Title of invention: Active defense method on the basis of cloud security
Abstract: The present invention relates to an active defense method based on cloud security comprising: a client collecting and sending a program behavior launched by a program thereon and/or a program feature of the program launching the program behavior to a server; with respect to the program feature and/or the program behavior sent by the client, the server performing an analysis and comparison in its database, making a determination on the program based on the comparison result, and feeding back to the client; based on the feedback determination result, the client deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, and restore the system environment. The invention introduces a cloud security architecture, and employs a behavior feature based on active defense to search and kill a malicious program, thereby ensuring network security.
Publication number: US9177141(B2) Publication date: 2015.11.03
Application number: US201113817577 Filing date: 2011.08.08
Applicant: BEIJING QIHOO TECHNOLOGY COMPANY LIMITED;QIZHI SOFTWARE(BEIJING) COMPANY LIMITED Inventors: Zhou Hongyi;Zheng Wenbin;Yu He;Fan Paul
Classification: G06F21/56;H04L29/06 Main classification: G06F21/56
Agency: Troutman Sanders LLP Agent: Troutman Sanders LLP
Independent claim: 1. An active defense method based on cloud security, comprising: recording a black/white list in a database, which black/white list including different program features and corresponding program behaviors; receiving at least one program behavior and a program feature of a program from a client; comparing the received program feature/program behavior with the recorded program feature/program behavior in the database, and making a determination on the program based on the comparison result; feeding back the determination result to the client; wherein, said method further comprising based on the program features and the corresponding program behaviors thereof in the black/white list, performing an analysis of unknown program features and program behaviors of a first program and a second program to update the black/white list comprising establishing an associated relationship between the first program and the second program based on their program features and their program behaviors; when a program behavior of the first program is included into the black/white list, updating the black/white list by: adding a program feature of the first program that corresponds to the program behavior of the first program to the black/white list, and adding a program behavior and a program feature of the second program into the black/white list based on the associated relationship between the first program and the second program; and/or when a program feature of the first program is included into the black/white list, updating the black/white list by: adding a program behavior of the first program that corresponds to the program feature of the first program to the black/white list, and adding the program behavior and the program feature of the second program to the black/white list based on the associated relationship between the first program and the second program.
Address: Beijing CN