The struggle between intrusion and anti-intrusion techniques relating to computer viruses has been ongoing. Because computers are widely used, the tension associated with this fight has increased. Over time, various methods for reducing the intrusions of computer viruses have been developed, resulting in many corresponding protection products. These products can be generally classified into two categories. One group blocks invading viruses. For example, firewalls may reduce the intrusions of viruses by restricting the communication ports, protocols, etc. The other group searches for virus-infected files that may allow an intrusion. For example, the present generation of antivirus software detects and removes infected harmful files by scanning for the code characteristics of the virus-infected files that may enable intrusions.
Although these two types of products do, to a certain extent, fight virus intrusions, they unfortunately suffer disadvantages. For example, although firewalls may block the intrusions of some viruses or hackers, the principal subjects monitored by firewalls are ports and protocols, and the users have to set the rules of constraint by themselves. This technique may result in certain disadvantages. First, to set the rules effectively, the users have to be very familiar with the system. Second, because of the large amount of traffic to monitor, it is unlikely that rules will be set for the ports and protocols necessary for the network applications. If unconstrained communications are allowed, intrusions by viruses or hackers may occur. If they are not allowed, the normal operation of the network may be affected.
Antivirus software utilizing the characteristic codes of viruses always trails the development of the viruses. This is because it is only after virus samples are captured that the characteristic codes of viruses can be extracted. Therefore, this kind of antivirus software cannot prevent the intrusions of new unknown viruses, and even computers on which antivirus software has been installed may still be attacked by the viruses. This risk may be reduced by upgrading and updating the virus database, but such updates always come later than the occurrence of the viruses.
In addition to the above-mentioned kinds of passive protection systems, the inventor of the present invention has provided an antivirus protection method for computers based on the behavioral analysis of programs, disclosed in Chinese Patent Application No. 200510007682.X, entitled “protection method for computer based on the behavioral analysis of programs.” The application has provided a wholly new method for virus protection in which computer programs are identified as harmful or attacked by viruses by analyzing the action behaviors of the programs.