CN111831395B - Behavior monitoring analysis method and system - Google Patents


Info

Publication number
CN111831395B
Authority
CN
China
Prior art keywords
virtual client
monitoring
behavior
virtual
instruction
Prior art date
Legal status
Active
Application number
CN202010655805.5A
Other languages
Chinese (zh)
Other versions
CN111831395A (en)
Inventor
陶敬
李熇桢
李佳璇
Current Assignee
Xian Jiaotong University
Original Assignee
Xian Jiaotong University
Priority date
2020-07-09
Filing date
2020-07-09
Events
Application filed by Xian Jiaotong University
Priority to CN202010655805.5A
Publication of CN111831395A
Application granted
Publication of CN111831395B
Legal status: Active


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G06F 2009/45575 Starting, stopping, suspending or resuming virtual machine instances
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F 11/301 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is a virtual computing platform, e.g. logically partitioned systems
    • G06F 11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a behavior monitoring analysis method and system. A candidate set of virtual client systems is established on the host machine, and the corresponding virtual client is started according to the system the user selects from that set. After the virtual client has started, the user controls it through the host to initialize the function monitoring function; once initialization is finished, the virtual client is driven to trigger behavior, its running condition is monitored, and a monitoring log is output. The system comprises a virtual client system image maintenance module, a virtual client behavior monitoring initialization module and a virtual client behavior monitoring module. The invention monitors virtual client behavior on the basis of binary-instruction-translation virtualization; because monitoring is achieved by modifying the virtualization flow, the source code of the client system does not need to be modified. This overcomes the defect that traditional dynamic monitoring systems are not flexible enough and cannot change the monitored system at will in an environment where many operating systems are on the market and operating system versions are continually updated and iterated.

Description

Behavior monitoring analysis method and system
Technical Field
The invention relates to the technical field of virtualization monitoring, in particular to a behavior monitoring analysis method and system.
Background
According to the 2019 Android malware report recently released by 360 Security Brain, about 1.809 million new mobile malware samples were added in 2019. According to the 2019 China cybersecurity report published by Rising, its cloud security system intercepted a total of 103 million virus samples and recorded 438 million virus infections in 2019, the total number of viruses rising 32.69% over the same period of 2018. In such a poor security environment, malware endangers the interests of every user, disrupts the normal development of many industries and even affects national security.
To analyze and identify malware more accurately and comprehensively, and to cope with the packing used by most malware, application programs are generally analyzed with dynamic analysis methods. Monitoring the behavior of the operating system and application programs is an essential stage of dynamic analysis and its foundation.
Currently, the widely adopted modes of monitoring operating system and application behavior are mainly hook technology or customized operating systems: behavior is monitored by modifying the system kernel, static instrumentation, dynamic injection, or replacing function addresses. Although these methods can monitor the behavior of the operating system and applications well, they are inflexible: a dynamic monitoring platform built on them usually supports only a single version of one operating system, and it is difficult to switch to another version or another system. This is hard to accommodate in an environment where many operating systems are used by a large number of users, their versions differ, and those versions are continually updated.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention aims to provide a behavior monitoring analysis method and system that are compatible with multiple systems and do not depend on a specific system or system version. Behavior monitoring is performed on a client running under a virtualization technology based on binary instruction translation, so as to acquire behavior information of the client such as instruction execution, process creation, system calls and function calls. The invention lets the user select different systems to start the virtual client and install and run application programs, and provides monitoring of virtual client instructions, of the virtual client process list, of virtual client system calls, of virtual client function calls and the like, while outputting a formatted log. The results show that the method can effectively monitor virtual machine behavior under different systems, and that the operating system or system version can be replaced conveniently.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows:
the behavior monitoring analysis method comprises the following steps:
establishing a candidate system set of the virtual client in the host machine, and starting the corresponding virtual client according to the system selected by the user from the set, wherein the virtual client runs under a binary-instruction-translation virtualization technology and corresponds one-to-one with the system selected by the user;
after the virtual client is started, the user controls the virtual client through the host to initialize the function monitoring function;
after initialization is finished, controlling the virtual client to trigger behavior, monitoring the running condition of the virtual client, and outputting a monitoring log.
The host is an operation platform of the virtual client, and a user selects any one system in the candidate system set of the virtual client as an operation system of the virtual client through the host to conduct behavior triggering and monitoring on the virtual client.
The function monitoring initialization performed by the virtual client adds a custom system call to the virtual client system and then adds a call instruction for that custom system call to each function that needs monitoring, thereby setting a monitoring point on the target function. The custom system call lets the kernel respond to a new system call number added by the user; in theory the custom system call can be an empty function, because what the system monitors is the call instruction of the system call. That call instruction is added to the function to be monitored, so when the function is called, the call instruction of the system call is observed; the system call number corresponds one-to-one with the monitored function.
Monitoring the running condition of the virtual client comprises monitoring the process creation behavior of the virtual client, the execution behavior of virtual client instructions, the system call behavior of the virtual client and the function call behavior of the virtual client. In behavior triggering, the triggering behavior comprises a user clicking and typing in the virtual client, manually or automatically through a written script, to operate the operating system or install and run software. That is, the behavior monitored in the virtual client running condition is the underlying manifestation of the triggering behavior: the system cannot directly monitor the user's operation, but it can monitor the corresponding underlying manifestation.
Monitoring of virtual client process creation behavior is realized by modifying the flow in which the virtual translation lookaside buffer (TLB) of the virtualization technology creates a page table. Specifically, when the virtual TLB creates the page table, the virtual CPU information and the virtual client memory information are mined, it is judged whether a new process has been created, and the new process information is acquired.
Monitoring of virtual client instruction execution behavior is realized by modifying the process by which the virtualization technology translates binary machine instructions. Specifically, when the virtual platform translates a virtual client binary machine instruction, that instruction is intercepted and converted into an assembly instruction.
Monitoring of virtual client system call behavior comprises analyzing the monitored assembly instructions in real time, analyzing their semantics, and obtaining the virtual client system call information.
Monitoring of virtual client function call behavior proceeds as follows: after the virtual client is started, the user or the host machine controls the virtual client to initialize the function call monitoring function, and a call instruction of the custom system call is inserted into the target function; when the virtual client calls the target function, the call instruction is observed, which realizes monitoring of the target function call.
The invention also provides a virtual client behavior monitoring system comprising a virtual client system image maintenance module, a virtual client behavior monitoring initialization module and a virtual client behavior monitoring module, wherein: the virtual client system image maintenance module runs on the host machine, establishes the virtual client candidate system set, allows the user to select a system from the set, and starts the corresponding virtual client; the virtual client behavior monitoring initialization module initializes the virtual client behavior monitoring function, starts the virtual client process creation monitoring function, and initializes the virtual client function call monitoring function; the virtual client behavior monitoring module monitors the instruction execution, process creation, system call and function call conditions of the virtual client from the virtual machine layer by modifying the virtual machine platform, and outputs a monitoring log.
The host is the operating platform of the virtual client. The user selects any system in the virtual client candidate system set as the operating system of the virtual client through the host, and triggers and monitors behavior on the virtual client; the virtual machine platform has monitoring functions for virtual client process creation, instruction execution, system call and function call behavior.
The core part of the invention is as follows:
1. Virtual client system image maintenance module: the present invention monitors virtual client behavior without depending on a customized operating system. Instead, a set of virtual client system images is maintained on the host machine for selection by the user, who chooses a system image from it to launch the virtual client.
2. Virtual client behavior monitoring initialization module: the virtual client behavior monitoring initialization module initializes the virtual client behavior monitoring function, starts the virtual client process to create the monitoring function, and initializes the virtual client function to call the monitoring function.
3. Virtual client behavior monitoring module: the virtual client behavior monitoring module monitors instruction running conditions, process creation conditions, system call conditions and function call conditions of the virtual client from the virtual machine layer, and outputs a monitoring log.
The invention uses the open source virtual machine Qemu as the virtual machine platform on which the virtual client runs, and monitors virtual client behavior by modifying the binary instruction translation flow and the virtual page table creation flow. Monitoring virtual client behavior from the virtual machine layer, without modifying the operating system of the virtual client, not only achieves complete isolation between the host and the virtual client environment, but also does not depend on a customized operating system and is highly compatible with existing operating systems. The user can change the operating system of the virtual client at will during use, without complex modification of the operating system itself.
Compared with the prior art, the invention has the following beneficial effects:
1) It is difficult for an application program to evade monitoring performed by the virtual machine;
2) The invention monitors virtual client behavior on the basis of binary-instruction-translation virtualization; by modifying the virtualization flow it monitors behaviors of the virtual client such as assembly instruction execution, process creation, system calls and function calls, does not need to modify the source code of the client system, and is highly compatible with existing operating systems;
3) The operating system run by the virtual machine can be replaced conveniently, which overcomes the defect that traditional dynamic monitoring systems are not flexible enough and cannot change the monitored system at will in an environment where operating system versions are continually updated and iterated and many operating systems are on the market; the system remains compatible with future operating system version updates as long as those updates do not change the processor architecture.
Drawings
FIG. 1 is a general flow chart of a behavior monitoring analysis method according to the present invention.
FIG. 2 is a diagram of a virtual client behavior monitoring system architecture in accordance with the present invention.
FIG. 3 is a flow chart of the virtual machine platform monitoring of the present invention.
FIG. 4 is a flow chart of the monitoring of the behavior of virtual client instruction execution according to the present invention.
FIG. 5 is a flow chart of the virtual client process creation behavior monitoring of the present invention.
FIG. 6 is a flow chart of the virtual client system call behavior and function call behavior monitoring of the present invention.
Detailed Description
The invention is described in further detail below with reference to the accompanying drawings and specific examples.
The general flow of the virtual client behavior monitoring of the present invention is shown in FIG. 1. The virtual client is first started with the operating system specified by the user. After the virtual client has fully started, a function monitoring initialization script is uploaded to and run in the virtual client; it registers the custom system call handler and inserts the call instruction of the custom system call into each function to be monitored. Finally, virtual client behavior is triggered, monitored, and the monitoring log is output.
The architecture of the virtual client behavior monitoring system is shown in FIG. 2, which details the architecture of the system as well as the interactions between the host, the virtual machine platform and the virtual client. The functions and workflow of each part are described in 2a) to 2c) below.
2a) The host is the operating environment of the virtual machine platform and is responsible for maintaining the virtual client system image set and storing the monitoring log. The system image set comprises common versions of the Android system, common versions of the Linux system and the like; each system image is either compiled from system source code or downloaded from an official website. The user selects a system image from the set through the host, the virtual machine platform is used to start the virtual client, and control commands, file uploads, behavior triggering and the like can be sent to the virtual client through the host.
2b) The virtual machine platform is used to monitor the instruction execution behavior, process creation behavior, system call behavior, function call behavior and the like of the virtual client. The platform uses the open source emulator Qemu, which is based on binary instruction translation, and modifies its instruction translation flow and virtual page table creation flow to realize the virtual client behavior monitoring function.
Referring to FIG. 3, the overall flow of virtual client behavior monitoring by the virtual machine platform is as follows.
i) After the virtual client is started, the virtual machine platform monitors process creation behavior and instruction execution behavior;
ii) From the monitored virtual client process creation behavior, the platform acquires process information and maintains a process list;
iii) After capturing an instruction executed by the virtual client, the platform judges whether it is an instruction of the target process; if so, it writes the instruction into a cache, otherwise it does not record the instruction and acquires the next one;
iv) After the instruction is written into the cache, its meaning is analyzed in order to monitor system calls and function calls;
v) The platform judges whether monitoring has stopped; if so, it outputs the monitoring log, otherwise it acquires the next instruction.
Referring to FIG. 4, the flow by which the virtual machine platform monitors virtual client instruction execution behavior is as follows.
i) Insert monitoring points into the process by which Qemu translates and executes virtual client instructions;
ii) When Qemu is about to run a code block, acquire the processor state information of the current virtual client;
iii) Using the virtual client processor state, query whether translation of the code block to be executed has been completed; if so, go to step vi), otherwise go to step v);
iv) Acquire the total number of instructions in the code block to be executed, and from it the instructions to be executed in the block;
v) Intercept the code block translation flow and thereby obtain the instruction to be executed;
vi) Judge whether the obtained instruction is an instruction of the target process; if so, write it into the cache, otherwise let it execute;
vii) If monitoring has finished, write the contents of the cache into the monitoring log; otherwise continue monitoring the code-block execution behavior of Qemu.
Referring to FIG. 5, the flow by which the virtual machine platform monitors virtual client process creation behavior is as follows.
i) Modify the Qemu flow for creating virtual page tables so that virtual page table creation is monitored;
ii) When Qemu creates a virtual client page table, obtain the current CPU state of the virtual client;
iii) According to the register state of the current CPU, search the process list maintained by the method and system for the current process;
iv) If the current process already exists in the list, go directly to step vi); otherwise, look up the current process information (process PID, process name, parent process PID and the like) from the current virtual client CPU register state and the kernel symbol offsets of the virtual client system;
v) Store the current process information in the process list, associated with the current CPU register state of the virtual client;
vi) If monitoring has finished, write the process creation records of the virtual client into the monitoring log; otherwise continue monitoring the virtual client page table creation behavior of Qemu.
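The FIG. 4 and FIG. 5 flows above (page-table-driven process discovery and per-process instruction capture) can be modelled outside Qemu as two event hooks over a process list keyed by the vCPU's page-table base register. The C code below is an added example written for this page; it is not the patent's or Qemu's code. The task layout (pid, parent pid and name at fixed offsets), the page-table-base values and the guest-memory image are constructed placeholders standing in for what the kernel symbol offsets and the real vCPU register state would provide; the out-of-range check on the task address is the failure mode a hook reading guest memory has to handle.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guest layout: placeholder offsets, not the real task_struct layout.
   A real platform derives them from the guest kernel's symbols. */
#define TASK_PID_OFF   0
#define TASK_PPID_OFF  4
#define TASK_COMM_OFF  8
#define TASK_COMM_LEN  16
#define TASK_SIZE      (TASK_COMM_OFF + TASK_COMM_LEN)

#define MAX_PROCS    16
#define MAX_CAPTURE  64
#define GUEST_MEM    1024

typedef struct {
    uint64_t pgd;                 /* page-table base seen when the table was created */
    uint32_t pid, ppid;
    char comm[TASK_COMM_LEN];
} proc_entry;

typedef struct {
    uint64_t pgd;                 /* TTBR0/CR3-style register: identifies the address space */
    uint64_t cur_task;            /* guest address of the current task (placeholder for the symbol lookup) */
} vcpu_state;

typedef struct {
    proc_entry procs[MAX_PROCS];
    int nprocs;
    uint32_t target_pid;
    uint32_t cache[MAX_CAPTURE];  /* instruction cache for the target process (FIG. 4 step vi) */
    int ncached;
} monitor;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void monitor_init(monitor *m, uint32_t target_pid) {
    memset(m, 0, sizeof *m);
    m->target_pid = target_pid;
}

/* FIG. 5 step iii: find the process whose page-table base matches the vCPU state. */
proc_entry *lookup_proc(monitor *m, uint64_t pgd) {
    for (int i = 0; i < m->nprocs; i++)
        if (m->procs[i].pgd == pgd) return &m->procs[i];
    return NULL;
}

/* FIG. 5 steps ii-v, called when the emulator builds a guest page table.
   Returns 1 if a new process was recorded, 0 if it was already known,
   -1 if the task lies outside guest memory or the list is full. */
int on_page_table_create(monitor *m, const vcpu_state *cpu,
                         const uint8_t *guest_mem, size_t mem_len) {
    if (lookup_proc(m, cpu->pgd)) return 0;
    if (cpu->cur_task + TASK_SIZE > mem_len || m->nprocs == MAX_PROCS) return -1;
    const uint8_t *t = guest_mem + cpu->cur_task;
    proc_entry *e = &m->procs[m->nprocs++];
    e->pgd  = cpu->pgd;
    e->pid  = rd32(t + TASK_PID_OFF);
    e->ppid = rd32(t + TASK_PPID_OFF);
    memcpy(e->comm, t + TASK_COMM_OFF, TASK_COMM_LEN);
    e->comm[TASK_COMM_LEN - 1] = '\0';
    return 1;
}

/* FIG. 4 step vi: keep the instruction only if the vCPU is running the target process.
   Returns 1 if cached, 0 if it belongs to another or unknown process, -1 if the cache is full. */
int on_instruction(monitor *m, const vcpu_state *cpu, uint32_t insn) {
    proc_entry *e = lookup_proc(m, cpu->pgd);
    if (!e || e->pid != m->target_pid) return 0;
    if (m->ncached == MAX_CAPTURE) return -1;
    m->cache[m->ncached++] = insn;
    return 1;
}

/* FIG. 4 step vii / FIG. 5 step vi: emit the monitoring log. Returns lines written. */
int write_log(const monitor *m, FILE *out) {
    int n = 0;
    for (int i = 0; i < m->nprocs; i++, n++)
        fprintf(out, "proc pid=%u ppid=%u comm=%s pgd=0x%llx\n", m->procs[i].pid,
                m->procs[i].ppid, m->procs[i].comm, (unsigned long long)m->procs[i].pgd);
    for (int i = 0; i < m->ncached; i++, n++)
        fprintf(out, "insn pid=%u 0x%08x\n", m->target_pid, m->cache[i]);
    return n;
}

/* Constructed sample: write a fake task record into the guest memory image. */
static void put_task(uint8_t *mem, uint64_t at, uint32_t pid, uint32_t ppid, const char *comm) {
    uint8_t *t = mem + at;
    for (int i = 0; i < 4; i++) {
        t[TASK_PID_OFF + i]  = (uint8_t)(pid >> (8 * i));
        t[TASK_PPID_OFF + i] = (uint8_t)(ppid >> (8 * i));
    }
    memset(t + TASK_COMM_OFF, 0, TASK_COMM_LEN);
    strncpy((char *)t + TASK_COMM_OFF, comm, TASK_COMM_LEN - 1);
}

/* Drives both hooks with a constructed event sequence; returns the number of
   instructions attributed to the target process (pid 42). */
int run_demo(FILE *out) {
    static uint8_t guest_mem[GUEST_MEM];
    memset(guest_mem, 0, sizeof guest_mem);
    put_task(guest_mem, 0x100, 1, 0, "init");
    put_task(guest_mem, 0x200, 42, 1, "sample.bin");

    monitor m;
    monitor_init(&m, 42);
    vcpu_state init_cpu = { .pgd = 0x40001000, .cur_task = 0x100 };
    vcpu_state samp_cpu = { .pgd = 0x40005000, .cur_task = 0x200 };

    on_page_table_create(&m, &init_cpu, guest_mem, sizeof guest_mem); /* new process: init */
    on_instruction(&m, &init_cpu, 0xd2800ba8);                        /* not the target: dropped */
    on_page_table_create(&m, &samp_cpu, guest_mem, sizeof guest_mem); /* new process: sample.bin */
    on_page_table_create(&m, &samp_cpu, guest_mem, sizeof guest_mem); /* already known: no-op */
    on_instruction(&m, &samp_cpu, 0xd2800808);                        /* target: cached */
    on_instruction(&m, &samp_cpu, 0xd4000001);                        /* target: cached */
    if (out) write_log(&m, out);
    return m.ncached;
}

int main(void) { return run_demo(stdout) == 2 ? 0 : 1; }
```

Keying the list on the page-table base is what lets the instruction hook attribute an instruction to a process without reading guest memory on every instruction; only the page-table-creation hook touches guest memory, and it refuses addresses outside the image rather than reading past it.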
Before the virtual client function call monitoring function can be used, it must be initialized. Before the virtual client is started, the correspondence between each custom system call number and the function to be monitored is set in the configuration file provided by the invention; then the custom system call function is registered in the virtual client; and finally an instruction that invokes the custom system call is inserted into each function to be monitored.
None of these three steps requires modifying the virtual client system source code. Registering the custom system call function in the virtual client can be done with a kernel module that adds the function to the sys_call_table. Inserting the instruction that invokes the custom system call into the function to be monitored can be realized by adding a syscall call to the target function through an inline hook, or by directly inserting the assembly instruction of the system call (for example the svc instruction on arm64).
Referring to FIG. 6, the flow by which the virtual machine platform monitors virtual client system call behavior and function call behavior is as follows.
i) Obtain the virtual client instruction captured by the virtual client instruction monitoring function; it is a machine code instruction of the virtual client CPU architecture running on the Qemu virtual machine platform;
ii) Disassemble the machine code instruction into an assembly instruction;
iii) Judge whether the assembly instruction is a system call instruction; if not, skip it and continue with the next instruction, otherwise go to the next step;
iv) Before the system call instruction, a mov or similar instruction places the system call number in a specific register; analyze the preceding instruction to obtain the system call number;
v) Judge the system call number: if it is a custom number, convert it into the call information of the corresponding monitored function according to the configuration file; otherwise, convert it into the call information of the corresponding system call through the sys_call_table.
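Steps i) to v) above, together with the configuration file mapping custom system call numbers to monitored functions, can be shown end to end with a small AArch64 decoder over a captured instruction stream. The C code below is an added example for this page, not the patent's or Qemu's code. The MOVZ and SVC encodings are those of the AArch64 architecture and the small name table uses the real AArch64 Linux syscall numbers; the configuration format (one `<number> <function>` pair per line), the custom numbers 1000 and 1001 and the sample instruction stream are constructed for the example. It goes slightly beyond the text by remembering the most recent write to x8 (the AArch64 syscall-number register) rather than only the instruction immediately before the svc.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CUSTOM 16

typedef enum { INSN_OTHER, INSN_MOVZ_X, INSN_SVC } insn_kind;
typedef struct { insn_kind kind; uint32_t rd; uint32_t imm; } insn;

/* Step ii: decode only the forms the monitor needs. AArch64 encodings:
   MOVZ Xd, #imm16 (hw=0) = 0xD2800000 | imm16<<5 | Rd;  SVC #imm16 = 0xD4000001 | imm16<<5.
   Wide immediates (MOVK sequences) are not handled; Linux syscall numbers fit in imm16. */
insn decode_a64(uint32_t w) {
    insn r = { INSN_OTHER, 0, 0 };
    if ((w & 0xFFE00000u) == 0xD2800000u) {
        r.kind = INSN_MOVZ_X; r.rd = w & 0x1F; r.imm = (w >> 5) & 0xFFFF;
    } else if ((w & 0xFFE0001Fu) == 0xD4000001u) {
        r.kind = INSN_SVC; r.imm = (w >> 5) & 0xFFFF;
    }
    return r;
}

typedef struct { uint32_t nr; char func[32]; } custom_entry;
typedef struct { custom_entry e[MAX_CUSTOM]; int n; } custom_map;

/* Parses the constructed config format: "<number> <function>" per line, '#' comments.
   Returns the number of entries loaded. */
int load_config(const char *text, custom_map *map) {
    map->n = 0;
    for (const char *p = text; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[64];
        if (len < sizeof line) {
            memcpy(line, p, len); line[len] = '\0';
            unsigned long nr; char func[32];
            if (line[0] != '#' && sscanf(line, "%lu %31s", &nr, func) == 2 && map->n < MAX_CUSTOM) {
                map->e[map->n].nr = (uint32_t)nr;
                strcpy(map->e[map->n].func, func);
                map->n++;
            }
        }
        if (!eol) break;
        p = eol + 1;
    }
    return map->n;
}

static const char *custom_name(const custom_map *m, uint32_t nr) {
    for (int i = 0; i < m->n; i++) if (m->e[i].nr == nr) return m->e[i].func;
    return NULL;
}

/* Constructed subset of the AArch64 Linux sys_call_table (numbers are the real ones). */
static const char *sys_call_name(uint32_t nr) {
    switch (nr) {
    case 56: return "openat"; case 57: return "close";  case 63: return "read";
    case 64: return "write";  case 93: return "exit";   case 221: return "execve";
    default: return "unknown";
    }
}

typedef struct { uint32_t nr; int custom; char name[32]; } call_event;

/* Steps i-v over a stream of machine words. Returns the number of call events, -1 if out is full. */
int monitor_calls(const uint32_t *words, size_t n, const custom_map *cfg, call_event *out, int max_out) {
    int nev = 0, have_nr = 0;
    uint32_t nr = 0;
    for (size_t i = 0; i < n; i++) {
        insn d = decode_a64(words[i]);
        if (d.kind == INSN_MOVZ_X && d.rd == 8) { have_nr = 1; nr = d.imm; }  /* step iv */
        else if (d.kind == INSN_SVC) {                                        /* step iii */
            if (nev == max_out) return -1;
            call_event *ev = &out[nev++];
            const char *cn = have_nr ? custom_name(cfg, nr) : NULL;          /* step v */
            ev->nr = have_nr ? nr : 0xFFFFFFFFu;
            ev->custom = cn != NULL;
            strncpy(ev->name, cn ? cn : (have_nr ? sys_call_name(nr) : "unknown"), sizeof ev->name - 1);
            ev->name[sizeof ev->name - 1] = '\0';
            have_nr = 0;
        }
    }
    return nev;
}

/* Constructed inputs: a config file and a captured instruction stream. */
static const char sample_config[] =
    "# custom syscall number -> monitored guest function (constructed)\n"
    "1000 do_fork\n"
    "1001 ext4_file_open\n";

static const uint32_t sample_stream[] = {
    0xd2800808, /* mov x8, #64    (write)                  */
    0xd4000001, /* svc #0                                   */
    0xaa0003e1, /* mov x1, x0     (not a syscall: ignored)  */
    0xd2807d08, /* mov x8, #1000  (custom: do_fork)         */
    0xd4000001, /* svc #0                                   */
    0xd2800ba8, /* mov x8, #93    (exit)                    */
    0xd4000001, /* svc #0                                   */
};

int run_demo(call_event *out, int max_out) {
    custom_map cfg;
    load_config(sample_config, &cfg);
    return monitor_calls(sample_stream, sizeof sample_stream / sizeof *sample_stream, &cfg, out, max_out);
}

int main(void) {
    call_event ev[8];
    int n = run_demo(ev, 8);
    for (int i = 0; i < n; i++)
        printf("%s nr=%u %s\n", ev[i].custom ? "function" : "syscall", ev[i].nr, ev[i].name);
    return n == 3 ? 0 : 1;
}
```

The decoder resolves custom numbers through the configuration before falling back to the syscall table, so a custom number that collides with a real one would shadow it; choosing custom numbers above the guest kernel's highest syscall number avoids that ambiguity.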
2c) The virtual client is the environment in which the process monitored for the user runs. Its operating system is not fixed: the user specifies it from the system image set.
In summary, the invention monitors virtual client behavior on the basis of binary-instruction-translation virtualization, and by modifying the virtualization flow it monitors assembly instruction execution, process creation, system calls, function calls and other behaviors of the virtual client.

Claims (6)

1. A behavior monitoring analysis method, comprising:
establishing a candidate system set of the virtual client in the host machine, and starting the corresponding virtual client according to the system selected by the user from the set, wherein the virtual client runs under a binary-instruction-translation virtualization technology and corresponds one-to-one with the system selected by the user;
after the virtual client is started, the user controls the virtual client through the host machine to initialize a function monitoring function, wherein the function monitoring function adds a custom system call to the virtual client system and then adds a call instruction of the custom system call to each function that needs monitoring, so as to set a monitoring point on the target function;
after initialization is finished, controlling the virtual client to trigger behavior, monitoring the running condition of the virtual client, and outputting a monitoring log;
wherein monitoring the running condition of the virtual client comprises monitoring the process creation behavior of the virtual client, the execution behavior of virtual client instructions, the system call behavior of the virtual client and the function call behavior of the virtual client; and in behavior triggering, the triggering behavior comprises a user clicking and typing in the virtual client, manually or automatically through a written script, to complete system operation or the installation and running of software;
monitoring of virtual client process creation behavior is realized by modifying the page table creation flow of the virtualization technology, specifically: when the virtualization technology creates a page table, virtual CPU information and virtual client memory information are mined, it is judged whether a new process has been created, and the new process information is acquired;
monitoring of virtual client instruction execution behavior is realized by modifying the process by which the virtualization technology translates binary machine instructions, specifically: when the virtual platform translates a virtual client binary machine instruction, that instruction is intercepted and converted into an assembly instruction.
2. The behavior monitoring analysis method according to claim 1, wherein the host is the operating platform of the virtual client, and the user selects any system in the virtual client candidate system set as the operating system of the virtual client through the host, in order to trigger and monitor behavior on the virtual client.
3. The behavior monitoring analysis method according to claim 1, wherein monitoring the virtual client system call behavior is performed by analyzing the monitored assembly instructions in real time, analyzing their semantics, and obtaining the virtual client system call information.
4. The behavior monitoring analysis method according to claim 1, wherein monitoring the virtual client function call behavior comprises: after the virtual client is started, the user or the host machine controls the virtual client to initialize a function call monitoring function, and a call instruction of the custom system call is inserted into the target function; when the virtual client calls the target function, the call instruction is observed, which realizes monitoring of the target function call.
5. The virtual client behavior monitoring system is characterized by comprising a virtual client system mirror maintenance module, a virtual client behavior monitoring initialization module and a virtual client behavior monitoring module, wherein: the virtual client system mirror maintenance module operates on a host machine, establishes a virtual client candidate system set, allows a user to select a system from the set, and starts a corresponding virtual client; the virtual client behavior monitoring initialization module initializes the virtual client behavior monitoring function, configures a virtual client function call monitoring function, wherein the virtual client function initialization monitoring function is to add a self-defined system call in a virtual client system, and then add a call instruction of the self-defined system call to a required monitoring function to realize the purpose of setting a monitoring point for a target function; the virtual client behavior monitoring module monitors the instruction running condition, the process creation condition, the system call condition and the function call condition of the virtual client from the virtual machine layer by modifying the virtual machine platform, and outputs a monitoring log;
the monitoring of the running condition of the virtual client comprises monitoring of the process creation behavior of the virtual client, the running behavior of the virtual client instruction, the system call behavior of the virtual client and the function call behavior of the virtual client; in the behavior triggering, the triggering behavior comprises that a user clicks and inputs in a virtual client machine manually or automatically by writing a script, and system operation or installation of running software is completed;
the monitoring of the virtual client process creation behavior is realized by modifying the flow of creating a page table in the virtualization technology, and the process is specifically that when the virtualization technology creates the page table, virtual CPU information and virtual client memory information are mined, whether a new process is created or not is judged, and new process information is acquired;
the monitoring of the operation behavior of the virtual client machine instruction is realized by modifying the process of translating the binary machine instruction by the virtualization technology, and the process is specifically that the virtual client machine binary machine instruction is intercepted and converted into an assembly instruction when the virtual platform translates the virtual client machine binary machine instruction.
6. The system according to claim 5, wherein the host is an operating environment of a virtual client, and the user selects any one of the candidate systems of the virtual client as an operating system of the virtual client through the host, starts the virtual client by using the virtual machine platform, and performs behavior triggering and monitoring on the virtual client; the virtual machine platform has monitoring functions for virtual machine client process creation, instruction execution, system call and function call behavior.
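As an added illustration, not code from the patent or its authors, the following C model shows how a translation-time hook in the virtual machine platform could implement the three monitors claimed above: a page-table base (CR3) seen for the first time is treated as a new process, a decoded SYSCALL opcode yields the system call number from rax, and a reserved custom system call number marks a monitor point inserted into a target function. MONITOR_SYSCALL_NR, the use of rdi as the function identifier, and the GuestInsn snapshot are all constructed assumptions; the patent specifies none of them.

```c
#include <stdint.h>
/* Hypothetical syscall number reserved in the guest kernel for monitor points (constructed value). */
#define MONITOR_SYSCALL_NR 548
#define MAX_PROCS 64
typedef struct {              /* constructed vCPU snapshot handed to the translation hook */
    uint64_t cr3, rax, rdi;   /* page-table base, syscall number, first syscall argument */
    uint8_t  bytes[4];        /* machine-code bytes the platform is about to translate */
    int      len;
} GuestInsn;
typedef struct {
    uint64_t seen_cr3[MAX_PROCS];
    int n_procs, n_syscalls, n_func_calls;
    uint64_t last_syscall_nr, last_func_id;
} MonitorState;
enum { EV_NONE = 0, EV_NEW_PROCESS = 1, EV_SYSCALL = 2, EV_FUNC_CALL = 4 };
static MonitorState g_state;

/* A CR3 value never seen before means a page table was created for a new guest process. */
static int is_new_process(MonitorState *st, uint64_t cr3) {
    for (int i = 0; i < st->n_procs; i++)
        if (st->seen_cr3[i] == cr3) return 0;
    if (st->n_procs < MAX_PROCS) st->seen_cr3[st->n_procs++] = cr3;
    return 1;
}

/* Translation-time hook: classify one guest instruction from the VM layer, with no agent in the guest. */
int monitor_insn(MonitorState *st, const GuestInsn *in) {
    int ev = is_new_process(st, in->cr3) ? EV_NEW_PROCESS : EV_NONE;
    if (in->len >= 2 && in->bytes[0] == 0x0f && in->bytes[1] == 0x05) {   /* 0F 05 = SYSCALL */
        if (in->rax == MONITOR_SYSCALL_NR) {          /* the call inserted into a target function */
            st->n_func_calls++; st->last_func_id = in->rdi; ev |= EV_FUNC_CALL;
        } else {                                      /* an ordinary guest system call */
            st->n_syscalls++; st->last_syscall_nr = in->rax; ev |= EV_SYSCALL;
        }
    }
    return ev;
}

/* Constructed trace: two processes, two real syscalls, one monitor point. Returns how many instructions raised an event. */
int run_sample_trace(void) {
    const GuestInsn trace[] = {
        {0x1000, 0, 0, {0x48, 0x89, 0xc7}, 3},                    /* mov rdi, rax: first sight of process A */
        {0x1000, 1, 1, {0x0f, 0x05}, 2},                          /* write(2) in process A                   */
        {0x2000, MONITOR_SYSCALL_NR, 0x402000, {0x0f, 0x05}, 2},  /* monitor point hit in new process B      */
        {0x1000, 0, 0, {0x90}, 1},                                /* nop in a known process: no event        */
        {0x1000, 60, 0, {0x0f, 0x05}, 2},                         /* exit(60) in process A                   */
    };
    int raised = 0; g_state = (MonitorState){0};
    for (int i = 0; i < (int)(sizeof trace / sizeof trace[0]); i++)
        if (monitor_insn(&g_state, &trace[i]) != EV_NONE) raised++;
    return raised;
}
```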
CN202010655805.5A 2020-07-09 2020-07-09 Behavior monitoring analysis method and system Active CN111831395B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010655805.5A CN111831395B (en) 2020-07-09 2020-07-09 Behavior monitoring analysis method and system

Publications (2)

Publication Number Publication Date
CN111831395A CN111831395A (en) 2020-10-27
CN111831395B true CN111831395B (en) 2024-01-09

Family

ID=72900386

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010655805.5A Active CN111831395B (en) 2020-07-09 2020-07-09 Behavior monitoring analysis method and system

Country Status (1)

Country Link
CN (1) CN111831395B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112346946B (en) * 2020-11-13 2022-06-21 Xi'an Jiaotong University User software operation behavior monitoring method and system based on control positioning
CN112667361B (en) * 2020-12-31 2023-10-17 Beijing VRV Software Co., Ltd. Management method and device based on system virtual machine, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007115425A1 (en) * 2006-03-30 2007-10-18 Intel Corporation Method and apparatus for supporting heterogeneous virtualization
CN101403983A (en) * 2008-11-25 2009-04-08 Beihang University Resource monitoring method and system for multi-core processor based on virtual machine
CN103294956A (en) * 2013-06-25 2013-09-11 Beijing Qihoo Technology Co., Ltd. Method and device for processing behaviors on Windows platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Process behavior monitoring system based on API Hook; 沈济南; 胡俊鹏; 梁芳; 杨洁勇; Journal of Yunnan University (Natural Science Edition) (No. 03); full text *

Also Published As

Publication number Publication date
CN111831395A (en) 2020-10-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant