Method, apparatus and system for detecting malicious process behavior

US 9,842,208 B2
Filed: 12/29/2014
Issued: 12/12/2017
Est. Priority Date: 04/28/2014
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a malicious process behavior, comprising:

monitoring one or more process behaviors of a process by a detection apparatus to obtain behavior information about a target process behavior selected from the one or more process behaviors;

sending the behavior information about the target process behavior to a server from the detection apparatus;

carrying out, by the server, clustering analysis of behavior information about a plurality of malicious process behaviors that have been determined by clustering the behavior information about the plurality of malicious process behaviors into a cluster according to the behavior information about the target process behavior including;

a first object identifier that the target process behavior is exerted on;

data information generated by the target process behavior; and

an identifier of the target process behavior,to obtain a second object identifier for initiating one or more malicious process behaviors of the plurality of malicious process behaviors in the cluster, the second object identifier being different from the first object identifier;

determining whether the target process behavior is the malicious process behavior based upon the second object identifier;

receiving first operation indication information returned by the server according to a detection result of the target process behavior; and

performing an operation on the target process behavior according to the first operation indication information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and system for detecting a malicious process behavior. A detection apparatus monitors a process to obtain behavior information about a target process behavior, and then sends the behavior information to a server, which determines whether the target process behavior is a malicious process behavior. The detection apparatus can receive first operation indication information returned by the server according to a detection result of the target process behavior, and perform an operation on the target process behavior according to the first operation indication information. The target process behavior is subjected to a comprehensive detection by the server according to the behavior information, rather than depending on a specified feature analysis of a single sample of the target process behavior by the detection apparatus, so that malicious process behavior can be detected in time, thereby improving the security performance of the system.

40 Citations

20 Claims

1. A method for detecting a malicious process behavior, comprising:
- monitoring one or more process behaviors of a process by a detection apparatus to obtain behavior information about a target process behavior selected from the one or more process behaviors;
  
  sending the behavior information about the target process behavior to a server from the detection apparatus;
  
  carrying out, by the server, clustering analysis of behavior information about a plurality of malicious process behaviors that have been determined by clustering the behavior information about the plurality of malicious process behaviors into a cluster according to the behavior information about the target process behavior including;
  
  a first object identifier that the target process behavior is exerted on;
  
  data information generated by the target process behavior; and
  
  an identifier of the target process behavior,to obtain a second object identifier for initiating one or more malicious process behaviors of the plurality of malicious process behaviors in the cluster, the second object identifier being different from the first object identifier;
  
  determining whether the target process behavior is the malicious process behavior based upon the second object identifier;
  
  receiving first operation indication information returned by the server according to a detection result of the target process behavior; and
  
  performing an operation on the target process behavior according to the first operation indication information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein said sending the behavior information to the server comprises:
    - sending the behavior information to the server; and
      
      detecting the target process behavior by the server according to the behavior information about the target process behavior so as to determine whether the target process behavior is the malicious process behavior.
  - 3. The method of claim 2, wherein said detecting the target process behavior includes detecting the target process behavior according to the behavior information about the target process behavior and behavior information about other target process behaviors sent from other detection apparatuses so as to determine whether the target process behavior is the malicious process behavior.
  - 4. The method of claim 3, further comprising:
    - carrying out clustering analysis of the behavior information about the target process behavior and the behavior information about the other target process behaviors sent from the other detection apparatuses, so as to obtain a clustering result; and
      
      analyzing the clustering result to determine whether the target process behavior is the malicious process behavior.
  - 5. The method of claim 1, wherein said monitoring includes monitoring the process behaviors of the process according to preconfigured identification information about suspicious target process behaviors to obtain the behavior information about the target process behavior.
  - 6. The method of claim 1, wherein the behavior information includesoriginator information about the target process behavior,target object information about the target process behavior,additional information about the target process behavior,identification information about the target process behavior,or a combination thereof.
  - 7. The method of claim 1, further comprising:
    - receiving second operation indication information returned by the server according to detection results of other process behaviors relevant to the target process behavior, the detection results of the other process behaviors being obtained by the server detecting the other process behaviors so as to determine whether the other process behaviors relevant to the target process behavior are malicious process behaviors; and
      
      performing an operation on behavior results corresponding to the other process behaviors according to the second operation indication information.
  - 8. The method of claim 7, wherein said receiving the second operation indication information and said performing the operation on the behavior results occur after said sending the behavior information to the server.

9. An apparatus for detecting a malicious process behavior, comprising:
- one or more hardware processors configured to;
  
  monitor one or more process behaviors of a process to obtain behavior information about a target process behavior selected from the one or more process behaviors;
  
  send the behavior information about the target process behavior to a server, so that the server carries out clustering analysis of behavior information about a plurality of malicious process behaviors that have been determined by clustering the behavior information about the plurality of malicious process behaviors into a cluster according to the behavior information about the target process behavior including;
  
  a first object identifier that the target process behavior is exerted on;
  
  data information generated by the target process behavior; and
  
  an identifier of the target process behavior,to obtain a second object identifier for initiating one or more malicious process behaviors of the plurality of malicious process behaviors in the cluster, the second object identifier being different from the first object identifier;
  
  determine whether the target process behavior is the malicious process behavior based upon the second object identifier; and
  
  receive first operation indication information returned by the server according to the detection result of the target process behavior; and
  
  perform an operation on the target process behavior according to the first operation indication information.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The apparatus of claim 9, wherein said one or more hardware processors are configured to send the behavior information to the server for detecting the target process behavior according to the behavior information about the target process behavior so as to determine whether the target process behavior is the malicious process behavior.
  - 11. The apparatus of claim 9, wherein said one or more hardware processors are configured to monitor the process behaviors of the process according to preconfigured identification information about suspicious target process behaviors to obtain the behavior information about the target process behavior.
  - 12. The apparatus of claim 9, wherein the behavior information about the target process behavior obtained by said one or more hardware processors comprisesoriginator information about the target process behavior,target object information about the target process behavior,additional information about the target process behavior,identification information about the target process behavior,or a combination thereof.
  - 13. The apparatus of claim 9, wherein said one or more hardware processors are configured to receive second operation indication information returned by the server according to detection results of other process behaviors relevant to the target process behavior, the detection results of the other process behaviors being obtained by the server detecting the other process behaviors so as to determine whether the other process behaviors relevant to the target process behavior are malicious process behaviours.
  - 14. The apparatus of claim 13, wherein said one or more hardware processors are configured to perform an operation on behavior results corresponding to the other process behaviors according to the second operation indication information.
  - 15. A system for detecting a malicious process behavior, comprising a server and the apparatus of claim 9, wherein the server is used for detecting the target process behavior according to the behavior information about the target process behavior to determine whether the target process behavior is the malicious process behavior.
  - 16. The system of claim 15, wherein said server is configured for detecting the target process behavior according to the behavior information about the target process behavior and behavior information about other target process behaviors sent from other detection apparatuses, so as to determine whether the target process behavior is the malicious process behavior.
  - 17. The system of claim 16, wherein said server is configured for:
    - carrying out clustering analysis of the behavior information about the target process behavior and the behavior information about the other target process behaviors sent from the other detection apparatuses, so as to obtain a clustering result; and
      
      analyzing the clustering result to determine whether the target process behavior is the malicious process behavior.

18. A non-transitory computer storage medium including at least one program for detecting a malicious process behavior when implemented by a processor, comprising:
- instruction for monitoring one or more process behaviors of a process to obtain behavior information about a target process behavior selected from the one or more process behaviors;
  
  instruction for sending the behavior information about the target process behavior to a server;
  
  instruction for the server to carrying out clustering analysis of behavior information about a plurality of malicious process behaviors that have been determined by clustering the behavior information about the plurality of malicious process behaviors into a cluster according to the behavior information about the target process behavior including;
  
  a first object identifier that the target process behavior is exerted on;
  
  data information generated by the target process behavior; and
  
  an identifier of the target process behavior,to obtain a second object identifier for initiating one or more malicious process behaviors of the plurality of malicious process behaviors in the cluster, the second object identifier being different from the first object identifier;
  
  instruction for determining whether the target process behavior is the malicious process behavior based upon the second object identifier;
  
  instruction for receiving first operation indication information returned by the server according to a detection result of the target process behavior; and
  
  instruction for performing an operation on the target process behavior according to the first operation indication information.
- View Dependent Claims (19, 20)
- - 19. The computer storage medium of claim 18, wherein said instruction for sending the behavior information to the server comprises:
    - instruction for sending the behavior information to the server; and
      
      instruction for detecting the target process behavior by the server according to the behavior information about the target process behavior so as to determine whether the target process behavior is the malicious process behavior.
  - 20. The computer storage medium of claim 18, wherein said instruction for detecting the target process behavior comprises:
    - instruction for carrying out clustering analysis of the behavior information about the target process behavior and behavior information about other target process behaviors sent from other detection apparatuses, so as to obtain a clustering result; and
      
      instruction for analyzing the clustering result to determine whether the target process behavior is the malicious process behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Baidu Online Network Technology (Beijing) Co., Ltd (Baidu Incorporated)
Original Assignee
Baidu Online Network Technology (Beijing) Co., Ltd (Baidu Incorporated)
Inventors
Mei, Yinming, Xie, Yizhi, Yue, Huaming, Hu, Hanzhong, Bi, Tingli
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Khan, Sher A

Application Number

US14/585,080
Publication Number

US 20150310211A1
Time in Patent Office

1,079 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 2221/034   Test or assess a computer o...

G06N 5/048   Fuzzy inferencing

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04W 12/68   Gesture-dependent or behavi...

Method, apparatus and system for detecting malicious process behavior

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus and system for detecting malicious process behavior

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links