WO2023201583A1 - Network system protection method and apparatus, and computer device and storage medium - Google Patents


Info

Publication number
WO2023201583A1
Authority
WO
WIPO (PCT)
Prior art keywords
target software
network system
object information
information
running
Application number
PCT/CN2022/087996
Other languages
French (fr)
Chinese (zh)
Inventor
高永吉
Original Assignee
Siemens AG (西门子股份公司)
Siemens Ltd., China (西门子(中国)有限公司)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • The present disclosure relates to the field of network system security, and in particular to a network system protection method and apparatus, a computer device and a storage medium.
  • Embodiments of the present disclosure provide a network system protection method, including:
  • obtaining object information of the target software, where the object information includes at least one of: mutex information of the target software, service information of a service created after the target software is input into the network system, and request information of a request issued after the target software is input into the network system; and
  • configuring, according to the object information, a protection policy for the target software in the network system, so as to prevent the target software from running in the network system.
  • In one embodiment, configuring the protection policy for the target software in the network system according to the object information includes: creating, according to the mutex information, a mutex program corresponding to the target software; and
  • inputting the mutex program into at least one program running device of the network system to run, so that the mutex program prevents the target software from running in that program running device.
  • In one embodiment, the service information includes the service name of a first service created after the target software is input into the network system, and
  • configuring the protection policy according to the object information includes: creating the first service in the network system according to the service name, so that the already-created first service prevents the target software from creating it.
  • In one embodiment, the request information includes the URL accessed when the target software issues a first request after entering the network system, where the target software accesses the URL through a first DNS and a first server of the network system when issuing the first request; and
  • configuring the protection policy according to the object information includes: configuring a second DNS and a second server in the network system according to the URL, so that when issuing the first request the target software accesses the URL through the second DNS and second server instead of the first DNS and first server, and exits based on the result of accessing the URL.
  • In one embodiment, before configuring the protection policy for the target software in the network system according to the object information, the method further includes: inputting the object information into a verification system, configuring the protection policy in the verification system according to the object information, inputting the target software into the verification system configured with the protection policy, and determining whether the target software can run normally there; the protection policy is configured in the network system only if it cannot.
  • In one embodiment, obtaining the object information of the target software includes: inputting the target software into a preset sandbox to run and obtaining running data; and
  • determining the object information of the target software based on the running data.
  • In one embodiment, determining the object information of the target software based on the running data includes:
  • filtering the running data through a preset blacklist, and obtaining the object information of the target software from the result of the filtering.
  • Embodiments of the disclosure also provide a network system protection apparatus, which includes:
  • an acquisition module configured to obtain object information of the target software, where the object information includes at least one of: mutex information of the target software, service information of a service created after the target software is input into the network system, and request information of a request issued after the target software is input into the network system; and
  • a blocking module configured to configure, according to the object information, a protection policy for the target software in the network system, so as to prevent the target software from running in the network system.
  • An embodiment of the present disclosure provides a computer device, which includes a processor and a memory storing a program, where the program includes computer operation instructions which, when executed by the processor,
  • cause the processor to execute the network system protection method described above.
  • Embodiments of the present disclosure provide a computer storage medium storing computer instructions which cause a computer to execute the network system protection method described above.
  • The network system protection solution of the embodiments of the present disclosure obtains the object information of the target software,
  • where the object information includes at least one of the mutex information of the target software, the service information of a service created after the target software is input into the network system, and the request information of a request issued by the target software after it is input into the network system, and configures a protection policy for the target software in the network system based on that object information, so as to prevent the target software from running in the network system. Therefore, when the target software is malware, the embodiments can prevent malware that has entered the network system from running, which reduces the possibility of the network system being attacked by malware, makes the operation of the devices in the network system less likely to be interfered with or hindered by malware, and effectively prevents malware from causing adverse effects on the network system, thereby ensuring its security.
  • Figure 1 shows a flow chart of an optional network system protection method according to an embodiment of the present disclosure.
  • Figure 2 shows an optional sub-flow chart of "obtaining object information of the target software" in step S101 according to an embodiment of the present disclosure.
  • Figure 3 shows a flow chart of another optional network system protection method according to an embodiment of the present disclosure.
  • Figure 4 shows a block diagram of an optional network system protection device according to an embodiment of the present disclosure.
  • Figure 5 shows a schematic structural diagram of an optional computer device according to an embodiment of the present disclosure.
  • The embodiment of the present disclosure provides a network system protection method, which includes the following steps S101 and S103.
  • S101: Obtain object information of the target software, where the object information includes at least one of: mutex information of the target software, service information of a service created after the target software is input into the network system, and request information of a request issued by the target software after it is input into the network system.
  • S103: Based on the object information, configure a protection policy for the target software in the network system to prevent the target software from running in the network system.
  • In this way, the object information of the target software is obtained, that is, at least one of the mutex information, the service information of a service created after the target software enters the network system, and the request information of a request issued after it enters,
  • and a protection policy is configured in the network system according to that object information to prevent the target software from running. Therefore, when the target software is malware, the embodiment can prevent it from running in the network system.
  • the network system protection method in the embodiment of the present disclosure can be executed by a computer device capable of data processing.
  • The computer device can include one or more processing units, such as a CPU, MCU or PLC; the embodiment of the present disclosure places no limitation on this.
  • the network system can be any computer network system, which is not limited here.
  • the network system can include one or more program running devices, and the program running devices can run software programs.
  • Running the target software in the network system may mean that the target software is input into a program running device of the network system and runs there.
  • The network system in the embodiment of the present disclosure can be an OT (Operational Technology) system, and the program running device can be an OT device.
  • The beneficial effects of the network system protection solution of the embodiment are particularly significant in this specific scenario, which is explained in detail below.
  • the target software can be any software program, which is not limited in the embodiment of the present disclosure.
  • the target software may be malware (such as ransomware, etc.).
  • When malware is input into the network system and runs normally, it interferes with or hinders the normal operation of the network system.
  • For example, when a piece of ransomware is input into a network system and runs normally, it encrypts certain data so that the program running devices in the network system can no longer use that data for processing, which affects their normal work. This is only one example of malware and is not a limitation.
  • The target software may be malware that has already been screened out. Therefore, before the malware enters the network system, the object information of the malware (i.e. the target software) is first obtained, and a protection policy for the malware is configured in the network system based on that object information;
  • this protection policy prevents the malware from running after it enters the network system, thereby effectively protecting the network system.
  • The object information of the target software includes at least one of the mutex information of the target software, the service information of a service created after the target software is input into the network system, and the request information of a request issued after the target software is input into the network system. This object information is the key to the normal operation of the target software.
  • When some target software runs, it usually creates a mutex at the same time to avoid running twice. A mutex implements a simple form of mutually exclusive synchronization: it prohibits multiple threads from entering a protected code region at the same time, that is, only one thread may be in the protected region at any moment. So when the mutex already exists, the target software will not run again.
  • The mutex information in the embodiment may be some characteristics of the mutex of the target software, for example the name of the mutex or the identifier of the mutex; the embodiment places no limitation on this.
  • Some target software runs as a created service when it starts running in the network system it has been input into.
  • The service information in the object information may be some characteristics of that service, such as the service name or service identifier; the embodiment places no limitation on this.
  • Some target software first sends a request when it starts running in the network system it has been input into.
  • The request information in the embodiment may be some key features of that request, such as the URL accessed when the request is issued or the identifier of the request; the embodiment places no limitation on this.
  • Because the object information is the key to the normal operation of the target software, it is convenient to configure a protection policy according to the object information in step S103 to prevent the target software from running in the network system.
  • The embodiment of the present disclosure does not limit the specific way of obtaining the object information of the target software in step S101.
  • Optionally, obtaining the object information of the target software in step S101 may include the following sub-steps S1011 and S1012.
  • S1011: Input the target software into a preset sandbox to run, and obtain the running data.
  • S1012: Determine the object information of the target software based on the running data.
  • A sandbox is a technology for running software programs safely and is often used to execute untrusted software programs. The sandbox strictly limits the untrusted program's use of system resources in accordance with certain security policies, so as to achieve isolation: the impact of running the untrusted program is confined to the sandbox and does not affect other parts of the system. The structure of the network system is reproduced in the sandbox, so that the behaviour the target software would exhibit in the network system is reproduced when it runs in the sandbox.
  • The running data may include the object information of the target software, so the object information can be obtained from the running data by analysing and processing it.
  • By inputting the target software into the preset sandbox and running it there, all kinds of running data of the target software (for example, when the target software is malware) can be obtained safely and completely, so that the object information of the target software can in turn be obtained safely and completely from the running data.
  • The specific way of "determining the object information of the target software based on the running data" in S1012 is not limited here. For example, it can be obtained by directly analysing the running data: if the mutex information in the object information is the mutex name, it can be determined by identifying the mutex-name field in the running data.
  • Optionally, step S1012 may specifically include: filtering the running data through a preset blacklist, and obtaining the object information of the target software from the result of the filtering.
  • The preset blacklist may be a blacklist of object information, which records the object information corresponding to the other software running in the system built inside the sandbox.
  • A corresponding blacklist can be preset for each type of object information.
  • For example, the preset blacklist can be a mutex name blacklist, which includes the mutex names corresponding to software other than the target software in the system built inside the sandbox. When the running data is filtered through the mutex name blacklist, the mutex names corresponding to the other software are filtered out, leaving only the mutex name corresponding to the target software (i.e. the object information).
  • The preset blacklist can also be a service name blacklist, which includes the service names of services created by software other than the target software in the system built inside the sandbox. When the running data is filtered through the service name blacklist, the service names corresponding to the other software are filtered out, leaving only the service name corresponding to the target software (i.e. the object information).
  • The preset blacklist can also be a URL blacklist, which includes the URLs accessed when software other than the target software in the system built inside the sandbox makes requests. When the running data is filtered through the URL blacklist, the URLs corresponding to the other software are filtered out, leaving only the URL corresponding to the target software (i.e. the object information).
  • In this way, the object information of the target software can be accurately determined based on the running data, so that the protection policy can subsequently be configured for the network system based on the object information to prevent the target software from running in it, thereby effectively protecting the network system.
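The blacklist filtering of sub-steps S1011 and S1012, as an added example that is not code from the patent: it parses sandbox run data in a constructed one-event-per-line format (an assumption; a real sandbox emits JSON or similar), builds the three per-type blacklists from a clean baseline run of the system inside the sandbox, and keeps only what the sample itself created or requested. The log lines, mutex and service names and the URL are all constructed for the example.

```python
"""Sandbox run data -> object information (mutex names, service names, URLs).

Added example, not the patent's code. Log format is an assumption: one event
per line, "<kind> <key>=<value>", as a sandbox trace might emit it.
"""
import re
from collections import defaultdict

# Sandbox event kinds that carry the three object-information types of the method.
EVENT_TO_TYPE = {
    "mutex_create": "mutex",
    "service_create": "service",
    "http_get": "url",
}
OBJECT_TYPES = ("mutex", "service", "url")
LINE_RE = re.compile(r"^(?P<kind>\w+)\s+(?P<key>\w+)=(?P<value>\S+)$")


def parse_running_data(lines):
    """Return {type: [values...]} in observation order, without duplicates."""
    observed = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("kind") not in EVENT_TO_TYPE:
            continue  # unrelated event (file I/O, registry, ...) or malformed line
        kind = EVENT_TO_TYPE[m.group("kind")]
        value = m.group("value")
        if value not in observed[kind]:
            observed[kind].append(value)
    return observed


def build_blacklists(baseline_lines):
    """One blacklist per type: everything the clean system inside the sandbox does on its own."""
    return {t: set(v) for t, v in parse_running_data(baseline_lines).items()}


def extract_object_info(sample_lines, blacklists):
    """Step S1012: filter the sample's run data through the per-type blacklists.

    Whatever survives was created or requested by the target software itself and
    is the object information used to configure the protection policy.
    """
    observed = parse_running_data(sample_lines)
    return {
        t: [v for v in observed.get(t, []) if v not in blacklists.get(t, set())]
        for t in OBJECT_TYPES
    }


# Constructed sample data (not from the patent): a clean baseline run, and a run of a
# hypothetical sample that, WannaCry-style, creates a mutex, registers a service and
# probes a URL before doing anything else.
BASELINE_RUN = [
    "mutex_create name=Global\\SystemUpdateMutex",
    "service_create name=wuauserv",
    "http_get url=http://update.example.internal/catalog",
]
SAMPLE_RUN = [
    "mutex_create name=Global\\SystemUpdateMutex",
    "mutex_create name=Global\\ZZ_SampleOnceMutex",
    "file_write path=C:\\Users\\Public\\readme.txt",
    "service_create name=wuauserv",
    "service_create name=zzsamplesvc",
    "http_get url=http://update.example.internal/catalog",
    "http_get url=http://killswitch-check.example/",
]


def demo():
    """Object information of the constructed sample after blacklist filtering."""
    return extract_object_info(SAMPLE_RUN, build_blacklists(BASELINE_RUN))


if __name__ == "__main__":
    for kind, values in demo().items():
        print(f"{kind}: {values}")
```

The baseline has to come from the same sandbox image the sample runs in, otherwise benign names that differ between images show up as object information. Names a sample randomises on every run (some families do this for the mutex) also survive the filter but are useless for a protection policy; comparing two runs of the same sample before deploying anything catches that.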
  • The specific way of configuring a protection policy for the target software in the network system according to the object information in step S103 is not specifically limited in the embodiment, as long as the configured protection policy can effectively prevent the target software from running in the network system.
  • The embodiment also provides several optional implementations of step S103, which are described in detail below. They should not be regarded as limitations on the embodiment.
  • Optionally, step S103 includes: creating a mutex program corresponding to the target software according to the mutex information in the object information, and inputting the mutex program into at least one program running device of the network system to run, so that the mutex program prevents the target software from running in that program running device.
  • A mutex program can be created based on the mutex information.
  • The mutex information can be, for example, a mutex name.
  • The mutex information can be passed to an interface program as a parameter, giving an interface program that contains the mutex information, i.e. the mutex program. When the mutex program is input into at least one program running device of the network system and run, it creates a false mutex object in the memory space of that program running device.
  • When the target software is input into the network system (for example, into that program running device), it detects the false mutex object and identifies it as a mutex object created by itself, so it exits to avoid running twice.
  • In this way, the network system protection method of the embodiment prevents the target software from running normally in the program running device by means of the mutex program.
  • Optionally, the service information in the object information includes the service name of the first service created after the target software enters the network system; on this basis, step S103 includes: creating the first service in the network system according to the service name, so that the already-created first service prevents the target software from creating it.
  • Some target software runs as a created service (the first service in this optional embodiment) when it starts running in the network system it has been input into.
  • Therefore, the first service can be created in the network system in advance according to the service name.
  • The service name can be passed to the interface program as a parameter, giving an interface program that contains the service name.
  • When that interface program is input into at least one program running device of the network system and run, it generates a false first service object in the memory space of the program running device, which creates the first service.
  • When the target software is input into the network system (for example, into that program running device), it detects the false first service object and identifies it as the first service object generated by itself, so it exits to avoid creating the first service again.
  • In this way, the network system protection method of the embodiment uses the already-created first service to prevent the target software from creating the first service, so that the target software cannot run normally in the network system.
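An interface program of the kind the mutex embodiment and the first-service embodiment above describe, as an added example that is not the patent's own interface program: written in Python with ctypes against the Win32 API (kernel32 CreateMutexW, advapi32 OpenSCManagerW/CreateServiceW), it takes the recovered mutex and service names as parameters, holds a decoy mutex under each mutex name and registers a disabled placeholder service under each service name, so that the sample's own CreateMutexW or CreateServiceW finds the name already taken. It runs only on Windows and needs administrator rights for the service part; the names and the binary path are hypothetical.

```python
"""Decoy mutex + placeholder service for a Windows program running device.

Added example, not the patent's interface program. It takes the mutex and
service names recovered from the sandbox run as parameters and occupies them,
so a sample that checks for its own mutex or service on start-up exits.
Windows only (kernel32/advapi32 through ctypes); all names are hypothetical.
"""
import argparse
import ctypes
import sys
import time

IS_WINDOWS = sys.platform == "win32"

# Documented Win32 values.
ERROR_ALREADY_EXISTS = 183        # CreateMutexW: name was already taken
ERROR_SERVICE_EXISTS = 1073       # CreateServiceW: service name already registered
SC_MANAGER_CREATE_SERVICE = 0x0002
SERVICE_ALL_ACCESS = 0xF01FF
SERVICE_WIN32_OWN_PROCESS = 0x0010
SERVICE_DISABLED = 0x0004         # registered but never started: a pure name-occupier
SERVICE_ERROR_NORMAL = 0x0001


def parse_args(argv):
    """--mutex/--service may repeat; every name comes from the object information."""
    p = argparse.ArgumentParser(description="occupy mutex and service names")
    p.add_argument("--mutex", action="append", default=[], help="mutex name, e.g. Global\\X")
    p.add_argument("--service", action="append", default=[], help="service name to reserve")
    p.add_argument("--binpath", default=sys.executable,
                   help="any existing binary; the placeholder service is disabled and never starts")
    a = p.parse_args(argv)
    return {"mutex": list(a.mutex), "service": list(a.service), "binpath": a.binpath}


def hold_mutex(name):
    """CreateMutexW(name) -> (handle, already_existed).

    Keep the handle open for the life of the process: the decoy only exists while
    someone holds it, and the sample's own CreateMutexW then sees ERROR_ALREADY_EXISTS.
    """
    if not IS_WINDOWS:
        raise RuntimeError("named Win32 mutexes exist only on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p]
    k32.CreateMutexW.restype = ctypes.c_void_p
    handle = k32.CreateMutexW(None, 0, name)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    return handle, ctypes.get_last_error() == ERROR_ALREADY_EXISTS


def reserve_service(name, binpath):
    """Register a disabled service under `name` (needs administrator rights).

    A later CreateServiceW by the sample fails with ERROR_SERVICE_EXISTS.
    Returns True if registered now, False if the name was already taken.
    """
    if not IS_WINDOWS:
        raise RuntimeError("the service control manager exists only on Windows")
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    adv.OpenSCManagerW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    adv.OpenSCManagerW.restype = ctypes.c_void_p
    adv.CreateServiceW.argtypes = [
        ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32,
        ctypes.c_uint32, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_wchar_p,
        ctypes.c_wchar_p, ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_wchar_p,
        ctypes.c_wchar_p,
    ]
    adv.CreateServiceW.restype = ctypes.c_void_p
    adv.CloseServiceHandle.argtypes = [ctypes.c_void_p]
    scm = adv.OpenSCManagerW(None, None, SC_MANAGER_CREATE_SERVICE)
    if not scm:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        svc = adv.CreateServiceW(
            scm, name, name + " (placeholder)", SERVICE_ALL_ACCESS,
            SERVICE_WIN32_OWN_PROCESS, SERVICE_DISABLED, SERVICE_ERROR_NORMAL,
            binpath, None, None, None, None, None)
        if svc:
            adv.CloseServiceHandle(svc)
            return True
        err = ctypes.get_last_error()
        if err == ERROR_SERVICE_EXISTS:
            return False
        raise ctypes.WinError(err)
    finally:
        adv.CloseServiceHandle(scm)


def inoculate(spec):
    """Apply the whole plan; returns what was occupied so the caller can log it."""
    held = {m: hold_mutex(m) for m in spec["mutex"]}
    created = {s: reserve_service(s, spec["binpath"]) for s in spec["service"]}
    return held, created


if __name__ == "__main__":
    held, created = inoculate(parse_args(sys.argv[1:]))
    print("mutexes:", {m: "pre-existing" if e else "created" for m, (_, e) in held.items()})
    print("services:", created)
    while True:  # stay resident: the mutex handles die with this process
        time.sleep(3600)
```

Invoked as `python vaccine.py --mutex Global\ZZ_SampleOnceMutex --service zzsamplesvc` from an elevated prompt. The decoy mutex exists only while this process holds the handle, so the program has to stay resident (or start at boot) on the OT device; the placeholder service, by contrast, persists in the service control manager database until someone deletes it. Whether a given sample really exits on ERROR_ALREADY_EXISTS or ERROR_SERVICE_EXISTS, rather than deleting the service or picking another name, is exactly what the verification run of step S102 has to confirm before deployment.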
  • Optionally, the request information in the object information includes the URL accessed when the target software issues the first request after entering the network system, where the target software accesses the URL through a first DNS and a first server of the network system when issuing the first request; on this basis, step S103 includes: configuring a second DNS and a second server in the network system according to the URL, so that when issuing the first request the target software no longer accesses the URL through the first DNS and first server of the network system,
  • but instead accesses the URL through the second DNS and second server of the network system, and exits based on the result of accessing the URL.
  • Some target software first sends a request (the first request in this optional embodiment) when it starts running in the network system it has been input into.
  • The first request may be a URL request: when sending the first request, the target software accesses the URL through the first DNS and the first server and obtains a response.
  • When the response meets a certain condition, the target software exits (for example, if the response is a response value, the condition for exiting can be that the response value is greater than a response value threshold).
  • Therefore, a second DNS and a second server can be configured in the network system according to the URL. The second DNS is different from the first DNS, and the second server is different from the first server.
  • The second DNS and the second server may be configured specifically to respond to the first request issued by the target software.
  • When the target software is input into the network system (for example, into the program running device), because of the presence of the second DNS and second server, after issuing the first request (for example a URL request) it no longer accesses the URL through the first DNS and first server of the network system but through the second DNS and second server.
  • The result of accessing the URL may be the response value returned for the first request of the target software; this response value is greater than the response value threshold at which the target software exits, so the target software exits based on the result of accessing the URL.
  • In this way, the network system protection method of the embodiment prevents the target software from running normally in the network system by means of the second DNS and second server configured according to the URL.
  • Both the first server and the second server in the embodiment may be HTTP servers. This is, of course, not a limitation on the disclosure.
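The second DNS and second server of the embodiment above, as an added example that is not the patent's code: a small HTTP sinkhole that answers the URL recorded as request information. The second DNS is assumed to be whatever resolver the OT hosts use, with one name overridden to point at the listener (for dnsmasq, a line such as `address=/killswitch-check.example/10.0.0.5`; hostname and address are hypothetical). The listener returns 200 with a body only for the recorded host and path, which for a WannaCry-style first request is the "response value" on which the sample exits, and 404 for everything else.

```python
"""Second DNS + second server: an HTTP sinkhole for the recorded kill-switch URL.

Added example, not the patent's code. The "second DNS" steers the recorded host
name to this listener (e.g. dnsmasq: address=/killswitch-check.example/10.0.0.5,
an assumed address); the listener supplies the response on which the sample exits.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Request information from the sandbox run (hypothetical URL).
RECORDED_URLS = ["http://killswitch-check.example/"]


def sinkholed_targets(urls):
    """{host: {paths}} built from the URLs in the object information."""
    targets = {}
    for u in urls:
        parts = urlsplit(u)
        targets.setdefault(parts.netloc.lower(), set()).add(parts.path or "/")
    return targets


def killswitch_reply(host, path, targets):
    """Decide (status, body) for one request.

    200 with a non-empty body for the recorded URL (the sample's exit condition);
    404 for everything else, so the sinkhole does not silently "succeed" for
    unrelated traffic the second DNS may have steered here by mistake.
    """
    host = (host or "").split(":", 1)[0].lower()
    if path in targets.get(host, ()):
        return 200, b"sinkhole\n"
    return 404, b"not here\n"


class SinkholeHandler(BaseHTTPRequestHandler):
    targets = sinkholed_targets(RECORDED_URLS)

    def do_GET(self):
        status, body = killswitch_reply(self.headers.get("Host"), self.path, self.targets)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Every hit is a detection: something on an OT host just tried the kill-switch URL.
        print("sinkhole hit from %s: %s" % (self.client_address[0], fmt % args))


def serve(bind="0.0.0.0", port=80):
    """Block forever answering requests; run on the host the second DNS points at."""
    HTTPServer((bind, port), SinkholeHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it with the privileges needed for port 80 on the sinkhole host. A request for the recorded URL from an OT address means the sample has already started on that host, so `log_message` should feed the SOC rather than only stdout. Answering only the recorded URL is deliberate: a sinkhole that returns 200 for everything also satisfies any unrelated check that the second DNS happens to send its way.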
  • The protection policies corresponding to each item of the object information can all be configured in the network system.
  • Therefore, when the target software is malware, the embodiment can effectively prevent the malware from running in the network system, so that the devices in the network system are less likely to be interfered with or hindered by malware; this effectively prevents malware from causing adverse effects on the network system and ensures its security.
  • Optionally, a step S102 is also included before step S103.
  • S102: Input the object information into a verification system and configure the protection policy in the verification system according to the object information; then input the target software into the verification system configured with the protection policy and determine whether the target software can run normally there. If it cannot, step S103 is executed, that is, the protection policy for the target software is configured in the network system according to the object information.
  • The same software operating environment as the network system can be established in the verification system and the protection policy configured there, so that the behaviour of the target software after it is input into the verification system accurately reflects its behaviour after it is input into a network system configured with the same protection policy,
  • and the reliability of the protection policy can thus be verified. Specifically, if the target software can run normally in the verification system configured with the protection policy, the protection policy is not reliable enough and, once configured in the network system, will not effectively prevent the target software from running there; if the target software cannot run normally in the verification system, the protection policy is reliable.
  • A reliable protection policy, once configured in the network system, effectively prevents the target software from running there. So, when the result of determining whether the target software can run normally in the verification system is negative, the protection policy for the target software is configured in the network system based on the object information to prevent the target software from running.
  • Optionally, if the target software can run normally in the verification system configured with the protection policy,
  • the target software can be sent to a staff member's terminal for manual analysis.
  • The staff member can manually determine whether object information exists and, if it does, configure a protection policy for the network system based on it.
  • Optionally, the network system protection method of the embodiment is applied to an application scenario in which the network system is an OT system and the program running device is an OT device (such as the various industrial control devices on a production line that can run software programs).
  • The reason is that an OT system differs from other computer network systems.
  • The OT devices in an OT system generally cannot upgrade and patch their internal software programs frequently, nor can they install dedicated anti-malware applications (such as anti-virus software) the way program running devices in other computer network systems can. On the one hand, this is to ensure the stability of OT devices in industrial sites (such as production lines).
  • In the embodiment, the object information of the target software is obtained,
  • where the object information includes at least one of the mutex information of the target software, the service information of a service created after the target software is input into the network system, and the request information of a request sent by the target software after it is input into the network system, and a protection policy for the target software is configured in the network system based on the object information to prevent the target software from running in it. Therefore, when the target software is malware, the embodiments can very stably and effectively prevent malware input into the OT system from running, which reduces the possibility of the OT system being attacked by malware.
  • The OT devices are also less likely to be interfered with or hindered by malware, which effectively prevents malware from causing adverse effects on the OT system and ensures its security.
  • Moreover, this network system protection method is more lightweight than installing dedicated anti-malware applications (such as anti-virus software) on OT devices: it occupies only a small amount of memory on the OT device and involves no hooks or drivers, so these additional programs do not affect the stable operation of the OT device; and even if the protection policy configured in the OT system fails, the failure does not affect the operation of the OT devices themselves.
  • Therefore, the network system protection method of the embodiment achieves more significant effects when applied to the scenario in which the network system is an OT system and the program running device is an OT device, and can protect the system stably and effectively. An application scenario is described below,
  • in which the network system protection method is used to protect an OT system from malware. It should be understood that this does not limit the embodiments of the present disclosure.
  • the target software is ransomware (recorded as warmthacry example), then enter the warmthacry example into the sandbox to run, and obtain the running data of the warmthacry example. Then use the preset mutex name blacklist, service name blacklist, and URL blacklist to filter the running data to obtain the object information of the warmthacry example, that is, the mutex name of the warmacry example (that is, the mutex information) , service name (i.e., service information), and URL (i.e., request information).
  • the object information of the warmthacry example that is, the mutex name of the warmthacry example (that is, the mutex information)
  • service name i.e., service information
  • URL i.e., request information
  • the protection strategy Enter the obtained mutex name, service name, and URL into the verification system, configure the protection strategy based on these object information, and create false mutex objects, false first service objects, and configurations in the memory space of the verification system. Fake DNS and HTTP servers so that the warmthacry example makes the first request to get a response by accessing the URL through the fake DNS and HTTP servers. If the wannacry example cannot run normally in the verification system, it means that the protection strategy that can be configured based on the object information of the warmacry example has good reliability. When the protection strategy is configured to the OT system, it can effectively prevent the warmthacry example from running in the OT system. .
  • the mutex name and service name are input into the interface program as different parameters, thereby obtaining an interface program containing the mutex name and service name; this program is deployed to at least one OT device in the OT system and run.
  • This program creates a fake mutex object and a fake first service object in the memory of the OT device, and a second DNS and a second server (for example, an HTTP server) are configured in the OT system.
  • the second DNS and the second server can be configured specifically to respond to the first request made by the WannaCry sample.
  • the WannaCry sample detects the fake mutex object and exits; or it detects the fake service object, finds that the first service has already been started, no longer creates the first service and exits; or it issues the first request.
  • in the last case, the corresponding URL is accessed through the second DNS and the second server instead of through the first DNS and the first server (for example, an HTTP server) of the OT system.
  • the result of accessing the URL through the second DNS and the second server can be the response value returned after the first request of the WannaCry sample is answered.
  • that response value is greater than the response value threshold at which the WannaCry sample exits, so the WannaCry sample exits after accessing the URL.
  • the network system protection method in the embodiment of the present disclosure can therefore effectively prevent malware imported into the OT system (i.e., the WannaCry sample) from running, thereby reducing the possibility of the OT system being attacked by malware.
  • This makes the operation of OT equipment in the OT system less likely to be interfered with or hindered by malware, which effectively prevents malware from causing adverse effects on the OT system and thus ensures its security.
  • this example does not serve as any limitation on the embodiments of the present disclosure.
  • the network system protection method of the embodiment of the present disclosure can obtain the object information of the target software.
  • the object information includes at least one of: the mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system; according to the object information, a protection policy for the target software is configured in the network system to prevent the target software from running in the network system.
  • when the target software is malware, the embodiment of the present disclosure therefore prevents the malware input into the network system from running, thereby reducing the possibility of the network system being attacked by malware, making the operation of the devices in the network system less likely to be interfered with or hindered by malware, and effectively preventing malware from causing adverse effects on the network system, thus ensuring its security.
  • a network system protection device 400 which includes:
  • the acquisition module 401 is used to obtain the object information of the target software, where the object information includes at least one of: mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system;
  • the blocking module 402 is configured to configure a protection policy for the target software in the network system based on the object information, so as to prevent the target software from running in the network system.
  • the blocking module 402 is specifically used to: create a mutex program corresponding to the target software according to the mutex information in the object information; input the mutex program into at least one program running device of the network system to run, so that the mutex program prevents the target software from running in the program running device.
  • the service information includes the service name of the first service created after the target software is entered into the network system; the blocking module 402 is specifically used to: create the first service in the network system based on the service name, so that the already created first service prevents the target software from creating the first service.
  • the request information includes the URL that the target software accesses when it issues the first request after being entered into the network system, wherein the target software accesses the URL through the first DNS and the first server of the network system when it issues the first request;
  • the blocking module 402 is specifically used to: configure a second DNS and a second server in the network system according to the URL, so as to prevent the target software from accessing the URL through the first DNS and the first server of the network system when issuing the first request, cause the target software to access the URL through the second DNS and the second server of the network system, and make it exit based on the result of accessing the URL.
  • the network system protection device 400 is also used to input the object information into the verification system and configure the protection strategy in the verification system according to the object information; input the target software into the verification system configured with the protection strategy, and determine whether the target software can run normally in the verification system; if not, the blocking module 402 is used to configure a protection policy for the target software in the network system based on the object information.
  • the acquisition module 401 is specifically used to: input the target software into a preset sandbox to run, and obtain the running data; and determine the object information of the target software according to the running data.
  • the acquisition module 401 is specifically configured to filter the running data through a preset blacklist to obtain the object information of the target software from the results of the filtering process.
  • the network system protection device 400 in the embodiment of the present disclosure is based on the same inventive concept as the network system protection method of the first aspect, and its beneficial effects are the same as those of the corresponding embodiments of that method, so it can be understood according to the foregoing embodiments of the network system protection method and will not be described again here.
  • the acquisition module 401 can obtain the object information of the target software, where the object information includes at least one of: the mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system; the blocking module 402 can configure a protection policy for the target software in the network system based on the object information to prevent the target software from running in the network system.
  • Therefore, when the target software is malware, the embodiment of the present disclosure prevents the malware input into the network system from running, thereby reducing the possibility of the network system being attacked by malware and making the operation of the devices in the network system less likely to be interfered with or hindered by malware. It can effectively prevent malware from causing adverse effects on the network system, thereby ensuring its security.
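The acquisition step (sandbox running data filtered through preset blacklists), the blocking step (mutex, service and second DNS/server policy) and the verification-system check described above, as an added example that is not the patent's own code. It assumes a simple tab-separated sandbox event format, that the blacklists hold patterns of indicators attributed to the target software, and that the decoy server's reply is modelled as a numeric response value compared against an exit threshold; all names, addresses and values are constructed.

```python
"""Added example (not the patent's code): object-information extraction,
protection-policy construction and a simulated verification system for the
scheme described above.  Every name, address and threshold is constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sandbox running data (step S1011): "<kind>\t<value>" per line.
SANDBOX_RUNNING_DATA = """\
mutex\tGlobal\\CONSTRUCTED-SAMPLE-MUTEX
mutex\tLocal\\ZoneAttributeCacheCounterMutex
service\tEventLog
service\tconstructed_sample_svc
url\thttp://killswitch.constructed.invalid/
url\thttp://ctldl.example.invalid/disallowedcert.cab
"""

# Preset blacklists (assumption: patterns of indicators known to belong to the
# target software; running-data entries that match them are the object info).
PRESET_BLACKLISTS = {
    "mutex": [re.compile(r"^Global\\CONSTRUCTED-SAMPLE-MUTEX$")],
    "service": [re.compile(r"^constructed_sample_svc$")],
    "url": [re.compile(r"^https?://killswitch\.constructed\.invalid/")],
}


@dataclass
class ObjectInfo:
    """Mutex information, service information and request information."""
    mutexes: list = field(default_factory=list)
    services: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def parse_running_data(text):
    """Split the sandbox output into (kind, value) events; drop malformed lines."""
    events = []
    for line in text.splitlines():
        kind, sep, value = line.partition("\t")
        if sep and kind in ("mutex", "service", "url") and value:
            events.append((kind, value))
    return events


def extract_object_info(events, blacklists=PRESET_BLACKLISTS):
    """Step S1012: keep only the running-data entries that match a blacklist."""
    info = ObjectInfo()
    buckets = {"mutex": info.mutexes, "service": info.services, "url": info.urls}
    for kind, value in events:
        if any(p.search(value) for p in blacklists.get(kind, [])):
            buckets[kind].append(value)
    return info


def build_policy(info, second_dns="198.51.100.53", second_server="198.51.100.80",
                 response_value=1):
    """Step S103: the protection policy the blocking module deploys.  The mutex
    and service names are pre-created on each program running device (on
    Windows this would be a named mutex / a registered service); the URL hosts
    are resolved by the second DNS to the second (decoy) server, whose reply
    carries `response_value`.  Addresses are documentation-range placeholders."""
    hosts = sorted({urlsplit(u).hostname for u in info.urls})
    return {
        "precreate_mutexes": sorted(set(info.mutexes)),
        "precreate_services": sorted(set(info.services)),
        "second_dns": second_dns,
        "dns_overrides": {h: second_server for h in hosts},
        "response_value": response_value,
    }


def verify_policy(info, policy, exit_threshold=0):
    """Simulated verification system: model the target software's start-up
    checks against the configured policy.  Returns (runs_normally, reason).
    `exit_threshold` models the response value above which the software exits."""
    for m in info.mutexes:
        if m in policy["precreate_mutexes"]:
            return False, f"mutex already exists: {m}"
    for s in info.services:
        if s in policy["precreate_services"]:
            return False, f"service already started: {s}"
    for u in info.urls:
        host = urlsplit(u).hostname
        if host in policy["dns_overrides"] and policy["response_value"] > exit_threshold:
            return False, f"first request answered by second server for {host}"
    return True, "no blocking condition met; policy is not reliable"


if __name__ == "__main__":
    info = extract_object_info(parse_running_data(SANDBOX_RUNNING_DATA))
    policy = build_policy(info)
    print(policy)
    print(verify_policy(info, policy))                      # (False, 'mutex already exists: ...')
    print(verify_policy(info, build_policy(ObjectInfo())))  # (True, 'no blocking condition met; ...')
```

Only when `verify_policy` reports that the sample cannot run normally would the policy be handed to the blocking module for deployment, mirroring the "if not" branch above.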
  • the embodiment of the present disclosure provides a computer device 500, which includes: a processor 502; and a memory 506 storing a program 510, wherein the program 510 includes computer operation instructions which, when executed by the processor 502, cause the processor 502 to execute the aforementioned network system protection method.
  • the embodiment of the present disclosure does not limit the specific implementation of the computer device 500.
  • FIG. 5 is a schematic structural diagram of an optional computer device 500 provided by the embodiment of the present disclosure.
  • the computer device 500 can include: a processor 502, a communication interface 504, a memory 506 and a communication bus 508, wherein the processor 502, the communication interface 504 and the memory 506 communicate with each other through the communication bus 508.
  • Communication interface 504 is used to communicate with other computer devices or servers.
  • the processor 502 is configured to execute the program 510. Specifically, it can execute the relevant steps in the aforementioned network system protection method embodiment.
  • program 510 may include program code including computer operating instructions.
  • the processor 502 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present application.
  • the one or more processors included in the smart device can be the same type of processor, such as one or more CPUs; or they can be different types of processors, such as one or more CPUs and one or more ASICs.
  • Memory 506 is used to store programs 510.
  • Memory 506 may include high-speed RAM memory and may also include non-volatile memory, such as at least one disk memory.
  • the program 510 may be specifically used to cause the processor 502 to perform the aforementioned network system protection method operations.
  • for the specific implementation of each step in program 510, please refer to the corresponding description in the above embodiment of the network system protection method, which will not be described again here.
  • Those skilled in the art can clearly understand that for the convenience and simplicity of description, the specific working processes of the above-described devices and modules can be referred to the corresponding process descriptions in the foregoing method embodiments, and will not be described again here.
  • the embodiments of the present disclosure provide a computer storage medium, wherein the computer storage medium stores computer instructions, and the computer instructions are used to cause the computer to execute any of the foregoing network system protection methods.
  • the relevant content and beneficial effects are basically similar to the network system protection method embodiment provided in the first aspect, so the description here is relatively brief. This can be understood based on the foregoing embodiments of the network system protection method.
  • the term “include” and its variations are open-ended, ie, “including but not limited to.”
  • the term “based on” means “based at least in part on.”
  • the term “one embodiment” means “at least one embodiment”; the term “another embodiment” means “at least one additional embodiment”; and the term “some embodiments” means “at least some embodiments”. It should be noted that the modifiers “one” and “plurality” mentioned in this disclosure are illustrative and not restrictive. Those skilled in the art will understand that, unless the context clearly indicates otherwise, they should be understood as “one or more”.


Abstract

The embodiments of the present disclosure provide a network system protection method and apparatus, and a computer device and a storage medium. The method comprises: acquiring object information of target software, wherein the object information comprises at least one of: mutex information of the target software, service information created by the target software after it is input into a network system, and request information sent by the target software after it is input into the network system; and configuring, according to the object information and in the network system, a protection policy for the target software, so as to prevent the target software from running in the network system. The embodiments of the present disclosure can effectively prevent malicious software from adversely affecting a network system, such that the security of the network system is ensured.

Description

Network system protection method, device, computer equipment and storage medium
Technical field
The present disclosure relates to the field of network system security technology, and in particular to a network system protection method, device, computer equipment and storage medium.
Background technique
With the development of technology, network system security receives more and more attention. Nowadays network systems are often attacked by malware (such as ransomware), which challenges the security of the network system; once a network system is attacked by malware, the operation of the devices in the network system is easily interfered with or hindered. Therefore, how to prevent malware from causing adverse effects on network systems has become an urgent technical problem to be solved.
Contents of the invention
According to a first aspect of the embodiments of the present disclosure, the embodiments of the present disclosure provide a network system protection method, including:
obtaining object information of the target software, wherein the object information includes at least one of: mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system;
configuring, according to the object information, a protection policy for the target software in the network system, so as to prevent the target software from running in the network system.
In an optional embodiment, configuring a protection policy for the target software in the network system according to the object information, so as to prevent the target software from running in the network system, includes:
creating, according to the mutex information in the object information, a mutex program corresponding to the target software;
inputting the mutex program into at least one program running device of the network system to run, so that the mutex program prevents the target software from running in the program running device.
In an optional embodiment, the service information includes the service name of a first service created after the target software is input into the network system;
configuring a protection policy for the target software in the network system according to the object information, so as to prevent the target software from running in the network system, includes:
creating the first service in the network system according to the service name, so that the already created first service prevents the target software from creating the first service.
In an optional embodiment, the request information includes the URL that the target software accesses when issuing a first request after being input into the network system, wherein the target software accesses the URL through a first DNS and a first server of the network system when issuing the first request;
configuring a protection policy for the target software in the network system according to the object information, so as to prevent the target software from running in the network system, includes:
configuring, according to the URL, a second DNS and a second server in the network system, so as to prevent the target software from accessing the URL through the first DNS and the first server of the network system when issuing the first request, cause the target software to access the URL through the second DNS and the second server of the network system, and make it exit based on the result of accessing the URL.
In an optional embodiment, before configuring a protection policy for the target software in the network system according to the object information, the method further includes:
inputting the object information into a verification system, and configuring the protection policy in the verification system according to the object information;
inputting the target software into the verification system configured with the protection policy, and determining whether the target software can run normally in the verification system; wherein,
if not, executing: configuring, according to the object information, a protection policy for the target software in the network system.
In an optional embodiment, obtaining the object information of the target software includes:
inputting the target software into a preset sandbox to run, and obtaining running data;
determining the object information of the target software according to the running data.
In an optional embodiment, determining the object information of the target software according to the running data includes:
filtering the running data through a preset blacklist, so as to obtain the object information of the target software from the result of the filtering.
According to a second aspect of the embodiments of the present disclosure, the embodiments of the present disclosure provide a network system protection device, which includes:
an acquisition module, used to obtain object information of the target software, wherein the object information includes at least one of: mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system;
a blocking module, used to configure, according to the object information, a protection policy for the target software in the network system, so as to prevent the target software from running in the network system.
According to a third aspect of the embodiments of the present disclosure, the embodiments of the present disclosure provide a computer device, which includes: a processor; and a memory storing a program, wherein the program includes computer operation instructions which, when executed by the processor, cause the processor to execute the aforementioned network system protection method.
According to a fourth aspect of the embodiments of the present disclosure, the embodiments of the present disclosure provide a computer storage medium, wherein the computer storage medium stores computer instructions, and the computer instructions are used to cause a computer to execute the aforementioned network protection method.
Since the network system protection solution of the embodiments of the present disclosure can obtain the object information of the target software, where the object information includes at least one of mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system, and configures, according to the object information, a protection policy for the target software in the network system to prevent the target software from running in the network system, the embodiments of the present disclosure can, when the target software is malware, prevent the malware input into the network system from running, thereby reducing the possibility of the network system being attacked by malware, making the operation of the devices in the network system less likely to be interfered with or hindered by malware, and effectively preventing malware from causing adverse effects on the network system, thus ensuring the security of the network system.
Description of the drawings
The following drawings are only intended to schematically illustrate and explain the present disclosure, and do not limit its scope.
Figure 1 shows a flow chart of an optional network system protection method according to an embodiment of the present disclosure.
Figure 2 shows an optional sub-flow chart of step S101, "obtaining object information of the target software", according to an embodiment of the present disclosure.
Figure 3 shows a flow chart of another optional network system protection method according to an embodiment of the present disclosure.
Figure 4 shows a block diagram of an optional network system protection device according to an embodiment of the present disclosure.
Figure 5 shows a schematic structural diagram of an optional computer device according to an embodiment of the present disclosure.
Reference signs:
400, network system protection device; 401, acquisition module; 402, blocking module; 500, computer device; 502, processor; 504, communication interface; 506, memory; 508, communication bus; 510, program.
Detailed description
In order to enable those skilled in the art to better understand the technical solutions in the embodiments of the present disclosure, the technical solutions in the embodiments of the present disclosure are described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are only some of the embodiments of the present disclosure, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present disclosure shall fall within the scope of protection of the embodiments of the present disclosure.
With the development of technology, network system security receives more and more attention. Nowadays network systems are often attacked by malware (such as ransomware), which challenges the security of the network system; once a network system is attacked by malware, the operation of the devices in the network system is easily interfered with or hindered. Therefore, how to prevent malware from causing adverse effects on industrial network systems has become an urgent technical problem to be solved.
To this end, according to the first aspect of the embodiments of the present disclosure, with reference to the flow chart in Figure 1, the embodiments of the present disclosure provide a network system protection method, which includes the following steps S101 and S103.
S101: obtain object information of the target software, wherein the object information includes at least one of: mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system.
S103: according to the object information, configure a protection policy for the target software in the network system, so as to prevent the target software from running in the network system.
Through the network system protection method of the embodiments of the present disclosure, the object information of the target software can be obtained, where the object information includes at least one of mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system, and a protection policy for the target software is configured in the network system according to the object information to prevent the target software from running in the network system. Therefore, when the target software is malware, the embodiments of the present disclosure can prevent the malware input into the network system from running, thereby reducing the possibility of the network system being attacked by malware, making the operation of the devices in the network system less likely to be interfered with or hindered by malware, and effectively preventing malware from causing adverse effects on the network system, thus ensuring the security of the network system.
The network system protection method is described in detail below. It should be understood that this description does not serve as any limitation on the embodiments of the present disclosure.
The network system protection method in the embodiments of the present disclosure can be executed by a computer device capable of data processing. The computer device can include one or more processing units, such as a CPU, MCU or PLC; it should be understood that the embodiments of the present disclosure place no limitation on this.
In the embodiments of the present disclosure, the network system can be any computer network system, which is not limited here. The network system can include one or more program running devices, and a program running device can run software programs. The target software running in the network system can mean that the target software is input into a program running device in the network system and runs there.
In a preferred embodiment, the network system in the embodiments of the present disclosure can be an OT (Operational Technology) system, and the program running device can be an OT device. The beneficial effects of the network system protection solution of the embodiments of the present disclosure are particularly significant when it is applied to this specific scenario, which is explained in detail below.
In the embodiments of the present disclosure, the target software can be any software program, which is not limited in the embodiments of the present disclosure. As mentioned above, the target software can be malware (such as ransomware); when such malware is input into the network system and runs normally, it interferes with or hinders the normal operation of the network system. For example, when one exemplary kind of malware is input into a network system and runs normally, it encrypts certain data so that the program running devices in the network system can no longer use that data for processing, which affects the normal work of the program running devices. Of course, this is only one example of malware and does not serve as any limitation on it.
Optionally, the target software can be malware that has been screened out. Therefore, before the malware is input into the network system, the object information of the malware (i.e., the target software) is first obtained, and a protection policy for the malware is configured in the network system according to the object information; this can prevent the malware from running in the network system after it is input into the network system, thereby effectively protecting the network system.
In the embodiments of the present disclosure, the object information of the target software includes at least one of: mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system. This object information is the key to the target software being able to run normally.
Specifically, some target software usually creates a mutex when it runs, in order to avoid running itself a second time. A mutex implements a simple form of mutually exclusive synchronization: it prohibits multiple threads from entering a protected code region at the same time, that is, only one thread is allowed to enter the protected region at any moment. Therefore, when the mutex already exists, the target software cannot run again. The mutex information in the embodiments of the present disclosure can be some characteristics of the mutex of the target software, for example the mutex name or the mutex identifier, which is not limited in the embodiments of the present disclosure.
Specifically, some target software runs as a created service when it starts running after being input into the network system. The service information in the object information in the embodiments of the present disclosure can be some characteristics of that service, such as the service name or the service identifier, which is not limited in the embodiments of the present disclosure.
Specifically, some target software first sends a request when it starts running after being input into the network system. The request information in the embodiments of the present disclosure can be some key characteristics of that request, for example the URL accessed when the request is issued or the identifier of the request, which is not limited in the embodiments of the present disclosure.
In the embodiments of the present disclosure, since the object information is the key to the normal operation of the target software, obtaining it makes it convenient to configure, in step S103, a protection policy according to the object information, so as to prevent the target software from running in the network system.
The embodiments of the present disclosure do not limit the specific way of obtaining the object information of the target software in step S101. As an example, in order to analyze the target software more conveniently, with reference to the flow chart in Figure 2, obtaining the object information of the target software in step S101 can include the following sub-steps S1011 and S1012.
S1011: input the target software into a preset sandbox to run, and obtain the running data.
S1012:根据运行数据,确定目标软件的对象信息。S1012: Determine the object information of the target software based on the running data.
沙箱(Sandbox)是一种用于安全运行软件程序的技术,常常用来执行那些非可信的软件程序,沙箱按照一定的安全策略,通过严格限制非可信的软件程序对系统资源的使用来实现隔离,其所运行的非可信的软件程序对系统的影响将会被限制在沙箱内而不会影响到系统的其它部分。在沙箱中还原网络系统的构成,以使目标软件在沙箱中运行时能够还原目标软件的运行现象。Sandbox is a technology used to safely run software programs. It is often used to execute untrusted software programs. The sandbox strictly limits the use of system resources by untrusted software programs in accordance with certain security policies. Used to achieve isolation, the impact of untrusted software programs running on the system will be limited within the sandbox and will not affect other parts of the system. Restore the structure of the network system in the sandbox so that the running phenomenon of the target software can be restored when the target software is run in the sandbox.
运行数据中可以包括目标软件的对象信息,因此可以通过对运行数据进行分析处理从运行数据中得到目标软件的对象信息。The running data may include object information of the target software, so the object information of the target software can be obtained from the running data by analyzing and processing the running data.
因此,本公开实施例中将目标软件输入到预设的沙箱中运行,可以安全且完整地得到该目标软件(例如目标软件为恶意软件)在运行时的各种运行数据,从而进一步可以安全且完整地根据运行数据得到目标软件的对象信息。以便于后续根据对象信息对网络系统进行防护策略的配置,以阻止目标软件在网络系统中运行,从而对网络系统形成有效保护。Therefore, in the embodiment of the present disclosure, by inputting the target software into a preset sandbox and running it, various running data of the target software (for example, the target software is malware) can be obtained safely and completely, so that the target software can be further safely and completely obtained. And completely obtain the object information of the target software based on the running data. This facilitates the subsequent configuration of protection strategies for the network system based on the object information to prevent target software from running in the network system, thereby effectively protecting the network system.
对于S1012中“根据运行数据,确定目标软件的对象信息”的具体实现方式,在此不进行限制。例如可以直接对运行数据进行分析得到,例如以对象信息中的互斥体信息为互斥体名称为例,则可以是识别运行数据中互斥体名称的字段,从而将之确定出来。The specific implementation method of "determining the object information of the target software based on the operating data" in S1012 is not limited here. For example, it can be obtained by directly analyzing the running data. For example, if the mutex information in the object information is the mutex name, it can be determined by identifying the field of the mutex name in the running data.
由于沙箱内部建立的系统中往往也运行有其他软件,因此部分其他软件可能也会建立 与目标软件相似的对象信息,也即其他软件在运行时也可以存在其对应的互斥体信息、服务信息、请求信息等,这些其他软件的对象信息也作为运行数据的一部分被从沙箱中输出出来。对此,在可选的实施例中,步骤S1012具体可以包括:通过预设的黑名单对运行数据进行过滤处理,以从过滤处理的结果中获得目标软件的对象信息。Since other software is often running in the system built inside the sandbox, some other software may also create object information similar to the target software, that is, other software may also have its corresponding mutex information and services when running. Information, request information, etc., the object information of other software is also output from the sandbox as part of the running data. In this regard, in an optional embodiment, step S1012 may specifically include: filtering the running data through a preset blacklist to obtain the object information of the target software from the results of the filtering process.
具体地,该预设的黑名单可以是对象信息的黑名单,其可以是记录有沙箱内部建立系统所运行的其他软件所对应的对象信息。另外,对于每一种对象信息,可以分别预设一个相应的黑名单。Specifically, the preset blacklist may be a blacklist of object information, which may record object information corresponding to other software running in the sandbox internal establishment system. In addition, for each type of object information, a corresponding blacklist can be preset.
例如,以对象信息中的互斥体信息为互斥体名称为例,则预设的黑名单可以是互斥体名称黑名单,其中包括沙箱内部建立的系统中除目标软件以外的其他软件所对应的互斥体名称,通过该互斥体名称黑名单对运行数据进行过滤处理,可以将其中除目标软件以外的其他软件所对应的互斥体名称滤除,仅留下目标软件对应的互斥体名称(即对象信息)。For example, assuming that the mutex information in the object information is the mutex name, the default blacklist can be a mutex name blacklist, which includes other software other than the target software in the system established inside the sandbox. The corresponding mutex name is used to filter the running data through the mutex name blacklist. The mutex names corresponding to other software except the target software can be filtered out, leaving only the mutex names corresponding to the target software. Mutex name (i.e. object information).
同理,再以对象信息中的服务信息为服务名称为例,则预设的黑名单中可以是服务名称黑名单,其中包括沙箱内部建立的系统中除目标软件以外的其他软件所创建的服务的服务名称,通过该服务名称黑名单对运行数据进行过滤处理,可以将其中除目标软件以外的其他软件所对应的服务名称滤除,仅留下目标软件对应的服务名称(即对象信息)。In the same way, taking the service information in the object information as the service name as an example, the default blacklist can be a service name blacklist, which includes those created by other software other than the target software in the system built inside the sandbox. The service name of the service. The running data is filtered through the service name blacklist. The service names corresponding to other software except the target software can be filtered out, leaving only the service names corresponding to the target software (i.e. object information). .
同理,再以对象信息的请求信息为目标软件发出请求时访问的URL为例,则预设的黑名单中可以是URL黑名单,其中包括沙箱内部建立的系统中除目标软件以外的其他软件发出请求时访问的URL,通过该URL黑名单对运行数据进行过滤处理,可以将其中除目标软件以外的其他软件所对应的URL滤除,仅留下目标软件对应的URL(即对象信息)。Similarly, if the request information of the object information is the URL accessed when the target software makes a request, for example, the preset blacklist can be a URL blacklist, which includes other files other than the target software in the system established inside the sandbox. The URL accessed when the software makes a request, the running data is filtered through the URL blacklist, and the URLs corresponding to other software except the target software can be filtered out, leaving only the URL corresponding to the target software (i.e. object information) .
显然,通过这样的方式,可以准确地根据运行数据确定目标软件的对象信息,以便于后续根据对象信息对网络系统进行防护策略的配置,以阻止目标软件在网络系统中运行,从而对网络系统形成有效保护。Obviously, in this way, the object information of the target software can be accurately determined based on the running data, so as to subsequently configure the protection strategy for the network system based on the object information to prevent the target software from running in the network system, thereby causing damage to the network system. Effective protection.
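The blacklist filtering of sub-step S1012 described above, as an added example that is not the patent's own code: sandbox run data is read as JSON lines (an assumed format; the patent does not fix one), one blacklist per object type removes the objects that belong to the sandbox's own background software, and what remains is the target software's mutex name, service name and URL. The event names, the blacklist contents and the sample lines are constructed placeholders, not real indicators.

```python
"""Derive a target program's object information from sandbox run data
(S1011/S1012) by filtering out objects that belong to the sandbox's own
background software, using one blacklist per object type.

Added example; the JSON-lines event format, the event names and the
blacklist contents are assumptions, not the patent's own format or data.
"""
import json
from dataclasses import dataclass, field

# Constructed sandbox run data: one JSON event per line, as recorded while the
# target program ran. All names and URLs are placeholders, not real indicators.
SANDBOX_RUN_DATA = r"""
{"event": "mutex_create", "pid": 412, "image": "svchost.exe", "name": "Global\\SandboxAgentMutex"}
{"event": "mutex_create", "pid": 2040, "image": "sample.exe", "name": "Global\\PLACEHOLDER-TARGET-MUTEX"}
{"event": "service_create", "pid": 2040, "image": "sample.exe", "name": "placeholdersvc"}
{"event": "service_create", "pid": 900, "image": "updater.exe", "name": "SandboxUpdateSvc"}
{"event": "http_request", "pid": 2040, "image": "sample.exe", "url": "http://example.invalid/check"}
{"event": "http_request", "pid": 900, "image": "updater.exe", "url": "http://updates.sandbox.internal/ping"}
this line is not JSON and must be skipped, not crash the analysis
{"event": "mutex_create", "pid": 412, "image": "svchost.exe", "name": "global\\sandboxagentmutex"}
"""

# Assumed per-type blacklists: object information of the sandbox's own software.
BLACKLISTS = {
    "mutex": {"Global\\SandboxAgentMutex"},
    "service": {"SandboxUpdateSvc"},
    "url": {"http://updates.sandbox.internal/ping"},
}

# Event name -> (object type, field that carries the object's value).
EVENT_KINDS = {
    "mutex_create": ("mutex", "name"),
    "service_create": ("service", "name"),
    "http_request": ("url", "url"),
}


@dataclass
class ObjectInfo:
    mutex: list = field(default_factory=list)
    service: list = field(default_factory=list)
    url: list = field(default_factory=list)
    skipped_lines: int = 0


def _norm(kind: str, value: str) -> str:
    """Comparison key. Mutex and service names are matched case-insensitively
    (Win32 named objects and SCM service names behave that way); for URLs only
    the scheme and host are lowercased, the path is kept as-is."""
    if kind == "url":
        scheme, sep, rest = value.partition("://")
        host, slash, path = rest.partition("/")
        return scheme.lower() + sep + host.lower() + slash + path
    return value.casefold()


def extract_object_info(run_data: str, blacklists=BLACKLISTS) -> ObjectInfo:
    """Parse the run data, drop blacklisted and duplicate objects, and return
    the remaining (target-software) objects in first-seen order."""
    info = ObjectInfo()
    norm_black = {k: {_norm(k, v) for v in vals} for k, vals in blacklists.items()}
    seen = {kind: set() for kind in norm_black}
    for line in run_data.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            info.skipped_lines += 1  # malformed line: count it, keep going
            continue
        kind_field = EVENT_KINDS.get(event.get("event"))
        if kind_field is None:
            continue  # event type that carries no object information
        kind, field_name = kind_field
        value = event.get(field_name)
        if not isinstance(value, str):
            info.skipped_lines += 1
            continue
        key = _norm(kind, value)
        if key in norm_black[kind] or key in seen[kind]:
            continue
        seen[kind].add(key)
        getattr(info, kind).append(value)
    return info


if __name__ == "__main__":
    result = extract_object_info(SANDBOX_RUN_DATA)
    print("mutex:", result.mutex)
    print("service:", result.service)
    print("url:", result.url)
    print("skipped lines:", result.skipped_lines)
```

The blacklist is compared on a normalized key so that a background object logged once as `Global\SandboxAgentMutex` and once in different case is removed both times, while the original spelling of the surviving target objects is preserved for the policy that is later configured from them. In practice the blacklist is refreshed whenever the sandbox image changes, since any new background service or updater would otherwise be mistaken for a target-software object.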
The specific implementation of configuring, in step S103, a protection policy against the target software in the network system according to the object information is not specifically limited in the embodiments of the present disclosure, as long as the configured protection policy can effectively prevent the target software from running in the network system. By way of example, the embodiments of the present disclosure also provide several optional implementations of step S103, which are described in detail below; it should be understood that they are not to be regarded as limiting the embodiments of the present disclosure in any way.
In an optional embodiment, taking the case where the obtained object information of the target software includes mutex information, step S103 includes: creating a mutex program corresponding to the target software according to the mutex information in the object information; and inputting the mutex program into at least one program-running device of the network system to run, so as to prevent the target software from running on that program-running device by means of the mutex program.
Specifically, as explained above, when some target software runs it usually creates a mutex at the same time so as to avoid running a second instance of itself. For this, the embodiments of the present disclosure may create a mutex program according to the mutex information, where the mutex information may for example be the mutex name. For instance, the mutex information may be passed as a parameter to an interface program, yielding an interface program that contains the mutex information, that is, the mutex program. When the mutex program is input into at least one program-running device of the network system and run, it creates a dummy mutex object in the memory space of the program-running device. When the target software is introduced into the network system (for example, onto that program-running device), it detects the dummy mutex object, treats it as a mutex object it created itself, and therefore exits in order to avoid running twice. In this way, the network system protection method of the embodiments of the present disclosure achieves the goal of preventing the target software from running normally on the program-running device by means of the mutex program.
In an optional embodiment, the service information in the object information of the target software includes the service name of a first service created after the target software is introduced into the network system. On this basis, step S103 includes: creating the first service in the network system according to the service name, so as to prevent the target software from creating the first service by means of the already created first service.
Specifically, some target software, when it starts running after being introduced into the network system, runs as a service it creates (for example, the first service referred to in this optional embodiment). For this, the embodiments of the present disclosure may create the first service in the network system according to the service name. For instance, the service name may be passed as a parameter to an interface program, yielding an interface program that contains the service name. When this interface program is input into at least one program-running device of the network system and run, it generates a dummy object of the first service in the memory space of the program-running device, thereby creating the first service. When the target software is introduced into the network system (for example, onto that program-running device), it detects the dummy first-service object, treats it as the first-service object it generated itself, and therefore exits in order to avoid creating the first service again. In this way, the network system protection method of the embodiments of the present disclosure achieves the goal of preventing the target software from creating the first service by means of the already created first service, so that the target software cannot run normally in the network system.
In an optional embodiment, the request information in the object information of the target software includes the URL accessed when the target software issues a first request after being introduced into the network system, where, when issuing the first request, the target software accesses the URL through a first DNS and a first server of the network system. On this basis, step S103 includes: configuring a second DNS and a second server in the network system according to the URL, so as to prevent the target software from accessing the URL through the first DNS and first server of the network system when issuing the first request, and to make the target software access the URL through the second DNS and second server of the network system and exit based on the result of accessing the URL.
Specifically, some target software first sends a request (for example, the first request referred to in this optional embodiment) when it starts running after being introduced into the network system; specifically, the first request may be a URL request. When issuing the first request, the target software accesses the URL through the first DNS and the first server and obtains a response. For the target software, once the response satisfies a certain condition, the target software exits (for example, if the response is a response value, the condition for exiting may be that the response value is greater than a response value threshold). For this, the embodiments of the present disclosure may configure, according to the URL, a second DNS and a second server in the network system, where the second DNS differs from the first DNS and the second server differs from the first server. The second DNS and second server may be configured to be dedicated to responding to the first request issued by the target software. When the target software is introduced into the network system (for example, onto the program-running device), because of the presence of the second DNS and second server, after issuing the first request (for example, a URL request) it no longer accesses the URL through the first DNS and first server of the network system but instead through the second DNS and second server of the network system. The result of accessing the URL may be the response value returned for the target software's first request, and this response value is greater than the response value threshold at which the target software exits, so that the target software exits based on the result of accessing the URL. For example, if the response value threshold at which the target software exits is 200, then when the target software accesses the URL through the second DNS and second server the response value can be set to 300; since the response value 300 is greater than the threshold 200, the target software exits after issuing the first request and accessing the URL through the configured second DNS and second server. In this way, the network system protection method of the embodiments of the present disclosure achieves the goal of making the target software unable to run normally in the network system by means of the second DNS and second server configured according to the URL.
Optionally, both the first server and the second server in the embodiments of the present disclosure may be HTTP servers. This is of course not intended as a limitation on the present disclosure.
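The second DNS and second server of this optional embodiment, as an added example that is not the patent's own code: a resolver override table plays the part of the second DNS (it answers only for the host of the target software's first-request URL and leaves every other name to the first DNS), and a small dedicated HTTP server plays the part of the second server, answering only the recorded path with a response value above the exit threshold and 404 for anything else. The URL, the port, the response values 200 and 300 being used as HTTP status codes, and the in-process simulation of both components are assumptions made for illustration; in a deployment the override would live in the site's resolver and the second server on a dedicated host.

```python
"""Simulated "second DNS + second server" protection for the first-request
URL of step S103: only the target's host is steered to a dedicated server,
which answers that one path with a response value above the exit threshold.

Added example; the URL, the use of HTTP status codes as the response value,
the 200/300 values and the override-table format are assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed values: the URL recorded as the target's first request (a
# placeholder host, not a real indicator), the exit threshold from the
# patent's example, and the response value the second server is set to return.
TARGET_URL = "http://placeholder-check.example.invalid/status"
EXIT_THRESHOLD = 200
SECOND_SERVER_RESPONSE = 300


class SecondServerHandler(BaseHTTPRequestHandler):
    """Dedicated responder: the recorded path gets the configured response
    value; any other path gets 404, so the host is not a general web server."""
    expected_path = urlsplit(TARGET_URL).path
    response_code = SECOND_SERVER_RESPONSE

    def do_GET(self):
        code = self.response_code if self.path == self.expected_path else 404
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_second_server():
    """Bind the second server to an ephemeral loopback port and serve it in
    a background thread; returns the server so the caller can shut it down."""
    server = HTTPServer(("127.0.0.1", 0), SecondServerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def second_dns(host, override_table, first_dns):
    """Resolve host: the override table is the second DNS and answers only
    for the target's host; every other name falls through to the first DNS."""
    return override_table.get(host.lower()) or first_dns(host)


def request_status(url, override_table, first_dns):
    """Issue the request the way the target would, after resolution through
    second_dns(), and return the response value (the HTTP status code)."""
    parts = urlsplit(url)
    ip, port = second_dns(parts.hostname, override_table, first_dns)
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
        return conn.getresponse().status
    finally:
        conn.close()


def target_would_exit(status, threshold=EXIT_THRESHOLD):
    """The exit condition described in the patent's example: value > threshold."""
    return status > threshold


def demo():
    """Run the whole exchange in-process; returns the observed response values
    for the recorded path and for an unrelated path on the same host."""
    server = start_second_server()
    host = urlsplit(TARGET_URL).hostname
    override = {host: server.server_address}  # the "second DNS" entry

    def first_dns(name):  # would be consulted for every non-target host
        raise LookupError(f"first DNS would be consulted for {name}")

    try:
        return {
            "target": request_status(TARGET_URL, override, first_dns),
            "other": request_status(f"http://{host}/unrelated", override, first_dns),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    observed = demo()
    print(observed, "exit:", target_would_exit(observed["target"]))
```

Keeping the override to the single recorded host, and the second server to the single recorded path, is what keeps the measure narrow: legitimate traffic on the OT network is never resolved to the second server, and the exit decision is observable on the second server's access log, which is also where the first appearance of the target software on a device becomes visible.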
可以理解的是,获取的目标软件的对象信息包括互斥体信息、服务信息和请求信息中的多个时,可以将其每一种对象信息所对应的防护策略均在网络系统中进行配置,从而最大限度地提高阻止目标软件(例如该目标软件为恶意软件)运行的可靠性,从而最大限度地降低网络系统受到恶意软件攻击的可能,使得网络系统中的设备的运行也更不易被恶意软件所干扰或阻碍,能够有效地防止恶意软件对网络系统造成不良影响,从而保证网络系统的安全性。It can be understood that when the obtained object information of the target software includes multiple of mutex information, service information and request information, the protection strategy corresponding to each of the object information can be configured in the network system. Thereby maximizing the reliability of preventing the target software (for example, the target software is malware) from running, thereby minimizing the possibility of the network system being attacked by malware, making the operation of the devices in the network system less susceptible to malware. Interference or obstruction can effectively prevent malware from causing adverse effects on the network system, thereby ensuring the security of the network system.
为了提高本公开实施例中的网络系统防护方法对于阻止目标软件在网络系统中运行的可靠性,在一些可选地实施例中,参照图3所示的本公开实施例中的另一个可选的网络系统防护方法的步骤流程图,在该网络系统防护方法中,步骤S103之前还包括步骤S102。In order to improve the reliability of the network system protection method in the embodiment of the present disclosure in preventing target software from running in the network system, in some optional embodiments, refer to another optional method in the embodiment of the present disclosure shown in Figure 3 A step flow chart of a network system protection method. In the network system protection method, step S102 is also included before step S103.
S102:将对象信息输入验证系统,根据对象信息在验证系统中配置防护策略;将目标软件输入配置有防护策略的验证系统,并确定目标软件是否能在验证系统中正常运行;其中,若否,则执行步骤S103即:根据对象信息,在网络系统中配置针对目标软件的防护策略。S102: Input the object information into the verification system, and configure the protection strategy in the verification system according to the object information; enter the target software into the verification system configured with the protection strategy, and determine whether the target software can run normally in the verification system; if not, Then step S103 is executed, that is, configuring a protection policy for the target software in the network system according to the object information.
具体地,验证系统中可以建立与网络系统相同的软件运行环境,在验证系统中配置防护策略,以使得目标软件在输入验证系统后的运行情况可以准确地展示目标软件在输入到配置有与验证系统相同的防护策略的网络系统的运行现象,从而对防护策略的可靠性进行验证。具体地,若目标软件能够在配置有防护策略的验证系统中正常运行,说明该防护策略可靠性较差,当该防护策略被配置到网络系统后,无法有效阻止目标软件在网络系统中运行;而若目标软件不能在验证系统中正常运行,说明防护策略可靠性较好,当该防护策略被配置到网络系统后,可以有效阻止目标软件在网络系统中运行,因而可以在确定目标软件是否能在验证系统中正常运行的结果为否的情况下,根据对象信息在网络系统中配置针对目标软件的防护策略,以阻止目标软件的运行。Specifically, the same software operating environment as the network system can be established in the verification system, and the protection strategy can be configured in the verification system, so that the operation of the target software after input to the verification system can accurately display the operation of the target software after input to the configuration and verification. The operating phenomena of network systems with the same protection strategy can be used to verify the reliability of the protection strategy. Specifically, if the target software can run normally in the verification system configured with a protection policy, it means that the protection policy is less reliable. When the protection policy is configured in the network system, it cannot effectively prevent the target software from running in the network system; If the target software cannot run normally in the verification system, it means that the protection strategy is more reliable. When the protection strategy is configured in the network system, it can effectively prevent the target software from running in the network system, so it can be determined whether the target software can When the result of verifying normal operation in the system is negative, configure a protection policy for the target software in the network system based on the object information to prevent the target software from running.
可选地,若目标软件能够在配置有防护策略的验证系统中正常运行,可以将目标软件发送给工作人员的终端上,由工作人员进行人工分析,例如可以由人工确定目标软件是否存在对象信息,若存在依据其对网络系统进行防护策略的配置。Optionally, if the target software can run normally in a verification system configured with a protection strategy, the target software can be sent to the staff's terminal, and the staff can perform manual analysis. For example, the target software can be manually determined whether object information exists. , if there is a configuration based on the protection strategy for the network system.
由前文所述,本公开实施例中的网络系统防护方法在应用于网络系统为OT系统、程序运行设备为OT设备(例如生产线上的各种能够运行软件程序的工业控制设备)的应用场景时,可以得到更为显著的有效效果。其原因在于,OT系统与其他计算机网络系统不同,OT系统中的OT设备一般不能对其内部的软件程序进行频繁的升级和修补,也不能如其他计算机网络系统中的程序运行设备一样安装专用的防恶意软件的应用程序(例如防病毒软件)。这样一方面是为了保证工业现场(例如生产线上)的OT设备使用的稳定性,若频繁的升级和修补内部程序软件,容易导致OT设备不能稳定运行;另一方面是由于OT系统中的每个OT设备的软硬件配置往往各不相同,对于将专用的防恶意软件的应用程序安装到OT设备上,容易出现不兼容的情况而导致该应用程序不能正常运行,也容易导致OT设备出现蓝屏等故障。而且由于OT系统中的OT设备对于生产线上的生产任务的正常执行起到决定性作用,在其因内部软件升级和修补以及安装专用的防恶意软件的应用程序导致不能稳定运行的情况下,对生产任务的执行也会造成不良影响。As mentioned above, the network system protection method in the embodiment of the present disclosure is applied to an application scenario where the network system is an OT system and the program running device is an OT device (such as various industrial control devices on the production line that can run software programs). , you can get more significant effective effects. The reason is that the OT system is different from other computer network systems. The OT equipment in the OT system generally cannot frequently upgrade and patch its internal software programs, nor can it install dedicated software like the program running equipment in other computer network systems. Anti-malware applications (such as anti-virus software). On the one hand, this is to ensure the stability of OT equipment in industrial sites (such as production lines). Frequent upgrades and patching of internal program software may easily lead to unstable operation of OT equipment; on the other hand, because each of the OT devices in the OT system The software and hardware configurations of OT devices are often different. When a dedicated anti-malware application is installed on an OT device, it is easy to be incompatible, causing the application to not run properly, and it is also easy to cause a blue screen on the OT device. Fault. 
And because the OT equipment in the OT system plays a decisive role in the normal execution of production tasks on the production line, if it cannot run stably due to internal software upgrades and patches, as well as the installation of dedicated anti-malware software applications, it will have a negative impact on production. The performance of tasks can also have adverse effects.
而本公开实施例中的任一个网络系统防护方法的实施例中,则是获取目标软件的对象 信息,对象信息包括目标软件的互斥体信息、目标软件输入网络系统后创建的服务信息、目标软件输入网络系统后发出的请求信息中的至少一个,并根据对象信息在网络系统中配置针对目标软件的防护策略,以阻止目标软件在网络系统中运行。因此本公开实施例在其能够在目标软件为恶意软件的情况下,十分稳定有效地对输入OT系统的恶意软件的运行进行阻止,从而降低OT系统受到恶意软件攻击的可能,使得OT系统中的OT设备的运行也更不易被恶意软件所干扰或阻碍,能够有效地防止恶意软件对OT系统造成不良影响,能够保证OT系统的安全性。并且在此基础上,这样的网络系统防护方法相对于在OT设备中安装专用的防恶意软件的应用程序(例如防病毒软件)的情形来说也更加轻量化,其占用OT设备的内存量更小,不涉及任何挂钩和驱动程序,防止这些额外的程序对OT设备的稳定运行产生影响;并且即使在OT系统中配置的防护策略失效,也不会因该失效而影响到OT系统的各OT设备自身运行的稳定性;并且由于几乎不用考虑软硬件配置的问题,在能够更好地适用OT系统的各OT设备的情况下,其很少会出现不兼容的情况,不会出现使得OT设备出现蓝屏等故障。In any of the network system protection methods in the embodiments of the present disclosure, the object information of the target software is obtained. The object information includes mutex information of the target software, service information created after the target software is input into the network system, and target software. At least one of the request information sent by the software after inputting it into the network system, and configuring a protection policy for the target software in the network system based on the object information to prevent the target software from running in the network system. Therefore, the embodiments of the present disclosure can very stably and effectively prevent the operation of malware input to the OT system when the target software is malware, thereby reducing the possibility of the OT system being attacked by malware and making the OT system more susceptible to malware attacks. The operation of OT equipment is also less likely to be interfered or hindered by malware, which can effectively prevent malware from causing adverse effects on the OT system and ensure the security of the OT system. And on this basis, such a network system protection method is also more lightweight than installing dedicated anti-malware applications (such as anti-virus software) in OT devices, and it occupies a larger amount of memory on the OT device. 
It is small and does not involve any hooks and drivers, preventing these additional programs from affecting the stable operation of OT equipment; and even if the protection strategy configured in the OT system fails, the failure will not affect each OT of the OT system. The stability of the operation of the equipment itself; and since there is almost no need to consider the software and hardware configuration issues, when each OT equipment can be better adapted to the OT system, it will rarely be incompatible and will not cause the OT equipment to A blue screen or other failure occurs.
由此可以看出,本公开实施例中的网络系统防护方法在应用于网络系统为OT系统、程序运行设备为OT设备的应用场景时,可以得到更为显著的效果,能够稳定有效地对这一应用场景进行防护。It can be seen from this that the network system protection method in the embodiment of the present disclosure can achieve more significant effects when applied to an application scenario where the network system is an OT system and the program running device is an OT device, and can stably and effectively protect the system. Protect according to one application scenario.
下面,再以一个例子对本公开实施例中的网络系统防护方法进行总体说明。该例子中,该网络系统防护方法用于对OT系统进行恶意软件防护。应当理解,其并不作为对本公开实施例中的任何限制。Next, an example will be used to provide an overall description of the network system protection method in the embodiment of the present disclosure. In this example, the network system protection method is used to protect OT systems from malware. It should be understood that this does not serve as any limitation on the embodiments of the present disclosure.
在这一例子中,目标软件为勒索软件(记为wannacry示例),则将wannacry示例输入到沙箱中运行,获得wannacry示例的运行数据。再利用预设的互斥体名称黑名单、服务名称黑名单、以及URL黑名单对运行数据进行过滤处理,得到wannacry示例的对象信息,即wannacry示例的互斥体名称(即互斥体信息)、服务名称(即服务信息)、以及URL(即请求信息)。将获得的互斥体名称、服务名称、以及URL输入到验证系统,基于这些对象信息配置防护策略,在验证系统的内存空间中创建虚假的互斥体对象、虚假的第一服务的对象、配置虚假的DNS和HTTP服务器以使wannacry示例发出第一请求时通过虚假的DNS和HTTP服务器来访问URL获得响应。若wannacry示例在验证系统中不能正常运行,说明根据wannacry示例的对象信息能够配置的防护策略,可靠性较好,当该防护策略被配置到OT系统后,可以有效阻止wannacry示例在OT系统中运行。则将互斥体名称 和服务名称作为不同的参数输入接口程序,从而得到包含互斥体信息和服务名称的接口程序,将这一程序部署到OT系统中的至少一个OT设备中运行。这一程序在OT设备的内存中创建虚假的互斥体对象以及虚假的第一服务的对象,并在OT系统中配置第二DNS和第二服务器(例如为HTTP服务器),该第二DNS和第二服务器可以被配置为专用于响应wannacry示例发出的第一请求。当wannacry示例输入到OT设备时,检测到互斥体对象wannacry示例将退出运行;或者检测到服务对象wannacry示例将不再创建第一服务,并因第一服务已启动而退出运行;或者发送第一请求时通过第二DNS和第二服务器访问对应的URL,而不再通过OT系统的第一DNS和第一服务器(例如为HTTP服务器)访问该URL。并且在通过第二DNS和第二服务器访问URL的结果可以是wannacry示例的第一请求得到响应后的响应值,该响应值大于wannacry示例退出运行时对应的响应值阈值,从而使得wannacry示例在访问URL后退出运行。可以看出,在这一例子中本公开实施例中的网络系统防护方法可以有效地对输入OT系统的恶意软件(即wannacry示例)的运行进行阻止,从而降低OT系统受到恶意软件攻击的可能,使得OT系统中的OT设备的运行也更不易被恶意软件所干扰或阻碍,能够有效地防止恶意软件对OT系统造成不良影响,从而能够保证OT系统的安全性。可以理解的是,这一例子并不作为对本公开实施例中的任何限制。In this example, the target software is ransomware (recorded as wannacry example), then enter the wannacry example into the sandbox to run, and obtain the running data of the wannacry example. Then use the preset mutex name blacklist, service name blacklist, and URL blacklist to filter the running data to obtain the object information of the wannacry example, that is, the mutex name of the wannacry example (that is, the mutex information) , service name (i.e., service information), and URL (i.e., request information). Enter the obtained mutex name, service name, and URL into the verification system, configure the protection strategy based on these object information, and create false mutex objects, false first service objects, and configurations in the memory space of the verification system. 
Fake DNS and HTTP servers so that the wannacry example makes the first request to get a response by accessing the URL through the fake DNS and HTTP servers. If the wannacry example cannot run normally in the verification system, it means that the protection strategy that can be configured based on the object information of the wannacry example has good reliability. When the protection strategy is configured to the OT system, it can effectively prevent the wannacry example from running in the OT system. . Then the mutex name and service name are input into the interface program as different parameters, thereby obtaining an interface program containing the mutex information and service name, and deploying this program to at least one OT device in the OT system to run. This procedure creates a fake mutex object and a fake first service object in the memory of the OT device, and configures a second DNS and a second server (for example, an HTTP server) in the OT system. The second DNS and The second server can be configured specifically to respond to the first request made by the wannacry example. When the wannacry example is input to the OT device, the mutex object wannacry example is detected and will exit running; or the service object wannacry example is detected and the first service is no longer created and exits because the first service has been started; or the first service is sent. When making a request, the corresponding URL is accessed through the second DNS and the second server, instead of accessing the URL through the first DNS and the first server (for example, HTTP server) of the OT system. And the result of accessing the URL through the second DNS and the second server can be the response value after the first request of the wannacry example is responded to. The response value is greater than the corresponding response value threshold when the wannacry example exits the run, so that the wannacry example is accessed Exit running after URL. 
It can be seen that in this example, the network system protection method in the embodiment of the present disclosure can effectively prevent the operation of malware imported into the OT system (ie, the wannacry example), thereby reducing the possibility of the OT system being attacked by malware. This makes the operation of OT equipment in the OT system less likely to be interfered or hindered by malware, which can effectively prevent malware from causing adverse effects on the OT system, thus ensuring the security of the OT system. It should be understood that this example does not serve as any limitation on the embodiments of the present disclosure.
It can be understood that the above contents are only some exemplary explanations of the network system protection method in the embodiments of the present disclosure and do not constitute any limitation on the embodiments of the present disclosure.
It can be seen from the above that, because the network system protection method of the embodiments of the present disclosure can acquire object information of the target software, the object information including at least one of mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system, and can configure, according to the object information, a protection policy for the target software in the network system so as to prevent the target software from running in the network system, the embodiments of the present disclosure can, where the target software is malware, prevent the malware input into the network system from running. This reduces the likelihood of the network system being attacked by malware, makes the operation of devices in the network system less likely to be interfered with or hindered by malware, effectively prevents malware from adversely affecting the network system, and thereby ensures the security of the network system.
According to a second aspect of the embodiments of the present disclosure, with reference to the block diagram of Figure 4, a network system protection apparatus 400 is also provided, which includes:
an acquisition module 401, configured to acquire object information of the target software, where the object information includes at least one of: mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system;
a blocking module 402, configured to configure, according to the object information, a protection policy for the target software in the network system so as to prevent the target software from running in the network system.
In an optional embodiment of the network system protection apparatus 400, the blocking module 402 is specifically configured to: create, according to the mutex information in the object information, a mutex program corresponding to the target software; and input the mutex program into at least one program-running device of the network system to run, so that the mutex program prevents the target software from running on the program-running device.
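The mutex program of this embodiment holds a named mutex so that a later instance of the target software finds the name already taken. The following Python code is an added example, not code from the patent or the applicant: on Windows it creates a real named mutex through `kernel32.CreateMutexW` and detects a collision through the `ERROR_ALREADY_EXISTS` last-error code; on other hosts a lock file created with `O_EXCL` stands in for the named kernel object (an assumption made so the example runs anywhere). The mutex name used in the comments is a constructed placeholder, not an indicator from the patent.

```python
"""Mutex program built from mutex information. Added example, not the patent's
own code. Windows: real named mutex via CreateMutexW. Other hosts: an O_EXCL
lock file stands in for the named kernel object (assumption for illustration)."""
import ctypes
import os
import sys
import tempfile

ERROR_ALREADY_EXISTS = 183  # Windows last-error code set by CreateMutexW on collision


class MutexHolder:
    """Create and hold a named mutex (e.g. a constructed name such as
    'Global\\ExampleSampleMutex'); `created` is False if it already existed."""

    def __init__(self, name):
        self.name = name
        self.handle = None
        self.created = False
        if sys.platform == "win32":
            kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
            kernel32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p]
            kernel32.CreateMutexW.restype = ctypes.c_void_p
            self.handle = kernel32.CreateMutexW(None, 0, name)
            # A handle is returned even when the mutex already exists; only the
            # last-error value tells the two cases apart.
            self.created = (self.handle is not None
                            and ctypes.get_last_error() != ERROR_ALREADY_EXISTS)
        else:
            # POSIX stand-in: an exclusive-create lock file per mutex name.
            self.path = os.path.join(tempfile.gettempdir(),
                                     "mutex-" + name.replace("\\", "_"))
            try:
                self.handle = os.open(self.path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
                self.created = True
            except FileExistsError:
                self.created = False

    def release(self):
        """Give the name back; only the instance that created it releases it."""
        if self.handle is None:
            return
        if sys.platform == "win32":
            kernel32 = ctypes.WinDLL("kernel32")
            kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
            kernel32.CloseHandle(self.handle)
        else:
            os.close(self.handle)
            if self.created:
                os.unlink(self.path)
        self.handle = None


def mutex_already_held(name):
    """Probe used when verifying the policy: True if the name is already taken,
    which is exactly what the target software would observe on the device."""
    probe = MutexHolder(name)
    taken = not probe.created
    probe.release()
    return taken
```

In deployment the program is started with the mutex name from the object information as a parameter and simply keeps the holder alive; `mutex_already_held` is the check a verification system can run to confirm that the name is really occupied before the target software is executed against the policy.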
In an optional embodiment of the network system protection apparatus 400, the service information includes the service name of a first service created after the target software is input into the network system, and the blocking module 402 is specifically configured to: create the first service in the network system according to the service name, so that the already-created first service prevents the target software from creating the first service.
In an optional embodiment of the network system protection apparatus 400, the request information includes the URL accessed when the target software issues a first request after being input into the network system, where the target software accesses the URL through a first DNS and a first server of the network system when issuing the first request; the blocking module 402 is specifically configured to: configure, according to the URL, a second DNS and a second server in the network system, so as to prevent the target software from accessing the URL through the first DNS and the first server of the network system when issuing the first request, and to cause the target software to access the URL through the second DNS and the second server of the network system and exit running based on the result of accessing the URL.
In an optional embodiment, the network system protection apparatus 400 is further configured to input the object information into a verification system and configure the protection policy in the verification system according to the object information; and to input the target software into the verification system configured with the protection policy and determine whether the target software can run normally in the verification system; where, if not, the blocking module 402 is configured to configure the protection policy for the target software in the network system according to the object information.
In an optional embodiment of the network system protection apparatus 400, the acquisition module 401 is specifically configured to: input the target software into a preset sandbox to run and obtain running data; and determine the object information of the target software according to the running data.
In an optional embodiment of the network system protection apparatus 400, the acquisition module 401 is specifically configured to: filter the running data through a preset blacklist, so as to obtain the object information of the target software from the result of the filtering.
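The two embodiments above (sandbox running data, then blacklist filtering) can be illustrated together. The following Python code is an added example and is not code from the patent or the applicant. The sandbox log lines, the event names, the blacklist patterns and every mutex, service and host name in them are constructed for illustration; the point it shows is why the blacklist matters: benign objects that appear in almost every run (a system service name, a certificate revocation download, a text-framework mutex) must be removed before a protection policy is built, otherwise the policy would block legitimate software.

```python
"""Derive object information (mutex, service, request URL) from sandbox
running data and drop blacklisted entries. Added example, not the patent's own
code; log lines, event names and blacklist patterns are constructed."""
import re
from collections import defaultdict

# Constructed sandbox running data: one event per line, "<event_type> <value>".
SANDBOX_RUNNING_DATA = """\
mutex_create Global\\ExampleSampleMutex-0001
mutex_create Local\\MSCTF.Asm.MutexDefault1
service_create examplesvc2
service_create EventLog
http_request http://example-killswitch.invalid/check
http_request http://crl.example-os-vendor.invalid/root.crl
dns_query example-killswitch.invalid
file_write C:\\Users\\user\\AppData\\Local\\Temp\\x.tmp
"""

# Constructed preset blacklist: objects seen in nearly every sandbox run and
# therefore useless (and dangerous) as the basis of a protection policy.
BLACKLIST = {
    "mutex": [re.compile(r"^Local\\MSCTF\.", re.I)],
    "service": [re.compile(r"^EventLog$", re.I)],
    "request": [re.compile(r"\.crl$", re.I)],
}

# Which sandbox events feed which field of the object information.
EVENT_TO_FIELD = {
    "mutex_create": "mutex",
    "service_create": "service",
    "http_request": "request",
}


def parse_running_data(text):
    """Group raw events into candidate object information, keyed by field.
    Events that do not map to a field (file writes, DNS queries) are ignored."""
    candidates = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event, _, value = line.partition(" ")
        field = EVENT_TO_FIELD.get(event)
        if field and value:
            candidates[field].append(value)
    return candidates


def filter_with_blacklist(candidates, blacklist=BLACKLIST):
    """Remove blacklisted values. A field with nothing left is omitted, so no
    policy can be built on an empty mutex name, service name or URL."""
    result = {}
    for field, values in candidates.items():
        patterns = blacklist.get(field, [])
        kept = [v for v in values if not any(p.search(v) for p in patterns)]
        if kept:
            result[field] = kept
    return result


def object_information(text=SANDBOX_RUNNING_DATA):
    """Object information of the target software, as the acquisition module
    would hand it to the blocking module."""
    return filter_with_blacklist(parse_running_data(text))
```

The blacklist is keyed per field because a string that is benign as a service name may still be meaningful as a mutex name, and it is applied after parsing so that the same running data can be re-filtered when the blacklist is updated.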
The network system protection apparatus 400 in the embodiments of the present disclosure is based on the same inventive concept as the network system protection method of the first aspect, and its beneficial effects are the same as those of the corresponding embodiments of the network system protection method of the first aspect; it can therefore be understood with reference to the foregoing embodiments of the network system protection method and is not described again here.
In the network system protection apparatus 400 of the embodiments of the present disclosure, because the acquisition module 401 can acquire object information of the target software, the object information including at least one of mutex information of the target software, service information created after the target software is input into the network system, and request information issued after the target software is input into the network system, and the blocking module 402 can configure, according to the object information, a protection policy for the target software in the network system so as to prevent the target software from running in the network system, the embodiments of the present disclosure can, where the target software is malware, prevent the malware input into the network system from running. This reduces the likelihood of the network system being attacked by malware, makes the operation of devices in the network system less likely to be interfered with or hindered by malware, effectively prevents malware from adversely affecting the network system, and thereby ensures the security of the network system.
According to a third aspect of the embodiments of the present disclosure, a computer device 500 is provided, which includes: a processor 502; and a memory 506 storing a program 510, where the program 510 includes computer operation instructions which, when executed by the processor 502, cause the processor 502 to perform the foregoing network system protection method.
The embodiments of the present disclosure do not limit the specific implementation of the computer device 500. As an example, Figure 5 is a schematic structural diagram of an optional computer device 500 provided by the embodiments of the present disclosure; the computer device 500 may include a processor 502, a communication interface 504, a memory 506 and a communication bus 508, where the processor 502, the communication interface 504 and the memory 506 communicate with one another through the communication bus 508.
The communication interface 504 is used to communicate with other computer devices or servers.
The processor 502 is configured to execute the program 510, and in particular may perform the relevant steps of the foregoing embodiments of the network system protection method.
Specifically, the program 510 may include program code, and the program code includes computer operation instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application. The one or more processors included in a smart device may be processors of the same type, such as one or more CPUs, or processors of different types, such as one or more CPUs together with one or more ASICs.
The memory 506 is used to store the program 510. The memory 506 may include high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the operations of the foregoing network system protection method.
For the specific implementation of each step in the program 510, reference may be made to the corresponding description in the foregoing embodiments of the network system protection method, which is not repeated here. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the devices and modules described above may be understood with reference to the corresponding process descriptions in the foregoing method embodiments, which are not repeated here.
According to a fourth aspect of the embodiments of the present disclosure, a computer storage medium is provided, where the computer storage medium stores computer instructions, and the computer instructions are used to cause a computer to perform any of the foregoing network system protection methods.
The embodiments of the network system protection apparatus, computer device and computer storage medium are substantially similar in content and beneficial effects to the embodiments of the network system protection method provided in the first aspect, so they are described only briefly here and can be understood with reference to the foregoing embodiments of the network system protection method.
It should be understood that the steps described in the method embodiments of the present disclosure may be performed in a different order and/or in parallel. Furthermore, the method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
As used herein, the term "include" and its variants are open-ended, i.e. "including but not limited to". The term "based on" means "based at least in part on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one further embodiment"; and the term "some embodiments" means "at least some embodiments". It should be noted that the modifiers "a" and "a plurality of" mentioned in the present disclosure are illustrative rather than restrictive, and those skilled in the art will understand that, unless the context clearly indicates otherwise, they should be read as "one or more".
It should be understood that expressions such as "first" and "second" used in the embodiments of the present disclosure may modify various components regardless of order and/or importance, but these expressions do not limit the corresponding components. They serve only to distinguish one component from another.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the embodiments of the present disclosure, not to limit them. Although the present disclosure has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present disclosure.

Claims (10)

  1. A network system protection method, comprising:
    acquiring object information of target software, where the object information includes at least one of: mutex information of the target software, service information created after the target software is input into a network system, and request information issued after the target software is input into the network system;
    configuring, according to the object information, a protection policy for the target software in the network system so as to prevent the target software from running in the network system.
  2. The method according to claim 1, wherein configuring, according to the object information, a protection policy for the target software in the network system so as to prevent the target software from running in the network system comprises:
    creating, according to the mutex information in the object information, a mutex program corresponding to the target software;
    inputting the mutex program into at least one program-running device of the network system to run, so that the mutex program prevents the target software from running on the program-running device.
  3. The method according to claim 1, wherein the service information includes a service name of a first service created after the target software is input into the network system;
    configuring, according to the object information, a protection policy for the target software in the network system so as to prevent the target software from running in the network system comprises:
    creating the first service in the network system according to the service name, so that the already-created first service prevents the target software from creating the first service.
  4. The method according to claim 1, wherein the request information includes a URL accessed when the target software issues a first request after being input into the network system, and the target software accesses the URL through a first DNS and a first server of the network system when issuing the first request;
    configuring, according to the object information, a protection policy for the target software in the network system so as to prevent the target software from running in the network system comprises:
    configuring, according to the URL, a second DNS and a second server in the network system, so as to prevent the target software from accessing the URL through the first DNS and the first server of the network system when issuing the first request, and to cause the target software to access the URL through the second DNS and the second server of the network system and exit running based on the result of accessing the URL.
  5. The method according to claim 1, wherein, before configuring, according to the object information, the protection policy for the target software in the network system, the method further comprises:
    inputting the object information into a verification system, and configuring the protection policy in the verification system according to the object information;
    inputting the target software into the verification system configured with the protection policy, and determining whether the target software can run normally in the verification system; wherein,
    if not, performing: configuring, according to the object information, the protection policy for the target software in the network system.
  6. The method according to any one of claims 1 to 5, wherein acquiring object information of the target software comprises:
    inputting the target software into a preset sandbox to run, and obtaining running data;
    determining the object information of the target software according to the running data.
  7. The method according to claim 6, wherein determining the object information of the target software according to the running data comprises:
    filtering the running data through a preset blacklist, so as to obtain the object information of the target software from the result of the filtering.
  8. A network system protection apparatus (400), comprising:
    an acquisition module (401), configured to acquire object information of target software, where the object information includes at least one of: mutex information of the target software, service information created after the target software is input into a network system, and request information issued after the target software is input into the network system;
    a blocking module (402), configured to configure, according to the object information, a protection policy for the target software in the network system so as to prevent the target software from running in the network system.
  9. A computer device (500), comprising:
    a processor (502); and
    a memory (506) storing a program (510), wherein the program (510) includes computer operation instructions which, when executed by the processor (502), cause the processor (502) to perform the network system protection method according to claims 1 to 7.
  10. A computer storage medium, wherein the computer storage medium stores computer instructions, and the computer instructions are used to cause a computer to perform the network system protection method according to any one of claims 1 to 7.
Application PCT/CN2022/087996, priority date 2022-04-20, filing date 2022-04-20: Network system protection method and apparatus, and computer device and storage medium. Published as WO2023201583A1 (en) on 2023-10-26. Family ID 88418685; country status: WO (1) WO2023201583A1 (en).


Legal Events

121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 22937820; country of ref document: EP; kind code of ref document: A1)