CN111831395A - Behavior monitoring and analyzing method and system - Google Patents


Info

Publication number
CN111831395A
Authority
CN
China
Prior art keywords
virtual client
monitoring
behavior
virtual
function
Prior art date
Legal status
Granted
Application number
CN202010655805.5A
Other languages
Chinese (zh)
Other versions
CN111831395B (en)
Inventor
陶敬
李熇桢
李佳璇
Current Assignee
Xian Jiaotong University
Original Assignee
Xian Jiaotong University
Priority date
Filing date
Publication date
Application filed by Xian Jiaotong University filed Critical Xian Jiaotong University
Priority to CN202010655805.5A priority Critical patent/CN111831395B/en
Publication of CN111831395A publication Critical patent/CN111831395A/en
Application granted granted Critical
Publication of CN111831395B publication Critical patent/CN111831395B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/301 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is a virtual computing platform, e.g. logically partitioned systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45575 Starting, stopping, suspending or resuming virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a behavior monitoring and analyzing method and system. A virtual client candidate system set is established on a host machine, and a corresponding virtual client is started according to the system the user selects from the set. After the virtual client is started, the user controls the virtual client through the host machine to initialize the function monitoring function. After the initialization is finished, the virtual client is controlled to perform behavior triggering, its running condition is monitored, and a monitoring log is output. The system comprises a virtual client system image maintenance module, a virtual client behavior monitoring initialization module and a virtual client behavior monitoring module. The invention monitors the behavior of the virtual client based on binary instruction translation virtualization technology. Because monitoring is achieved by modifying the virtualization process, the source code of the client system does not need to be modified. This overcomes the defect that traditional dynamic monitoring systems are not flexible enough and cannot freely change the monitored system in an environment where operating system versions are continuously updated and iterated and many different operating systems are on the market.

Description

Behavior monitoring and analyzing method and system
Technical Field
The invention relates to the technical field of virtualization monitoring, in particular to a behavior monitoring analysis method and system.
Background
In recent years, a '2019 Android malware thematic report' issued by a 360-degree safety brain shows that the 360-degree safety brain captured about 180.9 thousand newly added mobile malware samples in 2019. The 2019 China network security report issued by Switzerland shows that the cloud security system of Switzerland intercepted a total of 1.03 hundred million virus samples in 2019, that the number of virus infections was 4.38 hundred million, and that the total number of viruses rose 32.69 percent compared with the same period in 2018. In this relatively severe security environment, malware emerges endlessly and constantly threatens the interests of every user and the normal development of numerous industries, and even affects national security.
To analyze and identify malware more accurately and comprehensively, and to cope with the packing (shell) applied to most malware, applications are generally analyzed with dynamic analysis methods. Monitoring the behavior of the operating system and of application programs is an essential stage of dynamic analysis and its foundation.
At present, the widely adopted way of monitoring operating system and application behavior is mainly Hook technology, or the use of a customized operating system. Operating system and application behaviors are typically monitored by modifying the system kernel, static instrumentation, dynamic injection, or replacing function addresses. Although these approaches can monitor operating system and application behavior well, they are inflexible: dynamic monitoring platforms are typically designed to support only a single version of an operating system, and it is difficult to switch to another version or another system. This makes them hard to adapt to an environment in which users run many different operating systems in different versions, and in which those versions are continuously updated and iterated.
Disclosure of Invention
To overcome the defects of the prior art, the invention aims to provide a behavior monitoring analysis method and system that is compatible with multiple systems and does not depend on a specific system or system version. It performs behavior monitoring on a client that runs under a virtualization technology based on binary instruction translation, and acquires behavior information of the client such as instruction running, process creation, system calls and function calls. The invention lets the user select different systems to start the virtual client and to install and run application programs; it provides monitoring of virtual client instructions, of the virtual client process list, of virtual client system calls and of virtual client function calls, among others, and outputs a formatted log. The results show that the method can effectively monitor the behavior of the virtual machine under different systems, and that the operating system or system version can be conveniently replaced.
In order to achieve the purpose, the invention adopts the technical scheme that:
a method of behavioral monitoring analysis, comprising:
establishing a virtual client candidate system set on a host machine, starting a corresponding virtual client according to a system selected by a user from the set, wherein the virtual client runs by adopting a binary instruction translation virtualization technology and corresponds to the system selected by the user one by one;
after the virtual client is started, the user controls the virtual client to initialize the function monitoring function through the host machine;
and after the initialization is finished, controlling the virtual client to perform behavior triggering, monitoring the running condition of the virtual client and outputting a monitoring log.
The host machine is an operation platform of the virtual client machine, and a user selects any one system in the virtual client machine candidate system set as an operation system of the virtual client machine through the host machine to trigger and monitor the behavior of the virtual client machine.
The function monitoring function of the virtual client works by adding a custom system call to the virtual client system and then adding a call instruction for that custom system call to each function to be monitored, which sets a monitoring point on the target function. The custom system call lets the kernel respond to a new system call number added by the user. In theory the custom system call can be an empty function, because the system can still monitor the instruction that invokes it: once the call instruction has been added to a function to be monitored, the call instruction is observed whenever that function is called. System call numbers correspond one-to-one to the functions to be monitored.
Monitoring the running condition of the virtual client comprises monitoring its process creation behavior, its instruction running behavior, its system call behavior and its function call behavior. In behavior triggering, the triggered behavior comprises clicking and typing in the virtual client, either manually or automatically through a written script, in order to operate the operating system or to install and run software. That is, the behaviors monitored in the running condition of the virtual client are the low-level manifestation of the triggered behavior: the system cannot directly monitor the user's operations, but it can monitor their low-level manifestation.
Monitoring of virtual client process creation behavior is realized by modifying the flow in which the virtual translation lookaside buffer creates page tables in the virtualization technology. Specifically, when the virtual translation lookaside buffer creates a page table, the virtual CPU information and the virtual client memory information are extracted to judge whether a new process has been created and to acquire the new process information.
Monitoring of virtual client instruction running behavior is realized by modifying the binary instruction translation flow of the virtualization technology. Specifically, when the virtual platform translates a virtual client binary instruction, the instruction is intercepted and converted into an assembly instruction.
Monitoring of virtual client system call behavior consists of parsing the monitored assembly instructions in real time and analyzing their semantics to obtain the system call information of the virtual client.
Monitoring of virtual client function call behavior works as follows: after the virtual client is started, a user or the host controls the virtual client to initialize the function call monitoring function, and a call instruction for the custom system call is inserted into the target function. When the virtual client calls the target function, the call instruction can be monitored, which realizes monitoring of calls to the target function.
The invention also provides a virtual client behavior monitoring system, which comprises a virtual client system mirror image maintenance module, a virtual client behavior monitoring initialization module and a virtual client behavior monitoring module, wherein: the virtual client system mirror image maintenance module runs on a host machine, establishes a virtual client candidate system set for a user to select a system from the set and start a corresponding virtual client; the virtual client behavior monitoring initialization module initializes the behavior monitoring function of the virtual client, starts the process of the virtual client to establish the monitoring function and initializes the function of the virtual client to call the monitoring function; the virtual client behavior monitoring module monitors the instruction running condition, the process creation condition, the system calling condition and the function calling condition of the virtual client from the virtual machine layer by modifying the virtual machine platform and outputs a monitoring log.
The host machine is an operation platform of the virtual client machine, a user selects any one system in the virtual client machine candidate system set as an operation system of the virtual client machine through the host machine to trigger and monitor the behavior of the virtual client machine, and the virtual machine platform has the monitoring functions of process creation, instruction operation, system calling and function calling behaviors of the virtual client machine.
The core part of the invention is that:
1. Virtual client system image maintenance module: the invention monitors the behavior of the virtual client without depending on a particular customized operating system. A set of virtual client system images is therefore maintained on the host machine, from which the user can select a system image to boot the virtual client.
2. The virtual client behavior monitoring initialization module: the virtual client behavior monitoring initialization module initializes the virtual client behavior monitoring function, starts the virtual client process to create the monitoring function, and initializes the virtual client function to call the monitoring function.
3. A virtual client behavior monitoring module: the virtual client behavior monitoring module monitors the instruction running condition, the process creation condition, the system calling condition and the function calling condition of the virtual client from the virtual machine layer, and outputs a monitoring log.
The method uses the open source virtual machine Qemu as a virtual machine platform for running the virtual client, and realizes the monitoring of the behavior of the virtual client by modifying the binary instruction translation process and the virtual page table creation process. The monitoring method for monitoring the behavior of the virtual client through the virtual machine layer without modifying the operating system of the virtual client realizes the complete isolation of the host machine and the virtual client environment, does not depend on a certain operating system, and has strong compatibility with the existing operating system. The user can freely change the operating system of the virtual client during the use process without performing complex modification on the operating system.
Compared with the prior art, the invention has the beneficial effects that:
1) applications have difficulty escaping monitoring by virtual machines;
2) the method monitors the behavior of the virtual client based on the binary instruction translation virtualization technology, monitors the behaviors of assembly instruction operation, process creation, system call, function call and the like of the virtual client by modifying a virtualization flow on the basis of the binary instruction translation virtualization, does not need to modify a client system source code, and has strong compatibility with the existing operating system;
3) the operating system of the virtual machine can be conveniently replaced, the defects that the traditional dynamic monitoring system is not flexible enough and cannot randomly change the monitored system under the environment that the version of the operating system is continuously updated and iterated and the operating system is various in the market are overcome, and the system can be compatible with future operating system versions on the basis that the updating of the operating system versions does not change the processor architecture.
Drawings
Fig. 1 is a general flowchart of the behavior monitoring analysis method of the present invention.
FIG. 2 is a diagram of a virtual client behavior monitoring system architecture according to the present invention.
FIG. 3 is a flow chart of monitoring a virtual machine platform according to the present invention.
FIG. 4 is a flow chart of monitoring the operation behavior of the virtual client instruction according to the present invention.
FIG. 5 is a flow chart of virtual client process creation behavior monitoring according to the present invention.
FIG. 6 is a flow chart of the virtual client system call behavior and function call behavior monitoring of the present invention.
Detailed Description
The invention is described in further detail below with reference to the figures and the embodiments.
The general flow chart of the virtual client behavior monitoring of the present invention is shown in fig. 1. First, a virtual client is started with the operating system specified by the user. After the virtual client has fully started, a function monitoring initialization script is uploaded to the virtual client and run there; it registers the custom system call program and inserts the call instruction of the custom system call into each function to be monitored. Finally, the behavior of the virtual client is triggered and monitored, and a monitoring log is output.
The virtual client behavior monitoring system architecture is shown in fig. 2, which details the architecture of the virtual client behavior monitoring system and the interaction among the host, the virtual machine platform and the virtual client. The functions and the workflow of each part are described in the following 2a) -2c), respectively.
2a) The host machine is the running environment of the virtual machine platform and is responsible for maintaining the virtual client system image set and storing the monitoring log. The virtual client system image set comprises common versions of the Android system, common versions of the Linux system and the like; a system image is obtained either by compiling the system source code or by downloading it from the official website. Through the host machine, the user selects a system image from the system image set, starts the virtual client with the virtual machine platform, and then sends control commands to the virtual client, uploads files to it, triggers behaviors in it, and so on.
2b) The virtual machine platform is used for monitoring the instruction running behavior, the process creating behavior, the system calling behavior, the function calling behavior and the like of the virtual client. The virtual machine platform uses an open source simulator Qemu based on a binary instruction translation technology to modify an instruction translation process and a virtual page table creation process, so that a behavior monitoring function of a virtual client is realized.
Fig. 3 shows the overall flow by which the virtual machine platform monitors virtual client behavior. The flow is as follows.
i) After the virtual client is started, the virtual machine platform monitors process creation behavior and instruction running behavior;
ii) the virtual machine platform acquires process information from the monitored virtual client process creation behavior and maintains a process list;
iii) after capturing an instruction of the virtual client, the virtual machine platform judges whether it is an instruction of the target process; if so, it writes the instruction into a cache, otherwise it does not record the instruction and obtains the next instruction;
iv) after the instruction is written into the cache, the meaning of the instruction is analyzed, and system calls and function calls are monitored;
v) the platform judges whether monitoring has stopped; if so, it outputs the monitoring log, otherwise it obtains the next instruction.
Fig. 4 shows the flow by which the virtual machine platform monitors virtual client instruction running behavior. The flow is as follows.
i) Insert a monitoring point into the process in which Qemu translates and executes virtual client instructions;
ii) when Qemu is about to run a code block, acquire the processor state information of the current virtual client;
iii) query, through the state information of the virtual client processor, whether translation of the code block to be executed has completed; if the translation is completed, go to step vi, and if not, go to step v;
iv) obtain the total number of instructions of the code block to be executed, and thereby obtain the instructions to be executed in the code block;
v) intercept the code block translation process so as to obtain the instructions to be executed;
vi) judge whether the obtained instruction is a target process instruction; if so, write the instruction into a cache, otherwise release the instruction for execution;
vii) if the monitoring is finished, write the content of the cache into the monitoring log; otherwise continue monitoring Qemu's execution of code blocks.
Fig. 5 shows the flow by which the virtual machine platform monitors virtual client process creation behavior. The flow is as follows.
i) Modify the process in which Qemu creates the virtual client page table, and monitor the behavior of creating the virtual client page table;
ii) when Qemu creates the page table of the virtual client, obtain the CPU state of the current virtual client;
iii) according to the state of a register in the current CPU, search whether the current process exists in the process list maintained by the behavior monitoring analysis method and system;
iv) if the current process exists, go directly to step vi; otherwise look up the information of the current process, including process PID, process name, parent process PID and the like, according to the current virtual client CPU register state and the virtual client system kernel symbol offsets;
v) store the current process information and the current virtual client CPU register state in the process list;
vi) if the monitoring is finished, write the virtual client process creation records into the monitoring log; otherwise continue monitoring Qemu's creation of virtual client page tables.
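The process-list maintenance in steps ii) to v), as an added example that is not code from the patent or from Qemu. The hook name `on_page_table_fill`, the two CPU values it receives (a page-table base used as the process key and a pointer to the current task structure), the task-structure field offsets and the guest memory contents are all assumptions constructed for illustration; the sketch also assumes host and guest share byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 64
#define COMM_LEN 16
#define GUEST_BASE 0xffff000000001000ULL  /* constructed guest address */

/* Values the hook would take from the virtual CPU (field names are assumptions). */
struct vcpu_state { uint64_t pgd_base; uint64_t task_ptr; };
/* Kernel-build-specific offsets inside the task structure (constructed). */
struct task_offsets { size_t pid, parent, comm; };
struct guest_mem { const uint8_t *buf; uint64_t base; size_t len; };
struct proc_entry { uint64_t pgd_base; int32_t pid, ppid; char comm[COMM_LEN]; };
struct proc_list { struct proc_entry e[MAX_PROCS]; size_t n; };

/* Bounds-checked read of guest memory; guest pointers are untrusted input. */
static int guest_read(const struct guest_mem *m, uint64_t addr, void *dst, size_t n)
{
    if (addr < m->base) return -1;
    uint64_t off = addr - m->base;
    if (off > m->len || n > m->len - off) return -1;
    memcpy(dst, m->buf + off, n);
    return 0;
}

/* Steps ii) to v): returns 1 if a new process was recorded, 0 if it was
 * already in the list, -1 if its information could not be read. */
int on_page_table_fill(struct proc_list *list, const struct vcpu_state *cpu,
                       const struct guest_mem *mem, const struct task_offsets *off)
{
    for (size_t i = 0; i < list->n; i++)          /* step iii: known process? */
        if (list->e[i].pgd_base == cpu->pgd_base) return 0;
    if (list->n == MAX_PROCS) return -1;

    struct proc_entry p = { .pgd_base = cpu->pgd_base };
    uint64_t parent;                              /* step iv: walk the task struct */
    if (guest_read(mem, cpu->task_ptr + off->pid, &p.pid, sizeof p.pid) ||
        guest_read(mem, cpu->task_ptr + off->comm, p.comm, COMM_LEN) ||
        guest_read(mem, cpu->task_ptr + off->parent, &parent, sizeof parent) ||
        guest_read(mem, parent + off->pid, &p.ppid, sizeof p.ppid))
        return -1;
    p.comm[COMM_LEN - 1] = '\0';                  /* never trust guest strings */
    list->e[list->n++] = p;                       /* step v: remember it */
    return 1;
}

static const struct task_offsets sample_off = { 0x10, 0x18, 0x20 };

/* Writes one constructed task structure into the fake guest RAM. */
static void put_task(uint8_t *ram, size_t at, int32_t pid, uint64_t parent,
                     const char *comm)
{
    memcpy(ram + at + sample_off.pid, &pid, sizeof pid);
    memcpy(ram + at + sample_off.parent, &parent, sizeof parent);
    strncpy((char *)ram + at + sample_off.comm, comm, COMM_LEN - 1);
}

/* Feeds four constructed page-table-fill events through the hook and
 * returns the number of processes recorded. */
size_t run_sample(struct proc_list *list)
{
    static uint8_t ram[256];
    memset(ram, 0, sizeof ram);
    put_task(ram, 0x00, 1, GUEST_BASE, "init");          /* its own parent */
    put_task(ram, 0x80, 1234, GUEST_BASE, "sample.app"); /* child of init */
    struct guest_mem mem = { ram, GUEST_BASE, sizeof ram };
    const struct vcpu_state fills[] = {
        { 0x40001000, GUEST_BASE },
        { 0x40002000, GUEST_BASE + 0x80 },
        { 0x40002000, GUEST_BASE + 0x80 },    /* same process again: no new entry */
        { 0x40003000, GUEST_BASE + 0x4000 },  /* pointer outside RAM: rejected */
    };
    list->n = 0;
    for (size_t i = 0; i < sizeof fills / sizeof fills[0]; i++)
        on_page_table_fill(list, &fills[i], &mem, &sample_off);
    return list->n;
}

int main(void)
{
    struct proc_list list;
    size_t n = run_sample(&list);
    for (size_t i = 0; i < n; i++)
        printf("pgd=%#llx pid=%d ppid=%d comm=%s\n",
               (unsigned long long)list.e[i].pgd_base,
               (int)list.e[i].pid, (int)list.e[i].ppid, list.e[i].comm);
    return 0;
}
```

The bounds check in `guest_read` matters because every pointer the hook follows comes from the monitored guest, which may be running the sample under analysis.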
Before the virtual client function call monitoring function is used, it needs to be initialized: before starting the virtual client, set the correspondence between custom system call numbers and monitored functions in the configuration file provided by the invention; register the custom system call function in the virtual client; and insert an instruction that invokes the custom system call into each function to be monitored.
None of these three steps requires modifying the source code of the virtual client system. Registering the custom system call function in the virtual client can be done with a kernel module that adds the custom system call function to sys_call_table. Inserting the instruction that invokes the custom system call into the function to be monitored can be done by adding a syscall function call to the target function through an inline hook, or by directly inserting the system call assembly instruction (such as the svc assembly instruction on arm64).
Fig. 6 shows the flow by which the virtual machine platform monitors virtual client system call behavior and function call behavior. The flow is as follows.
i) Acquire a virtual client instruction from the virtual client instruction monitoring function; the instruction is a machine code instruction for the CPU architecture of the virtual client in the Qemu virtual machine platform;
ii) parse the machine code instruction into an assembly instruction;
iii) judge whether the assembly instruction is a system call instruction; if not, skip the instruction and continue with the next instruction, otherwise go to the next step;
iv) before a system call instruction, the system call number is placed into a specific register by an instruction such as mov; analyze the preceding instruction to obtain the system call number;
v) judge the system call number: if it is a custom system call number, convert it into the call information of the corresponding monitored function according to the configuration file; otherwise convert it into the call information of the corresponding system call through sys_call_table.
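Steps ii) to v) for an arm64 Linux guest, as an added example that is not code from the patent or from Qemu. The instruction words, the custom call numbers 1000 and 1001 and the monitored function names are constructed; the sketch goes slightly beyond the text by searching a few preceding instructions for the write to x8 (the arm64 Linux system call number register) instead of only the immediately preceding one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOOKBACK 4  /* earlier instructions searched for "mov x8, #nr" */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

struct name_entry { int64_t nr; const char *name; };

/* Constructed stand-in for the configuration file: custom number -> function. */
static const struct name_entry custom_calls[] = {
    { 1000, "SSL_write" }, { 1001, "dlopen" },
};
/* Small excerpt of the arm64 Linux system call numbering. */
static const struct name_entry system_calls[] = {
    { 56, "openat" }, { 63, "read" }, { 64, "write" },
    { 93, "exit" }, { 221, "execve" },
};

struct call_event {
    size_t index;      /* position of the svc instruction in the stream */
    int64_t nr;        /* recovered call number, -1 if not recoverable */
    int is_function;   /* 1: custom number, i.e. a monitored function call */
    const char *name;
};

/* SVC #imm16: fixed bits 31..21 and 4..0, any immediate. */
static int is_svc(uint32_t insn) { return (insn & 0xFFE0001Fu) == 0xD4000001u; }

/* MOVZ Wd/Xd, #imm16{, LSL #16*hw}, the encoding behind "mov x8, #nr". */
static int decode_movz(uint32_t insn, unsigned *rd, uint64_t *value)
{
    unsigned hw = (insn >> 21) & 3u;
    if ((insn & 0x7F800000u) != 0x52800000u) return 0;
    if (!(insn >> 31) && hw > 1) return 0;      /* unallocated for Wd */
    *rd = insn & 0x1Fu;
    *value = (uint64_t)((insn >> 5) & 0xFFFFu) << (16 * hw);
    return 1;
}

static const char *lookup(const struct name_entry *t, size_t n, int64_t nr)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].nr == nr) return t[i].name;
    return NULL;
}

/* Scans captured instruction words and emits one event per svc.
 * Limitation: only MOVZ writes to x8 are tracked; a number loaded from
 * memory or computed otherwise is reported as unknown or may be stale. */
size_t scan_calls(const uint32_t *code, size_t n, struct call_event *out, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max; i++) {
        if (!is_svc(code[i])) continue;                    /* step iii */
        struct call_event ev = { i, -1, 0, "unknown" };
        for (size_t k = 1; k <= LOOKBACK && k <= i; k++) { /* step iv */
            unsigned rd;
            uint64_t v;
            if (decode_movz(code[i - k], &rd, &v) && rd == 8) {
                ev.nr = (int64_t)v;
                break;
            }
        }
        const char *name = lookup(custom_calls, COUNT(custom_calls), ev.nr);
        if (name) ev.is_function = 1;                      /* step v */
        else name = lookup(system_calls, COUNT(system_calls), ev.nr);
        if (name) ev.name = name;
        out[count++] = ev;
    }
    return count;
}

/* Constructed sample stream (arm64 machine code words). */
static const uint32_t sample_code[] = {
    0xD2800020u, /* mov x0, #1                          */
    0xD2800808u, /* mov x8, #64                         */
    0xD4000001u, /* svc #0      -> write                */
    0xD2807D08u, /* mov x8, #1000 (custom number)       */
    0xAA0003E1u, /* mov x1, x0                          */
    0xD4000001u, /* svc #0      -> monitored function   */
    0x52800BA8u, /* mov w8, #93                         */
    0xD4000001u, /* svc #0      -> exit                 */
    0xD503201Fu, 0xD503201Fu, 0xD503201Fu, 0xD503201Fu, /* nop x4 */
    0xD4000001u, /* svc #0      -> number out of reach  */
};
#define SAMPLE_LEN COUNT(sample_code)

int main(void)
{
    struct call_event ev[8];
    size_t n = scan_calls(sample_code, SAMPLE_LEN, ev, COUNT(ev));
    for (size_t i = 0; i < n; i++)
        printf("insn %zu: %s %s (nr=%lld)\n", ev[i].index,
               ev[i].is_function ? "function" : "syscall",
               ev[i].name, (long long)ev[i].nr);
    return 0;
}
```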
2c) The client is the running environment of the process that the user needs to monitor. The operating system of the client is not fixed; the user specifies it from the system image set.
In summary, the invention monitors the behavior of the virtual client based on the binary instruction translation virtualization technology, monitors the behaviors of assembly instruction operation, process creation, system call, function call and the like of the virtual client by modifying the virtualization flow on the basis of the binary instruction translation virtualization, does not need to modify the system source code of the client, and overcomes the defects that the traditional dynamic monitoring system is not flexible enough and cannot randomly change the monitored system under the environments that the version of the operating system is continuously updated and iterated and the operating system is numerous in the market.

Claims (10)

1. A method for behavioral monitoring analysis, comprising:
establishing a virtual client candidate system set on a host machine, starting a corresponding virtual client according to a system selected by a user from the set, wherein the virtual client runs by adopting a binary instruction translation virtualization technology and corresponds to the system selected by the user one by one;
after the virtual client is started, a user controls the virtual client through a host machine to initialize a function monitoring function;
and after the initialization is finished, controlling the virtual client to perform behavior triggering, monitoring the running condition of the virtual client and outputting a monitoring log.
2. The behavior monitoring analysis method according to claim 1, wherein the host is a running platform of the virtual client, and the user selects any one system in the candidate system set of the virtual client as the operating system of the virtual client through the host to perform behavior triggering and monitoring on the virtual client.
3. The behavior monitoring analysis method according to claim 1, wherein the function of monitoring the initialization function performed by the virtual client is to add a customized system call to the virtual client system, and add a call instruction of the customized system call to the desired monitoring function to set a monitoring point for the target function.
4. The behavior monitoring analysis method according to claim 1, wherein the monitoring of the operation of the virtual client comprises monitoring of virtual client process creation behavior, virtual client instruction execution behavior, virtual client system call behavior, and virtual client function call behavior; in the action triggering, the triggered action comprises that a user manually clicks and inputs in the virtual client machine or writes a script automatically, so as to complete the system operation or install the running software.
5. The behavior monitoring analysis method according to claim 4, wherein the monitoring of the virtual client process creation behavior is implemented by modifying a process of creating a page table in the virtualization technology, and the process is specifically configured to, when the page table is created in the virtualization technology, mine virtual CPU information and virtual client memory information, determine whether a new process is created, and acquire new process information.
6. The behavior monitoring analysis method of claim 4, wherein the monitoring of the virtual client instruction execution behavior is implemented by modifying the flow of binary instruction translation performed by the virtualization technology, and specifically, when the virtual platform translates the virtual client binary instruction, the virtual client binary instruction is intercepted and converted into the assembly instruction.
7. The behavior monitoring analysis method according to claim 4, wherein the monitoring of the virtual client system call behavior is performed by parsing the monitored assembly instructions in real time and analyzing the semantics thereof to obtain the virtual client system call information.
8. The behavior monitoring analysis method according to claim 4, wherein the monitoring of the function call behavior of the virtual client is implemented by the specific process that after the virtual client is started, a user or a host controls the virtual client to initialize a function call monitoring function, a call instruction of a custom system call is inserted into the target function, and when the virtual client calls the target function, the call instruction can be monitored, so that the monitoring of the call of the target function is implemented.
9. A virtual client behavior monitoring system, characterized by comprising a virtual client system image maintenance module, a virtual client behavior monitoring initialization module and a virtual client behavior monitoring module, wherein: the virtual client system image maintenance module runs on a host and establishes a virtual client candidate system set, from which a user selects a system and starts the corresponding virtual client; the virtual client behavior monitoring initialization module initializes the behavior monitoring function of the virtual client and configures the function call monitoring function of the virtual client; and the virtual client behavior monitoring module, by modifying the virtual machine platform, monitors the instruction execution, process creation, system calls and function calls of the virtual client from the virtual machine layer and outputs a monitoring log.
10. The virtual client behavior monitoring system according to claim 9, wherein the host is the operating environment of the virtual client; through the host, a user selects any system in the virtual client candidate system set as the operating system of the virtual client, starts the virtual client using the virtual machine platform, and performs behavior triggering and monitoring on the virtual client; and the virtual machine platform has monitoring functions for virtual client process creation, instruction execution, system call and function call behaviors.
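The following added example (not part of the patent and not the applicant's code) shows how a monitoring log of the kind claims 5, 7 and 8 describe could be analyzed: new processes inferred from page-table information, system calls recovered from the translated assembly stream, and function calls recognized through an inserted custom system call. The log line format, the use of x86-64 Linux syscall numbers, the use of a previously unseen CR3 value as the new-process signal, and the marker number `0x1F40` with its function id in RDI are all assumptions.

```python
import re

# Constructed sample log: one translated guest instruction per line, with the
# guest page-table base (CR3), RAX and RDI captured at translation time.
SAMPLE_TRACE = """\
cr3=0x1a2b000 rax=0x0 rdi=0x0 mov rdi, rbx
cr3=0x1a2b000 rax=0x39 rdi=0x0 syscall
cr3=0x3c4d000 rax=0x3b rdi=0x0 syscall
cr3=0x3c4d000 rax=0x5 rdi=0x0 add rax, 1
cr3=0x3c4d000 rax=0x1f40 rdi=0x2 syscall
cr3=0x1a2b000 rax=0x1 rdi=0x1 syscall
"""

# x86-64 Linux numbers (assumption: the patent names no guest architecture).
SYSCALL_NAMES = {0x0: "read", 0x1: "write", 0x39: "fork", 0x3B: "execve"}
HOOK_SYSCALL = 0x1F40                        # hypothetical number reserved for hooks
HOOKED_FUNCTIONS = {2: "target_function_2"}  # hypothetical id passed in RDI

LINE_RE = re.compile(
    r"cr3=(0x[0-9a-f]+) rax=(0x[0-9a-f]+) rdi=(0x[0-9a-f]+) (.+)")


def analyze(trace):
    """Return (kind, cr3, detail) events derived from the instruction stream."""
    events, seen_cr3 = [], set()
    for line in trace.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue  # tolerate malformed or truncated log lines
        cr3, rax, rdi = (int(v, 16) for v in m.group(1, 2, 3))
        mnemonic = m.group(4).split()[0].lower()
        if cr3 not in seen_cr3:
            # A page-table base never seen before implies a new address space.
            seen_cr3.add(cr3)
            events.append(("process", cr3, "new address space"))
        if mnemonic != "syscall":
            continue
        if rax == HOOK_SYSCALL:
            # The custom system call marks a call to an instrumented function.
            events.append(("function", cr3, HOOKED_FUNCTIONS.get(rdi, f"id {rdi}")))
        else:
            events.append(("syscall", cr3, SYSCALL_NAMES.get(rax, f"nr {rax}")))
    return events


if __name__ == "__main__":
    for event in analyze(SAMPLE_TRACE):
        print(event)
```

Because the events are derived outside the guest, the analysis does not depend on any agent or log source that software inside the virtual client could alter.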
CN202010655805.5A 2020-07-09 2020-07-09 Behavior monitoring analysis method and system Active CN111831395B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010655805.5A CN111831395B (en) 2020-07-09 2020-07-09 Behavior monitoring analysis method and system

Publications (2)

Publication Number Publication Date
CN111831395A (en) 2020-10-27
CN111831395B (en) 2024-01-09

Family

ID=72900386

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010655805.5A Active CN111831395B (en) 2020-07-09 2020-07-09 Behavior monitoring analysis method and system

Country Status (1)

Country Link
CN (1) CN111831395B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007115425A1 (en) * 2006-03-30 2007-10-18 Intel Corporation Method and apparatus for supporting heterogeneous virtualization
CN101403983A (en) * 2008-11-25 2009-04-08 北京航空航天大学 Resource monitoring method and system for multi-core processor based on virtual machine
CN103294956A (en) * 2013-06-25 2013-09-11 北京奇虎科技有限公司 Method and device for processing behaviors on Windows platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
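Shen Jinan; Hu Junpeng; Liang Fang; Yang Jieyong: "Process behavior monitoring system based on API Hook", Journal of Yunnan University (Natural Sciences Edition), no. 03 *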

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112346946A (en) * 2020-11-13 2021-02-09 西安交通大学 User software operation behavior monitoring method and system based on control positioning
CN112346946B (en) * 2020-11-13 2022-06-21 西安交通大学 User software operation behavior monitoring method and system based on control positioning
CN112667361A (en) * 2020-12-31 2021-04-16 北京北信源软件股份有限公司 Management method and device based on system virtual machine, electronic equipment and storage medium
CN112667361B (en) * 2020-12-31 2023-10-17 北京北信源软件股份有限公司 Management method and device based on system virtual machine, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN111831395B (en) 2024-01-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant