CN103501294A - Method for judging whether program is malicious or not - Google Patents
Method for judging whether program is malicious or not Download PDFInfo
- Publication number
- CN103501294A CN103501294A CN201310446501.8A CN201310446501A CN103501294A CN 103501294 A CN103501294 A CN 103501294A CN 201310446501 A CN201310446501 A CN 201310446501A CN 103501294 A CN103501294 A CN 103501294A
- Authority
- CN
- China
- Prior art keywords
- program
- behavior
- white list
- feature
- performance
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Stored Programmes (AREA)
Abstract
The invention discloses a method for judging whether a program is malicious or not. The method comprises the following steps: establishing a white list of a legal program by a database of a server end, and collecting and updating; collecting program characteristics and/or program behaviors of one program by a client, and sending the program characteristics and/or the program behaviors to the server end to be inquired; carrying out analysis and comparison in the white list by the server end according to the program characteristics and/or the program behaviors; and judging the validity or a trust value of the program according to a comparing result and feeding back to the client. According to the method for judging whether the program is malicious or not, the legal program is judged by using the white list so as to judge an illegal program which does not belong to a white list range to be a malicious program and carry out judgment, searching and killing of the malicious program from the other angle.
Description
Patent application of the present invention be that August 18, application number in 2010 are 201010256973.3 the applying date, name is called the dividing an application of Chinese invention patent application of " a kind of method of carrying out the rogue program detection according to white list ".
Technical field
The invention belongs to network safety filed, specifically, relate to a kind of whether method of malice of determining program.
Background technology
Anti-the killing of traditional rogue program mainly depends on the feature database pattern.The condition code of the rogue program sample that feature database is collected by manufacturer forms, and condition code is that analysis project is an apprentice of in rogue program and is found and the difference of proper software, intercepts one section and be similar to the program code of " searched key word ".In the killing process, engine meeting file reading is also mated with all condition codes " keyword " in feature database, if find that the file routine code is hit, and just can judge that this document program is as rogue program.
Having derived again afterwards the mode in the heuristic virus killing in this locality, is dynamic height device or the decompiler of realizing with ad hoc fashion, by the decompiling to relevant command sequence, progressively understands and determine the real motive that it is contained.The difference of rogue program and normal procedure can embody in many aspects, such as: a common application program is in initial instruction, to check that the order line input has or not parameter item, cls and the demonstration of preservation original screen etc., rogue program initial instruction usually is direct writing disk manipulation, decoding instruction, or searches for the associative operation command sequences such as executable program under certain path.These significant differences, only the need quick glance just can be very clear under debugging mode for a skilled programmer.In fact heuristic code scans technology is exactly this experience and knowledge to be transplanted to a specific procedure in the killing bogusware embody.
But the method for above-mentioned killing Malware all is based on malicious act and/or malice feature, and first to a programmed decision, whether it is rogue program, and then determines whether to carry out killing or cleaning.This just unavoidably causes having occurred following drawback.
According to statistics, global rogue program quantity is how much level growths now, the speedup based on this explosion type, and the generation of feature database lags behind often with renewal, the supplementary unknown rogue program emerged in an endless stream that do not catch up with of the condition code of rogue program in feature database.
In addition, in recent years, along with the application of rogue program producer to technology free to kill, by the gimmick that rogue program is added to shell or revise the condition code of this rogue program, more and more occur; And many trojan horse programs have adopted more more frequently auto Deformations fast, these all cause the difficulty rogue program judged by malicious act and/or malice feature increasing, thereby cause the difficulty to killing or the cleaning of rogue program.
Summary of the invention
In view of this, technical problem to be solved by this invention has been to provide a kind of method of carrying out the rogue program detection according to white list, does not rely on local data base, and rogue program is oppositely judged in the identification based on to legal procedure.
