Method and device for identifying abnormal application
IPC classification
Country/Type
United States (US) Patent
Registered
International Patent Classification (IPC 7th ed.)
G06F-012/14
H04L-029/06
G06F-021/56
H04L-012/26
Application number
US-0700323
(2015-04-30)
Registration number
US-9894097
(2018-02-13)
Priority information
CN-2012 1 0436204 (2012-11-05)
Inventor / Address
Yu, Wenfeng
Applicant / Address
Tencent Technology (Shenzhen) Company Limited
Agent / Address
Harness, Dickey & Pierce, P.L.C.
Citation information
Cited-by count: 0
Cited patents: 1
Abstract
A method and device for identifying an abnormal application are provided. The method includes executing abnormal applications, obtaining dynamic behavior information of the abnormal applications, inputting the dynamic behavior information of the abnormal applications into a preset detection network, obtaining a behavior rule of the dynamic behavior information via the detection network, and identifying a detected application according to the behavior rule to determine whether the detected application is an abnormal application.
Representative claims
1. A method for identifying an abnormal application, comprising: executing, by a virtual machine, prestored abnormal applications, which are viruses or Trojan programs; obtaining dynamic behavior information of the prestored abnormal applications; inputting the dynamic behavior information of the prestored abnormal applications into a preset detection network; obtaining a behavior rule of the dynamic behavior information via the preset detection network; and identifying a detected application according to the behavior rule of the dynamic behavior information to determine whether the detected application is a virus or Trojan program; wherein inputting the dynamic behavior information of the prestored abnormal applications into the preset detection network includes converting the dynamic behavior information into a behavior vector; and inputting the behavior vector into the preset detection network; and wherein obtaining dynamic behavior information of the prestored abnormal applications and converting the dynamic behavior information of the prestored abnormal applications into a behavior vector includes: monitoring whether each of the abnormal applications executes at least one of operating a danger registry, operating a sensitive file, performing dangerous operation on network connection, and operating an Application Programming Interface (API); when one of the above operations is executed, one of number 0 and 1 is allocated, when one of the above operations is not performed, the other one of number 0 and 1 is allocated; and creating a behavior vector comprising the allocated 0 and 1.
2. The method for identifying an abnormal application according to claim 1, wherein before executing the prestored abnormal applications, the method further comprises: presetting the preset detection network.
3. The method for identifying an abnormal application according to claim 1, wherein before executing the prestored abnormal applications, the method further comprises: establishing a dynamic behavior information monitoring point; and obtaining the dynamic behavior information of the prestored abnormal applications via the dynamic behavior information monitoring point.
4. The method for identifying an abnormal application according to claim 1, wherein the preset detection network is a back propagation network.
5. A device for identifying an abnormal application, comprising: a dynamic behavior information obtaining module configured to execute prestored abnormal applications, which are viruses or Trojan programs, and obtain dynamic behavior information of the prestored abnormal applications; a dynamic behavior information transmission module configured to input the dynamic behavior information of the prestored abnormal applications into a preset detection network; a behavior rule obtaining module configured to obtain a behavior rule of the dynamic behavior information via the preset detection network; and an identification module configured to identify a detected application according to the behavior rule of the dynamic behavior information to determine whether the detected application is a virus or Trojan program; wherein the dynamic behavior information obtaining module is configured to monitor whether each of the abnormal applications executes at least one of operating a danger registry, operating a sensitive file, performing dangerous operation on network connection, and operating an Application Programming Interface (API); and wherein the device further includes a behavior vector conversion module configured to allocate one of number 0 and 1 when one of the above operations is executed, and allocate the other one of number 0 and 1 when one of the above operations is not performed, and create a behavior vector comprising the allocated number 0 and 1.
6. The device for identifying an abnormal application according to claim 5, further comprising: a detection network generation module, to preset the detection network.
7. The device for identifying an abnormal application according to claim 5, wherein the dynamic behavior information transmission module is further to input the behavior vector into the preset detection network.
8. The device for identifying an abnormal application according to claim 5, further comprising: a monitoring point establishment module, to establish a dynamic behavior information monitoring point; wherein the dynamic behavior information obtaining module is further to obtain the dynamic behavior information of the prestored abnormal applications via the dynamic behavior information monitoring point.
9. The device for identifying an abnormal application according to claim 5, wherein the preset detection network is a back propagation network.
10. A non-transitory computer-readable medium storing instructions which, when executed by one or more processors, cause a device to perform a method for identifying an abnormal application, the method comprising: executing prestored abnormal applications, which are viruses or Trojan programs; obtaining dynamic behavior information of the prestored abnormal applications; inputting the dynamic behavior information of the prestored abnormal applications into a preset detection network; obtaining a behavior rule of the dynamic behavior information via the preset detection network; and identifying a detected application according to the behavior rule of the dynamic behavior information to determine whether the detected application is a virus or Trojan program; wherein inputting the dynamic behavior information of the prestored abnormal applications into the preset detection network includes converting the dynamic behavior information into a behavior vector; and inputting the behavior vector into the preset detection network; and wherein obtaining dynamic behavior information of the prestored abnormal applications and converting the dynamic behavior information of the prestored abnormal applications into a behavior vector includes: monitoring whether each of the abnormal applications executes at least one of operating a danger registry, operating a sensitive file, performing dangerous operation on network connection, and operating an Application Programming Interface (API); when one of the above operations is executed, one of number 0 and 1 is allocated, when one of the above operations is not performed, the other one of number 0 and 1 is allocated; and creating a behavior vector comprising the allocated 0 and 1.
11. The non-transitory computer-readable medium according to claim 10, wherein the non-transitory computer-readable medium further stores instructions which, when executed by one or more processors, cause a device to preset the detection network before executing the prestored abnormal applications.
12. The non-transitory computer-readable medium according to claim 10, wherein the non-transitory computer-readable medium further stores instructions which, when executed by one or more processors, cause a device to establish a dynamic behavior information monitoring point before executing the prestored abnormal applications; and obtain the dynamic behavior information of the prestored abnormal applications via the dynamic behavior information monitoring point.
13. The non-transitory computer-readable medium according to claim 10, wherein the preset detection network is a back propagation network.
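The abstract and claims 1, 3 and 4 describe one pipeline: a monitoring point records what a sample does in the virtual machine, the four monitored categories (danger registry, sensitive file, dangerous network operation, API) are each allocated 0 or 1 to form a behavior vector, a back propagation network is trained on the vectors of the prestored viruses and Trojans, and a detected application is then judged by the learned behavior rule. The following is an added example of that pipeline and is not Tencent's code or the patent's implementation. The watch lists, the event format (`kind`/`target` dicts standing in for the monitoring point's output), the training set and the two sample traces are all constructed for illustration; the network is a minimal sigmoid network trained with plain back-propagation.

```python
"""Behavior-vector malware classifier in the shape of claims 1 and 4.

Added example, not Tencent's code. Watch lists, event format, training
labels and sample traces are constructed for illustration only.
"""
import math
import random

# Assumed watch lists for the four categories named in claim 1.
DANGER_REGISTRY_PREFIXES = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
)
SENSITIVE_FILES = {r"c:\windows\system32\drivers\etc\hosts", r"c:\windows\system32\config\sam"}
DANGEROUS_NET_OPS = {"connect_raw_ip", "listen"}
DANGEROUS_APIS = {"WriteProcessMemory", "CreateRemoteThread", "SetWindowsHookEx"}
FEATURES = ("danger_registry", "sensitive_file", "dangerous_network", "dangerous_api")


def to_behavior_vector(events):
    """Apply the 0/1 allocation rule of claim 1 to one sandbox trace.

    Each event is {"kind": "registry"|"file"|"network"|"api", "target": str}.
    A category becomes 1 as soon as any event hits its watch list, else 0.
    An empty trace (sample idled in the VM) therefore maps to all zeros.
    """
    flags = dict.fromkeys(FEATURES, 0)
    for ev in events:
        kind, target = ev["kind"], ev["target"]
        if kind == "registry" and target.lower().startswith(DANGER_REGISTRY_PREFIXES):
            flags["danger_registry"] = 1
        elif kind == "file" and target.lower() in SENSITIVE_FILES:
            flags["sensitive_file"] = 1
        elif kind == "network" and target in DANGEROUS_NET_OPS:
            flags["dangerous_network"] = 1
        elif kind == "api" and target in DANGEROUS_APIS:
            flags["dangerous_api"] = 1
    return [flags[f] for f in FEATURES]


class BackPropNetwork:
    """4-hidden-unit sigmoid network trained by back-propagation (claim 4)."""

    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)  # fixed seed keeps the example deterministic
        self.w1 = [[rng.uniform(-1, 1) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-1, 1) for _ in range(n_hidden)]
        self.b2 = 0.0

    @staticmethod
    def _sig(x):
        return 1.0 / (1.0 + math.exp(-x))

    def _forward(self, x):
        h = [self._sig(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.w1, self.b1)]
        return h, self._sig(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)

    def predict(self, x):
        """Probability-like score that the behavior vector x is a virus/Trojan."""
        return self._forward(x)[1]

    def train(self, samples, epochs=4000, lr=0.5):
        for _ in range(epochs):
            for x, y in samples:
                h, o = self._forward(x)
                d_o = (o - y) * o * (1 - o)  # squared-error gradient at the output
                d_h = [d_o * w * hi * (1 - hi) for w, hi in zip(self.w2, h)]  # before w2 update
                for j, hi in enumerate(h):
                    self.w2[j] -= lr * d_o * hi
                self.b2 -= lr * d_o
                for j, dj in enumerate(d_h):
                    for i, xi in enumerate(x):
                        self.w1[j][i] -= lr * dj * xi
                    self.b1[j] -= lr * dj


# Constructed training set: vectors of prestored samples in FEATURES order,
# label 1 = virus/Trojan, 0 = benign control.
TRAINING_SET = [
    ([1, 1, 1, 1], 1), ([1, 0, 1, 0], 1), ([0, 1, 1, 1], 1), ([1, 1, 0, 1], 1),
    ([0, 0, 0, 0], 0), ([0, 1, 0, 0], 0), ([0, 0, 1, 0], 0), ([0, 0, 0, 1], 0),
]


def train_detector(seed=0):
    net = BackPropNetwork(n_in=len(FEATURES), n_hidden=4, seed=seed)
    net.train(TRAINING_SET)
    return net


def is_abnormal(net, events, threshold=0.5):
    """Judge a detected application's trace by the learned behavior rule."""
    return net.predict(to_behavior_vector(events)) > threshold


# Constructed traces for a "detected application" of each kind.
MALWARE_TRACE = [  # Run-key persistence plus a raw outbound connection
    {"kind": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"kind": "network", "target": "connect_raw_ip"},
    {"kind": "api", "target": "GetTickCount"},
]
BENIGN_TRACE = [  # reads the hosts file, nothing else on the watch lists
    {"kind": "file", "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"kind": "api", "target": "ReadFile"},
]

if __name__ == "__main__":
    det = train_detector()
    for name, trace in (("malware", MALWARE_TRACE), ("benign", BENIGN_TRACE)):
        vec = to_behavior_vector(trace)
        print(name, vec, round(det.predict(vec), 3), is_abnormal(det, trace))
```

Two practical points follow from the encoding. A four-bit vector collapses every registry write into one flag, so the "behavior rule" the network can learn is only a rule over which of the four categories co-occur; and a sample that recognises the virtual machine and idles produces the all-zero vector, which this detector reports as benign. In practice a trace with no monitored activity should be treated as inconclusive rather than clean, and the monitoring point of claim 3 must itself be hard for the sample to detect.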
Patents cited by this patent (1)
Kalinichenko, Michael, Application of nested behavioral rules for anti-malware processing.