CN105303107A - Abnormal process detection method and apparatus - Google Patents

Info

Publication number
CN105303107A
Authority
CN
China
Prior art keywords
path
executive routine
legal
self
complete trails
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201410250798.5A
Other languages
Chinese (zh)
Inventor
张南骏
李炀
周祥生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201410250798.5A
Priority to PCT/CN2014/092824 (WO2015184752A1)
Publication of CN105303107A
Legal status: Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention discloses an abnormal process detection method and apparatus. The abnormal process detection method provided by the present invention comprises: determining an executive program corresponding to a running process in an apparatus; and determining whether a path of the executive program belongs to a preset valid path, and if not, marking the process corresponding to the executive program as abnormal. According to the method provided by the present invention, the preset valid path is set in advance and is a path for storing a valid program. If the executive program corresponding to a currently allowed process is not in the valid path, it proves that the executive program of the process is invalid, and therefore the process is abnormal. According to the method provided by the present invention, the state of the process can be determined only by determining whether the path of the executive program of the process belongs to the preset valid path, so as to determine whether the process is a virus process, thereby searching for and killing a virus. Therefore, according to the abnormal process detection method provided by the present invention, a virus can be searched for and killed without knowing a property of the virus.

Description

Abnormal process detection method and apparatus
Technical field
The present invention relates to the field of electronic security, and in particular to an abnormal process detection method and apparatus.
Background technology
With the current flourishing of the Internet, computer hackers, Trojans and viruses emerge endlessly and seriously threaten the information security of electronic devices (such as computers). Security problems receive more and more attention, and accordingly all kinds of antivirus software have arisen. Existing antivirus methods are generally signature-based scanning. Signature-based scanning is a scanning technique that analyzes known viruses and then matches files or memory against simple virus signatures; on a successful match it reports the virus type name corresponding to the matched signature. It relies on the principle that "a certain portion of the code of the same virus, or of similar viruses, is identical"; that is, a virus and its variants or polymorphic forms share common characteristics, and those common characteristics can be described by a signature. However, not every virus can be described by a signature: many viruses are difficult or even impossible to describe this way. It can be seen that detecting and removing viruses by signature-based scanning requires the signature of the virus or of a similar virus to be known in advance, i.e. the characteristics of the virus must be known beforehand, and a virus whose characteristics are unknown cannot be detected and removed.
Summary of the invention
The main technical problem to be solved by the present invention is to provide an abnormal process detection method and apparatus that address the inability of the prior art to detect and remove unknown viruses.
To solve the above technical problem, the present invention provides an abnormal process detection method comprising: determining the executable program corresponding to a process running in the system; and judging whether the path of the executable program belongs to a preset legitimate path, and if not, marking the process corresponding to the executable program as abnormal.
In an embodiment of the present invention, the legitimate path comprises a system folder path set and a custom legitimate program full-path set. Judging whether the path of the executable program belongs to the preset legitimate path comprises: judging whether the path of the executable program belongs to the preset system folder path set, and if so, marking the process corresponding to the executable program as legitimate; if not, judging whether the path of the executable program belongs to the preset custom legitimate program full-path set, and if not, marking the process corresponding to the executable program as abnormal. Judging whether the path of the executable program belongs to the preset system folder path set comprises: judging whether the path of the folder containing the executable program is identical to a system folder path in the system folder path set, or is a subpath under a system folder path in the system folder path set, and if so, judging that the path of the executable program belongs to the preset system folder path set. Judging whether the path of the executable program belongs to the preset custom legitimate program full-path set comprises: judging whether the full path of the executable program is identical to a custom legitimate full path in the custom legitimate program full-path set, and if so, judging that the path of the executable program belongs to the preset custom legitimate program full-path set.
In an embodiment of the present invention, before judging whether the path of the executable program belongs to the preset custom legitimate program full-path set, the method further comprises: storing, for each custom legitimate full path in the custom legitimate program full-path set, the content identification information of the corresponding legitimate program. When the result of judging whether the path of the executable program belongs to the preset custom legitimate program full-path set is yes, the method further comprises: judging whether the content identification information of the legitimate program with the identical full path is identical to that of the executable program, and if not, marking the process corresponding to the executable program as abnormal.
In an embodiment of the present invention, the content identification information is a data digest value.
In an embodiment of the present invention, after a process is marked, the corresponding state is marked on its corresponding executable program; and after determining the executable program corresponding to a process running in the system and before judging whether the path of the executable program belongs to the preset legitimate path, the method further comprises: judging whether the executable program corresponding to the current process has already been marked, and if so, marking the current process directly according to the marked state of the executable program.
In an embodiment of the present invention, after marking the process corresponding to the executable program as abnormal, the method further comprises: manually judging whether the process is abnormal, and if not, setting the path of the executable program corresponding to the process as a legitimate path.
In an embodiment of the present invention, before judging whether the path of the executable program belongs to the preset legitimate path, the preset legitimate path is determined in at least one of the following ways: taking a snapshot of the system processes while the terminal is virus-free to obtain the legitimate paths of the legitimate processes; and taking the paths corresponding to processes that the user considers legitimate as legitimate paths.
The present invention also provides an abnormal process detection apparatus comprising a program determination module, a path judgment module and a process marking module. The program determination module determines the executable program corresponding to a process running in the system; the path judgment module judges whether the path of the executable program belongs to the preset legitimate path and, if not, notifies the process marking module to mark the process corresponding to the executable program as abnormal.
In an embodiment of the present invention, the path judgment module further comprises a system judgment submodule and a custom judgment submodule. The system judgment submodule judges whether the path of the executable program belongs to the preset system folder path set; if so, it notifies the process marking module to mark the process corresponding to the executable program as legitimate; if not, it notifies the custom judgment submodule. The custom judgment submodule judges whether the path of the executable program belongs to the preset custom legitimate program full-path set, and if not, notifies the process marking module to mark the process corresponding to the executable program as abnormal. The system judgment submodule comprises a folder judgment submodule for judging whether the path of the folder containing the executable program is identical to a system folder path in the system folder path set, or is a subpath under a system folder path in the system folder path set, and if so, judging that the path of the executable program belongs to the preset system folder path set. The custom judgment submodule comprises a full-path judgment submodule for judging whether the full path of the executable program is identical to a custom legitimate full path in the custom legitimate program full-path set, and if so, judging that the path of the executable program belongs to the preset custom legitimate program full-path set.
In an embodiment of the present invention, the apparatus further comprises a storage module for storing the content identification information of the legitimate program corresponding to each custom legitimate full path in the custom legitimate program full-path set; and the apparatus further comprises an information judgment module for judging whether the content identification information of the legitimate program with the identical full path is identical to that of the executable program, and if not, notifying the process marking module to mark the process corresponding to the executable program as abnormal.
In an embodiment of the present invention, the information judgment module further comprises a data digest judgment submodule for judging whether the data digest value of the legitimate program with the identical full path is identical to that of the executable program.
In an embodiment provided by the present invention, the apparatus further comprises a program marking module for marking, after a process is marked, the corresponding state on its corresponding executable program; and the apparatus further comprises a program judgment module for judging, after the program determination module determines the executable program corresponding to a process running in the system, whether the executable program corresponding to the current process has already been marked, and if so, notifying the process marking module to mark the current process directly according to the marked state of the executable program.
The beneficial effects of the present invention are as follows:
The present invention provides an abnormal process detection method and apparatus. The abnormal process detection method provided by the invention comprises: determining the executable program corresponding to a process running in the device; and judging whether the path of the executable program belongs to the preset legitimate path, and if not, marking the process corresponding to the executable program as abnormal. In the method provided by the invention, the preset legitimate path is set in advance and is the path where legitimate programs are stored; if the executable program corresponding to a currently permitted process is not in a legitimate path, this proves that the executable program of the process is illegitimate, and therefore the process is also abnormal. The method provided by the invention only needs to judge whether the path of the executable program of the process belongs to the preset legitimate path in order to determine the state of the process, and hence whether the process is a virus process, thereby detecting and removing the virus. It can be seen that the abnormal process detection method provided by the invention can detect and remove a virus without knowing the characteristics of the virus.
Brief description of the drawings
Fig. 1 is a schematic flow chart of an abnormal process detection method provided by Embodiment one of the present invention;
Fig. 2 is a schematic flow chart of an abnormal process detection method provided by Embodiment two of the present invention;
Fig. 3 is a schematic structural diagram of an abnormal process detection apparatus provided by Embodiment three of the present invention;
Fig. 4 is a schematic structural diagram of another abnormal process detection apparatus provided by Embodiment three of the present invention;
Fig. 5 is a schematic structural diagram of yet another abnormal process detection apparatus provided by Embodiment three of the present invention;
Fig. 6 is a schematic structural diagram of still another abnormal process detection apparatus provided by Embodiment three of the present invention.
Detailed description of the embodiments
As will be understood by those skilled in the art, the present invention may be embodied as a system, apparatus, method or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment or an entirely software embodiment (including firmware, resident software, microcode, etc.). Furthermore, the present invention may take the form of a computer program product embodied in any tangible medium of expression having computer-usable program code embodied in the medium.
Any combination of one or more computer-usable or computer-readable media may be used. The computer-usable or computer-readable medium may be, for example (but not limited to), an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus, device or propagation medium. More specific examples (a non-exhaustive list) of the computer-readable medium include: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a transmission medium such as those supporting the Internet or an intranet, or a magnetic storage device. Note that the computer-usable or computer-readable medium could even be paper or another suitable medium on which the program is printed, since the program can be captured electronically, for instance by optically scanning the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner (if necessary), and then stored in a computer memory. In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate or transport the program for use by or in connection with an instruction execution system, apparatus or device. The computer-usable medium may include a propagated data signal with the computer-usable program code embodied therein, either in baseband or as part of a carrier wave. The computer-usable program code may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++, or a conventional procedural programming language such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. In the latter case, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus so as to produce a computer-implemented process, such that the instructions executed on the computer or other programmable apparatus provide processes for implementing the functions/operations specified in the blocks of the flowchart and/or block diagram.
Before the abnormal process detection method and apparatus proposed by this application are described with specific embodiments, the terms used in the present invention are first explained. A process is an execution activity of a program on a computer. A process is a running instance of a program, a dynamic execution of the program. When a program is run, a process is started (the same executable program may also correspond to multiple processes). A process can therefore be understood as an executable program currently being run by the operating device. Processes can be divided into device processes and user processes. Every process that serves to complete the various functions of the operating device is a device process; a user process is a process started by the user, such as QQ, a browser, etc. The executable programs currently run by the device include: the programs necessary for the device to manage the computer and complete its various operations; the additional programs opened and executed by the user; and, of course, illegitimate programs that run automatically without the user's knowledge (which are quite possibly viruses). Viruses that do greater harm when executed likewise appear inside the device in the form of "processes", so checking for and accurately killing illegitimate processes in time plays a key role in virus removal. The content of an executable program is generally machine language; the content of an executable program can generally be represented by content identification information, of which the data digest value of the program is one kind. If the content identification information of two programs is identical, the contents of the two programs are also identical.
A path is the route through folders that a user follows to find a file on the terminal's disk. A full path is the path from the root directory to the specific file name, for example C:\abcd\abcd\a.txt under Windows, or /mnt/media/xxxx.txt under Linux. A full path uniquely locates a file.
The method provided by the present invention is applicable not only to computers but equally to terminals such as mobile phones and tablet computers.
The abnormal process detection method and apparatus proposed by the present invention are described below with specific embodiments.
Embodiment one:
This embodiment provides an abnormal process detection method. Refer to Fig. 1, which is a schematic flow chart of the method; the method comprises the following steps:
Step S101: determine the executable program corresponding to a process running in the system;
Step S102: judge whether the path of the executable program belongs to a preset legitimate path, and if not, mark the process corresponding to the executable program as abnormal.
Before judging whether the path of the executable program belongs to the preset legitimate path, the preset legitimate path may be determined in at least one of the following ways: taking a snapshot of the system processes while the terminal is virus-free to obtain the legitimate paths of the legitimate processes; and taking the paths corresponding to the processes that the user considers legitimate as legitimate paths. The legitimate path generally comprises a system folder path set and a custom legitimate program full-path set. The system folder path set is the set of storage paths of system files (including system programs) in the terminal; because the folders corresponding to these storage paths are used to store system files, their attributes are generally not writable, so viruses generally cannot enter them either. In this embodiment, the programs stored by default under the system folder paths are legitimate programs. The system folder paths can generally be taken as the system's default storage paths, such as /bin, /sbin, /usr/bin, /usr/sbin, etc. A custom legitimate full path is set as follows: the user sets the path that stores a custom legitimate program as a custom legitimate full path; because a full path uniquely locates a file, a custom legitimate full path corresponds to one legitimate program. The legitimate programs can generally be taken from a snapshot of all processes existing after the system has started normally, manually supplemented with some application programs known to have to start on the local system. It should be noted that there is no clear boundary between system folder paths and custom legitimate full paths; a custom legitimate full path may also lie under a system folder path.
In this embodiment, the preset legitimate path comprises the system folder path set and the custom legitimate program full-path set. If the path of the executable program belongs to the system folder path set, this indicates that the executable program is in a system folder; system folders store system files, so a program under a system folder is a normal program and its corresponding process is also normal. Therefore it may first be judged whether the path of the executable program belongs to the system folder path set, and if not, it is then judged whether it belongs to the custom legitimate program full-path set. If the path of the executable program belongs neither to a system folder path nor to a custom legitimate full path, the executable program is abnormal and so is its corresponding process. Accordingly, judging whether the path of the executable program belongs to the preset legitimate path comprises: judging whether the path of the executable program belongs to the preset system folder path set, and if so, marking the process corresponding to the executable program as legitimate; if not, judging whether the path of the executable program belongs to the preset custom legitimate program full-path set, and if not, marking the process corresponding to the executable program as abnormal.
Because system folder paths differ from custom legitimate full paths, the ways of judging whether the path of the executable program belongs to the preset legitimate path also differ. A system folder path points to a folder, so the files or folders below that folder all belong to the contents of that folder. Therefore, when judging whether the path of the executable program belongs to the preset system folder path set, it can be judged whether the path of the folder containing the executable program is identical to a system folder path in the system folder path set, or is a subpath under a system folder path in the system folder path set; if so, the path of the executable program is judged to belong to the preset system folder path set. To illustrate this point, take an example: the system folder path set comprises C:\a\b. If the path of the folder containing the executable program is C:\a\b, then because the path of the folder containing the executable program is identical to the system folder path, the path of the executable program belongs to the preset legitimate path. If the path of the folder containing the executable program is C:\a\b\c, the path of the executable program likewise belongs to the preset legitimate path, because C:\a\b\c is a subpath of C:\a\b, and an executable program stored under C:\a\b\c is also stored under C:\a\b. Judging whether the full path of the executable program is a subpath of a system folder in the preset system folder path set is equivalent to judging by the path of the folder containing the executable program, because the full path of the executable program is itself a subpath of the path of the folder containing it; the two judgment methods are essentially the same. Judging directly whether a path lies under a system folder path in this way is very fast, because it only requires judging whether the path of the folder containing the executable program is under a system folder path.
Judging whether the path of the executable program belongs to the preset custom legitimate program full-path set differs somewhat from the judgment above, because a full path points to a file, that is, to a program, and there are no subpaths under a full path. Therefore, when judging whether the path of the executable program belongs to the preset custom legitimate program full-path set, it is necessary to judge whether the full path of the executable program is identical to a custom legitimate full path in the custom legitimate program full-path set; if so, the path of the executable program is judged to belong to the preset custom legitimate program full-path set. If the custom legitimate program full-path set contains a custom legitimate full path identical to the full path of the executable program, the programs corresponding to the two full paths have the same name. For example, if the full path of the executable program is C:\a\b\c.exe and the custom legitimate program full-path set also contains C:\a\b\c.exe, the program corresponding to the executable program and the program corresponding to the custom legitimate full path are the same. However, it cannot be concluded that the executable program is a legitimate program merely because the full path of a legitimate program is identical to the full path of the executable program: besides directly running its own program on the terminal, a virus may also impersonate a legitimate program originally present on the terminal. Therefore, even if a custom legitimate full path is identical to the full path of the executable program, this does not show that the executable program is a legitimate program, and its content must be confirmed further. Accordingly, before judging whether the path of the executable program belongs to the preset custom legitimate program full-path set, the method further comprises: storing, for each custom legitimate full path in the custom legitimate program full-path set, the content identification information of the corresponding legitimate program; and when the path of the executable program is judged to belong to the preset custom legitimate program full-path set, the method further comprises: judging whether the content identification information of the legitimate program with the identical full path is identical to that of the executable program, and if not, marking the process corresponding to the executable program as abnormal. Whether the content identification information is identical can be judged by whether the data digest values of the two programs with the identical full path are identical.
Because the same executable program may correspond to multiple processes, the executable program corresponding to the current process may already have been detected, and performing the detection procedure again would be redundant. Duplicate detection can therefore be avoided as follows: after a process is marked, the corresponding state is marked on the corresponding executable program; and after determining the executable program corresponding to a process running in the system, judging whether the path of the executable program belongs to the preset legitimate path further comprises: judging whether the executable program corresponding to the current process has already been marked, and if so, marking the current process directly according to the marked state of the executable program.
In this embodiment, the legitimate paths may also be listed in a whitelist, which makes the legitimate paths convenient to manage and review, and also makes it convenient to obtain the legitimate paths from the whitelist in the subsequent detection procedure.
The detection method provided by this embodiment may also be performed periodically: after the legitimate paths are determined, a scheduling policy for abnormal process monitoring can be set up. Crontab can generally be used for timed scheduling, for example performing one abnormal process detection every 5 minutes.
After a process is determined to be abnormal, according to a pre-configured policy the abnormal process may be chosen to be killed, or an alarm may be raised and the information about the abnormal process (such as the full path of its executable program, its data digest value, start time, start-up parameters, etc.) reported to the administrator, who decides how to handle it. The administrator can judge manually: if the process is considered abnormal, it can be killed, its executable program deleted, and a further investigation carried out; if the judgment is that the process is not abnormal but a legitimate process, the path of the executable program corresponding to the process can be set as a legitimate path, for example by adding the full path of its executable program to the custom legitimate program full-path set.
Embodiment two:
For illustrating in greater detail a kind of abnormal process detection method that embodiment one proposes, present embodiments provide an embodiment more specifically, please refer to Fig. 2, the schematic flow sheet of a kind of abnormal process detection method that Fig. 2 provides for the present embodiment, comprises the following steps:
Step S201: start.
Step S202: the system invokes this detection program, then enter step S203.
Before this step, a legitimate process whitelist is first generated. The whitelist is a text file in which each line represents one record. The whitelist records the system directory path set, the custom legal program full-path set, and the data digest value of the application program corresponding to each entry in the custom legal program full-path set.
Step S203: by means such as ps or accessing /proc, obtain the list of all processes in the current system and the details of each process, such as its executable program and start time. Then enter step S204.
Step S204: take the first process from the obtained process list and enter step S205.
Step S205: from the path where the executable program of the current process is located, judge whether the path of the executable program of the current process belongs to the system directory path set in the whitelist. The judgment is: judge whether the directory containing the executable program is identical to a system directory path in the system directory path set, or is a subpath under a system directory path in the system directory path set; if so, enter step S206; if not, enter step S209.
Step S206: mark this process as legal, then perform step S207.
Step S207: judge whether all processes have been checked; if so, enter step S212 and end the flow; if not, perform step S208.
Step S208: take the next process from the process list, then enter step S205.
Step S209: judge whether the path of the executable program of the current process belongs to the custom legal program full-path set in the whitelist. The judgment is: judge whether the full path of the executable program is identical to a custom legal full path in the custom legal program full-path set; if so, enter step S210; if not, enter step S211.
Step S210: further verify the data digest value of the executable program: calculate the data digest value of the executable program of the current process and compare it with the data digest value recorded in the whitelist for the legal program whose custom legal full path is identical to the full path of this executable program. Judge whether they are consistent; if so, the executable program corresponding to this process is a legal program, enter step S206; if not, this process is an abnormal process, enter step S211.
Step S211: mark this process as abnormal. According to a pre-configured policy the abnormal process may be killed, or an alarm may be raised that reports the information about the abnormal process (such as the full path of the process, its data digest value, start time, start parameters, etc.) to the administrator, who decides how to handle it. The administrator can judge manually: if the process is considered abnormal, it can be killed, its executable program deleted, and further investigation carried out; if the process is considered legitimate, it can be added to the whitelist. After this step ends, enter step S207.
Step S212: end.
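The whitelist check of steps S205 to S211, the process loop of steps S203 to S212, and the per-executable marking of embodiment one that avoids re-checking the same executable, as an added Python example that is not part of the patent; the Whitelist shape, the choice of SHA-256 as the digest, the sample paths and digests, and the /proc reader are assumptions.

```python
import hashlib
import os
from collections import namedtuple

LEGAL, ABNORMAL = "legal", "abnormal"

# Whitelist in the shape the patent describes: the system directory path set,
# and the custom legal full paths, each with the digest recorded for it.
Whitelist = namedtuple("Whitelist", "system_dirs custom_paths")


def under_system_dir(exe_path, system_dirs):
    """Step S205: the executable's directory equals a system directory or is a
    subpath of one. Matching is on whole components, so '/usr/bin' does not
    match an executable living in '/usr/binary'."""
    exe_dir = os.path.dirname(os.path.normpath(exe_path))
    for d in system_dirs:
        d = os.path.normpath(d)
        if exe_dir == d or exe_dir.startswith(d.rstrip("/") + "/"):
            return True
    return False


def sha256_of_file(path):
    """The patent's 'data digest value', computed over the on-disk executable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(exe_path, wl, digest_of=sha256_of_file):
    """Steps S205-S211 for one process; digest_of is injectable so the sample
    data below runs without real files."""
    if under_system_dir(exe_path, wl.system_dirs):
        return LEGAL                                   # S205 yes -> S206
    expected = wl.custom_paths.get(os.path.normpath(exe_path))
    if expected is None:
        return ABNORMAL                                # S209 no -> S211
    if digest_of(exe_path) != expected:                # S210 digest mismatch
        return ABNORMAL
    return LEGAL


def scan(processes, wl, digest_of=sha256_of_file, cache=None):
    """Steps S203-S212 over a list of (pid, exe_path). `cache` holds the
    verdict per executable path (the per-executable mark of embodiment one),
    so a second process of the same executable is not re-hashed or re-checked."""
    cache = {} if cache is None else cache
    verdicts = {}
    for pid, exe in processes:
        if exe not in cache:
            cache[exe] = classify(exe, wl, digest_of)
        verdicts[pid] = cache[exe]
    return verdicts


def list_proc_processes():
    """Step S203 on Linux: resolve /proc/<pid>/exe for every numeric /proc
    entry; processes that exit mid-scan or are unreadable are skipped."""
    found = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                found.append((int(entry), os.readlink(f"/proc/{entry}/exe")))
            except OSError:
                continue
    return found


# Constructed sample data (not from the patent); the digests are made up.
SAMPLE_WHITELIST = Whitelist(
    system_dirs={"/usr/bin", "/usr/sbin", "/bin", "/sbin"},
    custom_paths={"/opt/app/bin/server": "aa11", "/home/svc/agent": "bb22"},
)
SAMPLE_DIGESTS = {"/opt/app/bin/server": "aa11", "/home/svc/agent": "ff00"}
SAMPLE_PROCESSES = [
    (101, "/usr/bin/bash"),         # inside a system directory    -> legal
    (102, "/bin/extra/tool"),       # subpath of /bin              -> legal
    (103, "/usr/binary/evil"),      # not a subpath of /usr/bin    -> abnormal
    (104, "/opt/app/bin/server"),   # custom path, digest matches  -> legal
    (105, "/home/svc/agent"),       # custom path, digest differs  -> abnormal
    (106, "/tmp/x"),                # in neither whitelist set     -> abnormal
    (107, "/opt/app/bin/server"),   # same executable as 104, verdict from cache
]


def fake_digest(path):
    """Stands in for sha256_of_file so the constructed sample runs offline."""
    return SAMPLE_DIGESTS.get(path, "")
```

The subpath test compares whole path components; a plain string-prefix comparison would wrongly accept `/usr/binary/evil` as lying under `/usr/bin`. On a live host, pass `list_proc_processes()` and the default `sha256_of_file` to `scan` instead of the constructed sample.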
Embodiment three:
This embodiment provides an abnormal process detection device. Refer to Fig. 3, which shows an abnormal process detection device provided by this embodiment. The device comprises: a program determination module 301, a path judgement module 302 and a process marking module 303. The program determination module 301 is used to determine the executable program corresponding to a process running in the system; the path judgement module 302 is used to judge whether the path of the executable program belongs to a preset legal path, and if not, to notify the process marking module 303 to mark the process corresponding to the executable program as abnormal.
This embodiment additionally provides another abnormal process detection device. Refer to Fig. 4; this device comprises the above modules, wherein the path judgement module 302 further comprises a system judgement submodule 3021 and a custom judgement submodule 3022. The system judgement submodule 3021 is used to judge whether the path of the executable program belongs to the preset system directory path set, and if so, to notify the process marking module 303 to mark the process corresponding to the executable program as legal; if not, to notify the custom judgement submodule 3022. The custom judgement submodule 3022 is used to judge whether the path of the executable program belongs to the preset custom legal program full-path set, and if not, to notify the process marking module 303 to mark the process corresponding to the executable program as abnormal. The system judgement submodule 3021 comprises a directory judgement submodule, used to judge whether the directory containing the executable program is identical to a system directory path in the system directory path set, or is a subpath under a system directory path in the system directory path set, and if so, to judge that the path of the executable program belongs to the preset system directory path set. The custom judgement submodule 3022 comprises a full-path judgement submodule, used to judge whether the full path of the executable program is identical to a custom legal full path in the custom legal program full-path set, and if so, to judge that the path of the executable program belongs to the preset custom legal program full-path set.
This embodiment additionally provides another abnormal process detection device. Refer to Fig. 5; this device comprises the above modules and also comprises a storage module 304, used to store the content identification information of the legal program corresponding to each custom legal full path in the custom legal program full-path set. The device also comprises an identification judgement module 305, used to judge whether the content identification information of the legal program with the identical full path is identical to that of the executable program, and if not, to notify the process marking module 303 to mark the process corresponding to the executable program as abnormal. The identification judgement module 305 also comprises a data digest judgement submodule, used to judge whether the data digest value of the legal program with the identical full path is identical to that of the executable program.
This embodiment additionally provides another abnormal process detection device. Refer to Fig. 6; this device comprises the above modules and also comprises a program marking module 306, used to mark, after a process is marked, the corresponding state on the executable program corresponding to it. The device also comprises a program judgement module 307, used, after the program determination module 301 determines the executable program corresponding to a process running in the system, to judge whether the executable program corresponding to the current process has already been marked, and if so, to notify the process marking module 303 to mark the current process directly according to the marked state of the executable program.
The above content is a further detailed description of the present invention in conjunction with specific embodiments, and it cannot be concluded that the specific implementation of the present invention is limited to these descriptions. Persons of ordinary skill in the technical field of the present invention may also make several simple deductions or substitutions without departing from the inventive concept, and all of these should be regarded as falling within the protection scope of the present invention.

Claims (12)

1. An abnormal process detection method, characterized in that it comprises:
determining the executable program corresponding to a process running in the system;
judging whether the path of said executable program belongs to a preset legal path, and if not, marking the process corresponding to said executable program as abnormal.
2. The abnormal process detection method as claimed in claim 1, characterized in that said legal path comprises a system directory path set and a custom legal program full-path set;
said judging whether the path of said executable program belongs to a preset legal path comprises: judging whether the path of said executable program belongs to the preset system directory path set, and if so, marking the process corresponding to said executable program as legal; if not, judging whether the path of said executable program belongs to the preset custom legal program full-path set, and if not, marking the process corresponding to said executable program as abnormal;
said judging whether the path of said executable program belongs to the preset system directory path set comprises: judging whether the directory containing said executable program is identical to a system directory path in said system directory path set, or is a subpath under a system directory path in said system directory path set, and if so, judging that the path of said executable program belongs to the preset system directory path set;
said judging whether the path of said executable program belongs to the preset custom legal program full-path set comprises: judging whether the full path of said executable program is identical to a custom legal full path in said custom legal program full-path set, and if so, judging that the path of said executable program belongs to the preset custom legal program full-path set.
3. The abnormal process detection method as claimed in claim 2, characterized in that, before said judging whether the path of said executable program belongs to the preset custom legal program full-path set, the method further comprises: storing the content identification information of the legal program corresponding to each custom legal full path in said custom legal program full-path set;
when the result of said judging whether the path of said executable program belongs to the preset custom legal program full-path set is yes, the method further comprises: judging whether the content identification information of the legal program with the identical full path is identical to that of the executable program, and if not, marking the process corresponding to said executable program as abnormal.
4. The abnormal process detection method as claimed in claim 3, characterized in that said content identification information is a data digest value.
5. The abnormal process detection method as claimed in any one of claims 1-4, characterized in that it further comprises: after marking a process, marking the corresponding state on the executable program corresponding to it;
after said determining the executable program corresponding to a process running in the system and before judging whether the path of said executable program belongs to a preset legal path, the method further comprises: judging whether the executable program corresponding to the current process has already been marked, and if so, marking the current process directly according to the marked state of said executable program.
6. The abnormal process detection method as claimed in any one of claims 1-4, characterized in that, after marking the process corresponding to the executable program as abnormal, the method further comprises: manually judging whether said process is abnormal, and if not, setting the path of the executable program corresponding to said process as a legal path and adding it to the preset legal path.
7. The abnormal process detection method as claimed in any one of claims 1-4, characterized in that, before said judging whether the path of said executable program belongs to a preset legal path, the method further comprises: determining the preset legal path in at least one of the following ways:
taking a system process snapshot while the terminal is free of viruses to obtain the legal paths of legitimate processes;
taking the path corresponding to a process that the user considers legitimate as a legal path.
8. An abnormal process detection device, characterized in that it comprises: a program determination module, a path judgement module and a process marking module;
said program determination module is used to determine the executable program corresponding to a process running in the system;
said path judgement module is used to judge whether the path of said executable program belongs to a preset legal path, and if not, to notify the process marking module to mark the process corresponding to said executable program as abnormal.
9. The abnormal process detection device as claimed in claim 8, characterized in that
said path judgement module further comprises a system judgement submodule and a custom judgement submodule; said system judgement submodule is used to judge whether the path of said executable program belongs to the preset system directory path set, and if so, to notify the process marking module to mark the process corresponding to said executable program as legal, and if not, to notify the custom judgement submodule; said custom judgement submodule is used to judge whether the path of said executable program belongs to the preset custom legal program full-path set, and if not, to notify the process marking module to mark the process corresponding to said executable program as abnormal;
said system judgement submodule comprises a directory judgement submodule, used to judge whether the directory containing said executable program is identical to a system directory path in said system directory path set, or is a subpath under a system directory path in said system directory path set, and if so, to judge that the path of said executable program belongs to the preset system directory path set;
said custom judgement submodule comprises a full-path judgement submodule, used to judge whether the full path of said executable program is identical to a custom legal full path in said custom legal program full-path set, and if so, to judge that the path of said executable program belongs to the preset custom legal program full-path set.
10. The abnormal process detection device as claimed in claim 9, characterized in that it further comprises a storage module, used to store the content identification information of the legal program corresponding to each custom legal full path in said custom legal program full-path set;
said device further comprises an identification judgement module, used to judge whether the content identification information of the legal program with said identical full path is identical to that of the executable program, and if not, to notify the process marking module to mark the process corresponding to said executable program as abnormal.
11. The abnormal process detection device as claimed in claim 10, characterized in that said identification judgement module further comprises a data digest judgement submodule, used to judge whether the data digest value of the legal program with said identical full path is identical to that of the executable program.
12. The abnormal process detection device as claimed in any one of claims 8-11, characterized in that it further comprises a program marking module, used to mark, after a process is marked, the corresponding state on the executable program corresponding to it;
said device further comprises a program judgement module, used, after said program determination module determines the executable program corresponding to a process running in the system, to judge whether the executable program corresponding to the current process has already been marked, and if so, to notify the process marking module to mark the current process directly according to the marked state of said executable program.
CN201410250798.5A 2014-06-06 2014-06-06 Abnormal process detection method and apparatus Withdrawn CN105303107A (en)

Publications (1)

Publication Number Publication Date
CN105303107A true CN105303107A (en) 2016-02-03

Also Published As

Publication number Publication date
WO2015184752A1 (en) 2015-12-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (application publication date: 20160203)