CN112597496B - File reputation identification method, device and system - Google Patents
- Publication number: CN112597496B (application CN202011543348.7A)
- Authority: CN (China)
- Prior art keywords: authentication, file, security detection, sample, detection equipment
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G - PHYSICS
- G06 - COMPUTING; CALCULATING OR COUNTING
- G06F - ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    - G06F21/55 - Detecting local intrusion or implementing counter-measures
      - G06F21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  - G06F21/30 - Authentication, i.e. establishing the identity or authorisation of security principals
    - G06F21/44 - Program or device authentication
  - G06F21/60 - Protecting data
    - G06F21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
      - G06F21/6218 - Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
        - G06F21/6227 - Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Databases & Information Systems (AREA)
- Virology (AREA)
- Storage Device Security (AREA)
Abstract
An embodiment of the application provides a method, a device and a system for identifying file reputation, relating to the technical field of network security. The method comprises: receiving at least one identification request sent by a security detection device, the request carrying the HASH value(s) of sample file(s) that the device could not determine to be malicious or not; processing the identification request to obtain an identification result and sending the identification result to the security detection device; receiving the samples that the security detection device returns for detailed identification on the basis of that result, and generating a sample identification task and a corresponding identification task serial number; and sending the identification task serial number to the security detection device so that the device can query the identification result and identification detail information by that serial number. Cloud-to-ground linkage is realized with a cloud sample identification server, achieving comprehensive and rapid identification that closes detection gaps and solving the problems of insufficient sample identification capability and low identification efficiency in existing methods.
Description
Technical Field
The application relates to the technical field of network security, and in particular to a method, a device and a system for identifying file reputation.
Background
The security detection device is deployed in bypass mode on the user's network and discovers security events and raises alarms in time by monitoring network message data. However, identifying sample files consumes a large amount of processor resources and takes a long time, and because the device is limited by its own processing resources it cannot adopt complex techniques; the result is insufficient sample identification capability and low identification efficiency.
Disclosure of Invention
The embodiment of the application aims to provide a file reputation identification method, device and system that realize cloud-to-ground linkage by means of a cloud sample identification server, so as to achieve comprehensive and rapid identification that closes detection gaps and to solve the problems of insufficient sample identification capability and low identification efficiency in existing methods.
The embodiment of the application provides a file reputation identification method, applied to a sample identification server, comprising the following steps:
receiving at least one identification request sent by a security detection device, the request carrying the HASH value(s) of sample file(s) that the device could not determine to be malicious or not;
processing the identification request to obtain an identification result, and sending the identification result to the security detection device;
receiving the samples that the security detection device returns for detailed identification on the basis of the identification result, and generating a sample identification task and a corresponding identification task serial number;
and sending the identification task serial number to the security detection device so that the security detection device can query the identification result and identification detail information by that serial number.
In this implementation, the sample identification server is in communication connection with the security detection device to realize cloud-to-ground linkage, and it provides rapid identification and an asynchronous query service for identification results. This makes up for the insufficient sample identification capability of the security detection device, closes detection gaps and achieves comprehensive detection, solving the problems of insufficient sample identification capability and low identification efficiency in existing methods.
Further, before the step of receiving the identification request sent by the security detection device, the method further includes:
receiving an authentication request sent by the security detection device in order to authenticate the security detection device;
authenticating the security detection device against the stored authentication data;
and sending an authentication success identifier, an authentication credential, a file reputation list and a sampling configuration file to the security detection device, so that the security detection device determines whether a file is malicious by comparing the HASH values in the file reputation list with the HASH value of the restored file.
In this implementation, after authentication succeeds, the security detection device receives and loads the file reputation list and the sampling configuration file, restores files according to the sampling proportion in the sampling configuration file, calculates the HASH value of each restored file, and makes a preliminary judgement as to whether a file is malicious by comparing that value with the HASH values in the file reputation list.
Further, processing the identification request to obtain an identification result includes:
performing a static lookup by the HASH value of the sample file and marking the result black, white or gray.
In this implementation, the sample identification server determines the identification result for the HASH value of the sample file by static lookup and marks it black, white or gray, where black denotes a malicious sample, white a normal sample and gray an undetermined sample.
Further, sending the identification task serial number to the security detection device so that the security detection device queries the identification result and identification detail information by that serial number includes:
receiving a query-identification-result request sent by the security detection device, the request containing the identification task serial number;
if identification has not finished, returning a "processing" prompt message to the security detection device so that the security detection device sends the query-identification-result request again after a preset delay interval;
if identification has finished, returning the identification result corresponding to the identification task serial number so that the security detection device initiates a query-identification-details request according to the identification result;
and sending the corresponding identification detail information to the security detection device according to the query-identification-details request.
In this implementation, a procedure for asynchronously requesting identification results is provided: subsequent queries for the identification result are made by identification task serial number, queries can be spread to off-peak times, and non-blocking file submission and result querying are realized.
Further, the method further comprises:
updating the propagation map, the infection map and the reputation library, and calculating a key file reputation list;
updating the file sampling proportion and periodically sending the file sampling proportion to the security detection device for information synchronization.
In this implementation, rich propagation maps and infection maps are built in the cloud, so that malicious files can be tracked.
The embodiment of the application also provides a file reputation identification device, comprising:
a request receiving module, configured to receive at least one identification request sent by the security detection device, the request carrying the HASH value(s) of sample file(s) that the device could not determine to be malicious or not;
a processing module, configured to process the identification request to obtain an identification result and send the identification result to the security detection device;
a sample receiving module, configured to receive the samples returned by the security detection device for detailed identification and to generate a sample identification task and a corresponding identification task serial number;
and a result sending module, configured to send the identification task serial number to the security detection device so that the security detection device queries the identification result and identification detail information by that serial number.
In this implementation, cloud-to-ground linkage realizes rapid and comprehensive identification of malicious sample files, the security detection device can query identification results asynchronously, and the security detection device and the sample identification server complement each other, so that the insufficient sample identification capability of the security detection device is made up, detection gaps are closed and the detection performance of the security detection device is ensured.
The embodiment of the application also provides a file reputation identification system, comprising:
a security detection device, configured to make a preliminary determination of malicious files on the basis of the file reputation list HASH values and the restored file HASH values, and to send to the sample identification server identification requests carrying the HASH values of sample files that it could not determine to be malicious or not, together with the samples to be identified in detail;
and a sample identification server, in communication connection with the security detection device, configured to receive the identification requests and the asynchronous query-identification-result requests of the security detection device and to send identification detail information to the security detection device.
In this implementation, samples that the security detection device cannot detect are sent to the sample identification server for further detection, and a closed-loop design is adopted in which the cloud identifies files and the security detection device verifies them, so that the deficiency in the sample identification capability of the security detection device is overcome, detection gaps are closed, and query efficiency is improved through asynchronous result queries.
The embodiment of the application also provides an electronic device comprising a memory and a processor, wherein the memory stores a computer program and the processor runs the computer program so that the electronic device executes the above file reputation identification method.
The embodiment of the application also provides a readable storage medium storing computer program instructions which, when read and run by a processor, execute the above file reputation identification method.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should not be considered as limiting its scope; a person skilled in the art can obtain other related drawings from these drawings without inventive effort.
FIG. 1 is a flowchart of a file reputation identification method according to an embodiment of the present application;
FIG. 2 is a flowchart of the detection process of a security detection device according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the interaction between a security detection device and a sample identification server according to an embodiment of the present application;
FIG. 4 is a flowchart of asynchronously querying an identification result according to an embodiment of the present application;
FIG. 5 is a flowchart of updating the file reputation and sampling ratio according to an embodiment of the present application;
FIG. 6 is a structural block diagram of a file reputation identification device according to an embodiment of the present application;
FIG. 7 is an overall structural block diagram of a file reputation identification device according to an embodiment of the present application;
FIG. 8 is a structural block diagram of a file reputation identification system according to an embodiment of the present application.
Icon:
100 - request receiving module; 110 - authentication module; 111 - authentication request module; 112 - authentication processing module; 113 - file sending module; 200 - processing module; 300 - sample receiving module; 400 - result sending module; 401 - result request receiving module; 402 - identification result module; 403 - identification details sending module; 510 - update module; 511 - map update module; 512 - information synchronization module; 601 - security detection device; 602 - sample identification server.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to FIG. 1, which is a flowchart of a file reputation identification method according to an embodiment of the present application. The method is applied to a sample identification server 602 in the cloud, such as a cloud detection system; the sample identification server 602 is in communication connection with a local security detection device 601 to form a cloud-to-ground combined rapid identification mode. The method comprises the following specific steps:
Step S100: receiving at least one identification request sent by the security detection device 601, the request carrying the HASH value(s) of sample file(s) that the device could not determine to be malicious or not;
Before step S100, as shown in FIG. 2, which is a flowchart of the detection process of the security detection device 601, the method further includes:
Step S111: receiving an authentication request sent by the security detection device 601 in order to authenticate the security detection device 601;
Step S112: authenticating the security detection device 601 against the stored authentication data;
Step S113: sending an authentication success identifier, an authentication credential, a file reputation list and a sampling configuration file to the security detection device 601, so that the security detection device 601 determines whether a file is malicious by comparing the file reputation list HASH values with the restored file HASH value.
Specifically, as shown in FIG. 3, which is a schematic diagram of the interaction between the security detection device 601 and the sample identification server 602 (such as a cloud detection system), the security detection device 601 initiates an authentication request to the sample identification server 602. The authentication information in the request includes, but is not limited to, the IP address of the security detection device 601, a product name and a device identifier, where the device identifier may be the product serial number and serves as the unique identifier of the security detection device 601.
The sample identification server 602 authenticates the security detection device 601 against the stored authentication data. If access is allowed, it returns an authentication success identifier and authentication credentials and at the same time issues a file reputation list, a sampling configuration file, a log record and the like, the sampling configuration file containing the sampling proportion; if access is not allowed, the authentication request of the security detection device 601 is rejected.
The security detection device 601 loads the file reputation list, identifies the file header and file type, randomly restores files according to the sampling proportion, and calculates the HASH value of each restored file. It then compares the file reputation list HASH values with the restored file HASH value. On a hit, it records propagation map and infection map information, such as the transmission URL, transmission protocol, transmission application, transmission port, transmission IP, transmission mailbox, infected IP and infected mailbox, and sends the propagation map and infection map to the sample identification server 602. The sample identification server 602 receives the propagation map and infection map and can update the reputation library, that is, update the propagation map and infection map of the file, complete the aging update of the file reputation, and calculate a key file reputation list.
On a miss, it cannot be determined whether the file is malicious, and a rapid identification request may be initiated to the cloud sample identification server 602. The identification request carries at least one HASH value of a sample file that could not be determined to be malicious or not, but not the sample file itself. The HASH algorithm may be MD5, SHA1 or the like and is not limited here.
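The device-side flow just described (load the reputation list and sampling configuration, sample restored files by type, hash and look them up, record propagation and infection information on a hit, and batch only the HASH values of unknown files into the rapid identification request), as an added Python illustration that is not part of the patent. The file-type rules, sampling configuration, reputation entries and traffic records are constructed, and SHA-256 is one of the algorithms the text leaves open.

```python
"""Security detection device side of the flow above (steps S111-S113 and hit/miss handling).
Added illustration, not the patent's code; all data, field names and type rules are constructed."""
import hashlib
import random
from dataclasses import dataclass, field

# Constructed sampling configuration file: per file type, the share of restored files
# that are hashed and checked (the patent's "sampling proportion").
SAMPLING_CONFIG = {"pe": 1.0, "pdf": 0.5, "zip": 0.25, "other": 0.1}


def file_hash(data: bytes) -> str:
    """SHA-256 is used here; the patent leaves the algorithm open (MD5, SHA1 "or the like")."""
    return hashlib.sha256(data).hexdigest()


# Constructed file reputation list: HASH value -> black/white verdict.
KNOWN_MALICIOUS = b"MZ\x90\x00constructed-malicious-pe"
KNOWN_BENIGN = b"%PDF-1.7 constructed benign document"
REPUTATION_LIST = {file_hash(KNOWN_MALICIOUS): "black", file_hash(KNOWN_BENIGN): "white"}


@dataclass
class RestoredFile:
    """A file reconstructed from monitored traffic, with its transmission context."""
    data: bytes
    src_ip: str
    dst_ip: str
    url: str
    protocol: str


@dataclass
class DeviceState:
    propagation_map: list = field(default_factory=list)  # where a hit was transmitted from
    infection_map: list = field(default_factory=list)    # which hosts received a hit
    pending_hashes: list = field(default_factory=list)   # unknown hashes for the rapid request


def identify_type(data: bytes) -> str:
    """File type from the header bytes (the device 'identifies the file header and type')."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:2] == b"PK":
        return "zip"
    return "other"


def process_restored_file(f: RestoredFile, state: DeviceState, rng: random.Random,
                          sampling_config: dict = SAMPLING_CONFIG) -> str:
    """Returns 'skipped', 'black', 'white' or 'unknown' for one restored file."""
    ftype = identify_type(f.data)
    ratio = sampling_config.get(ftype, sampling_config["other"])
    if rng.random() >= ratio:
        return "skipped"                        # not selected by the sampling proportion
    digest = file_hash(f.data)
    verdict = REPUTATION_LIST.get(digest)
    if verdict is None:
        state.pending_hashes.append(digest)     # hash only, never the sample (step S100)
        return "unknown"
    if verdict == "black":
        state.propagation_map.append({"hash": digest, "url": f.url,
                                      "protocol": f.protocol, "src_ip": f.src_ip})
        state.infection_map.append({"hash": digest, "infected_ip": f.dst_ip})
    return verdict


def build_rapid_identification_request(state: DeviceState, device_id: str) -> dict:
    """Message for step S100: device identifier plus the de-duplicated unknown hashes."""
    return {"device_id": device_id, "hashes": sorted(set(state.pending_hashes))}


def run_demo() -> tuple:
    rng = random.Random(7)                      # fixed seed so the sampling is reproducible
    state = DeviceState()
    files = [  # constructed traffic records
        RestoredFile(KNOWN_MALICIOUS, "203.0.113.5", "192.0.2.10", "http://example.invalid/a.exe", "http"),
        RestoredFile(KNOWN_BENIGN, "203.0.113.6", "192.0.2.11", "http://example.invalid/b.pdf", "http"),
        RestoredFile(b"MZ\x90\x00unseen-binary", "203.0.113.7", "192.0.2.12", "http://example.invalid/c.exe", "http"),
    ]
    verdicts = [process_restored_file(f, state, rng) for f in files]
    return verdicts, state, build_rapid_identification_request(state, "SN-CONSTRUCTED-0001")
```

PE files are sampled at 1.0, so their verdicts are deterministic; the PDF is subject to the 0.5 sampling proportion and may be skipped.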
Step S200: processing the identification request to obtain an identification result, and sending the identification result to the security detection device 601;
The sample identification server 602 performs rapid sample identification according to the information carried in the rapid identification request: specifically, it performs a static lookup by the HASH value of the sample file and marks each identification result black, white or gray, where black denotes a malicious sample, white a normal sample and gray an undetermined sample needing further analysis.
Step S300: receiving the samples that the security detection device 601 returns for detailed identification on the basis of the identification result, and generating a sample identification task and a corresponding identification task serial number;
Specifically, the security detection device 601 acts on the rapid identification result returned by the sample identification server 602: for samples marked black or white, identification is finished; samples marked gray are the samples to be identified in detail and are uploaded to the sample identification server 602 for detailed identification.
On receiving a sample to be identified in detail, the sample identification server 602 starts a sample identification task and returns an identification task serial number, which the security detection device 601 uses to query the identification result asynchronously without waiting for identification to end.
Step S400: sending the identification task serial number to the security detection device 601 so that the security detection device 601 queries the identification result and identification detail information by that serial number.
When executing a sample identification task, the sample identification server 602 invokes detection methods such as dynamic or static analysis to perform professional, detailed identification of the sample.
As shown in FIG. 4, this step may specifically include:
Step S401: receiving a query-identification-result request sent by the security detection device 601, the request containing the identification task serial number;
Step S402: if identification has not finished, returning a "processing" prompt message to the security detection device 601, so that the security detection device 601 sends the query-identification-result request again after a preset delay interval;
if identification has finished, returning the identification result corresponding to the identification task serial number, so that the security detection device 601 initiates a query-identification-details request according to the identification result;
Step S403: sending the corresponding identification detail information to the security detection device 601 according to the query-identification-details request.
Specifically, the security detection device 601 sends a query-identification-result request carrying the identification task serial number to the sample identification server 602 in the cloud, and the sample identification server 602 returns the identification result corresponding to that serial number. If the returned result is "processing", identification has not yet ended, and the security detection device 601 should wait for a period of time and then send the query-identification-result request again. If identification has finished, the device may initiate a query-identification-details request according to the identification result; this request specifies the detail information the user needs for configuring policy marks, such as the static identification details, the dynamic identification details or all details. The cloud sample identification server 602 collates the detail data according to the request and sends the part or all of the detail information designated by the security detection device 601 to the security detection device 601.
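Steps S200 to S403 as a self-contained in-memory simulation in Python, added here and not taken from the patent: the static black/white/gray lookup, task serial numbers for gray samples, the "processing" reply with the device's re-query loop, and a details request scoped to static, dynamic or all detail information. Message layouts, field names and the tick-based stand-in for the delay interval are assumptions.

```python
"""Sample identification server (steps S200-S403) and the device polling loop of FIG. 4.
Added illustration, not the patent's code; message layouts and verdict logic are constructed."""
import hashlib
import itertools


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed static reputation store for the rapid (static) lookup of step S200.
KNOWN_MALICIOUS = file_hash(b"MZ\x90\x00constructed-malicious-pe")
KNOWN_BENIGN = file_hash(b"%PDF-1.7 constructed benign document")
STATIC_REPUTATION = {KNOWN_MALICIOUS: "black", KNOWN_BENIGN: "white"}


class SampleIdentificationServer:
    """Holds identification tasks keyed by serial number. 'Ticks' stand in for wall-clock
    progress so the asynchronous behaviour can be exercised deterministically."""

    def __init__(self, ticks_per_task: int = 2):
        self._serials = itertools.count(1)
        self._tasks = {}                  # serial -> task record
        self._ticks_per_task = ticks_per_task

    def rapid_identify(self, request: dict) -> dict:
        """Step S200: static lookup; anything not in the store is gray (undetermined)."""
        marks = {h: STATIC_REPUTATION.get(h, "gray") for h in request["hashes"]}
        return {"device_id": request["device_id"], "marks": marks}

    def submit_sample(self, sample: bytes) -> dict:
        """Step S300: create a detailed identification task and hand back its serial number."""
        serial = f"TASK-{next(self._serials):06d}"
        self._tasks[serial] = {"ticks_left": self._ticks_per_task, "sample": sample,
                               "result": None, "details": None}
        return {"task_serial": serial}

    def tick(self) -> None:
        """Advance every running task; finished tasks get a constructed verdict and details."""
        for task in self._tasks.values():
            if task["result"] is not None:
                continue
            task["ticks_left"] -= 1
            if task["ticks_left"] <= 0:
                is_pe = task["sample"][:2] == b"MZ"      # constructed stand-in for analysis
                task["result"] = "black" if is_pe else "white"
                task["details"] = {
                    "static": {"file_type": "pe" if is_pe else "other",
                               "hash": file_hash(task["sample"])},
                    "dynamic": {"behaviours": ["constructed-behaviour"] if is_pe else []},
                }

    def query_result(self, request: dict) -> dict:
        """Steps S401/S402: 'processing' until the task finishes, then the result."""
        task = self._tasks.get(request["task_serial"])
        if task is None:
            return {"status": "unknown_task"}
        if task["result"] is None:
            return {"status": "processing"}
        return {"status": "finished", "result": task["result"]}

    def query_details(self, request: dict) -> dict:
        """Step S403: return only the sections the device asked for ('static', 'dynamic', 'all')."""
        task = self._tasks[request["task_serial"]]
        wanted = ("static", "dynamic") if request["scope"] == "all" else (request["scope"],)
        return {k: task["details"][k] for k in wanted}


def device_poll(server: SampleIdentificationServer, task_serial: str, max_attempts: int = 5) -> dict:
    """Device-side loop of FIG. 4: re-query after the delay (here one server tick) while
    'processing'; give up after max_attempts so a stuck task cannot block the device."""
    for attempt in range(1, max_attempts + 1):
        reply = server.query_result({"task_serial": task_serial})
        if reply["status"] != "processing":
            reply["attempts"] = attempt
            return reply
        server.tick()                     # stands in for the preset delay interval
    return {"status": "timeout", "attempts": max_attempts}


def run_exchange() -> dict:
    server = SampleIdentificationServer(ticks_per_task=2)
    unknown = b"MZ\x90\x00unseen-binary"
    rapid = server.rapid_identify({"device_id": "SN-CONSTRUCTED-0001",
                                   "hashes": [KNOWN_MALICIOUS, KNOWN_BENIGN, file_hash(unknown)]})
    # Only gray samples are uploaded for detailed identification (step S300).
    gray = [h for h, m in rapid["marks"].items() if m == "gray"]
    serial = server.submit_sample(unknown)["task_serial"]
    final = device_poll(server, serial)
    details = server.query_details({"task_serial": serial, "scope": "static"})
    return {"rapid": rapid["marks"], "gray_count": len(gray), "serial": serial,
            "final": final, "details": details}
```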
As shown in FIG. 5, which is a flowchart of updating the file reputation and sampling ratio, the method further comprises:
Step S511: updating the propagation map, the infection map and the reputation library, and calculating a key file reputation list;
Step S512: updating the file sampling proportion and periodically sending the file sampling proportion to the security detection device 601 for information synchronization.
Specifically, the cloud sample identification server 602 updates the file infection map and propagation map according to the received information and the calculation results, completes the aging refresh of the file reputation, calculates the key file reputation list, and calculates the latest sampling proportion for each file type according to the proportion of malicious samples in that file type. The latest file reputation list and the per-type sampling proportions are pushed to every authenticated security detection device 601 at regular intervals.
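The update cycle of FIG. 5 in Python, added here and not the patent's code: fold infection reports into the reputation library, age out stale entries, derive the key file reputation list, and recompute the per-type sampling proportion from the malicious share of each type. The patent states no formula, so the 14-day aging window, the top-N infected-host rule and the linear ratio mapping are constructed assumptions.

```python
"""Cloud-side update of FIG. 5 (steps S511 and S512).
Added illustration, not the patent's code; the aging window, key-list rule and ratio
mapping are assumptions, and all library entries and reports are constructed."""
from dataclasses import dataclass, field


@dataclass
class ReputationEntry:
    verdict: str                 # "black" or "white"
    file_type: str
    last_seen: int               # day number of the most recent report
    infected_ips: set = field(default_factory=set)


def apply_reports(library: dict, reports: list, today: int) -> None:
    """Step S511, part 1: fold device reports (hash, infected_ip) into the infection map."""
    for r in reports:
        entry = library.get(r["hash"])
        if entry is None:
            continue                           # unknown hash: left for detailed identification
        entry.infected_ips.add(r["infected_ip"])
        entry.last_seen = today


def age_library(library: dict, today: int, max_age_days: int) -> dict:
    """Aging update: drop entries not reported within max_age_days (assumed rule)."""
    return {h: e for h, e in library.items() if today - e.last_seen <= max_age_days}


def key_file_reputation_list(library: dict, top_n: int) -> list:
    """Key list: the black entries with the most distinct infected hosts (assumed rule)."""
    black = [(h, e) for h, e in library.items() if e.verdict == "black"]
    black.sort(key=lambda he: (-len(he[1].infected_ips), he[0]))
    return [h for h, _ in black[:top_n]]


def sampling_ratios(library: dict, floor: float = 0.1, ceiling: float = 1.0) -> dict:
    """Step S512: per-type ratio rising linearly with that type's malicious share (assumed)."""
    totals, malicious = {}, {}
    for e in library.values():
        totals[e.file_type] = totals.get(e.file_type, 0) + 1
        if e.verdict == "black":
            malicious[e.file_type] = malicious.get(e.file_type, 0) + 1
    ratios = {}
    for t, n in totals.items():
        share = malicious.get(t, 0) / n
        ratios[t] = round(min(ceiling, floor + (ceiling - floor) * share), 3)
    return ratios


def build_sync_message(library: dict, today: int) -> dict:
    """The periodic message pushed to every authenticated security detection device."""
    return {"key_file_reputation_list": key_file_reputation_list(library, top_n=2),
            "sampling_config": sampling_ratios(library),
            "as_of_day": today}


def run_update() -> dict:
    today = 30
    library = {  # constructed reputation library
        "h-pe-1": ReputationEntry("black", "pe", last_seen=28),
        "h-pe-2": ReputationEntry("black", "pe", last_seen=29),
        "h-pe-3": ReputationEntry("white", "pe", last_seen=30),
        "h-pdf-1": ReputationEntry("white", "pdf", last_seen=30),
        "h-pdf-2": ReputationEntry("black", "pdf", last_seen=1),   # stale, aged out below
        "h-zip-1": ReputationEntry("white", "zip", last_seen=30),
    }
    reports = [  # constructed infection reports from devices
        {"hash": "h-pe-1", "infected_ip": "192.0.2.10"},
        {"hash": "h-pe-1", "infected_ip": "192.0.2.11"},
        {"hash": "h-pe-2", "infected_ip": "192.0.2.12"},
        {"hash": "h-never-seen", "infected_ip": "192.0.2.13"},
    ]
    apply_reports(library, reports, today)
    library = age_library(library, today, max_age_days=14)
    return build_sync_message(library, today)
```

With the constructed data the PE type has two malicious entries out of three after aging, so its sampling proportion rises to 0.7 while PDF and ZIP stay at the 0.1 floor.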
In summary, the security detection device 601 works together with the cloud sample identification server 602 to realize cloud-to-ground combined rapid identification and tracking of malicious files, and a file propagation map and infection map are built from that tracking; the sampling proportion is calculated in the cloud from the proportion of malicious samples of each file type; a closed-loop design is adopted in which the cloud identifies files and the detection device verifies them, so that the detection device always detects the most important malicious files; the asynchronous query of identification results ensures non-blocking file submission and result querying; and the samples to be identified in detail, together with the HASH values of sample files that could not be determined to be malicious or not, are sent to the cloud sample identification server 602 for identification. The insufficient sample identification capability of the security detection device 601 is thereby made up, detection gaps are closed, and the detection performance of the security detection device 601 is guaranteed.
Example 2
The embodiment of the application provides a file reputation identification device, applied to the file reputation identification method of Example 1. As shown in FIG. 6, which is a structural block diagram of the file reputation identification device, the device comprises:
a request receiving module 100, configured to receive at least one identification request sent by the security detection device 601, the request carrying the HASH value(s) of sample file(s) that the device could not determine to be malicious or not;
a processing module 200, configured to process the identification request to obtain an identification result and send the identification result to the security detection device 601;
a sample receiving module 300, configured to receive the samples returned by the security detection device 601 for detailed identification and to generate a sample identification task and a corresponding identification task serial number;
and a result sending module 400, configured to send the identification task serial number to the security detection device 601 so that the security detection device 601 queries the identification result and identification detail information by that serial number.
As shown in FIG. 7, which is an overall structural block diagram of the file reputation identification device, the device further comprises an authentication module 110, which includes:
an authentication request module 111, configured to receive an authentication request sent by the security detection device 601 in order to authenticate the security detection device 601;
an authentication processing module 112, configured to authenticate the security detection device 601 against the stored authentication data;
and a file sending module 113, configured to send an authentication success identifier, an authentication credential, a file reputation list and a sampling configuration file to the security detection device 601, so that the security detection device 601 determines whether a file is malicious by comparing the file reputation list HASH values with the restored file HASH value.
The result sending module 400 includes:
a result request receiving module 401, configured to receive a query-identification-result request sent by the security detection device 601, the request containing the identification task serial number;
an identification result module 402, configured to return, if identification has not finished, a "processing" prompt message to the security detection device 601 so that the security detection device 601 sends the query-identification-result request again after a preset delay interval;
and, if identification has finished, to return the identification result so that the security detection device 601 initiates a query-identification-details request according to that result, the query-identification-details request containing the marking information set according to the user's configuration policy;
and an identification details sending module 403, configured to send the corresponding identification detail information to the security detection device 601 according to the query-identification-details request.
The apparatus further comprises an update module 510:
a map update module 511, configured to update the propagation map, the infection map and the reputation library, and to calculate a key file reputation list;
and an information synchronization module 512, configured to update the file sampling ratio and to send it periodically to the security detection device 601 for information synchronization.
Through this cloud-to-ground linkage, malicious sample files are identified quickly and comprehensively: the security detection device 601 can query identification results asynchronously, and the security detection device 601 and the sample identification server 602 complement each other. This compensates for the limited sample identification capability of the security detection device 601, closes detection gaps, and preserves the detection performance of the security detection device 601.
Example 3
This embodiment of the application provides a file reputation identification system, shown in FIG. 8 as a structural block diagram, where the system comprises:
the security detection device 601, configured to make a preliminary determination of malicious files based on the file reputation list HASH values and the restored file HASH value, and to send to the sample identification server 602 an identification request for each sample file HASH value for which it cannot be determined whether the file is malicious, together with the samples that require detailed identification;
the sample identification server 602, communicatively connected to the security detection device 601 (for example, by remote communication over the internet), and configured to receive identification requests and asynchronous identification result queries from the security detection device 601 and to send identification detail information to the security detection device 601.
In implementation, through the cloud-to-ground linkage the security detection device 601 sends the samples requiring detailed identification, and the sample file HASH values for which it cannot be determined whether the file is malicious, to the sample identification server 602 for further identification. This compensates for the limited built-in sample identification capability of the device and closes detection gaps.
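To make the server side of this flow concrete, the following added example (not the patent's code nor any vendor's implementation) models the sample identification server: device authentication that returns a credential, the file reputation list and the sampling ratio; a static black/white/gray lookup of sample HASH values; task serial numbers for samples needing detailed identification; and the asynchronous result query that returns a "processing" prompt until the task finishes. The stored authentication data, the credential format, SHA-256 as the HASH, the reputation entries and the 0.2 sampling ratio are all assumptions.

```python
"""Added example (not the patent's own code): a toy model of the sample
identification server described above. The stored authentication data,
credential format, reputation values and sampling ratio are all assumed."""
import hashlib
import itertools
import secrets


def file_hash(data: bytes) -> str:
    """HASH value of a (restored) file; the patent does not fix the algorithm."""
    return hashlib.sha256(data).hexdigest()


# Constructed reputation library: HASH -> verdict. Unknown HASHes are "gray".
REPUTATION_LIBRARY = {
    file_hash(b"known-clean-installer"): "white",
    file_hash(b"known-malicious-dropper"): "black",
}
SAMPLING_RATIO = 0.2  # assumed value carried in the sampling configuration file


class SampleIdentificationServer:
    def __init__(self, stored_auth_data):
        self.stored_auth_data = set(stored_auth_data)  # {(device_id, secret)}
        self.credentials = {}                          # credential -> device_id
        self.tasks = {}                                # serial number -> task
        self._serials = itertools.count(1)

    def authenticate(self, device_id, secret):
        """Authenticate the device; on success return the credential,
        the file reputation list (known-malicious HASHes) and the sampling ratio."""
        if (device_id, secret) not in self.stored_auth_data:
            return None
        cred = secrets.token_hex(8)
        self.credentials[cred] = device_id
        return {"credential": cred,
                "reputation_list": [h for h, v in REPUTATION_LIBRARY.items() if v == "black"],
                "sampling_ratio": SAMPLING_RATIO}

    def identify(self, cred, file_hashes):
        """Static lookup of each sample HASH, marked black / white / gray."""
        self._require(cred)
        return {h: REPUTATION_LIBRARY.get(h, "gray") for h in file_hashes}

    def submit_sample(self, cred, file_hash_value, sample):
        """Accept a sample for detailed identification; return its task serial number."""
        self._require(cred)
        serial = next(self._serials)
        self.tasks[serial] = {"hash": file_hash_value, "size": len(sample),
                              "done": False, "verdict": None}
        return serial

    def finish_task(self, serial, verdict):
        """Stand-in for the detailed analysis completing (assumed to run elsewhere)."""
        self.tasks[serial].update(done=True, verdict=verdict)

    def query_result(self, cred, serial):
        """Asynchronous query: a 'processing' prompt until the task finishes,
        after which the device is expected to retry following its delay interval."""
        self._require(cred)
        task = self.tasks[serial]
        if not task["done"]:
            return {"status": "processing"}
        return {"status": "done", "verdict": task["verdict"]}

    def query_details(self, cred, serial, marking):
        """Return identification details; 'marking' comes from the device's user policy."""
        self._require(cred)
        task = self.tasks[serial]
        if not task["done"]:
            raise RuntimeError("details are only available after identification finishes")
        return {"hash": task["hash"], "verdict": task["verdict"], "marking": marking}

    def _require(self, cred):
        """Every request after authentication must carry a valid credential."""
        if cred not in self.credentials:
            raise PermissionError("request without a valid authentication credential")
```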
An embodiment of the present application provides an electronic device comprising a memory and a processor, where the memory is configured to store a computer program and the processor is configured to execute the computer program so that the electronic device performs the file reputation identification method described in embodiment 1.
An embodiment of the present application provides a readable storage medium storing computer program instructions which, when read and executed by a processor, perform the file reputation identification method described in embodiment 1.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Claims (9)
1. A file reputation identification method, applied to a sample identification server, the method comprising:
receiving an authentication request sent by a security detection device, so as to authenticate the security detection device;
authenticating the security detection device according to stored authentication data;
sending an authentication success identifier, an authentication credential, a file reputation list and a sampling configuration file to the security detection device, so that the security detection device determines whether a file is a malicious file according to the file reputation list HASH values and the restored file HASH value, wherein the sampling configuration file comprises a sampling ratio, files are randomly restored according to the sampling ratio, and the restored file HASH value is calculated;
receiving at least one identification request sent by the security detection device for a sample file HASH value for which it cannot be determined whether the file is a malicious file;
processing the identification request to obtain an identification result, and sending the identification result to the security detection device;
receiving a sample in the identification result that requires detailed identification, returned by the security detection device, and generating a sample identification task and a corresponding identification task serial number;
and sending the identification task serial number to the security detection device, so that the security detection device can query the identification result and the identification detail information according to the identification task serial number.
2. The file reputation identification method according to claim 1, wherein processing the identification request to obtain an identification result comprises:
performing a static lookup according to the sample file HASH value and marking it as black, white or gray.
3. The file reputation identification method according to claim 1, wherein sending the identification task serial number to the security detection device so that the security detection device queries the identification result and the identification detail information according to the identification task serial number comprises:
receiving a query identification result request sent by the security detection device, wherein the query identification result request carries the identification task serial number;
if the identification is not finished, returning a "processing" prompt message to the security detection device, so that the security detection device sends the query identification result request again after a preset delay interval;
if the identification is finished, returning the identification result corresponding to the identification task serial number, so that the security detection device initiates a query identification detail request according to the identification result;
and sending the corresponding identification detail information to the security detection device according to the query identification detail request.
4. The file reputation identification method according to claim 1, further comprising:
updating the propagation map, the infection map and the reputation library, and calculating a key file reputation list;
updating the file sampling ratio and periodically sending the file sampling ratio to the security detection device for information synchronization.
5. A file reputation identification apparatus, the apparatus comprising:
an authentication module, the authentication module comprising:
an authentication request module, configured to receive an authentication request sent by a security detection device, so as to authenticate the security detection device;
an authentication processing module, configured to authenticate the security detection device according to stored authentication data;
a file sending module, configured to send an authentication success identifier, an authentication credential, a file reputation list and a sampling configuration file to the security detection device, so that the security detection device determines whether a file is a malicious file according to the file reputation list HASH values and the restored file HASH value, wherein the sampling configuration file comprises a sampling ratio, files are randomly restored according to the sampling ratio, and the restored file HASH value is calculated;
the apparatus further comprising:
a request receiving module, configured to receive at least one identification request sent by the security detection device for a sample file HASH value for which it cannot be determined whether the file is a malicious file;
a processing module, configured to process the identification request to obtain an identification result and to send the identification result to the security detection device;
a sample receiving module, configured to receive a sample requiring detailed identification that is returned by the security detection device, and to generate a sample identification task and a corresponding identification task serial number;
and a result sending module, configured to send the identification task serial number to the security detection device, so that the security detection device queries the identification result and the identification detail information according to the identification task serial number.
6. The file reputation identification apparatus according to claim 5, wherein the result sending module comprises:
a result request receiving module, configured to receive a query identification result request sent by the security detection device, wherein the query identification result request carries the identification task serial number;
an identification result module, configured to return a "processing" prompt message to the security detection device if the identification is not finished, so that the security detection device sends the query identification result request again after a preset delay interval;
and, if the identification is finished, to return the queried identification result, so that the security detection device initiates a query identification detail request according to that result, wherein the query identification detail request carries marking information set according to a user configuration policy;
and an identification detail sending module, configured to send the corresponding identification detail information to the security detection device according to the query identification detail request.
7. A file reputation identification system, the system comprising:
a security detection device, configured to make a preliminary determination of malicious files based on file reputation list HASH values and restored file HASH values, and to send to a sample identification server identification requests corresponding to samples requiring detailed identification and to sample file HASH values for which it cannot be determined whether the file is malicious;
the sample identification server, communicatively connected to the security detection device, and configured to receive identification requests and asynchronous query identification result requests from the security detection device, and to send identification detail information to the security detection device after the security detection device has passed authentication, wherein the authentication process comprises the following steps: receiving an authentication request sent by the security detection device, so as to authenticate the security detection device;
authenticating the security detection device according to stored authentication data;
and sending an authentication success identifier, an authentication credential, a file reputation list and a sampling configuration file to the security detection device, so that the security detection device determines whether a file is a malicious file according to the file reputation list HASH values and the restored file HASH value, wherein the sampling configuration file comprises a sampling ratio, files are randomly restored according to the sampling ratio, and the restored file HASH value is calculated.
8. An electronic device comprising a memory for storing a computer program and a processor that runs the computer program to cause the electronic device to perform the file reputation identification method of any one of claims 1 to 4.
9. A readable storage medium storing computer program instructions which, when read and executed by a processor, perform the file reputation identification method of any one of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011543348.7A CN112597496B (en) | 2020-12-23 | 2020-12-23 | File reputation identification method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112597496A CN112597496A (en) | 2021-04-02 |
CN112597496B true CN112597496B (en) | 2023-11-10 |
Family
ID=75200613
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011543348.7A Active CN112597496B (en) | 2020-12-23 | 2020-12-23 | File reputation identification method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112597496B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102546628A (en) * | 2011-12-31 | 2012-07-04 | 北京奇虎科技有限公司 | Sample authenticating method and system |
CN103888480A (en) * | 2014-04-18 | 2014-06-25 | 北京奇虎科技有限公司 | Cloud monitoring based network information security identification method and cloud device |
CN106295333A (en) * | 2015-05-27 | 2017-01-04 | 安恒通(北京)科技有限公司 | For detecting the method and system of malicious code |
CN111209582A (en) * | 2020-01-03 | 2020-05-29 | 平安科技(深圳)有限公司 | Request authentication method, apparatus, device and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN112597496A (en) | 2021-04-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |