
CN105678167A - Safety protection method and apparatus - Google Patents

Safety protection method and apparatus

Info

Publication number: CN105678167A
Application number: CN201510984719.8A
Authority: CN (China)
Legal status: Granted (active)
Other versions: CN105678167B
Original language: Chinese (zh)
Inventors: 王亮, 何博, 孙诚
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignees: Beijing Qizhi Business Consulting Co ltd; Beijing Qihoo Technology Co Ltd; 360 Digital Security Technology Group Co Ltd
Prior art keywords: behavior, security policy, temporary security, preset risk, preset

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention provides a security protection method and apparatus. The security protection method comprises: when a behavior of a process matches a preset local trigger policy, uploading description information of that behavior of the process to a server, so that the server, upon determining that the behavior matches any preset risk behavior, issues a temporary security policy corresponding to that preset risk behavior, the temporary security policy containing revocation conditions for the temporary security policy together with the processing operations for responding to the preset risk behavior and their trigger conditions; receiving the temporary security policy from the server; and loading the temporary security policy, so that the corresponding processing operation is executed whenever any trigger condition is satisfied and the temporary security policy is revoked whenever any revocation condition is satisfied. The present invention resolves the conflict between user resource consumption and application effectiveness that exists in current security policies, greatly improving the running efficiency and user experience of security protection software.

Description

Safety protection method and apparatus

Technical field

The present invention relates to the field of computer technology, and in particular to a security protection method and apparatus.

Background art

Malicious program is an umbrella term for any code deliberately created to perform unauthorized and usually harmful actions, for example computer viruses, backdoors, keyloggers, password stealers, macro viruses, boot-sector viruses, script viruses, Trojans, crimeware, spyware, adware and so on.

To cope with the huge and constantly growing number of malicious programs, existing security protection software can strengthen its protection by monitoring the behavior of application programs and monitoring and handling each behavior according to a security policy. The security policy, as the core of the protection capability, is usually updated, maintained and distributed network-wide by a server. A network-wide unified security policy has clear advantages in timeliness and maintenance cost, but it has a serious shortcoming in balancing user resource consumption against application effectiveness.

For example, a certain class of advertising promotion programs can only be intercepted effectively with fairly strict monitoring measures. If those measures were applied in the network-wide unified security policy, every user terminal would have to perform the monitoring continuously, greatly increasing its resource consumption; moreover, such advertising programs may not be widespread, so on the vast majority of terminals the monitoring would be pointless. In this situation, existing security protection software adopts looser monitoring for the sake of user experience, at the cost of less effective interception of that class of advertising program.

Summary of the invention

In view of the defects of the prior art, the present invention provides a security protection method and apparatus that resolve the conflict between user resource consumption and application effectiveness in existing security policies.

In a first aspect, the present invention provides a security protection apparatus, comprising:

an upload unit, configured to, when a behavior of a process matches a preset local trigger policy, upload description information of that behavior of the process to a server, so that the server, upon determining that the behavior matches any preset risk behavior, issues a temporary security policy corresponding to that preset risk behavior; the temporary security policy contains revocation conditions for the temporary security policy, together with the processing operations for responding to the preset risk behavior and their trigger conditions;

a receiving unit, configured to receive the temporary security policy from the server;

a loading unit, configured to load the temporary security policy obtained by the receiving unit, so that the corresponding processing operation is executed whenever any of the trigger conditions is satisfied and the temporary security policy is revoked whenever any of the revocation conditions is satisfied.

Optionally, the loading unit is further configured to load the temporary security policy into memory only, so that the temporary security policy revokes itself when the memory loses power.

Optionally, the process behaviors that match the local trigger policy include any one or more of the following:

accessing a network address unrelated to the function of the application to which the process belongs;

downloading a file unrelated to the function of the application to which the process belongs;

creating a process unrelated to the function of the application to which the process belongs;

injecting code into another process unrelated to the application to which the process belongs;

writing a file under a protected file directory;

the behavior of a process associated with an application on a blacklist.
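The local trigger policy above is what decides, on the terminal, which behaviors are worth reporting at all. The following Python sketch is an added example, not code from the patent or from its assignee: it models the six listed trigger cases against a per-application functional profile and returns the description information that would be uploaded in step 101. APP_PROFILES, PROTECTED_DIRS, BLACKLISTED_APPS and the event fields are constructed sample configuration.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration of the local trigger policy (not from the patent).
PROTECTED_DIRS = ("C:/Windows/System32/", "C:/Program Files/")
BLACKLISTED_APPS = {"adpusher.exe"}

# Functional profile per application: the hosts, download types and child processes that
# belong to the application's own function. Anything outside the profile counts as
# "unrelated to the function of the application" in the sense of the patent.
APP_PROFILES = {
    "browser.exe": {"hosts": {"example.com", "cdn.example.com"},
                    "downloads": {".html", ".pdf", ".zip"},
                    "children": {"browser_helper.exe"}},
}
EMPTY_PROFILE = {"hosts": set(), "downloads": set(), "children": set()}


@dataclass
class BehaviorEvent:
    pid: int
    image: str      # executable name of the acting process
    kind: str       # "connect", "download", "spawn", "inject" or "write"
    target: str     # host, file path, child image or target process image


@dataclass
class TriggerResult:
    matched: bool
    reason: str
    description: Optional[dict] = None   # "description information" to upload when matched


def _norm(path: str) -> str:
    return path.replace("\\", "/")


def evaluate_local_trigger(ev: BehaviorEvent) -> TriggerResult:
    """Step 101, terminal side: decide whether this behavior matches the local trigger policy.
    Only matched behaviors produce description information for the server; everything else
    stays under the ordinary local policy and never leaves the terminal."""
    prof = APP_PROFILES.get(ev.image, EMPTY_PROFILE)
    reason = None
    if ev.image in BLACKLISTED_APPS:
        reason = "behavior of a process of a blacklisted application"
    elif ev.kind == "connect" and ev.target not in prof["hosts"]:
        reason = "network address unrelated to the application's function"
    elif ev.kind == "download" and os.path.splitext(_norm(ev.target))[1].lower() not in prof["downloads"]:
        reason = "download unrelated to the application's function"
    elif ev.kind == "spawn" and ev.target not in prof["children"]:
        reason = "new process unrelated to the application's function"
    elif ev.kind == "inject" and ev.target != ev.image and ev.target not in prof["children"]:
        reason = "code injection into an unrelated process"
    elif ev.kind == "write" and _norm(ev.target).startswith(PROTECTED_DIRS):
        reason = "file write under a protected directory"

    if reason is None:
        return TriggerResult(False, "no local trigger matched")
    # Only the parameters the policy cares about are uploaded, not the file or payload itself.
    description = {"pid": ev.pid, "image": ev.image, "behavior": ev.kind,
                   "target": ev.target, "trigger": reason}
    return TriggerResult(True, reason, description)
```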

Optionally, the cases in which the behavior of the process matches any preset risk behavior include any one or more of the following:

the process matches any preset risk process;

the behavior of the process matches any preset risk behavior;

the behavior of the process matches a precursor behavior of any preset risk behavior.

Optionally, the revocation conditions of the temporary security policy include any one or more of the following:

the time the temporary security policy has been in effect exceeds a predetermined threshold;

the user has permitted the preset risk behavior in a prompt message;

a processing operation carrying an end mark in the temporary security policy has completed;

a revocation instruction message is received from the server.

Optionally, the processing operations for responding to the preset risk behavior and their trigger conditions include any one or more of the following:

with no trigger condition, an operation that restricts the operating privileges and/or system resource usage of the process;

with detection of the preset risk behavior as the trigger condition, an operation that intercepts the behavior of the process;

with detection of a preset high-risk behavior as the trigger condition, an operation that terminates the process or the application to which the process belongs;

with detection of residual files as the trigger condition, an operation that cleans up the residual files.

In a second aspect, the present invention further provides a security protection apparatus, comprising:

a receiving unit, configured to receive description information of a behavior of a process from a terminal, the description information matching the preset local trigger policy of that terminal;

a judging unit, configured to judge, from the description information obtained by the receiving unit, whether the behavior of the process matches any preset risk behavior;

an issuing unit, configured to, when the judging unit determines that the behavior of the process matches any preset risk behavior, issue to the terminal a temporary security policy corresponding to that preset risk behavior, so that the terminal receives and loads the temporary security policy;

wherein the temporary security policy contains revocation conditions for the temporary security policy, together with the processing operations for responding to the preset risk behavior and their trigger conditions, so that the terminal that has loaded the temporary security policy executes the corresponding processing operation whenever any trigger condition is satisfied and revokes the temporary security policy whenever any revocation condition is satisfied.

Optionally, the cases in which the behavior of the process matches any preset risk behavior include any one or more of the following:

the process matches any preset risk process;

the behavior of the process matches any preset risk behavior;

the behavior of the process matches a precursor behavior of any preset risk behavior.

In a third aspect, the present invention further provides a security protection method, comprising:

when a behavior of a process matches a preset local trigger policy, uploading description information of that behavior of the process to a server, so that the server, upon determining that the behavior matches any preset risk behavior, issues a temporary security policy corresponding to that preset risk behavior; the temporary security policy contains revocation conditions for the temporary security policy, together with the processing operations for responding to the preset risk behavior and their trigger conditions;

receiving the temporary security policy from the server;

loading the temporary security policy, so that the corresponding processing operation is executed whenever any of the trigger conditions is satisfied and the temporary security policy is revoked whenever any of the revocation conditions is satisfied.

In a fourth aspect, the present invention further provides a security protection method, comprising:

receiving description information of a behavior of a process from a terminal, the description information matching the preset local trigger policy of that terminal;

judging, from the description information, whether the behavior of the process matches any preset risk behavior;

when the behavior of the process matches any preset risk behavior, issuing to the terminal a temporary security policy corresponding to that preset risk behavior, so that the terminal receives and loads the temporary security policy;

wherein the temporary security policy contains revocation conditions for the temporary security policy, together with the processing operations for responding to the preset risk behavior and their trigger conditions, so that the terminal that has loaded the temporary security policy executes the corresponding processing operation whenever any trigger condition is satisfied and revokes the temporary security policy whenever any revocation condition is satisfied.

As the technical solution above shows, the present invention can identify, from the local trigger policy, a risky operation that a process is about to perform, and can handle that risky operation according to a temporary security policy. A targeted temporary security policy can use strict monitoring measures to deal effectively with malicious programs, while, because it contains revocation conditions, it does not occupy the terminal's resources for long. The present invention therefore resolves the conflict between user resource consumption and application effectiveness in existing security policies.

Compared with the prior art, the present invention can increase the effectiveness of the security policy at the same level of user resource consumption, or reduce user resource consumption while preserving effectiveness. Moreover, because it handles the risky operations of malicious programs in a targeted manner, it not only lowers user resource consumption and raises application effectiveness but can also intercept the risky operations while letting other operations through. Further, having the server store, maintain and distribute temporary security policies makes effective use of the server's strong information storage, collection and computing capability. The present invention thus offers users safer and more efficient protection and greatly improves the running efficiency and user experience of security protection software.

Of course, a product or method implementing the present invention need not achieve all of the advantages described above at the same time.

Brief description of the drawings

To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can derive further drawings from them without creative effort.

Fig. 1 is a schematic flowchart of the steps of a security protection method in one embodiment of the present invention;

Fig. 2 is a schematic flowchart of the steps of a security protection method in another embodiment of the present invention;

Fig. 3 is a schematic diagram of an interaction between a terminal and a server in one embodiment of the present invention;

Fig. 4 is a structural block diagram of a security protection apparatus in one embodiment of the present invention;

Fig. 5 is a structural block diagram of a security protection apparatus in another embodiment of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art can obtain from these embodiments without creative effort fall within the scope of protection of the present invention.

Fig. 1 is a schematic flowchart of the steps of a security protection method in one embodiment of the present invention. Referring to Fig. 1, the security protection method comprises:

Step 101: when a behavior of a process matches a preset local trigger policy, upload description information of that behavior of the process to the server, so that the server, upon determining that the behavior matches any preset risk behavior, issues a temporary security policy corresponding to that preset risk behavior; the temporary security policy contains revocation conditions for the temporary security policy, together with the processing operations for responding to the preset risk behavior and their trigger conditions;

Step 102: receive the temporary security policy from the server;

Step 103: load the temporary security policy, so that the corresponding processing operation is executed whenever any trigger condition is satisfied and the temporary security policy is revoked whenever any revocation condition is satisfied.

The security protection method of the present invention can be applied to any kind of terminal device, for example a personal computer (desktop, laptop, tablet or all-in-one), smartphone, e-book reader, smart TV, digital photo frame or smart navigation device. Step 101 can be executed on its own, independently of steps 102 and 103, with no fixed order between them; steps 102 and 103, however, must be executed after step 101, and step 103 must be executed after step 102.

Corresponding to the terminal-side security protection method of Fig. 1, Fig. 2 is a schematic flowchart of the steps of a server-side security protection method in another embodiment of the present invention. Referring to Fig. 2, the method comprises:

Step 201: receive description information of a behavior of a process from a terminal, the description information matching the preset local trigger policy of that terminal;

Step 202: judge, from the description information, whether the behavior of the process matches any preset risk behavior;

Step 203: when the behavior of the process matches any preset risk behavior, issue to the terminal a temporary security policy corresponding to that preset risk behavior, so that the terminal receives and loads the temporary security policy;

wherein the temporary security policy contains revocation conditions for the temporary security policy, together with the processing operations for responding to the preset risk behavior and their trigger conditions, so that the terminal that has loaded the temporary security policy executes the corresponding processing operation whenever any trigger condition is satisfied and revokes the temporary security policy whenever any revocation condition is satisfied.

The security protection method of the present invention can be applied to any kind of server device, for example a single server, a server group, a server cluster or a cloud server; the present invention places no restriction on this.

It should be noted that the process above may be any process running in the operating system that performs functions for one or more applications; the behavior of the process means the operation or set of operations the process actually performs, such as downloading a file, writing a file to disk or injecting code into another process. The local trigger policy is configured in advance and mainly describes which processes and/or behaviors deserve attention from a security protection standpoint; it may be delivered by an external device, set by the user on the basis of a default version, or a combination of both, and the present invention places no restriction on this. The description information may be part of the local trigger policy or be configured separately; it mainly specifies which parameters of the process and/or its behavior are of interest.

The server has a network connection to the device on which the security protection method runs, so that the device can upload the description information to the server once it has obtained it. The server's main task is to analyze whether the behavior of the process matches any preset risk behavior and to issue the corresponding temporary security policy to the device. A preset risk behavior is an operation for which the server already holds a record of corresponding description information and which has been judged risky (the source may be manual definition, automated analysis of collected data, or a combination of the two), for example bundling a piece of software, promoting a certain advertisement or stealing the user name and password of an application; these are the objects that security protection software must deal with. A temporary security policy corresponds to one preset risk behavior or one class of them and is mainly used to respond to that risk behavior in a targeted way during its period of validity. Temporary security policies can thus be created, maintained and issued at the server (manually, automatically on the basis of data analysis, or a combination of the two), and besides being targeted they carry revocation conditions. Specifically, when the device loads a temporary security policy the policy takes effect, so that whenever any trigger condition is satisfied the corresponding processing operation is executed, for example intercepting a detected download of a malicious program; when the device revokes the temporary security policy the policy ceases to apply and no longer occupies any system resources.

As the technical solution above shows, any of the security protection methods described can identify, from the local trigger policy, a risky operation that a process is about to perform, and can handle that risky operation according to a temporary security policy. A targeted temporary security policy can use strict monitoring measures to deal effectively with malicious programs, while, because it contains revocation conditions, it does not occupy the terminal's resources for long. The embodiments of the present invention therefore resolve the conflict between user resource consumption and application effectiveness in existing security policies.

Compared with the prior art, the embodiments of the present invention can increase the effectiveness of the security policy at the same level of user resource consumption, or reduce user resource consumption while preserving effectiveness. Moreover, because they handle the risky operations of malicious programs in a targeted manner, they not only lower user resource consumption and raise application effectiveness but can also intercept the risky operations while letting other operations through. Further, having the server store, maintain and distribute temporary security policies makes effective use of the server's strong information storage, collection and computing capability. The embodiments of the present invention thus offer users safer and more efficient protection and greatly improve the running efficiency and user experience of security protection software.

作为一种更具体的示例,图3是本发明一个实施例中一种终端与服务端之间的交互过程示意图。参见图3,首先终端在进程的行为匹配预设的本地触发策略时,将该进程的该行为的描述信息上传至服务端(上述步骤101),使得服务端接收来自终端的进程的行为的描述信息(上述步骤201),并根据描述信息,判断进程的行为是否与任一预设风险行为相匹配(上述步骤202)。可以理解的是,由于描述信息的上传主要是为了判断预设风险行为是否正在发生或者将要发生,所以终端在上传描述信息时可以不对进程的行为进行相应处理而直接放行,也可以进行相应处理以避免损失,其主要取决于本地安全策略对该进程的该行为的判定,本发明对此不做限制。而在服务端判定进程的行为没有与任一预设风险行为匹配时,说明该进程的该行为没有检测出任何安全风险,从而可以向终端返回相应消息以放行处理,或者服务端和终端都不做进一步地处理以减小系统资源的使用。As a more specific example, FIG. 3 is a schematic diagram of an interaction process between a terminal and a server in an embodiment of the present invention. Referring to Figure 3, first, when the behavior of the process matches the preset local trigger policy, the terminal uploads the description information of the behavior of the process to the server (step 101 above), so that the server receives the description of the behavior of the process from the terminal Information (step 201 above), and according to the description information, determine whether the behavior of the process matches any preset risk behavior (step 202 above). It is understandable that since the uploading of the description information is mainly for judging whether the preset risk behavior is happening or will happen, the terminal can directly release the process behavior without corresponding processing when uploading the description information, or can perform corresponding processing to The avoidance of losses mainly depends on the determination of the behavior of the process by the local security policy, which is not limited in the present invention. When the server determines that the behavior of the process does not match any of the preset risk behaviors, it means that the behavior of the process has not detected any security risks, so it can return a corresponding message to the terminal for release processing, or neither the server nor the terminal Do further processing to reduce system resource usage.

However, if the behavior of the process matches any preset risk behavior, the server issues to the terminal a temporary security policy corresponding to that preset risk behavior (step 203 above), so that the terminal receives the temporary security policy (step 102 above) and loads it, performing the corresponding processing operation whenever any trigger condition is satisfied and revoking the temporary security policy when any revocation condition is satisfied (step 103 above). For example, based on the received description information, the server determines that a file-download behavior of a browser process matches the preset risk behavior of bundled music player software, and therefore issues to the terminal a temporary security policy corresponding to the bundled music player software. This temporary security policy contains a processing operation that intercepts the write, with the trigger condition that any process writes any file related to the music player software to disk, and a revocation condition that clean-up of all files related to the music player software has been completed. It will be understood that the interaction process shown in FIG. 3 corresponds to the issuance, activation and expiry of one temporary security policy; in actual application scenarios several such processes may run in parallel or interleaved.

Furthermore, for the revocation mechanism of the temporary security policy expressed by the revocation conditions above, several representative examples are given below:

First, the temporary security policy is loaded directly in memory, so that it is revoked by itself once the memory loses power. That is, step 103 above (loading the temporary security policy so as to perform the corresponding processing operation when any trigger condition is satisfied and revoke the temporary security policy when any revocation condition is satisfied) includes a step 103a, not shown in the drawings: loading the temporary security policy into memory so that it is revoked by itself once the memory loses power. In this case, the information instructing the terminal to load the temporary security policy in memory is contained in the temporary security policy as the equivalent of a revocation condition. Of course, in this case no other revocation condition need be set in the temporary security policy, or other revocation conditions may be set for other situations in which the policy should be revoked; the present invention places no limitation on this.

Second, the revocation conditions include the temporary security policy having been in effect for longer than a predetermined threshold. The predetermined threshold may be determined by the server on the basis of the temporal relationship between the behavior that matched the local trigger policy and the preset risk behavior, combined with the system resource usage of the terminal. For example, there is usually not a long interval between downloading the installation package of bundled software and prompting the user with a pop-up asking whether to install it, and monitoring for the pop-up occupies only a small amount of system resources, so after weighing these factors the predetermined threshold may be set to 15 to 40 minutes. Naturally, when the description information includes information on available system resources, the server can determine the specific predetermined threshold from the system resource usage of the terminal together with the temporal relationship described above.

Third, the revocation conditions include the user having permitted the preset risk behavior in a prompt message. For example, while intercepting a preset risk behavior, the temporary security policy may prompt the user as to whether to intercept it; if the user chooses to permit the preset risk behavior, for instance by choosing to allow installation of the bundled software while it is being intercepted, the temporary security policy may cease to be in effect under this revocation condition, so as to avoid further occupying system resources.

Fourth, the revocation conditions include the completion of a processing operation in the temporary security policy that carries an end mark. Specifically, some of the processing operations contained in the temporary security policy serve as final items, so an end mark can be attached to these processing operations in advance; once the temporary security policy has executed any one of them, the temporary security policy is invalidated under this revocation condition, so as to avoid further occupying system resources.

Fifth, the revocation conditions include receiving a revocation instruction message from the server. Specifically, the revocation condition of the temporary security policy need not be evaluated by the local process but may be carried out by the server. For example, the server determines from the behavior of a certain process that the preset risk behavior of installing a Trojan horse program may occur, and issues the corresponding temporary security policy for that preset risk behavior; later, based on its evaluation of the subsequent behavior of the process, the server determines that there is no risk of a Trojan horse program being installed, and can therefore issue a revocation instruction message to the terminal so that the previously issued temporary security policy is invalidated. Thus, compared with the prior art, the above security protection method can guard against preset risk behaviors more strictly and achieve a better protective effect.

It should be noted that any one of the above ways of setting revocation conditions may be chosen, or they may be combined in any manner to suit different application scenarios; the present invention places no limitation on this.
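The trigger, end-mark and revocation mechanics described above, as an added example that is not part of the patent or the applicant's software: a terminal-side model of one temporary security policy for the bundled music player case, with an in-memory policy, a time threshold, user permission, a server revocation instruction and an end-marked clean-up operation. The event fields, file names and the 30-minute threshold are constructed for illustration.

```python
# Added example (not the patent's or the applicant's code): a terminal-side model of
# one temporary security policy's lifecycle. Policy contents, event fields and the
# 30-minute threshold are constructed for illustration; the policy object is held only
# in process memory, which is the "loaded in memory, revoked at power-off" mechanism.
from dataclasses import dataclass
from typing import Callable, List, Optional

Event = dict  # constructed event record, e.g. {"type": "file_write", "name": "..."}


@dataclass
class Operation:
    kind: str                                   # e.g. "restrict_network", "intercept", "cleanup"
    trigger: Optional[Callable[[Event], bool]]  # None: no trigger condition, applied on load
    end_mark: bool = False                      # completing an end-marked operation revokes the policy


@dataclass
class TemporaryPolicy:
    risk: str
    operations: List[Operation]
    ttl_seconds: float          # revocation condition: in effect longer than the threshold
    loaded_at: float = 0.0
    revoked: bool = False
    reason: Optional[str] = None

    def load(self, now: float) -> List[str]:
        """Step 103: load the policy; operations without a trigger apply immediately."""
        self.loaded_at = now
        return [op.kind for op in self.operations if op.trigger is None]

    def _revoke(self, reason: str) -> None:
        self.revoked = True
        self.reason = reason

    def check_revocation(self, now: float, user_permitted: bool = False,
                         server_revoke: bool = False) -> bool:
        """Evaluate the time-threshold, user-permission and server-instruction conditions."""
        if self.revoked:
            return True
        if now - self.loaded_at > self.ttl_seconds:
            self._revoke("ttl_exceeded")
        elif user_permitted:
            self._revoke("user_permitted")
        elif server_revoke:
            self._revoke("server_revoke")
        return self.revoked

    def handle_event(self, event: Event, now: float) -> Optional[str]:
        """Return the kind of the operation applied to this event, or None if released."""
        if self.check_revocation(now):
            return None
        for op in self.operations:
            if op.trigger is not None and op.trigger(event):
                if op.end_mark:                 # fourth mechanism: end-marked operation done
                    self._revoke("end_marked_operation_done")
                return op.kind
        return None


# Constructed policy for the "bundled music player" example in the text.
MUSIC_PLAYER_FILES = {"musicplayer_setup.exe", "musicplayer.dll"}


def is_music_player_write(ev: Event) -> bool:
    return ev["type"] == "file_write" and ev["name"].lower() in MUSIC_PLAYER_FILES


def is_cleanup_complete(ev: Event) -> bool:
    return ev["type"] == "residual_scan" and ev["remaining"] == 0


def bundled_music_player_policy() -> TemporaryPolicy:
    return TemporaryPolicy(
        risk="bundled_music_player",
        operations=[
            Operation("restrict_network", None),                 # no trigger condition
            Operation("intercept", is_music_player_write),       # trigger: related file written
            Operation("cleanup", is_cleanup_complete, end_mark=True),
        ],
        ttl_seconds=30 * 60,  # within the 15 to 40 minute band discussed in the text
    )


def run_scenario():
    """Feed a constructed event stream through the policy; returns what was applied."""
    policy = bundled_music_player_policy()
    t0 = 1_000.0
    on_load = policy.load(t0)
    events = [
        (t0 + 5, {"type": "file_write", "name": "report.pdf"}),             # unrelated, released
        (t0 + 60, {"type": "file_write", "name": "MusicPlayer_Setup.exe"}),  # intercepted
        (t0 + 90, {"type": "residual_scan", "remaining": 0}),                # end-marked op, revokes
        (t0 + 95, {"type": "file_write", "name": "musicplayer.dll"}),        # policy gone, released
    ]
    log = [(ev, policy.handle_event(ev, ts), policy.revoked) for ts, ev in events]
    return on_load, log, policy.reason


if __name__ == "__main__":
    for row in run_scenario()[1]:
        print(row)
```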

As a specific example of how the above local trigger policy may be set, the behavior of a process that matches the local trigger policy may include any one or more of the following:

accessing a network address unrelated to the function of the application to which the process belongs;

downloading a file unrelated to the function of the application to which the process belongs;

creating a process unrelated to the function of the application to which the process belongs;

injecting code into another process unrelated to the application to which the process belongs;

writing a file under a protected directory;

the behavior of a process related to an application on a blacklist.

It should be noted that the application to which a process belongs refers to the application that the process serves; whether a function is related, whether a process is related to an application, the protected directories and the application blacklist may all come from user settings, from the server, or from the default settings of the security protection software; the present invention places no limitation on this.

It can be seen that each of the above process behaviors carries, to a varying degree, the risk of installing or running malicious programs such as bundled software, Trojan horse programs and spyware, or of facilitating the installation, running and self-protection of malicious programs; these behaviors can therefore be set in the local trigger policy according to the specific application scenario.

As a specific example of how the above temporary security policy may be set, the processing operations for responding to a preset risk behavior and their trigger conditions include any one or more of the following:

with no trigger condition, an operation that limits the operating permissions and/or system resource usage of the process (for example, restricting network access to prevent the process from downloading, or continuing to download, the installation package of a malicious program);

with detection of a preset risk behavior as the trigger condition, an operation that intercepts the behavior of the process (for example, intercepting the process when it pops up a promotional advertisement);

with detection of a preset high-risk behavior as the trigger condition, an operation that terminates the process or the application to which the process belongs (for example, terminating the corresponding installer process when installation of a Trojan horse program is detected);

with detection of residual files as the trigger condition, an operation that cleans up the residual files (for example, performing the corresponding clean-up when residual files of a Trojan horse program are detected).

It will be understood that, when the preset risk behavior to be dealt with is known, the above processing operations and their trigger conditions, covering both detection and handling, can be highly targeted, responding to the corresponding preset risk behavior by ways that include but are not limited to those described above.

It should also be noted that the case in which the behavior of the process matches any preset risk behavior may include any one or more of the following: the process matches any preset risk process; the behavior of the process matches any preset risk behavior; the behavior of the process matches a precursor behavior of any preset risk behavior. In other words, when determining whether the behavior of the process matches any preset risk behavior, the server is not limited to the case in which the behavior of the process matches a preset risk behavior; the process itself may match a preset risk process, or the behavior of the process may match a precursor behavior of a preset risk behavior. Thus, for the cases where the process itself is risky, where the behavior of the process is risky, and where the behavior of the process is a precursor of a risk behavior, the server can select according to the specific application scenario so as to achieve a better protective effect.
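The local trigger policy above and the three server-side matching cases (process, behavior, precursor), as an added example that is not from the patent or the applicant's software: a stub of the terminal-side check that gates the upload of description information and of the server's matching against its preset risk catalogue. The application profiles, protected directories, blacklist and risk catalogue are all constructed; the server runs in-process here purely for illustration.

```python
# Added example (not the patent's or the applicant's code): the local trigger policy
# check on the terminal (step 101) and the server's matching against preset risk
# processes, behaviors and precursor behaviors (step 202). Application profiles, the
# protected directories, the blacklist and the server's risk catalogue are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed profile of what each application's own function legitimately involves.
APP_PROFILES = {
    "browser": {"domains": {"search.example.test", "cdn.example.test"},
                "file_types": {".html", ".pdf", ".zip"},
                "processes": {"browser", "renderer"}},
    "editor":  {"domains": set(), "file_types": {".txt", ".docx"},
                "processes": {"editor"}},
}
EMPTY_PROFILE = {"domains": set(), "file_types": set(), "processes": set()}
PROTECTED_DIRS = ("/system/", "C:\\Windows\\")     # constructed
BLACKLISTED_APPS = {"known_bad_toolbar"}           # constructed


@dataclass
class Behavior:
    app: str       # application the process serves
    process: str
    kind: str      # "net_access" | "download" | "spawn" | "inject" | "file_write"
    target: str    # host/path, file path, child or target process name


def matches_local_trigger(b: Behavior) -> Optional[str]:
    """Return which of the six listed trigger rules the behavior hits, or None."""
    if b.app in BLACKLISTED_APPS:
        return "blacklisted_app"
    prof = APP_PROFILES.get(b.app, EMPTY_PROFILE)
    if b.kind == "net_access" and b.target.split("/")[0] not in prof["domains"]:
        return "unrelated_network_address"
    if b.kind == "download" and not any(b.target.lower().endswith(e) for e in prof["file_types"]):
        return "unrelated_file_download"
    if b.kind == "spawn" and b.target not in prof["processes"]:
        return "unrelated_process"
    if b.kind == "inject" and b.target not in prof["processes"]:
        return "code_injection"
    if b.kind == "file_write" and b.target.startswith(PROTECTED_DIRS):
        return "write_protected_dir"
    return None


# Constructed server-side catalogue (kept and maintained on the server in the patent's design).
RISK_PROCESSES = {"toolbar_installer": "adware_toolbar"}
RISK_BEHAVIORS = {("file_write", "musicplayer_setup.exe"): "bundled_music_player"}
PRECURSORS = {("download", ".exe"): "bundled_music_player"}  # download precedes the bundled install


def describe(b: Behavior, rule: str) -> dict:
    """Description information the terminal uploads (step 101)."""
    return {"process": b.process, "app": b.app, "kind": b.kind,
            "target": b.target, "rule": rule}


def server_match(desc: dict) -> Optional[dict]:
    """Step 202: process match, then behavior match, then precursor match; policy stub or None."""
    name = desc["target"].rsplit("/", 1)[-1].lower()
    if desc["process"] in RISK_PROCESSES:
        return {"risk": RISK_PROCESSES[desc["process"]], "matched_by": "process"}
    if (desc["kind"], name) in RISK_BEHAVIORS:
        return {"risk": RISK_BEHAVIORS[(desc["kind"], name)], "matched_by": "behavior"}
    for (kind, suffix), risk in PRECURSORS.items():
        if desc["kind"] == kind and name.endswith(suffix):
            return {"risk": risk, "matched_by": "precursor"}
    return None        # no risk detected: release, nothing further to do


def terminal_step(b: Behavior) -> Tuple[Optional[str], Optional[dict]]:
    """One pass of the FIG. 3 exchange: (trigger rule hit, policy issued by the server)."""
    rule = matches_local_trigger(b)
    if rule is None:
        return None, None          # nothing uploaded, behavior released locally
    return rule, server_match(describe(b, rule))


if __name__ == "__main__":
    print(terminal_step(Behavior("browser", "browser", "download",
                                 "http://dl.example.test/MusicPlayer_Setup.exe")))
```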

Based on the same inventive concept, FIG. 4 is a structural block diagram of a security protection apparatus in one embodiment of the present invention. Referring to FIG. 4, the security protection apparatus includes:

an upload unit 41, configured to upload, when the behavior of a process matches the preset local trigger policy, description information of that behavior of that process to the server, so that the server, upon determining that the behavior of the process matches any preset risk behavior, issues a temporary security policy corresponding to that preset risk behavior; the temporary security policy contains revocation conditions of the temporary security policy, and processing operations for responding to the preset risk behavior together with their trigger conditions;

a receiving unit 42, configured to receive the temporary security policy from the server;

a loading unit 43, configured to load the temporary security policy obtained by the receiving unit 42, so as to perform the corresponding processing operation when any trigger condition is satisfied and revoke the temporary security policy when any revocation condition is satisfied.

It will be understood that the functions implemented by this security protection apparatus correspond one to one with the steps of the security protection method shown in FIG. 1, so the apparatus may have the corresponding structures and functions; for example, corresponding to step 103a above, the loading unit 43 may further be configured to load the temporary security policy into memory so that it is revoked by itself once the memory loses power. This is not repeated here.

Based on the same inventive concept, FIG. 5 is a structural block diagram of a security protection apparatus in one embodiment of the present invention. Referring to FIG. 5, the security protection apparatus includes:

a receiving unit 51, configured to receive description information of the behavior of a process from a terminal, the description information of the process behavior matching the preset local trigger policy of that terminal;

a judging unit 52, configured to determine, according to the description information obtained by the receiving unit 51, whether the behavior of the process matches any preset risk behavior;

an issuing unit 53, configured to issue to the terminal, when the judging unit 52 determines that the behavior of the process matches any preset risk behavior, a temporary security policy corresponding to that preset risk behavior, so that the terminal receives and loads the temporary security policy;

wherein the temporary security policy contains revocation conditions of the temporary security policy, and processing operations for responding to the preset risk behavior together with their trigger conditions, so that the terminal that has loaded the temporary security policy performs the corresponding processing operation when any trigger condition is satisfied and revokes the temporary security policy when any revocation condition is satisfied.

It will be understood that the functions implemented by this security protection apparatus correspond one to one with the steps of the security protection method shown in FIG. 2, so the apparatus may have the corresponding structures and functions. This is not repeated here.

It should be understood that the embodiments of the present invention disclose the following technical solutions:

A1. A security protection apparatus, characterized in that it comprises:

an upload unit, configured to upload, when the behavior of a process matches a preset local trigger policy, description information of that behavior of that process to a server, so that the server, upon determining that the behavior of the process matches any preset risk behavior, issues a temporary security policy corresponding to that preset risk behavior; the temporary security policy contains revocation conditions of the temporary security policy, and processing operations for responding to the preset risk behavior together with their trigger conditions;

a receiving unit, configured to receive the temporary security policy from the server;

a loading unit, configured to load the temporary security policy obtained by the receiving unit, so as to perform the corresponding processing operation when any of the trigger conditions is satisfied and revoke the temporary security policy when any of the revocation conditions is satisfied.

A2. The security protection apparatus according to solution A1, characterized in that the loading unit is further configured to load the temporary security policy into memory, so that the temporary security policy is revoked by itself once the memory loses power.

A3. The security protection apparatus according to solution A1, characterized in that the behavior of a process that matches the local trigger policy includes any one or more of the following:

accessing a network address unrelated to the function of the application to which the process belongs;

downloading a file unrelated to the function of the application to which the process belongs;

creating a process unrelated to the function of the application to which the process belongs;

injecting code into another process unrelated to the application to which the process belongs;

writing a file under a protected directory;

the behavior of a process related to an application on a blacklist.

A4. The security protection apparatus according to solution A1, characterized in that the case in which the behavior of the process matches any preset risk behavior includes any one or more of the following:

the process matches any preset risk process;

the behavior of the process matches any preset risk behavior;

the behavior of the process matches a precursor behavior of any preset risk behavior.

A5. The security protection apparatus according to solution A1, characterized in that the revocation conditions of the temporary security policy include any one or more of the following:

the temporary security policy has been in effect for longer than a predetermined threshold;

the user has permitted the preset risk behavior in a prompt message;

a processing operation in the temporary security policy that carries an end mark has been completed;

a revocation instruction message has been received from the server.

A6. The security protection apparatus according to solution A1, characterized in that the processing operations for responding to the preset risk behavior and their trigger conditions include any one or more of the following:

with no trigger condition, an operation that limits the operating permissions and/or system resource usage of the process;

with detection of a preset risk behavior as the trigger condition, an operation that intercepts the behavior of the process;

with detection of a preset high-risk behavior as the trigger condition, an operation that terminates the process or the application to which the process belongs;

with detection of residual files as the trigger condition, an operation that cleans up the residual files.

B7. A security protection apparatus, characterized in that it comprises:

a receiving unit, configured to receive description information of the behavior of a process from a terminal, the description information of the process behavior matching a preset local trigger policy of that terminal;

a judging unit, configured to determine, according to the description information obtained by the receiving unit, whether the behavior of the process matches any preset risk behavior;

an issuing unit, configured to issue to the terminal, when the judging unit determines that the behavior of the process matches any preset risk behavior, a temporary security policy corresponding to that preset risk behavior, so that the terminal receives and loads the temporary security policy;

wherein the temporary security policy contains revocation conditions of the temporary security policy, and processing operations for responding to the preset risk behavior together with their trigger conditions, so that the terminal that has loaded the temporary security policy performs the corresponding processing operation when any of the trigger conditions is satisfied and revokes the temporary security policy when any of the revocation conditions is satisfied.

B8. The security protection apparatus according to solution B7, characterized in that the case in which the behavior of the process matches any preset risk behavior includes any one or more of the following:

the process matches any preset risk process;

the behavior of the process matches any preset risk behavior;

the behavior of the process matches a precursor behavior of any preset risk behavior.

B9. The security protection apparatus according to solution B7, characterized in that the revocation conditions of the temporary security policy include any one or more of the following:

the temporary security policy has been in effect for longer than a predetermined threshold;

the user has permitted the preset risk behavior in a prompt message;

a processing operation in the temporary security policy that carries an end mark has been completed;

a revocation instruction message has been received from the server.

B10. The security protection apparatus according to solution B7, characterized in that the processing operations for responding to the preset risk behavior and their trigger conditions include any one or more of the following:

with no trigger condition, an operation that limits the operating permissions and/or system resource usage of the process;

with detection of a preset risk behavior as the trigger condition, an operation that intercepts the behavior of the process;

with detection of a preset high-risk behavior as the trigger condition, an operation that terminates the process or the application to which the process belongs;

with detection of residual files as the trigger condition, an operation that cleans up the residual files.

C11. A security protection method, characterized in that it comprises:

when the behavior of a process matches a preset local trigger policy, uploading description information of that behavior of that process to a server, so that the server, upon determining that the behavior of the process matches any preset risk behavior, issues a temporary security policy corresponding to that preset risk behavior; the temporary security policy contains revocation conditions of the temporary security policy, and processing operations for responding to the preset risk behavior together with their trigger conditions;

receiving the temporary security policy from the server;

loading the temporary security policy, so as to perform the corresponding processing operation when any of the trigger conditions is satisfied and revoke the temporary security policy when any of the revocation conditions is satisfied.

C12. The security protection method according to solution C11, characterized in that loading the temporary security policy, so as to perform the corresponding processing operation when any of the trigger conditions is satisfied and revoke the temporary security policy when any of the revocation conditions is satisfied, includes:

loading the temporary security policy into memory, so that the temporary security policy is revoked by itself once the memory loses power.

C13. The security protection method according to solution C11, characterized in that the behavior of a process that matches the local trigger policy includes any one or more of the following:

accessing a network address unrelated to the function of the application to which the process belongs;

downloading a file unrelated to the function of the application to which the process belongs;

creating a process unrelated to the function of the application to which the process belongs;

injecting code into another process unrelated to the application to which the process belongs;

writing a file under a protected directory;

the behavior of a process related to an application on a blacklist.

C14. The security protection method according to solution C11, characterized in that the case in which the behavior of the process matches any preset risk behavior includes any one or more of the following:

the process matches any preset risk process;

the behavior of the process matches any preset risk behavior;

the behavior of the process matches a precursor behavior of any preset risk behavior.

C15. The security protection method according to solution C11, characterized in that the revocation conditions of the temporary security policy include any one or more of the following:

the temporary security policy has been in effect for longer than a predetermined threshold;

the user has permitted the preset risk behavior in a prompt message;

a processing operation in the temporary security policy that carries an end mark has been completed;

a revocation instruction message has been received from the server.

C16. The security protection method according to solution C11, characterized in that the processing operations for responding to the preset risk behavior and their trigger conditions include any one or more of the following:

with no trigger condition, an operation that limits the operating permissions and/or system resource usage of the process;

with detection of a preset risk behavior as the trigger condition, an operation that intercepts the behavior of the process;

with detection of a preset high-risk behavior as the trigger condition, an operation that terminates the process or the application to which the process belongs;

with detection of residual files as the trigger condition, an operation that cleans up the residual files.

D17、一种安全防护方法,其特征在于,包括:D17. A safety protection method, characterized in that it includes:

接收来自终端的进程的行为的描述信息;所述进程的行为的描述信息匹配该终端的预设的本地触发策略;receiving the description information of the behavior of the process from the terminal; the description information of the behavior of the process matches the preset local trigger policy of the terminal;

根据所述描述信息,判断所述进程的所述行为是否与任一预设风险行为相匹配;judging whether the behavior of the process matches any preset risk behavior according to the description information;

在进程的所述行为与任一预设风险行为相匹配时,向所述终端下发对应于该预设风险行为的临时安全策略,以使所述终端接收并加载所述临时安全策略;When the behavior of the process matches any preset risk behavior, issue a temporary security policy corresponding to the preset risk behavior to the terminal, so that the terminal receives and loads the temporary security policy;

其中,所述临时安全策略中包含:所述临时安全策略的撤销条件,以及用于应对预设风险行为的处理操作及其触发条件,以使加载所述临时安全策略的终端在任一所述触发条件满足时执行相应的处理操作,并在任一所述撤销条件满足时撤销所述临时安全策略。Wherein, the temporary security policy includes: the revocation condition of the temporary security policy, and processing operations and trigger conditions for dealing with preset risk behaviors, so that the terminal loaded with the temporary security policy can Execute corresponding processing operations when the conditions are met, and revoke the temporary security policy when any revocation condition is met.

D18、根据前述方案D17所述的安全防护方法,其特征在于,所述进程的行为与任一预设风险行为相匹配的情形包括下述的任意一种或多种:D18. According to the security protection method described in the aforementioned scheme D17, it is characterized in that the situation that the behavior of the process matches any preset risk behavior includes any one or more of the following:

所述进程与任一预设风险进程相匹配;Said process matches any of the preset risk processes;

所述进程的行为与任一预设风险行为相匹配;The behavior of the process matches any of the preset risk behaviors;

所述进程的行为与任一预设风险行为的前兆行为相匹配。The behavior of the process matches the precursor behavior of any predetermined risk behavior.

D19、根据前述方案D17所述的安全防护方法,其特征在于,所述临时安全策略的撤销条件包括下述的任意一种或多种:D19. According to the security protection method described in the aforementioned solution D17, it is characterized in that the revocation conditions of the temporary security policy include any one or more of the following:

所述临时安全策略的生效时间超过预定阈值;The effective time of the temporary security policy exceeds a predetermined threshold;

用户在提示消息中许可了所述预设风险行为;The user has approved the preset risk behavior in the prompt message;

所述临时安全策略中具有结束标记的处理操作已经完成;The processing operation with the end mark in the temporary security policy has been completed;

收到来自所述服务端的撤销指令消息。A revocation instruction message from the server is received.

D20、根据前述方案D17所述的安全防护方法,其特征在于,所述用于应对预设风险行为的处理操作及其触发条件包括下述的任意一种或多种:D20. The safety protection method according to the aforementioned solution D17, wherein the processing operations and trigger conditions for dealing with preset risk behaviors include any one or more of the following:

没有触发条件,限制所述进程的操作权限和/或系统资源占用量的操作;Operations that limit the operating authority and/or system resource usage of the process without triggering conditions;

以检测到预设风险行为作为触发条件,对所述进程的行为进行拦截的操作;Taking the detection of a preset risky behavior as a trigger condition to intercept the behavior of the process;

以检测到预设高危行为作为触发条件,结束所述进程或者结束所述进程所属的应用程序的操作;Taking the detection of a preset high-risk behavior as a trigger condition, ending the operation of the process or the application program to which the process belongs;

以检测到残留文件作为触发条件,对所述残留文件进行清理的操作。The detection of residual files is used as a trigger condition to clean up the residual files.
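The policy object that schemes D17 to D20 describe, worked through as an added example in Python (illustrative code written for this page, not code from the patent or its applicant). It assumes string tags for the trigger conditions of D20, a `ttl_seconds` field for the effective-time threshold of D19, an `is_final` flag standing in for the "end mark" of D19, and a constructed stream of endpoint events; the patent fixes none of these formats. The example shows the ordering a terminal has to get right: an operation with no trigger condition is applied on load, revocation conditions are checked before trigger conditions on every event, and nothing runs once the policy is revoked.

```python
"""Temporary security policy runtime modelled on schemes D17 to D20.

Added example; not code from the patent or its applicant. Tag names, action
names, field names and the sample events are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Trigger conditions listed in D20 (string tags are an assumption).
TRIGGER_NONE = "none"                        # applied unconditionally when the policy loads
TRIGGER_RISK_BEHAVIOR = "risk_behavior"
TRIGGER_HIGH_RISK_BEHAVIOR = "high_risk_behavior"
TRIGGER_RESIDUAL_FILE = "residual_file"

# Event kinds expressing the D19 revocation conditions (also assumptions).
EVENT_USER_PERMITTED = "user_permitted"      # user allowed the behavior in the prompt message
EVENT_SERVER_REVOKE = "server_revoke"        # revocation instruction message from the server


@dataclass
class Operation:
    trigger: str            # one of the TRIGGER_* tags
    action: str             # what the terminal does when the trigger fires
    is_final: bool = False  # stands in for the D19 "end mark": completing it revokes the policy


@dataclass
class TemporaryPolicy:
    risk_behavior: str          # the preset risk behavior this policy answers
    operations: List[Operation]
    ttl_seconds: float          # D19: revoke once in effect longer than this threshold


class PolicyRuntime:
    """Terminal-side view of one loaded temporary policy."""

    def __init__(self, policy: TemporaryPolicy, now: float):
        self.policy = policy
        self.loaded_at = now
        self.revoked = False
        self.revoke_reason: Optional[str] = None
        self.actions: List[str] = []    # processing operations executed, in order
        # D20: an operation with no trigger condition is applied as soon as the policy loads.
        for op in policy.operations:
            if op.trigger == TRIGGER_NONE:
                self._run(op)

    def _revoke(self, reason: str) -> None:
        if not self.revoked:
            self.revoked, self.revoke_reason = True, reason

    def _run(self, op: Operation) -> None:
        self.actions.append(op.action)
        if op.is_final:
            self._revoke("final_operation_completed")

    def on_event(self, event: Dict[str, str], now: float) -> Optional[str]:
        """Feed one endpoint event; return the action taken, or None."""
        if self.revoked:
            return None
        # D19 revocation conditions are checked before any trigger condition.
        if now - self.loaded_at > self.policy.ttl_seconds:
            self._revoke("ttl_expired")
        elif event["kind"] == EVENT_USER_PERMITTED:
            self._revoke("user_permitted_behavior")
        elif event["kind"] == EVENT_SERVER_REVOKE:
            self._revoke("server_revoke_instruction")
        if self.revoked:
            return None
        # D20 trigger conditions: the first operation whose trigger matches the event runs.
        for op in self.policy.operations:
            if op.trigger == event["kind"]:
                self._run(op)
                return op.action
        return None


def make_policy() -> TemporaryPolicy:
    """A constructed policy answering the 'write under protected directory' behavior."""
    return TemporaryPolicy(
        risk_behavior="protected_directory_write",
        operations=[
            Operation(TRIGGER_NONE, "restrict_privileges"),
            Operation(TRIGGER_RISK_BEHAVIOR, "intercept"),
            Operation(TRIGGER_RESIDUAL_FILE, "cleanup"),
            Operation(TRIGGER_HIGH_RISK_BEHAVIOR, "terminate_process", is_final=True),
        ],
        ttl_seconds=60.0,
    )


def run_policy_demo():
    """Walk a constructed event stream through the policy; returns (actions, revoke reason)."""
    rt = PolicyRuntime(make_policy(), now=0.0)
    events = [  # constructed sample events; 'kind' carries the trigger or revocation tag
        (1.0, {"kind": TRIGGER_RISK_BEHAVIOR, "detail": "write attempt under protected dir"}),
        (2.0, {"kind": TRIGGER_RESIDUAL_FILE, "detail": "/tmp/leftover.bin"}),
        (3.0, {"kind": TRIGGER_HIGH_RISK_BEHAVIOR, "detail": "high-risk behavior reported"}),
        (4.0, {"kind": TRIGGER_RISK_BEHAVIOR, "detail": "ignored: policy already revoked"}),
    ]
    for now, ev in events:
        rt.on_event(ev, now)
    return rt.actions, rt.revoke_reason


if __name__ == "__main__":
    print(run_policy_demo())
```

Because `PolicyRuntime` keeps all state in process memory and never writes it to disk, it also behaves as scheme D-series claim 2 requires: the policy disappears with the memory it was loaded into, which is the intended fail-safe for a temporary measure.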

Numerous specific details are set forth in the description of the present invention. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.

Similarly, it should be appreciated that in the above description of exemplary embodiments of the invention, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.

Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.

Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the security protection apparatus according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for performing some or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the invention; all of them are to be covered by the scope of the claims and description of the invention.

Claims (10)

1. A security protection apparatus, characterized in that it comprises:

an upload unit, configured to upload, when a behavior of a process matches a preset local trigger policy, description information of that behavior of the process to a server, so that the server, upon judging that the behavior of the process matches any preset risk behavior, issues a temporary security policy corresponding to that preset risk behavior; the temporary security policy contains: revocation conditions of the temporary security policy, and processing operations for dealing with the preset risk behavior together with their trigger conditions;

a receiving unit, configured to receive the temporary security policy from the server;

a loading unit, configured to load the temporary security policy obtained by the receiving unit, so as to execute the corresponding processing operation when any of the trigger conditions is satisfied and to revoke the temporary security policy when any of the revocation conditions is satisfied.

2. The security protection apparatus according to claim 1, characterized in that the loading unit is further configured to load the temporary security policy into memory, so that the temporary security policy revokes itself once the memory loses power.

3. The security protection apparatus according to claim 1, characterized in that a behavior of a process matching the local trigger policy includes any one or more of the following:

accessing a network address unrelated to the functions of the application program to which the process belongs;

downloading a file unrelated to the functions of the application program to which the process belongs;

creating a process unrelated to the functions of the application program to which the process belongs;

injecting code into another process unrelated to the application program to which the process belongs;

writing a file under a protected file directory;

a behavior of a process associated with an application program on a blacklist.

4. The security protection apparatus according to claim 1, characterized in that the cases in which the behavior of the process matches any preset risk behavior include any one or more of the following:

the process matches any preset risk process;

the behavior of the process matches any preset risk behavior;

the behavior of the process matches a precursor behavior of any preset risk behavior.

5. The security protection apparatus according to claim 1, characterized in that the revocation conditions of the temporary security policy include any one or more of the following:

the time for which the temporary security policy has been in effect exceeds a predetermined threshold;

the user has permitted the preset risk behavior in a prompt message;

a processing operation in the temporary security policy that carries an end mark has completed;

a revocation instruction message is received from the server.

6. The security protection apparatus according to claim 1, characterized in that the processing operations for dealing with the preset risk behavior and their trigger conditions include any one or more of the following:

with no trigger condition, an operation that restricts the operating privileges and/or the system resource usage of the process;

taking detection of a preset risk behavior as the trigger condition, an operation that intercepts the behavior of the process;

taking detection of a preset high-risk behavior as the trigger condition, an operation that terminates the process or the application program to which the process belongs;

taking detection of residual files as the trigger condition, an operation that cleans up the residual files.

7. A security protection apparatus, characterized in that it comprises:

a receiving unit, configured to receive, from a terminal, description information of a behavior of a process, the description information matching a preset local trigger policy of that terminal;

a judging unit, configured to judge, according to the description information obtained by the receiving unit, whether the behavior of the process matches any preset risk behavior;

an issuing unit, configured to issue to the terminal, when the judging unit judges that the behavior of the process matches any preset risk behavior, a temporary security policy corresponding to that preset risk behavior, so that the terminal receives and loads the temporary security policy;

wherein the temporary security policy contains: the revocation conditions of the temporary security policy, and the processing operations for dealing with the preset risk behavior together with their trigger conditions, so that a terminal which has loaded the temporary security policy executes the corresponding processing operation when any of the trigger conditions is satisfied and revokes the temporary security policy when any of the revocation conditions is satisfied.

8. The security protection apparatus according to claim 7, characterized in that the cases in which the behavior of the process matches any preset risk behavior include any one or more of the following:

the process matches any preset risk process;

the behavior of the process matches any preset risk behavior;

the behavior of the process matches a precursor behavior of any preset risk behavior.

9. A security protection method, characterized in that it comprises:

when a behavior of a process matches a preset local trigger policy, uploading description information of that behavior of the process to a server, so that the server, upon judging that the behavior of the process matches any preset risk behavior, issues a temporary security policy corresponding to that preset risk behavior; the temporary security policy contains: revocation conditions of the temporary security policy, and processing operations for dealing with the preset risk behavior together with their trigger conditions;

receiving the temporary security policy from the server;

loading the temporary security policy, so as to execute the corresponding processing operation when any of the trigger conditions is satisfied and to revoke the temporary security policy when any of the revocation conditions is satisfied.

10. A security protection method, characterized in that it comprises:

receiving, from a terminal, description information of a behavior of a process, the description information matching a preset local trigger policy of that terminal;

judging, according to the description information, whether the behavior of the process matches any preset risk behavior;

when the behavior of the process matches any preset risk behavior, issuing to the terminal a temporary security policy corresponding to that preset risk behavior, so that the terminal receives and loads the temporary security policy;

wherein the temporary security policy contains: the revocation conditions of the temporary security policy, and the processing operations for dealing with the preset risk behavior together with their trigger conditions, so that a terminal which has loaded the temporary security policy executes the corresponding processing operation when any of the trigger conditions is satisfied and revokes the temporary security policy when any of the revocation conditions is satisfied.
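The two ends of the exchange that claims 1, 3, 7 and 8 describe, as an added example in Python (illustrative code written for this page, not code from the patent or its applicant): the terminal checks each process behavior against a local trigger policy of the kind listed in claim 3 and uploads a description only when a rule matches, and the server matches that description against preset risk processes, preset risk behaviors and precursor behaviors in the order claim 8 lists them. The application profile, protected directories, blacklist, risk catalogue, report field names and sample behaviors are all constructed assumptions; the patent specifies none of them. The point the example makes for a defender is the two-stage filter: most behavior never leaves the terminal, and a reported behavior that matches no catalogue entry produces no policy.

```python
"""Terminal-side local trigger policy (claim 3) and server-side risk matching (claims 7, 8).

Added example; not the patent's or applicant's code. Profiles, directories,
blacklist, risk catalogue, field names and sample behaviors are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PROTECTED_DIRS = ("/system/", "/usr/bin/")   # constructed protected file directories
BLACKLISTED_APPS = {"unwanted.bundle"}       # constructed application blacklist


@dataclass
class AppProfile:
    """What an application legitimately does (constructed; the patent fixes no format)."""
    name: str
    allowed_hosts: Set[str]        # hosts related to the app's function (plus subdomains)
    allowed_file_types: Set[str]   # extensions the app is expected to download
    allowed_children: Set[str]     # processes the app is expected to create


@dataclass
class Behavior:
    app: str        # application the acting process belongs to
    process: str    # name of the acting process
    kind: str       # "net_access" | "download" | "spawn" | "inject" | "write"
    target: str     # host, file path, child process or injected process


def host_related(host: str, allowed: Set[str]) -> bool:
    return any(host == a or host.endswith("." + a) for a in allowed)


def matches_local_trigger(b: Behavior, profile: AppProfile) -> Optional[str]:
    """Claim 3: the local trigger rule the behavior matches, or None if it stays local."""
    if b.app in BLACKLISTED_APPS:
        return "blacklisted_app"
    if b.kind == "net_access" and not host_related(b.target, profile.allowed_hosts):
        return "unrelated_network_address"
    if b.kind == "download" and b.target.rsplit(".", 1)[-1].lower() not in profile.allowed_file_types:
        return "unrelated_file_download"
    if b.kind == "spawn" and b.target not in profile.allowed_children:
        return "unrelated_child_process"
    if b.kind == "inject" and b.target != b.process and b.target not in profile.allowed_children:
        return "cross_process_injection"
    if b.kind == "write" and b.target.startswith(PROTECTED_DIRS):
        return "protected_directory_write"
    return None


# Server-side catalogue (constructed); each entry names the preset risk behavior it indicates.
RISK_PROCESSES: Dict[str, str] = {"installer-stub.exe": "unwanted_software_install"}
RISK_BEHAVIORS: Dict[Tuple[str, str], str] = {
    ("write", "protected_directory_write"): "system_tampering",
    ("inject", "cross_process_injection"): "code_injection",
}
PRECURSOR_BEHAVIORS: Dict[Tuple[str, str], str] = {
    ("net_access", "unrelated_network_address"): "unwanted_software_install",
    ("download", "unrelated_file_download"): "unwanted_software_install",
}


def build_report(b: Behavior, rule: str) -> Dict[str, str]:
    """Description information the terminal uploads (claim 1); field names are constructed."""
    return {"app": b.app, "process": b.process, "kind": b.kind, "target": b.target, "rule": rule}


def server_match(report: Dict[str, str]) -> Optional[str]:
    """Claim 8, in the order listed: the process, then the behavior, then a precursor behavior."""
    if report["process"] in RISK_PROCESSES:
        return RISK_PROCESSES[report["process"]]
    key = (report["kind"], report["rule"])
    return RISK_BEHAVIORS.get(key) or PRECURSOR_BEHAVIORS.get(key)


def escalate(behaviors: List[Behavior], profiles: Dict[str, AppProfile]) -> List[Tuple[str, str, Optional[str]]]:
    """Both sides in one pass: (process, local rule, preset risk behavior matched by the server or None)."""
    decisions = []
    for b in behaviors:
        rule = matches_local_trigger(b, profiles[b.app])
        if rule is None:
            continue          # nothing is uploaded; the behavior is handled locally
        decisions.append((b.process, rule, server_match(build_report(b, rule))))
    return decisions


PROFILES = {"notes.app": AppProfile("notes.app", {"sync.notes.example"}, {"txt", "md"}, {"notes-helper"})}

SAMPLE_BEHAVIORS = [  # constructed
    Behavior("notes.app", "notes", "net_access", "api.sync.notes.example"),   # related host: stays local
    Behavior("notes.app", "notes", "net_access", "cdn.bundle.example"),
    Behavior("notes.app", "notes", "download", "/tmp/setup.exe"),
    Behavior("notes.app", "notes", "spawn", "updater"),                       # reported, no catalogue match
    Behavior("notes.app", "installer-stub.exe", "write", "/system/bin/helper"),
    Behavior("notes.app", "notes", "inject", "browser"),
]


def run_escalation_demo():
    return escalate(SAMPLE_BEHAVIORS, PROFILES)


if __name__ == "__main__":
    for row in run_escalation_demo():
        print(row)
```

Note that the write by `installer-stub.exe` resolves to `unwanted_software_install` rather than `system_tampering`: the process match is tested first, exactly as claim 8 orders the cases, so a policy keyed to a known risk process wins over a policy keyed to the single behavior observed.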
CN201510984719.8A 2015-12-24 2015-12-24 Safety protecting method and device Active CN105678167B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510984719.8A CN105678167B (en) 2015-12-24 2015-12-24 Safety protecting method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510984719.8A CN105678167B (en) 2015-12-24 2015-12-24 Safety protecting method and device

Publications (2)

Publication Number Publication Date
CN105678167A true CN105678167A (en) 2016-06-15
CN105678167B CN105678167B (en) 2019-03-22

Family

ID=56189619

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510984719.8A Active CN105678167B (en) 2015-12-24 2015-12-24 Safety protecting method and device

Country Status (1)

Country Link
CN (1) CN105678167B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682315A (en) * 2017-09-05 2018-02-09 杭州迪普科技股份有限公司 A kind of SQL injection attack detecting mode setting method and device
CN108234469A (en) * 2017-12-28 2018-06-29 江苏通付盾信息安全技术有限公司 Mobile terminal application safety protecting method, apparatus and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130097701A1 (en) * 2011-10-18 2013-04-18 Mcafee, Inc. User behavioral risk assessment
CN103139184A (en) * 2011-12-02 2013-06-05 中国电信股份有限公司 Intelligent network firewall device and network attack protection method
CN103646209A (en) * 2013-12-20 2014-03-19 北京奇虎科技有限公司 Cloud-security-based bundled software blocking method and device
CN104202325A (en) * 2006-03-27 2014-12-10 意大利电信股份公司 System for implementing security policies on mobile communication equipment

Also Published As

Publication number Publication date
CN105678167B (en) 2019-03-22

Similar Documents

Publication Publication Date Title
US11977630B2 (en) Detecting ransomware
US8739284B1 (en) Systems and methods for blocking and removing internet-traversing malware
JP6196393B2 (en) System and method for optimizing scanning of pre-installed applications
CN103679031B (en) A kind of immune method and apparatus of file virus
CN106716432A (en) Pre-launch Process Vulnerability Assessment
CN102882875B (en) Active defense method and device
CN103714292B (en) A kind of detection method of vulnerability exploit code
CN104036019B (en) The open method and device of web page interlinkage
CN103473501B (en) A malware tracking method based on cloud security
US9754105B1 (en) Preventing the successful exploitation of software application vulnerability for malicious purposes
CN102592086B (en) Method and device for browsing webpage in sandbox
EP3314861A1 (en) Detection of malicious thread suspension
WO2014071867A1 (en) Program processing method and system, and client and server for program processing
WO2016019893A1 (en) Application installation method and apparatus
Jeong et al. A kernel-based monitoring approach for analyzing malicious behavior on android
RU2667052C2 (en) Detection of harmful software with cross-review
AU2017204194B2 (en) Inoculator and antibody for computer security
US20170279819A1 (en) Systems and methods for obtaining information about security threats on endpoint devices
CN105550573A (en) Bundled software interception method and apparatus
US9785775B1 (en) Malware management
CN104598812B (en) Web-page approach and device are browsed in sandbox
CN105678167A (en) Safety protection method and apparatus
CN105791221B (en) Method and device for issuing rules
CN105631331B (en) Safety protecting method and device
CN111931169A (en) Trojan horse detection method and device and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220329

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.