Active defense method on the basis of cloud security
First Claim
1. An active defense method based on cloud security, comprising:
- recording a black/white list in a database, which black/white list including different program features and corresponding program behaviors;
- receiving at least one program behavior and a program feature of a program from a client;
- comparing the received program feature/program behavior with the recorded program feature/program behavior in the database, and making a determination on the program based on the comparison result;
- feeding back the determination result to the client;
- wherein, said method further comprising, based on the program features and the corresponding program behaviors thereof in the black/white list, performing an analysis of unknown program features and program behaviors of a first program and a second program to update the black/white list, comprising:
  - establishing an associated relationship between the first program and the second program based on their program features and their program behaviors;
  - when a program behavior of the first program is included into the black/white list, updating the black/white list by: adding a program feature of the first program that corresponds to the program behavior of the first program to the black/white list, and adding a program behavior and a program feature of the second program into the black/white list based on the associated relationship between the first program and the second program; and/or
  - when a program feature of the first program is included into the black/white list, updating the black/white list by: adding a program behavior of the first program that corresponds to the program feature of the first program to the black/white list, and adding the program behavior and the program feature of the second program to the black/white list based on the associated relationship between the first program and the second program.
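The comparison and list-update steps of claim 1, sketched as an added Python example (not code from the patent). The class and method names, the string-valued features and behaviors, the caller-supplied one-hop association, and the feature-before-behavior lookup order are all assumptions, since the claim does not specify them.

```python
from collections import defaultdict

class CloudList:
    """Server-side black/white list of program features and program behaviors."""
    def __init__(self):
        self.features = {}                 # program feature -> "black" | "white"
        self.behaviors = {}                # program behavior -> "black" | "white"
        self.observed = defaultdict(set)   # feature -> behaviors reported by clients
        self.assoc = defaultdict(set)      # feature -> features of associated programs

    def record(self, feature, behavior, verdict):
        """Seed the list with a feature and its corresponding behavior."""
        self.features[feature] = verdict
        self.behaviors[behavior] = verdict
        self.observed[feature].add(behavior)

    def associate(self, first, second):
        """Store an associated relationship (how it is derived is assumed external)."""
        self.assoc[first].add(second)
        self.assoc[second].add(first)

    def determine(self, feature, behavior):
        """Compare a client report with the list; return the verdict fed back."""
        self.observed[feature].add(behavior)
        verdict = self.features.get(feature) or self.behaviors.get(behavior) or "unknown"
        if verdict != "unknown":
            self._update(feature, verdict)
        return verdict

    def _update(self, feature, verdict):
        """Enter the first program's feature and behaviors, then those of each
        associated second program. setdefault never overturns an existing entry."""
        for f in {feature} | self.assoc[feature]:
            self.features.setdefault(f, verdict)
            for b in self.observed[f]:
                self.behaviors.setdefault(b, verdict)

def demo():
    # Constructed sample data: feature strings stand in for whatever identifies a program.
    cl = CloudList()
    cl.record("feat-known", "inject_remote_thread", "black")
    before = cl.determine("feat-p2", "drop_driver")          # nothing matches yet
    cl.associate("feat-p1", "feat-p2")
    first = cl.determine("feat-p1", "inject_remote_thread")  # behavior is listed
    after = cl.determine("feat-p2", "drop_driver")           # listed via association
    return before, first, after, cl

if __name__ == "__main__":
    print(demo()[:3])
```

In this sketch every behavior reported by a listed program inherits that program's verdict, so a behavior that benign software also performs would be blacklisted unless behaviors are described specifically enough to avoid the overlap.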
Abstract
The present invention relates to an active defense method based on cloud security comprising: a client collecting and sending a program behavior launched by a program thereon and/or a program feature of the program launching the program behavior to a server; with respect to the program feature and/or the program behavior sent by the client, the server performing an analysis and comparison in its database, making a determination on the program based on the comparison result, and feeding back to the client; based on the feedback determination result, the client deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, and restore the system environment. The invention introduces a cloud security architecture, and employs a behavior feature based on active defense to search and kill a malicious program, thereby ensuring network security.
8 Claims
Specification