Summary of the invention
In view of this, the present invention provides a behavior-based service identification method, apparatus, device and readable storage medium. Its main purpose is to solve the problem that attackers can currently easily use service behaviors to perform malicious operations on the operating system and thereby cause great damage to it, leaving the operating system poorly secured.
According to a first aspect of the present invention, a behavior-based service identification method is provided, the method comprising:
when a pending service behavior is received, determining the permission set and process set of the target behavior subject that requests execution of the pending service behavior, wherein the permission set includes at least one service behavior that the target behavior subject is allowed to execute, and the process set includes the process by which the target behavior subject executes service behaviors;
if the at least one service behavior of the permission set does not include the pending service behavior, determining the behavior process of the pending service behavior;
if the behavior process of the pending service behavior is consistent with the process shown in the process set, allowing the pending service behavior to be executed.
In another embodiment, before determining, when a pending service behavior is received, the permission set and process set of the target behavior subject that requests execution of the pending service behavior, the method comprises:
starting the target behavior subject and monitoring its service behaviors to obtain the at least one service behavior;
generating the permission set including the at least one service behavior, extracting the subject identifier of the target behavior subject, and storing the subject identifier in correspondence with the permission set;
monitoring the process by which the target behavior subject executes service behaviors, and collecting the running state and running environment of the target behavior subject;
arranging the running state and the running environment in chronological order to generate the process of the target behavior subject, taking the process as the process set, and storing the process set in correspondence with the subject identifier.
In another embodiment, starting the target behavior subject and monitoring its service behaviors to obtain the at least one service behavior comprises:
receiving a start instruction, and determining the target behavior subject according to the to-be-started subject identifier carried in the start instruction;
starting the target behavior subject and starting a behavior capture program, the behavior capture program being at least a Hook program;
monitoring, based on the behavior capture program, the service behaviors of the target behavior subject after it starts, to obtain the at least one service behavior of the target behavior subject.
In another embodiment, determining, when a pending service behavior is received, the permission set and process set of the target behavior subject that requests execution of the pending service behavior comprises:
when the pending service behavior is received, taking the behavior subject that requests execution of the pending service behavior as the target behavior subject;
obtaining the subject identifier of the target behavior subject, and determining the permission set and process set indicated by the subject identifier.
In another embodiment, after determining, when a pending service behavior is received, the permission set and process set of the target behavior subject that requests execution of the pending service behavior, the method comprises:
if the at least one service behavior of the permission set includes the pending service behavior, allowing the pending service behavior to be executed.
In another embodiment, the method further comprises:
if the behavior process of the pending service behavior is inconsistent with the process shown in the process set, forbidding execution of the pending service behavior.
According to a second aspect of the present invention, a behavior-based service identification apparatus is provided, the apparatus comprising:
a first determining module, configured to determine, when a pending service behavior is received, the permission set and process set of the target behavior subject that requests execution of the pending service behavior, wherein the permission set includes at least one service behavior that the target behavior subject is allowed to execute, and the process set includes the process by which the target behavior subject executes service behaviors;
a second determining module, configured to determine the behavior process of the pending service behavior if the at least one service behavior of the permission set does not include the pending service behavior;
an execution module, configured to allow the pending service behavior to be executed if the behavior process of the pending service behavior is consistent with the process shown in the process set.
In another embodiment, the apparatus further comprises:
a monitoring module, configured to start the target behavior subject and monitor its service behaviors to obtain the at least one service behavior;
a generation module, configured to generate the permission set including the at least one service behavior, extract the subject identifier of the target behavior subject, and store the subject identifier in correspondence with the permission set;
an acquisition module, configured to monitor the process by which the target behavior subject executes service behaviors, and collect the running state and running environment of the target behavior subject;
a storage module, configured to arrange the running state and the running environment in chronological order to generate the process of the target behavior subject, take the process as the process set, and store the process set in correspondence with the subject identifier.
In another embodiment, the monitoring module comprises:
a determining submodule, configured to receive a start instruction and determine the target behavior subject according to the to-be-started subject identifier carried in the start instruction;
a starting submodule, configured to start the target behavior subject and start a behavior capture program, the behavior capture program being at least a Hook program;
a monitoring submodule, configured to monitor, based on the behavior capture program, the service behaviors of the target behavior subject after it starts, to obtain the at least one service behavior of the target behavior subject.
In another embodiment, the first determining module comprises:
a first determining submodule, configured to take, when the pending service behavior is received, the behavior subject that requests execution of the pending service behavior as the target behavior subject;
a second determining submodule, configured to obtain the subject identifier of the target behavior subject and determine the permission set and process set indicated by the subject identifier.
In another embodiment, the execution module is further configured to allow the pending service behavior to be executed if the at least one service behavior of the permission set includes the pending service behavior.
In another embodiment, the apparatus further comprises:
a prohibition module, configured to forbid execution of the pending service behavior if the behavior process of the pending service behavior is inconsistent with the process shown in the process set.
According to a third aspect of the present invention, a device is provided, including a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of the first aspect when executing the computer program.
According to a fourth aspect of the present invention, a readable storage medium is provided, on which a computer program is stored, wherein the computer program implements the steps of the method of the first aspect when executed by a processor.
With the above technical solution, the behavior-based service identification method, apparatus, device and readable storage medium provided by the present invention differ from the current approach of identifying service behaviors with a whitelist feature library. When a pending service behavior is received, the present invention determines the permission set and process set of the target behavior subject that requests execution of the pending service behavior; if the at least one service behavior of the permission set does not include the pending service behavior, it determines the behavior process of the pending service behavior; and if that behavior process is consistent with the process shown in the process set, it allows the pending service behavior to be executed. The service behaviors of a behavior subject are thus restricted by its permission set and process set, so that an attacker's malicious behavior is easily identified, the attacker's malicious operations are prevented from causing great damage to the operating system, and the operating system is better secured.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the contents of the specification, and so that the above and other objects, features and advantages of the present invention are more apparent, specific embodiments of the present invention are set out below.
Specific embodiment
Exemplary embodiments of the present invention are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present invention, it should be understood that the present invention may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention can be understood thoroughly and its scope can be fully conveyed to those skilled in the art.
An embodiment of the present invention provides a behavior-based service identification method. When a pending service behavior is received, the method determines the permission set and process set of the target behavior subject that requests execution of the pending service behavior; if the at least one service behavior of the permission set does not include the pending service behavior, it determines the behavior process of the pending service behavior; and if that behavior process is consistent with the process shown in the process set, it allows the pending service behavior to be executed. The service behaviors of a behavior subject are thus restricted by its permission set and process set, so that an attacker's malicious behavior is easily identified, the attacker's malicious operations are prevented from causing great damage to the operating system, and the operating system is better secured. As shown in Fig. 1, the method comprises:
101. When a pending service behavior is received, determine the permission set and process set of the target behavior subject that requests execution of the pending service behavior, wherein the permission set includes at least one service behavior that the target behavior subject is allowed to execute, and the process set includes the process by which the target behavior subject executes service behaviors.
In this embodiment, when a pending service behavior is received, since every service behavior is requested by a behavior subject, the behavior subject that issued the pending service behavior can be determined and taken as the target behavior subject. Moreover, for each behavior subject the operating system holds a corresponding permission set, containing at least one service behavior that the behavior subject is allowed to execute, and a process set. Therefore, once the target behavior subject has been determined, its permission set and process set can be obtained, so that the pending service behavior of the target behavior subject can subsequently be identified based on them and it can be determined whether the target behavior subject may execute the pending service behavior.
102. If the at least one service behavior of the permission set does not include the pending service behavior, determine the behavior process of the pending service behavior.
In this embodiment, after the permission set of the target behavior subject has been determined, since the permission set includes at least one service behavior that is allowed to be executed, the pending service behavior can be compared with the at least one service behavior. Querying whether the permission set includes the pending service behavior determines whether the pending service behavior can be executed.
103. If the behavior process of the pending service behavior is consistent with the process shown in the process set, allow the pending service behavior to be executed.
In this embodiment, if the permission set does not include the pending service behavior, the pending service behavior is not within the range defined by the permission set. To avoid intercepting normal service behaviors because the range covered by the permission set is not broad enough, once it has been determined that the pending service behavior does not belong to the permission set, the behavior process of the pending service behavior is obtained. When that behavior process is consistent with the process shown in the process set, the pending service behavior is determined to be a normal behavior of the target behavior subject and is allowed to be executed.
With the method provided by this embodiment, when a pending service behavior is received, the permission set and process set of the target behavior subject that requests execution of the pending service behavior are determined; if the at least one service behavior of the permission set does not include the pending service behavior, the behavior process of the pending service behavior is determined; and if that behavior process is consistent with the process shown in the process set, the pending service behavior is allowed to be executed. The service behaviors of a behavior subject are thus restricted by its permission set and process set, so that an attacker's malicious behavior is easily identified, the attacker's malicious operations are prevented from causing great damage to the operating system, and the operating system is better secured.
An embodiment of the present invention provides a behavior-based service identification method. When a pending service behavior is received, the method determines the permission set and process set of the target behavior subject that requests execution of the pending service behavior; if the at least one service behavior of the permission set does not include the pending service behavior, it determines the behavior process of the pending service behavior; and if that behavior process is consistent with the process shown in the process set, it allows the pending service behavior to be executed. The service behaviors of a behavior subject are thus restricted by its permission set and process set, so that an attacker's malicious behavior is easily identified, the attacker's malicious operations are prevented from causing great damage to the operating system, and the operating system is better secured. As shown in Fig. 2A, the method comprises:
201. Receive a start instruction, and determine the target behavior subject according to the to-be-started subject identifier carried in the start instruction.
The inventors recognized that the behavior actions a behavior subject performs after starting are usually fixed; that is, the behavior actions it relies on when providing services to users are fixed, and in normal operation a behavior subject does not request behavior actions it has never executed before. Therefore, in order to limit the behavior actions of behavior subjects, prevent them from executing behavior actions they should not execute, and identify an attacker's malicious behavior, this embodiment sets a permission set and process set for each behavior subject, uses them to specify the behavior actions the behavior subject may execute, and thereby constrains its operation. It should be noted that, because a system contains many behavior subjects, permission sets and process sets cannot be set for all of them at the same time. Therefore, in this embodiment, a general "least privilege set" covering all behavior subjects can also be set, and behavior subjects for which no permission set and process set have been set are identified based on this "least privilege set".
Because the permission set and process set are generated from the behavior operations a behavior subject executes while actually running, those behavior operations need to be collected. Considering that many behavior subjects reside in the operating system, and in order to make clear for which behavior subject the behavior library is being generated, the program start instruction needs to carry a to-be-started subject identifier. When the program start instruction is received, the to-be-started subject identifier is first extracted from it; the behavior subject indicated by that identifier is then looked up in the operating system and taken as the target behavior subject, so that a permission set and process set can subsequently be generated for it. It should be noted that, in order to give every behavior subject in the operating system its own permission set and process set, any behavior subject that does not yet have a corresponding permission set and process set can serve as the target behavior subject. Specifically, the to-be-started subject identifier may be the program name or program number of the target program, among others; this embodiment does not specifically limit its content.
202. Start the target behavior subject and start a behavior capture program, the behavior capture program being at least a Hook program; based on the behavior capture program, monitor the service behaviors of the target behavior subject after it starts.
In this embodiment, after the target behavior subject has been determined, it can be started in order to obtain at least one of its service behaviors, from which a permission set is then generated for the target program. The service behaviors of the target behavior subject can be collected by a behavior capture program. The behavior capture program is therefore started after the target behavior subject is started, so that it monitors and collects all service behaviors of the target behavior subject after startup; the behavior capture program may specifically be a Hook program. In practice, so that the number of collected service behaviors is representative without being so large that it overloads the operating system, a collection period can be set: only the service behaviors the target behavior subject executes within the collection period are collected, and the permission set for the target behavior subject is subsequently generated from them. For example, the collection period may be 7 days, in which case service behaviors are collected over those 7 days.
203. Generate the permission set including the at least one service behavior, extract the subject identifier of the target behavior subject, and store the subject identifier in correspondence with the permission set.
In this embodiment, after at least one service behavior of the target behavior subject has been collected, the at least one service behavior can be stored to generate the permission set. When generating the permission set, in order to keep the format of every behavior subject's permission set consistent and make the permission sets easy to manage, a default template can be set and the at least one service behavior arranged according to it, producing a permission set that includes the at least one service behavior and whose format meets the requirements of the default template.
Because every behavior subject in the operating system has its own permission set, generating them produces a large number of permission sets. To manage the permission sets and keep the correspondence between behavior subjects and permission sets from being confused, which would cause errors in the subsequent identification of service behaviors, the subject identifier of the target behavior subject can be extracted after the permission set is generated and stored in correspondence with the permission set, so that the correspondence between each behavior subject and its permission set remains clear. In practice, after the permission set is generated, it can also be tagged with the subject identifier, which likewise ties the target behavior subject and the permission set to each other.
204. Monitor the process by which the target behavior subject executes service behaviors, collect the running state and running environment of the target behavior subject, arrange the running state and running environment in chronological order to generate the process of the target behavior subject, take the process as the process set, and store the process set in correspondence with the subject identifier.
In this embodiment, when a behavior subject executes service behaviors in the system, executing a legal service behavior corresponds to a legal process, while executing an illegal service behavior has a distinctly different, illegal process. A process set can therefore be generated for the target behavior subject, so that the process by which the target behavior subject executes a service behavior can subsequently be identified against the process set to determine whether that process is legal. For example, spoolsv.exe (the print spooler program) is the service process of Print Spooler (the print service); it manages all local and network print queues and controls all print jobs. spoolsv.exe has no reason to start a shell, and indeed should not have the ability to start any program at all. Therefore, as soon as the process of spoolsv.exe involves starting a program, that process is illegal.
When setting the process set for the target behavior subject, the process by which the target behavior subject executes service behaviors is first monitored and the running state and running environment of the target behavior subject are collected; the running state and running environment are then arranged in chronological order to generate the process of the target behavior subject, the process is taken as the process set, and the process set is stored in correspondence with the subject identifier.
By executing steps 201 to 204 above, a permission set and process set tied to the service behaviors the target behavior subject actually executes can be generated for it. It should be noted that operating systems are updated, and the service behaviors each behavior subject can execute in the updated operating system may change; for example, a behavior subject may gain some new service behaviors it can execute. Therefore, to ensure that the permission set and process set of a behavior subject fit its current needs, an update period can be set in the operating system. Once every update period, the processes in steps 201 to 203 above are repeated to regenerate the permission set and process set for each behavior subject, and the newly generated permission set and process set replace the previous ones, so that the behavior subject continues to run normally.
After the permission set and process set of the target behavior subject have been generated, when the target behavior subject subsequently requests execution, its behavior actions can be identified based on the permission set and process set to determine whether they are allowed to be executed. Referring to Fig. 2B, the method comprises:
205. When a pending service behavior is received, determine the permission set and process set of the target behavior subject that requests execution of the pending service behavior.
In this embodiment, when a pending service behavior is received, since a pending service behavior is usually requested by a behavior subject, the object that requests execution of the pending service behavior is determined and taken as the target behavior subject; that is, the behavior subject requesting execution of the pending service behavior is taken as the target behavior subject. Because the operating system stores permission sets and process sets by subject identifier, each subject identifier corresponds to one permission set and process set, so the permission set and process set can be looked up by subject identifier. Therefore, after the target behavior subject has been determined, its subject identifier is extracted and the permission set and process set indicated by that identifier are determined.
It should be noted that if obtaining the permission set and process set of the target behavior subject of the pending service behavior fails, this indicates that a permission set and process set may not yet have been set for the target behavior subject. In that case the "least privilege set" can be obtained, and the pending service behavior is subsequently identified based on the "least privilege set".
206. Compare the pending service behavior with the permission set and look up whether the permission set includes the pending service behavior; if the permission set does not include the pending service behavior, execute step 207 below; if the permission set includes the pending service behavior, execute step 208 below.
In this embodiment, after the permission set of the target behavior subject has been determined, since that permission set specifies the service behaviors the target behavior subject can execute, any service behavior outside the permission set, that is, any service behavior the permission set does not cover, is one the target behavior subject is not allowed to execute. The pending service behavior is therefore compared with the at least one service behavior in the permission set to determine whether it is allowed to be executed. Specifically, to compare the pending service behavior with the at least one service behavior and look up whether the permission set includes it, the pending behavior identifier of the pending service behavior is first extracted, along with the at least one service behavior identifier of the at least one service behavior. The pending behavior identifier is then compared with the at least one service behavior identifier to find out whether any of them is identical to the pending behavior identifier, which accomplishes the identification of the pending service behavior.
If the permission set does not include the pending service behavior, the pending service behavior may not be allowed to be executed, and a further judgment based on the process set is needed to avoid a misjudgment caused by the permission set simply not containing that service behavior; steps 207 to 209 below are therefore executed. If the permission set includes the pending service behavior, the pending service behavior is one the target behavior subject can execute: the target behavior subject is allowed to execute it, it is not an unauthorized operation, and it meets the requirements the permission set places on the target behavior subject; that is, step 210 below is executed.
207. If the permission set does not include the pending service behavior, determine the behavior process of the pending service behavior; if the behavior process of the pending service behavior is consistent with the process shown in the process set, execute step 208 below; if the behavior process of the pending service behavior is inconsistent with the process shown in the process set, execute step 209 below.
208. If the behavior process of the pending service behavior is consistent with the process shown in the process set, allow the pending service behavior to be executed.
In this embodiment, if the behavior process of the pending service behavior is consistent with the process shown in the process set, the behavior process satisfies the restriction of the process set, and the target behavior subject's execution of the pending service behavior is not an unauthorized behavior. The target behavior subject is therefore allowed to execute the pending service behavior.
209. If the behavior process of the pending service behavior is inconsistent with the process shown in the process set, forbid execution of the pending service behavior.
In this embodiment, if the behavior process of the pending service behavior is inconsistent with the process shown in the process set, the behavior process does not satisfy the restriction of the process set, and the target behavior subject's request to execute the pending service behavior is an unauthorized behavior that the target behavior subject is not allowed to carry out. The target behavior subject is therefore forbidden to execute the pending service behavior.
210. If the permission set includes the pending service behavior, allow the target behavior subject to execute the pending service behavior.
In this embodiment, if the permission set includes the pending service behavior, the pending service behavior is within the range specified by the permission set, and the target behavior subject's execution of it is not an unauthorized behavior. The target behavior subject is therefore allowed to execute the pending service behavior.
In the method provided in this embodiment of the present invention, when a pending service behavior is
received, the authority set and process collection of the goal behavior main body that requests
execution of the pending service behavior are determined; if the at least one service behavior of the
authority set does not include the pending service behavior, the behavior process of the pending
service behavior is determined; and if the behavior process of the pending service behavior is
consistent with the process shown in the process collection, the pending service behavior is allowed
to execute. The service behavior of the behavior main body is thereby restricted by the authority set
and the process collection, so that malicious behavior of an attacker is easily identified, malicious
operations of the attacker are prevented from causing significant damage to the operating system, and
the security of the operating system is better.
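The decision flow of steps 208 to 210, together with the earlier learning steps that build the authority set and process collection, can be sketched as follows. This is an added example, not code from the patent: the function names, the sample identifiers and the choice to fail closed for an unknown main body are assumptions, and "consistent" is assumed to mean an exact match of the time-ordered (operating status, running environment) sequence.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    authority_set: set = field(default_factory=set)       # behaviors observed during monitoring
    process_collection: set = field(default_factory=set)  # observed processes (ordered step tuples)

def build_process(events):
    """Arrange (timestamp, operating_status, running_environment) records in time order."""
    return tuple((status, env) for _, status, env in sorted(events, key=lambda e: e[0]))

def learn(profiles, subject_id, behavior, events):
    """Learning phase: store a monitored behavior and its process under the main body identifier."""
    profile = profiles.setdefault(subject_id, Profile())
    profile.authority_set.add(behavior)
    profile.process_collection.add(build_process(events))

def decide(profiles, subject_id, behavior, events):
    """Return (verdict, reason) for a pending service behavior."""
    profile = profiles.get(subject_id)
    if profile is None:
        return ("forbid", "no profile")  # assumption: fail closed, not stated on the page
    if behavior in profile.authority_set:
        return ("allow", "step 210: in authority set")
    # Assumption: consistency means the ordered sequence matches a learned process exactly.
    if build_process(events) in profile.process_collection:
        return ("allow", "step 208: process consistent")
    return ("forbid", "step 209: process inconsistent")

def demo():
    profiles = {}
    # Constructed sample data; the records are deliberately out of time order.
    normal = [(2, "reading", "user_session"), (1, "started", "user_session"),
              (3, "idle", "user_session")]
    learn(profiles, "svc-backup", "read_config", normal)
    deviating = [(1, "started", "user_session"), (2, "injected", "system_session")]
    return [
        decide(profiles, "svc-backup", "read_config", deviating),
        decide(profiles, "svc-backup", "write_log", normal),
        decide(profiles, "svc-backup", "create_service", deviating),
        decide(profiles, "svc-unknown", "read_config", normal),
    ]

if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, "-", reason)
```

The first demo case shows a property of the flow as described: a behavior already in the authority set is allowed under step 210 without its behavior process being compared against the process collection.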
Further, as a specific implementation of the method of Fig. 1, an embodiment of the present invention
provides a behavior-based service identification device. As shown in Figure 3A, the device includes:
a first determining module 301, a second determining module 302 and an execution module 303.
The first determining module 301 is configured to, when a pending service behavior is received,
determine the authority set and process collection of the goal behavior main body that requests
execution of the pending service behavior, where the authority set includes at least one service
behavior that the goal behavior main body is allowed to execute, and the process collection includes
the process by which the goal behavior main body executes service behaviors;
The second determining module 302 is configured to determine the behavior process of the pending
service behavior if the at least one service behavior of the authority set does not include the
pending service behavior;
The execution module 303 is configured to allow the pending service behavior to execute if the
behavior process of the pending service behavior is consistent with the process shown in the process
collection.
In a specific application scenario, as shown in Figure 3B, the device further includes a monitoring
module 304, a generation module 305, an acquisition module 306 and a memory module 307.
The monitoring module 304 is configured to start the goal behavior main body and monitor the service
behavior of the goal behavior main body to obtain at least one service behavior;
The generation module 305 is configured to generate the authority set including the at least one
service behavior, extract the main body identifier of the goal behavior main body, and store the main
body identifier in correspondence with the authority set;
The acquisition module 306 is configured to monitor the process by which the goal behavior main body
executes service behaviors, and to collect the operating status and running environment of the goal
behavior main body;
The memory module 307 is configured to arrange the operating status and running environment in
chronological order to generate the process of the goal behavior main body, take the process as the
process collection, and store the process collection in correspondence with the main body identifier.
In a specific application scenario, as shown in Figure 3C, the monitoring module 304 includes a
determination submodule 3041, a start submodule 3042 and a monitoring submodule 3043.
The determination submodule 3041 is configured to receive a start instruction and determine the goal
behavior main body according to the identifier of the main body to be started that the start
instruction carries;
The start submodule 3042 is configured to start the goal behavior main body and to start a behavior
capture program, the behavior capture program being at least a hook (Hook) program;
The monitoring submodule 3043 is configured to monitor, based on the behavior capture program, the
service behavior of the goal behavior main body after it is started, and obtain the at least one
service behavior of the goal behavior main body.
In a specific application scenario, as shown in Figure 3D, the first determining module 301 includes a
first determining submodule 3011 and a second determining submodule 3012.
The first determining submodule 3011 is configured to, when a pending service behavior is received,
take the behavior main body that requests execution of the pending service behavior as the goal
behavior main body;
The second determining submodule 3012 is configured to obtain the main body identifier of the goal
behavior main body and determine the authority set and process collection indicated by the main body
identifier.
In a specific application scenario, the execution module 303 is further configured to allow the
pending service behavior to execute if the at least one service behavior of the authority set
includes the pending service behavior.
In a specific application scenario, as shown in Figure 3E, the device further includes a disabled
module 308.
The disabled module 308 is configured to forbid execution of the pending service behavior if the
behavior process of the pending service behavior is inconsistent with the process shown in the
process collection.
The device provided in this embodiment of the present invention can, when a pending service behavior
is received, determine the authority set and process collection of the goal behavior main body that
requests execution of the pending service behavior; if the at least one service behavior of the
authority set does not include the pending service behavior, determine the behavior process of the
pending service behavior; and if the behavior process of the pending service behavior is consistent
with the process shown in the process collection, allow the pending service behavior to execute. The
service behavior of the behavior main body is thereby restricted by the authority set and the process
collection, so that malicious behavior of an attacker is easily identified, malicious operations of
the attacker are prevented from causing significant damage to the operating system, and the security
of the operating system is better.
It should be noted that, for other corresponding descriptions of the functional units involved in the
behavior-based service identification device provided in this embodiment of the present invention,
reference may be made to the corresponding descriptions of Fig. 1 and Fig. 2A to Fig. 2B; details are
not repeated here.
In an exemplary embodiment, referring to Fig. 4, a device is also provided. The device includes a
communication bus, a processor, a memory and a communication interface, and may also include an
input/output interface and a display device, where the functional units can communicate with one
another over the bus. The memory stores a computer program, and the processor is configured to
execute the program stored in the memory to perform the ... method in the above embodiment.
A readable storage medium is also provided, on which a computer program is stored; when the computer
program is executed by a processor, the steps of the behavior-based service identification method are
implemented.
From the above description of the embodiments, those skilled in the art can clearly understand that
the application can be implemented in hardware, or in software plus a necessary general-purpose
hardware platform. Based on this understanding, the technical solution of the application can be
embodied in the form of a software product. The software product can be stored in a non-volatile
storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and includes
instructions that cause a computer device (which may be a personal computer, a server, a network
device, etc.) to execute the method described in each implementation scenario of the application.
Those skilled in the art will appreciate that the accompanying drawings are only schematic diagrams
of a preferred implementation scenario, and that the modules or processes in the drawings are not
necessarily required to implement the application.
Those skilled in the art will appreciate that the modules of the device in an implementation scenario
may be distributed in the device as described for that implementation scenario, or may be changed
accordingly and located in one or more devices different from this implementation scenario. The
modules of the above implementation scenario may be merged into one module or further split into
multiple submodules.
The above serial numbers of the application are for description only and do not represent the
superiority or inferiority of the implementation scenarios.
What is disclosed above is only several specific implementation scenarios of the application; however,
the application is not limited to these, and any variation that a person skilled in the art can think
of shall fall within the protection scope of the application.