CN104243470A - Cloud searching and killing method and system based on self-adaption classifier - Google Patents


Info

Publication number
CN104243470A
Authority
CN
China
Prior art keywords
file
clouds
feature
black
client
Legal status
Granted
Application number
CN201410459367.XA
Other languages
Chinese (zh)
Other versions
CN104243470B (en)
Inventor
吴子章
刘申
赵志宏
柴丽颖
Current Assignee
Neusoft Corp
Original Assignee
Neusoft Corp
Application filed by Neusoft Corp
Priority to CN201410459367.XA
Publication of CN104243470A
Application granted
Publication of CN104243470B
Legal status: Active (current)
Anticipated expiration

Abstract

The invention provides a cloud searching and killing method and system based on an adaptive classifier. The method comprises the following steps: the client performs classification detection on files based on a Hamming distance classifier; when a file's feature does not match any feature in the client's lightweight blacklist/whitelist feature database, the client sends the file to the cloud; the cloud performs classification detection on the file based on a hash classifier with at least two levels of Hamming distance; when the file's feature matches a feature in the cloud's blacklist/whitelist feature database, the cloud counts the hit rate of the file feature and, at a preset time interval, sends the client the files whose hit-rate rank falls within a preset range. Meanwhile, the Hamming distance classifier completes an adaptive update. With this cloud searching and killing method and system based on an adaptive classifier, the filtering rate and hit rate of file features are improved, the data sent from the client to the cloud is reduced, the search distance of file features in the cloud is shortened, and the efficiency of feature search is improved.

Description

Cloud searching and killing method and system based on an adaptive classifier
Technical field
The present invention relates to the technical field of cloud security, and more specifically to a cloud searching and killing method and system based on an adaptive classifier.
Background technology
Cloud security is the latest embodiment of information security in the network era, and cloud security technology is the result of the combined development and natural evolution of P2P technology, network technology and the distributed computing techniques of cloud computing. Because a feature database stored in the cloud can be far larger than one held on the original hardware device, cloud security technology can move the feature database to the cloud to reduce the device's memory overhead, and can also use the cloud's high-performance processing capacity to move security scanning to the cloud, reducing the impact of scanning on the device's performance. Because of these advantages, cloud security technology has become the choice of more and more security vendors, but this also brings new problems for cloud security.
From a security perspective, whether for the major international information security vendors or the main domestic ones, cloud security products have shown increasingly obvious centralization, for two reasons: first, the terminal no longer keeps data, so attacking the terminal is less and less effective; second, the lightweighting and diversification of terminals make attacking the terminal gradually harder. For these two reasons, malicious attackers now increasingly aim at the server side, that is, the cloud. The APT (Advanced Persistent Threat) attacks that have appeared in the last two years use multiple penetration techniques to attack cloud platforms. In this situation, reducing as far as possible the amount of data the client sends to the cloud can, to some extent, reduce the probability that the cloud is attacked.
From a performance perspective, with the trend toward security centralization in the cloud computing era, the performance demanded of cloud security has reached an unprecedented level. Facing an endless stream of network attacks, how cloud security reduces the client's dependence on the cloud and improves response speed has become the critical path to improving its own security. Many current mainstream vendors (such as Palo Alto, Checkpoint, Fortinet, 360 and Trend Micro) mostly use blacklists and whitelists to reduce feature-database matching as far as possible, so as to improve overall cloud searching and killing performance while reducing the corresponding loss, but their blacklist/whitelist technology still has the following problems:
1. A blacklist/whitelist on the order of tens of millions of entries still takes considerable resources during search and causes a certain performance loss;
2. Many rarely used samples in the blacklist/whitelist account for a high proportion of query time.
To address these problems, many vendors adopt a hardware-based two-tier blacklist/whitelist mechanism: the larger blacklist/whitelist is deployed in the cloud, which has stronger processing capacity, and a lightweight blacklist/whitelist is deployed on the local client to act as a pre-filter. The hardware-based two-tier blacklist/whitelist mechanism, however, has the following problems of its own:
1. The blacklists and whitelists are all fixed in hardware, which makes them hard to adjust; over time the amount of data sent to the cloud for inspection grows and grows, eventually consuming cloud resources and degrading performance;
2. The client's filtering efficiency and the feature database's match hit rate are low.
Summary of the invention
In view of these problems, the object of the invention is to provide a cloud searching and killing method and system based on an adaptive classifier, to solve the problems of the existing hardware-based two-tier blacklist/whitelist mechanism: large resource occupation and loss in the cloud, and low filtering efficiency at the client and low match hit rate of the feature database.
According to one aspect of the invention, a cloud searching and killing method based on an adaptive classifier is provided, comprising:
The client performs classification detection on a file based on a Hamming distance classifier; when the file's feature does not match any feature in the client's lightweight blacklist/whitelist feature database, the client sends the file to the cloud;
The cloud performs classification detection on the file based on a hash value classifier with at least two levels of Hamming distance; when the file's feature matches a feature in the cloud's blacklist/whitelist feature database, the probability (hit rate) with which the file's feature hits features in the cloud's blacklist/whitelist feature database is counted;
According to the counted probability, the cloud sends the client the files whose probability rank within a predetermined time interval falls in a preset range;
The client updates its lightweight blacklist/whitelist feature database according to the files sent by the cloud; while the client updates the lightweight blacklist/whitelist feature database, the Hamming distance classifier completes an adaptive update.
Here, at the predetermined time interval, the cloud feeds back to the client, as the client's lightweight blacklist/whitelist feature database, the files whose features hit the cloud's blacklist/whitelist feature database with a probability rank in the preset range.
Also, when the file's feature matches a feature in the cloud's blacklist/whitelist feature database, the probability that the level at which the feature sits in the cloud's blacklist/whitelist feature database is hit is counted, and the ordering of the cloud's Hamming-distance hash value classifier is adaptively adjusted according to the hit probability of each level.
In another aspect, the invention provides a cloud searching and killing system based on an adaptive classifier, comprising:
a first classification detection unit, for performing classification detection on the client's files based on a Hamming distance classifier;
a file sending unit, for sending the client's file to the cloud when the first classification detection unit detects that the file's feature does not match any feature in the client's lightweight blacklist/whitelist feature database;
a second classification detection unit, for performing classification detection on the file sent by the file sending unit based on a hash value classifier with at least two levels of Hamming distance;
a first probability statistics unit, for counting, when the second classification detection unit detects that the feature of the file sent by the file sending unit matches a feature in the cloud's blacklist/whitelist feature database, the probability with which the feature of that file hits features in the cloud's blacklist/whitelist feature database;
an updating unit, for updating the client's lightweight blacklist/whitelist feature database; this update is realized by the cloud sending the client, according to the probability counted by the first probability statistics unit, the files whose probability rank within the predetermined time interval falls in the preset range; while the client's lightweight blacklist/whitelist feature database is updated, the Hamming distance classifier completes an adaptive update.
With the above cloud searching and killing method and system based on an adaptive classifier, by performing classification detection on files with an adaptive classifier, on the one hand the filtering efficiency and hit probability of features in the client's lightweight blacklist/whitelist feature database are improved and the amount of data sent to the cloud is reduced; on the other hand the query distance of features in the cloud's blacklist/whitelist feature database is shortened and the efficiency of feature search is improved.
To achieve the above and related objects, one or more aspects of the invention include the features described in detail below and particularly pointed out in the claims. The following description and the accompanying drawings describe certain illustrative aspects of the invention in detail. These aspects, however, indicate only some of the various ways in which the principles of the invention may be used. In addition, the invention is intended to include all such aspects and their equivalents.
Brief description of the drawings
Other objects and results of the invention will be understood more comprehensively and easily from the following description in conjunction with the drawings and claims, and as the invention is understood more fully. In the drawings:
Fig. 1 is a first flow diagram of cloud searching and killing based on an adaptive classifier according to an embodiment of the invention;
Fig. 2 is a second flow diagram of cloud searching and killing based on an adaptive classifier according to an embodiment of the invention;
Fig. 3 is a logical block diagram of the cloud searching and killing system based on an adaptive classifier according to an embodiment of the invention.
The same reference labels in all the figures indicate similar or corresponding features or functions.
Detailed description
Specific embodiments of the invention are described in detail below with reference to the drawings.
The existing hardware-based two-tier blacklist/whitelist mechanism described above is inflexible in adjusting the blacklist/whitelist, and its filtering efficiency and feature-database match hit rate are low. The invention performs classification detection on files based on an adaptive classifier. On the client, the invention performs classification detection on files received by the client based on an adaptive Hamming distance classifier; when the feature of a file submitted for classification detection does not hit the client's lightweight blacklist/whitelist feature database but does hit the cloud's blacklist/whitelist feature database, the cloud feeds back to the client the files whose hit-rate rank within a predetermined time interval falls in a preset range, the client updates its lightweight blacklist/whitelist feature database with them, and while the lightweight database is updated the Hamming distance classifier completes an adaptive update. This improves the filtering efficiency and hit probability of features in the client's lightweight blacklist/whitelist feature database and reduces the amount of data sent to the cloud.
In addition, in the cloud, the invention performs classification detection on files sent to the cloud based on a hash value classifier with multiple levels of Hamming distance; when the feature of a file sent to the cloud for classification detection matches a feature in the cloud's blacklist/whitelist feature database, the ordering of the cloud's Hamming-distance hash value classifier is adaptively adjusted according to the probability with which the level at which that feature sits is hit. This shortens the query distance of features in the cloud's blacklist/whitelist feature database and improves the performance and efficiency of feature search.
To explain the cloud searching and killing method based on an adaptive classifier provided by the invention, Fig. 1 shows the flow of the method according to an embodiment of the invention.
As shown in Fig. 1, the cloud searching and killing method based on an adaptive classifier provided by the invention comprises:
S110: the client performs classification detection on the file based on a Hamming distance classifier.
Specifically, before the client performs classification detection on the file based on the Hamming distance classifier, the client already holds a lightweight blacklist/whitelist feature database. Because of the influence of traffic and the external data environment, the files each client will detect differ; therefore this lightweight database is obtained from the cloud, for the specific client, by feeding back the files whose features hit the cloud's blacklist/whitelist feature database within the predetermined time interval with a probability rank in the preset range.
That is, at the predetermined time interval, the cloud feeds back to the client, as the client's lightweight blacklist/whitelist feature database, the files whose features hit the cloud's blacklist/whitelist feature database with a probability rank in the preset range. Note that the predetermined time interval may be in units of hours or days, and the preset range may be the top 100 or the top 1000 by probability rank.
For example, for a specific client, the cloud may feed back to that client, as its lightweight blacklist/whitelist feature database, the 100 files whose features ranked highest by probability of hitting the cloud's blacklist/whitelist feature database over 8 hours.
Note that the process in which the client performs classification detection on the file is the process of matching the file's feature against the features in the client's lightweight blacklist/whitelist feature database. In this process, the Hamming distance classifier performs classification detection based on the MD5 value or SHA1 value of the file; that is, the file's feature is computed from its MD5 value or SHA1 value. Computing the MD5 and SHA1 values of a file is common knowledge and is not repeated here.
S120: when the file's feature does not match any feature in the client's lightweight blacklist/whitelist feature database, the client sends the file to the cloud.
Specifically, the file's feature is first matched against the features in the blacklist feature database within the client's lightweight blacklist/whitelist feature database; if the match succeeds, the result is returned directly. If it does not, the feature is matched against the whitelist feature database within the lightweight database; if the match succeeds, the result is returned directly. If that also fails, the file belongs to neither list in the client's lightweight blacklist/whitelist feature database, and in that case the client sends the file directly to the cloud for processing.
S130: the cloud performs classification detection on the file based on a hash value classifier with at least two levels of Hamming distance.
Specifically, because the features in the cloud's blacklist/whitelist feature database are at a massive scale, the invention performs classification detection on files in the cloud based on a hash value classifier with eight levels of Hamming distance. That is, the invention designs an eight-level hash value classifier based on Hamming distance, in which one hash-value-based Hamming distance classifier is designed for every 16 bits, and a distance of less than 4 is treated as one class, so each level of the classifier divides into four classes; the eight levels together divide into 16,384 classes, and with a blacklist/whitelist feature database of 30,000,000 entries each class finally contains about 1,832 features. This method maximizes the class spacing; the distance the classifier learns is the difference weight between bit vectors, where a smaller distance means the bit vectors are more similar, and when the distance is below a certain limit they can be considered to belong to the same class.
Here, the process in which the cloud performs classification detection on a file is the process of matching the feature of the file sent to the cloud against the features in the cloud's blacklist/whitelist feature database.
When the feature of the file sent to the cloud does not match any feature in the cloud's blacklist/whitelist feature database, the file's feature belongs neither to the blacklist feature database nor to the whitelist feature database in the cloud, and the file is then scanned with multiple engines. The cloud's multi-engine scan may combine a heuristic engine with an artificial intelligence engine, for example combining BitDefender with the QVM (Qihoo Support Vector Machine) artificial intelligence engine to scan the file.
In addition, when the feature of the file sent to the cloud matches a feature in the cloud's blacklist/whitelist feature database, the probability that the level at which the feature sits in the cloud's blacklist/whitelist feature database is hit must also be counted, and the ordering of the cloud's Hamming-distance hash value classifier is then adaptively adjusted according to the hit probability of each level.
That is, the cloud's Hamming-distance hash value classifier likewise uses a hit-rate ranking mechanism, so the classifier level with the highest hit rate is automatically moved to the front. Because the whole Hamming-distance hash value classifier is divided into eight levels, the classification result is in theory the same whichever level is used first; but by dynamically adjusting the order of the levels according to the hit rate of each of the eight levels, the invention reduces the number of classifier processing steps as far as possible, improving the performance and efficiency of feature search.
S140: when the file's feature matches a feature in the cloud's blacklist/whitelist feature database, the probability with which the file's feature hits features in the cloud's blacklist/whitelist feature database is counted.
Note that counting the probability with which the feature of the file sent to the cloud hits features in the cloud's blacklist/whitelist feature database makes it convenient to update the client's lightweight blacklist/whitelist feature database, which further raises the probability that a file's feature hits a feature in the client's lightweight database, and in turn reduces the amount of file data the client sends to the cloud for detection.
S150: according to the counted probability, the cloud sends the client the files whose probability rank within the predetermined time interval falls in the preset range.
S160: the client updates its lightweight blacklist/whitelist feature database according to the files sent by the cloud; while the client updates the lightweight blacklist/whitelist feature database, the Hamming distance classifier completes an adaptive update.
Experiments show that when the client performs classification detection on files based on the Hamming distance classifier, the classifier's accuracy can exceed 95%, and from a probabilistic standpoint about 50% of the performance loss can be saved. For each new lightweight blacklist/whitelist feature set sent by the cloud, the classifier performs self-learning and self-training; only after the new classifier has finished training is it locked and used to replace the original lightweight blacklist/whitelist feature database and classifier.
To further explain the cloud searching and killing method based on an adaptive classifier provided by the invention, Fig. 2 shows a second flow of cloud searching and killing based on an adaptive classifier according to an embodiment of the invention. As shown in Fig. 2:
First, the MD5 value of the file sent to the client for detection is computed; then, based on the computed MD5 value, the Hamming distance classifier judges whether the file hits the blacklist feature database within the client's lightweight blacklist/whitelist feature database. If it hits, the result is returned directly; if not, whether it hits the whitelist feature database within the lightweight database is judged. If it hits, the result is likewise returned directly; if it still does not hit, the file is sent directly to the cloud.
The cloud likewise classifies the file sent by the client based on the file's MD5 value. When the file hits the cloud's blacklist/whitelist feature database, the probability with which the file's feature hits features in that database is counted; then, according to the counted probability, the cloud sends the client the features of the n blacklist/whitelist entries with the highest hit rate within time T. Here T corresponds to the predetermined time interval in the flow of Fig. 1 above, and n to the preset range.
Finally, according to the features sent by the cloud, the client's Hamming distance classifier performs self-learning and self-training; after the new classifier has been trained, the features in the original lightweight blacklist/whitelist feature database and the original classifier are locked and replaced, completing the update of the blacklist/whitelist feature database and of the classifier at the same time.
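The flow of Figs. 1 and 2 (S110 to S160), as an added Python simulation that is not part of the patent: a client with lightweight blacklist/whitelist sets, a cloud with an eight-level index over 16-bit segments of the MD5 feature, per-feature hit counting over an interval T, top-n feedback that rebuilds the client's lists, and re-ranking of the cloud's levels by how often each one resolved a lookup. The exact-match client lists, the per-level bucketing on one segment, the rule that the level which terminates a lookup counts as its hit level, and the constructed sample files are all assumptions of this example, not the patent's specification.

```python
import hashlib
from collections import Counter

LEVELS = 8    # eight classifier levels of 16 bits each (8 * 16 = 128 bits of MD5)
SEG_HEX = 4   # one 16-bit segment is 4 hex characters of the digest


def md5_feature(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()   # the file feature, as the page defines it


class MultiLevelHashClassifier:
    """Cloud-side classifier with one index per 16-bit segment of the feature.
    Assumed internals (the page leaves them open): a lookup intersects the per-level
    buckets and stops when at most one candidate is left; the stopping level counts
    as the 'hit' level, and the visiting order is re-ranked by those counts."""

    def __init__(self, black, white):
        self.verdict = {}                              # feature -> "black" / "white"
        self.index = [dict() for _ in range(LEVELS)]  # level -> segment -> {features}
        self.order = list(range(LEVELS))               # current visiting order of levels
        self.level_hits = Counter()
        for label, feats in (("black", black), ("white", white)):
            for feat in feats:
                self.verdict[feat] = label
                for lvl in range(LEVELS):
                    seg = feat[lvl * SEG_HEX:(lvl + 1) * SEG_HEX]
                    self.index[lvl].setdefault(seg, set()).add(feat)

    def classify(self, feat):
        """Return "black", "white", or None when the feature is in neither list."""
        candidates = None
        for lvl in self.order:
            seg = feat[lvl * SEG_HEX:(lvl + 1) * SEG_HEX]
            bucket = self.index[lvl].get(seg, set())
            candidates = bucket if candidates is None else candidates & bucket
            if len(candidates) <= 1:       # resolved: a miss (0) or one candidate
                self.level_hits[lvl] += 1
                break
        return self.verdict[feat] if feat in candidates else None

    def reorder(self):
        # Levels that resolve the most lookups move to the front (stable sort).
        self.order.sort(key=lambda lvl: -self.level_hits[lvl])


class Cloud:
    def __init__(self, black, white):
        self.classifier = MultiLevelHashClassifier(black, white)
        self.hits = Counter()   # per-feature hit count inside the current interval T

    def scan(self, feat):
        label = self.classifier.classify(feat)
        if label is None:
            return "multi-engine"   # in neither list: hand the file to the multi-engine scan
        self.hits[feat] += 1        # S140: count the hit on the cloud database
        return label

    def feedback(self, n):
        """S150, end of interval T: the n most-hit features; then reset the window."""
        top = [(f, self.classifier.verdict[f]) for f, _ in self.hits.most_common(n)]
        self.hits.clear()
        self.classifier.reorder()
        return top


class Client:
    def __init__(self):
        self.black, self.white = set(), set()   # lightweight lists, exact match for brevity
        self.sent_to_cloud = 0

    def scan(self, data, cloud):
        """S110/S120: blacklist first, then whitelist, otherwise send to the cloud."""
        feat = md5_feature(data)
        for feats, label in ((self.black, "black"), (self.white, "white")):
            if feat in feats:
                return label
        self.sent_to_cloud += 1
        return cloud.scan(feat)

    def update(self, fed_back):
        """S160: replace the lightweight lists with the cloud's top-n feedback."""
        self.black = {f for f, lab in fed_back if lab == "black"}
        self.white = {f for f, lab in fed_back if lab == "white"}


def simulate(n=3):
    """Two intervals over a constructed, skewed workload of 72 scans each."""
    black_files = [b"constructed-malware-%d" % i for i in range(20)]
    white_files = [b"constructed-goodware-%d" % i for i in range(20)]
    unknown = [b"constructed-unknown-%d" % i for i in range(5)]
    cloud = Cloud({md5_feature(f) for f in black_files}, {md5_feature(f) for f in white_files})
    client = Client()
    # Three files recur ten times each; every other file is seen once.
    workload = (black_files[:2] * 10 + white_files[:1] * 10
                + black_files[2:] + white_files[1:] + unknown)
    for f in workload:
        client.scan(f, cloud)
    sent_first = client.sent_to_cloud          # 72: the client lists start empty
    client.update(cloud.feedback(n))           # the three hot files come back
    client.sent_to_cloud = 0
    for f in workload:
        client.scan(f, cloud)
    return sent_first, client.sent_to_cloud, list(cloud.classifier.order)  # (72, 42, ...)
```

The second interval sends 30 fewer files because the three recurring files now resolve against the client's lightweight lists, which is the data reduction the method claims.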
Corresponding with said method, the invention provides a kind of cloud killing system based on adaptive classifier.Fig. 3 shows the logical construction of the cloud killing system based on adaptive classifier according to the embodiment of the present invention.
As shown in Figure 3, the cloud killing system 300 based on adaptive classifier provided by the invention comprises the first classification and Detection unit 310, file transmitting element 320, second classification and Detection unit 330, first probability statistics unit 340 and updating block 350.
Wherein, the first classification and Detection unit 310 is for carrying out classification and Detection based on Hamming distance grader to the file of client.
Particularly, client is before carrying out classification and Detection based on Hamming distance grader to file, and client has had the black and white lists feature database of lightweight.Due to the impact by flow and external data environment, the file that each client will carry out detecting is different, therefore, the black and white lists feature database of this lightweight be high in the clouds for specific client, client of being fed by the file reverse of probability rank in preset range of the feature in the black and white lists feature database in the feature of the file of the client in predetermined time interval hit high in the clouds obtains.That is, cloud killing system based on adaptive classifier provided by the invention comprises feature database transmitting element (not shown) further, for according to predetermined time interval, the probability rank of the feature in the black and white lists feature database in the feature of the file of client hit high in the clouds to be fed the lightweight black and white lists feature database of client as client at the file reverse of preset range.
It should be noted that, the first classification and Detection unit 310 pairs file carries out the process that the process of classification and Detection and the feature of file are mated with the feature in the lightweight black and white lists feature database of client.Wherein, carry out in the process of classification and Detection in client based on Hamming distance grader to file, this Hamming distance grader carries out classification and Detection based on the MD5 value of file or SHA1 value to file.That is, the feature of file gets based on to the MD5 value of file or the calculating of SHA1 value.Wherein, common practise is calculated as to the MD5 value of file and SHA1 value, does not repeat them here.
When file transmitting element 320 is for detecting that when the first classification and Detection unit 310 characteristic matching in the feature of file and the lightweight black and white lists feature database of client is unsuccessful, the file of client is sent to high in the clouds.
Particularly, first the feature of file is mated with the feature in the blacklist feature database in the lightweight black and white lists feature database of client, if the match is successful, then directly return results; If mate unsuccessful, then mate with the feature in the white list feature database in the lightweight black and white lists feature database of client, if the match is successful, then directly return results; If mate unsuccessful, illustrate that this file does not belong to any one in the lightweight black and white lists feature database of client, for this kind of situation, this file then can be directly sent to high in the clouds and process by client.
Second classification and Detection unit 330 carries out classification and Detection for the hash value grader based at least two-stage Hamming distance to the file that file transmitting element 320 sends.
Wherein, cloud killing system based on adaptive classifier provided by the invention comprises multi engine killing unit (not shown) further, for go out when the second classification and Detection unit inspection characteristic matching in the feature of the file that file transmitting element sends and the black and white lists feature database in high in the clouds unsuccessful time, utilize multi engine to carry out killing to this file.
In addition, because the feature in the black and white lists feature database in high in the clouds belongs to magnanimity level, therefore for the feature of magnanimity level, the present invention carries out classification and Detection based on the hash value grader of eight grades of Hamming distances to file beyond the clouds.That is, the present invention devises eight grades of hash value graders based on Hamming distance, wherein, the Hamming distance grader of every 16 designs one based on hash value, when distance is less than " 4 " time, be namely considered as a class, so every first-level class device all can be divided into four classes, and eight grades of graders are divided into 16384 classes, with the black and white lists feature database of 3,000 ten thousand, the characteristic comprised in final every class is about 1832.Can maximize class interval by this kind of method, the distance that grader is learnt is the difference weight between bit vector.Wherein, between the less explanation bit vector of distance, similitude is higher, when distance is less than certain limit, can thinks and belong to same class.Wherein, the process that the feature in the feature of the file in high in the clouds and the black and white lists feature database in high in the clouds mates is given to the process that file carries out classification and Detection in high in the clouds namely.
The cloud searching and killing system based on an adaptive classifier provided by the invention further comprises a second probability statistics unit and an order adjustment unit (neither shown in the figure). When the second classification-detection unit 330 finds that the feature of a file sent by the file transmitting unit 320 matches a feature in the cloud black/white-list feature database, the second probability statistics unit counts the probability with which the level at which that feature is located in the cloud black/white-list feature database is hit; the order adjustment unit adaptively adjusts the order of the Hamming-distance hash-value classifiers in the cloud according to the probabilities counted by the second probability statistics unit.
That is, the Hamming-distance hash-value classifiers in the cloud also use a hit-rate ranking mechanism: the level classifier with the highest hit rate is automatically moved to the front. Because the complete Hamming-distance hash-value classifier is divided into eight levels, the classification result is in theory the same whichever level is applied first; but by dynamically reordering the eight level classifiers according to their hit rates, the invention reduces as far as possible the number of classifier stages a lookup must pass through, and thereby improves the performance and efficiency of feature lookup.
When the second classification-detection unit 330 finds that the feature of a file sent by the file transmitting unit 320 matches a feature in the cloud black/white-list feature database, the first probability statistics unit 340 counts the probability with which the feature of the file sent by the file transmitting unit 320 hits a feature in the cloud black/white-list feature database.
Note that counting the probability with which the features of files sent to the cloud hit features in the cloud black/white-list feature database makes it straightforward to update the client's lightweight black/white-list feature database. This further raises the probability that a file's feature hits a feature in the client's lightweight black/white-list feature database, and in turn reduces the volume of file data the client sends to the cloud for detection.
The updating unit 350 updates the client's lightweight black/white-list feature database. The update is performed by the cloud sending the client, at a predetermined time interval and according to the probabilities counted by the first probability statistics unit 340, the files whose probability rank falls within a preset range; while the client's lightweight black/white-list feature database is being updated, the Hamming-distance classifier completes its adaptive update.
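The client-side update loop described for the first probability statistics unit 340 and the updating unit 350, as an added example that is not code from the patent or from Neusoft. `Cloud`, `Client` and `simulate` are hypothetical; the cloud database is a plain dictionary keyed by MD5 hex digest, the multi-engine scan is replaced by a counter, the client sends the digest rather than the whole file, and "probability rank within a preset range" is read as the top-N features by hit share in the elapsed interval. The sample file contents and the traffic pattern are constructed.

```python
"""Client lightweight black/white-list database fed by cloud hit-rate ranking.

Added example, not the patent's code.  The cloud is a dict of MD5 hex digests,
the multi-engine scanning unit is a stub counter, and the preset rank range is
the top-N features by hit share within one interval.
"""
import hashlib
from collections import Counter


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


class Cloud:
    def __init__(self, black, white):
        self.db = {md5_hex(b): "black" for b in black}
        self.db.update({md5_hex(w): "white" for w in white})
        self.hits = Counter()             # first probability statistics unit
        self.multi_engine_scans = 0       # multi-engine scanning unit (stub)

    def scan(self, digest: str) -> str:
        verdict = self.db.get(digest)
        if verdict is None:               # no match in the cloud black/white lists
            self.multi_engine_scans += 1
            return "unknown"
        self.hits[digest] += 1
        return verdict

    def top_features(self, n: int):
        """(digest, verdict, hit probability) for the n most-hit features."""
        total = sum(self.hits.values()) or 1
        return [(d, self.db[d], c / total) for d, c in self.hits.most_common(n)]

    def end_interval(self) -> None:
        self.hits.clear()                 # statistics are kept per time interval


class Client:
    def __init__(self, cloud: Cloud, capacity: int):
        self.cloud = cloud
        self.capacity = capacity
        self.local = {}                   # lightweight black/white-list feature database
        self.local_hits = 0
        self.uploads = 0

    def check(self, data: bytes) -> str:
        digest = md5_hex(data)
        if digest in self.local:          # client-side hit: nothing leaves the host
            self.local_hits += 1
            return self.local[digest]
        self.uploads += 1                 # miss: hand the file over to the cloud
        return self.cloud.scan(digest)

    def update_from_cloud(self) -> None:
        """Updating unit: replace the local list with the cloud's top-ranked features."""
        self.local = {d: v for d, v, _ in self.cloud.top_features(self.capacity)}


def simulate(workload, black, white, capacity, intervals=2):
    """Replay the same workload for several intervals; return (uploads per
    interval, total multi-engine scans)."""
    cloud = Cloud(black, white)
    client = Client(cloud, capacity)
    uploads = []
    for _ in range(intervals):
        start = client.uploads
        for data in workload:
            client.check(data)
        uploads.append(client.uploads - start)
        client.update_from_cloud()        # the predetermined interval has elapsed
        cloud.end_interval()
    return uploads, cloud.multi_engine_scans


if __name__ == "__main__":
    A, B, C, Z = b"installer.exe", b"editor.exe", b"dropper.exe", b"unknown.bin"
    workload = [A] * 5 + [B] * 3 + [C] + [Z] * 2       # constructed sample traffic
    print(simulate(workload, black=[A, C], white=[B], capacity=2, intervals=3))
    # -> ([11, 3, 10], 6)
```

The second interval shows the intended effect: the two hottest features are now answered locally and uploads fall from 11 to 3. The third interval shows the failure mode of ranking on per-interval cloud statistics alone: once a feature is cached on the client it stops reaching the cloud, stops accumulating hits, drops out of the ranking, and is evicted, so the same files are uploaded all over again. A deployment needs the client to report its local hit counts back (or the cloud to keep cumulative statistics) so that the ranking reflects demand rather than only cache misses.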
In summary, the cloud searching and killing method and system based on an adaptive classifier provided by the invention, on the one hand, improve the filtering efficiency and hit probability of the features in the client's lightweight black/white-list feature database and reduce the volume of data sent to the cloud; on the other hand, they shorten the lookup distance for features in the cloud black/white-list feature database and improve the efficiency of feature lookup.
The cloud searching and killing method and system based on an adaptive classifier according to the invention have been described above by way of example with reference to the accompanying drawings. Those skilled in the art will appreciate, however, that various improvements can be made to the method and system proposed above without departing from the content of the invention. The scope of protection of the invention should therefore be determined by the content of the appended claims.

Claims (10)

1. A cloud searching and killing method based on an adaptive classifier, comprising:
a client performing classification detection on a file based on a Hamming-distance classifier, wherein, when the feature of the file fails to match a feature in a lightweight black/white-list feature database of the client,
the client sends the file to a cloud;
the cloud performing classification detection on the file based on a hash-value classifier having at least two levels of Hamming distance, wherein, when the feature of the file matches a feature in a black/white-list feature database of the cloud,
the probability that the feature of the file hits a feature in the black/white-list feature database of the cloud is counted;
according to the counted probability, the cloud sends to the client the files whose probability rank within a predetermined time interval falls within a preset range; and
the client updating the lightweight black/white-list feature database of the client according to the files sent by the cloud, wherein, while the client updates the lightweight black/white-list feature database, the Hamming-distance classifier completes an adaptive update.
2. The cloud searching and killing method based on an adaptive classifier according to claim 1, wherein, when the feature of the file fails to match a feature in the black/white-list feature database of the cloud, the file is scanned with multiple engines.
3. The cloud searching and killing method based on an adaptive classifier according to claim 1, further comprising: at a predetermined time interval, the cloud feeding back to the client the files whose probability of hitting a feature in the black/white-list feature database of the cloud ranks within a preset range, as the lightweight black/white-list feature database of the client.
4. The cloud searching and killing method based on an adaptive classifier according to claim 1, wherein the Hamming-distance classifier and the Hamming-distance hash-value classifier perform classification detection on the file based on the MD5 value or SHA1 value of the file.
5. The cloud searching and killing method based on an adaptive classifier according to claim 1, wherein, when the feature of the file matches a feature in the black/white-list feature database of the cloud, the probability that the level at which the feature is located in the black/white-list feature database of the cloud is hit is counted, and the order of the Hamming-distance hash-value classifiers in the cloud is adaptively adjusted according to the probability that the level is hit.
6. A cloud searching and killing system based on an adaptive classifier, comprising:
a first classification-detection unit, for performing classification detection on a file of a client based on a Hamming-distance classifier;
a file transmitting unit, for sending the file of the client to a cloud when the first classification-detection unit finds that the feature of the file fails to match a feature in a lightweight black/white-list feature database of the client;
a second classification-detection unit, for performing classification detection on the file sent by the file transmitting unit based on a hash-value classifier having at least two levels of Hamming distance;
a first probability statistics unit, for counting, when the second classification-detection unit finds that the feature of the file sent by the file transmitting unit matches a feature in a black/white-list feature database of the cloud, the probability that the feature of the file sent by the file transmitting unit hits a feature in the black/white-list feature database of the cloud; and
an updating unit, for updating the lightweight black/white-list feature database of the client, wherein the update is performed by the cloud sending to the client, according to the probabilities counted by the first probability statistics unit, the files whose probability rank within a predetermined time interval falls within a preset range, and wherein, while the lightweight black/white-list feature database of the client is updated, the Hamming-distance classifier completes an adaptive update.
7. The cloud searching and killing system based on an adaptive classifier according to claim 6, further comprising: a multi-engine scanning unit, for scanning the file with multiple engines when the second classification-detection unit finds that the feature of the file sent by the file transmitting unit fails to match a feature in the black/white-list feature database of the cloud.
8. The cloud searching and killing system based on an adaptive classifier according to claim 6, further comprising: a feature database transmitting unit, for feeding back to the client, at a predetermined time interval, the files whose probability of hitting a feature in the black/white-list feature database of the cloud ranks within a preset range, as the lightweight black/white-list feature database of the client.
9. The cloud searching and killing system based on an adaptive classifier according to claim 6, wherein the Hamming-distance classifier and the Hamming-distance hash-value classifier perform classification detection on the file based on the MD5 value or SHA1 value of the file.
10. The cloud searching and killing system based on an adaptive classifier according to claim 6, further comprising:
a second probability statistics unit, for counting, when the second classification-detection unit finds that the feature of the file sent by the file transmitting unit matches a feature in the black/white-list feature database of the cloud, the probability that the level at which the feature is located in the black/white-list feature database of the cloud is hit; and
an order adjustment unit, for adaptively adjusting the order of the Hamming-distance hash-value classifiers in the cloud according to the probabilities counted by the second probability statistics unit.
CN201410459367.XA 2014-09-10 2014-09-10 Cloud checking and killing method and system based on adaptive classifier Active CN104243470B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410459367.XA CN104243470B (en) 2014-09-10 2014-09-10 Cloud checking and killing method and system based on adaptive classifier

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410459367.XA CN104243470B (en) 2014-09-10 2014-09-10 Cloud checking and killing method and system based on adaptive classifier

Publications (2)

Publication Number Publication Date
CN104243470A true CN104243470A (en) 2014-12-24
CN104243470B CN104243470B (en) 2018-04-06

Family

ID=52230820

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410459367.XA Active CN104243470B (en) 2014-09-10 2014-09-10 Cloud checking and killing method and system based on adaptive classifier

Country Status (1)

Country Link
CN (1) CN104243470B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105624074A (en) * 2016-03-25 2016-06-01 福建师范大学 Harmless treatment method for antibiotic mycelium residues
CN107294929A (en) * 2016-04-05 2017-10-24 阿里巴巴集团控股有限公司 Rule match and management method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102811213A (en) * 2011-11-23 2012-12-05 北京安天电子设备有限公司 Fuzzy hashing algorithm-based malicious code detection system and method
US8375450B1 (en) * 2009-10-05 2013-02-12 Trend Micro, Inc. Zero day malware scanner
US20130111547A1 (en) * 2011-10-28 2013-05-02 Scargo, Inc. Security Policy Deployment and Enforcement System for the Detection and Control of Polymorphic and Targeted Malware
CN103500305A (en) * 2013-09-04 2014-01-08 中国航天科工集团第二研究院七〇六所 System and method for malicious code analysis based on cloud computing
CN103530557A (en) * 2013-03-12 2014-01-22 Tcl集团股份有限公司 Method and system for scanning virus apk based on cloud terminal mass samples

Also Published As

Publication number Publication date
CN104243470B (en) 2018-04-06

Similar Documents

Publication Publication Date Title
CN104142999B (en) Search result methods of exhibiting and device
US7716297B1 (en) Message stream analysis for spam detection and filtering
EP3507960B1 (en) Clustering approach for detecting ddos botnets on the cloud from ipfix data
CA2859131C (en) Systems and methods for spam detection using character histograms
CN111919427A (en) Account level Lego software affected service identification
CN106817248B (en) APT attack detection method
CN106161451A (en) The method of defence CC attack, Apparatus and system
WO2016208158A1 (en) Information processing device, information processing system, information processing method, and storage medium
CN102915421A (en) Method and system for scanning files
CN104901971A (en) Method and device for carrying out safety analysis on network behaviors
Siracusano et al. Detection of LDDoS attacks based on TCP connection parameters
Cao et al. Combating friend spam using social rejections
CN103546449A (en) E-mail virus detection method and device based on attachment formats
CN104243470A (en) Cloud searching and killing method and system based on self-adaption classifier
Li et al. Detecting adversarial patch attacks through global-local consistency
US8356076B1 (en) Apparatus and method for performing spam detection and filtering using an image history table
CN113242233B (en) Multi-classification botnet detection device
US10965696B1 (en) Evaluation of anomaly detection algorithms using impersonation data derived from user data
US10263998B1 (en) Automated determination of relevance of a security alert to one or more other security alerts based on shared markers
Yu et al. Design of DDoS attack detection system based on intelligent bee colony algorithm
CN107124410A (en) Network safety situation feature clustering method based on machine deep learning
CN104951559B (en) A kind of two-value code rearrangement method based on position weight
CN114398635A (en) Layered security federal learning method and device, electronic equipment and storage medium
CN110138723A (en) The determination method and system of malice community in a kind of mail network
CN111212039A (en) Host mining behavior detection method based on DNS flow

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant