Abnormal process detection method and apparatus

A detection method and detection device, applied in the direction of platform integrity maintenance and related fields, that can solve problems such as the inability to detect and kill unknown viruses.

Inactive Publication Date: 2016-02-03
ZTE CORP
7 Cites, 17 Cited by

AI Technical Summary

Problems solved by technology

[0003] The main technical problem to be solved by the present invention is to provide a method and device for det

Examples

Embodiment 1

[0033] This embodiment provides an abnormal process detection method. Referring to Figure 1, a schematic flow chart of the method, the method comprises the following steps:

[0034] Step S101: Determine the execution program corresponding to the running process in the system;

[0035] Step S102: Determine whether the path of the execution program belongs to the preset legal path; if not, mark the process corresponding to the execution program as abnormal.

[0036] Before judging whether the path of the execution program belongs to the preset legal path, the preset legal path can be determined in at least one of the following ways: take a snapshot of the system processes when the terminal is virus-free to obtain the legal paths of the legal processes; treat the path corresponding to a legal process as a legal path. The legal path generally includes a system folder path set and a custom legal program full path set. The system folder path set is a coll...

Embodiment 2

[0045] To describe the abnormal process detection method proposed in Embodiment 1 in more detail, this embodiment provides a more specific implementation. Referring to Figure 2, a schematic flowchart of the abnormal process detection method provided in this embodiment, the method includes the following steps:

[0046] Step S201: start.

[0047] Step S202: The system schedules the detection program, and enters step S203.

[0048] Before this step, a whitelist of legitimate processes is generated. The whitelist is a text file in which each line represents one record. The whitelist records a system folder path set, a custom legal program full path set, and the data summary value of the application corresponding to each entry in the custom legal program full path set.

[0049] Step S203: Obtain a list of all processes in the current system, together with detailed information such as the execution program and start time of each process, through means such as ps and accessing /proc. Then go t...
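The check from steps S101, S102 and S203 as an added Python example (not code from the patent). The whitelist line format (`dir` and `file` records), the use of SHA-256 as the data summary value, treating any file beneath a system folder as legal, and flagging executables that Linux reports as deleted are assumptions; all function names are hypothetical.

```python
import hashlib
import os

def parse_whitelist(text):
    """Assumed record format: 'dir <folder>' or 'file <full path> <sha256>'."""
    system_dirs, custom = [], {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "dir" and len(fields) == 2:
            system_dirs.append(os.path.normpath(fields[1]))
        elif fields[0] == "file" and len(fields) == 3:
            custom[os.path.normpath(fields[1])] = fields[2].lower()
        else:
            raise ValueError(f"bad whitelist record: {line!r}")
    return system_dirs, custom

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def classify(exe, system_dirs, custom):
    """Return 'ok', or the reason the process is marked abnormal."""
    if exe.endswith(" (deleted)"):  # Linux marks an unlinked binary this way
        return "abnormal: executable deleted"
    exe = os.path.normpath(exe)     # collapse '..' before comparing
    # Compare with a trailing separator so /usr/bin-evil does not match /usr/bin.
    if any(exe.startswith(d.rstrip("/") + "/") for d in system_dirs):
        return "ok"
    if exe not in custom:
        return "abnormal: path not whitelisted"
    try:
        same = sha256_file(exe) == custom[exe]
    except OSError:
        return "abnormal: executable unreadable"
    return "ok" if same else "abnormal: digest mismatch"

def running_executables(proc="/proc"):
    """Yield (pid, executable path) for every process whose exe link is readable."""
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            yield int(name), os.readlink(os.path.join(proc, name, "exe"))
        except OSError:  # kernel thread, exited process, or insufficient privilege
            continue

def scan(system_dirs, custom):
    found = ((pid, classify(exe, system_dirs, custom)) for pid, exe in running_executables())
    return {pid: reason for pid, reason in found if reason != "ok"}
```

On a Linux host, `scan(*parse_whitelist(open(path).read()))` returns a dictionary of process IDs and the reason each was marked abnormal; run it with enough privilege to read other users' `/proc/<pid>/exe` links, otherwise those processes are skipped.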

Embodiment 3

[0060] This embodiment provides an abnormal process detection device. Referring to Figure 3, the device includes a program determination module 301, a path judgment module 302, and a process marking module 303. The program determination module 301 is used to determine the execution program corresponding to the running process in the system. The path judging module 302 is used to judge whether the path of the execution program belongs to the preset legal path and, if not, to notify the process marking module 303 to mark the process corresponding to the execution program as abnormal.

[0061] This embodiment also provides another abnormal process detection device. Referring to Figure 4, the device includes the above modules, wherein the path judging module 302 also includes a system judging submodule 3021 and a custom judging submodule 3022. The system judging submodule 3021 is used to judge whethe...

Abstract

The present invention discloses an abnormal process detection method and apparatus. The abnormal process detection method provided by the present invention comprises: determining an executive program corresponding to a running process in an apparatus; and determining whether a path of the executive program belongs to a preset valid path, if no, marking that the process corresponding to the executive program is abnormal. According to the method provided by the present invention, the preset valid path is set in advance, and is a path for storing a valid program. If the executive program corresponding to a currently allowed process is not in the valid path, it proves that the executive program of the process is invalid, and therefore, the process is abnormal. According to the method provided by the present invention, a state of the process can be determined only by determining whether the path of the executive program of the process belongs to the preset valid path, so as to determine whether the process is a virus process, thereby searching and killing a virus. Therefore, according to the abnormal process detection method provided by the present invention, a virus can be searched and killed without knowing a property of the virus.

Description

Technical field

[0001] The invention relates to the field of electronic security, in particular to a method and device for detecting an abnormal process.

Background technique

[0002] With the flourishing development of the Internet, computer hackers, Trojan horses and viruses emerge in an endless stream and seriously threaten electronic (for example, computer) information security. People pay more and more attention to security issues, so various anti-virus software has emerged as the times require. Existing virus checking methods are usually based on feature code (signature) checking. Signature code scanning is a virus scanning technology that analyzes and resolves known viruses. It mainly scans and matches files or memory based on simple virus signatures. If the match is successful, it reports the virus type name corresponding to the matched signature. It adopts the principle that "a certain part of the code of the same virus or similar viruses is the same". That is to say, if the ...

Application Information

IPC(8): G06F21/56
CPC: G06F21/56
Inventor: 张南骏, 李炀, 周祥生
Owner ZTE CORP