CN114386023A - Terminal data detection method and device, computer equipment and storage medium - Google Patents


Publication number
CN114386023A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111650730.2A
Other languages
Chinese (zh)
Inventor
陈宇
李雪峰
田书铭
梁彧
傅强
蔡琳
杨满智
田野
王杰
金红
陈晓光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a terminal data detection method and device, computer equipment, and a storage medium. The method comprises: monitoring file data, wherein the file data is generated according to at least one naming feature sent by a server, and the naming feature is a feature word representing sensitive information; and, if a preset operation by a user on the file data is detected, triggering a preset response rule. If an attacker performs the preset operation on the file data, the response rule is triggered and security measures such as blocking are taken against the attacker. The file data thus actively traps attackers, and the response rule protects the security of the file data when an attacker performs the preset operation on it, thereby improving data protection efficiency.

Description

Terminal data detection method and device, computer equipment and storage medium
Technical Field
The embodiment of the invention relates to a network security technology, in particular to a terminal data detection method, a terminal data detection device, computer equipment and a storage medium.
Background
With the wide use of network technology, network threats have gradually shifted from attacks on systems to the theft of important data, and data security is receiving more and more attention. Once a Personal Computer (PC) is networked, the data stored on it is exposed to the network, which creates a security risk.
At present, data on a personal computer is encrypted, for example with newer encryption technology, to improve data security. However, this approach can only protect data passively when an attacker steals it; it cannot trap the attacker and therefore cannot protect the data actively, so data protection efficiency is low.
Disclosure of Invention
The invention provides a terminal data detection method, a terminal data detection device, computer equipment and a storage medium, which are used for actively trapping attackers and improving data protection efficiency.
In a first aspect, an embodiment of the present invention provides a terminal data detection method, including:
monitoring file data, wherein the file data is generated according to at least one naming feature sent by a server, and the naming feature is a feature word representing sensitive information;
and, if a preset operation by a user on the file data is detected, triggering a preset response rule.
In a second aspect, an embodiment of the present invention further provides a terminal data detection apparatus, including:
a monitoring module, configured to monitor file data, wherein the file data is generated according to at least one naming feature sent by a server, and the naming feature is a feature word representing sensitive information;
and a response module, configured to trigger a preset response rule if a preset operation by a user on the file data is detected.
In a third aspect, an embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the terminal data detection method shown in the embodiment of the present application.
In a fourth aspect, the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform the terminal data detection method according to the embodiment of the present application.
The terminal data detection method provided by the invention monitors file data, wherein the file data is generated according to at least one naming feature sent by a server, and the naming feature is a feature word representing sensitive information; if a preset operation by a user on the file data is detected, a preset response rule is triggered. If an attacker performs the preset operation on the file data, the response rule is triggered and security measures such as blocking are taken against the attacker. The file data thus actively traps attackers, and the response rule protects the security of the file data when an attacker performs the preset operation on it, thereby improving data protection efficiency.
Drawings
Fig. 1 is a flowchart of a terminal data detection method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a terminal data detection method according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a terminal data detection apparatus according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a computer device in the fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a terminal data detection method according to the first embodiment of the present invention. This embodiment is applicable to attack detection on file data in a terminal such as a computing device. The method may be executed by a terminal such as a computer device, a smartphone, or a tablet computer, and specifically includes the following steps:
Step 110: monitor the file data.
The file data is generated according to at least one naming feature sent by the server, and the naming feature is a feature word representing sensitive information.
The naming feature is a feature word, obtained by the server, that represents sensitive information. Attackers usually search for file data based on such feature words.
Only the name of the file data may be generated, or the content of the file data may be generated together with the name. To resemble real data more closely, the data volume of the file data should be consistent with that of genuine data, so content can be filled into the file data based on the naming features.
Further, before the file data is monitored in step 110, the method further includes:
receiving at least one naming feature sent by the server; generating corresponding file data according to the naming feature, wherein the file data is a file or a folder; and storing the file data in a preset storage location.
This embodiment is applied on the terminal: the terminal generates the file data according to the naming features issued by the server, so detection of an attacker can be completed locally on the terminal while the load on the server is reduced.
Optionally, storing the file data in a preset storage location may be implemented as follows:
storing the file data in a root directory of a storage space.
Step 120: if a preset operation by the user on the file data is detected, trigger a preset response rule.
The preset operation may be an operation related to attack behavior that the server has collected in advance.
Optionally, triggering a preset response rule when a preset operation by the user on the file data is detected may be implemented as follows:
if a read operation or a write operation by the user on the file data is detected, trigger the preset response rule.
Optionally, the response rule includes at least one of blocking, alerting, redirecting, and trap tracking.
When a user is found to have performed a read operation or a write operation on the file data, that user is determined to be an attacker and is handled according to the preset response rule. For example, the user is blocked from connecting to the terminal. As another example, an alarm may be issued to a network security department or to the end user. As another example, the content the user accesses is redirected to other data so that the user cannot access the terminal. As another example, the user's network address may be stored and the user tracked based on that address.
The terminal data detection method provided by the invention monitors file data, wherein the file data is generated according to at least one naming feature sent by a server, and the naming feature is a feature word representing sensitive information; if a preset operation by a user on the file data is detected, a preset response rule is triggered. If an attacker performs the preset operation on the file data, the response rule is triggered and security measures such as blocking are taken against the attacker. The file data thus actively traps attackers, and the response rule protects the security of the file data when an attacker performs the preset operation on it, thereby improving data protection efficiency.
Example two
Fig. 2 is a flowchart of a terminal data detection method according to the second embodiment of the present invention, which further elaborates on the above embodiment. Before monitoring the file data, the method further includes: receiving the naming feature, the detection start time, and the response rule corresponding to the naming feature sent by the server. Correspondingly, monitoring the file data includes: monitoring the file data according to the detection start time. On this basis, the terminal data detection method provided by this embodiment may be implemented as follows:
Step 210: receive the naming feature, the detection start time, and the response rule corresponding to the naming feature sent by the server.
Optionally, the naming feature, the detection start time, and the response rule corresponding to the naming feature are set by the user through the server.
The server receives at least one naming feature set by the user, the start time of active auditing, the terminals to deploy to, and the response rule corresponding to each naming feature, wherein the naming feature is a feature word representing sensitive information. Before a terminal can defend actively, the relevant information must be preset on the server; after the setting is completed, the settings are deployed to the corresponding terminals. The user can set naming features on the server. A naming feature is a feature word that characterizes sensitive information, that is, a feature word of interest to an attacker, such as: personal information, company secrets, national secrets, innovative inventions, etc. It should be noted that the naming features can be set according to actual needs. In this way, it is possible to anticipate which types of information are of more interest to an attacker and more likely to be stolen from or tampered with on the terminal.
Different naming features may have different response rules, each including at least one of blocking, alerting, redirecting, and trap tracking. For example, the response rules for a naming feature may be alarm and trap tracking; blocking and redirection; or blocking, alarm, and trap tracking.
Further, the user may set other parameters on the server, such as the location of deployment on the terminal.
Step 220: monitor the file data according to the detection start time.
The file data is generated according to at least one naming feature sent by the server, and the naming feature is a feature word representing sensitive information.
Step 230: if a preset operation by the user on the file data is detected, trigger a preset response rule.
The time periods in which attackers generally attack can be collected in advance, and the opening time or closing time of active defense is then set according to those periods; that is, once the naming features have been sent to the terminal, the terminal can be controlled to enable active defense during that period. This has the advantage of reducing the load on the processor to some extent.
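The flow of Examples one and two, from per-feature settings to decoy files to triggered response rules, written out as an added example (not code from the patent): decoys are created under a storage root, and constructed file-access events are checked against each naming feature's detection window. The field names, the `.txt` suffix, the 4096-byte size, and the event records are assumptions; the events are constructed inline because the page does not say how reads and writes are observed.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, time
from pathlib import Path

RESPONSES = {"block", "alarm", "redirect", "trap_track"}  # the four response rules in the text
TRIGGER_OPS = {"read", "write"}                           # the preset operations in the text


@dataclass(frozen=True)
class Policy:
    """Settings the server sends for one naming feature (field names are assumptions)."""
    feature: str      # feature word, used here as the decoy's file name
    start: time       # detection start (opening) time
    end: time         # detection closing time
    responses: tuple  # subset of RESPONSES

    def active_at(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end  # window wraps past midnight


def canon(path) -> str:
    """Resolve symlinks and '..' so an indirect path to a decoy still matches."""
    return os.path.normcase(os.path.realpath(path))


def deploy_decoys(policies, root, size=4096) -> dict:
    """Create one decoy file per naming feature under root; return {path: policy}."""
    decoys = {}
    for p in policies:
        unknown = set(p.responses) - RESPONSES
        if unknown:
            raise ValueError(f"unknown response rule(s): {sorted(unknown)}")
        line = f"{p.feature} record\n"
        filler = (line * (size // len(line) + 1)).encode()[:size]  # pad to a plausible size
        path = Path(root) / f"{p.feature}.txt"
        # O_EXCL: never overwrite a genuine file that already has this name.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(filler)
        decoys[canon(path)] = p
    return decoys


def evaluate(events, decoys) -> list:
    """Return one alert per read/write on a decoy inside its detection window."""
    alerts = []
    for ev in events:
        policy = decoys.get(canon(ev["path"]))
        if policy is None or ev["op"] not in TRIGGER_OPS:
            continue
        if not policy.active_at(ev["when"].time()):
            continue
        alerts.append({"feature": policy.feature, "user": ev["user"],
                       "source": ev["source"], "op": ev["op"],
                       "responses": policy.responses})
    return alerts


def demo() -> list:
    """Deploy two decoys in a temporary root and replay constructed access events."""
    policies = [
        Policy("company secrets", time(22, 0), time(6, 0), ("alarm", "trap_track")),
        Policy("personal information", time(8, 0), time(18, 0), ("block", "alarm")),
    ]

    def event(hour, minute, op, path):  # constructed sample record, not real telemetry
        return {"when": datetime(2024, 1, 15, hour, minute), "user": "guest",
                "source": "203.0.113.7", "op": op, "path": path}

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        decoys = deploy_decoys(policies, root)
        secrets = root / "company secrets.txt"
        indirect = os.path.join(tmp, "..", root.name, "personal information.txt")
        events = [
            event(23, 15, "read", secrets),             # decoy read inside the night window
            event(14, 0, "read", secrets),              # same decoy, outside its window
            event(9, 5, "write", indirect),             # decoy reached through '..'
            event(23, 20, "stat", secrets),             # not a preset operation
            event(23, 30, "read", root / "notes.txt"),  # not a decoy
        ]
        return evaluate(events, decoys)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Each alert carries the response rules configured for the naming feature that was touched; carrying out blocking, alerting, redirecting or trap tracking is left to the terminal's own enforcement code.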
Example three
Fig. 3 is a schematic structural diagram of a terminal data detection apparatus according to the third embodiment of the present invention. This embodiment is applicable to attack detection on file data in a terminal such as a computing device. The apparatus may be implemented in a terminal such as a computer device, a smartphone, or a tablet computer, and specifically includes: a monitoring module 310 and a response module 320.
The monitoring module 310 is configured to monitor file data, where the file data is generated according to at least one naming feature sent by a server, and the naming feature is a feature word representing sensitive information;
the response module 320 is configured to trigger a preset response rule if it is detected that the user performs a preset operation on the file data.
On the basis of the above embodiment, the apparatus further includes a file data generation module, configured to:
receive at least one naming feature sent by the server;
generate corresponding file data according to the naming feature, wherein the file data is a file or a folder;
and store the file data in a preset storage location.
On the basis of the above embodiment, the file data generation module is configured to:
store the file data in a root directory of a storage space.
On the basis of the above embodiment, the response module 320 is configured to:
trigger a preset response rule if a read operation or a write operation by the user on the file data is detected.
On the basis of the above embodiment, the response rule includes at least one of blocking, alarming, redirecting, and trap tracking.
On the basis of the above embodiment, the apparatus further includes a receiving module, configured to:
receive the naming feature, the detection start time, and the response rule corresponding to the naming feature sent by the server;
accordingly, the monitoring module 310 is configured to:
monitor the file data according to the detection start time.
On the basis of the above embodiment, the naming feature, the detection start time, and the response rule corresponding to the naming feature are set by the user through the server.
The terminal data detection device provided by the invention comprises a monitoring module 310, configured to monitor file data, wherein the file data is generated according to at least one naming feature sent by a server, and the naming feature is a feature word representing sensitive information;
and a response module 320, configured to trigger a preset response rule if a preset operation by the user on the file data is detected. If an attacker performs the preset operation on the file data, the response rule is triggered and security measures such as blocking are taken against the attacker. The file data thus actively traps attackers, and the response rule protects the security of the file data when an attacker performs the preset operation on it, thereby improving data protection efficiency.
The terminal data detection device provided by the embodiment of the invention can execute the terminal data detection method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example four
Fig. 4 is a schematic structural diagram of a computer apparatus according to a fourth embodiment of the present invention, as shown in fig. 4, the computer apparatus includes a processor 40, a memory 41, an input device 42, and an output device 43; the number of processors 40 in the computer device may be one or more, and one processor 40 is taken as an example in fig. 4; the processor 40, the memory 41, the input device 42 and the output device 43 in the computer apparatus may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 4.
The memory 41 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the terminal data detection method in the embodiment of the present invention (for example, the monitoring module 310, the response module 320, the file data generation module, and the receiving module in the terminal data detection apparatus). The processor 40 executes various functional applications and data processing of the computer device by running software programs, instructions and modules stored in the memory 41, that is, implements the above-described terminal data detection method.
The memory 41 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 41 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, memory 41 may further include memory located remotely from processor 40, which may be connected to a computer device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 42 is operable to receive input numeric or character information and to generate key signal inputs relating to user settings and function controls of the computer apparatus. The output device 43 may include a display device such as a display screen.
Example five
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions, when executed by a computer processor, perform a terminal data detection method, and the method includes:
monitoring file data, wherein the file data is generated according to at least one naming feature sent by a server, and the naming feature is a feature word representing sensitive information;
and, if a preset operation by the user on the file data is detected, triggering a preset response rule.
On the basis of the above embodiment, before monitoring the file data, the method further includes:
receiving at least one naming feature sent by the server;
generating corresponding file data according to the naming feature, wherein the file data is a file or a folder;
and storing the file data in a preset storage location.
On the basis of the foregoing embodiment, storing the file data in a preset storage location includes:
storing the file data in a root directory of a storage space.
On the basis of the foregoing embodiment, triggering a preset response rule if a preset operation by the user on the file data is detected includes:
triggering the preset response rule if a read operation or a write operation by the user on the file data is detected.
On the basis of the above embodiment, the response rule includes at least one of blocking, alarming, redirecting, and trap tracking.
On the basis of the above embodiment, before monitoring the file data, the method further includes:
receiving the naming feature, the detection start time, and the response rule corresponding to the naming feature sent by the server;
correspondingly, monitoring the file data includes:
monitoring the file data according to the detection start time.
On the basis of the above embodiment, the naming feature, the detection start time, and the response rule corresponding to the naming feature are set by the user through the server.
Of course, the storage medium containing the computer-executable instructions provided by the embodiments of the present invention is not limited to the method operations described above, and may also perform related operations in the terminal data detection method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the terminal data detection apparatus, each included unit and module are only divided according to functional logic, but are not limited to the above division as long as the corresponding function can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A terminal data detection method, characterized by comprising:
monitoring file data, wherein the file data is generated according to at least one naming feature sent by a server, and the naming feature is a feature word representing sensitive information;
and, if a preset operation by a user on the file data is detected, triggering a preset response rule.
2. The method of claim 1, further comprising, prior to monitoring the file data:
receiving at least one naming feature sent by the server;
generating corresponding file data according to the naming feature, wherein the file data is a file or a folder;
and storing the file data in a preset storage location.
3. The method according to claim 2, wherein storing the file data in a preset storage location comprises:
storing the file data in a root directory of a storage space.
4. The method according to claim 1, wherein triggering a preset response rule if a preset operation by a user on the file data is detected comprises:
triggering the preset response rule if a read operation or a write operation by the user on the file data is detected.
5. The method of claim 1, wherein the response rules include at least one of blocking, alerting, redirecting, and trap tracking.
6. The method of claim 1, further comprising, prior to monitoring the file data:
receiving the naming feature, the detection start time, and the response rule corresponding to the naming feature sent by the server;
correspondingly, monitoring the file data comprises:
monitoring the file data according to the detection start time.
7. The method of claim 6, wherein the naming feature, the detection start time, and the response rule corresponding to the naming feature are set by a user through the server.
8. A terminal data detection device, comprising:
a monitoring module, configured to monitor file data, wherein the file data is generated according to at least one naming feature sent by a server, and the naming feature is a feature word representing sensitive information;
and a response module, configured to trigger a preset response rule if a preset operation by a user on the file data is detected.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the terminal data detection method according to any one of claims 1 to 7 when executing the program.
10. A storage medium containing computer executable instructions for performing the terminal data detection method according to any one of claims 1 to 7 when executed by a computer processor.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111650730.2A CN114386023A (en) 2021-12-30 2021-12-30 Terminal data detection method and device, computer equipment and storage medium


Publications (1)

Publication Number Publication Date
CN114386023A true CN114386023A (en) 2022-04-22

Family

ID=81199345


Country Status (1)

Country Link
CN (1) CN114386023A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110944014A (en) * 2019-12-18 2020-03-31 北京天融信网络安全技术有限公司 Terminal data security active defense method and device
CN112769833A (en) * 2021-01-12 2021-05-07 恒安嘉新(北京)科技股份公司 Method and device for detecting command injection attack, computer equipment and storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination