
CN105678167B - Safety protecting method and device - Google Patents

Publication number
CN105678167B
Authority
CN
China
Prior art keywords
behavior
security strategy
interim security
default risk
trigger condition
Legal status
Active
Application number
CN201510984719.8A
Other languages
Chinese (zh)
Other versions
CN105678167A (en)
Inventor
王亮
何博
孙诚
Current Assignee
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201510984719.8A
Publication of CN105678167A
Application granted
Publication of CN105678167B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention provides a security protection method and device. The method includes: when the behavior of a process matches a preset local trigger policy, uploading description information of that behavior to a server, so that the server, on determining that the behavior of the process matches any preset risk behavior, issues the interim security strategy corresponding to that preset risk behavior; the interim security strategy includes the revocation conditions of the interim security strategy, and the processing operations for handling the preset risk behavior together with their trigger conditions; receiving the interim security strategy from the server; and loading the interim security strategy, so that the corresponding processing operation is executed when any trigger condition is met and the interim security strategy is revoked when any revocation condition is met. The invention resolves the conflict in existing security strategies between user resource usage and effectiveness in use, and greatly improves the operating efficiency and user experience of security protection software.

Description

Safety protecting method and device
Technical field
The present invention relates to the field of computer technology, and in particular to a security protection method and device.
Background
"Malicious program" is a general term for any program deliberately created to perform unauthorized and usually harmful actions, such as computer viruses, backdoor programs, keyloggers, password stealers, macro viruses, boot sector viruses, script viruses, Trojans, crimeware, spyware and adware.
To cope with the enormous and growing number of malicious programs, existing security protection software monitors the behavior of application programs and handles each behavior according to a security strategy, which strengthens its protection against malicious programs. The security strategy, as the core of the protection capability, is usually updated, maintained and distributed network-wide by the server. A security strategy unified across the whole network does have clear advantages in timeliness and maintenance cost, but it is seriously flawed in how it balances user resource usage against effectiveness in use.
For example, certain advertising promotion programs can only be intercepted effectively with fairly strict monitoring, but if that monitoring is applied in the network-wide security strategy, every user terminal has to run it continuously, which greatly increases resource usage on the terminals. Moreover, such advertising promotion programs may not be widespread, so the monitoring may be pointless on most user terminals. In this situation, existing security protection software may, for the sake of user experience, use more relaxed monitoring, but it then loses its ability to intercept this class of advertising promotion program effectively.
Summary of the invention
In view of the defects in the prior art, the present invention provides a security protection method and device that resolve the conflict in existing security strategies between user resource usage and effectiveness in use.
In a first aspect, the present invention provides a security protection device, comprising:
An uploading unit, configured to upload description information of the behavior of a process to a server when that behavior matches a preset local trigger policy, so that the server, on determining that the behavior of the process matches any preset risk behavior, issues the interim security strategy corresponding to that preset risk behavior; the interim security strategy includes: the revocation conditions of the interim security strategy, and the processing operations for handling the preset risk behavior together with their trigger conditions;
A receiving unit, configured to receive the interim security strategy from the server;
A loading unit, configured to load the interim security strategy obtained by the receiving unit, so that the corresponding processing operation is executed when any trigger condition is met and the interim security strategy is revoked when any revocation condition is met.
Optionally, the loading unit is further configured to load the interim security strategy into memory, so that the interim security strategy is revoked automatically once the memory loses power.
Optionally, the behavior of a process that matches the local trigger policy includes any one or more of the following:
Accessing a network address unrelated to the function of the application the process belongs to;
Downloading a file unrelated to the function of the application the process belongs to;
Creating a process unrelated to the function of the application the process belongs to;
Injecting code into another process unrelated to the application the process belongs to;
Writing a file under a protected file directory;
Behavior of a process related to an application on the blacklist.
Optionally, the cases in which the behavior of the process matches any preset risk behavior include any one or more of the following:
The process matches any preset risk process;
The behavior of the process matches any preset risk behavior;
The behavior of the process matches a precursor behavior of any preset risk behavior.
Optionally, the revocation conditions of the interim security strategy include any one or more of the following:
The time for which the interim security strategy has been in effect exceeds a predetermined threshold;
The user has permitted the preset risk behavior in a prompt message;
A processing operation in the interim security strategy that carries an end mark has been completed;
A revocation command message has been received from the server.
Optionally, the processing operations for handling the preset risk behavior and their trigger conditions include any one or more of the following:
With no trigger condition, an operation that limits the process's operating privileges and/or system resource usage;
With detection of the preset risk behavior as the trigger condition, an operation that intercepts the behavior of the process;
With detection of a preset high-risk behavior as the trigger condition, an operation that terminates the process or the application the process belongs to;
With detection of a stub file as the trigger condition, an operation that cleans up the stub file.
In a second aspect, the present invention also provides a security protection device, comprising:
A receiving unit, configured to receive description information of the behavior of a process from a terminal; the description information of the behavior of the process matches the terminal's preset local trigger policy;
A judging unit, configured to judge, from the description information obtained by the receiving unit, whether the behavior of the process matches any preset risk behavior;
An issuing unit, configured to issue to the terminal, when the judging unit determines that the behavior of the process matches any preset risk behavior, the interim security strategy corresponding to that preset risk behavior, so that the terminal receives and loads the interim security strategy;
The interim security strategy includes: the revocation conditions of the interim security strategy, and the processing operations for handling the preset risk behavior together with their trigger conditions, so that the terminal that loads the interim security strategy executes the corresponding processing operation when any trigger condition is met and revokes the interim security strategy when any revocation condition is met.
Optionally, the cases in which the behavior of the process matches any preset risk behavior include any one or more of the following:
The process matches any preset risk process;
The behavior of the process matches any preset risk behavior;
The behavior of the process matches a precursor behavior of any preset risk behavior.
In a third aspect, the present invention also provides a security protection method, comprising:
When the behavior of a process matches a preset local trigger policy, uploading description information of that behavior to a server, so that the server, on determining that the behavior of the process matches any preset risk behavior, issues the interim security strategy corresponding to that preset risk behavior; the interim security strategy includes: the revocation conditions of the interim security strategy, and the processing operations for handling the preset risk behavior together with their trigger conditions;
Receiving the interim security strategy from the server;
Loading the interim security strategy, so that the corresponding processing operation is executed when any trigger condition is met and the interim security strategy is revoked when any revocation condition is met.
In a fourth aspect, the present invention also provides a security protection method, comprising:
Receiving description information of the behavior of a process from a terminal; the description information of the behavior of the process matches the terminal's preset local trigger policy;
Judging, from the description information, whether the behavior of the process matches any preset risk behavior;
When the behavior of the process matches any preset risk behavior, issuing to the terminal the interim security strategy corresponding to that preset risk behavior, so that the terminal receives and loads the interim security strategy;
The interim security strategy includes: the revocation conditions of the interim security strategy, and the processing operations for handling the preset risk behavior together with their trigger conditions, so that the terminal that loads the interim security strategy executes the corresponding processing operation when any trigger condition is met and revokes the interim security strategy when any revocation condition is met.
As the above technical solution shows, the present invention can use the local trigger policy to identify risky operations that a process is about to perform, and can use the interim security strategy to handle those risky operations accordingly. A targeted interim security strategy can use strict monitoring to deal with malicious programs effectively, and because it includes revocation conditions it does not occupy the user terminal's resources for long. The present invention can therefore resolve the conflict in existing security strategies between user resource usage and effectiveness in use.
Compared with the prior art, the present invention can improve the effectiveness of the security strategy for the same user resource usage, and can reduce user resource usage while maintaining effectiveness. Moreover, the present invention can handle the risky operations of malicious programs in a targeted way: it not only reduces user resource usage and improves effectiveness, but can also intercept risky operations while allowing other operations through. In addition, having the server store, maintain and distribute interim security strategies makes effective use of its powerful information storage, collection and computing capabilities. The present invention can thus provide users with safer and more efficient security protection and greatly improve the operating efficiency and user experience of security protection software.
Of course, a product or method implementing the present invention does not necessarily need to achieve all of the above advantages at the same time.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the steps of a security protection method in one embodiment of the present invention;
Fig. 2 is a flow diagram of the steps of a security protection method in another embodiment of the present invention;
Fig. 3 is a schematic diagram of the interaction between a terminal and a server in one embodiment of the present invention;
Fig. 4 is a structural block diagram of a security protection device in one embodiment of the present invention;
Fig. 5 is a structural block diagram of a security protection device in another embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow diagram of the steps of a security protection method in one embodiment of the present invention. Referring to Fig. 1, the security protection method includes:
Step 101: when the behavior of a process matches a preset local trigger policy, upload description information of that behavior to the server, so that the server, on determining that the behavior of the process matches any preset risk behavior, issues the interim security strategy corresponding to that preset risk behavior; the interim security strategy includes: the revocation conditions of the interim security strategy, and the processing operations for handling the preset risk behavior together with their trigger conditions;
Step 102: receive the interim security strategy from the server;
Step 103: load the interim security strategy, so that the corresponding processing operation is executed when any trigger condition is met and the interim security strategy is revoked when any revocation condition is met.
The security protection method of the present invention can be applied on any terminal device, for example a personal computer (such as a desktop computer, laptop, tablet computer or all-in-one machine), smartphone, e-book reader, smart television, digital photo frame or smart navigation device. Step 101 can be performed on its own, independently of steps 102 and 103, with no necessary ordering relative to them; steps 102 and 103, however, need to be performed after step 101, and step 103 needs to be performed after step 102.
Corresponding to the terminal-side security protection method shown in Fig. 1, Fig. 2 is a flow diagram of the steps of a security protection method applied on the server in another embodiment of the present invention. Referring to Fig. 2, the method includes:
Step 201: receive description information of the behavior of a process from a terminal; the description information of the behavior of the process matches the terminal's preset local trigger policy;
Step 202: judge, from the description information, whether the behavior of the process matches any preset risk behavior;
Step 203: when the behavior of the process matches any preset risk behavior, issue to the terminal the interim security strategy corresponding to that preset risk behavior, so that the terminal receives and loads the interim security strategy;
The interim security strategy includes: the revocation conditions of the interim security strategy, and the processing operations for handling the preset risk behavior together with their trigger conditions, so that the terminal that loads the interim security strategy executes the corresponding processing operation when any trigger condition is met and revokes the interim security strategy when any revocation condition is met.
The security protection method of the present invention can be applied on any server device, such as a single server, a server farm, a server cluster or a cloud server; the present invention does not limit this.
It should be noted that the process above can be any process running in an operating system that performs a function for one or more applications. The behavior of the process is the operation, or set of operations, that the process actually carries out, such as transferring a file, writing a file to disk, or injecting code into another process. The local trigger policy is configured in advance and mainly describes which processes and/or behaviors deserve attention from a security protection standpoint; it may be issued by an external device, may come from the user's settings based on a default version, or may be a combination of the two, and the present invention does not limit this. The description information may be part of the local trigger policy or may be set separately, and mainly describes which parameters to focus on for the process and/or behavior of interest.
The server and the device on which the security protection method runs are connected over a network, so that the device can upload the description information to the server once it has obtained it. The server is mainly used to analyze whether the behavior of the process matches any preset risk behavior and to issue the corresponding interim security strategy to the device. A preset risk behavior is an operation for which the server already holds a record of the corresponding description information and which has been determined to carry risk (the determination may come from manual definition, automatic analysis of collected data, or a combination of both), such as bundling certain software, pushing certain advertisements, or stealing the user name and password of certain software; these are what security protection software needs to handle. An interim security strategy corresponds to one preset risk behavior or one class of preset risk behaviors, and is mainly used to handle that behavior in a targeted way while the strategy is in effect. The interim security strategy can thus be created, maintained and issued on the server (manually, automatically on the basis of data analysis, or both), and besides being targeted it also carries revocation conditions. Specifically, when the device loads the interim security strategy, the strategy takes effect, so that the corresponding processing operation is executed when any trigger condition is met, for example interception when the download of a malicious program is detected; when the device revokes the interim security strategy, the strategy becomes invalid and no longer occupies any system resources.
As the above technical solution shows, either of the security protection methods above can use the local trigger policy to identify risky operations that a process is about to perform, and can use the interim security strategy to handle those risky operations accordingly. A targeted interim security strategy can use strict monitoring to deal with malicious programs effectively, and because it includes revocation conditions it does not occupy the user terminal's resources for long. The embodiments of the present invention can therefore resolve the conflict in existing security strategies between user resource usage and effectiveness in use.
Compared with the prior art, the embodiments of the present invention can improve the effectiveness of the security strategy for the same user resource usage, and can reduce user resource usage while maintaining effectiveness. Moreover, the embodiments can handle the risky operations of malicious programs in a targeted way: they not only reduce user resource usage and improve effectiveness, but can also intercept risky operations while allowing other operations through. In addition, having the server store, maintain and distribute interim security strategies makes effective use of its powerful information storage, collection and computing capabilities. The embodiments of the present invention can thus provide users with safer and more efficient security protection and greatly improve the operating efficiency and user experience of security protection software.
As a more specific example, Fig. 3 is a schematic diagram of the interaction between a terminal and a server in one embodiment of the present invention. Referring to Fig. 3, when the behavior of a process matches the preset local trigger policy, the terminal first uploads the description information of that behavior to the server (step 101 above), so that the server receives the description information of the behavior of the process from the terminal (step 201 above) and judges from it whether the behavior of the process matches any preset risk behavior (step 202 above). Because the description information is uploaded mainly to judge whether a preset risk behavior has occurred or is about to occur, the terminal may, when uploading it, let the behavior through without handling it, or may handle it to avoid loss; this depends mainly on how the local security strategy judges that behavior of the process, and the present invention does not limit it. When the server determines that the behavior of the process does not match any preset risk behavior, no security risk has been detected in that behavior, so the server may return a corresponding message to the terminal so that the behavior is allowed, or the server and the terminal may do no further processing in order to reduce system resource usage.
If, however, the behavior of the process matches any preset risk behavior, the server issues to the terminal the interim security strategy corresponding to that preset risk behavior (step 203 above), so that the terminal receives the interim security strategy (step 102 above) and loads it, executing the corresponding processing operation when any trigger condition is met and revoking the interim security strategy when any revocation condition is met (step 103 above). For example, the server judges from the received description information that a file download by a browser process matches the preset risk behavior of bundling music player software, and so issues to the terminal the interim security strategy corresponding to bundled music player software. That interim security strategy contains a processing operation that intercepts the write, triggered by any process writing any file associated with the music player software to disk, and a revocation condition that the cleanup of all files associated with the music player software is complete. The interaction shown in Fig. 3 corresponds to the issuing, taking effect and expiry of a single interim security strategy; in real application scenarios several such interactions may run in parallel or interleaved.
Further, several representative examples of the revocation mechanisms expressed by the revocation conditions are given below:
First, the interim security strategy is loaded directly into memory, so that it is revoked automatically once the memory loses power. That is, step 103 above (load the interim security strategy, so that the corresponding processing operation is executed when any trigger condition is met and the interim security strategy is revoked when any revocation condition is met) includes a step 103a not shown in the drawings: load the interim security strategy into memory, so that the interim security strategy is revoked automatically once the memory loses power. In this case, the information instructing the terminal to load the interim security strategy into memory is itself included in the interim security strategy as a kind of revocation condition. The interim security strategy may then set no other revocation conditions, or may set other revocation conditions for other situations in which it should be revoked; the present invention does not limit this.
Second, the revocation conditions include the time for which the interim security strategy has been in effect exceeding a predetermined threshold. The predetermined threshold may be determined by the server from the temporal relationship between the behavior that matched the local trigger policy and the preset risk behavior, combined with the terminal's system resource usage. For example, the behavior of downloading a bundled-software installation package and the behavior of popping up a prompt asking the user whether to install are usually not far apart in time, and monitoring pop-ups uses only a small amount of system resources, so on balance the predetermined threshold can be set to 15~40 minutes. When the description information includes information on free system resources, the server can combine the terminal's system resource usage with the above temporal relationship to determine the specific threshold.
Third, the revocation conditions include the user having permitted the preset risk behavior in a prompt message. For example, when intercepting a preset risk behavior, the interim security strategy can prompt the user to choose whether to intercept it. If the user chooses to permit the preset risk behavior, for example by allowing the bundled software to be installed while it is being intercepted, the interim security strategy is revoked under this revocation condition, to avoid occupying further system resources.
Fourth, the revocation conditions include a processing operation in the interim security strategy that carries an end mark having been completed. Specifically, some of the processing operations in the interim security strategy serve as terminating items, so an end mark can be added to those processing operations in advance; once the interim security strategy has executed any one of them, it can be invalidated under this revocation condition, to avoid occupying further system resources.
Fifth, the revocation conditions include receiving a revocation command message from the server. Specifically, the revocation condition of the interim security strategy need not be judged in a local process and may instead be evaluated by the server. For example, the server determines that a certain process behavior may lead to the preset risk behavior of installing a Trojan program, and issues the corresponding interim security strategy for that preset risk behavior; later, judging from subsequent process behavior, the server determines that there is no risk of a Trojan program being installed, and so issues a revocation command message to the terminal, which invalidates the interim security strategy issued earlier. Compared with the prior art, the security protection method can thus guard against preset risk behaviors better and achieve a better security protection effect.
It should be noted that the ways of setting revocation conditions above can be used singly or combined in any way to suit different application scenarios; the present invention does not limit this.
As a specific example of how the above local trigger policy may be set, the behavior of a process that matches the local trigger policy may include any one or more of the following:
Accessing a network address unrelated to the function of the application program to which the process belongs;
Downloading a file unrelated to the function of the application program to which the process belongs;
Creating a process unrelated to the function of the application program to which the process belongs;
Injecting code into other processes unrelated to the application program to which the process belongs;
Writing a file under a protected file directory;
Behavior of a process related to an application program on the blacklist.
It should be noted that the application program to which a process belongs is the application program that the process serves. Whether something is functionally related, whether a process is related to an application program, which directories are protected, and which application programs are on the blacklist can each come from user settings, from the server side, or from the default settings of the security protection software; the invention is not limited in this respect.
As can be seen, the above process behaviors carry, to varying degrees, the risk of installing or running malicious programs such as bundled software, trojan programs and spyware, or of facilitating the installation, running and self-protection of malicious programs. These behaviors can therefore be set in the local trigger policy according to the specific application scenario.
As a specific example of how the above interim security strategy may be set, the processing operations for coping with the default risk behavior and their trigger conditions include any one or more of the following:
With no trigger condition: an operation that limits the operating permissions and/or system resource usage of the process (for example, restricting network access to prevent the process from downloading, or continuing to download, the installation package of a malicious program);
With detection of the default risk behavior as the trigger condition: an operation that intercepts the behavior of the process (for example, intercepting when the process pops up a promotional advertisement);
With detection of a default very dangerous behavior as the trigger condition: an operation that terminates the process or the application program to which the process belongs (for example, terminating the corresponding installation process when installation of a trojan program is detected);
With detection of a stub file as the trigger condition: an operation that cleans up the stub file (for example, cleaning up accordingly when a stub file of a trojan program is detected).
It can be understood that, for a known default risk behavior that needs to be coped with, the above processing operations and their trigger conditions can be highly targeted in both detection and handling, and the corresponding default risk behavior can be coped with in ways that include, but are not limited to, those listed above.
It should further be noted that the situation in which the behavior of the process matches any default risk behavior may include any one or more of the following: the process matches any default risk process; the behavior of the process matches any default risk behavior; the behavior of the process matches an omen behavior of any default risk behavior. That is, when the server side judges whether the behavior of the process matches any default risk behavior, it need not be limited to the case where the behavior itself matches a default risk behavior; the match may also be that the process matches a default risk process, or that the behavior of the process matches an omen behavior of a default risk behavior. Accordingly, among these situations (the behavior of the process is itself risky, the process is risky, or the behavior of the process is an omen of risky behavior), the server side can select according to the specific application scenario, so as to achieve a better security protection effect.
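The lifecycle described above (processing operations bound to trigger conditions, plus the revocation conditions) can be modelled on the terminal side as follows. This is an added Python example, not code from the patent; the event names, class names, the 600-second lifetime and the sample strategy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed event names; the patent text defines no message format.
RISK = "default_risk_behavior"
HIGH_RISK = "very_dangerous_behavior"
STUB_FILE = "stub_file"
USER_PERMIT = "user_permitted"
SERVER_CANCEL = "server_cancel_command"


@dataclass(frozen=True)
class Operation:
    action: str
    trigger: Optional[str] = None   # None: no trigger condition, runs at load time
    end_label: bool = False         # termination label: completing it revokes the strategy


@dataclass
class InterimStrategy:
    risk_id: str
    operations: List[Operation]
    max_lifetime: float                     # seconds the strategy may stay in effect
    loaded_at: Optional[float] = None
    revoked_by: Optional[str] = None
    executed: List[str] = field(default_factory=list)

    def load(self, now: float) -> None:
        """Load the strategy and run every operation that has no trigger condition."""
        self.loaded_at = now
        for op in self.operations:
            if op.trigger is None and self.revoked_by is None:
                self._run(op)

    def _run(self, op: Operation) -> None:
        self.executed.append(op.action)
        if op.end_label:
            self.revoked_by = "end_label_completed"

    def handle(self, event: str, now: float) -> List[str]:
        """Feed one observed event; return the actions executed for it."""
        if self.loaded_at is None or self.revoked_by is not None:
            return []
        # Revocation conditions are evaluated before any trigger condition.
        # The lifetime is checked lazily here; a real agent would also use a timer.
        if now - self.loaded_at > self.max_lifetime:
            self.revoked_by = "lifetime_exceeded"
        elif event == USER_PERMIT:
            self.revoked_by = "user_permitted"
        elif event == SERVER_CANCEL:
            self.revoked_by = "server_cancel"
        if self.revoked_by is not None:
            return []
        done = []
        for op in self.operations:
            if op.trigger == event:
                self._run(op)
                done.append(op.action)
                if self.revoked_by is not None:
                    break   # a labelled operation completed: the strategy is now revoked
        return done


def trojan_install_strategy() -> InterimStrategy:
    """Constructed sample strategy for a suspected trojan installation."""
    return InterimStrategy(
        risk_id="SAMPLE-trojan-install",
        max_lifetime=600.0,
        operations=[
            Operation("restrict_network"),
            Operation("intercept_behavior", trigger=RISK),
            Operation("clean_stub_file", trigger=STUB_FILE),
            Operation("terminate_process", trigger=HIGH_RISK, end_label=True),
        ],
    )


def replay(events, strategy=None):
    """Replay (time, event) pairs; return (actions per event, revocation reason)."""
    s = trojan_install_strategy() if strategy is None else strategy
    s.load(now=0.0)
    return [s.handle(ev, t) for t, ev in events], s.revoked_by


if __name__ == "__main__":
    print(replay([(1, RISK), (2, STUB_FILE), (3, HIGH_RISK), (4, RISK)]))
```

Because a completed labelled operation revokes the whole strategy, any cleanup that must still happen afterwards (here, stub file removal) has to be ordered before it or carried by a separate strategy.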
Based on the same inventive concept, Fig. 4 is a structural block diagram of a safety device in one embodiment of the invention. Referring to Fig. 4, the device includes:
An uploading unit 41, configured to, when the behavior of a process matches a preset local trigger policy, upload description information of the behavior of the process to the server side, so that the server side, upon determining that the behavior of the process matches any default risk behavior, issues an interim security strategy corresponding to that default risk behavior; the interim security strategy includes: revocation conditions of the interim security strategy, and processing operations for coping with the default risk behavior together with their trigger conditions;
A receiving unit 42, configured to receive the interim security strategy from the server side;
A loading unit 43, configured to load the interim security strategy obtained by the receiving unit 42, so as to execute the corresponding processing operation when any trigger condition is met, and to revoke the interim security strategy when any revocation condition is met.
It can be understood that the functions realized by this safety device correspond one-to-one to the step flow of the safety protecting method shown in Fig. 1, so the device can have corresponding structure and functions. For example, corresponding to step 103a above, the loading unit 43 can be further configured to load the interim security strategy into memory, so that the interim security strategy is revoked automatically after the memory loses power; details are not repeated here.
Based on the same inventive concept, Fig. 5 is a structural block diagram of a safety device in one embodiment of the invention. Referring to Fig. 5, the device includes:
A receiving unit 51, configured to receive description information of the behavior of a process from a terminal; the description information of the behavior of the process matches the preset local trigger policy of the terminal;
A judging unit 52, configured to judge, according to the description information obtained by the receiving unit 51, whether the behavior of the process matches any default risk behavior;
An issuing unit 53, configured to, when the judging unit 52 determines that the behavior of the process matches any default risk behavior, issue to the terminal the interim security strategy corresponding to that default risk behavior, so that the terminal receives and loads the interim security strategy;
Wherein the interim security strategy includes: revocation conditions of the interim security strategy, and processing operations for coping with the default risk behavior together with their trigger conditions, so that the terminal that loads the interim security strategy executes the corresponding processing operation when any trigger condition is met, and revokes the interim security strategy when any revocation condition is met.
It can be understood that the functions realized by this safety device correspond one-to-one to the step flow of the safety protecting method shown in Fig. 2, so the device can have corresponding structure and functions; details are not repeated here.
Numerous specific details are set forth in the specification of the invention. It is to be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail, so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment can be combined into one module, unit or component, and can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims and drawings), and all processes or units of any method or device so disclosed, can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims and drawings) can be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that, although some embodiments described herein include certain features included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The various component embodiments of the invention can be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to realize some or all of the functions of some or all of the components of the safety device according to embodiments of the invention. The invention can also be implemented as an apparatus or device program (for example, a computer program and a computer program product) for executing part or all of the method described herein. Such a program realizing the invention can be stored on a computer-readable medium, or can be in the form of one or more signals. Such a signal can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words can be interpreted as names.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they can still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements for some or all of the technical features; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the invention, and should all be covered within the scope of the claims and the description of the invention.

Claims (20)

1. A safety device, characterized by comprising:
An uploading unit, configured to, when the behavior of a process matches a preset local trigger policy, upload description information of the behavior of the process to a server side, so that the server side, upon determining that the behavior of the process matches any default risk behavior, issues an interim security strategy corresponding to that default risk behavior; the interim security strategy includes: revocation conditions of the interim security strategy, and processing operations for coping with the default risk behavior together with their trigger conditions;
A receiving unit, configured to receive the interim security strategy from the server side;
A loading unit, configured to load the interim security strategy obtained by the receiving unit, so as to execute the corresponding processing operation when any trigger condition is met, and to revoke the interim security strategy when any revocation condition is met.
2. The safety device according to claim 1, characterized in that the loading unit is further configured to load the interim security strategy into memory, so that the interim security strategy is revoked automatically after the memory loses power.
3. The safety device according to claim 1, characterized in that the behavior of a process that matches the local trigger policy includes any one or more of the following:
Accessing a network address unrelated to the function of the application program to which the process belongs;
Downloading a file unrelated to the function of the application program to which the process belongs;
Creating a process unrelated to the function of the application program to which the process belongs;
Injecting code into other processes unrelated to the application program to which the process belongs;
Writing a file under a protected file directory;
Behavior of a process related to an application program on the blacklist.
4. The safety device according to claim 1, characterized in that the situation in which the behavior of the process matches any default risk behavior includes any one or more of the following:
The process matches any default risk process;
The behavior of the process matches any default risk behavior;
The behavior of the process matches an omen behavior of any default risk behavior.
5. The safety device according to claim 1, characterized in that the revocation conditions of the interim security strategy include any one or more of the following:
The time for which the interim security strategy has been in effect exceeds a predetermined threshold;
The user has permitted the default risk behavior in a prompt message;
A processing operation carrying a termination label in the interim security strategy has been completed;
A cancel command message has been received from the server side.
6. The safety device according to claim 1, characterized in that the processing operations for coping with the default risk behavior and their trigger conditions include any one or more of the following:
With no trigger condition: an operation that limits the operating permissions and/or system resource usage of the process;
With detection of the default risk behavior as the trigger condition: an operation that intercepts the behavior of the process;
With detection of a default very dangerous behavior as the trigger condition: an operation that terminates the process or the application program to which the process belongs;
With detection of a stub file as the trigger condition: an operation that cleans up the stub file.
7. A safety device, characterized by comprising:
A receiving unit, configured to receive description information of the behavior of a process from a terminal; the description information of the behavior of the process matches the preset local trigger policy of the terminal;
A judging unit, configured to judge, according to the description information obtained by the receiving unit, whether the behavior of the process matches any default risk behavior;
An issuing unit, configured to, when the judging unit determines that the behavior of the process matches any default risk behavior, issue to the terminal the interim security strategy corresponding to that default risk behavior, so that the terminal receives and loads the interim security strategy;
Wherein the interim security strategy includes: revocation conditions of the interim security strategy, and processing operations for coping with the default risk behavior together with their trigger conditions, so that the terminal that loads the interim security strategy executes the corresponding processing operation when any trigger condition is met, and revokes the interim security strategy when any revocation condition is met.
8. The safety device according to claim 7, characterized in that the situation in which the behavior of the process matches any default risk behavior includes any one or more of the following:
The process matches any default risk process;
The behavior of the process matches any default risk behavior;
The behavior of the process matches an omen behavior of any default risk behavior.
9. The safety device according to claim 7, characterized in that the revocation conditions of the interim security strategy include any one or more of the following:
The time for which the interim security strategy has been in effect exceeds a predetermined threshold;
The user has permitted the default risk behavior in a prompt message;
A processing operation carrying a termination label in the interim security strategy has been completed;
A cancel command message has been received from the server side.
10. The safety device according to claim 7, characterized in that the processing operations for coping with the default risk behavior and their trigger conditions include any one or more of the following:
With no trigger condition: an operation that limits the operating permissions and/or system resource usage of the process;
With detection of the default risk behavior as the trigger condition: an operation that intercepts the behavior of the process;
With detection of a default very dangerous behavior as the trigger condition: an operation that terminates the process or the application program to which the process belongs;
With detection of a stub file as the trigger condition: an operation that cleans up the stub file.
11. A safety protecting method, characterized by comprising:
When the behavior of a process matches a preset local trigger policy, uploading description information of the behavior of the process to a server side, so that the server side, upon determining that the behavior of the process matches any default risk behavior, issues an interim security strategy corresponding to that default risk behavior; the interim security strategy includes: revocation conditions of the interim security strategy, and processing operations for coping with the default risk behavior together with their trigger conditions;
Receiving the interim security strategy from the server side;
Loading the interim security strategy, so as to execute the corresponding processing operation when any trigger condition is met, and to revoke the interim security strategy when any revocation condition is met.
12. The safety protecting method according to claim 11, characterized in that loading the interim security strategy, so as to execute the corresponding processing operation when any trigger condition is met and to revoke the interim security strategy when any revocation condition is met, comprises:
Loading the interim security strategy into memory, so that the interim security strategy is revoked automatically after the memory loses power.
13. The safety protecting method according to claim 11, characterized in that the behavior of a process that matches the local trigger policy includes any one or more of the following:
Accessing a network address unrelated to the function of the application program to which the process belongs;
Downloading a file unrelated to the function of the application program to which the process belongs;
Creating a process unrelated to the function of the application program to which the process belongs;
Injecting code into other processes unrelated to the application program to which the process belongs;
Writing a file under a protected file directory;
Behavior of a process related to an application program on the blacklist.
14. The safety protecting method according to claim 11, characterized in that the situation in which the behavior of the process matches any default risk behavior includes any one or more of the following:
The process matches any default risk process;
The behavior of the process matches any default risk behavior;
The behavior of the process matches an omen behavior of any default risk behavior.
15. The safety protecting method according to claim 11, characterized in that the revocation conditions of the interim security strategy include any one or more of the following:
The time for which the interim security strategy has been in effect exceeds a predetermined threshold;
The user has permitted the default risk behavior in a prompt message;
A processing operation carrying a termination label in the interim security strategy has been completed;
A cancel command message has been received from the server side.
16. The safety protecting method according to claim 11, characterized in that the processing operations for coping with the default risk behavior and their trigger conditions include any one or more of the following:
With no trigger condition: an operation that limits the operating permissions and/or system resource usage of the process;
With detection of the default risk behavior as the trigger condition: an operation that intercepts the behavior of the process;
With detection of a default very dangerous behavior as the trigger condition: an operation that terminates the process or the application program to which the process belongs;
With detection of a stub file as the trigger condition: an operation that cleans up the stub file.
17. A safety protecting method, characterized by comprising:
Receiving description information of the behavior of a process from a terminal; the description information of the behavior of the process matches the preset local trigger policy of the terminal;
Judging, according to the description information, whether the behavior of the process matches any default risk behavior;
When the behavior of the process matches any default risk behavior, issuing to the terminal the interim security strategy corresponding to that default risk behavior, so that the terminal receives and loads the interim security strategy;
Wherein the interim security strategy includes: revocation conditions of the interim security strategy, and processing operations for coping with the default risk behavior together with their trigger conditions, so that the terminal that loads the interim security strategy executes the corresponding processing operation when any trigger condition is met, and revokes the interim security strategy when any revocation condition is met.
18. The safety protecting method according to claim 17, characterized in that the situation in which the behavior of the process matches any default risk behavior includes any one or more of the following:
The process matches any default risk process;
The behavior of the process matches any default risk behavior;
The behavior of the process matches an omen behavior of any default risk behavior.
19. The safety protecting method according to claim 17, characterized in that the revocation conditions of the interim security strategy include any one or more of the following:
The time for which the interim security strategy has been in effect exceeds a predetermined threshold;
The user has permitted the default risk behavior in a prompt message;
A processing operation carrying a termination label in the interim security strategy has been completed;
A cancel command message has been received from the server side.
20. The safety protecting method according to claim 17, characterized in that the processing operations for coping with the default risk behavior and their trigger conditions include any one or more of the following:
With no trigger condition: an operation that limits the operating permissions and/or system resource usage of the process;
With detection of the default risk behavior as the trigger condition: an operation that intercepts the behavior of the process;
With detection of a default very dangerous behavior as the trigger condition: an operation that terminates the process or the application program to which the process belongs;
With detection of a stub file as the trigger condition: an operation that cleans up the stub file.
CN201510984719.8A 2015-12-24 2015-12-24 Safety protecting method and device Active CN105678167B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510984719.8A CN105678167B (en) 2015-12-24 2015-12-24 Safety protecting method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510984719.8A CN105678167B (en) 2015-12-24 2015-12-24 Safety protecting method and device

Publications (2)

Publication Number Publication Date
CN105678167A CN105678167A (en) 2016-06-15
CN105678167B true CN105678167B (en) 2019-03-22

Family

ID=56189619

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510984719.8A Active CN105678167B (en) 2015-12-24 2015-12-24 Safety protecting method and device

Country Status (1)

Country Link
CN (1) CN105678167B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682315B (en) * 2017-09-05 2020-11-06 杭州迪普科技股份有限公司 Method and device for setting SQL injection attack detection mode
CN108234469A (en) * 2017-12-28 2018-06-29 江苏通付盾信息安全技术有限公司 Mobile terminal application safety protecting method, apparatus and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103139184A (en) * 2011-12-02 2013-06-05 中国电信股份有限公司 Intelligent network firewall device and network attack protection method
CN103646209A (en) * 2013-12-20 2014-03-19 北京奇虎科技有限公司 Cloud-security-based bundled software blocking method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104202325A (en) * 2006-03-27 2014-12-10 意大利电信股份公司 System for implementing security policies on mobile communication equipment
US8881289B2 (en) * 2011-10-18 2014-11-04 Mcafee, Inc. User behavioral risk assessment

Also Published As

Publication number Publication date
CN105678167A (en) 2016-06-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder
TR01 Transfer of patent right

Effective date of registration: 20220329

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.

TR01 Transfer of patent right