CN103294948A - Software malicious behavior modeling and judging method and device, and mobile terminal - Google Patents

Software malicious behavior modeling and judging method and device, and mobile terminal Download PDF

Info

Publication number
CN103294948A
CN103294948A CN2012100479445A CN201210047944A CN103294948A CN 103294948 A CN103294948 A CN 103294948A CN 2012100479445 A CN2012100479445 A CN 2012100479445A CN 201210047944 A CN201210047944 A CN 201210047944A CN 103294948 A CN103294948 A CN 103294948A
Authority
CN
China
Prior art keywords
malicious act
software
sensitive
sensitive action
action
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012100479445A
Other languages
Chinese (zh)
Other versions
CN103294948B (en
Inventor
乜聚虎
李厚辰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201210047944.5A priority Critical patent/CN103294948B/en
Publication of CN103294948A publication Critical patent/CN103294948A/en
Application granted granted Critical
Publication of CN103294948B publication Critical patent/CN103294948B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The invention discloses a software malicious behavior modeling method. The method comprises the steps as follows: generating at least one sensitive action according to the access to a sensitive resource in a mobile terminal; generating at least one context according to a persistent state of a system in the mobile terminal; and generating a malicious behavior model according to one or more sensitive action in the at least one sensitive action and/or one context in the at least one context. According to the method, the malicious behavior model is generated according to the sensitive action acquired by detecting the sensitive resource and the context expressing the state of the system, and whether any behavior executed by software is malicious behavior can be effectively found, so that malicious software can be accurately judged, and the security of the mobile terminal is improved. The invention further discloses a software malicious behavior molding device, a software malicious behavior and malicious software judgment method, and a mobile terminal.

Description

The modeling of software malicious act and determination methods, device and portable terminal
Technical field
The present invention relates to the mobile communication technology field, particularly the determination methods of the determination methods of the portable terminal of a kind of software malicious act modeling method and model building device, the above-mentioned model building device of employing and software malicious act and software malice.
Background technology
Along with the development of software and mobile communication technology, in portable terminal (for example mobile phone), implant the principal character that software has become smart mobile phone.Be accompanied by increasing software and be implanted in the mobile phone, the part Malware is also implanted.Wherein, Malware refers to carry out the software of malicious act.These malicious acts comprise the privacy information of stealing the user, eavesdropping user's communication content etc.For this reason, need set up model in order to the malicious act of above-mentioned Malware is managed to the Malware in the mobile phone.
The malicious act modeling method of traditional Malware comprises following two classes:
1) based on the malicious act modeling method of executable file: the executable file of the main analysis software of this method, carry out method analysis and abstract in to set up the malicious act model to the feature of Malware executable file.Wherein, the feature of Malware executable file comprises: file characteristic and API Calls sequence etc.Usually, corresponding malicious act feature of each Malware.
Defective based on the malicious act modeling method of executable file is: this method is set up a malicious act feature for each Malware, along with Malware is more and more, the malicious act model quantity that adopts this method to set up is too much, when thereby the system of giving or fail-safe software use above-mentioned modeling method to carry out the malicious act detection, bring the ample resources expense, thereby greatly influence system performance.And a logical Malware can change the executable file feature by adding technology such as shell, thereby existing malicious act model was lost efficacy.
2) based on the malicious act modeling method of single responsive authority.This method is with the single authority visit of the application program main body as the malicious act model.When software has adopted this single authority, think that then this software meets this malicious act model.
Defective based on the malicious act modeling method of single responsive authority is: this method is too general, can't distinguish real Malware and the normal software of having used identical authority effectively, thereby has lost the meaning of malicious act modeling.
In addition, traditional malicious act modeling method do not consider between the authority visit inner link with and residing system state, thereby also just can't embody essence and the purpose of malicious act.Traditional malicious act modeling method does not have customizability, thereby the user can't be according to the self-defined malicious act model of the demand of oneself, and then causes satisfying user's customized demand, and user's Experience Degree is low.
Summary of the invention
Purpose of the present invention is intended to solve at least one of above-mentioned technological deficiency.
For this reason, first purpose of the present invention is to propose a kind of software malicious act modeling method, and this method can improve user's Experience Degree so that the user defines according to self-demand.Second purpose of the present invention is a kind of software malicious act model building device.The 3rd purpose of the present invention is to provide a kind of portable terminal with above-mentioned model building device.The 4th purpose of the present invention is to provide a kind of determination methods of software malicious act, and this method can be judged the malicious act that software is carried out.The 5th purpose of the present invention is to provide a kind of portable terminal with above-mentioned model building device, and this portable terminal can be judged the malicious act of software.The 6th purpose of the present invention is to provide a kind of determination methods of software malice, and this method can judge whether software is Malware according to the malicious act model that above-mentioned modeling method is set up.The 7th purpose of the present invention is to provide a kind of portable terminal with above-mentioned model building device, and this portable terminal can be used for judging whether software is Malware.
For achieving the above object, the embodiment of a first aspect of the present invention provides a kind of software malicious act modeling method, comprises the steps:
Generate at least one sensitive action according to the visit to sensitive resource in the portable terminal;
Generate at least one context according to the residing persistent state of system in the described portable terminal; And
Generate the malicious act model according to a context in the one or more sensitive action in described at least one sensitive action and/or described at least one context.
Software malicious act modeling method according to the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act in order to accurately judge Malware, improve the security of portable terminal.
The embodiment of second aspect present invention provides a kind of software malicious act model building device, comprises the sensitive action generation module, is used for the visit of portable terminal sensitive resource is generated at least one sensitive action; The context generation module is used for generating at least one context according to described portable terminal system present located persistent state; And MBM, be used for generating the malicious act model according to one or more sensitive action of described at least one sensitive action and/or a context in described at least one context.
Software malicious act model building device according to the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act in order to accurately judge Malware, improve the security of portable terminal.
The embodiment of third aspect present invention provides a kind of portable terminal, comprise software malicious act model building device and malice model editing module that second embodiment of the invention provides, the malicious act models show that is used for described software malicious act model building device has been set up is given described mobile terminal user, edits, browses or delete for described user.
Portable terminal according to the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, and the user can make amendment to the malicious act model according to number one and security consideration, thereby identification and process user institute do not wish the software that moves, and then at utmost satisfy user's customized demand and raising user's use viscosity.
The embodiment of fourth aspect present invention provides a kind of determination methods of software malicious act, comprises the steps: that the software malicious act modeling method that adopts first aspect present invention embodiment to provide sets up the malicious act model; System's present located persistent state in the record portable terminal, and generate current context; Record current software to the visit of sensitive resource in the described portable terminal and generate corresponding one or more sensitive action; And according to described current context and the corresponding one or more sensitive action of current software, and described malicious act model judges whether described current software is malicious act to the visit of described sensitive resource.
Determination methods according to the software malicious act of the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act, and the user can make amendment to the malicious act model according to number one and security consideration, thereby identification and process user institute do not wish the software that moves, and then at utmost satisfy user's customized demand and raising user's use viscosity.
Fifth aspect present invention embodiment provides a kind of portable terminal, comprising: the software malicious act model building device that second aspect present invention embodiment provides; Logging modle is used for record portable terminal system present located persistent state, and generates current context, and records current software to the visit of sensitive resource in the described portable terminal and generate corresponding one or more sensitive action; And judge module, be used for according to described current context and the corresponding one or more sensitive action of current software, and the malicious act model that described software malicious act model building device is set up judges whether described current software is malicious act to the visit of described sensitive resource.
Portable terminal according to the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act, and the user can make amendment to the malicious act model according to number one and security consideration, thereby identification and process user institute do not wish the software that moves, and then at utmost satisfy user's customized demand and raising user's use viscosity.
Sixth aspect present invention embodiment provides a kind of determination methods of software malice, comprises the steps: that the software malicious act modeling method that adopts first aspect present invention embodiment to provide sets up the malicious act model; System's present located persistent state in the record portable terminal, and generate current context; Record current software to the visit of sensitive resource in the described portable terminal and generate corresponding one or more sensitive action; According to described current context and the corresponding one or more sensitive action of current software, and described malicious act model judges whether described current software is malicious act to the visit of described sensitive resource; And if be judged as malicious act, then the described malicious act with described current software is prompted to described mobile terminal user, judges by described user whether described current software is Malware.
Determination methods according to the software malice of the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act, and whether further can judge current software be malicious act.In addition, the user can make amendment to the malicious act model according to number one and security consideration, thereby identification and process user institute do not wish the software that moves, and then at utmost satisfies user's customized demand and raising user's use viscosity.
Seventh aspect present invention embodiment provides a kind of portable terminal, comprising: the software malicious act model building device that the embodiment of second aspect present invention provides; Logging modle is used for record portable terminal system present located persistent state, and generates current context, and records current software to the visit of sensitive resource in the described portable terminal and generate corresponding one or more sensitive action; Judge module is used for according to described current context and the corresponding one or more sensitive action of current software, and judges whether described current software is malicious act to the visit of described sensitive resource; And reminding module, be used for when being judged as malicious act, the described malicious act of described current software is prompted to described mobile terminal user, judge by described user whether described current software is Malware.
