Method for detecting virus program and virus program detecting device

A virus program and detection device technology, applied in the field of network security, can solve problems such as inability to find download links, and achieve the effect of strengthening protection and improving experience

Active Publication Date: 2014-04-30
ZHUHAI BAOQU TECH CO LTD

AI-Extracted Technical Summary

Problems solved by technology

However, this method can only monitor a single known download link, and can...

Method used

According to the download link of a target virus program, embodiments of the present invention search for other virus programs stored in the network hard disk by the disseminator of that program, thereby monitoring the network hard disk, strengthening the protection of its users, and improving the users' safe Internet experience.

Abstract

The embodiment of the invention discloses a method for detecting a virus program. The method comprises the following steps: the identity identifier of the disseminator of a target virus program in a network hard disk is acquired according to the download link of the target virus program; in the network hard disk, the file information of all files stored in the personal network disk corresponding to the identity identifier is acquired; and the virus programs among all the files are determined by analyzing the file information. Correspondingly, the embodiment of the invention discloses a virus program detecting device. Through the method and the device, other virus programs in the network hard disk corresponding to the download link can be found according to the download link of a known virus program, virus programs are prevented from being spread through the network hard disk, and the safe Internet surfing experience of the user is improved.

Application Domain

Platform integrity maintenance

Technology Topic

Personal network; Computer engineering


Example Embodiment

[0020] The technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, rather than all the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the protection scope of the present invention.
[0021] The network hard disk mentioned in the embodiments of the present invention is a cloud service, provided by an Internet service provider, that offers uploading and downloading services, such as Kingsoft Quick Disk, Baidu Cloud Disk, and 360 Cloud Disk. A virus program spreader only needs to create a network hard disk account to store a virus program in the personal network disk corresponding to that account, and can then induce users through fraud to download the virus program, endangering the user terminal. It should be noted that, in an optional embodiment of the present invention, the network hard disk is a Baidu network disk.
[0022] The virus program detection method mentioned in the present invention may be implemented by a virus program detection device. In an alternative embodiment, the virus program detection device mentioned in the present invention may be one or more background servers.
[0023] Figure 1 is a schematic flowchart of a virus program detection method in an embodiment of the present invention. As shown in the figure, the flow of the virus program detection method in this embodiment may include:
[0024] S101: Obtain the identity of the spreader of the target virus program on the network hard disk according to the download link of the target virus program.
[0025] The download link is a uniform resource locator (URL) used to download the target file, and the user terminal or the virus program detection device can download the target file that the download link points to. Further, when the user terminal performs a download task, the virus program detection device can obtain the download link by hooking the user's browser or the user's download software. Hooking (HOOK technology) is the technique of inserting one's own code into an application program in order to obtain relevant information.
[0026] Specifically, when it is confirmed that a file downloaded from the network hard disk is a virus program, the virus program detection device obtains the identity identifier of the spreader of the virus program on the network hard disk according to the download link previously obtained by hooking the browser or the download software. It should be pointed out that the identity identifier is the spreader's account on the network hard disk.
[0027] S102: In the network hard disk, obtain file information of all files stored in the personal network disk corresponding to the identity identifier.
[0028] As shown in the network topology diagram of Figure 5, the user terminal and the virus program detection device are connected to the network hard disk through the Internet. The network hard disk is provided with multiple personal network disks according to different identity identifiers, and each personal network disk can store files up to a preset capacity. For example, the personal network disk under ID_1 of the network hard disk stores file 1, file 2, and file n.
[0029] Specifically, the virus program detection device searches the network hard disk for file information of all files stored in the personal network disk under the identity of the virus program spreader.
[0030] S103: Determine virus programs in all files by analyzing the file information.
[0031] The file information includes at least the identification code, the name, and the number of transmissions of the file. Specifically, the virus program detection device determines the virus programs in the personal network disk by analyzing the characteristics of each file's identification code, name, and number of transmissions.
[0032] It should be pointed out that, with the existing link-splicing technique for network hard disks, the download link of a file can be spliced together once the file's identification code and the identity identifier are known. However, not all files in the personal network disk under the identity identifier of the virus program spreader are virus programs. If the virus program detection device directly downloaded all the files for identification, this would undoubtedly increase the burden on the virus program detection device. If instead the virus program detection device first pre-judges a subset of suspicious files and then identifies only those suspicious files, the burden on the virus program detection device is greatly reduced.
[0033] Correspondingly, the process by which the virus program detection device determines the virus programs may be: the virus program detection device pre-judges the suspicious files among all the files according to the file information, and identifies the virus programs among the suspicious files through a preset virus program inspection process.
[0034] Optionally, the virus program detection device may predict files that meet the following conditions as suspicious files:
[0035] ① The file name contains at least two preset keywords. It should be pointed out that the preset keywords may include hot events, sensitive topics, and pornographic or violent content. According to general experience, a file whose name contains two or more preset keywords is more likely to be a virus program, because the spreader of the virus program uses the file name to induce users to download it.
[0036] ② The file has the same identification code as at least one other file but a different name, and the number of transmissions of the file exceeds the preset threshold. It should be pointed out that the identification code of a file is the code computed over the file with the MD5 (Message Digest Algorithm 5) algorithm; it is similar to an ID card for the file, and identical files have identical identification codes. According to general experience, if the identification code of a file is the same as that of another file but the names are different or dissimilar, and the number of transmissions is very high, then the file has a higher probability of being a virus program: virus spreaders habitually disguise the same virus as different files to induce more users to download it.
[0037] Further, after the virus program detection device downloads the suspicious files that meet the above conditions, the virus program in the suspicious file is identified through a preset virus program identification process, and the identified virus program and its download link are placed in the virus database.
[0038] Furthermore, when the virus program detection device detects that the user terminal downloads the virus program, it sends a danger warning to the user terminal. Specifically, when the user terminal downloads, through the Internet, a file on the network hard disk that has been identified as a virus program, the virus program detection device can learn, by hooking the browser or the download software, that the download link is one recorded in the virus database, and it issues a danger alert to the user terminal to remind the user that the downloaded target file is a virus program.
[0039] According to the download link of the target virus program, the embodiment of the present invention searches for other virus programs stored in the network hard disk by the spreader of the target virus program, thereby realizing monitoring of the network hard disk, strengthening the protection of the users of the network hard disk, and improving the users' safe surfing experience.
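The pre-judgment conditions ① and ② described above, as an added Python example (not code from the patent or its applicant). The keyword list, the transfer threshold, the `FileInfo` fields and the sample listing are constructed assumptions; the page specifies none of them.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholders: the page gives neither a keyword list nor a threshold.
PRESET_KEYWORDS = ("leaked", "exclusive", "uncensored", "breaking")
TRANSFER_THRESHOLD = 1000


@dataclass(frozen=True)
class FileInfo:
    """File information from one personal network disk listing (fields assumed)."""
    name: str
    md5: str        # the "identification code"
    transfers: int  # the "number of transmissions"


def keyword_hits(name, keywords=PRESET_KEYWORDS):
    """Distinct preset keywords found in the file name, case-insensitively."""
    lowered = name.casefold()
    return sorted({k.casefold() for k in keywords if k.casefold() in lowered})


def prejudge(files, keywords=PRESET_KEYWORDS, threshold=TRANSFER_THRESHOLD):
    """Return [(file, reasons)] for files that meet condition 1 or condition 2."""
    # Collect every distinct name under which each identification code appears.
    # Names that differ only in letter case count as the same name.
    names_by_md5 = defaultdict(set)
    for f in files:
        names_by_md5[f.md5.lower()].add(f.name.casefold())

    suspicious = []
    for f in files:
        reasons = []
        hits = keyword_hits(f.name, keywords)
        if len(hits) >= 2:  # condition 1: at least two preset keywords
            reasons.append("keywords:" + ",".join(hits))
        # Condition 2 needs both parts: the same code under another name AND a
        # transfer count that strictly exceeds the preset threshold.
        renamed = len(names_by_md5[f.md5.lower()]) > 1
        if renamed and f.transfers > threshold:
            reasons.append("renamed-duplicate")
        if reasons:
            suspicious.append((f, reasons))
    return suspicious


# Constructed listing for one spreader account; the MD5 values are dummies.
MD5_A, MD5_B, MD5_C, MD5_D = ("aa" * 16, "bb" * 16, "cc" * 16, "dd" * 16)
SAMPLE_LISTING = [
    FileInfo("leaked_exclusive_clip.exe", MD5_A, 5200),  # conditions 1 and 2
    FileInfo("player_update.exe", MD5_A, 40),      # renamed copy, few transfers
    FileInfo("breaking_news.pdf", MD5_B, 9000),    # one keyword, unique code
    FileInfo("invoice_scan.exe", MD5_C, 2500),     # condition 2
    FileInfo("concert_tickets.exe", MD5_C, 1800),  # condition 2
    FileInfo("thesis_draft.docx", MD5_D, 3),       # neither condition
]

if __name__ == "__main__":
    for info, why in prejudge(SAMPLE_LISTING):
        print(f"{info.name}: {'; '.join(why)}")
```

Pre-judgment only selects candidates for download; the verdict still comes from the preset virus program inspection process, so a benign file flagged here costs one extra inspection.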
[0040] Figure 2 is a schematic flowchart of another virus program detection method in an embodiment of the present invention, which may include:
[0041] S201: Obtain a target virus program.
[0042] It should be pointed out that the target virus program has a corresponding download link, and the download link points to a resource in the network hard disk.
[0043] The download link is a uniform resource locator (URL) used to download the target file, and the user terminal or the virus program detection device can download the target file that the download link points to. Further, when the user terminal performs a download task, the virus program detection device may obtain the download link by hooking the user's browser or the user's download software. Hooking (HOOK technology) is the technique of inserting one's own code into an application program in order to obtain relevant information.
[0044] S202: According to the download link of the target virus program, obtain the identity of the spreader of the target virus program on the network hard disk.
[0045] Specifically, the virus program detection device obtains the identity identifier of the disseminator of the target virus program on the network hard disk according to the download link previously obtained by hooking the browser or the download software. It should be pointed out that the identity identifier is the disseminator's account on the network hard disk.
[0046] S203: In the network hard disk, obtain file information of all files stored in the personal network disk corresponding to the identity identifier.
[0047] As shown in the network topology diagram of Figure 5, the user terminal and the virus program detection device are connected to the network hard disk through the Internet. The network hard disk is provided with multiple personal network disks according to different identity identifiers, and each personal network disk can store files up to a preset capacity. For example, the personal network disk under ID_1 of the network hard disk stores file 1, file 2, and file n.
[0048] Specifically, the virus program detection device searches the network hard disk for file information of all files stored in the personal network disk under the identity of the virus program spreader.
[0049] S204: Prejudge suspicious files among all the files according to the file information.
[0050] The file information includes at least the identification code, the name, and the number of transmissions of the file. Specifically, the virus program detection device may pre-judge files that meet the following conditions as suspicious files:
[0051] ① The file name contains at least two preset keywords. It should be pointed out that the preset keywords may include hot events, sensitive topics, and pornographic or violent content. According to general experience, a file whose name contains two or more preset keywords is more likely to be a virus program, because the spreader of the virus program uses the file name to induce users to download it.
[0052] ② The file has the same identification code as at least one other file but a different name, and the number of transmissions of the file exceeds the preset threshold. It should be pointed out that the identification code of a file is the code computed over the file with the MD5 (Message Digest Algorithm 5) algorithm; it is similar to an ID card for the file, and identical files have identical identification codes. According to general experience, if the identification code of a file is the same as that of another file but the names are different or dissimilar, and the number of transmissions is very large, then the file has a higher probability of being a virus program: virus spreaders habitually disguise the same virus as different files to induce more users to download it.
[0053] It should be pointed out that, with the existing link-splicing technique for network hard disks, the download link of a file can be spliced together once the file's identification code and the identity identifier are known. However, not all files in the personal network disk under the identity identifier of the virus program spreader are virus programs. If the virus program detection device directly downloaded all the files for identification, this would undoubtedly increase the burden on the virus program detection device. If instead the virus program detection device first pre-judges a subset of suspicious files and then identifies only those suspicious files, the burden on the virus program detection device is greatly reduced.
[0054] S205: Obtain the suspicious file, and identify the virus program in the suspicious file through a preset virus program inspection process.
[0055] Specifically, after the virus program detection device downloads the suspicious files that meet the above-mentioned conditions, the virus program in the suspicious file is identified through a preset virus program identification process, and the identified virus program and its download link are put into the virus database.
[0056] S206: When it is detected that a newly-added file appears in the personal network disk corresponding to the identity identifier, obtain file information of the newly-added file.
[0057] Specifically, the virus program detection device adds the identity identifier to the blacklist and checks the identity identifier according to a preset time period. When the virus program detection device detects that a newly added file appears in the personal network disk corresponding to the identity identifier, it obtains the file information of the newly added file.
[0058] S207: Determine the virus program in the newly added file by analyzing the file information of the newly added file.
[0059] Specifically, the virus program detection device still determines the virus program in the newly added file by analyzing the file information of the newly added file, and stores the determined virus in the virus database.
[0060] S208: When it is detected that the user terminal downloads the virus program, a danger alert is issued to the user terminal.
[0061] Specifically, when the user terminal downloads, through the Internet, a file on the network hard disk that has been identified as a virus program, the virus program detection device can learn, by hooking the browser or the download software, that the download link is one recorded in the virus database, and it issues a danger alert to the user terminal to remind the user that the downloaded target file is a virus program.
[0062] According to the download link of the target virus program, the embodiment of the present invention finds the identity identifier of the disseminator of the target virus program on the network hard disk, inspects all files and newly added files under that identity identifier, and finds the virus programs among them, thereby realizing monitoring of the network hard disk, strengthening the protection of users of the network hard disk, and improving users' safe surfing experience.
[0063] Figure 3 is a schematic structural diagram of a virus program detection device in an embodiment of the present invention. As shown in the figure, the virus program detection device in the embodiment of the present invention may at least include an identity acquisition module 310, a file information acquisition module 320, and a virus program determination module 330, wherein:
[0064] The identity acquisition module 310 is configured to obtain the identity identifier of the disseminator of the target virus program on the network hard disk according to the download link of the target virus program.
[0065] The download link is a uniform resource locator (URL) used to download the target file, and the user terminal or the virus program detection device can download the target file that the download link points to. Further, when the user terminal performs a download task, the virus program detection device may obtain the download link by hooking the user's browser or the user's download software. Hooking (HOOK technology) is the technique of inserting one's own code into an application program in order to obtain relevant information.
[0066] Specifically, when it is confirmed that a file downloaded from the network hard disk is a virus program, the identity acquisition module 310 obtains the identity identifier of the spreader of the virus program on the network hard disk according to the download link previously obtained by hooking the browser or the download software. It should be pointed out that the identity identifier is the spreader's account on the network hard disk.
[0067] The file information obtaining module 320 is configured to obtain, in the network hard disk, file information of all files stored in the personal network disk corresponding to the identity identifier.
[0068] As shown in the network topology diagram of Figure 5, the user terminal and the virus program detection device are connected to the network hard disk through the Internet. The network hard disk is provided with multiple personal network disks according to different identity identifiers, and each personal network disk can store files up to a preset capacity. For example, the personal network disk under ID_1 of the network hard disk stores file 1, file 2, and file n.
[0069] Specifically, the file information acquisition module 320 queries the network hard disk for the file information of all files stored in the personal network disk under the identity identifier of the virus program spreader.
[0070] The virus program determination module 330 is configured to determine the virus programs among all the files by analyzing the file information. In a specific implementation, the virus program determination module 330 may, as shown in Figure 4, further include a suspicious file pre-judgment unit 331 and a virus program identification unit 332, wherein:
[0071] The suspicious file pre-judgment unit 331 is configured to pre-judge the suspicious files in all the files according to the file information.
[0072] The file information includes at least the identification code, the name, and the number of transmissions of the file. Specifically, the suspicious file pre-judgment unit 331 may pre-judge a file that meets the following conditions as a suspicious file:
[0073] ① The file name contains at least two preset keywords. It should be pointed out that the preset keywords may include hot events, sensitive topics, and pornographic or violent content. According to general experience, a file whose name contains two or more preset keywords is more likely to be a virus program, because the spreader of the virus program uses the file name to induce users to download it.
[0074] ② The file has the same identification code as at least one other file but a different name, and the number of transmissions of the file exceeds the preset threshold. It should be pointed out that the identification code of a file is the code computed over the file with the MD5 (Message Digest Algorithm 5) algorithm; it is similar to an ID card for the file, and identical files have identical identification codes. According to general experience, if the identification code of a file is the same as that of another file but the names are different or dissimilar, and the number of transmissions is very large, then the file has a higher probability of being a virus program: virus spreaders habitually disguise the same virus as different files to induce more users to download it.
[0075] It should be pointed out that, with the existing link-splicing technique for network hard disks, the download link of a file can be spliced together once the file's identification code and the identity identifier are known. However, not all files in the personal network disk under the identity identifier of the virus program spreader are virus programs. If the virus program detection device directly downloaded all the files for identification, this would undoubtedly increase the burden on the virus program detection device. If instead the virus program detection device first pre-judges a subset of suspicious files and then identifies only those suspicious files, the burden on the virus program detection device is greatly reduced.
[0076] The virus program identification unit 332 is configured to obtain the suspicious file, and identify the virus program in the suspicious file through a preset virus program inspection process.
[0077] Specifically, after the virus program identification unit 332 downloads the suspicious files that meet the above conditions, it identifies the virus program in the suspicious file through a preset virus program identification process, and puts the identified virus program and its download link into the virus database.
[0078] As shown in Figure 3, the virus program detection device in the embodiment of the present invention may further include a newly added file detection module 340, a newly added file analysis module 350, and a virus program warning module 360, wherein:
[0079] The newly added file detection module 340 is configured to obtain the file information of a newly added file when it is detected that a newly added file appears in the personal network disk corresponding to the identity identifier.
[0080] Specifically, the newly added file detection module 340 adds the identity identifier to the blacklist and checks the identity identifier according to a preset time period. When the newly added file detection module 340 detects that a newly added file appears in the personal network disk corresponding to the identity identifier, it obtains the file information of the newly added file.
[0081] The newly added file analysis module 350 is used to determine the virus program in the newly added file by analyzing the file information of the newly added file.
[0082] Specifically, the newly added file analysis module 350 still determines the virus program in the newly added file by analyzing the file information of the newly added file, and stores the determined virus in the virus database.
[0083] The virus program warning module 360 is configured to send a danger warning to the user terminal when it is detected that the user terminal downloads the virus program determined by the virus program determination module.
[0084] Specifically, when the user terminal downloads, through the Internet, a file on the network hard disk that has been identified as a virus program, the virus program warning module 360 can learn, by hooking the browser or the download software, that the download link is one recorded in the virus database, and it immediately issues a danger alert to the user terminal to remind the user that the downloaded target file is a virus program.
[0085] According to the download link of the target virus program, the embodiment of the present invention finds the identity identifier of the disseminator of the target virus program on the network hard disk, inspects all files and newly added files under that identity identifier, and finds the virus programs among them, thereby realizing monitoring of the network hard disk, strengthening the protection of users of the network hard disk, and improving users' safe surfing experience.
[0086] A person of ordinary skill in the art can understand that all or part of the processes in the above-mentioned embodiment methods can be implemented by instructing relevant hardware through a computer program. The program can be stored in a computer readable storage medium. During execution, it may include the procedures of the above-mentioned method embodiments. Wherein, the storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random Access Memory, RAM), etc.
[0087] The above-disclosed are only preferred embodiments of the present invention. Of course, the scope of rights of the present invention cannot be limited by this. Therefore, equivalent changes made according to the claims of the present invention still fall within the scope of the present invention.
