CN105630636A - Dynamical recovery method and device for operating system of intelligent electronic device - Google Patents


Info

Publication number
CN105630636A
Authority
CN
China
Prior art keywords
behavior
operating system
electronic device
intelligent electronic
malicious act
Prior art date
Legal status
Pending
Application number
CN201610052269.3A
Other languages
Chinese (zh)
Inventor
陈谦
Current Assignee
Individual
Original Assignee
Individual
Priority date
2016-01-26
Filing date
2016-01-26
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1415 Saving, restoring, recovering or retrying at system level
    • G06F11/142 Reconfiguring to eliminate the error
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1458 Management of the backup or restore process
    • G06F11/1469 Backup restoration techniques

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a dynamic recovery method and device for the operating system of an intelligent electronic device. The method comprises: step one, recording all behaviors during the operation of the intelligent electronic device, and storing behaviors with relatedness bound together as one event; step two, traversing all behaviors to detect whether a malicious behavior exists in the operating system and, if one exists, looking up the event associated with the malicious behavior and cancelling all behaviors associated with that event. By monitoring all behaviors in the intelligent electronic device, locating the malicious behavior among them and cancelling all behaviors associated with it, the operating system of the intelligent electronic device is restored to the state before the malicious behavior affected it.

Description

Dynamic recovery method and device for the operating system of an intelligent electronic device
Technical field
The invention belongs to the field of intelligent electronic devices, and in particular relates to a dynamic recovery method for the operating system of an intelligent electronic device and to a device implementing it.
Background technology
As intelligent electronic devices become more widespread, people depend on them more and more, and an increasing amount of key information, both from work and from personal privacy, is stored on these devices, where users operate on it.
However, such devices only execute the user's commands: they do not record the behaviors they perform or the relations between those behaviors, so the operating process of the operating system cannot be recorded accurately. In the prior art, the data of a device in some given state is therefore backed up manually. This is a static backup, for example a backup of the data of the device's factory state. When malicious code or spyware damages the operating system and affects its normal operation, people can only restore the operating system from the backed-up system files, passively returning it to some initial state. The device can only be restored to the state of the static backup, so a great deal of important data stored after the static backup was taken is lost and cannot be recovered.
Summary of the invention
An object of the invention is to solve at least the problems or defects described above and to provide at least the advantages described below.
An object of the invention is to record all operating behaviors in an electronic device and to back up the operating behaviors of the intelligent electronic device, thereby realizing a dynamic backup that completely records the time at which each behavior occurs, the content of the behavior, the result it produced, and the interaction relationships between behaviors.
A further object of the invention is to record all behaviors in an intelligent electronic device, search all behaviors for a malicious behavior and, when one exists, cancel all behaviors related to it, so that the device returns to the state before the malicious behavior intruded.
A further object of the invention is to record all behaviors in an intelligent electronic device and store behaviors with relatedness bound together as one event; when a malicious behavior is determined, the event related to it is extracted and, through that event, all behaviors related to the malicious behavior are determined and cancelled, which effectively prevents the malicious code that caused the behavior from hiding and thoroughly removes all malicious code from the device.
To achieve these objects and further advantages according to the invention, a dynamic recovery method for the operating system of an intelligent electronic device is provided, comprising:
Step one: record all behaviors during the operation of the intelligent electronic device, and store behaviors with relatedness bound together as one event. Changes of system state are monitored and recorded: the creation and deletion of files, the sending and receiving of mail, the addition and removal of system services, the addition and removal of kernel modules, the updating of system configuration information, and similar behaviors. One record is written for each behavior, including the time of occurrence and the PID of the process that generated it, so that a complete track of system changes is described for later analysis, recovery and restoration.
Step two: traverse all behaviors to detect whether a malicious behavior exists in the operating system; if a malicious behavior exists, look up the event associated with it and cancel all behaviors associated with that event.
A kernel driver of the intelligent electronic device, such as a computer or smartphone, monitors a series of operational details across the whole operating system: all threads and processes, files, the registry, the network, memory changes, file transmission and calls of key functions, producing a detailed, continuous and complete record that describes the operating actions of the device. At the same time, the recorded behaviors are analyzed and summarized according to their contiguity, and events associating multiple behaviors are extracted; such events include program startup, thread injection, module loading, API hooking and the like. All recorded behaviors of the system are traversed. By monitoring the whole system and describing its running trajectory, the behavior of a module residing in a system process can be distinguished from the behavior of the system process itself, and the behavior of each individual trojan file (a DLL or a script) can be described accurately; thus the process by which a trojan sample releases files, and the operational details of each of its files and processes, are described accurately, yielding a detailed report of the trojan's execution and an operational analysis report of each of its files. When a malicious behavior affecting the work of the operating system exists among the behaviors, all behaviors of the event associated with that malicious behavior are determined through the event, and by cancelling all behaviors of the event the system is restored to the state before the malicious behavior took effect.
Preferably, in the dynamic recovery method, behaviors with relatedness in step one are the multiple thread behaviors or process behaviors initiated by one thread or process. An event always begins with some process or thread. The invention starts from thread monitoring and continuously describes the running trajectory of each thread, including: 1) the startup of an unknown process; 2) the occurrence of a thread overflow; 3) network behavior of an unknown process; 4) changes to system startup items; 5) destructive behavior; 6) infectious behavior (modification of file content). From such behaviors the executing thread is extracted and, combined with file analysis, mapped to the code file of the thread, which may be an EXE or DLL file or a script file such as VBS, VBE, BAT or CMD. From the creation relations of the thread and the creation, modification, renaming, linking, loading, copying and transmission relations of its corresponding files, the file family of the "event" is confirmed; the other threads corresponding to all files of the family, the order of their startup, the associated threads and their mutual interference are then queried, and all behavioral information of the event, the sequence in which it occurred and the system environment are extracted as the basis for analysis. In this way a disordered record of system operation is generalized into independent "events". Thereafter the event is the object of analysis: its behavior record is tracked and its execution effect analyzed.
Preferably, the dynamic recovery method further comprises pre-storing the signatures (condition codes) of malicious behavior;
when a behavior contains such a signature, the behavior is a malicious behavior.
The signatures that identify malicious behavior include file signatures and memory signatures. A file signature is present in files that have not been executed, for instance in an EXE, RMVB, JPG or even TXT file; such files can be scanned for the signature and removed. A memory signature is present in an application program running in memory.
Preferably, in the dynamic recovery method, step two is performed before the operating system of the intelligent electronic device is started: it is detected whether a malicious behavior exists in the operating system;
if no malicious behavior exists, the operating system of the intelligent electronic device is started;
if a malicious behavior exists, the event associated with it is looked up, all behaviors associated with that event are cancelled, and the operating system is restarted. When the user starts a computer or smartphone, it is first detected whether the operating system has been affected by malicious behavior. If it has not, the operating system of the computer or smartphone is started directly. If it has, the operation log of the existing operating system is traversed to determine the malicious behavior and all behaviors related to the malicious event; after all behaviors of the malicious event have been cancelled, the computer or smartphone is restarted, so that the safety of the operating system is ensured at every startup of the device.
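As an added example (not code from the patent or its applicant), the following Python sketch models the two steps above together with the pre-boot variant: each behavior record carries its time, the PID of the acting process and the parent that started it; behaviors are bound into events by the root process of that chain; a behavior whose written content contains a pre-stored signature marks its whole event as malicious; and cancelling an event undoes its behaviors newest-first from the previous values captured with each record. The record layout, the toy SystemState, the signature string and the sample log are constructed assumptions.

```python
"""Event-bound behavior log with rollback.

Added example, not code from the patent or its applicant.  It models step one
(record every behavior with its time and PID, bind the behaviors started by one
process or thread into an event), step two (find a behavior carrying a known
signature and cancel every behavior of its event) and the pre-boot variant.
The record layout, the toy SystemState, the signature and the sample log are
constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Behavior:
    ts: int                  # time of occurrence (constructed tick)
    pid: int                 # process or thread that performed the behavior
    parent: Optional[int]    # process/thread that started it, None for a root
    kind: str                # file_write | file_delete | registry_set | service_add
    target: str              # file path, registry key or service name
    new: object = None       # value written by the behavior
    old: object = None       # value before the behavior, captured so it can be undone


@dataclass
class SystemState:
    files: dict = field(default_factory=dict)
    registry: dict = field(default_factory=dict)
    services: set = field(default_factory=set)


def apply(state: SystemState, b: Behavior) -> None:
    """Replay a behavior forwards (used here only to build the sample state)."""
    if b.kind == "file_write":
        state.files[b.target] = b.new
    elif b.kind == "file_delete":
        state.files.pop(b.target, None)
    elif b.kind == "registry_set":
        state.registry[b.target] = b.new
    elif b.kind == "service_add":
        state.services.add(b.target)


def undo(state: SystemState, b: Behavior) -> None:
    """Inverse of apply: put back the 'old' value recorded with the behavior."""
    store = state.files if b.kind in ("file_write", "file_delete") else state.registry
    if b.kind == "service_add":
        state.services.discard(b.target)
    elif b.old is None:
        store.pop(b.target, None)        # the behavior created the entry: remove it
    else:
        store[b.target] = b.old          # the behavior changed the entry: restore it


def bind_events(log):
    """Group behaviors into events keyed by the root process that started the chain."""
    parent = {}
    for b in log:
        parent.setdefault(b.pid, b.parent)   # first record for a pid names its parent

    def root(pid):
        seen = set()
        while parent.get(pid) is not None and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    events = {}
    for b in log:
        events.setdefault(root(b.pid), []).append(b)
    return events


SIGNATURES = [b"EVIL_PAYLOAD_SIG"]   # constructed placeholder, not a real signature


def is_malicious(b: Behavior) -> bool:
    """A behavior whose written content carries a pre-stored signature is malicious."""
    data = b.new if isinstance(b.new, bytes) else str(b.new or "").encode()
    return any(sig in data for sig in SIGNATURES)


def dynamic_recover(state: SystemState, log):
    """Cancel every event containing a malicious behavior; return the cancelled event ids."""
    cancelled = []
    for eid, behaviors in bind_events(log).items():
        if any(is_malicious(b) for b in behaviors):
            for b in sorted(behaviors, key=lambda x: x.ts, reverse=True):  # newest first
                undo(state, b)
            cancelled.append(eid)
    return cancelled


def pre_boot_check(state: SystemState, log) -> str:
    """Pre-boot variant: start directly if clean, otherwise recover and restart."""
    return "restart" if dynamic_recover(state, log) else "start"


# Constructed sample log: a user editor (pid 100) and a dropper chain 200 -> 201 -> 202.
SAMPLE_LOG = [
    Behavior(1, 100, None, "file_write", "C:/Users/a/report.txt", "quarterly figures"),
    Behavior(2, 200, None, "file_write", "C:/Temp/loader.exe", b"MZ...EVIL_PAYLOAD_SIG..."),
    Behavior(3, 201, 200, "registry_set", "HKCU/Run/loader", "C:/Temp/loader.exe"),
    Behavior(4, 201, 200, "file_write", "C:/Windows/hosts", "tampered entry", old="# original hosts"),
    Behavior(5, 202, 201, "service_add", "svc_loader"),
    Behavior(6, 100, None, "registry_set", "HKCU/Editor/Recent", "report.txt"),
]


def run_sample():
    """Build the state the log describes, then run the pre-boot check against it."""
    state = SystemState()
    for b in SAMPLE_LOG:
        apply(state, b)
    return pre_boot_check(state, SAMPLE_LOG), state


if __name__ == "__main__":
    decision, final_state = run_sample()
    print(decision, final_state)
```

The rollback depends on each record capturing the prior value at the moment the behavior was logged; a logger that stores only the new value cannot restore overwritten file content, which is why the description insists on recording the complete track of every change. Undoing newest-first keeps a later overwrite from masking an earlier restored value, and the event binding by process lineage is what lets the benign editor's records survive while the whole dropper chain is removed.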
Preferably, in the dynamic recovery method, step one records all behaviors during the operation of the intelligent electronic device and arranges them in an operation log in chronological order.
Preferably, in the dynamic recovery method, the behaviors include: file modification behavior, memory-resident behavior, network activity behavior, registry change behavior, system log change behavior, mail system change behavior, kernel module change behavior, application program change behavior and API (application programming interface) hooking behavior. File modification behavior mainly includes the creation, rewriting, renaming, deletion, moving and attribute modification of files. Memory-resident behavior is recorded because viruses and other harmful programs usually make themselves memory-resident in some way, so describing the evolution of memory helps to reveal a virus and to identify that an attack has occurred. Network activity behavior: trojans, worms and hacker attacks all depend on network behavior, and changes in the network state of the system, including new connections, opened listening ports, data sent or received and the corresponding traffic, are important data for analyzing network security events. Registry change behavior: under Windows the registry directly affects the running of the system and is a place frequently accessed by viruses, trojans and hacker programs, so the evolution of the registry is one of the data required for analysis and recovery; registry changes are monitored by the kernel driver. System log change behavior: abnormalities of the system often show in the system log, and many hacker programs clear the system log in order to "eliminate the evidence", so the description of system log changes is also one of the required analysis data.
Mail system change behavior: many viruses and worms propagate by mail, so a description of the track of the system's mail system is one of the data required for analyzing worm viruses. Kernel module change behavior: many hacker programs load kernel modules through drivers, and driver-class malicious code is extremely harmful, almost "omnipotent"; analysis at the application layer alone clearly leaves large gaps and risks, so the evolution of the kernel must be monitored as well. The kernel driver enumerates all driver code and analyzes the associations of its main code and the functions it realizes, as one aspect of the file family, to ensure that the analysis of a trojan's file family omits nothing. Application program change behavior: certain system applications, such as userinit.exe and explorer.exe on Windows, are particularly favored by viruses and trojans, so the running trajectory of these programs must be closely monitored and described, especially the memory distribution of their threads and modules and gap code analysis. API hooking behavior: when a key API function of the system is hooked, the function of the system can be changed directly; recording and describing the hooking of key API functions is the basic foundation for describing trojan behavior.
Preferably, in the dynamic recovery method, the file modification behavior includes the copying, transmission, packing and downloading of all files in the event. The invention tracks files: when any program on the computer copies a file, copies it with encryption, transmits it over the network or transmits it with encryption, a signature is extracted when the file content is read and matched against the content written when a file is written, in order to determine that a file copy event occurred; or, on a network send, matched against the content sent, in order to determine that a network send event occurred. Through this process any file can be monitored to show which program copied it into which file, or where it was sent, from which IP address the file came and as which file it was saved, identifying the relations of copying, network reception and transmission between files. On this basis the behaviors occurring in the operating system are analyzed and completely extracted, which fully ensures the accuracy of behavior analysis and the integrity of evidence collection and protects the user's data well.
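As an added example of the file tracking just described (not the patent's own code), the Python sketch below fingerprints file content with SHA-256 when a file is read and matches later writes and network sends against that fingerprint, recording copy and transfer relations as the "file family" of each tracked file. The record layout, the constructed I/O stream and the TEST-NET destination address are assumptions.

```python
"""File copy and transfer tracking by content fingerprint.

Added example, not code from the patent.  When a file's content is read its
fingerprint is recorded; a later write of the same content to another path is a
copy, and a later network send of the same content is a transfer.  The record
layout, the constructed I/O stream and the destination address are assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IoRecord:
    ts: int            # time of occurrence (constructed tick)
    pid: int           # process performing the I/O
    op: str            # "read" | "write" | "send"
    data: bytes        # content read, written or sent
    path: str = ""     # file path for read/write
    dest: str = ""     # remote endpoint for send


@dataclass
class FileFamily:
    origin: str                                                          # path first seen being read
    copies: List[Tuple[int, int, str]] = field(default_factory=list)     # (ts, pid, path)
    transfers: List[Tuple[int, int, str]] = field(default_factory=list)  # (ts, pid, dest)


def fingerprint(data: bytes) -> str:
    """Content signature used to match a read against later writes and sends."""
    return hashlib.sha256(data).hexdigest()


def track(records: List[IoRecord]) -> Dict[str, FileFamily]:
    """Build the file family of every file whose content was read, keyed by fingerprint."""
    families: Dict[str, FileFamily] = {}
    for r in sorted(records, key=lambda x: x.ts):
        fp = fingerprint(r.data)
        if r.op == "read":
            families.setdefault(fp, FileFamily(origin=r.path))   # first read names the origin
            continue
        fam = families.get(fp)
        if fam is None:
            continue                       # content never read from a tracked file: not a copy
        if r.op == "write" and r.path != fam.origin:
            fam.copies.append((r.ts, r.pid, r.path))
        elif r.op == "send":
            fam.transfers.append((r.ts, r.pid, r.dest))
    return families


DOC = b"%PDF-1.4 constructed contract text"
OTHER = b"unrelated notes"

SAMPLE_IO = [  # constructed I/O stream
    IoRecord(1, 10, "read", DOC, path="C:/Docs/contract.pdf"),
    IoRecord(2, 10, "write", DOC, path="C:/Temp/c.pdf"),
    IoRecord(3, 10, "write", DOC, path="C:/Docs/contract.pdf"),   # rewrite in place, not a copy
    IoRecord(4, 11, "send", DOC, dest="198.51.100.7:443"),        # constructed TEST-NET-2 address
    IoRecord(5, 12, "write", OTHER, path="C:/Docs/notes.txt"),    # never read: ignored
]


def run_sample() -> List[FileFamily]:
    return list(track(SAMPLE_IO).values())


if __name__ == "__main__":
    for fam in run_sample():
        print(fam)
```

Matching on content rather than on names is what lets the relation answer "which program copied this file, and where was it sent" even after a rename. An encrypted copy or transfer changes the content, so for those the match has to be made at the read of the plaintext and attributed to the process that performed it, as the description does, rather than at the write or send.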
The invention also provides a dynamic recovery device for the operating system of an intelligent electronic device, comprising:
a logging module, which records all behaviors during the operation of the intelligent electronic device, arranges all behaviors in an operation log in chronological order, and uploads the operation log to a database;
the database, which receives the operation log and binds behaviors with relatedness in the operation log as one event;
a detection module, which pre-stores the signatures of malicious behavior, retrieves the operation log from the database, detects whether any behavior in the operation log contains a signature, treats a behavior containing a signature as a malicious behavior, and sends the malicious behavior to a controller;
the controller, which retrieves from the database the event corresponding to the malicious behavior and cancels all behaviors associated with that event.
In the invention, the logging module can monitor the behavior of a given process or thread through the kernel driver, and the process or thread can be mapped to a concrete .exe file or .dll module file. When the detection module finds a malicious behavior among the recorded behaviors, all related behaviors of the .exe file or .dll module file corresponding to that malicious behavior are further determined and cancelled, so that the operating system is restored to the state before the malicious behavior took effect.
Preferably, in the dynamic recovery device, before the operating system of the intelligent electronic device is started, the detection module detects malicious behavior among the behaviors in the operation log;
if a malicious behavior exists, the detection module sends the malicious behavior to the controller;
and the controller retrieves the event corresponding to the malicious behavior from the database, cancels all behaviors associated with that event, and restarts the operating system;
if no malicious behavior exists, the operating system is started.
The beneficial effects of the invention are as follows:
1. In the dynamic recovery method, all behaviors in the intelligent electronic device are recorded and searched for a malicious behavior; when one exists, all behaviors related to it are cancelled so that the device returns to the state before the malicious behavior intruded. By recording the operating behavior of the operating system, the method accurately determines all malicious behaviors, cancels them, returns the operating system to the state before it was affected, and thereby recovers the operating system dynamically according to the malicious behavior.
2. In the dynamic recovery method, the behaviors in the operating system are monitored as a whole and behaviors with relatedness are stored bound together as one event; when a malicious behavior is determined, the event related to it is extracted and, through that event, all behaviors related to the malicious behavior are determined and cancelled, which effectively prevents the malicious code that caused the behavior from hiding and thoroughly removes all malicious code from the device.
3. In the dynamic recovery device, the detection module traverses the behaviors recorded by the logging module and searches for and locates malicious behavior among all behaviors, after which the controller cancels the malicious behavior. The device has a simple structure, is easy to operate, locates and cancels malicious behavior quickly, and quickly eliminates the effect of malicious behavior on the operating system.
Description of the drawings
Fig. 1 is a flow chart of the dynamic recovery method for the operating system of an intelligent electronic device according to the invention;
Fig. 2 is a flow chart of the dynamic recovery method for the operating system of an intelligent electronic device according to one embodiment of the invention;
Fig. 3 is a workflow diagram of the dynamic recovery device for the operating system of an intelligent electronic device according to the invention;
Fig. 4 is a flow chart of the behavior recording performed by the logging module of the dynamic recovery device according to one embodiment of the invention;
Fig. 5 is a workflow diagram of the detection module of the dynamic recovery device according to one embodiment of the invention;
Fig. 6 is a workflow diagram of the dynamic recovery device according to one embodiment of the invention.
Detailed description of the invention
The invention is described in further detail below with reference to the drawings, so that those skilled in the art can implement it according to the description.
The invention discloses a dynamic recovery method for the operating system of an intelligent electronic device which, as shown in Fig. 1, comprises at least:
step one: recording all behaviors during the operation of the intelligent electronic device and generating a behavior list; treating the multiple thread behaviors or process behaviors caused by one thread or process as behaviors with relatedness, and binding and storing them as one event;
step two: pre-storing the signatures of malicious behavior, traversing the behavior list and detecting whether a malicious behavior exists in the operating system; if a malicious behavior exists, looking up the event associated with it and cancelling all behaviors associated with that event.
In this scheme, step one records all behaviors during the operation of the intelligent electronic device and arranges them in an operation log in chronological order.
In this scheme, the behaviors include: file modification behavior, memory-resident behavior, network activity behavior, registry change behavior, system log change behavior, mail system change behavior, kernel module change behavior, application program change behavior and API hooking behavior.
In this scheme, the file modification behavior includes the copying, transmission, packing and downloading of all files in the event.
As shown in Fig. 2, the dynamic recovery method for the operating system of an intelligent electronic device according to one embodiment of the invention comprises:
step one: recording all behaviors during the operation of the intelligent electronic device and generating a behavior list; treating the multiple thread behaviors or process behaviors caused by one thread or process as behaviors with relatedness, and binding and storing them as one event;
step two: pre-storing the signatures of malicious behavior; before the operating system of the intelligent electronic device is started, traversing the behavior list and detecting whether a malicious behavior exists in the operating system; if no malicious behavior exists, starting the operating system of the intelligent electronic device;
if a malicious behavior exists, looking up the event associated with it, cancelling all behaviors associated with that event, and restarting the operating system.
In this scheme, step one records all behaviors during the operation of the intelligent electronic device and arranges them in an operation log in chronological order.
In this scheme, the behaviors include: file modification behavior, memory-resident behavior, network activity behavior, registry change behavior, system log change behavior, mail system change behavior, kernel module change behavior, application program change behavior and API hooking behavior.
In this scheme, the file modification behavior includes the copying, transmission, packing and downloading of all files in the event.
As shown in Fig. 3, Fig. 4 and Fig. 5, the invention also provides a dynamic recovery device for the operating system of an intelligent electronic device, comprising:
a logging module, which records all behaviors during the operation of the intelligent electronic device, arranges all behaviors in an operation log in chronological order, and uploads the operation log to a database;
the database, which receives the operation log and binds behaviors with relatedness in the operation log as one event;
a detection module, which pre-stores the signatures of malicious behavior, retrieves the operation log from the database, detects whether any behavior in the operation log contains a signature, treats a behavior containing a signature as a malicious behavior, and sends the malicious behavior to a controller;
the controller, which retrieves from the database the event corresponding to the malicious behavior and cancels all behaviors associated with that event.
As shown in Fig. 6, the dynamic recovery device for the operating system of an intelligent electronic device according to one embodiment of the invention comprises:
a logging module, which records all behaviors during the operation of the intelligent electronic device, arranges all behaviors in an operation log in chronological order, and uploads the operation log to a database;
the database, which receives the operation log and binds behaviors with relatedness in the operation log as one event;
a detection module, which pre-stores the signatures of malicious behavior; before the operating system of the intelligent electronic device is started, the detection module retrieves the operation log from the database and detects whether any behavior in the operation log contains a signature; if a behavior contains a signature, it is treated as a malicious behavior and sent to a controller; if no malicious behavior exists, a report that no malicious behavior exists is sent to the controller;
the controller, which, on receiving a malicious behavior, retrieves from the database the event corresponding to it, cancels all behaviors associated with that event and restarts the operating system; on receiving the report that no malicious behavior exists, the controller starts the operating system directly.
Although embodiments of the invention are disclosed above, they are not restricted to the uses listed in the description and embodiments; the invention can be applied to various suitable fields, and other modifications are readily achieved by those skilled in the art. Therefore, without departing from the general concept defined by the claims and their range of equivalents, the invention is not limited to the specific details given.

Claims (9)

1. the Dynamic-Recovery method of intelligent electronic device operating system, it is characterised in that including:
All behaviors in step one, record intelligent electronic device running, store as an event using the described behavior binding with relatedness;
Step 2, travel through in this operating system of all behavioral value whether there is malicious act; If there is malicious act, search the event of this malicious act association, and cancel all behaviors that this event is associated.
2. the Dynamic-Recovery method of intelligent electronic device operating system as claimed in claim 1, it is characterised in that in described step one, the described behavior with relatedness refers to, a thread or the process multiple thread behaviors caused or process behavior.
3. the Dynamic-Recovery method of intelligent electronic device operating system as claimed in claim 2, it is characterised in that also include the condition code prestoring malignant activity;
When there is described condition code in a behavior, then the behavior is malignant activity.
4. the Dynamic-Recovery method of intelligent electronic device operating system as claimed in claim 3, it is characterised in that in described step 2, before the operating system starting described intelligent electronic device, detect in this operating system whether there is malicious act;
If the malicious act of being absent from, then start the operating system of described intelligent electronic device;
If there is malicious act, search the event of this malicious act association, and cancel all behaviors that this event is associated, restart described operating system.
5. the Dynamic-Recovery method of intelligent electronic device operating system as claimed in claim 4, it is characterised in that in described step one, all behaviors in record intelligent electronic device running, and described behavior is arranged in Operation Log sequentially in time.
6. the Dynamic-Recovery method of intelligent electronic device operating system as claimed in claim 1, it is characterized in that, described behavior includes: the HOOK behavior of file modification behavior, memory resident behavior, network activity behavior, registration table change behavior, system journal change behavior, mailing system change behavior, kernel module change behavior, application program change behavior and application programming interface.
7. the Dynamic-Recovery method of intelligent electronic device operating system as claimed in claim 6, it is characterised in that described file modification behavior includes the duplication of All Files in event described in, transmission, packing and download behavior.
8. A dynamic recovery device for an operating system of an intelligent electronic device, characterized in that it includes:
a logging module, which records all behaviors during operation of the intelligent electronic device; the logging module arranges all behaviors in an operation log in chronological order and uploads the operation log to a database;
the database, which receives the operation log and binds the behaviors in the operation log that have relatedness into one event;
a detection module, which prestores the feature code of malicious behavior; the detection module retrieves the operation log from the database, detects whether the feature code is present in any of the behaviors of the operation log, takes each behavior in which the feature code is present as a malicious behavior, and sends the malicious behaviors to a controller;
the controller, which retrieves the event corresponding to the malicious behavior from the database and cancels all behaviors associated with that event.
9. The dynamic recovery device for an operating system of an intelligent electronic device according to claim 8, characterized in that, before the operating system of the intelligent electronic device is started, the detection module detects malicious behaviors among the behaviors in the operation log;
if a malicious behavior exists, the detection module sends the malicious behavior to the controller;
the controller then retrieves the event corresponding to the malicious behavior from the database, cancels all behaviors associated with that event, and restarts the operating system;
if no malicious behavior exists, the operating system is started.
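A small Python model of the pipeline described by method claims 2 to 7 and device claims 8 and 9, added here as an illustration and not code from the patent or its applicant: a logging module records behaviors in time order, the database step binds related behaviors into one event, a detection module matches prestored feature codes, and a pre-boot controller cancels every behavior of each affected event before the system is allowed to start. Process-level relatedness (one event per process id), the feature-code values, the three behavior kinds modelled, and the sample log are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed feature codes (the "feature code" of claim 3); a behavior whose
# payload contains one of them is treated as malicious. Placeholder values.
FEATURE_CODES = [b"EVIL_SIG_01", b"HOOK:NtCreateFile"]


@dataclass
class Behavior:
    seq: int                   # position in the chronological operation log
    pid: int                   # process that caused the behavior (relatedness key)
    kind: str                  # "file_modify" | "registry_change" | "api_hook"
    target: str                # file path, registry key or hooked API name
    payload: bytes             # data written; scanned for feature codes
    before: Optional[bytes]    # prior state captured when applied, used to undo


class SystemState:
    """Minimal device state the controller can roll back (assumed model)."""
    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}
        self.registry: Dict[str, bytes] = {}
        self.hooks: Set[str] = set()


class OperationLog:
    """Logging module: applies a behavior to the state and records it in time order."""
    def __init__(self, state: SystemState) -> None:
        self.state = state
        self.entries: List[Behavior] = []

    def record(self, pid: int, kind: str, target: str, payload: bytes = b"") -> Behavior:
        st = self.state
        if kind == "file_modify":
            before = st.files.get(target)
            st.files[target] = payload
        elif kind == "registry_change":
            before = st.registry.get(target)
            st.registry[target] = payload
        elif kind == "api_hook":
            before = b"hooked" if target in st.hooks else None
            st.hooks.add(target)
        else:
            raise ValueError(f"unknown behavior kind {kind!r}")
        entry = Behavior(len(self.entries), pid, kind, target, payload, before)
        self.entries.append(entry)
        return entry


def bind_events(log: OperationLog) -> Dict[int, List[Behavior]]:
    """Database step: behaviors caused by the same process form one event."""
    events: Dict[int, List[Behavior]] = {}
    for b in log.entries:
        events.setdefault(b.pid, []).append(b)
    return events


def detect_malicious(log: OperationLog) -> List[Behavior]:
    """Detection module: any behavior carrying a feature code is malicious."""
    return [b for b in log.entries if any(c in b.payload for c in FEATURE_CODES)]


def undo(state: SystemState, b: Behavior) -> None:
    """Cancel one behavior by restoring the state captured before it ran."""
    if b.kind == "file_modify":
        if b.before is None:
            state.files.pop(b.target, None)
        else:
            state.files[b.target] = b.before
    elif b.kind == "registry_change":
        if b.before is None:
            state.registry.pop(b.target, None)
        else:
            state.registry[b.target] = b.before
    elif b.kind == "api_hook" and b.before is None:
        state.hooks.discard(b.target)


def pre_boot_check(log: OperationLog) -> Tuple[str, List[int]]:
    """Controller gate of claims 4 and 9: ("boot", []) when the log is clean;
    otherwise cancel every behavior of each affected event, newest first,
    and return ("restart", affected_pids)."""
    malicious = detect_malicious(log)
    if not malicious:
        return "boot", []
    events = bind_events(log)
    affected = sorted({b.pid for b in malicious})
    for pid in affected:
        for b in sorted(events[pid], key=lambda x: x.seq, reverse=True):
            undo(log.state, b)
    return "restart", affected


def demo() -> Tuple[str, List[int], SystemState]:
    """Constructed sample run: pid 100 is benign; pid 200 writes a binary that
    carries a feature code, adds a persistence key and installs an API hook."""
    state = SystemState()
    log = OperationLog(state)
    log.record(100, "file_modify", "/etc/hostname", b"device-01")
    log.record(200, "file_modify", "/usr/bin/updater", b"\x7fELF...EVIL_SIG_01...")
    log.record(200, "registry_change", r"HKLM\Run\updater", b"/usr/bin/updater")
    log.record(200, "api_hook", "NtCreateFile", b"HOOK:NtCreateFile")
    log.record(100, "file_modify", "/etc/hostname", b"device-02")
    decision, pids = pre_boot_check(log)
    return decision, pids, state


if __name__ == "__main__":
    d, p, s = demo()
    print(d, p, s.files, s.registry, sorted(s.hooks))
```

Two points the model makes visible. Binding by event is what lets the controller remove the persistence key and the hook, which carry no feature code themselves and would survive a per-behavior cleanup; only the binary write matches, but the whole event is cancelled. And rollback by restoring captured prior state is exact only while events do not interleave on the same target: if the benign process had written a file between two writes by the malicious process, undoing the latter would also discard the benign write, so a real implementation needs either target-level ordering or a versioned store.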
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN201610052269.3A (CN105630636A, en) | 2016-01-26 | 2016-01-26 | Dynamical recovery method and device for operating system of intelligent electronic device | Pending

Publications (1)

Publication Number | Publication Date
CN105630636A (en) | 2016-06-01

Family

ID=56045611

Country Status (1)

Country Link
CN (1) CN105630636A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1737722A (en) * | 2005-08-03 | 2006-02-22 | 珠海金山软件股份有限公司 | System and method for detecting and defending computer worm
US20100293615A1 (en) * | 2007-10-15 | 2010-11-18 | Beijing Rising International Software Co., Ltd. | Method and apparatus for detecting the malicious behavior of computer program
CN101944167A (en) * | 2010-09-29 | 2011-01-12 | 中国科学院计算技术研究所 | Method and system for identifying malicious program
CN101996287A (en) * | 2009-08-13 | 2011-03-30 | 财团法人资讯工业策进会 | Method and system for removing malicious software as well as computer program product and storage media
CN103853979A (en) * | 2010-12-31 | 2014-06-11 | 北京奇虎科技有限公司 | Program identification method and device based on machine learning

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106856477A (en) * | 2016-12-29 | 2017-06-16 | 北京奇虎科技有限公司 | A kind of threat treating method and apparatus based on LAN
CN106856477B (en) * | 2016-12-29 | 2020-05-19 | 北京奇虎科技有限公司 | Threat processing method and device based on local area network
CN106897168A (en) * | 2017-01-11 | 2017-06-27 | 广东小天才科技有限公司 | The system recovery method and device of a kind of mobile device
WO2019047104A1 (en) * | 2017-09-07 | 2019-03-14 | 深圳传音通讯有限公司 | Smart terminal-based usage state recording method and system
CN109472134A (en) * | 2017-12-25 | 2019-03-15 | 北京安天网络安全技术有限公司 | A kind of method and system based on API Calls sequential extraction procedures control terminal
CN109472134B (en) * | 2017-12-25 | 2022-04-19 | 北京安天网络安全技术有限公司 | Method and system for extracting control terminal based on API (application program interface) calling sequence
CN110443675A (en) * | 2019-06-27 | 2019-11-12 | 北京三快在线科技有限公司 | Determine method, apparatus, electronic equipment and the storage medium of order life-cycle

Similar Documents

Publication | Title
Martignoni et al. | A layered architecture for detecting malicious behaviors
US10984097B2 (en) | Methods and apparatus for control and detection of malicious content using a sandbox environment
US9230100B2 (en) | Securing anti-virus software with virtualization
CN104598809B (en) | Program monitoring method and defending method thereof, as well as relevant device
Moser et al. | Exploring multiple execution paths for malware analysis
CN102314561B (en) | Automatic analysis method and system of malicious codes based on API (application program interface) HOOK
CN105630636A (en) | Dynamical recovery method and device for operating system of intelligent electronic device
CN102902909B (en) | A kind of system and method preventing file to be tampered
US20200311260A1 (en) | Behavioral threat detection engine
CN108121914B (en) | Document divulgence protection tracking system
CN103927484B (en) | Rogue program behavior catching method based on Qemu simulator
US10853483B2 (en) | Identification device, identification method, and identification program
CN104598823A (en) | Kernel level rootkit detection method and system in Andriod system
CN104182688A (en) | Android malicious code detection device and method based on dynamic activation and behavior monitoring
CN102521543B (en) | Method for information semantic analysis based on dynamic taint analysis
CN104281808B (en) | A kind of general Android malicious act detection methods
US10783041B2 (en) | Backup and recovery of data files using hard links
US8037529B1 (en) | Buffer overflow vulnerability detection and patch generation system and method
CN101877039A (en) | Fault detection technology of server operating system
CN107273748A (en) | A kind of method that Android system Hole Detection is realized based on leak poc
CN102035847A (en) | User access behavior processing method and system and client
CN117453344A (en) | Container credibility enhancement mechanism based on Linux system call
Rana et al. | Automated Windows behavioral tracing for malware analysis
CN106709357A (en) | Kernel internal storage monitoring based vulnerability prevention system for Android platform
Zhang et al. | Hey, you, get off of my image: detecting data residue in android images

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 2016-06-01