On 360 Cloud QVM and the Jinshan (Kingsoft) Cloud Appraisal System

Source: Internet
Author: User

First, 360 Cloud QVM.

To understand Cloud QVM, first understand what QVM is. In my view QVM is a kind of heuristic engine, or heuristic appraiser: an anti-virus component that uses known things to identify unknown things. But its principle differs from a normal heuristic scan. It is not a static heuristic and it is not a virtual machine; it is a method based on mathematical statistics. If one word describes QVM best, I think it is "macro".

How QVM works, as I understand it: first, QVM extracts a number of features from a file. These features might be, for example, which APIs the file calls, whether its extension is hidden, the file size, whether it is self-extracting, and so on. Of course I do not know exactly which features are extracted; 360 uses thousands of them, and the "examples" above are my own assumptions and guesses, but they are that kind of feature. If 360 is interested, they could add an explanation after this post.

After QVM extracts these features, it records a value for each of them. For example, if a file calls a certain API I count that feature as 1, and if it does not call it, 0. Then all of the thousands of features are written down this way.

Next, QVM scans a massive number of samples, which have been divided into black (malicious) and white (clean) in advance. For example, QVM first scans the black samples, records the value of each feature for each black sample, and then computes statistics. QVM might find that across all black files the probability of calling a certain API is 90%, while the probability of calling another API is 20%. The same statistics are gathered for the white files. The programmers then build a mathematical model over the values of these thousands of features, using complex weightings or other calculations to decide the black-or-white status of files that have never been scanned. For instance, when I scan an unknown file and find that it calls that API, and earlier experience says that files calling that API are black, then the file is black. Extending this conclusion to thousands of features is QVM's working principle.

In this way QVM scans a large volume of black and white files every day, continually expanding its database of knowledge about the features of known black and white files, and uses that knowledge to judge whether a file is black or white. Every day the virus detection rate improves and the false-alarm rate drops, making the results more accurate.

In other words, QVM does not care about the details of each file: not what the virus's behaviour is, not whether it is packed, and so on. It judges whether a file is black or white purely through mathematical statistics.
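The feature-counting model described above, as an added worked example (not 360's code or data): a few constructed black and white samples are reduced to binary features, per-feature rates like the "90% of black files call this API" figure are computed with Laplace smoothing, and an unknown file is scored by summing log-likelihood ratios over every feature. The feature names, samples and threshold are assumptions for illustration.

```python
from math import log

# Constructed training corpus (not 360's data). Each file is represented by
# the set of features present in it; the feature names are illustrative
# guesses, since the post itself does not know 360's real feature set.
BLACK = [
    {"calls_CreateRemoteThread", "hidden_extension", "self_extracting"},
    {"calls_CreateRemoteThread", "hidden_extension"},
    {"calls_CreateRemoteThread", "self_extracting", "tiny_file"},
    {"calls_CreateRemoteThread", "hidden_extension", "tiny_file"},
    {"calls_CreateRemoteThread", "calls_GetProcAddress"},
]
WHITE = [
    {"calls_GetProcAddress", "has_version_info"},
    {"has_version_info", "self_extracting"},
    {"calls_GetProcAddress", "has_version_info", "signed"},
    {"has_version_info", "signed"},
    {"calls_CreateRemoteThread", "has_version_info", "signed"},
]
FEATURES = sorted(set().union(*BLACK, *WHITE))

class QvmLikeModel:
    """Per-feature presence counts for black and white files, grown incrementally."""
    def __init__(self, features):
        self.features = features
        self.n = {"black": 0, "white": 0}
        self.counts = {lbl: {f: 0 for f in features} for lbl in self.n}
    def learn(self, label, samples):
        """Fold a batch of pre-labelled samples into the statistics (the daily scan)."""
        for s in samples:
            self.n[label] += 1
            for f in s:
                self.counts[label][f] += 1
    def rate(self, label, f):
        """Laplace-smoothed fraction of `label` files having feature f (the '90%')."""
        return (self.counts[label][f] + 1) / (self.n[label] + 2)
    def log_odds(self, sample):
        """Sum of per-feature log-likelihood ratios; positive means 'more like black'."""
        score = 0.0
        for f in self.features:
            pb, pw = self.rate("black", f), self.rate("white", f)
            score += log(pb / pw) if f in sample else log((1 - pb) / (1 - pw))
        return score
    def classify(self, sample, threshold=0.0):
        return "black" if self.log_odds(sample) > threshold else "white"

MODEL = QvmLikeModel(FEATURES)
MODEL.learn("black", BLACK)
MODEL.learn("white", WHITE)
```

Calling `MODEL.learn` again with tomorrow's labelled samples is the "daily scan" the post describes; the rates shift and the verdicts follow.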

To put it more plainly, consider a policeman catching thieves. The police first catch a lot of thieves and also meet a lot of good people who are not thieves. They find that thieves generally have shifty, squinting eyes and dress sloppily, while good people look straight ahead, dress decently and carry themselves openly. The next time the policeman sees someone with shifty, squinting eyes and sloppy clothes, he takes the man for a thief. Day after day he catches more thieves, sums up more rules and experience, and catches thieves more and more accurately. The same goes for good people: he seldom arrests them by mistake.

That is the principle of QVM. It is unlike behaviour-based defence, which waits for the thief to reach out before seizing him, and unlike signature scanning, which arrests someone only after confirming from his identity that he is a thief.

With QVM covered, now Cloud QVM. QVM is now split into two parts, local and cloud. Their principles are identical. The difference is that the cloud QVM scans far more samples every day and continually learns from them, accumulating its own experience, so the identification accuracy of the cloud QVM is certainly higher than that of the local one.

So the local side first extracts features with the local QVM and uploads them; because the feature data is small, the upload is fast. Then there are 3 QVMs in the cloud. Because the principle is the same, the scan result is produced immediately. But since the cloud has learned from more samples and accumulated more experience, its detection rate is higher than the local one, which is what makes cloud identification meaningful. The instant result is then fed back to the local machine. The total time is very short, not zero of course, but it can reach the second or even millisecond level.

I think the purpose of cloud QVM is to solve the problem of virus mutation and to provide rapid cloud-to-client identification. Its goal is not 100% accuracy, because a mathematically based method finds it hard to achieve a very high accuracy rate. Its aim is to detect more than 90% of viruses. Since 360 does not rely on QVM alone for anti-virus, reaching 90% is, I think, enough.

As for where cloud QVM is used, I have not really paid attention; I occasionally see QVM joining the active defence, which means QVM can be used in many places. I do not have a thorough understanding of 360's products and defence system, so I will not speak on those questions: being wrong is bad, and distorting the truth is worse.

Next, the Jinshan Cloud Identification System.

The Jinshan cloud identification system works in a completely different way from 360's cloud QVM. Jinshan's cloud uses micro-features: a micro-feature matches n files, and the black-or-white status of a file is determined by the correspondence between micro-feature and file. Relative to cloud QVM, Jinshan's cloud can be described as "microscopic".

Jinshan Cloud Security currently works as border defence: every file entering the computer is verified as black or white. Unknown files are uploaded to the cloud for identification, using the black/white concept.

The cloud currently has more than 30 kinds of appraiser: heuristic ones, behaviour-based ones, and others that specifically target certain viruses. These appraisers are updated, and even replaced, every day. But it is definitely not the multi-engine scan some people imagine. One can say Jinshan's cloud appraiser is very advanced: it identifies a sample's safety in a variety of ways, then produces a rating by weighting or other algorithms to finally determine whether the file is safe. Engineers adjust the results of some appraisers based on the daily scan results and manual identification, and appraisers with low accuracy are eliminated. So Jinshan's detection rate lives in the cloud, and ordinary users cannot see Jinshan's progress. But it can be said that Jinshan's detection rate improves every day. Some may ask: if it improves every day, would the identification rate not exceed 100%? There are new forms of virus every day, and it is entirely possible that an appraiser not modified since yesterday cannot identify today's virus. So it needs to be constantly modified. Every vendor's products are like this.

The idea behind Jinshan's cloud appraiser is not quite the same as QVM's. What Jinshan's cloud appraiser demands is precision: for all uploaded files, the identification accuracy must approach 100%. With that, the cloud can be used to solve other problems.

If the appraisers cannot reach a verdict, the file goes to manual analysis.

Many people think such a cloud cannot be effective. According to the data, it is very effective. First, the number of samples needing manual analysis per day is actually not large, in the hundreds, so that many virus analysts can fully cope. Second, more than half of samples actually produce a result within 30 seconds. I have watched the appraisal in the back end; several samples were identified in a few seconds. In fact, as long as the file is uploaded to that cloud, identification is very efficient. The identification accuracy was almost 100%.

For ordinary users and ordinary logic, Jinshan's cloud works like this:

Generally, when an unknown file enters the user's computer, if the user actively uploads it (that is, uses the cloud appraiser), the result is returned within 99 seconds.

If the user does not submit it manually, the file is uploaded automatically. After automatic upload, the cloud appraiser prioritises identification by the file's prevalence: widely distributed files are identified first, and less common ones are delayed slightly, but not for long, only a short while. Once a result is obtained, the file monitor applies it automatically, so if the file is black the ordinary user does not need to scan it a second time.

Returning to the policeman and the thief: Jinshan's cloud security system is like the police holding a DNA profile that can be matched against many people. When a DNA match is found, the database is queried to see whether that person is a thief; if yes, arrest him, if not, let him go. If he is not in the database, he goes to analysis. The police then analyse in various ways whether the person is a thief and publish the result within 99 seconds. This method is very accurate and almost never misjudges, but you have to wait a little while.
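The "microscopic" pipeline described above, as an added illustration that is not Jinshan's code: an exact-match lookup against known files first, then a weighted rating over several appraisers, with files that no appraiser can settle escalated to a human analyst. The hash database, the three stand-in appraisers, their weights and the cut-offs are all constructed assumptions.

```python
import hashlib

# Constructed "micro-feature" database of known files (exact SHA-256 -> verdict).
# Values are made up for this example; they are not Kingsoft/Jinshan data.
KNOWN = {
    hashlib.sha256(b"known good installer bytes").hexdigest(): "white",
    hashlib.sha256(b"known bad dropper bytes").hexdigest(): "black",
}

# Constructed stand-ins for the cloud's appraisers. Each returns a confidence
# in [0, 1] that the file is black, or None when it has no opinion. The weights
# stand in for the accuracy-based tuning the post says engineers perform daily.
def heuristic_appraiser(data):
    return 0.6 if b"CreateRemoteThread" in data else 0.1

def behaviour_appraiser(data):
    return 0.9 if b"autorun.inf" in data else None

def family_appraiser(data):
    return 1.0 if data.startswith(b"FAMILYX") else None

APPRAISERS = [(heuristic_appraiser, 1.0), (behaviour_appraiser, 2.0), (family_appraiser, 3.0)]

def appraise(data, black_cut=0.7, white_cut=0.3):
    """Return (verdict, score); verdict is 'black', 'white' or 'manual'.

    Step 1 is the exact micro-feature lookup. Step 2 is the weighted rating
    over every appraiser that expressed an opinion. A score between the two
    cut-offs, or no opinion at all, is escalated to a human analyst.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN:
        return KNOWN[digest], None
    weighted = total = 0.0
    for fn, weight in APPRAISERS:
        opinion = fn(data)
        if opinion is not None:
            weighted += weight * opinion
            total += weight
    if total == 0:  # defensive: no appraiser spoke
        return "manual", None
    score = weighted / total
    if score >= black_cut:
        return "black", score
    if score <= white_cut:
        return "white", score
    return "manual", score
```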

The concept Jinshan has stressed is reducing the user's burden by moving the computation to the cloud. In fact, ordinary users rarely encounter unknown files, because Jinshan's cloud system collects samples not only from users' clients but also automatically from honeypots, crawlers and other systems. So the probability that a user encounters an unknown file is even smaller.

Those who cannot wait 99 seconds can run the file in the sandbox first.

In short, Jinshan's cloud security system is designed with speed and compactness as the goal.
