CN101388056B - Method, system and apparatus for preventing worm - Google Patents

Publication number: CN101388056B (granted; application CN200810167606A; earlier publication CN101388056A)
Authority: CN (China)
Legal status: Active
Prior art keywords: program, suspicious, suspicious program, terminal, judged result
Other languages: Chinese (zh)
Inventor: 孙灵峰
Original assignee: Huawei Symantec Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd; Huawei Digital Technologies Chengdu Co Ltd

Abstract

An embodiment of the invention discloses a method, system and device for preventing malicious programs. The method comprises: receiving at least one suspicious program from at least one terminal; judging, according to the behavioral features of the suspicious program, whether it is a malicious program; updating a central database according to the judgment result so that the central database sends the updated result to other terminals; and sending the judgment result for the suspicious program back to the corresponding terminal. In this interactive, distributed processing mode, data on a program that a user terminal has judged suspicious is sent to a central simulation device (a sandbox server that executes submitted samples) for processing, and the result is returned promptly so that a program judged malicious can be deleted in time. The result data of central simulation devices deployed at different locations is synchronized to the central database. Sending suspicious programs to the central simulation device for simulated execution thereby solves the problem of responding quickly to unknown viruses.

Description

Method, system and device for preventing malicious programs
Technical field
The present invention relates to the field of information technology, and in particular to a method, system and device for preventing malicious programs.
Background technology
A virus is a set of computer instructions or program code, inserted into a computer program, that damages computer functions or data, interferes with the use of the computer and can replicate itself; it usually propagates by exploiting weaknesses of the computer operating system. Once a new virus technique appears, the new virus develops rapidly; the technology for countering it develops in turn and suppresses the virus's spread, and after the operating system is updated the virus adapts to a new form, producing yet another new virus.
In the prior art, viruses are detected and removed by signature scanning. Signature scanning relies on the fact that a known virus and its variants share a certain portion of identical code. Detection uses the signature; removal uses manually written disinfection code. Signature scanning is in fact a simple statement of manual virus analysis and is the conventional method by which analysts recognize viruses: applying the principle that "a certain portion of the code of the same or similar viruses is identical", a virus, its variants and its polymorphic forms that share this identity can be described, and the program body is compared against the description, that is, the signature, to find the virus.
In the course of making the present invention, the inventor found at least the following problems in the prior art:
Not every virus can be described by a signature, and a virus that cannot be described by a signature cannot be detected by signature scanning. The description of a signature depends on the subjective judgment of a person, samples must be reported manually, and reporting is not distributed; the efficiency of non-distributed virus reporting is low, so detection lags seriously behind.
Summary of the invention
The embodiments of the invention provide a method, system and device for preventing malicious programs, in order to find viruses quickly.
To achieve the above object, an embodiment of the invention proposes a method for preventing malicious programs, comprising:
a central simulation device receiving at least one suspicious program from at least one terminal;
judging, according to the behavioral features of the at least one suspicious program, whether it is a malicious program, and updating a central database according to the judgment result so that the central database sends the updated result to other terminals, where updating the central database according to the judgment result comprises the central simulation device sending the suspicious program and an update message to the central database according to the judgment result; and
sending the judgment result for the at least one suspicious program to the corresponding terminal.
An embodiment of the invention also proposes a network system, comprising:
at least one terminal, configured to send a suspicious program to a central simulation device, receive the judgment result for the suspicious program from the central simulation device, and process the suspicious program according to the judgment result;
the central simulation device, configured to receive the suspicious program from the at least one terminal, judge according to the behavioral features of the received suspicious program whether it is a malicious program, update a central database according to the judgment result, and send the judgment result for the suspicious program to the corresponding terminal; and
the central database, configured to send the updated result to other terminals, and to interact with the central simulation device and receive the suspicious program from it.
An embodiment of the invention also proposes a network device (the terminal), comprising:
an information gathering module, configured to collect the behavioral features of a suspicious program;
a judging module, configured to match the behavioral features of the suspicious program against a behavior library on the terminal;
an information storage module, configured to store the preset behavior library and the weights corresponding to its different behavioral features; and
a data transmission module, configured to judge from the matching result whether the suspicious program needs to be sent and, if so, to send it to the central simulation device.
An embodiment of the invention also proposes a network device (the central simulation device), comprising:
a receiving module, configured to receive at least one suspicious program from at least one terminal;
a judging module, configured to judge, according to the behavioral features of the at least one suspicious program, whether it is a malicious program;
an updating module, configured to update a central database according to the judgment result obtained by the judging module, so that the central database sends the updated result to other terminals; and
a sending module, configured to send the judgment result for the at least one suspicious program to the corresponding terminal.
An embodiment of the invention also proposes a network device (the central database), comprising:
an interaction module, configured to interact with the central simulation device and receive a suspicious program and an update message from it;
a first storage module, configured to store malicious programs; when the update message received by the interaction module contains an indication to store the suspicious program in the first storage module, or a judgment result that the suspicious program is malicious, the suspicious program is stored in the first storage module;
a second storage module, configured to store a white list; when the update message received by the interaction module contains an indication to store the suspicious program in the second storage module, or a judgment result that the suspicious program is not malicious, the suspicious program is added to the second storage module; and
a sending module, configured to send out the update information stored in the first and second storage modules.
Compared with the prior art, the embodiments of the invention have the following advantages:
Through an interactive, distributed processing mode, data on a program judged suspicious at the client is transferred to a central simulation device for processing, and the result is returned promptly so that a program judged malicious is deleted in time. Central simulation devices distributed at different locations synchronize their result data to the central database, and sending suspicious programs to the central simulation device for simulated execution solves the problem of responding quickly to unknown viruses.
Brief description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for describing them are introduced briefly below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for preventing malicious programs according to embodiment one of the invention;
Fig. 2 is a flowchart of a method for preventing malicious programs according to embodiment two;
Fig. 3 is a structural diagram of a system for preventing malicious programs according to embodiment three;
Fig. 4 is a structural diagram of a device for preventing malicious programs according to embodiment four;
Fig. 5 is a structural diagram of a device for preventing malicious programs according to embodiment four;
Fig. 6 is a structural diagram of a device for preventing malicious programs according to embodiment five;
Fig. 7 is a structural diagram of a device for preventing malicious programs according to embodiment six.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that those of ordinary skill in the art obtain from these embodiments without creative effort fall within the scope of protection of the invention.
In the following embodiments, the network may be a mobile network, a fixed network or a fixed-mobile convergence network; a local area network, a metropolitan area network or a wide area network; an access network, a core network or a transport network; a peer-to-peer (P2P) network or a client/server (C/S) network, and so on.
In the following embodiments, the terminal may be a mobile phone, a PDA, a computer, a server, a household appliance or any other electronic device, network device or computer-related device.
In the following embodiments, the central simulation device may be a server or a peer node in a P2P network.
In the following embodiments, a program may be based on an operating system such as Linux or Windows, and may be any type of file.
A method for preventing malicious programs proposed by embodiment one of the invention, shown in Fig. 1, comprises:
Step S101: receiving at least one suspicious program from at least one terminal;
Step S102: judging, according to the behavioral features of the at least one suspicious program, whether it is a malicious program, and updating the central database according to the judgment result so that the central database sends the updated result to other terminals;
in this step, the central database may be updated synchronously;
Step S103: sending the judgment result for the at least one suspicious program to the corresponding terminal.
Thus, in this embodiment, through an interactive, distributed processing mode, a program judged suspicious at the client is transferred to the central simulation device for simulated execution, the result is returned promptly so that a program judged malicious is deleted in time, and central simulation devices at different locations synchronize their results to the central database, which solves the problem of responding quickly to unknown viruses.
A method for preventing malicious programs proposed by embodiment two of the invention, shown in Fig. 2, comprises:
Step S201: the terminal collects the behavioral features of the program to be detected, that is, the suspected program. These behavioral features may include the digital signature, system attributes, program publisher name, program structure and similar information.
Step S202: the behavioral feature information of the program to be detected is matched against a behavior library, and a weight for the program is obtained from the behavioral features common to malicious programs in the library and their corresponding weights.
Specifically, the terminal that detects unknown viruses may store a behavior library of behavioral features common to malicious programs, and the library may also store the mapping between each such feature and its weight. Table 1 shows one such correspondence between behavior descriptions and weights.
Table 1
Number   Behavior description   Weight
001      Modify system file     10
002      Hide system file       10
003      Delete system file     10
Step S203: a weighted judgment is made from the obtained weights to decide whether the suspected program needs to be sent to the central simulation device. If it does, go to step S204; otherwise the process ends.
Step S204: the terminal exchanges data with the central simulation device. The code of a small suspicious program may be sent directly to the central simulation device; for a large suspicious program, only its critical data may be sent.
Step S205: the central simulation device receives the suspicious program sent by the terminal and queries the central database for the fixed attribute of this program; the fixed attribute may be a unique identifier of the file.
Step S206: the central simulation device executes the suspicious program directly and judges from its dynamic behavior whether it is a malicious program.
Specifically, an enhanced unknown-virus detection program is installed on the central simulation device; it can detect not only the static attributes of a program but also its dynamic behavioral features. When the received sample is a complete small suspicious program, it is activated in a virtual environment and judged malicious or not according to its behavioral features. When what is received is the critical data of a large suspicious program, the white list of known normal programs in the central database is consulted first; if the behavioral features of the program cannot be found on the white list, a weight for the program is obtained from accumulated experience of malicious programs, and from this it is judged whether the program is malicious. This experience comes from the contents of a malicious-program experience library, which records the characteristic program structures common to malicious programs.
Once it has been judged whether the suspicious program is malicious, the contents of the central database need to be updated. If the program is judged malicious, its fixed attribute value is synchronously updated into the malicious-program library in the central database, which records the features and other information of programs judged malicious. If it is judged not malicious, its fixed attribute value is synchronously updated into the white list in the central database, which records the feature information of a large number of programs regarded as normal. After the information about the suspicious program has been synchronized into the central database, the next time the same program needs to be detected, whether it is malicious can be decided directly from the contents of the central database.
Updating the central database according to the judgment result means sending the suspicious program and an update message to the central database. When the program is judged malicious, the update message contains either an indication to store the suspicious program in the malicious-program library of the central database or the judgment result that the program is malicious. When it is judged not malicious, the update message contains either an indication to store the suspicious program in the white list of the central database or the judgment result that the program is not malicious.
After a preset time has elapsed, the central database may send the update results for the suspicious programs it stores to other terminals (terminals other than the one where the suspicious program was found). When the suspicious program is malicious, the central database sends the fixed attribute value of the malicious program in its malicious-program library to the other terminals so that they update the malicious programs in their own behavior libraries; when such a terminal finds a suspicious program with the same attribute value, it can judge directly that the program is malicious without sending it to the central simulation device, which solves the problem of responding quickly to unknown viruses. Likewise, when the suspicious program is not malicious, the central database sends the fixed attribute value of the program in its white list to the other terminals so that they update their behavior libraries; when such a terminal finds a suspicious program with the same attribute value, it can judge directly that the program is not malicious and need not send it to the central simulation device.
Step S207: the central simulation device returns the judgment result for the suspicious program to the terminal user.
Step S208: the terminal receives the judgment result returned by the central simulation device and processes the suspicious program accordingly.
Specifically, when the terminal receives the signal sent by the central simulation device, it may convert the signal into information the terminal can recognize and then process the suspicious program: when the central simulation device has judged the program malicious, the program is deleted; when it has judged the program not malicious, no action is taken.
Step S209: the terminal displays the result and the handling method to the terminal user.
Thus, in this embodiment, through an interactive, distributed processing mode, a program judged suspicious at the client is transferred to the central simulation device for simulated execution and the result is returned promptly so that a program judged malicious is deleted in time; central simulation devices at different locations synchronize their results to the central database, which allows a quick response to new viruses across a wide region or network domain and solves the problem of responding quickly to unknown viruses.
A network system proposed by embodiment three of the invention: the number of terminals may be arbitrary, and in this embodiment two terminals are taken as an example. In practice, the connection between terminals and central simulation devices is determined case by case; in this embodiment each terminal corresponds to its own central simulation device, and the two central simulation devices are connected to one central database. As shown in Fig. 3, the system comprises:
terminal 31, configured to send a suspicious program to central simulation device 32, receive the judgment result for the program from central simulation device 32, and process the program according to the judgment result;
specifically, terminal 31 processes the suspicious program according to the judgment result as follows: when the program is malicious, it deletes the program;
when the program is not malicious, it leaves the program untouched;
central simulation device 32, configured to receive the suspicious program from terminal 31, judge from the behavioral features of the received program whether it is malicious, update the central database according to the judgment result so that the central database sends the updated result to other terminals, and send the judgment result for the program to terminal 31.
Further, the network system also comprises terminal 33 and central simulation device 34, which correspond to terminal 31 and central simulation device 32 above and are not described again here.
The network system also comprises:
central database 35, configured to interact with central simulation device 32 and central simulation device 34, receive the suspicious program from central simulation device 32 and from central simulation device 34, and send the update result for the suspicious program to other terminals. For example, in this embodiment central database 35 may send the update result for a suspicious program from terminal 31 to terminal 33: when the suspicious program in terminal 31 is malicious, the result recorded in central database 35 that this program is malicious is sent to terminal 33, so that terminal 33 judges the same program malicious as soon as it finds it, which solves the problem of responding quickly to unknown viruses. Likewise, central database 35 may send the update result for a suspicious program from terminal 33 to terminal 31.
Thus, in this embodiment, through a distributed processing mode, a program judged suspicious at the client is transferred to the central simulation device for simulated execution and the result is returned promptly so that a program judged malicious is deleted in time; central simulation devices at different locations synchronize their results to the central database, which allows a quick response to new viruses across a wide region or network domain.
A network device proposed by embodiment four of the invention is the terminal that detects unknown viruses. As shown in Fig. 4, it may comprise:
information gathering module 41, configured to collect the behavioral features of the program to be detected, that is, the suspected program, including information such as its digital signature, system attributes, publisher name and program structure, and to input this behavioral feature information to judging module 42;
judging module 42, configured to match the behavioral feature information of the program to be detected, input by information gathering module 41, against the behavior library, and to obtain a weight for the program from the behavioral features common to malicious programs in the library and their corresponding weights. The mapping between these common behavioral features and their weights is stored in information storage module 43.
Specifically, the terminal that detects unknown viruses may store a behavior library of behavioral features common to malicious programs, and the library may also store the correspondence between those features and their weights. A weighted judgment is made from the obtained weights to decide whether the suspected program needs to be sent to the central simulation device; when it does, the program is passed to data transmission module 44;
information storage module 43, configured to store the preset behavior library and the weights corresponding to its different behavioral features;
data transmission module 44, configured to judge from the matching result of judging module 42 whether the suspicious program needs to be sent and, if so, to send it to the central simulation device. A small suspicious program is uploaded directly; for a large suspicious program only its critical data is uploaded.
Further, as shown in Fig. 5, the terminal that detects unknown viruses may also comprise:
receiving module 45, configured to receive the judgment result for the suspicious program from the central simulation device;
processing module 46, configured to process the suspicious program according to the judgment result received by receiving module 45 from the central simulation device; the processing includes deleting the program when it is malicious;
display module 47, configured to display the result and the handling method of processing module 46 to the terminal user.
Processing module 46 may comprise:
signal receiving unit 461, configured to receive the signal sent by the central simulation device and convert it into information that program processing unit 462 can recognize;
program processing unit 462, configured to decide how to handle the program from the signal received by signal receiving unit 461, including encrypted isolation when the program is judged malicious, release when it is not malicious, and deletion of the suspicious program;
information output unit 463, configured to output the result information of program processing unit 462 to display module 47.
Thus, in this embodiment, through an interactive, distributed processing mode, a program judged suspicious at the client is transferred to the central simulation device for simulated execution and the result is returned promptly so that a program judged malicious is deleted in time; central simulation devices at different locations synchronize their results to the central database, which allows a quick response to new viruses across a wide region or network domain.
A kind of network equipment that the embodiment of the invention five proposes, this device is the center analog machine, as shown in Figure 6, can comprise:
Receiver module 61 is used to receive at least one the suspicious program from least one terminal;
Judge module 62 is used for the behavioural characteristic according at least one suspicious program of receiver module 61 receptions, judges whether this at least one suspicious program is rogue program;
Update module 63 is used for judging the judged result renewal central database that obtains according to judge module 62, sends to other terminal so that this central database can upgrade the result;
Sending module 64 is used for the judged result of judge module 62 at least one suspicious program sent to counterpart terminal.
Further, this update module 63 can comprise:
First update module 631, be used for when this judge module 62 is judged this suspicious program and is rogue program, send this suspicious program and updating message to central database, this updating message comprises: will this suspicious procedure stores indication in the rogue program storehouse of this central database; Perhaps, this suspicious program judged result that is rogue program;
Second update module 632, be used for when this judge module 62 is judged this suspicious program and is not rogue program, send this suspicious program and updating message to this central database, this updating message comprises: will this suspicious procedure stores indication in the white list of this central database; Perhaps, this suspicious program judged result that is not rogue program.
A storage device proposed by embodiment six of the invention may be a central database 7 and, as shown in Figure 7, may comprise:
an interaction module 71, configured to interact with the central simulation device and to receive a suspicious program and an update message from the central simulation device;
a first storage module 72, configured to store malicious programs; when the update message received by the interaction module 71 comprises an indication to store the suspicious program in the first storage module 72, or the judgment result that the suspicious program is a malicious program, the suspicious program is stored in the first storage module 72;
a second storage module 73, configured to store the whitelist; when the update message received by the interaction module 71 comprises an indication to store the suspicious program in the second storage module 73, or the judgment result that the suspicious program is not a malicious program, the suspicious program is stored in the second storage module 73;
a sending module 74, configured to send out the update information stored in the first storage module 72 and the second storage module 73.
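The central simulation device of embodiment five and the central database of embodiment six, modelled in Python as an added illustration (this is not code from the patent or its assignee). The device judges a submitted program from its behaviour features, sends the program and an update message to the database in either of the two forms the text allows (a storage indication, or the bare judgment result), the database files the program in the malicious program library or the whitelist and queues the update for other terminals, and the judgment result goes back to the submitting terminal. The behaviour labels, the denylist rule standing in for the simulation verdict, the message fields and the class names are assumptions.

```python
"""Central simulation device (embodiment five) and central database
(embodiment six).  Added illustration, not the patent's own code: the
behaviour labels, the denylist rule standing in for the simulation verdict,
and the message fields are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Behaviour features that the simulation run is assumed to report when the
# program exhibits them (constructed labels for this example).
MALICIOUS_BEHAVIOURS = frozenset({
    "self_replicate_to_network_share",
    "disable_security_service",
    "inject_into_system_process",
})


@dataclass(frozen=True)
class SuspiciousProgram:
    terminal_id: str            # terminal that submitted the program
    code: bytes                 # program code, or its critical data (claim 2)
    behaviours: FrozenSet[str]  # behaviour features observed in simulation

    @property
    def program_id(self) -> str:
        # Content hash used as the key in the malicious program library / whitelist.
        return hashlib.sha256(self.code).hexdigest()


@dataclass(frozen=True)
class UpdateMessage:
    """Sent with the program to the central database.  Either form from
    claim 5 may be used: a storage indication, or the bare judgment result."""
    program_id: str
    store_in: Optional[str] = None        # "malware_library" or "whitelist"
    is_malicious: Optional[bool] = None   # judgment result, if sent instead


class CentralDatabase:
    """Embodiment six: interaction module, two storage modules, sending module."""

    def __init__(self) -> None:
        self.malware_library = {}          # first storage module
        self.whitelist = {}                # second storage module
        self.pending_updates: List[Tuple[str, str]] = []

    def receive(self, program: SuspiciousProgram, msg: UpdateMessage) -> None:
        # Interaction module: accept the program and its update message, then
        # file the program according to whichever form the message carries.
        malicious = msg.store_in == "malware_library" or msg.is_malicious is True
        store = "malware_library" if malicious else "whitelist"
        getattr(self, store)[program.program_id] = program.code
        self.pending_updates.append((store, program.program_id))

    def send_updates(self) -> List[Tuple[str, str]]:
        # Sending module: hand out the update information queued since the
        # last call, so other terminals receive the new library entries.
        out, self.pending_updates = self.pending_updates, []
        return out


class CentralSimulationDevice:
    """Embodiment five: receiving, judging, updating and sending modules."""

    def __init__(self, db: CentralDatabase) -> None:
        self.db = db

    def judge(self, program: SuspiciousProgram) -> bool:
        # Judging module.  A denylist of behaviours stands in for the full
        # simulation-based judgment described in the text (assumption).
        return bool(program.behaviours & MALICIOUS_BEHAVIOURS)

    def process(self, program: SuspiciousProgram, *, by_indication: bool = True) -> Tuple[str, bool]:
        # The receiving module has delivered `program`; judge it, update the
        # central database, and return (terminal, judgment result) for the
        # sending module to deliver to the submitting terminal.
        malicious = self.judge(program)
        if by_indication:
            msg = UpdateMessage(program.program_id,
                                store_in="malware_library" if malicious else "whitelist")
        else:
            msg = UpdateMessage(program.program_id, is_malicious=malicious)
        self.db.receive(program, msg)
        return program.terminal_id, malicious
```

Keying both stores by a content hash matters for the "send the update result to other terminals" step: a terminal that later sees the same bytes can match them against the pushed library or whitelist entry without re-submitting the program.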
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by hardware, or by software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, a USB flash disk or a portable hard drive) and comprises instructions that cause a computer device (such as a personal computer, a server or a network device) to carry out the method described in each embodiment of the present invention.
The above is only a preferred implementation of the present invention; it should be pointed out that those skilled in the art may make improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (12)

1. A method for preventing malicious programs, characterised in that it comprises:
a central simulation device receiving at least one suspicious program from at least one terminal;
judging, according to the behaviour features of the at least one suspicious program, whether the at least one suspicious program is a malicious program, and updating a central database according to the judgment result so that the central database sends the update result to other terminals, wherein updating the central database according to the judgment result comprises: the central simulation device sending the suspicious program and an update message to the central database according to the judgment result;
sending the judgment result of the at least one suspicious program to the corresponding terminal.
2. The method of claim 1, characterised in that receiving the suspicious program comprises:
receiving the code of the suspicious program; or
receiving critical data of the suspicious program.
3. The method of claim 1 or 2, characterised in that, before receiving the suspicious program from the at least one terminal, the method further comprises:
the terminal collecting the behaviour features of the suspicious program;
the terminal matching the behaviour features of the suspicious program against the behaviour library of the terminal;
the terminal judging, according to the result of the matching, whether the suspicious program needs to be sent, and sending the suspicious program if so.
4. The method of claim 3, characterised in that the behaviour features of the suspicious program comprise:
one or more of a digital signature, a system property, a program publisher name and a program structure.
5. the method for claim 1 is characterized in that, describedly sends described suspicious program and updating message comprises according to judged result to central database:
When judging that described suspicious program is rogue program, send described suspicious program and updating message to described central database, described updating message comprises: with the indication of described suspicious procedure stores in the rogue program storehouse of described central database, perhaps described suspicious program is the judged result of rogue program;
When judging that described suspicious program is not rogue program, send described suspicious program and updating message to described central database, described updating message comprises: with the indication of described suspicious procedure stores in the white list of described central database, perhaps described suspicious program is not the judged result of rogue program.
6. the method for claim 1 is characterized in that, will also comprise to the judged result of at least one suspicious program after the terminal of correspondence sends described:
Described terminal is handled described suspicious program accordingly according to described judged result;
Described processing comprises: when described suspicious program is rogue program, delete described suspicious program.
7. a network system is characterized in that, comprising:
At least one terminal is used for sending suspicious program to the center analog machine; Reception is from the judged result of described center analog machine to described suspicious program; According to described judged result described suspicious program is handled;
The center analog machine is used to receive the suspicious program from described at least one terminal; According to the behavioural characteristic of described at least one the suspicious program that receives, judge whether described at least one suspicious program is rogue program, upgrade central database according to judged result; To the judged result of described at least one suspicious program be sent to the terminal of correspondence;
Central database is used for the renewal result is sent to other terminal; Also be used for carrying out alternately, receive suspicious program from described center analog machine with described center analog machine.
8. A network device, characterised in that it comprises:
an information gathering module, configured to collect the behaviour features of a suspicious program;
a judging module, configured to match the behaviour features of the suspicious program against the behaviour library of the terminal;
an information storage module, configured to store a preset behaviour library in which weights correspond to the different behaviour features;
a data transmission module, configured to judge, according to the result of the matching, whether the suspicious program needs to be sent, and if so to send the suspicious program to a central simulation device.
9. The network device of claim 8, characterised in that it further comprises:
a receiving module, configured to receive from the central simulation device the judgment result on the suspicious program;
a processing module, configured to process the suspicious program according to the judgment result on the suspicious program that the receiving module receives from the central simulation device, the processing comprising:
deleting the suspicious program when the suspicious program is a malicious program.
10. A network device, characterised in that it comprises:
a receiving module, configured to receive at least one suspicious program from at least one terminal;
a judging module, configured to judge, according to the behaviour features of the at least one suspicious program, whether the at least one suspicious program is a malicious program;
an updating module, configured to update a central database according to the judgment result obtained by the judging module, so that the central database sends the update result to other terminals;
a sending module, configured to send the judgment result on the at least one suspicious program to the corresponding terminal.
11. The device of claim 10, characterised in that the updating module comprises:
a first updating module, configured to send, when the judging module judges the suspicious program to be a malicious program, the suspicious program and an update message to the central database, the update message comprising either an indication to store the suspicious program in the malicious program library of the central database, or the judgment result that the suspicious program is a malicious program;
a second updating module, configured to send, when the judging module judges the suspicious program not to be a malicious program, the suspicious program and an update message to the central database, the update message comprising either an indication to store the suspicious program in the whitelist of the central database, or the judgment result that the suspicious program is not a malicious program.
12. A network device, characterised in that it comprises:
an interaction module, configured to interact with a central simulation device and to receive a suspicious program and an update message from the central simulation device;
a first storage module, configured to store malicious programs, wherein when the update message received by the interaction module comprises an indication to store the suspicious program in the first storage module, or the judgment result that the suspicious program is a malicious program, the suspicious program is stored in the first storage module;
a second storage module, configured to store a whitelist, wherein when the update message received by the interaction module comprises an indication to store the suspicious program in the second storage module, or the judgment result that the suspicious program is not a malicious program, the suspicious program is updated into the second storage module;
a sending module, configured to send out the update information stored in the first storage module and the second storage module.
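The terminal-side pre-filter of claims 3, 4 and 8, together with the terminal's handling of the returned judgment from claims 6 and 9, as an added illustration in Python (not code from the patent or its assignee). The claims say only that the behaviour library pairs behaviour features with weights and that the terminal decides from the match result whether to send the program; the feature names, their weights, the summing rule and the submission threshold below are assumptions.

```python
"""Terminal of claims 3, 4, 8 and 9: information gathering, judging,
information storage, data transmission, receiving and processing modules.
Added illustration; feature names, weights and the threshold are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Information storage module: preset behaviour library mapping each behaviour
# feature to a weight.  Claim 4 names digital signature, system property,
# publisher name and program structure as feature kinds; the concrete entries
# and weights below are constructed for this example.
BEHAVIOUR_LIBRARY: Dict[str, int] = {
    "signature:missing": 3,
    "signature:invalid": 5,
    "publisher:unknown": 2,
    "system_property:hidden_file": 2,
    "system_property:autorun": 3,
    "structure:packed_section": 3,
}
SEND_THRESHOLD = 6  # assumed cut-off for forwarding to the central device


@dataclass
class Terminal:
    terminal_id: str
    # Constructed stand-in for the terminal's file system: path -> feature list.
    files: Dict[str, List[str]]
    outbox: List[str] = field(default_factory=list)  # paths sent to the central device

    def collect_features(self, path: str) -> Set[str]:
        # Information gathering module.  Features are taken as pre-extracted here.
        return set(self.files[path])

    def match(self, features: Iterable[str]) -> int:
        # Judging module: match the features against the library and total
        # their weights; features the library does not know contribute nothing.
        return sum(BEHAVIOUR_LIBRARY.get(f, 0) for f in features)

    def maybe_submit(self, path: str) -> bool:
        # Data transmission module: send only when the score reaches the threshold.
        if self.match(self.collect_features(path)) >= SEND_THRESHOLD:
            self.outbox.append(path)
            return True
        return False

    def handle_judgment(self, path: str, is_malicious: bool) -> bool:
        # Receiving + processing modules: delete the program when the central
        # simulation device judged it malicious; leave it alone otherwise.
        if is_malicious and path in self.files:
            del self.files[path]
            return True
        return False
```

The threshold is the tuning point of this design: set too low, every unsigned tool on the estate is shipped to the central device; set too high, a sample that shows only one strong feature never leaves the terminal. A deployment would also check the library and whitelist updates pushed from the central database before submitting, so a program that has already been judged elsewhere is not sent again.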

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810167606 CN101388056B (en) 2008-10-20 2008-10-20 Method, system and apparatus for preventing worm

Publications (2)

Publication Number Publication Date
CN101388056A CN101388056A (en) 2009-03-18
CN101388056B true CN101388056B (en) 2010-06-02

Family

ID=40477472

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810167606 Active CN101388056B (en) 2008-10-20 2008-10-20 Method, system and apparatus for preventing worm

Country Status (1)

Country Link
CN (1) CN101388056B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102012982A (en) * 2010-11-17 2011-04-13 许丽涛 Method and device for protecting safe operation of intelligent device

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101593253B (en) * 2009-06-22 2012-04-04 成都市华为赛门铁克科技有限公司 Method and device for judging malicious programs
CN101990200A (en) * 2009-07-31 2011-03-23 北京大学 Method for collecting malicious code of mobile terminal
CN103475671B (en) * 2010-08-18 2017-12-29 北京奇虎科技有限公司 Malware detection methods
CN102480483A (en) * 2010-11-22 2012-05-30 财团法人资讯工业策进会 Server, user device and malware detection methods for server and user device
CN102045368A (en) * 2011-01-20 2011-05-04 中兴通讯股份有限公司 Virus preventing method of intelligent mobile terminal and system
DE102012006309A1 (en) * 2011-03-29 2012-10-04 Htc Corp. A method of handling a malicious application in an application sales system of a telecommunications company and associated communications device
CN102955912B (en) * 2011-08-23 2013-11-20 腾讯科技(深圳)有限公司 Method and server for identifying application malicious attribute
US9439077B2 (en) * 2012-04-10 2016-09-06 Qualcomm Incorporated Method for malicious activity detection in a mobile station
CN103778371A (en) * 2012-10-22 2014-05-07 腾讯科技(深圳)有限公司 Plug-in installation monitoring method and terminal
CN103067391A (en) * 2012-12-28 2013-04-24 广东欧珀移动通信有限公司 Method, system and device of malicious permission detection
CN104700029B (en) * 2013-12-04 2018-06-26 中国移动通信集团广东有限公司 A kind of software online test method, device and server
CN103905423B (en) * 2013-12-25 2017-08-11 武汉安天信息技术有限责任公司 A kind of harmful advertising member detection method and system analyzed based on dynamic behaviour
US9357397B2 (en) * 2014-07-23 2016-05-31 Qualcomm Incorporated Methods and systems for detecting malware and attacks that target behavioral security mechanisms of a mobile device
CN104298920A (en) * 2014-10-14 2015-01-21 百度在线网络技术(北京)有限公司 Virus file processing method, system and device
CN112906062A (en) * 2021-02-20 2021-06-04 方圆标志认证集团浙江有限公司 Portable information equipment based on information security management system authentication
CN112948831B (en) * 2021-03-12 2024-02-13 安天科技集团股份有限公司 Application risk identification method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US708000A (en) * 1901-12-11 1902-09-02 Charles C Allen Polishing-strip.
CN101039177A (en) * 2007-04-27 2007-09-19 珠海金山软件股份有限公司 Apparatus and method for on-line searching virus
CN101140611A (en) * 2007-09-18 2008-03-12 北京大学 Malevolence code automatic recognition method
CN101226570A (en) * 2007-09-05 2008-07-23 江启煜 Method for monitoring and eliminating generalized unknown virus

Similar Documents

Publication Publication Date Title
CN101388056B (en) Method, system and apparatus for preventing worm
CN102105884B (en) Streaming malware definition updates
CN105303112B (en) The detection method and device of component call loophole
CN112311612B (en) Information construction method and device and storage medium
CN102332072A (en) The system and method that is used for detection of malicious software and management Malware relevant information
CN109618176B (en) Processing method, equipment and storage medium for live broadcast service
CN104281809A (en) Method, device and system for searching and killing viruses
CN111563015B (en) Data monitoring method and device, computer readable medium and terminal equipment
CN103366117A (en) Repairing method and system for files infected by infectious viruses
CN103166911A (en) Version management server authority management method and version management server authority management equipment
CN106534268A (en) Data sharing method and apparatus
CN111314063A (en) Big data information management method, system and device based on Internet of things
KR20180079434A (en) Virus database acquisition methods and devices, equipment, servers and systems
CN112418259A (en) Method for configuring real-time rules based on user behaviors in live broadcast process, computer equipment and readable storage medium
CN114662108A (en) Software detection method and device and electronic equipment
CN102739776A (en) Method, device and system for revealing information
CN105162805A (en) User account login method and apparatus
CN106156210B (en) Method and device for determining application identifier matching list
CN104298521A (en) Window updating method and device
CN109324801B (en) Algorithm downloading method, equipment and related product
CN108960378B (en) Data downloading method, system, device and storage medium
CN107124330B (en) Data downloading control method and system
CN113114734B (en) Information processing method, device, equipment and storage medium
CN104243604A (en) File disabling method and device
US11281674B2 (en) Grouping data in a heap using tags

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: HUAWEI TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Effective date: 20130724

C41 Transfer of patent application or patent right or utility model
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 611731 CHENGDU, SICHUAN PROVINCE TO: 518129 SHENZHEN, GUANGDONG PROVINCE

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20130724

Address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee after: HUAWEI TECHNOLOGIES Co.,Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.