CN106033513A - Method and device for detecting software - Google Patents
Publication number: CN106033513A (application CN201510111921.XA)
Authority: CN (China)
Prior art keywords: monitoring entity, entity, monitoring, merged, subelement
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention provides a method and a device for detecting software. The method and the device for detecting software combine a plurality of associated processes into a monitoring entity, and the monitoring entity is used as a monitoring unit. Through using the monitoring entity formed by the plurality of associated processes as the monitoring unit, defects of single process monitoring are prevented. Through comprehensive analysis on behaviors of all processes in the monitoring entity, a practical object of the behaviors of software can be effectively obtained, so as to accurately determine whether the software is malicious software. In addition, since a rule matching library used for rule matching is based on configuration files, the rule matching library has high flexibility, and rules can be maintained and updated through modification of the configuration files, so as to improve flexibility and accuracy of software detection.
Description
Technical field
The present application relates to the field of communications and computing, and in particular to a software detection method and device.
Background technology
Traditional malware detection schemes detect by scanning binary files and comparing their signatures (feature codes). This kind of detection has a certain lag: signature updates trail behind new malware, so it is difficult to achieve timely and efficient detection.
Dynamic behaviour detection can make up for the deficiencies of traditional scan-based detection: by monitoring the API (Application Programming Interface) calls that software makes in the system, it distinguishes software that is likely to be malware.
Some products already employ dynamic behaviour detection, but with limitations, and their detection results are not good. Products currently on the market generally monitor the API calls of an individual process: when a process is found to have invoked some sensitive API, such as an API that writes to the registry, the product reminds the user that the process is performing a risky operation. In effect this pushes the decision to the user, who must decide whether the software is malware. However, users often lack the knowledge needed for such decisions. Therefore, dynamic behaviour detection that relies solely on monitoring API calls cannot solve the problem at its root.
Summary of the invention
The object of the present application is to provide a software detection method and device capable of monitoring and analysing a plurality of associated processes.
In view of this, the application provides a software detection method, wherein the method includes:
merging several associated processes into one monitoring entity; and
comprehensively analysing the behaviour of all processes in the monitoring entity and performing rule matching.
Further, merging several associated processes into one monitoring entity includes:
obtaining the associated behaviour information of the process; and
according to the associated behaviour information of the process, selectively merging the process into the corresponding monitoring entity.
Further, selectively merging the process into the corresponding monitoring entity according to its associated behaviour information includes:
when the process is not a monitored process, not merging the process; or
when the process is a monitored process, merging the process into the corresponding monitoring entity.
Further, merging the process into the corresponding monitoring entity includes:
when the process belongs to an existing corresponding monitoring entity, merging the process into that monitoring entity; or
when the process does not belong to any existing monitoring entity, creating a new monitoring entity and merging the process into it.
Further, merging the process into the corresponding monitoring entity includes:
determining the logical type of the process within the corresponding monitoring entity; and
merging the process into the corresponding monitoring entity according to that logical type.
Further, the logical type of the process within the corresponding monitoring entity includes:
root process and subprocess.
Preferably, merging the process into the corresponding monitoring entity as a root process requires all of the following conditions to be satisfied:
the process is not a system process;
the process does not belong to any other existing monitoring entity;
the process is not in the white list; and
the process has not existed for longer than a set time.
Preferably, merging the process into the corresponding monitoring entity as a subprocess requires all of the following conditions to be satisfied:
the process was started by a process of a certain monitoring entity;
the process is not a system process;
the process is not in the white list; and
the process has not existed for longer than a set time.
Preferably, merging the process into the corresponding monitoring entity as a subprocess requires the following condition to be satisfied:
the process was injected by a process of a certain monitoring entity.
Further, classifying the process into the monitoring entity as a subprocess also includes:
determining the logical relationship between the process and the other processes in the monitoring entity; and
merging the process into the corresponding monitoring entity according to that logical type.
Further, comprehensively analysing the behaviour of all processes in the monitoring entity and performing rule matching includes:
analysing the behaviour of each process in the monitoring entity; and
performing rule matching on the behaviour of all processes in the monitoring entity.
Further, performing rule matching on the behaviour of all processes in the monitoring entity includes:
matching the monitoring entity against the white list; and
matching the monitoring entity against the rule matching library.
Further, the method also includes:
generating a detection result report according to the results of the comprehensive analysis and rule matching.
The application also provides a software detection device, wherein the device includes:
a first device for merging several associated processes into one monitoring entity; and
a second device for comprehensively analysing the behaviour of all processes in the monitoring entity and performing rule matching.
Further, the first device includes:
a first unit for obtaining the associated behaviour information of the process; and
a second unit for selectively merging the process into the corresponding monitoring entity according to the associated behaviour information of the process.
Further, the second unit includes:
a first subelement for not merging the process when the process is not a monitored process; or, when the process is a monitored process, merging the process into the corresponding monitoring entity.
Further, the first subelement includes:
a second-first subelement for merging the process into an existing corresponding monitoring entity when the process belongs to it; or, when the process does not belong to any existing monitoring entity, creating a new monitoring entity and merging the process into it.
Further, the second unit includes:
a second subelement for determining the logical type of the process within the corresponding monitoring entity.
Further, the logical type of the process within the corresponding monitoring entity includes:
root process and subprocess.
Preferably, the second subelement merges the process into the corresponding monitoring entity as a root process only when all of the following conditions are satisfied:
the process is not a system process;
the process does not belong to any other existing monitoring entity;
the process is not in the white list; and
the process has not existed for longer than a set time.
Preferably, the second subelement merges the process into the corresponding monitoring entity as a subprocess only when all of the following conditions are satisfied:
the process was started by a process of a certain monitoring entity;
the process is not a system process;
the process is not in the white list; and
the process has not existed for longer than a set time.
Preferably, the second subelement merges the process into the corresponding monitoring entity as a subprocess when the following condition is satisfied:
the process was injected by a process of a certain monitoring entity.
Further, the second subelement classifying the process into the monitoring entity as a subprocess also includes:
determining the logical relationship between this process and the other processes in the monitoring entity.
Further, the second device includes:
a third unit for analysing the behaviour of each process in the monitoring entity; and
a fourth unit for performing rule matching on the behaviour of all processes in the monitoring entity.
Further, the fourth unit includes:
a fourth subelement for matching the monitoring entity against the white list; and
a fifth subelement for matching the monitoring entity against the rule matching library.
Further, the device also includes:
a third device for generating a detection result report according to the results of the comprehensive analysis and rule matching.
Compared with the prior art, the software detection method and device described herein merge several associated processes into one monitoring entity and use the monitoring entity as the monitoring unit. By using a monitoring entity composed of several associated processes as the monitoring unit, the defects of single-process monitoring are avoided. Further, by comprehensively analysing the behaviour of all processes in the monitoring entity, the actual purpose of the software's behaviour can be obtained more effectively, so that whether the software is malware can be judged accurately. In addition, since the rule matching library used for rule matching is based on configuration files, it has a high degree of flexibility: rules can be maintained and upgraded by modifying the configuration files, which in turn improves the flexibility and accuracy of software detection.
Brief description of the drawings
Other features, objects and advantages of the application will become more apparent by reading the detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 illustrates a schematic diagram of the software detection device provided according to one aspect of the application;
Fig. 2 illustrates a schematic diagram of the first device provided according to a preferred embodiment of the application;
Fig. 3 illustrates a schematic diagram of a monitoring entity according to a preferred embodiment of the application;
Fig. 4 illustrates a schematic diagram of the second device provided according to a preferred embodiment of the application;
Fig. 5 illustrates a schematic diagram of the software detection device provided according to an embodiment of the application;
Fig. 6 illustrates a flow chart of the software detection method provided according to another aspect of the application;
Fig. 7 illustrates a flow chart of step S11 provided according to a preferred embodiment of the application;
Fig. 8 illustrates a flow chart of step S12 provided according to a preferred embodiment of the application;
Fig. 9 illustrates a flow chart of the software detection method provided according to a preferred embodiment of the application.
In the drawings, the same or similar reference numerals denote the same or similar components.
Detailed description of the invention
In a typical configuration of the application, the terminal, the device of the service network and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in computer-readable media, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
Fig. 1 illustrates a schematic diagram of the software detection device provided according to one aspect of the application, wherein the device includes a first device 11 and a second device 12.
The first device 11 merges several associated processes into one monitoring entity, and the second device 12 comprehensively analyses the behaviour of all processes in the monitoring entity and performs rule matching.
Here, the device 1 includes, but is not limited to, user equipment, a network device, or equipment formed by integrating user equipment with a network device through a network. The user equipment includes, but is not limited to, any mobile electronic product that can interact with the user through a touch pad, such as a smartphone, a PDA and the like; the mobile electronic product may run any operating system, such as the Android operating system or the iOS operating system. The network device includes an electronic device that can automatically perform numerical computation and information processing according to preset or stored instructions; its hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASICs), programmable gate arrays (FPGAs), digital signal processors (DSPs), embedded devices and the like. The network device includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud composed of multiple servers; here, the cloud is composed of a large number of computers or network servers based on cloud computing, where cloud computing is a form of distributed computing, a virtual supercomputer made up of a group of loosely coupled computers. The network includes, but is not limited to, the Internet, wide area networks, metropolitan area networks, local area networks, VPNs, wireless ad hoc networks (Ad Hoc networks) and the like. Those skilled in the art should understand that other touch-control devices are equally applicable to the application, should also be included within the scope of protection of the application, and are incorporated herein by reference.
The above devices work continuously. Here, those skilled in the art should understand that "continuously" means that the above devices operate in real time, or according to set or real-time-adjusted operating mode requirements: that is, after the first device 11 has merged several associated processes into one monitoring entity, the second device 12 continuously performs comprehensive analysis and rule matching on the behaviour of all processes in the monitoring entity, and so on, until the device 1 stops working.
Fig. 2 illustrates a schematic diagram of the first device provided according to a preferred embodiment of the application. Further, the first device 11 includes a first unit 101 and a second unit 102.
The first unit 101 obtains the associated behaviour information of the process; the second unit 102 selectively merges the process into the corresponding monitoring entity according to the associated behaviour information of the process.
Specifically, the first unit 101 intercepts the associated behaviour information of processes through a system driver, such as process creation and file creation events, and then, through a message distribution centre, distributes messages containing the associated behaviour information of a process to the second unit 102 for merging and analysis.
Then, after the second unit 102 receives a message containing the associated behaviour information of a process, it first selectively merges the process into the corresponding monitoring entity according to that associated behaviour information.
In the present embodiment, there may be several monitoring entities, and each monitoring entity is one monitoring unit. The number of processes contained in a monitoring entity is not limited; it varies with the analysis logic of the monitoring entity and with the associated processes involved. By using a monitoring entity composed of several associated processes as the monitoring unit, the defects of single-process monitoring are avoided. The logic by which processes are associated with one another is based on the customary means of real malware. Specifically, taking two commonly used means as examples:
One: malicious software usually creates a PE (Portable Executable) file after starting and launches this PE file to carry out the main steps of the malicious behaviour, so that the root process itself has done only two things, creating a PE file and starting a process, and it is therefore difficult to make a decision to kill the root process.
Two: malicious software injects itself into another process by way of remote injection and uses the injected process as the carrier for its malicious behaviour; since the injected process is usually a system process or an ordinary application process, it is likewise difficult to make a decision to kill it.
For situations like the above, processes can be associated through behaviours such as process start-up and injection, so as to maintain a number of monitoring entities; all process behaviours of one monitoring entity are analysed and judged in a unified way, so that the behaviours of malicious acts that malware deliberately splits across different processes are gathered together, which is more conducive to detection.
Further, the second unit 102 includes a first subelement (not shown), by which the second unit 102 selectively merges the process into the corresponding monitoring entity. Whether to merge is chosen according to whether the process is a monitored process. Specifically, if the process is not a monitored process, the first subelement does not merge it; or, if the process is a monitored process, the first subelement merges it into the corresponding monitoring entity.
Further, the first subelement includes a second-first subelement (not shown), which classifies the processes that need to be merged and merges them further. Specifically, when the process belongs to an existing corresponding monitoring entity, the second-first subelement merges the process into that monitoring entity; or, when the process does not belong to any existing monitoring entity, the second-first subelement creates a new monitoring entity and merges the process into it.
Specifically, the second unit 102 may also include a second subelement (not shown), which determines the logical type of the process within the corresponding monitoring entity. The logical type of the process within the corresponding monitoring entity includes: root process and subprocess.
The maintenance of a monitoring entity takes the root process as its starting point, so the creation of the root process is extremely important. If the selection logic for the root process is flawed, it causes performance overhead and false positives. After analysis, under reasonable creation logic, the second subelement merges the process into the corresponding monitoring entity as a root process only when all of the following conditions are satisfied simultaneously:
the process is not a system process;
the process does not belong to any other existing monitoring entity;
the process is not in the white list; and
the process has not existed for longer than a set time.
The association logic for subprocesses determines the effectiveness of a monitoring entity: associating too many processes causes false positives, while associating too few lowers the detection rate. Therefore, under reasonable association logic, the second subelement merges the process into the corresponding monitoring entity as a subprocess only when all of the following conditions are satisfied simultaneously:
the process was started by a process of a certain monitoring entity;
the process is not a system process;
the process is not in the white list; and
the process has not existed for longer than a set time.
Alternatively, the second subelement merges the process into the corresponding monitoring entity as a subprocess when the following condition is satisfied:
the process was injected by a process of a certain monitoring entity.
Here, "this process was injected by a process of a certain monitoring entity" means, for example, that this process has been injected into a process of a certain monitoring entity and executed there, or that a remote thread (Remote Thread) controlling a process of a certain monitoring entity has been created, and so on.
Here, when the second subelement classifies the process into the monitoring entity as a subprocess, it also determines the logical relationship between this process and the other processes in the monitoring entity.
Fig. 3 illustrates a schematic diagram of a monitoring entity 100 according to a preferred embodiment of the application. The monitoring entity 100 includes process 1, process 2, process 3 and process 4, wherein process 1 is the root process, process 2 and process 3 are subprocesses of process 1, and process 4 is a subprocess of process 3.
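The following is an added example, not code from the patent: a small Python model of how the second subelement applies the root-process and subprocess conditions above to process-creation and injection events, and of how it records the logical relationship between members, replaying the entity of Fig. 3. The event format, the white list, the system-process flag, the set-time threshold and all process names are constructed assumptions.

```python
"""Added example (not the patent's own code): maintaining monitoring entities
from process-creation and thread-injection events.  The event format, the
white list, the system-process flag and SET_TIME are constructed assumptions."""
from dataclasses import dataclass, field

SET_TIME = 60.0  # assumed threshold in seconds for the patent's "set time"


@dataclass
class ProcessInfo:
    pid: int
    image: str        # executable name, matched against the white list
    is_system: bool   # system processes are never roots or started subprocesses
    age: float        # seconds since the process was created


@dataclass
class MonitoringEntity:
    entity_id: int
    root_pid: int
    members: dict = field(default_factory=dict)  # pid -> "root" | "subprocess"
    parents: dict = field(default_factory=dict)  # pid -> pid that started/injected it


class EntityTracker:
    """Maintains the monitoring entities, looked up by process id, as events arrive."""

    def __init__(self, whitelist):
        self.whitelist = set(whitelist)
        self.entities = {}       # entity_id -> MonitoringEntity
        self.pid_to_entity = {}  # pid -> entity_id
        self._next_id = 1

    def entity_of(self, pid):
        return self.pid_to_entity.get(pid)

    def _eligible(self, proc):
        # Conditions shared by root and started-subprocess merging: not a
        # system process, not white-listed, not older than the set time.
        return (not proc.is_system
                and proc.image not in self.whitelist
                and proc.age <= SET_TIME)

    def _add_subprocess(self, ent_id, pid, parent_pid):
        ent = self.entities[ent_id]
        ent.members[pid] = "subprocess"
        ent.parents[pid] = parent_pid  # logical relationship inside the entity
        self.pid_to_entity[pid] = ent_id

    def on_process_start(self, parent, child):
        """'Create process' event captured by the driver.  Returns the entity id
        the child was merged into, or None when it is not merged."""
        if child.pid in self.pid_to_entity or not self._eligible(child):
            return None
        parent_entity = self.pid_to_entity.get(parent.pid)
        if parent_entity is not None:
            # Started by a process of an existing entity -> subprocess of it.
            self._add_subprocess(parent_entity, child.pid, parent.pid)
            return parent_entity
        # Belongs to no entity and passes the other root conditions, so a new
        # monitoring entity is created with this process as its root.
        ent = MonitoringEntity(self._next_id, child.pid)
        ent.members[child.pid] = "root"
        self.entities[ent.entity_id] = ent
        self.pid_to_entity[child.pid] = ent.entity_id
        self._next_id += 1
        return ent.entity_id

    def on_inject(self, injector_pid, target):
        """Thread-injection event.  The only condition the patent states for this
        path is that the injector belongs to a monitoring entity, so the target
        joins as a subprocess even when it is a system process."""
        ent_id = self.pid_to_entity.get(injector_pid)
        if ent_id is None or target.pid in self.pid_to_entity:
            return None
        self._add_subprocess(ent_id, target.pid, injector_pid)
        return ent_id


def demo_fig3():
    """Replay the entity of Fig. 3 (constructed sample): process 1 is the root,
    processes 2 and 3 are started by it, process 4 is started by process 3."""
    tracker = EntityTracker(whitelist={"updater.exe"})
    explorer = ProcessInfo(100, "explorer.exe", True, 3600.0)  # system parent
    p1 = ProcessInfo(1, "dropper.exe", False, 0.5)
    p2 = ProcessInfo(2, "payload.exe", False, 0.1)
    p3 = ProcessInfo(3, "loader.exe", False, 0.1)
    p4 = ProcessInfo(4, "worker.exe", False, 0.2)
    tracker.on_process_start(explorer, p1)  # new entity 1 with p1 as root
    tracker.on_process_start(p1, p2)
    tracker.on_process_start(p1, p3)
    tracker.on_process_start(p3, p4)
    return tracker


if __name__ == "__main__":
    for ent in demo_fig3().entities.values():
        print(ent)
```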
Further, the second unit 102 also includes a third subelement (not shown), which is used to maintain the monitoring entities. Specifically, the third subelement maintains the existing and newly created monitoring entities: the driver captures the relevant API calls for process creation and thread injection, and the monitoring entities are maintained and looked up by process identifier (ProcessID) and thread identifier (ThreadID).
Further, the second device 12 comprehensively analyses the behaviour of all processes in the monitoring entity and performs rule matching.
The comprehensive analysis and rule matching performed by the second device 12 is based on the monitoring entity: the processes in the monitoring entity are analysed to understand the low-level events performed by the software, which include starting processes, thread injection, hiding files, special API calls and the like. The main purpose of the comprehensive analysis and rule matching is to analyse the behavioural purpose of the monitoring entity rather than simple API calls, for example the root process that created the monitoring entity making itself start automatically, setting up a key logger to record the user's keyboard activity, or reading the user's sensitive information. Here, the analysis of behavioural purpose is a comprehensive analysis based on multiple simple events. The second device 12 first finds the corresponding monitoring entity by process identifier (ProcessID) and thread identifier (ThreadID), then performs the comprehensive analysis and rule matching, and thereby obtains the behaviour of the monitoring entity. For example, by analysing the parameters of a CreateFile (create file) API call, one behaviour of the monitoring entity can be obtained: creating a PE file.
Fig. 4 illustrates a schematic diagram of the second device provided according to a preferred embodiment of the application. The second device 12 includes a third unit 103 and a fourth unit 104.
The third unit 103 analyses the behaviour of each process in the monitoring entity; besides analysing these simple behaviours, the third unit 103 also has to analyse them comprehensively, obtaining the actual purpose of the monitoring entity through the comprehensive analysis. For example, when the processes of a monitoring entity exhibit three kinds of simple behaviour, a dangerous purpose of this monitoring unit can be inferred, namely hiding a suspicious PE file and starting it with the system without the user noticing. This behaviour is dangerous and normal software generally does not do it; it is the self-protection of malware. When several similar suspicious purposes appear, the software can be judged to be malware.
Then, the fourth unit 104 performs rule matching on the behaviour of all processes in the monitoring entity. The fourth unit 104 includes a fourth subelement (not shown) and a fifth subelement (not shown). The fourth subelement matches the monitoring entity against the white list; the fifth subelement matches the monitoring entity against the rule matching library. Here, the white list is a list library of non-malicious software, used to avoid rule matching producing false positives for software. The fifth subelement performs rule matching on the monitoring entity; since the rule matching library is based on configuration files, it has a high degree of flexibility, and rules can be maintained and upgraded by modifying the configuration files, which in turn improves the flexibility and accuracy of software detection.
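The following is an added example, not code from the patent: a Python sketch of the comprehensive analysis of the third unit 103 and the white-list and rule-library matching of the fourth unit 104, with a configuration-file rule library and a contrast against what single-process monitoring would see. The event format, the API-to-behaviour mapping, the configuration layout, the malware threshold and the sample events are constructed assumptions.

```python
"""Added example (not the patent's own code): merge the simple behaviours of all
processes of ONE monitoring entity, match them against a white list and a rule
library loaded from configuration text, and report a verdict.  The event
format, the behaviour mapping, the rule file and the sample are constructed."""
import json
from collections import defaultdict

# Assumed rule library as it could be kept in a configuration file: each rule
# names a behavioural purpose and the simple behaviours that must all appear
# somewhere in the entity for that purpose to be recognised.
RULE_CONFIG = """
{
  "whitelist": ["trusted_installer.exe"],
  "malware_threshold": 2,
  "rules": [
    {"purpose": "hidden_pe_started_with_system",
     "requires": ["create_pe_file", "set_hidden_attribute", "register_autostart"]},
    {"purpose": "keylogging",
     "requires": ["install_keyboard_hook"]},
    {"purpose": "sensitive_data_exfiltration",
     "requires": ["read_sensitive_file", "network_send"]}
  ]
}
"""


def event_to_behaviour(event):
    """Turn one captured API call into a simple behaviour (constructed mapping).
    Returns None for calls that mean nothing to the rule library."""
    api, args = event["api"], event["args"]
    path = args.get("path", "").lower()
    if api == "CreateFile" and path.endswith((".exe", ".dll")):
        return "create_pe_file"  # the CreateFile parameter analysis from the text
    if api == "SetFileAttributes" and "HIDDEN" in args.get("attributes", []):
        return "set_hidden_attribute"
    if api == "RegSetValue" and args.get("key", "").endswith("\\CurrentVersion\\Run"):
        return "register_autostart"
    if api == "SetWindowsHookEx" and args.get("hook") == "WH_KEYBOARD_LL":
        return "install_keyboard_hook"
    if api == "CreateFile" and path.endswith("login data"):
        return "read_sensitive_file"
    if api == "send":
        return "network_send"
    return None


def match_purposes(behaviours, config):
    """Rule matching: every purpose whose required behaviours are all present."""
    return [r["purpose"] for r in config["rules"] if set(r["requires"]) <= set(behaviours)]


def analyse_entity(entity_events, config_text=RULE_CONFIG):
    """Comprehensive analysis of all events of one monitoring entity; returns
    the detection result report as a dict."""
    config = json.loads(config_text)
    images = {ev["image"] for ev in entity_events}
    # Fourth subelement: white-list match first, to avoid false positives.
    if images & set(config["whitelist"]):
        return {"verdict": "whitelisted", "purposes": [], "behaviours": []}
    # Third unit: behaviours of every process are merged into one view.
    behaviours = {b for b in map(event_to_behaviour, entity_events) if b}
    purposes = match_purposes(behaviours, config)  # fifth subelement
    if len(purposes) >= config["malware_threshold"]:
        verdict = "malware"  # several suspicious purposes -> judged malware
    elif purposes:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "purposes": purposes, "behaviours": sorted(behaviours)}


def per_process_purposes(entity_events, config_text=RULE_CONFIG):
    """What single-process monitoring would see: the same rules applied to each
    process on its own, so behaviours split across processes never line up."""
    config = json.loads(config_text)
    by_pid = defaultdict(set)
    for ev in entity_events:
        b = event_to_behaviour(ev)
        if b:
            by_pid[ev["pid"]].add(b)
    return {pid: match_purposes(bs, config) for pid, bs in sorted(by_pid.items())}


# Constructed sample: the entity of Fig. 3 spreads one purpose over three
# processes (pid 1 drops the PE, pid 3 hides it, pid 4 registers autostart).
SAMPLE_EVENTS = [
    {"pid": 1, "image": "dropper.exe", "api": "CreateFile",
     "args": {"path": "C:\\Users\\u\\AppData\\svc.exe"}},
    {"pid": 3, "image": "loader.exe", "api": "SetFileAttributes",
     "args": {"path": "C:\\Users\\u\\AppData\\svc.exe", "attributes": ["HIDDEN"]}},
    {"pid": 4, "image": "worker.exe", "api": "RegSetValue",
     "args": {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}},
    {"pid": 4, "image": "worker.exe", "api": "SetWindowsHookEx",
     "args": {"hook": "WH_KEYBOARD_LL"}},
]

if __name__ == "__main__":
    print(analyse_entity(SAMPLE_EVENTS))
    print(per_process_purposes(SAMPLE_EVENTS))
```

Run on the sample, the entity-level analysis reaches two purposes and the malware verdict, while the per-process view of the same events finds at most the keylogging rule for pid 4.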
Fig. 5 illustrates a schematic diagram of the software detection device provided according to an embodiment of the application, wherein the device 1 includes a first device 11', a second device 12' and a third device 13'.
The content of the first device 11' and the second device 12' of the device 1 is identical or substantially identical to that of the first device 11 and the second device 12 shown in Fig. 1; for brevity it is not repeated here and is only incorporated into this embodiment by reference.
The third device 13' generates a detection result report according to the results of the comprehensive analysis and rule matching. For example, when the second device 12' detects that the software is malware, the third device 13' generates a detection result report to alert the user.
Fig. 6 illustrates a flow chart of the software detection method provided according to another aspect of the application, wherein the method includes step S11 and step S12.
In step S11, several associated processes are merged into one monitoring entity; in step S12, the behaviour of all processes in the monitoring entity is comprehensively analysed and rule matching is performed.
Fig. 7 illustrates a flow chart of step S11 provided according to a preferred embodiment of the application. Step S11 includes step S101 and step S102.
In step S101, the associated behaviour information of the process is obtained; in step S102, the process is selectively merged into the corresponding monitoring entity according to its associated behaviour information.
Specifically, in step S101, the associated behaviour information of processes is intercepted through a system driver, such as process creation and file creation events, and then, through a message distribution centre, messages containing the associated behaviour information of a process are distributed to the subsequent device for merging and analysis.
Then, in step S102, after a message containing the associated behaviour information of a process is received, the process is first selectively merged into the corresponding monitoring entity according to that associated behaviour information.
In the present embodiment, there may be several monitoring entities, and each monitoring entity is one monitoring unit. The number of processes contained in a monitoring entity is not limited; it varies with the analysis logic of the monitoring entity and with the associated processes involved. By using a monitoring entity composed of several associated processes as the monitoring unit, the defects of single-process monitoring are avoided. The logic by which processes are associated with one another is based on the customary means of real malware. Specifically, taking two commonly used means as examples:
One: malicious software usually creates a PE (Portable Executable) file after starting and launches this PE file to carry out the main steps of the malicious behaviour, so that the root process itself has done only two things, creating a PE file and starting a process, and it is therefore difficult to make a decision to kill the root process.
Two: malicious software injects itself into another process by way of remote injection and uses the injected process as the carrier for its malicious behaviour; since the injected process is usually a system process or an ordinary application process, it is likewise difficult to make a decision to kill it.
For situations like the above, processes can be associated through behaviours such as process start-up and injection, so as to maintain a number of monitoring entities; all process behaviours of one monitoring entity are analysed and judged in a unified way, so that the behaviours of malicious acts that malware deliberately splits across different processes are gathered together, which is more conducive to detection.
Further, in step S102, selecting to merge the process into the corresponding monitoring entity includes choosing whether to merge according to whether the process is a monitored process. Specifically, if the process is not a monitored process, the process is not merged; if the process is a monitored process, the process is merged into the corresponding monitoring entity. This further includes classifying the processes that need to be merged: when the process belongs to an existing corresponding monitoring entity, the process is incorporated into that monitoring entity; when the process does not belong to any existing monitoring entity, a new monitoring entity is created and the process is incorporated into it.
Specifically, step S102 may also include determining the logical type of the process within the corresponding monitoring entity. The logical type of a process within its monitoring entity is one of: root process and child process.
The maintenance of a monitoring entity takes the root process as its starting point, so the creation of the root process is very important. If the selection logic for the root process is flawed, it causes both wasted performance and misjudgement. Under creation logic found reasonable by analysis, the second subunit merges a process into the corresponding monitoring entity as a root process only when all of the following conditions are met at the same time:
the process is not a system process;
the process does not belong to any other existing monitoring entity;
the process is not in the whitelist; and
the process has not existed for longer than a set time.
The association logic for child processes determines the effectiveness of a monitoring entity: associating too many processes causes misjudgement, while associating too few causes the detection rate to drop. Under reasonable association logic, the second subunit merges a process into the corresponding monitoring entity as a child process when all of the following conditions are met at the same time:
the process was started by a process of a certain monitoring entity;
the process is not a system process;
the process is not in the whitelist; and
the process has not existed for longer than a set time.
Alternatively, the second subunit merges a process into the corresponding monitoring entity as a child process when the following condition is met:
the process was injected into by a process of a certain monitoring entity.
Here, classifying the process into the monitoring entity as a child process also includes the step of determining the logical relation between this process and the other processes in the monitoring entity.
Continuing with Fig. 3, the monitoring entity 100 includes process 1, process 2, process 3 and process 4, where process 1 is the root process, process 2 and process 3 are child processes of process 1, and process 4 is a child process of process 3.
Further, step S102 also includes maintaining the monitoring entity. Specifically, existing and newly created monitoring entities are maintained: the driver captures the API calls related to process creation and thread injection, and the monitoring entities are maintained and looked up by process identifier (ProcessID) and thread identifier (ThreadID).
Further, in step S12, the behaviour of all processes in the monitoring entity is comprehensively analysed and matched against rules.
In step S12, the comprehensive analysis and rule matching take the monitoring entity as their basis: the processes in the monitoring entity are analysed in order to understand the underlying events carried out by the software. These underlying events include process start, thread injection, file hiding, special API calls and the like. The main purpose of the comprehensive analysis and rule matching is to analyse the behavioural intent of the monitoring entity rather than individual API calls, for example the root process of a monitoring entity setting itself to start automatically, installing a key logger to record the user's keystrokes, or reading the user's sensitive information. Here, the analysis of behavioural intent is a comprehensive analysis built on multiple simple events. In step S12, the corresponding monitoring entity is first found by process identifier (ProcessID) and thread identifier (ThreadID); the comprehensive analysis and rule matching are then performed, and the behaviour of the monitoring entity is obtained. For example, by analysing the parameters of a CreateFile API call, one behaviour of the monitoring entity can be obtained: creating a PE file.
Fig. 8 illustrates a flow chart of step S12 provided according to a preferred embodiment of the application; step S12 includes step S103 and step S104.
In step S103, the behaviour of each process in the monitoring entity is analysed. Besides analysing these simple behaviours, step S103 also has to analyse them comprehensively, obtaining the actual purpose of the monitoring entity through the comprehensive analysis. For example, when the processes of a monitoring entity exhibit three simple behaviours, one dangerous purpose of this monitoring unit can be inferred: hiding a suspicious PE file and having it start together with the system without the user noticing. This behaviour is dangerous and normal software generally does not do it; it is the self-protection of malware. When several similar suspicious purposes occur, the software can be judged to be malware.
Then, in step S104, the behaviour of all processes in the monitoring entity is matched against rules. Step S104 includes a fourth subunit and a fifth subunit. The fourth subunit matches the monitoring entity against a whitelist; the fifth subunit matches the monitoring entity against a matching rule base. Here, the whitelist is a list of non-malicious software and is used to avoid misjudgement of software by the rule matching. The fifth subunit performs rule matching on the monitoring entity; because the matching rule base is built from a configuration file, it is highly flexible, and the rules can be maintained and upgraded by modifying the configuration file, which in turn improves the flexibility and accuracy of software detection.
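Steps S103 and S104 as an added example that is not the patent's own code: captured API calls (with their parameters) from the processes of one monitoring entity are reduced to simple behaviours, the behaviours of all processes are pooled, and purposes are derived from a rule base loaded from a configuration file, with the whitelist consulted first. The event format, the JSON rule file, the registry Run key used to recognise auto-start, and the "two purposes means malicious" threshold are assumptions chosen for illustration; the sample events are constructed.

```python
"""Added example (not the patent's own code): derive simple behaviours from
per-process API events, pool them over a monitoring entity, combine them
into purposes using rules read from a configuration file, and apply the
whitelist before the rule base. Event format, rule file and the threshold
are assumptions; the sample events are constructed."""
import json
from typing import List, Set

# Constructed rule base standing in for the configuration file the patent
# says the matching rule base is built from. Editing it changes detection
# without touching the code.
RULES_JSON = """
{
  "purposes": [
    {"name": "hidden_autostart_pe",
     "requires": ["create_pe_file", "hide_file", "autostart"]},
    {"name": "keylogging",
     "requires": ["install_keyboard_hook"]},
    {"name": "process_injection",
     "requires": ["remote_thread"]}
  ],
  "malicious_threshold": 2
}
"""
WHITELIST = {"backup-agent.exe"}   # assumed non-malicious root images

RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def simple_behaviour(event: dict) -> str:
    """Map one captured API call plus parameters to a simple behaviour.
    CreateFile is classified by the header written, as the text suggests
    for parameter analysis of CreateFile. Returns "" if uninteresting."""
    api, args = event["api"], event["args"]
    if api == "CreateFile" and args.get("header", b"")[:2] == b"MZ":
        return "create_pe_file"
    if api == "SetFileAttributes" and args.get("hidden"):
        return "hide_file"
    if api == "RegSetValue" and args.get("key", "").startswith(RUN_KEY):
        return "autostart"
    if api == "SetWindowsHookEx" and args.get("hook") == "WH_KEYBOARD_LL":
        return "install_keyboard_hook"
    if api == "CreateRemoteThread":
        return "remote_thread"
    return ""


def analyse_entity(events: List[dict]) -> Set[str]:
    """Step S103: the union of simple behaviours over every process of one
    entity, regardless of which pid produced each one."""
    return {b for b in (simple_behaviour(e) for e in events) if b}


def match_rules(root_image: str, behaviours: Set[str],
                rules_json: str = RULES_JSON) -> dict:
    """Step S104: whitelist first (fourth subunit), then the configurable
    rule base (fifth subunit). A purpose matches when all the behaviours it
    requires were observed somewhere in the entity."""
    if root_image in WHITELIST:
        return {"purposes": [], "malicious": False, "reason": "whitelisted"}
    cfg = json.loads(rules_json)
    purposes = [r["name"] for r in cfg["purposes"]
                if set(r["requires"]) <= behaviours]
    return {"purposes": purposes,
            "malicious": len(purposes) >= cfg["malicious_threshold"],
            "reason": "rules"}


# Constructed events for one monitoring entity; note that each of the three
# pids on its own shows at most two of the required behaviours.
SAMPLE_EVENTS = [
    {"pid": 1001, "api": "CreateFile",
     "args": {"path": "C:\\Users\\u\\AppData\\svc.exe", "header": b"MZ\x90\x00"}},
    {"pid": 1001, "api": "SetFileAttributes",
     "args": {"path": "C:\\Users\\u\\AppData\\svc.exe", "hidden": True}},
    {"pid": 1002, "api": "RegSetValue",
     "args": {"key": RUN_KEY + "\\svc", "value": "C:\\Users\\u\\AppData\\svc.exe"}},
    {"pid": 1003, "api": "SetWindowsHookEx", "args": {"hook": "WH_KEYBOARD_LL"}},
    {"pid": 1003, "api": "CreateFile",
     "args": {"path": "C:\\Users\\u\\notes.txt", "header": b"hello"}},
]


def run_sample(root_image: str = "dropper.exe") -> dict:
    """Analyse the constructed entity and return the rule-matching verdict."""
    return match_rules(root_image, analyse_entity(SAMPLE_EVENTS))
```

Run as written, the constructed entity matches two purposes (the hidden auto-start PE and the keyboard hook) and is judged malicious, while the same events under a whitelisted root image are not; evaluated per process, no single pid would have satisfied the three-behaviour rule, which is the point the text makes about behaviour split across processes.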
Fig. 9 illustrates a flow chart of a software detecting method provided according to a preferred embodiment of the application; the method includes step S11', step S12' and step S13'.
The content of step S11' and step S12' in this method is the same as, or essentially the same as, that of step S11 and step S12 shown in Fig. 6; for brevity it is not repeated here and is included in this embodiment by reference only.
In step S13', a detection result report is generated according to the results of the comprehensive analysis and rule matching. For example, when the software is detected in step S12' to be malware, the third device 13' generates a detection result report to remind the user.
Compared with the prior art, the software detecting method and device described herein merge several associated processes into one monitoring entity and use the monitoring entity as the unit of monitoring. By taking a monitoring entity composed of several associated processes as one monitoring unit, the defects of single-process monitoring are avoided.
Further, by comprehensively analysing the behaviour of all processes in the monitoring entity, the actual purpose of the software's behaviour can be obtained more effectively, and so whether the software is malware can be judged accurately.
In addition, because the matching rule base used for rule matching is built from a configuration file, it is highly flexible: the rules can be maintained and upgraded by modifying the configuration file, which in turn improves the flexibility and accuracy of software detection.
Obviously, a person skilled in the art can make various changes and modifications to the application without departing from its spirit and scope. Accordingly, if these changes and modifications fall within the scope of the claims of the application and their technical equivalents, the application is intended to include them as well.
It should be noted that the application can be implemented in software and/or in a combination of software and hardware, for example using an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In one embodiment, the software program of the application can be executed by a processor to realise the steps or functions described above. Likewise, the software program of the application (including the related data structures) can be stored in a computer-readable recording medium such as RAM memory, a magnetic or optical drive, a floppy disk or a similar device. In addition, some steps or functions of the application can be realised in hardware, for example as circuits that cooperate with a processor to perform each step or function.
In addition, part of the application can be applied as a computer program product, for example computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution of the application through the operation of that computer. The program instructions that invoke the method of the application may be stored in a fixed or removable recording medium, and/or transmitted by broadcast or as a data stream in another signal-bearing medium, and/or stored in the working memory of a computer device running according to those program instructions. Here, an embodiment of the application includes a device comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the device is triggered to run the method and/or technical solution according to the embodiments of the application described above.
It is obvious to a person skilled in the art that the application is not limited to the details of the exemplary embodiments above and that, without departing from the spirit or essential features of the application, the application can be realised in other concrete forms. Therefore, from whatever point of view, the embodiments are to be regarded as exemplary and not restrictive; the scope of the application is defined by the appended claims rather than by the description above, and all changes falling within the meaning and range of equivalency of the claims are intended to be included in the application. Any reference sign in a claim should not be regarded as limiting the claim concerned. Furthermore, it is clear that the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Several units or devices stated in a device claim may also be realised by one unit or device through software or hardware. Words such as "first" and "second" are used to denote names and do not indicate any particular order.
Claims (26)
1. A software detecting method, wherein the method includes:
merging several associated processes into one monitoring entity; and
comprehensively analysing and rule-matching the behaviour of all processes in the monitoring entity.
2. The method according to claim 1, wherein merging several associated processes into one monitoring entity includes:
obtaining the associated behaviour information of the process; and
selecting, according to the associated behaviour information of the process, to merge the process into the corresponding monitoring entity.
3. The software detecting method according to claim 2, wherein selecting, according to the associated behaviour information of the process, to merge the process into the corresponding monitoring entity includes:
when the process is not a monitored process, not merging the process; or
when the process is a monitored process, merging the process into the corresponding monitoring entity.
4. The software detecting method according to claim 3, wherein merging the process into the corresponding monitoring entity includes:
when the process belongs to an existing corresponding monitoring entity, incorporating the process into that monitoring entity; or
when the process does not belong to any existing monitoring entity, creating one monitoring entity and incorporating the process into that monitoring entity.
5. The method according to claim 3 or 4, wherein merging the process into the corresponding monitoring entity includes:
determining the logical type of the process within the corresponding monitoring entity; and
merging the process into the corresponding monitoring entity according to the logical type.
6. The method according to any one of claims 3 to 5, wherein the logical type of the process within the corresponding monitoring entity includes:
root process and child process.
7. The method according to claim 6, wherein merging the process into the corresponding monitoring entity as a root process satisfies the following conditions:
the process is not a system process;
the process does not belong to any other existing monitoring entity;
the process is not in the whitelist; and
the process has not existed for longer than a set time.
8. The method according to claim 6 or 7, wherein merging the process into the corresponding monitoring entity as a child process satisfies the following conditions:
the process was started by a process of a certain monitoring entity;
the process is not a system process;
the process is not in the whitelist; and
the process has not existed for longer than a set time.
9. The method according to claim 6 or 7, wherein merging the process into the corresponding monitoring entity as a child process satisfies the following condition:
the process was injected into by a process of a certain monitoring entity.
10. The method according to any one of claims 6 to 9, wherein classifying the process into the monitoring entity as a child process also includes:
determining the logical relation between the process and the other processes in the monitoring entity; and
merging the process into the corresponding monitoring entity according to the logical type.
11. The software detecting method according to any one of claims 1 to 10, wherein comprehensively analysing and rule-matching the behaviour of all processes in the monitoring entity includes:
analysing the behaviour of each process in the monitoring entity; and
rule-matching the behaviour of all processes in the monitoring entity.
12. The software detecting method according to claim 11, wherein rule-matching the behaviour of all processes in the monitoring entity includes:
matching the monitoring entity against a whitelist; and
matching the monitoring entity against a matching rule base.
13. The software detecting method according to any one of claims 1 to 12, wherein the method also includes:
generating a detection result report according to the results of the comprehensive analysis and rule matching.
14. A software detecting device, wherein the device includes:
a first device for merging several associated processes into one monitoring entity; and
a second device for comprehensively analysing and rule-matching the behaviour of all processes in the monitoring entity.
15. The device according to claim 14, wherein the first device includes:
a first unit for obtaining the associated behaviour information of the process; and
a second unit for selecting, according to the associated behaviour information of the process, to merge the process into the corresponding monitoring entity.
16. The software detecting device according to claim 15, wherein the second unit includes:
a first subunit for not merging the process when the process is not a monitored process, or for merging the process into the corresponding monitoring entity when the process is a monitored process.
17. The software detecting device according to claim 16, wherein the first subunit includes:
a second-first subunit for incorporating the process into the existing corresponding monitoring entity when the process belongs to it, or for creating one monitoring entity and incorporating the process into that monitoring entity when the process does not belong to any existing monitoring entity.
18. The device according to claim 16 or 17, wherein the second unit includes:
a second subunit for determining the logical type of the process within the corresponding monitoring entity.
19. The device according to any one of claims 16 to 18, wherein the logical type of the process within the corresponding monitoring entity includes:
root process and child process.
20. The device according to claim 19, wherein the second subunit merging the process into the corresponding monitoring entity as a root process satisfies the following conditions:
the process is not a system process;
the process does not belong to any other existing monitoring entity;
the process is not in the whitelist; and
the process has not existed for longer than a set time.
21. The device according to claim 19 or 20, wherein the second subunit merging the process into the corresponding monitoring entity as a child process satisfies the following conditions:
the process was started by a process of a certain monitoring entity;
the process is not a system process;
the process is not in the whitelist; and
the process has not existed for longer than a set time.
22. The device according to claim 19 or 20, wherein the second subunit merging the process into the corresponding monitoring entity as a child process satisfies the following condition:
the process was injected into by a process of a certain monitoring entity.
23. The device according to any one of claims 19 to 22, wherein the second subunit classifying the process into the monitoring entity as a child process also includes:
determining the logical relation between this process and the other processes in the monitoring entity.
24. The software detecting device according to any one of claims 14 to 23, wherein the second device includes:
a third unit for analysing the behaviour of each process in the monitoring entity; and
a fourth unit for rule-matching the behaviour of all processes in the monitoring entity.
25. The software detecting device according to claim 24, wherein the fourth unit includes:
a fourth subunit for matching the monitoring entity against a whitelist; and
a fifth subunit for matching the monitoring entity against a matching rule base.
26. The software detecting device according to any one of claims 14 to 25, wherein the device also includes:
a third device for generating a detection result report according to the results of the comprehensive analysis and rule matching.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201510111921.XA (published as CN106033513A) | 2015-03-13 | 2015-03-13 | Method and device for detecting software
Publications (1)
Publication Number | Publication Date |
---|---|
CN106033513A true CN106033513A (en) | 2016-10-19 |
Family
ID=57150689
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN106682495A | 2016-11-11 | 2017-05-17 | 腾讯科技(深圳)有限公司 | Safety protection method and safety protection device
CN109492391A | 2018-11-05 | 2019-03-19 | 腾讯科技(深圳)有限公司 | Application program defense method and device and readable medium
CN115220993A | 2022-04-20 | 2022-10-21 | 广州汽车集团股份有限公司 | Process monitoring method and device, vehicle and storage medium
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101350052A | 2007-10-15 | 2009-01-21 | 北京瑞星国际软件有限公司 | Method and apparatus for discovering malignancy of computer program
Legal Events
Code | Title | Description
---|---|---
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20161019