CN101827104B - Multi anti-virus engine-based network virus joint defense method - Google Patents

Multi anti-virus engine-based network virus joint defense method Download PDF

Info

Publication number
CN101827104B
CN101827104B CN 201010158969 CN201010158969A CN101827104B CN 101827104 B CN101827104 B CN 101827104B CN 201010158969 CN201010158969 CN 201010158969 CN 201010158969 A CN201010158969 A CN 201010158969A CN 101827104 B CN101827104 B CN 101827104B
Authority
CN
China
Prior art keywords
virus
resource
user
server
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 201010158969
Other languages
Chinese (zh)
Other versions
CN101827104A (en
Inventor
徐小龙
程春玲
赵昌耀
熊婧夷
柴倩
杨宝春
钱建屹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Post and Telecommunication University filed Critical Nanjing Post and Telecommunication University
Priority to CN 201010158969 priority Critical patent/CN101827104B/en
Publication of CN101827104A publication Critical patent/CN101827104A/en
Application granted granted Critical
Publication of CN101827104B publication Critical patent/CN101827104B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a multi anti-virus engine-based network virus joint defense method. In the method, various anti-virus engines are integrated by using cluster servers in the cloud computing to assist or even substitute for a user terminal to defense network virus so as to ensure fast network system and effectively defense the attack of the network virus. At present, the problems of spreading, infection and attack of the virus on the network become more and more serious, and the main means of defending the network virus depends on anti-virus software. The invention provides the multi anti-virus engine-based network virus joint defense method which is suitable for both Internet and Intranet. The method comprises the following steps of: deploying various anti-virus engines on the cluster servers of the cloud computing, wherein the different anti-virus engines focus on different types of network viruses; dividing the server cluster into a plurality of defense areas according to the engines arranged on the servers; and in addition, selecting a server node as a gateway node for the user terminal to access the cluster server.

