WO2011131019A1 - Operation record tracing system and method based on the cloud computing - Google Patents


Publication number
WO2011131019A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
operation record
hash value
module
client
Application number
PCT/CN2011/000249
Other languages
French (fr)
Chinese (zh)
Inventor
潘燕辉
周勇兵
Original Assignee
Pan Yanhui
Zhou Yongbing
Application filed by Pan Yanhui, Zhou Yongbing

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Definitions

  • the present invention relates to the field of information security, and in particular to a cloud computing-based multi-user collaborative operation record tracking system and method.
  • a multi-user collaborative operation record tracking system comprising: at least one server and a plurality of clients; each of the clients is connected over a network to at least one server;
  • the client is configured to obtain operation records and process information of at least one process that it runs, calculate a hash value of each process, and upload each of the hash values and its corresponding operation records and process information to the server;
  • the process information includes at least one of client information of the process, a file name of the process, a version number of the process, a company name of the process, and a process file size;
  • the server is configured to classify and store the corresponding operation record and process information according to the hash value, and to generate report information to be downloaded to each of the clients, where the report information includes the operation records of the process tracked on other clients.
  • the operation record tracking system wherein the client includes a tracking module, a hash value calculation module, and an upload module;
  • the tracking module is configured to obtain operation records and process information of at least one of the processes;
  • the hash value calculation module is configured to calculate a hash value of each of the processes;
  • the uploading module is configured to upload the hash value and its corresponding operation record and process information to the server;
  • the server includes a classification storage module and a sharing module, and the classification storage module is configured to store the corresponding operation record and process information on the server according to the hash value of each process;
  • the sharing module is configured to generate the report information according to the operation record and the process information of each process stored on the server, and to download the report information to each of the clients.
  • the operation record tracking system wherein the client further includes a report module, and the report module is configured to report according to the report information.
  • the operation record tracking system wherein the client further includes a consultation comment module, wherein the consultation comment module is connected with the tracking module and is used for determining whether an instruction to start tracking has been received, and if so, starting the tracking module to begin tracking.
  • the operation record tracking system wherein the sharing module includes an operation record search unit, a percentage calculation unit, a report information generation unit, and a download unit; the operation record search unit is configured to search the classification storage module for processes with the same hash value and generate a search result according to their operation records and process information; the percentage calculation unit is configured to generate an operation record percentage according to the search result; the report information generation unit is configured to generate the report information according to the operation record percentage and the search result; the download unit is configured to download the report information to each of the clients.
  • a multi-user collaborative operation record tracking method, applied to any of the above-described operation record tracking systems, comprising the following steps:
  • A1 a tracking step, configured to obtain operation records and process information of at least one process run by the client, where the process information includes at least one of client information of the process, a file name of the process, a version number of the process, a company name of the process, and a process file size;
  • A2 a hash value calculation step, configured to calculate a hash value of each process of the client;
  • A3 an uploading step, configured to upload each of the hash values and their corresponding operation records and process information to the server;
  • A4 a classification storage step, configured to classify and store the corresponding operation record and the process information according to the hash value;
  • A5 a sharing step, configured to generate report information according to the operation record and the process information, and download the report information to each of the clients.
  • after step A5, a reporting step is further performed: reporting according to the report information.
  • before step A1, a consultation step is further included: asking the client whether to execute step A1, and if an affirmative answer is obtained from the client, step A1 is started.
  • the operation record includes at least one of a file operation record, a network connection record, and an operation record to the registry.
  • step A5 specifically performs the following steps:
  • A51 an operation record searching step, for finding processes having the same hash value and generating a search result according to their operation records and process information;
  • A52 a percentage calculation step, configured to generate an operation record percentage according to the search result;
  • A53 a report information generation step, configured to generate report information according to the operation record percentage and the search result;
  • A54 a downloading step, for downloading the report information to each of the clients for sharing.
  • the large-scale cloud tracking technology provided by the present invention uses a large user group to share the process tracking information of each client. This tracking technique records the other files accessed by the process files of each client user, the network connections made, and even modifications to the registry. These records are then stored centrally on the server and shared with each client user, with particular emphasis on sharing uncommon operation records.
  • when the process file is the same file, a user of this file can view the behavior of the file tracked by all other users who have the same file. The behaviors of this file are sorted by the proportion of users showing the same behavior, and the user can also see what proportion of all users who own this file showed a similar behavior.
  • Figure 1 is a schematic view showing the overall structure of the system of the present invention
  • Figure 2 is a schematic structural view of a system of the present invention
  • Figure 3 is a schematic structural diagram of the sharing module in Figure 2.
  • FIG. 1 is a schematic diagram showing the overall structure of an operation record tracking system for multi-user collaboration, including: at least one server end and a plurality of clients, and a plurality of server ends can be set up according to requirements, and each client and at least one server end are connected through a network.
  • the system can include one or more servers, and clients can connect to one or more servers.
  • the client is configured to track and obtain the operation records of at least one process run by the client and the process information of that process running on the client; for example, the operation record may be which files the process accessed and which websites it accessed;
  • the process information may include, but is not limited to, information about the user to which the process belongs, the company to which the process belongs, and the like; the operation records of multiple processes may be tracked as needed; the hash value of the process is then calculated;
  • the server receives the above hash values and process information from a large number of clients, classifies and stores the operation records and process information on the server according to the hash values, and generates report information that is downloaded to each client for sharing;
  • according to the report information, the client can view the operation records of the file on their clients as tracked by all other users who have the same process file;
  • the operation records of this file can be sorted by the proportion of users showing the same behavior, and the client can also see the information of the users who showed a similar behavior, the company to which the process belongs and other information, and the proportion of all users who own this process that the operation record accounts for, so that the client can monitor the operation records of the process tracked on other clients;
  • in this way, even if a certain piece of software uses server rules to perform covert operations on any one computer terminal, such as using the user's computer to click on advertisements in the background or secretly collecting user information unrelated to the software, it will be monitored by all other users in the network; the user will be wary when using the software, and can even choose to uninstall it.
  • the client can be set to obtain the operation records and process information of only one or several processes, that is, to set the number of processes to acquire; or it can be set to specify one or more processes, that is, to select the processes to be acquired.
  • For example, a certain program ABC.EXE accesses information on the user's computer without the user's permission and uploads it to server Q, to which the process file ABC.EXE belongs, while also directing the user's computer to open an ad page in the background for fraudulent clicks. Server Q controls ABC.EXE so that it randomly selects a subset of users from a large group of users to collect information and click on ads. User A has ABC.EXE installed, but ABC.EXE has not yet collected user information on User A's computer; only the behavior of clicking the advertisement has been performed.
  • User A uses the operation record tracking system provided by the present invention to record to the server the behavior of ABC.EXE directing the user's computer to click the advertisement in the background, and shares it with other users who have ABC.EXE; from the information shared by other users, User A also learns of the behavior of ABC.EXE collecting user information. All the violations performed by the file ABC.EXE are therefore known to the users in the network and saved, and on that basis the user can choose to uninstall the program to prevent further harm.
  • the client may include a tracking module 11, a hash value calculation module 12, and an uploading module 13;
  • the tracking module 11 is configured to obtain the operation records of at least one process run by the client and the process information of that process, for example, recording the network connections accessed by the process, its modifications to local files, or its modifications to the registry, together with the related information of the process file, such as the file name, the company, and the like;
  • the hash value calculation module 12 is configured to calculate the hash value of the process; the method of calculating a hash value is common knowledge and is not described here;
  • the uploading module 13 is configured to upload the operation record, the process information and the hash value of the process to the server;
  • the server may include the classification storage module 21 and the sharing module 22; the classification storage module 21 stores the operation record and the process information on the server according to the hash value of the foregoing process, for example, using the different hash values to build an index or a directory, and storing the operation record and the process information on the server;
  • the sharing module 22 According to the operation record of the process file stored on
  • the client further includes a report module 14 for reporting the information to the user, for example, reporting the operation records of the file tracked by other users having the same file, sorted by the percentage of each behavior record, and so on.
  • the client further includes a consultation comment module 10, and the consultation comment module 10 is connected with the tracking module 11 and is used for asking the client user whether the tracking module 11 should start tracking.
  • if an affirmative answer is obtained, the tracking module 11 immediately starts tracking. For example, before starting to track the process B.EXE, the user is asked whether to start tracking the process. If the user gives an affirmative answer, the tracking module 11 starts tracking the process B.EXE, which avoids unnecessary tracking and logging of some regular processes.
  • the sharing module may further include an operation record searching unit 221, a percentage calculating unit 222, a report information generating unit 223, and a downloading unit 224;
  • the searching unit 221 is configured to search the classification storage module 21 for the operation record of the process having the same hash value and the information of the process, and generate a search result, for example, using the hash value as the search condition, and searching in the classification storage module 21.
  • the percentage calculation unit 222 is configured to generate an operation record percentage according to the above search result;
  • the report information generating unit 223 is configured to generate report information according to the operation record percentage and the search result;
  • the download unit 224 is configured to download the report information to the corresponding client for sharing.
  • the operation record percentage used in the above description is defined in the present invention as the ratio of the number of clients on which an operation behavior has been performed to the number of all the clients that have the process.
  • the embodiment continues to provide a multi-user coordinated operation record tracking method, which is applied to any of the above embodiments, and includes the following steps:
  • A1 a tracking step, which is used to obtain operation records and process information of at least one process run by the client, and may obtain the operation records and process information of multiple processes as needed, the number of processes not being limited; the process information includes at least the process of each process.
  • A2 a hash value calculation step for calculating a hash value of each process in the client, the hash value of each process being calculated separately;
  • A3 an uploading step, configured to upload each hash value and its corresponding operation record and process information to the server; for example, uploading the hash value of each process and its corresponding operation record and process information one by one to the server;
  • A4 a classification storage step, configured to classify the operation record and the process information corresponding to each hash value according to the hash value; for example, a storage item includes: a hash value, an operation record corresponding to the hash value, The process information corresponding to the hash value;
  • A5 a sharing step, for generating report information according to the operation record and process information described above and downloading it to each of the clients.
  • a reporting step can also be performed, reporting according to the report information: for example, alerting the client, such as by popping up a prompt window on the client, so as to provide the user with a useful report on which to base a decision.
  • step A4 may specifically perform the following steps:
  • A51 an operation record searching step, which is used to find an operation record of a process having the same hash value and process information of the process, and generate a search result
  • A52 a percentage calculation step for generating an operation record percentage according to the search result
  • A53 a report information generating step, configured to generate report information according to the operation record percentage and the process information of the process
  • A54 a downloading step, configured to download the report information to the corresponding client for sharing.
  • the client is further configured to monitor, according to the report information, the operation records of the process tracked on other clients.
  • before step A1, a consultation step is further included, which is used to ask the client user whether to start step A1. If an affirmative answer is obtained from the client, step A1 is started. For example, before starting to track the process B.EXE, the user is asked whether to start tracking the process. If the user answers affirmatively, the tracking module 11 starts tracking the process B.EXE, so as to avoid unnecessary tracking and recording of some regular processes.
  • the operation record may include: the file operation record, the network connection record, and the operation record of the registry; the process information may include the client information of the process, the file name of the process, the version number of the process, the company name of the process, the process file size, or a combination or all of them.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

An operation record tracing system cooperated with users is disclosed in the present invention. The system includes at least one server and several client terminals. Each client terminal networks with one server at least, obtains the operation record and process information of at least one process running in this client terminal, calculates hash value of each process respectively, and uploads the hash value and corresponding operation record and process information into the server. The server classifies and stores the corresponding operation record and process information based on the hash value, and generates the report information which includes the operation records with the same process traced by other client terminals and is downloaded into the client terminals. Once any client terminal takes a sinister operation in the network, the process document can be detected by all other users in the network. Those users will use the relevant software vigilantly, in order to avoid becoming an attacked computer or being utilized by others unlawfully.

Description

Cloud computing-based operation record tracking system and method

Technical field

The present invention relates to the field of information security, and in particular to a cloud computing-based multi-user collaborative operation record tracking system and method.

Background

Today, as informatization advances and applicable technologies keep appearing, it is increasingly convenient for users to carry out activities involving digital information, and users are undeniably ever more closely tied to informatization and digitization. Alongside this, however, digital information crime such as attacks (especially over the Internet) on personal computers, servers, or other computerized devices occurs frequently. The underground digital economy has clearly become increasingly industrialized and large in scale, its criminal activity has become increasingly concealed, and the attack techniques of malware have developed greatly. For example, attacks have evolved from the earlier single file into multi-module, multi-component forms, and most malware now has strong camouflage capabilities.

As technology has developed, some viruses and Trojans have strengthened their server-side policy control. Previously, once a virus or Trojan activated, it kept activating according to some fixed rule, such as activating immediately or in a fixed time period (the Black Friday virus). Now, however, the time and scale of activation are often controlled through a server, for example activating only in part of the IP ranges or during part of the time, and these activation rules are controlled by the server to which the virus or Trojan belongs and can be adjusted at any time. Even some legitimate commercial software uses server rules to perform covert operations, such as using the user's computer to click on advertisements in the background, or secretly collecting user information unrelated to the software. This strategy of flexibly controlled activation rules greatly reduces the chance of discovering Trojans and viruses. In particular, non-destructive behavior cannot be flagged by any antivirus or protection software. For example, making the user's computer visit a certain URL or click on a certain advertisement does not trigger any prompt from protection software. As a result, even when a machine is being controlled as a zombie machine, this is hard to detect.

Therefore, the prior art has drawbacks and needs improvement.

Summary of the invention

The technical problem to be solved by the present invention is to provide, in view of the deficiencies of the prior art, a cloud computing-based multi-user collaborative operation record tracking system and method.
The technical solution of the present invention is as follows:

A multi-user collaborative operation record tracking system, comprising: at least one server and a plurality of clients; each of the clients is connected over a network to at least one server;

The client is configured to obtain operation records and process information of at least one process that it runs, calculate a hash value of each process, and upload each of the hash values and its corresponding operation records and process information to the server; the process information includes at least one of client information of the process, a file name of the process, a version number of the process, a company name of the process, and a process file size; the server is configured to classify and store the corresponding operation record and process information according to the hash value, and to generate report information that is downloaded to each of the clients, where the report information includes the operation records of the process tracked on other clients.

The operation record tracking system, wherein the client includes a tracking module, a hash value calculation module, and an upload module;

The tracking module is configured to obtain operation records and process information of at least one of the processes; the hash value calculation module is configured to calculate a hash value of each of the processes; the upload module is configured to upload the hash value and its corresponding operation record and process information to the server;

The server includes a classification storage module and a sharing module; the classification storage module is configured to store the corresponding operation record and process information on the server according to the hash value of each process; the sharing module is configured to generate the report information according to the operation record and the process information of each process stored on the server, and to download it to each of the clients.

The operation record tracking system, wherein the client further includes a report module, and the report module is configured to report according to the report information.

The operation record tracking system, wherein the client further includes a consultation comment module; the consultation comment module is connected with the tracking module and is used for determining whether an instruction to start tracking has been received, and if so, starting the tracking module to begin tracking.

The operation record tracking system, wherein the sharing module includes an operation record search unit, a percentage calculation unit, a report information generation unit, and a download unit; the operation record search unit is configured to search the classification storage module for processes with the same hash value and generate a search result according to their operation records and process information; the percentage calculation unit is configured to generate an operation record percentage according to the search result; the report information generation unit is configured to generate the report information according to the operation record percentage and the search result; the download unit is configured to download the report information to each of the clients.
A multi-user collaborative operation record tracking method, applied to any of the above-described operation record tracking systems, comprising the following steps:

A1: a tracking step, configured to obtain operation records and process information of at least one process run by the client; the process information includes at least one of client information of the process, a file name of the process, a version number of the process, a company name of the process, and a process file size;

A2: a hash value calculation step, configured to calculate a hash value of each process of the client;

A3: an uploading step, configured to upload each of the hash values and their corresponding operation records and process information to the server;

A4: a classification storage step, configured to classify and store the corresponding operation record and the process information according to the hash value;

A5: a sharing step, configured to generate report information according to the operation record and the process information, and download it to each of the clients.

The method, wherein, after step A5, a reporting step is further performed: reporting according to the report information.

The method, wherein, before step A1, a consultation step is further included: asking the client whether to execute step A1, and if an affirmative answer is obtained from the client, step A1 is started.

The method, wherein the operation record includes at least one of a file operation record, a network connection record, and an operation record to the registry.

The method, wherein step A5 specifically performs the following steps:

A51: an operation record searching step, for finding processes having the same hash value and generating a search result according to their operation records and process information;

A52: a percentage calculation step, configured to generate an operation record percentage according to the search result;

A53: a report information generation step, configured to generate report information according to the operation record percentage and the search result;

A54: a downloading step, for downloading the report information to each of the clients for sharing.

The large-scale cloud tracking technology provided by the present invention uses a large user group to share the process tracking information of each client. This tracking technique records the other files accessed by the process files of each client user, the network connections made, and even modifications to the registry. These records are then stored centrally on the server and shared with each client user, with particular emphasis on sharing uncommon operation records. When the process file is the same file, a user of this file can view the behavior of the file tracked by all other users who have the same file. The behaviors of this file are sorted by the proportion of users showing the same behavior, and the user can also see what proportion of all users who own this file showed a similar behavior. Even if a system file uses various rules to perform covert operations, it cannot escape the joint monitoring of all users: once any process file performs a covert operation on some client in the network, it will be discovered by all other users in the network, who will then be more vigilant when using the software and avoid becoming a zombie machine or being illegally exploited by others.

Brief description of the drawings
图 1是本发明系统的整体结构示意图; 图 2是本发明的一种系统结构示意图; Figure 1 is a schematic view showing the overall structure of the system of the present invention; 2 is a schematic structural view of a system of the present invention;
图 3是图 2中的分享模块的结构示意图。 具体实施方式  FIG. 3 is a schematic structural diagram of the sharing module in FIG. 2. detailed description
The invention is described in detail below with reference to the drawings and specific embodiments.
Embodiment 1
Figure 1 is a schematic diagram of the overall structure of the multi-user collaborative operation record tracking system, which comprises at least one server and a plurality of clients. Multiple servers can be set up as needed, and each client is connected to at least one server over a network. The system may include one or more servers, and one client may connect to one or more servers.
The client tracks and obtains the operation records of at least one process running on that client, together with the process information of that process. For example, the operation records may show which files the process accessed and which websites it visited; the process information may include, but is not limited to, information about the user to whom the process belongs and the company to which the process belongs. The operation records of multiple processes can be tracked as needed. The client then calculates the hash value of the process. The server receives these hash values and the process information from a large number of clients and stores the operation records and process information classified by hash value. The server also generates report information, which is downloaded to every client for sharing. From the report information, a client can view the operation records of the same process file as tracked on the clients of all other users who have it. The operation records of the file can be sorted by the proportion of identical behavior, and the client can also see information about the users for whom a similar behavior was recorded, the company to which the process belongs, and the proportion of all users having this process that the operation record accounts for. In this way a client can monitor the operation records that the process produced on other clients. Even if a piece of software uses server rules to perform covert operations on any one computer, such as clicking advertisements in the background on the user's computer or secretly collecting user information that has nothing to do with it, it will be observed by all the other networked users, who can then be on guard when using the software or even choose to uninstall it. For example, the client can be set to obtain the operation records and process information of only one or several processes, that is, to set the number of processes obtained; it can also be set to designate one or more processes, that is, to select the processes to be obtained.
For example, a process file ABC.EXE, without the user's permission, accesses other information on the user's computer and uploads it to server Q, to which ABC.EXE belongs, while also directing the user in the background to open an advertisement page for fraudulent clicks. Server Q controls ABC.EXE so that each time it randomly selects a portion of a large user base for information collection and advertisement clicking. User A has ABC.EXE installed, but ABC.EXE has not yet collected user information on user A's computer; it has only performed the advertisement clicks. User A is using the operation record tracking system provided by the present invention, which records ABC.EXE's background advertisement-click behavior to the server and shares it with the other users who have ABC.EXE. Through the information shared by other users, user A also learns of ABC.EXE's collection of user information. All the improper operations performed by the file ABC.EXE thus become known to the networked users and are preserved as evidence, and a user can choose on that basis to uninstall the program and prevent further harm.
Taking Figure 2 as an example of one specific structure of the above system, the client may include a tracking module 11, a hash value calculation module 12 and an upload module 13.
The tracking module 11 obtains the operation records of at least one process run by the client and the process information of that process, for example the network connections the process accessed, the modifications it made to local files, or the modifications it made to the registry, and also records information about the process file, such as the file name and the company to which it belongs. The hash value calculation module 12 calculates the hash value of the process; methods of calculating a hash value are common knowledge and are not described here. The upload module 13 uploads the operation records, the process information and the hash value to the server. The server may include a classification storage module 21 and a sharing module 22. The classification storage module 21 stores the operation records and process information on the server according to the hash value of the process, for example by building an index or directory from the different hash values. The sharing module 22 generates report information from the operation records and process information of the process files stored on the server, and the report information is downloaded to each client for sharing. The report information may include, for example, the operation records of the process file tracked by other users who have the same process file, and may also include a ranking by the operation record percentage of a given operation behavior; from the report information a user can also see information about the users for whom a similar behavior was recorded, such as the user's IP address and country or region. The client further includes a report module 14, which reports to the user according to the report information, for example the operation records of the file tracked by other users who have the same file, or the ranking by operation record percentage.
Embodiment 2
On the basis of Embodiment 1, to improve human-computer interaction, the client further includes a consultation module 10 connected to the tracking module 11, which asks the client user whether the tracking module 11 should start tracking. If the client gives an affirmative answer, the tracking module 11 starts tracking immediately. For example, before starting to track the process B.EXE, the user is asked whether to start tracking the process; if the user answers affirmatively, the tracking module 11 starts tracking B.EXE. This avoids unnecessary tracking and recording of routine processes.
Embodiment 3
On the basis of Embodiment 1, to further complete the functions of the system, the sharing module may further include an operation record search unit 221, a percentage calculation unit 222, a report information generation unit 223 and a download unit 224. The operation record search unit 221 searches the classification storage module 21 for the operation records of processes having the same hash value and the information of those processes, and generates a search result; for example, it uses the hash value as the search condition in the classification storage module 21 to find the operation records of processes with the same hash value, the number of users recorded and the user information. The percentage calculation unit 222 generates the operation record percentage from the search result. The report information generation unit 223 generates the report information from the operation record percentage and the search result. The download unit 224 downloads the report information to the corresponding clients for sharing.
Note that the operation record percentage used in the above description is defined in the present invention as follows: among the operation records of a given process stored on the server, the ratio of the number of clients on which a certain operation behavior was performed to the number of all clients that have this process. For example, the operation record percentage for process A accessing website XX can be calculated as follows: the server has tracked 5 million clients that have process A, and for 2 million of those users process A accessed website XX, so the operation record percentage for accessing website XX is 200/500 = 40%. The percentage shows which behaviors are common operations and which are isolated operations, and users can decide on that basis, for example, to uninstall processes that frequently perform isolated operations.
Embodiment 4
This embodiment further provides a multi-user collaborative operation record tracking method, applied to any of the above embodiments, comprising the following steps:
A1: a tracking step of obtaining the operation records and process information of at least one process run by the client. The operation records and process information of multiple processes can be obtained as needed, and the number of processes is not limited. The process information includes at least one of: information about the client on which the process resides, the file name of the process, the version number of the process, the name of the company to which the process belongs, and the process file size; it may also include all of these.
A2: a hash value calculation step of calculating the hash value of each process on the client, each hash value being calculated separately.
A3: an upload step of uploading each hash value and its corresponding operation records and process information to the server, for example uploading, process by process, the hash value of each process with its corresponding operation records and process information.
A4: a classification storage step of storing the operation records and process information corresponding to each hash value, classified by hash value; for example, one stored item includes the hash value, the operation records corresponding to that hash value, and the process information corresponding to that hash value.
A5: a sharing step of generating report information from the corresponding operation records and process information and downloading it to each of the clients.
As a further example, a reporting step may be performed after step A5, reporting according to the report information, for example by issuing an alert to the client or by popping up a prompt window on the client, so as to give the user a useful report for decision-making.
Embodiment 5
Applied to the above embodiments, step A4 may specifically perform the following steps:
A51: an operation record search step of finding the operation records of processes having the same hash value and the process information of those processes, and generating a search result; A52: a percentage calculation step of generating the operation record percentage from the search result; A53: a report information generation step of generating report information from the operation record percentage and the process information of the process; A54: a download step of downloading the report information to the corresponding clients for sharing. For example, the client is further configured to monitor, according to the report information, the operation records of a given process tracked on other clients.
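The flow of steps A1 to A5 with sub-steps A51 to A54, using the operation record percentage defined in Embodiment 3, as an added example that is not code from the patent. SHA-256, the in-memory store, the `uncommon_below` threshold and every class, function and sample name are assumptions, and the uploads are constructed sample data.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


def process_file_hash(image: bytes) -> str:
    """Step A2. SHA-256 over the process file is an assumption: the page names no algorithm."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Upload:
    """Step A3 payload: one client's trace of one process (field names are hypothetical)."""
    client_id: str
    file_hash: str
    process_info: dict   # file name, version, company, file size ...
    operations: list     # (kind, target) pairs; kind is "file", "network" or "registry"


class TraceServer:
    """Step A4 (store by hash) and sub-steps A51-A53 (search, percentage, report)."""

    def __init__(self):
        # file_hash -> clients that reported the process at all (the denominator)
        self.owners = defaultdict(set)
        # file_hash -> operation -> clients that observed it (the numerator)
        self.observers = defaultdict(lambda: defaultdict(set))
        self.info = {}

    def store(self, up: Upload) -> None:
        """A4: file the record under its hash. Sets count each client once per operation."""
        self.owners[up.file_hash].add(up.client_id)
        self.info.setdefault(up.file_hash, dict(up.process_info))
        for kind, target in up.operations:
            self.observers[up.file_hash][(kind, target)].add(up.client_id)

    def report(self, file_hash: str, uncommon_below: float = 25.0) -> dict:
        """A51-A53: look up by hash, compute percentages, sort most common first."""
        total = len(self.owners.get(file_hash, ()))
        if total == 0:
            return {"file_hash": file_hash, "process_info": None,
                    "clients": 0, "operations": []}
        rows = []
        for (kind, target), clients in self.observers[file_hash].items():
            percent = round(100.0 * len(clients) / total, 2)
            rows.append({
                "kind": kind,
                "target": target,
                "clients": len(clients),
                "percent": percent,
                # Assumed cut-off for the "uncommon" records the page wants highlighted.
                "uncommon": percent < uncommon_below,
            })
        rows.sort(key=lambda r: (-r["percent"], r["kind"], r["target"]))
        return {"file_hash": file_hash, "process_info": self.info[file_hash],
                "clients": total, "operations": rows}


# Constructed sample: five clients hold the same file; two saw it visit a site,
# one of those also saw it read a local file (the page's 40% case, scaled down).
DEMO_HASH = process_file_hash(b"constructed bytes standing in for ABC.EXE")


def build_demo_server() -> TraceServer:
    info = {"file_name": "ABC.EXE", "company": "Example Corp"}
    traces = {
        "client-1": [("network", "xx-site.example")],
        "client-2": [("network", "xx-site.example"), ("file", "contacts.db")],
        "client-3": [],
        "client-4": [],
        "client-5": [],
    }
    server = TraceServer()
    for client_id, ops in traces.items():
        server.store(Upload(client_id, DEMO_HASH, info, ops))
    # A repeated upload from the same client must not inflate the percentage.
    server.store(Upload("client-1", DEMO_HASH, info, [("network", "xx-site.example")]))
    return server


if __name__ == "__main__":
    # A54 would send this report to each client; here it is printed instead.
    for row in build_demo_server().report(DEMO_HASH)["operations"]:
        print(row)
```

The percentage is counted over distinct client identifiers, so it is only as trustworthy as the server's way of telling clients apart, which the page does not describe.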
Embodiment 6
Applied to the above embodiments, a consultation step is further included before step A1. The consultation step asks the client user whether to start step A1; if the client gives an affirmative answer, step A1 starts. For example, before starting to track the process B.EXE, the user is asked whether to start tracking the process; if the user answers affirmatively, the tracking module 11 starts tracking B.EXE. This avoids unnecessary tracking and recording of routine processes.
Embodiment 7
Applied to the above embodiments, the operation records may include file operation records, network connection records and records of operations on the registry; the process information may include one of, a combination of, or all of: information about the client on which the process resides, the file name of the process, the version number of the process, the name of the company to which the process belongs, and the process file size.
It should be understood that those of ordinary skill in the art can make improvements or changes based on the above description, and all such improvements and changes fall within the scope of protection of the appended claims of the present invention.

Claims

1. A multi-user collaborative operation record tracking system, characterized by comprising: at least one server and a plurality of clients, each client being network-connected to at least one server;
the client is configured to obtain the operation records and process information of at least one process that it runs, to calculate the hash value of each process separately, and to upload each hash value and its corresponding operation records and process information to the server; the process information includes at least one of: information about the client on which the process resides, the file name of the process, the version number of the process, the name of the company to which the process belongs, and the process file size;
the server is configured to store the corresponding operation records and process information classified according to the hash value, and to generate report information that is downloaded to each client, the report information including the operation records of the process tracked on other clients.
2. The operation record tracking system according to claim 1, characterized in that the client comprises a tracking module, a hash value calculation module and an upload module;
the tracking module is configured to obtain the operation records and process information of at least one process; the hash value calculation module is configured to calculate the hash value of each process; the upload module is configured to upload the hash value and its corresponding operation records and process information to the server;
the server comprises a classification storage module and a sharing module; the classification storage module is configured to store, according to the hash value of each process, the corresponding operation records and process information on the server; the sharing module is configured to generate the report information from the operation records and process information of each process stored on the server and to download it to each client.
3. The operation record tracking system according to claim 1 or 2, characterized in that the client further comprises a report module configured to report according to the report information.
4. The operation record tracking system according to claim 2, characterized in that the client further comprises a consultation module connected to the tracking module, configured to determine whether an instruction to start tracking has been received and, if so, to start the tracking module.
5. The operation record tracking system according to claim 2, characterized in that the sharing module comprises an operation record search unit, a percentage calculation unit, a report information generation unit and a download unit; the operation record search unit is configured to search the classification storage module for processes having the same hash value and to generate a search result from their operation records and process information; the percentage calculation unit is configured to generate an operation record percentage from the search result; the report information generation unit is configured to generate the report information from the operation record percentage and the search result; the download unit is configured to download the report information to each client.
6. A multi-user collaborative operation record tracking method, applied to the operation record tracking system according to any one of claims 1 to 5, characterized by comprising the following steps:
A1: a tracking step of obtaining the operation records and process information of at least one process run by the client; the process information includes at least one of: information about the client on which the process resides, the file name of the process, the version number of the process, the name of the company to which the process belongs, and the process file size;
A2: a hash value calculation step of calculating the hash value of each process on the client;
A3: an upload step of uploading each hash value and its corresponding operation records and process information to the server;
A4: a classification storage step of storing the corresponding operation records and process information classified according to the hash value;
A5: a sharing step of generating report information from the operation records and the process information and downloading it to each of the clients.
7. The method according to claim 6, characterized in that a reporting step is further performed after step A5: reporting according to the report information.
8. The method according to claim 6, characterized in that a consultation step is further included before step A1: asking the client for an instruction as to whether to perform step A1 and, if an affirmative answer is obtained from the client, starting step A1.
9. The method according to claim 6, characterized in that the operation records include at least one of: file operation records, network connection records, and records of operations on the registry.
10. The method according to claim 6, characterized in that step A5 specifically performs the following steps:
A51: an operation record search step of finding processes having the same hash value and generating a search result from their operation records and process information;
A52: a percentage calculation step of generating an operation record percentage from the search result;
A53: a report information generation step of generating report information from the operation record percentage and the search result;
A54: a download step of downloading the report information to each of the clients for sharing.
PCT/CN2011/000249 2010-04-23 2011-02-17 Operation record tracing system and method based on the cloud computing WO2011131019A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010154180.0 2010-04-23
CN 201010154180 CN101808102B (en) 2010-04-23 2010-04-23 Operating record tracing system and method based on cloud computing

Publications (1)

Publication Number Publication Date
WO2011131019A1 true WO2011131019A1 (en) 2011-10-27

Family

ID=42609722

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/000249 WO2011131019A1 (en) 2010-04-23 2011-02-17 Operation record tracing system and method based on the cloud computing

Country Status (2)

Country Link
CN (1) CN101808102B (en)
WO (1) WO2011131019A1 (en)

Also Published As

Publication number Publication date
CN101808102B (en) 2012-12-12
CN101808102A (en) 2010-08-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11771472

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11771472

Country of ref document: EP

Kind code of ref document: A1