Summary of the invention
The present invention is intended to address the above problem. Its purpose is to provide a method of distinguishing harmful program behavior, based on the behavioral characteristics of program behavior, that can effectively protect a computer from attack by unknown programs such as viruses and Trojan horses.
The method of distinguishing harmful program behavior of the present invention can be applied in an antivirus protection real-time monitoring system based on program behavior modes. For a legitimate known program stored in the program behavior knowledge base, its action behavior is compared with the normal behavior of that program stored in the program behavior recognition library, to judge whether the known program is under attack. For an unknown program that is not stored in the program behavior knowledge base, the action behavior of the unknown program is monitored and recorded and then compared with the harmful program attack features stored in the virus attack recognition rule library, so that harmful program behavior is identified and the attack of the harmful program on the system is intercepted in time.
The method is based on a virus attack recognition rule library, which records the attack features of many viruses, Trojan horses and harmful programs. Each record corresponds to one virus class, and each virus class corresponds to a behavior set consisting of a series of actions and the specific association relations between them.
The method of distinguishing harmful program behavior of the present invention comprises the steps:
1.1) monitoring and recording the action behavior of the unknown program;
1.2) comparing the action behavior recorded for this unknown program, taken as a whole, with the virus attack recognition rule library;
1.3) distinguishing harmful program behavior according to the comparison result: if it matches, alerting the user or stopping the unknown program from continuing to run; if not, letting the program continue to run and returning to step 1.1).
In the method of distinguishing harmful program behavior of the present invention, the recorded action behavior comprises: the type of action, the time of occurrence of the action, and the caller.
In the method of distinguishing harmful program behavior of the present invention, the monitored and recorded action behavior comprises:
monitored actions, which may affect computer security and need to be monitored in real time;
dangerous actions, which are first of all monitored actions and which, during the program's run, may threaten computer security.
In addition, the action behavior also includes non-monitored actions, which do not affect computer security and need not be monitored.
The method of distinguishing harmful program behavior of the present invention intercepts, while the program runs, each monitored action and dangerous action that affects computer security, and compares it with the attack features recorded in the attack recognition rule library.
In the method of distinguishing harmful program behavior of the present invention, the association relation comprises the time relationship between earlier and later actions and the calling and called relationship.
In the method of distinguishing harmful program behavior of the present invention, the attack recognition rule library comprises virus rule one:
A) a program running at the user layer (RING3) transfers to running at the system kernel layer (RING0).
The method of distinguishing harmful program behavior of the present invention is characterized in that the attack recognition rule library comprises virus rule two:
B) the program performs an operation that modifies other program files.
The method of distinguishing harmful program behavior of the present invention is characterized in that the attack recognition rule library comprises remote attack rule one:
C) after the program receives data through a listening port, it immediately calls the SHELL program.
The method of distinguishing harmful program behavior of the present invention is characterized in that the attack recognition rule library comprises remote attack rule two:
D) after the program receives data through a listening port, a buffer overflow occurs.
The method of distinguishing harmful program behavior of the present invention is characterized in that the attack recognition rule library comprises remote attack rule three:
E) after the program receives data through a listening port, it immediately calls the Trivial File Transfer Protocol (TFTP) program.
The method of distinguishing harmful program behavior of the present invention is characterized in that the attack recognition rule library comprises mail worm rule one:
F) the program is generated automatically by the mail system, modifies the registry autorun entry while it runs, has no window and no tray icon, and immediately begins sending mail.
The method of distinguishing harmful program behavior of the present invention is characterized in that the attack recognition rule library comprises suspicious Trojan rule one:
G) the program is generated automatically by the mail system, modifies the registry autorun entry while it runs, has no window and no tray icon, and immediately begins creating a listening port.
The method of distinguishing harmful program behavior of the present invention is characterized in that the monitored actions comprise: file operations; network operations; creating processes and creating threads; registry operations; window and tray operations; stack overflow; thread injection; intercepting system API calls; and accessing, modifying and creating user accounts.
The method of distinguishing harmful program behavior of the present invention is characterized in that the dangerous actions comprise: calling the SHELL program; modifying program files or writing program files; calling FTP or TFTP; creating an FTP or TFTP service; sending mail; the browser or mail system automatically running other programs; creating a large number of identical threads; modifying and creating user accounts; dangerous network operations; adding a startup item to the system registry; modifying system startup files; injecting threads into other processes; stack overflow; an application-layer process automatically elevating itself to run as a system-level process during its run; and intercepting system API calls.
The method of distinguishing harmful program behavior of the present invention is characterized in that the unknown program is monitored while it is running; after it exits, it is no longer monitored and recorded.
The method of distinguishing harmful program behavior of the present invention is characterized in that it comprises the steps:
16.1) discovering an unknown program or process running;
16.2) creating a behavior description structure entity corresponding to this program;
16.3) capturing the monitored behaviors and dangerous behaviors of this program that may endanger computer security;
16.4) judging the type of the action;
16.5) recording the recognized action in the corresponding behavior description structure entity;
16.6) comparing against the attack recognition rule library and calculating the weight of the behavior description structure entity;
16.7) judging whether the weight exceeds the weight upper limit; if not, returning to step 16.3); if so, proceeding to the next step;
16.8) judging the behavior to be harmful program behavior.
The method of distinguishing harmful program behavior of the present invention is characterized in that the behavior description structure entity is consistent with the structure of the attack recognition rule library.
The method of distinguishing harmful program behavior of the present invention is characterized in that the behavior consists of the API functions provided by the operating system that the program calls.
The method of distinguishing harmful program behavior of the present invention is characterized in that the weight in step 16.6) is an empirical value given by the rule base for each behavior criterion, and the weight of the description entity is obtained by accumulating the empirical values of its several behaviors.
The method of distinguishing harmful program behavior of the present invention is characterized in that the weight upper limit in step 16.7) is judged by an empirical value provided by the invention, or according to a user-defined value.
The method of distinguishing harmful program behavior of the present invention is characterized in that, after the behavior is judged as harmful program behavior, the user judges whether to let it continue executing.
The method of distinguishing harmful program behavior of the present invention is characterized in that the data structure of the attack recognition rule library comprises:
the full path of the executable PE file, the creator's full path, the creator's characteristic, whether the creator has a window, whether the file is the same file as the creator, whether it copies itself, whether the file has a description, whether it self-starts, who created the autorun entry, whether it was started by its creator, whether it created the startup item itself, whether it has a window or tray icon, a linked list of modified registry entries, and a linked list of network actions.
The method of distinguishing harmful program behavior of the present invention is characterized in that the sub data structure of the modified registry entry linked list comprises: a list entry, a key name, a value name and a value.
The method of distinguishing harmful program behavior of the present invention is characterized in that the sub data structure of the network action linked list comprises: type, local port, local address, remote port, remote address and protocol used.
The invention has the advantage that the method of distinguishing harmful program behavior of the present invention can accurately detect the harmful program behavior of unknown programs and protect the computer from attack by harmful programs such as viruses and Trojan horses; compared with the prior art, it is efficient and accurate.
Embodiment
Specific embodiments of the invention are described in detail below with reference to the accompanying drawings.
The method of distinguishing harmful program behavior of the present invention is based on a virus attack recognition rule library, which records the attack features of many viruses, Trojan horses and harmful programs. Each record corresponds to one virus class, and each virus class corresponds to a behavior set consisting of a series of actions and the specific association relations between them.
The method of distinguishing harmful program behavior of the present invention comprises the steps:
1.1) monitoring and recording the action behavior of the unknown program;
1.2) comparing the action behavior recorded for this program, taken as a whole, with the virus attack recognition rule library;
1.3) distinguishing harmful program behavior according to the comparison result: if it matches, alerting the user or stopping the program from continuing to run; if not, letting the program continue to run and returning to step 1.1).
In the method of distinguishing harmful program behavior of the present invention, the recorded action behavior comprises: the type of action, the time of occurrence of the action, and the caller.
In the method of distinguishing harmful program behavior of the present invention, the monitored and recorded action behavior comprises:
monitored actions, which may affect computer security and need to be monitored in real time;
dangerous actions, which are first of all monitored actions and which, during the program's run, may threaten computer security.
In addition, the action behavior also includes non-monitored actions, which do not affect computer security and need not be monitored.
The method of distinguishing harmful program behavior of the present invention intercepts, while the program runs, each monitored action and dangerous action that affects computer security, and compares it with the attack features recorded in the attack recognition rule library.
In the method of distinguishing harmful program behavior of the present invention, the association relation comprises the time relationship between earlier and later actions and the calling and called relationship.
In the method of distinguishing harmful program behavior of the present invention, the attack recognition rule library comprises virus rule one:
A) a program running at the user layer (RING3) transfers to running at the system kernel layer (RING0).
In the method of distinguishing harmful program behavior of the present invention, the attack recognition rule library comprises virus rule two:
B) the program performs an operation that modifies other program files.
Under the virus rules above, if an unknown program performs operation a) or b), the program can be judged to exhibit virus attack behavior. As is well known, these actions are extremely dangerous and are common traits of most virus programs. The CIH virus, for example, has both features: as soon as it starts executing it transfers to execution at the system layer RING0, so by relying on the above rules it can be discovered and forbidden the moment it starts running, and the system is effectively protected from CIH by the method described below in the present invention. Moreover, for many unknown or newly emerging virus programs, one need no longer rely on virus signature checking; identifying them by the features of their action behavior makes checking accurate, improves execution efficiency, reduces system overhead, and allows timely discovery and timely interception.
In the method of distinguishing harmful program behavior of the present invention, the attack recognition rule library comprises remote attack rule one:
C) after the program receives data through a listening port, it immediately calls the SHELL program.
The method of distinguishing harmful program behavior of the present invention is characterized in that the attack recognition rule library comprises remote attack rule two:
D) after the program receives data through a listening port, a buffer overflow occurs.
In the method of distinguishing harmful program behavior of the present invention, the attack recognition rule library comprises remote attack rule three:
E) after the program receives data through a listening port, it immediately calls the Trivial File Transfer Protocol (TFTP) program.
Remote attack rules c), d) and e) above are each formed from a combination of several actions. Although the attacker's purpose cannot be judged from any one of these actions alone, the time relationship between several action behaviors makes it easy to judge whether the program is aggressive; an unknown program with the above behavioral features can therefore be judged to be a remote attack program and forbidden. Compared with existing firewall technology, this is not only more accurate in predicting remote attacks but also reduces the user's trouble: the user need not receive a firewall alarm every time a network connection is needed to browse a new web page or send and receive mail, and yet, if the firewall were stopped, the system would become unsafe.
The above remote attack rules are briefly illustrated below by the way the present invention intercepts the attack of the "Sasser" worm. Unlike other worms, the Sasser worm does not send mail; its working principle is to open a back door locally. It listens on TCP port 5554 and waits for remote control commands as an FTP server. The virus offers file transfer in FTP form, and an attacker can steal files and other information from the user's machine through this port. The virus starts 128 scanning threads; based on the local IP address, it picks IP addresses at random and frantically probes connections to port 445, attempting to exploit a buffer overflow vulnerability in LSASS of the Windows operating system. If the attack succeeds, the target machine is infected with the virus and carries out the next round of propagation; a failed attack still causes a buffer overflow on the target machine, leading to illegal operation of the target's programs and system exceptions.
Using the method of distinguishing harmful program behavior of the present invention, when a computer infected with Sasser sends attack packets to a computer that uses the protection system of the present invention, the LSASS process of the local computer is overflowed and the overflow code calls GetProcAddress, which is caught by the monitoring mechanism of the present invention and judged as a buffer overflow. Before the overflow, the LSASS process received data from system ports 139 and 445, which conforms to the rule given in d) above. The present invention can therefore accurately judge this remote attack, and the thread is terminated by the system call ExitThread, so that the Sasser worm cannot enter its next action and the local computer is effectively protected.
In the method of distinguishing harmful program behavior of the present invention, the attack recognition rule library comprises mail worm rule one:
F) the program is generated automatically by the mail system, modifies the registry autorun entry while it runs, has no window and no tray icon, and immediately begins sending mail.
The worm rule above builds the worm attack behavioral feature from several action behaviors. Based on this information, worm attacks can be effectively guarded against and the spread of worms on the network can be effectively contained.
In the method of distinguishing harmful program behavior of the present invention, the attack recognition rule library comprises suspicious Trojan rule one:
G) the program is generated automatically by the mail system, modifies the registry autorun entry while it runs, has no window and no tray icon, and immediately begins creating a listening port.
Under the suspicious Trojan rule above, a Trojan can be identified without relying on an existing firewall system; the monitoring method is simpler and the complexity of use for the user is reduced.
Rule g) is briefly illustrated below by the way the present invention intercepts the well-known reverse-connection ("bounce") type Trojan Black Hole. Because it is an unknown program, the process is captured by the monitoring system of the present invention as soon as it starts; at the same time, the program creates neither an application window nor a system tray icon. After starting, the program modifies the registry startup entry to ensure that it starts automatically the next time the user logs in; this action behavior is also a dangerous action and is likewise captured by the monitoring system. The process continues executing and connects to a remote web server to obtain the address and port of the client service so as to connect to it and transfer information. Once this network action is captured, the above actions are compared together with the rules in the attack recognition rule library, the program can be judged a suspicious Trojan, and the user is alerted, with the attribute of the illegal program described as a suspicious Trojan so that the user understands the information more accurately. This avoids the situation with existing firewall systems, which alert whenever any network action occurs and require the user to judge the security of the alerted action.
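The comparison of a recorded action sequence with rules a) to g) can be implemented as predicates over the recorded behavior, with the "immediately after" relation of the remote attack rules expressed as the time relationship between an earlier and a later action by the same caller. The following is an added example, not code from the patent: the action names, the one-second window taken to mean "immediately", the creator codes and the three sample action logs are constructed for illustration.

```python
"""Sequence-rule matching over recorded program actions (added example).

Models rules a) to g) as predicates over the recorded action behavior
(type, time, caller) and the earlier/later time relation between actions.
Action names, the IMMEDIATELY window and the sample logs are constructed.
"""
from dataclasses import dataclass, field
from typing import List

# Creator characteristic codes, following the CharacterOfCreator values on the page
CREATOR_UNKNOWN, CREATOR_KNOWN, CREATOR_MAIL, CREATOR_BROWSER, CREATOR_IM = -1, 0, 1, 2, 3

IMMEDIATELY = 1.0   # assumed: seconds within which a follow-up action counts as "immediate"


@dataclass
class Action:
    kind: str          # type of action, e.g. "listen_recv", "exec_shell"
    time: float        # time of occurrence (seconds)
    caller: str        # process that performed the action
    detail: str = ""   # e.g. port number or path (constructed)


@dataclass
class Program:
    name: str
    creator: int                       # CharacterOfCreator of the program
    actions: List[Action] = field(default_factory=list)

    def did(self, kind: str) -> bool:
        return any(a.kind == kind for a in self.actions)

    def never(self, kind: str) -> bool:
        return not self.did(kind)

    def immediately_after(self, first: str, second: str) -> bool:
        """True if a `second` action by the same caller follows a `first`
        action within IMMEDIATELY seconds (the earlier/later time relation)."""
        for a in self.actions:
            if a.kind != first:
                continue
            for b in self.actions:
                if (b.kind == second and b.caller == a.caller
                        and 0 <= b.time - a.time <= IMMEDIATELY):
                    return True
        return False


def _mail_spawned_hidden_autorun(p: Program) -> bool:
    """Shared prefix of rules f) and g): spawned by the mail system, sets an
    autorun entry, and shows neither a window nor a tray icon."""
    return (p.creator == CREATOR_MAIL and p.did("registry_autorun")
            and p.never("create_window") and p.never("create_tray"))


# Rule library: rule name -> predicate over the whole recorded behavior.
RULES = {
    "virus rule 1 (a)": lambda p: p.did("ring3_to_ring0"),
    "virus rule 2 (b)": lambda p: p.did("modify_other_program_file"),
    "remote attack rule 1 (c)": lambda p: p.immediately_after("listen_recv", "exec_shell"),
    "remote attack rule 2 (d)": lambda p: p.immediately_after("listen_recv", "buffer_overflow"),
    "remote attack rule 3 (e)": lambda p: p.immediately_after("listen_recv", "exec_tftp"),
    "mail worm rule 1 (f)": lambda p: _mail_spawned_hidden_autorun(p) and p.did("send_mail"),
    "suspicious trojan rule 1 (g)": lambda p: _mail_spawned_hidden_autorun(p) and p.did("create_listen_port"),
}


def matched_rules(program: Program) -> List[str]:
    """Step 1.2: compare the recorded behavior, taken as a whole, with the rule library."""
    return [name for name, pred in RULES.items() if pred(program)]


# Constructed log: a service receives data on a listening port and an overflow
# is caught 0.2 s later in the same caller (rule d, cf. the Sasser walk-through).
SAMPLE_SERVICE = Program("svc.exe", CREATOR_KNOWN, [
    Action("listen_recv", 10.0, "svc.exe", "port 445"),
    Action("buffer_overflow", 10.2, "svc.exe"),
])

# Constructed log: a mail-spawned program sets an autorun entry, shows no
# window or tray icon, and opens a listening port (rule g).
SAMPLE_MAIL_SPAWNED = Program("attach.exe", CREATOR_MAIL, [
    Action("registry_autorun", 0.1, "attach.exe", "autorun key (constructed)"),
    Action("create_listen_port", 0.3, "attach.exe", "port 4000 (constructed)"),
])

# Constructed benign log: a browser-spawned installer with a window runs a shell
# before, not after, receiving data, so the time relation of rule c) does not hold.
SAMPLE_BENIGN = Program("setup.exe", CREATOR_BROWSER, [
    Action("create_window", 0.0, "setup.exe"),
    Action("exec_shell", 0.5, "setup.exe"),
    Action("listen_recv", 5.0, "setup.exe"),
])

if __name__ == "__main__":
    for prog in (SAMPLE_SERVICE, SAMPLE_MAIL_SPAWNED, SAMPLE_BENIGN):
        print(prog.name, "->", matched_rules(prog) or "no rule matched")
```

Because every rule is evaluated over the whole recorded behavior rather than over one intercepted call, the same matcher serves both step 1.2) and the later weighted procedure: a rule that matches contributes its verdict only once the ordering relation actually holds, which is what keeps the benign installer above from triggering rule c).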
In the method of distinguishing harmful program behavior of the present invention, the monitored actions comprise: file operations; network operations; creating processes and threads; registry operations; window and tray operations; stack overflow; thread injection; intercepting system API calls; and accessing, modifying and creating user accounts.
The dangerous actions comprise: calling the SHELL program; modifying program files or writing program files; calling FTP or TFTP; creating an FTP or TFTP service; sending mail; the browser or mail system automatically running other programs; creating a large number of identical threads; modifying and creating user accounts; dangerous network operations; adding a startup item to the system registry; modifying system startup files; injecting threads into other processes; stack overflow; an application-layer process automatically elevating itself to run as a system-level process during its run; and intercepting system API calls.
In the method of distinguishing harmful program behavior of the present invention, the monitored program is monitored while it is running; after it exits, it is no longer monitored and recorded, which frees system resources and reduces system overhead.
The method of distinguishing harmful program behavior of the present invention comprises the steps:
16.1) discovering an unknown program or process running;
16.2) creating a behavior description structure entity corresponding to this program;
16.3) capturing the monitored behaviors and dangerous behaviors of this program that may endanger computer security;
16.4) judging the type of the action;
16.5) recording the recognized action in the corresponding behavior description structure entity;
16.6) comparing against the attack recognition rule library and calculating the weight of the behavior description structure entity;
16.7) judging whether the weight exceeds the weight upper limit; if not, returning to step 16.3); if so, proceeding to the next step;
16.8) judging the behavior to be harmful program behavior.
In the method of distinguishing harmful program behavior of the present invention, the behavior description structure entity is consistent with the structure of the attack recognition rule library.
In the method of distinguishing harmful program behavior of the present invention, the behavior consists of the API functions provided by the operating system that the program calls.
In the method of distinguishing harmful program behavior of the present invention, the weight in step 16.6) is an empirical value given by the rule base for each behavior criterion, and the weight of the description entity is obtained by accumulating the empirical values of its several behaviors.
In the method of distinguishing harmful program behavior of the present invention, the weight upper limit in step 16.7) is judged by an empirical value provided by the invention, or according to a user-defined value. Many users with a deep understanding of computer programs often need programs of their own design or other programs without a formal source, and these programs are most likely meant to improve system performance or usability. Such unknown programs may therefore perform many monitored or dangerous actions that match rules in the attack recognition rule library; if the method of the present invention directly judged such a program to be harmful and forbade it from running, it would inconvenience these users. The present invention therefore also provides a user-defined setting of the weight for a given program, that is, even after the program has been judged as harmful program behavior, the user decides whether to continue running it.
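Steps 16.1) to 16.8) together with the two action lists and the weight rules above form one procedure: type each captured action, record it in the program's behavior description entity, add the empirical weight of the behavior, and stop when the accumulated weight exceeds the upper limit. The following is an added example, not code from the patent: the weight values, the default upper limit of 100, the monitored-action weight of 2 and the two sample event streams are constructed placeholders, since the patent leaves the weights as empirical values from the rule base and the limit as empirical or user-defined.

```python
"""Weighted behavior scoring in the style of steps 16.1) to 16.8) (added example).

Each captured action is typed (non-monitored / monitored / dangerous),
recorded in a per-program behavior description entity, and scored with an
empirical per-behavior weight.  All weights, the default upper limit and
the sample event streams below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NON_MONITORED, MONITORED, DANGEROUS = 0, 1, 2

# Action type per behavior name, following the monitored and dangerous action
# lists on the page. Behaviors absent from the table are non-monitored.
ACTION_TYPE: Dict[str, int] = {
    "file_read": MONITORED, "network_connect": MONITORED, "create_thread": MONITORED,
    "registry_read": MONITORED, "create_window": MONITORED,
    "exec_shell": DANGEROUS, "modify_program_file": DANGEROUS, "exec_tftp": DANGEROUS,
    "send_mail": DANGEROUS, "mass_identical_threads": DANGEROUS, "create_user_account": DANGEROUS,
    "registry_autorun": DANGEROUS, "modify_startup_file": DANGEROUS, "inject_thread": DANGEROUS,
    "stack_overflow": DANGEROUS, "privilege_escalation": DANGEROUS, "hook_system_api": DANGEROUS,
}

# Constructed empirical weights for dangerous behaviors (the rule base supplies these).
WEIGHT: Dict[str, int] = {
    "exec_shell": 30, "modify_program_file": 40, "exec_tftp": 30, "send_mail": 20,
    "mass_identical_threads": 30, "create_user_account": 40, "registry_autorun": 25,
    "modify_startup_file": 35, "inject_thread": 50, "stack_overflow": 60,
    "privilege_escalation": 60, "hook_system_api": 50,
}
MONITORED_WEIGHT = 2        # constructed: a monitored but not dangerous action counts a little
DEFAULT_UPPER_LIMIT = 100   # constructed default; the patent allows a user-defined limit


def classify(behavior: str) -> int:
    """Step 16.4: judge the type of the action."""
    return ACTION_TYPE.get(behavior, NON_MONITORED)


@dataclass
class BehaviorDescription:
    """Step 16.2: the entity created for one unknown program. It mirrors the
    rule-base record: one accumulated weight plus the recorded actions."""
    program: str
    upper_limit: int = DEFAULT_UPPER_LIMIT
    recorded: List[str] = field(default_factory=list)
    weight: int = 0
    user_allowed: bool = False   # set when the user decides to keep running the program

    def record(self, behavior: str) -> Optional[str]:
        """Steps 16.3 to 16.8 for one captured action. Returns a verdict when
        the accumulated weight exceeds the upper limit, otherwise None."""
        kind = classify(behavior)
        if kind == NON_MONITORED:
            return None                          # not captured at all
        self.recorded.append(behavior)           # step 16.5
        if kind == DANGEROUS:                    # step 16.6: accumulate the empirical weight
            self.weight += WEIGHT[behavior]
        else:
            self.weight += MONITORED_WEIGHT
        if self.weight > self.upper_limit and not self.user_allowed:   # step 16.7
            return f"{self.program}: harmful program behavior (weight {self.weight} > {self.upper_limit})"
        return None


def run_stream(program: str, events: List[str], upper_limit: int = DEFAULT_UPPER_LIMIT) -> Optional[str]:
    """Feed a captured event stream through the procedure; the first verdict wins."""
    entity = BehaviorDescription(program, upper_limit)
    for ev in events:
        verdict = entity.record(ev)
        if verdict:
            return verdict
    return None


# Constructed stream for an unknown program: a few monitored actions, then a
# run of dangerous ones that pushes the accumulated weight over the limit.
SUSPECT_EVENTS = ["file_read", "registry_read", "registry_autorun",
                  "inject_thread", "hook_system_api", "network_connect"]

# Constructed stream for a user tool that performs a single dangerous action.
TOOL_EVENTS = ["file_read", "create_window", "modify_startup_file", "network_connect"]

if __name__ == "__main__":
    print(run_stream("unknown.exe", SUSPECT_EVENTS))
    print(run_stream("tool.exe", TOOL_EVENTS))
    # A user-defined upper limit (step 16.7) lets a trusted tool run further.
    print(run_stream("unknown.exe", SUSPECT_EVENTS, upper_limit=200))
```

The accumulated weight is a sum, so a single dangerous action rarely crosses the limit by itself; it is the combination of several dangerous behaviors in one entity that produces the verdict, which is the intent of the weight accumulation in step 16.6). Raising the upper limit for one program, or setting the user decision flag after a verdict, implements the user-defined handling the text describes without changing the rule base.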
In the method of distinguishing harmful program behavior of the present invention, the data structure entity of each record in the attack recognition rule library is as follows (the helper types MAX_PATH, BOOLEAN, LIST_ENTRY and IPADDR are not defined on the page; minimal Windows-style definitions are assumed here so that the declarations compile stand-alone):
#define MAX_PATH 260                  /* assumed Windows value */
typedef unsigned char BOOLEAN;        /* assumed Windows-style boolean */
typedef struct LIST_ENTRY {           /* assumed doubly linked list entry */
    struct LIST_ENTRY *Flink, *Blink;
} LIST_ENTRY;
typedef struct LIST_NET LIST_NET;     /* network action node, defined below */

struct UnknowPEFileInMem
{
    char WeighofDanger;            // danger weight
    char FileName[MAX_PATH];       // full path of the newly created PE file
    char CreatorName[MAX_PATH];    // creator's full path
    char CharacterOfCreator;       // creator's characteristic
    char NoWindowOfCreator;        // whether the creator has no window
    char SameAsCreator;            // whether it is the same file as the creator
    char CopySelf;                 // copies itself: CopySelf is set for the creator and SameAsCreator
                                   // for the copied file, to tell the two apart by order
    char FileDescription;          // whether the file has a description
    char AutoRun;                  // whether it self-starts
    char WhoWriteAutoRun;          // who created the autorun entry
    BOOLEAN RunByCreator;          // whether it was started by its creator
    BOOLEAN RunBySelf;             // whether it created the startup item itself
    BOOLEAN bCreateWindow;         // whether it has a window or tray icon
    LIST_ENTRY RegList;            // linked list of modified registry entries
    LIST_NET *ListNetAction;       // linked list of network actions (head pointer, since LIST_NET is declared below)
};
The concrete data values and descriptions of the creator's characteristic "CharacterOfCreator" are:
-1: unknown program;
0: other known program;
1: mail system;
2: web browser;
3: Internet communication system (such as QQ, MSN, etc.).
The concrete data values and descriptions of "WhoWriteAutoRun", who created the autorun entry, are:
0: unknown;
1: itself;
2: the creator;
both itself and the creator wrote it.
The sub data structure entity of the modified registry entry linked list is:
struct REG_DATA
{
    LIST_ENTRY List;       // list entry
    char *Key;             // key name (the page declares unsized char arrays; pointers are used so that the struct compiles)
    char *ValueName;       // value name
    char *Value;           // value
};
The sub data structure entity of the network action linked list is:
typedef unsigned int IPADDR;   /* assumed: IPv4 address */

struct LIST_NET
{
    int type;              // type
    short lport;           // local port
    IPADDR lipaddr;        // local IP address
    short dport;           // remote port
    IPADDR dipaddr;        // remote IP address
    short protocol;        // protocol used
};
In summary, the method of distinguishing harmful program behavior of the present invention can accurately detect the harmful program behavior of unknown programs and protect the computer from attack by harmful programs such as viruses and Trojan horses; compared with the prior art, it is efficient and accurate.
From the above description, those working in the field can make various changes and modifications without departing from the technical idea of the invention. The technical scope of the invention is therefore not limited to the content of the specification but must be determined according to the scope of the claims.