CN113849246A - Plug-in identification method, plug-in loading method, computing device and storage medium - Google Patents

Plug-in identification method, plug-in loading method, computing device and storage medium Download PDF

Info

Publication number
CN113849246A
CN113849246A CN202111123571.0A CN202111123571A CN113849246A CN 113849246 A CN113849246 A CN 113849246A CN 202111123571 A CN202111123571 A CN 202111123571A CN 113849246 A CN113849246 A CN 113849246A
Authority
CN
China
Prior art keywords
plug
client
target
integral value
malicious
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111123571.0A
Other languages
Chinese (zh)
Other versions
CN113849246B (en
Inventor
黄文兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Uniontech Software Technology Co Ltd
Original Assignee
Uniontech Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Uniontech Software Technology Co Ltd filed Critical Uniontech Software Technology Co Ltd
Priority to CN202111123571.0A priority Critical patent/CN113849246B/en
Publication of CN113849246A publication Critical patent/CN113849246A/en
Application granted granted Critical
Publication of CN113849246B publication Critical patent/CN113849246B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating
    • G06F9/44521Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
    • G06F9/44526Plug-ins; Add-ons

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a plug-in identification method, which is executed in a server, wherein the server is connected with a plurality of clients, and the plug-in identification method comprises the following steps: acquiring the loading condition of each client to a target plug-in; calculating a credit score of the target plug-in based on the loading condition; and identifying whether the target plug-in is a malicious plug-in or a normal plug-in according to the credit score. According to the plug-in identification method, whether the target plug-in is a normal plug-in or a malicious plug-in is judged through the selection of the loading condition of the target plug-ins by the plurality of clients, so that the running stability of the browser can be ensured, and the aim of protecting the safety of the clients is fulfilled. The invention also discloses a corresponding plug-in loading method, a computing device and a storage medium.

Description

Plug-in identification method, plug-in loading method, computing device and storage medium
Technical Field
The invention relates to the technical field of computers, in particular to a plug-in identification method, a plug-in loading method, a computing device and a storage medium.
Background
With the rapid development of networks, the automated attack of large-scale malicious plug-ins has become a main form of network attack. This not only causes great trouble to the ordinary users, but also causes non-trivial losses to the enterprises and government departments. Therefore, malicious plug-ins have become one of the main threats of the internet at present, and all devices in the network can be attacked by the malicious plug-ins. The network criminal attacks individuals and organizations by using malicious plug-ins, and achieves the aims of destroying an operating system, destroying a computer or a network, stealing confidential data, collecting personal information, hijacking or encrypting sensitive data and the like.
At present, whether the plug-in is a malicious plug-in is judged by relying on detection software. Specifically, the plug-ins are matched with the plug-ins in the black and white list. However, it is impossible to determine an unidentified card that is not on the black-and-white list.
Disclosure of Invention
In view of the above, the present invention has been made to provide a plug-in identification method, a plug-in loading method, a computing device and a storage medium that overcome or at least partially solve the above problems.
According to an aspect of the present invention, there is provided a plug-in identification method, executed in a server connected to a plurality of clients, the method including: acquiring the loading condition of each client to a target plug-in; calculating a credit score of the target plug-in based on the loading condition; and identifying whether the target plug-in is a malicious plug-in or a normal plug-in according to the credit score.
Optionally, in the plug-in recognition method according to the present invention, wherein the loading condition includes loading permission and loading prohibition, and the step of calculating the credit score of the target plug-in based on the loading condition includes: acquiring historical use conditions of each client aiming at normal plug-ins and malicious plug-ins; respectively calculating the integral value of each client based on the historical use condition; counting a first client allowing loading of the target plug-in and a second client forbidding loading of the target plug-in all the clients; and taking the difference value of the sum of the points of each first client and the sum of the points of each second client as the credit score value of the target plug-in.
Alternatively, in a plug-in recognition method according to the present invention, wherein the calculation method of the integral value of the client includes: when the situation that a client loads a normal plug-in is monitored, judging whether a current first integral value of the client is smaller than an initial integral value or not; if the first integral value is smaller than the initial integral value, detecting whether the client is a continuous loading normal plug-in; if so, acquiring a first time of continuously loading the normal plug-in by the client, taking the product of the first time and the first integral increment as a second integral increment of the client, and taking the sum of the first integral value and the second integral increment as an integral value of the client; if not, taking the sum of the first integral value and the first integral increment as the integral value of the client; if the first integral value is not smaller than the initial integral value, taking the sum of the first integral value and the first integral increment as the integral value of the client; when the situation that a client loads a malicious plug-in is monitored, judging whether a current second integral value of the client is larger than an initial integral value or not; if the second integral value is larger than the initial integral value, taking the initial integral value as the integral value of the client; if the second integral value is not larger than the initial integral value, detecting whether the client is a continuously loaded malicious plug-in; if so, acquiring a second time of continuously loading the malicious plug-ins by the client, taking the product of the second time and the first integral subtraction value as a second integral subtraction value of the client, and taking the difference value of a second integral value and the second integral subtraction value as an integral value of the client; and if not, taking the difference value between the second integral value and the first integral subtraction value as the integral value of the client.
Optionally, in the plug-in identification method according to the present invention, the step of determining whether the target plug-in is a malicious plug-in according to the credit score includes: when the credit score is smaller than a preset credit threshold value, the target plug-in is determined to be a malicious plug-in; and when the credit score is not less than the preset credit threshold value, the target plug-in is determined to be a normal plug-in.
Optionally, in the plug-in identification method according to the present invention, after the step of determining whether the target plug-in is a malicious plug-in according to the credit score, the method further includes the steps of: and when the situation that the client loads the malicious plug-in is monitored, sending a warning to the client.
Optionally, in the plug-in identification method according to the present invention, the step of obtaining the loading condition of each client to the target plug-in includes: when detecting that a client receives a loading request of a target plug-in, performing popup warning on the client, wherein at least a loading-allowed interface and a loading-prohibited interface are presented in a popup; and monitoring the selection condition of the client to the loading-allowed interface and the loading-prohibited interface.
Optionally, in the plug-in identification method according to the present invention, the method further includes: the malicious plug-in is listed in a pre-generated blacklist; and listing the normal plug-in into a pre-generated white list.
Optionally, in the plug-in identification method according to the present invention, after the step of determining whether the target plug-in is a malicious plug-in according to the credit score, the method further includes the steps of: receiving a target plug-in state updating request sent by a client, and updating the state of a target plug-in for the client, wherein the target plug-in state updating request comprises the step of updating a malicious plug-in to a normal plug-in or updating the normal plug-in to the malicious plug-in.
According to still another aspect of the present invention, there is provided a plug-in loading method, executed in a client connected to a server, the method including: responding to a loading request of a target plug-in, and inquiring whether the target plug-in is a normal plug-in or a malicious plug-in from a server; if the target plug-in is a normal plug-in, loading the target plug-in; if the target plug-in is a malicious plug-in, warning is carried out; if the target plug-in is neither a normal plug-in nor a malicious plug-in, recording the loading condition of the target plug-in by the user, and sending the loading condition to the server so as to be convenient for the server to identify the target plug-in.
Optionally, in the plug-in loading method according to the present invention, the method further includes: and sending a state updating request of the target plug-in to the server so that the server updates the state of the target plug-in, wherein the state updating request of the target plug-in comprises updating the malicious plug-in to a normal plug-in or updating the normal plug-in to the malicious plug-in.
