CN104899511B - A kind of active defense method based on program behavior algorithm - Google Patents

A kind of active defense method based on program behavior algorithm

Info

Publication number
CN104899511B
Authority
CN
China
Prior art keywords
behavior
malicious act
program
file
algorithm
Prior art date
Legal status (assumed, not a legal conclusion)
Active
Application number
CN201510262180.5A
Other languages
Chinese (zh)
Other versions
CN104899511A (en)
Inventor
晏平
赵象元
刘丁源
Current Assignee (listing may be inaccurate)
Chengdu Chinafirst Technology Co Ltd
Original Assignee
Chengdu Chinafirst Technology Co Ltd
Priority date (assumed, not a legal conclusion)
2015-05-21
Filing date
2015-05-21
Publication date
2018-01-19
2015-05-21 Application filed by Chengdu Chinafirst Technology Co Ltd
2015-05-21 Priority to CN201510262180.5A
2015-09-09 Publication of CN104899511A
Application granted
2018-01-19 Publication of CN104899511B
Status: Active
Anticipated expiration

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an active defense method based on a program behavior algorithm, comprising the following steps: S1: when malicious program behavior triggers a malicious-behavior perception point on a system API interface, the malicious program behavior is actively perceived and modeled; the malicious program behavior includes the malicious behavior of traversing disk files, modifying file attributes, accessing the registry, service activity, terminating system processes and hooking; S2: the malicious program behavior is identified, judged to be either a single malicious behavior or a malicious behavior sequence, and handled accordingly. Using the behavior algorithm, the invention achieves the ability to defend against unknown attacks in real time; by perceiving, identifying and handling program behavior and its purpose, it protects hosts and servers in real time from viruses, Trojans and hacker attacks, meeting the requirement of real-time counter-defense during an incident.

Description

A kind of active defense method based on program behavior algorithm
Technical field
The present invention relates to an active defense method based on a program behavior algorithm.
Background technology
Operating systems expose a rich set of system API interfaces that give upper-layer applications access to system resources and allow software of every kind to be developed. Program behavior refers to a program's access operations on operating-system resources such as the file system, registry, memory, kernel, network, services and processes. Although antivirus software has been widely adopted in the consumer and enterprise markets, with virus samples now multiplying rapidly this passive protection mechanism has been left behind and cannot meet the growing demand for security. It is not that existing protection approaches have stopped working; rather, the whole theory of the antivirus industry has failed.
Recent research by the California data security firm Imperva, carried out jointly with the Israel Institute of Technology, also proves this point. Imperva CTO Amichai Shulman and his researchers collected and analysed 82 new computer viruses and tested them against 40 traditional antivirus products. Although most of these products came from Microsoft, Symantec, McAfee and Kaspersky, their initial detection rate was below 5%.
The passivity of antivirus products is inherent: this process takes at least several hours and at the longest can even reach several years. For example, Kaspersky discovered the Flame virus in May 2012, a complex virus that had begun stealing computer data about five years earlier.
A defense method with the ability to defend against unknown attacks in real time is therefore needed.
Content of the invention
The object of the invention is to overcome the deficiencies of the prior art and provide an active defense method based on a program behavior algorithm. Using the behavior algorithm it achieves the ability to defend against unknown attacks in real time; by perceiving, identifying and handling program behavior and behavior purpose it protects hosts and servers in real time from viruses, Trojans and hacker attacks and meets the requirement of real-time counter-defense during an incident.
The object of the invention is achieved through the following technical solution. An active defense method based on a program behavior algorithm comprises the following steps:
S1: the behavior and behavior purpose of a program are identified by the behavior algorithm; when program behavior triggers a malicious-behavior perception point on a system API interface, the malicious program behavior carrying that malicious purpose is actively perceived and modeled;
The malicious program behavior includes the malicious behavior of traversing disk files, modifying file attributes, accessing the registry, service activity, terminating system processes and hooking;
The malicious behavior of modifying file attributes includes setting the time of files under the system directory or of executable files to the system file time, and changing a file's attributes to system or hidden; the malicious behavior of accessing the registry includes modifying the system's startup associations, obtaining IE proxy information and disabling the operating system's function for displaying hidden system files; the malicious behavior of service activity includes creating a self-starting service, starting a service, deleting a service and changing the state of a service; the malicious behavior of terminating system processes includes terminating a process the system is currently running;
The behavior purposes include destruction, control, information theft, resource consumption, penetration and deception;
Complex behavior can only be identified with the algorithm;
S2: the malicious program behavior is identified and judged to be either a single malicious behavior or a malicious behavior sequence, and corresponding handling is performed to decide whether to intercept the program behavior, terminate the executing program or clean up the program:
(1) if a single malicious behavior is triggered, the user is prompted to decide whether the malicious program behavior needs to be blocked;
(2) if a malicious behavior sequence is triggered, the malicious program behavior is blocked.
The corresponding handling in step S2 includes intelligent behavior handling and behavior defense hardening.
The modeling includes rule modeling of a single behavior and rule modeling of a behavior sequence composed of multiple behaviors;
The rule modeling form of a single behavior is: Behavior::Behavior description::Threat level<Function name 1, parameter 1, parameter value feature, ..., parameter m, parameter value feature>;
The rule modeling form of a behavior sequence composed of multiple behaviors is: Behavior sequence::Behavior description::Threat level<Behavior 1><Behavior 2>…<Behavior n>;
Here m is the number of parameters of the function and n the number of behaviors the sequence contains; the threat level represents malicious programs of different levels; the parameter value feature is the specific value the parameter takes when the corresponding function call behaves maliciously.
The malicious behavior of modifying file attributes includes setting the time of files under the system directory or of executable files to the system file time, and changing a file's attributes to system or hidden.
The malicious behavior of accessing the registry includes modifying the system's startup associations, obtaining IE proxy information and disabling the operating system's function for displaying hidden system files.
The malicious behavior of service activity includes creating a self-starting service, starting a service, deleting a service and changing the state of a service.
The malicious behavior of terminating system processes includes terminating a process the system is currently running.
The active defense method based on a program behavior algorithm also includes a step of collecting and displaying malicious program behavior data: the time, location, attack means, attack target and attack effect of the malicious program behavior are collected and displayed.
The beneficial effects of the invention are: (1) using the behavior algorithm, the invention achieves the ability to defend against unknown attacks in real time; by perceiving, identifying and handling program behavior and behavior purpose, it protects hosts and servers in real time from viruses, Trojans and hacker attacks and meets the requirement of real-time counter-defense during an incident; (2) the defense system using this method is deployed on servers that may be attack targets and on user PCs that may become attacked sites; the client handles the security incident directly and only reports the result to the console, so the problem of the console leaking secrets is avoided.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the invention.
Embodiment
The technical solution is described in further detail below with reference to the drawings. As shown in Fig. 1, an active defense method based on a program behavior algorithm comprises the following steps:
S1: at the system API interface, malicious program behavior is actively perceived and modeled;
The malicious program behavior includes the malicious behavior of traversing disk files, modifying file attributes, accessing the registry, service activity, terminating system processes and hooking;
S2: the malicious program behavior is identified and judged to be either a single malicious behavior or a malicious behavior sequence, and corresponding handling is performed to decide whether to intercept the program behavior, terminate the executing program or clean up the program:
(1) if a single malicious behavior is triggered, the user is prompted to decide whether the malicious program behavior needs to be blocked;
(2) if a malicious behavior sequence is triggered, the malicious program behavior is blocked:
that is, when a malicious program triggers malicious behaviors one after another on the system API interface, for example malicious behavior 1, malicious behavior 2, malicious behavior 3 and then malicious behavior 5, this is judged to be a malicious behavior sequence and the malicious program behavior is blocked.
The corresponding handling in step S2 includes intelligent behavior handling and behavior defense hardening.
Complex purposes are accomplished through behaviors, and there are generally six categories: 1. attacks aimed at destruction; 2. attacks aimed at control; 3. attacks aimed at stealing information; 4. attacks aimed at resource consumption; 5. attacks aimed at penetration; 6. attacks aimed at deception. Different purposes are accomplished with correspondingly different behaviors. A destructive attack, for example, involves file-destroying behavior, behavior that destroys system functions and behavior that destroys network functions. An attack aimed at penetration, for instance one carried out via the web, may involve injection behavior (SQL injection, system command injection, script injection) and may also involve account-attacking behavior such as account cracking, session hijacking and session forgery.
Complex behavior can only be identified with the algorithm.
The modeling includes rule modeling of a single behavior and rule modeling of a behavior sequence composed of multiple behaviors;
The rule modeling form of a single behavior is: Behavior::Behavior description::Threat level<Function name 1, parameter 1, parameter value feature, ..., parameter m, parameter value feature>;
The rule modeling form of a behavior sequence composed of multiple behaviors is: Behavior sequence::Behavior description::Threat level<Behavior 1><Behavior 2>…<Behavior n>;
Here m is the number of parameters of the function and n the number of behaviors the sequence contains; the threat level has four levels, low, medium, higher and high, representing malicious programs of different levels; the parameter value feature is the specific value the parameter takes when the corresponding function call behaves maliciously.
In this embodiment, the modeling of the malicious behavior of traversing disk files covers three cases:
(1) Behavior::Locate file::medium<FindNextFile, parameter 1, "*.*">;
(2) Behavior::Locate file::medium<FindNextFile, parameter 0, NULL>;
(3) Behavior sequence::Traverse all disk files::higher<CreateFile><WriteFile>.
Here parameter 0 indicates that the behavior's parameter information need not be analysed, and the corresponding parameter value feature is set to NULL.
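The rule formats above, the three disk-traversal models and the S2 decision between a lone behavior and a behavior sequence can be exercised with the following Python matcher. It is an added example written for this page, not the patent's or the assignee's code; the names (BehaviorRule, perceive, find_sequences, decide), the API-call trace it consumes, the file-extension matching of value features and the "low" level given to the CreateFile/WriteFile elements of sequence (3) are all assumptions made here.

```python
"""Added example, not the patent's own code: a matcher for the behaviour-rule
format on this page.

    Behavior::description::threat level<function, parameter i, value feature, ...>
    Behavior sequence::description::threat level<behaviour 1><behaviour 2>...<behaviour n>

Parameter 0 means the arguments are not analysed (value feature NULL). The
API-call trace is a constructed list of (function name, argument list) pairs,
standing in for what a perception point on the system API interface records.
"""
from dataclasses import dataclass

NO_PARAM = 0   # page: "parameter 0"


@dataclass(frozen=True)
class BehaviorRule:
    description: str
    threat: str               # one of the page's four levels
    function: str
    params: tuple = ()        # ((1-based parameter index, value feature), ...)


@dataclass(frozen=True)
class SequenceRule:
    description: str
    threat: str
    behaviors: tuple          # behaviour descriptions expected in this order


def feature_matches(value, feature):
    """A feature is alternatives separated by '|', each a comma-separated token
    list. A token matches when it equals the argument or is the argument's file
    extension (case-insensitive); the extension rule is an assumption made here
    so lists like "exe, scr, pif" match file names."""
    if feature is None:
        return True
    text = str(value).lower()
    ext = text.rsplit(".", 1)[-1] if "." in text else ""
    for alternative in feature.split("|"):
        for token in alternative.split(","):
            tok = token.strip().lower()
            if tok and (tok == text or tok == ext):
                return True
    return False


def rule_matches(rule, func, args):
    """Single-behaviour rule: same function and every listed parameter feature."""
    if func != rule.function:
        return False
    for index, feature in rule.params:
        if index == NO_PARAM:
            continue
        if index > len(args) or not feature_matches(args[index - 1], feature):
            return False
    return True


def perceive(trace, rules):
    """S1: map each API call to the first rule it triggers (rules are ordered
    most specific first)."""
    hits = []
    for func, args in trace:
        for rule in rules:
            if rule_matches(rule, func, args):
                hits.append(rule.description)
                break
    return hits


def find_sequences(hits, seq_rules):
    """A sequence rule fires when its behaviours occur in order, not necessarily
    adjacently: the page treats behaviours 1, 2, 3, 5 as a sequence."""
    found = []
    for seq in seq_rules:
        remaining = iter(hits)
        if all(any(h == want for h in remaining) for want in seq.behaviors):
            found.append(seq.description)
    return found


def decide(trace, rules, seq_rules):
    """S2: a behaviour sequence is blocked; a lone behaviour prompts the user."""
    hits = perceive(trace, rules)
    seqs = find_sequences(hits, seq_rules)
    if seqs:
        return "block", seqs
    if hits:
        return "prompt_user", hits
    return "allow", []


# Rules transcribed from the page's disk-traversal and hook models. The
# CreateFile/WriteFile elements of sequence (3) are modelled as parameter-0
# single-behaviour rules with an assumed "low" level; the page does not say.
RULES = [
    BehaviorRule("Locate file", "medium", "FindNextFile", ((1, "*.*"),)),
    BehaviorRule("Locate file", "medium", "FindNextFile", ((NO_PARAM, None),)),
    BehaviorRule("CreateFile", "low", "CreateFile", ((NO_PARAM, None),)),
    BehaviorRule("WriteFile", "low", "WriteFile", ((NO_PARAM, None),)),
    BehaviorRule("Hook behaviour", "higher", "SetWindowsHookEx", ((1, "WH_KEYBOARD"),)),
]
SEQUENCES = [SequenceRule("Traverse all disk files", "higher", ("CreateFile", "WriteFile"))]

# Constructed traces (not captured data).
SINGLE_HIT_TRACE = [("FindNextFile", ["*.*", "<WIN32_FIND_DATA>"]), ("GetTickCount", [])]
SEQUENCE_TRACE = [("FindNextFile", ["*.*", "<WIN32_FIND_DATA>"]),
                  ("CreateFile", ["C:\\data\\report.docx"]),
                  ("GetTickCount", []),
                  ("WriteFile", ["<handle>", "<buffer>"])]

if __name__ == "__main__":
    print(decide(SINGLE_HIT_TRACE, RULES, SEQUENCES))   # ('prompt_user', ['Locate file'])
    print(decide(SEQUENCE_TRACE, RULES, SEQUENCES))     # ('block', ['Traverse all disk files'])
```

Two points worth noticing when running it: the more specific FindNextFile rule is listed before the parameter-0 one, so a call is attributed once, and the sequence check is an in-order subsequence match rather than a match on adjacent calls, which is what lets an unrelated call such as GetTickCount sit between CreateFile and WriteFile without breaking the sequence.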
The malicious behavior of modifying file attributes includes setting the time of files under the system directory or of executable files to the system file time, and changing file attributes to system or hidden;
Setting the time of files under the system directory or of executable files to the system file time is modeled as:
Behavior::Modify file time::medium<SetFileTime, parameter 1, "exe, scr, pif, com, bat, inf" | "%system", parameter 2, "system file time", parameter 3, "system file time", parameter 4, "system file time">.
Changing file attributes to system or hidden is modeled as:
Behavior::Modify file attribute::medium<SetFileAttribute, parameter 1, "exe, scr, pif, com, bat, inf" | "%system", parameter 2, "FILE_ATTRIBUTE_HIDDEN | SYSTEM">.
The malicious behavior of accessing the registry includes modifying the system's startup associations, obtaining IE proxy information and disabling the operating system's function for displaying hidden system files.
Modifying the system's startup associations is modeled as:
Behavior::Modify system startup association::medium<RegCreateKey, parameter 1, "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion", parameter 2, "Run", parameter 9, "REG_CREATED_NEW_KEY | REG_OPENED_EXISTING_KEY">.
Obtaining IE proxy information is modeled as:
Behavior::Obtain IE proxy information::medium<RegQueryValueEx, parameter 1, "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings", parameter 2, "ProxyServer" | "ProxyEnable">.
Disabling the operating system's function for displaying hidden system files is modeled as:
Behavior::Forbid display of hidden system files::higher<RegSetValueEx, parameter 1, "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", parameter 2, "CheckedValue", parameter 5, 0x00>.
The malicious behavior of service activity includes creating a self-starting service, starting a service, deleting a service and changing the state of a service.
Creating a self-starting service is modeled as:
Behavior::Create self-starting service::medium<CreateService, parameter 5, "SERVICE_WIN32_OWN_PROCESS | KERNEL_DRIVER | WIN32_SHARE_PROCESS", parameter 6, "SERVICE_SYSTEM_START | AUTO_START | DEMAND_START", parameter 8, "%system32%" | "services such as kavsvc, AVP, ccProxy">.
Starting a service is modeled as:
Behavior::Start service::medium<StartService, parameter 1, 0>.
Deleting a service is modeled as:
Behavior::Delete service::medium<DeleteService, parameter 1, "%system32%" | "services such as kavsvc, AVP, ccProxy">.
Changing the state of a service is modeled as:
Behavior::Control service state::medium<ControlService, parameter 1, "%system32%" | "services such as kavsvc, AVP, ccProxy", parameter 1, SERVICE_CONTROL_STOP | CONTROL_PAUSE | CONTROL_CONTINUE>.
The malicious behavior of terminating system processes includes terminating a process the system is currently running.
Terminating a process the system is currently running is modeled as:
Behavior::Terminate system process::medium<TerminateProcess, parameter 1, "processes such as Mcshield.exe | Scan32.ece | naPrdMgr.exe">.
Hook behavior is modeled as:
Behavior::Hook behavior::higher<SetWindowsHookEx, parameter 1, WH_KEYBOARD>.
The active defense method based on a program behavior algorithm also includes a step of collecting and displaying malicious program behavior data: the time, location, attack means, attack target and attack effect of the malicious program behavior are collected and displayed.
By using the adaptive multidimensional function Y=k*f(X1, X2 ... Xn) together with the behavior algorithm model, where Xn is the risk weight of one behavior of the program as determined by the program behavior algorithm, k is the program category risk coefficient and Y is the risk value of the whole program, the model analyses the logical relations between program behaviors, judges the legitimacy of program behavior and realises automatic identification and active defense against malicious code.
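The page states the risk function Y = k*f(X1, X2 ... Xn) but does not define f, the weight that each threat level contributes as Xi, or the category coefficients k. The following Python block is an added worked instance, not the patent's code: it takes a noisy-OR aggregation for f, an assumed weight per threat level, assumed k values for three program categories, and assumed thresholds that map Y back onto the S2 outcomes; every one of those choices is marked as an assumption in the code.

```python
"""Added example, not the patent's own code: a worked instance of the page's
risk function Y = k * f(X1, X2, ..., Xn).

Xi is the risk weight of one behaviour the program exhibited, k the risk
coefficient of the program's category, Y the program's overall risk value.
The page defines none of f, the per-level weights, the k values or the
decision thresholds; everything below marked "assumed" is this example's choice.
"""

# Assumed weight per threat level (the page names these four levels).
THREAT_WEIGHT = {"low": 0.2, "medium": 0.4, "higher": 0.7, "high": 0.9}

# Assumed category coefficients k: a system component is trusted more than an
# unsigned download, so the same behaviours yield a lower Y for it.
CATEGORY_K = {"system_component": 0.5, "signed_application": 0.8, "unsigned_download": 1.2}


def f(weights):
    """Assumed aggregation: noisy-OR. Each behaviour independently raises the
    risk, so several medium-level behaviours compound while a single medium
    hit stays moderate; the result lies in [0, 1] for any number of inputs."""
    not_risky = 1.0
    for x in weights:
        not_risky *= 1.0 - x
    return 1.0 - not_risky


def risk_value(threat_levels, category):
    """Y = k * f(X1 ... Xn) for the observed behaviours, given by threat level."""
    weights = [THREAT_WEIGHT[level] for level in threat_levels]
    return CATEGORY_K[category] * f(weights)


def verdict(y, block_at=0.7, prompt_at=0.3):
    """Map Y onto the page's S2 outcomes; both thresholds are assumed."""
    if y >= block_at:
        return "block"
    if y >= prompt_at:
        return "prompt_user"
    return "allow"


if __name__ == "__main__":
    # Constructed case: the disk-traversal sequence (higher) plus two medium hits
    # from an unsigned download.
    y = risk_value(["higher", "medium", "medium"], "unsigned_download")
    print(round(y, 3), verdict(y))
```

The noisy-OR choice is what makes the function behave like the page's "logical relation between behaviors": two medium hits score 0.64 before the category coefficient is applied, well above either hit alone, whereas a plain maximum would never rise above 0.4.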

Claims (4)

  1. An active defense method based on a program behavior algorithm, characterised in that it comprises the following steps:
    S1: the behavior and behavior purpose of a program are identified by the behavior algorithm; when program behavior triggers a malicious-behavior perception point on a system API interface, the malicious program behavior carrying that malicious purpose is actively perceived and modeled;
    The malicious program behavior includes the malicious behavior of traversing disk files, modifying file attributes, accessing the registry, service activity, terminating system processes and hooking;
    The malicious behavior of modifying file attributes includes setting the time of files under the system directory or of executable files to the system file time, and changing a file's attributes to system or hidden; the malicious behavior of accessing the registry includes modifying the system's startup associations, obtaining IE proxy information and disabling the operating system's function for displaying hidden system files; the malicious behavior of service activity includes creating a self-starting service, starting a service, deleting a service and changing the state of a service; the malicious behavior of terminating system processes includes terminating a process the system is currently running;
    The behavior purposes include destruction, control, information theft, resource consumption, penetration and deception;
    Complex behavior can only be identified with the algorithm;
    S2: the malicious program behavior is identified and judged to be either a single malicious behavior or a malicious behavior sequence, and corresponding handling is performed to decide whether to intercept the program behavior, terminate the executing program or clean up the program;
    By using the adaptive multidimensional function Y=k*f(X1, X2 ... Xn) and the behavior algorithm model, the legitimacy of program behavior is judged and automatic identification and active defense against malicious code are realised, where Xn is the risk weight of one behavior of the program as determined by the program behavior algorithm, k is the program category risk coefficient and Y is the risk value of the whole program, the model analysing the logical relations between program behaviors.
  2. The active defense method based on a program behavior algorithm according to claim 1, characterised in that the modeling includes rule modeling of a single behavior and rule modeling of a behavior sequence composed of multiple behaviors;
    The rule modeling form of a single behavior is: Behavior::Behavior description::Threat level<Function name 1, parameter 1, parameter value feature, ..., parameter m, parameter value feature>;
    The rule modeling form of a behavior sequence composed of multiple behaviors is: Behavior sequence::Behavior description::Threat level<Behavior 1><Behavior 2>…<Behavior n>;
    Here m is the number of parameters of the function and n the number of behaviors the sequence contains; the threat level represents malicious programs of different levels; the parameter value feature is the specific value the parameter takes when the corresponding function call behaves maliciously.
  3. The active defense method based on a program behavior algorithm according to claim 1, characterised in that the corresponding handling in step S2 includes intelligent behavior handling and behavior defense hardening.
  4. The active defense method based on a program behavior algorithm according to claim 1, characterised in that it also includes a step of collecting and displaying malicious program behavior data: the time, location, attack means, attack target and attack effect of the malicious program behavior are collected and displayed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510262180.5A CN104899511B (en) 2015-05-21 2015-05-21 A kind of active defense method based on program behavior algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510262180.5A CN104899511B (en) 2015-05-21 2015-05-21 A kind of active defense method based on program behavior algorithm

Publications (2)

Publication Number Publication Date
CN104899511A CN104899511A (en) 2015-09-09
CN104899511B true CN104899511B (en) 2018-01-19

Family

ID=54032171

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510262180.5A Active CN104899511B (en) 2015-05-21 2015-05-21 A kind of active defense method based on program behavior algorithm

Country Status (1)

Country Link
CN (1) CN104899511B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107315952A (en) * 2016-04-26 2017-11-03 华为技术有限公司 Method and apparatus for determining application program suspicious actions
CN106096397B (en) * 2016-05-26 2019-05-28 倪茂志 A kind of prevention method that extorting software and system
CN106650436B (en) * 2016-12-29 2019-09-27 北京奇虎科技有限公司 A kind of safety detection method and device based on local area network
CN109871690A (en) * 2018-05-04 2019-06-11 360企业安全技术(珠海)有限公司 The management method and device of equipment permission, storage medium, electronic device
CN109271787A (en) * 2018-07-03 2019-01-25 中国银联股份有限公司 A kind of operating system security active defense method and operating system
CN110619214A (en) * 2019-08-15 2019-12-27 苏州浪潮智能科技有限公司 Method and device for monitoring normal operation of software
CN111079146A (en) * 2019-12-10 2020-04-28 苏州浪潮智能科技有限公司 Malicious software processing method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6775780B1 (en) * 2000-03-16 2004-08-10 Networks Associates Technology, Inc. Detecting malicious software by analyzing patterns of system calls generated during emulation
CN1648869A (en) * 2004-01-19 2005-08-03 中国人民解放军理工大学 Action control method based on LSM programme
CN1818857A (en) * 2005-02-07 2006-08-16 福建东方微点信息安全有限责任公司 Method and system for identifying computer programm

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7376970B2 (en) * 2004-02-20 2008-05-20 Microsoft Corporation System and method for proactive computer virus protection


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and implementation of a cloud-based active defense system against malicious code; 邹航 (Zou Hang); Journal of Chongqing University of Technology; 2014-05-31; Vol. 28, No. 5; pp. 84-92 *

Also Published As

Publication number Publication date
CN104899511A (en) 2015-09-09

Similar Documents

Publication Publication Date Title
CN104899511B (en) A kind of active defense method based on program behavior algorithm
Shaukat et al. RansomWall: A layered defense system against cryptographic ransomware attacks using machine learning
JP6522707B2 (en) Method and apparatus for coping with malware
US9916447B2 (en) Active defense method on the basis of cloud security
Moustafa et al. Data analytics-enabled intrusion detection: Evaluations of ToN_IoT linux datasets
Javaheri et al. Detection and elimination of spyware and ransomware by intercepting kernel-level system routines
DE60303753T2 (en) Selective recognition of malicious computer code
EP3407235A1 (en) A computer-implemented method, a system and a computer program for identifying malicious uri data items
US6742128B1 (en) Threat assessment orchestrator system and method
KR100910761B1 (en) Anomaly Malicious Code Detection Method using Process Behavior Prediction Technique
Singhal et al. Malware detection module using machine learning algorithms to assist in centralized security in enterprise networks
DE202010018642U1 (en) System for detection of previously unknown malware
KR101230271B1 (en) System and method for detecting malicious code
CN101350053A (en) Method and apparatus for preventing web page browser from being used by leak
DE202012013609U1 (en) System for distributing processing of computer security tasks
WO2018017498A1 (en) Inferential exploit attempt detection
Barabosch et al. Host-based code injection attacks: A popular technique used by malware
Al-Maksousy et al. NIDS: Neural network based intrusion detection system
Borana et al. An assistive tool for fileless malware detection
CN115906184B (en) Method, device, medium and electronic equipment for controlling process to access files
DE202013103358U1 (en) Selective assessment of the harmfulness of software code executed in the address space of a trustworthy process
Chen et al. Which is the greenest way home? A lightweight eco-route recommendation framework based on personal driving habits
Mugisha Android Application Malware Analysis
Grégio et al. Pinpointing malicious activities through network and system-level malware execution behavior
US11934515B2 (en) Malware deterrence using computer environment indicators

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant