CN107315952A - Method and apparatus for determining application program suspicious actions - Google Patents
Method and apparatus for determining application program suspicious actions
- Publication number: CN107315952A
- Application number: CN201610266466.5A
- Authority: CN (China)
- Prior art keywords: behavior, process behavior, application program, information, file
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/55 Detecting local intrusion or implementing counter-measures)
- G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F2221/033: Test or assess software (under G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
Abstract
Embodiments of the invention provide a method and apparatus for determining suspicious behavior of an application program. The method includes: when a terminal device determines that the data accessed by a process behavior of a first application program belongs to a second application program different from the first application program, the terminal device determines the process behavior to be a candidate suspicious behavior, where the data includes at least one of a process, a thread, a file, a directory and a registry entry; the terminal device sends the behavior feature information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior feature information of the process behavior, whether the process behavior is a suspicious behavior. The method and apparatus of the embodiments of the invention can determine suspicious behavior that accesses application data without authorization on the terminal device. Compared with the prior art, the method does not depend on security software and does not require the user to take part in the decision, so the accuracy and reliability of the judgement of suspicious behavior, and thus overall system performance, are improved.
Description
Technical field
Embodiments of the present invention relate to the computer field, and more particularly to a method and apparatus for determining suspicious behavior of an application program.
Background technology
Detection of Advanced Persistent Threat (APT) attacks inside an enterprise generally tends to rely on big-data analysis, including analyzing the traffic in the enterprise network, analyzing files in a sandbox to find the advanced threats that traditional signature matching cannot identify, and analyzing the alert logs of the various conventional security devices. The purpose of all of these analyses is to find security problems inside the enterprise in time and to reduce as far as possible the loss that advanced threats cause the enterprise.
The traditional host-based defence method mainly aims to prevent suspicious behavior from attacking the system. Such a defence method necessarily depends on security software, which monitors the process behavior of all application programs on the host. IT staff can preset an access control policy in the security software to control the access of application programs to system data. If a process behavior does not satisfy the access control policy, the security software decides that the process behavior is a suspicious behavior. After a suspicious behavior is detected, the security software alerts the user of the host directly and lets the user choose whether to block the suspicious behavior.
However, the traditional defence method only concerns the rules by which application programs access system data; it cannot prevent suspicious behavior that accesses application data without authorization, for example behavior that steals or tampers with application data. Moreover, since ordinary users do not have much computer knowledge, the traditional approach of letting the user judge whether to block a suspicious behavior is not very appropriate.
The content of the invention
Embodiments of the present invention provide a method and apparatus for determining suspicious behavior of an application program, which can determine suspicious behavior that accesses application data without authorization and thereby improve overall system performance.
In a first aspect, a method for determining suspicious behavior of an application program is provided, including: when a terminal device determines that the data accessed by a process behavior of a first application program belongs to a second application program different from the first application program, the terminal device determines the process behavior to be a candidate suspicious behavior, where the data includes at least one of a process, a thread, a file, a directory and a registry entry; and the terminal device sends the behavior feature information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior feature information of the process behavior, whether the process behavior is a suspicious behavior.
Specifically, when the data accessed by a process behavior of the first application program on the terminal device belongs to the second application program, the terminal device determines that the process behavior is a candidate suspicious behavior. For example, suppose the second application program includes process P1 and process P2. If process P1 creates file F during its execution, then file F belongs to the second application program. If process P2 accesses file F during its execution, the behavior of P2 can be regarded as legitimate. If, however, process P3 of the first application program, which differs from the second application program, accesses file F, then the behavior of P3 is a candidate suspicious behavior.
In this way, based on the data access rules between application programs and their data, the embodiments of the present invention have the terminal device determine candidate suspicious behaviors from all detected process behaviors, send the behavior feature information of the determined candidate suspicious behaviors to the data analysis server, and let the data analysis server determine, according to that behavior feature information, whether the candidate suspicious behaviors are suspicious behaviors, thereby determining the suspicious behaviors that access application data without authorization on the terminal device. Compared with the prior art, this method does not depend on security software and does not require the user to take part in the decision, so it can improve the accuracy and reliability of the judgement of suspicious behavior and thus improve overall system performance.
Optionally, the terminal device may be a host or a client.
Optionally, before the terminal device determines the process behavior to be a candidate suspicious behavior, it may determine the relationship information between application programs and data in the system in several ways. The terminal device may obtain the relationship information between the existing application programs and data in the system by gathering system information; it may obtain in real time the relationship information between each application program and the data it creates by real-time monitoring; and it may also judge whether the system is installing an application program and, if so, associate the data created during the installation with that application program. Once the relationship information between application programs and data in the system has been determined, the terminal device can judge, according to that relationship information, which application program the data accessed by a process behavior of the first application program belongs to, and thereby determine the candidate suspicious behavior.
In a first possible implementation of the first aspect, the terminal device determining the process behavior to be a candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application program belongs to a second application program different from the first application program includes: if the process behavior is a dynamic link library (DLL) file loading behavior of the first application program, the terminal device determines whether the DLL file loaded by the process behavior is a system DLL file; if the DLL file is not a system DLL file, the terminal device determines the application program to which the DLL file belongs; and if the DLL file belongs to a second application program different from the first application program, the terminal device determines the process behavior to be the candidate suspicious behavior.
With reference to the above possible implementation of the first aspect, in a second possible implementation of the first aspect, the terminal device determining the process behavior to be a candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application program belongs to a second application program different from the first application program includes: if the process behavior is a registry access behavior of the first application program, the terminal device determines the application program that created the registry path accessed by the process behavior; if the registry path was created by a second application program different from the first application program, the terminal device determines whether the registry path is a publicly accessible path; and if the registry path is not a publicly accessible path, the terminal device determines the process behavior to be the candidate suspicious behavior.
With reference to the above possible implementation of the first aspect, in a third possible implementation of the first aspect, the terminal device determining the process behavior to be a candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application program belongs to a second application program different from the first application program includes: if the process behavior is a file access behavior of the first application program, the terminal device determines the application program that created the file accessed by the process behavior; if the file accessed by the process behavior was created by a second application program different from the first application program, the terminal device determines the type of the file accessed by the process behavior; and if the type of the file accessed by the process behavior is a program file, the terminal device determines the process behavior to be the candidate suspicious behavior.
With reference to the above possible implementation of the first aspect, in a fourth possible implementation of the first aspect, if the type of the file accessed by the process behavior is a non-program file, the terminal device determines the application program registered for the extension name of the file accessed by the process behavior; and if the application program registered for that extension name is a third application program different from the first application program, the terminal device determines the process behavior to be the candidate suspicious behavior.
With reference to the above possible implementation of the first aspect, in a fifth possible implementation of the first aspect, if the first process behavior is a process creation behavior, the terminal device determines whether the process created by the first process behavior belongs to the first application program; if the process created by the first process behavior does not belong to the first application program, the terminal device determines whether the process is a system process of the first terminal device; and if the process is not a system process of the first terminal device, the first terminal device determines the first process behavior to be a first candidate suspicious behavior.
With reference to the above possible implementation of the first aspect, in a sixth possible implementation of the first aspect, if the first process behavior is a thread creation behavior, the terminal device determines the application program to which the thread created by the first process behavior belongs; and if the thread created by the first process behavior belongs to a second application program different from the first application program, the first terminal device determines the first process behavior to be a first candidate suspicious behavior.
It should be understood that there are many kinds of suspicious behavior of application programs, including but not limited to: cross-process thread injection, loading a DLL file of unknown origin, accessing a file that does not belong to the application itself, accessing a registry entry that does not belong to the application itself, modifying system files, deleting system files, modifying the system registry, deleting system registry entries, and so on. The above therefore describes only some of these cases; the other cases are similar.
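As an added worked example (not code from the patent), the following Python applies the six terminal-side rules of the first to sixth implementations above to individual observed behaviors and builds the behavior feature triple the terminal would report. The ownership map, system DLL and process lists, public registry paths and extension registrations are constructed stand-ins for the relationship information a real terminal would gather from the system.

```python
# Added example (not from the patent): terminal-side candidate-suspicious check.
# All lookup tables below are constructed stand-ins for the relationship
# information (data object -> owning application) the terminal collects.
import ntpath
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed relationship information: lower-cased data path -> owning application.
OWNER: Dict[str, str] = {
    "c:\\program files\\appa\\appa.exe": "AppA",
    "c:\\program files\\appb\\appb.exe": "AppB",
    "c:\\program files\\appb\\helper.dll": "AppB",
    "c:\\users\\alice\\documents\\report.docx": "AppB",
    "c:\\users\\alice\\documents\\notes.txt": "AppB",
    "hkcu\\software\\appb\\license": "AppB",
    "hkcu\\software\\appb\\shared": "AppB",
}
SYSTEM_DLLS = {"c:\\windows\\system32\\kernel32.dll", "c:\\windows\\system32\\ntdll.dll"}
SYSTEM_PROCESSES = {"svchost.exe", "explorer.exe", "csrss.exe"}
PUBLIC_REGISTRY_PATHS = {"hkcu\\software\\appb\\shared"}
PROGRAM_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}
# Application registered as the handler for a file extension (constructed).
EXTENSION_OWNER = {".docx": "AppB", ".txt": "AppA"}


@dataclass(frozen=True)
class Behavior:
    app: str     # application the acting process belongs to (the "first application")
    kind: str    # dll_load | registry | file | process_create | thread_create
    target: str  # DLL/file path, registry path, created process image, or the
                 # image of the process a thread was created in


def owner_of(data: str) -> Optional[str]:
    """Which application the data belongs to (None = unknown / not tracked)."""
    return OWNER.get(data.lower())


def is_candidate(b: Behavior) -> bool:
    """True if the behavior crosses an application boundary in one of the ways
    the patent's first to sixth implementations describe."""
    target = b.target.lower()
    owner = owner_of(target)

    if b.kind == "dll_load":
        # Rule 1: system DLLs are never candidates; another app's DLL is.
        if target in SYSTEM_DLLS:
            return False
        return owner is not None and owner != b.app

    if b.kind == "registry":
        # Rule 2: path created by another app and not a public path.
        if owner is None or owner == b.app:
            return False
        return target not in PUBLIC_REGISTRY_PATHS

    if b.kind == "file":
        # Rules 3 and 4: another app's program file, or a non-program file
        # whose registered handler is some application other than the actor.
        if owner is None or owner == b.app:
            return False
        ext = ntpath.splitext(target)[1]
        if ext in PROGRAM_EXTENSIONS:
            return True
        registered = EXTENSION_OWNER.get(ext)
        return registered is not None and registered != b.app

    if b.kind == "process_create":
        # Rule 5: created process is neither the actor's own nor a system process.
        if owner == b.app:
            return False
        return ntpath.basename(target) not in SYSTEM_PROCESSES

    if b.kind == "thread_create":
        # Rule 6: thread created inside a process owned by another application.
        return owner is not None and owner != b.app

    raise ValueError(f"unknown behavior kind: {b.kind}")


def behavior_feature_info(b: Behavior) -> Dict[str, Optional[str]]:
    """The triple the terminal sends to the data analysis server for a candidate."""
    return {"app": b.app, "data": b.target, "data_owner": owner_of(b.target)}


if __name__ == "__main__":
    for b in (
        Behavior("AppA", "dll_load", "C:\\Windows\\System32\\kernel32.dll"),
        Behavior("AppA", "dll_load", "C:\\Program Files\\AppB\\helper.dll"),
        Behavior("AppA", "file", "C:\\Users\\alice\\Documents\\report.docx"),
        Behavior("AppA", "process_create", "C:\\Windows\\System32\\svchost.exe"),
    ):
        print(is_candidate(b), behavior_feature_info(b))
```

Data whose owner is unknown is deliberately not flagged (except for process creation, where the patent's rule only asks whether the new process is the actor's own or a system process), so gaps in the collected relationship information produce misses rather than false candidates.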
With reference to the above possible implementation of the first aspect, in a seventh possible implementation of the first aspect, the behavior feature information includes: information on the application program to which the process behavior belongs, information on the data accessed by the process behavior, and information on the application program to which the data accessed by the process behavior belongs.
With reference to the above possible implementation of the first aspect, in an eighth possible implementation of the first aspect, after the terminal device sends the behavior feature information of the process behavior to the data analysis server, the method further includes: the terminal device receives indication information sent by the data analysis server, the indication information indicating that the process behavior is a normal behavior; and the terminal device determines, according to the indication information, that the process behavior is a normal behavior.
In this way, if the terminal device detects the same process behavior again, it will not send the behavior feature information of that process behavior to the data analysis server again. The method can therefore not only improve the accuracy with which the terminal device detects candidate suspicious behaviors, but also avoid the transmission of unnecessary behavior feature information, saving signaling overhead.
With reference to the above possible implementation of the first aspect, in a ninth possible implementation of the first aspect, after the terminal device sends the behavior feature information of the process behavior to the data analysis server, the method further includes: the terminal device receives a request message sent by the data analysis server, the request message requesting provenance information of the process behavior, where the provenance information includes at least one of: process information of the process behavior, information on the program file corresponding to the process behavior, and relationship information between the process creator of the process behavior and the creator of the program file; and the terminal device sends the provenance information to the data analysis server according to the request message.
Specifically, after the data analysis server determines that the process behavior is a suspicious behavior, it can request the provenance information of the process behavior from the terminal device. The terminal device sends the provenance information of the suspicious behavior to the data analysis server, so that IT administrators who obtain the provenance information through the data analysis server can reconstruct when and how the suspicious behavior occurred, which helps the later investigation of the attack and the collection of evidence.
In a second aspect, another method for determining suspicious behavior of an application program is provided, including: a data analysis server receives behavior feature information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application program and the data accessed by the first process behavior belongs to a second application program different from the first application program, the data including at least one of a process, a thread, a file, a directory and a registry entry; and the data analysis server determines, according to the behavior feature information of the first process behavior, whether the first process behavior is a suspicious behavior.
In a first possible implementation of the second aspect, the data analysis server determining, according to the behavior feature information of the first process behavior, whether the first process behavior is a suspicious behavior includes: the data analysis server determines, according to the behavior feature information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior; and if it determines that the first process behavior does not belong to the trusted behavior set, the data analysis server determines that the first process behavior is a suspicious behavior.
With reference to the above possible implementation of the second aspect, in a second possible implementation of the second aspect, before the data analysis server determines, according to the behavior feature information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, the method further includes: the data analysis server receives behavior feature information of multiple second process behaviors sent by each second terminal device of at least one second terminal device; and the data analysis server determines the trusted behavior set, using a data mining algorithm, from the behavior feature information of the multiple second process behaviors sent by the at least one second terminal device, where the trusted behavior set includes at least one second process behavior among the multiple second process behaviors.
Optionally, the data mining algorithm may be a frequent itemset algorithm, a support vector machine algorithm, a decision tree algorithm, or the like.
With reference to the above possible implementation of the second aspect, in a third possible implementation of the second aspect, the behavior feature information of the first process behavior includes: information on the application program to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application program to which the data accessed by the first process behavior belongs; and the behavior feature information of the multiple second process behaviors includes: information on the application programs to which the multiple second process behaviors belong, information on the data accessed by the multiple second process behaviors, and information on the application programs to which the data accessed by the multiple second process behaviors belongs.
With reference to the above possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the method further includes: if the data analysis server determines that the first process behavior is a normal behavior, the data analysis server sends indication information to the first terminal device, the indication information indicating that the first process behavior is a normal behavior.
With reference to the above possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the method further includes: if the data analysis server determines that the first process behavior is a suspicious behavior, the data analysis server sends a request message to the first terminal device, the request message requesting provenance information of the first process behavior, where the provenance information includes at least one of: process information of the first process behavior, information on the program file corresponding to the first process behavior, and relationship information between the process creator of the first process behavior and the creator of the program file; the data analysis server receives the provenance information sent by the first terminal device according to the request message; and the data analysis server displays the provenance information through a back-end management interface.
Specifically, the data analysis server can display the provenance information of the suspicious behavior to IT administrators through the back-end management interface, so that the IT administrators can reconstruct from it when and how the suspicious behavior occurred, which helps the later investigation of the attack and the collection of evidence.
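The server side of the second aspect, as an added example that is not the patent's own code: the trusted behavior set is mined from the feature triples reported by several "second" terminals with frequent-itemset style support counting (one of the algorithms the patent names), and the first terminal then receives either the normal-behavior indication (after which it stops re-reporting that behavior) or a provenance request, which it answers with the three pieces of provenance information listed above. All terminal identifiers, reports and provenance records are constructed; the minimum-support threshold and message field names are assumptions.

```python
# Added example (not from the patent): data analysis server, trusted-set mining
# and the terminal <-> server exchange. Every report and record is constructed.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Behavior feature information: (acting app, data accessed, app owning the data).
Feature = Tuple[str, str, str]


def mine_trusted_set(reports: List[Tuple[str, Feature]], min_terminals: int) -> Set[Feature]:
    """Frequent-itemset style mining: a feature triple whose support (number of
    distinct terminals that reported it) reaches min_terminals is trusted.
    Counting distinct terminals rather than raw reports keeps a single noisy
    or compromised terminal from promoting its own behavior to trusted."""
    support: Dict[Feature, Set[str]] = defaultdict(set)
    for terminal_id, feature in reports:
        support[feature].add(terminal_id)
    return {f for f, terminals in support.items() if len(terminals) >= min_terminals}


class DataAnalysisServer:
    def __init__(self, trusted: Set[Feature]) -> None:
        self.trusted = trusted
        self.incidents: List[Dict] = []  # what the back-end management interface shows

    def handle_feature(self, terminal_id: str, feature: Feature) -> Dict:
        """Classify a reported candidate and build the reply message (assumed field names)."""
        if feature in self.trusted:
            return {"type": "indication", "feature": feature, "status": "normal"}
        return {"type": "trace_request", "feature": feature}

    def handle_trace(self, terminal_id: str, feature: Feature, trace: Dict) -> None:
        """Store provenance information for the administrator view."""
        self.incidents.append({"terminal": terminal_id, "feature": feature, "trace": trace})


class Terminal:
    def __init__(self, terminal_id: str, server: DataAnalysisServer) -> None:
        self.terminal_id = terminal_id
        self.server = server
        self.known_normal: Set[Feature] = set()

    def report_candidate(self, feature: Feature, trace: Dict) -> str:
        """Send a candidate's feature info unless the server already marked it normal.
        Returns 'suppressed', 'normal' or 'suspicious'."""
        if feature in self.known_normal:
            return "suppressed"  # eighth implementation: no second transmission
        reply = self.server.handle_feature(self.terminal_id, feature)
        if reply["type"] == "indication" and reply["status"] == "normal":
            self.known_normal.add(feature)
            return "normal"
        # Ninth implementation: answer the provenance request.
        self.server.handle_trace(self.terminal_id, feature, trace)
        return "suspicious"


# Constructed reports from five second terminals: an office suite loading a
# shared vendor runtime DLL is common; one terminal's unknown program reading a
# banking client's executable is not.
COMMON: Feature = ("OfficeSuite", "c:\\program files\\common\\runtime.dll", "RuntimeVendor")
RARE: Feature = ("UnknownApp", "c:\\program files\\bankclient\\bank.exe", "BankClient")
REPORTS: List[Tuple[str, Feature]] = [
    ("t1", COMMON), ("t2", COMMON), ("t3", COMMON), ("t4", COMMON),
    ("t1", COMMON),  # repeat from t1 must not inflate support
    ("t5", RARE),
]


def run_scenario(min_terminals: int = 3) -> Dict[str, object]:
    """Mine the trusted set, then play the first terminal's candidates through it."""
    server = DataAnalysisServer(mine_trusted_set(REPORTS, min_terminals))
    first = Terminal("first-terminal", server)
    trace = {  # constructed provenance information, the three items the patent lists
        "process": {"pid": 4242, "image": "c:\\users\\alice\\downloads\\unknownapp.exe"},
        "program_file": {"path": "c:\\users\\alice\\downloads\\unknownapp.exe"},
        "creator_relation": "process created by explorer.exe; program file written by browser.exe",
    }
    return {
        "trusted": server.trusted,
        "common_first": first.report_candidate(COMMON, {}),
        "common_again": first.report_candidate(COMMON, {}),
        "rare": first.report_candidate(RARE, trace),
        "incidents": len(server.incidents),
    }


if __name__ == "__main__":
    print(run_scenario())
```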
In a third aspect, an apparatus for determining suspicious behavior of an application program is provided, for performing the method in the first aspect or any possible implementation of the first aspect.
Specifically, the apparatus may include units for performing the method in the first aspect or any possible implementation of the first aspect.
In a fourth aspect, an apparatus for determining suspicious behavior of an application program is provided, for performing the method in the second aspect or any possible implementation of the second aspect.
Specifically, the apparatus may include units for performing the method in the second aspect or any possible implementation of the second aspect.
In a fifth aspect, an apparatus for determining suspicious behavior of an application program is provided; the apparatus includes a receiver, a transmitter, a memory, a processor and a bus system. The receiver, the transmitter, the memory and the processor are connected through the bus system; the memory stores instructions; and the processor executes the instructions stored in the memory to control the receiver to receive signals and to control the transmitter to send signals, such that, when the processor executes the instructions stored in the memory, the processor performs the method in the first aspect or any possible implementation of the first aspect.
In a sixth aspect, an apparatus for determining suspicious behavior of an application program is provided; the apparatus includes a receiver, a transmitter, a memory, a processor and a bus system. The receiver, the transmitter, the memory and the processor are connected through the bus system; the memory stores instructions; and the processor executes the instructions stored in the memory to control the receiver to receive signals and to control the transmitter to send signals, such that, when the processor executes the instructions stored in the memory, the processor performs the method in the second aspect or any possible implementation of the second aspect.
In a seventh aspect, a system for determining suspicious behavior of an application program is provided. The system includes the apparatus in the third aspect or any possible implementation of the third aspect and the apparatus in the fourth aspect or any possible implementation of the fourth aspect; or the system includes the apparatus in the fifth aspect or any possible implementation of the fifth aspect and the apparatus in the sixth aspect or any possible implementation of the sixth aspect.
In an eighth aspect, a computer-readable medium is provided for storing a computer program, the computer program including instructions for performing the method in the first aspect or any possible implementation of the first aspect.
In a ninth aspect, a computer-readable medium is provided for storing a computer program, the computer program including instructions for performing the method in the second aspect or any possible implementation of the second aspect.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings needed for the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a system to which an embodiment of the present invention applies.
Fig. 2 is a schematic flow chart of a method for determining suspicious behavior of an application program provided in an embodiment of the present invention.
Fig. 3 is a schematic diagram of another system for determining suspicious behavior of an application program provided in an embodiment of the present invention.
Fig. 4 is a schematic block diagram of an apparatus for determining suspicious behavior of an application program provided in an embodiment of the present invention.
Fig. 5 is a schematic block diagram of another apparatus for determining suspicious behavior of an application program provided in an embodiment of the present invention.
Fig. 6 is a schematic block diagram of another apparatus for determining suspicious behavior of an application program provided in an embodiment of the present invention.
Fig. 7 is a schematic block diagram of another apparatus for determining suspicious behavior of an application program provided in an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Some techniques involved with application programs in an operating system are briefly introduced first. It should be understood that an application program consists of multiple program files, and a program file is also called an executable program file. During its run, a program file can initiate system service requests to the operating system; such a system service request may be called an application programming interface (API) call. API calls can include reading and writing files, allocating memory, network input and output (IO), operating hardware devices, reading and writing system configuration, and so on; the embodiments of the present invention are not limited in this respect.
Once a program file runs, it produces a process in the system, so program files and processes are in one-to-one correspondence. Herein, the API calls made by a program file of an application program during its run are referred to as the "process behavior" of that program file. It should be understood that each process behavior corresponds to one item of behavior feature information, and each item of behavior feature information includes the paths involved in performing the corresponding process behavior.
In addition, the processes, threads, files, directories, registry entries and the like related to an application program are referred to herein as the "data" of the application program. Each installation and each run of an application program produces corresponding data, and it should be understood that all data other than system data belongs to some specific application program.
Fig. 1 shows a system 100 to which an embodiment of the present invention applies. The system 100 may include at least one terminal device 110 and a data analysis server 120. The terminal device 110 may be mobile or fixed. The terminal device 110 may refer to an access terminal, user equipment (UE), a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus. The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication function, a computing device or another processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network, a terminal device in a future evolved Public Land Mobile Network (PLMN), and so on. In the embodiments of the present invention, optionally, the terminal device 100 is a host or a client.
The data analysis server 120 may be a file server, a database server, an application server, a web server or the like; the embodiments of the present invention are not limited in this respect.
Fig. 1 schematically illustrates a terminal device and a data analytics server, alternatively, should
System 100 can include multiple terminal devices, and the embodiment of the present invention is not limited this.
In embodiments of the present invention, multiple terminal devices independently can be believed with data analytics server
Breath interaction.Therefore, data analytics server may enter row information in synchronization with multiple terminal devices
Transmission, so that it is determined that in multiple terminal devices each terminal device application program suspicious actions.Due to number
Determine that the process of application program suspicious actions in each terminal device is similar according to Analysis server, for the ease of
Understand and illustrate, below, the first terminal equipment in multiple terminal devices is determined with data analytics server
Illustrated exemplified by the flow of middle application program suspicious actions.
Fig. 2 shows a schematic flowchart of a method for determining suspicious application behavior provided in an embodiment of the present invention. The method 200 may be applied to the system 100 shown in Fig. 1, but the embodiment of the present invention is not limited to this. The method 200 includes:
S210. When a first terminal device determines that the data accessed by a first process behavior of a first application belongs to a second application different from the first application, the first terminal device determines the first process behavior to be a candidate suspicious behavior, the data including at least one of a process, a thread, a file, a directory and a registry entry.
Specifically, multiple applications may be installed on the first terminal device. When the first terminal device detects a process behavior that belongs to a first application among the multiple applications, but the data accessed by the process behavior belongs to a second application among the multiple applications, the first application being different from the second application, the first terminal device regards the process behavior as accessing data that does not belong to its own application and may determine the process behavior to be a candidate suspicious behavior.
It should be understood that in the embodiment of the present invention the first terminal device does not merely detect the process behaviors of all applications in the system; it filters all the detected process behaviors according to whether the data accessed by a process behavior belongs to the application that the process behavior belongs to, and thereby screens the apparently suspicious process behaviors out of all process behaviors.
It should also be understood that this embodiment is described using the determination of a single process behavior as an example; the method above may be used to determine every process behavior detected by the first terminal device.
Optionally, before the first terminal device determines the first process behavior to be a candidate suspicious behavior, the first terminal device determines the relation information between the applications in the system and their data. Here, determining the relation information between applications and data can be divided into the following three cases:
(1) The first terminal device may obtain the relation information between the applications already present in the system and their data by collecting system information. For example, the first terminal device may locate an application's installation directory through the registry, attribute to the application the program files and non-program files whose creation time is consistent with the directory's creation time, and record the product name, company copyright name, digital signature information, etc., of the application's program files in an information database.
(2) The first terminal device may obtain in real time, by real-time monitoring, the relation information between each application in the system and the data it creates. For example, if the first terminal device detects a data creation action of a process, it stores the relation information between the created data and its creator in the information database.
(3) The first terminal device may determine whether the system is installing an application; if the system is installing an application, it establishes the association between the data created during the installation process and that application. For example, if it detects that a process, or a subprocess of that process, creates multiple program files in a fixed directory, the first terminal device may determine whether the process or subprocess has registered an application; if it has, the first terminal device establishes the relation between the application and the program files and registry entries, and stores the corresponding relation information in the information database.
After the relation information between applications and data has been determined, the first terminal device can screen the detected process behaviors according to that relation information. Specifically, for example, the first application includes process P1 and process P2. If P1 creates file F during its execution, file F belongs to the first application. If process P2 accesses file F during its execution, the behavior of process P2 may be regarded as legitimate. If process P3 of a second application different from the first application accesses file F, the behavior of process P3 is a candidate suspicious behavior.
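The three ways of building the application/data relation information and the P1/P2/P3 screening above, as an added Python example that is not part of the patent: the registry keys, paths, creation timestamps and the list of program-file extensions are constructed assumptions.

```python
from dataclasses import dataclass, field

# Extensions treated as "program files" (assumption; the patent does not list them).
PROGRAM_EXTENSIONS = (".exe", ".dll", ".sys")


@dataclass
class RelationDB:
    """Information database: data path -> owning application."""
    owner: dict = field(default_factory=dict)

    def owner_of(self, path):
        # None means the path is unknown to the database (treated as system data).
        return self.owner.get(path)


def scan_install_dirs(db, registry, fs):
    """Case (1): the registry gives each application's install directory; files under
    it whose creation time equals the directory's creation time are attributed to it."""
    for app, install_dir in registry.items():
        dir_ctime = fs[install_dir]["ctime"]
        for path, meta in fs.items():
            if path.startswith(install_dir + "\\") and meta["ctime"] == dir_ctime:
                db.owner[path] = app


def on_create(db, creator_app, created_path):
    """Case (2): a data creation action observed in real time; the created object
    belongs to the application of the creating process."""
    db.owner[created_path] = creator_app


def on_install(db, written_paths, registered_app):
    """Case (3): a process (or its subprocess) wrote several program files into one
    directory; if it registered an application, the written files belong to it."""
    program_files = [p for p in written_paths if p.lower().endswith(PROGRAM_EXTENSIONS)]
    if registered_app is None or len(program_files) < 2:
        return False
    for p in written_paths:
        db.owner[p] = registered_app
    return True


def is_candidate(db, acting_app, accessed_path):
    """S210: a process behavior that touches data belonging to a different application
    is a candidate suspicious behavior. Data with no recorded owner is not flagged here."""
    owner = db.owner_of(accessed_path)
    return owner is not None and owner != acting_app


def build_demo_db():
    """Constructed sample data reproducing the P1/P2/P3 example from the text."""
    db = RelationDB()
    registry = {"AppA": r"C:\Program Files\AppA"}            # constructed registry data
    fs = {                                                    # constructed file metadata
        r"C:\Program Files\AppA": {"ctime": 100},
        r"C:\Program Files\AppA\a.exe": {"ctime": 100},
        r"C:\Program Files\AppA\a.dll": {"ctime": 100},
        r"C:\Program Files\AppA\user.log": {"ctime": 250},   # written later, not attributed
    }
    scan_install_dirs(db, registry, fs)
    # P1 (a process of AppA) creates file F at run time.
    on_create(db, "AppA", r"C:\Users\u\AppData\AppA\F.dat")
    # An installer drops AppB's program files and registers AppB.
    on_install(db, [r"C:\Program Files\AppB\b.exe", r"C:\Program Files\AppB\b.dll"], "AppB")
    return db


if __name__ == "__main__":
    db = build_demo_db()
    f = r"C:\Users\u\AppData\AppA\F.dat"
    print("P2 (AppA) reads F:", is_candidate(db, "AppA", f))  # False: legitimate
    print("P3 (AppB) reads F:", is_candidate(db, "AppB", f))  # True: candidate
```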
S220. The first terminal device sends the behavior characteristic information of the first process behavior to the data analysis server.
Specifically, in the embodiment of the present invention, the first terminal device reports the behavior characteristic information of the screened candidate suspicious behavior (that is, the first process behavior) directly to the data analysis server, and the data analysis server analyzes and processes the first process behavior.
S230. The data analysis server receives the behavior characteristic information of the first process behavior and determines, according to that behavior characteristic information, whether the first process behavior is a suspicious behavior.
Specifically, the data analysis server may receive the behavior characteristic information of the first process behavior that the first terminal device considers suspicious, and then judge according to that behavior characteristic information whether the first process behavior is a suspicious behavior.
As an optional embodiment, the data analysis server determining, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior includes:
the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior;
if it determines that the first process behavior does not belong to the trusted behavior set, the data analysis server determines that the first process behavior is a suspicious behavior.
Specifically, the data analysis server may judge whether the first process behavior belongs to the trusted behavior set, which includes at least one trusted behavior. If the first process behavior belongs to the trusted behavior set, the data analysis server determines that the first process behavior is normal behavior; if the first process behavior does not belong to the trusted behavior set, the data analysis server determines that the first process behavior is a suspicious behavior.
Thus, based on the data access rules between applications, the embodiment of the present invention has the terminal device determine candidate suspicious behaviors from all detected process behaviors and send the behavior characteristic information of the determined candidate suspicious behaviors to the data analysis server, which determines whether the candidate suspicious behaviors are suspicious behaviors. The method for determining suspicious application behavior of the embodiment of the present invention can determine suspicious behaviors that access application data without authorization, without relying on security software and without requiring user participation.
It should be understood that the magnitude of the sequence numbers of the above processes does not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and does not constitute any limitation on the implementation of the embodiment of the present invention.
In the prior art, a host determines suspicious behavior directly using security software, which monitors the process behaviors of all applications in the system. IT personnel can set an access control policy in the security software in advance to control the access of application process behaviors in the system to system data. If a process behavior does not satisfy the access control policy, the security software judges that process behavior to be a suspicious behavior. After a suspicious behavior is detected, the security software can directly alert the user of the host and let the user choose whether to block the suspicious behavior. Traditional host-based defense therefore aims mainly at preventing suspicious behaviors from attacking the system, and this defense method necessarily depends on security software.
However, the traditional defense method only concerns the rules by which applications access system data and does not consider the data access rules between applications; it cannot prevent suspicious behaviors that access application data without authorization, for example suspicious behaviors that steal or tamper with application data. Moreover, since ordinary users do not have much computer knowledge, letting the user judge whether to block a suspicious behavior, as the traditional method does, is not very appropriate.
Therefore, based on the data access rules between applications, the embodiment of the present invention has the terminal device determine candidate suspicious behaviors from the detected process behaviors and send the behavior characteristic information of the determined candidate suspicious behaviors to the data analysis server, which determines whether the candidate suspicious behaviors are suspicious behaviors, so that suspicious behaviors that access application data without authorization on the terminal device can be determined. Compared with the prior art, this method need not rely on security software and need not have the user take part in the determination, which can improve the accuracy and reliability of the judgement of suspicious behavior and thereby improve the overall performance of the system.
As an optional embodiment, in S210, the first terminal device's determination of candidate suspicious behavior can be divided into several cases according to the specific type of the process behavior.
Optionally, if the first process behavior is a dynamic link library (DLL) file loading behavior of the first application, the first terminal device determines whether the DLL file loaded by the first process behavior is a system DLL file; if the DLL file is not a system DLL file, the first terminal device determines the application to which the DLL file belongs; if the DLL file belongs to a second application different from the first application, the first terminal device determines the first process behavior to be a candidate suspicious behavior.
Optionally, if the first process behavior is a registry access behavior of the first application, the first terminal device determines the application that created the registry path accessed by the first process behavior; if the registry path was created by a second application different from the first application, the first terminal device determines whether the registry path is a publicly accessible path; if the registry path is not a publicly accessible path, the first terminal device determines the first process behavior to be a candidate suspicious behavior.
Optionally, if the first process behavior is a file access behavior of the first application, the first terminal device determines the application that created the file accessed by the first process behavior; if the file accessed by the first process behavior was created by a second application different from the first application, the first terminal device determines the type of the file accessed by the first process behavior; if the type of the accessed file is a program file, the first terminal device may directly determine the first process behavior to be a candidate suspicious behavior.
Optionally, if the type of the file accessed by the first process behavior is a non-program file, the first terminal device determines the application registered for the extension of the file accessed by the first process behavior; if the application registered for that extension is a third application different from the first application, the first terminal device determines the first process behavior to be a candidate suspicious behavior.
Optionally, if the first process behavior is a process creation behavior, the terminal device determines whether the process created by the first process behavior belongs to the first application; if the created process does not belong to the first application, the terminal device determines whether the process is a system process of the first terminal device; if the process is not a system process of the first terminal device, the first terminal device determines the first process behavior to be a candidate suspicious behavior.
Here, the first process behavior should be understood as the behavior of a virus: the program file of the first application carries a virus, and when the system runs the program file the virus may create a new process that does not belong to the first application. The above judgement condition therefore makes it possible to determine whether an application carries a virus.
Optionally, if the first process behavior is a thread creation behavior, the terminal device determines the application to which the thread created by the first process behavior belongs; if the thread created by the first process behavior belongs to a second application different from the first application, the first terminal device determines the first process behavior to be a candidate suspicious behavior.
It should be understood that there are many kinds of suspicious application behavior, including but not limited to the following: cross-process thread injection, loading a DLL file of unknown origin, accessing a file that does not belong to the application itself, accessing a registry entry that does not belong to the application itself, modifying a system file, deleting a system file, modifying the system registry, deleting the system registry, etc. Only some of these cases are listed and described above; the other cases are similar and are not repeated here.
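The per-type screening rules of S210 (DLL load, registry access, program and non-program file access, process creation, thread creation) as an added Python example, not code from the patent. The ownership map, the extension registrations, the system DLL and "publicly accessible" registry prefixes and the list of system processes are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed assumptions: which locations count as "system" and "publicly accessible".
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PUBLIC_REGISTRY_PATHS = ("hklm\\software\\classes\\",)
PROGRAM_EXTENSIONS = (".exe", ".dll", ".sys")


@dataclass(frozen=True)
class ProcessBehavior:
    kind: str     # "dll_load" | "registry" | "file" | "proc_create" | "thread_create"
    app: str      # application the acting process belongs to (the "first application")
    target: str   # DLL path, registry path, file path, new process image, or target process image


def extension(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def is_candidate(b, owner, ext_registry, system_processes):
    """Apply the per-type rules of S210.
    owner: data path -> creating/owning application (absent = not attributed to any app)
    ext_registry: file extension -> application registered to handle it
    system_processes: image paths of system processes"""
    t = b.target.lower()
    if b.kind == "dll_load":
        if t.startswith(SYSTEM_DLL_DIRS):            # system DLL: never a candidate
            return False
        o = owner.get(b.target)
        return o is not None and o != b.app        # DLL belonging to another application
    if b.kind == "registry":
        creator = owner.get(b.target)
        if creator is None or creator == b.app:
            return False
        return not t.startswith(PUBLIC_REGISTRY_PATHS)   # another app's non-public key
    if b.kind == "file":
        creator = owner.get(b.target)
        if creator is None or creator == b.app:
            return False
        ext = extension(b.target)
        if ext in PROGRAM_EXTENSIONS:              # another app's program file: candidate
            return True
        registered = ext_registry.get(ext)         # non-program file: who owns the extension?
        return registered is not None and registered != b.app
    if b.kind == "proc_create":
        if owner.get(b.target) == b.app:           # the new process is the app's own
            return False
        return b.target not in system_processes    # and not a system process either
    if b.kind == "thread_create":
        o = owner.get(b.target)                    # process in which the thread was created
        return o is not None and o != b.app
    raise ValueError("unknown behavior kind: " + b.kind)


def screen(behaviors, owner, ext_registry, system_processes):
    """Return the behaviors the terminal device would report as candidates, in order."""
    return [b for b in behaviors if is_candidate(b, owner, ext_registry, system_processes)]


# Constructed sample relation data; AppA is the acting application in every case.
SAMPLE_OWNER = {
    r"C:\Program Files\AppA\a.dll": "AppA",
    r"C:\Program Files\AppB\b.dll": "AppB",
    r"C:\Program Files\AppB\b.exe": "AppB",
    r"HKCU\Software\AppB\Settings": "AppB",
    r"HKLM\SOFTWARE\Classes\.txt": "AppB",
    r"C:\Users\u\Documents\report.docx": "AppB",
    r"C:\Users\u\Documents\notes.txt": "AppB",
}
SAMPLE_EXT_REGISTRY = {".docx": "AppB", ".txt": "AppA"}
SAMPLE_SYSTEM_PROCESSES = {r"C:\Windows\System32\svchost.exe"}

SAMPLE_BEHAVIORS = [
    ProcessBehavior("dll_load", "AppA", r"C:\Windows\System32\kernel32.dll"),   # system DLL
    ProcessBehavior("dll_load", "AppA", r"C:\Program Files\AppA\a.dll"),       # own DLL
    ProcessBehavior("dll_load", "AppA", r"C:\Program Files\AppB\b.dll"),       # candidate
    ProcessBehavior("registry", "AppA", r"HKLM\SOFTWARE\Classes\.txt"),        # public path
    ProcessBehavior("registry", "AppA", r"HKCU\Software\AppB\Settings"),       # candidate
    ProcessBehavior("file", "AppA", r"C:\Program Files\AppB\b.exe"),           # candidate (program file)
    ProcessBehavior("file", "AppA", r"C:\Users\u\Documents\notes.txt"),        # .txt registered to AppA
    ProcessBehavior("file", "AppA", r"C:\Users\u\Documents\report.docx"),      # candidate (.docx -> AppB)
    ProcessBehavior("proc_create", "AppA", r"C:\Windows\System32\svchost.exe"),  # system process
    ProcessBehavior("proc_create", "AppA", r"C:\Temp\unknown.exe"),            # candidate (no owner)
    ProcessBehavior("thread_create", "AppA", r"C:\Program Files\AppB\b.exe"),  # candidate (cross-process)
]


def demo():
    return screen(SAMPLE_BEHAVIORS, SAMPLE_OWNER, SAMPLE_EXT_REGISTRY, SAMPLE_SYSTEM_PROCESSES)
```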
As an optional embodiment, before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
the data analysis server receives the behavior characteristic information of multiple second process behaviors sent by each second terminal device among at least one second terminal device;
the data analysis server determines the trusted behavior set using a data mining algorithm, according to the behavior characteristic information of the multiple second process behaviors sent by the at least one second terminal device, where the trusted behavior set includes at least one second process behavior among the multiple second process behaviors.
It should be understood that the second terminal device in this embodiment may be the same as or different from the first terminal device above, and the second process behavior may be the same as or different from the first process behavior above; the embodiment of the present invention does not limit this.
As an optional embodiment, the behavior characteristic information of the first process behavior includes: information on the application to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application to which the data accessed by the first process behavior belongs;
the behavior characteristic information of the multiple second process behaviors includes: information on the applications to which the multiple second process behaviors belong, information on the data accessed by the multiple second process behaviors, and information on the applications to which the data accessed by the multiple second process behaviors belongs.
Specifically, the trusted behavior characteristic information set may be generated by data mining, so the second terminal devices need to send the data analysis server behavior characteristic information that a data mining algorithm can use. After determining a second process behavior, the second terminal device preprocesses the information of the second process behavior and converts it into behavior characteristic information. Optionally, the second terminal device may send the behavior characteristic information to the data analysis server in the form of a set, which may include: the behavior of the second process behavior, the destination path of the second process behavior, the file name and path information of the application to which the second process behavior belongs, the copyright information of the application, the version information of the application, the head hash value of the application's program file, the digital signature information of the application's program file, etc.
Because the detection of APT attacks generally tends to use big data analysis, a data mining algorithm can uncover suspicious behaviors that security software cannot identify. Optionally, the data mining algorithm here may be a frequent itemset algorithm, a support vector machine algorithm, a decision tree algorithm, etc.; the embodiment of the present invention does not limit this.
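Building the trusted behavior set from the second terminal devices' reports with a frequent itemset algorithm (Apriori), and then judging a first process behavior against it as in S230, as an added Python example that is not the patent's code. The feature fields follow the set described above; the choice of which fields a trusted itemset must cover, the support threshold, the terminal identifiers and all paths, versions, hashes and signer names are constructed assumptions.

```python
from collections import Counter
from itertools import combinations

# Fields a trusted itemset must cover (assumption): the behavior, its destination path
# and the signer of the program file that performed it.
KEY_FIELDS = frozenset({"behavior", "dest", "signature"})


def make_features(behavior, dest, program_file, copyright, version, head_hash, signature):
    """Behavior characteristic information as a set of (field, value) items."""
    return frozenset({("behavior", behavior), ("dest", dest), ("file", program_file),
                      ("copyright", copyright), ("version", version),
                      ("head_hash", head_hash), ("signature", signature)})


def frequent_itemsets(transactions, min_support):
    """Apriori: return {itemset: support count} for every itemset contained in at
    least min_support transactions (each transaction is a frozenset of items)."""
    counts = Counter(item for t in transactions for item in t)
    current = {frozenset([i]) for i, c in counts.items() if c >= min_support}
    frequent = {s: counts[next(iter(s))] for s in current}
    k = 2
    while current:
        # Join step: merge pairs into k-itemsets; prune any with an infrequent (k-1)-subset.
        candidates = set()
        for a in current:
            for b in current:
                u = a | b
                if len(u) == k and all(frozenset(sub) in current for sub in combinations(u, k - 1)):
                    candidates.add(u)
        counts = Counter()
        for c in candidates:
            counts[c] = sum(1 for t in transactions if c <= t)
        current = {c for c, n in counts.items() if n >= min_support}
        frequent.update({c: counts[c] for c in current})
        k += 1
    return frequent


def build_trusted_set(reports, min_support):
    """reports: (terminal id, features). Each terminal counts once per distinct behavior,
    so one terminal repeating a report cannot make the behavior 'frequent' by itself."""
    transactions = [f for _, f in {(tid, f) for tid, f in reports}]
    frequent = frequent_itemsets(transactions, min_support)
    return {s for s in frequent if {field for field, _ in s} >= KEY_FIELDS}


def judge(features, trusted):
    """S230: a first process behavior is normal if it contains a trusted itemset."""
    return "normal" if any(s <= features for s in trusted) else "suspicious"


A_EXE = r"C:\Program Files\AppA\a.exe"
B_DLL = r"C:\Program Files\AppB\b.dll"
B_DB = r"C:\Users\u\AppData\AppB\store.db"

# Constructed reports from four second terminal devices. Version and head hash of a.exe
# differ between terminals, so exact matching of whole feature sets never reaches support 3,
# while the itemset {dll_load, b.dll, signed by "A Co"} is supported by all four.
SAMPLE_REPORTS = [
    ("T1", make_features("dll_load", B_DLL, A_EXE, "A Co", "1.0", "hash-a1", "A Co")),
    ("T2", make_features("dll_load", B_DLL, A_EXE, "A Co", "1.0", "hash-a1", "A Co")),
    ("T3", make_features("dll_load", B_DLL, A_EXE, "A Co", "1.1", "hash-a2", "A Co")),
    ("T4", make_features("dll_load", B_DLL, A_EXE, "A Co", "1.1", "hash-a2", "A Co")),
    ("T1", make_features("dll_load", B_DLL, A_EXE, "A Co", "1.0", "hash-a1", "A Co")),  # repeat
    ("T1", make_features("file_access", B_DB, A_EXE, "A Co", "1.0", "hash-a1", "A Co")),
]

# First process behaviors reported by the first terminal device (a newer a.exe build).
FIRST_DLL_LOAD = make_features("dll_load", B_DLL, A_EXE, "A Co", "2.0", "hash-a3", "A Co")
FIRST_FILE_ACCESS = make_features("file_access", B_DB, A_EXE, "A Co", "2.0", "hash-a3", "A Co")

if __name__ == "__main__":
    trusted = build_trusted_set(SAMPLE_REPORTS, min_support=3)
    print("dll load:", judge(FIRST_DLL_LOAD, trusted))        # normal
    print("file access:", judge(FIRST_FILE_ACCESS, trusted))  # suspicious
```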
As an optional embodiment, after the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
if the data analysis server determines that the first process behavior is normal behavior, the data analysis server sends indication information to the first terminal device, the indication information indicating that the first process behavior is normal behavior;
the first terminal device receives the indication information sent by the data analysis server and, according to the indication information, determines that the first process behavior is normal behavior.
In this way, if the first terminal device detects the first process behavior again, it will not send the behavior characteristic information of the first process behavior to the data analysis server again.
As an optional embodiment, after the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
if the data analysis server determines that the first process behavior is a suspicious behavior, the data analysis server sends a request message to the first terminal device, the request message requesting provenance information of the first process behavior, the provenance information including at least one of: process information of the first process behavior, information on the program file corresponding to the first process behavior, and relation information between the process creator and the program file creator of the first process behavior;
the first terminal device receives the request message sent by the data analysis server and, according to the request message, sends the provenance information to the data analysis server;
the data analysis server receives the provenance information sent by the first terminal device according to the request message, and displays the provenance information through a back-end management interface.
In this embodiment, after determining a suspicious behavior, the data analysis server can display the provenance information of the suspicious behavior through the back-end management interface, so that information technology (IT) administrators can determine the source of the suspicious behavior from the provenance information.
In a specific embodiment, the terminal device above may specifically be a client, and the above method for determining suspicious programs may be applied to an enterprise that includes multiple clients. As shown in Fig. 3, for example, the enterprise includes client 301, client 302 and client 303, and a monitoring program is deployed on each client, namely probe program 304, probe program 305 and probe program 306. These probe programs are responsible for monitoring all process behaviors on the enterprise clients in real time and filtering the monitored process behaviors: if a process behavior accesses data that does not belong to its own application, the probe program judges the process behavior to be a candidate suspicious behavior.
After the candidate suspicious behaviors are determined, each client can extract the behavior characteristic information of its own candidate suspicious behaviors.
The probe program on a client sends the behavior characteristic information of the determined candidate suspicious behaviors to the data analysis server 307. The data analysis server 307 continuously receives the behavior characteristic information of candidate suspicious behaviors sent from different clients, performs statistical analysis on the received behavior characteristic information using a data mining algorithm, and generates a trusted behavior set that includes at least one trusted behavior. After the data analysis server 307 has generated the trusted behavior set, it can judge, according to the behavior characteristic information of a candidate suspicious behavior, whether that candidate suspicious behavior is a suspicious behavior.
For example, when the data analysis server 307 receives the behavior characteristic information of a process behavior sent by client 301, that is, the behavior characteristic information of the candidate suspicious behavior above, it can judge the process behavior according to that behavior characteristic information.
If the data analysis server 307 determines that the process behavior is normal behavior, it sends indication information to client 301 indicating that the process behavior is normal behavior. After receiving the indication information, client 301 determines the process behavior to be normal behavior. If client 301 subsequently detects the process behavior again, it will not send the behavior characteristic information of that process behavior to the data analysis server 307 again.
If the data analysis server 307 determines that the process behavior is a suspicious behavior, it can send a request message to client 301 requesting the provenance information of the process behavior. After receiving the request message, client 301 can send the provenance information of the process behavior to the data analysis server 307; the data analysis server 307 receives the provenance information sent by client 301 and displays it through the back-end management interface.
Optionally, the data analysis server 307 can send the provenance information to a system management server 308. The system management server 308 can display the provenance information in real time to the relevant staff of the enterprise, such as IT administrators, so that the IT administrators can reconstruct from the provenance information when and how the suspicious behavior occurred, which is beneficial to the later investigation and evidence collection of the attack.
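The client/server exchange described in the two optional embodiments above and again in the Fig. 3 walkthrough (indication information that suppresses repeat reports, request message and provenance reply, display and forwarding to the management server) as an added Python example, not the patent's code. The message field names, the exact-membership stand-in for the mined trusted set, and the sample behaviors and provenance details are constructed assumptions.

```python
class DataAnalysisServer:
    """Server 307: holds a trusted behavior set (exact membership stands in here for the
    mined set) and the provenance records shown on the back-end management interface."""

    def __init__(self, trusted_behaviors):
        self.trusted = set(trusted_behaviors)
        self.displayed = []           # records shown on the back-end management interface
        self.management_server = []   # records forwarded to system management server 308

    def handle_report(self, features):
        """S230: answer a report with indication information or a provenance request."""
        if features in self.trusted:
            return {"type": "indication", "verdict": "normal"}
        return {"type": "request", "wanted": ["process", "program_file", "creator_relation"]}

    def handle_trace(self, features, trace):
        record = {"behavior": features, **trace}
        self.displayed.append(record)
        self.management_server.append(record)


class ProbeClient:
    """Probe program on a client: reports candidates, remembers 'normal' verdicts so the
    same behavior is not reported twice, and answers provenance requests locally."""

    def __init__(self, server, local_info):
        self.server = server
        self.local_info = local_info   # features -> provenance details held on the client
        self.known_normal = set()
        self.reports_sent = 0

    def on_candidate(self, features):
        if features in self.known_normal:
            return "not reported"         # server already said normal: stay silent
        self.reports_sent += 1
        reply = self.server.handle_report(features)
        if reply["type"] == "indication":
            self.known_normal.add(features)
            return "normal"
        trace = {k: self.local_info[features][k] for k in reply["wanted"]}
        self.server.handle_trace(features, trace)
        return "provenance sent"


# Constructed sample behaviors: (behavior, destination path, acting application).
NORMAL_BEHAVIOR = ("dll_load", r"C:\Program Files\AppB\b.dll", "AppA")
SUSPECT_BEHAVIOR = ("file_access", r"C:\Users\u\AppData\AppB\store.db", "AppA")


def build_demo():
    server = DataAnalysisServer({NORMAL_BEHAVIOR})
    local_info = {   # constructed provenance details the client can answer with
        SUSPECT_BEHAVIOR: {
            "process": {"pid": 4242, "image": r"C:\Program Files\AppA\a.exe"},
            "program_file": {"path": r"C:\Program Files\AppA\a.exe", "signer": "A Co"},
            "creator_relation": {"process_creator": "explorer.exe", "file_creator": "setup_a.exe"},
        },
    }
    return server, ProbeClient(server, local_info)


if __name__ == "__main__":
    server, client = build_demo()
    print(client.on_candidate(NORMAL_BEHAVIOR))    # normal
    print(client.on_candidate(NORMAL_BEHAVIOR))    # not reported
    print(client.on_candidate(SUSPECT_BEHAVIOR))   # provenance sent
    print(server.displayed)
```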
It should be understood that during the establishment phase of the trusted set above, the data analysis server's judgement of suspicious behavior may not be accurate. Because this statistical analysis relies on process behaviors accumulated over a period of time, some behavior may be rare when counting has just begun and only gradually increase in number later; the data analysis server therefore needs to iterate back over the process behaviors received earlier to improve the accuracy of the judgement results.
The method for determining suspicious application behavior of the embodiment of the present invention, based on the data access rules between applications, has the terminal device determine candidate suspicious behaviors from the detected process behaviors and send the behavior characteristic information of the determined candidate suspicious behaviors to the data analysis server, which determines whether the candidate suspicious behaviors are suspicious behaviors, so that suspicious behaviors that access application data without authorization can be determined. Compared with the prior art, this method need not rely on security software and need not have the user take part in the determination, which can improve the accuracy and reliability of the judgement of suspicious behavior and thereby improve the overall performance of the system. On this basis, the embodiment of the present invention can present the provenance information of the suspicious behavior to IT administrators through the back-end management interface, so that the IT administrators can reconstruct from the provenance information when and how the suspicious behavior occurred, which is beneficial to the later investigation and evidence collection of the attack.
It should be understood that the magnitude of the sequence numbers of the above processes does not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and does not constitute any limitation on the implementation of the embodiment of the present invention.
Above, with reference to Fig. 1 to Fig. 3, the method for determining suspicious application behavior according to the embodiment of the present invention has been described in detail. Below, with reference to Fig. 4 to Fig. 7, the devices for determining suspicious application behavior according to the embodiment of the present invention are described in detail.
Fig. 4 shows the device provided in an embodiment of the present invention for being used to determine application program suspicious actions
400, the device 400 includes:
Determining unit 410, for it is determined that the data that the process behavior of the first application program is accessed belong to
Different from first application program the second application program when, the process behavior is defined as the suspicious row of candidate
For the data include at least one in process, thread, file, catalogue and registry entry;
Transmitting element 420, the behavior characteristic information for sending the process behavior to data analytics server,
In order to which the data analytics server determines the process behavior according to the behavior characteristic information of the process behavior
Whether it is suspicious actions.
Optionally, the determining unit 410 is specifically configured to:
if the process behavior is a dynamic link library (DLL) file loading behavior of the first application program, determine whether the DLL file loaded by the process behavior is a system DLL file;
if the DLL file is not a system DLL file, determine the application program to which the DLL file belongs;
if the DLL file belongs to a second application program different from the first application program, determine the process behavior as a candidate suspicious behavior.
Optionally, the determining unit 410 is specifically configured to:
if the process behavior is a registry access behavior of the first application program, determine the application program that created the registry path accessed by the process behavior;
if the registry path was created by the second application program different from the first application program, determine whether the registry path is a publicly accessible path;
if the registry path is not a publicly accessible path, determine the process behavior as the candidate suspicious behavior.
Optionally, the determining unit 410 is specifically configured to:
if the process behavior is a file access behavior of the first application program, determine the application program that created the file accessed by the process behavior;
if the file accessed by the process behavior was created by the second application program different from the first application program, determine the type of the file accessed by the process behavior;
if the type of the file accessed by the process behavior is a program file, determine the process behavior as the candidate suspicious behavior.
Optionally, the determining unit 410 is specifically configured to:
if the type of the file accessed by the process behavior is a non-program file, determine whether the application program registered for the extension name of the file accessed by the process behavior is the first application program;
if the application program registered for the extension name of the file accessed by the process behavior is a third application program different from the first application program, determine the process behavior as the candidate suspicious behavior.
Optionally, the behavior feature information includes: information on the application program to which the process behavior belongs, information on the data accessed by the process behavior, and information on the application program to which the data accessed by the process behavior belongs.
Optionally, the device 400 further includes:
a first receiving unit, configured to receive, after the behavior feature information of the process behavior has been sent to the data analysis server, indication information sent by the data analysis server, the indication information indicating that the process behavior is a normal behavior;
the determining unit 410 is further configured to: determine, according to the indication information, that the process behavior is a normal behavior.
Optionally, the device 400 further includes:
a second receiving unit, configured to receive, after the behavior feature information of the process behavior has been sent to the data analysis server, a request message sent by the data analysis server, the request message requesting provenance information of the process behavior, the provenance information including at least one of: process information of the process behavior, information on the program file corresponding to the process behavior, and relation information between the process creator of the process behavior and the creator of the program file;
the sending unit 420 is further configured to: send the provenance information to the data analysis server according to the request message.
It should be understood that the device 400 here is embodied in the form of functional units. The term "unit" here may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (such as a shared processor, a dedicated processor or a group processor) and memory for executing one or more software or firmware programs, a merged logic circuit, and/or other suitable components supporting the described functions. In an optional example, those skilled in the art will understand that the device 400 may specifically be the first terminal device in the above embodiments, and that the device 400 may be configured to perform each flow and/or step corresponding to the first terminal device in the above method embodiments; to avoid repetition, details are not described again here.
Fig. 5 shows a device 500 for determining suspicious behavior of an application program according to an embodiment of the present invention. The device 500 includes:
a receiving unit 510, configured to receive behavior feature information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application program, the data accessed by the first process behavior belongs to a second application program different from the first application program, and the data includes at least one of a process, a thread, a file, a directory and a registry entry;
a determining unit 520, configured to determine, according to the behavior feature information of the first process behavior, whether the first process behavior is a suspicious behavior.
Optionally, the determining unit 520 is specifically configured to:
determine, according to the behavior feature information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior;
if the first process behavior does not belong to the trusted behavior set, determine that the first process behavior is a suspicious behavior.
Optionally, the receiving unit 510 is further configured to:
before the data analysis server determines, according to the behavior feature information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, receive behavior feature information of multiple second process behaviors sent by each second terminal device of at least one second terminal device;
the determining unit 520 is further configured to:
determine the trusted behavior set using a data mining algorithm according to the behavior feature information of the multiple second process behaviors sent by each second terminal device, where the trusted behavior set includes at least one second process behavior of the multiple second process behaviors.
Optionally, the behavior feature information of the first process behavior includes: information on the application program to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application program to which the data accessed by the first process behavior belongs;
the behavior feature information of the multiple second process behaviors includes: information on the application programs to which the multiple second process behaviors belong, information on the data accessed by the multiple second process behaviors, and information on the application programs to which the data accessed by the multiple second process behaviors belongs.
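The server side described above (mining a trusted behavior set from the reports of several second terminal devices, then treating a first process behavior as suspicious unless it is in that set) is shown in the following added example, which is not code from the patent. The patent does not name the data mining algorithm; as an assumption, the example uses the simplest frequent-pattern criterion, a behavior reported by at least a `MIN_SUPPORT` fraction of the second terminal devices is trusted. The message shapes, the terminal reports and the provenance records are constructed for the example, and the behavior feature information uses the same three fields the text lists (application of the behavior, data accessed, application owning the data).

```python
"""Server-side determination from a mined trusted behavior set (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

BehaviorKey = Tuple[str, str, str, str]   # (app, data kind, data target, data owner)
MIN_SUPPORT = 0.5   # assumed: fraction of second terminals that must report a behavior


def behavior_key(info: dict) -> BehaviorKey:
    """Normalise behavior feature information into a hashable key."""
    return (info["app"], info["data"]["kind"], info["data"]["target"], info["data_owner"])


def mine_trusted_set(reports: Dict[str, List[dict]],
                     min_support: float = MIN_SUPPORT) -> Set[BehaviorKey]:
    """reports maps a second terminal id to the feature information it sent.

    A behavior is trusted when enough distinct terminals exhibit it: cross-
    application access seen on most of the fleet is far more likely an
    application's normal behavior than a compromise of a single host.
    """
    terminals_per_behavior = defaultdict(set)
    for terminal, infos in reports.items():
        for info in infos:
            terminals_per_behavior[behavior_key(info)].add(terminal)
    total = len(reports)
    return {k for k, ts in terminals_per_behavior.items() if len(ts) / total >= min_support}


def is_suspicious(info: dict, trusted: Set[BehaviorKey]) -> bool:
    """The first process behavior is suspicious unless it is in the trusted set."""
    return behavior_key(info) not in trusted


def server_response(info: dict, trusted: Set[BehaviorKey]) -> dict:
    """Indication (normal) or provenance request (suspicious) sent to the first terminal."""
    if not is_suspicious(info, trusted):
        return {"type": "indication", "behavior": behavior_key(info), "normal": True}
    return {"type": "request", "behavior": behavior_key(info),
            "provenance": ["process_info", "program_file_info", "creator_relation"]}


def terminal_reply(request: dict, provenance_db: Dict[BehaviorKey, dict]) -> dict:
    """First terminal answers a provenance request with the fields it holds."""
    record = provenance_db[request["behavior"]]
    return {"type": "provenance", "behavior": request["behavior"],
            "fields": {f: record[f] for f in request["provenance"] if f in record}}


def _info(app: str, kind: str, target: str, owner: str) -> dict:
    return {"app": app, "data": {"kind": kind, "target": target}, "data_owner": owner}


# Constructed reports from four second terminal devices.
SECOND_TERMINAL_REPORTS = {
    "t1": [_info("AppA", "dll_load", "C:\\Program Files\\AppB\\helper.dll", "AppB")],
    "t2": [_info("AppA", "dll_load", "C:\\Program Files\\AppB\\helper.dll", "AppB"),
           _info("AppA", "file_access", "C:\\Program Files\\AppB\\appb.exe", "AppB")],
    "t3": [_info("AppA", "dll_load", "C:\\Program Files\\AppB\\helper.dll", "AppB")],
    "t4": [],
}
# Constructed: two first process behaviors reported by the first terminal device.
FIRST_BEHAVIORS = [
    _info("AppA", "dll_load", "C:\\Program Files\\AppB\\helper.dll", "AppB"),
    _info("AppA", "file_access", "C:\\Program Files\\AppB\\appb.exe", "AppB"),
]
# Constructed provenance held by the first terminal for the second behavior.
PROVENANCE_DB = {
    behavior_key(FIRST_BEHAVIORS[1]): {
        "process_info": {"pid": 4120, "image": "C:\\Program Files\\AppA\\appa.exe"},
        "program_file_info": {"path": "C:\\Program Files\\AppA\\appa.exe", "signer": "AppA Ltd"},
        "creator_relation": "process creator differs from program file creator",
    }
}


def run_exchange() -> List[dict]:
    """Mine the trusted set, classify each first behavior and play out the exchange."""
    trusted = mine_trusted_set(SECOND_TERMINAL_REPORTS)
    messages = []
    for info in FIRST_BEHAVIORS:
        response = server_response(info, trusted)
        messages.append(response)
        if response["type"] == "request":
            messages.append(terminal_reply(response, PROVENANCE_DB))
    return messages


if __name__ == "__main__":
    for message in run_exchange():
        print(message)
```

With these reports the DLL load is seen on three of four terminals and becomes trusted, so the server answers it with an indication; the program-file access is seen on one terminal only, so the server sends a provenance request and the terminal replies with its process, program file and creator-relation records. Note that the support threshold only models prevalence, so a behavior that malware installs fleet-wide before the set is mined would be trusted; an operator would want to mine from terminals believed clean, or combine support with the terminal-side candidate rules.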
Optionally, the device further includes:
a first sending unit, configured to send, after the determining unit determines that the first process behavior is a normal behavior, indication information to the first terminal device, the indication information indicating that the first process behavior is a normal behavior.
Optionally, the device further includes:
a second sending unit, configured to send, after the determining unit determines that the first process behavior is a suspicious behavior, a request message to the first terminal device, the request message requesting provenance information of the first process behavior, the provenance information including at least one of: process information of the first process behavior, information on the program file corresponding to the first process behavior, and relation information between the process creator of the first process behavior and the creator of the program file;
the receiving unit 510 is further configured to: receive the provenance information sent by the first terminal device according to the request message;
the device further includes: a display unit, configured to display the provenance information through a back-end management interface.
It should be understood that the device 500 here is embodied in the form of functional units. The term "unit" here may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (such as a shared processor, a dedicated processor or a group processor) and memory for executing one or more software or firmware programs, a merged logic circuit, and/or other suitable components supporting the described functions. In an optional example, those skilled in the art will understand that the device 500 may specifically be the data analysis server in the above embodiments, and that the device 500 may be configured to perform each flow and/or step corresponding to the data analysis server in the above method embodiments; to avoid repetition, details are not described again here.
Fig. 6 shows a device 600 for determining suspicious behavior of an application program according to an embodiment of the present invention. The device 600 includes a processor 610, a transmitter 620, a receiver 630, a memory 640 and a bus system 650. The processor 610, the transmitter 620, the receiver 630 and the memory 640 are connected via the bus system 650; the memory 640 is configured to store instructions, and the processor 610 is configured to execute the instructions stored in the memory 640, so as to control the transmitter 620 to send signals and control the receiver 630 to receive signals.
The processor 610 is configured to, when determining that the data accessed by a process behavior of a first application program belongs to a second application program different from the first application program, determine the process behavior as a candidate suspicious behavior, the data including at least one of a process, a thread, a file, a directory and a registry entry;
the transmitter 620 is configured to send behavior feature information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior feature information of the process behavior, whether the process behavior is a suspicious behavior.
Optionally, the processor 610 is specifically configured to:
if the process behavior is a dynamic link library (DLL) file loading behavior of the first application program, determine whether the DLL file loaded by the process behavior is a system DLL file;
if the DLL file is not a system DLL file, determine the application program to which the DLL file belongs;
if the DLL file belongs to the second application program different from the first application program, determine the process behavior as the candidate suspicious behavior.
Optionally, the processor 610 is specifically configured to:
if the process behavior is a registry access behavior of the first application program, determine the application program that created the registry path accessed by the process behavior;
if the registry path was created by the second application program different from the first application program, determine whether the registry path is a publicly accessible path;
if the registry path is not a publicly accessible path, determine the process behavior as the candidate suspicious behavior.
Optionally, the processor 610 is specifically configured to:
if the process behavior is a file access behavior of the first application program, determine the application program that created the file accessed by the process behavior;
if the file accessed by the process behavior was created by the second application program different from the first application program, determine the type of the file accessed by the process behavior;
if the type of the file accessed by the process behavior is a program file, determine the process behavior as the candidate suspicious behavior.
Optionally, the processor 610 is specifically configured to:
if the type of the file accessed by the process behavior is a non-program file, determine whether the application program registered for the extension name of the file accessed by the process behavior is the first application program;
if the application program registered for the extension name of the file accessed by the process behavior is a third application program different from the first application program, determine the process behavior as the candidate suspicious behavior.
Optionally, the behavior feature information includes: information on the application program to which the process behavior belongs, information on the data accessed by the process behavior, and information on the application program to which the data accessed by the process behavior belongs.
Optionally, the receiver 630 is configured to receive, after the behavior feature information of the process behavior has been sent to the data analysis server, indication information sent by the data analysis server, the indication information indicating that the process behavior is a normal behavior;
the processor 610 is further configured to: determine, according to the indication information, that the process behavior is a normal behavior.
Optionally, the receiver 630 is configured to receive, after the behavior feature information of the process behavior has been sent to the data analysis server, a request message sent by the data analysis server, the request message requesting provenance information of the process behavior, the provenance information including at least one of: process information of the process behavior, information on the program file corresponding to the process behavior, and relation information between the process creator of the process behavior and the creator of the program file;
the transmitter 620 is further configured to: send the provenance information to the data analysis server according to the request message.
It should be understood that the device 600 may specifically be the terminal device in the above embodiments, and may be configured to perform each step and/or flow corresponding to the terminal device in the above method embodiments. Optionally, the memory 640 may include a read-only memory and a random access memory, and provides instructions and data to the processor. A part of the memory may also include a non-volatile random access memory; for example, the memory may also store information on the device type. The processor 610 may be configured to execute the instructions stored in the memory, and when the processor executes the instructions stored in the memory, the processor performs each step and/or flow of the above method embodiments.
Fig. 7 shows a device 700 for determining suspicious behavior of an application program according to an embodiment of the present invention. The device 700 includes a receiver 710, a processor 720, a transmitter 730, a memory 740 and a bus system 750. The receiver 710, the processor 720, the transmitter 730 and the memory 740 are connected via the bus system 750; the memory 740 is configured to store instructions, and the processor 720 is configured to execute the instructions stored in the memory 740, so as to control the receiver 710 to receive signals and control the transmitter 730 to send signals.
The receiver 710 is configured to receive behavior feature information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application program, the data accessed by the first process behavior belongs to a second application program different from the first application program, and the data includes at least one of a process, a thread, a file, a directory and a registry entry;
the processor 720 is configured to determine, according to the behavior feature information of the first process behavior, whether the first process behavior is a suspicious behavior.
Optionally, the processor 720 is specifically configured to:
determine, according to the behavior feature information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior;
if the first process behavior does not belong to the trusted behavior set, determine that the first process behavior is a suspicious behavior.
Optionally, the receiver 710 is further configured to:
before the data analysis server determines, according to the behavior feature information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, receive behavior feature information of multiple second process behaviors sent by each second terminal device of at least one second terminal device;
the processor 720 is further configured to:
determine the trusted behavior set using a data mining algorithm according to the behavior feature information of the multiple second process behaviors sent by each second terminal device, where the trusted behavior set includes at least one second process behavior of the multiple second process behaviors.
Optionally, the behavior feature information of the first process behavior includes: information on the application program to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application program to which the data accessed by the first process behavior belongs;
the behavior feature information of the multiple second process behaviors includes: information on the application programs to which the multiple second process behaviors belong, information on the data accessed by the multiple second process behaviors, and information on the application programs to which the data accessed by the multiple second process behaviors belongs.
Optionally, the transmitter 730 is configured to send, after the processor 720 determines that the first process behavior is a normal behavior, indication information to the first terminal device, the indication information indicating that the first process behavior is a normal behavior.
Optionally, the transmitter 730 is configured to send, after the processor 720 determines that the first process behavior is a suspicious behavior, a request message to the first terminal device, the request message requesting provenance information of the first process behavior, the provenance information including at least one of: process information of the first process behavior, information on the program file corresponding to the first process behavior, and relation information between the process creator of the first process behavior and the creator of the program file;
the receiver 710 is further configured to: receive the provenance information sent by the first terminal device according to the request message;
the processor 720 is configured to display the provenance information through a back-end management interface.
It should be understood that the device 700 may specifically be the data analysis server in the above embodiments, and may be configured to perform each step and/or flow corresponding to the data analysis server in the above method embodiments. Optionally, the memory 740 may include a read-only memory and a random access memory, and provides instructions and data to the processor. A part of the memory may also include a non-volatile random access memory; for example, the memory may also store information on the device type. The processor 720 may be configured to execute the instructions stored in the memory, and when the processor executes the instructions, the processor can perform each step and/or flow corresponding to the data analysis server in the above method embodiments.
It should be understood that in the embodiments of the present invention the processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The steps of the method disclosed in connection with the embodiments of the present invention may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the instructions in the memory and completes the steps of the above method in combination with its hardware. To avoid repetition, details are not described here.
Those of ordinary skill in the art will appreciate that the method steps and units described in connection with the embodiments disclosed herein may be implemented by electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the steps and composition of each embodiment have been described above generally in terms of function. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Those of ordinary skill in the art may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the present invention.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, reference may be made to the corresponding process in the foregoing method embodiments for the specific working process of the system, device and units described above, and details are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logic function, and other divisions are possible in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, or may be electrical, mechanical or other forms of connection.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiments of the present invention.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the method described in each embodiment of the present invention. The foregoing storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The foregoing is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can easily conceive of modifications or substitutions within the technical scope disclosed by the present invention, and these modifications or substitutions should all be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (28)
1. A method for determining suspicious behavior of an application program, comprising:
determining, by a terminal device, a process behavior of a first application program as a candidate suspicious behavior when the data accessed by the process behavior belongs to a second application program different from the first application program, the data comprising at least one of a process, a thread, a file, a directory and a registry entry;
sending, by the terminal device, behavior feature information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior feature information of the process behavior, whether the process behavior is a suspicious behavior.
2. The method according to claim 1, wherein the determining, by the terminal device, the process behavior as a candidate suspicious behavior when the data accessed by the process behavior of the first application program belongs to the second application program different from the first application program comprises:
if the process behavior is a dynamic link library (DLL) file loading behavior of the first application program, determining, by the terminal device, whether the DLL file loaded by the process behavior is a system DLL file;
if the DLL file is not a system DLL file, determining, by the terminal device, the application program to which the DLL file belongs;
if the DLL file belongs to the second application program different from the first application program, determining, by the terminal device, the process behavior as the candidate suspicious behavior.
3. The method according to claim 1, wherein the determining, by the terminal device, the process behavior as a candidate suspicious behavior when the data accessed by the process behavior of the first application program belongs to the second application program different from the first application program comprises:
if the process behavior is a registry access behavior of the first application program, determining, by the terminal device, the application program that created the registry path accessed by the process behavior;
if the registry path was created by the second application program different from the first application program, determining, by the terminal device, whether the registry path is a publicly accessible path;
if the registry path is not a publicly accessible path, determining, by the terminal device, the process behavior as the candidate suspicious behavior.
4. The method according to claim 1, wherein the determining, by the terminal device, the process behavior as a candidate suspicious behavior when the data accessed by the process behavior of the first application program belongs to the second application program different from the first application program comprises:
if the process behavior is a file access behavior of the first application program, determining, by the terminal device, the application program that created the file accessed by the process behavior;
if the file accessed by the process behavior was created by the second application program different from the first application program, determining, by the terminal device, the type of the file accessed by the process behavior;
if the type of the file accessed by the process behavior is a program file, determining, by the terminal device, the process behavior as the candidate suspicious behavior.
5. The method according to claim 4, wherein if the type of the file accessed by the process behavior is a non-program file, the terminal device determines the application program registered for the extension name of the file accessed by the process behavior;
if the application program registered for the extension name of the file accessed by the process behavior is a third application program different from the first application program, the terminal device determines the process behavior as the candidate suspicious behavior.
6. The method according to any one of claims 1 to 5, wherein the behavior feature information comprises:
information on the application program to which the process behavior belongs, information on the data accessed by the process behavior, and information on the application program to which the data accessed by the process behavior belongs.
7. The method according to any one of claims 1 to 6, wherein after the terminal device sends the behavior feature information of the process behavior to the data analysis server, the method further comprises:
receiving, by the terminal device, indication information sent by the data analysis server, the indication information indicating that the process behavior is a normal behavior;
determining, by the terminal device according to the indication information, that the process behavior is a normal behavior.
8. The method according to any one of claims 1 to 6, wherein after the terminal device sends the behavior feature information of the process behavior to the data analysis server, the method further comprises:
receiving, by the terminal device, a request message sent by the data analysis server, the request message requesting provenance information of the process behavior, the provenance information comprising at least one of: process information of the process behavior, information on the program file corresponding to the process behavior, and relation information between the process creator of the process behavior and the creator of the program file;
sending, by the terminal device according to the request message, the provenance information to the data analysis server.
9. a kind of method for determining application program suspicious actions, it is characterised in that including:
Data analytics server receives the behavioural characteristic letter for the first process behavior that first terminal equipment is sent
Breath, wherein, first process behavior belongs to the first application program, and the first process behavior institute
The data of access belong to the second application program different from first application program, the data include into
At least one in journey, thread, file, catalogue and registry entry;
The data analytics server is according to the behavior characteristic information of first process behavior, it is determined that described
Whether the first process behavior is suspicious actions.
10. method according to claim 9, it is characterised in that the data analytics server root
Whether according to the behavior characteristic information of first process behavior, it is suspicious row to determine first process behavior
For, including:
The data analytics server is according to the behavior characteristic information of first process behavior, it is determined that described
Whether the first process behavior belongs to trusted behavior set, wherein, the trusted behavior set is included extremely
A few trusted behavior;
If it is determined that first process behavior is not belonging to the trusted behavior set, the data analysis clothes
Business device determines that first process behavior is suspicious actions.
11. The method according to claim 10, characterized in that, before the data analytics server determines, according to the behavior feature information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, the method further comprises:
the data analytics server receiving behavior feature information of a plurality of second process behaviors sent by each second terminal device of at least one second terminal device;
the data analytics server determining the trusted behavior set by means of a data mining algorithm, according to the behavior feature information of the plurality of second process behaviors sent by the at least one second terminal device, wherein the trusted behavior set includes at least one second process behavior of the plurality of second process behaviors.
12. The method according to claim 11, characterized in that the behavior feature information of the first process behavior includes:
information on the application program to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application program to which the data accessed by the first process behavior belong;
and the behavior feature information of the plurality of second process behaviors includes:
information on the application programs to which the plurality of second process behaviors belong, information on the data accessed by the plurality of second process behaviors, and information on the application programs to which the data accessed by the plurality of second process behaviors belong.
13. The method according to any one of claims 9 to 12, characterized in that the method further comprises:
if the data analytics server determines that the first process behavior is a normal behavior, the data analytics server sending indication information to the first terminal device, the indication information being used to indicate that the first process behavior is a normal behavior.
14. The method according to any one of claims 9 to 12, characterized in that the method further comprises:
if the data analytics server determines that the first process behavior is a suspicious behavior, the data analytics server sending a request message to the first terminal device, the request message being used to request provenance information of the first process behavior, the provenance information including at least one of: process information of the first process behavior, information on the program file corresponding to the first process behavior, and relationship information between the process creator of the first process behavior and the creator of the program file;
the data analytics server receiving the provenance information sent by the first terminal device according to the request message;
the data analytics server displaying the provenance information through a back-end management interface.
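As an added illustration of claims 9 to 14 (example code written for this page, not the patent's own implementation), the following Python models the data analytics server: it mines a trusted behavior set from telemetry reported by second terminals, then answers a first terminal either with an indication that a behavior is normal or with a request for provenance information. The claims say only that "a data mining algorithm" builds the set; the distinct-terminal support count used here, the threshold MIN_TERMINALS, and every application name, path and terminal id are assumptions.

```python
"""Server-side trusted-behavior mining and suspicious-behavior decision.

Added example, not code from the patent: models the data analytics server of
claims 9 to 14 over constructed telemetry. The support-count rule (a behavior
is trusted once at least MIN_TERMINALS distinct terminals report it) stands in
for the unspecified "data mining algorithm" and is an assumption, as are all
application names, paths and terminal ids below.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Behavior feature information per claim 12:
# (app the behavior belongs to, accessed data, app the data belong to).
Feature = Tuple[str, str, str]

MIN_TERMINALS = 3  # assumption: support threshold for the mining step


@dataclass(frozen=True)
class Report:
    terminal_id: str
    feature: Feature


def mine_trusted_set(reports: Iterable[Report],
                     min_terminals: int = MIN_TERMINALS) -> FrozenSet[Feature]:
    """Claim 11: derive the trusted behavior set from second-terminal telemetry.

    Distinct terminals are counted per feature, so one terminal replaying the
    same behavior many times cannot vouch for it on its own.
    """
    terminals_per_feature: Dict[Feature, Set[str]] = defaultdict(set)
    for r in reports:
        terminals_per_feature[r.feature].add(r.terminal_id)
    return frozenset(f for f, t in terminals_per_feature.items()
                     if len(t) >= min_terminals)


def decide(feature: Feature, trusted: FrozenSet[Feature]) -> dict:
    """Claims 10, 13 and 14: classify one first-terminal behavior and build the
    message sent back: an indication for a normal behavior, a provenance
    request (process info, program file info, creator relation) otherwise."""
    if feature in trusted:
        return {"type": "indication", "verdict": "normal", "feature": feature}
    return {
        "type": "request",
        "verdict": "suspicious",
        "feature": feature,
        "requested": ["process_info", "program_file_info", "creator_relation"],
    }


# Constructed second-terminal telemetry (claim 11); apps and paths are made up.
SECOND_TERMINAL_REPORTS: List[Report] = [
    Report(t, ("OfficeSuite", r"C:\Program Files\PdfViewer\viewer.exe", "PdfViewer"))
    for t in ("t1", "t2", "t3", "t4")
] + [
    Report(t, ("Browser", r"HKCU\Software\Updater\Channel", "Updater"))
    for t in ("t1", "t2", "t3")
] + [
    # One terminal, five repeats: must not reach the threshold.
    Report("t9", ("Downloader", r"C:\Program Files\Browser\browser.exe", "Browser"))
    for _ in range(5)
]

TRUSTED = mine_trusted_set(SECOND_TERMINAL_REPORTS)


def run_example() -> List[dict]:
    """Judge two constructed first-terminal behaviors (claim 9) against TRUSTED."""
    first_terminal = [
        ("OfficeSuite", r"C:\Program Files\PdfViewer\viewer.exe", "PdfViewer"),
        ("Downloader", r"C:\Program Files\Browser\browser.exe", "Browser"),
    ]
    return [decide(f, TRUSTED) for f in first_terminal]


if __name__ == "__main__":
    for msg in run_example():
        print(msg)
```

Counting distinct reporting terminals rather than raw reports stops a single noisy or compromised endpoint from vouching for its own behavior. The limit of the scheme is inherited from the mining step: any cross-application access performed by enough terminals in the mined population becomes trusted whatever it is, so the second-terminal population has to be one whose baseline is itself believed clean.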
15. An apparatus for determining a suspicious behavior of an application program, characterized in that the apparatus comprises:
a determining unit, configured to determine a process behavior of a first application program to be a candidate suspicious behavior when it is determined that the data accessed by the process behavior belong to a second application program different from the first application program, the data including at least one of a process, a thread, a file, a directory and a registry entry;
a sending unit, configured to send behavior feature information of the process behavior to a data analytics server, so that the data analytics server determines, according to the behavior feature information of the process behavior, whether the process behavior is a suspicious behavior.
16. The apparatus according to claim 15, characterized in that the determining unit is specifically configured to:
if the process behavior is a dynamic link library (DLL) file loading behavior of the first application program, determine whether the DLL file loaded by the process behavior is a system DLL file;
if the DLL file is not a system DLL file, determine the application program to which the DLL file belongs;
if the DLL file belongs to the second application program different from the first application program, determine the process behavior to be the candidate suspicious behavior.
17. The apparatus according to claim 15, characterized in that the determining unit is specifically configured to:
if the process behavior is a registry access behavior of the first application program, determine the application program that created the registry path accessed by the process behavior;
if the registry path was created by the second application program different from the first application program, determine whether the registry path is a publicly accessible path;
if the registry path is not a publicly accessible path, determine the process behavior to be the candidate suspicious behavior.
18. The apparatus according to claim 15, characterized in that the determining unit is specifically configured to:
if the process behavior is a file access behavior of the first application program, determine the application program that created the file accessed by the process behavior;
if the file accessed by the process behavior was created by the second application program different from the first application program, determine the type of the file accessed by the process behavior;
if the type of the file accessed by the process behavior is a program file, determine the process behavior to be the candidate suspicious behavior.
19. The apparatus according to claim 18, characterized in that, if the type of the file accessed by the process behavior is a non-program file, the determining unit determines whether the application program registered for the extension of the file accessed by the process behavior is the first application program;
if the application program registered for the extension of the file accessed by the process behavior is a third application program different from the first application program, the process behavior is determined to be the candidate suspicious behavior.
20. The apparatus according to any one of claims 15 to 19, characterized in that the behavior feature information includes:
information on the application program to which the process behavior belongs, information on the data accessed by the process behavior, and information on the application program to which the data accessed by the process behavior belong.
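The following Python, an added example and not code from the patent, implements the decision rules of the determining unit in claims 16 to 19 over constructed events and emits the behavior feature information of claim 20 for each candidate. The claims do not say how the endpoint learns which application created a file or registry key, which registry paths are public, which directories hold system DLLs, or which extensions denote program files; the CREATOR_OF and EXTENSION_HANDLER maps, the prefix lists and the extension list are assumptions, as are all application names and paths.

```python
"""Endpoint-side candidate-suspicious-behavior classification.

Added example, not code from the patent: implements the determining unit of
claims 16 to 19 and builds the behavior feature information of claim 20 over
constructed events. The ownership map, public-path prefixes, system DLL
directories, extension handlers and program-file extensions are assumptions;
every application name and path is made up.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed: which application created each file / registry key (as an agent
# would have recorded at install or creation time). Keys are lower-cased.
CREATOR_OF: Dict[str, str] = {
    "c:\\program files\\pdfviewer\\render.dll": "PdfViewer",
    "c:\\program files\\pdfviewer\\viewer.exe": "PdfViewer",
    "c:\\users\\alice\\documents\\report.pdf": "PdfViewer",
    "c:\\users\\alice\\downloads\\invoice.docx": "Downloader",
    "hkcu\\software\\pdfviewer\\license": "PdfViewer",
    "hkcu\\software\\classes\\.pdf": "PdfViewer",
}
EXTENSION_HANDLER: Dict[str, str] = {".pdf": "PdfViewer", ".docx": "OfficeSuite"}  # assumed
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")            # assumed
PUBLIC_REGISTRY_PREFIXES = ("hkcu\\software\\classes\\", "hklm\\software\\classes\\")  # assumed
PROGRAM_FILE_EXTS = (".exe", ".dll", ".sys", ".com", ".scr")                        # assumed


@dataclass(frozen=True)
class Event:
    app: str     # first application program: the process doing the access
    kind: str    # "dll_load" | "registry" | "file"
    target: str  # DLL path, registry path or file path that was accessed


def classify(ev: Event) -> Tuple[bool, Optional[dict]]:
    """Return (is_candidate, behavior_feature_info) for one event.

    The feature info (claim 20) is the app the behavior belongs to, the
    accessed data and the app the data belong to; it is None when the event
    is not a candidate. Data with no recorded creator is treated as not a
    candidate (assumption: the claims do not cover unknown ownership).
    """
    target = ev.target.lower()
    if ev.kind == "dll_load" and target.startswith(SYSTEM_DLL_DIRS):
        return False, None  # claim 16, first test: system DLLs are never candidates

    owner = CREATOR_OF.get(target)
    if owner is None or owner == ev.app:
        return False, None  # own data or unknown origin: not cross-application

    if ev.kind == "dll_load":
        candidate = True    # claim 16: non-system DLL belonging to another application
    elif ev.kind == "registry":
        # Claim 17: another app's key is a candidate unless it lies under a
        # publicly accessible path (here: the file-association hives).
        candidate = not target.startswith(PUBLIC_REGISTRY_PREFIXES)
    elif ev.kind == "file":
        ext = ntpath.splitext(target)[1]
        if ext in PROGRAM_FILE_EXTS:
            candidate = True  # claim 18: touching another app's program file
        else:
            # Claim 19: a data file counts only if its extension is registered
            # to an application other than the one accessing it.
            handler = EXTENSION_HANDLER.get(ext)
            candidate = handler is not None and handler != ev.app
    else:
        return False, None

    if not candidate:
        return False, None
    return True, {"app": ev.app, "data": ev.target, "data_owner": owner}


def run_example() -> Dict[str, bool]:
    """Constructed events, one per branch of claims 16 to 19."""
    events = {
        "sys_dll":     Event("Browser", "dll_load", r"C:\Windows\System32\kernel32.dll"),
        "other_dll":   Event("Browser", "dll_load", r"C:\Program Files\PdfViewer\render.dll"),
        "assoc_key":   Event("Browser", "registry", r"HKCU\Software\Classes\.pdf"),
        "private_key": Event("Browser", "registry", r"HKCU\Software\PdfViewer\License"),
        "other_exe":   Event("Downloader", "file", r"C:\Program Files\PdfViewer\viewer.exe"),
        "own_doc":     Event("PdfViewer", "file", r"C:\Users\alice\Documents\report.pdf"),
        "own_handler": Event("OfficeSuite", "file", r"C:\Users\alice\Downloads\invoice.docx"),
        "third_doc":   Event("Downloader", "file", r"C:\Users\alice\Documents\report.pdf"),
    }
    return {name: classify(ev)[0] for name, ev in events.items()}


if __name__ == "__main__":
    for name, flagged in run_example().items():
        print(f"{name:12s} candidate={flagged}")
```

The ownership lookup is the load-bearing part of the scheme: with the early return above, data whose creator the agent never recorded is not a candidate, so missed creation events translate directly into missed candidates, and a public-path list that is too broad turns the claim 17 rule into a no-op for exactly the keys an installer is most likely to share.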
21. The apparatus according to any one of claims 15 to 20, characterized in that the apparatus further comprises:
a first receiving unit, configured to receive, after the behavior feature information of the process behavior has been sent to the data analytics server, indication information sent by the data analytics server, the indication information being used to indicate that the process behavior is a normal behavior;
the determining unit being further configured to:
determine, according to the indication information, that the process behavior is a normal behavior.
22. The apparatus according to any one of claims 15 to 20, characterized in that the apparatus further comprises:
a second receiving unit, configured to receive, after the behavior feature information of the process behavior has been sent to the data analytics server, a request message sent by the data analytics server, the request message being used to request provenance information of the process behavior, the provenance information including at least one of the following: process information of the process behavior, information on the program file corresponding to the process behavior, and relationship information between the process creator of the process behavior and the creator of the program file;
the sending unit being further configured to:
send the provenance information to the data analytics server according to the request message.
23. An apparatus for determining a suspicious behavior of an application program, characterized in that the apparatus comprises:
a receiving unit, configured to receive behavior feature information of a first process behavior sent by a first terminal device, wherein the first process behavior belongs to a first application program, the data accessed by the first process behavior belong to a second application program different from the first application program, and the data include at least one of a process, a thread, a file, a directory and a registry entry;
a determining unit, configured to determine, according to the behavior feature information of the first process behavior, whether the first process behavior is a suspicious behavior.
24. The apparatus according to claim 23, characterized in that the determining unit is specifically configured to:
determine, according to the behavior feature information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, wherein the trusted behavior set includes at least one trusted behavior;
if the first process behavior does not belong to the trusted behavior set, determine that the first process behavior is a suspicious behavior.
25. The apparatus according to claim 24, characterized in that the receiving unit is further configured to:
before the data analytics server determines, according to the behavior feature information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, receive behavior feature information of a plurality of second process behaviors sent by each second terminal device of at least one second terminal device;
the determining unit being further configured to:
determine the trusted behavior set by means of a data mining algorithm, according to the behavior feature information of the plurality of second process behaviors sent by each second terminal device, wherein the trusted behavior set includes at least one second process behavior of the plurality of second process behaviors.
26. The apparatus according to claim 25, characterized in that the behavior feature information of the first process behavior includes:
information on the application program to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application program to which the data accessed by the first process behavior belong;
and the behavior feature information of the plurality of second process behaviors includes:
information on the application programs to which the plurality of second process behaviors belong, information on the data accessed by the plurality of second process behaviors, and information on the application programs to which the data accessed by the plurality of second process behaviors belong.
27. The apparatus according to any one of claims 23 to 26, characterized in that the apparatus further comprises:
a first sending unit, configured to send, after the determining unit determines that the first process behavior is a normal behavior, indication information to the first terminal device, the indication information being used to indicate that the first process behavior is a normal behavior.
28. The apparatus according to any one of claims 23 to 26, characterized in that the apparatus further comprises:
a second sending unit, configured to send, after the determining unit determines that the first process behavior is a suspicious behavior, a request message to the first terminal device, the request message being used to request provenance information of the first process behavior, the provenance information including at least one of: process information of the first process behavior, information on the program file corresponding to the first process behavior, and relationship information between the process creator of the first process behavior and the creator of the program file;
the receiving unit being further configured to:
receive the provenance information sent by the first terminal device according to the request message;
the apparatus further comprising:
a display unit, configured to display the provenance information through a back-end management interface.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610266466.5A CN107315952A (en) | 2016-04-26 | 2016-04-26 | Method and apparatus for determining application program suspicious actions |
PCT/CN2017/070468 WO2017185827A1 (en) | 2016-04-26 | 2017-01-06 | Method and apparatus for determining suspicious activity of application program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610266466.5A CN107315952A (en) | 2016-04-26 | 2016-04-26 | Method and apparatus for determining application program suspicious actions |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107315952A true CN107315952A (en) | 2017-11-03 |
Family
ID=60160690
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610266466.5A Pending CN107315952A (en) | 2016-04-26 | 2016-04-26 | Method and apparatus for determining application program suspicious actions |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107315952A (en) |
WO (1) | WO2017185827A1 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110750561A (en) * | 2018-07-20 | 2020-02-04 | 深圳市诚壹科技有限公司 | Method and device for mining associated application program |
CN109255238A (en) * | 2018-08-24 | 2019-01-22 | 成都网思科平科技有限公司 | Terminal threat detection and response method and engine |
CN109327433A (en) * | 2018-09-03 | 2019-02-12 | 北京智游网安科技有限公司 | Threat cognitive method and system based on Run-time scenario analysis |
CN109784051A (en) * | 2018-12-29 | 2019-05-21 | 360企业安全技术(珠海)有限公司 | Protecting information safety method, device and equipment |
CN109784052A (en) * | 2018-12-29 | 2019-05-21 | 360企业安全技术(珠海)有限公司 | The management method and server-side, terminal, system of software action detection |
CN109815702A (en) * | 2018-12-29 | 2019-05-28 | 360企业安全技术(珠海)有限公司 | Safety detection method, device and the equipment of software action |
CN109815702B (en) * | 2018-12-29 | 2022-07-05 | 奇安信安全技术(珠海)有限公司 | Software behavior safety detection method, device and equipment |
CN115412320A (en) * | 2022-08-19 | 2022-11-29 | 奇安信网神信息技术(北京)股份有限公司 | Attack behavior tracing method, device and system |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113672925B (en) * | 2021-08-26 | 2024-01-26 | 安天科技集团股份有限公司 | Method and device for preventing lux software attack, storage medium and electronic equipment |
CN114676429A (en) * | 2022-03-18 | 2022-06-28 | 山东鼎夏智能科技有限公司 | Method and device for detecting unknown risk of startup item |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101556608A (en) * | 2009-02-27 | 2009-10-14 | 浙大网新科技股份有限公司 | File system operation intercepting method based on event monitoring mechanism |
CN103902892A (en) * | 2012-12-24 | 2014-07-02 | 珠海市君天电子科技有限公司 | Behavior-based virus defense method and system |
CN104899511A (en) * | 2015-05-21 | 2015-09-09 | 成都中科慧创科技有限公司 | Program behavior algorithm based active defense method |
CN105243324A (en) * | 2015-10-20 | 2016-01-13 | 珠海市君天电子科技有限公司 | Method and device for identifying malicious software in user terminal and user terminal |
CN105279433A (en) * | 2014-07-10 | 2016-01-27 | 腾讯科技(深圳)有限公司 | Application protection method and apparatus |
Events
- 2016-04-26: CN CN201610266466.5A (CN107315952A), status Pending
- 2017-01-06: WO PCT/CN2017/070468 (WO2017185827A1), status Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2017185827A1 (en) | 2017-11-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107315952A (en) | Method and apparatus for determining application program suspicious actions | |
US9154516B1 (en) | Detecting risky network communications based on evaluation using normal and abnormal behavior profiles | |
US9306889B2 (en) | Method and device for processing messages | |
CN107294808A (en) | The methods, devices and systems of interface testing | |
CN109525558A (en) | Leaking data detection method, system, device and storage medium | |
US20160197947A1 (en) | System for detecting abnormal behavior by analyzing personalized use behavior pattern during entire access period | |
US20120185936A1 (en) | Systems and Methods for Detecting Fraud Associated with Systems Application Processing | |
CN108206830B (en) | Vulnerability scanning method, apparatus, computer equipment and storage medium | |
CN108123939A (en) | Malicious act real-time detection method and device | |
CN110365674B (en) | Method, server and system for predicting network attack surface | |
CN104392177A (en) | Android platform based virus forensics system and method | |
Lindqvist et al. | eXpert-BSM: A host-based intrusion detection solution for Sun Solaris | |
CN109347806A (en) | A kind of the digging mine malware detection system and method for Intrusion Detection based on host monitoring technology | |
CN110516448A (en) | A kind of grey box testing method, apparatus, equipment and readable storage medium storing program for executing | |
Zheng et al. | Blockchain intelligence: When blockchain meets artificial intelligence | |
US11606377B1 (en) | Device classification for identifying anomolous activity | |
CN110381047B (en) | Network attack surface tracking method, server and system | |
Deeter et al. | Aphids: A mobile agent-based programmable hybrid intrusion detection system | |
CN110365673B (en) | Method, server and system for isolating network attack plane | |
CN110365714A (en) | Host-based intrusion detection method, apparatus, equipment and computer storage medium | |
CN114158080B (en) | Monitoring method, device and computer readable storage medium | |
CN113965341A (en) | Intrusion detection system based on software defined network | |
CN115296936B (en) | Automatic method and system for assisting detection of anti-network crime | |
CN112685301A (en) | Fuzzy test method and device | |
CN110378120A (en) | Application programming interfaces attack detection method, device and readable storage medium storing program for executing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20171103 |