WO2017036042A1 - Procédé et appareil de collecte d'informations - Google Patents

Procédé et appareil de collecte d'informations Download PDF

Info

Publication number
WO2017036042A1
WO2017036042A1 PCT/CN2015/099897 CN2015099897W WO2017036042A1 WO 2017036042 A1 WO2017036042 A1 WO 2017036042A1 CN 2015099897 W CN2015099897 W CN 2015099897W WO 2017036042 A1 WO2017036042 A1 WO 2017036042A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
related data
system information
data
file
Prior art date
Application number
PCT/CN2015/099897
Other languages
English (en)
Chinese (zh)
Inventor
邹荣新
Original Assignee
安一恒通(北京)科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 安一恒通(北京)科技有限公司 filed Critical 安一恒通(北京)科技有限公司
Publication of WO2017036042A1 publication Critical patent/WO2017036042A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Definitions

  • the present application relates to the field of computer technologies, and in particular, to the field of Internet technologies, and in particular, to an information collection method and apparatus.
  • the prior art adopts a cloud data collection method.
  • the system system information is generally used directly as the user identification number.
  • the collected data information is completely uploaded, and the machine system Information may have sensitive information such as the user's personal information, so there is a lack of security considerations.
  • the purpose of the present application is to propose a privacy-removing information collecting method and apparatus to solve the technical problems mentioned in the above background art.
  • the application provides an information collection method, and the method includes: Collecting client system information, and obfuscating the system information; collecting various running related data; and filtering the running related data if the running related data includes an identity identifier;
  • the system information and the operation related data are uploaded to the server by encryption, wherein the uploaded system information and the operation related data are stored in blocks in the server.
  • the processing of the processed system information and the operation related data by the encrypted uploading and transmitting server comprises: detecting the running related data; if an unrecognizable portable execution is detected And uploading the path information of the portable executable file; uploading the portable executable file according to the fragmentation acquisition instruction, wherein the fragmentation acquisition instruction is based on the path by the server Generated and delivered by information.
  • uploading the path information of the portable executable file includes: uploading the portable executable file file In the case of the path information, the user name included in the path information is filtered.
  • the system information includes at least one of the following: installed software list information, system configuration utility list information, service list information, operating system version information, browser version information, network card Mac address, hard disk sequence Number, memory information, system structure information.
  • the collecting client system information and obscuring the system information includes: collecting client system information, generating a file by using the system information, performing hash calculation on the file, and generating Unique identification number.
  • the various operational related data includes at least one of the following: software behavior data, user operational behavior data, user uniform resource locator data, detected threat log data, file information, and content data.
  • the present application provides an information collecting apparatus, where the apparatus includes a first collecting unit configured to collect client system information and obfuscate the system information; and a second collecting unit configured to be used for Collecting various operation related data; filtering a processing unit configured to filter the operation related data if the operation related data includes an identity identifier; and a transmission unit configured to process the processed system
  • the information and the operation related data are uploaded to the server by encryption, wherein the uploaded system information and the operation related data are stored in blocks in the server.
  • the transmission unit is further configured to: detect the operation related data; upload an path information of the portable executable file if an unrecognizable portable executable file is detected; And uploading the portable executable file according to the fragmentation acquisition instruction, wherein the fragmentation acquisition instruction is generated and delivered by the server based on the path information.
  • the filtering processing unit is further configured to: when uploading the path information of the portable executable file, perform filtering processing on a username included in the path information.
  • the system information includes at least one of the following: a network card Mac address, a hard disk serial number, memory information, and system structure information.
  • the obfuscation processing unit is further configured to: collect client system information, generate a file by using the system information, perform hash calculation on the file, and generate a unique identification number.
  • the various operational related data includes at least one of the following: software behavior data, user operational behavior data, user uniform resource locator data, detected threat log data, file information, and content data.
  • the information collecting method and device provided by the present application collects the client system information, obfuscates the above system information, and collects various running related data, and if the running related data includes the identity identifier, the operation is related. The data is filtered, and finally the processed system information and the operation related data are encrypted and uploaded, thereby reducing the sensitivity of collecting information and reducing the security problem brought by information collection.
  • FIG. 1 is an exemplary system architecture diagram to which the present application can be applied;
  • FIG. 2 is a flow chart of one embodiment of an information collection method according to the present application.
  • FIG. 3 is a flow chart of still another embodiment of an information collecting method according to the present application.
  • FIG. 4 is a schematic structural diagram of an embodiment of an information collecting apparatus according to the present application.
  • FIG. 5 is a schematic structural diagram of a computer system suitable for implementing a terminal device or a server of an embodiment of the present application.
  • FIG. 1 illustrates an exemplary system architecture 100 in which an embodiment of an information collection method or information collection device of the present application may be applied.
  • system architecture 100 can include terminal devices 101, 102, 103, network 104, and server 105.
  • the network 104 is used to provide a medium for communication links between the terminal devices 101, 102, 103 and the server 105.
  • Network 104 may include various types of connections, such as wired, wireless communication links, fiber optic cables, and the like.
  • the user can interact with the server 105 over the network 104 using the terminal devices 101, 102, 103 to receive or transmit messages and the like.
  • Various client software applications such as instant messaging tools, email clients, social platform software, etc., which may involve user information collection, may be installed on the terminal devices 101, 102, and 103.
  • the terminal devices 101, 102, 103 can be various electronic devices including, but not limited to, personal computers, smart phones, smart watches, tablets, personal digital assistants, and the like.
  • the server 105 can be a server that provides various services.
  • the server can store, analyze, and the like the received data, and feed back the processing result to the terminal device.
  • the information collection method provided by the embodiment of the present application is generally performed by the terminal devices 101, 102, and 103.
  • the information collecting device is generally disposed in the terminal devices 101, 102, and 103.
  • terminal devices, networks and servers in Figure 1 is merely illustrative. Sexual. Depending on the implementation needs, there can be any number of terminal devices, networks, and servers.
  • the information collection method includes the following steps:
  • step 201 the client system information is collected, and the system information is blurred.
  • an electronic device (such as the terminal device shown in FIG. 1) on which the information collecting method runs can collect system information.
  • the client software may locally acquire the system information and obfuscate the system information.
  • the foregoing system information may include at least one of the following: an installed software list information, a system configuration utility (Microsoft System Configuration, msconfig) list information, a service list information, and an operating system. Version information, browser version information, network card Mac address, hard disk serial number, memory information, system structure information.
  • a system configuration utility Microsoft System Configuration, msconfig
  • the system information fuzzification process may first generate a file by using the system information, and then perform a hash calculation on the file to obtain a hash value of the file, where the hash value is obtained.
  • the hash value is a unique identification number after the system information of the user's machine is blurred.
  • step 202 various operational related data are collected.
  • the client software installed on the electronic device collects various operation related data.
  • the foregoing various operation related data may include at least one of the following: software behavior data, user operation behavior data, user uniform resource locator data, detection threat log data, file information, and Content data.
  • the software behavior data is the behavior data of the client software itself, wherein the behavior of the client software itself may include software installation, uninstallation, daily behavior, upgrade requirements, and the like.
  • the user operation behavior data may include data of a user's usage characteristics, a click button, and the like.
  • the client software collects the Uniform Resource Locator URL data.
  • Step 203 Perform filtering processing on the operation related data if the operation related data includes an identity identifier.
  • the user uniform resource locator data includes a user account and a password.
  • the user personal information needs to be filtered.
  • the user's personal information can be removed and occlusion can be performed, for example, the user account and password can be occluded with "******".
  • Step 204 The processed system information and the operation related data are encrypted and uploaded to the server, wherein the uploaded system information and the operation related data are stored in blocks in the server.
  • the system information processed by step 201 and step 203 and the operation related data are encrypted and uploaded to the server, wherein the uploaded system information and the operation related data are stored in blocks in the server, for example, When storing, use a storage machine cluster across the equipment room, and upload the interface uniformly, and store the uploaded content separately.
  • the process 300 of the information collection method includes the following steps:
  • Step 301 Collect client system information, and obfuscate the system information.
  • the electronic device (for example, the terminal device shown in FIG. 1) on which the information collecting method runs can collect system information.
  • the client may locally obtain the system information and obfuscate the system information.
  • the foregoing system information may include at least one of the following: an installed software list information, a system configuration utility list information, a service list information, an operating system version information, a browser version information, a network card Mac address, a hard disk serial number, and a memory information. , system structure information.
  • the system information fuzzification process may be as follows: first, generating the file by using the above system information; and then performing a hash calculation on the file to obtain a hash value of the file, and the hash value is a system of the user machine.
  • the unique identification number after the information is blurred.
  • step 302 various operational related data are collected.
  • the client software installed on the electronic device collects various operation related data.
  • the above various operation related data may include the following At least one item: software behavior data, user operation behavior data, user uniform resource locator data, detection threat log data, file information, and content data.
  • Step 303 Perform filtering processing on the operation related data if the operation related data includes an identity identifier.
  • some user personal information may exist in the above operation related data.
  • the user personal information needs to be filtered.
  • Step 304 The processed system information and the operation related data are transmitted to the server through encryption, wherein the uploaded system information and the operation related data are stored in blocks in the server.
  • system information and the operation related data processed in steps 301 and 303 are encrypted and uploaded to the server, wherein the uploaded system information and the operation related data are stored in blocks in the server.
  • step 305 the operation related data is detected.
  • the running related data of the uploading server is detected, and the portable running data (Portable Executable (PE) file) that is not recognized by the client software is detected in the running related data.
  • the above portable executable file may include an Executable Program (EXE) file, a Dynamic Link Library (DLL) file, and an Object Linking and Embedding (OLE) Control eXtension (OCX) file. , System (SYS) files or other portable executable files that will be developed in the future.
  • Step 306 If an unrecognizable portable executable file is detected, upload path information of the portable executable file.
  • step 305 based on the detection result of step 305, if an unrecognizable portable executable file is detected, the path information of the detected unrecognizable portable executable file is uploaded to the server.