Portable terminal according to the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act, and whether further can judge current software be malicious act.In addition, the user can make amendment to the malicious act model according to number one and security consideration, thereby identification and process user institute do not wish the software that moves, and then at utmost satisfies user's customized demand and raising user's use viscosity.
The aspect that the present invention adds and advantage part in the following description provide, and part will become obviously from the following description, or recognize by practice of the present invention.
Description of drawings
Above-mentioned and/or the additional aspect of the present invention and advantage are from obviously and easily understanding becoming the description of embodiment below in conjunction with accompanying drawing, wherein:
Fig. 1 is the synoptic diagram of software malicious act modeling method according to an embodiment of the invention;
Fig. 2 is the synoptic diagram according to the modeling of the software malicious act of the embodiment of the invention;
Fig. 3 is the process flow diagram of software malicious act modeling method in accordance with another embodiment of the present invention;
Fig. 4 is the structural representation according to the software malicious act model building device of the embodiment of the invention;
Fig. 5 is the synoptic diagram of portable terminal according to an embodiment of the invention;
Fig. 6 is the process flow diagram according to the determination methods of the software malicious act of the embodiment of the invention;
Fig. 7 is the synoptic diagram of portable terminal in accordance with another embodiment of the present invention;
Fig. 8 is the process flow diagram according to the determination methods of the software malice of the embodiment of the invention; And
Fig. 9 is the synoptic diagram of the portable terminal of another embodiment according to the present invention.
Embodiment
Describe embodiments of the invention below in detail, the example of described embodiment is shown in the drawings, and wherein identical or similar label is represented identical or similar elements or the element with identical or similar functions from start to finish.Be exemplary below by the embodiment that is described with reference to the drawings, only be used for explaining the present invention, and can not be interpreted as limitation of the present invention.
With reference to following description and accompanying drawing, these and other aspects of embodiments of the invention will be known.These describe and accompanying drawing in, some specific implementations in the embodiments of the invention are specifically disclosed, represent to implement some modes of the principle of embodiments of the invention, still should be appreciated that the scope of embodiments of the invention is not limited.On the contrary, embodiments of the invention comprise spirit and interior all changes, modification and the equivalent of intension scope that falls into institute's additional claims.
The present invention is by taking out the behavior sequence that Malware is carried out malicious act to Malware to action and the current persistent state of portable terminal of the sensitive resource of portable terminal visit, the behavior sequence be the Malware behavior model.This Malware behavior model can reflect purpose and the essence of Malware execution malicious act, thereby the user can identify and handle the software action of not wishing to appear in the own system.
Describe according to embodiment of the invention software malicious act modeling method below with reference to Fig. 1 to Fig. 3.
As shown in Figure 1, the software malicious act modeling method that the embodiment of the invention provides comprises the steps:
Step S101 generates at least one sensitive action according to the visit to sensitive resource in the portable terminal.
Store ample resources in portable terminal, wherein, according to the difference of resource to the susceptibility of system, above-mentioned resource can be divided into sensitive resource and non-sensitive resource.Particularly, can be defined as sensitive resource for the resource that relates to security of system and privacy of user, for example: recording, device number, GPS (Global Positioning System, GPS) information, paying note, switching on and shutting down password, telephone directory, secret note, certificate and private key for user etc. arrange responsive authority to the visit of this part resource.
Need to prove that software can not exert an influence to external world to the visit of the non-sensitive authority of own resource and system, thereby the above-mentioned action definition that software is carried out is non-sensitive action.Wherein, the own resource of software comprises file that belongs to this software self etc.
When installed software is visited the sensitive resource of system in the portable terminal at every turn, then generate a sensitive action, thereby generate a plurality of sensitive action according to the access times of software.Wherein, has execution sequence between a plurality of sensitive action.Each sensitive action includes a plurality of attributes, these attribute records this sensitive action carry out the software of action itself and the present situation of system when taking place.
In one embodiment of the invention, the responsive authority of the one or more sensitive action in the malicious act model and system all can choose to determine by the user.
Below in conjunction with concrete example responsive authority and sensitive action are described.
1)
Malicious intent: malice eavesdropping
Responsive authority: visit sound-recording function resource and call function resource simultaneously.
Sensitive action: recording, phone.
2)
Malicious intent: utilize short message malicious positioning position information
Responsive authority: visit GPS information resources and note resource simultaneously.
Sensitive action: GPS, transmitting-receiving note.
3)
Malicious intent: utilize short message malicious positioning equipment information
Responsive authority: device resource and the note resource of visiting portable terminal simultaneously.
Sensitive action: obtain device number, transmitting-receiving note in the system information.
Wherein, the device number of portable terminal can be IMEI (International Mobile Equipment Identity)
4)
Malicious intent: utilize network malice positioning position information
Responsive authority: visit GPS information resources and Internet resources simultaneously.
Sensitive action: GPS, network-in-dialing.
5)
Malicious intent: utilize short message malicious positioning equipment information
Responsive authority: device resource and the Internet resources of visiting portable terminal simultaneously.
Sensitive action: obtain device number, network-in-dialing in the system information.
6)
Malicious intent: malice is stolen user's Financial Information
Responsive authority: the charge note resource of calling party.
Sensitive action: transmitting-receiving charge note.
Be understandable that above-mentioned responsive authority and sensitive action only are the purposes that is in example, rather than in order to limit the present invention.The user can arrange responsive authority and sensitive action voluntarily according to self to the security of portable terminal and the consideration of number one.
Step S102 generates at least one context according to the residing persistent state of system in the portable terminal.
Context is used for reflection system present located persistent state, for example: in the conversation, in the recording, in the navigation, in the charging, take pictures medium.Be understandable that a context can corresponding a plurality of sensitive action.For example: the persistent state of file description is in conversation and the recording up and down, and then Dui Ying sensitive action is for conversing and recording.
Different contexts can corresponding same sensitive action, and the same action in the different context can have different implications according to sensitivity.
For example: context is in conversation and the recording time, and then conversing and recording is sensitive action; Context is in the conversation time, and then conversation is for sensitive action.
In one embodiment of the invention, context can select to determine by mobile terminal user.
Step S103 generates the malicious act model according to a context in the one or more sensitive action at least one sensitive action and/or at least one context.
Generate the malicious act model according to a context at least one context that generates among the one or more sensitive action that generate among the step S101 and/or the step S102, and judge according to this malicious act model whether software carries out malicious act.Wherein, in the malicious act model, defined the execution sequence of a plurality of sensitive action, above-mentioned execution sequence can represent purpose and the essence of malicious act.In other words, if Malware will be realized a malicious intent, must be according to execution sequence through above-mentioned a plurality of sensitive action.
In the use of portable terminal, if the behavior of software comprises a plurality of sensitive action simultaneously and has identical execution sequence, then the malicious act model of above-mentioned generation can judge that the behavior is malicious act, and the software of then carrying out this malicious act is Malware.Wherein, because the one or more sensitive action in the malicious act model and context all can select to determine by mobile terminal user, thereby the user can arrange according to self security and number one to portable terminal, and model is set up and the dirigibility of use and user's Experience Degree thereby can improve.
In one embodiment of the invention, can only generate the malicious act model according to one or more sensitive action.For convenience of description, in following embodiment, will generate the malicious act model jointly with sensitive action and context is that example is described.In one embodiment of the invention, after the malicious act model judges that the behavior of behavior Malware execution is malicious act, record the attribute information of malicious act, and attribute information is showed mobile terminal user.
In an example of the present invention, attribute information can comprise one or more of following content: the time interval and the residing context of each sensitive action between the type of action of the time of origin of each sensitive action, each sensitive action, each sensitive action executor's identify label and current state in the malicious act, two sensitive action.
Malicious act model below with reference to the embodiment of the invention of Fig. 2 is described in detail.
Step S201, the attribute of definition malicious act model.
In one embodiment of the invention, the attribute of malicious act model comprises the attribute such as title, description, processing mode of malicious act model.
Step S202 adds sensitive action.
Sensitive action can generate according to the visit to sensitive resource in the portable terminal.
Step S203 judges whether the details of the sensitive action of need adding.Execution in step S204 then if desired, otherwise execution in step S205.
Step S204, definition is also added the action details.
In one embodiment of the invention, the details of sensitive action can be the attribute of action, for example: the time of origin of sensitive action, type of action, action executor's identify label etc.
Step S205 judges whether sensitive action is in the specific context.If, execution in step S206 then, otherwise execution in step S207.
Particularly, whether the sensitive action of judge adding is in the context corresponding to responsive authority.For example: the sensitive action of adding among the step S202 is recording, if this sensitive action is in the context of " in recording and the conversation ", can judge that then this sensitive action is in the specific context.This is that then dialog context may be eavesdropped by Malware because recording and conversation are carried out simultaneously.
Step S206 adds contextual information.
Contextual information can generate according to the residing persistent state of system in the portable terminal.
Step S207 has judged whether further action, if having then execution in step S202, sets up process otherwise finish the malicious act model.
As from the foregoing, can comprise one or more contextual informations and comprise at least one sensitive action in the malicious act model.
As required the malicious act model is adjusted for the ease of the user, can give mobile terminal user with the malicious act models show of having set up among the step S103, thereby can edit, browse or delete for the user, and then according to the malicious act that makes the user detect and control according to the self-demand Adjustment System.Because the number one of different user is different, each user thinks that the behavior that can damage number one also can be different.By above-mentioned User Defined mechanism, be conducive to satisfy requirements of different users.In addition, the user also can make amendment to existing malicious act model of not meeting consumers' demand in the current system, thereby makes system's demand of can being close to the users more.
For example, if mobile terminal user is initiatively carried out recording and two sensitive action of conversing, then visit recording resource and conversation resource are set to non-sensitive authority simultaneously, because action is initiatively initiated by the user, have obtained user's mandate.
If recording action is not that the user initiatively carries out, then may be that Malware is in malicious intent and carries out, with the malicious intent of the dialog context of realizing the eavesdropping user, then needing simultaneously, visit recording resource and conversation resource are set to responsive authority.Because action is not initiatively initiated by the user, does not obtain user's mandate.
When the executive agent of action changed to Malware by the user, then the user can adjust to responsive authority by non-sensitive authority with the resource of visit recording simultaneously and the authority of conversation resource.
As from the foregoing, as shown in Figure 3, in the malicious act model, to a plurality of contexts and many sensitive action should be arranged.Wherein, in the malicious act model, comprise n sensitive action, be respectively action 1, action 2, action 3......, action n, wherein, the corresponding context of one or more actions.For example: context 1 respective action 2 and action 3.
Software malicious act modeling method according to the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act in order to accurately judge Malware, improve the security of portable terminal.
In addition, though the kind of Malware is a lot of and have a lot of mutation, but the kind that increases is also few, and the behavior basically identical of the Malware of identical type, thereby the malicious act model unanimity that the software malicious act modeling method by the embodiment of the invention takes out goes for multiple class and large batch of Malware.
Below with reference to the software malicious act model building device of Fig. 4 description according to the embodiment of the invention.
As shown in Figure 4, the software malicious act model building device 400 that provides of the embodiment of the invention comprises: sensitive action generation module 410, context generation module 420 and MBM 430.Wherein, sensitive action generation module 410 is used for the visit of portable terminal sensitive resource is generated at least one sensitive action.Context generation module 420 is used for generating at least one context according to portable terminal system present located persistent state.MBM 430 is used for generating the malicious act model according to one or more sensitive action of at least one sensitive action and/or a context at least one context.
According to the difference of resource to the susceptibility of system, resource can be divided into sensitive resource and non-sensitive resource.Particularly, can be defined as sensitive resource for the resource that relates to security of system and privacy of user, for example: recording, device number, GPS (Global Positioning System, GPS) information, paying note, switching on and shutting down password, telephone directory, secret note, certificate and private key for user etc. arrange responsive authority to the visit of this part resource.
Need to prove that software can not exert an influence to external world to the visit of the non-sensitive authority of own resource and system, thereby the above-mentioned action definition that software is carried out is non-sensitive action.Wherein, the own resource of software comprises file that belongs to this software self etc.
When sensitive action generation module 410 is visited the sensitive resource of system in the portable terminal installed software at every turn, then generate a sensitive action.Thereby sensitive action generation module 410 can generate a plurality of sensitive action according to the access times of software.Wherein, has execution sequence between a plurality of sensitive action.Each sensitive action includes a plurality of attributes, these attribute records this sensitive action carry out the software of action itself and the present situation of system when taking place.
In one embodiment of the invention, the responsive authority of one or more sensitive action of sensitive action generation module 410 generations and system all can choose to determine by the user.For example: responsive authority can be for visiting sound-recording function resource and call function resource simultaneously, and then Dui Ying sensitive action is recording and phone.Responsive authority is for visiting device resource and the note resource of portable terminal simultaneously, and then Dui Ying sensitive action is device number, the transmitting-receiving note of obtaining in the system information.
Be understandable that above-mentioned responsive authority and sensitive action only are the purposes that is in example, rather than in order to limit the present invention.The user can arrange responsive authority and sensitive action voluntarily according to self to the security of portable terminal and the consideration of number one.
Context generation module 420 generates at least one context according to the residing persistent state of system in the portable terminal.Wherein, context is used for reflection system present located persistent state, for example: in the conversation, in the recording, in the navigation, in the charging, take pictures medium.Be understandable that a context can corresponding a plurality of sensitive action.For example: the persistent state of file description is in conversation and the recording up and down, and then Dui Ying sensitive action is for conversing and recording.Wherein, different contexts can corresponding same sensitive action, and the same action in the different context can have different implications according to sensitivity.
MBM 430 generates the malicious act model according to a context at least one context of the one or more sensitive action at least one sensitive action of sensitive action generation module 410 generations and based on context generation module 420 generations.Wherein, in the malicious act model, defined the execution sequence of a plurality of sensitive action, above-mentioned execution sequence can represent purpose and the essence of malicious act.In other words, if Malware will be realized a malicious intent, must be according to execution sequence through above-mentioned a plurality of sensitive action.If behavior comprises a plurality of sensitive action and has identical execution sequence that then the malicious act model can judge that the behavior is malicious act simultaneously.
In one embodiment of the invention, the one or more sensitive action in the malicious act model of MBM 430 foundation and context can select to determine by mobile terminal user.
In yet another embodiment of the present invention, software malicious act model building device 400 also comprises the attribute information logging modle.Wherein, attribute information logging modle 400 can be after malicious act model judgement behavior be malicious act, record the attribute information of malicious act, and above-mentioned attribute information is showed mobile terminal user, as required the malicious act model is adjusted thereby be convenient to the user.The user can edit, browse or delete the malicious act model, and then according to the malicious act that makes the user detect and control according to the self-demand Adjustment System.Because the number one of different user is different, each user thinks that the behavior that can damage number one also can be different.Particularly, the user can browse and edit existing malicious act model, and can delete existing malicious act model according to number one and security consideration.
By above-mentioned User Defined mechanism, be conducive to satisfy requirements of different users.In addition, the user also can make amendment to existing malicious act model of not meeting consumers' demand in the current system, thereby makes system's demand of can being close to the users more.
In an example of the present invention, attribute information can comprise one or more of following content: the time interval and the residing context of each sensitive action between the type of action of the time of origin of each sensitive action, each sensitive action, each sensitive action executor's identify label and current state in the malicious act, two sensitive action.
Software malicious act model building device according to the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act in order to accurately judge Malware, improve the security of portable terminal.
In addition, though the kind of Malware is a lot of and have a lot of mutation, but the kind that increases is also few, and the behavior basically identical of the Malware of identical type, thereby the malicious act model unanimity that the software malicious act modeling method by the embodiment of the invention takes out goes for multiple class and large batch of Malware.
Below with reference to the portable terminal of Fig. 5 description according to the embodiment of the invention.
As shown in Figure 5, the portable terminal that provides of the embodiment of the invention comprises: software malicious act model building device and malice model editing module 510.Wherein, the software malicious act model building device software malicious act model building device 400 that can provide for the above embodiment of the present invention.The malicious act models show that malice model editing module is used for software malicious act model building device 400 has been set up is given the user, thereby edits, browses or delete for the user.
The user can be by malice model editing module 510 according to the malicious act that makes the user detect and control according to the self-demand Adjustment System.Because the number one of different user is different, each user thinks that the behavior that can damage number one also can be different.By above-mentioned User Defined mechanism, be conducive to satisfy requirements of different users.In addition, the user also can make amendment to existing malicious act model of not meeting consumers' demand in the current system, thereby makes system's demand of can being close to the users more.
Portable terminal according to the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, and the user can make amendment to the malicious act model according to number one and security consideration, thereby identification and process user institute do not wish the software that moves, and then at utmost satisfy user's customized demand and raising user's use viscosity.
Below with reference to the determination methods of Fig. 6 description according to the software malicious act of the embodiment of the invention.
As shown in Figure 6, the determination methods of the software malicious act that provides of the embodiment of the invention comprises the steps:
Step S601 sets up the malicious act model.
In one embodiment of the invention, adopt the software malicious act modeling method of first aspect present invention embodiment to set up the malicious act model.
Step S602, system's present located persistent state in the record portable terminal, and generate current context.
Context is used for reflection system present located persistent state, for example: in the conversation, in the recording, in the navigation, in the charging, take pictures medium.Be understandable that a context can corresponding a plurality of sensitive action.For example: the persistent state of file description is in conversation and the recording up and down, and then Dui Ying sensitive action is for conversing and recording.
Different contexts can corresponding same sensitive action, and the same action in the different context can have different implications according to sensitivity.
In one embodiment of the invention, context can select to determine by mobile terminal user.
Step S603 records current software to the visit of sensitive resource in the portable terminal and generates corresponding one or more sensitive action.
When the current software in the portable terminal is visited the sensitive resource of system, then generate a sensitive action, thereby generate a plurality of sensitive action according to the access times of current software.Wherein, has execution sequence between a plurality of sensitive action.Each sensitive action includes a plurality of attributes, these attribute records this sensitive action carry out the software of action itself and the present situation of system when taking place.
In one embodiment of the invention, the responsive authority of the one or more sensitive action in the malicious act model and system all can choose to determine by the user.
Step S604, according to current context and the corresponding one or more sensitive action of current software, and the malicious act model judges whether current software is malicious act to the visit of sensitive resource.
In the malicious act model of setting up in step S60 1, defined the execution sequence of a plurality of sensitive action, above-mentioned execution sequence can represent purpose and the essence of malicious act.In other words, if Malware will be realized a malicious intent, must be according to execution sequence through above-mentioned a plurality of sensitive action.
In the use of portable terminal, if a plurality of sensitive action of the current software that step S603 generates be a plurality of sensitive action in the malicious act model of setting up among the step S601 and have with the malicious act model in the identical execution sequence that defines, can judge that then current software is malicious act to the visit of responsive wording.
In one embodiment of the invention, after judging that the visit of current software to sensitive resource is malicious act, record the attribute information of malicious act, and attribute information is showed mobile terminal user, thereby edit, browse or delete for the user.The malicious act that the user can detect and control according to the self-demand Adjustment System.Because the number one of different user is different, each user thinks that the behavior that can damage number one also can be different.By above-mentioned User Defined mechanism, be conducive to satisfy requirements of different users.In addition, the user also can make amendment to existing malicious act model of not meeting consumers' demand in the current system, thereby makes system's demand of can being close to the users more.
In one embodiment of the invention, attribute information can comprise one or more of following content: the time interval and the residing context of each sensitive action between the type of action of the time of origin of each sensitive action, each sensitive action, each sensitive action executor's identify label and current state in the malicious act, two sensitive action.
Determination methods according to the software malicious act of the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act, and the user can make amendment to the malicious act model according to number one and security consideration, thereby identification and process user institute do not wish the software that moves, and then at utmost satisfy user's customized demand and raising user's use viscosity.
Below with reference to the portable terminal of Fig. 7 description according to the embodiment of the invention.
As shown in Figure 7, the portable terminal that provides of the embodiment of the invention comprises software malicious act model building device, logging modle 710 and judge module 720.
In one embodiment of the invention, the software malicious act model building device 400 that software malicious act model building device can provide for the above embodiment of the present invention is used for setting up the malicious act model.In the malicious act model, defined the execution sequence of a plurality of sensitive action, above-mentioned execution sequence can represent purpose and the essence of malicious act.In other words, if Malware will be realized a malicious intent, must be according to execution sequence through above-mentioned a plurality of sensitive action.
System's present located persistent state in the logging modle 710 record portable terminals, and generate current context, record current software to the visit of sensitive resource in the portable terminal and generate corresponding one or more sensitive action.Wherein, sensitive action can be recording, shooting or location etc.
Judge module 720 is according to current context and the corresponding one or more sensitive action of current software, and the malicious act model that above-mentioned software malicious act model building device 400 is set up judges whether current software is malicious act to the visit of sensitive resource.
Particularly, if a plurality of sensitive action of the current software that logging modle 710 generates be a plurality of sensitive action in the malicious act model and have with the malicious act model in the identical execution sequence that defines, then judge module 720 can judge that current software is malicious act to the visit of responsive wording.
Portable terminal according to the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act, and the user can make amendment to the malicious act model according to number one and security consideration, thereby identification and process user institute do not wish the software that moves, and then at utmost satisfy user's customized demand and raising user's use viscosity.
Below with reference to the determination methods of Fig. 8 description according to the software malice of the embodiment of the invention.
As shown in Figure 8, the determination methods of the software malice that provides of the embodiment of the invention comprises the steps:
Step S801 sets up the malicious act model.
In one embodiment of the invention, adopt the software malicious act modeling method of first aspect present invention embodiment to set up the malicious act model.
Step S802, system's present located persistent state in the record portable terminal, and generate current context.
Context is used for reflection system present located persistent state, for example: in the conversation, in the recording, in the navigation, in the charging, take pictures medium.Be understandable that a context can corresponding a plurality of sensitive action.For example: the persistent state of file description is in conversation and the recording up and down, and then Dui Ying sensitive action is for conversing and recording.
Different contexts can corresponding same sensitive action, and the same action in the different context can have different implications according to sensitivity.
In one embodiment of the invention, context can select to determine by mobile terminal user.
Step S803 records current software to the visit of sensitive resource in the portable terminal and generates corresponding one or more sensitive action.
When the current software in the portable terminal is visited the sensitive resource of system, then generate a sensitive action, thereby generate a plurality of sensitive action according to the access times of current software.Wherein, has execution sequence between a plurality of sensitive action.Each sensitive action includes a plurality of attributes, these attribute records this sensitive action carry out the software of action itself and the present situation of system when taking place.
In one embodiment of the invention, the responsive authority of the one or more sensitive action in the malicious act model and system all can choose to determine by the user.
Step S804 according to current context and the corresponding one or more sensitive action of current software, and judges according to the malicious act model whether current software is malicious act to the visit of sensitive resource.
In the malicious act model of setting up in step S801, defined the execution sequence of a plurality of sensitive action, above-mentioned execution sequence can represent purpose and the essence of malicious act.In other words, if Malware will be realized a malicious intent, must be according to execution sequence through above-mentioned a plurality of sensitive action.
