24 patents match the query "【中文】北京安天网络安全技术有限公司【EN】Beijing ahtech network Safe Technology Ltd" (search time 0.2030886 s).
Invention patents: 24; utility models: 0; design patents: 0.
Showing items 1-10 of 24.
Application no.: 201811274581.2  Publication no.: CN110865904A  Main classification: G06F11/14
Abstract: An embodiment of the invention discloses a computer system management method, apparatus, electronic device and storage medium, relating to the field of computer technology and capable of effectively improving the efficiency of computer system management. The method comprises: generating an environment configuration file according to a user instruction, the environment configuration file containing element identifiers that indicate the environment elements of the operating system to be generated, where the environment elements include at least one of an operating system, an operating system version, and application software; looking up the environment elements in a pre-established environment pool according to the environment configuration file; and installing the operating system to be generated on the target terminal according to the environment elements found. The invention can be used in computer system management.

Application no.: 201811413169.4  Publication no.: CN110866247A  Main classification: G06F21/56
Abstract: An embodiment of the invention discloses a security defense method, apparatus, electronic device and storage medium, relating to the field of security defense technology and devised to reduce implementation cost. The security defense method comprises: monitoring the installation or launch of application programs and obtaining feature information of the application to be installed or launched; judging, according to the feature information, whether the application is a malicious application; if it is, intercepting its installation or launch and generating an activity page at the front of the mobile terminal's screen; and displaying alert information in that activity page. The invention is applicable to the installation or launch of malicious applications on mobile terminals.

Application no.: 201811438897.0  Publication no.: CN110866248A  Main classification: G06F21/56
Abstract: An embodiment of the invention discloses a method for identifying ransomware mounted into a system process, relating to the field of computer security technology and capable of identifying ransomware quickly and accurately. The method comprises: judging whether a submodule mounted into a system process is a suspicious submodule; recording the mounting information of the suspicious submodule; monitoring whether files on the current disk are modified; if a file on the current disk is found to be modified, judging whether a newly created suspicious file exists in the same directory as the modified file; if such a newly created suspicious file exists, monitoring whether files on the current disk are modified again; and if files on the current disk are found to be modified again, determining, according to the mounting information, the suspicious submodule whose mounting time is closest to the current time to be the ransomware. The invention is applicable to ransomware identification.

Application no.: 201811448258.2  Publication no.: CN110868376A  Main classification: H04L29/06
Abstract: An embodiment of the invention discloses a method and apparatus for determining the sequence of assets vulnerable to attack in a network environment, relating to the field of network information security and capable of accurately determining the vulnerable asset sequence in a network environment. The method comprises: constructing an attack graph of the target network according to its network environment; determining attack behavior paths according to the attack graph; calculating, for each attack behavior path, its corresponding attack cost; and, according to the attack cost of each path, taking the asset sequence on the attack behavior path with the lowest attack cost as the most vulnerable asset sequence. The apparatus and electronic device comprise modules for performing the method. The invention is applicable to determining the vulnerable asset sequence in a network environment.

Application no.: 201811483644.5  Publication no.: CN110868377A  Main classification: H04L29/06
Abstract: An embodiment of the invention discloses a method, apparatus and electronic device for generating a network attack graph, relating to the field of network information security and capable of generating a network attack graph relatively quickly. The method comprises: determining, in the target network environment, each associated asset node of the target asset; determining the vulnerabilities present on each associated asset node; determining whether a logical relationship exists between the vulnerabilities of associated asset nodes that have a direct network connection; if such a logical relationship exists, logically associating those vulnerabilities and establishing vulnerability logical relationships between the associated asset nodes; and, according to the vulnerability logical relationships between the associated asset nodes, building a network attack graph based on the target network environment with the target asset as the attack target. The apparatus and electronic device comprise modules for performing the method. The invention is applicable to generating network attack graphs.

