Method for intercepting the operation of suspicious programs

A technology for intercepting the running of suspicious programs, applied in the field of information security, which addresses the inability of existing tools to detect and kill new Trojan horses and thereby improves system security.

Active Publication Date: 2013-04-24
THE FIRST RES INST OF MIN OF PUBLIC SECURITY +1

AI Technical Summary

Problems solved by technology

For example, the active-defense detection method frequently prompts the user, who is often unable to decide what to do. Moreover, advanced kernel rootkit technology can evade active-defense monitoring, and heuristic scanning can be bypassed by writing custom system functions, and so on. All of the detection methods in the prior art described above use the malicious behavior of viruses and Trojan horses as the detection basis; therefore, when a sample of a new Trojan horse has not yet been captured, they have no ability to detect and kill that unknown Trojan horse.



Embodiment Construction

[0026] The present invention is described in detail below with reference to the accompanying drawings and embodiments. As shown in figure 1, the embodiment of the present invention runs directly on the computer to be protected, in the form of software, and the specific interception steps are as follows:

[0027] 1. Generate a whitelist of this computer: on the premise that the protected computer has no Trojan horse viruses (for example, a freshly installed operating system), when the system runs for the first time it scans the entire computer using multiple threads, computes the corresponding information for all PE files on the computer, and generates a whitelist of those PE files.

[0028] 2. Intercept process start: by loading a driver, hook the function NtCreateSection, which the operating system calls to load files when a process starts; from this call it is judged whether the file the operating system is about to load is a PE file, and the file path of the file i...


Abstract

The invention discloses a method for intercepting the operation of suspicious programs. The method includes the steps of: (1) under the condition that the protected computer has no Trojan horse viruses, when the system is run for the first time, recording the information of all PE (Portable Executable) files present on the computer and generating a whitelist; (2) intercepting the memory-allocation requests made during file loading in the operating system kernel and screening out the PE files; (3) comparing each PE file against a blacklist and the whitelist to judge whether the file is suspicious. The method has the advantage that, by intercepting every PE file loaded by the operating system and comparing it against the whitelist, it effectively intercepts the start of suspicious programs and obtains Trojan horse virus samples; by maintaining a blacklist it intercepts known Trojan horse viruses; and it provides detailed log reports for analyzing and monitoring the running status of all processes in the current system, so that the security of the system is greatly improved and the major defect of existing antivirus software, which relies on feature comparison and cannot intercept unknown Trojan horse viruses, is overcome.
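The interception steps in the embodiment above and the three steps of the abstract describe the same decision: build a whitelist of PE files on a clean system, then classify every PE file the operating system is asked to load as blacklisted, whitelisted, or suspicious. The following Python script is an added example, not code from the patent or its applicant. It models that decision in user mode so it can be run offline: the kernel hook on NtCreateSection is replaced by a call to `classify_load` for each file, and SHA-256 of the file contents is assumed as the "file information" recorded in the whitelist (the patent does not say which file information it records). The PE check is the minimal one (DOS `MZ` header whose `e_lfanew` points at the `PE\0\0` signature), and all sample files are constructed in a temporary directory.

```python
"""Added example: user-mode model of the PE whitelist/blacklist decision.
Not the patent's own code. Assumptions: SHA-256 as the recorded file
information; the kernel-mode NtCreateSection hook is simulated by calling
classify_load() on a path. Sample files are constructed, not real binaries."""
import hashlib
import os
import struct
import tempfile
from concurrent.futures import ThreadPoolExecutor

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def is_pe_file(path):
    """True if the file has a DOS 'MZ' header whose e_lfanew (offset 60)
    points at the 'PE\\0\\0' signature. Unreadable/short files are not PE."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != MZ_MAGIC:
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 60)
            f.seek(e_lfanew)
            return f.read(4) == PE_SIGNATURE
    except OSError:
        return False


def file_digest(path):
    """SHA-256 of the file contents, read in chunks."""
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            sha256.update(chunk)
    return sha256.hexdigest()


def build_whitelist(root, workers=4):
    """Step 1: on the clean first run, walk the tree with several threads,
    keep only PE files, and record digest -> path."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(is_pe_file, paths))
        pe_paths = [p for p, is_pe in zip(paths, flags) if is_pe]
        digests = list(pool.map(file_digest, pe_paths))
    return dict(zip(digests, pe_paths))


def classify_load(path, whitelist, blacklist):
    """Steps 2 and 3: for a (simulated) section-creation request, ignore
    non-PE files, then check the blacklist first and the whitelist second.
    Anything else is unknown and therefore suspicious."""
    if not is_pe_file(path):
        return "not-pe"
    digest = file_digest(path)
    if digest in blacklist:
        return "blocked-blacklist"
    if digest in whitelist:
        return "allowed-whitelist"
    return "suspicious"


def make_pe_blob(tag):
    """Constructed minimal PE-shaped blob: 64-byte DOS header with 'MZ',
    e_lfanew = 64, then the PE signature and a distinguishing tag."""
    dos = bytearray(64)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 60, 64)
    return bytes(dos) + PE_SIGNATURE + tag


def demo():
    """Constructed scenario: clean baseline, then new files appear."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            p = os.path.join(root, name)
            with open(p, "wb") as f:
                f.write(data)
            return p
        # Clean system at first run: two legitimate PE files and a text file.
        a_exe = write("a.exe", make_pe_blob(b"A"))
        write("b.dll", make_pe_blob(b"B"))
        readme = write("readme.txt", b"hello")
        whitelist = build_whitelist(root)
        # A known-bad sample whose digest is on the blacklist.
        bad_blob = make_pe_blob(b"BAD")
        blacklist = {hashlib.sha256(bad_blob).hexdigest()}
        # After the baseline, an unknown PE and the known-bad one arrive.
        new_exe = write("new.exe", make_pe_blob(b"NEW"))
        bad_exe = write("bad.exe", bad_blob)
        return {
            "whitelist_size": len(whitelist),
            "a.exe": classify_load(a_exe, whitelist, blacklist),
            "readme.txt": classify_load(readme, whitelist, blacklist),
            "new.exe": classify_load(new_exe, whitelist, blacklist),
            "bad.exe": classify_load(bad_exe, whitelist, blacklist),
        }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the blacklist is consulted before the whitelist so that a known-bad file is still blocked even if it was present when the baseline was taken, and an unknown PE file that matches neither list is reported as suspicious rather than silently allowed, which is the point of the whitelist approach over signature-only detection.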

Description

Technical field

[0001] The invention relates to a method for intercepting the operation of suspicious programs, and belongs to the technical field of information security.

Background technique

[0002] At present, according to the network security information and trends released by the China National Computer Network Emergency Response Technology Coordination Center, the number of hosts in China infected with network viruses is on the rise. The speed at which viruses and Trojan horses mutate and spread is overwhelming for most antivirus software manufacturers. Moreover, in the current host environment, viruses and Trojans are not detected and killed by antivirus software, not blocked by host firewalls, and not found by anti-hiding tools. Once a system is infected with viruses and Trojans, they lie dormant for a long time, causing huge losses to information security.

[0003] At present, in the prior art, the technologies and methods mainly used for detec...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56
Inventor: 胡光俊王奕钧薛正宋伟航
Owner: THE FIRST RES INST OF MIN OF PUBLIC SECURITY