Description

A kind of internet worm Alliance Defense method based on many Anti-Virus Engines
Technical field
The present invention is a kind of for the network computing environment at Internet-based or Intranet, improves each host node to the defensive ability/resistance ability of internet worm, adoptable a kind of internet worm Alliance Defense method based on many Anti-Virus Engines.Present technique belongs to the interleaving techniques application of Distributed Calculation, information security, computer network and computer software.
Background technology
Internet worm comprises computer virus, network worm, back door wooden horse, spy's part etc., and the resource-sharing that network is outstanding and communication function provide natural hotbed for propagation, infection and the destruction of internet worm.By network particularly the internet worm propagated of the Internet and application system thereof, involve that scope is large, broad covered area, just can cause at short notice that network congestion even paralysis, shared resource are lost, confidential information is had things stolen, thereby cause huge loss.
The Main Means of defending against network virus is to rely on patch system leak (being patch installing) and anti-viral software or anti-viral software at present.The common integrated Real Time Monitoring identification of anti-viral software, virus scan and the functions such as removing, auto-update and data recovery have become the computer and network system of defense important component part of (also comprising fire compartment wall, intrusion detection, intrusion prevention system etc.).
But present anti-viral software is at first will find and confirm an internet worm substantially, and then takes precautions against, and exists series of problems:
(1) can't effectively process increasing rogue program, most of anti-viral software is manufacturing and the propagation that lags behind internet worm, and the feature database diagnostic method of at present the most normal employing is obviously out-of-date;
(2) the rogue program defence policies of at present the most normal employing mainly is simple multimachine defence, and the anti-viral software of a cover identification and killing rogue program namely is installed on every computer, mainly relies on the virus base in the local hard drive, and is weak in strength;
(3) kind of anti-viral software is many at present, emphasis is had nothing in common with each other, even from the progressive fixed point gateway virus killing to network level of single-point defence, but a cover anti-viral software only is installed generally on the gateway of responsible defence or the computer, therefore usually is difficult to effectively defend diverse network virus;
(4) internet worm of in recent years attacking anti-viral software is also more and more, even present most of anti-viral software has the self-protection function, but still has internet worm can shield the process of anti-viral software now, causes its paralysis and can't protected host.
For day by day serious Network Virus Propagation, infection and attack problem, the present invention proposes a kind of both applicable to the internet worm Alliance Defense method based on many Anti-Virus Engines that also is applicable to Intranet in the Internet.
Summary of the invention
Technical problem: virus propagation, infection and the attack problem on the network is day by day serious at present, and the Main Means of defending against network virus is the anti-viral software that relies on.Yet present anti-viral software exists hysteresis quality and the series of problems such as incomprehensive, causes its effectively defending against network virus.Various Anti-Virus Engine emphasis are different, exist complementary.The present invention proposes a kind of both applicable to the internet worm Alliance Defense method based on many Anti-Virus Engines that also is applicable to Intranet in the Internet.
Technical scheme: it is a kind of that the present invention proposes mainly had been to utilize the integrated multiple Anti-Virus Engine of cluster server in the cloud computing to assist even replace user terminal to come defending against network virus applicable to the internet worm Alliance Defense method based on many Anti-Virus Engines that also is applicable to Intranet in the Internet both, so that network system can be resisted the attack of internet worm more quickly and efficiently.
Cloud computing is distributed in calculation task on the cluster server resource pool of a large amount of computers formations, make various application systems can obtain as required required service, generally possess following 3 characteristic features: the hardware infrastructure framework is on large-scale low-cost server cluster; Application program and the exploitation of bottom service collaboration maximally utilise resource; By the redundancy between a plurality of low-cost servers, use software to obtain high availability.The network application system that employing makes up based on the cloud computing technology of the computer cluster of high performance-price ratio, can come operational network application program and network service with the server cluster of powerful in function by network, any one user can obtain by suitable internet access facility the network service of high performance-price ratio.
The internet worm problem that the present invention utilizes the cloud computing framework to solve in the network has embodied new approaches that ensure information security cybertimes, and it has merged emerging technology and the concepts such as associated treatment, Distributed Calculation, data mining.
At first at the multiple Anti-Virus Engine of cloud computing cluster server end deploy, different Anti-Virus Engines lays particular emphasis on respectively dissimilar internet worms to the method; Server is divided into a plurality of defence zone according to the engine of installing on it with server cluster, selects in addition a server node as the door node of user terminal access cluster server;
