Signature-independent, System Behavior-based Malware Detection

Signature-Independent Malware Detection Based on System Behavior

Abstract

The present invention relates to a method, system, and computer program product for detecting malware based upon system behavior. At least one process expected to be active is identified for the current mode of operation of a processing system comprising one or more resources. An expected activity level of the one or more resources of the processing system is calculated based upon the current mode of operation and the at least one process expected to be active. An actual activity level of the one or more resources is determined. If a deviation is detected between the expected activity level and the actual activity level, a source of unexpected activity is identified as a potential cause of the deviation. Policy guidelines are used to determine whether the unexpected activity is legitimate. If the unexpected activity is not legitimate, the source of the unexpected activity is classified as malware.
A method, system, and computer program product for detecting malware on the basis of system behavior are disclosed. At least one process expected to be active is identified for the current mode of operation of a processing system comprising one or more resources. On the basis of the current mode of operation and the at least one process expected to be active, an expected activity level of the one or more resources of the processing system is calculated. An actual activity level of the resources is determined. If a deviation is detected between the expected activity level and the actual activity level, the source of unexpected activity is identified as a potential cause of the deviation. Policy guidelines are used to determine whether the unexpected activity is legitimate. If the unexpected activity is not legitimate, the source of the unexpected activity is classified as malware.
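The detection loop the abstract describes, as an added example that is not part of the patent: a per-mode baseline of expected processes and resource levels, a comparison against measured usage, attribution of the excess to processes not expected in that mode, and a policy check before a "malware" verdict is issued. The mode table, tolerance, policy set and process names are constructed for illustration.

```python
# Added example, not from the patent: expected-vs-actual activity check.
# Constructed per-mode baselines: processes expected to be active in each
# mode of operation and their expected share of each resource (percent).
EXPECTED_PROCESSES = {
    "idle":   {"system": {"cpu": 3, "net": 1}, "backup_agent": {"cpu": 2, "net": 5}},
    "active": {"system": {"cpu": 5, "net": 2}, "browser": {"cpu": 30, "net": 40}},
}
# Constructed policy guidelines: sources allowed to exceed the baseline.
POLICY_ALLOWED = {"idle": {"updater"}, "active": {"updater", "video_call"}}
TOLERANCE = 10  # percentage points of slack before a deviation is flagged


def _sum_usage(processes):
    """Aggregate per-process usage into a per-resource total."""
    total = {}
    for usage in processes.values():
        for res, value in usage.items():
            total[res] = total.get(res, 0) + value
    return total


def expected_activity(mode):
    """Expected activity level per resource for the given mode."""
    return _sum_usage(EXPECTED_PROCESSES[mode])


def find_deviations(mode, actual_by_process):
    """Return resources whose measured usage exceeds expectation + tolerance."""
    expected = expected_activity(mode)
    actual = _sum_usage(actual_by_process)
    return [r for r in actual if actual[r] > expected.get(r, 0) + TOLERANCE]


def classify(mode, actual_by_process):
    """Attribute each deviation to processes not expected in this mode, then
    apply policy: allowed sources are 'legitimate', all others 'malware'."""
    deviating = find_deviations(mode, actual_by_process)
    verdicts = {}
    for name, usage in actual_by_process.items():
        if name in EXPECTED_PROCESSES[mode]:
            continue  # expected process; not a source of unexpected activity
        if any(usage.get(r, 0) > 0 for r in deviating):
            verdicts[name] = "legitimate" if name in POLICY_ALLOWED[mode] else "malware"
    return verdicts


# Constructed sample: system is idle, yet an unknown process drives CPU and network.
SAMPLE_IDLE = {"system": {"cpu": 3, "net": 1}, "backup_agent": {"cpu": 2, "net": 4},
               "updater": {"cpu": 4, "net": 8}, "unknown_proc": {"cpu": 12, "net": 35}}
```

Running `classify("idle", SAMPLE_IDLE)` flags `unknown_proc` as malware while the policy-permitted `updater` is reported as legitimate.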
