CN100557545C - A method of distinguishing harmful program behavior - Google Patents


Info

Publication number: CN100557545C
Authority: CN (China)
Prior art keywords: program; behavior; harmful; action; differentiation
Legal status: Expired - Fee Related
Application number: CNB2004101031484A
Other languages: Chinese (zh)
Other versions: CN1801030A
Inventor: 刘旭
Current assignee: Weidian Baihui Beijing Information Security Technology Co ltd
Original assignee: DONGFANG MICRO-POINT INFORMATION SECURITY Co Ltd FUJIAN

Application filed by DONGFANG MICRO-POINT INFORMATION SECURITY Co Ltd FUJIAN
Priority to CNB2004101031484A
Publication of CN1801030A
Application granted
Publication of CN100557545C
Expired - Fee Related (current legal status)
Anticipated expiration

Classification: Computer And Data Communications (AREA)
Abstract

The present invention relates to a method of distinguishing harmful program behavior, characterized in that it uses a virus attack recognition rule base built from sets of state actions and comprises the following steps: 1.1) monitoring and recording the action behavior of an unknown program; 1.2) comparing the action behavior recorded for this program, taken as a whole, with the virus attack recognition rule base; 1.3) distinguishing harmful program behavior according to the comparison result: if harmful, alerting the user or stopping the program from continuing to run; if not, letting the program continue to run and returning to step 1.1). The method of the present invention does not rely on virus code signatures but analyzes the action behavior of the unknown program to judge whether it constitutes harmful program behavior. It is therefore efficient and accurate, and can raise an alarm in advance against newly emerging attack programs.

Description

A method of distinguishing harmful program behavior
Technical field
The present invention relates to a method of defending against computer viruses and attacks, and in particular to a method of distinguishing the harmful behavior of unknown programs.
Background technology
The struggle between computer virus intrusion and anti-intrusion has always been carried on intensely, and as computers are used more and more widely, the intensity of this struggle has risen to a new height. Through long practice, people have summarized many concrete methods of preventing computer virus intrusion and developed many corresponding protection products. These products can be divided into two broad classes. One class isolates intruding viruses: a firewall, for example, restricts communication ports, protocols and so on to prevent intruding viruses from entering. The other class searches for the infected malicious files that make up an intrusion: antivirus software, for example, uses the code signatures of files that may be infected by a virus to discover and remove harmful infected files by scanning. Although both classes of product have played a large part in the struggle against virus intrusion, each has shortcomings it cannot overcome:
(1) Although a firewall can block some illegal viruses or hacker intrusions, the objects it monitors are mainly ports and protocols, and the user must configure which are allowed through and which are not. Its main defects are: 1. it requires the user to be very familiar with the system in order to configure it effectively; 2. because its monitoring granularity is too coarse, it essentially cannot be configured for the ports and protocols that a network application must use: if these are allowed through, a virus or hacker attack may occur; if they are not allowed through, normal network operation may be directly affected.
(2) Antivirus software that relies on virus signatures will forever lag behind the development of viruses, because the signature of a virus can only be extracted after a sample of the virus has been captured. Such antivirus software therefore cannot guard against newly emerging unknown viruses; even a user equipped with antivirus software can still be injured by an attack of such a virus, and the only remedy is to upgrade and update the virus database, a remedy that lags behind the appearance of the virus.
Summary of the invention
The present invention is intended to solve the above problems. Its purpose is to provide a method of distinguishing harmful program behavior, based on the behavioral features of program behavior, that can effectively protect a computer from attack by viruses, Trojans and the like contained in unknown programs.
The method of distinguishing harmful program behavior of the present invention can be applied in a real-time antivirus protection and monitoring system based on program behavior patterns. For a legitimate known program stored in the program behavior knowledge base, its action behavior is compared with the legitimate behavior of that program stored in the program behavior recognition library, to judge whether the known program is under attack. For an unknown program not stored in the program behavior knowledge base, the action behavior of the unknown program is monitored and recorded and then compared with the harmful program attack features stored in the virus attack recognition rule base, so as to recognize harmful program behavior and intercept in time the attack of the harmful program on the system.
The method is based on a virus attack recognition rule base, which records the attack features of many kinds of viruses, Trojans and harmful programs. Each record corresponds to one class of virus, and each class of virus corresponds to one behavior set, which comprises a series of actions and the specific association relations between them.
The method of distinguishing harmful program behavior of the present invention comprises the following steps:
1.1) monitor and record the action behavior of the unknown program;
1.2) compare the action behavior recorded for this unknown program, taken as a whole, with the virus attack recognition rule base;
1.3) distinguish harmful program behavior according to the comparison result: if harmful, alert the user or stop the unknown program from continuing to run; if not, let the program continue to run and return to step 1.1).
In the method for differentiation harmful program of the present invention behavior, the described action behavior that is recorded comprises: type of action, action time of origin and caller.
In the method for differentiation harmful program of the present invention behavior, the action behavior of described monitoring and record comprises:
Supervisory control action refers to that this action may influence computer security, need monitor in real time it;
Dangerous play, this action at first are supervisory control actions, and in program run, this action may threaten computer security;
Described in addition action behavior comprises that also non-supervisory control action does not influence the action that computer security need not to monitor.
The method of differentiation harmful program of the present invention behavior influence each supervisory control action and the dangerous play of computer security when intercepting and capturing program run, and with attack recognition rule storehouse in the attack feature that writes down compare.
In the method for differentiation harmful program of the present invention behavior, described incidence relation comprises the time relationship between the action of front and back and calls and the relation of being called.
In the method for differentiation harmful program of the present invention behavior, described attack recognition rule storehouse comprises virus rule one:
A) run on the program of client layer RING3, change system core layer RING0 operation over to.
The method of differentiation harmful program of the present invention behavior is characterized in that, described attack recognition rule storehouse comprises virus rule two:
B) this program is carried out the operation of revising other program files.
The method of differentiation harmful program of the present invention behavior is characterized in that, described attack recognition rule storehouse comprises long-range attack rule one:
C) after this program is accepted data by listening port, call the SHELL program immediately.
The method of differentiation harmful program of the present invention behavior is characterized in that, described attack recognition rule storehouse comprises long-range attack rule two:
D) after this program receives data by listening port, buffer zone takes place overflow.
The method of differentiation harmful program of the present invention behavior is characterized in that, described attack recognition rule storehouse comprises long-range attack rule three:
E) after this program receives data by listening port, call generic-document host-host protocol tftp procedure immediately.
The method of differentiation harmful program of the present invention behavior is characterized in that, described attack recognition rule storehouse comprises mail worm rule one:
F) this program is generated automatically by mailing system, and revises the self-starting item of registration table during this program run, and this program does not have window, pallet-free, and begins to send mail immediately.
The method of differentiation harmful program of the present invention behavior is characterized in that, described attack recognition rule storehouse comprises suspicious wooden horse rule one:
G) this program is generated automatically by mailing system, and revises the self-starting item of registration table during this program run, and this program does not have window, pallet-free, and begins to create listening port immediately.
The method of differentiation harmful program of the present invention behavior is characterized in that: described supervisory control action comprises file operation; Network operation; Establishment process, establishment thread; Registry operations; Window, pallet operation; Storehouse overflows; Inject thread; Intercepting system API Calls and visit, modification and establishment user account number.
The method of differentiation harmful program of the present invention behavior is characterized in that: described dangerous play, comprise, and call the SHELL program; The update routine file or the file of writing a program; Call FTP or TFTP; Create FTP or TFTP service; Send mail; Browser or mailing system are moved other programs automatically; Create a large amount of identical threads; Revise and create user account number; Dangerous network operation; Add the startup item to system registry; Revise the system start-up file; Inject thread to other processes; Storehouse overflows; Automatically promote during the operation of application layer process and be system-level process operation; The intercepting system API Calls.
The method of differentiation harmful program of the present invention behavior is characterized in that: monitored described unknown program is in running status, after it withdraws from, no longer monitors and record.
The method of distinguishing harmful program behavior of the present invention is characterized in that it comprises the following steps:
16.1) discover an unknown program or process running;
16.2) create a behavior description structure entity corresponding to this program;
16.3) capture the monitored actions and dangerous actions of this program that may endanger computer security;
16.4) judge the action type;
16.5) record the recognized action in the corresponding behavior description structure entity;
16.6) compare against the attack recognition rule base and calculate the weight of the behavior description structure entity;
16.7) judge whether the weight upper limit is exceeded; if not, return to step 16.3); if so, go to the next step;
16.8) judge the behavior to be harmful program behavior.
The method of distinguishing harmful program behavior of the present invention is characterized in that the behavior description structure entity has the same structure as the attack recognition rule base.
The method of distinguishing harmful program behavior of the present invention is characterized in that the behavior consists of the API functions, provided by the operating system, that the program calls.
The method of distinguishing harmful program behavior of the present invention is characterized in that the weight in step 16.6) is an empirical value given by the rule base for each behavior criterion, and the weight of the description entity is obtained by accumulating the empirical values of its several behaviors.
The method of distinguishing harmful program behavior of the present invention is characterized in that the weight upper limit in step 16.7) is judged by an empirical value provided by the invention, or according to a user-defined value.
The method of distinguishing harmful program behavior of the present invention is characterized in that, after behavior is judged to be harmful program behavior, the user judges whether the program may continue to execute.
The method of distinguishing harmful program behavior of the present invention is characterized in that the data structure of the attack recognition rule base comprises:
the full path of the executable PE file, the creator's full path, the creator's characteristic, whether the creator has a window, whether the file is the same file as the creator, whether it copies itself, whether the file has a description, whether it autoruns, who created the autorun item, whether it was started by something other than its creator, whether it created the startup item itself, whether it has a window or tray icon, a linked list of modified registry entries, and a linked list of network actions.
The method of distinguishing harmful program behavior of the present invention is characterized in that the sub-data structure of the modified-registry-entry linked list comprises: the list entry, the key name, the value name and the value.
The method of distinguishing harmful program behavior of the present invention is characterized in that the sub-data structure of the network-action linked list comprises: the type, the local port, the local address, the remote port, the remote address and the protocol used.
The advantage of the invention is that the method of distinguishing harmful program behavior can accurately detect the harmful behavior of unknown programs and protect the computer from attack by harmful programs such as viruses and Trojans; compared with the prior art it is efficient and accurate.
Description of drawings
Fig. 1 is a schematic flow chart of the method of distinguishing harmful program behavior of the present invention.
Embodiments
Specific embodiments of the invention are described in detail below in conjunction with the drawing.
The method of distinguishing harmful program behavior of the present invention is based on a virus attack recognition rule base, which records the attack features of many kinds of viruses, Trojans and harmful programs. Each record corresponds to one class of virus, and each class of virus corresponds to one behavior set, which comprises a series of actions and the specific association relations between them.
The method of distinguishing harmful program behavior of the present invention comprises the following steps:
1.1) monitor and record the action behavior of the unknown program;
1.2) compare the action behavior recorded for this program, taken as a whole, with the virus attack recognition rule base;
1.3) distinguish harmful program behavior according to the comparison result: if harmful, alert the user or stop the program from continuing to run; if not, let the program continue to run and return to step 1.1).
In the method of distinguishing harmful program behavior of the present invention, the recorded action behavior comprises: the action type, the time the action occurred, and the caller.
In the method of distinguishing harmful program behavior of the present invention, the monitored and recorded action behavior comprises:
Monitored actions, meaning actions that may influence computer security and therefore need to be monitored in real time;
Dangerous actions, which are first of all monitored actions and which, during program execution, may threaten computer security;
In addition, the action behavior also comprises non-monitored actions, which do not influence computer security and need not be monitored.
The method of distinguishing harmful program behavior of the present invention intercepts each monitored action and dangerous action that influences computer security while the program runs, and compares them with the attack features recorded in the attack recognition rule base.
In the method of distinguishing harmful program behavior of the present invention, the association relations comprise the time relation between preceding and following actions and the calling and called relation between them.
In the method of distinguishing harmful program behavior of the present invention, the attack recognition rule base comprises virus rule one:
a) a program running at the user layer (RING3) transfers to running at the system kernel layer (RING0).
In the method of distinguishing harmful program behavior of the present invention, the attack recognition rule base comprises virus rule two:
b) the program performs an operation that modifies another program's file.
According to the virus rules above, if an unknown program performs operation a) or b), the program can be judged to have virus-attack behavior. As is well known, these actions are extremely dangerous and are a common feature of most virus programs. For example, the CIH virus has both of these features: as soon as it begins executing it transfers to execution at the system RING0 layer. Relying on the above rule, the CIH virus can therefore be discovered as soon as it starts to run and be prohibited by the method of the present invention, effectively protecting the system from its attack. Moreover, for many unknown or newly born virus programs, the check no longer relies on virus signature codes but identifies the virus by the features of its action behavior, which makes checking more accurate and efficient, reduces system overhead, and allows timely discovery and timely interception.
In the method for differentiation harmful program of the present invention behavior, in the described attack recognition rule storehouse, comprise long-range attack rule one:
C) after this program is accepted data by listening port, call the SHELL program immediately.
The method of differentiation harmful program of the present invention behavior is characterized in that, described attack recognition rule storehouse comprises long-range attack rule two:
D) after this program receives data by listening port, buffer zone takes place overflow.
In the method for differentiation harmful program of the present invention behavior, in the described attack recognition rule storehouse, comprise long-range attack rule three:
E) after this program receives data by listening port, call generic-document host-host protocol tftp procedure immediately.
The remote attack rules c), d) and e) above are each composed of a combination of several actions. Although the purpose of the attacker cannot be judged from any one of these actions on its own, the time relation between several action behaviors makes it easy to judge whether the program is aggressive; an unknown program showing the above behavioral features can therefore be judged to be a remote attack program and prohibited. Compared with existing firewall technology, this not only predicts remote attacks more accurately but also spares the user trouble: the user need not receive a firewall alarm every time a network connection is needed to browse a new web page or send and receive mail, whereas stopping the firewall would leave the system in danger.
The interception of the "Sasser" worm's attack by the present invention is briefly described below to illustrate the above remote attack rules. The Sasser worm differs from other worms in that it does not send mail; its working principle is to open a back door locally. It listens on TCP port 5554 and waits for remote control commands, acting as an FTP server: the virus provides file transfer in the form of FTP, and a hacker can steal files and other information from the user's machine through this port. The virus opens 128 scanning threads; starting from the local IP address it picks IP addresses at random and frantically probes connections to port 445, attempting to exploit a buffer overflow vulnerability in LSASS of the Windows operating system. If the attack succeeds, the other machine is infected with the virus and carries out the next round of propagation; if the attack fails, it still causes a buffer overflow on the other machine, leading to illegal operation of that machine's programs and system exceptions.
Using the method of distinguishing harmful program behavior of the present invention, when a computer infected with Sasser sends attack packets to a system protected by the present invention, the LSASS process of the local computer overflows; the overflow code calls GetProcAddress, which is caught by the monitoring mechanism of the present invention and judged to be a buffer overflow. Before the overflow, the LSASS process received data on ports 139 and 445 of the system, which conforms to rule d) above. The present invention can therefore accurately judge this remote attack, and the system calls ExitThread to terminate the thread, so that the Sasser worm cannot take its next action and the local computer is effectively protected.
In the method for differentiation harmful program of the present invention behavior, in the described attack recognition rule storehouse, comprise mail worm rule one:
F) this program is generated automatically by mailing system, and revises the self-starting item of registration table during this program run, and this program does not have window, pallet-free, and begins to send mail immediately.
The worm rule constitutes the worm attack behavioural characteristic by a plurality of action behaviors as mentioned above, according to information as mentioned above, just can effectively take precautions against worm attack, and can effectively contain worm spreading on network.
In the method for differentiation harmful program of the present invention behavior, in the described attack recognition rule storehouse, comprise suspicious wooden horse rule one:
G) this program is generated automatically by mailing system, and revises the self-starting item of registration table during this program run, and this program does not have window, pallet-free, and begins to create listening port immediately.
According to suspicious wooden horse rule as mentioned above, also can not rely on existing firewall system, it is identified, monitor mode is more easy, and has simplified the complexity that the user uses.
Utilize the present invention to intercept and capture famous bounce-back row wooden horse black hole below to regular g) do with brief description: because it belongs to unknown program, this process initiation is promptly caught by supervisory system of the present invention, and this program is not created application window and system tray district icon simultaneously; And can revise the registry boot item behind this program start, to guarantee that oneself can start automatically when next user logins, this action behavior also is dangerous play, therefore also caught by supervisory system of the present invention, this process continues execution will connect far-end web server to obtain the address of client service, port information, carry out information transmission so that connect with it, after this networking action is hunted down, above-mentioned action is together compared with the rule of attacking in the recognition rule storehouse, just can be judged as suspicious wooden horse, and to User Alarms, the attribute that this illegal program is described simultaneously is suspicious wooden horse, so that the user understands information more accurately, avoided existing firewall system as long as network action takes place just reports to the police, and needed the judgement of user the actuation of an alarm security.
In the method of distinguishing harmful program behavior of the present invention, the monitored actions comprise: file operations; network operations; process and thread creation; registry operations; window and tray operations; stack overflow; thread injection; intercepting system API calls; and accessing, modifying and creating user accounts.
The dangerous actions comprise: calling a SHELL program; modifying a program file or writing a program file; calling FTP or TFTP; creating an FTP or TFTP service; sending mail; the browser or mail system automatically running other programs; creating a large number of identical threads; modifying or creating user accounts; dangerous network operations; adding a startup item to the system registry; modifying system startup files; injecting a thread into another process; stack overflow; an application-layer process automatically elevating itself to run as a system-level process during its run; and intercepting system API calls.
In the method of distinguishing harmful program behavior of the present invention, the monitored program is monitored while it is running; after it exits, it is no longer monitored and recorded, which releases system resources and reduces system overhead.
The method of distinguishing harmful program behavior of the present invention comprises the following steps:
16.1) discover an unknown program or process running;
16.2) create a behavior description structure entity corresponding to this program;
16.3) capture the monitored actions and dangerous actions of this program that may endanger computer security;
16.4) judge the action type;
16.5) record the recognized action in the corresponding behavior description structure entity;
16.6) compare against the attack recognition rule base and calculate the weight of the behavior description structure entity;
16.7) judge whether the weight upper limit is exceeded; if not, return to step 16.3); if so, go to the next step;
16.8) judge the behavior to be harmful program behavior.
In the method of distinguishing harmful program behavior of the present invention, the behavior description structure entity has the same structure as the attack recognition rule base.
In the method of distinguishing harmful program behavior of the present invention, the behavior consists of the API functions, provided by the operating system, that the program calls.
In the method of distinguishing harmful program behavior of the present invention, the weight in step 16.6) is an empirical value given by the rule base for each behavior criterion, and the weight of the description entity is obtained by accumulating the empirical values of its several behaviors.
In the method of distinguishing harmful program behavior of the present invention, the weight upper limit in step 16.7) is judged by an empirical value provided by the invention, or according to a user-defined value. Many users with a deep understanding of computer programs often need programs of their own design or programs from other informal sources, usually in order to improve system performance or usability. Such unknown programs may therefore perform many monitored or dangerous actions that match the rules in the attack recognition rule base, and if the method of the present invention directly judged such a program to be harmful and prohibited its execution, it would cause inconvenience to these users. The present invention therefore also allows the user to define the weight setting for a particular program; that is, even after the program's behavior has been judged harmful, the user decides whether the program continues to execute.
In the method of distinguishing harmful program behavior of the present invention, the data structure entity of each record in the attack recognition rule base is:
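The matching step of the procedure above (steps 16.3 to 16.8) and rules a) to g), as an added worked example that is not the patent's own code: each rule is encoded as a set of actions with their time relations (an action sequence with a maximum gap standing for "immediately", a required creator, required and forbidden actions) and an empirical weight, the weights are summed and compared against the upper limit, and the user-defined override lets a judged program run anyway. The action names, the weights, the threshold of 50 and the three traces are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Action:
    """One recorded action: its type, time of occurrence and caller (step 16.5)."""
    kind: str
    t: float
    caller: str = "self"


@dataclass
class BehaviorEntity:
    """Behavior description structure entity created for one unknown program (step 16.2)."""
    name: str
    creator: str                       # constructed labels: "mail_system", "browser", "user"
    actions: list = field(default_factory=list)

    def record(self, kind, t, caller="self"):
        """Record a captured action, keeping the trace in time order."""
        self.actions.append(Action(kind, t, caller))
        self.actions.sort(key=lambda a: a.t)

    def kinds(self):
        return {a.kind for a in self.actions}


@dataclass(frozen=True)
class Rule:
    """A behavior set: actions plus the time and creator relations between them."""
    name: str
    weight: int                        # empirical value from the rule base (assumed here)
    sequence: tuple = ()               # action kinds that must occur in this time order
    max_gap: float = float("inf")      # "immediately": consecutive steps at most this far apart
    creator: str = None                # program must have been generated by this subsystem
    requires: frozenset = frozenset()  # further actions that must appear, in any order
    forbids: frozenset = frozenset()   # actions that must be absent (no window, no tray)


def sequence_present(actions, sequence, max_gap):
    """True if `sequence` occurs in time order, each step within max_gap of the previous one."""
    if not sequence:
        return True
    for start in (a for a in actions if a.kind == sequence[0]):
        prev, ok = start, True
        for kind in sequence[1:]:
            nxt = next((a for a in actions
                        if a.kind == kind and prev.t < a.t <= prev.t + max_gap), None)
            if nxt is None:
                ok = False
                break
            prev = nxt
        if ok:
            return True
    return False


def rule_matches(entity, rule):
    """Compare one program's recorded behavior, taken as a whole, against one rule."""
    present = entity.kinds()
    if rule.creator is not None and entity.creator != rule.creator:
        return False
    if not rule.requires <= present or rule.forbids & present:
        return False
    return sequence_present(entity.actions, rule.sequence, rule.max_gap)


NO_UI = frozenset({"create_window", "create_tray"})
# Rules a) to g) of the description, encoded as action sets; weights are assumed values.
RULES = [
    Rule("virus a: RING3 program enters RING0", 60, ("ring3_to_ring0",)),
    Rule("virus b: modifies another program's file", 60, ("modify_other_program_file",)),
    Rule("remote c: listen-recv then SHELL", 50, ("listen_recv", "call_shell"), 1.0),
    Rule("remote d: listen-recv then buffer overflow", 50, ("listen_recv", "buffer_overflow"), 1.0),
    Rule("remote e: listen-recv then TFTP", 50, ("listen_recv", "call_tftp"), 1.0),
    Rule("mail worm f", 80, ("process_start", "send_mail"), 2.0, "mail_system",
         frozenset({"registry_autorun"}), NO_UI),
    Rule("trojan g", 70, ("process_start", "create_listen_port"), 2.0, "mail_system",
         frozenset({"registry_autorun"}), NO_UI),
]


def score(entity, rules=RULES):
    """Step 16.6: accumulate the empirical weights of every rule the behavior matches."""
    matched = [r for r in rules if rule_matches(entity, r)]
    return sum(r.weight for r in matched), [r.name for r in matched]


def judge(entity, rules=RULES, threshold=50, user_allowed=frozenset()):
    """Steps 16.7 and 16.8: harmful once the weight reaches the upper limit, unless the
    user has decided that this particular program may keep running (user-defined override)."""
    total, matched = score(entity, rules)
    harmful = total >= threshold and entity.name not in user_allowed
    return harmful, total, matched


def sample_entities():
    """Constructed traces: a mail-borne worm, a service hit by a remote overflow, a benign editor."""
    worm = BehaviorEntity("attach.exe", "mail_system")
    for kind, t in [("process_start", 0.0), ("registry_autorun", 0.3), ("send_mail", 0.8)]:
        worm.record(kind, t)
    service = BehaviorEntity("svc.exe", "user")
    for kind, t in [("process_start", 0.0), ("listen_recv", 12.0), ("buffer_overflow", 12.05)]:
        service.record(kind, t)
    editor = BehaviorEntity("edit.exe", "user")
    for kind, t in [("process_start", 0.0), ("create_window", 0.2), ("file_write", 5.0)]:
        editor.record(kind, t)
    return worm, service, editor


if __name__ == "__main__":
    for entity in sample_entities():
        print(entity.name, judge(entity))
```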
    // MAX_PATH, BOOLEAN and LIST_ENTRY are the Windows header types; LIST_NET is the
    // network-action list defined below (it must be declared before this struct to compile).
    struct UnknowPEFileInMem
    {
        char WeighofDanger;            // danger weight
        char FileName[MAX_PATH];       // full path of the newly created PE file
        char CreatorName[MAX_PATH];    // creator's full path
        char CharacterOfCreator;       // creator's characteristic
        char NoWindowOfCreator;        // whether the creator has a window
        char SameAsCreator;            // whether this is the same file as the creator
        char CopySelf;                 // copies itself: CopySelf is set on the creator, SameAsCreator on the copied file; the order distinguishes the two
        char FileDescription;          // whether the file has a description
        char AutoRun;                  // whether it autoruns
        char WhoWriteAutoRun;          // who created the autorun item
        BOOLEAN RunByCreator;          // whether it was started by something other than its creator
        BOOLEAN RunBySelf;             // whether it created the startup item itself
        BOOLEAN bCreateWindow;         // whether it has a window or tray icon
        LIST_ENTRY RegList;            // linked list of modified registry entries
        LIST_NET ListNetAction;        // linked list of network actions
    };
The concrete data values and meanings of the creator's characteristic "CharacterOfCreator" above are:
-1: unknown program;
0: other known program;
1: mail system;
2: web browser;
3: internet chat system (such as QQ, MSN, etc.).
The concrete data values and meanings of "WhoWriteAutoRun", the record of who created the autorun item, are:
0: unknown;
1: itself;
2: the creator;
Both itself and the creator may write it.
The sub-data structure entity of the modified-registry-entry linked list is:
    // The page declares the three strings as unsized arrays; C allows only one trailing
    // flexible member, so they are pointers to variable-length strings here.
    struct REG_DATA
    {
        LIST_ENTRY List;               // list entry
        char *Key;                     // key name
        char *ValueName;               // value name
        char *Value;                   // value
    };
The sub-data structure entity of the network action linked list is:
struct LIST_NET
{
    int type;                        // type
    short lport;                     // local port
    IPADDR lipaddr;                  // local IP address
    short dport;                     // remote port
    IPADDR dipaddr;                  // remote IP address
    short protocol;                  // protocol used
};
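As an added illustration (not code from the patent or its assignee), the following C program implements the weight accumulation of steps 16.2) to 16.8) over a behavior description entity: each recorded action (type, time of occurrence, caller) contributes an empirical weight from a small rule table, the running sum is compared with an upper limit that is either the default or a user-defined value for that program, and exceeding the limit yields the harmful-program judgement. The action types are taken from the dangerous actions in the claims; the weights, the limit and the sample action sequence are constructed assumptions.

```c
#include <string.h>

/* Action types taken from the dangerous actions listed in the claims.  The
 * weights and the upper limit below are constructed for illustration only. */
enum action_type {
    ACT_MODIFY_PROGRAM_FILE,   /* modifies another program's file */
    ACT_ADD_AUTORUN,           /* adds a startup item to the system registry */
    ACT_SEND_MAIL,             /* begins sending mail */
    ACT_CREATE_LISTEN_PORT,    /* creates a listening port */
    ACT_CALL_SHELL,            /* calls the SHELL program */
    ACT_COUNT
};

/* Empirical weight per behaviour criterion supplied by the rule base (claim 17), assumed values. */
static const int rule_weight[ACT_COUNT] = { 30, 25, 20, 20, 40 };

#define DEFAULT_WEIGHT_LIMIT 60    /* empirical upper limit of step 16.7), assumed value */
#define MAX_ACTIONS 32

struct recorded_action {           /* action type, time of occurrence and caller (claim 1) */
    enum action_type type;
    unsigned long when;
    char caller[64];
};

/* Behaviour description entity created for each unknown program (step 16.2). */
struct behavior_entity {
    char program[64];
    struct recorded_action actions[MAX_ACTIONS];
    int count;
    int weight;                    /* accumulated weight (step 16.6) */
    int weight_limit;              /* default limit, or the user-defined limit for this program */
};

static void entity_init(struct behavior_entity *e, const char *program, int user_limit)
{
    memset(e, 0, sizeof *e);
    strncpy(e->program, program, sizeof e->program - 1);
    e->weight_limit = user_limit > 0 ? user_limit : DEFAULT_WEIGHT_LIMIT;
}

/* Steps 16.3) to 16.7): record one action, add its weight, return 1 once the limit is exceeded. */
static int record_action(struct behavior_entity *e, enum action_type t,
                         unsigned long when, const char *caller)
{
    if (e->count < MAX_ACTIONS) {
        struct recorded_action *a = &e->actions[e->count++];
        a->type = t;
        a->when = when;
        strncpy(a->caller, caller, sizeof a->caller - 1);
    }
    e->weight += rule_weight[t];
    return e->weight > e->weight_limit;
}

/* Replays a constructed sequence (autorun item, mail, listening port) for one program.
 * Returns 1 if the program is judged harmful (step 16.8), 0 if it may keep running. */
static int judge_sample_sequence(int user_limit)
{
    struct behavior_entity e;
    entity_init(&e, "unknown.exe (constructed)", user_limit);
    if (record_action(&e, ACT_ADD_AUTORUN, 1, "unknown.exe")) return 1;
    if (record_action(&e, ACT_SEND_MAIL, 2, "unknown.exe")) return 1;
    return record_action(&e, ACT_CREATE_LISTEN_PORT, 3, "unknown.exe");
}
```

With the default limit the sample sequence (25 + 20 + 20 = 65) is judged harmful at the third action; a user-defined limit of 100 for that program lets it continue, which is the override the description above provides for.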
In summary, the method of the present invention for distinguishing harmful program behavior can accurately detect the harmful program behavior of unknown programs, protects the computer from attacks by harmful programs such as viruses and Trojans, and, compared with the prior art, has the advantages of efficiency and accuracy.
From the above description, those skilled in the art can make various changes and modifications without departing from the technical idea of this invention. Therefore, the technical scope of this invention is not limited to the content of the specification, and must be determined according to the scope of the claims.

Claims (23)

1. A method of distinguishing harmful program behavior, characterized in that: the method is based on a virus attack recognition rule base, which records the attack features of many viruses, Trojans and harmful programs; each record corresponds to one class of virus, each class of virus corresponds to a behavior set, and the behavior set comprises a series of actions and the specific association relations between them; and the method of distinguishing harmful program behavior comprises the steps:
1.1) monitoring and recording the action behavior of an unknown program;
1.2) comparing the recorded action behavior of the unknown program, taken as a whole, with the virus attack recognition rule base;
1.3) distinguishing harmful program behavior according to the comparison result: if it is harmful, alerting the user or stopping the unknown program from continuing to run; if not, the program continues to run and the method returns to step 1.1);
the recorded action behavior comprises: action type, time of occurrence of the action, and caller;
the monitored and recorded action behavior comprises:
monitored actions, which may affect computer security and need to be monitored in real time;
dangerous actions, which are first of all monitored actions and which, during program execution, may threaten computer security;
in addition, the action behavior also comprises non-monitored actions, which do not affect computer security and need not be monitored.
2. The method of distinguishing harmful program behavior according to claim 1, characterized in that: each monitored action and dangerous action affecting computer security is intercepted while the program runs and compared with the attack features recorded in the attack recognition rule base.
3. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the association relations comprise the time relation between preceding and following actions and the calling and called relation.
4. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the attack recognition rule base comprises virus rule one:
A) a program running at the user layer RING3 switches to running at the system core layer RING0.
5. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the attack recognition rule base comprises virus rule two:
B) the program performs the operation of modifying other program files.
6. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the attack recognition rule base comprises remote attack rule one:
C) after the program receives data through a listening port, it immediately calls the SHELL program.
7. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the attack recognition rule base comprises remote attack rule two:
D) after the program receives data through a listening port, a buffer overflow occurs.
8. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the attack recognition rule base comprises remote attack rule three:
E) after the program receives data through a listening port, it immediately calls the trivial file transfer protocol program tftp.
9. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the attack recognition rule base comprises mail worm rule one:
F) the program is generated automatically by the mail system, modifies the auto-start item of the registry during its run, has no window and no tray icon, and immediately begins sending mail.
10. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the attack recognition rule base comprises suspicious Trojan rule one:
G) the program is generated automatically by the mail system, modifies the auto-start item of the registry during its run, has no window and no tray icon, and immediately begins creating a listening port.
11. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the monitored actions comprise file operations; network operations; creating processes and creating threads; registry operations; window and tray operations; stack overflow; injecting threads; intercepting system API calls; and accessing, modifying and creating user accounts.
12. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the dangerous actions comprise: calling the SHELL program; modifying program files or writing program files; calling FTP or TFTP; creating an FTP or TFTP service; sending mail; the browser or mail system automatically running other programs; creating a large number of identical threads; modifying and creating user accounts; dangerous network operations; adding startup items to the system registry; modifying system startup files; injecting threads into other processes; stack overflow; an application-layer process automatically elevating itself during its run to run as a system-level process; and intercepting system API calls and accesses.
13. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the monitored unknown program is in the running state; after it exits, it is no longer monitored and recorded.
14. The method of distinguishing harmful program behavior according to claim 1, characterized in that it comprises the steps:
16.1) discovering that an unknown program or process is running;
16.2) creating the behavior description structure entity corresponding to this program;
16.3) capturing the monitored behaviors and dangerous behaviors of this program that may endanger computer security;
16.4) judging the action type;
16.5) recording the recognized action in the corresponding behavior description structure entity;
16.6) comparing against the attack recognition rule base and calculating the weight of the behavior description structure entity;
16.7) judging whether the weight upper limit is exceeded: if not, returning to step 16.3); if so, proceeding to the next step;
16.8) judging the behavior to be harmful program behavior.
15. The method of distinguishing harmful program behavior according to claim 14, characterized in that: the behavior description structure entity is consistent with the structure of the attack recognition rule base.
16. The method of distinguishing harmful program behavior according to claim 14, characterized in that: the behavior is the API functions provided by the operating system that the program calls.
17. The method of distinguishing harmful program behavior according to claim 14, characterized in that: the weight described in step 16.6) is obtained as follows: the rule base provides an empirical value as the criterion for each behavior, and the weight of the description entity is obtained by accumulating the empirical values of its several behaviors.
18. The method of distinguishing harmful program behavior according to claim 14, characterized in that: the weight upper limit described in step 16.7) is determined either from an empirical value provided by the invention or by user definition.
19. The method of distinguishing harmful program behavior according to claim 14, characterized in that: after the behavior has been judged to be harmful program behavior, the user decides whether the program continues to execute.
20. The method of distinguishing harmful program behavior according to claim 1 or claim 14, characterized in that the data structure of the attack recognition rule base comprises:
the full path of the executable PE file, the full path of the creator, the characteristic of the creator, whether the creator has a window, whether the file is the same file as the creator, whether it copies itself, whether the file has a description, whether it auto-starts, who created the auto-start item, whether it was started by the creator, whether it created the startup item itself, whether it has a window or tray icon, the linked list of modified registry entries, and the linked list of network actions.
21. The method of distinguishing harmful program behavior according to claim 20, characterized in that: the sub-data structure of the modified registry entry linked list comprises: list entry, key name, value name and value.
22. The method of distinguishing harmful program behavior according to claim 20, characterized in that: the sub-data structure of the network action linked list comprises: type, local port, local address, remote port, remote address and protocol used.
23. The method of distinguishing harmful program behavior according to claim 1, characterized in that: the method is applied in an antivirus protection real-time monitoring system based on the program behavior mode, which monitors the monitored actions and dangerous actions performed by an unknown program that may be a harmful program, and intercepts attacks of harmful programs on the system in time.
CNB2004101031484A 2004-12-31 2004-12-31 A kind of method of distinguishing the harmful program behavior Expired - Fee Related CN100557545C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004101031484A CN100557545C (en) 2004-12-31 2004-12-31 A kind of method of distinguishing the harmful program behavior

Publications (2)

Publication Number Publication Date
CN1801030A CN1801030A (en) 2006-07-12
CN100557545C true CN100557545C (en) 2009-11-04

Family

ID=36811075

Also Published As

Publication number Publication date
CN1801030A (en) 2006-07-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: BEIJING EASTERN MICROPOINT INFO-TECH CO., LTD.

Free format text: FORMER OWNER: FUJIAN ORIENT MICROPOINT INFORMATION SECURITY CO., LTD.

Effective date: 20150715

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150715

Address after: 100097 Beijing city Haidian District landianchang road A Jin Yuan era business center No. 2 block 5E

Patentee after: Beijing Dongfang Micropoint Information Technology Co.,Ltd.

Address before: 350002, No. 548, industrial road, Gulou District, Fujian, Fuzhou, five

Patentee before: Fujian Orient Micropoint Information Security Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20180507

Address after: 100097 Jin Yuan, A 5E, business center, 2 East Road, Haidian District, Beijing.

Patentee after: Weidian Baihui (Beijing) Information Security Technology Co.,Ltd.

Address before: 100097 Jin Yuan, A 5E, business center, 2 East Road, Haidian District, Beijing.

Patentee before: Beijing Dongfang Micropoint Information Technology Co.,Ltd.

TR01 Transfer of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20091104

Termination date: 20211231

CF01 Termination of patent right due to non-payment of annual fee