CN107196916A - Method, network-side device and terminal for virus file detection - Google Patents


Publication number
CN107196916A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710279334.0A
Other languages
Chinese (zh)
Inventor
马晓凯
张�杰
王小猛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Internet Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Internet Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Internet Co Ltd
Priority to CN201710279334.0A
Publication of CN107196916A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

An embodiment of the invention discloses a method for virus file detection. The method includes: monitoring the malicious behavior features of at least one terminal and determining the virus signature information corresponding to each malicious behavior feature; determining the virus signature information corresponding to the malicious behavior features of a terminal to be checked; and detecting the virus files of the terminal to be checked according to the determined virus signature information corresponding to that terminal. Detecting virus files according to the signature information that corresponds to the terminal to be checked improves the detection efficiency for virus files and reduces terminal resource consumption. Embodiments of the invention also disclose a network-side device and a terminal for virus file detection.

Description

Method, network-side device and terminal for virus file detection
Technical field
The present invention relates to the field of network security, and in particular to a method, a network-side device and a terminal for virus file detection.
Background
With the rapid development of the fourth-generation mobile communication standard (4G), the number of users in China who go online through mobile terminals (such as mobile phones) is growing by the day. As mobile phone development interfaces become increasingly unified, infection of mobile phones is becoming more and more serious, and the number and variety of viruses keep increasing, which makes virus files harder to detect. One form a virus file takes when it runs on a mobile terminal is malware. According to data published by the China Internet Association, China had more than 900 million mobile Internet users in the first quarter of 2016. From 2000 to June 2009, only a little over 400 pieces of malware were found on mobile terminals in total, whereas by the end of March 2016 the total number of mobile-terminal malware samples captured in China was 89097. The impact of virus files on terminals is therefore becoming ever wider.
The harm a virus file does when running on a terminal mainly includes the following: 1. triggering malicious fee deductions; 2. stealing user privacy; 3. attacking the network or other terminals on the network; 4. destroying the functions or data of the terminal. With the development of the mobile Internet, virus files increasingly combine the mobile network and the communication network as their main means of propagation and their profit model. Because virus files affect the communication quality and communication security of terminals in many respects, such as charges, privacy protection and network stability, mobile operators have begun to build monitoring and analysis systems for virus files, using their unique position to mine and analyze the mass data in the mobile network and the communication network and to comprehensively monitor and guard against the propagation and outbreak of virus files.
Products currently on the market for detecting virus files on terminals rely only on a virus signature database installed locally on the terminal for passive defense. As the signature database keeps growing, the load on the terminal and the time taken by virus scanning and removal keep increasing, which makes guarding against virus files sharply more difficult.
Summary of the invention
To solve the above technical problem, embodiments of the present invention aim to provide a method, a network-side device and a terminal for virus file detection that improve virus file detection efficiency.
The technical solution of the present invention is realized as follows:
An embodiment of the invention provides a method for virus file detection, including:
monitoring the malicious behavior features of at least one terminal, and determining the virus signature information corresponding to each malicious behavior feature;
determining the virus signature information corresponding to the malicious behavior features of the terminal to be checked;
detecting the virus files of the terminal to be checked according to the determined virus signature information corresponding to that terminal.
In the above solution, the method further includes: obtaining the identification information of the terminal to be checked, and determining the malicious behavior features of the terminal to be checked according to that identification information.
In the above solution, detecting the virus files of the terminal to be checked according to the determined virus signature information corresponding to that terminal includes: sending the virus signature information corresponding to the terminal to be checked to that terminal, so that the terminal detects virus files according to the corresponding virus signature information.
In the above solution, detecting the virus files of the terminal to be checked according to the determined virus signature information corresponding to that terminal includes: determining the range of files to be checked according to the virus signature information corresponding to the terminal to be checked, and detecting the virus files of the terminal within that range.
An embodiment of the invention also provides another method for virus file detection, including:
sending a virus file detection request to the network side, the request being used to request the virus signature information corresponding to the malicious behavior features of the terminal to be checked;
receiving the virus signature information of the terminal to be checked sent by the network side;
detecting the virus files of the terminal to be checked according to the virus signature information corresponding to that terminal.
In the above solution, the virus file request includes: the identification information of the terminal to be checked.
In the above solution, detecting the virus files of the terminal to be checked according to the determined virus signature information corresponding to that terminal includes: determining the range of files to be checked according to the virus signature information corresponding to the terminal to be checked, and detecting the virus files of the terminal within that range.
An embodiment of the invention also provides a network-side device, which includes a monitoring module, a determining module and a first detection module, wherein:
the monitoring module is configured to monitor the malicious behavior features of at least one terminal and determine the virus signature information corresponding to each malicious behavior feature;
the determining module is configured to determine the virus signature information corresponding to the malicious behavior features of the terminal to be checked;
the first detection module is configured to detect the virus files of the terminal to be checked according to the determined virus signature information corresponding to that terminal.
In the above solution, the determining module is further configured to obtain the identification information of the terminal to be checked and determine the malicious behavior features of the terminal to be checked according to that identification information.
In the above solution, the first detection module is specifically configured to send the virus signature information corresponding to the terminal to be checked to that terminal, so that the terminal detects virus files according to the corresponding virus signature information.
An embodiment of the invention also provides a terminal, which includes a sending module, a receiving module and a second detection module, wherein:
the sending module is configured to send a virus file detection request to the network side, the request being used to request the virus signature information of the terminal to be checked that corresponds to its malicious behavior features;
the receiving module is configured to receive the virus signature information of the terminal to be checked sent by the network side;
the second detection module is configured to detect the virus files of the terminal to be checked according to the virus signature information corresponding to that terminal.
In the above solution, the virus file request includes: the identification information of the terminal to be checked.
In the embodiments of the present invention, the malicious behavior features of at least one terminal are monitored, and the virus signature information corresponding to each malicious behavior feature is determined; the virus signature information corresponding to the malicious behavior features of the terminal to be checked is determined; and the virus files of the terminal to be checked are detected according to the determined virus signature information corresponding to that terminal. Detecting virus files according to the signature information that corresponds to the terminal to be checked improves the detection efficiency for virus files and reduces terminal resource consumption.
Brief description of the drawings
Fig. 1 is a flowchart of the first embodiment of the virus file detection method of the present invention;
Fig. 2 is a schematic diagram of the second embodiment of the virus file detection method of the present invention;
Fig. 3 is a schematic diagram of the third embodiment of the virus file detection method of the present invention;
Fig. 4 is a flowchart of the fourth embodiment of the virus file detection method of the present invention;
Fig. 5 is a schematic structural diagram of the network-side device for virus file detection according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the terminal for virus file detection according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the hardware structure of the terminal for virus file detection according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments.
At present, terminals scan for, remove and protect against virus files by installing various kinds of antivirus software, which usually scans for virus files by matching their physical features. The basic principle is that a scanning engine scans the files and applications on the phone one by one and compares the physical features of each file and application (for example, the MD5 value of the file content) with all the information in the virus signature database, finally determining the virus files on the terminal. Here, MD5 refers to the value of Message-Digest Algorithm 5 (MD5); the MD5 value can be used to verify whether a file or application downloaded by the terminal carries a virus file.
The existing detection method first assumes that every file is a virus file, so detection covers all files: a feature computation must be performed on every file, and the result is then compared with all known virus signatures in the virus signature database to determine the actual virus files. This produces a large amount of wasted computation, gives low detection efficiency, takes a long time and occupies too many terminal resources.
In addition, in the existing detection method, how comprehensive the virus signature database is directly affects the scan-and-removal result. Two specific problems exist: first, the update frequency of the virus signature database directly affects the accuracy and comprehensiveness of virus scanning and removal; second, as the content of the virus signature database keeps growing, it seriously consumes terminal resources and makes the database harder to maintain and update. The embodiments of the present invention therefore propose a method, a network-side device and a terminal for virus file detection that can improve virus file detection efficiency.
Fig. 1 is a flowchart of the first embodiment of the virus file detection method of the present invention. As shown in Fig. 1, the method includes:
Step 101: Monitor the malicious behavior features of at least one terminal, and determine the virus signature information corresponding to each malicious behavior feature.
For example, the network side monitors the behavior features of each terminal connected to it; when a terminal's behavior feature is a malicious behavior feature, the network side records that feature and determines the virus signature information corresponding to each malicious behavior feature.
Specifically, a virus file monitoring and analysis system is set up on the network side and used to analyze and monitor network-side data, thereby monitoring the malicious behavior features of terminals. The monitored content may be the terminal's access records (tickets) for short messages, multimedia messages, Wireless Application Protocol (WAP) and the like, the data flows of various downloaded files, and so on. The data are filtered and analyzed according to preset monitoring rules to monitor whether the terminal has been infected by a virus file; combined with the experience of monitoring and management personnel, it is finally determined that the terminal is infected by a virus file and that the current series of operation features are malicious operation features.
For example, when judging whether the short message application is sending and receiving abnormally because of a virus file infection, the preset monitoring rule may be: the number of short messages the terminal sends or receives per unit time exceeds a count threshold (for example, more than 100 short messages sent or received in one minute), or the interval between short messages the terminal sends or receives is below a time threshold (for example, an interval of less than 1 second between sent or received short messages).
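The short-message monitoring rule above can be written as a sliding-window check over message records. The following is an added illustration, not code from the patent; the record layout `(terminal_id, timestamp)`, the function name and the sample data are assumptions, and only the two example thresholds (more than 100 messages in one minute, interval below 1 second) come from the text.

```python
from collections import defaultdict, deque


def flag_sms_anomalies(records, max_per_window=100, window_s=60.0, min_gap_s=1.0):
    """Apply the two example rules to SMS records.

    records: iterable of (terminal_id, timestamp_in_seconds), one entry per
             short message sent or received (assumed layout).
    Returns {terminal_id: set of rule names that fired}; terminals that
    trigger nothing are absent from the result.
    """
    recent = defaultdict(deque)   # per-terminal timestamps inside the window
    last_seen = {}                # per-terminal timestamp of the previous message
    flagged = defaultdict(set)

    for terminal, ts in sorted(records, key=lambda r: r[1]):
        window = recent[terminal]
        window.append(ts)
        # Keep only messages in the half-open window (ts - window_s, ts].
        while window[0] <= ts - window_s:
            window.popleft()
        # Rule 1: message count per unit time exceeds the count threshold.
        if len(window) > max_per_window:
            flagged[terminal].add("rate")
        # Rule 2: interval between consecutive messages is below the threshold.
        prev = last_seen.get(terminal)
        if prev is not None and ts - prev < min_gap_s:
            flagged[terminal].add("interval")
        last_seen[terminal] = ts

    return dict(flagged)


# Constructed sample records (seconds since the start of the capture).
SAMPLE_RECORDS = (
    [("T-A", i * 0.4) for i in range(120)]        # burst: 120 messages in 48 s
    + [("T-B", i * 30.0) for i in range(5)]       # ordinary traffic
    + [("T-C", t) for t in (10.0, 10.5, 300.0)]   # two messages 0.5 s apart
)

if __name__ == "__main__":
    for terminal, rules in sorted(flag_sms_anomalies(SAMPLE_RECORDS).items()):
        print(terminal, sorted(rules))
```

With the example values from the text, any terminal that exceeds 100 messages in a minute also has at least one gap under 1 second, so the rate rule only fires on its own when the thresholds are tuned differently.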
In practice, a virus signature database is built from the virus signature information of each virus file. Each malicious behavior feature of a terminal corresponds to at least one item of virus signature information in the virus signature database, and all the virus signature information corresponding to each malicious behavior feature is determined from the database.
Step 102: Determine the virus signature information corresponding to the malicious behavior features of the terminal to be checked.
Before this step, the method also includes: obtaining the identification information of the terminal to be checked, and determining the malicious behavior features of the terminal to be checked according to that identification information.
For example, after receiving the virus file detection request sent by the terminal to be checked, the network side determines the terminal's malicious behavior features according to the terminal identification information carried in the request, and then determines the corresponding virus signature information according to those malicious behavior features.
Specifically, the virus signature database is filtered according to the malicious behavior features of the terminal to be checked to determine the virus signature information corresponding to that terminal.
In this embodiment, when the virus signature database is updated, because the corresponding virus signature information is determined from the database according to the malicious behavior features of the terminal to be checked, only the correspondence between the two needs to be updated when the virus signature information corresponding to a malicious behavior feature changes. Updating the virus signature database therefore affects neither how the terminal to be checked obtains its virus signature information nor the efficiency with which the terminal detects virus files.
Step 103: Detect the virus files of the terminal to be checked according to the determined virus signature information corresponding to that terminal.
In practice, the range of files to be checked is determined according to the virus signature information corresponding to the terminal to be checked, and the virus files of the terminal are detected within that range. Here, a virus file may be malware.
Optionally, when virus file detection is performed, the network side may directly detect the virus files of the terminal to be checked according to the virus signature information corresponding to that terminal.
Alternatively, the virus signature information corresponding to the terminal to be checked may be sent to that terminal so that it detects virus files according to the corresponding virus signature information. For example, after receiving the virus signature information, the terminal to be checked determines the range of files to be checked according to it and detects its virus files within that range. Screening the terminal's files in this way avoids invalid checks of normal files, narrows the file detection range and improves the efficiency of virus file detection.
Optionally, after virus file detection on the terminal to be checked is complete, the virus files are removed and a virus file removal record is generated and saved.
Here, steps 101 to 103 may be implemented by a network-side device.
In the embodiments of the present invention, the malicious behavior features of at least one terminal are monitored, and the virus signature information corresponding to each malicious behavior feature is determined; the virus signature information corresponding to the malicious behavior features of the terminal to be checked is determined; and the virus files of the terminal to be checked are detected according to the determined virus signature information corresponding to that terminal. In this way, the resource advantages of the network side can be fully used to monitor and record the malicious behavior features that virus files cause when running on terminals, and the corresponding virus signature information is determined according to the terminal's malicious behavior features, which narrows the virus file detection range, improves the accuracy of virus file detection, achieves comprehensive detection of virus files and improves the detection efficiency for virus files.
Second embodiment
To better illustrate the purpose of the present invention, a further example is given on the basis of the first embodiment.
Fig. 2 is a schematic diagram of the second embodiment of the virus file detection method of the present invention. The method includes:
Step 201: The terminal sends a virus detection request to the network side.
Step 202: The network side obtains the terminal's malicious behavior features according to the terminal identification information contained in the request.
Step 203: The network side filters the virus signature database according to the terminal's malicious behavior features and obtains the virus signature information corresponding to the terminal.
Step 204: The network side sends the terminal its corresponding virus signature information.
Step 205: The terminal detects virus files according to the corresponding virus signature information.
Step 206: The terminal removes the virus files and generates a virus file removal record.
Step 207: The terminal uploads the virus file removal record to the network side.
In this embodiment, the network side records terminals' malicious behavior features by monitoring and analyzing their running behavior. When the terminal to be checked performs virus file detection, the network side can look up the corresponding malicious behavior record using the terminal's identification information and thus determine the virus signature information corresponding to the terminal. When the terminal then uses that virus signature information to detect virus files, many useless checks are avoided, and the terminal can locate virus files quickly and remove them accurately.
Third embodiment
To better illustrate the purpose of the present invention, a further example is given on the basis of the first embodiment.
In this embodiment, the network side may include a virus file monitoring system and a virus scan-and-removal server. The virus file monitoring system monitors all terminals connected to the network side for malicious behavior and records each terminal's malicious behavior; the virus scan-and-removal server obtains the malicious behavior features of the terminal to be checked, filters the virus signature database according to those features, and obtains the virus signature information of the terminal to be checked. Fig. 3 is a schematic diagram of the third embodiment of the virus file detection method of the present invention. The method specifically includes:
Step 311: The virus file monitoring system obtains the terminal's behavior features.
Step 312: The virus file monitoring system analyzes the terminal's behavior features.
Step 313: After determining that the terminal's behavior features are malicious behavior features, the virus file monitoring system saves a record of the terminal's malicious behavior features to the virus scan-and-removal server.
Note that through steps 311 to 313 the network side can dynamically monitor the terminal's running behavior, learn in time the malicious behavior features a virus file exhibits when running on the terminal, determine whether the terminal is infected, and provide the terminal's infection status to the virus scan-and-removal server, which uses it to supply each terminal to be checked with its infection status, that is, its malicious behavior feature information.
Further, the terminal's detection and removal of virus files can be achieved through steps 321 to 327.
Step 321: The terminal sends a virus file detection request to the virus scan-and-removal server.
Step 322: The virus scan-and-removal server obtains the corresponding malicious behavior features according to the terminal identification information carried in the virus file detection request.
Step 323: The virus scan-and-removal server filters the virus signature database according to the malicious behavior features and obtains the terminal's virus signature information.
Step 324: The virus scan-and-removal server sends the corresponding virus signature information to the terminal.
Step 325: The terminal checks its local files against the virus signature information and confirms the virus files.
In this step, virus file detection first determines the range of files to be checked according to the virus signature information, then compares the physical features of each file in that range (for example, the MD5 value of the file content as its feature code) with all the virus signature information obtained, and finally confirms the virus files present on the terminal.
Step 326: The terminal removes the virus files and generates a virus file removal record.
Step 327: The terminal sends the virus file removal record to the virus scan-and-removal server.
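Steps 322 to 325 can be sketched as follows: the server filters the signature database by the behaviors recorded for the requesting terminal, and the terminal hashes only the files in the resulting range. This is an added example, not code from the patent. The patent does not say how the file range is derived from the signature information, so the per-signature `scope` glob is an assumption, as are all names, behaviors and file contents, which are constructed.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Signature:
    name: str    # constructed family name
    md5: str     # MD5 of the file content, the physical feature named in the text
    scope: str   # ASSUMPTION: glob, relative to the scan root, where such files live


def md5_hex(data: bytes) -> str:
    # MD5 is used because the text names it; it serves as a fingerprint only.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def signatures_for_terminal(terminal_id, behavior_log, behavior_index, signature_db):
    """Server side (steps 322-323): terminal id -> behaviors -> signatures."""
    wanted = set()
    for behavior in behavior_log.get(terminal_id, ()):   # unknown terminal: nothing
        wanted.update(behavior_index.get(behavior, ()))
    return [sig for sig in signature_db if sig.name in wanted]


def scan_terminal(root: Path, signatures):
    """Terminal side (step 325): hash only in-range files, compare with the MD5s."""
    by_md5 = {sig.md5: sig.name for sig in signatures}
    candidates = set()
    for sig in signatures:
        candidates.update(p for p in root.glob(sig.scope) if p.is_file())
    hits = {}
    for path in sorted(candidates):
        name = by_md5.get(md5_hex(path.read_bytes()))
        if name:
            hits[path.relative_to(root).as_posix()] = name
    return hits, len(candidates)


def run_demo():
    """Build a constructed terminal file tree and compare scoped and full scans."""
    sms_body = b"constructed sample: sms-flooder body"
    spy_body = b"constructed sample: contact-uploader body"
    signature_db = [
        Signature("SmsFlood.A", md5_hex(sms_body), "apps/*.apk"),
        Signature("Spy.B", md5_hex(spy_body), "apps/*.apk"),
        Signature("Wiper.C", md5_hex(b"constructed sample: wiper body"), "system/**/*.so"),
    ]
    behavior_index = {                       # behavior feature -> signature names
        "abnormal_sms": ["SmsFlood.A"],
        "privacy_upload": ["Spy.B"],
        "data_destruction": ["Wiper.C"],
    }
    behavior_log = {"terminal-001": ["abnormal_sms"]}   # recorded by monitoring
    files = {
        "apps/game.apk": sms_body,
        "apps/notes.apk": b"benign app",
        "apps/flashlight.apk": spy_body,     # infected, but no behavior recorded yet
        "media/photo.jpg": b"benign image",
        "system/lib/libc.so": b"benign library",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        scoped = signatures_for_terminal("terminal-001", behavior_log,
                                         behavior_index, signature_db)
        scoped_hits, scoped_hashed = scan_terminal(root, scoped)
        # Baseline: the "scan everything against everything" approach.
        everything = [Signature(s.name, s.md5, "**/*") for s in signature_db]
        full_hits, full_hashed = scan_terminal(root, everything)
    unknown = signatures_for_terminal("terminal-999", behavior_log,
                                      behavior_index, signature_db)
    return {"scoped_hits": scoped_hits, "scoped_hashed": scoped_hashed,
            "full_hits": full_hits, "full_hashed": full_hashed,
            "unknown_terminal_signatures": unknown}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the constructed data the scoped scan hashes 3 of the 5 files and does not report `apps/flashlight.apk`, because no behavior mapped to Spy.B has been recorded for terminal-001; the narrowing is only as complete as the network-side behavior record.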
Fourth embodiment
An embodiment of the invention also provides another method for virus file detection. Fig. 4 is a flowchart of the fourth embodiment of the virus file detection method of the present invention. As shown in Fig. 4, the method includes:
Step 401: Send a virus file detection request to the network side.
Here, the virus file detection request is used to request the virus signature information corresponding to the malicious behavior features of the terminal to be checked.
Optionally, the virus file detection request may include the identification information of the terminal to be checked; the identification information uniquely identifies the terminal.
Specifically, when the terminal to be checked is a mobile phone, the identification information may be the phone number, the International Mobile Subscriber Identification Number (IMSI), the International Mobile Equipment Identity (IMEI) or the like.
Step 402: Receive the virus signature information of the terminal to be checked sent by the network side.
Step 403: Detect the virus files of the terminal to be checked according to the virus signature information corresponding to that terminal.
For example, the range of files to be checked is determined according to the virus signature information corresponding to the terminal to be checked, and the virus files of the terminal are detected within that range.
Here, steps 401 to 403 may be implemented by a terminal.
Fifth embodiment
Corresponding to the method of the embodiments of the present invention, an embodiment of the invention also provides a network-side device that can be used for virus file detection. Fig. 5 is a schematic structural diagram of the network-side device for virus file detection according to an embodiment of the present invention. As shown in Fig. 5, the device includes a monitoring module 501, a determining module 502 and a first detection module 503, wherein:
the monitoring module 501 is configured to monitor the malicious behavior features of at least one terminal and determine the virus signature information corresponding to each malicious behavior feature;
the determining module 502 is configured to determine the virus signature information corresponding to the malicious behavior features of the terminal to be checked;
the first detection module 503 is configured to detect the virus files of the terminal to be checked according to the determined virus signature information corresponding to that terminal.
For example, the determining module 502 may also be configured to obtain the identification information of the terminal to be checked and determine the malicious behavior features of the terminal to be checked according to that identification information.
For example, the first detection module 503 may specifically be configured to send the virus signature information corresponding to the terminal to be checked to that terminal, so that the terminal detects virus files according to the corresponding virus signature information.
In practical applications, the monitoring module 501, the determining module 502 and the first detection module 503 may each be implemented by a central processing unit (Central Processing Unit, CPU), a microprocessor (Micro Processor Unit, MPU), a digital signal processor (Digital Signal Processor, DSP), a field programmable gate array (Field Programmable Gate Array, FPGA) or the like located in the network-side device.
Sixth embodiment
Corresponding to the method of the embodiments of the present invention, an embodiment of the present invention further provides a terminal, which can be used for the detection of virus documents. Fig. 6 is a schematic structural diagram of the terminal for virus document detection according to an embodiment of the present invention. As shown in Fig. 6, the terminal includes: a sending module 601, a receiving module 602 and a second detection module 603; wherein,
The sending module 601 is used to send a virus document detection request to the network side. The virus document detection request is used to request the virus characteristic information of the terminal to be detected that corresponds to the malicious act feature of the terminal to be detected. The virus document request may include: the identification information of the terminal to be detected.
The receiving module 602 is used to receive the virus characteristic information of the terminal to be detected sent by the network side.
The second detection module 603 is used to detect the virus document of the terminal to be detected according to the virus characteristic information corresponding to the terminal to be detected.
In practical applications, the sending module 601, the receiving module 602 and the second detection module 603 can each be implemented by a CPU, MPU, DSP, FPGA or the like located in the terminal device.
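The exchange between the network side equipment (modules 501 to 503) and the terminal (modules 601 to 603), as an added Python example that is not part of the patent. The record layout (a SHA-256 digest plus a directory standing in for the file extent to be detected), the behaviour name, the terminal ids and the file contents are constructed assumptions.

```python
import hashlib
import os
import tempfile

class NetworkSide:
    """Network side modules 501-503; the record layout is an assumption."""
    def __init__(self, feature_db):
        self.feature_db = feature_db   # malicious act feature -> signature records
        self.observed = {}             # terminal id -> features seen on it

    def monitor(self, terminal_id, behaviour):            # monitoring module 501
        self.observed.setdefault(terminal_id, set()).add(behaviour)

    def handle_request(self, request):                    # modules 502 and 503
        behaviours = self.observed.get(request["terminal_id"], set())
        return [s for b in sorted(behaviours) for s in self.feature_db.get(b, [])]

class Terminal:
    """Terminal modules 601-603."""
    def __init__(self, terminal_id, root):
        self.terminal_id = terminal_id
        self.root = os.path.realpath(root)
        self.files_hashed = 0

    def build_request(self):                              # sending module 601
        return {"terminal_id": self.terminal_id}

    def scan(self, signatures):                           # modules 602 and 603
        hits = set()
        for sig in signatures:
            scope = os.path.realpath(os.path.join(self.root, sig["scope"]))
            # Skip a scope that resolves outside the terminal's own file tree.
            if os.path.commonpath([self.root, scope]) != self.root:
                continue
            for dirpath, _, names in os.walk(scope):
                for name in names:
                    path = os.path.join(dirpath, name)
                    with open(path, "rb") as fh:
                        digest = hashlib.sha256(fh.read()).hexdigest()
                    self.files_hashed += 1
                    if digest == sig["sha256"]:
                        hits.add(os.path.relpath(path, self.root))
        return sorted(hits)

def demo():
    """Constructed data: two files, one behaviour, two signature records."""
    bad = b"constructed-sample-payload"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("downloads/app.bin", bad), ("photos/cat.jpg", b"benign")):
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        net = NetworkSide({"sends_premium_sms": [
            {"sha256": hashlib.sha256(bad).hexdigest(), "scope": "downloads"},
            {"sha256": hashlib.sha256(bad).hexdigest(), "scope": "../outside"}]})
        net.monitor("terminal-A", "sends_premium_sms")
        flagged, clean = Terminal("terminal-A", root), Terminal("terminal-B", root)
        hits = flagged.scan(net.handle_request(flagged.build_request()))
        return hits, flagged.files_hashed, clean.scan(net.handle_request(clean.build_request()))
```

For terminal-A only the one file under `downloads` is hashed; terminal-B, with no monitored behaviour, receives an empty record set and scans nothing.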
Seventh embodiment
Corresponding to the method of the embodiments of the present invention, an embodiment of the present invention further provides another terminal for virus document detection. Fig. 7 is a schematic diagram of the hardware structure of the terminal for virus document detection according to an embodiment of the present invention. As shown in Fig. 7, the terminal includes: a communication bus 701, a processor 702 and a memory 703; wherein,
The communication bus 701 is used to realize the connection and communication between the processor 702 and the memory 703;
The processor 702 is used to detect virus documents, and specifically to: monitor the malicious act feature of at least one terminal and determine the virus characteristic information corresponding to each malicious act feature; determine the virus characteristic information corresponding to the malicious act feature of the terminal to be detected; and detect the virus document of the terminal to be detected according to the determined virus characteristic information corresponding to the terminal to be detected.
The memory 703 is used to store the malicious act characteristic information of terminals and the virus characteristic library.
In practical applications, the above processor 702 can be at least one of an application-specific integrated circuit (ASIC, Application Specific Integrated Circuit), a digital signal processing device (DSPD, Digital Signal Processing Device), a programmable logic device (PLD, Programmable Logic Device), an FPGA, a DSP, a CPU, a controller, a microcontroller and a microprocessor. It can be understood that, for different devices, the electronic component used to realize the above processor function can also be something else, which the embodiments of the present invention do not specifically limit.
The above memory 703 can be a volatile memory, such as a random access memory (RAM, Random-Access Memory); or a non-volatile memory, such as a read-only memory (ROM, Read-Only Memory), a flash memory, a hard disk (HDD, Hard Disk Drive) or a solid state drive (SSD, Solid-State Drive); or a combination of the above kinds of memory, and it provides instructions and data to the processor 702.
Those skilled in the art should understand that embodiments of the present invention can be provided as a method, a system or a computer program product. Therefore, the present invention can take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the present invention can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, optical storage and the like) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, equipment (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture that includes an instruction device, and the instruction device realizes the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for realizing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
The foregoing is only a preferred embodiment of the present invention, is not intended to limit the scope of the present invention.

Claims (12)

1. A detection method for a virus document, characterised in that the method includes:
monitoring the malicious act feature of at least one terminal, and determining the virus characteristic information corresponding to each malicious act feature;
determining the virus characteristic information corresponding to the malicious act feature of a terminal to be detected;
detecting the virus document of the terminal to be detected according to the determined virus characteristic information corresponding to the terminal to be detected.
2. The method according to claim 1, characterised in that the method also includes: obtaining the identification information of the terminal to be detected, and determining the malicious act feature of the terminal to be detected according to the identification information of the terminal to be detected.
3. The method according to claim 1, characterised in that detecting the virus document of the terminal to be detected according to the determined virus characteristic information corresponding to the terminal to be detected includes: sending the virus characteristic information corresponding to the terminal to be detected to the terminal to be detected, so that the terminal to be detected detects the virus document according to the corresponding virus characteristic information.
4. The method according to claim 1, characterised in that detecting the virus document of the terminal to be detected according to the determined virus characteristic information corresponding to the terminal to be detected includes: determining a file extent to be detected according to the virus characteristic information corresponding to the terminal to be detected, and detecting the virus document of the terminal to be detected within the file extent to be detected.
5. A detection method for a virus document, characterised in that the method includes:
sending a virus document detection request to a network side, the virus document detection request being used to request the virus characteristic information corresponding to the malicious act feature of a terminal to be detected;
receiving the virus characteristic information of the terminal to be detected sent by the network side;
detecting the virus document of the terminal to be detected according to the virus characteristic information corresponding to the terminal to be detected.
6. The method according to claim 5, characterised in that the virus document request includes: the identification information of the terminal to be detected.
7. The method according to claim 5, characterised in that detecting the virus document of the terminal to be detected according to the determined virus characteristic information corresponding to the terminal to be detected includes: determining a file extent to be detected according to the virus characteristic information corresponding to the terminal to be detected, and detecting the virus document of the terminal to be detected within the file extent to be detected.
8. A network side equipment, characterised in that the equipment includes: a monitoring module, a determining module and a first detection module; wherein,
the monitoring module is used to monitor the malicious act feature of at least one terminal and to determine the virus characteristic information corresponding to each malicious act feature;
the determining module is used to determine the virus characteristic information corresponding to the malicious act feature of a terminal to be detected;
the first detection module is used to detect the virus document of the terminal to be detected according to the determined virus characteristic information corresponding to the terminal to be detected.
9. The equipment according to claim 8, characterised in that the determining module is also used to obtain the identification information of the terminal to be detected and to determine the malicious act feature of the terminal to be detected according to the identification information of the terminal to be detected.
10. The equipment according to claim 8, characterised in that the first detection module is specifically used to send the virus characteristic information corresponding to the terminal to be detected to the terminal to be detected, so that the terminal to be detected detects the virus document according to the corresponding virus characteristic information.
11. A terminal, characterised in that the terminal includes: a sending module, a receiving module and a second detection module; wherein,
the sending module is used to send a virus document detection request to a network side, the virus document detection request being used to request the virus characteristic information of the terminal to be detected that corresponds to the malicious act feature of the terminal to be detected;
the receiving module is used to receive the virus characteristic information of the terminal to be detected sent by the network side;
the second detection module is used to detect the virus document of the terminal to be detected according to the virus characteristic information corresponding to the terminal to be detected.
12. The terminal according to claim 11, characterised in that the virus document request includes: the identification information of the terminal to be detected.
CN201710279334.0A 2017-04-25 2017-04-25 A kind of method, network side equipment and the terminal of virus document detection Pending CN107196916A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710279334.0A CN107196916A (en) 2017-04-25 2017-04-25 A kind of method, network side equipment and the terminal of virus document detection

Publications (1)

Publication Number Publication Date
CN107196916A true CN107196916A (en) 2017-09-22

Family

ID=59873409

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710279334.0A Pending CN107196916A (en) 2017-04-25 2017-04-25 A kind of method, network side equipment and the terminal of virus document detection

Country Status (1)

Country Link
CN (1) CN107196916A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101859349A (en) * 2009-04-13 2010-10-13 珠海金山软件有限公司 File screening system and file screening method for searching and killing malicious programs
CN102281540A (en) * 2011-09-08 2011-12-14 广东华仝九方科技有限公司 Method and system for searching and killing mobile phone malicious software
CN102902915A (en) * 2012-09-29 2013-01-30 北京奇虎科技有限公司 System for detecting behavior feature of file
CN103368904A (en) * 2012-03-27 2013-10-23 百度在线网络技术(北京)有限公司 Mobile terminal, and system and method for suspicious behavior detection and judgment
US8590039B1 (en) * 2007-11-28 2013-11-19 Mcafee, Inc. System, method and computer program product for sending information extracted from a potentially unwanted data sample to generate a signature
CN104363256A (en) * 2014-10-11 2015-02-18 北京中创腾锐技术有限公司 Cellphone virus recognition and control method, device and system
KR101710684B1 (en) * 2015-09-10 2017-03-02 (주) 세인트 시큐리티 System and method of recovering operating system anayzing malicious code not operating in virtual environment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110826069A (en) * 2019-11-05 2020-02-21 深信服科技股份有限公司 Virus processing method, device, equipment and storage medium
CN114596656A (en) * 2020-12-03 2022-06-07 中移互联网有限公司 Electronic pass processing method, device and equipment
CN114596656B (en) * 2020-12-03 2023-09-19 中移互联网有限公司 Electronic pass processing method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170922