The major function of server end is that the Internet resources that the user asks for are detected filtration, virus sweep and system upgrade by many Anti-Virus Engines, when user terminal obtained network by networking client software, the Anti-Virus Engine of reliance server end replaced own defending against network virus.
The Alliance Defense method may further comprise the steps:
Step 1. user terminal at first mails to network resources address the door node of cluster server end,
Harmful resources bank in a continuous renewal of cluster server end maintenance has comprised the relevant informations such as malicious websites, malicious file; If the system discovery user wishes that the resource address that obtains is comprised in harmful resources bank, send a warning information to the user at once, and whether the inquiry user determines will continue to obtain this resource; , the user finishes this session if abandoning; If user selection continues to obtain this resource, or this resource address does not have danger, then changes step over to 2.;
Step is the system server website that access is correlated with according to resource address 2.,
Step 3. system server is obtained the network of relation resource,
Step 4. system server terminal is carried out the parallel detection of many Anti-Virus Engines to resource at once after getting access to Internet resources, soon resource is dispatched to simultaneously on the regional server node of a plurality of defence and detects; If the server node in these defence zones all detects this resource without any safety problem, be about to resource and be sent to user's reception; If wherein at least one regional server node detects this resource and has safety problem, as has comprised the internet worms such as worm, wooden horse, then send a warning information to the user at once, and whether the inquiry user determines will continue to obtain this resource;
, the user finishes this session if abandoning; If user selection continues to obtain this resource, then attempt removing the internet worm in the resource, if remove successfully and then clean resource sent to the user, if server can't be removed, then submit at once virus to report to the viral report database of server end, leave the relevant unit that is responsible for solution internet worm problem for and carry out analyze and solve, simultaneously the information such as this resource address are write in harmful resources bank, and inquire again whether the user determines to receive this resource; , the user finishes this session if abandoning; If user selection continues to obtain this resource, then this resource is sent to this user, and give the alarm to other user terminal of system.
No longer only rely on virus base in the user terminal local hard drive based on identification and killing virus in the internet worm Alliance Defense method of many Anti-Virus Engines, but rely on huge system for cloud computing service, gather in real time, analyze, the whole fast upgrading of processing and network system, the internet worm that constantly occurs with collaborative antagonism.Whole network has just formed huge " an internet worm Alliance Defense system ", and server end is responsible for assisting even is replaced user terminal to concentrate defending against network virus.
At cluster server end deploy multiclass anti-viral software or the multiple Anti-Virus Engine of cloud computing system, different anti-viral softwares or engine lay particular emphasis on respectively the various rogue programs such as wooden horse, virus, worm, spy's part, game steal-number or password theft program.Cluster server is divided into a plurality of defence zones according to the engine of installing on it with server cluster.Select in addition a server node as the door node of user terminal access cluster server.Also corresponding anti-viral software can be installed independently on the user terminal computer, therefore the difference according to the anti-viral software of installing also is divided into user terminal computer a plurality of Virtual Organization.Sometimes, user terminal computer can be installed a plurality of anti-viral softwares that do not conflict mutually; Also can select not install any anti-viral software, the defense work that is about to internet worm is transferred to server fully and is brought in and finish.
The major function of server end is that Internet resources are detected filtration, virus sweep and system upgrade by many Anti-Virus Engines, in addition, also need catch the virus report of submitting to analysis user; The user terminal of enormous amount can be to the rogue program that occurs on the Internet, and there is the sensitiveest perception dangerous website, so its major function is in time the internet worm of discovery or the abnormal conditions of system to be submitted to server end.
Beneficial effect: the internet worm Alliance Defense method based on many Anti-Virus Engines of the present invention can reach following beneficial effect:
(1) internet worm is defendd more comprehensively, and systems approach effectively forms and has complementary advantages each viroid in the more effective solution network by at the integrated many Anti-Virus Engines of server end
(2) alleviated the burden of user side, the user side poison defence software Gains resources of just can surfing the Net that can uneasiness pretends to be sick.
(3) the Antivirus system upgrading is more prone to, and can improve by the Antivirus program of concentrating the upgrade server end virus defense ability of network system.
Description of drawings
Fig. 1 is cluster server subregion schematic diagram.
Fig. 2 is based on the internet worm Alliance Defense method workflow schematic diagram of many Anti-Virus Engines.
Embodiment
