to the target malicious sample file in each received notification message into the first file database, so that the address information is stored. The first file database thus holds the address information corresponding to a large number of target malicious sample files, and a user can download a large number of effective target malicious sample files through this address information.
The second load balancing policy may be an allocation policy formulated according to factors such as processing capacity of each central control server or overall architecture of the central control system. Similarly, the second load balancing policy may also adopt round robin balancing, response speed balancing, processing capacity balancing or other form of load balancing policy, which is not limited in this embodiment.
In this embodiment, the second load balancing device distributes corresponding notification messages to each central control server based on the second load balancing policy, so that the processing progress of each central control server can be balanced, and the overall processing capability of the central control system is improved. The central control server stores address information corresponding to the target malicious sample files in the received notification messages into the first file database, so that a large amount of address information corresponding to the target malicious sample files can be provided for users, and the users can conveniently download the target malicious sample files. In addition, only the address information is stored in the first file database, and the target malicious sample files are not stored, so that the occupation of the storage space of the first file database can be greatly reduced, and the utilization rate of the first file database is improved.
In order to timely and reliably store the address information corresponding to the target malicious sample file in each notification message into the first file database, a Kafka message queue may be installed on each central control server.
In one embodiment, each central control server is provided with a Kafka message queue; the second load balancing device is specifically configured to send the notification messages distributed to each central control server to the Kafka message queue of the corresponding central control server; and the central control server is specifically configured to obtain notification messages from the Kafka message queue based on a preset duration and store the address information corresponding to the target malicious sample file in each notification message into the first file database.
For example, when the second load balancing device distributes each received notification message to the corresponding central control server, it sends the notification message to the Kafka message queue of that central control server, and the notification message is managed by the Kafka message queue. The central control server acquires the notification messages in the Kafka message queue based on the preset duration, which can be set according to the actual running condition of the central control system; reading on the preset duration prevents the central control server from reading the Kafka message queue too frequently and improves the overall running efficiency of the central control system.
The Kafka message queue is a high-throughput, distributed message queue system, and is mainly used for processing large-scale real-time data streams, such as website activity logs, sensor data, business indexes and the like. The Kafka message queue can provide an extensible, high-performance and durable message transmission system and is widely applied to the fields of big data processing, real-time data stream processing, log collection, message transmission and the like.
The architecture of the Kafka message queue includes three components: producers, consumers and brokers. The producer is responsible for sending messages to the Kafka message queue, the consumer is responsible for subscribing to and receiving messages from the Kafka message queue, and the broker is responsible for storing and distributing messages. The messages of the Kafka message queue are organized and managed in the form of topics, each topic being divided into a plurality of partitions, each partition being replicated and backed up across a plurality of brokers.
The Kafka message queue can process millions of messages per second in a distributed environment, and simultaneously supports multiple consumer groups and multiple partitions, and the processing capacity can be conveniently expanded, so that the Kafka message queue has the characteristic of high throughput. The message of the Kafka message queue is persistently stored, and can be copied and backed up in a plurality of copies to ensure that the message is not lost, so that the Kafka message queue has the characteristic of high reliability. The Kafka message queue supports multiple message formats and protocols and can be integrated with a variety of different applications and data processing tools, which enables the Kafka message queue to have the characteristic of high flexibility. The Kafka message queue can process stream data in real time and support real-time data stream analysis and processing, so that the Kafka message queue has the characteristic of high real-time performance.
In this embodiment, each central control server is provided with a Kafka message queue, and the second load balancing device sends each notification message to the Kafka message queue of the corresponding central control server; the notification messages received by the central control server are managed by using the high throughput, high reliability, high flexibility and high real-time performance of the Kafka message queue, and the address information corresponding to the target malicious sample file in each notification message is stored based on the Kafka message queue, so that the notification messages are acquired and stored efficiently.
In an embodiment, the application server is further configured to prohibit the target malicious sample file from being stored again in the cloud storage component when it is determined that the target malicious sample file has been stored in the cloud storage component.
For example, when the application server determines that the target malicious sample files are stored in the cloud storage component, the application server prohibits the target malicious sample files from being stored in the cloud storage component again, namely, when analyzing each target malicious sample file to perform the duplication removal operation, the application server does not store the target malicious sample files stored in the cloud storage component again, so that the repeated storage of the same target malicious sample files is effectively prevented, and adverse effects caused by redundant data operation are avoided.
In order to quickly and accurately determine whether the target malicious sample file is a malicious sample file already stored in the cloud storage component, the determination may be made based on the md5 value of the target malicious sample file.
In an embodiment, the report message further includes the md5 value of each target malicious sample file; the application server is specifically configured to match, for the target malicious sample file in each received report message, the md5 value of the target malicious sample file with the md5 value of each malicious sample file in the second file database, where the second file database stores the md5 values of the malicious sample files in the cloud storage component; when the matching succeeds, it determines that the target malicious sample file is stored in the cloud storage component, and when the matching fails, it determines that the target malicious sample file is not stored in the cloud storage component.
Illustratively, the md5 value of the target malicious sample file may be obtained by an md5 algorithm program. For example, an md5 algorithm program is loaded in the terminal device or in the security protection software on the terminal device, and after the terminal device monitors the target malicious sample file, it computes the md5 value of the file with the md5 algorithm.
The second file database stores the md5 values of the malicious sample files in the cloud storage component. When the md5 value is used for the deduplication operation, the application server matches, for the target malicious sample file in each received report message, the md5 value of the target malicious sample file with the md5 value of each malicious sample file in the second file database. When the matching succeeds, it can be determined that the target malicious sample file is already stored in the cloud storage component, and the application server does not store it; when the matching fails, it can be determined that the target malicious sample file is not stored in the cloud storage component, and the application server stores it.
In this embodiment, based on the md5 value of the target malicious sample file, the md5 value of each malicious sample file in the second file database is used to match the target malicious sample file, so that whether the target malicious sample file is a malicious sample file stored in the cloud storage component can be quickly and accurately determined, and the speed and accuracy of the deduplication operation of the application server are improved.
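The application-server side of the md5 deduplication described above, as an added Python example that is not the patent's code: a set stands in for the second file database, a dict for the cloud storage component, and the `cloud://samples/<md5>` address format, the `ReportMessage` fields and the server-side recomputation of the digest are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def md5_hex(data: bytes) -> str:
    """md5 of the sample bytes as a lowercase hex string (the digest the page uses)."""
    return hashlib.md5(data).hexdigest()


@dataclass
class ReportMessage:
    """One report from a terminal device: the sample and the md5 the terminal computed."""
    filename: str
    content: bytes
    md5: str


@dataclass
class Notification:
    """What the application server sends to the central control system after storing a sample."""
    address: str
    md5: str


@dataclass
class ApplicationServer:
    second_file_db: Set[str] = field(default_factory=set)         # md5 of every stored sample (Redis stand-in)
    cloud_storage: Dict[str, bytes] = field(default_factory=dict)  # address -> sample bytes (cloud storage stand-in)
    notifications: List[Notification] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)              # reports whose md5 did not match the content

    def is_stored(self, md5: str) -> bool:
        """Match the md5 against the second file database."""
        return md5 in self.second_file_db

    def handle(self, report: ReportMessage) -> Optional[Notification]:
        """Deduplicate one reported sample; returns the notification if it was newly stored."""
        # Added check (assumption): recompute the digest rather than trusting the reported value,
        # so a wrong or tampered md5 cannot make a duplicate look new or a new file look stored.
        actual = md5_hex(report.content)
        if actual != report.md5:
            self.rejected.append(report.filename)
            return None
        if self.is_stored(actual):
            return None  # already in cloud storage: storing it again is prohibited
        address = f"cloud://samples/{actual}"   # assumed address format
        self.cloud_storage[address] = report.content
        self.second_file_db.add(actual)         # keep the second file database in step with storage
        note = Notification(address=address, md5=actual)
        self.notifications.append(note)
        return note


def make_report(filename: str, content: bytes) -> ReportMessage:
    """What a terminal device would send: constructed sample bytes plus their md5."""
    return ReportMessage(filename, content, md5_hex(content))


if __name__ == "__main__":
    server = ApplicationServer()
    sample = b"constructed sample bytes, not real malware"
    print(server.handle(make_report("sample-a.bin", sample)))        # stored, notification returned
    print(server.handle(make_report("sample-a-copy.bin", sample)))   # None: duplicate
    print(server.handle(ReportMessage("bad.bin", b"x", "0" * 32)))   # None: md5 mismatch, rejected
```

Recomputing the digest on the application server is an added check: the page has the terminal compute the md5, but a deduplication index should be keyed on what was actually received. MD5 is the digest the page specifies; because MD5 collisions are practical, an index keyed only on md5 can treat two different files as the same sample, so a practitioner would normally record SHA-256 alongside it.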
In order to perform the deduplication operation on the target malicious sample file more accurately, the data in the second file database can be updated in time. Meanwhile, in order to improve the reliability of each stored md5 value, each md5 value may be stored in the central control system and updated synchronously.
In an embodiment, the notification message further includes an md5 value of the target malicious sample file; the application server is further used for storing the md5 value of the target malicious sample file in the second file database after storing the target malicious sample file in the cloud storage component; the central control server is further used for storing the md5 value of the target malicious sample file in a third file database.
When storing each target malicious sample file, the md5 value of each target malicious sample file is stored in the second file database, so that each md5 value in the second file database can correspond to each malicious sample file in the cloud storage component, the accuracy of the target malicious sample file deduplication operation is improved, and the existing target malicious sample file is prevented from being stored in the cloud storage component again.
The notification message sent to the central control system by the application server comprises the md5 value of the target malicious sample file stored in the cloud storage component, and the central control server stores this md5 value in the third file database, which improves the reliability of storing the md5 values of the target malicious sample files. For example, if the data of the second file database is lost or damaged, it can be recovered from the data in the third file database, which avoids the problem that the deduplication operation cannot be performed accurately because the malicious sample files in the cloud storage component no longer correspond to the md5 values in the second file database.
Fig. 2 is a second schematic structural diagram of a malicious sample file obtaining system provided in an embodiment of the present invention, as shown in fig. 2, each terminal device is connected with a first load balancing device LVS in an application system, the first load balancing device LVS is connected with each application server in the application system, each application server is connected with a second load balancing device LVS in a central control system, the second load balancing device LVS is connected with each central control server, each central control server is connected with a first file database and a third file database, each application server is connected with a second file database, and each application server is connected with a cloud storage component. The first file database may be a DB cluster, the second file database may be a redis cluster, and the third file database may be a redis cluster.
After the security protection software installed on the terminal device monitors a target malicious sample file, it compresses and packages the file and sends a report message to the first load balancing device LVS in the application system, where the report message comprises the target malicious sample file and its md5 value. The first load balancing device LVS distributes the report message to an application server in the application system.
The application server that receives the report message judges whether the target malicious sample file already exists in the cloud storage component according to the md5 values of the malicious sample files currently stored in the second file database redis cluster. If it exists, the target malicious sample file is not uploaded to the cloud storage component; if it does not exist, the target malicious sample file is uploaded to the cloud storage component for storage, its md5 value is stored in the second file database redis cluster, and a notification message is sent to the second load balancing device LVS of the central control system, where the notification message comprises the address information corresponding to the storage of the target malicious sample file in the cloud storage component and the md5 value of the target malicious sample file.
The second load balancing device LVS distributes the notification message to the kafka message queue of one central control server. The central control server acquires the notification message from the kafka message queue based on the preset duration, stores the address information corresponding to the target malicious sample file in the notification message into the first file database DB cluster, and stores the md5 value of the target malicious sample file into the third file database redis cluster.
This completes the whole process of monitoring, deduplicating, storing and uploading the target malicious sample file and updating its md5 value; the system thereby acquires a large number of effective target malicious sample files and allows users to download and apply each of them.
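The central-control side of the flow just described (the notification queue read on a preset duration, address information into the first file database, md5 value into the third file database, and recovery of the second file database from the third, as in the Kafka and md5-synchronisation passages above), as an added Python example that is not the patent's code: `collections.deque` stands in for the Kafka message queue of one central control server, a dict for the DB cluster, a set for the Redis cluster, and the md5-to-address keying, the `poll(now)` clock injection and the sample notifications are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set


@dataclass
class Notification:
    """Notification message from an application server: storage address plus md5 of the sample."""
    address: str
    md5: str


@dataclass
class CentralControlServer:
    preset_duration: float                                       # seconds between reads of the queue
    queue: Deque[Notification] = field(default_factory=deque)    # stand-in for this server's Kafka queue
    first_file_db: Dict[str, str] = field(default_factory=dict)  # md5 -> download address (DB cluster stand-in)
    third_file_db: Set[str] = field(default_factory=set)         # md5 values (Redis cluster stand-in)
    last_read_at: float = 0.0

    def enqueue(self, note: Notification) -> None:
        """What the second load balancing device does: deliver the notification to this server's queue."""
        self.queue.append(note)

    def poll(self, now: float) -> int:
        """Read the queue only once the preset duration has elapsed since the last read,
        so the server does not hit the queue too frequently. Returns the number of
        notifications stored on this call."""
        if now - self.last_read_at < self.preset_duration:
            return 0
        self.last_read_at = now
        stored = 0
        while self.queue:
            note = self.queue.popleft()
            self.first_file_db[note.md5] = note.address   # address information -> first file database
            self.third_file_db.add(note.md5)              # md5 value -> third file database
            stored += 1
        return stored

    def download_address(self, md5: str) -> Optional[str]:
        """Lookup a user makes to download the sample from the cloud storage component."""
        return self.first_file_db.get(md5)

    def rebuild_second_file_db(self) -> Set[str]:
        """Recovery path: if the application side's second file database is lost or damaged,
        the md5 set kept in the third file database is the data to restore it from."""
        return set(self.third_file_db)


if __name__ == "__main__":
    ccs = CentralControlServer(preset_duration=1.0)
    for i in range(3):   # constructed notifications, not real storage addresses
        ccs.enqueue(Notification(f"cloud://samples/md5-{i}", f"md5-{i}"))
    print(ccs.poll(now=0.5))   # 0: preset duration not yet elapsed
    print(ccs.poll(now=1.0))   # 3: queue drained into the first and third file databases
    print(ccs.download_address("md5-1"))
    print(ccs.rebuild_second_file_db())
```

In the Fig. 2 deployment the queue is a Kafka topic and the two stores are the DB and redis clusters; here the read interval is driven by an injected clock so the preset-duration rule can be checked without sleeping.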
Fig. 3 is a flow chart of a malicious sample file reporting method provided by an embodiment of the present invention, where the method is applied to an application system, and as shown in fig. 3, the method includes the following steps:
step 310, receiving the report messages sent by the terminal devices respectively; the report message comprises at least one target malicious sample file.
Step 320, for each target malicious sample file, when it is determined that the target malicious sample file is not stored in the cloud storage component, storing the target malicious sample file in the cloud storage component, and sending a notification message to the central control system; the notification message comprises address information corresponding to the target malicious sample file stored in the cloud storage component; the notification message is used for the central control system to store address information corresponding to the target malicious sample file into the first file database so as to download the target malicious sample file in the cloud storage component based on the address information.
The malicious sample file reporting method of this embodiment implements the functions of the application system in the malicious sample file acquisition system of each implementation above; its specific implementation process and technical effects are similar to those of the application system side embodiment of the malicious sample file acquisition system, to which reference may be made, and are not repeated here.
The malicious sample file reporting device provided by the embodiment of the invention is described below, and the malicious sample file reporting device described below and the malicious sample file reporting method described above can be referred to correspondingly.
Fig. 4 is a schematic structural diagram of a malicious sample file reporting apparatus according to an embodiment of the present invention, where, as shown in fig. 4, a malicious sample file reporting apparatus 400 includes:
a receiving unit 410, configured to receive a report message sent by each terminal device; the report message comprises at least one target malicious sample file;
the storage unit 420 is configured to store, for each target malicious sample file, the target malicious sample file into the cloud storage component and send a notification message to the central control system when it is determined that the target malicious sample file is not stored into the cloud storage component; the notification message comprises address information corresponding to the target malicious sample file stored in the cloud storage component; the notification message is used for the central control system to store address information corresponding to the target malicious sample file into the first file database so as to download the target malicious sample file in the cloud storage component based on the address information.
The apparatus of this embodiment may be used to execute the malicious sample file reporting method of the method embodiment above; its specific implementation process and technical effects are similar to those of that method embodiment, to which reference may be made, and are not repeated here.
Fig. 5 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present invention. As shown in Fig. 5, the electronic device may include a processor 510, a communication interface (Communications Interface) 520, a memory 530 and a communication bus 540, where the processor 510, the communication interface 520 and the memory 530 communicate with each other through the communication bus 540. The processor 510 may invoke logic instructions in the memory 530 to perform the malicious sample file reporting method provided by the above embodiments, the method comprising: receiving the report messages sent by each terminal device, the report message comprising at least one target malicious sample file; and, for each target malicious sample file, when it is determined that the target malicious sample file is not stored in the cloud storage component, storing the target malicious sample file in the cloud storage component and sending a notification message to the central control system, where the notification message comprises address information corresponding to the target malicious sample file stored in the cloud storage component, and the notification message is used by the central control system to store the address information corresponding to the target malicious sample file into the first file database so that the target malicious sample file can be downloaded from the cloud storage component based on the address information.
Further, the logic instructions in the memory 530 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art or in part, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, an embodiment of the present invention further provides a non-transitory computer readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, performs the malicious sample file reporting method provided in the foregoing embodiment, the method comprising: receiving report messages sent by each terminal device, the report message comprising at least one target malicious sample file; for each target malicious sample file, when it is determined that the target malicious sample file is not stored in the cloud storage component, storing the target malicious sample file in the cloud storage component and sending a notification message to the central control system, the notification message comprising address information corresponding to the target malicious sample file stored in the cloud storage component; the notification message being used by the central control system to store the address information corresponding to the target malicious sample file into the first file database so as to download the target malicious sample file from the cloud storage component based on the address information.
In yet another aspect, an embodiment of the present invention further provides a computer program product, including a computer program stored on a non-transitory computer readable storage medium, the computer program including program instructions which, when executed by a computer, enable the computer to perform the malicious sample file reporting method provided by the above embodiment, the method comprising: receiving report messages sent by each terminal device, the report message comprising at least one target malicious sample file; for each target malicious sample file, when it is determined that the target malicious sample file is not stored in the cloud storage component, storing the target malicious sample file in the cloud storage component and sending a notification message to the central control system, the notification message comprising address information corresponding to the target malicious sample file stored in the cloud storage component; the notification message being used by the central control system to store the address information corresponding to the target malicious sample file into the first file database so as to download the target malicious sample file from the cloud storage component based on the address information.
The apparatus embodiments described above are merely illustrative: the elements illustrated as separate elements may or may not be physically separate, and the elements shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (13)

1. A malicious sample file acquisition system, characterized by comprising an application system, a central control system and at least one terminal device, wherein the central control system is connected to the at least one terminal device through the application system;
the terminal device is configured to send a report message to the application system when at least one target malicious sample file is detected; the report message comprises the at least one target malicious sample file;
the application system is configured to, for each target malicious sample file, store the target malicious sample file into a cloud storage component and send a notification message to the central control system when it is determined that the target malicious sample file is not stored in the cloud storage component; the notification message comprises address information corresponding to the target malicious sample file stored in the cloud storage component;
the central control system is configured to store the address information corresponding to the target malicious sample file into a first file database so as to download the target malicious sample file from the cloud storage component based on the address information.
2. The malicious sample file acquisition system of claim 1, wherein the application system comprises a first load balancing device and at least one application server connected to the first load balancing device; the first load balancing device is connected to the at least one terminal device, and each application server is connected to the central control system;
the first load balancing device is configured to receive the report messages sent by each terminal device, and allocate corresponding report messages to each application server based on a first load balancing policy;
the application server is configured to, for the target malicious sample file in each received report message, store the target malicious sample file into the cloud storage component when it is determined that the target malicious sample file is not stored in the cloud storage component, and send the notification message to the central control system.
3. The malicious sample file acquisition system according to claim 2, wherein each of the application servers has an OpenResty program installed;
the application server is specifically configured to store the target malicious sample file into the cloud storage component through the OpenResty program.
4. The malicious sample file acquisition system of claim 2, wherein the central control system comprises a second load balancing device and at least one central control server connected to the second load balancing device, each of the application servers being connected to the second load balancing device;
the second load balancing device is configured to receive the notification messages sent by the application servers, and allocate corresponding notification messages to each central control server based on a second load balancing policy;
the central control server is configured to store the address information corresponding to the target malicious sample file in each received notification message into the first file database.
5. The malicious sample file acquisition system of claim 4, wherein each of the central control servers has a Kafka message queue installed;
the second load balancing device is specifically configured to send the notification messages allocated to each central control server to the Kafka message queue of the corresponding central control server;
the central control server is specifically configured to obtain the notification message from the Kafka message queue according to a preset duration, and store the address information corresponding to the target malicious sample file in the notification message into the first file database.
6. The malicious sample file acquisition system of claim 2, wherein
the application server is further configured to prohibit the target malicious sample file from being stored again in the cloud storage component when it is determined that the target malicious sample file is already stored in the cloud storage component.
7. The malicious sample file acquisition system of any one of claims 2-6, wherein the report message further includes an MD5 value of each of the target malicious sample files;
the application server is specifically configured to match, for the target malicious sample file in each received report message, the MD5 value of the target malicious sample file with the MD5 value of each malicious sample file in a second file database; the second file database stores the MD5 value of each malicious sample file in the cloud storage component;
when the matching succeeds, determine that the target malicious sample file is stored in the cloud storage component;
and when the matching fails, determine that the target malicious sample file is not stored in the cloud storage component.
8. The malicious sample file acquisition system according to claim 7, wherein the notification message further includes the MD5 value of the target malicious sample file;
the application server is further configured to store, after storing the target malicious sample file in the cloud storage component, the MD5 value of the target malicious sample file in the second file database;
the central control server is further configured to store the MD5 value of the target malicious sample file in a third file database.
9. A malicious sample file reporting method, which is applied to an application system, the method comprising:
receiving reporting messages sent by each terminal device; the report message comprises at least one target malicious sample file;
for each target malicious sample file, when the target malicious sample file is determined not to be stored in a cloud storage component, storing the target malicious sample file in the cloud storage component, and sending a notification message to a central control system; the notification message comprises address information corresponding to the target malicious sample file stored in the cloud storage component; the notification message is used for the central control system to store address information corresponding to the target malicious sample file into a first file database so as to download the target malicious sample file in the cloud storage component based on the address information.
10. A malicious sample file reporting device, comprising:
a receiving unit, configured to receive the report messages sent by each terminal device; the report message comprises at least one target malicious sample file;
a storage unit, configured to, for each target malicious sample file, store the target malicious sample file into a cloud storage component and send a notification message to a central control system when it is determined that the target malicious sample file is not stored in the cloud storage component; the notification message comprises address information corresponding to the target malicious sample file stored in the cloud storage component; the notification message is used by the central control system to store the address information corresponding to the target malicious sample file into a first file database so as to download the target malicious sample file from the cloud storage component based on the address information.
11. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the computer program, implements the malicious sample file reporting method of claim 9.
12. A non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the malicious sample file reporting method of claim 9.
13. A computer program product having stored thereon executable instructions which, when executed by a processor, cause the processor to implement the malicious sample file reporting method of claim 9.
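The following is an added worked example of the application-server side of the reporting method described in claims 6 to 9 (and repeated in the description of Fig. 5); it is not code from the patent or from the applicant's product. The in-memory cloud storage component, the `cloud://samples/<md5>` address scheme, the dict- and set-based first, second and third file databases, and the check that the reported MD5 value matches the received bytes are all assumptions added here; the sample bytes are constructed and are not malware.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ReportMessage:
    """Report message from a terminal device (claim 7): each target malicious
    sample file travels with its MD5 value."""
    terminal_id: str
    samples: list  # list of (md5_hex, file_bytes) tuples


class CloudStorageComponent:
    """In-memory stand-in for the cloud storage component (an assumption)."""

    def __init__(self):
        self._objects = {}

    def put(self, md5_hex, content):
        # Assumed address scheme: one object per sample, keyed by its MD5.
        address = f"cloud://samples/{md5_hex}"
        self._objects[address] = content
        return address

    def get(self, address):
        return self._objects[address]

    def object_count(self):
        return len(self._objects)


class CentralControlSystem:
    """Keeps address information in the first file database and the MD5
    value in the third file database (claims 1 and 8)."""

    def __init__(self, storage):
        self._storage = storage
        self.first_file_db = {}     # md5 -> address information
        self.third_file_db = set()  # md5 values of notified samples

    def on_notification(self, notification):
        md5_hex = notification["md5"]
        self.first_file_db[md5_hex] = notification["address"]
        self.third_file_db.add(md5_hex)

    def download(self, md5_hex):
        # Fetch the sample from the cloud storage component using the stored
        # address information (claim 1).
        return self._storage.get(self.first_file_db[md5_hex])


class ApplicationServer:
    """Application-server side of the reporting method (claims 6 to 9)."""

    def __init__(self, storage, central):
        self._storage = storage
        self._central = central
        self.second_file_db = set()  # MD5 of every sample already in storage

    def handle_report(self, msg):
        results = []
        for md5_hex, content in msg.samples:
            # Added integrity check (not in the claims): the reported MD5 must
            # match the bytes actually received, or the entry is rejected.
            if hashlib.md5(content).hexdigest() != md5_hex:
                results.append((md5_hex, "md5_mismatch"))
                continue
            # Claim 7: match the MD5 against the second file database.
            if md5_hex in self.second_file_db:
                # Claim 6: already in storage, do not store it again.
                results.append((md5_hex, "already_stored"))
                continue
            address = self._storage.put(md5_hex, content)
            self.second_file_db.add(md5_hex)  # claim 8
            # The notification message carries the address information and
            # the MD5 value (claims 1 and 8).
            self._central.on_notification({"md5": md5_hex, "address": address})
            results.append((md5_hex, "stored"))
        return results


def build_system():
    storage = CloudStorageComponent()
    central = CentralControlSystem(storage)
    return storage, central, ApplicationServer(storage, central)


def demo():
    """Two terminals report overlapping samples (constructed bytes, not real
    malware); returns the per-sample outcomes and the system state."""
    storage, central, app = build_system()
    sample_a = b"constructed sample A"
    sample_b = b"constructed sample B"
    md5_a = hashlib.md5(sample_a).hexdigest()
    md5_b = hashlib.md5(sample_b).hexdigest()
    first = app.handle_report(
        ReportMessage("terminal-1", [(md5_a, sample_a), (md5_b, sample_b)]))
    # The second terminal re-reports A and sends B with a wrong MD5 value.
    second = app.handle_report(
        ReportMessage("terminal-2", [(md5_a, sample_a), ("0" * 32, sample_b)]))
    return first, second, storage, central


if __name__ == "__main__":
    first, second, storage, central = demo()
    print(first)
    print(second)
    print("objects in cloud storage:", storage.object_count())
```

Running the module stores the two distinct samples once, skips the re-reported one under the claim 6 rule, and rejects the entry whose MD5 value does not match its bytes. The claims key deduplication on MD5 alone; an operator deploying such a pipeline would typically also record a SHA-256 for each stored sample, since MD5 collisions can be constructed and a collision would silently merge two different files under one address.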

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310622089.4A CN116821896A (en) 2023-05-29 2023-05-29 Malicious sample file acquisition system, malicious sample file reporting method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310622089.4A CN116821896A (en) 2023-05-29 2023-05-29 Malicious sample file acquisition system, malicious sample file reporting method and device

Publications (1)

Publication Number Publication Date
CN116821896A true CN116821896A (en) 2023-09-29

Family

ID=88115747

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310622089.4A Pending CN116821896A (en) 2023-05-29 2023-05-29 Malicious sample file acquisition system, malicious sample file reporting method and device

Country Status (1)

Country Link
CN (1) CN116821896A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination