METHOD AND APPARATUS FOR DETECTING THE MALICIOUS BEHAVIOR OF COMPUTER PROGRAM

US 20100293615A1
Filed: 10/15/2008
Published: 11/18/2010
Est. Priority Date: 10/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious behavior of a computer program, comprising:

monitoring an action executed by the computer program;

searching for a monitored process set associated with the monitored action within a library of monitored process sets, the monitored process set including information of at least one suspicious process correlated with each other in creating relationships; and

if the monitored process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the monitored process set found.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an apparatus for detecting malicious behavior of a computer program are disclosed. The method and apparatus analyze behavior characteristics of a malicious program using the concept of a monitored process set. The method comprises: monitoring an action executed by the computer program; searching for a process set associated with the monitored action within a library of monitored process sets, the process set including information of suspicious processes correlated with each other in creating relationships; and if the process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the process set found.

Citations

21 Claims

1. A method for detecting malicious behavior of a computer program, comprising:
- monitoring an action executed by the computer program;
  
  searching for a monitored process set associated with the monitored action within a library of monitored process sets, the monitored process set including information of at least one suspicious process correlated with each other in creating relationships; and
  
  if the monitored process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the monitored process set found.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method according to claim 1, whereinthe monitored process set includes process identifiers of the at least one suspicious process, program files corresponding to the at least one suspicious process, actions performed by the at least one suspicious process, and historical records of data generated by the actions.
  - 3. The method according to claim 1, whereinwhen a process is created, if a parent process of the newly-created process is a suspicious process in a monitored process set, then the newly-created process is determined as a suspicious process and is added to the monitored process set containing the parent process.
  - 4. The method according to claim 1, whereinwhen a process is created, if a parent process of the newly-created process is not a suspicious process, then a monitored process set corresponding to the newly-created process is established only if the newly-created process is determined as a suspicious process after process filtering.
  - 5. The method according to claim 4, wherein the process filtering comprises:
    - judging whether or not a program file corresponding to the newly-created process is a known secure program file, a system file or a default secure program file; and
      
      if not, determining that the newly-created process is a suspicious process.
  - 6. The method according to claim 2, wherein the monitored process set found, which is associated with the monitored action, includes information of a process initiating the monitored action.
  - 7. The method according to 6, wherein the judging step comprises:
    - comparing information of an object of the monitored action with the historical records in the monitored process set found; and
      
      judging whether the monitored action belongs to malicious behavior based on the comparing result.
  - 8. The method according to claim 7, whereinthe object of the monitored action is a file operated by the monitored action, and the comparing step comprises comparing the file operated by the monitored action with full path information of historical files in the historical records.
  - 9. The method according to claim 7, whereinthe object of the monitored action is a file operated by the monitored action, and the comparing step comprises comparing the file operated by the monitored action with file contents of historical files in the historical records.
  - 10. The method according to claim 9, wherein the files being compared are all executable files, and the step of comparing the file operated by the monitored action with file contents of historical files in the historical records further comprises:
    - comparing the file operated by the monitored action with contents of code areas of the historical files in the historical records.
  - 11. The method according to claim 10, wherein the step of comparing the file operated by the monitored action with contents of code areas of the historical files in the historical records comprises:
    - analyzing structures of two executable files being compared, to obtain program entry points of the executable files;
      
      analyzing section tables of the executable files, to find sections where the program entry points of the executable files are located, respectively;
      
      comparing sizes of the found sections of the two executable files;
      
      obtaining contents of the sections where the program entry points of the two executable files are located, to perform binary comparison, andif the contents of the sections are identical, then determining that the two executable files have the same code area.
  - 12. The method according to claim 6, wherein the judging step further comprises:
    - judging whether the monitored action belongs to a system call which possibly results in malicious behavior.
  - 13. The method according to claim 2, wherein the monitored process set found, which is associated with the monitored action, includes information of an object of the monitored action.
  - 14. The method according to claim 7, whereinthe object of the monitored action is a file operated by the monitored action, and the searching step comprises searching for information of the file operated by the monitored action within the historical records of all the monitored process sets.
  - 15. The method according to claim 2, whereinthe step of monitoring an action executed by the computer program further comprises an action of an antivirus engine having detected a virus, and the searching step comprises searching, within the historical records, for a monitored process set containing information of a virus file where the virus is detected, based on the information of the virus file where the virus is detected.

16. An apparatus for detecting malicious behavior of a computer program, comprising:
- a monitoring module configured to monitor an action executed by the computer program;
  
  a searching module configured to search for a monitored process set associated with the monitored action within a library of monitored process sets, the monitored process set including at least information of at least one suspicious process correlated with each other in creating relationships; and
  
  a judging module configured to, if the monitored process set associated with the monitored action is found, judge whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the monitored process set found.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The apparatus according to claim 16, whereinthe monitored process set includes process identifiers of the at least one suspicious process, program files corresponding to the at least one suspicious process, actions performed by the at least one suspicious process, and historical records of data generated by the actions.
  - 18. The apparatus according to claim 16, further comprising:
    - a process filtering module configured to, if a parent process of a newly-created process is a suspicious process in a monitored process set, then determine the newly-created process as a suspicious process and allow the monitored process set to be created for it, and if the parent process of the newly-created process is not a suspicious process and a program file corresponding to the newly-created process is a secure file, then filter out the newly-created process and not allow a monitored process set to be created for it.
  - 19. The apparatus according to claim 17, whereinthe action monitored by the monitoring module further comprises an action of an antivirus engine having detected a virus, and the searching module searches, within the historical records, for a monitored process set containing information of a virus file where the virus is detected, based on the information of the virus file where the virus is detected.
  - 20. The apparatus according to claim 16, wherein the monitored process set found by the searching module, which is associated with the monitored action, includes information of a process initiating the monitored action.
  - 21. The apparatus according to claim 16, wherein the monitored process set found by the searching module, which is associated with the monitored action, includes information of an object of the monitored action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Rising Network Security Technology Company Limited
Original Assignee
Beijing Rising International Software Company Limited
Inventors
Ye, Chao

Granted Patent

US 8,898,775 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

METHOD AND APPARATUS FOR DETECTING THE MALICIOUS BEHAVIOR OF COMPUTER PROGRAM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR DETECTING THE MALICIOUS BEHAVIOR OF COMPUTER PROGRAM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links