Antivirus protection system and method for computers
First Claim
1. An antivirus protection system for computers, comprising:
a Process Behavior-Evaluating Unit for identifying programs existing in a user's computer and classifying the programs as normal programs or suspect programs;
a Program-Monitoring Unit for monitoring and recording actions and/or behaviors of the programs;
a Correlation-Analyzing Unit for creating correlative trees and analyzing correlations of actions and/or behaviors of programs, the correlative trees comprising a process tree and a file tree;
a Virus-Identifying Knowledge Base, comprising a Program-Behavior Knowledge Base and a Database of Attack-Identifying Rules; and
a Virus-Identifying Unit for receiving program actions and/or behaviors captured by the Program-Monitoring Unit, comparing the captured actions and/or behaviors to information stored in the Program-Behavior Knowledge Base or the Database of Attack-Identifying Rules, in combination with information stored in the Process Behavior-Evaluating Unit, and calling the Correlation-Analyzing Unit to determine whether the program is a virus in dependence on the comparison.
Abstract
The example embodiments herein relate to an antivirus protection system and method for computers based on program behavior analysis. The antivirus protection system may comprise: a Process Behavior-Evaluating Unit for identifying the programs existing in the user's computers and classifying them into normal programs and suspect programs; a Program-Monitoring Unit for monitoring and recording the actions and/or behaviors of programs; a Correlation-Analyzing Unit for creating correlative trees and analyzing the correlations of actions and/or behaviors of programs, the correlative trees comprising a process tree and a file tree; a Virus-Identifying Knowledge Base, comprising a Program-Behavior Knowledge Base and a Database of Attack-Identifying Rules; and a Virus-Identifying Unit for comparing captured actions and/or behaviors to the information in the Virus-Identifying Knowledge Base to determine whether the program is a virus program. With the techniques of certain example embodiments, it may be possible to increase efficiency and reduce the need to upgrade virus codes after viruses become active, while also effectively blocking unknown viruses, Trojans, etc.
24 Claims
1. An antivirus protection system for computers, as set out under First Claim above (dependent claims 2 to 16).
17. An antivirus protection method for computers, the method comprising:
17.1) hooking system API function calls of a program after the program is running;
17.2) monitoring actions of the program, and recording the actions of the program in a process tree;
17.3) determining whether the action is a program creation action to create a created program;
17.4) if the program performs a program creation action, adding program creation information associated with the program creation action into the file tree, and determining whether the created program is a normal program and recording the result of the determination, or if the program does not perform a program creation action, determining whether the action is a dangerous action;
17.5) if the action is not a dangerous action, returning to step 17.2), or if the program has performed a dangerous action, determining whether the action and/or behavior is a harmful program behavior by the Virus-Identifying Unit; and
17.6) if it is determined the action and/or behavior is not a harmful program behavior, returning to step 17.2), or if the action and/or behavior is determined to be a harmful program behavior, dealing with the program by the Virus-Identifying Unit.
(Dependent claims 18 to 24.)
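The monitoring loop of claim 17 together with the process tree and file tree of claim 1, modelled in Python as an added example (not the patent's own code). The program names, the known-normal list and the set of dangerous actions are constructed stand-ins for the Process Behavior-Evaluating Unit and the Database of Attack-Identifying Rules; the point shown is that the file tree lets a dropped program be tied back to its suspect creator even when a trusted process later launches it.

```python
# Constructed stand-ins for the Process Behavior-Evaluating Unit's list of known
# normal programs (a real system would key on hashes, not names) and for the
# Database of Attack-Identifying Rules, reduced to a set of dangerous actions.
KNOWN_NORMAL = {"explorer.exe", "notepad.exe", "svchost.exe"}
DANGEROUS_ACTIONS = {"modify_autorun", "inject_process", "overwrite_system_file"}

def classify(program):
    """Process Behavior-Evaluating Unit: 'normal' or 'suspect'."""
    return "normal" if program in KNOWN_NORMAL else "suspect"

def correlate(process_tree, file_tree, program):
    """Correlation-Analyzing Unit: the program plus all parents (process tree) and creators (file tree)."""
    chain, stack = [], [program]
    while stack:
        p = stack.pop()
        if p in chain:
            continue
        chain.append(p)
        stack += [t[p] for t in (process_tree, file_tree) if p in t]
    return chain

def is_harmful(process_tree, file_tree, program):
    """Virus-Identifying Unit: a dangerous action is harmful if anything in the correlation chain is suspect."""
    return any(classify(p) == "suspect" for p in correlate(process_tree, file_tree, program))

def monitor(events):
    """Steps 17.2 to 17.6 over (program, action, target) records; returns both trees and the verdicts."""
    process_tree, file_tree, verdicts = {}, {}, []
    for program, action, target in events:
        if action == "spawn":                  # 17.2: record the action in the process tree
            process_tree[target] = program
        elif action == "create_program":       # 17.3/17.4: program creation goes into the file tree
            file_tree[target] = program
        elif action in DANGEROUS_ACTIONS:      # 17.5/17.6: dangerous action, ask the identifying unit
            verdicts.append((program, action, is_harmful(process_tree, file_tree, program)))
    return process_tree, file_tree, verdicts

# Constructed event stream: a downloader drops a file named like a system binary;
# the user later launches it from explorer.exe and it registers itself for autorun.
EVENTS = [
    ("explorer.exe", "spawn", "notepad.exe"),
    ("notepad.exe", "overwrite_system_file", "hosts"),
    ("explorer.exe", "spawn", "dl.exe"),
    ("dl.exe", "create_program", "svchost.exe"),
    ("explorer.exe", "spawn", "svchost.exe"),
    ("svchost.exe", "modify_autorun", "Run"),
]

if __name__ == "__main__":
    for verdict in monitor(EVENTS)[2]:
        print(verdict)  # the dropped svchost.exe is flagged, the real notepad.exe is not
```

Without the file tree the dropped program's chain would contain only explorer.exe and it would be judged normal, which is why claim 1 pairs the process tree with a file tree.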