178 results about "Software behavior" patented technology

The present invention addresses the problem of providing illumination in a manner that is energy efficient and intelligent. In particular, the present invention uses distributed processing across a network of illuminators to control the illumination for a given environment. The network controls the illumination level and pattern in response to light, sound, and motion. The network may also be trained according to uploaded software behavior modules, and subsets of the network may be organized into groups for illumination control and maintenance reporting.

The invention relates to a malicious software detection system based on P2P dynamic cloud and a malicious software detection method. The system comprises a single solid cloud server, multiple dynamic cloud servers and multiple distributed terminals, wherein the multiple dynamic cloud servers form a P2P network, the single solid cloud server and the multiple dynamic cloud servers form a C/S network, the dynamic cloud servers and the distributed terminals form a C/S network, the distributed terminals are used for monitoring abnormality of software behaviors in the network to acquire abnormal behavior characteristics, and the abnormal behavior characteristics are uploaded to the dynamic cloud servers, the dynamic cloud servers are used for analyzing the abnormal behavior characteristics and feeding back the analysis result to the distributed terminals or the solid cloud server, and the solid cloud server is used for carrying out further analysis on the abnormal behavior characteristics uploaded by the dynamic cloud servers and feeding back the analysis result to the distributed terminals through the dynamic cloud servers. Through the system, load of the cloud servers is mitigated, a speed of response to a client request is improved, and precision of detection on the malicious software is improved.

This invention discloses a method for testing inbreak, which obtains the information of software behavior characters of a program, a structure access model and acts it on the program to prevent abnormal behavior so as to protect the entire network server system to avoid network inbreak including the following basic processes: collecting and processing a behavior security box to monitor the software behavior timely and a protection system suitable for the above mentioned method is also disclosed to realize the close coupling control to the behavior of the applied program.

The invention discloses a method and a device for detecting malicious software of an intelligent mobile terminal. The user operation is compared with a software behavior and according to behavior characteristics, the malicious software is identified. For continuously emerging new viruses or virus mutations, compared with a conventional detection method, the method and the device do not depend on a malicious code section feature library and a malicious function calling sequence feature library and are also limited to known malicious software, and thus, the method and the device have high universality and high detection rate, malicious behaviors such as malicious charging, privacy stealing and remote control can be well identified and reliable guarantee is provided for safety use of the intelligent mobile terminal.

The invention discloses a data monitoring method and a data monitoring system for software behavior of a mobile terminal. The data monitoring method comprises the following steps: (1) monitoring the events that application software of the mobile terminal triggers a hardware device to start or close, and recording a trigger, a triggered object and time of each event, (2) constructing an operation state diagram of one hardware device serving as the triggered object within a preset time period, (3) extracting the triggers corresponding to specified time on the operation state diagram to form a display table, and (4) counting the total duration respectively occupying each hardware device of the application software serving as the trigger in the preset time period to form a display table. By means of the data monitoring method and the data monitoring system for the software behavior of the mobile terminal, a user can well master the specific behavior of each application software of the mobile terminal, data statistics of the software behavior is formed, so that the user is helped to analyze abnormal software behavior, various rogue software is found out, the safety of user information of the mobile terminal is guaranteed, and power consumption caused by back-stage operation of various software is reduced.

The invention discloses a proxy server having a mobile terminal malicious software behavior detection capability and a method. The proxy server comprises a static detection module, a dynamic detection module and a flow behavior analysis module, wherein the static detection module is used for performing static detection on downloaded mobile applications by calling a static detection interface; the dynamic detection module is used for performing secondary detection on the mobile applications which are detected to be normal by the static detection module by calling an API interface provided by a third-party dynamic detection service; and the flow behavior analysis module is used for processing flow of applications installed by a user and detecting whether flow behaviors are generated by malicious software or not through a flow detection service model. A novel proxy server having a triple detection capability is designed. Through primary and secondary detection, the security of the mobile applications installed by the user is basically ensured. Through tertiary flow detection, effective identification of malicious behaviors generated by the malicious software is ensured.

The invention discloses a software cleaning method and device. The software cleaning method comprises obtaining one or a plurality of software cleaning requirements which comprise software description information; searching software file description information which is corresponding to the software description information in a preset software information base with software installed, recording the file description information which is relevant to the software and generated through software behaviors of one or a plurality of software in the preset software information base with the software installed and deleting one or a plurality of files which are corresponding to the description information according to searched description information of the file which is relevant to the software. The software cleaning method has the advantages of solving the problem that in the prior art, part of residual files are left during a software uninstalling process and automatically achieving cleaning of the software when a user select the software to be cleaned, namely, achieving one-key cleaning of the software.

The invention discloses an abnormal behavior detection system of Android platform software, and belongs to the technical field of the intelligent mobile terminal. The system comprises an Android mobile terminal and a software behavior monitoring database, wherein the Android mobile terminal and the software behavior monitoring database are mutually communicated; the Android mobile terminal comprises a kernel Hook module, a data analysis module and a Hook log module; the kernel Hook module comprises a System_server process, a libbind.so library and an ioctl function, wherein the System_server process, the libbind.so library and the ioctl function are successively interacted to realize the extraction of kernel Hook information; the data analysis module comprises a resource monitoring process, a state monitoring process, a data analysis engine and a data processing process, and carries out the definition writing of software behavior abnormality. The abnormal behavior detection system has the advantages of advancement, accuracy and comprehensiveness, combines the advantages of dynamic detection and static detection, effectively detects the abnormal behavior of app software through the Hook of a sensitive API (Application Program Interface) function, and effectively carries out statistics on the operating system behavior characteristics of the software.

The invention relates to a software hybrid measure method based on trusted computing. The software hybrid measure method includes the steps: preprocessing software, analyzing and inserting program source codes, extracting behavior characteristics of the software, generating a software behavior characteristic library, embedding a software integrity measure strategy and generating an executable program to be measured; measuring the software, measuring integrity by a parallel optimization algorithm when starting the executable program to be measured according to the integrity measure strategy and the software behavior characteristic library, and dynamically measuring the executable program in real time in the running process. Static software measure and dynamic software measure can be simultaneously supported, software integrity measure and real-time dynamic behavior measure are combined by the aid of technologies such as parallel optimization, strategy embedding, inserting and system calling division, and the method has fine measure efficiency and low measure expenditure.

The invention provides an Android software visualization safety analysis method based on module relations.According to the method, module recognition is conducted on Android software source codes according to a standard module model, all Android modules are extracted, then all attributes of individual module are obtained through regulation matching engine analysis, automated module type modeling of Android software is achieved, software behavior is described in the modularized form, meanwhile, user privacy data serve as the core, privacy data and data leakage outlets are recognized, the weakness degree of each module is quantified, visualization description is conducted on possible privacy disclosure behavior of the software, module positions which is attacked by malicious applications possibly and the module calling relation, and visualization display of the software behavior with respect to safety is achieved.Artificial distinguishing of a user and a program analysis method are effectively combined, so that the user has more visualized knowledge about the software behavior related to privacy data, and the purpose of distinguishing safety of an application is achieved.

The invention relates to an active defense system based on Android platform software behavior detection. The active defense system based on Android platform software behavior detection is used for actively defending mobile phone security threats. According to the active defense system, process data are collected by using a top command or a PS command, and ActivityManager.MemoryInfo () and ActivityManager.AppProcessInfo () which are provided by an API (Application Programming Interface) of Android; the collected data are analyzed by using a PCA (Principal Component Analysis) method, features which best reflect samples are extracted, and the samples are loaded to a neural network model; and partial samples are randomly selected for learning so as to obtain model parameters which serve as model parameters of an evaluation portion, thus, the samples to be detected are evaluated, whether the samples are normal or not is judged, and then, whether some process is abnormal or not is judged. According to the active defense system, PCA dimensionality reduction is introduced into mobile phones in a manner of being combined with a BP (Back Propagation) neural network, so that the traditional computation amount and memory capacity of the BP neural network are reduced, the active defense system can be excellently implemented on mobile devices with limited computing power and storage capacity, such as the mobile phones, and the security of the mobile phones is guaranteed.

Automated security systems and methods include a set monitored systems, each having one or more corresponding monitors configured to record system state information. A progressive software behavioral query language (PROBEQL) database is configured to store the system state information from the monitored systems. A query optimizing module is configured to optimize a database query for parallel execution using spatial and temporal information relating to elements in the PROBEQL database. The optimized database query is split into sub-queries with sub-queries being divided spatially according to host and temporally according to time window. A parallel execution module is configured to execute the sub-queries on the PROBEQL database in parallel. A results module is configured to output progressive results of the database query. A security control system is configured to perform a security control action in accordance with the progressive results.

The invention discloses a method of tracing software abnormal behaviors based on a software functional layer. The method includes: firstly, capturing system call sequences of software functions, and figuring out a standard operating sequence of each software function state sequence; secondly, adopting software functions as points of interest of program slices, and establishing a program slicing criterion of each software function; thirdly, establishing software function transferring charts during normal software operation; and finally, acquiring a test sequence of each software function in the testing sequences, matching with the test sequence with the standard operating sequence, and detecting software abnormal behaviors. According the method, higher-layer software state models can be extracted on the basis of system call, software modeling is performed according to software function transferring manners, whether or not the software functions are abnormal can be judged by detecting errors of function state sequences, program slices are made on software abnormal behaviors, and the purpose of software tracing is achieved; reasons for software abnormal behaviors are found out from the root, and control of software behavior creditability is improved.

The invention provides a virtual machine measurement method and apparatus. The method comprises: configuring a to-be-measured file and a white list; constructing a behavior information base corresponding to each piece of white list software located in the white list; by measuring a kernel file and the to-be-measured file in a virtual machine starting process, judging whether the kernel file and the to-be-measured file are trusted; at a set first time interval, obtaining a process currently in a running state and memory information in a virtual machine; according to the process currently in the running state and the memory information, judging whether software located outside the white list runs in the virtual machine; and at a set second time interval, obtaining a software behavior of each piece of white list software in a running state, and by comparison with the corresponding behavior information base, judging whether each piece of white list software runs normally. The apparatus comprises a configuration unit, a construction unit, a first measurement unit, an acquisition unit, a second measurement unit and a third measurement unit. According to the scheme, the security of the virtual machine can be improved.

The invention relates to a software behavior credibility detecting method based on a diagram. A detecting system is divided into five modules including a data preprocessing module, a state diagram training module, a behavior detecting module, a real-time monitoring module and an abnormal warning module, wherein the data preprocessing module is in charge of processing preliminary data; the state diagram training module is used for training a normal behavior base; the behavior detecting module is in charge of detecting behaviors according to the built diagram, and the detection module is divided into two layers, the first layer is used for detecting states and paths, and the second layer is mainly used for detecting weights; the real-time monitoring module dynamically stores detection results in a log mode; and the abnormal warning module warns when the detecting module detects abnormal conditions, and stops running software. A detecting model can monitor software behaviors in real time, and detects behaviors which do not belong to the software, aggressive behaviors and illegal input.

A mobile intelligent terminal malicious software analysis system comprises a mobile intelligent terminal client program, a software behavior information analysis background server, a client-side and background server communication protocol, and a distributed operating environment, wherein the mobile intelligent terminal client program is used for collecting behavior information in software operation and sending the information to the background server; the software behavior information analysis background server adopts related algorithms to analyze software behavior information, judges whether software has malicious behaviors or not, and returns analysis results to a mobile intelligent terminal; the client-side and background server communication protocol is used for achieving data communication between a client-side and the background server; and the distributed operating environment is used for providing mass data of software behavior analysis. According to the mobile intelligent terminal malicious software analysis system, emerging malicious software can be effectively detected, and system resource overhead of the mobile intelligent terminal on malicious software detection is reduced.

The invention provides a system and method for detecting dynamic malicious behaviors of an application program in a mobile terminal. The system comprises a software behavior extraction module, a dynamic stain tracking module, a dynamic behavior recognition module and a driving module, wherein the software behavior extraction module dynamically extracts software behaviors of the application program running on the mobile terminal; the dynamic stain tracking module receives the software behaviors and monitors a data transmission behavior among the software behaviors to judge whether the data transmission behavior is a malicious behavior; the dynamic behavior recognition module receives the software behaviors and recognizes a software system calling behavior among the software behaviors to judge whether the software system calling behavior is a malicious behavior; the driving module receives judgment results of the dynamic stain tracking module and the dynamic behavior recognition module and conducts processing. By means of the system and method, a dynamic detection technology for the application program in the running process is provided, the ability of the system to detect malicious software is improved, and information security of users is guaranteed.

A code abstraction can be created within a software meta-development tool as a platform and programming language independent representation of a software application. The code abstraction can be comprised of action objects and data flow connectors. An action object can be a graphical placeholder representing software code that implements software behavior. Each action object can have an input and an output stream that are unconstrained by data type. A data flow connector can connect the output stream of one action object to the input stream of another sequentially-related action object. The data flow connector can graphically express a directional relationship and can define input data and transformation parameters. The data flow connector can implicitly represent the operations necessary to convert the input data in accordance with the transformation parameters. Authoring of the software code associated with the code abstraction by a user of the software meta-development tool can be unnecessary.

The invention discloses a function cell based dynamic detection method for buffer overflow vulnerability. The method comprises the steps of acquiring a function call instruction address and a return instruction address of a detected program; building input parameters, and operating the detection program; in case of function call occurs, acquiring the value EBP_B in a base register; acquiring the value EBP_A of the base register when the function call is finished; if EBP_B is not equal to EBP_A, recording the vulnerability and alarming; if EBP_B is equal to EBP_A, determining that no vulnerability occurs; repeating the process until the detection program finishes the operation; continuously acquiring the function call information of the current operation; matching with an abnormal software behavior model; if matching, recording the possible vulnerability; if not matching, determining that the behavior of the program under the current input is free of the feature showing the buffer overflow vulnerability. The method is that a large number of inputs are built for repeated detection. The method can perform dynamic detection and improve the detection efficiency.

The invention relates to a multi-track malicious program feature detecting method based on data mining. The multi-track malicious program feature detecting method comprises the step of behavior track acquiring, the step of zone partitioning, the step of feature extracting and feature library establishing and the step of magnanimity detecting. In the step of behavior track acquiring, a dynamically-operating system calling sequence of a program is obtained; in the step of zone partitioning, zone portioning is carried out on obtained software behavior tracks so as to adapt to the needs of the mining process; in the step of feature extracting and feature library establishing, a sequence mode mining algorithm improved in data mining is adopted for acquiring a data flow, network flow and resource flow behavior frequent subsequence set, removing normal program behavior track fragments and structure a malicious behavior feature library; in the step of magnanimity detecting, magnanimity detecting is carried out on a program operating in real time according to the structured three-dimensional feature library. The multi-track malicious program feature detecting method based on data mining is high in detection accuracy.

The invention relates to a method for controlling software behavior based on a least privilege principle, used for protecting a computer operating system from being damaged by malicious behaviors. The method comprises the following specific steps: setting parameters of a monitoring module according to the least privilege principle, storing the parameters in a registration list, and reading and storing through a control module interface; creating a process behavior sandbox, a file behavior sandbox and a registration list behavior sandbox, and monitoring the clue of process tree by the behaviorsand boxes; for interaction with users or file operation, filtering IRP (input/ output request package) process, and determining different operations according to different function request control codes; for process or registration list monitoring, not carrying out IRP filtration process; turning to step 5) and keeping monitoring if no abnormal situation is monitored; actively transmitting alarming information in real time to a control module positioned at an user layer; and carrying out system alarming.

The invention discloses an online virus detection method based on assembly of multiple detectors and relates to computer virus detection. The method includes the sample preparation stage, the Map stage, the Reduce stage, the background timed processing stage. Based on a Hadoop distributed computing frame, a security system, namely an online virus detection model, aiming at defense of the whole Internet is provided. The Map stage and the Reduce stage are achieved by means of the Hadoop distributed computing frame. The online virus detection model intergrates parallel processing, grid computing, unknown virus behavior judgment and other emerging technologies and concepts and performs abnormity monitoring on software behaviors in the Internet through a large number of reticular clients, latest information about viruses, the Trojan horse and other malware in the Internet is obtained and transmitted to a server to be automatically analyzed and processed, and then the solutions to the viruses and the Trojan horse are distributed to all the clients.

Systems described herein provide structures and functionality for transforming passive analytics systems into systems that can actively modify software behavior based on analytic data to improve software performance relative to configurable goal metrics. An example method generally includes receiving, from a policy generator, a decision-making policy specifying actions for a software application to perform upon detection of decision-point events; receiving a decision-making request from the software application; retrieving, from a data repository, time-series data in a session associated with the consumer identifier; selecting one or more of the different actions for the software application to perform by comparing the time-series data and the event type to the decision-making policy; sending an indication of the selected actions in response to the decision-making request; and updating the time-series data in the session associated with the consumer identifier to reflect the decision-point event and the one or more selected actions.