CN107103238A - System and method for protecting a computer system from malicious object activity - Google Patents
- Publication number: CN107103238A
- Application number: CN201710150404.2A
- Authority: CN (China)
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The invention discloses systems, methods and computer program products for protecting a computer from the activity of malicious objects. The method includes: monitoring execution events of one or more processes on the computer; identifying verifiable events among the monitored events, including file creation, modification or deletion events, system registry modification events, and network access events by processes executed on the computer; recording the identified verifiable events in separate file, registry and network event logs; performing a malware check on one or more software objects on the computer; if an object is determined to be malicious, identifying the events associated with the malicious object from the file, registry and network event logs; performing a rollback of the file events associated with the malicious object; performing a rollback of the registry events associated with the malicious object; and terminating the network connections associated with the malicious object.
Description
This application is a divisional application. Its parent is Chinese national application No. 201210050079.X, entitled "System and method for protecting a computer system from malicious object activity".
Technical field
The present disclosure relates generally to the field of computer security and, more specifically, to systems, methods and computer program products for protecting a computer system from the file, registry, system and network activity of malicious objects.
Background
Computer technology has reached a very high level of development. As it has developed, the amount of digital data has grown at an ever faster pace. At the same time, digital data is vulnerable and needs protection from malicious objects such as viruses, Trojan horses, worms, spyware and other types of malware.
Antivirus systems are used to protect information from malware; their basic task is to prevent the harmful activity of malicious objects. There are situations, however, in which an antivirus system cannot prevent malicious activity in a timely manner. This happens, for example, when new malware appears that the methods available to antivirus systems cannot detect, because those systems know nothing about the new malware. In another situation, the malware bypasses the antivirus system by exploiting weaknesses of the operating system or shortcomings of the antivirus system itself.
Malware that has penetrated a computer system can exhibit different types of malicious activity: file activity, registry activity, system activity and network activity. During malicious file activity, a malicious object can perform different operations on files, such as removing or modifying them or creating new files. Malicious registry activity typically includes creating, modifying or removing registry parameters and values. Many cases of registry activity are known; for example, a malicious object changes registry parameters so that the malware is launched automatically (auto-launch) when the operating system loads. Malicious system activity may occur when malware starts or stops processes in the computer system, or when it starts new execution threads in system or program processes. Malicious network activity typically includes the creation of new network connections by malicious objects.
Using these malicious activities, malware can penetrate a computer system and gain access to the data stored on it. Accordingly, there is a need to detect malicious activity and to restore data that it has damaged, modified or moved.
Summary of the invention
Disclosed herein are systems, methods and computer program products for protecting a computer from the file, registry, system and network activity of malicious objects. In one exemplary embodiment, the system includes an anti-virus database and a verifiable event database. The anti-virus database contains information about known malicious objects. The verifiable event database contains a list of verifiable events, which include at least file creation, modification or deletion events; system registry creation, modification or deletion events; and network access events by processes executed on the computer. The system also includes a data collection module operable to monitor execution events of one or more processes on the computer; to identify verifiable events among the monitored events, based on the list of verifiable events contained in the verifiable event database; and to record the identified verifiable events in separate file, registry and network event logs held in memory.
The system also includes an anti-virus module configured to perform a malware check on one or more software objects on the computer, using the information about known malicious objects contained in the anti-virus database. If an object is determined to be malicious, the anti-virus module identifies, from the network event log, one or more network events associated with the malicious object and terminates the one or more network connections established by the malicious object. The system also includes a recovery module configured, if an object is determined to be malicious, to identify from the file and registry event logs one or more file and registry events associated with the malicious object, and to perform a rollback of those file and registry events.
In one exemplary embodiment, a method for protecting a computer from malware includes: monitoring execution events of one or more processes on the computer; identifying verifiable events among the monitored events, where the verifiable events include file creation, modification or deletion events, system registry creation, modification or deletion events, and network access events by processes executed on the computer; recording the identified verifiable events in separate file, registry and network event logs; performing a malware check on one or more software objects on the computer; if an object is determined to be malicious, identifying the events associated with the malicious object from the file, registry and network event logs; performing a rollback of the file events associated with the malicious object; performing a rollback of the registry events associated with the malicious object; and terminating the network connections associated with the malicious object.
The above simplified summary of exemplary embodiments serves to provide a basic understanding of the invention. This summary is not an extensive overview of all contemplated aspects of the invention, and is intended neither to identify key or critical elements of all embodiments nor to delineate the scope of any or all embodiments. Its sole purpose is to present one or more embodiments in simplified form as a prelude to the more detailed description of the invention that follows. To the accomplishment of the foregoing, the one or more embodiments comprise the features described and particularly pointed out in the claims.
Brief description of the drawings
The accompanying drawings, which are incorporated into and constitute a part of this specification, illustrate one or more exemplary embodiments of the invention and, together with the detailed description, serve to explain the principles and implementation of those embodiments.
In the accompanying drawings:
Fig. 1 shows a schematic diagram of a malware protection system according to one exemplary embodiment;
Fig. 2 shows an operation diagram of the malware protection system according to another exemplary embodiment;
Fig. 3 shows an operation diagram of the malware protection system according to another exemplary embodiment;
Figs. 4A-4E show operating algorithms of the malware protection system according to various exemplary embodiments;
Fig. 5 shows a schematic diagram of a computer system according to one exemplary embodiment.
Detailed description of embodiments
Exemplary embodiments of the invention are described herein in the context of systems, methods and computer program products for protecting a computer from malware. Those of ordinary skill in the art will recognize that the following description is illustrative only and is not intended to be limiting in any way. Other embodiments will readily suggest themselves to those skilled in the art having the benefit of this disclosure. Reference will now be made in detail to implementations of the exemplary embodiments of the invention as illustrated in the accompanying drawings. The same reference numerals are used, as far as possible, throughout the drawings and the following description to refer to the same or similar items.
Fig. 1 shows a schematic diagram of a malware protection system 100 according to one exemplary embodiment. System 100 can be implemented as a software application deployed on a personal computer or a network server, which is described in more detail with reference to Fig. 5 below. In one exemplary embodiment, system 100 includes an anti-virus module 120, which performs an anti-virus check of software objects 110. The software objects 110 include objects 111, 112 and 113, such as system and program files, scripts and other executable program code running on the personal computer or server on which system 100 is deployed. Object 112 among the software objects 110 is malicious. In one exemplary embodiment, the anti-virus module 120 can be a program module that uses drivers to interact with the kernel of the operating system of the computer on which system 100 is deployed. The anti-virus module 120 can use different malware detection techniques, such as signature checking, heuristic and behavioral analysis, or other methods of analyzing objects 110.
Signature checking is based on comparing the byte code of the analyzed object 110 with the code of different malicious objects stored as malware signatures. When searching for malicious objects, heuristic analysis uses an analysis engine that applies flexibly set patterns, for example patterns described using fuzzy logic. Behavioral analysis, in a particular case, is based on observing system events. Whether an object is malicious is determined from its behavior in the system, within the framework of rules set for malware behavior.
During the anti-virus check of objects 110, the anti-virus module 120 can also check the processes and threads started during the execution of these objects. When analyzing objects 110 and the associated processes and threads, the anti-virus module 120 can use the malware signatures and behavior signatures contained in the anti-virus database 121. The signature of a malicious object is a byte sequence that is compared with the program code of the object being checked. In one example, a signature can take the form of a checksum, which is created for each malicious object and stored in the anti-virus database 121. In this case, the anti-virus module 120 can compare the checksum of the analyzed object with the signatures of known malicious objects. A match indicates that the analyzed object is malicious.
A behavior signature contains information about the possible behavior of potentially malicious objects, such as launching system functions, accessing registry data, and so on. The anti-virus module 120 can monitor the behavior of objects 110 and of the related processes and threads; if the behavior of an object is similar to the behavior signature of a known malicious object from the anti-virus database 121, the monitored object 112 is considered malicious.
In one exemplary embodiment, if the anti-virus module 120 detects the malicious object 112, it sends identification information about the malicious object to the data collection module 150. The identification information can include the path to the malicious object 112, the name of the object or, for example, the checksum of the malware. In addition, the anti-virus module 120 can request that the data collection module 150 provide information about the system activity associated with the execution of the identified malicious object 112, in order to detect any related malicious processes and threads associated with the malicious object.
In another exemplary embodiment, the anti-virus module 120 can also send information about detected malware over the Internet 180 to a remote central anti-virus server (not shown). The anti-virus server can in turn distribute the information about detected malicious objects to other malware protection systems that have access to that server. Through the central anti-virus server, malware information is exchanged between the malware protection systems 100 deployed on different computers in the network, which can prevent the spread of new malware.
When the anti-virus module 120 detects dangerous system activity, for example a dangerous process started by object 112 or a dangerous thread that object 112 started inside another process, the anti-virus module 120 is configured to terminate that activity. In particular, the anti-virus module 120 terminates the execution of the dangerous process or thread and sends the data collection module 150 identification information about the malicious object 112 that started the process or thread.
In one exemplary embodiment, the data collection module 150 is configured to monitor the activity performed by different objects 110 and to collect the history of object activity in file, registry and other event logs 152-154. For example, during the execution of objects 110, such as objects 111, 112 and 113, these objects can start processes that modify files (file activity), change the registry (registry activity) and/or create network connections (network activity). The data collection module 150 is configured to record the history of this activity. In one exemplary embodiment, the data collection module 150 can refer to the verifiable (auditable) event database 151 to obtain the list of events that should be monitored. The list of verifiable events 151 includes, but is not limited to, file creation, modification and deletion events, registry change events, process or thread creation events, network connection creation events, and other events that may be characteristic of malicious activity. In addition to collecting event data, the data collection module 150 can also identify parent-child relationships between different objects by tracking which process loaded which file and when, and which process generated which process and when.
In one of these embodiments, the data collection module 150 can monitor all the system events identified in the verifiable event database 151 and/or the events associated with particular objects. The data collection module 150 can include an indexed list of the software objects 110 monitored by the malware protection system 100, such as system addresses. For monitored objects, the data collection module 150 can record in event logs 152-154 the events of file creation, removal or change, the events of registry value creation, removal or change, and other events indicated in the verifiable event database 151. For example, if some object in the computer system creates a file in an operating system folder, and the anti-virus module 120 has not determined that the object is malicious, the data collection module 150 can record this event, so that it is known which file was created by which object. If a later anti-virus check finds that the file was created by a malicious object, the recovery module 160 can remove it, as described in more detail below.
In one exemplary embodiment, the data collection module 150 maintains separate logs for different types of verifiable events, such as a file event log 152 and a registry event log 153, which store information about the file and registry activity of monitored objects. In other embodiments, system 100 can also keep logs 154 of other events, such as user activity events, data input-output events, network activity events and so on. In this way, system 100 can collect the history of the system, file, registry and network activity of different objects.
In one exemplary embodiment, the file event log 152 can include the identifier of the object that performed the file activity (for example, a file name or a process or thread identifier), the type of file activity (for example, creation of a new file, modification of a file, removal of a file) and the identifier of the file on which the operation was performed. The file identifier can be implemented as, for example, the file path, the checksum of the file, or the checksum of the file path.
In one exemplary embodiment, the registry event log 153 can include the identifier of the object that performed the registry activity, the type of registry activity (for example, creation of a new registry parameter, change of a registry parameter value, removal of a registry parameter or value) and the name of the registry parameter on which the operation was performed.
In one exemplary embodiment, the network event log 154 can include the identifier of the object that performed the network activity (for example, a file name or a process or thread identifier), the type of network activity (for example, creation of a new network connection, the port number or type of the network connection, such as TCP, UDP or FTP) and the type of data transmitted or received over the established connection (for example, the identifier of the file received or transmitted). The file identifier can be implemented as, for example, the file path, the checksum of the file, or the checksum of the file path.
In one exemplary embodiment, the verifiable event database 151 and the anti-virus database 121 can be updated regularly. The anti-virus database 121 can be updated periodically as new threats appear, so that the anti-virus module 120 can reliably detect malicious objects and other threats in a timely manner. The list of verifiable events stored in database 151 should also be updated periodically, to ensure that new malicious activity can be monitored by the malware protection system. Databases 121 and 151 can be updated by the update module 170, which uses a connection to the Internet 180 to download the latest versions of the anti-virus definitions and verifiable events from the central anti-virus server. The update module 170 can be implemented as a software module based on a network adapter that provides the network connection.
In one exemplary embodiment, when the anti-virus module 120 detects the malicious object 112 during a routine malware check, module 120 passes information about the malicious object 112 to the data collection module 150. Module 150 extracts information about the file, registry and network activity of the malicious object 112 from the file event log 152, the registry event log 153 and the network event log 154. In addition, module 150 identifies all file, registry and network activity associated with all parent and child processes and execution threads generated by object 112. Module 150 then sends this information to the recovery module 160. Based on the received information, the recovery module 160 determines which files or registry parameters need to be removed, if new files or registry parameters were created, and which files or registry parameters need to be restored, if they were modified or removed.
In one exemplary embodiment, the recovery module 160, having received the data from the data collection module 150, performs a rollback of the file and registry events associated with the malicious object. For example, the recovery module 160 can delete all new non-system files and registry parameters created by the malicious object 112. If any files or registry values were modified, or any files, registry values or parameters were removed, the original files, registry values and parameters are restored. For the original file and registry data, the recovery module 160 can refer to the file backup database 161 and the registry backup database 162. In other embodiments, system 100 can also include other backup databases 163, for example for other types of data such as user data.
In one exemplary embodiment, the file backup database 161 can contain copies of files 130 that are of special importance for the operation of the computer system on which system 100 is deployed. Such files can include system files, for example ntoskrnl.exe, ntdetect.com, hal.dll, boot.ini and other files of NT-family operating systems. In addition, the file backup database 161 can also store other files whose integrity is important to the computer system or its user. The registry backup database 162 can contain copies of registry data 140 that affect the operation of the operating system.
To restore the files 130 and registry data 140 of the computer system, the recovery module 160 processes the data received from the data collection module 150 and obtains information about the files or registry parameters that were modified or removed. The recovery module 160 then looks up the corresponding files and registry parameters in backup databases 161 and 162. If such files and registry data are found, the recovery module 160 restores the files and registry data that were modified or removed by the malicious object.
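The following Python sketch is an added example, not code from the patent: it models the separate file, registry and network event logs, the parent/child tracking, and the derivation of a rollback plan once an object is found malicious. All class and function names, the in-memory data structures and the sample events are assumptions constructed for illustration; the code only computes a plan and changes nothing on the system.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    actor: str   # identifier of the object that performed the activity
    action: str  # "create", "modify", "delete" or "connect"
    target: str  # file path, registry parameter name or remote endpoint


class Journal:
    """Separate file, registry and network event logs plus parent/child links."""

    def __init__(self):
        self.logs = {"file": [], "registry": [], "network": []}
        self.children = defaultdict(set)

    def record(self, log, actor, action, target):
        self.logs[log].append(Event(actor, action, target))

    def spawned(self, parent, child):
        self.children[parent].add(child)

    def related(self, obj):
        """Return obj plus every process it generated, transitively."""
        seen, stack = set(), [obj]
        while stack:
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(self.children.get(cur, ()))
        return seen

    def modifiers_of(self, obj):
        """Objects that modified obj's file (the Fig. 2 case): rescan candidates."""
        return {e.actor for e in self.logs["file"]
                if e.target == obj and e.action == "modify" and e.actor != obj}


def rollback_plan(journal, malicious, file_backup, registry_backup):
    """Return ordered (step, log, target) tuples that undo the object's activity."""
    actors = journal.related(malicious)
    plan = [("terminate_connection", "network", e.target)
            for e in journal.logs["network"] if e.actor in actors]
    for log, backup in (("file", file_backup), ("registry", registry_backup)):
        events = [e for e in journal.logs[log] if e.actor in actors]
        created = {e.target for e in events if e.action == "create"}
        handled = set()
        for e in reversed(events):      # undo the newest change first
            if e.target in handled:
                continue
            handled.add(e.target)
            if e.target in backup:
                step = "restore"        # changed or removed item with a backup copy
            elif e.target in created:
                step = "delete"         # item that did not exist before
            else:
                step = "no_backup"      # changed or removed, nothing to restore from
            plan.append((step, log, e.target))
    return plan


# Constructed sample data: object 212 modifies object 213, which then misbehaves.
OBJ212, OBJ213, CHILD = "C:/Temp/obj212.exe", "C:/Apps/obj213.exe", "pid:4242"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"
SETTING = r"HKLM\Software\Example\Setting"


def build_sample():
    j = Journal()
    j.record("file", OBJ212, "modify", OBJ213)
    j.spawned(OBJ213, CHILD)
    j.record("file", OBJ213, "create", "C:/Temp/payload.dll")
    j.record("file", OBJ213, "modify", "C:/Temp/payload.dll")
    j.record("file", OBJ213, "delete", "C:/Windows/System32/hal.dll")
    j.record("file", CHILD, "modify", "C:/Users/a/report.doc")
    j.record("file", "C:/Apps/benign.exe", "create", "C:/Temp/ok.txt")
    j.record("registry", OBJ213, "create", RUN_KEY)
    j.record("registry", OBJ213, "modify", SETTING)
    j.record("network", CHILD, "connect", "203.0.113.7:443/tcp")
    file_backup = {"C:/Windows/System32/hal.dll", OBJ213}
    registry_backup = {SETTING}
    return j, file_backup, registry_backup


if __name__ == "__main__":
    journal, files, registry = build_sample()
    for step in rollback_plan(journal, OBJ213, files, registry):
        print(step)
    print("rescan:", journal.modifiers_of(OBJ213))
```

The `no_backup` step marks the gap in this design: a file that was modified but is not held in the backup database is identified by the logs yet cannot be restored from them.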
In some embodiments, the recovery module 160 can restore only the modified part of a modified file rather than the whole file. In this case, the file backup database 161 will also contain those parts of files that are most likely to be affected by malicious activity.
In one exemplary embodiment, the backup databases 161-163 can be filled with file and registry information by the user or, via the update module 170, from a remote central anti-virus database. In the latter case, the update module 170 initiates the filling of the backup databases 161-163 with new files and registry values, the list of which the update module 170 receives over the Internet 180 from the central anti-virus server or other trusted data sources. The update module 170 can then start the update process, and the recovery module 160 places backup copies of files, registry and other data in the respective backup databases 161-163.
Fig. 2 shows an operation diagram of the malware protection system according to one exemplary embodiment. The file activity of a malicious object is not limited to the creation and removal of files, in which case the recovery module 160 removes or restores the files accordingly. Other behavior of malicious objects is also possible, such as modifying files. In Fig. 2, malicious object 212 has modified object 213, which was harmless before the modification. The modification can include, for example, injecting malicious code into the original file 213. After making these changes to object 213, object 212 stops performing any activity. Object 213, on the other hand, starts performing activity associated, for example, with the removal of files 130 or registry values 140. Meanwhile, the actions associated with the activity of object 213 can be recorded by the data collection module 150.
If, during an anti-virus check, the anti-virus module 120 determines that object 213 is a threat, that is, that it is malicious, module 120 can block the activity of object 213 and send information about this object to the data collection module 150 and to the anti-virus server (not shown). The data collection module 150 sends information about the activity history to the recovery module 160, which restores the modified data using the backup databases 161-163. In addition, if a copy of object 213 is in the file backup database 161, the recovery module 160 also restores object 213.
In addition, the anti-virus module 120 can request that the data collection module 150 provide information about the activity associated with object 213. In response, the data collection module 150 can inform the anti-virus module 120 that object 213 was modified by object 212. The anti-virus module 120 can then perform an anti-virus check of object 212, determine that it is malicious and block it, thereby preventing further malicious behavior by this object.
Fig. 3 shows an operation diagram of the malware protection system according to another exemplary embodiment. Some objects 310 can create new network connections during their execution, for example connections to the Internet 180. If a network connection is created by a malicious object, it poses a threat to the computer, because it increases the computer's vulnerability. A malicious object can transmit data from the computer or download other dangerous objects from the Internet onto the computer. To prevent this, according to one exemplary embodiment, the network activity of monitored objects can be recorded by the data collection module 150 in the network event log 154.
More specifically, if the anti-virus module 120 detects a malicious object, it can request from the data collection module 150 information about the network activity of the malicious object or of any objects, processes or threads related to it. In the example above, object 312 is a malicious object with network activity, which the data collection module 150 has recorded in the network event log 154. Having determined that object 312 is malicious and identified the network events associated with it, the anti-virus module 120 can terminate or block all network connections established by malicious object 312, terminate the execution of malicious object 312 and, if malicious file or registry activity has been observed for this object or any related object, send information about object 312 to the data collection module 150 so that the file and registry data can subsequently be restored.
It is also possible that malicious object 312 generates a process or execution thread in a safe object or process 311 of the computer, and that this process or thread then creates a network connection, which is recorded in the network event log 154. Two cases can be distinguished here: the malicious object 312 injects itself into a safe object 311 or safe process without affecting system functions, or the malicious object 312 injects itself into an object 313 that represents a system file or system process.
In the first case, when the infected object or process is not a system process, the anti-virus module 120 can record the fact of infection and the subsequent network activity, and block the modified object 311. While the object is blocked, its following activities are stopped:
File activity: the object cannot perform file operations;
Registry activity: access to the system registry is blocked;
System activity: all processes and threads started by the object are terminated;
Network activity: the creation of network connections is blocked.
If the anti-virus module 120 detects that an execution thread was generated by malicious object 312 in process 311, the anti-virus module 120 terminates the thread and can also automatically terminate all network connections associated with process 311.
When a system file or process 313 has been modified, the anti-virus module 120 generally cannot block the system object 313, because doing so would cause the operating system to fail. However, once network activity of the modified system file 313 is detected, the anti-virus module 120 can stop that network activity, terminating only the network connections started by the injected code, while object 313 keeps running. Object 313 can then be restored from the backup copy of the system object 313 in the file backup database 161.
If a malicious execution thread was generated by object 312 in system object 313, the malicious thread can be terminated without affecting object 313.
Fig. 4A shows the operating algorithm of the malware protection system according to one exemplary embodiment. In steps 401-403, the anti-virus database 121, the verifiable event database 151 and the backup databases 161-163 can be updated using the update module 170. Next, in step 404, the anti-virus module 120 performs an anti-virus check of objects 110 in the computer system. If, in step 405, the checked objects and the processes started by them are found not to be malicious, the process of step 405 can be repeated at a later time. If, however, any of the objects 110 or the corresponding processes is malicious, the execution of the malicious object is stopped in step 406. In addition, information identifying the object is sent to the data collection module 150 in step 407 and to the anti-virus server in step 408. Information about the activity of the detected object on other users' computers can also be received from the anti-virus server, and the anti-virus module 120 can use this information as well. In the next step 409, a check is made for any activity of this object. Specifically, the file event log 152, the registry event log 153 and the other available event logs 154 are searched for the activity of the malicious object or of any associated processes, threads and so on. If records of malicious file or registry activity of the malicious object are found, the data on the activity performed by the object is sent to the recovery module 160 in step 410. In step 411, the recovery module 160 uses this data, together with the file and registry backup data from databases 161 and 162, to restore the file and registry data.
Fig. 4B shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious network activity. In step 501, anti-virus module 120 checks whether the detected malicious object 312 or a process associated with it has requested or opened any network connection. This information can be obtained using data collection module 150. In step 502, after malicious object 312 has been blocked by anti-virus module 120, the network connections created directly by malicious object 312 itself are terminated automatically. If the information from data collection module 150 further indicates that this malicious object has modified other objects 311, 312, and network activity has also been observed in objects 311, 312, then in step 503 anti-virus module 120 checks whether the modified object is a system object. If the modified object 311 is not a system object, then in step 502 anti-virus module 120 blocks this object and automatically terminates the network connection. If a system object 313 has been modified, the object cannot be blocked, because doing so could cause the operating system to fail. However, in step 504, anti-virus module 120 can terminate the network connections started by the part that was introduced into the modified system object 313. The object itself keeps running. The system object can then be repaired using recovery module 160. Where a malicious thread has been loaded into a system process, that malicious execution thread can also be stopped.
Fig. 4C shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious system activity. System activity includes the appearance of processes started by the malicious object and the start of execution threads in other processes. In step 601, if anti-virus module 120 identifies system activity of the malicious object by requesting information, for example via data collection module 150, then in step 602 anti-virus module 120 can terminate all processes and threads associated with the object. In addition, information about the terminated processes can be passed to recovery module 160, which determines whether any infected file or registry data needs to be updated.
Fig. 4D shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious registry activity. In step 701, anti-virus module 120 uses data collection module 150 to determine whether registry 140 has been infected, for example by new registry entries generated through the activity of the malicious object. If such activity is detected, recovery module 160 can be instructed in step 702 to remove the newly created data from the registry. If the value of a registry parameter has been modified or removed, or if a registry parameter has been deleted, then in step 703 recovery module 160 checks whether the infected registry values and parameters are present in backup registry database 162. If backup data is found, then in step 705 recovery module 160 uses the backup copy to repair the modified or removed registry values or parameters.
Fig. 4E shows an exemplary embodiment of the operating algorithm of the malware protection system in response to malicious file activity. In step 801, anti-virus module 120 uses data collection module 150 to request information about all new files created by the malicious object. If new files were created, recovery module 160 is instructed in step 802 to remove them. If no new files were created, but the malicious object modified or removed existing files, then in step 803 recovery module 160 determines whether backup copies of the infected files are available in database 161. If the required file is found in step 804, recovery module 160 repairs the infected file in step 805.
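The correlation and rollback flow of Figs. 4A to 4E can be sketched as a planner that walks the process tree of a detected object and turns its logged events into remediation steps. This is an added example, not code from the patent; the `Event` record, the `process#thread` naming convention and all sample paths, registry parameters and addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    actor: str    # process, or "process#thread" for a thread inside a process
    log: str      # log that recorded it: "file", "registry" or "network"
    action: str   # "create", "modify", "delete" or "connect"
    target: str   # file path, registry parameter or connection


# --- Constructed sample data (hypothetical names, not from the patent) ---
CHILDREN = {  # parent/child relations recorded by the data collection module
    "dropper.exe": ["helper.exe", "svchost.exe#t7"],  # t7: thread inside a system process
    "helper.exe": ["helper.exe#t2"],
}
SYSTEM_OBJECTS = {"svchost.exe"}  # blocking these would make the OS fail
EVENTS = [  # chronological, merged from the three separate logs
    Event("dropper.exe", "file", "create", r"C:\Temp\payload.dll"),
    Event("dropper.exe", "registry", "create", r"HKCU\Software\Example\Autostart"),
    Event("helper.exe", "file", "modify", r"C:\Users\a\report.docx"),
    Event("helper.exe#t2", "file", "delete", r"C:\Users\a\notes.txt"),
    Event("helper.exe", "file", "modify", r"C:\Temp\payload.dll"),
    Event("svchost.exe#t7", "network", "connect", "203.0.113.5:443"),
    Event("svchost.exe#t7", "registry", "modify", r"HKLM\System\Example\Start"),
    Event("notepad.exe", "file", "modify", r"C:\Users\a\todo.txt"),   # unrelated process
    Event("svchost.exe", "network", "connect", "198.51.100.9:53"),   # host's own traffic
]
BACKUPS = {  # stand-in for backup databases 161 (files) and 162 (registry)
    "file": {r"C:\Users\a\report.docx"},
    "registry": {r"HKLM\System\Example\Start"},
}


def descendants(root, children):
    """Return root plus everything it generated, directly or indirectly."""
    found, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node not in found:          # also guards against cycles in bad log data
            found.add(node)
            stack.extend(children.get(node, ()))
    return found


def plan_rollback(malicious, events, children, system_objects, backups):
    """Build the remediation plan for one object found to be malicious."""
    actors = descendants(malicious, children)
    plan = {"terminate": [], "stop_thread_keep_host": [], "close": [],
            "delete": [], "restore": [], "unrecoverable": []}

    # Fig. 4B/4C: stop processes and threads, but never a whole system object.
    for actor in sorted(actors):
        host = actor.split("#")[0]
        key = "stop_thread_keep_host" if host in system_objects else "terminate"
        plan[key].append(actor)

    created = set()
    for ev in events:
        if ev.actor not in actors:
            continue                   # activity of unrelated objects is left alone
        item = (ev.log, ev.target)
        if ev.log == "network":
            bucket = "close"           # only connections opened by the actor itself
        elif ev.action == "create":
            created.add(item)
            bucket = "delete"          # Fig. 4D step 702 / Fig. 4E step 802
        elif item in created:
            continue                   # new object: deleting it undoes later changes
        elif ev.target in backups[ev.log]:
            bucket = "restore"         # Fig. 4D step 705 / Fig. 4E step 805
        else:
            bucket = "unrecoverable"   # modified or deleted, no backup copy found
        if item not in plan[bucket]:
            plan[bucket].append(item)
    return plan


if __name__ == "__main__":
    for step, items in plan_rollback("dropper.exe", EVENTS, CHILDREN,
                                     SYSTEM_OBJECTS, BACKUPS).items():
        print(step, items)
```

The `unrecoverable` bucket makes visible the case the flowcharts leave implicit: a file or registry parameter that was modified or deleted but has no copy in the backup databases.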
Fig. 5 depicts an exemplary embodiment of a computer system 5 on which malware protection system 100 can be deployed. Computer system 5 can include a network server, personal computer, notebook, tablet computer, smartphone, media source or other types of data processing and computing devices. Computer 5 can include one or more processors 15, memory 20, one or more hard disk drives 30, one or more optical disc drives 35, one or more serial ports 40, graphics card 45, sound card 50 and network card 55, connected by system bus 10. System bus 10 can be any of several types of bus structure, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of known bus architectures. Processor 15 can include one or more Core 2 Quad 2.33GHz processors or other kinds of microprocessor.
System memory 20 can include read-only memory (ROM) 21 and random access memory (RAM) 23. Memory 20 can be implemented as DRAM (dynamic random access memory), EPROM, EEPROM, flash memory or another type of memory architecture. ROM 21 stores a basic input/output system 22 (BIOS) containing the basic routines that help transfer information between the components of computer system 5, for example during start-up. RAM 23 stores operating system 24 (OS), for example XP Professional or another type of operating system, which is responsible for managing and coordinating the processes in computer system 5 and for allocating and sharing the hardware resources of computer system 5. System memory 20 also stores applications and programs 25, for example services 306. System memory 20 also stores the various runtime data 26 used by programs 25.
Computer system 5 can further include hard disk drives 30, such as SATA magnetic hard disk drives (HDD), and optical disc drives 35 for reading from or writing to removable optical discs such as CD-ROM, DVD-ROM or other optical media. Drives 30 and 35 and their associated computer-readable media provide non-volatile storage of the computer-readable instructions, data structures, applications and program modules/subroutines that implement the algorithms and methods disclosed herein. Although the exemplary computer system 5 uses magnetic and optical discs, those skilled in the art will appreciate that alternative embodiments of the computer system can also use other types of computer-readable media capable of storing data accessible to computer system 5, such as magnetic cassettes, flash memory cards, digital video discs, random access memory, read-only memory, erasable programmable read-only memory and other types of memory.
Computer system 5 further includes multiple serial ports 40, such as Universal Serial Bus (USB), for connecting data input devices 75 such as a keyboard, mouse, touch pad and other devices. Serial ports 40 can also be used to connect data output devices 80, such as printers, scanners and other devices, and to connect other peripheral devices 85, such as external data storage devices. System 5 can also include graphics card 45, for example a GT 240M or other video card, for connecting to monitor 60 or another video reproduction device. System 5 can also include sound card 50 for reproducing sound via internal or external loudspeakers 65. In addition, system 5 can include network card 55, for example Ethernet, WiFi, GSM, Bluetooth or another wired, wireless or cellular network interface, for connecting computer system 5 to network 70, such as the Internet.
In various embodiments, the algorithms and methods described herein can be implemented in hardware, software, firmware or any combination thereof. If implemented in software, the functions can be stored as one or more instructions or code on a non-transitory computer-readable medium. Computer-readable media include both computer storage media and communication media, either of which facilitates the transfer of a computer program from one place to another. A storage medium can be any available medium that can be accessed by a computer. By way of example and not limitation, such computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. In addition, any connection may be termed a computer-readable medium. For example, if software is transmitted from a website, server or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL) or wireless technologies such as infrared, radio and microwave, then these are included in the definition of medium.
For the sake of clarity, not all of the routine features of the embodiments are shown and described herein. It should be appreciated that in the development of any such actual implementation, numerous implementation-specific decisions must be made in order to achieve the developer's specific goals, and that these specific goals will vary from one implementation to another and from one developer to another. Moreover, it should be appreciated that such a development effort might be complex and time-consuming, but would nevertheless be a routine engineering undertaking for those of ordinary skill in the art having the benefit of this disclosure.
Furthermore, it should be understood that the words and terminology used herein are for the purpose of description and not of limitation, so that the words and terminology of this specification are to be interpreted by those skilled in the art in light of the teachings and guidance presented herein, in combination with the knowledge of those skilled in the relevant art. Moreover, no term in this specification or the claims is intended to be ascribed an uncommon or special meaning unless explicitly stated as such.
The various embodiments disclosed herein encompass present and future known equivalents of the known components referred to herein by way of example. Moreover, while embodiments and their applications have been shown and described, it will be apparent to those skilled in the art having the benefit of this disclosure that many more modifications than those mentioned above are possible without departing from the inventive concepts disclosed herein.
Claims (16)
1. A method for protecting a computer against malware, the method comprising:
identifying a regularly updated list of verifiable events stored in a verifiable event database, the list of verifiable events identifying the execution activity of one or more software objects on the computer that should be monitored, the execution activity including at least events of creation, modification or deletion of files by the one or more software objects, events of creation, modification or deletion of parameters and values of the system registry, and network connection events;
monitoring execution events of the one or more software objects on the computer;
based on the list of verifiable events in the verifiable event database, identifying the events of the monitored one or more software objects and recording them in separate file event, registry event and network event logs, including identifying any files created by the monitored one or more software objects;
identifying relationships between parent and child processes and execution threads generated by the monitored software objects;
performing a malware check on the monitored one or more software objects on the computer, including all processes and threads generated during execution of the monitored one or more software objects;
if the malware check determines that an object is malicious based on detection of a malicious process or thread generated during execution of the object, identifying, from the file event log, registry event log and network event log stored in the verifiable event database, one or more file events, registry events and network connection events associated with the malicious object, and further identifying the network connections established by the one or more identified parent and child processes and execution threads generated by the malicious object, and each file created by each of the parent and child processes and execution threads;
performing a rollback operation on the one or more file events associated with the malicious object by deleting all identified files created by the malicious object and each file created by each of the parent and child processes and execution threads;
performing a rollback operation on the one or more registry events associated with the malicious object;
terminating the one or more network connections associated with the malicious object, and further terminating the one or more identified network connections established by the parent and child processes and execution threads generated by the malicious object.
2. The method according to claim 1, wherein performing the rollback operation on file events comprises:
identifying, based on the identified file events associated with the malicious object, one or more files modified or deleted by the malicious object; and restoring at least part of the modified and deleted files from a trusted backup.
3. The method according to claim 1, wherein performing the rollback operation on registry events comprises:
identifying, based on the identified registry events associated with the malicious object, one or more registry parameters and values created, modified or deleted by the malicious object;
deleting the new registry parameters and values created by the malicious object; and
restoring the modified or deleted registry parameters and values from a trusted backup.
4. The method according to claim 1, further comprising: identifying, from the file event log and registry event log, one or more file events and registry events associated with one or more related parent and child processes and with execution threads generated by the malicious object.
5. The method according to claim 4, further comprising:
identifying system and non-system files created, modified or deleted by the one or more parent and child processes and by the execution threads generated by the malicious object;
restoring at least part of the modified system and non-system files, or the deleted system and non-system files, from a trusted backup;
deleting the new non-system files created by all identified parent and child processes and by the execution threads generated by the malicious object.
6. The method according to claim 4, further comprising:
identifying registry parameters and values created, modified or deleted by the one or more parent and child processes and by the execution threads generated by the malicious object;
deleting the new registry parameters and values created by the one or more identified parent and child processes and by the execution threads generated by the malicious object; and
restoring the modified or deleted registry parameters and values from a trusted backup.
7. The method according to claim 1, further comprising:
identifying at least one thread or process generated by the malicious object that executes in a safe object or process of the computer and creates a network connection.
8. The method according to claim 7, wherein, if the safe object or process is a system file of the computer, the network connection is terminated and the system is restored using a backup copy of the file obtained from the backup database.
9. A system for protecting a computer against malware, wherein the computer has a processor and memory, the system comprising at least the following software modules loaded into the memory of the computer and executable by the processor of the computer:
an anti-virus database containing information about known malicious objects;
a regularly updated verifiable event database containing a list of verifiable events, the list of verifiable events identifying the execution activity of one or more software objects on the computer that should be monitored, the activity including at least events of creation, modification or deletion of files by the one or more software objects on the computer, events of creation, modification or deletion of parameters and values of the system registry, and network connection events;
a data collection module configured to:
monitor execution events of the one or more processes on the computer;
based on the list of verifiable events in the verifiable event database, identify the events of the monitored one or more software objects and record them in separate file event, registry event and network event logs, including identifying any files created by the monitored one or more software objects;
identify relationships between parent and child processes and execution threads generated by the monitored software objects;
identify one or more network connections established by the parent and child processes and execution threads generated by the malicious object;
an anti-virus module configured to:
perform, using the information about known malicious objects contained in the anti-virus database, a malware check on the monitored one or more software objects on the computer, including all processes and threads generated during execution of the monitored one or more software objects;
if the malware check determines that an object is malicious based on detection of a malicious process or thread generated during execution of the object, terminate the one or more network connections established by the malicious object, and further terminate the one or more identified network connections and each file created by each of the parent and child processes and execution threads, the one or more identified network connections having been established by the parent and child processes and execution threads generated by the malicious object;
a recovery module configured to:
if the malware check determines that the object is malicious,
perform a rollback operation on one or more file events associated with the malicious object by deleting all identified files created by the malicious object and each file created by each of the parent and child processes and execution threads; and
perform a rollback operation on one or more registry events associated with the malicious object.
10. The system according to claim 9, wherein, to perform the rollback operation on file events, the recovery module is further configured to:
identify, based on the identified file events associated with the malicious object, one or more files modified or deleted by the malicious object; and
restore at least part of the modified and deleted files from a trusted backup.
11. The system according to claim 9, wherein, to perform the rollback operation on registry events, the recovery module is further configured to:
identify, based on the identified registry events associated with the malicious object, one or more registry parameters and values created, modified or deleted by the malicious object;
delete the new registry parameters and values created by the malicious object; and
restore the modified or deleted registry parameters and values from a trusted backup.
12. The system according to claim 9, wherein the data collection module is further configured to: identify, from the file event log and registry event log, one or more file events and registry events associated with one or more related parent and child processes and with execution threads generated by the malicious object.
13. The system according to claim 10, wherein the recovery module is further configured to:
identify system and non-system files created, modified or deleted by the one or more parent and child processes and by the execution threads generated by the malicious object;
restore at least part of the modified system and non-system files, or the deleted system and non-system files, from a trusted backup;
delete the new non-system files created by all identified parent and child processes and by the execution threads generated by the malicious object.
14. The system according to claim 10, wherein the recovery module is further configured to:
identify registry parameters and values created, modified or deleted by the one or more parent and child processes and by the execution threads generated by the malicious object;
delete the new registry parameters and values created by the one or more identified parent and child processes and by the execution threads generated by the malicious object; and
restore the modified or deleted registry parameters and values from a trusted backup.
15. The system according to claim 9, wherein the data collection module is further configured to identify at least one or more threads or processes generated by the malicious object that execute in a safe object or process of the computer and create a network connection.
16. The system according to claim 15, wherein, if the safe object is a system file of the computer, the anti-virus module is further configured to terminate the network connection and to restore the system using a backup copy of the file obtained from the backup database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710150404.2A CN107103238A (en) | 2012-02-29 | 2012-02-29 | System and method for protecting computer system to exempt from malicious objects activity infringement |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210050079XA CN102629310A (en) | 2012-02-29 | 2012-02-29 | System and method for protecting computer system from being infringed by activities of malicious objects |
CN201710150404.2A CN107103238A (en) | 2012-02-29 | 2012-02-29 | System and method for protecting computer system to exempt from malicious objects activity infringement |
Related Parent Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210050079XA Division CN102629310A (en) | 2012-02-29 | 2012-02-29 | System and method for protecting computer system from being infringed by activities of malicious objects |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107103238A | 2017-08-29 |
Family
ID=46587568
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710150404.2A Pending CN107103238A (en) | 2012-02-29 | 2012-02-29 | System and method for protecting computer system to exempt from malicious objects activity infringement |
CN201210050079XA Pending CN102629310A (en) | 2012-02-29 | 2012-02-29 | System and method for protecting computer system from being infringed by activities of malicious objects |
Family Applications After (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210050079XA Pending CN102629310A (en) | 2012-02-29 | 2012-02-29 | System and method for protecting computer system from being infringed by activities of malicious objects |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN107103238A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110119619A (en) * | 2018-02-06 | 2019-08-13 | 卡巴斯基实验室股份制公司 | The system and method for creating anti-virus record |
CN111656350A (en) * | 2018-01-25 | 2020-09-11 | 微软技术许可有限责任公司 | Malware sequence detection |
CN111819559A (en) * | 2017-11-17 | 2020-10-23 | 爱维士软件有限责任公司 | Using machine learning models with quantized step sizes for malware detection |
CN111886594A (en) * | 2018-03-20 | 2020-11-03 | 北京嘀嘀无限科技发展有限公司 | Malicious process tracking |
CN113254397A (en) * | 2021-06-15 | 2021-08-13 | 成都统信软件技术有限公司 | Data checking method and computing device |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102867146B (en) * | 2012-09-18 | 2016-01-27 | 珠海市君天电子科技有限公司 | Method and system for preventing computer virus from repeatedly infecting system |
CN102902913B (en) * | 2012-09-19 | 2016-08-03 | 无锡华御信息技术有限公司 | Prevent the security method of software in malicious sabotage computer |
CN104050413A (en) * | 2013-03-13 | 2014-09-17 | 腾讯科技(深圳)有限公司 | Method for data processing and terminal |
US20140379637A1 (en) | 2013-06-25 | 2014-12-25 | Microsoft Corporation | Reverse replication to rollback corrupted files |
CN103413091B (en) * | 2013-07-18 | 2016-01-20 | 腾讯科技(深圳)有限公司 | The method for supervising of malicious act and device |
CN103679031B (en) * | 2013-12-12 | 2017-10-31 | 北京奇虎科技有限公司 | A kind of immune method and apparatus of file virus |
US9588848B2 (en) * | 2015-06-19 | 2017-03-07 | AO Kaspersky Lab | System and method of restoring modified data |
US10742665B2 (en) * | 2016-02-01 | 2020-08-11 | NortonLifeLock Inc. | Systems and methods for modifying file backups in response to detecting potential ransomware |
CN107292169B (en) * | 2016-03-31 | 2021-04-16 | 阿里巴巴集团控股有限公司 | Threat tracing method and device for malicious software |
US10715533B2 (en) * | 2016-07-26 | 2020-07-14 | Microsoft Technology Licensing, Llc. | Remediation for ransomware attacks on cloud drive folders |
US10678921B2 (en) * | 2016-09-30 | 2020-06-09 | AVAST Software s.r.o. | Detecting malware with hash-based fingerprints |
WO2018200451A1 (en) * | 2017-04-26 | 2018-11-01 | Cylance Inc. | Endpoint detection and response system with endpoint-based artifact storage |
RU2651196C1 (en) * | 2017-06-16 | 2018-04-18 | Акционерное общество "Лаборатория Касперского" | Method of the anomalous events detecting by the event digest popularity |
CN111435392B (en) * | 2019-01-14 | 2021-09-24 | 武汉网宇信息技术有限公司 | Network data instant updating method |
CN110598410B (en) * | 2019-09-16 | 2021-11-16 | 腾讯科技(深圳)有限公司 | Malicious process determination method and device, electronic device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1737722A (en) * | 2005-08-03 | 2006-02-22 | 珠海金山软件股份有限公司 | System and method for detecting and defending computer worm |
CN101022662A (en) * | 2007-02-26 | 2007-08-22 | 华为技术有限公司 | Calling log service device, system and method thereof |
CN101408919A (en) * | 2008-12-09 | 2009-04-15 | 吕欣 | Method and system for monitoring computer espionage behavior |
CN101414997A (en) * | 2007-10-15 | 2009-04-22 | 北京瑞星国际软件有限公司 | Method and apparatus for preventing malevolence program from accessing network |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7114184B2 (en) * | 2001-03-30 | 2006-09-26 | Computer Associates Think, Inc. | System and method for restoring computer systems damaged by a malicious computer program |
US7080408B1 (en) * | 2001-11-30 | 2006-07-18 | Mcafee, Inc. | Delayed-delivery quarantining of network communications having suspicious contents |
CN101231682B (en) * | 2007-01-26 | 2011-01-26 | 李贵林 | Computer information safe method |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111819559A (en) * | 2017-11-17 | 2020-10-23 | 爱维士软件有限责任公司 | Using machine learning models with quantized step sizes for malware detection |
CN111656350A (en) * | 2018-01-25 | 2020-09-11 | 微软技术许可有限责任公司 | Malware sequence detection |
CN111656350B (en) * | 2018-01-25 | 2023-08-29 | 微软技术许可有限责任公司 | Malware Sequence Detection |
CN110119619A (en) * | 2018-02-06 | 2019-08-13 | 卡巴斯基实验室股份制公司 | The system and method for creating anti-virus record |
CN110119619B (en) * | 2018-02-06 | 2023-08-04 | 卡巴斯基实验室股份制公司 | System and method for creating anti-virus records |
CN111886594A (en) * | 2018-03-20 | 2020-11-03 | 北京嘀嘀无限科技发展有限公司 | Malicious process tracking |
CN111886594B (en) * | 2018-03-20 | 2023-08-18 | 北京嘀嘀无限科技发展有限公司 | Malicious process tracking |
CN113254397A (en) * | 2021-06-15 | 2021-08-13 | 成都统信软件技术有限公司 | Data checking method and computing device |
Also Published As
Publication number | Publication date |
---|---|
CN102629310A (en) | 2012-08-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107103238A (en) | | System and method for protecting computer system to exempt from malicious objects activity infringement |
US8181247B1 (en) | | System and method for protecting a computer system from the activity of malicious objects |
CN101777062B (en) | | Context-aware real-time computer-protection systems and methods |
RU2607231C2 (en) | | Fuzzy whitelisting anti-malware systems and methods |
US9614867B2 (en) | | System and method for detection of malware on a user device using corrected antivirus records |
US8782793B2 (en) | | System and method for detection and treatment of malware on data storage devices |
US20210056209A1 (en) | | Method, system, and storage medium for security of software components |
CN102902924B (en) | | The method that file behavioural characteristic is detected and device |
US20140053267A1 (en) | | Method for identifying malicious executables |
US20050262567A1 (en) | | Systems and methods for computer security |
BR102015017215A2 (en) | | computer-implemented method for classifying mobile applications, and computer program encoded on non-transient storage medium |
US9804948B2 (en) | | System, method, and computer program product for simulating at least one of a virtual environment and a debugging environment to prevent unwanted code from executing |
US8336100B1 (en) | | Systems and methods for using reputation data to detect packed malware |
CN103065094A (en) | | System and method for detecting malware targeting the boot process of a computer using boot process emulation |
EP1828902A2 (en) | | System and method for identifying and removing malware on a computer system |
US10839074B2 (en) | | System and method of adapting patterns of dangerous behavior of programs to the computer systems of users |
EP3531324B1 (en) | | Identification process for suspicious activity patterns based on ancestry relationship |
CN103109295A (en) | | Systems and methods for creating customized confidence bands for use in malware detection |
CN104811453A (en) | | Active defense method and device |
US11003772B2 (en) | | System and method for adapting patterns of malicious program behavior from groups of computer systems |
US20240054210A1 (en) | | Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program |
EP2584484B1 (en) | | System and method for protecting a computer system from the activity of malicious objects |
Lee et al. | | Analysis of application installation logs on android systems |
RU2468427C1 (en) | | System and method to protect computer system against activity of harmful objects |
RU2757807C1 (en) | | System and method for detecting malicious code in the executed file |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170829 | |