CN101923617B - Cloud-based sample database dynamic maintaining method - Google Patents


Publication number
CN101923617B
Authority
CN
China
Prior art keywords
program
behavior
black
white list
performance
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2010102569589A
Other languages
Chinese (zh)
Other versions
CN101923617A (en)
Inventor
齐向东
徐贵斌
范纪锽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd filed Critical Beijing Qihoo Technology Co Ltd

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a cloud-based method for dynamically maintaining a sample database, comprising the following steps: first, client computers collect program features and the program behaviors corresponding to those features and transmit them to the server side; second, the different program features and their corresponding program behaviors, together with black/white lists, are recorded in the server-side database; finally, unknown program features and program behaviors are analyzed in combination with the program features and corresponding program behaviors in the existing black/white lists, so as to update the black/white lists. By having the client collect program behaviors and associate them with program features, the invention records program features and their corresponding program behaviors in the database, and can analyze and generalize over the samples in the database according to the association between the collected program behaviors and program features, which helps classify software or programs as black or white. In addition, corresponding removal or restoration measures can be formulated for the malicious software in the blacklist.

Description

A cloud-based sample database dynamic maintaining method
Technical field
The present invention relates to the field of information security technology, and in particular to a method for dynamically maintaining a sample database based on cloud security.
Background
With the widespread use of computer technology in every field of social life, malicious programs (malware, malicious software: any software program deliberately created to perform unauthorized and usually harmful actions) have followed close behind. Because these malicious programs are infectious, self-replicating and destructive, they have become a major problem for computer users. As network threats surge, updating virus signatures has become a daily task for enterprises and Internet users, moving from once a week to once a day and then to continuous updating. Traditional antivirus software places the virus database on the client computer and analyzes files on the client. During a scan it repeatedly compares against the local virus database, which consumes a large amount of system resources. As the virus database is continually updated, it grows ever larger and file analysis takes ever longer, making the client computer slower and slower. The antivirus industry must therefore seek a new technological breakthrough.
The "Cloud Security" initiative is the latest embodiment of information security in the network era. It merges emerging technical concepts such as parallel processing, grid computing and behavior-based judgment of unknown viruses, applying the idea of cloud computing to the security field.
The implementation of "cloud security" is closely tied to the structure of its sample database. How to organize and maintain the sample database effectively has therefore become a problem the industry urgently needs to solve.
Summary of the invention
The technical problem to be solved by the present invention is to provide a cloud-based sample database dynamic maintaining method that improves the efficiency of database maintenance and program analysis and helps with black/white discrimination of programs and with file recovery.
To solve the above technical problem, the invention provides a cloud-based sample database dynamic maintaining method comprising the following steps:
Client computers collect program features and their corresponding program behaviors and send them to the server side;
Different program features and their corresponding program behaviors, together with black/white lists, are recorded in the server-side database;
Unknown program features and program behaviors are analyzed in combination with the program features and corresponding program behaviors in the existing known black/white lists, so as to update the black/white lists.
The step of analyzing unknown program features and their program behaviors may comprise:
If an unknown program feature is identical to a known program feature in the existing black/white lists, the unknown program feature and its program behaviors are placed on the black/white list.
The step of analyzing unknown program features and their program behaviors may comprise:
If an unknown program behavior is identical or similar to a known program behavior in the existing black/white lists, the unknown program behavior and its program feature are placed on the black/white list.
The method may further comprise:
Establishing an association relationship between behaviors and features among programs that have identical or similar behaviors;
Analyzing unknown program features and program behaviors according to the association relationship among the programs that have identical or similar behaviors, so as to update the black/white lists.
The step of analyzing unknown program features and their program behaviors may comprise:
When a program behavior is placed on the black/white list, the program feature corresponding to that behavior in the database is also placed on the black/white list, as are the other program behaviors and program features that have an association relationship with that program behavior.
The step of analyzing unknown program features and their program behaviors may comprise:
When a program feature is placed on the black/white list, the program behaviors corresponding to that feature in the database are also placed on the black/white list, as are the other program behaviors and program features that have an association relationship with that program feature.
The method may further comprise:
In the database, for a blacklisted program, further recording the reverse behavior of the program; when it is confirmed that the blacklisted program exists or is running on a client computer, the reverse behavior is executed.
The method may further comprise:
In the database, for a blacklisted program, determining the information of the infected files on the client computer according to the behavior of the program;
According to the information of the infected files, downloading an intact copy of the corresponding file stored in the database to the client computer to overwrite the infected file.
The method may further comprise:
In the database, further recording the change in the number of identical program features collected by different client computers within a preset time;
Analyzing unknown program features and program behaviors according to the change in the number of the program features, so as to update the black/white lists.
The step of analyzing unknown program features and program behaviors according to the change in the number of program features may comprise:
If, within a preset time, the increase or decrease in the number of a certain unknown program feature collected by different client computers exceeds a threshold, that program feature and its corresponding program behaviors are blacklisted in the database.
By having the client collect program behaviors and associate them with program features, the invention records program features and their corresponding program behaviors in the database. According to the association between the collected program behaviors and program features, the samples in the database can be analyzed and generalized, which helps classify software or programs as black or white; corresponding removal or restoration measures can also be formulated for the malware in the blacklist.
Description of drawings
Fig. 1 is a schematic diagram of the implementation mode of the present invention;
Fig. 2 is a flowchart of the cloud-based sample database dynamic maintaining method according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the association relationship according to an embodiment of the invention;
Fig. 4 is a flowchart of file recovery according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the analysis flow according to an embodiment of the invention.
Embodiments
The present invention is described further below with reference to the accompanying drawings.
A cloud structure is simply a large-scale client/server (C/S) architecture; Fig. 1 is a schematic diagram of the implementation mode of the invention. The core idea of the invention is that a large number of client computers 102 collect the behaviors of various programs (a single behavior or a combination of a group of behaviors), especially the behaviors of suspicious programs, and associate the program behaviors with the features of the program, so that the database 104 on the server side can record a program's features and the corresponding behavior records. The server side can then generalize and analyze in the database according to program behaviors, program features, or a set of program behaviors and program features, which helps classify software or programs as black or white. Further, corresponding removal or restoration measures can be formulated for the malware in the blacklist.
The program behavior may be, for example, a driver-loading behavior, a file-creation behavior, a program or code loading behavior, the addition of a system startup item, the modification of a file or program, or a combination of a series of behaviors.
The program feature may be an MD5 checksum computed with MD5 (Message-Digest Algorithm 5), an SHA1 code, a CRC (Cyclic Redundancy Check) code, or any other feature code that can uniquely identify the original program.
Fig. 2 is a flowchart of the cloud-based sample database dynamic maintaining method according to an embodiment of the invention. First, client computers collect program features and their corresponding program behaviors and send them to the server side (step 202). Then different program features and their corresponding program behaviors, together with black/white lists, are recorded in the server-side database (step 204). Unknown program features and program behaviors are analyzed in combination with the program features and corresponding program behaviors in the existing known black/white lists, so as to update the black/white lists (step 206).
Because the database records program features and the behavior records corresponding to each feature, unknown programs can be analyzed in combination with the known black/white lists.
For example, if an unknown program feature is identical to a known program feature in the existing black/white lists, both the unknown program feature and its program behaviors are placed on the black/white list.
If an unknown program behavior is identical or similar to a known program behavior in the existing black/white lists, both the unknown program behavior and its program feature are placed on the black/white list.
Because some viruses can change their feature code through mutation or packing while their behavior does not change much, comparing program behavior records makes it comparatively easy to determine whether some unknown programs are malicious. This comparison sometimes does not even require tracing and analyzing the program's behavior itself; a simple comparison with known program behaviors in the existing black/white lists is enough to judge the nature of the unknown program.
Analysis of the records in the database shows that some programs have identical or similar behaviors but different program features. In that case, once an association relationship between behaviors and features is established among the programs with identical or similar behaviors, unknown program features and program behaviors can be analyzed more easily according to that association relationship, so as to update the black/white lists.
Fig. 3 is a schematic diagram of the association relationship according to an embodiment of the invention. Suppose the features of unknown programs A, B and C are A, B and C respectively, and their corresponding program behaviors are A1~A4, B1~B4 and C1~C4. If analysis finds that program behaviors A1~A4, B1~B4 and C1~C4 are essentially identical or very similar, an association relationship between features and behaviors can be established among features A, B, C and behaviors A1~A4, B1~B4, C1~C4.
Through this association relationship, the database can under certain conditions be maintained more efficiently in a self-expanding way. For example, when program behaviors B1~B4 of program B are confirmed to be malicious program behaviors and are blacklisted, the program feature B corresponding to those behaviors can automatically be blacklisted in the database; at the same time, according to the association relationship, the associated program behaviors A1~A4 and C1~C4 and the corresponding program features A and C can automatically be placed on the black/white list as well.
As another example, suppose programs A, B and C are initially of unknown black/white status, and program feature B is first confirmed, through other virus detection and removal channels, to be the feature of a malicious program. Then not only can the combination of behaviors B1~B4 automatically be blacklisted in the database, but, according to the association relationship, features A and C, which have identical or similar behaviors, can automatically be blacklisted too, along with program behaviors A1~A4 and C1~C4.
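The association and propagation steps described above, as an added Python sketch that is not part of the patent text: each program feature is stored with its reported behavior set, features with identical or similar behavior are linked, and listing one feature carries the verdict to its linked features. The Jaccard similarity measure, the 0.5 cut-off, the rule that an existing verdict is never overwritten, and all feature and behavior names are assumptions made for illustration.

```python
# Constructed sample reports: program feature (stand-in for a file hash)
# -> behaviors reported by clients. All names are made up for illustration.
SAMPLES = {
    "feat_A": {"load_driver", "create_file", "add_startup_item", "modify_file"},
    "feat_B": {"load_driver", "create_file", "add_startup_item", "modify_file"},
    "feat_C": {"load_driver", "create_file", "add_startup_item", "load_code"},
    "feat_D": {"create_file"},
}


def jaccard(a, b):
    """Similarity of two behavior sets: |a & b| / |a | b| (1.0 = identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class SampleDB:
    def __init__(self, threshold=0.5):
        self.threshold = threshold  # assumed cut-off for "similar" behavior
        self.behaviors = {}         # feature -> frozenset of behaviors
        self.links = {}             # feature -> features with similar behavior
        self.verdict = {}           # feature -> "black" or "white"

    def associated(self, feature):
        """The feature plus every feature reachable through association links."""
        seen, stack = {feature}, [feature]
        while stack:
            for nxt in self.links[stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def report(self, feature, behaviors):
        """Record a client report; return the verdict it inherits, or None."""
        if feature not in self.behaviors:   # simplification: first report wins
            new = frozenset(behaviors)
            self.behaviors[feature] = new
            self.links[feature] = set()
            for other, known in self.behaviors.items():
                if other != feature and jaccard(new, known) >= self.threshold:
                    self.links[feature].add(other)
                    self.links[other].add(feature)
        if feature not in self.verdict:
            verdicts = {self.verdict[f] for f in self.associated(feature)
                        if f in self.verdict}
            if len(verdicts) == 1:  # mixed black/white neighbours: stay unknown
                self.verdict[feature] = verdicts.pop()
        return self.verdict.get(feature)

    def list_feature(self, feature, verdict):
        """List a feature and its associated features; return the new entries."""
        newly = []
        for f in sorted(self.associated(feature)):
            if f not in self.verdict:  # assumption: never overwrite a verdict
                self.verdict[f] = verdict
                newly.append(f)
        return newly


def demo():
    db = SampleDB()
    for feat, behaviors in SAMPLES.items():
        db.report(feat, behaviors)
    # Feature B is confirmed malicious: A and C follow, D is unrelated.
    newly = db.list_feature("feat_B", "black")
    # A repacked variant with a new feature but near-identical behavior.
    late = db.report("feat_E", {"load_driver", "create_file",
                                "add_startup_item", "modify_file", "delete_file"})
    return newly, late, db.verdict.get("feat_D")


if __name__ == "__main__":
    print(demo())
```

Because links are followed transitively, one verdict can reach every feature in a chain of pairwise-similar programs; the similarity cut-off therefore bounds how far a single blacklisting spreads.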
Because the invention records the behaviors corresponding to program features in the database, behavioral analysis of unknown programs becomes much more convenient. For example, if the driver-loading behavior is of interest, all program behaviors that include driver loading can be retrieved for comprehensive analysis. If, among the samples with driver-loading behavior in the existing blacklist, driver loading is generally followed by a particular file-creation behavior, then unknown programs whose behavior shows a similar combination can likewise be flagged with a risk warning or blacklisted directly.
The analysis methods the invention can use are not limited to the above; methods such as decision trees, Bayesian algorithms and neural network computation, or simple threshold analysis, can all be applied well on the basis of the database of the invention.
In addition, for a blacklisted program the database can further record the reverse behavior of the program; when it is confirmed that the blacklisted program exists or is running on a client computer, the reverse behavior is executed.
For example, once a program is found to be malicious, either by cloud-based detection using information collected by the client front end or by other means such as feature codes, a recovery action can be performed according to the recorded reverse behavior.
Files that cannot be restored by executing the reverse behavior can instead be restored by replacement. Fig. 4 is a flowchart of file recovery according to an embodiment of the invention. First, in the database, for a blacklisted program, the information of the infected files on the client computer is determined according to the behavior of the program (step 402). Then, according to the information of the infected files, an intact copy of the corresponding file stored in the database is downloaded to the client computer to overwrite the infected file (step 404).
The information about the infected file can be determined by querying the database with relevant information such as the file path, the system version and the associated application components.
In addition, because the invention uses a large number of client computers to collect program behaviors and program features and records the relevant information in the database, the nature of a program can also be judged by monitoring and analyzing how fast it spreads over a short period. Fig. 5 is a schematic diagram of the analysis flow according to an embodiment of the invention. First, the change in the number of identical program features collected by different client computers within a preset time is further recorded in the database (step 502). Then unknown program features and program behaviors are analyzed according to the change in the number of the program features, so as to update the black/white lists (step 504).
For example, if, within a preset time, the increase or decrease in the number of a certain unknown program feature collected by different client computers exceeds a threshold, that program feature and its corresponding program behaviors are blacklisted in the database.
In this way, the program information collected by the client front end is passed to the back-end server cluster. If the program is a Trojan but no longer propagates at all, it is a dormant, dead Trojan and can be considered no threat. But if the Trojan spreads to a new machine, the invention perceives it quickly, because that client computer also reports to the server. When 100, 500 or 1000 machines have reported, the server database aggregates the collected growth in numbers, analyzes it and feeds back the result. If the number of this program grows beyond the threshold within a very short time, or many variant programs with behavior similar to this program's appear, the invention can analyze and judge automatically, and once the judgment is made the program can be added to the blacklist. The invention thus dynamically self-expands and updates the database blacklist, greatly improving the efficiency of database maintenance and program analysis.
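The spread-rate check of steps 502 and 504, as an added Python sketch that is not part of the patent text: reports are bucketed into fixed windows, each client is counted once per window, and an unlisted feature is flagged when the count changes by more than a threshold from one window to the next. The one-hour window, the threshold of 20, the report format and all feature and client names are assumptions made for illustration.

```python
from collections import defaultdict

WINDOW = 3600    # assumed "preset time": one hour, in seconds
THRESHOLD = 20   # assumed limit on the change in distinct reporting clients


def make_reports():
    """Constructed sample reports: (unix_time, client_id, program_feature)."""
    r = []
    r += [(10 + i, f"pc{i}", "feat_X") for i in range(2)]      # hour 0: 2 clients
    r += [(3600 + i, f"pc{i}", "feat_X") for i in range(40)]   # hour 1: 40 clients
    r += [(3600 + i, "pc7", "feat_Y") for i in range(30)]      # one noisy client
    r += [(h * 3600 + i, f"pc{i}", "feat_Z")                   # steady 5 per hour
          for h in range(3) for i in range(5)]
    r += [(7200 + i, f"pc{i}", "feat_W") for i in range(50)]   # already listed
    return r


def window_counts(reports, window):
    """feature -> distinct-client count per window, empty windows filled with 0."""
    clients = defaultdict(lambda: defaultdict(set))
    for ts, client, feature in reports:
        # A set per window counts each client once, however often it reports.
        clients[feature][ts // window].add(client)
    counts = {}
    for feature, by_win in clients.items():
        first, last = min(by_win), max(by_win)
        counts[feature] = [len(by_win.get(w, ())) for w in range(first, last + 1)]
    return counts


def fast_spreaders(reports, window, threshold, listed=frozenset()):
    """Unlisted features whose distinct-client count jumps between windows.

    Returns feature -> (previous_count, current_count) for the first window in
    which the absolute change (increase or decrease) exceeds the threshold.
    """
    flagged = {}
    for feature, series in window_counts(reports, window).items():
        if feature in listed:       # only unknown features are analyzed
            continue
        prev = 0                    # a feature never seen before starts at 0
        for n in series:
            if abs(n - prev) > threshold:
                flagged[feature] = (prev, n)
                break
            prev = n
    return flagged


if __name__ == "__main__":
    print(fast_spreaders(make_reports(), WINDOW, THRESHOLD, listed={"feat_W"}))
```

Counting distinct clients rather than raw reports keeps one machine that resubmits the same feature many times (feat_Y in the sample) from crossing the threshold on its own.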

Claims (8)

1. A cloud-based sample database dynamic maintaining method, characterized by comprising the following steps:
Client computers collect program features and their corresponding program behaviors and send them to the server side;
Different program features and their corresponding program behaviors, together with black/white lists, are recorded in the server-side database;
In combination with the program features and corresponding program behaviors in the existing known black/white lists, an association relationship between behaviors and features is established among programs having identical or similar behaviors, and unknown program features and program behaviors are analyzed according to the association relationship among the programs having identical or similar behaviors, so as to update the black/white lists.
2. The method of claim 1, characterized in that the step of analyzing unknown program features and their program behaviors further comprises:
If an unknown program feature is identical to a known program feature in the existing black/white lists, the unknown program feature and its program behaviors are placed on the black/white list;
If an unknown program behavior is identical or similar to a known program behavior in the existing black/white lists, the unknown program behavior and its program feature are placed on the black/white list.
3. The method of claim 1, characterized in that the step of analyzing unknown program features and their program behaviors further comprises:
When a program behavior is placed on the black/white list, the program feature corresponding to that behavior in the database is also placed on the black/white list, as are the other program behaviors and program features that have an association relationship with that program behavior.
4. The method of claim 1, characterized in that the step of analyzing unknown program features and their program behaviors further comprises:
When a program feature is placed on the black/white list, the program behaviors corresponding to that feature in the database are also placed on the black/white list, as are the other program behaviors and program features that have an association relationship with that program feature.
5. The method of claim 1, characterized by further comprising:
In the database, for a blacklisted program, further recording the reverse behavior of the program; when it is confirmed that the blacklisted program exists or is running on a client computer, the reverse behavior is executed.
6. The method of claim 1, characterized by further comprising:
In the database, for a blacklisted program, determining the information of the infected files on the client computer according to the behavior of the program;
According to the information of the infected files, downloading an intact copy of the corresponding file stored in the database to the client computer to overwrite the infected file.
7. The method of claim 1, characterized by further comprising:
In the database, further recording the change in the number of identical program features collected by different client computers within a preset time;
Analyzing unknown program features and their program behaviors according to the change in the number of the program features, so as to update the black/white lists.
8. The method of claim 7, characterized in that the step of analyzing unknown program features and program behaviors according to the change in the number of program features comprises:
If, within a preset time, the increase or decrease in the number of a certain unknown program feature collected by different client computers exceeds a threshold, that program feature and its corresponding program behaviors are blacklisted in the database.
CN2010102569589A 2010-08-18 2010-08-18 Cloud-based sample database dynamic maintaining method Active CN101923617B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201310039473.8A CN103106366B (en) 2010-08-18 2010-08-18 A kind of sample database dynamic maintaining method based on cloud
CN2010102569589A CN101923617B (en) 2010-08-18 2010-08-18 Cloud-based sample database dynamic maintaining method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010102569589A CN101923617B (en) 2010-08-18 2010-08-18 Cloud-based sample database dynamic maintaining method

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201310039473.8A Division CN103106366B (en) 2010-08-18 2010-08-18 A kind of sample database dynamic maintaining method based on cloud

Publications (2)

Publication Number Publication Date
CN101923617A CN101923617A (en) 2010-12-22
CN101923617B true CN101923617B (en) 2013-03-20

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010102569589A Active CN101923617B (en) 2010-08-18 2010-08-18 Cloud-based sample database dynamic maintaining method

Country Status (1)

Country Link
CN (1) CN101923617B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: BEIJING QIHU TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: QIZHI SOFTWARE (BEIJING) CO., LTD.

Effective date: 20110520

Owner name: QIZHI SOFTWARE (BEIJING) CO., LTD.

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100016 EAST UNIT, 4/F, C + W BUILDING, NO. 14, JIUXIANQIAO ROAD, CHAOYANG DISTRICT, BEIJING TO: 100088 ROOM 112 (DESHENG PARK), TOWER D, NO. 28, XINJIEKOU OUTER STREET, XICHENG DISTRICT, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20110520

Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Co-applicant after: Qizhi software (Beijing) Co.,Ltd.

Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C

Applicant before: Qizhi software (Beijing) Co.,Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220714

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.