Active defense method on the basis of cloud security
Abstract
The present invention relates to an active defense method based on cloud security, comprising: a client collecting a program behavior launched by a program on the client and/or a program feature of the program launching that behavior, and sending it to a server; the server analyzing and comparing the received program feature and/or program behavior against its database, making a determination on the program based on the comparison result, and feeding the result back to the client; and the client, based on the returned determination result, deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, and restore the system environment. The invention introduces a cloud security architecture and employs behavior-feature-based active defense to search for and kill malicious programs, thereby ensuring network security.
12 Claims
1. A server, comprising:
one or more processors;
one or more memories having program instructions stored thereon that are executable by the one or more processors to cause the server to perform operations comprising:
recording a black/white list in a database, which black/white list includes different program features and corresponding program behaviors;
receiving at least one of a program behavior and a program feature of a first program from a client;
comparing the received program feature/program behavior with the recorded program feature/program behavior in the database, and making a determination on the first program based on the comparison result;
feeding back the determination result to the client;
wherein, when the comparison result indicates that the program behavior of the first program is included in the black/white list, the black/white list is updated by:
adding a program feature of the first program that corresponds to the program behavior of the first program to the black/white list, and adding a program behavior and a program feature of a second program into the black/white list based on an associated relationship between the first program and the second program; and/or
when the comparison result indicates that the program feature of the first program is included in the black/white list, the black/white list is updated by:
adding a program behavior of the first program that corresponds to the program feature of the first program to the black/white list, and adding the program behavior and the program feature of the second program to the black/white list based on the associated relationship between the first program and the second program.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A client computer, comprising:
one or more processors;
one or more memories having program instructions stored thereon that are executable by the one or more processors to cause the client computer to perform operations comprising:
collecting a program feature and/or a program behavior of a first program;
sending the collected program feature and/or program behavior to a server;
receiving a determination result from the server, and deciding how to handle the first program based on the determination result;
wherein the determination result is made by the server based on a comparison of the program feature/program behavior of the first program and a black/white list, and when the comparison indicates that the program behavior of the first program is included in the black/white list, the black/white list is updated by:
adding a program feature of the first program that corresponds to the program behavior of the first program to the black/white list, and adding a program behavior and a program feature of a second program into the black/white list based on an associated relationship between the first program and the second program; and/or
when the comparison indicates that the program feature of the first program is included in the black/white list, the black/white list is updated by:
adding a program behavior of the first program that corresponds to the program feature of the first program to the black/white list, and adding the program behavior and the program feature of the second program to the black/white list based on the associated relationship between the first program and the second program.
Dependent claims: 10, 11.
12. An active defense method based on cloud security, comprising:
recording a black/white list in a database, which black/white list includes different program features and corresponding program behaviors;
receiving at least one of a program behavior and a program feature of a first program from a client;
comparing the received program feature/program behavior with the recorded program feature/program behavior in the database, and making a determination on the first program based on the comparison result;
feeding back the determination result to the client;
wherein, when the comparison result indicates that the program behavior of the first program is included in the black/white list, the black/white list is updated by:
adding a program feature of the first program that corresponds to the program behavior of the first program to the black/white list, and adding a program behavior and a program feature of a second program into the black/white list based on an associated relationship between the first program and the second program; and/or
when the comparison result indicates that the program feature of the first program is included in the black/white list, the black/white list is updated by:
adding a program behavior of the first program that corresponds to the program feature of the first program to the black/white list, and adding the program behavior and the program feature of the second program to the black/white list based on the associated relationship between the first program and the second program.
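As an added illustration (not code from the patent or its assignee), the following Python models the server-side list logic of claims 1 and 12 together with the client-side handling described in the abstract: a match on a reported behavior adds the corresponding feature to the same list, a match on a feature adds the corresponding behavior, and the feature and behavior of an associated second program are added as well. Program names, feature strings and behavior strings are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class ListEntry:
    verdict: str                                  # "black" or "white"
    features: set = field(default_factory=set)    # e.g. file hashes (constructed here)
    behaviors: set = field(default_factory=set)   # e.g. "write:autorun.inf"

@dataclass
class Server:
    db: dict = field(default_factory=dict)            # program name -> ListEntry
    associations: dict = field(default_factory=dict)  # name -> [(name2, feature2, behavior2)]

    def check(self, feature=None, behavior=None):
        """Compare a client report with the list, extend the list as claims 1/12
        describe, and return the determination that is fed back to the client."""
        for name, entry in self.db.items():
            if feature in entry.features or behavior in entry.behaviors:
                break
        else:
            return "unknown"
        # matched on behavior -> also record the reported feature, and vice versa
        if behavior in entry.behaviors and feature:
            entry.features.add(feature)
        if feature in entry.features and behavior:
            entry.behaviors.add(behavior)
        # the associated second program inherits the same list membership
        for other, feat2, beh2 in self.associations.get(name, ()):
            e2 = self.db.setdefault(other, ListEntry(entry.verdict))
            e2.features.add(feat2)
            e2.behaviors.add(beh2)
        return entry.verdict

def client_action(verdict, behavior):
    """Client-side handling from the abstract: intercept, terminate, clean up, restore."""
    if verdict == "black":
        return ["intercept:" + behavior, "terminate", "cleanup", "restore"]
    return ["allow"] if verdict == "white" else ["monitor"]

def demo():
    # constructed sample data: a known-bad dropper and the payload associated with it
    srv = Server()
    srv.db["dropper"] = ListEntry("black", behaviors={"write:autorun.inf"})
    srv.associations["dropper"] = [("payload", "feat-payload-01", "hook:keyboard")]
    v1 = srv.check(feature="feat-dropper-01", behavior="write:autorun.inf")
    v2 = srv.check(feature="feat-payload-01")  # now listed via the association
    return v1, v2, client_action(v2, "hook:keyboard")
```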