CN103136477A - Scanning method and scanning system for file samples - Google Patents

Publication number
CN103136477A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2013100712726A
Other languages
Chinese (zh)
Other versions
CN103136477B (en)
Inventor
冯鑫
李振博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201310071272.6A
Publication of CN103136477A
Application granted
Publication of CN103136477B
Legal status: Active

Abstract

The invention discloses a scanning method and a scanning system for file samples. In the method, for the grey file samples among the file samples, grey file samples to be scanned are selected from the stored grey file samples according to a preset strategy; an assessor for scanning the grey file samples is selected according to the update records of each assessor and/or the scan records of each assessor; and the selected assessor scans the grey file samples to be scanned and the scan results are stored, so that a scan result can be returned when a request asking whether a file sample is safe is received. A grey file sample is a file sample whose safety is unknown. The invention saves resources of the scanning devices, improves scanning efficiency and increases scanning speed.

Description

Scanning method and system for file samples
Technical field
The present invention relates to the field of computer network security, and in particular to a scanning method and system for file samples.
Background art
In the field of network security, virus files usually have to be detected and removed. "Virus file" is a general term for any application file deliberately created to perform unauthorized and usually harmful actions. Examples include computer viruses, backdoor programs, keyloggers, password stealers, Word and Excel macro viruses, boot-sector viruses, script viruses, Trojans and so on.
In the prior art, detection and removal of virus files relies mainly on the signature-database approach. A signature database consists of the signatures of virus file samples collected by the vendor. A signature is a segment of file code, similar to a "keyword", that analysis engineers extract after finding where a virus file differs from a normal file. During scanning, the engine reads a file and matches it against all signatures in the signature database; if a segment of the file's code is hit, the file is judged to be a virus file.
However, the number of virus files is now growing geometrically. With growth this explosive, the generation and updating of signature databases often lags behind, and in many cases the standalone scanning engine on a terminal cannot detect unknown virus files.
Active defense methods were therefore developed in the prior art. In an active defense method, analysis and judgement are made independently on the basis of file behaviour, and detection and removal are performed in real time. Signatures are not used as the basis for judging a virus file; instead, starting from the original definition of the file, file behaviour is used directly as the basis for the judgement. Behaviours are derived locally using the signature database, behaviour thresholds are set and evaluated locally, and virus files are intercepted by local heuristic antivirus scanning, which protects the terminal to a certain extent.
However, the local active defense method described above also has problems that need to be solved. First, local active defense is easily evaded by virus files. For example, packing a virus file lets it avoid the signature-database detection mode of local active defense; and reducing or replacing the behaviours that a virus file performs keeps it from reaching the limit that triggers the behaviour-threshold detection mode. In addition, local active defense depends on the local database being updated promptly; if the database is not updated in time, virus files go undiscovered.
To address these problems, the prior art also includes active defense methods based on cloud security, which do not rely on a local database and instead perform the analysis and comparison operations of active defense on the server side.
However, for cloud-security active defense methods, the file samples to be scanned usually number in the hundreds of millions. Each assessor that scans file samples can have its signature database set by dedicated analysts, so scanned file samples may be subject to false negatives or false positives. Because the signature databases are continually upgraded, rescanning file samples can make up for earlier false negatives and repair earlier false positives. But if all file samples are scanned once in every scan, a large amount of server-side resources is consumed each time.
Summary of the invention
In view of the above problems, the present invention provides a scanning method and system for file samples, to overcome the problem of excessive resource consumption when scanning files.
According to one aspect of the present invention, a scanning method for file samples is provided, the method comprising:
For the grey file samples among the file samples, selecting grey file samples to be scanned from the stored grey file samples according to a preset strategy;
Selecting an assessor for scanning the grey file samples according to the update record of each assessor and/or the scan record of the assessor;
Scanning the grey file samples to be scanned with the selected assessor and storing the scan result, so that the scan result is returned when a request asking whether a file sample is safe is received;
A grey file sample being a file sample whose safety is unknown.
Selecting grey file samples to be scanned from the stored grey file samples according to the preset strategy specifically comprises:
Deriving the false-negative rate of a grey file sample from the attributes of the grey file sample, and selecting grey file samples to be scanned from the stored grey file samples according to the false-negative rate.
The method further comprises:
For the dangerous file samples among the file samples, determining the assessors that reported a dangerous file sample as a virus file, a dangerous file sample being a file sample that an assessor has reported as a virus file;
Rescanning the dangerous file sample with the assessors that reported it as a virus file; if the scan result is that the dangerous file sample is no longer a virus file, determining that the dangerous file sample was falsely reported as a virus file, and performing a false-positive removal operation on it.
After determining the assessors that reported the dangerous file sample as a virus file, the method further comprises:
Deriving the false-positive rate of the dangerous file sample from the determined assessors, with a correspondence established between the number of assessors and the false-positive rate;
Selecting dangerous file samples to be scanned from the stored dangerous file samples according to the false-positive rate;
Rescanning the dangerous file sample with the assessors that reported it as a virus file specifically comprises:
For each dangerous file sample to be scanned, rescanning it with the assessors that reported it as a virus file.
The method further comprises:
When a request asking whether a file sample is safe is received, recording the received request in a log;
According to the records in the log, extracting the file samples whose number of queries within a preset time exceeds a preset popularity threshold, the extracted file samples being active file samples.
Deriving the false-negative rate of a grey file sample from its attributes specifically comprises:
Extracting the grey file samples from the active file samples, and deriving the false-negative rate of each extracted grey file sample from its attributes;
Selecting grey file samples to be scanned from the stored grey file samples according to the false-negative rate specifically comprises:
Selecting, from the extracted grey file samples, those whose false-negative rate exceeds a preset false-negative rate threshold, the selected grey file samples being the grey file samples to be scanned.
Determining the assessors that reported a dangerous file sample as a virus file specifically comprises:
Extracting the dangerous file samples from the active file samples, and determining the assessors that reported each extracted dangerous file sample as a virus file;
Selecting dangerous file samples to be scanned from the stored dangerous file samples according to the false-positive rate specifically comprises:
Selecting, from the extracted dangerous file samples, those whose false-positive rate exceeds a preset false-positive rate threshold, the selected dangerous file samples being the dangerous file samples to be scanned.
Deriving the false-negative rate of a grey file sample from its attributes specifically comprises:
Calculating the probability that the grey file sample is a virus file from statistics gathered on the features of virus files and from the attributes of the grey file sample, and using this probability as a parameter for calculating the false-negative rate of the grey file sample.
Calculating the probability that the grey file sample is a virus file from statistics gathered on the features of virus files and from the attributes of the grey file sample specifically comprises:
Calculating the probability that the grey file sample is a virus file from statistics gathered on the sizes of virus files and from the size of the grey file sample;
And/or,
Calculating the probability that the grey file sample is a virus file from statistics gathered on the paths of virus files and from the path of the grey file sample;
And/or,
Calculating the probability that the grey file sample is a virus file from a list of dangerous operation behaviours compiled from statistics on the operation behaviours of virus files and from the operation behaviours of the grey file sample.
Selecting an assessor for scanning the grey file samples according to the scan record of each assessor specifically comprises:
For each assessor and each grey file sample to be scanned, calculating the scan interval of the grey file sample with respect to the assessor from the number of times the assessor has scanned the grey file sample;
Selecting the assessor for scanning the grey file samples according to the scan interval.
Selecting an assessor for scanning the grey file samples according to the update record of each assessor specifically comprises:
Selecting, from the assessors and according to the update records, the assessors that have been updated since the last scan.
Before deriving the false-negative rate of a grey file sample from its attributes, the method further comprises:
Judging whether the first-discovery time of the grey file sample is earlier than a preset time threshold; if so, determining that the false-negative rate of the grey file sample is 0; if not, performing the operation of deriving the false-negative rate of the grey file sample from its attributes.
According to another aspect of the present invention, a scanning system for file samples is disclosed, the system comprising: a sample storage device, a scan-and-kill engine, a scan scheduling device, and a sample scanning device comprising a plurality of assessors;
The sample storage device is adapted to store file samples;
The scan scheduling device is adapted, for the grey file samples among the file samples, to select grey file samples to be scanned from the grey file samples stored in the sample storage device according to a preset strategy, and to select an assessor for scanning the grey file samples according to the update record of each assessor and/or the scan record of the assessor;
The sample scanning device is adapted to obtain the grey file samples to be scanned from the sample storage device, to scan them with the assessor selected by the scan scheduling device, and to store the scan result in the scan-and-kill engine;
The scan-and-kill engine is adapted to store the scan results of the file samples and to return the scan result when a request asking whether a file sample is safe is received;
A grey file sample being a file sample whose safety is unknown.
The scan scheduling device is specifically adapted to derive the false-negative rate of a grey file sample from the attributes of the grey file sample, and to select grey file samples to be scanned from the stored grey file samples according to the false-negative rate.
The scan scheduling device is further adapted, for the dangerous file samples among the file samples, to determine the assessors that reported a dangerous file sample as a virus file, a dangerous file sample being a file sample that an assessor has reported as a virus file;
The sample scanning device is further adapted to obtain the dangerous file sample from the sample storage device and to rescan it with the assessors determined by the scan scheduling device; if the scan result is that the dangerous file sample is no longer a virus file, the dangerous file sample is determined to have been falsely reported as a virus file, and a false-positive removal operation is performed on it.
The scan scheduling device is further adapted, after determining the assessors that reported the dangerous file sample as a virus file, to derive the false-positive rate of the dangerous file sample from the determined assessors, with a correspondence established between the number of assessors and the false-positive rate, and to select dangerous file samples to be scanned from the dangerous file samples stored in the sample storage device according to the false-positive rate;
The sample scanning device is specifically adapted, for each dangerous file sample to be scanned, to rescan it with the assessors that reported it as a virus file.
The scan-and-kill engine is further adapted to record the received request in a log when a request asking whether a file sample is safe is received;
The scan scheduling device is further adapted to extract, according to the records in the log, the file samples whose number of queries within a preset time exceeds a preset popularity threshold, the extracted file samples being active file samples.
The scan scheduling device is specifically adapted to extract the grey file samples from the active file samples, to derive the false-negative rate of each extracted grey file sample from its attributes, and to select, from the extracted grey file samples, those whose false-negative rate exceeds a preset false-negative rate threshold, the selected grey file samples being the grey file samples to be scanned.
The scan scheduling device is specifically adapted to extract the dangerous file samples from the active file samples, to determine the assessors that reported each extracted dangerous file sample as a virus file, to derive the false-positive rate of the extracted dangerous file sample from the determined assessors, and to select, from the extracted dangerous file samples, those whose false-positive rate exceeds a preset false-positive rate threshold, the selected dangerous file samples being the dangerous file samples to be scanned.
The scan scheduling device is specifically adapted to calculate the probability that the grey file sample is a virus file from statistics gathered on the features of virus files and from the attributes of the grey file sample, and to use this probability as a parameter for calculating the false-negative rate of the grey file sample.
The scan scheduling device is specifically adapted to calculate the probability that the grey file sample is a virus file from statistics gathered on the sizes of virus files and from the size of the grey file sample;
And/or,
To calculate the probability that the grey file sample is a virus file from statistics gathered on the paths of virus files and from the path of the grey file sample;
And/or,
To calculate the probability that the grey file sample is a virus file from a list of dangerous operation behaviours compiled from statistics on the operation behaviours of virus files and from the operation behaviours of the grey file sample.
The scan scheduling device is specifically adapted, for each assessor and each grey file sample to be scanned, to calculate the scan interval of the grey file sample with respect to the assessor from the number of times the assessor has scanned the grey file sample, and to select the assessor for scanning the grey file samples according to the scan interval.
The scan scheduling device is specifically adapted to select, from the assessors and according to the update records, the assessors that have been updated since the last scan.
The scan scheduling device is further adapted, before deriving the false-negative rate of a grey file sample from its attributes, to judge whether the first-discovery time of the grey file sample is earlier than a preset time threshold; if so, the false-negative rate of the grey file sample is determined to be 0; if not, the operation of deriving the false-negative rate of the grey file sample from its attributes is performed.
According to the technical solution for file sample scanning of the present invention, when the grey file samples among the file samples are scanned, grey file samples to be scanned are selected from the stored grey file samples according to a preset strategy; an assessor for scanning the grey file samples is selected according to the update record of each assessor and/or the scan record of the assessor; and the selected assessor scans the grey file samples to be scanned and the scan result is stored, so that the scan result is returned when a request asking whether a file sample is safe is received.
Because the grey file samples are selected according to a preset strategy and the assessors are selected according to the update record and/or the scan record of the assessors, the scanning workload is reduced while false negatives are still made up for. This solves the problem of heavy resource consumption caused by having to scan all file samples in every scan, and has the beneficial effects of saving the resources of the scanning equipment, improving scanning efficiency and increasing scanning speed.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention are more readily apparent, specific embodiments of the invention are set out below.
Description of drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a structural diagram of a scanning system for file samples according to an embodiment of the invention;
Fig. 2 shows a flow chart of a scanning method for file samples according to an embodiment of the invention;
Fig. 3 shows a flow chart of selecting grey file samples according to the false-negative rate according to an embodiment of the invention;
Fig. 4 shows a flow chart of scanning dangerous file samples in a scanning method for file samples according to an embodiment of the invention;
Fig. 5 shows a flow chart of scanning grey file samples in a scanning method for file samples according to an embodiment of the invention;
Fig. 6 shows a flow chart of scanning dangerous file samples in a scanning method for file samples according to an embodiment of the invention.
Embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope can be conveyed fully to those skilled in the art.
Referring to Fig. 1, a scanning system for file samples according to an embodiment of the invention is shown. The system comprises: sample storage device 100, scan-and-kill engine 200, scan scheduling device 300, and sample scanning device 400 comprising a plurality of assessors. The devices of the system may all be located in the same physical equipment, or they may be located in different physical equipment.
Sample storage device 100 is adapted to store file samples.
Scan scheduling device 300 is adapted, for the grey file samples among the file samples, to select grey file samples to be scanned from the grey file samples stored in sample storage device 100 according to a preset strategy, and to select an assessor for scanning the grey file samples according to the update record of each assessor and/or the scan record of the assessor. An assessor may be an antivirus application used to detect the safety of file samples, for example BitDefender (an antivirus application from Romania), the antivirus application provided by QVM (Qihoo Support Vector Machine), a cloud antivirus engine, and so on. A grey file sample is a file sample whose safety is unknown.
Specifically, scan scheduling device 300 derives the false-negative rate of a grey file sample from the attributes of the grey file sample, and selects grey file samples to be scanned from the stored grey file samples according to the false-negative rate.
For example, scan scheduling device 300 calculates the probability that the grey file sample is a virus file from statistics gathered on the features of virus files and from the attributes of the grey file sample, and uses this probability as a parameter for calculating the false-negative rate of the grey file sample.
For example, scan scheduling device 300 gathers statistics on the size, path and/or behaviour of virus files, and derives from those statistics the probability that a file sample is a virus file.
Scan scheduling device 300 calculates the probability that the grey file sample is a virus file from statistics gathered on the sizes of virus files and from the size of the grey file sample.
Virus files are usually small so that they can spread. Statistics are gathered on virus files, for example using Hadoop (a distributed computing platform), to obtain a curve relating file size to virus-report rate, and the probability that a grey file sample is a virus file is read from the curve.
If the probability derived from the size of the grey file sample is the only parameter used to calculate the false-negative rate, this probability is taken as the false-negative rate, and the grey file samples whose false-negative rate exceeds the preset false-negative rate threshold are selected as the grey file samples to be scanned. For example, if the false-negative rate threshold is 0.001% and the virus-report rate of file samples larger than 10M is 0.001%, the grey file samples smaller than 10M are selected as the grey file samples to be scanned.
Scan scheduling device 300 calculates the probability that the grey file sample is a virus file from statistics gathered on the paths of virus files and from the path of the grey file sample.
Offline statistics on the paths of virus files, gathered for example using Hadoop (a distributed computing platform), yield a curve relating file path to virus-report rate, and the probability that a grey file sample is a virus file is read from the curve.
If the probability derived from the path of the grey file sample is the only parameter used to calculate the false-negative rate, this probability is taken as the false-negative rate, and the grey file samples whose false-negative rate exceeds the preset false-negative rate threshold are selected as the grey file samples to be scanned.
Scan scheduling device 300 calculates the probability that the grey file sample is a virus file from a list of dangerous operation behaviours compiled from statistics on the operation behaviours of virus files and from the operation behaviours of the grey file sample.
The list of dangerous operation behaviours may include one or more of the following operation behaviours:
Writing registry entries for automatic loading at startup;
Modifying the registry;
Modifying system files;
Modifying specified application files;
Performing cross-process injection;
Terminating processes;
Modifying web page content in the browser; and
Recording keyboard operations.
The probability that a grey file sample is a virus file is calculated from the number of dangerous operation behaviours the grey file sample triggers. The more dangerous operation behaviours it triggers, the higher the probability that the grey file sample is a virus file. For example, the number of dangerous operation behaviours triggered by the grey file sample is obtained and divided by the total number of dangerous operation behaviours in the list, which gives the probability that the grey file sample is a virus file.
If the probability derived from the number of dangerous operation behaviours triggered by the grey file sample is the only parameter used to calculate the false-negative rate, this probability is taken as the false-negative rate, and the grey file samples whose false-negative rate exceeds the preset false-negative rate threshold are selected as the grey file samples to be scanned.
If several of the probabilities derived above are used as parameters for calculating the false-negative rate, a weight can be set for each parameter, and the weighted sum of the parameters gives the false-negative rate of the grey file sample.
When selecting an assessor, the assessor for scanning the grey file samples can be selected according to the scan record of each assessor.
For each assessor and each grey file sample to be scanned, scan scheduling device 300 calculates the scan interval of the grey file sample with respect to the assessor from the number of times the assessor has scanned the grey file sample, and selects the assessor for scanning the grey file samples according to the scan interval. The more times a sample has been scanned, the longer the scan interval. For example, the scan interval is calculated with the formula T=(logN) * 1.5+1, where N is the number of times a given assessor has scanned a given grey file sample and T is the scan interval of that grey file sample with respect to that assessor.
When selecting an assessor, the assessor for scanning the grey file samples can also be selected according to the update record of each assessor. Scan scheduling device 300 selects, from the assessors and according to the update records, the assessors that have been updated since the last scan.
The assessor for scanning the grey file samples can also be selected according to both the update record of each assessor and the scan record of the assessor. For example, the assessors that have been updated since the last scan are selected first, and assessors are then selected from among them by scan interval.
Sample scanning device 400 is adapted to obtain the grey file samples to be scanned from sample storage device 100, to scan them with the assessor selected by scan scheduling device 300, and to store the scan result in scan-and-kill engine 200.
Scan-and-kill engine 200 is adapted to store the scan results of the file samples and to return the scan result when a request asking whether a file sample is safe is received.
While still making up for false negatives, this embodiment reduces the scanning workload. It thereby solves the problem of heavy resource consumption caused by having to scan all file samples in every scan, and has the beneficial effects of saving the resources of the scanning equipment, increasing scanning speed and improving scanning efficiency.
In a preferred embodiment, scan scheduling device 300 is further adapted, before deriving the false-negative rate of a grey file sample from its attributes, to judge whether the first-discovery time of the grey file sample is earlier than a preset time threshold; if so, the false-negative rate of the grey file sample is determined to be 0; if not, the above operation of deriving the false-negative rate of the grey file sample from its attributes is performed.
This is because the earlier a grey file sample was discovered, the less likely it is to have been missed. When the first-discovery time is earlier than the preset time threshold, the grey file sample is no longer scanned, which further reduces unnecessary scan operations, saves the resources used to scan file samples, and improves scanning efficiency.
In another embodiment of the present invention, the dangerous file samples among the file samples are scanned. A dangerous file sample is a file sample that an assessor has reported as a virus file. A dangerous file sample is scanned with the assessors that reported it as a virus file; if, after scanning, all of those assessors determine that the dangerous file sample is not a virus file, a false-positive removal operation is performed on it. The specific technical solution of this embodiment is as follows.
The sample storage device 100 is adapted to store file samples.
The scan schedule device 300 is further adapted, for a dangerous file sample among the file samples, to determine the assessors that report the dangerous file sample as a virus file.
The scan sample device 400 is further adapted to obtain the dangerous file sample from the sample storage device 100 and to rescan it with the assessors determined by the scan schedule device 300. If the scan result is that the dangerous file sample is no longer a virus file, the dangerous file sample is determined to be a falsely reported file sample and a false-positive removal operation is performed on it.
The false-positive removal operation may be deleting the record that the file sample is a virus file, or updating the record of the file sample from dangerous file sample to grey file sample or white file sample. A white file sample is a file sample determined to be harmless.
The killing engine 200 is adapted to store the scan results of the file samples and, on receiving a request inquiring whether a file sample is safe, to return the scan result.
In this embodiment, a dangerous file sample is scanned only with the assessors that reported it as a virus file. False positives are therefore still corrected while the number of scan operations is reduced and scanning efficiency is improved.
Further, the false-positive rate of each dangerous file sample is calculated, and the dangerous file samples to be scanned are selected according to the false-positive rate. This further reduces the number of dangerous file samples scanned.
After determining the assessors that report a dangerous file sample as a virus file, the scan schedule device 300 derives the false-positive rate of the dangerous file sample from the determined assessors, establishing a correspondence between the number of assessors and the false-positive rate. The more assessors are determined, the lower the false-positive rate of the dangerous file sample.
The scan schedule device 300 also selects the dangerous file samples to be scanned, according to the false-positive rate, from the dangerous file samples stored in the sample storage device 100.
For example, for the assessors that report a dangerous file sample as a virus file, an accuracy rate for that dangerous file may be set for each assessor; the accuracy rates are added to give a sum, the sum is subtracted from 1 to give the false-positive rate of the dangerous file sample, and the dangerous file samples whose false-positive rate is greater than a preset false-positive-rate threshold are selected as the dangerous file samples to be scanned.
When setting the accuracy rate for a dangerous file, if an analyst has marked the file as a virus file, the accuracy rate is directly set to 1. For each assessor, the accuracy rate is set according to the degree of trust in that assessor and the number of times that assessor has scanned the dangerous file; the more scans, the higher the accuracy rate. For example, if the degree of trust in antivirus engine A is high, then once the number of scans by antivirus engine A exceeds a scan threshold, the accuracy rate of antivirus engine A for that dangerous file is determined to be 1.
Selecting dangerous file samples according to the false-positive rate thus further reduces unnecessary scan operations, saves the resources used to scan file samples and improves scanning efficiency.
Further, from the determined assessors that report the dangerous file sample as a virus file, the assessors used to scan the dangerous file sample are selected according to the update records and/or the scan records of the assessors.
Among the assessors that determined the dangerous file sample to be a virus file, the assessors used to scan the dangerous file sample may be selected according to the scan record of each assessor.
For each determined assessor and each dangerous file sample to be scanned, the scan schedule device 300 calculates the scan interval of that dangerous file sample for that assessor from the number of times the assessor has scanned the sample, and selects the assessor used to scan the dangerous file sample according to the scan interval. The more scans there have been, the longer the scan interval. For example, the scan interval is calculated with the formula T = (log N) * 1.5 + 1, where N is the number of times a given assessor has scanned a given dangerous file sample and T is the scan interval of that dangerous file sample for that assessor.
Among the assessors that determined the dangerous file sample to be a virus file, the assessors used to scan the dangerous file sample may instead be selected according to the update record of each assessor. According to the update records, the scan schedule device 300 selects, from those assessors, the ones that have been updated since the last scan.
Alternatively, the assessors used to scan the dangerous file sample may be selected according to both the update record and the scan record of each assessor. For example, among the assessors that determined the dangerous file sample to be a virus file, those that have been updated since the last scan are selected first, and assessors are then selected from among them by scan interval.
Selecting assessors according to their update records and/or scan records thus further reduces unnecessary scan operations, saves the resources used to scan file samples and improves scanning efficiency.
In another embodiment of the present invention, the popularity with which file samples are queried is counted, and file samples are selected from the active file samples, whose popularity is high. This further reduces the number of file samples scanned and improves scanning efficiency.
The killing engine 200 is further adapted, on receiving a request inquiring whether a file sample is safe, to record the received request in a log.
The scan schedule device 300 is further adapted to extract, according to the records in the log, the file samples whose number of queries within a preset time is greater than a preset popularity threshold; the extracted file samples are the active file samples. An active file sample is a file sample with high popularity, that is, one whose query frequency is greater than a predetermined threshold.
Thus, when grey file samples are scanned, the scan schedule device 300 extracts the grey file samples from the active file samples, derives the false-negative rate of each extracted grey file sample from its attributes, and selects from the extracted grey file samples those whose false-negative rate is greater than the preset false-negative-rate threshold; the selected grey file samples are the grey file samples to be scanned.
When dangerous file samples are scanned, the scan schedule device 300 extracts the dangerous file samples from the active file samples, determines the assessors that report each extracted dangerous file sample as a virus file, derives the false-positive rate of each extracted dangerous file sample from the determined assessors, and selects from the extracted dangerous file samples those whose false-positive rate is greater than the preset false-positive-rate threshold; the selected dangerous file samples are the dangerous file samples to be scanned.
The scanning of grey file samples is described below with reference to a specific example.
The scanning system for file samples comprises: the sample storage device 100, the killing engine 200, the scan schedule device 300, and the scan sample device 400, which contains a plurality of assessors. In this specific example, the MD5 (Message Digest Algorithm 5) value of a file sample is used as the identifier of the file sample. Alternatively, the 40-byte md5+sha1 character string may be used as the unique identifier of a file sample, to avoid the identifier collision that arises when only md5 is used as the identifier, that is, when the md5 values calculated for two different file samples are identical and the identifiers of the two file samples collide. The scan schedule device 300 stores a file sample information base, which holds attribute information and other related information for each file sample; for example, for each file sample it stores the size, path and operation behaviours of the file sample, whether the file sample is a dangerous file sample or a grey file sample and, when the file sample is a dangerous file sample, the assessors that report it as a virus file.
The sample storage device 100 stores the file samples.
The killing engine 200 stores the scan results of the file samples and, on receiving a request inquiring whether a file sample is safe, returns the scan result; on receiving such a request it also records the received request in a log. The received request contains the MD5 value of the file sample.
According to the records in the log, the scan schedule device 300 extracts the file samples whose number of queries within a preset time is greater than a preset popularity threshold; the extracted file samples are the active file samples.
The scan schedule device 300 extracts the grey file samples from the active file samples, obtains the attributes of each grey file sample from the file sample information base according to its MD5 value, derives the false-negative rate of the grey file sample from the obtained attributes, and selects from the extracted grey file samples those whose false-negative rate is greater than the preset false-negative-rate threshold; the selected grey file samples are the grey file samples to be scanned.
The scan schedule device 300 selects the assessors used to scan the grey file samples according to the update record and the scan record of each assessor.
The scan sample device 400 obtains the grey file samples to be scanned from the sample storage device 100, scans them with the assessors selected by the scan schedule device 300, and stores the scan results in the killing engine 200.
The scanning of dangerous file samples is described below with reference to a specific example.
The sample storage device 100 stores the file samples.
The killing engine 200 stores the scan results of the file samples and, on receiving a request inquiring whether a file sample is safe, returns the scan result; on receiving such a request it also records the received request in a log. The received request contains the MD5 value of the file sample.
According to the records in the log, the scan schedule device 300 extracts the file samples whose number of queries within a preset time is greater than a preset popularity threshold; the extracted file samples are the active file samples.
The scan schedule device 300 extracts the dangerous file samples from the active file samples, reads the information in the information base according to the MD5 value of each dangerous file sample, determines the assessors that report the extracted dangerous file sample as a virus file, derives the false-positive rate of the extracted dangerous file sample from the determined assessors, and selects from the extracted dangerous file samples those whose false-positive rate is greater than the preset false-positive-rate threshold; the selected dangerous file samples are the dangerous file samples to be scanned.
For each dangerous file sample to be scanned, the scan schedule device 300 selects the assessors used to scan it, from the determined assessors that report it as a virus file, according to the update records and/or the scan records of the assessors.
The scan sample device 400 obtains the dangerous file samples to be scanned from the sample storage device 100 and, for each of them, rescans the dangerous file sample with the assessors determined by the scan schedule device 300. If the scan results of all the assessors are that the dangerous file sample is no longer a virus file, the dangerous file sample is determined to be a file sample falsely reported as a virus file, and a false-positive removal operation is performed on it.
The file scanning system of the present invention has been described above. While ensuring that missed detections are made up for and false positives are corrected, the system reduces the scanning workload. It thereby solves the problem that scanning every file sample consumes a large amount of resources, and achieves the beneficial effects of saving the resources of the scanning equipment, improving scanning efficiency and increasing scanning speed.
Referring to Fig. 2, a method for scanning file samples according to an embodiment of the present invention is shown.
Step S210: for the grey file samples among the file samples, select the grey file samples to be scanned from the stored grey file samples according to a preset strategy.
Specifically, in step S210, the false-negative rate of each grey file sample is derived from the attributes of the grey file sample, and the grey file samples to be scanned are selected from the stored grey file samples according to the false-negative rate. For example, the probability that a grey file sample is a virus file is calculated from statistics gathered on the features of virus files together with the attributes of the grey file sample, and this probability is used as a parameter for calculating the false-negative rate of the grey file sample.
For example, statistics are gathered on the size, path and/or behaviour of virus files, and the probability that a file sample is a virus file is derived from the statistics.
The probability that a grey file sample is a virus file is calculated from the statistics gathered on the size of virus files together with the size of the grey file sample.
Virus files are usually small, so that they can spread. Statistics are gathered on virus files, for example using Hadoop (a distributed computing platform), to give a curve relating file size to the virus-report rate, and the probability that a grey file sample is a virus file is derived from the curve.
If only the probability derived from the size of the grey file sample is used as the parameter for calculating the false-negative rate, that probability is taken as the false-negative rate, and the grey file samples whose false-negative rate is greater than the preset false-negative-rate threshold are selected as the grey file samples to be scanned. For example, if the false-negative-rate threshold is 0.001% and the virus-report rate of file samples with a file size of more than 10M is 0.001%, the grey file samples smaller than 10M are selected as the grey file samples to be scanned.
The probability that a grey file sample is a virus file is calculated from the statistics gathered on the paths of virus files together with the path of the grey file sample.
Offline statistics on the paths of virus files, gathered for example using Hadoop (a distributed computing platform), give a curve relating file path to the virus-report rate, and the probability that a grey file sample is a virus file is derived from the curve.
If only the probability derived from the path of the grey file sample is used as the parameter for calculating the false-negative rate, that probability is taken as the false-negative rate, and the grey file samples whose false-negative rate is greater than the preset false-negative-rate threshold are selected as the grey file samples to be scanned.
The probability that a grey file sample is a virus file is calculated from the list of risky operation behaviours, which is drawn up from statistics on the operation behaviours of virus files, together with the operation behaviours of the grey file sample.
The list of risky operation behaviours may include one or more of the following operation behaviours:
Writing to the registry for automatic loading;
Modifying the registry;
Modifying system files;
Modifying specified application files;
Performing inter-process injection;
Terminating processes;
Modifying web page content in the browser; and
Recording keyboard operations.
The probability that a grey file sample is a virus file is calculated from the number of risky operation behaviours that the grey file sample triggers. The more risky operation behaviours are triggered, the higher the probability that the grey file sample is a virus file. For example, the number of risky operation behaviours triggered by the grey file sample is obtained and divided by the total number of risky operation behaviours in the list, giving the probability that the grey file sample is a virus file.
If only the probability derived from the number of risky operation behaviours triggered by the grey file sample is used as the parameter for calculating the false-negative rate, that probability is taken as the false-negative rate, and the grey file samples whose false-negative rate is greater than the preset false-negative-rate threshold are selected as the grey file samples to be scanned.
If several of the above probabilities are used as parameters for calculating the false-negative rate, a weight may be set for each parameter, and the weighted sum of the parameters gives the false-negative rate of the grey file sample.
Step S220: select the assessor used to scan the grey file samples according to the update record and/or the scan record of each assessor.
An assessor may be an antivirus application used to detect the security of file samples, for example BitDefender (an antivirus application from Romania), the antivirus applications provided by QVM (Qihoo Support Vector Machine), and cloud antivirus engines. A grey file sample is a file sample whose security is unknown.
Specifically, when selecting an assessor, the assessor used to scan the grey file sample may be selected according to the scan record of each assessor.
For each assessor and each grey file sample to be scanned, the scan interval of that grey file sample for that assessor is calculated from the number of times the assessor has scanned the sample, and the assessor used to scan the grey file sample is selected according to the scan interval. The more scans there have been, the longer the scan interval. For example, the scan interval is calculated with the formula T = (log N) * 1.5 + 1, where N is the number of times a given assessor has scanned a given grey file sample and T is the scan interval of that grey file sample for that assessor.
When selecting an assessor, the assessor used to scan the grey file sample may also be selected according to the update record of each assessor. Specifically, the assessors that have been updated since the last scan are selected from the assessors according to the update records.
Alternatively, the assessor used to scan the grey file sample may be selected according to both the update record and the scan record of each assessor. For example, the assessors that have been updated since the last scan are selected first, and assessors are then selected from among them by scan interval.
Step S230: scan the grey file samples to be scanned with the selected assessor and store the scan results, so that the scan result is returned when a request inquiring whether a file sample is safe is received.
While ensuring that missed detections are made up for, this embodiment reduces the scanning workload. It thereby solves the problem that scanning every file sample consumes a large amount of resources, and achieves the beneficial effects of saving the resources of the scanning equipment, increasing scanning speed and improving scanning efficiency.
In a preferred embodiment, Fig. 3 shows a flow chart of selecting grey file samples according to the false-negative rate according to an embodiment of the present invention; step S210 comprises the following steps.
Step S2102: extract a grey file sample.
Step S2104: judge whether the first discovery time of the grey file sample is earlier than the preset time threshold; if so, perform step S2106; if not, perform step S2108.
Step S2106: determine that the false-negative rate of the grey file sample is 0, then perform step S2110.
Step S2108: derive the false-negative rate of the grey file sample from its attributes, then perform step S2110.
Step S2110: judge whether all the grey file samples have been extracted; if so, perform step S2112; otherwise, perform step S2102.
Step S2112: select the grey file samples to be scanned from the stored grey file samples according to the false-negative rate.
This is because the earlier a grey file sample was discovered, the less likely it is to have been missed. When the first discovery time is earlier than the preset time threshold, the grey file sample is no longer scanned, which further reduces unnecessary scan operations, saves the resources used to scan file samples and improves scanning efficiency.
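The selection of steps S2102 to S2112 can be sketched as follows. This is an added example, not code from the patent: the behaviour identifiers, weights, threshold, cutoff date and sample records are constructed, and the size and path probabilities are assumed to have been read off the statistical curves beforehand.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical identifiers for the eight risky operation behaviours in the list.
RISKY_BEHAVIOURS = frozenset({
    "registry_autoload_write", "registry_modify", "system_file_modify",
    "app_file_modify", "inter_process_injection", "process_terminate",
    "browser_page_modify", "keyboard_record",
})


@dataclass
class GreySample:
    md5: str               # identifier of the file sample
    first_seen: datetime   # first discovery time
    size_prob: float       # assumed: taken from the size / virus-report-rate curve
    path_prob: float       # assumed: taken from the path / virus-report-rate curve
    behaviours: frozenset  # operation behaviours observed for the sample


def behaviour_probability(behaviours):
    """Triggered risky behaviours divided by the total number in the list."""
    return len(RISKY_BEHAVIOURS & set(behaviours)) / len(RISKY_BEHAVIOURS)


def false_negative_rate(sample, cutoff, weights):
    # S2104 / S2106: a sample first seen before the cutoff gets rate 0.
    if sample.first_seen < cutoff:
        return 0.0
    # S2108: weighted sum of the per-attribute probabilities.
    return (weights["size"] * sample.size_prob
            + weights["path"] * sample.path_prob
            + weights["behaviour"] * behaviour_probability(sample.behaviours))


def select_grey_samples(samples, cutoff, weights, threshold):
    """S2102-S2112: rate every grey sample, keep those above the threshold."""
    rates = {s.md5: false_negative_rate(s, cutoff, weights) for s in samples}
    selected = [s.md5 for s in samples if rates[s.md5] > threshold]
    return selected, rates


# Constructed values, for illustration only.
CUTOFF = datetime(2012, 1, 1)
WEIGHTS = {"size": 0.2, "path": 0.3, "behaviour": 0.5}
THRESHOLD = 0.3
SAMPLES = [
    # Recent sample, 4 of 8 risky behaviours: 0.08 + 0.18 + 0.25 = 0.51
    GreySample("a" * 32, datetime(2013, 2, 1), 0.4, 0.6, frozenset({
        "registry_autoload_write", "system_file_modify",
        "inter_process_injection", "keyboard_record"})),
    # Old sample: rate forced to 0 however suspicious its attributes look.
    GreySample("b" * 32, datetime(2010, 5, 1), 0.9, 0.9,
               frozenset(RISKY_BEHAVIOURS)),
    # Recent sample whose only behaviour is not in the list: 0.02 + 0.03 = 0.05
    GreySample("c" * 32, datetime(2013, 2, 20), 0.1, 0.1,
               frozenset({"file_read"})),
]

if __name__ == "__main__":
    chosen, all_rates = select_grey_samples(SAMPLES, CUTOFF, WEIGHTS, THRESHOLD)
    for md5, rate in all_rates.items():
        print(md5[:8], round(rate, 3), "scan" if md5 in chosen else "skip")
```
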
In another embodiment of the present invention, the dangerous file samples among the file samples are scanned. A dangerous file sample is a file sample that an assessor has reported as a virus file. A dangerous file sample is scanned with the assessors that reported it as a virus file; if, after scanning, all of those assessors determine that the dangerous file sample is not a virus file, a false-positive removal operation is performed on it. The specific technical solution of this embodiment is as follows.
Referring to Fig. 4, the flow of scanning dangerous file samples in a method for scanning file samples according to an embodiment of the present invention is shown; it comprises the following steps.
Step S410: for a dangerous file sample among the file samples, determine the assessors that report the dangerous file sample as a virus file.
Step S420: rescan the obtained dangerous file sample with the assessors that report it as a virus file; if the scan result is that the dangerous file sample is no longer a virus file, determine that the dangerous file sample is a file sample falsely reported as a virus file, and perform a false-positive removal operation on it.
The false-positive removal operation may be deleting the record that the file sample is a virus file, or updating the record of the file sample from dangerous file sample to grey file sample or white file sample. A white file sample is a file sample determined to be harmless.
In this embodiment, a dangerous file sample is scanned only with the assessors that reported it as a virus file. False positives are therefore still corrected while the number of scan operations is reduced and scanning efficiency is improved.
Further, the false-positive rate of each dangerous file sample is calculated, and the dangerous file samples to be scanned are selected according to the false-positive rate. This further reduces the number of dangerous file samples scanned.
After step S410, the method comprises: deriving the false-positive rate of the dangerous file sample from the determined assessors, establishing a correspondence between the number of assessors and the false-positive rate, and selecting the dangerous file samples to be scanned from the stored dangerous file samples according to the false-positive rate. The more assessors are determined, the lower the false-positive rate of the dangerous file sample.
For example, for the assessors that report a dangerous file sample as a virus file, an accuracy rate for that dangerous file may be set for each assessor; the accuracy rates are added to give a sum, the sum is subtracted from 1 to give the false-positive rate of the dangerous file sample, and the dangerous file samples whose false-positive rate is greater than a preset false-positive-rate threshold are selected as the dangerous file samples to be scanned.
When setting the accuracy rate for a dangerous file, if an analyst has marked the file as a virus file, the accuracy rate is directly set to 1. For each assessor, the accuracy rate is set according to the degree of trust in that assessor and the number of times that assessor has scanned the dangerous file; the more scans, the higher the accuracy rate. For example, if the degree of trust in antivirus engine A is high, then once the number of scans by antivirus engine A exceeds a scan threshold, the accuracy rate of antivirus engine A for that dangerous file is determined to be 1.
Selecting dangerous file samples according to the false-positive rate thus further reduces unnecessary scan operations, saves the resources used to scan file samples and improves scanning efficiency.
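The false-positive-rate calculation and the rescan of steps S410 and S420 can be put together as below. This is an added example, not code from the patent: the accuracy function, the trust and threshold constants, the clamping of the rate at 0, the engine stand-ins and the records are all assumptions constructed for illustration.

```python
import copy

HIGH_TRUST = 0.9      # assumed cut-off for a highly trusted assessor
SCAN_THRESHOLD = 10   # assumed scan-count threshold


def assessor_accuracy(trust, scans):
    """Accuracy grows with trust and scan count (the exact form is an assumption)."""
    if trust >= HIGH_TRUST and scans > SCAN_THRESHOLD:
        return 1.0  # highly trusted engine past the scan threshold
    return trust * min(scans, SCAN_THRESHOLD) / SCAN_THRESHOLD


def false_positive_rate(reporters, analyst_confirmed=False):
    """1 minus the summed accuracy of the assessors that report the sample."""
    if analyst_confirmed:
        return 0.0  # analyst marked it as a virus: accuracy 1, rate 0
    total = sum(assessor_accuracy(t, n) for t, n in reporters.values())
    return max(0.0, 1.0 - total)  # clamp: the sum can exceed 1 (assumption)


def rescan_dangerous(record, engines, fp_threshold):
    """Rescan with the reporting assessors only; clear the record if none still flags it."""
    rate = false_positive_rate(record["reporters"], record["analyst_confirmed"])
    if rate <= fp_threshold:
        return "skipped"
    still_flagged = [name for name in record["reporters"]
                     if engines[name](record["md5"])]
    if still_flagged:
        return "still_dangerous"
    # False-positive removal: here the record is updated from dangerous to grey.
    record["status"] = "grey"
    record["reporters"] = {}
    return "false_positive_removed"


def make_engine(flagged):
    """Constructed stand-in for an assessor: flags a fixed set of MD5 values."""
    return lambda md5: md5 in flagged


# Constructed identifiers and records; reporters map name -> (trust, scan count).
M1, M2, M3, M4 = "1" * 32, "2" * 32, "3" * 32, "4" * 32
ENGINES = {
    "engine_a": make_engine({M2}),
    "engine_b": make_engine(set()),   # an update removed its old detections
    "engine_c": make_engine({M3}),
}
RECORDS = {
    M1: {"md5": M1, "status": "dangerous", "analyst_confirmed": False,
         "reporters": {"engine_b": (0.5, 4)}},                         # rate 0.8
    M2: {"md5": M2, "status": "dangerous", "analyst_confirmed": False,
         "reporters": {"engine_a": (0.95, 12)}},                       # rate 0.0
    M3: {"md5": M3, "status": "dangerous", "analyst_confirmed": False,
         "reporters": {"engine_b": (0.5, 4), "engine_c": (0.4, 5)}},   # rate 0.6
    M4: {"md5": M4, "status": "dangerous", "analyst_confirmed": True,
         "reporters": {"engine_b": (0.5, 4)}},                         # rate 0.0
}


def run_demo(fp_threshold=0.5):
    records = copy.deepcopy(RECORDS)
    outcomes = {md5: rescan_dangerous(rec, ENGINES, fp_threshold)
                for md5, rec in records.items()}
    return outcomes, records


if __name__ == "__main__":
    for md5, outcome in run_demo()[0].items():
        print(md5[:4], outcome)
```
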
Further, after step S410 the method also comprises: from the determined assessors that report the dangerous file sample as a virus file, selecting the assessors used to scan the dangerous file sample according to the update records and/or the scan records of the assessors.
Among the assessors that determined the dangerous file sample to be a virus file, the assessors used to scan the dangerous file sample may be selected according to the scan record of each assessor.
For each determined assessor and each dangerous file sample to be scanned, the scan interval of that dangerous file sample for that assessor is calculated from the number of times the assessor has scanned the sample, and the assessor used to scan the dangerous file sample is selected according to the scan interval. The more scans there have been, the longer the scan interval. For example, the scan interval is calculated with the formula T = (log N) * 1.5 + 1, where N is the number of times a given assessor has scanned a given dangerous file sample and T is the scan interval of that dangerous file sample for that assessor.
Among the assessors that determined the dangerous file sample to be a virus file, the assessors used to scan the dangerous file sample may instead be selected according to the update record of each assessor. For example, the assessors that have been updated since the last scan are selected from those assessors according to the update records.
Alternatively, the assessors used to scan the dangerous file sample may be selected according to both the update record and the scan record of each assessor. For example, among the assessors that determined the dangerous file sample to be a virus file, those that have been updated since the last scan are selected first, and assessors are then selected from among them by scan interval.
Selecting assessors according to their update records and/or scan records thus further reduces unnecessary scan operations, saves the resources used to scan file samples and improves scanning efficiency.
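The assessor selection described for grey file samples (step S220) and for dangerous file samples above follows the same rule, sketched here as an added example that is not code from the patent. The text does not state the base of the logarithm or the unit of T; the natural logarithm and days are assumed, as is the treatment of an assessor that has never scanned the sample, and the assessor names and timestamps are constructed.

```python
import math
from datetime import datetime, timedelta


def scan_interval(n):
    """T = (log N) * 1.5 + 1, in days (natural log and days are assumptions)."""
    if n < 1:
        return 0.0  # never scanned: log N is undefined, so no waiting period
    return math.log(n) * 1.5 + 1


def select_assessors(candidates, history, updated_at, now,
                     use_update=True, use_interval=True):
    """Pick the assessors that should scan one sample now.

    candidates: all assessors for a grey sample, or only the assessors that
                reported the sample as a virus file for a dangerous sample.
    history:    assessor -> (scan count, time of last scan) for this sample.
    updated_at: assessor -> time of its last update.
    """
    chosen = []
    for name in candidates:
        count, last_scan = history.get(name, (0, None))
        if last_scan is None:
            chosen.append(name)  # assumption: a first scan is always due
            continue
        # Update record: keep only assessors updated after their last scan.
        if use_update and updated_at[name] <= last_scan:
            continue
        # Scan record: keep only assessors whose scan interval has elapsed.
        if use_interval and now - last_scan < timedelta(days=scan_interval(count)):
            continue
        chosen.append(name)
    return chosen


# Constructed state for one file sample.
NOW = datetime(2013, 3, 10, 12, 0)
CANDIDATES = ["engine_x", "engine_y", "engine_z", "engine_w"]
HISTORY = {
    "engine_x": (8, NOW - timedelta(days=3)),  # T is about 4.12 days: not yet due
    "engine_y": (1, NOW - timedelta(days=2)),  # T = 1 day: due
    "engine_z": (8, NOW - timedelta(days=5)),  # T is about 4.12 days: due
    # engine_w has never scanned this sample
}
UPDATED_AT = {
    "engine_x": NOW - timedelta(days=1),  # updated since its last scan
    "engine_y": NOW - timedelta(days=5),  # not updated since its last scan
    "engine_z": NOW - timedelta(days=1),  # updated since its last scan
    "engine_w": NOW - timedelta(days=9),
}

if __name__ == "__main__":
    print("update record only:",
          select_assessors(CANDIDATES, HISTORY, UPDATED_AT, NOW, use_interval=False))
    print("scan record only:  ",
          select_assessors(CANDIDATES, HISTORY, UPDATED_AT, NOW, use_update=False))
    print("both:              ",
          select_assessors(CANDIDATES, HISTORY, UPDATED_AT, NOW))
```
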
In another embodiment of the present invention, the popularity with which file samples are queried is counted, and file samples are selected from the active file samples, whose popularity is high. This further reduces the number of file samples scanned and improves scanning efficiency.
The method further comprises:
On receiving a request inquiring whether a file sample is safe, recording the received request in a log.
According to the records in the log, extracting the file samples whose number of queries within a preset time is greater than a preset popularity threshold; the extracted file samples are the active file samples. An active file sample is a file sample with high popularity, that is, one whose query frequency is greater than a predetermined threshold.
Thus, when grey file samples are scanned, deriving the false-negative rate of a grey file sample from its attributes specifically comprises: extracting the grey file samples from the active file samples, and deriving the false-negative rate of each extracted grey file sample from its attributes. Selecting the grey file samples to be scanned from the stored grey file samples according to the false-negative rate specifically comprises: selecting, from the extracted grey file samples, those whose false-negative rate is greater than the preset false-negative-rate threshold, the selected grey file samples being the grey file samples to be scanned.
When dangerous file samples are scanned, determining the assessors that report a dangerous file sample as a virus file specifically comprises: extracting the dangerous file samples from the active file samples, and determining the assessors that report each extracted dangerous file sample as a virus file. Selecting the dangerous file samples to be scanned from the stored dangerous file samples according to the false-positive rate specifically comprises: selecting, from the extracted dangerous file samples, those whose false-positive rate is greater than the preset false-positive-rate threshold, the selected dangerous file samples being the dangerous file samples to be scanned.
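Extracting the active file samples from the query log, and splitting them into grey and dangerous candidates, can look like this. It is an added example, not code from the patent: the log line format, the time window, the threshold, the MD5 values and the information-base contents are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> QUERY md5=<32 hex digits>"
LOG_LINE = re.compile(r"^(\S+) QUERY md5=([0-9a-f]{32})$")


def active_samples(log_lines, now, window, popularity_threshold):
    """MD5 values queried more than popularity_threshold times within the window."""
    counts = Counter()
    for line in log_lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # ignore lines that are not query records
        try:
            when = datetime.fromisoformat(match.group(1))
        except ValueError:
            continue  # ignore records with an unparseable timestamp
        if now - window <= when <= now:
            counts[match.group(2)] += 1
    return {md5 for md5, n in counts.items() if n > popularity_threshold}


def scan_candidates(active, info_base):
    """Split the active samples by the status held in the file sample information base."""
    grey = sorted(m for m in active if info_base.get(m) == "grey")
    dangerous = sorted(m for m in active if info_base.get(m) == "dangerous")
    return grey, dangerous


# Constructed log and information base.
A, B, C = "a" * 32, "b" * 32, "c" * 32
NOW = datetime(2013, 3, 10, 12, 0, 0)
WINDOW = timedelta(hours=24)
LOG = [
    f"2013-03-10T09:00:00 QUERY md5={A}",
    f"2013-03-10T09:05:00 QUERY md5={A}",
    f"2013-03-10T10:00:00 QUERY md5={A}",
    f"2013-03-08T08:00:00 QUERY md5={B}",   # outside the 24-hour window
    f"2013-03-10T08:00:00 QUERY md5={B}",
    f"2013-03-10T11:00:00 QUERY md5={B}",
    f"2013-03-10T11:30:00 QUERY md5={C}",
    "2013-03-10T11:45:00 QUERY md5=not-a-digest",  # malformed, ignored
]
INFO_BASE = {A: "grey", B: "dangerous", C: "white"}

if __name__ == "__main__":
    for threshold in (2, 1):
        active = active_samples(LOG, NOW, WINDOW, threshold)
        print("threshold", threshold, scan_candidates(active, INFO_BASE))
```
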
Below in conjunction with an instantiation, the scanning of grey paper sample is described.
In this instantiation, take the MD5(Message Digest Algorithm 5 of paper sample) value is the sign of paper sample.In addition, also can be with the character string of 40 byte lengths of the md5+sha1 unique identification as paper sample, only avoiding take md5 as sign, the identification collision that causes, when the md5 value of namely two different paper samples being calculated is identical, the identification collision of these two paper samples.In the paper sample information bank, store attribute information and other relevant informations of each paper sample, for example, for each paper sample, whether the size, path, operation behavior and the paper sample that store paper sample are black or grey paper sample, report that it is the assessor etc. of virus document.
Referring to Fig. 5, show the process flow diagram that in the scan method of paper sample according to an embodiment of the invention, grey paper sample is scanned.
Step S510 receives the whether request of safety of inquiry file sample, returns to the scanning result of the request File sample of storage, the request that record receives in daily record.
Particularly, the request of reception comprises the MD5 value of paper sample, searches scanning result according to the MD5 value, and presses the request of MD5 value record.
Step S520 according to the record in daily record, is extracted in the interior inquiry times of Preset Time greater than the paper sample of default temperature threshold values, and the paper sample of extraction is for enlivening paper sample.
Step S530, extract grey paper sample from enliven paper sample, obtain the attribute of this ash paper sample according to the MD5 value of this ash paper sample from the paper sample information bank, draw the rate of failing to report of this ash paper sample according to the attribute that obtains, select drawn rate of failing to report greater than the grey paper sample of default rate of failing to report threshold values from the grey paper sample that extracts.
Step S540 chooses be used to the assessor that scans grey paper sample according to the more new record of each assessor and the sweep record of assessor.
Step S550 uses the assessor of choosing to scan the grey paper sample that obtains, and the memory scanning result.
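The grey-sample flow of steps S510 to S550, as an added Python sketch that is not code from the patent. The thresholds, the probability weights, the noisy-OR combination of the size, path and behavior probabilities, and the doubling scan interval are assumptions; the sample ids, log entries and assessor names are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from math import prod

# Every constant below is ASSUMED for illustration; the patent only says "preset".
WINDOW = 3600              # preset time window in seconds
HEAT_THRESHOLD = 2         # active = queried more often than this inside the window
MISS_RATE_THRESHOLD = 0.5  # grey samples above this are rescanned
FIRST_SEEN_CUTOFF = 1_000  # samples first seen before this time get miss rate 0
BASE_INTERVAL = 300        # ASSUMED: scan interval doubles with every scan
RISKY_PATHS = {"c:\\windows\\temp\\": 0.6, "c:\\users\\public\\": 0.4}
RISKY_BEHAVIORS = {"inject_process": 0.7, "modify_autorun": 0.5}

@dataclass
class Sample:
    md5: str
    status: str        # "grey" (safety unknown) or "black"
    size: int
    path: str
    behaviors: tuple
    first_seen: int

@dataclass
class Assessor:
    name: str
    last_update: int   # update record
    last_scan: dict    # scan record: sample id -> time of last scan
    scan_count: dict   # scan record: sample id -> number of scans so far

def active_samples(log, now):
    """S520: ids queried more than HEAT_THRESHOLD times inside the window."""
    hits = Counter(md5 for t, md5 in log if now - WINDOW <= t <= now)
    return {md5 for md5, n in hits.items() if n > HEAT_THRESHOLD}

def miss_rate(s):
    """S530: probability-like score from size, path and behavior statistics."""
    if s.first_seen < FIRST_SEEN_CUTOFF:   # long-known sample: treated as 0
        return 0.0
    p_size = 0.3 if s.size < 200_000 else 0.05
    p_path = max((p for pre, p in RISKY_PATHS.items()
                  if s.path.lower().startswith(pre)), default=0.0)
    p_beh = max((RISKY_BEHAVIORS.get(b, 0.0) for b in s.behaviors), default=0.0)
    return 1 - prod(1 - p for p in (p_size, p_path, p_beh))

def eligible(a, md5, now):
    """S540: never scanned, or updated since its last scan and interval elapsed."""
    last = a.last_scan.get(md5)
    if last is None:
        return True
    interval = BASE_INTERVAL * 2 ** a.scan_count.get(md5, 0)
    return a.last_update > last and now - last >= interval

def schedule(log, info_db, assessors, now):
    """S520-S540: map each grey sample worth rescanning to the assessors to run."""
    plan = {}
    for md5 in sorted(active_samples(log, now)):
        s = info_db.get(md5)
        if s is None or s.status != "grey" or miss_rate(s) <= MISS_RATE_THRESHOLD:
            continue
        chosen = [a.name for a in assessors if eligible(a, md5, now)]
        if chosen:
            plan[md5] = chosen
    return plan

# Constructed data: short ids stand in for MD5 values.
NOW = 10_000
LOG = [(9_100, "aaa"), (9_200, "aaa"), (9_900, "aaa"),
       (9_300, "bbb"), (9_400, "bbb"), (9_500, "bbb"),
       (1_000, "ccc"), (2_000, "ccc"), (9_600, "ccc"),   # two hits are too old
       (9_000, "ddd"), (9_100, "ddd"), (9_200, "ddd"),
       (9_700, "eee"), (9_800, "eee"), (9_900, "eee")]
INFO_DB = {
    "aaa": Sample("aaa", "grey", 50_000, "C:\\Windows\\Temp\\x.exe", ("inject_process",), 9_000),
    "bbb": Sample("bbb", "grey", 5_000_000, "D:\\tools\\b.exe", (), 9_500),
    "ccc": Sample("ccc", "grey", 50_000, "C:\\Windows\\Temp\\c.exe", ("inject_process",), 9_000),
    "ddd": Sample("ddd", "black", 50_000, "C:\\Windows\\Temp\\d.exe", ("inject_process",), 9_000),
    "eee": Sample("eee", "grey", 50_000, "C:\\Windows\\Temp\\e.exe", ("inject_process",), 500),
}
ASSESSORS = [
    Assessor("engine_a", 9_000, {}, {}),                          # never scanned aaa
    Assessor("engine_b", 9_500, {"aaa": 9_000}, {"aaa": 1}),      # updated, interval over
    Assessor("engine_c", 8_000, {"aaa": 9_000}, {"aaa": 1}),      # no update since scan
    Assessor("engine_d", 9_950, {"aaa": 9_900}, {"aaa": 3}),      # interval not elapsed
]

if __name__ == "__main__":
    print(schedule(LOG, INFO_DB, ASSESSORS, NOW))
```

Only one of the five samples reaches a scanner, and only two of the four assessors run on it, which is the resource saving the method is after.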
The scanning of dangerous file samples is described below with reference to a specific example.
Referring to Fig. 6, a flowchart is shown of scanning dangerous file samples in the file sample scanning method according to an embodiment of the invention.
Step S610: receive a request inquiring whether a file sample is safe, return the stored scanning result of the file sample named in the request, and record the received request in a log.
Specifically, the received request contains the MD5 value of the file sample; the scanning result is looked up by the MD5 value, and the request is recorded under the MD5 value.
Step S620: according to the records in the log, extract the file samples whose number of queries within a preset time is greater than a preset heat threshold; the extracted file samples are the active file samples.
Step S630: extract dangerous file samples from the active file samples, read the information in the information database by the MD5 value of each such dangerous file sample, and determine the assessors that reported the extracted dangerous file sample as a virus file.
Step S640: derive the false-alarm rate of each extracted dangerous file sample from the determined assessors, and select from the extracted dangerous file samples those whose false-alarm rate is greater than the preset false-alarm-rate threshold as the dangerous file samples to be scanned.
Step S650: for each dangerous file sample to be scanned, select, from the determined assessors that reported this dangerous file sample as a virus file, the assessor for scanning it according to the update records and the scan records of the assessors.
Step S660: for each dangerous file sample to be scanned, rescan it with the selected assessor; if the scanning result is that the dangerous file sample is no longer a virus file, determine that the dangerous file sample was falsely reported, and perform the false-alarm removal operation on it.
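The false-alarm correction of steps S630 to S660, as an added Python sketch that is not code from the patent. The table relating the number of reporting assessors to a false-alarm rate, the threshold, and the choice to return a cleared sample to grey status are assumptions; the set `flagged` stands in for a real scan and all ids are constructed.

```python
from dataclasses import dataclass

FP_RATE_THRESHOLD = 0.3
# ASSUMED correspondence between the number of reporting assessors and the
# false-alarm rate: the fewer engines agree, the likelier the report is wrong.
FP_RATE_BY_REPORTERS = {1: 0.6, 2: 0.3, 3: 0.1}

@dataclass
class Verdict:
    status: str       # "dangerous" or "grey"
    reporters: list   # names of the assessors that reported the sample as a virus

@dataclass
class Assessor:
    name: str
    last_update: int  # update record
    flagged: set      # ids the current signatures detect (stand-in for a scan)
    last_scan: dict   # scan record: sample id -> time of last scan

    def scan(self, md5, now):
        self.last_scan[md5] = now
        return md5 in self.flagged

def false_alarm_rate(n_reporters):
    """S640: look up the rate that corresponds to the number of reporters."""
    return FP_RATE_BY_REPORTERS.get(n_reporters, 0.02)

def correct_false_alarms(active, store, assessors, now):
    """S630-S660 over the active ids; returns (id, assessor, still_flagged) rows."""
    by_name = {a.name: a for a in assessors}
    results = []
    for md5 in sorted(active):
        v = store.get(md5)
        if v is None or v.status != "dangerous":
            continue
        if false_alarm_rate(len(v.reporters)) <= FP_RATE_THRESHOLD:
            continue                      # S640: report is trusted, skip rescan
        for name in list(v.reporters):    # S650: only the reporting assessors
            a = by_name[name]
            if a.last_update <= a.last_scan.get(md5, -1):
                continue                  # not updated since its last scan
            still = a.scan(md5, now)      # S660: rescan
            results.append((md5, name, still))
            if not still:
                v.reporters.remove(name)
        if not v.reporters:               # ASSUMED false-alarm removal:
            v.status = "grey"             # the sample is of unknown safety again
    return results

def demo():
    """Constructed scenario; m5 is dangerous but not active."""
    now = 10_000
    assessors = [
        Assessor("engine_a", 9_800, {"m2"}, {"m1": 9_000, "m2": 9_000}),
        Assessor("engine_b", 9_700, {"m2", "m3"}, {"m2": 9_000, "m3": 9_500}),
        Assessor("engine_c", 8_000, {"m2", "m4", "m5"},
                 {"m2": 9_000, "m4": 9_000, "m5": 9_000}),
    ]
    store = {
        "m1": Verdict("dangerous", ["engine_a"]),   # signature since withdrawn
        "m2": Verdict("dangerous", ["engine_a", "engine_b", "engine_c"]),
        "m3": Verdict("dangerous", ["engine_b"]),   # still detected after update
        "m4": Verdict("dangerous", ["engine_c"]),   # reporter has not been updated
        "m5": Verdict("dangerous", ["engine_c"]),
    }
    results = correct_false_alarms({"m1", "m2", "m3", "m4"}, store, assessors, now)
    return results, store

if __name__ == "__main__":
    print(demo()[0])
```

Restricting the rescan to the assessors that raised the report, and only after they have been updated, is what keeps a correction pass from turning into a full rescan of every dangerous sample.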
The file scanning method of the present invention has been described above. While ensuring that missed reports are made up for and false alarms are corrected, the method reduces the scanning workload. It thereby solves the problem that all file samples have to be scanned during a scan, which consumes a large amount of resources, and obtains the beneficial effects of saving the resources of the scanning equipment, improving scanning efficiency, and increasing scanning speed.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described here may be implemented in various programming languages, and that the above description of a specific language is given in order to disclose the best mode of the invention.
In the description provided here, numerous specific details are set forth. It is to be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the inventive aspects, in the above description of exemplary embodiments the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single foregoing disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into it, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of an embodiment may be combined into one module or unit or component, and they may furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will understand that, although some embodiments described here include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the file sample scanning system according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for carrying out part or all of the method described here. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.

Claims (24)

1. A scanning method for file samples, the method comprising:
for grey file samples among the file samples, selecting grey file samples to be scanned from the stored grey file samples according to a preset strategy;
selecting an assessor for scanning the grey file samples according to the update record of each assessor and/or the scan record of each assessor;
scanning the grey file samples to be scanned with the selected assessor, and storing the scanning result, so that the scanning result is returned when a request inquiring whether a file sample is safe is received;
wherein a grey file sample is a file sample whose safety is unknown.
2. The method according to claim 1, wherein
selecting grey file samples to be scanned from the stored grey file samples according to the preset strategy specifically comprises:
deriving the miss rate of a grey file sample from the attributes of the grey file sample, and selecting grey file samples to be scanned from the stored grey file samples according to the miss rate.
3. The method according to claim 1 or 2, wherein
the method further comprises:
for dangerous file samples among the file samples, determining the assessors that reported a dangerous file sample as a virus file, a dangerous file sample being a file sample that has been reported as a virus file by an assessor;
rescanning the dangerous file sample with the assessor that reported it as a virus file; if the scanning result is that the dangerous file sample is no longer a virus file, determining that the dangerous file sample was falsely reported as a virus file, and performing a false-alarm removal operation on the dangerous file sample.
4. The method according to claim 3, wherein
after determining the assessors that reported the dangerous file sample as a virus file, the method further comprises:
deriving the false-alarm rate of the dangerous file sample from the determined assessors, and establishing a correspondence between the number of assessors and the false-alarm rate;
selecting dangerous file samples to be scanned from the stored dangerous file samples according to the false-alarm rate;
rescanning the dangerous file sample with the assessor that reported it as a virus file specifically comprises:
for each dangerous file sample to be scanned, rescanning the dangerous file sample with the assessor that reported it as a virus file.
5. The method according to any one of claims 1 to 4, wherein
the method further comprises:
when a request inquiring whether a file sample is safe is received, recording the received request in a log;
according to the records in the log, extracting the file samples whose number of queries within a preset time is greater than a preset heat threshold, the extracted file samples being active file samples.
6. The method according to claim 5, wherein
deriving the miss rate of a grey file sample from the attributes of the grey file sample specifically comprises:
extracting grey file samples from the active file samples, and deriving the miss rate of each extracted grey file sample from its attributes;
selecting grey file samples to be scanned from the stored grey file samples according to the miss rate specifically comprises:
selecting, from the extracted grey file samples, those whose miss rate is greater than a preset miss-rate threshold, and taking the selected grey file samples as the grey file samples to be scanned.
7. The method according to claim 5, wherein
determining the assessors that reported a dangerous file sample as a virus file specifically comprises:
extracting dangerous file samples from the active file samples, and determining the assessors that reported each extracted dangerous file sample as a virus file;
selecting dangerous file samples to be scanned from the stored dangerous file samples according to the false-alarm rate specifically comprises:
selecting, from the extracted dangerous file samples, those whose false-alarm rate is greater than a preset false-alarm-rate threshold, and taking the selected dangerous file samples as the dangerous file samples to be scanned.
8. The method according to claim 2, wherein
deriving the miss rate of a grey file sample from the attributes of the grey file sample specifically comprises:
calculating, from statistics compiled on the features of virus files and from the attributes of the grey file sample, the probability that the grey file sample is a virus file, and using this probability as a parameter for calculating the miss rate of the grey file sample.
9. The method according to claim 8, wherein
calculating, from statistics compiled on the features of virus files and from the attributes of the grey file sample, the probability that the grey file sample is a virus file specifically comprises:
calculating the probability that the grey file sample is a virus file from statistics compiled on the sizes of virus files and from the size of the grey file sample;
and/or,
calculating the probability that the grey file sample is a virus file from statistics compiled on the paths of virus files and from the path of the grey file sample;
and/or,
calculating the probability that the grey file sample is a virus file from a list of risky operation behaviors compiled from statistics on the operation behaviors of virus files and from the operation behavior of the grey file sample.
10. The method according to claim 1, wherein
selecting an assessor for scanning the grey file samples according to the scan record of each assessor specifically comprises:
for each assessor and each grey file sample to be scanned, calculating the scan interval of the grey file sample for that assessor from the number of times the assessor has scanned the grey file sample;
selecting the assessor for scanning the grey file samples according to the scan interval.
11. The method according to claim 1, wherein
selecting an assessor for scanning the grey file samples according to the update record of each assessor specifically comprises:
selecting, from the assessors and according to the update records, the assessors that have been updated since the last scan.
12. The method according to claim 2, wherein
before deriving the miss rate of a grey file sample from the attributes of the grey file sample, the method further comprises:
judging whether the first discovery time of the grey file sample is earlier than a preset time threshold; if so, determining that the miss rate of the grey file sample is 0; if not, performing the operation of deriving the miss rate of the grey file sample from the attributes of the grey file sample.
13. A scanning system for file samples, the system comprising: a sample storage device, a killing engine, a scan scheduling device, and a sample scanning device comprising a plurality of assessors;
the sample storage device is adapted to store file samples;
the scan scheduling device is adapted, for grey file samples among the file samples, to select grey file samples to be scanned from the grey file samples stored in the sample storage device according to a preset strategy, and to select an assessor for scanning the grey file samples according to the update record of each assessor and/or the scan record of each assessor;
the sample scanning device is adapted to obtain the grey file samples to be scanned from the sample storage device, to scan the obtained grey file samples with the assessor selected by the scan scheduling device, and to store the scanning result in the killing engine;
the killing engine is adapted to store the scanning results of the file samples and, when a request inquiring whether a file sample is safe is received, to return the scanning result;
wherein a grey file sample is a file sample whose safety is unknown.
14. The system according to claim 13, wherein
the scan scheduling device is specifically adapted to derive the miss rate of a grey file sample from the attributes of the grey file sample, and to select grey file samples to be scanned from the stored grey file samples according to the miss rate.
15. The system according to claim 13 or 14, wherein
the scan scheduling device is further adapted, for dangerous file samples among the file samples, to determine the assessors that reported a dangerous file sample as a virus file, a dangerous file sample being a file sample that has been reported as a virus file by an assessor;
the sample scanning device is further adapted to obtain dangerous file samples from the sample storage device and to rescan the obtained dangerous file samples with the assessors determined by the scan scheduling device; if the scanning result is that a dangerous file sample is no longer a virus file, it is determined that the dangerous file sample was falsely reported as a virus file, and a false-alarm removal operation is performed on the dangerous file sample.
16. The system according to claim 15, wherein
the scan scheduling device is further adapted, after determining the assessors that reported the dangerous file sample as a virus file, to derive the false-alarm rate of the dangerous file sample from the determined assessors, to establish a correspondence between the number of assessors and the false-alarm rate, and to select dangerous file samples to be scanned from the dangerous file samples stored in the sample storage device according to the false-alarm rate;
the sample scanning device is specifically adapted, for each dangerous file sample to be scanned, to rescan the dangerous file sample with the assessor that reported it as a virus file.
17. The system according to any one of claims 13 to 16, wherein
the killing engine is further adapted, when a request inquiring whether a file sample is safe is received, to record the received request in a log;
the scan scheduling device is further adapted to extract, according to the records in the log, the file samples whose number of queries within a preset time is greater than a preset heat threshold, the extracted file samples being active file samples.
18. The system according to claim 17, wherein
the scan scheduling device is specifically adapted to extract grey file samples from the active file samples, to derive the miss rate of each extracted grey file sample from its attributes, to select from the extracted grey file samples those whose miss rate is greater than a preset miss-rate threshold, and to take the selected grey file samples as the grey file samples to be scanned.
19. The system according to claim 17, wherein
the scan scheduling device is specifically adapted to extract dangerous file samples from the active file samples, to determine the assessors that reported each extracted dangerous file sample as a virus file, to derive the false-alarm rate of the extracted dangerous file sample from the determined assessors, to select from the extracted dangerous file samples those whose false-alarm rate is greater than a preset false-alarm-rate threshold, and to take the selected dangerous file samples as the dangerous file samples to be scanned.
20. The system according to claim 14, wherein
the scan scheduling device is specifically adapted to calculate, from statistics compiled on the features of virus files and from the attributes of the grey file sample, the probability that the grey file sample is a virus file, and to use this probability as a parameter for calculating the miss rate of the grey file sample.
21. The system according to claim 20, wherein
the scan scheduling device is specifically adapted to calculate the probability that the grey file sample is a virus file from statistics compiled on the sizes of virus files and from the size of the grey file sample;
and/or,
to calculate the probability that the grey file sample is a virus file from statistics compiled on the paths of virus files and from the path of the grey file sample;
and/or,
to calculate the probability that the grey file sample is a virus file from a list of risky operation behaviors compiled from statistics on the operation behaviors of virus files and from the operation behavior of the grey file sample.
22. The system according to claim 13, wherein
the scan scheduling device is specifically adapted, for each assessor and each grey file sample to be scanned, to calculate the scan interval of the grey file sample for that assessor from the number of times the assessor has scanned the grey file sample, and to select the assessor for scanning the grey file samples according to the scan interval.
23. The system according to claim 13, wherein
the scan scheduling device is specifically adapted to select, from the assessors and according to the update records, the assessors that have been updated since the last scan.
24. The system according to claim 14, wherein
the scan scheduling device is further adapted, before deriving the miss rate of a grey file sample from the attributes of the grey file sample, to judge whether the first discovery time of the grey file sample is earlier than a preset time threshold; if so, to determine that the miss rate of the grey file sample is 0; if not, to perform the operation of deriving the miss rate of the grey file sample from the attributes of the grey file sample.
CN201310071272.6A 2013-03-06 2013-03-06 Scanning method and scanning system for file samples Active CN103136477B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310071272.6A CN103136477B (en) 2013-03-06 2013-03-06 The scan method of paper sample and system

Publications (2)

Publication Number Publication Date
CN103136477A true CN103136477A (en) 2013-06-05
CN103136477B CN103136477B (en) 2015-09-02

Family

ID=48496294

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310071272.6A Active CN103136477B (en) 2013-03-06 2013-03-06 Scanning method and scanning system for file samples

Country Status (1)

Country Link
CN (1) CN103136477B (en)

Also Published As

Publication number Publication date
CN103136477B (en) 2015-09-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220720

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right