Active Defense Method on The Basis of Cloud Security

US 20130174257A1
Filed: 08/08/2011
Published: 07/04/2013
Est. Priority Date: 08/18/2010
Status: Active Grant

First Claim

Patent Images

1. An active defense method based on cloud security, comprising:

collecting a program behavior launched by a program and/or a program feature of the program launching the behavior;

with respect to the program feature and/or the program behavior, performing an analysis and comparison in a database, making a determination on the program based on the comparison result;

based on the feedback determination result, deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, restore the system environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to an active defense method based on cloud security comprising: a client collecting and sending a program behavior launched by a program thereon and/or a program feature of the program launching the program behavior to a server; with respect to the program feature and/or the program behavior sent by the client, the server performing an analysis and comparison in its database, making a determination on the program based on the comparison result, and feeding back to the client; based on the feedback determination result, the client deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, and restore the system environment. The invention introduces a cloud security architecture, and employs a behavior feature based on active defense to search and kill a malicious program, thereby ensuring network security.

29 Citations

View as Search Results

12 Claims

1. An active defense method based on cloud security, comprising:
- collecting a program behavior launched by a program and/or a program feature of the program launching the behavior;
  
  with respect to the program feature and/or the program behavior, performing an analysis and comparison in a database, making a determination on the program based on the comparison result;
  
  based on the feedback determination result, deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, restore the system environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as claimed in claim 1, wherein the program behavior comprises the program behavior itself and the attributes of the object of the program behavior;
    - the attributes of the object of the program behavior further comprise the black and white level to which the behavioral object itself belongs, the position in the system and type of the behavioral object, the behavior itself made by the behavioral object and the black and white level to which the behavior itself belongs.
  - 3. A method as claimed in claim 1, wherein comparing the program feature of the program launching the behavior with feature codes of the blacklist stored in the database, and if hit, determining the program as a malicious program.
  - 4. A method as claimed in claim 2, wherein comparing a series of collected program behaviors made by a program with a sequence of identified malicious behaviors stored in the database, accumulating on weight values of the hit program behaviors, comparing the accumulated value with a preset threshold, and if the value exceeds the threshold, then determining the program as a malicious program.
  - 5. A method as claimed in claim 4, wherein assigning a corresponding weight value to a respective malicious behavior stored in the database, and the setting of the weight values is obtained according to experiences of the skilled in the art or based on a large amount of collected client data through statistical computation.
  - 6. A method as claimed in claim 2, wherein comparing a series of collected program behaviors made by a program with a sequence of identified malicious behaviors stored in the database, accumulating on weight values of the hit program behaviors, comparing the accumulated value with a preset threshold, and if the value exceeds the threshold, then analyzing on the program, obtaining its feature code, comparing its feature code with feature codes of the blacklist stored in the database, and if hit, then determining the program as a malicious program.
  - 7. A method as claimed in claim 3, wherein the step of with respect to the program feature and/or the program behavior, performing an analysis and comparison in the database, making a determination on the program based on the comparison result further comprising a step of updating:
    - updating in real time or periodically the program feature of the malicious program and/or the behavior of the malicious program into the database for storing.
  - 8. A method as claimed in claim 2, wherein before the step of collecting a behavior of a program and/or a program feature of the program launching the behavior, further comprising:
    - collecting the program feature and the corresponding program behavior thereof;
      
      recording in the database different program features and the corresponding program behaviors thereof as well as a black/white list;
      
      based on program features and the corresponding program behaviors thereof in an existing known black/white list, performing an analysis on an unknown program feature and program behavior to update the black/white list.
  - 9. A method as claimed in claim 8, wherein the step of performing an analysis on an unknown program feature and program behavior thereof comprising:
    - if the unknown program feature is identical to a known program feature in the existing black/white list, then including the unknown program feature and the program behavior thereof into the black/white list;
      
      if the unknown program behavior is identical or similar to a known program behavior in the existing black/white list, then including the unknown program behavior and the program feature thereof into the black/white list;
      
      when a certain program behavior is included into the black/white list, including in the database the program feature corresponding to the program behavior into the black/white list, and also including other program behaviors and program features having an associated relationship with the program behavior into the black/white list; and
      
      /orwhen a certain program feature is included into the black/white list, including in the database the program behavior corresponding to the program feature into the black/white list, and also including other program behaviors and program features having an associated relationship with the program feature into the black/white list.
  - 10. A method as claimed in claim 9, further comprising:
    - establishing an associated relationship of behavior and feature among programs having an identical or similar behavior, and based on the associated relationship among the programs having an identical or similar behavior, performing an analysis on an unknown program feature and program behavior to update the black/white list;
      
      for a program included into the blacklist in the database, further recording the reverse behavior of the program to perform the reverse behavior when it is confirmed that the program included into the blacklist exists in the client computer;
      
      for a program included into the blacklist in the database, based on the behavior of the program, determining the information on an infected file in the client computer, and based on the information on the infected file, downloading a corresponding intact file stored in the database to the client computer to overwrite the infected file; and
      
      /orfurther recording in the database change in number of an identical program feature collected by different client computers within a preset time, and if within a preset time, the increase or decrease in number of a certain unknown program feature collected by different client computers exceeds a threshold, then including in the database the program feature and its corresponding program behavior into the blacklist.
  - 11. A method as claimed in claim 4, wherein the step of with respect to the program feature and/or the program behavior, performing an analysis and comparison in the database, making a determination on the program based on the comparison result further comprising a step of updating:
    - updating in real time or periodically the program feature of the malicious program and/or the behavior of the malicious program into the database for storing.
  - 12. A method as claimed in claim 6, wherein the step of with respect to the program feature and/or the program behavior, performing an analysis and comparison in the database, making a determination on the program based on the comparison result further comprising a step of updating:
    - updating in real time or periodically the program feature of the malicious program and/or the behavior of the malicious program into the database for storing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.), Qizhi Software (Beijing) Company Limited (360 Security Technology, Inc.)
Original Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.), Qizhi Software (Beijing) Company Limited (360 Security Technology, Inc.)
Inventors
Zhou, Hongyi, Zheng, Wenbin, Yu, He, Fan, Paul

Granted Patent

US 9,177,141 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Active Defense Method on The Basis of Cloud Security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Active Defense Method on The Basis of Cloud Security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links