Method, device and system for alerting against unknown malicious codes within a network environment
Assignments: 3. Petitions: 2.
Abstract
A method, a device, and a system for alerting against unknown malicious codes include judging whether any suspicious code exists in a packet, recording the source path of the suspicious code, and sending alert information that carries the source path to a monitoring device. The embodiments of the present disclosure report the source paths of suspicious codes proactively at the earliest possible time, which lays a foundation for shortening the time needed to contain virus threats, and avoids having to install software on the terminal.
9 Claims
1. A method for alerting against unknown malicious codes, the method comprising:
- receiving, by a network device, a request sent by a terminal for obtaining a file from a network entity and a data stream carrying the file;
- recording, by the network device, a source path carried in the request, wherein the network entity provides the file on the source path;
- judging, by the network device, whether the file is an executable file according to at least one of: the request and the data stream carrying the file;
- when the network device judges the file is an executable file, sending, by the network device, first alert information that carries the source path to a monitoring device;
- receiving, by the network device, second alarm information sent by the monitoring device after further detecting the file downloaded according to the source path by the monitoring device; and
- intercepting, by the network device, a) the executable file according to the second alarm information comprising a maliciousness of the executable file; or b) the executable file and packets transmitted in a Botnet according to the second alarm information comprising the maliciousness of the executable file and Botnet topology information.
Dependent claims: 2.
3. A network device comprising computing hardware and a non-transitory computer-readable storage medium including computer-executable instructions executed by the computing hardware to perform, on the network device, operations comprising:
- receiving a request sent by a terminal for obtaining a file from a network entity and receiving a data stream carrying the file;
- recording a source path carried in the request, wherein the network entity provides the file on the source path;
- judging the file is an executable file according to at least one of: the request and the data stream carrying the file;
- when the network device judges the file is the executable file, sending first alert information that carries the source path to a monitoring device;
- receiving second alarm information sent by the monitoring device after further detecting the file downloaded according to the source path by the monitoring device, wherein the second alarm information includes (a) a maliciousness of the executable file or (b) the maliciousness of the executable file and Botnet topology information; and
- intercepting i. the executable file according to the maliciousness of the executable file; or ii. the executable file and packets transmitted in a Botnet according to the second alarm information comprising the maliciousness of the executable file and Botnet topology information.
Dependent claims: 4.
5. A system for alerting against unknown malicious codes comprising a network device and a monitoring device:
the network device comprising a first computing hardware and a first non-transitory computer-readable storage medium including a first set of computer-executable instructions executed by the first computing hardware to perform, on the network device, operations comprising:
- a) receiving a request sent by a terminal for obtaining a file from a network entity and receiving a data stream carrying the file;
- b) recording a source path carried in the request, wherein the network entity provides the file on the source path;
- c) determining the file is an executable file according to at least one of (a) the received request and (b) the data stream carrying the file;
- d) sending first alert information that carries the source path to a monitoring device when the network device determines the file is an executable file;
- e) receiving second alarm information sent by the monitoring device after detecting the executable file downloaded according to the source path; and
- f) intercepting i. the executable file according to the maliciousness of the executable file; or ii. the executable file and packets transmitted in a Botnet according to the second alarm information comprising the maliciousness of the executable file and Botnet topology information; and
the monitoring device comprising a second computing hardware and a second non-transitory computer-readable storage medium including a second set of computer-executable instructions executed by the second computing hardware to perform, on the monitoring device, operations comprising:
- a) receiving the first alert information from the network device;
- b) downloading an executable file according to the source path;
- c) detecting the executable file to confirm maliciousness of the executable file; and
- d) sending the second alarm information to the network device, wherein the second alarm information comprises one of: maliciousness of the executable file, and both the maliciousness of the executable file and Botnet topology information.
Dependent claims: 6, 7.
8. A non-transitory computer readable medium storing instructions for execution by a processor, the instructions causing the processor to be configured to provide the following:
- receive a request sent by a terminal for obtaining a file from a network entity and receive a data stream carrying the file;
- record a source path carried in the request, wherein the network entity provides the file on the source path;
- determine whether the file is an executable file according to (a) the request or (b) the data stream carrying the file;
- send first alert information that carries the source path to a monitoring device, if the network device judges the file is the executable file;
- receive second alarm information that includes (a) a maliciousness of the executable file or (b) the maliciousness of the executable file and Botnet topology information; and
- intercept a) the executable file according to the maliciousness of the executable file; or b) the executable file and packets transmitted in a Botnet according to the second alarm information comprising the maliciousness of the executable file and Botnet topology information.
Dependent claims: 9.
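The exchange the claims describe, simulated end to end: the network device records the source path from the terminal's request, judges executability from the request and/or the data stream, sends a first alert carrying the source path; the monitoring device downloads the file by that path, detects it, and returns a second alarm with the maliciousness verdict and optionally Botnet topology; the network device then intercepts the file, or the file plus the Botnet's packets. This is an added example, not code from the patent or its assignee. The dictionary message formats, the executable heuristics (magic bytes, Content-Type, file extension), the SHA-256 blocklist standing in for the monitor's detection, the `FETCHED` table standing in for the monitor's HTTP download, and every host, path, address and byte string are constructed assumptions; the patent only says what each message carries.

```python
"""Two-stage alerting flow of claims 1, 3, 5 and 8, simulated end to end.
Added example, not the patent's code: message dicts, executable heuristics, the
monitor's SHA-256 blocklist and all hosts/paths are constructed assumptions."""
import hashlib
import posixpath
from typing import Optional

# Magic numbers checked on the data stream itself; renaming a file cannot hide them.
EXECUTABLE_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"\xcf\xfa\xed\xfe": "macho64"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".com"}
EXECUTABLE_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec",
                            "application/x-executable"}

def _parse_headers(head: str) -> dict:
    """Header lines after the request/status line, with lower-cased names."""
    return {k.strip().lower(): v.strip()
            for k, v in (ln.split(":", 1) for ln in head.split("\r\n")[1:] if ":" in ln)}

def parse_request(raw: bytes) -> str:
    """Record the source path (claim 1): Host header plus the GET request target."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    _method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return f"http://{_parse_headers(head).get('host', '')}{target}"

def parse_response(raw: bytes) -> tuple:
    head, _, body = raw.partition(b"\r\n\r\n")
    return _parse_headers(head.decode("latin-1")), body

def judge_executable(source_path: str, resp_headers: dict, body: bytes) -> Optional[str]:
    """'Judging ... according to at least one of the request and the data stream'.
    Data-stream evidence comes first: the URL and its extension are attacker-chosen."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if body.startswith(magic):
            return f"magic:{kind}"
    ctype = resp_headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXECUTABLE_CONTENT_TYPES:
        return f"content-type:{ctype}"
    ext = posixpath.splitext(source_path.split("?", 1)[0])[1].lower()
    return f"extension:{ext}" if ext in EXECUTABLE_EXTENSIONS else None

def observe_download(request: bytes, response: bytes) -> Optional[dict]:
    """Network device: record the source path, judge, and emit the first alert."""
    source_path = parse_request(request)
    headers, body = parse_response(response)
    reason = judge_executable(source_path, headers, body[:16])
    return None if reason is None else {"source_path": source_path, "reason": reason}

def monitor_detect(first_alert: dict, fetched: dict, known_bad: dict) -> dict:
    """Monitoring device (claim 5): download via the source path, detect, reply.
    'fetched' stands in for the HTTP download; 'known_bad' (SHA-256 -> Botnet
    topology) stands in for a sandbox or scanner verdict. Both are assumptions."""
    digest = hashlib.sha256(fetched[first_alert["source_path"]]).hexdigest()
    alarm = {"source_path": first_alert["source_path"], "malicious": digest in known_bad}
    if known_bad.get(digest):                 # variant (b): topology included
        alarm["botnet_topology"] = known_bad[digest]
    return alarm

def intercept(second_alarm: dict) -> list:
    """Network device: block the file (a), plus the Botnet's packets when topology is given (b)."""
    if not second_alarm["malicious"]:
        return []
    actions = [("block_path", second_alarm["source_path"])]
    for node in second_alarm.get("botnet_topology", {}).get("c2_nodes", []):
        actions.append(("block_flow", (node["ip"], node["port"])))
    return actions

# Constructed traffic (not real binaries): a PE served as octet-stream, the same
# PE bytes disguised as a JPEG, and an ordinary HTML page.
PE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
REQ_EXE = b"GET /files/update.exe HTTP/1.1\r\nHost: dl.example.test\r\n\r\n"
RESP_EXE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + PE_BYTES
REQ_JPG = b"GET /img/photo.jpg HTTP/1.1\r\nHost: dl.example.test\r\n\r\n"
RESP_JPG = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + PE_BYTES
REQ_HTML = b"GET /index.html HTTP/1.1\r\nHost: dl.example.test\r\n\r\n"
RESP_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
FETCHED = {"http://dl.example.test/files/update.exe": PE_BYTES,
           "http://dl.example.test/img/photo.jpg": PE_BYTES}
KNOWN_BAD = {hashlib.sha256(PE_BYTES).hexdigest():
             {"c2_nodes": [{"ip": "203.0.113.7", "port": 6667}]}}   # constructed C2 node

def run_flow(request: bytes, response: bytes) -> tuple:
    """One download through the whole exchange: (first_alert, second_alarm, actions)."""
    alert = observe_download(request, response)
    if alert is None:
        return None, None, []
    alarm = monitor_detect(alert, FETCHED, KNOWN_BAD)
    return alert, alarm, intercept(alarm)

if __name__ == "__main__":
    for req, resp in ((REQ_EXE, RESP_EXE), (REQ_JPG, RESP_JPG), (REQ_HTML, RESP_HTML)):
        print(run_flow(req, resp))
```

The disguised-JPEG case is why the claims allow judging on the data stream and not only on the request: the URL and Content-Type say image, but the leading `MZ` bytes still trigger the first alert, and the same second alarm (with topology) yields both the path block and the C2 flow block.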