Technical Field
The present invention relates to the technical field of computer security, and in particular to a local area network (LAN)-based security detection method and a LAN-based security detection apparatus.
Background Art
With the rapid spread of the Internet, local area networks have become an indispensable part of enterprise development. However, while bringing convenience to enterprises, LANs also face a wide variety of attacks and threats, such as leakage of confidential information, data loss, network abuse, identity impersonation and unauthorized intrusion.
Most existing LAN-based security detection schemes install an anti-virus client on each terminal inside the enterprise network; the anti-virus client uses a virus signature database to determine the number of viruses on the terminal and the degree of harm they pose, and the security of the enterprise network is then assessed from the virus counts and harm levels of the terminals inside it.
Although this approach can reflect the security status of the enterprise network to a certain extent in terms of virus count and virus harm, a virus signature database necessarily lags behind the viruses themselves. An enterprise network in which viruses are already present is already in a dangerous state and already constitutes a failing network environment; scoring or inspecting a failing network environment is after-the-fact remediation, so this approach cannot effectively guarantee the security of the enterprise network.
Summary of the Invention
In view of the above problems, the present invention is proposed to provide a LAN-based security detection method and a LAN-based security detection apparatus that overcome, or at least partially solve, the above problems.
According to one aspect of the present invention, a LAN-based security detection method is provided, comprising:
obtaining, from pre-acquired file transfer events, a file transfer event to be analyzed that corresponds to an abnormal file, wherein the file transfer events are events reported by user terminals in the local area network; and
analyzing the information of the file transfer event to be analyzed to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
Optionally, the information of a file transfer event includes at least one of the following: time information, channel information, file information, file transfer direction and terminal information.
Optionally, the step of obtaining, from the pre-acquired file transfer events, the file transfer event to be analyzed that corresponds to the abnormal file comprises:
matching the file information of the abnormal file against the file information of the file transfer events, and taking each successfully matched file transfer event as a file transfer event to be analyzed.
Optionally, the step of analyzing the information of the file transfer event to be analyzed comprises:
according to the time information of the file transfer events to be analyzed, obtaining from them the target file transfer event with the earliest occurrence time, and obtaining the transmission source corresponding to the abnormal file from the channel information of that target file transfer event; and/or
obtaining the affected user terminals corresponding to the abnormal file from the terminal information of the file transfer events to be analyzed.
Optionally, the information of the abnormal file is obtained through the following steps:
receiving abnormal file information reported by a user terminal in response to a file abnormality; and/or
detecting, according to process behavior reported by a user terminal, whether the file corresponding to the process behavior is abnormal.
Optionally, the step of detecting, according to the process behavior reported by the user terminal, whether the file corresponding to the process behavior is abnormal comprises:
according to the process behavior reported by the user terminal, obtaining the process tree of the user terminal at different moments and the mapping between each process in the process tree and its process behavior;
obtaining from the process tree a target process that matches a preset process pattern; and
detecting the security of the target process according to the process behavior of the target process.
Optionally, the method further comprises:
performing interception processing on the transmission source corresponding to the abnormal file; and/or
performing repair processing on the affected user terminals.
Optionally, the step of performing interception processing on the transmission source corresponding to the abnormal file comprises:
setting a corresponding firewall rule for the transmission source corresponding to the abnormal file, so that the transmission source is intercepted by the firewall rule.
Optionally, the step of performing repair processing on the affected user terminals comprises:
killing the process corresponding to the abnormal file on a single affected user terminal and, if the kill succeeds, killing the process corresponding to the abnormal file on all affected user terminals; or
killing the process corresponding to the abnormal file on a single affected user terminal and, if the kill fails, backing up the data of each affected user terminal and then updating the operating system of each affected user terminal.
Optionally, the method further comprises:
receiving process behavior reported by a user terminal; and
detecting whether the process behavior includes a preset theft behavior directed at files.
According to another aspect of the present invention, a LAN-based security detection apparatus applied to a server is provided, comprising:
a transfer event acquisition module, configured to obtain, from pre-acquired file transfer events, a file transfer event to be analyzed that corresponds to an abnormal file, wherein the file transfer events are events reported by user terminals in the local area network; and
a transfer event analysis module, configured to analyze the information of the file transfer event to be analyzed to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
Optionally, the information of a file transfer event includes at least one of the following: time information, channel information, file information, file transfer direction and terminal information.
Optionally, the transfer event acquisition module comprises:
a matching sub-module, configured to match the file information of the abnormal file against the file information of the file transfer events and to take each successfully matched file transfer event as a file transfer event to be analyzed.
Optionally, the transfer event analysis module comprises:
a first transfer event analysis sub-module, configured to obtain, according to the time information of the file transfer events to be analyzed, the target file transfer event with the earliest occurrence time, and to obtain the transmission source corresponding to the abnormal file from the channel information of that target file transfer event; and/or
a second transfer event analysis sub-module, configured to obtain the affected user terminals corresponding to the abnormal file from the terminal information of the file transfer events to be analyzed.
Optionally, the apparatus further comprises an abnormality acquisition module configured to obtain the information of the abnormal file;
the abnormality acquisition module comprises:
a receiving sub-module, configured to receive abnormal file information reported by a user terminal in response to a file abnormality; and/or
a process detection sub-module, configured to detect, according to process behavior reported by a user terminal, whether the file corresponding to the process behavior is abnormal.
Optionally, the process detection sub-module comprises:
a process tree acquisition unit, configured to obtain, according to the process behavior reported by the user terminal, the process tree of the user terminal at different moments and the mapping between each process in the process tree and its process behavior;
a target process acquisition unit, configured to obtain from the process tree a target process that matches a preset process pattern; and
detecting the security of the target process according to the process behavior of the target process.
Optionally, the apparatus further comprises:
an interception module, configured to perform interception processing on the transmission source corresponding to the abnormal file; and/or
a repair module, configured to perform repair processing on the affected user terminals.
Optionally, the interception module comprises:
a firewall interception sub-module, configured to set a corresponding firewall rule for the transmission source corresponding to the abnormal file, so that the transmission source is intercepted by the firewall rule.
Optionally, the repair module comprises:
a first repair sub-module, configured to kill the process corresponding to the abnormal file on a single affected user terminal and, if the kill succeeds, to kill the process corresponding to the abnormal file on all affected user terminals; or
a second repair sub-module, configured to kill the process corresponding to the abnormal file on a single affected user terminal and, if the kill fails, to back up the data of each affected user terminal and then update the operating system of each affected user terminal.
Optionally, the apparatus further comprises:
a process behavior receiving module, configured to receive process behavior reported by a user terminal; and
a theft detection module, configured to detect whether the process behavior includes a preset theft behavior directed at files.
According to the LAN-based security detection method and apparatus of the embodiments of the present invention, file transfer events represent the movement of files on the user terminal side, and every file transfer event on the user terminal side is reported to the server. The embodiments of the present invention can therefore obtain the transmission source corresponding to an abnormal file by analyzing the information of the file transfer events to be analyzed that relate to that abnormal file. Compared with a traditional virus signature database, the embodiments of the present invention can thus use the file transfer events reported by user terminals to detect unknown threats and latent security risks in the LAN more promptly, which improves the timeliness of security detection; further, the transmission source corresponding to the abnormal file can be intercepted as early as possible, so that the propagation path of the abnormal file is blocked.
In addition, the embodiments of the present invention can use the file transfer events reported by user terminals to detect more promptly which user terminals in the LAN are affected by the abnormal file, so that repair processing of those affected terminals can be carried out as early as possible. This not only stops the effect of the abnormal file on the user terminals in time, but also, to a certain extent, effectively protects the users of those terminals.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the content of the specification, and in order to make the above and other objects, features and advantages of the present invention more readily apparent, specific embodiments of the present invention are set out below.
Brief Description of the Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the optional embodiments. The drawings are only for the purpose of illustrating the optional embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:
Fig. 1 is a schematic flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention; and
Fig. 4 is a schematic structural diagram of a LAN-based security detection apparatus according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
Referring to Fig. 1, a flow chart of the steps of a LAN-based security detection method according to an embodiment of the present invention is shown. The method is applied to a server and may specifically include the following steps:
Step 101: obtain, from pre-acquired file transfer events, the file transfer event to be analyzed that corresponds to an abnormal file, wherein the file transfer events are events reported by user terminals in the local area network;
Step 102: analyze the information of the file transfer event to be analyzed to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
The embodiments of the present invention can be applied to LANs such as enterprise networks, government networks and campus networks. In such a LAN, the server is the device that controls the other user terminals to perform security detection, and a user terminal is a terminal in the LAN that responds to the server's control instructions and exchanges data with the server. In practice, a server agent module may be deployed on the server and a software client module on each user terminal, so that, in an architecture similar to C/S (Client/Server), the server controls the user terminals in the LAN and the user terminals respond to that control and communicate with the server. The server and the user terminals may communicate over a standard protocol or a private protocol; a private protocol has the advantages of being closed and highly secure. It will be understood that the embodiments of the present invention do not restrict the specific way in which the server and the user terminals communicate.
In practice, the user of the server may be an advanced user with a certain level of network security knowledge, such as a network administrator, who can therefore flexibly set the appropriate control instructions according to the current security requirements and actual situation of the LAN.
In the embodiments of the present invention, a first control instruction may instruct a user terminal to report file transfer events to the server; after receiving the first control instruction, the user terminal may monitor local file transfer events and report the monitored file transfer events to the server.
In the embodiments of the present invention, a file transfer event represents the movement of a file on the user terminal side. Optionally, the information of a file transfer event may include at least one of: time information, channel information, file information, file transfer direction and terminal information. The time information indicates when the file transfer event occurred. The channel information indicates the channel of the file transfer event and may, optionally, be the application program information or website information corresponding to the event. The file information identifies the file and may include, but is not limited to, the file name, file path and file feature; the file feature may, for example, be an MD5 (Message Digest Algorithm 5) feature, it being understood that the embodiments of the present invention do not restrict the specific file feature. The file transfer direction may be inbound or outbound. The terminal information indicates the user terminal on which the file transfer event occurred.
In one application example of the present invention, the file transfer events may include at least one of: browser file transfers, IM (Instant Messaging) file transfers, e-mail attachment transfers, USB flash drive file transfers and download-tool file transfers. Every file transfer event on the user terminal side is reported to the server, and the report may include the information of each file transfer event.
After receiving the file transfer events reported by the user terminals, the server may record the information of the received file transfer events. It should be noted that the embodiments of the present invention may record only the file information of a file transfer event, such as the file name, file path or file feature. Because this file information is sufficient to trace the propagation path of a file, the embodiments of the present invention can record the information of file transfer events without storing the files themselves, which saves storage space on the server.
In the embodiments of the present invention, an abnormal file is a file that indicates the presence of an abnormality in the LAN or that causes such an abnormality.
In an optional embodiment of the present invention, the information of the abnormal file may be obtained in the following ways:
Acquisition method 1: receiving abnormal file information reported by a user terminal in response to a file abnormality; and/or
Acquisition method 2: detecting, according to process behavior reported by a user terminal, whether the file corresponding to the process behavior is abnormal.
In acquisition method 1, the information of the abnormal file is obtained through feedback from the user terminal. In one application example of the present invention, suppose a user terminal experiences a system abnormality after downloading an e-mail attachment named "采购表.doc" ("Purchase Form.doc"); the user terminal may then treat that attachment as an abnormal file and report the corresponding abnormal file information.
Acquisition method 2 detects, according to the process behavior reported by the user terminal, whether the file corresponding to the process behavior is abnormal; if so, the file corresponding to the process behavior may be treated as an abnormal file.
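The following is an added example, not part of the patent text, of how the server-side analysis of steps 101 and 102 can be carried out on recorded file transfer events once an abnormal file has been reported under acquisition method 1. The event records, terminal names, channel labels and MD5 values are all constructed; only file information is stored, never file content, as the description above requires.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileTransferEvent:
    """One recorded file transfer event (fields as listed in the description)."""
    time: int          # time information (constructed: seconds since an arbitrary epoch)
    channel: str       # channel information: application or website the file moved through
    file_name: str     # file information: name
    file_path: str     # file information: path
    file_md5: str      # file information: feature (constructed hex digest)
    direction: str     # file transfer direction: "in" or "out"
    terminal: str      # terminal information: the reporting user terminal


# Constructed events from three terminals: the attachment arrives on PC-01 by mail,
# is sent to PC-02 over IM, and reaches PC-03 under a new name via a USB drive.
EVENTS = [
    FileTransferEvent(100, "mail:outlook", "采购表.doc", r"C:\Users\a\Downloads\采购表.doc",
                      "d41d8cd98f00b204e9800998ecf8427e", "in", "PC-01"),
    FileTransferEvent(105, "browser:chrome", "report.pdf", r"C:\Users\a\Downloads\report.pdf",
                      "0cc175b9c0f1b6a831c399e269772661", "in", "PC-01"),
    FileTransferEvent(130, "im:wechat", "采购表.doc", r"C:\Users\a\Documents\采购表.doc",
                      "d41d8cd98f00b204e9800998ecf8427e", "out", "PC-01"),
    FileTransferEvent(131, "im:wechat", "采购表.doc", r"C:\Users\b\WeChat Files\采购表.doc",
                      "d41d8cd98f00b204e9800998ecf8427e", "in", "PC-02"),
    FileTransferEvent(200, "usb:E:", "订单.doc", r"E:\订单.doc",
                      "d41d8cd98f00b204e9800998ecf8427e", "in", "PC-03"),  # renamed copy, same MD5
]

# Abnormal file information as PC-02 would report it under acquisition method 1 (constructed).
ABNORMAL_FILE = {"file_md5": "d41d8cd98f00b204e9800998ecf8427e"}


def select_events(events, abnormal_file):
    """Step 101: match the abnormal file's information against the recorded events.
    The MD5 feature is preferred because it survives renaming; fall back to the name."""
    if "file_md5" in abnormal_file:
        return [e for e in events if e.file_md5 == abnormal_file["file_md5"]]
    return [e for e in events if e.file_name == abnormal_file["file_name"]]


def transmission_source(events):
    """Step 102 (source): the channel of the earliest inbound event is where the file entered
    the LAN. Returns (channel, terminal) or None if the file was never seen arriving."""
    inbound = [e for e in events if e.direction == "in"]
    if not inbound:
        return None
    first = min(inbound, key=lambda e: e.time)
    return first.channel, first.terminal


def affected_terminals(events):
    """Step 102 (affected terminals): every terminal that handled the file, in the order
    in which each first saw it, which is also the propagation path."""
    first_seen = {}
    for e in sorted(events, key=lambda e: e.time):
        first_seen.setdefault(e.terminal, e.time)
    return list(first_seen)


def trace(events, abnormal_file):
    """Run both steps and return a summary the server could act on."""
    matched = select_events(events, abnormal_file)
    return {
        "matched_events": len(matched),
        "source": transmission_source(matched),
        "affected": affected_terminals(matched),
    }


if __name__ == "__main__":
    print(trace(EVENTS, ABNORMAL_FILE))
```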
In an optional embodiment of the present invention, a second control instruction may instruct a user terminal to report process behavior to the server; after receiving the second control instruction, the user terminal may monitor the process behavior of local processes and report the monitored process behavior to the server. The server may then, based on the process behavior reported by the user terminal, detect whether the file corresponding to the process behavior is abnormal. Optionally, the process behavior may include, but is not limited to, at least one of process start/stop behavior, memory behavior and change behavior. The memory behavior may include process injection behavior, file access behavior and network connection behavior; the change behavior may include system change behavior (creation, deletion and modification of registry entries), account change behavior (creation of accounts, change of account privileges) and file change behavior; and the network connection behavior may include at least one of URL (Uniform Resource Locator) access behavior, IP (Internet Protocol) access, port access and DNS (Domain Name System) access.
In an optional embodiment of the present invention, the process of detecting whether the file corresponding to the process behavior is abnormal may include: judging whether the behavior pattern corresponding to the process behavior matches a preset behavior pattern and, if so, determining that the file corresponding to the process behavior is abnormal.
In another optional embodiment of the present invention, the step of detecting, according to the process behavior reported by the user terminal, whether the file corresponding to the process behavior is abnormal may further include: according to the process behavior reported by the user terminal, obtaining the process tree of the user terminal at different moments and the mapping between each process in the process tree and its process behavior; obtaining from the process tree a target process that matches a preset process pattern; and detecting the security of the target process according to the process behavior of the target process.
A preset behavior pattern represents a suspicious pattern of process behavior. In practice, those skilled in the art may define any preset behavior pattern required by the application. In an optional embodiment of the present invention, the preset behavior pattern may be that a file-related process starts a non-operating-system process, for example the winword process (a file-related process) starting a non-Microsoft child process. In another optional embodiment of the present invention, the preset behavior pattern may be that a process, after changing a first file in the file system, accesses a second file and encrypts it. For example, a process changes files in the MFT (Managed File Transfer) and then rapidly accesses office documents; this preset behavior pattern corresponds to the behavior of a ransomware process, which first deletes the file records in the MFT so that they cannot be recovered and then starts looking for documents and encrypting them.
Because the embodiments of the present invention obtain a target process that matches a preset process behavior pattern by analyzing the process tree of the user terminal at different moments and the mapping between each process in the process tree and its process behavior, and then detect the security of the target process according to its process behavior, the embodiments of the present invention can, compared with a traditional virus signature database, use the process trees at different moments, the mapping between processes and process behavior, and preset behavior patterns that characterize suspicious or malicious process behavior to detect unknown threats and latent security risks in the LAN more promptly. This improves the timeliness of security detection and makes effective prevention of viruses possible.
In an optional embodiment of the present invention, after receiving the process behavior reported by each user terminal, the server may record the information of the received process behavior. Optionally, the process behavior information may include, but is not limited to, fields such as the process information and the execution parameters of the process behavior.
In the embodiments of the present invention, a process tree describes the relationships between the processes on a user terminal and usually consists of parent processes and child processes. When some program processes run they create or invoke other processes, and this forms a process tree. Optionally, the information of each process in the process tree may include the process name, the feature value of the program corresponding to the process, the parent process of the process, and so on; it will be understood that the embodiments of the present invention do not restrict the specific information of each process in the process tree. In practice, the name of each node in the process tree may be the same as or different from the process name of the corresponding process; the embodiments of the present invention are described mainly using the case in which node names are the same as process names.
In an optional embodiment of the present invention, the process tree of the user terminal at different moments may be built from the process start/stop behavior included in the process behavior. Optionally, the process start/stop behavior may include the start time and stop time of each process and the processes created or invoked by each process, so that each node of the process tree can be obtained from the process start/stop behavior. For example, suppose process A, process B and process C start at moment 1, moment 2 and moment 3 respectively. If process A is the first process in the system, the root node A of the process tree is obtained; if process A created or invoked process B and process C, child nodes B and C of root node A are obtained, and the process trees at different moments are obtained by following this procedure. It should be noted that the process tree changes as the process start/stop behavior changes, which is how the process tree of the user terminal at different moments is obtained; conversely, comparing the process trees at an earlier and a later moment yields the change in process start/stop behavior.
In another optional embodiment of the present invention, the method of this embodiment may further include receiving a system snapshot at a certain moment reported by the user terminal; the step of building the process tree of the user terminal at different moments according to the process behavior may then include building, on the basis of the system snapshot, the process tree of the user terminal at different moments according to the process behavior. In the embodiments of the present invention, a system snapshot represents the system state of the user terminal at a certain moment T, which may include the processes contained in the system at moment T and their behavior, the registry, files and other state. Since the system snapshot can be regarded as containing the process tree at moment T, building the process tree of the user terminal at different moments from the system snapshot and the process behavior reduces the amount of computation needed to build the process tree and improves the efficiency of building it.
In yet another optional embodiment of the present invention, the system snapshot may be the system state of the user terminal at a first moment T1, and the process behavior may include process start/stop behavior; the step of building the process tree of the user terminal at different moments on the basis of the system snapshot according to the process behavior may then include obtaining the process tree of the user terminal at a second moment T2 from the process start/stop behavior after the first moment T1, where T2 is later than T1. That is, nodes may be added to or deleted from the process tree 1 corresponding to the system snapshot to obtain the process tree at moment T2. Optionally, T1 may be the moment immediately after the operating system finishes starting up; for example, if the operating system finishes starting up at moment T0, T1 is the moment after T0. Of course, the embodiments of the present invention do not restrict the specific value of T1.
在本发明的一种可选实施例中,所述进程行为可以包括:进程启停行为和/或内存行为和/或变更行为等进程启动后产生的一系列行为,则所述依据所述进程行为,建立所述进程树中各进程与进程行为之间的映射关系的步骤,可以包括:针对所述进程树中各进程,建立其与进程启停行为和/或内存行为和/或变更行为之间的映射关系。In an optional embodiment of the present invention, the process behavior may include: a series of behaviors generated after the process starts, such as process start-stop behavior and/or memory behavior and/or change behavior, then the process Behavior, the step of establishing a mapping relationship between each process in the process tree and the process behavior may include: for each process in the process tree, establish its relationship with the process start-stop behavior and/or memory behavior and/or change behavior mapping relationship between them.
After building the process trees of the user terminal at different moments and the mapping relationship between each process in the process tree and the process behavior, a target process that matches a preset process behavior pattern can be obtained from the process tree. In practical applications, each process in the process tree can be traversed, the process behavior of the current process reached by the traversal can be obtained from the above mapping relationship, and whether that current behavior pattern matches the preset behavior pattern can be judged. It can be understood that the embodiment of the present invention does not limit the specific procedure for obtaining from the process tree a target process that matches the preset process behavior pattern.
Further, the security of the target process can be detected according to the process behavior of the target process.
The embodiment of the present invention may provide the following detection methods for detecting the security of the target process according to the process behavior of the target process:
Detection method 1: issue corresponding alarm information for the target process, so that an administrator user, in response to the alarm information, detects the security of the target process according to the process behavior of the target process; and/or
Detection method 2: take the target process, or the descendant processes of the target process, as the process to be analyzed, and detect the security of the target process according to the execution parameters of the process behavior of the process to be analyzed.
In detection method 1, corresponding alarm information may be issued for the target process, so that an administrator user receives the alarm information and checks the security of the target process manually. For example, the process behavior can be analyzed manually and the security of the target process judged from the analysis result; the corresponding analysis may include exclusion and statistical operations on specific fields such as the execution parameters of the process behavior.
Detection method 2 may take the target process, or the descendant processes of the target process, as the process to be analyzed; the execution parameters of the process behavior of the process to be analyzed can then show which behaviors were produced by the execution of the target process, or which behaviors were produced by the descendant processes of the target process, so that the security of the target process can be detected according to the above execution parameters.
In an optional embodiment of the present invention, the step of detecting the security of the target process according to the execution parameters of the process behavior of the process to be analyzed may include:
if the command-line script environment parameter contained in the execution parameters involves script encryption behavior, the security detection result for the target process is unsafe; and/or
if the policy exclusion parameter contained in the execution parameters involves behavior that bypasses the execution restriction policy, the security detection result for the target process is unsafe.
Here, powershell can serve as one example of a command-line script environment parameter: if the run parameters of powershell include script encryption behavior such as the enc parameter, the security detection result for the target process can be regarded as unsafe.
Excludepolicy can serve as one example of a policy exclusion parameter: if Excludepolicy involves behavior that bypasses the execution restriction policy, the security detection result for the target process can be regarded as unsafe. The execution restriction policy is a group policy that, when the restriction is enabled, can prevent commands from being executed through powershell; however, there are many ways to bypass this execution restriction policy, which gives malicious processes an opening. In the process of detecting the security of the target process according to the execution parameters to be analyzed of the process behavior of the process to be analyzed, the embodiment of the present invention may execute those execution parameters to be analyzed; with the execution restriction policy enabled, executing the parameters to be analyzed causes corresponding prompt information to be issued, and the embodiment of the present invention can capture that prompt information through an EDR (endpoint detection and response) unit. If the capture succeeds, Excludepolicy can be regarded as involving behavior that bypasses the execution restriction policy, and the security detection result for the target process is further regarded as unsafe.
It can be understood that the detection procedures corresponding to the command-line script environment parameter involving script encryption behavior and the policy exclusion parameter involving bypassing of the execution restriction policy are only optional embodiments of the present invention; in fact, those skilled in the art can also detect other behaviors contained in the execution parameters according to actual application requirements, and the embodiment of the present invention does not limit the specific procedure for detecting the security of the target process according to the execution parameters of the process behavior of the process to be analyzed. In addition, it can be understood that in the embodiment of the present invention the security detection result for the target process may also be: safe.
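The procedure of the preceding paragraphs (snapshot at T1 plus later start/stop events giving the tree at T2, a preset parent/child pattern selecting the target process, and the execution parameters of the target and its descendants deciding safe/unsafe), as an added server-side example that is not part of the patent text. The event layout, the preset pattern (a command interpreter started by winword.exe), the fixed spellings accepted for the encoded-command and execution-policy flags, and all sample values are constructed assumptions; the mapping from process to behavior is reduced to the command line.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Proc:
    pid: int
    name: str
    ppid: Optional[int]
    cmdline: str = ""          # execution parameters reported for this process
    children: Set[int] = field(default_factory=set)


class ProcessTree:
    """Process tree of one terminal, seeded from the snapshot at T1 and
    advanced to T2 by applying the start/stop events that follow T1."""

    def __init__(self, snapshot: Iterable[dict]):
        self.procs: Dict[int, Proc] = {}
        for rec in snapshot:
            self._add(Proc(rec["pid"], rec["name"], rec["ppid"], rec.get("cmdline", "")))

    def _add(self, p: Proc) -> None:
        self.procs[p.pid] = p
        if p.ppid in self.procs:
            self.procs[p.ppid].children.add(p.pid)

    def _remove(self, pid: int) -> None:
        p = self.procs.pop(pid, None)
        if p is not None and p.ppid in self.procs:
            self.procs[p.ppid].children.discard(pid)
        # children of a stopped process keep a stale ppid; reparenting is not modelled

    def apply(self, events: Iterable[dict]) -> None:
        for ev in sorted(events, key=lambda e: e["t"]):   # replay in time order
            if ev["type"] == "start":
                self._add(Proc(ev["pid"], ev["name"], ev["ppid"], ev.get("cmdline", "")))
            elif ev["type"] == "stop":
                self._remove(ev["pid"])

    def descendants(self, pid: int) -> List[int]:
        out, stack = [], list(self.procs[pid].children)
        while stack:
            c = stack.pop()
            out.append(c)
            stack.extend(self.procs[c].children)
        return out


# Constructed detection tables: PowerShell accepts case-insensitive, unambiguous
# prefixes of its switches; only these common spellings are matched here.
SCRIPT_HOSTS = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}
ENC_FLAGS = {"-e", "-ec", "-en", "-enc", "-encodedcommand"}   # -EncodedCommand
POLICY_FLAGS = {"-ep", "-ex", "-exec", "-executionpolicy"}    # -ExecutionPolicy
BYPASS_VALUES = {"bypass", "unrestricted"}
PRESET_PATTERN = {"parent": {"winword.exe"}, "child": {"cmd.exe", "powershell.exe"}}


def check_execution_params(cmdline: str) -> List[str]:
    """Return the indicators found in one command line (empty list = nothing found)."""
    toks = cmdline.split()
    if not toks:
        return []
    exe = toks[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in SCRIPT_HOSTS:
        return []
    findings = []
    for i in range(1, len(toks)):
        t = toks[i].lower()
        if t in ENC_FLAGS:
            findings.append("script encoding (EncodedCommand)")
        elif t in POLICY_FLAGS and i + 1 < len(toks) and toks[i + 1].lower() in BYPASS_VALUES:
            findings.append("execution policy bypass")
    return findings


def find_targets(tree: ProcessTree, pattern: dict = PRESET_PATTERN) -> List[int]:
    """Traverse the tree and return pids whose parent/child names match the preset pattern."""
    targets = []
    for p in tree.procs.values():
        parent = tree.procs.get(p.ppid)
        if parent and parent.name.lower() in pattern["parent"] and p.name.lower() in pattern["child"]:
            targets.append(p.pid)
    return sorted(targets)


def assess_target(tree: ProcessTree, pid: int) -> Tuple[str, List[str]]:
    """Detection method 2: inspect the target and all its descendants."""
    findings = []
    for q in [pid] + tree.descendants(pid):
        for f in check_execution_params(tree.procs[q].cmdline):
            findings.append(f"pid {q} ({tree.procs[q].name}): {f}")
    return ("unsafe" if findings else "safe"), findings


# Constructed snapshot at T1 and the start/stop events reported after it.
SNAPSHOT_T1 = [
    {"pid": 4, "name": "System", "ppid": None},
    {"pid": 600, "name": "explorer.exe", "ppid": 4},
    {"pid": 1200, "name": "winword.exe", "ppid": 600, "cmdline": "winword.exe 采购表.doc"},
]
EVENTS_AFTER_T1 = [
    {"t": 1, "type": "start", "pid": 1300, "name": "cmd.exe", "ppid": 1200, "cmdline": "cmd.exe /c start ps"},
    {"t": 2, "type": "start", "pid": 1310, "name": "powershell.exe", "ppid": 1300,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -enc ZQBjAGgAbwA="},  # constructed: UTF-16LE "echo"
    {"t": 3, "type": "start", "pid": 1400, "name": "notepad.exe", "ppid": 600, "cmdline": "notepad.exe"},
    {"t": 4, "type": "stop", "pid": 1400},
]


def build_demo_tree() -> ProcessTree:
    tree = ProcessTree(SNAPSHOT_T1)
    tree.apply(EVENTS_AFTER_T1)           # tree at T2
    return tree


if __name__ == "__main__":
    t = build_demo_tree()
    for target in find_targets(t):
        print(target, assess_target(t, target))
```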
It can be understood that acquisition method 1 and acquisition method 2 above are only optional embodiments of the way the information of an abnormal file is acquired in the present invention; in fact, those skilled in the art can adopt other ways of acquiring abnormal files according to actual application requirements. For example, file verification may be performed according to the file characteristics of the file corresponding to a file transfer event, and a file that fails verification is treated as an abnormal file. As another example, the growth trend of the files corresponding to file transfer events can be obtained by analyzing the scan results of the user terminals in the local area network over a period of time, and whether each file is abnormal can be judged according to its growth trend. Suppose the scan results of the user terminals in the local area network over a period of time show that a file spread from one host to one thousand hosts within a week; the file can then be judged to be abnormal according to its growth trend. Whether a file is abnormal may be judged according to parameters such as the rate corresponding to the growth trend and the maximum value of risk objects; the embodiment of the present invention does not limit the specific judgment method.
After the information of the abnormal file is acquired, step 101 can obtain the file transfer event to be analyzed corresponding to the abnormal file from the pre-acquired file transfer events. Specifically, the information of the abnormal file can be matched against the information of each file transfer event, and if the match succeeds, the matched file transfer event is taken as the file transfer event to be analyzed. For example, the file characteristics of the abnormal file can be matched against the file characteristics of the file transfer events, and so on; it can be understood that the embodiment of the present invention does not limit the specific procedure for obtaining the file transfer event to be analyzed corresponding to the abnormal file from the pre-acquired file transfer events.
Step 102 can analyze the information of the file transfer event to be analyzed obtained in step 101 to obtain the transmission source and/or the affected user terminal corresponding to the abnormal file.
Since a file transfer event can represent a file flow event on the user terminal side, and every file transfer event on the user terminal side is reported to the server, the embodiment of the present invention can obtain the transmission source corresponding to the abnormal file by analyzing the information of the file transfer events to be analyzed that are related to the abnormal file. Therefore, compared with a traditional virus signature database, the embodiment of the present invention can detect unknown threats and hidden security risks in the local area network more promptly through the file transfer events reported by the user terminals, thereby improving the timeliness of security detection; further, the transmission source corresponding to the abnormal file can be intercepted as early as possible, so as to block the propagation path of the abnormal file.
In addition, the embodiment of the present invention can detect the user terminals in the local area network that are affected by the abnormal file more promptly through the file transfer events reported by the user terminals, so the repair of those affected terminals can be carried out as early as possible; in this way, the impact of the abnormal file on the user terminals can be stopped in time, and the users of the user terminals can be effectively protected to a certain extent.
In an optional embodiment of the present invention, step 102 of analyzing the information of the file transfer event to be analyzed may include: obtaining, according to the time information of the file transfer events to be analyzed, the target file transfer event with the earliest occurrence time among them, and obtaining the transmission source corresponding to the abnormal file according to the channel information of the target file transfer event. Since the time information can represent the occurrence time of a file transfer event, the target file transfer event with the earliest occurrence time can be obtained from the multiple file transfer events to be analyzed according to the time information of each such event and taken as the file transfer event corresponding to the propagation source; further, the transmission source corresponding to the abnormal file can be obtained according to the channel information of the target file transfer event.
In an application example of the present invention, suppose the abnormal file is "采购表.doc" (a purchasing form); the target file transfer event with the earliest occurrence time can then be obtained according to the time information of the file transfer events to be analyzed corresponding to the abnormal file, and this target file transfer event is the first event related to the abnormal file that occurred in the local area network. For example, if the direction of the abnormal file is inbound and the abnormal file entered the local area network through a channel such as a browser, a mailbox or a USB flash drive, the corresponding transmission source can be obtained according to the above channel information. Optionally, the above transmission source may include, but is not limited to, a threat URL, a threat mailbox contact, a threat IP, a threat DNS, or threat virus characteristics obtained by analysis.
In another optional embodiment of the present invention, the method of this embodiment may further include: intercepting the transmission source corresponding to the abnormal file. Intercepting the transmission source corresponding to the abnormal file can block the propagation path of the abnormal file.
Optionally, the step of intercepting the transmission source corresponding to the abnormal file may include: setting a corresponding firewall rule for the transmission source corresponding to the abnormal file, so as to intercept the transmission source through the firewall rule. For example, corresponding firewall rules can be set for threat URLs, threat mailbox contacts, threat IPs, threat DNS and the like, so as to intercept those transmission sources; for instance, mail sent by a threat mailbox contact can be blocked.
It can be understood that intercepting the transmission source through firewall rules as described above is only an optional embodiment; in fact, the specific interception method is not limited for those skilled in the art. For example, for threat virus characteristics, interception can also be performed through a virus signature database, and so on; it can be understood that any interception method that intercepts the transmission source falls within the scope of protection of the embodiments of the present invention.
In an optional embodiment of the present invention, step 102 of analyzing the information of the file transfer event to be analyzed may include: obtaining the affected user terminals corresponding to the abnormal file according to the terminal information of the file transfer events to be analyzed. Since the file transfer events to be analyzed correspond to the abnormal file, the affected user terminals corresponding to the abnormal file can be obtained according to their terminal information. In an application example of the present invention, suppose the abnormal file is "采购表.doc" and its first file transfer event in the local area network was a transfer as a mail attachment through a mailbox; suppose user 1 of that first file transfer event then produced a second file transfer event by IM and sent the abnormal file to user 2, and user 2 then produced a third file transfer event through a mail attachment and sent the abnormal file to user 3, and so on; further, user 1, user 2 and user 3 also triggered other file transfer events. Assuming the number of file transfer events is N, where N is a positive integer, the embodiment of the present invention can regard the terminals corresponding to these N file transfer events as all being affected terminals.
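Steps 101 and 102 as described above (match the abnormal file to reported transfer events by file characteristic, take the earliest event's channel information as the transmission source, collect the affected terminals from the terminal information) together with the growth-trend check, as an added example that is not part of the patent text. The event fields, the use of a SHA-256 value as the file characteristic, the "peer" field holding the channel-specific remote identity, and all sample values are constructed assumptions.

```python
from typing import Dict, List, Optional

ABNORMAL_SHA256 = "sha256-of-abnormal-file"    # placeholder file characteristic

# Constructed transfer events as reported by terminals (steps 301/302).
# "peer" is the channel-specific remote identity: mail sender, IM contact, URL, USB serial, ...
EVENTS = [
    {"t": 100, "terminal": "host-01", "user": "user1", "channel": "mail", "direction": "in",
     "file": "采购表.doc", "sha256": ABNORMAL_SHA256, "peer": "sender@example.invalid"},
    {"t": 150, "terminal": "host-09", "user": "user9", "channel": "browser", "direction": "in",
     "file": "notes.txt", "sha256": "sha256-of-a-benign-file", "peer": "https://intranet.example.invalid/"},
    {"t": 200, "terminal": "host-01", "user": "user1", "channel": "im", "direction": "out",
     "file": "采购表.doc", "sha256": ABNORMAL_SHA256, "peer": "user2"},
    {"t": 201, "terminal": "host-02", "user": "user2", "channel": "im", "direction": "in",
     "file": "采购表.doc", "sha256": ABNORMAL_SHA256, "peer": "user1"},
    {"t": 300, "terminal": "host-02", "user": "user2", "channel": "mail", "direction": "out",
     "file": "采购表.doc", "sha256": ABNORMAL_SHA256, "peer": "user3@corp.example.invalid"},
    {"t": 301, "terminal": "host-03", "user": "user3", "channel": "mail", "direction": "in",
     "file": "采购表.doc", "sha256": ABNORMAL_SHA256, "peer": "user2@corp.example.invalid"},
]


def events_for_file(events: List[dict], sha256: str) -> List[dict]:
    """Step 101: the events to be analyzed are those whose file characteristic matches."""
    return sorted((e for e in events if e["sha256"] == sha256), key=lambda e: e["t"])


def find_source(matching: List[dict]) -> Optional[dict]:
    """Step 102: the earliest event is the first appearance in the LAN; its channel
    information names the transmission source. An earliest event that is outbound
    means the file originated inside the LAN, so the caller should treat the
    returned peer as a recipient, not a source."""
    if not matching:
        return None
    first = matching[0]
    return {"channel": first["channel"], "source": first["peer"],
            "direction": first["direction"], "terminal": first["terminal"]}


def affected_terminals(matching: List[dict]) -> List[str]:
    """Step 102: every terminal that reported a transfer of the file is affected."""
    return sorted({e["terminal"] for e in matching})


def spread_is_abnormal(first_seen: Dict[str, float], window: float, max_hosts: int) -> bool:
    """Growth-trend check: True if more than max_hosts hosts first saw the file
    within any time window of length `window` (sliding window over sorted times)."""
    times = sorted(first_seen.values())
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        if hi - lo + 1 > max_hosts:
            return True
    return False


if __name__ == "__main__":
    m = events_for_file(EVENTS, ABNORMAL_SHA256)
    print("source:", find_source(m))
    print("affected:", affected_terminals(m))
    # constructed first-seen days per host: six hosts in three days
    print("abnormal spread:", spread_is_abnormal(
        {"h1": 0, "h2": 1, "h3": 1, "h4": 2, "h5": 2, "h6": 3}, window=7, max_hosts=5))
```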
In another optional embodiment of the present invention, the method of this embodiment may further include: performing early-warning processing on the affected user terminals. For example, the early-warning processing may send a first notification message to a user terminal storing the abnormal file, send a second notification message for a USB flash drive storing the abnormal file, and so on, so as to block the propagation path.
In yet another optional embodiment of the present invention, the method of this embodiment may further include: performing repair processing on the affected user terminals. Optionally, the repair processing may recall abnormal files that have already been transmitted; for example, abnormal files transmitted as mail attachments can be recalled, and so on.
In a further optional embodiment of the present invention, the repair methods corresponding to the repair processing performed on the affected user terminals may include:
Repair method 1: scan and kill the process corresponding to the abnormal file on a single affected user terminal, and if the kill succeeds, scan and kill the process corresponding to the abnormal file on all affected user terminals; or
Repair method 2: scan and kill the process corresponding to the abnormal file on a single affected user terminal, and if the kill fails, back up the data of each affected user terminal and then update the operating system of each affected user terminal.
Repair method 1 may attempt to scan and kill the process corresponding to the abnormal file on a single affected user terminal and judge from the result whether the process corresponding to the abnormal file can be isolated; if so, the kill is regarded as successful, and the kill operation for the process corresponding to the abnormal file can be replicated on all affected user terminals.
Repair method 2 applies when the kill fails; specifically, the data of each affected user terminal can be backed up and then the operating system of each affected user terminal updated. For example, the user data of an affected user terminal can be copied to a non-system disk or a secure removable device, and the system reinstalled on the affected user terminal.
In summary, in the local-area-network-based security detection method of the embodiment of the present invention, since a file transfer event can represent a file flow event on the user terminal side, and every file transfer event on the user terminal side is reported to the server, the embodiment can obtain the transmission source corresponding to the abnormal file by analyzing the information of the file transfer events to be analyzed that are related to the abnormal file. Therefore, compared with a traditional virus signature database, the embodiment of the present invention can detect unknown threats and hidden security risks in the local area network more promptly through the file transfer events reported by the user terminals, thereby improving the timeliness of security detection; further, the transmission source corresponding to the abnormal file can be intercepted as early as possible, so as to block the propagation path of the abnormal file.
In addition, the embodiment of the present invention can detect the user terminals in the local area network that are affected by the abnormal file more promptly through the file transfer events reported by the user terminals, so the repair of those affected terminals can be carried out as early as possible; in this way, the impact of the abnormal file on the user terminals can be stopped in time, and the users of the user terminals can be effectively protected to a certain extent.
Referring to FIG. 2, a flow chart of the steps of a local-area-network-based security detection method according to an embodiment of the present invention is shown; the method is applied to a server and may specifically include the following steps:
Step 201: obtain a file transfer event to be analyzed corresponding to an abnormal file from pre-acquired file transfer events, where the file transfer events are events reported by user terminals in the local area network;
Step 202: analyze the information of the file transfer event to be analyzed to obtain the transmission source and/or the affected user terminal corresponding to the abnormal file;
Compared with the method embodiment shown in FIG. 1, the method of this embodiment may further include:
Step 203: receive the process behavior reported by a user terminal;
Step 204: detect whether the process behavior contains a preset theft behavior directed at files.
The embodiment of the present invention can detect, for the process behavior reported by a user terminal, whether that process behavior contains a preset theft behavior directed at files, and can thereby detect leakage during file transfer.
In an optional embodiment of the present invention, the preset theft behavior may be that a child process of winword accesses other files and steals their contents by copying or modifying the file contents. It can be understood that those skilled in the art can set corresponding preset theft behaviors according to actual application requirements, and the embodiment of the present invention does not limit the specific preset theft behavior.
It should be noted that when the detection result of step 204 is yes, corresponding warning information can be issued so that the network administrator takes corresponding measures against the user terminal or user associated with the preset theft behavior; for example, the user terminal's or user's permission to operate on files can be revoked, and so on, so as to effectively prevent the loss of local area network data and improve the security of the local area network.
Referring to FIG. 3, a flow chart of the steps of a local-area-network-based security detection method according to an embodiment of the present invention is shown, which may specifically include the following steps:
Step 301: the user terminal monitors local file transfer events and reports the detected file transfer events and their information to the server;
Step 302: the server records the file transfer events reported by the user terminal;
Step 303: the server acquires the information of an abnormal file;
Step 304: the server obtains the file transfer event to be analyzed corresponding to the abnormal file from the pre-acquired file transfer events;
Step 305: the server analyzes the information of the file transfer event to be analyzed to obtain the transmission source and/or the affected user terminal corresponding to the abnormal file;
Step 306: the server intercepts the transmission source corresponding to the abnormal file and/or repairs the affected user terminal;
Step 307: the user terminal monitors the process behavior of local processes and reports the monitored process behavior to the server;
Step 308: the server detects whether the process behavior contains a preset theft behavior directed at files.
It should be noted that the embodiment of the present invention does not limit the execution order of steps 301 to 306 relative to steps 307 to 308; the two groups may be executed one before the other, in the reverse order, or in parallel.
In summary, the local-area-network-based security detection method of the embodiment of the present invention can detect unknown threats and hidden security risks in the local area network more promptly through the file transfer events reported by user terminals, thereby improving the timeliness of security detection; further, the transmission source corresponding to the abnormal file can be intercepted as early as possible, so as to block the propagation path of the abnormal file.
In addition, the embodiment of the present invention can detect the user terminals in the local area network that are affected by the abnormal file more promptly through the file transfer events reported by the user terminals, so the repair of those affected terminals can be carried out as early as possible; in this way, the impact of the abnormal file on the user terminals can be stopped in time, and the users of the user terminals can be effectively protected to a certain extent.
Moreover, the embodiment of the present invention can detect, for the process behavior reported by a user terminal, whether that process behavior contains a preset theft behavior directed at files, thereby detecting leakage during file transfer and further improving the security of the local area network.
For simplicity of description, the method embodiments are all expressed as a series of combined actions, but those skilled in the art should know that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention certain steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all optional embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Referring to Fig. 4, a structural block diagram of a LAN-based security detection device according to one embodiment of the invention is shown. The device is applied to a server and may include the following modules:
a transfer event acquisition module 401, configured to obtain, from previously acquired file transfer events, the file transfer events to be analyzed that correspond to an abnormal file, where the file transfer events are events reported by user terminals in the LAN;
a transfer event analysis module 402, configured to analyze the information of the file transfer events to be analyzed to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
Optionally, the information of a file transfer event may include at least one of: time information, channel information, file information, file transfer direction and terminal information.
Optionally, the transfer event acquisition module may include:
a matching submodule, configured to match the file information of the abnormal file against the file information of the file transfer events and treat each successfully matched event as a file transfer event to be analyzed.
Optionally, the transfer event analysis module may include:
a first transfer event analysis submodule, configured to select, using the time information of the file transfer events to be analyzed, the target file transfer event with the earliest occurrence time and derive the transmission source of the abnormal file from the channel information of that target event; and/or
a second transfer event analysis submodule, configured to derive the affected user terminals corresponding to the abnormal file from the terminal information of the file transfer events to be analyzed.
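The matching submodule, the two analysis submodules and the firewall rule of the interception submodule can be exercised on synthetic data. The following Python is an added example written for this page, not code from the patent or its applicant; the event schema, the digest-then-name matching rule, the channel formats, the "earliest event wins" source rule and the iptables syntax are assumptions, and the events and digests are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class FileTransferEvent:
    """One file-transfer event reported by a terminal (assumed schema)."""
    time: int         # reporting terminal's clock, epoch seconds
    channel: str      # where the file came from or went to
    file_name: str
    file_sha256: str  # constructed placeholder digests below, not real hashes
    direction: str    # "in": terminal received the file, "out": terminal sent it
    terminal: str     # terminal identifier


# Constructed events from four terminals; not data from the patent.
EVENTS = [
    FileTransferEvent(1000, "smb://10.0.0.5/public", "invoice.exe", "aa11", "in", "T-01"),
    FileTransferEvent(1100, "usb", "invoice_copy.exe", "aa11", "in", "T-02"),
    FileTransferEvent(1150, "email:vendor@example.com", "report.docx", "bb22", "in", "T-03"),
    FileTransferEvent(1200, "smb://10.0.0.7/share", "invoice.exe", "aa11", "out", "T-01"),
    FileTransferEvent(1300, "smb://10.0.0.7/share", "invoice.exe", "aa11", "in", "T-04"),
]


def select_events(events, abnormal):
    """Match the abnormal file's information against each event's file information.
    A digest match is authoritative; a name match is used only when no digest is
    known, so the renamed copy on T-02 is still caught by its digest."""
    digest = abnormal.get("sha256")
    if digest:
        return [e for e in events if e.file_sha256 == digest]
    return [e for e in events if e.file_name == abnormal["name"]]


def analyze(events):
    """Transmission source = channel of the earliest matching event;
    affected terminals = every terminal that reported a matching event."""
    if not events:
        return None, set()
    first = min(events, key=lambda e: e.time)
    return first.channel, {e.terminal for e in events}


def firewall_rule(source):
    """Turn a network channel into a block rule (iptables syntax chosen for
    illustration). Non-network channels such as USB or email return None:
    a firewall rule cannot intercept them."""
    parsed = urlparse(source)
    if parsed.scheme in ("smb", "http", "https", "ftp") and parsed.hostname:
        return f"iptables -I FORWARD -s {parsed.hostname} -j DROP"
    return None


def trace(events, abnormal):
    """Full pipeline: match, derive source and affected terminals, propose a rule."""
    matched = select_events(events, abnormal)
    source, affected = analyze(matched)
    return {
        "source": source,
        "affected": sorted(affected),
        "rule": firewall_rule(source) if source else None,
    }


if __name__ == "__main__":
    print(trace(EVENTS, {"sha256": "aa11"}))
    print(trace(EVENTS, {"name": "report.docx"}))
```

Two caveats a deployment has to handle: "earliest" is only meaningful if terminal clocks are synchronised (or the server stamps events on receipt), and an "out" event from an already affected terminal (T-01 at 1200) shows the file spreading through that terminal, so the propagation path, not just the first channel, is worth recording before blocking.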
Optionally, the device may further include an abnormality acquisition module for obtaining the information of the abnormal file;
the abnormality acquisition module may include:
a receiving submodule, configured to receive abnormal file information reported by a user terminal for a file abnormality; and/or
a process detection submodule, configured to detect, from the process behaviors reported by a user terminal, whether the file corresponding to a process behavior is abnormal.
Optionally, the process detection submodule may include:
a process tree acquisition unit, configured to obtain, from the process behaviors reported by a user terminal, the terminal's process tree at different moments and the mapping between each process in the tree and its process behaviors;
a target process acquisition unit, configured to obtain, from the process tree, a target process that matches a preset process pattern;
the security of the target process then being detected according to the process behaviors of the target process.
Optionally, the device may further include:
an interception module, configured to intercept the transmission source corresponding to the abnormal file; and/or
a repair module, configured to repair the affected user terminals.
Optionally, the interception module may include:
a firewall interception submodule, configured to set a firewall rule for the transmission source corresponding to the abnormal file, so that the transmission source is intercepted by that rule.
Optionally, the repair module may include:
a first repair submodule, configured to kill the process corresponding to the abnormal file on a single affected user terminal and, if that succeeds, kill the process corresponding to the abnormal file on all affected user terminals; or
a second repair submodule, configured to kill the process corresponding to the abnormal file on a single affected user terminal and, if that fails, back up the data of each affected user terminal and then update its operating system.
Optionally, the device may further include:
a process behavior receiving module, configured to receive the process behaviors reported by user terminals;
a theft detection module, configured to detect whether the process behaviors include a preset file-stealing behavior.
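The text does not say what the process tree, the preset process pattern or the preset stealing behavior look like. The following Python is an added example, not code from the patent or its applicant, serving both the process detection submodule (process tree, target process, security check) and the theft detection module: it assumes one record schema for reported process behaviors, an ancestor-chain form for preset process patterns, and a "sensitive read followed by network send or removable-media write" rule for the preset stealing behavior. The telemetry, patterns and paths are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessBehavior:
    """One process-behavior record reported by a terminal (assumed schema)."""
    time: int
    terminal: str
    pid: int
    ppid: int
    image: str    # process image name
    action: str   # "start", "file_read", "file_write" or "net_send"
    target: str   # file path, or host:port for net_send


# Constructed telemetry from one terminal; not data from the patent.
BEHAVIORS = [
    ProcessBehavior(1, "T-01", 100, 1, "explorer.exe", "start", ""),
    ProcessBehavior(2, "T-01", 200, 100, "WINWORD.EXE", "start", ""),
    ProcessBehavior(3, "T-01", 200, 100, "WINWORD.EXE", "file_read", r"C:\Users\a\Downloads\invoice.docm"),
    ProcessBehavior(4, "T-01", 300, 200, "cmd.exe", "start", ""),
    ProcessBehavior(5, "T-01", 400, 300, "powershell.exe", "start", ""),
    ProcessBehavior(6, "T-01", 400, 300, "powershell.exe", "file_read", r"C:\Finance\payroll.xlsx"),
    ProcessBehavior(7, "T-01", 400, 300, "powershell.exe", "net_send", "203.0.113.9:443"),
    ProcessBehavior(8, "T-01", 500, 100, "outlook.exe", "start", ""),
    ProcessBehavior(9, "T-01", 500, 100, "outlook.exe", "file_read", r"C:\Finance\payroll.xlsx"),
]

# Preset process patterns (assumed): an ancestor chain that ends at the target process.
PRESET_PROCESS_PATTERNS = [
    ("winword.exe", "cmd.exe", "powershell.exe"),
    ("excel.exe", "powershell.exe"),
]
# Preset stealing rule (assumed): a read under a sensitive path, then a network send
# or a write to removable media by the same process.
SENSITIVE_PREFIXES = ("c:\\finance\\",)
REMOVABLE_PREFIXES = ("e:\\", "f:\\")


def build_process_tree(behaviors):
    """Map pid -> ppid, pid -> image (lower-cased) and pid -> its behaviors."""
    parent_of, image_of, behaviors_of = {}, {}, defaultdict(list)
    for b in behaviors:
        parent_of[b.pid] = b.ppid
        image_of[b.pid] = b.image.lower()
        behaviors_of[b.pid].append(b)
    return parent_of, image_of, behaviors_of


def ancestry(pid, parent_of, image_of):
    """Pids from the highest known ancestor down to pid; `seen` guards against
    pid reuse producing a cycle in the reported parent links."""
    chain, seen = [], set()
    while pid in image_of and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = parent_of[pid]
    return tuple(reversed(chain))


def find_target_processes(behaviors, patterns=PRESET_PROCESS_PATTERNS):
    """Return {target_pid: pid where the matched pattern starts} for every process
    whose ancestor chain ends with one of the preset patterns."""
    parent_of, image_of, _ = build_process_tree(behaviors)
    targets = {}
    for pid in image_of:
        pids = ancestry(pid, parent_of, image_of)
        images = tuple(image_of[p] for p in pids)
        for pat in patterns:
            if len(images) >= len(pat) and images[-len(pat):] == pat:
                targets[pid] = pids[-len(pat)]
                break
    return targets


def has_stealing_behavior(pid_behaviors):
    """Preset stealing check on one process's behaviors, evaluated in time order."""
    sensitive_read_seen = False
    for b in sorted(pid_behaviors, key=lambda x: x.time):
        t = b.target.lower()
        if b.action == "file_read" and t.startswith(SENSITIVE_PREFIXES):
            sensitive_read_seen = True
        elif sensitive_read_seen and (
            b.action == "net_send"
            or (b.action == "file_write" and t.startswith(REMOVABLE_PREFIXES))
        ):
            return True
    return False


def assess_terminal(behaviors):
    """Per target process: its image chain, the files read by the process at the
    start of the matched pattern (the suspected abnormal file), and whether the
    target itself shows the preset stealing behavior."""
    parent_of, image_of, behaviors_of = build_process_tree(behaviors)
    report = {}
    for pid, root in find_target_processes(behaviors).items():
        report[pid] = {
            "chain": tuple(image_of[p] for p in ancestry(pid, parent_of, image_of)),
            "suspect_files": [b.target for b in behaviors_of[root] if b.action == "file_read"],
            "stealing": has_stealing_behavior(behaviors_of[pid]),
        }
    return report


def stealing_processes(behaviors):
    """Theft detection module: run the preset stealing check over every reported
    process, not only the pattern-matched targets."""
    _, _, behaviors_of = build_process_tree(behaviors)
    return sorted(pid for pid, bs in behaviors_of.items() if has_stealing_behavior(bs))


if __name__ == "__main__":
    print(assess_terminal(BEHAVIORS))
    print(stealing_processes(BEHAVIORS))
```

The two checks are deliberately separate: outlook.exe reads the same payroll file but never sends it, so it is neither a pattern target nor flagged for stealing, while the document that started the matched chain is reported as the suspected abnormal file so it can be fed back into the transfer-event matching.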
Since the device embodiment is essentially similar to the method embodiment, its description is kept brief; for related details, refer to the description of the method embodiment.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the above description. Furthermore, the invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided herein. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may also be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the LAN-based security detection method and device according to the embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet platform, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.
The invention discloses A1, a LAN-based security detection method applied to a server, comprising:
obtaining, from previously acquired file transfer events, the file transfer events to be analyzed that correspond to an abnormal file, where the file transfer events are events reported by user terminals in the LAN;
analyzing the information of the file transfer events to be analyzed to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
A2. The method of A1, wherein the information of a file transfer event includes at least one of: time information, channel information, file information, file transfer direction and terminal information.
A3. The method of A1 or A2, wherein the step of obtaining, from previously acquired file transfer events, the file transfer events to be analyzed that correspond to the abnormal file includes:
matching the file information of the abnormal file against the file information of the file transfer events, and treating each successfully matched file transfer event as a file transfer event to be analyzed.
A4. The method of A1 or A2, wherein the step of analyzing the information of the file transfer events to be analyzed includes:
selecting, using the time information of the file transfer events to be analyzed, the target file transfer event with the earliest occurrence time, and deriving the transmission source of the abnormal file from the channel information of the target file transfer event; and/or
deriving the affected user terminals corresponding to the abnormal file from the terminal information of the file transfer events to be analyzed.
A5. The method of A1 or A2, wherein the information of the abnormal file is obtained by:
receiving abnormal file information reported by a user terminal for a file abnormality; and/or
detecting, from the process behaviors reported by a user terminal, whether the file corresponding to a process behavior is abnormal.
A6. The method of A5, wherein the step of detecting, from the process behaviors reported by a user terminal, whether the file corresponding to a process behavior is abnormal includes:
obtaining, from the process behaviors reported by the user terminal, the terminal's process tree at different moments and the mapping between each process in the tree and its process behaviors;
obtaining, from the process tree, a target process that matches a preset process pattern;
detecting the security of the target process according to the process behaviors of the target process.
A7. The method of A1 or A2, further comprising:
intercepting the transmission source corresponding to the abnormal file; and/or
repairing the affected user terminals.
A8. The method of A7, wherein the step of intercepting the transmission source corresponding to the abnormal file includes:
setting a firewall rule for the transmission source corresponding to the abnormal file, so that the transmission source is intercepted by that rule.
A9. The method of A7, wherein the step of repairing the affected user terminals includes:
killing the process corresponding to the abnormal file on a single affected user terminal and, if that succeeds, killing the process corresponding to the abnormal file on all affected user terminals; or
killing the process corresponding to the abnormal file on a single affected user terminal and, if that fails, backing up the data of each affected user terminal and then updating its operating system.
A10. The method of A1 or A2, further comprising:
receiving the process behaviors reported by a user terminal;
detecting whether the process behaviors include a preset file-stealing behavior.
The invention discloses B11, a LAN-based security detection device applied to a server, comprising:
a transfer event acquisition module, configured to obtain, from previously acquired file transfer events, the file transfer events to be analyzed that correspond to an abnormal file, where the file transfer events are events reported by user terminals in the LAN;
a transfer event analysis module, configured to analyze the information of the file transfer events to be analyzed to obtain the transmission source and/or the affected user terminals corresponding to the abnormal file.
B12. The device of B11, wherein the information of a file transfer event includes at least one of: time information, channel information, file information, file transfer direction and terminal information.
B13. The device of B11 or B12, wherein the transfer event acquisition module includes:
a matching submodule, configured to match the file information of the abnormal file against the file information of the file transfer events and treat each successfully matched file transfer event as a file transfer event to be analyzed.
B14. The device of B11 or B12, wherein the transfer event analysis module includes:
a first transfer event analysis submodule, configured to select, using the time information of the file transfer events to be analyzed, the target file transfer event with the earliest occurrence time and derive the transmission source of the abnormal file from the channel information of the target file transfer event; and/or
a second transfer event analysis submodule, configured to derive the affected user terminals corresponding to the abnormal file from the terminal information of the file transfer events to be analyzed.
B15. The device of B11 or B12, further comprising an abnormality acquisition module for obtaining the information of the abnormal file;
the abnormality acquisition module includes:
a receiving submodule, configured to receive abnormal file information reported by a user terminal for a file abnormality; and/or
a process detection submodule, configured to detect, from the process behaviors reported by a user terminal, whether the file corresponding to a process behavior is abnormal.
B16. The device of B15, wherein the process detection submodule includes:
a process tree acquisition unit, configured to obtain, from the process behaviors reported by a user terminal, the terminal's process tree at different moments and the mapping between each process in the tree and its process behaviors;
a target process acquisition unit, configured to obtain, from the process tree, a target process that matches a preset process pattern;
the security of the target process then being detected according to the process behaviors of the target process.
B17. The device of B11 or B12, further comprising:
an interception module, configured to intercept the transmission source corresponding to the abnormal file; and/or
a repair module, configured to repair the affected user terminals.
B18. The device of B17, wherein the interception module includes:
a firewall interception submodule, configured to set a firewall rule for the transmission source corresponding to the abnormal file, so that the transmission source is intercepted by that rule.
B19. The device of B17, wherein the repair module includes:
a first repair submodule, configured to kill the process corresponding to the abnormal file on a single affected user terminal and, if that succeeds, kill the process corresponding to the abnormal file on all affected user terminals; or
a second repair submodule, configured to kill the process corresponding to the abnormal file on a single affected user terminal and, if that fails, back up the data of each affected user terminal and then update its operating system.
B20. The device of B11 or B12, further comprising:
a process behavior receiving module, configured to receive the process behaviors reported by user terminals;
a theft detection module, configured to detect whether the process behaviors include a preset file-stealing behavior.
| Application Number | Publication Number | Priority Date | Filing Date | Publication Date | Status | Title |
|---|---|---|---|---|---|---|
| CN201611250336.9A | CN106856478A | 2016-12-29 | 2016-12-29 | 2017-06-16 | Pending | A kind of safety detection method and device based on LAN |
Cited by
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11647029B2 | 2017-12-12 | 2023-05-09 | WithSecure Corporation | Probing and responding to computer network security breaches |
| CN110351222A | 2018-04-02 | 2019-10-18 | 腾讯科技(深圳)有限公司 | Data safety processing method and device, system |
| CN114866276A | 2022-03-21 | 2022-08-05 | 杭州薮猫科技有限公司 | Terminal detection method and device for abnormal transmission file, storage medium and equipment |
| CN114866276B | 2022-03-21 | 2024-06-11 | 杭州薮猫科技有限公司 | Method, device, storage medium and equipment for detecting abnormal transmission file terminal |
Patent citations
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7835361B1 | 2004-10-13 | 2010-11-16 | Sonicwall, Inc. | Method and apparatus for identifying data patterns in a file |
| US20090178139A1 | 2008-01-09 | 2009-07-09 | Global Dataguard, Inc. | Systems and Methods of Network Security and Threat Management |
| CN102413011A | 2011-11-18 | 2012-04-11 | 奇智软件(北京)有限公司 | Method and system for local area network security assessment |
| CN103020520A | 2012-11-26 | 2013-04-03 | 北京奇虎科技有限公司 | Enterprise-based document security detection method and system |
| CN103049697A | 2012-11-26 | 2013-04-17 | 北京奇虎科技有限公司 | File detection method and system for enterprises |
| CN104702456A | 2013-12-04 | 2015-06-10 | 大连东浦机电有限公司 | Method for monitoring local area network transmission data risk based on keyword extraction strategy |
| CN103955645A | 2014-04-28 | 2014-07-30 | 百度在线网络技术(北京)有限公司 | Method, device and system for detecting malicious process behavior |
| CN104461826A | 2014-12-05 | 2015-03-25 | 北京奇虎科技有限公司 | Object flow monitoring method, device and system |
| CN104462968A | 2014-12-16 | 2015-03-25 | 北京奇虎科技有限公司 | Malicious application program scanning method, device and system |
| CN105430001A | 2015-12-18 | 2016-03-23 | 北京奇虎科技有限公司 | APT attack detection method, terminal equipment, server and system |
| CN105743732A | 2015-12-28 | 2016-07-06 | 哈尔滨安天科技股份有限公司 | Method and system for recording transmission paths and distribution conditions of files in local area network |
Non-patent citations
| Title |
|---|
| 曹聪 (Cao Cong): 《计算机操作系统》 (Computer Operating Systems), 31 August 1994, 兰州大学出版社 (Lanzhou University Press) |
Legal events
| Code | Title | Description |
|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park). Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; QAX Technology Group Inc. Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park). Applicant before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; BEIJING QIANXIN TECHNOLOGY Co.,Ltd. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170616 |