CN104966018A - Windows system-based software program abnormal behavior analysis method - Google Patents

Abstract

The invention provides a method for analyzing abnormal behavior of software programs based on Windows system. The user selects a software program, and captures the software behavior information of the software program; establishes a white list library, a black list library and a dangerous behavior library; according to the white list Library, blacklist library and dangerous behavior library, analyze the captured software behavior information through genetic algorithm, and get the analysis results; display the analysis results, which greatly reduces the hidden dangers of network security caused by internal.

Description

Analysis Method of Abnormal Behavior of Software Program Based on Windows System

technical field

The invention relates to a method for analyzing abnormal behavior of software programs based on Windows system.

Background technique

With the increasing network security risks, the complexity of security issues is increasing. After a comprehensive survey of 484 companies by the FBI and CSI and the survey results of CNCERT/CC, the National Computer Network Emergency Coordination Center of China, it is shown that about 76% of the network Security threats come from inside, so it can be seen that the degree of harm far exceeds the losses caused by hacker attacks and viruses, and most of these threats are related to various internal network access behaviors; therefore, there is an urgent need for a security method to solve the above problems Effective monitoring and management. System program behavior monitoring is generated under such a background. The system abnormal behavior analysis program can intelligently determine whether there are viruses, Trojan horse abnormalities or dangerous operations by analyzing the behavior of each process in the system. The commonality of computer information system security requirements and architecture, its constituent elements are security means, system units and the Open System Interconnection Reference Model (OSI) formulated by the International Organization for Standardization (ISO). It is an important means to ensure network security that the local system conducts a comprehensive monitoring, analysis, and evaluation of security devices, network devices, application systems, and operating conditions in the network system. At present, most of the information systems of domestic enterprises are still Windows systems, including a large part of the server systems of some IDC enterprises are also Windows Server, so the monitoring under the Windows system is the most important thing.

Contents of the invention

The technical problem to be solved by the present invention is to provide a method for analyzing abnormal behavior of software programs based on Windows system.

The present invention is realized like this: a kind of software program abnormal behavior analysis method based on Windows system comprises the following steps:

Step 1, the user selects a software program, and captures the software behavior information of the software program;

Step 2, establishing a whitelist library, a blacklist library and a dangerous behavior library;

Step 3. According to the whitelist database, blacklist database and dangerous behavior database, the captured software behavior information is analyzed by genetic algorithm to obtain the analysis result;

Step 4, display the analysis result.

Further, the step 1 is further specifically: the user selects a software program, establishes a hook program in the Windows system, and captures the software behavior information of the software program through the hook program.

Further, in the step 1, the captured software behavior information is stored.

Further, the software behavior information includes thread behavior, registry behavior, file behavior, network behavior and driver behavior.

Further, the step 4 is further specifically: displaying the analysis result, and storing the analysis result in a corresponding library.

The present invention has the following advantages: the present invention is a method for analyzing abnormal behavior of software programs based on the Windows system, which greatly reduces hidden dangers of network security caused by the inside.

Description of drawings

The present invention will be further described below in conjunction with the embodiments with reference to the accompanying drawings.

Fig. 1 is a flow chart of the execution of the method of the present invention.

Detailed ways

The present invention is based on the software program abnormal behavior analysis method of Windows system, comprises the following steps:

Step 1, the user selects a software program, establishes a hook program in the Windows system, captures the software behavior information of the software program through the hook program, and stores the captured software behavior information, and the software behavior information includes thread behavior , registry behavior, file behavior, network behavior and driver behavior;

Step 2, establishing a whitelist library, a blacklist library and a dangerous behavior library;

Step 3. According to the whitelist database, blacklist database and dangerous behavior database, the captured software behavior information is analyzed by genetic algorithm to obtain the analysis results;

Step 4. Display the analysis results, and store the analysis results in a corresponding library.

A kind of specific implementation mode of the present invention is as follows:

1. System architecture: The system consists of an executable program, rule base (local or cloud), log files, analyzed software, etc.

System components and functions:

1. Construction of the overall system:

(1), drive monitoring module;

a. In the SSDT table, the function to be used by HOOK;

b. Data exchange with the control layer.

(2), data transmission control module (DLL)

a. In the ring3HOOK network function;

b. Interact with the driver layer;

c. Receive the input data information of the user interface layer, and send the data back to the interface layer.

(3), user function module

a. Monitor program behavior;

b. Display the behavior process of the monitored program;

c. Generate a log and record it to the access database;

d. Generate reports (reports are screened and judged);

e. Customize program security behavior (maintenance of black and white lists).

(4) Use genetic algorithm to learn and define rule modules.

The program can summarize some rules by itself, and automatically judge whether the software behavior is dangerous or not according to these rules.

2. Drive monitoring

Drivers are responsible for monitoring the behavior of system programs. The specific implementation process is as follows:

Driver layer (ring0): After the driver is installed, InitData() will be executed. The function of this function is to obtain the address of the system service function (that is, the function stored in SSDT) that the program needs to hook, and replace it with a custom function.

The drive control function contains two control codes:

OCTRL_PROCESS_MONITOR_ON and IOCTRL_PROCESS_MONITOR_OFF are used to enable and disable hook respectively. At the same time, in order to realize the data and control interaction with the ring3 layer program, the ring3 layer program sends the buffer area applied for at this layer while sending the hook control code, and the ring0 program passes the mapping

//Get the buffer address sent by the user layer

dwBuffAddress=*(DWORD*)pIoBuffer;

//Get the physical address according to the virtual address

pPhysicalAddr = MmGetPhysicalAddress((PVOID)dwBuffAddress);

//Map physical address to virtual address

g_pMyBuff=(PMY_BUFF)MmMapIoSpace

(pPhysicalAddr, sizeof(MY_BUFF),(MEMORY_CACHING_TYPE)0);

Then the buffer can be accessed "directly" at the ring0 layer, thus realizing the interaction between ring0 and ring3. This program uses kernel layer HOOK technology.

3. Data transmission control

DLL (control) layer: This layer first installs the driver program in the form of a service, loads the driver, establishes a device connection and then enables the network function HOOK (using the global HOOK in the message HOOK, based on a hook template library)

a. Open the Service Control Manager;

b. Create the service corresponding to the driver;

c. Establish a device connection.

This layer exports two functions, monitor and unmonitor, which are used to start monitoring and stop monitoring respectively. Monitor implementation:

(1) Open the symbolic link of the driver, send the start control code, and notify the driver to open the hook;

(2) After the Monitor sends the startup control code, it also creates a thread MonitorThreadProc that accepts kernel information.

(3) The thread MonitorThreadProc receives the information sent by the driver in a loop, and sends it to the user interface layer program in the form of a message after appropriate processing (converting the drive letter, etc.).

(4) The key data structure m_MyBuff.m_dwKenelReturn (check whether the driver sends new information), after the information is processed, the dll layer sets it to false, m_MyBuff.m_dwUserReturn (whether the user agrees to the program), always set to true (Because the program is not active defense type, only behavioral analysis).

(5) Correspondingly, the if(!g_pMyBuff->m_dwKenelReturn) break should also be controlled in the driver program. If the ring3 layer program does not finish processing the message, it will wait until the message is processed and the function of copying the message returns. Proceed to the next message copy.

4. User application

The function of the user application module is to satisfy the user's simple operation and analyze the monitoring behavior process of the required monitoring program. The specific implementation process is as follows:

When the program is initialized, the dll file of the control layer is loaded, and the connection of the access database is opened at the same time.

After the operation interface appears, open the executable file of the program to be monitored.

Clicking "Start Authentication" will open the executable file. During this process, the driver has started to monitor various behaviors of the executable file, and dynamically sends the monitored behaviors to the control layer, and the control layer sends them to the interface in the form of messages, and the interface receives and displays them.

After clicking "Stop Authentication", the driver monitoring stops. All monitored behaviors during this process have been saved and will be recorded in the database during the log generation process.

"Generate log": A record in txt format will be generated and recorded in the database for analysis.

"Generate report": An html file named after the system time will be generated in the doc directory, and it will be opened automatically, and the optimized records will be displayed, and suspicious behaviors will be analyzed for users' reference and analysis.

"Add rule": It is convenient for users to add behaviors that are allowed to pass, and it can also delete some outdated behaviors.

5. Application of Genetic Algorithm

This system uses genetic algorithm to realize the automatic generation of rules. This algorithm mainly adopts the principle model of biological species evolution, and uses biological genetic operations such as selection, crossover, and mutation.

The general steps of the genetic algorithm: first randomly initialize a population, then use the fitness calculation function to calculate the fitness of each individual in the population, and then calculate whether the individual meets the criteria for optimization according to the established rules. If it is satisfied, then the algorithm stops, and the current population is the optimal individual.

If the criteria are not met, the algorithm will select individuals with high fitness, and carry out biological genetic operations on individuals in this population, such as selection, crossover, mutation, etc. The purpose of genetic operations is to evolve a better offspring population. After evolution, the offspring population needs to use the existing rules to re-determine the degree of satisfaction of the optimization criteria, and then evolve to generate a new population.

Through the genetic algorithm, some previously monitored behaviors defined as dangerous are added to the rule file, and these behaviors are used as the basis for judgment. At the same time, based on past experience, some behavior sequences or collections can be set as certain dangerous operations.

In this program, if the behavior of the analyzed software exists in the white list, the software behavior is considered safe, otherwise it is considered dangerous. Drawing on the idea of genetic algorithm, the control of the white list is given to the user , the white list is added by the user. As the user continues to enrich the white list, the recognition ability of this software becomes more perfect. The white list is gradually improved as the number of samples increases. To put it bluntly, the more white lists added by users, the richer the white list and the more perfect the software's identification behavior.

The general structure of the system abnormal behavior analysis program based on genetic algorithm is as follows:

1. Quantify abnormal behavior rules and adjust the algorithm design in a timely manner;

2. Record the coding rules, use the data structure to represent genes, and use chromosomes to represent the memory space of behavior rules;

3. Design, copy, crossover and mutation operators;

4. Design of fitness function and cost function;

5. Rule memory record processing (such as: setting whitelist, pulling into blacklist, and automatically identifying behaviors on the blacklist and whitelist, etc.)

Although the specific embodiments of the present invention have been described above, those skilled in the art should understand that the specific embodiments we have described are only illustrative, rather than used to limit the scope of the present invention. Equivalent modifications and changes made by skilled personnel in accordance with the spirit of the present invention shall fall within the protection scope of the claims of the present invention.

Claims (5)

1., based on a software program abnormal behaviour analytical approach for Windows system, it is characterized in that: comprise the steps:

Step 1, the selected software program of user, catch the software action information of this software program;

Step 2, set up white list storehouse, blacklist storehouse and hazardous act storehouse;

Step 3, according to white list storehouse, blacklist storehouse and hazardous act storehouse, the software action information captured is analyzed by genetic algorithm, obtains analysis result;

Step 4, analysis result to be shown.

2. the software program abnormal behaviour analytical approach based on Windows system according to claim 1, it is characterized in that: described step 1 is specially further: user selectes a software program, in Windows system, set up hook program, caught by the software action information of hook program to this software program.

3. the software program abnormal behaviour analytical approach based on Windows system according to claim 1, is characterized in that: in described step 1, the software action information of catching is stored.

4. the software program abnormal behaviour analytical approach based on Windows system according to claim 1 or 3, is characterized in that: described software action information comprises the behavior of inlet wire journey, registration table behavior, file behavior, network behavior and driving behavior.

5. the software program abnormal behaviour analytical approach based on Windows system according to claim 1, is characterized in that: described step 4 is specially further: shown by analysis result, and is stored to by analysis result in corresponding storehouse.