
CN103235918B - The collection method of trusted file and system - Google Patents


Info

Publication number: CN103235918B
Application number: CN201310135900.2A
Authority: CN (China)
Prior art keywords: digital signature; signature; file; credible; database
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN103235918A (en)
Inventors: 卢加磊, 张彦功
Current assignee: Beijing Qihoo Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201310135900.2A
Publication of CN103235918A
Application granted
Publication of CN103235918B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of network communications technology and discloses a method and system for collecting trusted files. The collection method comprises: obtaining the digital signature of a sample file; determining whether the digital signature is trusted; and, when the digital signature is determined to be trusted, collecting the sample file into a preset trusted file database. The method and system of the present invention collect trusted files by obtaining the digital signature of a sample file and judging whether that signature is trusted. This solves the problem in the prior art that a large number of sample files must be used in an early training stage to produce trusted feature codes, that the training process is comparatively time-consuming, and that collection is therefore untimely and lags behind.

Description

Collection method and system for trusted files
Technical field
The present invention relates to the field of network communications technology, and specifically to a method and system for collecting trusted files.
Background technology
In " cloud security " system, the collection of trusted file is a difficult problem always, on the one hand will be as far as possibleCollect all sidedly the trusted file of main flow, avoid again on the other hand collecting mistakenly untrusted file,Contradiction between the two to a certain extent.
At present, in traditional trusted file collection mode, generally adopt the mode of characteristic codes coupling to sentenceWhether other file is credible. In this mode, first, need to carry out sample by a large amount of trusted fileThis training, thus study produces believable characteristic codes; Then, in follow-up collection process, according to treatingWhether the characteristic codes of collecting file belongs to the believable characteristic codes producing is above judged that file to be collected isNo credible.
But aforesaid way need to be used a large amount of samples in the time that produce believed characteristic code by training early stageFile, and training process is comparatively consuming time, causes collecting not in time, relatively lags behind.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method and system for collecting trusted files that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, a method for collecting trusted files is provided, comprising: obtaining the digital signature of a sample file; determining whether the digital signature is trusted; and, when the digital signature is determined to be trusted, collecting the sample file into a preset trusted file database.
Optionally, determining whether the digital signature is trusted specifically comprises: judging whether the digital signature is already stored in a preset trusted signature database and, if so, determining that the digital signature is trusted.
Optionally, if the judgement result is no, the method further comprises: determining whether the digital signature is trusted according to preset judgement rules and, when the digital signature is determined to be trusted according to those rules, further storing the digital signature in the preset trusted signature database.
Optionally, the preset judgement rules comprise one or more of the following: judging, from the company name or issuer name contained in the digital signature, whether the digital signature belongs to a legitimate company; judging, from a preset malicious signature database, whether any malicious sample exists among the historical samples signed with the digital signature, where the preset malicious signature database stores digital signatures that have signed malicious samples; judging whether the digital signature is within its validity period; and judging whether the similarity between the digital signature and the digital signatures already stored in the trusted signature database is greater than a preset threshold.
Optionally, after the sample file is collected into the preset trusted file database, the method further comprises: calling an antivirus engine to periodically scan the files in the trusted file database; when the scan finds a suspicious file in the trusted file database, analysing whether the suspicious file is a malicious file; and, if it is, deleting the digital signature of the malicious file from the trusted signature database and further analysing, in the trusted file database, whether all sample files signed with that digital signature are malicious files.
Optionally, after the sample file is collected into the preset trusted file database, the method further comprises: when the signing certificate of a digital signature in the trusted signature database is determined to have become invalid, or the key of the digital signature is determined to have been compromised, deleting the digital signature from the trusted signature database and further analysing, in the trusted file database, whether all sample files signed with that digital signature are malicious files.
According to another aspect of the present invention, a system for collecting trusted files is provided, comprising: an acquisition module, adapted to obtain the digital signature of a sample file; a determination module, adapted to determine whether the digital signature is trusted; and a collection module, adapted to collect the sample file into a preset trusted file database when the digital signature is determined to be trusted.
Optionally, the determination module is adapted to judge whether the digital signature is already stored in the preset trusted signature database and, if so, to determine that the digital signature is trusted.
Optionally, if the judgement result is no, the determination module is further adapted to determine whether the digital signature is trusted according to preset judgement rules and, when the digital signature is determined to be trusted according to those rules, to further store the digital signature in the preset trusted signature database.
Optionally, the preset judgement rules comprise one or more of the following: judging, from the company name or issuer name contained in the digital signature, whether the digital signature belongs to a legitimate company; judging, from a preset malicious signature database, whether any malicious sample exists among the historical samples signed with the digital signature, where the preset malicious signature database stores digital signatures that have signed malicious samples; judging whether the digital signature is within its validity period; and judging whether the similarity between the digital signature and the digital signatures already stored in the trusted signature database is greater than a preset threshold.
Optionally, the system further comprises: a scanning module, adapted to call an antivirus engine to periodically scan the files in the trusted file database; an analysis module, adapted to analyse whether a suspicious file is a malicious file when the scanning module finds a suspicious file in the trusted file database; and a network back-end module, adapted, when the suspicious file is a malicious file, to delete the digital signature of the malicious file from the trusted signature database and to further analyse, in the trusted file database, whether all sample files signed with that digital signature are malicious files.
Optionally, the network back-end module is further adapted to: when the signing certificate of a digital signature in the trusted signature database is determined to have become invalid, or the key of the digital signature is determined to have been compromised, delete the digital signature from the trusted signature database and further analyse, in the trusted file database, whether all sample files signed with that digital signature are malicious files.
The method and system of the present invention collect trusted files by obtaining the digital signature of a sample file and judging whether that signature is trusted. This solves the problem in the prior art that a large number of sample files must be used in an early training stage to produce trusted feature codes, that the training process is comparatively time-consuming, and that collection is therefore untimely and lags behind; the beneficial effect obtained is that trusted files can be collected directly according to their digital signatures, which improves collection efficiency.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the contents of the specification, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of showing the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of the trusted file collection method provided by an embodiment of the present invention; and
Fig. 2 shows a structure diagram of the trusted file collection system provided by an embodiment of the present invention.
Detailed description of the invention
Exemplary embodiments of the present disclosure are described below in more detail with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be realised in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure can be understood more thoroughly and its full scope conveyed to those skilled in the art.
Fig. 1 shows a flow chart of the trusted file collection method provided by an embodiment of the present invention. As shown in Fig. 1, the method begins at step S110, in which the digital signature of a sample file is obtained.
The sample file referred to here is a file to be collected that has been obtained by means such as downloading. After the sample file is obtained, the digital signature it contains must be further obtained. A "digital signature" is an electronic security mark that can be added to a file; it can be used to authenticate the publisher of the file and to help verify whether the file has been altered after it was signed, and software released by legitimate software vendors generally carries the vendor's own digital signature. Specifically, the digital signature contained in a sample file can be obtained by calling the WinVerifyTrust API interface provided by Windows.
After the digital signature of the sample file has been obtained in step S110, step S120 determines whether that digital signature is trusted. Specifically, in step S120 this is done mainly by judging whether the digital signature is already stored in a preset trusted signature database: if the digital signature is judged to be stored in the preset trusted signature database, it is determined to be trusted.
The preset trusted signature database stores trusted digital signatures. In an embodiment of the present invention, this trusted signature database can be created dynamically during execution of the trusted file collection method. Because it is created dynamically, the trusted signature database holds no trusted signatures before the first sample file is processed by step S120, so the digital signature of the first sample file processed in step S120 is necessarily not yet stored in it.
Correspondingly, when the digital signature is judged not to be stored in the trusted signature database, the following steps also need to be carried out: determine whether the digital signature is trusted according to preset judgement rules and, when it is determined to be trusted according to those rules, further store it in the trusted signature database, thereby achieving dynamic creation and updating of the trusted signature database.
The preset judgement rules can comprise one or more of the following four rules:
(1) Judging, from the company name or issuer name contained in the digital signature, whether the digital signature belongs to a legitimate company.
When judging according to this rule, the company name or issuer name contained in the digital signature must first be obtained. The company name can be, for example, the name of the company that signed the digital signature, such as Baidu or Tencent; the issuer name refers to the name of the higher-level company that issued the digital signature to the signing company. If the company name or issuer name contained in the digital signature belongs to the name of a legitimate company, the digital signature can be determined to belong to a legitimate company and is thus determined to be trusted; otherwise, it is determined to be untrusted. The names of legitimate companies usually refer to certain well-known, reputable companies (such as Baidu and Tencent); the names of these companies can be filtered out in advance and stored in a list for use in this rule.
The basis for judging whether a digital signature is trusted by this rule is that, under normal circumstances, digital signatures issued by legitimate companies are all trusted digital signatures obtained through legitimate channels.
(2) Judging, from a preset malicious signature database, whether any malicious sample exists among the historical samples signed with the digital signature, where the preset malicious signature database stores digital signatures that have signed malicious samples.
When judging according to this rule, a malicious signature database must be maintained in advance: whenever a malicious sample is found, the digital signature that signed it is stored in the malicious signature database, so that nearly all digital signatures that have signed malicious samples are stored there. Thus, if the digital signature is found to belong to the malicious signature database, it can be determined that a malicious sample exists among the historical samples signed with it, and hence that the digital signature is untrusted; otherwise, the digital signature is trusted.
The basis for judging whether a digital signature is trusted by this rule is that, under normal circumstances, one digital signature successively signs a large number of sample files; if a certain digital signature is found to have once signed a malicious sample (and is therefore stored in the malicious signature database), this indicates that the signature has very probably been misappropriated by an unauthorised person, so that the sample files it subsequently signs are very probably untrusted as well.
(3) Judging whether the digital signature is within its validity period.
When judging according to this rule, the signing time contained in the digital signature and the validity period of the signing certificate must first be obtained. For example, if the signing time is January 1st, 2013 and the validity period is three months, then if the current date is February 2nd, 2013 the digital signature is still within its validity period and is determined to be trusted; if the current date is April 5th, 2013, the digital signature is not within its validity period and is determined to be untrusted.
The basis for judging whether a digital signature is trusted by this rule is that, under normal circumstances, a digital signature within its validity period is a legitimate digital signature, while a digital signature outside its validity period has expired or is even illegitimate.
(4) Judging whether the similarity between the digital signature and the digital signatures already stored in the trusted signature database is greater than a preset threshold.
When judging according to this rule, the digital signature must be compared for similarity with each digital signature already stored in the trusted signature database. If the similarity between the digital signature and some stored digital signature is found to be greater than the preset threshold, the digital signature can be inferred to be trusted; otherwise, it is inferred to be untrusted.
The basis for judging whether a digital signature is trusted by this rule is that, under normal circumstances, a certain similarity exists between multiple digital signatures of the same signing company or the same issuer; if one of these similar digital signatures has been confirmed to be trusted, the remaining ones are very probably trusted as well.
The four rules introduced above can be used separately or in combination. In addition, beyond these four rules, those skilled in the art can flexibly select other rules for judging whether a digital signature is trusted.
By the above means, step S120 can determine whether the digital signature is trusted. In step S120 as introduced above, the trusted signature database is created dynamically, so when the first sample file is processed in step S120 the trusted signature database does not yet hold any trusted digital signature; the digital signature in the first sample file must therefore be judged according to the preset judgement rules described above and, when it is trusted, added to the trusted signature database, with subsequent sample files processed in the same way. In this manner, creating the trusted signature database does not have to be carried out deliberately as a separate step: trusted signatures are simply added to the trusted signature database dynamically during the determination for each sample file, gradually completing it, which saves the operating process of creating the trusted signature database separately.
However, in practice the trusted signature database can also be created in advance as required, that is: trusted digital signatures are filtered out in advance from a certain number of sample files and stored in the trusted signature database. This screening can likewise use the four rules introduced above. In this way, when the first sample file is processed in step S120, the judgement result can be obtained directly from the trusted signature database. Although this approach requires the trusted signature database to be created separately, that database can be used directly in step S120 without judging each sample file again by the preset rules, so it also has certain advantages.
Alternatively, the above two approaches can be combined: a certain number of trusted digital signatures are filtered out in advance and used to complete the preliminary creation of the trusted signature database; then, in the subsequent step S120, if the digital signature is judged to belong to the trusted signature database it can directly be determined to be trusted, and if it does not, it continues to be judged by the preset judgement rules described above and, when judged to be trusted, is further added to the trusted signature database. Thus the trusted signature database can be used as soon as step S120 begins to execute, and it can also be improved during subsequent processing to raise the accuracy of the judgement.
After step S120 is executed, in step S130, when the digital signature is determined to be trusted, the corresponding sample file is collected into the preset trusted file database. The basis for collecting trusted files in step S130 is that, under normal circumstances, if the digital signature that signed a sample file is trusted, the sample file is trusted as well.
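Steps S110 to S130, the four judgement rules and the dynamically created trusted signature database, as an added Python example. This is not code from the patent or from its assignee. Signature metadata (signer, issuer, signing time, validity period, key identifier) is held in a constructed dataclass rather than read from a file; the patent obtains it on Windows through WinVerifyTrust, which is not called here. The legitimate-company list, the similarity metric (share of matching attributes), the similarity threshold, the reading of "three months" as 90 days and the policy that every enabled rule must pass are all assumptions the patent leaves open.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Signature:
    """Constructed view of the metadata a signature block carries (assumption:
    extracted upstream, e.g. by WinVerifyTrust on Windows; not called here)."""
    signer: str      # company name contained in the signature
    issuer: str      # company that issued the signing certificate
    signed_on: date  # signing time contained in the signature
    valid_days: int  # validity period of the signing certificate, in days
    key_id: str      # placeholder identifier for the signing certificate/key

# Assumed allow-list for rule (1); the patent only says such a list is prepared in advance.
LEGITIMATE_NAMES = {"Baidu", "Tencent"}
SIMILARITY_THRESHOLD = 0.5  # assumed value; the patent leaves the threshold open

def rule_legitimate_company(sig, trusted_db, malicious_db, today):
    """Rule (1): company name or issuer name belongs to a legitimate company."""
    return sig.signer in LEGITIMATE_NAMES or sig.issuer in LEGITIMATE_NAMES

def rule_no_malicious_history(sig, trusted_db, malicious_db, today):
    """Rule (2): the signature is not in the malicious signature database."""
    return sig.key_id not in malicious_db

def rule_within_validity(sig, trusted_db, malicious_db, today):
    """Rule (3): today lies within the certificate's validity period."""
    return sig.signed_on <= today <= sig.signed_on + timedelta(days=sig.valid_days)

def similarity(a, b):
    """Assumed metric: share of compared attributes that agree (the patent does
    not say how signature similarity is measured)."""
    pairs = [(a.signer, b.signer), (a.issuer, b.issuer), (a.valid_days, b.valid_days)]
    return sum(x == y for x, y in pairs) / len(pairs)

def rule_similar_to_trusted(sig, trusted_db, malicious_db, today):
    """Rule (4): similar enough to a signature already in the trusted database.
    Always False while that database is empty, which is why a dynamically
    created database has to bootstrap with the other rules."""
    return any(similarity(sig, t) > SIMILARITY_THRESHOLD for t in trusted_db.values())

DEFAULT_RULES = (rule_legitimate_company, rule_no_malicious_history, rule_within_validity)

def is_trusted(sig, trusted_db, malicious_db, today, rules=DEFAULT_RULES):
    """Step S120. Fast path: key already in the trusted signature database.
    Otherwise apply the enabled rules; policy (assumption): all must pass, so an
    unknown signature fails closed. A passing signature is stored in trusted_db,
    which is how the database is created and updated dynamically."""
    if sig.key_id in trusted_db:
        return True
    if all(rule(sig, trusted_db, malicious_db, today) for rule in rules):
        trusted_db[sig.key_id] = sig
        return True
    return False

def collect(sample_files, trusted_db, malicious_db, trusted_files, today, rules=DEFAULT_RULES):
    """Steps S110-S130 over a batch. sample_files maps file name -> Signature
    (the S110 extraction is assumed already done); trusted files are collected
    into trusted_files as file name -> key_id of the signature that vouched."""
    for name, sig in sample_files.items():
        if is_trusted(sig, trusted_db, malicious_db, today, rules):
            trusted_files[name] = sig.key_id
    return trusted_files

# Constructed sample set reusing the patent's dates: signed 1 January 2013,
# valid three months (taken as 90 days), checked on 2 February and 5 April 2013.
EXAMPLE_TODAY = date(2013, 2, 2)
EXAMPLE_LATER = date(2013, 4, 5)

def example_signatures():
    ca = "Example Root CA"  # placeholder issuer name
    return {
        "baidu": Signature("Baidu", ca, date(2013, 1, 1), 90, "key-baidu-1"),
        "expired": Signature("Baidu", ca, date(2012, 9, 1), 90, "key-baidu-0"),
        "stolen": Signature("Tencent", ca, date(2013, 1, 15), 90, "key-tencent-x"),
        "unknown": Signature("Unknown Studio", ca, date(2013, 1, 20), 90, "key-unknown-1"),
    }

def run_example():
    """Trusted DB starts empty; 'key-tencent-x' is already known to have signed malware."""
    s = example_signatures()
    samples = {"a.exe": s["baidu"], "b.exe": s["baidu"], "c.exe": s["expired"],
               "d.exe": s["stolen"], "e.exe": s["unknown"]}
    trusted_db, malicious_db, trusted_files = {}, {"key-tencent-x"}, {}
    collect(samples, trusted_db, malicious_db, trusted_files, EXAMPLE_TODAY)
    return trusted_db, trusted_files

if __name__ == "__main__":
    db, files = run_example()
    print(sorted(db), sorted(files))
```

With the default rule set, `a.exe` is admitted by the rules and its signature enters the trusted database, `b.exe` (same signature) then takes the fast path, and the expired, malicious-history and unknown-signer samples are all rejected. Passing a rule tuple that includes `rule_similar_to_trusted` instead of `rule_legitimate_company` reproduces the "rules used separately" case: an unknown signer with the same issuer is admitted only once the trusted database has been seeded, matching the bootstrapping discussion above.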
By the above means, the collection of trusted files is achieved. In this collection mode, trusted files are identified through their digital signatures; because one digital signature corresponds to a large number of files, a greater number of trusted files can easily be collected through digital signatures, which greatly improves collection efficiency. In addition, because digital signatures are difficult to forge and therefore have an anti-counterfeiting function in themselves, and because, as long as a legitimate vendor's digital signature is correct, the files it signs are usually correct as well, collecting trusted files by digital signature also greatly improves the accuracy of collection and so ensures the accuracy of the files collected in the trusted file database.
Further, in order to better ensure the accuracy of the files collected in the trusted file database and to avoid collecting untrusted files by mistake, the collection method can further comprise step S140 after step S130. In step S140, an antivirus engine is called to periodically scan the files in the trusted file database; when the scan finds a suspicious file in the trusted file database, the suspicious file is analysed to determine whether it is a malicious file; if it is, the digital signature of the malicious file is deleted from the trusted signature database, and all sample files in the trusted file database signed with the digital signature of that malicious file are further analysed to determine whether they are malicious files.
Calling an antivirus engine to periodically scan the files in the trusted file database can be implemented with conventional antivirus software. When the antivirus software finds a suspicious file through scanning, it usually gives a prompt such as a pop-up window. Those skilled in the art can flexibly set the rules the antivirus software uses to determine suspicious files as required; the present invention does not limit this. After a suspicious file is found, it must be further analysed to determine whether it is a malicious file; specifically, this can be determined from the behavioural features of the suspicious file. Common malicious files include trojans and viruses, whose specific behavioural features can be set according to their own characteristics. If a malicious file has indeed appeared in the trusted file database, it can be inferred that the digital signature that signed it is probably untrusted, so that signature is deleted from the trusted signature database and can further be stored in the malicious signature database.
In addition, because this digital signature has been estimated to be untrusted, the other sample files signed with it are very probably untrusted as well (that is, they are potential malicious files). For this, all sample files in the trusted file database signed with the digital signature can further be analysed one by one to determine whether they are malicious files, and any malicious file is deleted from the trusted file database to maintain the accuracy of the collected files. Alternatively, so that these potential malicious files can be removed from the trusted file database at the earliest moment and the harm they might cause avoided in time, all sample files in the trusted file database signed with the digital signature can first be deleted, then judged one by one by analysis to determine whether they are malicious, and those that are not malicious are added back into the trusted file database.
Through the periodic scanning of step S140, the trusted file database can be checked periodically so that untrusted files are rejected. In addition, step S150 can further be included after step S130. In step S150, when the signing certificate of a digital signature in the trusted signature database is determined to have become invalid, or the key of the digital signature is determined to have been compromised, the digital signature is deleted from the trusted signature database, and all sample files in the trusted file database signed with that digital signature are further analysed to determine whether they are malicious files.
Determining whether the signing certificate of a digital signature in the trusted signature database has become invalid is done mainly according to the certificate revocation list (CRL) issued by the certificate authority. A certificate authority usually issues CRLs periodically so that users learn in time which certificates have been revoked. If the signing certificate of a certain digital signature in the trusted signature database is listed in the CRL, the signing certificate has become invalid and the digital signature has therefore become untrusted, so it must be deleted from the trusted signature database; further, the digital signature can also be added to the malicious signature database.
Determining whether the key of a digital signature has been compromised is done mainly according to key-compromise notices published online. When a legitimate software vendor discovers that a key has been compromised, it generally publishes a key-compromise notice online so that users learn of the situation in time and third parties are prevented from using the key to sign malicious files. If the key of a certain digital signature in the trusted signature database has been published online, the key of that digital signature has been compromised and the digital signature has therefore become untrusted, so it must be deleted from the trusted signature database; further, the digital signature can also be added to the malicious signature database.
Likewise, because this digital signature has been estimated to be untrusted, the other sample files signed with it are very probably untrusted as well (that is, potential malicious files). For this, in step S150 all sample files in the trusted file database signed with the digital signature can further be analysed one by one to determine whether they are malicious files, and any malicious file is deleted from the trusted file database to maintain the accuracy of the collected files. Alternatively, so that these potential malicious files can be removed from the trusted file database at the earliest moment and the harm they might cause avoided in time, all sample files signed with the digital signature can first be deleted from the trusted file database, then judged one by one by analysis to determine whether they are malicious, and those that are not malicious are added back into the trusted file database.
Through the processing of steps S140 and S150, the accuracy of the files collected in the trusted file database can be further improved and the infiltration of untrusted files prevented.
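The cascade that steps S140 and S150 share (distrust a signature, record it in the malicious signature database, then re-examine every collected file it signed, with either the delete-first or the analyse-first ordering described above), as an added Python example; this is not the patent's code. The databases are plain sets and dicts, the antivirus scan result and the per-file malicious-or-not analysis are constructed stand-ins passed in as parameters, and the CRL and key-compromise notices are represented as sets of signature identifiers; all file names and key identifiers are placeholders.

```python
def make_state():
    """Constructed databases: trusted signature ids, malicious signature ids, and
    the trusted file database as file name -> id of the signature that signed it."""
    trusted_sigs = {"key-baidu-1", "key-vendor-2", "key-vendor-3"}
    malicious_sigs = set()
    trusted_files = {"a.exe": "key-baidu-1", "b.exe": "key-vendor-2",
                     "c.exe": "key-vendor-2", "d.exe": "key-vendor-3"}
    return trusted_sigs, malicious_sigs, trusted_files

def distrust_signature(key_id, state, analyse, quarantine_first=True):
    """Cascade shared by S140 and S150: drop the signature from the trusted
    signature database, record it in the malicious signature database, and
    re-examine every collected file it signed. analyse(name) is the assumed
    behavioural analysis and returns True for a malicious file. With
    quarantine_first=True every affected file is removed at once and only those
    cleared by analysis are added back; otherwise files are checked one by one
    and only malicious ones are removed. Returns the files removed for good."""
    trusted_sigs, malicious_sigs, trusted_files = state
    trusted_sigs.discard(key_id)
    malicious_sigs.add(key_id)
    affected = [name for name, k in trusted_files.items() if k == key_id]
    removed = []
    if quarantine_first:
        held = {name: trusted_files.pop(name) for name in affected}
        for name, k in held.items():
            if analyse(name):
                removed.append(name)
            else:
                trusted_files[name] = k   # cleared: add it back
    else:
        for name in affected:
            if analyse(name):
                del trusted_files[name]
                removed.append(name)
    return removed

def periodic_scan(state, suspicious, analyse):
    """Step S140. suspicious is the set of file names the antivirus engine flagged
    (constructed stand-in for the scan result). A flagged file that analysis
    confirms as malicious taints the signature that signed it."""
    trusted_files = state[2]
    removed = []
    for name in sorted(suspicious):
        if name in trusted_files and analyse(name):
            removed += distrust_signature(trusted_files[name], state, analyse)
    return removed

def apply_revocations(state, revoked, compromised, analyse):
    """Step S150. revoked stands for signature ids whose certificate appears on a
    CRL, compromised for ids named in a vendor's key-compromise notice."""
    removed = []
    for key_id in sorted((revoked | compromised) & state[0]):
        removed += distrust_signature(key_id, state, analyse)
    return removed

def run_example():
    state = make_state()
    verdicts = lambda name: name == "c.exe"  # constructed analysis: only c.exe is malicious
    removed_by_scan = periodic_scan(state, {"c.exe"}, verdicts)
    removed_by_crl = apply_revocations(state, {"key-vendor-3"}, set(), verdicts)
    return state, removed_by_scan, removed_by_crl

if __name__ == "__main__":
    (trusted_sigs, malicious_sigs, trusted_files), by_scan, by_crl = run_example()
    print(sorted(trusted_sigs), sorted(malicious_sigs), sorted(trusted_files), by_scan, by_crl)
```

In the run, the scan hit on `c.exe` removes `key-vendor-2` from the trusted signatures and drops `c.exe`, while `b.exe`, signed with the same key but cleared by analysis, is put back; the CRL entry for `key-vendor-3` distrusts that signature, yet `d.exe` stays collected because analysis clears it. That is the behaviour the text describes: a revoked or tainted signature no longer vouches for new files, but files already collected are judged on their own analysis rather than discarded wholesale.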
In the embodiment of the present invention, a trusted signature database and a malicious signature database are provided separately in order to identify trusted and untrusted digital signatures. In practice, the trusted signature database and the malicious signature database can also be merged into a single database in which each digital signature is separately given a rank: for example, the rank of a digital signature that would have been stored in the trusted signature database is set to trusted, and the rank of one that would have been stored in the malicious signature database is set to untrusted. This both manages the digital signatures and saves the overhead of one database.
Fig. 2 shows a structure diagram of the trusted file collection system provided by an embodiment of the present invention. As shown in Fig. 2, the collection system comprises an acquisition module 21, a determination module 22 and a collection module 23. The acquisition module 21 is adapted to obtain the digital signature of a sample file; the determination module 22 is adapted to determine whether the digital signature is trusted; and the collection module 23 is adapted to collect the sample file into a preset trusted file database when the digital signature is determined to be trusted.
The working process of each module is introduced in detail below.
The acquisition module 21 can obtain the digital signature of a sample file by calling the WinVerifyTrust API interface provided by Windows.
The determination module 22 determines whether the digital signature is trusted mainly by judging whether the digital signature is already stored in a preset trusted signature database 31; if the digital signature is judged to be stored in the preset trusted signature database 31, it is determined to be trusted.
The preset trusted signature database 31 stores trusted digital signatures. In an embodiment of the present invention, the trusted signature database 31 can be created dynamically. Because it is created dynamically, the trusted signature database holds no trusted signatures before the determination module 22 processes the first sample file, so the digital signature of the first sample file processed by the determination module 22 is necessarily not yet stored in the trusted signature database 31.
Correspondingly, when the determination module 22 judges that the digital signature is not stored in the trusted signature database 31, the following processing is also carried out: determine whether the digital signature is trusted according to preset judgement rules and, when it is determined to be trusted according to those rules, further store it in the trusted signature database 31, thereby achieving dynamic creation and updating of the trusted signature database 31. The preset judgement rules are as described in the corresponding part of the method embodiment and are not repeated here.
By the above means, the determination module 22 can determine whether a digital signature is trusted. In the approach introduced above, the trusted signature database 31 is created dynamically, so when the determination module 22 processes the first sample file the trusted signature database 31 does not yet hold any trusted digital signature; the digital signature in the first sample file must therefore be judged according to the preset judgement rules described above and, when it is trusted, added to the trusted signature database, with subsequent sample files processed in the same way. In this manner, creating the trusted signature database does not have to be carried out deliberately as a separate operation: trusted signatures are simply added to the trusted signature database dynamically during the determination for each sample file, gradually completing it, which saves the operating process of creating the trusted signature database separately.
But, in actual conditions, also can be as required, be pre-created credible signature database, that is:Filter out believable digital signature by a certain amount of sample file in advance, be stored in credible number of signatureIn storehouse. When concrete screening, also can screen by four kinds of rules introducing above. Like this, existWhen determination module 22 is processed first sample file, just can directly obtain according to credible signature databaseJudged result. Although such way needs to create separately credible signature database, determination module 22Can directly use this database, without according to default rule, each sample file being judged again,Thereby also possesses certain advantage.
Or, also above-mentioned two kinds of modes can be combined, filter out in advance the believable of someDigital signature, and complete the preliminary establishment of credible signature database according to these digital signature, then, asFruit determination module 22 is judged digital signature and is belonged to this credible signature database, can directly determine this numeralSign credible; Do not belong to this credible signature database if determination module 22 is judged digital signature, continueContinuous judge by default judgment rule above-mentioned, and judging this digital signature when credible,Further this digital signature is added in credible signature database.
Collection module 23, in the time that definite above-mentioned digital signature is credible, is collected default by corresponding sample fileTrusted file database 32 in. Collection module 23 collect trusted file according to being, normal conditionsUnder, be believable if sign and issue the digital signature of sample file, this sample file is also believable.
By cooperatively interacting of above-mentioned module, just realize the collection of trusted file. In said process,Identify trusted file by digital signature, due to a file that digital Autograph Session is corresponding a large amount of, soCan collect like a cork the trusted file of greater number by digital signature, therefore greatly improve collectionEfficiency. In addition, because digital signature is difficult to imitate, itself just has antiforge function, and, as long as justThe digital signature of rule manufacturer is correct, and its file of signing and issuing is all also correct conventionally, so, pass throughDigital signature is collected trusted file and has also greatly been improved the accuracy of collecting, thereby has ensured trusted fileThe accuracy of the collection file of database.
Further, in order to ensure better the accuracy of collection file of trusted file database,Avoid collecting mistakenly incredible file, this gathering system can further include: scan module24, be suitable for calling the file in antivirus engine periodic scanning trusted file database; Analysis module 25, suitableIn there is apocrypha in scan module 24 is determined trusted file database time, whether analyze apocryphaFor malicious file; Net background module 26, is suitable in the time that apocrypha is malicious file, by malicious fileDigital signature from credible signature database, delete, and further in trusted file database analyze byWhether all sample files that the digital signature of malicious file is signed and issued are malicious file. About scan module 24,The specific works process of analysis module 25 and net background module 26, can reference method embodiment in stepThe description of S140 repeats no more herein.
Further, net background module 26 is further adapted for: when the number of determining in credible signature databaseThe signing certificate of word signature lost efficacy, or, while determining the key exposure of digital signature, by digital signature fromIn credible signature database, delete, and further in trusted file database, analyze and signed and issued by digital signatureAll sample files whether be malicious file. This process can reference method embodiment in the retouching of step S150State, repeat no more herein.
By above-mentioned processing, just can further improve the accuracy of the collection file of trusted file database,Stop sneaking into of insincere file.
The embodiment of the present invention further comprises:
a scanning module, adapted to call an antivirus engine to periodically scan the files in the trusted file database;
an analysis module, adapted to analyze whether a suspicious file is a malicious file when the scanning module determines that a suspicious file exists in the trusted file database;
a network back-end module, adapted, when the suspicious file is a malicious file, to delete the digital signature of the malicious file from the trusted signature database and to further analyze, in the trusted file database, whether all sample files issued under the digital signature of the malicious file are malicious files.
In the embodiment of the present invention, the network back-end module is further adapted to: when it is determined that the signing certificate of a digital signature in the trusted signature database has become invalid, or that the key of the digital signature has been compromised, delete the digital signature from the trusted signature database and further analyze, in the trusted file database, whether all sample files issued under the digital signature are malicious files.
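To make the interplay of the modules concrete, here is an added Python model of the pipeline (not code from the patent or its applicant): a dynamically built trusted signature database, the four preset judgment rules applied when a signature is not yet in it, the trusted file database, and the revocation path of steps S140 and S150. Signature metadata is constructed inline (a real acquisition module would obtain it through WinVerifyTrust), and both the way the four rules are combined and the reading of rule 4 as signer-name similarity are assumptions of this example.

```python
"""Added example, not code from the patent: a small model of the trusted file
collection pipeline (acquisition, determination, collection, scan, analysis and
network back-end modules). Signature metadata is constructed inline; a real
acquisition module would obtain it through WinVerifyTrust. How the four preset
judgment rules are combined, and reading rule 4 as signer-name similarity,
are assumptions of this example."""
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import Callable, Optional


@dataclass(frozen=True)
class Signature:
    signer: str        # company / issuer name from the signing certificate
    thumbprint: str    # constructed identifier of the signing certificate
    not_after: date    # end of the certificate's validity period


@dataclass
class Sample:
    name: str
    signature: Optional[Signature]
    is_malicious: bool = False   # constructed ground truth consulted by the scanner


class TrustedFileCollector:
    def __init__(self, regular_companies, today, similarity_threshold=0.9):
        self.regular_companies = set(regular_companies)
        self.today = today
        self.threshold = similarity_threshold
        self.trusted_signatures = set()    # trusted signature database 31, built dynamically
        self.malicious_signatures = set()  # signatures that have issued malicious samples
        self.trusted_files = {}            # trusted file database 32, keyed by file name

    # --- determination module 22: preset judgment rules (claim 3) ---
    def _similar_to_trusted(self, sig):
        # Rule 4: signer name close to one already trusted. This also admits
        # look-alike signer names; the periodic scan below is what catches those.
        return any(SequenceMatcher(None, sig.signer, t.signer).ratio() > self.threshold
                   for t in self.trusted_signatures)

    def judgment_rules(self, sig):
        regular = sig.signer in self.regular_companies         # rule 1: legitimate company
        clean_history = sig not in self.malicious_signatures   # rule 2: no malicious history
        valid = sig.not_after >= self.today                    # rule 3: within validity period
        return (regular or self._similar_to_trusted(sig)) and clean_history and valid

    def is_credible(self, sig):
        if sig in self.trusted_signatures:   # already in the trusted signature database
            return True
        if self.judgment_rules(sig):         # otherwise apply the rules and grow the database
            self.trusted_signatures.add(sig)
            return True
        return False

    # --- collection module 23 ---
    def collect(self, sample):
        if sample.signature is None or not self.is_credible(sample.signature):
            return False
        self.trusted_files[sample.name] = sample
        return True

    # --- scanning module 24 / analysis module 25 / network back-end module 26 ---
    def scan(self, scanner: Callable[[Sample], bool]):
        """Periodic antivirus scan (step S140); returns the names of files removed."""
        removed = []
        for sample in list(self.trusted_files.values()):
            if sample.name in self.trusted_files and scanner(sample):
                removed += self.revoke(sample.signature, scanner)
        return removed

    def revoke(self, sig, scanner, malicious=True):
        """Drop a signature (malicious file found, certificate invalid or key compromised),
        delete every file it issued, then re-analyze them one by one and restore the
        clean ones (the 'delete first' variant of step S150)."""
        self.trusted_signatures.discard(sig)
        if malicious:
            self.malicious_signatures.add(sig)
        issued = [s for s in self.trusted_files.values() if s.signature == sig]
        for s in issued:
            del self.trusted_files[s.name]
        removed = []
        for s in issued:
            if scanner(s):
                removed.append(s.name)
            else:
                self.trusted_files[s.name] = s
        return removed
```

Call `revoke(sig, scanner, malicious=False)` for the certificate-invalid or key-compromise case, where the signature is dropped from the trusted database without being recorded as having issued malware.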
According to the trusted file collection method and system of the present invention, trusted files are collected by obtaining the digital signature of a sample file and judging whether the digital signature is trustworthy. This solves the problem in the prior art that generating trusted feature codes by training requires a large number of sample files in advance and that the training process is time-consuming, so that collection is not timely and lags behind; the beneficial effect is obtained that trusted files can be collected directly on the basis of digital signatures, which improves collection efficiency.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the description above of a specific language is given in order to disclose the best mode of the present invention.
In the description provided herein, a large number of specific details are described. However, it can be understood that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention, various features of the present invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and in addition can be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the browser client according to an embodiment of the present invention. The present invention may also be implemented as an apparatus or device program (for example, a computer program or computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.

Claims (8)

1. A method for collecting trusted files, comprising:
obtaining the digital signature of a sample file;
judging whether the digital signature is already stored in a preset trusted signature database, and if the judgment result is yes, determining that the digital signature is trustworthy;
when the digital signature is determined to be trustworthy, collecting the sample file into a preset trusted file database;
and, after collecting the sample file into the preset trusted file database, further comprising the steps of:
calling an antivirus engine to periodically scan the files in the trusted file database;
when the scan determines that a suspicious file exists in the trusted file database, analyzing whether the suspicious file is a malicious file;
if the suspicious file is a malicious file, deleting the digital signature of the malicious file from the trusted signature database, further deleting from the trusted file database all sample files issued under the digital signature of the malicious file, analyzing one by one whether each sample file issued under the digital signature of the malicious file is a malicious file, and adding a sample file back into the trusted file database when the analysis result for it is no.
2. The method of claim 1, wherein, in the step of judging whether the digital signature is already stored in the preset trusted signature database, if the judgment result is no, the method further comprises the step of: determining whether the digital signature is trustworthy according to a preset judgment rule, and, when the digital signature is determined to be trustworthy according to the judgment rule, further storing the digital signature in the preset trusted signature database.
3. The method of claim 2, wherein the preset judgment rule comprises one or more of the following rules:
judging, according to the company name or issuer name contained in the digital signature, whether the digital signature belongs to a legitimate company;
judging, according to a preset malicious signature database, whether a malicious sample exists among the historical samples issued under the digital signature, wherein the preset malicious signature database stores digital signatures under which malicious samples have been issued;
whether the digital signature is within its validity period; and
whether the similarity between the digital signature and the digital signatures already stored in the trusted signature database is greater than a preset threshold.
4. The method of any one of claims 1-3, wherein, after collecting the sample file into the preset trusted file database, the method further comprises the step of:
when it is determined that the signing certificate of a digital signature in the trusted signature database has become invalid, or that the key of the digital signature has been compromised, deleting the digital signature from the trusted signature database, and further analyzing, in the trusted file database, whether all sample files issued under the digital signature are malicious files.
5. A system for collecting trusted files, comprising:
an acquisition module, adapted to obtain the digital signature of a sample file;
a determination module, adapted to judge whether the digital signature is already stored in a preset trusted signature database and, if the judgment result is yes, to determine that the digital signature is trustworthy;
a collection module, adapted to collect the sample file into a preset trusted file database when the digital signature is determined to be trustworthy;
wherein the system further comprises:
a scanning module, adapted to call an antivirus engine to periodically scan the files in the trusted file database;
an analysis module, adapted to analyze whether a suspicious file is a malicious file when the scanning module determines that a suspicious file exists in the trusted file database;
a network back-end module, adapted, when the suspicious file is a malicious file, to delete the digital signature of the malicious file from the trusted signature database, further delete from the trusted file database all sample files issued under the digital signature of the malicious file, analyze one by one whether each sample file issued under the digital signature of the malicious file is a malicious file, and add a sample file back into the trusted file database when the analysis result for it is no.
6. The system of claim 5, wherein, if the judgment result is no, the determination module is further adapted to determine whether the digital signature is trustworthy according to a preset judgment rule and, when the digital signature is determined to be trustworthy according to the judgment rule, to further store the digital signature in the preset trusted signature database.
7. The system of claim 6, wherein the preset judgment rule comprises one or more of the following rules:
judging, according to the company name or issuer name contained in the digital signature, whether the digital signature belongs to a legitimate company;
judging, according to a preset malicious signature database, whether a malicious sample exists among the historical samples issued under the digital signature, wherein the preset malicious signature database stores digital signatures under which malicious samples have been issued;
whether the digital signature is within its validity period; and
whether the similarity between the digital signature and the digital signatures already stored in the trusted signature database is greater than a preset threshold.
8. The system of claim 7, wherein the network back-end module is further adapted to: when it is determined that the signing certificate of a digital signature in the trusted signature database has become invalid, or that the key of the digital signature has been compromised, delete the digital signature from the trusted signature database, and further analyze, in the trusted file database, whether all sample files issued under the digital signature are malicious files.
CN201310135900.2A 2013-04-18 2013-04-18 The collection method of trusted file and system Active CN103235918B (en)


Publications (2)

Publication Number Publication Date
CN103235918A CN103235918A (en) 2013-08-07
CN103235918B true CN103235918B (en) 2016-05-25

Family

ID=48883958






Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220725

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.
