Publication number: US08161552B1
Publication date: 2012-04-17
Application number: US12565585
Filing date: 2009-09-23
Applicants: Chih Yao Sun, Yi Lu, Dibin Tang, Ruifeng Yang, Peng Shu, Rong Yang
Inventors: Chih Yao Sun, Yi Lu, Dibin Tang, Ruifeng Yang, Peng Shu, Rong Yang
IPC classification: G06F11/00
CPC classification: G06F21/566, G06F2221/033, H04L63/145
Abstract: A white list (or exception list) for a behavior monitoring system for detecting unknown malware on a computing device is maintained automatically without human intervention. A white list contains process IDs and other data relating to processes that are determined to be (or very likely to be) free of malware. If a process is on this list, the rule matching operations of a conventional behavior monitor are not performed, thereby saving processing resources on the computing device. When a process start-up is detected, the behavior monitor performs a series of checks or tests. If the process has all valid digital signatures, is not launched from a removable storage device (such as a USB key), and is not enabled to make any inbound or outbound connections, it is eligible for the white list. The white list is also automatically maintained by removing process IDs for processes that have terminated or which attempt to make a new outbound or inbound connection, such as a TCP/UDP connection. Scheduled integrity checks on the white list are also performed by examining the process stack for each process to ensure that there are no abnormal files in the process stack.
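The following Python simulation is an added example, not code from the patent or its assignee; it models the white-list life cycle the abstract describes: eligibility checks at process start (valid signatures, not launched from removable media, no network capability), removal on a new inbound or outbound connection or on termination, and a scheduled integrity check that drops any process whose loaded modules include a file outside a known-good set. The `ProcessStart` flags, the known-good module list and the constructed process stacks are stand-ins for the real signature verification, media detection and stack inspection a behavior monitor would perform.

```python
"""Simulated automatic white-list maintenance for a behavior monitor (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessStart:
    """Facts a behavior monitor would gather at process start-up (constructed flags)."""
    pid: int
    image: str
    signatures_valid: bool   # every digital signature on the image chain verified
    from_removable: bool     # launched from removable storage such as a USB key
    network_enabled: bool    # permitted to open inbound or outbound connections


class WhiteList:
    def __init__(self, known_good_modules: Iterable[str]) -> None:
        self.entries: Dict[int, str] = {}                      # pid -> image path
        self.known_good: FrozenSet[str] = frozenset(known_good_modules)
        self.log: List[str] = []                               # audit trail of decisions

    @staticmethod
    def eligible(p: ProcessStart) -> bool:
        """All three start-up tests must pass before a process may skip rule matching."""
        return p.signatures_valid and not p.from_removable and not p.network_enabled

    def on_start(self, p: ProcessStart) -> bool:
        if self.eligible(p):
            self.entries[p.pid] = p.image
            self.log.append(f"add pid={p.pid} ({p.image})")
            return True
        self.log.append(f"skip pid={p.pid} ({p.image}): failed start-up checks")
        return False

    def on_connection(self, pid: int, direction: str) -> bool:
        """A new TCP/UDP connection attempt removes the process from the list."""
        if pid in self.entries:
            self.log.append(f"remove pid={pid}: new {direction} connection")
            del self.entries[pid]
            return True
        return False

    def on_terminate(self, pid: int) -> bool:
        if pid in self.entries:
            self.log.append(f"remove pid={pid}: terminated")
            del self.entries[pid]
            return True
        return False

    def integrity_check(self, stacks: Dict[int, Tuple[str, ...]]) -> List[int]:
        """Scheduled check: drop listed processes whose stack holds an unknown file."""
        removed: List[int] = []
        for pid in list(self.entries):
            abnormal = [m for m in stacks.get(pid, ()) if m not in self.known_good]
            if abnormal:
                self.log.append(f"remove pid={pid}: abnormal modules {abnormal}")
                del self.entries[pid]
                removed.append(pid)
        return removed

    def needs_rule_matching(self, pid: int) -> bool:
        """White-listed processes bypass the behavior monitor's rule matching."""
        return pid not in self.entries


def run_scenario() -> Dict[str, List[int]]:
    """Drive the white list through a constructed sequence of events and snapshot it."""
    wl = WhiteList(known_good_modules={"ntdll.dll", "kernel32.dll", "msvcrt.dll"})
    starts = [  # constructed sample processes
        ProcessStart(100, r"C:\Program Files\App\editor.exe", True, False, False),
        ProcessStart(101, r"E:\tools\portable.exe", True, True, False),       # USB key
        ProcessStart(102, r"C:\Program Files\App\updater.exe", True, False, True),  # network
        ProcessStart(103, r"C:\Users\u\AppData\Local\Temp\setup.exe", False, False, False),
        ProcessStart(104, r"C:\Windows\System32\notepad.exe", True, False, False),
        ProcessStart(105, r"C:\Program Files\App\helper.exe", True, False, False),
        ProcessStart(106, r"C:\Program Files\App\viewer.exe", True, False, False),
    ]
    for s in starts:
        wl.on_start(s)
    snap = {"after_start": sorted(wl.entries)}
    wl.on_connection(100, "outbound")                 # editor.exe opens a socket
    snap["after_connection"] = sorted(wl.entries)
    wl.on_terminate(104)                              # notepad.exe exits
    snap["after_terminate"] = sorted(wl.entries)
    stacks = {                                        # constructed process stacks
        105: ("ntdll.dll", "kernel32.dll", "unknown_hook.dll"),
        106: ("ntdll.dll", "kernel32.dll", "msvcrt.dll"),
    }
    snap["integrity_removed"] = wl.integrity_check(stacks)
    snap["after_integrity"] = sorted(wl.entries)
    snap["still_bypassing"] = [p.pid for p in starts if not wl.needs_rule_matching(p.pid)]
    return snap


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Each removal is logged, so a monitor built this way can show why a process fell back to full rule matching; a process that never qualified (unsigned, removable media, network-capable) is treated like any other monitored process from the start.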