Key based on the internet worm Alliance Defense method of many Anti-Virus Engines is at cloud computing cluster server end deploy multiclass anti-viral software or multiple Anti-Virus Engine, and different anti-viral softwares or engine lay particular emphasis on respectively the various rogue programs such as wooden horse, virus, worm, spy's part, game steal-number or password theft program.
1, cluster server subregion
Suppose this 5 cover Anti-Virus Engine of existing A, B, C, D and E, server is divided into A, B, C, D, 5 defence zones of E according to the Anti-Virus Engine of installing on it with server cluster, as shown in Figure 1.Select in addition a server node as the door node of user terminal access cluster server.
2, user terminal computer grouping
Also corresponding anti-viral software can be installed independently on the user terminal computer of cloud computing environment, therefore the difference according to the anti-viral software of installing also is divided into user terminal computer a plurality of Virtual Organization, the user of the purpose different grouping of grouping can corresponding different subregions cluster server, be responsible for renewal user terminal anti-viral software by the server of the identical Anti-Virus Engine of employing of correspondence.User terminal also can select not install any anti-viral software, and the defense work that is about to internet worm is transferred to server fully and brought in and finish.
The major function of server end is that Internet resources are detected filtration, virus sweep and system upgrade by many Anti-Virus Engines, in addition, also need catch the virus report of submitting to analysis user; The rogue program of the user terminal of enormous amount to occurring on the Internet, there is the sensitiveest perception dangerous website, so its major function is in time internet worm or the abnormal conditions of system found to be submitted to server end and other user terminal.Particularly the accessing user terminal to network according to anti-viral software does not pass through browser, FTP (File Transfer Protocol in this locality when user terminal, file transfer protocol (FTP)) or P2P (Peer-to-Peer computing, equity is calculated) etc. client software when obtaining the various resource such as webpage, video, software, Anti-Virus Engine that can the reliance server end replaces own defending against network virus, system can be according to following works, as shown in Figure 2:
1. user terminal at first mails to the resource address such as the URL of Internet resources (Uniform Resource Locator, URL(uniform resource locator) are used to specify the method for expressing of information position on the web services program) the door node of cluster server end.
Harmful resources bank in a continuous renewal of cluster server end maintenance has comprised the relevant informations such as malicious websites, malicious file.If the system discovery user wishes that the resource address that obtains is comprised in harmful resources bank, send a warning information to the user at once, and whether the inquiry user determines will continue to obtain this resource., the user finishes this session if abandoning; If user selection continues to obtain this resource, or this resource address does not have danger, then changes step over to 2..
2. system server is according to the relevant website of resource address access, and 3. system server obtains the network of relation resource.
4. system server terminal is carried out the parallel detection of many Anti-Virus Engines to resource at once after getting access to Internet resources, is about to detect on the server node that resource is dispatched to A, B, C, D, 5 defence zones of E simultaneously.If the server node in A, B, C, D, 5 defence zones of E all detects this resource without any safety problem, be about to resource and be sent to user's reception, referring to the step among the figure 5.; If wherein at least one regional server node detects this resource and has safety problem, as has comprised the internet worms such as worm, wooden horse, then send a warning information to the user at once, and whether the inquiry user determines will continue to obtain this resource.
, the user finishes this session if abandoning; If user selection continues to obtain this resource, then attempt removing the internet worm in the resource, successfully then clean resource is sent to user's (referring to the step among the figure 5.) if remove, if server can't be removed, then submit at once virus to report to the viral report database of server end, leave the relevant unit that is responsible for solution internet worm problem for and carry out analyze and solve, simultaneously the information such as this resource address are write in harmful resources bank, and inquire again whether the user determines to receive this resource., the user finishes this session if abandoning; If user selection continues to obtain this resource, then this resource is sent to this user (referring to the step among the figure 5.), and give the alarm to other user terminal of system.
Particularly, the mode that this method can software realizes.In order to make the software systems of using the method have general applicability, namely can either be applicable to server end, can be applicable to various clients again, internet worm Alliance Defense software systems based on many Anti-Virus Engines should adopt the JAVA language with cross-platform characteristic to make up, and based on the Eclipse development platform, harmful resources bank that the cluster server end is safeguarded then adopts the MySQL Database Systems to realize.This software is comprised of server end module and user side module.In order be simultaneously to wait service for a plurality of users provide virus detections, system must can support multi-user, Multi-task Concurrency operation, and server OS employing linux system, employing multithreading are implemented in and being connected of a plurality of user nodes.