In order to solve the problems of the technologies described above, the invention discloses a kind of method of carrying out the rogue program detection according to white list, comprising: the white list of the Database legal procedure of server end is also collected renewal; Client is collected and is sent to server end to the performance of program of a program and/or program behavior and inquired about, server end is analysed and compared in described white list according to described performance of program and/or program behavior, according to comparison result, the legitimacy of described program or trust value is judged and is fed back to described client.
Further, described server end, according to described performance of program and/or program behavior, is compared with the legal procedure feature of preserving in described white list and/or legal procedure behavior, if hit, judge that described program is as legal procedure, and feed back to described client; If do not hit, judge that described program is as rogue program, and feed back to described client.
Further, described server end is according to batch processing feature and/or the batch processing behavior of program, with the legal procedure feature of preserving in described white list and/or legal procedure behavior, compare, according to the degree of hitting, give a trust value to described program, and described trust value is fed back to described client; Described client is preset a threshold value, compare according to described trust value and described threshold value, if described trust value is not less than described threshold value, judge that described program is legal procedure, if described trust value is less than described threshold value, judge that described program is as rogue program.
Further, if described batch processing feature and/or batch processing behavior are all hit in described white list, described server end is given the highest trust value to described program; If described batch processing feature and/or batch processing behavior are all miss in described white list, described server end is given a minimum trust value to described program.
Further, also comprise: described client determines that according to described result of determination behavior is tackled, stopped carrying out this rogue program and/or clears up this rogue program, the recovery system environment to rogue program.
Further, also comprise: described client, according to described result of determination and in conjunction with the attribute of described rogue program, determines whether this rogue program behavior is tackled, stopped carrying out this rogue program and/or clears up this rogue program.
Further, described attribute comprises: whether described rogue program is whether self-triggered program and/or described rogue program are present in system directory.
Further, the database of described server end is collected the step of upgrading to the white list of legal procedure, comprising: periodically by craft, utilize spider or web crawlers and/or user to upload legal procedure is collected; By manual or automatically screen performance of program and or the program behavior being kept in described white list of described legal procedure by instrument.
Further, the database of described server end is collected the step of upgrading to the white list of legal procedure, comprise: according to the legal procedure feature in existing known white list and corresponding program behavior thereof, unknown program feature and program behavior are analyzed, to upgrade white list.
Further, described performance of program comprises: static nature and/or static nature string in program file.
Further, the described step that unknown program feature and program behavior thereof are analyzed, comprising: if the unknown program feature is identical with the known procedure feature in existing white list, list this unknown program feature and program behavior thereof in white list; If the unknown program behavior is identical or approximate with the known procedure behavior in existing white list, list this unknown program behavior and performance of program thereof in white list; When certain program behavior is put into white list, in database, by this program behavior, corresponding performance of program is listed white list in, and other program behaviors and performance of program that will be relevant with this program behavior be also listed white list in; And/or, when certain performance of program is put into white list, in database, by this performance of program, corresponding program behavior is listed white list in, and other program behaviors and performance of program that will be relevant with this performance of program be also listed white list in.
Further, also comprise: the incidence relation of setting up behavior and feature between the program with identical or approximate behavior, according to the incidence relation between the described program with identical or approximate behavior, unknown program feature and program behavior are analyzed, to upgrade white list.
Compare the technique effect that the present invention obtains with existing scheme:
The present invention is by using white list to be judged legal procedure, thereby the non-legal procedure that will not belong to the white list category is judged to be rogue program, carries out the determining and killing of rogue program from another angle;
Introduce the cloud security framework simultaneously, will own " cloud security " client and be connected in real time with " cloud security " server, the decision analysis of legal procedure is placed on to server end and completes;
In addition, the present invention is also by the behavior of client collection procedure and be associated with performance of program, thereby logging program feature and corresponding program behavior thereof in database, incidence relation according to the program behavior of collecting and performance of program, can in database, to sample, carry out analytic induction, thereby contribute to software or program are carried out to legal differentiation.
The accompanying drawing explanation
Fig. 1 is Implementation Modes schematic diagram of the present invention;
Fig. 2 method flow diagram that carries out the rogue program detection according to white list of the present invention;
Fig. 3 is according to the described incidence relation schematic diagram of the embodiment of the present invention.
