CN103106366A - Dynamic maintenance method of sample database based on cloud - Google Patents

Dynamic maintenance method of sample database based on cloud

Info

Publication number: CN103106366A
Authority: CN (China)
Prior art keywords: program, behavior, black, white list, performance
Legal status: Granted
Application number: CN2013100394738A
Other languages: Chinese (zh)
Other versions: CN103106366B (en)
Inventors: 齐向东, 徐贵斌, 范纪锽
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority: CN201310039473.8A (granted as CN103106366B); priority claimed from CN2010102569589A (granted as CN101923617B)
Publications: CN103106366A (application); CN103106366B (granted patent)
Current legal status: Active

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a cloud-based method for dynamically maintaining a sample database. First, client computers collect program features together with the program behaviors corresponding to those features and send them to a server. The server records the different program features, their corresponding behaviors, and a blacklist/whitelist in its database. Combining the program features and corresponding behaviors already in the known blacklist/whitelist, the features and behaviors of unknown programs are analyzed in order to update the blacklist/whitelist. Because program behaviors are collected and associated with program features, the features and behaviors of samples can be analyzed and generalized in the database. This makes it easier to classify software or programs as black or white, and allows corresponding removal or restoration measures to be formulated for the malware on the blacklist.

Description

Cloud-based sample database dynamic maintenance method
This application is a divisional application of Chinese invention patent application No. 201010256958.9, filed on 18 August 2010, entitled "Cloud-based sample database dynamic maintenance method".
Technical field
The present invention relates to the field of information security technology, and in particular to a cloud-security-based method for dynamically maintaining a sample database.
Background technology
As computer technology has come into wide use in every area of social life, malicious programs (malware: any software deliberately created to perform unauthorized and usually harmful actions) have followed as its by-product. Because such programs are infectious, self-replicating and destructive, they have become a major problem for computer users. With network threats on the rise, updating virus signatures has become a daily necessity for enterprises and individual users, moving from once a week to once a day and on to continuous updates. Traditional antivirus software keeps the virus database on the client computer and performs file analysis there, comparing files repeatedly against the local virus database during a scan, which consumes a large amount of system resources. As the virus database is continually upgraded its size grows, the time spent analyzing files grows with it, and the client computer becomes slower and slower. The antivirus industry therefore has to seek a new technical breakthrough.
"Cloud security" is the latest embodiment of information security in the network era. It merges emerging technologies such as parallel processing, grid computing and unknown-virus behavior analysis, applying the concepts of cloud computing to the security field.
Realizing "cloud security" depends closely on how its sample database is built. How to organize and maintain the sample database effectively has therefore become a problem the industry urgently needs to solve.
Summary of the invention
The technical problem solved by the present invention is to provide a cloud-based method for dynamically maintaining a sample database, so as to improve the efficiency of database maintenance and program analysis and to help classify programs as black or white and recover files.
To solve the above technical problem, the invention provides a cloud-based sample database dynamic maintenance method comprising the following steps:
collecting program features and their corresponding program behaviors on client computers and sending them to a server;
recording the different program features, their corresponding program behaviors, and a blacklist/whitelist in the server database;
analyzing the features and behaviors of unknown programs in combination with the program features and corresponding behaviors in the existing known blacklist/whitelist, so as to update the blacklist/whitelist.
The step of analyzing the features and behaviors of unknown programs may comprise:
if the feature of an unknown program is identical to a known program feature in the existing blacklist/whitelist, entering that feature and its behaviors in the blacklist/whitelist.
The step of analyzing the features and behaviors of unknown programs may also comprise:
if the behavior of an unknown program is identical or similar to a known program behavior in the existing blacklist/whitelist, entering that behavior and its program feature in the blacklist/whitelist.
The method may further comprise:
establishing an association relation between behavior and feature among programs that have identical or similar behavior;
analyzing the features and behaviors of unknown programs according to that association relation, so as to update the blacklist/whitelist.
The step of analyzing the features and behaviors of unknown programs may comprise:
when a program behavior is entered in the blacklist/whitelist, entering the program feature corresponding to that behavior in the database in the blacklist/whitelist as well, together with the other program behaviors and features associated with that behavior.
The step of analyzing the features and behaviors of unknown programs may comprise:
when a program feature is entered in the blacklist/whitelist, entering the program behavior corresponding to that feature in the database in the blacklist/whitelist as well, together with the other program behaviors and features associated with that feature.
The method may further comprise:
for a blacklisted program, additionally recording the reverse behaviors of that program in the database, and executing those reverse behaviors once it is confirmed that the blacklisted program exists or is running on a client computer.
The method may further comprise:
for a blacklisted program, determining in the database, from the behaviors of that program, the information of the files infected on the client computer;
according to the information of the infected files, downloading an intact copy of the corresponding file stored in the database to the client computer to overwrite the infected file.
The method may further comprise:
additionally recording in the database the change in the number of identical program features collected from different client computers within a preset time;
analyzing the features and behaviors of unknown programs according to that change in number, so as to update the blacklist/whitelist.
The step of analyzing the features and behaviors of unknown programs according to the change in number may comprise:
if, within the preset time, the increase or decrease in the number of a certain unknown program feature collected from different client computers exceeds a threshold, blacklisting that program feature and its corresponding program behaviors in the database.
Because the invention collects program behaviors on the clients and associates them with program features, recording each feature with its corresponding behaviors in the database, the samples in the database can be analyzed and generalized according to the association between the collected behaviors and features. This helps classify software or programs as black or white, and also allows corresponding removal or restoration measures to be formulated for the malware on the blacklist.
Description of drawings
Fig. 1 is a schematic diagram of the implementation mode of the present invention;
Fig. 2 is a flowchart of the cloud-based sample database dynamic maintenance method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the association relation according to an embodiment of the present invention;
Fig. 4 is a flowchart of file recovery according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the analysis flow according to an embodiment of the present invention.
Embodiment
The present invention is further described below with reference to the accompanying drawings.
The cloud structure is essentially a large-scale client/server (C/S) architecture; Fig. 1 is a schematic diagram of the implementation mode of the present invention. The core idea of the invention is to use a large number of client computers 102 to collect the behaviors of various programs (a single behavior, or a combination of a group of behaviors), in particular the behaviors of suspicious programs, and to associate each program behavior with the feature of that program, so that the feature of a program and its corresponding behavior records are stored in the database 104 at the server end. At the server end, the database can then be analyzed and conclusions drawn from program behaviors, program features, or a group of behaviors and features together, which helps classify software or programs as black or white. Further, corresponding removal or restoration measures can be formulated for the malware on the blacklist.
The program behaviors may be, for example, driver loading, file creation, loading of a program or code, adding a system startup item, modification of a file or program, and so on, or a combination of a series of such behaviors.
The program feature may be an MD5 (Message-Digest Algorithm 5) digest, a SHA-1 digest, a CRC (cyclic redundancy check) code, or any other signature that uniquely identifies the original program.
Fig. 2 is a flowchart of the cloud-based sample database dynamic maintenance method according to an embodiment of the present invention. First, client computers collect program features and their corresponding program behaviors and send them to the server (step 202). Then the different program features, their corresponding behaviors, and the blacklist/whitelist are recorded in the server database (step 204). Finally, the features and behaviors of unknown programs are analyzed in combination with the program features and corresponding behaviors in the existing known blacklist/whitelist, so as to update the blacklist/whitelist (step 206).
Because the database records each program feature together with the behavior records corresponding to that feature, unknown programs can be analyzed in combination with the known blacklist/whitelist.
For example, if the feature of an unknown program is identical to a known program feature in the existing blacklist/whitelist, that feature and its behaviors are entered in the blacklist/whitelist.
If the behavior of an unknown program is identical or similar to a known program behavior in the existing blacklist/whitelist, that behavior and its program feature are entered in the blacklist/whitelist.
Some viruses change their signature through mutation or packing, but their behavior changes little; therefore, by comparing program behavior records, it is comparatively easy to determine whether certain unknown programs are malicious. Sometimes this comparison does not even require further analysis of the program's behavior itself: simply comparing it with the known program behaviors in the existing blacklist/whitelist is enough to judge the nature of the unknown program.
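The collection, recording and analysis steps just described (steps 202 to 206, together with the two matching rules that the Summary of the invention also lists), as an added worked example. This is the editor's illustration in Python, not code from the patent or from Qihoo. It assumes behaviors are reported as string labels, uses SHA-256 as the program feature (the patent names MD5, SHA-1 or CRC; SHA-256 is used because MD5 and CRC are not collision-resistant), and treats "approximate" behavior, which the patent does not define, as Jaccard similarity of behavior sets at or above a threshold. All sample programs and behaviors are constructed.

```python
import hashlib


def program_feature(program_bytes: bytes) -> str:
    """Program feature: a digest that identifies the program bytes.

    The patent names MD5, SHA-1 or CRC; SHA-256 is used here instead because
    MD5 and CRC are not collision-resistant (editor's choice, not the patent's).
    """
    return hashlib.sha256(program_bytes).hexdigest()


def behavior_similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two behavior sets: 1.0 identical, 0.0 disjoint.

    The patent does not define 'approximate' behavior; this metric is an assumption.
    """
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class SampleDatabase:
    """Server-side sample database: feature -> behaviors, plus black and white lists."""

    def __init__(self, approx_threshold: float = 0.75):
        self.records: dict[str, frozenset] = {}   # program feature -> behaviors seen
        self.blacklist: set[str] = set()           # program features judged black
        self.whitelist: set[str] = set()           # program features judged white
        self.approx_threshold = approx_threshold   # minimum similarity counted as 'approximate'

    def report(self, feature: str, behaviors) -> None:
        """Steps 202/204: a client reports a feature and its behaviors; the server records them."""
        self.records[feature] = self.records.get(feature, frozenset()) | frozenset(behaviors)

    def classify(self, feature: str, behaviors) -> str:
        """Step 206: judge an unknown sample against the known lists.

        Rule 1: identical feature already listed -> same verdict.
        Rule 2: behaviors identical or approximate to a listed program -> that program's
                verdict, and the new feature is added to the same list.
        Returns 'black', 'white' or 'unknown'.
        """
        behaviors = frozenset(behaviors)
        self.report(feature, behaviors)
        if feature in self.blacklist:
            return "black"
        if feature in self.whitelist:
            return "white"
        best_label, best_score = "unknown", 0.0
        for label, listed in (("black", self.blacklist), ("white", self.whitelist)):
            for known in listed:
                score = behavior_similarity(behaviors, self.records[known])
                if score > best_score:
                    best_label, best_score = label, score
        if best_score >= self.approx_threshold:
            (self.blacklist if best_label == "black" else self.whitelist).add(feature)
            return best_label
        return "unknown"


def demo_classification() -> dict:
    """Constructed samples: seed one black and one white program, then classify unknowns."""
    db = SampleDatabase()
    dropper = program_feature(b"dropper v1")                 # constructed program bytes
    db.report(dropper, {"driver_load", "file_create", "add_startup_item"})
    db.blacklist.add(dropper)
    editor = program_feature(b"text editor 2.0")
    db.report(editor, {"file_create", "file_modify"})
    db.whitelist.add(editor)

    results = {}
    # Same bytes seen again: matched on the feature alone (rule 1).
    results["same_feature"] = db.classify(dropper, {"driver_load"})
    # Packed variant: different digest, identical behaviors (rule 2, exact match).
    results["packed_variant"] = db.classify(
        program_feature(b"dropper v1 [packed]"),
        {"driver_load", "file_create", "add_startup_item"})
    # Variant with one extra behavior: approximate match, similarity 3/4.
    results["approx_variant"] = db.classify(
        program_feature(b"dropper v2"),
        {"driver_load", "file_create", "add_startup_item", "network_connect"})
    # New editor build: identical behaviors to the whitelisted program.
    results["editor_update"] = db.classify(
        program_feature(b"text editor 2.1"), {"file_create", "file_modify"})
    # Nothing close to either list: stays unknown, but its record is kept.
    results["unrelated"] = db.classify(program_feature(b"calculator"), {"window_create"})
    return results
```

The packed variant is caught by rule 2 although its digest differs, and the unrelated program stays unknown while its record is kept, so a later verdict on anything with matching behavior can still reach it. The threshold needs tuning per behavior vocabulary: set too low, a whitelist entry pulls near-misses into the whitelist, which is the more dangerous direction.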
Analysis of the records in the database shows that some programs have identical or similar behaviors while their program features differ. In such a case, as long as an association relation between behavior and feature is established among the programs with identical or similar behavior, the features and behaviors of unknown programs can be analyzed more easily according to that association, and the blacklist/whitelist updated.
Fig. 3 is a schematic diagram of the association relation according to an embodiment of the present invention. Suppose the features of unknown programs A, B and C are A, B and C respectively, and their corresponding program behaviors are A1~A4, B1~B4 and C1~C4. If analysis finds that the behaviors A1~A4, B1~B4 and C1~C4 are in fact identical or very similar to one another, an association relation between feature and behavior can be established among features A, B, C and behaviors A1~A4, B1~B4, C1~C4.
Through this association relation, the database can under certain conditions be expanded and maintained more efficiently. For example, when behaviors B1~B4 of program B are confirmed to be malicious and blacklisted, the program feature B corresponding to those behaviors can be blacklisted automatically in the database; at the same time, according to the association relation, the associated behaviors A1~A4 and C1~C4 and the corresponding features A and C can also be entered in the blacklist/whitelist automatically.
As another example, if programs A, B and C are initially of unknown black/white status, and feature B is first confirmed to belong to a malicious program through some other detection route, then not only can the behavior combination B1~B4 be blacklisted automatically in the database, but according to the association relation the features A and C with identical or similar behavior can also be blacklisted automatically, along with the behaviors A1~A4 and C1~C4.
Because the invention records in the database the behaviors corresponding to each program feature, behavioral analysis of unknown programs becomes much more convenient. For example, if driver-loading behavior is of interest, all program behaviors that include driver loading can be pulled out for comprehensive analysis. If, in the models already on the blacklist that load a driver, driver loading is generally followed by a particular file-creation behavior, then an unknown program showing a similar combination of behaviors should likewise be given a risk indication or blacklisted directly.
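The association relation of Fig. 3, the two propagation cases above, and the driver-load-then-file-creation pattern, as one added example (editor's Python, not the patent's code). Features A to E and their behavior sequences are constructed; "approximate" is again assumed to mean Jaccard similarity at or above a threshold, and a verdict is propagated only to directly associated features, not transitively, because similarity is not transitive and chaining it would drift away from the confirmed sample.

```python
from collections import defaultdict


def behavior_similarity(a: set, b: set) -> float:
    """Jaccard similarity of two behavior sets (assumed meaning of 'approximate')."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


class AssociationGraph:
    """Association relation of Fig. 3: an edge joins two program features whose behavior
    sets are identical or approximate; a verdict on one member is propagated to its
    directly associated members and their behaviors."""

    def __init__(self, records: dict, approx_threshold: float = 0.75):
        self.records = {f: tuple(seq) for f, seq in records.items()}  # feature -> ordered behaviors
        self.verdict: dict[str, str] = {}                                # feature -> 'black' | 'white'
        self.edges: dict[str, set] = defaultdict(set)
        feats = list(self.records)
        for i, a in enumerate(feats):
            for b in feats[i + 1:]:
                if behavior_similarity(set(self.records[a]), set(self.records[b])) >= approx_threshold:
                    self.edges[a].add(b)
                    self.edges[b].add(a)

    def list_feature(self, feature: str, label: str) -> set:
        """A feature is confirmed black/white (e.g. by another scanner): list it, then list
        every directly associated feature together with its behaviors. Returns the listed features."""
        affected = {feature} | self.edges[feature]
        for f in affected:
            self.verdict[f] = label
        return affected

    def list_behaviors(self, behaviors, label: str) -> set:
        """A behavior combination is confirmed black/white: list every feature whose behavior
        set equals it, then propagate through the association relation."""
        target = set(behaviors)
        affected = set()
        for f, seq in self.records.items():
            if set(seq) == target:
                affected |= self.list_feature(f, label)
        return affected


def follows(seq, first: str, second: str) -> bool:
    """True if `second` occurs somewhere after the first `first` in an ordered behavior sequence."""
    if first not in seq:
        return False
    return second in seq[seq.index(first) + 1:]


def flag_by_sequence(records: dict, blacklisted: set, first: str, second: str,
                     min_ratio: float = 0.8) -> set:
    """If, in the blacklisted models that show `first`, it is generally (>= min_ratio) followed
    by `second`, flag every not-yet-listed program that shows the same combination."""
    models = [records[f] for f in blacklisted if first in records[f]]
    if not models:
        return set()
    ratio = sum(follows(m, first, second) for m in models) / len(models)
    if ratio < min_ratio:
        return set()
    return {f for f, seq in records.items() if f not in blacklisted and follows(seq, first, second)}


def demo_association() -> dict:
    """Constructed records: A and B share one behavior set, C is approximate to both,
    D is unrelated and E is a small unknown program that loads a driver then creates a file."""
    records = {
        "A": ("driver_load", "file_create", "add_startup_item", "file_modify"),
        "B": ("driver_load", "add_startup_item", "file_create", "file_modify"),
        "C": ("driver_load", "file_create", "add_startup_item", "registry_modify"),
        "D": ("window_create", "file_modify"),
        "E": ("driver_load", "file_create"),
    }
    # 3 of 5 distinct behaviors shared (similarity 0.6) counts as approximate in this example.
    g = AssociationGraph(records, approx_threshold=0.6)
    # Behavior combination B1~B4 is confirmed malicious through some other route.
    blacklisted = g.list_behaviors(records["B"], "black")
    # Unknown programs showing the 'driver load, then file create' combination seen in the models.
    flagged = flag_by_sequence(records, blacklisted, "driver_load", "file_create")
    return {"blacklisted": blacklisted, "verdict": dict(g.verdict), "flagged": flagged}
```

Listing B's behavior combination blacklists A, B and C through the association edges but leaves D untouched, and E is only flagged, not listed, because the sequence rule is a risk indication over a different piece of evidence. Propagating a black verdict through approximate similarity trades recall for false positives, so the threshold and the one-hop limit are the two knobs to watch.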
The analysis methods the invention can adopt are not limited to those described above; methods such as decision trees, Bayesian algorithms and neural network computation, or simple threshold analysis, can all be applied well on the basis of the database of the present invention.
In addition, for a blacklisted program, the reverse behaviors of that program can be recorded in the database, and once the blacklisted program is confirmed to exist or be running on a client computer, those reverse behaviors are executed.
For example, when a program is found to be malicious on the basis of the information collected on the client side after a cloud-based detection and removal, or in some other way such as by signature, a recovery action can be carried out according to the recorded reverse behaviors.
Files that cannot be restored by executing reverse behaviors can also be restored by replacement. Fig. 4 is a flowchart of file recovery according to an embodiment of the present invention. First, for a blacklisted program, the information of the files infected on the client computer is determined in the database according to the behaviors of that program (step 402); then, according to that information, an intact copy of the corresponding file stored in the database is downloaded to the client computer to overwrite the infected file (step 404).
The information of the infected files can be determined by querying the database on related information such as the file path, the system version, and the application components linked to the file.
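The reverse-behavior execution and file-replacement recovery just described (steps 402 and 404), as an added example in Python; editor's code, not the patent's. The forward-to-reverse action table, the client model, the (system version, file path) key for clean copies, and all paths and file contents are constructed assumptions.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed server-side records: for each blacklisted program feature, the behaviors
# observed on clients as (action, target) in the order they happened. Paths are
# constructed placeholders, not real system paths.
BLACKLISTED_BEHAVIORS = {
    "feat-dropper": [
        ("file_create", "/system32/drivers/evil.sys"),
        ("driver_load", "/system32/drivers/evil.sys"),
        ("file_modify", "/system32/userinit.exe"),
        ("add_startup_item", "Run/updater"),
    ],
    "feat-infector": [
        ("file_modify", "/apps/app.exe"),
    ],
}

# Constructed intact copies held at the server, looked up by (system version, file path).
CLEAN_FILES = {
    ("os-7", "/system32/userinit.exe"): b"ORIGINAL userinit",
}

# Reverse behavior for each forward behavior (assumed table; the patent only says
# that reverse behaviors are recorded).
REVERSE = {
    "file_create": "file_delete",
    "driver_load": "driver_unload",
    "add_startup_item": "remove_startup_item",
    "file_modify": "file_replace",
}


class Client:
    """Minimal model of a client computer's state."""

    def __init__(self, system_version: str, files: dict, drivers: set, startup: set, present: set):
        self.system_version = system_version
        self.files = dict(files)        # path -> bytes
        self.drivers = set(drivers)     # loaded driver paths
        self.startup = set(startup)     # startup items
        self.present = set(present)     # program features found or running on this client


def infected_files(feature: str) -> list:
    """Step 402: derive the infected files from the program's recorded behaviors."""
    return [t for a, t in BLACKLISTED_BEHAVIORS.get(feature, []) if a == "file_modify"]


def replace_file(client: Client, path: str) -> bool:
    """Step 404: fetch the intact copy for this system version, overwrite the infected file
    and verify the digest of what was written. Returns False when no clean copy is stored."""
    clean = CLEAN_FILES.get((client.system_version, path))
    if clean is None:
        return False
    client.files[path] = clean
    return sha256(client.files[path]) == sha256(clean)


def remediate(client: Client, feature: str) -> list:
    """Execute the recorded reverse behaviors, latest first, once the blacklisted program is
    confirmed present on the client. Returns the actions taken; a file that could not be
    restored is reported as 'unrecoverable' rather than left silently modified."""
    if feature not in client.present:
        return []
    taken = []
    for action, target in reversed(BLACKLISTED_BEHAVIORS[feature]):
        rev = REVERSE[action]
        if rev == "file_delete":
            client.files.pop(target, None)
        elif rev == "driver_unload":
            client.drivers.discard(target)
        elif rev == "remove_startup_item":
            client.startup.discard(target)
        elif rev == "file_replace":
            if not replace_file(client, target):
                taken.append(("unrecoverable", target))
                continue
        taken.append((rev, target))
    client.present.discard(feature)
    return taken


def infected_client() -> Client:
    """Constructed client state after both blacklisted programs have run."""
    return Client(
        system_version="os-7",
        files={"/system32/userinit.exe": b"PATCHED userinit",
               "/system32/drivers/evil.sys": b"driver payload",
               "/apps/app.exe": b"PATCHED app"},
        drivers={"/system32/drivers/evil.sys"},
        startup={"Run/updater"},
        present={"feat-dropper", "feat-infector"},
    )
```

Reverse behaviors run latest-first so that the startup item pointing at the driver is removed before the driver is unloaded and its file deleted. One check the patent does not mention but a deployment needs: the client should verify the downloaded copy against a digest or signature it already trusts before overwriting a system file, otherwise the recovery channel becomes a way to plant files.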
In addition, because the invention uses a large number of client computers to collect program behaviors and features and records the related information in the database, the nature of a program can also be judged by monitoring and analyzing how fast it spreads within a short period. Fig. 5 is a schematic diagram of the analysis flow according to an embodiment of the present invention. First, the change in the number of identical program features collected from different client computers within a preset time is additionally recorded in the database (step 502); then, according to that change in number, the features and behaviors of unknown programs are analyzed so as to update the blacklist/whitelist (step 504).
For example, if within the preset time the increase or decrease in the number of a certain unknown program feature collected from different client computers exceeds a threshold, that program feature and its corresponding behaviors are blacklisted in the database.
In this way, the program information collected on the client side is passed to the backend server cluster. If the program is a Trojan but no longer spreads at all, it is a dormant, "dead" Trojan and can be considered not to pose a threat for the time being. If, however, the Trojan spreads to a new machine, the invention detects it very quickly, because that client computer also reports to the server. When 100, 500 or 1000 machines have reported, the server database collects statistics on the growth in numbers, analyzes them and feeds back the result: the number of instances of the program has exceeded the threshold within a very short time, or many variants with behavior similar to this program have appeared. The invention can analyze and judge this automatically, and as soon as the judgment is made the program can be added to the blacklist. The blacklist in the database is thus expanded and updated dynamically, greatly improving the efficiency of database maintenance and program analysis.
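The propagation-rate analysis of steps 502 and 504 (the dormant Trojan versus the spreading one), as an added example; editor's Python, not the patent's code. It assumes reports arrive in time order and carry a client identifier, counts only growth in the number of distinct reporting clients inside the preset window, and uses constructed report streams.

```python
from collections import defaultdict, deque


class SpreadMonitor:
    """Steps 502/504: per program feature, count the distinct client computers that reported
    it inside a sliding window of `window` seconds (the preset time) and blacklist the
    feature once that count exceeds `threshold`. Reports are assumed to arrive in time order."""

    def __init__(self, window: float, threshold: int):
        self.window = window
        self.threshold = threshold
        self.reports: dict[str, deque] = defaultdict(deque)   # feature -> (timestamp, client id)
        self.blacklist: set[str] = set()

    def report(self, feature: str, client_id: str, ts: float) -> bool:
        """Record one client report and return whether the feature is (now) blacklisted."""
        q = self.reports[feature]
        q.append((ts, client_id))
        while q and q[0][0] < ts - self.window:       # drop reports older than the window
            q.popleft()
        if self.spread_count(feature, ts) > self.threshold:
            self.blacklist.add(feature)
        return feature in self.blacklist

    def spread_count(self, feature: str, now: float) -> int:
        """Distinct clients that reported the feature within the window ending at `now`.
        Repeated reports from one machine do not count as spread."""
        return len({c for t, c in self.reports[feature] if t >= now - self.window})


def demo_spread() -> dict:
    """Constructed report streams: a dormant Trojan, a spreading one, and one noisy client."""
    m = SpreadMonitor(window=600, threshold=100)       # 10-minute window, alert above 100 machines
    # Dormant: five machines, one report every two hours -> never more than one in the window.
    dormant = [m.report("feat-dormant", f"client-{i}", i * 7200) for i in range(5)]
    # Spreading: 120 distinct machines within five minutes.
    spreading = [m.report("feat-worm", f"client-{i}", 1000 + i * 2.5) for i in range(120)]
    # Noisy: one machine reporting the same feature 200 times in a minute.
    noisy = [m.report("feat-noisy", "client-1", 2000 + i * 0.3) for i in range(200)]
    return {
        "dormant_alerted": any(dormant),
        "worm_alerted": any(spreading),
        "worm_first_alert_index": spreading.index(True),
        "noisy_alerted": any(noisy),
        "blacklist": sorted(m.blacklist),
    }
```

Counting distinct clients rather than raw reports is what keeps the noisy single machine below the threshold; it also means the client identifier must be hard to forge, or one attacker reporting under many identities could push a benign program's feature onto the blacklist. The patent also mentions a decrease exceeding the threshold and the appearance of many variants with similar behavior; those would be further rules over the same per-feature report queue.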

Claims (8)

1. A cloud-based sample database dynamic maintenance method, characterized in that it comprises the following steps:
collecting program features and their corresponding program behaviors on client computers and sending them to a server;
recording the different program features, their corresponding program behaviors, and a blacklist/whitelist in the server database;
analyzing the features and behaviors of unknown programs in combination with the program features and corresponding behaviors in the existing known blacklist/whitelist, so as to update the blacklist/whitelist;
wherein the step of analyzing the features and behaviors of unknown programs comprises:
if the feature of an unknown program is identical to a known program feature in the existing blacklist/whitelist, entering that feature and its behaviors in the blacklist/whitelist;
if the behavior of an unknown program is identical or similar to a known program behavior in the existing blacklist/whitelist, entering that behavior and its program feature in the blacklist/whitelist.
2. The method of claim 1, characterized in that it further comprises:
establishing an association relation between behavior and feature among programs that have identical or similar behavior;
analyzing the features and behaviors of unknown programs according to the association relation among those programs, so as to update the blacklist/whitelist.
3. The method of claim 2, characterized in that the step of analyzing the features and behaviors of unknown programs comprises:
when a program behavior is entered in the blacklist/whitelist, entering the program feature corresponding to that behavior in the database in the blacklist/whitelist as well, together with the other program behaviors and features associated with that behavior.
4. The method of claim 2, characterized in that the step of analyzing the features and behaviors of unknown programs comprises:
when a program feature is entered in the blacklist/whitelist, entering the program behavior corresponding to that feature in the database in the blacklist/whitelist as well, together with the other program behaviors and features associated with that feature.
5. The method of claim 1, characterized in that it further comprises:
for a blacklisted program, additionally recording the reverse behaviors of that program in the database, and executing those reverse behaviors once it is confirmed that the blacklisted program exists or is running on a client computer.
6. The method of claim 1, characterized in that it further comprises:
for a blacklisted program, determining in the database, from the behaviors of that program, the information of the files infected on the client computer;
according to the information of the infected files, downloading an intact copy of the corresponding file stored in the database to the client computer to overwrite the infected file.
7. The method of claim 1, characterized in that it further comprises:
additionally recording in the database the change in the number of identical program features collected from different client computers within a preset time;
analyzing the features and behaviors of unknown programs according to that change in number, so as to update the blacklist/whitelist.
8. The method of claim 7, characterized in that the step of analyzing the features and behaviors of unknown programs according to the change in number comprises:
if, within the preset time, the increase or decrease in the number of a certain unknown program feature collected from different client computers exceeds a threshold, blacklisting that program feature and its corresponding program behaviors in the database.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201310039473.8A (CN103106366B) | 2010-08-18 | 2010-08-18 | Cloud-based sample database dynamic maintenance method

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN2010102569589A (CN101923617B) | 2010-08-18 | 2010-08-18 | Cloud-based sample database dynamic maintaining method
CN201310039473.8A (CN103106366B) | 2010-08-18 | 2010-08-18 | Cloud-based sample database dynamic maintenance method

Related Parent Applications (1)

Application Number | Title | Priority Date | Filing Date
CN2010102569589A (CN101923617B), division | Cloud-based sample database dynamic maintaining method | 2010-08-18 | 2010-08-18

Publications (2)

Publication Number | Publication Date
CN103106366A (application) | 2013-05-15
CN103106366B (granted patent) | 2016-05-04

Family

ID=48314217

Family Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201310039473.8A (CN103106366B), Active | 2010-08-18 | 2010-08-18 | Cloud-based sample database dynamic maintenance method

Country Status (1)

Country | Link
CN | CN103106366B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103500305A (en) * | 2013-09-04 | 2014-01-08 | 中国航天科工集团第二研究院七〇六所 | System and method for malicious code analysis based on cloud computing
CN104966018A (en) * | 2015-06-18 | 2015-10-07 | 华侨大学 | Windows system-based software program abnormal behavior analysis method
CN109815696A (en) * | 2018-12-29 | 2019-05-28 | 360企业安全技术(珠海)有限公司 | Terminal device system protection method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1936910A (en) * | 2005-11-16 | 2007-03-28 | 白杰 | Method for identifying unknown virus programs and clearing method thereof
JP2007164338A (en) * | 2005-12-12 | 2007-06-28 | Isamu Kiyu | Virus intrusion prevention system
CN101039177A (en) * | 2007-04-27 | 2007-09-19 | 珠海金山软件股份有限公司 | Apparatus and method for on-line searching virus
CN101350052A (en) * | 2007-10-15 | 2009-01-21 | 北京瑞星国际软件有限公司 | Method and apparatus for discovering malignancy of computer program
CN101645125A (en) * | 2008-08-05 | 2010-02-10 | 珠海金山软件股份有限公司 | Method for filtering and monitoring behavior of program

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
TR01 | Transfer of patent right

Effective date of registration: 20220708
Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015
Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Patentee before: Qizhi software (Beijing) Co., Ltd