According to yet another aspect of the invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the above-described method.
According to yet another aspect of the present invention, there is provided a readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the above-described method.
According to the plug-in identification method, whether the target plug-in is a normal plug-in or a malicious plug-in is judged through the selection of the loading condition of the target plug-ins by the plurality of clients, so that the running stability of the browser can be ensured, and the aim of protecting the safety of the clients is fulfilled.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 shows a schematic diagram of a plug-in identification system 100 according to one embodiment of the invention;
FIG. 2 shows a block diagram of a computing device 200, according to one embodiment of the invention;
FIG. 3 illustrates a flow diagram of a plug-in identification method 300 according to one embodiment of the invention;
FIG. 4 illustrates a flow diagram of a plug-in loading method 400 according to one embodiment of the invention;
FIG. 5 illustrates a flow diagram of a plug-in loading application scenario 500 according to one embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The network scene plug-in Application Programming Interface (NPAPI) is a universal Interface for executing external Application programs in a browser, a group of simple C plug-in APIs are injected by a dynamic library, communication is carried out by a specified API, the plug-in capability is described by a character string, the browser can be dynamically loaded according to capability description and is responsible for plug-in calling flow and life cycle management, and the plug-in is responsible for the design and implementation of a user Interface and related functions. However, since the issue of the chroma considers that the NPAPI plug-in is too powerful and safe, a PPAPI scheme is substituted later. The NPAPI function has been deleted after 44 th edition under linux, but currently a considerable number of OA systems of our national government still use NPAPI. So in the latest open source premium project, we develop this removed part of the functionality into the latest version for re-migration.
In the migration process, when the browser loads the plug-in developed by the user, it is identified by a tag embed, for example, < embed type ═ application/NP-plug-in "width ═ 640height ═ 480id ═ npID ═ emobd >, where the attribute type ═ application/NP-plug-in" is derived from an interface NP _ getmodedescription of the plug-in, and the prototype of this interface is: const char ([ NP _ getmimescriptprotrptr) (void). The browser searches a plug-in dynamic library of the plug-in under a default plug-in path, and matches the current plug-in according to the imported interface description. So that the following problems are caused: 1. normal plug-ins can be loaded, as can malicious plug-ins. 2. The NPAPI plug-in is operated in an independent process, the process is opposite to the sandbox, the authority is very large, and therefore the system safety cannot be guaranteed.
In order to solve the problems in the prior art, the technical scheme of the invention is provided. Specifically, as shown in FIG. 1, FIG. 1 shows a schematic diagram of a plug-in identification system 100 according to one embodiment of the invention. The plug-in identification system 100 includes a plurality of user terminals 110 and a computing device 200.
The user terminal 110 is a terminal device used by a user, and may specifically be a personal computer such as a desktop computer and a notebook computer, or may also be a mobile phone, a tablet computer, a multimedia device, an intelligent wearable device, and the like, but is not limited thereto. A browser or a page application (WebApp) resides in the user terminal 110, and accesses the computing device 200 in the internet through the browser or the page application, which are hereinafter collectively referred to as a client, and accordingly, the computing device 200 is a server. Computing device 200 is used to provide services to user terminal 110, and may be implemented as a server, such as an application server, a Web server, or the like; but may also be implemented as a desktop computer, a notebook computer, a processor chip, a tablet computer, etc., but is not limited thereto.
In one embodiment, the plug-in identification system 100 further comprises a data storage 120. The data storage 120 may be a relational database such as MySQL, ACCESS, etc., or a non-relational database such as NoSQL, etc.; the data storage device 120 may be a local database residing in the computing device 200, or may be disposed at a plurality of geographic locations as a distributed database, such as HBase, in short, the data storage device 120 is used for storing data, and the present invention is not limited to the specific deployment and configuration of the data storage device 120. The computing device 200 may connect with the data storage 120 and retrieve data stored in the data storage 120. For example, the computing device 200 may directly read the data in the data storage 120 (when the data storage 120 is a local database of the computing device 200), or may access the internet in a wired or wireless manner and obtain the data in the data storage 120 through a data interface.
In an embodiment of the invention, the data storage 120 is adapted to store state information of plug-ins and the like.
FIG. 2 shows a block diagram of a computing device 200, according to one embodiment of the invention. As shown in FIG. 2, in a basic configuration 202, a computing device 200 typically includes a system memory 206 and one or more processors 204. A memory bus 208 may be used for communication between the processor 204 and the system memory 206.
Depending on the desired configuration, the processor 204 may be any type of processing, including but not limited to: a microprocessor (μ P), a microcontroller (μ C), a Digital Signal Processor (DSP), or any combination thereof. The processor 204 may include one or more levels of cache, such as a level one cache 210 and a level two cache 212, a processor core 214, and registers 216. Example processor cores 214 may include Arithmetic Logic Units (ALUs), Floating Point Units (FPUs), digital signal processing cores (DSP cores), or any combination thereof. The example memory controller 218 may be used with the processor 204, or in some implementations the memory controller 218 may be an internal part of the processor 204.
Depending on the desired configuration, system memory 206 may be any type of memory, including but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. The physical memory in the computing device is usually referred to as a volatile memory RAM, and data in the disk needs to be loaded into the physical memory to be read by the processor 204. System memory 106 may include an operating system 220, one or more applications 222, and program data 224. The application 222 is actually a plurality of program instructions that direct the processor 204 to perform corresponding operations. In some embodiments, the application 222 may be arranged to execute instructions on an operating system with the program data 224 by one or more processors 204 in some embodiments. Operating system 220 may be, for example, Linux, Windows, or the like, which includes program instructions for handling basic system services and for performing hardware-dependent tasks. The application 222 includes program instructions for implementing various user-desired functions, and the application 222 may be, for example, but not limited to, a browser, instant messenger, a software development tool (e.g., an integrated development environment IDE, a compiler, etc.), and the like. When the application 222 is installed into the computing device 200, a driver module may be added to the operating system 220.
When the computing device 200 is started, the processor 204 reads program instructions of the operating system 220 from the memory 206 and executes them. Applications 222 run on top of operating system 220, utilizing the interface provided by operating system 220 and the underlying hardware to implement various user-desired functions. When the user starts the application 222, the application 222 is loaded into the memory 206, and the processor 204 reads the program instructions of the application 222 from the memory 206 and executes the program instructions.
Computing device 200 also includes storage device 232, storage device 232 including removable storage 236 and non-removable storage 238, each of removable storage 236 and non-removable storage 238 being connected to storage interface bus 234.
Computing device 200 may also include an interface bus 240 that facilitates communication from various interface devices (e.g., output devices 242, peripheral interfaces 244, and communication devices 246) to the basic configuration 202 via the bus/interface controller 230. The example output device 242 includes a graphics processing unit 248 and an audio processing unit 250. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more a/V ports 252. Example peripheral interfaces 244 can include a serial interface controller 254 and a parallel interface controller 256, which can be configured to facilitate communications with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 258. An example communication device 246 may include a network controller 260, which may be arranged to facilitate communications with one or more other computing devices 262 over a network communication link via one or more communication ports 264.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, Radio Frequency (RF), microwave, Infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
The computing device 200 also includes a storage interface bus 234 coupled to the bus/interface controller 230. The storage interface bus 234 is coupled to the storage device 232, and the storage device 232 is adapted to store data. Example storage devices 232 may include removable storage 236 (e.g., CD, DVD, U-disk, removable hard disk, etc.) and non-removable storage 238 (e.g., hard disk drive, HDD, etc.).
In computing device 200 according to the present invention, application 222 includes a plurality of program instructions that perform method 300 and perform method 400.
FIG. 3 shows a flow diagram of a plug-in identification method 300 according to one embodiment of the invention. The method 300 is suitable for execution in a computing device (e.g., the aforementioned computing device 100) configured as a server connected to a plurality of clients.
As shown in fig. 3, the method 300 is to implement a plug-in recognition method, starting from step S302, and in step S302, acquiring the loading condition of each client on a target plug-in. In some embodiments, the loading conditions include load enable and load disable. Specifically, when it is detected that a client receives a loading request of a target plug-in, a popup warning is given to the client, and at least a loading-allowed interface and a loading-prohibited interface are presented in the popup. And monitoring the selection condition of the client to the loading-allowed interface and the loading-prohibited interface.
It should be noted that, the target plug-in mentioned in this embodiment is for an unidentified plug-in that is not in the black and white list of the server, and the unidentified plug-in refers to a plug-in that has not been qualified as a malicious plug-in or a normal plug-in. When the situation that the client loads the unidentified plug-in is monitored, a warning is sent to the client so that the client can remind a user, for example, the client can give a popup warning to the user to inform the user that the plug-in is possibly a dangerous plug-in, if the user selects to allow the loading, the plug-in is normally operated, and if the user selects to prohibit the loading, the process of the plug-in is terminated.
In step S304, a credit score of the target plug-in is calculated based on the loading condition.
In some embodiments, the specific implementation manner of step S304 is as follows:
firstly, the historical use condition of each client for normal plug-ins and malicious plug-ins is obtained.
It should be noted that the normal plug-in and the malicious plug-in mentioned here are different from the aforementioned unidentified plug-in, and both the normal plug-in and the malicious plug-in are plug-ins that have been qualified by the server. It is easy to understand that before the browser is released, a plurality of plug-ins are built in the browser, and a worker can perform adaptation detection on the built-in plug-ins, wherein the plug-ins with qualified adaptation are directly identified as normal plug-ins, and the plug-ins with unqualified adaptation are identified as malicious plug-ins. In addition, some previously unidentified plug-ins are identified as normal plug-ins or malicious plug-ins by the plug-in identification method 300 provided by the embodiment. In other words, the normal plug-ins mentioned herein include normal plug-ins built in a browser and plug-ins that have been recognized as normal by the plug-in recognition method 300. Similarly, the malicious plug-ins mentioned herein include those built in the browser and those that have been identified as malicious by the plug-in identification method 300.
In some embodiments, the malicious plug-ins are listed in a pre-generated blacklist. And listing the normal plug-in into a pre-generated white list. It should be noted that, a black-and-white list is also configured in the browser residing in each client, the black-and-white list in the browser is correlated with the black-and-white list residing in the server in this embodiment, and when the client uses the plug-in the black-and-white list, the client informs the server through the correlation, so as to facilitate the server to monitor the use condition of the plug-in by each client.
Then, the integral value of each client is calculated based on the historical usage. In this embodiment, if a client loads a normal plug-in, it is given a reward for adding a credit value; and if the client loads the malicious plug-ins, the client is given a penalty of reducing the integral value.
In some embodiments, the method for calculating the value of credit of the client includes:
when the situation that the normal plug-in is loaded on the client side is monitored, whether the current first integral value of the client side is smaller than the initial integral value is judged. And if the first integral value is smaller than the initial integral value, detecting whether the client is a continuously loaded normal plug-in. If so, acquiring a first time of continuously loading the normal plug-in by the client, taking the product of the first time and the first integral increment as a second integral increment of the client, and taking the sum of the first integral value and the second integral increment as an integral value of the client. And if not, taking the sum of the first integral value and the first integral increment as the integral value of the client. And if the first integral value is not smaller than the initial integral value, taking the sum of the first integral value and the first integral increment as the integral value of the client.
And when the situation that the client loads the malicious plug-in is monitored, judging whether the current second integral value of the client is larger than the initial integral value. And if the second integral value is larger than the initial integral value, the initial integral value is used as the integral value of the client. And if the second integral value is not larger than the initial integral value, detecting whether the client is continuously loaded with malicious plug-ins. If so, acquiring a second time of continuously loading the malicious plug-ins by the client, taking the product of the second time and the first integral subtraction value as a second integral subtraction value of the client, and taking the difference value of the second integral value and the second integral subtraction value as the integral value of the client. And if not, taking the difference value between the second integral value and the first integral subtraction value as the integral value of the client.
In one specific example, the initial credit value in each client is 0.
When the user uses normal plug-ins in the white list each time: if the current integral value of the client is greater than or equal to 0, the integral value of the client + x is added to the first integral value, and the size of x may be set by a person skilled in the art. Illustratively, x may be 1. I.e. the client's credit value + 1. If the current integral value of the client is less than 0, judging whether the client is continuously loaded with normal plug-ins, for example, detecting whether the plug-ins loaded last time by the client are normal plug-ins, detecting whether the last time and the last time of the client are normal plug-ins, and the like. If the client is continuously loading normal plug-ins, the number n of continuous loading is obtained, for example, the client is continuously loaded with 5 normal plug-ins. And adding the product of x and n as a second integral value, and adding the integral value of the client + (n x). Illustratively, the value of x is incremented by 1, and if the client is continuously loaded with 5 times of normal plug-ins, the value of the client is added to + 5. If the client is not continuously loading normal plug-ins, the integral value + x of the client is used.
When the user uses the malicious plug-ins in the blacklist each time: if the current integral value of the client is > 0, the integral value of the client is reset to 0 (initial integral value). If the current integral value of the client is less than or equal to 0, judging whether the client is continuously loaded with malicious plug-ins, for example, detecting whether the plug-ins loaded last time by the client are malicious plug-ins, detecting whether the last time and the last time of the client are malicious plug-ins, and the like. If the client is continuously loaded with the malicious plug-ins, acquiring the number n of continuous loads, for example, the client is continuously loaded with the malicious plug-ins 5 times. Taking the product of y and n as the second integral subtraction value, and y is the first integral subtraction value, the size of the integral value- (n × y) of the client may be set by a person skilled in the art, which is not limited in this application. Illustratively, y may be 1, and if the client loads malicious plug-ins 5 times in succession, the value of the credit for the client is-5. And if the client is not continuously loaded with the malicious plug-ins, the integral value-y of the client is used.
For ease of understanding, reference is made to the following examples:
1. the current integral value of the client a is 10, the initial value is 0, the integral increment value is 1, and the integral decrement value is also 1. When the client a loads a normal plug-in once, the current integral value of the client a is updated to 10+ 1-11.
2. The current integral value of the client B is 10, the initial value is 0, the integral increment is 1, and the integral decrement is also 1. And when the client A loads a malicious plug-in, updating the current integral value of the client B to be 0.
3. The current integral value of the client C is-10, the initial value is 0, the integral increment is 1, and the integral decrement is also 1. When the client C loads the normal plug-in once, it is determined whether the client C continuously loads the normal plug-in, for example, if the client C continuously loads the normal plug-in 2 times before the normal plug-in is loaded this time, the normal plug-in is loaded this time to be the normal plug-in loaded for the 3 rd time. The current credit value for that client C is updated to-10 + 3-7. If the plug-in loaded once before the normal plug-in is loaded this time by the client C is a malicious plug-in loaded, it indicates that the client C does not continuously load normal plug-ins, and the current integral value of the client C is updated to-10 +1 or-9.
4. The current integral value of the client D is-10, the initial value is 0, the integral increment value is 1, and the integral decrement value is also 1. When the client D loads the malicious plug-ins once, it is determined whether the client D continuously loads the malicious plug-ins, for example, if the client D continuously loads the malicious plug-ins 2 times before the client D loads the malicious plug-ins here, the client D loads the malicious plug-ins for the 3 rd time. The current credit value of this client D is updated to-10-3-13. If the plug-in loaded once before the client D loads the malicious plug-in this time is a normal plug-in loaded, it indicates that the client does not continuously load the malicious plug-ins, and the current integral value of the client is updated to-10-1 or-11.
And then, counting a first client which is allowed to load the target plug-in and a second client which is forbidden to load the target plug-in from the clients. Illustratively, there are 5 clients in current networks, A, B, C, D and E, communicatively connected to the server, among which there are clients A, B and C, 3 clients, when they are directed to the loading of a target plug-in, have chosen to allow the target plug-in to load. And the clients D and E, 2 clients choose to forbid the target plug-in from loading when aiming at the target plug-in. Then we consider clients A, B and C as first clients and clients D and E as second clients.
And finally, taking the difference value of the sum of the points of each first client and the sum of the points of each second client as the credit score value of the target plug-in.
Continuing with the foregoing example, the current client point values of clients A, B, C, D and E are counted, respectively, based on the foregoing calculation method of the point values of the clients, specifically, as shown in table 1.
TABLE 1
Client terminal A B C D E
Integral value A1 B1 C1 D1 E1
Loading conditions for target plug-ins Allow for Allow for Allow for Inhibit Inhibit
The integral value of the target plugin is (a)1+B1+C1)-(D1+E1) Converting to obtain the integral value A of the target plug-in1+B1+C1-D1-E1
Taking the integral value of each client as a specific numerical value, as shown in table 2:
TABLE 2
Client terminal A B C D E
Integral value 20 -10 30 -30 10
Loading conditions for target plug-ins Allow for Allow for Allow for Inhibit Inhibit
The integral value of the target card is (20-10+30) - (-30+10) ═ 20-10+30+30-10 ═ 60. For example, if the client C selects to allow loading, it may indicate that the user relatively trusts the target plugin, so that the credit score of the target plugin is +30, and if the client C selects to prohibit loading, it may indicate that the user does not trust the target plugin, so that the credit score of the target plugin is-30. For the client D, the credit value is lower, which indicates that the user using the client frequently uses a malicious plug-in, and prefers to use a malicious plug-in, and the loading condition of the target plug-in also greatly affects the credit value of the target plug-in, for example, if the client D to prohibit loading, which indicates that the target plug-in is a plug-in that the user does not frequently use, that is, the plug-in has certain security, the credit value of the target plug-in is made to be +30, and if the client D selects to allow loading, which indicates that the target plug-in is a target plug-in that the user prefers to use, which is a malicious plug-in, the probability of being a malicious plug-in is made to be-30.
In step S306, whether the target plug-in is a malicious plug-in or a normal plug-in is identified according to the credit score.
In some embodiments, the target plugin is identified as a malicious plugin when the credit score is less than a preset credit threshold. And when the credit score is not less than the preset credit threshold value, the target plug-in is determined to be a normal plug-in.
For example, a credit threshold of 60 is set, i.e., when the credit score of the target plug-in is greater than 60, the target plug-in is considered to be a normal plug-in and may be whitelisted. When the credit score of the target plugin is less than or equal to 60, the target plugin is determined to be a malicious plugin, and the target plugin can be listed in a blacklist.
In some embodiments, when it is monitored that a client loads a malicious plug-in, an alert is sent to the client. Specifically, when a user loads a malicious plug-in the blacklist, a warning is sent to the client, and the client generates a popup window based on the warning to warn the user that the currently loaded plug-in is a malicious plug-in.
Additionally, in some embodiments, the plug-in identification method 300 further comprises:
receiving a target plug-in state updating request sent by a client, and updating the state of a target plug-in for the client, wherein the target plug-in state updating request comprises the step of updating a malicious plug-in to a normal plug-in or updating the normal plug-in to the malicious plug-in.
In one particular example, the target plug-in has been characterized as a malicious plug-in, and therefore, the user is alerted by a pop-up each time the target plug-in is loaded. However, the user relies on and trusts the target plug-in, and can request the server to update the target plug-in from a malicious plug-in to a normal plug-in by sending a state update request of the target plug-in by the server. However, it should be noted that the server updates the state of the target plug-in only to take effect for the client. For example, for plug-in a, which is characterized as a malicious plug-in, client a requests that plug-in a be updated from a malicious plug-in to a normal plug-in, when client a loads plug-in a, plug-in a is loaded as if normal plug-in were loaded. But for client B, it does not require updating the state of plug-in a, and when plug-in a is loaded, it still loads plug-in a as if it were a malicious plug-in.
In another example, a domain configuration right is provided, and users in the domain can add some credit lists and some block lists.
The roster is in json format. As follows
“allow_list”:[],
“block_list”:[]
}
In other words, the user can update the state of each plug-in through the domain configuration authority.
FIG. 4 shows a flow diagram of a plug-in loading method 400 according to one embodiment of the invention. Method 400 is suitable for execution in a computing device (e.g., computing device 100 described above) configured as a client that interfaces with a server.
As shown in fig. 4, the method 400 is to implement a method for loading a plug-in, starting from step S402, and in step S402, in response to a load request for a target plug-in, querying a server whether the target plug-in is a normal plug-in or a malicious plug-in. Illustratively, when a user loads a target plugin, a client generates a plugin state request according to an identifier of the target plugin, and sends the plugin state request to a server, the server queries the target plugin based on the identifier of the target plugin, if the target plugin is recorded in a white list, the target plugin is a normal plugin, if the target plugin is recorded in a black list, the target plugin is a malicious plugin, and if the target plugin is not in the white list or the black list, the target plugin is an unidentified plugin.
In step S404, if the target plug-in is a normal plug-in, the target plug-in is loaded. And when the target plug-in is found to be a normal plug-in, normally loading the target plug-in.
In step S406, if the target plug-in is a malicious plug-in, a warning is given. Specifically, a pop-up warning may be given to the user to inform the user that the currently loaded plug-in is a malicious plug-in.
In step S408, if the target plug-in is neither a normal plug-in nor a malicious plug-in, the loading condition of the target plug-in by the user is recorded, and the loading condition is sent to the server, so that the server can identify the target plug-in. Specifically, the loading case includes load enable and load disable. The client records the loading condition of the user on the target plug-in and sends the record to the server, and the server identifies the target plug-in through the plug-in identification method 300 provided in the foregoing embodiment. It should be noted that, as for a specific method for identifying the target plug-in by the server, reference may be made to the plug-in identification method 300, which is not described herein again.
In addition, the plug-in loading method 400 in this embodiment further includes:
and sending a state updating request of the target plug-in to the server so that the server updates the state of the target plug-in, wherein the state updating request of the target plug-in comprises updating the malicious plug-in to a normal plug-in or updating the normal plug-in to the malicious plug-in.
It should be noted that the method for updating the state of the target plug-in is similar to the method for updating the state of the target plug-in the method for identifying a plug-in 300, and reference may be made to the description of the method for identifying a plug-in 300 for relevant points, which is not repeated herein.
In one specific example, as shown in FIG. 5, FIG. 5 illustrates a flow diagram of a plug-in loading application scenario 500 according to one embodiment of the present invention.
Referring to fig. 5, the specific flow of the plug-in loading application scenario 500 is as follows:
and when a plug-in loading request is received, judging whether the plug-in is in a black and white list or not.
And if the plug-in is in the white list, updating the integral value of the client and normally operating the plug-in.
And if the plug-in is in the blacklist, updating the integral value of the client and ending the process of the plug-in.
It should be noted that, for a specific method for updating the value of the integral of the client, reference may be made to the foregoing method for calculating the value of the integral of the client, and details are not described herein again.
If the plug-in is not in the black and white list, the plug-in is not identified, at this time, a popup warning is given to a user, and at least an interface allowing loading and an interface prohibiting loading are presented on the popup.
When the user selects to allow loading, the integral value of the client is sent to the server, so that the server adds the integral value of the client and the integral values of other clients to calculate the credit score of the plug-in, and the plug-in is operated normally.
And when the user selects to prohibit loading, sending the integral value of the client to the server, so that the server performs subtraction calculation on the integral value of the client and the integral values of other clients to calculate the credit score of the plug-in, and finishing the process of the plug-in.
A5, the method of claim a4, wherein after the step of determining whether the target plug-in is a malicious plug-in according to the credit score, further comprising the steps of:
and when the situation that the client loads the malicious plug-in is monitored, sending a warning to the client.
A6 the method of claim a2, wherein the step of obtaining the loading condition of each client to the target plug-in includes:
when detecting that a client receives a loading request of the target plug-in, performing popup warning on the client, wherein at least a loading-allowed interface and a loading-prohibited interface are presented in the popup;
and monitoring the selection condition of the client to the loading-allowed interface and the loading-prohibited interface.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, U.S. disks, floppy disks, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the method of the invention according to instructions in said program code stored in the memory.
By way of example, and not limitation, readable media may comprise readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with examples of this invention. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose preferred embodiments of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense with respect to the scope of the invention, as defined in the appended claims.

Claims (10)

1. A plug-in identification method executed in a server connected to a plurality of clients, the method comprising:
acquiring the loading condition of each client to a target plug-in;
calculating a credit score of the target plug-in based on the loading condition;
and identifying whether the target plug-in is a malicious plug-in or a normal plug-in according to the credit score.
2. The method of claim 1, wherein the loading conditions include allow loading and prohibit loading, and the step of calculating a credit score for the target plug-in based on the loading conditions comprises:
acquiring historical use conditions of each client aiming at normal plug-ins and malicious plug-ins;
respectively calculating the integral value of each client based on the historical use condition;
counting a first client which is selected to allow the target plug-in to be loaded and a second client which is forbidden to load the target plug-in from the clients;
and taking the difference value of the sum of the points of each first client and the sum of the points of each second client as the credit score value of the target plug-in.
3. The method of claim 2, wherein the calculation of the credit value of the client comprises:
when the situation that a client loads a normal plug-in is monitored, judging whether a current first integral value of the client is smaller than an initial integral value or not;
if the first integral value is smaller than the initial integral value, detecting whether the client is a continuously loaded normal plug-in;
if so, acquiring a first time of continuously loading normal plug-ins by the client, taking the product of the first time and the first integral increment as a second integral increment of the client, and taking the sum of the first integral value and the second integral increment as the integral value of the client;
if not, taking the sum of the first integral value and the first increment value as the integral value of the client;
if the first integral value is not smaller than the initial integral value, taking the sum of the first integral value and the first integral increment as the integral value of the client;
when the situation that a client loads a malicious plug-in is monitored, judging whether a current second integral value of the client is larger than the initial integral value or not;
if the second integral value is larger than the initial integral value, taking the initial integral value as the integral value of the client;
if the second integral value is not larger than the initial integral value, detecting whether the client is a continuously loaded malicious plug-in;
if so, acquiring a second time of continuously loading malicious plug-ins by the client, taking the product of the second time and the first integral subtraction value as a second integral subtraction value of the client, and taking the difference value of the second integral value and the second integral subtraction value as the integral value of the client;
and if not, taking the difference value between the second integral value and the first integral subtraction value as the integral value of the client.
4. The method of claim 1, wherein the determining whether the target plug-in is a malicious plug-in according to the credit score comprises:
when the credit score is smaller than a preset credit threshold value, the target plug-in is determined to be a malicious plug-in;
and when the credit score is not less than a preset credit threshold value, the target plug-in is determined to be a normal plug-in.
5. The method of claim 4, wherein the method further comprises:
the malicious plug-in is listed in a pre-generated blacklist;
and listing the normal plug-in into a pre-generated white list.
6. The method of claim 1, wherein after the step of determining whether the target plug-in is a malicious plug-in according to the credit score, further comprising the steps of:
receiving a target plug-in state updating request sent by a client, and updating the state of a target plug-in for the client, wherein the target plug-in state updating request comprises the step of updating a malicious plug-in to a normal plug-in or updating the normal plug-in to the malicious plug-in.
7. A plug-in loading method executed in a client connected to a server, the method comprising:
responding to a loading request of a target plug-in, and inquiring whether the target plug-in is a normal plug-in or a malicious plug-in from the server;
if the target plug-in is a normal plug-in, loading the target plug-in;
if the target plug-in is a malicious plug-in, warning;
if the target plug-in is neither a normal plug-in nor a malicious plug-in, recording the loading condition of the target plug-in by a user, and sending the loading condition to the server so as to facilitate the server to identify the target plug-in.
8. The method of claim 7, further comprising:
and sending a state updating request of the target plug-in to the server so that the server updates the state of the target plug-in, wherein the state updating request of the target plug-in comprises updating a malicious plug-in to a normal plug-in or updating the normal plug-in to the malicious plug-in.
9. A computing device, comprising:
at least one processor; and
a memory storing program instructions configured for execution by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-8.
10. A readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-8.
CN202111123571.0A 2021-09-24 2021-09-24 Plug-in identification method, plug-in loading method, computing device and storage medium Active CN113849246B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111123571.0A CN113849246B (en) 2021-09-24 2021-09-24 Plug-in identification method, plug-in loading method, computing device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111123571.0A CN113849246B (en) 2021-09-24 2021-09-24 Plug-in identification method, plug-in loading method, computing device and storage medium

Publications (2)

Publication Number Publication Date
CN113849246A true CN113849246A (en) 2021-12-28
CN113849246B CN113849246B (en) 2024-01-23

Family

ID=78979388

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111123571.0A Active CN113849246B (en) 2021-09-24 2021-09-24 Plug-in identification method, plug-in loading method, computing device and storage medium

Country Status (1)

Country Link
CN (1) CN113849246B (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101833575A (en) * 2010-04-27 2010-09-15 南京邮电大学 Method for sorting network virus reports
US8336100B1 (en) * 2009-08-21 2012-12-18 Symantec Corporation Systems and methods for using reputation data to detect packed malware
JP2013532869A (en) * 2010-07-28 2013-08-19 マカフィー, インコーポレイテッド System and method for local protection against malicious software
US20130291112A1 (en) * 2012-04-27 2013-10-31 Ut-Batelle, Llc Architecture for removable media usb-arm
CN103679023A (en) * 2013-10-10 2014-03-26 南京邮电大学 Mass virus reporting and analyzing method under united calculation architecture
US8719924B1 (en) * 2005-03-04 2014-05-06 AVG Technologies N.V. Method and apparatus for detecting harmful software
CN103824017A (en) * 2012-11-19 2014-05-28 腾讯科技(深圳)有限公司 Method and platform for monitoring rogue programs
CN103902888A (en) * 2012-12-24 2014-07-02 腾讯科技(深圳)有限公司 Website trust automatic rating method, server-side and system
CN105631328A (en) * 2015-12-18 2016-06-01 北京奇虎科技有限公司 Detection method and device of unknown risks of browser plugin
CN107483500A (en) * 2017-09-25 2017-12-15 咪咕文化科技有限公司 A kind of Risk Identification Method based on user behavior, device and storage medium
CN107766731A (en) * 2017-09-22 2018-03-06 郑州云海信息技术有限公司 A kind of anti-virus attack realization method and system based on application program management and control
US20180124109A1 (en) * 2016-11-02 2018-05-03 RiskIQ, Inc. Techniques for classifying a web page based upon functions used to render the web page
CN109815702A (en) * 2018-12-29 2019-05-28 360企业安全技术(珠海)有限公司 Safety detection method, device and the equipment of software action

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8719924B1 (en) * 2005-03-04 2014-05-06 AVG Technologies N.V. Method and apparatus for detecting harmful software
US8336100B1 (en) * 2009-08-21 2012-12-18 Symantec Corporation Systems and methods for using reputation data to detect packed malware
CN101833575A (en) * 2010-04-27 2010-09-15 南京邮电大学 Method for sorting network virus reports
JP2013532869A (en) * 2010-07-28 2013-08-19 マカフィー, インコーポレイテッド System and method for local protection against malicious software
US20130291112A1 (en) * 2012-04-27 2013-10-31 Ut-Batelle, Llc Architecture for removable media usb-arm
CN103824017A (en) * 2012-11-19 2014-05-28 腾讯科技(深圳)有限公司 Method and platform for monitoring rogue programs
CN103902888A (en) * 2012-12-24 2014-07-02 腾讯科技(深圳)有限公司 Website trust automatic rating method, server-side and system
CN103679023A (en) * 2013-10-10 2014-03-26 南京邮电大学 Mass virus reporting and analyzing method under united calculation architecture
CN105631328A (en) * 2015-12-18 2016-06-01 北京奇虎科技有限公司 Detection method and device of unknown risks of browser plugin
US20180124109A1 (en) * 2016-11-02 2018-05-03 RiskIQ, Inc. Techniques for classifying a web page based upon functions used to render the web page
CN107766731A (en) * 2017-09-22 2018-03-06 郑州云海信息技术有限公司 A kind of anti-virus attack realization method and system based on application program management and control
CN107483500A (en) * 2017-09-25 2017-12-15 咪咕文化科技有限公司 A kind of Risk Identification Method based on user behavior, device and storage medium
CN109815702A (en) * 2018-12-29 2019-05-28 360企业安全技术(珠海)有限公司 Safety detection method, device and the equipment of software action

Also Published As

Publication number Publication date
CN113849246B (en) 2024-01-23

Similar Documents

Publication Publication Date Title
US9852289B1 (en) Systems and methods for protecting files from malicious encryption attempts
US9596257B2 (en) Detection and prevention of installation of malicious mobile applications
US10104107B2 (en) Methods and systems for behavior-specific actuation for real-time whitelisting
US8479296B2 (en) System and method for detecting unknown malware
EP3029593B1 (en) System and method of limiting the operation of trusted applications in the presence of suspicious programs
US8776236B2 (en) System and method for providing storage device-based advanced persistent threat (APT) protection
US9317679B1 (en) Systems and methods for detecting malicious documents based on component-object reuse
US9065849B1 (en) Systems and methods for determining trustworthiness of software programs
US8640233B2 (en) Environmental imaging
JP2006127497A (en) Efficient white listing of user-modifiable file
US10735468B1 (en) Systems and methods for evaluating security services
US9064120B2 (en) Systems and methods for directing application updates
CN104680084A (en) Method and system for protecting user privacy in computer
US11558531B2 (en) Systems and methods for authenticating an image
US9152790B1 (en) Systems and methods for detecting fraudulent software applications that generate misleading notifications
US9659182B1 (en) Systems and methods for protecting data files
US9245132B1 (en) Systems and methods for data loss prevention
Shin et al. Focusing on the weakest link: A similarity analysis on phishing campaigns based on the att&ck matrix
US9785775B1 (en) Malware management
WO2023151238A1 (en) Ransomware detection method and related system
CN113596044B (en) Network protection method and device, electronic equipment and storage medium
CN113849246B (en) Plug-in identification method, plug-in loading method, computing device and storage medium
US10331902B2 (en) Data loss prevention
CN113282923B (en) Remote control method, computing device and storage medium
CN113254917B (en) Recording permission management method, computing device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant