
CN113282922B - Method, device, equipment and medium for protecting and controlling mobile storage equipment - Google Patents


Info

Publication number
CN113282922B
Authority
CN
China
Prior art keywords
mobile storage
value
reference feature
target reference
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110725664.4A
Other languages
Chinese (zh)
Other versions
CN113282922A (en
Inventor
奚乾悦
徐翰隆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Antiy Network Technology Co Ltd filed Critical Beijing Antiy Network Technology Co Ltd
Priority to CN202110725664.4A priority Critical patent/CN113282922B/en
Publication of CN113282922A publication Critical patent/CN113282922A/en
Application granted granted Critical
Publication of CN113282922B publication Critical patent/CN113282922B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method, a device, equipment and a medium for protecting and controlling mobile storage equipment, wherein the method comprises the following steps: receiving equipment characteristic information sent by an external client; the equipment characteristic information is obtained and transmitted by the client when the client detects that the mobile storage equipment is accessed to the client; determining at least one reference feature based on the device feature information; performing reputation evaluation on the mobile storage device according to the at least one reference feature; determining a corresponding protection control strategy according to the reputation evaluation result; and sending the protection control strategy to the client so that the client can carry out protection control on the mobile storage device by using the protection control strategy. According to the scheme, the protection capability of the mobile storage equipment can be improved.

Description

Method, device, equipment and medium for protecting and controlling mobile storage equipment
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method, a device, equipment and a medium for protecting and controlling mobile storage equipment.
Background
The use of mobile storage devices for file copying and storage has been a very popular application scenario. However, malicious attackers often utilize mobile storage devices to attack client devices that access the mobile storage devices. For example, a virus file is stored in a mobile storage device, and after the mobile storage device is accessed to a client device, the virus file is implanted into the client device, so that an attack is initiated on the client device.
In the related art, when a client device detects that a mobile storage device is accessed, the mobile storage device is scanned, and if a virus file is found, the virus file is deleted, so that the security of the client device is protected.
Disclosure of Invention
Based on the problem of low protection capability of the mobile storage device, the embodiment of the invention provides a method, a device, equipment and a medium for protecting and controlling the mobile storage device, which can improve the protection capability of the mobile storage device.
In a first aspect, an embodiment of the present invention provides a method for performing protection control on a mobile storage device, where the method is applied to a server, and includes:
Receiving equipment characteristic information sent by an external client; the equipment characteristic information is obtained and transmitted by the client when the client detects that the mobile storage equipment is accessed to the client;
determining at least one reference feature according to the equipment feature information;
Performing reputation evaluation on the mobile storage device according to the at least one reference feature;
determining a corresponding protection control strategy according to the reputation evaluation result;
and sending the protection control strategy to the client so that the client can carry out protection control on the mobile storage equipment by using the protection control strategy.
Preferably, said reputation evaluation of said mobile storage device according to said at least one reference feature comprises:
respectively determining the operation value of a target reference feature in the at least one reference feature;
Determining an abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value;
and calculating the credit evaluation value of the mobile storage device according to the abnormality index of the target reference characteristic.
Preferably, the standard boundary values are plural, and plural standard boundary values form at least two reference intervals, and each reference interval corresponds to one abnormality index;
The determining the abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value comprises the following steps:
determining a target reference interval corresponding to the operation value of the target reference feature;
And determining the abnormality index corresponding to the target reference interval as the abnormality index of the target reference feature.
Preferably, the standard boundary value is one;
The determining the abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value comprises the following steps:
comparing the operation value of the target reference feature with the standard boundary value;
If the comparison result meets the preset abnormal condition, calculating a difference value between the operation value of the target reference feature and the standard boundary value, and calculating an abnormal index of the target reference feature according to the difference value;
and if the comparison result does not meet the abnormal condition, taking the set value as an abnormal index of the target reference characteristic.
Preferably, the calculating the reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature includes:
determining a reputation evaluation total value;
determining a weight value of the target reference feature;
calculating the product of the weight value of the target reference feature, the abnormality index of the target reference feature and the reputation evaluation total value;
and obtaining the reputation evaluation value of the mobile storage device by using the product.
Preferably, after the sending the protection control policy to the client, the method further includes:
Receiving data interaction behavior between the mobile storage device and the client; the data interaction behavior is detected and sent by the client in the process of executing the protection control;
And updating the current reputation evaluation value of the mobile storage device according to the data interaction behavior.
Preferably, after updating the reputation evaluation value of the mobile storage device, the method further comprises:
and when the updated reputation evaluation value meets the ejection condition, sending a forced ejection instruction to the client so that the client forcibly ejects the mobile storage device.
In a second aspect, an embodiment of the present invention further provides an apparatus for performing protection control on a mobile storage device, where the apparatus is located at a server, and the apparatus includes:
The receiving unit is used for receiving the equipment characteristic information sent by the external client; the device characteristic information is obtained and transmitted by the client when the client detects that the mobile storage device is accessed to the client;
a reference feature determining unit configured to determine at least one reference feature according to the device feature information;
the reputation evaluation unit is used for performing reputation evaluation on the mobile storage equipment according to the at least one reference characteristic;
the strategy determining unit is used for determining a corresponding protection control strategy according to the reputation evaluation result;
And the sending unit is used for sending the protection control strategy to the client so that the client can carry out protection control on the mobile storage equipment by utilizing the protection control strategy.
In a third aspect, an embodiment of the present invention further provides a computing device, including a memory and a processor, where the memory stores a computer program, and the processor implements a method according to any embodiment of the present specification when executing the computer program.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform a method according to any of the embodiments of the present specification.
The embodiment of the invention provides a method, a device, equipment and a medium for protecting and controlling mobile storage equipment, which are characterized in that a server performs reputation evaluation on the mobile storage equipment accessed to a client, and the client can use different protection and control strategies to protect and control the mobile storage equipment with different reputations according to different reputation evaluation results, so that the protection effect which cannot be achieved only by virus scanning can be realized, and the protection capability of the mobile storage equipment is improved.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings needed in the description of the embodiments or of the prior art are briefly described below. The drawings in the following description show some embodiments of the invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a method for performing protection control on a mobile storage device according to an embodiment of the present invention;
FIG. 2 is a flow chart of a reputation evaluation method according to one embodiment of the present invention;
FIG. 3 is a flowchart of a method for calculating a reputation evaluation value according to an embodiment of the present invention;
FIG. 4 is a hardware architecture diagram of a computing device according to one embodiment of the invention;
FIG. 5 is a block diagram of an apparatus for performing protection control on a mobile storage device according to an embodiment of the present invention;
FIG. 6 is a block diagram of another apparatus for performing protection control on a mobile storage device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments, and all other embodiments obtained by persons of ordinary skill in the art without making any inventive effort based on the embodiments of the present invention are within the scope of protection of the present invention.
As described above, a malicious attacker may store a virus file in a mobile storage device; when the mobile storage device is connected to a client device, the virus file is implanted in the client device, thereby attacking it. In the related art, when a client device detects that a mobile storage device is connected, it scans the mobile storage device to detect whether a virus file is stored in it. If a virus file is found, it is deleted, and data is then copied between the mobile storage device and the client device. However, the client device can only detect known viruses and has limited protection against unknown viruses. Thus, the protection capability for mobile storage devices is low in the prior art.
To ensure the security of the client device after a mobile storage device is connected to it, and to improve the protection capability for mobile storage devices, reputation evaluation of the mobile storage device can be considered, with different protection control strategies executed for the mobile storage device according to the reputation evaluation result, so that a protection effect that virus scanning alone cannot achieve is obtained.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a method for performing protection control on a mobile storage device, which is applied to a server, and the method includes:
Step 100, receiving equipment characteristic information sent by an external client; the device characteristic information is obtained and transmitted by the client when the client detects that the mobile storage device is accessed to the client.
Step 102, determining at least one reference feature according to the device feature information.
Step 104, performing reputation evaluation on the mobile storage device according to the at least one reference feature.
Step 106, determining a corresponding protection control strategy according to the reputation evaluation result.
Step 108, sending the protection control strategy to the client so that the client can perform protection control on the mobile storage device by using the protection control strategy.
In the embodiment of the invention, the server performs reputation evaluation on the mobile storage equipment accessed to the client, and aiming at different reputation evaluation results, the client can use different protection control strategies to perform protection control on the mobile storage equipment with different reputations, thereby realizing the protection effect which cannot be achieved only by virus scanning and improving the protection capability on the mobile storage equipment.
The manner in which the individual steps shown in fig. 1 are performed is described below.
Firstly, aiming at step 100, receiving equipment characteristic information sent by an external client; the device characteristic information is obtained and transmitted by the client when the client detects that the mobile storage device is accessed to the client.
The client can be used for sensing an access event of the peripheral interface, and when the access of the mobile storage device on the peripheral interface is detected, the device characteristic information can be acquired, the device characteristic information is sent to the server, and reputation evaluation is carried out on the mobile storage device by the server.
In one embodiment of the invention, the device characteristic information may include one or more of the following: client device attribute information, mobile storage device attribute information, and mobile storage device storage information.
Wherein, the client device attribute information may include: one or more of name, type, brand, and ID. The mobile storage device attribute information may include: one or more of access time, name, type, brand, and ID. The stored information of the mobile storage device may include: whether the mobile storage device contains a virus or not, a virus characteristic when the virus is contained, whether the mobile storage device contains an abnormal file or not, an abnormal file characteristic when the abnormal file is contained, and the like.
At least one reference feature is then determined from the device feature information for step 102.
In one embodiment of the present invention, to improve the accuracy of reputation evaluation of a mobile storage device, device feature information may be analyzed in at least the following dimensions to obtain at least one reference feature:
Dimension one, client history information.
In this dimension, the reference features that can be determined can include: the historical times of the client accessing the mobile storage device and the historical times of the client accessing other mobile storage devices.
In one embodiment of the present invention, after the server receives the device characteristic information reported by the client each time, the access relationship between the client and the mobile storage device is stored according to the attribute information of the client device and the attribute information of the mobile storage device.
After the server side receives the device characteristic information reported by the client side, whether the access relation of the client side to the mobile storage device is stored or not and whether the access relation of the client side to other mobile storage devices is stored or not can be determined according to the attribute information of the client side and the attribute information of the mobile storage device; if the access relation of the client to the mobile storage equipment is determined, further determining the access times; and if the access relation of the client to the mobile storage device is not stored, determining that the historical times of the client to the mobile storage device is 0. If the access relation of the client to other mobile storage devices is determined, the access times are further determined; and if the access relation of the client to other mobile storage devices is not stored, determining that the historical times of the client to other mobile storage devices is 0.
Dimension two, mobile storage device history information.
In this dimension, the reference features that can be determined can include: historical times of access of the mobile storage device to other clients.
In one embodiment of the present invention, the historical number of times the mobile storage device accesses other clients may also be determined by the stored information in the server. After the server receives the device characteristic information reported by the client, determining whether an access relation of the mobile storage device to other clients is stored according to the device attribute information of the client and the attribute information of the mobile storage device, and if the access relation of the mobile storage device to other clients is determined to be stored, further determining the access times; and if the access relation of the mobile storage device to other clients is not stored, the historical times of the mobile storage device to other clients are determined to be 0.
Dimension three, mobile storage device current information.
In this dimension, the reference features that can be determined can include: whether the virus file is stored in the mobile storage device, the type of the virus file stored in the mobile storage device, whether the abnormal file is stored in the mobile storage device, the type of the abnormal file stored in the mobile storage device and the matching degree of the identification type of the mobile storage device and the actual type.
In one embodiment of the present invention, if a virus file is stored in the mobile storage device, the type of the virus file, such as a virus format, may be further determined. If the mobile storage device stores an abnormal file, it can further determine the type of the abnormal file, for example, whether the abnormal file is an unknown executable program, a non-universal language, whether the abnormal file is a file that does not appear on the blacklist and the whitelist, etc.
In one embodiment of the present invention, the actual type of the mobile storage device may also be identified, the identification type of the mobile storage device may be obtained, and whether the identification type matches the actual type may be determined. For example, if the identified actual type of the mobile storage device is a device having a storage function, but the identification type of the mobile storage device is a keyboard or a mouse, it may be determined that the identification type of the mobile storage device does not match the actual type.
Next, for step 104, reputation evaluation is performed on the mobile storage device based on the at least one reference feature.
In one embodiment of the present invention, in order to accurately obtain the reputation evaluation result of the mobile storage device, referring to FIG. 2, step 104 may be performed at least in the following manner:
Step 200, determining an operational value of a target reference feature in the at least one reference feature, respectively.
In one embodiment of the present invention, if the reference feature obtained in step 102 is a numerical value, the numerical value may be directly determined as the operation value of the reference feature. For example, the reference feature obtained in step 102 is the historical number of times the client accesses the mobile storage device, and then the historical number of times is directly determined as the operation value. If the reference feature obtained in step 102 is of the content type, the content may be quantized to obtain an operation value of the reference feature. For example, if the reference feature obtained in step 102 is that the mobile storage device stores a virus file, the operation value of the reference feature may be 1, and if the mobile storage device does not store a virus file, the operation value of the reference feature may be 0.
Step 202, determining an abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value.
In one embodiment of the present invention, the abnormality index may be determined in different ways for different target reference features, and the number of standard boundary values may differ with the way of determination. Specifically, the number of standard boundary values may correspond to at least the following two cases:
Case A: there are multiple standard boundary values.
Case B: there is one standard boundary value.
The manner of determining the abnormality index will be described below for each of the above two cases.
In case A, the plurality of standard boundary values form at least two reference intervals, each reference interval corresponding to one abnormality index. For example, two standard boundary values form three reference intervals, respectively:
reference interval 1 is (0, standard boundary value 1), and the abnormality index is A;
reference interval 2 is [standard boundary value 1, standard boundary value 2], and the abnormality index is B;
reference interval 3 is (standard boundary value 2, +∞), and the abnormality index is C.
Then, this step 202 may include: determining a target reference interval corresponding to the operation value of the target reference feature; and determining the abnormality index corresponding to the target reference interval as the abnormality index of the target reference feature.
In the case A, the corresponding relation between the reference interval and the abnormality index is adopted, and the corresponding reference interval can be determined according to the target reference characteristics, so that the abnormality index can be rapidly determined, and the reputation evaluation speed is improved.
In case B, this step 202 may include: comparing the operation value of the target reference feature with the standard boundary value; if the comparison result meets the preset abnormal condition, calculating the difference value between the operation value of the target reference characteristic and the standard boundary value, and calculating according to the difference value to obtain an abnormal index of the target reference characteristic; and if the comparison result does not meet the abnormal condition, taking the set value as an abnormal index of the target reference characteristic.
In one embodiment of the invention, the abnormal conditions corresponding to different reference features may be different. For example, when the target reference feature is the historical number of times the client has accessed the mobile storage device, a greater historical number indicates a lower degree of abnormality, so it can be set that the abnormal condition is met when the comparison result is that the operation value of the target reference feature is smaller than the standard boundary value. For another example, when the target reference feature is the type of an abnormal file stored in the mobile storage device, a higher operation value of the quantized abnormal file type indicates a higher degree of abnormality, so it can be set that the abnormal condition is met when the comparison result is that the operation value of the target reference feature is larger than the standard boundary value. Setting the abnormal condition per reference feature in this way makes the determined abnormality indexes more accurate.
In one embodiment of the present invention, when the abnormality index of the target reference feature is calculated according to the difference in step 202, the abnormality index may be calculated according to the following formula (1):
Wherein, $Q_i$ is used for representing the abnormality index of the i-th target reference feature in n target reference features, n being an integer not less than 1; $q_{i1}$ is used for representing the standard boundary value preset for the i-th target reference feature; $q_i$ is used for representing the operation value of the i-th target reference feature; $a_i$ is used to characterize the constant of the i-th reference feature.
Calculating the abnormality index with the above formula takes into account the distance between the operation value and the standard boundary value (i.e., the difference between them): the difference between the standard boundary value and the constant is taken as the reference value, and the distance between the operation value and the standard boundary value is divided by this reference value, so that the abnormality index of the target reference feature can be obtained accurately. In addition, the values of the parameters in the formula are easy to obtain, and the abnormality index can be calculated quickly by substituting them into the formula.
The above calculation formula is only one embodiment of the present invention, and other calculation formulas may be used to calculate the abnormality index of the target reference feature, or the difference may be directly used as the abnormality index of the target reference feature.
Step 204, calculating a reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature.
In one embodiment of the present invention, referring to FIG. 3, the reputation evaluation value of the mobile storage device may be calculated at least in the following manner:
Step 300, determining a reputation evaluation total.
The reputation evaluation total value may be the score corresponding to a mobile storage device without any abnormality; for example, with a full score of 100 points, the reputation evaluation total value may be 100 points.
Step 302, determining a weight value of the target reference feature.
Because the influence of different reference characteristics on the credit of the mobile storage equipment is different, different weight values can be set for different reference characteristics, so that the credit evaluation result can be more accurate.
Step 304, calculating the product of the weight value of the target reference feature, the abnormality index of the target reference feature and the total reputation evaluation value.
Step 306, obtaining a reputation evaluation value of the mobile storage device by using the product.
In one embodiment of the present invention, when the product is used to obtain the reputation evaluation value of the mobile storage device, the reputation evaluation value can be obtained by at least the following formula (2):
Wherein V is used for representing the reputation evaluation value of the mobile storage device, M is used for representing the reputation evaluation total value, Q_i is used for representing the abnormality index of the i-th target reference feature in n target reference features, and n is an integer not less than 1; ω_i is used to characterize the weight value of the i-th target reference feature.
Taking into consideration the product of the total reputation evaluation value, the weight value of the target reference feature and the abnormality index of the target reference feature in the formula (2), the product can be used as the reputation value corresponding to the target reference feature, and the product of each abnormality index is divided by n times of square root in the formula (2) and the sum of each abnormality index is calculated, wherein the abnormality indexes are subjected to equalization processing, so that the reputation evaluation value is calculated more accurately by using the formula (2). And after the parameter values are obtained, the parameters in the formula (2) are substituted into the formula, so that the reputation evaluation value of the mobile storage device can be quickly calculated.
In addition to calculating the reputation evaluation value of the mobile storage device according to the above formula (2), in this step 306, the reputation evaluation value may be calculated by other methods, for example, dividing the sum of products corresponding to the target reference features by n.
In addition to calculating the reputation evaluation value for the mobile storage device in the manner described above with respect to FIG. 3, other calculation manners may be used in this step 204. For example, the other calculation modes may include: determining a reputation evaluation total value; determining a base score set for the target reference feature; calculating the product of the basic score of the target reference feature and the abnormality index of the target reference feature; and adding the products of the n target reference features to obtain a calculated sum, and determining the difference value between the total reputation evaluation value and the calculated sum as the reputation evaluation value of the mobile storage device.
Next, for step 106, a corresponding protection control policy is determined according to the reputation evaluation result.
In one embodiment of the present invention, different protection control policies may be preset for different reputation evaluation results, where the protection control policies may include the following: prohibiting the mobile storage device from accessing the client, allowing files to be copied only from the mobile storage device to the client, prohibiting files in the mobile storage device from being run, etc.
Finally, in step 108, the protection control policy is sent to the client, so that the client performs protection control on the mobile storage device by using the protection control policy.
The client receives the protection control policy sent by the server, uses it to respond to the access of the mobile storage device, and, after allowing the access, uses it to perform protection control on the mobile storage device. For example, if the protection control policy is to prohibit the running of files in the mobile storage device, the client allows the mobile storage device to access it and detects the data interaction behavior between the mobile storage device and the client in real time; when it detects that the data interaction behavior is the execution on the client of a file stored in the mobile storage device, the client refuses to execute that data interaction behavior.
In one embodiment of the present invention, in order to further ensure the security of the client after the mobile storage device is accessed to the client, the data interaction behavior between the client and the mobile storage device may be detected, and then the detected data interaction behavior may be reported to the server.
The strategies for reporting the data interaction behavior at least comprise the following two types:
The first reporting strategy: reporting every time the data interaction behavior is detected.
The second reporting strategy: only data interaction behaviors belonging to the sensitive interaction behaviors are reported.
In the second reporting policy, the client side stores the features of the sensitive interaction behavior in advance, and when the features of the data interaction behavior are detected to be the same as the features of the sensitive interaction behavior, the data interaction behavior is determined to belong to the sensitive interaction behavior, and the data interaction behavior is reported to the server side.
Regardless of whether the first or the second reporting strategy is used, the client may respond to the data interaction behavior, and the content of the response is either that the data interaction behavior is allowed to be executed or that it is refused.
After the server receives the data interaction behavior reported by the client, the server evaluates the risk of the data interaction behavior so as to update the reputation evaluation value.
Specifically, the reputation evaluation value may be updated at least by: determining a risk level of the data interaction behavior; determining a risk coefficient corresponding to the risk level; and updating the current reputation evaluation value of the mobile storage device according to the risk coefficient.
If the data interaction behavior is the interaction behavior performed for the first time after the mobile storage device accesses the client, the current reputation evaluation value of the mobile storage device is the reputation evaluation value calculated in step 204; if the data interaction behavior is the interaction behavior which is not performed for the first time after the mobile storage device is accessed to the client, the current reputation evaluation value of the mobile storage device is the reputation evaluation value obtained after the last data interaction behavior update.
When the current reputation evaluation value of the mobile storage device is updated according to the risk coefficient, the product of the risk coefficient and the current reputation evaluation value of the mobile storage device can be determined as an updated reputation evaluation value. In this way, updating of the reputation evaluation value can be quickly achieved.
It should be noted that if the data interaction behavior carries no risk, for example a normal data copy behavior, the risk coefficient of the corresponding risk level may be 1, and the updated reputation evaluation value is the same as the value before the update. If the data interaction behavior carries a risk, the risk coefficient of the corresponding risk level may be less than 1, and the updated reputation evaluation value is less than the value before the update. Examples of risky behavior are: a data copy behavior occurs although no manually input copy instruction is detected; a sensitive file is copied into the client or the mobile storage device, where the copied file is determined to be a sensitive file when its features are the same as the features of a preset sensitive file; or an abnormal program file in the mobile storage device is run.
In one embodiment of the present invention, after updating the reputation evaluation value of the mobile storage device, the method may further comprise: when the updated reputation evaluation value meets the pop-up condition, sending a forced pop-up instruction to the client so that the client forcibly pops up (ejects) the mobile storage device.
For example, if the updated reputation evaluation value is less than the set score, it is determined that the updated reputation evaluation value satisfies the pop-up condition. When the reputation evaluation value of the mobile storage device gradually decreases to meet the pop-up condition, the risk of the mobile storage device is extremely high, and if data interaction between the mobile storage device and the client is continuously allowed, higher risk is brought to the safety of the client. Therefore, in order to ensure the security of the client, a forced eject instruction may be sent to the client, so that the client forces the mobile storage device to eject.
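The scoring, policy selection and update flow described above can be sketched as follows. This is an added example, not code from the patent: it uses the alternative calculation (total value minus the sum of base score times abnormality index) because that one is fully specified in the text. The feature names, base scores, tier cut-offs, risk coefficients, eject threshold and the 0-to-1 range of the abnormality index are all assumptions.

```python
from dataclasses import dataclass

TOTAL = 100.0       # total reputation evaluation value (full score of 100 points)
EJECT_BELOW = 40.0  # assumed "set score" for the pop-up (forced eject) condition

# Assumed target reference features and base scores (hypothetical names and values).
BASE_SCORES = {
    "clients_seen_recently": 20.0,
    "executable_file_ratio": 30.0,
    "hidden_file_ratio": 20.0,
    "autorun_entry_present": 30.0,
}

# The three restrictive policies are the ones the text lists; "no_restriction"
# and every cut-off are assumptions. Tiers are checked from most to least trusted.
POLICY_TIERS = [
    (80.0, "no_restriction"),
    (60.0, "block_execution"),
    (40.0, "copy_from_device_only"),
    (0.0, "deny_access"),
]

# Assumed mapping: reported behaviour -> risk level -> risk coefficient (<= 1).
RISK_LEVEL = {
    "normal_copy": "none",
    "copy_without_user_input": "medium",
    "sensitive_file_copy": "medium",
    "abnormal_program_run": "high",
}
RISK_COEFFICIENT = {"none": 1.0, "medium": 0.7, "high": 0.4}

# Constructed sample input: abnormality indexes computed for one device.
SAMPLE_ANOMALY_INDEXES = {
    "clients_seen_recently": 0.5,
    "executable_file_ratio": 0.25,
    "hidden_file_ratio": 0.0,
    "autorun_entry_present": 0.0,
}


def initial_reputation(anomaly_indexes):
    """V = TOTAL - sum(base_i * Q_i), with each Q_i assumed to lie in [0, 1]."""
    unknown = set(anomaly_indexes) - set(BASE_SCORES)
    if unknown:
        raise ValueError(f"unknown reference features: {sorted(unknown)}")
    deducted = 0.0
    for feature, base in BASE_SCORES.items():
        # A feature the client did not report counts as fully anomalous, so
        # withholding data can never raise the score (fail closed).
        q = anomaly_indexes.get(feature, 1.0)
        if not 0.0 <= q <= 1.0:  # also rejects NaN
            raise ValueError(f"abnormality index out of range for {feature}: {q}")
        deducted += base * q
    return max(0.0, TOTAL - deducted)


def select_policy(score):
    """Map a reputation evaluation value to a preset protection control policy."""
    for minimum, policy in POLICY_TIERS:
        if score >= minimum:
            return policy
    return "deny_access"


@dataclass
class DeviceSession:
    """Server-side state for one connected device."""
    score: float

    def report(self, behaviour):
        """Apply one reported behaviour; return (updated score, eject flag)."""
        level = RISK_LEVEL.get(behaviour, "high")  # unrecognised behaviour: fail closed
        self.score *= RISK_COEFFICIENT[level]      # updated = coefficient * current
        return self.score, self.score < EJECT_BELOW


def run_demo():
    """Replay the constructed sample: connect, then three reported behaviours."""
    score = initial_reputation(SAMPLE_ANOMALY_INDEXES)
    trace = [("connect", score, select_policy(score), False)]
    session = DeviceSession(score)
    for behaviour in ("normal_copy", "copy_without_user_input", "abnormal_program_run"):
        score, eject = session.report(behaviour)
        trace.append((behaviour, round(score, 2), select_policy(score), eject))
    return trace


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Because each update multiplies the current value by a coefficient of at most 1, the score never recovers within a session, so a run of medium-risk behaviors reaches the eject threshold just as a single high-risk one does.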
As shown in fig. 4 and fig. 5, the embodiment of the invention provides a device for performing protection control on a mobile storage device. The apparatus embodiments may be implemented by software, or may be implemented by hardware or a combination of hardware and software. In terms of hardware, as shown in fig. 4, a hardware architecture diagram of a computing device where an apparatus for performing protection control on a mobile storage device according to an embodiment of the present invention is located is shown, where in addition to a processor, a memory, a network interface, and a nonvolatile memory shown in fig. 4, the computing device where the apparatus is located in the embodiment may generally include other hardware, such as a forwarding chip responsible for processing a packet, and so on. Taking a software implementation as an example, as shown in fig. 5, as a device in a logic sense, the device is formed by reading a corresponding computer program in a nonvolatile memory into a memory by a CPU of a computing device where the device is located. The device for protecting and controlling the mobile storage device provided in this embodiment is located at a server, and includes:
A receiving unit 501, configured to receive device feature information sent by an external client; the equipment characteristic information is obtained and transmitted by the client when the client detects that the mobile storage equipment is accessed to the client;
A reference feature determining unit 502, configured to determine at least one reference feature according to the device feature information;
A reputation evaluation unit 503, configured to perform reputation evaluation on the mobile storage device according to the at least one reference feature;
a policy determining unit 504, configured to determine a corresponding protection control policy according to the reputation evaluation result;
And the sending unit 505 is configured to send the protection control policy to the client, so that the client performs protection control on the mobile storage device by using the protection control policy.
In one embodiment of the present invention, the reputation evaluation unit 503 is specifically configured to determine an operation value of a target reference feature in the at least one reference feature respectively; determining an abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value; and calculating a reputation evaluation value of the mobile storage device according to the abnormality index of the target reference characteristic.
In one embodiment of the present invention, the standard boundary values are plural, and plural standard boundary values form at least two reference intervals, and each reference interval corresponds to an abnormality index;
The reputation evaluation unit 503 is specifically configured to determine a target reference interval corresponding to the operation value of the target reference feature when determining an abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value; and determining the abnormality index corresponding to the target reference interval as the abnormality index of the target reference feature.
In one embodiment of the present invention, the standard boundary value is one;
the reputation evaluation unit 503 is specifically configured to compare the operation value of the target reference feature with the standard boundary value when determining the abnormality index of the target reference feature according to the operation value of the target reference feature and the preset standard boundary value; if the comparison result meets the preset abnormal condition, calculating a difference value between the operation value of the target reference feature and the standard boundary value, and calculating an abnormal index of the target reference feature according to the difference value; and if the comparison result does not meet the abnormal condition, taking the set value as an abnormal index of the target reference characteristic.
In one embodiment of the present invention, the reputation evaluation unit 503 is specifically configured to determine a reputation evaluation total value when performing the calculation of the reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature; determining a weight value of the target reference feature; calculating the product of the weight value of the target reference feature, the abnormality index of the target reference feature and the reputation evaluation total value; and obtaining the reputation evaluation value of the mobile storage device by using the product.
In one embodiment of the present invention, the receiving unit 501 is further configured to receive the data interaction behavior between the mobile storage device and the client, sent by the client; the data interaction behavior is detected and sent by the client in the process of executing the protection control;
Referring to fig. 6, the apparatus for performing protection control on a mobile storage device may further include:
and an updating unit 506, configured to update the current reputation evaluation value of the mobile storage device according to the data interaction behavior.
In one embodiment of the present invention, the sending unit 505 is further configured to send a forced pop-up instruction to the client when the updated reputation evaluation value meets the pop-up condition, so that the client forcibly pops up the mobile storage device.
It will be appreciated that the structure illustrated in the embodiments of the present invention does not constitute a specific limitation on a device for performing protection control on a mobile storage device. In other embodiments of the invention, an apparatus for securing control of a mobile storage device may include more or fewer components than shown, or may be a combination of certain components, or may be a split of certain components, or may be a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the information interaction and execution processes between the modules in the above device are based on the same concept as the method embodiments of the present invention, reference may be made to the description of the method embodiments for the specific content, which is not repeated here.
The embodiment of the invention also provides a computing device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the method for protecting and controlling the mobile storage device in any embodiment of the invention when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium is stored with a computer program, and the computer program when being executed by a processor, causes the processor to execute the method for protecting and controlling the mobile storage device.
Specifically, a system or apparatus may be provided with a storage medium on which software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code form part of the present invention.
Examples of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (e.g., CD-ROMs, CD-R, CD-RWs, DVD-ROMs, DVD-RAMs, DVD-RWs, DVD+RWs), magnetic tapes, nonvolatile memory cards, and ROMs. Alternatively, the program code may be downloaded from a server computer by a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be achieved not only by executing the program code read out by the computer but also by causing an operating system or the like operating on the computer to perform part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out from the storage medium may be written into a memory provided in an expansion board inserted into a computer or into a memory provided in an expansion module connected to the computer, and a CPU or the like mounted on the expansion board or the expansion module is then caused to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above embodiments.
The embodiments of the invention have at least the following beneficial effects:
1. In one embodiment of the invention, the server performs reputation evaluation on the mobile storage device accessing the client, and the client can use different protection control policies to protect and control mobile storage devices with different reputations according to the different reputation evaluation results, so that a protection effect which cannot be achieved by virus scanning alone can be realized, and the protection capability for the mobile storage device is improved.
2. In one embodiment of the invention, the at least one reference feature is obtained by analyzing multiple dimensions such as client history information and current information of the mobile storage device, so the accuracy of the reputation evaluation can be improved when the mobile storage device is evaluated using the at least one reference feature.
3. In one embodiment of the invention, the abnormality index of the target reference feature is determined from the operation value of the target reference feature and the set standard boundary value; when there are a plurality of standard boundary values, the target reference interval corresponding to the operation value of the target reference feature is determined, and the correspondence between reference intervals and abnormality indexes allows the abnormality index of the target reference feature to be determined rapidly, which improves the speed of determining the reputation evaluation value.
4. In one embodiment of the invention, because the influence of different reference features on the reputation of the mobile storage device is different, different weight values can be set for different reference features, so that the reputation evaluation result can be more accurate.
5. In one embodiment of the invention, the abnormality index of the target reference feature is determined from the operation value of the target reference feature and the set standard boundary value. When there is one standard boundary value, the abnormality index is calculated with a calculation formula that takes into account the distance between the operation value and the standard boundary value (namely, the difference between the operation value and the standard boundary value), takes the difference between the standard boundary value and the constant as a reference value, and divides that distance by the reference value, so the abnormality index of the target reference feature is obtained accurately. The values of the parameters in the calculation formula are easy to obtain, and the abnormality index can be calculated quickly by substituting them into the formula, so the operation is fast.
6. In one embodiment of the present invention, when the current reputation evaluation value of the mobile storage device is updated according to the risk coefficient, the product of the risk coefficient and the current reputation evaluation value of the mobile storage device may be determined as the updated reputation evaluation value. Thus, the reputation evaluation value can be updated quickly.
7. In one embodiment of the invention, when the updated reputation evaluation value meets the pop-up condition, a forced pop-up instruction is sent to the client so that the client can forcedly pop up the mobile storage device, thereby ensuring the safety of the client.
It should be noted that relational terms such as first and second are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: various media in which program codes may be stored, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some of the technical features can be replaced equivalently; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. The method for protecting and controlling the mobile storage equipment is applied to a server and is characterized by comprising the following steps:
receiving equipment characteristic information sent by an external client; the equipment characteristic information is obtained and transmitted by the client when the client detects that the mobile storage equipment is accessed to the client;
determining at least one reference feature according to the equipment feature information;
Performing reputation evaluation on the mobile storage device according to the at least one reference feature;
determining a corresponding protection control strategy according to the reputation evaluation result;
the protection control strategy is sent to the client so that the client can carry out protection control on the mobile storage device by utilizing the protection control strategy;
the reputation evaluation of the mobile storage device according to the at least one reference feature comprises:
respectively determining the operation value of a target reference feature in the at least one reference feature;
Determining an abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value;
Calculating a reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature;
the calculating the reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature comprises the following steps:
determining a reputation evaluation total value;
determining a weight value of the target reference feature;
Calculating the product of the weight value of the target reference feature, the abnormality index of the target reference feature and the reputation evaluation total value;
Obtaining a reputation evaluation value of the mobile storage device by using the product;
The reputation evaluation value is calculated by the following formula:
Wherein V is used for representing the reputation evaluation value of the mobile storage device, M is used for representing the reputation evaluation total value, Q_i is used for representing the abnormality index of the i-th target reference feature in n target reference features, and n is an integer not less than 1; ω_i is used to characterize the weight value of the i-th target reference feature.
2. The method of claim 1, wherein the standard boundary values are plural, and the plural standard boundary values form at least two reference intervals, each reference interval corresponding to an abnormality index;
The determining the abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value comprises the following steps:
determining a target reference interval corresponding to the operation value of the target reference feature;
And determining the abnormality index corresponding to the target reference interval as the abnormality index of the target reference feature.
3. The method of claim 1, wherein the standard boundary value is one;
The determining the abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value comprises the following steps:
comparing the operation value of the target reference feature with the standard boundary value;
If the comparison result meets the preset abnormal condition, calculating a difference value between the operation value of the target reference feature and the standard boundary value, and calculating an abnormal index of the target reference feature according to the difference value;
And if the comparison result does not meet the abnormal condition, taking the set value as an abnormal index of the target reference characteristic.
4. A method according to any of claims 1-3, further comprising, after said sending said guard control policy to said client:
receiving data interaction behavior between the mobile storage device and the client; the data interaction behavior is detected and sent by the client in the process of executing the protection control;
And updating the current reputation evaluation value of the mobile storage equipment according to the data interaction behavior.
5. The method of claim 4, further comprising, after said updating the reputation evaluation value of the mobile storage device:
And when the updated reputation evaluation value meets the pop-up condition, sending a forced pop-up instruction to the client so that the client can forcedly pop up the mobile storage device.
6. An apparatus for performing protection control on a mobile storage device, located at a server, and comprising:
The receiving unit is used for receiving the equipment characteristic information sent by the external client; the equipment characteristic information is obtained and transmitted by the client when the client detects that the mobile storage equipment is accessed to the client;
a reference feature determining unit, configured to determine at least one reference feature according to the device feature information;
The reputation evaluation unit is used for performing reputation evaluation on the mobile storage equipment according to the at least one reference characteristic;
the strategy determining unit is used for determining a corresponding protection control strategy according to the reputation evaluation result;
The sending unit is used for sending the protection control strategy to the client so that the client can carry out protection control on the mobile storage device by utilizing the protection control strategy;
The reputation evaluation unit is specifically configured to determine an operation value of a target reference feature in the at least one reference feature respectively; determining an abnormality index of the target reference feature according to the operation value of the target reference feature and a preset standard boundary value; calculating a reputation evaluation value of the mobile storage device according to the abnormality index of the target reference feature;
The reputation evaluation unit is used for determining a reputation evaluation total value when the reputation evaluation value of the mobile storage device is calculated according to the abnormality index of the target reference characteristic; determining a weight value of the target reference feature; calculating the product of the weight value of the target reference feature, the abnormality index of the target reference feature and the reputation evaluation total value; obtaining a reputation evaluation value of the mobile storage device by using the product; the reputation evaluation value is calculated by the following formula:
Wherein V is used for representing the reputation evaluation value of the mobile storage device, M is used for representing the reputation evaluation total value, Q_i is used for representing the abnormality index of the i-th target reference feature in n target reference features, and n is an integer not less than 1; ω_i is used to characterize the weight value of the i-th target reference feature.
7. A computing device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the method of any of claims 1-5 when the computer program is executed.
8. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-5.
CN202110725664.4A 2021-06-29 2021-06-29 Method, device, equipment and medium for protecting and controlling mobile storage equipment Active CN113282922B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110725664.4A CN113282922B (en) 2021-06-29 2021-06-29 Method, device, equipment and medium for protecting and controlling mobile storage equipment

Publications (2)

Publication Number Publication Date
CN113282922A CN113282922A (en) 2021-08-20
CN113282922B true CN113282922B (en) 2024-08-20

Family

ID=77286189

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110725664.4A Active CN113282922B (en) 2021-06-29 2021-06-29 Method, device, equipment and medium for protecting and controlling mobile storage equipment

Country Status (1)

Country Link
CN (1) CN113282922B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102171657A (en) * 2008-06-30 2011-08-31 赛门铁克公司 Simplified communication of a reputation score for an entity
CN111460445A (en) * 2020-03-04 2020-07-28 奇安信科技集团股份有限公司 Method and device for automatic identification of malicious degree of sample program

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9081958B2 (en) * 2009-08-13 2015-07-14 Symantec Corporation Using confidence about user intent in a reputation system
CN102945340B (en) * 2012-10-23 2016-04-20 北京神州绿盟信息安全科技股份有限公司 information object detection method and system
US9311480B2 (en) * 2013-03-15 2016-04-12 Mcafee, Inc. Server-assisted anti-malware client
US9398036B2 (en) * 2014-09-17 2016-07-19 Microsoft Technology Licensing, Llc Chunk-based file acquisition and file reputation evaluation
CN105578455B (en) * 2016-01-27 2020-06-09 哈尔滨工业大学深圳研究生院 A Distributed Dynamic Reputation Evaluation Method in Opportunistic Networks
CN108665184A (en) * 2018-05-21 2018-10-16 国网陕西省电力公司咸阳供电公司 A kind of power customer credit assessment method based on big data reference
CN109242261B (en) * 2018-08-14 2024-04-05 中国平安人寿保险股份有限公司 Method for evaluating security risk based on big data and terminal equipment
CN111598568B (en) * 2020-05-12 2023-04-18 江苏大学 Abnormal transaction identification method based on multi-transaction object multi-dimensional credit management

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant