WO2012097553A1 - Virus prevention method and system for intelligent mobile terminal - Google Patents


Info

Publication number
WO2012097553A1
Authority
WO
WIPO (PCT)
Prior art keywords
downlink data
virus
payload
data
mobile terminal
Prior art date
Application number
PCT/CN2011/073710
Other languages
French (fr)
Chinese (zh)
Inventor
周昊
杨小明
甘惠亮
苏玉婷
Original Assignee
中兴通讯股份有限公司
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2012097553A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware

Definitions

  • The present invention relates to the field of communications, and in particular to a virus prevention method and system for an intelligent mobile terminal.
  • BACKGROUND As smart mobile terminals (for example, smartphones) become increasingly popular and widely accepted and used, some criminals exploit the fact that application software can be freely installed on smart mobile terminals to create and spread smartphone viruses and malware on a large scale. Figures show that from December 2009 to June 2010, more than 500 new mobile phone viruses appeared worldwide in just half a year, which is more than the sum of previous years. Once hundreds of millions of smartphone users are infected with viruses in large numbers, or the backdoors of some mobile phone software are maliciously exploited, users are likely to suffer incalculable losses.
  • FIG. 1 is a schematic diagram of a virus intruding into a smartphone in the related art.
  • The intrusion of a virus into an intelligent mobile terminal is mainly divided into the following processes: Process (1): the virus hides and spreads in the mobile phone network; Process (2): the virus reaches the smartphone communication processor through the base station; Process (3): the virus reaches the application processor through the smartphone communication processor; Process (4): the virus takes root in the application processor; Process (5): the virus is triggered and breaks out.
  • The virus defense and removal systems of intelligent mobile terminals are gradually improving, but they mainly focus on virus detection and removal, and the detection and removal work is all completed on the smartphone's local application processor.
  • The operating frequency of current terminal processors is generally low.
  • Detecting viruses while applications run in parallel makes operation too inefficient, and merely detecting and killing viruses cannot effectively cut off the propagation path of the same or similar viruses or malicious programs.
  • SUMMARY OF THE INVENTION A virus prevention method for an intelligent mobile terminal includes: the communication processor of the intelligent mobile terminal performs protocol decomposition on the received downlink data and parses out the payload of the downlink data; the communication processor matches the payload with suspected virus features to obtain a matching value; when the matching value is greater than the threshold, the communication processor sends the payload to the base station to perform subsequent virus analysis.
  • The protocol decomposition that the communication processor performs on the received downlink data includes: the communication processor determines whether the downlink data is circuit domain data or packet domain data; when the downlink data is circuit domain data, the payload of the downlink data is parsed out according to a short message format or a circuit domain data format; when the downlink data is packet domain data, the payload of the downlink data is parsed out using the transport layer protocol, the routing layer protocol, and the upper layer protocol.
  • the method further includes: when the matching value is less than or equal to the threshold, the communications processor directly sends the downlink data to the application processor of the smart mobile terminal.
  • Performing the subsequent virus analysis by the base station includes: The base station matches the payload with the virus information in the virus database, and determines whether the downlink data is virus information.
  • the method further includes: the communication processor receives the determination response and the analysis report fed back by the base station, wherein the determination response carries indication information that the downlink data is virus information; the communication processor intercepts the downlink data and the other data in the current transmission, and records the information corresponding to the downlink data.
  • the information corresponding to the downlink data includes at least one of the following: source information of the data packet, and a propagation path.
  • the virus defense system of the smart mobile terminal includes: an intelligent mobile terminal; the smart mobile terminal includes: a communication processor; the communication processor further includes: a protocol analysis module, configured to perform protocol decomposition on the received downlink data and parse out the payload of the downlink data; a first decision module, configured to match the payload with the suspected virus features to obtain a matching value, and determine whether the matching value is greater than a threshold; and a first communication module, configured to send the payload to the base station to perform subsequent virus analysis when the output of the first decision module is YES.
  • the base station includes: a second communication module configured to receive a payload from the first communication module; and a second determination module configured to perform virus analysis on the downlink data according to the payload.
  • the protocol analysis module includes: a determining unit, configured to determine whether the downlink data is circuit domain data or packet domain data; a first parsing unit, configured to parse out the payload of the downlink data according to the short message format or the circuit domain data format when the downlink data is circuit domain data; and a second parsing unit, configured to parse out the payload of the downlink data by using a transport layer protocol, a routing layer protocol, and a higher layer protocol when the downlink data is packet domain data.
  • the smart mobile terminal further includes: an application processor, configured to receive downlink data from the communications processor when the matching value is less than or equal to the threshold.
  • the second determining module includes: a matching unit configured to match the payload with the virus information in the virus database to determine whether the downlink data is virus information.
  • the first communication module is further configured to receive the determination response and the analysis report fed back by the base station, where the determination response carries indication information that the downlink data is virus information; the communication processor further includes: an intercepting module, configured to intercept the downlink data and the other data in the current transmission; and a statistics module, configured to record the information corresponding to the downlink data.
  • the communication processor of the intelligent mobile terminal and the mobile network base station are combined to implement virus prevention for the intelligent mobile terminal. This solves the problem in the related art that the virus detection and removal work of the smartphone is all performed on the local application processor, which leads to low operating efficiency; it effectively implements virus defense for the intelligent mobile terminal and avoids reducing the operating efficiency of the intelligent mobile terminal when viruses are detected and killed.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a schematic diagram of a virus intruding into an intelligent mobile terminal in the related art
  • FIG. 2 is a structural block diagram of a virus defense system of an intelligent mobile terminal according to an embodiment of the present invention
  • FIG. 3 is a structural block diagram of a virus prevention system of an intelligent mobile terminal according to a preferred embodiment of the present invention
  • FIG. 5 is a flowchart showing the operation of the first decision module and the first communication module according to a preferred embodiment of the present invention
  • FIG. 6 is a flowchart showing the operation of the second communication module, the second determination module, the interception module, and the statistics module according to a preferred embodiment of the present invention
  • FIG. 7 is a flowchart of a virus prevention method of an intelligent mobile terminal according to an embodiment of the present invention
  • FIG. 8 is a flowchart of a virus prevention method of an intelligent mobile terminal according to a preferred embodiment of the present invention
  • FIG. 2 is a structural block diagram of a virus prevention system of an intelligent mobile terminal according to an embodiment of the present invention. As shown in FIG.
  • the virus defense system includes: an intelligent mobile terminal 1; wherein the smart mobile terminal 1 includes: a communication processor 10; the communication processor 10 further includes: a protocol analysis module 100, configured to perform protocol decomposition on received downlink data and parse out the payload of the downlink data; a first determining module 102, configured to match the payload with the suspected virus features to obtain a matching value, and determine whether the matching value is greater than a threshold; and a first communication module 104, configured to send the payload to the base station to perform subsequent virus analysis when the output of the first determining module is YES.
  • the foregoing virus defense system may further include: a base station 2, the base station may further include: a second communication module 200, configured to receive a payload from the first communication module;
  • the second determining module 204 is configured to perform virus analysis on the downlink data by using the payload.
  • an intelligent mobile terminal (for example, a smartphone)
  • a communication processor, wherein the operating system of a general application processor is mostly a common platform (such as Windows, Linux, etc.).
  • RTOSs, and the possibility of being infected by viruses is very small. Therefore, in this embodiment, the communication processor is not easily infected by viruses.
  • The application processor of the intelligent mobile terminal is usually also responsible for local external storage, and a virus usually needs storage for self-replication and re-propagation. Controlling the virus on the application processor is "killing", whereas blocking the virus on the communication processor is "preventing the problem before it occurs": the virus or malicious program is discarded and cannot take root in the mobile phone.
  • the foregoing protocol analysis module 100 may further include: a determining unit 1000 (not shown in FIG. 3) configured to determine whether the downlink data is circuit domain data or packet domain data; the first parsing unit 1002 (not shown in FIG.
  • Step S402: All submodules in the communication processor of the smart mobile terminal (for example, a smartphone) are started when the communication processor starts, and run in the background during operation;
  • Step S404: The protocol analysis module monitors whether data arrives.
  • Step S406: After receiving the data packet, the protocol analysis module first determines, according to the current service, whether the data arrived at the mobile terminal through the circuit domain or the packet domain. Step S408: If it is the circuit domain, perform protocol analysis according to the normal short message format or the circuit domain data format, extract the payload of the user data, submit the payload to the first determining module 102, and end the current processing. Step S410: If it is the packet domain, the protocol is analyzed by using a transport layer protocol and a routing layer protocol.
  • Step S412: Determine how the downlink data is encapsulated in the upper layer protocol stack, classify it as IP/PPP HTTP/MMS/SMTP according to the common protocols, parse out the payload of the user data, and submit it to the first determining module 102, ending the current processing.
  • the smart mobile terminal 1 may further include: an application processor 12 configured to receive downlink data from the communications processor when the matching value is less than or equal to the threshold. That is, when the matching degree value is less than or equal to the threshold, the communication processor 10 is set to directly transmit the downlink data to the application processor 12 of the smart mobile terminal.
  • the second determining module 204 includes: a matching unit 2040 (not shown in FIG. 3) configured to match the payload with the virus information in the virus database to determine whether the downlink data is virus information.
  • FIG. 5 is a flowchart showing the operation of the first determining module 102 and the first communication module 104 according to a preferred embodiment of the present invention. As shown in FIG. 5, the method includes the following steps: Step S502: The first determining module 102 monitors whether data arrives. Step S504: The first determining module 102 receives the data information submitted by the protocol analysis module 100 and needs to perform the first determination.
  • The virus suspicion decision can be made according to very simple matching rules (for example, data source, data length, basic characteristics of the virus header, file type, etc.), following the basic principle of preferring a misjudgment to a miss, which effectively prevents viruses from slipping through the net.
  • Step S506: Determine whether the downlink data is suspicious source data; if yes, execute step S512; otherwise, execute step S508.
  • Step S508: Determine whether the data format is suspicious. If yes, execute step S512; otherwise, execute step S510.
  • Step S510: Other determination criteria are used to determine whether the downlink data is suspicious.
  • Step S512: The first determining module 102 determines that the data is a suspected virus and submits the payload of the downlink data to the first communication module 104.
  • The first communication module 104 directly submits the payload from the first determining module 102 to the cloud base station, together with a second decision request message.
  • The communication processor of the intelligent mobile terminal generally has a low clock frequency and has high real-time requirements in the communication process, so it is not suitable for running a detailed virus matching algorithm with high time complexity on the communication processor. The communication processor of the intelligent mobile terminal is therefore only responsible for the first virus decision: it finds suspicious data and submits it to the base station for processing.
  • Step S514: Data that the first determining module 102 determines not to be a suspected virus is submitted directly to the application processor 12 of the smart mobile terminal 1.
  • the first communication module 104 is further configured to receive a determination response and an analysis report fed back from the base station, where the determination response carries indication information that the downlink data is virus information;
  • The communication processor may further include: an intercepting module 106, configured to intercept the downlink data and the other data in the current transmission; and a statistics module 108, configured to record information corresponding to the downlink data, where the information may include, but is not limited to, at least one of the following: source information of the data packet, and the propagation path.
  • Providing the statistics module 108 facilitates collecting virus-related information as a basis for the next determination, and can effectively prevent future attacks by similar viruses. It should be noted that statistics modules with the same function can also be deployed in base stations and other wireless access point systems, and a dedicated mobile virus statistics library can be established to collect activity data of those criminals, find virus sources, and collect virus samples.
  • The detailed workflow of the second communication module, the second determination module, the interception module, and the statistics module is described below with reference to FIG. 6. FIG. 6 is a flowchart showing the operation of a second communication module, a second determination module, an interception module, and a statistics module in accordance with a preferred embodiment of the present invention. As shown in FIG.
  • Step S602 The second communication module 200 waits to receive a scan request and scanned data (ie, the above payload) sent by the communication processor of the smart mobile terminal.
  • Step S604 After the second communication module 200 receives the data to be scanned and the scan request, the second determining module 200 located at the cloud base station performs a second scan determination on the data. It should be noted that the second decision module 200 deployed on the base station is not always running because the traffic of the base station is large and busy.
  • After receiving the suspicious data sent by the smartphone and the second determination request, the base station immediately starts the virus secondary determination program to scan the suspicious data in detail. The matching criterion is to match against the standard virus database; if it is confirmed that the program contains a mobile phone virus, feedback and virus information are immediately sent to the smartphone.
  • When the smart mobile terminal needs to perform more detailed detection on the virus, it then initiates a request to the base station, which greatly reduces the burden on the base station. In this way, the communication processor of the client and the cloud base station work together, so that the virus processing capability is greatly improved.
  • Step S606 The second determining module 200 matches the payload with the virus information in the virus database to determine whether the downlink data is virus information.
  • Step S608 The second communication module 200 sends a scan message to the smart mobile terminal, indicating that the data is a virus. Then, the process returns to step S602.
  • Step S610 The second communication module 200 sends a scan notification to the smart mobile terminal, indicating that the data is not a virus. Then, the process returns to step S602.
  • Step S612 The first communication module 104 waits to receive a virus secondary scan.
  • Step S614 It is determined whether the determination result is a virus. If yes, go to step S616, otherwise, go to step S618.
  • Step S616: The data code that is determined to be a mobile terminal virus in the virus secondary determination is received by the statistics module of the smart mobile terminal. The intercepting module immediately stops processing the other data in the current transmission and discards the data so that it does not invade the application processor, and the statistics module records the source of the packet currently determined to be virus data (short message sender number, IP source address, IP transmission route, etc.) as the basis for the next decision. If data is later received from these sources, the possibility that it is virus data should be considered first. After that, the process returns to step S612.
  • Step S618 The communication processor of the smart mobile terminal directly sends the downlink data to the application processor of the smart mobile terminal. After that, the process returns to step S612.
  • the virus prevention method mainly includes the following processing: Step S702: The communication processor of the intelligent mobile terminal performs protocol decomposition on the received downlink data, and parses out the payload of the downlink data. Step S704: The communication processor matches the payload with the suspected virus features to obtain a matching value. Step S706: When the matching degree value is greater than the threshold, the communication processor sends the payload to the base station to perform subsequent virus analysis.
  • the virus detection and cleaning work of the intelligent mobile terminal is performed on the local application processor, and detecting the virus when the application runs in parallel may result in low operation efficiency.
  • the above modules are deployed on the communication processor of the intelligent mobile terminal and on the mobile network base station, and the communication processor and the base station are combined to effectively implement virus protection for the smart mobile terminal and to avoid reducing the operating efficiency of the intelligent mobile terminal when killing viruses.
  • the above step S702 may further include the following processing:
  • the communication processor determines whether the downlink data is circuit domain data or packet domain data
  • the payload of the downlink data is parsed according to the short message format
  • the payload of the downlink data is parsed according to the transport layer protocol and the routing layer protocol.
  • the communications processor directly sends the downlink data to the application processor of the smart mobile terminal.
  • Performing the subsequent virus analysis by the base station may further include the following process: The base station matches the payload with the virus information in the virus database to determine whether the downlink data is virus information.
  • the following processing may also be included:
  • (1) the communication processor receives the determination response and the analysis report fed back by the base station, wherein the determination response carries indication information that the downlink data is virus information; (2) the communication processor intercepts the downlink data and the other data in the current transmission, and records the information corresponding to the downlink data.
  • the information corresponding to the downlink data includes, but is not limited to, at least one of the following: source information of the data packet, and a propagation path. The preferred embodiments are described in detail below, taking a smartphone as an example of the smart mobile terminal.
  • FIG. 8 is a flowchart of a virus prevention method of a smart mobile terminal according to a preferred embodiment of the present invention. As shown in FIG.
  • the virus prevention method mainly includes the following processing: Step S802: The communication processor of the smartphone receives the downlink data. Step S804: The communication processor performs protocol decomposition on all downlink data (including the Circuit Switch (CS) domain and the Packet Switch (PS) domain) in accordance with the different communication protocols. This process involves the above protocol analysis module. Step S806: The decomposed payload is evaluated by the first determining module of the smartphone communication processor. In a specific implementation, a simple decision criterion can be set. Because the time complexity of the algorithm is low, the normal operation of the smartphone communication processor is hardly affected. Step S808: The first determining module determines whether the payload is a suspected virus.
  • CS Circuit Switch
  • PS Packet Switch
  • Step S810: If the determination holds, that is, the matching degree between the payload and the suspected virus features is considered high and exceeds the threshold, the communication processor pauses sending the downlink data to the application processor, and the first communication module submits the payload to the cloud base station and initiates a virus secondary determination request to the cloud base station.
  • Step S812: The cloud base station receives the virus secondary determination request and the payload data of the suspected virus, and feeds them into a virus secondary determination program (i.e., the second determination module) that relies on a high-speed processing device.
  • Step S814 Detailed virus analysis is performed by the second determination module to analyze whether it is a virus and which virus. If it is a virus, the process goes to step S816, and if it is not a virus, the process goes to step S818.
  • Step S816: The cloud base station packages the detailed analysis result and sends it to the communication processor of the smartphone, attaching a virus secondary determination response indicating that the payload is a virus or a malicious program.
  • Step S818: The smartphone communication processor receives the second determination response and the analysis report, intercepts this segment of data so that it is not sent to the smartphone application processor, and records the virus or malicious program information, including the data source and the propagation path, in the external memory of the communication processor.
  • Step S820: The cloud base station packages the detailed analysis result and sends it to the communication processor of the smartphone, attaching a virus secondary determination response indicating that the payload is safe data.
  • Step S822: If the data is not a virus or a malicious program, the smartphone communication processor transmits the valid data directly to the application processor for processing. It should be noted that, as regards the communication processor, since a smartphone supports not only traditional base station communication but also communication modes such as Wi-Fi and Bluetooth, the data transmission path can be diversified and can be deployed.
  • a communication processor of a smart mobile terminal (for example, a smartphone) and a mobile network base station are combined to implement effective detection and interception of smartphone viruses and to monitor virus transmission paths and virus types, effectively avoiding future hidden dangers.
  • a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices.
  • they may be implemented by program code executable by the computing device, such that they may be stored in a storage device and executed by the computing device; in some cases, the steps shown or described may be performed in an order different from the order herein, or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module.
  • the invention is not limited to any specific combination of hardware and software.
  • the above is only the preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the scope of the present invention are intended to be included within the scope of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)

Abstract

A virus prevention method and system for an intelligent mobile terminal are provided. In the above method, a communication processor of the intelligent mobile terminal performs protocol resolution for the received downlink data, and obtains payload of the downlink data by resolution (S702); the communication processor matches the payload with suspected virus features to obtain a match degree value (S704); when the match degree value is greater than a threshold value, the communication processor transmits the payload to the base station to perform the subsequent virus analysis (S706). With the technical schemes provided by the present invention, virus is prevented effectively in the intelligent mobile terminal, and the decrease of operation efficiency in the mobile terminal due to the virus detection and killing is avoided.
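
The two-stage decision summarized in the abstract (S702 to S706) and detailed in steps S502 to S514 and S602 to S618, sketched as an added Python example; it is not code from the patent. The rule weights, threshold, header and file-type lists, signature and addresses are constructed assumptions, since the patent names only the kinds of rule (data source, data length, header features, file type).

```python
"""Two-stage virus triage: cheap scoring on the communication processor,
detailed database match at the base station. All rules, weights, signatures
and addresses below are constructed for illustration (assumptions)."""
from dataclasses import dataclass, field

SUSPECT_HEADERS = (b"MZ", b"\x7fELF", b"PK\x03\x04")  # assumed header features
SUSPECT_EXTENSIONS = (".sis", ".apk", ".jar")           # assumed file types
SMS_MAX_LEN = 140                                        # assumed CS length rule
THRESHOLD = 40                                           # assumed threshold


@dataclass
class Downlink:
    domain: str      # "CS" (circuit domain) or "PS" (packet domain)
    source: str      # SMS sender number or IP source address
    payload: bytes   # user data already extracted by protocol analysis
    filename: str = ""


@dataclass
class StatisticsModule:
    """Keeps sources of confirmed viruses as a basis for later decisions (S616)."""
    bad_sources: dict = field(default_factory=dict)

    def record(self, source, report):
        self.bad_sources.setdefault(source, []).append(report)


def first_decision(d, stats):
    """Matching degree value from simple, low-cost rules (S506-S510)."""
    score = 0
    if d.source in stats.bad_sources:                    # S506: suspicious source
        score += 50
    if d.payload.startswith(SUSPECT_HEADERS):            # S508: suspicious format
        score += 30
    if d.filename.lower().endswith(SUSPECT_EXTENSIONS):  # S510: other criteria
        score += 20
    if d.domain == "CS" and len(d.payload) > SMS_MAX_LEN:
        score += 10
    return score


class BaseStation:
    """Second decision (S602-S610): detailed match against a virus database."""
    def __init__(self, virus_db):
        self.virus_db = virus_db   # name -> byte signature (constructed)
        self.scans = 0

    def second_decision(self, payload):
        self.scans += 1
        for name, signature in self.virus_db.items():
            if signature in payload:
                return {"is_virus": True, "report": name}
        return {"is_virus": False, "report": None}


class CommunicationProcessor:
    def __init__(self, base_station, threshold=THRESHOLD):
        self.base_station = base_station
        self.threshold = threshold
        self.stats = StatisticsModule()
        self.to_application_processor = []
        self.intercepted = []

    def handle(self, d):
        if first_decision(d, self.stats) <= self.threshold:
            self.to_application_processor.append(d)      # S514: pass through
            return "delivered"
        verdict = self.base_station.second_decision(d.payload)  # S512: escalate
        if verdict["is_virus"]:
            self.intercepted.append(d)                   # S616: intercept, record
            self.stats.record(d.source, verdict["report"])
            return "intercepted"
        self.to_application_processor.append(d)          # S618
        return "delivered-after-scan"

    def handle_transmission(self, segments):
        """Process one transmission; after a confirmed virus, drop the rest."""
        results = []
        for i, d in enumerate(segments):
            results.append(self.handle(d))
            if results[-1] == "intercepted":
                rest = segments[i + 1:]
                self.intercepted.extend(rest)
                results.extend(["dropped"] * len(rest))
                break
        return results


def demo():
    """Runs constructed traffic through both stages and returns the outcomes."""
    sig = b"CONSTRUCTED-SIGNATURE-0001"
    bs = BaseStation({"Constructed.Sample.A": sig})
    cp = CommunicationProcessor(bs)
    outcomes = {
        "benign": cp.handle(Downlink("PS", "198.51.100.7", b"hello", "note.txt")),
        "zip_only": cp.handle(Downlink("PS", "198.51.100.7", b"PK\x03\x04pics", "a.zip")),
        "infected": cp.handle_transmission([
            Downlink("PS", "203.0.113.9", b"PK\x03\x04" + sig, "game.apk"),
            Downlink("PS", "203.0.113.9", b"second segment"),
        ]),
        "known_bad_source": cp.handle(Downlink("PS", "203.0.113.9", b"plain text")),
        "missed": cp.handle(Downlink("PS", "192.0.2.44", b"xx" + sig, "readme.txt")),
    }
    return outcomes, cp, bs


if __name__ == "__main__":
    print(demo()[0])
```

The `missed` case shows the cost of the first-stage filter: a payload that carries a database signature but trips none of the simple rules never reaches the base station, so the rule set and threshold, not the virus database, bound the miss rate.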

Description

智能移动终端的病毒防 卩方法及系统 技术领域 本发明涉及通信领域, 具体而言, 涉及一种智能移动终端的病毒防 卩方法 及系统。 背景技术 在智能移动终端 (例如, 智能手机)越来越普及、 越来越被人们所接受和 使用的大环境下, 有一些不法分子利用智能移动终端可以随意安装应用软件的 特点, 大肆制造和散播智能手机病毒以及恶意软件, 有数字显示, 从 2009 年 12月至 2010年 6月, 仅半年时间全球新增手机病毒超过 500个, 这已经超过 之前几年的总和。 一旦数亿智能手机用户被病毒大量感染, 或某些手机软件的 后门被恶意利用很可能会给用户带来无法估量的损失。 图 1是相关技术中病毒入侵智能手机的示意图。 如图 1所示, 病毒入侵智 能移动终端主要分为以下几个过程: 过程 ( 1 ): 病毒在手机网络的匿藏及传播过程; 过程 ( 2 ): 病毒通过基站到达智能手机通信处理器过程; 过程 ( 3 ): 病毒通过智能手机通信处理器到达应用处理器过程; 过程 ( 4 ): 病毒植才艮于应用处理器的过程; 过程 ( 5 ): 病毒触发和爆发过程。 目前智能移动终端的病毒防御和查杀系统也正在逐渐完善, 但是主要都是 集中在病毒检测和清除方面, 检测和清除的工作又都是在智能手机本地应用处 理器上完成的。 目前的终端的处理器工作频率都偏氏下, 在应用程序并行运行 的时候对病毒进行检测, 会导致运行效率过低, 而且仅仅是对病毒进行查杀的 话, 不能达到有效截断同类或者相似病毒或者恶意程序传播路径的效果。 发明内容 The present invention relates to the field of communications, and in particular to a virus flood prevention method and system for an intelligent mobile terminal. BACKGROUND In a large environment where smart mobile terminals (for example, smart phones) are becoming more and more popular and accepted and used by people, there are some criminals who can use smart mobile terminals to install application software at will, and manufacture and Spreading smartphone viruses and malware, there are digital displays. From December 2009 to June 2010, there were more than 500 new mobile phone viruses in the world in just half a year, which is more than the sum of previous years. Once hundreds of millions of smartphone users are infected with viruses, or the back door of some mobile phone software is maliciously exploited, it is likely to cause incalculable losses to users. FIG. 1 is a schematic diagram of a virus intrusion smartphone in the related art. 
As shown in FIG. 1, the intrusion of a virus into an intelligent mobile terminal consists mainly of the following processes:

Process (1): the virus hides and spreads in the mobile phone network;
Process (2): the virus reaches the smartphone's communication processor through the base station;
Process (3): the virus reaches the application processor through the smartphone's communication processor;
Process (4): the virus implants itself in the application processor;
Process (5): the virus is triggered and breaks out.

Virus defense and removal systems for intelligent mobile terminals are gradually improving, but they concentrate mainly on virus detection and removal, and both are carried out on the smartphone's local application processor. The processors of current terminals run at relatively low clock frequencies, so detecting viruses while applications run in parallel makes operation too inefficient. Moreover, merely detecting and removing a virus does not effectively cut off the propagation path of the same or similar viruses or malicious programs.

Summary of the Invention
In the related art, virus detection and removal for an intelligent mobile terminal are both carried out on the local application processor, which makes operation too inefficient. To address this, the present invention provides a virus defense method and system for an intelligent mobile terminal that solve at least one of the above problems.

According to one aspect of the present invention, a virus defense method for an intelligent mobile terminal is provided.

The virus defense method for an intelligent mobile terminal according to the present invention includes: the communication processor of the intelligent mobile terminal performs protocol decomposition on received downlink data and parses out the payload of the downlink data; the communication processor matches the payload against suspected-virus features to obtain a match degree value; and when the match degree value is greater than a threshold, the communication processor sends the payload to the base station for subsequent virus analysis.

The protocol decomposition performed by the communication processor on the received downlink data includes: the communication processor determines whether the downlink data is circuit-domain data or packet-domain data; when the downlink data is circuit-domain data, the payload of the downlink data is parsed out according to the short message format or the circuit-domain data format; when the downlink data is packet-domain data, the payload of the downlink data is parsed out using the transport layer protocol, the routing layer protocol, and the higher-layer protocols.

When the match degree value is obtained, the method further includes: when the match degree value is less than or equal to the threshold, the communication processor sends the downlink data directly to the application processor of the intelligent mobile terminal.

The subsequent virus analysis performed by the base station includes: the base station matches the payload against the virus information in a virus database and determines whether the downlink data is virus information.

When the downlink data is determined to be virus information, the method further includes: the communication processor receives a determination response and an analysis report fed back by the base station, where the determination response carries indication information that the downlink data is virus information; the communication processor intercepts the downlink data and the other data in the current transmission besides the downlink data, and records information corresponding to the downlink data.

The information corresponding to the downlink data includes at least one of the following: source information of the data packet, and the propagation path.

According to one aspect of the present invention, a virus defense system for an intelligent mobile terminal is provided.

The virus defense system for an intelligent mobile terminal according to the present invention includes an intelligent mobile terminal. The intelligent mobile terminal includes a communication processor, and the communication processor further includes: a protocol analysis module, configured to perform protocol decomposition on received downlink data and parse out the payload of the downlink data; a first determination module, configured to match the payload against suspected-virus features to obtain a match degree value and to determine whether the match degree value is greater than a threshold; and a first communication module, configured to send the payload to the base station for subsequent virus analysis when the output of the first determination module is yes.

The base station includes: a second communication module, configured to receive the payload from the first communication module; and a second determination module, configured to perform virus analysis on the downlink data according to the payload.

The protocol analysis module includes: a judging unit, configured to determine whether the downlink data is circuit-domain data or packet-domain data; a first parsing unit, configured to parse out the payload of the downlink data according to the short message format or the circuit-domain data format when the downlink data is circuit-domain data; and a second parsing unit, configured to parse out the payload of the downlink data using the transport layer protocol, the routing layer protocol, and the higher-layer protocols when the downlink data is packet-domain data.

The intelligent mobile terminal further includes: an application processor, configured to receive the downlink data from the communication processor when the match degree value is less than or equal to the threshold.

The second determination module includes: a matching unit, configured to match the payload against the virus information in the virus database and determine whether the downlink data is virus information.

The first communication module is further configured to receive the determination response and the analysis report fed back by the base station, where the determination response carries indication information that the downlink data is virus information. The communication processor further includes: an interception module, configured to intercept the downlink data and the other data in the current transmission besides the downlink data; and a statistics module, configured to record the information corresponding to the downlink data.

Through the present invention, the communication processor of the intelligent mobile terminal and the mobile network base station are combined to implement virus defense for the intelligent mobile terminal. This solves the problem in the related art that virus detection and removal for a smartphone are both carried out on the local application processor, which makes operation too inefficient; virus defense for the intelligent mobile terminal is achieved effectively, and the reduction in the terminal's operating efficiency during virus detection and removal is avoided.

Brief Description of the Drawings

The drawings described here provide a further understanding of the present invention and form part of this application. The exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not unduly limit it. In the drawings:

FIG. 1 is a schematic diagram of a virus intruding into an intelligent mobile terminal in the related art;
FIG. 2 is a structural block diagram of a virus defense system for an intelligent mobile terminal according to an embodiment of the present invention;
FIG. 3 is a structural block diagram of a virus defense system for an intelligent mobile terminal according to a preferred embodiment of the present invention;
FIG. 4 is a flowchart of the operation of the protocol analysis module according to a preferred embodiment of the present invention;
FIG. 5 is a flowchart of the operation of the first determination module and the first communication module according to a preferred embodiment of the present invention;
FIG. 6 is a flowchart of the operation of the second communication module, the second determination module, the interception module, and the statistics module according to a preferred embodiment of the present invention;
FIG. 7 is a flowchart of a virus defense method for an intelligent mobile terminal according to an embodiment of the present invention;
FIG. 8 is a flowchart of a virus defense method for an intelligent mobile terminal according to a preferred embodiment of the present invention.

Detailed Description

The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, provided there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other.

FIG. 2 is a structural block diagram of a virus defense system for an intelligent mobile terminal according to an embodiment of the present invention. As shown in FIG. 2, the virus defense system includes an intelligent mobile terminal 1, where the intelligent mobile terminal 1 includes a communication processor 10, and the communication processor 10 further includes:

a protocol analysis module 100, configured to perform protocol decomposition on received downlink data and parse out the payload of the downlink data;
a first determination module 102, configured to match the payload against suspected-virus features to obtain a match degree value and to determine whether the match degree value is greater than a threshold;
a first communication module 104, configured to send the payload to the base station for subsequent virus analysis when the output of the first determination module is yes.

Preferably, as shown in FIG. 3, the virus defense system may further include a base station 2, which may further include:

a second communication module 200, configured to receive the payload from the first communication module;
a second determination module 204, configured to perform virus analysis on the downlink data according to the payload.

In the related art, the processor of an intelligent mobile terminal (for example, a smartphone) is divided into an application processor and a communication processor. The operating system of the application processor is in most cases a common platform (such as Windows or Linux), and there are many viruses targeting these platforms. The operating systems of communication processors, by contrast, are RTOSs, which are very unlikely to be attacked by viruses. Therefore, in this embodiment, virus processing on the communication processor is itself unlikely to be damaged by the virus first, and the risk is lower.

In addition, the application processor of an intelligent mobile terminal is usually also responsible for local external storage, and a virus usually has to be stored before it can hide, replicate itself, and spread further. Controlling a virus on the application processor is "detecting and removing it after the fact", whereas intercepting it on the communication processor is "preventing it before it happens": the virus or malicious program is discarded before it takes root in the phone, which is safer.

Preferably, the protocol analysis module 100 may further include:

a judging unit 1000 (not shown in FIG. 3), configured to determine whether the downlink data is circuit-domain data or packet-domain data;
a first parsing unit 1002 (not shown in FIG. 3), configured to parse out the payload of the downlink data according to the short message format or the circuit-domain data format when the downlink data is circuit-domain data;
a second parsing unit 1004 (not shown in FIG. 3), configured to parse out the payload of the downlink data using the transport layer protocol, the routing layer protocol, and the higher-layer protocols when the downlink data is packet-domain data.

The detailed workflow of the protocol analysis module is described below with reference to FIG. 4. As shown in FIG. 4, it mainly includes the following processing:

Step S402: all submodules in the communication processor of the intelligent mobile terminal (for example, a smartphone) start when the communication processor starts, and run in the background while working.
Step S404: the protocol analysis module listens for incoming data.
Step S406: after receiving a data packet, the protocol analysis module first determines, according to the current service, whether the data reached the mobile terminal through the circuit domain or the packet domain.
Step S408: if it is the circuit domain, protocol analysis is performed according to the ordinary short message format or the circuit-domain data format, the payload of the user data is extracted and submitted to the first determination module 102, and the current processing ends.
Step S410: if it is the packet domain, protocol analysis is performed using the transport layer protocol and the routing layer protocol.
Step S412: determine how the downlink data is encapsulated in the upper-layer protocol stack, classified by common protocol as IP/PPP, HTTP/MMS/SMTP, etc., parse out the payload of the user data, submit it to the first determination module 102, and end the current processing.

Preferably, as shown in FIG. 3, the intelligent mobile terminal 1 may further include an application processor 12, configured to receive the downlink data from the communication processor when the match degree value is less than or equal to the threshold. That is, when the match degree value is less than or equal to the threshold, the communication processor 10 is configured to send the downlink data directly to the application processor 12 of the intelligent mobile terminal.
Preferably, as shown in FIG. 3, the second determination module 204 includes a matching unit 2040 (not shown in FIG. 3), configured to match the payload against the virus information in the virus database and determine whether the downlink data is virus information.

The detailed workflow of the first determination module and the first communication module is described below with reference to FIG. 5.

FIG. 5 is a flowchart of the operation of the first determination module 102 and the first communication module 104 according to a preferred embodiment of the present invention. As shown in FIG. 5, it mainly includes the following processing:

Step S502: the first determination module 102 listens for incoming data.
Step S504: the first determination module 102 receives the data submitted by the protocol analysis module 100, and a first determination needs to be made.

Specifically, whether the data is suspicious can be judged using very simple matching rules (for example, data source, data length, basic features of the virus header, file type), following the basic principle that a false positive is preferable to a miss, so that viruses are effectively prevented from slipping through. For example, steps S506, S508, and S510 are performed.

Step S506: determine whether the downlink data comes from a suspicious source. If yes, go to step S512; otherwise, go to step S508.
Step S508: determine whether the data format is suspicious. If yes, go to step S512; otherwise, go to step S510.
Step S510: use other criteria to determine whether the downlink data is suspicious. If yes, go to step S512; otherwise, go to step S514.
Step S512: the first determination module 102 determines that the data is a suspected virus and submits the payload of the downlink data to the first communication module 104. After receiving the payload from the first determination module 102, the first communication module 104 submits it directly to the base station in the cloud, together with a second-determination request.

The communication processor of an intelligent mobile terminal generally has a low clock frequency and strict real-time requirements during communication, so it is not suited to running detailed virus-matching algorithms with high time complexity. The communication processor is therefore responsible only for the first determination: it finds suspicious data and submits it to the base station for processing.

Step S514: the first determination module 102 determines that the data is not a suspected virus and submits it directly to the application processor 12 of the intelligent mobile terminal 1.

Preferably, as shown in FIG. 3, the first communication module 104 is further configured to receive the determination response and the analysis report fed back by the base station, where the determination response carries indication information that the downlink data is virus information. The communication processor 10 may then further include: an interception module 106, configured to intercept the downlink data and the other data in the current transmission besides the downlink data; and a statistics module 108, which records information corresponding to the downlink data, where the information may include, but is not limited to, at least one of the following: source information of the data packet, and the propagation path.

The statistics module 108 makes it easier to collect virus-related information as a basis for the next determination, which can effectively guard against future attacks by similar viruses.
It should be noted that a statistics module with the same function can also be deployed in base stations and other wireless access point systems, and a dedicated mobile virus statistics database can be established to gather data on the activities of those criminals, locate virus sources, and collect virus samples.

The detailed workflow of the second communication module, the second determination module, the interception module, and the statistics module is described below with reference to FIG. 6.

FIG. 6 is a flowchart of the operation of the second communication module, the second determination module, the interception module, and the statistics module according to a preferred embodiment of the present invention. As shown in FIG. 6, it mainly includes the following processing:

Step S602: the second communication module 200 waits to receive a scan request and the data to be scanned (that is, the payload described above) sent by the communication processor of the intelligent mobile terminal.
Step S604: after the second communication module 200 receives the data to be scanned and the scan request, the second determination module 200 located at the cloud base station performs a second scan determination on the data.

It should be noted that, because the base station handles a large volume of traffic and is relatively busy, the second determination module 200 deployed on the base station does not run all the time. Only after the base station receives the suspicious data and the second-determination request from the smartphone does it immediately start the second virus determination program and scan the suspicious data in detail, matching it against a standard virus database. If it confirms that the program contains a mobile phone virus, it immediately sends feedback and the virus information to the smartphone.

The intelligent mobile terminal initiates a request to the base station only when it needs a more detailed virus check, which greatly reduces the burden on the base station.
In this way, the client's communication processor and the cloud base station work together, which greatly improves virus-handling capability.

Step S606: the second determination module 200 matches the payload against the virus information in the virus database and determines whether the downlink data is virus information. If yes, go to step S608; otherwise, go to step S610.
Step S608: the second communication module 200 sends a scan report to the intelligent mobile terminal indicating that the data is a virus. The process then returns to step S602.
Step S610: the second communication module 200 sends a scan report to the intelligent mobile terminal indicating that the data is not a virus. The process then returns to step S602.
Step S612: the first communication module 104 waits to receive the second virus scan report.
Step S614: determine whether the result is a virus. If yes, go to step S616; otherwise, go to step S618.
Step S616: data code determined to be a mobile terminal virus in the second determination is received by the statistics module of the intelligent mobile terminal. The interception module immediately stops processing the other data in the current transmission besides the downlink data and discards that data so that it cannot harm the application processor. The statistics module records the source of the packet currently determined to be virus data (short message sender number, IP source address, IP transmission route, etc.) as a basis for the next first determination; if data from these sources is received again, the possibility that it is virus data is given priority. The process then returns to step S612.
Step S618: the communication processor of the intelligent mobile terminal sends the downlink data directly to the application processor of the intelligent mobile terminal. The process then returns to step S612.

FIG. 7 is a flowchart of a virus defense method for an intelligent mobile terminal according to an embodiment of the present invention. As shown in FIG. 7, the virus defense method mainly includes the following processing:

Step S702: the communication processor of the intelligent mobile terminal performs protocol decomposition on received downlink data and parses out the payload of the downlink data.
Step S704: the communication processor matches the payload against suspected-virus features to obtain a match degree value.
Step S706: when the match degree value is greater than the threshold, the communication processor sends the payload to the base station for subsequent virus analysis.

In the related art, virus detection and removal for an intelligent mobile terminal are both carried out on the local application processor, and detecting viruses while applications run in parallel makes operation too inefficient. Starting from process (3) in FIG. 1, the modules described above are deployed on the communication processor of the intelligent mobile terminal and on the mobile network base station, combining the communication processor with the base station. This effectively implements virus defense for the intelligent mobile terminal and avoids reducing the terminal's operating efficiency during virus detection and removal.

Preferably, step S702 may further include the following processing:
(1) the communication processor determines whether the downlink data is circuit-domain data or packet-domain data;
(2) when the downlink data is circuit-domain data, the payload of the downlink data is parsed out according to the short message format;
(3) when the downlink data is packet-domain data, the payload of the downlink data is parsed out according to the transport layer protocol and the routing layer protocol.

Preferably, when the match degree value is less than or equal to the threshold, the communication processor sends the downlink data directly to the application processor of the intelligent mobile terminal.

Preferably, the subsequent virus analysis performed by the base station may further include the following processing: the base station matches the payload against the virus information in the virus database and determines whether the downlink data is virus information.

Preferably, when the downlink data is determined to be virus information, the following processing may also be included:
(1) the communication processor receives the determination response and the analysis report fed back by the base station, where the determination response carries indication information that the downlink data is virus information;
(2) the communication processor intercepts the downlink data and the other data in the current transmission besides the downlink data, and records the information corresponding to the downlink data.

The information corresponding to the downlink data includes, but is not limited to, at least one of the following: source information of the data packet, and the propagation path.

The preferred embodiment is described in detail below, taking a smartphone as the intelligent mobile terminal.

FIG. 8 is a flowchart of a virus defense method for an intelligent mobile terminal according to a preferred embodiment of the present invention. As shown in FIG. 8, the virus defense method mainly includes the following processing:

Step S802: the smartphone's communication processor receives downlink data.
Step S804: the communication processor performs protocol decomposition, according to the different communication protocols, on all downlink data flowing through it (including data in the circuit switched (Circuit Switch, CS) domain and the packet switched (Packet Switch, PS) domain). This process involves the protocol analysis module described above.
Step S806: the decomposed payload is judged by the first determination module of the smartphone's communication processor.

In a specific implementation, simple judgment criteria can be set. Because the algorithm's time complexity is low, the normal operation of the smartphone's communication processor is hardly affected.

Step S808: the first determination module determines whether the payload is a suspected virus. If yes, go to step S810; otherwise, go to step S822.
Step S810: if the determination holds, that is, the match degree between the payload and the suspected-virus features is considered high and exceeds a certain threshold, the communication processor suspends sending the downlink data to the application processor. Instead, the first communication module submits the payload to the cloud base station and initiates a second virus determination request to the cloud base station.
Step S812: the cloud base station receives the second virus determination request and the payload data of the suspected virus, and feeds them into the second virus determination program (that is, the second determination module described above), which relies on high-speed processing equipment.
Step S814: the second determination module performs detailed virus analysis to determine whether the data is a virus and, if so, which virus. If it is a virus, go to step S816; if it is not a virus, go to step S818.
Step S816: the cloud base station compiles the detailed analysis results into a report and delivers it to the smartphone's communication processor, together with a second virus determination response noting that the payload is a virus or malicious program.
Step S818: the smartphone's communication processor receives the second determination response and the analysis report, intercepts this data so that it is not sent to the smartphone's application processor, and records the virus or malicious program information, including the data source and propagation path, in the communication processor's external memory. When data with this source or propagation path arrives in the future, it is automatically reported to the cloud base station with a request for a second determination.
Step S820: the cloud base station compiles the detailed analysis results into a report and delivers it to the smartphone's communication processor, together with a second virus determination response noting that the payload is safe data.
Step S822: if the data is not a virus or malicious program, the smartphone's communication processor passes the valid data directly to the application processor for processing.

It should be noted that, on the communication processor side, today's smartphones support not only traditional base station communication but also communication modes such as Wi-Fi and Bluetooth, so the data transmission paths are diverse. A similar scheme can be deployed on Wi-Fi and Bluetooth processing chips or drivers and on Wi-Fi and Bluetooth access points.

In summary, with the embodiments provided by the present invention, the communication processor of an intelligent mobile terminal (for example, a smartphone) is combined with the mobile network base station to effectively detect and intercept smartphone viruses and to monitor virus propagation paths and virus types, thereby effectively avoiding future hidden dangers.

Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented with a general-purpose computing device. They can be concentrated on a single computing device or distributed over a network of multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device. In some cases, the steps shown or described can be performed in an order different from that given here, or they can each be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.

The above are only preferred embodiments of the present invention and are not intended to limit it. For those skilled in the art, the present invention may have various modifications and changes. Any modification, equivalent replacement, improvement, and the like made within the spirit and principles of the present invention shall fall within its scope of protection.
Thus, the invention is not limited to any specific combination of hardware and software. The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the scope of the present invention are intended to be included within the scope of the present invention.
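The S802 to S822 flow described above can be sketched as a two-stage triage. This is an added example, not code from the patent: the feature list, the virus library entry, the scoring rule (fraction of features present) and the threshold value 0.5 are all assumptions, since the patent specifies only "a matching degree" and "a threshold".

```python
from dataclasses import dataclass, field

# Constructed sample data for illustration; not real signatures.
SUSPECT_FEATURES = [b"http://", b".apk", b"install now", b"premium"]
VIRUS_LIBRARY = {b"free-game.apk": "Constructed.Trojan.Sample"}
THRESHOLD = 0.5  # assumed value; the patent only requires "a threshold"


def match_degree(payload: bytes) -> float:
    """First determination (on the communication processor): a cheap score,
    here the fraction of suspect features present in the payload."""
    low = payload.lower()
    return sum(f in low for f in SUSPECT_FEATURES) / len(SUSPECT_FEATURES)


def base_station_analyze(payload: bytes):
    """Second determination (at the base station): match against the virus
    library and return the virus name, or None for safe data."""
    low = payload.lower()
    for pattern, name in VIRUS_LIBRARY.items():
        if pattern in low:
            return name
    return None


@dataclass
class CommProcessor:
    records: list = field(default_factory=list)  # log of intercepted data
    escalations: int = 0                         # secondary requests sent

    def _seen_before(self, source: str, path: str) -> bool:
        # Data from a recorded source or propagation path is always escalated.
        return any(r["source"] == source or r["path"] == path
                   for r in self.records)

    def handle_downlink(self, source: str, path: str, payload: bytes) -> str:
        """Return 'deliver' (forward to the application processor) or
        'intercept' (withhold the data and record its origin)."""
        suspicious = match_degree(payload) > THRESHOLD
        if not suspicious and not self._seen_before(source, path):
            return "deliver"                     # at or below the threshold
        self.escalations += 1                    # hold data, ask base station
        virus = base_station_analyze(payload)
        if virus is None:
            return "deliver"                     # reported as safe data
        self.records.append({"source": source, "path": path, "virus": virus})
        return "intercept"
```

A payload scoring exactly at the threshold is delivered without escalation, matching claim 3 ("less than or equal to the threshold").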

Claims

1. A virus defense method for an intelligent mobile terminal, comprising:
the communication processor of the intelligent mobile terminal performing protocol decomposition on received downlink data and parsing out the payload of the downlink data;
the communication processor matching the payload against suspected virus features to obtain a matching degree value;
when the matching degree value is greater than a threshold, the communication processor sending the payload to a base station to perform subsequent virus analysis.
2. The method according to claim 1, wherein the communication processor performing protocol decomposition on the received downlink data comprises:
the communication processor determining whether the downlink data is circuit domain data or packet domain data;
when the downlink data is circuit domain data, parsing out the payload of the downlink data according to a short message format or a circuit domain data format;
when the downlink data is packet domain data, parsing out the payload of the downlink data by using a transport layer protocol, a routing layer protocol, and a higher layer protocol.
3. The method according to claim 1, wherein, when the matching degree value is obtained, the method further comprises:
when the matching degree value is less than or equal to the threshold, the communication processor sending the downlink data directly to the application processor of the intelligent mobile terminal.
4. The method according to claim 1, wherein the base station performing the subsequent virus analysis comprises: the base station matching the payload against the virus information in a virus library and determining whether the downlink data is virus information.
5. The method according to claim 4, wherein, when it is determined that the downlink data is virus information, the method further comprises:
the communication processor receiving a determination response and an analysis report fed back by the base station, wherein the determination response carries indication information that the downlink data is virus information;
the communication processor intercepting the downlink data and the other data in the current transmission besides the downlink data, and recording the information corresponding to the downlink data.
6. The method according to claim 5, wherein the information corresponding to the downlink data comprises at least one of the following: source information of the data packet, and the propagation path.
7. A virus defense system for an intelligent mobile terminal, comprising: an intelligent mobile terminal;
the intelligent mobile terminal comprises: a communication processor; the communication processor further comprises:
a protocol analysis module, configured to perform protocol decomposition on received downlink data and parse out the payload of the downlink data;
a first determination module, configured to match the payload against suspected virus features to obtain a matching degree value, and to determine whether the matching degree value is greater than a threshold;
a first communication module, configured to send the payload to the base station to perform subsequent virus analysis when the output of the first determination module is yes.
8. The system according to claim 7, wherein the base station comprises:
a second communication module, configured to receive the payload from the first communication module;
a second determination module, configured to perform virus analysis on the downlink data according to the payload.
9. The system according to claim 7, wherein the protocol analysis module comprises:
a judging unit, configured to determine whether the downlink data is circuit domain data or packet domain data;
a first parsing unit, configured to parse out the payload of the downlink data according to a short message format or a circuit domain data format when the downlink data is circuit domain data;
a second parsing unit, configured to parse out the payload of the downlink data by using a transport layer protocol, a routing layer protocol, and a higher layer protocol when the downlink data is packet domain data.
10. The system according to claim 7, wherein the intelligent mobile terminal further comprises:
an application processor, configured to receive the downlink data from the communication processor when the matching degree value is less than or equal to the threshold.
11. The system according to claim 7, wherein the second determination module comprises:
a matching unit, configured to match the payload against the virus information in a virus library and determine whether the downlink data is virus information.
12. The system according to claim 11, wherein
the first communication module is further configured to receive a determination response and an analysis report fed back by the base station, wherein the determination response carries indication information that the downlink data is virus information;
the communication processor further comprises:
an interception module, configured to intercept the downlink data and the other data in the current transmission besides the downlink data;
a statistics module, configured to record the information corresponding to the downlink data.
PCT/CN2011/073710 2011-01-20 2011-05-05 Virus prevention method and system for intelligent mobile terminal WO2012097553A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2011100232575A CN102045368A (en) 2011-01-20 2011-01-20 Virus preventing method of intelligent mobile terminal and system
CN201110023257.5 2011-01-20

Publications (1)

Publication Number Publication Date
WO2012097553A1 true WO2012097553A1 (en) 2012-07-26

Family

ID=43911138

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/073710 WO2012097553A1 (en) 2011-01-20 2011-05-05 Virus prevention method and system for intelligent mobile terminal

Country Status (2)

Country Link
CN (1) CN102045368A (en)
WO (1) WO2012097553A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103824017A (en) * 2012-11-19 2014-05-28 腾讯科技(深圳)有限公司 Method and platform for monitoring rogue programs

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045368A (en) * 2011-01-20 2011-05-04 中兴通讯股份有限公司 Virus preventing method of intelligent mobile terminal and system
CN103294953B (en) * 2012-12-27 2016-01-13 武汉安天信息技术有限责任公司 A kind of mobile phone malicious code detecting method and system
CN103810428B (en) * 2014-02-24 2017-05-24 珠海市君天电子科技有限公司 Method and device for detecting macro virus
WO2016011614A1 (en) * 2014-07-23 2016-01-28 华为技术有限公司 Method and device for blocking harassment number
CN112528285B (en) * 2020-12-18 2022-01-25 南方电网电力科技股份有限公司 Security protection method and device for cloud computing platform, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1889773A (en) * 2006-07-18 2007-01-03 毛兴鹏 Mobile phone virtus examining and protecting method and system based on base station
CN101079689A (en) * 2006-05-26 2007-11-28 上海晨兴电子科技有限公司 Method and device for virus scanning and processing of the data received by mobile phone
KR20100027507A (en) * 2008-09-02 2010-03-11 엘지전자 주식회사 Method for treating virus in mobile terminal and system thereof
CN102045368A (en) * 2011-01-20 2011-05-04 中兴通讯股份有限公司 Virus preventing method of intelligent mobile terminal and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340680B (en) * 2008-08-12 2012-01-04 华为终端有限公司 Method and apparatus for implementing virus defending and virus killing by bi-core terminal
CN101388056B (en) * 2008-10-20 2010-06-02 成都市华为赛门铁克科技有限公司 Method, system and apparatus for preventing worm

Also Published As

Publication number Publication date
CN102045368A (en) 2011-05-04


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11855940

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11855940

Country of ref document: EP

Kind code of ref document: A1