CN1818823A - Computer protecting method based on programm behaviour analysis - Google Patents

Computer protecting method based on programm behaviour analysis Download PDF

Info

Publication number
CN1818823A
CN1818823A CN 200510007682 CN200510007682A CN1818823A CN 1818823 A CN1818823 A CN 1818823A CN 200510007682 CN200510007682 CN 200510007682 CN 200510007682 A CN200510007682 A CN 200510007682A CN 1818823 A CN1818823 A CN 1818823A
Authority
CN
China
Prior art keywords
program
behavior
action
analyzing
procedure
Prior art date
Application number
CN 200510007682
Other languages
Chinese (zh)
Other versions
CN100547513C (en
Inventor
刘旭
Original Assignee
福建东方微点信息安全有限责任公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 福建东方微点信息安全有限责任公司 filed Critical 福建东方微点信息安全有限责任公司
Priority to CNB200510007682XA priority Critical patent/CN100547513C/en
Publication of CN1818823A publication Critical patent/CN1818823A/en
Application granted granted Critical
Publication of CN100547513C publication Critical patent/CN100547513C/en

Links

Abstract

A computer protection method based on program behavior analysis includes monitoring its actuation behavior and comparing it with its legal actuation behavior stored in program behavior knowledge bank then judging whether known program is attacked illegally or not for known program; monitoring its actuation behavior and comparing it with attack identification rule stored in attack identification rule bank then judging whether it is harmful program or not for unknown program.

