Abstract: To detect malicious program, the disadvantages of current detection mechanism were analyzed. The extension of process behavior concept was redefined. A detection model of difference comparison and process dynamic behavior analysis was proposed. The critical technology and realization were given. The experimental results indicate that the detection model excels traditional detection method in versatility and effectiveness.

Key words: vicious procedure, difference comparison, detection model, API function

摘要： 为了检测恶意程序，分析了现有各类检测机制的不足，重新界定了进程行为概念的外延，提出了差量对比与进程动态行为分析的检测模型，给出了关键技术和实现方法。测试结果表明该检测模型在通用性和有效性方面优于传统检测方法。

关键词: 恶意程序, 差量对比, 检测模型, API函数