Application no.: 201811507032.5  Publication no.: CN110866249A  Main classification: G06F21/56
Abstract: An embodiment of the invention discloses a method, apparatus and electronic device for dynamically detecting malicious code, relating to the field of network security protection technology and capable of solving the prior-art problem that the blacklists, whitelists and malicious-code signature libraries of terminals are difficult to maintain. The method comprises: receiving a suspicious file reported by a client; running the suspicious file and collecting the call data it generates at runtime for the APIs in a preset API data set; generating, from that runtime API call data, the data to be detected; judging whether the similarity between the data to be detected and the sample data in a preset comparison sample library is higher than a predetermined similarity threshold; and if so, determining that the suspicious file contains malicious code. The invention enables dynamic, coordinated detection between terminal and server, reduces the difficulty of maintaining signature libraries, and is applicable to a variety of computer security protection scenarios.

Application no.: 201811546175.7  Publication no.: CN110868378A  Main classification: H04L29/06
Abstract: An embodiment of the invention discloses a phishing email detection method, apparatus, electronic device and storage medium, relating to the field of network security technology and devised to improve the recognition rate of phishing emails. The phishing email detection method comprises: obtaining the email to be detected from mail traffic; detecting whether the email contains predetermined behavioral features; and if it does, determining that the email is a phishing email. The phishing email detection apparatus comprises: an acquisition module for obtaining the email to be detected from mail traffic; a detection module for detecting whether the email contains the predetermined behavioral features; and a judgment module for determining that the email is a phishing email if it contains those features. The invention is applicable to detecting and identifying phishing emails in mail traffic.

Application no.: 201811560012.4  Publication no.: CN110868379A  Main classification: H04L29/06
Abstract: An embodiment of the invention discloses a method, apparatus and electronic device for expanding intrusion threat indicators based on DNS resolution messages, relating to the field of computer network security protection technology and capable of solving the problem that existing intrusion threat indicators are limited. The method comprises: obtaining the IP addresses of network traffic received in real time; judging whether the IP address of the traffic can be matched in a preset IP sub-library; if so, classifying the traffic according to the protocol it uses; performing DNS parsing on the DNS protocol traffic to obtain DNS resolution messages; judging, according to a preset intrusion threat indicator matching library, whether the initiator of the DNS resolution request is infected with malicious code; and if so, adding an intrusion threat indicator expansion record to the matching library. The invention is applicable to any scenario in which IOCs are used for security threat detection.

Application no.: 201811561089.3  Publication no.: CN110868380A  Main classification: H04L29/06
Abstract: An embodiment of the invention discloses a network traffic security monitoring method, apparatus, electronic device and storage medium, relating to the field of computer information security technology and used to achieve out-of-band (bypass) security monitoring with a reverse-proxy-mode WAF without changing the user's existing network topology. The method is used in a network where a client connects to a first server to be protected; the network includes a WAF in reverse proxy mode whose output side is connected to an HTTP server that returns fixed content for any request, and the WAF is configured to protect that HTTP server. The method comprises: obtaining the HTTP requests from the traffic of the client accessing the first server; sending those HTTP requests to the WAF; and detecting whether the WAF raises an alert on each HTTP request, thereby achieving network traffic security monitoring.

Application no.: 201811561121.8  Publication no.: CN110868381A  Main classification: H04L29/06
Abstract: An embodiment of the invention discloses a method, apparatus and electronic device for collecting traffic data triggered by DNS resolution results, capable of solving the prior-art problem that not enough effective clues are available to analyze and assess IoC detection results. The method comprises: performing DNS parsing on DNS traffic; judging whether the DNS resolution result is a DNS response; if it is, checking the DNS resolution result against intrusion threat indicators; if the result hits an intrusion threat indicator, generating a record for that resolution result; and, from the time the record is entered until a preset duration expires, collecting the traffic data flowing through the IP address corresponding to the record. The invention collects the traffic data associated with potentially threatening resolution targets and is applicable to a variety of network security protection products.
