Title of invention: Multi-behavior policy matching for malware detection
Abstract: Multi-behavior matching is performed in a computer system to identify suspicious sequences of activities. System behavior is captured using driver hooks. A behavior monitoring system determines which process a captured behavior belongs to by looking up the behavior's process ID and thread ID in a table. A multi-behavior matching algorithm then checks for suspicious behavior by matching a set of rules (a policy) against the system events caused by a particular process. A state machine keeps track of partially and fully matched policies. Options on rules and policies (such as offset, depth, distance, within, ordered and occurrence/interval) refine when a rule or policy is allowed to produce a positive match, reducing false positives.
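The matching described in the abstract, as an added illustration that is not the patent's own code: events are attributed to a process through a (pid, tid) table, one state machine per process and policy walks an ordered rule list, and the `occurrence` and `within` options decide when a rule may advance the match. Rule names, event names, the process table and the event stream are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    event: str           # hooked operation, e.g. "file_write"
    contains: str = ""   # substring the call's argument must contain
    occurrence: int = 1  # hits required before the policy advances past this rule
    within: int = None   # max other events allowed since the previous rule was satisfied

@dataclass
class State:             # one state machine per (process, policy)
    index: int = 0       # next rule to satisfy
    hits: int = 0        # hits toward the current rule's occurrence count
    gap: int = 0         # events from this process since the previous rule was satisfied

class BehaviorMonitor:
    def __init__(self, policies, process_table):
        self.policies = policies              # {policy name: [Rule, ...]}, matched in order
        self.process_table = process_table    # (pid, tid) -> process name
        self.states, self.alerts = {}, []

    def feed(self, pid, tid, event, arg):
        # Attribute one hooked event to its process, then advance each policy's state machine.
        proc = self.process_table.get((pid, tid), f"unknown-pid-{pid}")
        for name, rules in self.policies.items():
            st = self.states.setdefault((proc, name), State())
            rule = rules[st.index]
            if event == rule.event and rule.contains in arg:
                st.hits += 1
                if st.hits >= rule.occurrence:
                    st.index, st.hits, st.gap = st.index + 1, 0, 0
                    if st.index == len(rules):               # every rule satisfied: positive match
                        self.alerts.append((proc, name))
                        self.states[(proc, name)] = State()
            elif st.index > 0:
                st.gap += 1
                if rule.within is not None and st.gap > rule.within:
                    self.states[(proc, name)] = State()      # window expired, start over
        return self.alerts

def run_demo():
    # Constructed sample: two processes, events as driver hooks would report them (pid, tid, op, arg).
    policies = {"drop-and-persist": [
        Rule("file_write", contains="\\Temp\\", occurrence=2),
        Rule("registry_set", contains="CurrentVersion\\Run", within=2)]}
    mon = BehaviorMonitor(policies, {(100, 1): "dropper.exe", (200, 7): "editor.exe"})
    for ev in [(100, 1, "file_write", "C:\\Users\\a\\Temp\\a.exe"),
               (200, 7, "file_write", "C:\\Users\\a\\Temp\\notes.tmp"),
               (100, 1, "file_write", "C:\\Users\\a\\Temp\\b.dll"),
               (100, 1, "file_read", "C:\\Windows\\System32\\kernel32.dll"),
               (100, 1, "registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\a")]:
        mon.feed(*ev)
    return list(mon.alerts)   # → [("dropper.exe", "drop-and-persist")]
```

The editor's single Temp write never reaches the `occurrence` threshold, so only the dropper's sequence produces a match; widening `within` or lowering `occurrence` is where the false-positive trade-off the abstract mentions is tuned.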
Publication number: US8370931 (B1); Publication date: 2013.02.05
Application number: US20080212250; Filing date: 2008.09.17
Applicant: TREND MICRO INCORPORATED; CHIEN HAO-LIANG; SHIH MING-CHANG; WU CHUN-DA. Inventors: CHIEN HAO-LIANG; SHIH MING-CHANG; WU CHUN-DA
Classification: G06F11/00; Main classification: G06F11/00