WO2017071148A1 - Cloud computing platform-based intelligent defense system

Publication number: WO2017071148A1
Authority: WO (WIPO, PCT)
Prior art keywords: event, intrusion, rule base, tested, configured
Application number: PCT/CN2016/076042
Other languages: French (fr), Chinese (zh)
Inventors: 李红波, 侯林利, 邱吉刚
Original assignee: 四川九洲电器集团有限责任公司
Priority: CN201510729240.XA (published as CN105376222A)
Application filed by 四川九洲电器集团有限责任公司
Publication of WO2017071148A1


Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 29/00  Arrangements, apparatus, circuits or systems, not covered by a single one of groups H04L 1/00 - H04L 27/00
    • H04L 29/02  Communication control; Communication processing
    • H04L 29/06  Communication control; Communication processing characterised by a protocol

Abstract

Disclosed in the present invention is a cloud computing platform-based intelligent defense system comprising a client and a cloud server. The client acquires event data of an event under detection, extracts event features, and checks those features against a first intrusion rule stored in a local first lightweight defense rule library to determine whether the event under detection is an intrusion event. If the event under detection is determined to be a non-intrusion event, the client sends the event features to the cloud server and notifies the cloud server to check them against a second intrusion rule stored in the cloud server's local depth-level defense rule library, so as to determine whether the event under detection is an intrusion event, wherein the first lightweight defense rule library is a subset of the depth-level defense rule library. The present invention can greatly reduce resource and traffic consumption of the electronic equipment, and can effectively detect an intrusion attack in time so that a response can be made and measures taken as soon as possible, thus alleviating the damage caused to a user by malware and significantly improving security assurance.

Description

Intelligent defense system based on cloud computing platform

The present application claims priority to Chinese Patent Application No. CN201510729240.X filed on Oct. 30, 2015, which is incorporated herein by reference.

Technical field

The present invention relates to the field of computer network information security technologies, and in particular to an intelligent defense system based on a cloud computing platform, which includes a client and a cloud server.

Background technique

With the proliferation of smartphone users, the insecurity caused by malware has attracted more and more attention. The promotion of a large number of free applications on smartphones gives attackers a convenient way to bundle Trojans. Through such Trojans, malicious service providers can covertly connect to specific targets or send value-added short messages to specific targets, which greatly damages users' interests. Since the Android system occupies the largest share of the global smartphone market and the Android platform is open source, attacks on Android smartphones are easier than on other smartphone systems.

Android has a huge user base and a high degree of openness: users can install third-party programs such as software and games. However, users cannot judge the security of such software, so many attackers carry out intrusions on this basis. Moreover, with the development of mobile smart technology, intrusions into smartphones have become more diverse. Although the open source, open and free nature of the Android platform has brought Google a large market share, it has also brought many security risks to consumers. Once the personal privacy on a mobile phone is leaked, the loss to the user cannot be estimated.

Traditional mobile phones typically defend against malware through a security defense system running on them. Generally speaking, the security defense system will occupy a large storage space of the mobile phone, which will affect the running speed of the mobile phone and also affect the user experience.

Therefore, it is of great practical significance to provide an intelligent defense system that can guarantee the running speed of the mobile phone and effectively prevent malicious intrusion.

Summary of the invention

The technical problem to be solved by the present invention is that a conventional mobile phone generally protects against malware through a security defense system running thereon, and the storage space required for the defense system is large, thereby affecting the running speed of the mobile phone and the user experience.

In order to solve the above technical problem, the present invention provides a smart defense system based on a cloud computing platform, which includes a client and a cloud server.

According to an aspect of the present invention, a client is provided, comprising:

a data acquisition module, configured to acquire event data of the event to be tested;

a feature extraction module, configured to extract an event feature of the event data;

a first detecting module, configured to detect the event feature according to a first intrusion rule saved in a local first lightweight defense rule base, to determine whether the event to be tested is an intrusion event;

a first communication module, configured to: when the first detecting module determines that the event to be tested is a non-intrusion event, send the event feature to a cloud server and notify the cloud server to detect the event feature according to a second intrusion rule saved in its local depth-level defense rule base, to determine whether the event to be tested is an intrusion event, wherein the first lightweight defense rule base is a subset of the depth-level defense rule base.

Preferably, the first detecting module comprises:

a first matching unit, configured to determine whether the event feature matches at least one of the first intrusion rules in the first lightweight defense rule base;

a first determining unit, configured to: when the first matching unit determines that the event feature matches at least one of the first intrusion rules, determine that the event to be tested is an intrusion event;

a second determining unit, configured to: when the first matching unit determines that the event feature matches none of the first intrusion rules in the first lightweight defense rule base, determine that the event to be tested is a non-intrusion event.

Preferably, the client further includes a response module, configured to passively respond to the event to be tested when the first detecting module determines that the event to be tested is an intrusion event.

Preferably, the response module is further configured to actively respond to the event to be tested when the first detecting module determines that the event to be tested is an intrusion event.

Preferably, the client further includes a first update module, configured to receive an updated second lightweight defense rule base sent by the cloud server, and to update the first lightweight defense rule base according to the updated second lightweight defense rule base.

According to another aspect of the present invention, a cloud server is provided, comprising:

a second communication module, configured to receive an event feature sent by a client, where the event feature is sent to the cloud server when the client, according to a first intrusion rule saved in its local first lightweight defense rule base, determines that the event to be tested is a non-intrusion event;

a second detection module, configured to detect the event feature according to a second intrusion rule saved in a local depth-level defense rule base, to determine whether the event to be tested is an intrusion event, wherein the first lightweight defense rule base is a subset of the depth-level defense rule base.

Preferably, the second detecting module comprises:

a second matching unit, configured to determine whether the event feature matches at least one of the second intrusion rules in the depth defense rule base;

a third determining unit, configured to determine that the event to be tested is an intrusion event when the second matching unit determines that the event feature matches at least one of the second intrusion rules;

a fourth determining unit, configured to determine that the event to be tested is a non-intrusion event when the second matching unit determines that the event feature matches none of the second intrusion rules in the depth-level defense rule base.

Preferably, the second communication module is further configured to notify the client to respond to the event to be tested when the second detecting module determines that the event to be tested is an intrusion event.

Preferably, the cloud server further includes a second update module, configured to update the local depth-level defense rule base and the local second lightweight defense rule base according to input event samples and/or detected events, and to send, through the second communication module, the updated second lightweight defense rule base to the client, so that the client updates its local first lightweight defense rule base according to the updated second lightweight defense rule base.

Preferably, the second update module is specifically configured to update the local depth-level defense rule base and the local second lightweight defense rule base according to the input event samples and/or detected events, in combination with a support vector machine learning algorithm, a neural network learning algorithm or an Adaboost learning algorithm.

One or more of the above aspects may have the following advantages or benefits compared to the prior art:

The invention can not only greatly reduce the resource and traffic consumption of the electronic device, but also can detect the intrusion attack in time and effectively, react and deal with it as soon as possible, reduce the damage caused by the malware to the user, and greatly improve the security guarantee.

Other features and advantages of the present invention will be set forth in the description which follows. The objectives and other advantages of the invention may be realized and obtained by means of the structure particularly pointed out in the appended claims.

DRAWINGS

The drawings are intended to provide a further understanding of the invention, and are intended to be a part of the description of the invention. In the drawing:

FIG. 1 is a schematic structural diagram of an intelligent defense system based on a cloud computing platform according to an embodiment of the present invention;

FIG. 2 is a schematic structural diagram of the first detecting module of FIG. 1;

FIG. 3 is a block diagram showing the structure of the second detecting module of FIG. 1;

FIG. 4 is a schematic flowchart diagram of an intelligent defense method based on a cloud computing platform according to an embodiment of the present invention.

Detailed description

The embodiments of the present invention will be described in detail below with reference to the accompanying drawings, so that how the present invention applies technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented. It should be noted that the various embodiments of the present invention, and the various features of those embodiments, may be combined with each other, and all technical solutions so formed are within the scope of the present invention.

The technical problem to be solved by the present invention is that a conventional mobile phone generally protects against malware through a security defense system running thereon, and the storage space required for the defense system is large, thereby affecting the running speed of the mobile phone and the user experience. To solve the above technical problem, an embodiment of the present invention provides an Android mobile phone intelligent defense system based on a cloud computing platform.

FIG. 1 is a schematic structural diagram of an intelligent defense system according to an embodiment of the present invention. The smart defense system of this embodiment mainly includes a client 100 and a cloud server 200.

First, the client 100 is introduced. The client 100 runs on an electronic device such as an Android smartphone. It is mainly used to collect the raw event data, that is, the event source, and to extract event features from that data. It then matches the features against the local first lightweight defense rule base 108 to identify whether the event to be tested is an intrusion event. When the event to be tested cannot be determined to be an intrusion event locally, the event features are sent to the cloud server 200 through the first communication module 106, and the cloud detection result is received from the cloud server 200. Finally, the client responds to the event to be tested based on the detection result.

The client 100 includes an event generation module 102, a data acquisition module 103, a feature extraction module 104, a first detection module 105 and a response module 107 connected in sequence, together with a first communication module 106 and a first lightweight defense rule base 108. The first detection module 105 is coupled to the first communication module 106 and to the first lightweight defense rule base 108.

Specifically, the event generation module 102 generates an event to be tested based on the event source 101. The data acquisition module 103 acquires event data of the event to be tested. Here, the event data mainly includes system feature data and network feature data. The client 100 is divided into six data collection modules, which are a CPU information collection module, a memory information collection module, a network information collection module, a process information collection module, a disk information collection module, and a short message collection module. The feature extraction module 104 performs preliminary collation on the event data acquired by the data acquisition module 103 and extracts event features.

The first detecting module 105 is configured to detect an event feature according to the first intrusion rule saved in the local first lightweight defense rule base 108 to determine whether the event to be tested is an intrusion event. In particular, referring to FIG. 2, the first detection module 105 preferably includes a first matching unit 301, and a first determining unit 302 and a second determining unit 303 each connected to the first matching unit 301. The first matching unit 301 is configured to determine whether the event feature matches at least one first intrusion rule in the first lightweight defense rule base 108. The first determining unit 302 is configured to determine that the event to be tested is an intrusion event when the first matching unit 301 determines that the event feature matches at least one first intrusion rule. The second determining unit 303 is configured to determine that the event to be tested is a non-intrusion event when the first matching unit 301 determines that the event feature matches none of the first intrusion rules in the first lightweight defense rule base 108.

In this embodiment, the first lightweight defense rule base 108 covers the most important/core lightweight feature attributes, namely: CPU information: cpu_usage; memory information: mem_usage, mem_cached, mem_active, mem_inactive; network information: int_output, int_input, int_tcp, int_udp; disk information: /SD_card. The rule base is usually expressed in the form of a decision tree, which embodies all the feature attributes involved in the rule base and the relationship between different combinations of feature attributes and the decision result (intrusion event). As long as the event features of the event to be tested satisfy one rule in the rule base, the decision result for that event is "intrusion event", and thus the conclusion that the event to be tested is an intrusion event is reached. Since judging whether an event satisfies a given attribute condition based on a decision tree is a technical means conventionally employed by those skilled in the art, it is not expanded on here.

The first communication module 106 is configured to send the event feature and a detection command to the cloud server 200 when the first detection module 105 determines that the event to be tested is a non-intrusion event, so as to notify the cloud server 200 to detect the event feature according to the second intrusion rule saved in its local depth-level defense rule base 206 and determine whether the event to be tested is an intrusion event, wherein the first lightweight defense rule base 108 is a subset of the depth-level defense rule base 206.

In the present embodiment, the depth-level defense rule base 206 covers the depth-level key feature attributes, and the first lightweight defense rule base 108 is a subset of the depth-level defense rule base 206. The depth-level defense rule base 206 covers all of the feature attributes required for the analysis, including the most dominant/core feature attributes stored in the first lightweight defense rule base 108. Specifically, the depth-level defense rule base 206 stores: CPU information: cpu_usage; memory information: mem_usage, mem_cached, mem_active, mem_inactive, mem_active(anon), mem_inactive(anon), mem_active(file), mem_inactive(file); network information: int_output, int_input, int_tcp, int_udp; disk information: /SD_card; process information: process_number; SMS information: message_send, message_received.

The response module 107 of the client 100 is configured to respond to the event to be tested when the first detection module 105 determines that the event to be tested is an intrusion event. The response module 107 can respond in various forms according to the type of intrusion event; responses can generally be divided into passive responses and active responses.

A passive response consists of some initial response actions after the intrusion is discovered. The system simply records and reports the detected problem and takes no further measures; instead, it waits for the administrator, after receiving the report, to decide on handling according to the situation, such as activating more detailed log auditing, activating more detailed intrusion detection, estimating the scope of the event, its degree of hazard and its potential hazard, collecting event-related information, and generating an incident report on that basis.

Active response includes active measures based on a detected intrusion. Possible proactive measures include shutting down the attacked system, shutting down the attacked service, disconnecting the network, disabling access, deleting files, and so on.

The cloud server 200 is described below. The cloud server 200 mainly includes a network data acquisition module 201, an event database 202, a second communication module 203, a second update module 204, a second detection module 205, a depth-level defense rule base 206 and a second lightweight defense rule base 207. The second communication module 203 is coupled to the first communication module 106 to enable communication with the client 100. The second communication module 203 and the network data acquisition module 201 are both connected to the event database 202. The event database 202 is coupled to the second update module 204. The second update module 204 is coupled to the depth-level defense rule base 206 and to the second lightweight defense rule base 207. The second communication module 203 is also connected to the second lightweight defense rule base 207 through the second detection module 205.

The cloud server 200 receives, through its second communication module 203, the commands or data sent by the client 100 through the first communication module 106. The first communication module 106 and the second communication module 203 are the bridge connecting the client 100 and the cloud server 200. Here, the cloud server 200 receives the event features and detection command sent by the client 100 and places the event features in the event database 202. In response to the detection command, the second detection module 205 takes the event feature out of the event database 202, performs feature detection analysis according to the local depth-level defense rule base 206, and returns the analysis result to the client 100 through the second communication module 203; the client 100 receives the return data of the cloud server 200 (i.e., the detection result of whether the event to be tested is an intrusion event) through the first communication module 106.

Specifically, the second communication module 203 is configured to receive the event feature and the detection command sent by the client 100; the event feature and the detection command are sent to the cloud server 200 when the client 100, according to the first intrusion rule saved in its local first lightweight defense rule base 108, determines that the event to be tested is a non-intrusion event.

The second detecting module 205 is configured to detect the event feature according to the second intrusion rule saved in the local depth-level defense rule base 206 to determine whether the event to be tested is an intrusion event, wherein the first lightweight defense rule base 108 is a subset of the depth-level defense rule base 206. In particular, referring to FIG. 3, the second detecting module 205 preferably includes a second matching unit 401, and a third determining unit 402 and a fourth determining unit 403 each connected to the second matching unit 401. The second matching unit 401 is configured to determine whether the event feature matches at least one second intrusion rule in the depth-level defense rule base 206. The third determining unit 402 is configured to determine that the event to be tested is an intrusion event when the second matching unit 401 determines that the event feature matches at least one second intrusion rule. The fourth determining unit 403 is configured to determine that the event to be tested is a non-intrusion event when the second matching unit 401 determines that the event feature matches none of the second intrusion rules in the depth-level defense rule base 206. The working principle of the second detecting module 205 is the same as that of the first detecting module 105 and is not repeated here.

When it is determined that the event to be tested is an intrusion event, the second communication module 203 sends a response command to the client 100, so that the response module 107 of the client 100 passively/actively responds to the event to be tested.

In this embodiment, the client 100 of the electronic device mainly performs detection on the core information. When the event to be tested cannot be determined to be an intrusion event from the core information, the cloud server 200 performs a more detailed inspection using the depth-level defense rule base 206, which covers more information. Such a setting greatly reduces the burden on the client 100, so that detection of the event to be tested does not affect the running speed of the electronic device, and overcomes the defect of the prior art that the defense system requires a large storage space and affects the running speed of the mobile phone and the user experience.
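The two-tier flow described above (first matching unit and determining units of FIG. 2, escalation through the communication modules, second matching unit of FIG. 3, and the passive/active response of the response module 107) can be written out as a small simulation. The following is an added example and not code from the patent or its assignee: it uses the attribute names listed in the description, but the rule names, thresholds and sample event values are constructed for illustration, each rule is one root-to-leaf path of the decision tree (a conjunction of attribute conditions), and the client enforces the stated invariant that its lightweight rule base is a subset of the cloud's depth-level rule base.

```python
"""Two-tier detection of FIG. 1 to FIG. 3: the client matches event features against
its lightweight rule base and escalates unresolved events to the cloud's deeper base."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Attribute grouping taken from the description: the lightweight (core) set is a
# strict subset of the depth-level set.
LIGHTWEIGHT_ATTRS = frozenset({
    "cpu_usage", "mem_usage", "mem_cached", "mem_active", "mem_inactive",
    "int_output", "int_input", "int_tcp", "int_udp", "sd_card",
})
DEEP_ATTRS = LIGHTWEIGHT_ATTRS | {
    "mem_active_anon", "mem_inactive_anon", "mem_active_file", "mem_inactive_file",
    "process_number", "message_send", "message_received",
}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}


@dataclass(frozen=True)
class Rule:
    """One root-to-leaf path of the decision tree: all conditions must hold."""
    name: str
    conditions: tuple          # ((attribute, operator, threshold), ...)
    active: bool = False       # True: this intrusion type warrants an active response

    def attributes(self) -> frozenset:
        return frozenset(attr for attr, _, _ in self.conditions)

    def matches(self, features: Dict[str, float]) -> bool:
        # A condition on an attribute the event does not carry cannot be satisfied.
        return all(attr in features and _OPS[op](features[attr], thr)
                   for attr, op, thr in self.conditions)


@dataclass(frozen=True)
class Verdict:
    is_intrusion: bool
    tier: str                  # "client" if decided locally, "cloud" if escalated
    rule: Optional[str]        # name of the rule that fired, if any


def first_match(rules: Iterable[Rule], features: Dict[str, float]) -> Optional[Rule]:
    """Matching unit: the event is an intrusion as soon as any rule matches."""
    return next((r for r in rules if r.matches(features)), None)


class CloudServer:
    """Second detection module over the depth-level defense rule base."""
    def __init__(self, deep_rules: Iterable[Rule]):
        self.deep_rules: List[Rule] = list(deep_rules)
        self.event_database: List[Dict[str, float]] = []   # features received from clients

    def detect(self, features: Dict[str, float]) -> Optional[Rule]:
        self.event_database.append(dict(features))
        return first_match(self.deep_rules, features)


class Client:
    """First detection module, first communication module and response module."""
    def __init__(self, lightweight_rules: Iterable[Rule], cloud: CloudServer):
        self.rules: List[Rule] = list(lightweight_rules)
        # Invariant from the description: the lightweight base is a subset of the deep
        # base, and lightweight rules reference only core attributes.
        if not set(self.rules) <= set(cloud.deep_rules):
            raise ValueError("lightweight rule base must be a subset of the deep rule base")
        if any(not r.attributes() <= LIGHTWEIGHT_ATTRS for r in self.rules):
            raise ValueError("lightweight rules may only use core attributes")
        self.cloud = cloud
        self.report_log: List[tuple] = []   # passive response: record and report
        self.network_blocked = False        # active response: simulated network disconnect

    def detect(self, features: Dict[str, float]) -> Verdict:
        hit, tier = first_match(self.rules, features), "client"
        if hit is None:                      # locally a non-intrusion event: escalate
            hit, tier = self.cloud.detect(features), "cloud"
        if hit is not None:                  # local hit, or response command from the cloud
            self.respond(hit, features)
        return Verdict(hit is not None, tier, hit.name if hit else None)

    def respond(self, rule: Rule, features: Dict[str, float]) -> None:
        self.report_log.append((rule.name, dict(features)))   # passive response
        if rule.active:                                       # active response
            self.network_blocked = True


# Constructed sample rules; names and thresholds are illustrative, not from the page.
DEEP_RULES = [
    Rule("cpu_net_spike", (("cpu_usage", ">", 90), ("int_output", ">", 1000)), active=True),
    Rule("sd_card_full", (("sd_card", ">=", 0.98),)),
    Rule("sms_burst", (("message_send", ">=", 30),), active=True),
    Rule("process_explosion", (("process_number", ">", 300),)),
]
# The lightweight base is the projection of the deep base onto the core attributes.
LIGHTWEIGHT_RULES = [r for r in DEEP_RULES if r.attributes() <= LIGHTWEIGHT_ATTRS]


def run_demo():
    """Run three constructed events through both tiers; returns (verdicts, client)."""
    cloud = CloudServer(DEEP_RULES)
    client = Client(LIGHTWEIGHT_RULES, cloud)
    events = {   # constructed event features
        "local_hit": {"cpu_usage": 96, "int_output": 5000, "message_send": 0},
        "cloud_hit": {"cpu_usage": 15, "int_output": 20, "message_send": 45},
        "benign":    {"cpu_usage": 12, "int_output": 10, "message_send": 1},
    }
    return {name: client.detect(f) for name, f in events.items()}, client


if __name__ == "__main__":
    for name, verdict in run_demo()[0].items():
        print(name, verdict)
```

Two points of the design are worth noting from a defender's side. The `benign` event is reported as a non-intrusion only after both tiers have seen it, so a detection gap in the lightweight base costs one round trip rather than a missed event, and the cloud keeps every escalated feature vector in its event database, which is exactly the material the update module of the next section learns from. Equally, a client whose rule base reaches outside the core attribute set or outside the cloud's base is rejected at construction time, because a lightweight rule that cannot be reproduced in the cloud would make the subset relation the description relies on silently false.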

In a preferred embodiment of the present invention, the cloud server 200 further includes a second update module 204. The second update module 204 is configured to update the local depth-level defense rule base 206 and the local second lightweight defense rule base 207 according to the event samples and/or detected events input by the network data acquisition module 201, and to transmit the updated second lightweight defense rule base 207 to the client 100 through the second communication module 203, so that the client 100 updates its local first lightweight defense rule base 108 according to the updated second lightweight defense rule base 207. Correspondingly, the client 100 further includes a first update module 109, configured to receive the updated second lightweight defense rule base 207 sent by the cloud server 200 and to update the first lightweight defense rule base 108 according to it.

In particular, the second update module 204 is specifically configured to update the local depth-level defense rule base 206 and the local second lightweight defense rule base 207 based on the input event samples and/or detected events, in combination with a support vector machine learning algorithm, a neural network learning algorithm or an Adaboost learning algorithm.

The update method of this embodiment allows continuous updating of the lightweight defense rule base of the client 100 and of the depth-level defense rule base 206 in the cloud, so that whether the event to be tested is an intrusion event can be determined more accurately, improving the effectiveness of the intelligent defense system and ensuring that the virus is detected in time. In addition, since the time-consuming rule base update is performed by the cloud server 200, the resource consumption of the client 100 is further reduced, ensuring the running speed of the electronic device while accurately detecting intrusion events.

Correspondingly, the embodiment further provides an Android mobile phone intelligent defense method based on a cloud computing platform.

As shown in FIG. 4, it is a schematic flowchart of the smart defense method of this embodiment. The smart defense method of this embodiment mainly includes steps 1 to 9.

In step 1, event data of the event to be tested is acquired.

In step 2, the event characteristics of the event data are extracted.

In step 3, the event feature is detected according to the first intrusion rule saved in the local first lightweight defense rule base 108 to determine whether the event to be tested is an intrusion event.

In step 4, when it is determined that the event to be tested is a non-intrusion event, the event feature and the detection command are sent to the cloud server 200.

In step 5, the cloud server 200 receives the event feature and the detection command sent by the client 100, and detects the event feature according to the second intrusion rule saved in the local depth-level defense rule base 206 to determine whether the event to be tested is an intrusion event. Here, the first lightweight defense rule base 108 is a subset of the depth-level defense rule base 206.

In step 6, the cloud server 200 sends a response command to the client 100 when it determines that the event to be tested is an intrusion event.

In step 7, when the client 100 locally detects that the event to be tested is an intrusion event or receives a response command sent by the cloud server 200, the client 100 responds to the event to be tested. Here, the client 100 passively or actively responds to the event to be tested.

In a preferred embodiment of the invention, an update step 8-10 of the rule base is also included.

Specifically, in step 8, the cloud server 200 updates the local depth level defense rule base 206 and the local second lightweight defense rule base 207 according to the input event samples and/or the detected events.

In step 9, the cloud server 200 transmits the updated second lightweight defense rule base 207 to the client 100.

In step 10, the client 100 receives the updated second lightweight defense rule base 207 sent by the cloud server 200, and updates the local first lightweight defense rule base 108 with the updated second lightweight defense rule base 207.

For details of the operations in the above various method steps, reference may be made to the description of the system of the present invention in conjunction with FIG. 1 and will not be described in detail herein.
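The update cycle of steps 8 to 10 (and of the second update module 204 and first update module 109 described with FIG. 1) is shown below as an added example; it is not code from the patent or its assignee. The page names SVM, neural network and Adaboost learners without detail, so this example stands in a simpler rule learner: for each attribute it mines the single threshold rule (a decision stump, the weak learner Adaboost is usually built from) that covers the most labelled intrusion samples while firing on no benign sample, so that a rule match still implies "intrusion". The lightweight base is then derived as the projection of the deep base onto the core attribute set, which makes the subset relation hold by construction, and the client accepts an update only if it is newer than what it holds and uses only core attributes. The sample events and labels are constructed; the versioning and validation are assumptions added here, not something the page specifies.

```python
"""Rule-base update cycle of steps 8 to 10: the cloud learns threshold rules from
labelled event samples, derives the lightweight subset, and pushes a versioned
update that the client validates before applying."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Core attribute set of the lightweight rule base, as listed in the description.
LIGHTWEIGHT_ATTRS = frozenset({
    "cpu_usage", "mem_usage", "mem_cached", "mem_active", "mem_inactive",
    "int_output", "int_input", "int_tcp", "int_udp", "sd_card",
})


@dataclass(frozen=True)
class Stump:
    """Single-attribute threshold rule: the event is an intrusion if value > threshold."""
    attribute: str
    threshold: float

    def fires(self, features: Dict[str, float]) -> bool:
        return self.attribute in features and features[self.attribute] > self.threshold


Sample = Tuple[Dict[str, float], bool]   # (event features, is_intrusion label)


def learn_stumps(samples: List[Sample]) -> List[Stump]:
    """Decision-stump rule mining, a simplified stand-in for the SVM/NN/Adaboost step.
    For each attribute, pick the midpoint threshold that covers the most intrusion
    samples while firing on no benign sample, so every learned rule is consistent
    with the training data (a rule match must imply intrusion)."""
    attributes = sorted({a for f, _ in samples for a in f})
    stumps: List[Stump] = []
    for attr in attributes:
        values = sorted({f.get(attr, 0.0) for f, _ in samples})
        best = None   # (true positives, threshold)
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2.0
            tp = sum(1 for f, label in samples if label and f.get(attr, 0.0) > thr)
            fp = sum(1 for f, label in samples if not label and f.get(attr, 0.0) > thr)
            if fp == 0 and tp > 0 and (best is None or tp > best[0]):
                best = (tp, thr)
        if best is not None:
            stumps.append(Stump(attr, best[1]))
    return stumps


class CloudServer:
    """Second update module 204 plus the two cloud-side rule bases (206 and 207)."""
    def __init__(self):
        self.version = 0
        self.deep_rules: List[Stump] = []
        self.lightweight_rules: List[Stump] = []

    def update_rule_bases(self, samples: List[Sample]) -> int:   # step 8
        self.deep_rules = learn_stumps(samples)
        # Projection onto the core attributes: the subset relation holds by construction.
        self.lightweight_rules = [s for s in self.deep_rules if s.attribute in LIGHTWEIGHT_ATTRS]
        self.version += 1
        return self.version

    def publish_update(self) -> dict:                             # step 9
        return {"version": self.version,
                "rules": [(s.attribute, s.threshold) for s in self.lightweight_rules]}


class Client:
    """First update module 109 holding the first lightweight rule base 108."""
    def __init__(self):
        self.version = 0
        self.rules: List[Stump] = []

    def apply_update(self, message: dict) -> bool:                # step 10
        if message["version"] <= self.version:
            return False   # stale or replayed update: keep the current base
        rules = [Stump(a, float(t)) for a, t in message["rules"]]
        if any(r.attribute not in LIGHTWEIGHT_ATTRS for r in rules):
            raise ValueError("update contains rules outside the lightweight attribute set")
        self.rules, self.version = rules, message["version"]
        return True


def subset_invariant(client: Client, cloud: CloudServer) -> bool:
    """The client's lightweight base must remain a subset of the cloud's deep base."""
    return set(client.rules) <= set(cloud.deep_rules)


SAMPLES: List[Sample] = [   # constructed labelled event samples (features, is_intrusion)
    ({"cpu_usage": 95, "int_output": 8000, "message_send": 40, "process_number": 120}, True),
    ({"cpu_usage": 30, "int_output": 500, "message_send": 60, "process_number": 90}, True),
    ({"cpu_usage": 40, "int_output": 600, "message_send": 2, "process_number": 80}, False),
    ({"cpu_usage": 85, "int_output": 300, "message_send": 1, "process_number": 100}, False),
]


def run_update_cycle():
    """Steps 8 to 10 once, plus a replay of the same message; returns state and outcomes."""
    cloud, client = CloudServer(), Client()
    cloud.update_rule_bases(SAMPLES)
    message = cloud.publish_update()
    applied = client.apply_update(message)
    replayed = client.apply_update(message)
    return cloud, client, applied, replayed


if __name__ == "__main__":
    cloud, client, applied, replayed = run_update_cycle()
    print("deep:", cloud.deep_rules)
    print("client:", client.rules, "applied:", applied, "replayed:", replayed)
```

On the constructed samples the cloud learns four stumps (one per attribute) and the client receives only the two on `cpu_usage` and `int_output`, the attributes in the core set; `message_send` and `process_number` stay cloud-only, which is the division of labour the description sets out. The version check matters in practice: a client that applied any rule base it was handed could be rolled back to an older, weaker base by a replayed message, so an update is accepted only when its version is higher than the one already installed.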

With the intelligent defense system and method provided by the embodiment of the present invention, the client 100 collects system and network feature data and matches the extracted event features against the local first lightweight defense rule base 108; an event to be tested that cannot be determined to be an intrusion event is uploaded to the cloud server 200 for deeper detection against the depth-level defense rule base 206, and when the event to be tested is determined to be an intrusion event the client 100 is notified to respond to it. In addition, the cloud server 200 performs lightweight and deep machine learning on event samples obtained from the network and from the client 100 to update the second lightweight defense rule base 207 and the depth-level defense rule base 206 in the cloud, and sends the updated second lightweight defense rule base 207 to the client 100 so that the client 100 updates the first lightweight defense rule base 108 accordingly. The intelligent defense system of the invention can greatly reduce the resource and traffic consumption of the smartphone, detect intrusion attacks in a timely and effective manner, react and deal with them as soon as possible, reduce the damage caused by malware to the user, and greatly improve the security guarantee.

While the embodiments of the present invention have been described above, the described embodiments are merely illustrative and are not intended to limit the invention. Any modification and variation in the form and details of the embodiments may be made by those skilled in the art without departing from the spirit and scope of the invention, but the scope of protection of the present invention remains subject to the scope defined by the appended claims.

Claims (10)

  1. A client, comprising:
    a data acquisition module, configured to acquire event data of the event to be tested;
    a feature extraction module, configured to extract an event feature of the event data;
    a first detecting module, configured to detect the event feature according to a first intrusion rule saved in a local first lightweight defense rule base, to determine whether the event to be tested is an intrusion event;
    a first communication module, configured to: when the first detecting module determines that the event to be tested is a non-intrusion event, send the event feature to a cloud server and notify the cloud server to detect the event feature according to a second intrusion rule saved in its local depth-level defense rule base, to determine whether the event to be tested is an intrusion event, wherein the first lightweight defense rule base is a subset of the depth-level defense rule base.
  2. The client according to claim 1, wherein the first detecting module comprises:
    a first matching unit, configured to determine whether the event feature matches at least one of the first intrusion rules in the first lightweight defense rule base;
    a first determining unit, configured to: when the first matching unit determines that the event feature matches at least one of the first intrusion rules, determine that the event to be tested is an intrusion event;
    a second determining unit, configured to determine that the event to be tested is a non-intrusion event when the first matching unit determines that the event feature matches none of the first intrusion rules in the first lightweight defense rule base.
  3. The client according to claim 1, further comprising a response module configured to passively respond to the event to be tested when the first detecting module determines that the event to be tested is an intrusion event.
  4. The client according to claim 1, wherein the response module is further configured to actively respond to the event to be tested when the first detecting module determines that the event to be tested is an intrusion event.
  5. The client according to any one of claims 1 to 4, further comprising a first update module, configured to receive an updated second lightweight defense rule base sent by the cloud server and to update the first lightweight defense rule base according to the updated second lightweight defense rule base.
  6. A cloud server, comprising:
    a second communication module, configured to receive an event feature sent by the client, where the event feature is sent to the cloud server by the client when the client, detecting the event feature according to the first intrusion rule saved in its local first lightweight defense rule base, determines that the event to be tested is a non-intrusion event;
    a second detection module, configured to detect the event feature according to a second intrusion rule saved in a local depth level defense rule base to determine whether the event to be tested is an intrusion event, wherein the first lightweight defense rule base is a subset of the depth level defense rule base.
  7. The cloud server according to claim 6, wherein the second detection module comprises:
    a second matching unit, configured to determine whether the event feature matches at least one of the second intrusion rules in the depth level defense rule base;
    a third determining unit, configured to determine that the event to be tested is an intrusion event when the second matching unit determines that the event feature matches at least one of the second intrusion rules;
    a fourth determining unit, configured to determine that the event to be tested is a non-intrusion event when the second matching unit determines that the event feature matches none of the second intrusion rules in the depth level defense rule base.
  8. The cloud server according to claim 6, wherein the second communication module is further configured to notify the client to respond to the event to be tested when the second detection module determines that the event to be tested is an intrusion event.
  9. The cloud server according to claim 6, further comprising a second update module, configured to update the local depth level defense rule base and the local second lightweight defense rule base according to input event samples and/or detected events, and to send the updated second lightweight defense rule base to the client through the second communication module, so that the client updates its local first lightweight defense rule base according to the updated second lightweight defense rule base.
  10. The cloud server according to claim 9, wherein the second update module is specifically configured to update the local depth level defense rule base and the local second lightweight defense rule base according to input event samples and/or detected events in combination with a support vector machine learning algorithm, a neural network learning algorithm, or an AdaBoost learning algorithm.
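The two-tier matching flow the claims above describe (a client base 108 that is a subset of the cloud's depth level base 206, escalation of the event feature to the cloud on a local non-match, a cloud verdict relayed back to the client, and the updated lightweight base 207 pushed down to refresh 108) is modelled here as an added Python example. It is not code from the patent or the applicant. The rule representation (a rule is a set of required feature tokens), the key=value feature extraction, the constructed sample rules and events, and the stand-in for the learning step of claim 10 (each labelled sample becomes one rule, in place of the SVM, neural network or AdaBoost algorithms the claim names) are all assumptions of this example:

```python
# Added example modelling the client/cloud rule-matching flow of the claims above;
# not code from the patent. Rule format, feature tokens and the learning step are assumed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

Feature = FrozenSet[str]

@dataclass(frozen=True)
class IntrusionRule:
    name: str
    required: Feature  # rule fires when every required token is in the event feature

    def matches(self, feature: Feature) -> bool:
        return self.required <= feature

class RuleBase:
    def __init__(self, rules: Iterable[IntrusionRule] = ()) -> None:
        self.rules: Dict[str, IntrusionRule] = {r.name: r for r in rules}

    def first_match(self, feature: Feature) -> Optional[IntrusionRule]:
        return next((r for r in self.rules.values() if r.matches(feature)), None)

    def is_subset_of(self, other: "RuleBase") -> bool:
        # Claims 1 and 6: the lightweight base must be a subset of the depth base.
        return all(other.rules.get(n) == r for n, r in self.rules.items())

class CloudServer:
    """Depth level base (206) plus the cloud copy of the lightweight base (207)."""

    def __init__(self, depth: Iterable[IntrusionRule], lightweight: Iterable[IntrusionRule]) -> None:
        self.depth_base = RuleBase(depth)
        self.lightweight_base = RuleBase(lightweight)
        if not self.lightweight_base.is_subset_of(self.depth_base):
            raise ValueError("lightweight base must be a subset of the depth base")

    def detect(self, feature: Feature) -> Optional[str]:
        """Second detection module: match the depth base; rule name or None."""
        hit = self.depth_base.first_match(feature)
        return hit.name if hit else None

    def learn(self, samples: Iterable[Tuple[str, Feature, bool]]) -> None:
        """Second update module. Assumed stand-in for the SVM / neural network / AdaBoost step
        of claim 10: each labelled sample becomes one rule in the depth base and, when flagged,
        also in the lightweight base."""
        for name, feature, lightweight in samples:
            rule = IntrusionRule(name, feature)
            self.depth_base.rules[name] = rule
            if lightweight:
                self.lightweight_base.rules[name] = rule
        assert self.lightweight_base.is_subset_of(self.depth_base)

class Client:
    """Local first lightweight base (108); local non-matches are escalated to the cloud."""

    def __init__(self, cloud: CloudServer) -> None:
        self.cloud = cloud
        self.local_base = RuleBase(cloud.lightweight_base.rules.values())
        self.uploads = 0  # features sent to the cloud: the traffic the claims try to bound

    @staticmethod
    def extract_features(event: Dict[str, str]) -> Feature:
        """Feature extraction module: flatten the event record into key=value tokens."""
        return frozenset(f"{k}={v}" for k, v in event.items())

    def handle(self, event: Dict[str, str]) -> str:
        feature = self.extract_features(event)
        local = self.local_base.first_match(feature)
        if local:  # first detecting module: decided on the device, nothing uploaded
            return f"intrusion:{local.name}"
        # No local rule matched: the claims call this a non-intrusion verdict, but the
        # feature (not the raw event data) still goes to the cloud for deeper detection.
        self.uploads += 1
        verdict = self.cloud.detect(feature)
        return f"intrusion:{verdict}" if verdict else "non-intrusion"  # claim 8: notify client

    def update_local_base(self) -> None:
        """First update module (claim 5): adopt the cloud's updated lightweight base."""
        self.local_base = RuleBase(self.cloud.lightweight_base.rules.values())

# Constructed rules and events for the walkthrough (not taken from the patent).
REVERSE_SHELL = IntrusionRule("reverse_shell", frozenset({"proc=sh", "dst_port=4444"}))
PREMIUM_SMS = IntrusionRule("premium_sms", frozenset({"api=sendTextMessage", "dst=10657"}))

def build_demo() -> Client:
    return Client(CloudServer(depth=[REVERSE_SHELL, PREMIUM_SMS], lightweight=[REVERSE_SHELL]))

def run_demo() -> Dict[str, object]:
    client = build_demo()
    shell = {"proc": "sh", "dst_port": "4444", "dst_ip": "203.0.113.5"}
    sms = {"api": "sendTextMessage", "dst": "10657"}
    benign = {"proc": "browser", "dst_port": "443"}
    first = [client.handle(e) for e in (shell, sms, benign)]
    uploads_before = client.uploads
    # Cloud learns from a sample, promotes premium_sms into the lightweight base, pushes it.
    client.cloud.learn([("premium_sms", client.extract_features(sms), True)])
    client.update_local_base()
    return {"first": first, "uploads_before": uploads_before,
            "second": client.handle(sms), "uploads_after": client.uploads}
```

`run_demo()` walks three events through the client: one caught by the local base with no cloud round trip, one caught only by the depth base after its feature is uploaded, and one matched by neither. After the cloud learns a rule and the client adopts the pushed lightweight base, the second event is decided locally and the upload counter stops growing, which is the traffic saving the description claims. The `is_subset_of` check enforces the subset relation the claims rely on; without it a rule present only in the lightweight base could produce a client-side verdict the cloud could never reproduce.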

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510729240.XA CN105376222A (en) 2015-10-30 2015-10-30 Intelligent defense system based on cloud computing platform
CN201510729240.X 2015-10-30

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
ZA2018/00006A ZA201800006B (en) 2015-10-30 2018-01-02 Intelligent defense system based on cloud computing platform

Publications (1)

Publication Number Publication Date
WO2017071148A1 true WO2017071148A1 (en) 2017-05-04

Family

ID=55378027

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/076042 WO2017071148A1 (en) 2015-10-30 2016-03-10 Cloud computing platform-based intelligent defense system

Country Status (3)

Country Link
CN (1) CN105376222A (en)
WO (1) WO2017071148A1 (en)
ZA (1) ZA201800006B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106778266A (en) * 2016-11-24 2017-05-31 天津大学 A kind of Android Malware dynamic testing method based on machine learning

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105376222A (en) * 2015-10-30 2016-03-02 四川九洲电器集团有限责任公司 Intelligent defense system based on cloud computing platform
CN106713293A (en) * 2016-12-14 2017-05-24 武汉虹旭信息技术有限责任公司 Cloud platform malicious behavior detecting system and method

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120191972A1 (en) * 2004-12-03 2012-07-26 Fortinet, Inc. Selective authorization of the loading of dependent code modules by running processes
CN102831338A (en) * 2012-06-28 2012-12-19 北京奇虎科技有限公司 Security detection method and system of Android application program
CN102916983A (en) * 2012-11-22 2013-02-06 北京奇虎科技有限公司 Protection system for network access behavior
CN102932375A (en) * 2012-11-22 2013-02-13 北京奇虎科技有限公司 Protection method and device for network access behavior
CN102932370A (en) * 2012-11-20 2013-02-13 华为技术有限公司 Safety scanning method, equipment and system
CN103281301A (en) * 2013-04-28 2013-09-04 上海海事大学 System and method for judging cloud safety malicious program
CN103812840A (en) * 2012-11-13 2014-05-21 腾讯科技(深圳)有限公司 Method and system for identifying malicious web sites
US20140331318A1 (en) * 2013-05-03 2014-11-06 Fortinet, Inc. Securing email communications
CN104168293A (en) * 2014-09-05 2014-11-26 北京奇虎科技有限公司 Method and system for recognizing suspicious phishing web page in combination with local content rule base
CN105376222A (en) * 2015-10-30 2016-03-02 四川九洲电器集团有限责任公司 Intelligent defense system based on cloud computing platform

Also Published As

Publication number Publication date
ZA201800006B (en) 2018-11-28
CN105376222A (en) 2016-03-02

Similar Documents

Publication Publication Date Title
US10235524B2 (en) Methods and apparatus for identifying and removing malicious applications
US10198574B1 (en) System and method for analysis of a memory dump associated with a potentially malicious content suspect
Andronio et al. Heldroid: Dissecting and detecting mobile ransomware
US20180025157A1 (en) Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security
Zhou et al. Identity, location, disease and more: Inferring your secrets from android public resources
US10412115B1 (en) Behavioral scanning of mobile applications
US9712560B2 (en) Web page and web browser protection against malicious injections
US9753796B2 (en) Distributed monitoring, evaluation, and response for multiple devices
US20180367560A1 (en) Distributed monitoring and evaluation of multiple devices
US9509714B2 (en) Web page and web browser protection against malicious injections
Zhou et al. Dissecting android malware: Characterization and evolution
US10469531B2 (en) Fraud detection network system and fraud detection method
EP2839406B1 (en) Detection and prevention of installation of malicious mobile applications
Ham et al. Analysis of android malware detection performance using machine learning classifiers
US9424424B2 (en) Client based local malware detection method
Chen et al. Finding unknown malice in 10 seconds: Mass vetting for new threats at the google-play scale
Lin et al. Identifying android malicious repackaged applications by thread-grained system call sequences
US8782792B1 (en) Systems and methods for detecting malware on mobile platforms
EP3120286B1 (en) Behavior profiling for malware detection
US9661003B2 (en) System and method for forensic cyber adversary profiling, attribution and attack identification
CN103617395B (en) Method, device and system for intercepting advertisement programs based on cloud security
US9330257B2 (en) Adaptive observation of behavioral features on a mobile device
US9357397B2 (en) Methods and systems for detecting malware and attacks that target behavioral security mechanisms of a mobile device
JP5087661B2 (en) Malignant code detection device, system and method impersonated into normal process
CN103685575B (en) A kind of web portal security monitoring method based on cloud framework

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application Ref document number: 16858597; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase in: Ref country code: DE
122 Ep: pct application non-entry in european phase Ref document number: 16858597; Country of ref document: EP; Kind code of ref document: A1