Description

Computer protecting method based on the program behavior analysis
Technical field
The present invention relates to a kind of computer protecting method, different compared with prior art is, does not adopt virus pattern code to compare, but is feature with the action behavior of program, is based on the computer protecting method that program behavior is analyzed.
Background technology
, the invasion of computer virus and the struggle of anti-invasion are all being carried out intensely, along with computing machine uses more and more widely, the fierce degree of this struggle also rises to a new height all the time.Through long-term struggle practice, people sum up many concrete grammars and prevent invasion to computer virus, develop many corresponding strick precaution products.These products can be divided into two classes substantially, and a class is that intrusive viruses is isolated, and for example fire wall prevents entering of intrusive viruses by PORT COM, agreement etc. is limited; Another kind of is to search forming the malicious file of catching an illness of invasion, for example existing antivirus software, and utilization may be formed into the code characteristic that infects virus document, by scanning discovery and the harmful malicious file of catching an illness of removing.Though it is many that this two series products has play a part in the struggle of anti-virus invasion, all has the shortcoming that some can't overcome, they are respectively:
(1) though fire wall can be blocked some illegal viruses or hacker's invasion, the monitored object of fire wall is main port and protocol, need by user oneself be provided with to allow by otherwise do not allow to pass through.Its major defect 1. requires the user very familiar to system, could effectively be provided with it; 2. because monitor particles is too big, can't be provided with substantially,, then may cause virus or hacker attacks to take place if allow to pass through for the port and protocol that must use in the network application; If do not allow to pass through, then may directly influence the normal operation of network again.
(2) utilize the antivirus software of virus signature will lag behind viral development forever, because after only capturing Virus Sample, just can extract the condition code of virus, this makes this antivirus software can't take precautions against emerging unknown virus invasion, even the user has equipped antivirus software, also can be subjected to the attack injury of this virus once more, have only by upgrading, renewal virus database just can solve, and this solution lag behind the virus generation.
Summary of the invention
The present invention produces for the shortcoming that solves prior art just, has solved existing antivirus software, fire wall can not effectively protect unknown virus and wooden horse, and solved existing antivirus software, fire wall uses too complicated disadvantage.Its purpose is to provide a kind of computer protecting method of analyzing based on program behavior, and can effectively tackle the attack of virus, wooden horse, guarantees the safety of computing machine.
The computer protecting method of analyzing based on program behavior of the present invention is characterized in that:
For known procedure, monitor its action behavior, and with the program behavior knowledge base in the fair play behavior of the described known procedure that writes down compare, judge whether this known procedure is subjected to rogue attacks;
For unknown program, monitor its action behavior, and compare with attacking the attack recognition rule that writes down in the recognition rule storehouse, judge whether it is harmful program;
Aforementioned program behavior knowledge base is, utilizes automation tools, one by one the performed action behavior of legal known procedure analyzed tabulation, and the database that described analysis tabulation is stored;
Described attack recognition rule storehouse is, utilize automation tools, write down the database of the attack feature of computer virus, wooden horse and harmful program, each writes down a corresponding viroid, the corresponding behavior aggregate of each viroid, this behavior aggregate comprise a series of actions and between specific incidence relation.
As mentioned above, the attack feature of the harmful program that writes down in the aforementioned as can be known attack recognition rule storehouse is not the single action of certain or certain virus, wooden horse.According to following actions behavior classification as can be known, single action is not a standard of judging harmful program.Therefore, attack being recorded as of storing in the recognition rule storehouse, corresponding viroid of the described record of each bar or wooden horse, and a plurality of action behaviors that comprise this viroid or wooden horse are as its feature, and write down between a plurality of action behaviors of described this viroid or wooden horse incidence relation, thereby can make judgement to harmful program accurately at aspects such as times.
And, for each supervisory control action and dangerous play weights are set, carry out described supervisory control action or dangerous play when unknown program and reach on the weights in limited time, then can be to User Alarms; And this weights upper limit can be used empirical value provided by the present invention, also can bring convenience in the use for the user by User Defined.
As mentioned above, the action behavior of monitoring, writing down comprises:
Supervisory control action, this action may influence computer security, need monitor in real time it; And described supervisory control action is the performed common action of computer program, is the action that most normal procedures also must be carried out.
And described supervisory control action comprises: file operation; Network operation; Establishment process, establishment thread; Registry operations; Window, pallet operation; Storehouse overflows; Inject thread; Intercepting system API Calls and visit, modification and establishment user account number.
Dangerous play, this action at first are supervisory control actions, and in program run, this action may threaten computer security; And the action that described dangerous play can be carried out for the minority normal procedure, and the program that most Viruses or trojan horse program need be carried out, therefore the program of carrying out such action has harmfulness can be bigger, for example, program changes the operation level voluntarily, in the Windows of Microsoft operating system, certain Automatic Program is carried out from application layer (RING3) elevator system level (RING0), have only the normal procedure of minority just to have this feature, but but be the feature that much has aggressive Virus and had jointly.
And described dangerous play comprises: call the SHELL program; The update routine file or the file of writing a program; Call FTP or TFTP; Create FTP or TFTP service; Send mail; Browser or mailing system are moved other programs automatically; Create a large amount of identical threads; Revise and create user account number; Dangerous network operation; Add the startup item to system registry; Revise the system start-up file; Inject thread to other processes; Storehouse overflows; Automatically promote during the application layer process and be system-level process operation; The intercepting system API Calls.
Except that aforementioned supervisory control action and dangerous play, also comprise non-supervisory control action, promptly do not influence the action that computer security need not to monitor.For example, revise to show be provided with, to calling of GDI resource etc.
In the computer protecting method of analyzing based on program behavior of the present invention, described automation tools is, the API by colluding the extension system (Application Programming Interface: application programming interface) monitor the action behavior of program by function.Usually need carry out calling of API that system provides when existing operating system, program are carried out, therefore, only need can monitor the performed action behavior of program by colluding system's API Calls of extension program.
The computer protecting method of analyzing based on program behavior of the present invention is characterized in that, comprises the steps:
6.1) program brings into operation;
6.2) judge whether this program is known procedure;
6.3) as being judged as known procedure, then monitor, write down the action behavior of this known procedure, and with the program behavior knowledge base in the legal action behavior of the known procedure of storing compare, and judge whether this program is attacked; As be judged as unknown program, whether be that harmful action behavior is judged to the action behavior of this program.
And, after described program is judged as known procedure,, also comprise the steps: this known procedure step of judging under attack whether
7.1) collude and hang the programming system API Calls;
7.2) the watchdog routine action behavior, supervisory control action that prize procedure is performed and dangerous play;
7.3) the known procedure fair play behavior of storing in the action behavior that write down and the program behavior knowledge base is compared, judge whether this known procedure is under attack;
7.4) if comparative result is the fair play behavior, then return step 7.1); If comparative result proves then that for not this known procedure is under attack, and stop this program continuation operation, to User Alarms, or products for further is handled.Therefore, adopt aforesaid method that known procedure is checked, not only can guarantee to known procedure whether normally operation judge, and can check out whether known procedure is under attack, and adopt the method for virus pattern code comparison to compare with prior art, the accuracy of not only checking virus attack is better, and it is higher to carry out efficient.
Therefore, compare,, illustrate that then described known procedure operation is normal if known procedure is carried out according to the aforementioned legal program behavior that writes down according to the legal action behavior that will write down in known procedure and the program behavior knowledge base; If in case action behavior beyond this known procedure fair play behavior occurred, can determine that then described known procedure receives attack, it should be stopped.
And, described step 7.4) in also comprise the steps:
8.1) according to the definition of program behavior knowledge base, judge whether the end process;
8.2) if judged result is for being, then the calling system api function finishes current process; If judged result is not, then the calling system api function finishes current thread.
Because in known procedure, it is the bottom service of system that its function of quite a few program is arranged, if directly with these EOP (end of program), system is restarted, so that systemic breakdown.Therefore, in the present invention, define, as above-mentioned step 8.1 for the program in the program behavior knowledge base), cannot stop for those, and program under attack, will be according to step 8.2) described, the thread of having carried out illegal operation is finished to get final product.As mentioned above, promptly guarantee the safety of system, can not influence the work of system again, make system stable operation, avoided existing virus firewall instrument, because when the program virus of the critical services in the system checked, in the time of kill virus, make program file important in the system cause damage, influence the stability of system.
If, after described program is judged as unknown program, whether be the step that harmful action behavior is judged to the action behavior of this program, comprise the steps:
