CN102542186A - Malicious program detection device and malicious program detection method - Google Patents

Malicious program detection device and malicious program detection method

Publication number: CN102542186A
Application number: CN2010106018091A
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 戴士尧, 邹耀东, 李庭宇, 颜新晨, 郭斯彦, 吴建兴
Original and current assignee: Institute for Information Industry
Prior art keywords: malicious behavior, malicious program, processing unit, program, behavior

Abstract

The invention discloses a malicious program detection device and a malicious program detection method. The device detects a program that executes a first process, and comprises a storage unit and a processing unit. The storage unit stores a malicious behavior profile of a malicious program; the processing unit builds a first behavior profile from the first process, compares the first behavior profile with the malicious behavior profile to obtain a comparison result, updates a behavior record table according to the comparison result, and judges from the behavior record table whether the program is the malicious program.

Description

Malicious program detection device and malicious program detection method
Technical field
The invention relates to a malicious program detection device and a malicious program detection method. More specifically, it relates to a malicious program detection device and a malicious program detection method for detecting a program.
Background
As digital information is used ever more widely, awareness of information security has grown and driven the development of protection technology. At present the usual way to protect information is to use antivirus software to detect virus programs. In detail, to prevent data from being stolen or destroyed, a computer usually carries antivirus software together with a virus database that records the signatures of currently known virus programs. The antivirus software compares each file on the computer against these signatures one by one; if a file matches a signature, it is confirmed to be a virus program.
However, with the rapid growth of virus programs and the derivation of ever more packed variants, the rate at which the virus database is updated with new signatures is no longer sufficient to keep up with the growth of malicious programs. In particular, because existing antivirus software detects virus programs by signature comparison, it is limited by the completeness of the virus database: if the database has not been updated with the signature of a packed variant, the antivirus software cannot detect that variant. Signature comparison also takes a long time. The result is a lower detection rate of virus programs, a gap in information security, and the high cost of continually updating the virus database.
In sum, how to speed up the comparison of malicious behaviors and raise the detection rate of virus programs is a problem that practitioners in this field urgently need to solve.
Summary of the invention
One object of the invention is to provide a malicious program detection device. The device detects a program that executes a first process, and comprises a storage unit and a processing unit. The storage unit stores a malicious behavior database that records a malicious behavior profile of a malicious program. The processing unit is connected to the storage unit and builds a first behavior profile from the first process; compares the first behavior profile with the malicious behavior profile and produces a comparison result; updates a behavior record table according to the comparison result; and judges from the behavior record table that the program is the malicious program.
Another object of the invention is to provide a malicious program detection method for the above malicious program detection device. The device detects a program and comprises a storage unit and a processing unit; the storage unit stores a malicious behavior database that records a malicious behavior profile of a malicious program; the processing unit is connected to the storage unit; and the program executes a first process. The method comprises the following steps: (a) making the processing unit build a first behavior profile from the first process; (b) making the processing unit compare the first behavior profile with the malicious behavior profile and produce a comparison result; (c) making the processing unit update a behavior record table according to the comparison result; and (d) making the processing unit judge from the behavior record table that the program is the malicious program.
A further object of the invention is to provide a computer program product storing program instructions for a malicious program detection method of a malicious program detection device. The device detects a program and comprises a storage unit and a processing unit; the storage unit stores a malicious behavior database that records a malicious behavior profile of a malicious program; the processing unit is connected to the storage unit; and the program executes a first process. The program instructions comprise: a program instruction A that makes the processing unit build a first behavior profile from the first process; a program instruction B that makes the processing unit compare the first behavior profile with the malicious behavior profile and produce a comparison result; a program instruction C that makes the processing unit update a behavior record table according to the comparison result; and a program instruction D that makes the processing unit judge from the behavior record table that the program is the malicious program.
The beneficial technical effect of the invention is as follows. The malicious program detection device stores a malicious behavior database that records a malicious behavior profile of a malicious program. When a program running on the device executes a first process, the device builds a first behavior profile from the first process, compares the first behavior profile with the malicious behavior profile and produces a comparison result, then updates a behavior record table according to the comparison result and judges from the behavior record table that the program is the malicious program. The invention thereby overcomes the disadvantage that the update speed of existing antivirus software cannot keep up with the growth of packed variant malicious programs, and at the same time speeds up the comparison of malicious behaviors and raises the detection rate of virus programs.
After reading the embodiments described below with reference to the drawings, a person of ordinary skill in the art will understand the other objects of the invention as well as its technical means and implementation.
Description of drawings
Fig. 1 is a schematic of the first embodiment of the invention;
Fig. 2 is a schematic of the behavior profile of the invention;
Fig. 3 is a schematic of the malicious behavior database of the invention;
Fig. 4 is a schematic of the threshold database of the invention;
Fig. 5 is a schematic of the behavior record table of the invention; and
Fig. 6 is a flowchart of the second embodiment of the invention.
Embodiments
The invention is explained below through embodiments. The embodiments are not meant to limit the invention to any particular environment, application or form described in them; the description of the embodiments serves only to explain the invention, not to restrict it. Elements not directly related to the invention are omitted from the following embodiments and drawings, and the relative sizes of elements in the drawings are only for ease of understanding and do not represent actual proportions.
The first embodiment of the invention is a malicious program detection device 1, shown schematically in Fig. 1. Malicious program detection device 1 comprises a storage unit 11, a processing unit 13 and an output unit 15; storage unit 11 and output unit 15 are each electrically connected to processing unit 13. Storage unit 11 may be a memory, floppy disk, hard disk, optical disc, USB flash drive, tape, a database accessible over a network, or any other storage medium with the same function that a person of ordinary skill in the art can readily think of. Processing unit 13 may be any present or future processor, central processing unit, microprocessor, calculator, or other device with computing capability that such a person can readily think of.
In this embodiment, malicious program detection device 1 is a computer. In other embodiments it may be a server, notebook computer, personal digital assistant (PDA), mobile phone, game console, digital media player, or any other malicious program detection device capable of detecting malicious programs. The implementation of malicious program detection device 1 does not limit the scope of the invention.
Generally, a malicious program comprises one or more malicious behaviors, and each malicious behavior in turn comprises one or more processes. To detect malicious programs effectively, each process of a malicious program must be described by specific rules; the invention therefore defines a behavior profile to describe a process.
Refer to Fig. 2, a schematic of the behavior profile of the invention. The behavior profile 2 defined by the invention for a process comprises three parts: an execution target, an execution action and associated information. The execution action is the action the process performs; the execution target is the target on which the process performs that action; and the associated information is the execution information associated with the process performing that action on that target. For example, suppose a process is "create an htm file with a random name", meaning the process creates a file whose name is random and whose extension is .htm. The execution target of this process is "File", the execution action is "Create", and in this instance the associated information is the path of the created randomly named htm file, "C~LOCALS~XXX.htm".
More specifically, a process usually accomplishes the operation it wants to perform through system calls, and a system call carries the necessary information about the process making it; the execution target and execution action in behavior profile 2 can therefore be captured from the system calls the process makes. The associated information in behavior profile 2 differs from process to process, since different processes involve different execution information; it can be any relevant execution information, decided according to the practical situation, and its format and content do not limit the scope of the invention.
Storage unit 11 of malicious program detection device 1 stores a malicious behavior database that records the malicious behavior profiles of various malicious programs. How malicious program detection device 1 builds this database is described in detail below. When a malicious program runs on malicious program detection device 1, it performs one or more malicious behaviors, each of which is accomplished by executing one or more processes. Accordingly, when a malicious program executes a process on malicious program detection device 1, processing unit 13 captures the execution target, execution action and associated information of that process in the manner described above to build a malicious behavior profile of the process; at the same time, processing unit 13 generates a code corresponding to that malicious behavior profile. The code represents the malicious behavior profile, so that processing unit 13 can later detect from the code whether a program is a malicious program.
The contents of the malicious behavior database and the coding of behavior profiles are illustrated below. A malicious program A has a malicious behavior A-1 and a malicious behavior A-2. Malicious behavior A-1 is "modify the Internet Explorer browser" and executes a process A-1:1, "open the Internet Explorer key", and a process A-1:2, "select the suggested-password field". Malicious behavior A-2 is "open Internet Explorer and attempt to connect" and executes a process A-2:1, "create an htm file with a random name", and a process A-2:2, "write the htm file with the random name". Processing unit 13 captures the execution target, execution action and associated information of processes A-1:1, A-1:2, A-2:1 and A-2:2 respectively and builds their malicious behavior profiles. It then generates a code A-1:1 representing the malicious behavior profile of process A-1:1, a code A-1:2 representing that of process A-1:2, a code A-2:1 representing that of process A-2:1, and a code A-2:2 representing that of process A-2:2.
The malicious behavior database built in this way is shown in Fig. 3, a schematic of the malicious behavior database. Malicious behavior database 3 contains the malicious behavior profile of each process of malicious program A, that is, each process's execution target, execution action and associated information, together with the code corresponding to each process.
As stated above, a malicious program comprises one or more malicious behaviors, and each malicious behavior comprises one or more processes. To judge whether a program is a given malicious program, one must therefore judge whether the program executes those processes, then whether the processes it executes accumulate to constitute those malicious behaviors, and then whether the malicious behaviors it performs accumulate to constitute the malicious program. Accordingly, storage unit 11 of malicious program detection device 1 also stores a threshold database, which records the behavior count threshold, the profile count threshold and the kinds of behavior profile needed to constitute a malicious program.
Specifically, refer to Fig. 4, a schematic of the threshold database of the invention. The "malicious behavior code" field of the threshold database records the kinds of malicious behaviors, in the coding described above; the "malicious behavior profile code" field records the kinds of malicious behavior profiles a malicious behavior comprises, also as codes; the "profile count threshold" field records the number of malicious behavior profiles needed to constitute a malicious behavior; and the "behavior count threshold" field records the number of malicious behaviors needed to constitute a malicious program.
For instance, a malicious program A has a malicious behavior A-1, so the "malicious behavior code" field records A-1. Malicious behavior A-1 executes five processes, so the "malicious behavior profile code" field records 1, 2, 3, 4 and 5, the codes of the five malicious behavior profiles corresponding to those five processes: 1 represents the first malicious behavior profile of A-1, 2 the second, and so on. Because A-1 comprises five malicious behavior profiles, the "profile count threshold" field of A-1 is 5, meaning that once the five processes corresponding to these five profiles have been executed, malicious behavior A-1 is constituted. Because malicious program A comprises malicious behaviors A-1 and A-2, the "behavior count threshold" field is 2, meaning that once both A-1 and A-2 have been carried out, malicious program A is constituted.
Further, the malicious behavior profiles a malicious behavior comprises can be divided into basic malicious behavior profiles and optional malicious behavior profiles. A basic profile is indispensable to constituting the malicious behavior; an optional profile is not necessary to constitute it. For example, refer to malicious behavior C-4 in Fig. 4: its "malicious behavior profile code" field records 1, 2, 3, 4, 5, 6 and 7. Profiles 1 to 5 are basic, so constituting C-4 must include all five; profiles 6 and 7 are optional, so constituting C-4 requires only one of the two. Accordingly, the profile count threshold of C-4 is 6, computed as the five basic profiles plus one optional profile. The kinds and numbers of basic and optional profiles depend on the characteristics of each malicious program in practice and do not limit the scope of the invention.
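The malicious behavior database of Fig. 3 and the threshold database of Fig. 4, as an added Python example that is not part of the patent. Program A follows the page's example (the contents of profile A-1:2 and A-2:2 are hypothetical), and behavior C-4 follows the five-basic-plus-two-optional layout of Fig. 4 with hypothetical profile contents; the dictionary field names, the "basic_codes" entry and the find_code lookup are assumptions for illustration.

```python
from typing import Dict, List, Optional, Tuple

# A behavior profile (Fig. 2) is the triple (execution target, execution action, associated information).
Profile = Tuple[str, str, str]

# Constructed input: what the processing unit records while running each known malicious program.
# Each behavior lists its basic (required) profiles and its optional profiles.
# Program A follows the page's example; C-4 has the 5 basic + 2 optional profiles of Fig. 4
# with hypothetical contents.
SAMPLE_PROGRAMS: Dict[str, Dict[str, Dict[str, List[Profile]]]] = {
    "A": {
        "A-1": {"basic": [("Reg", "OpenKey", "Microsoft Main"),
                          ("Reg", "QueryValue", "Password")],          # hypothetical A-1:2
                "optional": []},
        "A-2": {"basic": [("File", "Create", "C~LOCALS~XXX.htm"),
                          ("File", "Write", "C~LOCALS~XXX.htm")],      # hypothetical A-2:2
                "optional": []},
    },
    "C": {
        "C-4": {"basic": [("Reg", "CreateKey", "Run"),
                          ("Reg", "SetValue", "Run"),
                          ("File", "Copy", "C~SYSTEM~svchost.exe"),
                          ("Process", "Create", "C~SYSTEM~svchost.exe"),
                          ("Net", "Connect", "80")],
                "optional": [("Net", "Send", "POST"),
                             ("Net", "Send", "GET")]},
    },
}


def build_databases(programs: Dict[str, Dict[str, Dict[str, List[Profile]]]]):
    """Flatten recorded runs into the malicious behavior database (Fig. 3) and the
    threshold database (Fig. 4). Profile codes are '<behavior>:<n>' as on the page."""
    profile_db: Dict[str, Profile] = {}
    threshold_db: Dict[str, dict] = {}
    for prog_code, behaviors in programs.items():
        entry = {"behavior_threshold": len(behaviors), "behaviors": {}}
        for beh_code, groups in behaviors.items():
            codes: List[str] = []
            for n, profile in enumerate(groups["basic"] + groups["optional"], start=1):
                code = f"{beh_code}:{n}"
                profile_db[code] = profile
                codes.append(code)
            # every basic profile is required; at most one optional profile counts
            entry["behaviors"][beh_code] = {
                "profile_codes": codes,
                "basic_codes": codes[:len(groups["basic"])],
                "profile_threshold": len(groups["basic"]) + (1 if groups["optional"] else 0),
            }
        threshold_db[prog_code] = entry
    return profile_db, threshold_db


def find_code(profile_db: Dict[str, Profile], profile: Profile) -> Optional[str]:
    """The comparison step: return the code of an identical malicious behavior profile, or None."""
    for code, stored in profile_db.items():
        if stored == profile:
            return code
    return None


if __name__ == "__main__":
    pdb, tdb = build_databases(SAMPLE_PROGRAMS)
    print(find_code(pdb, ("Reg", "OpenKey", "Microsoft Main")), tdb["C"]["behaviors"]["C-4"])
```

The threshold for C-4 comes out as 6, as the page computes it; find_code performs the exact three-field comparison the page describes for fixed associated information, and returns None for anything not in the database.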
It should be noted that, besides being built by malicious program detection device 1 and stored in storage unit 11, malicious behavior database 3 and threshold database 4 may be built in advance by another device (such as a computer, server or computing unit), transmitted to malicious program detection device 1 and stored in storage unit 11; or they may be built by another device and stored in a storage device, which malicious program detection device 1 connects to in order to access the stored malicious behavior database 3 and threshold database 4. The device that builds and stores malicious behavior database 3 and threshold database 4 therefore does not limit the scope of the invention.
Next, how malicious program detection device 1 detects a malicious program is described in detail; for ease of understanding, the detection flow is explained with an example. First, when a program runs on malicious program detection device 1 and executes a first process, processing unit 13 captures from that first process a first execution target, a first execution action and first associated information, here "Reg", "OpenKey" and "Microsoft Main" respectively, and builds a first behavior profile from them. Processing unit 13 then searches malicious behavior database 3 for a malicious behavior profile identical to this first behavior profile. From malicious behavior database 3 in Fig. 3 it can be seen that the first behavior profile is identical to the malicious behavior profile coded A-1:1, so processing unit 13 retrieves code A-1:1 from malicious behavior database 3 and stores code A-1:1 in a list.
On the other hand, malicious program detection device 1 may run several programs at the same time over a period, each comprising several processes, and malicious program detection is performed per program, comparing each program to detect whether it is malicious; malicious program detection device 1 must therefore identify which program executed a given process. Accordingly, processing unit 13 also attaches the process identification information (process ID) corresponding to the program to the first behavior profile. For example, processing unit 13 appends the code 70 to code A-1:1, so the first behavior profile is now represented by "A-1:1, 70", where the code 70 indicates that the first behavior profile was executed by this program. The format of the process identification information and the way it is appended may be adjusted to the practical situation and do not limit the scope of the invention.
Processing unit 13 then builds and updates a behavior record table, for example a hash table, according to the comparison result above; refer to Fig. 5, a schematic of the behavior record table of the invention. Hash table 5 counts the number of malicious behavior profiles processing unit 13 has matched so far, to determine whether they accumulate to constitute a malicious behavior, and counts the number of malicious behaviors matched, to determine whether they accumulate to constitute a malicious program. As shown in Fig. 5, the "malicious program/malicious behavior" field of hash table 5 records the malicious program code or malicious behavior code that processing unit 13 has matched; the "process identification information" field records which program executed the matched malicious program or malicious behavior; and the "cumulative count" field records the accumulated number of malicious behavior profiles matched or malicious behaviors matched.
For instance, after processing unit 13 compares the first process and finds that it matches the malicious behavior profile coded "A-1:1, 70", it records A-1 in the "malicious program/malicious behavior" field of hash table 5, records 70 in the "process identification information" field, and increases the "cumulative count" field by 1. In this example the cumulative count of A-1 rises from 4 to 5, meaning processing unit 13 has matched five malicious behavior profiles belonging to malicious behavior A-1. Since the profile count threshold of A-1 in threshold database 4 is 5, processing unit 13 judges that these five matched malicious behavior profiles constitute malicious behavior A-1; it therefore further increases the cumulative count of malicious program A in hash table 5 by 1, meaning processing unit 13 has so far matched one malicious behavior belonging to malicious program A.
Likewise, when the program executes a second process, processing unit 13 compares, by the same flow, whether the second process matches a malicious behavior profile and updates hash table 5 according to the comparison result. Finally, processing unit 13 judges from the value in the "behavior count threshold" field of threshold database 4 whether the number of malicious behaviors matched constitutes a malicious program. In this way malicious program detection device 1 compares each process of a program one by one and judges whether the program is a malicious program.
In addition, threshold database 4 in Fig. 4 shows that malicious behavior A-1 comprises malicious behavior profiles 1, 2, 3, 4 and 5, and matching any one of them updates the cumulative count of A-1 in hash table 5. A program may, however, execute the same process twice. For instance, a program may execute twice the process corresponding to malicious behavior profile 1 of A-1, but in that case the cumulative count of A-1 may only be increased by 1; otherwise the comparison would produce a false judgment. To avoid this, processing unit 13 further confirms whether a comparison is being repeated.
As stated above, after retrieving a first code from malicious behavior database 3, processing unit 13 stores it in a list. This list is used to check whether an identical code appears repeatedly: when processing unit 13 retrieves a second code from malicious behavior database 3, it first checks whether the second code already appears in the list. If it does, an identical malicious behavior profile has been matched before, and processing unit 13 does not update hash table 5; if it does not, a different malicious behavior profile has been matched, and processing unit 13 updates hash table 5. In this way malicious program detection device 1 avoids false judgments caused by repeated comparisons.
In the comparison described above, processing unit 13 builds a behavior profile from a process of a program and compares whether it matches a malicious behavior profile, the comparison being whether the execution target, execution action and associated information of the behavior profile match those of a malicious behavior profile recorded in malicious behavior database 3. However, the associated information in a process of some packed variant malicious programs may vary randomly; in other words, the behavior profile built may not exactly match any malicious behavior profile in malicious behavior database 3, leaving a gap in the comparison.
To overcome this shortcoming, malicious program detection device 1 further classifies the associated information in the processes of a malicious program into three kinds: fixed associated information, random associated information, and random-and-continuous associated information. The comparison for each kind is described below. First, when a process is classified as having fixed associated information, its associated information never changes: the process produces the same associated information every time it runs, and the behavior profile processing unit 13 builds from it is identical every time, so processing unit 13 can compare the process's execution target, execution action and associated information directly against malicious behavior database 3. That is, comparing a behavior profile with fixed associated information compares the execution target, execution action and associated information together.
Second, when a process is classified as having random associated information, its associated information varies randomly: the text in the associated information is generated at random, appears only once and is not reused. For instance, the associated information may contain the file name of a randomly named .exe file; since the name is generated at random, it differs each time. In short, the process produces different associated information each time it runs, and the behavior profile processing unit 13 builds from it differs each time, so when comparing this kind of process processing unit 13 compares only the execution target and execution action against malicious behavior database 3. That is, comparing a behavior profile with random associated information compares only the execution target and execution action.
Finally, when a process is classified as having random-and-continuous associated information, its associated information varies randomly but appears continuously: the text in the associated information is generated at random but is reused. For instance, a first process of a malicious program is "create an htm file with a random name", so its associated information contains a randomly named .htm file, say abc.htm; a second process of the same malicious program is "write the htm file with the random name", and its associated information also contains abc.htm. Although abc.htm is a random name, it recurs across different processes of the malicious program. Accordingly, when a first process of a program is classified as having random-and-continuous associated information, processing unit 13 stores the associated information of the first process in a hash table; when comparing a second process of the program, processing unit 13 checks whether the second process has associated information identical to that stored in the hash table, and if so, the second process matches a malicious behavior profile. Through the comparison methods above, malicious program detection device 1 can effectively detect various packed variant malicious programs.
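The detection flow of the preceding paragraphs (profile comparison, the list of matched codes that suppresses repeated comparisons, the hash table of cumulative counts, and the two thresholds) together with the three kinds of associated information just described, as one added Python example that is not part of the patent. The profile, behavior and program databases are constructed; the kind label stored beside each profile, the split of random-and-continuous information into the profile that introduces the random name and the one that reuses it, and the trace for process IDs 70 and 71 are all assumptions for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Kinds of associated information. The page's "random and continuous" class is split here
# (an assumption) into the process that introduces the random name and the one that reuses it.
FIXED, RANDOM, RC_INTRODUCE, RC_REUSE = "fixed", "random", "rc_introduce", "rc_reuse"

# Constructed malicious behavior database: code -> (target, action, associated info, kind).
# For RANDOM and RC_* profiles the info field is documentation only; it is never compared.
PROFILE_DB: Dict[str, Tuple[str, str, str, str]] = {
    "A-1:1": ("Reg", "OpenKey", "Microsoft Main", FIXED),
    "A-1:2": ("Reg", "QueryValue", "Password", FIXED),
    "A-2:1": ("File", "Create", "<random>.htm", RC_INTRODUCE),
    "A-2:2": ("File", "Write", "<random>.htm", RC_REUSE),
    "A-2:3": ("Process", "Create", "<random>.exe", RANDOM),
}
# Constructed threshold database: behavior -> (profile codes, profile count threshold);
# program -> (behavior codes, behavior count threshold).
BEHAVIOR_DB = {"A-1": (["A-1:1", "A-1:2"], 2), "A-2": (["A-2:1", "A-2:2", "A-2:3"], 3)}
PROGRAM_DB = {"A": (["A-1", "A-2"], 2)}


class Detector:
    def __init__(self) -> None:
        # the list of codes already matched, kept per process ID so a repeat is not counted twice
        self.seen: Dict[int, List[str]] = defaultdict(list)
        # behavior record table (hash table): (behavior or program code, pid) -> cumulative count
        self.counts: Dict[Tuple[str, int], int] = defaultdict(int)
        # random names introduced by earlier processes of the same program
        self.names: Dict[int, Set[str]] = defaultdict(set)

    def match(self, pid: int, target: str, action: str, info: str) -> Optional[str]:
        """Compare one behavior profile against PROFILE_DB; return the matching code or None."""
        for code, (t, a, i, kind) in PROFILE_DB.items():
            if (t, a) != (target, action):
                continue                                  # target and action are always compared
            if kind == FIXED and info != i:
                continue                                  # fixed info must match exactly
            if kind == RC_REUSE and info not in self.names[pid]:
                continue                                  # random name must have been seen before
            if kind == RC_INTRODUCE:
                self.names[pid].add(info)                 # remember the random name for later
            return code                                   # RANDOM: target and action suffice
        return None

    def observe(self, pid: int, target: str, action: str, info: str) -> Optional[str]:
        """Feed one process (target, action, info) executed by program `pid`.
        Returns the malicious program code once `pid` reaches the behavior count threshold."""
        code = self.match(pid, target, action, info)
        if code is None or code in self.seen[pid]:
            return None                                   # no match, or a repeated comparison
        self.seen[pid].append(code)
        behavior = next(b for b, (codes, _) in BEHAVIOR_DB.items() if code in codes)
        self.counts[(behavior, pid)] += 1
        if self.counts[(behavior, pid)] != BEHAVIOR_DB[behavior][1]:
            return None
        # the behavior is now complete: count it once toward its program
        program = next(p for p, (behs, _) in PROGRAM_DB.items() if behavior in behs)
        self.counts[(program, pid)] += 1
        if self.counts[(program, pid)] == PROGRAM_DB[program][1]:
            return program
        return None


def run_sample():
    """Replay a constructed trace of two programs (process IDs 70 and 71)."""
    det = Detector()
    trace = [
        (70, "Reg", "OpenKey", "Microsoft Main"),   # A-1:1
        (70, "Reg", "OpenKey", "Microsoft Main"),   # same process again: not counted twice
        (70, "Reg", "QueryValue", "Password"),      # A-1:2 -> behavior A-1 complete
        (70, "File", "Create", "qz81.htm"),         # A-2:1 introduces the random name
        (70, "File", "Write", "other.htm"),         # unknown name: no match
        (70, "File", "Write", "qz81.htm"),          # A-2:2 reuses the name
        (71, "File", "Create", "abc.htm"),          # another program: tracked separately
        (70, "Process", "Create", "k3j.exe"),       # A-2:3 -> A-2 complete -> program A
    ]
    verdicts = [det.observe(*rec) for rec in trace]
    return det, verdicts


if __name__ == "__main__":
    detector, results = run_sample()
    print(results)
```

Thresholds are compared with equality so that a completed behavior is counted toward its program only once, even when extra optional profiles push its count past the threshold. A count-based threshold alone cannot express that all basic profiles are required (four basic plus two optional would also reach six); to enforce that, compare the set of matched codes against the basic codes rather than the count.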
When a program is judged by comparison to match a malicious program, processing unit 13 also transmits a detection result to output unit 15, and output unit 15 produces an image or a sound to notify a user that a malicious program has been detected. Output unit 15 may be a display, a loudspeaker, or any other device capable of presenting the detection result; it is not limited to these.
The second embodiment of the present invention, shown in Fig. 6, is a malicious program detection method for the malicious program detection device described in the first embodiment. The malicious program detection device is for detecting a program and comprises a storage unit and a processing unit. The storage unit stores a malicious behavior database, which records a malicious behavior specification of a malicious program; the processing unit is electrically connected to the storage unit; and the program executes a first processing program.
In addition, the malicious program detection method of the second embodiment can be executed by a computer program product: after the malicious program detection device loads the computer program product through a computer and executes the plurality of program instructions it contains, the malicious program detection method of the second embodiment is accomplished. The computer program product can be stored in a computer-readable recording medium, for example a read-only memory (ROM), a flash memory, a floppy disk, a hard disk, an optical disc, a USB flash drive, a magnetic tape, a database accessible over a network, or any other storage medium with the same function known to those skilled in the art.
Fig. 6 is a flowchart of the malicious program detection method of the second embodiment. First, the method executes step 601, in which the processing unit builds a first behavior specification according to the first processing program. Then step 602 is executed, in which the processing unit compares the first behavior specification with the malicious behavior specification and produces a comparison result.
The storage unit of the malicious program detection device also stores a threshold database, which records a behavior specification count threshold and a behavior count threshold of the malicious program, while the behavior record table records a behavior specification count and a behavior count. The method then executes step 603, in which the processing unit updates the behavior specification count according to the comparison result, and step 604, in which the processing unit updates the behavior count when the behavior specification count reaches the behavior specification count threshold. Finally, in step 605, when the behavior count reaches the behavior count threshold, the processing unit judges the program to be the malicious program.
In addition, the malicious program comprises a malicious behavior, and the malicious behavior executes a second processing program; the malicious program detection method can also execute a step 606 (not shown in Fig. 6) before step 601, in which the processing unit builds the malicious behavior specification according to the second processing program.
In step 602, the processing unit compares the first behavior specification with the malicious behavior specification and produces a comparison result. In more detail, the first behavior specification comprises a first execution target, a first execution action and first link information of the first processing program, and the malicious behavior specification comprises a second execution target, a second execution action and second link information of the second processing program. In step 602, the processing unit produces the comparison result by comparing the first execution target with the second execution target, the first execution action with the second execution action, and the first link information with the second link information.
Besides the above steps, the malicious program detection method can also execute a step 607 (not shown in Fig. 6), in which the processing unit attaches program identification information corresponding to the program to the first behavior specification, so that the processing unit can judge, according to the program identification information, that the first behavior specification corresponds to the program; and a step 608 (not shown in Fig. 6), in which the processing unit generates a code corresponding to the malicious behavior specification and represents the malicious behavior specification by that code.
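The three link-information comparison modes (fixed, random, random-and-continuous with a hash list) and the threshold-driven record-table update of steps 601 to 605 can be exercised together in a small simulation. The following Python is an added example for this page, not code from the patent or its applicant. It assumes that the hash list is kept per malicious behavior, that each malicious behavior specification counts at most once toward the behavior specification count, and that the malicious behavior database entry, the thresholds and the observed trace are constructed sample data; none of these details are defined by the patent.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class LinkMode(Enum):
    """How the link information of a malicious behavior specification is compared."""
    FIXED = "fixed"                          # constant text, compared literally
    RANDOM = "random"                        # random and used once: compare target and action only
    RANDOM_CONTINUOUS = "random_continuous"  # random but reused by later processing programs


@dataclass(frozen=True)
class BehaviorSpec:
    """A behavior specification: execution target, execution action and link information."""
    target: str
    action: str
    link: str
    mode: LinkMode = LinkMode.FIXED


@dataclass
class MaliciousBehavior:
    """One malicious behavior (a list of specs) plus its behavior specification count threshold."""
    name: str
    specs: list
    spec_count_threshold: int


@dataclass
class MaliciousProgram:
    """Malicious behavior database entry plus its behavior count threshold."""
    name: str
    behaviors: list
    behavior_count_threshold: int


@dataclass
class RecordTable:
    """Behavior record table kept for one monitored program (assumed layout)."""
    matched_specs: dict = field(default_factory=dict)   # behavior name -> matched spec indices
    matched_behaviors: set = field(default_factory=set)
    behavior_count: int = 0
    hash_lists: dict = field(default_factory=dict)      # behavior name -> deposited random links


def spec_matches(observed: BehaviorSpec, malicious: BehaviorSpec, hash_list: set) -> bool:
    """Step 602: compare one observed specification with one malicious specification."""
    if (observed.target, observed.action) != (malicious.target, malicious.action):
        return False
    if malicious.mode is LinkMode.FIXED:
        return observed.link == malicious.link
    if malicious.mode is LinkMode.RANDOM:
        return True
    # RANDOM_CONTINUOUS: the first matching processing program deposits its link in the
    # hash list; later processing programs match only if they reuse a deposited link.
    if not hash_list:
        hash_list.add(observed.link)
        return True
    return observed.link in hash_list


class MaliciousProgramDetector:
    def __init__(self, program: MaliciousProgram):
        self.program = program
        self.table = RecordTable()

    def observe(self, observed: BehaviorSpec) -> bool:
        """Steps 603-605 for one observed spec; True once the program is judged malicious."""
        table = self.table
        for behavior in self.program.behaviors:
            if behavior.name in table.matched_behaviors:
                continue
            matched = table.matched_specs.setdefault(behavior.name, set())
            hash_list = table.hash_lists.setdefault(behavior.name, set())
            for idx, mspec in enumerate(behavior.specs):
                if idx in matched or not spec_matches(observed, mspec, hash_list):
                    continue
                matched.add(idx)                                   # step 603: spec count grows
                if len(matched) >= behavior.spec_count_threshold:  # step 604: behavior complete
                    table.matched_behaviors.add(behavior.name)
                    table.behavior_count += 1
                break
        return table.behavior_count >= self.program.behavior_count_threshold  # step 605


def run_trace(program: MaliciousProgram, trace) -> Optional[int]:
    """Feed observed specs in order; return the 1-based step at which detection fires, else None."""
    detector = MaliciousProgramDetector(program)
    for step, observed in enumerate(trace, 1):
        if detector.observe(observed):
            return step
    return None


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed malicious behavior database entry and thresholds (sample data, not from the patent).
SAMPLE_MALWARE = MaliciousProgram("packed dropper variant (constructed)", [
    MaliciousBehavior("drop and run", [
        BehaviorSpec("exe file", "create", "<random>.exe", LinkMode.RANDOM),
        BehaviorSpec("process", "create", "<random>.exe", LinkMode.RANDOM),
    ], spec_count_threshold=2),
    MaliciousBehavior("stage htm", [
        BehaviorSpec("htm file", "create", "<random>.htm", LinkMode.RANDOM_CONTINUOUS),
        BehaviorSpec("htm file", "write", "<random>.htm", LinkMode.RANDOM_CONTINUOUS),
    ], spec_count_threshold=2),
    MaliciousBehavior("persist", [
        BehaviorSpec("registry run key", "write", RUN_KEY, LinkMode.FIXED),
    ], spec_count_threshold=1),
], behavior_count_threshold=2)

# Constructed trace of processing programs executed by a monitored program.
SUSPECT_TRACE = [
    BehaviorSpec("exe file", "create", "xk39q.exe"),                   # first "drop" step only
    BehaviorSpec("htm file", "create", "abc.htm"),                     # deposits abc.htm
    BehaviorSpec("htm file", "write", "zzz.htm"),                      # not in hash list: no match
    BehaviorSpec("registry run key", "write", r"HKCU\Software\Other"),  # fixed link differs
    BehaviorSpec("htm file", "write", "abc.htm"),                      # reuses abc.htm: behavior 1
    BehaviorSpec("registry run key", "write", RUN_KEY),                # behavior 2: detected
]
BENIGN_TRACE = SUSPECT_TRACE[:3]

if __name__ == "__main__":
    print("suspect trace detected at step:", run_trace(SAMPLE_MALWARE, SUSPECT_TRACE))
    print("benign trace detected at step:", run_trace(SAMPLE_MALWARE, BENIGN_TRACE))
```

With the constructed data the suspect trace is judged malicious at its sixth processing program, after the "stage htm" behavior completes via a reused random file name and the fixed registry link matches, while the three-step trace never reaches the behavior count threshold. The incomplete "drop and run" behavior and the write to a different .htm name show why target and action alone are not enough in the fixed and random-and-continuous modes.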
In addition to the above steps, the second embodiment can also perform all the operations and functions described in the first embodiment; those of ordinary skill in the art can directly understand how the second embodiment performs these operations and functions based on the first embodiment, so they are not described again here.
In summary, the present invention establishes in advance a malicious behavior database and a threshold database: the malicious behavior database records a malicious behavior specification of a malicious program, and the threshold database records a behavior specification count threshold and a behavior count threshold of the malicious program. When a program executes a processing program on the malicious program detection device of the present invention, the device builds a behavior specification according to the processing program, compares the behavior specification with the malicious behavior specification, and produces a comparison result; it then updates a behavior specification count according to the comparison result, updates a behavior count when the behavior specification count reaches the behavior specification count threshold, and judges the program to be the malicious program when the behavior count reaches the behavior count threshold. Thereby, the present invention overcomes the shortcoming that the update speed of existing antivirus software cannot keep pace with the growth rate of packed mutated malicious programs, while also accelerating the comparison of malicious behaviors and improving the detection rate of viruses.
The above embodiments are only used to exemplify implementation aspects of the present invention and to explain its technical features; they are not intended to limit the protection scope of the present invention. Any change or equivalent arrangement that those skilled in the art can accomplish without effort falls within the scope claimed by the present invention, and the scope of protection of the present invention shall be determined by the claims.

Claims (14)

1. A malicious program detection device for detecting a program, the program executing a first processing program, characterized in that the malicious program detection device comprises:
a storage unit for storing a malicious behavior database, the malicious behavior database recording a malicious behavior specification of a malicious program; and
a processing unit electrically connected to the storage unit and configured to:
build a first behavior specification according to the first processing program;
compare the first behavior specification with the malicious behavior specification and produce a comparison result;
update a behavior record table according to the comparison result; and
judge, according to the behavior record table, that the program is the malicious program.
2. The malicious program detection device according to claim 1, characterized in that the malicious program comprises a malicious behavior, the malicious behavior executes a second processing program, and the processing unit builds the malicious behavior specification according to the second processing program.
3. The malicious program detection device according to claim 2, characterized in that the first behavior specification comprises a first execution target and a first execution action of the first processing program, the malicious behavior specification comprises a second execution target and a second execution action of the second processing program, and the processing unit is further configured to produce the comparison result by comparing the first execution target with the second execution target and comparing the first execution action with the second execution action.
4. The malicious program detection device according to claim 2, characterized in that the first behavior specification comprises first link information of the first processing program, the malicious behavior specification comprises second link information of the second processing program, and the processing unit is further configured to produce the comparison result by comparing the first link information with the second link information.
5. The malicious program detection device according to claim 1, characterized in that the storage unit is further configured to store a threshold database, the threshold database records a behavior specification count threshold and a behavior count threshold of the malicious program, the behavior record table records a behavior specification count and a behavior count, and the processing unit is further configured to:
update the behavior specification count according to the comparison result;
update the behavior count when the behavior specification count reaches the behavior specification count threshold; and
judge that the program is the malicious program when the behavior count reaches the behavior count threshold.
6. The malicious program detection device according to claim 1, characterized in that the processing unit is further configured to attach program identification information corresponding to the program to the first behavior specification, so that the processing unit can judge, according to the program identification information, that the first behavior specification corresponds to the program.
7. The malicious program detection device according to claim 1, characterized in that the processing unit is further configured to generate a code corresponding to the malicious behavior specification and to represent the malicious behavior specification by that code.
8. A malicious program detection method for a malicious program detection device, characterized in that the malicious program detection device is for detecting a program and comprises a storage unit and a processing unit, the storage unit stores a malicious behavior database, the malicious behavior database records a malicious behavior specification of a malicious program, the processing unit is electrically connected to the storage unit, the program executes a first processing program, and the malicious program detection method comprises the following steps:
(a) making the processing unit build a first behavior specification according to the first processing program;
(b) making the processing unit compare the first behavior specification with the malicious behavior specification and produce a comparison result;
(c) making the processing unit update a behavior record table according to the comparison result; and
(d) making the processing unit judge, according to the behavior record table, that the program is the malicious program.
9. The malicious program detection method according to claim 8, characterized in that the malicious program comprises a malicious behavior, the malicious behavior executes a second processing program, and the malicious program detection method further comprises the following step:
(e) making the processing unit build the malicious behavior specification according to the second processing program.
10. The malicious program detection method according to claim 9, characterized in that the first behavior specification comprises a first execution target and a first execution action of the first processing program, the malicious behavior specification comprises a second execution target and a second execution action of the second processing program, and the malicious program detection method further comprises the following step:
(f) making the processing unit produce the comparison result by comparing the first execution target with the second execution target and comparing the first execution action with the second execution action.
11. The malicious program detection method according to claim 9, characterized in that the first behavior specification comprises first link information of the first processing program, the malicious behavior specification comprises second link information of the second processing program, and the malicious program detection method further comprises the following step:
(g) making the processing unit produce the comparison result by comparing the first link information with the second link information.
12. The malicious program detection method according to claim 8, characterized in that the storage unit also stores a threshold database, the threshold database records a behavior specification count threshold and a behavior count threshold of the malicious program, the behavior record table records a behavior specification count and a behavior count, and the malicious program detection method further comprises the following steps:
(h) making the processing unit update the behavior specification count according to the comparison result;
(i) making the processing unit update the behavior count when the behavior specification count reaches the behavior specification count threshold; and
(j) making the processing unit judge that the program is the malicious program when the behavior count reaches the behavior count threshold.
13. The malicious program detection method according to claim 8, characterized in that it further comprises the following step:
(k) making the processing unit attach program identification information corresponding to the program to the first behavior specification, so that the processing unit can judge, according to the program identification information, that the first behavior specification corresponds to the program.
14. The malicious program detection method according to claim 8, characterized in that it further comprises the following step:
(l) making the processing unit generate a code corresponding to the malicious behavior specification and represent the malicious behavior specification by that code.
CN2010106018091A 2010-12-15 2010-12-15 Malicious program detection device and malicious program detection method Pending CN102542186A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010106018091A CN102542186A (en) 2010-12-15 2010-12-15 Malicious program detection device and malicious program detection method

Publications (1)

Publication Number Publication Date
CN102542186A true CN102542186A (en) 2012-07-04

Family

ID=46349055

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010106018091A Pending CN102542186A (en) 2010-12-15 2010-12-15 Malicious program detection device and malicious program detection method

Country Status (1)

Country Link
CN (1) CN102542186A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104426881A (en) * 2013-09-03 2015-03-18 深圳市腾讯计算机系统有限公司 Method and device for detecting malicious behavior
CN104992117A (en) * 2015-06-16 2015-10-21 北京航空航天大学 Abnormal behavior detection method and behavior model establishment method of HTML5 mobile application program
CN105022957A (en) * 2014-04-30 2015-11-04 财团法人资讯工业策进会 Method for detecting malicious program on demand, electronic device and user interface thereof
CN107342967A (en) * 2016-05-03 2017-11-10 宏碁股份有限公司 Botnet detecting system and its method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1936910A (en) * 2005-11-16 2007-03-28 白杰 Method for identifying unknown virus programe and clearing method thereof
US20070240217A1 (en) * 2006-04-06 2007-10-11 George Tuvell Malware Modeling Detection System And Method for Mobile Platforms
US20090019546A1 (en) * 2007-07-10 2009-01-15 Samsung Electronics Co., Ltd. Method and Apparatus for Modeling Computer Program Behaviour for Behavioural Detection of Malicious Program

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104426881A (en) * 2013-09-03 2015-03-18 深圳市腾讯计算机系统有限公司 Method and device for detecting malicious behavior
CN104426881B (en) * 2013-09-03 2019-06-11 深圳市腾讯计算机系统有限公司 A kind of method and device detecting malicious act
CN105022957A (en) * 2014-04-30 2015-11-04 财团法人资讯工业策进会 Method for detecting malicious program on demand, electronic device and user interface thereof
CN105022957B (en) * 2014-04-30 2018-04-13 财团法人资讯工业策进会 Method for detecting malicious program on demand and electronic device thereof
CN104992117A (en) * 2015-06-16 2015-10-21 北京航空航天大学 Abnormal behavior detection method and behavior model establishment method of HTML5 mobile application program
CN104992117B (en) * 2015-06-16 2018-04-13 北京航空航天大学 The anomaly detection method and behavior model method for building up of HTML5 mobile applications
CN107342967A (en) * 2016-05-03 2017-11-10 宏碁股份有限公司 Botnet detecting system and its method
CN107342967B (en) * 2016-05-03 2020-07-31 安碁资讯股份有限公司 Botnet detection system and method thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20120704