METHOD AND APPARATUS FOR DETECTING THE MALICIOUS BEHAVIOR OF COMPUTER PROGRAM
First Claim
1. A method for detecting malicious behavior of a computer program, comprising:
monitoring an action executed by the computer program;
searching for a monitored process set associated with the monitored action within a library of monitored process sets, the monitored process set including information of at least one suspicious process correlated with each other in creating relationships; and
if the monitored process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the monitored process set found.
Abstract
A method and an apparatus for detecting malicious behavior of a computer program are disclosed. The method and apparatus analyze behavior characteristics of a malicious program using the concept of a monitored process set. The method comprises: monitoring an action executed by the computer program; searching for a process set associated with the monitored action within a library of monitored process sets, the process set including information of suspicious processes correlated with each other in creating relationships; and if the process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the process set found.
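The abstract describes three steps: monitor an action, look up the acting process in a library of "monitored process sets" (processes grouped because they were created by one another), and judge the action by correlating it with what the whole set has already done. The following is an added illustration of that scheme, not code from the patent or its assignee. The seed rule (a process launched from a temp directory starts a new set), the correlation rule (drop a file, execute it, register it for autostart) and the event stream are all constructed assumptions; a real deployment would take its rules and events from an endpoint sensor.

```python
"""
Added example (not from the patent): a minimal detector built around the idea
of a monitored process set, i.e. a group of processes correlated through
parent/child creation relationships. Each action is judged by correlating it
with the actions already recorded for the whole set, so a pattern split across
several processes is still recognised. All rules and events are constructed.
"""
from dataclasses import dataclass, field

# Constructed seed rule (assumption): a process whose image lives in a temp
# directory is treated as suspicious and starts a new monitored process set.
SUSPICIOUS_IMAGE_PREFIXES = ("/tmp/", "C:\\Users\\Public\\")

# Constructed correlation rule (assumption): a set whose members together drop
# a file, execute it and register it for autostart is judged malicious. No
# single member has to perform all three actions.
MALICIOUS_PATTERN = frozenset({"write_file", "create_process", "set_autorun"})


@dataclass
class MonitoredProcessSet:
    set_id: int
    members: set = field(default_factory=set)    # pids linked by creation
    actions: list = field(default_factory=list)  # (pid, action, target)


class Detector:
    def __init__(self):
        self.library = {}      # set_id -> MonitoredProcessSet
        self.pid_to_set = {}   # pid -> set_id; the index used for searching
        self.next_id = 1

    def _new_set(self):
        set_id = self.next_id
        self.next_id += 1
        self.library[set_id] = MonitoredProcessSet(set_id)
        return set_id

    def on_process_create(self, parent_pid, child_pid, image):
        """Record a creation relationship. A child of a monitored process
        joins its parent's set; a suspicious image with an unmonitored parent
        starts a new set. Returns (verdict, set_id)."""
        set_id = self.pid_to_set.get(parent_pid)
        verdict = "unmonitored"
        if set_id is not None:
            # The creation itself is an action of the (monitored) parent.
            verdict, _ = self.on_action(parent_pid, "create_process", image)
        elif image.startswith(SUSPICIOUS_IMAGE_PREFIXES):
            set_id = self._new_set()
        if set_id is not None:
            self.library[set_id].members.add(child_pid)
            self.pid_to_set[child_pid] = set_id
        return verdict, set_id

    def on_action(self, pid, action, target):
        """Search the library for the set containing pid; if found, judge the
        action by correlation with the whole set's history.
        Returns (verdict, set_id) with verdict in
        {'unmonitored', 'suspicious', 'malicious'}."""
        set_id = self.pid_to_set.get(pid)
        if set_id is None:
            return "unmonitored", None
        pset = self.library[set_id]
        pset.actions.append((pid, action, target))
        seen = {a for _, a, _ in pset.actions}   # actions of every member
        if MALICIOUS_PATTERN <= seen:
            return "malicious", set_id
        return "suspicious", set_id


def run_events(detector, events):
    """Feed a constructed event stream through the detector, returning one
    (verdict, set_id) pair per event."""
    out = []
    for ev in events:
        if ev[0] == "create":
            _, parent, child, image = ev
            out.append(detector.on_process_create(parent, child, image))
        else:
            _, pid, action, target = ev
            out.append(detector.on_action(pid, action, target))
    return out


# Constructed event stream: pid 200 drops and runs a payload; the child
# (pid 300) registers autostart. pid 999 is an unrelated process.
EVENTS = [
    ("create", 100, 200, "/tmp/dropper"),
    ("action", 200, "write_file", "/tmp/payload.exe"),
    ("create", 200, 300, "/tmp/payload.exe"),
    ("action", 300, "set_autorun", "HKCU\\Software\\...\\Run"),
    ("action", 999, "set_autorun", "HKCU\\Software\\...\\Run"),
]

if __name__ == "__main__":
    det = Detector()
    for ev, (verdict, sid) in zip(EVENTS, run_events(det, EVENTS)):
        print(f"{ev!r:60} -> {verdict} (set {sid})")
```

The point the example makes is the one in the abstract: pid 300 performs only a single autostart registration, which on its own is indistinguishable from the same action by pid 999, yet it is judged malicious because its set also recorded the file drop and execution by its parent.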
21 Claims
1. A method for detecting malicious behavior of a computer program, comprising:
monitoring an action executed by the computer program;
searching for a monitored process set associated with the monitored action within a library of monitored process sets, the monitored process set including information of at least one suspicious process correlated with each other in creating relationships; and
if the monitored process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the monitored process set found.
Dependent claims: 2 to 15 (not reproduced here).
16. An apparatus for detecting malicious behavior of a computer program, comprising:
a monitoring module configured to monitor an action executed by the computer program;
a searching module configured to search for a monitored process set associated with the monitored action within a library of monitored process sets, the monitored process set including at least information of at least one suspicious process correlated with each other in creating relationships; and
a judging module configured to, if the monitored process set associated with the monitored action is found, judge whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the monitored process set found.
Dependent claims: 17 to 21 (not reproduced here).