CN105809033A - Malicious process processing method and device - Google Patents

Info

Publication number: CN105809033A
Authority: CN (China)
Prior art keywords: malicious, relation, monitored, filiation, relevant information
Legal status: Pending
Application number: CN201410844002.9A
Other languages: Chinese (zh)
Inventors: 张聪, 王亮, 熊昱之, 张晓霖
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201410844002.9A
Publication of CN105809033A

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a malicious process processing method and device in the technical field of computer software. The method comprises the following steps: determining, according to preset rules, whether a process relation contains malicious processes; and, when it does, determining the processing modes corresponding to those malicious processes. Because the object of the judgement is the process relation rather than a single process, malicious processes can be judged correctly and processed effectively.

Description

Malicious process processing method and device
Technical field
The present invention relates to the field of computer software technology, and in particular to a malicious process processing method and device.
Background technology
A malicious process is a process that performs a malicious act during its execution. A malicious act is behaviour that harms the user's interests, for example the behaviour of a malicious program such as a virus, worm or Trojan horse, or the behaviour of installing a bundled download program.
To process malicious processes they must first be identified. In the prior art, however, malicious processes are determined one process at a time: when a behaviour performed by a process matches a preset rule, that process is determined to be malicious. Each determination is made in isolation.
Suppose process A creates process B, process B creates process C, process B downloads a program and process C starts that program. Judged individually, the behaviour of each of A, B and C is normal, yet the combination of their behaviours is a malicious act. The prior art cannot intercept it, so malicious processes cannot be processed effectively.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a software purification installation device and a corresponding software purification installation method that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a malicious process processing device is provided. The device includes:
a relation establishing unit, adapted to establish the process relation of a process to be monitored, where the process relation includes the first processes associated with the process to be monitored and the relevant information of each process, the first processes being descendant processes of the process to be monitored;
a process judging unit, adapted to determine according to preset rules whether the process relation contains a malicious process and, when it does, to determine the processing mode corresponding to the malicious process;
a process processing unit, adapted to process the malicious process with the determined processing mode.
Optionally, the relevant information is information reflecting the behaviour performed by the process itself; or it is information reflecting the behaviour performed by the process and by the descendant processes it generates.
Optionally, the process judging unit is further adapted to determine at least two processes in the process relation to be malicious processes when the combination of those processes can complete a malicious act.
Optionally, the relation establishing unit is further adapted to determine the first processes associated with the process to be monitored, to determine the parent-child relationship (filiation) of each process, and to establish the process relation of the process to be monitored according to that relationship.
Optionally, the relation establishing unit is further adapted to set an inheritable label in each process and to determine the parent-child relationship of each process from the labels.
Optionally, the relation establishing unit is further adapted to determine the parent-child relationship of each process by command-line query.
Optionally, the process processing unit is further adapted to terminate the malicious process, or to forbid the malicious process from accessing the network.
Optionally, the process processing unit is further adapted to pop up a prompt window in the interface, the prompt window prompting the user to select an operation mode with which the malicious process is operated on; or, if the malicious process meets a preset condition, to intercept the behaviour of the process directly.
According to another aspect of the present invention, a malicious process processing method is provided. The method includes:
establishing the process relation of a process to be monitored, where the process relation includes the first processes associated with the process to be monitored and the relevant information of each process, the first processes being descendant processes of the process to be monitored;
determining according to preset rules whether the process relation contains a malicious process and, when it does, determining the processing mode corresponding to the malicious process;
processing the malicious process with the determined processing mode.
Optionally, the relevant information is information reflecting the behaviour performed by the process itself; or it is information reflecting the behaviour performed by the process and by the descendant processes it generates.
Optionally, determining according to preset rules whether the process relation contains a malicious process further includes: when the combination of at least two processes in the process relation can complete a malicious act, determining those at least two processes to be malicious processes.
Optionally, establishing the process relation of the process to be monitored includes: determining the first processes associated with the process to be monitored, determining the parent-child relationship of each process, and establishing the process relation of the process to be monitored according to that relationship.
Optionally, determining the parent-child relationship between the processes includes: setting an inheritable label in each process and determining the parent-child relationship of each process from the labels.
Optionally, determining the parent-child relationship between the processes includes: determining the parent-child relationship of each process by command-line query.
Optionally, processing the malicious process with the determined processing mode includes: terminating the malicious process, or forbidding the malicious process from accessing the network.
Optionally, processing the malicious process with the determined processing mode includes: popping up a prompt window in the interface, the prompt window prompting the user to select an operation mode with which the malicious process is operated on; or, if the malicious process meets a preset condition, intercepting the behaviour of the process directly.
The present invention determines according to preset rules whether the process relation contains a malicious process and, when it does, determines the processing mode corresponding to the malicious process. Because the object of the judgement is the process relation rather than a single process, malicious processes can be judged accurately and processed effectively.
Accompanying drawing explanation
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 is a flow chart of the steps of a malicious process processing method according to one embodiment of the invention;
Fig. 2 is a flow chart of the steps of a malicious process processing method according to one embodiment of the invention;
Fig. 3 is a structural block diagram of a malicious process processing device according to one embodiment of the invention.
Detailed description of the invention
Specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the present invention but do not limit its scope.
Fig. 1 is a flow chart of the steps of a malicious process processing method according to one embodiment of the invention. With reference to Fig. 1, the method includes:
S101: establishing the process relation of a process to be monitored, where the process relation includes the first processes associated with the process to be monitored and the relevant information of each process, the first processes being descendant processes of the process to be monitored;
It will be understood that while the process to be monitored runs it may generate one or more child processes, and those child processes may in turn generate further child processes. In this embodiment these child processes are called first processes; from the above, the first processes are descendant processes of the process to be monitored.
Processes fall into two types, system processes and application processes. Because system processes are generated by the computer system and usually include no malicious process, the process to be monitored is an application process; and because the first processes are descendants of the process to be monitored, they are also application processes.
S102: determining according to preset rules whether the process relation contains a malicious process and, when it does, determining the processing mode corresponding to the malicious process;
It will be appreciated that the determination of malicious processes in step S102 can be carried out in various ways. Two ways are given as examples below.
The first way is local implementation: the determination of malicious processes is completed locally. To achieve this, the preset rules are first stored locally; when a malicious process is to be determined, the determination is made directly according to the locally stored preset rules. Because this way completes locally, it works without a network connection and is relatively simple to implement.
The second way is cloud query: the determination of malicious processes is made through a query to the cloud. To achieve this, the preset rules are first stored on a cloud server; when a cloud query is made, the process relation is sent to the cloud server, the cloud server determines the malicious processes according to the preset rules it holds, and the malicious processes sent back by the cloud server are received. Because the determination is completed in the cloud, the preset rules need not be stored locally and the determination need not run locally, which saves local storage space and reduces local processing load.
Of course, other ways can also be used to implement step S102; the embodiment of the present invention does not limit this.
In this embodiment, when the malicious processes in the process relation are determined according to preset rules in step S102, a variety of rules may be used. This embodiment uses the following rule:
when the combination of at least two processes in the process relation can complete a malicious act, those at least two processes are determined to be malicious processes.
For example, suppose the process relation contains three processes X, Y and Z: process X generates process Y, process Y downloads a program, and process Z installs the program. Because the combination of the three processes X, Y and Z can complete a malicious act, the three processes X, Y and Z can be determined to be malicious processes.
Of course, other rules can also be used in step S102 to determine the malicious processes in the process relation; this embodiment does not limit this.
It will be understood that if the process relation included only the process to be monitored and its associated first processes, it would reflect only the relationship between those processes; which behaviours they perform would be unknown, and it would be impossible to judge whether the process relation contains a malicious process. The process relation therefore also needs to include the relevant information of each process, which reflects the behaviour of the process. In implementation, the relevant information can be of two types.
The first type of information is information reflecting the behaviour performed by the process itself.
For example, process A generates process B, process B generates process C, process B downloads a program, and process C executes that program. The relevant information of process A is then the information D_A reflecting the behaviour of generating a process, the relevant information of process B is the information D_B reflecting the behaviour of downloading a program, and the relevant information of process C is the information D_C reflecting the behaviour of executing a program.
According to the above rule, for the first type of information, if the combination of D_A, D_B and D_C is a malicious act, processes A, B and C are determined to be malicious processes.
The second type of information is information reflecting the behaviour performed by the process and by the descendant processes it generates.
For example, process A generates process B, process B generates process C, process B downloads a program, and process C executes that program. The relevant information of A is then D_A, D_B and D_C; the relevant information of B is D_B and D_C; and the relevant information of C is D_C.
According to the above rule, for the second type of information, if the combination of D_A, D_B and D_C is a malicious act, process A and its descendant processes B and C can be determined to be malicious processes.
Because the second type of information uses process backtracking, in which the behaviour performed by descendant processes is also labelled onto the process, the malicious process judgement only needs to examine the first M layers of processes of the process to be monitored (assuming process A generates process B and process B generates process C, then A is the first-layer process, B the second-layer process, C the third-layer process, and so on), which reduces the data volume of the process relation. M is an integer not less than 2.
The behaviour information can include the type of the process behaviour; the type identifies different operations, such as registry operations and network access operations.
It is of course understood that the relevant information may also include process description information, which is information describing the program corresponding to the process, for example the program ID and the program version number.
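To make the rule of this embodiment and the two types of relevant information concrete, the following Python is an added worked example; it is not code from the patent or from the assignee, and the process records, the behaviour names (create_process, download_program, execute_program), the rule name and all function names are constructed for the illustration. It builds the A, B, C relation of the text, evaluates the preset rule over type-1 information (each process's own behaviours, combined across the relation), then derives type-2 information by backtracking descendants' behaviours onto each ancestor and shows that the judgement then only needs the first M = 2 layers:

```python
"""Added illustration (not the patent's code) of judging a process relation
rather than single processes. All process records, behaviour names and the
preset rule below are constructed for the example."""
from collections import defaultdict

# Constructed sample relation: (pid, parent pid, behaviours performed by the
# process itself). A is the monitored application process; B and C are its
# descendants ("first processes" in the patent's terms).
SAMPLE_PROCESSES = [
    ("A", None, {"create_process"}),
    ("B", "A", {"create_process", "download_program"}),
    ("C", "B", {"execute_program"}),
]

# Constructed preset rule: these behaviours, spread over at least two
# processes of one relation, together form a malicious act. Judged one
# process at a time, none of the three records above would match it.
PRESET_RULES = [
    {"name": "create_download_execute",
     "behaviours": {"create_process", "download_program", "execute_program"}},
]


def build_relation(processes):
    """Return (children map, type-1 info map) for the relation."""
    children = defaultdict(list)
    type1 = {}
    for pid, ppid, behaviours in processes:
        type1[pid] = set(behaviours)
        if ppid is not None:
            children[ppid].append(pid)
    return children, type1


def subtree(children, pid):
    """All descendants of pid with their layer (pid itself is layer 1)."""
    out, stack = [], [(c, 2) for c in children.get(pid, [])]
    while stack:
        cur, layer = stack.pop()
        out.append((cur, layer))
        stack.extend((c, layer + 1) for c in children.get(cur, []))
    return out


def judge_type1(children, type1, root, rules):
    """Type-1 info: combine per-process behaviours across the whole relation.
    Returns [(rule name, sorted pids of the contributing processes)]."""
    members = [root] + [d for d, _ in subtree(children, root)]
    hits = []
    for rule in rules:
        contributing = [p for p in members if type1[p] & rule["behaviours"]]
        covered = set().union(*(type1[p] for p in contributing)) if contributing else set()
        if rule["behaviours"] <= covered and len(contributing) >= 2:
            hits.append((rule["name"], sorted(contributing)))
    return hits


def backtrack(children, type1):
    """Type-2 info: label each process with its own behaviours plus those of
    all its descendants (the patent's 'process backtracking')."""
    return {pid: type1[pid].union(*(type1[d] for d, _ in subtree(children, pid)))
            for pid in type1}


def judge_type2(children, type2, root, rules, m_layers=2):
    """With type-2 info the judgement only needs the first m_layers (M >= 2)
    of the relation: a record that already covers a rule marks that process
    and all of its descendants as malicious."""
    if m_layers < 2:
        raise ValueError("M must be an integer not less than 2")
    examined = [(root, 1)] + [x for x in subtree(children, root) if x[1] <= m_layers]
    hits = []
    for rule in rules:
        for pid, _ in examined:
            flagged = sorted([pid] + [d for d, _ in subtree(children, pid)])
            if rule["behaviours"] <= type2[pid] and len(flagged) >= 2:
                hits.append((rule["name"], flagged))
                break  # the first matching layer already covers its subtree
    return hits


if __name__ == "__main__":
    children, type1 = build_relation(SAMPLE_PROCESSES)
    print("type-1 judgement:", judge_type1(children, type1, "A", PRESET_RULES))
    type2 = backtrack(children, type1)
    print("type-2 records:", type2)
    print("type-2 judgement (M=2):", judge_type2(children, type2, "A", PRESET_RULES))
```

Both judgements flag A, B and C for the sample relation, while a relation consisting of a single process produces no hit under either one, which is the "at least two processes" condition of the rule. With type-2 records the judgement over layers 1 and 2 already reaches the same result as a walk of the whole relation, which is the data-volume saving the text attributes to backtracking.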
S103: processing the malicious process with the determined processing mode.
It should be noted that there are various processing modes for malicious processes. Four processing modes are described below.
The first processing mode is terminating the malicious process. The malicious processes handled with this mode are processes that run silently in the background: such a process runs without any user intervention and directly and silently performs its malicious act in the background, so for such a process the malicious process can simply be terminated.
The second processing mode is forbidding the malicious process from accessing the network. The malicious processes handled with this mode are processes that need network access (for example, a process that downloads and installs a bundled program). Because such a process needs the network to perform its malicious act, once it is forbidden from accessing the network it cannot perform the malicious act even if it is still running.
It should be noted that a process can be forbidden from accessing the network in various ways. Two ways are given as examples below.
The first way of forbidding network access is the firewall mode. Suppose process X must be forbidden from accessing the network: the firewall is configured first, and once configured the firewall stops process X from accessing the network.
The second way of forbidding network access is the port shutdown mode. Suppose process X must be forbidden from accessing the network. Because process X must receive and send messages through ports when it downloads and installs, and completes the download of the bundled software by sending a download request message, the ports process X needs for network access are first determined and their port numbers recorded. When process X must be forbidden from accessing the network, the ports corresponding to the recorded port numbers are closed directly. Because the ports are closed, process X can no longer send or receive messages from the local machine and therefore cannot access the network, so process X is forbidden from accessing the network.
It will be appreciated that forbidding network access here means forbidding this one process from accessing the network, not all processes; apart from the process that is forbidden, every other process can still use the network normally.
The third processing mode is popping up a prompt window in the interface, where the prompt window prompts the user to select an operation mode with which the malicious process is operated on. Because users have different needs, this processing mode gives the user room to choose: the user selects the operation mode for the malicious process. Since the user selects the operation mode, the malicious processes handled with this mode can be any malicious process.
It will be understood that, to make it easy for the user to select an operation mode, the prompt window can display the information of the malicious process together with an option button for each operation mode; when the user clicks an option button, the malicious process is operated on according to the operation mode corresponding to that button.
For example, the malicious process is a process that pops up the check-box dialog of bundled software. The prompt window displays the information of this process, an option button to intercept the process and an option button to allow the process to execute. If the user clicks the button to intercept the process, the process is intercepted directly and is not allowed to pop up the bundled-software check-box dialog, so that the user does not trigger it by mistake; if the user clicks the button to allow the process to execute, the process is allowed to execute and to pop up the bundled-software check-box dialog, which avoids the bundled installation.
It should be noted that, because this processing mode pops up a prompt window in the interface, a prompt window shown only in an ordinary window style could easily be overlooked by the user and would have no prompting effect. To make the prompt easier to notice, the prompt window can use a colour with a warning function, such as red, and a prompt tone can also be used to prompt the user further.
The fourth processing mode is intercepting the behaviour of the malicious process directly when the malicious process meets a preset condition. The malicious processes handled with this mode can be any malicious process: whenever the behaviour of the process meets the preset condition, the behaviour is intercepted directly.
For example, the malicious process is a process that pops up the check-box dialog of bundled software; its behaviour is to pop up the bundled-software check-box dialog. If the preset condition includes this behaviour, the behaviour is intercepted directly and the malicious process is not allowed to pop up the bundled-software check-box dialog.
As another example, the malicious process is a process that silently downloads and installs software; its behaviour is to download and install bundled software. If the preset condition includes this behaviour, the behaviour is intercepted directly and the malicious process is not allowed to silently download and install software.
Of course, other modes can also be used to process malicious processes; the embodiment of the present invention does not limit this.
This embodiment determines according to preset rules whether the process relation contains a malicious process and, when it does, determines the processing mode corresponding to the malicious process. Because the object of the judgement is the process relation rather than a single process, malicious processes can be judged accurately and processed effectively.
Fig. 2 is a flow chart of the steps of a malicious process processing method according to one embodiment of the invention. With reference to Fig. 2, the method includes:
S201: determining the first processes associated with the process to be monitored, determining the parent-child relationship of each process, and establishing the process relation of the process to be monitored according to that relationship, where the process relation includes the first processes associated with the process to be monitored and the relevant information of each process, the first processes being descendant processes of the process to be monitored;
It should be noted that the process relation of the process to be monitored can be established in various ways. To improve the efficiency of establishing it, this embodiment first determines the first processes associated with the process to be monitored and the parent-child relationship of each process, and then establishes the process relation of the process to be monitored according to that relationship.
Of course, other ways of establishing the process relation of the process to be monitored can also be used; the embodiment of the present invention does not limit this.
Step S201 can therefore be regarded as a preferred implementation of step S101 of the method shown in Fig. 1.
The parent-child relationship of each process can be determined in various ways. Two ways are given as examples below.
The first way is to set an inheritable label in each process and to determine the parent-child relationship of each process from the labels.
This way is illustrated with a specific example. When the first process A is generated, an inheritable label S_A is set in the first process A. If the first process A generates the second processes B and C, both B and C inherit the label S_A, from which it can be determined that the second processes B and C are child processes of the first process A, and thus the parent-child relationship between A, B and C is determined.
When the second processes B and C are generated, an inheritable label S_B is set in the second process B and an inheritable label S_C in the second process C. If the second process B generates the second process D and the second process C generates the second process E, then D inherits the label S_B and E inherits the label S_C, from which it can be determined that D is a child process of B and E is a child process of C.
By analogy, even if the second processes D and E continue to generate processes, the parent-child relationship of each process can be determined in the same way; this way determines the parent-child relationship of each process very simply and quickly.
It should be noted that the inheritable label can be a specific field or character string, or of course some other form; the embodiment of the present invention does not limit this.
The second way is to determine the parent-child relationship of each process by command-line query, that is, by querying the information that each process itself holds. Compared with the first way it takes longer and the determination process is more complex.
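As an added example (not code from the patent or the assignee), the following Python reconstructs the parent-child relationship of the A to E processes above from an inheritable label of the kind the first way describes, and places the parent-pid query of the second way beside it. The label scheme is an assumption: a process's label is the chain of markers inherited from its ancestors followed by its own marker, as an environment variable copied into every child would carry it. The records, marker names (S_A and so on), the init pid "1" and all function names are constructed.

```python
"""Added illustration (not the patent's code) of recovering the parent-child
relationship of processes from an inheritable label, beside the parent-pid
query it is compared with. The label scheme is an assumption: a process's
label is the chain of markers inherited from its ancestors followed by its
own marker, as an environment variable copied into each child would carry."""

# Constructed records as a monitor would collect them: pid -> label chain.
# ("S_A", "S_B", "S_D") says D was generated by B, which was generated by A.
SAMPLE_LABELS = {
    "A": ("S_A",),
    "B": ("S_A", "S_B"),
    "C": ("S_A", "S_C"),
    "D": ("S_A", "S_B", "S_D"),
    "E": ("S_A", "S_C", "S_E"),
}

# Constructed parent-pid records for the same processes, read after B has
# exited: D has been reparented to the (constructed) init pid "1".
SAMPLE_PPIDS = [("A", None), ("B", "A"), ("C", "A"), ("D", "1"), ("E", "C")]


def spawn(labels, parent, child, marker):
    """Model process creation under the label scheme: the child inherits the
    parent's chain and appends its own marker (parent None = new root)."""
    base = labels[parent] if parent is not None else ()
    labels[child] = base + (marker,)
    return labels[child]


def filiation_from_labels(labels):
    """First way: pid -> parent pid. The parent is the process whose chain is
    the child's chain without its last marker; roots, and processes whose
    parent record is missing, map to None."""
    by_chain = {chain: pid for pid, chain in labels.items()}
    return {pid: (by_chain.get(chain[:-1]) if len(chain) > 1 else None)
            for pid, chain in labels.items()}


def filiation_from_ppid(records):
    """Second way: pid -> parent pid as reported by each process's own
    parent-pid field (what a command-line query of the process returns)."""
    return {pid: ppid for pid, ppid in records}


def children_of(parents, pid):
    """Child pids of pid under a pid -> parent map."""
    return sorted(c for c, p in parents.items() if p == pid)


def relation_tree(parents, root):
    """Nested dict of the relation below root, e.g. {'B': {'D': {}}, 'C': {'E': {}}}."""
    return {c: relation_tree(parents, c) for c in children_of(parents, root)}


if __name__ == "__main__":
    by_label = filiation_from_labels(SAMPLE_LABELS)
    by_ppid = filiation_from_ppid(SAMPLE_PPIDS)
    print("from labels:", relation_tree(by_label, "A"))
    print("from ppid  :", relation_tree(by_ppid, "A"))
    labels = dict(SAMPLE_LABELS)
    spawn(labels, "D", "F", "S_F")
    print("after spawning F under D:", relation_tree(filiation_from_labels(labels), "A"))
```

The constructed parent-pid records show one reason an inherited label can be worth the extra bookkeeping: on Linux, when a parent exits, its children are reparented to init or to a subreaper, so a later query of D's parent-pid field returns "1" and the link from B to D is lost, while D's inherited chain still names B.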
S202: determining according to preset rules whether the process relation contains a malicious process and, when it does, determining the processing mode corresponding to the malicious process;
S203: processing the malicious process with the determined processing mode.
Steps S202 to S203 are identical to steps S102 to S103 of the embodiment shown in Fig. 1 and are not repeated here.
For brevity, the method embodiments are described as a series of combined actions, but those skilled in the art should know that the embodiments of the present invention are not limited by the described sequence of actions, because according to the embodiments some steps can be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in this description are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Fig. 3 is a structural block diagram of a malicious process processing device according to one embodiment of the invention. With reference to Fig. 3, the device includes:
a relation establishing unit 301, adapted to establish the process relation of a process to be monitored, where the process relation includes the first processes associated with the process to be monitored and the relevant information of each process, the first processes being descendant processes of the process to be monitored;
a process judging unit 302, adapted to determine according to preset rules whether the process relation contains a malicious process and, when it does, to determine the processing mode corresponding to the malicious process;
a process processing unit 303, adapted to process the malicious process with the determined processing mode.
In an optional embodiment of the present invention, the process judging unit is further adapted to determine at least two processes in the process relation to be malicious processes when the combination of those processes can complete a malicious act.
In an optional embodiment of the present invention, the relation establishing unit is further adapted to determine the first processes associated with the process to be monitored, to determine the parent-child relationship of each process, and to establish the process relation of the process to be monitored according to that relationship.
In an optional embodiment of the present invention, the relation establishing unit is further adapted to set an inheritable label in each process and to determine the parent-child relationship of each process from the labels.
In an optional embodiment of the present invention, the relation establishing unit is further adapted to determine the parent-child relationship of each process by command-line query.
In an optional embodiment of the present invention, the process processing unit is further adapted to terminate the malicious process, or to forbid the malicious process from accessing the network.
In an optional embodiment of the present invention, the process processing unit is further adapted to pop up a prompt window in the interface, the prompt window prompting the user to select an operation mode with which the malicious process is operated on; or, if the malicious process meets a preset condition, to intercept the behaviour of the process directly.
Because the device embodiment is essentially similar to the method embodiment, it is described relatively briefly; for the relevant details refer to the description of the method embodiment.
Embodiments of the invention disclose:
A1. A malicious process processing device, the device comprising:
A relation establishing unit, adapted to establish the process relation of a process to be monitored, the process relation including relevant information about the process to be monitored, the first process associated with the process to be monitored, and each process, the first process being a descendant process of the process to be monitored;
A process judging unit, adapted to determine, according to preset rules, whether the process relation contains a malicious process and, when it does, to determine the processing mode corresponding to that malicious process;
A process processing unit, adapted to process the malicious process using the determined processing mode.
A2. The method as described in A1, wherein the relevant information includes information reflecting the behaviour performed by this process; Or,
The relevant information includes information reflecting the behaviour performed by this process and by the descendant processes generated by this process.
A3. The device as described in any one of A1 to A2, wherein the process judging unit is further adapted to determine at least two processes in the process relation to be malicious processes when the combination of those at least two processes is able to complete a malicious act.
A4. The device as described in any one of A1 to A2, wherein the relation establishing unit is further adapted to determine the first process associated with the process to be monitored, determine the parent-child relationship of each process, and establish the process relation of the process to be monitored according to that parent-child relationship.
A5. The device as described in A3, wherein the relation establishing unit is further adapted to set an inheritable marker in each process and to determine the parent-child relationship of each process according to that marker.
A6. The device as described in A3, wherein the relation establishing unit is further adapted to determine the parent-child relationship of each process by querying the command line.
A7. The device as described in any one of A1 to A6, wherein the process processing unit is further adapted to terminate the malicious process;
Or,
To prohibit the malicious process from accessing the network.
A8. The device as described in any one of A1 to A6, wherein the process processing unit is further adapted to pop up a prompt window in the interface, the prompt window prompting the user to select an operation mode for acting on the malicious process;
Or,
If the malicious process satisfies a preset condition, to directly intercept the behaviour of that process.
B9. A malicious process processing method, the method comprising:
Establishing the process relation of a process to be monitored, the process relation including relevant information about the process to be monitored, the first process associated with the process to be monitored, and each process, the first process being a descendant process of the process to be monitored;
Determining, according to preset rules, whether the process relation contains a malicious process and, when it does, determining the processing mode corresponding to that malicious process;
Processing the malicious process using the determined processing mode.
B10. The method as described in B9, wherein the relevant information includes information reflecting the behaviour performed by this process; Or,
The relevant information includes information reflecting the behaviour performed by this process and by the descendant processes generated by this process.
B11. The method as described in any one of B9 to B10, wherein determining, according to preset rules, whether the process relation contains a malicious process further comprises:
When the combination of at least two processes in the process relation is able to complete a malicious act, determining those at least two processes to be malicious processes.
B12. The method as described in any one of B9 to B10, wherein establishing the process relation of the process to be monitored comprises:
Determining the first process associated with the process to be monitored, determining the parent-child relationship of each process, and establishing the process relation of the process to be monitored according to that parent-child relationship.
B13. The method as described in B12, wherein determining the parent-child relationship between the processes comprises:
Setting an inheritable marker in each process, and determining the parent-child relationship of each process according to that marker.
B14. The method as described in B12, wherein determining the parent-child relationship between the processes comprises:
Determining the parent-child relationship of each process by querying the command line.
B15. The method as described in any one of B9 to B14, wherein processing the malicious process using the determined processing mode comprises:
Terminating the malicious process;
Or,
Prohibiting the malicious process from accessing the network.
B16. The method as described in any one of B9 to B14, wherein processing the malicious process using the determined processing mode comprises:
Popping up a prompt window in the interface, the prompt window prompting the user to select an operation mode for acting on the malicious process;
Or,
If the malicious process satisfies a preset condition, directly intercepting the behaviour of that process.
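As an added example that is not code from the patent, the following Python sketches the three steps of B9 to B16 over constructed process records: building the process relation from parent-child links while propagating an inheritable marker (B12, B13), checking a preset rule that is satisfied only by the combined behaviour of at least two processes in the relation (B11), and choosing a processing mode (B15, B16). The behaviour labels, the rule, the pre-condition for direct interception and the sample processes are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from itertools import combinations

# Constructed preset rule: the malicious act is complete once ALL three behaviours
# appear in one process relation, even if no single process performs all of them.
PRESET_RULE = frozenset({"write_executable", "run_dropped_file", "outbound_connect"})

@dataclass
class Proc:
    pid: int
    ppid: int
    behaviors: frozenset                      # relevant information recorded per process
    marks: set = field(default_factory=set)   # inheritable markers (hypothetical field)

def sample_procs():
    """Constructed sample: an installer spawns a helper that spawns an updater; an
    unrelated browser also connects out (it must not be flagged on its own)."""
    return [
        Proc(100, 1, frozenset({"write_executable"})),
        Proc(101, 100, frozenset({"run_dropped_file"})),
        Proc(102, 101, frozenset({"outbound_connect"})),
        Proc(200, 1, frozenset({"outbound_connect"})),
    ]

def build_relation(monitored_pid, procs):
    """Monitored process plus every descendant via the parent-child (ppid) link.
    A marker set on the monitored process is copied to each child as it is linked."""
    by_pid = {p.pid: p for p in procs}
    root = by_pid[monitored_pid]
    root.marks.add(f"monitored:{monitored_pid}")
    relation, stack = [], [root]
    while stack:
        parent = stack.pop()
        relation.append(parent)
        for child in procs:
            if child.ppid == parent.pid:
                child.marks |= parent.marks        # inheritable marker
                stack.append(child)
    return relation

def find_malicious(relation, rule=PRESET_RULE):
    """Smallest combination of processes whose joint behaviours complete the rule
    (single process first, then pairs, ...); [] when the rule is not met."""
    for n in range(1, len(relation) + 1):
        for combo in combinations(relation, n):
            if rule <= frozenset().union(*(p.behaviors for p in combo)):
                return list(combo)
    return []

def choose_action(malicious):
    """Per-process mode: block network for processes that connect out, terminate the
    rest. Intercept directly when the constructed pre-condition holds (rule completed
    by a combination sharing the monitored marker), otherwise prompt the user."""
    if not malicious:
        return {"mode": "none", "per_process": {}}
    per_process = {p.pid: "block_network" if "outbound_connect" in p.behaviors
                   else "terminate" for p in malicious}
    shared = set.intersection(*(p.marks for p in malicious))
    direct = len(malicious) >= 2 and any(m.startswith("monitored:") for m in shared)
    return {"mode": "intercept" if direct else "prompt_user", "per_process": per_process}
```

Run against the sample, the browser process alone never satisfies the rule, while the installer lineage is flagged only because the three processes together complete it, which is the patent's point that the judged object is the relation rather than a single process.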
It should be noted that the components of the device of the present invention are logically partitioned according to the functions they implement; however, the present invention is not limited to this, and the components may be repartitioned or combined as required, for instance by combining several units into a single component or by further splitting some components into more sub-components.
The components of the embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program or a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The above embodiments are merely illustrative of the present invention and do not limit it; those of ordinary skill in the relevant technical field may make various changes and modifications without departing from the spirit and scope of the present invention; therefore all equivalent technical solutions fall within the scope of the present invention, and the scope of patent protection of the present invention shall be defined by the claims.

Claims (10)

1. A malicious process processing device, characterised in that the device comprises:
A relation establishing unit, adapted to establish the process relation of a process to be monitored, the process relation including relevant information about the process to be monitored, the first process associated with the process to be monitored, and each process, the first process being a descendant process of the process to be monitored;
A process judging unit, adapted to determine, according to preset rules, whether the process relation contains a malicious process and, when it does, to determine the processing mode corresponding to that malicious process;
A process processing unit, adapted to process the malicious process using the determined processing mode.
2. The method of claim 1, characterised in that the relevant information includes information reflecting the behaviour performed by this process; Or,
The relevant information includes information reflecting the behaviour performed by this process and by the descendant processes generated by this process.
3. The device of any one of claims 1 to 2, characterised in that the process judging unit is further adapted to determine at least two processes in the process relation to be malicious processes when the combination of those at least two processes is able to complete a malicious act.
4. The device of any one of claims 1 to 2, characterised in that the relation establishing unit is further adapted to determine the first process associated with the process to be monitored, determine the parent-child relationship of each process, and establish the process relation of the process to be monitored according to that parent-child relationship.
5. The device of claim 3, characterised in that the relation establishing unit is further adapted to set an inheritable marker in each process and to determine the parent-child relationship of each process according to that marker.
6. The device of claim 3, characterised in that the relation establishing unit is further adapted to determine the parent-child relationship of each process by querying the command line.
7. The device of any one of claims 1 to 6, characterised in that the process processing unit is further adapted to terminate the malicious process;
Or,
To prohibit the malicious process from accessing the network.
8. The device of any one of claims 1 to 6, characterised in that the process processing unit is further adapted to pop up a prompt window in the interface, the prompt window prompting the user to select an operation mode for acting on the malicious process;
Or,
If the malicious process satisfies a preset condition, to directly intercept the behaviour of that process.
9. A malicious process processing method, characterised in that the method comprises:
Establishing the process relation of a process to be monitored, the process relation including relevant information about the process to be monitored, the first process associated with the process to be monitored, and each process, the first process being a descendant process of the process to be monitored;
Determining, according to preset rules, whether the process relation contains a malicious process and, when it does, determining the processing mode corresponding to that malicious process;
Processing the malicious process using the determined processing mode.
10. The method of claim 9, characterised in that the relevant information includes information reflecting the behaviour performed by this process; Or,
The relevant information includes information reflecting the behaviour performed by this process and by the descendant processes generated by this process.
CN201410844002.9A 2014-12-30 2014-12-30 Malicious process processing method and device Pending CN105809033A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410844002.9A CN105809033A (en) 2014-12-30 2014-12-30 Malicious process processing method and device

Publications (1)

Publication Number Publication Date
CN105809033A true CN105809033A (en) 2016-07-27

Family

ID=56420096

Country Status (1)

Country Link
CN (1) CN105809033A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106650436A (en) * 2016-12-29 2017-05-10 北京奇虎科技有限公司 Safety detecting method and device based on local area network
CN106778232A (en) * 2016-12-26 2017-05-31 努比亚技术有限公司 A kind of information analysis method and electronic equipment
CN110598410A (en) * 2019-09-16 2019-12-20 腾讯科技(深圳)有限公司 Malicious process determination method and device, electronic device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350052A (en) * 2007-10-15 2009-01-21 北京瑞星国际软件有限公司 Method and apparatus for discovering malignancy of computer program
CN101944167A (en) * 2010-09-29 2011-01-12 中国科学院计算技术研究所 Method and system for identifying malicious program
CN102761458A (en) * 2011-12-20 2012-10-31 北京安天电子设备有限公司 Detection method and system of rebound type Trojan

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160727