CN104468632A - Loophole attack prevention method, device and system - Google Patents


Info

Publication number
CN104468632A
Authority
CN
China
Prior art keywords
attack
vulnerability
feature
actual behavior
logs
Prior art date
Legal status (an assumption by Google, not a legal conclusion): Pending
Application number
CN201410854248.4A
Other languages
Chinese (zh)
Inventor
汪圣平
汤迪斌
杨晓东
Current Assignee (listed assignees may be inaccurate; Google has performed no legal analysis)
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (an assumption by Google, not a legal conclusion)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201410854248.4A
Publication of CN104468632A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a vulnerability attack prevention method, device and system in the field of network security. They aim to actively defend against a vulnerability attack in a timely and effective way while the vulnerability itself remains unrepaired. The method includes: monitoring running processes (both application processes and system processes) and obtaining their actual behavior features; comparing the actual behavior features with the standard behavior features in a behavior feature library, where a standard behavior feature describes a behavior involved in a vulnerability attack; and, if an actual behavior feature is consistent with a standard behavior feature, reporting an attack log of the vulnerability attack to a cloud server, so that the cloud server can notify other terminals to actively defend against the same vulnerability attack according to the attack log. The method is mainly applied to active attack defense in a private cloud environment.

Description

Method, device and system for defending against vulnerability attacks
Technical field
The present invention relates to the field of network security, and in particular to a method, device and system for defending against vulnerability attacks.
Background
A vulnerability is a weakness or defect in a system: its sensitivity to a specific threat or hazardous event, or the possibility that the effect of an attack is carried out. Vulnerabilities may stem from mistakes made when an application or operating system is designed or coded, or from design defects and unreasonable parts of the logic flow introduced while a business system is iterated. These defects, mistakes and unreasonable parts may be exploited by attackers and cause adverse effects on the application's operation: the information system may be attacked or controlled, confidential information stolen, user data tampered with, or the system used as a springboard for intruding into other hosts.
To prevent vulnerability attacks from harming user terminals or web servers, the prior art mainly searches for vulnerabilities in applications or operating systems by means of vulnerability detection, and then repairs the vulnerabilities found, so that attackers cannot attack through unrepaired vulnerabilities. Generally, vulnerability detection is divided into detection of known vulnerabilities and detection of unknown vulnerabilities. Known vulnerabilities are detected mainly by security scanning technology, which checks whether the system contains published security vulnerabilities; the purpose of unknown vulnerability detection is to find vulnerabilities that may exist in a software system but have not yet been discovered. Existing techniques for unknown vulnerability detection include source code scanning, disassembly scanning and environment fault injection.
Regarding the above way of defending against vulnerability attacks, the inventors found that in the prior art the principle of attack defense is mainly to repair vulnerabilities, reducing the possibility of an attack by patching. In practice, the vulnerabilities in an application or operating system can never be exhaustively found, and repairing one vulnerability may introduce new ones, so this defense mechanism is comparatively passive. In addition, as attack techniques keep improving, the automation and speed of vulnerability attacks increase day by day. If patches are only written and installed after a vulnerability attack has occurred, the attack will already have spread widely and brought harm to many more user terminals or servers. How to design a fast and efficient defense mechanism that defends against a vulnerability attack in time once it occurs has therefore become a difficult problem facing those skilled in the art.
Summary of the invention
In view of the above problems, the invention provides a method, device and system for defending against vulnerability attacks, which can actively defend against a vulnerability attack in a timely and effective way without repairing the vulnerability.
In a first aspect, the invention provides a method for defending against vulnerability attacks, comprising:
monitoring running processes and obtaining the actual behavior features of the processes, where the processes include application processes and system processes;
comparing the actual behavior features with the standard behavior features in a behavior feature library, where a standard behavior feature describes a behavior involved in a vulnerability attack;
if an actual behavior feature is consistent with a standard behavior feature, reporting an attack log of the vulnerability attack to a cloud server, so that the cloud server notifies other terminals according to the attack log to actively defend against the same vulnerability attack.
In a second aspect, the invention also provides a method for defending against vulnerability attacks, comprising:
receiving an attack log reported by a terminal, the attack log carrying the actual behavior features of the vulnerability attack suffered by the terminal;
comparing the actual behavior features with the standard behavior features in a cloud behavior feature library, where a standard behavior feature describes a behavior involved in a vulnerability attack;
if an actual behavior feature is consistent with a standard behavior feature, sending the attack log down to other terminals, so that the other terminals actively defend against the same vulnerability attack according to the attack log.
In a third aspect, the invention also provides a terminal, comprising:
a monitoring unit, for monitoring running processes and obtaining the actual behavior features of the processes, where the processes include application processes and system processes;
a comparing unit, for comparing the actual behavior features obtained by the monitoring unit with the standard behavior features in a behavior feature library, where a standard behavior feature describes a behavior involved in a vulnerability attack;
a sending unit, for reporting an attack log of the vulnerability attack to a cloud server when the comparing unit finds an actual behavior feature consistent with a standard behavior feature, so that the cloud server notifies other terminals according to the attack log to actively defend against the same vulnerability attack.
In a fourth aspect, the invention also provides a cloud server, comprising:
a receiving unit, for receiving an attack log reported by a terminal, the attack log carrying the actual behavior features of the vulnerability attack suffered by the terminal;
a comparing unit, for comparing the actual behavior features received by the receiving unit with the standard behavior features in a cloud behavior feature library, where a standard behavior feature describes a behavior involved in a vulnerability attack;
a sending unit, for sending the attack log received by the receiving unit down to other terminals when the comparing unit finds an actual behavior feature consistent with a standard behavior feature, so that the other terminals actively defend against the same vulnerability attack according to the attack log.
In a fifth aspect, the invention also provides a system for defending against vulnerability attacks, comprising:
a first terminal, a cloud server and a second terminal; wherein
the first terminal monitors running processes and obtains the actual behavior features of the processes, the processes including application processes and system processes; compares the actual behavior features with the standard behavior features in a behavior feature library, where a standard behavior feature describes a behavior involved in a vulnerability attack; and, if an actual behavior feature is consistent with a standard behavior feature, reports an attack log of the vulnerability attack to the cloud server;
the cloud server receives the attack log reported by the first terminal, compares the actual behavior features in the attack log with the standard behavior features in the cloud behavior feature library and, if they are consistent, sends the attack log down to the second terminal;
the second terminal receives the attack log sent down by the cloud server, records the actual behavior features in the attack log as standard behavior features in its behavior feature library, and uses the behavior feature library to discover and actively defend against vulnerability attacks that may occur.
With the above technical scheme, a terminal finds the "traces" of a vulnerability attack locally by monitoring process behavior and, having found them, reports an attack log to the cloud server; the cloud server forwards the attack log to other terminals, so that those terminals can actively defend against the attack before they suffer the same vulnerability attack. Compared with finding and repairing vulnerabilities as in the prior art, the attack defense of the invention does not take vulnerability repair as its main target; it achieves the goal of discovering vulnerability attacks by determining and analysing attack behavior. After one terminal has been attacked through a vulnerability, the invention can rapidly deploy a defense strategy on other terminals, so that even terminals that have not installed the corresponding patch are spared the vulnerability attack, realising rapid and efficient active defense.
The above description is only an overview of the technical solution of the invention. In order that the technical means of the invention may be better understood and implemented according to the content of the specification, and that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of a method for defending against vulnerability attacks in an embodiment of the invention;
Fig. 2 shows a flow chart of another method for defending against vulnerability attacks in an embodiment of the invention;
Fig. 3 shows a schematic structural diagram of a terminal in an embodiment of the invention;
Fig. 4 shows a schematic structural diagram of another terminal in an embodiment of the invention;
Fig. 5 shows a schematic structural diagram of a cloud server in an embodiment of the invention;
Fig. 6 shows a schematic structural diagram of another cloud server in an embodiment of the invention;
Fig. 7 shows a schematic diagram of a system for defending against vulnerability attacks in an embodiment of the invention.
Embodiments
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure can be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
To realise active defense against vulnerability attacks without patching the vulnerability, an embodiment of the invention provides a method for defending against vulnerability attacks that is mainly applied on the terminal side. As shown in Fig. 1, the method comprises:
101. Monitoring running processes and obtaining the actual behavior features of the processes.
In this embodiment, the terminal monitors applications or the operating system mainly by monitoring the corresponding processes, so the objects monitored by the terminal include application processes and system processes. During execution a process performs numerous behaviors, such as reading memory data and inter-process data communication, and it is by monitoring these behaviors that the terminal finds the behavior features of a vulnerability attack.
The actual behavior features monitored by the terminal are all the behavior features produced while a process executes: those produced during normal operation as well as those produced while executing the code of a virus, a Trojan or a vulnerability attack. In step 102 the terminal filters the behavior features produced by a vulnerability attack out of the many monitored features by comparing them with the behavior feature library.
102. Comparing the actual behavior features with the standard behavior features in the behavior feature library.
The terminal locally keeps a behavior feature library recording standard behavior features, each describing a behavior involved in a vulnerability attack. After obtaining the actual behavior features produced by a monitored process, the terminal compares them with the standard behavior features in the library; if the two are consistent, the actual behavior feature was produced by a vulnerability attack.
In practice the terminal may receive the behavior feature library from the cloud server, or it may obtain one locally by scanning for vulnerabilities and training a preset model on the behavior features of vulnerability attacks; this embodiment does not restrict the source.
When an attacker exploits a vulnerability on a terminal, behavior features that differ from normal process execution are produced, such as modifying the registry or illegal scanning. In this embodiment the terminal relies on exactly this to identify vulnerability attacks by their behavior features.
In this embodiment, the behavior features involved in a vulnerability attack include: hiding the IP address, illegal scanning, logging in to the host, clearing records, leaving a backdoor, modifying the registry, implanting code, stealing information, sending information back, modifying DNS, and so on. In practice the cloud server can set the standard behavior features according to the typical course of a vulnerability attack.
For example, an ordinary attacker usually hides their own IP address by going through an already compromised terminal, and a more advanced attacker may even connect to an Internet Service Provider (ISP) through an unattended 800-number switching service and then get online by misappropriating a compromised user's account information. In one implementation of this embodiment, therefore, the cloud server writes the behavior feature "hiding the IP address" into the behavior feature library.
Once online, the attacker needs to find the target host, that is, the object of the attack. On the Internet a host is really identified by its IP address; a DNS domain name is another name established for the host so that it is easier to remember, and the target host can be found with either. Of course, locating the target host is far from enough: the attacker also needs a comprehensive understanding of the target's operating system type and the services it provides. The attacker therefore uses scanner tools to perform address scanning, port scanning, reverse mapping, slow scanning and similar operations, learning which operating system and version the target runs, which accounts the system has, and which versions of servers such as WWW, FTP, Telnet and SMTP it runs, as preparation for the intrusion. In addition, to enter a target host the attacker must first obtain an account and password for it, otherwise they cannot log in; this usually forces the attacker to steal the user account file first, crack it to obtain the account and password of some user, and then enter the target host under that identity at a suitable moment. In another implementation of this embodiment, therefore, the cloud server writes behavior features such as "illegal scanning" and "logging in to the host" into the behavior feature library.
After entering the target host through the vulnerability with tools such as FTP or Telnet and gaining control, the attacker usually clears records and leaves a backdoor. They change some system settings and implant a Trojan or other remote-control code in the system so as to re-enter it unnoticed in the future. Most backdoor programs are compiled in advance and only need their timestamps and permissions adjusted before use. Attackers generally transfer these files with rcp so as to leave no FTP record. Having hidden their traces by clearing logs, deleting copied files and similar means, the attacker begins the next action. In another implementation of this embodiment, therefore, the cloud server writes behavior features such as "clearing records", "leaving a backdoor", "modifying the registry" and "implanting code" into the behavior feature library.
After finding the target host, the attacker continues with the next step of the attack, for example sending sensitive information back, stealing account passwords or credit card numbers, or modifying network settings to paralyse the network. In another application scenario of this embodiment, therefore, the cloud server also writes behavior features such as "stealing information", "sending information back" and "modifying DNS" into the behavior feature library.
The above examples of setting standard behavior features are only illustrative; in practice the cloud server can set standard behavior features separately according to the characteristics of different attack types. The more standard behavior features are recorded for the same (class of) vulnerability attack, the higher the success rate of detecting it.
103. If an actual behavior feature is consistent with a standard behavior feature, reporting an attack log of the vulnerability attack to the cloud server, so that the cloud server notifies other terminals according to the attack log to actively defend against the same vulnerability attack.
When an actual behavior feature is consistent with a standard behavior feature, the terminal may have been attacked through a vulnerability, and it reports an attack log of the vulnerability attack to the cloud server.
It should be noted that a hit on an actual behavior feature does not necessarily mean the terminal has been attacked; for example, the user may have modified the registry manually. In practice, therefore, some preset conditions should be attached to the comparison of behavior features to ensure the accuracy of the judgement. For example, the number of actual behavior features hit may be required to be no fewer than 4 or 10; or different standard behavior features may be assigned different weights, so that a hit on a higher-weight feature makes it more likely that the terminal has been attacked.
In this embodiment, after determining that it has been attacked through a vulnerability, the terminal reports the attack log to the cloud server so that the cloud server can notify other terminals to actively defend against the vulnerability attack corresponding to these behavior features. It should be noted that when the other terminals receive the attack log sent down by the cloud server they have not yet been attacked through this vulnerability; by sending them the attack log, the cloud server enables them to identify and actively defend against the vulnerability attack by its behavior features during their daily monitoring, so that the attack does not occur on them.
As for the terminal that reported the attack log, this embodiment may also care whether it has suffered the vulnerability attack. If it has, it can repair the vulnerability according to some repair strategy; even if it does not, after suffering the attack it will, based on the behavior-feature comparison result, have the ability to actively defend against this vulnerability attack.
In one implementation of this embodiment, besides sending the attack log to other terminals, the cloud server can also send the same attack log to the terminal that reported it, so that this terminal likewise gains the ability to actively defend against the vulnerability attack in the future.
Further, the attack log reported by the terminal can include, but is not limited to: the identifier of the process attacked through the vulnerability, the attack type, the vulnerability code and the actual behavior features. The process identifier lets other terminals identify the application or operating system targeted by the vulnerability attack, for example an attack on a vulnerability in a particular instant-messaging application or in the Android operating system; in practice the process name, process ID, process handle or the storage path of the process file (absolute or relative) can serve as the process identifier. The actual behavior features are written by the other terminals into their own behavior feature libraries as standard behavior features, so that the same vulnerability attack can be identified and actively defended against.
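As an added example (not code from the patent), the following Python sketches steps 101 to 103 above together with the cloud-side re-check and distribution of the second aspect and the second terminal's adoption of the reported features. A terminal matches a constructed behavior trace against a weighted behavior feature library using the hit-count and weight conditions suggested above, builds an attack log with the fields listed above (process identifier, attack type, vulnerability code, behavior features), the cloud server re-checks the log against its own library before pushing it to every terminal, and a terminal with a smaller library becomes able to recognise the same trace afterwards. The feature names are the ones listed in the text; the weights, thresholds, process identifiers and behavior traces are constructed assumptions.

```python
"""Terminal-side behavior matching and cloud distribution of attack logs.
Added illustration, not the patent's code; weights, thresholds, identifiers and
behavior traces are constructed assumptions."""
from dataclasses import dataclass

# Standard behavior features named in the text, with assumed weights
# (a higher weight is a stronger indicator of exploitation).
CLOUD_LIBRARY = {
    "hide_ip": 2, "illegal_scan": 3, "login_host": 1, "clear_records": 3,
    "reserve_backdoor": 4, "modify_registry": 1, "implant_code": 4,
    "steal_information": 3, "send_back_information": 3, "modify_dns": 2,
}
MIN_HITS = 4      # assumed: at least this many features hit ...
MIN_WEIGHT = 8    # ... or this much accumulated weight


@dataclass
class AttackLog:
    process_id: str            # identifies the attacked process / application
    attack_type: str
    vuln_code: str
    behavior_features: list    # the actual behavior features that matched


def match_features(observed, library, min_hits=MIN_HITS, min_weight=MIN_WEIGHT):
    """Step 102: compare observed behaviors with a library.
    Returns (hits, weight, is_attack); a lone registry edit never trips it."""
    hits = [f for f in observed if f in library]
    weight = sum(library[f] for f in hits)
    return hits, weight, (len(hits) >= min_hits or weight >= min_weight)


class Terminal:
    def __init__(self, name, library):
        self.name = name
        self.library = dict(library)     # local behavior feature library

    def monitor(self, process_id, observed, attack_type="unauthorized_access",
                vuln_code="unspecified"):
        """Steps 101-103: build an attack log if the trace looks like an exploit."""
        hits, _weight, is_attack = match_features(observed, self.library)
        return AttackLog(process_id, attack_type, vuln_code, hits) if is_attack else None

    def receive_log(self, log):
        """Second terminal: adopt the reported features as standard features."""
        for f in log.behavior_features:
            self.library.setdefault(f, 3)   # assumed default weight for new features


class CloudServer:
    def __init__(self, library):
        self.library = dict(library)         # cloud behavior feature library
        self.terminals = []

    def receive_log(self, log):
        """Second aspect: re-check against the cloud library, then push to all
        terminals (the reporter included, as the text permits). Returns count."""
        _hits, _weight, confirmed = match_features(log.behavior_features, self.library)
        if not confirmed:
            return 0
        for t in self.terminals:
            t.receive_log(log)
        return len(self.terminals)


def run_scenario():
    """Constructed scenario: terminal A holds the full library, terminal B only a
    partial one. B cannot recognise the exploit trace until A's log is pushed."""
    cloud = CloudServer(CLOUD_LIBRARY)
    a = Terminal("A", CLOUD_LIBRARY)
    b = Terminal("B", {"hide_ip": 2, "modify_registry": 1})
    cloud.terminals += [a, b]

    # Constructed traces: normal operations interleaved with the exploit "traces"
    # listed in the text, and a benign trace where the user edits the registry.
    exploit = ["read_memory", "hide_ip", "illegal_scan", "login_host",
               "ipc_send", "clear_records", "reserve_backdoor"]
    benign = ["read_memory", "modify_registry", "ipc_send"]

    b_before = b.monitor("pid:4242", exploit) is not None
    log = a.monitor("pid:4242", exploit)
    pushed = cloud.receive_log(log) if log else 0
    b_after = b.monitor("pid:7", exploit) is not None
    false_alarm = a.monitor("pid:9", benign) is not None
    return {"a_detected": log is not None, "b_before": b_before, "pushed": pushed,
            "b_after": b_after, "false_alarm": false_alarm, "log": log}


if __name__ == "__main__":
    print(run_scenario())
```

The two-condition decision in `match_features` is the point of the caveat above: a single registry edit by the user scores one low-weight hit and is ignored, while four cheap hits or two expensive ones (a backdoor plus implanted code) are enough to report.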
The attack type mainly expresses the kind and characteristics of the vulnerability attack, so that other terminals can adopt a targeted defense strategy. In practice, attack types can include denial of service, unauthorized access attempts, pre-detection attacks, protocol decoding and system agent attacks. This embodiment briefly introduces these attack types below; it should be clear that the introduction is only exemplary and does not limit this embodiment in practice:
1. Denial of service attacks
Generally, a denial of service attack overloads the core system resources of the attacked terminal so that it stops providing some or all of its services. Hundreds of denial of service attacks are known today; they are the most basic means of network intrusion and also among the most troublesome. Typical examples are SYN Flood, Ping Flood, Land and WinNuke attacks.
2. Unauthorized access attempts
An unauthorized access attempt is an attacker's attempt to read, write or execute a protected file, and also includes attempts made to obtain protected access rights. By the rights sought, it can be subdivided into:
(1) a local user obtaining unauthorized read rights
(2) a local user obtaining unauthorized write rights
(3) a remote user obtaining unauthorized account information
(4) a remote user obtaining read rights to privileged files
(5) a remote user obtaining write rights to privileged files
(6) a remote user obtaining system administrator rights
In addition, unauthorized access attempts can be divided into active and passive attacks. An active attack is the attacker's deliberate act of accessing the required information, that is, actively obtaining it by specific technical means; a passive attack mainly collects information rather than accessing it, and the terminal user usually cannot perceive the collection. Passive attacks include:
(1) eavesdropping, including keystroke logging, network sniffing, unauthorized access to data and obtaining password files;
(2) deception, including obtaining passwords, malicious code and network spoofing;
(3) denial of service, including crash-inducing, resource-exhausting and spoofing types;
(4) data-driven attacks, including buffer overflows, format string attacks, input validation attacks, synchronisation vulnerability attacks and trust vulnerability attacks.
3. Pre-detection attacks
The attacker uses an automated tool with a database of known response types and checks the responses the target host returns to malformed packets. Because each operating system responds in its own unique way (for example the TCP/IP stack implementations of NT and Solaris differ), by comparing this unique response with the known responses in the database the attacker can often determine which operating system the target host runs.
During a continuous series of unauthorized access attempts, an attacker usually uses such attacks to obtain information about the inside of the network and its surroundings; typical examples include SATAN scans, port scans and half-open IP scans.
4. Protocol decoding attacks
Protocol decoding can be used in any of a number of unexpected ways. The network or security administrator has to perform the decoding work to obtain the corresponding result, and the decoded protocol information may reveal the expected activity, as in decoding FTP User and Portmapper Proxy.
5. System agent attacks
Such attacks are usually initiated against a single terminal rather than the whole network, and can be monitored by the RealSecure system agent.
Below for several typical attack type, provide the mode of several formulation criterion behavior features of the present embodiment:
1, Land attacks
Attack type: Denial of Service attack.
Attack signature: in a Land attack packet the source address and destination address are identical. When the operating system receives such a packet, the protocol stack does not know how to handle a communication whose source address is the same as its destination address, or it sends and receives the packet in a loop, consuming a large amount of system resources and potentially causing a system crash or deadlock.
Standard behaviour feature: the source address or destination address of a network packet has been tampered with, causing the two to differ.
2. TCP SYN flood attack
Attack type: denial-of-service attack.
Attack signature: exploits a defect in the three-way handshake between a TCP client and server. The attacker sends a large number of SYN packets with forged source IP addresses to the victim. When the attacked host receives these SYN packets it must allocate a large amount of buffer memory to handle the connections, returns SYN/ACK packets to the wrong IP addresses, and keeps waiting for ACK packets that never arrive. Eventually the buffers are exhausted, further legitimate SYN connections cannot be processed, and the host can no longer provide normal service to the outside.
Standard behaviour feature: the number of SYN connections received per unit time exceeds a preset threshold.
3. Ping of Death attack or Ping Flood attack
Attack type: denial-of-service attack.
Attack signature: a Ping of Death attack packet is larger than 65535 bytes. When some operating systems receive a packet whose length exceeds 65535 bytes, the result is a memory overflow, system crash, reboot, kernel failure or similar, which achieves the attacker's goal. A Ping Flood attack sends a large number of Ping probe commands to occupy system memory and network transmission resources, thereby crashing the system.
Standard behaviour feature: the packet size or the number of transmissions exceeds a predetermined threshold.
4. WinNuke attack
Attack type: denial-of-service attack.
Attack signature: a WinNuke attack, also known as an out-of-band transmission attack, is characterised by the port it targets: the attacked target port is usually 139, 138, 137, 113 or 53, and the URG bit is set to "1", that is, urgent mode.
Standard behaviour feature: the packet destination port is 139, 138, 137, 113, 53 or similar, and the URG bit is "1".
5. Teardrop attack
Attack type: denial-of-service attack.
Attack signature: Teardrop is an attack method based on malformed UDP packet fragments. It works by sending multiple fragmented IP packets to the victim; when some operating systems receive forged fragments whose fragment offsets overlap, a system crash, reboot or similar results.
Standard behaviour feature: the fragment offset (Offset) of the packet is erroneous.
6. TCP/UDP port scan
Attack type: a TCP/UDP port scan is a kind of pre-probe attack.
Attack signature: TCP or UDP connection requests are sent to different ports of the attacked host in order to probe which services the target is running.
Standard behaviour feature: connection requests to system ports exist, in particular connection requests to uncommon ports other than 21, 23, 25, 53, 80, 8000, 8080 and the like.
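The six attack signatures above can be checked mechanically over a stream of packet summaries. The following detector is an added example and is not code from the patent; the field names, thresholds (the patent only speaks of "preset values") and the sample traffic are constructed assumptions.

```python
"""Added example, not from the patent: a detector that evaluates the six
standard behaviour features listed above over a stream of packet summaries.
Field names, thresholds and the sample traffic are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed placeholders for the "preset values" the text refers to.
SYN_PER_WINDOW = 100           # SYN connections per time window (item 2)
PING_PER_WINDOW = 50           # ICMP echo requests per window (item 3)
MAX_IP_LENGTH = 65535          # largest legal IPv4 datagram (item 3)
WINNUKE_PORTS = {139, 138, 137, 113, 53}            # item 4
COMMON_PORTS = {21, 23, 25, 53, 80, 8000, 8080}     # item 6
SCAN_PORT_THRESHOLD = 10       # distinct uncommon ports from one source


@dataclass
class Packet:
    """Minimal packet summary; a capture tool would fill these fields."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    length: int = 64           # total IP datagram length in bytes
    dport: int = 0
    syn: bool = False
    urg: bool = False
    frag_id: int = 0
    frag_offset: int = 0       # in 8-byte units, as carried on the wire
    frag_len: int = 0          # payload bytes in this fragment (0 = none)
    window: int = 0            # time window index (constructed)


class FeatureDetector:
    def __init__(self):
        self.syn_count = defaultdict(int)     # (dst, window) -> SYNs
        self.ping_count = defaultdict(int)    # (dst, window) -> pings
        self.fragments = defaultdict(list)    # (src, dst, id) -> [(start, end)]
        self.scan_ports = defaultdict(set)    # (src, dst) -> uncommon ports

    def check(self, p):
        """Return the names of the standard features this packet matches."""
        hits = []
        if p.src == p.dst:                                   # 1 Land
            hits.append("land")
        if p.proto == "tcp" and p.syn:                       # 2 SYN flood
            self.syn_count[(p.dst, p.window)] += 1
            if self.syn_count[(p.dst, p.window)] > SYN_PER_WINDOW:
                hits.append("syn_flood")
        if p.proto == "icmp":                                # 3 Ping attacks
            if p.length > MAX_IP_LENGTH:
                hits.append("ping_of_death")
            self.ping_count[(p.dst, p.window)] += 1
            if self.ping_count[(p.dst, p.window)] > PING_PER_WINDOW:
                hits.append("ping_flood")
        if p.proto == "tcp" and p.urg and p.dport in WINNUKE_PORTS:
            hits.append("winnuke")                           # 4 WinNuke
        if p.frag_len:                                       # 5 Teardrop
            start = p.frag_offset * 8
            end = start + p.frag_len
            key = (p.src, p.dst, p.frag_id)
            if any(start < e and s < end for s, e in self.fragments[key]):
                hits.append("teardrop")     # overlaps an earlier fragment
            self.fragments[key].append((start, end))
        if p.proto in ("tcp", "udp") and p.dport and p.dport not in COMMON_PORTS:
            ports = self.scan_ports[(p.src, p.dst)]          # 6 port scan
            ports.add(p.dport)
            if len(ports) >= SCAN_PORT_THRESHOLD:
                hits.append("port_scan")
        return hits


def summarise(packets):
    """Count matches per feature over a packet stream."""
    det = FeatureDetector()
    counts = defaultdict(int)
    for p in packets:
        for h in det.check(p):
            counts[h] += 1
    return dict(counts)


def sample_traffic():
    """Constructed traffic exercising each of the six features."""
    v = "10.0.0.5"                                    # constructed victim
    pkts = [Packet(v, v, "tcp", dport=80, syn=True)]  # Land: src == dst
    pkts += [Packet(f"198.51.100.{i % 250 + 1}", v, "tcp", dport=80,
                    syn=True, window=1) for i in range(120)]   # SYN flood
    pkts.append(Packet("203.0.113.9", v, "icmp", length=65600))  # > 65535
    pkts.append(Packet("203.0.113.9", v, "tcp", dport=139, urg=True))
    pkts.append(Packet("203.0.113.9", v, "udp", frag_id=7, frag_offset=0, frag_len=32))
    pkts.append(Packet("203.0.113.9", v, "udp", frag_id=7, frag_offset=2, frag_len=32))
    pkts += [Packet("203.0.113.9", v, "tcp", dport=port, syn=True, window=2)
             for port in range(1000, 1012)]                  # probe 12 ports
    return pkts


if __name__ == "__main__":
    print(summarise(sample_traffic()))
```

Note that the WinNuke probe to port 139 also counts towards the port-scan feature, since 139 is not in the page's list of common ports.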
Further, as an extension of the method shown in Fig. 1, in another embodiment of the invention the terminal, while not under vulnerability attack, can also derive standard behaviour features by simulating vulnerability attack detection. Specifically, during day-to-day operation the terminal can set up a separate simulated monitoring process that performs simulated probing of the application processes or system processes currently running. In one implementation of this embodiment the terminal performs the simulated probing by means of a security scan in order to obtain standard behaviour features. Security scanning, also referred to as vulnerability assessment, works by simulating a hacker attack to check one by one for known security flaws that the target may have; it can detect security vulnerabilities on workstations, servers, switches, databases and various other objects. If a simulated vulnerability attack succeeds, the terminal records the behaviour features of that simulated attack in the behaviour feature library as standard behaviour features. In addition, the terminal can report the attack log of the simulated vulnerability attack to the cloud server. In this embodiment the terminal obtains standard behaviour features through simulated probing without actually being attacked, which reduces the impact of real attacks on the system and lowers its potential security risk.
Further, as an extension of the embodiments described above, the terminal can also receive attack logs issued by the cloud server and record the actual behaviour features in those attack logs in its behaviour feature library as standard behaviour features. During routine behaviour-feature observation the terminal then discovers and actively defends against vulnerability attacks that may occur, according to the standard behaviour features recorded in the library.
In fact, the terminal that receives attack logs in this embodiment is the "other terminal" referred to in the method of Fig. 1. The division into "terminal" and "other terminal" in this invention serves only to distinguish, for the purpose of explanation, between the two terminal functions of reporting attack logs and receiving attack logs. In practice a single terminal should possess both functions at the same time: when monitoring local processes it plays the role of reporting attack logs, and when other terminals report attack logs it plays the role of receiving attack logs and performing active defence.
Further, as the network-side implementation corresponding to the method of Fig. 1, another embodiment of the invention provides a method of defending against vulnerability attacks. The method is mainly used on the cloud server side and, as shown in Fig. 2, comprises:
201. Receive the attack log reported by a terminal.
After the terminal has detected a vulnerability attack, it reports the attack log to the cloud server. The attack log carries the actual behaviour features of the vulnerability attack the terminal suffered, to be issued to other terminals, which save them in their own behaviour feature libraries so that subsequent attacks on the same vulnerability can be identified and actively defended against.
202. Compare the actual behaviour features with the standard behaviour features in the cloud-side behaviour feature library.
After obtaining the actual behaviour features reported by the terminal from the attack log, the cloud server needs to verify them in order to confirm whether the terminal's monitoring result is correct. The cloud server likewise keeps a behaviour feature library similar to the terminal's; the standard behaviour features in that library describe the behaviour involved in vulnerability attacks. The number and variety of behaviour features in the cloud server's library far exceed those of an individual terminal's library; in practice the cloud server's library can be made to cover the behaviour feature libraries of all terminals in the network.
Similarly to the classes of standard behaviour features kept on the terminal side in Fig. 1, the standard behaviour features kept on the cloud server side also include: hiding IP, illegal scanning, logging on to a host, clearing records, leaving a backdoor, modifying the registry, code injection, stealing information, sending information back, and modifying DNS. The attack log comprises: the identifier of the process attacked through the vulnerability, the attack type, the vulnerability code and the actual behaviour features. The process identifier includes but is not limited to the process name, process ID, process handle and storage path of the process file; the attack type includes but is not limited to denial of service, unauthorised access attempt, pre-probe attack, protocol decoding and system agent attack.
203. If the actual behaviour features are consistent with the standard behaviour features, issue the attack log to other terminals.
If the comparison is consistent, the terminal really has suffered a vulnerability attack; the cloud server then sends the attack log reported by the terminal to other terminals, so that those terminals can actively defend against attacks on the same vulnerability according to the actual behaviour features carried in the log. In fact, once the terminal has determined that it has been attacked through a vulnerability, the actual behaviour features it obtained are consistent with the standard behaviour features it keeps; the embodiments of the invention describe carrying the actual behaviour features in the attack log only for ease of description, and in practice the standard behaviour features can equally be added to the attack log.
It should be noted that in practice steps 202 and 203 are optional: if the cloud server trusts the terminal sufficiently, it can issue the attack log reported by the terminal directly to other terminals without verification.
Further, in another embodiment of the invention, when the terminal, while not actually under vulnerability attack, carries out simulated vulnerability detection on its own and successfully implements a simulated vulnerability attack, the cloud server can also receive the attack log of that simulated attack reported by the terminal. Further, as with the attack logs received as described above, the cloud server can send the attack log of the simulated vulnerability attack to each of the other terminals, so that they can identify and actively defend against the vulnerability attack discovered by simulation.
Further, in another embodiment of the invention, besides issuing attack logs to other terminals, the cloud server can also look up and issue to them a defence policy for the vulnerability attack. In practice the cloud server can keep defence policies for various vulnerability attacks together with a mapping table that records the correspondence between attack types and defence policies. The cloud server can obtain the attack type of the vulnerability attack directly from the attack log reported by the terminal, or can determine it itself through the verification of step 202 in Fig. 2, and then look up the defence policy corresponding to that attack type in the table. When issuing the attack log to other terminals, the cloud server can bind the defence policy found to the attack log and issue the two together.
Several defence policies for typical attack types are given below for reference in this embodiment. It should be clear that this explanation is only exemplary and does not limit the number or kind of defence policies in practice:
1. Address scan
Defence policy: filter out ICMP response messages on the firewall.
2. Port scan
Defence policy: the firewall detects whether ports are being scanned and automatically blocks the scanning attempt.
3. Reverse mapping
Defence policy: resist this type of attack automatically by means of NAT and non-routing proxy servers, or filter "host unreachable" ICMP replies on the firewall.
4. Slow scan
Defence policy: detect slow scans with a decoy service.
5. Architecture probing
Defence policy: delete or modify banners, including those of the operating system and of the various application services, and block the ports used for identification.
6. DNS zone transfer
Defence policy: filter out zone transfer requests at the firewall.
7. Finger service
Defence policy: shut down the finger service and record the IP addresses of peers that attempt to connect to it, or filter it on the firewall.
8. LDAP service
Defence policy: block and log LDAP probing of the internal network; if LDAP service is provided on a public machine, place the LDAP server in a DMZ.
9. DNS cache poisoning
Defence policy: filter inbound DNS updates on the firewall; external DNS servers should not be able to change internal machines' view of internal servers.
10. Email spoofing
Defence policy: use security tools such as PGP and install e-mail certificates.
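The cloud-side procedure (steps 201 to 203), the optional trust shortcut, the policy lookup and the binding of policy to attack log can be shown end to end with one reporting terminal and one receiving terminal. This is an added example, not the patent's own code; the message layout, the feature spellings, the shortened policy wording and the sample process record are constructed assumptions built from the lists in the description.

```python
"""Added example, not the patent's own code: the cloud-side procedure of
steps 201-203 together with the defence-policy lookup. The message layout,
feature spellings, policy wording and the sample process record are
assumptions constructed from the lists in the description."""
import json

# Standard behaviour features kept in the cloud-side library (from the text).
CLOUD_FEATURE_LIBRARY = frozenset({
    "hide ip", "illegal scan", "log on to host", "clear records",
    "leave backdoor", "modify registry", "code injection",
    "steal information", "send information back", "modify dns",
})

# Mapping table: attack type -> defence policy (shortened from the reference
# list above; only a subset is populated).
POLICY_TABLE = {
    "address scan": "filter out ICMP response messages on the firewall",
    "port scan": "firewall detects port scanning and blocks the attempt",
    "dns zone transfer": "filter out zone transfer requests at the firewall",
    "dns cache poisoning": "filter inbound DNS updates on the firewall",
}

# Constructed sample process identifier (name, PID, handle, file path).
SAMPLE_PROCESS = {"name": "example.exe", "pid": 4242, "handle": "0x1f0",
                  "path": "C:\\Program Files\\Example\\example.exe"}


class Terminal:
    """A terminal that both reports attack logs and receives them."""

    def __init__(self, name, library):
        self.name = name
        self.library = set(library)      # local behaviour feature library
        self.policies = []               # defence policies received

    def build_attack_log(self, process, attack_type, vuln_code, observed):
        """Monitoring side: keep only observed features that match the
        local standard features; return None when nothing matched."""
        matched = [f for f in observed if f in self.library]
        if not matched:
            return None
        return {"process": process, "attack_type": attack_type,
                "vuln_code": vuln_code, "actual_features": matched}

    def receive(self, wire_message):
        """Receiving side: merge the issued features into the local library
        and keep the bound defence policy for active defence."""
        message = json.loads(wire_message)
        self.library.update(message["attack_log"]["actual_features"])
        if message.get("defence_policy"):
            self.policies.append(message["defence_policy"])
        return message


class CloudServer:
    def __init__(self, library, policy_table, trust_terminals=False):
        self.library = frozenset(library)
        self.policy_table = policy_table
        self.trust_terminals = trust_terminals   # skip step 202 when True

    def verify(self, attack_log):
        """Step 202: every reported actual feature must exist in the
        cloud-side standard library, unless the terminal is fully trusted."""
        if self.trust_terminals:
            return True
        return all(f in self.library for f in attack_log["actual_features"])

    def handle_report(self, attack_log, other_terminals):
        """Steps 201-203: receive, verify, bind the defence policy found
        for the attack type, and issue to the other terminals."""
        if not self.verify(attack_log):
            return None                      # monitoring result rejected
        policy = self.policy_table.get(attack_log["attack_type"])
        message = {"attack_log": attack_log, "defence_policy": policy}
        wire = json.dumps(message)
        for t in other_terminals:
            t.receive(wire)
        return message


def demo():
    """Runs the exchange once; returns the pieces a test can check."""
    reporter = Terminal("terminal-A", CLOUD_FEATURE_LIBRARY)
    receiver = Terminal("terminal-B", {"hide ip"})     # small local library
    cloud = CloudServer(CLOUD_FEATURE_LIBRARY, POLICY_TABLE)

    # Features the reporter observed: two standard ones plus ordinary activity.
    observed = ["illegal scan", "modify dns", "write temp file"]
    log = reporter.build_attack_log(SAMPLE_PROCESS, "port scan",
                                    "VULN-CODE-PLACEHOLDER", observed)
    issued = cloud.handle_report(log, [receiver])

    # A log whose feature is unknown to the cloud library fails step 202.
    rogue = Terminal("terminal-C", {"unusual feature"})
    bad_log = rogue.build_attack_log(SAMPLE_PROCESS, "port scan",
                                     "VULN-CODE-PLACEHOLDER", ["unusual feature"])
    rejected = cloud.handle_report(bad_log, [receiver])
    return log, issued, rejected, receiver


if __name__ == "__main__":
    log, issued, rejected, receiver = demo()
    print(json.dumps(issued, indent=2))
    print("rejected:", rejected, "receiver library:", sorted(receiver.library))
```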
In each of the method embodiments of the invention, the terminal referred to comprises user terminals and website servers, where a user terminal may be a mobile phone, PC, tablet, notebook or the like. In practice, when the terminal is a server, the attack types involved in the scheme may differ from those commonly suffered by user terminals and should be treated differently according to the characteristics of server attack types.
Further, as an implementation of the above method, another embodiment of the invention provides a terminal, which may be a user terminal such as a mobile phone or computer, or a website server, for implementing the above method. As shown in Fig. 3, the terminal comprises a monitoring unit 31, a comparing unit 32 and a sending unit 33, where:
the monitoring unit 31 is used to monitor running processes and obtain the actual behaviour features of the processes, the processes comprising application processes and system processes;
the comparing unit 32 is used to compare the actual behaviour features obtained by the monitoring unit 31 with the standard behaviour features in the behaviour feature library, the standard behaviour features describing the behaviour involved in vulnerability attacks;
the sending unit 33 is used, when the comparison result of the comparing unit 32 is that the actual behaviour features are consistent with the standard behaviour features, to report the attack log of the vulnerability attack to the cloud server, so that the cloud server notifies other terminals according to the attack log to actively defend against attacks on the same vulnerability.
Further, the standard behaviour features compared by the comparing unit 32 comprise:
hiding IP, illegal scanning, logging on to a host, clearing records, leaving a backdoor, modifying the registry, code injection, stealing information, sending information back, and modifying DNS.
Further, the attack log sent by the sending unit 33 comprises: the identifier of the process attacked through the vulnerability, the attack type, the vulnerability code and the actual behaviour features.
Further, the process identifier sent by the sending unit 33 comprises:
the process name, process ID, process handle and storage path of the process file.
Further, the attack type sent by the sending unit 33 comprises:
denial of service, unauthorised access attempt, pre-probe attack, protocol decoding and system agent attack.
Further, as shown in Fig. 4, the terminal also comprises:
a detecting unit 34, used to carry out simulated vulnerability attack detection on the processes;
a first recording unit 35, used, when the detecting unit 34 successfully implements a simulated vulnerability attack, to record the behaviour features of the simulated vulnerability attack in the behaviour feature library as standard behaviour features;
the sending unit 33, used to report to the cloud server the attack log of the simulated vulnerability attack implemented by the detecting unit 34.
Further, as shown in Fig. 4, the terminal also comprises:
a receiving unit 36, used to receive attack logs issued by the cloud server;
a second recording unit 37, used to record the actual behaviour features in the attack log received by the receiving unit 36 in the behaviour feature library as standard behaviour features;
a processing unit 38, used to discover and actively defend against vulnerability attacks that may occur, according to the behaviour feature library recorded by the second recording unit 37.
The terminal provided by this embodiment can discover the "traces" of a vulnerability attack locally by monitoring the behaviour of processes and, having discovered them, report the attack log of the vulnerability attack to the cloud server, so that the cloud server sends the log to other terminals, which can then actively defend against this vulnerability before suffering an attack on it. Compared with finding and patching vulnerabilities in the prior art, the attack defence of this embodiment does not take vulnerability repair as its main goal but discovers vulnerability attacks by determining and analysing the attack. After one terminal has been attacked through a vulnerability, this embodiment lets other terminals deploy an attack defence policy rapidly, so that they are spared the vulnerability attack even without installing the corresponding patch, achieving rapid and efficient active defence against vulnerability attacks.
Further, as an implementation of the above method, another embodiment of the invention provides a cloud server, which may be a public cloud server or a private cloud server, for implementing the above method. As shown in Fig. 5, the cloud server comprises a receiving unit 51, a comparing unit 52 and a sending unit 53, where:
the receiving unit 51 is used to receive the attack log reported by a terminal, the attack log carrying the actual behaviour features of the vulnerability attack the terminal suffered;
the comparing unit 52 is used to compare the actual behaviour features received by the receiving unit 51 with the standard behaviour features in the cloud-side behaviour feature library, the standard behaviour features describing the behaviour involved in vulnerability attacks;
the sending unit 53 is used, when the comparison result of the comparing unit 52 is that the actual behaviour features are consistent with the standard behaviour features, to issue the attack log received by the receiving unit 51 to other terminals, so that the other terminals actively defend against attacks on the same vulnerability according to the attack log.
Further, the standard behaviour features compared by the comparing unit 52 comprise:
hiding IP, illegal scanning, logging on to a host, clearing records, leaving a backdoor, modifying the registry, code injection, stealing information, sending information back, and modifying DNS.
Further, the attack log received by the receiving unit 51 comprises: the identifier of the process attacked through the vulnerability, the attack type, the vulnerability code and the actual behaviour features.
Further, the process identifier received by the receiving unit 51 comprises:
the process name, process ID, process handle and storage path of the process file.
Further, the attack type received by the receiving unit 51 comprises:
denial of service, unauthorised access attempt, pre-probe attack, protocol decoding and system agent attack.
Further, the receiving unit 51 is also used to receive the attack log of a simulated vulnerability attack reported by the terminal.
Further, as shown in Fig. 6, the cloud server also comprises:
a lookup unit 54, used, when the comparison result of the comparing unit 52 is that the actual behaviour features are consistent with the standard behaviour features, to look up the defence policy for the corresponding vulnerability attack;
the sending unit 53, used to bind the defence policy found by the lookup unit 54 to the attack log and issue the two together to other terminals.
With the cloud server provided by this embodiment, a terminal can discover the "traces" of a vulnerability attack locally by monitoring the behaviour of processes and, having discovered them, report the attack log of the vulnerability attack to the cloud server, so that the cloud server sends the log to other terminals, which can then actively defend against this vulnerability before suffering an attack on it. Compared with finding and patching vulnerabilities in the prior art, the attack defence of this embodiment does not take vulnerability repair as its main goal but discovers vulnerability attacks by determining and analysing the attack. After one terminal has been attacked through a vulnerability, this embodiment lets other terminals deploy an attack defence policy rapidly, so that they are spared the vulnerability attack even without installing the corresponding patch, achieving rapid and efficient active defence against vulnerability attacks.
Further, as an implementation of the above method, another embodiment of the invention provides a system for defending against vulnerability attacks. As shown in Fig. 7, the system comprises a first terminal 71, a cloud server 72 and a second terminal 73, where the first terminal 71 may be the terminal shown in Fig. 3 or Fig. 4 and the cloud server 72 may be the cloud server shown in Fig. 5 or Fig. 6.
The first terminal 71 is used to monitor running processes and obtain the actual behaviour features of the processes, the processes comprising application processes and system processes; to compare the actual behaviour features with the standard behaviour features in the behaviour feature library, the standard behaviour features describing the behaviour involved in vulnerability attacks; and, if the actual behaviour features are consistent with the standard behaviour features, to report the attack log of the vulnerability attack to the cloud server 72.
The cloud server 72 is used to receive the attack log reported by the first terminal 71, to compare the actual behaviour features in the attack log with the standard behaviour features in the cloud-side behaviour feature library, and, if the actual behaviour features are consistent with the standard behaviour features, to issue the attack log to the second terminal 73.
The second terminal 73 is used to receive the attack log issued by the cloud server 72, to record the actual behaviour features in the attack log in its behaviour feature library as standard behaviour features, and to discover and actively defend against vulnerability attacks that may occur, according to the behaviour feature library.
With the system for defending against vulnerability attacks provided by this embodiment, a terminal can discover the "traces" of a vulnerability attack locally by monitoring the behaviour of processes and, having discovered them, report the attack log of the vulnerability attack to the cloud server, so that the cloud server sends the log to other terminals, which can then actively defend against this vulnerability before suffering an attack on it. Compared with finding and patching vulnerabilities in the prior art, the attack defence of this embodiment does not take vulnerability repair as its main goal but discovers vulnerability attacks by determining and analysing the attack. After one terminal has been attacked through a vulnerability, this embodiment lets other terminals deploy an attack defence policy rapidly, so that they are spared the vulnerability attack even without installing the corresponding patch, achieving rapid and efficient active defence against vulnerability attacks.
The embodiments of the invention disclose:
A1. A method of defending against vulnerability attacks, the method comprising:
monitoring running processes and obtaining the actual behaviour features of said processes, wherein said processes comprise application processes and system processes;
comparing said actual behaviour features with the standard behaviour features in a behaviour feature library, said standard behaviour features describing the behaviour involved in vulnerability attacks;
if said actual behaviour features are consistent with said standard behaviour features, reporting the attack log of the vulnerability attack to a cloud server, so that said cloud server notifies other terminals according to said attack log to actively defend against attacks on the same vulnerability.
A2. The method according to A1, wherein said standard behaviour features comprise:
hiding IP, illegal scanning, logging on to a host, clearing records, leaving a backdoor, modifying the registry, code injection, stealing information, sending information back, and modifying DNS.
A3. The method according to A1, wherein said attack log comprises: the identifier of the process attacked through the vulnerability, the attack type, the vulnerability code and said actual behaviour features.
A4. The method according to A3, wherein the identifier of said process comprises:
the process name, process ID, process handle and storage path of the process file.
A5. The method according to A3, wherein said attack type comprises:
denial of service, unauthorised access attempt, pre-probe attack, protocol decoding and system agent attack.
A6. The method according to A1, said method further comprising:
carrying out simulated vulnerability attack detection on said processes;
if a simulated vulnerability attack is successfully implemented, recording the behaviour features of said simulated vulnerability attack in said behaviour feature library as said standard behaviour features;
reporting the attack log of said simulated vulnerability attack to said cloud server.
A7. The method according to any one of A1 to A6, said method further comprising:
receiving said attack log issued by said cloud server;
recording the actual behaviour features in said attack log in said behaviour feature library as standard behaviour features;
discovering and actively defending against vulnerability attacks that may occur, according to said behaviour feature library.
B8. A method of defending against vulnerability attacks, the method comprising:
receiving the attack log reported by a terminal, said attack log carrying the actual behaviour features of the vulnerability attack said terminal suffered;
comparing said actual behaviour features with the standard behaviour features in a cloud-side behaviour feature library, said standard behaviour features describing the behaviour involved in vulnerability attacks;
if said actual behaviour features are consistent with said standard behaviour features, issuing said attack log to other terminals, so that said other terminals actively defend against attacks on the same vulnerability according to said attack log.
B9. The method according to B8, wherein said standard behaviour features comprise:
hiding IP, illegal scanning, logging on to a host, clearing records, leaving a backdoor, modifying the registry, code injection, stealing information, sending information back, and modifying DNS.
B10. The method according to B8, wherein said attack log comprises: the identifier of the process attacked through the vulnerability, the attack type, the vulnerability code and said actual behaviour features.
B11. The method according to B10, wherein the identifier of said process comprises:
the process name, process ID, process handle and storage path of the process file.
B12. The method according to B10, wherein said attack type comprises:
denial of service, unauthorised access attempt, pre-probe attack, protocol decoding and system agent attack.
B13. The method according to B8, said method further comprising:
receiving the attack log of a simulated vulnerability attack reported by said terminal.
B14. The method according to any one of B8 to B13, wherein, if said actual behaviour features are consistent with said standard behaviour features, said method further comprises:
looking up the defence policy for the corresponding vulnerability attack;
and said issuing said attack log to other terminals comprises:
binding said defence policy to said attack log and issuing the two together to other terminals.
C15. A terminal, said terminal comprising:
a monitoring unit, used to monitor running processes and obtain the actual behaviour features of said processes, wherein said processes comprise application processes and system processes;
a comparing unit, used to compare said actual behaviour features obtained by said monitoring unit with the standard behaviour features in a behaviour feature library, said standard behaviour features describing the behaviour involved in vulnerability attacks;
a sending unit, used, when the comparison result of said comparing unit is that said actual behaviour features are consistent with said standard behaviour features, to report the attack log of the vulnerability attack to a cloud server, so that said cloud server notifies other terminals according to said attack log to actively defend against attacks on the same vulnerability.
C16. The terminal according to C15, wherein said standard behaviour features compared by said comparing unit comprise:
hiding IP, illegal scanning, logging on to a host, clearing records, leaving a backdoor, modifying the registry, code injection, stealing information, sending information back, and modifying DNS.
C17. The terminal according to C15, wherein said attack log sent by said sending unit comprises: the identifier of the process attacked through the vulnerability, the attack type, the vulnerability code and said actual behaviour features.
C18. The terminal according to C17, wherein the identifier of said process sent by said sending unit comprises:
the process name, process ID, process handle and storage path of the process file.
C19. The terminal according to C17, wherein said attack type sent by said sending unit comprises:
denial of service, unauthorised access attempt, pre-probe attack, protocol decoding and system agent attack.
C20. The terminal according to C15, said terminal further comprising:
a detecting unit, used to carry out simulated vulnerability attack detection on said processes;
a first recording unit, used, when said detecting unit successfully implements a simulated vulnerability attack, to record the behaviour features of said simulated vulnerability attack in said behaviour feature library as said standard behaviour features;
said sending unit, used to report to said cloud server the attack log of said simulated vulnerability attack implemented by said detecting unit.
C21. The terminal according to any one of C15 to C20, said terminal further comprising:
a receiving unit, used to receive said attack log issued by said cloud server;
a second recording unit, used to record the actual behaviour features in said attack log received by said receiving unit in said behaviour feature library as standard behaviour features;
a processing unit, used to discover and actively defend against vulnerability attacks that may occur, according to said behaviour feature library recorded by said second recording unit.
D22. A cloud server, said cloud server comprising:
a receiving unit, used to receive the attack log reported by a terminal, said attack log carrying the actual behaviour features of the vulnerability attack said terminal suffered;
a comparing unit, used to compare said actual behaviour features received by said receiving unit with the standard behaviour features in a cloud-side behaviour feature library, said standard behaviour features describing the behaviour involved in vulnerability attacks;
a sending unit, used, when the comparison result of said comparing unit is that said actual behaviour features are consistent with said standard behaviour features, to issue said attack log received by said receiving unit to other terminals, so that said other terminals actively defend against attacks on the same vulnerability according to said attack log.
D23. The cloud server according to D22, wherein said standard behaviour features compared by said comparing unit comprise:
hiding IP, illegal scanning, logging on to a host, clearing records, leaving a backdoor, modifying the registry, code injection, stealing information, sending information back, and modifying DNS.
D24. The cloud server according to D22, wherein said attack log received by said receiving unit comprises: the identifier of the process attacked through the vulnerability, the attack type, the vulnerability code and said actual behaviour features.
D25. The cloud server according to D24, wherein the identifier of said process received by said receiving unit comprises:
the process name, process ID, process handle and storage path of the process file.
D26. The cloud server according to D24, wherein said attack type received by said receiving unit comprises:
denial of service, unauthorised access attempt, pre-probe attack, protocol decoding and system agent attack.
D27. The cloud server according to D22, wherein said receiving unit is used to receive the attack log of a simulated vulnerability attack reported by said terminal.
D28. The cloud server according to any one of D22 to D27, said cloud server further comprising:
a lookup unit, used, when the comparison result of said comparing unit is that said actual behaviour features are consistent with said standard behaviour features, to look up the defence policy for the corresponding vulnerability attack;
said sending unit, used to bind said defence policy found by said lookup unit to said attack log and issue the two together to other terminals.
E28. A system for defending against vulnerability attacks, said system comprising a first terminal, a cloud server and a second terminal, wherein:
said first terminal is used to monitor running processes and obtain the actual behaviour features of said processes, wherein said processes comprise application processes and system processes; to compare said actual behaviour features with the standard behaviour features in a behaviour feature library, said standard behaviour features describing the behaviour involved in vulnerability attacks; and, if said actual behaviour features are consistent with said standard behaviour features, to report the attack log of the vulnerability attack to the cloud server;
said cloud server is used to receive said attack log reported by said first terminal, to compare said actual behaviour features in said attack log with the standard behaviour features in a cloud-side behaviour feature library, and, if said actual behaviour features are consistent with said standard behaviour features, to issue said attack log to said second terminal;
said second terminal is used to receive said attack log issued by said cloud server, to record the actual behaviour features in said attack log in a behaviour feature library as standard behaviour features, and to discover and actively defend against vulnerability attacks that may occur, according to said behaviour feature library.
In the embodiments above, each embodiment has its own emphasis; for any part of an embodiment that is not described in detail, reference may be made to the related description of the other embodiments.
It will be understood that the corresponding features of the methods and devices above may be referred to each other. In addition, "first", "second" and the like in the embodiments above serve to distinguish the embodiments and do not indicate that one embodiment is better or worse than another.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the method embodiments above and are not repeated here.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. From the description above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the description of a specific language above is given to disclose the best mode of the invention.
In the specification provided here, a large number of specific details are described. However, it will be understood that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the description of exemplary embodiments of the invention above, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the claims below reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims below, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the devices according to embodiments of the invention (such as a device for determining the internal link level of a website). The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the embodiments above illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and the like does not indicate any order. These words may be interpreted as names.

Claims (10)

1. A method for defending against vulnerability attacks, characterised in that the method comprises:
monitoring running processes and obtaining the actual behaviour feature of each process, wherein the processes comprise application processes and system processes;
comparing the actual behaviour feature with standard behaviour features in a behaviour feature library, the standard behaviour features describing the behaviours involved in a vulnerability attack;
if the actual behaviour feature is consistent with a standard behaviour feature, reporting an attack log of the vulnerability attack to a cloud server, so that the cloud server notifies other terminals according to the attack log to actively defend against the same vulnerability attack.
2. The method of claim 1, characterised in that the standard behaviour features comprise:
hiding the IP address, illegal scanning, logging in to a host, clearing records, leaving a backdoor, editing the registry, implanting code, stealing information, sending information back, and modifying DNS.
3. The method of claim 1, characterised in that the attack log comprises: the identifier of the process attacked through the vulnerability, the attack type, the vulnerability code and the actual behaviour feature.
4. The method of claim 3, characterised in that the identifier of the process comprises:
the process name, the process ID, the process handle and the storage path of the process file.
5. The method of claim 3, characterised in that the attack type comprises:
denial of service, unauthorised access attempt, pre-detection attack, protocol decoding and system agent attack.
6. The method of claim 1, characterised in that the method further comprises:
performing simulated vulnerability attack detection on the process;
if a simulated vulnerability attack succeeds, recording the behaviour feature of the simulated vulnerability attack in the behaviour feature library as a standard behaviour feature;
reporting the attack log of the simulated vulnerability attack to the cloud server.
7. A method for defending against vulnerability attacks, characterised in that the method comprises:
receiving an attack log reported by a terminal, the attack log carrying the actual behaviour feature of the vulnerability attack suffered by the terminal;
comparing the actual behaviour feature with standard behaviour features in a cloud behaviour feature library, the standard behaviour features describing the behaviours involved in a vulnerability attack;
if the actual behaviour feature is consistent with a standard behaviour feature, delivering the attack log to other terminals, so that the other terminals actively defend against the same vulnerability attack according to the attack log.
8. A terminal, characterised in that the terminal comprises:
a monitoring unit, configured to monitor running processes and obtain the actual behaviour feature of each process, wherein the processes comprise application processes and system processes;
a comparing unit, configured to compare the actual behaviour feature obtained by the monitoring unit with standard behaviour features in a behaviour feature library, the standard behaviour features describing the behaviours involved in a vulnerability attack;
a sending unit, configured to, when the comparison result of the comparing unit is that the actual behaviour feature is consistent with a standard behaviour feature, report an attack log of the vulnerability attack to a cloud server, so that the cloud server notifies other terminals according to the attack log to actively defend against the same vulnerability attack.
9. A cloud server, characterised in that the cloud server comprises:
a receiving unit, configured to receive an attack log reported by a terminal, the attack log carrying the actual behaviour feature of the vulnerability attack suffered by the terminal;
a comparing unit, configured to compare the actual behaviour feature received by the receiving unit with standard behaviour features in a cloud behaviour feature library, the standard behaviour features describing the behaviours involved in a vulnerability attack;
a sending unit, configured to, when the comparison result of the comparing unit is that the actual behaviour feature is consistent with a standard behaviour feature, deliver the attack log received by the receiving unit to other terminals, so that the other terminals actively defend against the same vulnerability attack according to the attack log.
10. A system for defending against vulnerability attacks, characterised in that the system comprises a first terminal, a cloud server and a second terminal, wherein:
the first terminal is configured to monitor running processes and obtain the actual behaviour feature of each process, wherein the processes comprise application processes and system processes; to compare the actual behaviour feature with standard behaviour features in a behaviour feature library, the standard behaviour features describing the behaviours involved in a vulnerability attack; and, if the actual behaviour feature is consistent with a standard behaviour feature, to report an attack log of the vulnerability attack to the cloud server;
the cloud server is configured to receive the attack log reported by the first terminal, compare the actual behaviour feature in the attack log with standard behaviour features in a cloud behaviour feature library, and, if the actual behaviour feature is consistent with a standard behaviour feature, deliver the attack log to the second terminal;
the second terminal is configured to receive the attack log delivered by the cloud server, record the actual behaviour feature in the attack log in its behaviour feature library as a standard behaviour feature, and, according to that behaviour feature library, discover and actively defend against the vulnerability attack that may occur.
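The terminal / cloud server / second terminal exchange of claims 1 to 10 (and of embodiment E28 and the policy binding of D28), as an added Python simulation that is not the patent's own code. It assumes that "consistent" means at least one observed behaviour feature is present in the library; the feature and attack-type identifiers, the defence policy names, the process values and the vulnerability code are constructed placeholders, not values from the patent.

```python
from dataclasses import dataclass

# Standard behaviour features of claim 2 and attack types of claim 5 (identifier spellings are mine).
CRITERION_FEATURES = frozenset({
    "hide_ip", "illegal_scanning", "login_host", "remove_record", "reserved_backdoor",
    "edit_registry", "code_implant", "steal_information", "information_return", "modify_dns"})
ATTACK_TYPES = frozenset({"denial_of_service", "unauthorized_access_attempt",
                          "pre_detection_attack", "protocol_decoding", "system_agent_attack"})

@dataclass(frozen=True)
class ProcessMark:            # identifier of the attacked process (claim 4)
    name: str
    pid: int
    handle: int
    path: str

@dataclass(frozen=True)
class AttackLog:              # attack log reported to the cloud (claim 3)
    process: ProcessMark
    attack_type: str
    vuln_code: str            # opaque placeholder in this example, not a real identifier
    features: frozenset

    def __post_init__(self):
        if self.attack_type not in ATTACK_TYPES:
            raise ValueError(f"unknown attack type: {self.attack_type}")

def consistent(actual, library):
    """Assumed reading of 'consistent': at least one actual feature is in the library."""
    return bool(set(actual) & set(library))

class Terminal:
    def __init__(self, name, library=()):
        self.name = name
        self.library = set(library)   # this terminal's behaviour feature library
        self.bound = []               # (attack log, defence policies) pushed by the cloud

    def monitor(self, process, features, attack_type, vuln_code):
        """Claim 1: report only when the actual features are consistent with the library."""
        if not consistent(features, self.library):
            return None
        return AttackLog(process, attack_type, vuln_code, frozenset(features))

    def receive(self, log, policies):
        """Claim 10, second terminal: record the log's features as standard features."""
        self.library |= log.features
        self.bound.append((log, policies))

    def defend(self, features):
        """Active defence (simulated): True when the behaviour is now recognised and blocked."""
        return consistent(features, self.library)

class CloudServer:
    def __init__(self, cloud_library, policies, terminals):
        self.library = set(cloud_library)
        self.policies = dict(policies)   # feature -> defence policy (D28)
        self.terminals = list(terminals)

    def receive(self, reporter, log):
        """Claim 7 / D28: re-check against the cloud library, bind policies, push to others."""
        matched = log.features & self.library
        if not matched:
            return []
        policies = sorted(self.policies[f] for f in matched if f in self.policies)
        notified = []
        for t in self.terminals:
            if t is not reporter:         # "other terminals" only, never the reporter
                t.receive(log, policies)
                notified.append(t.name)
        return notified

def run_scenario():
    """Constructed end-to-end exchange: the first terminal reports, the second learns."""
    first = Terminal("first", CRITERION_FEATURES)
    second = Terminal("second", {"hide_ip"})          # deliberately incomplete library
    cloud = CloudServer(CRITERION_FEATURES,
                        {"edit_registry": "restore_registry_keys", "modify_dns": "reset_dns_settings"},
                        [first, second])
    proc = ProcessMark("svc.exe", 4242, 0x1F0, r"C:\constructed\svc.exe")   # constructed values
    observed = ["edit_registry", "modify_dns"]
    before = second.defend(observed)                  # not yet in the second terminal's library
    log = first.monitor(proc, observed, "unauthorized_access_attempt", "VULN-PLACEHOLDER")
    notified = cloud.receive(first, log) if log else []
    after = second.defend(observed)                   # recognised after the cloud push
    return {"before": before, "notified": notified, "after": after,
            "policies": second.bound[0][1] if second.bound else [],
            "library_size": len(second.library)}
```

The cloud re-check before pushing is what keeps a single compromised or faulty terminal from polluting every other terminal's library with arbitrary features.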
CN201410854248.4A 2014-12-31 2014-12-31 Loophole attack prevention method, device and system Pending CN104468632A (en)

Publications (1)

Publication Number Publication Date
CN104468632A true CN104468632A (en) 2015-03-25


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150325