CN101645125B - Method for filtering and monitoring behavior of program - Google Patents

Method for filtering and monitoring behavior of program

Info

Publication number: CN101645125B
Authority: CN (China)
Prior art keywords: behavior, sample, program, behavior sample, library
Legal status: Active
Application number: CN2008100300015A
Other languages: Chinese (zh)
Other versions: CN101645125A (en)
Inventor: 黄声声
Current Assignee: Beijing Kingsoft Internet Security Software Co Ltd
Original Assignee: Zhuhai Kingsoft Software Co Ltd
Application filed by Zhuhai Kingsoft Software Co Ltd
Priority to CN2008100300015A (CN101645125B)
Priority to PCT/CN2009/000871 (WO2010015145A1)
Priority to JP2011521424A (JP5370486B2)
Publication of CN101645125A
Application granted
Publication of CN101645125B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems

Abstract

The invention relates to a method for filtering and monitoring the behavior of a program. The method for filtering program behavior comprises the following steps: constructing a behavior sample database, which comprises behavior samples collected from a plurality of program samples and, for each behavior sample, a weight calculated from its frequency of occurrence, where the weight can be an inverse document frequency index, a probability of occurrence, or the like; acquiring the behavior of the program to be processed and judging whether a behavior sample identical to the program behavior exists in the behavior sample database; if no identical behavior sample exists in the database, keeping the program behavior; and if an identical behavior sample does exist, judging whether the weight of that behavior sample falls into a preset filtering threshold range, and if so filtering out the program behavior, otherwise keeping it. The method can reduce the interference with monitoring or analysis caused by non-characteristic behaviors, reduce the processing load, and improve accuracy.

Description

Method for filtering and monitoring the behavior of a program
Technical field
The present invention relates to the field of computer security, and more specifically to methods for filtering and monitoring the behavior of a program.
Background art
Intercepting and monitoring program behavior is a common means by which security software defends against computer viruses. In practice, security products based on non-signature detection usually identify suspicious programs (for example, viruses and Trojans) by monitoring and analyzing program behavior. For example, program behavior can be intercepted and monitored at certain specific intercept points (for example, calls to system resources), including file read-write operations and registry read-write operations, and the type of the program (virus, Trojan, system program, etc.) is then determined from these behaviors.
In statistical language processing, certain parts of speech such as common adverbs and conjunctions (for example "get", "in" and the like) are used so widely that they occur in the great majority of articles, so these words contribute essentially nothing to text classification. Accordingly, such words are called "stop words" in statistical linguistics. Stop words are usually deleted during text classification so that they do not interfere with processing.
Similarly, program behaviors can be divided into two types: behaviors with classification significance (also called "characteristic behaviors") and behaviors without classification significance (also called "non-characteristic behaviors"). For example, some behaviors are used by most programs, or are used frequently by most programs; such behaviors have no classification or analysis value and belong to the non-characteristic behaviors. Identifying these non-characteristic behaviors while processing program behavior, and deleting them before classification or analysis, can effectively reduce their interference with the classification of program samples (for example, if such non-characteristic behaviors were treated as virus features, serious false positive problems could result).
In one existing method for monitoring program behavior, all behaviors of the monitored program are monitored, and all of them are analyzed and monitored. The defect of this scheme is that the amount of data to process is very large, the complexity is high, and the error rate is high (for example, if such non-characteristic behaviors are treated as virus features, serious false positive problems may result).
In another existing method for monitoring program behavior, the non-characteristic behaviors are first identified and filtered out manually, and the remaining behaviors are then analyzed. This monitoring method requires a great deal of manpower, its cost is very high, its monitoring results are not sufficiently stable or accurate, and it is difficult to put into wide use.
Summary of the invention
One object of the present invention is to provide two methods for filtering the behavior of a program. Both methods filter out the non-characteristic behaviors of a program before the program's behavior is monitored or analyzed, so as to reduce the interference of non-characteristic behaviors with monitoring or analysis, reduce the processing load on the computer, and improve the accuracy of monitoring and analysis.
To this end, the first method for filtering program behavior provided by the invention comprises the following steps: step S1, constructing a behavior sample library, which comprises behavior samples collected from a number of program samples and, for each behavior sample, a weight calculated from the frequency of occurrence of that behavior sample; step S2, obtaining the program behavior to be processed and judging whether a behavior sample identical to the program behavior exists in the behavior sample library; if no identical behavior sample exists in the library, the program behavior is kept; if an identical behavior sample does exist in the library, judging whether the weight of that behavior sample falls into a preset filtering threshold range, and filtering out the program behavior if it does, otherwise keeping the program behavior.
Compared with the prior art, the present invention filters out non-characteristic behaviors before program behavior is monitored or analyzed, according to the behavior samples in the behavior sample library and a preset filtering threshold range. This reduces the interference of non-characteristic behaviors with monitoring or analysis, reduces the processing load on the computer, and improves the accuracy of monitoring and analysis.
In the behavior sample library, the frequency of occurrence of each behavior sample is either the ratio of the number of program samples in which the behavior sample occurs to the total number of program samples, or the ratio of the number of occurrences of the behavior sample across all program samples to the total number of behavior samples contained in all program samples. The weight of a behavior sample is its frequency of occurrence. The step of judging whether the weight of the behavior sample falls into the preset filtering threshold range is specifically: if the frequency of occurrence of the behavior sample is greater than a preset lower filtering threshold, it is judged to fall into the preset filtering threshold range. In this preferred scheme, whether a program behavior is a non-characteristic behavior that needs to be filtered out is judged from its frequency of occurrence: behaviors whose frequency of occurrence is excessively high are usually non-characteristic behaviors without classification or analysis significance, so this preferred scheme filters them out according to the preset lower filtering threshold. This preferred scheme is simple, requires little computation, and is easy to implement.
The second method for filtering program behavior provided by the invention differs from the first in the following respects. In the behavior sample library, the frequency of occurrence of each behavior sample is either the ratio of the number of program samples in which the behavior sample occurs to the total number of program samples, or the ratio of the number of occurrences of the behavior sample across all program samples to the total number of behavior samples contained in all program samples. The weight of a behavior sample is its inverse document frequency, which equals the logarithm of the reciprocal of the behavior sample's frequency of occurrence. The step of judging whether the weight of the behavior sample falls into the preset filtering threshold range is specifically: if the inverse document frequency of the behavior sample is less than a preset upper filtering threshold, it is judged to fall into the preset filtering threshold range. In this preferred scheme, whether a behavior is a non-characteristic behavior that needs to be filtered out is judged from its inverse document frequency; in the field of statistics, inverse document frequency is a widely recognized and important parameter for measuring relevance and value. Usually, behaviors whose inverse document frequency is too small are non-characteristic behaviors without classification or analysis significance, so this preferred scheme filters them out according to the preset upper filtering threshold. Because this preferred scheme uses inverse document frequency to identify and filter out "non-characteristic behaviors", its effect is better and its filtering results are more reliable.
Preferably, in both the first and the second method for filtering program behavior, the behavior sample library also comprises the total number of program samples and the total number of behavior samples, and the method also comprises updating the behavior sample library. The update comprises: if in step S2 no behavior sample identical to the program behavior exists in the behavior sample library, then after step S2 the program behavior is added to the behavior sample library as a new behavior sample, the total number of program samples and the total number of behavior samples in the library are updated, and the weight of each behavior sample is recomputed. In this preferred scheme, the behavior samples are updated promptly according to what is currently being processed, so that the content of the behavior sample library becomes broader, more comprehensive and more accurate, which further improves the accuracy of filtering.
Preferably, the update also comprises: if in step S2 a behavior sample identical to the program behavior does exist in the behavior sample library, then after step S2 the total number of program samples and the total number of behavior samples in the library are updated, and the weight of each behavior sample is recomputed. Likewise, in this preferred scheme the behavior samples are updated promptly according to what is currently being processed, so that the content of the behavior sample library becomes broader, more comprehensive and more accurate, which further improves the accuracy of filtering.
On the other hand, another object of the present invention is to provide two methods for monitoring the behavior of a program. Both methods can filter out the non-characteristic behaviors of a program, so as to reduce the interference of non-characteristic behaviors with monitoring or analysis, reduce the processing load on the computer, and improve the accuracy of monitoring and analysis.
To this end, the first method for monitoring program behavior provided by the invention comprises: step S0, collecting the program behavior of the monitored program; and step S4, analyzing and monitoring the program behavior. Between step S0 and step S4 it further comprises the following steps: step S1, constructing a behavior sample library, which comprises behavior samples collected from a number of program samples and, for each behavior sample, a weight calculated from the frequency of occurrence of that behavior sample; step S2, obtaining the program behavior of the monitored program and judging whether a behavior sample identical to the program behavior exists in the behavior sample library; if no identical behavior sample exists in the library, the program behavior is kept; if an identical behavior sample does exist in the library, judging whether the weight of that behavior sample falls into a preset filtering threshold range, and filtering out the program behavior if it does, otherwise keeping the program behavior.
Likewise, compared with the prior art, the method for monitoring program behavior provided by the invention compares the program's behavior against the behavior samples in the behavior sample library and a preset filtering threshold range before the behavior is monitored or analyzed, and filters out the non-characteristic behaviors. This reduces the interference of non-characteristic behaviors with monitoring or analysis, reduces the processing load on the computer, and improves the accuracy of monitoring and analysis.
In the behavior sample library, the frequency of occurrence of each behavior sample is either the ratio of the number of program samples in which the behavior sample occurs to the total number of program samples, or the ratio of the number of occurrences of the behavior sample across all program samples to the total number of behavior samples contained in all program samples. The weight of a behavior sample is its frequency of occurrence. The step of judging whether the weight of the behavior sample falls into the preset filtering threshold range is specifically: if the frequency of occurrence of the behavior sample is greater than a preset lower filtering threshold, it is judged to fall into the preset filtering threshold range. In this preferred scheme, whether a behavior is a "non-characteristic behavior" that needs to be filtered out is judged from its frequency of occurrence: behaviors whose frequency of occurrence is excessively high are usually "non-characteristic behaviors" without classification or analysis significance, so this preferred scheme filters them out according to the preset lower filtering threshold. This preferred scheme is simple, requires little computation, and is easy to implement.
The second method for monitoring program behavior provided by the invention differs from the first in the following respects. In the behavior sample library, the frequency of occurrence of each behavior sample is either the ratio of the number of program samples in which the behavior sample occurs to the total number of program samples, or the ratio of the number of occurrences of the behavior sample across all program samples to the total number of behavior samples contained in all program samples. The weight of a behavior sample is its inverse document frequency, which equals the logarithm of the reciprocal of the behavior sample's frequency of occurrence. The step of judging whether the weight of the behavior sample falls into the preset filtering threshold range is specifically: if the inverse document frequency of the behavior sample is less than a preset upper filtering threshold, it is judged to fall into the preset filtering threshold range. In this preferred scheme, whether a behavior is a non-characteristic behavior that needs to be filtered out is judged from its inverse document frequency; in the field of statistics, inverse document frequency is a widely recognized and important parameter for measuring relevance and value. Usually, behaviors whose inverse document frequency is too small are non-characteristic behaviors without classification or analysis significance, so this preferred scheme filters them out according to the preset upper filtering threshold. Because this preferred scheme uses inverse document frequency to identify and filter out "non-characteristic behaviors", its effect is better and its filtering results are more reliable.
Preferably, in both the first and the second method for monitoring program behavior, the behavior sample library also comprises the total number of program samples and the total number of behavior samples, and the method also comprises updating the behavior sample library. The update comprises: if in step S2 no behavior sample identical to the program behavior exists in the behavior sample library, then after step S2 the program behavior is added to the behavior sample library as a new behavior sample, the total number of program samples and the total number of behavior samples in the library are updated, and the weight of each behavior sample is recomputed. In this preferred scheme, the behavior samples are updated promptly according to what is currently being processed, so that the content of the behavior sample library becomes broader, more comprehensive and more accurate, which further improves the accuracy of filtering.
Preferably, the update also comprises: if in step S2 a behavior sample identical to the program behavior does exist in the behavior sample library, then after step S2 the total number of program samples and the total number of behavior samples in the library are updated, and the weight of each behavior sample is recomputed. Likewise, in this preferred scheme the behavior samples are updated promptly according to what is currently being processed, so that the content of the behavior sample library becomes broader, more comprehensive and more accurate, which further improves the accuracy of filtering.
Description of the drawings
Fig. 1 is a flow chart of constructing the behavior sample library in one embodiment of the invention;
Fig. 2 is a flow chart of filtering the behavior of a program using the behavior sample library shown in Fig. 1;
Fig. 3 is a flow chart of constructing the behavior sample library in another embodiment of the invention;
Fig. 4 is a flow chart of filtering the behavior of a program using the behavior sample library shown in Fig. 3.
Embodiments
The present invention relates to methods for monitoring or analyzing the behavior of a program, and in particular to a method for filtering out the non-characteristic behaviors of a program before its behavior is monitored or analyzed. Implementing the invention reduces the interference of non-characteristic behaviors with monitoring or analysis, reduces the processing load on the computer, and improves the accuracy of monitoring and analysis.
To this end, a behavior sample library is first constructed. The library comprises behavior samples collected from a number of program samples and, for each behavior sample, a weight calculated from the frequency of occurrence of that behavior sample. The weight of a behavior sample represents the value, relevance or importance of that behavior. The weight can be, but is not limited to, the frequency of occurrence, a probability of occurrence estimated from the frequency of occurrence, or the inverse document frequency. Further, the frequency of occurrence of a behavior sample can be the ratio of the number of program samples in which the behavior sample occurs to the total number of program samples. For example, if behavior samples were collected from 100 program samples while constructing the library, and 30 of those program samples exhibit behavior sample A, then the frequency of occurrence of behavior sample A is 30/100 = 30%. Alternatively, the frequency of occurrence of a behavior sample can be the ratio of the number of occurrences of the behavior sample across all program samples to the total number of behavior samples contained in all program samples. For example, if in the example above the 100 program samples contain 9000 behavior samples in total, and behavior sample A occurs 2500 times, then the frequency of occurrence of behavior sample A is 2500/9000 ≈ 27.8%.
Once the behavior sample library has been constructed, it can be used to filter program behavior. Specifically, the program behavior to be processed is obtained first, and it is judged whether a behavior sample identical to the program behavior exists in the behavior sample library; if no identical behavior sample exists in the library, the program behavior is kept. If an identical behavior sample does exist in the library, it is judged whether the weight of that behavior sample falls into the preset filtering threshold range; if it does, the program behavior is filtered out, otherwise the program behavior is kept.
The present invention is set forth in more detail below with reference to the accompanying drawings.
Embodiment one
Fig. 1 is a flow chart of constructing the behavior sample library in one embodiment of the invention, and Fig. 2 is a flow chart of filtering the behavior of a program using the behavior sample library shown in Fig. 1.
As shown in Fig. 1, after the start step S100, the behaviors of a large number of program samples are collected in step S102, yielding a large number of behavior samples, and the total number D of collected behavior samples is recorded. According to statistical principles, the larger the sample, the closer the resulting statistics are to the actual values; therefore, when constructing the behavior sample library it is preferable to collect the behavior samples of as many program samples as possible. Those skilled in the art will realize that, using existing technology, the behaviors of a large number of program samples can be collected by setting intercept points and similar means, for example for file read-write operations and registry read-write operations.
Then, in step S104, the number of occurrences $D_{Wi}$ of each behavior sample is calculated, where $D_{Wi}$ denotes the number of times the i-th kind of behavior sample appears in the behavior sample library; obviously, $D_{Wi}$ equals the number of behavior samples in the library that are identical to the i-th kind of behavior sample.
Then, in step S106, the frequency of occurrence $f_i$ of each behavior sample is calculated, where $f_i$ denotes the frequency with which the i-th kind of behavior sample appears in the library. The frequency $f_i$ of the i-th kind of behavior sample equals the ratio of the number of occurrences $D_{Wi}$ of that behavior sample to the total number D of behavior samples in the library, that is, $f_i = D_{Wi} / D$. As mentioned above, the frequency of occurrence $f_i$ is one way of characterizing a behavior sample and is used to represent its relevance, importance and so on. Obviously, $0 \le f_i \le 1$, and the larger $f_i$ is, the higher the frequency or probability of occurrence of that kind of behavior sample. As mentioned above, although in this embodiment the ratio of the number of occurrences of a behavior sample across all program samples to the total number of behavior samples contained in all program samples is used as the frequency of occurrence of that behavior sample, the ratio of the number of program samples in which the behavior sample occurs to the total number of program samples can also be used as its frequency of occurrence.
After the frequency of occurrence $f_i$ of all behavior samples has been calculated, the total number D of behavior samples and the number of occurrences $D_{Wi}$ and frequency of occurrence $f_i$ of each behavior sample are saved, which completes the construction of the behavior sample library, as shown in step S108.
Then, as shown in Fig. 2, in practical application, after the start step S200, the program behavior that needs processing is collected or read in step S201. Again, those skilled in the art will realize that, using existing technology, the behaviors of a large number of program samples can be collected by setting intercept points and similar means, for example for file read-write operations and registry read-write operations.
Then, in step S202, it is judged whether a behavior sample identical to the program behavior exists in the behavior sample library. If not, the program behavior is either a new kind of program behavior or one with a low frequency of occurrence; it is not a non-characteristic behavior, so it is kept for processing in subsequent steps (for example, monitoring, analysis or supervision), as shown in step S205.
Otherwise, if it is found in step S202 that a behavior sample identical to the program behavior does exist in the library, the frequency of occurrence of that identical behavior sample is read, as in step S203.
Then, after step S203, it is judged in step S204 whether this frequency of occurrence falls into the preset filtering threshold range. As mentioned above, the higher a program behavior's frequency, the more likely it is to be a non-characteristic behavior; therefore, if the frequency of occurrence of a program behavior is greater than the preset lower filtering threshold, the program behavior can be treated as a non-characteristic behavior and filtered out, as shown in step S206. In this way, the subsequent processing flow no longer needs to analyze, monitor or supervise this program behavior, which effectively reduces the later processing load, reduces the interference of this non-characteristic behavior with monitoring or analysis, and improves the accuracy of monitoring and analysis.
Conversely, if it is found in step S204 that the frequency of occurrence of the program behavior does not fall into the preset filtering threshold range, that is, the frequency of occurrence is less than the preset lower filtering threshold, then the program behavior has a low frequency of occurrence and is not a non-characteristic behavior; the flow therefore enters step S205, in which the program behavior is kept for processing in subsequent steps (for example, monitoring, analysis or supervision).
Step S205 and step S206 both end at step S207, at which point the whole filtering process finishes.
In this embodiment, whether a behavior is a non-characteristic behavior that needs to be filtered out is judged from its frequency of occurrence; if a program behavior is a non-characteristic behavior, it is filtered out, which reduces the subsequent processing load and improves the accuracy of subsequent processing. This scheme is simple, requires little computation, and is easy to implement.
Embodiment two
Fig. 3 is the process flow diagram in structure behavior sample storehouse in the another embodiment of the present invention; Fig. 4 uses the process flow diagram that filter the behavior of program in behavior sample storehouse shown in Figure 3.
The flow process in structure behavior sample storehouse shown in Figure 3 and structure flow process shown in Figure 1 are similar.More specifically, step S300 shown in Figure 3 is identical to step S104 with step S100 shown in Figure 1 to step S304, be respectively the beginning step, collect a large amount of behavior samples and write down behavior sample total amount D, calculate the occurrence number D of each behavior sample Wi
Then, among the step S306, calculate the inverse document frequency (IDF) of each behavior sample.As mentioned above, inverse document frequency is a kind of important parameter of measuring correlativity, value of generally acknowledging.The inverse document frequency IDF (i) of i kind behavior sample equals the logarithm of the inverse of the frequency of occurrences of this i kind behavior sample in behavior sample storehouse, that is: IDF ( i ) = log ( D Dwi ) . Wherein, D is the total amount of the behavior sample in the behavior sample storehouse; D WiIt is the number of times that the behavior of i kind occurred in behavior sample storehouse.Obviously, the IDF of certain behavior sample (i) and its frequency of occurrences (D Wi/ D) be inversely proportional to, particularly, if i kind behavior sample occurs very frequently, the contrary text index IDF (i) of this behavior sample will be more little, and the minimum value of IDF (i) equals 0.Otherwise if i kind behavior sample occurs seldom, its IDF (i) will be high more.Therefore, when ID F (i) is lower than certain default filtration threshold value, can think that this behavior sample belongs to non-characteristic behavior, can be filtered.
Once the behavior sample library has been constructed, it can be used to identify and judge the behavior of a program, as shown in Fig. 4.
Steps S400 to S407 in Fig. 4 are essentially the same as steps S200 to S207 in Fig. 2; the slight differences are in steps S403 and S404. Specifically, in step S403 what is read is the IDF value of the behavior sample in the behavior sample library that is identical to the pending program behavior. In step S404, if this IDF value is less than the preset filtering threshold upper limit, the IDF value falls within the preset filtering threshold range, so the program behavior is non-characteristic and can be filtered out (step S406); otherwise the flow proceeds from step S404 to step S405, i.e. the program behavior is kept and passed on to subsequent processing (analysis, monitoring, etc.).
In the scheme adopted by this embodiment, whether a behavior belongs to the non-characteristic behavior that must be filtered out is judged from its inverse document frequency. In the field of statistics, inverse document frequency is an important, generally recognized parameter for measuring relevance. Usually, a behavior whose inverse document frequency is too small is non-characteristic behavior with no significance for classification or analysis; therefore this preferred scheme filters out such non-characteristic behavior according to a preset filtering threshold upper limit. Using inverse document frequency to identify and filter out non-characteristic behavior gives better results and a more reliable filtering outcome.
The present invention has been described above with reference to the accompanying drawings. It should be recognized that the present invention can not only be used to filter out non-characteristic behavior but can also be applied to program monitoring, for example in security software. Specifically, after the security software obtains the behavior of the monitored program by existing techniques, it can use the above filtering method to filter out the non-characteristic behavior and then monitor the remaining program behavior by existing monitoring methods. Compared with the prior art, the method of monitoring program behavior provided by the present invention compares the program behavior against the behavior samples in the behavior sample library and the preset filtering threshold range before monitoring or analyzing the behavior, and filters out non-characteristic behavior, thereby reducing the interference of non-characteristic behavior with monitoring or analysis, reducing the computer's processing load, and improving the accuracy of monitoring and analysis.
As an improvement to the various embodiments above, the behavior sample library can also be updated periodically or in real time. To update the behavior sample library better, information such as the total number of program samples and the total number D of behavior samples should be stored in the behavior sample library. In implementation, for example, if in step S202 of Fig. 2 it is found that no behavior sample identical to the program behavior exists in the behavior sample library, then after the flow finishes the program behavior can be added to the behavior sample library as a new behavior sample, the information such as the total number of program samples and the total number D of behavior samples updated, and the frequency of occurrence of each behavior sample recalculated. For another example, if in step S402 of Fig. 4 it is found that no behavior sample identical to the program behavior exists in the behavior sample library, then after the flow finishes the program behavior can be added to the behavior sample library as a new behavior sample, the total number D of behavior samples updated, and the inverse document frequency IDF of each behavior sample recalculated. In this way, by updating the behavior samples in a timely manner, the content of the behavior sample library becomes wider, more comprehensive and more accurate, which further improves the accuracy of filtering.
Similarly, if in step S202 of Fig. 2 it is found that a behavior sample identical to the program behavior does exist in the behavior sample library, then after the flow finishes the total number D of behavior samples and the frequency of occurrence of that identical behavior sample can be updated, and the frequency of occurrence of each behavior sample recalculated. Likewise, if in step S402 of Fig. 4 it is found that a behavior sample identical to the program behavior exists in the behavior sample library, then after the flow finishes the total number D of behavior samples and the inverse document frequency IDF of that identical behavior sample can be updated. In this preferred scheme, the behavior samples are updated in a timely manner according to the current processing, so the content of the behavior sample library becomes wider, more comprehensive and more accurate, which further improves the accuracy of filtering.
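A worked implementation of the library construction, the two filtering rules (the frequency lower limit of embodiment one and the IDF upper limit of embodiment two) and the timely update described above, added here as an example and not code from the patent; the behavior names, program samples and thresholds are constructed.

```python
"""Behavior sample library with frequency- and IDF-based filtering of
non-characteristic program behavior, plus timely library updates.
Added example, not the patent's own code; behavior names are constructed."""
import math
from collections import Counter


class BehaviorSampleLibrary:
    """Stores D_Wi (occurrences), per-program document counts, D and the
    program sample total, and derives each behavior's weight on demand."""

    def __init__(self, program_samples, by_program=False):
        # by_program=False: frequency = D_Wi / D (the definition of embodiment two)
        # by_program=True : frequency = (#program samples containing it) / (#program samples)
        self.by_program = by_program
        self.behavior_counts = Counter()  # D_Wi: occurrences of each behavior kind
        self.doc_counts = Counter()       # number of program samples containing it
        self.behavior_total = 0           # D: total behavior samples
        self.program_total = 0
        for behaviors in program_samples:
            self.add_program_sample(behaviors)

    def add_program_sample(self, behaviors):
        """Library update after the flow finishes: new kinds are added as new
        samples, existing kinds get their counts bumped, totals are updated."""
        self.program_total += 1
        for b in behaviors:
            self.behavior_counts[b] += 1
            self.behavior_total += 1
        for b in set(behaviors):
            self.doc_counts[b] += 1

    def frequency(self, behavior):
        if self.by_program:
            return self.doc_counts[behavior] / self.program_total
        return self.behavior_counts[behavior] / self.behavior_total

    def idf(self, behavior):
        """IDF(i) = log(1 / frequency) = log(D / D_Wi); 0 when frequency is 1."""
        return math.log(1.0 / self.frequency(behavior))

    def weight(self, behavior, mode):
        return self.frequency(behavior) if mode == "frequency" else self.idf(behavior)

    def weights(self, mode):
        """Recompute every sample's weight (the 'recalculate' step of the update)."""
        return {b: self.weight(b, mode) for b in self.behavior_counts}

    def is_non_characteristic(self, behavior, mode, threshold):
        """Steps S203/S204 (frequency) or S403/S404 (IDF): is the weight in range?"""
        if behavior not in self.behavior_counts:
            return False  # no identical sample in the library: keep (S205/S405)
        if mode == "frequency":
            return self.frequency(behavior) > threshold  # threshold = lower limit
        if mode == "idf":
            return self.idf(behavior) < threshold        # threshold = upper limit
        raise ValueError("mode must be 'frequency' or 'idf'")

    def filter_trace(self, trace, mode, threshold, update=True):
        """Keep the characteristic behaviors of one program; optionally update
        the library afterwards so this trace does not influence its own decisions."""
        kept = [b for b in trace if not self.is_non_characteristic(b, mode, threshold)]
        if update:
            self.add_program_sample(trace)
        return kept


# Constructed behavior samples from four program samples (not real data).
PROGRAM_SAMPLES = [
    ["load_dll:kernel32", "create_file:temp", "read_registry:version"],
    ["load_dll:kernel32", "create_file:temp", "write_registry:run_key"],
    ["load_dll:kernel32", "read_registry:version", "open_process:explorer"],
    ["load_dll:kernel32", "create_file:temp", "create_remote_thread"],
]

if __name__ == "__main__":
    lib = BehaviorSampleLibrary(PROGRAM_SAMPLES)
    trace = ["load_dll:kernel32", "create_file:temp", "inject:new_behavior"]
    print("kept:", lib.filter_trace(trace, "idf", threshold=1.2))
    print("D after update:", lib.behavior_total)
```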
The above-described embodiments of the present invention do not limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the claims of the present invention.

Claims (12)

1. the method for the behavior of a filter is characterized in that, may further comprise the steps:
Step S1, structure behavior sample storehouse, described behavior sample storehouse comprise the weight that the frequency of occurrences based on this kind behavior sample of behavior sample from some program sample collections, each behavior sample is calculated;
Step S2, obtain pending program behavior, judge whether described behavior sample storehouse exists the behavior sample identical with described program behavior,, just keep described program behavior if there be not the behavior sample identical with described program behavior in described behavior sample storehouse; If described behavior sample stock at the behavior sample identical with described program behavior, just judges whether the weight of described behavior sample falls into default filtration threshold range, just filter out described program behavior if fall into, otherwise, just keep described program behavior,
In described behavior sample storehouse, the frequency of occurrences of each behavior sample is the ratio that the total amount of the quantity of program sample of this kind behavior sample and all program samples occurs, or the occurrence number of this kind behavior sample in all program samples and the ratio of the behavior sample total amount that comprises of all program samples; The weight of behavior sample is the frequency of occurrences of this kind behavior sample;
The step whether described weight of judging behavior sample falls into default filtration threshold range is specially: if the frequency of occurrences of described behavior sample just is judged to be and falls into described default filtration threshold range greater than default filtration threshold value lower limit.
2. the method for the behavior of filter according to claim 1, it is characterized in that: described behavior sample storehouse also comprises the total amount of all program samples, the total amount of all behavior samples;
Described method also comprises upgrades described behavior sample storehouse, described renewal behavior sample storehouse comprises: if there be not the behavior sample identical with described program behavior in the behavior sample storehouse described in the step S2, then after step S2, described program behavior is added in the described behavior sample storehouse as new behavior sample, upgrade the program sample in described behavior sample storehouse total amount, behavior sample total amount and recomputate the weight of each behavior sample.
3. the method for the behavior of filter according to claim 2, it is characterized in that, described renewal behavior sample storehouse also comprises: if the behavior sample stock is at the behavior sample identical with described program behavior described in the step S2, then after step S2, upgrade the program sample in described behavior sample storehouse total amount, behavior sample total amount and recomputate the weight of each behavior sample.
4. the method for the behavior of a filter is characterized in that, may further comprise the steps:
Step S1, structure behavior sample storehouse, described behavior sample storehouse comprise the weight that the frequency of occurrences based on this kind behavior sample of behavior sample from some program sample collections, each behavior sample is calculated;
Step S2, obtain pending program behavior, judge whether described behavior sample storehouse exists the behavior sample identical with described program behavior,, just keep described program behavior if there be not the behavior sample identical with described program behavior in described behavior sample storehouse; If described behavior sample stock at the behavior sample identical with described program behavior, just judges whether the weight of described behavior sample falls into default filtration threshold range, just filter out described program behavior if fall into, otherwise, just keep described program behavior,
In described behavior sample storehouse, the frequency of occurrences of each behavior sample is the ratio that the total amount of the quantity of program sample of this kind behavior sample and all program samples occurs, or the occurrence number of this kind behavior sample in all program samples and the ratio of the behavior sample total amount that comprises of all program samples; The weight of behavior sample is the inverse document frequency of this kind behavior sample, and the inverse document frequency of behavior sample equals the logarithm of inverse of the frequency of occurrences of this kind behavior sample;
The step whether described weight of judging behavior sample falls into default filtration threshold range is specially: if the inverse document frequency of described behavior sample just is judged to be and falls into described default filtration threshold range less than default filtration upper threshold.
5. the method for the behavior of filter according to claim 4, it is characterized in that: described behavior sample storehouse also comprises the total amount of all program samples, the total amount of all behavior samples;
Described method also comprises upgrades described behavior sample storehouse, described renewal behavior sample storehouse comprises: if there be not the behavior sample identical with described program behavior in the behavior sample storehouse described in the step S2, then after step S2, described program behavior is added in the described behavior sample storehouse as new behavior sample, upgrade the program sample in described behavior sample storehouse total amount, behavior sample total amount and recomputate the weight of each behavior sample.
6. the method for the behavior of filter according to claim 5, it is characterized in that, described renewal behavior sample storehouse also comprises: if the behavior sample stock is at the behavior sample identical with described program behavior described in the step S2, then after step S2, upgrade the program sample in described behavior sample storehouse total amount, behavior sample total amount and recomputate the weight of each behavior sample.
7. the method for the behavior of a watchdog routine comprises: step S0: the program behavior of collecting monitored program; Step S4: analyze and monitor described program behavior; It is characterized in that, between described step S0 and step S4, further comprising the steps of:
Step S1, structure behavior sample storehouse, described behavior sample storehouse comprise the weight that the frequency of occurrences based on this kind behavior sample of behavior sample from some program sample collections, each behavior sample is calculated;
Step S2, obtain the program behavior of described monitored program, judge whether described behavior sample storehouse exists the behavior sample identical with described program behavior, if there be not the behavior sample identical with described program behavior in described behavior sample storehouse, just keep described program behavior; If described behavior sample stock at the behavior sample identical with described program behavior, just judges whether the weight of described behavior sample falls into default filtration threshold range, just filter out described program behavior if fall into, otherwise, just keep described program behavior,
In described behavior sample storehouse, the frequency of occurrences of each behavior sample is the ratio that the total amount of the quantity of program sample of this kind behavior sample and all program samples occurs, or the occurrence number of this kind behavior sample in all program samples and the ratio of the behavior sample total amount that comprises of all program samples; The weight of behavior sample is the frequency of occurrences of this kind behavior sample;
The step whether described weight of judging behavior sample falls into default filtration threshold range is specially: if the frequency of occurrences of described behavior sample just is judged to be and falls into described default filtration threshold range greater than default filtration threshold value lower limit.
8. the method for the behavior of watchdog routine according to claim 7, it is characterized in that: described behavior sample storehouse also comprises the total amount of all program samples, the total amount of all behavior samples;
Described method also comprises upgrades described behavior sample storehouse, described renewal comprises: if there be not the behavior sample identical with described program behavior in the behavior sample storehouse described in the step S2, then after step S2, described program behavior is added in the described behavior sample storehouse as new behavior sample, upgrade the program sample in described behavior sample storehouse total amount, behavior sample total amount and recomputate the weight of each behavior sample.
9. the method for the behavior of watchdog routine according to claim 8, it is characterized in that, described renewal also comprises: if the behavior sample stock is at the behavior sample identical with described program behavior described in the step S2, then after step S2, upgrade the program sample in described behavior sample storehouse total amount, behavior sample total amount and recomputate the weight of each behavior sample.
10. the method for the behavior of a watchdog routine comprises: step S0: the program behavior of collecting monitored program; Step S4: analyze and monitor described program behavior; It is characterized in that, between described step S0 and step S4, further comprising the steps of:
Step S1, structure behavior sample storehouse, described behavior sample storehouse comprise the weight that the frequency of occurrences based on this kind behavior sample of behavior sample from some program sample collections, each behavior sample is calculated;
Step S2, obtain the program behavior of described monitored program, judge whether described behavior sample storehouse exists the behavior sample identical with described program behavior, if there be not the behavior sample identical with described program behavior in described behavior sample storehouse, just keep described program behavior; If described behavior sample stock at the behavior sample identical with described program behavior, just judges whether the weight of described behavior sample falls into default filtration threshold range, just filter out described program behavior if fall into, otherwise, just keep described program behavior,
In described behavior sample storehouse, the frequency of occurrences of each behavior sample is the ratio that the total amount of the quantity of program sample of this kind behavior sample and all program samples occurs, or the occurrence number of this kind behavior sample in all program samples and the ratio of the behavior sample total amount that comprises of all program samples; The weight of behavior sample is the inverse document frequency of this kind behavior sample, and the inverse document frequency of behavior sample equals the logarithm of inverse of the frequency of occurrences of this kind behavior sample;
The step whether described weight of judging behavior sample falls into default filtration threshold range is specially: if the inverse document frequency of described behavior sample just is judged to be and falls into described default filtration threshold range less than default filtration upper threshold.
11. the method for the behavior of watchdog routine according to claim 10 is characterized in that: described behavior sample storehouse also comprises the total amount of all program samples, the total amount of all behavior samples;
Described method also comprises upgrades described behavior sample storehouse, described renewal comprises: if there be not the behavior sample identical with described program behavior in the behavior sample storehouse described in the step S2, then after step S2, described program behavior is added in the described behavior sample storehouse as new behavior sample, upgrade the program sample in described behavior sample storehouse total amount, behavior sample total amount and recomputate the weight of each behavior sample.
12. the method for the behavior of watchdog routine according to claim 11, it is characterized in that, described renewal also comprises: if the behavior sample stock is at the behavior sample identical with described program behavior described in the step S2, then after step S2, upgrade the program sample in described behavior sample storehouse total amount, behavior sample total amount and recomputate the weight of each behavior sample.
CN2008100300015A 2008-08-05 2008-08-05 Method for filtering and monitoring behavior of program Active CN101645125B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN2008100300015A CN101645125B (en) 2008-08-05 2008-08-05 Method for filtering and monitoring behavior of program
PCT/CN2009/000871 WO2010015145A1 (en) 2008-08-05 2009-08-04 Method and system for filtering and monitoring program behaviors
JP2011521424A JP5370486B2 (en) 2008-08-05 2009-08-04 Method and system for filtering and monitoring program behavior

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008100300015A CN101645125B (en) 2008-08-05 2008-08-05 Method for filtering and monitoring behavior of program

Publications (2)

Publication Number Publication Date
CN101645125A CN101645125A (en) 2010-02-10
CN101645125B true CN101645125B (en) 2011-07-20

Family

ID=41657008

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008100300015A Active CN101645125B (en) 2008-08-05 2008-08-05 Method for filtering and monitoring behavior of program

Country Status (3)

Country Link
JP (1) JP5370486B2 (en)
CN (1) CN101645125B (en)
WO (1) WO2010015145A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103106366B (en) * 2010-08-18 2016-05-04 北京奇虎科技有限公司 A kind of sample database dynamic maintaining method based on cloud
CN101923617B (en) * 2010-08-18 2013-03-20 北京奇虎科技有限公司 Cloud-based sample database dynamic maintaining method
CN101984450B (en) * 2010-12-15 2012-10-24 北京安天电子设备有限公司 Malicious code detection method and system
CN102831153B (en) * 2012-06-28 2015-09-30 北京奇虎科技有限公司 A kind of method and apparatus choosing sample
CN103902894B (en) * 2012-12-24 2017-12-22 珠海市君天电子科技有限公司 Virus defense method and system based on user behavior differentiation
JP6711000B2 (en) * 2016-02-12 2020-06-17 日本電気株式会社 Information processing apparatus, virus detection method, and program
CN111249691B (en) * 2018-11-30 2021-11-23 百度在线网络技术(北京)有限公司 Athlete training method and system based on body shape recognition
CN110415828B (en) * 2019-06-21 2023-03-31 深圳壹账通智能科技有限公司 Pre-detection information interaction method based on data analysis and related equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1421771A (en) * 2001-11-27 2003-06-04 四川安盟科技有限责任公司 Guard system to defend network invansion of unkown attack trick effectively
CN1859398A (en) * 2006-01-05 2006-11-08 珠海金山软件股份有限公司 System and method for reverse network fishing

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH09171460A (en) * 1995-12-20 1997-06-30 Hitachi Ltd Diagnostic system for computer
JP3844193B2 (en) * 2001-01-24 2006-11-08 Kddi株式会社 Information automatic filtering method, information automatic filtering system, and information automatic filtering program
JP3992136B2 (en) * 2001-12-17 2007-10-17 学校法人金沢工業大学 Virus detection method and apparatus
GB2400197B (en) * 2003-04-03 2006-04-12 Messagelabs Ltd System for and method of detecting malware in macros and executable scripts
ES2423491T3 (en) * 2003-11-12 2013-09-20 The Trustees Of Columbia University In The City Of New York Apparatus, procedure and means for detecting a payload anomaly using the distribution in normal data n-grams
US20050262058A1 (en) * 2004-05-24 2005-11-24 Microsoft Corporation Query to task mapping
US8516583B2 (en) * 2005-03-31 2013-08-20 Microsoft Corporation Aggregating the knowledge base of computer systems to proactively protect a computer from malware
WO2007069337A1 (en) * 2005-12-15 2007-06-21 Netstar, Inc. Improper communication program restriction system and program

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1421771A (en) * 2001-11-27 2003-06-04 四川安盟科技有限责任公司 Guard system to defend network invansion of unkown attack trick effectively
CN1859398A (en) * 2006-01-05 2006-11-08 珠海金山软件股份有限公司 System and method for reverse network fishing

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JP特开2004-62416A 2004.02.26
Wang Bin. Research on anomaly detection of Windows registry access based on Bayesian methods. Modern Electronics Technique. 2007, see page 86 paragraph 2 to page 88 paragraph 3, Tables 1-2, Fig. 1. *

Also Published As

Publication number Publication date
JP5370486B2 (en) 2013-12-18
JP2011530121A (en) 2011-12-15
WO2010015145A1 (en) 2010-02-11
CN101645125A (en) 2010-02-10


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: KINGSOFT CORPORATION LIMITED

Free format text: FORMER OWNER: ZHUHAI KINGSOFT SOFTWARE CO., LTD.

Effective date: 20140904

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 519015 ZHUHAI, GUANGDONG PROVINCE TO: 100085 HAIDIAN, BEIJING

TR01 Transfer of patent right

Effective date of registration: 20140904

Address after: Kingsoft No. 33 building, 100085 Beijing city Haidian District Xiaoying Road

Patentee after: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

Address before: Jinshan computer Building No. 8 Jingshan Hill Road, Lane 519015 Zhuhai Jida Lianshan Guangdong city of Zhuhai Province

Patentee before: Zhuhai Kingsoft Software Co.,Ltd.

EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20100210

Assignee: Zhuhai Kingsoft Software Co.,Ltd.

Assignor: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

Contract record no.: 2014990000778

Denomination of invention: Method for filtering and monitoring behavior of program

Granted publication date: 20110720

License type: Common License

Record date: 20140926

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model