WO2017036042A1 - Information collection method and apparatus - Google Patents

Information collection method and apparatus

Publication number
WO2017036042A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
related data
system information
data
file
Application number
PCT/CN2015/099897
Inventor
邹荣新
Original Assignee
安一恒通(北京)科技有限公司
Application filed by 安一恒通(北京)科技有限公司

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245: Protecting personal data, e.g. for financial or medical purposes
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107: File encryption

Definitions

  • The present application relates to the field of computer technologies, specifically to the field of Internet technologies, and in particular to an information collection method and apparatus.
  • The prior art adopts a cloud data collection method.
  • Machine system information is generally used directly as the user identification number.
  • The collected data is uploaded in full, and the machine system information may contain sensitive information such as the user's personal information, so security is not adequately considered.
  • The purpose of the present application is to propose a privacy-protecting information collection method and apparatus to solve the technical problems mentioned in the background above.
  • The application provides an information collection method, the method including: collecting client system information and obfuscating the system information; collecting various running-related data; filtering the running-related data if the running-related data includes an identity identifier; and encrypting the processed system information and running-related data and uploading them to a server, where the uploaded system information and running-related data are stored in blocks on the server.
  • Encrypting the processed system information and running-related data and uploading them to the server includes: inspecting the running-related data; if an unrecognizable portable executable file is detected, uploading the path information of the portable executable file; and uploading the portable executable file in fragments according to a fragment collection instruction, where the fragment collection instruction is generated and issued by the server based on the path information.
  • Uploading the path information of the portable executable file includes: when uploading the path information of the portable executable file, filtering the user name contained in the path information.
  • The system information includes at least one of the following: installed software list information, system configuration utility list information, service list information, operating system version information, browser version information, network card MAC address, hard disk serial number, memory information, and system structure information.
  • Collecting client system information and obfuscating the system information includes: collecting client system information, generating a file from the system information, and performing a hash calculation on the file to generate a unique identification number.
  • The various running-related data include at least one of the following: software behavior data, user operation behavior data, user uniform resource locator data, detected threat log data, file information, and content data.
  • The present application provides an information collecting apparatus, the apparatus including: a first collecting unit configured to collect client system information and obfuscate the system information; a second collecting unit configured to collect various running-related data; a filtering processing unit configured to filter the running-related data if the running-related data includes an identity identifier; and a transmission unit configured to encrypt the processed system information and running-related data and upload them to a server, where the uploaded system information and running-related data are stored in blocks on the server.
  • The transmission unit is further configured to: inspect the running-related data; upload the path information of a portable executable file if an unrecognizable portable executable file is detected; and upload the portable executable file in fragments according to a fragment collection instruction, where the fragment collection instruction is generated and issued by the server based on the path information.
  • The filtering processing unit is further configured to: when the path information of the portable executable file is uploaded, filter the user name contained in the path information.
  • The system information includes at least one of the following: a network card MAC address, a hard disk serial number, memory information, and system structure information.
  • The obfuscation processing unit is further configured to: collect client system information, generate a file from the system information, and perform a hash calculation on the file to generate a unique identification number.
  • The various running-related data include at least one of the following: software behavior data, user operation behavior data, user uniform resource locator data, detected threat log data, file information, and content data.
  • The information collection method and apparatus provided by the present application collect client system information and obfuscate it, then collect various running-related data, filter the running-related data if it includes an identity identifier, and finally encrypt and upload the processed system information and running-related data, thereby lowering the sensitivity of the collected information and reducing the security problems brought by information collection.
  • FIG. 1 is an exemplary system architecture diagram to which the present application can be applied;
  • FIG. 2 is a flow chart of one embodiment of an information collection method according to the present application.
  • FIG. 3 is a flow chart of still another embodiment of an information collecting method according to the present application.
  • FIG. 4 is a schematic structural diagram of an embodiment of an information collecting apparatus according to the present application.
  • FIG. 5 is a schematic structural diagram of a computer system suitable for implementing a terminal device or a server of an embodiment of the present application.
  • FIG. 1 illustrates an exemplary system architecture 100 in which an embodiment of an information collection method or information collection device of the present application may be applied.
  • System architecture 100 can include terminal devices 101, 102, 103, network 104, and server 105.
  • The network 104 provides a medium for communication links between the terminal devices 101, 102, 103 and the server 105.
  • Network 104 may include various types of connections, such as wired or wireless communication links, fiber optic cables, and the like.
  • The user can use the terminal devices 101, 102, 103 to interact with the server 105 over the network 104 to receive or transmit messages and the like.
  • Various client software applications that may involve user information collection, such as instant messaging tools, email clients, and social platform software, may be installed on the terminal devices 101, 102, and 103.
  • The terminal devices 101, 102, 103 can be various electronic devices including, but not limited to, personal computers, smart phones, smart watches, tablets, personal digital assistants, and the like.
  • The server 105 can be a server that provides various services.
  • The server can store and analyze the received data, among other processing, and feed the processing result back to the terminal device.
  • The information collection method provided by the embodiment of the present application is generally performed by the terminal devices 101, 102, and 103.
  • The information collecting apparatus is generally disposed in the terminal devices 101, 102, and 103.
  • The numbers of terminal devices, networks and servers in FIG. 1 are merely illustrative. Depending on implementation needs, there can be any number of terminal devices, networks, and servers.
  • The information collection method includes the following steps:
  • Step 201: Collect client system information and obfuscate the system information.
  • An electronic device (such as the terminal device shown in FIG. 1) on which the information collection method runs can collect system information.
  • The client software may acquire the system information locally and obfuscate it.
  • The foregoing system information may include at least one of the following: installed software list information, system configuration utility (Microsoft System Configuration, msconfig) list information, service list information, operating system version information, browser version information, network card MAC address, hard disk serial number, memory information, and system structure information.
  • System configuration utility (Microsoft System Configuration, msconfig)
  • The system information obfuscation process may first generate a file from the system information and then perform a hash calculation on the file to obtain the hash value of the file.
  • The hash value is the unique identification number of the user's machine after its system information has been obfuscated.
  • Step 202: Collect various running-related data.
  • The client software installed on the electronic device collects various running-related data.
  • The foregoing running-related data may include at least one of the following: software behavior data, user operation behavior data, user uniform resource locator data, detected threat log data, file information, and content data.
  • The software behavior data is the behavior data of the client software itself, where the behavior of the client software itself may include software installation, uninstallation, daily behavior, upgrade requirements, and the like.
  • The user operation behavior data may include data on the user's usage characteristics, button clicks, and the like.
  • The client software collects Uniform Resource Locator (URL) data.
  • Step 203: Filter the running-related data if the running-related data includes an identity identifier.
  • The user uniform resource locator data includes a user account and a password.
  • The user's personal information needs to be filtered.
  • The user's personal information can be removed, and masking can be applied; for example, the user account and password can be masked with "******".
  • Step 204: Encrypt the processed system information and running-related data and upload them to the server, where the uploaded system information and running-related data are stored in blocks on the server.
  • The system information and running-related data processed in steps 201 and 203 are encrypted and uploaded to the server, where they are stored in blocks; for example, storage may use a cluster of storage machines spanning equipment rooms, with a unified upload interface and the uploaded content stored separately.
  • The process 300 of the information collection method includes the following steps:
  • Step 301: Collect client system information and obfuscate the system information.
  • The electronic device (for example, the terminal device shown in FIG. 1) on which the information collection method runs can collect system information.
  • The client may obtain the system information locally and obfuscate it.
  • The foregoing system information may include at least one of the following: installed software list information, system configuration utility list information, service list information, operating system version information, browser version information, network card MAC address, hard disk serial number, memory information, and system structure information.
  • The system information obfuscation process may be as follows: first, generate a file from the above system information; then perform a hash calculation on the file to obtain the hash value of the file. The hash value is the unique identification number of the user's machine after its system information has been obfuscated.
  • Step 302: Collect various running-related data.
  • The client software installed on the electronic device collects various running-related data.
  • The above running-related data may include at least one of the following: software behavior data, user operation behavior data, user uniform resource locator data, detected threat log data, file information, and content data.
  • Step 303: Filter the running-related data if the running-related data includes an identity identifier.
  • Some personal information of the user may exist in the above running-related data.
  • The user's personal information needs to be filtered.
  • Step 304: Encrypt the processed system information and running-related data and transmit them to the server, where the uploaded system information and running-related data are stored in blocks on the server.
  • The system information and running-related data processed in steps 301 and 303 are encrypted and uploaded to the server, where the uploaded system information and running-related data are stored in blocks.
  • Step 305: Inspect the running-related data.
  • The running-related data uploaded to the server is inspected for portable executable (Portable Executable, PE) files that the client software cannot recognize.
  • The above portable executable file may include an executable program (EXE) file, a dynamic link library (DLL) file, an Object Linking and Embedding (OLE) Control eXtension (OCX) file, a system (SYS) file, or other portable executable files developed in the future.
  • Step 306: If an unrecognizable portable executable file is detected, upload the path information of the portable executable file.
  • Based on the detection result of step 305, if an unrecognizable portable executable file is detected, the path information of that file is uploaded to the server.
  • When the path information of the unrecognizable portable executable file is uploaded, the path information may be filtered to remove the personal information in it, where the personal information can include a user name.
  • Step 307: Upload the portable executable file in fragments according to the fragment collection instruction, where the fragment collection instruction is generated and issued by the server based on the path information.
  • The unrecognized portable executable file detected in step 305 is uploaded in fragments according to the fragment collection instruction.
  • Compared with the embodiment corresponding to FIG., the flow 300 of the information collection method in the present embodiment highlights the step of transmitting an unrecognizable portable executable file in fragments. The scheme described in this embodiment can therefore upload files in fragments. Fragmented upload limits the data collected on each machine, so data privacy issues cannot be analyzed from the fragment data collected on a single machine, which effectively reduces the generation of privacy-sensitive personal data.
  • The present application provides an embodiment of an information collecting apparatus, and the apparatus embodiment corresponds to the method embodiment shown in FIG. The apparatus can be used in a variety of electronic devices.
  • The information collecting apparatus 400 described in this embodiment includes: a first collecting unit 401, a second collecting unit 402, a filtering processing unit 403, and a transmission unit 404.
  • The first collecting unit 401 is configured to collect client system information and obfuscate the system information;
  • the second collecting unit 402 is configured to collect various running-related data;
  • the filtering processing unit 403 is configured to filter the running-related data if the running-related data includes an identity identifier;
  • the transmission unit 404 is configured to encrypt the processed system information and running-related data and upload them to the server, where the uploaded system information and running-related data are stored in blocks on the server.
  • The first collecting unit 401 of the information collecting apparatus 400 can collect system information. Specifically, when the client software is installed on the electronic device, the client software may obtain the system information locally through the first collecting unit 401; the first collecting unit 401 obfuscates the acquired system information and sends the obfuscated system information to the transmission unit 404.
  • The second collecting unit 402 may collect various running-related data of the client software and send the collected running-related data to the filtering processing unit 403.
  • The filtering processing unit 403 filters the running-related data if it includes an identity identifier, removes the identity identifier from the running-related data, and sends the filtered running-related data to the transmission unit 404.
  • The transmission unit 404 may upload the system information and the running-related data to the server over a wired or wireless connection.
  • The information collecting apparatus 400 also includes other well-known structures, such as processors and memories, which are not shown in FIG. 4 in order not to unnecessarily obscure the embodiments of the present disclosure.
  • FIG. 5 shows a block diagram of a computer system 500 suitable for implementing a terminal device or server of an embodiment of the present application.
  • Computer system 500 includes a central processing unit (CPU) 501, which can perform various appropriate actions and processes according to a program stored in read-only memory (ROM) 502 or a program loaded from storage portion 508 into random access memory (RAM) 503.
  • RAM: random access memory
  • ROM: read-only memory
  • The RAM 503 also stores various programs and data required for the operation of the system 500.
  • The CPU 501, the ROM 502, and the RAM 503 are connected to each other through a bus 504.
  • An input/output (I/O) interface 505 is also coupled to bus 504.
  • The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, etc.; an output portion 507 including, for example, a cathode ray tube (CRT), a liquid crystal display (LCD), and the like; a storage portion 508 including a hard disk or the like; and a communication portion 509 including a network interface card such as a LAN card, a modem, or the like. The communication portion 509 performs communication processing via a network such as the Internet.
  • Drive 510 is also coupled to I/O interface 505 as needed.
  • A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory or the like is mounted on the drive 510 as needed so that a computer program read from it is installed into the storage portion 508 as needed.
  • An embodiment of the present disclosure includes a computer program product comprising a computer program tangibly embodied on a machine readable medium, the computer program comprising program code for executing the method illustrated in the flowchart.
  • The computer program can be downloaded and installed from the network via the communication portion 509, and/or installed from the removable medium 511.
  • Each block of the flowchart or block diagrams can represent a module, a program segment, or a portion of code that includes one or more executable instructions for implementing the specified logical functions.
  • The functions can also occur in a different order than that illustrated in the drawings. For example, two successively represented blocks may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending upon the functionality involved.
  • Each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented in a dedicated hardware-based system that performs the specified function or operation, or by a combination of dedicated hardware and computer instructions.
  • The units involved in the embodiments of the present application may be implemented by software or by hardware.
  • The described units may also be provided in a processor, for example, described as a processor comprising a first collecting unit, a second collecting unit, a filtering processing unit, and a transmission unit.
  • The names of these units do not, in some cases, constitute a limitation on the units themselves.
  • The first collecting unit may also be described as “a unit used to collect client system information and obfuscate the system information.”
  • The present application further provides a computer readable storage medium, which may be the computer readable storage medium included in the apparatus described in the foregoing embodiment, or may be a computer readable storage medium that exists separately and is not assembled into a terminal.
  • The computer readable storage medium stores one or more programs that are used by one or more processors to perform the information collection methods described herein.

Abstract

Provided are an information collection method and apparatus. The method comprises: collecting client system information, and performing fuzzification processing on the system information; collecting various running-related data; in a case in which the running-related data comprises an identity, performing filtering processing on the running-related data; and uploading the processed system information and the processed running-related data to a server after encryption, the uploaded system information and the uploaded running-related data being stored in the server on a block basis. The method reduces the security problem brought by information collection.

Description

Information collection method and apparatus
Cross-reference to related applications
The present application claims priority to Chinese Patent Application No. 201510548965.9, filed on August 31, 2015, the entire content of which is incorporated herein in its entirety.
Technical field
The present application relates to the field of computer technologies, specifically to the field of Internet technologies, and in particular to an information collection method and apparatus.
Background
With the rapid development of the Internet, a black-market profit chain around malicious code has formed, and tens of thousands of new malicious code samples appear every day. Traditional client-side detection has shifted to cloud-based scanning, so the cloud needs to collect a large amount of file data. To improve the accuracy of client detection, behavior log information of the relevant client software needs to be collected, big-data log analysis is formed in the cloud, and the identification strategy is adjusted through massive data analysis, thereby effectively improving the product's detection capability. However, the precondition for improving the product's detection capability is that the relevant data is collected through the client, sent back through a transmission mechanism to the data storage center in the cloud, analyzed and processed as big data, and then fed back into the product.
The prior art adopts a cloud data collection method. When client data is collected, machine system information is generally used directly as the user identification number, for example using the machine name as the user identification number, and the collected data is uploaded in full. The machine system information may contain sensitive information such as the user's personal information, so security is not adequately considered.
Summary of the invention
The purpose of the present application is to propose a privacy-protecting information collection method and apparatus to solve the technical problems mentioned in the background section above.
In a first aspect, the present application provides an information collection method, the method including: collecting client system information and obfuscating the system information; collecting various running-related data; filtering the running-related data if the running-related data includes an identity identifier; and encrypting the processed system information and running-related data and uploading them to a server, where the uploaded system information and running-related data are stored in blocks on the server.
In some embodiments, encrypting the processed system information and running-related data and uploading them to the server includes: inspecting the running-related data; if an unrecognizable portable executable file is detected, uploading the path information of the portable executable file; and uploading the portable executable file in fragments according to a fragment collection instruction, where the fragment collection instruction is generated and issued by the server based on the path information.
In some embodiments, uploading the path information of the portable executable file if an unrecognizable portable executable file is detected includes: when uploading the path information of the portable executable file, filtering the user name contained in the path information.
In some embodiments, the system information includes at least one of the following: installed software list information, system configuration utility list information, service list information, operating system version information, browser version information, network card MAC address, hard disk serial number, memory information, and system structure information.
In some embodiments, collecting client system information and obfuscating the system information includes: collecting client system information, generating a file from the system information, and performing a hash calculation on the file to generate a unique identification number.
In some embodiments, the various running-related data include at least one of the following: software behavior data, user operation behavior data, user uniform resource locator data, detected threat log data, file information, and content data.
In a second aspect, the present application provides an information collecting apparatus, the apparatus including: a first collecting unit configured to collect client system information and obfuscate the system information; a second collecting unit configured to collect various running-related data; a filtering processing unit configured to filter the running-related data if the running-related data includes an identity identifier; and a transmission unit configured to encrypt the processed system information and running-related data and upload them to a server, where the uploaded system information and running-related data are stored in blocks on the server.
In some embodiments, the transmission unit is further configured to: inspect the running-related data; upload the path information of a portable executable file if an unrecognizable portable executable file is detected; and upload the portable executable file in fragments according to a fragment collection instruction, where the fragment collection instruction is generated and issued by the server based on the path information.
In some embodiments, the filtering processing unit is further configured to: when the path information of the portable executable file is uploaded, filter the user name contained in the path information.
In some embodiments, the system information includes at least one of the following: a network card MAC address, a hard disk serial number, memory information, and system structure information.
In some embodiments, the obfuscation processing unit is further configured to: collect client system information, generate a file from the system information, and perform a hash calculation on the file to generate a unique identification number.
In some embodiments, the various running-related data include at least one of the following: software behavior data, user operation behavior data, user uniform resource locator data, detected threat log data, file information, and content data.
The information collection method and apparatus provided by the present application collect client system information and obfuscate it, then collect various running-related data, filter the running-related data if it includes an identity identifier, and finally encrypt and upload the processed system information and running-related data, thereby lowering the sensitivity of the collected information and reducing the security problems brought by information collection.
DESCRIPTION OF THE DRAWINGS
Other features, objects, and advantages of the present application will become more apparent upon reading the detailed description of non-limiting embodiments made with reference to the following drawings:
FIG. 1 is an exemplary system architecture diagram to which the present application can be applied;
FIG. 2 is a flowchart of one embodiment of the information collection method according to the present application;
FIG. 3 is a flowchart of another embodiment of the information collection method according to the present application;
FIG. 4 is a schematic structural diagram of one embodiment of the information collection apparatus according to the present application;
FIG. 5 is a schematic structural diagram of a computer system suitable for implementing a terminal device or server of an embodiment of the present application.
DETAILED DESCRIPTION
The present application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the relevant invention and do not limit it. It should also be noted that, for ease of description, the drawings show only the parts related to the relevant invention.
It should be noted that, where no conflict arises, the embodiments of the present application and the features in the embodiments may be combined with one another. The present application is described in detail below with reference to the drawings and in combination with the embodiments.
FIG. 1 shows an exemplary system architecture 100 to which embodiments of the information collection method or information collection apparatus of the present application can be applied.
As shown in FIG. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is the medium that provides communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired links, wireless communication links, or fiber optic cables.
A user can use the terminal devices 101, 102, 103 to interact with the server 105 over the network 104, for example to receive or send messages. Various client software applications may be installed on the terminal devices 101, 102, 103, for example instant messaging tools, mailbox clients, and social platform software that may involve the collection of user information.
The terminal devices 101, 102, 103 may be various electronic devices, including but not limited to personal computers, smartphones, smart watches, tablet computers, and personal digital assistants.
The server 105 may be a server that provides various services. The server can store and analyze the received data, among other processing, and feed the processing results back to the terminal device.
It should be noted that the information collection method provided by the embodiments of the present application is generally executed by the terminal devices 101, 102, 103. Correspondingly, the information collection apparatus is generally located in the terminal devices 101, 102, 103.
It should be understood that the numbers of terminal devices, networks, and servers in FIG. 1 are merely illustrative. There may be any number of terminal devices, networks, and servers, as the implementation requires.
With continued reference to FIG. 2, an exemplary flow 200 of one embodiment of the information collection method according to the present application is shown. The information collection method includes the following steps:
Step 201: collect client system information and obfuscate the system information.
In this embodiment, the electronic device on which the information collection method runs (for example, the terminal device shown in FIG. 1) can collect system information. Specifically, when the user installs client software on the electronic device, the client software can obtain the system information locally and obfuscate it.
In some optional implementations of this embodiment, the system information may include at least one of the following: installed software list information, system configuration utility (Microsoft System Configuration, msconfig) list information, service list information, operating system version information, browser version information, network card MAC address, hard disk serial number, memory information, and system structure information.
In some optional implementations of this embodiment, the system information may be obfuscated by first generating a file from the system information and then performing a hash calculation on the file to obtain its hash value. This hash value is the unique identification number that results from obfuscating the system information of the user's machine.
Step 202: collect various operation-related data.
In this embodiment, the client software installed on the electronic device collects various operation-related data once it is running.
In some optional implementations of this embodiment, the various operation-related data may include at least one of the following: software behavior data, user operation behavior data, user uniform resource locator data, threat detection log data, file information and content data. Here, software behavior data is the behavior data of the client software itself, where the behavior of the client software itself may include installation, uninstallation, routine behavior, and upgrade requests of the software. User operation behavior data may include data such as the user's usage characteristics and button clicks. When the user visits a Uniform Resource Locator (URL) address through a browser, the client software collects the URL data.
Step 203: if the operation-related data contains an identity identifier, filter the operation-related data.
In this embodiment, the operation-related data may contain some personal information of the user. For example, the user uniform resource locator data may contain a user account and password, in which case the user's personal information needs to be filtered. As an example, the personal information may be removed, or it may be masked; for example, the user account and password may be masked with "******".
Step 204: encrypt the processed system information and operation-related data and upload them to the server, where the uploaded system information and operation-related data are stored in blocks on the server.
In this embodiment, the system information and operation-related data processed in step 201 and step 203 are encrypted and then uploaded to the server, where the uploaded system information and operation-related data are stored in blocks. For example, a cluster of storage machines spanning multiple data centers is used for storage, with a unified upload interface, and the uploaded content is stored separately.
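Steps 201 and 203 can be sketched as follows. This is an added example, not code from the patent: the choice of SHA-256, the JSON serialisation of the "file", the list of sensitive query keys, dropping the URL fragment, and all field names and sample values are assumptions made for illustration.

```python
import hashlib
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "******"  # mask string given in the description of step 203

# Assumed list of query keys that carry an account or a password.
SENSITIVE_KEYS = {"user", "username", "account", "login", "password", "passwd", "pwd"}

# Constructed sample of collected system information (all values invented).
SAMPLE_INFO = {
    "mac": "00:11:22:33:44:55",
    "disk_serial": "WD-EXAMPLE0001",
    "memory_mb": 8192,
    "os_version": "Windows 7 SP1 x64",
    "browser_version": "Example Browser 45.0",
}

# Constructed sample URL with credentials in the userinfo part and the query.
SAMPLE_URL = ("https://alice:s3cret@portal.example.com/login"
              "?user=alice&Password=hunter2&lang=en#section")


def system_info_file(info: dict) -> bytes:
    """Step 201, first half: turn the collected fields into the bytes of a file.

    Keys are sorted so the same machine always produces the same bytes,
    regardless of the order in which the fields were collected.
    """
    return json.dumps(info, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def system_info_id(info: dict) -> str:
    """Step 201, second half: hash the file; the digest is the identification number.

    The digest is stable per machine, so it is a pseudonym rather than
    anonymous data: anyone who holds the same fields can recompute it.
    """
    return hashlib.sha256(system_info_file(info)).hexdigest()


def mask_url(url: str) -> str:
    """Step 203: mask the account and password carried in a collected URL."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" in netloc:
        # user:password@host -> ******@host (host and port are kept)
        netloc = MASK + "@" + netloc.rsplit("@", 1)[1]
    query = [
        (key, MASK if key.lower() in SENSITIVE_KEYS else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    # safe="*" keeps the mask readable instead of percent-encoding it.
    # The fragment is dropped because it never reaches a server and may hold tokens.
    return urlunsplit((parts.scheme, netloc, parts.path,
                       urlencode(query, safe="*"), ""))


def build_upload_record(info: dict, urls: list) -> dict:
    """Combine both steps into the record that step 204 would encrypt and upload."""
    return {"client_id": system_info_id(info),
            "urls": [mask_url(u) for u in urls]}


if __name__ == "__main__":
    print(json.dumps(build_upload_record(SAMPLE_INFO, [SAMPLE_URL]), indent=2))
```
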
With further reference to FIG. 3, a flow 300 of another embodiment of the information collection method is shown. The flow 300 of the information collection method includes the following steps:
Step 301: collect client system information and obfuscate the system information.
In this embodiment, the electronic device on which the information collection method runs (for example, the terminal device shown in FIG. 1) can collect system information. Specifically, when the user installs client software on the electronic device, the client can obtain the system information locally and obfuscate it. The system information may include at least one of the following: installed software list information, system configuration utility list information, service list information, operating system version information, browser version information, network card MAC address, hard disk serial number, memory information, and system structure information.
The system information may be obfuscated as follows: first, a file is generated from the system information; then, a hash calculation is performed on the file to obtain its hash value. This hash value is the unique identification number that results from obfuscating the system information of the user's machine.
Step 302: collect various operation-related data.
In this embodiment, the client software installed on the electronic device collects various operation-related data once it is running. The various operation-related data may include at least one of the following: software behavior data, user operation behavior data, user uniform resource locator data, threat detection log data, file information and content data.
Step 303: if the operation-related data contains an identity identifier, filter the operation-related data.
In this embodiment, the operation-related data may contain some personal information of the user, in which case the user's personal information needs to be filtered.
Step 304: encrypt the processed system information and operation-related data and upload them to the server, where the uploaded system information and operation-related data are stored in blocks on the server.
In this embodiment, the system information and operation-related data processed in step 301 and step 303 are encrypted and then uploaded to the server, where the uploaded system information and operation-related data are stored in blocks.
Step 305: inspect the operation-related data.
In this embodiment, the operation-related data to be uploaded to the server is inspected to determine whether it contains a Portable Executable (PE) file that the client software cannot recognize. The portable executable file may include an executable program (EXE) file, a dynamic link library (DLL) file, an Object Linking and Embedding (OLE) Control eXtension (OCX) file, a system (SYS) file, or other portable executable files to be developed in the future.
Step 306: if an unrecognizable portable executable file is detected, upload the path information of the portable executable file.
In this embodiment, based on the inspection result of step 305, if an unrecognizable portable executable file is detected, the path information of the detected file is uploaded to the server.
In some optional implementations of this embodiment, when the path information of the unrecognizable portable executable file is uploaded, the path information may be filtered to remove the personal information in it, where the personal information may include a username.
Step 307: upload the portable executable file in fragments according to a fragment collection instruction, where the fragment collection instruction is generated and issued by the server based on the path information.
In this embodiment, the unrecognizable portable executable file detected in step 305 is uploaded in fragments according to the fragment collection instruction.
As can be seen from FIG. 3, compared with the embodiment corresponding to FIG. 2, the flow 300 of the information collection method in this embodiment highlights the steps for transmitting an unrecognizable portable executable file in fragments. The scheme described in this embodiment can therefore upload a file in fragments. Fragmented upload means that the data collected on each machine is limited, and the privacy issues of the data cannot be analyzed from the fragment data collected on a single machine, which effectively reduces the generation of privacy-sensitive personal data.
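Steps 305 to 307 can be sketched as follows. This is an added example, not code from the patent: the patent does not define how a file is judged "unrecognizable" or what a fragment collection instruction looks like, so the known-hash set, the `fragment_size` and `indices` fields, the profile-directory pattern, and the sample bytes and paths are all assumptions.

```python
import hashlib
import re
import struct

MASK = "******"

# Assumed pattern: the path component after a Windows profile root is the username.
_PROFILE_DIR = re.compile(r"(?i)^([a-z]:\\(?:users|documents and settings)\\)([^\\]+)")

# Constructed path of a collected file (invented).
SAMPLE_PATH = r"C:\Users\alice\AppData\Local\Temp\setup.exe"


def _make_sample_pe() -> bytes:
    """Build a constructed 128-byte buffer with just enough PE structure to test."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"                       # DOS header magic
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: offset of the PE signature
    return bytes(header) + b"PE\x00\x00" + bytes(range(60))


SAMPLE_PE = _make_sample_pe()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """Step 305: check for the 'MZ' magic and the 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields a short slice, so the comparison fails safely.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scrub_path(path: str) -> str:
    """Step 306: mask the username in the path before it leaves the machine."""
    return _PROFILE_DIR.sub(lambda m: m.group(1) + MASK, path)


def path_report(path: str, data: bytes, known_hashes: set):
    """Return the scrubbed path for an unrecognized PE file, otherwise None.

    'Unrecognized' is modelled here as: the file hash is not in known_hashes.
    """
    if not is_pe(data) or sha256_hex(data) in known_hashes:
        return None
    return scrub_path(path)


def select_fragments(data: bytes, instruction: dict) -> list:
    """Step 307: cut the file as the server's instruction asks.

    Returns (index, bytes) pairs for the requested indices only, so a single
    upload never has to carry the whole file.
    """
    size = instruction["fragment_size"]
    if not isinstance(size, int) or size <= 0:
        raise ValueError("fragment_size must be a positive integer")
    total = (len(data) + size - 1) // size  # number of fragments in the file
    out = []
    for index in instruction["indices"]:
        if not 0 <= index < total:
            raise ValueError(f"fragment index {index} outside 0..{total - 1}")
        out.append((index, data[index * size:(index + 1) * size]))
    return out


if __name__ == "__main__":
    print(path_report(SAMPLE_PATH, SAMPLE_PE, known_hashes=set()))
    for idx, chunk in select_fragments(SAMPLE_PE, {"fragment_size": 50, "indices": [2]}):
        print(idx, len(chunk))
```
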
With further reference to FIG. 4, as an implementation of the methods shown in the figures above, the present application provides one embodiment of an information collection apparatus. This apparatus embodiment corresponds to the method embodiment shown in FIG. 2, and the apparatus can be applied to various electronic devices.
As shown in FIG. 4, the information collection apparatus 400 of this embodiment includes a first collection unit 401, a second collection unit 402, a filtering processing unit 403, and a transmission unit 404. The first collection unit 401 is configured to collect client system information and obfuscate the system information; the second collection unit 402 is configured to collect various operation-related data; the filtering processing unit 403 is configured to filter the operation-related data if the operation-related data contains an identity identifier; and the transmission unit 404 is configured to encrypt the processed system information and operation-related data and upload them to the server, where the uploaded system information and operation-related data are stored in blocks on the server.
In this embodiment, the first collection unit 401 of the information collection apparatus 400 can collect system information. Specifically, when client software is installed on the electronic device, the client software can obtain the system information locally through the first collection unit 401. The first collection unit 401 also obfuscates the obtained system information and sends the obfuscated system information to the transmission unit 404.
In this embodiment, after the client software installed on the electronic device is running, the second collection unit 402 can collect various operation-related data of the client software and send the collected operation-related data to the filtering processing unit 403.
In this embodiment, if the operation-related data contains an identity identifier, the filtering processing unit 403 filters the operation-related data, removes the identity identifier from it, and sends the filtered operation-related data to the transmission unit 404.
In this embodiment, the transmission unit 404 can upload the system information and the operation-related data to the server over a wired connection or a wireless connection.
Those skilled in the art will understand that the information collection apparatus 400 also includes some other well-known structures, such as a processor and a memory. So as not to unnecessarily obscure the embodiments of the present disclosure, these well-known structures are not shown in FIG. 4.
Referring now to FIG. 5, a schematic structural diagram is shown of a computer system 500 suitable for implementing a terminal device or server of an embodiment of the present application.
As shown in FIG. 5, the computer system 500 includes a central processing unit (CPU) 501, which can perform various appropriate actions and processing according to a program stored in a read-only memory (ROM) 502 or a program loaded from a storage section 508 into a random access memory (RAM) 503. The RAM 503 also stores the various programs and data required for the operation of the system 500. The CPU 501, the ROM 502, and the RAM 503 are connected to one another through a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
The following components are connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, and the like; an output section 507 including a cathode ray tube (CRT) or liquid crystal display (LCD) and the like, as well as a speaker and the like; a storage section 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card or a modem. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511, such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory, is mounted on the drive 510 as needed, so that a computer program read from it can be installed into the storage section 508 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program containing program code for executing the methods shown in the flowcharts. In such embodiments, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511.
The flowcharts and block diagrams in the drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present application. In this regard, each block in a flowchart or block diagram may represent a module, a program segment, or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in the embodiments of the present application may be implemented in software or in hardware. The described units may also be provided in a processor; for example, a processor may be described as including a first collection unit, a second collection unit, a filtering processing unit, and a transmission unit. The names of these units do not, in some cases, limit the units themselves. For example, the first collection unit may also be described as "a unit for collecting client system information and obfuscating the system information".
In another aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium may be the one included in the apparatus described in the above embodiments, or it may be a computer-readable storage medium that exists on its own and is not assembled into a terminal. The computer-readable storage medium stores one or more programs, which are used by one or more processors to execute the information collection method described in the present application.
The above description is only of the preferred embodiments of the present application and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the present application is not limited to technical solutions formed by the specific combination of the above technical features. It should also cover other technical solutions formed by any combination of the above technical features or their equivalents without departing from the inventive concept, for example technical solutions formed by replacing the above features with (but not limited to) technical features with similar functions disclosed in the present application.

Claims (14)

  1. An information collection method, characterized in that the method comprises:
    collecting client system information and obfuscating the system information;
    collecting various operation-related data;
    if the operation-related data contains an identity identifier, filtering the operation-related data;
    encrypting the processed system information and operation-related data and uploading them to a server, wherein the uploaded system information and operation-related data are stored in blocks on the server.
  2. The method according to claim 1, characterized in that encrypting the processed system information and operation-related data and uploading them to the server comprises:
    inspecting the operation-related data;
    if an unrecognizable portable executable file is detected, uploading path information of the portable executable file;
    uploading the portable executable file in fragments according to a fragment collection instruction, wherein the fragment collection instruction is generated and issued by the server based on the path information.
  3. The method according to claim 2, characterized in that uploading the path information of the portable executable file if an unrecognizable portable executable file is detected comprises:
    when the path information of the portable executable file is uploaded, filtering the username contained in the path information.
  4. The method according to claim 1, characterized in that the system information comprises at least one of the following:
    installed software list information, system configuration utility list information, service list information, operating system version information, browser version information, network card MAC address, hard disk serial number, memory information, system structure information.
  5. The method according to claim 1, characterized in that collecting client system information and obfuscating the system information comprises:
    collecting client system information;
    generating a file from the system information;
    performing a hash calculation on the file to generate a unique identification number.
  6. The method according to claim 1, characterized in that the various operation-related data comprises at least one of the following:
    software behavior data, user operation behavior data, user uniform resource locator data, threat detection log data, file information and content data.
  7. 一种信息采集装置,其特征在于,所述装置包括:An information collecting device, characterized in that the device comprises:
    第一采集单元,配置用于采集客户端系统信息,并将所述系统信息模糊化处理;a first collecting unit, configured to collect client system information, and obfuscate the system information;
    第二采集单元,配置用于采集各种运行相关数据;a second collection unit configured to collect various operational related data;
    过滤处理单元,配置用于在所述运行相关数据包含身份标识的情况下,将所述运行相关数据进行过滤处理;a filtering processing unit, configured to perform filtering processing on the running related data if the running related data includes an identity identifier;
    传输单元,配置用于将经处理的所述系统信息和所述运行相关数据通过加密后上传服务器,其中,上传的所述系统信息和所述运行相关数据在所述服务器中是分块存储的。a transmission unit configured to pass the processed system information and the operation related data to an encrypted upload server, where the uploaded system information and the operation related data are stored in blocks in the server .
  8. 根据权利要求7所述的信息采集装置,其特征在于,所述传输单元进一步配置用于:The information collecting apparatus according to claim 7, wherein the transmission unit is further configured to:
    对所述运行相关数据进行检测;Detecting the operation related data;
    如果检测到不能识别的可移植的执行体文件,则上传所述可移植的执行体文件的路径信息;Uploading path information of the portable executable file if an unrecognizable portable executable file is detected;
    根据分片采集指令分片上传所述可移植的执行体文件,其中,所述分片采集指令由所述服务器基于所述路径信息而生成并下发的。 And uploading the portable executable file according to the fragmentation acquisition instruction, wherein the fragmentation acquisition instruction is generated and delivered by the server based on the path information.
  9. 根据权利要求8所述的信息采集装置,其特征在于,所述过滤处理单元进一步配置用于:The information collecting apparatus according to claim 8, wherein the filtering processing unit is further configured to:
    在上传所述可移植的执行体文件的所述路径信息时,将所述路径信息中包含的用户名进行过滤处理。When the path information of the portable executable file is uploaded, the user name included in the path information is filtered.
  10. 根据权利要求7所述的信息采集装置,其特征在于,所述系统信息包括以下至少一项:The information collecting apparatus according to claim 7, wherein the system information comprises at least one of the following:
    网卡Mac地址、硬盘序列号、内存信息、系统结构信息。NIC Mac address, hard disk serial number, memory information, system structure information.
  11. 根据权利要求7所述的信息采集装置,其特征在于,所述模糊处理单元进一步配置用于:The information collecting apparatus according to claim 7, wherein the blur processing unit is further configured to:
    采集客户端系统信息,将所述系统信息生成文件,对所述文件进行哈希计算,生成唯一标识号。Collecting client system information, generating a file by using the system information, performing hash calculation on the file, and generating a unique identification number.
  12. 根据权利要求7所述的信息采集装置,其特征在于,所述各种运行相关数据包括以下至少一项:The information collecting apparatus according to claim 7, wherein said various operation related data comprises at least one of the following:
    软件行为数据、用户操作行为数据、用户统一资源定位符数据、检测威胁日志数据、文件信息及内容数据。Software behavior data, user operation behavior data, user uniform resource locator data, detection threat log data, file information, and content data.
  13. 一种设备,包括:A device that includes:
    处理器;和Processor; and
    存储器,Memory,
    所述存储器中存储有能够被所述处理器执行的计算机可读指令,在所述计算机可读指令被执行时,所述处理器执行权利要求1至6中任一项所述的方法。The memory stores computer readable instructions executable by the processor, the processor executing the method of any one of claims 1 to 6 when the computer readable instructions are executed.
  14. 一种非易失性计算机存储介质,所述计算机存储介质存储有能够被处理器执行的计算机可读指令,当所述计算机可读指令被处理器执行时,所述处理器执行权利要求1至6中任一项所述的方法。 A non-volatile computer storage medium storing computer readable instructions executable by a processor, the processor executing claim 1 to when the computer readable instructions are executed by a processor The method of any of 6.
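The hashing step of claim 11 and the user-name filtering of claim 9, sketched in Python as an added example (not code from the patent or the applicant). The field names, sample values, canonical JSON serialization, SHA-256, the optional HMAC key and the `<user>` placeholder are all assumptions; the claims name no algorithm or format.

```python
import hashlib
import hmac
import json
import re

# Constructed sample values, not taken from the patent.
SAMPLE_SYSTEM_INFO = {
    "mac": "00:11:22:33:44:55",
    "disk_serial": "EXAMPLE-SERIAL-0001",
    "memory_mb": 8192,
    "arch": "x86_64",
}

def device_id(system_info, key=None):
    """Write the system information to a canonical byte 'file' and hash it."""
    # Sorted keys and fixed separators: the same machine always yields the same bytes.
    blob = json.dumps(system_info, sort_keys=True, separators=(",", ":")).encode("utf-8")
    if key is not None:
        # Assumption beyond the claims: a keyed hash, so that low-entropy inputs
        # such as a MAC address cannot be recovered by enumerating candidates.
        return hmac.new(key, blob, hashlib.sha256).hexdigest()
    return hashlib.sha256(blob).hexdigest()

# Per-user profile roots on Windows, macOS and Linux (hypothetical coverage list).
_PROFILE = re.compile(
    r"(?i)^((?:[a-z]:)?[\\/](?:users|documents and settings|home)[\\/])([^\\/]+)"
)

def redact_user(path, placeholder="<user>"):
    """Replace the user-name component of a profile path; other paths pass through."""
    # A function replacement keeps backslashes in the matched prefix literal.
    return _PROFILE.sub(lambda m: m.group(1) + placeholder, path)

def upload_record(pe_path, system_info, key=None):
    """Fields a client would send for an unrecognized PE file: no raw identifiers."""
    return {"device_id": device_id(system_info, key), "pe_path": redact_user(pe_path)}

if __name__ == "__main__":
    print(upload_record(r"C:\Users\alice\AppData\Local\Temp\setup.exe", SAMPLE_SYSTEM_INFO))
```

Without a key, the identifier is a stable pseudonym that anyone holding the same system values can recompute, which is why the keyed variant is included.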
PCT/CN2015/099897 2015-08-31 2015-12-30 Information collection method and apparatus WO2017036042A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510548965.9A CN105224880B (en) 2015-08-31 2015-08-31 Information collecting method and device
CN201510548965.9 2015-08-31

Publications (1)

Publication Number Publication Date
WO2017036042A1 (en) 2017-03-09

Family

ID=54993842

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/099897 WO2017036042A1 (en) 2015-08-31 2015-12-30 Information collection method and apparatus

Country Status (2)

Country Link
CN (1) CN105224880B (en)
WO (1) WO2017036042A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111556098A (en) * 2020-04-08 2020-08-18 深圳供电局有限公司 Artificial intelligence based analysis system and analysis method for internet of things data

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106130784A (en) * 2016-07-20 2016-11-16 云南电网有限责任公司信息中心 A kind of securely configurable IT information unification harvester
CN109660694A (en) * 2017-11-19 2019-04-19 杭州美盛红外光电技术有限公司 Detection device, reception device, access mechanism, detection system and detection encryption method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014133A (en) * 2010-11-26 2011-04-13 清华大学 Method for implementing safe storage system in cloud storage environment
CN102984180A (en) * 2011-09-02 2013-03-20 广东电子工业研究院有限公司 Cloud storage-based cross-mobile platform data processing apparatus and processing method thereof
CN103368942A (en) * 2013-05-25 2013-10-23 中山市中商港科技有限公司 Cloud data security storage and management method
CN104270465A (en) * 2014-10-23 2015-01-07 成都双奥阳科技有限公司 Cloud storage protection system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110153748A1 (en) * 2009-12-18 2011-06-23 Electronics And Telecommunications Research Institute Remote forensics system based on network
CN101808102B (en) * 2010-04-23 2012-12-12 潘燕辉 Operating record tracing system and method based on cloud computing

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111556098A (en) * 2020-04-08 2020-08-18 深圳供电局有限公司 Artificial intelligence based analysis system and analysis method for internet of things data
CN111556098B (en) * 2020-04-08 2023-09-15 深圳供电局有限公司 Analysis system and analysis method for Internet of things data based on artificial intelligence

Also Published As

Publication number Publication date
CN105224880A (en) 2016-01-06
CN105224880B (en) 2019-06-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15902846

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15902846

Country of ref document: EP

Kind code of ref document: A1