CN107871079A - Suspicious process detection method, device, equipment and storage medium - Google Patents


Info

Publication number
CN107871079A
Authority
CN
China
Prior art keywords
operation behavior
target process
suspicious
user file
monitoring
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711229602.4A
Other languages
Chinese (zh)
Inventor
乔延臣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a suspicious process detection method comprising the following steps: when a target process starts, monitoring the operation behavior of the target process on user files; for each monitored operation behavior of the target process on a user file, determining whether the operation behavior matches a preset abnormal operation behavior pattern; and if so, determining that the target process is a suspicious process. With the technical scheme provided by the embodiments of the invention, a suspicious process can be detected in time in the early stage of execution of malware such as ransomware, before greater harm is caused to the system and the user, and guarded against, reducing loss. The invention also discloses a suspicious process detection device, equipment and storage medium having the corresponding technical effects.

Description

Suspicious process detection method, device, equipment and storage medium
Technical field
The present invention relates to the field of computer application technology, and in particular to a suspicious process detection method, device, equipment and storage medium.
Background technology
With the rapid development of computer application technology, the detection of malware such as ransomware has attracted more and more attention. Ransomware is a widespread kind of Trojan which, by harassing or threatening the user, or even by holding user files hostage, makes the user's data assets or computing resources unusable and uses this as a condition for extorting the user. A system attacked by malware such as ransomware has its normal operation directly affected, and the user suffers greater loss.
At present, processes generated by malware such as ransomware are mostly detected with a bait (decoy) list.
This method has certain shortcomings, however. A process generated by malware such as ransomware attacks by traversing directories and encrypting what it finds; by the time it reaches the bait directory, a large number of user files may already have been encrypted. Detection therefore lags, and greater harm can still be done to the system and the user.
The content of the invention
The object of the invention is to provide a suspicious process detection method, device, equipment and storage medium, so as to detect a suspicious process in time in the early stage of execution of malware such as ransomware, before greater harm is caused to the system and the user, guard against it, and reduce loss.
In order to solve the above technical problem, the present invention provides the following technical scheme:
A suspicious process detection method, including:
when a target process starts, monitoring the operation behavior of the target process on user files;
for each monitored operation behavior of the target process on a user file, determining whether the operation behavior matches a preset abnormal operation behavior pattern;
if so, determining that the target process is a suspicious process.
In one embodiment of the invention, before the operation behavior of the target process on user files is monitored, the method further includes:
determining whether the target process is a process in a normal process list obtained in advance;
if not, performing the step of monitoring the operation behavior of the target process on user files.
In one embodiment of the invention, after the target process is determined to be a suspicious process, the method further includes:
interrupting the target process.
In one embodiment of the invention, the method further includes:
when it is detected that the target process is about to perform an operation on a user file, backing up the user file that the target process is about to operate on;
correspondingly, after the target process is determined to be a suspicious process, the method further includes:
restoring the backed-up user file.
In one embodiment of the invention, the abnormal operation behavior pattern includes a single-file abnormal operation behavior pattern and/or a multi-file abnormal operation behavior pattern.
A suspicious process detection device, including:
an operation behavior monitoring module, for monitoring the operation behavior of the target process on user files when a target process starts;
an operation behavior determining module, for determining, for each monitored operation behavior of the target process on a user file, whether the operation behavior matches a preset abnormal operation behavior pattern, and if so, triggering a suspicious process determining module;
the suspicious process determining module, for determining that the target process is a suspicious process.
In one embodiment of the invention, the device further includes a normal process determining module, for:
before the operation behavior of the target process on user files is monitored, determining whether the target process is a process in a normal process list obtained in advance;
if not, triggering the operation behavior monitoring module.
In one embodiment of the invention, the device further includes a target process interrupt module, for:
interrupting the target process after it is determined to be a suspicious process.
In one embodiment of the invention, the device further includes a user file backup module, for:
when it is detected that the target process is about to perform an operation on a user file, backing up the user file that the target process is about to operate on;
correspondingly, the device further includes a user file restoring module, for:
restoring the backed-up user file after the target process is determined to be a suspicious process.
A suspicious process detection equipment, including:
a memory, for storing a computer program;
a processor, for implementing the steps of any of the above suspicious process detection methods when executing the computer program.
A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the above suspicious process detection methods.
With the technical scheme provided by the embodiments of the invention, when a target process starts, its operation behavior on user files is monitored; for each monitored operation behavior of the target process on a user file, it is determined whether that operation behavior matches a preset abnormal operation behavior pattern, and if it does, the target process is determined to be a suspicious process. A suspicious process can thus be detected in time in the early stage of execution of malware such as ransomware, before greater harm is caused to the system and the user, and guarded against, reducing loss.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical schemes of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a suspicious process detection method in an embodiment of the present invention;
Fig. 2 is a structural diagram of a suspicious process detection device in an embodiment of the present invention;
Fig. 3 is a structural diagram of a suspicious process detection equipment in an embodiment of the present invention.
Embodiment
To help those skilled in the art better understand the scheme of the present invention, the invention is described in further detail below with reference to the drawings and specific embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Referring to Fig. 1, a flow chart of the suspicious process detection method provided by an embodiment of the invention, the method may include the following steps:
S110: when a target process starts, monitor the operation behavior of the target process on user files.
In the embodiment of the invention, a low-level monitoring process P can be started when the system starts. The low-level monitoring process P is a low-level daemon which implements fine-grained monitoring of other processes by hooking in the kernel layer and in the user layer. By hooking, the low-level monitoring process P can monitor other processes' calls to the process-creation APIs; a call to one of these APIs means that a new process is about to be started. The target process can be any new process.
When a target process starts, the operation behavior of the target process on user files can be monitored. Specifically, a user file operation monitoring process M can be started, and the operation behavior of the target process on user files is monitored by the user file operation monitoring process M. The user file operation monitoring process M monitors the target process's calls to the file operation APIs by hooking.
User files are the files in the file system that are operated on entirely by the user's manual operations or in batches specified by the user, mainly of document and picture types, as opposed to files created and used by the system or by software.
S120: for each monitored operation behavior of the target process on a user file, determine whether the operation behavior matches a preset abnormal operation behavior pattern.
Starting from the first monitored operation behavior of the target process on a user file, it is determined for each monitored operation behavior of the target process on a user file whether the operation behavior matches the preset abnormal operation behavior pattern. If it matches, execution continues with step S130; otherwise the operation behavior of the target process on user files continues to be monitored, as shown in Fig. 1.
In the embodiment of the invention, the abnormal operation behavior pattern includes a single-file abnormal operation behavior pattern and/or a multi-file abnormal operation behavior pattern. The abnormal operation behavior patterns can be obtained by analyzing the historical abnormal operation behavior of malware such as ransomware.
It will be understood that the normal operations on user files are mainly copying, moving, deleting, compressing, uploading, viewing and modifying. Viewing or modifying is normally done by opening the file with the corresponding software, for example Word or PowerPoint files with Office, PDF files with Adobe Reader and txt files with Notepad. The other operations mainly act on the file as a whole. Among all normal operations on a user file, none processes the file in blocks and encrypts one of the blocks. Analysis of historical abnormal operation behavior shows that malware such as ransomware, in order to speed up encryption, generally divides a user file into several parts and randomly selects a subset of them to encrypt. In the embodiment of the invention, this kind of operation behavior is called the single-file abnormal operation behavior pattern.
In addition, when several files are encrypted normally, they are usually packaged first and then encrypted together; it is rare for multiple files to be encrypted independently. Malware such as ransomware, however, generally encrypts each user file among multiple files individually. In the embodiment of the invention, this kind of operation behavior is called the multi-file abnormal operation behavior pattern.
In practice, for each monitored operation behavior of the target process on a user file, it can first be determined whether the operation behavior matches the preset single-file abnormal operation behavior pattern; if so, execution continues with step S130; if not, it is then determined whether the operation behavior matches the preset multi-file abnormal operation behavior pattern; if so, execution continues with step S130, and if not, the operation behavior of the target process on user files continues to be monitored.
Alternatively, for each monitored operation behavior of the target process on a user file, it can be determined separately whether the operation behavior matches the preset single-file abnormal operation behavior pattern and whether it matches the preset multi-file abnormal operation behavior pattern; as soon as either abnormal operation behavior pattern is matched, execution continues with step S130, and otherwise the operation behavior of the target process on user files continues to be monitored.
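The following is an added example, not code from the patent or from the applicant, that implements step S120 over a stream of file-operation events in the way the two patterns above describe: a single-file match when only part of an existing user file is overwritten in place, and a multi-file match when the same process rewrites several distinct user files one by one. The event record, the user-file extension list, the threshold of three files and the three sample streams are all constructed for this example; a real implementation would obtain the events from the file-API hooks of process M.

```python
"""
Added example (not the patent's code): a behaviour-pattern matcher for step
S120 over a stream of file-operation events.

  single-file pattern: a user file is processed piecemeal, i.e. only some
      blocks of it are overwritten in place rather than the whole file;
  multi-file pattern:  several user files are each rewritten individually by
      the same process, instead of being packaged first.

Event format, extension list, threshold and sample streams are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

USER_FILE_EXTS = {".doc", ".docx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg", ".png"}
MULTI_FILE_THRESHOLD = 3   # distinct user files rewritten whole (constructed value)


@dataclass
class FileOp:
    pid: int
    op: str        # "read" or "write"
    path: str
    offset: int    # byte offset the operation starts at
    length: int    # bytes read or written
    size: int      # file size before the operation


def is_user_file(path):
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in USER_FILE_EXTS


def matches_single_file_pattern(op):
    """A write that lands inside an existing user file without being a normal
    full rewrite (offset 0 through the old end): the 'encrypt only some parts'
    behaviour attributed to ransomware. Pure appends are not in-place writes."""
    if op.op != "write" or not is_user_file(op.path) or op.size <= 0:
        return False
    end = op.offset + op.length
    in_place = op.offset < op.size
    whole_rewrite = op.offset == 0 and end >= op.size
    return in_place and not whole_rewrite


class MultiFileTracker:
    """Per process, count distinct user files each rewritten whole, individually."""

    def __init__(self, threshold=MULTI_FILE_THRESHOLD):
        self.threshold = threshold
        self.rewritten = defaultdict(set)

    def observe(self, op):
        whole = op.offset == 0 and op.offset + op.length >= op.size > 0
        if op.op == "write" and is_user_file(op.path) and whole:
            self.rewritten[op.pid].add(op.path)
        return len(self.rewritten[op.pid]) >= self.threshold


def judge(events):
    """Walk the stream from the first operation, single-file check first, then
    multi-file, as the description's first ordering does. Returns
    (suspicious, pattern, index of the deciding event)."""
    tracker = MultiFileTracker()
    for i, ev in enumerate(events):
        if matches_single_file_pattern(ev):
            return True, "single-file", i
        if tracker.observe(ev):
            return True, "multi-file", i
    return False, None, None


# Constructed sample streams; not captured from any real program.
NORMAL_EDIT = [   # an editor saving a document whole, plus a log append
    FileOp(101, "read", r"C:\Users\a\report.docx", 0, 40960, 40960),
    FileOp(101, "write", r"C:\Users\a\report.docx", 0, 41200, 40960),
    FileOp(101, "write", r"C:\ProgramData\app\app.log", 2048, 64, 2048),
]
PIECEMEAL = [     # one user file, only a middle block overwritten in place
    FileOp(202, "read", r"C:\Users\a\thesis.pdf", 0, 1048576, 1048576),
    FileOp(202, "write", r"C:\Users\a\thesis.pdf", 65536, 65536, 1048576),
]
ONE_BY_ONE = [    # several user files each rewritten whole, one after another
    FileOp(303, "write", r"C:\Users\a\pics\1.jpg", 0, 3000, 3000),
    FileOp(303, "write", r"C:\Users\a\pics\2.jpg", 0, 4100, 4000),
    FileOp(303, "write", r"C:\Users\a\notes.txt", 0, 120, 100),
]

if __name__ == "__main__":
    for name, stream in (("normal edit", NORMAL_EDIT), ("piecemeal", PIECEMEAL), ("one by one", ONE_BY_ONE)):
        print(name, "->", judge(stream))
```

The threshold and the "whole rewrite" test are the tunable parts: an editor that saves through a temporary file and a rename would not even show up as an in-place write, while a process that rewrites three unrelated user files in a row trips the multi-file pattern regardless of what it wrote.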
S130: determine that the target process is a suspicious process.
For each monitored operation behavior of the target process on a user file, if it is determined that the operation behavior matches the preset abnormal operation behavior pattern, the target process can be determined to be a suspicious process, i.e. a process that may have been launched by malware such as ransomware.
With the method provided by the embodiment of the invention, when a target process starts, its operation behavior on user files is monitored; for each monitored operation behavior of the target process on a user file, it is determined whether that operation behavior matches a preset abnormal operation behavior pattern, and if it does, the target process is determined to be a suspicious process. A suspicious process can thus be detected in time in the early stage of execution of malware such as ransomware, before greater harm is caused to the system and the user, and guarded against, reducing loss.
In one embodiment of the invention, before the operation behavior of the target process on user files is monitored, the method may further include the following step:
determining whether the target process is a process in a normal process list obtained in advance, and if not, performing the step of monitoring the operation behavior of the target process on user files.
In the embodiment of the invention, the processes commonly used by the system and by the user can be obtained in advance, treated as normal processes, and stored in a normal process list. The normal process list can include information such as the process name, the path of the corresponding process file, the hash of the corresponding process file, and the hashes of the executable files and libraries the process involves.
When a target process starts, the relevant information of the target process can first be compared with the information contained in the normal process list to determine whether the target process is a process in the list. If it is, the target process is a normal process and its operation behavior on user files need not be monitored, which reduces the performance consumption of the system; if it is not, the target process is not a normal process, and its operation behavior on user files can be monitored so as to determine in time whether the target process is suspicious.
In one embodiment of the invention, after step S130, the method may further include the following step:
interrupting the target process.
To prevent the continued running of the target process from adversely affecting the system and the user, the target process can be interrupted after it is determined to be a suspicious process. At the same time, alarm information can be output or the relevant information reported, so that an administrator can intervene in time and manually confirm whether the target process is indeed suspicious.
In one embodiment of the invention, the method may further include the following step:
when it is detected that the target process is about to perform an operation on a user file, backing up the user file that the target process is about to operate on;
correspondingly, after step S130, the method may further include the following step:
restoring the backed-up user file.
In the embodiment of the invention, when a target process starts and its operation behavior on user files is monitored, the user file that the target process is about to operate on can first be backed up whenever it is detected that the target process is about to perform an operation on a user file. Specifically, a temporary user file backup process B can be started, and the user file that the target process is about to operate on is backed up by the temporary user file backup process B. After the target process is determined to be a suspicious process, the backed-up user file can be restored.
In practice, if the target process is not suspicious, the user file operation monitoring process M and the temporary user file backup process B for that target process can be terminated when the target process ends, and the backed-up user files can be deleted, in order to reduce system performance consumption and save system resources.
That is, when a target process starts, the operation behavior of the target process on user files is monitored at a low level, and the user files the target process is about to operate on are continuously backed up until the target process is determined to be normal. As soon as the target process is determined to be suspicious during this period, it can be interrupted and the backed-up user files restored. The suspiciousness of the target process can thus be determined in time, the lag problem of prior-art detection with a bait directory is overcome, and detection efficiency and accuracy are improved.
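The control flow just summarized, as an added example that is not the patent's or the applicant's code: a normal-process list check on name, image path, image hash and library hashes; a backup of each user file before the target process writes to it; and, on a suspicious verdict, interruption plus restore, or, for a process that ends normally, deletion of the backups. The per-operation verdict is supplied by the caller as a callable standing in for step S120, so this block does not repeat the pattern matcher. The process record, the list entries, the fake image bytes and the file operations are constructed and run in a temporary directory.

```python
"""
Added example (not the patent's code): normal-process list check, backup
before operation, and interrupt-and-restore / discard, with the step-S120
verdict injected as a callable. All inputs are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessInfo:
    name: str
    image_path: str
    image_sha256: str
    library_sha256s: frozenset   # hashes of the libraries the process loads


def in_normal_list(proc, normal_list):
    """'Normal' only if name, image path, image hash and every library hash
    agree with the list entry; a same-named binary elsewhere or a tampered
    image or library is not exempt from monitoring."""
    entry = normal_list.get(proc.name)
    return (entry is not None
            and entry.image_path == proc.image_path
            and entry.image_sha256 == proc.image_sha256
            and proc.library_sha256s <= entry.library_sha256s)


class MonitoredSession:
    """Stands in for processes M and B: copy each user file aside before the
    target touches it, then restore or discard the copies."""

    def __init__(self, backup_dir):
        self.backup_dir = backup_dir
        self.backups = {}   # original path -> backup copy

    def before_operation(self, path):
        if path not in self.backups and os.path.isfile(path):
            dst = os.path.join(self.backup_dir, hashlib.sha256(path.encode()).hexdigest())
            shutil.copy2(path, dst)
            self.backups[path] = dst

    def restore_all(self):
        for original, copy in self.backups.items():
            shutil.copy2(copy, original)
        self.discard()

    def discard(self):
        for copy in self.backups.values():
            os.remove(copy)
        self.backups.clear()


def run_target(proc, normal_list, operations, is_suspicious, backup_dir):
    """operations: list of (path, new_bytes) the target will write.
    is_suspicious(path, new_bytes) -> bool is the pattern-matching verdict."""
    if in_normal_list(proc, normal_list):        # listed process: run unmonitored
        for path, data in operations:
            with open(path, "wb") as f:
                f.write(data)
        return {"monitored": False, "suspicious": False, "restored": 0}
    session = MonitoredSession(backup_dir)
    for i, (path, data) in enumerate(operations):
        session.before_operation(path)           # back up before the write lands
        with open(path, "wb") as f:
            f.write(data)
        if is_suspicious(path, data):            # interrupt: no further operations run
            n = len(session.backups)
            session.restore_all()
            return {"monitored": True, "suspicious": True, "restored": n, "stopped_at": i}
    session.discard()                            # ended normally: drop the backups
    return {"monitored": True, "suspicious": False, "restored": 0}


def demo():
    """Constructed scenario: an unlisted binary overwrites two user files, the
    verdict flags the second write, and both files come back intact."""
    tmp = tempfile.mkdtemp()
    docs, bk = os.path.join(tmp, "docs"), os.path.join(tmp, "backup")
    os.makedirs(docs)
    os.makedirs(bk)
    a, b = os.path.join(docs, "a.txt"), os.path.join(docs, "b.txt")
    for path, text in ((a, b"original a"), (b, b"original b")):
        with open(path, "wb") as f:
            f.write(text)
    image = b"MZ constructed, not a real executable"    # stands in for the image file
    proc = ProcessInfo("updater.exe", os.path.join(tmp, "updater.exe"),
                       hashlib.sha256(image).hexdigest(), frozenset())
    normal = {"notepad.exe": ProcessInfo("notepad.exe", r"C:\Windows\notepad.exe",
                                         "1" * 64, frozenset({"2" * 64}))}
    ops = [(a, b"\x9a\x11\x7f garbage"), (b, b"\x00\xfe\x13 garbage")]
    result = run_target(proc, normal, ops, lambda path, data: path.endswith("b.txt"), bk)
    with open(a, "rb") as fa, open(b, "rb") as fb:
        contents = (fa.read(), fb.read())
    shutil.rmtree(tmp)
    return result, contents


if __name__ == "__main__":
    print(demo())
```

Backups are keyed by a hash of the original path so that a file operated on several times is copied only once, before its first write, which is the state the description wants to restore.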
Corresponding to the above method embodiment, an embodiment of the invention also provides a suspicious process detection device. The suspicious process detection device described below and the suspicious process detection method described above may be referred to in correspondence with each other.
Referring to Fig. 2, the device can include the following modules:
an operation behavior monitoring module 210, for monitoring the operation behavior of the target process on user files when a target process starts;
an operation behavior determining module 220, for determining, for each monitored operation behavior of the target process on a user file, whether the operation behavior matches a preset abnormal operation behavior pattern, and if so, triggering a suspicious process determining module 230;
the suspicious process determining module 230, for determining that the target process is a suspicious process.
In one embodiment of the invention, the device further includes a normal process determining module, for:
before the operation behavior of the target process on user files is monitored, determining whether the target process is a process in a normal process list obtained in advance;
if not, triggering the operation behavior monitoring module 210.
In one embodiment of the invention, the device further includes a target process interrupt module, for:
interrupting the target process after it is determined to be a suspicious process.
In one embodiment of the invention, the device further includes a user file backup module, for:
when it is detected that the target process is about to perform an operation on a user file, backing up the user file that the target process is about to operate on;
correspondingly, the device further includes a user file restoring module, for:
restoring the backed-up user file after the target process is determined to be a suspicious process.
In one embodiment of the invention, the abnormal operation behavior pattern includes a single-file abnormal operation behavior pattern and/or a multi-file abnormal operation behavior pattern.
Corresponding to the above method embodiment, an embodiment of the invention also provides a suspicious process detection equipment. The suspicious process detection equipment described below and the suspicious process detection method described above may be referred to in correspondence with each other.
Referring to Fig. 3, the equipment includes:
a memory 310, for storing a computer program;
a processor 320, for implementing the steps of the above suspicious process detection method when executing the computer program.
Corresponding to the above method embodiment, an embodiment of the invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above suspicious process detection method.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to among each other. The device, equipment and storage medium disclosed in the embodiments correspond to the method disclosed in the embodiments, so their description is relatively brief, and the relevant parts may be referred to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, in computer software, or in a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above in general terms of function. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical scheme. Skilled persons may implement the described functions in different ways for each specific application, but such implementations should not be regarded as going beyond the scope of the invention.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module can reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Specific examples have been used herein to explain the principles and embodiments of the invention; the above description of the embodiments is only intended to help in understanding the technical scheme of the invention and its core idea. It should be pointed out that those of ordinary skill in the art can also make improvements and modifications to the invention without departing from its principles, and these improvements and modifications also fall within the scope of protection of the claims of the invention.

Claims (11)

  1. A suspicious process detection method, characterized in that it includes:
    when a target process starts, monitoring the operation behavior of the target process on user files;
    for each monitored operation behavior of the target process on a user file, determining whether the operation behavior matches a preset abnormal operation behavior pattern;
    if so, determining that the target process is a suspicious process.
  2. The suspicious process detection method according to claim 1, characterized in that, before the monitoring of the operation behavior of the target process on user files, it further includes:
    determining whether the target process is a process in a normal process list obtained in advance;
    if not, performing the step of monitoring the operation behavior of the target process on user files.
  3. The suspicious process detection method according to claim 1, characterized in that, after the determining that the target process is a suspicious process, it further includes:
    interrupting the target process.
  4. The suspicious process detection method according to claim 3, characterized in that it further includes:
    when it is detected that the target process is about to perform an operation on a user file, backing up the user file that the target process is about to operate on;
    correspondingly, after the determining that the target process is a suspicious process, it further includes:
    restoring the backed-up user file.
  5. The suspicious process detection method according to any one of claims 1 to 4, characterized in that the abnormal operation behavior pattern includes a single-file abnormal operation behavior pattern and/or a multi-file abnormal operation behavior pattern.
  6. A suspicious process detection device, characterized in that it includes:
    an operation behavior monitoring module, for monitoring the operation behavior of the target process on user files when a target process starts;
    an operation behavior determining module, for determining, for each monitored operation behavior of the target process on a user file, whether the operation behavior matches a preset abnormal operation behavior pattern, and if so, triggering a suspicious process determining module;
    the suspicious process determining module, for determining that the target process is a suspicious process.
  7. The suspicious process detection device according to claim 6, characterized in that it further includes a normal process determining module, for:
    before the operation behavior of the target process on user files is monitored, determining whether the target process is a process in a normal process list obtained in advance;
    if not, triggering the operation behavior monitoring module.
  8. The suspicious process detection device according to claim 6, characterized in that it further includes a target process interrupt module, for:
    interrupting the target process after it is determined to be a suspicious process.
  9. The suspicious process detection device according to claim 8, characterized in that it further includes a user file backup module, for:
    when it is detected that the target process is about to perform an operation on a user file, backing up the user file that the target process is about to operate on;
    correspondingly, it further includes a user file restoring module, for:
    restoring the backed-up user file after the target process is determined to be a suspicious process.
  10. A suspicious process detection equipment, characterized in that it includes:
    a memory, for storing a computer program;
    a processor, for implementing the steps of the suspicious process detection method according to any one of claims 1 to 5 when executing the computer program.
  11. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor the steps of the suspicious process detection method according to any one of claims 1 to 5 are implemented.
CN201711229602.4A 2017-11-29 2017-11-29 A kind of suspicious process detection method, device, equipment and storage medium Pending CN107871079A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711229602.4A CN107871079A (en) 2017-11-29 2017-11-29 A kind of suspicious process detection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711229602.4A CN107871079A (en) 2017-11-29 2017-11-29 A kind of suspicious process detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN107871079A true CN107871079A (en) 2018-04-03

Family

ID=61755030

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711229602.4A Pending CN107871079A (en) 2017-11-29 2017-11-29 A kind of suspicious process detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN107871079A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109388946A (en) * 2018-09-28 2019-02-26 珠海市君天电子科技有限公司 Malicious process detection method, device, electronic equipment and storage medium
CN110866248A (en) * 2018-11-28 2020-03-06 北京安天网络安全技术有限公司 Ransomware identification method and device, electronic equipment and storage medium
CN111062035A (en) * 2019-11-18 2020-04-24 哈尔滨安天科技集团股份有限公司 Ransomware detection method and device, electronic equipment and storage medium
CN112560040A (en) * 2020-12-25 2021-03-26 安芯网盾(北京)科技有限公司 General detection method and device for computer infectious virus
CN113961920A (en) * 2021-10-13 2022-01-21 安天科技集团股份有限公司 Suspicious process processing method and device, storage medium and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103679031A (en) * 2013-12-12 2014-03-26 北京奇虎科技有限公司 File virus immunizing method and device
CN106156628A (en) * 2015-04-16 2016-11-23 阿里巴巴集团控股有限公司 A kind of user behavior analysis method and device
CN106548070A (en) * 2016-07-18 2017-03-29 北京安天电子设备有限公司 A kind of method and system that blackmailer's virus is defendd in stand-by time
CN106611121A (en) * 2016-11-01 2017-05-03 哈尔滨安天科技股份有限公司 Method and system for finding extortion viruses based on file format monitoring
CN106611123A (en) * 2016-12-02 2017-05-03 哈尔滨安天科技股份有限公司 Method and system for detecting 'Harm. Extortioner. a' virus
CN106844097A (en) * 2016-12-29 2017-06-13 北京奇虎科技有限公司 A kind of means of defence and device for malice encryption software

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109388946A (en) * 2018-09-28 2019-02-26 珠海市君天电子科技有限公司 Malicious process detection method, device, electronic equipment and storage medium
CN110866248A (en) * 2018-11-28 2020-03-06 北京安天网络安全技术有限公司 Lesovirus identification method and device, electronic equipment and storage medium
CN111062035A (en) * 2019-11-18 2020-04-24 哈尔滨安天科技集团股份有限公司 Lesog software detection method and device, electronic equipment and storage medium
CN111062035B (en) * 2019-11-18 2024-02-20 安天科技集团股份有限公司 Lesu software detection method and device, electronic equipment and storage medium
CN112560040A (en) * 2020-12-25 2021-03-26 安芯网盾(北京)科技有限公司 General detection method and device for computer infectious virus
CN113961920A (en) * 2021-10-13 2022-01-21 安天科技集团股份有限公司 Suspicious process processing method and device, storage medium and electronic equipment

Similar Documents

Publication Publication Date Title
US10977370B2 (en) Method of remediating operations performed by a program and system thereof
US11886591B2 (en) Method of remediating operations performed by a program and system thereof
EP3502943B1 (en) Method and system for generating cognitive security intelligence for detecting and preventing malwares
CN107871079A (en) A kind of suspicious process detection method, device, equipment and storage medium
Min et al. Amoeba: An autonomous backup and recovery SSD for ransomware attack defense
US8776236B2 (en) System and method for providing storage device-based advanced persistent threat (APT) protection
EP3362937B1 (en) Method of remediating a program and system thereof by undoing operations
US20190028495A1 (en) Program, information processing device, and information processing method
US10783041B2 (en) Backup and recovery of data files using hard links
CN109325349A (en) A kind of method for managing security, terminal device and computer readable storage medium
JP7144642B2 (en) Behavior-based VM resource capture for forensics
US12013929B2 (en) Stack pivot exploit detection and mitigation
US10007785B2 (en) Method and apparatus for implementing virtual machine introspection
CN108228308B (en) Monitoring method and device for virtual machine
CN111090857B (en) Method for defending file from malicious software attack, computer system and recording medium
CN110737888A (en) Method for detecting attack behavior of kernel data of operating system of virtualization platform
US7607122B2 (en) Post build process to record stack and call tree information
CN105162765A (en) Cloud data security realizing method based on tail-cutoff survival
CN108108635B (en) Data security processing method, device and system
US12001545B2 (en) Detecting stack pivots using stack artifact verification
CN109583204A (en) The monitoring method that static object is distorted under a kind of hybird environment
CN114556347A (en) System and method for identifying data tampering in a host device
CN114741694A (en) Method, device and equipment for detecting execution of shellcode and storage medium
WO2018171283A1 (en) Method and apparatus for realizing file protection, and computing device
Wang et al. Information transfer model of virtual machine based on storage covert channel

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180403