9.1) collude and hang the programming system API Calls;
9.2) the watchdog routine action behavior, supervisory control action that prize procedure is performed and dangerous play;
9.3) judge whether this program has the program source;
9.4) action behavior and the attack recognition rule of attacking in the recognition rule storehouse of this program that will capture compare;
9.5) judge whether this program is harmful program; If judged result is for being then to enter next step;
9.6) confirm whether to allow this program to continue to carry out by the user;
9.7) if the user confirms to allow this program to continue operation, then this program continues operation, if the user confirms not allow this program to continue operation, then stop this program and continue operation.
As mentioned above for unknown program, according to aforementioned attack recognition rule storehouse, can judge whether this program is harmful program, analyze from program behavior and not only to have saved frequently the upgrade trouble of virus base of user the existing antivirus software, and more can play good interception result for harmful programs such as the virus of the unknown, wooden horses, this is the difficult problem that prior art cann't be solved, and has higher execution efficient.
In the computer protecting method based on the program behavior analysis of the present invention, if this program has the program source-information, then the action behavior of this program that will monitor records in the program behavior knowledge base, and returns step 9.2), continue to the action behavior of this program monitor, record.
When having the action behavior of the program in program source to record in the program behavior knowledge base this, the structure of its record is identical with the program behavior knowledge base, and returning step 9.2) after, continue to catch the supervisory control action and the dangerous play of this program, and continue in the program behavior knowledge base, to add the record of this program.
Whether abovementioned steps 9.3), described program source-information is for comprising: be that installation procedure is created; Whether be the program of confirming through the user.When certain unknown program is when being created by installation procedure, this program has very high reliability, therefore can be by the system default setting, think that this program is a legal procedure, therefore with its action behavior, add in the program behavior knowledge base, therefore under the prerequisite that guarantees security of system, reduced the expense of system.If the action behavior of certain its execution of unknown program has passed through user's affirmation, illustrate that then the user understands the action behavior of this program, therefore add it to program behavior knowledge base, and later action behavior is also added in the program behavior knowledge base.
The computer protecting method of analyzing based on program behavior of the present invention, described step 9.6) in, after the nothing source unknown program that the user confirms to allow to be judged as harmful program continues to carry out, the described action behavior of this program is recorded in the program behavior knowledge base; And return step 9.2).
The user confirms the action behavior of unknown program, and when adding in the program behavior knowledge base, the structure of its record is identical with the program behavior knowledge base, and returning step 9.2) after, continue to catch the supervisory control action and the dangerous play of this program, and continue in the program behavior knowledge base, to add the record of this program.
As mentioned above, can make the program behavior knowledge base obtain constantly replenishing, after the record of unknown program is added in the program behavior knowledge base, this unknown program just changes for known procedure, when carrying out this program once more, then judge, thereby improved the efficient of system according to the determination methods of known procedure.
In the computer protecting method based on the program behavior analysis of the present invention, described step 7.4) or described step 9.7) in, by calling system API, known procedure under attack and the unknown program with harmful action behavior are stopped.Described api function is the fixing function that operating system provides.
The computer protecting method of analyzing based on program behavior of the present invention, wherein said step 9.4) or described step 9.5) in, whether the action behavior of judging this program is harmful action behavior, by in step 9.4) in compare with the attack recognition rule of attacking in the recognition rule storehouse, obtain the weights of this supervisory control action or dangerous play, and in step 9.5) in weights are added up; When the weights accumulation result reaches the weights upper limit, then this program behavior is judged as the harmful program behavior.
In the computer protecting method of analyzing based on program behavior of the present invention, the described weights upper limit judged by empirical value provided by the invention, or according to User Defined.
The computer protecting method of analyzing based on program behavior of the present invention, described monitored program is in running status, after it withdraws from, no longer monitors and record.Like this, effective protection system not only, and can reduce system overhead.
In the computer protecting method based on the program behavior analysis of the present invention, described program behavior knowledge base, its structrual description comprises: program ID, Program Type, program run level, write PE file permission, calling system SHELL authority, network behavior and registry operations.
In the wherein said program behavior knowledge base, described Program Type is the class of procedures enumeration type, is divided into the program and the common applications that can be cushioned district's flooding.
Wherein said network behavior, its structrual description comprises: network connecting moves type, use port number and connection are described.
Wherein said connection is described and is comprised: local port, local address, remote port, remote address and use agreement.
Wherein said registry operations, its structrual description comprises: the operated registration table item number of this program, the key assignments of every operation.
And, described program behavior knowledge base, by using software to check to local computer, add record with the corresponding known procedure behavior of the already used known procedure of user, as the program behavior knowledge base of local computer, and need replenish the known procedure that the user will use according to the user.
Wherein, described attack recognition rule storehouse comprises:
Virus rule one,
A) run on the program of client layer RING3, change system core layer RING0 operation over to;
Virus rule two,
B) this program is carried out the operation of revising other program files;
Long-range attack rule one,
C) after this program is accepted data by listening port, call the SHELL program immediately;
Long-range attack rule two,
D) after this program receives data by listening port, buffer zone takes place overflow;
Long-range attack rule three,
E) after this program receives data by listening port, call generic-document host-host protocol tftp procedure immediately;
Mail worm rule one,
F) this program is generated automatically by mailing system, and revises the self-starting item of registration table during this program run, and this program does not have window, pallet-free, and begins to send mail immediately;
Suspicious wooden horse rule one,
G) this program is generated automatically by mailing system, and revises the self-starting item of registration table during this program run, and this program does not have window, pallet-free, and begins to create listening port immediately;
In the computer protecting method based on the program behavior analysis of the present invention, described attack recognition rule storehouse, its structrual description comprises: complete trails, founder's complete trails, founder's characteristic, the founder that can carry out the PE file have or not window, with the founder whether identical file, whether copy self, file have or not descriptions, whether self-starting, whose establishment the self-starting item, whether be not created the person start, whether oneself establishment self-starting item, whether window or tray icon, modification registry entry chained list and network action chained list are arranged.
Wherein, the sub-data structure of described modification registry entry chained list comprises: inlet tabulation, key name, value name and value.
Wherein, the sub-data structure of described network action chained list comprises: type, local port, local address, remote port, remote address and use agreement.
Description of drawings
Fig. 1 is the process flow diagram of the computer protecting method of analyzing based on program behavior of the present invention;
Fig. 2 is the process flow diagram of the weights calculating of the action behavior of judgement unknown program.
Embodiment
With reference to the accompanying drawings, and, the computer protecting method based on the program behavior analysis of the present invention is applied in the Windows of this Microsoft operating system embodiments of the invention be elaborated in conjunction with the most frequently used Windows of Microsoft operating system.
As shown in Figure 1, be the process flow diagram of the computer protecting method of analyzing based on program behavior of the present invention.
The computer protecting method of analyzing based on program behavior of the present invention is characterized in that:
For known procedure, monitor its action behavior, and with the program behavior knowledge base in the fair play behavior of the described known procedure that writes down compare, judge whether this known procedure is subjected to rogue attacks;
For unknown program, monitor its action behavior, and compare with attacking the attack recognition rule that writes down in the recognition rule storehouse, judge whether it is harmful program;
The computer protecting method of analyzing based on program behavior of the present invention is characterized in that, comprises the steps:
6.1) program brings into operation;
6.2) judge whether this program is known procedure;
6.3) as being judged as known procedure, then monitor, write down the action behavior of this known procedure, and with the program behavior knowledge base in the legal action behavior of the known procedure of storing compare, and judge whether this program is attacked; As be judged as unknown program, whether be that harmful action behavior is judged to the action behavior of this program.
And, after described program is judged as known procedure,, also comprise the steps: this known procedure step of judging under attack whether
7.1) collude and hang the programming system API Calls;
7.2) the watchdog routine action behavior, supervisory control action that prize procedure is performed and dangerous play;
7.3) the known procedure fair play behavior of storing in the action behavior that write down and the program behavior knowledge base is compared, judge whether this known procedure is under attack;
7.4) if comparative result is the fair play behavior, then return step 7.1); If comparative result proves then that for not this known procedure is under attack, and stop this program continuation operation, to User Alarms, or products for further is handled.Therefore, adopt aforesaid method that known procedure is checked, not only can guarantee to known procedure whether normally operation judge, and can check out whether known procedure is under attack, and adopt the method for virus pattern code comparison to compare with prior art, the accuracy of not only checking virus attack is better, and it is higher to carry out efficient.
As mentioned above, compare,, illustrate that then described known procedure operation is normal if known procedure is carried out according to the aforementioned legal program behavior that writes down according to the legal action behavior that will write down in known procedure and the program behavior knowledge base; If in case action behavior beyond this known procedure fair play behavior occurred, can determine that then described known procedure receives attack, it should be stopped.
And, described step 7.4) in also comprise the steps:
8.1) according to the definition of program behavior knowledge base, judge whether the end process;
8.2) if judged result is for being, then the calling system api function finishes current process; If judged result is not, then the calling system api function finishes current thread.
Because in known procedure, it is the bottom service of system that its function of quite a few program is arranged, if directly with these EOP (end of program), system is restarted, so that systemic breakdown.Therefore, in the present invention, define, as above-mentioned step 8.1 for the program in the program behavior knowledge base), cannot stop for those, and program under attack, will be according to step 8.2) described, the thread of having carried out illegal operation is finished to get final product.As mentioned above, promptly guarantee the safety of system, can not influence the work of system again, make system stable operation, avoided existing virus firewall instrument, because when the program virus of the critical services in the system checked, in the time of kill virus, make program file important in the system cause damage, influence the stability of system.For example in the Windows of the Microsoft operating system, Lsass.exe is a system service program, if this program may be subjected to flooding, then its process can not be finished, and system is restarted cause system's instability; Therefore, according in method of the present invention and the program behavior knowledge base it being defined, the thread end with this program generation flooding like this, promptly can guarantee security of system, can organize the infringement of harmful program to system again; The Word of Microsoft copy editor software and for example; also there is the danger of flooding, but because it is not a system service software, so the definition of the method according to this invention and program behavior knowledge base; whole Word process can be finished, protect the safety of system with this.
If, after described program is judged as unknown program, whether be the step that harmful action behavior is judged to the action behavior of this program, comprise the steps:
9.1) collude and hang the programming system API Calls;
9.2) the watchdog routine action behavior, supervisory control action that prize procedure is performed and dangerous play;
9.3) judge whether this program has the program source;
9.4) action behavior and the attack recognition rule of attacking in the recognition rule storehouse of this program that will capture compare;
9.5) judge whether this program is harmful program; If judged result is for being then to enter next step;
9.6) confirm whether to allow this program to continue to carry out by the user;
9.7) if the user confirms to allow this program to continue operation, then this program continues operation, if the user confirms not allow this program to continue operation, then stop this program and continue operation.
In the computer protecting method based on the program behavior analysis of the present invention, if this program has the program source-information, then the action behavior of this program that will monitor records in the program behavior knowledge base, and returns step 9.2), continue to the action behavior of this program monitor, record.
When having the action behavior of the program in program source to record in the program behavior knowledge base this, the structure of its record is identical with the program behavior knowledge base, and returning step 9.2) after, continue to catch the supervisory control action and the dangerous play of this program, and continue in the program behavior knowledge base, to add the record of this program.As mentioned above, can make the program behavior knowledge base obtain constantly replenishing, after the record of unknown program is added in the program behavior knowledge base, this unknown program just changes for known procedure, when carrying out this program once more, then judge, thereby improved the efficient of system according to the determination methods of known procedure.
And, as shown in Figure 2, the process flow diagram that calculates for the weights of the action behavior of judging unknown program.
The computer protecting method of analyzing based on program behavior of the present invention, wherein said step 9.4) or described step 9.5) in, whether the action behavior of judging this program is harmful action behavior, by in step 9.4) in compare with the attack recognition rule of attacking in the recognition rule storehouse, obtain the weights of this supervisory control action or dangerous play, and in step 9.5) in weights are added up; When the weights accumulation result reaches the weights upper limit, then this program behavior is judged as the harmful program behavior.Wherein, the described weights upper limit judged by empirical value provided by the invention, or according to User Defined.
The computer protecting method of analyzing based on program behavior of the present invention, wherein, aforementioned program behavior knowledge base is to utilize automation tools, one by one the performed action behavior of legal known procedure is analyzed tabulation, and the database that described analysis tabulation is stored;
Described attack recognition rule storehouse is, utilize automation tools, write down the database of the attack feature of computer virus, wooden horse and harmful program, each writes down a corresponding viroid, the corresponding behavior aggregate of each viroid, this behavior aggregate comprise a series of actions and between specific incidence relation.
As mentioned above, the attack feature of the harmful program that writes down in the aforementioned as can be known attack recognition rule storehouse is not the single action of certain or certain virus, wooden horse.According to following actions behavior classification as can be known, single action is not a standard of judging harmful program.Therefore, attack being recorded as of storing in the recognition rule storehouse, corresponding viroid of the described record of each bar or wooden horse, and a plurality of action behaviors that comprise this viroid or wooden horse are as its feature, and write down between a plurality of action behaviors of described this viroid or wooden horse incidence relation, thereby can make judgement to harmful program accurately at aspects such as times.
And as mentioned above, weights are set, carry out described supervisory control action or dangerous play when unknown program and reach on the weights in limited time for each supervisory control action and dangerous play, then can be to User Alarms; And this weights upper limit can be used empirical value provided by the present invention, also can bring convenience in the use for the user by User Defined.
As mentioned above, the action behavior of monitoring, writing down comprises:
Supervisory control action, this action may influence computer security, need monitor in real time it; And described supervisory control action is the performed common action of computer program, is the action that most normal procedures also must be carried out.
And described supervisory control action comprises: file operation; Network operation; Establishment process, establishment thread; Registry operations; Window, pallet operation; Storehouse overflows; Inject thread; Intercepting system API Calls and visit, modification and establishment user account number.
Dangerous play, this action at first are supervisory control actions, and in program run, this action may threaten computer security; And the action that described dangerous play can be carried out for the minority normal procedure, and the program that most Viruses or trojan horse program need be carried out, therefore the program of carrying out such action has harmfulness can be bigger, for example, program changes the operation level voluntarily, in the Windows of Microsoft operating system, certain Automatic Program is carried out from application layer (RING3) elevator system level (RING0), have only the normal procedure of minority just to have this feature, but but be the feature that much has aggressive Virus and had jointly.
And described dangerous play comprises: call the SHELL program; The update routine file or the file of writing a program; Call FTP or TFTP; Create FTP or TFTP service; Send mail; Browser or mailing system are moved other programs automatically; Create a large amount of identical threads; Revise and create user account number; Dangerous network operation; Add the startup item to system registry; Revise the system start-up file; Inject thread to other processes; Storehouse overflows; Automatically promote during the application layer process and be system-level process operation; The intercepting system API Calls.
Except that aforementioned supervisory control action and dangerous play, also comprise non-supervisory control action, promptly do not influence the action that computer security need not to monitor.For example, revise to show be provided with, to calling of GDI resource etc.These actions can not cause harmful effect to system, therefore in order to save system overhead, these action behaviors are not monitored.
In the computer protecting method of analyzing based on program behavior of the present invention, described automation tools is, the API by colluding the extension system (Application Programming Interface: application programming interface) monitor the action behavior of program by function.Usually need carry out calling of API that system provides when existing operating system, program are carried out, therefore, only need can monitor the performed action behavior of program by colluding system's API Calls of extension program.
As mentioned above for unknown program, according to aforementioned attack recognition rule storehouse, can judge whether this program is harmful program, analyze from program behavior and not only to have saved frequently the upgrade trouble of virus base of user the existing antivirus software, and more can play good interception result for harmful programs such as the virus of the unknown, wooden horses, this is the difficult problem that prior art cann't be solved, and has higher execution efficient.
And, abovementioned steps 9.3) in, whether described program source-information is for comprising: whether be that installation procedure is created, be the program of confirming through the user.As shown in Figure 1, when certain unknown program is when being created by installation procedure, this program has very high reliability, therefore can be by the system default setting, think that this program is a legal procedure,, add in the program behavior knowledge base therefore with its action behavior, therefore under the prerequisite that guarantees security of system, reduced the expense of system.If the action behavior of certain its execution of unknown program has passed through user's affirmation, illustrate that then the user understands the action behavior of this program, therefore add it to program behavior knowledge base, and later action behavior is also added in the program behavior knowledge base.
In the computer protecting method based on the program behavior analysis of the present invention, described step 7.4) or described step 9.7) in, by calling system API, known procedure under attack and the unknown program with harmful action behavior are stopped.Described api function is the fixing function that operating system provides.
The computer protecting method of analyzing based on program behavior of the present invention, described monitored program is in running status, after it withdraws from, no longer monitors and record.Like this, effective protection system not only, and can reduce system overhead.
In the computer protecting method based on the program behavior analysis of the present invention, described program behavior knowledge base, its structrual description comprises: program ID, Program Type, program run level, write PE file permission, calling system SHELL authority, network behavior and registry operations.
Described program behavior knowledge base structure entity description is as follows:
struct?Know
{
DWORD?type1;
BOOL?bAllowedWriteFile;
BOOL?bCreateShell;
DWORD?NetOffset;
DWORD?RegOffset;
};
Wherein: type1 is the class of procedures enumeration type, temporarily is divided into the program and common applications two classes that can be cushioned district's flooding at present, be described below,
enum?KnowType{OVERFLOW,NORMAL};
BAllowedWriteFile represents whether this program can be write can carry out the PE file.
BCreateShell represents whether this program can calling system shell.
NetOffset is illustrated in the position what are offset in the knowledge Base article and is the description to this program network behavior.
RegOffset is illustrated in the position what are offset in the knowledge Base article and is the description to this program registration table handling behavior.
The structural solid that uses following separation structure to describe the network action behavior of this program in the program behavior knowledge base is described as:
struct?Net
{
short?type2;
int?num;
ListenPort?port[];
};
Wherein, Type2 is used for describing the type of action that network connects, and is divided into two classes, monitors and is connected, uses the following amount of enumerating description,
enum?NetType{Listen,Connect};
Num is the port number that relates to;
ListenPort at the specific descriptions of each connection, uses following structure to represent,
struct?ListenPort
{
short?lport;
IPADDR?lipaddr;
short?dport;
IPADDR?dipaddr;
short?protocol;
};
Lport: the local port of use;
Lipaddr: the local address of use;
Dport: the remote port that is connected;
Dipaddr: the remote address that is connected;
Protocol: employed agreement, use the ICP/IP protocol definition.
The structural solid that uses following separation structure to describe the registry operations action behavior of this program in the program behavior knowledge base is described as:
struct?Reg
{
int?num;
char*fullregname[];
};
Num represents the registration table item number that this program is operated.
Fullregname, the key assignments of each operation.
And, described program behavior knowledge base, by using software to check to local computer, add record with the corresponding known procedure behavior of the already used known procedure of user, as the program behavior knowledge base of local computer, and need replenish the known procedure that the user will use according to the user.
In the computer protecting method based on the program behavior analysis of the present invention, described attack recognition rule storehouse, its structrual description comprises: complete trails, founder's complete trails, founder's characteristic, the founder that can carry out the PE file have or not window, with the founder whether identical file, whether copy self, file have or not descriptions, whether self-starting, whose establishment the self-starting item, whether be not created the person start, whether oneself establishment self-starting item, whether window or tray icon, modification registry entry chained list and network action chained list are arranged.
In the method for differentiation harmful program of the present invention behavior, described attack recognition rule storehouse, wherein, the data structure entity of each record is:
struct?UnknowPEFileInMem
{
Char WeighofDanger; // dangerous weights
Char FileName[MAX_PATH]; The complete trails of // new PE the file of creating
Char CreatorName[MAX_PATH]; // founder's complete trails
Char CharacterOfCreator; // founder's characteristic
Char NoWindowOfCreator; // founder has or not window
Char SameAsCreator; // with the founder be same file
Char CopySelf; // copy self is CopySelf for the founder, is SameAsCreator for the file that is replicated, // distinguish both in proper order
Char FileDescription; // file has or not description
Char AutoRun; // whether self-starting
Char WhoWriteAutoRun; The self-starting item of // whose establishment
BOOLEAN RunByCreator; // whether be not created the person to start
BOOLEAN RunBySelf; // whether oneself create and start
BOOLEAN bCreateWindow; // whether window or tray icon are arranged
LIST_ENTRY RegList; // modification registry entry chained list
LIST_NET ListNetAction; // network action chained list
}
The concrete data recording and the description of above-mentioned founder's characteristic " CharacterOfCreator " are:
-1: unknown program;
0: other known procedure;
1: mailing system;
2: web browser;
3: internet exchange system (as QQ, MSN etc.);
The concrete data recording and the description of the self-starting item " WhoWriteAutoRun " of above-mentioned whose establishment are:
0: the unknown;
1: oneself;
2: the founder;
Oneself, the founder can write
The sub-data structure entity of wherein revising the registry entry chained list is.
struct?REG_DATA
{
LIST_ENTRY List; The tabulation of // inlet
Char Key[]; // key name
Char ValueName[]; // value name
Char Value[]; // value
}
Wherein the sub-data structure entity of network action chained list is:
struct?LIST_NET
{
Int type; // type
Short lport; // local port
IPADDR lipaddr; // local ip address
Short dport; // remote port
IPADDR dipaddr; // remote ip address
Short protocol; // use agreement
};
According to attacking the recognition rule storehouse as mentioned above, comprising:
Virus rule one,
A) run on the program of client layer RING3, change system core layer RING0 operation over to;
Virus rule two,
B) this program is carried out the operation of revising other program files;
Long-range attack rule one,
C) after this program is accepted data by listening port, call the SHELL program immediately;
Long-range attack rule two,
D) after this program receives data by listening port, buffer zone takes place overflow;
Long-range attack rule three,
E) after this program receives data by listening port, call generic-document host-host protocol tftp procedure immediately;
Mail worm rule one,
F) this program is generated automatically by mailing system, and revises the self-starting item of registration table during this program run, and this program does not have window, pallet-free, and begins to send mail immediately;
Suspicious wooden horse rule one,
G) this program is generated automatically by mailing system, and revises the self-starting item of registration table during this program run, and this program does not have window, pallet-free, and begins to create listening port immediately;
Be example with the virus attack below, embodiments of the invention are elaborated.
For a known procedure, can not the update routine file if program behavior is described as, when this program run, other program files have but been revised, above-mentioned dangerous play is by system monitoring, compare with the fair play behavior of this known procedure of storing in the program behavior knowledge base then, produce different actions, therefore can judge that this known procedure must be by virus infections.Utilize this method can find viruses such as CIH, when being moved by the known procedure of virus infectionses such as CIH, this known procedure will attempt to infect other PE files, therefore can be under to virus and uncomprehending situation, it is stoped, thereby avoided newborn virus being had an opportunity to take advantage of owing to the hysteresis quality that viral code upgrades.
Utilize interception Sasser virus below, embodiments of the invention are explained: the Sasser worm-type virus is different with other worm-type viruses, does not send mail, and its principle of work is, opens up the back door in this locality.Monitor TCP 5554 ports, wait for remote control command as ftp server.Virus provides file to transmit with the form of FTP.The hacker can be by file and other information of this port stealing subscriber set.Virus is opened up 128 scanning threads, based on local ip address, get IP address at random, mad exploration connects 445 ports, attempt to utilize to exist a buffer-overflow vulnerability to attack among the LSASS in the windows operating system, in case success attack can cause the other side's machine to infect this virus and carry out the propagation of next round.
When infected Sasser virus computing machine send attack packets when having used guard system of the present invention, the LSASS process of local computer is overflowed, flooding code can call GetProcAddress, will be caught by monitoring mechanism of the present invention, be judged as buffer zone and overflow, and before overflowing, the LSASS process can be from 139 of system, 445 ports receive data, this and above-mentioned d) the regular rule that is provided conforms to; Therefore the present invention can accurately judge this long-range attack, so system call ExitThread this thread is finished, thereby local computer has effectively been protected in the action that makes the Sasser worm can't enter next step.
Utilize the famous bounce-back row wooden horse black hole of intercepting and capturing that embodiments of the invention are explained below again: because it belongs to unknown program, this process initiation is promptly caught by supervisory system of the present invention, and this program is not created application window and system tray district icon simultaneously; And can revise the registry boot item behind this program start, to guarantee that oneself can start automatically when next user logins, this action behavior also is dangerous play, therefore also caught by supervisory system of the present invention, this process continues execution will connect far-end web server to obtain the address of client service, port information, carry out information transmission so that connect with it, after this networking action is hunted down, above-mentioned action is together compared with the rule of attacking in the recognition rule storehouse, meet the regular g that attacks in the recognition rule storehouse), just can be judged as suspicious wooden horse, and to User Alarms, the attribute that this illegal program is described simultaneously is suspicious wooden horse,,, avoided existing firewall system and just reported to the police as long as network action takes place so that the user understands information more accurately, and need the user to actuation of an alarm security make judgement, avoided the less user of computer literacy when using guard system, to produce trouble.
By above-mentioned description, field related work personnel of the present invention can carry out various change and modification fully in the scope that does not depart from this invention technological thought.Therefore, the technical scope of this invention is not limited to the content on the instructions, must determine its technical scope according to interest field.

Claims (36)

1, a kind of computer protecting method of analyzing based on program behavior, it is characterized in that: for known procedure, monitor its action behavior, and with the program behavior knowledge base in the fair play behavior of this known procedure of writing down compare, judge whether this known procedure is subjected to rogue attacks; For unknown program, monitor its action behavior, and compare with attacking the attack recognition rule that writes down in the recognition rule storehouse, judge whether it is harmful program;
Described program behavior knowledge base is, utilizes automation tools, one by one the performed action behavior of legal known procedure analyzed tabulation, and the database that described analysis tabulation is stored;
Described attack recognition rule storehouse is, utilize automation tools, write down the database of the attack feature of computer virus, wooden horse and harmful program, each writes down a corresponding viroid, the corresponding behavior aggregate of each viroid, this behavior aggregate comprise a series of actions and between incidence relation.
2, according to the described computer protecting method of analyzing based on program behavior of claim 1, it is characterized in that, describedly monitor, the operation of recording behavior comprises:
Supervisory control action, this action may influence computer security, need monitor in real time it;
Dangerous play, this action at first are supervisory control actions, and in program run, this action may threaten computer security;
In addition, also comprise non-supervisory control action, promptly do not influence the action that computer security need not to monitor.
3, according to the described computer protecting method of analyzing based on program behavior of claim 2, it is characterized in that described supervisory control action comprises:
File operation; Network operation; Establishment process, establishment thread; Registry operations; Window, pallet operation; Storehouse overflows; Inject thread; Intercepting system API Calls and visit, modification and establishment user account number.
4, according to the described computer protecting method of analyzing based on program behavior of claim 2, it is characterized in that described dangerous play comprises:
Call the SHELL program; The update routine file or the file of writing a program; Call FTP or TFTP; Create FTP or TFTP service; Send mail; Browser or mailing system are moved other programs automatically; Create a large amount of identical threads; Revise and create user account number; Dangerous network operation; Add the startup item to system registry; Revise the system start-up file; Inject thread to other processes; Storehouse overflows; The application layer process promotes automatically and is system-level process operation; The intercepting system API Calls.
5, according to the described computer protecting method of analyzing based on program behavior of claim 1, it is characterized in that: described automation tools is by the api function that colludes the extension system action behavior of program to be monitored.
6, according to the described computer protecting method of analyzing based on program behavior of claim 1, it is characterized in that, comprise the steps:
6.1) program brings into operation;
6.2) judge whether this program is known procedure;
6.3) as being judged as known procedure, then monitor, write down the action behavior of this known procedure, and with the program behavior knowledge base in the legal action behavior of the known procedure of storing compare, and judge whether this program is attacked; As be judged as unknown program, whether be that harmful action behavior is judged to the action behavior of this program.
7, according to claim 1 or the 6 described computer protecting methods of analyzing based on program behavior, it is characterized in that, after described program is judged as known procedure,, also comprise the steps: this known procedure step of judging under attack whether
7.1) collude and hang the programming system API Calls;
7.2) the watchdog routine action behavior, supervisory control action that prize procedure is performed and dangerous play;
7.3) the known procedure fair play behavior of storing in the action behavior that write down and the program behavior knowledge base is compared, judge whether this known procedure is under attack;
7.4) if comparative result is the fair play behavior, then return step 7.1); If comparative result proves then that for not this known procedure is under attack, and stop this program continuation operation, to User Alarms, or products for further is handled.
8, according to the described computer protecting method of analyzing based on program behavior of claim 7, it is characterized in that described step 7.4) in also comprise the steps:
8.1) according to the definition of program behavior knowledge base, judge whether the end process;
8.2) if judged result is for being, then the calling system api function finishes current process; If judged result is not, then the calling system api function finishes current thread.
Whether, described program be judged as unknown program after, to the action behavior of this program be step that harmful action behavior judge, comprise the steps: according to claim 1 or the 6 described computer protecting methods of analyzing based on program behavior if 9,, it is characterized in that
9.1) collude and hang the programming system API Calls;
9.2) the watchdog routine action behavior, supervisory control action that prize procedure is performed and dangerous play;
9.3) judge whether this program has the program source;
9.4) action behavior and the attack recognition rule of attacking in the recognition rule storehouse of this program that will capture compare;
9.5) judge whether this program is harmful program; If judged result is for being then to enter next step;
9.6) confirm whether to allow this program to continue to carry out by the user;
9.7) if the user confirms to allow this program to continue operation, then this program continues operation, if the user confirms not allow this program to continue operation, then stop this program and continue operation.
10, according to the described computer protecting method of analyzing based on program behavior of claim 9, it is characterized in that: described step 9.3), if this program has the program source-information, then the action behavior of this program that will monitor records in the program behavior knowledge base, and returns step 9.2).
11, according to the described computer protecting method of analyzing based on program behavior of claim 10, it is characterized in that: when having the action behavior of the program in program source to record in the program behavior knowledge base this, the structure of its record is identical with the program behavior knowledge base, and returning step 9.2) after, continue to catch the supervisory control action and the dangerous play of this program, and continue in the program behavior knowledge base, to add the record of this program.
12, according to the described computer protecting method of analyzing based on program behavior of claim 9, it is characterized in that described step 9.3) in, whether described program source-information comprises: be that installation procedure is created; Whether be the program of confirming through the user.
13, according to the described computer protecting method of analyzing based on program behavior of claim 9, it is characterized in that: described step 9.6), after the nothing source unknown program that the user confirms to allow to be judged to harmful program continues to carry out, the described action behavior of this program is recorded in the program behavior knowledge base; And return step 9.2).
14, according to the described computer protecting method of analyzing based on program behavior of claim 13, it is characterized in that: the user confirms the action behavior of unknown program, and when adding in the program behavior knowledge base, the structure of its record is identical with the program behavior knowledge base, and returning step 9.2) after, continue to catch the supervisory control action and the dangerous play of this program, and continue in the program behavior knowledge base, to add the record of this program.
15, according to any described computer protecting method of analyzing based on program behavior in the claim 7 to 11,13 or 14, it is characterized in that: recorded the unknown program that the program source is arranged of program behavior knowledge base and the unknown program of its action behavior being confirmed through the user, when moving this program once more, will judge it according to the determination methods of known procedure.
16, according to any described computer protecting method of analyzing based on program behavior in the claim 1,7 or 9, it is characterized in that: described step 7.4) or described step 9.7) in, by calling system API, known procedure under attack and the unknown program with harmful action behavior are stopped.
17, according to the described computer protecting method of analyzing based on program behavior of claim 9, it is characterized in that:
Described step 9.4) or described step 9.5) in, whether the action behavior of judging this program is harmful action behavior,
By in step 9.4) in the action behavior of this unknown program of catching compare with the attack recognition rule of attacking in the recognition rule storehouse, obtain the weights of this supervisory control action or dangerous play;
In step 9.5) in weights are added up; When the weights accumulation result reaches the weights upper limit, then this program behavior is judged as the harmful program behavior.
18, according to the described computer protecting method of analyzing based on program behavior of claim 17, it is characterized in that: the described weights upper limit judged by empirical value provided by the invention, or according to User Defined.
19, according to any described computer protecting method of analyzing based on program behavior in the claim 6 to 9, it is characterized in that: described monitored program is in running status, after it withdraws from, no longer monitors and record.
20, according to the described computer protecting method of analyzing based on program behavior of claim 1, it is characterized in that, described program behavior knowledge base, its structrual description comprises: program ID, Program Type, program run level, write PE file permission, calling system SHELL authority, network behavior and registry operations.
21, according to the described computer protecting method of analyzing based on program behavior of claim 20, it is characterized in that: in the described program behavior knowledge base, described Program Type is the class of procedures enumeration type, is divided into the program and the common applications that can be cushioned district's flooding.
22, according to the described computer protecting method of analyzing based on program behavior of claim 20, it is characterized in that, described network behavior, its structrual description comprises: network connecting moves type, use port number and connection are described.
According to the described computer protecting method of analyzing based on program behavior of claim 22, it is characterized in that 23, described connection is described and comprised: local port, local address, remote port, remote address and use agreement.
24, according to the described computer protecting method of analyzing based on program behavior of claim 20, it is characterized in that, described registry operations, its structrual description comprises: the operated registration table item number of this program, the key assignments of every operation.
25, according to claim 1 or the 20 described computer protecting methods of analyzing based on program behavior, it is characterized in that: described program behavior knowledge base, by using software to check to local computer, add record with the corresponding known procedure behavior of the already used known procedure of user, as the program behavior knowledge base of local computer, and need replenish the known procedure that the user will use according to the user.
According to the described computer protecting method of analyzing based on program behavior of claim 1, it is characterized in that 26, in the described attack recognition rule storehouse, described incidence relation comprises the time relationship between the action of front and back and calls and the relation of being called.
According to the described computer protecting method of analyzing based on program behavior of claim 26, it is characterized in that 27, described attack recognition rule storehouse comprises virus rule one:
A) run on the program of client layer RING3, change system core layer RING0 operation over to.
According to the described computer protecting method of analyzing based on program behavior of claim 26, it is characterized in that 28, described attack recognition rule storehouse comprises virus rule two:
B) this program is carried out the operation of revising other program files.
29, according to the described computer protecting method of analyzing based on program behavior of claim 26, it is characterized in that described attack recognition rule storehouse comprises long-range attack rule one:
C) after this program is accepted data by listening port, call the SHELL program immediately.
30, according to the described computer protecting method of analyzing based on program behavior of claim 26, it is characterized in that described attack recognition rule storehouse comprises long-range attack rule two:
D) after this program receives data by listening port, buffer zone takes place overflow.
31, according to the described computer protecting method of analyzing based on program behavior of claim 26, it is characterized in that described attack recognition rule storehouse comprises long-range attack rule three:
E) after this program receives data by listening port, call generic-document host-host protocol tftp procedure immediately.
32, according to the described computer protecting method of analyzing based on program behavior of claim 26, it is characterized in that described attack recognition rule storehouse comprises mail worm rule one:
F) this program is generated automatically by mailing system, and revises the self-starting item of registration table during this program run, and this program does not have window, pallet-free, and begins to send mail immediately.
33, according to the described computer protecting method of analyzing based on program behavior of claim 26, it is characterized in that described attack recognition rule storehouse comprises suspicious wooden horse rule one:
G) this program is generated automatically by mailing system, and revises the self-starting item of registration table during this program run, and this program does not have window, pallet-free, and begins to create listening port immediately.
34, according to the described computer protecting method of analyzing based on program behavior of claim 26, it is characterized in that, described attack recognition rule storehouse, its structure comprises: complete trails, founder's complete trails, founder's characteristic, the founder that can carry out the PE file have or not window, with the founder whether identical file, whether copy self, file have or not descriptions, whether self-starting, whose establishment the self-starting item, whether be not created the person start, whether oneself establishment self-starting item, whether window or tray icon, modification registry entry chained list and network action chained list are arranged.
35, according to the described computer protecting method of analyzing based on program behavior of claim 34, it is characterized in that the sub-data structure of described modification registry entry chained list comprises: inlet tabulation, key name, value name and value.
36, according to the described computer protecting method of analyzing based on program behavior of claim 34, it is characterized in that the sub-data structure of described network action chained list comprises: type, local port, local address, remote port, remote address and use agreement.
CNB200510007682XA 2005-02-07 2005-02-07 Computer protecting method based on the program behavior analysis CN100547513C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200510007682XA CN100547513C (en) 2005-02-07 2005-02-07 Computer protecting method based on the program behavior analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB200510007682XA CN100547513C (en) 2005-02-07 2005-02-07 Computer protecting method based on the program behavior analysis

Publications (2)

Publication Number Publication Date
CN1818823A true CN1818823A (en) 2006-08-16
CN100547513C CN100547513C (en) 2009-10-07

Family

ID=36918868

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200510007682XA CN100547513C (en) 2005-02-07 2005-02-07 Computer protecting method based on the program behavior analysis

Country Status (1)

Country Link
CN (1) CN100547513C (en)

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008098519A1 (en) * 2007-02-14 2008-08-21 Jie Bai A computer protection method based on a program behavior analysis
CN100437614C (en) * 2005-11-16 2008-11-26 白杰 Method for identifying unknown virus programe and clearing method thereof
US7870612B2 (en) 2006-09-11 2011-01-11 Fujian Eastern Micropoint Info-Tech Co., Ltd Antivirus protection system and method for computers
CN102073816A (en) * 2010-12-31 2011-05-25 兰雨晴 Behavior-based software trusted measurement system and method
CN101127638B (en) * 2007-06-07 2011-06-15 飞塔公司 A system and method with active virus automatic prevention and control
CN101593249B (en) * 2008-05-30 2011-08-03 成都市华为赛门铁克科技有限公司 Suspicious file analyzing method and suspicious file analyzing system
CN101286986B (en) * 2008-05-15 2011-09-14 成都市华为赛门铁克科技有限公司 Active defense method, device and system
CN102694817A (en) * 2012-06-08 2012-09-26 奇智软件(北京)有限公司 Method, device and system for identifying abnormality of network behavior of program
CN102752290A (en) * 2012-06-13 2012-10-24 腾讯科技(深圳)有限公司 Method and device for determining safety information of unknown file in cloud safety system
CN102789559A (en) * 2011-05-20 2012-11-21 北京网秦天下科技有限公司 Method and device for monitoring program installation and program operation in mobile device
CN101470620B (en) * 2007-12-29 2013-01-16 珠海金山软件有限公司 Method and apparatus for judging PE file source code consistency
CN103136471A (en) * 2011-11-25 2013-06-05 中国科学院软件研究所 Method and system for testing malicious Android application programs
CN103136475A (en) * 2011-11-29 2013-06-05 姚纪卫 Method and device for detecting computer viruses
CN103207969A (en) * 2013-04-12 2013-07-17 百度在线网络技术(北京)有限公司 Device and method for detecting Android malware
CN103294947A (en) * 2012-02-23 2013-09-11 株式会社日立制作所 Program analysis system and method thereof
US8561192B2 (en) 2007-10-15 2013-10-15 Beijing Rising Information Technology Co., Ltd. Method and apparatus for automatically protecting a computer against a harmful program
CN103366115A (en) * 2013-07-03 2013-10-23 中国联合网络通信集团有限公司 Safety detecting method and device
CN103428223A (en) * 2013-08-28 2013-12-04 北京永信至诚科技有限公司 Trojan horse behavior identification method and system
WO2014012441A1 (en) * 2012-07-16 2014-01-23 Tencent Technology (Shenzhen) Company Limited Method and apparatus for determining malicious program
CN103810424A (en) * 2012-11-05 2014-05-21 腾讯科技(深圳)有限公司 Method and device for identifying abnormal application programs
CN103839003A (en) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
US8898775B2 (en) 2007-10-15 2014-11-25 Bejing Rising Information Technology Co., Ltd. Method and apparatus for detecting the malicious behavior of computer program
CN105653948A (en) * 2014-11-14 2016-06-08 腾讯数码(深圳)有限公司 Method and device for preventing malicious operation
CN106033511A (en) * 2015-03-17 2016-10-19 阿里巴巴集团控股有限公司 Method and device for preventing website data from leaking
WO2017197942A1 (en) * 2016-05-19 2017-11-23 腾讯科技(深圳)有限公司 Virus database acquisition method and device, equipment, server and system
CN107609411A (en) * 2017-09-15 2018-01-19 郑州云海信息技术有限公司 A kind of system and method for intelligent monitoring classified document
CN107657176A (en) * 2017-09-26 2018-02-02 四川长虹电器股份有限公司 A kind of unknown malicious code identification of Behavior-based control analysis and analysis method
CN107992751A (en) * 2017-12-21 2018-05-04 郑州云海信息技术有限公司 A kind of real-time threat detection method based on branch's behavior model
CN108073809A (en) * 2017-12-25 2018-05-25 哈尔滨安天科技股份有限公司 APT Heuristic detection methods and system based on abnormal component liaison
CN108959951A (en) * 2017-05-19 2018-12-07 北京瑞星网安技术股份有限公司 Method, apparatus, equipment and the readable storage medium storing program for executing of document security protection
CN109040136A (en) * 2018-09-29 2018-12-18 成都亚信网络安全产业技术研究院有限公司 A kind of detection method and electronic equipment of network attack

Cited By (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100437614C (en) * 2005-11-16 2008-11-26 白杰 Method for identifying unknown virus programe and clearing method thereof
US7870612B2 (en) 2006-09-11 2011-01-11 Fujian Eastern Micropoint Info-Tech Co., Ltd Antivirus protection system and method for computers
WO2008098519A1 (en) * 2007-02-14 2008-08-21 Jie Bai A computer protection method based on a program behavior analysis
CN101127638B (en) * 2007-06-07 2011-06-15 飞塔公司 A system and method with active virus automatic prevention and control
US8561192B2 (en) 2007-10-15 2013-10-15 Beijing Rising Information Technology Co., Ltd. Method and apparatus for automatically protecting a computer against a harmful program
US8898775B2 (en) 2007-10-15 2014-11-25 Bejing Rising Information Technology Co., Ltd. Method and apparatus for detecting the malicious behavior of computer program
CN101470620B (en) * 2007-12-29 2013-01-16 珠海金山软件有限公司 Method and apparatus for judging PE file source code consistency
CN101286986B (en) * 2008-05-15 2011-09-14 成都市华为赛门铁克科技有限公司 Active defense method, device and system
CN101593249B (en) * 2008-05-30 2011-08-03 成都市华为赛门铁克科技有限公司 Suspicious file analyzing method and suspicious file analyzing system
CN102073816A (en) * 2010-12-31 2011-05-25 兰雨晴 Behavior-based software trusted measurement system and method
CN102789559A (en) * 2011-05-20 2012-11-21 北京网秦天下科技有限公司 Method and device for monitoring program installation and program operation in mobile device
CN103136471A (en) * 2011-11-25 2013-06-05 中国科学院软件研究所 Method and system for testing malicious Android application programs
CN103136471B (en) * 2011-11-25 2015-12-16 中国科学院软件研究所 A kind of malice Android application program detection method and system
CN103136475A (en) * 2011-11-29 2013-06-05 姚纪卫 Method and device for detecting computer viruses
CN103136475B (en) * 2011-11-29 2017-07-04 姚纪卫 A kind of method and apparatus for checking computer virus
CN103294947A (en) * 2012-02-23 2013-09-11 株式会社日立制作所 Program analysis system and method thereof
CN102694817A (en) * 2012-06-08 2012-09-26 奇智软件(北京)有限公司 Method, device and system for identifying abnormality of network behavior of program
CN102752290A (en) * 2012-06-13 2012-10-24 腾讯科技(深圳)有限公司 Method and device for determining safety information of unknown file in cloud safety system
CN102752290B (en) * 2012-06-13 2016-06-01 深圳市腾讯计算机系统有限公司 The safe information defining method of unknown file in a kind of cloud security system and device
US9166998B2 (en) 2012-06-13 2015-10-20 Tencent Technology (Shenzhen) Company Limited Method and apparatus for determining security information of an unknown file in a cloud security system
WO2014012441A1 (en) * 2012-07-16 2014-01-23 Tencent Technology (Shenzhen) Company Limited Method and apparatus for determining malicious program
US9158918B2 (en) 2012-07-16 2015-10-13 Tencent Technology (Shenzhen) Company Limited Method and apparatus for determining malicious program
US9894097B2 (en) 2012-11-05 2018-02-13 Tencent Technology (Shenzhen) Company Limited Method and device for identifying abnormal application
CN103810424A (en) * 2012-11-05 2014-05-21 腾讯科技(深圳)有限公司 Method and device for identifying abnormal application programs
CN103810424B (en) * 2012-11-05 2017-02-08 腾讯科技(深圳)有限公司 Method and device for identifying abnormal application programs
CN103839003A (en) * 2012-11-22 2014-06-04 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN103839003B (en) * 2012-11-22 2018-01-30 腾讯科技(深圳)有限公司 Malicious file detection method and device
CN103207969A (en) * 2013-04-12 2013-07-17 百度在线网络技术(北京)有限公司 Device and method for detecting Android malware
CN103207969B (en) * 2013-04-12 2016-10-05 百度在线网络技术(北京)有限公司 The device of detection Android malware and method
CN103366115B (en) * 2013-07-03 2016-03-23 中国联合网络通信集团有限公司 Safety detecting method and device
CN103366115A (en) * 2013-07-03 2013-10-23 中国联合网络通信集团有限公司 Safety detecting method and device
CN103428223A (en) * 2013-08-28 2013-12-04 北京永信至诚科技有限公司 Trojan horse behavior identification method and system
CN105653948B (en) * 2014-11-14 2020-04-24 腾讯数码(深圳)有限公司 Method and device for preventing malicious operation
CN105653948A (en) * 2014-11-14 2016-06-08 腾讯数码(深圳)有限公司 Method and device for preventing malicious operation
CN106033511A (en) * 2015-03-17 2016-10-19 阿里巴巴集团控股有限公司 Method and device for preventing website data from leaking
WO2017197942A1 (en) * 2016-05-19 2017-11-23 腾讯科技(深圳)有限公司 Virus database acquisition method and device, equipment, server and system
US10990672B2 (en) 2016-05-19 2021-04-27 Tencent Technology (Shenzhen) Company Limited Method and apparatus for obtaining virus library, device, server, and system
CN108959951A (en) * 2017-05-19 2018-12-07 北京瑞星网安技术股份有限公司 Method, apparatus, equipment and the readable storage medium storing program for executing of document security protection
CN107609411A (en) * 2017-09-15 2018-01-19 郑州云海信息技术有限公司 A kind of system and method for intelligent monitoring classified document
CN107657176A (en) * 2017-09-26 2018-02-02 四川长虹电器股份有限公司 A kind of unknown malicious code identification of Behavior-based control analysis and analysis method
CN107992751B (en) * 2017-12-21 2020-05-08 苏州浪潮智能科技有限公司 Real-time threat detection method based on branch behavior model
CN107992751A (en) * 2017-12-21 2018-05-04 郑州云海信息技术有限公司 A kind of real-time threat detection method based on branch's behavior model
CN108073809A (en) * 2017-12-25 2018-05-25 哈尔滨安天科技股份有限公司 APT Heuristic detection methods and system based on abnormal component liaison
CN109040136A (en) * 2018-09-29 2018-12-18 成都亚信网络安全产业技术研究院有限公司 A kind of detection method and electronic equipment of network attack

Also Published As

Publication number Publication date
CN100547513C (en) 2009-10-07

Similar Documents

Publication Publication Date Title
US10664596B2 (en) Method of malware detection and system thereof
US9596257B2 (en) Detection and prevention of installation of malicious mobile applications
US9853941B2 (en) Security information and event management
JP6317434B2 (en) System and method for facilitating malware scanning using reputation indicators
US9547765B2 (en) Validating a type of a peripheral device
US9892261B2 (en) Computer imposed countermeasures driven by malware lineage
US9621571B2 (en) Apparatus and method for searching for similar malicious code based on malicious code feature information
JP5982575B2 (en) Security scan based on dynamic taint
CN103065092B (en) A kind of method of tackling suspect program and running
US8042186B1 (en) System and method for detection of complex malware
RU2530210C2 (en) System and method for detecting malware preventing standard user interaction with operating system interface
US9985978B2 (en) Method and system for misuse detection
CN1284095C (en) Task allocation method in multiprocessor system, and multiprocessor system
US7360249B1 (en) Refining behavioral detections for early blocking of malicious code
KR100968003B1 (en) Mechanism for evaluating security risks
CN101350052B (en) Method and apparatus for discovering malignancy of computer program
CN1210655C (en) Servicer equipment and information processing method
US9021584B2 (en) System and method for assessing danger of software using prioritized rules
CA2797584C (en) Behavioral signature generation using clustering
US8566943B2 (en) Asynchronous processing of events for malware detection
US8763128B2 (en) Apparatus and method for detecting malicious files
US8819835B2 (en) Silent-mode signature testing in anti-malware processing
US8087061B2 (en) Resource-reordered remediation of malware threats
US8261344B2 (en) Method and system for classification of software using characteristics and combinations of such characteristics
US8640245B2 (en) Optimization of anti-malware processing by automated correction of detection rules

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant
C14 Grant of patent or utility model
TR01 Transfer of patent right

Effective date of registration: 20150715

Address after: 100097 Beijing city Haidian District landianchang road A Jin Yuan era business center No. 2 block 5E

Patentee after: Beijing Dongfang Micropoint Information Technology Co., Ltd.

Address before: 350002, No. 548, industrial road, Gulou District, Fujian, Fuzhou, five

Patentee before: Dongfang Micro-point Information Security Co., Ltd., Fujian

ASS Succession or assignment of patent right

Owner name: BEIJING EASTERN MICROPOINT INFO-TECH CO., LTD.

Free format text: FORMER OWNER: FUJIAN ORIENT MICROPOINT INFORMATION SECURITY CO., LTD.

Effective date: 20150715

C41 Transfer of patent application or patent right or utility model