Method and system for detecting application program behavior legality

A detection method for application programs, applied in the fields of platform integrity maintenance, instruments, electronic digital data processing, etc. It addresses the problems that applications contain unknown security loopholes, that illegal behavior of legitimate applications cannot be identified and prevented, and that applications cannot be distinguished, and it achieves a good defense effect, a high recognition rate and a low false alarm rate.

Inactive Publication Date: 2009-04-15
厦门市美亚柏科资讯科技有限公司
0 Cites, 47 Cited by

AI Technical Summary

Problems solved by technology

[0004] However, because applications often have unknown security vulnerabilities, many intrusions target the application directly, and the intrusion code is then executed through the compromised application.
Existing defense technology determines the legality of a behavior only by whether the executed program is in the permission list. It cannot distinguish whether the behavior is the normal behavior of the application itself or that of a malicious intruder who has invaded the application, so it cannot identify and block illegal behavior of legitimate applications.
On computers using existing protection software, the illegal actions these intruders perform through legitimate applications are often released because they meet the filter matching rules, which leaves malicious intruders an opportunity to bypass the protection software.


Embodiment Construction

[0024] In modern operating systems, an application can only carry out its behaviors by calling system interfaces. Therefore, by tracing the caller of a system interface, the actual controller of the application's behavior can be found. That is, by monitoring the system interfaces that a malicious intruder may use and verifying the legitimacy of the callers of those interface functions, it is possible to identify whether the actual controller of a behavior is legal, and thereby to detect illegal actions that intruders perform through compromised applications.

[0025] To illustrate the working principle of the present invention, the following first describes how an intruder invades an application program.

[0026] First, overflow vulnerabilities exist in many applications. An overflow vulnerability is caused by one or more input functions (user input parameters) in the program not strictly verifying the boundaries of the received ...


Abstract

A method for detecting the legitimacy of application program behavior comprises the following steps: monitoring one or more system interfaces of a computer so that a monitored system interface jumps to a monitoring module for execution when it receives a call; blocking the caller's application program and judging the validity of the caller; if the caller is legal, permitting the caller to call the interface function and letting the caller's application program continue; and, if the caller is illegal, pausing the behavior of the caller's application program and issuing an intrusion alarm. By monitoring the system interfaces of the computer, the detection method determines whether the executor of an application program behavior is legal, so that program behavior executed by illegal executors is intercepted and an alarm is raised. Compared with the existing, fuzzier behavior analysis technology, the detection method has advantages such as a low false alarm rate and a high recognition rate, and it has an especially good defense effect against intrusion behavior that exploits overflow vulnerabilities, so it is an effective supplement to the existing behavior analysis defense technology.
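The flow in this abstract and in paragraph [0024] (intercept the call, judge the caller, then permit or alarm), sketched as an added example that is not code from the patent. The legality criterion (the caller's address must lie in an executable, non-writable, file-backed mapping), the Linux `/proc/<pid>/maps` format, the constructed sample map and all function names are assumptions; the visible text does not state how the caller is judged.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Constructed sample in Linux /proc/<pid>/maps format (not from the patent). */
static const char SAMPLE_MAPS[] =
    "00400000-0040c000 r-xp 00000000 08:01 131 /usr/bin/app\n"
    "0060c000-0060d000 rw-p 0000c000 08:01 131 /usr/bin/app\n"
    "01a00000-01a21000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a10000000-7f3a101c0000 r-xp 00000000 08:01 977 /lib/libc.so.6\n"
    "7ffc2b000000-7ffc2b021000 rwxp 00000000 00:00 0 [stack]\n";

/* Assumed criterion: legal only if the caller address lies in an
 * executable, non-writable mapping backed by a file on disk. */
int caller_is_legal(const char *maps, uint64_t caller)
{
    while (*maps) {
        char line[512], perms[5] = "", path[256] = "";
        unsigned long long lo, hi;
        size_t len = strcspn(maps, "\n");
        size_t n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, maps, n);
        line[n] = '\0';
        maps += len + (maps[len] == '\n');
        int got = sscanf(line, "%llx-%llx %4s %*s %*s %*s %255s", &lo, &hi, perms, path);
        if (got < 3 || caller < lo || caller >= hi)
            continue;
        return got == 4 && path[0] == '/' && perms[2] == 'x' && perms[1] != 'w';
    }
    return 0; /* address in no mapping: fail closed */
}

static int real_interface(void) { return 42; } /* stands in for the system interface */
/* Monitored entry point: forward legal callers, stop and alarm on the rest. */
int monitored_interface(const char *maps, uint64_t caller, int *alarms)
{
    if (!caller_is_legal(maps, caller)) {
        ++*alarms; /* intrusion alarm; the original interface is never reached */
        return -1;
    }
    return real_interface();
}

int main(void)
{
    int alarms = 0;
    int ok = monitored_interface(SAMPLE_MAPS, 0x401000, &alarms);
    int bad = monitored_interface(SAMPLE_MAPS, 0x7ffc2b000500ULL, &alarms);
    printf("text caller -> %d, stack caller -> %d, alarms = %d\n", ok, bad, alarms);
    return 0;
}
```

A call whose return address sits on the stack or heap, as after an overflow redirects execution into injected data, fails the check even though the process itself is on the permission list.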

Description

Technical field

[0001] The invention relates to a method and system for detecting computer security, in particular to a method and system for detecting the legality of application program behavior.

Background technique

[0002] The vigorous development of the Internet has made network and computer security an increasingly serious problem. In the computer, there are unknown security holes in the system and various application software, such as unknown overflow holes, etc. These holes may be exploited by malicious intruders at any time to cause varying degrees of damage to the computer system and/or applications, documents, etc. Therefore, a variety of protection software is widely used on network computers to detect and even contain malicious intruders.

[0003] At present, most of the local protection software running on network computers adopts behavior analysis technology, such as active defense technology, to detect the behavior of exploiting unknown overflow vulnerab...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/00, G06F21/22, G06F21/55
Inventor: 袁灿锭, 滕达
Owner: 厦门市美亚柏科资讯科技有限公司