Claims (1)

1. internet worm Alliance Defense method based on many Anti-Virus Engines is characterized in that at first at the multiple Anti-Virus Engine of cloud computing cluster server end deploy, different Anti-Virus Engines lays particular emphasis on respectively dissimilar internet worms; Server is divided into a plurality of defence zone according to the engine of installing on it with server cluster, selects in addition a server node as the door node of user terminal access cluster server;
The major function of server end is that the Internet resources that the user asks for are detected filtration, virus sweep and system upgrade by many Anti-Virus Engines, when user terminal obtained network by networking client software, the Anti-Virus Engine of reliance server end replaced own defending against network virus;
The Alliance Defense method may further comprise the steps:
Step 1. user terminal at first mails to network resources address the door node of cluster server end,
Harmful resources bank in a continuous renewal of cluster server end maintenance has comprised malicious websites, malicious file relevant information; If the system discovery user wishes that the resource address that obtains is comprised in harmful resources bank, send a warning information to the user at once, and whether the inquiry user determines will continue to obtain this resource; , the user finishes this session if abandoning; If user selection continues to obtain this resource, or this resource address does not have danger, then changes step over to 2.;
Step is the system server website that access is correlated with according to resource address 2.,
Step 3. system server is obtained the network of relation resource,
Step 4. system server terminal is carried out the parallel detection of many Anti-Virus Engines to resource at once after getting access to Internet resources, soon resource is dispatched to simultaneously on the regional server node of a plurality of defence and detects; If the server node in these defence zones all detects this resource without any safety problem, be about to resource and be sent to user's reception; If wherein at least one regional server node detects this resource and has safety problem, comprised worm, wooden horse internet worm, then send a warning information to the user at once, and whether the inquiry user determines will continue to obtain this resource;
, the user finishes this session if abandoning; If user selection continues to obtain this resource, then attempt removing the internet worm in the resource, if remove successfully and then clean resource sent to the user, if server can't be removed, then submit at once virus to report to the viral report database of server end, leave the relevant unit that is responsible for solution internet worm problem for and carry out analyze and solve, simultaneously this resource address information is write in harmful resources bank, and inquire again whether the user determines to receive this resource; , the user finishes this session if abandoning; If user selection continues to obtain this resource, then this resource is sent to this user, and give the alarm to other user terminal of system.
CN 201010158969 2010-04-27 2010-04-27 Multi anti-virus engine-based network virus joint defense method Expired - Fee Related CN101827104B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010158969 CN101827104B (en) 2010-04-27 2010-04-27 Multi anti-virus engine-based network virus joint defense method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010158969 CN101827104B (en) 2010-04-27 2010-04-27 Multi anti-virus engine-based network virus joint defense method

Publications (2)

Publication Number Publication Date
CN101827104A CN101827104A (en) 2010-09-08
CN101827104B true CN101827104B (en) 2013-01-02

Family

ID=42690805

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010158969 Expired - Fee Related CN101827104B (en) 2010-04-27 2010-04-27 Multi anti-virus engine-based network virus joint defense method

Country Status (1)

Country Link
CN (1) CN101827104B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101977188A (en) * 2010-10-14 2011-02-16 中国科学院计算技术研究所 Malicious program detection system
CN107016287A (en) * 2010-11-19 2017-08-04 北京奇虎科技有限公司 A kind of method of safe web browsing, browser, server and computing device
CN102123396B (en) * 2011-02-14 2014-08-13 恒安嘉新(北京)科技有限公司 Cloud detection method of virus and malware of mobile phone based on communication network
CN102148712B (en) * 2011-04-21 2014-05-14 天讯天网(福建)网络科技有限公司 Cloud computing-based service management system
CN102254120B (en) 2011-08-09 2014-05-21 华为数字技术(成都)有限公司 Method, system and relevant device for detecting malicious codes
CN102970272B (en) * 2011-09-01 2015-05-20 腾讯科技(深圳)有限公司 Method, device and cloud server for detesting viruses
CN102346828A (en) * 2011-09-20 2012-02-08 海南意源高科技有限公司 Malicious program judging method based on cloud security
CN102419803B (en) * 2011-11-01 2014-12-03 华为数字技术(成都)有限公司 Method, system and device for searching and killing computer virus
CN102694820B (en) * 2012-06-13 2015-01-21 华为技术有限公司 Processing method of signature rule, server and intrusion defending system
CN103036745A (en) * 2012-12-21 2013-04-10 北京邮电大学 Anomaly detection system based on neural network in cloud computing
CN104008331A (en) * 2013-02-21 2014-08-27 腾讯科技(深圳)有限公司 Access method, device and system of malicious web
CN103632094B (en) * 2013-11-04 2017-11-14 天津汉柏信息技术有限公司 A kind of cloud computing big data uploads virus defense system
CN103679026B (en) * 2013-12-03 2016-11-16 西安电子科技大学 Rogue program intelligence system of defense under a kind of cloud computing environment and defence method
CN104123501B (en) * 2014-08-06 2017-11-07 厦门大学 A kind of viral online test method based on many assessor set
CN107864677B (en) * 2015-07-22 2022-05-27 爱维士软件有限责任公司 Content access authentication system and method
CN108566396B (en) * 2018-04-20 2021-11-09 成都亚信网络安全产业技术研究院有限公司 Dead wood creep treatment method and system
CN111159708B (en) * 2019-12-02 2022-08-19 中国建设银行股份有限公司 Apparatus, method and storage medium for detecting web Trojan horse in server

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1725759A (en) * 2004-07-21 2006-01-25 微软公司 Containment of worms
CN101582887A (en) * 2009-05-20 2009-11-18 成都市华为赛门铁克科技有限公司 Safety protection method, gateway device and safety protection system
CN101656632A (en) * 2008-08-21 2010-02-24 中国建设银行股份有限公司 Virus monitoring method and virus monitoring device in large network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7854007B2 (en) * 2005-05-05 2010-12-14 Ironport Systems, Inc. Identifying threats in electronic messages

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1725759A (en) * 2004-07-21 2006-01-25 微软公司 Containment of worms
CN101656632A (en) * 2008-08-21 2010-02-24 中国建设银行股份有限公司 Virus monitoring method and virus monitoring device in large network
CN101582887A (en) * 2009-05-20 2009-11-18 成都市华为赛门铁克科技有限公司 Safety protection method, gateway device and safety protection system

Also Published As

Publication number Publication date
CN101827104A (en) 2010-09-08

Similar Documents

Publication Publication Date Title
CN101827104B (en) Multi anti-virus engine-based network virus joint defense method
US11151258B2 (en) System and method for identifying network security threats and assessing network security
US20200259858A1 (en) Identifying security actions based on computing asset relationship data
US10826872B2 (en) Security policy for browser extensions
US9628508B2 (en) Discovery of suspect IP addresses
CN108353079B (en) Detection of cyber threats against cloud-based applications
US9942270B2 (en) Database deception in directory services
JP2021114332A (en) Reactive and preemptive security system for protecting computer network and system
US9027128B1 (en) Automatic identification of malicious budget codes and compromised websites that are employed in phishing attacks
CN104580249B (en) A kind of compacted network analysis method of deadlock wood and system based on log
WO2015200308A1 (en) Entity group behavior profiling
US20160366176A1 (en) High-level reputation scoring architecture
Wang et al. NetSpy: Automatic generation of spyware signatures for NIDS
US11785044B2 (en) System and method for detection of malicious interactions in a computer network
Maroofi et al. Are you human? resilience of phishing detection to evasion techniques based on human verification
Kurniawan et al. Detection and analysis cerber ransomware based on network forensics behavior
Akiyama et al. Active credential leakage for observing web-based attack cycle
US9111092B2 (en) Security event management apparatus, systems, and methods
CN112583841B (en) Virtual machine safety protection method and system, electronic equipment and storage medium
Park et al. How to design practical client honeypots based on virtual environment
Nagaonkar et al. Finding the malicious URLs using search engines
Vyawahare et al. Survey on Detection and Prediction Techniques of Drive-by Download Attack in OSN
Ali et al. Wireshark window authentication based packet captureing scheme to pervent DDoS related security issues in cloud network nodes
Alhomoud et al. A next-generation approach to combating botnets
Fujii et al. Stargazer: Long-Term and Multiregional Measurement of Timing/Geolocation-Based Cloaking

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130102

Termination date: 20150427

EXPY Termination of patent right or utility model