In the use of portable terminal, if a plurality of sensitive action of the current software that step S803 generates be a plurality of sensitive action in the malicious act model of setting up among the step S801 and have with the malicious act model in the identical execution sequence that defines, can judge that then current software is malicious act to the visit of responsive wording.
Step S805, if judge malicious act, then the malicious act with current software is prompted to mobile terminal user, judges by the user whether current software is Malware.
After judging that the visit of current software to sensitive resource is malicious act, record the attribute information of the malicious act of current software, and attribute information is showed mobile terminal user, thereby edit, browse or delete for the user.The malicious act that the user can detect and control according to the self-demand Adjustment System.Because the number one of different user is different, each user thinks that the behavior that can damage number one also can be different.By above-mentioned User Defined mechanism, be conducive to satisfy requirements of different users.In addition, the user also can make amendment to existing malicious act model of not meeting consumers' demand in the current system, thereby makes system's demand of can being close to the users more.
In one embodiment of the invention, attribute information can comprise one or more of following content: the time interval and the residing context of each sensitive action between the type of action of the time of origin of each sensitive action, each sensitive action, each sensitive action executor's identify label and current state in the malicious act, two sensitive action.
Determination methods according to the software malice of the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act, and whether further can judge current software be malicious act.In addition, the user can make amendment to the malicious act model according to number one and security consideration, thereby identification and process user institute do not wish the software that moves, and then at utmost satisfies user's customized demand and raising user's use viscosity.
Below with reference to the portable terminal of Fig. 9 description according to the embodiment of the invention.
As shown in Figure 9, the portable terminal that provides of the embodiment of the invention comprises: software malicious act model building device, logging modle 910, judge module 920 and reminding module 930.
In one embodiment of the invention, the software malicious act model building device software malicious act model building device 400 that can provide for the above embodiment of the present invention.
Logging modle 910 is used for record portable terminal system present located persistent state, and generates current context.Wherein context is used for reflection system present located persistent state, for example: in the conversation, in the recording, in the navigation, in the charging, take pictures medium.Be understandable that a context can corresponding a plurality of sensitive action.For example: the persistent state of file description is in conversation and the recording up and down, and then Dui Ying sensitive action is for conversing and recording.
Different contexts can corresponding same sensitive action, and the same action in the different context can have different implications according to sensitivity.
In one embodiment of the invention, context can select to determine by mobile terminal user.
Logging modle 910 also is used for the current software of record to the visit of portable terminal sensitive resource and generates corresponding one or more sensitive action.Wherein, has execution sequence between a plurality of sensitive action.Each sensitive action includes a plurality of attributes, these attribute records this sensitive action carry out the software of action itself and the present situation of system when taking place.
In one embodiment of the invention, the responsive authority of the one or more sensitive action in the malicious act model of software malicious act model building device 400 foundation and system all can choose to determine by the user.
Judge module 920 is used for according to current context and the corresponding one or more sensitive action of current software, and judges whether current software is malicious act to the visit of sensitive resource.
Particularly, if a plurality of sensitive action of the current software that logging modle 910 generates be a plurality of sensitive action in the malicious act model and have with the malicious act model in the identical execution sequence that defines, then judge module 920 can judge that current software is malicious act to the visit of responsive wording.
When reminding module 930 judges that at judge module 920 current software is malicious act to the visit of sensitive resource, the malicious act of current software is prompted to mobile terminal user, judge by the user whether current software is Malware, thereby edit, browse or delete for the user.The malicious act that the user can detect and control according to the self-demand Adjustment System.Because the number one of different user is different, each user thinks that the behavior that can damage number one also can be different.By above-mentioned User Defined mechanism, be conducive to satisfy requirements of different users.In addition, the user also can make amendment to existing malicious act model of not meeting consumers' demand in the current system, thereby makes system's demand of can being close to the users more.
Portable terminal according to the embodiment of the invention, by detecting the context generation malicious act model that sensitive resource obtains sensitive action and expression system state of living in, thereby can find effectively whether arbitrary behavior that software is carried out is malicious act, and whether further can judge current software be malicious act.In addition, the user can make amendment to the malicious act model according to number one and security consideration, thereby identification and process user institute do not wish the software that moves, and then at utmost satisfies user's customized demand and raising user's use viscosity.
Describe and to be understood that in the process flow diagram or in this any process of otherwise describing or method, expression comprises module, fragment or the part of code of the executable instruction of the step that one or more is used to realize specific logical function or process, and the scope of preferred implementation of the present invention comprises other realization, wherein can be not according to order shown or that discuss, comprise according to related function by the mode of basic while or by opposite order, carry out function, this should be understood by the embodiments of the invention person of ordinary skill in the field.
In process flow diagram the expression or in this logic of otherwise describing and/or step, for example, can be considered to the sequencing tabulation for the executable instruction that realizes logic function, may be embodied in any computer-readable medium, use for instruction execution system, device or equipment (as the computer based system, comprise that the system of processor or other can be from the systems of instruction execution system, device or equipment instruction fetch and execution command), or use in conjunction with these instruction execution systems, device or equipment.With regard to this instructions, " computer-readable medium " can be anyly can comprise, storage, communication, propagation or transmission procedure be for instruction execution system, device or equipment or the device that uses in conjunction with these instruction execution systems, device or equipment.The example more specifically of computer-readable medium (non-exhaustive list) comprises following: the electrical connection section (electronic installation) with one or more wirings, portable computer diskette box (magnetic device), random-access memory (ram), ROM (read-only memory) (ROM), can wipe and to edit ROM (read-only memory) (EPROM or flash memory), fiber device, and portable optic disk ROM (read-only memory) (CDROM).In addition, computer-readable medium even can be paper or other the suitable media that to print described program thereon, because can be for example by paper or other media be carried out optical scanning, then edit, decipher or handle to obtain described program in the electronics mode with other suitable methods in case of necessity, then it is stored in the computer memory.
Should be appreciated that each several part of the present invention can realize with hardware, software, firmware or their combination.In the above-described embodiment, a plurality of steps or method can realize with being stored in the storer and by software or firmware that suitable instruction execution system is carried out.For example, if realize with hardware, the same in another embodiment, in the available following technology well known in the art each or their combination realize: have for the discrete logic of data-signal being realized the logic gates of logic function, special IC with suitable combinational logic gate circuit, programmable gate array 0 (PGA), field programmable gate array (FPGA) etc.
Those skilled in the art are appreciated that and realize that all or part of step that above-described embodiment method is carried is to instruct relevant hardware to finish by program, described program can be stored in a kind of computer-readable recording medium, this program comprises one of step or its combination of method embodiment when carrying out.
In addition, each functional unit in each embodiment of the present invention can be integrated in the processing module, also can be that the independent physics in each unit exists, and also can be integrated in the module two or more unit.Above-mentioned integrated module both can adopt the form of hardware to realize, also can adopt the form of software function module to realize.If described integrated module realizes with the form of software function module and during as independently production marketing or use, also can be stored in the computer read/write memory medium.
The above-mentioned storage medium of mentioning can be ROM (read-only memory), disk or CD etc.
In the description of this instructions, concrete feature, structure, material or characteristics that the description of reference term " embodiment ", " some embodiment ", " example ", " concrete example " or " some examples " etc. means in conjunction with this embodiment or example description are contained at least one embodiment of the present invention or the example.In this manual, the schematic statement to above-mentioned term not necessarily refers to identical embodiment or example.And concrete feature, structure, material or the characteristics of description can be with the suitable manner combination in any one or more embodiment or example.
Although illustrated and described embodiments of the invention, for the ordinary skill in the art, be appreciated that without departing from the principles and spirit of the present invention and can carry out multiple variation, modification, replacement and modification to these embodiment that scope of the present invention is by claims and be equal to and limit.

