CN107315952A - Method and apparatus for determining application program suspicious actions - Google Patents


Info

Publication number: CN107315952A
Authority: CN (China)
Prior art keywords: behavior, process behavior, application program, information, file
Legal status: Pending
Application number: CN201610266466.5A
Other languages: Chinese (zh)
Inventor: 刘振华
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201610266466.5A (CN107315952A)
Priority to PCT/CN2017/070468 (WO2017185827A1)
Publication of CN107315952A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

Embodiments of the invention provide a method and apparatus for determining suspicious behaviors of an application program. The method includes: when a terminal device determines that the data accessed by a process behavior of a first application program belongs to a second application program different from the first application program, the terminal device determines the process behavior to be a candidate suspicious behavior, where the data includes at least one of a process, a thread, a file, a directory and a registry entry; the terminal device sends behavior characteristic information of the process behavior to a data analytics server, so that the data analytics server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is a suspicious behavior. The method and apparatus of the embodiments can determine suspicious behaviors that access application data without authorization on a terminal device. Compared with the prior art, the method does not depend on security software and does not require the user to participate in the decision, so the accuracy and reliability of the judgement of suspicious behaviors can be improved, and overall system performance improves as a result.

Description

Method and apparatus for determining application program suspicious actions
Technical field
Embodiments of the present invention relate to the computer field, and more particularly to a method and apparatus for determining suspicious behaviors of an application program.
Background technology
Detection of Advanced Persistent Threat (APT) attacks inside an enterprise generally tends to rely on big-data analysis, including analysis of traffic in the enterprise network, analysis of files in a sandbox to discover advanced threats that traditional signature matching cannot identify, and analysis of the alert logs of various conventional security devices. The purpose of all these analyses is to discover security problems inside the enterprise in time and to reduce as far as possible the losses that advanced threats cause the enterprise.
Traditional host-based defense methods mainly aim to prevent suspicious behaviors from attacking the system. Such a defense method necessarily depends on security software, which monitors the process behaviors of all application programs on the host. IT personnel can preset an access control policy in the security software to control the access of application programs to system data. If a process behavior does not satisfy this access control policy, the security software judges the process behavior to be a suspicious behavior. After a suspicious behavior is detected, the security software directly alerts the user of the host and lets the user choose whether to intercept the suspicious behavior.
However, the traditional defense method only concerns the rules by which application programs access system data; it cannot prevent suspicious behaviors that access application data without authorization, for example behaviors that steal or tamper with application data. Furthermore, since ordinary users do not have much computer knowledge, letting the user decide whether to intercept a suspicious behavior, as the traditional method does, is not very appropriate.
Summary of the invention
Embodiments of the present invention provide a method and apparatus for determining suspicious behaviors of an application program, which can determine suspicious behaviors that access application data without authorization, thereby improving overall system performance.
According to a first aspect, a method for determining suspicious behaviors of an application program is provided, including: when a terminal device determines that the data accessed by a process behavior of a first application program belongs to a second application program different from the first application program, the terminal device determines the process behavior to be a candidate suspicious behavior, where the data includes at least one of a process, a thread, a file, a directory and a registry entry; the terminal device sends behavior characteristic information of the process behavior to a data analytics server, so that the data analytics server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is a suspicious behavior.
Specifically, when the data accessed by a process behavior of the first application program on the terminal device belongs to the second application program, the terminal device determines that the process behavior is a candidate suspicious behavior. For example, suppose the second application program includes process P1 and process P2. If process P1 creates file F during its execution, file F belongs to the second application program; if process P2 accesses file F during its execution, the behavior of process P2 can be regarded as legal; but if process P3 of the first application program, which is different from the second application program, accesses file F, the behavior of process P3 is a candidate suspicious behavior.
Thus, based on the data access rules between application programs, the embodiments of the present invention use the terminal device to determine candidate suspicious behaviors among all detected process behaviors and send the behavior characteristic information of the determined candidate suspicious behaviors to the data analytics server, which determines, according to that behavior characteristic information, whether the candidate suspicious behaviors are suspicious behaviors, thereby determining the suspicious behaviors on the terminal device that access application data without authorization. Compared with the prior art, this method does not depend on security software and does not require the user to participate in the decision, so the accuracy and reliability of the judgement of suspicious behaviors can be improved, and overall system performance improves as a result.
Optionally, the terminal device may be a host or a client.
Optionally, before the terminal device determines the process behavior to be a candidate suspicious behavior, the terminal device may determine the relation information between application programs and data in the system in several ways. The terminal device may obtain the relation information between the existing application programs and data in the system by collecting system information; it may obtain in real time the relation information between each application program and the data it creates by real-time monitoring; or it may judge whether the system is installing an application program and, if so, associate the data created during the installation process with that application program. Once the relation information between application programs and data in the system has been determined, the terminal device can judge, according to that relation information, which application program the data accessed by a process behavior of the first application program belongs to, and so further determine candidate suspicious behaviors.
In a first possible implementation of the first aspect, the terminal device determining the process behavior to be a candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application program belongs to a second application program different from the first application program includes: if the process behavior is a dynamic link library (DLL) file loading behavior of the first application program, the terminal device determines whether the DLL file loaded by the process behavior is a system DLL file; if the DLL file is not a system DLL file, the terminal device determines the application program to which the DLL file belongs; if the DLL file belongs to a second application program different from the first application program, the terminal device determines the process behavior to be a candidate suspicious behavior.
With reference to the above possible implementations of the first aspect, in a second possible implementation of the first aspect, the terminal device determining the process behavior to be a candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application program belongs to a second application program different from the first application program includes: if the process behavior is a registry access behavior of the first application program, the terminal device determines the application program that created the registry path accessed by the process behavior; if the registry path was created by a second application program different from the first application program, the terminal device determines whether the registry path is a publicly accessible path; if the registry path is not a publicly accessible path, the terminal device determines the process behavior to be a candidate suspicious behavior.
With reference to the above possible implementations of the first aspect, in a third possible implementation of the first aspect, the terminal device determining the process behavior to be a candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application program belongs to a second application program different from the first application program includes: if the process behavior is a file access behavior of the first application program, the terminal device determines the application program that created the file accessed by the process behavior; if the file accessed by the process behavior was created by a second application program different from the first application program, the terminal device determines the type of the file accessed by the process behavior; if the type of the file accessed by the process behavior is program file, the terminal device determines the process behavior to be a candidate suspicious behavior.
With reference to the above possible implementations of the first aspect, in a fourth possible implementation of the first aspect, if the type of the file accessed by the process behavior is non-program file, the terminal device determines the application program with which the extension name of the file accessed by the process behavior is registered; if the application program with which the extension name of the accessed file is registered is a third application program different from the first application program, the terminal device determines the process behavior to be a candidate suspicious behavior.
With reference to the above possible implementations of the first aspect, in a fifth possible implementation of the first aspect, if the process behavior is a process creation behavior, the terminal device determines whether the process created by the process behavior belongs to the first application program; if the process created by the process behavior does not belong to the first application program, the terminal device determines whether that process is a system process of the terminal device; if the process is not a system process of the terminal device, the terminal device determines the process behavior to be a candidate suspicious behavior.
With reference to the above possible implementations of the first aspect, in a sixth possible implementation of the first aspect, if the process behavior is a thread creation behavior, the terminal device determines the application program to which the thread created by the process behavior belongs; if the thread created by the process behavior belongs to a second application program different from the first application program, the terminal device determines the process behavior to be a candidate suspicious behavior.
It should be understood that there are many kinds of suspicious behaviors of application programs, including but not limited to the following: cross-process thread injection, loading a DLL file of unknown origin, accessing a file that does not belong to the application itself, accessing a registry entry that does not belong to the application itself, modifying a system file, deleting a system file, modifying the system registry, deleting the system registry, and so on. The above therefore lists only some of these cases for description; the other cases are similar.
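The terminal-side rules of the six implementations above, written out as a classifier over a table of application-to-data relations. This is an added example, not code from the patent or from Huawei; the relation table, the application names "mailer" and "editor", the paths and the pid/tid values are all constructed, and a DLL whose creator is unknown is treated as not belonging to the loading application (the "DLL of unknown origin" case in the list above).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

SYSTEM = "system"  # owner label for data the OS provides (system DLLs, system processes)


@dataclass
class RelationTable:
    """Relation information between applications and their data, assumed to have been
    built by the terminal from system information and installation monitoring."""
    dll_owner: Dict[str, str] = field(default_factory=dict)       # DLL path -> creating app
    registry_owner: Dict[str, str] = field(default_factory=dict)  # registry path -> creating app
    public_registry: Set[str] = field(default_factory=set)        # paths any application may read
    file_owner: Dict[str, str] = field(default_factory=dict)      # file path -> creating app
    program_files: Set[str] = field(default_factory=set)          # files of type "program file"
    ext_handler: Dict[str, str] = field(default_factory=dict)     # extension -> registered app
    process_owner: Dict[int, str] = field(default_factory=dict)   # pid -> app or SYSTEM
    thread_owner: Dict[int, str] = field(default_factory=dict)    # tid -> app


@dataclass(frozen=True)
class ProcessBehavior:
    app: str     # the first application, to which the behavior belongs
    kind: str    # dll_load | registry_access | file_access | process_create | thread_create
    target: str  # DLL/registry/file path, or the created pid/tid as a string


def is_candidate_suspicious(b: ProcessBehavior, rel: RelationTable) -> bool:
    """Terminal-side rules of the first aspect, one branch per behavior type."""
    if b.kind == "dll_load":
        owner = rel.dll_owner.get(b.target)
        if owner == SYSTEM:                   # system DLL: never a candidate
            return False
        return owner != b.app                 # another app's DLL, or of unknown origin
    if b.kind == "registry_access":
        creator = rel.registry_owner.get(b.target)
        if creator in (None, SYSTEM, b.app):  # own, system or unattributed path
            return False
        return b.target not in rel.public_registry   # other app's non-public path
    if b.kind == "file_access":
        creator = rel.file_owner.get(b.target)
        if creator in (None, SYSTEM, b.app):
            return False
        if b.target in rel.program_files:     # another app's program file
            return True
        # Non-program file: candidate when its extension is registered to a third app.
        ext = b.target.rsplit(".", 1)[1].lower() if "." in b.target else ""
        handler = rel.ext_handler.get(ext)
        return handler is not None and handler != b.app
    if b.kind == "process_create":
        owner = rel.process_owner.get(int(b.target))
        return owner not in (b.app, SYSTEM)   # child is neither own nor a system process
    if b.kind == "thread_create":
        owner = rel.thread_owner.get(int(b.target))
        return owner is not None and owner != b.app   # thread created inside another app
    raise ValueError(f"unknown behavior kind {b.kind!r}")


def behavior_feature_info(b: ProcessBehavior, rel: RelationTable) -> dict:
    """Behavior characteristic information: owning app, data accessed, data's owning app."""
    if b.kind in ("process_create", "thread_create"):
        table = rel.process_owner if b.kind == "process_create" else rel.thread_owner
        owner = table.get(int(b.target), "unknown")
    else:
        table = {"dll_load": rel.dll_owner, "registry_access": rel.registry_owner,
                 "file_access": rel.file_owner}[b.kind]
        owner = table.get(b.target, "unknown")
    return {"app": b.app, "kind": b.kind, "data": b.target, "data_owner": owner}


def candidates(behaviors: List[ProcessBehavior], rel: RelationTable) -> List[dict]:
    """Feature info of every candidate suspicious behavior, ready to send to the server."""
    return [behavior_feature_info(b, rel) for b in behaviors if is_candidate_suspicious(b, rel)]


# Constructed sample: "mailer" owns processes P1/P2 and file F (inbox.mbx), mirroring the
# description's example; "editor" is a different application whose process P3 reads F.
REL = RelationTable(
    dll_owner={r"C:\Windows\System32\kernel32.dll": SYSTEM, r"C:\Apps\mailer\crypto.dll": "mailer"},
    registry_owner={r"HKCU\Software\mailer\Accounts": "mailer", r"HKCU\Software\mailer\Public": "mailer"},
    public_registry={r"HKCU\Software\mailer\Public"},
    file_owner={r"C:\Apps\mailer\inbox.mbx": "mailer", r"C:\Apps\mailer\mailer.exe": "mailer",
                r"C:\Apps\editor\notes.txt": "editor"},
    program_files={r"C:\Apps\mailer\mailer.exe"},
    ext_handler={"mbx": "mailer", "txt": "editor"},
    process_owner={4: SYSTEM, 100: "mailer", 101: "mailer", 200: "editor"},
    thread_owner={1001: "mailer", 2001: "editor"},
)

SAMPLE = [
    ProcessBehavior("mailer", "file_access", r"C:\Apps\mailer\inbox.mbx"),   # P2 reads own F: legal
    ProcessBehavior("editor", "file_access", r"C:\Apps\mailer\inbox.mbx"),   # P3 reads F: candidate
    ProcessBehavior("editor", "file_access", r"C:\Apps\mailer\mailer.exe"),  # other app's program file
    ProcessBehavior("editor", "dll_load", r"C:\Windows\System32\kernel32.dll"),  # system DLL: legal
    ProcessBehavior("editor", "dll_load", r"C:\Apps\mailer\crypto.dll"),     # other app's DLL
    ProcessBehavior("editor", "registry_access", r"HKCU\Software\mailer\Public"),    # public path: legal
    ProcessBehavior("editor", "registry_access", r"HKCU\Software\mailer\Accounts"),  # private path
    ProcessBehavior("editor", "process_create", "4"),     # spawned a system process: legal
    ProcessBehavior("editor", "thread_create", "1001"),   # thread inside mailer: injection
]
```

`candidates(SAMPLE, REL)` yields the five records a terminal would forward; the server-side decision is a separate step and is not modelled here.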
With reference to the above possible implementations of the first aspect, in a seventh possible implementation of the first aspect, the behavior characteristic information includes: information about the application program to which the process behavior belongs, information about the data accessed by the process behavior, and information about the application program to which the data accessed by the process behavior belongs.
With reference to the above possible implementations of the first aspect, in an eighth possible implementation of the first aspect, after the terminal device sends the behavior characteristic information of the process behavior to the data analytics server, the method further includes: the terminal device receives indication information sent by the data analytics server, the indication information indicating that the process behavior is a normal behavior; according to the indication information, the terminal device determines that the process behavior is a normal behavior.
In this way, if the terminal device detects the process behavior again, it will not send the behavior characteristic information of that process behavior to the data analytics server again. Therefore, the method can not only improve the accuracy with which the terminal device detects candidate suspicious behaviors, but also avoid unnecessary transmission of behavior characteristic information, saving signaling overhead.
With reference to the above possible implementations of the first aspect, in a ninth possible implementation of the first aspect, after the terminal device sends the behavior characteristic information of the process behavior to the data analytics server, the method further includes: the terminal device receives a request message sent by the data analytics server, the request message requesting source-tracing information of the process behavior, where the source-tracing information includes at least one of the following: process information of the process behavior, information about the program file corresponding to the process behavior, and relation information between the process creator of the process behavior and the creator of the program file; according to the request message, the terminal device sends the source-tracing information to the data analytics server.
Specifically, after determining that the process behavior is a suspicious behavior, the data analytics server may request the source-tracing information of the process behavior from the terminal device. The terminal device sends the source-tracing information of the suspicious behavior to the data analytics server; IT administrators can then obtain this source-tracing information through the data analytics server and reconstruct from it when and how the suspicious behavior occurred, which helps the later investigation and evidence collection of the attack.
According to a second aspect, another method for determining suspicious behaviors of an application program is provided, including: a data analytics server receives behavior characteristic information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application program and the data accessed by the first process behavior belongs to a second application program different from the first application program, the data including at least one of a process, a thread, a file, a directory and a registry entry; the data analytics server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
In a first possible implementation of the second aspect, the data analytics server determining, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior includes: the data analytics server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior; if it determines that the first process behavior does not belong to the trusted behavior set, the data analytics server determines that the first process behavior is a suspicious behavior.
With reference to the above possible implementation of the second aspect, in a second possible implementation of the second aspect, before the data analytics server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, the method further includes: the data analytics server receives behavior characteristic information of multiple second process behaviors sent by each second terminal device of at least one second terminal device; according to the behavior characteristic information of the multiple second process behaviors sent by the at least one second terminal device, the data analytics server determines the trusted behavior set using a data mining algorithm, where the trusted behavior set includes at least one second process behavior among the multiple second process behaviors.
Optionally, the data mining algorithm may be a frequent itemset algorithm, a support vector machine algorithm, a decision tree algorithm, or the like.
With reference to the above possible implementations of the second aspect, in a third possible implementation of the second aspect, the behavior characteristic information of the first process behavior includes: information about the application program to which the first process behavior belongs, information about the data accessed by the first process behavior, and information about the application program to which the data accessed by the first process behavior belongs; the behavior characteristic information of the multiple second process behaviors includes: information about the application programs to which the multiple second process behaviors belong, information about the data accessed by the multiple second process behaviors, and information about the application programs to which the data accessed by the multiple second process behaviors belongs.
With reference to the above possible implementations of the second aspect, in a fourth possible implementation of the second aspect, the method further includes: if the data analytics server determines that the first process behavior is a normal behavior, the data analytics server sends indication information to the first terminal device, the indication information indicating that the first process behavior is a normal behavior.
With reference to the above possible implementations of the second aspect, in a fifth possible implementation of the second aspect, the method further includes: if the data analytics server determines that the first process behavior is a suspicious behavior, the data analytics server sends a request message to the first terminal device, the request message requesting source-tracing information of the first process behavior, the source-tracing information including at least one of process information of the first process behavior, information about the program file corresponding to the first process behavior, and relation information between the process creator of the first process behavior and the creator of the program file; the data analytics server receives the source-tracing information sent by the first terminal device according to the request message; the data analytics server displays the source-tracing information through a back-end administration interface.
Specifically, the data analytics server can display the source-tracing information of the suspicious behavior to IT administrators through the back-end administration interface, so that the IT administrators can reconstruct from it when and how the suspicious behavior occurred, which helps the later investigation and evidence collection of the attack.
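The server-side flow of the second aspect, end to end: the trusted behavior set is mined from the second terminals' reports, a first process behavior is judged against it, and the first terminal either records the "normal" indication (and stops re-reporting that behavior) or answers the source-tracing request. This is an added example, not Huawei's code; in place of the patent's frequent itemset, SVM or decision tree algorithms it assumes a simple support threshold (a behavior is trusted when at least `min_support` of the reporting terminals exhibited it), and the report set, terminal ids and tracing records are constructed.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Behavior characteristic information as the terminals report it, reduced to the three
# items the description names: (owning application, data accessed, data's owning application).
Feature = Tuple[str, str, str]


def build_trusted_set(reports: Iterable[Tuple[str, Feature]], min_support: float) -> Set[Feature]:
    """Mine the trusted behavior set from the second process behaviors reported by the second
    terminal devices. Simplified frequent-itemset rule (an assumption of this example): a
    behavior is trusted when the fraction of reporting terminals that exhibited it is at
    least min_support."""
    seen_on: Dict[Feature, Set[str]] = {}
    terminals: Set[str] = set()
    for terminal_id, feat in reports:
        terminals.add(terminal_id)
        seen_on.setdefault(feat, set()).add(terminal_id)
    if not terminals:
        return set()
    return {f for f, ts in seen_on.items() if len(ts) / len(terminals) >= min_support}


# Source-tracing items the server may ask the first terminal for, as listed in the description.
TRACE_FIELDS = ("process_info", "program_file_info", "process_creator_vs_file_creator_relation")


def judge(first_behavior: Feature, trusted: Set[Feature]) -> dict:
    """Server decision on one first process behavior and the message returned to the terminal:
    an indication that it is normal, or a request for source-tracing information."""
    if first_behavior in trusted:
        return {"type": "indication", "behavior": first_behavior, "normal": True}
    return {"type": "request", "behavior": first_behavior, "fields": list(TRACE_FIELDS)}


class Terminal:
    """First-terminal side of the exchange: reports candidates, remembers behaviors the server
    indicated as normal so they are not reported again, and answers tracing requests."""

    def __init__(self, terminal_id: str, trace_db: Dict[Feature, dict]):
        self.id = terminal_id
        self.known_normal: Set[Feature] = set()
        self.trace_db = trace_db          # constructed local tracing records per behavior
        self.sent: List[Feature] = []

    def report(self, feat: Feature) -> bool:
        """Return True if the feature is sent to the server, False if suppressed."""
        if feat in self.known_normal:
            return False
        self.sent.append(feat)
        return True

    def handle(self, msg: dict) -> dict:
        """Process the server's reply; for a request, return the source-tracing information."""
        if msg["type"] == "indication" and msg["normal"]:
            self.known_normal.add(msg["behavior"])
            return {}
        record = self.trace_db.get(msg["behavior"], {})
        return {k: record.get(k, "unavailable") for k in msg["fields"]}


# Constructed reports from five second terminals: a backup agent reading the mailer's inbox
# is seen on every terminal, while an editor process reading it was seen on one terminal only.
REPORTS = [(f"t{i}", ("backup", r"C:\Apps\mailer\inbox.mbx", "mailer")) for i in range(1, 6)]
REPORTS += [(f"t{i}", ("backup", r"HKCU\Software\mailer\Accounts", "mailer")) for i in range(1, 3)]
REPORTS.append(("t3", ("editor", r"C:\Apps\mailer\inbox.mbx", "mailer")))

# Constructed tracing records the first terminal holds for its own candidate behaviors.
TRACE_DB = {
    ("editor", r"C:\Apps\mailer\inbox.mbx", "mailer"): {
        "process_info": {"pid": 300, "cmdline": "editor.exe /quiet"},
        "program_file_info": {"path": r"C:\Users\u\Downloads\editor.exe", "signed": False},
        "process_creator_vs_file_creator_relation": "different users",
    }
}


def run_exchange(terminal: Terminal, candidates: List[Feature], min_support: float = 0.6) -> List[dict]:
    """Drive the whole flow for one first terminal and return every server reply, each
    annotated with what the terminal answered."""
    trusted = build_trusted_set(REPORTS, min_support)
    replies = []
    for feat in candidates:
        if not terminal.report(feat):
            continue
        reply = judge(feat, trusted)
        reply["terminal_answer"] = terminal.handle(reply)
        replies.append(reply)
    return replies
```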
According to a third aspect, an apparatus for determining suspicious behaviors of an application program is provided, for performing the method in the first aspect or any possible implementation of the first aspect.
Specifically, the apparatus may include units for performing the method in the first aspect or any possible implementation of the first aspect.
According to a fourth aspect, an apparatus for determining suspicious behaviors of an application program is provided, for performing the method in the second aspect or any possible implementation of the second aspect.
Specifically, the apparatus may include units for performing the method in the second aspect or any possible implementation of the second aspect.
According to a fifth aspect, an apparatus for determining suspicious behaviors of an application program is provided; the apparatus includes a receiver, a transmitter, a memory, a processor and a bus system. The receiver, the transmitter, the memory and the processor are connected through the bus system; the memory is used to store instructions, and the processor is used to execute the instructions stored in the memory in order to control the receiver to receive signals and the transmitter to send signals; when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method in the first aspect or any possible implementation of the first aspect.
According to a sixth aspect, an apparatus for determining suspicious behaviors of an application program is provided; the apparatus includes a receiver, a transmitter, a memory, a processor and a bus system. The receiver, the transmitter, the memory and the processor are connected through the bus system; the memory is used to store instructions, and the processor is used to execute the instructions stored in the memory in order to control the receiver to receive signals and the transmitter to send signals; when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method in the second aspect or any possible implementation of the second aspect.
According to a seventh aspect, a system for determining suspicious behaviors of an application program is provided; the system includes the apparatus in the third aspect or any possible implementation of the third aspect and the apparatus in the fourth aspect or any possible implementation of the fourth aspect; or
the system includes the apparatus in the fifth aspect or any possible implementation of the fifth aspect and the apparatus in the sixth aspect or any possible implementation of the sixth aspect.
According to an eighth aspect, a computer-readable medium is provided for storing a computer program, the computer program including instructions for performing the method in the first aspect or any possible implementation of the first aspect.
According to a ninth aspect, a computer-readable medium is provided for storing a computer program, the computer program including instructions for performing the method in the second aspect or any possible implementation of the second aspect.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings needed for the embodiments are briefly described below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of a system to which an embodiment of the present invention applies.
Fig. 2 is a schematic flow chart of a method for determining suspicious behaviors of an application program according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of another system for determining suspicious behaviors of an application program according to an embodiment of the present invention.
Fig. 4 is a schematic block diagram of an apparatus for determining suspicious behaviors of an application program according to an embodiment of the present invention.
Fig. 5 is a schematic block diagram of another apparatus for determining suspicious behaviors of an application program according to an embodiment of the present invention.
Fig. 6 is a schematic block diagram of another apparatus for determining suspicious behaviors of an application program according to an embodiment of the present invention.
Fig. 7 is a schematic block diagram of another apparatus for determining suspicious behaviors of an application program according to an embodiment of the present invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is carried out Clearly and completely describe, it is clear that described embodiment is a part of embodiment of the present invention, without It is whole embodiments.Based on the embodiment in the present invention, those of ordinary skill in the art are not making wound The every other embodiment that the property made is obtained on the premise of working, should all belong to the scope of protection of the invention.
Some technologies involved by the application program in operating system are simply introduced first.Should Understand, an application program is made up of multiple program files, and program file is also known as executable program file.
A program file may initiate system service requests to the operating system while it runs. A system service request may also be called an application programming interface (Application Programming Interface, API) call. API calls may include reading and writing files, allocating memory, network input and output (Input Output, IO), operating hardware devices, reading and writing the system configuration, and so on; the embodiment of the present invention does not limit this. Once a program file is run, a process is produced in the system, so a program file and a process are in one-to-one correspondence. Herein, the API calls made by a program file of an application program while it runs are referred to as the "process behavior" of the program file. It should be understood that each process behavior corresponds to one piece of behavior characteristic information, and that each piece of behavior characteristic information includes the path involved when the corresponding process behavior is executed.
In addition, the processes, threads, files, directories, registry entries and the like related to an application program are referred to herein as the "data" of the application program. Each time an application program is installed and each time it is run, corresponding data is produced; it should be understood that all data other than system data belongs to some specific application program.
Fig. 1 shows a system 100 to which the embodiment of the present invention applies. The system 100 may include at least one terminal device 110 and one data analysis server 120. The terminal device 110 may be mobile or fixed. The terminal device 110 may refer to an access terminal, user equipment (User Equipment, "UE" for short), a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus. The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (Session Initiation Protocol, "SIP" for short) phone, a wireless local loop (Wireless Local Loop, "WLL" for short) station, a personal digital assistant (Personal Digital Assistant, "PDA" for short), a handheld device with wireless communication functionality, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network, a terminal device in a future evolved public land mobile network (Public Land Mobile Network, "PLMN" for short), and so on. In the embodiment of the present invention, optionally, the terminal device 100 is a host or a client.
The data analysis server 120 may be a file server, a database server, an application server, a WEB server, and so on; the embodiment of the present invention does not limit this.
Fig. 1 schematically shows one terminal device and one data analysis server. Optionally, the system 100 may include multiple terminal devices; the embodiment of the present invention does not limit this.
In the embodiment of the present invention, multiple terminal devices may each exchange information with the data analysis server independently. The data analysis server may therefore transmit information with multiple terminal devices at the same time and thereby determine the application program suspicious behavior on each of the multiple terminal devices. Since the procedure by which the data analysis server determines application program suspicious behavior is similar for every terminal device, for ease of understanding and description the following takes as an example the flow in which the data analysis server determines application program suspicious behavior on a first terminal device among the multiple terminal devices.
Fig. 2 shows a schematic flow chart of a method for determining application program suspicious behavior provided by an embodiment of the present invention. The method 200 may be applied to the system 100 shown in Fig. 1, but the embodiment of the present invention is not limited thereto. The method 200 includes:
S210. When the first terminal device determines that the data accessed by a first process behavior of a first application program belongs to a second application program different from the first application program, it determines the first process behavior to be a candidate suspicious behavior, where the data includes at least one of a process, a thread, a file, a directory and a registry entry.
Specifically, multiple application programs may be installed on the first terminal device. When the first terminal device detects a process behavior, the process behavior belongs to a first application program among the multiple application programs, whereas the data accessed by the process behavior belongs to a second application program among the multiple application programs, the first application program being different from the second application program. The first terminal device then considers that the process behavior has accessed data that does not belong to its own application program, and may determine the process behavior to be a candidate suspicious behavior.
It should be understood that, in the embodiment of the present invention, the first terminal device does not merely detect the process behaviors of all application programs in the system; it may filter all detected process behaviors according to whether the data accessed by each process behavior belongs to the application program to which that process behavior belongs, thereby screening the presumably suspicious process behaviors out of all process behaviors.
It should also be understood that this embodiment is described by taking the determination of one process behavior as an example; the above method may be used for the determination of all process behaviors detected by the first terminal device.
Optionally, before the first terminal device determines the first process behavior to be a candidate suspicious behavior, the first terminal device determines the relation information between the application programs in the system and their data. Here, the determination of the relation information between application programs and data may be divided into the following three cases:
(1) The first terminal device may obtain the relation information between the application programs already existing in the system and their data by collecting system information. For example, the first terminal device may locate the installation directory of an application program through the registry, attribute to the application program the program files and non-program files whose file creation time is consistent with the directory creation time, and record the product name, company copyright name, digital signature information and the like of the program files of the application program in an information database.
(2) The first terminal device may obtain in real time, by means of real-time monitoring, the relation information between each application program in the system and the data it creates. For example, if the first terminal device detects a data creation action of a process, it stores the relation information between the created data and its creator in the information database.
(3) The first terminal device may determine whether the system is installing an application program; if so, it establishes the association between the data created during the installation and the application program. For example, if it detects that a process, or a subprocess of the process, creates multiple program files in a fixed directory, the first terminal device may determine whether the process or the subprocess has registered an application program; if it has, the first terminal device establishes the relation between the application program and the program files and registry entries, and stores the corresponding relation information in the information database.
After the relation information between application programs and data has been determined, the first terminal device can screen the detected process behaviors according to that relation information. Specifically, for example, the first application program includes process P1 and process P2. If process P1 creates file F during its execution, then file F belongs to the first application program. If process P2 accesses file F during its execution, the behavior of process P2 may be regarded as legitimate. If process P3, belonging to a second application program different from the first application program, accesses file F, the behavior of process P3 is a candidate suspicious behavior.
S220. The first terminal device sends the behavior characteristic information of the first process behavior to the data analysis server.
Specifically, in the embodiment of the present invention, the first terminal device directly reports the behavior characteristic information of the screened candidate suspicious behavior (i.e. the first process behavior) to the data analysis server, and the data analysis server analyzes and handles the first process behavior.
S230. The data analysis server receives the behavior characteristic information of the first process behavior and determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
Specifically, the data analysis server may receive the behavior characteristic information of the first process behavior that the first terminal device considers suspicious, and then judge, according to that behavior characteristic information, whether the first process behavior is a suspicious behavior.
As an optional embodiment, the data analysis server determining, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior includes:
the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set may include at least one trusted behavior;
if it is determined that the first process behavior does not belong to the trusted behavior set, the data analysis server determines that the first process behavior is a suspicious behavior.
Specifically, the data analysis server may judge whether the first process behavior belongs to the trusted behavior set, which includes at least one trusted behavior. If the first process behavior belongs to the trusted behavior set, the data analysis server determines that the first process behavior is a normal behavior; if the first process behavior does not belong to the trusted behavior set, the data analysis server determines that the first process behavior is a suspicious behavior.
Thus, based on the data access rules between application programs, the embodiment of the present invention has the terminal device determine candidate suspicious behaviors from all detected process behaviors and send the behavior characteristic information of the determined candidate suspicious behaviors to the data analysis server, and has the data analysis server determine whether the candidate suspicious behaviors are suspicious behaviors. The method for determining application program suspicious behavior of the embodiment of the present invention can determine suspicious behaviors that access application program data without authorization, without relying on security software and without requiring the user to participate.
It should be understood that the magnitude of the sequence numbers of the above steps does not imply an order of execution; the order in which each step is executed should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiment of the present invention.
In the prior art, a host determines suspicious behavior directly by means of security software, which monitors the process behaviors of all application programs in the system. IT personnel may set an access control policy in the security software in advance to control the access of application program process behaviors to system data. If a process behavior does not satisfy the access control policy, the security software determines that the process behavior is a suspicious behavior. After a suspicious behavior is detected, the security software may directly alert the user of the host and let the user choose whether to intercept the suspicious behavior. The traditional host-based defense method is therefore mainly intended to prevent suspicious behaviors from attacking the system, and it necessarily depends on security software.
However, the traditional defense method only concerns the access rules of application programs to system data and does not consider the data access rules between application programs, so it cannot prevent suspicious behaviors that access application program data without authorization, for example suspicious behaviors that steal or tamper with application program data. In addition, since ordinary users do not have much computer knowledge, the traditional method's approach of letting the user judge whether to intercept a suspicious behavior is not very appropriate.
Therefore, based on the data access rules between application programs, the embodiment of the present invention has the terminal device determine candidate suspicious behaviors from the detected process behaviors and send the behavior characteristic information of the determined candidate suspicious behaviors to the data analysis server, and has the data analysis server determine whether the candidate suspicious behaviors are suspicious behaviors, thereby determining the suspicious behaviors in the terminal device that access application program data without authorization. Compared with the prior art, this method does not need to rely on security software and does not need the user to participate in the determination, which can improve the accuracy and reliability of the judgement of suspicious behaviors and thereby improve the overall performance of the system.
As an optional embodiment, in S210, the determination of candidate suspicious behaviors by the first terminal device may be divided into various cases according to the specific type of the process behavior.
Optionally, if the first process behavior is a dynamic link library (Dynamic Link Library, DLL) file loading behavior of the first application program, the first terminal device determines whether the DLL file loaded by the first process behavior is a system DLL file; if the DLL file is not a system DLL file, the first terminal device determines the application program to which the DLL file belongs; if the DLL file belongs to a second application program different from the first application program, the first terminal device determines the first process behavior to be a candidate suspicious behavior.
Optionally, if the first process behavior is a registry access behavior of the first application program, the first terminal device determines the application program that created the registry path accessed by the first process behavior; if the registry path was created by a second application program different from the first application program, the first terminal device determines whether the registry path is a publicly accessible path; if the registry path is not a publicly accessible path, the first terminal device determines the first process behavior to be a candidate suspicious behavior.
Optionally, if the first process behavior is a file access behavior of the first application program, the first terminal device determines the application program that created the file accessed by the first process behavior; if the file accessed by the first process behavior was created by a second application program different from the first application program, the first terminal device determines the type of the file accessed by the first process behavior; if the type of the file accessed by the first process behavior is a program file, the first terminal device may directly determine the first process behavior to be a candidate suspicious behavior.
Optionally, if the type of the file accessed by the first process behavior is a non-program file, the first terminal device determines the application program with which the extension name of the file accessed by the first process behavior is registered; if the application program with which the extension name of the file accessed by the first process behavior is registered is a third application program different from the first application program, the first terminal device determines the first process behavior to be a candidate suspicious behavior.
Optionally, if the first process behavior is a process creation behavior, the terminal device determines whether the process created by the first process behavior belongs to the first application program; if the process created by the first process behavior does not belong to the first application program, the terminal device determines whether the process is a system process of the first terminal device; if the process is not a system process of the first terminal device, the first terminal device determines the first process behavior to be a candidate suspicious behavior.
Here, the first process behavior may be understood as the behavior of a virus: the program file of the first application program carries a virus, and while the system runs the program file the virus may create a new process, which does not belong to the first application program. Therefore, according to the above judgement conditions it can be determined whether an application program carries a virus.
Optionally, if the first process behavior is a thread creation behavior, the terminal device determines the application program to which the thread created by the first process behavior belongs; if the thread created by the first process behavior belongs to a second application program different from the first application program, the first terminal device determines the first process behavior to be a candidate suspicious behavior.
It should be understood that there are many kinds of application program suspicious behavior, which may include but are not limited to the following: cross-process thread injection, loading a DLL file of unknown origin, accessing a file that does not belong to the application program itself, accessing a registry entry that does not belong to the application program itself, modifying a system file, deleting a system file, modifying the system registry, deleting the system registry, and so on. Only some of these cases are therefore listed and described above; the other cases are similar and are not repeated here.
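As an added illustration of the client-side screening in S210 (the relation information of cases (1) to (3) and the type-specific rules for DLL loading, registry access, file access, process creation and thread creation), the following Python model is not part of the patent and is not Huawei's code; the information database layout, the owner label for system data, the set of program-file extensions and every path and application name are constructed assumptions.

```python
"""Client-side screening of process behaviours (added example, constructed).

Simplified model of S210 of CN107315952A: an information database records which
application owns each piece of data; a behaviour becomes a candidate suspicious
behaviour when the data it touches belongs to another application and none of the
stated exceptions applies (system DLL, public registry path, extension not
registered to a third application, system process). All names/paths are constructed.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SYSTEM = "system"                           # owner label for operating-system data
PROGRAM_EXTS = {".exe", ".dll", ".sys"}     # constructed set of "program file" types

@dataclass
class InfoDB:
    """Relation information between applications and their data (cases (1)-(3))."""
    owner: Dict[str, str] = field(default_factory=dict)              # data -> owning app
    public_registry: Set[str] = field(default_factory=set)           # paths open to all apps
    ext_registered_to: Dict[str, str] = field(default_factory=dict)  # ".ini" -> app

    def record_creation(self, creator_app: str, data: str) -> None:
        self.owner[data] = creator_app        # case (2): creator observed at runtime

    def owner_of(self, data: str) -> Optional[str]:
        return self.owner.get(data)           # None: creator unknown

@dataclass(frozen=True)
class ProcessBehavior:
    app: str      # application the acting process belongs to (the "first application")
    kind: str     # dll_load | registry | file | process_create | thread_create
    target: str   # path, registry key, or created process/thread identifier

def is_candidate(db: InfoDB, b: ProcessBehavior) -> bool:
    """Apply the type-specific rules; True means 'report to the analysis server'."""
    owner = db.owner_of(b.target)
    if owner == b.app:                        # own data: always legitimate
        return False
    if b.kind == "dll_load":
        # System DLLs are shared; a DLL owned by another application is a candidate.
        return owner not in (None, SYSTEM)
    if b.kind == "registry":
        # Another application's registry path is a candidate unless it is public.
        if owner in (None, SYSTEM):
            return False
        return b.target not in db.public_registry
    if b.kind == "file":
        if owner in (None, SYSTEM):
            return False
        ext = os.path.splitext(b.target)[1].lower()
        if ext in PROGRAM_EXTS:               # another application's program file
            return True
        # Non-program file: candidate only if the extension is registered to an app other than the acting one.
        registered = db.ext_registered_to.get(ext)
        return registered is not None and registered != b.app
    if b.kind == "process_create":
        # Created process belongs neither to the acting app nor to the system (carried-virus case).
        return owner != SYSTEM
    if b.kind == "thread_create":
        return owner not in (None, SYSTEM)    # thread belongs to another application
    return False

def screen(db: InfoDB, behaviors: List[ProcessBehavior]) -> List[ProcessBehavior]:
    return [b for b in behaviors if is_candidate(db, b)]   # S210 filter over all detections

def build_sample_db() -> InfoDB:
    db = InfoDB()
    db.owner.update({                         # case (1): collected from the installed system
        r"C:\Windows\System32\kernel32.dll": SYSTEM,
        r"C:\Apps\A\a_helper.dll": "AppA",
        r"C:\Apps\A\update.exe": "AppA",
        r"C:\Apps\A\notes.log": "AppA",
        r"HKCU\Software\AppA\Settings": "AppA",
        r"HKLM\Software\Shared\Fonts": "AppB",
        "pid:4": SYSTEM,
        "tid:77": "AppA",
    })
    db.public_registry.add(r"HKLM\Software\Shared\Fonts")
    db.ext_registered_to[".ini"] = "AppA"
    db.record_creation("AppA", r"C:\Apps\A\report.ini")   # case (2): process P1 creates file F
    return db

SAMPLE_BEHAVIORS = [                          # constructed detections on one terminal
    ProcessBehavior("AppA", "dll_load", r"C:\Windows\System32\kernel32.dll"),  # system DLL
    ProcessBehavior("AppB", "dll_load", r"C:\Apps\A\a_helper.dll"),            # other app's DLL
    ProcessBehavior("AppA", "registry", r"HKCU\Software\AppA\Settings"),        # own key
    ProcessBehavior("AppB", "registry", r"HKCU\Software\AppA\Settings"),        # other, private
    ProcessBehavior("AppA", "registry", r"HKLM\Software\Shared\Fonts"),         # other, public
    ProcessBehavior("AppA", "file", r"C:\Apps\A\report.ini"),                   # P2 reads F
    ProcessBehavior("AppB", "file", r"C:\Apps\A\report.ini"),                   # P3 reads F
    ProcessBehavior("AppB", "file", r"C:\Apps\A\update.exe"),                   # program file
    ProcessBehavior("AppB", "file", r"C:\Apps\A\notes.log"),                    # ext unregistered
    ProcessBehavior("AppA", "process_create", "pid:4242"),                      # unknown owner
    ProcessBehavior("AppA", "process_create", "pid:4"),                         # system process
    ProcessBehavior("AppB", "thread_create", "tid:77"),                         # other app's thread
]
```

Running `screen(build_sample_db(), SAMPLE_BEHAVIORS)` yields six candidates; the system-DLL load, the public registry path, the own-data accesses, the unregistered-extension file and the system process are all filtered out on the terminal and never reach the server.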
As an optional embodiment, before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
the data analysis server receives the behavior characteristic information of multiple second process behaviors sent by each second terminal device among at least one second terminal device;
the data analysis server determines the trusted behavior set by means of a data mining algorithm, according to the behavior characteristic information of the multiple second process behaviors sent by the at least one second terminal device, where the trusted behavior set includes at least one second process behavior among the multiple second process behaviors.
It should be understood that the second terminal device in this embodiment may be the same as or different from the above first terminal device, and that the second process behavior may be the same as or different from the above first process behavior; the embodiment of the present invention does not limit this.
As an optional embodiment, the behavior characteristic information of the first process behavior includes: information of the application program to which the first process behavior belongs, information of the data accessed by the first process behavior, and information of the application program to which the data accessed by the first process behavior belongs;
the behavior characteristic information of the multiple second process behaviors includes: information of the application programs to which the multiple second process behaviors belong, information of the data accessed by the multiple second process behaviors, and information of the application programs to which the data accessed by the multiple second process behaviors belongs.
Specifically, the trusted behavior characteristic information set may be generated by a data mining method; accordingly, the second terminal device needs to send the data analysis server behavior characteristic information that a data mining algorithm can use. After determining a second process behavior, the second terminal device pre-processes the information of the second process behavior and converts it into behavior characteristic information. Optionally, the second terminal device may send the behavior characteristic information to the data analysis server in the form of a set, which may include: the behavior of the second process behavior, the target path of the second process behavior, the file name and path information of the application program to which the second process behavior belongs, the copyright information of that application program, the version information of that application program, the header hash value of the program file of that application program, the digital signature information of the program file of that application program, and so on.
Since the detection of APT attacks generally tends to rely on big data analysis, the data mining algorithm can uncover suspicious behaviors that security software cannot identify. Optionally, the data mining algorithm here may be a frequent item set algorithm, a support vector machine algorithm, a decision tree algorithm or the like; the embodiment of the present invention does not limit this.
As an optional embodiment, after the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
if the data analysis server determines that the first process behavior is a normal behavior, the data analysis server sends indication information to the first terminal device, the indication information being used to indicate that the first process behavior is a normal behavior;
the first terminal device receives the indication information sent by the data analysis server and determines, according to the indication information, that the first process behavior is a normal behavior.
Thus, if the first terminal device detects the first process behavior again, it no longer sends the behavior characteristic information of the first process behavior to the data analysis server.
As an optional embodiment, after the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
if the data analysis server determines that the first process behavior is a suspicious behavior, the data analysis server sends a request message to the first terminal device, the request message being used to request tracing information of the first process behavior, where the tracing information includes at least one of the process information of the first process behavior, the information of the program file corresponding to the first process behavior, and the relation information between the process creator and the program file creator of the first process behavior;
the first terminal device receives the request message sent by the data analysis server and sends the tracing information to the data analysis server according to the request message;
the data analysis server receives the tracing information sent by the first terminal device according to the request message, and displays the tracing information through a back-end management interface.
In this embodiment, after determining a suspicious behavior, the data analysis server may display the tracing information of the suspicious behavior through the back-end management interface, so that information technology (Information Technology, IT) management personnel can determine the source of the suspicious behavior from the tracing information.
In a specific embodiment, the above terminal device may specifically be a client, and the above method for determining a suspicious program may be applied inside an enterprise that includes multiple clients. As shown in Fig. 3, for example, the enterprise includes client 301, client 302 and client 303, and a monitoring program is deployed on each client, such as probe program 304, probe program 305 and probe program 306. These probe programs are responsible for monitoring in real time all process behaviors on the enterprise clients and for filtering the monitored process behaviors: if a process behavior accesses data that does not belong to its own application program, the probe program judges the process behavior to be a candidate suspicious behavior.
After the candidate suspicious behaviors have been determined, each client can extract the behavior characteristic information of its own candidate suspicious behaviors.
The probe program on a client sends the behavior characteristic information of the determined candidate suspicious behaviors to the data analysis server 307. The data analysis server 307 continuously receives the behavior characteristic information of candidate suspicious behaviors sent from different clients, performs statistical analysis on the received behavior characteristic information using a data mining algorithm, and generates a trusted behavior set that includes at least one trusted behavior. Once the data analysis server 307 has generated the trusted behavior set, it can judge, according to the behavior characteristic information of a candidate suspicious behavior, whether that candidate suspicious behavior is a suspicious behavior.
For example, the data analysis server 307 receives the behavior characteristic information of a process behavior sent by client 301, i.e. the behavior characteristic information of the above candidate suspicious behavior, and can judge the process behavior according to that behavior characteristic information.
If the data analysis server 307 determines that the process behavior is a normal behavior, it sends indication information to client 301 indicating that the process behavior is a normal behavior. After receiving the indication information, client 301 determines the process behavior to be a normal behavior. If client 301 subsequently detects the process behavior again, it no longer sends the behavior characteristic information of the process behavior to the data analysis server 307.
If the data analysis server 307 determines that the process behavior is a suspicious behavior, it may send a request message to client 301 requesting the tracing information of the process behavior. After receiving the request message, client 301 may send the tracing information of the process behavior to the data analysis server 307; the data analysis server 307 receives the tracing information sent by client 301 and displays it through the back-end management interface.
Optionally, the data analysis server 307 may send the tracing information to a system management server 308. The system management server 308 can show the tracing information in real time to the relevant staff of the enterprise, such as IT management personnel, so that the IT management personnel can reconstruct from the tracing information when the suspicious behavior occurred and how it occurred, which benefits later investigation and evidence collection of the attack.
It should be understood that, during the establishment stage of the above trusted set, the judgement of suspicious behaviors by the data analysis server may not be accurate. Because this statistical analysis relies on process behaviors accumulated over a period of time, a behavior may be rare when counting has just begun yet become more frequent later; therefore the data analysis server needs to perform backtracking iteration over the previously received process behaviors in order to improve the accuracy of its judgement results.
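As an added illustration of the server side described above (S230, the trusted behavior set mined from the reports of several terminals, the indication and request messages, the client no longer re-sending an indicated behavior, and the backtracking iteration), the following Python model is not part of the patent and is not Huawei's code; the support threshold that stands in for the data mining algorithm, the client names and every path and application name are constructed assumptions.

```python
"""Data analysis server side (added example, constructed).

Models S230 and the optional embodiments of CN107315952A: probes report behaviour
characteristic information (acting app, accessed data, owner of that data) for
candidate suspicious behaviours; the server builds a trusted behaviour set with a
frequent-item-set style rule (reported by >= `min_support` distinct terminals), replies
with an indication (normal) or a tracing-information request (suspicious), and re-judges
earlier verdicts as the set grows ("backtracking iteration"). All values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BehaviorKey = Tuple[str, str, str]   # (acting app, accessed data, owner of the data)

@dataclass(frozen=True)
class FeatureInfo:                   # behaviour characteristic information sent in S220
    terminal: str
    app: str
    data: str
    data_owner: str

    def key(self) -> BehaviorKey:
        return (self.app, self.data, self.data_owner)

@dataclass(frozen=True)
class Message:                       # server -> terminal reply
    kind: str                        # "indication" (normal) or "trace_request" (suspicious)
    terminal: str
    key: BehaviorKey

class AnalysisServer:
    def __init__(self, min_support: int = 3) -> None:
        self.min_support = min_support
        self.support: Dict[BehaviorKey, Set[str]] = defaultdict(set)  # key -> reporting terminals
        self.trusted: Set[BehaviorKey] = set()
        self.pending: Dict[BehaviorKey, Set[str]] = defaultdict(set)  # open suspicious verdicts

    def _mine_trusted(self) -> None:
        # Frequent-item rule: a behaviour seen on >= min_support terminals is trusted.
        for key, terminals in self.support.items():
            if len(terminals) >= self.min_support:
                self.trusted.add(key)

    def receive(self, info: FeatureInfo) -> Message:
        """S230: judge one report against the current trusted behaviour set."""
        key = info.key()
        self.support[key].add(info.terminal)
        self._mine_trusted()
        if key in self.trusted:
            return Message("indication", info.terminal, key)
        self.pending[key].add(info.terminal)   # suspicious: ask for tracing information
        return Message("trace_request", info.terminal, key)

    def backtrack(self) -> List[Message]:
        """Re-judge earlier suspicious verdicts now that the trusted set has grown."""
        revised: List[Message] = []
        for key in [k for k in self.pending if k in self.trusted]:
            for terminal in sorted(self.pending.pop(key)):
                revised.append(Message("indication", terminal, key))
        return revised

class Probe:
    """Client-side probe: reports a candidate once and stops after an indication."""
    def __init__(self, terminal: str) -> None:
        self.terminal = terminal
        self.known_normal: Set[BehaviorKey] = set()

    def report(self, server: AnalysisServer, app: str, data: str, owner: str) -> Optional[Message]:
        key = (app, data, owner)
        if key in self.known_normal:
            return None                        # already indicated normal: not re-sent
        reply = server.receive(FeatureInfo(self.terminal, app, data, owner))
        if reply.kind == "indication":
            self.known_normal.add(key)
        return reply

def run_scenario() -> dict:
    """Three clients (as in Fig. 3) report to one server; all data constructed."""
    server = AnalysisServer(min_support=3)
    probes = {t: Probe(t) for t in ("client301", "client302", "client303")}
    routine = ("Viewer", r"C:\Apps\Office\report.ini", "Office")   # every client does this
    rare = ("Updater", r"C:\Apps\Office\office.exe", "Office")     # seen on one client only
    first = probes["client301"].report(server, *routine)   # support 1: trace request
    rare_first = probes["client301"].report(server, *rare)
    probes["client302"].report(server, *routine)           # support 2: trace request
    third = probes["client303"].report(server, *routine)   # support 3: indication
    revised = server.backtrack()                           # earlier verdicts revised
    for msg in revised:                                    # deliver revised indications
        probes[msg.terminal].known_normal.add(msg.key)
    return {
        "first_kind": first.kind,
        "third_kind": third.kind,
        "revised_terminals": [m.terminal for m in revised],
        "rare_still_pending": rare_first.key in server.pending,
        "resent_after_indication": probes["client301"].report(server, *routine),
        "pending_keys": len(server.pending),
    }
```

In `run_scenario()` the first two reports of the routine behavior are answered with trace requests, the third report makes it trusted, and the backtracking pass revises the two earlier verdicts into indications, while the behavior seen on only one client stays pending.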
The method for determining application program suspicious behavior of the embodiment of the present invention, based on the data access rules between application programs, has the terminal device determine candidate suspicious behaviors from the detected process behaviors and send the behavior characteristic information of the determined candidate suspicious behaviors to the data analysis server, and has the data analysis server determine whether the candidate suspicious behaviors are suspicious behaviors, thereby determining the suspicious behaviors that access application program data without authorization. Compared with the prior art, this method does not need to rely on security software and does not need the user to participate in the determination, which can improve the accuracy and reliability of the judgement of suspicious behaviors and thereby improve the overall performance of the system. On this basis, the embodiment of the present invention can show the tracing information of suspicious behaviors to IT management personnel through the back-end management interface, so that the IT management personnel can reconstruct from the tracing information when the suspicious behaviors occurred and how they occurred, which benefits later investigation and evidence collection of the attack.
It should be understood that the magnitude of the sequence numbers of the above steps does not imply an order of execution; the order in which each step is executed should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiment of the present invention.
The method for determining application program suspicious behavior according to the embodiment of the present invention has been described in detail above with reference to Fig. 1 to Fig. 3; the apparatus for determining application program suspicious behavior according to the embodiment of the present invention is described in detail below with reference to Fig. 4 to Fig. 7.
Fig. 4 shows the device provided in an embodiment of the present invention for being used to determine application program suspicious actions 400, the device 400 includes:
Determining unit 410, for it is determined that the data that the process behavior of the first application program is accessed belong to Different from first application program the second application program when, the process behavior is defined as the suspicious row of candidate For the data include at least one in process, thread, file, catalogue and registry entry;
Transmitting element 420, the behavior characteristic information for sending the process behavior to data analytics server, In order to which the data analytics server determines the process behavior according to the behavior characteristic information of the process behavior Whether it is suspicious actions.
Alternatively, the determining unit 410 specifically for:
If the process behavior is the dynamic link library (DLL) file loading behavior of first application program, Determine whether the dll file that the process behavior is loaded is system dll file;
If the dll file is not system dll file, it is determined that the application journey belonging to the dll file Sequence;
If the dll file belongs to second application program different from first application program, should Process behavior is defined as candidate's suspicious actions.
Alternatively, the determining unit 410 specifically for:
If the process behavior is the registry access behavior of first application program, it is determined that create the process The application program in the path for the registration table that behavior is accessed;
If the path of the registration table is by second application program establishment different from first application program, Whether the path for determining the registration table is public accessible paths;
If the path of the registration table is not public accessible paths, the process behavior is defined as the candidate Suspicious actions.
Alternatively, the determining unit 410 specifically for:
If the process behavior is the file access behavior of first application program, it is determined that create the process row For the application program of the file accessed;
If the file that the process behavior is accessed second applies journey by this different from first application program Sequence is created, it is determined that the type for the file that the process behavior is accessed;
If the type for the file that the process behavior is accessed is program file, the process behavior is defined as Candidate's suspicious actions.
Optionally, the determining unit 410 is specifically configured to:
if the type of the file accessed by the process behavior is a non-program file, determine whether the application program registered for the extension of the file accessed by the process behavior is the first application program;
if the application program registered for the extension of the file accessed by the process behavior is a third application program, which is different from the first application program, determine the process behavior to be the candidate suspicious behavior.
Optionally, the behavior characteristic information includes: information about the application program to which the process behavior belongs, information about the data accessed by the process behavior, and information about the application program to which the data accessed by the process behavior belongs.
Optionally, the device 400 further includes:
a first receiving unit, configured to receive, after the behavior characteristic information of the process behavior has been sent to the data analysis server, indication information sent by the data analysis server, where the indication information is used to indicate that the process behavior is a normal behavior;
the determining unit 410 is further configured to:
determine, according to the indication information, that the process behavior is a normal behavior.
Optionally, the device 400 further includes:
a second receiving unit, configured to receive, after the behavior characteristic information of the process behavior has been sent to the data analysis server, a request message sent by the data analysis server, where the request message is used to request provenance information of the process behavior, and the provenance information includes at least one of the following: process information of the process behavior, information about the program file corresponding to the process behavior, and relationship information between the process creator of the process behavior and the creator of the program file;
the sending unit 420 is further configured to: send the provenance information to the data analysis server according to the request message.
It should be understood that the device 400 here is embodied in the form of functional units. The term "unit" here may refer to an application-specific integrated circuit (ASIC), an electronic circuit, a processor (such as a shared processor, a dedicated processor or a group processor) and memory for executing one or more software or firmware programs, a merged logic circuit, and/or other suitable components that support the described functions. In an optional example, a person skilled in the art will understand that the device 400 may specifically be the first terminal device in the foregoing embodiments, and the device 400 may be configured to perform each procedure and/or step corresponding to the first terminal device in the foregoing method embodiments; to avoid repetition, details are not described here again.
Fig. 5 shows a device 500 for determining suspicious behavior of an application program according to an embodiment of the present invention. The device 500 includes:
a receiving unit 510, configured to receive behavior characteristic information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application program, the data accessed by the first process behavior belongs to a second application program different from the first application program, and the data includes at least one of a process, a thread, a file, a directory and a registry entry;
a determining unit 520, configured to determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
Optionally, the determining unit 520 is specifically configured to:
determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior;
if the first process behavior does not belong to the trusted behavior set, determine that the first process behavior is a suspicious behavior.
Optionally, the receiving unit 510 is further configured to:
before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, receive behavior characteristic information of multiple second process behaviors sent by each second terminal device of at least one second terminal device;
the determining unit 520 is further configured to:
determine the trusted behavior set using a data mining algorithm according to the behavior characteristic information of the multiple second process behaviors sent by each second terminal device, where the trusted behavior set includes at least one second process behavior of the multiple second process behaviors.
Optionally, the behavior characteristic information of the first process behavior includes: information about the application program to which the first process behavior belongs, information about the data accessed by the first process behavior, and information about the application program to which the data accessed by the first process behavior belongs;
the behavior characteristic information of the multiple second process behaviors includes: information about the application programs to which the multiple second process behaviors belong, information about the data accessed by the multiple second process behaviors, and information about the application programs to which the data accessed by the multiple second process behaviors belongs.
Optionally, the device further includes:
a first sending unit, configured to send indication information to the first terminal device after the determining unit determines that the first process behavior is a normal behavior, where the indication information is used to indicate that the first process behavior is a normal behavior.
Optionally, the device further includes:
a second sending unit, configured to send a request message to the first terminal device after the determining unit determines that the first process behavior is a suspicious behavior, where the request message is used to request provenance information of the first process behavior, and the provenance information includes at least one of: process information of the first process behavior, program file information of the first process behavior, and relationship information between the process creator of the first process behavior and the creator of the program file;
the receiving unit 510 is further configured to: receive the provenance information sent by the first terminal device according to the request message;
the device further includes: a display unit, configured to display the provenance information through a back-end management interface.
It should be understood that the device 500 here is embodied in the form of functional units. The term "unit" here may refer to an application-specific integrated circuit (ASIC), an electronic circuit, a processor (such as a shared processor, a dedicated processor or a group processor) and memory for executing one or more software or firmware programs, a merged logic circuit, and/or other suitable components that support the described functions. In an optional example, a person skilled in the art will understand that the device 500 may specifically be the data analysis server in the foregoing embodiments, and the device 500 may be configured to perform each procedure and/or step corresponding to the data analysis server in the foregoing method embodiments; to avoid repetition, details are not described here again.
Fig. 6 shows a device 600 for determining suspicious behavior of an application program according to an embodiment of the present invention. The device 600 includes a processor 610, a transmitter 620, a receiver 630, a memory 640 and a bus system 650. The processor 610, the transmitter 620, the receiver 630 and the memory 640 are connected through the bus system 650; the memory 640 is configured to store instructions, and the processor 610 is configured to execute the instructions stored in the memory 640, to control the transmitter 620 to send signals and to control the receiver 630 to receive signals.
The processor 610 is configured to determine a process behavior of a first application program to be a candidate suspicious behavior when determining that the data accessed by the process behavior belongs to a second application program different from the first application program, where the data includes at least one of a process, a thread, a file, a directory and a registry entry;
the transmitter 620 is configured to send behavior characteristic information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is a suspicious behavior.
Optionally, the processor 610 is specifically configured to:
if the process behavior is a dynamic link library (DLL) file loading behavior of the first application program, determine whether the DLL file loaded by the process behavior is a system DLL file;
if the DLL file is not a system DLL file, determine the application program to which the DLL file belongs;
if the DLL file belongs to the second application program, which is different from the first application program, determine the process behavior to be the candidate suspicious behavior.
Optionally, the processor 610 is specifically configured to:
if the process behavior is a registry access behavior of the first application program, determine the application program that created the registry path accessed by the process behavior;
if the registry path was created by the second application program, which is different from the first application program, determine whether the registry path is a publicly accessible path;
if the registry path is not a publicly accessible path, determine the process behavior to be the candidate suspicious behavior.
Optionally, the processor 610 is specifically configured to:
if the process behavior is a file access behavior of the first application program, determine the application program that created the file accessed by the process behavior;
if the file accessed by the process behavior was created by the second application program, which is different from the first application program, determine the type of the file accessed by the process behavior;
if the type of the file accessed by the process behavior is a program file, determine the process behavior to be the candidate suspicious behavior.
Optionally, the processor 610 is specifically configured to:
if the type of the file accessed by the process behavior is a non-program file, determine whether the application program registered for the extension of the file accessed by the process behavior is the first application program;
if the application program registered for the extension of the file accessed by the process behavior is a third application program, which is different from the first application program, determine the process behavior to be the candidate suspicious behavior.
Optionally, the behavior characteristic information includes: information about the application program to which the process behavior belongs, information about the data accessed by the process behavior, and information about the application program to which the data accessed by the process behavior belongs.
Optionally, the receiver 630 is configured to receive, after the transmitter has sent the behavior characteristic information of the process behavior to the data analysis server, indication information sent by the data analysis server, where the indication information is used to indicate that the process behavior is a normal behavior;
the processor 610 is further configured to: determine, according to the indication information, that the process behavior is a normal behavior.
Optionally, the receiver 630 is configured to receive, after the transmitter has sent the behavior characteristic information of the process behavior to the data analysis server, a request message sent by the data analysis server, where the request message is used to request provenance information of the process behavior, and the provenance information includes at least one of the following: process information of the process behavior, information about the program file corresponding to the process behavior, and relationship information between the process creator of the process behavior and the creator of the program file;
the transmitter 620 is further configured to: send the provenance information to the data analysis server according to the request message.
It should be understood that the device 600 may specifically be the terminal device in the foregoing embodiments, and may be configured to perform each step and/or procedure corresponding to the terminal device in the foregoing method embodiments. Optionally, the memory 640 may include a read-only memory and a random access memory, and provides instructions and data to the processor. A part of the memory may also include a non-volatile random access memory. For example, the memory may also store information about the device type. The processor 630 may be configured to execute the instructions stored in the memory, and when the processor executes the instructions stored in the memory, the processor is configured to perform each step and/or procedure of the foregoing method embodiments.
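The terminal-side screening rules described for the device 400 and device 600 embodiments (and restated in claims 1 to 5), written out as an added Python example; this is not code from the patent or from Huawei. The ownership tables, the public-path set, the extension registrations and the sample paths are constructed assumptions standing in for what a real terminal would record when data is installed or created.

```python
"""Terminal-side screening of candidate suspicious behaviors.

Added illustration of the rules described for device 400 / device 600;
not code from the patent or from Huawei. The ownership tables and sample
behaviors below are constructed stand-ins for records a real terminal
would keep about who installed or created each DLL, registry path and file.
"""
from dataclasses import dataclass
import ntpath

# Constructed "which application program does this data belong to" view.
# "SYSTEM" marks operating-system-owned DLLs.
DLL_OWNER = {
    r"C:\Windows\System32\kernel32.dll": "SYSTEM",
    r"C:\Program Files\AppA\core.dll": "AppA",
    r"C:\Program Files\AppB\helper.dll": "AppB",
}
REG_PATH_OWNER = {            # application program that created the registry path
    r"HKLM\SOFTWARE\AppB\Config": "AppB",
    r"HKLM\SOFTWARE\AppB\Shared": "AppB",
}
PUBLIC_REG_PATHS = {r"HKLM\SOFTWARE\AppB\Shared"}   # paths AppB exposes on purpose
FILE_OWNER = {                # application program that created the file
    r"C:\Program Files\AppB\appb.exe": "AppB",
    r"C:\Users\u\Documents\report.docx": "AppB",
    r"C:\Users\u\Documents\notes.txt": "AppB",
}
PROGRAM_EXTENSIONS = {".exe", ".dll", ".sys", ".com"}
EXT_REGISTERED_APP = {".docx": "AppC", ".txt": "AppA"}   # extension -> registered handler app


@dataclass(frozen=True)
class ProcessBehavior:
    app: str      # first application program: the one the acting process belongs to
    kind: str     # "dll_load" | "registry_access" | "file_access"
    target: str   # DLL path, registry path or file path that was accessed


def file_type(path: str) -> str:
    """Classify a file as 'program' or 'non-program' by its extension.
    ntpath handles backslash paths on any host OS."""
    ext = ntpath.splitext(path)[1].lower()
    return "program" if ext in PROGRAM_EXTENSIONS else "non-program"


def data_owner(b: ProcessBehavior):
    """Application program the accessed data belongs to, or None if unknown."""
    table = {"dll_load": DLL_OWNER, "registry_access": REG_PATH_OWNER,
             "file_access": FILE_OWNER}[b.kind]
    return table.get(b.target)


def is_candidate_suspicious(b: ProcessBehavior) -> bool:
    """Apply the per-behavior-type rules of the optional embodiments.

    The common precondition is that the accessed data belongs to a second
    application program different from the first one; each branch then adds
    the type-specific exception that keeps ordinary sharing from being flagged.
    """
    owner = data_owner(b)
    if b.kind == "dll_load":
        if owner == "SYSTEM":                  # system DLLs are never candidates
            return False
        return owner is not None and owner != b.app
    if owner is None or owner == b.app:        # own data, or nothing known: not a candidate
        return False
    if b.kind == "registry_access":
        # A second app's registry path is only suspicious if it is not public.
        return b.target not in PUBLIC_REG_PATHS
    if b.kind == "file_access":
        if file_type(b.target) == "program":   # touching another app's program file
            return True
        # Non-program file: suspicious only if its extension is registered to a
        # third application program (neither the first app nor unregistered).
        registered = EXT_REGISTERED_APP.get(ntpath.splitext(b.target)[1].lower())
        return registered is not None and registered != b.app
    return False


def behavior_characteristic_info(b: ProcessBehavior) -> dict:
    """The three items the patent names as behavior characteristic information,
    in the shape the terminal would send to the data analysis server."""
    return {"process_app": b.app, "data_kind": b.kind,
            "data_target": b.target, "data_app": data_owner(b)}


if __name__ == "__main__":
    sample = ProcessBehavior("AppA", "file_access", r"C:\Users\u\Documents\report.docx")
    if is_candidate_suspicious(sample):
        print("candidate:", behavior_characteristic_info(sample))
```

Only behaviors that pass this screen are reported; a system DLL load, a public registry path and a file whose extension is registered to the acting application all stay local.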
Fig. 7 shows a device 700 for determining suspicious behavior of an application program according to an embodiment of the present invention. The device 700 includes a receiver 710, a processor 720, a transmitter 730, a memory 740 and a bus system 750. The receiver 710, the processor 720, the transmitter 730 and the memory 740 are connected through the bus system 750; the memory 740 is configured to store instructions, and the processor 720 is configured to execute the instructions stored in the memory 740, to control the receiver 710 to receive signals and to control the transmitter 730 to send signals.
The receiver 710 is configured to receive behavior characteristic information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application program, the data accessed by the first process behavior belongs to a second application program different from the first application program, and the data includes at least one of a process, a thread, a file, a directory and a registry entry;
the processor 720 is configured to determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
Optionally, the processor 720 is specifically configured to:
determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior;
if the first process behavior does not belong to the trusted behavior set, determine that the first process behavior is a suspicious behavior.
Optionally, the receiver 710 is further configured to:
before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, receive behavior characteristic information of multiple second process behaviors sent by each second terminal device of at least one second terminal device;
the processor 720 is further configured to:
determine the trusted behavior set using a data mining algorithm according to the behavior characteristic information of the multiple second process behaviors sent by each second terminal device, where the trusted behavior set includes at least one second process behavior of the multiple second process behaviors.
Optionally, the behavior characteristic information of the first process behavior includes: information about the application program to which the first process behavior belongs, information about the data accessed by the first process behavior, and information about the application program to which the data accessed by the first process behavior belongs;
the behavior characteristic information of the multiple second process behaviors includes: information about the application programs to which the multiple second process behaviors belong, information about the data accessed by the multiple second process behaviors, and information about the application programs to which the data accessed by the multiple second process behaviors belongs.
Optionally, the transmitter 730 is configured to send indication information to the first terminal device after the determining unit determines that the first process behavior is a normal behavior, where the indication information is used to indicate that the first process behavior is a normal behavior.
Optionally, the transmitter 730 is configured to send a request message to the first terminal device after the determining unit determines that the first process behavior is a suspicious behavior, where the request message is used to request provenance information of the first process behavior, and the provenance information includes at least one of: process information of the first process behavior, information about the program file corresponding to the first process behavior, and relationship information between the process creator of the first process behavior and the creator of the program file;
the receiver 710 is further configured to: receive the provenance information sent by the first terminal device according to the request message;
the processor 720 is configured to display the provenance information through a back-end management interface.
It should be understood that the device 700 may specifically be the data analysis server in the foregoing embodiments, and may be configured to perform each step and/or procedure corresponding to the data analysis server in the foregoing method embodiments. Optionally, the memory 740 may include a read-only memory and a random access memory, and provides instructions and data to the processor. A part of the memory may also include a non-volatile random access memory. For example, the memory may also store information about the device type. The processor 720 may be configured to execute the instructions stored in the memory, and when the processor executes the instructions, the processor may perform each step and/or procedure corresponding to the data analysis server in the foregoing method embodiments.
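The data-analysis-server side described for the device 500 and device 700 embodiments (and restated in claims 9 to 14), as an added Python example that is not code from the patent or from Huawei: it mines a trusted behavior set from the second terminals' reports, judges a newly reported behavior against it, and builds the reply (an indication when normal, a provenance request when suspicious), with the terminal's answer from claims 7 and 8. The patent only names "a data mining algorithm"; the distinct-terminal support rule, the message dictionaries and all reports below are constructed assumptions.

```python
"""Data-analysis-server side: trusted behavior set mining and the reply
to a reporting terminal.

Added illustration of the device 500 / device 700 embodiments; not code
from the patent or from Huawei. The support-count mining rule, the message
layout and every report below are assumptions constructed for the example.
"""
from collections import defaultdict
from typing import Iterable, Tuple

# One report = (second terminal device id, behavior characteristic information);
# the information is the triple the patent names: app the process belongs to,
# the accessed data, app the data belongs to.
ReportRecord = Tuple[str, dict]


def behavior_key(info: dict) -> tuple:
    """Canonical key of one behavior: two terminals reporting the same triple
    are reporting the same behavior."""
    return (info["process_app"], info["data_kind"], info["data_target"], info["data_app"])


def mine_trusted_set(reports: Iterable[ReportRecord], min_terminals: int) -> set:
    """Assumed mining rule: a behavior becomes trusted when at least
    min_terminals distinct second terminal devices report it. Counting
    distinct terminals rather than raw reports keeps a single chatty
    (or compromised) host from promoting its own behavior into the set."""
    support = defaultdict(set)
    for terminal_id, info in reports:
        support[behavior_key(info)].add(terminal_id)
    return {key for key, terms in support.items() if len(terms) >= min_terminals}


def is_suspicious(info: dict, trusted: set) -> bool:
    """Claim 10: a behavior outside the trusted behavior set is suspicious."""
    return behavior_key(info) not in trusted


# Provenance (trace-to-source) items the server may request, per claim 14.
PROVENANCE_FIELDS = ("process_info", "program_file_info", "creator_relationship")


def server_reply(info: dict, trusted: set) -> dict:
    """Claims 13-14: indication for a normal behavior, provenance request
    for a suspicious one."""
    if is_suspicious(info, trusted):
        return {"type": "request", "fields": list(PROVENANCE_FIELDS)}
    return {"type": "indication", "normal": True}


def terminal_handle_reply(reply: dict, provenance: dict) -> dict:
    """Terminal side of the exchange (claims 7-8): an indication settles the
    candidate as normal; a request is answered with the requested fields."""
    if reply["type"] == "indication" and reply.get("normal"):
        return {"status": "normal"}
    return {"status": "provenance",
            "data": {f: provenance[f] for f in reply["fields"] if f in provenance}}


# Constructed reports from second terminal devices t1..t4.
REPORT_DLL = {"process_app": "AppA", "data_kind": "dll_load",
              "data_target": r"C:\Program Files\AppB\helper.dll", "data_app": "AppB"}
REPORT_EXE = {"process_app": "AppA", "data_kind": "file_access",
              "data_target": r"C:\Program Files\AppB\appb.exe", "data_app": "AppB"}
SECOND_TERMINAL_REPORTS = [("t1", REPORT_DLL), ("t2", REPORT_DLL), ("t3", REPORT_DLL),
                           ("t4", REPORT_EXE), ("t4", REPORT_EXE)]   # t4 reports twice

# Constructed provenance the first terminal would hold for a flagged behavior.
SAMPLE_PROVENANCE = {
    "process_info": {"pid": 4242, "image": r"C:\Program Files\AppA\appa.exe"},
    "program_file_info": {"path": r"C:\Program Files\AppA\appa.exe", "signer": "AppA Ltd"},
    "creator_relationship": "process created by appa.exe; program file written by the AppA installer",
}


def run_example() -> dict:
    """End to end: mine the set, judge the first terminal's reports, exchange replies."""
    trusted = mine_trusted_set(SECOND_TERMINAL_REPORTS, min_terminals=3)
    replies = {name: server_reply(info, trusted)
               for name, info in (("dll", REPORT_DLL), ("exe", REPORT_EXE))}
    answer = terminal_handle_reply(replies["exe"], SAMPLE_PROVENANCE)
    return {"trusted": trusted, "replies": replies, "terminal_answer": answer}


if __name__ == "__main__":
    print(run_example())
```

With the threshold at three distinct terminals, the helper.dll load seen on t1, t2 and t3 becomes trusted while the appb.exe access reported twice by t4 alone does not, so only the latter triggers a provenance request.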
It should be understood that, in the embodiments of the present invention, the processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of the hardware in the processor or by instructions in the form of software. The steps of the method disclosed with reference to the embodiments of the present invention may be directly executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the instructions in the memory and completes the steps of the foregoing method in combination with its hardware. To avoid repetition, details are not described here.
A person of ordinary skill in the art may be aware that the steps and units of the various methods described with reference to the embodiments disclosed herein can be implemented by electronic hardware, computer software or a combination of the two. To clearly describe the interchangeability of hardware and software, the steps and composition of each embodiment have been described above generally in terms of function. Whether these functions are performed by hardware or by software depends on the specific application and the design constraints of the technical solution. A person of ordinary skill in the art may use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of the present invention.
It may be clearly understood by a person skilled in the art that, for convenience and brevity of description, for the specific working processes of the systems, devices and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative. For example, the division of the units is merely a division of logical functions; in actual implementation there may be other divisions, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, or may be electrical, mechanical or other forms of connection.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments of the present invention.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention essentially, or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can readily think of various equivalent modifications or substitutions within the technical scope disclosed in the present invention, and such modifications or substitutions shall all fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (28)

1. A method for determining suspicious behavior of an application program, characterized in that the method comprises:
determining, by a terminal device, a process behavior of a first application program to be a candidate suspicious behavior when determining that the data accessed by the process behavior belongs to a second application program different from the first application program, wherein the data comprises at least one of a process, a thread, a file, a directory and a registry entry; and
sending, by the terminal device, behavior characteristic information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is a suspicious behavior.
2. The method according to claim 1, characterized in that the determining, by the terminal device, the process behavior to be the candidate suspicious behavior when determining that the data accessed by the process behavior of the first application program belongs to the second application program different from the first application program comprises:
if the process behavior is a dynamic link library (DLL) file loading behavior of the first application program, determining, by the terminal device, whether the DLL file loaded by the process behavior is a system DLL file;
if the DLL file is not a system DLL file, determining, by the terminal device, the application program to which the DLL file belongs; and
if the DLL file belongs to the second application program different from the first application program, determining, by the terminal device, the process behavior to be the candidate suspicious behavior.
3. The method according to claim 1, characterized in that the determining, by the terminal device, the process behavior to be the candidate suspicious behavior when determining that the data accessed by the process behavior of the first application program belongs to the second application program different from the first application program comprises:
if the process behavior is a registry access behavior of the first application program, determining, by the terminal device, the application program that created the registry path accessed by the process behavior;
if the registry path was created by the second application program different from the first application program, determining, by the terminal device, whether the registry path is a publicly accessible path; and
if the registry path is not a publicly accessible path, determining, by the terminal device, the process behavior to be the candidate suspicious behavior.
4. The method according to claim 1, characterized in that the determining, by the terminal device, the process behavior to be the candidate suspicious behavior when determining that the data accessed by the process behavior of the first application program belongs to the second application program different from the first application program comprises:
if the process behavior is a file access behavior of the first application program, determining, by the terminal device, the application program that created the file accessed by the process behavior;
if the file accessed by the process behavior was created by the second application program different from the first application program, determining, by the terminal device, the type of the file accessed by the process behavior; and
if the type of the file accessed by the process behavior is a program file, determining, by the terminal device, the process behavior to be the candidate suspicious behavior.
5. The method according to claim 4, characterized in that, if the type of the file accessed by the process behavior is a non-program file, the terminal device determines the application program registered for the extension of the file accessed by the process behavior; and
if the application program registered for the extension of the file accessed by the process behavior is a third application program different from the first application program, the terminal device determines the process behavior to be the candidate suspicious behavior.
6. The method according to any one of claims 1 to 5, characterized in that the behavior characteristic information comprises:
information about the application program to which the process behavior belongs, information about the data accessed by the process behavior, and information about the application program to which the data accessed by the process behavior belongs.
7. The method according to any one of claims 1 to 6, characterized in that, after the terminal device sends the behavior characteristic information of the process behavior to the data analysis server, the method further comprises:
receiving, by the terminal device, indication information sent by the data analysis server, wherein the indication information is used to indicate that the process behavior is a normal behavior; and
determining, by the terminal device according to the indication information, that the process behavior is a normal behavior.
8. The method according to any one of claims 1 to 6, characterized in that, after the terminal device sends the behavior characteristic information of the process behavior to the data analysis server, the method further comprises:
receiving, by the terminal device, a request message sent by the data analysis server, wherein the request message is used to request provenance information of the process behavior, and the provenance information comprises at least one of the following: process information of the process behavior, information about the program file corresponding to the process behavior, and relationship information between the process creator of the process behavior and the creator of the program file; and
sending, by the terminal device according to the request message, the provenance information to the data analysis server.
9. A method for determining suspicious behavior of an application program, characterized in that the method comprises:
receiving, by a data analysis server, behavior characteristic information of a first process behavior sent by a first terminal device, wherein the first process behavior belongs to a first application program, the data accessed by the first process behavior belongs to a second application program different from the first application program, and the data comprises at least one of a process, a thread, a file, a directory and a registry entry; and
determining, by the data analysis server according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
10. The method according to claim 9, characterized in that the determining, by the data analysis server according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior comprises:
determining, by the data analysis server according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, wherein the trusted behavior set comprises at least one trusted behavior; and
if it is determined that the first process behavior does not belong to the trusted behavior set, determining, by the data analysis server, that the first process behavior is a suspicious behavior.
11. The method according to claim 10, characterized in that, before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, the method further comprises:
receiving, by the data analysis server, behavior characteristic information of multiple second process behaviors sent by each second terminal device of at least one second terminal device; and
determining, by the data analysis server, the trusted behavior set using a data mining algorithm according to the behavior characteristic information of the multiple second process behaviors sent by the at least one second terminal device, wherein the trusted behavior set comprises at least one second process behavior of the multiple second process behaviors.
12. The method according to claim 11, characterized in that the behavior characteristic information of the first process behavior comprises:
information on the application program to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application program to which the data accessed by the first process behavior belong;
and the behavior characteristic information of the multiple second process behaviors comprises:
information on the application programs to which the multiple second process behaviors belong, information on the data accessed by the multiple second process behaviors, and information on the application programs to which the data accessed by the multiple second process behaviors belong.
13. The method according to any one of claims 9 to 12, characterized in that the method further comprises:
if the data analytics server determines that the first process behavior is normal behavior, the data analytics server sending indication information to the first terminal device, the indication information being used to indicate that the first process behavior is normal behavior.
14. The method according to any one of claims 9 to 12, characterized in that the method further comprises:
if the data analytics server determines that the first process behavior is suspicious behavior, the data analytics server sending a request message to the first terminal device, the request message being used to request source-tracing information of the first process behavior, the source-tracing information comprising at least one of process information of the first process behavior, information on the program file corresponding to the first process behavior, and relationship information between the process creator of the first process behavior and the program file creator;
the data analytics server receiving the source-tracing information sent by the first terminal device according to the request message;
the data analytics server displaying the source-tracing information through a back-end management interface.
15. An apparatus for determining suspicious behavior of an application program, characterized in that it comprises:
a determining unit, configured to determine a process behavior of a first application program as a candidate suspicious behavior when it is determined that the data accessed by the process behavior belong to a second application program different from the first application program, the data comprising at least one of a process, a thread, a file, a directory and a registry entry;
a sending unit, configured to send behavior characteristic information of the process behavior to a data analytics server, so that the data analytics server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is suspicious behavior.
16. The apparatus according to claim 15, characterized in that the determining unit is specifically configured to:
if the process behavior is a dynamic link library (DLL) file loading behavior of the first application program, determine whether the DLL file loaded by the process behavior is a system DLL file;
if the DLL file is not a system DLL file, determine the application program to which the DLL file belongs;
if the DLL file belongs to the second application program different from the first application program, determine the process behavior as the candidate suspicious behavior.
17. The apparatus according to claim 15, characterized in that the determining unit is specifically configured to:
if the process behavior is a registry access behavior of the first application program, determine the application program that created the registry path accessed by the process behavior;
if the registry path was created by the second application program different from the first application program, determine whether the registry path is a publicly accessible path;
if the registry path is not a publicly accessible path, determine the process behavior as the candidate suspicious behavior.
18. The apparatus according to claim 15, characterized in that the determining unit is specifically configured to:
if the process behavior is a file access behavior of the first application program, determine the application program that created the file accessed by the process behavior;
if the file accessed by the process behavior was created by the second application program different from the first application program, determine the type of the file accessed by the process behavior;
if the type of the file accessed by the process behavior is a program file, determine the process behavior as the candidate suspicious behavior.
19. The apparatus according to claim 18, characterized in that, if the type of the file accessed by the process behavior is a non-program file, the determining unit determines whether the application program registered for the extension name of the file accessed by the process behavior is the first application program;
if the application program registered for the extension name of the file accessed by the process behavior is a third application program different from the first application program, the process behavior is determined as the candidate suspicious behavior.
20. The apparatus according to any one of claims 15 to 19, characterized in that the behavior characteristic information comprises:
information on the application program to which the process behavior belongs, information on the data accessed by the process behavior, and information on the application program to which the data accessed by the process behavior belong.
21. The apparatus according to any one of claims 15 to 20, characterized in that the apparatus further comprises:
a first receiving unit, configured to receive, after the behavior characteristic information of the process behavior is sent to the data analytics server, indication information sent by the data analytics server, the indication information being used to indicate that the process behavior is normal behavior;
and the determining unit is further configured to:
determine, according to the indication information, that the process behavior is normal behavior.
22. The apparatus according to any one of claims 15 to 20, characterized in that the apparatus further comprises:
a second receiving unit, configured to receive, after the behavior characteristic information of the process behavior is sent to the data analytics server, a request message sent by the data analytics server, the request message being used to request source-tracing information of the process behavior, the source-tracing information comprising at least one of the following: process information of the process behavior, information on the program file corresponding to the process behavior, and relationship information between the process creator of the process behavior and the program file creator;
and the sending unit is further configured to:
send the source-tracing information to the data analytics server according to the request message.
23. An apparatus for determining suspicious behavior of an application program, characterized in that it comprises:
a receiving unit, configured to receive behavior characteristic information of a first process behavior sent by a first terminal device, wherein the first process behavior belongs to a first application program, and the data accessed by the first process behavior belong to a second application program different from the first application program, the data comprising at least one of a process, a thread, a file, a directory and a registry entry;
a determining unit, configured to determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior is suspicious behavior.
24. The apparatus according to claim 23, characterized in that the determining unit is specifically configured to:
determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, wherein the trusted behavior set comprises at least one trusted behavior;
if the first process behavior does not belong to the trusted behavior set, determine that the first process behavior is suspicious behavior.
25. The apparatus according to claim 24, characterized in that the receiving unit is further configured to:
before the data analytics server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, receive behavior characteristic information of multiple second process behaviors sent by each second terminal device of at least one second terminal device;
and the determining unit is further configured to:
determine the trusted behavior set using a data mining algorithm, according to the behavior characteristic information of the multiple second process behaviors sent by each second terminal device, wherein the trusted behavior set comprises at least one second process behavior of the multiple second process behaviors.
26. The apparatus according to claim 25, characterized in that the behavior characteristic information of the first process behavior comprises:
information on the application program to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application program to which the data accessed by the first process behavior belong;
and the behavior characteristic information of the multiple second process behaviors comprises:
information on the application programs to which the multiple second process behaviors belong, information on the data accessed by the multiple second process behaviors, and information on the application programs to which the data accessed by the multiple second process behaviors belong.
27. The apparatus according to any one of claims 23 to 26, characterized in that the apparatus further comprises:
a first sending unit, configured to send, after the determining unit determines that the first process behavior is normal behavior, indication information to the first terminal device, the indication information being used to indicate that the first process behavior is normal behavior.
28. The apparatus according to any one of claims 23 to 26, characterized in that the apparatus further comprises:
a second sending unit, configured to send, after the determining unit determines that the first process behavior is suspicious behavior, a request message to the first terminal device, the request message being used to request source-tracing information of the first process behavior, the source-tracing information comprising at least one of process information of the first process behavior, information on the program file corresponding to the first process behavior, and relationship information between the process creator of the first process behavior and the program file creator;
the receiving unit is further configured to:
receive the source-tracing information sent by the first terminal device according to the request message;
and the apparatus further comprises:
a display unit, configured to display the source-tracing information through a back-end management interface.
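The two-stage decision the claims describe (the terminal-side candidate filter of claims 15 to 19 and the server-side trusted-set check of claims 23 to 25), as an added Python model that is not the patent's or Huawei's code. The event fields, application names, paths and the frequency-threshold stand-in for the unspecified data mining algorithm are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Behavior:
    app: str                  # application the acting process belongs to
    kind: str                 # "dll_load", "registry" or "file"
    target: str               # DLL path, registry path or file path
    owner: Optional[str]      # application that created/owns the target
    is_system_dll: bool = False
    public_path: bool = False
    is_program_file: bool = False
    ext_registered_to: Optional[str] = None  # app registered for the extension

def is_candidate_suspicious(b: Behavior) -> bool:
    """Terminal-side filter (claims 15-19). An unknown owner is treated as
    'not another application'; the claims leave that case open."""
    other_owner = b.owner not in (None, b.app)
    if b.kind == "dll_load":            # claim 16: skip system DLLs
        return other_owner and not b.is_system_dll
    if b.kind == "registry":            # claim 17: skip public paths
        return other_owner and not b.public_path
    if b.kind == "file":                # claims 18 and 19
        if not other_owner:
            return False
        if b.is_program_file:
            return True
        return b.ext_registered_to not in (None, b.app)
    return False

def characteristic_info(b: Behavior) -> tuple:
    """Claim 20: (acting app, accessed data, app owning the data)."""
    return (b.app, b.target, b.owner)

def mine_trusted_set(reports, min_terminals=2):
    """Stand-in for the unspecified data mining of claims 11/25: a behavior
    becomes trusted once min_terminals distinct terminals report it."""
    seen = {}
    for terminal_id, info in reports:
        seen.setdefault(info, set()).add(terminal_id)
    return {info for info, ts in seen.items() if len(ts) >= min_terminals}

def server_verdict(info: tuple, trusted: set) -> str:
    """Claims 23-24: anything outside the trusted set is suspicious."""
    return "normal" if info in trusted else "suspicious"
# Constructed sample events from the first terminal (not real telemetry).
EVENTS = [
    Behavior("OfficeSuite", "dll_load", r"C:\Program Files\PdfReader\pdfplug.dll", "PdfReader"),
    Behavior("OfficeSuite", "dll_load", r"C:\Windows\System32\kernel32.dll", "Windows", is_system_dll=True),
    Behavior("Updater", "registry", r"HKLM\SOFTWARE\BrowserX\Profiles", "BrowserX"),
    Behavior("Updater", "file", r"C:\Program Files\BrowserX\browser.exe", "BrowserX", is_program_file=True),
    Behavior("Editor", "file", r"C:\Users\alice\notes.txt", "BrowserX", ext_registered_to="Editor"),
]
# Constructed reports (terminal id, characteristic info) from other terminals.
REPORTS = [
    ("t1", ("OfficeSuite", r"C:\Program Files\PdfReader\pdfplug.dll", "PdfReader")),
    ("t2", ("OfficeSuite", r"C:\Program Files\PdfReader\pdfplug.dll", "PdfReader")),
    ("t3", ("Updater", r"HKLM\SOFTWARE\BrowserX\Profiles", "BrowserX")),
]
def triage(events=EVENTS, reports=REPORTS) -> dict:
    """Both stages end to end: {target: verdict} for candidate behaviors only."""
    trusted = mine_trusted_set(reports)
    return {b.target: server_verdict(characteristic_info(b), trusted)
            for b in events if is_candidate_suspicious(b)}
```

Only the three events that survive the terminal filter reach the server; the plugin DLL load, reported by two other terminals, comes back as normal while the other two are flagged.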
CN201610266466.5A 2016-04-26 2016-04-26 Method and apparatus for determining application program suspicious actions Pending CN107315952A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610266466.5A CN107315952A (en) 2016-04-26 2016-04-26 Method and apparatus for determining application program suspicious actions
PCT/CN2017/070468 WO2017185827A1 (en) 2016-04-26 2017-01-06 Method and apparatus for determining suspicious activity of application program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610266466.5A CN107315952A (en) 2016-04-26 2016-04-26 Method and apparatus for determining application program suspicious actions

Publications (1)

Publication Number Publication Date
CN107315952A true CN107315952A (en) 2017-11-03

Family

ID=60160690

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610266466.5A Pending CN107315952A (en) 2016-04-26 2016-04-26 Method and apparatus for determining application program suspicious actions

Country Status (2)

Country Link
CN (1) CN107315952A (en)
WO (1) WO2017185827A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109255238A (en) * 2018-08-24 2019-01-22 成都网思科平科技有限公司 terminal threat detection and response method and engine
CN109327433A (en) * 2018-09-03 2019-02-12 北京智游网安科技有限公司 Threat cognitive method and system based on Run-time scenario analysis
CN109784051A (en) * 2018-12-29 2019-05-21 360企业安全技术(珠海)有限公司 Protecting information safety method, device and equipment
CN109784052A (en) * 2018-12-29 2019-05-21 360企业安全技术(珠海)有限公司 The management method and server-side, terminal, system of software action detection
CN109815702A (en) * 2018-12-29 2019-05-28 360企业安全技术(珠海)有限公司 Safety detection method, device and the equipment of software action
CN110750561A (en) * 2018-07-20 2020-02-04 深圳市诚壹科技有限公司 Method and device for mining associated application program
CN115412320A (en) * 2022-08-19 2022-11-29 奇安信网神信息技术(北京)股份有限公司 Attack behavior tracing method, device and system

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113672925B (en) * 2021-08-26 2024-01-26 安天科技集团股份有限公司 Method and device for preventing lux software attack, storage medium and electronic equipment
CN114676429A (en) * 2022-03-18 2022-06-28 山东鼎夏智能科技有限公司 Method and device for detecting unknown risk of startup item

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101556608A (en) * 2009-02-27 2009-10-14 浙大网新科技股份有限公司 File system operation intercepting method based on event monitoring mechanism
CN103902892A (en) * 2012-12-24 2014-07-02 珠海市君天电子科技有限公司 Behavior-based virus defense method and system
CN104899511A (en) * 2015-05-21 2015-09-09 成都中科慧创科技有限公司 Program behavior algorithm based active defense method
CN105243324A (en) * 2015-10-20 2016-01-13 珠海市君天电子科技有限公司 Method and device for identifying malicious software in user terminal and user terminal
CN105279433A (en) * 2014-07-10 2016-01-27 腾讯科技(深圳)有限公司 Application protection method and apparatus

Also Published As

Publication number Publication date
WO2017185827A1 (en) 2017-11-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171103