  • the path information of the portable executable file that cannot be identified when uploaded, the path information may be filtered to remove the personal information in the path information, where Personal information can include a username.
  • Step 307 Upload the portable executable file according to the fragmentation acquisition instruction fragment, wherein the fragment acquisition instruction is generated by the server based on the path information and Made.
  • the portable executable file that is not recognized is detected according to the fragmentation acquisition instruction fragment uploading step 305.
  • the flow 300 of the information collection method in the present embodiment highlights the step of fragmentation transmission of an unrecognizable portable executable file as compared with the embodiment corresponding to FIG. Therefore, the scheme described in this embodiment can implement the fragment uploading of the file, and the fragment uploading makes the data collected on each machine limited, and the data privacy problem cannot be analyzed according to the fragment data collected on one machine. , thereby effectively reducing the generation of personal privacy sensitive data.
  • the present application provides an embodiment of an information collecting apparatus, and the apparatus embodiment corresponds to the method embodiment shown in FIG. Used in a variety of electronic devices.
  • the information collecting apparatus 400 described in this embodiment includes: a first collecting unit 401, a second collecting unit 402, a filtering processing unit 403, and a transmitting unit 404.
  • the first collecting unit 401 is configured to collect client system information, and the above system information is fuzzified;
  • the second collecting unit 402 is configured to collect various running related data;
  • the filtering processing unit 403 is configured to be used in the foregoing operation.
  • the related data includes the identity identifier, the foregoing operation related data is filtered;
  • the transmission unit 404 is configured to pass the processed system information and the operation related data to the server after being encrypted, wherein the uploaded system information and The above operation related data is stored in blocks in the above server.
  • the first collection unit 401 of the information collection device 400 can collect system information. Specifically, when the client software is installed on the electronic device, the client software may obtain the system information locally through the first collecting unit 401, and the system information acquired by the first acquisition unit 401 by the Shanghai-Soviet unit 401. The blurring process is performed, and the system information after the blurring process is transmitted to the transmission unit 404.
  • the second collection unit 402 may collect various operation related data of the client software, and send the collected operation related data to the The filtering processing unit 403 described above.
  • the filtering processing unit 403 filters the operation related data in the case that the operation related data includes the identity identifier, removes the identity identifier in the operation related data, and performs the filtering operation.
  • the relevant data is sent to the above transmission unit 404.
  • the transmission unit 404 may upload the system information and the operation related data to the server by using a wired connection method or a wireless connection manner.
  • the above-described information collection device 400 also includes other well-known structures, such as processors, memories, etc., which are not shown in FIG. 4 in order to unnecessarily obscure the embodiments of the present disclosure.
  • FIG. 5 there is shown a block diagram of a computer system 500 suitable for use in implementing a terminal device or server of an embodiment of the present application.
  • computer system 500 includes a central processing unit (CPU) 501 that can be loaded into a program in random access memory (RAM) 503 according to a program stored in read only memory (ROM) 502 or from storage portion 508. And perform various appropriate actions and processes.
  • RAM random access memory
  • ROM read only memory
  • RAM 503 various programs and data required for the operation of the system 500 are also stored.
  • the CPU 501, the ROM 502, and the RAM 503 are connected to each other through a bus 504.
  • An input/output (I/O) interface 505 is also coupled to bus 504.
  • the following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, etc.; an output portion 507 including, for example, a cathode ray tube (CRT), a liquid crystal display (LCD), and the like, and a storage portion 508 including a hard disk or the like. And a communication portion 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the Internet.
  • Driver 510 is also coupled to I/O interface 505 as needed.
  • a removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory or the like is mounted on the drive 510 as needed so that a computer program read therefrom is installed into the storage portion 508 as needed.
  • an embodiment of the present disclosure includes a computer program product comprising a computer program tangibly embodied on a machine readable medium, the computer program comprising program code for executing the method illustrated in the flowchart.
  • the computer program can be downloaded and installed from the network via the communication portion 509, and/or installed from the removable medium 511.
  • each block of the flowchart or block diagrams can represent a module, a program segment, or a portion of code that includes one or more logic for implementing the specified.
  • Functional executable instructions can also occur in a different order than that illustrated in the drawings. For example, two successively represented blocks may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending upon the functionality involved.
  • each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts can be implemented in a dedicated hardware-based system that performs the specified function or operation. Or it can be implemented by a combination of dedicated hardware and computer instructions.
  • the units involved in the embodiments of the present application may be implemented by software or by hardware.
  • the described unit may also be provided in the processor, for example, as a processor comprising a first acquisition unit, a second acquisition unit, a filtering processing unit, and a transmission unit.
  • the name of these units does not constitute a limitation on the unit itself in some cases.
  • the first collection unit may also be described as “used to collect client system information and obfuscate the system information. Unit.”
  • the present application further provides a computer readable storage medium, which may be a computer readable storage medium included in the apparatus described in the foregoing embodiment, or may exist separately, not A computer readable storage medium that is assembled into a terminal.
  • the computer readable storage medium stores one or more programs that are used by one or more processors to perform the information collection methods described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

