CN109784052B - Management method for software behavior detection, server, terminal and system - Google Patents


Publication number
CN109784052B
Authority
CN
China
Legal status
Active
Application number
CN201811640645.6A
Other languages
Chinese (zh)
Other versions
CN109784052A (en
Inventor
王腾
李宇
李宗越
王宜云
卢杨渐
黄瀚
胡彬
黄鉴廷
Current Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
360 Enterprise Security Technology Zhuhai Co ltd
Beijing Qianxin Technology Co Ltd

Abstract

The invention discloses a management method, a server side, a terminal and a system for software behavior detection, relates to the technical field of communication and information, and mainly aims to solve the problem that unknown software behaviors cannot be accurately judged when operation and maintenance personnel check the software behaviors. The method comprises the following steps: the method comprises the steps that a terminal obtains software behaviors of software operation and identifies the operation states of the software behaviors according to a preset behavior set; if the operation state is identified to be failed, software behavior information of the software behavior is uploaded to a server; the server receives the software behavior information to be detected; classifying the software behavior information, and distributing the software behavior information to a detection end according to a classification result; if a detection result fed back by the detection end is received, feeding back the detection result to the terminal; and the terminal receives the detection result and processes the software behavior according to the detection result.

Description

Management method for software behavior detection, server, terminal and system
Technical Field
The invention relates to the technical field of communication and information, in particular to a management method, a server, a terminal and a system for software behavior detection.
Background
With the continuous development of the cloud control technology, security departments of enterprises can monitor the security protection of computers inside the enterprises and can monitor the operation behavior of software deployed on each computer.
At present, the existing management of software behavior detection is to manually check each computer respectively to detect whether the software behavior is abnormal, but when checking the software behavior on each computer, operation and maintenance personnel cannot accurately judge the unknown software behavior, thereby reducing the management efficiency of software behavior detection.
Disclosure of Invention
In view of this, the present invention provides a management method for software behavior detection, a server, a terminal, and a system, and mainly aims to solve the problem that an operation and maintenance worker cannot accurately judge an unknown software behavior when examining and verifying software behaviors on each computer.
According to an aspect of the present invention, there is provided a management method for software behavior detection, including:
receiving software behavior information to be detected, wherein the software behavior information is information for identifying abnormal behaviors existing in software operation according to a preset behavior set by a terminal;
classifying the software behavior information, and distributing the software behavior information to a detection end according to a classification result, so that the detection end detects the running state of the software behavior according to the software behavior information, and determines a detection result;
and if a detection result fed back by the detection end is received, feeding back the detection result to the terminal so that the terminal processes the software behavior according to the detection result, wherein the detection result is a management mode of the software behavior detection fed back to the server end after the detection of the detection end.
Further, the classifying the software behavior information and distributing the software behavior information to the detection end according to the classification result includes:
classifying the software behavior information according to behavior monitoring types, wherein the behavior monitoring types comprise a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type and a drive monitoring type;
calculating the number of devices of the detection end, and determining the distribution mode of the detection end corresponding to the number of the devices according to a preset distribution rule, wherein the preset distribution rule is the corresponding relation between the number of the devices and the identity identification information and the behavior monitoring type of the terminal;
and distributing the classified software behavior information to the detection end according to the distribution mode.
Further, the calculating the number of the devices at the detection end and determining the distribution mode of the detection end corresponding to the number of the devices according to a preset distribution rule includes:
calculating the number of devices of the detection end, performing type division on the detection end corresponding to the number of the devices according to the behavior monitoring type, matching the divided detection end with the identity identification information, and determining the corresponding relation after matching as the distribution mode of the detection end.
Further, after the detecting result is fed back to the terminal if the detecting result fed back by the detecting end is received, the method further includes:
and recording the detection result, and storing the corresponding relation between the detection result and the software behavior information into a preset storage position.
Further, the method further comprises:
receiving a detection result query request according to a preset time interval, if a detection result corresponding to the software behavior information exists in the preset storage position, extracting the detection result from the preset storage position and feeding the detection result back to the terminal, wherein the detection result query request carries the software behavior information to be queried.
According to an aspect of the present invention, there is provided another management method for software behavior detection, including:
acquiring software behaviors of software operation, and identifying the operation state of the software behaviors according to a preset behavior set;
if the operation state is identified to be failed, software behavior information of the software behavior is uploaded to a server side, and the software behavior information is behavior information corresponding to the abnormal behavior identified according to the preset behavior set;
and receiving a detection result, and processing the software behavior according to the detection result, wherein the detection result is a management mode of the software behavior detection fed back to the server after the detection of the detection end.
Further, before the acquiring the software behavior of the software operation and identifying the operation state of the software behavior according to the preset behavior set, the method further includes:
determining the running state of the software behavior according to the software behavior of the running software, wherein the running state comprises dangerous running and legal running;
and updating the software behaviors of which the running states can be determined into the preset behavior set so as to identify the running states of all the software behaviors according to the preset behavior set.
Further, before the receiving the detection result and processing the software behavior according to the detection result, the method further includes:
and sending a detection result query request, wherein the detection result query request carries the software behavior information to be queried.
According to an aspect of the present invention, there is provided a server, including:
a receiving unit, configured to receive software behavior information to be detected, wherein the software behavior information is information that the terminal identifies, according to a preset behavior set, as an abnormal behavior existing in software operation;
the classification unit is used for classifying the software behavior information and distributing the software behavior information to the detection end according to a classification result so that the detection end detects the running state of the software behavior according to the software behavior information and determines a detection result;
and the feedback unit is used for feeding back the detection result to the terminal if the detection result fed back by the detection end is received, so that the terminal processes the software behavior according to the detection result, and the detection result is a management mode of the software behavior detection fed back to the service end after the detection of the detection end.
Further, the classification unit includes:
the classification module is used for classifying the software behavior information according to behavior monitoring types, wherein the behavior monitoring types comprise a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type and a drive monitoring type;
the calculation module is used for calculating the number of the devices of the detection end and determining the distribution mode of the detection end corresponding to the number of the devices according to a preset distribution rule, wherein the preset distribution rule is the corresponding relation between the number of the devices and the identity identification information and the behavior monitoring type of the terminal;
and the distribution module is used for distributing the classified software behavior information to the detection end according to the distribution mode.
Further,
the calculation module is specifically configured to calculate the number of devices of the detection end, perform type division on the detection end corresponding to the number of devices according to the behavior monitoring type, match the divided detection end with the identity information, and determine a corresponding relationship after matching as a distribution manner of the detection end.
Further, the server further includes:
and the recording unit is used for recording the detection result and storing the corresponding relation between the detection result and the software behavior information into a preset storage position.
Further, the server further includes:
and the extraction unit is used for receiving a detection result query request according to a preset time interval, if the detection result corresponding to the software behavior information exists in the preset storage position, extracting the detection result from the preset storage position and feeding the detection result back to the terminal, wherein the detection result query request carries the software behavior information to be queried.
According to an aspect of the present invention, there is provided a terminal including:
the device comprises an acquisition unit, a processing unit and a control unit, wherein the acquisition unit is used for acquiring software behaviors of software operation and identifying the operation state of the software behaviors according to a preset behavior set;
the uploading unit is used for uploading the software behavior information of the software behavior to a server if the operation state is identified to be failed, wherein the software behavior information is the behavior information corresponding to the abnormal behavior identified according to the preset behavior set;
and the receiving unit is used for receiving a detection result and processing the software behavior according to the detection result, wherein the detection result is a management mode of the software behavior detection fed back to the server after the detection of the detection end.
Further, the terminal further includes:
the determining unit is used for determining the running state of the software behavior according to the software behavior of the running software, wherein the running state comprises dangerous running and legal running;
and the updating unit is used for updating the software behaviors of which the running states can be determined into the preset behavior set so as to identify the running states of all the software behaviors according to the preset behavior set.
Further, the terminal further includes:
and the sending unit is used for sending a detection result query request, and the detection result query request carries the software behavior information to be queried.
According to an aspect of the present invention, there is provided a storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the management method for software behavior detection described above.
According to an aspect of the present invention, there is provided a computer apparatus including: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operations corresponding to the management method for software behavior detection described above.
According to an aspect of the present invention, there is provided another storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the other management method for software behavior detection described above.
According to an aspect of the present invention, there is provided another computer apparatus, including: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the other software behavior detection management method.
According to an aspect of the present invention, there is provided a management system for software behavior detection, including: a server and a terminal, wherein the server is connected with the terminal,
the terminal is used for acquiring software behaviors of software operation and identifying the operation state of the software behaviors according to a preset behavior set;
the terminal is further used for uploading software behavior information of the software behavior to a server if the operation state is identified to be failed, wherein the software behavior information is behavior information corresponding to the abnormal behavior identified according to the preset behavior set;
the server is used for receiving software behavior information to be detected, wherein the software behavior information is information for identifying abnormal behaviors in software operation according to a preset behavior set by the terminal;
the server is further used for classifying the software behavior information and distributing the software behavior information to the detection end according to a classification result, so that the detection end detects the running state of the software behavior according to the software behavior information and determines a detection result;
the server is further configured to feed the detection result back to the terminal if the detection result fed back by the detection end is received, so that the terminal processes the software behavior according to the detection result, wherein the detection result is a management mode of the software behavior detection fed back to the server after the detection of the detection end;
and the terminal is also used for receiving a detection result and processing the software behavior according to the detection result, wherein the detection result is a management mode of the software behavior detection fed back to the server after the detection of the detection end.
By the technical scheme, the technical scheme provided by the embodiment of the invention at least has the following advantages:
the invention provides a management method for software behavior detection, a server, a terminal and a system, wherein the terminal acquires software behaviors of software operation and identifies the operation states of the software behaviors according to a preset behavior set; if the operation state is identified to be failed, software behavior information of the software behavior is uploaded to a server side, and the software behavior information is behavior information corresponding to the abnormal behavior identified according to the preset behavior set; the method comprises the steps that a server side receives software behavior information to be detected, wherein the software behavior information is information for identifying abnormal behaviors existing in software operation according to a preset behavior set by a terminal; classifying the software behavior information, and distributing the software behavior information to a detection end according to a classification result, so that the detection end detects the running state of the software behavior according to the software behavior information, and determines a detection result; if a detection result fed back by the detection end is received, feeding back the detection result to the terminal so that the terminal processes the software behavior according to the detection result, wherein the detection result is a management mode of the software behavior detection fed back to the service end after the detection of the detection end; and the terminal receives a detection result and processes the software behavior according to the detection result, wherein the detection result is a management mode of the software behavior detection fed back to the server after the detection of the detection end. 
Compared with the existing management of software behavior detection, namely, the management of manual examination of each computer is respectively carried out to detect whether the software behavior is abnormal or not, the embodiment of the invention carries out preliminary detection on the software behavior by using the preset behavior set through the terminal, if the running state of the behavior cannot be determined, the software behavior is sent to the server side, the server side manages the uploaded software behavior information and distributes the software behavior information to the detection sides corresponding to different classifications for detection, the automatic detection on the abnormal software behavior is realized, the software behavior is distributed and detected according to the unified standard, the scheduling on the unknown software behavior detection is completed, and the management efficiency on the software behavior detection is improved.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a management method for software behavior detection according to an embodiment of the present invention;
FIG. 2 is a flow chart of another management method for software behavior detection according to an embodiment of the present invention;
FIG. 3 is a flow chart of another management method for software behavior detection according to an embodiment of the present invention;
FIG. 4 is a flow chart of a method for managing software behavior detection according to another embodiment of the present invention;
FIG. 5 is a block diagram of an apparatus of a server according to an embodiment of the present invention;
FIG. 6 is a block diagram of another server according to an embodiment of the present invention;
FIG. 7 is a block diagram of a terminal device according to an embodiment of the present invention;
FIG. 8 is a block diagram of another terminal apparatus provided in an embodiment of the present invention;
FIG. 9 is a schematic diagram of a computer device according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of a computer device according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram illustrating a management system for detecting software behavior according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides a management method for software behavior detection, as shown in fig. 1, the method includes:
101. and receiving the software behavior information to be detected.
The software behavior information is information that a terminal identifies that an abnormal behavior exists in software operation according to a preset behavior set, that is, the information includes process class information, file class information, and feature class information, where the process class information includes a process chain, a process path, a process context, a process calling relationship, and the like, the file class information includes a file chain and a file attribute, the file attribute includes a file name, a file size, and executable file PE structure information, that is, whether the information is a PE file, and the feature class information includes action information, window information, and the like.
It should be noted that the current server may correspond to a plurality of terminals, and each terminal may identify whether the software behavior information is abnormal according to its own preset behavior set, but in the embodiment of the present invention, a behavior standard that can determine whether the software behavior is legal or dangerous is stored in the preset behavior set, and if the software behavior is not legal or dangerous according to the preset behavior set, it indicates that the software behavior is abnormal, and further processing is required by the server, so that each terminal may upload the software behavior information corresponding to the abnormal behavior to the server for processing, and the server receives the software behavior information to be detected. In addition, the software in the embodiment of the invention is application program software suitable for different application platforms, and the corresponding purpose can be executed by running the software.
102. And classifying the software behavior information, and distributing the software behavior information to a detection end according to a classification result.
In order to facilitate management of different types of software behavior information, and so that the detection end can detect the running state of the software behavior according to the software behavior information and determine the detection result, the received software behavior information needs to be classified. The classification manner may include a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type, a driver monitoring type, and the like, and embodiments of the present invention are not particularly limited in this respect. In addition, in order to facilitate detection by operators, the classified software behavior information is issued to different detection ends according to the terminals used by different operators, so that the operators can perform targeted detection.
It should be noted that after receiving the distributed software behavior information, each detection end may select manual review, or may select non-manual automatic review according to a preset detection rule, and determines the detection result according to the detected running state of the software behavior. The running state includes legal running and dangerous running, and the detection result includes interception and release. In manual review, the software behavior information is displayed at the detection end and the detection result input by an operator is received. In automatic review, a decision criterion that can be recognized in the software behavior information is selected according to the preset detection rule, for example whether the window size is smaller than 2 x 2 pixels: if so, the running state of the software behavior information is determined to be dangerous running and the detection result is interception; if the window size is larger than 2 x 2 pixels, the running state of the software behavior information is determined to be legal running and the detection result is release.
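The following is an added illustration of the detection-end review described above; it is not code from the patent or its assignees. It models a detection end that applies a preset detection rule (the 2 x 2 pixel window criterion from the text) automatically and leaves everything the rule cannot decide for manual review. The record layout (`BehaviorInfo`), the rule names and the sample records are assumptions made for this example; in particular, a window of exactly 2 x 2 pixels, or a record with no window at all, is not covered by the text and is deliberately left undecided rather than guessed.

```python
"""Detection-end review of distributed software behavior information.

Added illustration (not the patent's code). A detection end receives
classified behavior records from the server and either applies a preset
detection rule automatically or leaves the record for manual review.
Record layout, rule names and sample data are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Running states and detection results named in the description.
LEGAL, DANGEROUS = "legal running", "dangerous running"
RELEASE, INTERCEPT = "release", "intercept"


@dataclass
class BehaviorInfo:
    """One piece of software behavior information (constructed layout)."""
    behavior_id: str
    process_path: str
    window_size: Optional[Tuple[int, int]] = None  # (width, height) in pixels, if any
    extra: dict = field(default_factory=dict)


@dataclass
class Verdict:
    behavior_id: str
    running_state: Optional[str]      # None: no rule and no operator decided
    detection_result: Optional[str]
    rule: Optional[str]               # which rule (or "manual") decided


# A preset detection rule returns (running_state, detection_result) or None.
Rule = Callable[[BehaviorInfo], Optional[Tuple[str, str]]]


def window_size_rule(info: BehaviorInfo) -> Optional[Tuple[str, str]]:
    """The example rule from the description: a window smaller than 2 x 2 px is
    dangerous (intercept); a window larger than 2 x 2 px is legal (release).
    Exactly 2 x 2, mixed dimensions, or no window: undecided (manual review)."""
    if info.window_size is None:
        return None
    w, h = info.window_size
    if w < 2 and h < 2:
        return DANGEROUS, INTERCEPT
    if w > 2 and h > 2:
        return LEGAL, RELEASE
    return None


PRESET_RULES: List[Tuple[str, Rule]] = [("window_size", window_size_rule)]


def automatic_review(info: BehaviorInfo, rules=PRESET_RULES) -> Verdict:
    """Apply the preset detection rules in order; the first decisive rule wins."""
    for name, rule in rules:
        outcome = rule(info)
        if outcome is not None:
            return Verdict(info.behavior_id, outcome[0], outcome[1], name)
    return Verdict(info.behavior_id, None, None, None)


def review_batch(records, manual_decision=None):
    """Review a batch as a detection end would: automatic where a rule decides,
    otherwise ask the operator (manual_decision callback) or leave it pending.
    Returns (decided, pending) lists of Verdicts."""
    decided, pending = [], []
    for info in records:
        v = automatic_review(info)
        if v.running_state is None and manual_decision is not None:
            outcome = manual_decision(info)
            if outcome is not None:
                v = Verdict(info.behavior_id, outcome[0], outcome[1], "manual")
        (decided if v.running_state is not None else pending).append(v)
    return decided, pending


# Constructed sample batch: one hidden window, one normal window, one record
# without a window, and one exactly at the 2 x 2 boundary.
SAMPLE_BATCH = [
    BehaviorInfo("b1", r"C:\Users\u\AppData\Local\Temp\upd.exe", window_size=(1, 1)),
    BehaviorInfo("b2", r"C:\Program Files\Editor\editor.exe", window_size=(800, 600)),
    BehaviorInfo("b3", r"C:\Windows\System32\svchost.exe", window_size=None),
    BehaviorInfo("b4", r"D:\tools\tray.exe", window_size=(2, 2)),
]

if __name__ == "__main__":
    done, left = review_batch(SAMPLE_BATCH)
    for v in done:
        print(v.behavior_id, v.running_state, v.detection_result, "via", v.rule)
    print("pending manual review:", [v.behavior_id for v in left])
```

The boundary case matters for a reviewer: a rule written as "smaller than" and "larger than" says nothing about equality, so the code routes such records to the operator instead of silently releasing them.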
103. And if the detection result fed back by the detection end is received, feeding back the detection result to the terminal.
For the embodiment of the invention, after the detection result is obtained by the detection end, the detection end feeds back the detection result to the service end, so that the service end feeds back the detection result to the terminal after receiving the detection result, and the terminal processes the software behavior according to the detection result.
The invention provides a management method for software behavior detection, which comprises the steps of firstly receiving software behavior information to be detected, wherein the software behavior information is information for identifying abnormal behaviors existing in software operation according to a preset behavior set by a terminal; classifying the software behavior information, and distributing the software behavior information to a detection end according to a classification result, so that the detection end detects the running state of the software behavior according to the software behavior information, and determines a detection result; and if a detection result fed back by the detection end is received, feeding back the detection result to the terminal so that the terminal processes the software behavior according to the detection result, wherein the detection result is a management mode of the software behavior detection fed back to the server end after the detection of the detection end. Compared with the existing management of software behavior detection, namely, the management of manual examination of each computer is respectively carried out to detect whether the software behavior is abnormal or not, the embodiment of the invention carries out preliminary detection on the software behavior by using the preset behavior set through the terminal, if the running state of the behavior cannot be determined, the software behavior is sent to the server side, the server side manages the uploaded software behavior information and distributes the software behavior information to the detection sides corresponding to different classifications for detection, the automatic detection on the abnormal software behavior is realized, the software behavior is distributed and detected according to the unified standard, and the management efficiency of the software behavior detection is improved.
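The exchange between terminal and server described in steps 101 to 103, as an added example that is not part of the patent or its assignees' code. It also covers the terminal-side steps stated earlier in the disclosure: checking each behavior against the preset behavior set, uploading only behaviors whose running state cannot be determined, sending detection result query requests at a preset interval, and folding a now-determined running state back into the preset behavior set. The detection end is simulated by a single call that feeds a result back to the server. Message shapes, the hashed behavior key and the sample behaviors are assumptions for this example.

```python
"""Terminal/server exchange for software behaviors not covered by the preset set.

Added illustration, not the patent's code. Message shapes and the behavior key
are assumptions for this example.
"""
import hashlib
import json

LEGAL, DANGEROUS = "legal running", "dangerous running"
RELEASE, INTERCEPT = "release", "intercept"


def behavior_key(info: dict) -> str:
    """Stable key for a behavior: hash of process path and action (assumed fields)."""
    raw = json.dumps({"path": info["process_path"], "action": info["action"]}, sort_keys=True)
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


class Server:
    def __init__(self):
        self.pending = {}   # key -> behavior info waiting for a detection end
        self.storage = {}   # "preset storage position": key -> recorded result

    def receive_behavior_info(self, info: dict) -> str:
        """Step 101: accept uploaded behavior info (deduplicated by key)."""
        key = behavior_key(info)
        if key not in self.storage and key not in self.pending:
            self.pending[key] = info
        return key

    def receive_detection_result(self, key, running_state, detection_result):
        """Step 103: result fed back by a detection end is recorded with its info."""
        info = self.pending.pop(key)
        self.storage[key] = {"info": info, "running_state": running_state,
                             "detection_result": detection_result}

    def handle_query(self, key):
        """Answer a detection result query request only if a result is stored."""
        rec = self.storage.get(key)
        return None if rec is None else (rec["running_state"], rec["detection_result"])


class Terminal:
    def __init__(self, terminal_id: str, preset: dict):
        self.terminal_id = terminal_id
        self.preset = dict(preset)   # key -> running state already determined
        self.awaiting = {}           # key -> info uploaded, result not yet received
        self.actions = []            # (process_path, detection_result) applied locally

    def identify(self, info):
        return self.preset.get(behavior_key(info))

    def observe(self, info, server: Server):
        """Identify against the preset set; upload when identification fails."""
        state = self.identify(info)
        if state is not None:
            self.process(info, INTERCEPT if state == DANGEROUS else RELEASE)
            return state
        key = server.receive_behavior_info({**info, "terminal_id": self.terminal_id})
        self.awaiting[key] = info
        return None

    def process(self, info, detection_result):
        self.actions.append((info["process_path"], detection_result))

    def poll(self, server: Server):
        """Query request for each awaited behavior (run every preset interval)."""
        for key in list(self.awaiting):
            ans = server.handle_query(key)
            if ans is None:
                continue
            state, result = ans
            info = self.awaiting.pop(key)
            self.preset[key] = state     # state is now determined: extend preset set
            self.process(info, result)


def run_scenario() -> dict:
    """Constructed walk-through: two behaviors already in the preset set and one
    unknown behavior, which the (simulated) detection end marks dangerous."""
    known_good = {"process_path": "C:\\Program Files\\Editor\\editor.exe", "action": "write_file"}
    known_bad = {"process_path": "C:\\Temp\\drop.exe", "action": "create_service"}
    unknown = {"process_path": "C:\\Temp\\upd.exe", "action": "open_socket"}
    preset = {behavior_key(known_good): LEGAL, behavior_key(known_bad): DANGEROUS}
    server, term = Server(), Terminal("host-01", preset)
    term.observe(known_good, server)
    term.observe(known_bad, server)
    term.observe(unknown, server)            # not in preset set -> uploaded
    term.poll(server)                        # nothing stored yet
    first_poll_pending = len(term.awaiting)
    server.receive_detection_result(behavior_key(unknown), DANGEROUS, INTERCEPT)
    term.poll(server)                        # result arrives, preset set grows
    return {"first_poll_pending": first_poll_pending, "actions": term.actions,
            "preset_size": len(term.preset), "server_pending": len(server.pending),
            "second_observe": term.observe(unknown, server)}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The second `observe` of the same unknown behavior at the end of the scenario is the point of the preset-set update: after one round trip the terminal decides locally and uploads nothing.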
An embodiment of the present invention provides another management method for software behavior detection, as shown in fig. 2, where the method includes:
201. and receiving the software behavior information to be detected.
This step is the same as step 101 shown in fig. 1, and is not described herein again.
202. And classifying the software behavior information according to the behavior monitoring type.
The behavior monitoring type includes a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type and a driver monitoring type. For example, where the software behavior information includes process information, file information and feature information, the process information is divided into the process monitoring type, the file information is divided into the file monitoring type, and the feature information is divided into the network monitoring type, the registry monitoring type or the driver monitoring type according to the specific information content in the feature information. By dividing according to the behavior monitoring type, the detection efficiency of the detection end is further improved and the detection standard is unified.
203. Calculate the number of devices at the detection end, and determine the distribution mode of the detection end corresponding to that number of devices according to a preset distribution rule.
The preset distribution rule is a correspondence between the number of devices, the identity information of the terminal and the behavior monitoring type. To calculate the number of devices at the detection end, the current server may send a detection invitation to every detection end capable of performing detection and, when feedback is received, record information such as the device number fed back so that the devices can be counted; the number of detection ends capable of performing detection may also be entered manually. The identity information may be the IP segment of the terminal or a device number uniquely identifying the terminal, and is carried in the software behavior information when the terminal sends it to the server; the embodiment of the present invention does not limit its form.
It should be noted that the number of devices may be greater than the number of items of software behavior information to be detected, or less than or equal to it. When the number of devices is greater, the software behavior information of each type may be randomly allocated to the detection ends corresponding to that monitoring type; when the number of devices is less than or equal to the number of items, the software behavior information is sorted by identity information and the sorted items are allocated cyclically (round-robin) to the detection ends corresponding to their behavior monitoring type.
For example, the number of detection ends run by the operator is calculated to be 20: 6 detection ends for the process monitoring type, 10 for the file monitoring type and 4 for the network monitoring type. There are 10 items of software behavior information to be detected, of which 5 belong to the process monitoring type, 2 to the file monitoring type and 3 to the network monitoring type. The 5 process monitoring items can then be randomly distributed over the 6 detection ends for the process monitoring type, and the other types are handled in the same way.
In the embodiment of the present invention, step 203 may be further refined as: calculating the number of devices at the detection end, dividing the detection ends corresponding to that number by behavior monitoring type, matching the divided detection ends with the identity information, and taking the correspondence obtained after matching as the distribution mode of the detection end.
For example, the number of devices at the detection end is 10, divided by behavior monitoring type into 2 process monitoring detection ends, 2 file monitoring detection ends, 4 network monitoring detection ends and 2 registry monitoring detection ends. The software behavior information to be detected comprises 10 process chains with identities 001-010, which are sorted and then allocated cyclically to the 2 process monitoring detection ends; 20 files with identity marks starting from 020- are sorted and then allocated to the 2 file monitoring detection ends; and 10 items of window information with identity marks 040-050 are sorted and then allocated to the 2 network monitoring detection ends.
204. Distribute the classified software behavior information to the detection ends according to the distribution mode.
205. If a detection result fed back by the detection end is received, feed the detection result back to the terminal.
This step is the same as step 103 shown in fig. 1 and is not described again here.
It should be noted that the detection result fed back to the current server may carry the device number of the detection end that performed the detection, so that when the detection of a piece of software behavior information has to be traced back, the detection end that actually detected it can be identified, which improves the efficiency and the diversity of detection.
206. Record the detection result, and store the correspondence between the detection result and the software behavior information in a preset storage location.
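The classification and distribution procedure of steps 202-204, written out as an added example (not the patent's own code). The data model is constructed: each item carries the terminal identity and one of the three kinds the text names, feature information is refined into network, registry or driver by the keys present in its content, and the size comparison that picks the distribution mode is applied per monitoring type.

```python
"""Server-side classification and allocation of uploaded software behavior
information (steps 202-204).  Added illustration, not the patent's code.

Assumed, constructed data model: each item carries the terminal identity and one
of the three kinds the text names (process, file, feature); feature information is
refined into network / registry / driver by the keys present in its content.
The size comparison that picks the distribution mode is applied per monitoring type.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

PROCESS, FILE, NETWORK, REGISTRY, DRIVER = "process", "file", "network", "registry", "driver"


@dataclass(frozen=True)
class BehaviorInfo:
    identity: str    # terminal identity carried in the upload (IP segment or device number)
    kind: str        # "process", "file" or "feature"
    content: tuple   # (key, value) pairs of the reported details, kept hashable


@dataclass(frozen=True)
class DetectionEnd:
    device_number: str      # recorded when the detection end answers the invitation
    monitoring_type: str


def classify(info: BehaviorInfo) -> str:
    """Step 202: map one item to its behavior monitoring type."""
    if info.kind == "process":
        return PROCESS
    if info.kind == "file":
        return FILE
    if info.kind == "feature":
        keys = {k for k, _ in info.content}
        # Assumed content keys that refine feature information into its type.
        if "remote_addr" in keys:
            return NETWORK
        if "registry_key" in keys:
            return REGISTRY
        if "driver_name" in keys:
            return DRIVER
    raise ValueError(f"cannot classify behavior information: {info!r}")


def allocate(infos: List[BehaviorInfo], ends: List[DetectionEnd],
             rng: Optional[random.Random] = None) -> Dict[str, List[BehaviorInfo]]:
    """Steps 203-204: choose the distribution mode per type and apply it.

    More detection ends than items of a type: random, each item to a distinct end.
    Otherwise: sort the items by terminal identity and deal them out round-robin.
    Returns {device_number: [items allocated to that detection end]}.
    """
    rng = rng or random.Random()
    items_by_type: Dict[str, List[BehaviorInfo]] = defaultdict(list)
    for info in infos:
        items_by_type[classify(info)].append(info)
    ends_by_type: Dict[str, List[DetectionEnd]] = defaultdict(list)
    for end in ends:
        ends_by_type[end.monitoring_type].append(end)

    assignments: Dict[str, List[BehaviorInfo]] = {end.device_number: [] for end in ends}
    for mtype, items in items_by_type.items():
        pool = ends_by_type.get(mtype)
        if not pool:
            raise LookupError(f"no detection end registered for the {mtype} monitoring type")
        if len(pool) > len(items):
            for end, info in zip(rng.sample(pool, len(items)), items):
                assignments[end.device_number].append(info)
        else:
            for i, info in enumerate(sorted(items, key=lambda x: x.identity)):
                assignments[pool[i % len(pool)].device_number].append(info)
    return assignments


def example_round_robin() -> Dict[str, List[BehaviorInfo]]:
    """Constructed scenario after the text: 10 detection ends (2 process, 2 file,
    4 network, 2 registry), 10 process chains with identities 001-010 and 10
    network items with identities 040-049; both types exceed their pools."""
    ends = ([DetectionEnd(f"P{i}", PROCESS) for i in range(2)]
            + [DetectionEnd(f"F{i}", FILE) for i in range(2)]
            + [DetectionEnd(f"N{i}", NETWORK) for i in range(4)]
            + [DetectionEnd(f"R{i}", REGISTRY) for i in range(2)])
    infos = [BehaviorInfo(f"{n:03d}", "process", (("image", f"proc{n}.exe"),))
             for n in range(1, 11)]
    infos += [BehaviorInfo(f"{n:03d}", "feature", (("remote_addr", f"10.0.0.{n}"),))
              for n in range(40, 50)]
    random.Random(1).shuffle(infos)   # arrival order must not matter: allocation follows identity
    return allocate(infos, ends, rng=random.Random(1))


def example_random() -> Dict[str, List[BehaviorInfo]]:
    """Constructed scenario after the text: 6 process detection ends for 5 process
    items, so the items are spread randomly over distinct ends."""
    ends = [DetectionEnd(f"P{i}", PROCESS) for i in range(6)]
    infos = [BehaviorInfo(f"{n:03d}", "process", (("image", f"proc{n}.exe"),))
             for n in range(1, 6)]
    return allocate(infos, ends, rng=random.Random(7))
```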
In the embodiment of the present invention, so that the detection result of a piece of software behavior information can be determined directly the next time the same information is received, which raises detection efficiency, removes detection steps and improves the efficiency with which the server manages received software behavior information, the detection result fed back for each item of software behavior information is recorded and the correspondence between the result and that item is stored in the preset storage location. The preset storage location may be local storage or cloud storage; the embodiment of the present invention is not limited in this respect.
Further, the embodiment of the present invention also includes: receiving a detection result query request at a preset time interval and, if a detection result corresponding to the software behavior information exists in the preset storage location, extracting it from the preset storage location and feeding it back to the terminal, where the detection result query request carries the software behavior information to be queried.
In the embodiment of the invention, to make the terminal's acquisition of the detection result more efficient, the detection result query request sent by the terminal can be received at the preset time interval, so that when a detection result corresponding to the software behavior information already exists in the preset storage location it is extracted and fed back to the terminal directly, which speeds up the terminal's acquisition of the result. When no detection result exists in the preset storage location, the detection end is still producing it, and the terminal has to keep waiting until the server receives the detection result fed back by the detection end.
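Steps 205-206 and the detection result query request, as an added example rather than the patent's code. Assumptions: the stored result is keyed by the behavior information content alone, so the terminal identity carried in the upload does not prevent a second terminal from reusing the result; the result carries the device number of the detection end for backtracking; the verdicts are "release" and "intercept".

```python
"""Server-side result recording and terminal query handling (steps 205-206 and
the detection result query request).  Added illustration, not the patent's code.

Assumptions: the result is keyed by the behavior information content alone (the
terminal identity is not part of the key, so another terminal reporting the same
behavior reuses the stored result); results are "release" or "intercept".
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

RELEASE, INTERCEPT = "release", "intercept"


@dataclass(frozen=True)
class DetectionResult:
    verdict: str           # "release" or "intercept" (management mode of the behavior)
    detector_device: str   # device number of the detection end, kept for backtracking


def behavior_key(info: dict) -> str:
    """Stable key for one item of software behavior information.  The terminal
    identity travels with the upload but is deliberately excluded from the key."""
    content = {k: v for k, v in info.items() if k != "identity"}
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ResultStore:
    """Preset storage location: a local dict here; a cloud store would do equally."""

    def __init__(self) -> None:
        self._results: Dict[str, DetectionResult] = {}
        self.dispatched: List[dict] = []   # items handed to a detection end (no stored result)

    def receive(self, info: dict) -> Optional[DetectionResult]:
        """Receive an upload with the step 206 shortcut: answer known behavior
        information from the store, otherwise dispatch it for detection."""
        cached = self._results.get(behavior_key(info))
        if cached is None:
            self.dispatched.append(info)
        return cached

    def record(self, info: dict, verdict: str, detector_device: str) -> DetectionResult:
        """Step 206: store the result together with the detection end that produced it."""
        if verdict not in (RELEASE, INTERCEPT):
            raise ValueError(f"unknown verdict {verdict!r}")
        result = DetectionResult(verdict, detector_device)
        self._results[behavior_key(info)] = result
        return result

    def query(self, info: dict) -> Optional[DetectionResult]:
        """Answer a detection result query request; None means 'still being detected'."""
        return self._results.get(behavior_key(info))


def poll_for_result(store: ResultStore, info: dict, interval: float, max_attempts: int,
                    sleep: Callable[[float], None]) -> Optional[DetectionResult]:
    """Terminal side: repeat the query request at the preset interval until a result
    exists or the attempt budget is used up.  The sleep function is injected so the
    loop can run instantly under test (pass time.sleep in real use)."""
    for attempt in range(max_attempts):
        result = store.query(info)
        if result is not None:
            return result
        if attempt + 1 < max_attempts:
            sleep(interval)
    return None


def example_round_trip() -> dict:
    """Constructed walk-through: two terminals upload the same gray behavior; the
    first is dispatched, its result is recorded, the second is answered from the store."""
    store = ResultStore()
    upload_a = {"identity": "10.1.0.0/16", "kind": "process",
                "image": "updater.exe", "parent": "explorer.exe"}
    upload_b = dict(upload_a, identity="DEV-0042")        # same behavior, other terminal
    first = store.receive(upload_a)                        # None: dispatched to a detection end
    pending = poll_for_result(store, upload_a, 0.0, 2, sleep=lambda s: None)
    store.record(upload_a, INTERCEPT, detector_device="DET-07")
    second = store.receive(upload_b)                       # served from the store, not dispatched
    return {"first": first, "pending": pending, "second": second,
            "dispatched": len(store.dispatched)}
```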
The invention provides another management method for software behavior detection. Compared with existing management of software behavior detection, in which whether software behaviors are abnormal is determined by manually examining and verifying each computer, the embodiment of the invention performs a preliminary detection of software behaviors at the terminal using a preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classifications for detection. Abnormal software behaviors are thus detected automatically, software behaviors are distributed and detected according to a unified standard, and the management efficiency of software behavior detection is improved.
An embodiment of the present invention provides another management method for software behavior detection, as shown in fig. 3, where the method includes:
301. Acquire software behaviors of running software, and identify the operation state of the software behaviors according to a preset behavior set.
A software behavior is a specific action generated while software runs, such as running a process or reading a file. The operation state is either legal operation or dangerous operation. The preset behavior set contains behavior standards by which a software behavior can be judged legal or dangerous; that is, the software behavior is compared with the software behaviors in the preset behavior set to determine whether it is legal operation or dangerous operation.
302. If the operation state cannot be identified, upload the software behavior information of the software behavior to the server.
In the embodiment of the invention, an abnormal behavior is a software behavior that the preset behavior set can identify as neither legal nor dangerous operation, that is, under the behavior standards in the preset behavior set it is neither black nor white. When the terminal applies the behavior standards of the preset behavior set and cannot determine whether a software behavior is legal or dangerous, its software behavior information has to be uploaded to the server and detected through the server.
It should be noted that, so that the software behavior information uploaded by the terminal can be identified accurately, the software behavior information carries the identity information of the terminal, so that when a detection result query request is sent the detection result can be obtained accurately.
303. Receive the detection result, and process the software behavior according to the detection result.
The detection result is the management mode of software behavior detection that the detection end feeds back to the server after detection; the management mode is either a release operation or an interception operation on the software behavior, and the embodiment of the invention is not limited in this respect.
In the embodiment of the invention, a plurality of terminals send their software behavior information to one server, so that the server can manage them uniformly, which improves the accuracy and efficiency of software behavior information detection.
The invention provides a management method for software behavior detection: first, software behaviors of running software are acquired and their operation state is identified according to a preset behavior set; if the operation state cannot be identified, the software behavior information of the software behavior, i.e. the behavior information corresponding to the abnormal behavior identified according to the preset behavior set, is uploaded to the server; and a detection result is received and the software behavior is processed according to it, the detection result being the management mode of software behavior detection fed back to the server by the detection end after detection. Compared with existing management of software behavior detection, in which whether software behaviors are abnormal is determined by manually examining and verifying each computer, the embodiment of the invention performs a preliminary detection of software behaviors at the terminal using the preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classifications for detection. Abnormal software behaviors are thus detected automatically, software behaviors are distributed and detected according to a unified standard, and the management efficiency of software behavior detection is improved.
An embodiment of the present invention provides another management method for software behavior detection, as shown in fig. 4, where the method includes:
401. Determine the running state of a software behavior according to the software behavior of the running software.
In the embodiment of the invention, so that software behaviors of dangerous operation and of legal operation can be separated accurately, an operation state is defined for each software behavior of software that has been run, and the operation state is either dangerous operation or legal operation. The definition of a software behavior can be obtained by running a given piece of software on different platforms and collecting its behavior characteristics for statistics: the behaviors are counted in the five types of file, process, network, registry and driver, and the behaviors counted per type are divided by their commonalities into definite behavior characteristics of dangerous operation and of legal operation, i.e. black behavior and white behavior. If a behavior characteristic matches neither the dangerous nor the legal behavior characteristics, the behavior is defined as gray behavior; the embodiment of the present invention is not limited in this respect.
402. Update the software behaviors whose running state can be determined into the preset behavior set.
In the embodiment of the invention, to improve the accuracy of determining the operation state of software behaviors and to avoid the operation states recorded in the preset behavior set becoming outdated, the preset behavior set must be updated in time so that the operation state of every software behavior can be identified against it.
It should be noted that the software behaviors stored in the preset behavior set are obtained by running software in batches and collecting commonality statistics over the five types of file, process, network, registry and driver; they are behaviors whose black or white characteristics are clearly distinguishable.
403. Acquire software behaviors of running software, and identify the operation state of the software behaviors according to the preset behavior set.
This step is the same as step 301 shown in fig. 3 and is not described again here.
404. If the operation state cannot be identified, upload the software behavior information of the software behavior to the server.
This step is the same as step 302 shown in fig. 3 and is not described again here.
405. Receive the detection result, and process the software behavior according to the detection result.
This step is the same as step 303 shown in fig. 3 and is not described again here.
Further, so that a detection result fed back late by the server, or not fed back at all because of unavoidable factors, does not leave the terminal without a result, the embodiment of the present invention also includes: sending a detection result query request, where the detection result query request carries the software behavior information to be queried.
The invention provides a management method for software behavior detection, in contrast to the existing management of software behavior detection, in which whether software behaviors are abnormal is determined by manually examining and verifying each computer.
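How the terminal's preset behavior set of steps 401-403 can be built from run statistics and then applied, as an added example that is not the patent's code. The commonality criterion is an assumption: a feature seen in every run of known-dangerous software and in no run of known-legal software is black, the mirror case is white, and everything else stays gray and is left out of the set.

```python
"""Building and applying the terminal's preset behavior set (steps 401-403).
Added illustration, not the patent's code.

Assumed commonality criterion: a behavior feature observed in every run of
known-dangerous software and in no run of known-legal software is a black
feature; the mirror case is white; everything else stays gray and is not stored.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

TYPES = ("file", "process", "network", "registry", "driver")
DANGEROUS, LEGAL, UNKNOWN = "dangerous", "legal", "unknown"

# (monitoring type, normalised feature), e.g. ("registry", "run_key_write")
Feature = Tuple[str, str]


@dataclass
class ObservedRun:
    label: str                   # known verdict of the run: "dangerous" or "legal"
    features: FrozenSet[Feature]


@dataclass
class PresetBehaviorSet:
    black: Set[Feature] = field(default_factory=set)
    white: Set[Feature] = field(default_factory=set)

    def identify(self, features: Iterable[Feature]) -> str:
        """Step 403: any black feature -> dangerous; all features white -> legal;
        anything the set cannot explain -> unknown (gray), to be uploaded."""
        feats = set(features)
        if feats & self.black:
            return DANGEROUS
        if feats and feats <= self.white:
            return LEGAL
        return UNKNOWN

    def update(self, black: Iterable[Feature], white: Iterable[Feature]) -> None:
        """Step 402: merge newly determined features; a feature cannot be both."""
        black, white = set(black), set(white)
        conflict = (black & self.white) | (white & self.black) | (black & white)
        if conflict:
            raise ValueError(f"features with contradictory states: {sorted(conflict)}")
        self.black |= black
        self.white |= white


def derive_states(runs: List[ObservedRun]) -> Tuple[Set[Feature], Set[Feature]]:
    """Step 401: statistics over runs on different platforms, five monitoring types."""
    for run in runs:
        bad = {f for f in run.features if f[0] not in TYPES}
        if bad:
            raise ValueError(f"unknown monitoring type in {sorted(bad)}")
    danger = [frozenset(r.features) for r in runs if r.label == DANGEROUS]
    legal = [frozenset(r.features) for r in runs if r.label == LEGAL]
    if not danger or not legal:
        raise ValueError("need both dangerous and legal runs to split black from white")
    seen_danger = frozenset().union(*danger)
    seen_legal = frozenset().union(*legal)
    black = frozenset.intersection(*danger) - seen_legal
    white = frozenset.intersection(*legal) - seen_danger
    return set(black), set(white)


def example_identification() -> Dict[str, str]:
    """Constructed runs: a batch of dangerous and legal software observed on two platforms."""
    runs = [
        ObservedRun(DANGEROUS, frozenset({("process", "inject_remote_thread"),
                                          ("registry", "run_key_write"), ("file", "write_temp")})),
        ObservedRun(DANGEROUS, frozenset({("process", "inject_remote_thread"),
                                          ("registry", "run_key_write"), ("network", "connect_raw_ip")})),
        ObservedRun(LEGAL, frozenset({("file", "write_temp"), ("network", "connect_443"),
                                      ("file", "read_config")})),
        ObservedRun(LEGAL, frozenset({("file", "read_config"), ("network", "connect_443")})),
    ]
    preset = PresetBehaviorSet()
    preset.update(*derive_states(runs))
    # write_temp appeared under both labels, so it stays gray and is in neither set.
    return {
        "known_bad": preset.identify([("registry", "run_key_write"), ("network", "connect_443")]),
        "known_good": preset.identify([("file", "read_config"), ("network", "connect_443")]),
        "gray": preset.identify([("file", "write_temp"), ("driver", "load_unsigned")]),
    }
```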
Further, as an implementation of the method shown in fig. 1, an embodiment of the present invention provides a server which, as shown in fig. 5, comprises a receiving unit 51, a classifying unit 52 and a feedback unit 53.
The receiving unit 51 is configured to receive software behavior information to be detected, where the software behavior information is information that a terminal identifies that an abnormal behavior exists in software running according to a preset behavior set;
the classification unit 52 is configured to classify the software behavior information and allocate the software behavior information to a detection end according to a classification result, so that the detection end detects an operating state of a software behavior according to the software behavior information and determines a detection result;
and the feedback unit 53 is configured to feed a detection result fed back by the detection end, when one is received, back to the terminal so that the terminal processes the software behavior according to it, where the detection result is the management mode of software behavior detection fed back to the server after detection by the detection end.
The invention provides a server which first receives software behavior information to be detected, the software behavior information being information in which a terminal, according to a preset behavior set, has identified an abnormal behavior in running software; classifies the software behavior information and distributes it to a detection end according to the classification result, so that the detection end detects the running state of the software behavior from the software behavior information and determines a detection result; and, if a detection result fed back by the detection end is received, feeds it back to the terminal so that the terminal processes the software behavior according to it, the detection result being the management mode of software behavior detection fed back to the server by the detection end after detection. Compared with existing management of software behavior detection, in which whether software behaviors are abnormal is determined by manually examining and verifying each computer, the embodiment of the invention performs a preliminary detection of software behaviors at the terminal using the preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classifications for detection. Abnormal software behaviors are thus detected automatically, software behaviors are distributed and detected according to a unified standard, and the management efficiency of software behavior detection is improved.
Further, as an implementation of the method shown in fig. 2, an embodiment of the present invention provides another server which, as shown in fig. 6, comprises a receiving unit 61, a classifying unit 62, a feedback unit 63, a recording unit 64 and an extracting unit 65.
The receiving unit 61 is configured to receive software behavior information to be detected, where the software behavior information is information that a terminal identifies that abnormal behavior exists in software operation according to a preset behavior set;
the classification unit 62 is configured to classify the software behavior information and allocate the software behavior information to a detection end according to a classification result, so that the detection end detects an operating state of a software behavior according to the software behavior information and determines a detection result;
and the feedback unit 63 is configured to feed a detection result fed back by the detection end, when one is received, back to the terminal so that the terminal processes the software behavior according to it, where the detection result is the management mode of software behavior detection fed back to the server after detection by the detection end.
Further, the classification unit 62 includes:
a classification module 6201, configured to classify the software behavior information according to a behavior monitoring type, where the behavior monitoring type includes a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type, and a driver monitoring type;
a calculating module 6202, configured to calculate the number of devices at the detection end, and determine, according to a preset allocation rule, an allocation manner of the detection end corresponding to the number of devices, where the preset allocation rule is a correspondence between the number of devices and the identity information of the terminal and the behavior monitoring type;
an allocating module 6203, configured to allocate the classified software behavior information to the detecting end according to the allocation manner.
Further, the calculating module 6202 is specifically configured to calculate the number of devices of the detection end, perform type division on the detection end corresponding to the number of devices according to the behavior monitoring type, match the divided detection end with the identity information, and determine a corresponding relationship after matching as an allocation manner of the detection end.
Further, the server further includes:
the recording unit 64 is configured to record the detection result and store the correspondence between the detection result and the software behavior information in a preset storage location.
Further, the server further includes:
the extracting unit 65 is configured to receive a detection result query request according to a preset time interval, and if a detection result corresponding to the software behavior information exists in the preset storage location, extract the detection result from the preset storage location and feed the detection result back to the terminal, where the detection result query request carries the software behavior information to be queried.
The invention provides another server. Compared with existing management of software behavior detection, in which whether software behaviors are abnormal is determined by manually examining and verifying each computer, the embodiment of the invention performs a preliminary detection of software behaviors at the terminal using the preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classifications for detection. Abnormal software behaviors are thus detected automatically, software behaviors are distributed and detected according to a unified standard, and the management efficiency of software behavior detection is improved.
Further, as an implementation of the method shown in fig. 3, an embodiment of the present invention provides a terminal which, as shown in fig. 7, comprises an acquisition unit 71, an upload unit 72 and a receiving unit 73.
The acquiring unit 71 is configured to acquire a software behavior of software operation, and identify an operation state of the software behavior according to a preset behavior set;
the uploading unit 72 is configured to upload software behavior information of the software behavior to a server if the operation state cannot be identified, where the software behavior information is behavior information corresponding to an abnormal behavior identified according to the preset behavior set;
and the receiving unit 73 is configured to receive a detection result, and process the software behavior according to the detection result, where the detection result is a management manner of software behavior detection fed back to the server after detection by the detection end.
The invention provides a terminal which first acquires software behaviors of running software and identifies their operation state according to a preset behavior set; if the operation state cannot be identified, uploads the software behavior information of the software behavior, i.e. the behavior information corresponding to the abnormal behavior identified according to the preset behavior set, to the server; and receives a detection result and processes the software behavior according to it, the detection result being the management mode of software behavior detection fed back to the server by the detection end after detection. Compared with existing management of software behavior detection, in which whether software behaviors are abnormal is determined by manually examining and verifying each computer, the embodiment of the invention performs a preliminary detection of software behaviors at the terminal using the preset behavior set; if the running state of a behavior cannot be determined, the behavior is sent to the server, and the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classifications for detection. Abnormal software behaviors are thus detected automatically, software behaviors are distributed and detected according to a unified standard, and the management efficiency of software behavior detection is improved.
Further, as an implementation of the method shown in fig. 4, an embodiment of the present invention provides another terminal which, as shown in fig. 8, comprises an acquisition unit 81, an upload unit 82, a receiving unit 83, a determining unit 84, an updating unit 85 and a sending unit 86.
The acquiring unit 81 is configured to acquire a software behavior of software operation, and identify an operation state of the software behavior according to a preset behavior set;
the uploading unit 82 is configured to upload software behavior information of the software behavior to a server if the operation state cannot be identified, where the software behavior information is behavior information corresponding to an abnormal behavior identified according to the preset behavior set;
and the receiving unit 83 is configured to receive a detection result, and process the software behavior according to the detection result, where the detection result is a management manner of software behavior detection fed back to the server after detection by the detection end.
Further, the terminal further includes:
a determining unit 84, configured to determine, according to the software behavior of the executed software, an operation state of the software behavior, where the operation state includes a dangerous operation and a legal operation;
an updating unit 85, configured to update the software behaviors of which the operating states can be determined to the preset behavior set, so that the operating states of all the software behaviors are identified according to the preset behavior set.
Further, the terminal further includes:
the sending unit 86 is configured to send a detection result query request, where the detection result query request carries software behavior information to be queried.
The invention provides a terminal, in contrast to the existing management of software behavior detection, in which whether software behaviors are abnormal is determined by manually examining and verifying each computer.
According to an embodiment of the present invention, a storage medium is provided in which at least one executable instruction is stored, and the computer-executable instruction can execute the management method for software behavior detection of any of the above method embodiments.
Fig. 9 is a schematic structural diagram of a computer device according to an embodiment of the present invention; the specific embodiment of the present invention does not limit the specific implementation of the computer device.
As shown in fig. 9, the computer device may include a processor 902, a communication interface 904, a memory 906 and a communication bus 908.
The processor 902, the communication interface 904 and the memory 906 communicate with one another via the communication bus 908.
The communication interface 904 is used for communicating with network elements of other devices, such as clients or other servers.
The processor 902 is configured to execute the program 910, and may specifically perform the relevant steps of the above embodiments of the management method for software behavior detection.
In particular, the program 910 may include program code that includes computer operating instructions.
The processor 902 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the invention. The computer device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 906 is used for storing the program 910. The memory 906 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 910 may specifically be configured to cause the processor 902 to perform the following operations:
receiving software behavior information to be detected, wherein the software behavior information is information for identifying abnormal behaviors existing in software operation according to a preset behavior set by a terminal;
classifying the software behavior information, and distributing the software behavior information to a detection end according to a classification result, so that the detection end detects the running state of the software behavior according to the software behavior information, and determines a detection result;
and if a detection result fed back by the detection end is received, feeding the detection result back to the terminal so that the terminal processes the software behavior according to it, where the detection result is the management mode of software behavior detection fed back to the server after detection by the detection end.
According to an embodiment of the present invention, a storage medium is provided in which at least one executable instruction is stored, and the computer-executable instruction can execute the management method for software behavior detection of any of the above method embodiments.
Fig. 10 is a schematic structural diagram of a computer device according to an embodiment of the present invention; the specific embodiment of the present invention does not limit the specific implementation of the computer device.
As shown in fig. 10, the computer device may include a processor 1002, a communication interface 1004, a memory 1006 and a communication bus 1008.
The processor 1002, the communication interface 1004 and the memory 1006 communicate with one another via the communication bus 1008.
The communication interface 1004 is used for communicating with network elements of other devices, such as clients or other servers.
The processor 1002 is configured to execute the program 1010, and may specifically perform the relevant steps of the above embodiments of the management method for software behavior detection.
In particular, the program 1010 may include program code that includes computer operating instructions.
The processor 1002 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The computer device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 1006 is used for storing the program 1010. The memory 1006 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 1010 may be specifically configured to cause the processor 1002 to perform the following operations:
acquiring software behaviors of software operation, and identifying the operation state of the software behaviors according to a preset behavior set;
if the operation state cannot be identified, uploading the software behavior information of the software behavior to the server, where the software behavior information is the behavior information corresponding to the abnormal behavior identified according to the preset behavior set;
and receiving a detection result, and processing the software behavior according to the detection result, wherein the detection result is a management mode of the software behavior detection fed back to the server after the detection of the detection end.
An embodiment of the present invention provides a management system for software behavior detection which, as shown in fig. 11, includes a server 1101 and a terminal 1102, where:
the terminal 1102 is configured to acquire software behaviors of running software and to identify the operation state of each software behavior according to a preset behavior set;
the terminal 1102 is further configured to upload software behavior information of the software behavior to the server if identification of the operation state fails, the software behavior information being the behavior information corresponding to the abnormal behavior identified according to the preset behavior set;
the server 1101 is configured to receive software behavior information to be detected, the software behavior information being the information by which the terminal identified, according to the preset behavior set, that abnormal behavior exists in the running software;
the server 1101 is further configured to classify the software behavior information and to distribute it to a detection end according to the classification result, so that the detection end detects the operation state of the software behavior from the software behavior information and determines a detection result;
the server 1101 is further configured, on receiving a detection result fed back by the detection end, to feed the detection result back to the terminal so that the terminal processes the software behavior according to it, the detection result being the management decision for the software behavior detection that the detection end feeds back to the server after its detection;
the terminal 1102 is further configured to receive the detection result and to process the software behavior according to it.
In the management system for software behavior detection provided by the invention, the terminal first acquires software behaviors of running software and identifies the operation state of each according to a preset behavior set; if identification fails, it uploads the software behavior information of that behavior, i.e. the behavior information corresponding to the abnormal behavior identified against the preset behavior set, to the server. The server receives the software behavior information to be detected, classifies it, and distributes it to a detection end according to the classification result, so that the detection end detects the operation state of the software behavior and determines a detection result. When the server receives a detection result fed back by the detection end, it feeds the result back to the terminal, and the terminal processes the software behavior accordingly; the detection result is the management decision for the software behavior detection that the detection end feeds back to the server after its detection.
Compared with the existing management of software behavior detection, in which each computer is examined manually to decide whether a software behavior is abnormal, this embodiment has the terminal perform a preliminary check of each software behavior against the preset behavior set and send only behaviors whose operation state it cannot determine to the server; the server manages the uploaded software behavior information and distributes it to the detection ends corresponding to the different classifications for detection. Abnormal software behaviors are thus detected automatically, distributed and checked against a uniform standard, and the management efficiency of software behavior detection is improved.
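The terminal-side loop summarized above (identify each behavior against the preset behavior set, upload only what cannot be identified, apply the detection result when it arrives, and fold a behavior whose state has been determined back into the set, as the later items B7 and D15 describe) is shown here as an added example written for this page; it is not code from the patent or from the assignee's products. The `Behavior` record layout, the string rule keys, the `allow`/`block` actions and the sample behavior set are assumptions made for the example.

```python
"""Terminal-side triage of software behaviors against a preset behavior set.

Added illustration for this page; it is not code from the patent or from the
assignee's products. The behavior record layout, the rule keys, the sample
behavior set and the allow/block actions are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEGAL = "legal"          # operation state: legal running
DANGEROUS = "dangerous"  # operation state: dangerous running
UNKNOWN = "unknown"      # identification failed -> upload to the server


@dataclass(frozen=True)
class Behavior:
    """One observed software behavior; `kind` is the behavior monitoring type."""
    kind: str     # process | file | network | registry | driver
    subject: str  # image path, file path, remote endpoint, registry key, driver
    action: str   # create, write, connect, set_value, load, ...

    def key(self) -> str:
        return f"{self.kind}:{self.action}:{self.subject}"


class PresetBehaviorSet:
    """The behavior standard: maps a behavior key to LEGAL or DANGEROUS.
    A behavior absent from the set cannot be identified locally."""

    def __init__(self, rules: Dict[str, str]):
        bad = {s for s in rules.values() if s not in (LEGAL, DANGEROUS)}
        if bad:
            raise ValueError(f"behavior set may only hold legal/dangerous, got {bad}")
        self._rules = dict(rules)

    def identify(self, b: Behavior) -> str:
        return self._rules.get(b.key(), UNKNOWN)

    def update(self, b: Behavior, state: str) -> None:
        """Fold a behavior whose state has been determined back into the set,
        so the next occurrence is decided on the terminal without an upload."""
        if state not in (LEGAL, DANGEROUS):
            raise ValueError("only a determined state can be stored")
        self._rules[b.key()] = state


@dataclass
class Terminal:
    terminal_id: str                     # identity information sent with uploads
    behavior_set: PresetBehaviorSet
    pending: Dict[str, Behavior] = field(default_factory=dict)
    actions: List[str] = field(default_factory=list)

    def handle(self, b: Behavior) -> str:
        """Identify the operation state; queue the behavior for upload if that fails."""
        state = self.behavior_set.identify(b)
        if state == UNKNOWN:
            self.pending[b.key()] = b
        else:
            self.process(b, state)
        return state

    def upload_batch(self) -> List[dict]:
        """Software behavior information for the server: one record per
        behavior whose operation state could not be identified."""
        return [{"terminal_id": self.terminal_id, "kind": b.kind,
                 "action": b.action, "subject": b.subject, "key": k}
                for k, b in self.pending.items()]

    def receive_result(self, key: str, state: str) -> str:
        """Apply the detection result relayed by the server and learn from it."""
        b = self.pending.pop(key)
        self.behavior_set.update(b, state)
        return self.process(b, state)

    def process(self, b: Behavior, state: str) -> str:
        action = "block" if state == DANGEROUS else "allow"
        self.actions.append(f"{action} {b.key()}")
        return action


# Constructed sample data: a tiny behavior set and three observed behaviors.
SAMPLE_RULES = {
    "process:create:C:\\Windows\\System32\\svchost.exe": LEGAL,
    "file:write:C:\\Windows\\System32\\drivers\\etc\\hosts": DANGEROUS,
}
SAMPLE_BEHAVIORS = [
    Behavior("process", "C:\\Windows\\System32\\svchost.exe", "create"),
    Behavior("file", "C:\\Windows\\System32\\drivers\\etc\\hosts", "write"),
    Behavior("network", "203.0.113.5:4444", "connect"),  # not in the set
]


def demo() -> Tuple[List[str], List[dict], str, str]:
    """Run the terminal loop once; the 'dangerous' verdict stands in for the
    detection end's result relayed by the server."""
    t = Terminal("host-17", PresetBehaviorSet(SAMPLE_RULES))
    states = [t.handle(b) for b in SAMPLE_BEHAVIORS]
    uploads = t.upload_batch()
    action = t.receive_result(uploads[0]["key"], DANGEROUS)
    repeat = t.handle(SAMPLE_BEHAVIORS[2])  # now identified locally
    return states, uploads, action, repeat


if __name__ == "__main__":
    print(demo())
```

Keeping the unidentified behaviors in `pending` under the same key the server echoes back is what lets the terminal match a returned result to the behavior it uploaded. The page leaves a behavior unhandled until the detection end answers, so in practice one would also bound the size of `pending` and how long an entry may wait, and would only accept a determined state into the set, as `update` does, since anything stored there decides future behaviors without a second look.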
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the management method and apparatus for software behavior detection according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may take the form of one or more signals. Such a signal may be downloaded from an internet website, provided on a carrier signal, or supplied in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names.
Embodiments of the invention also include the following:
A1. A management method for software behavior detection, comprising:
receiving software behavior information to be detected, the software behavior information being the information by which a terminal identified, according to a preset behavior set, that abnormal behavior exists in running software;
classifying the software behavior information and distributing it to a detection end according to the classification result, so that the detection end detects the operation state of the software behavior from the software behavior information and determines a detection result;
and, if a detection result fed back by the detection end is received, feeding the detection result back to the terminal so that the terminal processes the software behavior according to it, the detection result being the management decision for the software behavior detection that the detection end feeds back to the server after its detection.
A2. The method according to A1, wherein classifying the software behavior information and distributing it to a detection end according to the classification result comprises:
classifying the software behavior information according to behavior monitoring type, the behavior monitoring types comprising a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type and a driver monitoring type;
calculating the number of detection-end devices and determining, according to a preset distribution rule, the distribution mode of the detection ends corresponding to that number of devices, the preset distribution rule being the correspondence between the number of devices, the identity information of the terminal and the behavior monitoring type;
and distributing the classified software behavior information to the detection ends according to the distribution mode.
A3. The method according to A2, wherein calculating the number of detection-end devices and determining, according to a preset distribution rule, the distribution mode of the detection ends corresponding to that number of devices comprises:
calculating the number of detection-end devices, dividing the detection ends corresponding to that number by behavior monitoring type, matching the divided detection ends with the identity information, and taking the correspondence obtained by the matching as the distribution mode of the detection ends.
A4. The method according to A1 or A2, wherein, if a detection result fed back by the detection end is received, the method further comprises:
recording the detection result and storing the correspondence between the detection result and the software behavior information at a preset storage location.
A5. The method according to A4, further comprising:
receiving detection result query requests at a preset time interval, each query request carrying the software behavior information to be queried, and, if a detection result corresponding to that software behavior information exists at the preset storage location, extracting it from the preset storage location and feeding it back to the terminal.
B6. A management method for software behavior detection, comprising:
acquiring software behaviors of running software and identifying the operation state of each software behavior according to a preset behavior set;
if identification of the operation state fails, uploading software behavior information of the software behavior to a server, the software behavior information being the behavior information corresponding to the abnormal behavior identified according to the preset behavior set;
and receiving a detection result and processing the software behavior according to it, the detection result being the management decision for the software behavior detection that the detection end feeds back to the server after its detection.
B7. The method according to B6, wherein, before acquiring the software behaviors of running software and identifying their operation state according to the preset behavior set, the method further comprises:
determining the operation state of a software behavior from the software behavior of the running software, the operation state comprising dangerous running and legal running;
and updating the software behaviors whose operation state could be determined into the preset behavior set, so that the operation state of every software behavior is identified according to the preset behavior set.
B8. The method according to B7, wherein, before receiving the detection result and processing the software behavior according to it, the method further comprises:
sending a detection result query request carrying the software behavior information to be queried.
C9. A server, comprising:
a receiving unit, configured to receive software behavior information to be detected, the software behavior information being the information by which a terminal identified, according to a preset behavior set, that abnormal behavior exists in running software;
a classification unit, configured to classify the software behavior information and distribute it to a detection end according to the classification result, so that the detection end detects the operation state of the software behavior from the software behavior information and determines a detection result;
and a feedback unit, configured, if a detection result fed back by the detection end is received, to feed the detection result back to the terminal so that the terminal processes the software behavior according to it, the detection result being the management decision for the software behavior detection that the detection end feeds back to the server after its detection.
C10. The server according to C9, wherein the classification unit comprises:
a classification module, configured to classify the software behavior information according to behavior monitoring type, the behavior monitoring types comprising a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type and a driver monitoring type;
a calculation module, configured to calculate the number of detection-end devices and determine, according to a preset distribution rule, the distribution mode of the detection ends corresponding to that number of devices, the preset distribution rule being the correspondence between the number of devices, the identity information of the terminal and the behavior monitoring type;
and a distribution module, configured to distribute the classified software behavior information to the detection ends according to the distribution mode.
C11. The server according to C10, wherein
the calculation module is specifically configured to calculate the number of detection-end devices, divide the detection ends corresponding to that number by behavior monitoring type, match the divided detection ends with the identity information, and take the correspondence obtained by the matching as the distribution mode of the detection ends.
C12. The server according to C9 or C10, further comprising:
a recording unit, configured to record the detection result and store the correspondence between the detection result and the software behavior information at a preset storage location.
C13. The server according to C12, further comprising:
an extraction unit, configured to receive detection result query requests at a preset time interval, each query request carrying the software behavior information to be queried, and, if a detection result corresponding to that software behavior information exists at the preset storage location, to extract it from the preset storage location and feed it back to the terminal.
D14. A terminal, comprising:
an acquisition unit, configured to acquire software behaviors of running software and identify the operation state of each software behavior according to a preset behavior set;
an uploading unit, configured, if identification of the operation state fails, to upload software behavior information of the software behavior to a server, the software behavior information being the behavior information corresponding to the abnormal behavior identified according to the preset behavior set;
and a receiving unit, configured to receive a detection result and process the software behavior according to it, the detection result being the management decision for the software behavior detection that the detection end feeds back to the server after its detection.
D15. The terminal according to D14, further comprising:
a determining unit, configured to determine the operation state of a software behavior from the software behavior of the running software, the operation state comprising dangerous running and legal running;
and an updating unit, configured to update the software behaviors whose operation state could be determined into the preset behavior set, so that the operation state of every software behavior is identified according to the preset behavior set.
D16. The terminal according to D15, further comprising:
a sending unit, configured to send a detection result query request carrying the software behavior information to be queried.
E17. A storage medium storing at least one executable instruction which causes a processor to perform the operations corresponding to the management method for software behavior detection according to any one of A1 to A5.
F18. A computer device, comprising a processor, a memory, a communications interface and a communications bus, the processor, the memory and the communications interface communicating with one another over the communications bus;
the memory storing at least one executable instruction which causes the processor to perform the operations corresponding to the management method for software behavior detection according to any one of A1 to A5.
G19. A storage medium storing at least one executable instruction which causes a processor to perform the operations corresponding to the management method for software behavior detection according to any one of B6 to B8.
H20. A computer device, comprising a processor, a memory, a communications interface and a communications bus, the processor, the memory and the communications interface communicating with one another over the communications bus;
the memory storing at least one executable instruction which causes the processor to perform the operations corresponding to the management method for software behavior detection according to any one of B6 to B8.
I21. A management system for software behavior detection, comprising the server according to any one of C9 to C13 and the terminal according to any one of D14 to D16.
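The server-side steps enumerated in A1 to A5 and C9 to C13 (classification by behavior monitoring type, a distribution mode derived from the number of detection-end devices and the terminal's identity information, recording of detection results at a storage location, and answering the terminal's periodic query) are worked through below in an added example written for this page; it is not the patent's or the assignee's code. The page does not specify the actual distribution rule, so the table `PRESET_DISTRIBUTION_RULE`, the detection-end names, the byte-sum selection by terminal identity and the sample uploads are all assumptions made for illustration.

```python
"""Server-side management: classify uploaded software behavior information by
behavior monitoring type, derive the distribution mode from the number of
detection-end devices, dispatch, record results and answer query requests.

Added illustration for this page; it is not the patent's or the assignee's
code. The preset distribution rule table, the detection-end identifiers, the
terminal-identity selection and the sample uploads are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MONITORING_TYPES = ("process", "file", "network", "registry", "driver")

# Assumed preset distribution rule: for a given number of detection-end
# devices, the monitoring types each device slot takes. When the count has no
# entry the largest smaller entry applies and surplus devices repeat the slot
# pattern, so several ends may share one type.
PRESET_DISTRIBUTION_RULE: Dict[int, List[Tuple[str, ...]]] = {
    1: [MONITORING_TYPES],
    2: [("process", "file", "registry"), ("network", "driver")],
    3: [("process", "registry"), ("file", "driver"), ("network",)],
    5: [("process",), ("file",), ("network",), ("registry",), ("driver",)],
}


def classify(info: dict) -> str:
    """Classification step: the behavior monitoring type of one record."""
    kind = info.get("kind")
    if kind not in MONITORING_TYPES:
        raise ValueError(f"unknown behavior monitoring type: {kind!r}")
    return kind


def distribution_mode(detection_ends: List[str]) -> Dict[str, List[str]]:
    """Calculate the device count and map each monitoring type to the
    detection ends that handle it according to the preset rule."""
    count = len(detection_ends)
    if count == 0:
        raise ValueError("no detection end available")
    size = max(k for k in PRESET_DISTRIBUTION_RULE if k <= count)
    slots = PRESET_DISTRIBUTION_RULE[size]
    mode: Dict[str, List[str]] = defaultdict(list)
    for i, end in enumerate(detection_ends):
        for kind in slots[i % len(slots)]:
            mode[kind].append(end)
    return dict(mode)


def choose_end(mode: Dict[str, List[str]], kind: str, terminal_id: str) -> str:
    """Match the terminal's identity information to one of the ends serving
    `kind`. A byte sum is used rather than hash(), which is salted per process."""
    ends = mode[kind]
    return ends[sum(terminal_id.encode()) % len(ends)]


class Server:
    def __init__(self, detection_ends: List[str]):
        self.mode = distribution_mode(detection_ends)
        self.queues: Dict[str, List[str]] = defaultdict(list)
        self.results: Dict[str, str] = {}  # the preset storage location

    def dispatch(self, uploads: List[dict]) -> Dict[str, List[str]]:
        """Classify each record and queue its key at the chosen detection end."""
        for info in uploads:
            end = choose_end(self.mode, classify(info), info["terminal_id"])
            self.queues[end].append(info["key"])
        return dict(self.queues)

    def record_result(self, key: str, result: str) -> None:
        """Store the detection result fed back by a detection end."""
        if result not in ("legal", "dangerous"):
            raise ValueError(f"detection end returned no usable state: {result!r}")
        self.results[key] = result

    def handle_query(self, key: str) -> Optional[str]:
        """Answer a terminal's periodic query; None means not yet detected."""
        return self.results.get(key)


# Constructed sample uploads from two terminals.
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"
SAMPLE_UPLOADS = [
    {"terminal_id": "host-17", "kind": "network", "action": "connect",
     "subject": "203.0.113.5:4444", "key": "network:connect:203.0.113.5:4444"},
    {"terminal_id": "host-17", "kind": "registry", "action": "set_value",
     "subject": RUN_KEY, "key": "registry:set_value:" + RUN_KEY},
    {"terminal_id": "host-42", "kind": "driver", "action": "load",
     "subject": "mydrv.sys", "key": "driver:load:mydrv.sys"},
]


if __name__ == "__main__":
    srv = Server(["det-a", "det-b"])
    print(srv.dispatch(SAMPLE_UPLOADS))
    srv.record_result("driver:load:mydrv.sys", "dangerous")
    print(srv.handle_query("driver:load:mydrv.sys"))
```

Recomputing the mode from the device count, as A3 describes, means that adding or removing a detection end changes the whole assignment at once rather than one type at a time; within a mode the same terminal and monitoring type always land on the same end, so repeated uploads of one behavior are judged by one standard. `record_result` refuses anything other than a determined state because, per B7, the terminal writes whatever comes back into its preset behavior set and will decide future behaviors from it without further review.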

Claims (19)

1. A management method for software behavior detection, characterized by comprising:
receiving software behavior information to be detected, the software behavior information being the information by which a terminal identified, according to a preset behavior set, that abnormal behavior exists in running software, and the preset behavior set comprising a behavior standard for judging whether the software behavior information is legal behavior or dangerous behavior;
classifying the software behavior information and distributing it to a detection end according to the classification result, so that the detection end detects the operation state of the software behavior from the software behavior information and determines a detection result, the detection end being determined after classifying the software behavior information by behavior monitoring type and determining a distribution mode according to the number of devices;
if a detection result fed back by the detection end is received, feeding the detection result back to the terminal so that the terminal processes the software behavior according to it, the detection result being the management decision for the software behavior detection that the detection end feeds back to the server after its detection;
wherein classifying the software behavior information and distributing it to the detection end according to the classification result comprises:
classifying the software behavior information according to behavior monitoring type, the behavior monitoring types comprising a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type and a driver monitoring type;
calculating the number of detection-end devices and determining, according to a preset distribution rule, the distribution mode of the detection ends corresponding to that number of devices, the preset distribution rule being the correspondence between the number of devices, the identity information of the terminal and the behavior monitoring type;
and distributing the classified software behavior information to the detection ends according to the distribution mode.
2. The method according to claim 1, wherein calculating the number of detection-end devices and determining, according to a preset distribution rule, the distribution mode of the detection ends corresponding to that number of devices comprises:
calculating the number of detection-end devices, dividing the detection ends corresponding to that number by behavior monitoring type, matching the divided detection ends with the identity information, and taking the correspondence obtained by the matching as the distribution mode of the detection ends.
3. The method according to claim 1, wherein, after feeding the detection result back to the terminal when a detection result fed back by the detection end is received, the method further comprises:
recording the detection result and storing the correspondence between the detection result and the software behavior information at a preset storage location.
4. The method according to claim 3, further comprising:
receiving detection result query requests at a preset time interval, each query request carrying the software behavior information to be queried, and, if a detection result corresponding to that software behavior information exists at the preset storage location, extracting it from the preset storage location and feeding it back to the terminal.
5. A management method for software behavior detection, characterized by comprising:
acquiring software behaviors of running software and identifying the operation state of each software behavior according to a preset behavior set, the operation state comprising dangerous running and legal running;
if identification of the operation state fails, uploading software behavior information of the software behavior to a server, the software behavior information being the behavior information corresponding to the abnormal behavior identified according to the preset behavior set, and the preset behavior set comprising a behavior standard for judging whether the software behavior information is legal behavior or dangerous behavior, so that the server classifies the software behavior information and distributes it to a detection end according to the classification result;
receiving a detection result and processing the software behavior according to it, the detection result being the management decision for the software behavior detection that the detection end feeds back to the server after its detection;
wherein classifying the software behavior information and distributing it to the detection end according to the classification result comprises:
classifying the software behavior information according to behavior monitoring type, the behavior monitoring types comprising a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type and a driver monitoring type;
calculating the number of detection-end devices and determining, according to a preset distribution rule, the distribution mode of the detection ends corresponding to that number of devices, the preset distribution rule being the correspondence between the number of devices, the identity information of the terminal and the behavior monitoring type;
and distributing the classified software behavior information to the detection ends according to the distribution mode.
6. The method according to claim 5, wherein, before acquiring the software behaviors of running software and identifying their operation state according to the preset behavior set, the method further comprises:
determining the operation state of a software behavior from the software behavior of the running software;
and updating the software behaviors whose operation state could be determined into the preset behavior set, so that the operation state of every software behavior is identified according to the preset behavior set.
7. The method according to claim 6, wherein, before receiving the detection result and processing the software behavior according to it, the method further comprises:
sending a detection result query request carrying the software behavior information to be queried.
8. A server, comprising:
a receiving unit, configured to receive software behavior information to be detected, the software behavior information being the information by which a terminal identified, according to a preset behavior set, that abnormal behavior exists in running software, and the preset behavior set comprising a behavior standard for judging whether the software behavior information is legal behavior or dangerous behavior;
a classification unit, configured to classify the software behavior information and distribute it to a detection end according to the classification result, so that the detection end detects the operation state of the software behavior from the software behavior information and determines a detection result, the detection end being determined after classifying the software behavior information by behavior monitoring type and determining a distribution mode according to the number of devices;
a feedback unit, configured, if a detection result fed back by the detection end is received, to feed the detection result back to the terminal so that the terminal processes the software behavior according to it, the detection result being the management decision for the software behavior detection that the detection end feeds back to the server after its detection;
wherein the classification unit comprises:
a classification module, configured to classify the software behavior information according to behavior monitoring type, the behavior monitoring types comprising a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type and a driver monitoring type;
a calculation module, configured to calculate the number of detection-end devices and determine, according to a preset distribution rule, the distribution mode of the detection ends corresponding to that number of devices, the preset distribution rule being the correspondence between the number of devices, the identity information of the terminal and the behavior monitoring type;
and a distribution module, configured to distribute the classified software behavior information to the detection ends according to the distribution mode.
9. The server according to claim 8, wherein
the calculation module is specifically configured to calculate the number of detection-end devices, divide the detection ends corresponding to that number by behavior monitoring type, match the divided detection ends with the identity information, and take the correspondence obtained by the matching as the distribution mode of the detection ends.
10. The server according to claim 9, further comprising:
a recording unit, configured to record the detection result and store the correspondence between the detection result and the software behavior information at a preset storage location.
11. The server according to claim 10, further comprising:
an extraction unit, configured to receive detection result query requests at a preset time interval, each query request carrying the software behavior information to be queried, and, if a detection result corresponding to that software behavior information exists at the preset storage location, to extract it from the preset storage location and feed it back to the terminal.
12. A terminal, comprising:
an acquisition unit, configured to acquire software behaviors of running software and identify the operation states of the software behaviors according to a preset behavior set, wherein the operation states comprise dangerous operation and legal operation;
an uploading unit, configured to upload software behavior information of the software behavior to a server if identification of the operation state fails, wherein the software behavior information is the behavior information corresponding to the abnormal behavior identified according to the preset behavior set, and the preset behavior set comprises a behavior standard for judging whether the software behavior information is legal behavior or dangerous behavior, so that the server classifies the software behavior information and distributes it to a detection end according to the classification result;
and a receiving unit, configured to receive a detection result and process the software behavior according to the detection result, wherein the detection result is the management mode for the software behavior that the detection end feeds back to the server after detection;
wherein the classification unit of the server comprises:
a classification module, configured to classify the software behavior information according to behavior monitoring types, wherein the behavior monitoring types comprise a process monitoring type, a file monitoring type, a network monitoring type, a registry monitoring type and a driver monitoring type;
a calculation module, configured to calculate the number of devices at the detection end and to determine, according to a preset distribution rule, the distribution mode of the detection end corresponding to that number of devices, wherein the preset distribution rule is the correspondence between the number of devices, the identity identification information of the terminal and the behavior monitoring type;
and a distribution module, configured to distribute the classified software behavior information to the detection end according to the distribution mode.
13. The terminal of claim 12, further comprising:
a determining unit, configured to determine the running state of a software behavior from the software behavior of the running software;
and an updating unit, configured to add the software behaviors whose running states have been determined to the preset behavior set, so that the running states of all software behaviors are identified according to the preset behavior set.
14. The terminal of claim 13, further comprising:
a sending unit, configured to send a detection result query request, wherein the detection result query request carries the software behavior information to be queried.
15. A storage medium having stored therein at least one executable instruction that causes a processor to perform the operations corresponding to the management method for software behavior detection as claimed in any one of claims 1 to 4.
16. A computer device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
and the memory is configured to store at least one executable instruction that causes the processor to perform the operations corresponding to the management method for software behavior detection as claimed in any one of claims 1 to 4.
17. A storage medium having stored therein at least one executable instruction that causes a processor to perform the operations corresponding to the management method for software behavior detection as claimed in any one of claims 5 to 7.
18. A computer device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
and the memory is configured to store at least one executable instruction that causes the processor to perform the operations corresponding to the management method for software behavior detection as claimed in any one of claims 5 to 7.
19. A management system for software behavior detection, comprising: the server according to any one of claims 8 to 11 and the terminal according to any one of claims 12 to 14.
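The terminal/server flow of claims 8 to 14 (identify a behavior against a preset set, upload what cannot be identified, classify by monitoring type, route to a detection device, record and query the verdict, then learn it locally), as an added Python example. This is not code from the patent or from the applicant's products: the SHA-256 fingerprint of a behavior, the round-robin division of detector devices by monitoring type, the hashing of the terminal id to choose a device, and the names Behavior, Terminal, Server and run_demo are all my own assumptions about one way the claims could be realised.

```python
"""Toy model of the claims 8-14 flow (added example; not the patent's own code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Behavior monitoring types listed in claims 8 and 12.
MONITOR_TYPES = ("process", "file", "network", "registry", "driver")
LEGAL, DANGEROUS = "legal", "dangerous"


@dataclass(frozen=True)
class Behavior:
    """One observed software behavior (constructed, simplified record)."""
    monitor_type: str   # one of MONITOR_TYPES
    subject: str        # acting image, e.g. "updater.exe"
    action: str         # e.g. "write:HKCU\\...\\Run" or "connect:203.0.113.7:443"

    def key(self) -> str:
        # Stable fingerprint used to store and query results (assumption, not in the claims).
        raw = f"{self.monitor_type}|{self.subject}|{self.action}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


@dataclass
class Terminal:
    """Terminal side (claims 12-14): identify against the preset set, upload unknowns."""
    terminal_id: str
    preset: dict[str, str] = field(default_factory=dict)  # behavior key -> LEGAL/DANGEROUS

    def identify(self, b: Behavior) -> str | None:
        # Operation state from the preset set; None means identification failed (unknown).
        return self.preset.get(b.key())

    def build_upload(self, b: Behavior) -> dict:
        # Software behavior information for the server; the terminal identity is what
        # the preset distribution rule of claim 8 keys on.
        return {"terminal_id": self.terminal_id, "behavior": b}

    def apply_result(self, b: Behavior, result: str) -> str:
        # Claim 13: fold the determined state into the preset set for next time.
        self.preset[b.key()] = result
        return result


class Server:
    """Server side (claims 8-11): classify, distribute, record, answer queries."""

    def __init__(self, detector_count: int):
        self.store: dict[str, str] = {}  # claim 10: result keyed by behavior info
        self.distribution = self.distribution_rule(detector_count)

    @staticmethod
    def classify(info: dict) -> str:
        # Claim 8: the class is the behavior monitoring type.
        t = info["behavior"].monitor_type
        if t not in MONITOR_TYPES:
            raise ValueError(f"unknown monitoring type {t!r}")
        return t

    @staticmethod
    def distribution_rule(n: int) -> dict[str, list[int]]:
        # Claim 9, in one assumed reading: hand the n detector devices to the monitoring
        # types round-robin; types left without a device fall back to device 0.
        if n < 1:
            raise ValueError("need at least one detection device")
        rule: dict[str, list[int]] = {t: [] for t in MONITOR_TYPES}
        for dev in range(n):
            rule[MONITOR_TYPES[dev % len(MONITOR_TYPES)]].append(dev)
        for devs in rule.values():
            if not devs:
                devs.append(0)
        return rule

    def distribute(self, info: dict) -> int:
        # Among the devices for this type, pick one by terminal identity so a terminal's
        # behaviors of one type always reach the same detector (assumption).
        devs = self.distribution[self.classify(info)]
        h = int(hashlib.sha256(info["terminal_id"].encode()).hexdigest(), 16)
        return devs[h % len(devs)]

    def record(self, info: dict, result: str) -> None:
        # Claim 10: persist the detection result against the behavior information.
        if result not in (LEGAL, DANGEROUS):
            raise ValueError(f"bad detection result {result!r}")
        self.store[info["behavior"].key()] = result

    def query(self, b: Behavior) -> str | None:
        # Claim 11: answer a query; None when no result is stored yet.
        return self.store.get(b.key())


def run_demo() -> dict:
    """Walk one unknown behavior through the flow (constructed sample data)."""
    b = Behavior("registry", "svchost_helper.exe",
                 r"write:HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
    term, srv = Terminal("T-0001"), Server(detector_count=3)
    first = term.identify(b)                 # None: not in the preset set
    info = term.build_upload(b)
    device = srv.distribute(info)            # registry has no own device with n=3 -> 0
    srv.record(info, DANGEROUS)              # verdict the detector would feed back (constructed)
    term.apply_result(b, srv.query(b))
    second = term.identify(b)                # now resolved locally, no round trip
    return {"first": first, "class": srv.classify(info), "device": device, "second": second}
```

Running run_demo() shows the two halves of the design: the first identify() returns None and the behavior goes to the server, while after the recorded verdict is applied the same behavior is classified on the terminal without another upload. With fewer than five detector devices the fallback in distribution_rule is the interesting edge: the types without a device of their own all share device 0, which is worth knowing when sizing the detection end.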
CN201811640645.6A 2018-12-29 2018-12-29 Management method for software behavior detection, server, terminal and system Active CN109784052B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811640645.6A CN109784052B (en) 2018-12-29 2018-12-29 Management method for software behavior detection, server, terminal and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811640645.6A CN109784052B (en) 2018-12-29 2018-12-29 Management method for software behavior detection, server, terminal and system

Publications (2)

Publication Number Publication Date
CN109784052A CN109784052A (en) 2019-05-21
CN109784052B (en) 2021-07-20

Family

ID=66499464

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811640645.6A Active CN109784052B (en) 2018-12-29 2018-12-29 Management method for software behavior detection, server, terminal and system

Country Status (1)

Country Link
CN (1) CN109784052B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113553588A (en) * 2021-07-28 2021-10-26 中国南方电网有限责任公司 Terminal software management method

Citations (2)

Publication number Priority date Publication date Assignee Title
EP3222207A1 (en) * 2016-03-23 2017-09-27 Thomson Licensing System and method for non-intrusive detection and monitoring of parkinson's disease symptoms
CN109033828A (en) * 2018-07-25 2018-12-18 山东省计算中心(国家超级计算济南中心) A kind of Trojan detecting method based on calculator memory analytical technology

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
CN105072045B (en) * 2015-08-10 2018-12-18 济南大学 A kind of wireless router with Malware network behavior ability of discovery
CN105069355B (en) * 2015-08-26 2018-09-11 厦门市美亚柏科信息股份有限公司 The static detection method and device of webshell deformations
CN107315952A (en) * 2016-04-26 2017-11-03 华为技术有限公司 Method and apparatus for determining application program suspicious actions
CN106230772A (en) * 2016-07-07 2016-12-14 国网青海省电力公司 Industry internet Deviant Behavior excavates scheme

Also Published As

Publication number Publication date
CN109784052A (en) 2019-05-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Patentee after: Qianxin Technology Group Co., Ltd

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Patentee before: Beijing Qianxin Technology Co., Ltd