HK1247296B - Systems and methods for tracking malicious behavior across multiple software entities - Google Patents


Info

Publication number: HK1247296B
Authority: HK (Hong Kong)
Prior art keywords: entity, group, determining whether, response, entities
Application number: HK18106408.3A
Other languages: Chinese (zh)
Other versions: HK1247296A1 (en)
Inventors: 哈伊玛山 格奥尔基-弗洛林, 波尔塔塞 拉杜-玛丽安
Original assignee: 比特梵德知识产权管理有限公司
Priority claimed from US14/808,173 (US10089465B2)
Application filed by 比特梵德知识产权管理有限公司
Publication of HK1247296A1
Publication of HK1247296B


Description

Translated from Chinese

Systems and methods for tracking malicious behavior across multiple software entities

Technical Field

The present invention relates to systems and methods for protecting computer systems from malware.

Background Art

Malware (also known as malicious software) affects a large number of computer systems worldwide. In its many forms, such as computer viruses, worms, rootkits, unsolicited adware, ransomware and spyware, malware presents a serious risk to millions of computer users, exposing them to loss of data and sensitive information, identity theft and lost productivity, among other harms. Malware may further display material that some users consider obscene, excessively violent, harassing or otherwise objectionable.

Security software may be used to detect malware infecting a user's computer system, and additionally to remove or stop the execution of such malware. Several malware detection techniques are known in the art. Some rely on matching a fragment of the malware agent's code against a library of malware-indicative signatures. Other conventional methods detect malware-indicative behavior, such as a set of actions performed by the malware agent.

Malware relies on various strategies to evade detection. One such strategy involves obfuscation techniques, for example encrypting the malicious code, or using a slightly different version of the code on each infected computer (a feature commonly known as polymorphism). Another exemplary detection-avoidance method divides the malicious activity among multiple agents, where each agent performs a separate set of actions that, when taken independently of the actions performed by the other agents, cannot be considered malware-indicative.

There is strong interest in developing systems and methods for detecting such advanced malware.

Summary of the Invention

According to one aspect, a host system includes at least one hardware processor and a memory unit, the at least one hardware processor being configured to execute an entity manager and a heuristic engine. The entity manager is configured to organize a set of monitored executable entities into a plurality of entity groups, wherein organizing the set includes: in response to detecting that a first entity of the set has spawned a child entity, determining whether the first entity belongs to a group creator category of entities. Organizing the set further includes: in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category, adding a new entity group to the plurality of entity groups, and assigning the child entity to the new entity group. Organizing the set further includes: in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category, selecting a first entity group from the plurality of entity groups such that the first entity is a member of the first entity group, and assigning the child entity to the first entity group. The heuristic engine is configured, in response to a first action performed by the child entity, to: select a second entity group from the plurality of entity groups such that the child entity is a member of the second entity group; and, in response to selecting the second entity group, determine whether the first action indicates a malware attack based on a second action performed by another member of the second entity group.

According to another aspect, a method includes employing at least one hardware processor of a host system to organize a set of monitored executable entities into a plurality of entity groups. Organizing the set includes: in response to detecting that a first entity of the set has spawned a child entity, determining whether the first entity belongs to a group creator category of entities. Organizing the set further includes: in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category, adding a new entity group to the plurality of entity groups, and assigning the child entity to the new entity group. Organizing the set further includes: in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category, selecting a first entity group from the plurality of entity groups such that the first entity is a member of the first entity group, and assigning the child entity to the first entity group. The method further includes, in response to a first action performed by the child entity, employing the at least one hardware processor of the host system to select a second entity group from the plurality of entity groups such that the child entity is a member of the second entity group. The method further includes, in response to selecting the second entity group, employing the at least one hardware processor of the host system to determine whether the first action indicates a malware attack based on a second action performed by another member of the second entity group.

According to another aspect, a non-transitory computer-readable medium stores instructions which, when executed by at least one hardware processor of a host system, cause the host system to form an entity manager and a heuristic engine. The entity manager is configured to organize a set of monitored executable entities into a plurality of entity groups, wherein organizing the set includes: in response to detecting that a first entity of the set has spawned a child entity, determining whether the first entity belongs to a group creator category of entities. Organizing the set further includes: in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category, adding a new entity group to the plurality of entity groups, and assigning the child entity to the new entity group. Organizing the set further includes: in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category, selecting a first entity group from the plurality of entity groups such that the first entity is a member of the first entity group, and assigning the child entity to the first entity group. The heuristic engine is configured, in response to a first action performed by the child entity, to: select a second entity group from the plurality of entity groups such that the child entity is a member of the second entity group; and, in response to selecting the second entity group, determine whether the first action indicates a malware attack based on a second action performed by another member of the second entity group.

According to another aspect, a host system includes at least one hardware processor and a memory unit, the at least one hardware processor being configured to execute an entity manager and a heuristic engine. The entity manager is configured to organize a set of monitored executable entities into a plurality of entity groups according to a set of inter-entity relationships, such that at least one entity of the set belongs to multiple entity groups simultaneously, wherein the set of inter-entity relationships is selected from a group of relationships consisting of parent-child relationships and code injection relationships. The heuristic engine is configured, in response to a first action performed by the at least one entity, to: select an entity group from the plurality of entity groups such that the at least one entity is a member of the entity group; and, in response to selecting the entity group, determine whether the first action indicates a malware attack based on a second action performed by another member of the entity group.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing aspects and advantages of the present invention will become better understood upon reading the following detailed description and upon reference to the drawings, in which:

FIG. 1 shows an exemplary set of software objects, including a security application executing on a client system, according to some embodiments of the present invention.

FIG. 2 illustrates an exemplary hardware configuration of a client computer system according to some embodiments of the present invention.

FIG. 3 shows an exemplary structure of a security application according to some embodiments of the present invention.

FIG. 4 illustrates an exemplary execution flow of a set of processes in an environment. Solid arrows indicate the typical flow in the absence of a security application. Dashed arrows indicate modifications to the execution flow introduced by a plurality of event interceptors operating according to some embodiments of the present invention.

FIG. 5-A illustrates a set of entity groups comprising executable entities monitored for malicious behavior, according to some embodiments of the present invention. Solid arrows represent entity creation; dashed arrows represent code injection.

FIG. 5-B illustrates another set of entity groups according to some embodiments of the present invention.

FIG. 6 shows an exemplary sequence of steps performed by the entity manager (FIG. 3) according to some embodiments of the present invention.

FIG. 7 shows an exemplary time sequence of actions performed by evasive malware, and an exemplary behavioral signature, according to some embodiments of the present invention.

FIG. 8-A illustrates another exemplary behavioral signature according to some embodiments of the present invention.

FIG. 8-B illustrates yet another exemplary behavioral signature according to some embodiments of the present invention.

FIG. 9 illustrates an exemplary sequence of steps performed by the heuristic engine (FIG. 3) according to some embodiments of the present invention.

FIG. 10-A shows a plurality of exemplary entity scoring objects (ESOs), each ESO being determined for a respective executable entity, according to some embodiments of the present invention.

FIG. 10-B shows a plurality of exemplary group scoring objects (GSOs), each GSO being determined for a respective group of executable entities, according to some embodiments of the present invention.

FIG. 11-A illustrates an exemplary set of entity score values and associated entity score increments according to some embodiments of the present invention.

FIG. 11-B illustrates an exemplary set of group score values and associated group score increments according to some embodiments of the present invention.

FIG. 12-A shows an exemplary sequence of steps performed by the scoring engine (FIG. 3) according to some embodiments of the present invention.

FIG. 12-B shows an alternative sequence of steps performed by the scoring engine according to some embodiments of the present invention.

FIG. 12-C shows yet another alternative sequence of steps performed by the scoring engine according to some embodiments of the present invention.

FIG. 13 shows an exemplary sequence of steps performed by the cleanup module (FIG. 3) according to some embodiments of the present invention.

DETAILED DESCRIPTION

In the following description, it is understood that all recited connections between structures may be direct operative connections or indirect operative connections through intermediate structures. A set of elements includes one or more elements. Any recitation of an element is understood to refer to at least one element. A plurality of elements includes at least two elements. Unless otherwise required, any described method steps need not necessarily be performed in the particular illustrated order. A first element (e.g., data) derived from a second element encompasses a first element equal to the second element, as well as a first element generated by processing the second element and optionally other data. Making a determination or decision according to a parameter encompasses making the determination or decision according to the parameter and optionally according to other data. Unless otherwise specified, an indicator of some quantity/data may be the quantity/data itself, or an indicator different from the quantity/data itself. Computer security encompasses protecting users and equipment against unintended or unauthorized access to data and/or hardware, against unintended or unauthorized modification of data and/or hardware, and against destruction of data and/or hardware. A computer program is a sequence of processor instructions carrying out a task. Computer programs described in some embodiments of the present invention may be stand-alone software entities or sub-entities (e.g., subroutines, libraries) of other computer programs. Unless otherwise specified, a process is an instance of a computer program (e.g., an application or a part of an operating system) and is characterized by having at least one execution thread and a virtual memory space assigned to it, wherein the contents of the respective virtual memory space include executable code. Unless otherwise specified, a heuristic is a procedure executed to determine whether the occurrence of a set of events is indicative of a computer security threat. Computer-readable media encompass non-transitory media such as magnetic, optical and semiconductor storage media (e.g., hard drives, optical disks, flash memory, DRAM), as well as communication links such as conductive cables and fiber optic links. According to some embodiments, the present invention provides, among other things, computer systems comprising hardware (e.g., one or more microprocessors) programmed to perform the methods described herein, as well as computer-readable media encoding instructions to perform the methods described herein.

The following description illustrates embodiments of the invention by way of example and not necessarily by way of limitation.

FIG. 1 shows an exemplary set of software objects executing on a client system 10 protected from computer security threats according to some embodiments of the present invention. Client system 10 may represent a computer system (e.g., an end-user computer, an enterprise server, etc.). Other exemplary client systems 10 include mobile computing devices (e.g., laptops, tablet PCs), telecommunication devices (e.g., smartphones), digital entertainment appliances (TVs, game consoles, etc.), wearable computing devices (e.g., smartwatches), or any other electronic device having a processor and memory and requiring computer security protection.

In some embodiments, an operating system (OS) 30 comprises software that provides an interface to the hardware of client system 10 and acts as a host for a set of software applications 32a-32c and 36. OS 30 may comprise any widely available operating system, among others. Applications 32a-32c generically represent user software, which may include, for example, word processing, image processing, database, browser and electronic communication applications, among others. In some embodiments, a security application 36 executes concurrently with applications 32a-32c and is configured to determine whether any software executing on client system 10 (including applications 32a-32c and OS 30) poses a computer security threat. For example, application 36 may detect malware and/or spyware. Application 36 may further be configured to erase or otherwise incapacitate such malware, and to alert the user of client system 10 or a system administrator. Security application 36 may be a stand-alone program or may form part of a software suite comprising, among others, anti-malware, anti-spam and anti-fraud components. The operation of security application 36 is described in detail below.

FIG. 2 illustrates an exemplary hardware configuration of client system 10, wherein client system 10 is a computer system. Those skilled in the art will appreciate that the hardware configuration of other devices, such as tablet PCs, mobile phones and smartwatches, may differ from the illustrated configuration, but the present description is applicable to such devices. Client system 10 comprises a set of physical devices, including a hardware processor 12, a memory unit 14, a set of input devices 16, a set of output devices 18, a set of storage devices 20 and a set of network adapters 22, all interconnected by a controller hub 24.

In some embodiments, processor 12 comprises a physical device (e.g., a microprocessor, a multi-core integrated circuit formed on a semiconductor substrate) configured to execute computational and/or logical operations with a set of signals and/or data. In some embodiments, such logical operations are delivered to processor 12 from memory unit 14 in the form of a sequence of processor instructions (e.g., machine code or other types of software). Memory unit 14 may comprise volatile computer-readable media (e.g., RAM) storing data/signals accessed or generated by processor 12 in the course of executing instructions. Input devices 16 may include computer keyboards, mice and microphones, among others, including the respective hardware interfaces and/or adapters allowing a user to introduce data and/or instructions into client system 10. Output devices 18 may include display devices (e.g., monitors and speakers, among others) as well as hardware interfaces/adapters (e.g., graphics cards), allowing client system 10 to communicate data to a user. In some embodiments, input devices 16 and output devices 18 may share a common piece of hardware, as in the case of touch-screen devices. Storage devices 20 include computer-readable media enabling the non-volatile storage, reading and writing of processor instructions and/or data. Exemplary storage devices 20 include magnetic and optical disks and flash memory devices, as well as removable media such as CD and/or DVD disks and drives. The set of network adapters 22 enables client system 10 to connect to a network (e.g., a local area network, a wireless network, etc.) and/or to other devices/computer systems. Controller hub 24 generically represents the plurality of system, peripheral and/or chipset buses, and/or all other circuitry enabling communication between processor 12 and devices 14, 16, 18, 20 and 22. For example, controller hub 24 may comprise a northbridge connecting processor 12 to memory 14, and/or a southbridge connecting processor 12 to devices 16, 18, 20 and 22.

FIG. 3 shows exemplary components of security application 36 according to some embodiments of the present invention. Security application 36 comprises a scoring engine 48 and a cleanup module 56, both connected to a behavior manager 42. Behavior manager 42 further comprises an entity manager 44 coupled to a heuristic engine 46.

In some embodiments, behavior manager 42 receives a set of event notifications 40 from a set of event interceptors 28a-28c installed within various software objects executing on client system 10. Event notifications 40 may thus inform behavior manager 42 of the occurrence of various events during the execution of software. Exemplary notified events may include the creation of a process or thread, code injection, a system call, an attempt to create a new disk file, an attempt to write to an existing disk file, an attempt to edit a system registry key, and an attempt to write to a particular section of memory, among others. Some of the notified events may be malware-indicative. Other events may not be indicative of a security threat by themselves, but may signal a potential threat when occurring together with other events. In response to receiving notifications 40, some embodiments of behavior manager 42 may access a heuristics database 26 and select a detection routine according to the details of notifications 40, the selected routine implementing a particular heuristic. Behavior manager 42 may further send the respective detection routine to heuristic engine 46 for execution. Execution of the respective routine may supply a scoring alert 50 to scoring engine 48. Engine 48 may maintain a plurality of such evaluation indicators (e.g., scores) and may raise an alert when at least one such indicator is indicative of a computer security threat. The operation of components 44, 46, 48 and 56 is described in detail below.

To illustrate the operation of event interceptors 28a-28c, FIG. 4 shows an exemplary execution flow of a set of software entities 60a-60b according to some embodiments of the present invention. For simplicity, the chosen entities 60a-60b are processes executing in an instance of an OS; similar diagrams may be drawn for other operating systems (e.g., Linux). Solid arrows represent the execution flow in the absence of event interceptors. Dashed arrows represent modifications to the flow due to the presence of event interceptors 28a-28c, executing according to some embodiments of the present invention.

An exemplary process 60a loads a plurality of dynamic-link libraries (DLLs) 62a-62c; in the example of FIG. 4, DLL 62c is injected into process 60a by a (possibly malicious) process 60b. When process 60a (or one of its loaded DLLs) executes an instruction that calls some system functionality (e.g., writing something to a disk file, or editing a registry key), the respective instruction calls a user-mode application programming interface (API), such as KERNEL32.DLL or NTDLL.DLL. In the example of FIG. 4, the respective user-mode API call is intercepted by a user-level event interceptor 28a. Such interception may be achieved by methods such as DLL injection or hooking, among others. Hooking is a generic term used in the art for a method of intercepting function calls, messages or events passed between software components. One exemplary hooking method comprises altering the entry point of a target function by inserting an instruction redirecting execution to a second function (in this case, event interceptor 28a). Following such hooking, the second function may be executed instead of, or before, the target function. In the example of FIG. 4, security application 36 may hook into certain functions of the KERNEL32.DLL and/or NTDLL.DLL libraries, to instruct the respective functions to redirect execution to a component of application 36. Thus, application 36 may be notified whenever process 60a is attempting to perform a particular action, identified according to the hooked function.

In a typical execution flow, a user-mode API function called by entity 60a may request a service from the kernel of the operating system. In some embodiments, such operations are carried out by issuing a system call (e.g., SYSCALL and SYSENTER on x86 platforms). In the example of FIG. 4, such system calls are intercepted by event interceptor 28b. In some embodiments, such interception comprises, for example, modifying the system call handler routine by changing a value stored in a model-specific register (MSR) of processor 12, which effectively redirects execution of the respective handler routine to interceptor 28b or directly to a component of application 36. Such techniques are known in the art as MSR hooking, and may allow security application 36 to be notified whenever a software entity is attempting to perform certain system calls.

Following the system call, control of the processor is typically turned over to the kernel of OS 30. In some embodiments, a kernel-level event interceptor 28c is configured to intercept certain actions of the OS kernel, and thereby to determine that the evaluated process is attempting to perform certain operations which may be malware-indicative. To intercept such actions, some embodiments may employ a set of filtering mechanisms built into and exposed by OS 30. For example, in the OS, FltRegisterFilter may be used to intercept operations such as creating, opening, writing to and deleting a file. In another example, event interceptor 28c may use ObRegisterCallback to intercept create- or duplicate-object-handle operations, or PsSetCreateProcessNotifyRoutine to intercept the creation of new processes. In yet another example, Windows registry operations such as creating and setting registry keys/values may be intercepted using CmRegisterCallbackEx. Similar event filtering mechanisms are known in the art for other operating systems. In response to detecting the occurrence of a particular event/action, event interceptor 28 may transmit a notification 40 to security application 36.

In some embodiments, security application 36 monitors a plurality of software entities for malicious behavior. The monitored software entities may vary in complexity from individual execution threads, to processes, to whole applications, frameworks and virtual machines. For simplicity, the following description assumes that the monitored entities are processes, but this assumption should not limit the scope of the present invention. A skilled artisan will appreciate that the described systems and methods may be extended to other types of executable entities besides individual processes.

Some embodiments of the present invention divide executable entities (e.g., processes) into several distinct categories from the perspective of monitoring for malicious behavior. Such categories may include group creators, group inheritors and unmonitored entities, among others. In some embodiments, group creators include certain processes, components and services of the operating system, such as Winlogon and the service host (svchost.exe). Other group creator entities may include file manager processes and/or components, and/or browser processes and components, among others. The group inheritor category may include most user processes, as well as unknown entities or entities that cannot be identified as group creators. A further category may represent entities exempt from monitoring. Such unmonitored entities may include, for example, certain processes protected by the operating system (e.g., csrss.exe and smss.exe), and entities forming part of security application 36. In some embodiments, the category of an entity may change during its lifetime. For example, a group creator entity may become a group inheritor, as shown below.

Some embodiments of security application 36 determine which category each entity belongs to according to certain features of the respective entity, such as its path, file name, set of resources (e.g., libraries loaded at startup), OS registry entries, digital signature and memory location. Other data indicating whether an entity belongs to a particular category includes an indicator of whether the respective entity uses certain hardware devices (e.g., network adapter 22). In an exemplary embodiment, the security application performs an audit of client system 10 and/or OS 30 to locate the sets of resources associated with group creator entities (e.g., OS services, browsers and file managers), and later uses this information to determine whether an executing entity belongs to one category or another. Security application 36 may further identify an entity, and establish its category, by comparing a set of hashes of the respective entity against a database of hashes of known entities.

In some embodiments, entity manager 44 maintains a data structure (e.g., a list) of the entities executing on client system 10, and dynamically updates the respective data structure to reflect the addition of new entities (e.g., in response to process creation) and the removal of other entities (e.g., in response to process termination). For simplicity, an entity currently on the list of executing entities is referred to below as a current entity. In some embodiments, each entity on the current-entity list represents a distinct instance of an executable object. The current-entity list may therefore include multiple instances of the same executable object. In one such example, where a web browser application executes each browser tab as a separate process, each such process may be a separately monitored entity.

Entity manager 44 further divides the current entities into a plurality of groups, each group comprising only mutually related entities, and maintains a set of associations indicating, for example, which entity is part of which group. Entities may be related via parent-child relationships and/or code injection, among other means. A parent-child relationship herein means that one entity of a group is a child or a parent of another entity. Child processes may be created, for example, by spawning, or by forking in Unix-derived OSes. In some embodiments, the same entity may belong to multiple distinct groups at the same time. In one such example, an entity is part of a first group because it is a child or a parent of another member of the first group, and at the same time it is part of a second group because another member of the second group has injected code into it.

FIG. 5-A and FIG. 5-B illustrate various exemplary entity groups maintained by entity manager 44 according to some embodiments of the present invention. The illustrations use triangles to represent group creator entities, circles to represent group inheritor entities, and squares to represent unmonitored entities. Solid arrows indicate parent-child relationships, while dashed arrows indicate code injection. The direction of each arrow indicates the direction of the relationship between the respective connected entities. For example, in FIG. 5-A, entity E6 is a child of entity E5, while entity E7 has injected code into entity E14.

A group creator may or may not belong to a group. Some embodiments assign a distinct group to each group creator entity (e.g., groups G1 and G6 in FIG. 5-A). Such groups may have a single member, namely the respective group creator entity. In some embodiments, a group creator creates a new group when it spawns a new entity. In the example of FIG. 5-A, group creator E1 creates group G5 when it spawns child entity E5. In some embodiments, when a group inheritor entity spawns another entity or injects code into another entity, the other entity is included in the same group as the group inheritor entity. In the example of FIG. 5-A, entity E6 is included in the same group as its parent entity E5. Similarly, entity E14 is included in the same group as entity E7 in response to receiving code injected by E7.

In some embodiments, the category of an entity may change in response to certain events and/or in response to becoming part of a group. In the example of FIG. 5-A, entity E14 is initially a group creator entity (see group G11). Later, in response to receiving code injected by a member of group G5, entity E14 becomes part of group G5 and is re-labeled as a group inheritor. The same processing may apply to entity E1 in FIG. 5-B.

An entity may belong to multiple groups at the same time. In the example of FIG. 5-B, entity E5 (a group inheritor) is simultaneously a member of groups G3, G5 and G6. E5 is part of G3 because E5 received code injected by entity E3. Similarly, E5 is part of G6 because E5 received code injected by E6. Entity E5 is further part of group G5 because E5 was spawned by group creator E2. When entity E5 spawns child entity E9, E9 becomes a member of both groups G3 and G5. Similarly, in FIG. 5-A, when entity E14 (by now a group inheritor, see above) spawns new entity E15, entity E15 may be included in both groups G5 and G11.

FIG. 6 shows an exemplary sequence of steps performed by entity manager 44 (FIG. 3) to manage the current-entity list according to some embodiments of the present invention. In a sequence of steps 150-152, entity manager 44 intercepts entity lifecycle events and, when such an event occurs, a sequence of steps 154-155 identifies the type of event and the affected entities. In some embodiments, lifecycle events include process creation, code injection and process termination, among others. Detecting such events may include receiving an event notification 40 from an appropriate event interceptor (for example, interceptor 28c in FIG. 4). Entity manager 44 may identify the entities affected by the current lifecycle event (e.g., parent and child processes in the case of a spawn) by parsing the data structures used by OS 30 to manage the currently executing processes. In Windows, for example, each process is represented by an executive process block (EPROCESS) which includes, among other things, handles to each of the respective process's threads and a unique process ID that allows OS 30 to identify the respective process among the many executing processes. Similar process/thread representations exist for other OSes, such as Linux.

A step 156 determines whether the event comprises the creation of a new entity (e.g., a new process); when it does not, entity manager 44 advances to a step 170 described below. When the event comprises entity creation, in a step 158 manager 44 determines whether the parent entity is a group inheritor; when it is not, manager 44 advances to a step 164. When the parent entity is a group inheritor, in a sequence of steps 160-162 manager 44 adds the child entity to the group of the parent entity and marks the child entity as a group inheritor. In step 164, manager 44 determines whether the parent entity is a group creator. When the parent entity is a group creator, in a sequence of steps 166-168 manager 44 creates a new group and adds the child entity to the newly created group.

In some embodiments, step 170 determines whether the detected lifecycle event comprises a code injection; when it does not, manager 44 advances to a step 174. In general, security application 36 may interpret every code injection event as suspicious and potentially indicative of malicious activity. However, some OS entities legitimately inject code into other entities under very specific circumstances. Such situations are commonly known in the security community as exceptions, and are usually exempt from anti-malware processing so as not to inadvertently produce false positive detections. In some embodiments, a step 171 checks whether the injection can be trusted as legitimate, for example by attempting to match the details of the respective injection event against a list of exceptions. When the respective code injection is not recognized as a known kind of legitimate injection, in a step 172 manager 44 adds the entity receiving the injected code to the group of the entity performing the injection. In some embodiments, a further step 173 marks the receiving entity as a group inheritor.

In step 174, manager 44 determines whether the event comprises the termination of an entity; when it does not, manager 44 returns to step 150. A process is terminated, for example, when all of its threads have finished executing. Some embodiments keep a terminated entity as part of its group, for example until all children of the terminated entity have terminated, or until all members of the respective group have terminated. In such embodiments, the terminated entity may be marked as dead (a step 176). This strategy allows client system 10 to be cleaned of the effects of evasive malware, for example an entity that spawns malicious children and then exits. In other embodiments, when the detected lifecycle event comprises entity termination, manager 44 removes the terminated entity from all groups.
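The following is an added worked example, not code from the patent or from the applicant's product. It replays the lifecycle procedure of FIG. 6 (steps 156-176) over the story of FIG. 5-A in plain Python, with the categories, the singleton group per group creator, the injection exception list and the mark-as-dead termination policy described above. The classification tables, the exception list and the image names are constructed assumptions standing in for the path/signature/hash-based classification the text describes; group identifiers are named after their first member, so they differ from the labels in the figure.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

CREATOR, INHERITOR, UNMONITORED = "group creator", "group inheritor", "unmonitored"

# Constructed classification tables (assumption: a real implementation would use path,
# digital signature, loaded libraries, hashes, etc.; image name is enough for the demo).
CREATOR_IMAGES = {"winlogon.exe", "svchost.exe", "explorer.exe"}
UNMONITORED_IMAGES = {"csrss.exe", "smss.exe", "secapp.exe"}

# Hypothetical exception list (step 171): (injector image, target image), "*" = any target.
INJECTION_EXCEPTIONS: Set[Tuple[str, str]] = {("csrss.exe", "*")}


@dataclass
class Entity:
    eid: int
    image: str
    category: str
    groups: Set[str] = field(default_factory=set)
    alive: bool = True


class EntityManager:
    """Maintains the current-entity list and the entity/group associations."""

    def __init__(self) -> None:
        self.entities: Dict[int, Entity] = {}
        self.groups: Dict[str, Set[int]] = {}

    @staticmethod
    def classify(image: str) -> str:
        if image in UNMONITORED_IMAGES:
            return UNMONITORED
        if image in CREATOR_IMAGES:
            return CREATOR
        return INHERITOR  # unknown or unrecognized entities default to group inheritor

    def _add_to_group(self, ent: Entity, gid: str) -> None:
        self.groups.setdefault(gid, set()).add(ent.eid)
        ent.groups.add(gid)

    def on_create(self, parent_pid: Optional[int], pid: int, image: str) -> Entity:
        """Steps 156-168: a new entity was spawned."""
        child = Entity(pid, image, self.classify(image))
        self.entities[pid] = child
        if child.category == UNMONITORED:
            return child                                  # exempt: never grouped
        if child.category == CREATOR:
            self._add_to_group(child, f"G{pid}")          # creators get a group of their own
        parent = self.entities.get(parent_pid) if parent_pid is not None else None
        if parent is None or parent.category == UNMONITORED:
            return child
        if parent.category == INHERITOR:                  # steps 160-162
            for gid in parent.groups:
                self._add_to_group(child, gid)
            child.category = INHERITOR
        elif parent.category == CREATOR:                  # steps 166-168
            self._add_to_group(child, f"G{pid}")
        return child

    def on_inject(self, src_pid: int, dst_pid: int) -> bool:
        """Steps 170-173: returns True when the target was regrouped."""
        src, dst = self.entities[src_pid], self.entities[dst_pid]
        if dst.category == UNMONITORED:
            return False                                  # assumption: exempt targets stay exempt
        for injector, target in INJECTION_EXCEPTIONS:     # step 171: known legitimate injection
            if injector == src.image and target in ("*", dst.image):
                return False
        for gid in src.groups:                            # step 172: join the injector's groups
            self._add_to_group(dst, gid)
        dst.category = INHERITOR                          # step 173: relabel (E14 in FIG. 5-A)
        return True

    def on_terminate(self, pid: int) -> None:
        """Steps 174-176: mark dead, retire a group only once every member is dead."""
        ent = self.entities[pid]
        ent.alive = False
        for gid in list(ent.groups):
            members = self.groups[gid]
            if all(not self.entities[m].alive for m in members):
                for m in members:
                    self.entities[m].groups.discard(gid)
                del self.groups[gid]
        for eid in [e for e, x in self.entities.items() if not x.alive and not x.groups]:
            del self.entities[eid]


def figure_5a_scenario() -> EntityManager:
    """Replays FIG. 5-A with constructed process ids and image names."""
    em = EntityManager()
    em.on_create(None, 1, "svchost.exe")    # E1: group creator, own group G1
    em.on_create(1, 5, "app.exe")           # E1 spawns E5: new group G5
    em.on_create(5, 6, "helper.exe")        # E6 inherits G5 from its parent E5
    em.on_create(5, 7, "helper.exe")        # E7 likewise
    em.on_create(None, 14, "explorer.exe")  # E14: group creator, own group G14
    em.on_inject(7, 14)                     # E7 injects into E14: E14 joins G5, relabeled
    em.on_create(14, 15, "child.exe")       # E15 lands in both G5 and G14
    em.on_create(None, 2, "csrss.exe")      # unmonitored OS process
    em.on_inject(2, 6)                      # excepted injection: no regrouping
    return em
```

The regrouping on injection is what lets the later heuristics attribute a whole chain of behavior to one group even when the injector has already exited; the terminated entity stays on the list, marked dead, until its group has no live member left.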

In some embodiments, heuristic engine 46 (FIG. 3) executes a set of tests or procedures, generically referred to herein as heuristics, to determine whether the occurrence of a set of events within client system 10 is indicative of a security threat (e.g., is indicative of malware). When a heuristic concludes that the set of events is indicative of malware, engine 46 may transmit a scoring alert 50 to scoring engine 48, which may further determine whether client system 10 comprises malware. Heuristic engine 46 is notified of the occurrence of events by event interceptors 28a-28c.

Some heuristics may be entity-related, in the sense that they determine whether the occurrence of an event indicates that an individual entity is malicious. Such heuristics are referred to herein as entity heuristics. Other heuristics may be group-related (referred to herein as group heuristics), in the sense that they determine whether the occurrence of an event indicates that a whole group of entities is malicious.

Each heuristic may embody a distinct malware detection method. In some embodiments, each heuristic is configured to detect the presence of a particular category, family, type or variant of malicious agent. Several distinct heuristics may collaborate in detecting a single category, family, type or variant of malicious agent. In some embodiments, a single heuristic may participate in detecting several categories, types, families or variants of malware. A particular example of a heuristic checks for the occurrence of a particular sequence of events (a behavioral signature) on client system 10. Not all events of the sequence need to be caused by the same entity; the occurrence of the sequence may nevertheless be indicative of malware. In one such example, illustrated in FIG. 7, the malicious activity is divided among a group of entities E1-E4, each member of the group performing a small part of it. A particular sequence of actions A1-A6 amounts to a behavioral signature 68 identifying a particular malware attack.

FIG. 7 illustrates an exemplary behavioral signature associated with a ransomware attack. Ransomware is a particular type of malware that encrypts a set of files on a user's computer and then demands payment from the user to recover the respective files. Entity creation is illustrated by zigzag arrows. Each vertical solid line shows the life history of an entity. For example, entity E1 dies after spawning entity E2. Entity E3 becomes part of the illustrated group in response to receiving code injected by E2. Some actions of the respective entities are not part of signature 68; for example, entity E3 spawning entity E4 is not included in signature 68.

FIG. 8-A and FIG. 8-B illustrate such exemplary behavioral signatures. Signature 68a requires actions A1-A6 to be performed in exactly the indicated order. In contrast, exemplary signature 68b allows some actions (A3, A4 and A5) to be performed in any order, as long as they occur between A2 and A6. The flexibility offered by signatures such as 68b allows the detection of various versions, variants or whole families of a malicious agent. In some embodiments, a heuristic using a particular behavioral signature is configured to detect the occurrence of the particular sequence of events (or actions) indicated by the respective behavioral signature. The respective heuristic may further verify the relationships among the entities performing the actions (e.g., verify that all participating entities are part of the same group). In some embodiments, such verification is implicit. For example, a group heuristic configured to implement a particular behavioral signature may be initialized once for a selected group of entities. The respective group heuristic is then triggered only when a member of the respective group performs an action. Further discussion and examples of group heuristics are given below.

In some embodiments, heuristic engine 46 interfaces with a heuristic database 26, which may reside on storage devices 20 of client system 10 or on computer-readable media communicatively coupled to client system 10. Database 26 may comprise a collection of available heuristics and an indicator of an association between each heuristic and the type of event that triggers its use. Such associations allow heuristic engine 46 to selectively retrieve heuristics in response to being notified of the occurrence of a particular type of event. An exemplary embodiment of database 26 is a software library, e.g., a DLL.

In some embodiments, heuristics are encoded in bytecode (a cross-platform instruction set); the bytecode of several well-known programming languages is an example. Each heuristic may be encoded and delivered as a separate bytecode routine. In such embodiments, heuristic engine 46 may comprise a bytecode translation virtual machine (e.g., an interpreter or a just-in-time compiler) that translates the bytecode into a sequence of native processor instructions and executes the respective sequence. Such embodiments may facilitate the development of security application 36 and substantially shorten its time to market.

FIG. 9 illustrates an exemplary sequence of steps performed by heuristic engine 46 according to some embodiments of the present invention. A sequence of steps 200-202 listens for event notifications from interceptors 28a-28c. In response to receiving an event notification 40, a step 204 determines the type of the notified event and a set of event parameters. Exemplary event types include code injection, particular system calls, creation of a disk file and HTTP requests, among others. Event parameters may be specific to each type of notified event. Some exemplary event parameters include an identifier of the process or thread performing the notified action (e.g., a process ID), a file name, a path, a memory address, and the operands of a processor instruction, among others. Event parameters may be determined by interceptors 28a-28c and included in event notification 40, or may be determined by heuristic engine 46 in response to receiving notification 40. In one example where the notified event is an attempt to create a new disk file, the event parameters may include the name of the file being created. The respective file name may be determined by the event interceptor and transmitted to heuristic engine 46 as part of notification 40. In some embodiments, the event parameters include a time stamp indicating the moment at which the respective event occurred or was detected. Time stamps may further be used by heuristic engine 46 to determine whether certain events occurred in sequence (see, e.g., the description of behavioral signatures above).

In a sequence of steps 206-208, engine 46 may access heuristic database 26 and selectively retrieve a set of heuristics according to the type and parameters of the notified event. A further step 209 applies the selected heuristics to determine whether the notified event is indicative of malware. When a heuristic indicates a suspicion of malice, in a step 212 engine 46 sends a scoring alert 50 to scoring engine 48. Scoring alert 50 may comprise an identifier of the respective heuristic, and may further comprise an identifier of the suspected entity and/or group.

Some embodiments of heuristic engine 46 operate with several distinct types of variables (e.g., LOCAL, STATIC, ENTITY, GROUP and GLOBAL, among others). A variable of type LOCAL may be unique to each instance of a heuristic. A variable of type STATIC may be specific to each heuristic, in the sense that its value may be shared across multiple instances of the same heuristic. A variable of type GLOBAL may be shared across all heuristics and their instances. A variable of type ENTITY is uniquely attached to a <heuristic, entity> tuple: it is shared across multiple instances of the same heuristic but differs from one entity to another. ENTITY-type variables may be initialized once per monitored entity and erased when the respective entity terminates. A variable of type GROUP is uniquely attached to a <heuristic, group> tuple: it is shared across multiple instances of the same heuristic but differs from one entity group to another. GROUP-type variables may be initialized once per entity group. Such embodiments allow certain heuristics to check for, among others, complex behavioral signatures in which the malicious activity is distributed across multiple entities.
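The following is an added worked example, not code from the patent or from the applicant's product, covering both the behavioral signatures of FIG. 8-A/8-B and the GROUP-scoped variables just described. A signature is modelled as a sequence of stages; a stage with a single action enforces strict order (signature 68a), while a stage holding several actions accepts them in any order (the A3-A5 stage of signature 68b). The match state is a GROUP-type variable, created once per group and advanced only by actions of that group's members; actions that are not part of the current stage (such as E3 spawning E4 in FIG. 7) are ignored rather than resetting the match. Events are delivered in time-stamp order. Group membership, entity names and the event stream are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple

# A signature is a sequence of stages. Every action of a stage must be observed (in any
# order) before the next stage opens. Single-action stages therefore enforce strict order:
# 68a is six such stages, while 68b folds A3, A4 and A5 into one unordered stage.
Signature = Sequence[FrozenSet[str]]
SIG_68A: Signature = [frozenset({a}) for a in ("A1", "A2", "A3", "A4", "A5", "A6")]
SIG_68B: Signature = [frozenset({"A1"}), frozenset({"A2"}),
                      frozenset({"A3", "A4", "A5"}), frozenset({"A6"})]


@dataclass(frozen=True)
class Event:
    ts: int        # time stamp carried in the event notification
    entity: str    # entity that performed the action
    action: str


@dataclass
class GroupState:
    """GROUP-scoped variable: one instance per <heuristic, group> tuple."""
    stage: int = 0
    seen: Set[str] = field(default_factory=set)


class GroupHeuristic:
    def __init__(self, hid: str, signature: Signature,
                 membership: Dict[str, Set[str]]) -> None:
        self.hid = hid
        self.signature = signature
        self.membership = membership                            # group id -> member entities
        self.state = {gid: GroupState() for gid in membership}  # initialized once per group

    def feed(self, ev: Event) -> List[Tuple[str, str, str]]:
        """Advances the per-group match state; returns (heuristic, group, entity) alerts."""
        alerts: List[Tuple[str, str, str]] = []
        for gid, members in self.membership.items():
            if ev.entity not in members:
                continue                            # only group members trigger the heuristic
            st = self.state[gid]
            if st.stage >= len(self.signature):
                continue                            # signature already matched for this group
            if ev.action not in self.signature[st.stage]:
                continue                            # unrelated or out-of-order action: ignored
            st.seen.add(ev.action)
            if st.seen == self.signature[st.stage]: # stage complete: open the next one
                st.stage += 1
                st.seen = set()
                if st.stage == len(self.signature):
                    alerts.append((self.hid, gid, ev.entity))
        return alerts


def run(heuristic: GroupHeuristic, events: Sequence[Event]) -> List[Tuple[str, str, str]]:
    """Delivers notifications in time-stamp order, as the heuristic engine would."""
    alerts: List[Tuple[str, str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts.extend(heuristic.feed(ev))
    return alerts


# Constructed sample: group G1 = {E1, E2, E3}; E4 is outside the group. The spawn by E3 and
# the A4-before-A3 ordering mirror the FIG. 7 story; the list is deliberately out of time order.
MEMBERSHIP = {"G1": {"E1", "E2", "E3"}}
SAMPLE_EVENTS = [
    Event(5, "E3", "A3"), Event(1, "E1", "A1"), Event(2, "E2", "A2"),
    Event(3, "E2", "A4"), Event(4, "E3", "spawn"), Event(6, "E3", "A5"),
    Event(7, "E3", "A6"), Event(8, "E4", "A6"),
]


def demo() -> Dict[str, List[Tuple[str, str, str]]]:
    strict = GroupHeuristic("H68a", SIG_68A, MEMBERSHIP)
    flexible = GroupHeuristic("H68b", SIG_68B, MEMBERSHIP)
    return {"68a": run(strict, SAMPLE_EVENTS), "68b": run(flexible, SAMPLE_EVENTS)}
```

With the same event stream, the strict signature 68a never completes (A4 arrives before A3 and is dropped, so A6 finds the match still waiting for A4), whereas 68b completes and raises one scoring alert for group G1. The final A6 from E4 changes nothing because E4 is not a member of the group.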

In some embodiments, scoring engine 48 maintains and updates a plurality of maliciousness scores determined for a plurality of monitored entities and/or entity groups executing on client system 10. Scoring engine 48 may further determine, according to the respective scores, whether client system 10 comprises malware. In some embodiments, scoring engine 48 receives a scoring alert 50 from heuristic engine 46 when engine 46 determines that the occurrence of a particular event is indicative of malice. In response to detecting malware, scoring engine 48 may further send a maliciousness indicator 58 to cleanup module 56.

FIG. 10-A shows a plurality of exemplary entity scoring objects (ESOs) 74a-74c according to some embodiments of the present invention, each ESO determined for a respective software entity 70a-70c. Each ESO may comprise a plurality of data fields, some of which are illustrated in FIG. 10-A. Such fields include a unique entity identifier EID 76a, a plurality of current entity evaluation scores 76b and a current entity aggregate score 76d. In some embodiments, entity evaluation scores 76b are determined by engine 48 according to scoring alerts 50 received from heuristic engine 46. Each score 76b may be determined according to a distinct criterion. For example, scores 76b may be in one-to-one correspondence with a set of heuristics 76c, so that each entity evaluation score is attributed according to the respective heuristic. In one such example, a particular heuristic Hk comprises determining whether a monitored entity downloads a file from a computer network (e.g., the Internet). The respective score Sk may then be set or incremented only when the respective evaluated entity attempts a download. In some embodiments, entity aggregate score 76d is computed as the sum of the current entity evaluation scores 76b (see further details below).

In some embodiments, each ESO may further comprise an indicator of the associations between the respective entity and the groups it belongs to. For example, in FIG. 10-A, item 76f illustrates such a list of entity groups. In an alternative embodiment, scoring engine 48 may dynamically retrieve from entity manager 44 the list of groups having a certain entity as a member.

Some embodiments of scoring engine 48 further maintain a set of scores associated with each entity group. FIG. 10-B shows a plurality of exemplary group scoring objects (GSOs) 75a-75c, each GSO determined for a distinct group of software entities. Each illustrated GSO comprises a unique group identifier GID 77a, a plurality of current group evaluation scores 77b and a current group aggregate score 77d (the superscript G indicates that the respective item is associated with a group of entities rather than with a single entity). In some embodiments, each group evaluation score is attributed and/or incremented according to a distinct criterion (e.g., a distinct heuristic). An exemplary heuristic that sets and/or increments a group evaluation score implements the behavioral signature illustrated in FIG. 7. Using that example, when entities E1, E2 and E3 perform actions A1-A6 in the illustrated order, the group evaluation score corresponding to the group comprising entities E1, E2 and E3 may be incremented. The group heuristic corresponding to each group evaluation score is illustrated in FIG. 10-B as item 77c.

In some embodiments, each GSO may further comprise an indicator of the association between the respective group and its member entities. In the example of FIG. 10-B, entities E1(G1), E2(G1), etc. are members of group G1. Alternatively, scoring engine 48 may request group membership data from entity manager 44 at any time. In some embodiments, group aggregate score 77d is computed by summing group evaluation scores 77b, as described in further detail below.

Some embodiments of scoring engine 48 increase each entity and/or group evaluation score by an amount specific to the heuristic corresponding to the respective score. FIG. 11-A and FIG. 11-B show such score increments corresponding to entity scores and group scores, respectively. When scoring engine 48 receives a scoring alert 50 produced in response to executing a particular heuristic, the entity and/or group evaluation score corresponding to the respective heuristic may be increased by the respective increment value. Some entity heuristics may also be group heuristics; for example, heuristic H1 may coincide with group heuristic H1(G). In some embodiments, a scoring alert produced by such a heuristic causes an update of the entity evaluation score of the respective entity and/or of the group evaluation score of the groups having the respective entity as a member.

FIG. 12-A shows an exemplary sequence of steps performed by the scoring engine 48 (FIG. 3) according to some embodiments of the present invention. A sequence of steps 300-302 listens for score alerts from the heuristic engine 46. In some embodiments, a score alert 50 includes an indicator of the heuristic that generated the alert and an indicator of the entity and/or entity group for which the alert was generated. In response to receiving score alert 50, a step 304 determines whether alert 50 was generated by an entity heuristic (i.e., a heuristic configured to determine whether an event indicates that an individual entity is malicious). When alert 50 was not generated by an entity heuristic, the scoring engine 48 proceeds to a step 310. When alert 50 was generated by an entity heuristic, in a step 306 the scoring engine 48 identifies the respective entity from alert 50 and updates the evaluation score of that entity according to the heuristic that generated the alert. For example, when alert 50 was generated by heuristic Hk, the scoring engine 48 may increase the score Sk corresponding to heuristic Hk by the appropriate increment (see, e.g., FIG. 11-A). A further step 308 computes the total score of the respective entity, for example by summing all entity evaluation scores of that entity.

A step 310 determines whether score alert 50 was generated by a group heuristic (i.e., a heuristic configured to determine whether an event indicates that a group of entities is malicious). When score alert 50 was not generated by a group heuristic, the scoring engine 48 proceeds to a step 316. When score alert 50 was generated by a group heuristic, in a step 312 the scoring engine 48 identifies the set of groups from alert 50 and updates the group evaluation scores of the respective groups according to the heuristic that generated the alert. In a step 314, engine 48 computes the total score of each respective group, for example as the sum of its group evaluation scores.

In a step 316, the scoring engine 48 determines whether the total score of the respective entity and/or group exceeds a predetermined threshold. When it does not, engine 48 returns to step 300. When it does, engine 48 sends a malicious indicator 58 to the cleanup module 56.

FIG. 12-B shows an alternative sequence of steps performed by the scoring engine 48. In response to receiving alert 50, a step 326 identifies the entity and the heuristic that generated the alert. Next, an evaluation score and a total score are determined for the respective entity according to alert 50. In a step 332, the scoring engine 48 identifies at least one group having the respective entity as a member. A step 336 then increments the total score of the respective group. When the total score of the entity or of the group (or both) exceeds a predetermined threshold, a step 340 sends malicious indicator 58 to the cleanup module 56. The exemplary embodiment illustrated in FIG. 12-B may increment the group score whenever a member of the respective group performs a malware-indicative action. Therefore, even when malicious activity is divided among several members of a group, and the total score of each individual member is insufficient to indicate malice, the group-wide score may exceed the malware detection threshold.

FIG. 12-C shows yet another exemplary alternative sequence of steps performed by the scoring engine 48 according to some embodiments of the present invention. In contrast to FIGS. 12-A and 12-B, FIG. 12-C may describe the operation of an embodiment that does not compute group scores but instead relies entirely on entity scores. Such an embodiment may still detect evasive malware by using group heuristics. Using the example of behavioral signature 68 in FIG. 7, a heuristic that detects the occurrence of the event sequence A1-A6 may generate a score alert 50 in response to detecting that entity E4 has performed action A6 and has thereby completed the malware-indicative action sequence indicated by behavioral signature 68. In response to receiving this alert, a step 348 may increment the entity evaluation score of entity E4 corresponding to the respective heuristic. If the increment associated with that heuristic is chosen large enough, the increase in the respective entity evaluation score may suffice for the total score computed for entity E4 to exceed the malware detection threshold.
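The scoring flow of FIGS. 12-A to 12-C, written out as an added example. This is not the patent's code and not Bitdefender's implementation; it is a minimal scoring engine that keeps one evaluation score per heuristic for every entity and every group, applies a fixed per-heuristic increment (in the spirit of FIGS. 11-A and 11-B), sums the evaluation scores into a total, and emits a malicious indicator once a total passes the threshold. The heuristic names, increments, threshold, entity and group identifiers and the two alert streams are all constructed for illustration. The first scenario shows the point of FIG. 12-B: three group members each contribute an action that is harmless on its own, no entity total crosses the threshold, and the group total does. The second shows the FIG. 12-C variant, where a heuristic that saw the whole action sequence complete carries an increment large enough for the completing entity to be flagged without any group score.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Per-heuristic increments in the style of FIG. 11-A (entity scores) and
# FIG. 11-B (group scores).  Heuristic names and values are assumed.
ENTITY_INCREMENTS = {"H1_drop_exe": 20, "H2_run_key": 20, "H3_connect": 20,
                     "H7_full_sequence": 100}   # the FIG. 12-C style heuristic
GROUP_INCREMENTS = {"H1_drop_exe": 20, "H2_run_key": 20, "H3_connect": 20}
THRESHOLD = 50                                  # assumed detection threshold


@dataclass
class ScoreAlert:
    heuristic: str        # heuristic that generated the alert
    entity: str           # entity the alert was generated for
    groups: tuple = ()    # groups having that entity as a member


@dataclass
class ScoringEngine:
    # entity -> {heuristic: evaluation score}; group -> {heuristic: score}
    entity_scores: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))
    group_scores: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))
    indicators: list = field(default_factory=list)   # malicious indicators sent on

    @staticmethod
    def total(scores):
        """Total score = sum of the evaluation scores (steps 308 and 314)."""
        return sum(scores.values())

    def process(self, alert):
        """Steps 304-316 of FIG. 12-A, with the group propagation of FIG. 12-B:
        one alert may raise the entity score and every group score at once."""
        fired = []
        if alert.heuristic in ENTITY_INCREMENTS:                 # entity heuristic
            s = self.entity_scores[alert.entity]
            s[alert.heuristic] += ENTITY_INCREMENTS[alert.heuristic]
            if self.total(s) > THRESHOLD:
                fired.append(("entity", alert.entity))
        if alert.heuristic in GROUP_INCREMENTS:                  # group heuristic
            for gid in alert.groups:
                s = self.group_scores[gid]
                s[alert.heuristic] += GROUP_INCREMENTS[alert.heuristic]
                if self.total(s) > THRESHOLD:
                    fired.append(("group", gid))
        for indicator in fired:                                  # step 316
            if indicator not in self.indicators:
                self.indicators.append(indicator)
        return fired


def run_split_attack():
    """Three members of group G1 each perform one malware-indicative action.
    No entity total passes the threshold; the group total does."""
    engine = ScoringEngine()
    for alert in (ScoreAlert("H1_drop_exe", "E1", ("G1",)),
                  ScoreAlert("H2_run_key", "E2", ("G1",)),
                  ScoreAlert("H3_connect", "E3", ("G1",))):
        engine.process(alert)
    return engine


def run_sequence_heuristic():
    """FIG. 12-C style: no group score is kept, but the heuristic that saw the
    whole action sequence complete carries an increment large enough for the
    completing entity (E4) to cross the threshold on its own."""
    engine = ScoringEngine()
    engine.process(ScoreAlert("H7_full_sequence", "E4", ("G1",)))
    return engine


if __name__ == "__main__":
    e = run_split_attack()
    print({k: e.total(v) for k, v in e.entity_scores.items()}, e.indicators)
```

The threshold comparison is strict, as in step 316 ("exceeds"). Whether a heuristic is an entity heuristic, a group heuristic or both is decided purely by which increment table names it, which mirrors the remark above that heuristic H1 may coincide with group heuristic H1(G).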

FIG. 13 illustrates an exemplary sequence of steps performed by the cleanup module 56 (FIG. 3) according to some embodiments of the present invention. In a step 402, module 56 receives a malicious indicator 58 from the scoring engine 48. In some embodiments, malicious indicator 58 includes an indicator of a suspicious entity and/or an indicator of a suspicious entity group, e.g., an entity and/or group whose total score exceeds the malware detection threshold (see above). In a step 404, module 56 identifies the suspicious entity that triggered the scoring engine 48 to send malicious indicator 58.

In some embodiments, a step 406 checks whether the suspicious entity is a member of a single group. When the suspicious entity is not a member of a single group, module 56 proceeds to a step 410. When the suspicious entity is a member of a single group, in a step 408 the cleanup module 56 cleans up the entire group of the suspicious entity. In some embodiments, cleaning up an entity group includes cleaning up each member entity of the respective group. Cleanup may involve any method known in the field of computer security. In some embodiments, cleaning up an entity includes suspending or terminating execution of the respective entity. Cleaning up an entity may further include deleting a disk file containing the code of the respective entity. Cleaning up an entity may further include rolling back or restoring a set of changes performed by the respective entity during its lifetime (such changes may include changes to the OS registry, the file system, etc.). Cleaning up an entity may include analyzing the respective entity with an additional, separate malware scanner. In some embodiments, cleanup further includes alerting the user of the client system 10 and/or a system administrator.

In one cleanup example, when the malicious activity is traced back to a code injection event, the cleanup module 56 terminates the receiving entity and rolls back all changes to memory and/or the file system that occurred after the respective injection event. Where possible, the cleanup module 56 may roll back only the changes resulting from the respective injection event. In another cleanup example, when a malicious entity uses a clean entity (e.g., cmd.exe, regedit.exe, a legitimate browser process, etc.) to carry out part of a malicious attack, the cleanup module 56 may terminate the respective clean entity without deleting its executable file.

In some embodiments, when the suspicious entity belongs to multiple entity groups, a step 410 attempts to identify which of the respective groups may be malicious. Step 410 may include determining how the suspicious entity became a member of each respective group (e.g., in response to entity creation versus in response to code injection). Step 410 may further determine which heuristic triggered the score alert that led the scoring engine to conclude that the client system 10 is under attack. Identifying the heuristic that triggered malware detection may allow determining what action the suspicious entity was performing when it triggered the respective score alert. To carry out step 410, the cleanup module 56 may further determine which component of the suspicious entity was executing when the respective score alert was triggered.

In one exemplary scenario, a suspicious entity has become a member of a first group through entity creation and a member of a second group through code injection. Step 410 determines that the score alert which triggered malware detection was generated while code from the suspicious entity's main executable module was executing. The cleanup module 56 may then infer that the first group is malicious. In contrast, if the suspicious entity was executing injected code when the score alert was triggered, the cleanup module 56 may infer that the second group is malicious.

In a step 412, module 56 determines whether the identification of the malicious group was successful. When it was, in a step 414 module 56 cleans up the identified malicious group. When step 410 fails to identify a malicious entity group, in a step 416 module 56 cleans up only the suspicious entity. Step 416 may thus prevent false-positive malware identification, i.e., mistakenly identifying a benign entity as malicious, which could result in data loss for the user.
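The scope-selection logic of FIG. 13 (steps 406 to 416), as an added example that is not the patent's or Bitdefender's code. The inputs that the real cleanup module would obtain from the entity manager and the event interceptors (each group the suspicious entity belongs to, whether it joined that group through entity creation or through code injection, and whether its main module or injected code was executing when the score alert fired) are passed in as constructed values. The inference rule is the one stated in the scenario above: main-module code implicates the group joined by creation, injected code implicates the group joined by injection, and when that leaves no single candidate only the suspicious entity itself is cleaned up. The `known_clean` set models the second cleanup example, in which an abused clean process such as cmd.exe is terminated but its executable is kept; the entity and group identifiers are constructed.

```python
from dataclasses import dataclass


@dataclass
class Membership:
    group: str
    via: str               # "created" (parent-child) or "injected" (code injection)


@dataclass
class MaliciousIndicator:
    entity: str            # suspicious entity whose total score crossed the threshold
    heuristic: str         # heuristic that generated the triggering score alert
    executing: str         # "main_module" or "injected_code" at the time of the alert


def identify_malicious_group(memberships, indicator):
    """Step 410: when the suspicious entity belongs to several groups, infer
    the malicious one from which of its code was running when the alert fired.
    Main-module code points at the group joined through entity creation;
    injected code points at the group joined through code injection.  Returns
    None when this leaves more than one (or no) candidate."""
    wanted = "created" if indicator.executing == "main_module" else "injected"
    candidates = [m.group for m in memberships if m.via == wanted]
    return candidates[0] if len(candidates) == 1 else None


def cleanup_scope(indicator, memberships, group_members, known_clean=frozenset()):
    """Steps 406-416 of FIG. 13.  Returns (scope, entities to terminate,
    entities whose executable is also deleted).  Members listed in known_clean
    (e.g., cmd.exe, regedit.exe or a legitimate browser abused by the attack)
    are terminated but their executables are kept."""
    if len(memberships) == 1:                                    # single group: clean it whole
        group = memberships[0].group
        scope = ("group", group)
    else:                                                        # several (or no) groups
        group = identify_malicious_group(memberships, indicator)
        scope = ("group", group) if group else ("entity", indicator.entity)
    targets = set(group_members[group]) if scope[0] == "group" else {indicator.entity}
    terminate = sorted(targets)
    delete = sorted(t for t in targets if t not in known_clean)
    return scope, terminate, delete


if __name__ == "__main__":
    members = {"G1": ["E1", "E2", "E3"], "G2": ["E1", "E9"]}
    both = [Membership("G1", "created"), Membership("G2", "injected")]
    print(cleanup_scope(MaliciousIndicator("E1", "H3", "main_module"), both, members))
    print(cleanup_scope(MaliciousIndicator("E1", "H3", "injected_code"), both, members))
```

Falling back to the single entity when the group cannot be pinned down is the false-positive guard of step 416: a benign process that happened to be injected into by two different groups is not taken down along with both of them.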

The exemplary systems and methods described above allow protecting computer systems against malware (e.g., viruses, Trojan horses and spyware). In some embodiments of the present invention, a security application monitors the behavior of a set of entities (e.g., processes) currently executing on a client system. The security application is notified of the occurrence of various events within the client system through a set of event interceptors. Such exemplary events may include the creation of a process or thread, code injection, system calls, attempts to create a new disk file, attempts to write to an existing disk file, attempts to edit OS registry keys and attempts to write to particular sections of memory, among others. Some of the notified events may be malware-indicative, while others may not indicate a security threat by themselves but may signal a potential threat when occurring together with other events.

In response to receiving an event notification, the security application may execute a set of detection procedures (e.g., heuristics) to determine whether the respective event is indicative of malware. In response to determining that an event is malware-indicative, a heuristic may cause a malware-indicative score to be incremented. A scoring engine may further determine, according to the incremented malware-indicative score, whether the client system is under attack. A cleanup module may further take anti-malware action against an entity or entity group deemed malicious.

Conventional anti-malware systems typically associate a score with each individual entity and increment that score whenever the respective entity acts in a malware-indicative manner. Such conventional systems are often unable to detect evasive malware that divides malicious activity among multiple entities. When the behavior of each participating entity, taken in isolation, is not malware-indicative, that behavior may not lead to detection based on individual scores. In contrast, some embodiments of the present invention explicitly address the problem of evasive malware by correlating behavior across multiple related entities.

In some embodiments, the security application divides the monitored entities into multiple entity groups, wherein all members of a group are related through parent-child relationships or through code injection. An entity may belong to multiple entity groups simultaneously. The security application may further associate a set of scores with each entity group. Such group scores may be incremented when members of the respective group perform certain actions. Thus, even when the actions performed by individual members are not malware-indicative by themselves, the group scores may capture collective malicious behavior and trigger detection.

In some embodiments of the present invention, executable entities are divided into at least two main categories, namely group creators and group inheritors. The group creator category may include entities that commonly perform activities such as entity creation in a legitimate manner, for example operating system processes, file managers and browsers. In some embodiments, a group creator entity creates a new group when it spawns a child entity. The group inheritor category may include user processes and unknown processes. A group inheritor entity may be a member of the group of its parent entity, or, when its parent entity is a group creator, may be the first entity of a new group. Having distinct group membership rules for group creator entities and group inheritor entities allows some embodiments of the present invention to monitor the two categories of entities using distinct malware detection strategies.

According to some embodiments of the present invention, another way of addressing evasive malware includes using malware detection heuristics that detect specific sequences or combinations of actions performed by a group of related entities, rather than isolated actions performed by individual entities. Such a heuristic may trigger a score increase only when all actions of the respective sequence or combination have been performed.
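The grouping rules and the group-level sequence heuristic from the preceding paragraphs, as one added example. This is not the patent's code and not Bitdefender's implementation. It assumes a small fixed set of image names for the group creator category (operating system processes, a file manager and a browser are the kinds of entities the text names), applies the membership rules of the text and of claims 1 to 3 (a group creator spawns a fresh group whose first member is the child; an inheritor's child joins all of its parent's groups; an injection target joins the injector's groups on top of its own), and checks a constructed six-action behavioral signature in the spirit of FIG. 7 that fires only once the whole ordered sequence has been performed by members of the same group. The process names, action names and the event trace are constructed; the second run of the same trace without the observed injection shows why the cross-entity attribution matters.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Images treated as group creators (assumed list; the text names OS
# processes, file managers and browsers as typical members of the category).
GROUP_CREATORS = {"explorer.exe", "services.exe", "browser.exe"}

# Behavioral signature in the spirit of FIG. 7: malware-indicative only when
# performed in this order by members of one group.  Action names are constructed.
SIGNATURE = ("drop_executable", "create_process", "inject_code",
             "set_run_key", "disable_av", "connect_c2")


@dataclass
class EntityManager:
    next_gid: int = 1
    image: dict = field(default_factory=dict)                            # entity -> image name
    groups: dict = field(default_factory=lambda: defaultdict(set))       # gid -> entities
    memberships: dict = field(default_factory=lambda: defaultdict(set))  # entity -> gids

    def _join(self, entity, gid):
        self.groups[gid].add(entity)
        self.memberships[entity].add(gid)

    def on_create(self, parent, child, child_image):
        """Parent-child relation.  A group creator spawns a fresh group whose
        first member is the child; a group inheritor's child joins every
        group of its parent."""
        self.image[child] = child_image
        if self.image.get(parent) in GROUP_CREATORS:
            gid = f"G{self.next_gid}"
            self.next_gid += 1
            self._join(child, gid)
        else:
            for gid in list(self.memberships[parent]):
                self._join(child, gid)

    def on_inject(self, injector, target):
        """Code injection: the target joins every group of the injector, on top
        of any group it already belongs to, so one entity can be in several."""
        for gid in list(self.memberships[injector]):
            self._join(target, gid)


class GroupSequenceHeuristic:
    """Tracks, per group, how much of SIGNATURE its members have performed in
    order, and reports a group only when the last action completes it."""

    def __init__(self, manager):
        self.manager = manager
        self.progress = defaultdict(int)  # gid -> index of next expected action

    def on_action(self, entity, action):
        completed = []
        for gid in self.manager.memberships[entity]:
            i = self.progress[gid]
            if i < len(SIGNATURE) and action == SIGNATURE[i]:
                self.progress[gid] = i + 1
                if i + 1 == len(SIGNATURE):
                    completed.append(gid)
        return completed


def run_scenario(inject=True):
    """Constructed trace: explorer.exe (a group creator) launches a dropper,
    the dropper spawns stage2, stage2 injects into svchost, and svchost does
    the persistence and C2 steps.  With inject=False the injection is not
    observed, svchost ends up in no group, and the signature never completes."""
    mgr = EntityManager()
    heur = GroupSequenceHeuristic(mgr)
    mgr.image["explorer.exe"] = "explorer.exe"                 # already running
    fired = []
    mgr.on_create("explorer.exe", "dropper", "dropper.exe")   # new group G1
    fired += heur.on_action("dropper", "drop_executable")
    mgr.on_create("dropper", "stage2", "stage2.exe")          # stage2 inherits G1
    fired += heur.on_action("dropper", "create_process")
    if inject:
        mgr.on_inject("stage2", "svchost")                    # svchost joins G1
    fired += heur.on_action("stage2", "inject_code")
    fired += heur.on_action("svchost", "set_run_key")
    fired += heur.on_action("svchost", "disable_av")
    fired += heur.on_action("svchost", "connect_c2")
    return mgr, fired


if __name__ == "__main__":
    manager, detections = run_scenario()
    print(dict(manager.groups), detections)
```

No single entity in the trace performs more than two of the six actions, which is exactly the split that defeats per-entity scoring; the group created when explorer.exe spawned the dropper is the unit that carries the whole sequence. The group creator itself is not a member of the group it spawns, so a legitimate explorer.exe is not implicated by what its children do.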

Conventional computer security systems may detect individual malicious entities and may take anti-malware action against each such entity independently of other entities. When the detected malicious entity is a small part of a coordinated network of malicious entities, disabling a single entity may still leave the client system vulnerable to, or even infected with, malware. In contrast, in response to detecting a group of malicious entities, some embodiments of the present invention may clean up or otherwise disable the entire group. When a suspicious entity is part of multiple entity groups but the security application cannot determine which of the respective groups is performing malicious activity, some embodiments of the present invention take anti-malware action only against the respective suspicious entity, in order to prevent false-positive malware identification.

It will be apparent to those skilled in the art that the above embodiments may be altered in many ways without departing from the scope of the invention. Accordingly, the scope of the invention should be determined by the following claims and their legal equivalents.

Claims (27)

1. A host system comprising at least one hardware processor and a memory unit, the at least one hardware processor being configured to execute an entity manager and a heuristic engine, wherein:
    the entity manager is configured to organize a set of monitored executable entities into a plurality of entity groups, wherein organizing the set comprises:
        in response to detecting that a first entity of the set has spawned a child entity, determining whether the first entity belongs to a group creator category of entities;
        in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category:
            adding a new entity group to the plurality of entity groups, and
            assigning the child entity to the new entity group; and
        in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category:
            selecting a first entity group from the plurality of entity groups such that the first entity is a member of the first entity group, and
            assigning the child entity to the first entity group; and
    the heuristic engine is configured, in response to a first action performed by the child entity, to:
        select a second entity group from the plurality of entity groups such that the child entity is a member of the second entity group, wherein the child entity is a member of the second entity group and at the same time a member of the first entity group or of the new entity group; and
        in response to selecting the second entity group, determine, according to a second action performed by another member of the second entity group, whether the first action is indicative of a malware attack.

2. The host system of claim 1, wherein organizing the set further comprises, in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category:
    selecting a third entity group from the plurality of entity groups such that the first entity is a member of the third entity group, and
    assigning the child entity to the third entity group.

3. The host system of claim 1, wherein organizing the set further comprises, in response to detecting that the child entity has injected code into a third entity of the set:
    selecting a third entity group from the plurality of entity groups such that the child entity is a member of the third entity group; and
    in response, assigning the third entity to the third entity group.

4. The host system of claim 1, wherein organizing the set further comprises, in response to detecting that the first entity has spawned the child entity:
    determining whether the child entity belongs to the group creator category; and
    in response, when the child entity belongs to the group creator category, removing the child entity from the group creator category.

5. The host system of claim 1, wherein determining whether the first entity belongs to the group creator category comprises determining whether the first entity is a component of a web browser executing on the host system.

6. The host system of claim 1, wherein determining whether the first entity belongs to the group creator category comprises determining whether the first entity is a component of an operating system executing on the host system.

7. The host system of claim 1, wherein determining whether the first action is indicative of the malware attack comprises determining whether the first action occurred before the second action.

8. The host system of claim 1, wherein the heuristic engine is configured to determine whether the first action is indicative of the malware attack further according to a third action performed by a third entity of the second entity group.

9. The host system of claim 1, wherein determining whether the first action is indicative of the malware attack comprises determining whether the first action is part of a malware-indicative set of actions, wherein all actions of the malware-indicative set of actions are performed by members of the second entity group.

10. The host system of claim 9, wherein determining whether the first action is part of the malware-indicative set of actions comprises determining whether a subset of the malware-indicative set of actions occurred in a particular order.

11. The host system of claim 1, wherein the at least one hardware processor is further configured to execute a cleanup module configured to terminate a plurality of members of the second entity group in response to a determination that the first action is indicative of the malware attack.

12. The host system of claim 11, wherein the plurality of members comprises all members of the second entity group.

13. The host system of claim 1, wherein the at least one hardware processor is further configured to execute a cleanup module configured to roll back a set of changes caused to the host system by the execution of members of the second entity group, in response to a determination that the first action is indicative of the malware attack.

14. A method of tracking malicious behavior across multiple software entities, the method comprising:
    employing at least one hardware processor of a host system to organize a set of monitored executable entities into a plurality of entity groups, wherein organizing the set comprises:
        in response to detecting that a first entity of the set has spawned a child entity, determining whether the first entity belongs to a group creator category of entities;
        in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category:
            adding a new entity group to the plurality of entity groups, and
            assigning the child entity to the new entity group; and
        in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category:
            selecting a first entity group from the plurality of entity groups such that the first entity is a member of the first entity group, and
            assigning the child entity to the first entity group;
    in response to a first action performed by the child entity, employing the at least one hardware processor of the host system to select a second entity group from the plurality of entity groups such that the child entity is a member of the second entity group, wherein the child entity is a member of the second entity group and at the same time a member of the first entity group or of the new entity group; and
    in response to selecting the second entity group, employing the at least one hardware processor of the host system to determine, according to a second action performed by another member of the second entity group, whether the first action is indicative of a malware attack.

15. The method of claim 14, wherein organizing the set further comprises, in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category:
    selecting a third entity group from the plurality of entity groups such that the first entity is a member of the third entity group, and
    assigning the child entity to the third entity group.

16. The method of claim 14, wherein organizing the set further comprises, in response to detecting that the child entity has injected code into a third entity of the set:
    selecting a third entity group from the plurality of entity groups such that the child entity is a member of the third entity group; and
    in response, assigning the third entity to the third entity group.

17. The method of claim 14, wherein organizing the set further comprises, in response to detecting that the first entity has spawned the child entity:
    determining whether the child entity belongs to the group creator category; and
    in response, when the child entity belongs to the group creator category, removing the child entity from the group creator category.

18. The method of claim 14, wherein determining whether the first entity belongs to the group creator category comprises determining whether the first entity is a component of a web browser executing on the host system.

19. The method of claim 14, wherein determining whether the first entity belongs to the group creator category comprises determining whether the first entity is a component of an operating system executing on the host system.

20. The method of claim 14, wherein determining whether the first action is indicative of the malware attack comprises determining whether the first action occurred before the second action.

21. The method of claim 14, further comprising determining whether the first action is indicative of the malware attack according to a third action performed by a third entity of the second entity group.

22. The method of claim 14, wherein determining whether the first action is indicative of the malware attack comprises determining whether the first action is part of a malware-indicative set of actions, wherein all actions of the malware-indicative set of actions are performed by members of the second entity group.

23. The method of claim 22, wherein determining whether the first action is part of the malware-indicative set of actions comprises determining whether a subset of the malware-indicative set of actions occurred in a particular order.

24. The method of claim 14, further comprising, in response to a determination that the first action is indicative of the malware attack, employing the at least one hardware processor of the host system to terminate a plurality of members of the second entity group.

25. The method of claim 24, wherein the plurality of members comprises all members of the second entity group.

26. The method of claim 14, further comprising, in response to a determination that the first action is indicative of the malware attack, employing the at least one hardware processor of the host system to roll back a set of changes caused to the host system by the execution of members of the second entity group.

27. A non-transitory computer-readable medium storing instructions which, when executed by at least one hardware processor of a host system, cause the host system to form an entity manager and a heuristic engine, wherein:
    the entity manager is configured to organize a set of monitored executable entities into a plurality of entity groups, wherein organizing the set comprises:
        in response to detecting that a first entity of the set has spawned a child entity, determining whether the first entity belongs to a group creator category of entities;
        in response to determining whether the first entity belongs to the group creator category, when the first entity belongs to the group creator category:
            adding a new entity group to the plurality of entity groups, and
            assigning the child entity to the new entity group; and
        in response to determining whether the first entity belongs to the group creator category, when the first entity does not belong to the group creator category:
            selecting a first entity group from the plurality of entity groups such that the first entity is a member of the first entity group, and
            assigning the child entity to the first entity group; and
    the heuristic engine is configured, in response to a first action performed by the child entity, to:
        select a second entity group from the plurality of entity groups such that the child entity is a member of the second entity group, wherein the child entity is a member of the second entity group and at the same time a member of the first entity group or of the new entity group; and
        in response to selecting the second entity group, determine, according to a second action performed by another member of the second entity group, whether the first action is indicative of a malware attack.
HK18106408.3A   2015-07-24 (priority)   2016-07-04 (filed)   Systems and methods for tracking malicious behavior across multiple software entities   HK1247296B (en)

Applications Claiming Priority (3)

Application Number   Priority Date   Filing Date   Title
US14/808,173         2015-07-24      2015-07-24    Systems and methods for tracking malicious behavior across multiple software entities (US10089465B2, en)
US14/808,173         2015-07-24
PCT/EP2016/065737    2015-07-24      2016-07-04    Systems and methods for tracking malicious behavior across multiple software entities (WO2017016814A1, en)

Publications (2)

Publication Number   Publication Date
HK1247296A1 (en)     2018-09-21
HK1247296B (en)      2021-07-02


Similar Documents

Publication          Title
US10706151B2 (en)    Systems and methods for tracking malicious behavior across multiple software entities
US11438349B2 (en)    Systems and methods for protecting devices from malware
KR102116573B1 (en)   Dynamic reputation indicators for optimizing computer security operations
RU2645268C2 (en)     Complex classification for detecting malware
JP6370747B2 (en)     System and method for virtual machine monitor based anti-malware security
RU2646352C2 (en)     Systems and methods for using a reputation indicator to facilitate malware scanning
EP3308315B1 (en)     Behavioral malware detection using an interpreter virtual machine
US8646080B2 (en)     Method and apparatus for removing harmful software
US8397297B2 (en)     Method and apparatus for removing harmful software
HK1247296B (en)      Systems and methods for tracking malicious behavior across multiple software entities
