CN104899511A - Program behavior algorithm based active defense method - Google Patents
- Publication number: CN104899511A (application CN201510262180.5A)
- Authority
- CN
- China
- Prior art keywords
- behavior
- program
- malicious act
- file
- malicious
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The present invention discloses an active defense method based on a program behavior algorithm, comprising the following steps: S1, when a malicious program behavior triggers a malicious-behavior sensing point on an API interface of the system, actively sensing the malicious program behavior and modeling it, wherein the malicious program behaviors comprise traversing files on the hard disk, modifying file attributes, terminating system processes and hook behavior; S2, identifying the malicious program behavior, judging it to be a single malicious behavior or a malicious behavior sequence, and processing it accordingly. The behavior algorithm employed in the present invention provides the capability to counter unknown attacks: it senses, identifies and processes the behavior and the behavior objectives of a program in real time, thereby protecting hosts and servers in real time from viruses, Trojans and hacker attacks and satisfying the requirement of countering attacks as they happen.
Description
Technical field
The present invention relates to an active defense method based on a program behavior algorithm.
Background technology
Operating systems expose a rich set of system API interfaces, which give upper-level applications access to system resources and allow all kinds of functional software to be developed. Program behavior refers to the access operations a program performs on operating-system resources such as the file system, registry, memory, kernel, network, services and processes. Although antivirus software is widely deployed in the consumer and enterprise markets, with the number of virus variants now rising sharply this passive protection mechanism is outdated and cannot meet growing security demands. It is not only that the existing self-protection approach no longer works; the whole theory behind the antivirus industry has failed.
A recent study carried out jointly by the California data security firm Imperva and the Israel Institute of Technology (Technion) confirms this point. Imperva CTO Amichai Shulman and his researchers collected and analysed 82 new computer viruses and tested them against 40 traditional antivirus products. Although most of these products came from Microsoft, Symantec, McAfee and Kaspersky, their initial detection rate was below 5%.
This stems from the inherent passivity of antivirus products: the signature process takes at least several hours and at its longest can even take years. For example, Kaspersky discovered the Flame virus in May 2012; this is a complex virus that had begun stealing computer data about five years earlier.
Therefore a defense method that can defend against unknown attacks in real time is needed.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing an active defense method based on a program behavior algorithm. Employing a behavior algorithm provides the capability to defend against unknown attacks in real time: the behavior and behavior objectives of a program are sensed, identified and processed, so that hosts and servers are protected in real time from viruses, Trojans and hacker attacks, satisfying the requirement of countering an attack in real time while it is taking place.
The object of the invention is achieved through the following technical solution: an active defense method based on a program behavior algorithm, comprising the following steps:
S1: identifying the behavior and behavior objective of a program by means of the behavior algorithm; when a program behavior triggers a malicious-behavior sensing point on a system API interface, actively sensing and modeling the malicious program behavior that has this malicious-behavior objective;
The malicious program behaviors comprise the malicious behaviors of traversing disk files, modifying file attributes, accessing the registry, service operations, terminating system processes, and hook behavior;
The malicious behavior of modifying file attributes comprises setting the time of a file under a system directory, or of an executable file, to the system file time, and changing a file with no attributes into a system file or hidden file; the malicious behavior of accessing the registry comprises modifying the system's startup associations, obtaining IE proxy information, and disabling the operating system's display of hidden system files; the malicious behavior of service operations comprises creating an auto-start service, starting a service, deleting a service, and changing the state of a service; the malicious behavior of terminating system processes comprises terminating a process the system is running;
The behavior objectives comprise destruction, control, information theft, resource consumption, infiltration and deception;
Algorithmic identification is used only for identifying complex behaviors;
S2: identifying the malicious program behavior, judging it to be a single malicious behavior or a malicious behavior sequence, and processing it accordingly, that is, deciding whether to intercept the program behavior, stop the program from executing, or clean up the program:
(1) if what is triggered is a single malicious behavior, the user is prompted as to whether this malicious program behavior needs to be blocked;
(2) if what is triggered is a malicious behavior sequence, the malicious program behavior is blocked.
The corresponding processing in step S2 comprises intelligent behavior handling and behavior-based defense hardening.
The modeling comprises rule modeling of a single behavior and rule modeling of a behavior sequence composed of multiple behaviors.
The rule model of a single behavior has the form: behavior::behavior description::threat level <function name, parameter 1, parameter value feature, ..., parameter m, parameter value feature>;
The rule model of a behavior sequence composed of multiple behaviors has the form: behavior sequence::behavior description::threat level <behavior 1><behavior 2>...<behavior n>;
where m is the number of parameters of the function and n is the number of behaviors the sequence comprises; the threat level represents malicious programs of different ranks; a parameter value feature is the concrete value the parameter takes when the corresponding function call behavior appears malicious.
The malicious behavior of modifying file attributes comprises setting the time of a file under a system directory, or of an executable file, to the system file time, and changing a file with no attributes into a system file or hidden file.
The malicious behavior of accessing the registry comprises modifying the system's startup associations, obtaining IE proxy information, and disabling the operating system's display of hidden system files.
The malicious behavior of service operations comprises creating an auto-start service, starting a service, deleting a service, and changing the state of a service.
The malicious behavior of terminating system processes comprises terminating a process the system is running.
The active defense method based on a program behavior algorithm further comprises a step of collecting and displaying malicious program behavior data: the time, location, attack means, attack target and attack effect of the malicious program behavior are collected and displayed.
The beneficial effects of the invention are: (1) by adopting a behavior algorithm, the present invention can defend against unknown attacks in real time; the behavior and behavior objectives of a program are sensed, identified and processed, so that hosts and servers are protected in real time from viruses, Trojans and hacker attacks, satisfying the requirement of countering an attack in real time while it is taking place; (2) a defense system using the method can be deployed on the servers that are attack targets and on user PCs that may become attacked sites; the client handles security incidents directly and only reports the results to the console, which avoids the problem of the console leaking secrets.
Accompanying drawing explanation
Fig. 1 is a flowchart of the method of the invention.
Embodiment
The technical solution of the present invention is described in further detail below with reference to the accompanying drawing. As shown in Fig. 1, an active defense method based on a program behavior algorithm comprises the following steps:
S1: at the system API interface, actively sensing and modeling malicious program behavior;
The malicious program behaviors comprise the malicious behaviors of traversing disk files, modifying file attributes, accessing the registry, service operations, terminating system processes, and hook behavior;
S2: identifying the malicious program behavior, judging it to be a single malicious behavior or a malicious behavior sequence, and processing it accordingly, that is, deciding whether to intercept the program behavior, stop the program from executing, or clean up the program:
(1) if what is triggered is a single malicious behavior, the user is prompted as to whether this malicious program behavior needs to be blocked;
(2) if what is triggered is a malicious behavior sequence, the malicious program behavior is blocked:
That is, when a malicious program continuously triggers malicious behaviors on the system API interface, triggering malicious behavior 1, malicious behavior 2, malicious behavior 3 and malicious behavior 5 in succession, this is judged to be a malicious behavior sequence and the malicious program behavior is blocked.
The corresponding processing in step S2 comprises intelligent behavior handling and behavior-based defense hardening.
A complex objective is accomplished through behaviors. In general there are six categories: 1. attacks aimed at destruction; 2. attacks aimed at control; 3. attacks aimed at information theft; 4. attacks aimed at resource consumption; 5. attacks aimed at infiltration; 6. attacks aimed at deception. Different objectives are carried out with correspondingly different behaviors. For example, a destructive attack involves file-destroying behavior, behavior that destroys system functions, and behavior that destroys network functions. An attack aimed at infiltration, if carried out through the web, may involve injection behavior such as SQL injection, system command injection and script injection, and may also involve behavior that attacks accounts, such as account cracking, session hijacking and session forgery.
Algorithmic identification is used only for identifying complex behaviors.
The modeling comprises rule modeling of a single behavior and rule modeling of a behavior sequence composed of multiple behaviors.
The rule model of a single behavior has the form: behavior::behavior description::threat level <function name, parameter 1, parameter value feature, ..., parameter m, parameter value feature>;
The rule model of a behavior sequence composed of multiple behaviors has the form: behavior sequence::behavior description::threat level <behavior 1><behavior 2>...<behavior n>;
where m is the number of parameters of the function and n is the number of behaviors the sequence comprises; the threat level has four grades, namely low, medium, higher and high, representing malicious programs of different ranks; a parameter value feature is the concrete value the parameter takes when the corresponding function call behavior appears malicious.
In the present embodiment, the modeling of the malicious behavior of traversing disk files covers three cases:
(1) behavior::locate file::medium <FindNextFile, parameter 1, "*.*">;
(2) behavior::locate file::medium <FindNextFile, parameter 0, NULL>;
(3) behavior sequence::traverse all disk files::higher <CreateFile><WriteFile>.
Here parameter 0 means that no parameter information of the behavior needs to be analysed, and the corresponding parameter value feature is set to NULL.
The malicious behavior of modifying file attributes comprises setting the time of a file under a system directory, or of an executable file, to the system file time, and changing a file with no attributes into a system file or hidden file;
Setting the time of a file under a system directory, or of an executable file, to the system file time is modeled as:
behavior::modify file time::medium <SetFileTime, parameter 1, "exe, scr, pif, com, bat, inf" | "%system", parameter 2, "system file time", parameter 3, "system file time", parameter 4, "system file time">.
Changing a file with no attributes into a system file or hidden file is modeled as:
behavior::modify file attribute::medium <SetFileAttribute, parameter 1, "exe, scr, pif, com, bat, inf" | "%system", parameter 2, "FILE_ATTRIBUTE_HIDDEN|SYSTEM">.
The malicious behavior of accessing the registry comprises modifying the system's startup associations, obtaining IE proxy information, and disabling the operating system's display of hidden system files.
Modifying the system's startup associations is modeled as:
behavior::modify system startup association::medium <RegCreateKey, parameter 1, "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion", parameter 2, "Run", parameter 9, "REG_CREATED_NEW_KEY|REG_OPENED_EXISTING_KEY">.
Obtaining IE proxy information is modeled as:
behavior::obtain IE proxy information::medium <RegQueryValueEx, parameter 1, "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings", parameter 2, "ProxyServer" | "ProxyEnable">.
Disabling the operating system's display of hidden system files is modeled as:
behavior::forbid display of hidden system files::higher <RegSetValueEx, parameter 1, "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", parameter 2, "CheckedValue", parameter 5, 0x00>.
The malicious behavior of service operations comprises creating an auto-start service, starting a service, deleting a service, and changing the state of a service.
Creating an auto-start service is modeled as:
behavior::create auto-start service::medium <CreateService, parameter 5, "SERVICE_WIN32_OWN_PROCESS|KERNEL_DRIVER|WIN32_SHARE_PROCESS", parameter 6, "SERVICE_SYSTEM_START|AUTO_START|DEMAND_START", parameter 8, "%system32%" | "services such as kavsvc, AVP, ccProxy">.
Starting a service is modeled as:
behavior::start service::medium <StartService, parameter 1, 0>.
Deleting a service is modeled as:
behavior::delete service::medium <DeleteService, parameter 1, "%system32%" | "services such as kavsvc, AVP, ccProxy">.
Changing the state of a service is modeled as:
behavior::control service state::medium <ControlService, parameter 1, "%system32%" | "services such as kavsvc, AVP, ccProxy", parameter 1, "SERVICE_CONTROL_STOP|CONTROL_PAUSE|CONTROL_CONTINUE">.
The malicious behavior of terminating system processes comprises terminating a process the system is running.
Terminating a process the system is running is modeled as:
behavior::terminate system process::medium <TerminateProcess, parameter 1, "processes such as Mcshield.exe|scan32.exe|naPrdMgr.exe">.
Hook behavior is modeled as:
behavior::hook behavior::higher <SetWindowsHookEx, parameter 1, WH_KEYBOARD>.
The active defense method based on a program behavior algorithm further comprises a step of collecting and displaying malicious program behavior data: the time, location, attack means, attack target and attack effect of the malicious program behavior are collected and displayed.
By adopting the adaptive multidimensional function Y = k*f(X1, X2, ..., Xn) as the behavior algorithm model, where Xn is the risk weight of a given behavior of the program as determined by the program behavior algorithm, k is the risk coefficient of the program's category, and Y is the risk value of the whole program, the model analyses the logical relations between program behaviors, determines the legitimacy of the program's behavior, and achieves automatic identification of and active defense against malicious code.
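As an added illustration (not code from the patent), here is a small Python rule engine that parses rules written in the notation above, senses a constructed trace of hooked API calls (step S1), decides between prompting and blocking (step S2), and evaluates Y = k*f(X1, ..., Xn) with f taken as a plain sum. The numeric weights for the four threat grades, the matching of a comma list by file extension, and the sequence rule <locate file><modify file time> are assumptions not given on the page.

```python
import fnmatch
import re
from dataclasses import dataclass

# Assumed numeric weights for the four threat grades; the page names the grades but gives no numbers.
THREAT_WEIGHT = {"low": 1, "medium": 2, "higher": 3, "high": 4}

# Rules in the page's notation: the single rules follow the description, the sequence rule is constructed.
RULE_TEXT = """
behavior::locate file::medium <FindNextFile, parameter 1, "*.*">
behavior::modify file time::medium <SetFileTime, parameter 1, "exe,scr,pif,com,bat,inf">
behavior::forbid display of hidden system files::higher <RegSetValueEx, parameter 2, "CheckedValue", parameter 5, "0">
behavior::hook behavior::higher <SetWindowsHookEx, parameter 1, "WH_KEYBOARD">
behavior sequence::traverse all disk files::higher <locate file><modify file time>
"""

@dataclass
class Rule:
    kind: str             # "behavior" or "behavior sequence"
    desc: str             # behavior description
    level: str            # threat level: low / medium / higher / high
    func: str = ""        # single rule: API name at the sensing point
    features: tuple = ()  # single rule: ((parameter index, value feature), ...)
    steps: tuple = ()     # sequence rule: behavior descriptions in order

RULE_RE = re.compile(r"^(behavior sequence|behavior)::(.+?)::(\w+)\s*<(.*)>$")

def parse_rule(text):
    """Parse one 'kind::description::level <...>' line into a Rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    kind, desc, level, body = m.groups()
    if kind == "behavior sequence":
        # body reads 'locate file><modify file time' once the outer <> are stripped
        return Rule(kind, desc, level, steps=tuple(s.strip() for s in body.split("><")))
    # quoted value features may contain commas, so only split on commas outside quotes
    tokens = [t.strip().strip('"') for t in re.findall(r'\s*("[^"]*"|[^,]+)', body)]
    func, rest = tokens[0], tokens[1:]
    features = tuple((int(p.split()[1]), v) for p, v in zip(rest[::2], rest[1::2]))
    return Rule(kind, desc, level, func=func, features=features)

def feature_matches(feature, value):
    """A comma list such as 'exe,scr,pif' matches by file extension; anything else is a glob."""
    value = str(value)
    if "," in feature:
        return value.lower().rsplit(".", 1)[-1] in [t.strip() for t in feature.split(",")]
    return fnmatch.fnmatchcase(value, feature)

class BehaviorEngine:
    """S1 senses hooked API calls against single-behavior rules; S2 decides prompt or block."""
    def __init__(self, rules, k=1.0):
        self.singles = [r for r in rules if r.kind == "behavior"]
        self.sequences = [r for r in rules if r.kind == "behavior sequence"]
        self.k = k            # program-category risk coefficient from Y = k*f(X1..Xn)
        self.triggered = []   # single behaviors triggered so far, in order

    def sense(self, func, params):
        """Step S1: match one API call given as (name, {parameter index: value})."""
        return [r for r in self.singles if r.func == func and
                all(i in params and feature_matches(f, params[i]) for i, f in r.features)]

    def decide(self, func, params):
        """Step S2: 'prompt' on a single behavior, 'block' once a behavior sequence completes."""
        hits = self.sense(func, params)
        self.triggered.extend(hits)
        seen = [r.desc for r in self.triggered]
        for seq in self.sequences:
            it = iter(seen)
            if all(step in it for step in seq.steps):  # steps occur in order, gaps allowed
                return "block", seq.desc
        if hits:
            return "prompt", hits[0].desc
        return "allow", None

    def risk(self):
        """Y = k*f(X1..Xn), with f taken here as the sum of threat weights (an assumption)."""
        return self.k * sum(THREAT_WEIGHT[r.level] for r in self.triggered)

RULES = [parse_rule(line) for line in RULE_TEXT.strip().splitlines()]

def run_demo():
    """Constructed trace: a benign open, then file enumeration, then timestamping an executable."""
    engine = BehaviorEngine(RULES, k=1.5)
    trace = [
        ("CreateFile", {1: r"C:\Users\alice\report.txt"}),
        ("FindNextFile", {1: "*.*"}),
        ("SetFileTime", {1: r"C:\Windows\system32\svch0st.exe"}),
    ]
    return [engine.decide(f, p) for f, p in trace], engine.risk()
```

The third call completes the constructed sequence, so the decision flips from the per-behavior prompt of step S2(1) to the block of step S2(2) and the accumulated risk is Y = 1.5 * (2 + 2).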
Claims (4)
1. An active defense method based on a program behavior algorithm, characterized in that it comprises the following steps:
S1: identifying the behavior and behavior objective of a program by means of the behavior algorithm; when a program behavior triggers a malicious-behavior sensing point on a system API interface, actively sensing and modeling the malicious program behavior that has this malicious-behavior objective;
The malicious program behaviors comprise the malicious behaviors of traversing disk files, modifying file attributes, accessing the registry, service operations, terminating system processes, and hook behavior;
The malicious behavior of modifying file attributes comprises setting the time of a file under a system directory, or of an executable file, to the system file time, and changing a file with no attributes into a system file or hidden file; the malicious behavior of accessing the registry comprises modifying the system's startup associations, obtaining IE proxy information, and disabling the operating system's display of hidden system files; the malicious behavior of service operations comprises creating an auto-start service, starting a service, deleting a service, and changing the state of a service; the malicious behavior of terminating system processes comprises terminating a process the system is running;
The behavior objectives comprise destruction, control, information theft, resource consumption, infiltration and deception;
Algorithmic identification is used only for identifying complex behaviors;
S2: identifying the malicious program behavior, judging it to be a single malicious behavior or a malicious behavior sequence, and processing it accordingly, that is, deciding whether to intercept the program behavior, stop the program from executing, or clean up the program.
2. The active defense method based on a program behavior algorithm according to claim 1, characterized in that the modeling comprises rule modeling of a single behavior and rule modeling of a behavior sequence composed of multiple behaviors,
the rule model of a single behavior having the form: behavior::behavior description::threat level <function name, parameter 1, parameter value feature, ..., parameter m, parameter value feature>;
the rule model of a behavior sequence composed of multiple behaviors having the form: behavior sequence::behavior description::threat level <behavior 1><behavior 2>...<behavior n>;
where m is the number of parameters of the function and n is the number of behaviors the sequence comprises; the threat level represents malicious programs of different ranks; a parameter value feature is the concrete value the parameter takes when the corresponding function call behavior appears malicious.
3. The active defense method based on a program behavior algorithm according to claim 1, characterized in that the corresponding processing in step S2 comprises intelligent behavior handling and behavior-based defense hardening.
4. The active defense method based on a program behavior algorithm according to claim 1, characterized in that it further comprises a step of collecting and displaying malicious program behavior data: the time, location, attack means, attack target and attack effect of the malicious program behavior are collected and displayed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510262180.5A CN104899511B (en) | 2015-05-21 | 2015-05-21 | Active defense method based on a program behavior algorithm |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104899511A true CN104899511A (en) | 2015-09-09 |
CN104899511B CN104899511B (en) | 2018-01-19 |
Family
ID=54032171
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510262180.5A Active CN104899511B (en) | 2015-05-21 | 2015-05-21 | Active defense method based on a program behavior algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104899511B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106096397A (en) * | 2016-05-26 | 2016-11-09 | Ni Maozhi | Ransomware prevention method and system |
CN106650436A (en) * | 2016-12-29 | 2017-05-10 | Beijing Qihoo Technology Co., Ltd. | Security detection method and device based on a local area network |
WO2017185827A1 (en) * | 2016-04-26 | 2017-11-02 | Huawei Technologies Co., Ltd. | Method and apparatus for determining suspicious activity of an application program |
CN109271787A (en) * | 2018-07-03 | 2019-01-25 | China UnionPay Co., Ltd. | Operating system security active defense method and operating system |
CN109711171A (en) * | 2018-05-04 | 2019-05-03 | 360 Enterprise Security Technology (Zhuhai) Co., Ltd. | Method, device, system, storage medium and electronic device for locating software vulnerabilities |
CN110619214A (en) * | 2019-08-15 | 2019-12-27 | Suzhou Inspur Intelligent Technology Co., Ltd. | Method and device for monitoring normal operation of software |
CN111079146A (en) * | 2019-12-10 | 2020-04-28 | Suzhou Inspur Intelligent Technology Co., Ltd. | Malicious software processing method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6775780B1 (en) * | 2000-03-16 | 2004-08-10 | Networks Associates Technology, Inc. | Detecting malicious software by analyzing patterns of system calls generated during emulation |
CN1648869A (en) * | 2004-01-19 | 2005-08-03 | PLA University of Science and Technology | Action control method based on LSM programme |
US20050187740A1 (en) * | 2004-02-20 | 2005-08-25 | Marinescu Adrian M. | System and method for proactive computer virus protection |
CN1818857A (en) * | 2005-02-07 | 2006-08-16 | Fujian Dongfang Weidian Information Security Co., Ltd. | Method and system for identifying computer programs |
Non-Patent Citations (1)
Title |
---|
Zou Hang: "Design and Implementation of a Cloud-Based Active Defense System for Malicious Code", Journal of Chongqing University of Technology * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017185827A1 (en) * | 2016-04-26 | 2017-11-02 | Huawei Technologies Co., Ltd. | Method and apparatus for determining suspicious activity of an application program |
CN107315952A (en) * | 2016-04-26 | 2017-11-03 | Huawei Technologies Co., Ltd. | Method and apparatus for determining suspicious behavior of an application program |
CN106096397A (en) * | 2016-05-26 | 2016-11-09 | Ni Maozhi | Ransomware prevention method and system |
CN106096397B (en) * | 2016-05-26 | 2019-05-28 | Ni Maozhi | Ransomware prevention method and system |
CN106650436A (en) * | 2016-12-29 | 2017-05-10 | Beijing Qihoo Technology Co., Ltd. | Security detection method and device based on a local area network |
CN106650436B (en) * | 2016-12-29 | 2019-09-27 | Beijing Qihoo Technology Co., Ltd. | Security detection method and device based on a local area network |
CN109711171A (en) * | 2018-05-04 | 2019-05-03 | 360 Enterprise Security Technology (Zhuhai) Co., Ltd. | Method, device, system, storage medium and electronic device for locating software vulnerabilities |
CN109271787A (en) * | 2018-07-03 | 2019-01-25 | China UnionPay Co., Ltd. | Operating system security active defense method and operating system |
CN110619214A (en) * | 2019-08-15 | 2019-12-27 | Suzhou Inspur Intelligent Technology Co., Ltd. | Method and device for monitoring normal operation of software |
CN111079146A (en) * | 2019-12-10 | 2020-04-28 | Suzhou Inspur Intelligent Technology Co., Ltd. | Malicious software processing method and device |
Also Published As
Publication number | Publication date |
---|---|
CN104899511B (en) | 2018-01-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11657152B2 (en) | Methods for behavioral detection and prevention of cyberattacks, and related apparatus and techniques | |
CN104899511A (en) | Program behavior algorithm based active defense method | |
EP3430557B1 (en) | System and method for reverse command shell detection | |
Javaheri et al. | Detection and elimination of spyware and ransomware by intercepting kernel-level system routines | |
CN106796639B (en) | Data mining algorithms for trusted execution environments | |
Wang et al. | Detecting stealth software with strider ghostbuster | |
US8397292B2 (en) | Method and device for online secure logging-on | |
US9183377B1 (en) | Unauthorized account monitoring system and method | |
US20120324575A1 (en) | System, Method, Program, and Recording Medium for Detecting and Blocking Unwanted Programs in Real Time Based on Process Behavior Analysis and Recording Medium for Storing Program | |
US20100306851A1 (en) | Method and apparatus for preventing a vulnerability of a web browser from being exploited | |
WO2018099206A1 (en) | Apt detection method, system, and device | |
CN113422771A (en) | Threat early warning method and system | |
CN107770125A (en) | A kind of network security emergency response method and emergency response platform | |
US7941850B1 (en) | Malware removal system and method | |
US20220417255A1 (en) | Managed detection and response system and method based on endpoints | |
Barabosch et al. | Host-based code injection attacks: A popular technique used by malware | |
Barabosch et al. | Bee master: Detecting host-based code injection attacks | |
KR101003510B1 (en) | System for Detection and Prevent of Recrudescence of Mal-Process | |
US7840958B1 (en) | Preventing spyware installation | |
US8239946B2 (en) | Methods and systems for computer security | |
CN109460658B (en) | Detection method for malicious Lesso sample | |
CN115086081B (en) | Escape prevention method and system for honeypots | |
Kono et al. | An unknown malware detection using execution registry access | |
CN103679015A (en) | Attacking control method for protecting kernel system | |
Reti et al. | Deep down the rabbit hole: On references in networks of decoy elements |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |