CN100401224C - Computer anti-virus protection system and method - Google Patents


Info

Publication number: CN100401224C
Authority: CN (China)
Prior art keywords: program, behavior, virus, action, procedure
Legal status: Expired - Fee Related
Application number: CNB200510079638XA
Other languages: Chinese (zh)
Other versions: CN1885224A
Inventor: 刘旭
Current assignee: Beijing Dongfang Micropoint Information Technology Co ltd
Original assignee: DONGFANG MICRO-POINT INFORMATION SECURITY Co Ltd FUJIAN
Events: application CNB200510079638XA filed by DONGFANG MICRO-POINT INFORMATION SECURITY Co Ltd FUJIAN; published as CN1885224A; granted as CN100401224C; current status Expired - Fee Related

Abstract

The present invention relates to a computer anti-virus protection system and method based on program behavior analysis. The system comprises: a program judging part that identifies the programs present on the user's computer and divides them into normal programs and abnormal programs; a program monitoring part that monitors and records program behavior; a correlation analysis part that creates relevance trees (a load relevance tree and a creation relevance tree) and analyzes the correlation of program behavior through them; a virus identification knowledge base comprising a program behavior knowledge base and an attack recognition rule base; and an anti-virus protection identification part that compares the captured behavior against the information in the virus identification knowledge base and judges whether the program is a virus. The method improves efficiency, avoids the lag inherent in updating virus signature codes, and can effectively intercept unknown viruses and Trojans.

Description

Computer anti-virus protection system and method
Technical field
The present invention relates to a computer protection system and method. Unlike the prior art, it does not compare virus signature codes; instead it takes the actions performed by a program as its feature, i.e. it is a computer anti-virus protection system and method based on program behavior analysis.
Background technology
The struggle between computer virus intrusion and anti-intrusion has always been intense, and as computers are used more and more widely it has reached a new level. Through long practice, people have summarized many concrete methods for preventing virus intrusion and developed many corresponding protection products. These products fall broadly into two classes. One isolates intruding viruses: a firewall, for example, prevents the entry of intruding viruses by restricting communication ports, protocols and the like. The other searches for the infected malicious files that constitute the intrusion: existing antivirus software, for example, uses the code characteristics of infected files that may constitute an intrusion to find and remove harmful infected files by scanning. Although both kinds of product have played a part in the struggle against virus intrusion, each has shortcomings it cannot overcome:
(1) Although a firewall can block some illegal virus or hacker intrusions, what it monitors is mainly ports and protocols, and the user must configure whether each is allowed through or not. Its main defects are: 1. it requires the user to be very familiar with the system in order to configure it effectively; 2. because its monitoring granularity is too coarse, it basically cannot be configured for the ports and protocols that network applications must use: if these are allowed through, a virus or hacker attack may occur; if they are not allowed through, the normal operation of the network is directly affected.
(2) Antivirus software that relies on virus signatures will always lag behind the development of viruses, because a virus's signature can only be extracted after a sample of the virus has been captured. Such antivirus software therefore cannot guard against newly emerging unknown viruses; even a user equipped with antivirus software can still be harmed by such a virus, and the only remedy is to upgrade and update the virus database, a remedy that lags behind the appearance of the virus.
In addition to the passive protection systems above, the present inventor has also provided a virus protection method based on program behavior analysis; see the patent application entitled "Computer protection method based on program behavior analysis", application number 200510007682.X. That application proposed a brand-new anti-virus protection method: by analyzing the actions performed by a program, it judges whether a program on the computer is a harmful program or has been attacked by a virus, thereby overcoming the shortcomings of the passive protection systems described above.
Summary of the invention
The present invention is made to solve the shortcomings of the prior art and to further perfect the computer protection method based on program behavior analysis by providing a stronger system design for it. By analyzing the meaningful logical behavior formed by the related actions of a program, or between programs, it solves the problem that existing antivirus software and firewalls cannot effectively protect against unknown viruses and Trojans. Its purpose is to provide a computer anti-virus protection system that can actively and effectively intercept attacks by newly emerging viruses and Trojans and guarantee the safety of the computer.
The anti-virus protection system of the present invention takes an approach entirely different from the prior art: it defines the concept of a computer virus through program behavior, so that whether a program meets the definition of a virus can be judged from its behavior. Since manual analysis of program behavior is currently the only effective way of judging a new virus, the present invention proposes an anti-virus protection system that works by dynamic simulation: a new approach of identifying viruses according to program behavior, and a method of implementing it.
The computer anti-virus protection system of the present invention comprises: a program judging part, a program monitoring part, a correlation analysis part, a virus identification knowledge base and an anti-virus protection identification part.
The program judging part identifies the programs present on the user's computer and divides them into normal programs and abnormal programs.
Normal programs comprise: all known programs identified by comparing the programs on the computer against the known-program knowledge base described later; programs that have an icon on the computer desktop; and programs that appear in an installation package and are installed by an installer.
An installer is a program that, while running, has a window, creates a program group or a desktop icon, and creates an uninstall entry.
Abnormal programs are all programs other than the normal programs above. Most normal programs are known programs, or programs whose source can be determined, so their reliability is relatively high; abnormal programs, whose source is unclear, need to be monitored closely.
The purpose of distinguishing normal programs from abnormal programs is to model the influence a program has on the different kinds of program in the computer. A known program is highly reliable because it is already recorded in the virus identification knowledge base of the system. An unknown program created by an installer as defined above can also be regarded as a normal program, because it has a reliable source and follows the usual program installation process. Other unknown programs, however, have reliability that cannot be estimated and are therefore the objects of close monitoring by the present invention; that is, such a program is regarded as possibly harmful. This applies particularly to Trojans: once a Trojan enters a computer on which the system is installed, or begins to run, it is captured and judged to be an abnormal program according to the method of distinguishing normal from abnormal programs, and can therefore be closely monitored. Similarly, when a worm carries out a remote attack it usually attacks a known program and, if the attack succeeds, generates a program; that program is also judged to be an abnormal program according to the present invention. Distinguishing normal programs from abnormal programs is therefore an important component of the present invention.
The program monitoring part monitors and records a program by hooking its calls to system API (Application Programming Interface) functions. In existing operating systems a program usually needs to call the APIs provided by the system in order to execute, so the actions performed by a program can be monitored simply by hooking the program's system API calls.
The program behavior that is monitored and recorded comprises monitored actions and dangerous actions.
A monitored action is an action that may affect computer security and needs to be monitored in real time; at the same time it is a common action performed by computer programs, one that most normal programs must also perform. Monitored actions comprise: file operations; network operations; creating a process or creating a thread; registry operations; window and tray operations; stack overflow; injecting a thread; intercepting system API calls; and accessing, modifying and creating user accounts.
A dangerous action is first of all a monitored action, but one that during program execution may threaten computer security; it is an action that a minority of normal programs may perform but that most viruses or Trojans need to perform, so a program that performs such an action is more likely to be harmful. For example, a program raising its own run level: in Microsoft Windows, a program automatically elevating itself from the application layer (RING3) to the system layer (RING0) is a feature of only a minority of normal programs, but one shared by many aggressive viruses.
Dangerous actions comprise: calling a SHELL program; modifying program files or writing program files; calling FTP or TFTP; creating an FTP or TFTP service; sending mail; a browser or mail system automatically running another program; creating a large number of identical threads; modifying or creating user accounts; dangerous network operations; adding a startup item to the system registry; modifying system startup files; injecting a thread into another process; stack overflow; an application-layer process automatically elevating itself to run as a system-level process; and intercepting system API calls.
In addition there are non-monitored actions, i.e. actions that do not affect computer security and need not be monitored.
The correlation analysis part creates relevance trees and carries out correlation analysis of program behavior through them.
The relevance trees comprise a load relevance tree and a creation relevance tree, wherein:
In the load relevance tree each node represents a process and stores the action information recorded while the process runs together with its index into the creation relevance tree; the parent of each node is the process's parent process. The information stored in each node of the load relevance tree comprises:
the full path of the portable executable (PE) file; the full path of the loader; whether the file has a description; whether it autostarts; who created the autostart item; whether it created the autostart item itself; whether it was started by something other than its creator; its own process identifier (PID); the list of modified registry entries; the list of network actions started; whether it has a window or tray icon; and its parent process. The registry list has the following structure:
entry list, key name, value name, value. The network action list has the following structure: type, local port, local IP address, remote port, remote IP address, protocol used.
In the creation relevance tree each node represents a program and stores the information recorded when the program file was created together with its index into the load relevance tree; the parent of each node is its creator. The information stored in each node of the creation relevance tree comprises:
the full path of the PE file; the creator's full path; the creator's characteristic; whether the creator has a window; whether it is the same file as the creator; and whether it copies itself.
The creator's characteristic is a classification of all programs in the system into: unknown program, other known program, mail system, web browser and instant messaging system. Every program belongs to exactly one of these classes.
A program in the computer does not accomplish a specific function by a single action of a single program; the function is realized by the behavior formed from a series of actions of one program, or from a series of actions of several programs. Based on this characteristic, the system of the present invention must also analyze and judge the behavior formed by several related actions, earlier and later, of several related processes. The correlation analysis part is therefore established to comprehensively analyze and judge the relationships between programs and the behavior of programs.
The virus identification knowledge base comprises a program behavior knowledge base and an attack recognition rule base. The program behavior knowledge base is a database storing the analysis list obtained by analyzing, one by one through the program monitoring part, the actions performed by legitimate known programs. Its structure comprises:
program ID, program type, program run level, permission to write PE files, permission to call the system SHELL, network behavior and registry operations. The program type is a program classification enumeration dividing programs into those that can be buffer-overflowed and ordinary applications. The structure of the network behavior comprises:
network connection action type, port numbers used and connection description, where the connection description comprises local port, local address, remote port, remote address and protocol used. The structure of the registry operations comprises:
the number of registry items operated on by the program and the key value of each operation.
The program behavior knowledge base is built by using the software to inspect the local computer and adding records of known-program behavior for the known programs the user already uses; this forms the program behavior knowledge base of the local computer, which is supplemented according to the user's needs with the known programs the user will use.
The attack recognition rule base summarizes the rules of virus analysis and identification; it is a database recording the attack features of harmful programs such as computer viruses and Trojans. Each record corresponds to one class of virus, each class corresponds to one behavior set, and each behavior set comprises a series of actions and the specific relationships among them; these relationships include the temporal relationship between earlier and later actions and the relationship of calling and being called.
The structure of the attack recognition rule base comprises: the full path of the executable PE file; the creator's full path; the creator's characteristic; whether the creator has a window; whether it is the same file as the creator; whether it copies itself; whether the file has a description; whether it autostarts; who created the autostart item; whether it was started by something other than its creator; whether it created the autostart item itself; whether it has a window or tray icon; the list of modified registry entries; and the list of network actions. The sub-structure of the modified registry entry list comprises: entry list, key name, value name and value; the sub-structure of the network action list comprises: type, local port, local address, remote port, remote address and protocol used.
The attack recognition rule base comprises:
Virus rule one,
A) a program running at the user layer (RING3) transfers itself into running at the system core layer (RING0);
Virus rule two,
B) the program is not antivirus software, has no window, and modifies program files unrelated to itself;
Remote attack rule one,
C) after receiving data through a listening port, the program immediately calls a SHELL program;
Remote attack rule two,
D) after receiving data through a listening port, a buffer overflow occurs in the program;
Remote attack rule three,
E) after receiving data through a listening port, the program immediately calls the Trivial File Transfer Protocol (TFTP) program;
Mail worm rule one,
F) the program was generated automatically by the mail system; while running it modifies the autostart item of the registry, has no window and no tray icon, and immediately begins sending mail;
Suspicious Trojan rule one,
G) the program was generated automatically by the mail system; while running it modifies the autostart item of the registry, has no window and no tray icon, and immediately begins creating a listening port;
Internet worm rule,
H) while an abnormal program runs, none of its associated programs has a window, and the abnormal program copies itself, modifies the registry so that it or its copy autostarts with the system, and performs actions including sending packets, creating a listening port, injecting a thread into another process, creating a global hook and sending mail;
Worm-type virus rule,
I) an abnormal program whose file was received through the mail system or instant messaging (IM) software and which, once running, takes control of the keyboard or mouse and, imitating the user, automatically sends mail through the mail system or automatically sends files through the IM software;
Worm-type virus rule,
J) an abnormal program that has no window while running, creates more than 10 identical threads, and within 1 second each thread performs the action of sending packets.
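The two relevance trees and three of the rules above (C, F and J) are sketched below as an added example; it is not the patent's code. Its event vocabulary (listen, recv, shell, registry, sendmail, create_thread, send_packet), the one-second reading of "immediately", the Run-key test for an autostart item, the thread entry point as the notion of "identical threads" and the sample processes are all assumptions. What it shows is how a rule combines node fields from the trees (creator's characteristic, window and tray state, the registry and network action lists) with the ordering of actions in one judgment.

```python
from dataclasses import dataclass, field

IMMEDIATE = 1.0  # seconds; the rules say "immediately" without a number (assumed value)

@dataclass
class Event:  # one recorded action of a process (constructed event vocabulary)
    t: float      # seconds since process start
    kind: str     # listen / recv / shell / registry / sendmail / create_thread / send_packet
    detail: dict = field(default_factory=dict)

@dataclass
class CreateNode:  # creation relevance tree node: a program file and its creator
    path: str
    creator_path: str
    creator_class: str          # unknown / known / mail / browser / im
    creator_has_window: bool
    copies_self: bool

@dataclass
class LoadNode:  # load relevance tree node: a process; parent is its parent process
    pid: int
    path: str
    parent: "LoadNode | None" = None
    has_window: bool = False
    has_tray: bool = False
    events: list = field(default_factory=list)
    creation: "CreateNode | None" = None   # index into the creation tree

    def record(self, t, kind, **detail):
        self.events.append(Event(t, kind, detail))

def _autorun_modified(node):  # registry autostart item touched (Run key; assumed spelling)
    return any(e.kind == "registry" and "\\Run" in e.detail.get("key", "") for e in node.events)

def _follows_recv(node, kind):  # `kind` within IMMEDIATE s after data arrived on a port we listen on
    listening, last_recv = set(), None
    for e in sorted(node.events, key=lambda e: e.t):
        if e.kind == "listen":
            listening.add(e.detail["port"])
        elif e.kind == "recv" and e.detail.get("port") in listening:
            last_recv = e.t
        elif e.kind == kind and last_recv is not None and e.t - last_recv <= IMMEDIATE:
            return True
    return False

def rule_c_remote_shell(node):  # C) listening port -> data received -> SHELL called
    return _follows_recv(node, "shell")

def rule_f_mail_worm(node):  # F) mail-system child, hidden, sets autostart, then sends mail
    return (node.creation is not None and node.creation.creator_class == "mail"
            and not node.has_window and not node.has_tray and _autorun_modified(node)
            and any(e.kind == "sendmail" for e in node.events))

def rule_j_flooding_threads(node, min_threads=10, window=1.0):
    # J) no window, more than 10 identical threads (same entry), each sends a packet within 1 s
    if node.has_window:
        return False
    created, first_send, by_entry = {}, {}, {}
    for e in node.events:
        if e.kind == "create_thread":
            created[e.detail["tid"]] = e.t
            by_entry.setdefault(e.detail["entry"], []).append(e.detail["tid"])
        elif e.kind == "send_packet":
            first_send.setdefault(e.detail["tid"], e.t)
    return any(len(tids) > min_threads
               and all(tid in first_send and first_send[tid] - created[tid] <= window for tid in tids)
               for tids in by_entry.values())

RULES = {
    "remote attack rule one (C)": rule_c_remote_shell,
    "mail worm rule one (F)": rule_f_mail_worm,
    "worm-type virus rule (J)": rule_j_flooding_threads,
}

def evaluate(node):  # names of the attack recognition rules the process matches
    return [name for name, rule in RULES.items() if rule(node)]

def sample_mail_worm():  # constructed: mail client drops a hidden file that persists and mails
    mail = LoadNode(1200, r"C:\Program Files\Mail\mail.exe", has_window=True)
    worm = LoadNode(1340, r"C:\Windows\System32\svch0st.exe", parent=mail)
    worm.creation = CreateNode(worm.path, mail.path, "mail", True, copies_self=True)
    worm.record(0.1, "registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
    worm.record(0.4, "sendmail", to="a@example.invalid")
    return worm

def sample_remote_shell():  # constructed: a service spawns a shell right after input on its port
    svc = LoadNode(880, r"C:\Windows\System32\svc.exe")
    svc.record(0.0, "listen", port=4444)
    svc.record(5.2, "recv", port=4444, length=1024)
    svc.record(5.3, "shell", cmd="cmd.exe")
    return svc

def sample_flooding_worm():  # constructed: 12 identical sender threads within half a second
    worm = LoadNode(2020, r"C:\Windows\Temp\net.exe")
    for tid in range(12):
        worm.record(tid * 0.01, "create_thread", tid=tid, entry="0x401000")
        worm.record(0.5 + tid * 0.01, "send_packet", tid=tid, dst="10.0.0.1")
    return worm
```

Note that rule F is never true for a process without a creation-tree node, and rule C ignores data received on ports the process did not itself open; both are the correlation the text asks for, not a single-action match.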
As described above, because the system of the present invention performs correlation analysis on a program when monitoring its behavior after it starts, building the load relevance tree and the creation relevance tree, the relevant information can easily be queried when the behavior is later compared against the program behavior knowledge base and the attack recognition rule base.
The anti-virus protection identification part receives the program behavior captured by the program monitoring part, combines it with the information from the program judging part, compares the captured behavior against the information in the program behavior knowledge base or the attack recognition rule base, and calls the correlation analysis part to judge whether the program is a virus.
Therefore the parts of the system of the present invention communicate with one another according to their different functions, enabling the anti-virus protection identification part to judge accurately whether a program is a harmful program such as a virus.
The computer anti-virus protection method of the present invention comprises the steps:
16.1) after a computer program starts, hook the program's system API function calls;
16.2) monitor the program's actions and record them in the load relevance tree;
16.3) judge whether the action is the creation of a program;
16.4) if the program has performed a program-creation action, add the program creation information to the creation relevance tree, judge whether the created program is a normal program, and record the result;
if the program has not performed a program-creation action, judge whether the action is a dangerous action;
16.5) if the action is not a dangerous action, return to step 16.2); if the program has performed a dangerous action, the anti-virus protection identification part judges whether the behavior is harmful program behavior;
16.6) if the result is not harmful program behavior, return to step 16.2); if the result is harmful program behavior, the anti-virus protection identification part processes the program accordingly.
In step 16.5) of the method, known programs and unknown programs are judged separately.
For a known program, the dangerous action it performed is compared with the legitimate behavior recorded in the program behavior knowledge base to judge whether the program has been attacked; if the comparison shows the behavior is legitimate, return to step 16.2); if not, the program has been attacked by a virus and is stopped from continuing to run.
For an unknown program, the dangerous action it performed is compared with the rules recorded in the attack recognition rule base of the virus identification knowledge base to judge whether the program is a harmful program;
if the result is yes, the program is stopped from running; if not, return to step 16.2). In the method of the present invention a known program is a program recorded in the program behavior knowledge base, and an unknown program is any program other than a known program.
In the method of the present invention, judging whether a known program has been attacked comprises the steps:
19.1) monitor and capture the dangerous action performed by the known program;
19.2) compare the captured dangerous action with the information in the program behavior knowledge base and judge whether it is legitimate behavior;
19.3) if yes, return to step 19.1); if not, judge according to the definition in the program behavior knowledge base whether to terminate the process;
19.4) if yes, call the system API to terminate the current process of the known program; if not, call the system API to terminate the current thread of the known program.
In step 19.3) the knowledge base may define that when a system process is overflowed, the system API is called to terminate the current thread. To guarantee the security of the system the attacked program's process is normally terminated, but when a system process is attacked the current thread is terminated instead, to guarantee the stability of the system.
In the system of the present invention, judging whether an unknown program is a harmful program comprises the steps:
22.1) monitor and capture the dangerous action performed by the unknown program;
22.2) judge whether it is a normal program;
22.3) if it is a normal program, record the monitored behavior in the program behavior knowledge base and return to step 22.1); if it is not a normal program, compare the behavior with the rules in the attack recognition rule base and judge whether it is harmful program behavior;
22.4) if not, return to step 22.1); if it is harmful program behavior, ask the user to confirm whether the current action is allowed;
22.5) if the user allows the current action, identify the program as a normal program, record the behavior in the program behavior knowledge base and return to step 22.1); if the user does not allow the action, call the system API function to terminate the current process of the unknown program.
In addition, in step 22.5), according to the user's needs the system API may be called directly to terminate the current process of the unknown program.
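The decision flow of steps 16.5), 19.1)-19.4) and 22.1)-22.5) above, as an added example rather than the patent's code. The knowledge-base row follows the structure given earlier for the program behavior knowledge base (program ID, program type, run level, permission to write PE files, permission to call the SHELL, network behavior, registry operations). The action vocabulary, the wildcard convention for connections, the `info` dict describing how a program was installed, the injected `matches_attack_rule` and `ask_user` callables (standing in for the attack recognition rule base and the user prompt) and the constructed knowledge base `KB` are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class ProgramType(Enum):  # "program type" enumeration of the behavior knowledge base
    OVERFLOWABLE = "can be buffer-overflowed"
    ORDINARY = "ordinary application"

@dataclass
class Connection:  # connection description; 0 / "*" mean "any" (assumed wildcard convention)
    local_port: int
    remote_port: int = 0
    protocol: str = "tcp"
    remote_addr: str = "*"

@dataclass
class BehaviorRecord:  # one row of the program behavior knowledge base
    program_id: str
    program_type: ProgramType
    run_level: str                    # "RING3" or "RING0"
    may_write_pe: bool = False
    may_call_shell: bool = False
    network: list = field(default_factory=list)        # allowed Connection objects
    registry_keys: list = field(default_factory=list)  # allowed registry keys
    is_system_process: bool = False

@dataclass
class DangerousAction:  # kind: write_pe / shell / connect / registry / overflow / elevate (assumed)
    kind: str
    detail: dict = field(default_factory=dict)

class Verdict(Enum):
    CONTINUE = "return to monitoring"
    TERMINATE_THREAD = "terminate current thread"
    TERMINATE_PROCESS = "terminate current process"
    LEARNED = "recorded as normal behavior"

def is_legitimate(rec, action):  # step 19.2: compare with the program's recorded legitimate behavior
    d = action.detail
    if action.kind == "write_pe":
        return rec.may_write_pe
    if action.kind == "shell":
        return rec.may_call_shell
    if action.kind == "elevate":
        return rec.run_level == "RING0"
    if action.kind == "registry":
        return d["key"] in rec.registry_keys
    if action.kind == "connect":
        return any(c.local_port == d["local_port"] and c.remote_port in (0, d["remote_port"])
                   and c.protocol == d["protocol"] and c.remote_addr in ("*", d["remote_addr"])
                   for c in rec.network)
    return False  # an overflow is never legitimate behavior

def judge_known(rec, action):  # steps 19.1-19.4 for a program present in the knowledge base
    if is_legitimate(rec, action):
        return Verdict.CONTINUE
    # Step 19.3: the knowledge base defines that an overflowed system process
    # loses only the current thread, to keep the system stable.
    if rec.is_system_process and action.kind == "overflow":
        return Verdict.TERMINATE_THREAD
    return Verdict.TERMINATE_PROCESS

def is_normal_program(info):  # program judging part; `info` is a constructed dict about the program
    # installer = has a window, creates a program group or desktop icon, creates an uninstall entry
    inst = info.get("installer") or {}
    by_installer = bool(inst) and inst["has_window"] and inst["creates_uninstall_entry"] and (
        inst["creates_program_group"] or inst["creates_desktop_icon"])
    return info.get("desktop_icon", False) or info.get("in_install_package", False) or by_installer

def learn(kb, program_id, action):  # record the action as legitimate; the program becomes known
    rec = kb.setdefault(program_id, BehaviorRecord(program_id, ProgramType.ORDINARY, "RING3"))
    d = action.detail
    if action.kind == "write_pe":
        rec.may_write_pe = True
    elif action.kind == "shell":
        rec.may_call_shell = True
    elif action.kind == "registry":
        rec.registry_keys.append(d["key"])
    elif action.kind == "connect":
        rec.network.append(Connection(d["local_port"], d["remote_port"], d["protocol"], d["remote_addr"]))

def judge_unknown(kb, program_id, info, action, matches_attack_rule, ask_user):
    """Steps 22.1-22.5. `matches_attack_rule(action)` stands in for the attack recognition
    rule base; `ask_user(program_id, action)` returns True when the user allows the action."""
    if is_normal_program(info):
        learn(kb, program_id, action)
        return Verdict.LEARNED
    if not matches_attack_rule(action):
        return Verdict.CONTINUE
    if ask_user(program_id, action):
        learn(kb, program_id, action)
        return Verdict.LEARNED
    return Verdict.TERMINATE_PROCESS

# Constructed local knowledge base: a web server allowed only tcp/80, and an overflowable system process.
KB = {
    "httpd": BehaviorRecord("httpd", ProgramType.OVERFLOWABLE, "RING3", network=[Connection(80)]),
    "svchost": BehaviorRecord("svchost", ProgramType.OVERFLOWABLE, "RING3", is_system_process=True),
}
```

The two branches differ in what they learn: a known program is never extended by its own dangerous actions (an unexpected action means it was attacked), while an unknown program that the user allows, or that qualifies as normal, has the action written into its knowledge-base row and is judged as a known program from then on.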
The above describes each component and the working principle of the computer anti-virus protection system of the present invention.
It should be noted that when the system of the present invention analyzes harmful program behavior, it does not judge from a single action of a program; it judges whether the program is a virus from the meaningful behavior constituted by a series of actions of the program's source, the program itself or its installation package. This information is recorded in the load tree or the creation tree by the correlation analysis part as early as the moment the program starts running or is created. For example, a Trojan, in order to persist on a computer for a long time, usually copies itself into a system directory, so that it has more than one copy, and these copies cooperate while running. For a single copy it may be difficult to judge that the behavior is that of a virus, but judged together with the loading and creation relationships of the whole it is easy to judge it to be a virus. Program correlation analysis is an important component of the present invention.
Description of drawings
Fig. 1 is the block diagram of the computer anti-virus protection system of the present invention;
Fig. 2 is a schematic diagram of the load relevance tree of the computer anti-virus protection system of the present invention;
Fig. 3 is a schematic diagram of the creation relevance tree of the computer anti-virus protection system of the present invention;
Fig. 4 is the flowchart of the computer anti-virus protection method of the present invention;
Fig. 5 is the flowchart by which the computer anti-virus protection system of the present invention judges whether a known program has been attacked;
Fig. 6 is the flowchart by which the computer anti-virus protection system of the present invention judges whether an unknown program is a harmful program.
Embodiment
Below in conjunction with specific embodiment computer anti-virus protection system of the present invention and method are elaborated, in order to understand the convenient content of the present invention of understanding, to be that example describes with the Windows of Microsoft operating system commonly used among the embodiment, but the present invention not only be confined to this.
The block scheme of computer anti-virus protection system of the present invention as shown in Figure 1, comprising: program judging part, monitoring part, correlation analysis portion, virus identification knowledge base, antivirus protection identification part, each part all has its specific function.Respectively various piece is described in detail below.
Described program judging part is used for identifying the program that subscriber computer exists, and these programs are divided into normal procedure and unusual program.Wherein normal procedure comprises: all known procedure that the program in the computing machine and aftermentioned program behavior knowledge base are compared and identified, the program that icon is arranged on the computer desktop, the program that appears at the program in the package and installed by installation procedure is confirmed as normal program through the user.Wherein said installation procedure is window to be arranged, creation procedure group or establishment desktop icons, and the anti-program that item is installed of establishment during operation.Described unusual program, that is, and the whole programs except that aforementioned normal procedure.
As mentioned above normal procedure be security preferably, the higher program of reliability, therefore, the differentiation for normal procedure and unusual program can provide foundation for the judgement of security of system.
Program monitoring portion: monitoring, logging program action behavior.This part by collude hang programming system API (Application Programming Interface: application programming interface) function call to program monitor, record.Usually need carry out calling of API that system provides when existing operating system, program are carried out, therefore, only need can monitor the performed action behavior of program by colluding system's API Calls of extension program.
The actions performed by a computer program are divided into: monitored actions, dangerous actions and non-monitored actions.
Monitored actions are actions that may affect computer security and must be monitored in real time. They are also common actions performed by computer programs, which most normal programs must perform as well.
Monitored actions comprise: file operations; network operations; creating processes and creating threads; registry operations; window and tray operations; stack overflow; injecting threads; intercepting system API calls; and accessing, modifying and creating user accounts.
A dangerous action is first of all a monitored action, and one which, while the program runs, may threaten computer security. Dangerous actions may be performed by a minority of normal programs, but they are actions that most virus or Trojan programs need to perform, so a program that performs such an action is potentially far more harmful. For example, a program may change its own privilege level: in Microsoft Windows, a program that elevates itself from the application level (RING3) to the system level (RING0) is a feature that only a few normal programs have, but one shared by many aggressive virus programs.
Dangerous actions comprise: calling the SHELL program; modifying program files or writing program files; calling FTP or TFTP; creating an FTP or TFTP service; sending mail; a browser or mail system automatically running another program; creating a large number of identical threads; modifying and creating user accounts; dangerous network operations; adding startup items to the system registry; modifying system startup files; injecting threads into other processes; stack overflow; an application-level process automatically elevating itself to run as a system-level process; and intercepting system API calls.
Correlation analysis part: creates relevance trees and performs correlation analysis of program behavior through them. The relevance trees comprise a loading relevance tree and a creation relevance tree.
In the loading relevance tree, each node represents a process and stores the action behavior information of the process while it runs, together with its index information in the creation relevance tree; the parent node of each node is its parent process. The entity structure of a node is:
struct RuntimePEFileInMem
{
    char FileName[MAX_PATH];        // full path of the PE file
    char LoaderFileName[MAX_PATH];  // full path of the loader
    char LoaderDescription;         // whether the file has a description
    char AutoRun;                   // whether it is self-starting
    char WhoWriteAutoRun;           // who created the self-starting item:
                                    //   0 unknown; 1 itself; 2 the creator
    char CharacterOfSelf;           // other characteristics of itself
    BOOLEAN RunByCreator;           // whether it was started by its creator
    BOOLEAN RunBySelf;              // whether it created and started itself
    BOOLEAN CreateWindow;           // whether it has a window or tray icon
    UINT ppid;                      // pid of the parent process
    LIST_ENTRY RegList;             // linked list of modified registry entries
    LIST_NET ListNetAction;         // linked list of network actions
}
The RegList structure is as follows:
struct REG_DATA
{
    LIST_ENTRY List;
    char Key[];
    char ValueName[];
    char Value[];
}
struct LIST_NET
{
    int type;
    short lport;
    IPADDR lipaddr;
    short dport;
    IPADDR dipaddr;
    short protocol;
};
The structure of the loading relevance tree is explained in detail below, taking the loading of the MSN and ICQ software under Microsoft Windows as an example, as shown in Figure 2.
The figure shows the association relationship of system process loading. Those skilled in the art can clearly grasp the loading relationship of each process from it, and can see that, starting from computer start-up, the system processes are loaded first and then each user's software step by step; the loading relevance tree therefore changes and is updated continually as the system runs. Building this loading relevance tree makes it easy to understand the running state of each process on the computer and simplifies process management.
In the creation relevance tree, each node represents a program and stores the relevant information from when the program file was created, together with its index information in the loading relevance tree; the parent node of each node is its creator.
The information stored in each node of the creation relevance tree comprises:
the full path of the PE file, the full path of the creator, the characteristics of the creator, whether the creator has a window, whether the file is the same file as the creator, and whether the file copied itself.
The characteristics of the creator are one of: unknown program, other known program, mail system, web browser, or internet exchange system. The entity structure is as follows:
struct StaticPEFileInMem
{
    char FileName[MAX_PATH];        // full path of the PE file
    char CreatorName[MAX_PATH];     // full path of the creator
    char CharacterOfCreator;        // characteristics of the creator:
                                    //   -1 unknown program;
                                    //    0 other known program;
                                    //    1 mail program;
                                    //    2 web browser;
                                    //    3 internet exchange system (such as MSN, ICQ)
    char NoWindowOfCreator;         // whether the creator has a window
    char SameAsCreator;             // whether it is the same file as the creator
    char CopySelf;                  // whether it copied itself
}
The structure of the creation relevance tree is explained in detail below, taking Microsoft Windows as an example, as shown in Figure 3.
The figure shows the association relationship of system program creation. Those skilled in the art can clearly grasp the creation relationship of each program from it, and can see that the MSN and OUTLOOK programs were created by the misexec program. The initial parent-child relationship of program creation, once recorded in the creation relevance tree, is saved for later use as a system log; the creation relevance tree therefore does not change while the computer runs.
Virus identification knowledge base: comprises the program behavior knowledge base and the attack recognition rule base.
The program behavior knowledge base is a database in which the actions performed by legitimate known programs are analysed and tabulated one by one by the program monitoring part described above, and the resulting analysis tables are stored.
Its structure description comprises: program ID, program type, program run level, permission to write PE files, permission to call the system SHELL, network behavior and registry operations. The program type is an enumeration of program classes, divided into programs that can suffer a buffer overflow and ordinary applications. The structure description of the network behavior comprises: the type of network connection action, the number of ports used and the connection descriptions; each connection description comprises: local port, local address, remote port, remote address and protocol used. The structure description of the registry operations comprises: the number of registry entries operated on by the program and the key value of each operation.
The entity description of the program behavior knowledge base structure is as follows:
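A minimal in-memory model of the two trees just described, populated from hooked events. This is an added example and not the patent's own code: the RelevanceTrees class, the event methods (on_process_start, on_file_create, on_autorun_write), the PROGRAM_CHARACTER table that stands in for the program judging part, and the constructed scenario in build_sample_trees (a mail attachment that copies itself into the system directory and launches the copy) are all this example's assumptions. The node fields follow the RuntimePEFileInMem and StaticPEFileInMem structures above; RunByCreator is derived by comparing a process's loader with the file's recorded creator, and RunBySelf additionally requires the file to be a copy of that creator.

```python
"""Added example (not the patent's own code): loading relevance tree and
creation relevance tree built from a constructed sequence of hook events."""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UNKNOWN, KNOWN, MAILER, BROWSER, IM = -1, 0, 1, 2, 3  # CharacterOfCreator values

# Constructed classification table standing in for the program judging part.
PROGRAM_CHARACTER = {"outlook.exe": MAILER, "iexplore.exe": BROWSER,
                     "msnmsgr.exe": IM, "explorer.exe": KNOWN}


def character_of(file_name: str) -> int:
    return PROGRAM_CHARACTER.get(ntpath.basename(file_name).lower(), UNKNOWN)


@dataclass
class LoadNode:  # a running process (RuntimePEFileInMem); parent = parent process
    pid: int
    file_name: str
    loader_file_name: str
    ppid: Optional[int]
    create_window: bool = False
    auto_run: bool = False
    run_by_creator: bool = False   # launched by the process that wrote the file
    run_by_self: bool = False      # launched by its creator and a copy of it
    reg_list: List[tuple] = field(default_factory=list)  # (key, value name, value)


@dataclass
class CreateNode:  # a program file (StaticPEFileInMem); parent = its creator
    file_name: str
    creator_name: Optional[str]
    character_of_creator: int = UNKNOWN
    no_window_of_creator: bool = True
    same_as_creator: bool = False  # this file is a copy of its creator
    copy_self: bool = False        # this file has written a copy of itself


class RelevanceTrees:
    def __init__(self) -> None:
        self.load: Dict[int, LoadNode] = {}      # by pid; changes as the system runs
        self.create: Dict[str, CreateNode] = {}  # by path; append-only, like a log

    def on_process_start(self, pid: int, file_name: str, ppid: Optional[int],
                         has_window: bool = False) -> LoadNode:
        parent = self.load.get(ppid)
        loader = parent.file_name if parent else "<system>"
        node = LoadNode(pid, file_name, loader, ppid, create_window=has_window)
        cnode = self.create.get(file_name)
        if cnode is not None:
            node.run_by_creator = cnode.creator_name == loader
            node.run_by_self = node.run_by_creator and cnode.same_as_creator
        self.load[pid] = node
        return node

    def on_file_create(self, creator_pid: int, new_file: str,
                       same_content: bool) -> CreateNode:
        creator = self.load[creator_pid]
        # give the creator its own node so the creation chain can be walked upward
        self.create.setdefault(creator.file_name, CreateNode(creator.file_name, None))
        if same_content:
            self.create[creator.file_name].copy_self = True
        cnode = CreateNode(new_file, creator.file_name,
                           character_of_creator=character_of(creator.file_name),
                           no_window_of_creator=not creator.create_window,
                           same_as_creator=same_content)
        self.create[new_file] = cnode
        return cnode

    def on_autorun_write(self, pid: int, key: str, value_name: str, value: str) -> None:
        self.load[pid].reg_list.append((key, value_name, value))
        self.load[pid].auto_run = True

    def loader_chain(self, pid: int) -> List[str]:
        """Process, its parent, its grandparent, ... up the loading tree."""
        chain, cur = [], self.load.get(pid)
        while cur is not None:
            chain.append(cur.file_name)
            cur = self.load.get(cur.ppid)
        return chain

    def creator_chain(self, file_name: str) -> List[str]:
        """File, its creator, the creator's creator, ... up the creation tree."""
        chain, cur = [], self.create.get(file_name)
        while cur is not None:
            chain.append(cur.file_name)
            cur = self.create.get(cur.creator_name) if cur.creator_name else None
        return chain


def build_sample_trees() -> RelevanceTrees:
    """Constructed scenario: a mail attachment copies itself into the system
    directory, launches the copy, and the copy registers itself to autorun."""
    t = RelevanceTrees()
    t.on_process_start(100, r"C:\Windows\explorer.exe", None, has_window=True)
    t.on_process_start(200, r"C:\Office\outlook.exe", 100, has_window=True)
    t.on_file_create(200, r"C:\Temp\attach.exe", same_content=False)
    t.on_process_start(300, r"C:\Temp\attach.exe", 100)           # user runs it
    t.on_file_create(300, r"C:\Windows\system32\svc.exe", same_content=True)
    t.on_process_start(400, r"C:\Windows\system32\svc.exe", 300)  # run by its creator
    t.on_autorun_write(400, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                       "svc", r"C:\Windows\system32\svc.exe")
    return t
```

Keeping the two trees in separate maps reflects the distinction the text draws: the loading tree is keyed by pid and is rebuilt every boot, while the creation tree is keyed by file path and is kept as a log, which is why creator_chain can still be answered for a file whose creating process has long since exited.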
struct Know
{
    DWORD type1;             // program class enumeration; currently divided into two
                             // classes, programs that can suffer a buffer overflow and
                             // ordinary applications, described as
                             // enum KnowType { OVERFLOW, NORMAL }
    BOOL bAllowedWriteFile;  // whether this program may write executable PE files
    BOOL bCreateShell;       // whether this program may call the system shell
    DWORD NetOffset;         // offset in the knowledge base file of this program's
                             // network behavior description
    DWORD RegOffset;         // offset in the knowledge base file of this program's
                             // registry operation behavior description
};
In the program behavior knowledge base, the following separate structure is used to describe the network action behavior of the program:
struct Net
{
    short type2;             // type of network connection action, divided into two
                             // classes, listen and connect, described as
                             // enum NetType { Listen, Connect }
    int num;                 // number of ports involved
    ListenPort port[];
};
ListenPort, the specific description of each connection, is represented by the following structure:
struct ListenPort
{
    short lport;             // local port used
    IPADDR lipaddr;          // local address used
    short dport;             // remote port connected to
    IPADDR dipaddr;          // remote address connected to
    short protocol;          // protocol used, following the TCP/IP protocol definition
};
In the program behavior knowledge base, the following separate structure is used to describe the registry operation action behavior of the program:
struct Reg
{
    int num;                 // number of registry entries operated on
    char fullregname[];      // key value of each operation
};
The program behavior knowledge base is built by using the software to inspect the local computer and adding records of the known-program behavior corresponding to the known programs the user already uses; this forms the program behavior knowledge base of the local computer, which is supplemented according to the known programs the user will use, thereby saving system resources.
The attack recognition rule base summarises the rules for anti-virus analysis and recognition and records the attack features of computer viruses, Trojans and harmful programs. Each record corresponds to one class of virus, and each class of virus corresponds to a set of behaviors; this set comprises a series of actions and the specific association relationships between them, including the temporal relationship between preceding and following actions and the calling and called relationships.
The structure of the attack recognition rule base comprises: the full path of the executable PE file, the full path of the creator, the characteristics of the creator, whether the creator has a window, whether the file is the same file as the creator, whether it copied itself, whether the file has a description, whether it is self-starting, who created the self-starting item, whether it was started by its creator, whether it created its own self-starting item, whether it has a window or tray icon, the linked list of modified registry entries and the linked list of network actions. The sub-structure of the modified registry entry list comprises: entry list, key name, value name and value. The sub-structure of the network action list comprises: type, local port, local address, remote port, remote address and protocol used.
The data structure entity of each record is:
struct UnknowPEFileInMem
{
    char WeighofDanger;             // danger weight
    char FileName[MAX_PATH];        // full path of the newly created PE file
    char CreatorName[MAX_PATH];     // full path of the creator
    char CharacterOfCreator;        // characteristics of the creator
    char NoWindowOfCreator;         // whether the creator has a window
    char SameAsCreator;             // whether it is the same file as the creator
    char CopySelf;                  // whether it copied itself: the creator is marked
                                    // CopySelf and the copied file SameAsCreator,
                                    // which distinguishes the two
    char FileDescription;           // whether the file has a description
    char AutoRun;                   // whether it is self-starting
    char WhoWriteAutoRun;           // who created the self-starting item
    BOOLEAN RunByCreator;           // whether it was started by its creator
    BOOLEAN RunBySelf;              // whether it created and started itself
    BOOLEAN bCreateWindow;          // whether it has a window or tray icon
    LIST_ENTRY RegList;             // linked list of modified registry entries
    LIST_NET ListNetAction;         // linked list of network actions
}
The specific data values and descriptions of the creator characteristic "CharacterOfCreator" above are:
-1: unknown program;
0: other known program;
1: mail system;
2: web browser;
3: internet exchange system (such as QQ, MSN);
The specific data values and descriptions of "WhoWriteAutoRun", who created the self-starting item, are:
0: unknown;
1: itself;
2: the creator;
3: both itself and the creator can write it
The sub-data structure entity of the modified registry entry linked list is:
struct REG_DATA
{
    LIST_ENTRY List;    // entry list
    char Key[];         // key name
    char ValueName[];   // value name
    char Value[];       // value
}
The sub-data structure entity of the network action linked list is:
struct LIST_NET
{
    int type;           // type
    short lport;        // local port
    IPADDR lipaddr;     // local IP address
    short dport;        // remote port
    IPADDR dipaddr;     // remote IP address
    short protocol;     // protocol used
};
The attack recognition rule base comprises:
Virus rule one,
A) a program running at the user level RING3 transfers to running at the system kernel level RING0;
Virus rule two,
B) the program is not antivirus software, has no window, and modifies program files of other programs unrelated to it;
Remote attack rule one,
C) after the program receives data through a listening port, it immediately calls the SHELL program;
Remote attack rule two,
D) after the program receives data through a listening port, a buffer overflow occurs;
Remote attack rule three,
E) after the program receives data through a listening port, it immediately calls the Trivial File Transfer Protocol program tftp;
Mail worm rule one,
F) the program was generated automatically by the mail system, modifies the self-starting item of the registry while running, has no window and no tray icon, and immediately begins to send mail;
Suspicious Trojan rule one,
G) the program was generated automatically by the mail system, modifies the self-starting item of the registry while running, has no window and no tray icon, and immediately begins to create a listening port;
Internet worm rule
H) while an abnormal program runs, none of its associated programs has a window, and the abnormal program copies itself, modifies the registry so that itself or its copy is self-starting in the system, and performs actions including sending data packets, creating a listening port, implanting a thread into other processes, creating a global hook and sending mail.
Worm virus rule
I) an abnormal program whose program file was received through the mail system or instant messaging (IM) software and which, after running, takes control of the keyboard or mouse and simulates user actions to send mail automatically through the mail system or to send files automatically through the IM software.
Worm virus rule
J) an abnormal program that has no window while running, creates more than 10 identical threads, and within 1 second each thread sends data packets.
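The rules A) to J) above, written as predicates over one program's observed behavior record. This is an added example and not the patent's own code: the field names, the event vocabulary (listen_recv, call_shell, buffer_overflow, call_tftp, send_mail, create_listen_port, send_packet, inject_thread, global_hook, im_send_file) and the one-second reading of "immediately" are this example's assumptions, and rule H) is read as requiring at least one of the listed worm actions rather than all of them. The constructed records mirror the walk-throughs later in the text: a listening service that overflows after receiving data (rule D), a mail-dropped program that registers itself to autorun and opens a listening port (rule G), and a windowless flooder with sixteen sending threads (rule J).

```python
"""Added example (not the patent's own code): attack recognition rules A)-J)
as predicates over a constructed per-program behavior record."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

UNKNOWN, KNOWN, MAILER, BROWSER, IM = -1, 0, 1, 2, 3  # CharacterOfCreator values
IMMEDIATE = 1.0  # assumption: "immediately" means within one second

# An event is (seconds since process start, action name, thread id).
Event = Tuple[float, str, int]
WORM_ACTIONS = {"send_packet", "create_listen_port", "inject_thread",
                "global_hook", "send_mail"}


@dataclass
class Behavior:
    is_abnormal: bool = True
    is_antivirus: bool = False
    created_by: int = UNKNOWN        # CharacterOfCreator of the file's creator
    received_from: int = UNKNOWN     # MAILER or IM if the file arrived that way
    has_window: bool = False
    has_tray: bool = False
    assoc_have_window: bool = False  # any program in its loader/creator chain has a window
    modifies_autorun: bool = False
    copies_self: bool = False
    ring3_to_ring0: bool = False
    modifies_unrelated_program_file: bool = False
    simulates_user_input: bool = False
    identical_threads: int = 0
    events: List[Event] = field(default_factory=list)


def _times(b: Behavior, name: str) -> List[float]:
    return [t for t, n, _ in b.events if n == name]


def _follows(b: Behavior, first: str, second: str, within: float = None) -> bool:
    """Some `second` event happens after some `first` event (optionally within a bound)."""
    return any(t2 >= t1 and (within is None or t2 - t1 <= within)
               for t1 in _times(b, first) for t2 in _times(b, second))


def _starts_with(b: Behavior, name: str) -> bool:
    """The action occurs within IMMEDIATE seconds of process start."""
    return any(t <= IMMEDIATE for t in _times(b, name))


def _max_threads_sending_in_one_second(b: Behavior) -> int:
    sends = [(t, th) for t, n, th in b.events if n == "send_packet"]
    return max((len({th for t, th in sends if t0 <= t <= t0 + 1.0})
                for t0, _ in sends), default=0)


RULES: Dict[str, Callable[[Behavior], bool]] = {
    "A": lambda b: b.ring3_to_ring0,
    "B": lambda b: (not b.is_antivirus and not b.has_window
                    and b.modifies_unrelated_program_file),
    "C": lambda b: _follows(b, "listen_recv", "call_shell", IMMEDIATE),
    "D": lambda b: _follows(b, "listen_recv", "buffer_overflow"),
    "E": lambda b: _follows(b, "listen_recv", "call_tftp", IMMEDIATE),
    "F": lambda b: (b.created_by == MAILER and b.modifies_autorun and not b.has_window
                    and not b.has_tray and _starts_with(b, "send_mail")),
    "G": lambda b: (b.created_by == MAILER and b.modifies_autorun and not b.has_window
                    and not b.has_tray and _starts_with(b, "create_listen_port")),
    "H": lambda b: (b.is_abnormal and not b.assoc_have_window and b.copies_self
                    and b.modifies_autorun
                    and any(n in WORM_ACTIONS for _, n, _ in b.events)),
    "I": lambda b: (b.is_abnormal and b.received_from in (MAILER, IM)
                    and b.simulates_user_input
                    and any(n in ("send_mail", "im_send_file") for _, n, _ in b.events)),
    "J": lambda b: (b.is_abnormal and not b.has_window and b.identical_threads > 10
                    and _max_threads_sending_in_one_second(b) >= b.identical_threads),
}


def match_rules(b: Behavior) -> List[str]:
    """Labels of every rule the behavior record satisfies, in rule order."""
    return [name for name, pred in RULES.items() if pred(b)]


# Constructed sample records (not captured data).
LSASS_HIT = Behavior(is_abnormal=False,
                     events=[(0.0, "listen_recv", 1), (0.2, "buffer_overflow", 1)])
MAIL_DROPPED = Behavior(created_by=MAILER, modifies_autorun=True,
                        events=[(0.3, "create_listen_port", 1)])
FLOOD_WORM = Behavior(identical_threads=16,
                      events=[(0.05 * i, "send_packet", i) for i in range(16)])
BENIGN_SERVER = Behavior(is_abnormal=False, has_window=True,
                         events=[(0.0, "listen_recv", 1), (5.0, "call_shell", 1)])
```

The record deliberately separates static facts taken from the creation tree (created_by, copies_self, assoc_have_window) from the timed event list taken from the loading tree, because rules C to G and J are about ordering and timing while A, B, H and I are mostly about provenance; a matcher that only looks at the current action, as the text warns, cannot express the first group at all.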
Antivirus protection identification part: receives the action behavior captured by the program monitoring part, combines it with the information of the program judging part, compares the captured program behavior with the information in the virus identification knowledge base, calls the correlation analysis part when necessary, and judges whether the program is a virus program.
It should be noted that the computer anti-virus protection system of the present invention analyses program behavior in order to judge whether the program is a harmful program. Therefore, when searching the virus identification knowledge base, it does not search only for the program's current action; it also combines the program's previous actions so that the program's behavior as a whole is analysed and judged.
Embodiments of the invention are explained in detail below, taking virus attacks as examples.
For a known program whose behavior description states that it may not modify program files, if other program files are nevertheless modified while it runs, this dangerous action is caught by system monitoring and compared with the legal behavior of that known program stored in the program behavior knowledge base; since the actions differ, it can be judged that the known program must have been infected by a virus. This method can detect viruses such as CIH: when a known program infected by CIH or a similar virus runs, it attempts to infect other PE files, so it can be stopped without any knowledge of the virus itself, which avoids giving newly created viruses an opportunity because of the lag in virus signature updates.
Embodiments of the invention are explained next using the interception of the Sasser virus. The Sasser worm differs from other worms in that it does not send mail; its working principle is to open a back door locally. It listens on TCP port 5554 and waits for remote control commands as an FTP server, providing file transfer in FTP form, through which an attacker can steal files and other information from the user's machine. The virus opens 128 scanning threads which, starting from the local IP address, pick IP addresses at random and aggressively probe port 445, attempting to exploit a buffer overflow vulnerability in LSASS of the Windows operating system; a successful attack infects the other machine with the virus and starts the next round of propagation.
When a computer infected with Sasser sends an attack packet to a computer using the protection system of the present invention, the LSASS process of the local computer overflows and the overflow code calls GetProcAddress, which is caught by the monitoring mechanism of the present invention and judged to be a buffer overflow; moreover, before the overflow, the LSASS process received data from the system's ports 139 and 445, which matches rule d) above. The present invention can therefore accurately judge this remote attack, and the system calls ExitThread to end the thread, so that the Sasser worm cannot take its next action and the local computer is effectively protected.
Embodiments of the invention are explained further using the interception of the well-known reverse-connection Trojan "Black Hole". Because it is an unknown program, its process start-up is caught immediately by the monitoring system of the present invention, and the program creates neither an application window nor a system tray icon. After starting, it modifies the registry startup item to ensure that it starts automatically the next time the user logs in; this action is a dangerous action and is also caught by the monitoring system. The process then continues and connects to a remote web server to obtain the address and port of the client service so as to connect to it and transmit information. Once this network action is captured, the actions above are compared together against the rules in the attack recognition rule base; they match rule g) of the attack recognition rule base, so the program is judged to be a suspicious Trojan and the user is alerted, with the attribute of this illegal program described as a suspicious Trojan so that the user understands the information more accurately. This avoids the situation of existing firewall systems, which alert whenever a network action occurs and require the user to judge the alert, and so avoids trouble for users with less computer knowledge.
The "Network Thief" chain Trojan software enters the user's system by means such as mail. When it runs for the first time it copies itself into the system directory and sets the hidden attribute, then starts the copy in the system directory and exits. When the copy finds itself already in the system directory it does not copy again but directly modifies the registry startup item to make itself self-starting; then, according to the remote server information it carries, it connects to the remote server, supplies the current computer's information and accepts remote control. When this copy attempts to send local machine information to the remote server, the judgement of the anti-virus protection system of the present invention on the program is triggered: first, it is an abnormal program; through the creation relationship it is found that its creator is also an abnormal program, that it had no window when creating this copy, and that it copied itself. Through the process relationship tree it is found that its loader and its creator are the same program and that the copy has set a self-starting item, so we know that this is the program's first run (if it were not the first run, its loader would be Explorer); at the same time it attempts to send data packets to a remote address. It can then be accurately judged that this virus matches rule h), and from the virus's creation relationship its origin can be known, for instance the mail system, so that the culprit can be traced further using this information.
The MSN "Sexy Chicken" virus impersonates a contact and sends itself to the user; if the user mistakenly saves and runs it, its creator is MSN, and it takes control of the keyboard or mouse and simulates the user sending itself to the MSN contacts, completing virus propagation. This virus therefore matches rule i) and can be identified as a harmful program.
Moreover, because the computer anti-virus protection system of the present invention performs correlation analysis on a program when monitoring its behavior after start-up, and has built the loading relevance tree and the creation relevance tree, relevant information can be called up easily when program behavior is analysed, making searches of the virus identification knowledge base efficient and saving system overhead.
Although viruses are diverse, as harmful programs each class of virus has common destructive methods, so by grasping the common features of the actions by which a class of virus program does damage, it can be detected effectively and stopped before it damages the computer system. The present invention is built on exactly these characteristics of virus programs: not only does it have higher execution efficiency and lower system overhead than existing antivirus software, but, most importantly, it effectively protects the computer system from damage by newly created harmful programs such as viruses and Trojans.
To make the implementation of the invention clearer, the computer protection method of the invention is now explained in detail.
Figure 1 is the block diagram of the computer anti-virus protection system of the invention. As shown, the program monitoring part sends the captured monitored actions and dangerous actions to the correlation analysis part to build the loading tree and the creation tree; at the same time a dangerous action triggers the antivirus protection identification part to analyse the program behavior; during analysis, the antivirus protection identification part also needs to call the information in the program judging part, the virus recognition rule base and the correlation analysis part to complete the judgement of whether the program behavior is harmful.
As shown in Figure 4, the method of the computer anti-virus protection system of the invention comprises the following steps:
16.1) after a computer program starts, hook the system API function calls of the program;
16.2) monitor the actions of the program and record them in the loading relevance tree;
16.3) judge whether the action is a program-creating action;
16.4) if the program has performed a program-creating action, add the program creation information to the creation relevance tree, judge whether the created program is a normal program, and record it;
if the program has not performed a program-creating action, judge whether the action is a dangerous action;
16.5) if the action is not a dangerous action, return to step 16.2); if the program has performed a dangerous action, the antivirus protection identification part judges whether the action behavior is harmful program behavior;
16.6) if the judgement is not harmful program behavior, return to step 16.2); if the judgement is harmful program behavior, the antivirus protection identification part processes the program accordingly.
In the computer anti-virus protection method of the invention, step 16.5) judges known programs and unknown programs separately: for a known program, the action behavior of the program is compared with the legal action behavior of the known program recorded in the program behavior knowledge base; for an unknown program, the action behavior of the program is compared with the rules recorded in the attack recognition rule base. In this way it can be judged respectively whether a known program is under virus attack and whether an unknown program is a harmful program. The steps by which the antivirus protection identification part judges and handles known programs and unknown programs are explained in detail below.
As shown in Figure 5, judging whether a known program is under attack comprises the following steps:
19.1) monitor and capture the dangerous action performed by the known program;
19.2) compare the captured dangerous action with the information in the program behavior knowledge base and judge whether it is legal behavior;
19.3) if the judgement is yes, return to step 19.1); if the judgement is no, judge according to the definition in the program behavior knowledge base whether to end the process;
19.4) if the judgement is yes, call the system API to end the current process of the known program; if the judgement is no, call the system API to end the current thread of the known program.
In step 19.3), the knowledge base definition is: when a system process overflows, call the system API to end the current thread.
Among known programs, quite a few provide the underlying services of the system; ending such programs directly would cause the system to restart or even crash. Therefore, in the present invention, the programs in the program behavior knowledge base are defined so that when such a system program suffers an overflow only its current thread is ended. As described above, this ensures the security of the system without affecting its operation, keeping the system running stably, and avoids the problem of existing virus firewall tools, which, when checking and killing a virus in a critical system service program, damage important system program files and affect system stability. For example, in Microsoft Windows, Lsass.exe is a system service program; if it suffers an overflow its process cannot be ended, since that would restart the system and cause instability. By defining it in the program behavior knowledge base according to the method of the invention, the thread of the program in which the overflow occurred is ended, which guarantees system security while blocking the harmful program's damage to the system. Microsoft's Word word-processing software, for example, is also at risk of overflow, but because it is not a system service, according to the method of the invention and the program behavior knowledge base definition the whole Word process can be ended to protect the security of the system.
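The known-program path of steps 19.1) to 19.4), including the thread-versus-process decision of step 19.3), against a constructed program behavior knowledge base. This is an added example, not the patent's own code: the Know, Net and NetType names follow the structures given earlier in the text, the run_level field stands in for the "program run level" the text lists, and reading SYSTEM-level OVERFLOW-class programs as the "system processes" whose thread rather than process is ended is this example's interpretation. The knowledge base entries (lsass.exe, winword.exe, explorer.exe and their ports and keys) are constructed sample data.

```python
"""Added example (not the patent's own code): judging a known program's captured
dangerous action against its program behavior knowledge base record."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class KnowType(Enum):      # the text's enum KnowType { OVERFLOW, NORMAL }
    OVERFLOW = 1           # program that can suffer a buffer overflow
    NORMAL = 2


class NetType(Enum):       # the text's enum NetType { Listen, Connect }
    Listen = 1
    Connect = 2


@dataclass
class Net:                 # struct Net with its ListenPort entries flattened
    type2: NetType
    ports: List[Tuple[int, int]]   # (lport, dport); 0 means "any"


@dataclass
class Know:                # struct Know, offsets replaced by the records they point to
    type1: KnowType
    run_level: str                  # "SYSTEM" or "USER" (assumption, see lead-in)
    b_allowed_write_file: bool
    b_create_shell: bool
    net: List[Net] = field(default_factory=list)
    reg: List[str] = field(default_factory=list)   # struct Reg: fullregname[]


@dataclass
class DangerousAction:
    kind: str                       # write_pe | call_shell | buffer_overflow | net | reg
    net_type: Optional[NetType] = None
    lport: int = 0
    dport: int = 0
    reg_key: str = ""


# Constructed knowledge base keyed by program ID (here the image name).
KNOWLEDGE_BASE: Dict[str, Know] = {
    "lsass.exe": Know(KnowType.OVERFLOW, "SYSTEM", False, False,
                      net=[Net(NetType.Listen, [(139, 0), (445, 0)])],
                      reg=[r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"]),
    "winword.exe": Know(KnowType.OVERFLOW, "USER", False, False),
    "explorer.exe": Know(KnowType.NORMAL, "USER", False, True,
                         reg=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"]),
}


def is_legal(action: DangerousAction, know: Know) -> bool:
    """Step 19.2: is the captured action part of the program's recorded legal behavior?"""
    if action.kind == "write_pe":
        return know.b_allowed_write_file
    if action.kind == "call_shell":
        return know.b_create_shell
    if action.kind == "buffer_overflow":
        return False               # an overflow is never part of a legal profile
    if action.kind == "net":
        return any(n.type2 == action.net_type
                   and any(lp in (0, action.lport) and dp in (0, action.dport)
                           for lp, dp in n.ports)
                   for n in know.net)
    if action.kind == "reg":       # the recorded key or anything beneath it
        return any(action.reg_key == k or action.reg_key.startswith(k + "\\")
                   for k in know.reg)
    return False


def judge_known(program: str, action: DangerousAction,
                kb: Dict[str, Know] = KNOWLEDGE_BASE) -> str:
    """Steps 19.3-19.4: returns 'allow', 'end_thread' or 'end_process'.
    Raises KeyError for programs absent from the knowledge base; those are
    unknown programs and take the attack-rule-base path instead."""
    know = kb[program]
    if is_legal(action, know):
        return "allow"
    if (action.kind == "buffer_overflow" and know.type1 is KnowType.OVERFLOW
            and know.run_level == "SYSTEM"):
        return "end_thread"        # system service: end only the overflowed thread
    return "end_process"
```

The legality check is a whitelist: anything the knowledge base does not record for that program is treated as illegal, which is what lets an infected known program be caught without any signature for the infecting code, exactly as the CIH discussion above describes.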
As shown in Figure 6, judging whether an unknown program is a harmful program comprises the following steps:
22.1) monitor and capture the dangerous action performed by the unknown program;
22.2) judge whether the unknown program is a normal program;
22.3) if it is a normal program, record the monitored action behavior in the program behavior knowledge base and return to step 22.1); if it is not a normal program, compare with the rules in the attack recognition rule base and judge whether it is harmful program behavior;
22.4) if the judgement is no, return to step 22.1); if the judgement is harmful program behavior, have the user confirm whether to allow the current action;
22.5) if the user confirms that the current action is allowed, identify the program as a normal program, record the action behavior in the program behavior knowledge base and return to step 22.1); if the user does not allow the action, call the system API function to end the current process of the unknown program.
In addition, in step 22.5), the system API may be called directly to end the current process of the unknown program according to the user's needs, which is more convenient for users with less computer knowledge.
As described above, the computer anti-virus protection system of the invention not only intercepts known virus programs effectively but can also actively detect and intercept unknown viruses, Trojans and other harmful programs, thereby guaranteeing the security of the computer system.
Moreover, the computer anti-virus protection system of the invention fundamentally avoids the drawback of existing antivirus software, which can only identify existing viruses and whose virus database updates always lag behind the appearance of new viruses; it establishes a completely new computer anti-virus protection system and is of epoch-making significance for the field of computer security.
From the description above, those working in the field of the invention can make various changes and modifications without departing from the technical idea of the invention. The technical scope of the invention is therefore not limited to the content of the specification but must be determined according to the scope of the claims.

Claims (23)

1. a computer anti-virus protection system is characterized in that, comprises as the lower part:
Program judging part: be used for identifying the program that subscriber computer exists, and these programs are divided into normal procedure and unusual program;
Program monitoring portion: hang programming system application programming interface function call prize procedure action behavior, the line item of going forward side by side by colluding;
Correlation analysis portion: create relevance tree, and correlation analysis is carried out in the program behavior behavior by this relevance tree; Described relevance tree comprises the loading relevance tree and creates relevance tree;
Virus identification knowledge base: comprise the program behavior knowledge base and attack the recognition rule storehouse;
Antivirus protection identification part: receive the action behavior that aforementioned program monitoring portion program is caught, information in conjunction with aforementioned program judging part, the action behavior of catching and information in the virus identification knowledge base are compared, and whether call correlation analysis portion when needed be that Virus is made judgement to this program.
2. The computer anti-virus protection system according to claim 1, characterized in that:
the normal programs comprise: all known programs identified by comparing the programs on the computer with a known-program knowledge base; programs that have an icon on the computer desktop; programs that appear in an installation package and are installed by an installer;
the abnormal programs are the programs other than the above normal programs.
3. The computer anti-virus protection system according to claim 2, characterized in that the basis for judging an installer is that it has a window, creates a program group or creates a desktop icon, and creates an uninstall item while it runs.
4. The computer anti-virus protection system according to claim 1, characterized in that in the loading relevance tree each node represents a process and stores the action behaviour information of that process while it runs together with its index information in the creation relevance tree; the parent node of each node is its parent process.
5. The computer anti-virus protection system according to claim 4, characterized in that the information stored in each node of the loading relevance tree comprises:
the full path of the portable executable file, the full path of the loader, whether the file has a description, whether it self-starts, who created the self-start item, other characteristics of itself, whether it was started by someone other than its creator, whether it created its own start item, whether it has a window or tray icon, the process identifier of the parent process, a modified-registry-entry linked list, and a network action linked list.
6. The computer anti-virus protection system according to claim 5, characterized in that the registry linked list comprises the following structure: entry list, key name, value name, value.
7. The computer anti-virus protection system according to claim 5, characterized in that the network action linked list comprises the following structure: type, local port, local IP address, remote port, remote IP address, protocol used.
8. The computer anti-virus protection system according to claim 1, characterized in that in the creation relevance tree each node represents a program and stores the related information from when that program file was created together with its index information in the loading relevance tree; the parent node of each node is its creator.
9. The computer anti-virus protection system according to claim 8, characterized in that the information stored in each node of the creation relevance tree comprises:
the full path of the portable executable file, the full path of the creator, the characteristics of the creator, whether the creator has a window, whether it is the same file as the creator, and whether it is a copy of itself.
10. The computer anti-virus protection system according to claim 9, characterized in that the creator characteristics are a classification of all programs in the system, comprising: unknown program, mail system, web browser, internet communication system, other known program.
11. The computer anti-virus protection system according to claim 1, characterized in that the program behaviour knowledge base is a database in which, by hooking the application programming interface functions of the computer system, the action behaviours performed by legitimate known programs are analysed one by one into a list, and that analysis list is stored;
the attack recognition rule base is a database which, by hooking the application programming interface functions of the computer system, records the attack behaviour characteristics of computer viruses, Trojans and harmful programs; each record corresponds to one virus class, each virus class corresponds to one behaviour set, and a behaviour set comprises a series of actions and the relationships among them.
12. The computer anti-virus protection system according to claim 11, characterized in that the attack recognition rule base comprises the following internet worm rule:
H) while an abnormal program runs, none of its associated programs has a window, and the abnormal program copies itself, modifies the registry so that itself or its copy has the system self-start function, and performs actions including sending packets, creating a listening port, injecting a thread into other processes, creating a global hook, or sending mail.
13. The computer anti-virus protection system according to claim 11, characterized in that the attack recognition rule base comprises the following worm virus rule:
I) an abnormal program whose program file was received through a mail system or instant messaging (IM) software and which, after it runs, drives the keyboard or mouse to simulate the user's actions and sends mail automatically through the mail system or sends files automatically through the IM software.
14. The computer anti-virus protection system according to claim 11, characterized in that the attack recognition rule base comprises the following worm virus rule:
J) an abnormal program has no window while it runs, creates more than 10 identical threads, and within 1 second every thread performs the action of sending packets.
15. The computer anti-virus protection system according to claim 1, characterized in that the antivirus protection identification part judges known programs and unknown programs separately:
a dangerous action performed by a known program is compared with the action behaviour recorded in the program behaviour knowledge base to judge whether it is a legitimate action;
a dangerous action performed by an unknown program is compared with the virus rules recorded in the attack recognition rule base to judge whether it is harmful action behaviour.
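The following is an added example, not code from the patent or its assignee, that models the loading relevance tree of claims 4-5 and evaluates the claim 12 and claim 14 rules against it as the antivirus protection identification part of claim 15 would for an unknown program. All names, action labels, paths and the one-second sliding-window reading of claim 14 are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Dangerous actions named in the claim 12 rule (action names constructed for this example).
WORM_ACTIONS = {"send_packet", "create_listening_port", "inject_thread",
                "create_global_hook", "send_mail"}

@dataclass
class ProcessNode:
    """Node of the loading relevance tree (claims 4-5): one running process whose
    parent node is its parent process. The fields follow the claim 5 record."""
    pe_path: str
    parent: Optional["ProcessNode"] = None
    is_normal: bool = False        # verdict of the program judging part (claim 2)
    has_window: bool = False       # window or tray icon
    copied_self: bool = False
    self_start: bool = False       # registry change gave itself or its copy an autostart item
    actions: list = field(default_factory=list)       # recorded dangerous action names
    thread_sends: list = field(default_factory=list)  # (thread id, seconds) per packet send

    def chain(self):
        """This process and every ancestor in the loading tree: its associated programs."""
        node = self
        while node is not None:
            yield node
            node = node.parent

def internet_worm_rule(p: ProcessNode) -> bool:
    """Claim 12: no window anywhere in the chain, copies itself, autostart through
    the registry, and at least one of WORM_ACTIONS."""
    if p.is_normal or any(n.has_window for n in p.chain()):
        return False
    return p.copied_self and p.self_start and bool(WORM_ACTIONS & set(p.actions))

def thread_flood_rule(p: ProcessNode, min_threads: int = 10, window_s: float = 1.0) -> bool:
    """Claim 14: no window, more than 10 identical threads, and every thread sends a
    packet within one second (assumed reading: some 1 s interval holds a send from each)."""
    if p.is_normal or p.has_window:
        return False
    threads = {tid for tid, _ in p.thread_sends}
    if len(threads) <= min_threads:
        return False
    sends = sorted(p.thread_sends, key=lambda s: s[1])
    for i, (_, t0) in enumerate(sends):
        if {tid for tid, t in sends[i:] if t - t0 <= window_s} == threads:
            return True
    return False

# Attack recognition rule base (claim 11): one record per virus class.
RULE_BASE = {"internet worm": internet_worm_rule, "thread flood worm": thread_flood_rule}

def classify(p: ProcessNode) -> list:
    """Virus classes whose rule the captured behaviour matches (claim 15, unknown program)."""
    return [name for name, rule in RULE_BASE.items() if rule(p)]

def sample_tree() -> dict:
    """Constructed loading tree: a windowless dropper loads a self-copying child and a thread flooder."""
    dropper = ProcessNode(r"C:\Temp\dropper.exe")
    worm = ProcessNode(r"C:\Temp\svc_update.exe", parent=dropper, copied_self=True,
                       self_start=True, actions=["send_packet", "create_listening_port"])
    flood = ProcessNode(r"C:\Temp\scan.exe", parent=dropper,
                        thread_sends=[(tid, 0.05 * tid) for tid in range(11)])
    return {"dropper": dropper, "worm": worm, "flood": flood}
```

Giving the dropper a window makes the claim 12 rule stop matching its child, which is the point of walking the whole chain rather than looking at one process.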
16. A computer anti-virus protection method, characterized in that it comprises the following steps:
16.1) after a computer program starts, hook the system application programming interface (dynamic link library) function calls of that program;
16.2) monitor the actions of the program and record the program's actions in the loading relevance tree;
16.3) judge whether the action is a program-creation action;
16.4) if the program performed a program-creation action, add the program creation information to the creation relevance tree, judge whether the created program is a normal program, and record the result;
if the program did not perform a program-creation action, judge whether the action is a dangerous action;
16.5) if the action is not a dangerous action, return to step 16.2); if the program performed a dangerous action, the antivirus protection identification part judges whether the action behaviour is harmful program behaviour;
16.6) if the judgement is not harmful program behaviour, return to step 16.2); if the judgement is harmful program behaviour, the antivirus protection identification part processes the program accordingly.
17. The computer anti-virus protection method according to claim 16, characterized in that in step 16.5) known programs and unknown programs are judged separately.
18. The computer anti-virus protection method according to claim 16 or 17, characterized in that for a known program the dangerous action it performs is compared with the legitimate action behaviour recorded in the program behaviour knowledge base to judge whether it is under attack;
if the comparison finds legitimate action behaviour, return to step 16.2); if not, this proves that the known program has been subjected to a virus attack, and the program is stopped from continuing to run.
19. The computer anti-virus protection method according to claim 18, characterized in that the judgement of whether a known program is under attack comprises the following steps:
19.1) monitor and capture the dangerous action performed by the known program;
19.2) compare the captured dangerous action with the information in the program behaviour knowledge base and judge whether it is legitimate behaviour;
19.3) if the judgement is yes, return to step 19.1); if it is no, judge according to the definition in the program behaviour knowledge base whether to end the process;
19.4) if the judgement is yes, call the system application programming interface to end the current process of the known program; if it is no, call the system application programming interface to end the current thread of the known program.
20. The computer anti-virus protection method according to claim 19, characterized in that in step 19.3) the knowledge base definition is: when a system process is overflowed, call the system application programming interface to end the current thread.
21. The computer anti-virus protection method according to claim 16 or 17, characterized in that for an unknown program the dangerous action it performs is compared with the virus rules recorded in the attack recognition rule base to judge whether the program is a harmful program;
if the judgement is yes, stop the program from running; if it is no, return to step 16.2).
22. The computer anti-virus protection method according to claim 17, characterized in that the judgement of whether an unknown program is a harmful program comprises the following steps:
22.1) monitor and capture the dangerous action performed by the unknown program;
22.2) judge whether it is a normal program;
22.3) if it is a normal program, record the monitored action behaviour in the program behaviour knowledge base and return to step 22.1); if it is not a normal program, compare the action with the rules in the attack recognition rule base and judge whether it is harmful program behaviour;
22.4) if the judgement is no, return to step 22.1); if it is harmful program behaviour, have the user confirm whether to allow the current action;
22.5) if the user confirms that the current action is allowed, mark the program as a normal program, record the action behaviour in the program behaviour knowledge base, and return to step 22.1); if the user does not allow the action, call the system application programming interface function to end the current process of the unknown program.
23. The computer anti-virus protection method according to claim 22, characterized in that in step 22.5), according to the user's needs, the system application programming interface is called directly to end the current process of the unknown program.
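The decision loop of claims 16-23, as an added example that is not the patent's own code: one captured action at a time is recorded, dispatched to the known-program path (knowledge base comparison, end thread or end process per claims 18-20) or the unknown-program path (rule base, user confirmation, learning per claims 21-23). The action names, the knowledge base layout, the hypothetical worm_rule and the "disposition" strings are assumptions of this example; the real system would act on the verdict through the operating system API.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Dangerous actions as this example models them (constructed names, not from the patent text).
DANGEROUS = {"copy_self", "modify_registry", "send_packet", "create_listening_port",
             "inject_thread", "create_global_hook", "send_mail"}

@dataclass
class KnowledgeBase:
    """Program behaviour knowledge base (claims 11, 18-20): dangerous actions each legitimate
    known program was seen to perform, and the actions answered by ending a thread (claim 20)."""
    allowed: Dict[str, Set[str]] = field(default_factory=dict)
    end_thread_on: Dict[str, Set[str]] = field(default_factory=dict)

@dataclass
class Program:
    path: str
    known: bool            # present in the known-program knowledge base (claim 15)
    normal: bool           # verdict of the program judging part (claim 2)
    history: List[str] = field(default_factory=list)   # actions recorded in the loading tree

def handle_action(prog: Program, action: str, kb: KnowledgeBase,
                  rules: List[Callable[[Program], bool]],
                  ask_user: Callable[[Program, str], bool]) -> str:
    """One pass of the claim 16 loop for a single captured action. Returns the
    disposition: 'continue', 'end_process' or 'end_thread'."""
    prog.history.append(action)                       # 16.2: record in the loading tree
    if action == "create_process":                    # 16.3/16.4: creation tree, not modelled
        return "continue"
    if action not in DANGEROUS:                       # 16.5: harmless action
        return "continue"
    if prog.known:                                    # claims 18-20: known program
        if action in kb.allowed.get(prog.path, set()):
            return "continue"                         # legitimate, recorded behaviour
        # A known program doing what it never does is treated as under attack (claim 18);
        # steps 19.3/19.4 with the claim 20 definition pick thread or process termination.
        if action in kb.end_thread_on.get(prog.path, set()):
            return "end_thread"
        return "end_process"
    if prog.normal:                                   # 22.2/22.3: learn a normal program
        kb.allowed.setdefault(prog.path, set()).add(action)
        return "continue"
    if not any(rule(prog) for rule in rules):         # 22.3/22.4: no attack rule matched
        return "continue"
    if ask_user(prog, action):                        # 22.5: user allows the action
        prog.normal = True
        kb.allowed.setdefault(prog.path, set()).add(action)
        return "continue"
    return "end_process"                              # 22.5 / claim 23

def run(prog, actions, kb, rules, ask_user):
    """Feed captured actions in order; stop at the first disposition other than
    'continue' and report it with the index of the action that triggered it."""
    for i, action in enumerate(actions):
        verdict = handle_action(prog, action, kb, rules, ask_user)
        if verdict != "continue":
            return verdict, i
    return "continue", len(actions)

def worm_rule(p: Program) -> bool:
    """Hypothetical attack rule in the claim 12 spirit: self-copy, autostart and network use."""
    seen = set(p.history)
    return {"copy_self", "modify_registry"} <= seen and bool(
        {"send_packet", "create_listening_port", "send_mail"} & seen)
```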
CNB200510079638XA 2005-06-23 2005-06-23 Computer anti-virus protection system and method Expired - Fee Related CN100401224C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200510079638XA CN100401224C (en) 2005-06-23 2005-06-23 Computer anti-virus protection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB200510079638XA CN100401224C (en) 2005-06-23 2005-06-23 Computer anti-virus protection system and method

Publications (2)

Publication Number Publication Date
CN1885224A CN1885224A (en) 2006-12-27
CN100401224C true CN100401224C (en) 2008-07-09

Family

ID=37583397

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200510079638XA Expired - Fee Related CN100401224C (en) 2005-06-23 2005-06-23 Computer anti-virus protection system and method

Country Status (1)

Country Link
CN (1) CN100401224C (en)

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350054B (en) 2007-10-15 2011-05-25 北京瑞星信息技术有限公司 Method and apparatus for automatically protecting computer noxious program
CN101350053A (en) * 2007-10-15 2009-01-21 北京瑞星国际软件有限公司 Method and apparatus for preventing web page browser from being used by leak
CN101350052B (en) 2007-10-15 2010-11-03 北京瑞星信息技术有限公司 Method and apparatus for discovering malignancy of computer program
CN101604361A (en) * 2008-06-11 2009-12-16 北京奇虎科技有限公司 A kind of detection method of Malware and device
CN101872400B (en) * 2009-04-24 2012-10-17 北京中天安泰信息科技有限公司 Method for establishing computer information security protection capable of judging security of computer operation request according to associative relation of computing system operation request
CN101996287B (en) * 2009-08-13 2012-09-05 财团法人资讯工业策进会 Method and system for removing malicious software
CN102012982A (en) * 2010-11-17 2011-04-13 许丽涛 Method and device for protecting safe operation of intelligent device
CN102982043B (en) * 2011-09-07 2015-12-02 腾讯科技(深圳)有限公司 The disposal route of PE file and device
CN102521101B (en) * 2011-12-08 2015-05-13 曙光信息产业(北京)有限公司 Illegal job monitor method based on process scanning
CN102737203B (en) * 2012-07-13 2015-10-21 珠海市君天电子科技有限公司 Virus defense method and system based on program parent-child gene relationship
CN103020524B (en) * 2012-12-11 2015-08-05 北京奇虎科技有限公司 Computer virus supervisory system
CN103902892B (en) * 2012-12-24 2017-08-04 珠海市君天电子科技有限公司 Behavior-based virus defense method and system
CN103428212A (en) * 2013-08-08 2013-12-04 电子科技大学 Malicious code detection and defense method
CN103810427B (en) * 2014-02-20 2016-09-21 中国科学院信息工程研究所 A kind of malicious code hidden behaviour method for digging and system
CN106033511A (en) * 2015-03-17 2016-10-19 阿里巴巴集团控股有限公司 Method and device for preventing website data from leaking
CN104899514B (en) * 2015-06-17 2018-07-31 上海斐讯数据通信技术有限公司 The detection method and system of mobile terminal from malicious behavior based on guidance quality symbol
US20160381051A1 (en) * 2015-06-27 2016-12-29 Mcafee, Inc. Detection of malware
CN106022115A (en) * 2016-07-20 2016-10-12 浪潮电子信息产业股份有限公司 Method for tracing risk program
CN106657102A (en) * 2016-12-29 2017-05-10 北京奇虎科技有限公司 LAN based threat processing method and device
RU2697954C2 (en) * 2018-02-06 2019-08-21 Акционерное общество "Лаборатория Касперского" System and method of creating antivirus record
CN110798427A (en) * 2018-08-01 2020-02-14 深信服科技股份有限公司 Anomaly detection method, device and equipment in network security defense
CN109271760A (en) * 2018-08-08 2019-01-25 北京奇虎科技有限公司 File retrogressive method, device and equipment
CN110532775A (en) * 2019-07-26 2019-12-03 苏州浪潮智能科技有限公司 A kind of Method and kit for of computer processes control
CN111143848A (en) * 2019-12-31 2020-05-12 成都科来软件有限公司 System for recording sample behaviors and formulating virus rules
CN111552962B (en) * 2020-03-25 2024-03-01 三六零数字安全科技集团有限公司 Interception method of USB flash disk PE format file viruses based on Windows operating system
CN111680296A (en) * 2020-06-15 2020-09-18 杭州安恒信息技术股份有限公司 Method, device and equipment for identifying malicious program in industrial control system
CN112328614A (en) * 2020-11-13 2021-02-05 北京鸿腾智能科技有限公司 Virus library updating method, equipment, storage medium and device
CN112364284B (en) * 2020-11-23 2024-01-30 北京八分量信息科技有限公司 Method and device for detecting abnormality based on context and related product
CN117240623B (en) * 2023-11-13 2024-02-02 杭州海康威视数字技术股份有限公司 Worm virus blocking system, method and device for guaranteeing service continuity

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1409222A (en) * 2001-09-14 2003-04-09 北京瑞星科技股份有限公司 Computer memory virus monitoring method and method for operation with virus
WO2004040449A1 (en) * 2002-10-29 2004-05-13 E Frontier, Inc. Method and system for exterminating computer virus, computer virus exterminating program, and recording medium
CN1556448A (en) * 2003-12-31 2004-12-22 珠海金山软件股份有限公司 Mobile sterilization device and its manufacturing method
WO2005022440A1 (en) * 2003-08-29 2005-03-10 Trend Micro Incorporated Network isolation techniques suitable for virus protection

Also Published As

Publication number Publication date
CN1885224A (en) 2006-12-27

Similar Documents

Publication Publication Date Title
CN100401224C (en) Computer anti-virus protection system and method
CN100547513C (en) Computer protecting method based on the program behavior analysis
US7870612B2 (en) Antivirus protection system and method for computers
US10657251B1 (en) Multistage system and method for analyzing obfuscated content for malware
US10417420B2 (en) Malware detection and classification based on memory semantic analysis
US8397292B2 (en) Method and device for online secure logging-on
Cuppens et al. Correlation in an intrusion detection process
CN101350054B (en) Method and apparatus for automatically protecting computer noxious program
RU2571723C2 (en) System and method of reducing load on operating system when executing antivirus application
CN101098226B (en) Virus online real-time processing system and method
US7555777B2 (en) Preventing attacks in a data processing system
US7673137B2 (en) System and method for the managed security control of processes on a computer system
CN113661693A (en) Detecting sensitive data exposure via logs
US7665139B1 (en) Method and apparatus to detect and prevent malicious changes to tokens
US20050203921A1 (en) System for protecting database applications from unauthorized activity
KR101230271B1 (en) System and method for detecting malicious code
Cuppens et al. Recognizing Malicious Intention in an Intrusion Detection Process.
CN100557545C (en) A kind of method of distinguishing the harmful program behavior
US20210200870A1 (en) Performing threat detection by synergistically combining results of static file analysis and behavior analysis
CN101986324A (en) Asynchronous processing of events for malware detection
KR101404882B1 (en) A system for sorting malicious code based on the behavior and a method thereof
EP2637121A1 (en) A method for detecting and removing malware
EP3345116A1 (en) Process launch, monitoring and execution control
WO2008098519A1 (en) A computer protection method based on a program behavior analysis
CN113364750A (en) Method for inducing APT attack to introduce honeypots based on Snort and OpenFlow heuristic method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: BEIJING EASTERN MICROPOINT INFO-TECH CO., LTD.

Free format text: FORMER OWNER: FUJIAN ORIENT MICROPOINT INFORMATION SECURITY CO., LTD.

Effective date: 20150715

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150715

Address after: 100097 Beijing city Haidian District landianchang road A Jin Yuan era business center No. 2 block 5E

Patentee after: Beijing Dongfang Micropoint Information Technology Co.,Ltd.

Address before: 350002, No. 548, industrial road, Gulou District, Fujian, Fuzhou, five

Patentee before: Fujian Orient Micropoint Information Security Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080709

CF01 Termination of patent right due to non-payment of annual fee