Claims (17)

1. a software malicious act modeling method is characterized in that, may further comprise the steps:
Generate at least one sensitive action according to the visit to sensitive resource in the portable terminal;
Generate at least one context according to the residing persistent state of system in the described portable terminal; And
Generate the malicious act model according to a context in the one or more sensitive action in described at least one sensitive action and/or described at least one context.
2. software malicious act modeling method as claimed in claim 1, it is characterized in that, comprise a plurality of sensitive action in the described malicious act model, has execution sequence between described a plurality of sensitive action, if behavior comprises described a plurality of sensitive action and has identical execution sequence that then described malicious act model is judged as malicious act simultaneously.
3. software malicious act modeling method as claimed in claim 1 or 2 is characterized in that, the described one or more sensitive action in the described malicious act model and/or described context are selected to determine by described mobile terminal user.
4. as each described software malicious act modeling method of claim 1-3, it is characterized in that, after described malicious act model judges that described behavior is malicious act, also comprise:
Record the attribute information of described malicious act, and described attribute information is showed described mobile terminal user.
5. software malicious act modeling method as claimed in claim 4, it is characterized in that, described attribute information comprise time interval between type of action, each sensitive action executor's the identify label of time of origin, each sensitive action of each sensitive action in the malicious act and current state, two sensitive action, and the residing context of each sensitive action in one or more.
6. software malicious act modeling method as claimed in claim 5 is characterized in that, described sensitive resource comprises recording, device number, GPS information, paying note.
7. software malicious act modeling method as claimed in claim 1 is characterized in that, also comprises:
Give described mobile terminal user with the malicious act models show of having set up, edit, browse or delete for described user.
8. a software malicious act model building device is characterized in that, comprising:
The sensitive action generation module is used for the visit of portable terminal sensitive resource is generated at least one sensitive action;
The context generation module is used for generating at least one context according to described portable terminal system present located persistent state; And
MBM is used for generating the malicious act model according to one or more sensitive action of described at least one sensitive action and/or a context in described at least one context.
9. software malicious act model building device as claimed in claim 8, it is characterized in that, comprise a plurality of sensitive action in the described malicious act model, has execution sequence between described a plurality of sensitive action, if behavior comprises described a plurality of sensitive action and has identical execution sequence that then described malicious act model is judged as malicious act simultaneously.
10. software malicious act model building device as claimed in claim 8 is characterized in that, the described one or more sensitive action in the described malicious act model and/or described context are selected to determine by described mobile terminal user.
11. software malicious act model building device as claimed in claim 8 is characterized in that, also comprises:
The attribute information logging modle is used for recording the attribute information of described malicious act after judging that described behavior is malicious act, and described attribute information is showed described mobile terminal user.
12. software malicious act model building device as claimed in claim 11, it is characterized in that, described attribute information comprise time interval between type of action, each sensitive action executor's the identify label of time of origin, each sensitive action of each sensitive action in the malicious act and current state, two sensitive action, and the residing context of each sensitive action in one or more.
13. a portable terminal is characterized in that, comprising:
As each described software malicious act model building device of claim 8-12;
Malice model editing module, the malicious act models show that is used for described software malicious act model building device has been set up is given described mobile terminal user, edits, browses or delete for described user.
14. the determination methods of a software malicious act is characterized in that, may further comprise the steps:
Adopt and set up the malicious act model as each described software malicious act modeling method of claim 1-7;
System's present located persistent state in the record portable terminal, and generate current context;
Record current software to the visit of sensitive resource in the described portable terminal and generate corresponding one or more sensitive action; And
According to described current context and the corresponding one or more sensitive action of current software, and described malicious act model judges whether described current software is malicious act to the visit of described sensitive resource.
15. a portable terminal is characterized in that, comprising:
As each described software malicious act model building device of claim 8-12;
Logging modle is used for record portable terminal system present located persistent state, and generates current context, and records current software to the visit of sensitive resource in the described portable terminal and generate corresponding one or more sensitive action; And
Judge module, be used for according to described current context and the corresponding one or more sensitive action of current software, and the malicious act model that described software malicious act model building device is set up judges whether described current software is malicious act to the visit of described sensitive resource.
16. the determination methods of a software malice is characterized in that, may further comprise the steps:
Adopt and set up the malicious act model as each described software malicious act modeling method of claim 1-7;
System's present located persistent state in the record portable terminal, and generate current context;
Record current software to the visit of sensitive resource in the described portable terminal and generate corresponding one or more sensitive action;
According to described current context and the corresponding one or more sensitive action of current software, and described malicious act model judges whether described current software is malicious act to the visit of described sensitive resource; And
If the malicious act of being judged as, then the described malicious act with described current software is prompted to described mobile terminal user, judges by described user whether described current software is Malware.
17. a portable terminal is characterized in that, comprising:
As each described software malicious act model building device of claim 8-12;
Logging modle is used for record portable terminal system present located persistent state, and generates current context, and records current software to the visit of sensitive resource in the described portable terminal and generate corresponding one or more sensitive action;
Judge module is used for according to described current context and the corresponding one or more sensitive action of current software, and judges whether described current software is malicious act to the visit of described sensitive resource; And
Reminding module is used for when being judged as malicious act, and the described malicious act of described current software is prompted to described mobile terminal user, judges by described user whether described current software is Malware.
CN201210047944.5A 2012-02-27 2012-02-27 Software malicious behavior modeling and judging method and device, and mobile terminal Active CN103294948B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210047944.5A CN103294948B (en) 2012-02-27 2012-02-27 Software malicious behavior modeling and judging method and device, and mobile terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210047944.5A CN103294948B (en) 2012-02-27 2012-02-27 Software malicious behavior modeling and judging method and device, and mobile terminal

Publications (2)

Publication Number Publication Date
CN103294948A true CN103294948A (en) 2013-09-11
CN103294948B CN103294948B (en) 2017-02-08

Family

ID=49095790

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210047944.5A Active CN103294948B (en) 2012-02-27 2012-02-27 Software malicious behavior modeling and judging method and device, and mobile terminal

Country Status (1)

Country Link
CN (1) CN103294948B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103778372A (en) * 2014-01-13 2014-05-07 陈黎飞 Spectral method for identifying computer software action

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101132438A (en) * 2007-03-20 2008-02-27 中国移动通信集团江苏有限公司 Method for screen selecting and catching vicious disturbing calls
CN101180598A (en) * 2005-04-15 2008-05-14 微软公司 Method and apparatus for providing process guidance
CN101228517A (en) * 2005-07-26 2008-07-23 微软公司 Augmenting a call with context
CN101266550A (en) * 2007-12-21 2008-09-17 北京大学 Malicious code detection method
US7962918B2 (en) * 2004-08-03 2011-06-14 Microsoft Corporation System and method for controlling inter-application association through contextual policy control
US8042186B1 (en) * 2011-04-28 2011-10-18 Kaspersky Lab Zao System and method for detection of complex malware

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7962918B2 (en) * 2004-08-03 2011-06-14 Microsoft Corporation System and method for controlling inter-application association through contextual policy control
CN101180598A (en) * 2005-04-15 2008-05-14 微软公司 Method and apparatus for providing process guidance
CN101228517A (en) * 2005-07-26 2008-07-23 微软公司 Augmenting a call with context
CN101132438A (en) * 2007-03-20 2008-02-27 中国移动通信集团江苏有限公司 Method for screen selecting and catching vicious disturbing calls
CN101266550A (en) * 2007-12-21 2008-09-17 北京大学 Malicious code detection method
US8042186B1 (en) * 2011-04-28 2011-10-18 Kaspersky Lab Zao System and method for detection of complex malware

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李佳静等: "一种基于语义的恶意行为分析方法", 《北京大学学报(自然科学版)》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103778372A (en) * 2014-01-13 2014-05-07 陈黎飞 Spectral method for identifying computer software action
CN103778372B (en) * 2014-01-13 2016-10-19 福建师范大学 A kind of spectral method identifying computer software behavior

Also Published As

Publication number Publication date
CN103294948B (en) 2017-02-08

Similar Documents

Publication Publication Date Title
US11790109B2 (en) Privacy control operation modes
CN103002124B (en) A kind of processing method of communication data, device
CN102779255B (en) Method and device for judging malicious program
CN104737101A (en) Computing device with force-triggered non-visual responses
CN109040419B (en) Screen recording method and device, mobile terminal and storage medium
CN104967758B (en) A kind of method and user terminal for controlling data transfer
CN103914646A (en) Touch event processing method and portable device implementing the same
CN103281375B (en) A kind of contact management method of third-party application and device, system
CN103631580B (en) Method and device for generating theme icon
CN105281906A (en) Safety authentication method and device
CN106445783A (en) Method and device for detecting jamming of electronic equipment and electronic equipment
CN103780731A (en) Method and device for obtaining privacy contacts
CN102937913B (en) A kind of method and device managing default application
CN105339874A (en) Method for handling pen input and apparatus for the same
CN103218552B (en) Based on method for managing security and the device of user behavior
CN105574437A (en) Method and device for protecting privacy information and electronic equipment
CN104917796A (en) Credit account creating method, system and method
CN106484518A (en) A kind of display methods, device and terminal for opening application more
CN106959754A (en) Control the method and mobile terminal of mobile terminal
CN109543891A (en) Method for building up, equipment and the computer readable storage medium of capacity prediction model
CN106453802A (en) Cipher verification method and device, and terminal
CN107038074A (en) Internal memory optimization device and method based on associating policy
CN106776908A (en) Data clearing method, device and terminal
CN109246467A (en) Label is to the method, apparatus of sharing video frequency, video camera and smart phone
CN105468947A (en) Information processing method and device and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant