CN116484361A - Method, system, storage medium and computer equipment for applying security protection - Google Patents
Method, system, storage medium and computer equipment for applying security protection Download PDFInfo
- Publication number
- CN116484361A CN116484361A CN202210051144.4A CN202210051144A CN116484361A CN 116484361 A CN116484361 A CN 116484361A CN 202210051144 A CN202210051144 A CN 202210051144A CN 116484361 A CN116484361 A CN 116484361A
- Authority
- CN
- China
- Prior art keywords
- application
- access
- isolation belt
- data
- access right
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 66
- 238000002955 isolation Methods 0.000 claims abstract description 109
- 238000013475 authorization Methods 0.000 claims abstract description 64
- 230000000903 blocking effect Effects 0.000 claims abstract description 13
- 230000006399 behavior Effects 0.000 claims description 48
- 238000004590 computer program Methods 0.000 claims description 21
- 238000012544 monitoring process Methods 0.000 claims description 19
- 238000004422 calculation algorithm Methods 0.000 claims description 16
- 230000008569 process Effects 0.000 claims description 13
- 238000010276 construction Methods 0.000 claims description 9
- 230000001960 triggered effect Effects 0.000 description 9
- 230000004044 response Effects 0.000 description 6
- 230000006870 function Effects 0.000 description 5
- 238000004458 analytical method Methods 0.000 description 4
- 238000005336 cracking Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000009434 installation Methods 0.000 description 2
- 230000007774 longterm Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/74—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Lock And Its Accessories (AREA)
Abstract
The invention provides a method for protecting application safety, which constructs an encrypted application isolation belt for each application respectively; the application isolation belt is used for blocking data access among the applications; when the first application requests to access a second application and/or application data of the second application are monitored, respectively acquiring a first access right and a second access right preset by the first application and the second application; judging whether the first application has access authorization to the second application and/or the application data according to the first access authority and the second access authority; and if the access authorization exists, controlling the application isolation belt corresponding to the second application to directionally unlock the first application. The invention also provides a system, a storage medium and computer equipment for applying the safety protection. Therefore, the invention can realize the safety control of dynamic interview among various applications, and improves the data safety of the intelligent terminal.
Description
Technical Field
The present invention relates to the field of application data security technologies, and in particular, to a method, a system, a storage medium, and a computer device for application security protection.
Background
The data security of the intelligent terminal is a major concern for users, and how to effectively prevent the data on the intelligent terminal from being illegally read or leaked is a problem, so that the user experience of the intelligent product is relevant.
The prior art provides the following two technical schemes: the first method comprises the steps of splitting data and storing the split data into a first database and a second database respectively, and acquiring the data by requiring a first authority server and a second authority server to verify data requests respectively; secondly, setting an authorization condition for data access; determining a data access request conforming to the authorization condition; and carrying out authorization operation of the data application corresponding to the authorization condition according to the data access request. Obviously, the schemes provided by the prior art are all used for preventing the data access request from the external terminal, but do not disclose the risk of the data access request among various applications in the intelligent terminal, namely the prior art cannot well solve the problem of safely and flexibly accessing the opposite party capability and/or data among a plurality of applications.
In summary, the conventional method has many problems in practical use, so that improvement is necessary.
Disclosure of Invention
Aiming at the defects, the invention aims to provide an application safety protection method, a system, a storage medium and computer equipment thereof, which can realize the safety control of dynamic interview among various applications and improve the data safety of an intelligent terminal.
In order to achieve the above object, the present invention provides a method for applying security protection, comprising the steps of:
respectively constructing an encrypted application isolation belt for each application; the application isolation belt is used for blocking data access among the applications;
when the first application requests to access a second application and/or application data of the second application are monitored, respectively acquiring a first access right and a second access right which are preset corresponding to the first application and the second application;
judging whether the first application has access authorization to the second application and/or the application data according to the first access authority and the second access authority;
and if the access authorization exists, controlling the application isolation belt corresponding to the second application to directionally unlock the first application.
Optionally, the step of constructing the encrypted application isolation bands for the respective applications further includes:
creating a feature set corresponding to the application isolation belt; the feature set comprises an application identity, an application process number, a process array and access rights, and the access rights consist of an external access right list and an internal access right list.
Optionally, the step of constructing the encrypted application isolation belt for each application specifically includes:
respectively constructing application isolation belts taking the application identity identifiers of all applications as indexes;
and performing access locking on the application isolation belt according to a preset security locking algorithm.
Optionally, when the step of monitoring that the first application requests to access the second application and/or the application data of the second application, the step of respectively obtaining the first access right and the second access right preset by the first application and the second application specifically includes:
determining whether a target behavior of the first application requesting access to the second application exists according to real-time dynamic monitoring of the full life cycle behaviors of the applications;
and if the target behavior exists, respectively acquiring a first access right and a second access right preset by the first application and the second application.
Optionally, if the target behavior exists, the step of respectively obtaining the first access right and the second access right preset by the first application and the second application specifically includes:
and if the target behavior exists, acquiring an external access authority list of the first application and an internal access authority list of the second application.
Optionally, the step of determining whether the first application has access authorization to the second application and/or the application data according to the first access right and the second access right specifically includes:
judging whether the second application is recorded in the external access authority list of the first application;
if the second application is recorded, judging whether the first application is recorded in the in-pair access authority list of the second application;
if the first application is recorded, determining that the first application has access authorization to the second application and/or the application data.
Optionally, if the access authorization exists, the step of controlling the application isolation belt corresponding to the second application to directionally unlock the first application specifically includes:
And if the first application has the access authorization, establishing a data channel which is directionally opened to the first application on the application isolation belt corresponding to the second application.
The system for applying the safety protection is also provided, and comprises:
the isolation belt construction unit is used for constructing an encrypted application isolation belt for each application respectively; the application isolation belt is used for blocking data access among the applications;
the monitoring and acquiring unit is used for respectively acquiring a first access right and a second access right which are preset corresponding to the first application and the second application when the first application requests to access the second application and/or application data of the second application;
an authorization judging unit, configured to judge whether the first application has access authorization to the second application and/or the application data according to the first access right and the second access right;
and the unlocking unit is used for controlling the application isolation belt corresponding to the second application to directionally unlock the first application if the access authorization exists.
In addition, a storage medium and a computer device are provided, the storage medium is used for storing a computer program for executing the method for applying security protection.
The computer device comprises a storage medium, a processor and a computer program stored on the storage medium and capable of running on the processor, wherein the processor realizes the method for applying the security protection when executing the computer program.
According to the application safety protection method and system, the corresponding application isolation bands are respectively constructed for all the applications on the intelligent terminal and are used for encryption protection, and the application isolation bands are used for blocking data access among all the applications; when the first application request to access the second application and/or application data of the second application are monitored, respectively acquiring preset access rights of the first application and the second application; further, judging whether the first application has access authorization to the second application and/or the application data according to the access authority; if the access authorization exists, controlling an application isolation belt corresponding to the second application to directionally unlock the first application; otherwise, blocking the access request from the first application by the application isolation belt. Therefore, the invention can timely control the access authority and the data reading among all applications, and greatly improves the safety of using the intelligent terminal by the user.
Drawings
FIG. 1 is a flowchart illustrating steps of a method for applying security protection according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating steps of a method for applying security protection according to another embodiment of the present invention;
FIG. 3 is a flowchart illustrating optional steps for constructing an application isolation belt according to an embodiment of the method for applying security protection of the present invention;
FIG. 4 is a flowchart illustrating optional steps for monitoring applications and obtaining access rights according to an embodiment of the method for securing applications of the present invention;
FIG. 5 is a schematic block diagram of a system for applying security protection according to an embodiment of the present invention;
fig. 6 is a schematic block diagram of a system for applying security protection according to another embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
It should be noted that references in the specification to "one embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Furthermore, such phrases are not intended to refer to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
Furthermore, certain terms are used throughout the specification and the claims that follow to refer to particular components or parts, and it will be understood by those of ordinary skill in the art that manufacturers may refer to a component or part by different terms or terminology. The present specification and the following claims do not take the form of an element or component with the difference in name, but rather take the form of an element or component with the difference in function as a criterion for distinguishing. In the following description and in the claims, the terms "include" and "comprise" are used in an open-ended fashion, and thus should be interpreted to mean "include, but not limited to. The term "coupled," as used herein, includes any direct or indirect electrical connection. Indirect electrical connection means include connection via other devices.
Fig. 1 illustrates a method for applying security protection according to an embodiment of the present invention, where the method is applied to a smart terminal, and the smart terminal includes, but is not limited to, a smart phone, a smart watch, a tablet computer, a personal computer, or other devices; the method comprises the following steps:
s101: respectively constructing an encrypted application isolation belt for each application; the application isolation belt is used for blocking data access among various applications. Specifically, in this embodiment, an application isolation belt corresponding to each application in the intelligent terminal is previously constructed, and the application isolation belt functions similar to a water-horse safety isolation belt, so that the connection between each application in the intelligent terminal is blocked, and any data access and reading between each application are limited.