Embodiment
Below will coordinate graphic and embodiment to describe embodiments of the present invention in detail, and can fully understand and implement according to this present invention's implementation procedure how the application technology means solve technical problem and reach the technology effect by this.
Core idea of the present invention is: the white list of the Database legal procedure of server end is also collected renewal; Client is collected and is sent to server end to the performance of program of a program and/or program behavior and inquired about, server end is analysed and compared in described white list according to described performance of program and/or program behavior, according to comparison result, described program is judged and is fed back to described client.
Under the white list detection of malicious program technic that regards under the cloud security pattern formed by a large amount of client computer 102-server ends 104 describe.Cloud structure is exactly a large-scale client/server (CS) framework, as shown in Figure 1, is Implementation Modes schematic diagram of the present invention.
Be the method flow diagram that carries out the rogue program detection according to white list of the present invention with reference to figure 2, comprise:
S1, the white list of the Database legal procedure of server end is also collected renewal;
S2, client is collected and is sent to server end to the performance of program of a program and/or program behavior and inquired about;
S3, server end is analysed and compared in described white list according to described performance of program and/or program behavior, according to comparison result, described program is judged and is fed back to described client;
S4, described client determines that according to described result of determination behavior is tackled, stopped carrying out this rogue program and/or clears up this rogue program, the recovery system environment to rogue program; Perhaps
Described client, according to described result of determination and in conjunction with the attribute of described rogue program, determines whether this rogue program behavior is tackled, stopped carrying out this rogue program and/or clears up this rogue program;
Described attribute comprises: whether described rogue program is whether self-triggered program and/or described rogue program are present in system directory.
For step S3, can specifically by following mode, be realized.
First method: described server end is according to described performance of program and/or program behavior, with the legal procedure feature of preserving in described white list and/or legal procedure behavior, compare, if hit, judge that described program is as legal procedure, and feed back to described client; If do not hit, judge that described program is as rogue program, and feed back to described client.
Second method: described server end is according to batch processing feature and/or the batch processing behavior of program, with the legal procedure feature of preserving in described white list and/or legal procedure behavior, compare, according to the degree of hitting, give a trust value to described program, and described trust value is fed back to described client; Described client is preset a threshold value, compare according to described trust value and described threshold value, if described trust value is not less than described threshold value, judge that described program is legal procedure, if described trust value is less than described threshold value, judge that described program is as rogue program.
For the setting of trust value, if described batch processing feature and/or batch processing behavior are all hit in described white list, described server end is given the highest trust value to described program; If described batch processing feature and/or batch processing behavior are all miss in described white list, described server end is given a minimum trust value to described program; Program between above-mentioned two hit rates is set by described above-mentioned trend.
For step S1, the database of described server end is collected the step of upgrading to the white list of legal procedure, can be realized by following mode.
First method: by the technical staff periodically by craft, utilize spider or web crawlers and/or user to upload legal procedure is collected; By manual or automatically screen performance of program and or the program behavior being kept in described white list of described legal procedure by instrument.
Second method: according to the legal procedure feature in existing known white list and corresponding program behavior thereof, unknown program feature and program behavior are analyzed, to upgrade white list.
Described performance of program, it can be the static nature in program file, as via MD5(Message-Digest Algorithm5, md5-challenge) the MD5 identifying code that computing draws, or SHA1 code, or CRC(Cyclic Redundancy Check, cyclic redundancy check (CRC)) but code waits the condition code of unique identification original program; It can be also the static nature string in program file.
Under regard to the database white list of server end in second method structure and Dynamic Maintenance carry out lower explanation.
It processes thinking mainly: according to the performance of program in existing known white list and corresponding program behavior thereof, unknown program feature and program behavior are analyzed, to upgrade white list.This comparative analysis does not sometimes need the behavior of program itself is done to follow-up analysis, only needs known procedure behavior in simple and existing white list to compare and can judge the character of unknown program.
