CN104243470B - Cloud checking and killing method and system based on adaptive classifier - Google Patents

Publication number: CN104243470B
Application number: CN201410459367.XA
Authority: CN (China)
Other versions: CN104243470A
Other languages: Chinese (zh)
Inventors: 吴子章, 刘申, 赵志宏, 柴丽颖
Current assignee: Neusoft Corp
Original assignee: Neusoft Corp
Legal status: Active
Prior art keywords: file, clouds, feature, client, black

Abstract

The invention provides a cloud scanning-and-removal ("cloud killing") method and system based on an adaptive classifier. In the method, the client classifies a file with a Hamming-distance classifier; when the file's feature fails to match any feature in the client's lightweight black-and-white-list feature database, the client sends the file to the cloud. The cloud classifies the file with a hash-value classifier built from at least two levels of Hamming-distance classification. When the file's feature matches a feature in the cloud's black-and-white-list feature database, the cloud counts the hit rate of that feature and, for a predetermined time interval, sends the files whose hit-rate ranking falls within a preset range back to the client; the client uses them to update its lightweight black-and-white-list feature database while its Hamming-distance classifier completes an adaptive update. The invention raises the filtering efficiency and hit probability for file features, reduces the data the client sends to the cloud, shortens the lookup distance for file features in the cloud, and improves the efficiency of feature search.

Description

Cloud checking and killing method and system based on adaptive classifier
Technical field
The present invention relates to the field of cloud security and, more specifically, to a cloud killing (cloud scanning-and-removal) method and system based on an adaptive classifier.
Background art
Cloud security is the latest embodiment of information security in the network era; cloud security technology is the natural result of the combined development of P2P technology, network technology and the distributed-computing techniques of cloud computing. Because a feature database stored in the cloud can be far larger than one stored on the original hardware device, moving the feature database to the cloud reduces the device's memory overhead, and using the cloud's high processing capacity to perform the security scan as well reduces the scan's impact on hardware performance. Precisely because of these advantages, cloud security has become the choice of more and more security vendors, but this also brings new problems to cloud security.
From a security perspective, the cloud security products of the major international and domestic information security vendors have all become increasingly centralized, for two reasons: first, terminals no longer hold the data, so attacking a terminal is less and less rewarding; second, the lightweighting and diversification of terminals make attacking them progressively harder. For both reasons, attackers have now turned their spearhead toward the server side, that is, the cloud. APT (Advanced Persistent Threat) attacks, which have emerged in the last two years, can use a variety of infiltration techniques to attack cloud platforms. Against this backdrop, reducing as far as possible the volume of data the client sends to the cloud reduces, to some extent, the probability of such attacks on the cloud.
From a performance perspective, the centralization trend of the cloud computing era has raised the performance requirements on cloud security to unprecedented heights. Cloud security faces an endless stream of network attacks; how to reduce the client's dependence on the cloud and how to improve response speed have become the critical path to improving its own security. Many mainstream vendors (such as Palo Alto, Checkpoint, Fortinet, 360 and Trend Micro) mostly use black-and-white lists to reduce feature-database matching as far as possible, so as to improve the performance of the whole cloud killing process while reducing losses, but their black-and-white-list techniques still have the following problems:
1. Searching black-and-white lists on the order of tens of millions of entries still consumes considerable resources and causes a certain performance loss;
2. Many rarely used samples in the black-and-white lists account for a disproportionately large share of query time.
To address these problems, many vendors use a hardware-based two-level black-and-white-list mechanism: the larger black-and-white lists are deployed in the cloud, which has the stronger processing capacity, while lightweight black-and-white lists are deployed on the local client to act as a pre-filter. A hardware-based two-level black-and-white-list mechanism nevertheless has the following problems:
1. Because the black-and-white lists are deployed in hardware, they are hard to adjust; over time the volume of data sent to the cloud for inspection grows, eventually costing cloud resources and performance;
2. The client's filtering efficiency and the feature database's match hit rate are low.
Summary of the invention
In view of the above problems, the object of the invention is to provide a cloud killing method and system based on an adaptive classifier, so as to solve the high cloud-side resource consumption and loss of the existing hardware-based two-level black-and-white-list mechanism and the low filtering efficiency and feature-database match hit rate at the client.
According to one aspect of the invention, a cloud killing method based on an adaptive classifier is provided, comprising:
the client classifying a file with a Hamming-distance classifier, wherein, when the file's feature fails to match any feature in the client's lightweight black-and-white-list feature database, the client sends the file to the cloud;
the cloud classifying the file with a hash-value classifier built from at least two levels of Hamming-distance classification, wherein, when the file's feature matches a feature in the cloud's black-and-white-list feature database, the cloud counts the probability that the file's feature hits that feature in the cloud's black-and-white-list feature database;
the cloud sending to the client, according to the counted probabilities, the files whose probability ranking within a predetermined time interval falls within a preset range;
the client updating its lightweight black-and-white-list feature database with the files sent by the cloud, wherein, while the client updates the lightweight black-and-white-list feature database, the Hamming-distance classifier completes an adaptive update.
Here, at the predetermined time interval, the cloud feeds back to the client, as the client's lightweight black-and-white-list feature database, the files whose features' probability of hitting features in the cloud's black-and-white-list feature database ranks within the predetermined range.
Here, when the file's feature matches a feature in the cloud's black-and-white-list feature database, the cloud counts the probability that the level at which the feature sits in the black-and-white-list feature database is hit, and adaptively adjusts the arrangement order of the Hamming-distance hash-value classifiers in the cloud according to that probability.
In another aspect, the invention provides a cloud killing system based on an adaptive classifier, comprising:
a first classification-and-detection unit, for classifying the client's file with a Hamming-distance classifier;
a file sending unit, for sending the client's file to the cloud when the first classification-and-detection unit finds that the file's feature fails to match any feature in the client's lightweight black-and-white-list feature database;
a second classification-and-detection unit, for classifying the file sent by the file sending unit with a hash-value classifier built from at least two levels of Hamming-distance classification;
a first probability-statistics unit, for counting, when the second classification-and-detection unit finds that the feature of the file sent by the file sending unit matches a feature in the cloud's black-and-white-list feature database, the probability that the feature of the sent file hits that feature in the cloud's black-and-white-list feature database;
an updating unit, for updating the client's lightweight black-and-white-list feature database, wherein the update is performed by the cloud sending to the client, according to the probabilities counted by the first probability-statistics unit, the files whose probability ranking within the predetermined time interval falls within the preset range, and wherein, while the client's lightweight black-and-white-list feature database is updated, the Hamming-distance classifier completes an adaptive update.
With the above cloud killing method and system based on an adaptive classifier, classifying files with an adaptive classifier on the one hand raises the filtering efficiency and hit probability of the features in the client's lightweight black-and-white-list feature database and reduces the volume of data sent to the cloud, and on the other hand shortens the lookup distance for features in the cloud's black-and-white-list feature database and improves the efficiency of feature search.
To achieve the above and related objects, one or more aspects of the invention comprise the features described in detail below and particularly pointed out in the claims. The following description and the accompanying drawings set out certain illustrative aspects of the invention in detail; these, however, indicate only some of the various ways in which the principles of the invention may be employed, and the invention is intended to include all such aspects and their equivalents.
Brief description of the drawings
Other objects and results of the invention will become more apparent and more readily understood by reference to the following description and claims taken in conjunction with the accompanying drawings, and with a more complete understanding of the invention. In the drawings:
Fig. 1 is a first flow diagram of cloud killing based on an adaptive classifier according to an embodiment of the invention;
Fig. 2 is a second flow diagram of cloud killing based on an adaptive classifier according to an embodiment of the invention;
Fig. 3 is a logical block diagram of the cloud killing system based on an adaptive classifier according to an embodiment of the invention.
The same reference numerals indicate similar or corresponding features or functions throughout the drawings.
Detailed description of embodiments
Specific embodiments of the invention are described in detail below with reference to the drawings.
The existing hardware-based two-level black-and-white-list mechanism described above is inflexible in adjusting the black-and-white lists and suffers from low filtering efficiency and a low feature-database match hit rate. The invention therefore classifies files with an adaptive classifier. At the client, the invention classifies the files submitted to the client with an adaptive Hamming-distance classifier; when the feature of a file submitted for classification misses the client's lightweight black-and-white-list feature database but hits the cloud's black-and-white-list feature database, the cloud feeds back to the client the files whose hit-rate ranking within the predetermined time interval falls within the preset range, the client updates its lightweight black-and-white-list feature database with them, and, while the lightweight black-and-white-list feature database is updated, the Hamming-distance classifier completes an adaptive update. This raises the filtering efficiency and hit probability of the features in the client's lightweight black-and-white-list feature database and reduces the volume of data sent to the cloud.
In the cloud, the invention classifies the files submitted to it with a hash-value classifier based on multi-level Hamming distance; when the feature of a file submitted to the cloud for classification matches a feature in the cloud's black-and-white-list feature database, the cloud counts the probability that the level at which that feature sits in its black-and-white-list feature database is hit and adaptively adjusts the arrangement order of the Hamming-distance hash-value classifiers in the cloud according to that probability. This shortens the lookup distance for features in the cloud's black-and-white-list feature database and improves the performance and efficiency of feature search.
To illustrate the cloud killing method based on an adaptive classifier provided by the invention, Fig. 1 shows the flow of the method according to an embodiment of the invention.
As shown in Fig. 1, the cloud killing method based on an adaptive classifier provided by the invention comprises:
S110: the client classifies a file with a Hamming-distance classifier.
Specifically, before the client classifies a file with the Hamming-distance classifier, the client already holds a lightweight black-and-white-list feature database. Because traffic and the external data environment differ, the files each client has to examine differ, so the lightweight black-and-white-list feature database is built by the cloud for that specific client: the cloud feeds back to the client the files, seen from that client within the predetermined time interval, whose features' probability of hitting features in the cloud's black-and-white-list feature database ranks within the preset range.
That is, at the predetermined time interval, the cloud feeds back to the client, as the client's lightweight black-and-white-list feature database, the files whose features' probability of hitting features in the cloud's black-and-white-list feature database ranks within the predetermined range. The predetermined time interval may be measured in hours or in days, and the preset range may be the top 100 or the top 1000 of the probability ranking.
For example, for a specific client, the cloud may feed back to the client, as that client's lightweight black-and-white-list feature database, the 100 files from the preceding 8 hours whose features rank highest in probability of hitting features in the cloud's black-and-white-list feature database.
Note that the client's classification of a file is the process of matching the file's feature against the features in the client's lightweight black-and-white-list feature database. When the client classifies a file with the Hamming-distance classifier, the classifier works on the file's MD5 or SHA1 value; that is, the file's feature is obtained by computing the MD5 or SHA1 value of the file. Computing the MD5 and SHA1 values of a file is common knowledge and is not repeated here.
S120: when the file's feature fails to match any feature in the client's lightweight black-and-white-list feature database, the client sends the file to the cloud.
Specifically, the file's feature is first matched against the features in the blacklist feature database of the client's lightweight black-and-white-list feature database; if it matches, the result is returned directly. If it does not match, it is matched against the features in the whitelist feature database of the client's lightweight black-and-white-list feature database; if it matches, the result is returned directly. If it still does not match, the file belongs to neither part of the client's lightweight black-and-white-list feature database, and in that case the client sends the file directly to the cloud for processing.
S130: the cloud classifies the file with a hash-value classifier built from at least two levels of Hamming-distance classification.
Specifically, because the features in the cloud's black-and-white-list feature database are of massive scale, the invention classifies files in the cloud with a hash-value classifier built from eight levels of Hamming-distance classification. That is, the invention designs an eight-level hash-value classifier based on Hamming distance in which one Hamming-distance classifier over the hash value is defined for every 16 bits; values at a distance below "4" are treated as one class, so each level divides its input into four classes, the eight levels divide the database into 16384 classes, and for a black-and-white-list feature database of 30,000,000 entries each class finally holds about 1832 features. This maximizes the spacing between classes. The distance learned by the classifier is the weight of the difference between bit vectors: the smaller the distance, the more similar the bit vectors, and when the distance is below a certain bound the vectors may be regarded as belonging to the same class.
Here, the cloud's classification of a file is the process of matching the file's feature against the features in the cloud's black-and-white-list feature database.
When the feature of a file sent to the cloud fails to match any feature in the cloud's black-and-white-list feature database, the feature belongs neither to the blacklist feature database nor to the whitelist feature database of the cloud's black-and-white-list feature database, and the file is then scanned with multiple engines. The cloud's multi-engine scan may combine a heuristic engine with an artificial-intelligence engine, for example combining BitDefender with the QVM (Qihoo Support Vector Machine) artificial-intelligence engine to scan the file.
In addition, when the feature of a file sent to the cloud matches a feature in the cloud's black-and-white-list feature database, the cloud must also count the probability that the level at which that feature sits in the cloud's black-and-white-list feature database is hit, and then adaptively adjust the arrangement order of the Hamming-distance hash-value classifiers in the cloud according to that probability.
That is, the Hamming-distance hash-value classifiers in the cloud likewise use a hit-rate ranking mechanism: the classifier level with the higher hit rate is automatically moved to the front. The hash-value classifier based on Hamming distance has eight levels in total, and in theory the classification result is the same whichever level is applied first; the invention, however, dynamically adjusts the order of the eight levels according to their hit rates, which reduces the number of classifier processing steps as far as possible and so improves the performance and efficiency of feature search.
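The cloud-side lookup of S130, as an added Python sketch that is not the patent's own code: the file's MD5 is split into eight 16-bit segments, each segment is placed into one of four classes by a Hamming-distance classifier, and the levels are consulted in an order that is re-sorted by how often each level settled a successful lookup, without changing any verdict. The per-level reference codewords (constructed at random), the nearest-codeword class rule and the hit statistic are assumptions; the description fixes only the segment width, the distance bound and the class counts.

```python
from __future__ import annotations

import hashlib
import random
from collections import defaultdict

SEG_BITS = 16                      # one Hamming-distance classifier per 16 bits
LEVELS = 8                         # a 128-bit MD5 gives eight such segments
CLASSES_PER_LEVEL = 4              # each level splits its segment into four classes
SEG_MASK = (1 << SEG_BITS) - 1


def hamming(a: int, b: int) -> int:
    """Hamming distance: the weight (popcount) of a XOR b."""
    return bin(a ^ b).count("1")


def file_feature(data: bytes) -> bytes:
    """The file feature is its MD5 digest, as in the description."""
    return hashlib.md5(data).digest()


def segments(digest: bytes) -> list[int]:
    """Split a 16-byte digest into LEVELS segments of SEG_BITS bits each."""
    v = int.from_bytes(digest, "big")
    return [(v >> (SEG_BITS * i)) & SEG_MASK for i in range(LEVELS)]


class HammingHashIndex:
    """Cloud black-and-white list bucketed by per-segment Hamming class.

    Lookup intersects the buckets of the levels in self.order and stops as
    soon as at most one candidate remains, so the order only changes how many
    levels are consulted, never the verdict (any level may be applied first)."""

    def __init__(self, seed: int = 1) -> None:
        rng = random.Random(seed)
        # ASSUMPTION: four reference codewords per level, constructed at random;
        # a segment joins the class of its nearest codeword.
        self.codewords = [[rng.getrandbits(SEG_BITS) for _ in range(CLASSES_PER_LEVEL)]
                          for _ in range(LEVELS)]
        self.buckets = [defaultdict(set) for _ in range(LEVELS)]  # level -> class -> ids
        self.entries: dict[int, tuple[bytes, str]] = {}           # id -> (digest, verdict)
        self.order = list(range(LEVELS))     # current processing order of the levels
        self.level_hits = [0] * LEVELS       # ASSUMPTION: "hit" = level that settled a match

    def _classify(self, level: int, seg: int) -> int:
        cw = self.codewords[level]
        return min(range(CLASSES_PER_LEVEL), key=lambda c: hamming(seg, cw[c]))

    def add(self, digest: bytes, verdict: str) -> None:
        fid = len(self.entries)
        self.entries[fid] = (digest, verdict)
        for lvl, seg in enumerate(segments(digest)):
            self.buckets[lvl][self._classify(lvl, seg)].add(fid)

    def lookup(self, digest: bytes) -> tuple[str | None, int]:
        """Return (verdict, or None for a miss; number of levels consulted)."""
        segs = segments(digest)
        cand: set[int] | None = None
        steps = 0
        for lvl in self.order:
            steps += 1
            bucket = self.buckets[lvl][self._classify(lvl, segs[lvl])]
            cand = set(bucket) if cand is None else cand & bucket
            if len(cand) <= 1:            # empty (miss) or one candidate left to verify
                break
        for fid in cand:                   # exact comparison removes false candidates
            if self.entries[fid][0] == digest:
                self.level_hits[lvl] += 1
                return self.entries[fid][1], steps
        return None, steps

    def reorder(self) -> list[int]:
        """Adaptive step: the levels that settled the most lookups move to the front."""
        self.order.sort(key=lambda lvl: -self.level_hits[lvl])
        return list(self.order)


def demo() -> dict:
    """Index a constructed corpus, look everything up, reorder, look up again."""
    idx = HammingHashIndex()
    black = [file_feature(b"constructed-malware-sample-%d" % i) for i in range(60)]
    white = [file_feature(b"constructed-clean-sample-%d" % i) for i in range(60)]
    for d in black:
        idx.add(d, "black")
    for d in white:
        idx.add(d, "white")
    before = sum(idx.lookup(d)[1] for d in black + white)
    order = idx.reorder()
    after = sum(idx.lookup(d)[1] for d in black + white)
    return {"levels_before": before, "levels_after": after, "order": order}


if __name__ == "__main__":
    print(demo())
```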
S140: when the file's feature matches a feature in the cloud's black-and-white-list feature database, the cloud counts the probability that the file's feature hits that feature in the cloud's black-and-white-list feature database.
Note that counting the probability with which the features of files sent to the cloud hit features in the cloud's black-and-white-list feature database makes it easy to update the client's lightweight black-and-white-list feature database, which further raises the probability that a file's feature hits the client's lightweight black-and-white-list feature database and thereby reduces the volume of files the client sends to the cloud for inspection.
S150: according to the counted probabilities, the cloud sends to the client the files whose probability ranking within the predetermined time interval falls within the preset range.
S160: the client updates its lightweight black-and-white-list feature database with the files sent by the cloud, wherein, while the client updates the lightweight black-and-white-list feature database, the Hamming-distance classifier completes an adaptive update.
Experiments show that when the client classifies files with the Hamming-distance classifier, the classifier's accuracy can exceed 95%, and in probabilistic terms about 50% of the performance loss can be saved. For every new set of lightweight black-and-white-list features sent by the cloud, the classifier performs self-learning and self-training; only after the new classifier has been trained are the original lightweight black-and-white-list feature database and classifier locked and replaced.
To further illustrate the cloud killing method based on an adaptive classifier provided by the invention, Fig. 2 shows a second flow of cloud killing based on an adaptive classifier according to an embodiment of the invention. As shown in Fig. 2:
The MD5 value of a file submitted to the client for inspection is computed first; based on that MD5 value, the Hamming-distance classifier judges whether the file hits the blacklist feature database of the client's lightweight black-and-white-list feature database, and if so the result is returned directly. If not, it judges whether the file hits the whitelist feature database of the lightweight black-and-white-list feature database; if so, the result is likewise returned directly, and if the file misses again it is sent directly to the cloud.
The cloud likewise classifies the file sent by the client on the basis of its MD5 value. When the file hits the cloud's black-and-white-list feature database, the cloud counts the probability that the file's feature hits the feature in its black-and-white-list feature database and then, according to the counted probabilities, sends the client the n black-and-white-list features with the highest hit rate within time T, where T is the predetermined time interval and n the preset range of the flow of Fig. 1.
Finally, according to the features sent by the cloud, the client's Hamming-distance classifier performs self-learning and self-training; once the new classifier is trained, the features of the original lightweight black-and-white-list feature database and the classifier are locked and replaced, completing the update of the black-and-white-list feature database together with the classifier.
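The client/cloud loop of steps S110 to S160 and Fig. 2, as an added Python sketch that is not the patent's own code: the client matches the MD5 against its blacklist, then its whitelist, and otherwise queries the cloud; the cloud records hits inside a sliding window T, returns the top-n features by hit count, and the client builds new lists and swaps them in as one unit. Client-side matching is shown as exact digest membership rather than the Hamming-distance classifier, the multi-engine scan of unlisted files is a stub returning "unknown", and the corpus and workload are constructed.

```python
from __future__ import annotations

import hashlib
from collections import Counter, deque


def feature(data: bytes) -> bytes:
    """File feature = MD5 digest, as in the description (SHA1 would work the same)."""
    return hashlib.md5(data).digest()


class LightweightLists:
    """Client-side lightweight black-and-white lists; the blacklist is consulted first."""

    def __init__(self, black=(), white=()) -> None:
        self.black = frozenset(black)
        self.white = frozenset(white)

    def classify(self, feat: bytes) -> str | None:
        if feat in self.black:
            return "black"
        if feat in self.white:
            return "white"
        return None                    # in neither list: the file must go to the cloud


class Cloud:
    """Cloud-side full lists plus hit statistics over the time interval T."""

    def __init__(self, black, white, window: float) -> None:
        self.verdicts = {f: "black" for f in black}
        self.verdicts.update({f: "white" for f in white})
        self.window = window           # T, the predetermined time interval (seconds)
        self.hits: deque[tuple[float, bytes]] = deque()   # (timestamp, feature)

    def check(self, feat: bytes, now: float) -> str:
        verdict = self.verdicts.get(feat)
        if verdict is None:
            return "unknown"           # stub for the multi-engine scan of unlisted files
        self.hits.append((now, feat))  # S140: record the hit for the ranking
        return verdict

    def top_features(self, now: float, n: int) -> list[tuple[bytes, str]]:
        """S150: drop hits older than T, rank the rest by count, return the top n."""
        while self.hits and self.hits[0][0] <= now - self.window:
            self.hits.popleft()
        counts = Counter(f for _, f in self.hits)
        return [(f, self.verdicts[f]) for f, _ in counts.most_common(n)]


class Client:
    def __init__(self, cloud: Cloud) -> None:
        self.cloud = cloud
        self.lists = LightweightLists()
        self.cloud_queries = 0

    def scan(self, data: bytes, now: float) -> str:
        """S110/S120: local lists first, cloud only on a local miss."""
        feat = feature(data)
        verdict = self.lists.classify(feat)
        if verdict is not None:
            return verdict
        self.cloud_queries += 1
        return self.cloud.check(feat, now)

    def update_lists(self, ranked: list[tuple[bytes, str]]) -> None:
        """S160: build the new lists off to the side, then replace the old ones as
        one unit (the description's lock-and-replace once the new classifier is ready)."""
        new = LightweightLists(black=[f for f, v in ranked if v == "black"],
                               white=[f for f, v in ranked if v == "white"])
        self.lists = new               # single rebinding; in-flight scans keep the old object


def simulate(T: float = 8 * 3600.0, n: int = 100) -> dict:
    """Constructed corpus and workload: 40 'hot' files seen ten times each, 200
    'cold' files seen once, 10 files unknown to the cloud; one second per scan."""
    bad = [b"constructed-bad-%d" % i for i in range(300)]
    good = [b"constructed-good-%d" % i for i in range(300)]
    cloud = Cloud([feature(d) for d in bad], [feature(d) for d in good], window=T)
    client = Client(cloud)
    hot = bad[:20] + good[:20]
    cold = good[100:300]
    unknown = [b"constructed-unknown-%d" % i for i in range(10)]
    workload = hot * 10 + cold + unknown
    t = 0.0
    for data in workload:
        client.scan(data, t)
        t += 1.0
    before = client.cloud_queries           # every scan went to the cloud (empty lists)
    client.update_lists(cloud.top_features(now=t, n=n))
    client.cloud_queries = 0
    for data in workload:
        client.scan(data, t)
        t += 1.0
    return {"cloud_queries_before": before,
            "cloud_queries_after": client.cloud_queries,
            "list_size": len(client.lists.black) + len(client.lists.white)}


if __name__ == "__main__":
    print(simulate())
```

With the constructed workload, all 610 scans of the first pass reach the cloud; after the top-100 feedback only the 140 uncached cold files and the 10 unknown files do.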
Corresponding with the above method, the present invention provides a kind of cloud killing system based on adaptive classifier.Fig. 3 is shown The logical construction of cloud killing system based on adaptive classifier according to embodiments of the present invention.
As shown in figure 3, the cloud killing system 300 provided by the invention based on adaptive classifier includes the first classification and Detection Unit 310, file transmitting element 320, the second classification and Detection unit 330, the first probability statistics unit 340 and updating block 350.
Wherein, the first classification and Detection unit 310 is used to classify to the file of client based on Hamming distance grader Detection.
Specifically, client before classification and Detection is carried out to file based on Hamming distance grader, deposited by client There is the black and white lists feature database of lightweight.Due to being influenceed by flow and external data environment, each client to be carried out The file of detection is all different, and therefore, the black and white lists feature database of the lightweight is that high in the clouds is directed to specific client, will be pre- The probability ranking of feature in the black and white lists feature database in the feature hit high in the clouds of the file for the client in interval of fixing time exists File in preset range feeds back to what client was obtained.It is that is, provided by the invention based on adaptive classifier Cloud killing system further comprises feature database transmitting element (not shown), for according to predetermined time interval, by client The probability ranking of feature in the black and white lists feature database in the feature hit high in the clouds of the file at end is fed back in the file of preset range Give lightweight black and white lists feature database of the client as client.
It should be noted that the process that the first classification and Detection unit 310 carries out classification and Detection to file is the feature of file The process matched with the feature in the lightweight black and white lists feature database of client.Wherein, it is based on Hamming distance in client During classification and Detection being carried out from grader to file, MD5 value or SHA1 value of the Hamming distance grader based on file Classification and Detection is carried out to file.That is, file is characterized in the calculating based on MD5 values or SHA1 values to file and obtained Come.Wherein, the MD5 values to file and SHA1 values are calculated as common knowledge, will not be repeated here.
File transmitting element 320 be used for when the first classification and Detection unit 310 detect file feature and client it is light When characteristic matching in magnitude black and white lists feature database is unsuccessful, the file of client is sent to high in the clouds.
Specifically, first by the blacklist feature database in the lightweight black and white lists feature database of the feature of file and client In feature matched, if the match is successful, direct returning result;If matching is unsuccessful, the light weight with client The feature in white list feature database in level black and white lists feature database is matched, if the match is successful, direct returning result; If matching is unsuccessful, illustrate that this file is not belonging to any one of lightweight black and white lists feature database of client, for This document can be then routed directly to high in the clouds and be handled by such a situation, client.
The second classification and detection unit 330 is used to classify and detect, based on a hash-value classifier of at least two levels of Hamming distance, the file sent by the file sending unit 320.
The cloud checking and killing system based on an adaptive classifier provided by the invention further comprises a multi-engine scanning unit (not shown in the figure), which scans the file using multiple engines when the second classification and detection unit detects that the feature of the file sent by the file sending unit does not match any feature in the black-and-white list feature database in the cloud.
Further, since the features in the black-and-white list feature database in the cloud are of massive scale, the present invention classifies and detects files in the cloud with a hash-value classifier based on eight levels of Hamming distance. That is, the present invention designs an eight-level hash-value classifier based on Hamming distance, in which one Hamming-distance classifier based on hash values is designed for every 16 bits, and a distance below "4" is regarded as one class, so that each level classifier divides into four classes and the eight level classifiers together divide into 16384 classes; for a black-and-white list feature database of 30,000,000 entries, each final class then contains about 1832 feature entries. This method maximizes the spacing between classes; the distance learned by the classifier is the weight of the difference between bit vectors. The smaller the distance, the higher the similarity between the bit vectors, and when the distance is below a certain limit the vectors can be regarded as belonging to the same class. The process by which the cloud classifies and detects a file is the process by which the cloud matches the feature of the file against the features in the black-and-white list feature database in the cloud.
The cloud checking and killing system based on an adaptive classifier provided by the invention further comprises a second probability statistics unit and an order adjustment unit (not shown in the figure). The second probability statistics unit is used, when the second classification and detection unit 330 detects that the feature of the file sent by the file sending unit matches a feature in the black-and-white list feature database in the cloud, to count the probability that the level at which that feature is located in the cloud's black-and-white list feature database is hit; the order adjustment unit is used to adaptively adjust the ordering of the Hamming-distance hash-value classifiers in the cloud according to the probability counted by the second probability statistics unit.
That is, the hash-value classifier based on Hamming distance in the cloud likewise uses a hit-rate ranking mechanism: it automatically moves the level classifier with the highest hit rate to the front. Since the whole Hamming-distance hash-value classifier is divided into eight levels, the classification result is in theory the same whichever level classifier is evaluated first; the invention, however, dynamically adjusts the order of the eight level classifiers according to their hit rates, which reduces the number of classifiers in the processing flow as far as possible and thereby improves the performance and efficiency of feature lookup.
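The following is an added illustration (not code from the patent or its assignee) of the two mechanisms described above: an MD5 digest is cut into eight 16-bit segments, each segment is assigned to a Hamming-distance class by one level classifier, and the evaluation order of the eight levels is re-ranked by how often each level resolved a hit. The all-zero reference vector for the per-level distance, the bucketing into four classes by distance range, and the choice of "the level at which a hit resolved" as the per-level hit statistic are my assumptions; the patent states only the 16-bit segments, the distance-below-4 rule and the hit-rate ranking.

```python
import hashlib
from collections import Counter

LEVELS = 8              # a 128-bit MD5 digest split into eight 16-bit segments
SEG_BITS = 16
CLASSES_PER_LEVEL = 4   # Hamming-distance buckets [0,4) [4,8) [8,12) [12,16]


def md5_segments(data):
    """Split the MD5 digest of a file into eight 16-bit integers, one per level."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return [(digest >> (SEG_BITS * (LEVELS - 1 - i))) & 0xFFFF for i in range(LEVELS)]


def level_class(segment, reference=0):
    """Class of one 16-bit segment: its Hamming distance to a reference vector, bucketed
    so a distance below 4 is one class. The all-zero reference is an assumption."""
    distance = bin(segment ^ reference).count("1")
    return min(distance // 4, CLASSES_PER_LEVEL - 1)


class CloudClassifier:
    """Eight level classifiers over a black/white feature store, evaluated in an
    order that is re-ranked by how often each level resolved a hit."""

    def __init__(self):
        self.index = [[set() for _ in range(CLASSES_PER_LEVEL)] for _ in range(LEVELS)]
        self.verdict = {}                  # md5 hex -> "black" | "white"
        self.order = list(range(LEVELS))   # current evaluation order of the levels
        self.level_hits = Counter()        # level -> number of hits resolved there

    def add(self, data, verdict):
        hexd = hashlib.md5(data).hexdigest()
        self.verdict[hexd] = verdict
        for lvl, seg in enumerate(md5_segments(data)):
            self.index[lvl][level_class(seg)].add(hexd)

    def lookup(self, data):
        """Narrow the candidate set one level at a time; return (verdict or None,
        number of level classifiers that had to be evaluated)."""
        segs = md5_segments(data)
        hexd = hashlib.md5(data).hexdigest()
        candidates = None
        for step, lvl in enumerate(self.order, 1):
            bucket = self.index[lvl][level_class(segs[lvl])]
            candidates = bucket if candidates is None else candidates & bucket
            if not candidates:            # no stored feature shares this class: miss
                return None, step
            if len(candidates) == 1:      # class collapsed to one feature: compare it
                break
        if hexd in candidates:
            self.level_hits[lvl] += 1     # record the level at which this hit resolved
            return self.verdict[hexd], step
        return None, step

    def reorder(self):
        """Move the levels that resolve hits most often to the front of the order."""
        self.order.sort(key=lambda lvl: -self.level_hits[lvl])
```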
The first probability statistics unit 340 is used, when the second classification and detection unit 330 detects that the feature of the file sent by the file sending unit 320 matches a feature in the black-and-white list feature database in the cloud, to count the probability that the feature of a file sent by the file sending unit hits a feature in the cloud's black-and-white list feature database.
It should be noted that counting the probability with which the features of files sent to the cloud hit features in the cloud's black-and-white list feature database makes it easy to update the lightweight black-and-white list feature database of the client, which further increases the probability that a file's feature hits a feature in the client's lightweight black-and-white list feature database and in turn reduces the volume of file data the client sends to the cloud for detection.
The updating unit 350 is used to update the lightweight black-and-white list feature database of the client. The update is performed by the cloud sending to the client, according to the probability counted by the first probability statistics unit 340, the files whose probability ranks within a preset range during a preset time interval. While the client's lightweight black-and-white list feature database is updated, the Hamming-distance classifier completes its adaptive update.
In summary, the cloud checking and killing method and system based on an adaptive classifier provided by the invention, on the one hand, improve the filtering efficiency and hit probability of the features in the client's lightweight black-and-white list feature database and reduce the amount of data sent to the cloud; on the other hand, they shorten the query distance for features in the cloud's black-and-white list feature database and improve the efficiency of feature lookup.
The cloud checking and killing method and system based on an adaptive classifier according to the present invention have been described above by way of example with reference to the accompanying drawings. Those skilled in the art will understand, however, that various improvements may be made to the cloud checking and killing method and system based on an adaptive classifier proposed by the invention without departing from the invention. Therefore, the scope of protection of the invention should be determined by the content of the appended claims.

Claims (8)

1. A cloud checking and killing method based on an adaptive classifier, comprising:
the client classifying and detecting a file based on a Hamming-distance classifier; wherein, when the feature of the file does not match any feature in the lightweight black-and-white list feature database of the client,
the client sends the file to the cloud;
the cloud classifies and detects the file based on a hash-value classifier of at least two levels of Hamming distance, the Hamming-distance hash-value classifier being a Hamming-distance classifier based on hash values; wherein, when the feature of the file matches a feature in the black-and-white list feature database in the cloud,
the probability that the feature of the file hits a feature in the black-and-white list feature database in the cloud is counted, and the probability that the level at which that feature is located in the cloud's black-and-white list feature database is hit is counted;
according to the counted probability, the cloud sends to the client the files whose probability ranks within a preset range during a predetermined time interval, and adaptively adjusts the ordering of the Hamming-distance hash-value classifiers in the cloud according to the probability with which the levels are hit;
the client updates its lightweight black-and-white list feature database according to the files sent by the cloud; wherein, while the client updates the lightweight black-and-white list feature database, the Hamming-distance classifier completes its adaptive update.
2. The cloud checking and killing method based on an adaptive classifier as claimed in claim 1, wherein, when the feature of the file does not match any feature in the black-and-white list feature database in the cloud, the file is scanned using multiple engines.
3. The cloud checking and killing method based on an adaptive classifier as claimed in claim 1, further comprising: according to the predetermined time interval, the cloud feeds back to the client the files whose probability of their features hitting features in the cloud's black-and-white list feature database ranks within the predetermined range, as the lightweight black-and-white list feature database of the client.
4. The cloud checking and killing method based on an adaptive classifier as claimed in claim 1, wherein the Hamming-distance classifier and the Hamming-distance hash-value classifier classify and detect the file based on the MD5 value or SHA1 value of the file.
5. A cloud checking and killing system based on an adaptive classifier, comprising:
a first classification and detection unit, for classifying and detecting a file of the client based on a Hamming-distance classifier;
a file sending unit, for sending the file of the client to the cloud when the first classification and detection unit detects that the feature of the file does not match any feature in the lightweight black-and-white list feature database of the client;
a second classification and detection unit, for classifying and detecting the file sent by the file sending unit based on a hash-value classifier of at least two levels of Hamming distance, the Hamming-distance hash-value classifier being a Hamming-distance classifier based on hash values;
a first probability statistics unit, for counting, when the second classification and detection unit detects that the feature of the file sent by the file sending unit matches a feature in the black-and-white list feature database in the cloud, the probability that the feature of a file sent by the file sending unit hits a feature in the cloud's black-and-white list feature database;
a second probability statistics unit, for counting, when the second classification and detection unit detects that the feature of the file sent by the file sending unit matches a feature in the black-and-white list feature database in the cloud, the probability that the level at which that feature is located in the cloud's black-and-white list feature database is hit;
an order adjustment unit, for adaptively adjusting the ordering of the Hamming-distance hash-value classifiers in the cloud according to the probability counted by the second probability statistics unit;
an updating unit, for updating the lightweight black-and-white list feature database of the client; wherein the update is performed by the cloud sending to the client, according to the probability counted by the first probability statistics unit, the files whose probability ranks within a preset range during a preset time interval; and wherein, while the client's lightweight black-and-white list feature database is updated, the Hamming-distance classifier completes its adaptive update.
6. The cloud checking and killing system based on an adaptive classifier as claimed in claim 5, further comprising: a multi-engine scanning unit, for scanning the file using multiple engines when the second classification and detection unit detects that the feature of the file sent by the file sending unit does not match any feature in the black-and-white list feature database in the cloud.
7. The cloud checking and killing system based on an adaptive classifier as claimed in claim 5, further comprising: a feature database sending unit, for feeding back to the client, according to the predetermined time interval, the files whose probability of their features hitting features in the cloud's black-and-white list feature database ranks within the preset range, as the lightweight black-and-white list feature database of the client.
8. The cloud checking and killing system based on an adaptive classifier as claimed in claim 5, wherein the Hamming-distance classifier and the Hamming-distance hash-value classifier classify and detect the file based on the MD5 value or SHA1 value of the file.
CN201410459367.XA 2014-09-10 2014-09-10 Cloud checking and killing method and system based on adaptive classifier Active CN104243470B (en)
Publications (2)

Publication Number | Publication Date
CN104243470A (en) | 2014-12-24
CN104243470B (en) | 2018-04-06