Method and apparatus for detecting the malicious behavior of computer program

US 8,898,775 B2
Filed: 10/15/2008
Issued: 11/25/2014
Est. Priority Date: 10/15/2007
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer device for detecting malicious behavior of a computer program, comprising:

monitoring an action executed by the computer program running on the computer device;

searching for a monitored process set associated with the monitored action within a library of monitored process sets, wherein the monitored process set includes information of at least two suspicious processes correlated with each other in creating relationships and logically embodies a common behavior of the two or more suspicious correlated processes contained therein, wherein the monitored process set includes process identifiers of the at least two suspicious processes, program files corresponding to the at least two suspicious processes, actions performed by the at least two suspicious processes, and historical records of data generated by the actions; and

if the monitored process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the monitored process set found, wherein the monitored process set found, which is associated with the monitored action, includes information of a process initiating the monitored action, wherein the judging step comprises;

comparing information of an object of the monitored action with the historical records in the monitored process set found, wherein the object of the monitored action is a file operated by the monitored action, wherein comparing includes comparing the file operated by the monitored action with file contents of historical files in the historical records, wherein the files being compared are all executable files, wherein comparing the file operated by the monitored action with file contents of historical files in the historical records further comprises comparing the file operated by the monitored action with contents of code areas of the historical files in the historical records, wherein comparing the file operated by the monitored action with contents of code areas of the historical files in the historical records comprises analyzing structures of two executable files being compared, to obtain program entry points of the executable files, analyzing section tables of the executable files, to find sections where the program entry points of the executable files are located, respectively, comparing sizes of the found sections of the two executable files, obtaining contents of the sections where the program entry points of the two executable files are located, to perform binary comparison, and if the contents of the sections are identical, then determining that the two executable files have the same code area; and

judging whether the monitored action belongs to malicious behavior based on the comparing result.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an apparatus for detecting malicious behavior of a computer program are disclosed. The method and apparatus analyze behavior characteristics of a malicious program using the concept of a monitored process set. The method comprises: monitoring an action executed by the computer program; searching for a process set associated with the monitored action within a library of monitored process sets, the process set including information of suspicious processes correlated with each other in creating relationships; and if the process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the process set found.

17 Citations

View as Search Results

13 Claims

1. A method performed by a computer device for detecting malicious behavior of a computer program, comprising:
- monitoring an action executed by the computer program running on the computer device;
  
  searching for a monitored process set associated with the monitored action within a library of monitored process sets, wherein the monitored process set includes information of at least two suspicious processes correlated with each other in creating relationships and logically embodies a common behavior of the two or more suspicious correlated processes contained therein, wherein the monitored process set includes process identifiers of the at least two suspicious processes, program files corresponding to the at least two suspicious processes, actions performed by the at least two suspicious processes, and historical records of data generated by the actions; and
  
  if the monitored process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the monitored process set found, wherein the monitored process set found, which is associated with the monitored action, includes information of a process initiating the monitored action, wherein the judging step comprises;
  
  comparing information of an object of the monitored action with the historical records in the monitored process set found, wherein the object of the monitored action is a file operated by the monitored action, wherein comparing includes comparing the file operated by the monitored action with file contents of historical files in the historical records, wherein the files being compared are all executable files, wherein comparing the file operated by the monitored action with file contents of historical files in the historical records further comprises comparing the file operated by the monitored action with contents of code areas of the historical files in the historical records, wherein comparing the file operated by the monitored action with contents of code areas of the historical files in the historical records comprises analyzing structures of two executable files being compared, to obtain program entry points of the executable files, analyzing section tables of the executable files, to find sections where the program entry points of the executable files are located, respectively, comparing sizes of the found sections of the two executable files, obtaining contents of the sections where the program entry points of the two executable files are located, to perform binary comparison, and if the contents of the sections are identical, then determining that the two executable files have the same code area; and
  
  judging whether the monitored action belongs to malicious behavior based on the comparing result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein when a process is created, if a parent process of the newly-created process is a suspicious process in a monitored process set, then the newly-created process is determined as a suspicious process and is added to the monitored process set containing the parent process.
  - 3. The method according to claim 1, wherein when a process is created, if a parent process of the newly-created process is not a suspicious process, then a monitored process set corresponding to the newly-created process is established only if the newly-created process is determined as a suspicious process after process filtering.
  - 4. The method according to claim 3, wherein the process filtering comprises:
    - judging whether or not a program file corresponding to the newly-created process is a known secure program file, a system file or a default secure program file; and
      
      if not, determining that the newly-created process is a suspicious process.
  - 5. The method according to claim 1, wherein the object of the monitored action is a file operated by the monitored action, and the comparing step comprises comparing the file operated by the monitored action with full path information of historical files in the historical records.
  - 6. The method according to claim 1, wherein the judging step further comprises:
    - judging whether the monitored action belongs to a system call which possibly results in malicious behavior.
  - 7. The method according to claim 1, wherein the monitored process set found, which is associated with the monitored action, further includes information of an object of the monitored action.
  - 8. The method according to claim 1, wherein the object of the monitored action is a file operated by the monitored action, and the searching step comprises searching for information of the file operated by the monitored action within the historical records of all the monitored process sets.
  - 9. The method according to claim 1, wherein the step of monitoring an action executed by the computer program further comprises an action of an antivirus engine having detected a virus, and the searching step comprises searching, within the historical records, for a monitored process set containing information of a virus file where the virus is detected, based on the information of the virus file where the virus is detected.

10. An apparatus for detecting malicious behavior of a computer program, comprising a computer device configured to:
- monitor an action executed by the computer program running on the computer device;
  
  search for a monitored process set associated with the monitored action within a library of monitored process sets, wherein the monitored process set includes information of at least two suspicious processes correlated with each other in creating relationships and logically embodies a common behavior of two or more suspicious correlated processes contained therein, wherein the monitored process set includes process identifiers of the at least two suspicious processes, program files corresponding to the at least two suspicious processes, actions performed by the at least two suspicious processes, and historical records of data generated by the actions; and
  
  if the monitored process set associated with the monitored action is found, judge whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the monitored process set found, wherein the monitored process set found, which is associated with the monitored action, includes information of a process initiating the monitored action, wherein the judging step comprises;
  
  comparing information of an object of the monitored action with the historical records in the monitored process set found, wherein the object of the monitored action is a file operated by the monitored action, wherein comparing includes comparing the file operated by the monitored action with file contents of historical files in the historical records, wherein the files being compared are all executable files, wherein comparing the file operated by the monitored action with file contents of historical files in the historical records further comprises comparing the file operated by the monitored action with contents of code areas of the historical files in the historical records, wherein comparing the file operated by the monitored action with contents of code areas of the historical files in the historical records comprises analyzing structures of two executable files being compared, to obtain program entry points of the executable files, analyzing section tables of the executable files, to find sections where the program entry points of the executable files are located, respectively, comparing sizes of the found sections of the two executable files, obtaining contents of the sections where the program entry points of the two executable files are located, to perform binary comparison, and if the contents of the sections are identical, then determining that the two executable files have the same code area; and
  
  judging whether the monitored action belongs to malicious behavior based on the comparing result.
- View Dependent Claims (11, 12, 13)
- - 11. The apparatus according to claim 10, wherein the computer device is further configured to:
    - if a parent process of a newly-created process is a suspicious process in a monitored process set, then determine the newly-created process as a suspicious process and allow the monitored process set to be created for it, and if the parent process of the newly-created process is not a suspicious process and a program file corresponding to the newly-created process is a secure file, then filter out the newly-created process and not allow a monitored process set to be created for it.
  - 12. The apparatus according to claim 10, wherein the action monitored further comprises an action of an antivirus engine having detected a virus, and the computer device is configured to search within the historical records, for a monitored process set containing information of a virus file where the virus is detected, based on the information of the virus file where the virus is detected.
  - 13. The apparatus according to claim 10, wherein the monitored process set found, which is associated with the monitored action, includes information of an object of the monitored action.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Rising Network Security Technology Company Limited
Original Assignee
Bejing Rising Information Technology Company Limited
Inventors
Ye, Chao
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US12/738,031
Publication Number

US 20100293615A1
Time in Patent Office

2,232 Days
Field of Search

713/201, 726 22- 25
US Class Current

726/22
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

Method and apparatus for detecting the malicious behavior of computer program

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting the malicious behavior of computer program

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links