CN104243470B - Cloud checking and killing method and system based on adaptive classifier - Google Patents
- Publication number: CN104243470B (application CN201410459367.XA)
- Authority: CN (China)
- Prior art keywords: file, clouds, feature, client, black
- Legal status: Active
- Landscape: Image Analysis (AREA)
Abstract
The present invention provides a cloud scanning ("checking and killing", i.e. cloud-based detection and removal) method and system based on an adaptive classifier. The method includes: the client performs classification detection on a file using a Hamming-distance classifier; when the feature of the file fails to match any feature in the client's lightweight black/white list feature database, the client sends the file to the cloud; the cloud performs classification detection on the file using a hash-value classifier with at least two levels of Hamming distance; when the feature of the file matches a feature in the cloud black/white list feature database, the cloud counts the hit rate of that file feature and, within a predetermined time interval, sends the files whose hit-rate ranking falls within a preset range to the client, which uses them to update its lightweight black/white list feature database, while the Hamming-distance classifier completes an adaptive update. The invention improves the filtering efficiency and hit probability of file features, reduces the amount of data the client sends to the cloud, shortens the query distance for file features in the cloud, and improves the efficiency of feature lookup.
Description
Technical field
The present invention relates to the field of cloud security technology and, more specifically, to a cloud scanning method and system (the "cloud checking and killing" of the title, i.e. cloud-based detection and removal) based on an adaptive classifier.
Background technology
Cloud security is the latest embodiment of information security in the Internet era, and cloud security technology is the product of the combined development and natural evolution of P2P technology, network technology and distributed computing techniques such as cloud computing. Because the feature database stored in the cloud can be far larger than anything the original hardware device could hold, moving the feature database to the cloud with cloud security technology reduces the memory overhead of the device; and moving security scanning to the cloud as well, to make use of the cloud's high-performance processing capacity, reduces the impact of scanning on the performance of the hardware device. Because of these advantages, cloud security technology has become the choice of more and more security vendors, but it also brings new problems to cloud security.
From a security perspective, the cloud security products of the major information security vendors, both worldwide and in China, have all become increasingly centralized, for two reasons: first, the terminal no longer retains data, so attacking the terminal is less and less effective; second, the lightweighting and diversification of terminals make them progressively harder to attack. For these two reasons, malicious attackers now direct the spearhead of their attacks at the server side, that is, the cloud. In the past two years, APTs (Advanced Persistent Threats) have used a variety of infiltration techniques to launch malicious attacks on cloud platforms. In this situation, reducing as far as possible the amount of data the client sends to the cloud can, to a certain extent, reduce the probability of such attacks on the cloud.
From a performance perspective, the trend toward centralization of security in the cloud computing era has raised the performance requirements on cloud security to unprecedented heights. Cloud security faces an endless stream of network attacks; how to reduce the client's dependence on the cloud and how to improve response speed have become critical to its own security. Many mainstream vendors (such as Palo Alto, Checkpoint, Fortinet, 360, Trend Micro, etc.) mostly use black/white lists to reduce feature-database matching as far as possible, so as to improve the performance of the whole cloud scan and reduce its cost, but their black/white list technology still has the following problems:
1. A black/white list on the order of tens of millions of entries still consumes a great deal of resources during lookup and brings a certain performance loss;
2. The many rarely used samples in the black/white list occupy a considerable proportion of the query time.
To address these problems, many vendors use a hardware-based two-level black/white list mechanism: the larger black/white list is deployed in the cloud, which has stronger processing capacity, and a lightweight black/white list is deployed on the local client to act as a pre-filter. However, the hardware-based two-level black/white list mechanism has the following problems of its own:
1. Because the black/white lists are deployed in hardware, they are hard to adjust; over time, more and more data is sent to the cloud for inspection, ultimately consuming cloud resources and degrading performance;
2. The filtering efficiency of the client and the match hit rate of the feature database are low.
Summary of the invention
In view of these problems, an object of the present invention is to provide a cloud scanning method and system based on an adaptive classifier, to solve the problems of the existing hardware-based two-level black/white list mechanism: large resource consumption and loss in the cloud, and low filtering efficiency and feature-database match hit rate on the client.
According to one aspect of the present invention, a cloud scanning method based on an adaptive classifier is provided, including:
the client performs classification detection on a file based on a Hamming-distance classifier; when the feature of the file does not match any feature in the client's lightweight black/white list feature database, the client sends the file to the cloud;
the cloud performs classification detection on the file based on a hash-value classifier with at least two levels of Hamming distance; when the feature of the file matches a feature in the cloud black/white list feature database, the cloud counts the probability with which the file feature hits features in the cloud black/white list feature database;
according to the counted probability, the cloud sends to the client the files whose probability ranking within a predetermined time interval falls within a preset range;
the client updates its lightweight black/white list feature database according to the files sent by the cloud; while the client updates the lightweight black/white list feature database, the Hamming-distance classifier completes an adaptive update.
According to the predetermined time interval, the cloud feeds back to the client, as the client's lightweight black/white list feature database, the files whose features' probability ranking of hitting features in the cloud black/white list feature database falls within the preset range.
When the feature of the file matches a feature in the cloud black/white list feature database, the cloud counts the probability that the level at which the feature sits in the black/white list feature database is hit, and adaptively adjusts the ordering of the Hamming-distance hash-value classifiers in the cloud according to the probability with which each level is hit.
In another aspect, the present invention provides a cloud scanning system based on an adaptive classifier, including:
a first classification detection unit, for performing classification detection on the client's files based on a Hamming-distance classifier;
a file sending unit, for sending the client's file to the cloud when the first classification detection unit detects that the feature of the file does not match any feature in the client's lightweight black/white list feature database;
a second classification detection unit, for performing classification detection on the file sent by the file sending unit based on a hash-value classifier with at least two levels of Hamming distance;
a first probability statistics unit, for counting the probability with which the feature of the file sent by the file sending unit hits features in the cloud black/white list feature database, when the second classification detection unit detects that the feature matches a feature in that database;
an update unit, for updating the client's lightweight black/white list feature database; the update is realized by the cloud sending to the client, according to the probability counted by the first probability statistics unit, the files whose probability ranking within the predetermined time interval falls within the preset range; while the client's lightweight black/white list feature database is updated, the Hamming-distance classifier completes an adaptive update.
With the above cloud scanning method and system based on an adaptive classifier according to the present invention, performing classification detection on files with an adaptive classifier, on the one hand, improves the filtering efficiency and hit probability of the features in the client's lightweight black/white list feature database and reduces the amount of data sent to the cloud; on the other hand, it shortens the query distance of features in the cloud black/white list feature database and improves the efficiency of feature lookup.
To achieve the above and related objects, one or more aspects of the invention include the features described in detail below and particularly pointed out in the claims. The following description and the accompanying drawings set out certain illustrative aspects of the invention in detail. These aspects, however, indicate only some of the various ways in which the principles of the invention may be employed, and the invention is intended to include all such aspects and their equivalents.
Brief description of the drawings
With reference to the following description and claims taken in conjunction with the accompanying drawings, and with a more complete understanding of the present invention, other objects and results of the invention will become more apparent and more readily understood. In the drawings:
Fig. 1 is a first flow diagram of cloud scanning based on an adaptive classifier according to an embodiment of the present invention;
Fig. 2 is a second flow diagram of cloud scanning based on an adaptive classifier according to an embodiment of the present invention;
Fig. 3 is a logical block diagram of the cloud scanning system based on an adaptive classifier according to an embodiment of the present invention.
The same reference numerals indicate similar or corresponding features or functions throughout the drawings.
Detailed description
Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
To address the inflexible adjustment of the black/white lists, the low filtering efficiency and the low feature-database match hit rate of the existing hardware-based two-level black/white list mechanism described above, the present invention performs classification detection on files based on an adaptive classifier. On the client, the invention performs classification detection on files submitted to the client based on an adaptive Hamming-distance classifier; when the feature of a file submitted for classification detection misses the client's lightweight black/white list feature database but hits the cloud black/white list feature database, the cloud feeds back to the client, within a predetermined time interval, the files whose hit-rate ranking falls within a preset range, and the client uses them to update its lightweight black/white list feature database; as the lightweight black/white list feature database is updated, the Hamming-distance classifier completes an adaptive update. This improves the filtering efficiency and hit probability of the features in the client's lightweight black/white list feature database and reduces the amount of data sent to the cloud.
In addition, in the cloud, the invention performs classification detection on files submitted to the cloud based on a hash-value classifier with multiple levels of Hamming distance; when the feature of a file submitted to the cloud for classification detection matches a feature in the cloud black/white list feature database, the ordering of the Hamming-distance hash-value classifiers in the cloud is adjusted adaptively according to the probability that the level at which the feature sits in the cloud black/white list feature database is hit. This shortens the query distance of features in the cloud black/white list feature database and improves the performance and efficiency of feature lookup.
To illustrate the cloud scanning method based on an adaptive classifier provided by the invention, Fig. 1 shows the flow of the method according to an embodiment of the invention. As shown in Fig. 1, the cloud scanning method based on an adaptive classifier provided by the invention includes:
S110: The client performs classification detection on a file based on a Hamming-distance classifier.
Specifically, before the client performs classification detection on a file based on the Hamming-distance classifier, the client stores a lightweight black/white list feature database. Because traffic and the external data environment differ, the files each client has to detect are different; the lightweight black/white list feature database is therefore obtained by the cloud, for a specific client, feeding back to that client the files whose features' probability ranking of hitting features in the cloud black/white list feature database within the predetermined time interval falls within the preset range.
That is, according to the predetermined time interval, the cloud feeds back to the client, as the client's lightweight black/white list feature database, the files whose features' probability ranking of hitting features in the cloud black/white list feature database falls within the preset range. The predetermined time interval may be measured in hours or in days, and the preset range may be the top 100 or the top 1000 of the probability ranking.
For example, for a specific client, the cloud can feed back to the client the top 100 files, ranked by the probability with which their features hit features in the cloud black/white list feature database over 8 hours, as that client's lightweight black/white list feature database.
Note that the client's classification detection of a file is the process of matching the feature of the file against the features in the client's lightweight black/white list feature database. When the client performs classification detection on a file based on the Hamming-distance classifier, the classifier operates on the MD5 or SHA-1 value of the file; that is, the file feature is obtained by computing the MD5 or SHA-1 value of the file. Computing the MD5 and SHA-1 values of a file is common knowledge and is not repeated here. One caveat the page does not raise: practical collision attacks exist for both MD5 and SHA-1, so a whitelist keyed on either hash alone can be matched by a deliberately crafted file; an allow-list of this kind is today normally keyed on a hash without known collision attacks, such as SHA-256.
S120: When the feature of the file does not match any feature in the client's lightweight black/white list feature database, the client sends the file to the cloud.
Specifically, the feature of the file is first matched against the features in the blacklist feature database of the client's lightweight black/white list feature database; if the match succeeds, the result is returned directly. If the match fails, the feature is matched against the features in the whitelist feature database of the client's lightweight black/white list feature database; if that match succeeds, the result is returned directly. If that match also fails, the file belongs to neither part of the client's lightweight black/white list feature database, and in that case the client forwards the file directly to the cloud for processing.
S130: The cloud performs classification detection on the file based on a hash-value classifier with at least two levels of Hamming distance.
Specifically, because the features in the cloud black/white list feature database are on a massive scale, for features of that volume the present invention performs classification detection on the file in the cloud based on a hash-value classifier with eight levels of Hamming distance. That is, the invention designs an eight-level hash-value classifier based on Hamming distance, in which every 16 bits of the hash value form one Hamming-distance classifier and a distance below 4 is treated as one class, so that each level of classifier is divided into four classes; the eight levels of classifier divide the space into 16384 classes (the figure stated in the original; four classes at each of eight levels would give 4^8 = 65536), and for a black/white list feature database of 30,000,000 entries each class finally contains about 1832 features. This maximizes the separation between classes. The distance used by the classifier is the weight of the difference between bit vectors: the smaller it is, the more similar the bit vectors are, and when the distance is below a certain limit they can be considered to belong to the same class.
The cloud's classification detection of a file is the process of matching, in the cloud, the feature of the file against the features in the cloud black/white list feature database.
When the feature of the file sent to the cloud does not match any feature in the cloud black/white list feature database, the feature belongs neither to the blacklist feature database nor to the whitelist feature database in the cloud, and the file is then scanned with multiple engines. The cloud's multi-engine scan can combine a heuristic engine with an artificial-intelligence engine, for example BitDefender combined with the QVM (Qihoo Support Vector Machine) artificial-intelligence engine.
In addition, when the feature of the file sent to the cloud matches a feature in the cloud black/white list feature database, the probability that the level at which the feature sits in the cloud black/white list feature database is hit must also be counted, and the ordering of the Hamming-distance hash-value classifiers in the cloud is then adjusted adaptively according to the probability with which that level is hit.
That is, the Hamming-distance hash-value classifier in the cloud likewise uses a hit-rate ranking mechanism: the classifier levels with the highest hit rate are automatically moved to the front. Because the whole Hamming-distance hash-value classifier has eight levels, the classification result is in theory the same whichever level the classification starts from; but by dynamically adjusting the order of the eight levels according to their hit rates, the invention reduces the number of classifier stages in the processing flow as far as possible, which improves the performance and efficiency of feature lookup.
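The eight-level Hamming-distance hash classifier and its hit-rate-driven reordering, as an added Python example written for this page (it is not code from the patent or from any vendor product). The page does not say how a 16-bit segment is assigned to one of four classes beyond "a distance below 4 is one class", so the example assumes the segment's Hamming distance from the all-zero 16-bit vector (its popcount) banded in steps of four; it counts a level as hit whenever a query finds a populated class at that level, and `reorder()` moves the levels with the most hits to the front and rebuilds the nested index in that order. The names `MultiLevelHashIndex`, `hamming_class` and `segments`, and the byte strings standing in for files, are the example's own.

```python
import hashlib

SEGMENT_BITS = 16                    # page: one classifier level per 16 bits of the hash
NUM_LEVELS = 128 // SEGMENT_BITS     # MD5 is 128 bits, so eight levels
CLASSES_PER_LEVEL = 4                # page: each level splits into four classes
DISTANCE_BAND = 4                    # page: a distance below 4 falls into one class


def md5_feature(data: bytes) -> int:
    """File feature as the page defines it: the MD5 of the content, as a 128-bit integer."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def segments(feature: int) -> list:
    """Split the 128-bit feature into eight 16-bit segments, most significant first."""
    return [(feature >> (SEGMENT_BITS * (NUM_LEVELS - 1 - i))) & 0xFFFF
            for i in range(NUM_LEVELS)]


def hamming_class(segment: int) -> int:
    """ASSUMED class rule (the page only says 'distance below 4 is one class'):
    Hamming distance from the all-zero vector, i.e. the popcount, in bands of
    DISTANCE_BAND, capped so that a level has exactly CLASSES_PER_LEVEL classes."""
    distance = bin(segment).count("1")
    return min(distance // DISTANCE_BAND, CLASSES_PER_LEVEL - 1)


class MultiLevelHashIndex:
    """Nested class index over black/white features, walked level by level in
    self.order; per-level hit counters drive the adaptive reordering."""

    def __init__(self, verdicts: dict):
        self.verdicts = dict(verdicts)         # feature -> "black" / "white"
        self.order = list(range(NUM_LEVELS))   # current evaluation order of the levels
        self.level_hits = [0] * NUM_LEVELS     # queries that found a populated class, per level
        self._build()

    def _build(self):
        """Rebuild the nested dict so that its nesting follows self.order."""
        self.root = {}
        for feature in self.verdicts:
            classes = [hamming_class(s) for s in segments(feature)]
            node = self.root
            for level in self.order[:-1]:
                node = node.setdefault(classes[level], {})
            node.setdefault(classes[self.order[-1]], set()).add(feature)

    def lookup(self, feature: int):
        """Return (verdict or None, number of levels visited). A level whose class
        is empty ends the walk early; the final level holds the exact features."""
        classes = [hamming_class(s) for s in segments(feature)]
        node, visited = self.root, 0
        for level in self.order:
            visited += 1
            child = node.get(classes[level])
            if child is None:
                return None, visited
            self.level_hits[level] += 1
            node = child
        return (self.verdicts[feature] if feature in node else None), visited

    def reorder(self) -> list:
        """Page's policy: move the levels with the highest hit counts to the front,
        then rebuild the index in the new order. Returns the new order."""
        self.order.sort(key=lambda level: self.level_hits[level], reverse=True)
        self._build()
        return list(self.order)

    def populated_classes(self) -> int:
        """Number of non-empty final classes, to compare with the page's class counts."""
        def count(node, depth):
            if depth == NUM_LEVELS - 1:
                return len(node)
            return sum(count(child, depth + 1) for child in node.values())
        return count(self.root, 0)


if __name__ == "__main__":
    # Constructed sample: 50 'malicious' and 50 'benign' byte strings stand in for files.
    verdicts = {md5_feature(b"evil-%d" % i): "black" for i in range(50)}
    verdicts.update({md5_feature(b"good-%d" % i): "white" for i in range(50)})
    index = MultiLevelHashIndex(verdicts)
    print(index.lookup(md5_feature(b"evil-7")), index.lookup(md5_feature(b"unknown")))
    print("order after reorder:", index.reorder(), "classes:", index.populated_classes())
```

Under this assumed bucketing the classes are far from even: most 16-bit values have a popcount near 8, so classes 1 and 2 hold nearly everything and classes 0 and 3 are almost empty; the roughly 1832-per-class spread the page describes would need reference vectors chosen for an even split rather than the zero vector. Note also that an unknown hash whose classes are all populated still walks all eight levels before the final set lookup rejects it, so the reordering only saves work on queries that hit an empty class.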
S140: When the feature of the file matches a feature in the cloud black/white list feature database, the probability with which the file feature hits features in the cloud black/white list feature database is counted.
Counting the probability with which the features of files sent to the cloud hit features in the cloud black/white list feature database makes it easy to update the client's lightweight black/white list feature database, which further raises the probability that a file feature hits a feature in the client's lightweight black/white list feature database and so reduces the amount of file data the client sends to the cloud for detection.
S150: According to the counted probability, the cloud sends to the client the files whose probability ranking within the predetermined time interval falls within the preset range.
S160: The client updates its lightweight black/white list feature database according to the files sent by the cloud; while the client updates the lightweight black/white list feature database, the Hamming-distance classifier completes an adaptive update.
Experiments show that when the client performs classification detection on files based on the Hamming-distance classifier, the accuracy of the classifier can exceed 95%, and in probabilistic terms about 50% of the performance loss can be saved. For each new lightweight black/white list feature set sent by the cloud, the classifier performs self-learning and self-training; only once the new classifier has been trained are the original lightweight black/white list feature database and classifier locked and replaced.
To further illustrate the cloud scanning method based on an adaptive classifier provided by the invention, Fig. 2 shows a second flow of cloud scanning based on an adaptive classifier according to an embodiment of the invention. As shown in Fig. 2:
First, the MD5 value of the file submitted to the client for detection is computed; based on that MD5 value, the Hamming-distance classifier determines whether the file hits the blacklist feature database in the client's lightweight black/white list feature database. If it hits, the result is returned directly; if not, the classifier determines whether the file hits the whitelist feature database in the lightweight black/white list feature database; if it hits, the result is likewise returned directly, and if it still does not hit, the file is sent directly to the cloud.
The cloud classifies the file sent by the client, likewise based on the file's MD5 value. When the file hits the cloud black/white list feature database, the probability with which the file's feature hits features in the cloud black/white list feature database is counted; the cloud then sends to the client, according to the counted probability, the n features of the black/white list feature database with the highest hit rate over the time T, where T is the predetermined time interval of the flow shown in Fig. 1 and n is the preset range.
Finally, according to the features sent by the cloud, the client's Hamming-distance classifier performs self-learning and self-training; once the new classifier has been trained, the features in the original lightweight black/white list feature database and the classifier are locked and replaced, completing the update of the black/white list feature database together with the classifier.
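The whole client/cloud exchange of Fig. 1 and Fig. 2 (S110 to S160), as an added Python example written for this page rather than taken from the patent: a client that consults its lightweight blacklist, then its whitelist, and forwards misses to the cloud; a cloud that answers from the full lists, counts hits per feature during a window T, hands the top-n features back with their verdicts at the end of the window, and queues features that miss both lists for the multi-engine scan (which is not modelled); and the client's swap-in of the new lightweight list. The byte strings standing in for files, the window contents and `top_n=3` are constructed for the example, windows are explicit calls rather than wall-clock time, and the class and function names are the example's own.

```python
import hashlib
from collections import Counter


def file_feature(data: bytes) -> str:
    """The page's file feature: the MD5 of the content (SHA-1 is the page's other option)."""
    return hashlib.md5(data).hexdigest()


class Cloud:
    """Cloud side: full black/white lists, per-window hit counters, top-n feedback."""

    def __init__(self, black, white, top_n):
        self.black = set(black)
        self.white = set(white)
        self.top_n = top_n
        self.window_hits = Counter()    # S140: hits per feature within the current window T
        self.multi_engine_queue = []    # features missing both lists (page: multi-engine scan)

    def check(self, feature: str) -> str:
        if feature in self.black:
            verdict = "black"
        elif feature in self.white:
            verdict = "white"
        else:
            self.multi_engine_queue.append(feature)
            return "unknown"
        self.window_hits[feature] += 1
        return verdict

    def end_of_window(self) -> dict:
        """S150: the top-n features of the window with their verdicts; counters reset for the next window."""
        ranked = [f for f, _ in self.window_hits.most_common(self.top_n)]
        update = {f: ("black" if f in self.black else "white") for f in ranked}
        self.window_hits.clear()
        return update


class Client:
    """Client side: lightweight black/white lists, consulted blacklist first, then whitelist."""

    def __init__(self, cloud: Cloud):
        self.cloud = cloud
        self.black = set()
        self.white = set()

    def scan(self, data: bytes):
        """S110/S120: returns (verdict, where it was answered)."""
        feature = file_feature(data)
        if feature in self.black:
            return "black", "local"
        if feature in self.white:
            return "white", "local"
        return self.cloud.check(feature), "cloud"

    def apply_update(self, update: dict):
        """S160: build the new lightweight lists off to the side, then swap both in at once."""
        new_black = {f for f, v in update.items() if v == "black"}
        new_white = {f for f, v in update.items() if v == "white"}
        self.black, self.white = new_black, new_white


# Constructed sample traffic: byte strings stand in for files seen during one window T.
MALWARE = [b"evil-sample-1", b"evil-sample-2"]
BENIGN = [b"benign-sample-1", b"benign-sample-2", b"benign-sample-3"]
NOVEL = b"never-seen-before"
TRAFFIC = ([MALWARE[0]] * 5 + [BENIGN[0]] * 4 + [BENIGN[1]] * 2
           + [MALWARE[1]] + [BENIGN[2]] + [NOVEL])


def run_window(client: Client, traffic) -> dict:
    """Scan every file once; count where each was answered and how many were unknown."""
    stats = Counter()
    for data in traffic:
        verdict, where = client.scan(data)
        stats[where] += 1
        if verdict == "unknown":
            stats["unknown"] += 1
    return dict(stats)


def simulate():
    """Two windows of the same traffic: before and after the first top-n update."""
    cloud = Cloud([file_feature(m) for m in MALWARE],
                  [file_feature(b) for b in BENIGN], top_n=3)
    client = Client(cloud)
    window1 = run_window(client, TRAFFIC)
    update = cloud.end_of_window()
    client.apply_update(update)
    window2 = run_window(client, TRAFFIC)
    return window1, update, window2


if __name__ == "__main__":
    before, update, after = simulate()
    print("window 1:", before)
    print("top-n update:", update)
    print("window 2:", after)
```

In the second window the eleven scans of the three most frequent files are answered locally and only three requests reach the cloud; the unknown file is forwarded every time, because the lightweight list can only carry features the cloud has already classified. Holding the new sets off to the side and assigning both in one statement is the example's stand-in for the page's "lock and replace" of the old list and classifier.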
Corresponding to the above method, the present invention provides a cloud scanning system based on an adaptive classifier. Fig. 3 shows the logical structure of the cloud scanning system based on an adaptive classifier according to an embodiment of the invention.
As shown in Fig. 3, the cloud scanning system 300 based on an adaptive classifier provided by the invention includes a first classification detection unit 310, a file sending unit 320, a second classification detection unit 330, a first probability statistics unit 340 and an update unit 350.
The first classification detection unit 310 is used to perform classification detection on the client's files based on a Hamming-distance classifier.
Specifically, before the client performs classification detection on a file based on the Hamming-distance classifier, the client stores a lightweight black/white list feature database. Because traffic and the external data environment differ, the files each client has to detect are different; the lightweight black/white list feature database is therefore obtained by the cloud, for a specific client, feeding back to that client the files whose features' probability ranking of hitting features in the cloud black/white list feature database within the predetermined time interval falls within the preset range. That is, the cloud scanning system based on an adaptive classifier provided by the invention further includes a feature database sending unit (not shown), for feeding back to the client, according to the predetermined time interval, the files whose features' probability ranking of hitting features in the cloud black/white list feature database falls within the preset range, as the client's lightweight black/white list feature database.
Note that the classification detection performed on a file by the first classification detection unit 310 is the process of matching the feature of the file against the features in the client's lightweight black/white list feature database. When the client performs classification detection on a file based on the Hamming-distance classifier, the classifier operates on the MD5 or SHA-1 value of the file; that is, the file feature is obtained by computing the MD5 or SHA-1 value of the file. Computing the MD5 and SHA-1 values of a file is common knowledge and is not repeated here.
The file sending unit 320 is used to send the client's file to the cloud when the first classification detection unit 310 detects that the feature of the file does not match any feature in the client's lightweight black/white list feature database.
Specifically, the feature of the file is first matched against the features in the blacklist feature database of the client's lightweight black/white list feature database; if the match succeeds, the result is returned directly. If the match fails, the feature is matched against the features in the whitelist feature database of the client's lightweight black/white list feature database; if that match succeeds, the result is returned directly. If that match also fails, the file belongs to neither part of the client's lightweight black/white list feature database, and in that case the client forwards the file directly to the cloud for processing.
The second classification detection unit 330 is used to perform classification detection on the file sent by the file sending unit 320 based on a hash-value classifier with at least two levels of Hamming distance.
The cloud scanning system based on an adaptive classifier provided by the invention further includes a multi-engine scanning unit (not shown), for scanning the file with multiple engines when the second classification detection unit detects that the feature of the file sent by the file sending unit does not match any feature in the cloud black/white list feature database.
Further, because the features in the cloud black/white list feature database are on a massive scale, for features of that volume the present invention performs classification detection on the file in the cloud based on a hash-value classifier with eight levels of Hamming distance. That is, the invention designs an eight-level hash-value classifier based on Hamming distance, in which every 16 bits of the hash value form one Hamming-distance classifier and a distance below 4 is treated as one class, so that each level of classifier is divided into four classes; the eight levels of classifier divide the space into 16384 classes (the figure stated in the original), and for a black/white list feature database of 30,000,000 entries each class finally contains about 1832 features. This maximizes the separation between classes. The distance used by the classifier is the weight of the difference between bit vectors: the smaller it is, the more similar the bit vectors are, and when the distance is below a certain limit they can be considered to belong to the same class. The cloud's classification detection of a file is the process of matching, in the cloud, the feature of the file against the features in the cloud black/white list feature database.
The cloud scanning system based on an adaptive classifier provided by the invention further includes a second probability statistics unit and an order adjustment unit (not shown in the figure). The second probability statistics unit is used to count the probability that the level at which the feature sits in the cloud black/white list feature database is hit, when the second classification detection unit 330 detects that the feature of the file sent by the file sending unit matches a feature in the cloud black/white list feature database; the order adjustment unit is used to adaptively adjust the ordering of the Hamming-distance hash-value classifiers in the cloud according to the probability counted by the second probability statistics unit.
That is, the Hamming-distance hash-value classifier in the cloud likewise uses a hit-rate ranking mechanism: the classifier levels with the highest hit rate are automatically moved to the front. Because the whole Hamming-distance hash-value classifier has eight levels, the classification result is in theory the same whichever level the classification starts from; but by dynamically adjusting the order of the eight levels according to their hit rates, the invention reduces the number of classifier stages in the processing flow as far as possible, which improves the performance and efficiency of feature lookup.
The first probability statistics unit 340 is used, when the second classification detection unit 330 detects that the feature of the file sent by the file sending unit 320 successfully matches a feature in the black and white list feature database of the cloud, to count the probability that the feature of the file sent by the file sending unit hits a feature in the black and white list feature database of the cloud.
It should be noted that counting the probability with which the feature of a file sent to the cloud hits a feature in the black and white list feature database of the cloud makes it easy to update the lightweight black and white list feature database of the client. This further raises the probability that a file feature hits a feature in the client's lightweight black and white list feature database, and in turn reduces the volume of data the client sends to the cloud for detection.
The updating unit 350 is used to update the lightweight black and white list feature database of the client. The update is realized by the cloud sending to the client, according to the probability counted by the first probability statistics unit 340, the files whose probability ranking within the predetermined time interval falls within the preset range. While the lightweight black and white list feature database of the client is updated, the Hamming distance classifier completes an adaptive update.
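As an added illustration (not code from the patent), the following Python sketches the cloud side of the scheme described above: an eight-level classifier over 16-bit slices of a 128-bit MD5 digest with four classes per level, per-level and per-feature hit counting, hit-rate reordering of the levels, and selection of the most-hit features for the client's lightweight list. The popcount-based class key, the early-exit rule (RESOLVE_AT) and the exact-match final check are assumptions, since the page does not specify how a slice is partitioned into classes or how a query terminates.

```python
import hashlib
from collections import Counter, defaultdict

LEVELS, SLICE_BITS, MAX_DIST = 8, 16, 4  # eight 16-bit slices of a 128-bit MD5; "distance < 4" is one class
RESOLVE_AT = 1                            # assumption: stop cascading once this few candidates remain


def md5_int(data: bytes) -> int:
    """128-bit MD5 digest as an integer (claim 4 allows MD5 or SHA1)."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def slice_bits(h: int, level: int) -> int:
    """The 16-bit slice of the hash handled by one level classifier."""
    return (h >> ((LEVELS - 1 - level) * SLICE_BITS)) & 0xFFFF


def class_key(h: int, level: int) -> int:
    """Assumption (the page does not fix the partition): a slice is bucketed into
    four classes by popcount in bins of width MAX_DIST, so slices whose popcounts
    differ by less than 4 tend to fall into the same class."""
    return min(bin(slice_bits(h, level)).count("1") // MAX_DIST, 3)


class CloudClassifier:
    """Cloud-side multi-level classifier over a black/white list {md5 int: verdict}."""

    def __init__(self, listed):
        self.verdict = dict(listed)
        self.buckets = [defaultdict(set) for _ in range(LEVELS)]
        for h in listed:
            for lv in range(LEVELS):
                self.buckets[lv][class_key(h, lv)].add(h)
        self.order = list(range(LEVELS))  # order in which level classifiers are consulted
        self.level_hits = Counter()       # second probability statistics unit: hits per level
        self.feature_hits = Counter()     # first probability statistics unit: hits per feature

    def classify(self, h):
        """Return (verdict or None, number of level classifiers that ran)."""
        cands = None
        for stage, lv in enumerate(self.order, start=1):
            bucket = self.buckets[lv].get(class_key(h, lv), set())
            cands = bucket if cands is None else cands & bucket
            if len(cands) <= RESOLVE_AT or stage == LEVELS:
                if h in cands:               # exact feature match inside the narrowed class
                    self.level_hits[lv] += 1
                    self.feature_hits[h] += 1
                    return self.verdict[h], stage
                return None, stage           # unmatched: the page hands this to multi-engine scanning
        return None, LEVELS

    def reorder_levels(self):
        """Adaptive ordering: the level that resolves the most queries is consulted first."""
        self.order.sort(key=lambda lv: -self.level_hits[lv])
        return list(self.order)

    def client_update(self, top_n):
        """Most-hit features of the current window, sent to refresh the client's
        lightweight list; the window counter is reset afterwards."""
        top = [h for h, _ in self.feature_hits.most_common(top_n)]
        self.feature_hits.clear()
        return top
```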
In summary, the cloud checking and killing method and system based on an adaptive classifier provided by the present invention can, on the one hand, improve the filtering efficiency and hit probability of the features in the client's lightweight black and white list feature database and reduce the amount of data sent to the cloud; on the other hand, they shorten the query distance of the features in the black and white list feature database of the cloud and improve the efficiency of feature search.
The cloud checking and killing method and system based on an adaptive classifier according to the present invention have been described above by way of example with reference to the accompanying drawings. Those skilled in the art will understand, however, that various improvements can be made to the cloud checking and killing method and system based on an adaptive classifier proposed by the present invention without departing from the present invention. Therefore, the scope of protection of the present invention should be determined by the content of the appended claims.
Claims (8)
1. A cloud checking and killing method based on an adaptive classifier, comprising:
a client performing classification detection on a file based on a Hamming distance classifier; wherein, when the feature of the file fails to match the features in a lightweight black and white list feature database of the client,
the client sends the file to a cloud;
the cloud performs classification detection on the file based on a hash value classifier of at least two levels of Hamming distance, the hash value classifier of Hamming distance referring to a Hamming distance classifier based on hash values; wherein, when the feature of the file successfully matches a feature in the black and white list feature database of the cloud,
the probability that the feature of the file hits the feature in the black and white list feature database of the cloud is counted, and the probability that the level at which that feature is located in the black and white list feature database of the cloud is hit is counted;
the cloud, according to the counted probabilities, sends to the client the files whose probability ranking within a predetermined time interval falls within a preset range, and adaptively adjusts the arrangement order of the hash value classifiers of Hamming distance in the cloud according to the probability that the level is hit;
the client updates its lightweight black and white list feature database according to the files sent by the cloud;
wherein, while the client updates the lightweight black and white list feature database, the Hamming distance classifier completes an adaptive update.
2. The cloud checking and killing method based on an adaptive classifier as claimed in claim 1, wherein, when the feature of the file fails to match the features in the black and white list feature database of the cloud, the file is checked and killed using multiple engines.
3. The cloud checking and killing method based on an adaptive classifier as claimed in claim 1, further comprising: according to the predetermined time interval, feeding back to the client, as the lightweight black and white list feature database of the client, those files of the client whose features hit the features in the black and white list feature database of the cloud with a probability ranking within the preset range.
4. The cloud checking and killing method based on an adaptive classifier as claimed in claim 1, wherein the Hamming distance classifier and the hash value classifier of Hamming distance perform classification detection on the file based on the MD5 value or SHA1 value of the file.
5. A cloud checking and killing system based on an adaptive classifier, comprising:
a first classification detection unit, for performing classification detection on a file of a client based on a Hamming distance classifier;
a file sending unit, for sending the file of the client to a cloud when the first classification detection unit detects that the feature of the file fails to match the features in a lightweight black and white list feature database of the client;
a second classification detection unit, for performing classification detection on the file sent by the file sending unit based on a hash value classifier of at least two levels of Hamming distance, the hash value classifier of Hamming distance referring to a Hamming distance classifier based on hash values;
a first probability statistics unit, for counting, when the second classification detection unit detects that the feature of the file sent by the file sending unit successfully matches a feature in the black and white list feature database of the cloud, the probability that the feature of the file sent by the file sending unit hits the feature in the black and white list feature database of the cloud;
a second probability statistics unit, for counting, when the second classification detection unit detects that the feature of the file sent by the file sending unit successfully matches a feature in the black and white list feature database of the cloud, the probability that the level at which that feature is located in the black and white list feature database of the cloud is hit;
a sequence adjustment unit, for adaptively adjusting the arrangement order of the hash value classifiers of Hamming distance in the cloud according to the probability counted by the second probability statistics unit;
an updating unit, for updating the lightweight black and white list feature database of the client; wherein the update is realized by the cloud sending to the client, according to the probability counted by the first probability statistics unit, the files whose probability ranking within a predetermined time interval falls within a preset range; and wherein, while the lightweight black and white list feature database of the client is updated, the Hamming distance classifier completes an adaptive update.
6. The cloud checking and killing system based on an adaptive classifier as claimed in claim 5, further comprising: a multi-engine checking and killing unit, for checking and killing the file using multiple engines when the second classification detection unit detects that the feature of the file sent by the file sending unit fails to match the features in the black and white list feature database of the cloud.
7. The cloud checking and killing system based on an adaptive classifier as claimed in claim 5, further comprising: a feature database sending unit, for feeding back to the client, according to the predetermined time interval and as the lightweight black and white list feature database of the client, those files of the client whose features hit the features in the black and white list feature database of the cloud with a probability ranking within the preset range.
8. The cloud checking and killing system based on an adaptive classifier as claimed in claim 5, wherein the Hamming distance classifier and the hash value classifier of Hamming distance perform classification detection on the file based on the MD5 value or SHA1 value of the file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410459367.XA CN104243470B (en) | 2014-09-10 | 2014-09-10 | Cloud checking and killing method and system based on adaptive classifier |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104243470A (en) | 2014-12-24 |
CN104243470B (en) | 2018-04-06 |
Family
ID=52230820
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |