CN1625133A - Method for detecting worm virus spreading - Google Patents

Publication number: CN1625133A
Application number: CN 200410098965
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 王凤仙
Original Assignee: Individual
Current Assignee: Individual
Legal status: Pending
Prior art keywords: message, address, worm, virus, information
Landscapes: Information Transfer Between Computers (AREA)

Abstract

This invention relates to a method and device for recognizing worm virus spreading. It can recognize messages carrying a worm virus that are sent by a message client or received by a message server. The method first agrees on special message addresses, then inserts the special message addresses into the address list of the message client that sends messages, or adds messages bearing a special message address to the message list stored on the message client. If the worm virus detection system detects a special message address among the target message addresses of a message, it considers that the message contains a worm virus.

Description

A method for detecting worm virus spreading
Technical field
The present invention relates to the field of information security technology, and is a method that uses special addresses to detect worm virus spreading.
Background technology
As communication technology is applied ever more widely, the threat that worm viruses pose to communication network security grows daily. Diverse propagation routes and complex application environments make worm virus outbreaks more and more frequent and the resulting losses larger and larger. E-mail systems, instant message systems and smart mobile phone systems are all unable to avoid attacks from worm viruses.
For clarity, in the present invention the user messages that need to be transmitted in a communication network are collectively called messages, for example: e-mail, instant messages, mobile phone short messages, and so on. The programs or devices that send these messages are collectively called message clients, for example: e-mail clients, instant message clients, mobile phones or personal digital assistants, and so on. The message lists kept on a message client are collectively called the message client message list, for example: the outbox, drafts and inbox messages in an e-mail client, the sent e-mail list in the mail directory, the message lists kept on a mobile phone or PDA, and so on. The destination address or source address of a message is collectively called a message address, for example: an e-mail address, an instant message system user ID, a wireless phone number, and so on. The address lists kept in a message client are collectively called the message client address list, including: the address book containing e-mail addresses in an e-mail client, contacts, the recipient addresses of sent e-mail, the sender addresses of received e-mail, the address book containing user IDs in an instant message client, the address list containing telephone numbers on a mobile phone or PDA, and so on. The programs or devices that receive these messages are collectively called message servers, for example: an e-mail server, the instant message client that receives the message in the message transfer process, a mobile phone short message gateway, and so on. The systems used to protect the security of the above message clients or message servers are collectively called message protection systems, for example a network firewall, a personal firewall, and so on.
Traditional virus signature matching can only detect worm viruses of known types. Its accuracy is relatively high, but it depends on first obtaining a sample of the spreading worm virus so that the virus signature can be analyzed, and it cannot detect worm viruses of unknown types.
United States patent document US6052709 discloses a system for monitoring spam. The system comprises a communication network with a plurality of terminals, each of which is assigned an e-mail address, and a control center. The control center generates additional e-mail addresses and publishes them on various public web sites, expecting them to be added to spam address lists. If an additional e-mail address receives an e-mail, the sender of that e-mail is added to a centrally controlled database, and the filters on the terminals are then modified so that each terminal, on receiving e-mail from this sender, can recognize that the sender once sent e-mail to an additional e-mail address. The basis of this technique is the address harvesting mechanism of spam: spammers search for e-mail addresses on public web sites to build their target address lists. If a virus has been maliciously added to the spam, this method can detect virus e-mail sent to addresses harvested from public web sites. However, the destination addresses of most e-mail worm viruses come from the contacts and address book in the mail client of the victim host, the recipient addresses of sent e-mail and the sender addresses of received e-mail, rather than from public web sites.
International patent document WO 2002/084459 discloses a method for identifying, locating and deleting viruses. In a specific implementation, the network data processing system includes a home server, a plurality of client data processing systems and a bait server. The address of the bait server is not announced to the clients, so any attempt to access the bait server indicates that a virus is present on the client making the attempt. The bait server monitors itself and, in response to a client's attempt to access it, broadcasts to all devices in the network an indication that a virus attack is under way. The bait server can then ignore all further access requests from the virus-propagating client until it receives an indication that the client has been disinfected, and it instructs the home server to disconnect the virus-propagating client from the network. The bait server can also notify the home server and the network administrator of the problem and of the identity of the virus-propagating client, so that suitable action can be started to disinfect that client. This method is not suitable for worm viruses that spread by e-mail, because e-mail containing a worm virus is relayed indirectly through the e-mail server and does not directly access the bait server.
Chinese patent document CN1549126A discloses a method for detecting worm viruses in an IDS. The method judges whether a worm virus exists by calculating whether the number of connections between each host and other hosts exceeds a certain threshold. It can detect those worm viruses that cause an abnormal number of network connections. Because a worm virus that spreads by e-mail connects directly only to the message server, and a single e-mail can contain multiple target mail addresses, an e-mail worm virus may spread without causing an abnormal number of connections.
Summary of the invention
Therefore, the first technical problem to be solved by the present invention is to provide a method that can provide the prerequisite for detecting worm virus spreading. Another technical problem to be solved by the present invention is to provide a device that can provide the prerequisite for detecting worm virus spreading.
The first technical problem is solved by providing a method for detecting worm viruses, which comprises the following steps:
1. The worm virus detection system and the message client agree on some special message addresses. The user of the message client can manually distinguish which addresses are these special message addresses and which are ordinary, normal message addresses.
2. Add the special message addresses to the message client address list, or add messages whose message address is a special message address to the message list kept by the message client.
3. The worm virus detection system checks the messages sent by the message client or received by the message server. If the target message addresses include any special message address, the message is considered to contain a worm virus.
Another technical problem to be solved by the present invention is to provide a device that can provide the prerequisite for detecting worm virus spreading.
1. The worm virus detection system and the message client agree on some special message addresses, and the agreed special message addresses are added to the message client address list. If the message client keeps lists of messages received or sent in the past, the agreed special messages are inserted into these message lists, or messages whose message address is a special message address are added to the message list kept by the message client.
2. The worm virus detection system checks the messages sent by the message client or received by the message server. If the target message addresses include any special message address, the message is judged to contain a worm virus.
3. If the worm virus detection system judges that a message contains a worm virus, it deletes the message and marks the user who sent the message containing the worm virus as a virus-infected user.
4. An alert message is sent to this virus-infected user. The alert message contains a special sequence string and the validity period of that special sequence string.
5. Within the validity period of the special sequence string of the alert message, if a message sent by the virus-infected user contains the special sequence string and its target message addresses do not include any special message address, the message is considered not to contain a worm virus.
6. Within the validity period of the special sequence string of the alert message, if a message sent by the virus-infected user does not contain the special sequence string, or its target message addresses include any special message address, the message is considered to contain a worm virus, and the message containing the worm virus is deleted.
Description of drawings
Fig. 1 is a particular message address distribution diagram.
Fig. 2 is the worm virus detection flow.
Embodiment
Common message systems include e-mail systems, instant message systems, smart mobile phone systems and so on. The specific embodiments of the present invention in 3 common environments are described below:
I. E-mail system:
Set up the following functions on the e-mail client:
1. Receive the special e-mail address list distributed by the worm virus detection and processing system, as in Fig. 1.
2. Select some of the special e-mail addresses from the special e-mail address list and add them to the address book of the e-mail client, or add to the e-mail list kept by the e-mail client e-mails whose source or target e-mail address is a special message address.
Set up the following functions on the e-mail server:
1. The worm virus detection and processing system generates a special e-mail address list.
2. The worm virus detection and processing system distributes the special e-mail address list to each e-mail client within its management scope.
3. An e-mail buffer is set up on the e-mail server. Whenever the server receives an e-mail, it must first buffer that e-mail for a period of time, and only then allow the e-mail to be received or forwarded.
4. The worm virus detection and processing system checks the target addresses of e-mail sent by the e-mail client, including the recipient addresses and the carbon-copy addresses. If the target addresses include any special e-mail address in the special e-mail address list, the e-mail is considered to contain a worm virus, as in Fig. 2. The worm virus detection and processing system stops the transmission of the e-mail and deletes it, raises an alarm, and sends to the sender address an e-mail carrying the alert information, a special sequence string and the validity period of the special sequence string.
5. The worm virus detection and processing system records, in the e-mail virus infected host address list, the host address of the e-mail client that sent the e-mail containing the worm virus (for example: the IP address of the e-mail client host that sent it), and records the validity period of this host address in the e-mail virus infected host address list. It sends the other e-mails from this host address in the current e-mail buffer back to the sender address, and then deletes all other e-mails from this host address in the current e-mail buffer.
6. If, within the validity period, an e-mail sent by a host in the e-mail virus infected host address list contains the special sequence string, and the target e-mail addresses of the e-mail do not include any special e-mail address, the e-mail is considered a normal e-mail that does not contain a worm virus.
7. If, within the validity period, an e-mail sent by a host in the e-mail virus infected host address list does not contain the special sequence string, or the target e-mail addresses of the e-mail include any special e-mail address, the e-mail is considered to contain a worm virus, and the system deletes the e-mail containing the worm virus.
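The server-side steps 4 to 7 above, sketched in Python as an added example (not code from the patent). The addresses, host, hold time and validity period are constructed values, and dropping a host from the infected list once its validity period expires is an assumption the text does not spell out.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed values for illustration only.
SPECIAL_ADDRESSES = {"decoy-a1@corp.example", "decoy-b2@corp.example"}
HOLD_SECONDS = 60          # assumed buffering delay before delivery
VALIDITY_SECONDS = 3600    # assumed validity period of the special sequence string


@dataclass
class Mail:
    host: str          # address of the sending client host
    sender: str
    recipients: list   # To and Cc addresses
    body: str = ""


@dataclass
class DecoyDetector:
    infected: dict = field(default_factory=dict)  # host -> (token, expiry time)
    buffer: list = field(default_factory=list)    # (arrival time, Mail)
    alerts: list = field(default_factory=list)    # (sender, token, expiry time)
    returned: list = field(default_factory=list)  # buffered mail sent back to sender

    @staticmethod
    def hits_decoy(mail):
        return any(r.strip().lower() in SPECIAL_ADDRESSES for r in mail.recipients)

    def submit(self, mail, now=None):
        """Return 'buffered' or 'deleted' for one incoming mail."""
        now = time.time() if now is None else now
        entry = self.infected.get(mail.host)
        if entry and now >= entry[1]:
            # Assumption: an expired entry is dropped and the host is trusted again.
            del self.infected[mail.host]
            entry = None
        if entry:
            # Steps 6 and 7: a listed host must quote the token and avoid decoys.
            if entry[0] in mail.body and not self.hits_decoy(mail):
                self.buffer.append((now, mail))
                return "buffered"
            return "deleted"
        if self.hits_decoy(mail):
            self._flag(mail, now)
            return "deleted"
        self.buffer.append((now, mail))
        return "buffered"

    def _flag(self, mail, now):
        # Step 4: alert the sender with a token and its validity period.
        token = secrets.token_hex(8)
        expiry = now + VALIDITY_SECONDS
        self.alerts.append((mail.sender, token, expiry))
        # Step 5: list the host, return its buffered mail, then purge it.
        self.infected[mail.host] = (token, expiry)
        self.returned += [m for _, m in self.buffer if m.host == mail.host]
        self.buffer = [(t, m) for t, m in self.buffer if m.host != mail.host]

    def release(self, now):
        """Deliver mail that has been held for at least HOLD_SECONDS."""
        due = [m for t, m in self.buffer if now - t >= HOLD_SECONDS]
        self.buffer = [(t, m) for t, m in self.buffer if now - t < HOLD_SECONDS]
        return due


def demo():
    d = DecoyDetector()
    h = "10.0.0.7"  # constructed client host address
    r1 = d.submit(Mail(h, "amy@corp.example", ["bob@corp.example"], "see attachment"), now=0)
    r2 = d.submit(Mail(h, "amy@corp.example", ["eve@corp.example", "Decoy-A1@corp.example"]), now=5)
    token = d.alerts[0][1]
    r3 = d.submit(Mail(h, "amy@corp.example", ["bob@corp.example"], "hello"), now=10)
    r4 = d.submit(Mail(h, "amy@corp.example", ["bob@corp.example"], "hello " + token), now=20)
    r5 = d.submit(Mail(h, "amy@corp.example", ["decoy-b2@corp.example"], token), now=30)
    return [r1, r2, r3, r4, r5], len(d.returned), len(d.release(now=100))


if __name__ == "__main__":
    print(demo())
```

The first mail in the demo is pulled back out of the buffer once the same host hits a decoy address, which is what the buffering delay in step 3 makes possible.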
II. Instant message system:
Set up the following functions on the instant message client:
1. Receive the special message address list distributed by the worm virus detection and processing system, as in Fig. 1.
2. Select some of the special instant message addresses and add them to the address book of the instant message client, or add to the instant message list kept by the instant message client instant messages whose instant message address is an agreed special instant message address.
Set up the following functions on the protection system or the instant message server:
1. The worm virus detection and processing system generates a special instant message address list.
2. The worm virus detection and processing system distributes the special instant message address list to each instant message client within its management scope.
3. The worm virus detection and processing system checks the target instant message addresses of instant messages sent by the instant message client. If the target instant message addresses include any instant message address in the special instant message address list, the instant message is considered to contain a worm virus, as in Fig. 2. The worm virus detection and processing system stops the transmission of the instant message and deletes it, raises an alarm, and sends to the instant message client an instant message carrying the alert information, a special sequence string and the validity period of the special sequence string.
4. The worm virus detection and processing system records, in the instant message virus infected host address list, the host address of the instant message client that sent the instant message containing the worm virus (for example: the IP address of the instant message client host that sent it), and records the validity period of this host address in the instant message virus infected host address list.
5. If, within the validity period, an instant message sent by a host in the instant message virus infected host address list contains the special sequence string, and the target instant message addresses of the instant message do not include any special instant message address, the instant message is considered a normal instant message that does not contain a worm virus.
6. If, within the validity period, an instant message sent by a host in the instant message virus infected host address list does not contain the special sequence string, or the target instant message addresses of the instant message include any special instant message address, the instant message is considered to contain a worm virus, and the worm virus detection system deletes the instant message containing the worm virus.
III. Wireless communication system:
Set up the following functions on the wireless message client:
1. Receive the special wireless phone number list distributed by the worm virus detection and processing system.
2. Select some of the special wireless phone numbers and add them to the address list of the wireless message client, or add to the message list stored by the wireless message client wireless messages whose message address is an agreed special wireless phone number.
Set up the following functions on the wireless message server:
1. The worm virus detection and processing system generates a special wireless phone number list, as in Fig. 1.
2. The special wireless phone number list is distributed to each wireless message client (for example: a mobile phone) within the management scope.
3. The worm virus detection and processing system checks the target wireless phone numbers of wireless messages sent by the wireless message client. If the target wireless phone numbers include any wireless phone number in the special wireless phone number list, the wireless message is considered to contain a worm virus, as in Fig. 2. The worm virus detection and processing system stops the transmission of the wireless message and deletes it, raises an alarm, and sends to the wireless message client a wireless message carrying the alert information, a special sequence string and the validity period of the special sequence string.
4. The worm virus detection and processing system records, in the wireless message virus infected host address list, the host address of the wireless message client that sent the wireless message containing the worm virus (for example: the wireless phone number of the wireless message client host that sent it), and records the validity period of this host address in the wireless message virus infected host address list.
5. If, within the validity period, a wireless message sent by a host in the wireless message virus infected host address list contains the special sequence string, and the target wireless phone numbers of the wireless message do not include any special wireless phone number, the wireless message is considered a normal message that does not contain a worm virus.
6. If, within the validity period, a wireless message sent by a host in the wireless message virus infected host address list does not contain the special sequence string, or the target phone numbers of the wireless message include any special wireless phone number, the wireless message is considered to contain a worm virus, and the worm virus detection system deletes the wireless message containing the worm virus.

Claims (2)

1. A method for detecting worm virus spreading, comprising the following steps:
A) The worm virus detection system and the message client agree on some special message addresses.
B) The agreed special message addresses are added to the message client address list, or messages whose message address is an agreed special message address are added to the message list kept by the message client.
C) The messages sent by the message client or received by the message server are checked. If the target message addresses include any agreed special message address, the message is considered to contain a worm virus.
2. The method according to claim 1, comprising the following additional steps:
A) If, according to the detection method of claim 1, a message is judged to contain a worm virus, the message is deleted, and the user who sent the message containing the worm virus is marked as a virus-infected user.
B) An alert message is sent to this virus-infected user. The alert message contains a special sequence string and the validity period of that special sequence string.
C) Within the validity period of the special sequence string contained in the alert message, if a message sent by the virus-infected user contains the special sequence string and its target message addresses do not include any special message address, the message sent by the virus-infected user is considered not to contain a worm virus.
D) Within the validity period of the special sequence string contained in the alert message, if a message sent by the virus-infected user does not contain the special sequence string, or its target message addresses include any special message address, the message sent by the virus-infected user is considered to contain a worm virus, and the message containing the worm virus is deleted.
CN 200410098965 2004-12-20 2004-12-20 Method for detecting worm virus spreading Pending CN1625133A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410098965 CN1625133A (en) 2004-12-20 2004-12-20 Method for detecting worm virus spreading

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200410098965 CN1625133A (en) 2004-12-20 2004-12-20 Method for detecting worm virus spreading

Publications (1)

Publication Number Publication Date
CN1625133A (en) 2005-06-08

Family

ID=34766691

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200410098965 Pending CN1625133A (en) 2004-12-20 2004-12-20 Method for detecting worm virus spreading

Country Status (1)

Country Link
CN (1) CN1625133A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101589595B (en) * 2007-01-23 2013-04-24 阿尔卡特朗讯公司 A containment mechanism for potentially contaminated end systems

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication