
CN117851154A - A computer host operation abnormality identification system based on data analysis - Google Patents


Info

Publication number
CN117851154A
Authority
CN
China
Prior art keywords
data
computer
software
module
viruses
Prior art date
Legal status
Pending
Application number
CN202311646918.9A
Other languages
Chinese (zh)
Inventor
沈国良
刘立鑫
陈孝军
谢文武
朱鹏
余超
蔡梁元
Current Assignee
Wuhan Pansheng Dingcheng Technology Co ltd
Hunan Institute of Science and Technology
Original Assignee
Wuhan Pansheng Dingcheng Technology Co ltd
Hunan Institute of Science and Technology
Events
Application filed by Wuhan Pansheng Dingcheng Technology Co ltd and Hunan Institute of Science and Technology
Priority to CN202311646918.9A
Publication of CN117851154A
Legal status: Pending

Classifications

All classifications fall under G (Physics) > G06 (Computing or calculating; counting) > G06F (Electric digital data processing):

    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored (under G06F11/00 Error detection; error correction; monitoring > G06F11/30 Monitoring)
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored, where the computing system component is a software system
    • G06F11/3058 Monitoring arrangements for monitoring environmental properties or parameters of the computing system or of the computing system component, e.g. monitoring of power, currents, temperature, humidity, position, vibrations
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements: eliminating virus, restoring damaged files (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Mathematical Physics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a computer host operation abnormality identification system based on data analysis. The system comprises a central control module, a hardware monitoring module, a software monitoring module, a data acquisition module and an alarm module. The hardware monitoring module identifies and monitors abnormalities in the host's hardware data, and the software monitoring module identifies and monitors abnormalities in the host's software data. Because hardware and software anomalies are screened at the same time, the two kinds of monitoring complement each other and give a more complete picture of the host's security status, so that virus threats can be discovered and removed promptly. Important data is backed up on a regular schedule to prevent loss, which raises the host's security, and when an abnormality is detected the user is notified at once so that it can be found and handled in time.

Description

A computer host operation abnormality identification system based on data analysis

Technical Field

The invention belongs to the technical field of computer host security and, more specifically, relates to a computer host operation abnormality identification system based on data analysis.

Background

Computers run a wide variety of software, including operating systems, office software, games and design software, and provide users with many kinds of service. As computers have developed and spread, computer viruses have become a common security problem.

Viruses currently spread in many ways, for example through e-mail attachments, shared network folders and malicious websites. Once a host is infected, the result may be slow operation, lost files, leaked data or a system that no longer works normally. A computer host operation abnormality identification system based on data analysis is therefore needed.

Summary of the Invention

The purpose of the invention is to overcome the shortcomings of the prior art by proposing a computer host operation abnormality identification system based on data analysis.

To achieve this purpose, the invention provides the following technical solution: a computer host operation abnormality identification system based on data analysis, comprising a central control module, a hardware monitoring module, a software monitoring module, a data acquisition module and an alarm module. The hardware monitoring module and the software monitoring module are both connected to a local server; the hardware monitoring module identifies and monitors abnormalities in the host's hardware data, and the software monitoring module identifies and monitors abnormalities in the host's software data. Both monitoring modules are also connected to the central control module, which analyses the data they collect and decides whether the host's hardware data or software data is abnormal.

Preferably, the hardware monitoring module comprises a scheduled inspection unit, a data backup unit, an abnormality monitoring unit and a temperature monitoring unit. The scheduled inspection unit is built on the operating system's task scheduler: a new task is created, its trigger and action are set, and the scheduled task then runs a specified program or script at regular intervals, so that the computer is inspected on a schedule.

Preferably, the data backup unit regularly backs up important data to a reliable cloud service, so that data loss caused by a virus attack can be prevented;

The abnormality monitoring unit: viruses usually consume system resources and make the computer run slowly. By monitoring the usage of the CPU, memory, disk and other resources it is possible to judge whether a virus is present;

The temperature monitoring unit: a virus intrusion may overuse the computer's hardware resources and cause the machine to heat up. Monitoring hardware temperature therefore gives a preliminary indication of whether an intrusion has occurred.

Preferably, the software monitoring module is a core functional module integrated into antivirus or security software and is used to detect and remove viruses, Trojans and other malicious programs on the computer;

The software monitoring module comprises a scanning engine, a virus database, a behaviour analysis engine, a system warning prompt and sandbox technology, which together detect and remove viruses, Trojans and other malicious programs and protect the computer's safe and stable operation.

Preferably, the scanning engine is the core of the malware detection module; it scans the computer's files and key system areas looking for potential viruses and malicious programs;

The virus database is a database of known virus samples and signatures, used to compare against and identify viruses on the computer.

Preferably, the behaviour analysis engine monitors and analyses the runtime behaviour of programs to judge whether they are malicious, so that unknown viruses and malicious programs can also be detected;

The behaviour analysis engine comprises an open port check, a process check, a startup item check, a system account check, and a firewall and intrusion detection system;

Open port check: scanning the host's open ports reveals ports that may have been opened by a virus; scanning all of the host's ports from another machine additionally exposes ports that are hidden from the local view;

Process check: the running processes are examined, in particular with a process viewer that shows each process's path and startup arguments. An unknown process, or a process with suspicious arguments, is a possible sign of a virus and is listed as a suspicious process;

Startup item check: the computer's startup items, including services and scheduled tasks, are examined. A suspicious startup item may be a virus hiding itself by modifying system settings or adding an illegitimate service, and is listed as a suspicious startup item.

System account check: the system's account information is examined, in particular the administrator and guest accounts. An unknown account, or abnormal account behaviour, may be a backdoor left by an attacker, and is listed as a suspicious account.

Firewall and intrusion detection system: the firewall and IDS monitor and check the computer's network connections. In particular, when no legitimate program is using the network, a virus may still be transmitting data and causing abnormal traffic; monitoring network traffic reveals whether such virus-caused anomalies exist. An unknown connection or abnormal traffic may mean that a virus is transmitting data through a backdoor or a similar channel, so external attacks and the spread of malicious code can be discovered and blocked.

Preferably, the system warning prompt: when a possible virus attack is detected, the system automatically pops up a warning window that alerts the user and tells the user what measures to take to repair the damage and prevent recurrence.

Preferably, the sandbox technology is used to run suspicious processes, suspicious startup items, suspicious accounts and suspicious network traffic under safe conditions and to observe their behavioural characteristics in order to judge whether a virus is present; if a virus is found, its location and details are reported back to the central control module.

Preferably, the data acquisition module and the alarm module are both connected to the central control module, and the data acquisition module collects and stores the data gathered by the hardware monitoring module and the software monitoring module.

Preferably, the alarm module comprises a wireless signal transmission unit that sends the alarm information and the collected data over a wireless link to a remote mobile terminal, alerting the user that a virus has invaded the computer.

Technical effects and advantages: compared with the prior art, the computer host operation abnormality identification system based on data analysis provided by the invention has the following advantages:

By screening the host's software data for abnormalities at the same time as its hardware data, the two kinds of monitoring complement each other and give a more complete picture of the host's security status, so that virus threats are discovered and removed promptly. Important data is backed up regularly to prevent loss, which raises the host's security, and when an abnormality is detected the user is notified promptly so that it can be found and handled in time.

Brief Description of the Drawings

Fig. 1 is a schematic diagram of the structure of the invention;

Fig. 2 is a schematic diagram of the structure of the hardware monitoring module;

Fig. 3 is a schematic diagram of the structure of the software monitoring module;

Fig. 4 is a schematic diagram of the structure of the behaviour analysis engine.

Detailed Description

To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to specific embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.

As shown in Figs. 1-4, the invention provides a computer host operation abnormality identification system based on data analysis, comprising a central control module, a hardware monitoring module, a software monitoring module, a data acquisition module and an alarm module. The hardware monitoring module and the software monitoring module are both connected to a local server; the hardware monitoring module identifies and monitors abnormalities in the host's hardware data, and the software monitoring module identifies and monitors abnormalities in the host's software data. Both monitoring modules are also connected to the central control module, which analyses the data they collect and decides whether the host's hardware data or software data is abnormal;

The hardware monitoring module comprises a scheduled inspection unit, a data backup unit, an abnormality monitoring unit and a temperature monitoring unit. The scheduled inspection unit is built on the operating system's task scheduler: a new task is created, its trigger and action are set, and the scheduled task then runs a specified program or script at regular intervals, so that the computer is inspected on a schedule;

Data backup unit: important data is regularly backed up to a reliable cloud service, so that data loss caused by a virus attack can be prevented;

Abnormality monitoring unit: viruses usually consume system resources and make the computer run slowly. By monitoring the usage of the CPU, memory, disk and other resources it is possible to judge whether a virus is present;

Temperature monitoring unit: a virus intrusion may overuse the computer's hardware resources and cause the machine to heat up. Monitoring hardware temperature therefore gives a preliminary indication of whether an intrusion has occurred;
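The abnormality monitoring unit and the temperature monitoring unit described here (and the same units in the summary above) say which readings to watch but not how a reading becomes a finding. The Python script below is an added example and not code from the patent: it scores each metric against a rolling baseline with a robust z-score built from the median and the median absolute deviation, so that a few earlier bursts do not inflate the baseline, and it raises a finding only when the deviation persists for several consecutive samples, which filters out legitimate short bursts such as an update or a compile job. The readings are constructed and the thresholds and window sizes are assumptions to be tuned per fleet. A sustained spike is a reason to correlate with the process and connection checks of the behaviour analysis engine, not on its own proof of a virus.

```python
"""Robust baseline anomaly check for host resource and temperature telemetry.

Added example, not part of the patent. Sample readings are constructed; the
thresholds and window sizes are assumptions that a real deployment would tune.
"""
from statistics import median
from typing import Dict, List, Tuple

METRICS = ("cpu", "mem", "disk", "temp")   # percent, percent, percent, degrees C
ROBUST_Z_THRESHOLD = 6.0   # assumption: deviation (in scaled MAD units) that counts as abnormal
SUSTAIN_SAMPLES = 3        # assumption: must persist for this many consecutive samples
MAD_SCALE = 1.4826         # makes the MAD comparable to a standard deviation for normal data

Sample = Dict[str, float]


def robust_baseline(history: List[Sample], metric: str) -> Tuple[float, float]:
    """Median and median absolute deviation of one metric over the baseline window."""
    values = [s[metric] for s in history]
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, (mad if mad > 0 else 1.0)   # a perfectly flat baseline must not divide by zero


def robust_z(value: float, med: float, mad: float) -> float:
    """How many scaled MADs the value sits above the baseline median."""
    return (value - med) / (MAD_SCALE * mad)


def anomalous_metrics(baseline: List[Sample], recent: List[Sample]) -> List[str]:
    """Metrics whose robust z-score exceeds the threshold in every recent sample."""
    flagged = []
    for metric in METRICS:
        med, mad = robust_baseline(baseline, metric)
        if all(robust_z(s[metric], med, mad) > ROBUST_Z_THRESHOLD for s in recent):
            flagged.append(metric)
    return flagged


def evaluate(history: List[Sample]) -> Dict[str, object]:
    """Split history into baseline plus the most recent window; report sustained anomalies."""
    if len(history) <= SUSTAIN_SAMPLES:
        raise ValueError("need more history than the sustain window")
    baseline, recent = history[:-SUSTAIN_SAMPLES], history[-SUSTAIN_SAMPLES:]
    flagged = anomalous_metrics(baseline, recent)
    return {"anomalous": bool(flagged), "metrics": flagged,
            "latest": recent[-1], "window": SUSTAIN_SAMPLES}


def normal_samples(n: int = 30) -> List[Sample]:
    """Constructed quiet-desktop telemetry, one sample per minute, with small jitter."""
    return [{"cpu": 12 + i % 5, "mem": 40 + i % 3, "disk": 5 + i % 4, "temp": 45 + i % 3}
            for i in range(n)]


def sustained_spike_history() -> List[Sample]:
    """Constructed: CPU pinned and temperature climbing for three consecutive minutes."""
    spike = [{"cpu": 97, "mem": 41, "disk": 6, "temp": 74},
             {"cpu": 99, "mem": 41, "disk": 6, "temp": 78},
             {"cpu": 98, "mem": 41, "disk": 6, "temp": 81}]
    return normal_samples() + spike


def single_burst_history() -> List[Sample]:
    """Constructed: one CPU burst (e.g. an update) that subsides on the next sample."""
    burst = [{"cpu": 96, "mem": 41, "disk": 7, "temp": 60}]
    return normal_samples() + burst + normal_samples(2)


if __name__ == "__main__":
    print(evaluate(sustained_spike_history()))   # flags cpu and temp
    print(evaluate(single_burst_history()))      # nothing sustained, no finding
```

Run it directly to see both verdicts; `evaluate` returns the names of the flagged metrics so the central control module can decide what to correlate next rather than alarming on a single hot minute.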

The software monitoring module is a core functional module integrated into antivirus or security software and is used to detect and remove viruses, Trojans and other malicious programs on the computer;

The software monitoring module comprises a scanning engine, a virus database, a behaviour analysis engine, a system warning prompt and sandbox technology, which together detect and remove viruses, Trojans and other malicious programs and protect the computer's safe and stable operation;

Scanning engine: the scanning engine is the core of the malware detection module; it scans the computer's files and key system areas looking for potential viruses and malicious programs;

Virus database: the virus database is a database of known virus samples and signatures, used to compare against and identify viruses on the computer;
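As an added example (not the patent's engine), the Python script below is a minimal scanning engine that applies a virus database of two signature kinds, exact SHA-256 hashes of known-bad files and byte patterns shared by a family, to a directory tree. Files are hashed and pattern-matched in chunks with an overlap so that a pattern split across a chunk boundary is still found, and symbolic links are skipped so a planted link cannot steer the scan out of the tree. The database entries and the three sample files are constructed for the demonstration; a real engine loads vendor signatures and also covers boot records, autorun locations and memory, which a file walk does not see.

```python
"""Signature scanner: hash lookup plus byte-pattern match against a virus database.

Added example, not the patent's code. The signature database and the sample
files are constructed for the demonstration; nothing here is real malware.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (path, match kind, signature name)

# Constructed virus database: one exact-file hash and one family byte pattern.
KNOWN_BAD_BLOB = b"constructed known-bad worm sample, not real malware\n"
KNOWN_BAD_HASHES: Dict[str, str] = {
    hashlib.sha256(KNOWN_BAD_BLOB).hexdigest(): "Demo.Worm.B",
}
KNOWN_BAD_PATTERNS: Dict[str, bytes] = {
    "Demo.Dropper.A": b"\x4d\x5a\x90\x00DEMO_DROPPER_STAGE2",   # assumed distinctive marker
}
CHUNK = 1 << 20   # read files in 1 MiB pieces so large files are never loaded whole


def scan_bytes(name: str, data: bytes) -> List[Finding]:
    """Match one in-memory object against both signature kinds."""
    findings: List[Finding] = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        findings.append((name, "hash", KNOWN_BAD_HASHES[digest]))
    for family, pattern in KNOWN_BAD_PATTERNS.items():
        if pattern in data:
            findings.append((name, "pattern", family))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Stream a file: hash incrementally, pattern-match with overlap across chunks."""
    digest = hashlib.sha256()
    longest = max(len(p) for p in KNOWN_BAD_PATTERNS.values())
    hits = set()
    tail = b""   # last (longest - 1) bytes of the previous chunk, so boundary-spanning matches are seen
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            window = tail + chunk
            for family, pattern in KNOWN_BAD_PATTERNS.items():
                if pattern in window:
                    hits.add(family)
            tail = window[-(longest - 1):] if longest > 1 else b""
    findings: List[Finding] = []
    if digest.hexdigest() in KNOWN_BAD_HASHES:
        findings.append((path, "hash", KNOWN_BAD_HASHES[digest.hexdigest()]))
    findings.extend((path, "pattern", family) for family in sorted(hits))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory; symlinks are skipped so the scan cannot be redirected outside it."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for fn in sorted(filenames):
            p = os.path.join(dirpath, fn)
            if os.path.isfile(p) and not os.path.islink(p):
                findings.extend(scan_file(p))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed files: one clean, one matched by hash, one matched by pattern."""
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"quarterly report draft\n")
    with open(os.path.join(root, "sub", "worm.bin"), "wb") as f:
        f.write(KNOWN_BAD_BLOB)
    with open(os.path.join(root, "sub", "setup.exe"), "wb") as f:
        f.write(b"\x00" * 4096 + KNOWN_BAD_PATTERNS["Demo.Dropper.A"] + b"\x00" * 64)


def demo() -> List[Finding]:
    """Build the sample tree in a temporary directory, scan it, return relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(p, root), kind, sig) for p, kind, sig in scan_tree(root)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Hash signatures are exact and cheap but defeated by a single changed byte; pattern signatures survive repacking of the surrounding file but need careful selection to avoid matching benign files, which is why both kinds live in the database and why the behaviour analysis engine exists for what neither catches.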

Behaviour analysis engine: the behaviour analysis engine monitors and analyses the runtime behaviour of programs to judge whether they are malicious, so that unknown viruses and malicious programs can also be detected;

The behaviour analysis engine comprises an open port check, a process check, a startup item check, a system account check, and a firewall and intrusion detection system;

Open port check: scanning the host's open ports reveals ports that may have been opened by a virus; scanning all of the host's ports from another machine additionally exposes ports that are hidden from the local view;

Process check: the running processes are examined, in particular with a process viewer that shows each process's path and startup arguments. An unknown process, or a process with suspicious arguments, is a possible sign of a virus and is listed as a suspicious process;

Startup item check: the computer's startup items, including services and scheduled tasks, are examined. A suspicious startup item may be a virus hiding itself by modifying system settings or adding an illegitimate service, and is listed as a suspicious startup item;

System account check: the system's account information is examined, in particular the administrator and guest accounts. An unknown account, or abnormal account behaviour, may be a backdoor left by an attacker, and is listed as a suspicious account;

Firewall and intrusion detection system: the firewall and IDS monitor and check the computer's network connections. In particular, when no legitimate program is using the network, a virus may still be transmitting data and causing abnormal traffic; monitoring network traffic reveals whether such virus-caused anomalies exist. An unknown connection or abnormal traffic may mean that a virus is transmitting data through a backdoor or a similar channel, so external attacks and the spread of malicious code can be discovered and blocked;

System warning prompt: when a possible virus attack is detected, the system automatically pops up a warning window that alerts the user and tells the user what measures to take to repair the damage and prevent recurrence;

Sandbox technology: used to run suspicious processes, suspicious startup items, suspicious accounts and suspicious network traffic under safe conditions and to observe their behavioural characteristics in order to judge whether a virus is present; if a virus is found, its location and details are reported back to the central control module;

The data acquisition module and the alarm module are both connected to the central control module; the data acquisition module collects and stores the data gathered by the hardware monitoring module and the software monitoring module;

The alarm module comprises a wireless signal transmission unit that sends the alarm information and the collected data over a wireless link to a remote mobile terminal, alerting the user that a virus has invaded the computer;

Working principle: by screening the host's software data for abnormalities at the same time as its hardware data, the two kinds of monitoring complement each other and give a more complete picture of the host's security status, so that virus threats are discovered and removed promptly. Important data is backed up regularly to prevent loss, which raises the host's security, and when an abnormality is detected the user is notified promptly so that it can be found and handled in time.

Finally, it should be noted that the above is only a preferred embodiment of the invention and is not intended to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art may still modify the technical solutions described in those embodiments or make equivalent substitutions for some of their technical features. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (10)

1. A computer host operation abnormality screening system based on data analysis is characterized in that: the system comprises a central control module, a hardware monitoring module, a software monitoring module, a data acquisition module and an alarm module, wherein the hardware monitoring module and the software monitoring module are connected with a local server, the hardware monitoring module is used for screening and monitoring abnormal hardware data of a computer host, the software monitoring module is used for screening and monitoring abnormal software data of the computer host, the hardware monitoring module and the software monitoring module are connected with the central control module, and the central control module is used for analyzing data detected by the hardware monitoring module and the software monitoring module and judging whether the abnormal hardware data and the abnormal software data of the computer host exist.
2. The system for screening for anomalies in operation of a host computer based on data analysis of claim 1, wherein: the hardware monitoring module comprises a timing checking unit, a backup data unit, an abnormality monitoring unit and a temperature monitoring unit, wherein the timing checking unit comprises a task planning program, a trigger and operation of a task are set by creating a new task, and a specific program or script can be run regularly by setting the planning task so as to realize the purpose of checking the computer at regular time.
3. The system for screening for abnormal operation of a computer host based on data analysis of claim 2, wherein: the backup data unit: the important data is regularly backed up and stored in a reliable cloud service, so that the data loss caused by virus attack can be prevented;
the abnormality monitoring unit: viruses often occupy system resources, resulting in slow computer operation. Whether viruses exist or not can be judged by monitoring the occupation condition of resources such as a CPU, a memory, a hard disk and the like;
the temperature monitoring unit: the virus invasion may cause excessive use of computer hardware resources, so that the computer heats up, and by monitoring the temperature of the computer hardware, whether the virus invasion exists can be primarily judged.
4. The system for screening for anomalies in operation of a host computer based on data analysis of claim 1, wherein: the software monitoring module is a core function module integrated in antivirus software or security software and is used for detecting and eliminating malicious programs such as viruses, trojans and the like in a computer;
the software monitoring module comprises a scanning engine, a virus library, a behavior analysis engine, a system warning prompt and a sandbox technology, and is used for comprehensively detecting and eliminating malicious programs such as viruses, trojans and the like in the computer and protecting the safe and stable operation of the computer.
5. The system for screening for anomalies in operation of a computer host based on data analysis of claim 4, wherein: the scan engine: the scanning engine is a core part of the virus software detection module and is responsible for scanning files and system key areas in a computer to search potential viruses and malicious programs;
virus library: the virus library is a database containing known virus samples and characteristics for use in aligning and identifying viruses in a computer.
6. The system for screening for anomalies in operation of a computer host based on data analysis of claim 5, wherein: the behavior analysis engine: the behavior analysis engine judges whether a program is malicious by monitoring and analyzing its runtime behavior, so as to detect unknown viruses and malicious programs;
the behavior analysis engine comprises an open port check, a process check, a startup item check, a system account check, and a firewall and intrusion detection system;
open port check: scanning the host's open ports finds ports that a virus may have opened; scanning all of the host's open ports from another host as well guards against ports that are hidden on the host itself;
process check: checking the running processes, in particular the path and start parameters of each process's software; an unknown process, or a process with suspicious parameters, may indicate a virus and is listed as a suspicious process;
startup item check: checking the computer's startup items, including services and scheduled tasks; a suspicious startup item may be a virus hiding itself by modifying system settings or adding an unauthorized service, and is listed as a suspicious startup item;
system account check: checking the system's account information, in particular the administrator and guest accounts; an unknown account or abnormal account behavior may be a backdoor left by a malicious attacker, and is listed as a suspicious account;
firewall and intrusion detection system: the firewall and the IDS monitor and check the computer's network connections. Especially when no legitimate program is using the network, a virus transmitting data over the network causes abnormal traffic, so network anomalies caused by viruses can be found by monitoring traffic; an unknown network connection or abnormal traffic may mean that a virus is transmitting data through a backdoor, so that external attacks and the spread of malicious code can be detected and stopped.
7. The data analysis-based computer host operation anomaly screening system of claim 6, wherein: the system warning prompt: when a possible virus attack is detected, the system automatically pops up a warning window, sends a prompt to the user and informs the user what measures to take for repair and prevention.
8. The data analysis-based computer host operation anomaly screening system of claim 7, wherein: the sandbox technology: it is used to run suspicious processes, suspicious startup items, suspicious accounts and abnormal network traffic under safe conditions, observe their behavior characteristics to judge whether a virus exists, and, if so, feed the location and information of the virus back to the central control module.
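As an added example (not from the patent), the five checks of claim 6 implemented as a comparison against a host baseline over a constructed host snapshot, with the processes flagged by both the process and network checks handed on to the sandbox step of claim 8; the baseline, the snapshot, the outbound byte threshold and the "-c" parameter heuristic are all assumptions.

```python
# Added example (not the patent's code): a baseline-driven implementation of the
# behavior-analysis checks of claim 6, whose output feeds the sandbox step of claim 8.
# Baseline and snapshot are constructed sample data; thresholds and heuristics are assumptions.

BASELINE = {  # what an administrator expects to see on this host
    "ports": {22, 443},
    "process_paths": {"/usr/sbin/sshd", "/usr/sbin/nginx", "/usr/bin/python3"},
    "startup": {"sshd.service", "nginx.service"},
    "accounts": {"root", "admin", "guest"},
    "remote_hosts": {"10.0.0.5"},
}

SNAPSHOT = {  # constructed collector output for one host
    "ports": {22, 443, 4444},
    "processes": [
        {"pid": 101, "path": "/usr/sbin/sshd", "args": ""},
        {"pid": 222, "path": "/tmp/.x/update", "args": "--connect 10.0.0.9"},
        {"pid": 333, "path": "/usr/bin/python3", "args": "-c import socket"},
    ],
    "startup": {"sshd.service", "nginx.service", "svchost.service"},
    "accounts": {"root", "admin", "guest", "support$"},
    "connections": [{"pid": 222, "remote": "10.0.0.9", "bytes_out": 52_000_000}],
}

def analyze_host(snapshot, baseline, byte_threshold=10_000_000):
    """Run the five checks; each list holds the items to treat as suspicious."""
    findings = {"ports": [], "processes": [], "startup": [], "accounts": [], "network": []}
    # Open port check: listening ports not in the baseline may have been opened by malware.
    findings["ports"] = sorted(snapshot["ports"] - baseline["ports"])
    # Process check: unknown executable path, or a known interpreter run with inline code
    # (the "-c" test is an illustrative heuristic for "suspicious parameters").
    for p in snapshot["processes"]:
        if p["path"] not in baseline["process_paths"] or " -c " in f" {p['args']} ":
            findings["processes"].append(p["pid"])
    # Startup item check: services or scheduled tasks the baseline does not know.
    findings["startup"] = sorted(snapshot["startup"] - baseline["startup"])
    # System account check: accounts the baseline does not know.
    findings["accounts"] = sorted(snapshot["accounts"] - baseline["accounts"])
    # Network check: connections to unknown peers or with unusual outbound volume.
    for c in snapshot["connections"]:
        if c["remote"] not in baseline["remote_hosts"] or c["bytes_out"] > byte_threshold:
            findings["network"].append(c["pid"])
    return findings

def sandbox_candidates(findings):
    """PIDs flagged by both the process and network checks: first to send to the sandbox."""
    return sorted(set(findings["processes"]) & set(findings["network"]))
```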
9. The system for screening for anomalies in operation of a host computer based on data analysis of claim 1, wherein: the data acquisition module and the alarm module are both connected to the central control module; the data acquisition module collects and stores the data detected and gathered by the hardware monitoring module and the software monitoring module.
10. The data analysis-based computer host operation anomaly screening system of claim 9, wherein: the alarm module comprises a wireless signal transmission unit for transmitting alarm information and the acquired data to a remote mobile terminal via wireless signals, reminding the user that the computer has been invaded by a virus.
CN202311646918.9A 2023-12-04 2023-12-04 A computer host operation abnormality identification system based on data analysis Pending CN117851154A (en)

Publications (1)

Publication Number Publication Date
CN117851154A true CN117851154A (en) 2024-04-09

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118331829A (en) * 2024-06-12 2024-07-12 深圳市德立通智能科技有限公司 Operation monitoring system and method for tablet personal computer
CN118331829B (en) * 2024-06-12 2024-08-16 深圳市德立通智能科技有限公司 Operation monitoring system and method for tablet personal computer

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination