Virus detection method and device for power monitoring equipment
By sensing the resource status of power monitoring equipment in real time and adopting adaptive resource scheduling and cross-device collaborative detection, the problem of low virus detection efficiency in low-performance equipment is solved, achieving efficient and controllable virus detection and ensuring the real-time performance and security of the system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGZHOU ZHIXING INTELLIGENT TECHNOLOGY CO LTD
- Filing Date
- 2026-03-23
- Publication Date
- 2026-06-19
AI Technical Summary
Existing virus detection systems for power monitoring equipment struggle to respond quickly to dynamically changing virus threats, especially in low-performance devices where computing resources are limited, resulting in low detection efficiency. Furthermore, traditional detection methods have a significant impact on system performance, and detection strategies lack flexibility and have limited coverage.
By periodically collecting the operating status information of power monitoring equipment, calculating the resource pressure index, and dynamically selecting virus detection strategies in conjunction with adaptive resource scheduling, and adopting deep, standard, or lightweight scanning modes, cross-device collaborative detection is achieved to realize efficient and controllable virus detection.
Without affecting system real-time performance and stability, it can quickly respond to dynamically changing virus threats, improve virus detection efficiency, reduce the impact on system performance, and enhance security and detection coverage.
Figure CN122241701A_ABST
Description
Technical Field
[0001] This invention relates to the field of power system automation and security technology, and in particular to a virus detection method for power monitoring equipment, a virus detection device for power monitoring equipment, a power monitoring equipment, and a storage medium.
Background Technology
[0002] Power monitoring systems are widely used in substations, distribution automation, and power plant DCS (Distributed Control System) / SCADA (Supervisory Control and Data Acquisition) systems. They typically include a monitoring master station, communication management unit, protection devices, measurement and control devices, and HMI (Human-Machine Interface) equipment. Most of these devices operate continuously for extended periods, requiring extremely high real-time performance and stability. Furthermore, their hardware configurations are generally relatively low, and the operating systems are often embedded Linux, real-time operating systems, or customized versions of Windows.
[0003] With the widespread adoption of power monitoring systems, the threat of virus attacks and malware is becoming increasingly serious. Traditional virus detection methods often rely on powerful computing resources, making it difficult to meet the needs of low-performance devices. In some older devices (such as PLC controllers (Programmable Logic Controllers) and HMI terminals), due to limited computing power, running traditional virus detection programs will significantly impact system performance, resulting in low virus detection efficiency and even failing to detect specific malicious code targeting industrial equipment.
[0004] Current virus detection systems generally rely on locally installed virus definitions for offline detection, achieving this by periodically scanning the file system and comparing the results to a virus signature database. This technology is widely used in general IT systems. However, these systems struggle to respond quickly to dynamically changing virus threats.
Summary of the Invention
[0005] This invention provides a method for virus detection in power monitoring equipment, a device for virus detection in power monitoring equipment, a power monitoring device, and a storage medium, which are used to solve or partially solve the technical problem that current virus detection systems are unable to quickly respond to dynamically changing virus threats.
[0006] This invention provides a virus detection method for power monitoring equipment, applied to a first power monitoring equipment; the method includes:
[0007] Periodically collect the operating status information of the first power monitoring equipment;
[0008] Based on the operating status information, calculate the current resource pressure index of the first power monitoring equipment;
[0009] Based on the operational status information and the resource pressure index, a virus detection strategy is dynamically selected using adaptive resource scheduling.
[0010] The virus detection task targeting the first power monitoring device is executed under the virus detection strategy to obtain the virus detection results.
[0011] Optionally, the operating status information includes CPU utilization, memory utilization, disk I/O load, and network communication load; calculating the current resource pressure index of the first power monitoring device based on the operating status information includes:
[0012] Based on the CPU utilization, memory utilization, disk I/O load, and network communication load, and combined with preset weighting factors, the current resource pressure index of the first power monitoring device is calculated in a weighted manner.
[0013] Optionally, the operating status information includes the device system operating status; the step of dynamically selecting a virus detection strategy based on the operating status information and the resource pressure index, combined with adaptive resource scheduling, includes:
[0014] When the resource pressure index representing the operating status of the device system is lower than the first preset pressure index threshold for a continuous period of time, the deep scan mode of virus detection is triggered and sandbox analysis is started.
[0015] When the resource pressure index representing the operating status of the device system is greater than or equal to the first preset pressure index threshold and lower than the second preset pressure index threshold for a continuous period of time, the standard scanning mode for virus detection is triggered, and the signature matching action is performed.
[0016] When the resource pressure index representing the operating status of the device system is greater than or equal to the second preset pressure index threshold and lower than the third preset pressure index threshold for a continuous period of time, the lightweight scanning mode of virus detection is triggered to reduce the detection frequency and control the monitoring and scanning of key areas.
[0017] When the resource pressure index representing the operating status of the device system is greater than or equal to the third preset pressure index threshold for a continuous period of time, the virus detection is suspended.
[0018] Wherein, 0 < first preset pressure index threshold < second preset pressure index threshold < third preset pressure index threshold < 1.
[0019] Optionally, the step of performing a virus detection task against the first power monitoring device under the virus detection strategy and obtaining virus detection results includes:
[0020] Based on the virus detection strategy, the first power monitoring device is scanned for files to be detected;
[0021] Perform a virus detection task on the file to be detected and obtain the virus detection results;
[0022] The virus detection task includes: comparing file features of the file to be detected based on a virus feature database; prioritizing the detection of newly added files and/or modified files in the file to be detected; and performing a deduplication scanning mechanism based on file hash values during the virus detection process to avoid repeated scanning of already detected files.
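The scanning task described in [0022], as an added Python example (not code from the patent). The marker bytes, the SHA-256 choice, the size/mtime change test, the per-run budget and all names are assumptions made for illustration; the sample files are constructed.

```python
import hashlib
import os
import tempfile

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in for a virus feature


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so memory use stays flat on small devices."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


class DedupScanner:
    def __init__(self, signatures):
        self.signatures = list(signatures)  # byte patterns from the feature database
        self.verdicts = {}                  # sha256 -> infected? (deduplication cache)
        self.file_state = {}                # path -> (size, mtime_ns) seen last run

    def _ordered(self, root):
        """New files first, then modified ones, then files unchanged since last run."""
        new, modified, unchanged = [], [], []
        for dirpath, _dirs, names in os.walk(root):
            for name in sorted(names):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                state = (st.st_size, st.st_mtime_ns)
                known = self.file_state.get(path)
                if known is None:
                    new.append((path, state))
                elif known != state:
                    modified.append((path, state))
                else:
                    unchanged.append((path, state))
        return new + modified + unchanged

    def _match(self, path):
        """Feature comparison: does any known pattern occur in the file?"""
        with open(path, "rb") as fh:
            data = fh.read()
        return any(sig in data for sig in self.signatures)

    def scan(self, root, budget=None):
        """Scan up to `budget` files; content already judged is not matched again."""
        report = {"analysed": 0, "dedup_skipped": 0, "infected": []}
        for path, state in self._ordered(root)[:budget]:
            digest = sha256_file(path)
            if digest in self.verdicts:
                report["dedup_skipped"] += 1      # same bytes seen before
            else:
                self.verdicts[digest] = self._match(path)
                report["analysed"] += 1
            self.file_state[path] = state
            if self.verdicts[digest]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report["infected"].append(rel)
        return report


def demo():
    """Build a constructed tree, scan it, add one file, rescan with a budget of 1."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("cfg/a.conf", b"station=1\n")
        write("cfg/a_copy.conf", b"station=1\n")      # identical content, same hash
        write("bin/tool", b"\x7fELF" + MARKER)
        scanner = DedupScanner([MARKER])
        first = scanner.scan(root)
        write("bin/new_tool", b"\x7fELF" + MARKER + b"v2")
        second = scanner.scan(root, budget=1)         # only the new file fits
        return first, second


if __name__ == "__main__":
    for run in demo():
        print(run)
```

Deduplication here saves the feature comparison, not the hashing: a file still has to be read once to learn its digest.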
[0023] Optionally, the method further includes:
[0024] Record the virus detection results, and select at least one of the following post-processing actions to perform based on preset configuration conditions:
[0025] When the virus detection result indicates that the first power monitoring device is abnormal, a local alarm is triggered.
[0026] The virus detection results are sent to the centralized management platform.
[0027] Logs are generated based on this virus detection action for subsequent auditing and analysis.
[0028] Optionally, the operating status information includes the operating status of the device system; the method further includes:
[0029] When the resource pressure index representing the operating status of the equipment system is lower than the first preset pressure index threshold for a period of time, the system available resource redundancy of the first power monitoring equipment is determined, and the presence of a second power monitoring equipment in the same local area network is determined by broadcasting.
[0030] If so, send an assistance query to the second power monitoring device asking whether assistance with virus detection is needed;
[0031] When a request for assistance confirmation is received from the second power monitoring device based on the assistance inquiry information, a cross-device virus detection is performed on the second power monitoring device.
[0032] Optionally, when receiving an assistance confirmation request returned by the second power monitoring device based on the assistance query information, performing cross-device virus detection on the second power monitoring device includes:
[0033] When receiving an assistance confirmation request returned by the second power monitoring device based on the assistance inquiry information, a file retrieval request is sent to the second power monitoring device through a preset remote protocol that supports encrypted transmission. The file retrieval request contains a randomly generated shared key.
[0034] When the second power monitoring device receives an encrypted file encrypted with the shared key via the preset remote protocol, the encrypted file is decrypted using the shared key, and a virus detection task is performed on the decrypted file to obtain cross-device virus detection results.
[0035] The cross-device virus detection results are returned to the second power monitoring device.
[0036] The present invention also provides a virus detection device for power monitoring equipment, applied to a first power monitoring equipment; the device includes:
[0037] The information acquisition unit is used to periodically collect the operating status information of the first power monitoring equipment;
[0038] The resource pressure index calculation unit is used to calculate the current resource pressure index of the first power monitoring equipment based on the operating status information.
[0039] The virus detection strategy selection unit is used to dynamically select a virus detection strategy based on the running status information and the resource pressure index, combined with adaptive resource scheduling.
[0040] The virus detection task execution unit is used to execute a virus detection task for the first power monitoring device under the virus detection strategy and obtain virus detection results.
[0041] The present invention also provides a power monitoring device, the device comprising a processor and a memory:
[0042] The memory is used to store program code and transmit the program code to the processor;
[0043] The processor is used to execute the virus detection method for the power monitoring equipment as described above, according to the instructions in the program code.
[0044] The present invention also provides a computer-readable storage medium for storing program code for executing the virus detection method for power monitoring equipment as described in any of the preceding claims.
[0045] As can be seen from the above technical solutions, the present invention has the following advantages:
[0046] A method for virus detection in power monitoring equipment is provided. The method is applied to a first power monitoring device; the method includes: periodically collecting operating status information of the first power monitoring device; calculating the current resource pressure index of the first power monitoring device based on the operating status information; dynamically selecting a virus detection strategy based on the operating status information and the resource pressure index, combined with adaptive resource scheduling; executing a virus detection task for the first power monitoring device under the virus detection strategy, and obtaining virus detection results. Thus, by real-time sensing of the device's operating status, fully considering resource pressure, and dynamically selecting a virus detection strategy based on adaptive resource scheduling, the method dynamically adjusts the execution timing, scanning intensity, and detection method of the virus detection task. This allows for rapid response to dynamically changing virus threats while ensuring the priority operation of core system services, achieving efficient virus detection.
Attached Figure Description
[0047] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0048] Figure 1 is a flowchart illustrating the steps of a virus detection method for power monitoring equipment;
[0049] Figure 2 is a schematic diagram illustrating the decision logic of an adaptive detection strategy;
[0050] Figure 3 is a schematic diagram of the structure of an intelligent virus detection system;
[0051] Figure 4 is a schematic diagram of the overall process of a virus detection method for power monitoring equipment;
[0052] Figure 5 is a structural block diagram of a virus detection device for power monitoring equipment.
Detailed Implementation
[0053] This invention provides a method for virus detection in power monitoring equipment, a device for virus detection in power monitoring equipment, a power monitoring device, and a storage medium, which are used to solve or partially solve the technical problem that current virus detection systems are unable to quickly respond to dynamically changing virus threats.
[0054] To make the objectives, features, and advantages of this invention more apparent and understandable, the technical solutions of the embodiments of this invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the embodiments described below are only some embodiments of this invention, and not all embodiments. Based on the embodiments of this invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this invention.
[0055] As an example, with the widespread adoption of power monitoring systems, the threat of virus attacks and malware is becoming increasingly serious. Traditional virus detection methods often rely on powerful computing resources, making it difficult to meet the needs of low-performance devices. In some older devices (such as PLC controllers and HMI terminals), due to limited computing power, running traditional virus detection programs will have a significant impact on system performance, resulting in low virus detection efficiency and even failing to detect specific malicious code targeting industrial equipment.
[0056] Current virus detection systems generally rely on locally installed virus definitions for offline detection, achieving this by periodically scanning the file system and comparing the results to a virus signature database. This technology is widely used in general IT systems. However, these systems struggle to respond quickly to dynamically changing virus threats.
[0057] Further analysis of this invention reveals that, in power monitoring systems, to prevent the spread of viruses and malicious code, one or a combination of the following methods are typically employed:
[0058] 1. Install traditional antivirus software on the power monitoring host or server to scan local files regularly or in real time;
[0059] 2. Perform offline virus scans manually during equipment maintenance windows;
[0060] 3. Perform traffic inspection only on the border protection device (such as security isolation device, firewall), and do not inspect terminal files.
[0061] However, the above-mentioned virus detection methods have the following drawbacks:
[0062] a. Uncontrollable resource consumption
[0063] Traditional virus detection programs continuously consume CPU, memory, and disk I/O resources during the scanning process, which can easily affect the real-time operations of power monitoring systems and may cause system lag or even business interruption.
[0064] b. Not applicable to resource-constrained devices
[0065] Many power monitoring devices have low hardware performance and cannot operate a complete virus detection engine and a large-capacity virus database stably for a long time.
[0066] c. Lack of flexibility in detection strategies
[0067] Traditional solutions often employ fixed scanning cycles and fixed detection strategies, which cannot be dynamically adjusted according to the current load and operating status of the equipment.
[0068] d. Limited coverage of virus detection
[0069] Current methods mostly rely on perimeter protection or manual detection, which cannot perform continuous and systematic virus detection on files of internal network terminal devices.
[0070] Therefore, one of the core inventive points of this invention is: to achieve efficient, controllable, and continuous virus detection of devices within a power monitoring system without affecting its real-time performance and stability, a virus detection method for power monitoring system devices based on adaptive resource scheduling is proposed, adaptable to low-performance devices and resource-constrained environments. By real-time sensing of device operating status and fully considering resource pressure, a virus detection strategy is dynamically selected based on adaptive resource scheduling to dynamically adjust the execution timing, scanning intensity, and detection method of virus detection tasks. This allows for rapid response to dynamically changing virus threats while ensuring the priority operation of core system services, achieving efficient virus detection. When a device has high performance or redundant available resources, a cross-device virus detection mechanism can assist in cross-device virus detection of devices with lower performance or limited available resources, thus overcoming the difficulties in virus detection of low-performance devices and resource-constrained environments.
[0071] Referring to Figure 1, a flowchart of a virus detection method for a power monitoring device according to an embodiment of the present invention is shown, applied to a first power monitoring device; the method specifically includes the following steps:
[0072] Step 101: Periodically collect the operating status information of the first power monitoring equipment;
[0073] In practical applications, the virus detection method provided in this embodiment of the invention is applicable to master station equipment, communication equipment, HMI terminals, and other intranet devices in power monitoring systems, collectively referred to as power monitoring equipment. To distinguish between the master device (which can be understood as an active auxiliary device or a high-configuration device) and the slave device (which can be understood as an assisted device or a low-configuration device) in the cross-device virus detection operation in subsequent embodiments, a power monitoring device that performs its own virus detection action and has cross-device virus detection capabilities under conditions of redundant available resources is defined as the first power monitoring device, and other power monitoring devices besides the current first power monitoring device are defined as second power monitoring devices.
[0074] In the specific implementation, the first step is to collect the device's operating status. Specifically, on the protected power monitoring equipment (the first power monitoring equipment), the following operating status information is periodically collected: CPU utilization, memory utilization (memory usage), disk I/O load, network communication load (network latency), and the device system operating status.
[0075] The above operational status information forms the equipment resource status data.
[0076] Step 102: Calculate the current resource pressure index of the first power monitoring equipment based on the operating status information;
[0077] This step primarily calculates the resource pressure index. Specifically, based on the device resource status data collected in the previous steps, the current resource pressure index of the device is calculated according to a preset resource pressure model. The resource pressure index reflects the remaining resources available to the device for performing virus detection tasks. It follows that a higher resource pressure index indicates fewer remaining available resources.
[0078] The resource pressure index model provided in this embodiment of the invention is as follows:
[0079] ;
[0080] Where A, B, C, and D represent the set thresholds for CPU utilization, memory utilization, disk I/O load, and network communication load, respectively.
[0081] It should be noted that the resource pressure index model provided in this embodiment of the invention applies to power monitoring equipment (asset objects) that must meet the following conditions: firstly, virus detection tools (Linux system and Windows system) can be installed; secondly, system resources (CPU/memory/disk/network resources) can be obtained.
[0082] Based on the preceding discussion, the periodically collected operational status information includes CPU utilization, memory utilization, disk I/O load, and network communication load. Therefore, in the specific implementation, the process of calculating the current resource pressure index of the first power monitoring device based on the operational status information can include: calculating the current resource pressure index of the first power monitoring device using a weighted method based on CPU utilization, memory utilization, disk I/O load, and network communication load, combined with preset weighting factors.
[0083] By introducing a resource pressure index calculation mechanism based on equipment operating status, the resource load of power monitoring system equipment can be assessed in real time. In subsequent processes, the virus detection strategy can be dynamically adjusted based on the resource pressure index, and an adaptive scheduling method can be used to optimize the execution of virus detection tasks.
[0084] Step 103: Based on the running status information and the resource pressure index, dynamically select a virus detection strategy using adaptive resource scheduling;
[0085] Operational status information can further include the operational status of the equipment system. By combining the resource pressure index and observing the operational status of the equipment system, it can be determined whether the first power monitoring equipment currently has virus detection capabilities, and the degree of feasibility of virus detection (deep/standard/lightweight).
[0086] Furthermore, when the system operating status of the equipment indicates that the resource pressure index meets the resource idle index for a continuous period of time (configurable according to actual conditions), the first power monitoring equipment can act as a high-configuration device to perform cross-device virus detection on low-configuration devices. This cross-device virus detection mechanism, to avoid affecting the virus detection process of the first power monitoring equipment itself, uses the resource pressure index in deep scan mode as the basis for determining whether the device meets the available resource redundancy criteria and can assist other low-configuration devices in performing virus detection.
[0087] In this embodiment of the invention, an adaptive resource scheduling engine is introduced as the core module of the virus detection system, taking full account of resource constraints. This engine aims to resolve the performance-security contradiction in traditional security software under resource-constrained scenarios. Its core idea is to minimize the impact on the host system while ensuring virus detection accuracy through dynamic resource awareness and intelligent task allocation. The adaptive resource scheduling engine adopts a layered design, comprising three subsystems: resource monitoring, decision analysis, and task scheduling, supporting full-scenario adaptation from embedded devices to cloud computing nodes.
[0088] One improvement of this invention lies in its adaptive detection strategy decision-making. Its implementation principle is as follows: the corresponding virus detection strategy is dynamically selected based on the resource pressure index and the device system's operating status. When the resource pressure index is higher than a preset pressure index threshold (e.g., 0.8), a lightweight scanning mode is adopted to reduce the detection frequency. When it is higher than a higher preset pressure index threshold (e.g., 0.9), a pause detection strategy can be adopted. Conversely, when the resource pressure index is lower than this higher preset pressure index threshold (e.g., 0.9), it indicates that a virus detection task can be triggered. When the resource pressure index is lower than a lower preset pressure index threshold (e.g., 0.5), the virus detection task can be appropriately enhanced. For example, a deep scan mode can be used, and sandbox analysis can be enabled. For example, the adaptive detection strategy decision-making logic is as shown in Figure 2.
[0089] The adaptive detection strategy decisions provided in this embodiment of the invention include, but are not limited to: whether to start a virus detection task; the file scanning range and scanning depth for virus detection.
[0090] The key criteria for determining whether to initiate a virus detection task include: the resource pressure index meeting the requirements; and the resource pressure index meeting the requirements for a period of time during which the equipment system is in operation.
[0091] The key criteria for determining the file scanning range and depth in virus detection include:
[0092] Scenario 1: When the resource pressure index is less than the first preset pressure index threshold (e.g., 0.5), the system is confirmed to be in low load mode through resource assessment, and the files of the entire system are scanned down to the lowest directory level.
[0093] Scenario 2: When the resource pressure index is greater than or equal to the first preset pressure index threshold (e.g., 0.5) and less than the second preset pressure index threshold (e.g., 0.8), the system is confirmed to be in normal load mode through resource assessment, the standard scanning mode is adopted, and the signature matching action is performed.
[0094] Specifically, the signature matching action includes: when the resource pressure index is greater than or equal to 0.5 and less than 0.6, detecting 40% of the entire system's directories (corresponding to 1-0.6) and the deepest 4 levels of subdirectories. When the resource pressure index is greater than or equal to 0.6 and less than 0.7, detecting 30% of the entire system's directories (corresponding to 1-0.7) and the deepest 3 levels of subdirectories. When the resource pressure index is greater than or equal to 0.7 and less than 0.8, detecting 20% of the entire system's directories (corresponding to 1-0.8) and the deepest 2 levels of subdirectories.
[0095] Scenario 3: When the resource pressure index is greater than or equal to the second preset pressure index threshold (e.g., 0.8) and less than the third preset pressure index threshold (e.g., 0.9), the system is confirmed to be in a high-load mode through resource assessment. In this case, a lightweight scanning mode is adopted to reduce the detection frequency and control the monitoring and scanning of key areas. At this time, 10% of the entire system's directories (corresponding to 1-0.9) and the deepest subdirectories can be detected.
[0096] Scenario 4: When the resource pressure index is greater than or equal to the third preset pressure index threshold (e.g., 0.9), the virus detection can be suspended.
[0097] For scenarios one through three (i.e., scenarios where virus detection is actually performed), after the relevant scanning and detection actions are completed, corresponding behavior reports can be generated based on the respective scanning and analysis results.
[0098] Based on the preceding discussion, the specific implementation process, which dynamically selects virus detection strategies based on runtime status information and resource pressure index, combined with adaptive resource scheduling, includes:
[0099] In the first scenario, when the resource pressure index representing the operating status of the device system is consistently lower than the first preset pressure index threshold for a period of time, the deep scan mode for virus detection is triggered, and sandbox analysis is initiated.
[0100] In the second scenario, when the resource pressure index representing the operating status of the device system is greater than or equal to the first preset pressure index threshold and lower than the second preset pressure index threshold for a continuous period of time, the standard scanning mode for virus detection is triggered, and the signature matching action is performed.
[0101] In the third scenario, when the resource pressure index representing the operating status of the device system is greater than or equal to the second preset pressure index threshold and lower than the third preset pressure index threshold for a continuous period of time, the lightweight scanning mode for virus detection is triggered to reduce the detection frequency and control the monitoring and scanning of key areas.
[0102] In the fourth scenario, when the resource pressure index representing the operating status of the device system is greater than or equal to the third preset pressure index threshold for a continuous period of time, the virus detection will be suspended.
[0103] Wherein, 0 < first preset pressure index threshold < second preset pressure index threshold < third preset pressure index threshold < 1.
[0104] Therefore, based on the resource pressure index calculation mechanism, by executing adaptive resource scheduling to dynamically adjust the virus detection strategy, a virus detection execution mechanism that prioritizes business operations is essentially constructed. This mechanism ensures that the virus detection process does not significantly impact the real-time performance of the power monitoring system when equipment resources are strained. Compared to traditional virus detection methods, the solution provided by this invention is more suitable for resource-constrained power monitoring equipment, enabling flexible deployment.
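The decision logic of Scenarios 1 to 4, as an added Python example (not code from the patent). The weighted-sum form of the index, the weight values, the three-sample hold window, the initial paused state and the depth of 1 for lightweight mode are assumptions; the thresholds and directory percentages are the example values quoted above, and the samples are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Assumed weighting factors; the text only says they are preset. They sum to 1.
WEIGHTS = {"cpu": 0.4, "mem": 0.3, "disk_io": 0.2, "net": 0.1}
# Example thresholds from the text: 0 < T1 < T2 < T3 < 1.
T1, T2, T3 = 0.5, 0.8, 0.9


@dataclass(frozen=True)
class ScanPlan:
    mode: str                  # deep / standard / lightweight / paused
    dir_fraction: float        # share of the system's directories to scan
    max_depth: Optional[int]   # None means no depth limit
    sandbox: bool              # sandbox analysis runs only in deep mode


def pressure_index(sample):
    """Weighted sum of metrics normalised to [0, 1] (assumed form of the model)."""
    total = 0.0
    for name, weight in WEIGHTS.items():
        value = sample[name]
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}={value!r} is not normalised to [0, 1]")
        total += weight * value
    return total


def plan_for(index):
    """Map one index value to the scan range and depth given in Scenarios 1 to 4."""
    if index < T1:
        return ScanPlan("deep", 1.0, None, True)
    if index < T2:
        if index < 0.6:
            return ScanPlan("standard", 0.4, 4, False)
        if index < 0.7:
            return ScanPlan("standard", 0.3, 3, False)
        return ScanPlan("standard", 0.2, 2, False)
    if index < T3:
        # Depth 1 is assumed; the text gives 10% of directories but no level count.
        return ScanPlan("lightweight", 0.1, 1, False)
    return ScanPlan("paused", 0.0, 0, False)


class StrategySelector:
    """Switch plans only after `hold` consecutive samples agree on one mode."""

    def __init__(self, hold=3):
        self.recent = deque(maxlen=hold)
        self.current = plan_for(1.0)   # assumed start: paused until headroom is shown

    def observe(self, sample):
        self.recent.append(pressure_index(sample))
        modes = {plan_for(i).mode for i in self.recent}
        if len(self.recent) == self.recent.maxlen and len(modes) == 1:
            # Plan for the highest index in the window, i.e. the lighter scan.
            self.current = plan_for(max(self.recent))
        return self.current


def demo():
    """Constructed run: idle, one load spike, idle again, then sustained load."""
    idle = {"cpu": 0.2, "mem": 0.3, "disk_io": 0.1, "net": 0.1}     # index 0.20
    busy = {"cpu": 0.95, "mem": 0.9, "disk_io": 0.9, "net": 0.8}    # index 0.91
    selector = StrategySelector(hold=3)
    samples = [idle] * 3 + [busy] + [idle] * 3 + [busy] * 3
    return [selector.observe(s).mode for s in samples]


if __name__ == "__main__":
    print(demo())
```

With the continuous-period rule applied to every band, a single spike does not pause a running deep scan; only the third consecutive high sample does, so the hold window also bounds how long a scan can keep competing with the monitoring workload.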
[0105] In some embodiments, where the first power monitoring device itself has a high performance configuration, or where there is redundancy in the currently available resources, the present invention also provides a cross-device virus detection mechanism.
[0106] The cross-device virus detection mechanism is based on cross-device interaction. Specifically, for power monitoring devices located within the same local area network (LAN) and equipped with virus detection programs, once virus detection is initiated, they can periodically broadcast within the intranet to search for other power monitoring devices. In other words, each device within the same LAN can act as both the initiator of the search and the target of the search.
[0107] For any power monitoring device, if it actively detects or is detected by another device on the intranet, a "negotiation" interaction is triggered. Simultaneously, both devices can periodically send their own resource pressure index and device system operating status to each other.
[0108] When the resource pressure index and system operating status of the two devices meet the conditions for cross-device virus detection (one device has a higher configuration or redundant available resources, while the other device has a lower configuration or currently has no available resources to perform virus detection), both devices will generate identifiers related to each other to indicate that they have reached a cooperative relationship. For example, the lower-configuration device receiving assistance can generate an identifier related to the higher-configuration device (such as generating and storing the ID identifier of the higher-configuration device) to mark itself as having a higher-configuration master device for cross-device virus detection. The higher-configuration device providing assistance can record the lower-configuration slave devices that need to be assisted in detection through a similar identifier method.
[0109] Through mutual identification between the two devices, when other high-configuration devices scan the same low-configuration device and initiate a "negotiation" interaction, the low-configuration device will "inform" other high-configuration devices through information feedback that there is already a high-configuration master device assisting in cross-device virus detection, and there is no need to repeat cross-device virus detection.
[0110] In another scenario, if the high-configuration device acting as the first power monitoring device is matched with a low-configuration device whose own resource pressure index and device system operating status meet the "self-sufficiency" requirement, then in response to the "negotiation" interaction of the high-configuration device, the low-configuration device will "inform" the high-configuration device through information feedback that it can complete its own virus detection without additional cross-device assistance (that is, leaving the opportunity to a low-configuration device that needs it more).
[0111] When the high-performance configuration device, acting as the primary power monitoring device, has redundant available resources (i.e., resource surplus), it can retrieve the files to be detected from the low-performance configuration device, acting as the secondary power monitoring device, via remote protocols such as FTP (File Transfer Protocol), SFTP (SSH File Transfer Protocol), FTPS (File Transfer Protocol Secure), or custom protocols. Once the high-performance configuration device completes the detection, it only needs to return the results to the low-performance configuration device. Before transferring the files, the low-performance configuration device must encrypt the files to be processed to improve the security of information exchange.
[0112] To facilitate understanding, based on the cross-device virus detection principle introduced above, the embodiments of this invention construct the intelligent virus detection system shown in Figure 3.
[0113] The system platform is the centralized management platform. This platform can distribute virus system programs and virus database updates to power monitoring equipment (asset equipment) within the same local area network. For ease of explanation, Figure 3 shows, by way of example, three main asset device types, distinguished by each device's own virus detection capabilities. Asset Device 1 (Standard Configuration) utilizes an adaptive resource scheduling engine to dynamically adjust scanning intensity based on system resource usage, selecting appropriate virus detection strategies and executing virus detection tasks (simply put, Standard Configuration Asset Device 1 can achieve a "self-sufficient" virus detection mode). Asset Device 2 (High Configuration), in addition to performing its own virus detection, can remotely scan other low-configuration devices when it has surplus performance (i.e., there is redundancy in available resources), providing cross-device virus detection assistance to low-configuration devices requiring virus detection via remote protocol transmission. Asset Device 3 (Low Configuration) represents devices that require assistance from other high-configuration devices to perform virus detection.
[0114] Based on the preceding discussion, the specific implementation steps of the cross-device virus detection mechanism include: when the resource pressure index representing the operating status of the device system is consistently lower than the first preset pressure index threshold for a period of time, the system available resource redundancy of the first power monitoring device is determined, and a broadcast is used to determine whether a second power monitoring device exists within the same local area network; if so, an assistance query message is sent to the second power monitoring device to inquire whether assistance in virus detection is required; when an assistance confirmation request is received from the second power monitoring device based on the assistance query message, cross-device virus detection is performed on the second power monitoring device.
[0115] Furthermore, for the first power monitoring device, when it receives an assistance confirmation request returned by the second power monitoring device based on assistance inquiry information, the specific implementation process for cross-device virus detection on the second power monitoring device may include: when receiving the assistance confirmation request returned by the second power monitoring device based on assistance inquiry information, sending a file retrieval request to the second power monitoring device through a preset remote protocol supporting encrypted transmission, the file retrieval request containing a randomly generated shared key; when receiving an encrypted file encrypted based on the shared key returned by the second power monitoring device through the preset remote protocol, decrypting the encrypted file using the shared key, and performing a virus detection task on the decrypted file to obtain cross-device virus detection results; and returning the cross-device virus detection results to the second power monitoring device.
[0116] The cross-device virus detection mechanism provided by this invention detects file data on low-performance devices across devices using high-performance devices, further improving the overall virus detection efficiency and system security, and making the virus detection process more controllable, adjustable, and sustainable.
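The negotiation outcomes described above (confirm, decline because a master already exists, decline because the device is self-sufficient), as an added example that is not part of the patent. The message names, device IDs and the threshold value are hypothetical, and refusing a file retrieval request from any device other than the recorded master is an assumed check that the text does not spell out.

```python
from dataclasses import dataclass, field
from typing import Optional

T1 = 0.30  # assumed first preset pressure index threshold


@dataclass
class Device:
    device_id: str
    pressure: float                  # current resource pressure index
    self_sufficient: bool            # can complete its own virus detection
    master_id: Optional[str] = None  # helper recorded by an assisted device
    slaves: set = field(default_factory=set)  # devices this helper assists

    def on_assist_query(self, helper_id: str) -> str:
        """Reply of the queried (second) device to an assistance query."""
        if self.self_sufficient:
            return "DECLINE_SELF_SUFFICIENT"
        if self.master_id not in (None, helper_id):
            return "DECLINE_HAS_MASTER"   # another helper is already recorded
        self.master_id = helper_id        # record the cooperative relationship
        return "ASSIST_CONFIRM"

    def on_file_request(self, requester_id: str) -> str:
        """Assumed check: only the recorded master may retrieve files."""
        if self.master_id is not None and requester_id == self.master_id:
            return "SEND_ENCRYPTED_FILES"
        return "REFUSE"

    def offer_help(self, peers) -> dict:
        """Helper (first) device side: query peers found by broadcast.

        Simplification: redundancy is judged from the current index only,
        not from an index held below T1 for a period of time.
        """
        if self.pressure >= T1:
            return {}                     # no redundant resources, stay silent
        replies = {}
        for peer in peers:
            reply = peer.on_assist_query(self.device_id)
            if reply == "ASSIST_CONFIRM":
                self.slaves.add(peer.device_id)
            replies[peer.device_id] = reply
        return replies


def demo():
    """Constructed LAN: three high-configuration helpers, one standard, one low."""
    high_a = Device("high-A", 0.10, True)
    high_b = Device("high-B", 0.20, True)
    high_c = Device("high-C", 0.70, True)   # currently loaded, no redundancy
    std = Device("std-1", 0.45, True)
    low = Device("low-1", 0.90, False)
    peers = [std, low]
    return (
        high_a.offer_help(peers),
        high_b.offer_help(peers),
        high_c.offer_help(peers),
        low.on_file_request("high-B"),
        low.on_file_request("high-A"),
        sorted(high_a.slaves),
    )


if __name__ == "__main__":
    for item in demo():
        print(item)
```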
[0117] Step 104: Execute a virus detection task for the first power monitoring device under the virus detection strategy to obtain virus detection results.
[0118] This step primarily involves the execution of virus detection tasks. Specifically, virus detection tasks are performed according to the virus detection strategy determined in the preceding steps. These tasks include: comparing file features based on a virus signature database; prioritizing the detection of newly added or modified files; and avoiding duplicate scanning of already detected files through hash value comparison.
[0119] Specifically, the hash value comparison method refers to a deduplication mechanism based on file hash values. By calculating the unique identifier of a file (such as a hash value) and storing the hash value records of detected files, the method avoids repeated scanning of the same file, thereby improving virus detection efficiency and reducing system resource consumption.
[0120] Based on the preceding discussion, in a specific implementation, the process of executing a virus detection task on the first power monitoring device under the virus detection strategy and obtaining the virus detection results may include: scanning the first power monitoring device for files based on the virus detection strategy to determine the files to be detected; executing a virus detection task on the files to be detected and obtaining the virus detection results.
[0121] The virus detection tasks include: comparing file features of the files to be detected based on the virus signature database; prioritizing the detection of newly added files and/or modified files in the files to be detected; and executing a deduplication mechanism based on file hash values during the virus detection process to avoid repeated scanning of already detected files.
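A sketch of the prioritization and hash-based deduplication described above, added here and not taken from the patent. The class and file names are hypothetical, and keying each hash record to the signature database version (so that a database update makes previously scanned files eligible again) is an assumption the text does not state.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class ScanPlanner:
    """Decides which files need scanning and in what order."""

    def __init__(self, signature_db_version: str):
        self.db_version = signature_db_version
        self.known = {}    # path -> (size, mtime_ns) seen on the last pass
        self.scanned = {}  # sha256 -> signature DB version used for the scan

    def plan(self, paths):
        new, modified, rest = [], [], []
        for p in paths:
            st = p.stat()
            stamp = (st.st_size, st.st_mtime_ns)
            previous = self.known.get(str(p))
            if previous is None:
                new.append(p)
            elif previous != stamp:
                modified.append(p)
            else:
                rest.append(p)
            self.known[str(p)] = stamp
        queue, seen_this_pass = [], set()
        # Size and mtime only set the order. Whether a file is skipped is
        # decided by its content hash, because timestamps can be altered.
        for p in new + modified + rest:
            digest = sha256_file(p)
            if digest in seen_this_pass:
                continue  # same content already queued in this pass
            if self.scanned.get(digest) == self.db_version:
                continue  # same content already scanned with this database
            seen_this_pass.add(digest)
            queue.append((p, digest))
        return queue

    def record(self, digest: str) -> None:
        self.scanned[digest] = self.db_version


def demo():
    """Four passes over constructed files; returns the names queued per pass."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "a.cfg").write_bytes(b"relay settings")
        (root / "b.cfg").write_bytes(b"relay settings")  # same content as a.cfg
        (root / "c.bin").write_bytes(b"firmware v1")
        planner = ScanPlanner("db-001")

        def one_pass():
            queue = planner.plan(sorted(root.iterdir()))
            for _, digest in queue:
                planner.record(digest)  # a real scan would run before this
            return [p.name for p, _ in queue]

        passes = [one_pass(), one_pass()]
        (root / "c.bin").write_bytes(b"firmware v2 patched")  # modified file
        (root / "d.bin").write_bytes(b"new upload")           # new file
        passes.append(one_pass())
        planner.db_version = "db-002"  # signature database update
        passes.append(one_pass())
        return passes


if __name__ == "__main__":
    print(demo())
```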
[0122] In some embodiments, after the first power monitoring device obtains the corresponding virus detection result by performing a virus detection task, it can further record the virus detection result and select to perform at least one of the following post-processing actions according to preset configuration conditions: when the virus detection result indicates that the first power monitoring device has an anomaly, a local alarm is triggered; the virus detection result is sent to the centralized management platform; and a log is generated based on this virus detection action for subsequent audit analysis.
[0123] This invention proposes a virus detection method for power monitoring systems based on adaptive resource scheduling, adaptable to low-performance devices and resource-constrained environments. On one hand, by real-time sensing of device operating status and full consideration of resource pressure, a virus detection strategy is dynamically selected based on adaptive resource scheduling. This dynamically adjusts the execution timing, scanning intensity, and detection method of virus detection tasks, thereby enabling rapid response to dynamically changing virus threats and achieving efficient virus detection while ensuring the priority operation of core system services. On the other hand, when the device itself has high performance or redundant available resources, a cross-device virus detection mechanism can assist in cross-device virus detection for devices with lower performance or limited available resources, overcoming the difficulties in virus detection for low-performance devices and resource-constrained environments. By implementing the technical solution provided by this invention, the impact of virus detection on the real-time performance of the power monitoring system is significantly reduced, while the overall security protection capability of the power monitoring system is improved, providing strong protection for the safe and stable operation of power monitoring equipment.
[0124] For better illustration, refer to Figure 4, which illustrates the overall flow of a virus detection method for power monitoring equipment according to an embodiment of the present invention. It should be noted that this embodiment only provides a brief description of the general process of virus detection for power monitoring equipment. The specific implementation process of each step can be understood by referring to the relevant content in the foregoing embodiments, and will not be elaborated upon here. It is understood that the present invention does not impose any limitations on this.
[0125] Step 401: Periodically collect data on the CPU utilization, memory utilization, disk I/O load, network communication load, and system operating status of the first power monitoring device;
[0126] Step 402: Based on CPU utilization, memory utilization, disk I/O load, and network communication load, and combined with preset weighting factors, calculate the current resource pressure index of the first power monitoring device in a weighted manner;
[0127] Step 403: Based on the device system operating status and resource pressure index, dynamically select the virus detection strategy in conjunction with adaptive resource scheduling;
[0128] Step 404: Based on the virus detection strategy, perform file scanning on the first power monitoring device, identify the files to be detected, execute the virus detection task on the files to be detected, obtain the virus detection results, and select and execute the corresponding post-processing actions according to the preset configuration conditions.
[0129] Step 405: When the system available resource redundancy of the first power monitoring device is determined by combining the device system operating status and resource pressure index, the existence of a second power monitoring device in the same local area network is determined by broadcasting.
[0130] Step 406: If yes, send an assistance query to the second power monitoring device asking whether assistance with virus detection is needed;
[0131] Step 407: When a request for assistance confirmation is received from the second power monitoring device based on the assistance inquiry information, a cross-device virus detection is performed on the second power monitoring device.
[0132] Referring to Figure 5, which shows a structural block diagram of a virus detection device for power monitoring equipment according to an embodiment of the present invention, applied to a first power monitoring equipment, the device may specifically include:
[0133] The information acquisition unit 501 is used to periodically acquire the operating status information of the first power monitoring equipment;
[0134] Resource pressure index calculation unit 502 is used to calculate the current resource pressure index of the first power monitoring equipment based on the operating status information;
[0135] The virus detection strategy selection unit 503 is used to dynamically select a virus detection strategy based on the running status information and the resource pressure index, combined with adaptive resource scheduling.
[0136] The virus detection task execution unit 504 is used to execute a virus detection task for the first power monitoring device under the virus detection strategy and obtain virus detection results.
[0137] In one optional embodiment, the operating status information includes CPU utilization, memory utilization, disk I/O load, and network communication load; the resource pressure index calculation unit 502 is specifically used for:
[0138] Based on the CPU utilization, memory utilization, disk I/O load, and network communication load, and combined with preset weighting factors, the current resource pressure index of the first power monitoring device is calculated in a weighted manner.
[0139] In one optional embodiment, the operating status information includes the device system operating status; the virus detection strategy selection unit 503 includes:
[0140] The deep scan mode triggering unit is used to trigger the deep scan mode of virus detection and start sandbox analysis when the resource pressure index representing the operating status of the device system is lower than the first preset pressure index threshold for a period of time.
[0141] The standard scan mode triggering unit is used to trigger the standard scan mode for virus detection and perform signature matching when the resource pressure index representing the operating status of the device system is greater than or equal to the first preset pressure index threshold and lower than the second preset pressure index threshold for a continuous period of time.
[0142] The lightweight scan mode triggering unit is used to trigger the lightweight scan mode for virus detection when the resource pressure index representing the operating status of the device system is greater than or equal to the second preset pressure index threshold and lower than the third preset pressure index threshold for a continuous period of time, thereby reducing the detection frequency and controlling the monitoring and scanning of key areas.
[0143] The virus detection pause unit is used to pause virus detection when the resource pressure index representing the operating status of the device system is greater than or equal to a third preset pressure index threshold for a continuous period of time.
[0144] Wherein, 0 < first preset pressure index threshold < second preset pressure index threshold < third preset pressure index threshold < 1.
[0145] In one optional embodiment, the virus detection task execution unit 504 includes:
[0146] The file scanning unit is used to scan the first power monitoring device for files based on the virus detection strategy and determine the files to be detected.
[0147] The virus detection task execution subunit is used to perform a virus detection task on the file to be detected and obtain the virus detection result.
[0148] The virus detection task includes: comparing file features of the file to be detected based on a virus feature database; prioritizing the detection of newly added files and/or modified files in the file to be detected; and performing a deduplication scanning mechanism based on file hash values during the virus detection process to avoid repeated scanning of already detected files.
[0149] In one alternative embodiment, the device further includes:
[0150] The post-processing action execution unit is used to record the virus detection results and select at least one of the following post-processing actions to execute according to preset configuration conditions:
[0151] When the virus detection result indicates that the first power monitoring device is abnormal, a local alarm is triggered.
[0152] The virus detection results are sent to the centralized management platform.
[0153] A log is generated based on this virus detection action for subsequent auditing and analysis.
[0154] In one optional embodiment, the operating status information includes the operating status of the device system; the device further includes:
[0155] The second power monitoring device search unit is used to determine that the first power monitoring device has redundant available system resources when the resource pressure index representing the operating status of the device system is lower than the first preset pressure index threshold for a period of time, and to determine by broadcasting whether there is a second power monitoring device in the same local area network.
[0156] The assistance inquiry information sending unit is used to send assistance inquiry information to the second power monitoring equipment to ask whether assistance in virus detection is needed.
[0157] A cross-device virus detection unit is used to perform cross-device virus detection on the second power monitoring device when it receives an assistance confirmation request returned by the second power monitoring device based on the assistance query information.
[0158] In one alternative embodiment, the cross-device virus detection unit includes:
[0159] The file retrieval request sending unit is used to send a file retrieval request to the second power monitoring device through a preset remote protocol that supports encrypted transmission when it receives an assistance confirmation request returned by the second power monitoring device based on the assistance inquiry information. The file retrieval request contains a randomly generated shared key.
[0160] A cross-device virus detection execution unit is used to decrypt the encrypted file based on the shared key when it receives an encrypted file returned by the second power monitoring device through the preset remote protocol, and to perform a virus detection task on the decrypted file to obtain cross-device virus detection results.
[0161] The detection result feedback unit is used to return the cross-device virus detection result to the second power monitoring device.
[0162] As the device embodiment is basically similar to the method embodiment, it is described in a relatively simple way. For relevant details, please refer to the description of the method embodiment above.
[0163] It should be noted that, in order to enable those skilled in the art to better distinguish data of the same type but with different actual meanings, some technical features in the embodiments of the present invention are distinguished by the terms "first", "second", and "third". The terms "first", "second", and "third" are used only for data differentiation and have no other special meaning. It is understood that the present invention does not impose any limitations on this.
[0164] This invention also provides a power monitoring device, which includes a processor and a memory:
[0165] The memory is used to store program code and transfer the program code to the processor;
[0166] The processor is used to execute the virus detection method of the power monitoring equipment according to the instructions in the program code of any embodiment of the present invention.
[0167] This invention also provides a computer-readable storage medium for storing program code, which is used to execute the virus detection method for power monitoring equipment according to any embodiment of this invention.
[0168] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0169] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this invention are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, use and processing of related data must comply with the relevant laws, regulations and standards of the relevant countries and regions, and corresponding operation entry points are provided for users to choose to authorize or refuse.
[0170] In the embodiments provided by this invention, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection between devices or units through some interfaces, and may be electrical, mechanical, or other forms.
[0171] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0172] Furthermore, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0173] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0174] The above-described embodiments are only used to illustrate the technical solutions of the present invention, and are not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A method for virus detection in power monitoring equipment, characterized in that, Applied to a first power monitoring device; the method includes: Periodically collect the operating status information of the first power monitoring equipment; Based on the operating status information, calculate the current resource pressure index of the first power monitoring equipment; Based on the operational status information and the resource pressure index, a virus detection strategy is dynamically selected using adaptive resource scheduling. The virus detection task targeting the first power monitoring device is executed under the virus detection strategy to obtain the virus detection results.
2. The virus detection method for power monitoring equipment according to claim 1, characterized in that, The operational status information includes CPU utilization, memory utilization, disk I/O load, and network communication load. The step of calculating the current resource pressure index of the first power monitoring equipment based on the operating status information includes: Based on the CPU utilization, memory utilization, disk I/O load, and network communication load, and combined with preset weighting factors, the current resource pressure index of the first power monitoring device is calculated in a weighted manner.
3. The virus detection method for power monitoring equipment according to claim 1, characterized in that, The operational status information includes the device system operational status; the step of dynamically selecting a virus detection strategy based on the operational status information and the resource pressure index, combined with adaptive resource scheduling, includes: When the resource pressure index representing the operating status of the device system is lower than the first preset pressure index threshold for a continuous period of time, the deep scan mode of virus detection is triggered and sandbox analysis is started. When the resource pressure index representing the operating status of the device system is greater than or equal to the first preset pressure index threshold and lower than the second preset pressure index threshold for a continuous period of time, the standard scanning mode for virus detection is triggered, and the signature matching action is performed. When the resource pressure index representing the operating status of the device system is greater than or equal to the second preset pressure index threshold and lower than the third preset pressure index threshold for a continuous period of time, the lightweight scanning mode of virus detection is triggered to reduce the detection frequency and control the monitoring and scanning of key areas. When the resource pressure index representing the operating status of the device system is greater than or equal to the third preset pressure index threshold for a continuous period of time, the virus detection is suspended. Wherein, 0 < first preset pressure index threshold < second preset pressure index threshold < third preset pressure index threshold < 1.
4. The virus detection method for power monitoring equipment according to claim 1, characterized in that, The step of performing a virus detection task on the first power monitoring device under the virus detection strategy and obtaining virus detection results includes: Based on the virus detection strategy, the first power monitoring device is scanned for files to be detected; Perform a virus detection task on the file to be detected and obtain the virus detection results; The virus detection task includes: comparing file features of the file to be detected based on a virus feature database; prioritizing the detection of newly added files and/or modified files in the file to be detected; and performing a deduplication scanning mechanism based on file hash values during the virus detection process to avoid repeated scanning of already detected files.
5. The virus detection method for power monitoring equipment according to claim 4, characterized in that, Also includes: Record the virus detection results, and select at least one of the following post-processing actions to perform based on preset configuration conditions: When the virus detection result indicates that the first power monitoring device is abnormal, a local alarm is triggered. The virus detection results are sent to the centralized management platform. A log is generated based on this virus detection action for subsequent auditing and analysis.
6. The virus detection method for power monitoring equipment according to any one of claims 1 to 5, characterized in that, The operating status information includes the operating status of the device system; the method further includes: When the resource pressure index representing the operating status of the equipment system is lower than the first preset pressure index threshold for a period of time, the system available resource redundancy of the first power monitoring equipment is determined, and the presence of a second power monitoring equipment in the same local area network is determined by broadcasting. If so, send an assistance query to the second power monitoring device asking whether assistance with virus detection is needed; When a request for assistance confirmation is received from the second power monitoring device based on the assistance inquiry information, a cross-device virus detection is performed on the second power monitoring device.
7. The virus detection method for power monitoring equipment according to claim 6, characterized in that, Performing cross-device virus detection on the second power monitoring device when the assistance confirmation request returned by the second power monitoring device based on the assistance query information is received includes: When receiving an assistance confirmation request returned by the second power monitoring device based on the assistance inquiry information, a file retrieval request is sent to the second power monitoring device through a preset remote protocol that supports encrypted transmission. The file retrieval request contains a randomly generated shared key. When an encrypted file, encrypted based on the shared key, is received from the second power monitoring device via the preset remote protocol, the encrypted file is decrypted using the shared key, and a virus detection task is performed on the decrypted file to obtain cross-device virus detection results. The cross-device virus detection results are returned to the second power monitoring device.
8. A virus detection device for power monitoring equipment, characterized in that, Applied to a first power monitoring device; the device includes: The information acquisition unit is used to periodically collect the operating status information of the first power monitoring equipment; The resource pressure index calculation unit is used to calculate the current resource pressure index of the first power monitoring equipment based on the operating status information. The virus detection strategy selection unit is used to dynamically select a virus detection strategy based on the running status information and the resource pressure index, combined with adaptive resource scheduling. The virus detection task execution unit is used to execute a virus detection task for the first power monitoring device under the virus detection strategy and obtain virus detection results.
9. A power monitoring device, characterized in that, The device includes a processor and a memory: The memory is used to store program code and transmit the program code to the processor; The processor is used to execute the virus detection method for the power monitoring equipment according to any one of claims 1-7, based on the instructions in the program code.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium is used to store program code for executing the virus detection method for the power monitoring equipment according to any one of claims 1-7.