Method and system for detecting malicious code
First Claim
1. A method for detecting malicious code by a server storing a file reputation scoring policy and a plurality of malicious code detectors having different types of malicious code detection, the method comprising:
- receiving, by the server, a testing sample sent by a client computer from a network, wherein the file reputation scoring policy associates each of the plurality of malicious code detectors with at least one type of malicious code each corresponding to a credibility scale and a reputation value, the file reputation scoring policy recording each type of the plurality of malicious code detectors, at least one type of malicious code detected by each type of the plurality of malicious code detectors, and the credibility scale and the reputation value of the at least one type of malicious code detected by each type of the plurality of malicious code detectors;
- testing, by the server, the testing sample with the plurality of malicious code detectors to acquire a plurality of testing results;
- comparing, by the server, the plurality of testing results with the type of malicious code recorded in the file reputation scoring policy;
- dismissing, by the server, testing results which do not match the type of malicious code recorded in the file reputation scoring policy;
- determining, by the server, the credibility scale and the reputation value for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on the file reputation scoring policy, the credibility scale indicating whether the testing result is malicious, and the reputation value indicating a quantified trust level corresponding to the credibility scale; and
- determining, by the server, a final detection result of the testing sample based on the respective determined credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy, wherein the determining the final detection result of the testing sample based on the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy comprises:
- processing the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on a decision policy for the credibility scale and the reputation value to obtain the final detection result of the testing sample, wherein the credibility scale comprises any one of: black, white, gray, suspected black and suspected white, wherein black represents the testing sample being malicious, white represents the testing sample being safe, gray represents being uncertain, suspected black represents the sample being potentially malicious, and suspected white represents the testing sample being potentially safe, wherein the decision policy comprises:
- in response to the determination that the testing results are suspected black, the final detection result of the testing sample is determined to be black when a sum of the reputation values of the testing results is above a first preset threshold, otherwise the final detection result of the testing sample is determined to be gray;
- in response to the determination that the testing results are suspected white, the final detection result of the testing sample is determined to be white when a sum of the reputation values of the testing results is above a second preset threshold, otherwise the final detection result of the testing sample is determined to be gray; and
- in response to the determination that a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are suspected black while the rest are suspected white, the test result with higher reputation between the testing result of suspected black and the testing result of suspected white is determined as the final detection result of the testing sample, a difference between the reputation value of the testing result of suspected black and the reputation value of the testing result of suspected white being above a third preset threshold, otherwise the final detection result of the testing sample is determined to be gray;
- providing, by the server, the final detection result of the testing sample to the client computer;
- obtaining, by the server, false positive rates of respective types of the malicious code detectors according to the final detection result, different types of the malicious code detectors having different testing approaches; and
- setting, by the server, the reputation values of respective types of the malicious code detectors in the file reputation scoring policy based on the false positive rates of respective types of the malicious code detectors.
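The decision policy and the reputation feedback loop recited in claim 1 can be read as a small scoring algorithm. The following Python module is an added illustration, not code from the patent or its assignee. It assumes a constructed file reputation scoring policy with hypothetical detector types (signature, heuristic, whitelist) and hypothetical malware type labels, constructed preset thresholds, and two interpretations the claim leaves open: when several detectors fall on the same side of a conflict their reputation values are summed, and the adjustment of reputation values from false positive rates is a simple (1 - FPR) scaling.

```python
from dataclasses import dataclass
from enum import Enum


class Scale(Enum):
    """The five credibility scales named in the claim."""
    BLACK = "black"
    WHITE = "white"
    GRAY = "gray"
    SUSPECTED_BLACK = "suspected black"
    SUSPECTED_WHITE = "suspected white"


@dataclass(frozen=True)
class TestResult:
    detector_type: str   # which kind of detector produced the verdict
    malware_type: str    # the malicious code type label the detector attached


# Constructed file reputation scoring policy (hypothetical names):
# detector type -> malware type -> (credibility scale, reputation value).
POLICY = {
    "signature": {"trojan": (Scale.SUSPECTED_BLACK, 60),
                  "adware": (Scale.SUSPECTED_BLACK, 20)},
    "heuristic": {"packed-unknown": (Scale.SUSPECTED_BLACK, 24)},
    "whitelist": {"known-good": (Scale.SUSPECTED_WHITE, 70)},
}

# Constructed first, second and third preset thresholds.
T_BLACK, T_WHITE, T_CONFLICT = 50, 50, 30


def score(results, policy=POLICY):
    """Compare each result with the policy, dismiss results whose malware
    type is not recorded for that detector type, and look up the credibility
    scale and reputation value of the rest."""
    scored = []
    for r in results:
        entry = policy.get(r.detector_type, {}).get(r.malware_type)
        if entry is None:
            continue  # type not recorded in the policy: dismissed
        scale, reputation = entry
        scored.append((r.detector_type, scale, reputation))
    return scored


def decide(scored, t_black=T_BLACK, t_white=T_WHITE, t_conflict=T_CONFLICT):
    """Apply the decision policy to scored results; return the final scale."""
    black = sum(rep for _, s, rep in scored if s is Scale.SUSPECTED_BLACK)
    white = sum(rep for _, s, rep in scored if s is Scale.SUSPECTED_WHITE)
    has_black = any(s is Scale.SUSPECTED_BLACK for _, s, _ in scored)
    has_white = any(s is Scale.SUSPECTED_WHITE for _, s, _ in scored)
    if has_black and has_white:
        # Conflict: the side with the higher reputation wins only when the
        # gap exceeds the third threshold. Summing each side is an assumption;
        # the claim speaks of one suspected-black and one suspected-white result.
        if abs(black - white) > t_conflict:
            return Scale.BLACK if black > white else Scale.WHITE
        return Scale.GRAY
    if has_black:
        return Scale.BLACK if black > t_black else Scale.GRAY
    if has_white:
        return Scale.WHITE if white > t_white else Scale.GRAY
    return Scale.GRAY  # the claimed policy only covers suspected results


def false_positive_rates(history, policy=POLICY):
    """history: iterable of (results, final_scale) pairs. A detector type's
    false positive rate is the share of its suspected-black verdicts given on
    samples whose final detection result was white."""
    flagged, wrong = {}, {}
    for results, final in history:
        for det, s, _ in score(results, policy):
            if s is Scale.SUSPECTED_BLACK:
                flagged[det] = flagged.get(det, 0) + 1
                if final is Scale.WHITE:
                    wrong[det] = wrong.get(det, 0) + 1
    return {d: wrong.get(d, 0) / n for d, n in flagged.items()}


def rescore_policy(policy, fprs):
    """Return a new policy with each detector type's reputation values scaled
    by (1 - FPR). The exact rule is an assumption; the claim only says the
    values are set 'based on' the false positive rates."""
    new = {}
    for det, types in policy.items():
        factor = 1.0 - fprs.get(det, 0.0)
        new[det] = {m: (s, round(rep * factor)) for m, (s, rep) in types.items()}
    return new


if __name__ == "__main__":
    sample = [TestResult("heuristic", "packed-unknown"),
              TestResult("whitelist", "known-good")]
    print(decide(score(sample)))  # conflict, 24 vs 70: whitelist wins
```

Note that a result from a detector type the policy does not know, or a label the policy does not record for that detector, never reaches the decision step: it is dismissed before any reputation is summed, which is what keeps an unvetted detector from tipping a verdict.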
Abstract
The present application discloses a method and a system for detecting malicious code. The method comprises receiving a testing sample; testing the sample with a plurality of malicious code detectors to obtain a plurality of testing results; determining a credibility scale and a reputation value of each of the testing results, wherein the credibility scale indicates whether the testing result is malicious or safe, and the reputation value indicates a quantified trust level corresponding to the credibility scale; and determining a final detection result of the testing sample based on the determined credibility scales and the reputation values of the testing results. According to the technical solution of the present application, the testing results obtained from various malicious code detectors are rationally utilized to improve the testing accuracy for the malicious code.
9 Claims
1. Independent claim 1 is recited in full above under First Claim. Dependent claims: 2, 3, 9.
4. A system for detecting malicious code, the system comprising:
- a cloud-based detecting server for receiving a testing sample sent by a client computer from a network, the cloud-based detecting server being coupled to the client computer and the network, providing a final detection result of the testing sample to the client computer, obtaining false positive rates of respective types of the malicious code detectors according to the final detection result, setting the reputation values of respective types of the malicious code detectors in the file reputation scoring policy based on the false positive rates of respective types of the malicious code detectors, wherein the server stores the malicious code detectors having different types of malicious code detection and the file reputation scoring policy associating each of a plurality of malicious code detectors with at least one type of malicious code each corresponding to the credibility scale and a reputation value, the file reputation scoring policy recording each type of the malicious code detectors, at least one type of malicious code detected by each type of the plurality of malicious code detectors, and the credibility scale and the reputation value of the at least one type of malicious code detected by each type of the plurality of malicious code detectors;
- the client computer;
- the plurality of malicious code detectors, including computer readable instructions for receiving the testing sample from the cloud-based detecting server and testing the testing sample to acquire a plurality of testing results;
- a file reputation decider for comparing the plurality of testing results with the type of malicious code recorded in the file reputation scoring policy, dismissing testing results which do not match the type of malicious code recorded in the file reputation scoring policy, determining a credibility scale and the reputation value for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy and determining a final detection result of the testing sample for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on the credibility scales and the reputation values of the testing results, wherein the credibility scale indicates whether the testing result is malicious, and the reputation value indicates a quantified trust level corresponding to the credibility scale, wherein the file reputation decider comprises a decision unit for processing the respective credibility scales and the respective reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on a decision policy for the credibility scale and the reputation value to obtain the final detection result of the testing sample, wherein the credibility scale comprises any one of: black, white, gray, suspected black and suspected white, wherein black represents the testing sample being malicious, white represents the testing sample being safe, gray represents being uncertain, suspected black represents the sample being potentially malicious, and suspected white represents the testing sample being potentially safe; wherein the decision policy comprises: in response to the determination that the testing results are suspected black, the final detection result of the testing sample is determined to be black when a sum of the reputation values of the testing results is above a first preset threshold, otherwise the final detection result of the testing sample is determined to be gray; in response to the determination that the testing results are suspected white, the final detection result of the testing sample is determined to be white when a sum of the reputation values of the testing results is above a second preset threshold, otherwise the final detection result of the testing sample is determined to be gray; and in response to the determination that a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are suspected black while the rest are suspected white, the test result with higher reputation between the testing result of suspected black and the testing result of suspected white is determined as the final detection result of the testing sample, a difference between the reputation value of the testing result of suspected black and the reputation value of the testing result of suspected white being above a third preset threshold, otherwise the final detection result of the testing sample is determined to be gray; and
- a determination unit for determining the credibility scale and the reputation value of the testing result for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on the file reputation scoring policy.
Dependent claims: 5, 6.
7. An apparatus comprising a memory and a processor, the memory storing computer code, a file reputation scoring policy and a plurality of malicious code detectors having different types of malicious code detection, and the processor being configured to execute the computer code to implement a method comprising:
- receiving a testing sample sent by a client computer from a network, the apparatus being coupled to the client computer and the network, wherein the file reputation scoring policy associates each of the plurality of malicious code detectors with at least one type of malicious code each corresponding to a credibility scale and a reputation value, the file reputation scoring policy recording each type of the plurality of malicious code detectors, at least one type of malicious code detected by each type of the plurality of malicious code detectors, and the credibility scale and the reputation value of the at least one type of malicious code detected by each type of the plurality of malicious code detectors;
- testing the testing sample with the plurality of malicious code detectors to acquire a plurality of testing results;
- comparing, by the server, the plurality of testing results with the type of malicious code recorded in the file reputation scoring policy;
- dismissing, by the server, testing results which do not match the type of malicious code recorded in the file reputation scoring policy;
- determining the credibility scale and the reputation value for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on the file reputation scoring policy, the credibility scale indicating whether the testing result is malicious, and the reputation value indicating a quantified trust level corresponding to the credibility scale;
- determining a final detection result of the testing sample based on the respective determined credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy, wherein the determining the final detection result of the testing sample based on the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy comprises: processing the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy, based on a decision policy for the credibility scale and the reputation value to obtain the final detection result of the testing sample, wherein the credibility scale comprises any one of: black, white, gray, suspected black and suspected white, wherein black represents the testing sample being malicious, white represents the testing sample being safe, gray represents being uncertain, suspected black represents the sample being potentially malicious, and suspected white represents the testing sample being potentially safe, wherein the decision policy comprises: in response to the determination that the testing results are suspected black, the final detection result of the testing sample is determined to be black when a sum of the reputation values of the testing results is above a first preset threshold, otherwise the final detection result of the testing sample is determined to be gray; in response to the determination that the testing results are suspected white, the final detection result of the testing sample is determined to be white when a sum of the reputation values of the testing results is above a second preset threshold, otherwise the final detection result of the testing sample is determined to be gray; and in response to the determination that a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are suspected black while the rest are suspected white, the test result with higher reputation between the testing result of suspected black and the testing result of suspected white is determined as the final detection result of the testing sample, a difference between the reputation value of the testing result of suspected black and the reputation value of the testing result of suspected white being above a third preset threshold, otherwise the final detection result of the testing sample is determined to be gray;
- providing, by the server, the final detection result of the testing sample to the client computer;
- obtaining, by the server, false positive rates of respective types of the malicious code detectors according to the final detection result, different types of the malicious code detectors having different testing approaches; and
- setting, by the server, the reputation values of respective types of the malicious code detectors in the file reputation scoring policy based on the false positive rates of respective types of the malicious code detectors.
Dependent claims: 8.