CN103607381B - White list generation method, malicious program detection method, client and server - Google Patents


Info

Publication number: CN103607381B
Authority: CN (China)
Prior art keywords: program, behavior, white list, performance, feature
Legal status: Active
Application number: CN201310552867.3A
Other languages: Chinese (zh)
Other versions: CN103607381A (en)
Inventors: 周鸿祎, 齐向东
Current Assignee: Beijing Qihoo Technology Co Ltd
Original Assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by: Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to: CN201310552867.3A (CN103607381B)
Priority claimed from: CN2010102569733A (CN101924761B)
Publication of CN103607381A; application granted; publication of CN103607381B

Abstract

The invention discloses a malicious program detection method based on a white list. The method comprises: a database at the server end establishes a white list of legitimate programs and collects updates to it; a client collects the program features and/or program behaviors of a program and sends them to the server end for a query; and the server end analyzes and compares them against the white list and, according to the comparison result, determines the legitimacy or trust value of the program and feeds it back to the client. By using the white list to identify legitimate programs, a program that is not on the white list can be judged to be a malicious program, so that malicious programs are identified and removed from a different angle.

Description

White list generation method, malicious program detection method, client and server
This patent application is a divisional application of the Chinese invention patent application filed on August 18, 2010, with application No. 201010256973.3, entitled "Method for detecting malicious programs according to a white list".
Technical field
The invention belongs to the field of network security and, specifically, relates to a method for detecting malicious programs according to a white list.
Background
Traditional detection and removal of malicious programs depends on a signature database. The signature database consists of signatures of malicious program samples collected by the vendor. A signature is a segment of program code, similar to a "search keyword", that analysis engineers extract after finding where a malicious program differs from legitimate software. During scanning, the engine reads a file and matches it against all the signature "keywords" in the database; if the file's program code is hit, the file can be judged to be a malicious program.
Local heuristic antivirus was later derived from this approach. It is a dynamic debugger or decompiler implemented in a specific way, which gradually understands and determines the real motive of a program by decompiling the relevant instruction sequences. Malicious programs differ from normal programs in many respects. For example, the initial instructions of an ordinary application usually check whether the command-line input carries parameters, clear the screen and save the original screen display, whereas the initial instructions of a malicious program are usually direct disk write operations, decoding instructions, or instruction sequences such as searching for executable programs under a certain path. A skilled programmer can see these obvious differences at a glance in a debugger. Heuristic code scanning is in effect this experience and knowledge transplanted into a specific program within antivirus software.
However, the above methods of detecting and removing malicious software are all based on malicious behaviors and/or malicious features: a program is first judged to be malicious or not, and only then is it decided whether to remove or clean it. This inevitably leads to the following drawbacks.
According to statistics, the number of malicious programs worldwide is growing geometrically. Given this explosive growth, the generation and updating of signature databases often lags behind, and the addition of malicious program signatures to the database cannot keep up with the endless stream of unknown malicious programs.
In addition, in recent years, as malicious program authors have adopted detection-evasion techniques, packing a malicious program or modifying its signature has become more and more common, and many Trojan programs use increasingly frequent and rapid automatic mutation. All of this makes it harder and harder to judge malicious programs by malicious behaviors and/or malicious features, and therefore harder to remove or clean them.
Summary of the invention
In view of this, the technical problem to be solved by the invention is to provide a method for detecting malicious programs according to a white list that does not depend on a local database and that identifies malicious programs inversely, based on the identification of legitimate programs.
To solve the above technical problem, the invention discloses a method for detecting malicious programs according to a white list, comprising: a database at the server end establishes a white list of legitimate programs and collects updates to it; a client collects the program features and/or program behaviors of a program and sends them to the server end for a query; the server end analyzes and compares them against the white list according to the program features and/or program behaviors, judges the legitimacy or trust value of the program according to the comparison result, and feeds the result back to the client.
Further, the server end compares the program features and/or program behaviors with the legitimate program features and/or legitimate program behaviors stored in the white list; if there is a hit, the program is judged to be a legitimate program and this is fed back to the client; if there is no hit, the program is judged to be a malicious program and this is fed back to the client.
Further, the server end compares a group of program features and/or a group of program behaviors of the program with the legitimate program features and/or legitimate program behaviors stored in the white list, assigns the program a trust value according to the degree of hit, and feeds the trust value back to the client; the client presets a threshold and compares the trust value with it: if the trust value is not less than the threshold, the program is judged to be a legitimate program; if the trust value is less than the threshold, the program is judged to be a malicious program.
Further, if the group of program features and/or group of program behaviors all hit in the white list, the server end assigns the program a highest trust value; if the group of program features and/or group of program behaviors all miss in the white list, the server end assigns the program a lowest trust value.
Further, the method also includes: the client decides, according to the judgment result, to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program, and restore the system environment.
Further, the method also includes: the client decides, according to the judgment result and in combination with attributes of the malicious program, whether to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program.
Further, the attributes include: whether the malicious program is an auto-start program and/or whether the malicious program resides in a system directory.
Further, the step in which the database at the server end collects updates to the white list of legitimate programs includes: periodically collecting legitimate programs manually, using spiders or web crawlers, and/or through user uploads; and screening the program features and/or program behaviors of the legitimate programs, manually or automatically with tools, and saving them in the white list.
Further, the step in which the database at the server end collects updates to the white list of legitimate programs includes: analyzing unknown program features and program behaviors according to the legitimate program features in the existing known white list and their corresponding program behaviors, so as to update the white list.
Further, the program features include: static features in the program file and/or static feature strings.
Further, the step of analyzing unknown program features and their program behaviors includes: if an unknown program feature is identical to a known program feature in the existing white list, adding the unknown program feature and its program behavior to the white list; if an unknown program behavior is identical or similar to a known program behavior in the existing white list, adding the unknown program behavior and its program feature to the white list; when a program behavior is added to the white list, adding the program feature corresponding to that behavior in the database to the white list, and also adding the other program behaviors and program features associated with that behavior; and/or when a program feature is added to the white list, adding the program behavior corresponding to that feature in the database to the white list, and also adding the other program behaviors and program features associated with that feature.
Further, the method also includes: establishing an association of behaviors and features between programs that have identical or similar behaviors, and analyzing unknown program features and program behaviors according to the association between the programs with identical or similar behaviors, so as to update the white list.
Compared with existing solutions, the technical effects obtained by the invention are as follows:
The invention uses a white list to identify legitimate programs, so that any program not belonging to the white list is judged to be a malicious program; malicious programs are thus identified and removed from a different angle;
At the same time, a cloud security architecture is introduced: all "cloud security" clients are connected in real time to the "cloud security" server, and the judgment and analysis of legitimate programs is carried out at the server end;
In addition, the invention also collects program behaviors through the client and associates them with program features, so that program features and their corresponding program behaviors are recorded in the database. Based on the association between the collected program behaviors and program features, samples can be analyzed and generalized in the database, which helps in determining the legitimacy of software or programs.
Brief description of the drawings
Fig. 1 is a schematic diagram of the implementation mode of the invention;
Fig. 2 is a flow chart of the method of the invention for detecting malicious programs according to a white list;
Fig. 3 is a schematic diagram of the association according to an embodiment of the invention.
Detailed description of the embodiments
Embodiments of the invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented accordingly.
The core idea of the invention is: a database at the server end establishes a white list of legitimate programs and collects updates to it; a client collects the program features and/or program behaviors of a program and sends them to the server end for a query; the server end analyzes and compares them against the white list according to the program features and/or program behaviors, judges the program according to the comparison result, and feeds the result back to the client.
The following describes the white-list-based method of detecting malicious programs in a cloud security mode made up of a large number of client computers 102 and a server end 104. The cloud structure is a large-scale client/server (CS) architecture, as shown in Fig. 1, which is a schematic diagram of the implementation mode of the invention.
Referring to Fig. 2, the flow chart of the method of the invention for detecting malicious programs according to a white list, the method includes:
S1, a database at the server end establishes a white list of legitimate programs and collects updates to it;
S2, a client collects the program features and/or program behaviors of a program and sends them to the server end for a query;
S3, the server end analyzes and compares them against the white list according to the program features and/or program behaviors, judges the program according to the comparison result, and feeds the result back to the client;
S4, the client decides, according to the judgment result, to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program, and restore the system environment; or
the client decides, according to the judgment result and in combination with attributes of the malicious program, whether to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program;
the attributes include: whether the malicious program is an auto-start program and/or whether the malicious program resides in a system directory.
Step S3 can be implemented in the following ways.
First approach: the server end compares the program features and/or program behaviors with the legitimate program features and/or legitimate program behaviors stored in the white list; if there is a hit, the program is judged to be a legitimate program and this is fed back to the client; if there is no hit, the program is judged to be a malicious program and this is fed back to the client.
Second approach: the server end compares a group of program features and/or a group of program behaviors of the program with the legitimate program features and/or legitimate program behaviors stored in the white list, assigns the program a trust value according to the degree of hit, and feeds the trust value back to the client; the client presets a threshold and compares the trust value with it: if the trust value is not less than the threshold, the program is judged to be a legitimate program; if the trust value is less than the threshold, the program is judged to be a malicious program.
As for setting the trust value: if the group of program features and/or group of program behaviors all hit in the white list, the server end assigns the program a highest trust value; if they all miss in the white list, the server end assigns the program a lowest trust value; for a program whose hit rate lies between these two extremes, the trust value is set following the same trend.
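The query in steps S2 and S3 with the second approach can be sketched as follows. This is an added example, not code from the patent; the 0 to 100 trust scale, the linear interpolation between the two extremes, the behavior names and the threshold of 60 are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed scale: the text only speaks of a "lowest" and a "highest" trust value.
TRUST_MIN, TRUST_MAX = 0, 100


@dataclass
class WhiteList:
    """Server-side store of legitimate program features and behaviors."""
    features: set = field(default_factory=set)    # e.g. SHA-1 of the program file
    behaviors: set = field(default_factory=set)   # normalized behavior names


def collect(file_bytes, observed_behaviors):
    """Client, step S2: one static feature plus the behaviors observed."""
    return {
        "features": [hashlib.sha1(file_bytes).hexdigest()],
        "behaviors": sorted(set(observed_behaviors)),
    }


def hit_flags(whitelist, query):
    """One boolean per submitted feature and behavior: is it in the white list?"""
    flags = [f in whitelist.features for f in query["features"]]
    flags += [b in whitelist.behaviors for b in query["behaviors"]]
    return flags


def trust_value(whitelist, query):
    """Server, step S3 (second approach): trust value from the degree of hit.

    All hits give TRUST_MAX and all misses give TRUST_MIN, as the text states.
    The linear interpolation in between is an assumption. An empty query
    carries no evidence of legitimacy, so it gets TRUST_MIN.
    """
    flags = hit_flags(whitelist, query)
    if not flags:
        return TRUST_MIN
    return TRUST_MIN + (TRUST_MAX - TRUST_MIN) * sum(flags) // len(flags)


def client_verdict(trust, threshold):
    """Client: "not less than the threshold" means legitimate."""
    return "legitimate" if trust >= threshold else "malicious"


def sample_whitelist():
    """Constructed sample data, not taken from any real product."""
    known = b"constructed sample: bytes of a known installer"
    return WhiteList(
        features={hashlib.sha1(known).hexdigest()},
        behaviors={"read_own_config", "create_window", "write_own_dir"},
    )


def run_samples(threshold=60):
    """Three constructed queries: full hit, partial hit, full miss."""
    wl = sample_whitelist()
    queries = {
        "known": collect(b"constructed sample: bytes of a known installer",
                         ["read_own_config", "create_window"]),
        "partial": collect(b"constructed sample: repacked variant",
                           ["read_own_config", "create_window",
                            "write_autorun_key"]),
        "unknown": collect(b"constructed sample: never seen",
                           ["write_raw_disk", "scan_for_executables"]),
    }
    results = {}
    for name, query in queries.items():
        trust = trust_value(wl, query)
        results[name] = (trust, client_verdict(trust, threshold))
    return results


if __name__ == "__main__":
    for name, (trust, verdict) in run_samples().items():
        print(f"{name:8s} trust={trust:3d} -> {verdict}")
```

The "partial" sample shows why the threshold matters: a changed file hash alone does not drop the trust value to the minimum, because the behaviors that still match the white list count toward the degree of hit.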
For step S1, the step in which the database at the server end collects updates to the white list of legitimate programs can be implemented in the following ways.
First approach: technical staff periodically collect legitimate programs manually, using spiders or web crawlers, and/or through user uploads; the program features and/or program behaviors of the legitimate programs are screened, manually or automatically with tools, and saved in the white list.
Second approach: unknown program features and program behaviors are analyzed according to the legitimate program features in the existing known white list and their corresponding program behaviors, so as to update the white list.
The program feature can be a static feature in the program file, such as an MD5 verification code obtained by MD5 (Message-Digest Algorithm 5) computation, a SHA1 code, a CRC (Cyclic Redundancy Check) code, or another signature that can uniquely identify the original program; it can also be a static feature string in the program file.
The construction and dynamic maintenance of the server-end database white list in the second approach are explained below.
The main idea is: unknown program features and program behaviors are analyzed according to the program features in the existing known white list and their corresponding program behaviors, so as to update the white list. Such comparative analysis sometimes requires no tracking analysis of the program's behavior itself; a simple comparison with the known program behaviors in the existing white list is enough to determine the nature of the unknown program.
Because the database records program features together with the behaviors corresponding to each feature, unknown programs can be analyzed in combination with the known white list.
For example, if an unknown program feature is identical to a known program feature in the existing white list, the unknown program feature and its program behavior are both added to the white list.
If an unknown program behavior is identical or similar to a known program behavior in the existing white list, the unknown program behavior and its program feature are both added to the white list.
By analyzing the records in the database, we can find that some programs have identical or similar behaviors but different program features. In that case, we only need to establish an association of behaviors and features between the programs with identical or similar behaviors; according to this association, unknown program features and program behaviors can be analyzed more easily, so as to update the white list.
Fig. 3 is a schematic diagram of the association according to an embodiment of the invention. Assume that the features of unknown programs A, B and C are A, B and C respectively, and that their corresponding program behaviors are A1~A4, B1~B4 and C1~C4. If analysis finds that the program behaviors A1~A4, B1~B4 and C1~C4 are substantially identical or very similar, an association of features and behaviors can be established between features A, B, C and behaviors A1~A4, B1~B4, C1~C4.
Through this association, the database can, under certain conditions, be maintained more efficiently by self-extension. For example, when the program behaviors B1~B4 of program B are confirmed to be legitimate program behaviors and added to the white list, program feature B corresponding to these behaviors can be automatically added to the white list in the database; at the same time, according to the association, the associated program behaviors A1~A4 and C1~C4 and the corresponding program features A and C can also be automatically added to the white list.
As another example, suppose programs A, B and C are all initially programs whose black or white status is unknown, and program feature B is first confirmed, through other malware detection channels, to be a feature of a legitimate program. The set of behaviors B1~B4 can then be automatically added to the white list in the database; according to the association, features A and C, which have identical or similar behaviors, can also be added to the white list, along with program behaviors A1~A4 and C1~C4.
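The association-driven update from the two examples above (Fig. 3) can be sketched as follows. This is an added example, not code from the patent: the text does not define "similar" behavior, so the Jaccard similarity measure, the 0.75 cut-off, the feature labels and the behavior names are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass, field


def similarity(a, b):
    """Jaccard similarity of two behavior sets (assumed measure of "similar")."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


@dataclass
class Database:
    records: dict                    # program feature -> set of recorded behaviors
    min_similarity: float = 0.75     # assumed cut-off for "identical or similar"
    white_features: set = field(default_factory=set)
    white_behaviors: set = field(default_factory=set)

    def associated(self, feature):
        """Features whose recorded behaviors match those of `feature`."""
        base = self.records[feature]
        return {f for f, beh in self.records.items()
                if f != feature and similarity(base, beh) >= self.min_similarity}

    def confirm_feature(self, feature):
        """A feature is confirmed legitimate: list it, its behaviors, and the
        directly associated features with their behaviors.

        Only programs similar to the confirmed one are added. Programs that
        merely resemble an associated program are not pulled in, so trust
        does not spread along a chain of pairwise-similar samples.
        """
        added = {feature} | self.associated(feature)
        for f in added:
            self.white_features.add(f)
            self.white_behaviors |= self.records[f]
        return added

    def confirm_behaviors(self, behaviors):
        """A behavior set is confirmed legitimate: list every feature recorded
        with exactly that set, then apply the association for each."""
        wanted = set(behaviors)
        added = set()
        for f, beh in self.records.items():
            if beh == wanted:
                added |= self.confirm_feature(f)
        return added


BASE = {"read_own_config", "create_window", "http_get_update", "write_own_dir"}


def build_sample_db():
    """Constructed records; feat-A to feat-E stand in for file hashes."""
    return Database(records={
        "feat-A": set(BASE),
        "feat-B": set(BASE),
        "feat-C": BASE | {"read_registry_settings"},
        "feat-D": {"write_raw_disk", "decode_self", "scan_for_executables"},
        # feat-E is close to feat-C (5/6) but not close enough to feat-B (4/6).
        "feat-E": BASE | {"read_registry_settings", "write_autorun_key"},
    })


if __name__ == "__main__":
    db = build_sample_db()
    print("added:", sorted(db.confirm_feature("feat-B")))
    print("white-listed behaviors:", sorted(db.white_behaviors))
```

With these records, confirming feat-B lists feat-A and feat-C as well, while feat-D and feat-E stay outside the white list.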
Because the database records the behaviors corresponding to program features, the invention makes behavior analysis of unknown programs much more convenient. The analysis method of the invention is not limited to the above; methods such as decision trees, Bayesian algorithms and neural network computation, or simple threshold analysis, can also be applied well on the basis of the database of the invention.
The above description illustrates and describes several preferred embodiments of the invention. As stated earlier, however, it should be understood that the invention is not limited to the forms disclosed herein; these should not be regarded as excluding other embodiments, and the invention can be used in various other combinations, modifications and environments, and can be modified within the scope of the inventive concept described herein through the above teachings or the technology or knowledge of the related field. Modifications and changes made by those skilled in the art that do not depart from the spirit and scope of the invention shall all fall within the protection scope of the appended claims.

Claims (23)

1. A white list generation method, comprising:
periodically collecting legitimate programs;
screening out the program features and/or program behaviors of the legitimate programs;
saving the program features and/or program behaviors to generate a white list;
analyzing unknown program features and program behaviors according to the legitimate program features in the generated white list and their corresponding program behaviors, so as to update the white list;
wherein analyzing the unknown program features and program behaviors further comprises: if an unknown program feature is identical to a known program feature in the generated white list, adding the unknown program feature and its program behavior to the white list;
if an unknown program behavior is identical or similar to a known program behavior in the generated white list, adding the unknown program behavior and its program feature to the white list;
when a program behavior is added to the white list, adding the program feature corresponding to that program behavior to the white list, and also adding the other program behaviors and program features associated with that program behavior to the white list; and/or
when a program feature is added to the white list, adding the program behavior corresponding to that program feature to the white list, and also adding the other program behaviors and program features associated with that program feature to the white list.
2. The method as claimed in claim 1, further comprising:
establishing an association of behaviors and features between programs that have identical or similar behaviors, and analyzing unknown program features and program behaviors according to the association between the programs with identical or similar behaviors, so as to update the white list.
3. The method as claimed in claim 2, wherein the program features include static features in the program file and/or static feature strings.
4. A malicious program detection method, comprising:
collecting the program features and/or program behaviors of a program and sending them for a query, wherein the query comprises: analyzing the program features and program behaviors according to the legitimate program features in the generated white list and their corresponding program behaviors, so as to update the white list; wherein analyzing the program features and program behaviors further comprises: if a program feature of the program is identical to a known program feature in the generated white list, adding the program feature of the program and its program behavior to the white list;
if a program behavior of the program is identical or similar to a known program behavior in the generated white list, adding the program behavior of the program and its program feature to the white list;
when a program behavior of the program is added to the white list, adding the program feature corresponding to that program behavior to the white list, and also adding the program behaviors and program features of other programs associated with that program behavior to the white list; and/or
when a program feature of the program is added to the white list, adding the program behavior corresponding to that program feature to the white list, and also adding the program behaviors and program features of other programs associated with that program feature to the white list;
judging whether the program is a malicious program according to the query result fed back.
5. The malicious program detection method as claimed in claim 4, wherein judging whether the program is a malicious program according to the query result fed back further comprises:
presetting a threshold;
comparing the query result fed back with the threshold;
if the query result fed back is not less than the threshold, judging the program to be a legitimate program; if the query result fed back is less than the threshold, judging the program to be a malicious program.
6. The method as claimed in claim 4 or 5, further comprising: deciding, according to the query result fed back, to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program, and restore the system environment.
7. The method as claimed in claim 4 or 5, further comprising: deciding, according to the judgment result and in combination with attributes of the malicious program, whether to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program.
8. The method as claimed in claim 7, wherein the attributes include: whether the malicious program is an auto-start program and/or whether the malicious program resides in a system directory.
9. A client, comprising:
a collection unit, adapted to collect the program features and/or program behaviors of a program and send them for a query, wherein the query comprises: analyzing the program features and program behaviors according to the legitimate program features in the generated white list and their corresponding program behaviors, so as to update the white list; wherein analyzing the program features and program behaviors further comprises: if a program feature of the program is identical to a known program feature in the generated white list, adding the program feature of the program and its program behavior to the white list;
if a program behavior of the program is identical or similar to a known program behavior in the generated white list, adding the program behavior of the program and its program feature to the white list;
when a program behavior of the program is added to the white list, adding the program feature corresponding to that program behavior to the white list, and also adding the program behaviors and program features of other programs associated with that program behavior to the white list; and/or
when a program feature of the program is added to the white list, adding the program behavior corresponding to that program feature to the white list, and also adding the program behaviors and program features of other programs associated with that program feature to the white list;
a judgment unit, adapted to judge whether the program is a malicious program according to the query result fed back.
10. The client as claimed in claim 9, wherein the judgment unit comprises:
a threshold setting unit, adapted to preset a threshold;
a comparison unit, adapted to compare the query result fed back with the threshold;
a result determination unit, adapted to judge the program to be a legitimate program if the query result fed back is not less than the threshold, and to judge the program to be a malicious program if the query result fed back is less than the threshold.
11. The client as claimed in claim 9 or 10, further comprising:
a first processing unit, adapted to decide, according to the query result fed back, to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program, and restore the system environment.
12. The client as claimed in claim 9 or 10, further comprising:
a second processing unit, adapted to decide, according to the judgment result and in combination with attributes of the malicious program, whether to intercept the malicious program's behavior, terminate execution of the malicious program and/or clean up the malicious program.
13. The client as claimed in claim 12, wherein the attributes include: whether the malicious program is an auto-start program and/or whether the malicious program resides in a system directory.
14. A malicious program detection method, comprising:
Receiving the program feature and/or program behavior of a program sent by a sender;
Performing analysis and comparison in a white list according to the program feature and/or program behavior, the white list being used to store legitimate program features and/or legitimate program behaviors, wherein the analysis and comparison includes: if the program feature of the program is identical to a known program feature in the generated white list, listing the program feature of the program and its program behavior in the white list;
If the program behavior of the program is identical or approximate to a known program behavior in the generated white list, listing the program behavior of the program and its program feature in the white list;
When the program behavior of the program is listed in the white list, listing the program feature corresponding to the program behavior of the program in the white list, and also listing in the white list the program behaviors and program features of other programs related to the program behavior of the program; and/or
When the program feature of the program is listed in the white list, listing the program behavior corresponding to the program feature of the program in the white list, and also listing in the white list the program behaviors and program features of other programs related to the program feature of the program;
Determining the legitimacy or trust value of the program according to the comparison result and feeding it back to the sender.
15. The method according to claim 14, wherein the comparison result includes hit and not hit, wherein,
If hit, the program is determined to be a legitimate program; if not hit, the program is determined to be a malicious program.
16. The method according to claim 15, wherein determining the legitimacy or trust value of the program according to the comparison result and feeding it back to the sender further includes:
Assigning a trust value to the program according to the degree of hit, and feeding the trust value back to the sender.
17. The method according to claim 16, wherein, if a set of program features and/or a set of program behaviors are all hit in the white list, a highest trust value is assigned to the program; if the set of program features and/or the set of program behaviors are all not hit in the white list, a lowest trust value is assigned to the program.
18. The method according to any one of claims 14 to 17, further comprising collecting and updating the white list of legitimate programs.
19. A server, comprising:
A receiving unit, adapted to receive the program feature and/or program behavior of a program sent by a sender;
A comparing unit, adapted to perform analysis and comparison in a white list according to the program feature and/or program behavior, the white list being used to store legitimate program features and/or legitimate program behaviors, wherein the analysis and comparison includes: if the program feature of the program is identical to a known program feature in the generated white list, listing the program feature of the program and its program behavior in the white list;
If the program behavior of the program is identical or approximate to a known program behavior in the generated white list, listing the program behavior of the program and its program feature in the white list;
When the program behavior of the program is listed in the white list, listing the program feature corresponding to the program behavior of the program in the white list, and also listing in the white list the program behaviors and program features of other programs related to the program behavior of the program; and/or
When the program feature of the program is listed in the white list, listing the program behavior corresponding to the program feature of the program in the white list, and also listing in the white list the program behaviors and program features of other programs related to the program feature of the program;
A determining unit, adapted to determine the legitimacy or trust value of the program according to the comparison result and feed it back to the sender.
20. The server according to claim 19, wherein the comparison result includes hit and not hit, wherein,
If hit, the program is determined to be a legitimate program; if not hit, the program is determined to be a malicious program.
21. The server according to claim 20, wherein the determining unit is further adapted to:
Assign a trust value to the program according to the degree of hit, and feed the trust value back to the sender.
22. The server according to claim 21, wherein the determining unit is further adapted to:
If a set of program features and/or a set of program behaviors are all hit in the white list, assign a highest trust value to the program; if the set of program features and/or the set of program behaviors are all not hit in the white list, assign a lowest trust value to the program.
23. The server according to any one of claims 19 to 22, further comprising:
A white list updating unit, adapted to collect and update the white list of legitimate programs.
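An added sketch of the server-side lookup in claims 14 to 17, not code from the patent or its assignee: it scores a submission against the white list, derives a trust value from the degree of hit, and only then lists the program's features and behaviors in the white list. The 0 to 100 trust scale, the string encoding of features and behaviors, exact-match comparison (approximate matching and related-program propagation are not modelled) and all sample values are assumptions.

```python
from dataclasses import dataclass, field

HIGHEST_TRUST, LOWEST_TRUST = 100, 0  # assumed scale; the claims fix no numbers


@dataclass
class WhiteList:
    features: set = field(default_factory=set)   # assumed: file hashes as strings
    behaviors: set = field(default_factory=set)  # assumed: normalized behavior labels

    def check(self, features, behaviors, learn=True):
        """Compare one program's submission; return (verdict, trust value)."""
        features, behaviors = set(features), set(behaviors)
        submitted = len(features) + len(behaviors)
        if submitted == 0:
            return "malicious", LOWEST_TRUST  # assumption: nothing to compare is a miss
        # Score first: learning before scoring would turn every partial
        # hit into a full hit.
        hits = len(features & self.features) + len(behaviors & self.behaviors)
        trust = LOWEST_TRUST + (HIGHEST_TRUST - LOWEST_TRUST) * hits // submitted
        verdict = "legitimate" if hits else "malicious"
        if learn and hits:
            # Claim 14: a hit on a feature or a behavior lists the program's
            # features and behaviors in the white list.
            self.features |= features
            self.behaviors |= behaviors
        return verdict, trust


def demo():
    """Run four constructed submissions against a constructed white list."""
    wl = WhiteList(features={"hash:aaa"}, behaviors={"read:own_config"})
    return [
        wl.check({"hash:aaa"}, {"read:own_config"}),                     # all hit
        wl.check({"hash:bbb"}, {"read:own_config", "write:temp_file"}),  # partial hit
        wl.check({"hash:ccc"}, {"write:temp_file"}),   # hits via the entry learned above
        wl.check({"hash:ddd"}, {"modify:autostart"}),  # all miss
    ]


if __name__ == "__main__":
    for verdict, trust in demo():
        print(verdict, trust)
```

With `learn=False` the third submission would score as a miss, which makes the effect of the listing step on later verdicts visible when reviewing white list growth.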
CN201310552867.3A 2010-08-18 2010-08-18 White list generation method, malicious program detection method, client and server Active CN103607381B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310552867.3A CN103607381B (en) 2010-08-18 2010-08-18 White list generation method, malicious program detection method, client and server

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310552867.3A CN103607381B (en) 2010-08-18 2010-08-18 White list generation method, malicious program detection method, client and server
CN2010102569733A CN101924761B (en) 2010-08-18 2010-08-18 Method for detecting malicious program according to white list

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN2010102569733A Division CN101924761B (en) 2010-08-18 2010-08-18 Method for detecting malicious program according to white list

Publications (2)

Publication Number Publication Date
CN103607381A CN103607381A (en) 2014-02-26
CN103607381B true CN103607381B (en) 2017-02-15

Family

ID=50125581

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310552867.3A Active CN103607381B (en) 2010-08-18 2010-08-18 White list generation method, malicious program detection method, client and server

Country Status (1)

Country Link
CN (1) CN103607381B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105303107A (en) * 2014-06-06 2016-02-03 中兴通讯股份有限公司 Abnormal process detection method and apparatus
CN104252372A (en) * 2014-09-19 2014-12-31 北京数字天域科技股份有限公司 Methods, devices and system for generating application reservation lists and deleting pre-installed applications
US10104107B2 (en) 2015-05-11 2018-10-16 Qualcomm Incorporated Methods and systems for behavior-specific actuation for real-time whitelisting
CN105786579B (en) * 2016-03-28 2020-06-23 联想(北京)有限公司 Processing method and device, and method and device for preventing program from starting
CN106971106A (en) * 2017-03-30 2017-07-21 维沃移动通信有限公司 A kind of method, mobile terminal and server for recognizing unauthorized applications
CN107729753A (en) * 2017-09-22 2018-02-23 郑州云海信息技术有限公司 A kind of defence method and system of computer unknown virus
CN107835317B (en) * 2017-11-21 2021-05-04 Oppo广东移动通信有限公司 Scheduling job control method, device, terminal equipment and storage medium
CN112597494A (en) * 2020-12-21 2021-04-02 成都安思科技有限公司 Behavior white list automatic collection method for malicious program detection
TWI796683B (en) * 2021-04-30 2023-03-21 精品科技股份有限公司 Method of client-side application control

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101593253A (en) * 2009-06-22 2009-12-02 成都市华为赛门铁克科技有限公司 A kind of rogue program determination methods and device

Also Published As

Publication number Publication date
CN103607381A (en) 2014-02-26

Similar Documents

Publication Publication Date Title
CN103607381B (en) White list generation method, malicious program detection method, client and server
US9715588B2 (en) Method of detecting a malware based on a white list
US9916447B2 (en) Active defense method on the basis of cloud security
US10110619B2 (en) Method and product for providing a predictive security product and evaluating existing security products
Zheng et al. Droid analytics: a signature based analytic system to collect, extract, analyze and associate android malware
CN103475671B (en) Malware detection methods
US8667583B2 (en) Collecting and analyzing malware data
CN101923617B (en) Cloud-based sample database dynamic maintaining method
KR101693370B1 (en) Fuzzy whitelisting anti-malware systems and methods
CN106529294B (en) A method of determine for mobile phone viruses and filters
CN104573515A (en) Virus processing method, device and system
WO2016058403A1 (en) Processing method, system and device for virus file
KR102120200B1 (en) Malware Crawling Method and System
CN103501294B (en) The determining program whether method of malice
Huh et al. A comprehensive analysis of today’s malware and its distribution network: Common adversary strategies and implications
Huang et al. A large-scale study of android malware development phenomenon on public malware submission and scanning platform
Luh et al. Behavior-based malware recognition
Matin Ransomware Extraction Using Static Portable Executable (PE) Feature-Based Approach
Mora Feature Selection and Improving Classification Performance for Malware Detection
CN117610001A (en) Automatic analysis method for fine-grained malicious behaviors in Internet of things malicious software
CN117521068A (en) Linux host malicious software detection method, system, device and medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220707

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right