CN111241545A - Software processing method, system, device and medium - Google Patents


Info

Publication number
CN111241545A
Authority
CN
China
Prior art keywords
software
information
behaviors
management platform
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202010026173.6A
Other languages
Chinese (zh)
Inventor
韩春超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202010026173.6A
Publication of CN111241545A
Legal status: Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a software processing method, which comprises the following steps: acquiring information of a plurality of behaviors generated when software runs; matching the information of the behaviors with the information of the behaviors in an abnormal behavior library; in response to some of the acquired behaviors matching behaviors in the abnormal behavior library, recording the information of those behaviors into a behavior record table; returning the behavior record table to a management platform; and processing the software according to the instruction sent by the management platform. The invention also discloses a system, a computer device and a readable storage medium. The scheme provided by the invention compares the behavior information acquired while the software runs with the behavior information in the abnormal behavior library, so as to record the abnormal behavior information generated during the software run and thereby determine whether to prohibit the software from running.

Description

Software processing method, system, device and medium
Technical Field
The invention relates to the field of software detection, in particular to a software processing method, a system, equipment and a storage medium.
Background
In the prior art, malware is usually handled only after a new virus has already spread: an anti-virus software vendor detects that new malware has appeared, analyzes it, and merges it into a malware library; the user then updates the malware virus library, and when software detected on the user's end matches software in the malware virus library, the software is determined to be malware and a protection strategy is applied.
In this mode, which depends on the malware virus library, the library grows ever larger because viruses continuously evolve and change. It is also a post-hoc mode: it does not protect well against novel viruses.
Disclosure of Invention
In view of the above, in order to overcome at least one aspect of the above problems, an embodiment of the present invention provides a software processing method, including:
acquiring information of a plurality of behaviors generated when software runs;
matching the information of the behaviors with the information of the behaviors in an abnormal behavior library;
in response to some of the acquired behaviors matching behaviors in the abnormal behavior library, recording the information of those behaviors into a behavior record table;
returning the behavior record table to a management platform;
and processing the software according to the instruction sent by the management platform.
In some embodiments, acquiring information of a plurality of behaviors generated when the software runs further comprises:
acquiring a blacklist;
judging whether the software is in the blacklist or not;
obtaining information of the plurality of behaviors in response to the software not being in the blacklist.
In some embodiments, the method further comprises:
and ending the running of the software in response to the software being in the blacklist.
In some embodiments, acquiring information of a plurality of behaviors generated when the software runs further comprises:
acquiring a monitoring strategy issued by the management platform;
determining a plurality of objects to be monitored according to the monitoring strategy;
inserting hooks into a kernel layer and/or an application layer to return relevant information of the plurality of objects to be monitored when the software runs;
and determining information of a plurality of behaviors generated when the software runs according to the related information of the plurality of objects to be monitored.
In some embodiments, returning the behavior record table to the management platform further comprises:
determining a threat value according to the information of the behaviors in the behavior record table;
judging whether the threat value is larger than a threshold value;
and returning the behavior record table to the management platform in response to the threat value being greater than a threshold value.
In some embodiments, the processing of the software according to the instructions issued by the management platform further comprises:
in response to receiving an instruction to continue running sent by the management platform, continuing to run the software;
and in response to receiving an instruction to prohibit running sent by the management platform, closing the software.
In some embodiments, closing the software in response to receiving an instruction to prohibit running from the management platform further comprises:
adding the software into a blacklist;
determining the damage caused by the software by using the information of a plurality of behaviors in the behavior record table;
and executing the corresponding repair file according to the damage caused by the software.
Based on the same inventive concept, according to another aspect of the present invention, an embodiment of the present invention further provides a system for software processing, including:
the acquisition module is configured to acquire information of a plurality of behaviors generated when the software runs;
a matching module configured to match information of the plurality of behaviors with information of behaviors in an abnormal behavior library;
a recording module configured to record information of a number of behaviors to a behavior record table in response to the information of the number of behaviors matching the information of the behavior in the abnormal behavior library;
the sending module is configured to return the behavior record table to a management platform;
a processing module configured to process the software according to instructions issued by the management platform.
Based on the same inventive concept, according to another aspect of the present invention, an embodiment of the present invention further provides a computer apparatus, including:
at least one processor; and
a memory storing a computer program operable on the processor, wherein the processor executes the program to perform the steps of any of the software processing methods described above.
Based on the same inventive concept, according to another aspect of the present invention, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program, which, when executed by a processor, performs the steps of any one of the software processing methods described above.
The invention has one of the following beneficial technical effects: the scheme provided by the invention compares the acquired behavior information generated during the software running with the behavior information in the abnormal behavior library to record the abnormal behavior information generated during the software running, thereby determining whether to prohibit the software running.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained by using the drawings without creative efforts.
FIG. 1 is a flow chart illustrating a processing method of software according to an embodiment of the present invention;
FIG. 2 is a block diagram of a system for software processing according to an embodiment of the present invention;
FIG. 3 is a block diagram of a system for software processing according to another embodiment of the present invention;
FIG. 4 is a flow diagram of a data acquisition module according to another embodiment of the present invention;
FIG. 5 is a flow diagram of a behavior analysis module provided in accordance with another embodiment of the present invention;
FIG. 6 is a flow diagram of a response module provided in accordance with another embodiment of the present invention;
FIG. 7 is a flowchart of a policy issuing module of a management platform according to another embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a computer device provided in an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities with the same name but different parameters; "first" and "second" are merely for convenience of description and should not be construed as limitations of the embodiments of the present invention, and they are not described in any more detail in the following embodiments.
According to an aspect of the present invention, an embodiment of the present invention provides a processing method of software, which may include the following steps, as shown in fig. 1: S1, acquiring information of a plurality of behaviors generated when the software runs; S2, matching the information of the behaviors with the information of the behaviors in an abnormal behavior library; S3, in response to some of the acquired behaviors matching behaviors in the abnormal behavior library, recording the information of those behaviors into a behavior record table; S4, returning the behavior record table to a management platform; and S5, processing the software according to the instruction sent by the management platform.
The scheme provided by the invention compares the acquired behavior information generated during the software running with the behavior information in the abnormal behavior library to record the abnormal behavior information generated during the software running, thereby determining whether to prohibit the software running.
In some embodiments, step S1 (obtaining information of a plurality of behaviors generated when the software is running) further includes:
acquiring a blacklist;
judging whether the software is in the blacklist or not;
obtaining information of the plurality of behaviors in response to the software not being in the blacklist.
In some embodiments, the method further comprises:
and ending the running of the software in response to the software being in the blacklist.
Specifically, the blacklist is mainly used to improve monitoring efficiency: once a piece of software has been judged to be malware and placed on the blacklist, all virtual machines on the host machine can consult the blacklist, so the malware is defended against quickly. Therefore, when a virtual machine on the host machine runs the software, the blacklist is first consulted to judge whether the software is on it; if so, the software is directly prohibited from running, and if not, information of a plurality of behaviors generated while the software runs is acquired.
In some embodiments, the obtaining information of a plurality of behaviors generated when the software runs in step S1 further includes:
acquiring a monitoring strategy issued by the management platform;
determining a plurality of objects to be monitored according to the monitoring strategy;
inserting hooks into a kernel layer and/or an application layer to return relevant information of the plurality of objects to be monitored when the software runs;
and determining information of a plurality of behaviors generated when the software runs according to the related information of the plurality of objects to be monitored.
Specifically, a monitoring policy issued by the management platform, or a default monitoring policy, may be obtained first; the monitoring policy specifies which functions, files, registry entries, services, processes, and network activity need to be monitored at the kernel layer and the application layer. Hooks are then inserted into the kernel layer according to the monitoring policy. During a function call, a hook can capture the information of that execution, including the function name, parameters, return value, and related files, processes and network activity. In the same way, hooks inserted into the application layer according to the policy capture the information of application-layer system functions. Finally, the function, file, process, network and other information acquired from the application layer and the kernel layer is formatted, and steps S2-S5 are performed.
In some embodiments, in step S3, returning the behavior record table to the management platform may further include:
determining a threat value according to the information of the behaviors in the behavior record table;
judging whether the threat value is larger than a threshold value;
and returning the behavior record table to the management platform in response to the threat value being greater than a threshold value.
Specifically, the function information, files, processes, network activity and other information acquired by the hooks at the application layer and the kernel layer is matched against the information of the behaviors in the abnormal behavior library. The abnormal behavior library records the general malicious behaviors of malware; each recorded behavior consists of function information, files, processes, network activity and other information at the application layer or the kernel layer, and each behavior has a threat value. If information sent by the data acquisition module matches a behavior in the library, the corresponding threat value is added to the monitored process on the virtual machine, and once the threat value reaches the threshold, the behavior record table is returned to the management platform. That is, whenever a behavior in the abnormal behavior library is matched, the acquired information of that behavior is stored in a behavior record table. This table is distinct from the abnormal behavior library and is used only to record the information of abnormal behaviors on the virtual machine that matched some behavior in the abnormal behavior library. This information provides the management platform with the data to be displayed.
In some embodiments, in step S5, the processing the software according to the instruction issued by the management platform further includes:
in response to receiving an instruction to continue running sent by the management platform, continuing to run the software;
and in response to receiving an instruction to prohibit running sent by the management platform, closing the software.
In some embodiments, closing the software in response to receiving an instruction to prohibit running from the management platform further comprises:
adding the software into a blacklist;
determining the damage caused by the software by using the information of a plurality of behaviors in the behavior record table;
and executing the corresponding repair file according to the damage caused by the software.
Specifically, when the threat value accumulated from the behaviors recorded in the behavior record table is greater than the threshold, the record is uploaded to the management platform. After acquiring the behavior information of the software, the management platform can display it to a user or administrator for analysis of the software's behavior trace, and an operation strategy for the software is then formulated according to that trace: either the monitored software continues to run, or the software is prohibited and added to the blacklist. If the software is to be prohibited and added to the blacklist, the host machine is notified and updates its blacklist, and the virtual machines on all other host machines are notified through the host machine so that the same software running on virtual machines in other host machines receives the same treatment. At the same time, the damage caused by the malware is reversed by following the software's run trace backwards, and a repair script is generated and sent to the virtual machine that suffered the damage.
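The host-side part of the method (blacklist pre-check, matching hook records against an abnormal behavior library, per-process threat accumulation, returning the behavior record table once the threshold is exceeded, and acting on the platform's instruction) is shown below as an added worked example. It is not code from the patent or from its assignee; the library entries, threat values, threshold, record layout and the hook records fed to it are all constructed for illustration, and the hooks themselves are stood in for by pre-built records.

```python
"""Steps S1-S5 of the patent's method on constructed data (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

# One record as a kernel- or application-layer hook would hand back (assumed shape).
@dataclass(frozen=True)
class BehaviorInfo:
    layer: str          # "kernel" or "application"
    function: str       # hooked function name
    params: tuple       # captured parameters, positional
    retval: object      # captured return value
    process: str        # monitored process the call belongs to

Constraint = Union[None, object, Callable[[object], bool]]  # None = wildcard

@dataclass(frozen=True)
class AbnormalBehavior:
    """One entry of the abnormal behavior library: function, parameter constraints, threat value."""
    name: str
    function: str
    param_match: Tuple[Constraint, ...]
    threat: int

    def matches(self, info: BehaviorInfo) -> bool:
        if info.function != self.function or len(info.params) != len(self.param_match):
            return False
        for want, got in zip(self.param_match, info.params):
            if want is None:
                continue
            if callable(want):
                if not want(got):
                    return False
            elif want != got:
                return False
        return True

# Constructed library; real deployments would derive these from analysed samples.
ABNORMAL_LIBRARY = [
    AbnormalBehavior("write-to-system-dir", "NtCreateFile",
                     (lambda p: str(p).lower().startswith("c:\\windows\\system32"),), 40),
    AbnormalBehavior("registry-run-key", "RegSetValueEx",
                     (lambda k: "currentversion\\run" in str(k).lower(), None), 50),
    AbnormalBehavior("remote-thread", "CreateRemoteThread", (None,), 60),
    AbnormalBehavior("raw-socket", "socket", ("AF_INET", "SOCK_RAW"), 30),
]

class HostAgent:
    """Agent on the host: blacklist check, matching, threat accumulation, record table."""
    def __init__(self, library, blacklist, threshold: int):
        self.library = list(library)
        self.blacklist = set(blacklist)
        self.threshold = threshold
        self.threat: Dict[str, int] = {}                                   # process -> threat value
        self.record_table: Dict[str, List[Tuple[str, BehaviorInfo]]] = {}  # process -> matched records

    def start(self, software: str) -> str:
        """S1 pre-check: blacklisted software is ended before any monitoring."""
        return "ended" if software in self.blacklist else "monitor"

    def observe(self, info: BehaviorInfo) -> Optional[List[Tuple[str, BehaviorInfo]]]:
        """S2-S4: match one record; return the record table once the threshold is exceeded."""
        for entry in self.library:
            if entry.matches(info):
                self.threat[info.process] = self.threat.get(info.process, 0) + entry.threat
                self.record_table.setdefault(info.process, []).append((entry.name, info))
                break
        if self.threat.get(info.process, 0) > self.threshold:
            return self.record_table[info.process]
        return None

    def apply_instruction(self, software: str, instruction: str) -> str:
        """S5: act on the management platform's instruction."""
        if instruction == "continue":
            return "running"
        if instruction == "prohibit":
            self.blacklist.add(software)   # later starts are ended by the S1 pre-check
            return "closed"
        raise ValueError(f"unknown instruction {instruction!r}")

def run_demo():
    agent = HostAgent(ABNORMAL_LIBRARY, blacklist={"known_bad.exe"}, threshold=100)
    assert agent.start("known_bad.exe") == "ended"
    events = [  # constructed hook records from one monitored process
        BehaviorInfo("kernel", "NtCreateFile", ("C:\\Windows\\System32\\drv.sys",), 0, "sample.exe"),
        BehaviorInfo("application", "RegSetValueEx",
                     ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "sample"), 0, "sample.exe"),
        BehaviorInfo("application", "CreateFile", ("C:\\Users\\u\\doc.txt",), 0, "sample.exe"),  # benign
        BehaviorInfo("kernel", "CreateRemoteThread", (1234,), 1, "sample.exe"),
    ]
    reported = None
    for ev in events:
        table = agent.observe(ev)
        if table is not None and reported is None:
            reported = [name for name, _ in table]
    verdict = agent.apply_instruction("sample.exe", "prohibit")
    return reported, agent.threat["sample.exe"], verdict, agent.start("sample.exe")

if __name__ == "__main__":
    print(run_demo())
```

The benign `CreateFile` record matches no library entry and adds nothing to the threat value, which is the point of matching on function name plus parameter constraints rather than on function name alone: a wildcard entry such as `remote-thread` fires on any call, while path- and key-based entries only fire on the locations the library considers abnormal.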
Based on the same inventive concept, according to another aspect of the present invention, as shown in fig. 2, an embodiment of the present invention further provides a system 400 for software processing, including:
an obtaining module 401, wherein the obtaining module 401 is configured to obtain information of a plurality of behaviors generated when software runs;
a matching module 402, the matching module 402 configured to match information of the plurality of behaviors with information of behaviors in an abnormal behavior library;
a recording module 403, where the recording module 403 is configured to record information of several behaviors to a behavior record table in response to the information of several behaviors in the information of the multiple behaviors matching the information of behaviors in the abnormal behavior library;
a sending module 404, where the sending module 404 is configured to return the behavior record table to a management platform;
a processing module 405, the processing module 405 configured to process the software according to the instruction issued by the management platform.
Based on the same inventive concept, according to another aspect of the present invention, as shown in fig. 3, an embodiment of the present invention further provides a system for software processing, including:
and the abnormal behavior library is responsible for constructing a malicious software behavior library, classifying the malicious software, stripping the characteristic behaviors of each type of malicious software, and storing and recording.
The behavior analysis module analyzes the malicious behavior log according to the malicious software behavior library and constructs an analysis judgment model capable of judging whether the malicious behavior log is a malicious software program;
the response module is divided into a host machine and a virtual machine, is a bridge between the management platform and the virtual machine, and simultaneously constructs a communication bridge between the behavior analysis module and the data acquisition module to provide timely response for the result of the analysis module so as to process the detected malicious software on the virtual machine according to the strategy issued by the management platform, such as host machine repair, process isolation, virtual machine isolation, malicious file deletion, black and white list strategy execution and the like.
And the data acquisition module records the starting and the termination of software and typical behaviors in the system, and comprises monitoring of a kernel layer and an application layer and monitoring of some network behaviors.
Black list: the blacklist is mainly used for improving monitoring efficiency, if one piece of software is judged to be malicious software and the software is put into the blacklist, all cloud hosts on the host machine can refer to the blacklist, and rapid defense is completed on the malicious software.
Platform display: the method mainly shows a software execution process, can enable an administrator or a user to find the execution process of the malicious software, can trace the damage operation of the malicious program according to the execution process, and can reversely make the recovery operation of the host.
In some embodiments, as shown in fig. 4, the data acquisition module may communicate with the analysis module through the response module to obtain a monitoring policy issued by the management platform, where the monitoring policy specifies which functions, files, registries, services, processes, and networks need to be monitored at the kernel layer and the application layer.
Then, hooks are inserted into the kernel layer according to the monitoring policy; during a function call, a hook can capture the information of that execution, including the function name, parameters, return value, and related files, processes and network activity;
then, hooks are inserted into the application layer according to the monitoring policy, and the corresponding information is obtained at the application layer in the same way;
and finally, the function information, files, processes, network activity and other information acquired from the application layer and the kernel layer is formatted and sent to the behavior analysis module.
In some embodiments, as shown in fig. 5, the behavior analysis module first receives the information collected by the data acquisition module and formats it into data usable by the black and white list and the abnormal behavior library. It then matches against the black and white list: if the process or file is on the blacklist, the response module is notified directly to respond. If the blacklist is not matched, the module obtains the function calls made by the process and matches the function name, function parameters and parameter values against the behaviors in the abnormal behavior library. The abnormal behavior library records the general malicious behaviors of malware; each recorded behavior consists of function information, files, processes, network activity and other information at the application layer or the kernel layer, and each behavior has a threat value. If the information sent by the data acquisition module matches a behavior in the library, the corresponding threat value is added to the monitored process on the virtual machine, and once the threat value reaches the threshold, the response module is triggered. That is, whenever a behavior in the abnormal behavior library is matched, the information sent by the data acquisition module is stored in a behavior record table. This table is distinct from the abnormal behavior library and is used only to record the abnormal behavior information from the virtual machine, sent by the data acquisition module, that matched some behavior in the abnormal behavior library. This information provides the display platform with the data to be presented. Finally, if the threat value of the detected process has exceeded the threshold, the response module is notified.
In some embodiments, as shown in fig. 6, the main function of the response module is to form the communication bridge between the behavior analysis module and the data acquisition module, so that the result of the analysis module receives a timely response. If a piece of malware is on the blacklist, its execution is ended directly. If it is judged to be malware through its behavior threat value, the attribute information of the malware and the behavior analysis of the malware are sent to the management platform, and the strategy returned by the management platform is then obtained. The strategy serves two main purposes: the first is to decide whether the software continues to run, which is mainly intended to resolve false alarms; the second is to prohibit the software from running and to obtain the strategy for recovering the virtual machine. Finally, the handling of the malware is executed according to the strategy, such as closing the malware process, deleting the malware file, repairing the registry entries modified by the malware, and isolating the virtual machine's network.
In some embodiments, as shown in fig. 7, if software is determined to be malware through its behavior threat value, the malware attribute information and the behavior analysis of the malware are sent to the management platform through the response module, and the management platform thereby obtains the behavior trace of the malware. A user or administrator may analyze that behavior trace in the platform display module and formulate an operation policy for the malware; the policy issuing module then either lets the monitored software continue to run or prohibits the software and adds it to the blacklist. Finally, the damage caused by the malware is reversed by following its run trace backwards, and a repair script is generated and issued to the response module of the virtual machine that suffered the damage.
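The platform-side step of figs. 6 and 7, in which the behavior record table becomes a behavior trace, the administrator's decision becomes a policy, and the trace is walked backwards to produce the repair script for the affected virtual machine, is shown below as an added worked example. It is not the patent's or the assignee's code: the record layout, the table of inverse actions (which operation is undone by which repair step), and the sample record table are all assumptions constructed for illustration.

```python
"""Behavior trace, policy issuance and reverse-trace repair plan (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class TraceStep:
    """One entry of the behavior record table as received by the platform (assumed shape)."""
    seq: int                     # order in which the hook captured the call
    function: str                # hooked function
    target: str                  # file, registry value, service or process acted on
    previous: Optional[str] = None  # prior state captured by the hook, e.g. the old registry value

Action = Tuple[str, ...]

def _undo_registry(step: TraceStep) -> Action:
    # Restore the earlier value when the hook captured one; otherwise remove the value.
    if step.previous is not None:
        return ("restore_registry", step.target, step.previous)
    return ("delete_registry_value", step.target)

# Assumed mapping from a damaging operation to the repair step that undoes it.
INVERSE: Dict[str, Callable[[TraceStep], Action]] = {
    "NtCreateFile": lambda s: ("delete_file", s.target),
    "RegSetValueEx": _undo_registry,
    "CreateService": lambda s: ("delete_service", s.target),
    "CreateRemoteThread": lambda s: ("isolate_process", s.target),
}

def build_trace(record_table: List[TraceStep]) -> List[TraceStep]:
    """Entries may arrive from several hooks out of order; the trace is the sequence-ordered table."""
    return sorted(record_table, key=lambda s: s.seq)

def repair_plan(trace: List[TraceStep]) -> List[Action]:
    """Walk the trace backwards so that later changes are undone before the ones they depend on.
    Operations with no known inverse are flagged for manual review instead of being guessed."""
    plan: List[Action] = []
    seen = set()
    for step in reversed(trace):
        inverse = INVERSE.get(step.function)
        action = inverse(step) if inverse else ("manual_review", step.function, step.target)
        if action not in seen:          # the same file or key touched twice needs one repair step
            seen.add(action)
            plan.append(action)
    return plan

def issue_policy(software: str, decision: str, record_table: List[TraceStep]) -> dict:
    """Instruction the policy issuing module returns to the response module."""
    if decision == "continue":          # administrator judged the alert a false alarm
        return {"software": software, "instruction": "continue"}
    if decision == "prohibit":
        return {
            "software": software,
            "instruction": "prohibit",
            "blacklist_add": [software],     # host propagates this to the other hosts' VMs
            "repair_script": repair_plan(build_trace(record_table)),
        }
    raise ValueError(f"unknown decision {decision!r}")

# Constructed record table for one prohibited sample, deliberately out of order.
RECORD_TABLE = [
    TraceStep(3, "CreateRemoteThread", "explorer.exe"),
    TraceStep(1, "NtCreateFile", "C:\\Windows\\System32\\drv.sys"),
    TraceStep(2, "RegSetValueEx", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sample"),
    TraceStep(4, "NtWriteFile", "C:\\Users\\u\\doc.txt"),
    TraceStep(5, "NtCreateFile", "C:\\Windows\\System32\\drv.sys"),   # same file touched again
]

def demo_policy() -> dict:
    return issue_policy("sample.exe", "prohibit", RECORD_TABLE)

if __name__ == "__main__":
    for action in demo_policy()["repair_script"]:
        print(action)
```

Because the plan is derived only from what the hooks recorded, its coverage is no better than the monitoring policy: an operation the policy did not hook never reaches the record table, and an operation the platform has no inverse for is surfaced for the administrator rather than silently skipped.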
Based on the same inventive concept, according to another aspect of the present invention, as shown in fig. 8, an embodiment of the present invention further provides a computer apparatus 501, including:
at least one processor 520; and
the memory 510, the memory 510 stores a computer program 511 that can be run on the processor, and the processor 520 executes the program to execute the steps of the processing method of any one of the above software.
Based on the same inventive concept, according to another aspect of the present invention, as shown in fig. 9, an embodiment of the present invention further provides a computer-readable storage medium 601, where the computer-readable storage medium 601 stores computer program instructions 610, and the computer program instructions 610, when executed by a processor, perform the steps of the processing method of any one of the above-mentioned software.
Finally, it should be noted that, as will be understood by those skilled in the art, all or part of the processes of the methods of the above embodiments may be implemented by a computer program to instruct related hardware to implement the methods. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a Random Access Memory (RAM), or the like. The embodiments of the computer program may achieve the same or similar effects as any of the above-described method embodiments.
In addition, the apparatuses, devices, and the like disclosed in the embodiments of the present invention may be various electronic terminal devices, such as a mobile phone, a Personal Digital Assistant (PDA), a tablet computer (PAD), a smart television, and the like, or may be a large terminal device, such as a server, and the like, and therefore the scope of protection disclosed in the embodiments of the present invention should not be limited to a specific type of apparatus, device. The client disclosed by the embodiment of the invention can be applied to any one of the electronic terminal devices in the form of electronic hardware, computer software or a combination of the electronic hardware and the computer software.
Furthermore, the method disclosed according to an embodiment of the present invention may also be implemented as a computer program executed by a CPU, and the computer program may be stored in a computer-readable storage medium. The computer program, when executed by the CPU, performs the above-described functions defined in the method disclosed in the embodiments of the present invention.
Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.
Further, it should be appreciated that the computer-readable storage media (e.g., memory) herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions herein: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP, and/or any other such configuration.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, include Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps of implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, of embodiments of the invention is limited to these examples; within the idea of an embodiment of the invention, also technical features in the above embodiment or in different embodiments may be combined and there are many other variations of the different aspects of the embodiments of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.

Claims (10)

1. A method for processing software, comprising the steps of:
acquiring information of a plurality of behaviors generated when software runs;
matching the information of the behaviors with the information of the behaviors in an abnormal behavior library;
in response to the information of a number of behaviors among the plurality of behaviors matching the information of the behaviors in the abnormal behavior library, recording the information of the number of behaviors in a behavior record table;
returning the behavior record table to a management platform;
and processing the software according to the instruction sent by the management platform.
2. The method of claim 1, wherein acquiring information of a plurality of behaviors generated when the software runs further comprises:
acquiring a blacklist;
judging whether the software is in the blacklist or not;
and acquiring the information of the plurality of behaviors in response to the software not being in the blacklist.
3. The method of claim 2, further comprising:
and ending the running of the software in response to the software being in the blacklist.
4. The method of claim 1, wherein acquiring information of a plurality of behaviors generated when the software runs further comprises:
acquiring a monitoring strategy issued by the management platform;
determining a plurality of objects to be monitored according to the monitoring strategy;
inserting hooks into a kernel layer and/or an application layer to return relevant information of the plurality of objects to be monitored when the software runs;
and determining information of a plurality of behaviors generated when the software runs according to the related information of the plurality of objects to be monitored.
5. The method of claim 1, wherein returning the behavior record table to a management platform further comprises:
determining a threat value according to the information of the behaviors in the behavior record table;
judging whether the threat value is greater than a threshold value;
and returning the behavior record table to the management platform in response to the threat value being greater than the threshold value.
6. The method of claim 1, wherein processing the software according to instructions issued by the management platform further comprises:
in response to receiving an instruction for continuing running sent by the management platform, continuing to run the software;
and in response to receiving an instruction for prohibiting running sent by the management platform, closing the software.
7. The method of claim 6, wherein closing the software in response to receiving the instruction for prohibiting running sent by the management platform further comprises:
adding the software into a blacklist;
determining the damage caused by the software using the information of the behaviors in the behavior record table;
and executing the corresponding repair file according to the damage caused by the software.
8. A software processing system, comprising:
an acquisition module configured to acquire information of a plurality of behaviors generated when software runs;
a matching module configured to match the information of the plurality of behaviors with information of behaviors in an abnormal behavior library;
a recording module configured to record information of a number of behaviors in a behavior record table in response to the information of the number of behaviors matching the information of the behaviors in the abnormal behavior library;
a sending module configured to return the behavior record table to a management platform;
and a processing module configured to process the software according to instructions issued by the management platform.
9. A computer device, comprising:
at least one processor; and
memory storing a computer program operable on the processor, wherein the processor executes the program to perform the steps of the method according to any of claims 1-7.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, is adapted to carry out the steps of the method according to any one of claims 1 to 7.
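The workflow of claims 1 to 7 as one pass through an endpoint agent, written here as an added Python example that is not the patent's own code. The behaviour names, threat weights, threshold and repair-file mapping are constructed assumptions, and the management platform is stood in for by a callable that returns the instruction.

```python
from dataclasses import dataclass, field

# Constructed abnormal-behaviour library: behaviour -> threat weight. The
# weights and the threshold are assumptions; the claims only state that a
# threat value is derived from the record table and compared to a threshold.
ABNORMAL_LIBRARY = {
    "file_write:/etc/ld.so.preload": 5,
    "process_exec:/tmp/dropper": 4,
    "net_connect:raw_socket": 3,
}
THRESHOLD = 6
# Constructed mapping from a damaging behaviour to its repair file (claim 7).
REPAIR_FILES = {"file_write:/etc/ld.so.preload": "restore_ld_preload.sh"}


@dataclass
class Agent:
    """Endpoint side of the claimed method (assumed name)."""
    blacklist: set = field(default_factory=set)
    record_table: list = field(default_factory=list)   # behaviour record table

    def run(self, software, behaviours, platform):
        """One pass over the behaviours observed while `software` runs.
        `platform` stands in for the management platform: it receives the
        record-table entry and returns "continue" or "prohibit"."""
        if software in self.blacklist:                 # claims 2-3: blacklisted
            return "ended"
        hits = [b for b in behaviours if b in ABNORMAL_LIBRARY]  # claim 1: match
        if not hits:
            return "running"
        entry = {"software": software, "behaviours": hits}
        self.record_table.append(entry)                # claim 1: record
        threat = sum(ABNORMAL_LIBRARY[b] for b in hits)  # claim 5: threat value
        if threat <= THRESHOLD:
            return "running"                           # not above threshold: no report
        instruction = platform(entry)                  # claims 1, 5: table returned
        if instruction == "continue":                  # claim 6
            return "running"
        if instruction != "prohibit":
            raise ValueError(f"unknown instruction: {instruction!r}")
        self.blacklist.add(software)                   # claim 7: add to blacklist
        repairs = sorted({REPAIR_FILES[b] for b in hits if b in REPAIR_FILES})
        return ("closed", repairs)                     # claim 7: repair files to run


if __name__ == "__main__":
    agent = Agent()
    observed = ["file_read:/etc/hosts", "file_write:/etc/ld.so.preload",
                "process_exec:/tmp/dropper"]            # constructed events
    print(agent.run("dropper", observed, lambda entry: "prohibit"))
    print(agent.run("dropper", observed, lambda entry: "prohibit"))  # now blacklisted
```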
CN202010026173.6A 2020-01-10 2020-01-10 Software processing method, system, device and medium Withdrawn CN111241545A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010026173.6A CN111241545A (en) 2020-01-10 2020-01-10 Software processing method, system, device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010026173.6A CN111241545A (en) 2020-01-10 2020-01-10 Software processing method, system, device and medium

Publications (1)

Publication Number Publication Date
CN111241545A true CN111241545A (en) 2020-06-05

Family

ID=70865492

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010026173.6A Withdrawn CN111241545A (en) 2020-01-10 2020-01-10 Software processing method, system, device and medium

Country Status (1)

Country Link
CN (1) CN111241545A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112486771A (en) * 2020-11-28 2021-03-12 苏州浪潮智能科技有限公司 Distributed system management method, system, device and medium
CN113312201A (en) * 2021-06-23 2021-08-27 深信服科技股份有限公司 Abnormal process handling method and related device
CN113569242A (en) * 2021-07-28 2021-10-29 中国南方电网有限责任公司 Illegal software identification method
CN113722712A (en) * 2021-09-06 2021-11-30 杭州安恒信息技术股份有限公司 Method and related device for detecting program malicious behavior based on HOOK

Similar Documents

Publication Publication Date Title
CN111241545A (en) Software processing method, system, device and medium
US10791133B2 (en) System and method for detecting and mitigating ransomware threats
JP6228966B2 (en) Computing device that detects malware
US8713680B2 (en) Method and apparatus for modeling computer program behaviour for behavioural detection of malicious program
CN111931166B (en) Application program anti-attack method and system based on code injection and behavior analysis
US8640233B2 (en) Environmental imaging
CN111460445B (en) Sample program malicious degree automatic identification method and device
KR102534334B1 (en) Detection of software attacks on processes in computing devices
US20190147163A1 (en) Inferential exploit attempt detection
CN112769775B (en) Threat information association analysis method, system, equipment and computer medium
CN111683084B (en) Intelligent contract intrusion detection method and device, terminal equipment and storage medium
CN112818307A (en) User operation processing method, system, device and computer readable storage medium
CN111241546B (en) Malicious software behavior detection method and device
CN107231364B (en) Website vulnerability detection method and device, computer device and storage medium
CN112287339A (en) APT intrusion detection method and device and computer equipment
CN110619214A (en) Method and device for monitoring normal operation of software
CN104426836A (en) Invasion detection method and device
CN112910895A (en) Network attack behavior detection method and device, computer equipment and system
CN110874474A (en) Lessocian virus defense method, Lessocian virus defense device, electronic device and storage medium
CN115643044A (en) Data processing method, device, server and storage medium
US11763004B1 (en) System and method for bootkit detection
CN112580038A (en) Anti-virus data processing method, device and equipment
JPWO2020065778A1 (en) Information processing equipment, control methods, and programs
CN113836542B (en) Trusted white list matching method, system and device
US20240070268A1 (en) Aggregate Event Profiles for Detecting Malicious Mobile Applications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200605