WO2017185827A1 - Method and apparatus for determining suspicious activity of application program - Google Patents

Info

Publication number
WO2017185827A1
Authority
WO
WIPO (PCT)
Prior art keywords
behavior
application
information
terminal device
process behavior
Application number
PCT/CN2017/070468
Other languages
French (fr)
Chinese (zh)
Inventor
刘振华
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2017185827A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Definitions

  • Embodiments of the present invention relate to the field of computers and, more particularly, to a method and apparatus for determining suspicious behavior of an application.
  • Detection of Advanced Persistent Threat (APT) attacks inside an enterprise generally relies on big data analytics: analyzing traffic in the enterprise network, analyzing files in sandboxes, and analyzing the alert logs of the various traditional security inspection devices in an attempt to discover advanced threats that traditional signature matching cannot recognize. The purpose of these analyses is to identify security issues within the enterprise in time and to minimize the damage that advanced threats cause to the enterprise.
  • The traditional host-based defense method mainly aims to prevent suspicious behavior from attacking the system.
  • This defense method must rely on security software, which monitors the process behavior of all applications on the host.
  • The IT staff pre-set an access control policy in the security software to control the applications' access to system data. If a process behavior does not satisfy this access control policy, the security software determines that the process behavior is suspicious. After detecting a suspicious behavior, the security software directly alerts the user of the host and lets the user choose whether to intercept the suspicious behavior.
  • The traditional defense method only covers the applications' access rules for system data; it does not prevent suspicious behavior that illegally accesses application data, such as stealing or tampering with application data.
  • Leaving it to the user to judge whether to intercept a suspicious behavior, as the traditional defense method does, is also not very appropriate.
  • Embodiments of the present invention provide a method and apparatus for determining suspicious behavior of an application, which can determine suspicious behavior of illegally accessing application data, thereby improving overall system performance.
  • According to a first aspect, a method for determining suspicious behavior of an application is provided, comprising: when a terminal device determines that data accessed by a process behavior of a first application belongs to a second application different from the first application, the terminal device determines the process behavior to be a candidate suspicious behavior, the data including at least one of a process, a thread, a file, a directory and a registry entry; and the terminal device sends behavior characteristic information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is a suspicious behavior.
  • In other words, when the data accessed by a process behavior belongs to a different application than the process itself, the terminal device determines that the process behavior is a candidate suspicious behavior.
  • For example, the second application includes a process P1 and a process P2. If a file F is created during the execution of P1, the file F belongs to the second application. If the process P2 accesses the file F during its execution, the behavior of P2 can be regarded as legal. If a process P3 in the first application, which is different from the second application, accesses the file F, the behavior of P3 is a candidate suspicious behavior.
  • In the embodiment of the present invention, the terminal device selects the candidate suspicious behaviors from all detected process behaviors according to the data access rule between applications, and sends the behavior characteristic information of the selected candidate suspicious behavior to the data analysis server.
  • The data analysis server then determines, according to the behavior characteristic information of the candidate suspicious behavior, whether the candidate suspicious behavior is a suspicious behavior, thereby identifying suspicious behavior on the terminal device that illegally accesses application data.
  • The method neither needs to rely on security software nor requires user participation in the determination, which improves the accuracy and reliability of the determination of suspicious behavior and thereby the overall performance of the system.
  • the terminal device may be a host or a client.
  • The terminal device may determine the relationship information between applications and data in the system in multiple manners.
  • Specifically, the terminal device can acquire the relationship information between the applications already present in the system and their data by collecting system information; it can obtain the relationship information between each application in the system and the data that application creates by monitoring data creation in real time; and it can determine whether the system is installing an application and, if so, associate the data created during the installation process with that application. After determining the relationship information between applications and data in this way, the terminal device can determine, according to that relationship information, the application to which the data accessed by a process behavior of the first application belongs, and can thereby determine the candidate suspicious behavior.
  • In one possible implementation of the first aspect, the terminal device determining the process behavior as a candidate suspicious behavior, when the data accessed by the process behavior of the first application belongs to the second application different from the first application, includes: if the process behavior is a dynamic link library (DLL) file loading behavior of the first application, the terminal device determines whether the DLL file loaded by the process behavior is a system DLL file; if the DLL file is not a system DLL file, the terminal device determines the application to which the DLL file belongs; and if the DLL file belongs to the second application different from the first application, the terminal device determines the process behavior as the candidate suspicious behavior.
  • In another possible implementation, the determination includes: if the process behavior is a registry access behavior of the first application, the terminal device determines the application that created the registry path accessed by the process behavior; if the registry path was created by the second application different from the first application, the terminal device determines whether the registry path is a publicly accessible path; and if the registry path is not a publicly accessible path, the terminal device determines the process behavior as the candidate suspicious behavior.
  • In another possible implementation, the determination includes: if the process behavior is a file access behavior of the first application, the terminal device determines the application that created the file accessed by the process behavior; if the file was created by the second application different from the first application, the terminal device determines the type of the file; and if the file is a program file, the terminal device determines the process behavior as the candidate suspicious behavior.
  • Alternatively, the terminal device determines the application registered for the extension of the file accessed by the process behavior; if the extension of the file is registered and the registered application is a third application different from the first application, the terminal device determines the process behavior as the candidate suspicious behavior.
  • If the first process behavior creates a process, the terminal device determines whether the process created by the first process behavior belongs to the first application; if the created process does not belong to the first application, the terminal device determines whether the created process is a system process of the first terminal device; and if it is not a system process of the first terminal device, the first terminal device determines the first process behavior as the first candidate suspicious behavior.
  • If the first process behavior creates a thread, the terminal device determines the application to which the thread created by the first process behavior belongs; if the created thread belongs to the second application different from the first application, the first terminal device determines the first process behavior as the first candidate suspicious behavior.
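The terminal-side filter described by the rules above (DLL loading, registry access, file access, process creation and thread creation, each checked against an application-to-data ownership database), written out as an added Python example that is not code from the patent. The ownership database, system DLL list, public registry paths, extension registrations and all sample behaviors are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample "information database": which application created/owns
# which data (files, DLLs, registry paths, processes, threads). The page builds
# this from system information, real-time monitoring of data creation and
# install tracking; here it is hard-coded for the demonstration.
DATA_OWNER: Dict[str, str] = {
    r"C:\Program Files\Editor\editor.exe": "Editor",
    r"C:\Program Files\Editor\plugin.dll": "Editor",
    r"C:\Program Files\Editor\notes.txt": "Editor",
    r"C:\Program Files\Editor\report.html": "Editor",
    r"C:\Program Files\Editor\debug.log": "Editor",
    r"HKCU\Software\Browser\Profiles": "Browser",
    r"HKCU\Software\Browser\Shared": "Browser",
    "pid:4100": "Browser",    # a process created by some process behavior
    "tid:4100.7": "Browser",  # a thread created inside the Browser process
}
SYSTEM_DLLS = {r"C:\Windows\System32\kernel32.dll"}
PUBLIC_REGISTRY_PATHS = {r"HKCU\Software\Browser\Shared"}
SYSTEM_PROCESSES = {"pid:4"}
PROGRAM_FILE_EXTENSIONS = {".exe", ".dll", ".sys"}
# Which application is registered to open each file extension (constructed).
EXTENSION_HANDLER = {".txt": "Editor", ".html": "Browser"}


@dataclass(frozen=True)
class ProcessBehavior:
    app: str     # the "first application" whose process performed the action
    kind: str    # dll_load | registry_access | file_access | create_process | create_thread
    target: str  # identifier of the accessed or created data


def owner_of(target: str) -> Optional[str]:
    """Application the data belongs to, or None for system data / unknown data."""
    return DATA_OWNER.get(target)


def extension_of(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def is_candidate_suspicious(b: ProcessBehavior) -> bool:
    """Terminal-side filter: the behavior is a candidate only when the data it
    touches belongs to a different application, with the per-kind exceptions."""
    owner = owner_of(b.target)
    foreign = owner is not None and owner != b.app
    if b.kind == "dll_load":
        # System DLLs are shared by everyone; only another app's DLL counts.
        return b.target not in SYSTEM_DLLS and foreign
    if b.kind == "registry_access":
        # Another app's registry path counts unless it is publicly accessible.
        return foreign and b.target not in PUBLIC_REGISTRY_PATHS
    if b.kind == "file_access":
        if not foreign:
            return False
        ext = extension_of(b.target)
        if ext in PROGRAM_FILE_EXTENSIONS:   # another app's program file
            return True
        handler = EXTENSION_HANDLER.get(ext)  # or a type registered to a third app
        return handler is not None and handler != b.app
    if b.kind == "create_process":
        # Creating a process that is neither ours nor a system process.
        return foreign and b.target not in SYSTEM_PROCESSES
    if b.kind == "create_thread":
        # Creating a thread that belongs to another application.
        return foreign
    return False


def behavior_characteristic_info(b: ProcessBehavior) -> Dict[str, Optional[str]]:
    """The fields the page says are reported: the acting application, the
    accessed data and the application that data belongs to."""
    return {"app": b.app, "kind": b.kind, "data": b.target, "data_owner": owner_of(b.target)}


def select_candidates(behaviors: List[ProcessBehavior]) -> List[Dict[str, Optional[str]]]:
    """Reduce all detected behaviors to the ones the terminal actually reports."""
    return [behavior_characteristic_info(b) for b in behaviors if is_candidate_suspicious(b)]


# Constructed sample of process behaviors detected on one terminal.
SAMPLE_BEHAVIORS = [
    ProcessBehavior("Editor", "dll_load", r"C:\Windows\System32\kernel32.dll"),    # system DLL
    ProcessBehavior("Editor", "dll_load", r"C:\Program Files\Editor\plugin.dll"),  # own DLL
    ProcessBehavior("Browser", "dll_load", r"C:\Program Files\Editor\plugin.dll"),
    ProcessBehavior("Editor", "registry_access", r"HKCU\Software\Browser\Shared"),  # public path
    ProcessBehavior("Editor", "registry_access", r"HKCU\Software\Browser\Profiles"),
    ProcessBehavior("Browser", "file_access", r"C:\Program Files\Editor\editor.exe"),
    ProcessBehavior("Mailer", "file_access", r"C:\Program Files\Editor\report.html"),
    ProcessBehavior("Mailer", "file_access", r"C:\Program Files\Editor\debug.log"),  # plain data
    ProcessBehavior("Browser", "create_process", "pid:4100"),  # its own child process
    ProcessBehavior("Editor", "create_process", "pid:4100"),
    ProcessBehavior("Editor", "create_thread", "tid:4100.7"),
]

if __name__ == "__main__":
    for info in select_candidates(SAMPLE_BEHAVIORS):
        print(info)
```

Of the eleven sample behaviors, six survive the filter; everything else is handled locally and never costs a report.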
  • The behavior characteristic information includes: information about the application to which the process behavior belongs, information about the data accessed by the process behavior, and information about the application to which the data accessed by the process behavior belongs.
  • After the terminal device sends the behavior characteristic information of the process behavior to the data analysis server, the method further includes: the terminal device receives indication information sent by the data analysis server, where the indication information indicates that the process behavior is a normal behavior; and the terminal device determines, according to the indication information, that the process behavior is a normal behavior.
  • In this way the method not only improves the accuracy with which the terminal device detects candidate suspicious behavior, but also avoids transmitting unnecessary behavior characteristic information, thereby saving signaling overhead.
  • In a ninth possible implementation of the first aspect, after the terminal device sends the behavior characteristic information of the process behavior to the data analysis server, the method further includes: the terminal device receives a request message sent by the data analysis server, where the request message requests traceability information of the process behavior, the traceability information including at least one of the following: process information of the process behavior, information about the program file corresponding to the process behavior, and relationship information between the process creator and the program file creator of the process behavior; and the terminal device sends the traceability information to the data analysis server according to the request message.
  • That is, the data analysis server may request the terminal device to trace the origin of the process behavior.
  • The terminal device sends the traceability information of the suspicious behavior to the data analysis server, so that the IT manager can obtain the traceability information through the data analysis server and can reconstruct the suspicious behavior and how it occurred, which benefits later investigation and evidence collection for the attack event.
  • According to a second aspect, a method for determining suspicious behavior of an application is provided, comprising: a data analysis server receives behavior characteristic information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application and the data accessed by the first process behavior belongs to a second application different from the first application, the data including at least one of a process, a thread, a file, a directory and a registry entry; and the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
  • The data analysis server determining, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior includes: the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior; and if it determines that the first process behavior does not belong to the trusted behavior set, the data analysis server determines that the first process behavior is suspicious.
  • Before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, the method further includes: the data analysis server receives behavior characteristic information of a plurality of second process behaviors sent by each of at least one second terminal device; and the data analysis server determines the trusted behavior set by applying a data mining algorithm to the behavior characteristic information of the plurality of second process behaviors sent by the at least one second terminal device, where the trusted behavior set includes at least one of the plurality of second process behaviors.
  • the data mining algorithm may be a frequent item set algorithm, a support vector machine algorithm or a decision tree algorithm, or the like.
  • The behavior characteristic information of the first process behavior includes: information about the application to which the first process behavior belongs, information about the data accessed by the first process behavior, and information about the application to which the data accessed by the first process behavior belongs.
  • The behavior characteristic information of the plurality of second process behaviors includes: information about the applications to which the plurality of second process behaviors belong, information about the data accessed by the plurality of second process behaviors, and information about the applications to which the data accessed by the plurality of second process behaviors belongs.
  • The method further includes: if the data analysis server determines that the first process behavior is a normal behavior, the data analysis server sends indication information to the first terminal device, where the indication information indicates that the first process behavior is a normal behavior.
  • The method further includes: if the data analysis server determines that the first process behavior is a suspicious behavior, the data analysis server sends a request message to the first terminal device, where the request message requests traceability information of the first process behavior, the traceability information including at least one of process information of the first process behavior, information about the program file corresponding to the first process behavior, and relationship information between the process creator and the program file creator of the first process behavior; the data analysis server receives the traceability information sent by the first terminal device according to the request message; and the data analysis server displays the traceability information through a background management interface.
  • The data analysis server can thus display the traceability information of the suspicious behavior to the IT manager through the background management interface, so that the IT manager can reconstruct the suspicious behavior and how it occurred according to the traceability information, which benefits later investigation and evidence collection for the attack event.
  • an apparatus for determining suspicious behavior of an application for performing the method of any of the above-described first aspect or any of the possible implementations of the first aspect is provided.
  • the apparatus may comprise means for performing the method of any of the above-described first aspect or any of the possible implementations of the first aspect.
  • an apparatus for determining suspicious behavior of an application for performing the method of any of the above-described second aspect or any of the possible implementations of the second aspect is provided.
  • the apparatus may comprise means for performing the method of any of the possible implementations of the second aspect or the second aspect described above.
  • According to a fifth aspect, an apparatus for determining suspicious behavior of an application is provided, comprising: a receiver, a transmitter, a memory, a processor and a bus system.
  • The receiver, the transmitter, the memory and the processor are connected by the bus system; the memory stores instructions; and the processor executes the instructions stored in the memory to control the receiver to receive signals and to control the transmitter to send signals.
  • When the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the first aspect or any of the possible implementations of the first aspect.
  • According to a sixth aspect, an apparatus for determining suspicious behavior of an application is provided, comprising: a receiver, a transmitter, a memory, a processor and a bus system.
  • The receiver, the transmitter, the memory and the processor are connected by the bus system; the memory stores instructions; and the processor executes the instructions stored in the memory to control the receiver to receive signals and to control the transmitter to send signals.
  • When the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the second aspect or any of the possible implementations of the second aspect.
  • According to a seventh aspect, a system for determining suspicious behavior of an application is provided, the system comprising the apparatus of the third aspect or any of its possible implementations and the apparatus of the fourth aspect or any of its possible implementations; or
  • the system comprises the apparatus of the fifth aspect or any of its possible implementations and the apparatus of the sixth aspect or any of its possible implementations.
  • According to an eighth aspect, a computer readable medium is provided for storing a computer program, the computer program comprising instructions for performing the method of the first aspect or any of the possible implementations of the first aspect.
  • According to a ninth aspect, a computer readable medium is provided for storing a computer program, the computer program comprising instructions for performing the method of the second aspect or any of the possible implementations of the second aspect.
  • FIG. 1 is a schematic diagram of a system to which an embodiment of the present invention is applied.
  • FIG. 2 is a schematic flowchart of a method for determining suspicious behavior of an application according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of another system for determining suspicious behavior of an application according to an embodiment of the present invention.
  • FIG. 4 is a schematic block diagram of an apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
  • FIG. 5 is a schematic block diagram of another apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
  • FIG. 6 is a schematic block diagram of another apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
  • FIG. 7 is a schematic block diagram of another apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
  • an application is composed of a plurality of program files, which are also referred to as executable program files.
  • the program file initiates a system service request to the operating system during runtime.
  • a system service request can also be called an application programming interface (API) call.
  • the API call may include reading and writing of a file, allocation of a memory, input and output (IO) of a network, operation of a hardware device, reading and writing of a system configuration, and the like, which are not limited by the embodiment of the present invention.
  • In this document, the processes, threads, files, directories, registry keys, etc. related to an application are collectively referred to as the application's "data". Every time an application is installed and every time it is run, corresponding data is generated. It should be understood that data other than system data belongs to a specific application.
  • FIG. 1 shows a system 100 to which an embodiment of the present invention is applied.
  • the system 100 can include at least one terminal device 110 and one data analysis server 120.
  • the terminal device 110 can be mobile or fixed.
  • The terminal device 110 may refer to an access terminal, user equipment (UE), a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user device.
  • The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network, a terminal device in a future evolved Public Land Mobile Network (PLMN), or the like.
  • the terminal device 100 is a host or a client.
  • the data analysis server 120 may be a file server, a database server, an application server, a WEB server, etc., which is not limited by the embodiment of the present invention.
  • FIG. 1 exemplarily shows a terminal device and a data analysis server.
  • the system 100 may include a plurality of terminal devices, which is not limited by the embodiment of the present invention.
  • the data analysis server may transmit information with a plurality of terminal devices at the same time, thereby determining an application suspicious behavior of each of the plurality of terminal devices.
  • the process of determining the suspicious behavior of the application in each terminal device by the data analysis server is similar.
  • The following describes, by way of example, the process by which the data analysis server determines the suspicious behavior of an application in a first terminal device among the plurality of terminal devices.
  • FIG. 2 is a schematic flowchart of a method for determining suspicious behavior of an application provided by an embodiment of the present invention.
  • the method 200 can be applied to the system 100 shown in FIG. 1, but the embodiment of the invention is not limited thereto.
  • the method 200 includes:
  • The first terminal device, when determining that the data accessed by a first process behavior of a first application belongs to a second application different from the first application, determines the first process behavior as a candidate suspicious behavior, where the data includes at least one of a process, a thread, a file, a directory and a registry key.
  • the first terminal device can learn that the application has a process behavior through a mechanism provided by the existing operating system.
  • the Windows operating system provides a filter driver mechanism that allows users to implement extended functions without affecting the normal functionality of the operating system.
  • First the user can write a driver module and register the driver module with the operating system.
  • the driver module can implement additional functions based on interfaces and points of interest provided by the filter driver mechanism, such as obtaining information about file operations and the like.
  • When a file input/output (I/O) operation, registry I/O operation, network I/O operation, etc. occurs in any process, the operating system sends information related to the operation, such as the process name and the identifier of the operated object (file, registry entry, etc.), to the driver module.
  • A plurality of applications may be installed in the first terminal device. When the first terminal device detects a process behavior that belongs to a first application among the multiple applications, but the data accessed by that process behavior belongs to a second application among the multiple applications, where the first application is different from the second application, the first terminal device considers that the process behavior accesses data that is not its own, and determines the process behavior as a candidate suspicious behavior.
  • That is, the first terminal device does not simply detect the process behaviors of all applications in the system; it filters all detected process behaviors, and selects the suspected suspicious process behaviors from all process behaviors according to whether the data accessed by a process behavior belongs to the application to which the process behavior belongs.
  • Before the first terminal device determines the first process behavior as a candidate suspicious behavior, it determines the relationship information between applications and data, which can be divided into the following three cases:
  • First, the first terminal device can acquire the relationship information between the applications already present in the system and their data by collecting system information. For example, the first terminal device may locate the application directory of an application through the registry, classify the program files and non-program files in that directory as belonging to the application by comparing the file creation time with the directory creation time, and collect the product name, company name, copyright, digital signature information, etc. of the application's program files into the information database.
  • Second, the first terminal device can acquire the relationship information between each application in the system and the data it creates through real-time monitoring. For example, if the first terminal device detects a data creation action by a process, it stores the relationship information between the created data and its creator in the information database.
  • Third, the first terminal device can determine whether the system is installing an application and, if so, associate the data created during the installation process with that application. For example, if it is detected that a process or a child process of that process creates a plurality of program files in a fixed directory, the first terminal device can determine whether the process or the child process registers an application; if so, the first terminal device establishes the relationship between the application and the program files and registry entries, and stores the corresponding relationship information in the information database.
  • the first terminal device can filter the detected process behavior according to the relationship information between the application and the data.
  • For example, the first application includes a process P1 and a process P2. If a file F is created during the execution of P1, the file F belongs to the first application, and if the process P2 accesses the file F during its execution, the behavior of P2 can be regarded as legal. If a process P3 in a second application different from the first application accesses the file F, the behavior of P3 is a candidate suspicious behavior.
  • the first terminal device sends behavior characteristic information of the first process behavior to the data analysis server.
  • That is, the first terminal device directly reports the behavior characteristic information of the selected candidate suspicious behavior (i.e., the first process behavior) to the data analysis server, and the data analysis server analyzes and processes the first process behavior.
  • the data analysis server receives the behavior characteristic information of the first process behavior, and determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
  • the data analysis server may receive behavior characteristic information of the first process behavior that the first terminal device considers suspicious, and then determine, according to the behavior characteristic information, whether the first process behavior is a suspicious behavior.
  • the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the behavior of the first process is a suspicious behavior, including:
  • if the first process behavior does not belong to a set of trusted behaviors, the data analysis server determines that the first process behavior is suspicious.
  • the data analysis server may determine whether the first process behavior belongs to a set of trusted behaviors, where the set of trusted behaviors includes at least one trusted behavior. If the first process behavior belongs to the set of trusted behaviors, the data analysis server determines that the first process behavior is a normal behavior; if it does not, the data analysis server determines that the first process behavior is suspicious. Specifically, the data analysis server confirms that the first process behavior belongs to the set of trusted behaviors when the behavior characteristic information of the first process behavior is the same as the behavior characteristic information of one trusted behavior in the set; otherwise, when the behavior characteristic information of the first process behavior differs from that of every trusted behavior in the set, it confirms that the first process behavior does not belong to the set of trusted behaviors.
  • the embodiment of the present invention determines the candidate suspicious behavior from all detected process behaviors by the terminal device based on the data access rule between applications, and sends the behavior characteristic information of the determined candidate suspicious behavior to the data analysis server, which determines whether the candidate suspicious behavior is suspicious.
  • the method for determining suspicious behavior of an application of an embodiment of the present invention is therefore capable of determining suspicious behavior that illegally accesses application data without relying on security software and without requiring user involvement.
  • in the traditional host-based defense method, the host determines suspicious behavior directly by using security software, and the security software monitors the process behavior of all applications in the system.
  • IT staff pre-set an access control policy in the security software to control access to system data by the process behavior of applications in the system. If a process behavior does not satisfy the access control policy, the security software determines that the process behavior is suspicious. After detecting a suspicious behavior, the security software directly alerts the user who is using the host and lets the user choose whether to intercept it. The traditional host-based defense method is therefore mainly aimed at preventing suspicious behavior from attacking the system, and it must rely on security software.
  • the traditional defense method only involves an application's access rules to system data; it does not consider the data access rules between one application and another, and so cannot prevent suspicious behavior that illegally accesses application data, for example suspicious behavior that steals or tampers with the data of an application.
  • furthermore, the way in which traditional defense methods leave it to the user to judge whether to intercept a suspicious behavior is not appropriate.
  • by contrast, the embodiment of the present invention determines the candidate suspicious behavior from the detected process behaviors by the terminal device based on the data access rule between applications, sends the behavior characteristic information of the determined candidate suspicious behavior to the data analysis server, and has the data analysis server determine whether the candidate suspicious behavior is a suspicious behavior. It is thereby able to determine suspicious behavior that illegally accesses application data in the terminal device. Compared with the prior art, the method neither relies on security software nor requires the user to participate in the determination, which can improve the accuracy and reliability of the judgment of suspicious behavior and thereby the overall performance of the system.
  • the determination of the candidate suspicious behavior by the first terminal device may be divided into multiple cases according to the specific type of the process behavior.
  • if the first process behavior is a dynamic link library (DLL) file loading behavior of the first application, the first terminal device determines whether the DLL file loaded by the first process behavior is a system DLL file; if the DLL file is not a system DLL file, the first terminal device determines the application to which the DLL file belongs; and if the DLL file belongs to a second application different from the first application, the first terminal device determines the first process behavior to be the candidate suspicious behavior.
  • if the first process behavior is a registry access behavior of the first application, the first terminal device determines the application that created the registry path accessed by the first process behavior; if the registry path was created by a second application different from the first application, the first terminal device determines whether the registry path is a publicly accessible path; if it is not a publicly accessible path, the first terminal device determines the first process behavior to be the candidate suspicious behavior.
  • if the first process behavior is a file access behavior of the first application, the first terminal device determines the application that created the file accessed by the first process behavior; if the file was created by a second application different from the first application, the first terminal device determines the type of the file; if the type of the file is a program file, the first terminal device may directly determine the first process behavior to be the candidate suspicious behavior.
  • if the type of the file accessed by the first process behavior is a non-program file, the first terminal device determines the application registered for the extension of the file; if the application registered for the extension is a third application different from the first application, the first terminal device determines the first process behavior to be the candidate suspicious behavior;
  • if the first process behavior is a process creation behavior of the first application, the first terminal device determines whether the process created by the first process behavior belongs to the first application; if it does not, the first terminal device determines whether the process is a system process of the first terminal device; if it is not a system process, the first terminal device determines the first process behavior to be the candidate suspicious behavior.
  • in this case the first process behavior should be understood as the behavior of a virus: the program file of the first application carries the virus, and the virus creates a new process that does not belong to the first application. Based on the above judgment conditions, it can therefore be determined whether an application carries a virus.
  • if the first process behavior is a thread creation behavior of the first application, the first terminal device determines the application to which the thread created by the first process behavior belongs; if the thread belongs to a second application different from the first application, the first terminal device determines the first process behavior to be the candidate suspicious behavior.
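  • As an added illustration (example code, not part of the patent), the following Python sketch builds the application/data relationship database from an install event as described above (a process dropping a plurality of program files in a fixed directory and registering an application), and then applies the per-type candidate rules to a set of constructed behaviors: DLL loading with the system-DLL exception, registry access with the publicly-accessible-path exception, file access including the program-file and extension-registration checks, process creation with the system-process exception, and thread creation. The directory, application and process names, the fixed lists standing in for system DLL directories, system processes and publicly accessible registry paths, and the threshold of three program files are all assumptions.

```python
# Added example (not from the patent): a terminal-side probe that records the
# application/data relationship at install time and then sorts detected process
# behaviors into "legal" or "candidate" (candidate suspicious). All data is constructed.
import ntpath
from dataclasses import dataclass, field

# Assumed notion of "system" locations; a real probe would ask the OS instead.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\",)
SYSTEM_PROCESSES = {"svchost.exe", "explorer.exe", "csrss.exe"}
PUBLIC_REGISTRY_PATHS = ("hklm\\software\\classes\\",)   # assumed publicly accessible
PROGRAM_EXTENSIONS = {".exe", ".dll", ".sys"}
INSTALL_FILE_THRESHOLD = 3   # "a plurality of program files" in one fixed directory

@dataclass
class RelationDB:
    file_owner: dict = field(default_factory=dict)      # file path -> application
    registry_owner: dict = field(default_factory=dict)  # registry path -> creator app
    process_owner: dict = field(default_factory=dict)   # pid -> application
    ext_handler: dict = field(default_factory=dict)     # ".ext" -> registered application

    def record_install(self, created_files, registered_app, registry_paths):
        """Associate install-time data with the app, but only if the installer
        dropped several program files in one directory and registered an app."""
        by_dir = {}
        for p in created_files:
            by_dir.setdefault(ntpath.dirname(p).lower(), []).append(p)
        if registered_app is None or \
                max(map(len, by_dir.values()), default=0) < INSTALL_FILE_THRESHOLD:
            return False
        for p in created_files:
            self.file_owner[p.lower()] = registered_app
        for r in registry_paths:
            self.registry_owner[r.lower()] = registered_app
        return True

@dataclass
class Behavior:
    kind: str       # dll_load | registry | file | create_process | create_thread
    app: str        # the first application: the one the acting process belongs to
    target: object  # DLL/file/image path, registry path, or pid of the target process

def _owner_by_prefix(mapping, path):
    """A registry path created by app X: every key beneath it belongs to X."""
    path = path.lower()
    hits = [(len(k), a) for k, a in mapping.items() if path == k or path.startswith(k + "\\")]
    return max(hits)[1] if hits else None

def classify(db, b):
    """Return 'legal' or 'candidate' for one detected process behavior of b.app."""
    if b.kind == "dll_load":
        if b.target.lower().startswith(SYSTEM_DLL_DIRS):
            return "legal"                                   # system DLL
        owner = db.file_owner.get(b.target.lower())          # app the DLL belongs to
        return "candidate" if owner not in (None, b.app) else "legal"
    if b.kind == "registry":
        creator = _owner_by_prefix(db.registry_owner, b.target)
        if creator in (None, b.app) or b.target.lower().startswith(PUBLIC_REGISTRY_PATHS):
            return "legal"                                   # own, unknown or public path
        return "candidate"
    if b.kind == "file":
        creator = db.file_owner.get(b.target.lower())
        if creator in (None, b.app):
            return "legal"
        ext = ntpath.splitext(b.target)[1].lower()
        if ext in PROGRAM_EXTENSIONS:
            return "candidate"                               # another app's program file
        handler = db.ext_handler.get(ext)                    # app registered for the extension
        return "candidate" if handler not in (None, b.app) else "legal"
    if b.kind == "create_process":
        if db.file_owner.get(b.target.lower()) == b.app:
            return "legal"
        if ntpath.basename(b.target).lower() in SYSTEM_PROCESSES:
            return "legal"                                   # system process
        return "candidate"                                   # e.g. a dropped payload
    if b.kind == "create_thread":
        owner = db.process_owner.get(b.target)               # app of the target process
        return "candidate" if owner not in (None, b.app) else "legal"
    raise ValueError(b.kind)

def demo():
    """Constructed install event for 'Acme Notes', then nine observed behaviors."""
    db = RelationDB()
    db.record_install([r"C:\Program Files\Acme\notes.exe", r"C:\Program Files\Acme\render.dll",
                       r"C:\Program Files\Acme\spell.dll"], "Acme Notes", [r"HKCU\Software\Acme"])
    db.ext_handler[".acme"] = "Acme Notes"
    db.file_owner[r"c:\users\bob\plan.acme"] = "Acme Notes"   # file F created by process P1
    db.process_owner[4242] = "Acme Notes"
    observed = [
        Behavior("file", "Acme Notes", r"C:\Users\bob\plan.acme"),        # P2 reads F: legal
        Behavior("file", "Other", r"C:\Users\bob\plan.acme"),             # P3 reads F: candidate
        Behavior("file", "Other", r"C:\Program Files\Acme\notes.exe"),    # program file of Acme
        Behavior("dll_load", "Other", r"C:\Windows\System32\kernel32.dll"),
        Behavior("dll_load", "Other", r"C:\Program Files\Acme\render.dll"),
        Behavior("registry", "Other", r"HKCU\Software\Acme\Settings"),
        Behavior("create_process", "Acme Notes", r"C:\Users\bob\AppData\Local\Temp\x.exe"),
        Behavior("create_process", "Acme Notes", r"C:\Windows\explorer.exe"),
        Behavior("create_thread", "Other", 4242),                         # thread into Acme
    ]
    return [classify(db, b) for b in observed]
```

  • Note that the rules only fire when the accessed data is known to belong to another application; data with no recorded owner is not covered by the access rule between applications and is left as legal here, which is why the install-time association step matters for coverage.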
  • before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
  • the data analysis server receives behavior characteristic information of a plurality of second process behaviors sent by each of the at least one second terminal device;
  • the data analysis server determines the set of trusted behaviors by using a data mining algorithm according to the behavior characteristic information of the plurality of second process behaviors sent by the at least one second terminal device, where the set of trusted behaviors includes at least one of the plurality of second process behaviors.
  • the second terminal device in this embodiment may be the same as or different from the foregoing first terminal device, and the second process behavior may be the same as or different from the foregoing first process behavior; the embodiment of the present invention is not limited in this respect.
  • the behavior characteristic information of the first process behavior includes: information of the application to which the first process behavior belongs, information of the data accessed by the first process behavior, and information of the application to which the data accessed by the first process behavior belongs;
  • the behavior characteristic information of the plurality of second process behaviors includes: information of the applications to which the plurality of second process behaviors belong, information of the data accessed by the plurality of second process behaviors, and information of the applications to which the data accessed by the plurality of second process behaviors belongs.
  • the set of trusted behaviors may be generated by a data mining method. The second terminal device is therefore required to send to the data analysis server behavior characteristic information that the data mining algorithm can use: after determining a second process behavior, the second terminal device preprocesses the information of the second process behavior and converts it into behavior characteristic information.
  • the behavior characteristic information may be sent to the data analysis server by the second terminal device as a set, and the set may include: the action of the second process behavior, the destination path of the second process behavior, the file name and path information of the application to which the second process behavior belongs, the copyright information of the application, the version information of the application, the header hash of the program file of the application, the digital signature information of the program file of the application, and the like.
  • data mining algorithms can be used to uncover suspicious behaviors that are not recognized by security software.
  • the data mining algorithm herein may be a frequent item set algorithm, a support vector machine algorithm, a decision tree algorithm, or the like, which is not limited by the embodiment of the present invention.
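  • As an added illustration (example code, not the patent's own), the following Python sketch shows one way the data analysis server could derive the set of trusted behaviors from the behavior characteristic information reported by many second terminal devices using a frequent-itemset style support count (a behavior becomes trusted once at least three distinct terminals have reported it), apply the exact-match membership test of the set to a newly reported first process behavior, and re-evaluate earlier verdicts once the set has grown. The report fields, the threshold, the sample reports and the client names are constructed, and the choice to leave the version field out of the match is an assumption rather than something the page specifies.

```python
# Added example (not from the patent): server-side mining of the trusted behavior
# set from reports of many terminals, the exact-match membership test that decides
# normal versus suspicious, and backtracking re-evaluation of earlier reports.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BehaviorFeature:
    """Behavior characteristic information as a terminal would report it."""
    acting_app: str          # application to which the process behavior belongs
    action: str              # e.g. file_read, dll_load, registry_read
    target: str              # data accessed, with user-specific parts normalised
    target_owner_app: str    # application to which the accessed data belongs
    signer: str = ""         # digital signature subject of the acting program file
    version: str = ""        # version information of the acting application


def feature_key(f):
    """Fields that must be identical for two behaviors to count as the same.
    Version is left out (an assumption) so an updated client still matches."""
    return (f.acting_app, f.action, f.target, f.target_owner_app, f.signer)


class TrustedBehaviorMiner:
    """Frequent-itemset style mining: a behavior becomes trusted once it has
    been reported by at least min_terminals distinct terminals. Cross-app
    access seen across a fleet is far more likely to be a legitimate
    integration than a one-off data theft, which stays rare by construction."""

    def __init__(self, min_terminals=3):
        self.min_terminals = min_terminals
        self.support = defaultdict(set)   # feature key -> terminals that reported it
        self.reports = []                 # [terminal, key, verdict] for backtracking

    def trusted_set(self):
        return {k for k, t in self.support.items() if len(t) >= self.min_terminals}

    def judge(self, terminal_id, f):
        """Ingest one report and return 'normal' or 'suspicious' for it."""
        k = feature_key(f)
        self.support[k].add(terminal_id)  # repeats from one terminal add no support
        verdict = "normal" if k in self.trusted_set() else "suspicious"
        self.reports.append([terminal_id, k, verdict])
        return verdict

    def backtrack(self):
        """Re-judge every earlier report against the current trusted set and
        return the (terminal, key) pairs whose verdict changed."""
        trusted, flipped = self.trusted_set(), []
        for rec in self.reports:
            now = "normal" if rec[1] in trusted else "suspicious"
            if now != rec[2]:
                rec[2] = now
                flipped.append((rec[0], rec[1]))
        return flipped


def demo():
    """Constructed reports from three enterprise clients."""
    m = TrustedBehaviorMiner(min_terminals=3)
    backup = BehaviorFeature("Fleet Backup", "file_read", r"%APPDATA%\Acme\plan.acme",
                             "Acme Notes", signer="Fleet Backup Inc", version="4.1")
    backup_v2 = BehaviorFeature("Fleet Backup", "file_read", r"%APPDATA%\Acme\plan.acme",
                                "Acme Notes", signer="Fleet Backup Inc", version="4.2")
    stealer = BehaviorFeature("Updater", "file_read",
                              r"%LOCALAPPDATA%\Browser\Login Data", "Browser")
    verdicts = [
        m.judge("client-301", backup),     # first sighting anywhere: suspicious
        m.judge("client-302", backup),
        m.judge("client-303", backup_v2),  # third distinct terminal: now normal
        m.judge("client-301", stealer),
        m.judge("client-301", stealer),    # same terminal again: still one supporter
    ]
    return verdicts, m.backtrack()
```

  • The backtracking pass is what lets the server revise the two early "suspicious" verdicts for the backup agent once enough terminals have reported the same behavior, which is the situation described later for behaviors that are rarely counted at first and then accumulate.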
  • the method further includes:
  • when the data analysis server determines that the first process behavior is a normal behavior, the data analysis server sends indication information to the first terminal device, where the indication information is used to indicate that the first process behavior is a normal behavior.
  • the first terminal device receives the indication information sent by the data analysis server, and determines, according to the indication message, that the first process behavior is a normal behavior.
  • if the first terminal device subsequently detects the first process behavior again, the behavior characteristic information of the first process behavior is not sent to the data analysis server again.
  • the method further includes:
  • when the data analysis server determines that the first process behavior is a suspicious behavior, the data analysis server sends a request message to the first terminal device, where the request message is used to request traceability information of the first process behavior, and the traceability information includes at least one of: process information of the first process behavior, information of the program file corresponding to the first process behavior, and relationship information between the process creator of the first process behavior and the program file creator;
  • the data analysis server receives the traceability information sent by the first terminal device according to the request message, and displays the traceability information through a background management interface.
  • the data analysis server may display the traceability information of the suspicious behavior through the background management interface, so that information technology (IT) management personnel can determine the origin of the suspicious behavior from the traceability information.
  • the foregoing terminal device may specifically be a client, and the foregoing method for determining suspicious behavior of an application may be applied to an enterprise including multiple clients.
  • the enterprise includes a client 301, a client 302, and a client 303, and a monitoring program, namely a probe program 304, a probe program 305, and a probe program 306 respectively, is deployed in each client.
  • these probe programs are responsible for monitoring all process behaviors in the enterprise client and filtering the monitored process behaviors. If a process behavior accesses data that is not its own, the probe program determines that the process behavior is a candidate suspicious behavior.
  • after the candidate suspicious behaviors are determined, each client separately extracts the behavior characteristic information of each candidate suspicious behavior.
  • the probe program in the client transmits the determined behavior characteristic information of the candidate suspicious behavior to the data analysis server 307.
  • the data analysis server 307 continuously receives behavior characteristic information of candidate suspicious behaviors sent from different clients, and uses the data mining algorithm to perform statistical analysis on the received behavior characteristic information, generating a set of trusted behaviors that includes at least one trusted behavior. After the data analysis server 307 has generated the set of trusted behaviors, it can determine whether a candidate suspicious behavior is suspicious according to the behavior characteristic information of that candidate suspicious behavior.
  • for example, the data analysis server 307 receives the behavior characteristic information of a process behavior sent by the client 301, that is, the behavior characteristic information of a candidate suspicious behavior, and can determine whether that process behavior is suspicious according to the behavior characteristic information.
  • if the data analysis server 307 determines that the process behavior is a normal behavior, it sends indication information to the client 301 indicating that the process behavior is a normal behavior. After receiving the indication information, the client 301 determines the process behavior to be a normal behavior, and if the client 301 detects the same process behavior again, the behavior characteristic information of that process behavior is not sent to the data analysis server 307.
  • if the data analysis server 307 determines that the process behavior is suspicious, it sends a request message to the client 301 requesting traceability information of the process behavior. After receiving the request message, the client 301 sends the traceability information of the process behavior to the data analysis server 307. The data analysis server 307 receives the traceability information sent by the client 301 and displays it through the background management interface.
  • the data analysis server 307 can send the traceability information to the system management server 308.
  • the system management server 308 can display the traceability information in real time to relevant personnel of the enterprise, such as an IT manager, so that the IT manager can reconstruct from the traceability information when and how the suspicious behavior occurred, which is beneficial to the later investigation of attack events and the collection of evidence.
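  • The exchange between a probe and the data analysis server described above, as an added example that is not part of the patent: the probe reports a candidate suspicious behavior, the server answers either with a "normal" indication (which the probe caches so the same behavior is not reported again) or with a request for traceability information, and the probe then returns process information, program file information and the relationship between the process creator and the program file creator, which the server keeps for its background management interface. Message names and fields, the trusted set, the client and process facts and the hashes are constructed assumptions; an in-process call stands in for the network, and a deployment would carry these messages over an authenticated channel.

```python
# Added example (not from the patent): the probe/server message exchange for one
# client, run in-process with JSON messages. All names, facts and hashes are constructed.
import hashlib
import json


class DataAnalysisServer:
    """Judges reported behaviors and collects traceability of suspicious ones."""

    def __init__(self, trusted_keys):
        self.trusted = set(trusted_keys)
        self.traceability = []   # what the background management interface displays

    def handle(self, raw):
        msg = json.loads(raw)
        if msg["type"] == "report":
            key = (msg["app"], msg["action"], msg["target"], msg["target_owner"])
            if key in self.trusted:
                return json.dumps({"type": "indication", "report_id": msg["report_id"],
                                   "verdict": "normal"})
            return json.dumps({"type": "request", "report_id": msg["report_id"],
                               "want": ["process", "program_file", "creator_relation"]})
        if msg["type"] == "traceability":
            self.traceability.append(msg)
            return json.dumps({"type": "ack", "report_id": msg["report_id"]})
        raise ValueError(msg["type"])


class Probe:
    """Client-side probe: reports candidates, caches 'normal' verdicts so the
    same behavior is not re-sent, and answers traceability requests."""

    def __init__(self, server, local_facts):
        self.server = server
        self.facts = local_facts   # pid -> process/program-file facts kept on the client
        self.normal_cache = set()
        self.sent = 0

    def observe(self, beh):
        key = (beh["app"], beh["action"], beh["target"], beh["target_owner"])
        if key in self.normal_cache:
            return "suppressed"            # already confirmed normal: not reported again
        self.sent += 1
        report_id = hashlib.sha256(repr(key).encode()).hexdigest()[:12]
        report = {"type": "report", "report_id": report_id,
                  **{f: beh[f] for f in ("app", "action", "target", "target_owner")}}
        reply = json.loads(self.server.handle(json.dumps(report)))
        if reply["type"] == "indication" and reply["verdict"] == "normal":
            self.normal_cache.add(key)
            return "normal"
        trace = {"type": "traceability", "report_id": report_id, **self.facts[beh["pid"]]}
        self.server.handle(json.dumps(trace))
        return "suspicious"


def demo():
    """Client 301 observes two behaviors twice each; only the first is trusted."""
    trusted = {("Fleet Backup", "file_read", r"%APPDATA%\Acme\plan.acme", "Acme Notes")}
    server = DataAnalysisServer(trusted)
    facts = {   # constructed local facts about two processes on client 301
        5100: {"process": {"pid": 5100, "image": r"C:\Program Files\FleetBackup\agent.exe"},
               "program_file": {"sha256": hashlib.sha256(b"constructed agent.exe").hexdigest(),
                                "signer": "Fleet Backup Inc"},
               "creator_relation": {"process_creator": "services.exe",
                                    "program_file_creator": "Fleet Backup installer"}},
        6200: {"process": {"pid": 6200, "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
               "program_file": {"sha256": hashlib.sha256(b"constructed upd.exe").hexdigest(),
                                "signer": ""},
               "creator_relation": {"process_creator": "notes.exe",
                                    "program_file_creator": "notes.exe"}},  # both Acme Notes
    }
    probe = Probe(server, facts)
    backup = {"app": "Fleet Backup", "action": "file_read",
              "target": r"%APPDATA%\Acme\plan.acme", "target_owner": "Acme Notes", "pid": 5100}
    stealer = {"app": "Updater", "action": "file_read",
               "target": r"%LOCALAPPDATA%\Browser\Login Data", "target_owner": "Browser", "pid": 6200}
    results = [probe.observe(backup), probe.observe(backup),
               probe.observe(stealer), probe.observe(stealer)]
    return results, probe.sent, len(server.traceability)
```

  • Only behaviors judged normal are cached on the client; a behavior judged suspicious is reported each time it recurs, so the server (and the IT manager behind it) sees every occurrence together with its traceability information.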
  • the data analysis server does not necessarily judge a suspicious behavior correctly at once. Because this kind of statistical analysis relies on process behavior accumulated over a period of time, a certain behavior may be counted only rarely at the beginning while its count gradually increases later. The data analysis server is therefore required to perform backtracking iterations over the previously received process behaviors, so as to improve the accuracy of the judgment results.
  • the method for determining suspicious behavior of an application determines a candidate suspicious behavior from the detected process behaviors by the terminal device based on the data access rule between applications, sends the behavior characteristic information of the candidate suspicious behavior to the data analysis server, and has the data analysis server determine whether the candidate suspicious behavior is a suspicious behavior. It is thereby able to determine suspicious behavior that illegally accesses application data. Compared with the prior art, the method neither relies on security software nor requires the user to participate in the determination, which can improve the accuracy and reliability of the judgment of suspicious behavior and thereby the overall performance of the system.
  • the embodiment of the present invention can display the traceability information of the suspicious behavior to the IT management personnel through the background management interface, so that the IT management personnel can reconstruct from the traceability information when and how the suspicious behavior occurred, which is conducive to the later investigation of attack events and the collection of evidence.
  • a method for determining suspicious behavior of an application according to an embodiment of the present invention is described in detail above with reference to FIGS. 1 through 3.
  • an apparatus for determining suspicious behavior of an application according to an embodiment of the present invention will be described in detail below with reference to FIGS. 4 through 7.
  • FIG. 4 shows an apparatus 400 for determining suspicious behavior of an application provided by an embodiment of the present invention.
  • the apparatus 400 includes:
  • the determining unit 410 is configured to determine the process behavior as a candidate suspicious behavior when determining that the data accessed by the process behavior of the first application belongs to a second application different from the first application, where the data includes at least one of a process, a thread, a file, a directory, and a registry key;
  • the sending unit 420 is configured to send behavior characteristic information of the process behavior to the data analysis server, so that the data analysis server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is suspicious behavior.
  • the determining unit 410 is specifically configured to:
  • if the process behavior is a dynamic link library (DLL) file loading behavior of the first application, determine whether the DLL file loaded by the process behavior is a system DLL file;
  • if the DLL file is not a system DLL file, determine the application to which the DLL file belongs;
  • if the DLL file belongs to the second application, determine the process behavior to be the candidate suspicious behavior.
  • the determining unit 410 is specifically configured to:
  • if the process behavior is a registry access behavior of the first application, determine the application that created the registry path accessed by the process behavior;
  • if the registry path was created by the second application and is not a publicly accessible path, determine the process behavior to be the candidate suspicious behavior.
  • the determining unit 410 is specifically configured to:
  • if the process behavior is a file access behavior of the first application, determine the application that created the file accessed by the process behavior;
  • if the file was created by the second application and the type of the file is a program file, determine the process behavior to be the candidate suspicious behavior.
  • the determining unit 410 is specifically configured to:
  • if the type of the file accessed by the process behavior is a non-program file, determine whether the application registered for the extension of the file is the first application;
  • if the application registered for the extension is a third application different from the first application, determine the process behavior to be the candidate suspicious behavior.
  • the behavior characteristic information includes: application information to which the process behavior belongs, information of data accessed by the process behavior, and application information to which the data accessed by the process behavior belongs.
  • the apparatus 400 further includes:
  • a first receiving unit configured to: after the sending the behavior characteristic information of the process behavior to the data analysis server, receive the indication information sent by the data analysis server, where the indication information is used to indicate that the process behavior is a normal behavior;
  • the determining unit 410 is further configured to:
  • according to the indication information, determine that the process behavior is a normal behavior.
  • the apparatus 400 further includes:
  • a second receiving unit configured to: after the behavior characteristic information of the process behavior is sent to the data analysis server, receive a request message sent by the data analysis server, where the request message is used to request traceability information of the process behavior, and the traceability information includes at least one of: process information of the process behavior, information of the program file corresponding to the process behavior, and relationship information between the process creator of the process behavior and the program file creator;
  • the sending unit 420 is further configured to send the traceability information to the data analysis server according to the request message.
  • the apparatus 400 herein is embodied in the form of a functional unit.
  • the term "unit" herein may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (for example a shared processor, a dedicated processor, or a group of processors) and memory for executing one or more software or firmware programs, merged logic, and/or other suitable components that support the described functionality.
  • the device 400 may specifically be the first terminal device in the foregoing embodiment, and may be used to perform the various processes and/or steps corresponding to the first terminal device in the foregoing method embodiment; to avoid repetition, they are not described again here.
  • FIG. 5 shows an apparatus 500 for determining suspicious behavior of an application provided by an embodiment of the present invention.
  • the apparatus 500 includes:
  • the receiving unit 510 is configured to receive behavior characteristic information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application, the data accessed by the first process behavior belongs to a second application different from the first application, and the data includes at least one of a process, a thread, a file, a directory, and a registry entry;
  • the determining unit 520 is configured to determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
  • the determining unit 520 is specifically configured to:
  • determine whether the first process behavior belongs to a set of trusted behaviors, where the set of trusted behaviors includes at least one trusted behavior; if the first process behavior belongs to the set of trusted behaviors, determine that the first process behavior is a normal behavior; if the first process behavior does not belong to the set of trusted behaviors, determine that the first process behavior is suspicious.
  • the receiving unit 510 is further configured to: receive behavior characteristic information of a plurality of second process behaviors sent by each of at least one second terminal device;
  • the determining unit 520 is further configured to: determine the set of trusted behaviors by using a data mining algorithm according to the behavior characteristic information of the plurality of second process behaviors, where the set of trusted behaviors includes at least one of the plurality of second process behaviors;
  • the behavior characteristic information of the first process behavior includes: information of the application to which the first process behavior belongs, information of the data accessed by the first process behavior, and information of the application to which the data accessed by the first process behavior belongs;
  • the behavior characteristic information of the plurality of second process behaviors includes: information of the applications to which the plurality of second process behaviors belong, information of the data accessed by the plurality of second process behaviors, and information of the applications to which the data accessed by the plurality of second process behaviors belongs.
  • the device further includes:
  • the first sending unit is configured to send, to the first terminal device, indication information, after the determining unit determines that the first process behavior is a normal behavior, the indication information is used to indicate that the first process behavior is a normal behavior.
  • the device further includes:
  • a second sending unit configured to: after the determining unit determines that the first process behavior is a suspicious behavior, send a request message to the first terminal device, where the request message is used to request traceability information of the first process behavior, and the traceability information includes at least one of: process information of the first process behavior, information of the program file corresponding to the first process behavior, and relationship information between the process creator of the first process behavior and the program file creator;
  • the receiving unit 510 is further configured to: receive the traceability information that is sent by the first terminal device according to the request message;
  • the device further includes: a display unit, configured to display the traceability information through a background management interface.
  • the apparatus 500 herein is embodied in the form of a functional unit.
  • the term "unit" herein may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (for example a shared processor, a dedicated processor, or a group of processors) and memory for executing one or more software or firmware programs, merged logic, and/or other suitable components that support the described functionality.
  • the device 500 may specifically be the data analysis server in the foregoing embodiment, and may be used to perform the various processes and/or steps corresponding to the data analysis server in the foregoing method embodiments; to avoid repetition, they are not described again here.
  • FIG. 6 illustrates an apparatus 600 for determining suspicious behavior of an application provided by an embodiment of the present invention.
  • the apparatus 600 includes a processor 610, a transmitter 620, a receiver 630, a memory 640, and a bus system 650, where the processor 610, the transmitter 620, the receiver 630, and the memory 640 are connected through the bus system 650. The memory 640 is configured to store instructions, and the processor 610 is configured to execute the instructions stored in the memory 640 to control the transmitter 620 to transmit signals and to control the receiver 630 to receive signals.
  • the processor 610 is configured to determine the process behavior as a candidate suspicious behavior when determining that the data accessed by the process behavior of the first application belongs to a second application different from the first application, where the data includes at least one of a process, a thread, a file, a directory, and a registry key;
  • the transmitter 620 is configured to send the behavior characteristic information of the process behavior to the data analysis server, so that the data analysis server determines whether the process behavior is suspicious according to the behavior characteristic information of the process behavior.
  • the processor 610 is specifically configured to:
  • if the process behavior is a dynamic link library (DLL) file loading behavior of the first application, determine whether the DLL file loaded by the process behavior is a system DLL file;
  • if the DLL file is not a system DLL file, determine the application to which the DLL file belongs;
  • if the DLL file belongs to the second application, determine the process behavior to be the candidate suspicious behavior.
  • the processor 610 is specifically configured to:
  • if the process behavior is a registry access behavior of the first application, determine the application that created the registry path accessed by the process behavior;
  • if the registry path was created by the second application and is not a publicly accessible path, determine the process behavior to be the candidate suspicious behavior.
  • the processor 610 is specifically configured to:
  • if the process behavior is a file access behavior of the first application, determine the application that created the file accessed by the process behavior;
  • if the file was created by the second application and the type of the file is a program file, determine the process behavior to be the candidate suspicious behavior.
  • the processor 610 is specifically configured to:
  • if the type of the file accessed by the process behavior is a non-program file, determine whether the application registered for the extension of the file is the first application;
  • if the application registered for the extension is a third application different from the first application, determine the process behavior to be the candidate suspicious behavior.
  • the behavior characteristic information includes: application information to which the process behavior belongs, information of data accessed by the process behavior, and application information to which the data accessed by the process behavior belongs.
  • the receiver 630 is configured to: after the behavior characteristic information of the process behavior is sent to the data analysis server, receive indication information sent by the data analysis server, where the indication information is used to indicate that the process behavior is a normal behavior;
  • the processor 610 is further configured to: according to the indication message, determine that the process behavior is a normal behavior.
  • the receiver 630 is further configured to: after the behavior characteristic information of the process behavior is sent to the data analysis server, receive a request message sent by the data analysis server, where the request message is used to request traceability information of the process behavior, and the traceability information includes at least one of: process information of the process behavior, information of the program file corresponding to the process behavior, and relationship information between the process creator of the process behavior and the program file creator;
  • the transmitter 620 is further configured to: send the traceability information to the data analysis server according to the request message.
  • the device 600 may be specifically the terminal device in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the terminal device in the foregoing method embodiments.
  • the memory 640 can include read only memory and random access memory and provide instructions and data to the processor. A portion of the memory may also include a non-volatile random access memory.
  • the memory can also store information of the device type.
  • the processor 610 can be configured to execute the instructions stored in the memory, and when the processor executes the instructions stored in the memory, the processor is operative to perform the various steps and/or processes of the method embodiments described above.
  • FIG. 7 illustrates an apparatus 700 for determining suspicious behavior of an application provided by an embodiment of the present invention.
  • the apparatus 700 includes a receiver 710, a processor 720, a transmitter 730, a memory 740, and a bus system 750.
  • the receiver 710, the processor 720, the transmitter 730 and the memory 740 are connected through the bus system 750. The memory 740 is configured to store instructions, and the processor 720 is configured to execute the instructions stored in the memory 740 to control the receiver 710 to receive signals and to control the transmitter 730 to transmit signals.
  • the receiver 710 is configured to receive behavior characteristic information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application, the data accessed by the first process behavior belongs to a second application different from the first application, and the data includes at least one of a process, a thread, a file, a directory, and a registry entry;
  • the processor 720 is configured to determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
  • the processor 720 is specifically configured to: determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a set of trusted behaviors, where the set of trusted behaviors includes at least one trusted behavior; and
  • if the first process behavior does not belong to the set of trusted behaviors, determine that the first process behavior is suspicious.
  • the receiver 710 is further configured to: receive behavior characteristic information of a plurality of second process behaviors sent by each second terminal device of at least one second terminal device;
  • the processor 720 is also configured to: determine the set of trusted behaviors from the behavior characteristic information of the plurality of second process behaviors by using a data mining algorithm, where the set of trusted behaviors includes at least one of the plurality of second process behaviors.
  • the behavior characteristic information of the first process behavior includes: information of the application to which the first process behavior belongs, information of the data accessed by the first process behavior, and information of the application to which the data accessed by the first process behavior belongs;
  • the behavior characteristic information of the plurality of second process behaviors includes: information of the applications to which the plurality of second process behaviors belong, information of the data accessed by the plurality of second process behaviors, and information of the applications to which the data accessed by the plurality of second process behaviors belongs.
  • the transmitter 730 is configured to: after the processor 720 determines that the first process behavior is a normal behavior, send indication information to the first terminal device, where the indication information indicates that the first process behavior is a normal behavior.
  • the transmitter 730 is further configured to: after the processor 720 determines that the first process behavior is a suspicious behavior, send a request message to the first terminal device, where the request message requests traceability information of the first process behavior, and the traceability information includes at least one of process information of the first process behavior, information of the program file corresponding to the first process behavior, and relationship information between the process creator and the program file creator of the first process behavior;
  • the receiver 710 is further configured to: receive the traceability information sent by the first terminal device according to the request message;
  • the processor 720 is configured to display the traceability information through a background management interface.
  • the apparatus 700 may be specifically the data analysis server in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the data analysis server in the foregoing method embodiment.
  • the memory 740 can include read only memory and random access memory and provide instructions and data to the processor. A portion of the memory may also include a non-volatile random access memory.
  • the memory can also store information of the device type.
  • the processor 720 can be configured to execute instructions stored in a memory, and when the processor executes the instructions, the processor can perform various steps and/or processes corresponding to the data analysis server in the above method embodiments.
  • the processor may be a central processing unit (CPU), or another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general purpose processor may be a microprocessor, or any conventional processor or the like.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
  • the software module may be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory, electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory, and the processor reads the instructions in the memory and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, or an electrical, mechanical or other form of connection.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A method and an apparatus for determining suspicious behavior of an application program. The method comprises: when a terminal device (110) determines that the data accessed by a process behavior of a first application program belongs to a second application program different from the first application program, the terminal device (110) determines that the process behavior is a candidate suspicious behavior, the data comprising at least one of a process, a thread, a file, a directory, or a registry entry; the terminal device (110) sends behavior characteristic information of the process behavior to a data analysis server (120), so that the data analysis server (120) determines, on the basis of the behavior characteristic information of the process behavior, whether the process behavior is suspicious behavior. On this basis, suspicious behavior that illegally accesses application program data on the terminal device (110) can be determined; compared with the prior art, the method does not need to rely on security software, does not require the user to take part in the determination, and can improve the accuracy and reliability of determining suspicious behavior, thereby improving overall system performance.

Description

Method and apparatus for determining suspicious behavior of an application
This application claims priority to Chinese Patent Application No. 201610266466.5, filed with the Chinese Patent Office on April 26, 2016 and entitled "Method and apparatus for determining suspicious behavior of an application", the entire contents of which are incorporated herein by reference.
Technical field
Embodiments of the present invention relate to the field of computers, and more specifically, to a method and apparatus for determining suspicious behavior of an application.
Background
Inside an enterprise, checks for Advanced Persistent Threat (APT) attacks generally rely on big-data analysis: analyzing traffic on the enterprise network, analyzing files in a sandbox in an attempt to discover advanced threats that traditional signature matching cannot identify, and analyzing the alert logs of the various conventional security inspection devices. The purpose of all of these analyses is to discover security problems inside the enterprise in time and to reduce as far as possible the losses that advanced threats cause the enterprise.
Traditional host-based defense methods are mainly intended to prevent suspicious behavior from attacking the system. Such a defense method must rely on security software, which monitors the process behavior of all applications on the host. IT staff preset an access control policy in the security software to control the applications' access to system data. If a process behavior does not satisfy that access control policy, the security software judges the process behavior to be suspicious. After detecting suspicious behavior, the security software alerts the user currently using the host directly and lets the user choose whether to block the suspicious behavior.
However, the traditional defense method only covers the rules for applications' access to system data; it cannot prevent suspicious behavior that illegally accesses application data, for example suspicious behavior that steals or tampers with application data. In addition, since ordinary users do not have much computer knowledge, the traditional approach of letting the user decide whether to block suspicious behavior is not very appropriate.
Summary of the invention
Embodiments of the present invention provide a method and apparatus for determining suspicious behavior of an application, which can determine suspicious behavior that illegally accesses application data, thereby improving overall system performance.
According to a first aspect, a method for determining suspicious behavior of an application is provided, including: when a terminal device determines that data accessed by a process behavior of a first application belongs to a second application different from the first application, the terminal device determines the process behavior to be a candidate suspicious behavior, where the data includes at least one of a process, a thread, a file, a directory and a registry entry; and the terminal device sends behavior characteristic information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is suspicious behavior.
Specifically, when the data accessed by a process behavior of the first application of the terminal device belongs to the second application, the terminal device determines that the process behavior is a candidate suspicious behavior. For example, suppose the second application includes process P1 and process P2. If P1 creates file F during its execution, then file F belongs to the second application. If process P2 accesses file F during its execution, the behavior of P2 can be regarded as legitimate; if a process P3 of the first application, which is different from the second application, accesses file F, the behavior of P3 is a candidate suspicious behavior.
In this way, on the basis of data access rules between applications, the embodiment of the present invention has the terminal device pick out candidate suspicious behaviors from all the process behaviors it detects and send the behavior characteristic information of those candidates to the data analysis server; the data analysis server then determines, according to that behavior characteristic information, whether each candidate is actually suspicious behavior, and thereby identifies suspicious behavior on the terminal device that illegally accesses application data. Compared with the prior art, the method does not need to rely on security software and does not require the user to take part in the determination, which can improve the accuracy and reliability of the suspicious-behavior judgement and thereby improve overall system performance.
Optionally, the terminal device may be a host or a client.
Optionally, before the terminal device determines the process behavior to be a candidate suspicious behavior, the terminal device may determine the relationship information between applications and data in the system in several ways. The terminal device may obtain the relationship information between the existing applications and data in the system by collecting system information; it may obtain, by real-time monitoring, the relationship between each application in the system and the data that application creates; and it may also determine whether the system is currently installing an application and, if so, associate the data created during the installation with that application. Having determined the relationship information between applications and data in the system, the terminal device can use it to determine the application to which the data accessed by a process behavior of the first application belongs, and thereby determine the candidate suspicious behavior.
In a first possible implementation of the first aspect, the terminal device determining the process behavior to be a candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application belongs to a second application different from the first application includes: if the process behavior is a dynamic link library (DLL) file loading behavior of the first application, the terminal device determines whether the DLL file loaded by the process behavior is a system DLL file; if the DLL file is not a system DLL file, the terminal device determines the application to which the DLL file belongs; and if the DLL file belongs to the second application, which is different from the first application, the terminal device determines the process behavior to be the candidate suspicious behavior.
With reference to the foregoing possible implementations of the first aspect, in a second possible implementation of the first aspect, the terminal device determining the process behavior to be a candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application belongs to a second application different from the first application includes: if the process behavior is a registry access behavior of the first application, the terminal device determines the application that created the registry path accessed by the process behavior; if the registry path was created by the second application, which is different from the first application, the terminal device determines whether the registry path is a publicly accessible path; and if the registry path is not a publicly accessible path, the terminal device determines the process behavior to be the candidate suspicious behavior.
With reference to the foregoing possible implementations of the first aspect, in a third possible implementation of the first aspect, the terminal device determining the process behavior to be a candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application belongs to a second application different from the first application includes: if the process behavior is a file access behavior of the first application, the terminal device determines the application that created the file accessed by the process behavior; if the file accessed by the process behavior was created by the second application, which is different from the first application, the terminal device determines the type of the file accessed by the process behavior; and if the file accessed by the process behavior is a program file, the terminal device determines the process behavior to be the candidate suspicious behavior.
With reference to the foregoing possible implementations of the first aspect, in a fourth possible implementation of the first aspect, if the type of the file accessed by the process behavior is a non-program file, the terminal device determines the application registered for the extension of the file accessed by the process behavior; and if the application registered for that extension is a third application different from the first application, the terminal device determines the process behavior to be the candidate suspicious behavior.
With reference to the foregoing possible implementations of the first aspect, in a fifth possible implementation of the first aspect, if the first process behavior is a process creation behavior, the terminal device determines whether the process created by the first process behavior belongs to the first application; if the process created by the first process behavior does not belong to the first application, the terminal device determines whether that process is a system process of the first terminal device; and if the process is not a system process of the first terminal device, the first terminal device determines the first process behavior to be the first candidate suspicious behavior.
With reference to the foregoing possible implementations of the first aspect, in a sixth possible implementation of the first aspect, if the first process behavior is a thread creation behavior, the terminal device determines the application to which the thread created by the first process behavior belongs; and if the thread created by the first process behavior belongs to the second application, which is different from the first application, the first terminal device determines the first process behavior to be the first candidate suspicious behavior.
It should be understood that suspicious application behavior comes in many kinds, including but not limited to: cross-process thread injection, loading a DLL file of unknown origin, accessing a file that does not belong to the application, accessing a registry entry that does not belong to the application, modifying system files, deleting system files, modifying the system registry, deleting system registry entries, and so on. The above therefore only lists some of these cases for description; the other cases are similar.
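The following is an added worked example, not code from the patent or from the applicant: it encodes the six terminal-side screening rules above (DLL loading, registry access, program and non-program file access, process creation, thread creation) as plain Python over constructed event records, and emits the behavior characteristic information the terminal would send for each candidate. The ownership map, system DLL and system process lists, public registry paths and extension registrations are assumed inputs; on a real host they would be built from the install-time and run-time monitoring the text describes.

```python
"""Terminal-side screening of candidate suspicious behavior (added example)."""
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

SYSTEM = "system"  # assumed owner label for data shipped with the OS


@dataclass(frozen=True)
class Context:
    owner_of: Dict[str, str]            # data identifier -> application that created it
    system_dlls: FrozenSet[str]         # DLL paths that belong to the OS
    public_registry: FrozenSet[str]     # registry paths any application may use
    ext_registered_to: Dict[str, str]   # file extension -> application registered for it
    system_processes: FrozenSet[str]    # process images that belong to the OS


@dataclass(frozen=True)
class Event:
    kind: str            # dll_load | registry_access | file_access | process_create | thread_create
    app: str             # the first application, i.e. the one performing the behavior
    target: str          # DLL path, registry path, file path, or image of the created/target process
    is_program_file: bool = False   # only meaningful for file_access


def is_candidate(ctx: Context, ev: Event) -> bool:
    """True when the behavior crosses an application boundary in a way the rules flag."""
    owner: Optional[str] = ctx.owner_of.get(ev.target)
    # Assumption: for DLL, registry, file and thread rules, data with no recorded
    # owner is attributed to no second application and is therefore not flagged.
    if ev.kind == "dll_load":
        if ev.target in ctx.system_dlls:
            return False
        return owner is not None and owner != ev.app
    if ev.kind == "registry_access":
        if owner is None or owner == ev.app:
            return False
        return ev.target not in ctx.public_registry
    if ev.kind == "file_access":
        if owner is None or owner == ev.app:
            return False
        if ev.is_program_file:
            return True
        ext = os.path.splitext(ev.target)[1].lstrip(".").lower()
        registered = ctx.ext_registered_to.get(ext)
        return registered is not None and registered != ev.app
    if ev.kind == "process_create":
        # The rule only asks whether the new process is the app's own or the system's,
        # so an image with no recorded owner is flagged.
        if owner == ev.app:
            return False
        return ev.target not in ctx.system_processes
    if ev.kind == "thread_create":
        return owner is not None and owner != ev.app
    raise ValueError(f"unknown behavior kind: {ev.kind}")


def characteristics(ctx: Context, ev: Event) -> dict:
    """Behavior characteristic information as the seventh implementation lists it."""
    return {"app": ev.app, "data": ev.target, "data_owner": ctx.owner_of.get(ev.target)}


def screen(ctx: Context, events: List[Event]) -> List[dict]:
    """Characteristic info of every candidate, i.e. what the terminal would send the server."""
    return [characteristics(ctx, e) for e in events if is_candidate(ctx, e)]


# Constructed sample host state and event trace (not captured from a real system).
SAMPLE_CONTEXT = Context(
    owner_of={
        "C:/Program Files/Editor/editor.exe": "Editor",
        "C:/Program Files/Editor/plugin.dll": "Editor",
        "HKCU/Software/Editor/Recent": "Editor",
        "HKCU/Software/Editor/Shared": "Editor",
        "C:/Users/alice/Documents/notes.edt": "Editor",
        "C:/Program Files/Mailer/mailer.exe": "Mailer",
        "C:/Program Files/Mailer/helper.exe": "Mailer",
        "C:/Windows/System32/kernel32.dll": SYSTEM,
        "C:/Windows/System32/svchost.exe": SYSTEM,
    },
    system_dlls=frozenset({"C:/Windows/System32/kernel32.dll"}),
    public_registry=frozenset({"HKCU/Software/Editor/Shared"}),
    ext_registered_to={"edt": "Editor", "txt": "Notepad"},
    system_processes=frozenset({"C:/Windows/System32/svchost.exe"}),
)

SAMPLE_EVENTS = [
    Event("dll_load", "Mailer", "C:/Windows/System32/kernel32.dll"),             # system DLL: not flagged
    Event("dll_load", "Mailer", "C:/Program Files/Editor/plugin.dll"),           # Editor's DLL: candidate
    Event("registry_access", "Mailer", "HKCU/Software/Editor/Shared"),           # public path: not flagged
    Event("registry_access", "Mailer", "HKCU/Software/Editor/Recent"),           # private path: candidate
    Event("file_access", "Mailer", "C:/Program Files/Editor/editor.exe", True),  # Editor's program file: candidate
    Event("file_access", "Mailer", "C:/Users/alice/Documents/notes.edt"),        # .edt registered to Editor: candidate
    Event("file_access", "Editor", "C:/Users/alice/Documents/notes.edt"),        # own data: not flagged
    Event("process_create", "Mailer", "C:/Program Files/Mailer/helper.exe"),     # own process: not flagged
    Event("process_create", "Mailer", "C:/Windows/System32/svchost.exe"),        # system process: not flagged
    Event("process_create", "Mailer", "C:/Program Files/Editor/editor.exe"),     # Editor's process: candidate
    Event("thread_create", "Mailer", "C:/Program Files/Editor/editor.exe"),      # cross-process thread: candidate
    Event("thread_create", "Editor", "C:/Program Files/Editor/editor.exe"),      # own process: not flagged
]

if __name__ == "__main__":
    for c in screen(SAMPLE_CONTEXT, SAMPLE_EVENTS):
        print(c)
```

Note that the rules depend entirely on the completeness of the ownership map: a file or registry path created before monitoring started and never attributed during system-information collection has no owner and slips past the DLL, registry, file and thread rules, which is why the text couples screening with the install-time and run-time relationship tracking.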
With reference to the foregoing possible implementations of the first aspect, in a seventh possible implementation of the first aspect, the behavior characteristic information includes: information of the application to which the process behavior belongs, information of the data accessed by the process behavior, and information of the application to which the data accessed by the process behavior belongs.
With reference to the foregoing possible implementations of the first aspect, in an eighth possible implementation of the first aspect, after the terminal device sends the behavior characteristic information of the process behavior to the data analysis server, the method further includes: the terminal device receives indication information sent by the data analysis server, where the indication information indicates that the process behavior is normal behavior; and the terminal device determines, according to the indication message, that the process behavior is normal behavior.
In this way, if the terminal device detects the same process behavior again, it will no longer send the behavior characteristic information of that process behavior to the data analysis server. The method can therefore not only improve the accuracy with which the terminal device detects candidate suspicious behavior, but also avoid sending unnecessary behavior characteristic information, thereby saving signaling overhead.
With reference to the foregoing possible implementations of the first aspect, in a ninth possible implementation of the first aspect, after the terminal device sends the behavior characteristic information of the process behavior to the data analysis server, the method further includes: the terminal device receives a request message sent by the data analysis server, where the request message requests traceability information of the process behavior, and the traceability information includes at least one of the following: process information of the process behavior, information of the program file corresponding to the process behavior, and relationship information between the process creator of the process behavior and the program file creator; and the terminal device sends the traceability information to the data analysis server according to the request message.
Specifically, after determining that the process behavior is suspicious behavior, the data analysis server may request the traceability information of the process behavior from the terminal device, and the terminal device sends the traceability information of the suspicious behavior to the data analysis server. IT administrators who obtain the traceability information through the data analysis server can then reconstruct from it when and how the suspicious behavior appeared, which helps subsequent investigation and evidence collection for the attack incident.
According to a second aspect, another method for determining suspicious behavior of an application is provided, including: a data analysis server receives behavior characteristic information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application and the data accessed by the first process behavior belongs to a second application different from the first application, the data including at least one of a process, a thread, a file, a directory and a registry entry; and the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is suspicious behavior.
In a first possible implementation of the second aspect, the data analysis server determining, according to the behavior characteristic information of the first process behavior, whether the first process behavior is suspicious behavior includes: the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior; and if it determines that the first process behavior does not belong to the trusted behavior set, the data analysis server determines that the first process behavior is suspicious behavior.
With reference to the foregoing possible implementations of the second aspect, in a second possible implementation of the second aspect, before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, the method further includes: the data analysis server receives behavior characteristic information of multiple second process behaviors sent by each second terminal device of at least one second terminal device; and the data analysis server determines the trusted behavior set by applying a data mining algorithm to the behavior characteristic information of the multiple second process behaviors sent by the at least one second terminal device, where the trusted behavior set includes at least one of the multiple second process behaviors.
Optionally, the data mining algorithm may be a frequent itemset algorithm, a support vector machine algorithm, a decision tree algorithm, or the like.
With reference to the foregoing possible implementations of the second aspect, in a third possible implementation of the second aspect, the behavior characteristic information of the first process behavior includes: information of the application to which the first process behavior belongs, information of the data accessed by the first process behavior, and information of the application to which the data accessed by the first process behavior belongs; and the behavior characteristic information of the multiple second process behaviors includes: information of the applications to which the multiple second process behaviors belong, information of the data accessed by the multiple second process behaviors, and information of the applications to which the data accessed by the multiple second process behaviors belongs.
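The following is an added worked example, not code from the patent or from the applicant, covering the server side described in the second aspect together with the indication and traceability exchange of the eighth and ninth implementations of the first aspect. Each second terminal's batch of behavior characteristic information is treated as one transaction whose items are (application, data accessed, owner of the data) triples; the trusted behavior set is the set of items that reach a minimum support, i.e. the single-item pass of the Apriori frequent itemset algorithm, which the text names as one candidate data mining method. The support threshold, the message layouts, the traceability field names and all sample data are assumptions.

```python
"""Server-side trusted behavior set and the messages that follow a verdict (added example)."""
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Behavior = Tuple[str, str, str]   # (app performing the behavior, data accessed, app owning the data)
TRACE_FIELDS = ("process_info", "program_file_info", "creator_relationship")   # assumed field names


def mine_trusted_set(reports: Dict[str, Iterable[Behavior]], min_support: float) -> FrozenSet[Behavior]:
    """Behaviors reported by at least min_support of the reporting terminals (Apriori, 1-itemsets)."""
    if not reports:
        return frozenset()
    votes: Counter = Counter()
    for behaviors in reports.values():
        votes.update(set(behaviors))        # one vote per terminal however often it repeats a behavior
    needed = min_support * len(reports)
    return frozenset(b for b, n in votes.items() if n >= needed)


def judge(trusted: FrozenSet[Behavior], reported: Behavior) -> dict:
    """Verdict for a first terminal's candidate plus the message the server sends back."""
    if reported in trusted:
        return {"verdict": "normal",
                "message": {"type": "indication", "normal": True, "behavior": reported}}
    return {"verdict": "suspicious",
            "message": {"type": "trace_request", "behavior": reported, "fields": list(TRACE_FIELDS)}}


class Terminal:
    """The first terminal's side: reports candidates, remembers cleared ones, answers trace requests."""

    def __init__(self, process_table: Dict[str, Dict[str, str]]):
        self.process_table = process_table   # assumed local record keyed by application
        self.cleared: set = set()
        self.sent: List[Behavior] = []

    def report(self, behavior: Behavior) -> bool:
        """Send characteristic info unless the server already marked this behavior normal."""
        if behavior in self.cleared:
            return False
        self.sent.append(behavior)
        return True

    def handle(self, message: dict) -> Optional[dict]:
        """Apply an indication, or build the traceability reply to a trace request."""
        if message["type"] == "indication" and message["normal"]:
            self.cleared.add(message["behavior"])
            return None
        if message["type"] == "trace_request":
            record = self.process_table.get(message["behavior"][0], {})
            return {f: record[f] for f in message["fields"] if f in record}
        raise ValueError(f"unexpected message type: {message['type']}")


# Constructed sample data (not from any real deployment).
B_ATTACH = ("Mailer", "C:/Users/alice/Documents/notes.edt", "Editor")    # common: attaching a document
B_UPDATE = ("Updater", "C:/Program Files/Mailer/mailer.exe", "Mailer")    # common: updater rewriting Mailer
B_INJECT = ("Mailer", "C:/Program Files/Editor/editor.exe", "Editor")     # rare: thread into Editor's process

SAMPLE_REPORTS = {                     # second terminals -> the candidates they reported
    "t2": [B_ATTACH, B_UPDATE],
    "t3": [B_ATTACH, B_UPDATE, B_UPDATE],
    "t4": [B_UPDATE],
    "t5": [B_ATTACH, B_UPDATE],
}
SAMPLE_PROCESS_TABLE = {
    "Mailer": {"process_info": "pid 4120 mailer.exe, parent explorer.exe",
               "program_file_info": "C:/Program Files/Mailer/mailer.exe, hash <assumed>",
               "creator_relationship": "process started by user alice; file written by Updater"},
}


def run_exchange(first_terminal_candidates: List[Behavior], min_support: float = 0.5) -> List[dict]:
    """Full round trip for one first terminal; returns one record per candidate it detected."""
    trusted = mine_trusted_set(SAMPLE_REPORTS, min_support)
    t1 = Terminal(SAMPLE_PROCESS_TABLE)
    log = []
    for b in first_terminal_candidates:
        if not t1.report(b):
            log.append({"behavior": b, "sent": False})   # already cleared: no signaling
            continue
        result = judge(trusted, b)
        reply = t1.handle(result["message"])
        log.append({"behavior": b, "sent": True, "verdict": result["verdict"], "trace": reply})
    return log


if __name__ == "__main__":
    for entry in run_exchange([B_ATTACH, B_INJECT, B_ATTACH]):
        print(entry)
```

Frequency stands in for trust here: a cross-application behavior that has spread to enough of the second terminals clears the support threshold just as a benign one does, so the threshold and the population the second terminals are drawn from decide how much the trusted set is worth.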
With reference to the foregoing possible implementations of the second aspect, in a fourth possible implementation of the second aspect, the method further includes: if the data analysis server determines that the first process behavior is normal behavior, the data analysis server sends indication information to the first terminal device, where the indication information indicates that the first process behavior is normal behavior.
With reference to the foregoing possible implementations of the second aspect, in a fifth possible implementation of the second aspect, the method further includes: if the data analysis server determines that the first process behavior is suspicious behavior, the data analysis server sends a request message to the first terminal device, where the request message requests traceability information of the first process behavior, and the traceability information includes at least one of process information of the first process behavior, information of the program file corresponding to the first process behavior, and relationship information between the process creator and the program file creator of the first process behavior; the data analysis server receives the traceability information sent by the first terminal device according to the request message; and the data analysis server displays the traceability information through a background management interface.
Specifically, the data analysis server can present the traceability information of the suspicious behavior to IT administrators through the background management interface, so that the administrators can reconstruct from it when and how the suspicious behavior appeared, which helps subsequent investigation and evidence collection for the attack incident.
In a third aspect, an apparatus for determining suspicious behavior of an application is provided, configured to perform the method of the first aspect or any possible implementation of the first aspect.
Specifically, the apparatus may include units for performing the method of the first aspect or any possible implementation of the first aspect.
In a fourth aspect, an apparatus for determining suspicious behavior of an application is provided, configured to perform the method of the second aspect or any possible implementation of the second aspect.
Specifically, the apparatus may include units for performing the method of the second aspect or any possible implementation of the second aspect.
In a fifth aspect, an apparatus for determining suspicious behavior of an application is provided, the apparatus including a receiver, a transmitter, a memory, a processor and a bus system. The receiver, the transmitter, the memory and the processor are connected through the bus system; the memory is configured to store instructions; the processor is configured to execute the instructions stored in the memory so as to control the receiver to receive signals and to control the transmitter to send signals; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the first aspect or any possible implementation of the first aspect.
In a sixth aspect, an apparatus for determining suspicious behavior of an application is provided, the apparatus including a receiver, a transmitter, a memory, a processor and a bus system. The receiver, the transmitter, the memory and the processor are connected through the bus system; the memory is configured to store instructions; the processor is configured to execute the instructions stored in the memory so as to control the receiver to receive signals and to control the transmitter to send signals; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the second aspect or any possible implementation of the second aspect.
In a seventh aspect, a system for determining suspicious behavior of an application is provided, the system including the apparatus of the third aspect or any possible implementation of the third aspect and the apparatus of the fourth aspect or any possible implementation of the fourth aspect; or
the system includes the apparatus of the fifth aspect or any possible implementation of the fifth aspect and the apparatus of the sixth aspect or any possible implementation of the sixth aspect.
In an eighth aspect, a computer readable medium is provided for storing a computer program, the computer program including instructions for performing the method of the first aspect or any possible implementation of the first aspect.
In a ninth aspect, a computer readable medium is provided for storing a computer program, the computer program including instructions for performing the method of the second aspect or any possible implementation of the second aspect.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings required for the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a system to which an embodiment of the present invention is applied.
FIG. 2 is a schematic flowchart of a method for determining suspicious behavior of an application according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of another system for determining suspicious behavior of an application according to an embodiment of the present invention.
FIG. 4 is a schematic block diagram of an apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
FIG. 5 is a schematic block diagram of another apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
FIG. 6 is a schematic block diagram of another apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
FIG. 7 is a schematic block diagram of another apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort shall fall within the protection scope of the present invention.
First, some of the technologies involved in applications in an operating system are briefly introduced. It should be understood that an application consists of a plurality of program files, also referred to as executable program files.
During execution, a program file issues system service requests to the operating system. A system service request may also be called an application programming interface (API) call. API calls may include file reads and writes, memory allocation, network input/output (IO), operations on hardware devices, reads and writes of system configuration, and so on; the embodiments of the present invention do not limit this. Once a program file is run, a process is created in the system, so the embodiments treat program files and processes as being in one-to-one correspondence. In this document, the API calls made by an application's program files during execution are collectively referred to as the "process behavior" of the program file. It should be understood that each process behavior corresponds to one item of behavior characteristic information, and each item of behavior characteristic information includes the paths involved in executing the corresponding process behavior.
In addition, in this document the processes, threads, files, directories, registry keys and so on that are related to an application are collectively referred to as the application's "data". Every installation of an application and every run of an application produces corresponding data; it should be understood that all data other than system data belongs to some specific application.
FIG. 1 shows a system 100 to which an embodiment of the present invention is applied. The system 100 may include at least one terminal device 110 and one data analysis server 120. The terminal device 110 may be mobile or fixed. The terminal device 110 may refer to an access terminal, user equipment (UE), a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus. The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network, a terminal device in a future evolved Public Land Mobile Network (PLMN), or the like. In the embodiments of the present invention, optionally, the terminal device 110 is a host or a client.
The data analysis server 120 may be a file server, a database server, an application server, a web server or the like; the embodiments of the present invention do not limit this.
FIG. 1 shows one terminal device and one data analysis server by way of example; optionally, the system 100 may include a plurality of terminal devices, which the embodiments of the present invention do not limit.
In the embodiments of the present invention, a plurality of terminal devices can exchange information with the data analysis server independently. The data analysis server may therefore be exchanging information with several terminal devices at the same time, and thereby determine the suspicious application behavior of each of them. Since the process by which the data analysis server determines suspicious application behavior is similar for every terminal device, the following description, for ease of understanding, takes as an example the flow in which the data analysis server determines suspicious application behavior in a first terminal device among the plurality of terminal devices.
FIG. 2 is a schematic flowchart of a method for determining suspicious behavior of an application according to an embodiment of the present invention. The method 200 may be applied to the system 100 shown in FIG. 1, but the embodiments of the present invention are not limited to this. The method 200 includes:
S210: when the first terminal device determines that the data accessed by a first process behavior of a first application belongs to a second application different from the first application, it determines the first process behavior to be a candidate suspicious behavior, where the data includes at least one of a process, a thread, a file, a directory and a registry key.
The first terminal device can learn that an application has performed a process behavior through mechanisms provided by existing operating systems. For example, the Windows operating system provides a filter driver mechanism that allows a user to implement extended functionality without affecting the normal functioning of the operating system. First the user writes a driver module and registers it with the operating system. The driver module can implement additional functionality, such as obtaining the information related to a file operation, based on the interfaces and points of interest provided by the filter driver mechanism. Thereafter, whenever a process performs a file input/output (I/O) operation, a registry I/O operation, a network I/O operation or the like, the operating system sends the information related to that operation, such as the process name and the identifier of the file or registry key that is the object of the operation, to the driver module.
Specifically, a plurality of applications may be installed on the first terminal device. When the first terminal device detects a process behavior that belongs to a first application among those applications but accesses data that belongs to a second application, different from the first, the first terminal device regards the process behavior as having accessed data that is not its own and determines it to be a candidate suspicious behavior.
It should be understood that in the embodiments of the present invention the first terminal device does not merely detect the process behavior of all applications in the system; it filters all detected process behaviors, screening the suspected suspicious ones out from the rest according to whether the data accessed by a process behavior belongs to the application to which that process behavior belongs.
It should also be understood that this embodiment describes the determination process for a single process behavior only by way of example; the above method can be applied to determine every process behavior detected by the first terminal device.
Optionally, before the first terminal device determines the first process behavior to be a candidate suspicious behavior, the first terminal device determines the relationship information between the applications and the data in the system. The determination of this relationship information falls into the following three cases:
(1) The first terminal device can obtain the relationship information between the applications already present in the system and their data by collecting system information. For example, the first terminal device can locate an application's installation directory through the registry, assign to that application the program files and non-program files whose file creation time matches the creation time of that directory, and record the product name, company copyright name, digital signature information and so on of the application's program files in an information database.
(2) The first terminal device can obtain, by real-time monitoring, the relationship information between each application in the system and the data it creates. For example, if the first terminal device detects a data creation action by a process, it stores the relationship between the created data and its creator in the information database.
(3) The first terminal device can determine whether the system is installing an application and, if so, associate the data created during the installation with that application. For example, if it detects that a process, or a child process of that process, creates a plurality of program files in one fixed directory, the first terminal device can determine whether that process or child process has registered an application; if so, the first terminal device establishes the relationship between that application and its program files and registry keys, and stores the corresponding relationship information in the information database.
Once the relationship information between applications and data has been determined, the first terminal device can filter the detected process behaviors according to it. For example, suppose the first application includes a process P1 and a process P2. If P1 creates a file F during its execution, the file F belongs to the first application; if P2 accesses the file F during its execution, the behavior of P2 can be regarded as legitimate; whereas if a process P3 of a second application different from the first application accesses the file F, the behavior of P3 is a candidate suspicious behavior.
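The ownership model and the P1/P2/P3 filter above, as an added Python example that is not part of the patent text: it builds the relationship information of cases (2) and (3) from a stream of constructed monitor events (a creation by a process of a known application, and a not-yet-attributed process that drops several program files and then registers an application), then applies the S210 filter and emits the behavior characteristic information (acting application, accessed data, owning application) only for cross-application accesses. The event shape, the program-file extension list and the choice not to report data of unknown ownership are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Feature = Tuple[str, str, str]   # (acting application, accessed data, application owning that data)

@dataclass(frozen=True)
class Event:
    """One operation seen by the monitoring driver (constructed input)."""
    pid: int
    app: Optional[str]   # application the acting process belongs to; None when not yet known
    op: str              # "create" | "access" | "register_app"
    target: str          # file path or registry key; for register_app, the application name

PROGRAM_FILE_EXTS = (".exe", ".dll", ".sys")   # assumption

class RelationshipDB:
    """The 'information database': which application each piece of data belongs to."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}
        self.written_by: Dict[int, List[str]] = defaultdict(list)  # unattributed pid -> data it created

    def record_creation(self, ev: Event) -> None:
        if ev.app is not None:
            # Case (2): data created by a known application's process belongs to that application.
            self.owner.setdefault(ev.target, ev.app)
        else:
            # Case (3), first half: remember what a not-yet-attributed process creates.
            self.written_by[ev.pid].append(ev.target)

    def record_registration(self, ev: Event) -> None:
        # Case (3), second half: the process registered an application. If it had dropped
        # several program files, everything it created during installation now belongs to it.
        created = self.written_by.pop(ev.pid, [])
        if sum(p.lower().endswith(PROGRAM_FILE_EXTS) for p in created) >= 2:
            for path in created:
                self.owner.setdefault(path, ev.target)

    def owner_of(self, target: str) -> Optional[str]:
        return self.owner.get(target)

def filter_event(db: RelationshipDB, ev: Event) -> Optional[Feature]:
    """Step S210: returns the behavior characteristic information to report when the
    event is a candidate suspicious behavior, otherwise None (nothing leaves the terminal)."""
    if ev.op == "create":
        db.record_creation(ev)
        return None
    if ev.op == "register_app":
        db.record_registration(ev)
        return None
    owner = db.owner_of(ev.target)
    # Data owned by the acting application is legitimate; data of unknown ownership is not
    # a cross-application access the terminal can establish (assumption: not reported).
    if ev.app is None or owner is None or owner == ev.app:
        return None
    return (ev.app, ev.target, owner)

def process_events(events: List[Event]) -> Tuple[RelationshipDB, List[Feature]]:
    db = RelationshipDB()
    reports = [f for f in (filter_event(db, ev) for ev in events) if f is not None]
    return db, reports

# constructed: pid 10 installs App2; P1 (pid 21) and P2 (pid 22) belong to App1; P3 (pid 30) to App2
SAMPLE = [
    Event(10, None, "create", r"C:\Program Files\App2\app2.exe"),
    Event(10, None, "create", r"C:\Program Files\App2\helper.dll"),
    Event(10, None, "create", r"C:\Program Files\App2\license.key"),
    Event(10, None, "register_app", "App2"),
    Event(21, "App1", "create", r"C:\ProgramData\App1\F.dat"),          # P1 creates F
    Event(22, "App1", "access", r"C:\ProgramData\App1\F.dat"),          # P2 reads F: legitimate
    Event(30, "App2", "access", r"C:\ProgramData\App1\F.dat"),          # P3 reads F: candidate
    Event(21, "App1", "access", r"C:\Program Files\App2\license.key"),  # App1 reads App2's data: candidate
    Event(22, "App1", "access", r"C:\Windows\notepad.exe"),             # nobody claims it: not reported
]

if __name__ == "__main__":
    _, reports = process_events(SAMPLE)
    for app, data, owner in reports:
        print(f"{app} accessed {data} owned by {owner}")
```

Only the two cross-application reads produce a report; the installer's own writes and P2's read of its own application's file never reach the server, which is the filtering the text describes.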
S220: the first terminal device sends the behavior characteristic information of the first process behavior to the data analysis server.
Specifically, in the embodiments of the present invention, the first terminal device reports the behavior characteristic information of the screened-out candidate suspicious behavior (that is, the first process behavior) directly to the data analysis server, which analyzes and processes the first process behavior.
S230: the data analysis server receives the behavior characteristic information of the first process behavior and determines, according to that information, whether the first process behavior is a suspicious behavior.
Specifically, the data analysis server can receive the behavior characteristic information of the first process behavior that the first terminal device considers suspicious and then judge, from that information, whether the first process behavior is a suspicious behavior.
As an optional embodiment, the data analysis server's determining, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior includes:
the data analysis server determining, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior;
if the first process behavior is determined not to belong to the trusted behavior set, the data analysis server determining that the first process behavior is a suspicious behavior.
Specifically, the data analysis server can judge whether the first process behavior belongs to a trusted behavior set that includes at least one trusted behavior. If the first process behavior belongs to the trusted behavior set, the data analysis server determines that the first process behavior is a normal behavior; if it does not, the data analysis server determines that the first process behavior is a suspicious behavior. More precisely, the data analysis server confirms that the first process behavior belongs to the trusted behavior set when the behavior characteristic information of the first process behavior is identical to that of one trusted behavior in the set; otherwise, when it differs from the behavior characteristic information of every trusted behavior in the set, the data analysis server confirms that the first process behavior does not belong to the set.
In this way, based on data access rules between applications, the terminal device determines candidate suspicious behaviors from all detected process behaviors and sends the behavior characteristic information of the determined candidates to the data analysis server, which decides whether each candidate is a suspicious behavior. The method for determining suspicious behavior of an application according to the embodiments of the present invention can identify suspicious behavior that illegitimately accesses application data without relying on security software and without user participation.
It should be understood that the numbering of the above steps does not imply an order of execution; the order in which the steps are performed should be determined by their function and internal logic and does not limit the implementation of the embodiments of the present invention in any way.
In the prior art, a host determines suspicious behavior by directly using security software, which monitors the process behavior of all applications in the system. IT staff preset an access control policy in the security software that governs the access of application process behavior to system data. If a process behavior does not satisfy the access control policy, the security software judges that process behavior to be suspicious. After detecting a suspicious behavior, the security software alerts the user currently using the host directly and lets the user choose whether to block it. The traditional host-based defense method is therefore mainly intended to prevent suspicious behavior from attacking the system, and it necessarily relies on security software.
However, the traditional defense method only concerns the rules governing application access to system data; it does not consider data access rules between applications and cannot prevent suspicious behavior that illegitimately accesses application data, for example stealing or tampering with application data. Moreover, since ordinary users have little computer knowledge, leaving the user to decide whether to block a suspicious behavior, as the traditional method does, is not very appropriate.
Therefore, the embodiments of the present invention, based on data access rules between applications, have the terminal device determine candidate suspicious behaviors from the detected process behaviors and send the behavior characteristic information of the determined candidates to the data analysis server, which determines whether each candidate is a suspicious behavior. Suspicious behavior that illegitimately accesses application data on the terminal device can thus be identified. Compared with the prior art, the method does not rely on security software and does not require the user to take part in the decision, which improves the accuracy and reliability of the suspicious behavior judgment and thereby the overall performance of the system.
作为一个可选的实施例,在S210中,该第一终端设备确定候选可疑行为可以根据进程行为的具体类型分为多种情况。As an optional embodiment, in S210, the first terminal device determines that the candidate suspicious behavior may be classified into multiple cases according to the specific type of the process behavior.
可选地,若该第一进程行为是该第一应用程序的动态链接库(Dynamic Link Library,DLL)文件加载行为,则该第一终端设备确定该第一进程行为所加载的DLL文件是否为系统DLL文件;若该DLL文件不是系统DLL文件,则该第一终端设备确定该DLL文件所属的应用程序;若该DLL文件属于不同于该第一应用程序的该第二应用程序,则该第一终端设备将该第一进程行为确定为该候选可疑行为。Optionally, if the first process behavior is a dynamic link library (DLL) file loading behavior of the first application, the first terminal device determines whether the DLL file loaded by the first process behavior is a system DLL file; if the DLL file is not a system DLL file, the first terminal device determines an application to which the DLL file belongs; and if the DLL file belongs to the second application different from the first application, the A terminal device determines the first process behavior as the candidate suspicious behavior.
可选地,若该第一进程行为是该第一应用程序的注册表访问行为,则该第一终端设备确定创建该第一进程行为所访问的注册表的路径的应用程序;若该注册表的路径由不同于该第一应用程序的该第二应用程序创建,则该第一终端设备确定该注册表的路径是否为公共可访问路径;若该注册表的路径不是公共可访问路径,则该第一终端设备将该第一进程行为确定为候选可疑行为。Optionally, if the first process behavior is a registry access behavior of the first application, the first terminal device determines an application that creates a path of a registry accessed by the first process behavior; if the registry The path is created by the second application different from the first application, the first terminal device determines whether the path of the registry is a publicly accessible path; if the path of the registry is not a publicly accessible path, then The first terminal device determines the first process behavior as a candidate suspicious behavior.
可选地,若该第一进程行为是该第一应用程序的文件访问行为,则该第一终端设备确定创建该第一进程行为所访问的文件的应用程序;若该第一进程行为所访问的文件由不同于该第一应用程序的该第二应用程序创建,则该 第一终端设备确定该第一进程行为所访问的文件的类型;若该第一进程行为所访问的文件的类型是程序文件,则该第一终端设备可以直接将该第一进程行为确定为候选可疑行为。Optionally, if the first process behavior is a file access behavior of the first application, the first terminal device determines an application that creates a file accessed by the first process behavior; if the first process behavior is accessed The file is created by the second application different from the first application, then the file Determining, by the first terminal device, a type of the file accessed by the first process behavior; if the type of the file accessed by the first process behavior is a program file, the first terminal device may directly determine the first process behavior as a candidate Suspicious behavior.
可选地,若该第一进程行为所访问的文件的类型是非程序文件,则该第一终端设备确定该第一进程行为所访问的文件的扩展名所注册的应用程序;若该第一进程行为所访问的文件的扩展名所注册的应用程序为不同于该第一应用程序的第三应用程序,则该第一终端设备将该第一进程行为确定为候选可疑行为;Optionally, if the type of the file accessed by the first process behavior is a non-program file, the first terminal device determines an application registered by the extension of the file accessed by the first process behavior; if the first process behavior If the application registered by the extension of the accessed file is a third application different from the first application, the first terminal device determines the first process behavior as a candidate suspicious behavior;
可选地,若该第一进程行为是进程创建行为,则该终端设备确定该第一进程行为所创建的进程是否属于该第一应用程序;若该第一进程行为所创建的进程不属于该第一应用程序,则该终端设备确定该进程是否为该第一终端设备的系统进程;若该进程不是该第一终端设备的系统进程,则该第一终端设备将该第一进程行为确定为该第一候选可疑行为。Optionally, if the first process behavior is a process creation behavior, the terminal device determines whether the process created by the first process behavior belongs to the first application; if the process created by the first process behavior does not belong to the a first application, the terminal device determines whether the process is a system process of the first terminal device; if the process is not a system process of the first terminal device, the first terminal device determines the first process behavior as The first candidate suspicious behavior.
这里,第一进程行为应理解为病毒的行为,第一应用程序的程序文件携带病毒,系统运行该程序文件时,病毒会创建新的进程,但是这个进程并不属于该第一应用程序。因此,根据上述判断条件就可以判断出来应用程序是否携带病毒。Here, the first process behavior should be understood as the behavior of the virus. The program file of the first application carries the virus. When the system runs the program file, the virus creates a new process, but the process does not belong to the first application. Therefore, based on the above judgment conditions, it can be determined whether the application carries a virus.
可选地,若该第一进程行为是线程创建行为,则该终端设备确定该第一进程行为所创建的线程该的应用程序;若该第一进程行为所创建的线程属于不同于该第一应用程序的该第二应用程序,则该第一终端设备将该第一进程行为确定为该第一候选可疑行为。Optionally, if the first process behavior is a thread creation behavior, the terminal device determines an application of the thread created by the first process behavior; if the thread created by the first process behavior is different from the first The second application of the application, the first terminal device determines the first process behavior as the first candidate suspicious behavior.
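The per-type refinements of S210 listed above (DLL loading, registry access, file access, process creation and thread creation), as an added Python example rather than the patent's own code, applied on top of an application-to-data ownership table. The ownership table, the sets of system DLLs, public registry paths and system processes, the program-file extension list and the extension registration table are assumptions: the text says what each rule consults but not how the terminal obtains it. All paths and behaviors are constructed.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Behavior:
    app: str      # the first application: the one the acting process belongs to
    kind: str     # dll_load | registry_access | file_access | process_create | thread_create
    target: str   # DLL path, registry path, file path, or the created process/thread's program file

@dataclass
class Environment:
    owner: Dict[str, str]             # data identifier -> owning application (information database)
    system_dlls: Set[str]             # assumption: the terminal knows which DLLs are system DLLs
    public_registry_paths: Set[str]   # assumption: path prefixes treated as publicly accessible
    system_processes: Set[str]        # assumption: known system process images
    ext_registration: Dict[str, str]  # file extension -> application registered for it

PROGRAM_FILE_EXTS = {".exe", ".dll", ".sys", ".com", ".scr"}   # assumption

def is_candidate(env: Environment, b: Behavior) -> bool:
    owner: Optional[str] = env.owner.get(b.target)
    foreign = owner is not None and owner != b.app   # data belongs to a second application

    if b.kind == "dll_load":
        # System DLLs are never flagged; a non-system DLL owned by another application is.
        return b.target not in env.system_dlls and foreign
    if b.kind == "registry_access":
        # A key created by another application is still fine when its path is public.
        public = any(b.target.startswith(p) for p in env.public_registry_paths)
        return foreign and not public
    if b.kind == "file_access":
        if not foreign:
            return False
        ext = os.path.splitext(b.target)[1].lower()
        if ext in PROGRAM_FILE_EXTS:
            return True     # another application's program file: flagged directly
        # Non-program file: flagged only if its extension is registered to a third
        # application, i.e. one other than the acting (first) application.
        registered = env.ext_registration.get(ext)
        return registered is not None and registered != b.app
    if b.kind == "process_create":
        # The created process belongs neither to the first application nor to the system.
        return owner != b.app and b.target not in env.system_processes
    if b.kind == "thread_create":
        # A thread created inside another application's process (cross-process injection).
        return foreign
    return False

def build_sample_env() -> Environment:
    """Constructed sample environment: App2 is installed beside the acting App1."""
    app2 = r"C:\Program Files\App2"
    return Environment(
        owner={
            app2 + r"\helper.dll": "App2",
            app2 + r"\app2.exe": "App2",
            r"HKCU\Software\App2\Settings": "App2",
            r"HKLM\Software\Classes\App2.Document": "App2",
            r"C:\Users\alice\Documents\report.app2": "App2",
            r"C:\Users\alice\Documents\trace.log": "App2",
        },
        system_dlls={r"C:\Windows\System32\kernel32.dll"},
        public_registry_paths={r"HKLM\Software\Classes"},
        system_processes={r"C:\Windows\System32\svchost.exe"},
        ext_registration={".app2": "App2", ".txt": "Notepad"},
    )

SAMPLE_BEHAVIORS = [   # constructed: every behavior is performed by a process of App1
    Behavior("App1", "dll_load", r"C:\Windows\System32\kernel32.dll"),           # system DLL
    Behavior("App1", "dll_load", r"C:\Program Files\App2\helper.dll"),            # App2's DLL
    Behavior("App1", "registry_access", r"HKCU\Software\App2\Settings"),          # private key of App2
    Behavior("App1", "registry_access", r"HKLM\Software\Classes\App2.Document"),  # public path
    Behavior("App1", "file_access", r"C:\Program Files\App2\app2.exe"),           # App2's program file
    Behavior("App1", "file_access", r"C:\Users\alice\Documents\report.app2"),     # extension registered to App2
    Behavior("App1", "file_access", r"C:\Users\alice\Documents\trace.log"),       # no registration
    Behavior("App1", "process_create", r"C:\Temp\dropper.exe"),                   # belongs to no known app
    Behavior("App1", "process_create", r"C:\Windows\System32\svchost.exe"),       # system process
    Behavior("App1", "thread_create", r"C:\Program Files\App2\app2.exe"),         # thread inside App2
]

def candidates(env: Environment, behaviors: List[Behavior]) -> List[str]:
    """Targets of the behaviors the terminal would report as candidate suspicious."""
    return [b.target for b in behaviors if is_candidate(env, b)]

if __name__ == "__main__":
    for t in candidates(build_sample_env(), SAMPLE_BEHAVIORS):
        print("candidate:", t)
```

Six of the ten constructed behaviors are flagged; the system DLL load, the access to a public registry path, the read of an unregistered non-program file and the creation of a system process fall through the exceptions exactly as the rules above describe.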
应理解,应用程序的可疑行为种类繁多,可以包括但不限于如下种类:跨进程线程注入、加载来历不明的DLL文件、访问不属于自己的文件、访问不属于自己的注册表、修改系统文件、删除系统文件、修改系统注册表、删除系统注册表等等。因此,上文只是列举了其中的一些情况进行描述,其他情况类似,在此不再赘述。It should be understood that there are many types of suspicious behaviors of an application, which may include but are not limited to the following types: inter-process thread injection, loading of unknown DLL files, accessing files that are not their own, accessing a registry that is not their own, modifying system files, Delete system files, modify the system registry, delete the system registry, and more. Therefore, the above is just a list of some of the cases to describe, other situations are similar, and will not be repeated here.
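The client-side filter described on this page (DLL loading, registry access, file access split into program and non-program files with the extension-registration check, process creation and thread creation) collected into one decision routine, written in Python as an added example for this page; it is not code from the patent or from Huawei, and it exercises the decision logic rather than hooking a real Windows system. The application names, paths, the ownership tables a probe is assumed to have (which application created a file or registry key, which application a process image belongs to, which application is registered for an extension) and the set of extensions treated as program files are constructed assumptions.

```python
import os
from dataclasses import dataclass

SYSTEM = "system"  # assumed label for OS-owned DLLs, processes and keys
PROGRAM_EXTENSIONS = {".exe", ".dll", ".sys", ".com", ".scr"}  # assumed "program file" types


@dataclass
class Inventory:
    """Ownership knowledge a real probe would take from the OS; constructed here."""
    file_creator: dict        # file path -> application that created it
    key_creator: dict         # registry key -> application that created it
    public_keys: tuple        # key prefixes any application may use
    system_dlls: set
    process_owner: dict       # process image -> application it belongs to
    system_processes: set
    ext_registered_app: dict  # ".xlsx" -> application registered for it


def is_candidate(app, kind, target, inv):
    """The page's rules: a behavior of `app` is a candidate suspicious behavior
    when it reaches data that is neither its own nor system/public data."""
    if kind == "dll_load":
        if target in inv.system_dlls:
            return False
        # Other application's DLL, or unknown origin (also listed on the page as suspicious).
        return inv.file_creator.get(target) != app
    if kind == "registry":
        creator = inv.key_creator.get(target)
        if creator is None or creator == app:
            return False
        return not target.startswith(inv.public_keys)  # public paths are fine
    if kind == "file":
        creator = inv.file_creator.get(target)
        if creator is None or creator == app:
            return False
        ext = os.path.splitext(target)[1].lower()
        if ext in PROGRAM_EXTENSIONS:
            return True  # another application's program file
        # Non-program file: suspicious only if its extension is registered to a third application.
        registered = inv.ext_registered_app.get(ext)
        return registered is not None and registered != app
    if kind == "process_create":
        # Neither ours nor a system process: the "virus spawns its own process" case.
        return inv.process_owner.get(target) != app and target not in inv.system_processes
    if kind == "thread_create":
        owner = inv.process_owner.get(target)  # another application's process: injection
        return owner is not None and owner != app
    raise ValueError(f"unknown behavior kind {kind!r}")


def behavior_features(app, kind, target, inv):
    """Behavior feature information for the analysis server: acting application,
    accessed data, and the application that data belongs to."""
    if kind in ("process_create", "thread_create"):
        owner = inv.process_owner.get(target)
    elif kind == "registry":
        owner = inv.key_creator.get(target)
    else:
        owner = SYSTEM if target in inv.system_dlls else inv.file_creator.get(target)
    return {"app": app, "kind": kind, "data": target, "data_owner": owner or "unknown"}


def filter_candidates(events, inv):
    """What the probe forwards: feature records of candidate behaviors only."""
    return [behavior_features(*e, inv) for e in events if is_candidate(*e, inv)]


# Constructed sample inventory and event stream for one client running NotesApp.
SAMPLE_INVENTORY = Inventory(
    file_creator={r"C:\Program Files\NotesApp\plugin.dll": "NotesApp",
                  r"C:\Program Files\Vault\vault.exe": "Vault",
                  r"C:\Users\u\Documents\budget.xlsx": "SheetApp",
                  r"C:\Users\u\Documents\todo.txt": "Vault"},
    key_creator={r"HKCU\Software\NotesApp": "NotesApp",
                 r"HKCU\Software\Vault\Secrets": "Vault",
                 r"HKLM\Software\Classes\.txt": "Vault"},
    public_keys=(r"HKLM\Software\Classes",),
    system_dlls={r"C:\Windows\System32\kernel32.dll"},
    process_owner={r"C:\Program Files\Vault\vault.exe": "Vault",
                   r"C:\Windows\System32\cmd.exe": SYSTEM},
    system_processes={r"C:\Windows\System32\cmd.exe"},
    ext_registered_app={".xlsx": "SheetApp", ".txt": "NotesApp"},
)
SAMPLE_EVENTS = [("NotesApp", k, t) for k, t in [
    ("dll_load", r"C:\Windows\System32\kernel32.dll"),            # system DLL
    ("dll_load", r"C:\Users\u\AppData\Local\Temp\x.dll"),          # unknown origin
    ("registry", r"HKCU\Software\NotesApp"),                       # own key
    ("registry", r"HKLM\Software\Classes\.txt"),                   # other's, but public
    ("registry", r"HKCU\Software\Vault\Secrets"),                  # other's, private
    ("file", r"C:\Users\u\Documents\todo.txt"),                    # .txt registered to us
    ("file", r"C:\Users\u\Documents\budget.xlsx"),                 # .xlsx registered to SheetApp
    ("file", r"C:\Program Files\Vault\vault.exe"),                 # other's program file
    ("process_create", r"C:\Windows\System32\cmd.exe"),            # system process
    ("process_create", r"C:\Users\u\AppData\Local\Temp\upd.exe"),  # neither ours nor system
    ("thread_create", r"C:\Program Files\Vault\vault.exe"),        # cross-process thread
]]
```

`filter_candidates(SAMPLE_EVENTS, SAMPLE_INVENTORY)` returns six records: the unknown-origin DLL, the other application's private registry key, the .xlsx file whose extension is registered to a third application, the other application's program file, the child process that is neither the application's own nor a system process, and the thread created in another application's process. The key under HKLM\Software\Classes and the .txt file whose extension is registered to the acting application are filtered out; the public-path and extension-registration checks are what keep ordinary document sharing from reaching the server.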
As an optional embodiment, before the data analysis server determines, according to the behavior feature information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
the data analysis server receives behavior feature information of a plurality of second process behaviors sent by each of at least one second terminal device;
the data analysis server determines the trusted behavior set from the behavior feature information of the plurality of second process behaviors sent by the at least one second terminal device using a data mining algorithm, where the trusted behavior set includes at least one of the plurality of second process behaviors.
It should be understood that the second terminal device in this embodiment may be the same as or different from the first terminal device, and the second process behaviors may be the same as or different from the first process behavior; the embodiments of the present invention impose no limitation on this.
As an optional embodiment, the behavior feature information of the first process behavior includes: information on the application to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application to which the accessed data belongs;
the behavior feature information of the plurality of second process behaviors includes: information on the applications to which the second process behaviors belong, information on the data accessed by the second process behaviors, and information on the applications to which that data belongs.
Specifically, the set of trusted behavior feature information may be generated by data mining, so the second terminal device needs to send the data analysis server behavior feature information that the mining algorithm can consume. After determining a second process behavior, the second terminal device pre-processes the information about that behavior and converts it into behavior feature information. Optionally, the second terminal device sends this information to the data analysis server as a set, which may include: the action of the second process behavior, its destination path, the file name and path of the application to which it belongs, the copyright information of that application, its version information, the header hash of the application's program file, the digital signature information of the program file, and so on.
Because detection of APT attacks generally relies on big data analysis, data mining can surface suspicious behaviors that security software fails to recognize. Optionally, the data mining algorithm may be a frequent itemset algorithm, a support vector machine, a decision tree, or the like; the embodiments of the present invention impose no limitation on this.
As an optional embodiment, after the data analysis server determines, according to the behavior feature information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
if the data analysis server determines that the first process behavior is a normal behavior, the data analysis server sends indication information to the first terminal device, the indication information indicating that the first process behavior is a normal behavior.
The first terminal device receives the indication information sent by the data analysis server and, according to it, determines that the first process behavior is a normal behavior.
In this way, if the first terminal device detects the first process behavior again, it no longer sends the behavior feature information of that behavior to the data analysis server.
As an optional embodiment, after the data analysis server determines, according to the behavior feature information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
if the data analysis server determines that the first process behavior is a suspicious behavior, the data analysis server sends a request message to the first terminal device requesting traceability information of the first process behavior, the traceability information including at least one of: process information of the first process behavior, information on the program file corresponding to the first process behavior, and relationship information between the creator of the process and the creator of the program file;
the first terminal device receives the request message sent by the data analysis server and, according to it, sends the traceability information to the data analysis server;
the data analysis server receives the traceability information sent by the first terminal device according to the request message and displays it through a back-end management interface.
In this embodiment, after identifying a suspicious behavior the data analysis server can display its traceability information through the back-end management interface, so that information technology (IT) administrators can determine the origin of the suspicious behavior from that information.
In a specific embodiment, the terminal device may be a client, and the method for determining suspicious programs may be applied within an enterprise that has multiple clients. As shown in FIG. 3, for example, the enterprise includes client 301, client 302 and client 303, and a monitoring program is deployed on each of them: probe program 304, probe program 305 and probe program 306. These probe programs monitor all process behaviors on the enterprise clients and filter the behaviors they observe: if a process behavior accesses data that does not belong to its own application, the probe program judges that process behavior to be a candidate suspicious behavior.
After determining its candidate suspicious behaviors, each client extracts the behavior feature information of its own candidates.
The probe program on a client sends the behavior feature information of the identified candidate suspicious behaviors to data analysis server 307. Data analysis server 307 continuously receives behavior feature information of candidate suspicious behaviors from different clients and performs statistical analysis on it with a data mining algorithm, generating a trusted behavior set that includes at least one trusted behavior. Once data analysis server 307 has generated the trusted behavior set, it can judge from the behavior feature information of a candidate suspicious behavior whether that candidate is a suspicious behavior.
For example, when data analysis server 307 receives from client 301 the behavior feature information of a process behavior, that is, the behavior feature information of a candidate suspicious behavior, it can judge that process behavior according to this information.
If data analysis server 307 determines that the process behavior is a normal behavior, it sends indication information to client 301 indicating that the process behavior is normal. Having received the indication information, client 301 treats the process behavior as normal; if client 301 later detects the same process behavior again, it no longer sends the behavior feature information of that behavior to data analysis server 307.
If data analysis server 307 determines that the process behavior is a suspicious behavior, it sends a request message to client 301 requesting the traceability information of that process behavior. On receiving the request message, client 301 sends the traceability information of the process behavior to data analysis server 307, which receives it and displays it through the back-end management interface.
Optionally, data analysis server 307 may forward the traceability information to system management server 308. System management server 308 can present the traceability information in real time to the relevant enterprise staff, for example IT administrators, so that they can reconstruct from it when and how the suspicious behavior arose; this aids the later investigation of and evidence collection for the attack.
It should be understood that during the phase in which the trusted set is being built, the judgments of the data analysis server on suspicious behaviors are not necessarily accurate. Because this statistical analysis depends on process behaviors accumulated over a period of time, a given behavior may be counted only a few times at first while its count grows later; the data analysis server therefore needs to revisit previously received process behaviors iteratively so as to improve the accuracy of its judgments.
In the method for determining suspicious behavior of an application according to the embodiments of the present invention, the terminal device determines candidate suspicious behaviors from detected process behaviors on the basis of data access rules between applications and sends the behavior feature information of those candidates to the data analysis server, which determines whether each candidate is a suspicious behavior, so that suspicious behaviors that illegally access application data can be identified. Compared with the prior art, the method does not depend on security software and does not require user involvement in the determination, which improves the accuracy and reliability of suspicious-behavior judgments and thereby the overall performance of the system. On this basis, the embodiments of the present invention can display the traceability information of suspicious behaviors to IT administrators through the back-end management interface, enabling them to reconstruct when and how the suspicious behavior arose, which aids later investigation and evidence collection.
It should be understood that the sequence numbers of the above processes do not imply an order of execution; the order of execution should be determined by their function and internal logic and does not limit the implementation of the embodiments of the present invention in any way.
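The exchange between probes and the data analysis server, from the trusted-set mining in the optional embodiments above through the indication and traceability messages to the backtracking just described, simulated in Python as an added example for this page (it is not code from the patent or from Huawei). A plain support count, the number of distinct terminals that have reported the same feature tuple, stands in for the frequent-itemset, SVM or decision-tree algorithm the page leaves open; the threshold of three terminals, the message field names, the client names 301 to 303 borrowed from FIG. 3 and the traceability contents are assumptions.

```python
from collections import defaultdict

MIN_TERMINALS = 3  # assumed support threshold: distinct terminals reporting one tuple


def feature_key(feature):
    """Behavior feature information as a hashable tuple: acting application,
    behavior kind, owner of the accessed data, and the accessed data."""
    return (feature["app"], feature["kind"], feature["data_owner"], feature["data"])


class AnalysisServer:
    def __init__(self, min_terminals=MIN_TERMINALS):
        self.min_terminals = min_terminals
        self.reporters = defaultdict(set)  # tuple -> terminals that reported it
        self.trusted = set()               # the trusted-behavior set
        self.pending = {}                  # (terminal, tuple) -> open suspicious verdict
        self.traces = []                   # traceability info for the management interface
        self.outbox = []                   # every message sent to a terminal

    def ingest(self, terminal, feature):
        """Mining step: a tuple reported by enough distinct terminals becomes
        trusted. A plain support count stands in for the frequent-itemset or
        other algorithm the page leaves open."""
        key = feature_key(feature)
        self.reporters[key].add(terminal)
        if len(self.reporters[key]) >= self.min_terminals:
            self.trusted.add(key)
        return key

    def judge(self, terminal, feature):
        """In the trusted set -> 'normal' indication; otherwise suspicious ->
        request for traceability information."""
        key = self.ingest(terminal, feature)
        if key in self.trusted:
            msg = {"type": "indication", "to": terminal, "behavior": key}
        else:
            msg = {"type": "request_trace", "to": terminal, "behavior": key}
            self.pending[(terminal, key)] = msg
        self.outbox.append(msg)
        return msg

    def backtrack(self):
        """Revisit earlier suspicious verdicts: a behavior judged while the
        trusted set was still small may since have become frequent."""
        revised = []
        for terminal, key in list(self.pending):
            if key in self.trusted:
                del self.pending[(terminal, key)]
                revised.append({"type": "indication", "to": terminal, "behavior": key})
        self.outbox.extend(revised)
        return revised

    def receive_trace(self, terminal, key, trace):
        self.traces.append((terminal, key, trace))  # shown on the back-end interface


class Probe:
    """Terminal side: forwards candidate features, remembers 'normal'
    indications, and answers traceability requests from a constructed table."""
    def __init__(self, name, provenance):
        self.name, self.provenance, self.known_normal = name, provenance, set()

    def report(self, server, feature):
        if feature_key(feature) in self.known_normal:
            return "suppressed"  # not re-sent once indicated normal
        msg = server.judge(self.name, feature)
        self.handle(server, msg)
        return msg["type"]

    def handle(self, server, msg):
        key = msg["behavior"]
        if msg["type"] == "indication":
            self.known_normal.add(key)
        else:  # request_trace
            server.receive_trace(self.name, key, self.provenance.get(key))


def run_scenario():
    """Constructed exchange between three clients and one analysis server."""
    common = {"app": "NotesApp", "kind": "file", "data_owner": "SheetApp",
              "data": r"C:\Users\u\Documents\budget.xlsx"}
    rare = {"app": "NotesApp", "kind": "thread_create", "data_owner": "Vault",
            "data": r"C:\Program Files\Vault\vault.exe"}
    trace = {"process": "notes.exe (pid 4120, parent explorer.exe)",
             "program_file": r"C:\Program Files\NotesApp\notes.exe",
             "creators": "process created by explorer.exe; file written by msiexec.exe"}
    provenance = {feature_key(common): trace, feature_key(rare): trace}
    server = AnalysisServer()
    probes = {n: Probe(n, provenance) for n in ("client301", "client302", "client303")}
    out = {"first": probes["client301"].report(server, common)}  # 1 reporter: suspicious
    probes["client302"].report(server, common)                   # 2 reporters: still suspicious
    out["third"] = probes["client303"].report(server, common)    # 3 reporters: trusted
    revised = server.backtrack()                                 # 301 and 302 get revised verdicts
    for msg in revised:
        probes[msg["to"]].handle(server, msg)
    out["revised"] = len(revised)
    out["resend"] = probes["client301"].report(server, common)   # suppressed on the client
    out["rare"] = probes["client301"].report(server, rare)       # seen once: suspicious
    out["traces"] = len(server.traces)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the two behaviors the page's backtracking note is about. The first report of the .xlsx access is judged suspicious and a traceability request goes out, because only one terminal has reported it; once the third terminal reports the same tuple it enters the trusted set, `backtrack()` revises the two earlier verdicts, and the client stops resending that tuple. The thread creation into another application's process stays unique and keeps its traceability request, so its provenance is what the management interface would show.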
The method for determining suspicious behavior of an application according to the embodiments of the present invention was described in detail above with reference to FIG. 1 to FIG. 3; the apparatus for determining suspicious behavior of an application according to the embodiments of the present invention is described in detail below with reference to FIG. 4 to FIG. 7.
FIG. 4 shows an apparatus 400 for determining suspicious behavior of an application provided by an embodiment of the present invention. The apparatus 400 includes:
a determining unit 410, configured to determine a process behavior of a first application to be a candidate suspicious behavior when it determines that the data accessed by the process behavior belongs to a second application different from the first application, the data including at least one of a process, a thread, a file, a directory and a registry entry;
a sending unit 420, configured to send behavior feature information of the process behavior to a data analysis server, so that the data analysis server determines from the behavior feature information whether the process behavior is a suspicious behavior.
Optionally, the determining unit 410 is specifically configured to:
if the process behavior is a dynamic link library (DLL) file loading behavior of the first application, determine whether the DLL file loaded by the process behavior is a system DLL file;
if the DLL file is not a system DLL file, determine the application to which the DLL file belongs;
if the DLL file belongs to the second application different from the first application, determine the process behavior to be the candidate suspicious behavior.
Optionally, the determining unit 410 is specifically configured to:
if the process behavior is a registry access behavior of the first application, determine the application that created the registry path accessed by the process behavior;
if the registry path was created by the second application different from the first application, determine whether the registry path is a publicly accessible path;
if the registry path is not a publicly accessible path, determine the process behavior to be the candidate suspicious behavior.
Optionally, the determining unit 410 is specifically configured to:
if the process behavior is a file access behavior of the first application, determine the application that created the file accessed by the process behavior;
if the file accessed by the process behavior was created by the second application different from the first application, determine the type of the accessed file;
if the type of the accessed file is a program file, determine the process behavior to be the candidate suspicious behavior.
Optionally, the determining unit 410 is specifically configured to:
if the type of the file accessed by the process behavior is a non-program file, determine whether the application registered for the extension of the accessed file is the first application;
if the application registered for the extension of the accessed file is a third application different from the first application, determine the process behavior to be the candidate suspicious behavior.
Optionally, the behavior feature information includes: information on the application to which the process behavior belongs, information on the data accessed by the process behavior, and information on the application to which the accessed data belongs.
Optionally, the apparatus 400 further includes:
a first receiving unit, configured to receive, after the behavior feature information of the process behavior has been sent to the data analysis server, indication information sent by the data analysis server, the indication information indicating that the process behavior is a normal behavior;
the determining unit 410 is further configured to:
determine, according to the indication information, that the process behavior is a normal behavior.
Optionally, the apparatus 400 further includes:
a second receiving unit, configured to receive, after the behavior feature information of the process behavior has been sent to the data analysis server, a request message sent by the data analysis server requesting traceability information of the process behavior, the traceability information including at least one of: process information of the process behavior, information on the program file corresponding to the process behavior, and relationship information between the creator of the process and the creator of the program file;
the sending unit 420 is further configured to send the traceability information to the data analysis server according to the request message.
It should be understood that the apparatus 400 is embodied here in the form of functional units. The term "unit" may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (for example a shared, dedicated or group processor) that executes one or more software or firmware programs, memory, combinational logic circuitry, and/or other suitable components that support the described functions. In an optional example, a person skilled in the art will understand that the apparatus 400 may specifically be the first terminal device of the foregoing embodiments and may be used to perform the procedures and/or steps corresponding to the first terminal device in the foregoing method embodiments; to avoid repetition, these are not described again here.
FIG. 5 shows an apparatus 500 for determining suspicious behavior of an application provided by an embodiment of the present invention. The apparatus 500 includes:
a receiving unit 510, configured to receive behavior feature information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application and the data accessed by the first process behavior belongs to a second application different from the first application, the data including at least one of a process, a thread, a file, a directory and a registry entry;
a determining unit 520, configured to determine, according to the behavior feature information of the first process behavior, whether the first process behavior is a suspicious behavior.
Optionally, the determining unit 520 is specifically configured to:
determine, according to the behavior feature information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior;
if the first process behavior does not belong to the trusted behavior set, determine that the first process behavior is a suspicious behavior.
Optionally, the receiving unit 510 is further configured to:
receive, before the data analysis server determines according to the behavior feature information of the first process behavior whether the first process behavior belongs to the trusted behavior set, behavior feature information of a plurality of second process behaviors sent by each of at least one second terminal device;
the determining unit 520 is further configured to:
determine the trusted behavior set with a data mining algorithm from the behavior feature information of the plurality of second process behaviors sent by each second terminal device, where the trusted behavior set includes at least one of the plurality of second process behaviors.
Optionally, the behavior feature information of the first process behavior includes: information on the application to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application to which the accessed data belongs;
the behavior feature information of the plurality of second process behaviors includes: information on the applications to which the second process behaviors belong, information on the data accessed by the second process behaviors, and information on the applications to which that data belongs.
Optionally, the apparatus further includes:
a first sending unit, configured to send indication information to the first terminal device after the determining unit determines that the first process behavior is a normal behavior, the indication information indicating that the first process behavior is a normal behavior.
Optionally, the apparatus further includes:
a second sending unit, configured to send a request message to the first terminal device after the determining unit determines that the first process behavior is a suspicious behavior, the request message requesting traceability information of the first process behavior, the traceability information including at least one of: process information of the first process behavior, program file information of the first process behavior, and relationship information between the creator of the process and the creator of the program file;
the receiving unit 510 is further configured to receive the traceability information sent by the first terminal device according to the request message;
the apparatus further includes a display unit, configured to display the traceability information through a back-end management interface.
It should be understood that the apparatus 500 is embodied here in the form of functional units. The term "unit" may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor (for example a shared, dedicated or group processor) that executes one or more software or firmware programs, memory, combinational logic circuitry, and/or other suitable components that support the described functions. In an optional example, a person skilled in the art will understand that the apparatus 500 may specifically be the data analysis server of the foregoing embodiments and may be used to perform the procedures and/or steps corresponding to the data analysis server in the foregoing method embodiments; to avoid repetition, these are not described again here.
图6示出了本发明实施例提供的用于确定应用程序可疑行为的装置600。该装置600包括处理器610、发送器620、接收器630、存储器640和总线系统650。其中,处理器610、发送器620、接收器630和存储器640通过总线 系统650相连,该存储器640用于存储指令,该处理器610用于执行该存储器640存储的指令,以控制该发送器620发送信号,并控制该接收器630接收信号。FIG. 6 illustrates an apparatus 600 for determining suspicious behavior of an application provided by an embodiment of the present invention. The apparatus 600 includes a processor 610, a transmitter 620, a receiver 630, a memory 640, and a bus system 650. Wherein, the processor 610, the transmitter 620, the receiver 630, and the memory 640 pass through the bus. A system 650 is coupled to the memory 640 for storing instructions for executing instructions stored by the memory 640 to control the transmitter 620 to transmit signals and to control the receiver 630 to receive signals.
其中,该处理器610用于在确定第一应用程序的进程行为所访问的数据属于不同于该第一应用程序的第二应用程序时,将该进程行为确定为候选可疑行为,该数据包括进程、线程、文件、目录以及注册表项中的至少一个;The processor 610 is configured to determine the process behavior as candidate suspicious behavior when determining that the data accessed by the process behavior of the first application belongs to a second application different from the first application, where the data includes a process. At least one of a thread, a file, a directory, and a registry key;
该发送器620用于向数据分析服务器发送该进程行为的行为特征信息,以便于该数据分析服务器根据该进程行为的行为特征信息确定该进程行为是否为可疑行为。The transmitter 620 is configured to send the behavior characteristic information of the process behavior to the data analysis server, so that the data analysis server determines whether the process behavior is suspicious according to the behavior characteristic information of the process behavior.
可选地,该处理器610具体用于:Optionally, the processor 610 is specifically configured to:
若该进程行为是该第一应用程序的动态链接库DLL文件加载行为,则确定该进程行为所加载的DLL文件是否为系统DLL文件;If the process behavior is the dynamic link library DLL file loading behavior of the first application, determining whether the DLL file loaded by the process behavior is a system DLL file;
若该DLL文件不是系统DLL文件,则确定该DLL文件所属的应用程序;If the DLL file is not a system DLL file, determine an application to which the DLL file belongs;
若该DLL文件属于不同于该第一应用程序的该第二应用程序,则将该进程行为确定为该候选可疑行为。If the DLL file belongs to the second application different from the first application, the process behavior is determined as the candidate suspicious behavior.
可选地,该处理器610具体用于:Optionally, the processor 610 is specifically configured to:
若该进程行为是该第一应用程序的注册表访问行为,则确定创建该进程行为所访问的注册表的路径的应用程序;If the process behavior is a registry access behavior of the first application, determining an application that creates a path to a registry accessed by the process behavior;
若该注册表的路径由不同于该第一应用程序的该第二应用程序创建,则确定该注册表的路径是否为公共可访问路径;If the path of the registry is created by the second application different from the first application, determining whether the path of the registry is a publicly accessible path;
若该注册表的路径不是公共可访问路径,则将该进程行为确定为该候选可疑行为。If the path to the registry is not a publicly accessible path, the process behavior is determined to be the candidate suspicious behavior.
Optionally, the processor 610 is specifically configured to:
if the process behavior is a file access behavior of the first application, determine the application that created the file accessed by the process behavior;
if the file accessed by the process behavior was created by a second application different from the first application, determine the type of the file accessed by the process behavior;
if the type of the file accessed by the process behavior is a program file, determine the process behavior to be the candidate suspicious behavior.
Optionally, the processor 610 is specifically configured to:
if the type of the file accessed by the process behavior is a non-program file, determine whether the application registered for the extension of the file accessed by the process behavior is the first application;
if the application registered for the extension of the file accessed by the process behavior is a third application different from the first application, determine the process behavior to be the candidate suspicious behavior.
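The three terminal-side rules above (DLL loading, registry access, file access including the extension-registration check) as one pre-filter, given as an added example that is not code from the patent. Everything the agent would obtain from the operating system is replaced by constructed stand-ins and labelled as assumptions: the event records, the inventory of which application created a file or registry key and which application is registered for an extension, the directories that count as "system DLL" locations, and the registry subtrees treated as publicly accessible. The application names app.word, app.browser, app.notepad and all paths are hypothetical.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: a DLL under the Windows system directories is a system DLL.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: extensions the agent treats as program files.
PROGRAM_FILE_EXTS = {".exe", ".dll", ".sys", ".com", ".scr"}
# Assumption: subtrees any application may read (file-type associations), so a
# key created there by another application is not a candidate.
PUBLIC_REGISTRY_PREFIXES = ("hklm\\software\\classes\\", "hkcu\\software\\classes\\")

# Behavior characteristic information as the page defines it:
# (application the behavior belongs to, data accessed, application the data belongs to)
Feature = Tuple[str, str, str]


@dataclass(frozen=True)
class Inventory:  # constructed stand-in for OS provenance data
    file_creator: Dict[str, str]      # file path -> application that created it
    registry_creator: Dict[str, str]  # registry path prefix -> application that created it
    ext_handler: Dict[str, str]       # extension -> application registered for it


@dataclass(frozen=True)
class ProcessEvent:
    app: str     # the first application, whose process performed the behavior
    kind: str    # "dll_load", "registry_access" or "file_access"
    target: str  # DLL, registry key or file that was accessed


@dataclass(frozen=True)
class Verdict:
    candidate: bool
    reason: str
    feature: Optional[Feature] = None  # only set for candidates


def _creator_of_file(inv: Inventory, path: str) -> Optional[str]:
    return {k.lower(): v for k, v in inv.file_creator.items()}.get(path.lower())


def _creator_of_key(inv: Inventory, key: str) -> Optional[str]:
    # longest-prefix match: a key under a subtree created by an application belongs to it
    k, best = key.lower(), None
    for prefix, app in inv.registry_creator.items():
        if k.startswith(prefix.lower()) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, app)
    return best[1] if best else None


def classify(ev: ProcessEvent, inv: Inventory) -> Verdict:
    """Apply the rule for the behavior kind. Data whose creator is unknown is
    not attributed to a second application and therefore not a candidate."""
    if ev.kind == "dll_load":
        if ev.target.lower().startswith(SYSTEM_DLL_DIRS):
            return Verdict(False, "system DLL")
        owner = _creator_of_file(inv, ev.target)
        if owner is None or owner == ev.app:
            return Verdict(False, "DLL belongs to the first application or creator unknown")
        return Verdict(True, f"loads a DLL belonging to {owner}", (ev.app, ev.target, owner))
    if ev.kind == "registry_access":
        owner = _creator_of_key(inv, ev.target)
        if owner is None or owner == ev.app:
            return Verdict(False, "registry path created by the first application or unknown")
        if ev.target.lower().startswith(PUBLIC_REGISTRY_PREFIXES):
            return Verdict(False, "publicly accessible registry path")
        return Verdict(True, f"reads a private registry path of {owner}", (ev.app, ev.target, owner))
    if ev.kind == "file_access":
        owner = _creator_of_file(inv, ev.target)
        if owner is None or owner == ev.app:
            return Verdict(False, "file created by the first application or creator unknown")
        ext = os.path.splitext(ev.target)[1].lower()
        if ext in PROGRAM_FILE_EXTS:
            return Verdict(True, f"touches a program file of {owner}", (ev.app, ev.target, owner))
        handler = inv.ext_handler.get(ext)
        if handler is not None and handler != ev.app:
            return Verdict(True, f"reads a {ext} file registered to {handler}", (ev.app, ev.target, owner))
        return Verdict(False, "non-program file whose extension is registered to the first application")
    raise ValueError(f"unknown behavior kind: {ev.kind}")


def collect_candidate_features(events: List[ProcessEvent], inv: Inventory) -> List[Feature]:
    """Features of all candidate behaviors, in the order they would be sent to the server."""
    return [v.feature for v in (classify(e, inv) for e in events) if v.candidate]


# Constructed inventory and event stream (not real telemetry).
INVENTORY = Inventory(
    file_creator={
        "C:\\Program Files\\Word\\mso.dll": "app.word",
        "C:\\Program Files\\Browser\\net.dll": "app.browser",
        "C:\\Users\\alice\\Downloads\\setup.exe": "app.browser",
        "C:\\Users\\alice\\Downloads\\notes.txt": "app.browser",
        "C:\\Users\\alice\\Downloads\\report.docx": "app.browser",
    },
    registry_creator={
        "HKCU\\SOFTWARE\\Word\\": "app.word",
        "HKCU\\SOFTWARE\\Browser\\": "app.browser",
        "HKCU\\SOFTWARE\\Classes\\.html": "app.browser",
    },
    ext_handler={".docx": "app.word", ".txt": "app.notepad", ".html": "app.browser"},
)
SAMPLE_EVENTS = [
    ProcessEvent("app.word", "dll_load", "C:\\Windows\\System32\\kernel32.dll"),    # system DLL
    ProcessEvent("app.word", "dll_load", "C:\\Program Files\\Word\\mso.dll"),        # own DLL
    ProcessEvent("app.word", "dll_load", "C:\\Program Files\\Browser\\net.dll"),     # candidate
    ProcessEvent("app.word", "registry_access", "HKCU\\SOFTWARE\\Browser\\Profiles\\default"),  # candidate
    ProcessEvent("app.word", "registry_access", "HKCU\\SOFTWARE\\Classes\\.html"),   # public path
    ProcessEvent("app.word", "file_access", "C:\\Users\\alice\\Downloads\\setup.exe"),    # candidate
    ProcessEvent("app.word", "file_access", "C:\\Users\\alice\\Downloads\\notes.txt"),    # candidate (.txt -> app.notepad)
    ProcessEvent("app.word", "file_access", "C:\\Users\\alice\\Downloads\\report.docx"),  # .docx registered to app.word
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = classify(ev, INVENTORY)
        print("CANDIDATE" if v.candidate else "ignore   ", ev.kind.ljust(16), ev.target, "-", v.reason)
```

Running the block lists four candidates out of the eight constructed events. Note that the terminal only reports a feature tuple (acting application, data, owning application) and makes no malicious/benign decision itself; that decision is left to the server, as the page describes.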
Optionally, the behavior characteristic information includes: information on the application to which the process behavior belongs, information on the data accessed by the process behavior, and information on the application to which the data accessed by the process behavior belongs.
Optionally, the receiver 630 is configured to receive, after the behavior characteristic information of the process behavior has been sent to the data analysis server, indication information sent by the data analysis server, where the indication information is used to indicate that the process behavior is normal behavior;
the processor 610 is further configured to determine, according to the indication information, that the process behavior is normal behavior.
Optionally, the receiver 630 is configured to receive, after the behavior characteristic information of the process behavior has been sent to the data analysis server, a request message sent by the data analysis server, where the request message is used to request traceability information of the process behavior, and the traceability information includes at least one of the following: process information of the process behavior, information on the program file corresponding to the process behavior, and information on the relationship between the process creator of the process behavior and the program file creator;
the transmitter 620 is further configured to send the traceability information to the data analysis server according to the request message.
It should be understood that the apparatus 600 may specifically be the terminal device in the foregoing embodiments, and may be configured to perform the steps and/or procedures corresponding to the terminal device in the foregoing method embodiments. Optionally, the memory 640 may include a read-only memory and a random access memory, and provides instructions and data to the processor. A part of the memory may further include a non-volatile random access memory. For example, the memory may further store information on the device type. The processor 610 may be configured to execute the instructions stored in the memory, and when the processor executes the instructions stored in the memory, the processor is configured to perform the steps and/or procedures of the foregoing method embodiments.
FIG. 7 shows an apparatus 700 for determining suspicious behavior of an application according to an embodiment of the present invention. The apparatus 700 includes a receiver 710, a processor 720, a transmitter 730, a memory 740 and a bus system 750. The receiver 710, the processor 720, the transmitter 730 and the memory 740 are connected by the bus system 750. The memory 740 is configured to store instructions, and the processor 720 is configured to execute the instructions stored in the memory 740, so as to control the receiver 710 to receive signals and to control the transmitter 730 to send instructions.
The receiver 710 is configured to receive behavior characteristic information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application, and the data accessed by the first process behavior belongs to a second application different from the first application, the data including at least one of a process, a thread, a file, a directory and a registry key;
the processor 720 is configured to determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior is suspicious behavior.
Optionally, the processor 720 is specifically configured to:
determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a trusted behavior set, where the trusted behavior set includes at least one trusted behavior;
if the first process behavior does not belong to the trusted behavior set, determine that the first process behavior is suspicious behavior.
Optionally, the receiver 710 is further configured to:
before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to the trusted behavior set, receive behavior characteristic information of a plurality of second process behaviors sent by each of at least one second terminal device;
the processor 720 is further configured to:
determine the trusted behavior set by using a data mining algorithm according to the behavior characteristic information of the plurality of second process behaviors sent by each second terminal device, where the trusted behavior set includes at least one of the plurality of second process behaviors.
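The server side of the scheme (building the trusted behavior set from second terminals' reports, then judging a first terminal's report against it and answering with an indication or a traceability request) as an added example that is not code from the patent. The page only says "a data mining algorithm"; the concrete choice here is an assumption: a normalized feature tuple is trusted when it has been reported by at least min_support distinct second terminals. Folding per-user profile directories into one placeholder, the terminal names, application names, paths and the shape of the response messages are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Behavior characteristic information as the page defines it:
# (acting application, data accessed, application owning the data)
Feature = Tuple[str, str, str]

# Assumption: user profile directories are folded so the same behavior seen
# under different user names counts as one feature across terminals.
_USER_DIR = re.compile(r"^c:\\users\\[^\\]+\\")


def normalize(feature: Feature) -> Feature:
    app, data, owner = (s.lower() for s in feature)
    return (app, _USER_DIR.sub(lambda m: "c:\\users\\*\\", data), owner)


def mine_trusted_set(reports: Dict[str, Iterable[Feature]], min_support: int) -> Set[Feature]:
    """reports maps a second-terminal id to the features it sent (the first
    terminal's own report is not part of the input, as on the page). Support is
    counted per distinct terminal, so one terminal repeating a behavior many
    times, for example because it is infected, cannot make that behavior trusted."""
    support: Dict[Feature, Set[str]] = defaultdict(set)
    for terminal, feats in reports.items():
        for f in feats:
            support[normalize(f)].add(terminal)
    return {f for f, terminals in support.items() if len(terminals) >= min_support}


def judge(feature: Feature, trusted: Set[Feature]) -> str:
    """Normal if the behavior is in the trusted set, suspicious otherwise."""
    return "normal" if normalize(feature) in trusted else "suspicious"


def respond(feature: Feature, trusted: Set[Feature]) -> dict:
    """Message sent back to the first terminal: an indication for normal
    behavior, a request for traceability information for suspicious behavior
    (message shape is an assumption)."""
    if judge(feature, trusted) == "normal":
        return {"type": "indication", "verdict": "normal"}
    return {"type": "trace_request",
            "fields": ["process_info", "program_file_info", "creator_relationship"]}


# Constructed reports from four second terminals (not real telemetry).
SHARED_DLL = ("app.word", "C:\\Program Files\\Common\\shared.dll", "app.suite")
SECOND_TERMINAL_REPORTS = {
    "t2": [SHARED_DLL, SHARED_DLL,
           ("app.pdf", "C:\\Users\\bob\\AppData\\Local\\Browser\\cache.db", "app.browser")]
          + [("app.mail", "C:\\Users\\bob\\Downloads\\invoice.exe", "app.browser")] * 5,
    "t3": [SHARED_DLL, ("app.pdf", "C:\\Users\\dave\\AppData\\Local\\Browser\\cache.db", "app.browser")],
    "t4": [SHARED_DLL, ("app.pdf", "C:\\Users\\erin\\AppData\\Local\\Browser\\cache.db", "app.browser")],
    "t5": [SHARED_DLL],
}
TRUSTED = mine_trusted_set(SECOND_TERMINAL_REPORTS, min_support=3)

if __name__ == "__main__":
    # Reports arriving from a first terminal, judged against the mined set.
    for f in (SHARED_DLL,
              ("app.pdf", "C:\\Users\\carol\\AppData\\Local\\Browser\\cache.db", "app.browser"),
              ("app.word", "C:\\Users\\carol\\Downloads\\setup.exe", "app.browser"),
              ("app.mail", "C:\\Users\\carol\\Downloads\\invoice.exe", "app.browser")):
        print(judge(f, TRUSTED), respond(f, TRUSTED))
```

With min_support=3 the shared DLL load (seen on four terminals) and the browser cache read (seen on three, under three different user names) become trusted; the invoice.exe access, repeated five times but on a single terminal, does not. The threshold is the knob a deployment has to set: too low and a behavior spread by a worm across a few hosts becomes "trusted", too high and legitimate but rare behaviors keep generating traceability requests.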
Optionally, the behavior characteristic information of the first process behavior includes: information on the application to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application to which the data accessed by the first process behavior belongs;
the behavior characteristic information of the plurality of second process behaviors includes: information on the applications to which the plurality of second process behaviors belong, information on the data accessed by the plurality of second process behaviors, and information on the applications to which the data accessed by the plurality of second process behaviors belongs.
Optionally, the transmitter 730 is configured to send indication information to the first terminal device after the processor 720 determines that the first process behavior is normal behavior, where the indication information is used to indicate that the first process behavior is normal behavior.
Optionally, the transmitter 730 is configured to send a request message to the first terminal device after the processor 720 determines that the first process behavior is suspicious behavior, where the request message is used to request traceability information of the first process behavior, and the traceability information includes at least one of: process information of the first process behavior, information on the program file corresponding to the first process behavior, and information on the relationship between the process creator of the first process behavior and the program file creator;
the receiver 710 is further configured to receive the traceability information sent by the first terminal device according to the request message;
the processor 720 is configured to display the traceability information through a background management interface.
It should be understood that the apparatus 700 may specifically be the data analysis server in the foregoing embodiments, and may be configured to perform the steps and/or procedures corresponding to the data analysis server in the foregoing method embodiments. Optionally, the memory 740 may include a read-only memory and a random access memory, and provides instructions and data to the processor. A part of the memory may further include a non-volatile random access memory. For example, the memory may further store information on the device type. The processor 720 may be configured to execute the instructions stored in the memory, and when the processor executes the instructions, the processor may perform the steps and/or procedures corresponding to the data analysis server in the foregoing method embodiments.
It should be understood that in the embodiments of the present invention, the processor may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In an implementation process, the steps of the foregoing method may be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The steps of the method disclosed with reference to the embodiments of the present invention may be directly performed by a hardware processor, or may be performed by a combination of hardware and software modules in the processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory, or a register. The storage medium is located in the memory, and the processor executes the instructions in the memory and completes the steps of the foregoing method in combination with its hardware. To avoid repetition, details are not described here again.
A person of ordinary skill in the art may be aware that the method steps and units described with reference to the embodiments disclosed herein can be implemented by electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the steps and composition of each embodiment have been described above generally in terms of their functions. Whether these functions are performed by hardware or by software depends on the particular application and the design constraints of the technical solution. A person of ordinary skill in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered as going beyond the scope of the present invention.
A person skilled in the art may clearly understand that, for convenience and brevity of description, for the specific working processes of the system, apparatus and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative. For example, the division into units is merely a division by logical function, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be implemented through indirect couplings or communication connections via some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units, that is, they may be located in one place or may be distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments of the present invention.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
When the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of the present invention essentially, or the part contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing descriptions are merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any equivalent modification or replacement readily figured out by a person skilled in the art within the technical scope disclosed in the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (22)

  1. A method for determining suspicious behavior of an application, comprising:
    determining, by a terminal device, a process behavior of a first application to be a candidate suspicious behavior when determining that data accessed by the process behavior belongs to a second application different from the first application, the data comprising at least one of a file, a directory and a registry key;
    sending, by the terminal device, behavior characteristic information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is suspicious behavior.
  2. The method according to claim 1, wherein the determining, by the terminal device, the process behavior to be a candidate suspicious behavior when determining that the data accessed by the process behavior of the first application belongs to the second application different from the first application comprises:
    if the process behavior is a dynamic link library (DLL) file loading behavior of the first application, determining, by the terminal device, whether the DLL file loaded by the process behavior is a system DLL file;
    if the DLL file is not a system DLL file, determining, by the terminal device, the application to which the DLL file belongs;
    if the DLL file belongs to the second application different from the first application, determining, by the terminal device, the process behavior to be the candidate suspicious behavior.
  3. The method according to claim 1, wherein the determining, by the terminal device, the process behavior to be a candidate suspicious behavior when determining that the data accessed by the process behavior of the first application belongs to the second application different from the first application comprises:
    if the process behavior is a registry access behavior of the first application, determining, by the terminal device, the application that created the registry path accessed by the process behavior;
    if the registry path was created by the second application different from the first application, determining, by the terminal device, whether the registry path is a publicly accessible path;
    if the registry path is not a publicly accessible path, determining, by the terminal device, the process behavior to be the candidate suspicious behavior.
  4. The method according to claim 1, wherein the determining, by the terminal device, the process behavior to be a candidate suspicious behavior when determining that the data accessed by the process behavior of the first application belongs to the second application different from the first application comprises:
    if the process behavior is a file access behavior of the first application, determining, by the terminal device, the application that created the file accessed by the process behavior;
    if the file accessed by the process behavior was created by the second application different from the first application, determining, by the terminal device, the type of the file accessed by the process behavior;
    if the type of the file accessed by the process behavior is a program file, determining, by the terminal device, the process behavior to be the candidate suspicious behavior.
  5. The method according to claim 4, wherein if the type of the file accessed by the process behavior is a non-program file, the terminal device determines the application registered for the extension of the file accessed by the process behavior;
    if the application registered for the extension of the file accessed by the process behavior is a third application different from the first application, the terminal device determines the process behavior to be the candidate suspicious behavior.
  6. The method according to any one of claims 1 to 5, wherein the behavior characteristic information comprises:
    information on the application to which the process behavior belongs, information on the data accessed by the process behavior, and information on the application to which the data accessed by the process behavior belongs.
  7. The method according to any one of claims 1 to 6, wherein after the terminal device sends the behavior characteristic information of the process behavior to the data analysis server, the method further comprises:
    receiving, by the terminal device, indication information sent by the data analysis server, the indication information being used to indicate that the process behavior is normal behavior;
    determining, by the terminal device, according to the indication information, that the process behavior is normal behavior.
  8. The method according to any one of claims 1 to 6, wherein after the terminal device sends the behavior characteristic information of the process behavior to the data analysis server, the method further comprises:
    receiving, by the terminal device, a request message sent by the data analysis server, the request message being used to request traceability information of the process behavior, the traceability information comprising at least one of the following: process information of the process behavior, information on the program file corresponding to the process behavior, and information on the relationship between the process creator of the process behavior and the program file creator;
    sending, by the terminal device, the traceability information to the data analysis server according to the request message.
  9. A method for determining suspicious behavior of an application, comprising:
    receiving, by a data analysis server, behavior characteristic information of a first process behavior sent by a first terminal device, wherein the first process behavior belongs to a first application, and data accessed by the first process behavior belongs to a second application different from the first application, the data comprising at least one of a file, a directory and a registry key;
    determining, by the data analysis server, according to the behavior characteristic information of the first process behavior and a stored trusted behavior set, that the first process behavior is suspicious behavior when the first process behavior does not belong to the trusted behavior set, wherein the trusted behavior set is generated by the data analysis server, before it receives the behavior characteristic information of the first process behavior, by using a data mining algorithm according to received behavior characteristic information of a plurality of second process behaviors sent by at least one other terminal device, the other terminal device being a terminal device other than the first terminal device, and the trusted behavior set comprises at least one of the plurality of second process behaviors.
  10. The method according to claim 9, wherein the behavior characteristic information of the first process behavior comprises:
    information on the application to which the first process behavior belongs, information on the data accessed by the first process behavior, and information on the application to which the data accessed by the first process behavior belongs;
    and the behavior characteristic information of the plurality of second process behaviors comprises:
    information on the applications to which the plurality of second process behaviors belong, information on the data accessed by the plurality of second process behaviors, and information on the applications to which the data accessed by the plurality of second process behaviors belongs.
  11. The method according to claim 9 or 10, wherein the method further comprises:
    determining that the first process behavior is normal behavior when the first process behavior belongs to the trusted behavior set;
    if the data analysis server determines that the first process behavior is normal behavior, sending, by the data analysis server, indication information to the first terminal device, the indication information being used to indicate that the first process behavior is normal behavior.
  12. The method according to claim 9 or 10, wherein the method further comprises:
    if the data analysis server determines that the first process behavior is suspicious behavior, sending, by the data analysis server, a request message to the first terminal device, the request message being used to request traceability information of the first process behavior, the traceability information comprising at least one of: process information of the first process behavior, information on the program file corresponding to the first process behavior, and information on the relationship between the process creator of the first process behavior and the program file creator;
    receiving, by the data analysis server, the traceability information sent by the first terminal device according to the request message;
    displaying, by the data analysis server, the traceability information through a background management interface.
  13. An apparatus for determining suspicious behavior of an application, comprising:
    a determining unit, configured to determine a process behavior of a first application to be a candidate suspicious behavior when determining that data accessed by the process behavior belongs to a second application different from the first application, the data comprising at least one of a file, a directory and a registry key;
    a sending unit, configured to send behavior characteristic information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is suspicious behavior.
  14. The apparatus according to claim 13, wherein the determining unit is specifically configured to:
    if the process behavior is a dynamic link library (DLL) file loading behavior of the first application, determine whether the DLL file loaded by the process behavior is a system DLL file;
    if the DLL file is not a system DLL file, determine the application to which the DLL file belongs;
    if the DLL file belongs to the second application different from the first application, determine the process behavior to be the candidate suspicious behavior.
  15. The apparatus according to claim 13, wherein the determining unit is specifically configured to:
    if the process behavior is a registry access behavior of the first application, determine the application that created the registry path accessed by the process behavior;
    if the registry path was created by the second application different from the first application, determine whether the registry path is a publicly accessible path;
    if the registry path is not a publicly accessible path, determine the process behavior to be the candidate suspicious behavior.
  16. The apparatus according to claim 13, wherein the determining unit is specifically configured to:
    if the process behavior is a file access behavior of the first application, determine the application that created the file accessed by the process behavior;
    if the file accessed by the process behavior was created by the second application different from the first application, determine the type of the file accessed by the process behavior;
    if the type of the file accessed by the process behavior is a program file, determine the process behavior to be the candidate suspicious behavior.
  17. 根据权利要求16所述的装置,其特征在于,若所述进程行为所访问的文件的类型是非程序文件,则确定所述进程行为所访问的文件的扩展名所注册的应用程序是否为所述第一应用程序;The apparatus according to claim 16, wherein if the type of the file accessed by the process behavior is a non-program file, determining whether the application registered by the extension of the file accessed by the process behavior is the An application;
    若所述进程行为所访问的文件的扩展名所注册的应用程序为不同于所述第一应用程序的第三应用程序,则将所述进程行为确定为所述候选可疑行为。If the application registered by the extension of the file accessed by the process behavior is a third application different from the first application, the process behavior is determined as the candidate suspicious behavior.
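The ownership checks of claims 14 to 17 as a single terminal-side classifier, added here as a worked example; it is not code from the patent or from Huawei. Everything it consults is constructed sample data: the `CREATED_BY` index stands in for the terminal's own record of which application created each file or registry path, and the public registry prefixes, the program-file extension set and the extension-to-handler table are assumptions, since the claims leave those sources unspecified. The claims also say nothing about data whose creator is unknown; the example treats such accesses as not candidates, which is likewise an assumption.

```python
"""Terminal-side candidate filter for cross-application data access.

Added example, not code from the patent. The creation index, the public
registry prefixes, the program-file extension set and the extension-handler
table are constructed sample data standing in for what a real monitor on the
terminal would collect.
"""
from dataclasses import dataclass
import os

# Constructed creation index: which application created each file or
# registry path. A real implementation would fill this from file-system and
# registry creation events observed on the terminal.
CREATED_BY = {
    r"C:\Program Files\AppA\core.dll": "AppA",
    r"C:\Program Files\AppB\helper.dll": "AppB",
    r"C:\Program Files\AppB\updater.exe": "AppB",
    r"HKLM\SOFTWARE\AppB\Settings": "AppB",
    r"HKLM\SOFTWARE\Classes\.cad": "AppC",
    r"C:\Users\alice\Documents\notes.txt": "AppB",
    r"C:\Users\alice\Documents\design.cad": "AppB",
}

# Assumed "publicly accessible" registry prefixes: shared by design, so a
# cross-application read there is not a candidate (claim 15).
PUBLIC_REGISTRY_PREFIXES = (r"HKLM\SOFTWARE\Classes", r"HKCU\SOFTWARE\Classes")

# Assumed extensions that count as "program file" (claim 16).
PROGRAM_EXTENSIONS = {".exe", ".dll", ".sys", ".com", ".scr"}

# Assumed file-association table: extension -> application registered to
# open it (the "application registered by the extension" of claim 17).
EXTENSION_HANDLER = {".txt": "AppA", ".cad": "AppC"}


@dataclass(frozen=True)
class ProcessBehavior:
    app: str     # application the acting process belongs to (the first application)
    kind: str    # "dll_load", "registry" or "file"
    target: str  # DLL, registry path or file that the behavior accesses


def _extension(path: str) -> str:
    # Windows-style path: take the text after the last backslash, then its suffix.
    return os.path.splitext(path.rsplit("\\", 1)[-1])[1].lower()


def is_candidate_suspicious(b: ProcessBehavior) -> bool:
    """Apply the ownership checks of claims 14-17 to one process behavior."""
    creator = CREATED_BY.get(b.target)
    # Own data, or data with no recorded creator: not a cross-application
    # access. (Treating an unknown creator as "not a candidate" is our
    # assumption; the claims only speak of data created by a second application.)
    if creator is None or creator == b.app:
        return False
    if b.kind == "dll_load":
        # Claim 14: loading a DLL that belongs to another application.
        return True
    if b.kind == "registry":
        # Claim 15: another application's registry path, unless it is public.
        return not b.target.startswith(PUBLIC_REGISTRY_PREFIXES)
    if b.kind == "file":
        ext = _extension(b.target)
        if ext in PROGRAM_EXTENSIONS:
            # Claim 16: touching another application's program file.
            return True
        # Claim 17: non-program file whose registered handler is a third
        # application, i.e. not the acting application.
        handler = EXTENSION_HANDLER.get(ext)
        return handler is not None and handler != b.app
    return False


def filter_candidates(behaviors):
    """Return the behaviors the terminal would report to the data analysis server."""
    return [b for b in behaviors if is_candidate_suspicious(b)]


# Constructed sample: one process of AppA performing seven accesses.
SAMPLE = [
    ProcessBehavior("AppA", "dll_load", r"C:\Program Files\AppA\core.dll"),    # own DLL
    ProcessBehavior("AppA", "dll_load", r"C:\Program Files\AppB\helper.dll"),  # AppB's DLL
    ProcessBehavior("AppA", "registry", r"HKLM\SOFTWARE\AppB\Settings"),       # private key
    ProcessBehavior("AppA", "registry", r"HKLM\SOFTWARE\Classes\.cad"),        # public key
    ProcessBehavior("AppA", "file", r"C:\Program Files\AppB\updater.exe"),     # program file
    ProcessBehavior("AppA", "file", r"C:\Users\alice\Documents\notes.txt"),    # .txt -> AppA
    ProcessBehavior("AppA", "file", r"C:\Users\alice\Documents\design.cad"),   # .cad -> AppC
]

if __name__ == "__main__":
    for b in filter_candidates(SAMPLE):
        print("candidate:", b.kind, b.target)
```

Of the seven sample accesses, four survive the filter: the foreign DLL, the private registry key, the foreign executable and the `.cad` document whose handler is a third application. The filter is deliberately coarse: it is the terminal's pre-screen for what gets reported, and the final verdict belongs to the server's trusted-behavior set, so a legitimate plugin load will pass through here and be cleared there.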
  18. The apparatus according to any one of claims 13 to 17, wherein the apparatus further comprises:
    a first receiving unit, configured to receive, after the sending unit has sent the behavior characteristic information of the process behavior to the data analysis server, indication information sent by the data analysis server, the indication information indicating that the process behavior is normal behavior;
    wherein the determining unit is further configured to:
    determine, according to the indication information, that the process behavior is normal behavior.
  19. The apparatus according to any one of claims 13 to 17, wherein the apparatus further comprises:
    a second receiving unit, configured to receive, after the behavior characteristic information of the process behavior has been sent to the data analysis server, a request message sent by the data analysis server, the request message requesting traceability information of the process behavior, the traceability information comprising at least one of: process information of the process behavior, information on the program file corresponding to the process behavior, and relationship information between the creator of the process and the creator of the program file;
    wherein the sending unit is further configured to:
    send the traceability information to the data analysis server according to the request message.
  20. An apparatus for determining suspicious behavior of an application, comprising:
    a receiving unit, configured to receive behavior characteristic information of a first process behavior sent by a first terminal device, wherein the first process behavior belongs to a first application and the data accessed by the first process behavior belongs to a second application different from the first application, the data comprising at least one of a file, a directory and a registry entry; and
    a determining unit, configured to determine, according to the behavior characteristic information of the first process behavior and a stored set of trusted behaviors, that the first process behavior is suspicious behavior when the first process behavior does not belong to the set of trusted behaviors, wherein the set of trusted behaviors was generated by the data analysis server (the apparatus of this claim), using a data mining algorithm, before the behavior characteristic information of the first process behavior was received, from behavior characteristic information of a plurality of second process behaviors received from at least one other terminal device, an other terminal device being a terminal device other than the first terminal device, and wherein the set of trusted behaviors comprises at least one of the plurality of second process behaviors.
  21. The apparatus according to claim 20, wherein
    the determining unit is further configured to determine that the first process behavior is normal behavior when the first process behavior belongs to the set of trusted behaviors; and
    the apparatus further comprises:
    a first sending unit, configured to send indication information to the first terminal device after the determining unit has determined that the first process behavior is normal behavior, the indication information indicating that the first process behavior is normal behavior.
  22. The apparatus according to claim 20, wherein the apparatus further comprises:
    a second sending unit, configured to send a request message to the first terminal device after the determining unit has determined that the first process behavior is suspicious behavior, the request message requesting traceability information of the first process behavior, the traceability information comprising at least one of: process information of the first process behavior, information on the program file corresponding to the first process behavior, and relationship information between the creator of the process and the creator of the program file;
    wherein the receiving unit is further configured to:
    receive the traceability information sent by the first terminal device according to the request message; and
    wherein the apparatus further comprises:
    a display unit, configured to display the traceability information through a back-end management interface.
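The server side of claims 20 to 22, together with the terminal's traceability answer of claim 19, as an added worked example; this is not the patent's or Huawei's code. The claims name only "a data mining algorithm" for producing the set of trusted behaviors, so the rule used here, which trusts a behavior once at least `min_terminals` distinct terminals have reported it, is an assumption standing in for that algorithm. The terminal identifiers, the `HISTORY` reports and the contents of the traceability answer are constructed sample data.

```python
"""Data-analysis-server side: trusted-behavior set and the verdict exchange.

Added example, not code from the patent. The frequency threshold below is a
stand-in for the unspecified "data mining algorithm"; terminal identifiers,
reports and the traceability answer are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BehaviorFeature:
    """Behavior characteristic information a terminal sends for one process behavior."""
    app: str          # first application (the actor)
    kind: str         # "dll_load", "registry" or "file"
    target: str       # data accessed
    data_owner: str   # second application that created the data


def mine_trusted_behaviors(reports, min_terminals=3):
    """Build the trusted set from (terminal_id, feature) reports.

    Assumed mining rule: a behavior is trusted once at least `min_terminals`
    distinct terminals have reported it. Counting terminals rather than
    reports keeps a single noisy or compromised terminal from promoting its
    own behavior into the trusted set by repeating it.
    """
    terminals_per_feature = defaultdict(set)
    for terminal_id, feature in reports:
        terminals_per_feature[feature].add(terminal_id)
    return {f for f, ts in terminals_per_feature.items() if len(ts) >= min_terminals}


@dataclass
class DataAnalysisServer:
    trusted: set
    outbox: list = field(default_factory=list)  # messages sent back to terminals
    cases: list = field(default_factory=list)   # traceability records for the management UI

    def handle_report(self, terminal_id, feature):
        """Claims 20-22: return the verdict and queue the message for the terminal."""
        if feature in self.trusted:
            self.outbox.append((terminal_id, {"type": "indication", "verdict": "normal"}))
            return "normal"
        self.outbox.append((terminal_id, {
            "type": "request_traceability",
            "wanted": ["process_info", "program_file_info", "creator_relationship"],
        }))
        return "suspicious"

    def handle_traceability(self, terminal_id, feature, info):
        """Store the terminal's answer; a back-end management UI would render it."""
        self.cases.append({"terminal": terminal_id, "feature": feature, **info})
        return len(self.cases)


def terminal_traceability(feature):
    """Constructed terminal-side answer to a traceability request (claim 19)."""
    return {
        "process_info": {"pid": 4120, "image": r"C:\Program Files\AppA\appa.exe"},
        "program_file_info": {"path": feature.target, "created_by": feature.data_owner},
        "creator_relationship": (
            f"process creator {feature.app} differs from program file creator {feature.data_owner}"
        ),
    }


# Constructed history from terminals other than T1, collected before T1 reports.
PLUGIN_LOAD = BehaviorFeature("AppA", "dll_load", r"C:\Program Files\AppB\helper.dll", "AppB")
UPDATER_TOUCH = BehaviorFeature("AppA", "file", r"C:\Program Files\AppB\updater.exe", "AppB")
HISTORY = [
    ("T2", PLUGIN_LOAD), ("T3", PLUGIN_LOAD), ("T4", PLUGIN_LOAD), ("T3", PLUGIN_LOAD),
    ("T2", UPDATER_TOUCH), ("T2", UPDATER_TOUCH),  # two reports, but from one terminal only
]


def run_scenario():
    """T1 reports both behaviors; return the verdicts and the server for inspection."""
    server = DataAnalysisServer(trusted=mine_trusted_behaviors(HISTORY))
    verdicts = {}
    for feature in (PLUGIN_LOAD, UPDATER_TOUCH):
        verdicts[feature.target] = server.handle_report("T1", feature)
        if verdicts[feature.target] == "suspicious":
            server.handle_traceability("T1", feature, terminal_traceability(feature))
    return verdicts, server


if __name__ == "__main__":
    verdicts, server = run_scenario()
    print(verdicts)
    for case in server.cases:
        print(case)
```

In the scenario the plugin load has been seen on three other terminals and is cleared with a "normal" indication, while the touch of AppB's updater, reported twice but by a single terminal, falls outside the trusted set, triggers a traceability request, and ends up as a case with the process and program-file creators recorded. The set is built from the other terminals' history before T1's report arrives, as claim 20 requires; the threshold value itself is a tuning choice this example does not take from the patent.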
PCT/CN2017/070468 | priority 2016-04-26 | filed 2017-01-06 | Method and apparatus for determining suspicious activity of application program | WO2017185827A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201610266466.5A (CN107315952A) | 2016-04-26 | 2016-04-26 | Method and apparatus for determining application program suspicious actions
CN201610266466.5 | 2016-04-26 | |

Publications (1)

Publication Number | Publication Date
WO2017185827A1 (en) | 2017-11-02

Family ID: 60160690

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2017/070468 | WO2017185827A1 (en) Method and apparatus for determining suspicious activity of application program | 2016-04-26 | 2017-01-06

Country Status (2)

Country | Link
CN | CN107315952A (en)
WO | WO2017185827A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113672925A * | 2021-08-26 | 2021-11-19 | 安天科技集团股份有限公司 | Method, device, storage medium and electronic equipment for preventing ransomware attack
CN113672925B * | 2021-08-26 | 2024-01-26 | 安天科技集团股份有限公司 | Method and device for preventing ransomware attack, storage medium and electronic equipment
CN114676429A * | 2022-03-18 | 2022-06-28 | 山东鼎夏智能科技有限公司 | Method and device for detecting unknown risk of startup item

Families Citing this family (7)

Publication number | Priority date | Publication date | Assignee | Title
CN110750561A * | 2018-07-20 | 2020-02-04 | 深圳市诚壹科技有限公司 | Method and device for mining associated application program
CN109255238B * | 2018-08-24 | 2022-01-28 | 成都网思科平科技有限公司 | Terminal threat detection and response method and engine
CN109327433B * | 2018-09-03 | 2022-05-17 | 北京智游网安科技有限公司 | Threat perception method and system based on operation scene analysis
CN109784052B * | 2018-12-29 | 2021-07-20 | 360企业安全技术(珠海)有限公司 | Management method for software behavior detection, server, terminal and system
CN109784051B * | 2018-12-29 | 2021-01-15 | 360企业安全技术(珠海)有限公司 | Information security protection method, device and equipment
CN109815702B * | 2018-12-29 | 2022-07-05 | 奇安信安全技术(珠海)有限公司 | Software behavior safety detection method, device and equipment
CN115412320A * | 2022-08-19 | 2022-11-29 | 奇安信网神信息技术(北京)股份有限公司 | Attack behavior tracing method, device and system

Patent Citations (5)

Publication number | Priority date | Publication date | Assignee | Title
CN101556608A * | 2009-02-27 | 2009-10-14 | 浙大网新科技股份有限公司 | File system operation intercepting method based on event monitoring mechanism
CN103902892A * | 2012-12-24 | 2014-07-02 | 珠海市君天电子科技有限公司 | Behavior-based virus defense method and system
CN104899511A * | 2015-05-21 | 2015-09-09 | 成都中科慧创科技有限公司 | Program behavior algorithm based active defense method
CN105243324A * | 2015-10-20 | 2016-01-13 | 珠海市君天电子科技有限公司 | Method and device for identifying malicious software in user terminal and user terminal
CN105279433A * | 2014-07-10 | 2016-01-27 | 腾讯科技(深圳)有限公司 | Application protection method and apparatus

Also Published As

Publication number Publication date
CN107315952A (en) 2017-11-03

Legal Events

Code | Title | Description
NENP | Non-entry into the national phase | Ref country code: DE
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17788490; Country of ref document: EP; Kind code of ref document: A1
122 | Ep: pct application non-entry in european phase | Ref document number: 17788490; Country of ref document: EP; Kind code of ref document: A1