
CN118157936A - A malicious code monitoring method and device - Google Patents


Info

Publication number: CN118157936A
Authority: CN (China)
Legal status: Pending
Application number: CN202410259890.1A
Other languages: Chinese (zh)
Inventors: 谢善益, 周刚, 占聪聪, 徐思尧, 李妍, 李兴旺, 范颖, 杨强, 陈扬, 张凯, 张子瑛, 徐立新, 丁燕, 农彩艳
Current assignee: Guangdong Power Grid Co Ltd; Electric Power Research Institute of Guangdong Power Grid Co Ltd
Original assignee: Guangdong Power Grid Co Ltd; Electric Power Research Institute of Guangdong Power Grid Co Ltd
Application filed by Guangdong Power Grid Co Ltd and Electric Power Research Institute of Guangdong Power Grid Co Ltd; priority to CN202410259890.1A; published as CN118157936A; legal status pending.

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The invention discloses a malicious code monitoring method and device. The method comprises the following steps: acquiring the Internet of Things (IoT) device to be monitored; connecting to the IoT device to be monitored and acquiring its traffic data in real time; scanning the files in the traffic data of the IoT device to be monitored and determining the first feature code (signature) of each file on the device; matching the first feature code against each second feature code in a preset feature code set and, if the match succeeds, treating the file corresponding to the first feature code as containing malicious code, where the preset feature code set centrally stores a plurality of second feature codes representing different malicious codes; and killing the malicious code, then scanning the files on the IoT device to be monitored to confirm that the device no longer contains the malicious code after the kill. Implementing the method and device improves the operating security of the IoT system.

Description

Malicious code monitoring method and device
Technical Field
The invention relates to the technical field of the Internet of Things (IoT), and in particular to a malicious code monitoring method and device.
Background
An IoT system connects arbitrary objects to a network through information-sensing devices and agreed protocols; the objects then exchange information and communicate over a transmission medium to provide functions such as intelligent identification, positioning, tracking and supervision. An IoT system in operation is exposed to the risk of malicious code intrusion, but existing IoT systems have no effective technique for monitoring and capturing the intruding malicious code, so the system suffers damage of varying degrees whenever malicious code intrudes.
Disclosure of Invention
Embodiments of the invention provide a malicious code monitoring method and device that effectively solve the problem that the prior art cannot monitor and capture intruding malicious code, and thereby improve the operating security of an IoT system and of the IoT devices connected to it.
An embodiment of the present invention provides a malicious code monitoring method, including:
acquiring the IoT device to be monitored;
connecting to the IoT device to be monitored and acquiring its traffic data in real time;
scanning the files in the traffic data of the IoT device to be monitored and determining the first feature code of each file on the device;
matching the first feature code against each second feature code in a preset feature code set and, if the match succeeds, treating the file corresponding to the first feature code as containing malicious code, where the preset feature code set centrally stores a plurality of second feature codes representing different malicious codes;
killing the malicious code, then scanning the files on the IoT device to be monitored to confirm that the device no longer contains the malicious code.
Further, the method also includes the following steps:
running the files of the IoT device to be monitored in a virtual machine using sandbox technology, so that the files execute inside the virtual machine and the files carrying malicious code can be identified;
capturing the malicious code and adding the captured malicious code to the preset feature code set.
Further, after the malicious code is captured and added to the preset feature code set, the method also includes:
performing traceability analysis on the malicious code according to the information parameters of the captured malicious code, where the information parameters include any one or more of the following: system viruses, worm viruses, trojans, script viruses, macro viruses and backdoors;
determining the route by which the malicious code entered the IoT according to the information parameters of the captured malicious code, where the entry routes include operating system vulnerabilities, weak passwords, default credentials and wireless network attacks.
Further, scanning the files on the IoT device to be monitored includes:
performing, in sequence, a timed full scan, a sampling scan and a random-time full scan on each file on the IoT device to be monitored.
Further, the method also includes the following steps:
backing up the transmitted data at timed intervals while the IoT device to be monitored is transmitting data, to obtain backup data;
recovering the lost data from the backup data when the IoT device to be monitored loses the transmitted data.
On the basis of the method embodiments, the invention correspondingly provides apparatus embodiments.
An embodiment of the invention correspondingly provides a malicious code monitoring apparatus that includes a device acquisition module, a traffic data acquisition module, a first malicious code detection module and a malicious code killing module;
the device acquisition module is used to acquire the IoT device to be monitored;
the traffic data acquisition module is used to connect to the IoT device to be monitored and acquire its traffic data in real time;
the first malicious code detection module is used to scan the files in the traffic data of the IoT device to be monitored, determine the first feature code of each file on the device, and match the first feature code against each second feature code in a preset feature code set; if the match succeeds, the file corresponding to the first feature code is treated as containing malicious code, the preset feature code set centrally storing a plurality of second feature codes representing different malicious codes;
the malicious code killing module is used to kill the malicious code and then scan the files on the IoT device to be monitored to confirm that the device no longer contains the malicious code.
Further, the apparatus also includes a second malicious code detection module;
the second malicious code detection module is used to run the files of the IoT device to be monitored in a virtual machine using sandbox technology, so that the files execute inside the virtual machine and the files carrying malicious code can be identified, and to capture the malicious code and add it to the preset feature code set.
Further, after the malicious code is captured and added to the preset feature code set, the following is also performed:
performing traceability analysis on the malicious code according to the information parameters of the captured malicious code, where the information parameters include any one or more of the following: system viruses, worm viruses, trojans, script viruses, macro viruses and backdoors;
determining the route by which the malicious code entered the IoT according to the information parameters of the captured malicious code, where the entry routes include operating system vulnerabilities, weak passwords, default credentials and wireless network attacks.
Further, scanning the files on the IoT device to be monitored includes:
performing, in sequence, a timed full scan, a sampling scan and a random-time full scan on each file on the IoT device to be monitored.
Further, the apparatus also includes a data backup module;
the data backup module is used to back up the transmitted data at timed intervals while the IoT device to be monitored is transmitting data, to obtain backup data, and to recover the lost data from the backup data when the device loses the transmitted data.
The invention has the following beneficial effects:
The invention provides a malicious code monitoring method and device. After the monitoring device connects to the IoT device to be monitored, it acquires the device's traffic data in real time, scans the files in the acquired traffic data, and determines the first feature code of each file on the device from the scan result. The first feature code is matched against a preset feature code set that stores a plurality of second feature codes representing different malicious codes, to determine whether the first feature code equals any second feature code in the set; if so, the file corresponding to the first feature code is judged to contain malicious code, the malicious code in the file is killed, and the files on the IoT device to be monitored are rescanned to confirm that the device no longer contains the malicious code. Because the first feature code is obtained by scanning the files in the traffic data and is then matched against the preset second feature codes, malicious code is detected, the problem that the prior art cannot monitor and capture intruding malicious code is effectively solved, and the operating security of the IoT system and of all IoT devices connected to it is improved.
Drawings
Fig. 1 is a flowchart of a malicious code monitoring method according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a malicious code monitoring apparatus according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "comprising" and "having" and any variations thereof in the description of the application and the claims and the description of the drawings above are intended to cover a non-exclusive inclusion.
In the description of embodiments of the present application, the technical terms "first," "second," and the like are used merely to distinguish between different objects and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated, a particular order or a primary or secondary relationship. In the description of the embodiments of the present application, the meaning of "plurality" is two or more unless explicitly defined otherwise.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
In the description of the embodiments of the present application, the term "and/or" is merely an association relationship describing associated objects, and indicates that three relationships may exist; for example, A and/or B may indicate: A exists alone, A and B exist together, or B exists alone. In addition, the character "/" herein generally indicates that the preceding and following associated objects are in an "or" relationship.
In the description of the embodiments of the present application, the term "plurality" means two or more (including two), and similarly, "plural sets" means two or more (including two), and "plural sheets" means two or more (including two).
In the description of the embodiments of the present application, unless explicitly specified and limited otherwise, the terms "mounted," "connected," "secured" and the like should be construed broadly and may be, for example, fixedly connected, detachably connected, or integrally formed; or may be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communicated with the inside of two elements or the interaction relationship of the two elements. The specific meaning of the above terms in the embodiments of the present application will be understood by those of ordinary skill in the art according to specific circumstances.
To better understand the technical means of the invention, note first that malicious code is a program or script that damages a computer system, a network or other data. Malicious code is typically designed to hide within the computer system, for example as a script or virus, and to attack and damage the system. It may be propagated to the victim's computer through e-mail, web sites or other channels. In an IoT system, the data interaction that takes place once the IoT system is connected to the IoT device to be monitored can be affected by intruding malicious code, so that the IoT system or the device is damaged to varying degrees; the malicious code monitoring method is provided to solve the problems caused by such intrusion.
As shown in Fig. 1, a malicious code monitoring method according to an embodiment of the invention includes:
Step S1: acquiring the IoT device to be monitored;
Step S2: connecting to the IoT device to be monitored and acquiring its traffic data in real time;
Step S3: scanning the files in the traffic data of the IoT device to be monitored and determining the first feature code of each file on the device;
Step S4: matching the first feature code against each second feature code in a preset feature code set and, if the match succeeds, treating the file corresponding to the first feature code as containing malicious code, where the preset feature code set centrally stores a plurality of second feature codes representing different malicious codes;
Step S5: killing the malicious code, then scanning the files on the IoT device to be monitored to confirm that the device no longer contains the malicious code.
For steps S1 and S2, the IoT device to be monitored is acquired and the IoT system is connected to it, so that the system can acquire the device's traffic data in real time. Once the IoT system is docked with the device in use, the data transmitted between the IoT system and each connected device, including the high-volume traffic generated during operation, can be received and acquired, and the received traffic is stored in a designated internal storage space. A collation module in the IoT system, combined with sensor technology, RFID technology and mobile devices, processes the traffic data acquired in real time from each IoT device to be monitored, so that malicious code in the high-volume traffic can be detected in step S3.
For steps S3 and S4, a scanning engine that implements feature code scanning matches the files held by the IoT system against the files in the traffic data of the IoT device to be monitored. Specifically, the files in the traffic data are scanned and the feature code of each file on the device (the first feature code) is determined; the first feature code is then matched against each second feature code in the preset feature code set stored in the IoT system, where each stored second feature code represents a different malicious code. If a first feature code scanned from the device matches a second feature code stored in the IoT system, the file corresponding to that first feature code is treated as containing malicious code.
In a preferred embodiment, after the first feature code has been matched against each second feature code in the preset feature code set and a successful match has marked the corresponding file as containing malicious code, the method further includes: running the files of the IoT device to be monitored in a virtual machine using sandbox technology, so that the files execute inside the virtual machine and the files carrying malicious code can be identified; and capturing the malicious code and adding it to the preset feature code set.
Specifically, after malicious code has been identified from the traffic data, malicious code can also be identified by sandbox technology. Sandbox identification mainly consists of placing the files of the IoT device to be monitored into a virtual machine for execution, so that the files run inside the virtual machine. While a file runs in the virtual machine, every operation it performs is virtually redirected and the real operating system is left unchanged; the virtual machine uses software and hardware virtualization to run the program inside a virtual computer. A file, with or without malicious code, is processed by encryption, obfuscation or polymorphic transformation and then placed into the virtual machine, where the malicious operations are automatically decoded and begin to execute. By simulating execution in the virtual machine, different operations such as feature code scanning or typical-behaviour analysis can be applied to the file in a controlled environment, and whether the file contains malicious code can be determined. Preferably, typical-behaviour analysis mainly covers frequent network connections, registry modification and memory consumption detection. Malicious operating behaviour is determined from this analysis: when a program or file running in the virtual machine is found to violate the operating rules of legitimate programs or to match the operating rules of malicious programs, it can be judged to be malicious code.
For example, when a file is run in the virtual machine and the behaviour of automatically modifying the registry is detected several times, the file contains malicious code. When a file with malicious code is detected, the malicious code in the file is captured and marked, and the captured malicious code is added to the preset feature code set, so that the next time malicious code of the same type appears it is already identified in the feature code scanning stage; this reduces the number of virtual machine runs and detections and lowers the computational cost.
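The typical-behaviour rules above, as an added example that is not part of the patent: a small rule engine run over a constructed sandbox event trace. The event format, the three thresholds and the two sample traces are assumptions made for illustration; the patent names the behaviours but gives no numeric limits.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Event = Tuple[float, str, str]  # (seconds since start, event type, detail)

# Thresholds are assumptions: the patent names the behaviours (frequent network
# connections, registry modification, memory consumption) but gives no limits.
REGISTRY_WRITE_LIMIT = 3                 # "modifies the registry several times"
NET_CONNECT_LIMIT = 5                    # this many connections ...
NET_WINDOW_SECONDS = 10.0                # ... inside one sliding window
MEMORY_LIMIT_BYTES = 256 * 1024 * 1024   # peak live allocation considered abnormal


@dataclass
class Verdict:
    malicious: bool
    triggered: List[str] = field(default_factory=list)


def count_registry_writes(trace: List[Event]) -> int:
    return sum(1 for _, kind, _ in trace if kind == "registry_write")


def max_connections_in_window(trace: List[Event], window: float) -> int:
    """Largest number of net_connect events inside any window of `window` seconds."""
    times = sorted(t for t, kind, _ in trace if kind == "net_connect")
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def peak_memory(trace: List[Event]) -> int:
    """Peak live allocation, following mem_alloc / mem_free events in order."""
    current = peak = 0
    for _, kind, detail in trace:
        if kind == "mem_alloc":
            current += int(detail)
        elif kind == "mem_free":
            current -= int(detail)
        peak = max(peak, current)
    return peak


def analyse(trace: List[Event]) -> Verdict:
    """Apply the three behaviour rules; any rule firing marks the file malicious."""
    triggered = []
    if count_registry_writes(trace) >= REGISTRY_WRITE_LIMIT:
        triggered.append("repeated registry modification")
    if max_connections_in_window(trace, NET_WINDOW_SECONDS) >= NET_CONNECT_LIMIT:
        triggered.append("frequent network connections")
    if peak_memory(trace) > MEMORY_LIMIT_BYTES:
        triggered.append("abnormal memory consumption")
    return Verdict(bool(triggered), triggered)


# Constructed traces, as a sandbox might record them for one file each.
MALICIOUS_TRACE: List[Event] = [
    (0.0, "file_open", "C:\\Users\\Public\\update.exe"),
    (0.4, "registry_write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    (0.9, "registry_write", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    (1.3, "registry_write", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\updater\\ImagePath"),
    (2.0, "net_connect", "203.0.113.10:443"),
    (2.5, "net_connect", "203.0.113.11:443"),
    (3.0, "net_connect", "203.0.113.12:443"),
    (3.4, "net_connect", "203.0.113.13:443"),
    (3.9, "net_connect", "203.0.113.14:443"),
    (4.1, "net_connect", "203.0.113.15:443"),
    (5.0, "mem_alloc", str(300 * 1024 * 1024)),
]
BENIGN_TRACE: List[Event] = [
    (0.0, "file_open", "C:\\app\\config.ini"),
    (0.3, "registry_write", "HKCU\\Software\\VendorApp\\LastRun"),
    (1.0, "net_connect", "198.51.100.5:443"),
    (30.0, "net_connect", "198.51.100.5:443"),
    (31.0, "mem_alloc", str(8 * 1024 * 1024)),
    (32.0, "mem_free", str(8 * 1024 * 1024)),
]

if __name__ == "__main__":
    for name, trace in (("update.exe", MALICIOUS_TRACE), ("config.ini", BENIGN_TRACE)):
        print(name, analyse(trace))
```

A single registry write or an occasional connection, as in the benign trace, fires no rule; the verdict lists every rule that fired so the analyst can see which behaviour produced it.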
In a preferred embodiment, after the malicious code has been captured and added to the preset feature code set, the method further comprises: performing traceability analysis on the malicious code according to the information parameters of the captured malicious code, where the information parameters include any one or more of the following: system viruses, worm viruses, trojans, script viruses, macro viruses and backdoors; and determining the route by which the malicious code entered the IoT according to the information parameters of the captured malicious code, where the entry routes include operating system vulnerabilities, weak passwords, default credentials and wireless network attacks.
Specifically, after the malicious code has been captured and marked, traceability analysis is performed on its intrusion route. The analysis traces the malicious code through the information parameters carried by the captured malicious code, which include any one or more of the following: system viruses (Win32, PE, Win95, W32, W95), worm viruses (Worm), trojans (Trojan), script viruses (Script), macro viruses (Macro) and backdoors (Backdoor). By checking which of these information parameters are carried in the captured malicious code, the route by which it entered the IoT device to be monitored is determined. The entry routes include operating system vulnerabilities, weak passwords, default credentials and wireless network attacks.
For step S5, when malicious code is detected, it is killed within the file so that the file no longer contains it and the IoT device to be monitored keeps running safely and stably; after the kill, the files on the device are scanned again to confirm that the device no longer contains the malicious code.
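Steps S3 to S5 together with the capture and traceability steps, as an added example that is not part of the patent (Python, with constructed file contents and signatures): the "first feature code" is taken to be a SHA-256 digest, the preset set also accepts byte-pattern signatures, the kill is followed by a confirming rescan, and a sample identified by a sandbox run is captured into the set so the next scan catches it without another virtual machine run. The detection names, the marker strings and the token table used to read off the information parameters are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Signature:
    name: str                  # detection name, constructed, e.g. "Worm.Win32.SampleB"
    kind: str                  # "sha256": whole-file digest; "bytes": byte pattern
    value: Union[str, bytes]   # hex digest for "sha256", raw pattern for "bytes"


def file_feature_code(data: bytes) -> str:
    """The file's 'first feature code': here the SHA-256 digest of its contents."""
    return hashlib.sha256(data).hexdigest()


def matches(sig: Signature, data: bytes) -> bool:
    if sig.kind == "sha256":
        return file_feature_code(data) == sig.value
    return sig.value in data


def scan(files: Dict[str, bytes], sigset: List[Signature]) -> List[Tuple[str, str]]:
    """Match every file against every 'second feature code'; one hit flags a file."""
    hits = []
    for path, data in files.items():
        for sig in sigset:
            if matches(sig, data):
                hits.append((path, sig.name))
                break
    return hits


def kill(files: Dict[str, bytes], hits: List[Tuple[str, str]]) -> Dict[str, bytes]:
    """Remove the flagged files and return what remains on the device."""
    flagged = {path for path, _ in hits}
    return {p: d for p, d in files.items() if p not in flagged}


def monitor_cycle(files: Dict[str, bytes], sigset: List[Signature]):
    """Steps S3 to S5: scan, kill, then rescan to confirm the device is clean."""
    hits = scan(files, sigset)
    remaining = kill(files, hits)
    rescan_clean = scan(remaining, sigset) == []
    return hits, remaining, rescan_clean


def capture(sigset: List[Signature], detection_name: str, data: bytes) -> Signature:
    """Add a digest signature for a file that a sandbox run identified as malicious."""
    sig = Signature(detection_name, "sha256", file_feature_code(data))
    if sig not in sigset:
        sigset.append(sig)
    return sig


# Tokens of a detection name mapped to the information parameters the patent lists.
FAMILY_TOKENS = {
    "Win32": "system virus", "PE": "system virus", "Win95": "system virus",
    "W32": "system virus", "W95": "system virus",
    "Worm": "worm virus", "Trojan": "trojan", "Script": "script virus",
    "Macro": "macro virus", "Backdoor": "backdoor",
}


def information_parameters(detection_name: str) -> List[str]:
    """Read the information parameters off a dotted detection name (assumed format)."""
    found = []
    for token in detection_name.split("."):
        label = FAMILY_TOKENS.get(token)
        if label and label not in found:
            found.append(label)
    return found


# Constructed preset set and constructed device file contents.
PRESET_SIGNATURES = [
    Signature("Trojan.Script.SampleA", "bytes", b"CONSTRUCTED-MALWARE-MARKER-A"),
    Signature("Worm.Win32.SampleB", "sha256", file_feature_code(b"constructed worm sample B")),
]
DEVICE_FILES = {
    "/data/firmware/update.bin": b"benign firmware payload",
    "/tmp/dropper.sh": b"#!/bin/sh\n# CONSTRUCTED-MALWARE-MARKER-A\n",
    "/tmp/worm.bin": b"constructed worm sample B",
    "/tmp/unknown.bin": b"constructed sample C, not yet in the feature code set",
}

if __name__ == "__main__":
    sigset = list(PRESET_SIGNATURES)
    hits, remaining, clean = monitor_cycle(DEVICE_FILES, sigset)
    print(hits, clean)
    # The sandbox step (not modelled here) flags unknown.bin; capture it.
    capture(sigset, "Backdoor.Linux.SampleC", remaining["/tmp/unknown.bin"])
    print(scan(remaining, sigset), information_parameters("Backdoor.Linux.SampleC"))
```

The digest signature only catches a byte-identical copy of the captured sample, which is why the page's byte-pattern and behaviour-based detection remain necessary alongside it.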
In a preferred embodiment, scanning the files on the IoT device to be monitored includes performing, in sequence, a timed full scan, a sampling scan and a random-time full scan on each file on the device.
Specifically, after the malicious code has been killed, the files on the IoT device to be monitored must be scanned, and the scan modes are: timed full scan, sampling scan and random-time full scan. When the device is scanned in this sequence and a vulnerability is detected, the vulnerability is patched with a patch software program. In addition, by configuring timed full scans, sampling scans and random-time full scans after the kill, the device can be comprehensively checked at regular times. This comprehensive and regular scanning promptly discovers and prevents malicious code intrusion.
In addition, to make malicious code monitoring more comprehensive, a firewall can be added to the IoT device to be monitored or to the IoT system it connects to, and a trapping (decoy) monitoring system can be built: multiple layers of firewalls are added in the IoT system or the device to limit external access; the IoT system and the devices connected to it receive security updates through timed maintenance and use hardened passwords and an encrypted wireless network; an independent trapping program is set up in good time together with a malicious code monitoring program, the trapping program releases a decoy to trap malicious code, and the monitoring program monitors the IoT system and its connected devices in real time.
In a preferred embodiment, the method further includes: backing up the transmitted data at timed intervals while the IoT device to be monitored is transmitting data, to obtain backup data; and recovering the lost data from the backup data when the device loses the transmitted data.
Specifically, to detect malicious code comprehensively, the data transmitted between the IoT device to be monitored and the IoT system is backed up at timed intervals; the backup data is space-isolated and sealed in an independent internal space of the IoT system, so that it can be retrieved from that space when it is needed during data transmission.
When the backup data is retrieved for use, the user's identity must be fully authenticated, and only after authentication passes is the backup data extracted. When transmitted data is lost because malicious code has intruded into the IoT device to be monitored or the IoT system, identity authentication is performed to enter the independent internal space of the IoT system, and the backup data is then copied to a removable hard disk using an external storage device so that it can be extracted for use.
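The timed backup and authenticated restore procedure, as an added example that is not part of the patent: transmitted data is copied into an isolated vault once per interval, and a restore is granted only after identity authentication. The vault key, the operator secret, the 10-second interval, the sample stream and the HMAC integrity tag on each copy (a defensive addition the patent does not mention, so that a copy altered after intrusion is never restored) are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

BACKUP_INTERVAL_SECONDS = 10.0  # assumed; the patent only says "at timed intervals"


@dataclass
class Snapshot:
    taken_at: float
    payload: bytes
    tag: bytes  # HMAC over payload (assumption): a corrupted copy is never restored


class BackupVault:
    """Independent internal space: copies live only here, never on the device."""

    def __init__(self, vault_key: bytes, operator_secret: bytes):
        self._key = vault_key
        # Only a hash of the operator secret is kept for identity authentication.
        self._operator_hash = hashlib.sha256(operator_secret).digest()
        self._store: Dict[str, List[Snapshot]] = {}
        self._last_backup: Dict[str, float] = {}

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def backup(self, stream_id: str, payload: bytes, now: float) -> bool:
        """Store a copy of transmitted data once per interval; True if stored."""
        last = self._last_backup.get(stream_id)
        if last is not None and now - last < BACKUP_INTERVAL_SECONDS:
            return False
        self._store.setdefault(stream_id, []).append(
            Snapshot(now, payload, self._tag(payload)))
        self._last_backup[stream_id] = now
        return True

    def authenticate(self, secret: bytes) -> bool:
        presented = hashlib.sha256(secret).digest()
        return hmac.compare_digest(presented, self._operator_hash)

    def restore(self, stream_id: str, secret: bytes) -> bytes:
        """Authenticate, then return the newest copy whose tag still verifies."""
        if not self.authenticate(secret):
            raise PermissionError("identity authentication failed")
        for snap in reversed(self._store.get(stream_id, [])):
            if hmac.compare_digest(self._tag(snap.payload), snap.tag):
                return snap.payload
        raise LookupError("no intact backup for " + stream_id)

    def snapshot_count(self, stream_id: str) -> int:
        return len(self._store.get(stream_id, []))

    def tamper_latest(self, stream_id: str, payload: bytes) -> None:
        """Test hook: overwrite the newest copy as a compromised store would."""
        self._store[stream_id][-1].payload = payload


def try_restore(vault: BackupVault, stream_id: str, secret: bytes) -> Optional[bytes]:
    """Restore helper that reports failure as None instead of raising."""
    try:
        return vault.restore(stream_id, secret)
    except (PermissionError, LookupError):
        return None


# Constructed transmission stream from one monitored device, one reading every few seconds.
SAMPLE_STREAM = [(0.0, b"reading 1"), (5.0, b"reading 2"),
                 (10.0, b"reading 3"), (12.0, b"reading 4")]


def run_demo() -> Dict[str, object]:
    vault = BackupVault(b"constructed-vault-key", b"constructed-operator-secret")
    stored = [vault.backup("sensor-7", data, t) for t, data in SAMPLE_STREAM]
    before = try_restore(vault, "sensor-7", b"constructed-operator-secret")
    denied = try_restore(vault, "sensor-7", b"wrong-secret")
    vault.tamper_latest("sensor-7", b"corrupted after intrusion")
    after = try_restore(vault, "sensor-7", b"constructed-operator-secret")
    return {"stored": stored, "before": before, "denied": denied,
            "after": after, "count": vault.snapshot_count("sensor-7")}


if __name__ == "__main__":
    print(run_demo())
```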
On the basis of the method embodiments, the invention correspondingly provides apparatus embodiments.
As shown in fig. 2, an embodiment of the present invention provides a malicious code monitoring apparatus comprising a device acquisition module, a traffic data acquisition module, a first malicious code detection module and a malicious code killing module;
the device acquisition module is used for acquiring the Internet of Things device to be monitored;
the traffic data acquisition module is used for connecting to the Internet of Things device to be monitored and acquiring its traffic data in real time;
the first malicious code detection module is used for scanning files in the traffic data of the device to be monitored and determining first feature codes of the files in the device; it matches each first feature code against each second feature code in a preset feature code set and, if the match succeeds, regards the file corresponding to that first feature code as containing malicious code; the preset feature code set centrally stores a plurality of second feature codes, each representing a different malicious code;
the malicious code killing module is used for killing the malicious code and then scanning the files in the device to be monitored to confirm that, after the killing, the device no longer contains the malicious code.
In a preferred embodiment, the apparatus further comprises a second malicious code detection module;
the second malicious code detection module is used for placing the files of the Internet of Things device to be monitored into a virtual machine using a sandbox technique and executing them there, so that the files run inside the virtual machine and the files carrying malicious code can be determined;
and for capturing the malicious code and adding the captured malicious code to the preset feature code set.
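The signature stage and the sandbox feedback stage described above, as an added example that is not the patent's own code: files extracted from captured traffic are matched against a preset feature code set (here digests or byte patterns, both constructed), matched files are removed and the remainder rescanned to confirm the device is clean, and a sample flagged by the sandbox stage is registered as a new second feature code.

```python
"""Added example (not the patent's own code): signature matching over files
carried in captured IoT traffic, removal of matched files with a verifying
rescan, and feeding a newly captured sample's feature code back into the
preset set.  All file contents and signatures below are constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed payloads standing in for files extracted from traffic data.
KNOWN_BAD = b"constructed-sample-A: not real malware"
TRAFFIC_FILES = {
    "fw_update.bin": b"constructed benign firmware image",
    "dropper.elf": KNOWN_BAD,
    "telemetry.json": b'{"interval": 30, "unit": "s"}',
}

# Preset feature code set ("second feature codes"): each entry is either a
# file digest or a byte pattern, mapped to the malicious code it represents.
PRESET_FEATURE_CODES = {
    ("sha256", sha256_hex(KNOWN_BAD)): "constructed-family-A",
    ("bytes", b"constructed-pattern-B"): "constructed-family-B",
}


def first_feature_codes(data: bytes):
    """First feature codes of one file: its digest, plus the raw bytes that
    pattern-type second feature codes are matched against."""
    return ("sha256", sha256_hex(data)), data


def scan_files(files, feature_set):
    """Return {file name: label} for every file matching the preset set."""
    hits = {}
    for name, data in files.items():
        digest_code, raw = first_feature_codes(data)
        for code, label in feature_set.items():
            kind, value = code
            if (kind == "sha256" and code == digest_code) or \
               (kind == "bytes" and value in raw):
                hits[name] = label
                break
    return hits


def kill_and_verify(files, feature_set):
    """Remove matched files, then rescan the remainder; the last element is
    True only when the rescan finds nothing (device confirmed clean)."""
    hits = scan_files(files, feature_set)
    remaining = {n: d for n, d in files.items() if n not in hits}
    return hits, remaining, scan_files(remaining, feature_set) == {}


def add_captured(feature_set, sample: bytes, label: str):
    """After the sandbox stage flags a file, register its digest as a new
    second feature code so later signature scans catch it directly."""
    updated = dict(feature_set)
    updated[("sha256", sha256_hex(sample))] = label
    return updated
```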
In a preferred embodiment, after the malicious code is captured and added to the preset feature code set, the following is further performed:
tracing analysis is carried out on the malicious code according to the information parameters of the captured malicious code; wherein the information parameters comprise any one or more of the following: system viruses, worm viruses, Trojans, script viruses, macro viruses and backdoors;
the way in which the malicious code entered the Internet of Things is determined from the information parameters of the captured malicious code; the ways in which malicious code enters the Internet of Things include: operating system vulnerabilities, weak passwords, default credentials and wireless network attacks.
In a preferred embodiment, scanning the files in the Internet of Things device to be monitored comprises:
sequentially performing a timed full scan, a sampled scan and a full scan at a random time on each file in the device to be monitored.
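The three-stage scan order above, as an added example that is not the patent's own code: one cycle is planned as a timed full scan, a sampled scan of a random subset, and a full scan at a random point in the second half of the period, then executed against a scanner callable. The file names, the scanner and the period are constructed placeholders.

```python
"""Added example (not the patent's own code): one cycle of the three-stage
scan order, a timed full scan, a sampled scan and a full scan at a random
time, driven by a seeded RNG so the plan is reproducible."""
import random


def make_rng(seed: int) -> random.Random:
    """Seeded generator so a cycle can be replayed when auditing scan logs."""
    return random.Random(seed)


def plan_scan_cycle(files, cycle_start, period, sample_size, rng):
    """Return the three scan stages as (time, kind, files), in execution order.

    Stage 1 runs a full scan at the fixed cycle start; stage 2 scans a random
    sample midway through the period; stage 3 repeats a full scan at a time
    drawn uniformly from the second half of the period, so that malicious
    code timing itself around the fixed scan cannot predict when it runs.
    """
    files = sorted(files)
    k = min(sample_size, len(files))
    sampled = sorted(rng.sample(files, k))
    random_time = rng.uniform(cycle_start + period / 2, cycle_start + period)
    return [
        (cycle_start, "timed_full", files),
        (cycle_start + period / 2, "sampled", sampled),
        (random_time, "random_full", files),
    ]


def run_scan_cycle(stages, scanner):
    """Execute each stage with `scanner(files) -> set of flagged names`;
    return {name: (time, kind)} recording the stage that first flagged it."""
    found = {}
    for when, kind, files in stages:
        for name in scanner(files):
            found.setdefault(name, (when, kind))
    return found


# Constructed scanner standing in for the signature stage: flags a marker.
def demo_scanner(files):
    return {f for f in files if f.endswith(".flagged")}


DEMO_FILES = ["a.bin", "b.cfg", "c.flagged", "d.log"]
```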
In a preferred embodiment, the apparatus further comprises a data backup module;
the data backup module is used for backing up the transmitted data at timed intervals to obtain backup data when the Internet of Things device to be monitored performs data transmission;
and for recovering the lost data from the backup data when the device to be monitored loses the transmitted data.
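The backup embodiment described earlier and the data backup module above, as an added example that is not the patent's own code: transmitted data is snapshotted with a timestamp into a separate store together with an integrity digest, and a snapshot is released for recovery only after the requester authenticates. The HMAC-based check, the shared key and the sample payloads are constructed stand-ins for the patent's identity authentication.

```python
"""Added example (not the patent's own code): timed backups of transmission
data kept in an isolated store with an integrity digest, released for
recovery only after the requester authenticates (constructed HMAC scheme)."""
import hashlib
import hmac


def issue_tag(auth_key: bytes, requester: str) -> bytes:
    """Authentication tag a legitimate requester presents (constructed scheme
    standing in for the patent's comprehensive identity authentication)."""
    return hmac.new(auth_key, requester.encode(), "sha256").digest()


class IsolatedBackupStore:
    """Independent storage space for backup data; nothing leaves it without a
    successful authentication and an intact integrity digest."""

    def __init__(self, auth_key: bytes):
        self._auth_key = auth_key
        self._snapshots = {}          # timestamp -> (data, sha256 digest)

    def backup(self, timestamp: int, transmission_data: bytes) -> str:
        """Timed backup: store the transmitted bytes with their digest."""
        digest = hashlib.sha256(transmission_data).hexdigest()
        self._snapshots[timestamp] = (transmission_data, digest)
        return digest

    def _authenticated(self, requester: str, tag: bytes) -> bool:
        return hmac.compare_digest(issue_tag(self._auth_key, requester), tag)

    def recover(self, requester: str, tag: bytes, lost_at: int):
        """Recover the latest backup taken at or before `lost_at`.

        Returns (status, payload): ("ok", data) on success; otherwise
        ("denied", None) when authentication fails, ("missing", None) when
        no snapshot predates the loss, or ("corrupt", None) when the stored
        bytes no longer match their digest.
        """
        if not self._authenticated(requester, tag):
            return "denied", None
        candidates = [t for t in self._snapshots if t <= lost_at]
        if not candidates:
            return "missing", None
        data, digest = self._snapshots[max(candidates)]
        if hashlib.sha256(data).hexdigest() != digest:
            return "corrupt", None
        return "ok", data
```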
It should be noted that the apparatus embodiments described above are merely illustrative: the units described as separate units may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the apparatus embodiments provided by the invention, a connection between modules indicates that the modules have a communication connection, which may be implemented as one or more communication buses or signal lines. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
It will be clear to those skilled in the art that, for convenience and brevity, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
The terminal device may be a computing device such as a desktop computer, a notebook computer, a palmtop computer or a cloud server, and may include, but is not limited to, a processor and a memory.
The processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, or the like. The general-purpose processor may be a microprocessor or any conventional processor; it is the control center of the terminal device and connects the various parts of the terminal device through various interfaces and lines.
The memory may be used to store the computer program, and the processor implements the various functions of the terminal device by running or executing the computer program stored in the memory and invoking data stored in the memory. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, and the like, and the data storage area may store data created according to the use of the mobile phone, and the like. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, internal memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, at least one disk storage device, a flash memory device, or another volatile solid-state storage device.
The storage medium is a computer-readable storage medium in which the computer program is stored; when executed by a processor, the computer program implements the steps of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file or some intermediate form, etc. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth.
While the foregoing is directed to the preferred embodiments of the present invention, those skilled in the art will appreciate that changes and modifications may be made without departing from the principles of the invention, and such changes and modifications are also intended to fall within the scope of the invention.

Claims (10)

1. A malicious code monitoring method, comprising:
acquiring an Internet of Things device to be monitored;
connecting to the Internet of Things device to be monitored and acquiring traffic data of the device to be monitored in real time;
scanning files in the traffic data of the device to be monitored and determining first feature codes of the files in the device to be monitored;
matching each first feature code against each second feature code in a preset feature code set and, if the match succeeds, regarding the file corresponding to that first feature code as containing malicious code; wherein the preset feature code set centrally stores a plurality of second feature codes, each representing a different malicious code;
and killing the malicious code, and scanning the files in the device to be monitored to confirm that, after the killing, the device to be monitored no longer contains the malicious code.
2. The malicious code monitoring method according to claim 1, wherein, after matching each first feature code against each second feature code in the preset feature code set and, if the match succeeds, regarding the file corresponding to that first feature code as containing malicious code, the method further comprises:
placing the files of the device to be monitored into a virtual machine using a sandbox technique and executing them there, so that the files run inside the virtual machine and the files carrying malicious code are determined;
and capturing the malicious code and adding the captured malicious code to the preset feature code set.
3. The malicious code monitoring method according to claim 2, further comprising, after capturing the malicious code and adding the captured malicious code to the preset feature code set:
performing tracing analysis on the malicious code according to the information parameters of the captured malicious code; wherein the information parameters comprise any one or more of the following: system viruses, worm viruses, Trojans, script viruses, macro viruses and backdoors;
and determining, from the information parameters of the captured malicious code, the way in which the malicious code entered the Internet of Things; wherein the ways in which malicious code enters the Internet of Things include: operating system vulnerabilities, weak passwords, default credentials and wireless network attacks.
4. The malicious code monitoring method according to claim 3, wherein scanning the files in the device to be monitored comprises:
sequentially performing a timed full scan, a sampled scan and a full scan at a random time on each file in the device to be monitored.
5. The malicious code monitoring method according to claim 4, further comprising:
when the device to be monitored performs data transmission, backing up the transmitted data at timed intervals to obtain backup data;
and when the device to be monitored loses the transmitted data, recovering the lost data from the backup data.
6. A malicious code monitoring apparatus, comprising a device acquisition module, a traffic data acquisition module, a first malicious code detection module and a malicious code killing module;
wherein the device acquisition module is used for acquiring an Internet of Things device to be monitored;
the traffic data acquisition module is used for connecting to the Internet of Things device to be monitored and acquiring traffic data of the device to be monitored in real time;
the first malicious code detection module is used for scanning files in the traffic data of the device to be monitored and determining first feature codes of the files in the device to be monitored; and for matching each first feature code against each second feature code in a preset feature code set and, if the match succeeds, regarding the file corresponding to that first feature code as containing malicious code; wherein the preset feature code set centrally stores a plurality of second feature codes, each representing a different malicious code;
and the malicious code killing module is used for killing the malicious code and scanning the files in the device to be monitored to confirm that, after the killing, the device to be monitored no longer contains the malicious code.
7. The malicious code monitoring apparatus according to claim 6, further comprising a second malicious code detection module;
wherein the second malicious code detection module is used for placing the files of the device to be monitored into a virtual machine using a sandbox technique and executing them there, so that the files run inside the virtual machine and the files carrying malicious code are determined;
and for capturing the malicious code and adding the captured malicious code to the preset feature code set.
8. The malicious code monitoring apparatus according to claim 7, further comprising, after the malicious code is captured and added to the preset feature code set:
performing tracing analysis on the malicious code according to the information parameters of the captured malicious code; wherein the information parameters comprise any one or more of the following: system viruses, worm viruses, Trojans, script viruses, macro viruses and backdoors;
and determining, from the information parameters of the captured malicious code, the way in which the malicious code entered the Internet of Things; wherein the ways in which malicious code enters the Internet of Things include: operating system vulnerabilities, weak passwords, default credentials and wireless network attacks.
9. The malicious code monitoring apparatus according to claim 8, wherein scanning the files in the device to be monitored comprises:
sequentially performing a timed full scan, a sampled scan and a full scan at a random time on each file in the device to be monitored.
10. The malicious code monitoring apparatus according to claim 9, further comprising a data backup module;
wherein the data backup module is used for backing up the transmitted data at timed intervals to obtain backup data when the device to be monitored performs data transmission;
and for recovering the lost data from the backup data when the device to be monitored loses the transmitted data.
CN202410259890.1A 2024-03-07 2024-03-07 A malicious code monitoring method and device Pending CN118157936A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410259890.1A CN118157936A (en) 2024-03-07 2024-03-07 A malicious code monitoring method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410259890.1A CN118157936A (en) 2024-03-07 2024-03-07 A malicious code monitoring method and device

Publications (1)

Publication Number Publication Date
CN118157936A true CN118157936A (en) 2024-06-07

Family

ID=91294197

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410259890.1A Pending CN118157936A (en) 2024-03-07 2024-03-07 A malicious code monitoring method and device

Country Status (1)

Country Link
CN (1) CN118157936A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination