CN107871079A - A kind of suspicious process detection method, device, equipment and storage medium - Google Patents
- Publication number: CN107871079A
- Application number: CN201711229602.4A
- Authority: CN (China)
- Prior art keywords: operation behavior, target process, suspicious, user file, monitoring
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a suspicious process detection method comprising the following steps: when a target process starts, monitor the operation behavior of the target process on user files; for each monitored operation behavior of the target process on a user file, determine whether that operation behavior matches a preset abnormal operation behavior pattern; if it does, determine that the target process is a suspicious process. With the technical scheme provided by the embodiments of the invention, a suspicious process can be detected in time at the initial stage of execution of malware such as ransomware, before it causes larger harm to the system and the user, and it can be guarded against, reducing loss. The invention also discloses a suspicious process detection device, equipment and storage medium, which have corresponding technical effects.
Description
Technical field
The present invention relates to the field of computer application technology, and in particular to a suspicious process detection method, device, equipment and storage medium.
Background technology
With the rapid development of computer application technology, the detection of malware such as ransomware is receiving more and more attention. Ransomware is a popular kind of trojan that, by harassing, threatening or even holding user files hostage, makes the user's data assets or computing resources unusable and demands payment from the user as the condition for restoring them. If a system is attacked by malware such as ransomware, its normal operation is directly affected and the user suffers greater loss.
At present, processes spawned by malware such as ransomware are mostly detected with bait (decoy) files. This method has a certain shortcoming: the process spawned by the ransomware attacks by traversing directories and encrypting as it goes, so by the time it reaches the bait directory a large number of user files may already have been encrypted. Detection therefore lags, and the system and the user still suffer larger harm.
The content of the invention
The object of the invention is to provide a suspicious process detection method, device, equipment and storage medium, so as to detect a suspicious process in time at the initial stage of execution of malware such as ransomware, before larger harm is caused to the system and the user, guard against it, and reduce loss.
In order to solve the above technical problems, the present invention provides the following technical scheme:
A suspicious process detection method, including:
when a target process starts, monitoring the operation behavior of the target process on user files;
for each monitored operation behavior of the target process on a user file, determining whether the operation behavior matches a preset abnormal operation behavior pattern;
if so, determining that the target process is a suspicious process.
In one embodiment of the present invention, before the operation behavior of the target process on user files is monitored, the method further includes:
determining whether the target process is a process in a normal process list obtained in advance;
if not, performing the step of monitoring the operation behavior of the target process on user files.
In one embodiment of the present invention, after the target process is determined to be a suspicious process, the method further includes:
interrupting the target process.
In one embodiment of the present invention, the method further includes:
when it is detected that the target process is about to operate on a user file, backing up the user file the target process is about to operate on;
correspondingly, after the target process is determined to be a suspicious process, the method further includes:
restoring the backed-up user file.
In one embodiment of the present invention, the abnormal operation behavior pattern includes a single-file abnormal operation behavior pattern and/or a multi-file abnormal operation behavior pattern.
A suspicious process detection device, including:
an operation behavior monitoring module, configured to monitor the operation behavior of the target process on user files when a target process starts;
an operation behavior determining module, configured to determine, for each monitored operation behavior of the target process on a user file, whether the operation behavior matches a preset abnormal operation behavior pattern, and if so, to trigger the suspicious process determining module;
the suspicious process determining module, configured to determine that the target process is a suspicious process.
In one embodiment of the present invention, the device further includes a normal process determining module, configured to:
before the operation behavior of the target process on user files is monitored, determine whether the target process is a process in the normal process list obtained in advance;
if not, trigger the operation behavior monitoring module.
In one embodiment of the present invention, the device further includes a target process interrupt module, configured to:
after the target process is determined to be a suspicious process, interrupt the target process.
In one embodiment of the present invention, the device further includes a user file backup module, configured to:
when it is detected that the target process is about to operate on a user file, back up the user file the target process is about to operate on;
correspondingly, the device further includes a user file recovery module, configured to:
after the target process is determined to be a suspicious process, restore the backed-up user file.
Suspicious process detection equipment, including:
a memory for storing a computer program;
a processor for implementing the steps of any of the suspicious process detection methods described above when executing the computer program.
A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the suspicious process detection methods described above.
With the technical scheme provided by the embodiments of the invention, when a target process starts, its operation behavior on user files is monitored; for each monitored operation behavior of the target process on a user file it is determined whether the operation behavior matches a preset abnormal operation behavior pattern, and if it does the target process is determined to be a suspicious process. A suspicious process can thus be detected in time at the initial stage of execution of malware such as ransomware, before larger harm is caused to the system and the user, and guarded against, reducing loss.
Brief description of the drawings
In order to explain the embodiments of the invention or the technical scheme of the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of an implementation of a suspicious process detection method in an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a suspicious process detection device in an embodiment of the invention;
Fig. 3 is a schematic structural diagram of suspicious process detection equipment in an embodiment of the invention.
Embodiment
In order that those skilled in the art may better understand the scheme of the invention, the invention is described in further detail below with reference to the drawings and specific embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention, without creative effort, fall within the protection scope of the invention.
Referring to Fig. 1, which is a flowchart of an implementation of the suspicious process detection method provided by an embodiment of the invention, the method may include the following steps:
S110: when a target process starts, monitor the operation behavior of the target process on user files.
In an embodiment of the invention, a low-level monitoring process P may be started when the system boots. The low-level monitoring process P is a low-level daemon that achieves fine-grained monitoring of other processes by hooking in both the kernel layer and the user layer. By means of hooks, the low-level monitoring process P can monitor other processes' calls to the process-creation APIs; when one of these APIs is called, a new process is about to start. The target process may be any such new process.
When a target process starts, its operation behavior on user files can be monitored. Specifically, a user file operation monitoring process M may be started, and the operation behavior of the target process on user files is monitored by that process M. The user file operation monitoring process M monitors the target process's calls to the file operation APIs by means of hooks.
A user file is a file in the file system that is operated on entirely by the user's manual operations or by a batch operation specified by the user, mainly of document or picture type, rather than a file created and used by the system or by software.
S120: for each monitored operation behavior of the target process on a user file, determine whether the operation behavior matches a preset abnormal operation behavior pattern.
Starting from the first monitored operation behavior of the target process on a user file, for each monitored operation behavior of the target process on a user file it is determined whether that operation behavior matches a preset abnormal operation behavior pattern. If it matches, the operation of step S130 is performed; otherwise, monitoring of the target process's operation behavior on user files continues, as shown in Fig. 1.
In an embodiment of the invention, the abnormal operation behavior pattern includes a single-file abnormal operation behavior pattern and/or a multi-file abnormal operation behavior pattern. The abnormal operation behavior pattern can be obtained by analysing the historical abnormal operation behavior of malware such as ransomware.
It will be understood that normal operations on user files are mainly copying, moving, deleting, compressing, uploading, viewing and modifying. For operations such as viewing or modifying, the corresponding software is usually used to open the document: for example, Office is used to open Word and PowerPoint files, Adobe Reader is used to open PDF files, and Notepad is used to open txt files. The other operations act mainly on the whole file. None of these operations on a user file process the file in pieces and encrypt one of the pieces. Analysis of historical abnormal operation behavior shows, however, that malware such as ransomware generally divides a user file into several parts and randomly selects some of those parts to encrypt, in order to speed up encryption. In the embodiments of the invention, this kind of operation behavior is called the single-file abnormal operation behavior pattern.
In addition, when multiple files are encrypted legitimately, they are usually packaged and then encrypted as a whole; it is rare for multiple files to be encrypted independently. Malware such as ransomware, by contrast, generally encrypts each user file among the multiple files individually. In the embodiments of the invention, this kind of operation behavior is called the multi-file abnormal operation behavior pattern.
In practice, for each monitored operation behavior of the target process on a user file, it may first be determined whether the operation behavior matches the preset single-file abnormal operation behavior pattern; if so, the operation of step S130 is performed; if not, it is then determined whether the operation behavior matches the preset multi-file abnormal operation behavior pattern; if so, the operation of step S130 is performed; if not, monitoring of the target process's operation behavior on user files continues.
Alternatively, for each monitored operation behavior of the target process on a user file, it is determined separately whether the operation behavior matches the preset single-file abnormal operation behavior pattern and whether it matches the preset multi-file abnormal operation behavior pattern; as soon as either abnormal operation behavior pattern is matched, the operation of step S130 is performed; otherwise, monitoring of the target process's operation behavior on user files continues.
S130: determine that the target process is a suspicious process.
For each monitored operation behavior of the target process on a user file, if it is determined that the operation behavior matches a preset abnormal operation behavior pattern, the target process can be determined to be a suspicious process, that is, the target process may be a process spawned by malware such as ransomware.
With the method provided by the embodiments of the invention, when a target process starts, its operation behavior on user files is monitored; for each monitored operation behavior of the target process on a user file it is determined whether the operation behavior matches a preset abnormal operation behavior pattern, and if it does the target process is determined to be a suspicious process. A suspicious process can thus be detected in time at the initial stage of execution of malware such as ransomware, before larger harm is caused to the system and the user, and guarded against, reducing loss.
In one embodiment of the invention, before the operation behavior of the target process on user files is monitored, the method may further include the following step:
determining whether the target process is a process in a normal process list obtained in advance, and if not, performing the step of monitoring the operation behavior of the target process on user files.
In an embodiment of the invention, the processes commonly used by the system and the user can be obtained in advance; these commonly used processes are treated as normal processes and stored in the normal process list. The normal process list may include information such as the process name, the path of the corresponding process file, the hash value of the corresponding process file, and the hash values of the executable files and libraries the process involves.
When a target process starts, the relevant information of the target process can first be compared with the information in the normal process list to determine whether the target process is a process in the list. If it is, the target process is a normal process and its operation behavior on user files need not be monitored, which reduces the performance cost to the system; if not, the target process is not a normal process and its operation behavior on user files can be monitored, so as to determine in time whether the target process is suspicious.
In one embodiment of the invention, after step S130 the method may further include the following step:
interrupting the target process.
To prevent the continued running of the target process from adversely affecting the system and the user, the target process can be interrupted after it is determined to be a suspicious process. At the same time, alarm information can be output or the relevant information reported, so that an administrator can intervene in time and manually confirm whether the target process is indeed suspicious.
In one embodiment of the invention, the method may further include the following step:
when it is detected that the target process is about to operate on a user file, backing up the user file the target process is about to operate on;
correspondingly, after step S130, the method may further include the following step:
restoring the backed-up user file.
In an embodiment of the invention, when a target process starts, its operation behavior on user files is monitored, and when it is detected that the target process is about to operate on a user file, the user file it is about to operate on can first be backed up. Specifically, a user file temporary backup process B can be started, and the user file the target process is about to operate on is backed up by that process B. After the target process is determined to be a suspicious process, the backed-up user file can be restored.
In practice, if the target process is not a suspicious process, the user file operation monitoring process M and the user file temporary backup process B for that target process can be terminated when the target process ends, and the backed-up user files can be deleted at the same time, reducing system performance consumption and saving system resources.
That is, when a target process starts, its operation behavior on user files is monitored at a low level and the user files it is about to operate on are continuously backed up, until the target process is determined to be normal; if, at any point in this process, the target process is determined to be suspicious, it can be interrupted and the backed-up user files restored. The suspiciousness of the target process can thus be determined in time, the lag caused by detection with bait directories in the prior art is overcome, and detection efficiency and accuracy are improved.
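The normal process list check, the copy-before-operation backup of process B, the interruption of a suspicious process and the restoration of its backups form one lifecycle around the pattern matcher of S120. The following is an added example of that lifecycle written for this page, not code from the patent or from any implementation of it. It models the file system as an in-memory dictionary, takes the S120 verdict as an `abnormal` flag already attached to each event (the pattern decision is assumed to come from a separate matcher), keys the normal process list by process name and path with a SHA-256 of the executable image as the hash the description mentions, and uses constructed process names, paths, image bytes and file contents.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ProcessInfo:
    """What the low-level monitor knows about a newly started process (hypothetical shape)."""
    pid: int
    name: str
    exe_path: str
    exe_sha256: str  # hash of the executable image actually loaded


@dataclass
class FileEvent:
    """A write the target process is about to perform, plus the S120 verdict for it.
    The pattern decision itself is assumed to come from a separate matcher."""
    pid: int
    path: str
    new_data: bytes
    abnormal: bool


class NormalProcessList:
    """Normal process list: name and path select the entry, and the image hash must match too."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], str] = {}

    def add(self, name: str, exe_path: str, exe_bytes: bytes) -> None:
        self._entries[(name, exe_path)] = sha256_hex(exe_bytes)

    def contains(self, proc: ProcessInfo) -> bool:
        expected = self._entries.get((proc.name, proc.exe_path))
        return expected is not None and expected == proc.exe_sha256


class SuspiciousProcessGuard:
    """Whitelist check, copy-before-write backup, interrupt and restore over an in-memory file system."""

    def __init__(self, fs: Dict[str, bytes], normal: NormalProcessList) -> None:
        self.fs = fs
        self.normal = normal
        self.monitored: Set[int] = set()
        self.backups: Dict[int, Dict[str, bytes]] = {}  # the role of backup process B
        self.interrupted: Set[int] = set()

    def on_process_start(self, proc: ProcessInfo) -> bool:
        """Return True when the process will be monitored (it is not in the normal list)."""
        if self.normal.contains(proc):
            return False
        self.monitored.add(proc.pid)
        self.backups[proc.pid] = {}
        return True

    def on_file_event(self, ev: FileEvent) -> None:
        if ev.pid not in self.monitored or ev.pid in self.interrupted:
            return  # not monitored, or already stopped
        backup = self.backups[ev.pid]
        if ev.path in self.fs and ev.path not in backup:
            backup[ev.path] = self.fs[ev.path]  # copy the original before the first write
        self.fs[ev.path] = ev.new_data  # the operation itself goes through
        if ev.abnormal:
            self.interrupted.add(ev.pid)  # interrupt the target process
            for path, original in backup.items():
                self.fs[path] = original  # restore every file it touched

    def on_process_exit(self, pid: int) -> None:
        """A process that ended without a verdict was normal: stop monitoring, drop its backups."""
        self.monitored.discard(pid)
        self.backups.pop(pid, None)


def run_demo() -> Dict[str, bool]:
    """Run the lifecycle on constructed processes and files; return one check per property."""
    fs = {"/home/alice/notes.txt": b"meeting notes", "/home/alice/budget.xlsx": b"q3 figures"}
    normal = NormalProcessList()
    editor_image = b"constructed editor binary"
    normal.add("editor", "/usr/bin/editor", editor_image)
    guard = SuspiciousProcessGuard(fs, normal)

    editor = ProcessInfo(100, "editor", "/usr/bin/editor", sha256_hex(editor_image))
    lookalike = ProcessInfo(101, "editor", "/usr/bin/editor", sha256_hex(b"different image"))
    unknown = ProcessInfo(200, "updater", "/tmp/updater", sha256_hex(b"unknown image"))
    r = {
        "listed_not_monitored": guard.on_process_start(editor) is False,
        "hash_mismatch_monitored": guard.on_process_start(lookalike),
        "unknown_monitored": guard.on_process_start(unknown),
    }
    # pid 200 makes an ordinary-looking write, then one the S120 matcher flags as abnormal
    guard.on_file_event(FileEvent(200, "/home/alice/notes.txt", b"meeting notes v2", abnormal=False))
    guard.on_file_event(FileEvent(200, "/home/alice/budget.xlsx", b"\x9a\x11\xf3", abnormal=True))
    r["interrupted"] = 200 in guard.interrupted
    r["files_restored"] = (fs["/home/alice/notes.txt"] == b"meeting notes"
                           and fs["/home/alice/budget.xlsx"] == b"q3 figures")
    guard.on_file_event(FileEvent(200, "/home/alice/notes.txt", b"late write", abnormal=False))
    r["ignored_after_interrupt"] = fs["/home/alice/notes.txt"] == b"meeting notes"
    guard.on_process_exit(101)  # the look-alike ended without any abnormal operation
    r["backups_dropped_on_normal_exit"] = 101 not in guard.backups
    return r


if __name__ == "__main__":
    for prop, ok in run_demo().items():
        print(f"{prop}: {ok}")
```

Two points the demo makes visible: a process whose name and path are on the list but whose image hash differs is still monitored, which is why the description stores hashes rather than names alone; and restoration covers every file the process touched while monitored, not only the one on which the abnormal pattern fired, since the earlier writes were made by the same process that has now been judged suspicious.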
Corresponding to the above method embodiments, an embodiment of the invention also provides a suspicious process detection device; the suspicious process detection device described below and the suspicious process detection method described above may be referred to each other.
Referring to Fig. 2, the device may include the following modules:
an operation behavior monitoring module 210, configured to monitor the operation behavior of the target process on user files when a target process starts;
an operation behavior determining module 220, configured to determine, for each monitored operation behavior of the target process on a user file, whether the operation behavior matches a preset abnormal operation behavior pattern, and if so, to trigger the suspicious process determining module 230;
a suspicious process determining module 230, configured to determine that the target process is a suspicious process.
In one embodiment of the invention, the device further includes a normal process determining module, configured to:
before the operation behavior of the target process on user files is monitored, determine whether the target process is a process in the normal process list obtained in advance;
if not, trigger the operation behavior monitoring module 210.
In one embodiment of the invention, the device further includes a target process interrupt module, configured to:
after the target process is determined to be a suspicious process, interrupt the target process.
In one embodiment of the invention, the device further includes a user file backup module, configured to:
when it is detected that the target process is about to operate on a user file, back up the user file the target process is about to operate on;
correspondingly, the device further includes a user file recovery module, configured to:
after the target process is determined to be a suspicious process, restore the backed-up user file.
In one embodiment of the invention, the abnormal operation behavior pattern includes a single-file abnormal operation behavior pattern and/or a multi-file abnormal operation behavior pattern.
Corresponding to the above method embodiments, an embodiment of the invention also provides suspicious process detection equipment; the suspicious process detection equipment described below and the suspicious process detection method described above may be referred to each other.
Referring to Fig. 3, the equipment includes:
a memory 310 for storing a computer program;
a processor 320 for implementing the steps of the above suspicious process detection method when executing the computer program.
Corresponding to the above method embodiments, an embodiment of the invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the above suspicious process detection method are implemented.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to each other. For the device, equipment and storage medium disclosed in the embodiments, since they correspond to the method disclosed in the embodiments, the description is relatively brief, and the relevant points may be found in the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical scheme. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of the invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Specific examples have been used herein to explain the principles and embodiments of the invention; the description of the above embodiments is only intended to help understand the technical scheme of the invention and its core idea. It should be pointed out that those of ordinary skill in the art can make certain improvements and modifications to the invention without departing from the principles of the invention, and such improvements and modifications also fall within the protection scope of the claims of the invention.
Claims (11)
- 1. A suspicious process detection method, characterised in that it includes: when a target process starts, monitoring the operation behavior of the target process on user files; for each monitored operation behavior of the target process on a user file, determining whether the operation behavior matches a preset abnormal operation behavior pattern; if so, determining that the target process is a suspicious process.
- 2. The suspicious process detection method according to claim 1, characterised in that, before monitoring the operation behavior of the target process on user files, it further includes: determining whether the target process is a process in a normal process list obtained in advance; if not, performing the step of monitoring the operation behavior of the target process on user files.
- 3. The suspicious process detection method according to claim 1, characterised in that, after determining that the target process is a suspicious process, it further includes: interrupting the target process.
- 4. The suspicious process detection method according to claim 3, characterised in that it further includes: when it is detected that the target process is about to operate on a user file, backing up the user file the target process is about to operate on; correspondingly, after determining that the target process is a suspicious process, it further includes: restoring the backed-up user file.
- 5. The suspicious process detection method according to any one of claims 1 to 4, characterised in that the abnormal operation behavior pattern includes a single-file abnormal operation behavior pattern and/or a multi-file abnormal operation behavior pattern.
- 6. A suspicious process detection device, characterised in that it includes: an operation behavior monitoring module, configured to monitor the operation behavior of the target process on user files when a target process starts; an operation behavior determining module, configured to determine, for each monitored operation behavior of the target process on a user file, whether the operation behavior matches a preset abnormal operation behavior pattern, and if so, to trigger the suspicious process determining module; the suspicious process determining module, configured to determine that the target process is a suspicious process.
- 7. The suspicious process detection device according to claim 6, characterised in that it further includes a normal process determining module, configured to: before the operation behavior of the target process on user files is monitored, determine whether the target process is a process in a normal process list obtained in advance; if not, trigger the operation behavior monitoring module.
- 8. The suspicious process detection device according to claim 6, characterised in that it further includes a target process interrupt module, configured to: after the target process is determined to be a suspicious process, interrupt the target process.
- 9. The suspicious process detection device according to claim 8, characterised in that it further includes a user file backup module, configured to: when it is detected that the target process is about to operate on a user file, back up the user file the target process is about to operate on; correspondingly, it further includes a user file recovery module, configured to: after the target process is determined to be a suspicious process, restore the backed-up user file.
- 10. Suspicious process detection equipment, characterised in that it includes: a memory for storing a computer program; a processor for implementing the steps of the suspicious process detection method according to any one of claims 1 to 5 when executing the computer program.
- 11. A computer-readable storage medium, characterised in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor the steps of the suspicious process detection method according to any one of claims 1 to 5 are implemented.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711229602.4A CN107871079A (en) | 2017-11-29 | 2017-11-29 | A kind of suspicious process detection method, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107871079A true CN107871079A (en) | 2018-04-03 |
Family
ID=61755030
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711229602.4A Pending CN107871079A (en) | 2017-11-29 | 2017-11-29 | A kind of suspicious process detection method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107871079A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103679031A (en) * | 2013-12-12 | 2014-03-26 | 北京奇虎科技有限公司 | File virus immunizing method and device |
CN106156628A (en) * | 2015-04-16 | 2016-11-23 | 阿里巴巴集团控股有限公司 | A kind of user behavior analysis method and device |
CN106548070A (en) * | 2016-07-18 | 2017-03-29 | 北京安天电子设备有限公司 | A kind of method and system that blackmailer's virus is defendd in stand-by time |
CN106611121A (en) * | 2016-11-01 | 2017-05-03 | 哈尔滨安天科技股份有限公司 | Method and system for finding extortion viruses based on file format monitoring |
CN106611123A (en) * | 2016-12-02 | 2017-05-03 | 哈尔滨安天科技股份有限公司 | Method and system for detecting 'Harm. Extortioner. a' virus |
CN106844097A (en) * | 2016-12-29 | 2017-06-13 | 北京奇虎科技有限公司 | A kind of means of defence and device for malice encryption software |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109388946A (en) * | 2018-09-28 | 2019-02-26 | 珠海市君天电子科技有限公司 | Malicious process detection method, device, electronic equipment and storage medium |
CN110866248A (en) * | 2018-11-28 | 2020-03-06 | 北京安天网络安全技术有限公司 | Lesovirus identification method and device, electronic equipment and storage medium |
CN111062035A (en) * | 2019-11-18 | 2020-04-24 | 哈尔滨安天科技集团股份有限公司 | Lesog software detection method and device, electronic equipment and storage medium |
CN111062035B (en) * | 2019-11-18 | 2024-02-20 | 安天科技集团股份有限公司 | Lesu software detection method and device, electronic equipment and storage medium |
CN112560040A (en) * | 2020-12-25 | 2021-03-26 | 安芯网盾(北京)科技有限公司 | General detection method and device for computer infectious virus |
CN113961920A (en) * | 2021-10-13 | 2022-01-21 | 安天科技集团股份有限公司 | Suspicious process processing method and device, storage medium and electronic equipment |
Similar Documents
Publication | Title |
---|---|
US10977370B2 (en) | Method of remediating operations performed by a program and system thereof |
US11886591B2 (en) | Method of remediating operations performed by a program and system thereof |
EP3502943B1 (en) | Method and system for generating cognitive security intelligence for detecting and preventing malwares |
CN107871079A (en) | A kind of suspicious process detection method, device, equipment and storage medium |
Min et al. | Amoeba: An autonomous backup and recovery SSD for ransomware attack defense |
US8776236B2 (en) | System and method for providing storage device-based advanced persistent threat (APT) protection |
EP3362937B1 (en) | Method of remediating a program and system thereof by undoing operations |
US20190028495A1 (en) | Program, information processing device, and information processing method |
US10783041B2 (en) | Backup and recovery of data files using hard links |
CN109325349A (en) | A kind of method for managing security, terminal device and computer readable storage medium |
JP7144642B2 (en) | Behavior-based VM resource capture for forensics |
US12013929B2 (en) | Stack pivot exploit detection and mitigation |
US10007785B2 (en) | Method and apparatus for implementing virtual machine introspection |
CN108228308B (en) | Monitoring method and device for virtual machine |
CN111090857B (en) | Method for defending file from malicious software attack, computer system and recording medium |
CN110737888A (en) | Method for detecting attack behavior of kernel data of operating system of virtualization platform |
US7607122B2 (en) | Post build process to record stack and call tree information |
CN105162765A (en) | Cloud data security realizing method based on tail-cutoff survival |
CN108108635B (en) | Data security processing method, device and system |
US12001545B2 (en) | Detecting stack pivots using stack artifact verification |
CN109583204A (en) | The monitoring method that static object is distorted under a kind of hybird environment |
CN114556347A (en) | System and method for identifying data tampering in a host device |
CN114741694A (en) | Method, device and equipment for detecting execution of shellcode and storage medium |
WO2018171283A1 (en) | Method and apparatus for realizing file protection, and computing device |
Wang et al. | Information transfer model of virtual machine based on storage covert channel |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20180403 |