Owing to having recorded performance of program and behavior record corresponding to this feature in database, therefore can to unknown program, be analyzed in conjunction with known white list.
For example, if the unknown program feature is identical with the known procedure feature in existing white list, all list this unknown program feature and program behavior thereof in white list.
If the unknown program behavior is identical or approximate with the known procedure behavior in existing white list, all list this unknown program behavior and performance of program thereof in white list.
By the record analysis in database, we can find, there is the behavior of some programs identical or approximate, but performance of program difference, at this moment, as long as we set up the incidence relation of behavior and feature between the program with identical or approximate behavior, and according to this incidence relation, just can to unknown program feature and program behavior, be analyzed more easily, to upgrade white list.
As shown in Figure 3, for according to the described incidence relation schematic diagram of the embodiment of the present invention.The feature of supposing unknown program A, B and C is respectively A, B and C, and its each self-corresponding program behavior is A1~A4, B1~B4, C1~C4.If the analysis found that program behavior A1~A4, B1~B4, identical in fact or very approximate between C1~C4, so just can be at feature A, B, C and behavior A1~A4, B1~B4, set up the incidence relation of feature and behavior between C1~C4.
By this incidence relation, under certain conditions can be more efficiently from expand database be safeguarded.For example, when program behavior B1~B4 of program B is confirmed to be the legal procedure behavior and is put into white list, performance of program B that can automatically will be corresponding with this program behavior in database lists white list in, simultaneously, according to incidence relation, can be automatically by the program behavior A1~A4 relevant with this program behavior, C1~C4 and corresponding performance of program A, feature C also lists white list in.
Again for example, if when initial, program A, B and C belong to the program of black and white the unknown, and via other checking and killing virus approach, at first performance of program B is confirmed to be the feature that belongs to legal procedure, in database, can automatically list the combination of behavior B1~B4 in white list, can also be according to incidence relation, feature A and the C that will have identical or approximate behavior also list white list in, and, by program behavior A1~A4, C1~C4 also lists white list in.
The present invention is owing to having recorded behavior corresponding to performance of program in database, and this just makes the behavioural analysis to unknown program provide great convenience.The above-mentioned analytical method of the present invention is not limited to this, and can also utilize and be similar to decision tree, bayesian algorithm, the methods such as nerve net territory calculating, or use simple Threshold Analysis, can on Basis of Database of the present invention, well be applied.
Above-mentioned explanation illustrates and has described some preferred embodiments of the present invention, but as previously mentioned, be to be understood that the present invention is not limited to the disclosed form of this paper, should not regard the eliminating to other embodiment as, and can be used for various other combinations, modification and environment, and can, in invention contemplated scope described herein, by technology or the knowledge of above-mentioned instruction or association area, be changed.And the change that those skilled in the art carry out and variation do not break away from the spirit and scope of the present invention, all should be in the protection range of claims of the present invention.
Claims (9)
1. the determining program method of malice whether, it comprises:
The white list of the Database legal procedure of server end is also collected renewal;
Described white list is preserved performance of program and/or the program behavior of legal procedure;
Set up the incidence relation of behavior and feature between the program with identical or approximate behavior;
Client is collected and is sent to server end to the performance of program of a program and/or program behavior and inquired about, server end is analysed and compared in described white list according to described performance of program and/or program behavior, according to comparison result, the legitimacy of described program or trust value is judged and is fed back to described client.
2. the method for claim 1, wherein, described server end is according to described performance of program and/or program behavior, with the legal procedure feature of preserving in described white list and/or legal procedure behavior, compare, if hit, judge that described program is as legal procedure, and feed back to described client; If do not hit, judge that described program is as rogue program, and feed back to described client.
3. method as claimed in claim 2, wherein, described server end is according to batch processing feature and/or the batch processing behavior of program, with the legal procedure feature of preserving in described white list and/or legal procedure behavior, compare, according to the degree of hitting, give a trust value to described program, and described trust value is fed back to described client;
Described client is preset a threshold value, compare according to described trust value and described threshold value, if described trust value is not less than described threshold value, judge that described program is legal procedure, if described trust value is less than described threshold value, judge that described program is as rogue program.
4. method as claimed in claim 3, wherein, if described batch processing feature and/or batch processing behavior are all hit in described white list, described server end is given the highest trust value to described program; If described batch processing feature and/or batch processing behavior are all miss in described white list, described server end is given a minimum trust value to described program.
5. method as claimed in claim 4, wherein, the database of described server end is collected the step of upgrading to the white list of legal procedure, further comprise:
Periodically by craft, utilize spider or web crawlers and/or user to upload legal procedure is collected;
By manual or automatically screen performance of program and or the program behavior being kept in described white list of described legal procedure by instrument.
6. method as claimed in claim 5, wherein, the database of described server end is collected the step of upgrading to the white list of legal procedure, further comprise:
According to the legal procedure feature in existing known white list and corresponding program behavior thereof, unknown program feature and program behavior are analyzed, to upgrade white list.
7. method as described as claim 5 or 6, wherein, described performance of program comprises: static nature and/or static nature string in program file.
8. method as claimed in claim 7, wherein, the described step that unknown program feature and program behavior thereof are analyzed comprises:
If the unknown program feature is identical with the known procedure feature in existing white list, list this unknown program feature and program behavior thereof in white list;
If the unknown program behavior is identical or approximate with the known procedure behavior in existing white list, list this unknown program behavior and performance of program thereof in white list;
When certain program behavior is put into white list, in database, by this program behavior, corresponding performance of program is listed white list in, and other program behaviors and performance of program that will be relevant with this program behavior be also listed white list in; And/or
When certain performance of program is put into white list, in database, by this performance of program, corresponding program behavior is listed white list in, and other program behaviors and performance of program that will be relevant with this performance of program be also listed white list in.
9. method as claimed in claim 8 further comprises:
According to the incidence relation between the described program with identical or approximate behavior, unknown program feature and program behavior are analyzed, to upgrade white list.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310446501.8A CN103501294B (en) | 2010-08-18 | 2010-08-18 | The determining program whether method of malice |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010102569733A CN101924761B (en) | 2010-08-18 | 2010-08-18 | Method for detecting malicious program according to white list |
| CN201310446501.8A CN103501294B (en) | 2010-08-18 | 2010-08-18 | The determining program whether method of malice |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2010102569733A Division CN101924761B (en) | 2010-08-18 | 2010-08-18 | Method for detecting malicious program according to white list |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103501294A true CN103501294A (en) | 2014-01-08 |
| CN103501294B CN103501294B (en) | 2017-03-08 |
Family
ID=49866466
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310446501.8A Active CN103501294B (en) | 2010-08-18 | 2010-08-18 | The determining program whether method of malice |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103501294B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105190637A (en) * | 2014-03-04 | 2015-12-23 | 华为技术有限公司 | Software security detection method, apparatus and device |
| CN107729753A (en) * | 2017-09-22 | 2018-02-23 | 郑州云海信息技术有限公司 | A kind of defence method and system of computer unknown virus |
| CN108989304A (en) * | 2018-07-05 | 2018-12-11 | 北京广成同泰科技有限公司 | A kind of trusted software white list construction method |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101373501A (en) * | 2008-05-12 | 2009-02-25 | 公安部第三研究所 | Method for capturing dynamic behavior aiming at computer virus |
| US7640589B1 (en) * | 2009-06-19 | 2009-12-29 | Kaspersky Lab, Zao | Detection and minimization of false positives in anti-malware processing |
| CN100585534C (en) * | 2004-10-29 | 2010-01-27 | 微软公司 | Be used for determining whether file is the computer system and method for Malware |
| US20100031361A1 (en) * | 2008-07-21 | 2010-02-04 | Jayant Shukla | Fixing Computer Files Infected by Virus and Other Malware |
| CN101650768A (en) * | 2009-07-10 | 2010-02-17 | 深圳市永达电子股份有限公司 | Security guarantee method and system for Windows terminals based on auto white list |
| US7743419B1 (en) * | 2009-10-01 | 2010-06-22 | Kaspersky Lab, Zao | Method and system for detection and prediction of computer virus-related epidemics |
-
2010
- 2010-08-18 CN CN201310446501.8A patent/CN103501294B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100585534C (en) * | 2004-10-29 | 2010-01-27 | 微软公司 | Be used for determining whether file is the computer system and method for Malware |
| CN101373501A (en) * | 2008-05-12 | 2009-02-25 | 公安部第三研究所 | Method for capturing dynamic behavior aiming at computer virus |
| US20100031361A1 (en) * | 2008-07-21 | 2010-02-04 | Jayant Shukla | Fixing Computer Files Infected by Virus and Other Malware |
| US7640589B1 (en) * | 2009-06-19 | 2009-12-29 | Kaspersky Lab, Zao | Detection and minimization of false positives in anti-malware processing |
| CN101650768A (en) * | 2009-07-10 | 2010-02-17 | 深圳市永达电子股份有限公司 | Security guarantee method and system for Windows terminals based on auto white list |
| US7743419B1 (en) * | 2009-10-01 | 2010-06-22 | Kaspersky Lab, Zao | Method and system for detection and prediction of computer virus-related epidemics |
Non-Patent Citations (1)
| Title |
|---|
| 桂佳平: "基于智能手机恶意代码防范模型的研究", 《计算机技术与发展》 * |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105190637A (en) * | 2014-03-04 | 2015-12-23 | 华为技术有限公司 | Software security detection method, apparatus and device |
| CN107729753A (en) * | 2017-09-22 | 2018-02-23 | 郑州云海信息技术有限公司 | A kind of defence method and system of computer unknown virus |
| CN108989304A (en) * | 2018-07-05 | 2018-12-11 | 北京广成同泰科技有限公司 | A kind of trusted software white list construction method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103501294B (en) | 2017-03-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101924761B (en) | Method for detecting malicious program according to white list | |
| Li et al. | Libd: Scalable and precise third-party library detection in android markets | |
| CN101924762B (en) | Cloud security-based active defense method | |
| Crussell et al. | Andarwin: Scalable detection of semantically similar android applications | |
| Crussell et al. | Andarwin: Scalable detection of android application clones based on semantics | |
| CN103607381A (en) | White list generation method, malicious program detection method, client and server | |
| Costin et al. | A {Large-scale} analysis of the security of embedded firmwares | |
| CN103475671A (en) | Method for detecting rogue programs | |
| CN101923617B (en) | Cloud-based sample database dynamic maintaining method | |
| US9300682B2 (en) | Composite analysis of executable content across enterprise network | |
| Bayer et al. | Scalable, behavior-based malware clustering. | |
| CN104573515A (en) | Virus processing method, device and system | |
| Ahmadi et al. | Malware detection by behavioural sequential patterns | |
| Narouei et al. | DLLMiner: structural mining for malware detection | |
| US20150207811A1 (en) | Vulnerability vector information analysis | |
| Severi et al. | M alrec: compact full-trace malware recording for retrospective deep analysis | |
| CN102867038A (en) | Method and device for determining type of file | |
| Huang et al. | Android malware development on public malware scanning platforms: A large-scale data-driven study | |
| Malisa et al. | Mobile application impersonation detection using dynamic user interface extraction | |
| KR102120200B1 (en) | Malware Crawling Method and System | |
| Paturi et al. | Mobile malware visual analytics and similarities of Attack Toolkits (Malware gene analysis) | |
| US11580220B2 (en) | Methods and apparatus for unknown sample classification using agglomerative clustering | |
| Li et al. | Large-scale third-party library detection in android markets | |
| CN105791250A (en) | Application detection method and device | |
| CN103501294A (en) | Method for judging whether program is malicious or not |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220706 Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015 Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |