CN103065088A - System and method for detecting computer security threat based on decision of computer use - Google Patents

Publication number: CN103065088A
Authority: CN (China)
Prior art keywords: user, computer, role, software, information
Legal status: Granted
Application number: CN2012103522697A
Other languages: Chinese (zh)
Other versions: CN103065088B (en)
Inventors: 安德烈·P·多克瓦罗夫, 安东·V·季霍米罗夫
Current Assignee: Kaspersky Lab AO
Original Assignee: Kaspersky Lab AO
Application filed by Kaspersky Lab AO
Publication of CN103065088A
Application granted
Publication of CN103065088B
Legal status: Active

Abstract

Disclosed are a system, a method and a computer program product for detecting unknown security threats. In one embodiment, the system receives, from an anti-virus application installed on a user's computer, information about an unknown security event related to software executed on that computer, together with the user's verdict indicating whether the software is harmful or harmless. The system identifies the user and the user's role; the role indicates the user's level of expertise in the field of computer security. If the user has a high level of expertise in computer security, the system accepts the user's verdict; if the user has a low level of expertise, the system analyzes the security event information to verify whether the user's verdict is correct. If the verdict is accepted or verified as correct, the system updates the anti-virus database associated with the anti-virus application.

Description

System and method for detecting computer security threats based on computer user verdicts
Technical field
The present invention relates generally to the field of computer security, and specifically to systems, methods and computer program products for detecting computer security threats based on the verdicts of computer users.
Background technology
Recently, more and more information technology companies have been researching cloud computing technology to meet their needs for web hosting and for data storage and processing. Cloud computing means data processing in which the required computing power is provided in the form of an Internet service. The cloud computing client therefore does not need to worry about infrastructure; that is handled by the service provider. On the one hand, this is a very convenient tool for the home user, who does not need to deal with complicated software and hardware interfaces; on the other hand, these responsibilities have been transferred to the provider.
Cloud data processing means the distributed processing of various data types at various levels. In one case it can mean providing hardware and system software for use (infrastructure as a service). In other cases a whole platform is provided for developing, testing and supporting applications (platform as a service). At present one of the most common options is the provision of software as a service. Other trends, in which some abstraction is provided together with hardware and software as an extensible service, are also developing. For simplicity, hereinafter we will refer to cloud data processing as a "cloud service".
At present there are many different cloud computing options. For example, Google Apps allows various types of documents to be edited online using only a web browser, with the data stored on Google servers. The latest Google development, the Chrome operating system (OS), also uses the browser as the key tool for accessing other resources, with the aim of reducing the load on the client computer (for example a netbook), since the whole infrastructure is located on the server, and of achieving good reliability and fast start-up. Another good example of cloud computing is the OnLive platform, which processes all game data on the server and sends it to the client in multimedia form, allowing the latest computer games to be enjoyed in real time even on computers with very limited hardware capabilities (such as a netbook or tablet). Microsoft is currently developing its Azure platform for creating distributed web applications. The operating principle of the platform is to solve the problems of scaling and resource access in exchange for a network fee (subscription fee) for the resources used.
Fig. 1 shows a high-level diagram of the cloud service described above. Cloud service 120 is shown with software and hardware resources 110, which can be requested by personal computers (PC) 100. This model is currently being actively developed and, as mentioned above, it places significant responsibility on the provider of cloud service 120: responsibilities associated with issues such as user data security and safety, and with the flexible expansion of the software and hardware resources 110 provided.
Considering the advantages of cloud computing, it is not surprising that it attracts the interest of anti-virus software companies, which have recently seen the number of threats grow beyond all conceivable limits. Hereinafter, a threat means any malicious software, such as Trojan horses, network worms, viruses and other unwanted software, as well as links to web pages containing malicious or other unwanted software, exploitation of software vulnerabilities, and so on. Unwanted software can include crimeware, spyware and software that blocks data or the operability of the computer (ransomware). Fig. 2 shows the growth in the number of new unique malicious files intercepted and analyzed by Kaspersky Lab ZAO. This growth is clearly exponential, and the number is determined by several recently emerged causes. At the same time, the capacity of anti-virus companies for handling new threats, both hardware and staff (virus analysts), is very limited and cannot grow at the same pace as the number of threats. One reason for the growth in the amount of new unique malware is the great development of telecommunications, including the corresponding rapid growth of the Internet and of its number of users. This in turn stimulates the development of various web-based online services: online banking, virtual money (for example WebMoney), live journals and blogging, and the migration of much software to the web (the already mentioned Google Apps is a good example). Correspondingly, the current generation of cybercriminals actively uses these developments, in the form of malware intended for web attacks that steal and extort money. Recently their activity has affected not only banking (so-called banking Trojans) but has also expanded to hacking popular online game accounts and to extortion using Trojan-Ransom software. Several factors help them succeed and contribute to the growth of malware shown in Fig. 2: many online services are insufficiently secure, in many countries Internet crime law is lacking or entirely absent, and computer users are sometimes simply ignorant of the basics of computer security.
It should be acknowledged that the existing malware protection methods, represented by signature and heuristic detection, have in fact exhausted their potential. Heuristic analysis is based on searching for specific features characteristic of malware (code segments, certain registry keys, file names or processes), but debugging each heuristic scanning scenario takes a great deal of time and always carries a risk of error (false-positive detections). The efficiency of current heuristic detection methods stays at 60 ~ 70%, and this is in fact the maximum possible level.
Traditional signature analysis still allows malware to be identified quickly and accurately, but only when the malware is already known. Signatures are updated constantly (at present, hourly), and this has an obvious negative side: as shown in Fig. 3, such protection gives malware a certain amount of time to propagate according to its own nature. From the moment malware is released until the anti-virus company obtains a sample of it (usually an executable file), analyzes it, detects its malicious behavior, adds it to the signature database and tests the update before distributing it to the anti-virus servers, a few hours or even a few days may pass. The whole process may take several hours, sometimes a few days, and the situation is constantly deteriorating because not all malware detection steps can be automated.
At present the anti-virus protection industry is actively developing other detection methods based on different principles. Symantec's technology is based on the so-called Wisdom of the Crowd, which uses a reputation for unknown executable files. This reputation is created by users, who manually determine the degree of danger a file represents. This is not a new idea: James Surowiecki's book "The Wisdom of Crowds" presents a theory based on the interesting fact that a large number of non-experts can make better decisions than an expert. Thus, the more users "vote" a file malicious, the higher the "malicious" reputation assigned to that file. On the one hand this allows reliance on the majority opinion, but at the same time, because most users are not computer security experts and may therefore make wrong decisions, this element becomes a source of error, which may lead to the blocking of non-malicious software. In addition, most malware belongs to the Trojan horse type, that is, programs that "imitate" safe and useful programs, so that inexperienced users easily trust them. If a common program such as the calculator (calc.exe) is infected by a virus, a home user without sufficient expertise cannot reach the correct conclusion.
Another technology, such as McAfee's Artemis, provides analysis of the fingerprints of unknown executable files. The sequence starts with the user's anti-virus application detecting a suspicious file, for example an encrypted or packed file. Hereinafter, a packed file means an executable file that has been specially compressed and contains an additional unpacking routine; UPX is a typical program for compressing executables. After detecting a suspicious file that cannot be found locally (that is, on the user's side) in the "white list" and "black list" software databases, the anti-virus application transmits the file's fingerprint (hash sum) to a server, where the fingerprint is checked against malware hashes. This eliminates the problem shown in Fig. 3 that is associated with the delay in updating client databases. However, since the anti-virus company must have the fingerprint (hash sum) of the specific file ("clean" or malware), this in turn creates the problem of the company obtaining that file in time, so this method is not flawless either. Because a large number of executable files are generated every minute, obtaining such files quickly is very difficult.
However, the latest product developments in the cloud computing field give rise to a series of related problems. One of them is associated with the following situation: when a large number of users work with a cloud service, each user is usually regarded at all times as a unit with equal rights and abilities. Commercial cloud services distinguish user capabilities using various business models; for example, Azure charges different fees for using different amounts of resources. But if users themselves participate directly in the operation of the cloud service, it becomes necessary to group them using some set of rules, which allows the operation of the service to be better organized and, in particular, allows faster and more accurate threat detection. This also applies, for instance, to the "wisdom of the crowd" technology.
The present invention addresses the following task: using the evaluations of many users in malware detection by creating a classification of users and segmenting them according to their roles.
Summary of the invention
Disclosed are a system, a method and a computer program product for detecting computer security threats based on the verdicts of computer users. In one example embodiment, the system receives, from an anti-virus application deployed on a user's computer, information about an unknown security event associated with software executed on that computer, and a user verdict indicating whether the software is harmful or harmless to the security of that computer. The system identifies the user of the computer and the user's role, where the user role indicates the user's level of expertise in the field of computer security. If the user's role indicates that the user has a high level of expertise in computer security, the system accepts the user's verdict that the software is harmful or harmless. If the user's role indicates that the user has a low level of expertise in computer security, the system analyzes the information about the security event received from the anti-virus application to check whether the user's verdict is correct. If the user's verdict is accepted or verified as correct, the system uses the information about the security event and the indication that the associated software is harmful or harmless to update an anti-virus database that is associated with the anti-virus application and contains information about known harmful and harmless software.
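The role-dependent handling of a verdict just described, as an added example that is not the patent's code: an expert's verdict is recorded directly, a typical user's verdict is checked against the database of known harmful and harmless software, and a verdict that cannot be confirmed from the available data is deferred (the description later mentions requesting additional data in that case). The role names, the hash-keyed database layout, the "deferred" outcome and the sample entries are assumptions.

```python
# Added example (not the patent's code): role-based handling of a user's verdict
# on an unknown security event. Role names, database layout, the "deferred"
# outcome and all sample values are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional

HARMFUL, HARMLESS = "harmful", "harmless"
# Expertise level implied by each role (assumed: only "typical" users count as low).
ROLE_EXPERTISE = {"expert": "high", "advanced": "high", "typical": "low"}


@dataclass
class AntiVirusDatabase:
    """Known harmful and harmless software, keyed by file hash sum."""
    known: Dict[str, str] = field(default_factory=dict)

    def lookup(self, hash_sum: str) -> Optional[str]:
        return self.known.get(hash_sum)

    def update(self, hash_sum: str, verdict: str) -> None:
        self.known[hash_sum] = verdict


@dataclass
class VerdictNotification:
    """What the anti-virus application sends: who decided, about what, and how."""
    user_id: str
    role: str                 # "expert", "advanced" or "typical"
    hash_sum: str             # fingerprint of the software the event concerns
    user_verdict: str         # HARMFUL or HARMLESS
    event: Dict[str, object]  # security event details (module, file info, ...)


def verify_verdict(db: AntiVirusDatabase, n: VerdictNotification) -> Optional[bool]:
    """Check a low-expertise user's verdict against what the system already knows.
    True/False if the database classifies the software; None if the verdict
    cannot be confirmed from the available data."""
    known = db.lookup(n.hash_sum)
    if known is not None:
        return known == n.user_verdict
    return None


def process_verdict(db: AntiVirusDatabase, n: VerdictNotification) -> str:
    """Returns "accepted" (high-expertise verdict taken as-is), "verified"
    (low-expertise verdict confirmed), "rejected" (malformed or contradicted by
    known data) or "deferred" (insufficient data to check)."""
    if n.user_verdict not in (HARMFUL, HARMLESS):
        return "rejected"
    if ROLE_EXPERTISE.get(n.role, "low") == "high":
        db.update(n.hash_sum, n.user_verdict)   # accepted without verification
        return "accepted"
    result = verify_verdict(db, n)
    if result is None:
        return "deferred"                       # database left unchanged
    if result:
        db.update(n.hash_sum, n.user_verdict)   # verified: record the verdict
        return "verified"
    return "rejected"
```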
Also disclosed are a system, a method and a computer program product for automatically allocating computing resources for processing security information. In one example embodiment, the system receives, from an anti-virus application deployed on a user's computer, information about user actions related to the security of that computer. The system analyzes the user actions related to the security of the computer to determine the user's level of expertise in the field of computer security. Then, based on the user's level of expertise in computer security, the system classifies the user into one of two or more different roles. Based on the user role, the system automatically selects configuration settings of the anti-virus application for collecting information about security threats detected by the user, such that more information about user-detected security threats is collected from users with a higher level of expertise in computer security than from users with a low level. Also based on the user role, the system automatically allocates and deploys computing resources and services for processing the information about user-detected security threats collected by the anti-virus application deployed on the user's computer, such that more computing resources and services are allocated to processing information from users with a higher level of expertise in computer security than from users with a low level.
Also disclosed are a system and a method for classifying users of anti-virus software based on their level of expertise in the field of computer security, and a computer program product for the method. In one example embodiment, the system receives, from anti-virus software deployed on a user's computer, historical information about the security of the user's computer and about the user's use of the anti-virus software. The system divides the received information into a plurality of categories, including at least (i) the number of computer threats detected by the user, (ii) the frequency with which the user's computer is infected by malware, and (iii) the user's level of proficiency with the anti-virus software. The system then selects one or more condition-action rules for each category of information and applies the selected rules to the categorized information to determine the user's level of expertise in computer security. Finally, based on the determined level of expertise in computer security, the system classifies the user as one of an expert user, an advanced user or a typical user.
The above brief summary of example embodiments serves to provide a basic understanding of the invention. This summary is not an extensive overview of all contemplated aspects of the invention, and is intended neither to identify the key or critical elements of all embodiments nor to delineate the scope of any or all embodiments. Its sole purpose is to present one or more embodiments in a simplified form as a prelude to the more detailed description of the invention that follows. To achieve the foregoing purpose, one or more embodiments include the features described and particularly pointed out in the claims.
Description of drawings
The accompanying drawings, which are incorporated into and constitute part of this specification, illustrate one or more example embodiments of the invention and, together with the detailed description, serve to explain the principles and implementation of the embodiments.
In the accompanying drawings:
Fig. 1 shows a high-level diagram of a cloud service.
Fig. 2 shows a diagram of the recent growth in computer malware propagation.
Fig. 3 shows a timeline of the detection and distribution of new computer malware.
Fig. 3A shows a diagram of anti-virus software according to an example embodiment.
Fig. 4 shows a sample parameter set constituting a user's reputation, according to an example embodiment.
Fig. 4A shows a diagram of user reputation based on the user reputation parameters of Fig. 4, according to an example embodiment.
Fig. 5 shows a reputation analysis system for cloud service users, according to an example embodiment.
Fig. 6 shows a user notification processing method according to an example embodiment.
Fig. 7 shows a threat detection notification processing method according to an example embodiment.
Fig. 8 shows a threat detection notification processing method for threats detected on a user's computer, according to an example embodiment.
Fig. 9 shows a logging system for user computer events, according to an example embodiment.
Fig. 10 shows a logging method for user computer events, according to an example embodiment.
Fig. 11 shows a sample role-based classification of cloud service users, according to an example embodiment.
Fig. 11A shows a method for determining user role weights, according to an example embodiment.
Fig. 12 shows a sample diagram of cloud service user roles, according to an example embodiment.
Fig. 13 shows a method of assigning user roles depending on reputation and other parameters, according to an example embodiment.
Fig. 14 shows a graph of the change over time of the evaluation of detected threats, according to an example embodiment.
Fig. 15 shows the distribution of the amount of data transmitted by users depending on user role, according to an example embodiment.
Fig. 16 shows a method of allocating cloud service computing resources to the processing of notifications from a specific user, according to an example embodiment.
Fig. 17 shows a user verification mechanism for protecting a cloud service against illegitimate use, according to an example embodiment.
Fig. 18 shows a method of identifying cloud service users and allocating certain resources to a user, according to an example embodiment.
Fig. 19 shows a method for detecting computer security threats based on computer user verdicts, according to an example embodiment.
Fig. 20 shows a diagram of a computer system according to an example embodiment.
Embodiment
Example embodiments of the present invention are described herein in the context of systems, methods and computer program products for detecting computer security threats based on computer user verdicts. Those skilled in the art will understand that the following description is illustrative only and is not intended to be limiting in any way. Other embodiments will readily suggest themselves to those skilled in the art having the benefit of this disclosure. Reference will now be made in detail to the example embodiments of the invention as illustrated in the accompanying drawings. The same reference numerals are used throughout the drawings and the following description to refer to the same or similar items as far as possible.
Although the example embodiments of the invention are directed at providing computer security related services in a cloud computing environment, those skilled in the art should understand that the principles of the invention can be applied in other embodiments to other computing paradigms, for example on the client side, on the server side, in a distributed computing environment, and so on.
First, the problems of classifying cloud service users (clients) and of protecting the cloud service and its users from various computer threats will be discussed.
Current computer security products, such as anti-virus software or security suites, include a large number of modules deployed for various solutions. Fig. 3A illustrates an example of current anti-virus software 300, which can be installed on user device 100. Some modules are essential for the operation of the software, such as the update module and the file anti-virus module. The update module is designed mainly for updating the anti-virus database, whose up-to-date state is essential for the reliable and timely detection of malware and other threats. It should be noted that threats can be represented by known malware, by links to harmful content (addresses of harmful resources), by unknown malware, and by potentially dangerous software that can perform actions similar to those of malware (a similar installation scenario is characteristic of many malicious programs). The anti-virus database itself can contain, for example, known malware signatures, the data sets needed by the anti-spam module, and so on. The anti-virus database also includes external services, such as the anti-virus company's database, which contains large-scale knowledge bases such as a "white list" database of trusted software information. We will regard external services as cloud service 120. Depending on the availability of options such as e-mail or the Internet, other modules are needed, such as e-mail anti-virus, web anti-virus, IM anti-virus (which checks instant messaging data) and a network firewall. Others are auxiliary tools: an anti-spam module for filtering incoming e-mail, a backup module, a personal data manager (for isolating and protecting the most important data), and a virtual keyboard for entering confidential data without being compromised by programs such as keyloggers. Some modules, such as the anti-banner module, can be used together with the web browser during Internet surfing. Some modules require a lot of time and resources to operate, but they can also handle unknown malware and attacks. These modules include, but are not limited to: HIPS (host intrusion prevention system), which restricts the access of unknown software to computer resources; the proactive defense module, which can determine the stage of an active infection (that is, the moment when malware has begun operating on the computer); and the emulator and virtual machine, which can be used for the safe execution of uncommon executable files. This list of components differs between anti-virus products: various modules can have different names, some modules can be built into others, and so on.
Usually, each module of anti-virus application 300 has its own user interface and associated functions. For example, the anti-spam module provides the ability to train the module, to edit the trusted and blocked address and resource lists, to create lists of permitted and obscene phrases, and so on. The HIPS module allows the user to set and modify resource access rights for particular software, to make various programs trusted, and to form software groups based on trust level. Thus, each module's user interface has its own level at which additional information is obtained. Even when most modules operate in automatic mode, certain operations still require user input. All of this is a reminder that, in a world where the number of computer threats is ever increasing, the user's final action still plays an important role despite the automated operation of most anti-virus modules.
It should further be noted that user input is required only in the following situation: when one of the anti-virus modules cannot reach a definite conclusion about the threat posed by a suspicious object, such as an unknown file that the user is attempting to execute or a link in the browser that the user is attempting to follow. The modules that request the user's decision, or verdict, on whether an object is harmful or harmless can include the proactive defense module and the virtual machine. Moreover, as threats evolve, the importance of such modules constantly increases. It is therefore necessary to obtain the user's decision and, for this purpose, to select the most competent users, which avoids the errors mentioned above. Consequently, in order to identify the users who are most competent from the standpoint of computer security knowledge, it is necessary to perform a selection (classification) of cloud service users.
User classification means selecting certain common features as a basis for grouping users into categories. The classification can be predefined and relate to aspects of user activity within the anti-virus software framework: the number of detected threats and their uniqueness, proficiency in using the anti-virus software interface, the frequency of computer infection, information about the programs installed on the user's computer and the user's usage of those programs, and so on.
The activity for each feature can be expressed as a certain value, that is, as a number. For simplicity of representation and better evaluation, numerical values can correspond to terms in fuzzy logic. A fuzzy logic system considers three stages:
Fuzzification, the introduction of fuzziness. In this operation, all input variables are matched to linguistic variables, a term set is created for each linguistic variable, and a membership function is created for each term. For example, the term set for the linguistic variable "number of detected threats" would be { "very low", "low", "average", "high", "very high" }, which allows a departure from a large number of numerical values.
Creation and use of a fuzzy knowledge base. The fuzzy knowledge base contains condition-action rules of the type IF <rule premise> THEN <rule conclusion>. For example, the following rule can be used: "if the number of detected threats exceeds a set value, then the quantified detected-threat activity is high". Because such rules are understandable and are a kind of "language code", formulating them is usually easy.
Defuzzification, the output of a distinct number, which is, for example, the evaluation of a certain user activity indicating the user's level of expertise in the field of computer security.
The activity values obtained for each feature can be interpreted together as a single concept, which is called "reputation". In general, a user's reputation indicates the user's level of expertise in the field of computer security. Various aspects of reputation are used to determine the user's role, that is, for the user classification described below. Fig. 4 shows a sample parameter set for creating the reputation. It should be noted that in one embodiment the reputation can be represented by a number, and in other embodiments by a certain feature set or vector.
If the reputation is expressed as a set of numbers rather than as a single value, it can be represented schematically as a set or vector. Fig. 4A shows an example of this representation, in which two activity parameters are used: the number of detected threats and software interface use activity. Thus, a user's reputation can be expressed as follows:
                     Number of detected threats   Software interface use activity
User 1 reputation    Low                          Average
User 2 reputation    High                         High
Table 1
When other activity types are added, the reputation takes the following general form: reputation = {activity 1, activity 2, ..., activity N}.
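An added example, not the patent's code, carrying the three fuzzy-logic stages described above through for the two activities of Table 1 and then assigning the expert / advanced / typical role mentioned in the summary: trapezoidal membership functions for the five-term set, an IF-THEN rule base, Mamdani inference with centroid defuzzification, and the resulting reputation vector. The membership-function shapes, the numeric scales, the rule base and the role thresholds are assumptions.

```python
# Added example (not the patent's code): fuzzification, rule base and
# defuzzification for the activities "number of detected threats" and
# "interface use", producing a reputation vector and a role. All membership
# functions, scales, rules and thresholds below are assumptions.
from typing import Dict, Tuple

Trap = Tuple[float, float, float, float]  # (a, b, c, d): 0 at a, 1 on [b, c], 0 at d

# Term set from the description, with constructed membership functions over
# "threats detected" (count) and "interface use" (GUI actions, constructed scale).
THREAT_TERMS: Dict[str, Trap] = {
    "very low": (-1, 0, 1, 3), "low": (1, 3, 5, 8), "average": (5, 8, 12, 16),
    "high": (12, 16, 25, 35), "very high": (25, 35, 1e9, 1e9),
}
INTERFACE_TERMS: Dict[str, Trap] = {
    "very low": (-1, 0, 1, 3), "low": (1, 3, 6, 10), "average": (6, 10, 20, 30),
    "high": (20, 30, 50, 70), "very high": (50, 70, 1e9, 1e9),
}
# Output linguistic variable "activity level", defined on a 0..100 axis.
LEVEL_TERMS: Dict[str, Trap] = {
    "low": (-1, 0, 20, 40), "average": (20, 40, 60, 80), "high": (60, 80, 100, 101),
}
# Rule base, one rule per input term, e.g. "IF number of detected threats is
# high THEN detected-threat activity is high".
RULES = {"very low": "low", "low": "low", "average": "average",
         "high": "high", "very high": "high"}


def trapezoid(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal membership function."""
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    return (x - a) / (b - a) if x < b else (d - x) / (d - c)


def fuzzify(x: float, terms: Dict[str, Trap]) -> Dict[str, float]:
    """Stage 1: degree of membership of a crisp value in each term."""
    return {t: trapezoid(x, *p) for t, p in terms.items()}


def defuzzify(degrees: Dict[str, float], steps: int = 1000) -> float:
    """Stages 2 and 3: fire the rules (Mamdani min/max) and take the centroid
    of the aggregated output membership on the 0..100 axis."""
    strength: Dict[str, float] = {}
    for in_term, out_term in RULES.items():
        strength[out_term] = max(strength.get(out_term, 0.0), degrees[in_term])
    num = den = 0.0
    for i in range(steps + 1):
        y = 100.0 * i / steps
        mu = max(min(s, trapezoid(y, *LEVEL_TERMS[t])) for t, s in strength.items())
        num += y * mu
        den += mu
    return num / den if den else 0.0


def level_term(score: float) -> str:
    """Linguistic label of a defuzzified score (term with highest membership)."""
    return max(LEVEL_TERMS, key=lambda t: trapezoid(score, *LEVEL_TERMS[t]))


def reputation(threats_detected: float, interface_actions: float) -> Dict[str, Tuple[float, str]]:
    """Reputation vector {activity: (score, label)}, the form shown in Table 1."""
    rep = {}
    for name, x, terms in (("detected threats", threats_detected, THREAT_TERMS),
                           ("interface use", interface_actions, INTERFACE_TERMS)):
        score = defuzzify(fuzzify(x, terms))
        rep[name] = (round(score, 1), level_term(score))
    return rep


def assign_role(rep: Dict[str, Tuple[float, str]]) -> str:
    """Assumed role thresholds: all activities high -> expert; any activity at
    least average -> advanced; otherwise typical."""
    labels = [label for _, label in rep.values()]
    if all(label == "high" for label in labels):
        return "expert"
    if any(label in ("average", "high") for label in labels):
        return "advanced"
    return "typical"
```

With the constructed scales, 3 detected threats and 12 interface actions reproduce the "Low / Average" row of Table 1, and 40 threats with 60 actions reproduce the "High / High" row.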
Fig. 5 illustrates a reputation analysis system for cloud service users according to an example embodiment. The actions of user 100 are logged locally and sent to cloud service 120. Transmission can take the form of notifications sent immediately after an action or sent periodically. A received notification enters user action processing tool 510, which processes the user action for certain activities with reference to reputation rule database 520. User action processing tool 510 also forwards the received notification to user action checking tool 540. User action checking tool 540 uses check rule database 550 to check whether the user action is within the set limits. If the user action does not raise any suspicion, user action processing tool 510 modifies the user's reputation by changing the corresponding user activity value and storing it in user reputation database 530.
Below is an example of a notification:
[Table 2: example notification; present in the original only as an image, not reproduced here]
Another example of a notification:
[Table 3: example notification; present in the original only as an image, not reproduced here]
The user ID may also include anti-virus software data, such as: the anti-virus software version; the exact software ID; the build number; the IDs of applied patches/security updates/service packs; license information.
A unique data set is generated for each task. For example, for a file check this data set may include file information (hash sum, availability of a digital signature, size, location, command-line attributes, author (if any), file attributes (hidden, file), origin (network, media such as a CD), time of last modification, etc.), while a web page check task may include the page address (link), the settings for the script emulator (which script types to check, to what depth, which objects should be checked), etc.
User actions may be described by a set of templates designed to work with the anti-virus software interface (GUI). The following may serve as an example:
Action ID   Action type
...         ...
12          User authorizes a program as trusted
13          User disables program execution
...         ...
46          User starts the virtual keyboard
47          User starts parental control
...         ...
Table 4
In general, such detailed data is usually transmitted by the various anti-virus software modules. For an emulator, for example, this data may include information about the number of instructions, the operation codes, information about the operation restrictions that were set, and a virtual memory dump. In an example embodiment, when a threat is detected by one or more modules, the detailed data may be transmitted in the notification by those modules. In another detailed example, part of the data is transmitted in the first notification, and if this data is found insufficient to check the user's verdict, additional data may be transmitted by anti-virus application 300 at the request of cloud service 120.
Thus all notifications may adopt a structure described by the following metadata: WHO (information about the user, their computer, etc.), WHERE (information about the anti-virus software module that triggered and other required system hardware and application state data), WHEN (the time frame of the event and its possible repetition frequency), WHAT (the type of security event detected and the details of the security event).
Databases 520, 530, 550 (and all other similar databases discussed below) may be implemented with common DBMSs (database management systems) such as MySQL, MSSQL, PostgreSQL or DB2. User action processing tool 510 compares the user's notification with the rules stored in reputation rule database 520. These rules may be expressed as production rules of the type "if <condition> then <action>". The following may serve as an example:
If
  <notification type> = "user action ID"
  <details> = "start of computer vulnerability scan"
  <user action> = "correcting a detected vulnerability: disabling autorun of removable drives"
Then
  Increase <activity of using the application interface> by <set value>
  Restriction: <activity value cannot exceed N>
It should be noted that the organization of these rules is kept simple, because adding new rules and revising rules is then easy. The rules may be written in XML, whose syntax offers, for example, the following advantages: platform independence, the ability to describe structures such as lists and trees, and support at various levels (hardware and software).
In addition, each rule may limit the correction it makes to one or another activity of the user. The purpose is to prevent a number of simple actions from raising an activity to a high level. A good example is frequent scanning of the same removable drive (for example, a flash drive), which may be regarded as simple and common use of the software. Starting a computer vulnerability scan, however, is not a trivial check, and so this action may raise the software interface activity to a higher level.
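The production-rule update of the reputation vector, with the per-rule restriction just described, can be implemented as follows. This is an added example, not code from the patent: the rule fields, activity names, set values and caps are constructed assumptions chosen to mirror the example rule above and the flash-drive case.

```python
from dataclasses import dataclass
from typing import Dict, List

# A reputation is a vector of named activities:
# reputation = {activity 1, activity 2, ..., activity N}
Reputation = Dict[str, int]


@dataclass(frozen=True)
class Rule:
    """One 'if <condition> then <action>' production rule.

    condition: notification fields that must all match
    activity:  the reputation component the action adjusts
    delta:     the set value by which the activity is raised
    cap:       the restriction 'activity value cannot exceed N'
    """
    condition: Dict[str, str]
    activity: str
    delta: int
    cap: int


def matches(rule: Rule, notification: Dict[str, str]) -> bool:
    """Every condition field must be present in the notification with the given value."""
    return all(notification.get(key) == value for key, value in rule.condition.items())


def apply_rules(reputation: Reputation, notification: Dict[str, str],
                rules: List[Rule]) -> Reputation:
    """Return a new reputation with every triggered rule applied.

    A rule raises only its own activity and never lifts it above its cap;
    an activity already above the cap is left untouched, so many trivial
    actions cannot push the activity to a high level."""
    updated = dict(reputation)
    for rule in rules:
        if matches(rule, notification):
            current = updated.get(rule.activity, 0)
            updated[rule.activity] = max(current, min(rule.cap, current + rule.delta))
    return updated


# Constructed rules (hypothetical field names and values). The first mirrors
# the example rule in the description; the second covers the 'frequent scan
# of the same flash drive' case, which is allowed to add only a little.
RULES = [
    Rule(condition={"type": "user action ID",
                    "details": "start of computer vulnerability scan",
                    "user_action": "disable autorun of removable drives"},
         activity="interface_activity", delta=10, cap=100),
    Rule(condition={"type": "user action ID",
                    "details": "scan of removable drive"},
         activity="interface_activity", delta=1, cap=5),
]

# Constructed notifications matching the two rules above.
VULN_SCAN = {"type": "user action ID",
             "details": "start of computer vulnerability scan",
             "user_action": "disable autorun of removable drives"}
FLASH_SCAN = {"type": "user action ID", "details": "scan of removable drive"}


def run(notifications: List[Dict[str, str]]) -> Reputation:
    """Process a sequence of notifications for a new user whose activities start at zero."""
    reputation: Reputation = {"detected_threats": 0, "interface_activity": 0}
    for notification in notifications:
        reputation = apply_rules(reputation, notification, RULES)
    return reputation


if __name__ == "__main__":
    # Twenty flash-drive scans alone stop at the cap of 5; one vulnerability
    # scan is worth 10, and later flash-drive scans add nothing on top of it.
    print(run([FLASH_SCAN] * 20))
    print(run([VULN_SCAN] + [FLASH_SCAN] * 20))
```

The cap is enforced with `max(current, min(cap, current + delta))` rather than a plain `min`, so that a low-cap rule firing after a high-value action never lowers an activity that another rule legitimately raised.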
After checking that a rule contained in reputation rule database 520 has been triggered, user action processing tool 510 modifies the reputation of the user who sent the notification, with reference to user reputation database 530. Corrections coming from user action checking tool 540, which applies the rules in check rule database 550, are also applied to the reputation. These rules and their checks are organized similarly to the rules of reputation rule database 520. Let us consider the necessity of checking user actions in more detail.
Although the user action processing rules at cloud service 120 are hidden from them, some users may adopt fraudulent strategies in order to increase their reputation. This may include, but is not limited to, forging notifications from user 100, or artificially increasing, for example, the number and uniqueness of detected threats, or reporting very high software interface activity. Such actions are called anomalies. To account for them, check rule database 550 contains anomaly detection rules. User action processing tool 510 forwards the notification received from the user to user action checking tool 540. User action checking tool 540 consults check rule database 550 to determine the rules describing a certain anomaly type, and requests from user reputation database 530 the history of reputation corrections for the user from whom the notification was received. The history stored in user reputation database 530 shows the user's latest actions (received notifications) during a recent time period (such a period may be a month or a week). By comparing the historical record with the latest user notification, user action checking tool 540 can detect anomalies.
Let us consider user notification processing in more detail, as illustrated in Fig. 6. In step 610 a user action notification arrives at user action processing tool 510, which in step 620 extracts information from the received notification. Then in step 630 the received data is checked using user action checking tool 540. If an anomaly is detected in step 640, then in step 660 the anomaly is recorded for this user, producing a corresponding log entry in user reputation database 530. If no anomaly is detected, the reputation (the relevant activity) is corrected in step 650. The method of registering the number and type of anomalies is described in more detail below.
Below, some examples are summarized with respect to the reputation aspects (that is, activity characteristics) that are mainly associated with threat detection.
Note that in the "wisdom of the crowd" approach described above, each user has a different level of information technology (IT) expertise. At present, besides the large number of legitimate (whitelist) programs and harmful (blacklist) programs, a growth of so-called "gray list" programs has been noticed; these programs can be described neither as "white" nor as "black". This is associated with several factors, one of the fundamental ones being the continuing growth in executable files and in harmful programs in general (Fig. 2), so that the ability of anti-virus companies to process this ever-growing data stream lags behind. Therefore, when the anti-virus software cannot determine whether an unknown file is harmful or clean, one possible solution is to rely on the user to assess whether the unknown file is harmful or clean. The file description offered to the user may include: size, location, file name, availability of a digital signature, etc. In addition, the user may have information that is difficult for the anti-virus software to obtain, such as the origin of the file (it came from a disk bought in a shop, from an unlicensed disk, from mail sent by a friend, a long time ago, etc.). Based on this information the user may decide to block execution of the file, which means the user considers the file suspicious or harmful. We will call this event a "verdict". Besides verdicts allowing or blocking execution of an unknown file, there are also verdicts allowing/blocking the opening of a link (for example, in a browser), network activity, etc.
Therefore, each user can be assessed by the number of their verdicts and by the level of correctness of those verdicts. Verdict correctness may subsequently be calculated by the anti-virus company, which checks the executable file data and reaches its own conclusion about the user's conclusion that the file is harmful or clean. One embodiment also takes the number of cases into account: when a user blocked different copies of the same program (that is, the same file) several times, such verdicts may be counted as a single event. Another embodiment does not assess the user's verdict activity immediately but introduces a time delay, so as to exclude sudden fluctuations of the user's reputation (such as when the user performs the initial installation of the anti-virus software). In yet another embodiment, the verdict assessment may be carried out over the whole period of user activity (usually a period limited by the anti-virus software license term), or over a set time period.
The associated anomalies (fraud) are also worth remembering: in order to obtain a higher activity grade based on detected threats, a user may resort to such anomalies, for example by using an available set of harmful files for subsequent scanning. A home user usually cannot detect many threats on their computer within a short term. Even a full scan of the hard disk shows that most malware is often copies of the same program.
Fig. 7 shows the threat detection notification processing sequence. After an unknown threat detection notification is received in step 710, the necessary information is extracted from the notification in step 720 for further analysis. The necessary information includes the threat details and the user action. It should be noted that the user action is needed only when one of the anti-virus software 300 modules makes no clear conclusion about the subject of the inquiry, for example an unknown file the user is attempting to start or a link the user is attempting to follow in a browser. Such an event is also bound into the notification. Then in step 730 the threat information is analyzed at the cloud service to confirm whether the user's verdict is correct or incorrect. The analysis may be based on Kaspersky Security Network (KSN) technology, some embodiments of which are described in U.S. Patents 7,640,589 and 7,743,419, incorporated herein by reference in full. For example, the check may include whitelist or blacklist analysis of the unknown threat, emulation-based analysis, signature-based analysis, heuristic analysis and other techniques.
If the threat is not confirmed, but the user action shows that the user believes, for example, that an unknown file attempted to act as malware during its execution (opening), or the user blocked an unknown link while attempting to follow it in a browser, such information is saved for further analysis in step 740. If afterwards, in step 785, the user action is confirmed to be correct (that is, the verdict is correct), this means the user was among the first to detect the malware or the harmful link. In this case the user's reputation is revised in step 790; in particular, the activity judged by the number of detected unique threats increases.
If the threat is confirmed in step 730, then in step 750 user action checking tool 540 consults check rule database 550 and user reputation database 530 to compare the statistics of the user who sent the notification, in order to detect anomalous conditions in step 760. An anomaly may take the form of too many malicious programs detected within a short term (for example, scanning a disk holding a preserved set of known malware in order to increase reputation) or of too frequent malware detection. The latter may be explained by a user repeatedly visiting the same infected website, by the low maturity level of a user who does not patch the vulnerabilities in their software, etc. Such an anomaly is counted in step 780. Otherwise, the user's reputation is raised in step 770 because of the increase in the number of detected threats. In addition, once the threat is confirmed, cloud server 120 may use the information about the detected threat to update the anti-virus database associated with anti-virus software 300.
A very important aspect of anomaly detection is rejecting notifications from attempts to disrupt service 120. For example, the author of a malicious program might try to disable the anti-virus protection of users by mounting a DoS attack on service 120. This could be done with multiple copies of anti-virus application 300 driven by an automated action list (for example, detecting different copies of the same malicious program within a short term), which would cause a massive number of notifications to be sent to service 120, in effect a DoS attack. Analyzing and shutting off the notifications coming from such clients leads to stable operation of service 120 for all other users. In another embodiment, the author of a malicious program could "slip" anti-virus application 300 (and thereby service 120) an incorrect response, for example marking clean software as malicious. So that their responses do not propagate to other users, service 120 may collect statistics on such detections, and if there are too many such false positives, this too is an anomaly, and the responses from these users are also discarded.
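The anomaly checks described for the user action checking tool, namely comparing the latest threat-detection notification against the user's recent history for too many distinct threats, too frequent detection of the same object, and a flood of notifications from one client, together with the rule that copies of the same program count as a single event, can be combined as below. This is an added example, not the patent's code; the notification fields, time window, thresholds and sample histories are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ThreatNotification:
    user_id: str      # WHO
    when: datetime    # WHEN
    file_hash: str    # WHAT: identifies the detected object
    blocked: bool     # user action: blocked (True) or allowed (False)


# Constructed thresholds (hypothetical); a deployment would keep them as
# rules in the check rule database.
WINDOW = timedelta(days=7)          # history compared against the latest notification
MAX_UNIQUE_PER_WINDOW = 20          # distinct programs a home user plausibly meets
MAX_REPEATS_OF_SAME_OBJECT = 5      # same program detected again and again
MAX_NOTIFICATIONS_PER_HOUR = 50     # above this, treat the client as a flood


def recent_window(history: List[ThreatNotification],
                  latest: ThreatNotification) -> List[ThreatNotification]:
    """The user's notifications inside WINDOW before the latest one, plus the latest."""
    return [n for n in history
            if latest.when - WINDOW <= n.when <= latest.when] + [latest]


def unique_threats(notifications: List[ThreatNotification]) -> Set[str]:
    """Copies of the same program (same hash) count as a single event."""
    return {n.file_hash for n in notifications}


def detect_anomalies(history: List[ThreatNotification],
                     latest: ThreatNotification) -> List[str]:
    """Compare the latest notification with the user's recent history."""
    recent = recent_window(history, latest)
    anomalies: List[str] = []
    if len(unique_threats(recent)) > MAX_UNIQUE_PER_WINDOW:
        anomalies.append("too_many_unique_threats")    # e.g. rescanning a stored collection
    repeats = sum(1 for n in recent if n.file_hash == latest.file_hash)
    if repeats > MAX_REPEATS_OF_SAME_OBJECT:
        anomalies.append("too_frequent_same_threat")   # reinfection, unpatched software
    last_hour = [n for n in recent if latest.when - n.when <= timedelta(hours=1)]
    if len(last_hour) > MAX_NOTIFICATIONS_PER_HOUR:
        anomalies.append("notification_flood")         # automated clients overloading the service
    return anomalies


def process(history: List[ThreatNotification],
            latest: ThreatNotification) -> Tuple[str, object]:
    """Decision of steps 640/760: log the anomaly, or credit the unique detections."""
    anomalies = detect_anomalies(history, latest)
    if anomalies:
        return ("anomaly", anomalies)
    return ("credit", len(unique_threats(recent_window(history, latest))))


def make_run(user_id: str, start: datetime, hashes: List[str],
             spacing: timedelta) -> Tuple[List[ThreatNotification], ThreatNotification]:
    """Build a constructed history of evenly spaced blocked detections; the last is 'latest'."""
    notes = [ThreatNotification(user_id, start + i * spacing, h, True)
             for i, h in enumerate(hashes)]
    return notes[:-1], notes[-1]


def demo() -> Dict[str, List[str]]:
    """Three constructed users: a normal home user, a collection rescan, and a flood."""
    t0 = datetime(2012, 9, 1, 12, 0, 0)
    results: Dict[str, List[str]] = {}
    hist, latest = make_run("u1", t0, ["h1", "h2", "h3"], timedelta(days=2))
    results["normal"] = detect_anomalies(hist, latest)
    hist, latest = make_run("u2", t0, [f"coll{i:02d}" for i in range(25)], timedelta(seconds=20))
    results["collection_scan"] = detect_anomalies(hist, latest)
    hist, latest = make_run("u3", t0, ["dup"] * 60, timedelta(seconds=30))
    results["flood"] = detect_anomalies(hist, latest)
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found or "no anomaly")
```

Deduplicating by hash before counting means the flood case earns at most one unique detection even if it were not rejected, which is the point of treating repeated copies as one event.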
Each user is also assessed by the number of threats found on the user's computer after the threats infected the computer and started their harmful activity. This may be associated with the following events:
the user seldom updates the anti-virus database, or the anti-virus company itself cannot keep up with releasing updated versions (for the reasons mentioned in the description of Figs. 2 and 3);
the user frequently disables the anti-virus software (by closing the program);
the user has not configured their anti-virus software appropriately.
Fig. 8 illustrates, for an example embodiment, a method of processing threat detection notifications for threats detected after the threat has already entered the user's computer. This may cover, for example, the following cases:
1. The active infection stage. This means, for example, that during the first check of an executable file it was not found in the malware database, and its emulation did not detect any harmful activity. When this file is executed and its harmful activity has begun, the proactive defense module can block it.
2. Insufficient user activity with the anti-virus software. This means the user has not configured, or has disabled, the anti-virus software, which lets all kinds of threats enter the user's computer.
3. Lack of regular anti-virus database updates. Some anti-virus software 300 modules do not guarantee 100% detection of malware, but only report the probability that the scanned file may be harmful. Proactive defense and the virtual machine are such modules.
After a threat detection notification is received in step 810, the required information is extracted from the notification in step 820 for further analysis. The required information means the threat object details (such as a potentially harmful unknown file or link) and the user action. Then in step 830 the threat information is analyzed at the cloud service.
If the threat is not confirmed in step 830, but the user action shows that the user believes, for example, that an unknown file attempted to act as malware during its execution (opening), or the user blocked an unknown link, such information is saved for further analysis in step 840. If afterwards, in step 885, the user action is confirmed to be correct (that is, the verdict is correct), this means the user was among the first to detect the malware or the harmful link. In this case the user's reputation is revised in step 890; in particular, the user's activity parameter based on the number of detected unique threats increases.
If the threat is confirmed in step 830, the date on which the threat entered the user's computer is traced in step 850. This may be done by analyzing the malware's timestamps (that is, its creation or modification time) or the activity log maintained by the proactive defense module. Then in step 860 the reason the threat entered the computer is determined, such as a disabled anti-virus software module, incorrect anti-virus software settings, irregular database updates, etc. After the reason is determined, the user's reputation is revised in step 870; in particular, the infection activity increases.
It should be noted that after the threat detection notification with its related information and the user's verdict are received in steps 810-820, the verdict may be used to block such a threat until the threat is confirmed in step 830 or the verdict is confirmed in step 885.
Another important reputation aspect is software interface usage activity (or the user's proficiency with the anti-virus software). For modern anti-virus software such as Kaspersky Internet Security 2011 or McAfee Total Protection, such activity includes action types such as:
Configuring various software modules. An example is setting up the manual anti-virus database update feature. Settings may apply to various modules, such as training the anti-spam module that scans incoming e-mail flow, or selecting rules for the parental control module.
Answering software questions and following various software messages in interactive mode. Using the anti-virus software in interactive mode assumes the user will perform certain operations, such as deciding to block an unknown program (one not found in the malware database or the trusted program database), deciding to perform a full scan of removable media, etc.
The user's response time to software interface messages. Anti-virus software operating in interactive mode can also monitor the time the user takes to respond to prompts (for example, the waiting time for the user's response on blocking an unknown program).
Nesting of interface checks. Modern anti-virus software, including anti-virus application 300, has many different settings hidden in various parts of the graphical interface. User actions that reach more deeply nested interface settings show that the user is interested in a more detailed study of the anti-virus software's capabilities.
Use of non-automatic protection modules or additional capabilities. Usually, anti-virus software is well configured from the start and can operate automatically without user participation. But modules such as personal data management or the virtual keyboard are operated by the user. This shows the user is interested in comprehensive use of the anti-virus software's functions.
Exiting or closing the software. Although modern anti-virus software usually undergoes long-term testing on various operating systems to check its compatibility with other applications, there is always a risk of a false alarm, when a trusted application is identified as harmful. As a result, the anti-virus software may block the startup of such an application or restrict its access to resources (such as network resources), upsetting the user. Because of such errors, and because anti-virus software often "prompts" the user to perform one action or another (for example, in interactive mode), some users prefer to disable the anti-virus software temporarily or permanently. Such an action is regarded as a decrease in the user's activity with the software interface.
Too frequent changes of application settings, identical interface actions (checking/unchecking the same feature several times within a short time), etc., may be regarded as software interface activity anomalies.
After selecting the summarized assessments of the various user activities, it is necessary to consider the means required for logging the events that occur on the user's computer according to the user's activity. Fig. 9 shows an example embodiment of the event logging system of the user's computer.
User 910, working at PC 100, performs operations that may be recorded by anti-virus software 300 and its modules, and that are recorded directly when anti-virus software interface 920 is used. Information about these actions is sent to event logging tool 930. Tables 1 and 2 contain examples of the transmitted data types. User activity information is also sent to user activity tracking tool 940, which is used to identify the actual user of PC 100. This is done because, from a computer security perspective, PC 100 may be operated by several users 910 (even at different times) with different behaviors.
For example, in a family the parents may understand the basics of computer security (do not run unknown files, do not follow unknown links, etc.), while a child may not know these rules. One of the simplest methods of determining the user is based on the account used to access the computer system (or OS). Another option for determining the most typical user is tracking user actions: launching certain applications, opening files of a certain type, typical system resource consumption levels, etc. In this way the behavior of a user who mostly works with text is distinguished from that of a user who plays computer games. In one embodiment, user activity tracking tool 940 may define user behavior patterns based on intercepting data from input devices (keyboard, mouse). For example, U.S. Patent Applications 2006/0224898 and 2004/0221171 describe the concept of identifying the user from behavior patterns built on mouse dynamics parameters (average cursor speed, cursor path, cursor movement distance in each direction, idle time, etc.); they are incorporated herein by reference in full. U.S. Patent Application 2004/0172562 describes a system and method for user recognition based on the details of the user's individual text input (such as pauses between keystrokes, key-press time, etc.), the so-called keyboard rhythm; it is also incorporated herein by reference in full. Identification is based on comparing these parameters during the current password entry with a template of login parameters stored from the user's previous sessions.
Event logging tool 930 obtains the activity data of users 910 and the indication of the actual user from user activity tracking tool 940, obtains data from the anti-virus software 300 modules, and compares these with the event templates stored in event database 950. Such a comparison is necessary to determine which events are to be transmitted as notifications. If event database 950 contains a template for the event, event logging tool 930 transmits an event notification to notification transport tool 960, which generates the notification to be sent to cloud service 120, more precisely to user action processing tool 510. Event database 950 may also be updated if certain information must be aggregated for an event type, or if the transmission of data is to be shut off because the event provides no useful information.
Figure 10 shows a method of logging user computer events according to an example embodiment. In steps 1010 and 1015 the user may do something (for example, via interface 920) or an anti-virus software 300 module may detect an event (such as an attempt to execute an unknown file). Then in step 1020 the event is logged in the system by transmitting the required data to event logging tool 930, which in step 1030 checks event database 950 for templates of similar events. If the event is not found in event database 950, it is discarded in step 1035. In another embodiment, the event information may be stored for future use, for when such an event begins to play a role in computer security. Otherwise, in step 1040 user activity tracking tool 940 determines the actual user. Then in step 1050 a notification is generated by notification transport tool 960, which transmits the notification to cloud service 120 in step 1060. One embodiment also includes, in step 1060, a repeat counter for similar actions transmitted with the notification package, to save traffic and resources when the event frequency on the user's side is high.
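The client-side steps of Fig. 10, matching raw events against event templates, discarding events without a template, and folding repeated similar actions into one notification with a repeat counter, look like this in code. This is an added example, not the patent's code; the template set, event fields and the sample event stream are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed event templates (hypothetical): (source, event kind) pairs the
# event database knows about. Any other event has no template and is dropped.
EVENT_TEMPLATES: Set[Tuple[str, str]] = {
    ("interface", "authorize_program_trusted"),
    ("interface", "disable_program_execution"),
    ("module", "unknown_file_execution_attempt"),
}


@dataclass(frozen=True)
class Event:
    source: str   # "interface" for GUI actions, or the name of the AV module that saw it
    kind: str     # event type, looked up against EVENT_TEMPLATES
    user: str     # actual user, as identified by the activity tracking tool
    detail: str   # e.g. the file the event refers to


def build_notifications(events: List[Event]) -> Tuple[List[Dict[str, object]], int]:
    """Turn raw events into the notifications a client would send.

    Returns (notifications, dropped). Events without a template are discarded;
    repeats of the same action by the same user are folded into a single
    notification whose 'repeat' counter records how often it occurred."""
    folded: Dict[Tuple[str, str, str, str], Dict[str, object]] = {}
    dropped = 0
    for event in events:
        if (event.source, event.kind) not in EVENT_TEMPLATES:
            dropped += 1
            continue
        key = (event.user, event.source, event.kind, event.detail)
        if key in folded:
            folded[key]["repeat"] = int(folded[key]["repeat"]) + 1
        else:
            # WHO / WHERE / WHAT layout of the notification metadata
            folded[key] = {"who": event.user, "where": event.source,
                           "what": event.kind, "detail": event.detail, "repeat": 1}
    return list(folded.values()), dropped


def demo() -> Tuple[List[Dict[str, object]], int]:
    """Constructed event stream: a child's account retries the same unknown file three times."""
    events = [
        Event("module", "unknown_file_execution_attempt", "child", "codec_pack.exe"),
        Event("module", "unknown_file_execution_attempt", "child", "codec_pack.exe"),
        Event("interface", "window_moved", "child", ""),           # no template: dropped
        Event("module", "unknown_file_execution_attempt", "child", "codec_pack.exe"),
        Event("interface", "authorize_program_trusted", "parent", "editor.exe"),
    ]
    return build_notifications(events)


if __name__ == "__main__":
    notifications, dropped = demo()
    print(f"{len(notifications)} notifications, {dropped} dropped")
    for n in notifications:
        print(n)
```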
Once the user computer events have been transmitted to the cloud service in the form of summarized notifications, to be used in their subsequent analysis and in determining the user's reputation, it can be decided how the resulting reputation is used to form a role. A role is a certain abstract description of a user, based mainly on the user's actions, which include the verified verdicts associated with computer security (and, as a result, reputation and activity). The role is based not only on the characteristics of the user presented by the reputation; it also includes the following parameters:
- the reputation and all the activities used to form it;
- the anomalies associated with the reputation activities;
- information about the anti-virus software used, including license data (such as commercial software or freeware);
- information about the user's computer, its capabilities (resources) and their use.
Figure 11 shows the classification of cloud service 120 users based on their roles, according to an example embodiment. The whole set of users can be divided into groups, each containing users with a substantially similar level of professional knowledge in the field of computer security. It should be noted that, for ease of understanding, the classification shown in Figure 11 is only an exemplary diagram. It illustrates the following set of roles: "regular user", "experienced user", "expert" and "bait user (lure user)". This list is only an example and can be extended. A detailed description of the sample roles is shown in Figure 12.
A "regular user" is a user whose reputation includes the following: a low number of detected threats, low uniqueness of detected threats, low interface activity, low infection activity. Such users are usually not confident computer users and often never check how their anti-virus software operates. One embodiment automatically assigns this role to all new users. A regular user is therefore a user who usually has a low level of professional knowledge in the field of computer security. For this reason, according to an example embodiment, the verdict of a regular user 100 on the maliciousness or cleanliness of an unknown security threat just detected on the user's computer may be checked by user action checking tool 540 of cloud service 120.
An "experienced user" is a user whose reputation includes the following: a low or average number of detected threats, average uniqueness of detected threats, average interface activity, low or average infection activity. Such users have enough experience to understand the danger of running unknown programs. They also understand the basic precautions that matter when working with personal data. However, the increase in infection activity is directly associated with the user's own activity, for example when using the Internet. An experienced user is therefore a user who usually has a higher level of professional knowledge in the field of computer security than a regular user. For this reason, according to an example embodiment, the verdict of an experienced user 100 on the maliciousness or cleanliness of an unknown security threat just detected on the user's computer may also be checked by user action checking tool 540 of cloud service 120.
"Experts" are usually not numerous, but they have an average number of detected threats, average or high uniqueness of detected threats, and show high anti-virus software interface activity. Because they are often the "discoverers" of new unknown threats, their feedback and suggestions (decisions) are of crucial importance. An expert user is therefore a user who usually has a level of professional knowledge in the field of computer security higher than an experienced user's and much higher than a typical user's. For this reason, according to an example embodiment, the verdict of an expert user 100 on the maliciousness or cleanliness of an unknown security threat just detected on the user's computer may be accepted by user action processing tool 510 of cloud service 120 without being checked by user action checking tool 540, or at least without being checked immediately.
A "bait user" is a user with a high number of detected threats, usually of low or average uniqueness. Such users seldom configure anti-virus software 300, or disable many necessary modules entirely, which means low interface activity. As a result, they have high infection activity. Such users often spend many hours surfing the Internet, downloading and running new software, and may not understand that a Trojan is commonly hidden in a new set of video codecs. A bait user is therefore a user whose level of professional knowledge in the field of computer security is even lower than a regular user's. For this reason, according to an example embodiment, the verdict of a bait user 100 on the maliciousness or cleanliness of an unknown security threat just detected on the user's computer should also be checked by user action checking tool 540 of cloud service 120.
Although Figure 11 shows only a rough classification of users into roles by their level of professional knowledge in the field of computer security, expert users are often less numerous than the representatives of other roles, and the actions of these users are of the most interest to the anti-virus company. To account for the importance of users with more significant roles, the concept of role weight is introduced. Role weights may be set empirically or automatically when users of different roles make their decisions. In one embodiment the weight may be determined from several parameters: the anti-virus software setup type (normal or extended), the OS version, the software installed on the user's computer, the hardware set, etc.
In an example embodiment, the weights may change dynamically. For example, when growing sales of anti-virus application 300 cause the number of typical users to increase, the role weight of expert users should also increase.
The following table shows estimated weights for various roles:
Role              Role weight
Regular user      1
Advanced user     10
Expert            500
Table 5
Thus, in the decision to block or allow execution of the same unknown program, the opinion of a user in the "expert" role is equivalent to the opinions of 500 users in the "regular user" role. This method makes it possible to "outnumber" the actions of a large number of inexperienced users who encounter unknown malware and make mistakes. Another embodiment considers only the opinions of users with a certain role, such as "expert". In this embodiment, identifying users in such a role at an early stage is very important in order to make use of their expertise.
Figure 11a shows, according to one example embodiment, a method of accounting for user role weights in rulings for the purpose of detecting unknown computer threats. After step 820 from Fig. 8, the user's weight and ruling are taken into account in step 1110 in order to modify, in step 1120, the ruling weight for the threat object (a data file or a link). In one embodiment, if the user considered the event associated with the threat object harmful and blocked it (for example, blocked the start of an executable file), the ruling weight is increased by a certain amount. In another embodiment the ruling weight is increased by a value proportional to the user's role weight, which allows the rulings of users with a particular role to be given the most consideration. In yet another embodiment, if the user considered the event associated with the threat object safe and allowed it, the ruling weight is decreased. In step 1130 a check is made as to whether the ruling weight has exceeded a set threshold; if it has, the object is declared harmful from the users' point of view in step 1140. Step 830 from Fig. 8 follows. According to one example embodiment, the threshold used in step 1130 can be determined empirically on the basis of user rulings, or determined statistically from the rulings received from users of the various roles over a period of analysis.
Each role can also have additional subdivisions associated, for example, with anomalies. Taking anomalies into account allows events of the following kinds to be monitored:
---the appearance of unknown malware (which can affect the detection of unknown threats and their uniqueness);
---use of cloud service resources with malicious intent, including forged notifications;
---use of bot programs and other methods of inflating activity in order to obtain a desired reputation.
For example, the anomalies counted in the interface activity of the "conventional user" role are as follows:
[Table 6: anomalies counted in the interface activity of the "conventional user" role; the table is an image that is not reproduced in the text]
Table 6
Figure 13 shows an example embodiment of a method of assigning roles to users that depends on reputation and other parameters. In step 1310 any change in the user parameters is recorded, for example a change of activity from "low" to "average" based on the number of detected threats. In step 1320 a check is made to establish whether the user parameters satisfy the criteria of one of the roles. An example of such a check is:
If
<number of detected threats> = "average"
<uniqueness of detected threats> = "low"
<interface activity> = "average"
<infection activity> = "average"
Then
<user role> = "experienced user"
If the parameters do not satisfy any currently available role, the method ends at step 1330. Otherwise, in step 1340 a check is made as to whether the role derived from the parameters differs from the role currently assigned to this user. This is necessary because some roles span a range of values for a user parameter; for example, the "expert" role has two values, "average" and "high", for the uniqueness of detected threats. If the derived role differs from the current one, then in step 1350 the stability of the user parameters is checked over a set period of time (for example, a month). If over the set period the user parameters satisfy the required role, the user role is changed in step 1360.
The check of user parameter stability over a set period in step 1350 deserves comment. Such a check is necessary because user parameters do not keep a constant value over time. An example is shown in Figure 14, which shows an estimate of how the number of detected threats changes over time. After anti-virus software 300 is installed (the start of the timeline), a large amount of malware is detected on the computer (for example, during a full scan of the disk drives), so the detected threat activity is high. After most of the malware has been removed, later increases in activity may be associated with various factors, such as the user personally encountering unknown malware, the anti-virus databases not being updated for a long time, or the user not enabling necessary anti-virus scans. Eventually the user stops encountering large amounts of malware on his computer, which is also associated with several factors: for instance, the user has learned the basics of computer security (no longer follows suspicious links on the Internet), has improved his anti-virus software settings, has reduced his computer activity, and so on. All of this reduces the detected threat activity to a low level. One example embodiment therefore allows the user's reputation, and the activity from which it is formed, to be revised over time.
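The role check of Figure 13 together with the stability check of step 1350, as an added example that is not the patent's own code. The criteria for the "experienced user" role are the ones quoted in the text, the "bait user" criteria follow the description of bait users above, and the "expert" criterion for threat uniqueness ("average" or "high") is from the text; every other criterion, the parameter names, the scale low < average < high, and the stability window expressed as a number of monthly parameter snapshots are assumptions of this example.

```python
"""Role assignment from user parameters with a stability check (Figure 13).

Added example, not the patent's own code. The "experienced user" rule and
the expert uniqueness criterion are from the text; the other criteria, the
parameter names and the snapshot window are assumptions.
"""
LEVELS = ("low", "average", "high")
PARAMS = ("detected_threats", "threat_uniqueness",
          "interface_activity", "infection_activity")

# Role -> {parameter: set of acceptable levels}. Checked in this order, the
# most demanding role first; the sets are chosen so a profile maps to at
# most one role.
ROLE_RULES = {
    "expert": {                                  # uniqueness per text, rest assumed
        "detected_threats": {"average", "high"},
        "threat_uniqueness": {"average", "high"},
        "interface_activity": {"high"},
        "infection_activity": {"low"},
    },
    "experienced user": {                        # rule quoted in the text
        "detected_threats": {"average"},
        "threat_uniqueness": {"low"},
        "interface_activity": {"average"},
        "infection_activity": {"average"},
    },
    "bait user": {                               # from the description of bait users
        "detected_threats": {"high"},
        "threat_uniqueness": {"low", "average"},
        "interface_activity": {"low"},
        "infection_activity": {"high"},
    },
    "conventional user": {                       # assumed
        "detected_threats": {"low"},
        "threat_uniqueness": {"low"},
        "interface_activity": {"low", "average"},
        "infection_activity": {"low", "average"},
    },
}


def validate(params):
    """Reject a snapshot that does not carry every parameter on the level scale."""
    for name in PARAMS:
        if params.get(name) not in LEVELS:
            raise ValueError(f"{name} must be one of {LEVELS}, got {params.get(name)!r}")


def match_role(params):
    """Step 1320: first role whose criteria the parameters satisfy; None = step 1330."""
    validate(params)
    for role, rules in ROLE_RULES.items():
        if all(params[name] in allowed for name, allowed in rules.items()):
            return role
    return None


def update_role(current_role, history, window=3):
    """Steps 1340-1360: the role the user should hold after the latest snapshot.

    `history` holds parameter snapshots, oldest first, one per period (e.g.
    per month). The role changes only when the derived role differs from the
    current one and the last `window` snapshots all satisfy that role.
    """
    if not history:
        return current_role
    candidate = match_role(history[-1])
    if candidate is None or candidate == current_role:      # steps 1330 / 1340
        return current_role
    recent = history[-window:]
    if len(recent) < window:                                 # not enough history yet
        return current_role
    if all(match_role(snapshot) == candidate for snapshot in recent):   # step 1350
        return candidate                                     # step 1360
    return current_role


if __name__ == "__main__":
    # Constructed snapshots: a conventional profile, then a profile matching
    # the "experienced user" rule that persists for three periods.
    conv = dict(zip(PARAMS, ("low", "low", "low", "low")))
    exp = dict(zip(PARAMS, ("average", "low", "average", "average")))
    print(update_role("conventional user", [conv, conv, exp]))       # unchanged
    print(update_role("conventional user", [conv, exp, exp, exp]))   # experienced user
```

Evaluating the roles in a fixed order with disjoint criteria is what makes step 1340 meaningful: a snapshot that satisfies no rule leaves the current role untouched instead of silently demoting the user, and a single anomalous month cannot flip a role because every snapshot in the window must agree.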
Depending on the role, each user is assigned different capabilities, some of which are listed below (the list is an example and can be extended):
● selection of the data set collected for inclusion in notifications;
● changes to the capabilities of the anti-virus software interface;
● changes to the recommended settings of the anti-virus software modules;
● changes to the network resources (for example, bandwidth) allocated for receiving data;
● changes to the server processing resources (for example, CPU time) allocated to the data received;
● performance of tasks related to computer security.
Selection of the collected data set. The anti-virus company is interested in obtaining the most important data in notifications, which chiefly means data about unknown (unique) malware, and in minimizing the volume of data transmitted once a threat is known. Roles make it possible to target those users from whom a large amount of data about unique threats can be received. In the context of the present invention these can be, for example, users with the "expert" role.
For example, when an unknown file is started on the computer of a user assigned the "conventional user" role, the data collected and included in the notification will be:
● the MD5 of the file; and
● its digital signature, if any;
● optionally: command-line attributes and file attributes.
The notification sent by a user with the "expert" role, on the other hand, will contain a larger data set (the data collected below relate to the Windows OS family):
● the MD5 of the file;
● its digital signature, if any;
● optionally: command-line attributes and file attributes;
● DLL information: the libraries, their description, and which computer they come from;
● kernel object data: their size, description and source;
● service information: state (running/stopped/set to start automatically) and description;
● driver data: state (running or not running), file and group;
● file host, and so on.
Another example is associated with the use of an emulator. During emulation of an unknown file, the following data can be included in the notification from a user assigned the "conventional user" role:
● the MD5 of the file; and
● a brief description of the emulator run: the number of instructions and the safety rating obtained, as described in United States Patent 7,530,106, which is incorporated herein by reference.
When the emulator is applied to the same file on the computer of an "expert" role user, on the other hand, the notification will contain a larger data set:
● the MD5 of the file;
● a brief description of the emulator run: the number of instructions and the safety rating obtained;
● the limits set for the emulator run (limits on running time, memory size and processor instructions);
● a memory dump (that is, data obtained from memory during emulation).
It is evident that the data sent by "expert" role users differ both in quality and in quantity. Figure 15 shows an example distribution of the amount of data transmitted by users depending on user role. As can be seen, users who can submit more additional and significant data (in this case "expert" role users) may require a separate communication link with cloud service 120 (such as a link established with the highest priority), because in this case the importance and scope of the data received from such users play an important role.
In another example embodiment, users with different roles have different anti-virus software interface capabilities. For example, compared with the user interface settings for a user with a low level of expertise in computer security, such as a typical user, the user interface settings of the software application for a user with a higher level of expertise, such as an expert user, can provide a higher level of control over the operation of the anti-virus application and its various modules. For example, an expert user can be allowed to configure the emulator module of the anti-virus application (for instance, the limits on running time, memory size and processor instructions) or its other analysis modules.
Figure 16 shows, according to one example embodiment, a method of allocating the computational resources of cloud service 120 for processing notifications from a particular user. The user role is determined in step 1610, and the computational resources allocated to that role are then determined in step 1620. Here computational resources include, but are not limited to, CPU time, memory size, the maximum amount of data that can be stored on the drive, and network link capacity (quality of service). Because all of these resources are tied to the actual computers in cloud service 120 that are assigned to process notifications received from users, various embodiments of the invention additionally adopt different priority assignment schemes so that notifications from users with a more significant role (in this case, "expert" role users) are processed with higher priority.
Let us summarize an example of optimizing the network link quality of service for a user. At the Ethernet frame level (the second layer of the OSI model), for example, there is a tag field whose value, when the feature is enabled, indicates the required class of service. Because the IP protocol operates not only over Ethernet but also over WANs that are not based on Ethernet frames, the IP packet also has a ToS field that carries the required service class. Later the Differentiated Services (DS or DiffServ) protocol was developed, which is currently used to mark IP packets according to service class.
Switches for small and medium-sized companies, and access-level switches in large networks, usually take only the Ethernet frame QoS field into account for prioritization. Enterprise-level switches can take all current standards into account when prioritizing traffic. The frame carries a special 3-bit 802.1p priority field, which allows local network traffic to be marked with one of 8 classes of service.
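The two marking fields just described, worked through at the bit level as an added example (not code from the patent): the 3-bit 802.1p priority (PCP) inside the 802.1Q tag control information, which is where the 8 classes of service come from, and the 6-bit DSCP code point inside the IP ToS byte used by DiffServ. The mapping of user roles to a PCP value and a DSCP code point is an assumption of this example; the field layouts are the standard ones.

```python
"""Layer-2 (802.1Q/802.1p) and layer-3 (DSCP) service-class marking.

Added example, not the patent's own code. Field layouts are the standard
ones; the role -> (PCP, DSCP) table is an assumption of this example.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Assumed role -> (802.1p priority, DSCP). EF = 46, AF31 = 26, CS0 = 0.
ROLE_QOS = {
    "expert": (5, 46),
    "advanced user": (3, 26),
    "conventional user": (0, 0),
}


def encode_tci(pcp, dei, vid):
    """Pack PCP (3 bits), DEI (1 bit) and VLAN ID (12 bits) into the 16-bit TCI."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7 (the 8 classes of service)")
    if dei not in (0, 1):
        raise ValueError("DEI is a single bit")
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VLAN ID must be 0..4095")
    return (pcp << 13) | (dei << 12) | vid


def decode_tci(tci):
    """Inverse of encode_tci: return (pcp, dei, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def vlan_tag(pcp, vid, dei=0):
    """The 4-byte 802.1Q tag as it appears on the wire after the source MAC."""
    return struct.pack("!HH", TPID_8021Q, encode_tci(pcp, dei, vid))


def tos_byte(dscp, ecn=0):
    """IP ToS / Traffic Class byte: DSCP in the upper 6 bits, ECN in the lower 2."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if not 0 <= ecn <= 3:
        raise ValueError("ECN must be 0..3")
    return (dscp << 2) | ecn


def dscp_from_tos(tos):
    """Recover the DSCP code point from a ToS byte (drops the ECN bits)."""
    return (tos & 0xFF) >> 2


def marking_for_role(role, vid):
    """(802.1Q tag bytes, ToS byte) the cloud side would apply for a user role."""
    pcp, dscp = ROLE_QOS[role]
    return vlan_tag(pcp, vid), tos_byte(dscp)


if __name__ == "__main__":
    for role in ROLE_QOS:
        tag, tos = marking_for_role(role, vid=100)
        print(f"{role:18s} tag={tag.hex()} tos=0x{tos:02x} dscp={dscp_from_tos(tos)}")
```

The two markings are independent: an access switch that only honours the 802.1p bits will still prioritize the "expert" link inside the LAN, while the DSCP value survives across the non-Ethernet WAN segments that the text mentions, which is why both are set.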
Another prioritization example can be described as follows.
For a user assigned the "conventional user" role, the cloud service can allocate a server with the following configuration:
● processor: Xeon 5130
● memory: 4 GB RAM
● allocated hard-disk capacity: 74 GB SCSI HDD
● connection protocol type: UDP
For a user with the "expert" role, the cloud service can allocate a server with the following configuration:
● processor: 2 × Xeon 5620
● memory: 24 GB RAM
● allocated hard-disk capacity: 600 GB SCSI HDD
● connection protocol type: TCP
Obviously the server allocated to "expert" role users has a significantly higher capacity than the server for "conventional user" role users. As explained above, this is because of the significantly greater quantity and importance of the data received from "expert" role users, since these data, for instance, reflect a higher activity of detected unique threats.
After the computational resources for this user role have been allocated, the number of notifications (that is, the data volume) received from the user is additionally determined in step 1630. This information can be stored in the user reputation database 530. This is necessary in order to process data received not only from users with the preferred role ("expert") but also from users with other roles who show high file-processing activity, network activity and so on.
Based on the information obtained in step 1630, the computational resources required to process the current stream of notifications from the given user are determined in step 1640. Then, in step 1650, the allocated computational resources are used to process the user's notifications received within a set time frame (a week or a month), after which, in step 1660, the sufficiency of the computational resources for processing the notifications is re-assessed. If the resources are insufficient, the sequence returns to step 1640 and the computational resources required to process the current notification stream from the user are determined again; otherwise processing continues with the current computational resources in step 1670.
As shown above, roles are based not only on the user characteristic of reputation but also on the following parameters:
● reputation;
● anomalies associated with reputation activity;
● current anti-virus software data, including the licence (for example, commercial or free software);
● information about the user's computer, its resources and their use.
So far only user reputation and the anomalies associated with it have been considered. The current anti-virus software data and the information about the user's computer and its resources can be used to determine the potential computer security tasks to be performed on the user's computer.
Protection of the cloud service and its users.
To prepare for reliable and secure data exchange (and storage) between cloud service 120 and its users, the following tasks must be accomplished:
● ensuring user privacy and protection against data leaks;
● protecting the data transmission link between the cloud service and its users;
● protecting the cloud service from illegal use and malicious overload.
User privacy (personal data security) can be provided by separating the data processed by the modules of anti-virus software 300. It should be noted that many malware detection modules output only a certain standard set of data (for example, an indication of the API functions triggered), while traditional signature checking uses hash functions, which are irreversible: the file cannot be recovered from the hash obtained from it. The following measures can additionally be used for personal data security:
settings of the anti-virus software modules whose purpose is to prevent personal data from being recoverable after processing by those modules;
designation of areas of the computer's data (for example, certain user folders) that are scanned by only a few of the anti-virus software modules, or not scanned at all.
Figure 17 shows an example embodiment of a user identification mechanism for protecting the cloud service from illegal use. Authentication tool 1710 authenticates user 910 working on computer 100, taking into account at least two parameters: licence 1710 information (more precisely, its ID) and information from user action tracking tool 940. As noted above, user action tracking tool 940 tracks a model of user behaviour based on the user's actions (namely, his use of anti-virus software 300). A broader set of functions of action tracking tool 940 can include tracking of the user's biometric data: fingerprints and palm prints, signature, iris pattern, and the style of operating input devices (the keyboard and mouse mentioned above). The user identifier obtained by user action tracking tool 940 is then passed to authentication tool 1710, which enables the user to be identified accurately. Here the user identifier does not mean a single unique number but a certain set of numbers determined from the user's actions (as described above in the determination of activity).
The resulting identifier pair (user and anti-virus software) is sent by authentication tool 1710 over an encrypted link to the identification and verification tool 1720 located at cloud service 120. Tool 1720 compares the received data with the authentication database 1730, which stores user identifiers, and the licence database 1740, which stores the identifiers of issued/sold licences. Thus the anti-virus software 300 of user 910 interfaces with the cloud service only after both identifiers have matched. Note the possibility of closing the cloud service 120 interface to users characterized by a large number of anomalies. Note also that, because user action tracking tool 940 distinguishes the actions of different users, several computer users can use a single licence 1710.
Figure 18 shows an example embodiment of a method of authenticating a cloud service user and allocating certain resources to him. In step 1810 the identifier of the anti-virus software 300 licence is determined from licence 1710 information. Then in step 1820 the user identifier is determined by user action tracking tool 940. In step 1830 the obtained identifiers are sent to cloud service 120, where they are checked in step 1840. If this identifier pair does not match the identifier pairs retrieved from authentication database 1730 and licence database 1740, then in step 1850 access of user 910 to cloud service 120 is blocked and queries from his anti-virus software 300 are not processed. If the identifier pair is recognized, the role of user 910 is determined in step 1860, and in step 1870 the resources required for the role assigned to user 910 are allocated.
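The cloud-side check of Figures 17 and 18 followed by the role-based allocation of Figure 16, as an added example that is not the patent's own code. The behavioural user identifier is modelled, as the text describes, as a set of numbers derived from the user's activity rather than a single number; the licence database, the authentication database, the anomaly limit and the "advanced user" server profile are constructed assumptions of this example, while the "conventional user" and "expert" server profiles repeat the configurations listed above.

```python
"""Identifier-pair check (Figures 17/18) and role-based resource allocation.

Added example, not the patent's own code. The databases, the anomaly limit
and the "advanced user" profile are constructed; the other two server
profiles are the ones listed in the text.
"""

# Licence database 1740: identifiers of issued/sold licences (constructed).
LICENSE_DB = {
    "LIC-0001": {"status": "active"},
    "LIC-0002": {"status": "revoked"},
}

# Authentication database 1730: recognized (licence ID, user identifier)
# pairs. Two different users legitimately share LIC-0001 (constructed).
AUTH_DB = {
    ("LIC-0001", (3, 3, 3, 1)): {"role": "expert", "anomalies": 0},
    ("LIC-0001", (1, 1, 1, 2)): {"role": "conventional user", "anomalies": 0},
    ("LIC-0002", (2, 2, 2, 1)): {"role": "advanced user", "anomalies": 0},
    ("LIC-0001", (3, 1, 1, 3)): {"role": "conventional user", "anomalies": 12},
}

ANOMALY_LIMIT = 10  # assumed: above this the cloud interface is closed to the user

# Server profile allocated per role (step 1870); first two from the text.
SERVER_PROFILES = {
    "conventional user": {"cpu": "Xeon 5130", "ram_gb": 4, "disk_gb": 74, "protocol": "UDP"},
    "expert": {"cpu": "2 x Xeon 5620", "ram_gb": 24, "disk_gb": 600, "protocol": "TCP"},
    "advanced user": {"cpu": "Xeon 5130", "ram_gb": 8, "disk_gb": 148, "protocol": "TCP"},  # assumed
}

LEVEL_CODES = {"low": 1, "average": 2, "high": 3}
ACTIVITY_KEYS = ("detected_threats", "threat_uniqueness",
                 "interface_activity", "infection_activity")


def user_identifier(activity):
    """Step 1820 (tool 940): the set of numbers that identifies a user's behaviour."""
    return tuple(LEVEL_CODES[activity[key]] for key in ACTIVITY_KEYS)


def authenticate(license_id, user_id, license_db=LICENSE_DB, auth_db=AUTH_DB):
    """Steps 1840-1870: check the identifier pair, then assign role and resources."""
    licence = license_db.get(license_id)
    if licence is None or licence["status"] != "active":
        return {"allowed": False, "reason": "licence not recognized"}          # step 1850
    record = auth_db.get((license_id, user_id))
    if record is None:
        return {"allowed": False, "reason": "identifier pair not recognized"}  # step 1850
    if record["anomalies"] > ANOMALY_LIMIT:
        return {"allowed": False, "reason": "too many anomalies"}              # interface closed
    role = record["role"]                                                      # step 1860
    return {"allowed": True, "role": role, "resources": SERVER_PROFILES[role]} # step 1870


if __name__ == "__main__":
    expert_activity = dict(zip(ACTIVITY_KEYS, ("high", "high", "high", "low")))
    print(authenticate("LIC-0001", user_identifier(expert_activity)))
    print(authenticate("LIC-0001", (9, 9, 9, 9)))
```

Because the lookup key is the pair and not the licence alone, a stolen licence ID without the matching behavioural identifier is refused, and several users on one licence each receive their own role and server profile, which is the behaviour the text describes.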
Figure 19 shows, according to one example embodiment, a method of detecting computer security threats based on the rulings of computer users. In step 1910, events related to computer security on the user's computer are logged; such an event can be an attempt to start an unknown program or to follow an unknown link. Then in step 1920 the user action associated with the logged event on the user's computer is determined. Such an action can be blocking or allowing the logged event. Then, in step 1930, the logged event and the associated user action data are sent to the cloud service, where the user role is determined in step 1940. In the next step 1950, if the logged event was blocked by the user, the weight of the logged event is increased at the cloud service by the user role weight; if the logged event was allowed by the user, the weight of the logged event is decreased at the cloud service by the user role weight. For example, if a user with the "conventional user" role blocks the execution of an unknown file, he adds 1 to the weight of the logged event, taking the weights from Table 5 (step 1960); if an "expert" role user with weight 500 allowed the execution, the weight of the logged event is decreased by 500 (step 1965). It should be appreciated that the described scheme can use other methods of computing the weight of a logged event. In addition, in one embodiment not only a single event but a whole chain of events is considered, such as downloading an unknown file and attempting to start it. If other users encounter the same event, the weight of the logged event continues to be updated in step 1970. If the set weight threshold is exceeded, the event is determined in step 1980 to be associated with an
unknown threat. For example, an execution event associated with an unknown file will cause that file to be associated with unknown malware. User role weights make it possible to balance the large number of users with conventional roles (such as "conventional user"), who may make mistakes in identifying new threats, against the influence of users with senior roles such as "expert". As an example, with a set weight threshold of 1000 nominal units, the opinions of 2 "expert" role users or of 1000 "conventional user" role users will be enough to designate unknown software as malware. A situation is possible in which, although the malware was created with recently developed tools (so that, most commonly, users are misled by the Trojan) and users with the "conventional user" role make more mistakes, a sufficient number of opinions from users with the "advanced user" and "expert" roles will still allow the unknown software to be designated as malware. In another embodiment, if the weight of the logged event falls below a second set weight threshold (for example, the weight falls below -1000), the event can be determined to have no association with an unknown threat.
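The weighting of Figure 11a and the ruling method of Figure 19 carried through as an added example, not the patent's own code. Each ruling moves the logged event's weight by the ruling user's role weight from Table 5, blocking adds and allowing subtracts, and the two thresholds (+1000 for "associated with an unknown threat", -1000 for "no association") are the values the text gives. The object keys, the event-chain helper, the "undetermined" state name and the simulated ruling sequences are assumptions of this example.

```python
"""Role-weighted aggregation of user rulings on an unknown object.

Added example, not the patent's own code. Role weights and the two
thresholds are from the text; keys, helper names and scenarios are
assumptions.
"""
from collections import defaultdict

ROLE_WEIGHTS = {"conventional user": 1, "advanced user": 10, "expert": 500}  # Table 5

MALWARE_THRESHOLD = 1000  # text: 2 experts or 1000 conventional users suffice
CLEAN_THRESHOLD = -1000   # text: second threshold, "no association with a threat"


def chain_key(*events):
    """Key for a whole event chain (e.g. download of a file, then its start)."""
    return "|".join(events)


class VerdictAggregator:
    """Accumulates the weight of each logged event across users (steps 1950-1980)."""

    def __init__(self, malware_threshold=MALWARE_THRESHOLD,
                 clean_threshold=CLEAN_THRESHOLD):
        self.malware_threshold = malware_threshold
        self.clean_threshold = clean_threshold
        self.weights = defaultdict(int)

    def record(self, event_key, role, blocked):
        """Apply one user ruling and return the current verdict for the event."""
        if role not in ROLE_WEIGHTS:
            raise ValueError(f"unknown role: {role!r}")
        delta = ROLE_WEIGHTS[role]
        # Step 1960: blocking adds the role weight; step 1965: allowing subtracts it.
        self.weights[event_key] += delta if blocked else -delta
        return self.verdict(event_key)

    def verdict(self, event_key):
        """Step 1980: 'malicious', 'clean' or 'undetermined'."""
        weight = self.weights[event_key]
        if weight >= self.malware_threshold:
            return "malicious"
        if weight <= self.clean_threshold:
            return "clean"
        return "undetermined"


def simulate(rulings, **thresholds):
    """Run (role, blocked) rulings on one event chain; return (weight, verdict)."""
    agg = VerdictAggregator(**thresholds)
    key = chain_key("download:unknown.exe", "start:unknown.exe")
    for role, blocked in rulings:
        agg.record(key, role, blocked)
    return agg.weights[key], agg.verdict(key)


if __name__ == "__main__":
    # Constructed scenarios from the text: two experts suffice; a thousand
    # conventional users suffice; and a new Trojan that 500 misled
    # conventional users allowed is still caught by 2 experts and 50 advanced users.
    print(simulate([("expert", True)] * 2))
    print(simulate([("conventional user", True)] * 1000))
    print(simulate([("conventional user", False)] * 500
                   + [("expert", True)] * 2 + [("advanced user", True)] * 50))
```

Keying the aggregator by the event chain rather than by a single event is what lets the "download, then start" sequence accumulate as one object; a practitioner would also want the thresholds to be tunable per object type, which is why they are constructor arguments rather than constants baked into the verdict.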
Figure 20 depicts an example embodiment of a computer system 5, such as a network server, which can be adapted to implement embodiments of the system of the present invention. In alternative embodiments the system of the present invention can be implemented on personal computers, laptops, tablets, smartphones and other data processing devices. As shown, computer 5 can include one or more processors 15, memory 20, one or more hard disk drives 30, an optical drive 35, serial ports 40, a graphics card 45, a sound card 50 and a network card 55, connected by a system bus 10. System bus 10 can be any of several types of bus structure using any of a variety of known bus architectures, including a memory bus or memory controller, a peripheral bus and a local bus. Processor 15 can include one or more Intel Core 2 Quad 2.33 GHz processors or other types of microprocessor.
System memory 20 can include read-only memory (ROM) 21 and random-access memory (RAM) 23. Memory 20 can be implemented as DRAM (dynamic RAM), EPROM, EEPROM, flash memory or another type of memory architecture. ROM 21 stores a basic input/output system 22 (BIOS) containing the basic routines that help to transfer information between the components of computer system 5, for example during start-up. RAM 23 stores an operating system 24 (OS), for example a Windows XP Professional operating system or another type of operating system, which is responsible for managing and coordinating processes in computer system 5 and for allocating and sharing the hardware resources in computer system 5. System memory 20 also stores applications and programs 25, such as services 306. System memory 20 also stores various runtime data 26 used by programs 25.
Computer system 5 can further include a hard disk drive 30, for example a SATA magnetic hard disk drive (HDD), and an optical drive 35 for reading from or writing to removable optical disks such as CD-ROM, DVD-ROM or other optical media. Drives 30 and 35 and their associated computer-readable media provide non-volatile storage of the computer-readable instructions, data structures, applications and program modules/subroutines that implement the algorithms and methods disclosed herein. Although the exemplary computer system 5 uses magnetic and optical disks, those skilled in the art will recognize that other types of computer-readable media capable of storing data accessible by computer system 5, such as magnetic tape cassettes, flash memory cards, digital video disks, RAM, ROM, EPROM and other types of memory, can also be used in alternative embodiments of the computer system.
Computer system 5 further includes a plurality of serial ports 40, such as universal serial bus (USB) ports, for connecting data input devices 75 such as a keyboard, mouse, touchpad and other devices. Serial ports 40 can also be used to connect data output devices 80 such as printers, scanners and other devices, and other peripheral devices 85 such as external data storage devices. System 5 can also include a graphics card 45, such as an NVIDIA GeForce GT 240M or other video card, for interfacing with a monitor 60 or other video reproduction device. System 5 can also include a sound card 50 for reproducing sound via internal or external speakers 65. In addition, system 5 can include a network card 55, such as an Ethernet, WiFi, GSM, Bluetooth or other wired, wireless or cellular network interface, for connecting computer system 5 to a network 70, such as the Internet.
In various embodiments, the algorithms and methods described herein can be implemented in hardware, software, firmware or any combination thereof. If implemented in software, the functions can be stored as one or more instructions or code on a non-transitory computer-readable medium. Computer-readable media include both computer storage media and communication media that facilitate transfer of a computer program from one place to another. A storage medium can be any available medium that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Also, any connection can be termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL) or wireless technologies such as infrared, radio and microwave, then these are included within the definition of medium.
In the interest of clarity, not all of the routine features of the embodiments are shown and described herein. It will be appreciated that in the development of any such actual implementation, numerous implementation-specific decisions must be made in order to achieve the developer's specific goals, and that these specific goals will vary from one implementation to another and from one developer to another. Moreover, it will be appreciated that such a development effort might be complex and time-consuming, but would nevertheless be a routine undertaking of engineering for those of ordinary skill in the art having the benefit of this disclosure.
Furthermore, it is to be understood that the phraseology or terminology used herein is for the purpose of description and not of limitation, so that the terminology or phraseology of the present specification is to be interpreted by those skilled in the art in light of the teachings and guidance presented herein, in combination with the knowledge of one of ordinary skill in the relevant art(s). Moreover, it is not intended for any term in the specification or claims to be ascribed an uncommon or special meaning unless explicitly set forth as such.
The various embodiments disclosed herein encompass present and future known equivalents of the known components referred to herein by way of illustration. Moreover, while embodiments and applications have been shown and described, it would be apparent to those skilled in the art having the benefit of this disclosure that many more modifications than mentioned above are possible without departing from the inventive concepts disclosed herein.

Claims (7)

1. A computer-implemented method for detecting unknown security threats, the method comprising:
receiving, from an anti-virus application deployed on a user's computer, information about an unknown security event associated with a software object executed on said computer, and a user ruling indicating whether said software object is harmful or harmless to the security of said computer;
identifying the user of said computer and the role of said user, wherein the role of said user indicates the user's level of expertise in the field of computer security;
if the role of said user indicates that said user has a high level of expertise in computer security, accepting the user's ruling that said software object is harmful or harmless;
if the role of said user indicates that said user has a low level of expertise in computer security, analyzing the information about said security event received from said anti-virus application to verify whether the user's ruling is correct; and
if the user's ruling is accepted or verified as correct, updating an anti-virus database with the information about said security event and the associated software object and an indication that it is harmful or harmless, said anti-virus database being associated with said anti-virus application and containing information about known harmful and harmless software objects.
2. The method of claim 1, further comprising:
if the user's ruling is verified as correct, increasing the user's level of expertise; and
if the user's level of expertise reaches a predefined threshold, raising the user's role.
3. The method of claim 1, wherein the user's level of expertise in the field of computer security is based on one or more of the following:
the total number of computer threats detected by said user;
the number of unique computer threats detected by said user;
the user's level of proficiency with said anti-virus software;
the infection frequency of the user's computer; and
information about the programs installed on the user's computer and the user's use of said programs.
4. The method of claim 1, further comprising:
detecting anomalies in the information received from said anti-virus application by comparing the received information with the history of threats detected by said user; and
lowering the role of said user based on the one or more detected anomalies.
5. The method of claim 1, wherein different roles have different associated weight coefficients, and wherein, during verification of the user's ruling, the user's ruling is given a higher or lower weight according to the weight coefficient associated with the role of said user.
6. The method of claim 1, wherein, if the information about said security event received from said anti-virus application is insufficient to verify whether the user's ruling is correct or incorrect, the processor is further configured to collect from said computer additional information about said security event and the associated software, said additional information comprising one or more of the following:
information about said security event generated by one or more different security modules of said anti-virus application, each module performing a different anti-virus analysis;
information about the software and hardware state of the computer at the time said security event occurred; and
the date, time and repetition frequency of said security event.
7. The method according to claim 1, wherein the software object comprises one of an executable file, a data file and a link.
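The role-weighted verification described in claims 3 to 5, as an added example that is not code from the patent or from Kaspersky Lab: the role names, weight coefficients, thresholds and the 0..1 scales are assumptions, and the anomaly check compares the received verdict with the user's own detection history before any role is lowered.

```python
from dataclasses import dataclass, field

# Assumed role names and weight coefficients (claim 5); not values from the patent.
ROLE_WEIGHT = {"novice": 0.2, "advanced": 0.6, "expert": 1.0}
ROLE_ORDER = ["novice", "advanced", "expert"]


@dataclass
class UserProfile:
    """Claim 3 factors for one user; the scales are assumptions."""
    total_threats: int            # total threats detected by this user
    unique_threats: int           # distinct threats detected by this user
    av_proficiency: float         # proficiency with the AV product, 0.0..1.0
    infections_per_month: float   # infection frequency of the user's machine
    history: set = field(default_factory=set)  # object hashes this user earlier reported as threats


def assign_role(u: UserProfile) -> str:
    # Thresholds are assumptions chosen for illustration.
    if u.unique_threats >= 50 and u.av_proficiency >= 0.8 and u.infections_per_month < 0.5:
        return "expert"
    if u.total_threats >= 10 and u.av_proficiency >= 0.5:
        return "advanced"
    return "novice"


def detect_anomaly(u: UserProfile, event: dict) -> bool:
    # Claim 4: compare the received verdict with the user's history; calling an object
    # "harmless" that this same user previously reported as a threat is inconsistent.
    return event["verdict"] == "harmless" and event["sha256"] in u.history


def lower_role(role: str) -> str:
    return ROLE_ORDER[max(ROLE_ORDER.index(role) - 1, 0)]


def check_verdict(u: UserProfile, event: dict, analysis_score: float) -> dict:
    """analysis_score: the backend's own estimate (0..1) that the object is malicious."""
    role = assign_role(u)
    if detect_anomaly(u, event):
        role = lower_role(role)            # claim 4: demote the role on an anomaly
    w = ROLE_WEIGHT[role]
    user_malicious = 1.0 if event["verdict"] == "malicious" else 0.0
    # Claim 5: the user's verdict counts with its role weight; an expert (w=1.0) is
    # accepted outright, a novice's verdict is mostly checked against the analysis.
    score = w * user_malicious + (1.0 - w) * analysis_score
    accepted = (score >= 0.5) == (user_malicious == 1.0)
    return {"role": role, "score": round(score, 6), "accepted": accepted}
```

An accepted verdict is the point at which the anti-virus database would be updated; a rejected one is what claim 6 would follow up by collecting additional event information.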
CN201210352269.7A 2011-09-20 2012-09-20 Based on the system and method for the ruling detection computations machine security threat of computer user Active CN103065088B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
RU2011138462 2011-09-20
RU2011138462/08A RU2011138462A (en) 2011-09-20 2011-09-20 USE OF USER SOLUTIONS TO DETECT UNKNOWN COMPUTER THREATS

Publications (2)

Publication Number Publication Date
CN103065088A CN103065088A (en) 2013-04-24
CN103065088B CN103065088B (en) 2016-03-30

Family

ID=48107716

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210352269.7A Active CN103065088B (en) 2011-09-20 2012-09-20 Based on the system and method for the ruling detection computations machine security threat of computer user

Country Status (2)

Country Link
CN (1) CN103065088B (en)
RU (1) RU2011138462A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104283703A (en) * 2013-07-08 2015-01-14 中国移动通信集团黑龙江有限公司 User login reminding method and system
CN104572844A (en) * 2014-12-11 2015-04-29 百度在线网络技术(北京)有限公司 Method and equipment for providing prompt message corresponding to target search result
CN105637522A (en) * 2013-09-06 2016-06-01 微软技术许可有限责任公司 World-driven access control using trusted certificates
CN105912927A (en) * 2015-02-20 2016-08-31 卡巴斯基实验室股份制公司 System And Method For Generating Application Control Rules
CN107403097A (en) * 2017-08-10 2017-11-28 清远博云软件有限公司 A kind of core system software running guard method
CN107808094A (en) * 2016-09-08 2018-03-16 卡巴斯基实验室股份制公司 The system and method for detecting the malicious code in file
CN109241734A (en) * 2018-08-10 2019-01-18 航天信息股份有限公司 A kind of securing software operational efficiency optimization method and system
CN110383238A (en) * 2016-05-15 2019-10-25 新思科技有限公司 System and method for the software analysis based on model
CN110602119A (en) * 2019-09-19 2019-12-20 迈普通信技术股份有限公司 Virus protection method, device and system
CN111382436A (en) * 2018-12-28 2020-07-07 卡巴斯基实验室股份制公司 Method for detecting compatible system for abnormal system
CN111538972A (en) * 2018-12-28 2020-08-14 卡巴斯基实验室股份公司 System and method for verifying attack resilience in digital signatures of documents
CN112231750A (en) * 2020-10-14 2021-01-15 海南大学 Multi-mode privacy protection method integrating fairness, justice and transparent regulation technologization
CN114064360A (en) * 2021-11-15 2022-02-18 南方电网数字电网研究院有限公司 Important information backup and encryption method based on combination of big data analysis and cloud computing
CN114826707A (en) * 2022-04-13 2022-07-29 中国人民解放军战略支援部队航天工程大学 Method, apparatus, electronic device and computer readable medium for handling user threats

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9117077B2 (en) * 2013-09-27 2015-08-25 Bitdefender IPR Management Ltd. Systems and methods for using a reputation indicator to facilitate malware scanning
RU2679783C2 (en) * 2015-12-18 2019-02-12 Закрытое акционерное общество "Лаборатория Касперского" Method of creating script of popular activation events
US10237293B2 (en) * 2016-10-27 2019-03-19 Bitdefender IPR Management Ltd. Dynamic reputation indicator for optimizing computer security operations

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2169582A1 (en) * 2008-09-25 2010-03-31 Symantec Corporation Method and apparatus for determining software trustworthiness
EP2169583A1 (en) * 2008-09-26 2010-03-31 Symantec Corporation Method and apparatus for reducing false positive detection of malware
EP2306357A2 (en) * 2009-10-01 2011-04-06 Kaspersky Lab Zao Method and system for detection of previously unknown malware
CN102203791A (en) * 2008-08-29 2011-09-28 Avg技术捷克有限责任公司 System and method for detection of malware

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104283703A (en) * 2013-07-08 2015-01-14 中国移动通信集团黑龙江有限公司 User login reminding method and system
CN105637522B (en) * 2013-09-06 2019-07-09 微软技术许可有限责任公司 Access control is driven using the world of trusted certificate
CN105637522A (en) * 2013-09-06 2016-06-01 微软技术许可有限责任公司 World-driven access control using trusted certificates
CN104572844A (en) * 2014-12-11 2015-04-29 百度在线网络技术(北京)有限公司 Method and equipment for providing prompt message corresponding to target search result
CN104572844B (en) * 2014-12-11 2018-03-23 百度在线网络技术(北京)有限公司 The method and apparatus of prompting message corresponding to target search result is provided
CN105912927A (en) * 2015-02-20 2016-08-31 卡巴斯基实验室股份制公司 System And Method For Generating Application Control Rules
CN105912927B (en) * 2015-02-20 2019-03-08 卡巴斯基实验室股份制公司 System and method for generating application control rule
CN110383238B (en) * 2016-05-15 2024-01-05 新思科技有限公司 System and method for model-based software analysis
CN110383238A (en) * 2016-05-15 2019-10-25 新思科技有限公司 System and method for the software analysis based on model
CN107808094A (en) * 2016-09-08 2018-03-16 卡巴斯基实验室股份制公司 The system and method for detecting the malicious code in file
CN107808094B (en) * 2016-09-08 2021-06-04 卡巴斯基实验室股份制公司 System and method for detecting malicious code in a file
CN107403097A (en) * 2017-08-10 2017-11-28 清远博云软件有限公司 A kind of core system software running guard method
CN109241734A (en) * 2018-08-10 2019-01-18 航天信息股份有限公司 A kind of securing software operational efficiency optimization method and system
CN111382436A (en) * 2018-12-28 2020-07-07 卡巴斯基实验室股份制公司 Method for detecting compatible system for abnormal system
CN111538972A (en) * 2018-12-28 2020-08-14 卡巴斯基实验室股份公司 System and method for verifying attack resilience in digital signatures of documents
CN111382436B (en) * 2018-12-28 2023-06-23 卡巴斯基实验室股份制公司 Method for detecting compatible system for abnormal system
CN110602119A (en) * 2019-09-19 2019-12-20 迈普通信技术股份有限公司 Virus protection method, device and system
CN112231750A (en) * 2020-10-14 2021-01-15 海南大学 Multi-mode privacy protection method integrating fairness, justice and transparent regulation technologization
CN114064360A (en) * 2021-11-15 2022-02-18 南方电网数字电网研究院有限公司 Important information backup and encryption method based on combination of big data analysis and cloud computing
CN114064360B (en) * 2021-11-15 2024-04-09 南方电网数字电网研究院有限公司 Important information backup and encryption method based on combination of big data analysis and cloud computing
CN114826707A (en) * 2022-04-13 2022-07-29 中国人民解放军战略支援部队航天工程大学 Method, apparatus, electronic device and computer readable medium for handling user threats

Also Published As

Publication number Publication date
CN103065088B (en) 2016-03-30
RU2011138462A (en) 2013-04-10

Similar Documents

Publication Publication Date Title
CN103065088B (en) Based on the system and method for the ruling detection computations machine security threat of computer user
US8214905B1 (en) System and method for dynamically allocating computing resources for processing security information
Alsaheel et al. {ATLAS}: A sequence-based learning approach for attack investigation
JP7086972B2 (en) Continuous learning for intrusion detection
US8209758B1 (en) System and method for classifying users of antivirus software based on their level of expertise in the field of computer security
US8214904B1 (en) System and method for detecting computer security threats based on verdicts of computer users
US11089034B2 (en) Systems and methods for behavioral threat detection
US10554736B2 (en) Mobile URL categorization
US10264009B2 (en) Automated machine learning scheme for software exploit prediction
Su et al. Evil under the sun: Understanding and discovering attacks on ethereum decentralized applications
CN102651061B (en) System and method of protecting computing device from malicious objects using complex infection schemes
US8732836B2 (en) System and method for correcting antivirus records to minimize false malware detections
CN109271780A (en) Method, system and the computer-readable medium of machine learning malware detection model
CN103065094A (en) System and method for detecting malware targeting the boot process of a computer using boot process emulation
US11153332B2 (en) Systems and methods for behavioral threat detection
EP2584488B1 (en) System and method for detecting computer security threats based on verdicts of computer users
CN103218554A (en) System and method for controlling user action on basis of user action adaptation
Albishry et al. An attribute extraction for automated malware attack classification and detection using soft computing techniques
Luh et al. Advanced threat intelligence: detection and classification of anomalous behavior in system processes
Sun et al. Padetective: A systematic approach to automate detection of promotional attackers in mobile app store
Marulli et al. Let’s gossip: Exploring malware zero-day time windows by social network analysis
RU2743620C1 (en) Method and system for determining malicious activity by analyzing the behaviour of objects in non-insulated environment
RU2772549C1 (en) Systems and methods for detecting behavioural threats
Karanth et al. Pattern mining for future attacks
US11323459B2 (en) Systems and methods for behavioral threat detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant