101 results about "Process behavior" patented technology

An anomalous process behavior manager uses statistical information concerning running processes to detect and manage process behavioral anomalies. The anomalous process behavior manager collects per process statistical data over time, such as resource allocation statistics and user interaction statistics. Current collected statistical data is analyzed against corresponding historical statistical data to determine whether processes are behaving in expected ways relative to past performance. Appropriate corrective steps are taken when it is determined that a process is behaving anomalously. For example, the process's blocking exclusions can be revoked, the process can be uninstalled, the process and/or the computer can be scanned for malicious code, the user can be alerted and/or relevant information can be shared with other parties.

A client simulator for simulating client behavior in groups or individuals to telephone services in a test system for testing telephone services between subscribers in a PSTN and clients in a distributed information network, for example, the Internet (IP Network), prior to availability of the telephone services to the subscribers and clients. A processor is coupled to a TCP/IP data network linked to the PSTN via a System Control Point (SCP) and the IP Network via an application server. A storage means is coupled to the processor through input/output registers and includes stored instruction for a parent process and a pool of client processes. e storage means further includes: a) a test input data file which contains client behavior profiles of either groups or individual client processes to call data messages; b) a logger queue file which allows the parent process to write event messages indicating start or stopped client processes with time stamp; c) a client information file which contains information and data for the total number of processes identified as being part of the test; d) a stopped client file used to track client processes that have stopped. The parent process is responsible for reading the test input data file and passing the client process behavior profile to the client processes. Each client process is responsible for returning state information to the PSTN; call handling actions and providing call handling statistics. The client process includes a client behavior control functions which processes and maintains the behavior parameters passed by the parent process. The behavior function, inter alia, accepts the call message, forward the call message according to the client behavior profile. The client process further includes a send/receive function to read and write to the registers coupled to the TCP/IP data network and support voice over IP protocols. A test originated by the PSTN is passed to the test input data file by the SCP and application file. The parent processes passes the call message to the client process. The client process provides a variety of call handling options including (a) accepting the call on the client's PC; sending a voice message to the caller. The call data messages responses are sent back to the SCP through the application server. The SCP directs the PSTN on how to handle the message call response.

The invention relates to a method and a system for identifying a malicious program. The method comprises the following steps: 1. acquiring information and acts of all processes in a computer system, establishing a process relational tree according to the set membership among the processes, and storing a process information and a process behavior list corresponding to each process; 2. classifying the process behaviors in the process behavior list of the parent process, and allocating the information of the parent process to sub-process according to the classification and the order of the process relation tree from top to bottom; 3. symbolizing according to the process relation tree and the process information, judging a malicious program based on a preset malicious behavior threshold, and running the malicious program in the computer system to obtain an expert system for judging the malicious program; and 4. when the process of a new program is created, using the expert system to judge whether the new program is a malicious program. Compared with the prior art, the invention lowers the implementation complexity and can improve the efficiency.

A method of targeting users receives a data feed that has information relating to a first media and extracts events from the received data feed. The method generates a profile relating to a first item in the first media, and processes behavior of a first group of users of a second media. The method models the behavior of the first group of users, and generates a scoring function by using the modeling. A system for targeting a user includes a data feed, an event extractor, one or more profiles, a behavior processor, and a model. The data feed has information relating to a first media. The event extractor is for receiving the data feed and extracting particular information based on a second media. The profile(s) are based on the extracted information. The behavior processor is for receiving the profile and comparing the profile to a first group of users of the second media. The model space is for receiving an output of the behavior processor and modeling user behavior by using the profile.

A method and apparatus for monitoring a computer to detect operating system process manipulation by malicious software programs is disclosed. In one embodiment, a method for detecting operating system process manipulation through unexpected process behavior includes accessing process behavior indicia regarding memory addresses used by at least one user mode process to request computer resources and comparing the process behavior indicia with a user mode request to identify operating system process manipulation.

A method for learning a process behavior model based on a process past instances and on one or more process attributes, and a method for detecting an anomalous process using the corresponding process behavior model.

Embodiments of invention provide a behavior processing method and device. The method comprises acquiring a mark of a target ability to be executed after traversing an ability subtree of a role behavior tree; selecting a target ability subtree matching the mark of the target ability from an ability pool, and loading the target ability subtree on the role behavior tree; and sequentially traversing all nodes of the target ability subtree, and executing linear ability motion corresponding to a target condition node if that a target condition node associated with a trigger event returns effective information is traversed. According to the behavior processing method and device, a subtree of a target ability to be executed can be loaded on a role behavior to be traversed, features of recursion and logic of a behavior tree can be fully utilized, the design mode is simple, and the expansibility is excellent.

The embodiment of the invention provides a method, a device and a system for detecting a malicious process behavior. The detection device is used for monitoring a process behavior of a process so as to acquire behavior information of a target process behavior, and sending the behavior information of the target process behavior to a server; the server detects the target process behavior according to the behavior information of the target process behavior to determine whether the target process behavior is a malicious process behavior, so that the detection device can receive first operation indicating information returned by the server according to a detection result of the target process behavior, and operate the target process behavior according to the first operation indicating information. The target process behavior is subjected to comprehensive detection by the server according to the behavior information of the target process behavior instead of appointed feature analysis on a single sample by the detection device, so that the malicious process behavior can be detected in time, and the safety of the system is improved.

The invention discloses a document leak protecting and tracking system which comprises a management module, a sensitive word matching module, a monitoring module, a behavior analysis module, a Trojansandbox module and an early warning analysis module, wherein the management module is used for setting sensitive word configuration information of the protecting and tracking system and user-defined rules as well as issuing planning tasks of document scanning and matching sensitive words for each host operating system; the sensitive word matching module is used for matching documents accessed by all processes for each host operating system as well as recognizing whether configuration key words exist in the documents or not; the monitoring module is used for monitoring local directories and files in real time and controlling access process behaviors of the local directories and files; the behavior analysis module is used for analyzing various behaviors of file access processes; the Trojan sandbox module is used for simulating and backtracking process behavior events with leak behaviors so as to recognize Trojan leak and Trojan outbreak; and the early warning analysis module is used forintercepting and early-warning all host clients when Trojan stealing behaviors are found. The system disclosed by the invention can be used for backtracking leaked and stolen sensitive files in computers as well as recognizing leaking and stealing modes.

Techniques are disclosed for influencing behavior of enterprise operations during process enactment using provenance data. For example, a computer-implemented method of influencing a behavior of an enterprise process comprises the following steps. Provenance data is generated, wherein the provenance data is based on collected data associated with at least a partial actual execution of the enterprise process and is indicative of a lineage of one or more data items. A provenance graph is generated that provides a visual representation of the generated provenance data, wherein nodes of the graph represent records associated with the collected data and edges of the graph represent relations between the records. At least a portion of the generated provenance data from the graph is analyzed to generate an execution pattern corresponding to the at least partial actual execution of the enterprise process. The execution pattern is compared to one or more previously stored patterns. A determination is made as to whether or not to alter the enterprise process based on a result of the comparison.

The invention discloses a detecting method and device of bat loopholes and relates to the field of information safety. The bat loopholes in a bat script can be detected quickly and accurately so that the safety of a computer system can be protected. According to the main technical scheme, a bat virtual machine for bat script operation is established; the bat script operates on the bat virtual machine, and the process behavior of the bat script during operation is recorded; the process behavior and a preset malicious behavior base are matched, and the preset malicious behavior base comprises the judging rules of a know malicious behavior script; and if matching is successful, the fact that the bat script is the bat loopholes is determined. The detecting method and device are mainly used in the processing of bat loophole detecting.

The invention provides a virtual machine safety monitoring method based on behavior recognition. A series of virtual machines, key monitoring points in the relevant program running process behavior and virtual machine resource state critical identification points are set, and then corresponding characteristic parameter specifications are set. On the basis, virtual machines and relevant resources are monitored, and when it is found that the behaviors of the virtual machines and virtual machine applications or the relevant resource states of the virtual machines are abnormal, an abnormality alarm is given. Through a bottom layer operation system or monitoring system of the running environment of the virtual machines, corresponding protective measures can be taken according to the abnormality warning information, and thus the running safety of the virtual machines and a virtualized system can be effectively guaranteed.

The invention discloses a process behavior control method and a process behavior control device. The method comprises the following steps that: when detecting a keyboard input or key input behavior, an underlying driver intercepts the calling of a callback function by a message hook, wherein the message hook is associated with a process for triggering the current keyboard input or key input behavior; the underlying driver sends information of the process associated with the message hook to an application layer; the underlying driver stops or allows the behavior triggered by the process associated with the message hook; the application layer judges whether the behavior triggered by the corresponding process is stopped or allowed or not according to the information of the process associated with the message hook, and informs the underlying driver of a judgment result; and the underlying driver performs the corresponding operation of stopping or allowing the behavior triggered by the corresponding process according to the judgment result of the application layer. By the method and the device, the calling of the callback function by the message hook can be intercepted, and the stability of a system is ensured.

The invention relates to a service analysis based automatic test case generation system and method. The service analysis based automatic test case generation system comprises a service analysis layer for determining the will of service achievement and clarifying a judgement criterion of the system, a system structure analysis layer for analyzing program elements, operating timing sequence and a detection object of a tested system and clarifying a program verification model for system testing, a testing design layer for performing test point analysis management and test data analysis management, an automatic test case generation engine for converting tested and analyzed data into test cases. By the adoption of the system and method, the problem that business personnel do not know techniques and accordingly 'demand distortion' of software design is caused, and the phenomenon that software function design does not meet the demand of service intent and accordingly frequent reworking is caused is avoided. The process behaviors of service, design and testing analysis are recorded through unified management practices and sediment to form properties of the software design process, and the service analysis based automatic test case generation system has a wide application range.

The invention relates to a method for controlling software behavior based on a least privilege principle, used for protecting a computer operating system from being damaged by malicious behaviors. The method comprises the following specific steps: setting parameters of a monitoring module according to the least privilege principle, storing the parameters in a registration list, and reading and storing through a control module interface; creating a process behavior sandbox, a file behavior sandbox and a registration list behavior sandbox, and monitoring the clue of process tree by the behaviorsand boxes; for interaction with users or file operation, filtering IRP (input/ output request package) process, and determining different operations according to different function request control codes; for process or registration list monitoring, not carrying out IRP filtration process; turning to step 5) and keeping monitoring if no abnormal situation is monitored; actively transmitting alarming information in real time to a control module positioned at an user layer; and carrying out system alarming.

The invention relates to network safety and aims at providing an attack chain behavior analysis based Trojan horse detection method and system. The attack chain behavior analysis based Trojan horse detection system comprises a DNS domain name anomaly detection module, a Trojan horse incubation behavior anomaly detection module and a Trojan horse communication behavior anomaly detection module andcan perform anomaly detection on three behavior processes, including, a Trojan horse connection process, a Trojan horse incubation process and a Trojan horse communication process, in a Trojan horse permeation attacking process; when the anomaly detection condition of the Trojan horse connection process, the Trojan horse incubation process and the Trojan horse communication process is met, a factthat a Trojan horse is detected is confirmed and the Trojan horse detection is realized. By performing sequential associated analysis on the three Trojan horse behavior processes, including, the Trojan horse connection process, the Trojan horse incubation process and the Trojan horse communication process, the comprehensive and efficient Trojan horse detection method and system are provided respectively based on the behavior features of the three Trojan horse processes, the accuracy of Trojan horse detection is enabled to be higher, and the missing report rate is enabled to be lower.

The invention provides a user mining method, apparatus and device. The method comprises the steps of processing historical behavior information of a user to obtain a frequent item set containing multiple groups of associated behaviors; processing behavior information in a preset time of the current user according to the frequent item set, calculating a support degree and a confidence degree corresponding to each group of the associated behaviors of the current user, and screening out at least one group of target associated behaviors meeting a condition according to a preset threshold; calculating first associated parameters and second associated parameters of the current user according to target behavior information related to the target associated behaviors and triggering parameters corresponding to the target behavior information; and processing the first associated parameters and the second associated parameters according to a preset algorithm to obtain a processing result, and determining whether the current user is a target user or not according to the processing result and a preset threshold. The target user can be accurately mined, and future possible behaviors of the user can be accurately predicted, so that commodities liked by the user are recommended, the search experience of the user is improved, and the conversion rate of a merchant is increased.