CN111191239A - Process detection method and system for application program - Google Patents


Info

Publication number
CN111191239A
Authority
CN
China
Prior art keywords
behavior
observable
vector
characteristic diagram
behavior vector
Prior art date
Legal status
Granted
Application number
CN201911397865.5A
Other languages
Chinese (zh)
Other versions
CN111191239B (en)
Inventor
张文博
杨松
朱鼎成
徐秀兰
胡冰城
孙志敏
雷凯
程艳
邓晏宁
张晓光
唐先锋
Current Assignee
Huawei Technologies Co Ltd
Beijing University of Posts and Telecommunications
Original Assignee
Huawei Technologies Co Ltd
Beijing University of Posts and Telecommunications
Application filed by Huawei Technologies Co Ltd and Beijing University of Posts and Telecommunications
Priority to CN201911397865.5A
Publication of CN111191239A
Application granted
Publication of CN111191239B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G06N3/08 Learning methods


Abstract

An embodiment of the invention provides a process detection method and system for an application program. The method comprises the following steps: acquiring, according to the contents of security logs, the observable behavior vector corresponding to each process; converting the observable behavior vector into a process behavior feature map; and detecting the process behavior feature map with a trained convolutional neural network model to obtain a detection result for the process, where the trained convolutional neural network model is obtained by training on sample process behavior feature maps labelled as normal processes and sample process behavior feature maps labelled as malicious processes. The embodiment of the invention can effectively identify abnormal processes, overcomes the low accuracy with which existing manual techniques identify abnormal processes, and has good adaptability and higher robustness to different types of malicious processes.

Description

Process detection method and system for application program
Technical Field
The invention relates to the technical field of computers, in particular to a process detection method and system for an application program.
Background
In recent years, the number of malicious programs has increased exponentially, and they have become one of the key factors threatening the security of the internet. How to effectively detect and kill malicious programs has therefore become one of the problems that enterprises and network security personnel think about most. With the continuous development and improvement of artificial intelligence technology, how to apply it to malicious program detection so that a system can detect threats by itself in an unsupervised or semi-supervised way has also become one of the current demands of enterprises.
For the detection and killing of malicious programs, most existing techniques analyse the source code of the malicious program, extract the corresponding features, and then kill the malicious programs that carry those features. Mainstream malware source code detection techniques can be divided into two categories: heuristic detection methods and signature-based detection methods. Malicious code obfuscation techniques are likewise divided into two categories according to their implementation principle: anti-reversing (anti-disassembly) obfuscation, and instruction and control-flow obfuscation. Because both interfere with analysis, source code detection of malicious programs has definite limitations, and existing malicious program source code detection techniques cannot effectively detect malicious programs or their source code.
Therefore, a method and a system for detecting processes of an application are needed to solve the above problems.
Disclosure of Invention
To solve the problems in the prior art, embodiments of the present invention provide a method and a system for detecting a process of an application.
In a first aspect, an embodiment of the present invention provides a process detection method for an application program, including:
acquiring, according to the contents of security logs, the observable behavior vector corresponding to each process;
converting the observable behavior vector into a process behavior feature map;
detecting the process behavior feature map with a trained convolutional neural network model to obtain a detection result for the process, where the trained convolutional neural network model is obtained by training on sample process behavior feature maps labelled as normal processes and sample process behavior feature maps labelled as malicious processes.
Further, acquiring the observable behavior vector corresponding to the process according to the contents of the security log includes:
acquiring the behavior features of the process according to the contents of the security log;
mapping the behavior features of the process to the corresponding individual behavior vector;
and acquiring the observable behavior vector of the process from the individual behavior vectors according to the parent-child relationships between processes.
Further, mapping the behavior features of the process to the corresponding individual behavior vector includes:
dividing the behavior features of the process into basic behavior features and extended behavior features;
acquiring the individual behavior vector of the process from the basic behavior features and the extended behavior features:
IBV_i = p_i × p_i + s_i
where IBV_i represents the individual behavior vector of the i-th process, p_i represents the number of basic behavior features of the i-th process, and s_i represents the number of extended behavior features of the i-th process.
Further, after dividing the behavior features of the process into basic behavior features and extended behavior features, the method further includes:
performing a logical operation on the process behaviors belonging to the basic behavior features through a logical operator to obtain the corresponding secondary joint behavior features, so that the individual behavior vector is obtained from the secondary joint behavior features and the extended behavior features.
Further, acquiring the observable behavior vector of the process from the individual behavior vectors according to the parent-child relationships between processes includes:
constructing, according to the parent-child relationships between processes, an observable behavior vector formula from the individual behavior vectors, where if the process has no child process the observable behavior vector formula is:
OBV_i = IBV_i
and if the process has child processes the observable behavior vector formula is:
[formula image BDA0002346784560000031, not reproduced on this page]
where OBV_i represents the observable behavior vector of the i-th process, IBV_i the individual behavior vector of the i-th process, OBV_j the observable behavior vector of the j-th child process, n_i indicates that the i-th process has n_i child processes, and
[operator image BDA0002346784560000032, not reproduced on this page]
represents the logical OR operator.
Further, converting the observable behavior vector into a process behavior feature map includes:
converting the observable behavior vector into a two-dimensional logic image to obtain the process behavior feature map.
In a second aspect, an embodiment of the present invention provides a process detection system for an application program, including:
a behavior vector generation module, configured to acquire, according to the contents of security logs, the observable behavior vector corresponding to each process;
a feature map conversion module, configured to convert the observable behavior vector into a process behavior feature map;
a detection module, configured to detect the process behavior feature map with a trained convolutional neural network model to obtain a detection result for the process, where the trained convolutional neural network model is obtained by training on sample process behavior feature maps labelled as normal processes and sample process behavior feature maps labelled as malicious processes.
Further, the behavior vector generation module includes:
a behavior feature acquisition unit, configured to acquire the behavior features of the process according to the contents of the security log;
an individual behavior vector mapping unit, configured to map the behavior features of the process to the corresponding individual behavior vector;
and a processing unit, configured to acquire the observable behavior vector of the process from the individual behavior vectors according to the parent-child relationships between processes.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the steps of the method provided in the first aspect when executing the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method as provided in the first aspect.
The process detection method and system for the application program, provided by the embodiment of the invention, can effectively identify the abnormal process, make up for the defect of low accuracy rate of identifying the abnormal process through manual technology in the prior art, and have good adaptability and higher robustness to different types of malicious processes.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a process detection method for an application according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the individual behavior vector of a process according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of generating observable behavior vectors according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of converting an observable behavior vector into a process behavior feature map according to an embodiment of the present invention;
Fig. 5 is a process behavior feature map corresponding to the observable behavior vector of a process according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a process detection system for an application according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a process detection method for an application according to an embodiment of the present invention. As shown in Fig. 1, the process detection method for an application according to an embodiment of the present invention includes:
Step 101, acquiring, according to the contents of the security log, the observable behavior vector corresponding to each process;
Step 102, converting the observable behavior vector into a process behavior feature map;
Step 103, detecting the process behavior feature map with the trained convolutional neural network model to obtain the detection result of the process, where the trained convolutional neural network model is obtained by training on sample process behavior feature maps labelled as normal processes and sample process behavior feature maps labelled as malicious processes.
In the embodiment of the invention, the security log contents are obtained from a Windows system, and the behaviors of the processes of an application program are defined according to those contents, so that an observable behavior vector (OBV for short) corresponding to each process is constructed; the behavior features of malicious processes and normal processes in the computer system are represented by the observable behavior vector. The observable behavior vector is then converted into a picture, that is, the process behavior feature map, which is input into the convolutional neural network; abnormal processes in the system are identified through the recognition and detection performed by the convolutional neural network, giving the detection results for the normal and malicious processes in the system.
The process detection method for an application program provided by the embodiment of the invention can effectively identify abnormal processes, overcomes the low accuracy with which existing manual techniques identify abnormal processes, and has good adaptability and higher robustness to different types of malicious processes.
On the basis of the above embodiment, acquiring the observable behavior vector corresponding to the process according to the contents of the security log includes:
Step S1, acquiring the behavior features of the process according to the contents of the security log.
In the embodiment of the invention, the behavior of each process is defined according to the contents of the security log of the Windows system.
Step S2, mapping the behavior features of the process to the corresponding individual behavior vector.
In the embodiment of the present invention, mapping the behavior of the process to an individual behavior vector (IBV for short) specifically includes:
The behavior features of the process are divided into basic behavior features and extended behavior features. In the embodiment of the invention, p behaviors of the process are extracted from the contents of the security log of the Windows system and defined as the basic behavior features.
The individual behavior vector of the process is obtained from the basic behavior features and the extended behavior features:
IBV_i = p_i × p_i + s_i
where IBV_i represents the individual behavior vector of the i-th process, p_i the number of basic behavior features of the i-th process, and s_i the number of extended behavior features of the i-th process, with i = 1, …, m, where m is the total number of processes contained in one security log file. The p_i × p_i term counts the secondary joint behavior components formed from pairs of basic behaviors, described next; with the 16 basic behaviors used in the experiment below, this gives the 256 joint bits at the start of the vector.
Further, on the basis of the above embodiment, after dividing the behavior features of the process into basic behavior features and extended behavior features, the method further includes:
performing a logical operation on the process behaviors belonging to the basic behavior features through a logical operator to obtain the corresponding secondary joint behavior features, so that the individual behavior vector is obtained from the secondary joint behavior features and the extended behavior features.
In the embodiment of the invention, the basic behavior features are subjected to a logical operation, thereby introducing second-order nonlinear behavior information. Further, in the present embodiment, suppose x_a and x_b denote behavior types, with a and b integers; then
[formula image BDA0002346784560000061, not reproduced on this page]
represents the secondary combined behavior of behavior x_a and behavior x_b, where
[operator images BDA0002346784560000062, not reproduced on this page]
denote the "logical AND" and "logical OR" operators. Specifically, in the embodiment of the present invention, if the "logical AND" operation is used, then
[formula image BDA0002346784560000063, not reproduced on this page]
means that behavior x_a and behavior x_b occur simultaneously, while
[formula image BDA0002346784560000064, not reproduced on this page]
means that behavior x_a and behavior x_b do not occur simultaneously. When the "logical OR" operation is used,
[formula image BDA0002346784560000065, not reproduced on this page]
means that at least one of behavior x_a and behavior x_b occurs, while
[formula image BDA0002346784560000066, not reproduced on this page]
means that neither behavior x_a nor behavior x_b occurs. The secondary combined behavior features corresponding to the basic behavior features are obtained through this logical operation. Therefore, in the embodiment of the present invention, the behavior features of an individual process can be represented by an individual behavior vector, i.e. the individual behavior vector of process i is denoted IBV_i. Fig. 2 is a schematic diagram of the individual behavior vector of a process according to an embodiment of the present invention; referring to Fig. 2, each component of the individual behavior vector records whether a certain behavior occurs in the process.
Step S3, acquiring the observable behavior vector of the process from the individual behavior vectors according to the parent-child relationships between processes.
A more complex process will typically launch child processes to perform functionally simpler operations. Therefore, in the embodiment of the present invention, the behavior features of the child processes are integrated with the behavior features of the parent process, and the observable behavior vector is constructed by analysing the process tree to determine the dependencies between processes. Suppose that process i (i = 1, …, m) has n_i child processes, indexed j (j = 1, …, n_i); the individual behavior vector of process i is IBV_i and its observable behavior vector is OBV_i.
On the basis of the above embodiment, acquiring the observable behavior vector of the process from the individual behavior vectors according to the parent-child relationships between processes includes:
constructing, according to the parent-child relationships between processes, an observable behavior vector formula from the individual behavior vectors, where if the process has no child process the observable behavior vector formula is:
OBV_i = IBV_i
and if the process has child processes the observable behavior vector formula is:
[formula image BDA0002346784560000071, not reproduced on this page]
where OBV_i represents the observable behavior vector of the i-th process, IBV_i the individual behavior vector of the i-th process, OBV_j the observable behavior vector of the j-th child process, n_i indicates that the i-th process has n_i child processes, and
[operator image BDA0002346784560000072, not reproduced on this page]
represents the logical OR operator.
In the embodiment of the invention, the observable behavior vectors of all processes are obtained by a depth-first traversal of the process tree. Fig. 3 is a schematic diagram of generating observable behavior vectors according to an embodiment of the present invention. As shown in Fig. 3, process 1 has two child processes, process 2 and process 3, and process 3 has a child process 4. Assuming that the individual behavior vector of a process contains only three elements, each a logical value (if the process exhibits a certain behavior, the corresponding bit of its individual behavior vector takes the value 1), the OBV of every process can be calculated from the observable behavior vector formula. It should be noted that in the embodiment of the present invention a process generally has child processes, so its observable behavior vector differs from its individual behavior vector; the observable behavior vector gives a better view of the overall behavior of the process and allows its total behavior to be analysed from a higher level, so that a comprehensive analysis is performed according to the behavior of the process as it runs in the computer system.
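As an added illustration (not code from the patent), the following Python builds individual behavior vectors from p basic behavior flags and s extended flags and then derives observable behavior vectors by a depth-first walk of the process tree. The page's OBV formula for a process with children survives only as an image, so the code assumes, from the surrounding text and the Fig. 3 discussion, that it ORs the parent's IBV with the OBVs of all its child processes; the secondary joint features are formed pairwise with logical AND (the page allows AND or OR, selectable here). The process records and behavior flags are constructed sample data shaped like Fig. 3.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List


@dataclass
class ProcessRecord:
    """One process as reconstructed from the security log (constructed sample data)."""
    pid: int
    basic: List[int]                  # p basic behavior flags, 1 = behavior seen in the log
    extended: List[int]               # s extended behavior flags (called programs, event order, ...)
    children: List[int] = field(default_factory=list)


def individual_behavior_vector(basic: List[int], extended: List[int], op: str = "and") -> List[int]:
    """IBV_i: p_i*p_i secondary joint features followed by the s_i extended features.

    Component (a, b) of the joint block is x_a AND x_b (both behaviors occurred) or,
    with op="or", x_a OR x_b (at least one occurred), as the page defines the two operators.
    """
    if op not in ("and", "or"):
        raise ValueError("op must be 'and' or 'or'")
    p = len(basic)
    joint = [
        (basic[a] & basic[b]) if op == "and" else (basic[a] | basic[b])
        for a, b in product(range(p), repeat=2)
    ]
    return joint + list(extended)


def observable_behavior_vectors(procs: Dict[int, ProcessRecord], op: str = "and") -> Dict[int, List[int]]:
    """OBV_i = IBV_i for a leaf; otherwise IBV_i OR-ed with the OBV of every child
    (assumed reading of the page's image-only formula). Computed depth-first over the tree."""
    obv: Dict[int, List[int]] = {}

    def visit(pid: int, path: frozenset) -> List[int]:
        if pid in obv:
            return obv[pid]
        if pid in path:
            raise ValueError(f"process tree contains a cycle at pid {pid}")
        rec = procs[pid]
        vec = individual_behavior_vector(rec.basic, rec.extended, op)
        for child in rec.children:
            child_vec = visit(child, path | {pid})
            if len(child_vec) != len(vec):
                raise ValueError("all processes must share the same p and s")
            vec = [x | y for x, y in zip(vec, child_vec)]   # logical OR, bit by bit
        obv[pid] = vec
        return vec

    for pid in procs:
        visit(pid, frozenset())
    return obv


# Constructed sample tree with the shape of Fig. 3: process 1 -> {2, 3}, process 3 -> {4}.
# Three basic behaviors per process (as in the Fig. 3 discussion) plus one extended flag.
SAMPLE_TREE = {
    1: ProcessRecord(1, basic=[1, 0, 0], extended=[0], children=[2, 3]),
    2: ProcessRecord(2, basic=[0, 1, 0], extended=[0]),
    3: ProcessRecord(3, basic=[0, 0, 0], extended=[1], children=[4]),
    4: ProcessRecord(4, basic=[0, 1, 1], extended=[0]),
}


def sample_obvs() -> Dict[int, List[int]]:
    """OBVs of the constructed tree; process 1 ends up carrying the behaviors of its whole subtree."""
    return observable_behavior_vectors(SAMPLE_TREE)


if __name__ == "__main__":
    for pid, vec in sorted(sample_obvs().items()):
        print(pid, "".join(map(str, vec)))
```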
On the basis of the above embodiment, converting the observable behavior vector into a process behavior feature map includes:
converting the observable behavior vector into a two-dimensional logic image to obtain the process behavior feature map.
Fig. 4 is a schematic diagram of converting an observable behavior vector into a process behavior feature map according to an embodiment of the present invention. Referring to Fig. 4, in the embodiment of the present invention the OBV vector is rearranged into a square matrix; if the number of bits in the OBV vector is not enough to fill the square matrix, it is padded with zeros and then rearranged into the square matrix. Each cell is filled according to the value of the corresponding bit: a value of 1 is defined as white and a value of 0 as black. Finally, the generated process behavior feature map is input into the trained convolutional neural network model to obtain the process detection result.
Further, based on the process detection method for an application program provided by the embodiment of the present invention, the representation of malicious program behavior and the construction of the observable behavior vector OBV are described experimentally. In the embodiment of the present invention, 16 basic behaviors of a process are first extracted from the security log of a Windows system, as shown in Table 1:
TABLE 1
[table image BDA0002346784560000081, not reproduced on this page]
The security log also provides information about the target programs called by a process. A process usually requires various other functions depending on its functional requirements, including functions provided by the system and tools provided by the operating system, so these features can be regarded as extended behaviors. In addition, during the execution of a process the security log records a great deal of log information about it, that is, a series of event log entries generated by the same process, and the order of these events can also be regarded as an extended behavior.
Further, the observable behavior vectors OBV of the above processes are obtained. Specifically, in the embodiment of the present invention, the first 256 bits of the individual behavior vector IBV of a process represent the secondary joint behavior information; bits 257 to 3766 represent the target program information of the process's calls; bits 3767 to 4874 are reserved expandable bits, padded with 0; and bits 4875 to 5120 represent the order in which the 16 basic behaviors occur. The observable behavior vector OBV is then generated from the individual behavior vector IBV of the process, and the OBV vector is converted into the feature map of the process. Fig. 5 is a process behavior feature map corresponding to the observable behavior vector of a process provided in the embodiment of the present invention; the conversion method is as follows:
bits 1 to 256 are converted into a 16 × 16 square matrix, from which a 96 × 96 picture is generated; bits 257 to 2560 are converted into a 48 × 48 square matrix, from which a 96 × 96 picture is generated; bits 2561 to 4864 are converted into a 48 × 48 square matrix, from which a 96 × 96 picture is generated; and bits 4865 to 5120 are converted into a 16 × 16 square matrix, from which a 96 × 96 picture is generated. The four pictures are arranged in rows and combined into a picture of size 192 × 192, as shown in Fig. 5.
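As an added example (not the patent's own code), the following Python carries out the conversion just described: a 5120-bit OBV is cut into the four blocks listed above, each block is rearranged row by row into its square matrix (zero-padded if short, per the page's padding rule), 1 bits become white and 0 bits black, each matrix is enlarged to 96 × 96, and the four tiles are placed in a 2 × 2 grid to give the 192 × 192 image. Nearest-neighbour enlargement and the row-major 2 × 2 tile order are assumptions, since the page only states the sizes; the input vector is constructed sample data.

```python
import math
from typing import List, Optional

Matrix = List[List[int]]

# (start, end, side) of the four OBV blocks given on the page; 0-based, end exclusive.
OBV_BLOCKS = [(0, 256, 16), (256, 2560, 48), (2560, 4864, 48), (4864, 5120, 16)]
OBV_BITS = 5120
TILE = 96            # each block becomes a 96 x 96 picture
WHITE, BLACK = 255, 0


def to_square(bits: List[int], side: Optional[int] = None) -> Matrix:
    """Rearrange bits row by row into a side x side matrix, zero-padding the tail when the
    bit count does not fill the square (the page's padding rule)."""
    if side is None:
        side = math.ceil(math.sqrt(len(bits)))
    if side * side < len(bits):
        raise ValueError(f"{len(bits)} bits do not fit a {side}x{side} matrix")
    padded = list(bits) + [0] * (side * side - len(bits))
    return [padded[r * side:(r + 1) * side] for r in range(side)]


def enlarge(m: Matrix, size: int) -> Matrix:
    """Nearest-neighbour enlargement to size x size (assumed; the page only gives the sizes)."""
    side = len(m)
    if size % side:
        raise ValueError(f"{side} does not divide {size}")
    k = size // side
    return [[m[r // k][c // k] for c in range(size)] for r in range(size)]


def to_pixels(m: Matrix) -> Matrix:
    """1 -> white, 0 -> black, as the page defines the two-dimensional logic image."""
    return [[WHITE if v else BLACK for v in row] for row in m]


def feature_map(obv: List[int]) -> Matrix:
    """Build the 192 x 192 process behavior feature map from a 5120-bit OBV."""
    if len(obv) != OBV_BITS:
        raise ValueError(f"expected {OBV_BITS} bits, got {len(obv)}")
    tiles = [to_pixels(enlarge(to_square(obv[s:e], side), TILE)) for s, e, side in OBV_BLOCKS]
    top = [a + b for a, b in zip(tiles[0], tiles[1])]       # blocks 1 and 2 side by side
    bottom = [a + b for a, b in zip(tiles[2], tiles[3])]    # blocks 3 and 4 side by side
    return top + bottom


def to_pgm(img: Matrix) -> bytes:
    """Serialise as binary PGM (P5) so the map can be viewed or handed to an image loader."""
    h, w = len(img), len(img[0])
    return f"P5\n{w} {h}\n255\n".encode() + bytes(v for row in img for v in row)


def sample_obv() -> List[int]:
    """Constructed OBV: one joint feature, one called-program bit, one event-order bit set."""
    v = [0] * OBV_BITS
    v[0] = 1          # first secondary joint feature -> block 1, top-left cell
    v[300] = 1        # a called-program bit inside block 2
    v[4864] = 1       # first bit of block 4 (order of the basic behaviors)
    return v


if __name__ == "__main__":
    img = feature_map(sample_obv())
    with open("feature_map.pgm", "wb") as f:
        f.write(to_pgm(img))
```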
Further, the generated process behavior feature map is input into a trained convolutional neural network model, and the number of training processes and the number of testing processes of the convolutional neural network model are shown in table 2:
TABLE 2
                Normal processes   Abnormal processes
Training set    402472             20557
Test set        28010              2100
The results of testing the model are shown in Table 3:
TABLE 3
[table image BDA0002346784560000101, not reproduced on this page]
The results of evaluating the model are shown in Table 4:
TABLE 4
Index name       Calculation formula       Value
Accuracy (Acc)   (TP+FN)/(TP+TN+FP+FN)     98.89%
Precision (p)    TP/(TP+FP)                92.33%
Recall (r)       TP/(TP+FN)                93.76%
F1-score         2*(p*r)/(p+r)             0.9304
As can be seen from the data in Table 4, the process detection method for an application program provided in the embodiment of the present invention can identify normal and abnormal processes well from the behavior of the process.
Fig. 6 is a schematic structural diagram of a process detection system for an application according to an embodiment of the present invention. As shown in Fig. 6, an embodiment of the present invention provides a process detection system for an application, including a behavior vector generation module 601, a feature map conversion module 602, and a detection module 603. The behavior vector generation module 601 is configured to acquire, according to the contents of the security log, the observable behavior vector corresponding to each process; the feature map conversion module 602 is configured to convert the observable behavior vector into a process behavior feature map; the detection module 603 is configured to detect the process behavior feature map with the trained convolutional neural network model to obtain the detection result of the process, where the trained convolutional neural network model is obtained by training on sample process behavior feature maps labelled as normal processes and sample process behavior feature maps labelled as malicious processes.
In the embodiment of the present invention, the behavior vector generation module 601 obtains the security log contents from the Windows system and defines the behavior of the processes of the application according to those contents, so as to construct the observable behavior vector (OBV for short) corresponding to each process and represent the behavior features of malicious and normal processes in the computer system through the observable behavior vectors. The feature map conversion module 602 then converts the observable behavior vector into a picture, that is, the process behavior feature map, and inputs it into the convolutional neural network; the detection module 603 identifies abnormal processes in the system through the recognition and detection performed by the convolutional neural network, giving the detection results for the normal and malicious processes in the system.
The process detection system for an application program provided by the embodiment of the invention can effectively identify abnormal processes, overcomes the low accuracy with which existing manual techniques identify abnormal processes, and has good adaptability and higher robustness to different types of malicious processes.
On the basis of the above embodiment, the behavior vector generation module includes:
a behavior feature acquisition unit, configured to acquire the behavior features of the process according to the contents of the security log;
an individual behavior vector mapping unit, configured to map the behavior features of the process to the corresponding individual behavior vector;
and a processing unit, configured to acquire the observable behavior vector of the process from the individual behavior vectors according to the parent-child relationships between processes.
The system provided by the embodiment of the present invention is used to execute the above method embodiments; for the details of the procedure, reference is made to the above embodiments, which are not repeated here.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, and referring to fig. 7, the electronic device may include: a processor (processor)701, a communication Interface (Communications Interface)702, a memory (memory)703 and a communication bus 704, wherein the processor 701, the communication Interface 702 and the memory 703 complete communication with each other through the communication bus 704. The processor 701 may call logic instructions in the memory 703 to perform the following method: acquiring observable behavior vectors corresponding to the processes according to the contents of the safety logs; converting the observable behavior vector into a process behavior feature map; detecting the process behavior characteristic diagram based on the trained convolutional neural network model to obtain a detection result of the process; the trained convolutional neural network model is obtained by training a sample process behavior characteristic diagram marked with a normal process label and a process behavior characteristic diagram marked with a malicious process label.
In addition, the logic instructions in the memory 703 may be implemented as software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium. On this understanding, the technical solution of the invention may be embodied as a software product stored in a storage medium that includes instructions causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In another aspect, an embodiment of the invention further provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the process detection method for an application program provided in the foregoing embodiments, for example: acquiring the observable behavior vectors corresponding to the processes from the contents of the security logs; converting the observable behavior vectors into process behavior feature maps; and detecting the process behavior feature maps with the trained convolutional neural network model to obtain the detection result for the process, where the trained convolutional neural network model is obtained by training on sample process behavior feature maps labeled as normal processes and process behavior feature maps labeled as malicious processes.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A process detection method for an application program, comprising:
acquiring observable behavior vectors corresponding to the processes from the contents of the security logs;
converting the observable behavior vector into a process behavior feature map;
detecting the process behavior feature map based on the trained convolutional neural network model to obtain a detection result for the process; the trained convolutional neural network model is obtained by training on sample process behavior feature maps labeled as normal processes and process behavior feature maps labeled as malicious processes.
2. The process detection method for an application program according to claim 1, wherein acquiring the observable behavior vector corresponding to the process from the contents of the security log comprises:
acquiring the behavior features of the process from the contents of the security log;
mapping the behavior characteristics of the process into corresponding individual behavior vectors;
and acquiring the observable behavior vector of the process through the individual behavior vector according to the parent-child process relation of the process.
3. The process detection method for an application program according to claim 2, wherein mapping the behavior features of the process to corresponding individual behavior vectors comprises:
dividing the behavior characteristics of the process into basic behavior characteristics and extended behavior characteristics;
acquiring an individual behavior vector of the process according to the basic behavior feature and the extended behavior feature:
$\mathrm{IBV}_i = p_i \cdot p_i + s_i$
where $\mathrm{IBV}_i$ denotes the individual behavior vector of the $i$-th process, $p_i$ the number of basic behavior features in the $i$-th process, and $s_i$ the number of extended behavior features in the $i$-th process.
4. The process detection method for an application program according to claim 3, wherein after said dividing the behavior feature of the process into a basic behavior feature and an extended behavior feature, the method further comprises:
performing a logical operation, by means of a logical operator, on the process behaviors belonging to the basic behavior features to obtain corresponding secondary joint behavior features, so that the individual behavior vector is obtained from the secondary joint behavior features and the extended behavior features.
5. The method according to claim 2, wherein the obtaining the observable behavior vector of the process through the individual behavior vector according to the parent-child process relationship of the process comprises:
according to the parent-child relationship of the process, constructing an observable behavior vector formula from the individual behavior vectors, where if the process has no child process the observable behavior vector formula is:
$\mathrm{OBV}_i = \mathrm{IBV}_i$
and if the process has child processes the observable behavior vector formula is:
$\mathrm{OBV}_i = \mathrm{IBV}_i \vee \bigvee_{j=1}^{n_i} \mathrm{OBV}_j$
where $\mathrm{OBV}_i$ denotes the observable behavior vector of the $i$-th process, $\mathrm{IBV}_i$ the individual behavior vector of the $i$-th process, $\mathrm{OBV}_j$ the observable behavior vector of the $j$-th child process, $n_i$ the number of child processes of the $i$-th process, and $\vee$ the logical OR operator.
6. The method of claim 1, wherein converting the observable behavior vector into a process behavior feature map comprises:
and converting the observable behavior vector into a two-dimensional logic image to obtain a process behavior characteristic diagram.
7. A process detection system for an application, comprising:
a behavior vector generation module, configured to acquire observable behavior vectors corresponding to the processes from the contents of the security logs;
a feature map conversion module, configured to convert the observable behavior vector into a process behavior feature map;
a detection module, configured to detect the process behavior feature map based on the trained convolutional neural network model to obtain a detection result for the process; the trained convolutional neural network model is obtained by training on sample process behavior feature maps labeled as normal processes and process behavior feature maps labeled as malicious processes.
8. The process detection system for an application program of claim 7, wherein the behavior vector generation module comprises:
a behavior feature acquisition unit, configured to acquire the behavior features of the process from the contents of the security log;
an individual behavior vector mapping unit, configured to map the behavior features of the processes into corresponding individual behavior vectors;
and the processing unit is used for acquiring the observable behavior vector of the process through the individual behavior vector according to the parent-child process relation of the process.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the process detection method for an application program according to any of claims 1 to 6 are implemented when the processor executes the program.
10. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the process detection method for an application program according to any one of claims 1 to 6.
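Worked example of the feature-construction steps in claims 2 to 6, added here as an illustration; it is not code from the patent or its assignees. The feature vocabulary (three basic and three extended features), the `pid= ppid= event=` log format and the choice of AND as the logical operator that forms the $p_i \cdot p_i$ secondary joint features are assumptions of this example, since the patent fixes none of them. The vector length $p_i \cdot p_i + s_i$ follows claim 3, the OR aggregation over child processes follows claim 5, and the reshape into a 0/1 matrix follows claim 6. The convolutional network of claim 1 is not reproduced.

```python
"""Behaviour-vector pipeline of CN111191239A, claims 2-6 (illustrative example).

Assumptions (not fixed by the patent): the feature vocabulary below, the log
line format, and AND as the operator that forms the secondary joint features.
"""
from collections import defaultdict
from itertools import product

# Hypothetical feature vocabulary; the patent does not enumerate features.
BASIC = ["net_connect", "file_write", "reg_modify"]        # p = 3 basic features
EXTENDED = ["spawn_shell", "inject_remote", "delete_self"]  # s = 3 extended features

# Constructed security-log lines (not real data): one event per line,
# with the process id and its parent's id. pid 100 -> 101 -> 102 form a chain.
SECURITY_LOG = """\
pid=100 ppid=1 event=file_write
pid=101 ppid=100 event=net_connect
pid=101 ppid=100 event=spawn_shell
pid=102 ppid=101 event=reg_modify
pid=102 ppid=101 event=inject_remote
pid=200 ppid=1 event=file_write
"""


def parse_log(text):
    """Claim 2, step 1: collect each process's behaviour features and its parent."""
    feats = defaultdict(set)
    parent = {}
    for line in text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        pid, ppid = int(kv["pid"]), int(kv["ppid"])
        parent[pid] = ppid
        feats[pid].add(kv["event"])
    return feats, parent


def individual_behavior_vector(features):
    """Claims 3-4: IBV_i of length p*p + s.

    The first p*p entries are the secondary joint features, here the AND of
    every ordered pair of basic features (assumption); the diagonal therefore
    carries the basic features themselves. The last s entries are the
    extended features as plain 0/1 flags.
    """
    basic = [1 if f in features else 0 for f in BASIC]
    joint = [a & b for a, b in product(basic, basic)]
    ext = [1 if f in features else 0 for f in EXTENDED]
    return joint + ext


def observable_behavior_vectors(feats, parent):
    """Claim 5: OBV_i = IBV_i OR (OBV of every child); a leaf's OBV is its IBV."""
    children = defaultdict(list)
    for pid, ppid in parent.items():
        children[ppid].append(pid)
    cache = {}

    def obv(pid):
        if pid not in cache:
            vec = individual_behavior_vector(feats[pid])
            for child in children[pid]:
                vec = [a | b for a, b in zip(vec, obv(child))]
            cache[pid] = vec
        return cache[pid]

    return {pid: obv(pid) for pid in parent}


def to_feature_map(vec, width):
    """Claim 6: reshape the 0/1 vector into a two-dimensional logic image with
    rows of `width` entries, zero-padding the last row when needed."""
    padded = vec + [0] * (-len(vec) % width)
    return [padded[i:i + width] for i in range(0, len(padded), width)]


if __name__ == "__main__":
    feats, parent = parse_log(SECURITY_LOG)
    for pid, vec in sorted(observable_behavior_vectors(feats, parent).items()):
        print(pid, to_feature_map(vec, width=4))
```

Two properties of the formulas stand out when the example runs. Under this reading of claim 3, the diagonal of the $p \times p$ joint block reproduces the basic features (a AND a equals a), which is why the block has $p \cdot p$ rather than $p(p-1)/2$ entries. And because claim 5 ORs every descendant's vector into its ancestors, a benign parent such as a shell that spawns a single malicious child acquires the child's full behaviour (pid 100 above ends up carrying every feature of pids 101 and 102), so training labels for ancestor processes must be assigned with that inheritance in mind or the detector will flag the whole chain.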
CN201911397865.5A 2019-12-30 2019-12-30 Process detection method and system for application program Active CN111191239B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911397865.5A CN111191239B (en) 2019-12-30 2019-12-30 Process detection method and system for application program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911397865.5A CN111191239B (en) 2019-12-30 2019-12-30 Process detection method and system for application program

Publications (2)

Publication Number Publication Date
CN111191239A true CN111191239A (en) 2020-05-22
CN111191239B CN111191239B (en) 2022-04-29

Family

ID=70709701

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911397865.5A Active CN111191239B (en) 2019-12-30 2019-12-30 Process detection method and system for application program

Country Status (1)

Country Link
CN (1) CN111191239B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112307475A (en) * 2020-09-29 2021-02-02 北京软慧科技有限公司 System detection method and device
CN113971285A (en) * 2020-07-24 2022-01-25 深信服科技股份有限公司 Method, device and equipment for identifying malicious process of terminal and readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107330326A (en) * 2017-05-12 2017-11-07 中国科学院信息工程研究所 A kind of malice trojan horse detection processing method and processing device
CN107341401A (en) * 2017-06-21 2017-11-10 清华大学 A kind of malicious application monitoring method and equipment based on machine learning
CN108563951A (en) * 2018-04-13 2018-09-21 腾讯科技(深圳)有限公司 Method for detecting virus and device
CN109165510A (en) * 2018-09-04 2019-01-08 中国民航大学 Android malicious application detection method based on binary channels convolutional neural networks
CN110119810A (en) * 2019-03-29 2019-08-13 华东师范大学 A kind of human behavior dependency degree analysis method neural network based

Also Published As

Publication number Publication date
CN111191239B (en) 2022-04-29

Similar Documents

Publication Publication Date Title
Kapoor et al. Leakage and the reproducibility crisis in ML-based science
Lin et al. What do you see? Evaluation of explainable artificial intelligence (XAI) interpretability through neural backdoors
CN108737406B (en) Method and system for detecting abnormal flow data
Saxe et al. Visualization of shared system call sequence relationships in large malware corpora
CN112468347B (en) Security management method and device for cloud platform, electronic equipment and storage medium
CN111191239B (en) Process detection method and system for application program
CN112131249A (en) Attack intention identification method and device
AU2022215147B2 (en) Machine learning methods and systems for determining file risk using content disarm and reconstruction analysis
CN114491523A (en) Malicious software detection method and device, electronic equipment, medium and product
CN109241739B (en) API-based android malicious program detection method and device and storage medium
AU2021204470A1 (en) Benefit surrender prediction
CN111859862A (en) Text data labeling method and device, storage medium and electronic device
CN110262950A (en) Abnormal movement detection method and device based on many index
Li et al. VRPTEST: Evaluating Visual Referring Prompting in Large Multimodal Models
CN114841579A (en) Index data generation method, device, equipment and storage medium
CN113935847A (en) Online process risk processing method, device, server and medium
Wallace et al. Behavior Bounding: Toward effective comparisons of agents & humans
CN113065132B (en) Method and device for detecting confusion of macro program, electronic equipment and storage medium
CN114493379B (en) Enterprise evaluation model automatic generation method, device and system based on government affair data
Burrell et al. Testing conventional wisdom (of the crowd)
CN114756401B (en) Abnormal node detection method, device, equipment and medium based on log
CN118036008B (en) Malicious file disguising detection method
CN112379922B (en) Program comparison method and system
CN117216766A (en) Vulnerability assessment method, vulnerability assessment system, storage medium and electronic equipment
EP4398152A1 (en) Analytics platform optimisation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant