Method and system for identifying malicious program

2010 
The invention relates to a method and a system for identifying a malicious program. The method comprises the following steps: 1. acquiring the information and behaviors of all processes in a computer system, establishing a process relation tree according to the parent-child (subordination) relationships among the processes, and storing the process information and a process behavior list corresponding to each process; 2. classifying the process behaviors in the behavior list of each parent process, and allocating the parent process's information to its sub-processes according to that classification, in top-to-bottom order of the process relation tree; 3. symbolizing according to the process relation tree and the process information, judging malicious programs against a preset malicious behavior threshold, and running the malicious programs in the computer system to obtain an expert system for judging malicious programs; and 4. when a process of a new program is created, using the expert system to judge whether the new program is malicious. Compared with the prior art, the invention lowers implementation complexity and can improve efficiency.
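As an added illustration (not the patent's own implementation), the following Python sketch carries out steps 1 to 3 of the abstract on constructed process records: it builds the process relation tree from parent-child links, classifies each process's behaviors, passes the parent's suspicious classes down to its children in top-to-bottom order, and compares a score against a preset threshold. The behavior classes, class weights and threshold value are assumptions; the abstract does not specify them, and the expert-system step 4 is not modelled.

```python
from collections import defaultdict

# Constructed sample process records (pid, parent pid, name, observed behaviors).
SAMPLE_PROCESSES = [
    {"pid": 1, "ppid": 0, "name": "explorer.exe", "behaviors": ["create_process"]},
    {"pid": 2, "ppid": 1, "name": "winword.exe", "behaviors": ["read_file", "create_process"]},
    {"pid": 3, "ppid": 2, "name": "cmd.exe", "behaviors": ["create_process", "write_file"]},
    {"pid": 4, "ppid": 3, "name": "dropper.exe",
     "behaviors": ["write_autorun", "network_connect", "inject_process"]},
    {"pid": 5, "ppid": 1, "name": "notepad.exe", "behaviors": ["read_file", "write_file"]},
]

# Assumed classification of raw behaviors into classes, per-class weights and
# the malicious-behavior threshold; the abstract names none of these values.
BEHAVIOR_CLASS = {
    "read_file": "benign_io", "write_file": "benign_io",
    "create_process": "spawn", "write_autorun": "persistence",
    "network_connect": "network", "inject_process": "injection",
}
CLASS_WEIGHT = {"benign_io": 0, "spawn": 1, "persistence": 3, "network": 2, "injection": 4}
MALICIOUS_THRESHOLD = 5


def build_tree(processes):
    """Step 1: index processes by pid and record each parent's children."""
    by_pid = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p["pid"])
    return by_pid, children


def score_tree(processes, threshold=MALICIOUS_THRESHOLD):
    """Steps 2-3: walk the tree root-first, hand each child the parent's
    weighted (suspicious) classes, and judge every process against the threshold."""
    by_pid, children = build_tree(processes)
    roots = [p["pid"] for p in processes if p["ppid"] not in by_pid]
    stack = [(pid, frozenset()) for pid in roots]
    verdicts = {}
    while stack:
        pid, parent_classes = stack.pop()
        own = {BEHAVIOR_CLASS.get(b, "unknown") for b in by_pid[pid]["behaviors"]}
        classes = own | parent_classes
        score = sum(CLASS_WEIGHT.get(c, 0) for c in classes)
        verdicts[pid] = {"score": score, "malicious": score >= threshold,
                         "classes": sorted(classes)}
        # Only classes with a non-zero weight are allocated to the sub-processes.
        handed = frozenset(c for c in classes if CLASS_WEIGHT.get(c, 0) > 0)
        stack.extend((child, handed) for child in children[pid])
    return verdicts
```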