Optionally, step S101 further includes: creating a feature set corresponding to the application isolation belt; the feature set comprises an application identity, an application process number, a process array and access rights, and the access rights consist of an external access right list and an internal access right list. Each application isolation belt corresponds to a specific feature set, the application isolation belt determines the isolated applications and processes thereof and other information according to the feature set, and determines which applications can access the applications and application data thereof in the application isolation belt according to the access rights.
S102: when the first application requests to access the second application and/or application data of the second application are monitored, respectively acquiring a first access right and a second access right which are preset corresponding to the first application and the second application. The access authority corresponding to each application is preconfigured for each application, and the configuration can be carried out by a user or according to a preset configuration rule; the access rights include rights to access other applications and the applications themselves to grant access to the interior. In implementation, if the first application requests to access the second application and/or the first application requests to access application data of the second application (the application data comprises data information generated by the second application networking and cache data running in the background, and the like) are monitored, respectively calling the first access right from the feature set of the first application and the second access right from the feature set of the second application.
S103: and judging whether the first application has access authorization to the second application and/or application data according to the first access authority and the second access authority. Specifically, whether the first application is allowed to request access to the second application is determined according to the first access authority, whether the second application is allowed to receive the access from the first application is determined according to the second access authority, and only the bidirectional authority determined by the first access authority and the second access authority allows the first application to access the second application and/or the application data of the second application.
S104: and if the access authorization exists, controlling the application isolation belt corresponding to the second application to directionally unlock the first application. The directional unlocking means that the application isolation belt of the second application is opened to the designated application (such as the first application), so that the designated application can access the second application and/or the application data of the second application. After determining that the first application has access authorization for accessing the second application and/or application data of the second application, the system controls an application isolation belt corresponding to the second application to directionally unlock the first application; if the first application is endowed with the temporary password and the long-term password for unlocking the application isolation belt of the second application, the first application can unlock the application isolation belt according to the obtained temporary password and the obtained long-term password, and therefore the second application and/or application data of the second application can be accessed.
Optionally, step S104 specifically includes: and if the first application has the access authorization, establishing a data channel which is directionally opened to the first application on the application isolation belt corresponding to the second application. I.e. the first application and the second application are communicated through the data channel, so that the first application accesses the application data of the second application and/or the second application through the data channel.
According to the invention, the application isolation belts are constructed for the applications in advance, the applications are isolated by the application isolation belts, and only when one or both sides have access authorization from the access rights of both sides, the corresponding applications are allowed to be accessed by the sides. Therefore, the invention realizes the safety control of the application dynamic interview and improves the data safety of the terminal.
Fig. 2 shows a method for applying security protection according to another embodiment of the present invention, which further includes, after the step S103, in combination with the above embodiment:
s105: and if the first application does not have the access authorization, generating an instruction bullet frame for the first application to request access. Specifically, an access request of a first application to a second application is displayed on the instruction bullet frame, and simultaneously a first virtual key and a second virtual key are displayed on the instruction bullet frame, wherein the first virtual key is used for triggering and generating a first instruction, and the second virtual key is used for triggering and generating a second instruction.
S106: and responding to a first instruction triggered by a user on an instruction bullet frame, controlling an application isolation belt corresponding to the second application to directionally unlock a first application, and updating a first access right of the first application and a second access right of the second application so as to enable the first application to obtain the access authorization. I.e. the first instruction is application data allowing the first application to access the second application and/or the second application; in the implementation, a user selects a corresponding virtual key on an instruction popup frame of a display interface of the intelligent terminal to trigger generation of a first instruction, and after the first instruction is received, the system controls an application isolation belt of a second application to directionally unlock the first application, namely directionally open the first application to access. And updating the first access right and the second access right corresponding to the first application and the second application, so that the first application can still obtain the access authorization for accessing the second application at the follow-up time according to the updated first access right and second access right.
Optionally, after step S105, the method further includes:
s107: and responding to a second instruction triggered by the user on the instruction popup box, prohibiting the access request of the first application, and generating an alarm prompt when the unlocking behavior of the first application is monitored to reach a preset condition. The second instruction is to reject the first application to access the second application and/or application data of the second application; in the implementation, a user selects a corresponding virtual key on an instruction popup frame of a display interface of the intelligent terminal to trigger generation of a second instruction, and after the second instruction is received, an access request sent by a first application to a second application is not processed or intercepted. Monitoring whether the first application continuously tries to unlock an application isolation belt of the second application; for example, when the number of times that the first application continues to attempt to unlock the application isolation belt of the second application exceeds a preset number of times threshold, an alarm prompt for prompting that the first application is a Trojan application or a virus is generated.
Optionally, after step S107, the method further includes: and carrying out AI intelligent analysis on the unlocking behaviors to update a security lock algorithm of the application isolation belt. In the specific implementation, after the first application fails to attempt to access the second application by the access request, the unlocking behavior of the second application is obtained, wherein the unlocking behavior comprises the behavior of performing violent cracking on an application isolation belt of the second application (the collected information of the unlocking behavior at least comprises an application name, an installation source, an unlocking object package name, unlocking time, unlocking times and the like); because the first application tries to unlock and access the second application for many times, in order to avoid the first application from cracking the security lock algorithm on the application isolation belt through cloud violence, the embodiment reports the collected unlocking behavior of the first application to a designated cloud algorithm center, and the cloud algorithm center returns a new security lock algorithm to the intelligent terminal through AI intelligent calculation, and the application isolation belt of each application is reconstructed based on the new security lock algorithm.
Referring to fig. 3, in an alternative implementation of any of the above embodiments, step S101 specifically includes:
s1011: and respectively constructing application isolation belts with application identity marks of all the applications as indexes.
S1012: and performing access locking on the application isolation belt according to a preset security locking algorithm.
The application identity is an application package name; when the system of the intelligent terminal is started, an application isolation belt corresponding to each application is built by taking the application package name as an index, and the application isolation belt is locked based on a preset security locking algorithm, so that other applications cannot access the application in the application isolation belt under the condition that the application isolation belt cannot be unlocked. The security lock algorithm is an algorithm for encrypting the application isolation belt, and only a correct security lock password is obtained, the application isolation belt can be unlocked and the application isolated by the application isolation belt can be accessed.
Referring to fig. 4, in an alternative implementation of any of the foregoing embodiments, step S102 specifically includes:
s1021: and determining whether target behaviors of the first application requesting access to the second application exist according to the real-time dynamic monitoring of the full life cycle behaviors of the applications.
S1022: and if the target behavior exists, respectively acquiring a first access right and a second access right preset by the first application and the second application.
The full life cycle of the application is the whole period from the installation of the application to the unloading of the application from the intelligent terminal, and the full life cycle behavior of the application is the application behavior after the application is installed on the intelligent terminal; specifically, in this embodiment, the behavior of the full life cycle of all applications is dynamically monitored in real time, and when it is determined from the monitored behavior to the application that a certain application requests access to other applications, the first access right and the second access right corresponding to the first application and the second application are obtained from the corresponding feature set by using the application package name as an index. The target behavior of this embodiment includes a behavior that the first application requests access to the second application and a behavior that the first application requests access to application data of the second application.
In one embodiment, step S1022 specifically includes: and if the target behavior exists, acquiring an external access authority list of the first application and an internal access authority list of the second application. The access rights of each application in the embodiment comprise an external access rights list EAPL (External access permission list, including a system and an application) and an internal access rights list IAPL (Internal access permission list, including a system and an application); other applications which can be accessed externally are recorded on the external access authority list, and other applications which can be accessed by the user are recorded on the internal access authority list. And if the first application requests access to the second application, respectively acquiring an external access authority list of the first application and an internal access authority list of the second application.
Optionally, step S103 specifically includes: judging whether a second application is recorded in an external access authority list of the first application; if the second application is recorded, judging whether the first application is recorded in an in-pair access authority list of the second application; if the first application is noted, it is determined that the first application has access authorization to the second application and/or the application data. For example, if the first application is x and the second application is y, when the application x is about to access the application y and/or the data of the application y, the external access authority list EAPL of the application x is obtained x Intra-pair access rights list IAPL for application y y The method comprises the steps of carrying out a first treatment on the surface of the If EAPL is x Contains application y and IAPL y Containing application x, application x will be allowed to access the y application and/or the data of the y application; if EAPL is x Does not contain application y or IAPL y If the application x is not contained, the application x is not allowed to access the data of the application y and/or the application y, and a popup reminding window informs the user that the application x is currently accessing the data of the application y and/or the application y, and the user selects whether to allow or reject the access. If the user selects to allow, EAPL will be updated simultaneously x And IAPL y To allow application x to access application y and/or application y's data.
In one embodiment, step S104 specifically includes: and if the first application has the access authorization, establishing a data channel which is directionally opened to the first application on the application isolation belt corresponding to the second application.
Fig. 5 illustrates a system 100 for applying security protection according to an embodiment of the present invention, where the system is applied to a smart terminal, and the smart terminal includes a smart phone, a smart watch, a tablet computer, a personal computer, or other devices; the system 100 includes a median constructing unit 10, a monitoring and acquiring unit 20, an authorization judging unit 30, and an unlocking unit 40, wherein:
The isolation belt construction unit 10 is used for constructing encrypted application isolation belts for respective applications; the application isolation belt is used for blocking data access among the applications; the monitoring and acquiring unit 20 is configured to acquire a first access right and a second access right corresponding to a first application and a second application, when it is monitored that the first application requests access to the second application and/or application data of the second application; the authorization determining unit 30 is configured to determine whether the first application has access authorization to the second application and/or the application data according to the first access right and the second access right; the unlocking unit 40 is configured to control the application isolation belt corresponding to the second application to directionally unlock the first application if the access authorization is provided.
Fig. 6 shows a system 200 for applying security protection according to another embodiment of the present invention, which further includes a frame unit 50 and a first response unit 60, where:
the frame unit 50 is configured to generate an instruction frame that the first application requests access if the first application does not have the access authorization; the first response unit 60 is configured to control, in response to a first instruction triggered by a user on the instruction box, the application isolation strap corresponding to the second application to directionally unlock the first application, and update the first access right of the first application and the second access right of the second application so that the first application obtains the access authorization.
Optionally, a second response unit 70 is further included, and is configured to respond to a second instruction triggered by the user on the instruction box, prohibit the access request of the first application, and generate an alarm prompt when it is monitored that the unlocking behavior of the first application reaches a preset condition.
In an embodiment, the system further includes an updating unit, configured to update the security locking algorithm of the application isolation belt by performing AI intelligent analysis on the unlocking behavior.
Optionally, the system further comprises a creating unit, which is used for creating the feature set corresponding to the application isolation belt; the feature set comprises an application identity, an application process number, a process array and access rights, and the access rights consist of an external access right list and an internal access right list.
In an alternative embodiment, the isolation belt construction unit 10 specifically includes a construction subunit and a locking subunit, wherein:
the construction subunit is used for respectively constructing application isolation belts taking application identity identifiers of all applications as indexes; and the locking subunit is used for carrying out access locking on the application isolation belt according to a preset security locking algorithm.
In an alternative embodiment, the monitoring and acquiring unit 20 specifically includes a monitoring subunit and an acquiring subunit, where:
The monitoring subunit is used for determining whether a target behavior of the first application requesting access to the second application exists or not according to real-time dynamic monitoring of the full life cycle behaviors of each application; the obtaining subunit is configured to obtain, if the target behavior exists, a first access right and a second access right preset by the first application and the second application, respectively.
Optionally, the acquiring subunit is specifically configured to: and if the target behavior exists, acquiring an external access authority list of the first application and an internal access authority list of the second application.
In an alternative embodiment, the authorization determining unit 30 specifically includes a first determining subunit, a second determining subunit, and a determining subunit, where:
the first judging subunit is used for judging whether the external access authority list of the first application records a second application or not; the second judging subunit is configured to judge whether a first application is recorded in the in-pair access permission list of the second application if the second application is recorded; and the determining subunit is used for determining that the first application has access authorization to the second application and/or application data if the first application is recorded.
Optionally, the unlocking unit 40 is specifically configured to: and if the first application has the access authorization, establishing a data channel which is directionally opened to the first application on the application isolation belt corresponding to the second application.
The present invention also provides a storage medium for storing a computer program for a method of applying security protection as described in fig. 1-4. Such as computer program instructions, which, when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application. Program instructions for invoking the methods of the present application may be stored in fixed or removable storage media and/or transmitted via a data stream in a broadcast or other signal bearing medium and/or stored within a storage medium of a computer device operating according to the program instructions. Here, an embodiment according to the present application includes a computer device of a system for applying security protection as shown in fig. 5 or fig. 6, preferably including a storage medium for storing a computer program and a processor for executing the computer program, wherein the computer program, when executed by the processor, triggers the computer device to perform a method and/or a technical solution based on the foregoing embodiments.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, using Application Specific Integrated Circuits (ASIC), a general purpose computer or any other similar hardware device. In one embodiment, the software program of the present application may be executed by a processor to implement the above steps or functions. Likewise, the software programs of the present application (including associated data structures) may be stored on a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. In addition, some steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
The method according to the invention may be implemented as a computer implemented method on a computer, or in dedicated hardware, or in a combination of both. Executable code or parts thereof for the method according to the invention may be stored on a computer program product. Examples of computer program products include memory devices, optical storage devices, integrated circuits, servers, online software, and the like. Preferably, the computer program product comprises non-transitory program code means stored on a computer readable medium for performing the method according to the invention when said program product is executed on a computer.
In a preferred embodiment the computer program comprises computer program code means adapted to perform all the steps of the method according to the invention when the computer program is run on a computer. Preferably, the computer program is embodied on a computer readable medium.
In summary, according to the method and the system for application security protection provided by the invention, corresponding application isolation belts are respectively constructed for each application on the intelligent terminal and are used for encryption protection, and the application isolation belts are used for blocking data access among each application; when the first application request to access the second application and/or application data of the second application are monitored, respectively acquiring preset access rights of the first application and the second application; further, judging whether the first application has access authorization to the second application and/or the application data according to the access authority; if the access authorization exists, controlling an application isolation belt corresponding to the second application to directionally unlock the first application; otherwise, blocking the access request from the first application by the application isolation belt. Therefore, the invention can timely control the access authority and the data reading among all applications, and greatly improves the safety of using the intelligent terminal by the user.
Of course, the present invention is capable of other various embodiments and its several details are capable of modification and variation in light of the present invention, as will be apparent to those skilled in the art, without departing from the spirit and scope of the invention as defined in the appended claims.
The invention also provides A1, a method for applying safety protection, comprising the following steps:
respectively constructing an encrypted application isolation belt for each application; the application isolation belt is used for blocking data access among the applications;
when the first application requests to access a second application and/or application data of the second application are monitored, respectively acquiring a first access right and a second access right which are preset corresponding to the first application and the second application;
judging whether the first application has access authorization to the second application and/or the application data according to the first access authority and the second access authority;
and if the access authorization exists, controlling the application isolation belt corresponding to the second application to directionally unlock the first application.
A2, the method for protecting application safety according to A1, wherein the step of constructing encrypted application isolation bands for each application respectively further comprises:
Creating a feature set corresponding to the application isolation belt; the feature set comprises an application identity, an application process number, a process array and access rights, and the access rights consist of an external access right list and an internal access right list.
A3, the method for protecting application safety according to A2, wherein the step of constructing the encrypted application isolation belt for each application comprises the following steps:
respectively constructing application isolation belts taking the application identity identifiers of all applications as indexes;
and performing access locking on the application isolation belt according to a preset security locking algorithm.
A4, according to the application security protection method of A2, when the first application requests to access the second application and/or the application data of the second application is monitored, the step of respectively obtaining the first access right and the second access right preset by the first application and the second application specifically comprises the following steps:
determining whether a target behavior of the first application requesting access to the second application exists according to real-time dynamic monitoring of the full life cycle behaviors of the applications;
and if the target behavior exists, respectively acquiring a first access right and a second access right preset by the first application and the second application.
A5, according to the method for protecting application security of A4, the step of respectively acquiring the first access right and the second access right preset by the first application and the second application if the target behavior exists specifically includes:
and if the target behavior exists, acquiring an external access authority list of the first application and an internal access authority list of the second application.
A6, according to the method of application security protection of A5, the step of judging whether the first application has access authorization to the second application and/or the application data according to the first access right and the second access right specifically includes:
judging whether the second application is recorded in the external access authority list of the first application;
if the second application is recorded, judging whether the first application is recorded in the in-pair access authority list of the second application;
if the first application is recorded, determining that the first application has access authorization to the second application and/or the application data.
A7, according to the method for protecting application security of A1, the step of controlling the application isolation belt corresponding to the second application to directionally unlock the first application if the access authorization exists specifically includes:
And if the first application has the access authorization, establishing a data channel which is directionally opened to the first application on the application isolation belt corresponding to the second application.
A8, after the step of determining whether the first application has access authorization to the second application and/or the application data according to the first access right and the second access right, the method of application security protection according to A1 further includes:
if the first application does not have the access authorization, generating an instruction bullet frame for the first application to request access;
and responding to a first instruction triggered by a user on the instruction popup box, controlling the application isolation belt corresponding to the second application to directionally unlock the first application, and updating the first access right of the first application and the second access right of the second application so as to enable the first application to obtain the access authorization.
A9, after the step of generating the instruction box that the first application requests to access if the first application does not have the access authorization, the method for protecting application security according to A8 further includes:
and responding to a second instruction triggered by the user on the instruction popup box, prohibiting the access request of the first application, and generating an alarm prompt when the unlocking behavior of the first application is monitored to reach a preset condition.
A10, according to the method for protecting application security of A9, the step of responding to a second instruction triggered by the user on the instruction frame, prohibiting the access request of the first application, and generating an alarm prompt when the unlocking behavior of the first application is monitored to reach a preset condition, further comprises:
and carrying out AI intelligent analysis on the unlocking behaviors to update the security locking algorithm of the application isolation belt.