L'invention concerne un procédé et un appareil de collecte d'informations. Le procédé comprend : la collecte d'informations de système client, et la réalisation d'un traitement de modification logique floue sur les informations de système ; la collecte de diverses données liées à l'exécution ; dans le cas où les données liées à l'exécution incluent une identité, la réalisation d'un traitement de filtrage sur lesdites données ; et le téléchargement vers un serveur, après un chiffrement, des informations de système traitées et des données liées à l'exécution traitées, les informations de système téléchargées et les données liées à l'exécution téléchargées étant mémorisées par blocs par le serveur. Le procédé résout en partie le problème de sécurité posé par la collecte d'informations.
PCT/CN2015/099897 2015-08-31 2015-12-30 Procédé et appareil de collecte d'informations WO2017036042A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510548965.9 2015-08-31
CN201510548965.9A CN105224880B (zh) 2015-08-31 2015-08-31 信息采集方法和装置

Publications (1)

Publication Number Publication Date
WO2017036042A1 true WO2017036042A1 (fr) 2017-03-09

Family

ID=54993842

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/099897 WO2017036042A1 (fr) 2015-08-31 2015-12-30 Procédé et appareil de collecte d'informations

Country Status (2)

Country Link
CN (1) CN105224880B (fr)
WO (1) WO2017036042A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111556098A (zh) * 2020-04-08 2020-08-18 深圳供电局有限公司 一种基于人工智能的物联网数据的分析系统和分析方法

