CN104135479A - Cloud real-time defense method and system

Info

Publication number: CN104135479A
Application number: CN201410367587.XA
Authority: CN (China)
Prior art keywords: behavior, program, client, program behavior, file
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 聂子潇
Current and original assignee: Tencent Technology Shenzhen Co Ltd (as listed by Google Patents; the assignee list may be inaccurate)
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201410367587.XA
Publication of CN104135479A

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a cloud real-time defense method and system. The method comprises the following steps: receiving first inquiry information transmitted by clients, wherein the first inquiry information comprises first actions acquired by the clients; acquiring action analysis results matched with the first actions in a file action result library according to the first inquiry information, wherein the file action result library is used for storing action analysis results obtained by performing identification and recognition on a second action uploaded by each client; and transmitting the action analysis results to the clients. By adopting the cloud real-time defense method and system provided by the invention, the false alarm times of active defense are reduced effectively, the interception effect on unknown malicious programs is improved, the occupation rate of system resources is lowered, and the response rate of the active defense is increased.

Description

Cloud real-time defense method and system
Technical field
The present invention relates to the field of Internet security, and in particular to a cloud real-time defense method and a cloud real-time defense system.
Background technology
As the Internet merges ever more closely with human life, the economic, political and cultural substance of human society is increasingly tied to and integrated with the virtual world of the Internet, and the boundary between the essential elements of society and this virtualized Internet society grows ever more blurred. As a result, the problems of the real world also appear and break out on the virtual Internet. Security is one of the most critical and sensitive of these Internet problems, and viruses and Trojans are its main source and driver. At present, the contest between the shield of security defense and the spear of viruses and Trojans is growing fiercer.
Traditional defense methods mainly perform signature identification of viruses and Trojans: on the basis of virus and Trojan samples that have already been encountered, features are analyzed and extracted so that similar files can be recognized when they appear again. Although traditional methods effectively hit known malicious programs and their variants, they are clumsy against new viruses and Trojans, or against unknown ones that are still latent and undiscovered. Active defense technology arose to address this increasingly serious problem.
Active defense no longer clings to extracting signatures from known files. Instead it generalizes from the question of whether malicious programs have characteristic behavior: by analyzing and learning the behavior of known malicious programs and extracting behavior-sequence features, it intercepts malicious programs. Active defense is an efficient way to strike at unknown malicious programs, because no matter how program code changes, malicious behavior is not constantly acquiring new technical means, which greatly improves the defender's control.
Current active defense technology falls into two classes. The first is active defense with single-point cloud lookup and interception: a single program action on the system is monitored, a cloud signature lookup is performed on the file that performs the action, and the file is intercepted or released according to the black/white result returned by the cloud. The second is active defense with multi-step behavior matching: several actions on the system are correlated and the program's behavior sequence is matched against a built-in local behavior feature library to decide whether the program's behavior is malicious and should be intercepted.
However, in both of the above active defense methods, whether single-point interception or multi-step behavior matching, a whitelist is relied on to treat everything that is not white as black, so the dependence on the whitelist is heavy. Yet collection of the whitelist often lags, and it is hard to guarantee that false positives are avoided or kept under control. Traditional active defense methods are therefore not very usable for intercepting unknown malicious programs, and they are rather prone to false positives.
Summary of the invention
In view of this, it is necessary to provide a cloud real-time defense method and system that address the above problem of high false positives.
To achieve this object, the embodiments of the present invention adopt the following technical solutions:
A cloud real-time defense method, comprising the following steps:
receiving first query information sent by a client, the first query information comprising a first program behavior collected by the client;
obtaining, according to the first query information, the behavior analysis result that matches the first program behavior in a file behavior result library, where the file behavior result library stores the behavior analysis results obtained by assessing the second program behaviors uploaded by each client;
sending the behavior analysis result to the client.
A cloud real-time defense method, comprising the following steps:
after detecting that a preset system event has been triggered, collecting the first program behavior corresponding to that system event;
sending first query information to a server, the first query information comprising the collected first program behavior;
receiving the behavior analysis result fed back by the server that matches the first program behavior, and performing the corresponding processing action according to the behavior analysis result.
A cloud real-time defense system comprising a server, the server comprising:
a first receiving module for receiving first query information sent by a client, the first query information comprising a first program behavior collected by the client;
a result acquisition module for obtaining, according to the first query information, the behavior analysis result that matches the first program behavior in a file behavior result library, where the file behavior result library stores the behavior analysis results obtained by assessing the second program behaviors uploaded by each client;
a result sending module for sending the behavior analysis result to the client.
A cloud real-time defense system comprising a client, the client comprising:
a program behavior collection module for collecting, after detecting that a preset system event has been triggered, the first program behavior corresponding to that system event;
a first sending module for sending first query information to a server, the first query information comprising the collected first program behavior;
a processing module for receiving the behavior analysis result fed back by the server that matches the first program behavior, and performing the corresponding processing action according to the behavior analysis result.
From the above solutions it can be seen that in the cloud real-time defense method and system of the embodiments, the program behavior corresponding to a system event is collected and uploaded to the server, the behavior analysis result matching that program behavior is looked up in the server's file behavior result library, and the client then performs the corresponding processing action according to the behavior analysis result. With this scheme, whether an application is a malicious program can be judged quickly by matching program behavior, which effectively reduces the number of false positives of active defense and improves the interception of unknown malicious programs. Because the client is responsible only for collecting and uploading program behavior and does not perform detection or assessment itself, system resource usage is reduced and the response speed of active defense is improved.
Brief description of the drawings
Fig. 1 is a flow diagram of a cloud real-time defense method in embodiment one of the present invention;
Fig. 2 is a flow diagram of a cloud real-time defense method in embodiment two of the present invention;
Fig. 3 is a flow diagram of a cloud real-time defense method in embodiment three of the present invention;
Fig. 4 is a diagram of the defense cloud framework in embodiment four of the present invention;
Fig. 5 is a structural diagram of a cloud real-time defense system in an embodiment of the present invention;
Fig. 6 is a partial structural diagram of the terminal device in an embodiment of the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
Embodiment one
Fig. 1 shows the flow of embodiment one of a cloud real-time defense method of the present invention. Embodiment one is described by taking the processing performed by the server as an example.
As shown in Fig. 1, the processing performed by the server in embodiment one comprises the following steps:
Step S102: the server receives first query information sent by a client, then proceeds to step S104. The first query information comprises at least a first program behavior collected by the client.
Step S104: the server obtains, according to the first query information, the behavior analysis result that matches the first program behavior in the file behavior result library, then proceeds to step S106. The file behavior result library stores the behavior analysis results obtained by assessing the second program behaviors uploaded by each client.
Step S106: the server sends the behavior analysis result to the client.
It should be noted that the operations an application performs while running are called "program behaviors" (actions). The term refers in general to the significant operations an application performs, such as creating, reading and writing files, accessing the registry, connecting to the network, and calling certain application-level functions. In one embodiment, program behaviors may include file behavior, registry behavior, network behavior, process/thread behavior, and so on.
In the embodiments of the present invention, the file behavior result library of step S104 is a database dedicated to storing behavior analysis results. After the server receives the program behaviors collected and uploaded by each client, it assesses them and stores every assessed behavior analysis result in the file behavior result library. In one embodiment, a behavior analysis result may comprise the black/white attribute of the application and the interception rule corresponding to each attribute.
In one embodiment, before the server receives the first query information in step S102, the following steps may also be performed:
Step S1011: receive second query information sent by the client; the second query information comprises a descriptor of a second program behavior collected by the client.
Although the first program behavior and the second program behavior are both program behaviors, the client collects program behaviors of applications all the time, and this step takes place before the first query information is received; it should therefore be understood that, in the ordinary sense, the program behavior in the first query information and the program behavior in the second query information do not refer to the same program behavior.
Step S1012: judge, according to the descriptor, whether the corresponding second program behavior already exists in the file behavior library. The file behavior library receives the second program behaviors uploaded by each client.
The file behavior library of the embodiments is a database on the server dedicated to storing the second program behaviors collected and uploaded by each client. In this database the program behaviors are generally stored keyed by MD5 (Message Digest Algorithm 5).
Step S1013: if the judgment of step S1012 is negative, the corresponding second program behavior does not yet exist in the server's file behavior library. The server may then send the client a notice to upload the second program behavior, receive the second program behavior uploaded by the client, and save it in the file behavior library.
Step S1014: assess the second program behavior and save the resulting behavior analysis result in the file behavior result library for clients to query.
It should be noted that in step S1011 the second query information received by the server does not contain the data of the second program behavior itself but only its descriptor, which is far smaller than the second program behavior data. Only when the client receives the notice to upload the second program behavior does it actually send the second program behavior data to the server.
In one embodiment, assessing the second program behavior may specifically comprise the following steps:
extracting behavior rule features from known black files and white files, where black files are virus and Trojan files and white files are normal program files;
assessing the second program behavior according to the behavior rule features to obtain the behavior analysis result.
In one embodiment, behavior rule features of particular viruses and Trojans extracted by manual analysis may also be received and added to the behavior rule features extracted from the known black and white files, so that those particular viruses and Trojans are hit.
In fact, active defense detects a malicious program because it finds that the application has a suspicious program behavior; and active defense produces false positives because that suspicious program behavior is itself nothing more than a system API (application programming interface) call, which both legitimate applications and illegitimate malicious applications may make, so a legitimate application may also be detected and intercepted by active defense because of its behavior. Taken to the extreme: if all program behaviors of an application were known, whether that application harms the user would naturally be a settled matter, and the problem of false positives would not arise. But by the time all program behaviors of the application are known, although it is then known that the application is harmful this time, the harm has already occurred, the best opportunity for interception has been missed, and the system has been damaged.
Since knowing all program behaviors of an application rules out false positives, suppose that all program behaviors of an application were known before it ever ran: it could then be judged a malicious application directly. This proposition seems invalid, because an application that has not run has generated no program behavior, so naturally there is no way to know its program behavior. But the Internet era is no longer the age of stand-alone security software, and big data makes the proposition hold. An application does not run on only one user's machine. As long as one user runs the program, all of its program behaviors are visible to that user; if those program behaviors are uploaded to a server and stored, they become visible to every user connected to that server. Thus it becomes possible to know all program behaviors of an application before it runs.
Based on this reasoning, in the scheme of the embodiments program behaviors are uploaded to the server in a distributed fashion and stored in a database, forming a collection of program behavior lists in which all program behaviors of each application are held. With this huge database, behavior matching algorithms have room to perform, and there is enough information to judge whether an application's program behavior harms the user.
For active defense technology to be applied at scale with excellent results, three aspects must generally be considered: low false positives, interception of unknowns, and not occupying system resources. Low false positives are key to the survival of active defense technology and were addressed above. The second index, interception of unknowns, is achieved here mainly through behavior rules. These rules can be produced automatically, by colliding the behavior data sets of known black files and white files through machine learning, or can be supplied in coordination with specific operational strikes. The server has ample capacity to process the data and determine whether an application is legitimate or illegitimate, obtaining the result attribute of the unknown application. Importing this result attribute into the database for clients to query achieves interception of unknown applications.
The third index is low system resource usage. Because the client in the embodiments only collects and uploads program behavior, while detection and assessment are handled entirely by the server in the cloud, it does not occupy much system resource.
The single-point cloud lookup technology and the behavior feature matching technology of traditional schemes are compared below with the cloud behavior assessment and interception scheme of the embodiments; the advantages and disadvantages of the three schemes are shown in the following table:
In one embodiment, a cloud real-time defense method of the present invention may further comprise the following step:
Step S108: if no behavior analysis result matching the first program behavior exists in the file behavior result library, send match-failure information to the client.
In addition, in one embodiment the first query information may also comprise file features of the application collected by the client. File features may include file size, file type, whether the file has a digital signature, the file description, and so on. Correspondingly, assessing the second program behavior may also comprise assessing it according to the file features. That is, the file features provide the server with part of the basis for identifying a malicious application; for example, if a file is found to carry a trusted digital signature, it can be judged not to be a malicious application. The file features can also supplement the rules extracted from program behavior and restrict the scope of program behavior feature extraction, for example by matching the rules extracted from program behavior only for files smaller than a certain size.
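The rule extraction from black and white files, the manually added special rules, and the file-feature checks described above can be shown on constructed data. The following is an added example, not Tencent's code and not taken from the patent: the behavior lists, the rule names, the `min_support` threshold and the `MAX_SIZE_FOR_RULES` bound are all assumptions. It treats a "behavior sequence feature" as an ordered pair (earlier behavior, later behavior), keeps only pairs that recur in black files and never occur in white files, adds the analyst's special rule, and then assesses a fresh behavior list with the file features applied first.

```python
from collections import Counter
from itertools import combinations
from typing import Any, Dict, List, Set, Tuple

Rule = Tuple[str, str]   # (earlier behavior, later behavior): the order is part of the feature

# Constructed behavior lists of known files (illustrative, not real samples).
DROP = "file:create:%SYSTEM%\\svch0st.exe"
RUNKEY = "registry:set:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
INJECT = "process:inject:explorer.exe"
C2 = "network:connect:tcp/4444"
HTTPS = "network:connect:tcp/443"
BLACK_SAMPLES: Dict[str, List[str]] = {
    "b1": [DROP, RUNKEY, C2],
    "b2": [DROP, INJECT, C2],
    "b3": [INJECT, RUNKEY, C2],
}
WHITE_SAMPLES: Dict[str, List[str]] = {
    "w1": ["file:create:%APPDATA%\\cache.dat", HTTPS],
    "w2": ["file:create:%APPDATA%\\updater.exe", RUNKEY],   # a legitimate autostart entry
    "w3": [HTTPS, "process:create:cmd.exe"],
}
# Special operation rule: a pair an analyst extracted by hand for one family.
SPECIAL_RULES: Set[Rule] = {(INJECT, RUNKEY)}

MAX_SIZE_FOR_RULES = 20 * 1024 * 1024   # assumed bound: behavior rules apply to files under 20 MiB


def ordered_pairs(behaviors: List[str]) -> Set[Rule]:
    """Every (earlier, later) pair in one behavior list: the sequence feature."""
    return {(a, b) for a, b in combinations(behaviors, 2) if a != b}


def extract_rules(black: Dict[str, List[str]], white: Dict[str, List[str]],
                  min_support: int = 2) -> Set[Rule]:
    """Collide the black and white behavior sets: keep a pair only if it occurs in
    at least min_support black files and in no white file at all."""
    support = Counter(p for seq in black.values() for p in ordered_pairs(seq))
    seen_in_white = set().union(*(ordered_pairs(seq) for seq in white.values()))
    return {p for p, n in support.items() if n >= min_support and p not in seen_in_white}


def assess(behaviors: List[str], features: Dict[str, Any], rules: Set[Rule]) -> Tuple[str, str]:
    """Behavior assessor with file features as extra evidence.
    Returns (attribute, reason); 'unknown' means no verdict would be stored."""
    if features.get("trusted_signature"):
        return "white", "trusted digital signature"        # no behavior matching needed
    if features.get("size", 0) > MAX_SIZE_FOR_RULES:
        return "unknown", "outside behavior-rule scope"     # rules only scoped to small files
    hit = ordered_pairs(behaviors) & rules
    if hit:
        a, b = sorted(hit)[0]
        return "black", f"{a} -> {b}"
    # The behavior list is assumed complete (the patent's premise), so a file that
    # matches no black rule is labelled white rather than left unrated.
    return "white", "no black rule matched"


RULES = extract_rules(BLACK_SAMPLES, WHITE_SAMPLES) | SPECIAL_RULES

if __name__ == "__main__":
    print(sorted(RULES))
    print(assess([DROP, "file:write:C:\\log.txt", C2], {"size": 4096}, RULES))
```

With these samples the learners produce three rules, all ending in the port 4444 connection, because the Run-key write alone also occurs in a white updater and is therefore not a feature on its own; the injection-then-autostart pair is caught only because the special rule supplies it. Note the ordering of the checks: a trusted signature short-circuits matching entirely, which is exactly the place where a stolen or mis-issued signing certificate would turn into a blind spot.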
Embodiment two
Fig. 2 shows the flow of embodiment two of a cloud real-time defense method of the present invention. Embodiment two is described by taking the processing performed by the client as an example.
As shown in Fig. 2, the processing performed by the client in embodiment two comprises the following steps:
Step S202: after the client detects that a preset system event has been triggered, it collects the first program behavior corresponding to that system event.
A system event in the embodiments is an event in which an application calls a system function, including registry operations, file operations, network operations and some application-level function operations. Because there are very many such events, the embodiments arrange system event control points in advance and monitor only high-risk system events.
Step S204: the client sends first query information to the server; the first query information comprises the collected first program behavior.
Step S206: the client receives the behavior analysis result fed back by the server that matches the first program behavior, and performs the corresponding processing action according to the behavior analysis result. For example, if the behavior analysis result shows that the application is a normal application, the first program behavior may be allowed; otherwise it is intercepted.
In one embodiment, before the client sends the first query information to the server, the following steps may also be performed:
the client sends second query information to the server; the second query information comprises the descriptor of the collected second program behavior;
when the server feeds back a notice to upload the second program behavior, the client packages the second program behavior and uploads it.
Packaging here means assembling the data into a network request packet.
In one embodiment, a cloud real-time defense method of the present invention may further comprise the following step:
after the client receives match-failure information from the server, it allows the program behavior to run. The match-failure information is what the server sends when it detects that no behavior analysis result matching the first program behavior exists in the file behavior result library.
Embodiment three
Fig. 3 shows the flow of embodiment three of a cloud real-time defense method of the present invention. Embodiment three is described by combining the processing of the client and the server.
As shown in Fig. 3, a cloud real-time defense method comprises the following steps:
Step S301: the client collects a second program behavior and generates the descriptor of the second program behavior;
Step S302: the client sends second query information to the server; the second query information comprises the descriptor of the collected second program behavior;
Step S303: the server judges, according to the descriptor, whether the corresponding second program behavior already exists in the file behavior library;
Step S304: if so, the server notifies the client that no upload is needed; otherwise the server sends the client a notice to upload the second program behavior;
Step S305: when the client receives the server's notice to upload the second program behavior, it packages the second program behavior and uploads it to the server;
Step S306: the server receives the second program behavior uploaded by the client, saves it in the file behavior library, assesses the second program behavior, and saves the resulting behavior analysis result in the file behavior result library;
Step S307: after the client detects that a preset system event has been triggered, it collects the first program behavior corresponding to that system event;
Step S308: the client sends first query information to the server; the first query information comprises the collected first program behavior;
Step S309: after receiving the first query information sent by the client, the server obtains, according to the first query information, the behavior analysis result that matches the first program behavior in the file behavior result library;
Step S310: the server sends the behavior analysis result to the client;
Step S311: the client receives the behavior analysis result fed back by the server and performs the corresponding processing action according to it.
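The whole exchange of steps S301 to S311, together with the descriptor-first upload of embodiment one (steps S1011 to S1014), the control-point filtering of embodiment two, and the allow-on-match-failure behavior, can be run end to end as an in-memory simulation. The following is an added example and not Tencent's code: the control-point prefixes, the fixed black rules standing in for the learners, the message names (`"upload"`, `"skip"`) and the `file_key` helper are all assumptions. The key is MD5 because that is what the patent describes; since MD5 collisions are practical, a real deployment should key both libraries on SHA-256, otherwise a crafted benign twin could shadow a malicious file's verdict.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed black rules: ordered pairs (earlier behavior, later behavior).
# A deployment would take these from the black/white file learners; they are
# fixed here so that the two-phase exchange is the focus.
BLACK_RULES = {
    ("file:create:%SYSTEM%\\svch0st.exe", "network:connect:tcp/4444"),
    ("process:inject:explorer.exe", "registry:set:Run"),
}

# Pre-arranged control points (assumed set): only system events with these
# prefixes are monitored and trigger a cloud query.
CONTROL_POINTS = ("registry:set:", "process:inject:", "network:connect:", "file:create:%SYSTEM%")


def file_key(data: bytes) -> str:
    """The patent keys both libraries by the file's MD5; kept to mirror the text.
    MD5 is collision-prone, so a real deployment should use SHA-256 here."""
    return hashlib.md5(data).hexdigest()


def assess(behaviors: List[str]) -> Dict[str, str]:
    """Behavior assessor: black if any black rule pair occurs in this order."""
    for i, first in enumerate(behaviors):
        for later in behaviors[i + 1:]:
            if (first, later) in BLACK_RULES:
                return {"attribute": "black", "rule": f"{first} -> {later}", "action": "block"}
    return {"attribute": "white", "rule": "", "action": "allow"}


class Server:
    def __init__(self) -> None:
        self.behavior_library: Dict[str, List[str]] = {}      # file behavior library (by MD5)
        self.result_library: Dict[str, Dict[str, str]] = {}   # file behavior result library
        self.uploads_received = 0

    def descriptor_query(self, key: str) -> str:
        """Second query: only a descriptor travels; the data is requested once."""
        return "skip" if key in self.behavior_library else "upload"

    def upload(self, key: str, behaviors: List[str]) -> None:
        self.behavior_library[key] = list(behaviors)
        self.result_library[key] = assess(behaviors)
        self.uploads_received += 1

    def behavior_query(self, key: str, behavior: str) -> Optional[Dict[str, str]]:
        """First query: the stored verdict for this file, or None (match failed)."""
        return self.result_library.get(key)


class Client:
    def __init__(self, server: Server) -> None:
        self.server = server
        self.cache: Dict[str, List[str]] = {}   # behavior collection cache

    def observe(self, key: str, behavior: str) -> None:
        """Behavior collector: record every behavior of the program (phase 1)."""
        self.cache.setdefault(key, []).append(behavior)

    def sync(self, key: str) -> str:
        """Descriptor query first; the full behavior list goes up only on request."""
        decision = self.server.descriptor_query(key)
        if decision == "upload":
            self.server.upload(key, self.cache[key])
        return decision

    def on_event(self, key: str, behavior: str) -> str:
        """Phase 2: a control-point event fired; ask the cloud, then act on it."""
        if not behavior.startswith(CONTROL_POINTS):
            return "allow"          # not a monitored control point, no query made
        result = self.server.behavior_query(key, behavior)
        if result is None:
            return "allow"          # match failed: the patent lets the behavior run
        return result["action"]


def demo() -> Tuple[str, str, str, str, int]:
    server = Server()
    key = file_key(b"constructed sample binary #1")
    # Machine A runs the file first and contributes its whole behavior list.
    a = Client(server)
    for b in ["file:create:%SYSTEM%\\svch0st.exe", "file:write:C:\\log.txt", "network:connect:tcp/4444"]:
        a.observe(key, b)
    first = a.sync(key)                 # "upload": the server had nothing for this key
    # Machine B meets the same file later: the descriptor query says skip.
    b_client = Client(server)
    b_client.observe(key, "file:create:%SYSTEM%\\svch0st.exe")
    second = b_client.sync(key)         # "skip": the same data is not uploaded twice
    # On machine B the very first control-point event is already intercepted.
    verdict = b_client.on_event(key, "file:create:%SYSTEM%\\svch0st.exe")   # "block"
    # A file nobody has uploaded yet: match failed, so the behavior is allowed.
    unknown = Client(server).on_event(file_key(b"never seen"), "network:connect:tcp/9")
    return first, second, verdict, unknown, server.uploads_received


if __name__ == "__main__":
    print(demo())
```

The last case in `demo` is the one to watch in a deployment: a file nobody has reported yet is allowed to run (the match-failure path), so the first machine to meet a new sample is unprotected until its upload has been assessed, and an attacker who can keep a sample unique per victim never gets a verdict stored.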
Embodiment four
Fig. 4 shows the implementation framework of a cloud real-time defense method in an embodiment of the present invention. The framework comprises a server and a client. The client is provided with the following functional modules: active defense control points, local behavior feature library, behavior collection cache, behavior collector, behavior cloud cache, and behavior cloud. The server is provided with the following functional modules: behavior feature library, MD5 behavior library, MD5 result library, behavior assessor, black file learner, white file learner, and special operation rules. The working of each module is described below:
1) The active defense control points monitor the program behavior of applications;
2) The behavior collection cache and behavior collector package the program behavior information passed on by the active defense control points and upload it to the MD5 behavior library;
3) The MD5 behavior library stores the program behavior information collected and uploaded by clients, keyed by MD5;
4) The black file learner learns the behavior of black files that have already been identified and extracts behavior rule features;
5) The white file learner learns the behavior of white files that have already been identified and extracts behavior rule features;
6) The special operation rules are behavior rule features of viruses and Trojans extracted by manual analysis;
7) The behavior assessor uses the behavior feature rule base generated by the black file learner, the white file learner and the special operation rules to scan the MD5 entries in the back-end MD5 behavior library, and assesses each MD5 as malicious or legitimate;
8) The behavior feature library holds those behavior features used by the behavior assessor that have a low false positive rate; they can be pushed down to clients and are equivalent to a virus database for client-side behavior interception;
9) The local behavior feature library is the file stored on the client after the server pushes down the behavior feature library; the client's active defense control points match behavior against it, and a program behavior that matches is intercepted according to the identification attribute and interception rule held in the library;
10) The behavior cloud cache and behavior cloud: after a monitored event at an active defense control point fires, the behavior information of that event is sent to the server to query the interception rule configured in the MD5 result library, and the corresponding processing action is taken according to the interception rule the server returns;
11) The MD5 result library is the database that stores the results of the behavior assessor's identification; it holds the black/white attribute of each assessed MD5 and the client interception rule corresponding to each attribute, for the behavior cloud to query.
Corresponding to the cloud real-time defense method described above, an embodiment of the present invention also provides a cloud real-time defense system. The cloud real-time defense system of the present invention may comprise only a client, only a server, or both client and server. For convenience of description, Fig. 5 takes the combination of client and server as an example and shows the structural schematic diagram of a cloud real-time defense system according to an embodiment of the present invention.
As shown in Fig. 5, the cloud real-time defense system comprises a server 10, and the server 10 comprises:
a first receiving module 102, for receiving first query information sent by a client, the first query information comprising the first program behavior collected by the client;
a result acquisition module 104, for obtaining, according to the first query information, the behavior analysis result matching the first program behavior from a file behavior results repository, wherein the file behavior results repository stores the behavior analysis results obtained by identifying the second program behaviors uploaded by each client;
a result sending module 106, for sending the behavior analysis result to the client.
In one embodiment, the server may further comprise:
a second receiving module, for receiving second query information sent by a client, the second query information comprising description information of the second program behavior collected by the client;
a judging module, for judging from the description information whether a corresponding second program behavior already exists in a file behavior library, wherein the file behavior library receives the second program behaviors uploaded by each client;
a communication module, for sending a notice to the client to upload the second program behavior when the judging module's result is no, receiving the second program behavior uploaded by the client, and saving the received second program behavior in the file behavior library;
an identification module, for identifying the second program behavior and saving the resulting behavior analysis result in the file behavior results repository.
In one embodiment, the identification module may comprise:
a feature extraction module, for extracting behavior rule features from known black (malicious) files and white (benign) files;
an identifying module, for identifying the second program behavior according to the behavior rule features and obtaining the behavior analysis result.
In one embodiment, the behavior analysis result may comprise the black/white attribute of the application program and the interception rule corresponding to each attribute.
In one embodiment, the server may further comprise:
a failure information sending module, for sending match-failure information to the client when the file behavior results repository contains no behavior analysis result matching the first program behavior.
In one embodiment, the program behavior may comprise file behavior, registry behavior, network behavior or process/thread behavior.
In one embodiment, the first query information may also comprise the file characteristic of the application program collected by the client. In that case the identification module may further comprise:
an auxiliary identification module, for identifying the second program behavior according to the file characteristic. That is, in this embodiment the file characteristic provides the server with part of the basis for identifying malicious applications.
In addition, the cloud real-time defense system of this embodiment may also comprise a client 20. As shown in Fig. 5, the client 20 comprises:
a program behavior collection module 202, for collecting the first program behavior corresponding to a preset system event after that event is detected to have been triggered;
a first sending module 204, for sending first query information to the server, the first query information comprising the collected first program behavior;
a processing module 206, for receiving the behavior analysis result matching the first program behavior fed back by the server and performing the corresponding processing action according to that result.
In one embodiment, the client may further comprise:
a second sending module, for sending second query information to the server, the second query information comprising description information of the collected second program behavior;
an upload module, for packaging and uploading the second program behavior when the notice to upload it is received from the server.
In one embodiment, the client may further comprise:
a clearance module, for allowing the program behavior to run after match-failure information is received from the server, wherein the match-failure information is sent by the server when it finds no behavior analysis result matching the first program behavior in the file behavior results repository.
The other technical features of the above cloud real-time defense system are the same as those of the cloud real-time defense method of the present invention and are not repeated here.
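The exchange between client 20 and server 10 described above, as an added example that is not the patent's code: the second query (descriptor only, then upload on request, then identification against behavior rule features extracted from known black and white files, with the file characteristic as auxiliary basis) followed by the first query (the behavior itself, answered with the stored result or a match failure). Message field names, the MD5 descriptor, the rule-feature extraction rule, the keying of results by behavior, the use of the file hash as the file characteristic and the interception rule names are assumptions made for this example; the black and white file corpus is constructed.

```python
"""Added example, not the patent's code: the two-query client/server exchange with the
server-side identification module. Field names, descriptor, rule-feature extraction,
result keying and the role of the file characteristic are assumptions."""
import hashlib
import json

RULES = {"black": "block", "white": "allow"}   # interception rule per attribute (assumed)


def descriptor(behavior):
    """MD5 of the canonical behavior record; the second query carries this, not the record."""
    canon = json.dumps(behavior, sort_keys=True, separators=(",", ":"))
    return hashlib.md5(canon.encode()).hexdigest()


def triple(behavior):
    return (behavior["kind"], behavior["action"], behavior["target"])


def extract_rule_features(black_files, white_files):
    """Behavior rule features: behaviors seen in known black files but in no known white file
    (one simple extraction rule, assumed for this example)."""
    in_white = {triple(b) for f in white_files for b in f["behaviors"]}
    in_black = {triple(b) for f in black_files for b in f["behaviors"]}
    return in_black - in_white


class Server:
    def __init__(self, black_files, white_files):
        self.file_behavior_library = {}     # descriptor -> uploaded second program behavior
        self.file_behavior_results = {}     # descriptor -> behavior analysis result
        self.rule_features = extract_rule_features(black_files, white_files)
        self.black_hashes = {f["file_hash"] for f in black_files}
        self.white_hashes = {f["file_hash"] for f in white_files}

    def handle_second_query(self, msg):
        """Second query carries only the descriptor; the reply says whether the full record is wanted."""
        return {"upload": msg["descriptor"] not in self.file_behavior_library}

    def handle_upload(self, msg):
        """Store the uploaded behavior, identify it and record the result."""
        behavior = msg["behavior"]
        desc = descriptor(behavior)
        self.file_behavior_library[desc] = behavior
        self.file_behavior_results[desc] = self.identify(behavior, msg.get("file_feature"))

    def identify(self, behavior, file_feature):
        """Rule features decide; a file characteristic matching a known file is an auxiliary basis."""
        file_hash = (file_feature or {}).get("file_hash")
        if file_hash in self.black_hashes:
            attribute = "black"
        elif file_hash in self.white_hashes:
            attribute = "white"
        else:
            attribute = "black" if triple(behavior) in self.rule_features else "white"
        return {"attribute": attribute, "rule": RULES[attribute]}

    def handle_first_query(self, msg):
        """First query carries the behavior itself; the reply is the stored result or a match failure."""
        result = self.file_behavior_results.get(descriptor(msg["behavior"]))
        if result is None:
            return {"status": "match_failed"}
        return {"status": "ok", **result}


class Client:
    def __init__(self, server, send_second_query=True):
        self.server = server
        self.send_second_query = send_second_query

    def on_system_event(self, behavior, file_feature=None):
        """Collect the behavior of a triggered system event and return the processing action."""
        if self.send_second_query:
            reply = self.server.handle_second_query({"descriptor": descriptor(behavior)})
            if reply["upload"]:
                self.server.handle_upload({"behavior": behavior, "file_feature": file_feature})
        reply = self.server.handle_first_query({"behavior": behavior, "file_feature": file_feature})
        if reply["status"] == "match_failed":
            return "allow"      # clearance module: nothing on the server, let the behavior run
        return reply["rule"]    # processing module: act on the server's interception rule


# Constructed sample corpus of known black and white files (not real samples).
RUN_KEY = {"kind": "registry", "action": "set_value",
           "target": "hkcu\\software\\microsoft\\windows\\currentversion\\run"}
PUBLIC_NOTE = {"kind": "file", "action": "write", "target": "c:\\users\\public\\notes.txt"}
SAMPLE_BLACK_FILES = [{"file_hash": "a" * 32, "behaviors": [RUN_KEY, PUBLIC_NOTE]}]
SAMPLE_WHITE_FILES = [{"file_hash": "b" * 32, "behaviors": [PUBLIC_NOTE]}]

if __name__ == "__main__":
    srv = Server(SAMPLE_BLACK_FILES, SAMPLE_WHITE_FILES)
    print(Client(srv).on_system_event(RUN_KEY), Client(srv).on_system_event(PUBLIC_NOTE))
```

Because the results repository is keyed by the behavior alone, every program that performs the same behavior receives the same verdict; the file characteristic carried in the first query is the only per-program basis the scheme offers, which is why the example lets a known file hash override the behavior rule. A client that skips the second query receives a match failure for a behavior nobody has uploaded and, per the clearance module, lets it run.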
From the above scheme it can be seen that the cloud real-time defense method and system of the embodiments of the present invention collect the program behavior corresponding to a system event and upload it to the server, query the server's file behavior results repository for the behavior analysis result matching that program behavior, and then let the client perform the corresponding processing action according to that result. With this scheme, matching program behaviors quickly determines whether an application program is malicious, which effectively reduces the number of false alarms of active defense and improves the interception of unknown malicious programs; and because the client is only responsible for collecting and uploading program behaviors and need not perform detection and identification itself, system resource occupancy is reduced and the response speed of active defense is improved.
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods of the above embodiments of the present invention can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the flows of the embodiments of the above methods. The storage medium can be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM) or the like. Accordingly, in line with the above embodiments, the present invention also provides a storage medium containing a computer-readable program which, when executed, can implement the cloud real-time defense method of the present invention in any of the above manners.
The method of the embodiments of the present invention as described above can be installed in the form of software on corresponding machine equipment and, when the software runs, completes the above cloud real-time defense process by controlling the relevant processing equipment. Correspondingly, the above cloud real-time defense system can be installed on a corresponding terminal device, or can be the terminal device itself; the terminal device here can be any terminal device such as a mobile phone, tablet computer, PDA (Personal Digital Assistant) or vehicle-mounted computer.
Accordingly, based on the above scheme, the present invention also provides a terminal device, which can be any terminal device such as a mobile phone, tablet computer, PDA (Personal Digital Assistant) or vehicle-mounted computer.
Accordingly, one such terminal device is taken as an example below, and a block diagram of part of its structure is shown in Fig. 6. With reference to Fig. 6, the terminal device comprises components such as a memory 610, an input unit 620, a display unit 630, a processor 640 and a communication module 650. Those skilled in the art will appreciate that the structure shown in Fig. 6 is only a block diagram of the part of the structure relevant to the scheme of the embodiment and does not limit the terminal device to which the scheme of the present invention is applied; a specific terminal device may comprise more or fewer components than shown, combine some components, or arrange the components differently.
Each component of the terminal device is introduced in detail below with reference to Fig. 6.
The memory 610 can be used to store software programs and modules; by running the software programs and modules stored in the memory 610, the processor 640 executes the various functional applications and data processing of the terminal device. The memory 610 may mainly comprise a program storage area and a data storage area, where the program storage area can store the operating system and the application programs required for at least one function (such as a sound playback function or an image playback function), and the data storage area can store data created according to the use of the terminal device. In addition, the memory 610 may comprise high-speed random access memory and may also comprise non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage component.
The input unit 620 can be used to receive input numbers, characters or other information and to generate key signal inputs related to user settings and function control of the terminal device. Specifically, in the scheme of the embodiment of the present invention, user input can be received through this input unit 620.
In particular, taking a mobile phone as the terminal device as an example, the input unit 620 may comprise a touch panel and other input devices. The touch panel, also called a touch screen, can collect the user's touch operations on or near it (such as operations by the user with a finger, stylus or any other suitable object or accessory on or near the touch panel) and drive the corresponding connected device according to a preset program. Optionally, the touch panel may comprise two parts, a touch detection device and a touch controller. The touch detection device detects the user's touch position, detects the signal brought by the touch operation and passes the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 640, and can receive and execute commands sent by the processor 640. The touch panel can be implemented in various types such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel, the input unit 620 may comprise other input devices, including but not limited to one or more of a physical keyboard, function keys (such as volume control buttons or a power switch key), a trackball, a mouse and a joystick.
The display unit 630 can be used to display information entered by the user or information provided to the user, as well as the various menus of the terminal device. The display unit 630 may comprise a display panel, which can optionally be configured in the form of a liquid crystal display (Liquid Crystal Display, LCD), an organic light-emitting diode (Organic Light-Emitting Diode, OLED) display or the like.
Through the communication module 650 the terminal device communicates with the server. The communication module 650 can be implemented in any feasible way, for example as a WiFi module, Bluetooth communication or optical fiber communication; through it the terminal device can send relevant information to the server and receive the relevant information returned by the server.
The processor 640 is the control center of the terminal device. It connects the parts of the whole terminal device through various interfaces and lines, and by running or executing the software programs and/or modules stored in the memory 610 and calling the data stored in the memory 610, it performs the various functions and data processing of the terminal device and thereby monitors the terminal device as a whole. Optionally, the processor 640 may comprise one or more processing units.
The above embodiments express only several implementations of the present invention and are described in a comparatively specific and detailed way, but they should not be interpreted as limiting the scope of the patent claims of the present invention. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. Therefore, the protection scope of the patent of the present invention shall be determined by the appended claims.

Claims (20)

1. A cloud real-time defense method, characterized in that it comprises the following steps:
receiving first query information sent by a client, the first query information comprising a first program behavior collected by the client;
obtaining, according to the first query information, the behavior analysis result matching the first program behavior from a file behavior results repository, wherein the file behavior results repository stores the behavior analysis results obtained by identifying the second program behaviors uploaded by each client;
sending the behavior analysis result to the client.
2. The cloud real-time defense method according to claim 1, characterized in that, before receiving the first query information sent by the client, it further comprises the steps of:
receiving second query information sent by the client, the second query information comprising description information of a second program behavior collected by the client;
judging, according to the description information, whether a corresponding second program behavior already exists in a file behavior library, wherein the file behavior library receives the second program behaviors uploaded by each client;
if not, sending a notice to the client to upload the second program behavior, receiving the second program behavior uploaded by the client, and saving the received second program behavior in the file behavior library;
identifying the second program behavior, and saving the obtained behavior analysis result in the file behavior results repository.
3. The cloud real-time defense method according to claim 2, characterized in that the process of identifying the second program behavior comprises:
extracting behavior rule features from known black files and white files;
identifying the second program behavior according to the behavior rule features to obtain the behavior analysis result.
4. The cloud real-time defense method according to claim 3, characterized in that the first query information further comprises the file characteristic of the application program collected by the client;
and the process of identifying the second program behavior further comprises: identifying the second program behavior according to the file characteristic.
5. The cloud real-time defense method according to claim 2, characterized in that the behavior analysis result comprises: the black/white attribute of the application program and the interception rule corresponding to each attribute.
6. The cloud real-time defense method according to claim 1, characterized in that it further comprises the step of:
if no behavior analysis result matching the first program behavior exists in the file behavior results repository, sending match-failure information to the client.
7. The cloud real-time defense method according to any one of claims 1 to 6, characterized in that the program behavior comprises: file behavior, registry behavior, network behavior or process/thread behavior.
8. A cloud real-time defense method, characterized in that it comprises the following steps:
after detecting that a preset system event has been triggered, collecting the first program behavior corresponding to the system event;
sending first query information to a server, the first query information comprising the collected first program behavior;
receiving the behavior analysis result matching the first program behavior fed back by the server, and performing the corresponding processing action according to the behavior analysis result.
9. The cloud real-time defense method according to claim 8, characterized in that, before sending the first query information to the server, it further comprises the steps of:
sending second query information to the server, the second query information comprising description information of the collected second program behavior;
when a notice to upload the second program behavior is received from the server, packaging and uploading the second program behavior.
10. The cloud real-time defense method according to claim 8 or 9, characterized in that it further comprises the step of:
after match-failure information is received from the server, allowing the program behavior to run; wherein the match-failure information is sent by the server when it detects that no behavior analysis result matching the first program behavior exists in the file behavior results repository.
11. A cloud real-time defense system, characterized in that it comprises a server, the server comprising:
a first receiving module, for receiving first query information sent by a client, the first query information comprising a first program behavior collected by the client;
a result acquisition module, for obtaining, according to the first query information, the behavior analysis result matching the first program behavior from a file behavior results repository, wherein the file behavior results repository stores the behavior analysis results obtained by identifying the second program behaviors uploaded by each client;
a result sending module, for sending the behavior analysis result to the client.
12. The cloud real-time defense system according to claim 11, characterized in that the server further comprises:
a second receiving module, for receiving second query information sent by the client, the second query information comprising description information of a second program behavior collected by the client;
a judging module, for judging, according to the description information, whether a corresponding second program behavior already exists in a file behavior library, wherein the file behavior library receives the second program behaviors uploaded by each client;
a communication module, for sending a notice to the client to upload the second program behavior when the judging module's result is no, receiving the second program behavior uploaded by the client, and saving the received second program behavior in the file behavior library;
an identification module, for identifying the second program behavior and saving the obtained behavior analysis result in the file behavior results repository.
13. The cloud real-time defense system according to claim 12, characterized in that the identification module comprises:
a feature extraction module, for extracting behavior rule features from known black files and white files;
an identifying module, for identifying the second program behavior according to the behavior rule features to obtain the behavior analysis result.
14. The cloud real-time defense system according to claim 13, characterized in that the first query information further comprises the file characteristic of the application program collected by the client;
and the identification module further comprises:
an auxiliary identification module, for identifying the second program behavior according to the file characteristic.
15. The cloud real-time defense system according to claim 12, characterized in that the behavior analysis result comprises: the black/white attribute of the application program and the interception rule corresponding to each attribute.
16. The cloud real-time defense system according to claim 11, characterized in that the server further comprises:
a failure information sending module, for sending match-failure information to the client if no behavior analysis result matching the first program behavior exists in the file behavior results repository.
17. The cloud real-time defense system according to any one of claims 11 to 16, characterized in that the program behavior comprises: file behavior, registry behavior, network behavior or process/thread behavior.
18. A cloud real-time defense system, characterized in that it comprises a client, the client comprising:
a program behavior collection module, for collecting the first program behavior corresponding to a preset system event after detecting that the event has been triggered;
a first sending module, for sending first query information to a server, the first query information comprising the collected first program behavior;
a processing module, for receiving the behavior analysis result matching the first program behavior fed back by the server and performing the corresponding processing action according to the behavior analysis result.
19. The cloud real-time defense system according to claim 18, characterized in that the client further comprises:
a second sending module, for sending second query information to the server, the second query information comprising description information of the collected second program behavior;
an upload module, for packaging and uploading the second program behavior when a notice to upload the second program behavior is received from the server.
20. The cloud real-time defense system according to claim 18 or 19, characterized in that the client further comprises:
a clearance module, for allowing the program behavior to run after match-failure information is received from the server; wherein the match-failure information is sent by the server when it detects that no behavior analysis result matching the first program behavior exists in the file behavior results repository.
Application CN201410367587.XA, filed 2014-07-29 (priority date 2014-07-29): Cloud real-time defense method and system, status Pending, publication CN104135479A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410367587.XA CN104135479A (en) 2014-07-29 2014-07-29 Cloud real-time defense method and system

Publications (1)

Publication Number Publication Date
CN104135479A 2014-11-05

Family ID: 51808001

Country Status (1)

Country Link
CN (1) CN104135479A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468632A (en) * 2014-12-31 2015-03-25 北京奇虎科技有限公司 Loophole attack prevention method, device and system
CN105791221A (en) * 2014-12-22 2016-07-20 北京奇虎科技有限公司 Rule sending method and device
CN106961450A (en) * 2017-05-24 2017-07-18 深信服科技股份有限公司 Safety defense method, terminal, cloud server and safety defense system
CN106980787A (en) * 2017-03-30 2017-07-25 杭州网蛙科技有限公司 A kind of method and apparatus for recognizing malice feature
CN109214182A (en) * 2017-07-03 2019-01-15 阿里巴巴集团控股有限公司 To the processing method for extorting software in virtual machine operation under cloud platform
CN110399721A (en) * 2018-12-28 2019-11-01 腾讯科技(深圳)有限公司 A kind of software identification method and server and client

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102082802A (en) * 2011-03-01 2011-06-01 陈彪 Behavior-based mobile terminal security protection system and method



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20141105