CN113849246B - Plug-in identification method, plug-in loading method, computing device and storage medium - Google Patents
- Publication number
- CN113849246B CN202111123571.0A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
- G06F9/44526—Plug-ins; Add-ons
Abstract
The invention discloses a plug-in identification method executed in a server that is connected to a plurality of clients. The plug-in identification method comprises the following steps: obtaining the loading condition of each client for a target plug-in; calculating a credit score of the target plug-in based on the loading conditions; and identifying whether the target plug-in is a malicious plug-in or a normal plug-in according to the credit score. With this method, the target plug-in is judged to be a normal plug-in or a malicious plug-in from the loading choices made by the plurality of clients, so that the running stability of the browser can be ensured and the security of the clients is protected. The invention also discloses a corresponding plug-in loading method, computing device and storage medium.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a plug-in identification method, a plug-in loading method, a computing device, and a storage medium.
Background
With the rapid development of networks, automated attacks of large-scale malicious plugins have become a major form of network attack. This not only brings great trouble to the average user, but also brings non-negligible loss to the business and government. It follows that malicious plug-ins have become one of the main threats on the internet at present, and devices in the network may be attacked by the malicious plug-ins. Network criminals attack individuals and organizations with malicious plugins to achieve the goals of damaging operating systems, damaging computers or networks, stealing confidential data, collecting personal information, hijacking or encrypting sensitive data, and the like.
At present, whether a plug-in is malicious is usually judged by detection software. Specifically, the plug-in is matched against the plug-ins in a black-and-white list. However, for unrecognized plug-ins that are not on the black-and-white list, no determination can be made.
Disclosure of Invention
The present invention has been made in view of the above problems, and has as its object to provide a plug-in identification method, a plug-in loading method, a computing device and a storage medium which overcome or at least partially solve the above problems.
According to an aspect of the present invention, there is provided a plug-in identification method performed in a server connected to a plurality of clients, the method comprising: obtaining loading conditions of each client to a target plug-in; calculating a credit score of the target plugin based on the loading condition; and identifying whether the target plug-in is a malicious plug-in or a normal plug-in according to the credit score.
Optionally, in the plug-in identification method according to the present invention, the loading condition includes permission of loading and prohibition of loading, and the step of calculating the credit score of the target plug-in based on the loading condition includes: acquiring the historical use conditions of each client for normal plug-ins and malicious plug-ins; calculating the integral value of each client based on its historical use conditions; counting the first clients, which allowed the target plug-in to be loaded, and the second clients, which prohibited the target plug-in from being loaded; and taking the difference between the sum of the integral values of the first clients and the sum of the integral values of the second clients as the credit score of the target plug-in.
Optionally, in the plug-in identification method according to the present invention, the method of calculating the integral value of a client includes: when it is monitored that a client loads a normal plug-in, judging whether the current first integral value of the client is smaller than the initial integral value; if the first integral value is smaller than the initial integral value, detecting whether the client has been loading normal plug-ins continuously; if yes, obtaining a first number of times that the client has continuously loaded normal plug-ins, taking the product of the first number of times and the first integral increment as a second integral increment of the client, and taking the sum of the first integral value and the second integral increment as the integral value of the client; if not, taking the sum of the first integral value and the first integral increment as the integral value of the client; if the first integral value is not smaller than the initial integral value, taking the sum of the first integral value and the first integral increment as the integral value of the client; when it is monitored that a client loads a malicious plug-in, judging whether the current second integral value of the client is larger than the initial integral value; if the second integral value is larger than the initial integral value, taking the initial integral value as the integral value of the client; if the second integral value is not larger than the initial integral value, detecting whether the client has been loading malicious plug-ins continuously; if yes, obtaining a second number of times that the client has continuously loaded malicious plug-ins, taking the product of the second number of times and the first integral decrement as a second integral decrement of the client, and taking the difference between the second integral value and the second integral decrement as the integral value of the client; if not, taking the difference between the second integral value and the first integral decrement as the integral value of the client.
Optionally, in the plug-in identifying method according to the present invention, the step of determining whether the target plug-in is a malicious plug-in according to the credit score includes: when the credit score is smaller than a preset credit threshold, the target plug-in is considered as a malicious plug-in; and when the credit score is not smaller than the preset credit threshold, the target plug-in is considered as a normal plug-in.
Optionally, in the plug-in identification method according to the present invention, after the step of determining whether the target plug-in is a malicious plug-in according to the credit score, the method further includes the step of: when it is detected that a client loads a malicious plug-in, sending a warning to the client.
Optionally, in the plug-in identification method according to the present invention, the step of obtaining the loading condition of each client for the target plug-in includes: when it is detected that a client receives a loading request for the target plug-in, displaying a pop-up warning on the client, wherein at least a loading permission interface and a loading prohibition interface are displayed in the pop-up; and monitoring the client's selection between the loading permission interface and the loading prohibition interface.
Optionally, in the plug-in identification method according to the present invention, the method further includes: listing the malicious plug-ins in a pre-generated blacklist; and listing the normal plug-ins in a pre-generated whitelist.
Optionally, in the plug-in identification method according to the present invention, after the step of determining whether the target plug-in is a malicious plug-in according to the credit score, the method further includes the step of: receiving a target plug-in state update request sent by a client, and updating the state of the target plug-in for that client, wherein the target plug-in state update request comprises updating a malicious plug-in to a normal plug-in or updating a normal plug-in to a malicious plug-in.
According to still another aspect of the present invention, there is provided a plug-in loading method performed in a client that is connected to a server, the method comprising: in response to a loading request for a target plug-in, querying the server as to whether the target plug-in is a normal plug-in or a malicious plug-in; if the target plug-in is a normal plug-in, loading the target plug-in; if the target plug-in is a malicious plug-in, issuing a warning; if the target plug-in is neither a normal plug-in nor a malicious plug-in, recording the user's loading condition for the target plug-in and sending the loading condition to the server so that the server can identify the target plug-in.
Optionally, in the plug-in loading method according to the present invention, the method further includes: sending a state update request for the target plug-in to the server so that the server updates the state of the target plug-in, wherein the target plug-in state update request comprises updating a malicious plug-in to a normal plug-in or updating a normal plug-in to a malicious plug-in.
According to yet another aspect of the present invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by the at least one processor, the program instructions comprising instructions for performing the above-described method.
According to yet another aspect of the present invention, there is provided a readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the above-described method.
According to the plug-in identification method, the target plug-in is judged to be a normal plug-in or a malicious plug-in from the loading choices made by the plurality of clients, so that the running stability of the browser can be ensured and the security of the clients is protected.
The foregoing description is only an overview of the technical solution of the present invention. Specific embodiments are set forth below so that the technical means of the invention can be understood more clearly and implemented in accordance with the description, and so that the above and other objects, features and advantages of the invention are more readily apparent.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
FIG. 1 illustrates a schematic diagram of a plug-in identification system 100, according to one embodiment of the invention;
FIG. 2 illustrates a block diagram of a computing device 200 according to one embodiment of the invention;
FIG. 3 illustrates a flow chart of a plug-in identification method 300 according to one embodiment of the invention;
FIG. 4 illustrates a flow diagram of a plug-in loading method 400 according to one embodiment of the invention;
FIG. 5 illustrates a flow diagram of a plug-in loading application scenario 500 according to one embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The Netscape Plugin Application Programming Interface (NPAPI) is a general interface for executing external application programs in a browser. It consists of a set of simple C plug-in APIs: a plug-in is injected as a dynamic library, communicates through the specified API, and describes its capabilities with a character string. The browser loads plug-ins dynamically according to the capability description and is responsible for the flow and life-cycle management of plug-in calls, while the plug-in itself is responsible for the design and implementation of the user interface and related functions. However, because Chromium considered NPAPI plug-ins to have excessive privileges, security problems and other issues, NPAPI was later replaced by the PPAPI scheme. The NPAPI function has been deleted after release 44 under Linux, but many OA systems of our national government still use NPAPI. Therefore, we re-migrate this removed functionality into the latest version of the open-source Chromium project.
In the migration process, a plug-in developed by the user is identified by an embed tag when the browser loads the plug-in, for example <embed type="application/np-plugin" width=640 height=480 id="npID"></embed>, wherein the attribute type="application/np-plugin" originates from the plug-in interface NP_GetMIMEDescription, whose prototype is: const char* (*NP_GetMIMEDescriptionProcPtr)(void). The browser searches the default plug-in path for plug-in dynamic libraries and matches the current plug-in against the description returned by this interface. This causes the following problems: 1. Normal plug-ins may be loaded, but so may malicious plug-ins. 2. The NPAPI plug-in runs in a separate process outside the sandbox with very broad privileges, so system security is not guaranteed.
The technical scheme of the invention is provided to solve the above problems in the prior art. FIG. 1 shows a schematic diagram of a plug-in identification system 100 according to one embodiment of the invention. The plug-in identification system 100 includes a plurality of user terminals 110 and a computing device 200.
The user terminal 110, i.e. a terminal device used by a user, may be a personal computer such as a desktop computer or a notebook computer, or a mobile phone, a tablet computer, a multimedia device or an intelligent wearable device, but is not limited thereto. A browser or a page application (WebApp) resides in the user terminal 110 and accesses the computing device 200 over the internet; hereinafter, the browser and the page application are collectively referred to as a client, and the computing device 200 is a server. The computing device 200 is used to provide services to the user terminal 110 and may be implemented as a server, e.g., an application server, a Web server, etc.; it may also be implemented as a desktop computer, a notebook computer, a processor chip, a tablet computer, and the like, but is not limited thereto.
In one embodiment, the plug-in identification system 100 further includes a data storage 120. The data storage 120 may be a relational database such as MySQL, ACCESS, etc., or a non-relational database such as NoSQL, etc.; the data storage device 120 may be a local database residing in the computing device 200, or may be a distributed database, such as HBase, deployed at a plurality of geographic locations. In any case, the data storage device 120 is used to store data, and its specific deployment and configuration are not limited by the present invention. The computing device 200 may connect with the data storage 120 and retrieve data stored in the data storage 120. For example, the computing device 200 may directly read the data in the data storage device 120 (when the data storage device 120 is a local database of the computing device 200), or may access the internet in a wired or wireless manner and obtain the data in the data storage device 120 through a data interface.
In an embodiment of the invention, the data storage 120 is adapted to store status information of the plug-in, etc.
FIG. 2 illustrates a block diagram of a computing device 200 according to one embodiment of the invention. As shown in FIG. 2, in a basic configuration 202, computing device 200 typically includes a system memory 206 and one or more processors 204. A memory bus 208 may be used for communication between the processor 204 and the system memory 206.
Depending on the desired configuration, the processor 204 may be any type of processor including, but not limited to: a microprocessor (µP), a microcontroller (µC), a digital signal processor (DSP), or any combination thereof. Processor 204 may include one or more levels of cache, such as a first level cache 210 and a second level cache 212, a processor core 214, and registers 216. The example processor core 214 may include an Arithmetic Logic Unit (ALU), a Floating Point Unit (FPU), a digital signal processing core (DSP core), or any combination thereof. The example memory controller 218 may be used with the processor 204, or in some implementations, the memory controller 218 may be an internal part of the processor 204.
Depending on the desired configuration, system memory 206 may be any type of memory including, but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. Physical memory in a computing device is often referred to as volatile memory, RAM, and data on disk needs to be loaded into physical memory in order to be read by processor 204. The system memory 106 may include an operating system 220, one or more applications 222, and program data 224. The application 222 is in effect a plurality of program instructions for instructing the processor 204 to perform a corresponding operation. In some implementations, the application 222 can be arranged to execute instructions on an operating system by the one or more processors 204 using the program data 224. The operating system 220 may be, for example, Linux, Windows or the like, and includes program instructions for handling basic system services and performing hardware-dependent tasks. The application 222 includes program instructions for implementing various user-desired functions, and the application 222 may be, for example, a browser, instant messaging software, a software development tool (e.g., integrated development environment IDE, compiler, etc.), or the like, but is not limited thereto. When an application 222 is installed into computing device 200, a driver module may be added to operating system 220.
When the computing device 200 starts up running, the processor 204 reads the program instructions of the operating system 220 from the memory 206 and executes them. Applications 222 run on top of operating system 220, utilizing interfaces provided by operating system 220 and underlying hardware, to implement various user-desired functions. When the user launches the application 222, the application 222 is loaded into the memory 206, and the processor 204 reads and executes the program instructions of the application 222 from the memory 206.
Computing device 200 also includes a storage device 232, where storage device 232 includes removable storage 236 and non-removable storage 238, where removable storage 236 and non-removable storage 238 are each connected to storage interface bus 234.
Computing device 200 may also include an interface bus 240 that facilitates communication from various interface devices (e.g., output devices 242, peripheral interfaces 244, and communication devices 246) to basic configuration 202 via bus/interface controller 230. The example output device 242 includes a graphics processing unit 248 and an audio processing unit 250. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more A/V ports 252. The example peripheral interface 244 may include a serial interface controller 254 and a parallel interface controller 256, which may be configured to facilitate communication via one or more I/O ports 258 with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.). The example communication device 246 may include a network controller 260 that may be arranged to facilitate communication with one or more other computing devices 262 over a network communication link via one or more communication ports 264.
The network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, or program modules in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media. A "modulated data signal" may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or special purpose network, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
Computing device 200 also includes a storage interface bus 234 that is coupled to bus/interface controller 230. The storage interface bus 234 is coupled to the storage device 232, and the storage device 232 is adapted for data storage. Exemplary storage 232 may include removable storage 236 (e.g., CD, DVD, U disk, removable hard disk, etc.) and non-removable storage 238 (e.g., hard disk drive HDD, etc.).
In computing device 200 according to the present invention, application 222 includes a plurality of program instructions to perform method 300 and to perform method 400.
Fig. 3 illustrates a flow chart of a plug-in identification method 300 according to one embodiment of the invention. The method 300 is suitable for execution in a computing device (e.g., the aforementioned computing device 100) configured as a server that is connected to a plurality of clients.
As shown in fig. 3, the method 300 implements plug-in identification and starts at step S302, in which the loading condition of each client for a target plug-in is obtained. In some embodiments, the loading conditions include allowing loading and prohibiting loading. Specifically, when it is detected that a client receives a loading request for a target plug-in, a pop-up warning is displayed on the client, and at least a loading permission interface and a loading prohibition interface are displayed in the pop-up. The client's selection between the loading permission interface and the loading prohibition interface is monitored.
Note that the target plug-in referred to in this embodiment is a plug-in that is not identified in the black-and-white list of the server; an unidentified plug-in is a plug-in that has not yet been identified as either a malicious plug-in or a normal plug-in. When it is detected that a client loads an unidentified plug-in, a warning is sent to the client so that the client reminds the user. For example, the client can show the user a pop-up window informing the user that the plug-in is possibly a dangerous plug-in; if the user selects to allow loading, the plug-in runs normally, and if the user selects to prohibit loading, the process of the plug-in is terminated.
In step S304, the credit score of the target plug-in is calculated based on the loading situation.
In some embodiments, the specific implementation of step S304 is as follows:
Firstly, the historical use conditions of each client for normal plug-ins and malicious plug-ins are obtained.
It should be noted that, unlike the unidentified plug-ins described above, the normal plug-ins and the malicious plug-ins referred to herein are plug-ins that have been characterized by the server. It is easy to understand that before the browser is released, a plurality of plug-ins are arranged in the browser, a worker can carry out adaptation detection on the built-in plug-ins, the plug-ins with qualified adaptation are directly identified as normal plug-ins, and the plug-ins with unqualified adaptation are identified as malicious plug-ins. In addition, there are some previously unidentified plug-ins, which are identified as normal plug-ins or malicious plug-ins by the plug-in identification method 300 provided in the present embodiment. In other words, the normal plug-ins mentioned herein include normal plug-ins built in the browser and plug-ins that have been identified as normal by the plug-in identification method 300. Similarly, the malicious plug-ins referred to herein include both malicious plug-ins built into the browser and plug-ins that have been identified as malicious by the plug-in identification method 300.
In some embodiments, malicious plug-ins are listed in a pre-generated blacklist, and normal plug-ins are listed in a pre-generated whitelist. It should be noted that the black-and-white list is also configured in the browser residing in each client. The black-and-white list in the browser is associated with the black-and-white list residing in the server in this embodiment, and when the client uses a plug-in in the black-and-white list, the client informs the server through this association, so that the server can monitor each client's use of the plug-ins.
Then, based on the historical use conditions, the integral value of each client is calculated. In this embodiment, if a client loads a normal plug-in, it is rewarded by increasing its integral value; if a client loads a malicious plug-in, it is penalized by reducing its integral value.
In some embodiments, a method of calculating the integral value of a client includes:
When it is monitored that the client loads a normal plug-in, judging whether the current first integral value of the client is smaller than the initial integral value. If the first integral value is smaller than the initial integral value, detecting whether the client has been loading normal plug-ins continuously. If yes, obtaining a first number of times that the client has continuously loaded normal plug-ins, taking the product of the first number of times and the first integral increment as a second integral increment of the client, and taking the sum of the first integral value and the second integral increment as the integral value of the client. If not, the sum of the first integral value and the first integral increment is taken as the integral value of the client. If the first integral value is not smaller than the initial integral value, the sum of the first integral value and the first integral increment is taken as the integral value of the client.
When it is monitored that the client loads a malicious plug-in, judging whether the current second integral value of the client is larger than the initial integral value. If the second integral value is larger than the initial integral value, the initial integral value is taken as the integral value of the client. If the second integral value is not larger than the initial integral value, detecting whether the client has been loading malicious plug-ins continuously. If yes, obtaining a second number of times that the client has continuously loaded malicious plug-ins, taking the product of the second number of times and the first integral decrement as a second integral decrement of the client, and taking the difference between the second integral value and the second integral decrement as the integral value of the client. If not, the difference between the second integral value and the first integral decrement is taken as the integral value of the client.
In one specific example, the initial integral value in each client is 0.
Each time a user uses a normal plug-in in the whitelist: if the current integral value of the client is greater than or equal to 0, the integral value of the client is increased by x, where x is the first integral increment; the size of x can be set by a person skilled in the art and is not limited here. Illustratively, x may be 1, i.e. the integral value of the client is increased by 1. If the current integral value of the client is less than 0, it is judged whether the client has been loading normal plug-ins continuously, for example by detecting whether the plug-in last loaded by the client is a normal plug-in, whether the last two plug-ins loaded by the client are normal plug-ins, and so on. If the client has been loading normal plug-ins continuously, the number n of continuous loads is obtained, e.g., the client has continuously loaded 5 normal plug-ins. The product of x and n is taken as the second integral increment, and the integral value of the client is increased by (n × x). Illustratively, x is 1, and if the client has loaded 5 normal plug-ins in succession, the integral value of the client is increased by 5. If the client has not been loading normal plug-ins continuously, the integral value of the client is increased by x.
Each time a user uses a malicious plug-in in the blacklist: if the current integral value of the client is greater than 0, the integral value of the client is reset to 0 (the initial integral value). If the current integral value of the client is less than or equal to 0, it is judged whether the client has been loading malicious plug-ins continuously, for example by detecting whether the plug-in last loaded by the client is a malicious plug-in, whether the last two plug-ins loaded by the client are malicious plug-ins, and so on. If the client has been loading malicious plug-ins continuously, the number n of continuous loads is obtained, e.g., the client has continuously loaded 5 malicious plug-ins. The product of y and n is taken as the second integral decrement, where y is the first integral decrement, and the integral value of the client is decreased by (n × y); the size of y can be set by a person skilled in the art and is not limited in this application. Illustratively, y may be 1, and if a client has loaded 5 malicious plug-ins in succession, the integral value of the client is decreased by 5. If the client has not been loading malicious plug-ins continuously, the integral value of the client is decreased by y.
For ease of understanding, reference is made to the following examples:
1. The current integral value of client A is 10, the initial value is 0, the integral increment is 1, and the integral decrement is 1. When client A loads a normal plug-in once, the current integral value of client A is updated to 10+1=11.
2. The current integral value of client B is 10, the initial value is 0, the integral increment is 1, and the integral decrement is 1. When client B loads a malicious plug-in, the current integral value of client B is updated to 0.
3. The current integral value of client C is -10, the initial value is 0, the integral increment is 1, and the integral decrement is 1. When client C loads a normal plug-in once, it is determined whether client C has been continuously loading normal plug-ins. For example, if client C had loaded 2 normal plug-ins in succession before this load, this is the 3rd consecutive normal plug-in loaded, and the current integral value of client C is updated to -10+3=-7. If the plug-in that client C loaded immediately before this normal plug-in was a malicious plug-in, the client has not been continuously loading normal plug-ins, and the current integral value of client C is updated to -10+1=-9.
4. The current integral value of client D is -10, the initial value is 0, the integral increment is 1, and the integral decrement is 1. When client D loads a malicious plug-in once, it is determined whether client D has been continuously loading malicious plug-ins. For example, if client D had loaded 2 malicious plug-ins in succession before this load, the malicious plug-in loaded this time is the 3rd consecutive malicious plug-in loaded, and the current integral value of client D is updated to -10-3=-13. If the plug-in that client D loaded immediately before this malicious plug-in was a normal plug-in, the client has not been continuously loading malicious plug-ins, and the current integral value of the client is updated to -10-1=-11.
And then, selecting a first client capable of allowing the loading of the target plug-in and a second client capable of prohibiting the loading of the target plug-in from each client. Illustratively, there are a total of 5 clients A, B, C, D and E in the current network communicatively coupled to the server, with clients A, B and C,3 clients selecting to allow a target plug-in to load when loading the target plug-in. While clients D and E,2 clients have chosen to prohibit the target plug-in from loading when loading for the target plug-in. Then we consider clients A, B and C to be first clients and clients D and E to be second clients.
Finally, the difference between the sum of the integral values of the first clients and the sum of the integral values of the second clients is taken as the credit value of the target plug-in.
Continuing with the foregoing example, the current integral values of clients A, B, C, D and E are each computed using the foregoing calculation method for the client integral value, as shown in Table 1.
TABLE 1
Client | A | B | C | D | E |
---|---|---|---|---|---|
Integral value | $A_1$ | $B_1$ | $C_1$ | $D_1$ | $E_1$ |
Loading of target plug-in | Allow | Allow | Allow | Prohibit | Prohibit |
Then the integral value of the target plug-in = $(A_1 + B_1 + C_1) - (D_1 + E_1)$, which expands to $A_1 + B_1 + C_1 - D_1 - E_1$.
Taking the integral value of each client as a specific value as an example, as shown in table 2:
TABLE 2
Client | A | B | C | D | E |
---|---|---|---|---|---|
Integral value | 20 | -10 | 30 | -30 | 10 |
Loading of target plug-in | Allow | Allow | Allow | Prohibit | Prohibit |
Then the integral value of the target plug-in = (20-10+30) - (-30+10) = 20-10+30+30-10 = 60. Client C has a high integral value, which indicates that the user of this client pays relatively close attention to plug-in security, so the loading choice of this client strongly affects the integral value of the target plug-in. For example, if the client chooses to allow loading, this indicates that the user trusts the target plug-in, and the credit score of the target plug-in is increased by 30; if the client chooses to prohibit loading, this indicates that the user does not trust the target plug-in, and the credit score of the target plug-in is decreased by 30. Client D has a low integral value, which indicates that the user of this client frequently uses malicious plug-ins and likes to use them, so the loading choice of client D also strongly affects the integral value of the target plug-in. For example, if client D chooses to prohibit loading, the target plug-in is one that this user does not commonly use, i.e. the plug-in has a certain degree of security, and the credit value of the target plug-in is increased by 30; if client D chooses to allow loading, the target plug-in is one that this user prefers to use, the probability of the target plug-in being a malicious plug-in is high, and the credit value of the target plug-in is increased by 30.
In step S306, whether the target plug-in is a malicious plug-in or a normal plug-in is identified based on the credit score.
In some embodiments, the target plugin is deemed to be a malicious plugin when the credit score is less than a preset credit threshold. And when the credit score is not smaller than the preset credit threshold, the target plug-in is considered as a normal plug-in.
Illustratively, with the credit threshold set to 60, when the credit score of the target plug-in is greater than 60, the target plug-in is determined to be a normal plug-in and may be added to the whitelist. When the credit score of the target plug-in is less than or equal to 60, the target plug-in is considered to be a malicious plug-in and may be added to the blacklist.
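The client integral update, the credit value and the threshold decision described above can be exercised together in a short sketch. This is an added example, not code from the patent; the names `ClientScore`, `record_load`, `credit_score` and `classify` are assumptions, and the consecutive-load count n is taken to include the current load, as in examples 3 and 4.

```python
from dataclasses import dataclass
from typing import Optional

NORMAL, MALICIOUS = "normal", "malicious"


@dataclass
class ClientScore:
    """Integral value of one client plus its run of same-kind loads."""
    value: int = 0                   # current integral value
    initial: int = 0                 # initial integral value
    x: int = 1                       # first integral increment
    y: int = 1                       # first integral decrement
    last_kind: Optional[str] = None  # kind of the previous load
    streak: int = 0                  # consecutive loads of last_kind

    def record_load(self, kind: str) -> int:
        if kind not in (NORMAL, MALICIOUS):
            raise ValueError(f"unknown plug-in kind: {kind!r}")
        # n counts this load too: 2 earlier normal loads + this one gives n = 3.
        self.streak = self.streak + 1 if kind == self.last_kind else 1
        self.last_kind = kind
        n = self.streak
        if kind == NORMAL:
            if self.value >= self.initial:
                self.value += self.x          # ordinary reward
            else:
                self.value += n * self.x      # n == 1 (no run) reduces to +x
        else:
            if self.value > self.initial:
                self.value = self.initial     # positive balance is wiped out
            else:
                self.value -= n * self.y      # n == 1 (no run) reduces to -y
        return self.value


def credit_score(votes) -> int:
    """votes: iterable of (client integral value, allowed_loading: bool)."""
    votes = list(votes)
    first = sum(v for v, allowed in votes if allowed)       # clients that allowed
    second = sum(v for v, allowed in votes if not allowed)  # clients that prohibited
    return first - second


def classify(score: int, threshold: int) -> str:
    # Rule as worded in the embodiment and claim 2: below the threshold is
    # malicious, otherwise normal. The illustrative threshold-60 sentence
    # instead treats a score equal to the threshold as malicious.
    return MALICIOUS if score < threshold else NORMAL


# Table 2 of the description, as (integral value, allowed) pairs.
TABLE_2 = [(20, True), (-10, True), (30, True), (-30, False), (10, False)]

if __name__ == "__main__":
    print("example 3:", ClientScore(value=-10, last_kind=NORMAL, streak=2).record_load(NORMAL))
    print("table 2 credit value:", credit_score(TABLE_2))
    print("decision at threshold 60:", classify(credit_score(TABLE_2), 60))
```

Because a prohibiting client's integral value is subtracted, a negative integral value on the prohibiting side raises the credit value, which is why client D contributes +30 in Table 2.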
In some embodiments, when a client is detected loading a malicious plug-in, a warning is sent to the client. Specifically, when a user loads a malicious plug-in that is in the blacklist, a warning is sent to the client, and the client generates a pop-up window based on the warning to warn the user that the currently loaded plug-in is a malicious plug-in.
Additionally, in some embodiments, the plug-in identification method 300 further comprises:
receiving a target plug-in state update request sent by the client, and updating the state of the target plug-in for that client, wherein the target plug-in state update request comprises updating a malicious plug-in to a normal plug-in or updating a normal plug-in to a malicious plug-in.
In one particular example, the target plug-in has been characterized as a malicious plug-in, so the user is alerted by a pop-up every time the target plug-in is loaded. However, the user relies on and trusts the target plug-in, and may request the server to update the target plug-in from a malicious plug-in to a normal plug-in by sending a state update request for the target plug-in to the first server. It should be noted that the server's update of the state of the target plug-in takes effect only for that client. For example, for plug-in a, which is characterized as a malicious plug-in, if client A requests that plug-in a be updated from a malicious plug-in to a normal plug-in, then client A will load plug-in a in the same way as it loads a normal plug-in. Client B, however, has not requested an update of the state of plug-in a, so when client B loads plug-in a, it is still handled as a malicious plug-in.
In another example, a domain configuration right is provided, and users in the domain may add some trusted lists and some blocked lists.
The list is in JSON format, as follows:

```json
{
  "allow_list": [],
  "block_list": []
}
```
In other words, the user can update the state of each plug-in through the domain configuration authority.
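The per-client state update and the domain allow/block lists can be combined into one status lookup, sketched below. This is an added example, not code from the patent; the class and method names, the use of plug-in identifiers as list entries, and the precedence order (per-client update, then domain lists, then the server's blacklist and whitelist) are all assumptions, since the description does not specify them.

```python
import json

NORMAL, MALICIOUS, UNIDENTIFIED = "normal", "malicious", "unidentified"


class PluginStatusServer:
    """Server-side status lookup with per-client and per-domain views."""

    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = set(whitelist)   # plug-ins identified as normal
        self.blacklist = set(blacklist)   # plug-ins identified as malicious
        self.client_overrides = {}        # (client_id, plugin_id) -> status
        self.domain_lists = {}            # domain -> (allow set, block set)

    def load_domain_config(self, domain, raw_json):
        """Parse the allow_list/block_list document and reject malformed input."""
        cfg = json.loads(raw_json)
        if not isinstance(cfg, dict) or set(cfg) - {"allow_list", "block_list"}:
            raise ValueError("expected only allow_list and block_list keys")
        parsed = []
        for key in ("allow_list", "block_list"):
            entries = cfg.get(key, [])
            if not isinstance(entries, list) or not all(
                isinstance(e, str) and e for e in entries
            ):
                raise ValueError(f"{key} must be a list of non-empty strings")
            parsed.append(set(entries))
        allow, block = parsed
        if allow & block:
            # An entry in both lists is ambiguous: refuse it rather than guess.
            raise ValueError(f"plug-ins in both lists: {sorted(allow & block)}")
        self.domain_lists[domain] = (allow, block)

    def request_status_update(self, client_id, plugin_id, new_status):
        """State update request: takes effect for the requesting client only."""
        if new_status not in (NORMAL, MALICIOUS):
            raise ValueError(f"invalid status: {new_status!r}")
        self.client_overrides[(client_id, plugin_id)] = new_status

    def query(self, client_id, plugin_id, domain=None):
        override = self.client_overrides.get((client_id, plugin_id))
        if override is not None:
            return override
        allow, block = self.domain_lists.get(domain, (set(), set()))
        if plugin_id in block:
            return MALICIOUS
        if plugin_id in allow:
            return NORMAL
        if plugin_id in self.blacklist:
            return MALICIOUS
        if plugin_id in self.whitelist:
            return NORMAL
        return UNIDENTIFIED


def demo():
    # Constructed sample data: plug-in "a" is blacklisted on the server.
    server = PluginStatusServer(whitelist={"plugin-ok"}, blacklist={"a"})
    server.request_status_update("client-A", "a", NORMAL)
    server.load_domain_config(
        "example.test", '{"allow_list": [], "block_list": ["plugin-ok"]}'
    )
    return {
        "A sees a": server.query("client-A", "a"),
        "B sees a": server.query("client-B", "a"),
        "B sees new": server.query("client-B", "never-seen"),
        "domain user sees plugin-ok": server.query("client-B", "plugin-ok", "example.test"),
    }


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label}: {status}")
```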
FIG. 4 illustrates a flow diagram of a plug-in loading method 400 according to one embodiment of the invention. The method 400 is suitable for execution in a computing device (e.g., the aforementioned computing device 100) configured as a client that interfaces with a server.
As shown in FIG. 4, the purpose of the method 400 is to implement a loading method for a plug-in. It begins with step S402, in which, in response to a loading request for a target plug-in, the client queries the server as to whether the target plug-in is a normal plug-in or a malicious plug-in. When loading a target plug-in, the client generates a plug-in state request according to the identifier of the target plug-in and sends the plug-in state request to the server. The server looks up the target plug-in based on its identifier: if the target plug-in is recorded in the whitelist, it is a normal plug-in; if it is recorded in the blacklist, it is a malicious plug-in; and if it is in neither the whitelist nor the blacklist, it is an unidentified plug-in.
In step S404, if the target plug-in is a normal plug-in, the target plug-in is loaded. And after the target plug-in is queried to be a normal plug-in, the target plug-in is loaded normally.
In step S406, if the target plug-in is a malicious plug-in, a warning is given. Specifically, a popup warning can be performed on the user to inform the user that the currently loaded plug-in is a malicious plug-in.
In step S408, if the target plug-in is neither a normal plug-in nor a malicious plug-in, the loading condition of the target plug-in by the user is recorded, and the loading condition is sent to the server, so that the server can identify the target plug-in. Specifically, the loading case includes allowing loading and prohibiting loading. The client records the loading condition of the target plug-in by the user, and sends the record to the server, and the server identifies the target plug-in through the plug-in identification method 300 provided in the foregoing embodiment. It should be noted that, for a specific method for identifying the target plugin by the server, reference may be made to the above-mentioned plugin identification method 300, which is not described herein again.
In addition, the plug-in loading method 400 in this embodiment further includes:
sending a state update request for the target plug-in to the server so that the server updates the state of the target plug-in, wherein the target plug-in state update request comprises updating a malicious plug-in to a normal plug-in or updating a normal plug-in to a malicious plug-in.
It should be noted that the method for updating the state of the target plug-in is similar to that in the plug-in identification method 300; reference may be made to the description of the plug-in identification method 300, which is not repeated here.
In one specific example, as shown in fig. 5, fig. 5 shows a flow chart of a plug-in loading application scenario 500 according to one embodiment of the present invention.
Referring to fig. 5, the specific flow of the plug-in loading application scenario 500 is as follows:
When a plug-in loading request is received, it is judged whether the plug-in is in the blacklist or the whitelist.
If the plugin is in the white list, updating the integral value of the client, and operating the plugin normally.
If the plugin is in the blacklist, updating the integral value of the client, and ending the process of the plugin.
It should be noted that, the specific method for updating the integral value of the client may refer to the foregoing calculation method of the integral value of the client, which is not described herein again.
If the plug-in is not in the black-and-white list, the plug-in is not identified, and at the moment, a popup warning is given to the user, and at least interfaces allowing loading and prohibiting loading are displayed on the popup.
When the user selects to allow loading, the integral value of the client is sent to the server, so that the server performs addition calculation on the integral value of the client and the integral values of other clients to calculate the credit value of the plugin, and the plugin is normally operated.
When the user selects to prohibit loading, the integral value of the client is sent to the server, so that the server performs subtraction on the integral value of the client and the integral values of other clients to calculate the credit value of the plugin, and the process of the plugin is ended.
The method of claim A4, wherein after the step of determining whether the target plug-in is a malicious plug-in according to the credit score, further comprises the steps of:
when it is detected that a client loads a malicious plug-in, a warning is sent to the client.
A6. the method of claim A2, wherein the step of obtaining the loading condition of each client to the target plugin includes:
when detecting that a client receives a loading request of the target plug-in, carrying out popup warning on the client, wherein at least an allowed loading interface and a forbidden loading interface are displayed in the popup;
and monitoring the selection condition of the client side on the loading permission interface and the loading prohibition interface.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions of the methods and apparatus of the present invention, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, U-drives, floppy diskettes, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the method of the invention in accordance with instructions in said program code stored in the memory.
By way of example, and not limitation, readable media comprise readable storage media and communication media. The readable storage medium stores information such as computer readable instructions, data structures, program modules, or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with examples of the invention. The required structure for a construction of such a system is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It should be appreciated that the teachings of the present invention as described herein may be implemented in a variety of programming languages and that the foregoing description of specific languages is provided for disclosure of preferred embodiments of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into a plurality of sub-modules.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Furthermore, some of the embodiments are described herein as methods or combinations of method elements that may be implemented by a processor of a computer system or by other means of performing the functions. Thus, a processor with the necessary instructions for implementing the described method or method element forms a means for implementing the method or method element. Furthermore, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is for carrying out the functions performed by the elements for carrying out the objects of the invention.
As used herein, unless otherwise specified the use of the ordinal terms "first," "second," "third," etc., to describe a general object merely denote different instances of like objects, and are not intended to imply that the objects so described must have a given order, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of the above description, will appreciate that other embodiments are contemplated within the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is defined by the appended claims.
Claims (10)
1. A plug-in identification method performed in a server, the server being connected to a plurality of clients, the method comprising:
acquiring loading conditions of the target plug-ins by the clients;
calculating the credit score of the target plug-in based on the loading condition, including:
acquiring historical use conditions of the clients aiming at normal plug-ins and malicious plug-ins;
calculating integral values of the clients based on the historical use conditions respectively;
counting the first client sides allowing the loading of the target plug-in and the second client sides prohibiting the loading of the target plug-in;
taking the difference value of the sum of the points of the first clients and the sum of the points of the second clients as the credit value of the target plugin, wherein the calculation method of the integral value of the clients comprises the following steps: when a normal plug-in is loaded on a client, judging whether a current first integral value of the client is smaller than an initial integral value, if the first integral value is smaller than the initial integral value, detecting whether the client is a normal plug-in continuously loaded on the client, if so, acquiring a first number of times the normal plug-in is continuously loaded on the client, and taking the product of the first number of times and a first integral increment as a second integral increment of the client, taking the sum of the first integral value and the second integral increment as the integral value of the client, if not, taking the sum of the first integral value and the first integral increment as the integral value of the client, if the first integral value is not smaller than the initial integral value, taking the sum of the first integral value and the first integral increment as the integral value of the client, when the plug-in is loaded on the client is monitored, judging whether a current second integral value of the client is larger than the initial integral value, taking the second integral value as the second integral value of the client, if the second integral value is larger than the initial integral value, taking the difference value as the second integral value of the client, and if the second integral value is not larger than the initial integral value, and taking the second integral value as the plug-in continuously loaded on the client, and if the second integral value is not larger than the first integral value of the client;
And identifying whether the target plug-in is a malicious plug-in or a normal plug-in according to the credit score.
2. The method of claim 1, wherein the step of identifying whether the target plug-in is a malicious plug-in or a normal plug-in based on the credit score comprises:
when the credit score is smaller than a preset credit threshold, the target plug-in is considered to be a malicious plug-in;
and when the credit score is not smaller than a preset credit threshold, the target plug-in is considered to be a normal plug-in.
3. The method of claim 2, wherein after the step of determining whether the target plug-in is a malicious plug-in according to the credit score, further comprising the step of:
when it is detected that a client loads a malicious plug-in, a warning is sent to the client.
4. The method of claim 1, wherein the step of obtaining the loading condition of each client on the target plugin includes:
when detecting that a client receives a loading request of the target plug-in, carrying out popup warning on the client, wherein at least an allowed loading interface and a forbidden loading interface are displayed in the popup;
and monitoring the selection condition of the client side on the loading permission interface and the loading prohibition interface.
5. The method of claim 2, wherein the method further comprises:
listing the malicious plug-ins in a pre-generated blacklist;
and listing the normal plug-ins in a pre-generated whitelist.
6. The method of claim 1, wherein after the step of determining whether the target plug-in is a malicious plug-in according to the credit score, further comprising the step of:
and receiving a target plug-in state update request sent by the client, and updating the state of a target plug-in aiming at the client, wherein the target plug-in state update request comprises updating a malicious plug-in into a normal plug-in or updating the normal plug-in into the malicious plug-in.
7. A plug-in loading method, performed in a client, the client being connected to a server, the method comprising:
responding to a loading request of a target plug-in, and inquiring whether the target plug-in is a normal plug-in or a malicious plug-in from the server;
if the target plug-in is a normal plug-in, loading the target plug-in;
if the target plug-in is a malicious plug-in, warning is carried out;
if the target plug-in is neither a normal plug-in nor a malicious plug-in, recording the loading condition of the target plug-in by a user, and sending the loading condition to the server, so that the server can identify the target plug-in by the plug-in identification method according to any one of claims 1 to 6.
8. The method of claim 7, further comprising:
and sending a state update request of the target plug-in to the server so that the server updates the state of the target plug-in, wherein the state update request of the target plug-in comprises updating a malicious plug-in into a normal plug-in or updating the normal plug-in into the malicious plug-in.
9. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-8.
10. A readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111123571.0A CN113849246B (en) | 2021-09-24 | 2021-09-24 | Plug-in identification method, plug-in loading method, computing device and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113849246A CN113849246A (en) | 2021-12-28 |
CN113849246B true CN113849246B (en) | 2024-01-23 |
Family
ID=78979388
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111123571.0A Active CN113849246B (en) | 2021-09-24 | 2021-09-24 | Plug-in identification method, plug-in loading method, computing device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113849246B (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101833575A (en) * | 2010-04-27 | 2010-09-15 | 南京邮电大学 | A sorting method for network virus reports |
US8336100B1 (en) * | 2009-08-21 | 2012-12-18 | Symantec Corporation | Systems and methods for using reputation data to detect packed malware |
JP2013532869A (en) * | 2010-07-28 | 2013-08-19 | マカフィー, インコーポレイテッド | System and method for local protection against malicious software |
CN103679023A (en) * | 2013-10-10 | 2014-03-26 | 南京邮电大学 | Mass virus reporting and analyzing method under united calculation architecture |
US8719924B1 (en) * | 2005-03-04 | 2014-05-06 | AVG Technologies N.V. | Method and apparatus for detecting harmful software |
CN103824017A (en) * | 2012-11-19 | 2014-05-28 | 腾讯科技(深圳)有限公司 | Method and platform for monitoring rogue programs |
CN103902888A (en) * | 2012-12-24 | 2014-07-02 | 腾讯科技(深圳)有限公司 | Website trust automatic rating method, server-side and system |
CN105631328A (en) * | 2015-12-18 | 2016-06-01 | 北京奇虎科技有限公司 | Detection method and device of unknown risks of browser plugin |
CN107483500A (en) * | 2017-09-25 | 2017-12-15 | 咪咕文化科技有限公司 | Risk identification method and device based on user behaviors and storage medium |
CN107766731A (en) * | 2017-09-22 | 2018-03-06 | 郑州云海信息技术有限公司 | A kind of anti-virus attack realization method and system based on application program management and control |
CN109815702A (en) * | 2018-12-29 | 2019-05-28 | 360企业安全技术(珠海)有限公司 | Safety detection method, device and the equipment of software action |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9081960B2 (en) * | 2012-04-27 | 2015-07-14 | Ut-Battelle, Llc | Architecture for removable media USB-ARM |
US11503070B2 (en) * | 2016-11-02 | 2022-11-15 | Microsoft Technology Licensing, Llc | Techniques for classifying a web page based upon functions used to render the web page |
Also Published As
Publication number | Publication date |
---|---|
CN113849246A (en) | 2021-12-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |