CN104966018A - Windows system-based software program abnormal behavior analysis method - Google Patents


Info

Publication number: CN104966018A
Authority: CN (China)
Prior art keywords: software program, software, behavior, windows system, library
Legal status: Pending
Application number: CN201510340007.2A
Other languages: Chinese (zh)
Inventors: 柳培忠, 骆炎民
Current assignee: Huaqiao University
Original assignee: Huaqiao University
Priority date: 2015-06-18
Filing date: 2015-06-18
Publication date: 2015-10-07

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/12 Computing arrangements based on biological models using genetic models
    • G06N3/126 Evolutionary algorithms, e.g. genetic algorithms or genetic programming
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The present invention provides a Windows system-based software program abnormal behavior analysis method, comprising: selecting, by a user, a software program, and capturing the software behavior information of that program; establishing a white list library, a black list library and a dangerous behavior library; analyzing the captured software behavior information with a genetic algorithm according to the white list library, the black list library and the dangerous behavior library, to obtain an analysis result; and displaying the analysis result, thereby significantly reducing the network security hazards that arise inside the system.

Description

Windows system-based software program abnormal behavior analysis method
Technical field
The present invention relates to a software program abnormal behavior analysis method based on the Windows system.
Background technology
As network security risks grow, security problems become more complex by the day. A survey by the FBI and CSI of 484 enterprises, together with the findings of China's national computer network emergency response coordination center (CNCERT/CC), shows that about 76% of network security threats originate from inside an organization; the damage they cause far exceeds the losses caused by external attacks and viruses, and the great majority of these threats are related to internal network access behavior of various kinds. There is therefore an urgent need for a security means that monitors and manages these problems effectively. System program behavior monitoring arose in this context: a system abnormal behavior analysis program analyzes the behavior of each process in the system and decides intelligently whether a virus, a Trojan anomaly or a risky operation is present. Computer information system security requirements and architectures share common features; their constituent elements are security means, system components and the Open Systems Interconnection reference model (OSI) formulated by the International Organization for Standardization (ISO). Comprehensive monitoring, analysis and assessment of the security devices, network devices, application systems and operating conditions of the local system is an important means of guaranteeing network security. At present, most domestic enterprise information systems still run Windows, and a large proportion of server systems, including those of some IDC enterprises, run Windows Server, so monitoring under the Windows system is especially important.
Summary of the invention
The technical problem to be solved by the present invention is to provide a software program abnormal behavior analysis method based on the Windows system.
The present invention is achieved as follows: a Windows system-based software program abnormal behavior analysis method comprising the following steps:
Step 1: the user selects a software program, and the software behavior information of that program is captured;
Step 2: a white list library, a black list library and a dangerous behavior library are established;
Step 3: the captured software behavior information is analyzed by a genetic algorithm according to the white list library, the black list library and the dangerous behavior library, obtaining an analysis result;
Step 4: the analysis result is displayed.
Further, step 1 is specifically: the user selects a software program, a hook program is established in the Windows system, and the software behavior information of that program is captured by the hook program.
Further, in step 1, the captured software behavior information is stored.
Further, the software behavior information comprises process and thread behavior, registry behavior, file behavior, network behavior and driver behavior.
Further, step 4 is specifically: the analysis result is displayed, and the analysis result is stored in the corresponding library.
The present invention has the following advantage: the Windows system-based software program abnormal behavior analysis method of the present invention greatly reduces the network security vulnerabilities that arise from inside.
Description of the drawings
The present invention is further described below with reference to the accompanying drawing in conjunction with the embodiments.
Fig. 1 is a flowchart of the method of the present invention.
Embodiment
The Windows system-based software program abnormal behavior analysis method of the present invention comprises the following steps:
Step 1: the user selects a software program; a hook program is established in the Windows system, the software behavior information of that program is captured by the hook program, and the captured software behavior information is stored, where the software behavior information comprises process and thread behavior, registry behavior, file behavior, network behavior and driver behavior;
Step 2: a white list library, a black list library and a dangerous behavior library are established;
Step 3: the captured software behavior information is analyzed by a genetic algorithm according to the white list library, the black list library and the dangerous behavior library, obtaining an analysis result;
Step 4: the analysis result is displayed, and the analysis result is stored in the corresponding library.
One embodiment of the present invention is as follows:
1. System architecture: the system consists of an executable program, a rule base (local or in the cloud), log files, the analyzed software, and so on.
System composition and functions:
1. Structure of the whole system:
(1) Driver monitoring module:
A. hooks the required functions in the SSDT table;
B. exchanges data with the control layer.
(2) Data transmission control module (DLL):
A. hooks the network functions at ring 3;
B. interacts with the driver layer;
C. receives input data from the user interface layer and sends data back to the interface layer.
(3) User function module:
A. monitors program behavior;
B. displays the behavior process of the monitored program;
C. generates logs and records them in an Access database;
D. produces reports (filtered and judged);
E. lets the user define program safety behavior (maintenance of the black and white lists).
(4) Genetic algorithm learning and rule definition module.
The program can summarize some rules on its own and, according to these rules, automatically decide whether a software behavior is dangerous.
2. Driver monitoring
The driver is responsible for monitoring the behavior of system programs. The specific implementation flow is as follows:
Driver layer (ring 0): after the driver is installed, InitData() is executed. Its function is to obtain the addresses of the system service functions that this program needs to hook (that is, the functions stored in the SSDT) and to replace them with custom functions.
The driver control function contains two control codes, IOCTRL_PROCESS_MONITOR_ON and IOCTRL_PROCESS_MONITOR_OFF, which open and close the hook respectively. To exchange data and control information with the ring 3 program, the ring 3 program, when it sends the control code that opens the hook, also sends the address of a buffer it has allocated, and the ring 0 program maps that buffer as follows:
    // obtain the buffer address sent by the user layer
    dwBuffAddress = *(DWORD*)pIoBuffer;
    // obtain the physical address from the virtual address
    pPhysicalAddr = MmGetPhysicalAddress((PVOID)dwBuffAddress);
    // map the physical address to a kernel virtual address
    g_pMyBuff = (PMY_BUFF)MmMapIoSpace(pPhysicalAddr, sizeof(MY_BUFF), (MEMORY_CACHING_TYPE)0);
The buffer can then be accessed "directly" at ring 0, which achieves the interaction between ring 0 and ring 3. This program uses kernel-layer HOOK technology.
3. Data transmission control
DLL (control) layer: this layer first installs the driver as a service, loads the driver and establishes the device connection, then opens the network function HOOK (a global hook among the message hooks, based on a hook template library):
a. open the Service Control Manager;
b. create the service corresponding to the driver;
c. establish the device connection.
This layer exports two functions, monitor and unmonitor, used to start and stop monitoring respectively. Monitor is implemented as follows:
(1) open the driver's symbolic link, send the start control code, and notify the driver to open the hook;
(2) after sending the start control code, Monitor further creates the thread MonitorThreadProc, which receives kernel information;
(3) the thread MonitorThreadProc receives in a loop the information sent by the driver and, after appropriate processing (such as drive conversion), sends it to the user interface layer program in the form of messages;
(4) key data structure fields: m_MyBuff.m_dwKenelReturn (checks whether the driver has sent new information) is set to false by the DLL layer once the information has been processed; m_MyBuff.m_dwUserReturn (whether the user agrees to let the program pass) is always set to true, because this program is not of the active-defense type and only performs behavior analysis;
(5) correspondingly, the driver also contains the control if (!g_pMyBuff->m_dwKenelReturn) break; so that if the ring 3 program has not yet finished processing a message, the driver waits until processing is complete, and only then does the function that copies the message return and the next message copy take place.
4. User application
The function of the user application module is to satisfy the user's simple operations and to analyze the monitored behavior process of the program under monitoring. The specific implementation flow is as follows:
When the program initializes, it loads the control layer DLL file and at the same time opens the connection to the Access database.
After the operation interface appears, the executable to be monitored is opened.
Clicking "Start appraisal" opens this executable file. During this process the driver has started monitoring the various behaviors of the executable and dynamically sends the monitored behavior to the control layer; the control layer sends it to the interface in the form of messages, and the interface receives and displays it.
After clicking "Stop appraisal", driver monitoring stops. All behaviors monitored during this process are saved and can be recorded in the database when a log is generated.
"Generate log": produces a record in txt format and at the same time records it in the database for analysis.
"Generate report": generates an html file named after the system time under the doc directory and opens it automatically, displaying the optimized records and analyzing the more suspicious behaviors for reference.
"Add rule": lets the user add behaviors that are allowed to pass, and also delete some outdated behaviors.
5. Application of the genetic algorithm
This system uses a genetic algorithm to generate rules automatically. The algorithm takes as its model the evolution of biological species, by means of biological genetic operations such as selection, crossover and mutation.
General steps of the genetic algorithm: first a population is randomly initialized; then a fitness function computes the fitness of each individual in the population; afterwards, according to the formulated rules, it is determined whether an individual meets the optimality criterion. If it does, the algorithm stops and the current population contains the optimal individual.
If the criterion is not met, the algorithm selects the individuals with high fitness and applies biological genetic operations to the individuals of the population, such as selection, crossover and mutation; the purpose of the genetic operations is to evolve a better offspring population. The evolved offspring population is then judged again against the optimality criterion using the existing rules, and a new generation is evolved in turn.
Through the genetic algorithm, behaviors that were judged dangerous in past monitoring are added to the rule file automatically and serve as the basis for judgment. At the same time, based on past experience, certain behavior sequences or collections of behaviors can be defined as risky operations.
In this program, if a behavior of the analyzed software is present in the white list, the behavior is considered safe; otherwise it is considered dangerous. Borrowing the idea of the genetic algorithm, control of the white list is given to the user, who adds entries to it; as the user continually enriches the white list, the recognition capability of the software becomes more complete. The white list improves gradually as the number of samples grows: put plainly, the more white list entries the user adds, the richer the white list and the more complete the software's behavior recognition.
The general structure of the genetic-algorithm-based system abnormal behavior analysis program is as follows:
1. quantify the abnormal behavior rules and design how the algorithm is adjusted over time;
2. encode the rule records: genes are represented by a data structure, and a chromosome represents the storage space of a behavior rule;
3. design the reproduction, crossover and mutation operators;
4. design the fitness function and the cost function;
5. process the rule storage records (e.g. setting the white list, adding to the black list, and automatically identifying behaviors that are on the black or white list).
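The Step 3 decision and the genetic-algorithm rule generation of this section, worked through as an added example (this is not the patent's code): captured behaviours in the patent's five categories are compared against a white list library, and a genetic algorithm with tournament selection, single-point crossover, bit-flip mutation and a fitness/cost function evolves the dangerous behaviour library from past analysis results, stopping when the optimality criterion (every past result reproduced, no redundant rule) is met. The (category, operation) encoding, the behaviour records, the white list and the past labels are all constructed assumptions; the patent specifies none of them.

```python
import random
# Constructed behaviours in the patent's five categories, encoded as (category, operation).
T_CREATE = ("thread", "create")
R_READ = ("registry", "read:HKCU\\Software\\App")
F_READ = ("file", "read:own_dir")
N_HTTPS = ("network", "connect:443")
F_WRITE_OWN = ("file", "write:own_dir")
N_DNS = ("network", "dns_query")
F_LOG = ("file", "delete:own_log")
R_RUN = ("registry", "write:HKLM\\...\\CurrentVersion\\Run")
F_SYS32 = ("file", "write:System32")
D_LOAD = ("driver", "load:unsigned")
T_REMOTE = ("thread", "create_remote")
F_STARTUP = ("file", "write:Startup")
WHITE_LIST = {T_CREATE, R_READ, F_READ, N_HTTPS}  # user-maintained white list library (constructed)

# Past monitoring results as (captured behaviours, judged dangerous); constructed labels.
HISTORY = [
    (frozenset({T_CREATE, R_READ, F_WRITE_OWN}), False),
    (frozenset({T_CREATE, N_HTTPS, N_DNS}), False),
    (frozenset({R_READ, F_READ, F_LOG}), False),
    (frozenset({T_CREATE, R_RUN, F_WRITE_OWN}), True),
    (frozenset({F_READ, F_SYS32, N_HTTPS}), True),
    (frozenset({D_LOAD, T_CREATE, N_DNS}), True),
    (frozenset({T_REMOTE, N_HTTPS}), True),
    (frozenset({F_STARTUP, F_LOG}), True),
    (frozenset({R_RUN, T_REMOTE}), True),
]
# Candidate rules: every captured behaviour not on the white list; one gene per entry.
CATALOGUE = sorted({b for trace, _ in HISTORY for b in trace} - WHITE_LIST)

def classify(trace, rules):
    """Step 3 decision: white-listed behaviour is safe; any other behaviour matching a rule is dangerous."""
    return any(b not in WHITE_LIST and b in rules for b in trace)

def decode(chromosome):
    return {b for bit, b in zip(chromosome, CATALOGUE) if bit}  # set bits are the rule set

def fitness(chromosome):
    """Share of past results reproduced minus a small cost per rule (compact rule sets win)."""
    rules = decode(chromosome)
    correct = sum(classify(t, rules) == label for t, label in HISTORY)
    return correct / len(HISTORY) - 0.01 * len(rules)

def is_optimal(chromosome):
    """Optimality criterion: every past result reproduced and no rule is redundant."""
    rules = decode(chromosome)
    if any(classify(t, rules) != label for t, label in HISTORY):
        return False
    return all(any(classify(t, rules - {r}) != lab for t, lab in HISTORY) for r in rules)

def evolve(pop_size=30, generations=200, seed=1, cx_rate=0.8):
    """Selection, crossover and mutation until the criterion is met; returns (rules, generations used)."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    n = len(CATALOGUE)
    population = [[rng.randint(0, 1) for _ in range(n)] for _ in range(pop_size)]
    for gen in range(generations):
        population.sort(key=fitness, reverse=True)
        best = population[0]
        if is_optimal(best):
            return decode(best), gen
        next_gen = [best[:]]  # elitism: the fittest individual always survives
        while len(next_gen) < pop_size:
            p1, p2 = (max(rng.sample(population, 3), key=fitness) for _ in range(2))  # tournament
            cut = rng.randrange(1, n) if rng.random() < cx_rate else n  # single-point crossover
            child = [g ^ (rng.random() < 1.0 / n) for g in p1[:cut] + p2[cut:]]  # bit-flip mutation
            next_gen.append(child)
        population = next_gen
    return decode(max(population, key=fitness)), generations  # budget exhausted: best so far

if __name__ == "__main__":
    learned, used = evolve()
    print(f"{len(learned)} dangerous-behaviour rules learned in {used} generations:", sorted(learned))
```

The learned rule set becomes the dangerous behaviour library against which new captured traces are classified, while anything the user places on the white list is never flagged regardless of the rules.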
Although specific embodiments of the present invention have been described above, those skilled in the art should understand that the described embodiments are illustrative and do not limit the scope of the present invention; equivalent modifications and changes made by those of ordinary skill in the art according to the spirit of the present invention fall within the scope protected by the claims of the present invention.

Claims (5)

1. A Windows system-based software program abnormal behavior analysis method, characterized in that it comprises the following steps:
Step 1: the user selects a software program, and the software behavior information of that program is captured;
Step 2: a white list library, a black list library and a dangerous behavior library are established;
Step 3: the captured software behavior information is analyzed by a genetic algorithm according to the white list library, the black list library and the dangerous behavior library, obtaining an analysis result;
Step 4: the analysis result is displayed.
2. The Windows system-based software program abnormal behavior analysis method according to claim 1, characterized in that step 1 is specifically: the user selects a software program, a hook program is established in the Windows system, and the software behavior information of that program is captured by the hook program.
3. The Windows system-based software program abnormal behavior analysis method according to claim 1, characterized in that in step 1, the captured software behavior information is stored.
4. The Windows system-based software program abnormal behavior analysis method according to claim 1 or 3, characterized in that the software behavior information comprises process and thread behavior, registry behavior, file behavior, network behavior and driver behavior.
5. The Windows system-based software program abnormal behavior analysis method according to claim 1, characterized in that step 4 is specifically: the analysis result is displayed, and the analysis result is stored in the corresponding library.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510340007.2A (CN104966018A, en) | 2015-06-18 | 2015-06-18 | Windows system-based software program abnormal behavior analysis method

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201510340007.2A (CN104966018A, en) | 2015-06-18 | 2015-06-18 | Windows system-based software program abnormal behavior analysis method

Publications (1)

Publication Number | Publication Date
CN104966018A (en) | 2015-10-07

Family

ID=54220056

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201510340007.2A (CN104966018A, en), pending | Windows system-based software program abnormal behavior analysis method | 2015-06-18 | 2015-06-18

Country Status (1)

Country | Link
CN (1) | CN104966018A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020215567A1 (en) * 2019-04-26 2020-10-29 平安科技(深圳)有限公司 Global hook automatic repair method, apparatus, device, and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101183414A (en) * 2007-12-07 2008-05-21 白杰 Program detection method, device and program analyzing method
CN101373501A (en) * 2008-05-12 2009-02-25 公安部第三研究所 Method for capturing dynamic behavior aiming at computer virus
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN103106366A (en) * 2010-08-18 2013-05-15 北京奇虎科技有限公司 Dynamic maintenance method of sample database based on cloud
CN103500305A (en) * 2013-09-04 2014-01-08 中国航天科工集团第二研究院七〇六所 System and method for malicious code analysis based on cloud computing
CN103942493A (en) * 2014-03-28 2014-07-23 北京工业大学 Intelligent active defensive system and method under Window

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王成: "《信息对抗理论与技术》", 31 January 2011 *

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 20151007