Summary of the invention
Embodiments of the invention provide a method, a system and devices for preventing malicious programs, so that viruses can be identified quickly.
To achieve this, an embodiment of the invention proposes a method for preventing malicious programs, comprising:
receiving at least one suspicious program from at least one terminal;
determining, according to the behavioral characteristics of the at least one suspicious program, whether it is a malicious program, and updating a central database according to the determination result, so that the central database sends the update result to other terminals;
sending the determination result for the at least one suspicious program to the corresponding terminal.
An embodiment of the invention also proposes a network system, comprising:
at least one terminal, configured to send a suspicious program to a central simulator, to receive from the central simulator the determination result for that suspicious program, and to handle the suspicious program according to that result;
a central simulator, configured to receive the suspicious program from the at least one terminal, to determine according to its behavioral characteristics whether it is a malicious program, to update a central database according to the determination result, and to send the determination result for the suspicious program to the corresponding terminal;
a central database, configured to send the update result to other terminals.
An embodiment of the invention also proposes a network device, comprising:
an information collection module, configured to collect the behavioral characteristics of a suspicious program;
a judgment module, configured to match the behavioral characteristics of the suspicious program against the behavior library of the terminal;
a data transmission module, configured to decide from the matching result whether the suspicious program needs to be sent and, if so, to send it to the central simulator.
An embodiment of the invention also proposes a network device, comprising:
a receiving module, configured to receive at least one suspicious program from at least one terminal;
a judgment module, configured to determine, according to the behavioral characteristics of the at least one suspicious program, whether it is a malicious program;
an update module, configured to update the central database according to the determination result obtained by the judgment module, so that the central database sends the update result to other terminals;
a sending module, configured to send the determination result for the at least one suspicious program to the corresponding terminal.
An embodiment of the invention also proposes a network device, comprising:
an interaction module, configured to interact with the central simulator and to receive from it a suspicious program and an updating message;
a first storage module, configured to store malicious programs; when the updating message received by the interaction module contains an indication to store the suspicious program in the first storage module, or the determination result that the suspicious program is a malicious program, the suspicious program is stored in the first storage module;
a second storage module, configured to store a whitelist; when the updating message received by the interaction module contains an indication to store the suspicious program in the second storage module, or the determination result that the suspicious program is not a malicious program, the suspicious program is updated into the second storage module.
Compared with the prior art, embodiments of the invention have the following advantages:
Through an interactive, distributed processing mode, program data that a client has judged suspicious is sent to the central simulator for handling, the result is returned promptly, and a program determined to be malicious is deleted promptly. Central simulators distributed across different locations synchronize their result data to the central database, and sending the suspicious program to the central simulator for simulated computation solves the problem of responding quickly to unknown viruses.
Embodiment
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of the invention.
In the following embodiments, the network may be a mobile network, a fixed network, a fixed-mobile convergence network, etc.; it may be a local area network (LAN), a metropolitan area network (MAN) or a wide area network; it may be an access network, a core network or a transport network; and it may be a peer-to-peer (P2P) network, a client/server (C/S) network, etc.
In the following embodiments, the terminal may be a mobile phone, a PDA, a computer, a server, a household appliance or any other electronic device, a network device or a computer-related device, etc.
In the following embodiments, the central simulator may be a server, or a peer node in a P2P network, etc.
In the following embodiments, a program may be based on an operating system such as Linux or Windows, and may be a file of any type.
A method for preventing malicious programs proposed by embodiment one of the invention, shown in Figure 1, comprises:
Step S101: receiving at least one suspicious program from at least one terminal;
Step S102: determining, according to the behavioral characteristics of the at least one suspicious program, whether it is a malicious program, and updating the central database according to the determination result, so that the central database sends the update result to other terminals;
in this step, the central database may be updated synchronously;
Step S103: sending the determination result for the at least one suspicious program to the corresponding terminal.
As can be seen, in this embodiment of the invention, through an interactive, distributed processing mode, program data that a client has judged suspicious is sent to the central simulator for handling, the result is returned promptly, and a program determined to be malicious is deleted promptly. Central simulators distributed across different locations synchronize their result data to the central database, and sending the suspicious program to the central simulator for simulated computation solves the problem of responding quickly to unknown viruses.
A method for preventing malicious programs proposed by embodiment two of the invention, shown in Figure 2, comprises:
Step S201: the terminal collects the behavioral characteristics of the program to be detected, i.e. the suspected program. These characteristics may include information such as the digital signature, system attributes, program publisher name and program structure.
Step S202: the behavioral characteristic information of the program to be detected is matched against the behavior library, and a weight for the program is obtained from the common concrete behavioral characteristics of malicious programs recorded in the behavior library together with their corresponding weights.
Specifically, the unknown-virus detection terminal may store a behavior library of the common concrete behavioral characteristics of malicious programs, and the library may also store the mapping between each such characteristic and its corresponding weight. Table 1 shows one such correspondence between behavior descriptions and weights in the behavior library.
Table 1
Number | Behavior description | Weight
001 | Modify system files | 10
002 | Hide system files | 10
003 | Delete system files | 10
Step S203: a weighted decision is made from the weights obtained, to decide whether the suspected program needs to be sent to the central simulator. If it does, proceed to step S204; otherwise the process ends.
Step S204: data is exchanged with the central simulator. The code of a small suspicious program can be sent to the central simulator directly; for a large suspicious program, its critical data can be sent to the central simulator.
Step S205: the central simulator receives the suspicious program sent by the terminal and queries the central database for the fixed attribute of the suspicious program; the fixed attribute may be the unique identifier of each file.
Step S206: the central simulator executes the suspicious program directly and determines from its dynamic behavior whether it is a malicious program.
Specifically, an enhanced unknown-virus detection program is installed in the central simulator; it can detect not only the static attributes of a program but also its dynamic behavioral characteristics. When the suspicious program received is a complete small program, it is activated in a virtual environment and judged to be malicious or not according to its behavioral characteristics. When what is received is the critical data of a large suspicious program, the whitelist of known normal programs in the central database is consulted first; if the behavioral characteristics of the suspicious program cannot be found on the whitelist, a weight for the program is obtained from the accumulated experience of malicious programs, and from that weight the program is judged to be malicious or not. That experience is obtained from the contents of a malicious-program experience library, which records the characteristics of program structures common to malicious programs.
Once it has been determined whether the suspicious program is malicious, the contents of the central database need to be updated. If the program is determined to be malicious, its fixed attribute value is synchronously updated into the malicious-program library in the central database, which records the characteristics and other information of programs determined to be malicious. If it is determined not to be malicious, its fixed attribute value is synchronously updated into the whitelist in the central database, which records a large number of characteristic entries of programs regarded as normal. After the information about the suspicious program has been synchronously updated into the central database, any later detection of the same program can be decided directly from the contents of the central database. Updating the central database according to the determination result means sending the suspicious program and an updating message to the central database. When the program is determined to be malicious, the updating message contains either an indication to store the program in the malicious-program library of the central database, or the determination result that the program is malicious. When the program is determined not to be malicious, the updating message contains either an indication to store the program in the whitelist of the central database, or the determination result that the program is not malicious.
After a preset time, the central database can send the update results for the suspicious programs it stores to other terminals (terminals other than the one where the suspicious program is located). When the suspicious program is malicious, the central database sends the fixed attribute value of the malicious program in its malicious-program library to the other terminals, so that they update the malicious programs in their own behavior libraries; when another terminal then encounters a suspicious program with the same attribute value, it can determine directly that it is malicious, without needing to send it to the central simulator for judgment, which solves the problem of responding quickly to unknown viruses. Likewise, when the suspicious program is not malicious, the central database sends the fixed attribute value of the program in its whitelist to the other terminals, so that they update their behavior libraries; when another terminal then encounters a suspicious program with the same attribute value, it can determine directly that it is not malicious, without sending it to the central simulator for judgment, which again solves the problem of responding quickly to unknown viruses.
Step S207: the central simulator returns the determination result for the suspicious program to the terminal user.
Step S208: the terminal receives the determination result returned by the central simulator and handles the suspicious program accordingly.
Specifically, when the terminal receives the signal sent by the central simulator, it can convert the signal into information the terminal can recognize and then handle the suspicious program: when the central simulator has determined that the program is malicious, the program must be deleted; when it has determined that the program is not malicious, the program is left untouched.
Step S209: the terminal shows the result and the handling method to the terminal user.
As can be seen, in this embodiment of the invention, through an interactive, distributed processing mode, program data that a client has judged suspicious is sent to the central simulator for handling, the result is returned promptly, and a program determined to be malicious is deleted promptly. Central simulators distributed across different locations synchronize their result data to the central database, which allows a quick response to new viruses across a wide region or network domain, and sending the suspicious program to the central simulator for simulated computation solves the problem of responding quickly to unknown viruses.
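The following Python program is an added example, not code from the patent, that walks through steps S201 to S209 end to end on constructed data: a terminal scores a program against a behavior library (the three Table 1 entries) and decides whether to submit it, sending the whole code of a small program or only the critical data of a large one; the central simulator looks the program up by its fixed attribute, judges it from observed dynamic behavior, updates a central database split into a malicious-program library and a whitelist, and the database pushes the verdict to the other terminal so that it can decide the same program locally. The thresholds, the size limit, SHA-256 as the fixed attribute, the `sandbox` callable standing in for the virtual environment, and all class and function names are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Terminal-side behavior library: the three Table 1 entries, as constructed sample
# data (common concrete behavior of malicious programs -> weight).
BEHAVIOR_LIBRARY: Dict[str, int] = {
    "modify_system_file": 10,
    "hide_system_file": 10,
    "delete_system_file": 10,
}
# Assumed values; the text fixes none of them.
SUBMIT_THRESHOLD = 10      # S203: at this summed weight the terminal submits
MALICIOUS_THRESHOLD = 20   # simulator verdict from observed dynamic behaviors
FULL_UPLOAD_LIMIT = 1024   # S204: larger programs send only their critical data


@dataclass
class Sample:
    code: bytes
    static_features: Dict[str, str]   # S201: signature, publisher, structure ...
    behaviors: List[str]              # behaviors observed for the program


def fixed_attribute(code: bytes) -> str:
    """S205 'fixed attribute' = unique identifier of the file; SHA-256 is assumed."""
    return hashlib.sha256(code).hexdigest()


def weighted_score(behaviors: List[str]) -> int:
    """S202: match behaviors against the library and sum the matching weights."""
    return sum(BEHAVIOR_LIBRARY.get(b, 0) for b in behaviors)


def build_submission(sample: Sample) -> dict:
    """S204: a small program is sent whole, a large one only as its critical data."""
    message = {"id": fixed_attribute(sample.code), "features": sample.static_features}
    if len(sample.code) <= FULL_UPLOAD_LIMIT:
        message["code"] = sample.code
    else:
        message["behaviors"] = list(sample.behaviors)
    return message


class CentralDatabase:
    """Malicious-program library plus whitelist, both keyed by fixed attribute."""

    def __init__(self) -> None:
        self.malicious: Dict[str, dict] = {}
        self.whitelist: Dict[str, dict] = {}
        self.subscribers: List["Terminal"] = []   # other terminals receiving update results

    def lookup(self, fid: str) -> Optional[bool]:
        """True = in malicious library, False = on whitelist, None = unknown."""
        return True if fid in self.malicious else False if fid in self.whitelist else None

    def update(self, fid: str, is_malicious: bool, features: dict) -> None:
        (self.malicious if is_malicious else self.whitelist)[fid] = features
        for terminal in self.subscribers:          # push the update result outwards
            terminal.receive_update(fid, is_malicious)


class CentralSimulator:
    """S205 to S207; `sandbox` stands in for the virtual environment that runs code."""

    def __init__(self, db: CentralDatabase, sandbox: Callable[[bytes], List[str]]) -> None:
        self.db = db
        self.sandbox = sandbox

    def analyse(self, submission: dict) -> bool:
        fid = submission["id"]
        known = self.db.lookup(fid)                # S205: query by fixed attribute
        if known is not None:
            return known
        if "code" in submission:                   # S206: whole program -> run it
            behaviors = self.sandbox(submission["code"])
        else:                                      # critical data only -> judge as reported
            behaviors = submission["behaviors"]
        verdict = weighted_score(behaviors) >= MALICIOUS_THRESHOLD
        self.db.update(fid, verdict, submission["features"])
        return verdict                             # S207: returned to the terminal


class Terminal:
    """S201 to S204 and S208 on one terminal."""

    def __init__(self, simulator: CentralSimulator) -> None:
        self.simulator = simulator
        self.known: Dict[str, bool] = {}           # verdicts pushed by the central database

    def receive_update(self, fid: str, is_malicious: bool) -> None:
        self.known[fid] = is_malicious

    def inspect(self, sample: Sample) -> str:
        fid = fixed_attribute(sample.code)
        if fid in self.known:                      # decided locally from a pushed update
            verdict, source = self.known[fid], "local"
        elif weighted_score(sample.behaviors) < SUBMIT_THRESHOLD:   # S203: not suspicious
            return "not suspicious"
        else:
            verdict = self.simulator.analyse(build_submission(sample))
            source = "simulator"
        return ("deleted" if verdict else "no action") + f" ({source})"   # S208
```

With two terminals sharing one simulator and one database, and the second terminal registered in `db.subscribers`, the first terminal's submission of a sample makes the second terminal resolve the same sample from the pushed verdict without contacting the simulator, which is the quick-response property the text claims. The two thresholds are the trade-off the patent leaves open: a low SUBMIT_THRESHOLD sends more programs to the simulator, a high MALICIOUS_THRESHOLD whitelists more of them.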
Embodiment three of the invention proposes a network system. The number of terminals may be arbitrary; in this embodiment two terminals are taken as an example. In practice the connections between terminals and central simulators are decided case by case; in this embodiment each terminal corresponds to its own central simulator, and the two central simulators are connected to one central database. As shown in Figure 3, the system comprises:
terminal 31, configured to send a suspicious program to central simulator 32, to receive from central simulator 32 the determination result for the suspicious program, and to handle the suspicious program according to that result;
specifically, handling the suspicious program according to the determination result may mean: when the suspicious program is malicious, terminal 31 deletes it;
when the suspicious program is not malicious, terminal 31 leaves it unprocessed.
central simulator 32, configured to receive the suspicious program from terminal 31, to determine from the behavioral characteristics of the received program whether it is malicious, to update the central database according to the determination result so that the central database sends the update result to other terminals, and to send the determination result for the suspicious program to terminal 31.
Further, the network system also comprises terminal 33 and central simulator 34; terminal 33 and central simulator 34 correspond to terminal 31 and central simulator 32 respectively and are not described again here.
The network system also comprises:
central database 35, configured to interact with central simulator 32 and central simulator 34, to receive the suspicious program from central simulator 32 and from central simulator 34, and to send the update result for the suspicious program to other terminals. For example, in this embodiment central database 35 can send the update result for a suspicious program on terminal 31 to terminal 33: when the suspicious program on terminal 31 is malicious, central database 35 sends the updated result that the program is malicious to terminal 33, so that terminal 33 determines the program to be malicious as soon as it encounters the same suspicious program, which solves the problem of responding quickly to unknown viruses. Likewise, central database 35 can send the update result for a suspicious program on terminal 33 to terminal 31.
As can be seen, in this embodiment of the invention, through a distributed processing mode, program data that a client has judged suspicious is sent to the central simulator for handling, the result is returned promptly, and a program determined to be malicious is deleted promptly. Central simulators distributed across different locations synchronize their result data to the central database, which allows a quick response to new viruses across a wide region or network domain, and sending the suspicious program to the central simulator for simulated computation solves the problem of responding quickly to unknown viruses.
Embodiment four of the invention proposes a network device, which is an unknown-virus detection terminal. As shown in Figure 4, it may comprise:
information collection module 41, configured to collect the behavioral characteristics of the program to be detected, i.e. the suspected program; these characteristics include information such as the digital signature, system attributes, publisher name and program structure, and the module inputs the behavioral characteristic information of the program to judgment module 42.
judgment module 42, configured to match the behavioral characteristic information of the program input by information collection module 41 against the behavior library, and to obtain a weight for the program from the common concrete behavioral characteristics of malicious programs in the behavior library together with their corresponding weights. The mapping between these characteristics and their weights is stored in information storage module 43.
Specifically, the unknown-virus detection terminal may store a behavior library of the common concrete behavioral characteristics of malicious programs, and the library may also store the correspondence between each characteristic and its weight. A weighted decision is made from the weights obtained, to decide whether the suspected program needs to be sent to the central simulator; if so, the program is passed to data transmission module 44.
information storage module 43, configured to store the preset behavior library, including the weights corresponding to the different behavioral characteristics in it.
data transmission module 44, configured to decide from the matching result of judgment module 42 whether the suspicious program needs to be sent and, if so, to send it to the central simulator. A small suspicious program is uploaded to the central simulator directly; for a large suspicious program, its critical data is uploaded to the central simulator.
Further, as shown in Figure 5, the unknown-virus detection terminal may also comprise:
receiving module 45, configured to receive from the central simulator the determination result for the suspicious program;
processing module 46, configured to handle the suspicious program according to the determination result that receiving module 45 received from the central simulator; the handling includes deleting the suspicious program when it is malicious.
display module 47, configured to show the result of processing module 46 and the handling method of processing module 46 to the terminal user.
Processing module 46 may comprise:
signal receiving unit 461, configured to receive the signal sent by the central simulator and convert it into information that program processing unit 462 can recognize;
program processing unit 462, configured to decide the handling of the program from the signal received by signal receiving unit 461, including encrypted quarantine when the program is determined to be malicious, release of a non-malicious program, and deletion of a suspicious program;
information output unit 463, configured to output the result information of program processing unit 462 to display module 47.
As can be seen, in this embodiment of the invention, through an interactive, distributed processing mode, program data that a client has judged suspicious is sent to the central simulator for handling, the result is returned promptly, and a program determined to be malicious is deleted promptly. Central simulators distributed across different locations synchronize their result data to the central database, which allows a quick response to new viruses across a wide region or network domain, and sending the suspicious program to the central simulator for simulated computation solves the problem of responding quickly to unknown viruses.
Embodiment five of the invention proposes a network device, which is the central simulator. As shown in Figure 6, it may comprise:
receiving module 61, configured to receive at least one suspicious program from at least one terminal;
judgment module 62, configured to determine, according to the behavioral characteristics of the at least one suspicious program received by receiving module 61, whether the at least one suspicious program is a malicious program;
update module 63, configured to update the central database according to the determination result of judgment module 62, so that the central database can send the update result to other terminals;
sending module 64, configured to send the determination result of judgment module 62 for the at least one suspicious program to the corresponding terminal.
Further, update module 63 may comprise:
first update module 631, configured, when judgment module 62 determines that the suspicious program is malicious, to send the suspicious program and an updating message to the central database, the updating message containing either an indication to store the suspicious program in the malicious-program library of the central database, or the determination result that the suspicious program is malicious;
second update module 632, configured, when judgment module 62 determines that the suspicious program is not malicious, to send the suspicious program and an updating message to the central database, the updating message containing either an indication to store the suspicious program in the whitelist of the central database, or the determination result that the suspicious program is not malicious.
As can be seen, in this embodiment of the invention, through an interactive, distributed processing mode, program data that a client has judged suspicious is sent to the central simulator for handling, the result is returned promptly, and a program determined to be malicious is deleted promptly. Central simulators distributed across different locations synchronize their result data to the central database, which allows a quick response to new viruses across a wide region or network domain, and sending the suspicious program to the central simulator for simulated computation solves the problem of responding quickly to unknown viruses.
Embodiment six of the invention proposes a storage device, which may be central database 7. As shown in Figure 7, it may comprise:
interaction module 71, configured to interact with the central simulator and to receive from it a suspicious program and an updating message.
first storage module 72, configured to store malicious programs; when the updating message received by interaction module 71 contains an indication to store the suspicious program in first storage module 72, or the determination result that the suspicious program is malicious, the suspicious program is stored in first storage module 72.
second storage module 73, configured to store the whitelist; when the updating message received by interaction module 71 contains an indication to store the suspicious program in second storage module 73, or the determination result that the suspicious program is not malicious, the suspicious program is stored in second storage module 73.
sending module 74, configured to send out the update information stored in first storage module 72 and second storage module 73.
As can be seen, in this embodiment of the invention, through an interactive, distributed processing mode, program data that a client has judged suspicious is sent to the central simulator for handling, the result is returned promptly, and a program determined to be malicious is deleted promptly. Central simulators distributed across different locations synchronize their result data to the central database, which allows a quick response to new viruses across a wide region or network domain, and sending the suspicious program to the central simulator for simulated computation solves the problem of responding quickly to unknown viruses.
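As an added example (not the patent's code) of the central database of embodiments five and six, the Python below implements interaction module 71, storage modules 72 and 73 and sending module 74 on constructed messages: the updating message may carry either a storage indication or the verdict itself, a program is kept in exactly one of the two stores so that a later, different verdict moves it, and update results are sent to the terminals other than the program's origin only after a preset time has elapsed, as step S206 of embodiment two describes. The message field names, the interval, the injected clock value and the terminal identifiers are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Constructed shapes of the "updating message" that arrives with a suspicious
# program. Form 1 carries a storage indication, form 2 carries the verdict itself:
#   {"store_in": "malicious"} / {"store_in": "whitelist"}   or   {"is_malicious": True/False}


def target_store(message: dict) -> str:
    """Map either message form to the storage module that must hold the program."""
    if "store_in" in message:
        if message["store_in"] not in ("malicious", "whitelist"):
            raise ValueError(f"unknown store {message['store_in']!r}")
        return message["store_in"]
    if "is_malicious" in message:
        return "malicious" if message["is_malicious"] else "whitelist"
    raise ValueError("updating message carries neither a storage indication nor a verdict")


class CentralDatabase:
    """Central database 7: interaction module 71, storage modules 72/73, sending module 74."""

    def __init__(self, push_interval: float, terminals: List[str]) -> None:
        self.malicious: Dict[str, bytes] = {}        # first storage module 72
        self.whitelist: Dict[str, bytes] = {}        # second storage module 73
        self.terminals = list(terminals)
        self.push_interval = push_interval           # the "preset time" before sending
        self.last_push = 0.0
        self.pending: List[Tuple[str, str, str]] = []  # (program id, store, origin terminal)

    def receive(self, program_id: str, program: bytes, message: dict, origin: str) -> str:
        """Interaction module 71: store the program where the updating message says."""
        store = target_store(message)
        # A program lives in exactly one store; a later, different verdict moves it.
        (self.whitelist if store == "malicious" else self.malicious).pop(program_id, None)
        (self.malicious if store == "malicious" else self.whitelist)[program_id] = program
        self.pending.append((program_id, store, origin))
        return store

    def send_updates(self, now: float) -> Dict[str, List[Tuple[str, str]]]:
        """Sending module 74: once the preset time has elapsed, hand every pending
        update result to the terminals other than the one the program came from."""
        if now - self.last_push < self.push_interval:
            return {}
        outbox: Dict[str, List[Tuple[str, str]]] = {t: [] for t in self.terminals}
        for program_id, store, origin in self.pending:
            for terminal in self.terminals:
                if terminal != origin:
                    outbox[terminal].append((program_id, store))
        self.pending.clear()
        self.last_push = now
        return {t: updates for t, updates in outbox.items() if updates}
```

`send_updates` takes the current time as a parameter rather than reading a clock so that the interval logic is deterministic; in a deployment the caller would pass `time.monotonic()` on a timer. Rejecting a message that carries neither form, instead of defaulting to the whitelist, keeps a malformed message from silently marking a program as normal.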
From the description of the embodiments above, those skilled in the art will clearly understand that the invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. On this understanding, the technical solution of the invention can be embodied as a software product, stored on a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a portable hard drive) and containing instructions that cause a computer device (such as a personal computer, a server or a network device) to perform the method described in each embodiment of the invention.
The above is only a preferred implementation of the invention. It should be noted that those skilled in the art can make further improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.