CN110688658B - Unknown virus infection tracing method, device and system - Google Patents


Info

Publication number: CN110688658B
Authority: CN (China)
Application number: CN201910957252.6A
Other languages: Chinese (zh)
Other versions: CN110688658A
Inventors: 李华生, 范渊
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd
Legal status: Active
Prior art keywords: file, characteristic, unknown, unknown virus, suspected

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The invention provides an unknown virus infection tracing method, device and system in the field of computer technology. The method comprises the following steps: receiving the file content of a monitored file sent by a terminal and extracting a first characteristic and a second characteristic from that content; judging, based on the first and second characteristics, whether the monitored file is a suspected unknown virus file; if so, judging whether the suspected unknown virus file exhibits virus behavior characteristics; if so, determining the suspected unknown virus file with virus behavior characteristics to be an unknown virus; receiving the file operations reported by all terminals and locating the infection source of the unknown virus from the MD5 value of its first characteristic and the operation information of those file operations; and ordering all instances of the unknown virus by infection time, starting from the infection source, to form the propagation path of the unknown virus. The invention can thus trace both the source and the propagation path of an unknown virus.

Description

Unknown virus infection tracing method, device and system
Technical Field
The invention relates to the technical field of computers, in particular to an unknown virus infection tracing method, device and system.
Background
With the rapid spread of malware such as ransomware and cryptomining Trojans, new virus file variants emerge endlessly and pose a serious challenge to traditional antivirus software. For an information system, discovering and handling unknown viruses is very important, and tracing the source and propagation path of an unknown virus is equally important for discovering weak points in its protection and reinforcing them in time. However, traditional antivirus software can only trace known ransomware; it cannot trace the sources and propagation paths of unknown viruses, so the weaknesses of the information system cannot be found and its eventual reinforcement suffers.
Disclosure of Invention
The invention aims to provide an unknown virus infection tracing method, device and system, which can trace not only the source of an unknown virus but also the propagation path of the unknown virus.
The invention provides an unknown virus infection tracing method, which is applied to an unknown virus infection tracing engine and comprises the following steps: receiving the file content of a monitored file sent by a terminal, and extracting a first characteristic and a second characteristic from the file content, where the first characteristic is the MD5 characteristic of the whole file content and the second characteristic is the MD5 characteristic of part of the file content (the local file content); judging, based on the first and second characteristics, whether the monitored file is a suspected unknown virus file; if so, running the suspected unknown virus file in a sandbox and judging whether it exhibits virus behavior characteristics; if so, determining the suspected unknown virus file with virus behavior characteristics to be an unknown virus; receiving the file operations reported by all terminals and locating the infection source of the unknown virus from the MD5 value of its first characteristic and the operation information of those file operations; and ordering all instances of the unknown virus by infection time, starting from the infection source, to form the propagation path of the unknown virus.
Further, judging whether the monitored file is a suspected unknown virus file based on the first and second characteristics includes: calculating, from the first characteristic, a first ratio of the terminals holding a file with the first characteristic to all terminals; if the first ratio is greater than or equal to a first preset ratio, determining the monitored file to be a suspected unknown virus file; if the first ratio is smaller than the first preset ratio, determining the monitored file to be a suspected normal file; calculating, from the second characteristic, a second ratio of the terminals holding a suspected normal file with the second characteristic to all terminals; and if the second ratio is greater than or equal to a second preset ratio, determining the suspected normal file to be a suspected unknown virus file.
Further, the unknown virus infection tracing method also comprises the following step: if the second ratio is smaller than the second preset ratio, determining the suspected normal file to be a normal file.
The invention provides an unknown virus infection tracing device, which is applied to an unknown virus infection tracing engine and comprises the following components: a receiving module for receiving the file content of a monitored file sent by a terminal and extracting a first characteristic and a second characteristic from the file content, where the first characteristic is the MD5 characteristic of the whole file content and the second characteristic is the MD5 characteristic of the local file content; a judging module for judging, based on the first and second characteristics, whether the monitored file is a suspected unknown virus file; a processing and judging module for running the file in a sandbox if it is a suspected unknown virus file and judging whether it exhibits virus behavior characteristics; a determining module for determining the suspected unknown virus file to be an unknown virus if it exhibits virus behavior characteristics; a receiving and searching module for receiving the file operations reported by all terminals and locating the infection source of the unknown virus from the MD5 value of its first characteristic and the operation information of those file operations; and an ordering module for ordering all instances of the unknown virus by infection time, starting from the infection source, to form the propagation path of the unknown virus.
Further, the judging module includes: a first calculating unit for calculating, from the first characteristic, a first ratio of the terminals holding a file with the first characteristic to all terminals; a first determining unit for determining the monitored file to be a suspected unknown virus file if the first ratio is greater than or equal to a first preset ratio; a second determining unit for determining the monitored file to be a suspected normal file if the first ratio is smaller than the first preset ratio; a second calculating unit for calculating, from the second characteristic, a second ratio of the terminals holding a suspected normal file with the second characteristic to all terminals; and a third determining unit for determining the suspected normal file to be a suspected unknown virus file if the second ratio is greater than or equal to a second preset ratio.
Further, the judging module also includes: a fourth determining unit for determining the suspected normal file to be a normal file if the second ratio is smaller than the second preset ratio.
The invention provides an unknown virus infection tracing system, which comprises: the system comprises an unknown virus infection tracing engine, at least one terminal and a visual presentation system; the terminal is used for providing file content and file operation of a monitoring file on the terminal for the unknown virus infection tracing engine; the unknown virus infection tracing engine is used for receiving the file content and the file operation and forming a propagation path of an unknown virus based on the file content and the file operation; and the visual presentation system is used for displaying the propagation path.
Further, the terminal includes: a file content extraction subsystem and a file operation extraction subsystem; the file content extraction subsystem is used for providing the file content of the monitoring file on the terminal for the unknown virus infection tracing engine; and the file operation extraction subsystem is used for providing the file operation of the monitoring file on the terminal for the unknown virus infection tracing engine.
The invention also provides an electronic device, which comprises a memory and a processor, wherein the memory stores a computer program capable of running on the processor, and the processor executes the computer program to realize the unknown virus infection tracing method.
The present invention also provides a computer-readable medium holding non-volatile program code executable by a processor, wherein the program code causes the processor to perform the unknown virus infection tracing method.
The invention provides an unknown virus infection tracing method, device and system, which are applied to an unknown virus infection tracing engine and comprise the following steps: receiving the file content of a monitored file sent by a terminal, and extracting a first characteristic and a second characteristic from the file content, where the first characteristic is the MD5 characteristic of the whole file content and the second characteristic is the MD5 characteristic of the local file content; judging, based on the first and second characteristics, whether the monitored file is a suspected unknown virus file; if so, running the suspected unknown virus file in a sandbox and judging whether it exhibits virus behavior characteristics; if so, determining the suspected unknown virus file with virus behavior characteristics to be an unknown virus; receiving the file operations reported by all terminals and locating the infection source of the unknown virus from the MD5 value of its first characteristic and the operation information of those file operations; and ordering all instances of the unknown virus by infection time, starting from the infection source, to form the propagation path of the unknown virus. With this method and system the propagation process of an unknown virus can be reconstructed from file content and file operations, so that a tracing engine for the propagation path of unknown viruses can be realized, the weaknesses of an information system can be discovered, and the information system can be effectively reinforced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flowchart of an unknown virus infection tracing method according to an embodiment of the present invention;
FIG. 2 is a flowchart of step S102 in FIG. 1;
FIG. 3 is a schematic structural diagram of an unknown virus infection tracing device according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of the judging module shown in FIG. 3;
FIG. 5 is a schematic structural diagram of an unknown virus infection tracing system according to an embodiment of the present invention.
Reference numerals:
11 receiving module; 12 judging module; 13 processing and judging module; 14 determining module; 15 receiving and searching module; 16 ordering module; 21 first calculating unit; 22 first determining unit; 23 second determining unit; 24 second calculating unit; 25 third determining unit; 26 fourth determining unit; 30 unknown virus infection tracing engine; 40 terminal; 41 file content extraction subsystem; 42 file operation extraction subsystem; 50 visual presentation system.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Traditional antivirus software can only trace known ransomware; it cannot trace the source and propagation path of unknown viruses, so the weaknesses of an information system cannot be found and its eventual reinforcement suffers. With the method and device described here, the propagation process of an unknown virus can be reconstructed from file content and file operations, so that a tracing engine for the propagation path of unknown viruses can be realized, the weaknesses of an information system can be discovered, and the information system can be effectively reinforced.
For the understanding of this embodiment, a detailed description of the method for tracing unknown virus infection disclosed in this embodiment of the present invention will be given.
The first embodiment is as follows:
referring to fig. 1, an embodiment of the present invention provides an unknown virus infection tracing method, where the unknown virus infection tracing method applied to an unknown virus infection tracing engine may include the following steps:
step S101, receiving the file content of the monitoring file sent by the terminal, and extracting a first characteristic and a second characteristic from the file content; wherein the first characteristic is the MD5 characteristic of the whole file content, and the second characteristic is the MD5 characteristic of the local file content;
In the embodiment of the present invention, the file content of the monitored file is extracted in two ways, giving two MD5 characteristics. In case 1, the whole file content is extracted and the MD5 characteristic of the whole file content is obtained; in case 2, the local file content is extracted and the MD5 characteristic of the local file content is obtained. In both cases the MD5 characteristic is simply an MD5 value. The local file content refers to the first half of the file, that is, the portion of the monitored file that occupies the first 50% of its length. The two MD5 characteristics are also stored separately: the first characteristic is recorded in a whole-file MD5 library and the second characteristic in a first-half MD5 library.
According to the embodiment of the invention, file content of different lengths can be extracted with different file content extraction methods, and the MD5 characteristic of each length obtained separately. The extraction methods are a method for extracting the whole content of the file and a method for extracting the first half of the file. Using these file feature extraction and file feature analysis techniques, the unknown virus infection tracing engine extracts both the MD5 characteristic of the whole file content and the MD5 characteristic of the local file content, so that the analysis does not rely on part of the file alone.
Step S102, judging whether the monitoring file is a suspected unknown virus file or not based on the first characteristic and the second characteristic;
In the embodiment of the invention, the first characteristic is the MD5 characteristic of the whole file content, and the second characteristic is the MD5 characteristic of the local file content, also called the MD5 characteristic of the first half of the file. When the file corresponding to an unknown virus changes, content is usually inserted or modified at the tail, so the MD5 value of the whole file easily ceases to match. By extracting a characteristic value from the first half of the file, the embodiment avoids the match failure that a tail overwrite would otherwise cause by changing the whole-file MD5.
According to the embodiment of the invention, whether the monitored file is a suspected unknown virus file is first decided from the MD5 characteristic of the whole file content: if 50% or more of the terminals hold a file whose characteristic matches the whole-file MD5 characteristic, the monitored file is determined to be a suspected unknown virus file. If fewer than 50% of the terminals hold a file with the same whole-file MD5 characteristic, the monitored file is treated as a suspected normal file and passed on to the analysis of the first-half MD5 characteristic.
In the first-half MD5 analysis, whether the suspected normal file is a suspected unknown virus is decided from the first-half MD5 characteristic. Specifically, if 50% or more of the terminals hold a file whose characteristic matches the first-half MD5 characteristic, the suspected normal file is determined to be a suspected unknown virus file. If fewer than 50% of the terminals hold a file with a matching first-half MD5 value, the suspected normal file is determined to be a normal file.
Step S103, if yes, the suspected unknown virus file is placed in a sandbox to be processed, and whether the suspected unknown virus file has virus behavior characteristics or not is judged;
in the embodiment of the invention, in order to accurately confirm whether the suspected unknown virus file has the virus behavior characteristics, the suspected unknown virus file needs to be put into a sandbox for operation. And determining whether the suspected unknown virus file has virus behavior characteristics according to the running condition of the file in the sandbox. If the suspected unknown virus file has virus behavior characteristics, judging the file to be an unknown virus; otherwise, the file is determined to be a normal file.
Step S104, if yes, determining the suspected unknown virus file with the virus behavior characteristics as an unknown virus;
in the embodiment of the present invention, the unknown virus may refer to a virus that the antivirus software cannot recognize.
Step S105, receiving file operations reported by all terminals, and searching for an infection source of unknown viruses based on the MD5 value of the first characteristic of the unknown viruses and operation information of the file operations;
In the embodiment of the invention, the file content and the file operations together describe how a file was generated and executed. As soon as a file operation is observed on a terminal, the terminal reports the file content and the file operation to the unknown virus infection tracing engine. From the file operations reported by each terminal, combined with the MD5 value of the first characteristic of the unknown virus, the terminal on which the unknown virus first appeared (was first written to disk) can be found, and that terminal is determined to be the first machine on which the unknown virus landed.
Step S106, ordering all instances of the unknown virus by infection time, starting from the infection source, to form the propagation path of the unknown virus.
In the embodiment of the present invention, the file operation includes the operation time, which is used to form the propagation path of the unknown virus from the file operations reported by each terminal. The specific method is as follows: the machine that created the unknown virus at the earliest time is identified as the first machine, i.e. the infection source. The machine that created the file at the next time is determined to be the first infected machine, and so on in turn. If several machines created the file at exactly the same time, they are judged to have been infected at the same time by other machines. The result is an infection sequence, namely the propagation path of the unknown virus.
The unknown virus infection tracing method provided by the embodiment of the invention is applied to an unknown virus infection tracing engine and comprises the following steps: receiving the file content of a monitored file sent by a terminal, and extracting a first characteristic and a second characteristic from the file content, where the first characteristic is the MD5 characteristic of the whole file content and the second characteristic is the MD5 characteristic of the local file content; judging, based on the first and second characteristics, whether the monitored file is a suspected unknown virus file; if so, running the suspected unknown virus file in a sandbox and judging whether it exhibits virus behavior characteristics; if so, determining the suspected unknown virus file with virus behavior characteristics to be an unknown virus; receiving the file operations reported by all terminals and locating the infection source of the unknown virus from the MD5 value of its first characteristic and the operation information of those file operations; and ordering all instances of the unknown virus by infection time, starting from the infection source, to form the propagation path of the unknown virus. According to the embodiment of the invention, the propagation process of an unknown virus can be reconstructed from file content and file operations, so that a tracing engine for the propagation path of unknown viruses can be realized, the weaknesses of an information system can be discovered, and the information system can be effectively reinforced.
Referring to fig. 2, step S102 may include the steps of:
Step S201, calculating, from the first characteristic, a first ratio of the terminals holding a file with the first characteristic to all terminals;
Step S202, if the first ratio is greater than or equal to a first preset ratio, determining the monitored file to be a suspected unknown virus file;
Step S203, if the first ratio is smaller than the first preset ratio, determining the monitored file to be a suspected normal file;
Step S204, calculating, from the second characteristic, a second ratio of the terminals holding a suspected normal file with the second characteristic to all terminals;
Step S205, if the second ratio is greater than or equal to a second preset ratio, determining the suspected normal file to be a suspected unknown virus file.
Further, step S102 also includes the following step: Step S206, if the second ratio is smaller than the second preset ratio, determining the suspected normal file to be a normal file.
In the embodiment of the present invention, the first preset ratio is determined according to actual conditions, and is set to be 50% in the embodiment of the present invention, and the embodiment of the present invention does not specifically limit specific data thereof. The determination of the unknown virus based on the first and second characteristics improves accuracy.
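The screening of steps S201 to S206 on the whole-file and first-half MD5 characteristics, followed by the infection-source and propagation-path reconstruction of steps S105 and S106, as an added Python example that is not part of the patent. The terminal names, timestamps and file bytes are constructed for the demonstration, and the second preset ratio is assumed to be 50% like the first.

```python
import hashlib
from collections import defaultdict

# Thresholds: the page sets the first preset ratio to 50%; the second is
# assumed to be 50% as well (the page only states 50% in its S102 discussion).
FIRST_PRESET_RATIO = 0.5
SECOND_PRESET_RATIO = 0.5


def features(content: bytes):
    """First characteristic (MD5 of the whole file) and second characteristic
    (MD5 of the first 50% of the file length), as hex digests."""
    whole = hashlib.md5(content).hexdigest()
    first_half = hashlib.md5(content[: len(content) // 2]).hexdigest()
    return whole, first_half


def classify(whole, first_half, reports, n_terminals):
    """Steps S201-S206. `reports` lists (terminal, whole_md5, first_half_md5)
    for every monitored file on every terminal; returns the page's verdict."""
    # S201/S202: share of terminals holding a file with the same whole-file MD5
    first_ratio = len({t for t, w, _ in reports if w == whole}) / n_terminals
    if first_ratio >= FIRST_PRESET_RATIO:
        return "suspected unknown virus file"
    # S203/S204: suspected normal, so re-check on the first-half MD5, which
    # survives an in-place modification of the tail of the file
    second_ratio = len({t for t, _, h in reports if h == first_half}) / n_terminals
    # S205/S206
    if second_ratio >= SECOND_PRESET_RATIO:
        return "suspected unknown virus file"
    return "normal file"


def propagation_path(whole_md5, file_ops):
    """Steps S105/S106. `file_ops` are the operations reported by all terminals
    as dicts {terminal, md5, op, time}. Creation events of the confirmed
    unknown virus (matched on the first characteristic) are grouped by
    creation time: the earliest group is the infection source, later groups
    follow in time order, and terminals sharing a timestamp are reported
    together as infected at the same time."""
    by_time = defaultdict(set)
    for op in file_ops:
        if op["op"] == "create" and op["md5"] == whole_md5:
            by_time[op["time"]].add(op["terminal"])
    # ISO-8601 timestamps of identical form sort chronologically as strings
    path = [sorted(terminals) for _, terminals in sorted(by_time.items())]
    source = path[0] if path else []
    return source, path


# ---- constructed sample data (not from the page) ----
PAYLOAD = bytes(range(64))                      # the unknown virus file
VARIANT = PAYLOAD[:56] + b"\xff" * 8            # same file, tail overwritten in place
BENIGN = b"hello world, this is an ordinary document".ljust(64, b".")

# one monitored file per terminal: (terminal, whole MD5, first-half MD5);
# t2 holds the tail-modified variant of the payload
REPORTS = [
    ("t1", *features(PAYLOAD)),
    ("t2", *features(VARIANT)),
    ("t3", *features(PAYLOAD)),
    ("t4", *features(BENIGN)),
]
N_TERMINALS = 4

# file operations reported by the terminals; the payload was created on t1
# first, then on t2 and t3 at the same time (t2 later modified it in place)
FILE_OPS = [
    {"terminal": "t1", "md5": features(PAYLOAD)[0], "op": "create", "time": "2019-10-10T08:00:00"},
    {"terminal": "t1", "md5": features(PAYLOAD)[0], "op": "execute", "time": "2019-10-10T08:01:00"},
    {"terminal": "t3", "md5": features(PAYLOAD)[0], "op": "create", "time": "2019-10-10T08:05:00"},
    {"terminal": "t2", "md5": features(PAYLOAD)[0], "op": "create", "time": "2019-10-10T08:05:00"},
    {"terminal": "t4", "md5": features(BENIGN)[0], "op": "create", "time": "2019-10-10T07:30:00"},
]


def run_demo():
    """Classify each sample file and rebuild the propagation path of the payload."""
    samples = (("payload", PAYLOAD), ("variant", VARIANT), ("benign", BENIGN))
    verdicts = {name: classify(*features(data), REPORTS, N_TERMINALS)
                for name, data in samples}
    source, path = propagation_path(features(PAYLOAD)[0], FILE_OPS)
    return verdicts, source, path


if __name__ == "__main__":
    verdicts, source, path = run_demo()
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    print("infection source:", source)
    print("propagation path:", path)
```

Because the second characteristic covers the first 50% of the file length, it only survives changes that keep the length unchanged; appending data moves the midpoint and changes the hash, so a deployment would more likely hash a fixed-length prefix. MD5 appears here because the page specifies it; a production implementation would normally choose a collision-resistant hash such as SHA-256.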
Example two:
referring to fig. 3, an embodiment of the present invention provides an unknown virus infection tracing apparatus, where the unknown virus infection tracing apparatus is applied to an unknown virus infection tracing engine, and the apparatus includes:
the receiving module 11 is configured to receive file content of a monitoring file sent by a terminal, and extract a first feature and a second feature from the file content; wherein the first characteristic is the MD5 characteristic of the whole file content, and the second characteristic is the MD5 characteristic of the local file content;
the judging module 12 is configured to judge whether the monitored file is a suspected unknown virus file based on the first characteristic and the second characteristic;
the processing and judging module 13 is configured to, if yes, place the suspected unknown virus file in a sandbox for processing, and judge whether the suspected unknown virus file has virus behavior characteristics;
a determining module 14, configured to determine, if yes, a suspected unknown virus file with virus behavior characteristics as an unknown virus;
the receiving and searching module 15 is configured to receive file operations reported by all terminals, and search for an infection source of an unknown virus based on the MD5 value of the first characteristic of the unknown virus and operation information of the file operations;
and the sequencing module 16 is used for sequencing all the unknown viruses according to the infection time sequence of each unknown virus based on the infection source to form a propagation path of the unknown viruses.
The unknown virus infection tracing device provided by the embodiment of the invention is applied to an unknown virus infection tracing engine and works as follows: the receiving module receives the file content of a monitored file sent by a terminal and extracts a first characteristic and a second characteristic from it, where the first characteristic is the MD5 characteristic of the whole file content and the second characteristic is the MD5 characteristic of the local file content; the judging module judges, based on the first and second characteristics, whether the monitored file is a suspected unknown virus file; if so, the processing and judging module runs the suspected unknown virus file in a sandbox and judges whether it exhibits virus behavior characteristics; if so, the determining module determines the suspected unknown virus file with virus behavior characteristics to be an unknown virus; the receiving and searching module receives the file operations reported by all terminals and locates the infection source of the unknown virus from the MD5 value of its first characteristic and the operation information of those file operations; and the ordering module orders all instances of the unknown virus by infection time, starting from the infection source, to form the propagation path of the unknown virus. According to the embodiment of the invention, the propagation process of an unknown virus can be reconstructed from file content and file operations, so that a tracing engine for the propagation path of unknown viruses can be realized, the weaknesses of an information system can be found, and the information system can be effectively reinforced.
Further, referring to fig. 4, the determining module 12 includes the following units:
the first calculating unit 21 is configured to calculate a first ratio of the terminal where the file with the first feature is located to all terminals based on the first feature;
the first determining unit 22 is configured to determine the monitoring file as a suspected unknown virus file if the first proportion is greater than or equal to a first preset ratio;
the second determining unit 23 is configured to determine the monitoring file as a suspected normal file if the first percentage is smaller than a first preset ratio;
the second calculating unit 24 is configured to calculate, based on the second feature, a second ratio between the terminal where the suspected normal file having the second feature is located and all terminals;
and a third determining unit 25, configured to determine the suspected normal file as a suspected unknown virus file if the second proportion is greater than or equal to a second preset ratio.
Further, the determining module 12 further includes the following units: a fourth determining unit 26, configured to determine the suspected normal file as a normal file if the second proportion is smaller than the second preset ratio.
The embodiment of the invention can effectively solve the problem that the unknown virus cannot trace the propagation path. According to the embodiment of the invention, the time and the machine of the first occurrence of the unknown virus and the propagation path are confirmed by combining the whole network analysis through the file operation extraction technology and the file content extraction technology, so that the tracking and tracing of the unknown virus are realized.
Example three:
Referring to fig. 5, an embodiment of the present invention provides an unknown virus infection tracing system comprising an unknown virus infection tracing engine 30, at least one terminal 40 and a visual presentation system 50. The terminal 40 provides the file content and file operations of monitored files on the terminal to the unknown virus infection tracing engine; the engine 30 receives the file content and file operations and forms the propagation path of an unknown virus from them; the visual presentation system 50 displays the propagation path.
In this embodiment, the unknown virus infection tracing engine 30 receives the file feature data reported by each terminal 40 and forms a tracing result after analyzing the global data, where global data analysis means whole-network data analysis. The tracing result includes the first machine infected by the unknown virus file, referred to for short as the infection source, and the propagation and diffusion path, referred to for short as the propagation path. The unknown virus infection tracing engine 30 also provides the infection source and propagation path to the visual presentation system 50, which may present them through a World Wide Web interface.
In this embodiment, the unknown virus infection tracing engine 30 builds infection tracing for unknown viruses on file monitoring and whole-network analysis; an unknown virus here means an unknown virus file. The system incorporates file landing monitoring, that is, monitoring of the creation and execution of each file on the terminal 40. Its tracing principle is to find the propagation path of the unknown virus file from the file creation behavior of the terminal hosts; the propagation process can then be displayed by the visual presentation system.
Further, the terminal 40 includes a file content extraction subsystem 41, which provides the file content of monitored files on the terminal to the unknown virus infection tracing engine, and a file operation extraction subsystem 42, which provides the file operations of monitored files on the terminal to the unknown virus infection tracing engine.
In this embodiment an agent program is installed on the terminal; the agent is a software package that records and generates unknown virus infection data. The file content and file operations of monitored files provided by the terminal are assets of the information system. The terminal is both the monitored object and the object infected by unknown viruses.
The file content extraction subsystem 41 is configured to extract the first feature and the second feature of the monitored file so that monitored files can be compared. It works as follows: (1) extract the MD5 value of the whole monitored file, together with the file size in bytes; (2) extract the MD5 value of the first half of the monitored file's content, where the first half means the first 50% of the file length.
The file operation extraction subsystem 42 is used to provide the file operations of the monitored file on the terminal to the unknown virus infection tracing engine. It works as follows: (1) it records process data such as the creation and execution of monitored files, whether produced by manual operation or automatically by a program; (2) it installs hooks on the operation functions of the file system, such as file open, create, read, write, close and attribute change. It should be noted that the hooks are installed at the virtual file system level rather than on a specific file system. The hook function normally runs in the kernel as part of the virtual file system, so once file behavior data has been captured it must be passed to a user-mode component on the terminal, which stores the relevant information. (3) It collects data inside the hook function, including operation information such as operation start time, operation end time, operation item, name of the operating process, name of the operating user and file permissions.
In this embodiment, the unknown virus infection tracing engine restores the transmission process of an unknown virus file from the file content extracted by the file content extraction subsystem and the file operations extracted by the file operation extraction subsystem. Starting from the infection source, the system determines the time at which the unknown virus first appeared on a given terminal device and the time at which it first landed on each other terminal, and can query and restore the process by which it spread to further terminal devices, forming a global diffusion path. Weaknesses of the information system can thereby be discovered and the system effectively reinforced. The embodiment not only traces the propagation path of unknown viruses but also provides a reference for threat disposal.
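The tracing step built on the file operation records described above (finding the infection source and propagation path of one unknown virus from its whole-file MD5, then ordering all unknown viruses by infection time), as an added Python example written for this page; it is not the patent's or the assignee's code. The record layout, which carries the operation fields the description lists (start time, end time, operation item, process name, user name, file permissions) plus terminal, path and whole-file MD5, the choice of which operations count as a file "landing", and every sample line are constructed assumptions.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime

# Operations that put file content onto a terminal ("file landing"). The
# description names creation as the key tracing event; treating create and
# write as landing events, and read/execute as not, is this example's choice.
LANDING_OPERATIONS = {"create", "write"}

# Constructed first-feature (whole-file MD5) values: two unknown viruses and a
# benign file. Only the virus hashes are handed to the tracing functions.
VIRUS_A = hashlib.md5(b"constructed unknown virus sample A").hexdigest()
VIRUS_B = hashlib.md5(b"constructed unknown virus sample B").hexdigest()
BENIGN = hashlib.md5(b"constructed benign document").hexdigest()

# Constructed file-operation records, deliberately out of chronological order.
# Layout (assumed for this example, not the patent's format):
# terminal|start|end|operation|process|user|permissions|path|first_feature_md5
SAMPLE_OPERATIONS = f"""\
host-03|2019-10-09T08:05:40|2019-10-09T08:05:41|create|System|SYSTEM|rw-rw-r--|C:/Users/Public/invoice.exe|{VIRUS_A}
host-07|2019-10-09T08:01:12|2019-10-09T08:01:13|create|outlook.exe|alice|rw-r--r--|C:/Users/alice/Downloads/invoice.exe|{VIRUS_A}
host-03|2019-10-09T07:00:00|2019-10-09T07:00:01|create|winword.exe|bob|rw-r--r--|C:/Users/bob/Documents/budget.docx|{BENIGN}
host-07|2019-10-09T08:02:00|2019-10-09T08:02:09|execute|explorer.exe|alice|rwxr-xr-x|C:/Users/alice/Downloads/invoice.exe|{VIRUS_A}
host-12|2019-10-09T08:04:10|2019-10-09T08:04:10|create|System|SYSTEM|rw-rw-r--|C:/Users/Public/invoice.exe|{VIRUS_A}
host-03|2019-10-09T08:06:00|2019-10-09T08:06:00|read|explorer.exe|bob|rw-rw-r--|C:/Users/Public/invoice.exe|{VIRUS_A}
host-07|2019-10-09T09:45:00|2019-10-09T09:45:02|write|System|SYSTEM|rw-rw-r--|C:/Users/Public/update.exe|{VIRUS_B}
host-12|2019-10-09T09:30:00|2019-10-09T09:30:01|create|chrome.exe|carol|rw-r--r--|C:/Users/carol/Downloads/update.exe|{VIRUS_B}
"""


@dataclass(frozen=True)
class FileOperation:
    terminal: str
    start: datetime
    end: datetime
    operation: str
    process: str
    user: str
    permissions: str
    path: str
    md5: str


def parse_operations(text: str) -> list[FileOperation]:
    """Parse pipe-separated records as reported by the terminals."""
    ops = []
    for line in text.splitlines():
        if not line.strip():
            continue
        terminal, start, end, op, proc, user, perms, path, md5 = line.split("|")
        ops.append(FileOperation(terminal, datetime.fromisoformat(start),
                                 datetime.fromisoformat(end), op, proc, user,
                                 perms, path, md5))
    return ops


def first_landings(ops: list[FileOperation], virus_md5: str) -> list[FileOperation]:
    """Earliest landing event per terminal for one unknown virus, sorted by
    time. The first entry is the infection source; the order is the path."""
    earliest: dict[str, FileOperation] = {}
    for op in ops:
        if op.md5 != virus_md5 or op.operation not in LANDING_OPERATIONS:
            continue
        current = earliest.get(op.terminal)
        if current is None or op.start < current.start:
            earliest[op.terminal] = op
    return sorted(earliest.values(), key=lambda o: o.start)


def infection_source(ops: list[FileOperation], virus_md5: str) -> str | None:
    landings = first_landings(ops, virus_md5)
    return landings[0].terminal if landings else None


def propagation_path(ops: list[FileOperation], virus_md5: str) -> list[str]:
    return [o.terminal for o in first_landings(ops, virus_md5)]


def sequence_unknown_viruses(ops: list[FileOperation],
                             virus_md5s: list[str]) -> list[tuple[str, str, datetime]]:
    """Order all unknown viruses by the time each first infected any terminal;
    returns (md5, infection_source, first_infection_time) per virus."""
    entries = []
    for md5 in virus_md5s:
        landings = first_landings(ops, md5)
        if landings:
            entries.append((md5, landings[0].terminal, landings[0].start))
    return sorted(entries, key=lambda e: e[2])


if __name__ == "__main__":
    ops = parse_operations(SAMPLE_OPERATIONS)
    for md5, source, when in sequence_unknown_viruses(ops, [VIRUS_B, VIRUS_A]):
        print(md5, "source:", source, "at", when.isoformat(),
              "path:", " -> ".join(propagation_path(ops, md5)))
```

The first landing per terminal defines that terminal's infection time, so later reads or executions of the same file there do not move it in the path. Ordering across terminals is only as trustworthy as the terminals' clocks: an engine doing this in production should normalise agent timestamps to a common time source, or record its own receipt time alongside each report, before ranking infection sources.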
In another embodiment of the present invention, an electronic device is further provided, comprising a memory and a processor, where the memory stores a computer program executable on the processor, and the processor implements the steps of the method embodiment above when executing the computer program.
In yet another embodiment of the invention, a computer-readable medium is provided that carries non-volatile program code executable by a processor, the program code causing the processor to perform the method of the method embodiment above.
In the description of the present invention, it should be noted that the terms "first", "second", and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. An unknown virus infection tracing method, applied to an unknown virus infection tracing engine, comprising the following steps:
receiving file content of a monitored file sent by a terminal, and extracting a first feature and a second feature from the file content, wherein the first feature is the MD5 value of the whole file content and the second feature is the MD5 value of part of the file content;
judging, based on the first feature and the second feature, whether the monitored file is a suspected unknown virus file;
if so, placing the suspected unknown virus file in a sandbox for processing, and judging whether the suspected unknown virus file has virus behavior characteristics;
if so, determining the suspected unknown virus file having the virus behavior characteristics to be an unknown virus;
receiving file operations reported by all terminals, and searching for the infection source of the unknown virus based on the MD5 value of the first feature of the unknown virus and the operation information of the file operations;
sequencing all the unknown viruses by the infection time of each unknown virus, based on the infection sources, to form a propagation path of the unknown viruses;
wherein judging, based on the first feature and the second feature, whether the monitored file is a suspected unknown virus file comprises:
calculating, based on the first feature, a first ratio of the terminals holding a file with the first feature to all terminals;
if the first ratio is greater than or equal to a first preset ratio, determining the monitored file to be a suspected unknown virus file;
if the first ratio is smaller than the first preset ratio, determining the monitored file to be a suspected normal file;
calculating, based on the second feature, a second ratio of the terminals holding a suspected normal file with the second feature to all terminals;
and if the second ratio is greater than or equal to a second preset ratio, determining the suspected normal file to be a suspected unknown virus file.
2. The unknown virus infection tracing method according to claim 1, further comprising:
if the second ratio is smaller than the second preset ratio, determining the suspected normal file to be a normal file.
3. An unknown virus infection tracing device, applied to an unknown virus infection tracing engine, comprising:
a receiving module, used to receive file content of a monitored file sent by a terminal and to extract a first feature and a second feature from the file content, wherein the first feature is the MD5 value of the whole file content and the second feature is the MD5 value of part of the file content;
a judging module, used to judge, based on the first feature and the second feature, whether the monitored file is a suspected unknown virus file;
a processing and judging module, used to place the suspected unknown virus file in a sandbox for processing if the monitored file is a suspected unknown virus file, and to judge whether the suspected unknown virus file has virus behavior characteristics;
a determining module, used to determine the suspected unknown virus file having the virus behavior characteristics to be an unknown virus if it has the virus behavior characteristics;
a receiving and searching module, used to receive file operations reported by all terminals and to search for the infection source of the unknown virus based on the MD5 value of the first feature of the unknown virus and the operation information of the file operations;
a sequencing module, used to sequence all the unknown viruses by the infection time of each unknown virus, based on the infection sources, to form the propagation paths of the unknown viruses;
wherein the judging module comprises:
a first calculating unit, used to calculate, based on the first feature, a first ratio of the terminals holding a file with the first feature to all terminals;
a first determining unit, configured to determine the monitored file to be a suspected unknown virus file if the first ratio is greater than or equal to a first preset ratio;
a second determining unit, configured to determine the monitored file to be a suspected normal file if the first ratio is smaller than the first preset ratio;
a second calculating unit, used to calculate, based on the second feature, a second ratio of the terminals holding a suspected normal file with the second feature to all terminals;
and a third determining unit, used to determine the suspected normal file to be a suspected unknown virus file if the second ratio is greater than or equal to a second preset ratio.
4. The unknown virus infection tracing device according to claim 3, wherein the judging module further comprises:
a fourth determining unit, used to determine the suspected normal file to be a normal file if the second ratio is smaller than the second preset ratio.
5. An unknown virus infection tracing system, comprising: an unknown virus infection tracing engine for executing the unknown virus infection tracing method according to any one of claims 1 to 2, at least one terminal, and a visual presentation system;
the terminal is used to provide the file content and file operations of a monitored file on the terminal to the unknown virus infection tracing engine;
the unknown virus infection tracing engine is used to receive the file content and the file operations and to form a propagation path of an unknown virus based on the file content and the file operations;
and the visual presentation system is used to display the propagation path.
6. The unknown virus infection tracing system according to claim 5, wherein the terminal comprises a file content extraction subsystem and a file operation extraction subsystem;
the file content extraction subsystem is used to provide the file content of the monitored file on the terminal to the unknown virus infection tracing engine;
and the file operation extraction subsystem is used to provide the file operations of the monitored file on the terminal to the unknown virus infection tracing engine.
7. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method according to any of claims 1 to 2 when executing the computer program.
8. A computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of any of claims 1 to 2.
CN201910957252.6A 2019-10-09 2019-10-09 Unknown virus infection tracing method, device and system Active CN110688658B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910957252.6A CN110688658B (en) 2019-10-09 2019-10-09 Unknown virus infection tracing method, device and system

Publications (2)

Publication Number Publication Date
CN110688658A CN110688658A (en) 2020-01-14
CN110688658B true CN110688658B (en) 2021-08-20

Family

ID=69111987

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910957252.6A Active CN110688658B (en) 2019-10-09 2019-10-09 Unknown virus infection tracing method, device and system

Country Status (1)

Country Link
CN (1) CN110688658B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113935030B (en) * 2020-07-14 2024-04-09 深信服科技股份有限公司 Virus characteristic extraction method, system, storage medium and terminal
CN112149115A (en) * 2020-08-28 2020-12-29 杭州安恒信息技术股份有限公司 Method and device for updating virus library, electronic device and storage medium
CN112989349B (en) * 2021-04-19 2021-08-13 腾讯科技(深圳)有限公司 Virus detection method, device, equipment and storage medium
CN113360904A (en) * 2021-05-17 2021-09-07 杭州美创科技有限公司 Unknown virus detection method and system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102457841A (en) * 2010-10-28 2012-05-16 西门子公司 Method and device for detecting virus
CN102945349A (en) * 2012-10-19 2013-02-27 北京奇虎科技有限公司 Method and device for processing unknown files
CN102945348A (en) * 2012-10-19 2013-02-27 北京奇虎科技有限公司 Method and device for collecting file information
CN103310155A (en) * 2013-06-17 2013-09-18 腾讯科技(深圳)有限公司 Method and device for searching virus parent
CN104239795A (en) * 2014-09-16 2014-12-24 百度在线网络技术(北京)有限公司 File scanning method and device
CN109359467A (en) * 2018-10-10 2019-02-19 杭州安恒信息技术股份有限公司 For the unknown accurate identification for extorting virus and the whole network linkage defense method and system
CN109492399A (en) * 2019-01-17 2019-03-19 腾讯科技(深圳)有限公司 Risk file test method, device and computer equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8201244B2 (en) * 2006-09-19 2012-06-12 Microsoft Corporation Automated malware signature generation
CN109829304B (en) * 2018-12-29 2021-04-13 奇安信科技集团股份有限公司 Virus detection method and device

Also Published As

Publication number Publication date
CN110688658A (en) 2020-01-14

Similar Documents

Publication Publication Date Title
CN110688658B (en) Unknown virus infection tracing method, device and system
US9208307B2 (en) Automatic algorithm discovery using reverse dataflow analysis
CN109101815B (en) Malicious software detection method and related equipment
US10382477B2 (en) Identification apparatus, control method therefor, and storage medium
CN110474900B (en) Game protocol testing method and device
CN110737892B (en) Detection method aiming at APC injection and related device
US11366907B2 (en) Malware analysis device, malware analysis method, and storage medium having malware analysis program contained therein
CA2816781C (en) Identifying client states
CN109255240B (en) Vulnerability processing method and device
JP6282217B2 (en) Anti-malware system and anti-malware method
CN111222137A (en) Program classification model training method, program classification method and device
CN112148305A (en) Application detection method and device, computer equipment and readable storage medium
CN115062309A (en) Vulnerability mining method based on equipment firmware simulation under novel power system and storage medium
CN111913878A (en) Program analysis result-based bytecode instrumentation method, device and storage medium
JP5967225B2 (en) Data update omission inspection device, data update omission inspection method, data update omission inspection program
CN110727565B (en) Network equipment platform information collection method and system
CN113110870B (en) Resource packaging management method, device, equipment and storage medium
CN114610577A (en) Target resource locking method, device, equipment and medium
US11657160B2 (en) Vulnerability analyzer
US11513884B2 (en) Information processing apparatus, control method, and program for flexibly managing event history
CN111338956A (en) Automatic pressure measurement method, device, equipment and storage medium
CN106203076B (en) Method for judging malicious file by utilizing EBP (electronic book protocol)
CN111444144A (en) File feature extraction method and device
CN111625853B (en) Snapshot processing method, device and equipment and readable storage medium
CN117688564B (en) Detection method, device and storage medium for intelligent contract event log

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant