Cloud security into the "second kill" era, the user's gospel?

Safety is always the most mouth of the industry, which can be explained at least two points, one is that the field of profit is sufficient, the second is that the field of competition is too intense. The core of competition is the innovation of concept, the skill of hype and the real progress of technology. Since the trend and rising first cloud security concept, has become the biggest bright spot of security software, there is no talk about cloud security you are not a real security potential.

After the 3Q war, 360 quickly listed, become a dark horse in the IT field, the thought of the listing after 360 will be silent, the results of a period of time before because of the second level cloud identification and Jinshan. The cause is this, Jinshan 2012 release, the 3D defense concept, and the introduction of 99-second cloud identification, with the 3Q War as a, 360 immediately launched its own new version, played pro3d comprehensive defense system, and launched 1 seconds Cloud identification, the spear pointed at Jinshan.

Revealing cloud identification

In the past, cloud security used the full text hash method for cloud authentication, the fatal flaw of this technology is that it is unable to better identify the virus sample variants, the manufacturer can easily bypass the Yunan system by changing only one byte. This time the two played the second-level cloud identification concept, are based on the above problems of the improved version. Two common is to discard the previous full text hash method and the use of local characteristics.

Jinshan adopts the technology of micro-feature plus file scanning. The essence of micro-feature is to select several key locations for each program file. Use these key points to identify each type of file, each type of file has a different local hash algorithm, when matching to the appropriate type, then select a section of data to calculate local hash, and then upload to the cloud to do the black and white list of matches, When the match is unsuccessful, it uploads the file to the cloud, using the cloud's background scanning system to authenticate the file two times. The way to judge the key points and then take the hash can eliminate a large number of files, played an accelerating role.

The cloud identification of 360 uses the fuzzy vector technique. The essence of fuzzy vectors is based on the characteristics of file structure, the file is decomposed into a number of structures, the characteristics of each structure, and then classify the features to form a structural feature library, sent to the local, most of the documents through this way can be identified, this is the 360 claims can be 1 seconds cloud identification reasons.

99 seconds vs 1 seconds vs 0 seconds, lies or hype?

Put aside the manufacturer's own words, let's analyze what the biggest security threat is today. After more than 20 years of development, the virus has entered the era of the pan-technology, they are no longer pursuing the possibility of technology implementation, but more attention to how to obtain illegal income. In this case, the Trojan has become the most popular type of virus, and the site hanging horse became the most popular way of transmission, every day there will be thousands of malicious links and malicious programs generated, and some malicious links even in seconds for dynamic transformation.

Unfortunately, while every major security vendor has its own capture system and exchange channels, it is still not possible to capture all the samples in time, and these samples, which have not been identified by any vendors, have become a new threat to the group--oday virus. Today, the Oday virus is the biggest threat to the cloud's safety, and they can bring more economic loss to the user every day.

Whether 99 seconds, 1 seconds or 0 seconds, is the speed of document identification, manufacturers in the concept of speculation has misled the user, to form a document to identify the speed of high clouds security effective psychological expectations. In fact, the real value of cloud security to the user is the speed of the virus samples, not the speed of identification, in the shortest possible time oday virus into a recognizable virus, in order to truly reduce the loss of users.

Now let's take a little test to see how fast the "second kill" cloud security engine captures the sample. We get 768 0day samples by tracking the horse site, scan first, then scan every other day, and the virus identification curve is shown in the following image:

1 hours later, Jinshan and QQ recognition rate under 20%, 360 can reach 40%, 24 hours, Jinshan and QQ samples of the detection rate in about 30%, 360 to 60%, and the sample of all the killing, then all in three days. In other words, three days later, the virus will reduce the user's harm to 0. If a large number of oday virus can not be captured in time, the back-end analysis is also the same as a fake, ordinary users after poisoning, it is difficult to find suspicious files and upload the cloud system to identify, so how to build a more powerful sample capture system, more than the speed of the identification of the more important.

Reshape dynamic virtual technology to curb oday virus

At present, the mainstream security vendors are using the idea of active defense to find unknown samples, that is, set broad rules, will trigger the rules of the file uploaded to the cloud analysis. This idea will create several problems: Users lose a lot of traffic, vendors get a lot of invalid samples, can only be dynamic monitoring and reporting through a large client.

In fact, the most effective way to deal with the Oday virus is based on the dynamic virtual technology of heuristic drug search. Mention of dynamic virtual technology, may be professionals will immediately think of rising virtual machine technology, in fact, the two have the same place, there are different.

Rising virtual machine technology is based on this principle, it virtual CPU commonly used X86 instructions, the file loaded into the virtual machine to carry out, and then analyze and judge the behavior of the file. This technology in the age of infection virus, but also very effective, but the Trojan rampage today is useless. The reason is that most of the virus is the Trojan form, Mumari a large number of use of the operating system provided by the API, operating system API is a relatively closed instruction set, the need to do input, output and stack processing, the situation is very complex, and rising virtual machine does not deal with this, So the trojan killing and shell treatment effect is very bad.

The dynamic virtual technology we mentioned today refers to the addition of CPU instructions, but also to simulate the virus commonly used in the system API, as well as the virus commonly used in the reverse tracking and debugging means of identification, we study the virus in the process, we found that many viruses use floating-point MMX instructions to do encryption and deformation means, Therefore, dynamic virtual machines not only support the X86 instruction set, but also support the MMX floating point instruction set of multimedia extension, and in the future, it is a chore to support the instruction of the X86 architecture and the API of other operating system, this is a hard job, now few security vendors are willing to work on this.

Dynamic virtual technology has been out of the concept of monitoring, any file does not need to run real to see its behavior, if the application of this point to the crawler system, you can directly determine whether the end of the link is a virus directly collected, no need to enter the cloud analysis system. On the other hand, dynamic virtual technology has a good defensive effect on oday virus, as depicted in the film Minority Report, it is possible to reproduce a crime in a virtual space and then defend it in real space, rather than having the virus run first, then look at the action, then defend the active defensive thought, Much more advanced.

Editor PostScript:

When the safety flow in the market hype skills, will often make manufacturers lose the continued research technology of the practical mentality, so that users lose the ability to judge the authenticity. Safety needs to be packaged, but safety needs to be abandoned by those who float, calm down to do the practical skills of the pedantic mentality. From the hundred-Sharp information security laboratory in contact with the process, small series feel that the hundred sharp is a focus on the technology team, and in the internal testing, small series also marvel at the performance of the hundred sharp products of professional standards, we actually hope that in the road of safety, more to give users the ability to distinguish between right and wrong, Because what users need is real security.