AUXILIARY METHOD FOR INVESTIGATING LURKING PROGRAM INCIDENTS
First Claim
1. An auxiliary method for investigating lurking program incidents comprising the steps of:
- continuously monitoring a plurality of processes run by a computer system and generating process-invoking relationship data of each of the processes being monitored when the process is created and terminated;
- continuously monitoring a system registry database of the computer system and, when a process is registered on an autostart registry area, generating autostart-registered data of the autostart registry area;
- correlating the process-invoking relationship data to the autostart-registered data;
- extracting high-level crucial clues of a suspicious lurking program and saving the high-level crucial clues of the suspicious lurking program into a high-level crucial clue database of the suspicious program according to the results of the correlation; and
- generating a process-invoking relationship log and saving the process-invoking relationship log in a process-invoking relationship log database according to the results of the correlation.
Abstract
An auxiliary method for investigating lurking program incidents is disclosed. The method continuously monitors a plurality of processes run by a computer system and saves process-invoking relationship data of each monitored process when the process is created and terminated. Simultaneously, the system registry database of the computer system is also monitored, and autostart-registered data of the programs is saved. The process-invoking relationship data is then correlated with the autostart-registered data to generate and save a process-invoking relationship log and to extract and save high-level crucial clues of suspicious lurking programs. By the present method, only a small amount of high-level crucial clues and process-invoking relationship log is collected and few system resources are consumed, while clear evidence is provided that is helpful to the investigation of lurking program incidents. Thus the cost in time and labor of collecting and analyzing large amounts of low-level logs is saved.
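The correlation described in claim 1 and the abstract, written out as an added Python example (not code from the patent or its assignee): process create/terminate events build a process-invoking relationship log, registry writes are checked against a small constructed list of autostart Run keys, and each autostart registration is turned into one high-level clue that names the registering process, its invocation chain and whether the registered program is the writer itself or one of its ancestors. The event dictionaries, the sample event stream and the `AUTOSTART_KEYS` list are all constructed for the example; a real sensor (ETW, Sysmon, a driver) would supply the events.

```python
"""Correlate process-invoking relationships with autostart registry writes.

Constructed example: event shapes, PIDs and paths are invented for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Autostart registry areas watched by the correlator (constructed subset of the
# well-known Run keys; a real deployment would cover RunOnce, Services, etc.).
AUTOSTART_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)


@dataclass
class ProcessRecord:
    pid: int
    ppid: int
    image: str
    created: int
    terminated: Optional[int] = None   # records are kept after exit so that
                                       # ancestry can still be resolved later


@dataclass
class Investigator:
    """Holds the process-invoking relationship log and the high-level clue store."""
    procs: Dict[int, ProcessRecord] = field(default_factory=dict)
    relationship_log: List[dict] = field(default_factory=list)
    clues: List[dict] = field(default_factory=list)

    def ancestry(self, pid: int) -> List[str]:
        """Image paths from pid up to the oldest ancestor we have a record for."""
        chain, seen = [], set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)                       # guard against PID reuse loops
            rec = self.procs[pid]
            chain.append(rec.image)
            pid = rec.ppid
        return chain

    def on_create(self, ts: int, pid: int, ppid: int, image: str) -> None:
        self.procs[pid] = ProcessRecord(pid, ppid, image, ts)
        parent = self.procs.get(ppid)
        self.relationship_log.append({
            "ts": ts, "event": "create", "pid": pid, "image": image,
            "ppid": ppid, "parent_image": parent.image if parent else None,
        })

    def on_terminate(self, ts: int, pid: int) -> None:
        rec = self.procs.get(pid)
        if rec is None:
            return                              # unknown PID: nothing to relate
        rec.terminated = ts
        self.relationship_log.append(
            {"ts": ts, "event": "terminate", "pid": pid, "image": rec.image})

    def on_registry_set(self, ts: int, pid: int, key: str, name: str, data: str):
        """Only writes into an autostart area are correlated into a clue."""
        if not any(key.lower().startswith(k.lower()) for k in AUTOSTART_KEYS):
            return None
        chain = self.ancestry(pid)
        registered = data.strip('"').lower()
        clue = {
            "ts": ts, "autostart_key": key, "value_name": name,
            "registered_path": data, "writer_pid": pid,
            "writer_chain": chain,              # registering process and who invoked it
            "self_registered": any(img.lower() == registered for img in chain),
        }
        self.clues.append(clue)
        return clue


def investigate(events):
    """Replay an event stream; return (high-level clues, process-invoking relationship log)."""
    inv = Investigator()
    for ev in events:
        if ev["type"] == "create":
            inv.on_create(ev["ts"], ev["pid"], ev["ppid"], ev["image"])
        elif ev["type"] == "terminate":
            inv.on_terminate(ev["ts"], ev["pid"])
        elif ev["type"] == "registry_set":
            inv.on_registry_set(ev["ts"], ev["pid"], ev["key"], ev["name"], ev["data"])
    return inv.clues, inv.relationship_log


# Constructed sample stream: a downloaded binary drops a second binary that
# registers itself under the user's Run key, then the dropper exits.
SAMPLE_EVENTS = [
    {"type": "create", "ts": 1, "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"type": "create", "ts": 2, "pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\invoice.exe"},
    {"type": "create", "ts": 3, "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "registry_set", "ts": 4, "pid": 300,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "svc", "data": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "registry_set", "ts": 5, "pid": 100,            # ordinary write, not autostart
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
     "name": "Something", "data": "1"},
    {"type": "terminate", "ts": 6, "pid": 200},
]

if __name__ == "__main__":
    clues, log = investigate(SAMPLE_EVENTS)
    for c in clues:
        print("CLUE:", c["registered_path"], "registered by", " <- ".join(c["writer_chain"]))
    print(len(log), "relationship log entries")
```

The sample stream produces a single clue rather than a dump of every registry write and every process event: that is the point the abstract makes about collecting a small amount of high-level evidence. Terminated processes stay in the process table deliberately, so that a registration performed after the dropper has exited can still be traced back through it.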
10 Claims
Claim 1 is reproduced above under First Claim; claims 2 through 10 are dependent claims of claim 1.