System, Method, Program, and Recording Medium for Detecting and Blocking Unwanted Programs in Real Time Based on Process Behavior Analysis and Recording Medium for Storing Program
Abstract
A system, method and program for detecting and blocking unwanted programs in real time based on process behavior analysis and a recording medium for storing the program. In particular, the invention relates to a system, method and program for detecting and blocking unwanted programs in real time based on process behavior analysis and a recording medium for storing the program, in which a security server defines lists of unwanted abnormal actions of a process in advance, detects the number of abnormal actions that have occurred, collects the abnormal actions, and detects and blocks an unwanted process by matching a program executed on a user terminal with the lists of abnormal actions.
63 Citations
12 Claims
1. A method of detecting and blocking unwanted programs in real time based on process behavior analysis, comprising:
- a security server defining a list of unwanted program scenarios in advance; and
- matching a program, executed on a user terminal based on an agent program, with the unwanted program scenarios, thus detecting and blocking an unwanted process.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 11, 12
9. A system for detecting and blocking unwanted programs in real time based on process behavior analysis, the system comprising a plurality of user terminals and a security server individually connected to the user terminals over a network, wherein:
- each of the user terminals comprises
  - an action monitoring module for monitoring actions of a process,
  - a process tracking and Process Identification (PID) detection module for tracking actions of a process, abnormal actions of which have been detected, and detecting Process Identification (PID) of the process,
  - a scenario blocking module for combining lists of actions taken by a relevant process for a given time period and blocking the relevant process when the actions match those of a composite scenario,
  - a checksum blocking module for blocking a relevant process when a checksum of an execution program thereof matches a previously obtained checksum,
  - a hooking detection and restoration module for, when an unwanted program is operating by injecting code into another process so as to conceal itself, detecting the unwanted program and restoring an original program, and
  - an exceptional process database (DB) for examining a relevant process for an exception to action-based monitoring and then processing the relevant process as the exception to action-based monitoring; and
- the security server comprises
  - an analysis module for analyzing statistical information received from the user terminals,
  - a security measure module for collecting information about abnormal actions occurring in the user terminals and blocking of unwanted programs in the user terminals, thus taking security measures, and
  - an overall DB for storing information about blocking conditions, occurrence of abnormal actions on each of the user terminals, and unwanted programs.
Dependent claims: 10
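One way the agent-side scenario blocking, checksum blocking and exception handling of claim 9 could fit together, as an added Python example that is not code from the patent. It assumes a scenario is a set of abnormal actions that must all occur within a time window, SHA-256 as the checksum, and an exception DB keyed by image name; the action labels, scenario, image names and events are constructed.

```python
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    actions: frozenset  # abnormal actions that must all be seen
    window: float       # seconds in which they must co-occur

# Constructed server-side definitions; all names and values are hypothetical.
ACTS = ["modify_autorun", "inject_code", "stop_security_service"]
SCENARIOS = [Scenario("persist-and-hide", frozenset(ACTS), 30.0)]
BLOCKED_SHA256 = {hashlib.sha256(b"constructed-bad-image").hexdigest()}
EXCEPTIONS = {"backup_agent.exe"}  # stand-in for the exceptional process DB

class Agent:
    def __init__(self, scenarios, blocked, exceptions):
        self.scenarios, self.blocked, self.exceptions = scenarios, blocked, exceptions
        # history: pid -> (timestamp, action) pairs; verdicts: pid -> block reason
        self.history, self.verdicts = defaultdict(deque), {}

    def on_start(self, pid, image_bytes):  # checksum blocking
        if hashlib.sha256(image_bytes).hexdigest() in self.blocked:
            self.verdicts[pid] = "checksum"

    def on_action(self, ts, pid, image, action):  # scenario blocking
        # The exception DB exempts a process from action-based monitoring only.
        if image in self.exceptions or pid in self.verdicts:
            return
        hist = self.history[pid]
        hist.append((ts, action))
        longest = max((s.window for s in self.scenarios), default=0.0)
        while hist and ts - hist[0][0] > longest:  # drop actions too old to matter
            hist.popleft()
        for sc in self.scenarios:
            if sc.actions <= {a for t, a in hist if ts - t <= sc.window}:
                self.verdicts.setdefault(pid, "scenario:" + sc.name)

def replay():
    agent = Agent(SCENARIOS, BLOCKED_SHA256, EXCEPTIONS)
    agent.on_start(10, b"constructed-bad-image")       # hash is on the blocklist
    timeline = {20: ("updater.exe", [0, 5, 12]),       # all inside 30 s: blocked
                30: ("slow.exe", [0, 40, 50]),         # first action ages out: no match
                40: ("backup_agent.exe", [1, 2, 3])}   # excepted: never evaluated
    events = [(float(t), pid, img, a) for pid, (img, ts) in timeline.items()
              for t, a in zip(ts, ACTS)]
    for ev in sorted(events):
        agent.on_action(*ev)
    return agent.verdicts
```

An exception list keyed only by image name can be satisfied by renaming a binary, so a deployment would bind exceptions to something harder to forge, such as the image hash or a verified signer.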
Specification