Also provided is B11, a system for applying security protection, comprising:
the isolation belt construction unit is used for constructing an encrypted application isolation belt for each application respectively; the application isolation belt is used for blocking data access among the applications;
the monitoring and acquiring unit is used for respectively acquiring a first access right and a second access right which are preset corresponding to the first application and the second application when the first application requests to access the second application and/or application data of the second application;
an authorization judging unit, configured to judge whether the first application has access authorization to the second application and/or the application data according to the first access right and the second access right;
And the unlocking unit is used for controlling the application isolation belt corresponding to the second application to directionally unlock the first application if the access authorization exists.
B12, the system for applying security protection according to B11, further comprising:
the creating unit is used for creating a feature set corresponding to the application isolation belt; the feature set comprises an application identity, an application process number, a process array and access rights, and the access rights consist of an external access right list and an internal access right list.
B13, the system for applying safety protection according to B12, wherein the isolation belt construction unit specifically comprises:
a construction subunit, configured to separately construct application isolation bands with the application identities of the applications as indexes;
and the locking subunit is used for carrying out access locking on the application isolation belt according to a preset security locking algorithm.
B14, the system for applying security protection according to B12, wherein the monitoring and obtaining unit specifically includes:
the monitoring subunit is used for determining whether a target behavior of the first application requesting access to the second application exists or not according to real-time dynamic monitoring of the full life cycle behaviors of the applications;
And the obtaining subunit is used for respectively obtaining the first access right and the second access right preset by the first application and the second application if the target behavior exists.
B15, the system for applying security protection according to B14, wherein the obtaining subunit is specifically configured to:
and if the target behavior exists, acquiring an external access authority list of the first application and an internal access authority list of the second application.
B16, the system for applying security protection according to B15, where the authorization determination unit specifically includes:
a first judging subunit, configured to judge whether the second application is recorded in the external access permission list of the first application;
a second judging subunit, configured to judge whether the first application is recorded in the in-pair access permission list of the second application if the second application is recorded;
and the determining subunit is used for determining that the first application has access authorization to the second application and/or the application data if the first application is recorded.
B17, the system for applying security protection according to B11, wherein the unlocking unit is specifically configured to:
and if the first application has the access authorization, establishing a data channel which is directionally opened to the first application on the application isolation belt corresponding to the second application.
B18, the system for applying security protection according to B11, further comprising:
the bullet frame unit is used for generating an instruction bullet frame for the first application to request access if the first application does not have the access authorization;
the first response unit is used for responding to a first instruction triggered by a user on the instruction elastic frame, controlling the application isolation belt corresponding to the second application to directionally unlock the first application, and updating the first access right of the first application and the second access right of the second application so that the first application obtains the access right.
B19, the system for applying security protection according to B18, further comprising:
and the second response unit is used for responding to a second instruction triggered by the user on the instruction bullet frame, prohibiting the access request of the first application, and generating an alarm prompt when the unlocking behavior of the first application is monitored to reach a preset condition.
B20, the system for applying security protection according to B19, further comprising:
and the updating unit is used for updating the security locking algorithm of the application isolation belt by carrying out AI intelligent analysis on the unlocking behavior.
There is also provided C21, a storage medium storing a computer program for executing the method of applying security protection of any one of A1 to a 10.
Also provided is a D22, a computer device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, the processor implementing the method of applying security protection of any one of A1 to a10 when executing the computer program.
Claims (10)
1. A method of applying security protection, comprising the steps of:
respectively constructing an encrypted application isolation belt for each application; the application isolation belt is used for blocking data access among the applications;
when the first application requests to access a second application and/or application data of the second application are monitored, respectively acquiring a first access right and a second access right which are preset corresponding to the first application and the second application;
judging whether the first application has access authorization to the second application and/or the application data according to the first access authority and the second access authority;
and if the access authorization exists, controlling the application isolation belt corresponding to the second application to directionally unlock the first application.
2. The method of claim 1, wherein the step of constructing encrypted application isolation bands for respective applications further comprises:
Creating a feature set corresponding to the application isolation belt; the feature set comprises an application identity, an application process number, a process array and access rights, and the access rights consist of an external access right list and an internal access right list.
3. The method for protecting application security according to claim 2, wherein the step of constructing encrypted application isolation bands for each application respectively specifically comprises:
respectively constructing application isolation belts taking the application identity identifiers of all applications as indexes;
and performing access locking on the application isolation belt according to a preset security locking algorithm.
