CN103065088B - System and method for detecting computer security threats based on the rulings of computer users - Google Patents

Info

Publication number: CN103065088B
Authority: CN (China)
Prior art keywords: user, computer, ruling, role, software
Legal status: Active
Application number: CN201210352269.7A
Other languages: Chinese (zh)
Other versions: CN103065088A
Inventors: 安德烈·P·多克瓦罗夫, 安东·V·季霍米罗夫
Current assignee: Kaspersky Lab AO
Original assignee: Kaspersky Lab AO
Events: application filed by Kaspersky Lab AO; publication of CN103065088A; application granted; publication of CN103065088B; legal status currently active.

Abstract

Disclosed are a system, method and computer program product for detecting unknown security threats. In one example, the system receives, from an anti-virus application deployed on a user's computer, information about an unknown security event associated with software executing on the computer, together with a user's ruling indicating whether the software object is harmful or harmless. The system identifies the user of the computer and the user's role. The role indicates the user's level of expertise in the field of computer security. If the user has a high level of expertise in computer security, the system accepts the user's ruling. If the user has a low level of expertise, the system analyses the information about the security event to verify that the user's ruling is correct. If the user's ruling is accepted or verified as correct, the system updates the anti-virus database associated with the anti-virus application.

Description

System and method for detecting computer security threats based on the rulings of computer users
Technical field
The present invention relates generally to the field of computer security, and more specifically to systems, methods and computer program products for detecting computer security threats based on the rulings of computer users.
Background
Recently, more and more information technology companies have been researching cloud computing to meet their web hosting, data storage and data processing needs. Cloud computing means providing the computing power required for data processing in the form of an Internet service. The cloud computing customer therefore does not need to worry about infrastructure; that is handled by the service provider. On the one hand, this is a very convenient tool for the home user, who does not need to deal with complex software and hardware interfaces; on the other hand, these responsibilities are transferred to the provider.
Cloud data processing means the distributed processing of various types of data at various levels. In one case it can mean providing hardware and system software for use (infrastructure as a service). In other cases a whole platform for developing, testing and supporting applications is provided (platform as a service). At present, one of the most common options is the provision of software as a service. Other abstraction trends, such as scalable hardware and software services, are also developing. For brevity, cloud data processing is referred to below as a "cloud service".
At present there are many different cloud computing options. For example, Google Apps allows various types of document to be edited online using only a web browser, with the data stored on Google servers. A recent Google development, the Chrome operating system (OS), also uses the browser as the central instrument for accessing other resources; it is designed to reduce the load on the client computer (such as a netbook) while offering good reliability and simplicity of operation, since the whole infrastructure is located on servers. Another good example of cloud computing is the OnLive platform, which processes all game data on the server and sends it to the client in multimedia form, so that the latest computer games can be enjoyed in real time even on computers with very limited hardware capabilities (such as netbooks or tablets). Microsoft is currently developing its Azure platform for creating distributed web applications. The operating principle of the platform is that the problems of scale and resource access are solved in return for a subscription fee paid for the resources used.
Fig. 1 shows a high-level schematic of the cloud service described above. Cloud service 120 is shown with its software and hardware resources 110, which can be requested by personal computers (PCs) 100. Development of this model is currently being actively promoted and, as noted above, it places significant responsibilities on the provider of cloud service 120: responsibilities associated with issues such as the security of user data and with the flexible scaling of the software and hardware resources 110 that are provided.
Given the advantages of cloud computing, it is not at all surprising that it has attracted the interest of anti-virus software companies, which have recently seen the number of threats grow beyond every imaginable limit. Hereinafter, a threat means various kinds of malware, such as Trojan horses, network worms, viruses and other unwanted software, as well as web pages with links to malicious and other unwanted software, software vulnerabilities, and so on. Unwanted software can include crimeware, spyware, and software that blocks data or the operability of the computer (ransomware). Fig. 2 shows the growth in the number of new unique malicious files intercepted and analysed by ZAO Kaspersky Lab. The growth is clearly exponential, and it is driven by a number of causes that have emerged recently. Meanwhile, the capacity of anti-virus companies to handle new threats, in both hardware and staff (virus analysts), is very limited and cannot grow at the same pace as the volume of threats. One reason for the growth in the volume of new unique malware is the great development of telecommunications, including the correspondingly rapid growth of the Internet and of its number of users. This in turn stimulates the development of various web-based online services: online banking, virtual currencies (such as WebMoney), live journals and blogging, and the migration of much software to the web (the already mentioned Google Apps is a good example). Correspondingly, the current generation of cybercriminals is actively using these developments to carry out web attacks intended to steal and extort money by means of malware. Recently their activity has affected not only banking (the so-called banking Trojans) but has extended to hacking the accounts of popular online games and to extortion using Trojan ransomware. Several factors contribute to their success and to the corresponding growth in malware shown in Fig. 2: the insufficient security of many online services, the lack or complete absence of cybercrime laws in many countries, and sometimes the basic ignorance of computer security among computer users.
It must be admitted that the existing malware protection methods, represented by signature and heuristic detection, have in fact largely exhausted their potential. Heuristic analysis is based on searching for specific features characteristic of malware (code fragments, certain registry keys, file names or processes), but debugging each heuristic scenario takes a great deal of time and always carries a risk of error (false positive detections). The efficiency of current heuristic detection methods stands at 60 to 70%, and this is in fact close to the maximum achievable level.
Traditional signature analysis still allows malware to be identified quickly and accurately, but only when the malware is already known. Signatures are therefore updated continually (at present, every hour), and this brings a significant drawback: as shown in Fig. 3, such protection gives malware a certain amount of time to propagate according to its own nature. From the moment the malware is released, several hours or even days may pass before the anti-virus company obtains a sample (usually an executable file), analyses it, detects its malicious behaviour, adds it to the signature database and tests it before the update is distributed to the anti-virus servers. The whole process may take hours, sometimes days, and the situation is constantly worsening because not all steps of the malware detection process can be automated.
At present the anti-virus industry is actively developing other detection methods based on different principles. Symantec's technology is based on using the so-called Wisdom of the Crowd for the reputation of unknown executable files. The reputation is created by users, who manually determine the degree of danger represented by a file. This is not a new idea: James Surowiecki's book "The Wisdom of Crowds" contains a theory based on the interesting fact that a large number of non-experts can make better decisions than an expert. Thus, the more users who "vote" a file as malicious, the higher the "malicious" reputation assigned to that file. On the one hand, this allows the opinion of the majority to be relied upon; at the same time, because most users are not computer security experts and may therefore make wrong decisions, this element becomes a generator of errors, which may lead to non-malicious software being blocked. In addition, most malware belongs to the Trojan horse type, i.e. programs that "imitate" safe and useful programs, which makes it easy for inexperienced users to trust them. If common software such as the calculator (calc.exe) is infected by a virus, a home user without sufficient professional knowledge will not be able to draw the correct conclusion.
Another technology, such as McAfee's Artemis, provides analysis of the fingerprints of unknown executable files. The sequence begins when the user's anti-virus application detects a suspicious file, for example one that is encrypted or packed. Hereinafter, a packed file means an executable file that has been specially compressed and contains an additional unpacking routine; UPX is a typical example of a program for compressing executable files. After detecting a suspicious file that cannot be found in the local (i.e. user-side) "white list" and "black list" software databases, the anti-virus application transmits the file's fingerprint (hash sum) to a server, where the fingerprint is checked against malware hashes. This removes the problem of the delay associated with updating the client databases shown in Fig. 3. But because the anti-virus company must have the fingerprint (hash sum) of the specific file ("clean" or malicious), this in turn creates the problem of the company obtaining that file in time, so this method is not flawless either. Because a large number of executable files are generated every minute, obtaining such files quickly is very difficult.
However, the latest successful developments in the field of cloud computing currently give rise to a series of related problems. One of them is associated with the following situation: when a large number of users work with a cloud service, each user is usually regarded, at any time, as a unit with equal rights and abilities. Commercial cloud services use various business models to differentiate user capabilities; Azure, for example, charges different fees for different amounts of resources used. But if users themselves participate directly in the operation of the cloud service, it becomes necessary to group them using a certain set of rules, which allows the service to operate better and, in particular, to detect threats faster and more accurately. This applies, for example, to Wisdom of the Crowd technology as well.
The present invention is concerned with solving the following task: making use of a large number of users in malware detection by creating user categories and segmenting users by qualification according to the user's role.
Summary of the invention
Disclosed are a system, method and computer program product for detecting computer security threats based on the rulings of computer users. In one exemplary embodiment, the system receives, from an anti-virus application deployed on a user's computer, information about an unknown security event associated with software executing on the computer, together with the user's ruling indicating whether the software is harmful or harmless to the security of the computer. The system identifies the user of the computer and the role of the user, where the user role indicates the user's level of expertise in the field of computer security. If the user's role indicates that the user has a high level of expertise in computer security, the system accepts the user's ruling that the software is harmful or harmless. If the user's role indicates that the user has a low level of expertise in computer security, the system analyses the information about the security event received from the anti-virus application to verify that the user's ruling is correct. If the user's ruling is accepted or verified as correct, the system uses the information about the security event and the indication that the associated software is harmful or harmless to update an anti-virus database that is associated with the anti-virus application and contains information about known harmful and harmless software.
Also disclosed are a system, method and computer program product for automatically allocating computing resources for processing security information. In one exemplary embodiment, the system receives, from an anti-virus application deployed on a user's computer, information about user actions related to the security of the computer. The system analyses the user actions related to the security of the computer to determine the user's level of expertise in the field of computer security. Based on that level of expertise, the system then classifies the user into one of two or more different roles. Based on the user role, the system automatically selects configuration settings for the anti-virus application for collecting information about security threats detected by the user, where more information about detected security threats is collected from users with a higher level of expertise in computer security than from users with a lower level. Based on the user role, the system also automatically allocates and configures computing resources and services for processing the information about security threats detected by the user that is collected by the anti-virus application deployed on the user's computer, where more computing resources and services are allocated to processing information from users with a higher level of expertise in computer security than from users with a lower level.
Also disclosed are a system, method and computer program product for classifying users of anti-virus software based on the user's level of expertise in the field of computer security. In one exemplary embodiment, the system receives, from anti-virus software deployed on a user's computer, information about the security of the user's computer and about the user's history of using the anti-virus software. The system divides the received information into a number of categories, including at least (I) the number of computer threats detected by the user, (II) the frequency with which the user's computer is infected by malware, and (III) the user's level of proficiency with the anti-virus software. For each category of information, the system then selects one or more condition-action rules and applies the selected rules to the categorised information to determine the user's level of expertise in the field of computer security. Finally, based on the determined level of expertise, the system classifies the user as one of an expert user, an advanced user or a typical user.
The brief summary of exemplary embodiments above is provided to give a basic understanding of the invention. It is not an extensive overview of all contemplated aspects of the invention, and it is intended neither to identify the key or critical elements of all embodiments nor to delineate the scope of any or all embodiments. Its sole purpose is to present one or more embodiments in simplified form as a prelude to the more detailed description of the invention that follows. To achieve the foregoing, one or more embodiments comprise the features described and particularly pointed out in the claims.
Brief description of the drawings
The accompanying drawings, which are incorporated into and form part of this specification, illustrate one or more exemplary embodiments of the invention and, together with the detailed description, serve to explain the principles and implementations of the embodiments.
In the accompanying drawings:
Fig. 1 shows a high-level schematic of a cloud service.
Fig. 2 shows a schematic of the recent growth in the spread of computer malware.
Fig. 3 shows a timeline of the detection of new computer malware.
Fig. 3A shows a schematic of anti-virus software according to one exemplary embodiment.
Fig. 4 shows a sample set of parameters forming a user's reputation, according to one exemplary embodiment.
Fig. 4A shows a user reputation diagram based on the user reputation parameters of Fig. 4, according to one exemplary embodiment.
Fig. 5 shows a reputation analysis system for cloud service users, according to one exemplary embodiment.
Fig. 6 shows a user notification processing method according to one exemplary embodiment.
Fig. 7 shows a threat detection notification processing method according to one exemplary embodiment.
Fig. 8 shows a threat detection notification processing method for threats detected on a user's computer, according to one exemplary embodiment.
Fig. 9 shows a logging system for user computer events, according to one exemplary embodiment.
Fig. 10 shows a logging method for user computer events, according to one exemplary embodiment.
Fig. 11 shows a sample role-based classification of cloud service users, according to one exemplary embodiment.
Fig. 11A shows a method for determining user role weights, according to one exemplary embodiment.
Fig. 12 shows a sample schematic of cloud service user roles, according to one exemplary embodiment.
Fig. 13 shows a user role assignment method that depends on reputation and other parameters, according to one exemplary embodiment.
Fig. 14 shows a curve of the change over time in the estimate of detected threats, according to one exemplary embodiment.
Fig. 15 shows the distribution of the volume of data transmitted by users depending on user role, according to one exemplary embodiment.
Fig. 16 shows a method of allocating cloud service computing resources for processing notifications from a specific user, according to one exemplary embodiment.
Fig. 17 shows a user verification mechanism for protecting the cloud service from illegitimate use, according to one exemplary embodiment.
Fig. 18 shows a method of identifying cloud service users and allocating certain resources to a user, according to one exemplary embodiment.
Fig. 19 shows a method for detecting computer security threats based on the rulings of computer users, according to one exemplary embodiment.
Fig. 20 shows a schematic of a computer system according to one exemplary embodiment.
Detailed description
Exemplary embodiments of the present invention are described herein in the context of systems, methods and computer program products for detecting computer security threats based on the rulings of computer users. Those skilled in the art will understand that the following description is illustrative only and is not intended to be limiting in any way. Other embodiments will readily suggest themselves to those skilled in the art having the benefit of this disclosure. Reference will now be made in detail to implementations of the exemplary embodiments as illustrated in the accompanying drawings. The same reference numerals are used throughout the drawings and the following description to refer to the same or similar items wherever possible.
Although the exemplary embodiments of the invention are directed to providing computer security services in a cloud computing environment, those skilled in the art will understand that in other embodiments the principles of the invention can be used in other computing paradigms, for example on the client side, on the server side, in a distributed computing environment, and so on.
First, the classification of cloud service users (clients) and the problem of protecting the cloud service and its users from various computer threats will be discussed.
Current computer security products, such as anti-virus software or security systems, comprise a large number of modules deployed for various tasks. Fig. 3A illustrates an example of current anti-virus software 300, which can be installed on user device 100. Some modules are essential to the operation of the software, for example the update module and the file anti-virus module. The update module is designed mainly for updating the anti-virus database, whose up-to-date state is essential for the reliable and timely detection of malware and other threats. It should be noted that such threats can be represented by known malware, by links to harmful content (addresses of harmful resources) and by unknown malware, as well as by potentially dangerous software that performs actions similar to those of malware (a similar installation sequence is characteristic of many malicious programs). The anti-virus database itself can include, for example, signatures of known malware, the data set required by the anti-spam module, and so on. The anti-virus database also includes external services, such as the anti-virus company's databases, which comprise large knowledge bases, for example a "white list" containing information about trusted software; cloud service 120 is regarded here as such an external service. Depending on the availability of options such as e-mail or the Internet, other modules are needed, such as e-mail anti-virus, web anti-virus, IM anti-virus (which checks instant messaging data) and a network firewall. Others are auxiliary tools: an anti-spam module for filtering incoming e-mail, a backup module, a personal data manager (for isolating and protecting the most important data) and a virtual keyboard for secure data entry that is not compromised by programs such as key loggers. Some modules, such as the anti-banner module, can be used together with the web browser while surfing the Internet. Some modules require a great deal of time and resources to operate, but they can also handle unknown malware and attacks. These modules include, but are not limited to: HIPS (host intrusion prevention system), which restricts the access of unknown software to computer resources; the proactive defence module, which can determine the active infection stage (that is, the moment when malware has begun its operation on the computer); and an emulator and virtual machine, which can be used for the secure execution of uncommon executable files. This list of tools differs from one anti-virus product to another: modules can have different names, some modules can be built into other modules, and so on.
Usually each module of anti-virus application 300 has its own user interface and associated functionality. For example, the anti-spam module provides the ability to train the module, to edit the lists of trusted and blocked addresses, to create lists of permitted and obscene phrases, and so on. The HIPS module allows the user to set and modify the resource access rights of particular software, to make various programs trusted, and to form software groups based on trust level. Each module therefore has its own level of user interface for obtaining additional information. Even when most modules operate in automatic mode, certain operations still require user input. All of this suggests that, in a world where the volume of computer threats is constantly growing, the final action of the user still plays an important role despite the automation of most anti-virus software modules.
It should further be noted that user input is required only in the following situation: when one of the anti-virus software modules cannot reach a definite conclusion about the threat posed by a suspicious object, for example an unknown file the user is attempting to execute or a link the user is attempting to follow in the browser. The modules that ask the user for a decision, or ruling, on whether an object is harmful or harmless can include the proactive defence module and the virtual machine. Moreover, as threats evolve, the importance of such modules is constantly increasing. It is therefore necessary to obtain the user's decision, and for this purpose selecting the most competent users makes it possible to avoid the errors mentioned above. Consequently, in order to identify the most competent users from the standpoint of computer security knowledge, a selection (classification) of cloud service users is necessary.
User classification means selecting certain common features for certain categories in order to group users. Categories can be predefined and relate to various aspects of user activity within the anti-virus software framework: the number of threats detected, their uniqueness, proficiency in using the anti-virus software interface, the frequency of computer infection, information about the programs installed on the user's computer and the user's usage of those programs, and so on.
The activity for each feature can be expressed as a certain value, that is, numerically. For a simplified representation and better assessment, the numerical values can correspond to a set of terms in fuzzy logic. A fuzzy logic system involves three stages:
Fuzzification, the introduction of vagueness. In this operation all input variables are matched to linguistic variables, a set of terms is created for each linguistic variable, and a membership function is created for each term. For example, the term set for the linguistic variable "number of threats detected" would be {"very low", "low", "average", "high", "very high"}, which allows a move away from a large number of raw numbers.
Creation and use of a fuzzy knowledge base. The fuzzy knowledge base comprises condition-action rules of the type IF <rule hypothesis> THEN <rule conclusion>. For example, the following rule can be used: "if the number of threats detected exceeds a set value, then the quantified detected threat activity is high". Because such rules are understandable and are a kind of "language code", formulating them is usually easy.
Defuzzification, the output of a crisp number, which is for example the assessment of a certain user activity that indicates the user's level of expertise in the field of computer security.
The activity values obtained for each feature can be interpreted together as a single concept, called "reputation". Generally, a user's reputation indicates the user's level of expertise in the field of computer security. Various aspects of reputation are used to determine the role of the user, that is, the user classification described below. Fig. 4 shows a sample set of parameters for creating a reputation. It should be noted that in one embodiment the reputation can be represented by a number, or in other embodiments by a certain set of features or a vector.
If the reputation is expressed as a set of numbers rather than a single value, it can be represented schematically as a set or vector. Fig. 4A shows an example of such a representation using two activity parameters: the number of threats detected and the activity of software interface use. A user's reputation can thus be expressed as follows:
                     Number of threats detected   Application interface use activity
User 1 reputation    Low                          Average
User 2 reputation    High                         High
Table 1
When other activity types are added, the reputation has the general form: reputation = {activity 1, activity 2, ..., activity N}.
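The three fuzzy-logic stages above and the reputation vector of Table 1, worked through in code. This is an added example, not code from the patent or from Kaspersky Lab: the membership-function breakpoints, the rule base, the output centroids and the role thresholds are all constructed assumptions, and the role labels (expert, advanced, typical) are those of the summary.

```python
"""Fuzzy-logic user reputation and role assignment (added example, not patent code).

Stage 1 fuzzifies two activity features from Table 1 into linguistic terms,
stage 2 fires IF-THEN condition-action rules, stage 3 defuzzifies to a crisp
expertise level, and the result is packed into the reputation vector
{activity 1, activity 2, ...} together with the derived role.
All breakpoints, rules, centroids and thresholds are constructed assumptions.
"""
from typing import Dict, List, Tuple

Trapezoid = Tuple[float, float, float, float]  # (a, b, c, d) membership shape

# Linguistic variable "number of threats detected" (per month; assumed scale).
THREAT_TERMS: Dict[str, Trapezoid] = {
    "very low":  (0, 0, 1, 3),
    "low":       (1, 3, 5, 8),
    "average":   (5, 8, 15, 25),
    "high":      (15, 25, 50, 80),
    "very high": (50, 80, 1e9, 1e9),
}
# Linguistic variable "interface use activity" (actions per month; assumed scale).
USAGE_TERMS: Dict[str, Trapezoid] = {
    "low":     (0, 0, 5, 15),
    "average": (5, 15, 30, 50),
    "high":    (30, 50, 1e9, 1e9),
}
# Output term -> representative expertise value used by defuzzification (assumed).
EXPERTISE_CENTROID = {"low": 0.2, "medium": 0.5, "high": 0.85}

# Fuzzy knowledge base: IF <all conditions, ANDed with min> THEN <expertise term>.
RULES: List[Tuple[List[Tuple[str, str]], str]] = [
    ([("threats", "very high"), ("usage", "high")], "high"),
    ([("threats", "high"), ("usage", "high")], "high"),
    ([("threats", "average"), ("usage", "average")], "medium"),
    ([("threats", "high"), ("usage", "average")], "medium"),
    ([("threats", "average"), ("usage", "high")], "medium"),
    ([("threats", "low")], "low"),
    ([("threats", "very low")], "low"),
    ([("usage", "low")], "low"),
]
# Role thresholds on the crisp expertise level, checked from highest to lowest.
ROLE_THRESHOLDS = [("expert", 0.7), ("advanced", 0.4), ("typical", 0.0)]


def trapezoid(x: float, shape: Trapezoid) -> float:
    """Trapezoidal membership: rises on (a, b), is 1 on [b, c], falls on (c, d)."""
    a, b, c, d = shape
    if b <= x <= c:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    if c < x < d:
        return (d - x) / (d - c)
    return 0.0


def fuzzify(value: float, terms: Dict[str, Trapezoid]) -> Dict[str, float]:
    """Stage 1: degree of membership of a crisp value in every term of a variable."""
    return {term: trapezoid(value, shape) for term, shape in terms.items()}


def apply_rules(memberships: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Stage 2: fire every rule; rules sharing a conclusion accumulate their strength."""
    weights = {term: 0.0 for term in EXPERTISE_CENTROID}
    for conditions, conclusion in RULES:
        firing = min(memberships[var][term] for var, term in conditions)
        weights[conclusion] += firing
    return weights


def defuzzify(weights: Dict[str, float]) -> float:
    """Stage 3: weighted average of the output centroids -> expertise level in [0, 1]."""
    total = sum(weights.values())
    if total == 0.0:
        return 0.0
    return sum(w * EXPERTISE_CENTROID[t] for t, w in weights.items()) / total


def dominant_term(memberships: Dict[str, float]) -> str:
    """The linguistic label with the highest membership, as displayed in Table 1."""
    return max(memberships, key=memberships.get)


def assign_role(expertise: float) -> str:
    for role, threshold in ROLE_THRESHOLDS:
        if expertise >= threshold:
            return role
    return "typical"


def reputation(threats_detected: float, interface_actions: float) -> Dict[str, object]:
    """Reputation vector {activity 1, activity 2} plus crisp expertise and role."""
    memberships = {
        "threats": fuzzify(threats_detected, THREAT_TERMS),
        "usage": fuzzify(interface_actions, USAGE_TERMS),
    }
    expertise = defuzzify(apply_rules(memberships))
    return {
        "threats detected": dominant_term(memberships["threats"]),
        "interface usage": dominant_term(memberships["usage"]),
        "expertise": round(expertise, 4),
        "role": assign_role(expertise),
    }


if __name__ == "__main__":
    # Constructed sample users: user 1 and 2 mirror the rows of Table 1.
    for name, args in {"user 1": (3, 20), "user 2": (40, 60), "user 3": (20, 40)}.items():
        print(name, reputation(*args))
```

User 3 lies on the boundary between "average" and "high" for both features, so several rules fire partially and the defuzzified level lands in the "advanced" band rather than at a centroid.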
Fig. 5 illustrates a reputation analysis system for cloud service users according to one exemplary embodiment. The actions of user 100 are logged locally and sent to cloud service 120. Transmission can take the form of a notification sent immediately after the action or sent from time to time. Received notifications enter user action processing tool 510, which processes the user actions for certain activities with reference to reputation rule database 520. User action processing tool 510 also forwards the received notification to user action checking tool 540. User action checking tool 540 uses checking rule database 550 to check whether the user action lies within set limits. If the user action does not raise any suspicion, user action processing tool 510 modifies the user's reputation by changing the corresponding user activity value and stores it in user reputation database 530.
Here is an example of a notification:
Table 2
Another example of a notification:
Table 3
The user ID can also include anti-virus software data, such as: the anti-virus software version; the exact software ID; the build number; the IDs of applied patches, security updates and service packs; and licence information.
For each task all generates unique data collection.Such as, for the inspection of document, this data set can comprise fileinfo (Hash and, the availability of digital signature, size, position, order line attribute, author's (if there is), file attribute (hiding, file), be received from media such as () networks, such as CD, the last time etc. revised), and web page inspection task can comprise page address (link), arrange (check what scene type, to what degree of depth, should check what object) etc. for the inspection of scene simulation device.
User actions are described by a set of templates designed to work with the anti-virus software interface (GUI). The following may serve as an example:
Action ID | Action type
...       | ...
12        | User authorizes a program as trusted
13        | User prohibits program execution
...       | ...
46        | User starts the virtual keyboard
47        | User starts parental control
...       | ...
Table 4
In general, such detailed data is usually transmitted by the various anti-virus software modules. For example, for the emulator this data may include information about the number of instructions, operation codes, information about the set operation restrictions, and virtual memory dumps. In one exemplary embodiment, when a threat is detected by one or more modules, the detailed data may be transmitted in the notification by that module. In another detailed example, part of the data is transmitted in the first notification, and if this data is found insufficient to check the user's ruling, additional data may be transmitted by the anti-virus application 300 at the request of the cloud service 120.
Thus, all notifications may adopt a structure containing metadata that can be described as follows: WHO (information about the user, his computer, etc.), WHERE (information about the anti-virus software module that was triggered and the additionally required system hardware and software state data), WHEN (the time frame of the event and its possible repetition frequency), WHAT (the type of security event detected and the details of the security event).
Databases 520, 530, 550 (and all other similar databases discussed below) may be implemented using a common DBMS (database management system) such as MySQL, MSSQL, PostgreSQL, DB2, etc. The user action processing tool 510 compares the user notification with the rules stored in the reputation rule database 520. These rules may be expressed as production rules of the type "if <condition> then <action>". The following may serve as an example:
If
<notification type> = "user action ID"
<details> = "start of computer vulnerability scan"
<user action> = "detected vulnerability corrected: autorun of removable drives disabled"
Then
<activity of using the application's interface> is increased by <set value>
Restriction: <activity value cannot exceed N>
Since adding new rules and revising existing rules is easy, it should be noted that the organization of these rules is simple. Rules may be written in the XML language, whose syntax offers advantages such as platform independence, the ability to describe structures such as lists and trees, and support at various levels (hardware and software).
In addition, each rule may limit the correction of one or another activity of the user. The purpose of this is to prevent an activity from growing to a high level because of many simple actions. A good example is frequent scanning of the same removable drive (such as a flash drive), which can be regarded as simple and common software use. Starting a computer vulnerability scan, however, is not a trivial check, and this action indicates that the software interface activity can be raised to a higher level.
After checking the triggered rules contained in the reputation rule database 520, the user action processing tool 510 corrects the reputation of the user who sent the notification with reference to the user reputation database 530. The user action checking tool 540 also uses rules from the check rule database 550 for the correction of reputation. These rules and their checking are organized similarly to the rules of the reputation rule database 520. Let us examine the need to check user actions in more detail.
Although the rules for processing user actions at the cloud service 120 are hidden from users, some users may adopt fraudulent strategies in order to increase their reputation. These may include, but are not limited to, forging notifications by the user 100, or artificially increasing, for example, the number and uniqueness of detected threats or a very high software interface activity. Such actions are called anomalies. To account for such actions, the check rule database 550 contains anomaly detection rules. The user action processing tool 510 passes the notification received from the user to the user action checking tool 540. The user action checking tool 540 consults the check rule database 550 to determine the rules describing a certain anomaly type, and with reference to the user reputation database 530 requests the reputation correction history for the user from whom the notification was received. The history stored in the user reputation database 530 shows the latest actions (received notifications) of this user during a recent time period (such a period may be a month or a week). By comparing the history record with the latest user notification, the user action checking tool 540 can detect anomalies.
Let us examine user notification processing in more detail, as illustrated in Fig. 6. In step 610 a user action notification arrives at the user action processing tool 510, which in step 620 extracts information from the received notification. Then in step 630 the received data is checked using the user action checking tool 540. If an anomaly is detected in step 640, a corresponding journal entry for the anomaly recorded for this user is created in the user reputation database 530 in step 660. If no anomaly is detected, the reputation (the relevant activity) is corrected in step 650. The method of registering the number and types of anomalies is described in more detail below.
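The following Python is an added illustration of the flow of Figs. 5 and 6 (it is not code from the patent): a production rule from the reputation rule database 520 raises an activity value subject to the "cannot exceed N" restriction, and a check rule over the user's recent history flags a flood of detections as an anomaly instead of crediting it. The notification fields, the rule contents, the one-hour window and the 20-detection limit are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Notification:
    """WHO / WHAT / WHEN part of a notification (constructed structure)."""
    user_id: str            # WHO
    notification_type: str  # WHAT: e.g. "user action ID" or "threat detected"
    details: str            # WHAT: event details
    user_action: str        # WHAT: the user's action / ruling
    timestamp: int          # WHEN: seconds since an arbitrary epoch


@dataclass(frozen=True)
class ReputationRule:
    """Production rule 'if <condition> then raise <activity> by <increment>',
    with the restriction '<activity value cannot exceed limit>'."""
    condition: Callable[[Notification], bool]
    activity: str
    increment: int
    limit: int


# Reputation rule database 520 (constructed): the vulnerability-scan rule
# from the text, plus a rule crediting reported threat detections.
REPUTATION_RULES: List[ReputationRule] = [
    ReputationRule(
        condition=lambda n: n.notification_type == "user action ID"
        and n.details == "start of computer vulnerability scan",
        activity="interface_activity", increment=5, limit=100),
    ReputationRule(
        condition=lambda n: n.notification_type == "threat detected",
        activity="threats_detected", increment=1, limit=1000),
]

# Check rule database 550 (constructed): a user who already reported
# MAX_DETECTIONS_PER_WINDOW threats inside WINDOW_SECONDS is treated as an
# anomaly (e.g. rescanning a stored malware collection to inflate reputation).
WINDOW_SECONDS = 3600
MAX_DETECTIONS_PER_WINDOW = 20


class ReputationDatabase:
    """User reputation database 530: activity values, recent notification
    history per user, and the anomaly journal written in step 660."""

    def __init__(self) -> None:
        self.activities: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self.history: Dict[str, List[Notification]] = defaultdict(list)
        self.anomalies: Dict[str, List[tuple]] = defaultdict(list)


def is_anomalous(db: ReputationDatabase, n: Notification) -> bool:
    """Steps 630/640: compare the new notification with the user's history."""
    if n.notification_type != "threat detected":
        return False
    recent = [h for h in db.history[n.user_id]
              if h.notification_type == "threat detected"
              and n.timestamp - h.timestamp <= WINDOW_SECONDS]
    return len(recent) >= MAX_DETECTIONS_PER_WINDOW


def process_notification(db: ReputationDatabase, n: Notification) -> str:
    """Steps 610-660 of Fig. 6. Returns 'anomaly' when the notification was
    journaled instead of credited, 'corrected' when a rule raised an activity,
    and 'no_rule' when no production rule matched."""
    anomalous = is_anomalous(db, n)
    db.history[n.user_id].append(n)          # history is kept either way
    if anomalous:
        db.anomalies[n.user_id].append((n.timestamp, "detection_flood"))
        return "anomaly"
    applied = False
    for rule in REPUTATION_RULES:
        if rule.condition(n):
            acts = db.activities[n.user_id]
            # the rule's restriction caps the activity value at rule.limit
            acts[rule.activity] = min(rule.limit, acts[rule.activity] + rule.increment)
            applied = True
    return "corrected" if applied else "no_rule"


def interface_activity(db: ReputationDatabase, user_id: str) -> int:
    return db.activities[user_id]["interface_activity"]


def threats_detected(db: ReputationDatabase, user_id: str) -> int:
    return db.activities[user_id]["threats_detected"]
```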
Below, with regard to reputation aspects (that is, activity characteristics), some main examples associated with threat detection are summarized.
As noted above in the description of the "wisdom of the crowd" approach, each user has a different level of information technology (IT) expertise. At present, in addition to the large number of legitimate (whitelisted) programs and harmful (blacklisted) programs, a growth has been noticed in so-called "greylisted" programs, whose features cannot be described as "white" or "black". This is associated with several factors, but one of the basic ones is the continuing growth in the number of executable files in general and of harmful programs in particular (Fig. 2), which makes the capacity of anti-virus companies lag behind the ever-growing data stream. Therefore, when the anti-virus software cannot determine whether an unknown file is harmful or clean, one possible solution is to rely on the user to assess whether the unknown file is harmful or clean. The file description available to the user may include, for example: size, location, file name, availability of a digital signature, etc. In addition, the user may have information that is difficult for the anti-virus software to obtain, such as the file source (an unlicensed disk bought in a shop, mail sent by a friend long ago, etc.). Based on this information the user may decide to prevent execution of the file, which means that the user considers the file suspicious or harmful. We shall call this event a "ruling". Besides rulings that allow or prevent execution of an unknown file, there are also rulings about allowing/preventing the opening of links (for example, in a browser), network activity, etc.
Therefore, each user can be assessed by the number of his rulings and the correctness level of those rulings. The correctness of a ruling can subsequently be calculated by the anti-virus company, which examines the executable file data and draws its own conclusion about the user's conclusion that the file is harmful or clean. One embodiment also considers the number of cases: when a user prevents various copies of the same program (that is, the same file) several times, such rulings can be considered a single event. Another embodiment does not assess the user's ruling activity immediately but introduces a time delay, in order to exclude situations of sudden fluctuation of user reputation (such as when the user performs the initial installation of the anti-virus software). In addition, in another embodiment the ruling assessment may be carried out for the entire period of user activity (usually limited by the term of the anti-virus software license) or for a set period of time.
The associated anomalies (fraud) are also worth remembering: in order to obtain a higher activity grade based on detected threats, a user may resort to such anomalies, for example by using an available collection of harmful files for repeated scanning. An ordinary user usually cannot detect many threats on his computer within a short period. Even a full scan of the hard disk shows that most of the malware is often copies of the same program.
Fig. 7 shows the sequence of threat detection notification processing. After an unknown threat detection notification is received in step 710, the necessary information is extracted from the notification in step 720 for further analysis. The necessary information comprises the threat details and the user action. It should be noted that the user action is needed only when one of the anti-virus software 300 modules cannot draw a clear conclusion about the subject of the query, such as an unknown file the user is attempting to start or a link the user is attempting to follow in a browser. Such an event is also bound to the notification. Then in step 730 the threat information is analyzed at the cloud service to confirm whether the user's ruling is correct or incorrect. The analysis may be based on Kaspersky Security Network (KSN) technology, some embodiments of which are described in U.S. Patents 7,640,589 and 7,743,419, which are incorporated herein by reference in their entirety. For example, the checking process may include whitelist or blacklist analysis of the unknown threat, emulation-based analysis, signature-based analysis, heuristic analysis and other techniques.
If the threat is not confirmed, but the user action shows that he believes, for example, that an unknown file is attempting to become malware during its execution (opening), or that he prevented an unknown link while attempting to follow it in a browser, such information is saved for further analysis in step 740. If afterwards, in step 785, the user action is confirmed to be correct (that is, the ruling is correct), this means he was the first user to detect the malware or harmful link. In this case the user's reputation is corrected in step 790; in particular, the activity judged by the number of unique threats he detected will increase.
If the threat is confirmed in step 730, then in step 750 the user action checking tool 540 consults the check rule database 550 and the user reputation database 530 and compares the statistics of the notifying user, in order to detect anomalous situations in step 760. An anomaly may be expressed as the detection of too many malicious programs within a short period (for example, scanning a disk holding a saved collection of known malware in order to increase reputation) or as too frequent malware detection. The latter may be explained by visiting the same infected website, by the low maturity level of a user who does not patch the vulnerabilities in his software, etc. Such an anomaly is counted in step 780. Otherwise, the user's reputation is improved in step 770 because of the increased number of threats detected. In addition, once the threat is confirmed, the cloud server 120 can use the information about the detected threat to update the anti-virus database associated with the anti-virus software 300.
A very important aspect of anomaly detection is the rejection of notifications that attempt to disrupt the service 120. For example, the author of a malicious program may attempt to mount a DoS attack on the service 120 in order to switch off users' anti-virus protection. This can be done, for example, by using multiple copies of the anti-virus application 300 with an automatic action list (for example, detecting different copies of the same malicious program) within a short period, which causes a massive number of notifications to be sent to the service 120, in effect causing a DoS attack. Switching off the analysis of notifications from such clients will allow the service 120 to operate stably for all other users. In another embodiment, the author of a malicious program may "slip" an incorrect response to the anti-virus application 300 (and thereby to the service 120), for example indicating that clean software is malicious. So that such responses do not spread to other users, the service 120 can collect statistics on such detections, and if there are too many such false positives, this is also an anomaly and the responses from these users are also discarded.
Each user can also be assessed by the number of threats found on the user's computer after the threats have infected the computer and started their harmful activity. This may be associated with the following events:
the user rarely updates the anti-virus database, or the anti-virus company itself cannot keep up with issuing updated versions (for the reasons mentioned in the description of Figs. 2 and 3);
the user frequently disables the anti-virus software (by closing the program);
the user has not configured his anti-virus software properly.
Fig. 8 illustrates one exemplary embodiment of a method of processing threat detection notifications for threats detected after the threat has entered the user's computer. This may include, for example, the following:
1. The active infection stage. This means, for example, that at the first check of an executable file it was not found in the malware database and its emulation did not detect any harmful activity. When this file is executed and its harmful activity starts, the proactive defense module can block it.
2. Insufficient user activity with the anti-virus software. This means the user has not configured, or has disabled, the anti-virus software, which allows all kinds of threats to enter the user's computer.
3. Lack of regular anti-virus database updates. Some anti-virus software 300 modules do not guarantee 100% detection of malware, but only report the probability that a scanned file may be harmful. Proactive defense and the virtual machine are such modules.
After a threat detection notification is received in step 810, the information needed for further analysis is extracted from the notification in step 820. The needed information means the threat object details (such as a potentially harmful unknown file or link) and the user action. Then in step 830 the threat information is analyzed at the cloud service.
If the threat is not confirmed in step 830, but the user action shows that he believes, for example, that an unknown file is attempting to become malware during its execution (opening), or that he prevented an unknown link, such information is saved for further analysis in step 840. If afterwards the user action is confirmed to be correct (that is, the ruling is correct) in step 885, this means he was the first user to detect the malware or harmful link. In this case the user's reputation is corrected in step 890; in particular, his activity parameter based on the number of unique threats detected will increase.
If the threat is confirmed in step 830, the date on which the threat entered the user's computer is traced in step 850. This is done by analyzing the malware timestamps (that is, its creation or modification time) and the activity log maintained by the proactive defense module. Then in step 860 the reason the threat entered the computer is determined, such as disabled anti-virus software modules, incorrect anti-virus software settings, irregular database updates, etc. After the reason is determined, the user's reputation is corrected in step 870; in particular, the infection activity increases.
It should be noted that after the threat detection notification, the related information and the user's ruling are received in steps 810-820, the ruling can be used to prevent such a threat until it is confirmed in step 830 or step 885.
Another important reputation aspect is software interface usage activity (or the user's proficiency with the anti-virus software). With regard to modern anti-virus software such as Kaspersky Internet Security 2011 or McAfee Total Protection, such activity includes action types such as:
Configuration of various software modules. An example is the manual installation of anti-virus database update features. Settings can also be used for various modules, such as training the anti-spam module for scanning incoming e-mail traffic or selecting rules for the parental control module.
Interactive responses to software questions, following various software messages. The interactive mode of anti-virus software assumes that the user will perform certain operations, such as deciding to block an unknown program (not found in the malware database or the trusted program database), deciding to perform a full scan of removable media, etc.
The user's response time to software interface messages. The time in which the user responds to prompts (for example, the waiting time for the user's response about blocking an unknown program) can also be monitored when the anti-virus software operates in interactive mode.
Nested inspection of the interface. Modern anti-virus software, including the anti-virus application, has many different settings, hidden in various parts of the graphical interface. A user's actions in the more deeply nested settings of the interface indicate that he is interested in a more detailed study of the anti-virus software's capabilities.
Use of non-automatic protection means or additional capabilities. Usually anti-virus software is well configured initially and can operate automatically without user participation. However, modules such as personal data management or the virtual keyboard are operated by the user himself. This indicates his interest in the comprehensive use of the anti-virus software's functions.
Exiting from the software, shutting it down. Although modern anti-virus software usually undergoes long-term testing with various operating systems to check its compatibility with other applications, there is always the risk of a false detection, in which a trusted application may be judged to be harmful. As a result, the anti-virus software may block the start of this application or restrict its access to resources (such as network resources), upsetting the user. Because of such errors, and the fact that anti-virus software usually "prompts" the user to perform one action or another (for example, in interactive mode), some users would rather disable the anti-virus software temporarily or permanently. Such actions are regarded as a reduction of the user's activity in working with the software interface.
Too frequent changes to the application settings, repeated checking/unchecking of the same feature through the same interface action several times (within a short time), etc. can be considered anomalies of software interface activity.
After selecting and summarizing the assessments of various user activities, it is necessary to consider the means required for logging the events occurring on the user's computer according to the user's activity. Fig. 9 shows one exemplary embodiment of the event logging system of a user's computer.
The user 910 working on his PC 100 performs actions, which can be recorded by the anti-virus software 300 and its modules and, when the anti-virus software interface 920 is used, recorded directly. Information about these actions is sent to the event logging tool 930. Tables 1 and 2 contain examples of the types of data transmitted. User activity information is also sent to the user activity tracking tool 940, which identifies the actual user of the PC 100. This is done because, from the computer security standpoint, the PC 100 may be operated by several users 910 with different behavior (even if at different times).
For example, parents in a family may understand the basics of computer security (do not execute unknown files, do not follow unknown links, etc.), but a child may not know these rules. One of the simplest methods of identifying the user is based on the account used to access the computer system (or OS). To determine the most typical user, another option includes tracking user actions: starting certain applications, opening files of a certain type, typical system resource consumption levels, etc. Thus, the behavior of a user who mostly works with text can be distinguished from that of a user who plays computer games. The user activity tracking tool 940, in one embodiment, may be based on intercepting data from input devices (keyboard, mouse) to define patterns of user behavior. For example, U.S. Patent Applications 2006/0224898 and 2004/0221171 describe the concept of user identification based on behavior patterns using mouse dynamics parameters (average cursor speed, cursor path, cursor displacement in various directions, idle time, etc.), and are incorporated herein by reference in their entirety. U.S. Patent Application 2004/0172562 describes a user recognition system and method based on the details of the user's individual text input (for example, pauses between keystrokes, key press time, etc.), the so-called keyboard rhythm, and is also incorporated herein by reference in its entirety. Identification is based on comparing these parameters during the current password entry with a reference template of login parameters obtained and stored during the user's previous sessions.
The event logging tool 930 obtains the user 910 activity data and an indication of the actual user from the user activity tracking tool 940, obtains data from the anti-virus software 300 modules, and compares these with the event templates stored in the event database 950. Such a comparison is necessary to determine the events to be transmitted as notifications. If the event database 950 contains a template for the event, the event logging tool 930 transmits the event notification to the notification transport tool 960, which generates the notification to be sent to the cloud service 120, more precisely to the user action processing tool 510. The event database 950 can also be updated if some information must be assembled for an event type, or if data transmission is to be switched off because of a lack of events providing useful information.
Fig. 10 shows a method of logging user computer events according to one exemplary embodiment. In the equivalent steps 1010 and 1015 the user may do something (for example, via the interface 920) or some anti-virus software 300 module may detect an event (for example, an attempt to execute an unknown file). Then in step 1020 the event is logged in the system by transmitting the required data to the event logging tool 930, which in step 1030 checks the templates of the event database 950 for a similar event. If the event is not found in the event database 950, the event is discarded in step 1035. In another embodiment the event information may be stored for use when such events begin to play a role in computer security in the future. Otherwise, in step 1040 the user activity tracking tool 940 is used to determine the actual user. Then in step 1050 a notification is generated by the notification transport tool 960, which transmits the notification to the cloud service 120 in step 1060. One embodiment also includes, in step 1060, the use of a repeat counter for similar actions transmitted together with the notification package, saving traffic and resources when the event frequency on the user side is high.
Having reviewed the transmission of user computer events to the cloud service in the form of notifications, their subsequent analysis and the determination of user reputation, we can determine how the obtained reputation can be used to generate a role. A role is a certain abstract description of the user, based mainly on the user's actions, which include verified rulings associated with computer security (and, as a result, reputation and activities). A role is characterized not only by the reputation-based description of the user but also comprises the following parameters:
---reputation and all the activities forming such reputation;
---the anomalies associated with reputation activities;
---information about the anti-virus software used. Such information includes license data (for example commercial software or freeware);
---information about the user's computer, its capabilities (resources) and their use.
Fig. 11 shows the classification of cloud service 120 users based on their roles according to one exemplary embodiment. The whole set of users can be decomposed into groups, each group containing users with a substantially similar level of expertise in the field of computer security. It should be noted that the classification shown in Fig. 11 is only an exemplary diagram intended to aid understanding. The diagram shows the following set of roles: "common user", "experienced user", "expert" and "bait user". This list is only an example and can be extended. Detailed descriptions of the sample roles are shown in Fig. 12.
A "common user" is a user whose reputation comprises the following: a low number of detected threats, low uniqueness of detected threats, low interface activity, low infection activity. Such users are usually not confident computer users and often never check the operation of their anti-virus software. One embodiment automatically assigns this role to all new users. Thus, a common user is usually a user with a low level of expertise in the field of computer security. For that reason, according to one exemplary embodiment, the ruling of a common user 100 on the malicious or clean nature of an unknown security threat just detected on the user's computer by the user 100 may be checked by the user action checking tool 540 of the cloud service 120.
An "experienced user" is a user whose reputation comprises the following: a low or average number of detected threats, average uniqueness of detected threats, average interface activity, low or average infection activity. Such users have enough experience to understand the danger of executing unknown programs. They also understand the basic precautions that are important when working with personal data. However, the increase in infection activity is directly associated with the user's activity, for example when using the Internet. Thus, an experienced user is usually a user with a level of expertise in the field of computer security above that of a common user. For that reason, according to one exemplary embodiment, the ruling of an experienced user 100 on the malicious or clean nature of an unknown security threat just detected on the user's computer by the user 100 may also be checked by the user action checking tool 540 of the cloud service 120.
"Experts" are usually not numerous, but they have an average number of detected threats, average or high uniqueness of detected threats, and show high anti-virus software interface activity. Because they are often the "discoverers" of new unknown threats, their feedback and opinions (decisions) are of crucial importance. Thus, an expert user usually has a level of expertise in the field of computer security above that of an experienced user and much higher than that of a typical user. For that reason, according to one exemplary embodiment, the ruling of an expert user 100 on the malicious or clean nature of an unknown security threat just detected on the user's computer by the user 100 may be accepted by the user action processing tool 510 of the cloud service 120 without being checked by the user action checking tool 540, or at least without immediate checking.
A "bait user" is a user with a high number of detected threats and usually low or average uniqueness. Such users seldom configure the anti-virus software 300 or disable many necessary modules completely, which means low interface activity. As a result, they have high infection activity. Such users often spend many hours surfing the Internet and downloading and executing new software, but usually do not understand that a Trojan may be hidden in a new set of video codecs. Thus, a bait user has a level of expertise in the field of computer security even lower than that of a common user. For that reason, according to one exemplary embodiment, the ruling of a bait user 100 on the malicious or clean nature of an unknown security threat just detected on the user's computer by the user 100 should also be checked by the user action checking tool 540 of the cloud service 120.
Although Fig. 11 illustrates only a rough classification of users by role according to their level of expertise in the field of computer security, expert users are often fewer than the representatives of other roles, while the anti-virus company is most interested in the actions of these users. To account for the importance of users with more significant roles, the concept of role weight is introduced. Role weights can be set empirically or controlled automatically when users of different roles make their decisions. In one embodiment the weight can be determined based on several parameters: the anti-virus software setup type (normal or extended), the OS version, the software installed on the user's computer, the hardware set, etc.
In one exemplary embodiment the weight can be changed dynamically: for example, when the number of sales of the anti-virus application 300 increases and causes the number of typical users to increase, the role weight of expert users should also increase.
The table below shows the estimated weights of the various roles:
Role          | Role weight
Common user   | 1
Advanced user | 10
Expert        | 500
Table 5
Thus, in the decision to block or allow execution of the same unknown program, the opinion of a user in the "expert" role is equivalent to the opinions of 500 users in the "common user" role. This method makes it possible to "outnumber" the actions of a large number of inexperienced users who make mistakes about unknown malware. Another embodiment includes considering only the opinions of users with a certain role, such as "expert". In this embodiment, in order to use their expertise, it is very important to identify users in such a role at an early stage.
Fig. 11a shows a method of accounting for the user's role weight in a ruling for the purpose of detecting unknown computer threats, according to one exemplary embodiment. After step 820 from Fig. 8, the user's weight and ruling are counted in step 1110 in order to correct the ruling weight for the threat object (data file or link) in step 1120. In one embodiment, if the user has considered the event associated with the threat object harmful and prevented it (for example, blocking the start of an executable file), the ruling weight can be increased by a certain amount. In another embodiment, the ruling weight can be increased by a value proportional to the user's role weight, which allows the opinions of users with a certain role to be considered above others. In another embodiment, the ruling weight can also be reduced if the user has considered the event associated with the threat object safe and allowed it. In step 1130 a check is made to find whether the ruling weight has exceeded a set threshold, and if so, in step 1140 the object is declared harmful from the users' standpoint. Next follows step 830 from Fig. 8. According to one exemplary embodiment, the threshold of step 1130 is determined empirically based on user rulings, or determined using statistical methods to analyze the rulings received from users of various roles within a certain period.
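As an added illustration of Fig. 11a (not code from the patent), the following Python combines the rulings of several users on one unknown object using the role weights of Table 5, covering the proportional-weight embodiment, the embodiment in which an "allow" decision reduces the weight, and the embodiment that counts only certain roles. The threshold value and the sample rulings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Estimated role weights from Table 5 of the text.
ROLE_WEIGHTS = {"common user": 1, "advanced user": 10, "expert": 500}


@dataclass(frozen=True)
class Ruling:
    """One user's ruling on a threat object (constructed structure)."""
    user_id: str
    role: str
    blocked: bool   # True: the user prevented the object (considers it harmful)


def ruling_weight(rulings: Iterable[Ruling],
                  count_allow: bool = True,
                  only_roles: Optional[Set[str]] = None) -> int:
    """Steps 1110-1120: accumulate the ruling weight for one threat object.

    A 'block' ruling adds the user's role weight (proportional embodiment);
    an 'allow' ruling subtracts it when count_allow is set (the embodiment in
    which a safe/allow decision reduces the weight). only_roles restricts the
    count to the given roles, e.g. {'expert'}."""
    total = 0
    for r in rulings:
        if only_roles is not None and r.role not in only_roles:
            continue
        weight = ROLE_WEIGHTS[r.role]
        if r.blocked:
            total += weight
        elif count_allow:
            total -= weight
    return total


# Assumed threshold for step 1130; the text sets it empirically or
# statistically, so this value is a placeholder chosen for the example.
THRESHOLD = 100


def harmful_by_user_rulings(rulings: Iterable[Ruling], threshold: int = THRESHOLD,
                            **kwargs) -> bool:
    """Steps 1130-1140: the object is declared harmful from the users'
    standpoint once the ruling weight exceeds the threshold."""
    return ruling_weight(rulings, **kwargs) > threshold


def sample_rulings() -> List[Ruling]:
    """Constructed sample: 120 common users block an unknown program that one
    expert has examined and allowed."""
    crowd = [Ruling(f"common-{i}", "common user", True) for i in range(120)]
    return crowd + [Ruling("expert-1", "expert", False)]
```

With the sample rulings the single expert's "allow" (weight 500) outweighs the 120 blocking common users, which is the "outnumbering" effect the text describes.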
Each role can also have an additional subdivision associated with, for example, anomalies. Taking anomalies into account allows the monitoring of such events as:
---the presence of unknown malware (which can affect the detection of unknown threats and their uniqueness);
---use of the cloud service resources with malicious intent; forged notifications;
---use of bot programs and other activity-inflation methods in order to obtain a desired reputation.
For example, the anomalies counted in the interface activity of the "common user" role are as follows:
Table 6
Figure 13 shows one exemplary embodiment of the user-role assignment method, which depends on reputation and other parameters. In step 1310 any change in the user parameters is recorded, for example a change of activity from "low" to "average" based on the number of threats detected. In step 1320 a check is made to establish whether the user parameters meet the criteria of one of the roles. An example of such a check is as follows:
If
    number of detected threats >= "average"
    uniqueness of detected threats >= "low"
    interface activity >= "average"
    infection activity >= "average"
then
    user role = "experienced user"
If the parameters do not meet any currently available role, the method ends in step 1330. Otherwise, in step 1340, a check is made to find whether the role implied by the parameters differs from the role currently assigned to this user. This is needed because, for some roles, the user parameters have a range of values; for example, for the uniqueness of detected threats the "expert" role has the two values "average" and "high". If the role differs from the current one, then in step 1350 a check of the stability of the user parameters over time (for example, a month) is made. If during the established period the user parameters meet the required role, the user role is revised in step 1360.
The stability check of the user parameters in step 1350 is carried out over an established period of time. Such a check is necessary in order to continually assess user parameters that cannot keep a constant value over time. An example is shown in Figure 14, which illustrates the estimated change over time in the number of threats detected. After the anti-virus software 300 is installed (the start of the timeline), a large amount of malware is detected on the computer (for example, during a full scan of the disk drives), and the detected threat activity is high. After most of the malware has been removed, a new rise in activity over time may be associated with various factors, such as: the user bringing unknown malware onto the computer himself, the anti-virus database not being updated for a long time, or the user not enabling the necessary anti-virus scans. Eventually the user stops encountering a large amount of malware on his computer, which is also associated with several factors. For example, the user has learned the basics of computer security (no longer following suspicious links on the Internet), has improved the settings of his anti-virus software, has reduced his computer activity, and so on. All of these reduce the detected threat activity to a low level. Therefore one exemplary embodiment allows the user's reputation and activity profile to be revised over time.
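The role check of Figure 13 together with the stability window discussed above, as an added Python illustration that is not the patent's own code. The "experienced user" rule is the one quoted in the text; the "expert" criteria, the parameter names, the 30-day window and the sample dates are assumptions made for this example.

```python
"""Role assignment from user parameters with a stability check (Figure 13).

Added illustration, not the patent's own code. The "experienced user" rule is
quoted from the text; the "expert" criteria, parameter names and 30-day window
are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Ordinal scale shared by all user parameters.
LEVELS = {"low": 0, "average": 1, "high": 2}

# Roles from highest to lowest. Each criterion is a minimum level, so a role
# such as "expert" accepts a range of values (e.g. "average" or "high" for
# uniqueness); this is why step 1340 re-derives the role instead of comparing
# raw parameters.
ROLE_CRITERIA = [
    ("expert", {                      # assumed criteria
        "threats_detected": "high",
        "unique_threats": "average",
        "interface_activity": "high",
    }),
    ("experienced user", {            # rule quoted in the text
        "threats_detected": "average",
        "unique_threats": "low",
        "interface_activity": "average",
        "infection_activity": "average",
    }),
    ("common user", {}),              # default: no requirements
]


def meets(params, criteria):
    """Step 1320: every criterion must hold; a missing parameter counts as 'low'."""
    return all(LEVELS[params.get(name, "low")] >= LEVELS[minimum]
               for name, minimum in criteria.items())


def role_for(params):
    """Highest role whose criteria the parameters satisfy."""
    for role, criteria in ROLE_CRITERIA:
        if meets(params, criteria):
            return role
    return "common user"


@dataclass
class UserProfile:
    role: str = "common user"
    history: list = field(default_factory=list)  # (date, params) snapshots


def update_role(profile, today, params, window_days=30):
    """Steps 1310-1360: record a parameter change and revise the assigned role
    only if the implied role has held for the whole stability window."""
    profile.history.append((today, dict(params)))          # step 1310
    candidate = role_for(params)                            # step 1320
    if candidate == profile.role:                           # step 1340
        return profile.role
    cutoff = today - timedelta(days=window_days)
    if min(d for d, _ in profile.history) > cutoff:
        return profile.role     # too little history to judge stability yet
    recent = [p for d, p in profile.history if d >= cutoff]
    if all(role_for(p) == candidate for p in recent):       # step 1350
        profile.role = candidate                            # step 1360
    return profile.role


if __name__ == "__main__":
    # Constructed timeline: a user whose parameters stay at the
    # "experienced user" level for over a month, then briefly drop.
    start = date(2012, 9, 20)
    experienced = {"threats_detected": "average", "unique_threats": "low",
                   "interface_activity": "average", "infection_activity": "average"}
    quiet = {"threats_detected": "low"}
    profile = UserProfile()
    for day, params in [(0, experienced), (15, experienced), (31, experienced), (40, quiet)]:
        print(start + timedelta(days=day), update_role(profile, start + timedelta(days=day), params))
```

A single low reading after the role has been raised does not demote the user, which matches the Figure 14 point that parameters fluctuate and must be judged over a period.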
Depending on the role, each user is assigned different capabilities, some of which are listed below (the list is an example and can be expanded):
● selection of the data set collected, including for notifications;
● change of the anti-virus software interface capabilities;
● change of the recommended anti-virus software module settings;
● change of the network resources (for example, bandwidth) allocated for receiving data;
● change of the server processing resources (for example, CPU time) allocated to the received data;
● performance of computer-security-related tasks.
Selection of the data set collected. The anti-virus company is interested in obtaining the most important data in the notifications, which mainly means data about unknown (unique) malware, and in minimizing the volume of data transmitted once a threat is already known. Roles allow targeting those users from whom a large amount of data about unique threats can be received. In the context of the present invention these can, for example, be users with the "expert" role.
For example, when an unknown file is started on the computer, the data collected from a user designated with the "common user" role will include the following in the notification:
● the file's MD5 sum;
● digital signature, if any;
● optional: command-line attributes, file attributes.
Meanwhile, the notification transmitted by an "expert" role user will include a larger data set (the data collected below relate to the Windows OS family):
● the file's MD5 sum;
● digital signature, if any;
● optional: command-line attributes, file attributes;
● DLL library information: their description, which computer;
● kernel object data: their size, description, source;
● service information: state (running/stopped/available for automatic start), description;
● driver data: state (running or not running), file, group;
● file host, etc.
Another example may be associated with the use of an emulator. During emulation of an unknown file, the following data can be included in the notification from a user designated with the "common user" role:
● the file's MD5 sum;
● a brief description of the emulator operation: the number of instructions, the safety rating received; this is described in US Patent 7,530,106, which is incorporated herein by reference.
On the other hand, when the emulator is applied to the same file on behalf of an "expert" role user, the notification will include a larger data set:
● the file's MD5 sum;
● a brief description of the emulator operation: the number of instructions, the safety rating received;
● the limits set for the emulator operation (limits on running time, memory size, central processor instructions);
● memory dumps (that is, data obtained from memory during emulation).
It is apparent that the data sent by "expert" role users differ both in quality and in quantity. Figure 15 shows the exemplary distribution of the amount of data transmitted by users depending on user role. It can be seen that users who can submit additional and more significant data (in this case these are "expert" role users) may need a separate communication link with the cloud service 120 (for example, a link established with the highest priority), because in this case the importance and scope of the data received from such users play an important role.
In a further exemplary embodiment, users of different roles have different anti-virus software interface capabilities. For example, compared with the user interface settings for users with a lower level of expertise in computer security, such as typical users, the user interface settings of the software application for users with a higher level of expertise in computer security, such as expert users, can provide a higher level of control over the operation of the anti-virus application and its various modules. For example, expert users can be allowed to configure the emulator module (for example, the limits on running time, memory size and central processor instructions) or other analysis modules of the anti-virus application.
Figure 16 shows, according to one exemplary embodiment, a method for allocating the computational resources of the cloud service 120 for processing notifications from a specific user. In step 1610 the user role is determined, and then in step 1620 the computational resources that can be allocated to this role are determined. Here the computational resources include, but are not limited to: CPU time, memory size, the maximum amount of data that can be stored on the drive, and network link capacity (quality of service). Because all these resources are associated with the actual computers within the cloud service 120 that process the notifications received from users, according to various embodiments of the present invention different priority assignment schemes are additionally adopted, so that notifications from users with a more significant role (in this case, "expert" role users) are processed with higher priority.
Let us summarize an example of optimizing the network link quality of service for a user. For example, at the Ethernet frame level (the second layer of the OSI model) there is a tag field that enables this feature; the value of this field represents the required class of service. Because the IP protocol must be effective not only over Ethernet but also over WANs that are not based on Ethernet frames, the IP packet also has a TOS field dedicated to carrying the required service level. Later the Differentiated Services (DS or DiffServ) protocol was developed, which is currently used to mark IP packets according to class of service.
Small and medium business switches, and access-level switches in large networks, usually take only the Ethernet frame QoS field into account for prioritization. Enterprise-level switches can take all current standards into account when prioritizing traffic. Packets have a dedicated 3-bit priority field under the 802.1p standard, which allows local-network data to be marked with one of eight classes of service.
Another example of prioritization can be described as follows:
For users designated with the "common user" role, the cloud service can allocate a server with the following configuration:
● processor: Xeon 5130
● memory: 4 GB RAM
● allocated hard-disk capacity: 74 GB SCSI HDD
● connection protocol type: UDP
For "expert" role users, the cloud service can allocate a server with the following configuration:
● processor: 2 × Xeon 5620
● memory: 24 GB RAM
● allocated hard-disk capacity: 600 GB SCSI HDD
● connection protocol type: TCP
Clearly, the server allocated to "expert" role users has a significantly higher capacity than the server for "common user" role users. As explained above, this is due to the significantly higher quantity and importance of the data received from "expert" role users, since these data, for example, reflect a higher activity of unique detected threats.
After the computational resources for this user role have been allocated, the number of notifications received from the user (that is, the data volume) is additionally determined in step 1630. Such information can be stored in the user reputation database 530. This is necessary for processing data received not only from users with a preferred role (the "expert" role) but also from users with other roles who show heavy file-processing activity, network activity, and so on.
Based on the information obtained in step 1630, the computational resources required to process the current notification stream from the given user are determined in step 1640. Then, in step 1650, the allocated computational resources are used to process the user's notifications received within a set time frame (a week or a month), and then in step 1660 a new assessment of the adequacy of the computational resources for notification processing is carried out. If the resources are inadequate, the sequence returns to step 1640 to redefine the computational resources required to process the current notification stream from the user; otherwise it proceeds to step 1670 and continues with the current computational resources.
As noted above, a role is based not only on the reputation-based user characteristics but also includes the following parameters:
● reputation;
● anomalies associated with the reputation activity;
● current anti-virus software data, including the licence (for example, commercial software or freeware);
● information about the user's computer, its resources and their use.
So far only the user's reputation and the associated anomalies have been considered. The current anti-virus software data and the information about the user's computer and its resources can be used to determine the potential computer security tasks to be performed on the user's computer.
Protection of the cloud service and its users.
In order to prepare reliable and secure data exchange (and storage) between the cloud service 120 and its users, the following tasks are to be completed:
● providing for the protection of user privacy and against data leakage;
● protecting the data transfer link connecting the cloud service and its users;
● protecting the cloud service against illegal use and malicious overload.
User privacy (personal data security) can be provided by the division of the data processed by the modules of the anti-virus software 300. It should be noted that many malware detection modules output only a certain standard data set (for example, an indication of the API functions triggered), while the traditional signature check uses hash functions, which are irreversible, so the file cannot be recovered from the hash obtained from it. The following steps can additionally serve personal data security:
Anti-virus software module settings whose purpose is to prevent personal data from being recovered after processing by these modules.
Designation of data areas on the computer (for example, some user folders) that will be scanned only by a few anti-virus software modules or not scanned at all.
Figure 17 shows one exemplary embodiment of a user identification mechanism for protecting the cloud service against illegal use. The authentication means 1710 serves for authenticating the user 910 working on the computer 100; this authentication means 1710 takes at least two parameters into account: the licence 1710 information (more precisely, its ID) and the information from the user action tracking tool 940. As noted above, the user action tracking tool 940 tracks the user's behaviour model based on the user's actions (namely, his use of the anti-virus software 300). A broader set of functions of the action tracking tool 940 can include tracking of the user's biometric data: fingerprints and hand prints, signature, iris pattern, and style of operating input devices (the aforementioned keyboard and mouse). The user identifier obtained by the user action tracking tool 940 is then transferred to the authentication means 1710, which enables it to identify the user accurately. In this case the user identifier does not mean a single unique number, but a certain set of numbers determined by the user's actions (the determination of the activity is described above).
The obtained pair of identifiers (user and anti-virus software) is sent by the authentication means 1710 over an encrypted link to the identification and verification tool 1720 located in the cloud service 120. The tool 1720 compares the received data with the authentication database 1730, which stores user identifiers, and the licence database 1740, which stores the identifiers of issued/sold licences. In this way the interface between the user's 910 anti-virus software 300 and the cloud service is only established after both identifiers match. It should be noted here that there is the possibility of closing the cloud service 120 interface to users characterized by a large number of anomalies. There is also the possibility that, through the differentiation of the actions of various users by the user action tracking tool 940, several computer users may use one licence 1710.
Figure 18 shows one exemplary embodiment of a method for authenticating a cloud service user and allocating certain resources to him. In step 1810 the licence identifier of the anti-virus software 300 is determined using the licence 1710 information. Then in step 1820 the user identifier is determined by the user action tracking tool 940. In step 1830 the obtained identifiers are sent to the cloud service 120, where the identifiers are checked in step 1840. If this identifier pair does not match the identifier pair retrieved from the verification database 1730 and the licence database 1740, then in step 1850 the access of the user 910 to the cloud service 120 is blocked, and queries coming from his anti-virus software 300 are not processed. If the identifier pair is recognized, then the role of the user 910 is determined in step 1860, and the resources necessary for the role assigned to the user 910 are allocated in step 1870.
Figure 19 shows, according to one exemplary embodiment, the use of computer user rulings for detecting computer security threats. In step 910, events related to computer security on the user's computer are logged; such an event can be an attempt to start an unknown program or to follow an unknown link. Then in step 1920 the user action on the user's computer associated with the logged event is determined. Such an action can be blocking or allowing the logged event. Then, in step 1930, the logged event is sent to the cloud service together with the associated user action data, and the user role is determined at the cloud service in step 1940. In the next step 1950, if the logged event was blocked by the user, the weight of the logged event is increased at the cloud service by the user role weight, or, if the logged event was allowed by the user, the weight of the logged event is decreased at the cloud service by the user role weight. For example, if a user with the "common user" role blocks the execution of an unknown file, he increases the weight of the logged event by 1, taken from the weights of, for example, Table 5 (step 1960); if, at the same time, an "expert" role user with weight 500 allows the execution, the weight of the logged event will be decreased by 500 (step 1965). It should be understood that the described scheme can use other methods of computing the weight of logged events. In addition, in one embodiment not only individual events but whole chains of events are considered, such as the download of an unknown file followed by an attempt to start it. If other users encounter such an event, the weight of the logged event continues to be updated in step 1970. If the set weight threshold is exceeded, the event is defined as associated with an unknown threat in step 1980. For example, an execution event associated with an unknown file will cause this file to be associated with unknown malware. Using the users' role weights makes it possible to even out a large number of users with an ordinary role (such as the "common user" role), who may make mistakes in determining new threats, while at the same time taking into account the influence of users with a senior role such as "expert". For example, when the set weight threshold is 1000 nominal units, the opinions of 2 "expert" role users or of 1000 "common user" role users will be enough to designate unknown software as malware. The following situation is possible: although a recently developed tool may in fact have been used to create malware (most commonly, the user is confused by a trojan program), when more mistakes have been made by users with the "common user" role, a sufficient number of opinions from users with the "advanced user" and "expert" roles will still allow the unknown software to be designated as malware. In another embodiment, if the weight of the logged event falls below a second set weight threshold (for example, the weight becomes lower than -1000), it can be determined that the event is not associated with an unknown threat.
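The weighted ruling aggregation of Figures 11a and 19, as an added Python example that is not the patent's own code. Role weights follow Table 5 and the +1000 / -1000 thresholds are the example values from the text; the event identifiers and the batch of sample rulings are constructed for the demonstration.

```python
"""Weighted aggregation of user rulings on an unknown object (Figures 11a, 19).

Added example, not the patent's own code. Role weights come from Table 5; the
thresholds are the example values given in the text; event identifiers below
are constructed placeholders.
"""
from collections import defaultdict

# Table 5: weight of one ruling by role.
ROLE_WEIGHT = {"common user": 1, "advanced user": 10, "expert": 500}

HARMFUL_THRESHOLD = 1000    # step 1130 / 1980: object declared harmful
HARMLESS_THRESHOLD = -1000  # second threshold: object declared not a threat


class RulingAggregator:
    """Keeps the running weight of each logged event at the cloud service."""

    def __init__(self, harmful=HARMFUL_THRESHOLD, harmless=HARMLESS_THRESHOLD):
        self.harmful_threshold = harmful
        self.harmless_threshold = harmless
        # Key: the event being judged. For a single event this is e.g. the
        # file's MD5 sum; for an event chain (download, then start) a tuple.
        self.weights = defaultdict(int)

    def record(self, event, role, blocked):
        """Steps 1950-1970: a block adds the role weight, an allow subtracts it.

        Returns the verdict after this ruling has been applied.
        """
        weight = ROLE_WEIGHT[role]
        self.weights[event] += weight if blocked else -weight
        return self.verdict(event)

    def verdict(self, event):
        """Step 1980: compare the accumulated weight with both thresholds."""
        total = self.weights[event]
        if total >= self.harmful_threshold:
            return "harmful"
        if total <= self.harmless_threshold:
            return "harmless"
        return "unknown"


def aggregate(rulings, harmful=HARMFUL_THRESHOLD, harmless=HARMLESS_THRESHOLD):
    """Apply a batch of (event, role, blocked) rulings; return the final verdicts."""
    agg = RulingAggregator(harmful, harmless)
    for event, role, blocked in rulings:
        agg.record(event, role, blocked)
    return {event: agg.verdict(event) for event in agg.weights}


# Constructed sample rulings (identifiers are placeholders, not real hashes).
SAMPLE_RULINGS = (
    # Two experts block the same unknown file: 2 * 500 = 1000 -> harmful.
    [("md5:file-A", "expert", True)] * 2
    # 999 common users block file B but one expert allows it: 999 - 500 = 499.
    + [("md5:file-B", "common user", True)] * 999
    + [("md5:file-B", "expert", False)]
    # An event chain judged as one unit (download then start of file C),
    # allowed by two experts: -1000 -> harmless.
    + [(("download", "start", "md5:file-C"), "expert", False)] * 2
)

if __name__ == "__main__":
    for event, verdict in aggregate(SAMPLE_RULINGS).items():
        print(event, "->", verdict)
```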
Figure 20 depicts one exemplary embodiment of a computer system 5, such as a network server, which may be suitable for implementing embodiments of the system of the present invention. In alternative embodiments, the system of the present invention can be implemented on personal computers, laptop computers, tablet computers, smartphones and other data processing devices. As shown, the computer 5 can include one or more processors 15, memory 20, one or more hard disk drives 30, an optical disc drive 35, serial ports 40, a graphics card 45, a sound card 50 and a network interface card 55, connected by a system bus 10. The system bus 10 can be any of several types of bus structures using any of a variety of known bus architectures, including a memory bus or memory controller, a peripheral bus and a local bus. The processor 15 can include one or more Core 2 Quad 2.33 GHz processors or microprocessors of other types.
The system memory 20 can include read-only memory (ROM) 21 and random-access memory (RAM) 23. The memory 20 can be implemented as DRAM (dynamic RAM), EPROM, EEPROM, flash memory or another type of memory architecture. ROM 21 stores the basic input/output system 22 (BIOS) containing the basic routines that help to transfer information between the components of the computer system 5, such as during start-up. RAM 23 stores the operating system 24 (OS), such as XP Professional or another type of operating system, which is responsible for managing and coordinating processes in the computer system 5 and for allocating and sharing the hardware resources of the computer system 5. The system memory 20 also stores applications and programs 25, such as service 306. The system memory 20 also stores the various runtime data 26 used by the programs 25.
The computer system 5 can further include a hard disk drive 30, such as a SATA magnetic hard disk drive (HDD), and an optical disc drive 35 for reading or writing removable optical discs such as CD-ROM, DVD-ROM or other optical media. The drives 30 and 35 and their associated computer-readable media provide non-volatile storage of the computer-readable instructions, data structures, applications and program modules/subroutines that implement the algorithms and methods disclosed herein. Although the exemplary computer system 5 uses magnetic and optical discs, those skilled in the art will recognize that other types of computer-readable media capable of storing data accessible by the computer system 5, such as magnetic tape cassettes, flash memory cards, digital video discs, RAM, ROM, EPROM and other types of memory, can also be used in alternative embodiments of the computer system.
The computer system 5 further includes a plurality of serial ports 40, such as Universal Serial Bus (USB), for connecting data input devices 75 such as a keyboard, mouse, touchpad and other devices. The serial ports 40 can also be used to connect data output devices 80 such as printers, scanners and other devices, and to connect other peripherals 85 such as external data storage devices. The system 5 can also include a graphics card 45, such as a GT 240M or another video card, for interfacing with a monitor 60 or other video reproduction device. The system 5 can also include a sound card 50 for producing sound via internal or external speakers 65. In addition, the system 5 can include a network interface card 55, such as an Ethernet, WiFi, GSM, Bluetooth or other wired, wireless or cellular network interface, for connecting the computer system 5 to a network 70, such as the Internet.
In various embodiments, the algorithms and methods described herein can be implemented in hardware, software, firmware or any combination thereof. If implemented in software, the functions can be stored on a non-transitory computer-readable medium in the form of one or more instructions or code. Computer-readable media include both computer storage media and communication media, both of which facilitate transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. In addition, any connection can be called a computer-readable medium. For example, if software is transmitted from a website, server or other remote resource using coaxial cable, fibre-optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, then these are included in the definition of the medium.
For the sake of clarity, not all routine features of the embodiments are shown and described here. It should be recognized that in the development of any such actual implementation, numerous implementation-specific decisions must be made in order to achieve the developer's specific goals, and that these specific goals will vary from one implementation to another and from one developer to another. It should also be recognized that such a development effort may be complex and time-consuming, but would nevertheless be a routine engineering undertaking for those of ordinary skill in the art having the benefit of this disclosure.
Furthermore, it is to be understood that the wording or terminology used herein is for the purpose of description and not of limitation, so that the wording or terminology of the present specification is to be interpreted by those skilled in the art in light of the teachings and guidance presented herein, in combination with the knowledge of one skilled in the relevant art. Moreover, unless explicitly stated otherwise, no term in the specification or claims is intended to be ascribed an uncommon or special meaning.
The various embodiments disclosed herein encompass present and future known equivalents of the known components referred to herein by way of illustration. Moreover, while embodiments and applications have been shown and described, it will be apparent to those skilled in the art having the benefit of this disclosure that many more modifications than mentioned above are possible without departing from the inventive concepts disclosed herein.

Claims (7)

1. A computer-implemented method for detecting unknown security threats, the method comprising:
receiving, from an anti-virus application deployed on a user's computer, information about an unknown security event associated with a software object executed on said computer, and a user ruling indicating whether said software object is harmful or harmless to the security of said computer;
identifying the user of said computer and the role of the user, wherein the role of said user indicates the level of expertise of the user in the field of computer security and is based mainly on the actions of the user, said actions including verified rulings associated with computer security;
if the role of said user indicates that said user has a high level of expertise in said field of computer security, accepting said user ruling that said software object is harmful or harmless;
if the role of said user indicates that said user has a low level of expertise in said field of computer security, analysing said information about said security event received from said anti-virus application to verify that said user ruling is correct; and
if said user ruling is accepted or verified as correct, updating an anti-virus database with said information about said security event and an indication that the associated software object is harmful or harmless, said anti-virus database being associated with said anti-virus application and containing information about known harmful and harmless software objects.
2. The method according to claim 1, further comprising:
if said user ruling is verified as correct, increasing the level of expertise of said user;
if the level of expertise of said user reaches a predefined threshold, raising the role of said user.
3. The method according to claim 1, wherein the level of expertise of said user in said field of computer security is based on one or more of the following:
the total number of computer threats detected by said user;
the number of unique computer threats detected by said user;
the user's level of fluency with said anti-virus software;
the infection frequency of said computer of said user; and
information about the programs installed on said user's computer and said user's use of said programs.
4. The method according to claim 1, further comprising:
detecting anomalies in said information received from said anti-virus application by comparing the received information with the history of threats detected by said user;
lowering the role of said user based on detecting one or more anomalies.
5. The method according to claim 1, wherein different roles have different associated weight coefficients, and wherein, according to said weight coefficient associated with the role of said user, said user ruling is given a higher or lower weight when said user ruling is verified.
6. The method according to claim 1, wherein, if said information about said security event received from said anti-virus application is insufficient to verify whether said user ruling is correct or incorrect, a processor is further configured to collect from said computer additional information about said security event and the associated software, and wherein said additional information comprises one or more of the following:
information about said security event generated by one or more different security modules of said anti-virus application, each module performing a different anti-virus analysis;
information about the software and hardware state of the computer at the time said security event occurred; and
the date, time and repetition frequency of said security event.
7. The method according to claim 1, wherein said software object comprises one of an executable file, a data file and a link.
CN201210352269.7A 2011-09-20 2012-09-20 Based on the system and method for the ruling detection computations machine security threat of computer user Active CN103065088B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
RU2011138462 2011-09-20
RU2011138462/08A RU2011138462A (en) 2011-09-20 2011-09-20 USE OF USER SOLUTIONS TO DETECT UNKNOWN COMPUTER THREATS

Publications (2)

Publication Number Publication Date
CN103065088A CN103065088A (en) 2013-04-24
CN103065088B true CN103065088B (en) 2016-03-30

Family

ID=48107716

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210352269.7A Active CN103065088B (en) 2011-09-20 2012-09-20 Based on the system and method for the ruling detection computations machine security threat of computer user

Country Status (2)

Country Link
CN (1) CN103065088B (en)
RU (1) RU2011138462A (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104283703A (en) * 2013-07-08 2015-01-14 中国移动通信集团黑龙江有限公司 User login reminding method and system
US9697365B2 (en) * 2013-09-06 2017-07-04 Microsoft Technology Licensing, Llc World-driven access control using trusted certificates
US9117077B2 (en) * 2013-09-27 2015-08-25 Bitdefender IPR Management Ltd. Systems and methods for using a reputation indicator to facilitate malware scanning
CN104572844B (en) * 2014-12-11 2018-03-23 百度在线网络技术(北京)有限公司 The method and apparatus of prompting message corresponding to target search result is provided
RU2587424C1 (en) * 2015-02-20 2016-06-20 Закрытое акционерное общество "Лаборатория Касперского" Method of controlling applications
RU2679783C2 (en) * 2015-12-18 2019-02-12 Закрытое акционерное общество "Лаборатория Касперского" Method of creating script of popular activation events
CN110383238B (en) * 2016-05-15 2024-01-05 新思科技有限公司 System and method for model-based software analysis
RU2637997C1 (en) * 2016-09-08 2017-12-08 Акционерное общество "Лаборатория Касперского" System and method of detecting malicious code in file
US10237293B2 (en) * 2016-10-27 2019-03-19 Bitdefender IPR Management Ltd. Dynamic reputation indicator for optimizing computer security operations
CN107403097A (en) * 2017-08-10 2017-11-28 清远博云软件有限公司 A kind of core system software running guard method
CN109241734A (en) * 2018-08-10 2019-01-18 航天信息股份有限公司 A kind of securing software operational efficiency optimization method and system
RU2739866C2 (en) * 2018-12-28 2020-12-29 Акционерное общество "Лаборатория Касперского" Method for detecting compatible means for systems with anomalies
RU2708353C1 (en) * 2018-12-28 2019-12-05 Акционерное общество "Лаборатория Касперского" System and method of proofing against scanning of eds files
CN110602119A (en) * 2019-09-19 2019-12-20 迈普通信技术股份有限公司 Virus protection method, device and system
CN112231750B (en) * 2020-10-14 2021-10-08 海南大学 Multi-mode privacy protection method
CN114064360B (en) * 2021-11-15 2024-04-09 南方电网数字电网研究院有限公司 Important information backup and encryption method based on combination of big data analysis and cloud computing
CN114826707B (en) * 2022-04-13 2022-11-25 中国人民解放军战略支援部队航天工程大学 Method, apparatus, electronic device and computer readable medium for handling user threats

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102203791A (en) * 2008-08-29 2011-09-28 Avg技术捷克有限责任公司 System and method for detection of malware
EP2169582A1 (en) * 2008-09-25 2010-03-31 Symantec Corporation Method and apparatus for determining software trustworthiness
EP2169583A1 (en) * 2008-09-26 2010-03-31 Symantec Corporation Method and apparatus for reducing false positive detection of malware
EP2306357A2 (en) * 2009-10-01 2011-04-06 Kaspersky Lab Zao Method and system for detection of previously unknown malware

Also Published As

Publication number Publication date
CN103065088A (en) 2013-04-24
RU2011138462A (en) 2013-04-10

Similar Documents

Publication Publication Date Title
CN103065088B (en) Based on the system and method for the ruling detection computations machine security threat of computer user
US8214905B1 (en) System and method for dynamically allocating computing resources for processing security information
US12111918B2 (en) Microservice adaptive security hardening
US10154066B1 (en) Context-aware compromise assessment
US8209758B1 (en) System and method for classifying users of antivirus software based on their level of expertise in the field of computer security
Su et al. Evil under the sun: Understanding and discovering attacks on ethereum decentralized applications
CN102651061B (en) System and method of protecting computing device from malicious objects using complex infection schemes
US8214904B1 (en) System and method for detecting computer security threats based on verdicts of computer users
CN102176224B (en) Methods and apparatus for dealing with malware
CN103679031B (en) A kind of immune method and apparatus of file virus
EP2790122B1 (en) System and method for correcting antivirus records to minimize false malware detections
Ahmed Automated analysis approach for the detection of high survivable ransomwares
EP2975873A1 (en) A computer implemented method for classifying mobile applications and computer programs thereof
CN103065094A (en) System and method for detecting malware targeting the boot process of a computer using boot process emulation
CN101901314A (en) The detection of wrong report and minimizing during anti-malware is handled
CN103109295B (en) Be created in the system and method for the customization confidence belt used in malware detection
EP2584488B1 (en) System and method for detecting computer security threats based on verdicts of computer users
RU2481633C2 (en) System and method for automatic investigation of safety incidents
Albishry et al. An attribute extraction for automated malware attack classification and detection using soft computing techniques
Gupta et al. Developing a blockchain-based and distributed database-oriented multi-malware detection engine
Hiremath A novel approach for analyzing and classifying malicious web pages
Luh et al. Advanced threat intelligence: detection and classification of anomalous behavior in system processes
Chukwu Leveraging the MITRE ATT&CK Framework to Enhance Organizations Cyberthreat Detection Procedures
Sarath et al. Malware Forensics Analysis and Detection in Cyber Physical Systems
Marulli et al. Let’s gossip: Exploring malware zero-day time windows by social network analysis

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant