CN101827104B - Multi anti-virus engine-based network virus joint defense method - Google Patents
Multi anti-virus engine-based network virus joint defense method
- Publication number
- CN101827104B (application CN 201010158969 / CN201010158969A)
- Authority
- CN
- China
- Prior art keywords
- virus
- resource
- user
- server
- network
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Computer And Data Communications (AREA)
Abstract
The invention discloses a multi anti-virus engine-based network virus joint defense method. In the method, multiple anti-virus engines are integrated on the cluster servers of a cloud computing system to assist, or even replace, the user terminal in defending against network viruses, so that the network system can resist network virus attacks faster and more effectively. At present the spread, infection and attack problems caused by viruses on networks are becoming more and more serious, and the main means of defending against network viruses remains anti-virus software. The invention provides a multi anti-virus engine-based network virus joint defense method that is applicable to both the Internet and intranets. The method comprises the following steps: deploying multiple anti-virus engines on the cluster servers of a cloud computing system, where different anti-virus engines focus on different types of network viruses; dividing the server cluster into a plurality of defense zones according to the engines installed on the servers; and selecting one server node as the gateway node through which user terminals access the cluster servers.
Description
Technical field
The present invention relates to a network virus joint defense method based on multiple anti-virus engines that can be adopted in Internet- or intranet-based network computing environments to improve the ability of each host node to defend against network viruses. The technique lies at the intersection of distributed computing, information security, computer networking and computer software.
Background technology
Network viruses include computer viruses, network worms, backdoor Trojans, spyware and the like. The resource sharing and communication capabilities that make networks valuable also provide a natural breeding ground for the spread, infection and destructive activity of network viruses. Network viruses that propagate through networks, in particular the Internet and its application systems, have a wide reach and broad coverage, and within a short time can cause network congestion or even paralysis, loss of shared resources and theft of confidential information, resulting in enormous losses.
At present the main means of defending against network viruses are patching system vulnerabilities (installing patches) and anti-virus software. Anti-virus software commonly integrates real-time monitoring and identification, virus scanning and removal, automatic updating and data recovery, and has become an important component of computer and network defense systems (alongside firewalls, intrusion detection and intrusion prevention systems).
However, present anti-virus software must essentially first discover and confirm a network virus before it can guard against it, and it suffers from a series of problems:
(1) It cannot effectively handle the ever-increasing number of malicious programs; most anti-virus software lags behind the creation and spread of network viruses, and the signature database detection method most commonly used today is clearly out of date;
(2) The malicious program defense strategy most commonly adopted today is simple multi-machine defense, that is, one copy of anti-virus software that identifies and kills malicious programs is installed on every computer and relies mainly on the virus database on the local hard disk, which is weak in strength;
(3) There are many kinds of anti-virus software, each with its own emphasis; although the field has progressed from single-point defense to fixed-point gateway scanning at the network level, generally only one anti-virus product is installed on the gateway or computer responsible for defense, so it is usually difficult to defend effectively against the full range of network viruses;
(4) In recent years more and more network viruses attack the anti-virus software itself; although most present anti-virus software has a self-protection function, there are still network viruses that can terminate the anti-virus software's processes, paralysing it so that it can no longer protect the host.
In view of the increasingly serious problems of network virus spread, infection and attack, the present invention proposes a network virus joint defense method based on multiple anti-virus engines that is applicable to both the Internet and intranets.
Summary of the invention
Technical problem: the problems of virus spread, infection and attack on networks are becoming more and more serious, and the main means of defending against network viruses remains anti-virus software. However, present anti-virus software lags behind the threat and is not comprehensive, among other problems, so it cannot defend effectively against network viruses. Different anti-virus engines have different areas of emphasis and are complementary. The present invention proposes a network virus joint defense method based on multiple anti-virus engines that is applicable to both the Internet and intranets.
Technical solution: the present invention proposes a network virus joint defense method based on multiple anti-virus engines, applicable to both the Internet and intranets, whose main idea is to use the cluster servers of a cloud computing system to integrate multiple anti-virus engines that assist, or even replace, the user terminal in defending against network viruses, so that the network system can resist network virus attacks faster and more effectively.
Cloud computing distributes computation tasks over a resource pool formed by a server cluster of a large number of computers, so that various application systems can obtain the services they need on demand. It generally has the following three characteristics: the hardware infrastructure is built on a large-scale cluster of low-cost servers; applications and the underlying services are developed together so as to make the fullest use of resources; and high availability is obtained in software through redundancy among the many low-cost servers. A network application system built with cloud computing technology on a cluster of cost-effective computers can run network applications and network services on a powerful server cluster reachable over the network, and any user with suitable Internet access can obtain cost-effective network services.
Using the cloud computing architecture to solve the network virus problem embodies a new approach to ensuring information security in the network era; it merges emerging technologies and concepts such as cooperative processing, distributed computing and data mining.
The method first deploys multiple anti-virus engines on the cluster servers of the cloud computing system, with different anti-virus engines focusing on different types of network viruses. The server cluster is divided into a plurality of defense zones according to the engines installed on the servers, and in addition one server node is selected as the gateway node through which user terminals access the cluster servers.
The main function of the server side is to detect and filter the network resources requested by users with the multiple anti-virus engines, remove viruses and perform system updates; when a user terminal obtains network resources through network client software, it relies on the anti-virus engines of the server side to defend against network viruses in its place.
The joint defense method comprises the following steps:
Step 1. The user terminal first sends the network resource address to the gateway node of the cluster server side.
The cluster server side maintains a continuously updated harmful resource library that contains information such as malicious websites and malicious files. If the system finds that the resource address the user wishes to obtain is contained in the harmful resource library, it immediately sends a warning message to the user and asks whether the user wants to continue obtaining the resource. If the user gives up, the session ends; if the user chooses to continue obtaining the resource, or the resource address is not dangerous, proceed to step 2.
Step 2. The system server accesses the relevant website according to the resource address.
Step 3. The system server obtains the relevant network resource.
Step 4. Immediately after obtaining the network resource, the system server performs parallel detection of the resource with the multiple anti-virus engines, that is, it dispatches the resource simultaneously to the server nodes of the plurality of defense zones for detection. If the server nodes of all the defense zones detect no security problem in the resource, the resource is sent to the user. If the server node of at least one zone detects a security problem in the resource, for example that it contains a network virus such as a worm or Trojan, a warning message is sent to the user immediately and the user is asked whether to continue obtaining the resource.
If the user gives up, the session ends. If the user chooses to continue obtaining the resource, an attempt is made to remove the network virus from the resource; if removal succeeds, the cleaned resource is sent to the user. If the server cannot remove it, a virus report is submitted immediately to the virus report database of the server side and left to the unit responsible for solving network virus problems to analyse and resolve; at the same time, information such as the resource address is written into the harmful resource library, and the user is asked again whether to receive the resource. If the user gives up, the session ends; if the user chooses to continue obtaining the resource, the resource is sent to that user and an alarm is raised to the other user terminals of the system.
The network virus joint defense method based on multiple anti-virus engines no longer relies only on the virus database on the user terminal's local hard disk to identify and kill viruses; instead it relies on a large cloud computing service system that collects, analyses and processes in real time and rapidly upgrades the whole network system, so as to resist cooperatively the network viruses that keep appearing. The whole network thus forms a large "network virus joint defense system" in which the server side is responsible for assisting, or even replacing, user terminals in defending centrally against network viruses.
Multiple kinds of anti-virus software or multiple anti-virus engines are deployed on the cluster servers of the cloud computing system; different anti-virus software or engines focus respectively on various malicious programs such as Trojans, viruses, worms, spyware, game account theft or password theft programs. The server cluster is divided into a plurality of defense zones according to the engines installed on its servers, and one server node is selected as the gateway node through which user terminals access the cluster servers. Corresponding anti-virus software can also be installed independently on user terminal computers, so user terminal computers are likewise divided into a number of virtual organisations according to the anti-virus software installed. A user terminal computer may sometimes install several anti-virus products that do not conflict with one another; it may also choose to install no anti-virus software at all, in which case the work of defending against network viruses is handed over entirely to the server side.
The main functions of the server side are to detect and filter network resources with the multiple anti-virus engines, remove viruses and perform system updates; in addition it must collect and analyse the virus reports submitted by users. The huge number of user terminals have the most sensitive perception of malicious programs appearing on the Internet and of dangerous websites, so their main function is to submit to the server side, in a timely manner, the network viruses they discover or abnormal conditions of the system.
Beneficial effects: the network virus joint defense method based on multiple anti-virus engines of the present invention can achieve the following beneficial effects:
(1) Network viruses are defended against more comprehensively; by integrating multiple anti-virus engines on the server side, the method combines their complementary strengths and handles each class of virus in the network more effectively.
(2) The burden on the user side is relieved; the user side can access the network and obtain resources without installing virus defense software.
(3) Upgrading the anti-virus system is easier; the virus defense capability of the network system can be improved by centrally upgrading the anti-virus programs on the server side.
Description of drawings
Fig. 1 is a schematic diagram of the cluster server partitioning.
Fig. 2 is a schematic workflow diagram of the network virus joint defense method based on multiple anti-virus engines.
Embodiment
The key to the network virus joint defense method based on multiple anti-virus engines is deploying multiple kinds of anti-virus software or multiple anti-virus engines on the cluster servers of the cloud computing system, with different anti-virus software or engines focusing respectively on various malicious programs such as Trojans, viruses, worms, spyware, game account theft or password theft programs.
1. Cluster server partitioning
Suppose there are five anti-virus engines, A, B, C, D and E. The server cluster is divided into five defense zones, A, B, C, D and E, according to the anti-virus engine installed on each server, as shown in Fig. 1. In addition one server node is selected as the gateway node through which user terminals access the cluster servers.
2. User terminal computer grouping
Corresponding anti-virus software can also be installed independently on the user terminal computers in the cloud computing environment, so the user terminal computers are likewise divided into a number of virtual organisations according to the anti-virus software installed. The purpose of the grouping is that users in different groups correspond to different partitions of the cluster server, and the server that runs the same anti-virus engine is responsible for updating the anti-virus software of the corresponding user terminals. A user terminal may also choose to install no anti-virus software, in which case the work of defending against network viruses is handed over entirely to the server side.
The main functions of the server side are to detect and filter network resources with the multiple anti-virus engines, remove viruses and perform system updates; in addition it must collect and analyse the virus reports submitted by users. The huge number of user terminals have the most sensitive perception of malicious programs appearing on the Internet and of dangerous websites, so their main function is to submit to the server side and to the other user terminals, in a timely manner, the network viruses they discover or abnormal conditions of the system. In particular, when a user terminal has no local anti-virus software and accesses the network through client software such as a browser, FTP (File Transfer Protocol) or P2P (peer-to-peer computing) to obtain resources such as web pages, video and software, it can rely on the anti-virus engines of the server side to defend against network viruses in its place, and the system then works as follows (see Fig. 2):
1. The user terminal first sends the resource address, such as the URL (Uniform Resource Locator, the notation used to specify the location of information on a web service) of the network resource, to the gateway node of the cluster server side.
The cluster server side maintains a continuously updated harmful resource library that contains information such as malicious websites and malicious files. If the system finds that the resource address the user wishes to obtain is contained in the harmful resource library, it immediately sends a warning message to the user and asks whether the user wants to continue obtaining the resource. If the user gives up, the session ends; if the user chooses to continue obtaining the resource, or the resource address is not dangerous, proceed to step 2.
2. The system server accesses the relevant website according to the resource address, and 3. the system server obtains the relevant network resource.
4. Immediately after obtaining the network resource, the system server performs parallel detection of the resource with the multiple anti-virus engines, that is, it dispatches the resource simultaneously to the server nodes of the five defense zones A, B, C, D and E for detection. If the server nodes of all five zones detect no security problem in the resource, the resource is sent to the user (step 5 in the figure). If the server node of at least one zone detects a security problem in the resource, for example that it contains a network virus such as a worm or Trojan, a warning message is sent to the user immediately and the user is asked whether to continue obtaining the resource.
If the user gives up, the session ends. If the user chooses to continue obtaining the resource, an attempt is made to remove the network virus from the resource; if removal succeeds, the cleaned resource is sent to the user (step 5 in the figure). If the server cannot remove it, a virus report is submitted immediately to the virus report database of the server side and left to the unit responsible for solving network virus problems to analyse and resolve; at the same time, information such as the resource address is written into the harmful resource library, and the user is asked again whether to receive the resource. If the user gives up, the session ends; if the user chooses to continue obtaining the resource, the resource is sent to that user (step 5 in the figure) and an alarm is raised to the other user terminals of the system.
In particular, the method can be implemented in software. So that the software system applying the method is generally applicable, that is, usable both on the server side and on various clients, the network virus joint defense software system based on multiple anti-virus engines should be built in the cross-platform Java language on the Eclipse development platform, and the harmful resource library maintained by the cluster server side should be implemented with the MySQL database system. The software consists of a server-side module and a user-side module. To provide virus detection and other services for several users at the same time, the system must support multi-user, multi-task concurrent operation; the server operating system is Linux, and multithreading is used to implement the connections with multiple user nodes.
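The gateway-node workflow of steps 1 to 5 above (harmful resource library check, server-side fetch, parallel multi-zone detection, cleaning attempt, virus report, blacklisting and alarm), as an added example that is not part of the patent. The patent calls for a Java/MySQL/Linux implementation; this is a stand-alone Python simulation of the same decision logic. The three zone engines, their signature markers, the offline "web" and the scripted user answers are constructed stand-ins: a real deployment would invoke actual anti-virus engines on the zone servers and keep the two libraries in a database.

```python
"""Simulation of the multi-engine joint defense workflow (example code, not the patent's)."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Engine:
    """One defense zone: a server node running one anti-virus engine (constructed)."""
    zone: str                                   # e.g. "A"
    focus: str                                  # malware class the zone specialises in
    detect: Callable[[bytes], Optional[str]]    # threat name, or None if clean
    clean: Callable[[bytes], Optional[bytes]]   # cleaned bytes, or None if it cannot clean


@dataclass
class Cluster:
    """Gateway node state: zone engines, harmful resource library, report DB, alarms."""
    engines: List[Engine]
    harmful_resources: Dict[str, str] = field(default_factory=dict)  # address -> reason
    virus_reports: List[dict] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def scan_parallel(self, data: bytes) -> Dict[str, str]:
        """Step 4: dispatch the resource to every zone at once; return zone -> threat."""
        with ThreadPoolExecutor(max_workers=len(self.engines)) as pool:
            results = list(pool.map(lambda e: (e.zone, e.detect(data)), self.engines))
        return {zone: threat for zone, threat in results if threat}

    def try_clean(self, data: bytes, hits: Dict[str, str]) -> Optional[bytes]:
        """Each zone that flagged the resource tries to remove its threat; the result
        counts as clean only if a full rescan of all zones finds nothing."""
        for engine in self.engines:
            if engine.zone in hits:
                cleaned = engine.clean(data)
                if cleaned is None:
                    return None
                data = cleaned
        return data if not self.scan_parallel(data) else None

    def fetch_for_user(self, address: str, fetch: Callable[[str], bytes],
                       ask_user: Callable[[str], bool]) -> Tuple[str, Optional[bytes]]:
        # Step 1: the address is checked against the harmful resource library first.
        if address in self.harmful_resources:
            if not ask_user(f"warning: {address} is listed as harmful "
                            f"({self.harmful_resources[address]}); continue?"):
                return "abandoned", None
        data = fetch(address)                 # steps 2-3: the server fetches, not the terminal
        hits = self.scan_parallel(data)       # step 4
        if not hits:
            return "clean", data              # step 5: deliver as is
        if not ask_user(f"warning: {address} flagged by zones {sorted(hits)}: {hits}; continue?"):
            return "abandoned", None
        cleaned = self.try_clean(data, hits)
        if cleaned is not None:
            return "cleaned", cleaned         # step 5: deliver the cleaned copy
        # Cannot clean: file a report, blacklist the address, ask once more.
        self.virus_reports.append({"address": address, "threats": hits})
        self.harmful_resources[address] = ", ".join(hits.values())
        if not ask_user(f"{address} cannot be cleaned; receive it anyway?"):
            return "abandoned", None
        self.alerts.append(f"{address} delivered infected: {hits}")  # alarm to other terminals
        return "delivered_infected", data


def _sig_engine(zone: str, focus: str, marker: bytes, can_clean: bool) -> Engine:
    """Constructed signature-marker engine standing in for a real anti-virus engine."""
    return Engine(
        zone, focus,
        detect=lambda d: f"{focus}:{marker.decode()}" if marker in d else None,
        clean=(lambda d: d.replace(marker, b"")) if can_clean else (lambda d: None),
    )


def make_sample_cluster() -> Cluster:
    return Cluster(engines=[
        _sig_engine("A", "worm", b"WORM_SIG", can_clean=True),
        _sig_engine("B", "trojan", b"TROJAN_SIG", can_clean=False),
        _sig_engine("C", "spyware", b"SPY_SIG", can_clean=True),
    ])


# Constructed offline "web": address -> resource bytes.
SAMPLE_WEB = {
    "http://clean.example/page": b"<html>hello</html>",
    "http://wormy.example/tool.exe": b"MZ payload WORM_SIG tail",
    "http://trojan.example/game.exe": b"MZ payload TROJAN_SIG tail",
}


def run_sample(cluster: Cluster, address: str, answers: List[bool]) -> Tuple[str, Optional[bytes]]:
    """Fetch `address` through `cluster`; `answers` scripts the user's yes/no replies in order."""
    replies = iter(answers)
    return cluster.fetch_for_user(address, SAMPLE_WEB.__getitem__, lambda msg: next(replies))


if __name__ == "__main__":
    c = make_sample_cluster()
    for addr in SAMPLE_WEB:
        print(addr, run_sample(c, addr, [True, True, True]))
    print("reports:", c.virus_reports, "alerts:", c.alerts)
```

The point worth noticing is the ordering: the harmful resource library is consulted before anything is fetched, and an address only enters that library after a zone has flagged it and no zone could clean it, so the second request for the Trojan sample is warned about before the server touches the network at all.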
Claims (1)
1. A network virus joint defense method based on multiple anti-virus engines, characterised in that multiple anti-virus engines are first deployed on the cluster servers of a cloud computing system, with different anti-virus engines focusing on different types of network viruses; the server cluster is divided into a plurality of defense zones according to the engines installed on the servers, and in addition one server node is selected as the gateway node through which user terminals access the cluster servers;
the main function of the server side is to detect and filter the network resources requested by users with the multiple anti-virus engines, remove viruses and perform system updates, so that when a user terminal obtains network resources through network client software it relies on the anti-virus engines of the server side to defend against network viruses in its place;
the joint defense method comprises the following steps:
Step 1. The user terminal first sends the network resource address to the gateway node of the cluster server side.
The cluster server side maintains a continuously updated harmful resource library that contains information on malicious websites and malicious files. If the system finds that the resource address the user wishes to obtain is contained in the harmful resource library, it immediately sends a warning message to the user and asks whether the user wants to continue obtaining the resource. If the user gives up, the session ends; if the user chooses to continue obtaining the resource, or the resource address is not dangerous, proceed to step 2.
Step 2. The system server accesses the relevant website according to the resource address.
Step 3. The system server obtains the relevant network resource.
Step 4. Immediately after obtaining the network resource, the system server performs parallel detection of the resource with the multiple anti-virus engines, that is, it dispatches the resource simultaneously to the server nodes of the plurality of defense zones for detection. If the server nodes of all the defense zones detect no security problem in the resource, the resource is sent to the user. If the server node of at least one zone detects a security problem in the resource, namely that it contains a worm or Trojan network virus, a warning message is sent to the user immediately and the user is asked whether to continue obtaining the resource.
If the user gives up, the session ends. If the user chooses to continue obtaining the resource, an attempt is made to remove the network virus from the resource; if removal succeeds, the cleaned resource is sent to the user. If the server cannot remove it, a virus report is submitted immediately to the virus report database of the server side and left to the unit responsible for solving network virus problems to analyse and resolve; at the same time, the resource address information is written into the harmful resource library, and the user is asked again whether to receive the resource. If the user gives up, the session ends; if the user chooses to continue obtaining the resource, the resource is sent to that user and an alarm is raised to the other user terminals of the system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201010158969 CN101827104B (en) | 2010-04-27 | 2010-04-27 | Multi anti-virus engine-based network virus joint defense method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101827104A (en) | 2010-09-08 |
CN101827104B (en), granted | 2013-01-02 |
Family
ID=42690805
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 201010158969 / CN101827104B (en), Expired - Fee Related | 2010-04-27 | 2010-04-27 | Multi anti-virus engine-based network virus joint defense method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101827104B (en) |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101977188A (en) * | 2010-10-14 | 2011-02-16 | 中国科学院计算技术研究所 | Malicious program detection system |
CN107016287A (en) * | 2010-11-19 | 2017-08-04 | 北京奇虎科技有限公司 | Method for safe web browsing, browser, server and computing device |
CN102123396B (en) * | 2011-02-14 | 2014-08-13 | 恒安嘉新(北京)科技有限公司 | Cloud detection method of virus and malware of mobile phone based on communication network |
CN102148712B (en) * | 2011-04-21 | 2014-05-14 | 天讯天网(福建)网络科技有限公司 | Cloud computing-based service management system |
CN102254120B (en) | 2011-08-09 | 2014-05-21 | 华为数字技术(成都)有限公司 | Method, system and relevant device for detecting malicious codes |
CN102970272B (en) * | 2011-09-01 | 2015-05-20 | 腾讯科技(深圳)有限公司 | Method, device and cloud server for detecting viruses |
CN102346828A (en) * | 2011-09-20 | 2012-02-08 | 海南意源高科技有限公司 | Malicious program judging method based on cloud security |
CN102419803B (en) * | 2011-11-01 | 2014-12-03 | 华为数字技术(成都)有限公司 | Method, system and device for searching and killing computer virus |
CN102694820B (en) * | 2012-06-13 | 2015-01-21 | 华为技术有限公司 | Signature rule processing method, server and intrusion prevention system |
CN103036745A (en) * | 2012-12-21 | 2013-04-10 | 北京邮电大学 | Anomaly detection system based on neural network in cloud computing |
CN104008331A (en) * | 2013-02-21 | 2014-08-27 | 腾讯科技(深圳)有限公司 | Access method, device and system of malicious web |
CN103632094B (en) * | 2013-11-04 | 2017-11-14 | 天津汉柏信息技术有限公司 | Virus defense system for big data uploads in cloud computing |
CN103679026B (en) * | 2013-12-03 | 2016-11-16 | 西安电子科技大学 | Intelligent malicious program defense system and defense method in a cloud computing environment |
CN104123501B (en) * | 2014-08-06 | 2017-11-07 | 厦门大学 | Online virus detection method based on multiple detector sets |
CN107864677B (en) * | 2015-07-22 | 2022-05-27 | 爱维士软件有限责任公司 | Content access authentication system and method |
CN108566396B (en) * | 2018-04-20 | 2021-11-09 | 成都亚信网络安全产业技术研究院有限公司 | Method and system for handling botnet, Trojan and worm infections |
CN111159708B (en) * | 2019-12-02 | 2022-08-19 | 中国建设银行股份有限公司 | Apparatus, method and storage medium for detecting web Trojan horse in server |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1725759A (en) * | 2004-07-21 | 2006-01-25 | 微软公司 | Containment of worms |
CN101582887A (en) * | 2009-05-20 | 2009-11-18 | 成都市华为赛门铁克科技有限公司 | Safety protection method, gateway device and safety protection system |
CN101656632A (en) * | 2008-08-21 | 2010-02-24 | 中国建设银行股份有限公司 | Virus monitoring method and virus monitoring device in large network |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7854007B2 (en) * | 2005-05-05 | 2010-12-14 | Ironport Systems, Inc. | Identifying threats in electronic messages |
Timeline: 2010-04-27, application CN 201010158969 filed (patent CN101827104B, not active, Expired - Fee Related).
Also Published As
Publication number | Publication date |
---|---|
CN101827104A (en) | 2010-09-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101827104B (en) | Multi anti-virus engine-based network virus joint defense method | |
US11151258B2 (en) | System and method for identifying network security threats and assessing network security | |
US20200259858A1 (en) | Identifying security actions based on computing asset relationship data | |
US10826872B2 (en) | Security policy for browser extensions | |
US9628508B2 (en) | Discovery of suspect IP addresses | |
CN108353079B (en) | Detection of cyber threats against cloud-based applications | |
US9942270B2 (en) | Database deception in directory services | |
JP2021114332A (en) | Reactive and preemptive security system for protecting computer network and system | |
US9027128B1 (en) | Automatic identification of malicious budget codes and compromised websites that are employed in phishing attacks | |
CN104580249B (en) | Log-based botnet, Trojan and worm network analysis method and system | |
WO2015200308A1 (en) | Entity group behavior profiling | |
US20160366176A1 (en) | High-level reputation scoring architecture | |
Wang et al. | NetSpy: Automatic generation of spyware signatures for NIDS | |
US11785044B2 (en) | System and method for detection of malicious interactions in a computer network | |
Maroofi et al. | Are you human? resilience of phishing detection to evasion techniques based on human verification | |
Kurniawan et al. | Detection and analysis cerber ransomware based on network forensics behavior | |
Akiyama et al. | Active credential leakage for observing web-based attack cycle | |
US9111092B2 (en) | Security event management apparatus, systems, and methods | |
CN112583841B (en) | Virtual machine safety protection method and system, electronic equipment and storage medium | |
Park et al. | How to design practical client honeypots based on virtual environment | |
Nagaonkar et al. | Finding the malicious URLs using search engines | |
Vyawahare et al. | Survey on Detection and Prediction Techniques of Drive-by Download Attack in OSN | |
Ali et al. | Wireshark window authentication based packet captureing scheme to pervent DDoS related security issues in cloud network nodes | |
Alhomoud et al. | A next-generation approach to combating botnets | |
Fujii et al. | Stargazer: Long-Term and Multiregional Measurement of Timing/Geolocation-Based Cloaking |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20130102; Termination date: 20150427 |
| EXPY | Termination of patent right or utility model | |