4. The method for protecting application security according to claim 2, wherein the step of acquiring the first access right and the second access right preset by the first application and the second application when the first application requests to access the second application and/or application data of the second application is monitored specifically comprises:
determining whether a target behavior of the first application requesting access to the second application exists according to real-time dynamic monitoring of the full life cycle behaviors of the applications;
and if the target behavior exists, respectively acquiring a first access right and a second access right preset by the first application and the second application.
5. The method for protecting application security according to claim 4, wherein the step of acquiring the first access right and the second access right preset by the first application and the second application if the target behavior exists specifically comprises:
and if the target behavior exists, acquiring an external access authority list of the first application and an internal access authority list of the second application.
6. The method for protecting application security according to claim 5, wherein the step of determining whether the first application has access authorization to the second application and/or the application data according to the first access right and the second access right specifically comprises:
judging whether the second application is recorded in the external access authority list of the first application;
if the second application is recorded, judging whether the first application is recorded in the in-pair access authority list of the second application;
if the first application is recorded, determining that the first application has access authorization to the second application and/or the application data.
7. The method for protecting application security according to claim 1, wherein the step of controlling the application isolation belt corresponding to the second application to directionally unlock the first application if the access authorization is provided specifically comprises:
And if the first application has the access authorization, establishing a data channel which is directionally opened to the first application on the application isolation belt corresponding to the second application.
8. A system for applying security protection, comprising:
the isolation belt construction unit is used for constructing an encrypted application isolation belt for each application respectively; the application isolation belt is used for blocking data access among the applications;
the monitoring and acquiring unit is used for respectively acquiring a first access right and a second access right which are preset corresponding to the first application and the second application when the first application requests to access the second application and/or application data of the second application;
an authorization judging unit, configured to judge whether the first application has access authorization to the second application and/or the application data according to the first access right and the second access right;
and the unlocking unit is used for controlling the application isolation belt corresponding to the second application to directionally unlock the first application if the access authorization exists.
9. A storage medium storing a computer program for executing the method of applying security protection of any one of claims 1 to 7.
10. A computer device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, characterized in that the processor implements the method of applying security protection according to any of claims 1-7 when executing the computer program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210051144.4A CN116484361A (en) | 2022-01-17 | 2022-01-17 | Method, system, storage medium and computer equipment for applying security protection |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210051144.4A CN116484361A (en) | 2022-01-17 | 2022-01-17 | Method, system, storage medium and computer equipment for applying security protection |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116484361A true CN116484361A (en) | 2023-07-25 |
Family
ID=87210685
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210051144.4A Pending CN116484361A (en) | 2022-01-17 | 2022-01-17 | Method, system, storage medium and computer equipment for applying security protection |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116484361A (en) |
-
2022
- 2022-01-17 CN CN202210051144.4A patent/CN116484361A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| RU2620998C2 (en) | Method and authentication device for unlocking administrative rights | |
| EP2731040B1 (en) | Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method | |
| US10567438B2 (en) | Providing privileged access to non-privileged accounts | |
| Emerson et al. | An OAuth based authentication mechanism for IoT networks | |
| CN109767534B (en) | Access control access method, system, management terminal and access control terminal based on block chain | |
| US9148433B2 (en) | Retrospective policy safety net | |
| US9848001B2 (en) | Secure access to mobile applications | |
| KR20070114725A (en) | A multi-layer system for privacy enforcement and monitoring of suspicious data access behavior | |
| CN101213561B (en) | Method for protecting confidential file of security countermeasure application and confidential file protection device | |
| Bailey et al. | Self-adaptive authorization framework for policy based RBAC/ABAC models | |
| US20150341362A1 (en) | Method and system for selectively permitting non-secure application to communicate with secure application | |
| US11611587B2 (en) | Systems and methods for data privacy and security | |
| CN108959943B (en) | Method, device, apparatus, storage medium and corresponding vehicle for managing an encryption key | |
| US10320775B2 (en) | Eliminating abuse caused by password reuse in different systems | |
| CN114611124A (en) | Method and device for preventing data leakage | |
| KR101951367B1 (en) | A cctv access authorization system using user recognition device | |
| CN101324913B (en) | Method and apparatus for protecting computer file | |
| RU2311676C2 (en) | Method for providing access to objects of corporate network | |
| CN116484361A (en) | Method, system, storage medium and computer equipment for applying security protection | |
| CN106845264A (en) | Using encryption method, device and application access method, device | |
| CN108664805A (en) | A kind of application security method of calibration and system | |
| KR930004434B1 (en) | Data accessing method | |
| KR101955449B1 (en) | Method and system for protecting personal information infingement using division of authentication process and biometrics authentication | |
| GB2580709A (en) | Task engine | |
| CN113839922B (en) | Information safety protection system and method for video monitoring system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication |