CN117056915B - File detection method and device, medium and electronic equipment - Google Patents


Info

Publication number: CN117056915B
Authority: CN (China)
Prior art keywords: file, candidate, attack type, malicious attack, target electronic
Legal status: Active
Application number: CN202311309242.4A
Other languages: Chinese (zh)
Other versions: CN117056915A (en)
Inventor: 奚乾悦, 辛颖, 肖新光
Current Assignee: Shenzhen Antan Network Security Technology Co ltd
Original Assignee: Shenzhen Antan Network Security Technology Co ltd

Application filed by Shenzhen Antan Network Security Technology Co ltd
Priority to CN202311309242.4A
Publication of CN117056915A
Application granted
Publication of CN117056915B
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
    • G06F9/5038 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals considering the execution order of a plurality of tasks, e.g. taking priority or time dependency constraints into consideration

Abstract

The present disclosure relates to the field of network security technologies, and in particular to a file detection method, apparatus, medium, and electronic device. The method comprises the following steps: determining candidate files; determining the malicious attack types for which each candidate file has not yet been checked as candidate attack types, so as to obtain a candidate attack type list set $H$; traversing $H$ for each malicious attack type to obtain a to-be-detected file quantity list $JN = (JN_1, JN_2, \ldots, JN_w, \ldots, JN_y)$; obtaining a device quantity list $SN = (SN_1, SN_2, \ldots, SN_w, \ldots, SN_y)$; and, if $JN_w \le SN_w$, sending the candidate files corresponding to each candidate attack type list that contains the w-th malicious attack type to the device group corresponding to $SN_w$. The method controls the computing resource utilization of the file detection server and reasonably allocates the candidate files so that the server retains residual computing power to process urgent tasks.

Description

File detection method and device, medium and electronic equipment
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, a medium, and an electronic device for detecting a file.
Background
A terminal security protection system can use a client to collect files to be detected and upload them to a file detection server. The file detection server holds a full virus library and checks the reported objects against that library or against detection rules, providing functions such as cloud-based scanning and removal. However, in some cases the file detection server may be executing several compute-intensive tasks at the same time, for example several network-wide virus scans, which drives its current computing resource utilization too high. If an urgent file detection task is waiting to be processed at that moment, the file detection server does not have enough computing power to handle it.
Disclosure of Invention
The technical problem to be solved by the application is as follows: how the computing resource utilization of the file detection server can be reasonably controlled to enable it to handle urgent tasks with residual computing power.
In view of the above technical problems, according to a first aspect of the present application, there is provided a method applied to a file detection server, where the file detection server is connected with a plurality of device groups, each device group including a plurality of target electronic devices; associating a malicious attack type with each device group; each malicious attack type is provided with a corresponding virus library respectively; each target electronic device in each device group is provided with a virus library corresponding to the malicious attack type associated with the device group in which the target electronic device is positioned; the file detection server is internally provided with virus libraries corresponding to all malicious attack types;
The method comprises the following steps:
in response to the current computing resource utilization of the file detection server being greater than a preset utilization threshold, determining at least one file that has not completed detection as a candidate file;
determining the malicious attack types for which each candidate file has not yet been checked as candidate attack types, to obtain a candidate attack type list set $H = (H_1, H_2, \ldots, H_c, \ldots, H_d)$; $c = 1, 2, \ldots, d$; $H_c = (H_{c,1}, H_{c,2}, \ldots, H_{c,e}, \ldots, H_{c,s(c)})$; $d$ is the number of candidate files; $s(c)$ is the number of malicious attack types for which the c-th candidate file has not yet been checked; $H_c$ is the candidate attack type list corresponding to the c-th candidate file; $H_{c,e}$ is the e-th malicious attack type for which the c-th candidate file has not yet been checked; $e = 1, 2, \ldots, s(c)$;
traversing each candidate attack type list in $H$ for each malicious attack type to obtain a to-be-detected file quantity list $JN = (JN_1, JN_2, \ldots, JN_w, \ldots, JN_y)$; $y$ is the number of all malicious attack types; $JN_w$ is the number of candidate attack type lists in $H$ that contain the w-th malicious attack type; $w = 1, 2, \ldots, y$;
obtaining the number of target electronic devices in each device group whose current state is idle, to obtain a device quantity list $SN = (SN_1, SN_2, \ldots, SN_w, \ldots, SN_y)$; $SN_w$ is the number of target electronic devices whose current state is idle in the device group corresponding to the w-th malicious attack type;
comparing $JN_w$ in $JN$ with $SN_w$ in $SN$ and, if $JN_w \le SN_w$, sending the $JN_w$ candidate files corresponding to the w-th malicious attack type to the device group corresponding to $SN_w$ for malicious detection.
In an exemplary embodiment of the present application, after the number of target electronic devices in each device group whose current state is idle is obtained to give the device quantity list $SN = (SN_1, SN_2, \ldots, SN_w, \ldots, SN_y)$, the method further comprises:
comparing $JN_w$ in $JN$ with $SN_w$ in $SN$ and, if $JN_w > SN_w$, determining $SN_w$ candidate files among the $JN_w$ candidate files corresponding to the w-th malicious attack type as the target files corresponding to the w-th malicious attack type;
sending the $SN_w$ target files corresponding to the w-th malicious attack type to the device group corresponding to $SN_w$.
In an exemplary embodiment of the present application, determining $SN_w$ candidate files among the $JN_w$ candidate files corresponding to the w-th malicious attack type as the target files corresponding to the w-th malicious attack type comprises:
obtaining the file size of each candidate file corresponding to the w-th malicious attack type to obtain a file size list $D_w = (D_{w,1}, D_{w,2}, \ldots, D_{w,h}, \ldots, D_{w,JN_w})$; $D_{w,h}$ is the file size of the h-th candidate file after the file sizes of the candidate files corresponding to the w-th malicious attack type are arranged from small to large; $h = 1, 2, \ldots, JN_w$;
taking the candidate files corresponding to the first $SN_w$ file sizes in $D_w$ as the target files corresponding to the w-th malicious attack type.
In an exemplary embodiment of the present application, the method further includes: after any target electronic device is determined to receive a candidate file, the current state of the target electronic device is switched from the idle state to the non-idle state.
In an exemplary embodiment of the present application, comparing $JN_w$ in $JN$ with $SN_w$ in $SN$ and, if $JN_w \le SN_w$, sending the $JN_w$ candidate files corresponding to the w-th malicious attack type to the device group corresponding to $SN_w$ for malicious detection comprises:
comparing $JN_w$ in $JN$ with $SN_w$ in $SN$ and, if $JN_w \le SN_w$, obtaining the file size of each candidate file corresponding to the w-th malicious attack type to obtain a file size list $E_w = (E_{w,1}, E_{w,2}, \ldots, E_{w,h}, \ldots, E_{w,JN_w})$; $E_{w,h}$ is the file size of the h-th candidate file after the file sizes of the candidate files corresponding to the w-th malicious attack type are arranged from large to small;
acquiring a device performance priority list $XF_w = (XF_{w,1}, XF_{w,2}, \ldots, XF_{w,r}, \ldots, XF_{w,SN_w})$ of the target electronic devices whose current state is idle in the device group corresponding to the w-th malicious attack type; $r = 1, 2, \ldots, SN_w$; $XF_{w,r}$ is the performance priority of the target electronic device whose performance priority ranks r-th among the target electronic devices whose current state is idle in the device group corresponding to the w-th malicious attack type;
$XF_{w,r}$ satisfies the following condition:
$XF_{w,r} = \alpha \times XF1_{w,r} + \beta \times XF2_{w,r}$
where $\alpha + \beta = 1$; $XF1_{w,r}$ is the CPU performance priority; if the number of CPU cores of the target electronic device corresponding to $XF1_{w,r}$ is less than or equal to a first number threshold, $XF1_{w,r} = F11$; if the number of CPU cores of the target electronic device corresponding to $XF1_{w,r}$ is greater than the first number threshold and less than a second number threshold, $XF1_{w,r} = F12$; if the number of CPU cores of the target electronic device corresponding to $XF1_{w,r}$ is greater than the second number threshold, $XF1_{w,r} = F13$; $0 < F11 < F12 < F13 < 1$; F11, F12, F13 are preset CPU performance priorities;
$XF2_{w,r}$ is the memory performance priority; if the memory capacity of the target electronic device corresponding to $XF2_{w,r}$ is less than or equal to a first memory threshold, $XF2_{w,r} = F21$; if the memory capacity of the target electronic device corresponding to $XF2_{w,r}$ is greater than the first memory threshold and less than a second memory threshold, $XF2_{w,r} = F22$; if the memory capacity of the target electronic device corresponding to $XF2_{w,r}$ is greater than the second memory threshold, $XF2_{w,r} = F23$; $0 < F21 < F22 < F23 < 1$; F21, F22, F23 are preset memory performance priorities; and $F11 = F21$; $F12 = F22$; $F13 = F23$;
sending the candidate files corresponding to the file sizes in $D_w$, in order of file size from large to small, in one-to-one correspondence to the target electronic devices corresponding to the performance priorities ordered from large to small in $XF_w$, for malicious detection.
In an exemplary embodiment of the present application, the determining of the candidate file includes:
in response to the current computing resource utilization of the file detection server being greater than a preset utilization threshold, determining each file that has not completed detection as an intermediate file;
acquiring a list $A = (A_1, A_2, \ldots, A_a, \ldots, A_b)$ of the number of attack types for which each intermediate file has not completed detection; $a = 1, 2, \ldots, b$; where $A_a$ is the number of attack types for which the a-th intermediate file has not completed detection; $b$ is the number of intermediate files;
if $A_a < AY$, determining the intermediate file corresponding to $A_a$ as a candidate file; $AY$ is a preset attack type quantity threshold.
In an exemplary embodiment of the present application, the AY meets the following conditions:the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Is a round down function.
According to a second aspect of the present application, there is provided a file detecting apparatus applied to a file detecting server, where the file detecting server is connected to a plurality of device groups, each device group including a plurality of target electronic devices; associating a malicious attack type with each device group; each malicious attack type is provided with a corresponding virus library respectively; each target electronic device in each device group is provided with a virus library corresponding to the malicious attack type associated with the device group in which the target electronic device is positioned; the file detection server is internally provided with virus libraries corresponding to all malicious attack types;
The device comprises:
a candidate file determining module, configured to determine a file that has not completed detection as a candidate file in response to the current computing resource utilization of the file detection server being greater than a preset utilization threshold;
a candidate list determining module, configured to determine the malicious attack types for which each candidate file has not yet been checked as candidate attack types, so as to obtain a candidate attack type list set $H = (H_1, H_2, \ldots, H_c, \ldots, H_d)$; $c = 1, 2, \ldots, d$; $H_c = (H_{c,1}, H_{c,2}, \ldots, H_{c,e}, \ldots, H_{c,s(c)})$; $d$ is the number of candidate files; $s(c)$ is the number of malicious attack types for which the c-th candidate file has not yet been checked; $H_c$ is the candidate attack type list corresponding to the c-th candidate file; $H_{c,e}$ is the e-th malicious attack type for which the c-th candidate file has not yet been checked; $e = 1, 2, \ldots, s(c)$;
a file list obtaining module, configured to traverse each candidate attack type list in $H$ for each malicious attack type to obtain a to-be-detected file quantity list $JN = (JN_1, JN_2, \ldots, JN_w, \ldots, JN_y)$; $y$ is the number of all malicious attack types; $JN_w$ is the number of candidate attack type lists in $H$ that contain the w-th malicious attack type; $w = 1, 2, \ldots, y$;
a quantity list obtaining module, configured to obtain the number of target electronic devices in each device group whose current state is idle, to obtain a device quantity list $SN = (SN_1, SN_2, \ldots, SN_w, \ldots, SN_y)$; $SN_w$ is the number of target electronic devices whose current state is idle in the device group corresponding to the w-th malicious attack type;
a candidate file sending module, configured to compare $JN_w$ in $JN$ with $SN_w$ in $SN$ and, if $JN_w \le SN_w$, send the $JN_w$ candidate files corresponding to the w-th malicious attack type to the device group corresponding to $SN_w$ for malicious detection.
According to a third aspect of the present application, there is provided a non-transitory computer readable storage medium having stored therein at least one instruction or at least one program, the at least one instruction or the at least one program being loaded and executed by a processor to implement the above-mentioned file detection method.
According to a fourth aspect of the present application, there is provided an electronic device comprising a processor and the non-transitory computer readable storage medium described above.
The application has at least the following beneficial effects:
The file detection method is applied to a file detection server connected with a plurality of device groups, each device group comprising a plurality of target electronic devices; each device group is associated with one malicious attack type; each malicious attack type has its own virus library; each target electronic device in a device group is provided with the virus library corresponding to the malicious attack type associated with that device group; and the virus libraries corresponding to all malicious attack types are installed in the file detection server. To reduce the load on the file detection server, when its current computing resource utilization is greater than a preset utilization threshold, the files that have not yet completed detection are determined as candidate files. Each file to be detected may be subject to several types of malicious attack, so it must be checked for each malicious attack type. The original full virus library is split up: each device group comprises a plurality of target electronic devices and is associated with one malicious attack type. Then the malicious attack types for which each candidate file has not yet been checked are determined as candidate attack types to obtain the candidate attack type list set $H$; each candidate file corresponds to one candidate attack type list, which contains the candidate attack types of that candidate file. Each candidate attack type list in $H$ is then traversed for each malicious attack type to obtain the to-be-detected file quantity list $JN$, which gives the number of candidate files not yet checked for each malicious attack type.
Next, the number of target electronic devices whose current state is idle in each device group is acquired to obtain the device quantity list $SN$; a target electronic device in the idle state is one that can perform security detection on a file to be detected. Finally, if the number of candidate attack type lists in the set that contain a given malicious attack type (that is, the number of candidate files not yet checked for that type) is smaller than the number of idle target electronic devices in the device group corresponding to that type, then the number of candidate files to be checked for that type is smaller than the number of idle target electronic devices able to check for it, so the candidate files are sent directly to the corresponding device group for detection. In this method, because the storage space and computing power of a target electronic device are smaller than those of the file detection server, the target electronic devices are divided into a plurality of device groups and each device group is associated with one malicious attack type; that is, each device group is used to detect whether a file to be detected is attacked by the malicious attack type corresponding to that group. This reduces the load on the file detection server without occupying a large amount of the storage space and computing power of the target electronic devices, and improves file detection efficiency.
A candidate attack type list is then established and the number of files to be detected for each malicious attack type is obtained from it. Finally, if the number of idle target electronic devices corresponding to a malicious attack type is larger than the number of files to be detected for that type, the corresponding candidate files are sent directly to the corresponding device group for detection. This controls the computing resource utilization of the file detection server and reasonably distributes the candidate files that the server cannot currently process, so that the server retains residual computing power to process urgent tasks.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for detecting a file according to an embodiment of the present disclosure;
FIG. 2 is a block diagram of a file detection apparatus according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
As shown in fig. 1, a method for detecting a file is provided according to an embodiment of the present application.
The method is applied to a file detection server, wherein the file detection server is connected with a plurality of equipment groups, and each equipment group comprises a plurality of target electronic equipment; associating a malicious attack type with each device group; each malicious attack type is provided with a corresponding virus library respectively; each target electronic device in each device group is provided with a virus library corresponding to the malicious attack type associated with the device group in which the target electronic device is positioned; and the file detection server is internally provided with virus libraries corresponding to all malicious attack types.
Specifically, a full virus library is installed in the file detection server, and the malicious attack types covered by the full virus library include all malicious attack types associated with all device groups. Because the storage space and computing power of a target electronic device are smaller than those of the file detection server, the malicious attack types covered by the full virus library are split up and each device group is associated with one malicious attack type, so that each device group can detect whether a file to be detected is attacked by the malicious attack type corresponding to that device group. Each device group contains a plurality of target electronic devices, and the number of device groups is the same as the number of malicious attack types. As an example, the virus libraries corresponding to the malicious attack types include: viruses, trojans, worms, macro viruses, ransomware, cryptomining trojans, WebShell, others, and the like.
The file detection method comprises the following steps:
S100, in response to the current computing resource utilization of the file detection server being greater than a preset utilization threshold, determining at least one file that has not completed detection as a candidate file.
Specifically, if the current computing resource utilization of the file detection server is greater than the preset utilization threshold, then, in order to control the server's computing resource utilization so that it retains residual computing power for urgent tasks, each file that the server is required to process and that has not completed detection is determined as a candidate file, and the candidate files are distributed. Here, each file to be detected must be checked one by one against the virus library corresponding to each malicious attack type. As an example, a candidate file may have one, or five, malicious attack types not yet checked.
S200, determining the malicious attack types for which each candidate file has not yet been checked as candidate attack types, so as to obtain a candidate attack type list set $H = (H_1, H_2, \ldots, H_c, \ldots, H_d)$; $c = 1, 2, \ldots, d$; $H_c = (H_{c,1}, H_{c,2}, \ldots, H_{c,e}, \ldots, H_{c,s(c)})$; $d$ is the number of candidate files; $s(c)$ is the number of malicious attack types for which the c-th candidate file has not yet been checked; $H_c$ is the candidate attack type list corresponding to the c-th candidate file; $H_{c,e}$ is the e-th malicious attack type for which the c-th candidate file has not yet been checked; $e = 1, 2, \ldots, s(c)$.
Specifically, the candidate attack type list set includes a candidate attack type list of each candidate file composed of malicious attack types that each candidate file has not yet detected.
S300, traversing each candidate attack type list in $H$ for each malicious attack type to obtain a to-be-detected file quantity list $JN = (JN_1, JN_2, \ldots, JN_w, \ldots, JN_y)$; $y$ is the number of all malicious attack types; $JN_w$ is the number of candidate attack type lists in $H$ that contain the w-th malicious attack type; $w = 1, 2, \ldots, y$.
Specifically, according to H, the number of candidate files to be detected corresponding to each malicious attack type is obtained.
S400, obtaining the number of target electronic devices in each device group whose current state is idle, to obtain a device quantity list $SN = (SN_1, SN_2, \ldots, SN_w, \ldots, SN_y)$; $SN_w$ is the number of target electronic devices whose current state is idle in the device group corresponding to the w-th malicious attack type.
Specifically, each target electronic device has its own fixed task to be executed (except the detection task described above), and there may be an idle time between multiple fixed tasks to be executed, where the idle time may be used to perform security detection on the candidate file, and when the target electronic device determines that there is no fixed task to be executed currently, it determines that the current state is an idle state, and may determine the predicted idle state release time according to the predicted execution time of the fixed task to be executed next. It will be appreciated that in particular implementations, those skilled in the art may determine the predicted idle state release time in other ways, such as using an AI model to predict each electronic device's historical computing resource usage, etc.
S500, comparing $JN_w$ in $JN$ with $SN_w$ in $SN$ and, if $JN_w \le SN_w$, sending the $JN_w$ candidate files corresponding to the w-th malicious attack type to the device group corresponding to $SN_w$ for malicious detection.
Specifically, if the number of candidate files to be detected corresponding to a malicious attack type is smaller than the number of target electronic devices in which the current state is in an idle state in a device group corresponding to the malicious attack type, it is indicated that enough target electronic devices in the device group corresponding to the malicious attack type can detect the candidate files to be detected corresponding to the malicious attack type, and at this time, each candidate file corresponding to a candidate attack type list containing the malicious attack type is sent to the device group corresponding to the malicious attack type. Further, the specific sending method may be random, or may be sending the candidate file with the large file size to the target electronic device with the large remaining storage space, which is not limited herein.
In this embodiment, since the storage space and the computing power of the target electronic device are smaller than those of the file detection server, a plurality of target electronic devices are divided into a plurality of device groups, and each device group is associated with a malicious attack type, that is, each device group is used to detect whether the file to be detected is attacked by the malicious attack type corresponding to the device group, so that the load of the file detection server is reduced, a large amount of storage space and computing power of the target electronic device are not occupied, and the file detection efficiency is improved. And then establishing a candidate attack type list, acquiring the number of files to be detected corresponding to each malicious attack type from the candidate attack type list, and finally, if the number of idle target electronic devices corresponding to a certain malicious attack type is larger than the number of files to be detected corresponding to the idle target electronic devices, directly sending the corresponding candidate files to a corresponding device group for detection, so that the computing resource utilization rate of a file detection server is controlled, the candidate files which cannot be processed currently by the file detection server are reasonably allocated, and the detection efficiency is improved.
In an exemplary embodiment of the present application, after step S400, the method further includes:
S600, compare $JN_w$ in JN with $SN_w$ in SN; if $JN_w > SN_w$, determine $SN_w$ candidate files from the $JN_w$ candidate files corresponding to the w-th malicious attack type as the target files corresponding to the w-th malicious attack type.
Firstly, the file size of each candidate file corresponding to the w-th malicious attack type is obtained to give a file size list $D_w = (D_{w,1}, D_{w,2}, \ldots, D_{w,h}, \ldots, D_{w,JN_w})$, where $D_{w,h}$ is the file size of the h-th candidate file after the file sizes of the candidate files corresponding to the w-th malicious attack type are arranged in order from small to large; $h = 1, 2, \ldots, JN_w$. Here, the file sizes of the obtained candidate files are arranged in order from small to large to obtain the file size list $D_w$.
Then, the candidate files corresponding to the first $SN_w$ file sizes in $D_w$ are taken as the target files corresponding to the w-th malicious attack type.
It can be understood that, because the storage space and computing power of the target electronic device are smaller than those of the file detection server, candidate files with smaller file sizes are processed by the target electronic device, so that the fixed tasks of the target electronic device execute normally, the security detection of the candidate files completes efficiently, and less storage space and computing power are occupied. Therefore, the file sizes of the candidate files are arranged in order from small to large, and the candidate files corresponding to the first $SN_w$ file sizes in the file size list are taken as the target files corresponding to the w-th malicious attack type.
S700, send the $SN_w$ target files corresponding to the w-th malicious attack type to the device group corresponding to $SN_w$.
In this embodiment, if the number of candidate files to be detected for a malicious attack type is greater than the number of idle target electronic devices in the device group corresponding to that malicious attack type, the device group does not have enough target electronic devices to detect all of those candidate files. In that case, as many candidate files as there are idle target electronic devices are selected and sent to the corresponding device group for security detection. When the candidate files are selected, because the storage space and computing power of the target electronic device are smaller than those of the file detection server, candidate files with smaller file sizes are processed by the target electronic devices, so that the fixed tasks of the target electronic devices execute normally, the security detection of the candidate files completes efficiently, and less storage space and computing power are occupied.
It should be noted that, in the present application, after determining that any target electronic device receives a candidate file, the current state of the target electronic device is switched from the idle state to the non-idle state.
In an exemplary embodiment of the present application, step S500 includes:
S510, compare $JN_w$ in JN with $SN_w$ in SN; if $JN_w \le SN_w$, obtain the file size of each candidate file corresponding to the w-th malicious attack type to give a file size list $E_w = (E_{w,1}, E_{w,2}, \ldots, E_{w,h}, \ldots, E_{w,JN_w})$, where $E_{w,h}$ is the file size of the h-th candidate file after the file sizes of the candidate files corresponding to the w-th malicious attack type are arranged in order from large to small.
S520, acquire a device performance priority list $XF_w = (XF_{w,1}, XF_{w,2}, \ldots, XF_{w,r}, \ldots, XF_{w,SN_w})$ of the target electronic devices whose current state is idle in the device group corresponding to the w-th malicious attack type; $r = 1, 2, \ldots, f$; $XF_{w,r}$ is the performance priority of the target electronic device whose performance priority ranks r-th among the target electronic devices whose current state is idle in the device group corresponding to the w-th malicious attack type.
$XF_{w,r}$ satisfies the following condition:
$XF_{w,r} = \alpha \times XF1_{w,r} + \beta \times XF2_{w,r}$
wherein $\alpha + \beta = 1$; $XF1_{w,r}$ is the CPU performance priority; if the number of CPU cores of the target electronic device corresponding to $XF1_{w,r}$ is less than or equal to the first number threshold, $XF1_{w,r} = F11$; if the number of CPU cores of the target electronic device corresponding to $XF1_{w,r}$ is greater than the first number threshold and less than the second number threshold, $XF1_{w,r} = F12$; if the number of CPU cores of the target electronic device corresponding to $XF1_{w,r}$ is greater than the second number threshold, $XF1_{w,r} = F13$; $0 < F11 < F12 < F13 < 1$; F11, F12, F13 are preset CPU performance priorities;
$XF2_{w,r}$ is the memory performance priority; if the memory capacity of the target electronic device corresponding to $XF2_{w,r}$ is less than or equal to the first memory threshold, $XF2_{w,r} = F21$; if the memory capacity of the target electronic device corresponding to $XF2_{w,r}$ is greater than the first memory threshold and less than the second memory threshold, $XF2_{w,r} = F22$; if the memory capacity of the target electronic device corresponding to $XF2_{w,r}$ is greater than the second memory threshold, $XF2_{w,r} = F23$; $0 < F21 < F22 < F23 < 1$; F21, F22, F23 are preset memory performance priorities; and F11 = F21; F12 = F22; F13 = F23.
Here, the performance priority of the target electronic device is determined according to the hardware information of the target electronic device, wherein the larger the CPU core number of the target electronic device is, the stronger the processing capacity of the target electronic device is, and the better the performance is; conversely, the weaker the processing power of the target electronic device, the poorer the performance. In addition, the larger the memory capacity of the target electronic equipment is, the larger the current storage space of the target electronic equipment is, the higher the processing efficiency is, and the better the performance is; and otherwise, the smaller the current storage space of the target electronic device is, the lower the processing efficiency is, and the poorer the performance is. Therefore, the corresponding CPU performance priority and memory performance priority are determined according to the CPU core number and memory capacity of the target electronic device, and corresponding weights alpha, beta, alpha+beta=1 can be set for the CPU performance priority and the memory performance priority according to actual conditions, so that the device performance priority of the target electronic device is obtained. The larger the number of CPU cores and the larger the memory capacity, the higher the performance priority of the target electronic device. In this embodiment, α=β=0.5. As an example: the first number threshold is 4; the second number threshold is 8; the first capacity threshold is 4GB; the second capacity threshold is 8GB.
It should be noted that if the performance priorities of any two target electronic devices are the same, they are ordered randomly during sorting.
S530, send the candidate files corresponding to $D_w$, in order of file size from large to small, in one-to-one correspondence to the target electronic devices corresponding to the performance priorities in $XF_w$ ranked from large to small, for malicious detection.
Specifically, the candidate files are sent one by one to the target electronic devices in $XF_w$ in order of file size; that is, the candidate file with the largest file size in the file size list is sent to the target electronic device with the highest performance priority in $XF_w$, and so on.
In this embodiment, the file sizes of the candidate files are arranged in the order from large to small, and the performance priorities of the target electronic devices are arranged in the order from high to low, so that the candidate files are sent to the corresponding target electronic devices in the order one by one.
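The allocation rule described in steps S600 to S700 and S510 to S530, worked through as an added Python example (not code from the patent). The attack type names, file names and device names are constructed; the F values 0.2 / 0.5 / 0.8, the name-based tie-break (the page orders ties randomly), the tier used when a value equals the second threshold, and the reuse of the largest-to-best pairing in the $JN_w > SN_w$ branch are assumptions.

```python
from dataclasses import dataclass

# Thresholds and weights are the page's example values (4 / 8 cores, 4 GB / 8 GB,
# alpha = beta = 0.5). The F values are assumptions: the page only requires
# 0 < F1 < F2 < F3 < 1 and that CPU and memory share the same three values.
F_LOW, F_MID, F_HIGH = 0.2, 0.5, 0.8
CORE_T1, CORE_T2 = 4, 8
MEM_T1_GB, MEM_T2_GB = 4, 8
ALPHA, BETA = 0.5, 0.5


@dataclass(frozen=True)
class Candidate:
    name: str
    size: int            # file size in bytes
    pending: frozenset   # H_c: attack types this file has not been checked for


@dataclass(frozen=True)
class Device:
    name: str
    attack_type: str     # the device group this endpoint belongs to
    cores: int
    mem_gb: int
    idle: bool = True


def tier(value, t1, t2):
    """Map a core count or memory size to one of the three preset priorities."""
    if value <= t1:
        return F_LOW
    # The page does not say which tier value == t2 falls in; placing it in
    # the middle tier is an assumption made here.
    if value <= t2:
        return F_MID
    return F_HIGH


def device_priority(dev):
    """XF = alpha * XF1 (CPU tier) + beta * XF2 (memory tier)."""
    return (ALPHA * tier(dev.cores, CORE_T1, CORE_T2)
            + BETA * tier(dev.mem_gb, MEM_T1_GB, MEM_T2_GB))


def plan_dispatch(candidates, devices):
    """Return (plan, deferred), both keyed by attack type.

    plan[w] is a list of (file, device) pairs; deferred[w] lists files that
    stay queued on the server because the group has no idle device left.
    """
    plan, deferred = {}, {}
    for w in sorted({d.attack_type for d in devices}):
        files = [c for c in candidates if w in c.pending]      # JN_w = len(files)
        idle = [d for d in devices if d.attack_type == w and d.idle]  # SN_w
        by_size = sorted(files, key=lambda c: (c.size, c.name))
        if len(files) > len(idle):
            chosen = by_size[:len(idle)]   # S600: keep the SN_w smallest files
        else:
            chosen = by_size               # JN_w <= SN_w: every file is sent
        deferred[w] = [c.name for c in by_size[len(chosen):]]
        # S510-S530: largest file goes to the highest-priority idle device.
        ranked = sorted(idle, key=lambda d: (-device_priority(d), d.name))
        largest_first = sorted(chosen, key=lambda c: (-c.size, c.name))
        plan[w] = [(c.name, d.name) for c, d in zip(largest_first, ranked)]
    return plan, deferred


# Constructed sample data, not taken from the patent.
SAMPLE_CANDIDATES = [
    Candidate("a.exe", 900, frozenset({"trojan"})),
    Candidate("b.doc", 100, frozenset({"trojan", "worm"})),
    Candidate("c.pdf", 500, frozenset({"worm"})),
    Candidate("d.js", 300, frozenset({"worm"})),
]
SAMPLE_DEVICES = [
    Device("t1", "trojan", cores=2, mem_gb=4),
    Device("t2", "trojan", cores=16, mem_gb=16),
    Device("t3", "trojan", cores=6, mem_gb=8),
    Device("t4", "trojan", cores=32, mem_gb=64, idle=False),
    Device("w1", "worm", cores=8, mem_gb=4),
]

if __name__ == "__main__":
    plan, deferred = plan_dispatch(SAMPLE_CANDIDATES, SAMPLE_DEVICES)
    for attack_type in plan:
        print(attack_type, "send:", plan[attack_type], "keep:", deferred[attack_type])
```

A file with several pending attack types, such as `b.doc` here, appears in more than one group's plan, which is the repeated transfer cost the page's attack type quantity threshold is meant to limit.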
In an exemplary embodiment of the present application, the determining of the candidate file includes:
S101, determining each file which is not detected as an intermediate file in response to the current computing resource utilization rate of the file detection server being greater than a preset utilization rate threshold.
S102, acquiring a list of the numbers of attack types for which each intermediate file has not yet completed detection, $A = (A_1, A_2, \ldots, A_a, \ldots, A_b)$; $a = 1, 2, \ldots, b$; wherein $A_a$ is the number of attack types for which the a-th intermediate file has not yet completed detection; b is the number of intermediate files.
S103, if $A_a < AY$, determining $A_a$ as a candidate file; AY is a preset attack type quantity threshold. Here, AY satisfies the following condition: [formula not preserved in this text]; wherein [symbol not preserved in this text] is a round-down function.
In this embodiment, a dynamic attack type number threshold is set: the preset attack type number threshold changes with the sum of the numbers of attack types for which all intermediate files have not yet completed detection, and becomes smaller as the number of attack types for which the intermediate files have not completed detection becomes smaller. If a fixed preset attack type number threshold is set and is too large, then when the number of attack types for which the intermediate files have not completed detection is small, candidate files may not exist, and the intermediate files cannot be processed in time. Conversely, if a fixed preset attack type number threshold is set and is too small, then when the number of attack types for which the intermediate files have not completed detection is large, all the intermediate files may be candidate files. Each candidate file then has to be sent to different device groups, and a candidate file with a large number of attack types not yet detected has to be sent to many device groups, so the number of transmissions is large and considerable network resources are occupied. Therefore, a dynamic preset attack type number threshold is set so that candidate files are still distributed to the target electronic devices while candidate files with a large number of attack types not yet detected are intercepted, which saves network resources. In addition, because the number of attack types is an integer, the preset attack type number threshold is rounded.
For intermediate files with more attack types which are not detected yet, the file detection servers with lower current computing resource occupancy rate in the file detection server cluster can carry out security detection, so that the occupancy of network resources is reduced, the computing power and the storage space of the file detection servers with lower current computing resource occupancy rate are larger than those of the target electronic equipment, and the security detection efficiency is higher.
The embodiment of the application also provides a file detection device 100, which is applied to a file detection server, wherein the file detection server is connected with a plurality of equipment groups, and each equipment group comprises a plurality of target electronic equipment; associating a malicious attack type with each device group; each malicious attack type is provided with a corresponding virus library respectively; each target electronic device in each device group is provided with a virus library corresponding to the malicious attack type associated with the device group in which the target electronic device is positioned; the file detection server is internally provided with virus libraries corresponding to all malicious attack types;
as shown in fig. 2, the above-mentioned apparatus includes:
a candidate file determining module 110, configured to determine the file that is not detected as a candidate file in response to the current computing resource usage rate of the file detecting server being greater than a preset usage rate threshold;
a candidate list determining module 120, configured to determine the malicious attack types for which each candidate file has not yet been detected as candidate attack types, so as to obtain a candidate attack type list set $H = (H_1, H_2, \ldots, H_c, \ldots, H_d)$; $c = 1, 2, \ldots, d$; $H_c = (H_{c,1}, H_{c,2}, \ldots, H_{c,e}, \ldots, H_{c,s(c)})$; d is the number of candidate files; s(c) is the number of malicious attack types for which the c-th candidate file has not yet been detected; $H_c$ is the candidate attack type list corresponding to the c-th candidate file; $H_{c,e}$ is the e-th malicious attack type for which the c-th candidate file has not yet been detected; $e = 1, 2, \ldots, s(c)$;
a file list obtaining module 130, configured to traverse each candidate attack type list in H according to each malicious attack type to obtain a to-be-detected file number list $JN = (JN_1, JN_2, \ldots, JN_w, \ldots, JN_y)$; y is the number of all malicious attack types; $JN_w$ is the number of candidate attack type lists in H that contain the w-th malicious attack type; $w = 1, 2, \ldots, y$;
a number list obtaining module 140, configured to obtain the number of target electronic devices in each device group whose current state is an idle state, so as to obtain a device number list $SN = (SN_1, SN_2, \ldots, SN_w, \ldots, SN_y)$; $SN_w$ is the number of target electronic devices whose current state is an idle state in the device group corresponding to the w-th malicious attack type;
a candidate file sending module 150, configured to compare $JN_w$ in JN with $SN_w$ in SN and, if $JN_w \le SN_w$, send the $JN_w$ candidate files corresponding to the w-th malicious attack type to the device group corresponding to $SN_w$ for malicious detection.
Embodiments of the present application also provide a computer program product comprising program code for causing an electronic device to carry out the steps of the method according to various exemplary embodiments of the present application as described in the present specification, when the program product is run on the electronic device.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will appreciate that the various aspects of the present application may be implemented as a system, method, or program product. Accordingly, aspects of the present application may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "system."
An electronic device according to this embodiment of the present application. The electronic device is only one example and should not impose any limitation on the functionality and scope of use of the embodiments of the present application.
The electronic device is in the form of a general purpose computing device. Components of an electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components, including the memory and the processor.
Wherein the memory stores program code that can be executed by the processor to cause the processor to perform steps according to various exemplary embodiments of the present application as described in the above section of the exemplary method of the present specification.
The storage may include readable media in the form of volatile storage, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The storage may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus may be one or more of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., router, modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. And, the electronic device may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through a network adapter. As shown, the network adapter communicates with other modules of the electronic device over a bus. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with an electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible implementations, the various aspects of the present application may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the present application as described in the "exemplary methods" section of this specification, when the program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Furthermore, the above-described figures are only illustrative of the processes involved in the method according to exemplary embodiments of the present application, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions easily conceivable by those skilled in the art within the technical scope of the present application should be covered in the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. The file detection method is characterized by being applied to a file detection server, wherein the file detection server is connected with a plurality of equipment groups, and each equipment group comprises a plurality of target electronic equipment; associating a malicious attack type with each device group; each malicious attack type is provided with a corresponding virus library respectively; each target electronic device in each device group is provided with a virus library corresponding to the malicious attack type associated with the device group in which the target electronic device is positioned; the file detection server is internally provided with virus libraries corresponding to all malicious attack types;
The method comprises the following steps:
determining at least one of the files which are not detected as candidate files in response to the current computing resource utilization rate of the file detection server being greater than a preset utilization rate threshold;
determining the malicious attack types for which each candidate file has not yet been detected as candidate attack types to obtain a candidate attack type list set $H = (H_1, H_2, \ldots, H_c, \ldots, H_d)$; $c = 1, 2, \ldots, d$; $H_c = (H_{c,1}, H_{c,2}, \ldots, H_{c,e}, \ldots, H_{c,s(c)})$; d is the number of candidate files; s(c) is the number of malicious attack types for which the c-th candidate file has not yet been detected; $H_c$ is the candidate attack type list corresponding to the c-th candidate file; $H_{c,e}$ is the e-th malicious attack type for which the c-th candidate file has not yet been detected; $e = 1, 2, \ldots, s(c)$;
traversing each candidate attack type list in H according to each malicious attack type to obtain a to-be-detected file number list $JN = (JN_1, JN_2, \ldots, JN_w, \ldots, JN_y)$; y is the number of all malicious attack types; $JN_w$ is the number of candidate attack type lists in H that contain the w-th malicious attack type; $w = 1, 2, \ldots, y$;
obtaining the number of target electronic devices in each device group whose current state is an idle state, so as to obtain a device number list $SN = (SN_1, SN_2, \ldots, SN_w, \ldots, SN_y)$; $SN_w$ is the number of target electronic devices whose current state is an idle state in the device group corresponding to the w-th malicious attack type;
comparing $JN_w$ in JN with $SN_w$ in SN and, if $JN_w \le SN_w$, sending the $JN_w$ candidate files corresponding to the w-th malicious attack type to the device group corresponding to $SN_w$ for malicious detection.
2. The method of claim 1, wherein after the number of target electronic devices in each device group whose current state is an idle state is obtained to obtain the device number list $SN = (SN_1, SN_2, \ldots, SN_w, \ldots, SN_y)$, the method further comprises:
comparing $JN_w$ in JN with $SN_w$ in SN and, if $JN_w > SN_w$, determining $SN_w$ candidate files from the $JN_w$ candidate files corresponding to the w-th malicious attack type as the target files corresponding to the w-th malicious attack type;
sending the $SN_w$ target files corresponding to the w-th malicious attack type to the device group corresponding to $SN_w$.
3. The file detection method as in claim 2, wherein said determining $SN_w$ candidate files from the $JN_w$ candidate files corresponding to the w-th malicious attack type as the target files corresponding to the w-th malicious attack type comprises:
obtaining the file size of each candidate file corresponding to the w-th malicious attack type to obtain a file size list $D_w = (D_{w,1}, D_{w,2}, \ldots, D_{w,h}, \ldots, D_{w,JN_w})$; $D_{w,h}$ is the file size of the h-th candidate file after the file sizes of the candidate files corresponding to the w-th malicious attack type are arranged in order from small to large; $h = 1, 2, \ldots, JN_w$;
taking the candidate files corresponding to the first $SN_w$ file sizes in $D_w$ as the target files corresponding to the w-th malicious attack type.
4. A document detection method according to any one of claims 1 to 3, wherein the method further comprises:
after any target electronic device is determined to receive a candidate file, the current state of the target electronic device is switched from the idle state to the non-idle state.
5. The file detection method according to claim 3, wherein said comparing $JN_w$ in JN with $SN_w$ in SN and, if $JN_w \le SN_w$, sending the $JN_w$ candidate files corresponding to the w-th malicious attack type to the device group corresponding to $SN_w$ for malicious detection comprises:
comparing $JN_w$ in JN with $SN_w$ in SN and, if $JN_w \le SN_w$, obtaining the file size of each candidate file corresponding to the w-th malicious attack type to obtain a file size list $E_w = (E_{w,1}, E_{w,2}, \ldots, E_{w,h}, \ldots, E_{w,JN_w})$; $E_{w,h}$ is the file size of the h-th candidate file after the file sizes of the candidate files corresponding to the w-th malicious attack type are arranged in order from large to small;
acquiring a device performance priority list $XF_w = (XF_{w,1}, XF_{w,2}, \ldots, XF_{w,r}, \ldots, XF_{w,SN_w})$ of the target electronic devices whose current state is idle in the device group corresponding to the w-th malicious attack type; $r = 1, 2, \ldots, SN_w$; $XF_{w,r}$ is the performance priority of the target electronic device whose performance priority ranks r-th among the target electronic devices whose current state is idle in the device group corresponding to the w-th malicious attack type;
$XF_{w,r}$ satisfies the following condition:
$XF_{w,r} = \alpha \times XF1_{w,r} + \beta \times XF2_{w,r}$
wherein $\alpha + \beta = 1$; $XF1_{w,r}$ is the CPU performance priority; if the number of CPU cores of the target electronic device corresponding to $XF1_{w,r}$ is less than or equal to the first number threshold, $XF1_{w,r} = F11$; if the number of CPU cores of the target electronic device corresponding to $XF1_{w,r}$ is greater than the first number threshold and less than the second number threshold, $XF1_{w,r} = F12$; if the number of CPU cores of the target electronic device corresponding to $XF1_{w,r}$ is greater than the second number threshold, $XF1_{w,r} = F13$; $0 < F11 < F12 < F13 < 1$; F11, F12, F13 are preset CPU performance priorities;
$XF2_{w,r}$ is the memory performance priority; if the memory capacity of the target electronic device corresponding to $XF2_{w,r}$ is less than or equal to the first memory threshold, $XF2_{w,r} = F21$; if the memory capacity of the target electronic device corresponding to $XF2_{w,r}$ is greater than the first memory threshold and less than the second memory threshold, $XF2_{w,r} = F22$; if the memory capacity of the target electronic device corresponding to $XF2_{w,r}$ is greater than the second memory threshold, $XF2_{w,r} = F23$; $0 < F21 < F22 < F23 < 1$; F21, F22, F23 are preset memory performance priorities; and F11 = F21; F12 = F22; F13 = F23;
sending the candidate files corresponding to $D_w$, in order of file size from large to small, in one-to-one correspondence to the target electronic devices corresponding to the performance priorities in $XF_w$ ranked from large to small, for malicious detection.
6. The file detection method as claimed in claim 1, wherein the determination of the candidate file includes:
in response to the current computing resource utilization rate of the file detection server being greater than a preset utilization rate threshold, determining each file that has not been detected as an intermediate file;
acquiring a list A = (A_1, A_2, ..., A_a, ..., A_b) of the number of attack types for which each intermediate file has not completed detection; a = 1, 2, ..., b; wherein A_a is the number of attack types not yet detected for the a-th intermediate file; b is the number of intermediate files;
if A_a < AY, determining the intermediate file corresponding to A_a as a candidate file; AY is a preset attack type quantity threshold.
7. The document detection method of claim 6, wherein AY meets the following conditions:the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Is a round down function.
8. A file detection device, characterized by being applied to a file detection server, wherein the file detection server is connected with a plurality of device groups, and each device group comprises a plurality of target electronic devices; each device group is associated with a malicious attack type; each malicious attack type has a corresponding virus library; each target electronic device in each device group is provided with the virus library corresponding to the malicious attack type associated with the device group in which that target electronic device is located; the file detection server is provided with the virus libraries corresponding to all malicious attack types;
The device comprises:
a candidate file determining module, configured to determine at least one of the files that have not been detected as a candidate file in response to the current computing resource utilization rate of the file detection server being greater than a preset utilization rate threshold;
a candidate list determining module, configured to determine the malicious attack types not yet detected for each candidate file as candidate attack types, so as to obtain a candidate attack type list set H = (H_1, H_2, ..., H_c, ..., H_d); c = 1, 2, ..., d; H_c = (H_{c,1}, H_{c,2}, ..., H_{c,e}, ..., H_{c,s(c)}); d is the number of candidate files; s(c) is the number of malicious attack types not yet detected for the c-th candidate file; H_c is the candidate attack type list corresponding to the c-th candidate file; H_{c,e} is the e-th malicious attack type not yet detected for the c-th candidate file; e = 1, 2, ..., s(c);
a file list obtaining module, configured to traverse each candidate attack type list in H for each malicious attack type, to obtain a to-be-detected file number list JN = (JN_1, JN_2, ..., JN_w, ..., JN_y); y is the number of all malicious attack types; JN_w is the number of candidate attack type lists in H that contain the w-th malicious attack type; w = 1, 2, ..., y;
a number list obtaining module, configured to obtain the number of target electronic devices whose current state is idle in each device group, to obtain a device number list SN = (SN_1, SN_2, ..., SN_w, ..., SN_y); SN_w is the number of target electronic devices whose current state is idle in the device group corresponding to the w-th malicious attack type;
a candidate file sending module, configured to compare JN_w in JN with SN_w in SN and, if JN_w ≤ SN_w, send the JN_w candidate files corresponding to the w-th malicious attack type to the device group corresponding to SN_w for malicious detection.
9. A non-transitory computer readable storage medium having stored therein at least one instruction, wherein the at least one instruction is loaded and executed by a processor to implement the method of any one of claims 1-7.
10. An electronic device comprising a processor and the non-transitory computer readable storage medium of claim 9.
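The offload decision recited in claims 5, 6 and 8 can be traced in a short sketch; this is an added example, not code from the patent or its applicant. It assumes D_w is the set of candidate files still awaiting attack type w, leaves types with JN_w > SN_w unassigned because this section does not cover that case, and uses constructed thresholds, tier values, weights, file names and device names.

```python
from typing import NamedTuple

# Every number below is constructed for the example; the claims fix none of them.
ALPHA, BETA = 0.6, 0.4        # weights, alpha + beta = 1
TIERS = (0.2, 0.5, 0.8)       # F11=F21 < F12=F22 < F13=F23, all inside (0, 1)
CORE_T = (4, 16)              # first / second CPU-core-count thresholds
MEM_T = (8, 32)               # first / second memory thresholds, GiB

class Device(NamedTuple):
    name: str
    cores: int
    mem_gib: int
    idle: bool = True

def tier(value, thresholds):
    """Preset priority for a core count or memory size (claim 5 tiers)."""
    first, second = thresholds
    if value <= first:
        return TIERS[0]
    # The claim leaves value == second undefined; this sketch puts it in the top tier.
    return TIERS[1] if value < second else TIERS[2]

def priority(dev):
    """XF = alpha * XF1 + beta * XF2 for one idle device."""
    return ALPHA * tier(dev.cores, CORE_T) + BETA * tier(dev.mem_gib, MEM_T)

def dispatch(pending, sizes, groups, ay):
    """Map attack type w -> [(file, device)] for each w with JN_w <= SN_w."""
    # Claim 6: a file is a candidate if it has fewer than AY unfinished types.
    h = {f: types for f, types in pending.items() if len(types) < ay}
    plan = {}
    for w, devices in groups.items():
        files = [f for f, types in h.items() if w in types]   # JN_w = len(files)
        idle = [d for d in devices if d.idle]                  # SN_w = len(idle)
        if not files or len(files) > len(idle):
            continue   # nothing to send, or JN_w > SN_w (not covered here): no offload
        files.sort(key=lambda f: sizes[f], reverse=True)       # largest file first
        idle.sort(key=priority, reverse=True)                  # strongest device first
        plan[w] = [(f, d.name) for f, d in zip(files, idle)]
    return plan

# Constructed sample state: unfinished attack types per file, sizes in bytes, device groups.
PENDING = {"a.doc": ["trojan"], "b.exe": ["trojan", "worm"],
           "c.zip": ["trojan", "worm", "ransomware"]}
SIZES = {"a.doc": 2_000, "b.exe": 90_000, "c.zip": 500_000}
GROUPS = {"trojan": [Device("t1", 4, 8), Device("t2", 32, 64), Device("t3", 8, 16, False)],
          "worm": [Device("w1", 8, 16, False)],
          "ransomware": [Device("r1", 8, 16)]}

if __name__ == "__main__":
    print(dispatch(PENDING, SIZES, GROUPS, ay=3))
```

With AY = 3 the file c.zip, which still has three unfinished types, is not a candidate, and the worm group has no idle device, so only the trojan group receives files.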
CN202311309242.4A 2023-10-11 2023-10-11 File detection method and device, medium and electronic equipment Active CN117056915B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311309242.4A CN117056915B (en) 2023-10-11 2023-10-11 File detection method and device, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN117056915A (en) 2023-11-14
CN117056915B (en) 2024-02-02

Family

ID=88659348

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant