Method, apparatus and system for detecting malicious process behavior
First Claim
1. A method for detecting a malicious process behavior, comprising:
- monitoring one or more process behaviors of a process by a detection apparatus to obtain behavior information about a target process behavior selected from the one or more process behaviors;
- sending the behavior information about the target process behavior to a server from the detection apparatus;
- carrying out, by the server, clustering analysis of behavior information about a plurality of malicious process behaviors that have been determined by clustering the behavior information about the plurality of malicious process behaviors into a cluster according to the behavior information about the target process behavior, including:
  - a first object identifier that the target process behavior is exerted on;
  - data information generated by the target process behavior; and
  - an identifier of the target process behavior,
  to obtain a second object identifier for initiating one or more malicious process behaviors of the plurality of malicious process behaviors in the cluster, the second object identifier being different from the first object identifier;
- determining whether the target process behavior is the malicious process behavior based upon the second object identifier;
- receiving first operation indication information returned by the server according to a detection result of the target process behavior; and
- performing an operation on the target process behavior according to the first operation indication information.
1 Assignment
0 Petitions
Abstract
A method, apparatus and system for detecting a malicious process behavior. A detection apparatus monitors a process to obtain behavior information about a target process behavior, and then sends the behavior information to a server, which determines whether the target process behavior is a malicious process behavior. The detection apparatus can receive first operation indication information returned by the server according to a detection result of the target process behavior, and perform an operation on the target process behavior according to the first operation indication information. The target process behavior is subjected to a comprehensive detection by the server according to the behavior information, rather than depending on a specified feature analysis of a single sample of the target process behavior by the detection apparatus, so that malicious process behavior can be detected in time, thereby improving the security performance of the system.
40 Citations
20 Claims
1. A method for detecting a malicious process behavior, comprising:
- monitoring one or more process behaviors of a process by a detection apparatus to obtain behavior information about a target process behavior selected from the one or more process behaviors;
- sending the behavior information about the target process behavior to a server from the detection apparatus;
- carrying out, by the server, clustering analysis of behavior information about a plurality of malicious process behaviors that have been determined by clustering the behavior information about the plurality of malicious process behaviors into a cluster according to the behavior information about the target process behavior, including:
  - a first object identifier that the target process behavior is exerted on;
  - data information generated by the target process behavior; and
  - an identifier of the target process behavior,
  to obtain a second object identifier for initiating one or more malicious process behaviors of the plurality of malicious process behaviors in the cluster, the second object identifier being different from the first object identifier;
- determining whether the target process behavior is the malicious process behavior based upon the second object identifier;
- receiving first operation indication information returned by the server according to a detection result of the target process behavior; and
- performing an operation on the target process behavior according to the first operation indication information.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8)

9. An apparatus for detecting a malicious process behavior, comprising one or more hardware processors configured to:
- monitor one or more process behaviors of a process to obtain behavior information about a target process behavior selected from the one or more process behaviors;
- send the behavior information about the target process behavior to a server, so that the server carries out clustering analysis of behavior information about a plurality of malicious process behaviors that have been determined by clustering the behavior information about the plurality of malicious process behaviors into a cluster according to the behavior information about the target process behavior, including:
  - a first object identifier that the target process behavior is exerted on;
  - data information generated by the target process behavior; and
  - an identifier of the target process behavior,
  to obtain a second object identifier for initiating one or more malicious process behaviors of the plurality of malicious process behaviors in the cluster, the second object identifier being different from the first object identifier;
- determine whether the target process behavior is the malicious process behavior based upon the second object identifier;
- receive first operation indication information returned by the server according to the detection result of the target process behavior; and
- perform an operation on the target process behavior according to the first operation indication information.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17)

18. A non-transitory computer storage medium including at least one program for detecting a malicious process behavior when implemented by a processor, comprising:
- instruction for monitoring one or more process behaviors of a process to obtain behavior information about a target process behavior selected from the one or more process behaviors;
- instruction for sending the behavior information about the target process behavior to a server;
- instruction for the server to carry out clustering analysis of behavior information about a plurality of malicious process behaviors that have been determined by clustering the behavior information about the plurality of malicious process behaviors into a cluster according to the behavior information about the target process behavior, including:
  - a first object identifier that the target process behavior is exerted on;
  - data information generated by the target process behavior; and
  - an identifier of the target process behavior,
  to obtain a second object identifier for initiating one or more malicious process behaviors of the plurality of malicious process behaviors in the cluster, the second object identifier being different from the first object identifier;
- instruction for determining whether the target process behavior is the malicious process behavior based upon the second object identifier;
- instruction for receiving first operation indication information returned by the server according to a detection result of the target process behavior; and
- instruction for performing an operation on the target process behavior according to the first operation indication information.
(Dependent claims: 19, 20)
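The detection apparatus / server exchange described in the abstract and in claim 1, as an added toy model (not code from the patent): the apparatus reports a behavior record (behavior identifier, first object identifier, generated data), the server clusters it against behaviors already determined malicious, derives the second object identifiers (the initiators of those malicious behaviors, which differ from the first object identifier), and returns an operation indication the apparatus acts on. The `initiator` field, the `terminate`/`allow` indications and the rule "malicious if the reporting initiator is among the second object identifiers" are assumptions; all sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BehaviorInfo:
    """Behavior information the detection apparatus sends to the server."""
    behavior_id: str    # identifier of the target process behavior
    first_object: str   # first object identifier the behavior is exerted on
    data: str           # data information generated by the behavior
    initiator: str      # process that initiated it (assumed field, not named in the claim)


# Constructed sample: behaviors the server has already determined to be malicious.
KNOWN_MALICIOUS = [
    BehaviorInfo("write_file", "hosts", "0.0.0.0 update.example", "proc_41"),
    BehaviorInfo("write_file", "hosts", "0.0.0.0 update.example", "proc_77"),
    BehaviorInfo("create_process", "cmd.exe", "sample-args-A", "proc_41"),
]


def cluster_key(b: BehaviorInfo) -> tuple:
    # Behaviors with the same identifier, acted-on object and generated data form one cluster.
    return (b.behavior_id, b.first_object, b.data)


class Server:
    def __init__(self, known_malicious):
        self.clusters = defaultdict(set)  # cluster key -> initiating object identifiers
        for b in known_malicious:
            self.clusters[cluster_key(b)].add(b.initiator)

    def detect(self, b: BehaviorInfo):
        """Clustering analysis: return (is_malicious, second_object_ids, operation indication)."""
        # Second object identifiers: initiators of malicious behaviors in the target's
        # cluster; by definition they differ from the first object identifier.
        second_ids = {i for i in self.clusters.get(cluster_key(b), ()) if i != b.first_object}
        malicious = b.initiator in second_ids  # assumed decision rule
        return malicious, sorted(second_ids), ("terminate" if malicious else "allow")


class DetectionApparatus:
    def __init__(self, server: Server):
        self.server = server
        self.log = []  # (behavior_id, initiator, indication) for audit

    def report(self, b: BehaviorInfo) -> str:
        """Monitor a behavior, send it to the server and apply the returned indication."""
        malicious, second_ids, indication = self.server.detect(b)
        self.log.append((b.behavior_id, b.initiator, indication))
        return indication
```

A behavior that the apparatus alone could not judge from one sample is flagged once it clusters with behaviors already attributed to a known initiator, which is the comprehensive server-side detection the abstract contrasts with single-sample feature analysis.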
Specification