CN101013461A - Method of computer protection based on program behavior analysis - Google Patents


Info

Publication number
CN101013461A
Authority
CN
China
Prior art keywords
program
instruction
behavior
known procedure
instruction set
Prior art date
Legal status
Pending
Application number
CNA2007100802337A
Other languages
Chinese (zh)
Inventor
白杰
李薇
鲁征宇
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CNA2007100802337A (CN101013461A)
Publication of CN101013461A
Priority to PCT/CN2008/070303 (WO2008098519A1)
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention relates to a computer protection method based on analysis of program behavior. Instructions are classified and assigned a danger coefficient; on this basis the running of a program is monitored by accumulating the danger coefficients of the instructions that have run or are about to run. When the sum exceeds a threshold, the program is interrupted. The invention thus judges the behavior of programs in order to prevent damage by computer viruses.

Description

Computer protection method based on program behavior analysis
Technical field
The present invention relates to a computer protection method, and in particular to a computer protection method that takes the action behavior of a program as its distinguishing feature.
Background technology
Existing computer virus prevention products can be divided broadly into two classes. One class isolates virus programs that invade the computer: a firewall, for example, restricts communication ports, protocols and the like to prevent an intruding virus program from entering. The other class scans for virus program files that may form an intrusion: existing antivirus software, for example, uses the code signature of an intruding virus program to find and remove it. Although both kinds of product can find and eliminate some virus programs, each has shortcomings it cannot overcome, for example:
(1) A firewall prevents virus program intrusion mainly by monitoring communication ports and/or protocols, and the conditions under which a program is or is not allowed to use a given port or protocol have to be set by the user. Therefore: 1. the user must know the system very well to configure the firewall effectively; 2. the monitoring granularity is too coarse: if a forbidden port and/or protocol is one that normal programs also need, or a virus program adopts a port or protocol that is normally allowed through, the result may be a false judgment or direct interference with normal network operation.
(2) Removing viruses by virus signature will always lag behind the development of viruses, because a virus signature can only be extracted after a sample of the virus program has been captured; such antivirus software therefore cannot guard against the intrusion of newly emerging, unknown viruses.
Summary of the invention
The problem to be solved by the present invention is to provide a method that can actively judge program behavior and thereby prevent the computer from being damaged by virus programs.
The computer protection method based on program behavior analysis provided by the invention comprises:
classifying the instructions or instruction sets run by the computer, and setting a danger coefficient for each instruction or instruction set;
monitoring the behavior of the running program, accumulating the danger coefficients of the instructions or instruction sets that are about to run or have run, and interrupting the operation of the program when the sum of the coefficients exceeds a preset threshold.
Further, the instructions or instruction sets that may jeopardize computer security are selected for classification.
The instructions or instruction sets are the instructions or instruction sets of the following operations:
file operations; network operations; creating processes or threads; registry operations; window and tray operations; stack operations; thread injection; intercepting system API calls; and accessing, modifying and creating user accounts.
The program behavior is the family of behaviors of the following program actions:
calling the operating system shell; modifying program files or writing program files; calling FTP or TFTP; creating an FTP or TFTP service; sending mail; a browser or mail system automatically running other programs; creating more than a predetermined number of identical threads; modifying and creating user accounts; adding startup items to the system registry; modifying system startup files; injecting threads into other processes; stack operations; an application-layer process automatically elevating itself to run as a system-level process; and intercepting system API calls.
Further, the monitoring program is embedded in the API functions of the operating system, so that the action behavior of programs can be monitored.
Also, the action behavior of the monitored program is recorded by way of the instructions it runs.
The method also comprises:
establishing a known-program file store for storing the identifiers of known programs and the characteristics of those known programs; and judging whether the monitored program is a known program; if it is, using the characteristics in the known-program file store to judge whether the monitored program is intact; if it is intact, ending the judgment, and otherwise terminating the execution of the known program.
The method also comprises:
establishing an attack recognition rule base for storing computer instructions or instruction sets that obviously damage computer security; and, when the monitored program is not a known program, using the instructions or instruction sets in the attack recognition rule base to judge whether the monitored program is a dangerous program, and if so terminating its execution.
In the present invention, the instructions or instruction sets run by the computer are classified and a danger coefficient is set for each instruction or instruction set; thus, by accumulating the danger coefficients corresponding to the monitored instructions or instruction sets, the behavior of the monitored program can be judged, and it can then be decided whether to interrupt the operation of the program. It should be noted that the present invention does not set danger coefficients only for the instructions or instruction sets that endanger computer security; it classifies and sets danger coefficients for all the instructions or instruction sets that the computer's instructions comprise, which avoids the situation in which several harmless instructions become harmful in combination, for example an endless loop or the reading and writing of important storage units. Thus the present invention can actively judge program behavior and prevent the computer from being damaged by virus programs.
Description of drawings
Fig. 1 is a flow chart of the first embodiment of the method of the invention;
Fig. 2 is a flow chart of the second embodiment of the method of the invention;
Fig. 3 is a flow chart of the third embodiment of the method of the invention.
Embodiment
Embodiments of the invention are described in detail below with reference to the accompanying drawings and in conjunction with the most widely used operating system, Microsoft Windows.
Fig. 1 is the flow chart of the first embodiment of the method of the invention. In step 11 of the embodiment of Fig. 1, the instructions or instruction sets run by the computer are classified, and then in step 12 a danger coefficient is set for each instruction or instruction set. In this embodiment, steps 11 and 12 can be implemented with an instruction or instruction-set table. This table may be called the instruction coefficient table, and it has only two fields: an instruction field, which stores the classified instruction or instruction set, and a coefficient field, which stores the danger coefficient corresponding to each instruction or instruction set. A given instruction may turn from harmless to harmful to the computer because of the parameters it carries or the range those parameters reach. For example, when the iteration count of a loop instruction is limited and reasonable, the loop is harmless to the computer, but when the iteration count is unlimited, the program may fall into an endless loop and consume excessive computer resources, and so become harmful. Therefore an instruction may have different danger coefficients depending on its parameters or the range of its parameters, and an instruction whose parameters or parameter ranges differ becomes different instructions, occupying more than one row in the instruction coefficient table. Likewise, instructions that are harmless to the computer on their own may become harmful when combined with other instructions into an instruction set. For example, an instruction that reads the data in a storage unit is harmless, but when the storage unit read is the one holding the stack pointer, this "read" instruction combined with an arithmetic instruction and an instruction that writes the storage unit may constitute a harmful instruction set. Therefore a group of instructions may occupy one row in the instruction coefficient table. In another embodiment of the invention, the instruction coefficient table also has a classification field, used to identify whether the instruction field stores a single instruction or an instruction set made up of several instructions.
Then, in step 13, the behavior of the running program is monitored: the instructions or instruction sets that are about to run or have run are observed and the danger coefficient corresponding to each is looked up. In step 14 the danger coefficients of the instructions or instruction sets that are about to run or have run are accumulated, that is, summed. In step 15 it is judged whether the result of the summation exceeds the preset threshold. If it does, the behavior the monitored program has shown is enough to endanger the security of the computer system, so in step 16 the operation of the program is interrupted; otherwise the behavior the monitored program has shown is not enough to endanger the security of the computer system, and the method returns to step 13 to continue monitoring.
The method of Fig. 1 can be used statically or dynamically. Static use means scanning and judging a monitored program that is in a static or inactive state, to find out whether the program is a virus program or has been infected by a virus. The program can also be monitored while it is active, that is, in the running state; in particular, if an instruction or instruction set is judged before it runs, the harmful result can be prevented from actually occurring in the monitored program.
In another embodiment of the invention, the monitoring operation of step 13 is assisted by the classification field: the classification of an instruction is judged first, to determine whether it is an instruction to be judged on its own or one belonging to an instruction set, which simplifies the operation of step 13.
In another embodiment of the invention, only the instructions or instruction sets that may jeopardize computer security are selected and classified, rather than all instructions; excluding instructions that obviously cannot harm the computer, such as no-operation instructions, improves the efficiency of monitoring the monitored program.
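The Fig. 1 flow in working code, as an added example that is not part of the patent: an instruction coefficient table with instruction, coefficient and classification fields (including parameter-conditioned rows for the loop instruction and a set row for the stack-pointer read, compute and write sequence), coefficient accumulation over a constructed instruction trace, and interruption once the sum exceeds the threshold. The operation names, coefficients, threshold and traces are assumptions.

```python
# Added example (not the patent's code): instruction coefficient table and the
# monitoring loop of Fig. 1, steps 11 to 16. Operation names, coefficients and traces
# are constructed assumptions.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

@dataclass
class Instr:
    """One instruction the monitored program is about to run, with its parameters."""
    op: str
    args: dict = field(default_factory=dict)

@dataclass
class Row:
    """One row of the instruction coefficient table (steps 11 and 12).
    kind is the classification field: "single" rows match one instruction, and the same
    op may occupy several rows that differ by a parameter condition; "set" rows match a
    sequence of ops, i.e. an instruction set that is harmful only in combination.
    cond receives the matched instruction(s) and refines the match by their parameters."""
    kind: str
    pattern: Tuple[str, ...]
    coefficient: int
    cond: Optional[Callable[[List[Instr]], bool]] = None

COEFFICIENT_TABLE = [
    # read a unit, compute, write a unit: harmless on ordinary data, harmful when the
    # unit read holds the stack pointer (a set row)
    Row("set", ("read_mem", "arith", "write_mem"), 10,
        lambda m: m[0].args.get("unit") == "stack_pointer"),
    Row("single", ("nop",), 0),
    # a loop with a bounded count is harmless; an unbounded loop may exhaust resources
    Row("single", ("loop",), 1, lambda m: "count" in m[0].args and m[0].args["count"] <= 10_000),
    Row("single", ("loop",), 8, lambda m: "count" not in m[0].args),
    Row("single", ("read_mem",), 1),
    Row("single", ("write_mem",), 2),
    Row("single", ("write_file",), 3, lambda m: m[0].args.get("path", "").endswith(".exe")),
    Row("single", ("write_file",), 1),          # default row for any other file
    Row("single", ("set_registry_run_key",), 6),
    Row("single", ("inject_thread",), 9),
]

class Monitor:
    """Steps 13 to 16 for one monitored program."""
    def __init__(self, table: List[Row], threshold: int):
        self.table, self.threshold = table, threshold
        self.total = 0
        self.window: List[Instr] = []                # recent instructions, for set rows
        self.log: List[Tuple[str, int, int]] = []    # (op, coefficient, running total)

    def lookup(self, instr: Instr) -> Tuple[int, Optional[Row]]:
        """Step 13: find the coefficient of the instruction about to run. Set rows are
        tried first, against the tail of the window ending in this instruction; otherwise
        the first single row whose op and condition match applies. Unclassified ops get 0."""
        self.window.append(instr)
        for row in self.table:
            if row.kind == "set":
                tail = self.window[-len(row.pattern):]
                if (len(tail) == len(row.pattern)
                        and tuple(i.op for i in tail) == row.pattern
                        and (row.cond is None or row.cond(tail))):
                    return row.coefficient, row
        for row in self.table:
            if (row.kind == "single" and row.pattern[0] == instr.op
                    and (row.cond is None or row.cond([instr]))):
                return row.coefficient, row
        return 0, None

    def step(self, instr: Instr) -> bool:
        """Steps 14 and 15: accumulate the coefficient and compare the sum with the
        threshold. Returns True when the program must be interrupted (step 16)."""
        coefficient, _ = self.lookup(instr)
        self.total += coefficient
        self.log.append((instr.op, coefficient, self.total))
        return self.total > self.threshold

def run_program(trace: List[Instr], threshold: int = 25) -> Tuple[str, Optional[int], int]:
    """Run the monitoring loop over a trace (the stored trace of a static scan, or the
    live instruction stream of a running program). Returns the outcome, the index of the
    instruction at which the program was interrupted (None if it completed), and the sum."""
    monitor = Monitor(COEFFICIENT_TABLE, threshold)
    for idx, instr in enumerate(trace):
        if monitor.step(instr):
            return "interrupted", idx, monitor.total
    return "completed", None, monitor.total

# Constructed traces: an ordinary program, and one that rewrites the stack pointer,
# loops without bound, overwrites a program file and injects a thread.
BENIGN_TRACE = [Instr("loop", {"count": 100}), Instr("read_mem", {"unit": "data"}),
                Instr("arith"), Instr("write_mem", {"unit": "data"}),
                Instr("write_file", {"path": "report.txt"}), Instr("nop")]
SUSPICIOUS_TRACE = [Instr("read_mem", {"unit": "stack_pointer"}), Instr("arith"),
                    Instr("write_mem", {"unit": "stack_pointer"}), Instr("loop"),
                    Instr("write_file", {"path": "C:\\Windows\\svc.exe"}),
                    Instr("inject_thread", {"pid": 4})]

if __name__ == "__main__":
    print(run_program(BENIGN_TRACE))       # ('completed', None, 5)
    print(run_program(SUSPICIOUS_TRACE))   # ('interrupted', 5, 31)
```

The benign trace contains the same read, compute, write sequence as the suspicious one; only the parameter condition on the set row separates a coefficient of 2 from one of 10.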
Fig. 2 is the flow chart of the second embodiment of the method of the invention. Compared with the embodiment of Fig. 1, this embodiment adds step 21 of establishing a known-program file store, which stores the identifiers of known programs and their characteristics, and adds a judgment step 22: judging whether the monitored program is a known program; if it is, the characteristics in the known-program file store are used to judge whether the monitored program is intact (step 23); if it is intact, the judgment ends (step 24); otherwise the execution of the known program is terminated.
Fig. 3 is the flow chart of the third embodiment of the method of the invention. Compared with the embodiment of Fig. 2, it adds step 31 of establishing an attack recognition rule base, which stores computer instructions or instruction sets that obviously damage computer security, and adds step 32: when the monitored program is not a known program, the instructions or instruction sets in the attack recognition rule base are used to judge whether the monitored program is a dangerous program; if step 32 judges that the monitored program is dangerous, its execution is terminated directly through step 16.
The embodiments of Fig. 1, Fig. 2 and Fig. 3 also include a step (not shown in the figures) of recording the action behavior of the monitored program by way of the instructions it runs.
In the embodiments of Fig. 1, Fig. 2 and Fig. 3, the monitoring program is embedded in the API functions of the operating system, thereby obtaining the right to monitor the system and monitoring the action behavior of the monitored program.
If the comparison result shows that the monitored program is a dangerous program, not only is the program's continued operation interrupted, but the user is alerted, or further processing is carried out. Therefore, checking known programs with the above method not only judges whether a known program is running normally, but can also detect whether the known program has been attacked; compared with the prior-art method of comparing virus signature codes, it detects virus attacks more accurately and runs more efficiently.
As stated above, the behavior of a known program is compared with the legal action behavior recorded for it in the known-program and program-behavior knowledge base: if the known program executes according to the recorded legal program behavior, it is operating normally; if an action beyond the legal behavior of this known program appears, the known program is determined to be under attack and should be stopped.
Also, in an embodiment of the invention, depending on the monitored program, the current process is ended by calling a system API function, or the current thread is ended by calling a system API function.
Among known programs, quite a number provide the underlying services of the system; if such a program were simply ended, the system would restart or even crash. Therefore, for programs that cannot be interrupted but are under attack, the invention directly ends only the thread that performed the illegal operation, which guarantees the security of the system without affecting its work and keeps it running stably. This avoids the problem of existing virus firewall tools, which, when checking the critical service programs of the system for viruses and killing them, damage important system program files and harm system stability. For example, in the Microsoft Windows operating system, Lsass.exe is a system service program; if it is attacked by a virus program, the thread of this program in which the attack occurred is ended directly, so that system security is guaranteed and the harmful program is prevented from damaging the system.
In the step of judging whether the action behavior of the monitored program is harmful, the captured action behavior of the program is compared with the attack recognition rules in the attack recognition rule base, to judge whether the program is harmful.
The attack recognition rule base is a database that records the attack features of harmful programs; each record corresponds to a set of behaviors, that is, the behaviors or actions that are destructive to the computer and the specific relationship between them.
The instructions or instruction sets are the instructions or instruction sets of the following operations:
file operations; network operations; creating processes or threads; registry operations; window and tray operations; stack operations; thread injection; intercepting system API calls; and accessing, modifying and creating user accounts.
The program behavior is the family of behaviors of the following program actions:
calling the operating system shell; modifying program files or writing program files; calling FTP or TFTP; creating an FTP or TFTP service; sending mail; a browser or mail system automatically running other programs; creating more than a predetermined number of identical threads; modifying and creating user accounts; adding startup items to the system registry; modifying system startup files; injecting threads into other processes; stack operations; an application-layer process automatically elevating itself to run as a system-level process; and intercepting system API calls.
For example, a program changing its own operating level: in the Microsoft Windows operating system, a program automatically elevating itself from the application layer to the system level. Since only a minority of normal programs have this feature, a program showing it can largely be judged to be a virus program or a program attacked by a virus.
In embodiments of the invention, the attack recognition rule base comprises any single one of the following rules, or any combination of two or more of them:
A) a program running at the user layer switches to running at the system kernel layer, RING0; and/or
B) the program performs operations that modify other program files; and/or
C) after receiving data through a listening port, the program immediately calls the operating system shell; and/or
D) after the program receives data through a listening port, a system buffer overflows; and/or
E) after receiving data through a listening port, the program immediately calls a general file transfer protocol program to transmit data; and/or
F) the program was generated automatically by the mail system, modifies the self-start items of the registry when run, has no window and no tray icon, and immediately begins sending mail; and/or
G) the program was generated automatically by the mail system, modifies the self-start items of the registry when run, has no window and no tray icon, and immediately begins creating a listening port.
For example, for a known program whose behavior does not include modifying other program files, if other program files are nevertheless modified while it runs, the dangerous action above is detected by monitoring; comparing it with the characteristics of this known program stored in the known-program file store then shows that the known program must have been infected by a virus.
From the description above, those working in the field of the invention can make various changes and modifications without departing from the technical idea of the invention. The technical scope of the invention is therefore not limited to the content of the specification, and must be determined according to the scope of the claims. The above is only a preferred embodiment of the invention; it should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.
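The Fig. 2 and Fig. 3 flow in working code, as an added example that is not part of the patent: a known-program file store holding, for each known program, an identifier, an image fingerprint and its legal actions, and an attack recognition rule base holding rules A to G as predicates over a recorded behavior trace, with the Lsass.exe handling (ending only the offending thread) for compromised known programs. The identifiers, images, action names and traces are constructed assumptions.

```python
# Added example (not the patent's code): known-program file store and attack
# recognition rule base of Figs. 2 and 3. Identifiers, images and traces are constructed.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

@dataclass
class Behavior:
    """One recorded action of the monitored program (a real monitor would record it
    from the API functions the monitoring program is embedded in)."""
    action: str
    detail: str = ""

@dataclass
class Program:
    ident: str                  # program identifier, here its image path
    image: bytes                # contents of the program file
    origin: str = "user"        # "mail_system" if the mail system generated the file
    has_window: bool = True
    has_tray: bool = False
    trace: List[Behavior] = field(default_factory=list)

@dataclass(frozen=True)
class KnownRecord:
    """Characteristics kept for a known program: image fingerprint and legal actions."""
    sha256: str
    legal_actions: FrozenSet[str]

def fingerprint(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Step 21: the known-program file store, keyed by program identifier.
KNOWN_STORE: Dict[str, KnownRecord] = {
    "C:\\Windows\\System32\\lsass.exe": KnownRecord(
        fingerprint(b"constructed lsass image"),
        frozenset({"open_file", "read_registry", "create_thread"})),
}

def _did(p: Program, action: str) -> bool:
    return any(b.action == action for b in p.trace)

def _immediately_after(p: Program, first: str, second: str) -> bool:
    """True if action `second` directly follows action `first` in the trace."""
    return any(a.action == first and b.action == second for a, b in zip(p.trace, p.trace[1:]))

def _mail_spawned_hidden_autostart(p: Program) -> bool:
    """Part common to rules F and G."""
    return (p.origin == "mail_system" and not p.has_window and not p.has_tray
            and _did(p, "set_registry_run_key"))

# Step 31: the attack recognition rule base, rules A to G of the description.
RULE_BASE = {
    "A": lambda p: _did(p, "enter_ring0"),
    "B": lambda p: any(b.action == "write_file" and b.detail.lower().endswith(".exe")
                       and b.detail != p.ident for b in p.trace),
    "C": lambda p: _immediately_after(p, "recv_on_listening_port", "call_shell"),
    "D": lambda p: _immediately_after(p, "recv_on_listening_port", "buffer_overflow"),
    "E": lambda p: _immediately_after(p, "recv_on_listening_port", "call_file_transfer"),
    "F": lambda p: _mail_spawned_hidden_autostart(p) and _did(p, "send_mail"),
    "G": lambda p: _mail_spawned_hidden_autostart(p) and _did(p, "create_listening_port"),
}

def check_known_program(p: Program, record: KnownRecord) -> Tuple[str, str]:
    """Steps 22 to 24: a known program is intact if its image matches the stored
    fingerprint and it has performed only its recorded legal actions. A compromised
    known program is handled as in the Lsass.exe example: only the offending thread ends."""
    if fingerprint(p.image) != record.sha256:
        return "end_thread", "image modified"
    illegal = [b.action for b in p.trace if b.action not in record.legal_actions]
    if illegal:
        return "end_thread", "illegal action " + illegal[0]
    return "ok", "intact"

def decide(p: Program) -> Tuple[str, str]:
    """Step 22 routes known programs to the intact check and unknown programs to
    step 32, the rule base. An unknown program matching no rule is left to the
    coefficient accumulation of Fig. 1 (not repeated here)."""
    record = KNOWN_STORE.get(p.ident)
    if record is not None:
        return check_known_program(p, record)
    matched = [name for name, rule in RULE_BASE.items() if rule(p)]
    if matched:
        return "end_process", "rules " + ",".join(matched)
    return "ok", "no rule matched"

# Constructed cases: an intact service, the same service with an injected thread,
# a mail-spawned hidden program that sets a run key and listens, and a harmless unknown.
LSASS_OK = Program("C:\\Windows\\System32\\lsass.exe", b"constructed lsass image",
                   trace=[Behavior("open_file", "policy.db"), Behavior("read_registry", "Lsa")])
LSASS_ATTACKED = Program("C:\\Windows\\System32\\lsass.exe", b"constructed lsass image",
                         trace=[Behavior("open_file", "policy.db"), Behavior("inject_thread", "pid 1234")])
MAIL_WORM = Program("C:\\Temp\\attach.exe", b"constructed worm", origin="mail_system",
                    has_window=False, trace=[Behavior("set_registry_run_key", "Run"),
                                             Behavior("send_mail"), Behavior("create_listening_port", "tcp/1234")])
UNKNOWN_EDITOR = Program("C:\\Tools\\editor.exe", b"constructed editor",
                         trace=[Behavior("open_file", "notes.txt"), Behavior("write_file", "notes.txt")])

if __name__ == "__main__":
    for p in (LSASS_OK, LSASS_ATTACKED, MAIL_WORM, UNKNOWN_EDITOR):
        print(p.ident, decide(p))
```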

Claims (9)

1. A computer protection method based on program behavior analysis, characterized in that it comprises:
classifying the instructions or instruction sets run by the computer, and setting a danger coefficient for each instruction or instruction set;
monitoring the behavior of the running program, accumulating the danger coefficients of the instructions or instruction sets that are about to run or have run, and interrupting the operation of the program when the sum of the coefficients exceeds a preset threshold.
2. The computer protection method based on program behavior analysis of claim 1, characterized in that the instructions or instruction sets that may jeopardize computer security are selected for classification.
3. The computer protection method based on program behavior analysis of claim 2, characterized in that the instructions or instruction sets are the instructions or instruction sets of the following operations:
file operations; network operations; creating processes or threads; registry operations; window and tray operations; stack operations; thread injection; intercepting system API calls; and accessing, modifying and creating user accounts.
4. The computer protection method based on program behavior analysis of claim 3, characterized in that the program behavior is the family of behaviors of the following program actions:
calling the operating system shell; modifying program files or writing program files; calling FTP or TFTP; creating an FTP or TFTP service; sending mail; a browser or mail system automatically running other programs; creating more than a predetermined number of identical threads; modifying and creating user accounts; adding startup items to the system registry; modifying system startup files; injecting threads into other processes; stack operations; an application-layer process automatically elevating itself to run as a system-level process; and intercepting system API calls.
5. The computer protection method based on program behavior analysis of claim 1, characterized in that the monitoring program is embedded in the API functions of the operating system, so that the action behavior of programs can be monitored.
6. The computer protection method based on program behavior analysis of claim 5, characterized in that the action behavior of the monitored program is recorded by way of the instructions it runs.
7. The computer protection method based on program behavior analysis of claim 1, 2, 3, 4, 5 or 6, characterized in that it also comprises:
establishing a known-program file store for storing the identifiers of known programs and the characteristics of those known programs; and judging whether the monitored program is a known program; if it is, using the characteristics in the known-program file store to judge whether the monitored program is intact; if it is intact, ending the judgment, and otherwise terminating the execution of the known program.
8. The computer protection method based on program behavior analysis of claim 7, characterized in that it also comprises:
establishing an attack recognition rule base for storing computer instructions or instruction sets that obviously damage computer security; and, when the monitored program is not a known program, using the instructions or instruction sets in the attack recognition rule base to judge whether the monitored program is a dangerous program, and if so terminating its execution.
9. The computer protection method based on program behavior analysis of claim 8, characterized in that the attack recognition rule base comprises one of the following rules, or any combination of two or more of them:
A) a program running at the user layer switches to running at the system kernel layer, RING0; and/or
B) the program performs operations that modify other program files; and/or
C) after receiving data through a listening port, the program immediately calls the operating system shell; and/or
D) after the program receives data through a listening port, a system buffer overflows; and/or
E) after receiving data through a listening port, the program immediately calls a general file transfer protocol program to transmit data; and/or
F) the program was generated automatically by the mail system, modifies the self-start items of the registry when run, has no window and no tray icon, and immediately begins sending mail; and/or
G) the program was generated automatically by the mail system, modifies the self-start items of the registry when run, has no window and no tray icon, and immediately begins creating a listening port.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNA2007100802337A CN101013461A (en) 2007-02-14 2007-02-14 Method of computer protection based on program behavior analysis
PCT/CN2008/070303 WO2008098519A1 (en) 2007-02-14 2008-02-14 A computer protection method based on a program behavior analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2007100802337A CN101013461A (en) 2007-02-14 2007-02-14 Method of computer protection based on program behavior analysis

Publications (1)

Publication Number Publication Date
CN101013461A true CN101013461A (en) 2007-08-08

Family

ID=38700968

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007100802337A Pending CN101013461A (en) 2007-02-14 2007-02-14 Method of computer protection based on program behavior analysis

Country Status (2)

Country Link
CN (1) CN101013461A (en)
WO (1) WO2008098519A1 (en)


Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100547513C (en) * 2005-02-07 2009-10-07 福建东方微点信息安全有限责任公司 Computer protecting method based on the program behavior analysis
CN100374972C (en) * 2005-08-03 2008-03-12 珠海金山软件股份有限公司 System and method for detecting and defending computer worm
CN101013461A (en) * 2007-02-14 2007-08-08 白杰 Method of computer protection based on program behavior analysis

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008098519A1 (en) * 2007-02-14 2008-08-21 Jie Bai A computer protection method based on a program behavior analysis
CN100504903C (en) * 2007-09-18 2009-06-24 北京大学 Automatic malicious code recognition method
CN102053927A (en) * 2010-12-29 2011-05-11 北京握奇数据系统有限公司 Attack monitoring method and device with attack monitoring function
CN102053927B (en) * 2010-12-29 2013-11-27 北京握奇数据系统有限公司 Attack monitoring method and device with attack monitoring function
CN103136471B (en) * 2011-11-25 2015-12-16 中国科学院软件研究所 Method and system for detecting malicious Android application programs
CN103136471A (en) * 2011-11-25 2013-06-05 中国科学院软件研究所 Method and system for testing malicious Android application programs
CN103136475B (en) * 2011-11-29 2017-07-04 姚纪卫 Method and apparatus for detecting computer viruses
CN103136475A (en) * 2011-11-29 2013-06-05 姚纪卫 Method and device for detecting computer viruses
CN102591965B (en) * 2011-12-30 2014-07-09 奇智软件(北京)有限公司 Method and device for detecting black chain
CN102591965A (en) * 2011-12-30 2012-07-18 奇智软件(北京)有限公司 Method and device for detecting black chain
CN104321782A (en) * 2012-03-30 2015-01-28 爱迪德加拿大公司 Secured execution of a web application
CN104321782B (en) * 2012-03-30 2018-01-12 爱迪德技术有限公司 Secured execution of a web application
CN103020524A (en) * 2012-12-11 2013-04-03 北京奇虎科技有限公司 Computer virus monitoring system
CN103020524B (en) * 2012-12-11 2015-08-05 北京奇虎科技有限公司 Computer virus monitoring system
CN103049695B (en) * 2012-12-11 2015-12-09 北京奇虎科技有限公司 Computer virus monitoring method and device
CN103049695A (en) * 2012-12-11 2013-04-17 北京奇虎科技有限公司 Computer virus monitoring method and device
CN103679028A (en) * 2013-12-06 2014-03-26 深圳酷派技术有限公司 Software behavior monitoring method and terminal
CN107408331A (en) * 2014-04-04 2017-11-28 通用电子有限公司 System and method for configuring the remote control functions of a portable device
US10540497B2 (en) 2014-06-05 2020-01-21 Tencent Technology (Shenzhen) Company Limited Method and apparatus for monitoring security of terminal system
CN105204825A (en) * 2014-06-05 2015-12-30 腾讯科技(深圳)有限公司 Terminal system security monitoring method and device
WO2015185015A1 (en) * 2014-06-05 2015-12-10 Tencent Technology (Shenzhen) Company Limited Method and apparatus for monitoring security of terminal system
CN105204825B (en) * 2014-06-05 2020-07-14 腾讯科技(深圳)有限公司 Method and device for monitoring terminal system safety
CN104077110B (en) * 2014-07-09 2016-11-30 肖龙旭 File scheduling method based on system behaviors
CN104077110A (en) * 2014-07-09 2014-10-01 肖龙旭 File scheduling method based on system behaviors
CN105607518A (en) * 2016-01-27 2016-05-25 云南电网有限责任公司电力科学研究院 Power transmission line robot control method, robot and terminal
CN116663005A (en) * 2023-08-01 2023-08-29 长扬科技(北京)股份有限公司 Method, device, equipment and storage medium for defending against composite ransomware
CN116663005B (en) * 2023-08-01 2023-10-13 长扬科技(北京)股份有限公司 Method, device, equipment and storage medium for defending against composite ransomware

Also Published As

Publication number Publication date
WO2008098519A1 (en) 2008-08-21

Similar Documents

Publication Publication Date Title
CN101013461A (en) Method of computer protection based on program behavior analysis
RU2645268C2 (en) Complex classification for detecting malware
JP4629332B2 (en) Status reference monitor
US10657251B1 (en) Multistage system and method for analyzing obfuscated content for malware
KR102307534B1 (en) Systems and methods for tracking malicious behavior across multiple software entities
US8161552B1 (en) White list creation in behavior monitoring system
CN100401224C (en) Computer anti-virus protection system and method
US8640243B2 (en) Detecting malicious computer code in an executing program module
US7665139B1 (en) Method and apparatus to detect and prevent malicious changes to tokens
US20150213260A1 (en) Device and method for detecting vulnerability attack in program
JP2017216018A (en) Kernel-level security agent
US11438349B2 (en) Systems and methods for protecting devices from malware
TWI396995B (en) Method and system for cleaning malicious software and computer program product and storage medium
US11042633B2 (en) Methods for protecting software hooks, and related computer security systems and apparatus
US20090013407A1 (en) Intrusion detection system/intrusion prevention system with enhanced performance
KR101086203B1 (en) A proactive system against malicious processes by investigating the process behaviors and the method thereof
CN101599113A (en) Driven malware defence method and device
KR100666562B1 (en) Method for protecting kernel driver and process
US8566585B2 (en) System and a method for processing system calls in a computerized system that implements a kernel
EP3831031B1 (en) Listen mode for application operation whitelisting mechanisms
US8533833B2 (en) System, a method, and a data-structure for processing system calls in a computerized system that implements a kernel
EP3535681B1 (en) System and method for detecting and for alerting of exploits in computerized systems
CN107818260B (en) Method and device for guaranteeing system safety
KR20110057297A (en) Dynamic analyzing system for malicious bot and methods therefore
CN115086081A (en) Escape prevention method and system for honeypots

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20070808