WO2017185827A1 - Method and apparatus for determining suspicious activity of an application program - Google Patents

Method and apparatus for determining suspicious activity of an application program

Info

Publication number
WO2017185827A1
Authority
WO
WIPO (PCT)
Prior art keywords
behavior
application
information
terminal device
process behavior
Prior art date
Application number
PCT/CN2017/070468
Other languages
English (en)
Chinese (zh)
Inventor
刘振华
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2017185827A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Definitions

  • Embodiments of the present invention relate to the field of computers and, more particularly, to a method and apparatus for determining suspicious behavior of an application.
  • Within an enterprise, checks for Advanced Persistent Threat (APT) attacks generally favor big data analytics: analyzing traffic in the enterprise network, analyzing files in sandboxes, and attempting to discover attack patterns with traditional signature matching.
  • Advanced threats that have not been recognized are sought by analyzing the alert logs of the various traditional security inspection devices. The purpose of these analyses is to identify security issues within the enterprise in a timely manner and to minimize the damage that advanced threats cause to the enterprise.
  • The traditional host-based defense method mainly aims to prevent suspicious behavior from attacking the system.
  • This defense method must rely on security software to monitor the process behavior of all applications on the host.
  • IT staff pre-set an access control policy in the security software to control applications' access to system data. If a process behavior does not satisfy this access control policy, the security software determines that the process behavior is suspicious. After detecting suspicious behavior, the security software directly alerts the user who is using the host and lets the user choose whether to intercept the suspicious behavior.
  • The traditional defense method only covers applications' access rules for system data; it does not prevent suspicious behavior that illegally accesses application data, such as stealing or tampering with application data.
  • Moreover, letting users judge whether to intercept suspicious behavior, as traditional defense methods do, is not very appropriate.
  • Embodiments of the present invention provide a method and apparatus for determining suspicious behavior of an application, which can determine suspicious behavior of illegally accessing application data, thereby improving overall system performance.
  • A method for determining suspicious behavior of an application is provided, comprising: when a terminal device determines that data accessed by a process behavior of a first application belongs to a second application different from the first application, the terminal device determines the process behavior as a candidate suspicious behavior, the data including at least one of a process, a thread, a file, a directory, and a registry entry; and the terminal device sends behavior characteristic information of the process behavior to a data analysis server, so that the data analysis server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is a suspicious behavior.
  • the terminal device determines that the process behavior is a candidate suspicious behavior.
  • For example, the second application includes process P1 and process P2. If file F is created during the execution of P1, file F belongs to the second application. If process P2 accesses file F during execution, the behavior of process P2 can be regarded as legal. If process P3 of a first application different from the second application accesses file F, the behavior of process P3 is a candidate suspicious behavior.
  • In the embodiment of the present invention, the terminal device determines the candidate suspicious behavior from all detected process behaviors based on the data access rule between applications, and sends the behavior characteristic information of the determined candidate suspicious behavior to the data analysis server; the data analysis server then determines, according to the behavior characteristic information of the candidate suspicious behavior, whether the candidate suspicious behavior is a suspicious behavior, thereby determining suspicious behavior on the terminal device that illegally accesses application data.
  • The method does not need to rely on security software and does not require user participation in the determination; it can improve the accuracy and reliability of determining suspicious behavior, thereby improving overall system performance.
  • the terminal device may be a host or a client.
  • the terminal device may determine relationship information between the application and the data in the system in multiple manners.
  • Specifically, the terminal device can acquire the relationship information between the existing applications and the data in the system by collecting system information; the terminal device can obtain the relationship information between each application in the system and the data it creates through real-time monitoring; and the terminal device can also determine whether the system is installing an application and, if so, associate the data created during the installation process with that application. After determining the relationship information between the applications and the data in the system, the terminal device can, according to that relationship information, determine the application to which the data accessed by the process behavior of the first application belongs, and thereby further determine the candidate suspicious behavior.
  • The terminal device determining the process behavior as the candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application belongs to the second application different from the first application includes: if the process behavior is a dynamic link library (DLL) file loading behavior of the first application, the terminal device determines whether the DLL file loaded by the process behavior is a system DLL file; if the DLL file is not a system DLL file, the terminal device determines the application to which the DLL file belongs; and if the DLL file belongs to the second application different from the first application, the terminal device determines the process behavior as the candidate suspicious behavior.
  • The terminal device determining the process behavior as the candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application belongs to the second application different from the first application includes: if the process behavior is a registry access behavior of the first application, the terminal device determines the application that created the registry path accessed by the process behavior; if the registry path was created by the second application different from the first application, the terminal device determines whether the registry path is a publicly accessible path; and if the registry path is not a publicly accessible path, the terminal device determines the process behavior as the candidate suspicious behavior.
  • The terminal device determining the process behavior as the candidate suspicious behavior when it determines that the data accessed by the process behavior of the first application belongs to the second application different from the first application includes: if the process behavior is a file access behavior of the first application, the terminal device determines the application that created the file accessed by the process behavior; if the file accessed by the process behavior was created by the second application different from the first application, the terminal device determines the type of the file accessed by the process behavior; and if the type of the file accessed by the process behavior is a program file, the terminal device determines the process behavior as the candidate suspicious behavior.
  • The terminal device determines the application registered for the extension of the file accessed by the process behavior; if the extension of the file accessed by the process behavior is registered and the registered application is a third application different from the first application, the terminal device determines the process behavior as the candidate suspicious behavior.
  • The terminal device determines whether the process created by the first process behavior belongs to the first application; if the process created by the first process behavior does not belong to the first application, the terminal device determines whether that process is a system process of the first terminal device; and if the process is not a system process of the first terminal device, the first terminal device determines the first process behavior as the first candidate suspicious behavior.
  • The terminal device determines the application to which the thread created by the first process behavior belongs; if the thread created by the first process behavior belongs to the second application different from the first application, the first terminal device determines the first process behavior as the first candidate suspicious behavior.
  • The behavior characteristic information includes: information about the application to which the process behavior belongs, information about the data accessed by the process behavior, and information about the application to which the data accessed by the process behavior belongs.
  • The method further includes: the terminal device receives indication information sent by the data analysis server, where the indication information is used to indicate that the process behavior is a normal behavior; and the terminal device determines, according to the indication information, that the process behavior is a normal behavior.
  • The method can not only improve the accuracy of detecting candidate suspicious behavior on the terminal device, but also avoid transmitting unnecessary behavior characteristic information, thereby saving signaling overhead.
  • In the ninth possible implementation of the first aspect, after the terminal device sends the behavior characteristic information of the process behavior to the data analysis server, the method further includes: the terminal device receives a request message sent by the data analysis server, where the request message is used to request traceability information of the process behavior, the traceability information including at least one of the following: process information of the process behavior, information about the program file corresponding to the process behavior, and relationship information between the process creator of the process behavior and the program file creator; and the terminal device sends the traceability information to the data analysis server according to the request message.
  • the data analysis server may request the terminal device to trace the source behavior of the process behavior.
  • The terminal device sends the traceability information of the suspicious behavior to the data analysis server, so that the IT manager obtains the traceability information through the data analysis server and can reconstruct the suspicious behavior and how it occurred from the traceability information, which is beneficial to the later investigation of attack events and collection of evidence.
  • A method for determining suspicious behavior of an application is provided, comprising: a data analysis server receives behavior characteristic information of a first process behavior sent by a first terminal device, where the first process behavior belongs to a first application and the data accessed by the first process behavior belongs to a second application different from the first application, the data including at least one of a process, a thread, a file, a directory, and a registry entry; and the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
  • The data analysis server determining, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior includes: the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to a set of trusted behaviors, where the set of trusted behaviors includes at least one trusted behavior; and if it is determined that the first process behavior does not belong to the set of trusted behaviors, the data analysis server determines that the first process behavior is suspicious.
  • Before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior belongs to the set of trusted behaviors, the method further includes: the data analysis server receives behavior characteristic information of a plurality of second process behaviors sent by each of at least one second terminal device; and the data analysis server determines the set of trusted behaviors using a data mining algorithm according to the behavior characteristic information of the plurality of second process behaviors sent by the at least one second terminal device, where the set of trusted behaviors includes at least one of the plurality of second process behaviors.
  • the data mining algorithm may be a frequent item set algorithm, a support vector machine algorithm or a decision tree algorithm, or the like.
  • The behavior characteristic information of the first process behavior includes: information about the application to which the first process behavior belongs, information about the data accessed by the first process behavior, and information about the application to which the data accessed by the first process behavior belongs.
  • The behavior characteristic information of the plurality of second process behaviors includes: information about the applications to which the plurality of second process behaviors belong, information about the data accessed by the plurality of second process behaviors, and information about the applications to which the data accessed by the plurality of second process behaviors belongs.
  • The method further includes: if the data analysis server determines that the first process behavior is a normal behavior, the data analysis server sends indication information to the first terminal device, where the indication information is used to indicate that the first process behavior is a normal behavior.
  • The method further includes: if the data analysis server determines that the first process behavior is a suspicious behavior, the data analysis server sends a request message to the first terminal device, where the request message is used to request traceability information of the first process behavior, the traceability information including at least one of process information of the first process behavior, information about the program file corresponding to the first process behavior, and relationship information between the process creator and the program file creator of the first process behavior; the data analysis server receives the traceability information sent by the first terminal device according to the request message; and the data analysis server displays the traceability information through a background management interface.
  • The data analysis server can display the traceability information of the suspicious behavior to the IT manager through the background management interface, so that the IT manager can reconstruct the suspicious behavior and how it occurred from the traceability information, which is beneficial to the later investigation of attack events and collection of evidence.
  • an apparatus for determining suspicious behavior of an application for performing the method of any of the above-described first aspect or any of the possible implementations of the first aspect is provided.
  • the apparatus may comprise means for performing the method of any of the above-described first aspect or any of the possible implementations of the first aspect.
  • an apparatus for determining suspicious behavior of an application for performing the method of any of the above-described second aspect or any of the possible implementations of the second aspect is provided.
  • The apparatus may comprise means for performing the method of the second aspect or any of the possible implementations of the second aspect described above.
  • an apparatus for determining suspicious behavior of an application comprising: a receiver, a transmitter, a memory, a processor, and a bus system.
  • The receiver, the transmitter, the memory and the processor are connected by the bus system; the memory is for storing instructions; the processor is for executing the instructions stored in the memory to control the receiver to receive signals and control the transmitter to transmit signals; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the first aspect or any of the possible implementations of the first aspect.
  • an apparatus for determining suspicious behavior of an application comprising: a receiver, a transmitter, a memory, a processor, and a bus system.
  • The receiver, the transmitter, the memory and the processor are connected by the bus system; the memory is for storing instructions; the processor is for executing the instructions stored in the memory to control the receiver to receive signals and control the transmitter to transmit signals; and when the processor executes the instructions stored in the memory, the execution causes the processor to perform the method of the second aspect or any of the possible implementations of the second aspect.
  • In a seventh aspect, a system for determining suspicious behavior of an application is provided, the system comprising the apparatus of the third aspect or any of the possible implementations of the third aspect and the apparatus of the fourth aspect or any of the possible implementations of the fourth aspect; or
  • the system comprises the apparatus of the fifth aspect or any of the possible implementations of the fifth aspect, and the apparatus of the sixth aspect or any of the possible implementations of the sixth aspect.
  • A computer readable medium for storing a computer program is provided, the computer program comprising instructions for performing the method of the first aspect or any of the possible implementations of the first aspect.
  • In a ninth aspect, a computer readable medium for storing a computer program is provided, the computer program comprising instructions for performing the method of the second aspect or any of the possible implementations of the second aspect.
  • FIG. 1 is a schematic diagram of a system to which an embodiment of the present invention is applied.
  • FIG. 2 is a schematic flowchart of a method for determining suspicious behavior of an application according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of another system for determining suspicious behavior of an application according to an embodiment of the present invention.
  • FIG. 4 is a schematic block diagram of an apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
  • FIG. 5 is a schematic block diagram of another apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
  • FIG. 6 is a schematic block diagram of another apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
  • FIG. 7 is a schematic block diagram of another apparatus for determining suspicious behavior of an application according to an embodiment of the present invention.
  • an application is composed of a plurality of program files, which are also referred to as executable program files.
  • the program file initiates a system service request to the operating system during runtime.
  • a system service request can also be called an application programming interface (API) call.
  • the API call may include reading and writing of a file, allocation of a memory, input and output (IO) of a network, operation of a hardware device, reading and writing of a system configuration, and the like, which are not limited by the embodiment of the present invention.
  • This document collectively refers to application-related processes, threads, files, directories, registry keys and so on as the "data" of the application. Each time an application is installed and each time it is run, corresponding data is generated. It should be understood that data other than system data belongs to a specific application.
  • FIG. 1 shows a system 100 to which an embodiment of the present invention is applied.
  • the system 100 can include at least one terminal device 110 and one data analysis server 120.
  • the terminal device 110 can be mobile or fixed.
  • The terminal device 110 can refer to an access terminal, a user equipment (UE), a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user device.
  • The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a future 5G network, a terminal device in a future evolved Public Land Mobile Network (PLMN), or the like.
  • the terminal device 100 is a host or a client.
  • the data analysis server 120 may be a file server, a database server, an application server, a WEB server, etc., which is not limited by the embodiment of the present invention.
  • FIG. 1 exemplarily shows a terminal device and a data analysis server.
  • the system 100 may include a plurality of terminal devices, which is not limited by the embodiment of the present invention.
  • the data analysis server may transmit information with a plurality of terminal devices at the same time, thereby determining an application suspicious behavior of each of the plurality of terminal devices.
  • the process of determining the suspicious behavior of the application in each terminal device by the data analysis server is similar.
  • The following describes, as an example, the process by which the data analysis server determines the suspicious behavior of the application in the first terminal device among the plurality of terminal devices.
  • FIG. 2 is a schematic flowchart of a method for determining suspicious behavior of an application provided by an embodiment of the present invention.
  • the method 200 can be applied to the system 100 shown in FIG. 1, but the embodiment of the invention is not limited thereto.
  • the method 200 includes:
  • The first terminal device determines the data accessed by the first process behavior of the first application; if that data belongs to a second application different from the first application, the first process behavior is determined as a candidate suspicious behavior. The data includes at least one of a process, a thread, a file, a directory, and a registry key.
  • the first terminal device can learn that the application has a process behavior through a mechanism provided by the existing operating system.
  • the Windows operating system provides a filter driver mechanism that allows users to implement extended functions without affecting the normal functionality of the operating system.
  • First the user can write a driver module and register the driver module with the operating system.
  • the driver module can implement additional functions based on interfaces and points of interest provided by the filter driver mechanism, such as obtaining information about file operations and the like.
  • When a file input/output (I/O) operation, registry I/O operation, network I/O operation, etc. occurs in any process, the operating system sends the related information of the operation, such as the process name and the operation object (the identifier of the file, registry entry, etc.), to the driver module.
  • A plurality of applications may be installed in the first terminal device. When the first terminal device detects a process behavior that belongs to a first application among the multiple applications, but the data accessed by the process behavior belongs to a second application among the plurality of applications, where the first application is different from the second application, the first terminal device considers that the process behavior accesses data that is not its own and determines the process behavior as a candidate suspicious behavior.
  • That is, the first terminal device does not simply treat the process behavior of all applications in the system alike; it filters all detected process behaviors according to whether the data accessed by a process behavior belongs to the application to which the process behavior belongs, thereby filtering suspected suspicious process behavior out of all process behavior.
  • Before the first terminal device determines the first process behavior as a candidate suspicious behavior, the relationship information between the application and the data is determined; this determination can be divided into the following three cases:
  • In the first case, the first terminal device can acquire the relationship information between the existing applications and the data in the system by collecting system information. For example, the first terminal device may locate the application directory of an application through the registry, classify program files and non-program files as belonging to the application by comparing the file creation time with the directory creation time, and collect the program files of the application together with their product name, company copyright name, digital signature information, etc., and store them in the information database.
  • In the second case, the first terminal device can acquire the relationship information between each application in the system and the data it creates in real time through real-time monitoring. For example, if the first terminal device detects a data creation action of a process, the relationship information between the created data and its creator is stored in the information database.
  • In the third case, the first terminal device can determine whether the system is installing an application, and if the system is installing an application, the data created during the installation process is associated with that application. For example, if it is detected that a process or a child process of that process creates a plurality of program files in a fixed directory, the first terminal device can determine whether the process or the child process registers an application; if so, the first terminal device establishes the relationship between the application program and the program files and registry entries, and stores the corresponding relationship information in the information database.
  • The first terminal device can then filter the detected process behavior according to the relationship information between the application and the data.
  • For example, the first application includes a process P1 and a process P2. If file F is created during the execution of P1, file F belongs to the first application, and if process P2 accesses file F during execution, the behavior of process P2 can be regarded as legal. If process P3 of a second application different from the first application accesses file F, the behavior of process P3 is a candidate suspicious behavior.
  • the first terminal device sends behavior characteristic information of the first process behavior to the data analysis server.
  • That is, the first terminal device directly reports the behavior characteristic information of the selected candidate suspicious behavior (i.e., the first process behavior) to the data analysis server, and the data analysis server analyzes and processes the first process behavior.
  • the data analysis server receives the behavior characteristic information of the first process behavior, and determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
  • the data analysis server may receive behavior characteristic information of the first process behavior that the first terminal device considers suspicious, and then determine, according to the behavior characteristic information, whether the first process behavior is a suspicious behavior.
  • the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the behavior of the first process is a suspicious behavior, including:
  • if the first process behavior does not belong to a set of trusted behaviors, the data analysis server determines that the first process behavior is suspicious.
  • Specifically, the data analysis server may determine whether the first process behavior belongs to a set of trusted behaviors, where the set includes at least one trusted behavior. If the first process behavior belongs to the set of trusted behaviors, the data analysis server determines that the first process behavior is a normal behavior; if it does not belong to the set, the data analysis server determines that the first process behavior is suspicious. The data analysis server confirms that the first process behavior belongs to the trusted behavior set when the behavior characteristic information of the first process behavior is the same as the behavior characteristic information of one trusted behavior in the set; otherwise, when the behavior characteristic information of the first process behavior differs from that of every trusted behavior in the set, it confirms that the first process behavior does not belong to the set.
  • In the embodiment of the present invention, the terminal device determines the candidate suspicious behavior from all detected process behaviors based on the data access rules between applications, and sends the behavior characteristic information of the determined candidate suspicious behavior to the data analysis server, which determines whether the candidate suspicious behavior is suspicious.
  • The method for determining suspicious behavior of an application according to an embodiment of the present invention is therefore capable of determining suspicious behavior that illegally accesses application data, without relying on security software and without requiring user involvement.
  • In the traditional approach, the host determines suspicious behavior directly by using security software, which monitors the process behavior of all applications in the system.
  • IT staff pre-set an access control policy in the security software to control how the process behavior of applications in the system accesses system data. If a process behavior does not satisfy this access control policy, the security software determines that the process behavior is suspicious. Once suspicious behavior is detected, the security software directly alerts the user of the host and lets the user choose whether to intercept it. Therefore, the traditional host-based defense method mainly aims to prevent suspicious behavior from attacking the system, and this defense method must rely on security software.
  • The traditional defense method only covers the application's access rules to system data; it does not consider the data access rules between one application and another, and so cannot prevent suspicious behavior that illegally accesses application data, for example, suspicious behavior that steals or tampers with application data.
  • Moreover, leaving it to the user to judge whether to intercept suspicious behavior, as traditional defense methods do, is not very appropriate.
  • In the embodiment of the present invention, the terminal device determines the candidate suspicious behavior from the detected process behaviors based on the data access rules between applications and sends the behavior characteristic information of the determined candidate suspicious behavior to the data analysis server, and the data analysis server determines whether the candidate suspicious behavior is a suspicious behavior. Suspicious behavior that illegally accesses application data in the terminal device can thus be determined. Compared with the prior art, the method does not need to rely on security software and does not require user participation in the determination, which can improve the accuracy and reliability of the judgment of suspicious behavior and thereby the overall performance of the system.
  • The way in which the first terminal device determines the candidate suspicious behavior can be divided into multiple cases according to the specific type of the process behavior.
  • If the first process behavior is a DLL (dynamic link library) file loading behavior of the first application, the first terminal device determines whether the DLL file loaded by the first process behavior is a system DLL file; if it is not a system DLL file, the first terminal device determines the application to which the DLL file belongs; and if the DLL file belongs to a second application different from the first application, the first terminal device determines the first process behavior as the candidate suspicious behavior.
  • If the first process behavior is a registry access behavior of the first application, the first terminal device determines the application that created the registry path accessed by the first process behavior; if the registry path was created by a second application different from the first application, the first terminal device determines whether the registry path is a publicly accessible path; and if it is not a publicly accessible path, the first terminal device determines the first process behavior as a candidate suspicious behavior.
  • If the first process behavior is a file access behavior of the first application, the first terminal device determines the application that created the file accessed by the first process behavior; if the file was created by a second application different from the first application, the first terminal device determines the type of the file; and if the type of the file is a program file, the first terminal device may directly determine the first process behavior as a candidate suspicious behavior.
  • If the type of the file is a non-program file, the first terminal device determines the application registered for the extension of the file accessed by the first process behavior; if the application registered for that extension is a third application different from the first application, the first terminal device determines the first process behavior as a candidate suspicious behavior.
  • If the first process behavior is a process creation behavior of the first application, the first terminal device determines whether the process created by the first process behavior belongs to the first application; if it does not, the first terminal device determines whether the process is a system process of the first terminal device; and if it is not a system process, the first terminal device determines the first process behavior as a candidate suspicious behavior.
  • In this case the first process behavior should be understood as the behavior of a virus: the program file of the first application carries the virus, and the virus creates a new process that does not belong to the first application. Therefore, based on the above judgment condition, it can be determined whether the application carries a virus.
  • If the first process behavior is a thread creation behavior of the first application, the first terminal device determines the application to which the thread created by the first process behavior belongs; if the thread belongs to a second application different from the first application, the first terminal device determines the first process behavior as a candidate suspicious behavior.
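The per-type rules above, as an added terminal-side filter in Python (example code, not the patent's or Huawei's own implementation). The ownership database, the application names and all paths are constructed for illustration; where the text leaves a case open (unknown ownership, unregistered extension) the choice is marked as an assumption in the comments.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, Set

SYSTEM = "system"  # constructed marker: data owned by the operating system itself


@dataclass
class OwnershipDb:
    """Constructed stand-in for the relationship database the terminal fills
    while watching installations: which application created which data."""
    dll_owner: Dict[str, str] = field(default_factory=dict)       # dll path -> app or SYSTEM
    registry_owner: Dict[str, str] = field(default_factory=dict)  # registry path -> creating app
    public_registry: Set[str] = field(default_factory=set)        # publicly accessible registry paths
    file_owner: Dict[str, str] = field(default_factory=dict)      # file path -> creating app
    program_files: Set[str] = field(default_factory=set)          # file paths that are program files
    ext_handler: Dict[str, str] = field(default_factory=dict)     # ".ext" -> app registered for it
    process_owner: Dict[str, str] = field(default_factory=dict)   # process/thread image -> app or SYSTEM


@dataclass
class Behavior:
    app: str     # the first application, to which the acting process belongs
    kind: str    # "dll_load", "registry", "file", "process" or "thread"
    target: str  # path, key or image the behavior loads, accesses or creates


def is_candidate(db: OwnershipDb, b: Behavior) -> bool:
    """Apply the per-type rule for the behavior and report whether it is a
    candidate suspicious behavior to be sent to the data analysis server."""
    if b.kind == "dll_load":
        owner = db.dll_owner.get(b.target)
        # System DLLs are allowed; a DLL belonging to a second application is not.
        # A DLL of unknown ownership is left alone (assumption: owner not determinable).
        return owner not in (None, SYSTEM, b.app)
    if b.kind == "registry":
        owner = db.registry_owner.get(b.target)
        if owner in (None, b.app):
            return False
        # Created by a second application: suspicious unless the path is public.
        return b.target not in db.public_registry
    if b.kind == "file":
        owner = db.file_owner.get(b.target)
        if owner in (None, b.app):
            return False
        if b.target in db.program_files:
            return True  # foreign program file: reported directly
        # Non-program file: suspicious when its extension is registered to an
        # application other than the first one (unregistered extensions pass; assumption).
        handler = db.ext_handler.get(os.path.splitext(b.target)[1].lower())
        return handler not in (None, b.app)
    if b.kind == "process":
        # Not the first application's own process and not a system process;
        # an unknown image counts as "not the first application".
        return db.process_owner.get(b.target) not in (SYSTEM, b.app)
    if b.kind == "thread":
        # A thread of another application than the first one (unknown owner
        # counts as another application; assumption).
        return db.process_owner.get(b.target) != b.app
    return False


def build_sample_db() -> OwnershipDb:
    """Constructed ownership data for two installed applications, Editor and Mailer."""
    db = OwnershipDb()
    db.dll_owner.update({r"C:\Windows\System32\kernel32.dll": SYSTEM,
                         r"C:\Program Files\Mailer\mapi.dll": "Mailer"})
    db.registry_owner.update({r"HKCU\Software\Mailer\Accounts": "Mailer",
                              r"HKCU\Software\Mailer\Public": "Mailer"})
    db.public_registry.add(r"HKCU\Software\Mailer\Public")
    db.file_owner.update({r"C:\Program Files\Mailer\mailer.exe": "Mailer",
                          r"C:\Users\alice\Mail\inbox.mbx": "Mailer",
                          r"C:\Users\alice\notes.txt": "Editor"})
    db.program_files.add(r"C:\Program Files\Mailer\mailer.exe")
    db.ext_handler.update({".mbx": "Mailer", ".txt": "Editor"})
    db.process_owner.update({"mailer.exe": "Mailer", "editor.exe": "Editor",
                             "cmd.exe": SYSTEM})
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for beh in (Behavior("Editor", "dll_load", r"C:\Program Files\Mailer\mapi.dll"),
                Behavior("Editor", "registry", r"HKCU\Software\Mailer\Public"),
                Behavior("Editor", "process", "dropper.exe")):
        print(beh.kind, beh.target, "->", "candidate" if is_candidate(db, beh) else "normal")
```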
  • Before the data analysis server determines, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior, the method further includes:
  • the data analysis server receives behavior characteristic information of a plurality of second process behaviors sent by each of at least one second terminal device;
  • the data analysis server determines the set of trusted behaviors by using a data mining algorithm according to the behavior characteristic information of the plurality of second process behaviors sent by the at least one second terminal device, where the trusted behavior set includes at least one of the plurality of second process behaviors.
  • The second terminal device in this embodiment may be the same as or different from the foregoing first terminal device, and the second process behavior may be the same as or different from the foregoing first process behavior; the embodiment of the present invention is not limited in this respect.
  • the behavior characteristic information of the first process behavior includes: application information to which the first process behavior belongs, information of the data accessed by the first process behavior, and application information to which the data accessed by the first process behavior belongs;
  • the behavior characteristic information of the plurality of second process behaviors includes: application information to which the plurality of second process behaviors belong, information of the data accessed by the plurality of second process behaviors, and application information to which the data accessed by the plurality of second process behaviors belongs.
  • The set of trusted behavior feature information may be generated by a data mining method. Therefore, the second terminal device is required to send behavior characteristic information that the data mining algorithm can use to the data analysis server. After determining the second process behavior, the second terminal device preprocesses the information of the second process behavior and converts it into the behavior feature information.
  • The behavior characteristic information may be sent to the data analysis server by the second terminal device as a set, and the set may include: the action performed by the second process behavior, the destination path of the second process behavior, the file name and path information of the application to which the second process behavior belongs, the copyright information of the application, the version information of the application, the header hash of the program file of the application, the digital signature information of the program file of the application, and the like.
  • Data mining algorithms can be used to uncover suspicious behaviors that are not recognized by security software.
  • the data mining algorithm herein may be a frequent item set algorithm, a support vector machine algorithm, a decision tree algorithm, or the like, which is not limited by the embodiment of the present invention.
  • the method further includes:
  • if the data analysis server determines that the first process behavior is a normal behavior,
  • the data analysis server sends indication information to the first terminal device, where the indication information is used to indicate that the first process behavior is a normal behavior.
  • The first terminal device receives the indication information sent by the data analysis server and determines, according to the indication information, that the first process behavior is a normal behavior.
  • If the first terminal device detects the first process behavior again, the behavior characteristic information of the first process behavior is not sent to the data analysis server.
  • the method further includes:
  • if the data analysis server determines that the first process behavior is a suspicious behavior, the data analysis server sends a request message to the first terminal device, where the request message is used to request traceability information of the first process behavior, and the traceability information includes at least one of: process information of the first process behavior, information of the program file corresponding to the first process behavior, and relationship information between the process creator and the program file creator of the first process behavior;
  • the data analysis server receives the traceability information sent by the first terminal device according to the request message, and displays the traceability information through a background management interface.
  • The data analysis server may display the traceability information of the suspicious behavior through the background management interface, so that information technology (IT) management personnel can determine the origin of the suspicious behavior from the traceability information.
  • The foregoing terminal device may specifically be a client, and the foregoing method for determining suspicious behavior may be applied to an enterprise including multiple clients.
  • For example, the enterprise includes a client 301, a client 302, and a client 303, and a monitoring program, such as a probe program 304, a probe program 305, and a probe program 306 respectively, is deployed in each client.
  • These probe programs are responsible for monitoring all process behaviors in the enterprise clients and filtering the monitored process behaviors. If a process behavior accesses data that is not its own, the probe program determines that the process behavior is a candidate suspicious behavior.
  • After the candidate suspicious behaviors are determined, each client separately extracts the behavior characteristic information of each candidate suspicious behavior.
  • the probe program in the client transmits the determined behavior characteristic information of the candidate suspicious behavior to the data analysis server 307.
  • The data analysis server 307 continuously receives behavior characteristic information of candidate suspicious behaviors sent from different clients, and uses the data mining algorithm to perform statistical analysis on the received behavior characteristic information, generating a set of trusted behaviors that includes at least one trusted behavior. After the data analysis server 307 has generated the set of trusted behaviors, it can determine whether a candidate suspicious behavior is suspicious according to the behavior characteristic information of the candidate suspicious behavior.
  • For example, the data analysis server 307 receives the behavior characteristic information of a process behavior sent by the client 301, that is, the behavior characteristic information of a candidate suspicious behavior, and can determine according to that information whether the process behavior is suspicious.
  • If the data analysis server 307 determines that the process behavior is a normal behavior, it sends an indication message to the client 301 indicating that the process behavior is a normal behavior. After receiving the indication information, the client 301 determines the process behavior to be a normal behavior. If the client 301 detects the process behavior again, the behavior characteristic information of the process behavior is not sent to the data analysis server 307.
  • If the data analysis server 307 determines that the process behavior is suspicious, it sends a request message to the client 301 requesting traceability information of the process behavior. After receiving the request message, the client 301 sends the traceability information of the process behavior to the data analysis server 307. The data analysis server 307 receives the traceability information sent by the client 301 and displays it through the background management interface.
  • the data analysis server 307 can send the traceability information to the system management server 308.
  • The system management server 308 can display the traceability information to relevant personnel of the enterprise, such as an IT manager, in real time, so that the IT manager can reconstruct from the traceability information when and how the suspicious behavior occurred, which benefits the later investigation and evidence collection for the attack event.
  • The judgment of the data analysis server is not necessarily accurate at first. Because this kind of statistical analysis relies on process behaviors accumulated over a period of time, a certain behavior may be counted rarely at the beginning while its count gradually increases later. Therefore, the data analysis server is required to perform backtracking iterations over the previously received process behaviors to improve the accuracy of the judgment results.
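The server side as one added Python example (not the patent's or Huawei's code) covering the trusted-set matching, the data-mining generation of the trusted set from second-terminal reports, the indication/request exchange with the first terminal, and the backtracking re-judgment just described. The support-count rule standing in for the unspecified mining algorithm, the threshold, the message names and all sample reports are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class Feature(NamedTuple):
    """Behavior characteristic information as the patent lists it: the
    application of the behavior, the data it accessed, and the data's owner."""
    app: str
    data: str
    data_owner: str


class Report(NamedTuple):
    terminal: str
    feature: Feature


class AnalysisServer:
    """Constructed data analysis server: trusted set by support counting, exact-match judgment."""

    def __init__(self, min_support: int):
        # A feature becomes trusted once at least `min_support` distinct terminals
        # reported it: the single-item case of a frequent item set rule (assumption;
        # the patent leaves the mining algorithm open).
        self.min_support = min_support
        self.support: Dict[Feature, Set[str]] = defaultdict(set)
        self.trusted: Set[Feature] = set()
        self.pending: List[Report] = []  # reports judged suspicious so far

    def ingest(self, reports: List[Report]) -> None:
        """Accumulate second-terminal reports and rebuild the trusted behavior set."""
        for r in reports:
            self.support[r.feature].add(r.terminal)
        self.trusted = {f for f, ts in self.support.items() if len(ts) >= self.min_support}

    def is_suspicious(self, f: Feature) -> bool:
        """A behavior is normal only if its feature exactly matches a trusted one."""
        return f not in self.trusted

    def handle(self, report: Report) -> str:
        """Judge a first-terminal report and return the message type sent back."""
        if self.is_suspicious(report.feature):
            self.pending.append(report)
            return "request_traceability"
        return "indication_normal"

    def backtrack(self) -> List[Report]:
        """Re-judge earlier suspicious reports against the grown trusted set;
        return the reports that are now cleared."""
        cleared = [r for r in self.pending if not self.is_suspicious(r.feature)]
        self.pending = [r for r in self.pending if self.is_suspicious(r.feature)]
        return cleared


class Terminal:
    """First-terminal side: a behavior indicated normal is not reported again;
    a request message is answered with traceability information."""

    def __init__(self, name: str, server: AnalysisServer):
        self.name, self.server = name, server
        self.known_normal: Set[Feature] = set()
        self.traceability_sent: List[Feature] = []

    def report(self, f: Feature) -> Optional[str]:
        if f in self.known_normal:
            return None  # suppressed: not sent to the server again
        msg = self.server.handle(Report(self.name, f))
        if msg == "indication_normal":
            self.known_normal.add(f)
        else:
            # Constructed stand-in for sending process info, program file info and
            # creator relationship info of the behavior back to the server.
            self.traceability_sent.append(f)
        return msg


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: a browser's read of a mail client's registry key is
    rare at first and common later; a process creation from an unknown image never
    gains support."""
    reg_read = Feature("Browser", r"HKCU\Software\Mailer\Accounts", "Mailer")
    spawn = Feature("Editor", "dropper.exe", "unknown")
    srv = AnalysisServer(min_support=3)
    client301 = Terminal("client301", srv)
    first = client301.report(reg_read)  # only client301 has seen it: suspicious
    srv.ingest([Report("client302", reg_read), Report("client303", reg_read),
                Report("client304", reg_read), Report("client305", spawn)])
    cleared = [r.terminal for r in srv.backtrack()]  # reg_read is now trusted
    return {"first": first, "cleared": cleared,
            "second": client301.report(reg_read),  # now indicated normal
            "third": client301.report(reg_read),   # suppressed on the client
            "spawn": client301.report(spawn),      # still suspicious
            "pending": len(srv.pending)}


if __name__ == "__main__":
    print(run_scenario())
```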
  • The method for determining suspicious behavior of an application according to an embodiment of the present invention determines a candidate suspicious behavior from the detected process behaviors by the terminal device based on the data access rules between applications, and sends the behavior characteristic information of the candidate suspicious behavior to the data analysis server, which determines whether the candidate suspicious behavior is a suspicious behavior. Suspicious behavior that illegally accesses application data can thus be determined. Compared with the prior art, the method does not need to rely on security software and does not require user participation in the determination, which can improve the accuracy and reliability of the judgment of suspicious behavior and thereby the overall performance of the system.
  • Furthermore, the embodiment of the present invention can display the traceability information of the suspicious behavior to the IT management personnel through the background management interface, so that the IT management personnel can reconstruct from the traceability information when and how the suspicious behavior appeared, which is conducive to the investigation and evidence collection of later attacks.
  • a method for determining suspicious behavior of an application according to an embodiment of the present invention is described in detail above with reference to FIGS. 1 through 3.
  • An apparatus for determining suspicious behavior of an application according to an embodiment of the present invention will be described in detail below with reference to FIGS. 4 through 7.
  • FIG. 4 shows an apparatus 400 for determining suspicious behavior of an application provided by an embodiment of the present invention.
  • the apparatus 400 includes:
  • the determining unit 410 is configured to determine the process behavior as a candidate suspicious behavior when determining that the data accessed by the process behavior of the first application belongs to a second application different from the first application, where the data includes at least one of a process, a thread, a file, a directory, and a registry key;
  • the sending unit 420 is configured to send behavior characteristic information of the process behavior to the data analysis server, so that the data analysis server determines, according to the behavior characteristic information of the process behavior, whether the process behavior is suspicious behavior.
  • the determining unit 410 is specifically configured to:
  • if the process behavior is a dynamic link library (DLL) file loading behavior of the first application, determine whether the DLL file loaded by the process behavior is a system DLL file;
  • if the DLL file is not a system DLL file, determine the application to which the DLL file belongs;
  • if the DLL file belongs to a second application different from the first application, determine the process behavior as the candidate suspicious behavior.
  • the determining unit 410 is specifically configured to:
  • if the process behavior is a registry access behavior of the first application, determine the application that created the registry path accessed by the process behavior;
  • if the registry path was created by a second application different from the first application and is not a publicly accessible path, determine the process behavior as the candidate suspicious behavior.
  • the determining unit 410 is specifically configured to:
  • if the process behavior is a file access behavior of the first application, determine the application that created the file accessed by the process behavior;
  • if the file was created by a second application different from the first application and the type of the file is a program file, determine the process behavior as the candidate suspicious behavior.
  • the determining unit 410 is specifically configured to:
  • if the type of the file accessed by the process behavior is a non-program file, determine whether the application registered for the extension of the file accessed by the process behavior is the first application;
  • if the application registered for that extension is not the first application, determine the process behavior as the candidate suspicious behavior.
  • the behavior characteristic information includes: application information to which the process behavior belongs, information of data accessed by the process behavior, and application information to which the data accessed by the process behavior belongs.
  • the apparatus 400 further includes:
  • a first receiving unit configured to: after the sending the behavior characteristic information of the process behavior to the data analysis server, receive the indication information sent by the data analysis server, where the indication information is used to indicate that the process behavior is a normal behavior;
  • the determining unit 410 is further configured to:
  • determine, according to the indication information, that the process behavior is a normal behavior.
  • the apparatus 400 further includes:
  • a second receiving unit configured to: after the behavior characteristic information of the process behavior is sent to the data analysis server, receive a request message sent by the data analysis server, where the request message is used to request traceability information of the process behavior, and the traceability information includes at least one of the following: process information of the process behavior, information of the program file corresponding to the process behavior, and relationship information between the process creator and the program file creator of the process behavior;
  • the sending unit 420 is further configured to send the traceability information to the data analysis server according to the request message.
  • the apparatus 400 herein is embodied in the form of a functional unit.
  • The term "unit" herein may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor for executing one or more software or firmware programs (e.g., a shared processor, a dedicated processor, or a group of processors, etc.) together with memory, merged logic, and/or other suitable components that support the described functionality.
  • The device 400 may specifically be the first terminal device in the foregoing embodiment, and may be used to perform the various processes and/or steps corresponding to the first terminal device in the foregoing method embodiment; to avoid repetition, they are not described again here.
  • FIG. 5 shows an apparatus 500 for determining suspicious behavior of an application provided by an embodiment of the present invention.
  • the apparatus 500 includes:
  • the receiving unit 510 is configured to receive behavior characteristic information of a first process behavior sent by the first terminal device, where the first process behavior belongs to a first application and the data accessed by the first process behavior belongs to a second application different from the first application, the data including at least one of a process, a thread, a file, a directory, and a registry entry;
  • the determining unit 520 is configured to determine, according to the behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
  • the determining unit 520 is specifically configured to:
  • if the first process behavior does not belong to the set of trusted behaviors, determine that the first process behavior is suspicious.
  • the receiving unit 510 is further configured to: receive behavior characteristic information of a plurality of second process behaviors sent by each of at least one second terminal device;
  • the determining unit 520 is further configured to: determine the set of trusted behaviors by using a data mining algorithm according to the behavior characteristic information of the plurality of second process behaviors, where the trusted behavior set includes at least one of the plurality of second process behaviors.
  • the behavior characteristic information of the first process behavior includes: application information to which the first process behavior belongs, information of the data accessed by the first process behavior, and application information to which the data accessed by the first process behavior belongs;
  • the behavior characteristic information of the plurality of second process behaviors includes: application information to which the plurality of second process behaviors belong, information of the data accessed by the plurality of second process behaviors, and application information to which the data accessed by the plurality of second process behaviors belongs.
  • the device further includes:
  • the first sending unit is configured to send, to the first terminal device, indication information, after the determining unit determines that the first process behavior is a normal behavior, the indication information is used to indicate that the first process behavior is a normal behavior.
  • the device further includes:
  • a second sending unit configured to: after the determining unit determines that the first process behavior is a suspicious behavior, send a request message to the first terminal device, where the request message is used to request traceability information of the first process behavior, and the traceability information includes at least one of: process information of the first process behavior, program file information of the first process behavior, and relationship information between the process creator and the program file creator of the first process behavior;
  • the receiving unit 510 is further configured to: receive the traceability information that is sent by the first terminal device according to the request message;
  • the device further includes: a display unit, configured to display the traceability information through a background management interface.
  • the apparatus 500 herein is embodied in the form of a functional unit.
  • The term "unit" herein may refer to an application specific integrated circuit (ASIC), an electronic circuit, a processor for executing one or more software or firmware programs (e.g., a shared processor, a dedicated processor, or a group of processors, etc.) together with memory, merged logic, and/or other suitable components that support the described functionality.
  • The device 500 may specifically be the data analysis server in the foregoing embodiment, and may be used to perform the various processes and/or steps corresponding to the data analysis server in the foregoing method embodiments; to avoid repetition, they are not described again here.
  • FIG. 6 illustrates an apparatus 600 for determining suspicious behavior of an application provided by an embodiment of the present invention.
  • The apparatus 600 includes a processor 610, a transmitter 620, a receiver 630, a memory 640, and a bus system 650. The processor 610, the transmitter 620, the receiver 630, and the memory 640 are connected by the bus system 650; the memory 640 is configured to store instructions, and the processor 610 is configured to execute the instructions stored in the memory 640 to control the transmitter 620 to transmit signals and to control the receiver 630 to receive signals.
  • the processor 610 is configured to determine the process behavior as a candidate suspicious behavior when determining that the data accessed by the process behavior of the first application belongs to a second application different from the first application, where the data includes at least one of a process, a thread, a file, a directory, and a registry key;
  • the transmitter 620 is configured to send the behavior characteristic information of the process behavior to the data analysis server, so that the data analysis server determines whether the process behavior is suspicious according to the behavior characteristic information of the process behavior.
  • the processor 610 is specifically configured to:
  • if the process behavior is a dynamic link library (DLL) file loading behavior of the first application, determine whether the DLL file loaded by the process behavior is a system DLL file;
  • if the DLL file is not a system DLL file, determine the application to which the DLL file belongs;
  • if the DLL file belongs to a second application different from the first application, determine the process behavior as the candidate suspicious behavior.
  • the processor 610 is specifically configured to:
  • if the process behavior is a registry access behavior of the first application, determine the application that created the registry path accessed by the process behavior;
  • if the registry path was created by a second application different from the first application and is not a publicly accessible path, determine the process behavior as the candidate suspicious behavior.
  • the processor 610 is specifically configured to:
  • if the process behavior is a file access behavior of the first application, determine the application that created the file accessed by the process behavior;
  • if the file was created by a second application different from the first application and the type of the file is a program file, determine the process behavior as the candidate suspicious behavior.
  • the processor 610 is specifically configured to:
  • if the type of the file accessed by the process behavior is a non-program file, determine whether the application registered for the extension of the file accessed by the process behavior is the first application;
  • if the application registered for that extension is not the first application, determine the process behavior as the candidate suspicious behavior.
  • the behavior characteristic information includes: application information to which the process behavior belongs, information of data accessed by the process behavior, and application information to which the data accessed by the process behavior belongs.
  • the receiver 630 is configured to: after the behavior characteristic information of the process behavior is sent to the data analysis server, receive the indication information sent by the data analysis server, where the indication information is used to indicate that the process behavior is a normal behavior;
  • the processor 610 is further configured to: according to the indication message, determine that the process behavior is a normal behavior.
  • the receiver 630 is further configured to: after the behavior characteristic information of the process behavior is sent to the data analysis server, receive a request message sent by the data analysis server, where the request message is used to request traceability information of the process behavior, and the traceability information includes at least one of the following: process information of the process behavior, information of the program file corresponding to the process behavior, and relationship information between the process creator and the program file creator of the process behavior;
  • the transmitter 620 is further configured to: send the traceability information to the data analysis server according to the request message.
  • the device 600 may be specifically the terminal device in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the terminal device in the foregoing method embodiments.
  • the memory 640 can include read only memory and random access memory and provide instructions and data to the processor. A portion of the memory may also include a non-volatile random access memory.
  • the memory can also store information of the device type.
  • The processor 610 can be configured to execute instructions stored in the memory, and when the processor executes the instructions stored in the memory, the processor is operative to perform the various steps and/or processes of the method embodiments described above.
  • FIG. 7 illustrates an apparatus 700 for determining suspicious behavior of an application provided by an embodiment of the present invention.
  • the apparatus 700 includes a receiver 710, a processor 720, a transmitter 730, a memory 740, and a bus system 750.
  • The receiver 710, the processor 720, the transmitter 730, and the memory 740 are connected by the bus system 750; the memory 740 is configured to store instructions, and the processor 720 is configured to execute the instructions stored in the memory 740 to control the receiver 710 to receive signals and the transmitter 730 to transmit signals.
  • the receiver 710 is configured to receive behavior characteristic information of a first process behavior sent by the first terminal device, where the first process behavior belongs to a first application and the data accessed by the first process behavior belongs to a second application different from the first application, the data comprising at least one of a process, a thread, a file, a directory, and a registry entry;
  • the processor 720 is configured to determine, according to behavior characteristic information of the first process behavior, whether the first process behavior is a suspicious behavior.
  • the processor 720 is specifically configured to: determine whether the first process behavior belongs to a set of trusted behaviors, and if the first process behavior does not belong to the set of trusted behaviors, determine that the first process behavior is a suspicious behavior.
  • the receiver 710 is further configured to: receive behavior characteristic information of a plurality of second process behaviors;
  • the processor 720 is further configured to: determine the set of trusted behaviors according to the behavior characteristic information of the plurality of second process behaviors, where
  • the behavior characteristic information of the first process behavior includes: information of the application to which the first process behavior belongs, information of the data accessed by the first process behavior, and information of the application to which that data belongs;
  • the behavior characteristic information of the plurality of second process behaviors includes: information of the applications to which the plurality of second process behaviors belong, information of the data accessed by the plurality of second process behaviors, and information of the applications to which that data belongs.
  • the transmitter 730 is configured to: after the processor 720 determines that the first process behavior is a normal behavior, send indication information to the first terminal device, where the indication information is used to indicate that the first process behavior is a normal behavior.
  • the transmitter 730 is further configured to: after the processor 720 determines that the first process behavior is a suspicious behavior, send a request message to the first terminal device, where the request message is used to request traceability information of the first process behavior, and the traceability information includes at least one of: process information of the first process behavior, information of the program file corresponding to the first process behavior, and relationship information between the creator of the process of the first process behavior and the creator of that program file;
  • the receiver 710 is further configured to: receive the traceability information sent by the first terminal device according to the request message;
  • the processor 720 is further configured to: display the traceability information through a background management interface.
  • the apparatus 700 may be specifically the data analysis server in the foregoing embodiment, and may be used to perform various steps and/or processes corresponding to the data analysis server in the foregoing method embodiment.
  • the memory 740 may include a read-only memory and a random access memory, and provides instructions and data to the processor 720. A portion of the memory 740 may also include a non-volatile random access memory.
  • the memory 740 may also store device type information.
  • the processor 720 may be configured to execute the instructions stored in the memory 740; when the processor 720 executes those instructions, it performs the steps and/or processes corresponding to the data analysis server in the method embodiments described above.
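As an added example (not part of the patent text and not Huawei's implementation), the following Python sketch plays out the terminal/server exchange described for the device 600 and the apparatus 700 above: the terminal-side candidate filter (data owned by a different application), the server-side trusted-behavior check, the normal indication, and the traceability request and reply. The event shape, field names, the trust criterion (a behavior becomes trusted once at least three distinct terminals have reported it) and all sample events are constructed assumptions; the page does not specify any of them.

```python
from dataclasses import dataclass

DATA_KINDS = frozenset({"process", "thread", "file", "directory", "registry"})

@dataclass(frozen=True)
class BehaviorFeature:
    """Behavior characteristic information: owning app, accessed data, data's app."""
    app: str
    data_kind: str
    data_path: str
    data_owner_app: str

@dataclass
class ProcessEvent:
    """Constructed shape of one terminal-side observation (assumption)."""
    behavior_id: str
    pid: int
    app: str
    image_path: str        # program file backing the process
    data_kind: str
    data_path: str
    data_owner_app: str
    process_creator: str   # assumption: account/app that started the process
    file_creator: str      # assumption: account/app that wrote the program file

    def feature(self) -> BehaviorFeature:
        return BehaviorFeature(self.app, self.data_kind, self.data_path, self.data_owner_app)

def is_candidate(ev: ProcessEvent) -> bool:
    """Terminal rule: access to another application's data is a candidate; own data is not."""
    if ev.data_kind not in DATA_KINDS:
        raise ValueError(f"unsupported data kind: {ev.data_kind}")
    return ev.data_owner_app != ev.app

class TerminalDevice:
    def __init__(self, terminal_id: str):
        self.terminal_id = terminal_id
        self.pending = {}  # behavior_id -> event, kept until the server answers

    def observe(self, ev: ProcessEvent):
        """Return the report to send to the server, or None for a non-candidate."""
        if not is_candidate(ev):
            return None
        self.pending[ev.behavior_id] = ev
        return {"type": "report", "terminal": self.terminal_id,
                "behavior_id": ev.behavior_id, "feature": ev.feature()}

    def traceability(self, request: dict) -> dict:
        """Process info, program-file info and creator relationship, on request."""
        ev = self.pending.pop(request["behavior_id"])
        return {"type": "traceability", "behavior_id": ev.behavior_id,
                "process": {"pid": ev.pid, "app": ev.app},
                "program_file": {"path": ev.image_path, "creator": ev.file_creator},
                "creator_relationship": "same" if ev.process_creator == ev.file_creator else "different"}

class DataAnalysisServer:
    def __init__(self, min_terminals: int = 3):
        # Assumption: trusted once min_terminals distinct terminals reported it; the page fixes no criterion.
        self.min_terminals = min_terminals
        self.reporters = {}  # BehaviorFeature -> set of terminal ids that reported it

    def learn(self, terminal_id: str, feature: BehaviorFeature) -> None:
        self.reporters.setdefault(feature, set()).add(terminal_id)

    def handle(self, report: dict) -> dict:
        """Trusted-set check: 'normal' indication, or a traceability request."""
        trusted = len(self.reporters.get(report["feature"], ())) >= self.min_terminals
        self.learn(report["terminal"], report["feature"])
        if trusted:
            return {"type": "indication", "behavior_id": report["behavior_id"], "result": "normal"}
        return {"type": "request_traceability", "behavior_id": report["behavior_id"]}

def run_exchange(server: DataAnalysisServer, terminal: TerminalDevice, ev: ProcessEvent):
    """One complete exchange: report -> verdict -> optional traceability reply."""
    report = terminal.observe(ev)
    if report is None:
        return ("not_candidate", None)
    reply = server.handle(report)
    if reply["type"] == "indication":
        return ("normal", None)
    return ("suspicious", terminal.traceability(reply))

def demo() -> dict:
    """Constructed scenario: t1..t3 teach the server one benign cross-app behavior,
    then t4 reports that trusted access and an untrusted read of browser cookies."""
    server = DataAnalysisServer(min_terminals=3)
    benign = dict(pid=0, app="backup_agent", image_path="/opt/backup/agent",
                  data_kind="file", data_path="/home/u/docs/report.docx",
                  data_owner_app="office_suite", process_creator="u", file_creator="u")
    for tid in ("t1", "t2", "t3"):
        server.learn(tid, ProcessEvent(behavior_id="seed", **benign).feature())
    t4 = TerminalDevice("t4")
    return {
        "trusted": run_exchange(server, t4, ProcessEvent(behavior_id="b-1", **benign)),
        "untrusted": run_exchange(server, t4, ProcessEvent(
            behavior_id="b-2", pid=2, app="media_player", image_path="/tmp/player",
            data_kind="file", data_path="/home/u/.browser/cookies.db",
            data_owner_app="browser", process_creator="u", file_creator="installer_svc")),
    }
```

Calling demo() returns the verdict for each constructed event; the untrusted one comes back with the traceability reply, whose "different" creator relationship (the process was started by the user but its program file was written by another principal) is the kind of detail the background management interface would show an analyst. The reporter-count threshold is the weak point of this sketch: an attacker who controls enough terminals can launder a behavior into the trusted set, so a real deployment would want to weight reporters by attestation or reputation rather than count them.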
  • the processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor, or by an instruction in the form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
  • the software module may be located in a conventional storage medium such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory or electrically erasable programmable memory, a register, or the like.
  • the storage medium is located in the memory, and the processor reads the instructions in the memory and, in combination with its hardware, performs the steps of the above method. To avoid repetition, this is not described in detail here.
  • the disclosed systems, apparatuses, and methods may be implemented in other manners.
  • the apparatus embodiments described above are merely illustrative.
  • the division into units is only a division by logical function.
  • there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in another form.
  • the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
  • the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer-readable storage medium.
  • the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a method and an apparatus for determining suspicious behavior of an application. The method comprises the following steps: when it is determined that the data accessed by a process behavior of a first application belongs to a second application that is different from the first application, a terminal device (110) determines that the process behavior is a candidate suspicious behavior, the data comprising at least one of a process, a thread, a file, a directory or a registry entry; the terminal device (110) sends behavior characteristic information of the process behavior to a data analysis server (120), so that the data analysis server (120), based on the behavior characteristic information of the process behavior, determines whether the process behavior is a suspicious behavior. The invention thus makes it possible to determine suspicious behavior consisting of illegal access to application data in the terminal device (110). Compared with the prior art, the method according to the invention does not need to rely on security software and does not require the user to take part in the determination, and it can improve the accuracy and reliability of the determination of suspicious behavior, thereby improving the overall performance of the system.
PCT/CN2017/070468 2016-04-26 2017-01-06 Method and apparatus for determining suspicious behavior of an application WO2017185827A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610266466.5A CN107315952A (zh) 2016-04-26 2016-04-26 Method and apparatus for determining suspicious behavior of an application
CN201610266466.5 2016-04-26

Publications (1)

Publication Number Publication Date
WO2017185827A1 true WO2017185827A1 (fr) 2017-11-02

Family

ID=60160690

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/070468 WO2017185827A1 (fr) 2016-04-26 2017-01-06 Method and apparatus for determining suspicious behavior of an application

Country Status (2)

Country Link
CN (1) CN107315952A (fr)
WO (1) WO2017185827A1 (fr)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110750561A (zh) * 2018-07-20 2020-02-04 深圳市诚壹科技有限公司 Method and apparatus for mining associated applications
CN109255238B (zh) * 2018-08-24 2022-01-28 成都网思科平科技有限公司 Terminal threat detection and response method and engine
CN109327433B (zh) * 2018-09-03 2022-05-17 北京智游网安科技有限公司 Threat awareness method and system based on runtime scenario analysis
CN109784052B (zh) * 2018-12-29 2021-07-20 360企业安全技术(珠海)有限公司 Management method for software behavior detection, and server, terminal and system
CN109815702B (zh) * 2018-12-29 2022-07-05 奇安信安全技术(珠海)有限公司 Security detection method, apparatus and device for software behavior
CN109784051B (zh) * 2018-12-29 2021-01-15 360企业安全技术(珠海)有限公司 Information security protection method, apparatus and device
CN115412320A (zh) * 2022-08-19 2022-11-29 奇安信网神信息技术(北京)股份有限公司 Attack behavior tracing method, apparatus and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101556608A (zh) * 2009-02-27 2009-10-14 浙大网新科技股份有限公司 File system operation interception method based on an event monitoring mechanism
CN103902892A (zh) * 2012-12-24 2014-07-02 珠海市君天电子科技有限公司 Behavior-based virus defense method and system
CN104899511A (zh) * 2015-05-21 2015-09-09 成都中科慧创科技有限公司 Active defense method based on a program behavior algorithm
CN105243324A (zh) * 2015-10-20 2016-01-13 珠海市君天电子科技有限公司 Method and apparatus for identifying malware in a user terminal, and user terminal
CN105279433A (zh) * 2014-07-10 2016-01-27 腾讯科技(深圳)有限公司 Application protection method and apparatus

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113672925A (zh) * 2021-08-26 2021-11-19 安天科技集团股份有限公司 Method, apparatus, storage medium and electronic device for blocking ransomware attacks
CN113672925B (zh) * 2021-08-26 2024-01-26 安天科技集团股份有限公司 Method, apparatus, storage medium and electronic device for blocking ransomware attacks
CN114676429A (zh) * 2022-03-18 2022-06-28 山东鼎夏智能科技有限公司 Method and apparatus for detecting unknown risks in startup items

Also Published As

Publication number Publication date
CN107315952A (zh) 2017-11-03

Similar Documents

Publication Publication Date Title
WO2017185827A1 (fr) Method and apparatus for determining suspicious behavior of an application
Milajerdi et al. HOLMES: Real-time APT detection through correlation of suspicious information flows
US11936666B1 (en) Risk analyzer for ascertaining a risk of harm to a network and generating alerts regarding the ascertained risk
US10872151B1 (en) System and method for triggering analysis of an object for malware in response to modification of that object
US10893068B1 (en) Ransomware file modification prevention technique
CA2968201C (fr) Systems and methods for detecting malicious code
US10601848B1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US8805995B1 (en) Capturing data relating to a threat
AU2014318585B2 (en) Automated runtime detection of malware
CN106687971B (zh) Automatic code locking to reduce the attack surface of software
US9336385B1 (en) System for real-time threat detection and management
US10652274B2 (en) Identifying and responding to security incidents based on preemptive forensics
US8904531B1 (en) Detecting advanced persistent threats
EP2939173B1 (fr) Real-time representation of a security-relevant system state
US10216934B2 (en) Inferential exploit attempt detection
US10191789B2 (en) Tracing system operations across remote procedure linkages to identify request originators
US11403389B2 (en) System and method of detecting unauthorized access to computing resources for cryptomining
US10812466B2 (en) Using trusted platform module to build real time indicators of attack information
US20230247043A1 (en) Techniques for detecting cybersecurity vulnerabilities in a cloud based computing environment based on forensic analysis of cloud logs
EP3531324A1 (fr) Process for identifying patterns of suspicious activity based on ancestry links
US20190327263A1 (en) Distributed client protection
US11599638B2 (en) Game engine-based computer security
US20230247040A1 (en) Techniques for cloud detection and response from cloud logs utilizing a security graph
CN116595523A (zh) Multi-engine file detection method, system, device and medium based on dynamic orchestration
US11973773B2 (en) Detecting and mitigating zero-day attacks

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (Ref country code: DE)
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 17788490; Country of ref document: EP; Kind code of ref document: A1)
122 Ep: PCT application non-entry in European phase (Ref document number: 17788490; Country of ref document: EP; Kind code of ref document: A1)