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106130784A (zh) * 2016-07-20 2016-11-16 云南电网有限责任公司信息中心 一种安全可配置的it信息统一采集器
CN109660694A (zh) * 2017-11-19 2019-04-19 杭州美盛红外光电技术有限公司 探测装置、接收装置、访问装置、探测系统和探测加密方法

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014133A (zh) * 2010-11-26 2011-04-13 清华大学 在云存储环境下一种安全存储系统的实现方法
CN102984180A (zh) * 2011-09-02 2013-03-20 广东电子工业研究院有限公司 一种基于云存储的跨移动平台数据处理装置及其处理方法
CN103368942A (zh) * 2013-05-25 2013-10-23 中山市中商港科技有限公司 一种云数据安全存储及管理的方法
CN104270465A (zh) * 2014-10-23 2015-01-07 成都双奥阳科技有限公司 一种云存储的保护系统

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110153748A1 (en) * 2009-12-18 2011-06-23 Electronics And Telecommunications Research Institute Remote forensics system based on network
CN101808102B (zh) * 2010-04-23 2012-12-12 潘燕辉 一种基于云计算的操作记录追踪系统和方法

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014133A (zh) * 2010-11-26 2011-04-13 清华大学 在云存储环境下一种安全存储系统的实现方法
CN102984180A (zh) * 2011-09-02 2013-03-20 广东电子工业研究院有限公司 一种基于云存储的跨移动平台数据处理装置及其处理方法
CN103368942A (zh) * 2013-05-25 2013-10-23 中山市中商港科技有限公司 一种云数据安全存储及管理的方法
CN104270465A (zh) * 2014-10-23 2015-01-07 成都双奥阳科技有限公司 一种云存储的保护系统

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111556098A (zh) * 2020-04-08 2020-08-18 深圳供电局有限公司 一种基于人工智能的物联网数据的分析系统和分析方法
CN111556098B (zh) * 2020-04-08 2023-09-15 深圳供电局有限公司 一种基于人工智能的物联网数据的分析系统和分析方法

Also Published As

Publication number Publication date
CN105224880A (zh) 2016-01-06
CN105224880B (zh) 2019-06-18

Similar Documents

Publication Publication Date Title
US10594713B2 (en) Systems and methods for secure propagation of statistical models within threat intelligence communities
US11288398B2 (en) Systems, methods, and devices for obfuscation of browser fingerprint data on the world wide web
US9356943B1 (en) Systems and methods for performing security analyses on network traffic in cloud-based environments
AU2015380394B2 (en) Methods and systems for identifying potential enterprise software threats based on visual and non-visual data
EP3021551A1 (fr) Procédé d'identification et d'inhibition des attaques internet
CN114787805A (zh) 系统事件的自动语义建模
AU2015409179B2 (en) Machine-driven crowd-disambiguation of data resources
CN111163095B (zh) 网络攻击分析方法、网络攻击分析装置、计算设备和介质
EP3547121B1 (fr) Dispositif, procédé et programme de combinaison
US20190394040A1 (en) User Security Token Invalidation
CN111163094B (zh) 网络攻击检测方法、网络攻击检测装置、电子设备和介质
US11356433B2 (en) System and method for detecting unauthorized activity at an electronic device
CN111258602A (zh) 信息更新方法和装置
Mistry et al. Signature based volatile memory forensics: a detection based approach for analyzing sophisticated cyber attacks
US20230216868A1 (en) Analysis of endpoint detect and response data
US10067862B2 (en) Tracking asynchronous entry points for an application
US20180302437A1 (en) Methods of identifying and counteracting internet attacks
CN112291277B (zh) 一种恶意软件检测方法、装置、设备及存储介质
WO2017036042A1 (fr) Procédé et appareil de collecte d'informations
Dargahi et al. Investigating storage as a service cloud platform: pCloud as a case study
Odebade et al. Mitigating anti-forensics in the cloud via resource-based privacy preserving activity attribution
CN111459577B (zh) 应用安装来源跟踪方法、装置、设备及存储介质
JP6169497B2 (ja) 接続先情報判定装置、接続先情報判定方法、及びプログラム
CN109361712B (zh) 一种信息处理方法及信息处理装置
Rochmadi et al. Forensic analysis in cloud storage with live forensics in windows (adrive case study)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15902846

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15902846

Country of ref document: EP

Kind code of ref document: A1