Method and device for acquiring behavior stack information

Abstract

The invention discloses a behavior stack information acquisition method and device, and relates to the technical field of security, and mainly aims to acquire the behavior stack information of all processes on terminal device without repeatedly injecting a capture module into the processes and simplify the acquisition steps of the behavior stack information, so that the acquisition efficiency of the behavior stack information can be improved. In addition, the normal operation process of the terminal device can be prevented from being interfered, and a user can normally use the terminal device.The method comprises the following steps: monitoring a behavior event of a running process in terminal device in a kernel layer of the terminal device; when it is monitored that the behavior event occurs, stack information backtracking is conducted on system calling of the running process in a current process thread space corresponding to the behavior event, and behavior stack information of therunning process is obtained. The method and the device are suitable for acquiring the behavior stack information.

Description

technical field [0001] The present invention relates to the field of security technology, in particular to a method and device for acquiring behavior stack information. Background technique [0002] With the rapid development of Internet technology, more and more application programs appear and are widely applied to terminal devices in order to facilitate users' life and work. Therefore, in order to avoid terminal device data leakage and cause user property loss, terminal device data security becomes more and more important. In practical applications, the behavior stack information of the process in the terminal device is usually obtained, and the behavior stack feature database is constructed according to the behavior stack information, and then the behavior stack feature database is used as the basis for judging the normal operation behavior and abnormal operation behavior of the process, so as to provide Virus and Trojan horse detection and killing add new means to prote...

AI Technical Summary

Problems solved by technology

However, only the behavior stack information corresponding to the injected process can be obtained through each capture module, and multiple processes can usually be created on the terminal device. If the behavior stack information is obtained through the above method, the steps of injecting the capture module need to be repeated, resulting in behavior stack The steps of information acquisition are complicated, resulting in low efficiency of behavior stack information acquisition

In addition, when the process is created, it means that the terminal device is running the process. At this time, injecting the capture module into the process will interfere with the normal running process of the terminal device, thereby interfering with the normal use of the terminal device by the user

Images