WO2020132876A1 - Operation detection method and system, and electronic device - Google Patents


Info

Publication number
WO2020132876A1
Authority
WO
WIPO (PCT)
Prior art keywords
execution
execution subject
permission set
subject
preset
Application number
PCT/CN2018/123534
Other languages
French (fr)
Chinese (zh)
Inventor
徐贵斌
Original Assignee
奇安信安全技术(珠海)有限公司
奇安信科技集团股份有限公司
Application filed by 奇安信安全技术(珠海)有限公司 and 奇安信科技集团股份有限公司. Priority to PCT/CN2018/123534; published as WO2020132876A1.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates

Definitions

  • The present disclosure belongs to the field of network security and specifically relates to an operation detection method, system and electronic device.
  • One aspect of the present disclosure provides an operation detection method comprising: S1, before a specific operation is performed, obtaining the execution subject that is to perform it; S2, judging from a first permission set whether the execution subject has permission to perform the specific operation and, if not, executing S3; S3, obtaining the operating state of the execution subject and obtaining the corresponding second permission set according to that operating state; S4, judging from the second permission set whether the execution subject has permission to perform the specific operation, executing S5 if so and processing the execution subject if not; S5, obtaining the task that includes the specific operation, the task corresponding to an operation flow that performs at least one operation; S6, judging whether the operation flow satisfies the preset operation flow, executing S7 if so and processing the execution subject if not; S7, obtaining the instruction execution sequence corresponding to at least one operation in the task; S8, judging whether the instruction execution sequence matches the preset instruction execution sequence and, if not, processing the execution subject.
  • In step S6, judging whether the operation flow satisfies the preset operation flow comprises: obtaining the at least one operation corresponding to the operation flow; and judging whether each of those operations is consistent with the corresponding operation in the preset operation flow.
  • Judging whether each operation is consistent with the corresponding operation in the preset operation flow comprises judging whether the execution subject of each operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
  • Before step S1 the method further comprises S0: creating the first permission set, which includes the operation permissions of at least one execution subject in any operating state.
  • The method further comprises S0': creating at least one second permission set, where each second permission set corresponds to one operating state of an execution subject and includes the operation permissions of that execution subject in that operating state.
  • The at least one second permission set is stored at a remote end, and in step S3 acquiring the corresponding second permission set according to the operating state of the execution subject comprises: sending a request to the remote end that includes the execution subject information and its operating state; and obtaining the second permission set returned by the remote end in response to the request.
  • In step S3, acquiring the operating state of the execution subject comprises at least determining the operating state according to the calling mode of the execution subject: when the execution subject is called directly by the user, its operating state is determined to be the first operating state, and when it is called by another execution subject, its operating state is determined to be the second operating state.
  • In step S8, judging whether the instruction execution sequence matches the preset instruction execution sequence comprises: obtaining the function call information in the instruction execution sequence, the function call information including the number of function calls and/or the function call order; and judging whether the function call information in the instruction execution sequence matches that in the preset instruction execution sequence.
  • In step S7, acquiring the instruction execution sequence corresponding to at least one operation in the task comprises acquiring that instruction execution sequence from the stack memory.
  • An operation detection system comprising: a first acquisition module for acquiring, before a specific operation is performed, the execution subject that is to perform it; a first judgement module for judging from a first permission set whether the execution subject has permission to perform the specific operation and, if not, invoking the second acquisition module; the second acquisition module for acquiring the operating state of the execution subject and acquiring the corresponding second permission set according to that operating state; a second judgement module for judging from the second permission set whether the execution subject has permission to perform the specific operation, invoking the third acquisition module if so and processing the execution subject if not; the third acquisition module for acquiring the task that includes the specific operation, the task corresponding to an operation flow that performs at least one operation; a third judgement module for judging whether the operation flow satisfies the preset operation flow, invoking the fourth acquisition module if so and processing the execution subject if not; the fourth acquisition module is used to acquire
  • Judging whether the operation flow satisfies the preset operation flow comprises: acquiring the at least one operation corresponding to the operation flow; and judging whether each of those operations is consistent with the corresponding operation in the preset operation flow.
  • The third judgement module judging whether each operation is consistent with the corresponding operation in the preset operation flow comprises judging whether the execution subject of each operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
  • The operation detection system further comprises a first creation module configured to create the first permission set, which includes the operation permissions of at least one execution subject in any operating state.
  • The operation detection system further comprises a second creation module for creating at least one second permission set, where each second permission set corresponds to one operating state of an execution subject and includes the operation permissions of that execution subject in that operating state.
  • The at least one second permission set is stored at a remote end, and the second acquisition module acquiring the corresponding second permission set according to the operating state of the execution subject comprises: sending a request to the remote end that includes the execution subject information and its operating state; and obtaining the second permission set returned by the remote end in response to the request.
  • The second acquisition module acquiring the operating state of the execution subject comprises at least determining the operating state according to the calling mode of the execution subject: when the execution subject is called directly by the user, its operating state is determined to be the first operating state, and when it is called by another execution subject, its operating state is determined to be the second operating state.
  • The fourth judgement module judging whether the instruction execution sequence matches the preset instruction execution sequence comprises: obtaining the function call information in the instruction execution sequence, the function call information including the number of function calls and/or the function call order; and judging whether the function call information in the instruction execution sequence matches that in the preset instruction execution sequence.
  • The fourth acquisition module acquiring the instruction execution sequence corresponding to at least one operation in the task comprises acquiring that instruction execution sequence from the stack memory.
  • An electronic device comprising a processor and a memory storing computer-executable instructions which, when executed by the processor, cause the processor to execute: S1, before a specific operation is performed, obtaining the execution subject that is to perform it; S2, judging from a first permission set whether the execution subject has permission to perform the specific operation and, if not, executing S3; S3, obtaining the operating state of the execution subject and obtaining the corresponding second permission set according to that operating state; S4, judging from the second permission set whether the execution subject has permission to perform the specific operation, executing S5 if so and processing the execution subject if not; S5, obtaining the task that includes the specific operation, the task corresponding to an operation flow that performs at least one operation; S6, judging whether the operation flow satisfies the preset operation flow, executing S7 if so and processing the execution subject if not; S7, obtaining the instruction execution sequence corresponding to at least one operation in the task;
  • Judging whether the operation flow satisfies the preset operation flow comprises: acquiring the at least one operation corresponding to the operation flow; and judging whether each of those operations is consistent with the corresponding operation in the preset operation flow.
  • The processor judging whether each operation is consistent with the corresponding operation in the preset operation flow comprises judging whether the execution subject of each operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
  • Before executing step S1, the processor further executes S0: creating the first permission set, which includes the operation permissions of at least one execution subject in any operating state.
  • Before executing step S1, the processor further executes S0': creating at least one second permission set, where each second permission set corresponds to one operating state of an execution subject and includes the operation permissions of that execution subject in that operating state.
  • The at least one second permission set is stored at a remote end, and when the processor executes step S3, acquiring the corresponding second permission set according to the operating state of the execution subject comprises: sending a request to the remote end that includes the execution subject information and its operating state; and obtaining the second permission set returned by the remote end in response to the request.
  • Acquiring the operating state of the execution subject comprises at least determining the operating state according to the calling mode of the execution subject: when the execution subject is called directly by the user, its operating state is determined to be the first operating state, and when it is called by another execution subject, its operating state is determined to be the second operating state.
  • The processor judging whether the instruction execution sequence matches the preset instruction execution sequence comprises: acquiring the function call information in the instruction execution sequence, the function call information including the number of function calls and/or the function call order; and judging whether the function call information in the instruction execution sequence matches that in the preset instruction execution sequence.
  • Acquiring the instruction execution sequence corresponding to at least one operation in the task comprises acquiring that instruction execution sequence from the stack memory.
  • Another aspect of the present disclosure provides a computer-readable medium storing computer-executable instructions which, when executed, implement the method of any of the above.
  • Another aspect of the present disclosure provides a computer program comprising computer-executable instructions which, when executed, implement the method of any of the above.
  • FIG. 1 schematically shows a flowchart of an operation detection method according to an embodiment of the present disclosure.
  • FIG. 2 schematically shows a legal operation flowchart of “remotely launching Shell program cmd.exe” in an embodiment of the present disclosure.
  • FIG. 3 schematically shows an illegal operation flowchart of “remotely launching Shell program cmd.exe” in an embodiment of the present disclosure.
  • FIG. 4 schematically shows a block diagram of an operation detection system according to an embodiment of the present disclosure.
  • FIG. 5 schematically shows a block diagram of an electronic device according to another embodiment of the present disclosure.
  • The technology of the present disclosure may be implemented in the form of hardware and/or software (including firmware, microcode, etc.).
  • The technology of the present disclosure may take the form of a computer program product on a computer-readable medium storing instructions, which may be used by or in conjunction with an instruction execution system.
  • A computer-readable medium may be any medium that can contain, store, communicate, propagate or transport instructions.
  • Computer-readable media may include, but are not limited to, electrical, magnetic, optical, electromagnetic, infrared or semiconductor systems, apparatus or devices, or propagation media.
  • Computer-readable media include: magnetic storage devices such as magnetic tape or hard disk (HDD); optical storage devices such as compact disk (CD-ROM); memory such as random access memory (RAM) or flash memory; and/or wired or wireless communication links.
  • The operation detection method of the embodiment of the present disclosure includes the following operations:
  • Specific operations in this disclosure are sensitive operations that may have dangerous consequences, including but not limited to loading executable files, memory operations, file operations, network access, port listening, registry key operations, and sending sensitive window messages.
  • The present disclosure monitors the above specific operations in real time within the operating system; several monitoring methods are possible.
  • One of them is "hooking".
  • Hooking is a monitoring technique commonly used in computer security: it intercepts calls to selected application programming interfaces (APIs), so that an operation can be inspected before it is allowed to proceed.
  • The execution subject performing the specific operation includes, but is not limited to, the operating system itself and the applications installed on it. Before the specific operation is executed, the information of the execution subject is obtained through the above monitoring means, including but not limited to its name, creation time, location index, etc.
  • The Windows 10 platform has 35 million applications, the iOS platform 2.1 million and the Android platform 2.6 million, and the operations these applications perform are countless.
  • Determining the specific operations of every application by means of a blacklist or whitelist would require enormous resources to collect the specific operations of each application and their legitimacy.
  • A first permission set is created, called the "minimum behaviour permission set"; it includes the operation permissions of at least one execution subject in any operating state.
  • The operating state of an execution subject in the present disclosure is the state the execution subject is in when it performs the specific operation. For example, the execution subject may be the winword program, which can open a Word document at runtime: if winword is run actively by the user, its operating state is the active running state; if it is run because another program called it, its operating state is the passive running state.
  • Likewise, if the opened Word document is displayed in a window, the operating state is the window state; if the document is processed only in the background without being displayed, the operating state is the non-window state.
  • The first permission set in the present disclosure concerns only the operation permissions of the execution subject in "any operating state"; the operation permissions in "different operating states" are described later.
  • The first permission set provided by the present disclosure includes at least the following operation permissions of an execution subject in any operating state:
  • the application may only operate on (read, write, open, delete, etc.) files created by itself or created directly or indirectly by the same installation package as itself;
  • the application is not allowed to perform cross-process operations on other processes;
  • user private data includes, but is not limited to, documents, photos, etc.;
  • the default editing program is determined by the registration in the operating system registry; for example, a Word document may only be operated on by the winword program or WPS;
  • key registry entries include, but are not limited to, the browser home page, auto-start items, the default program settings for each file type, system startup settings, etc.;
  • system function programs include, but are not limited to, shell programs, the registry editor, scheduled tasks, and programs that change disk file or registry permissions;
  • S103: acquire the operating state of the execution subject, and acquire the corresponding second permission set according to that operating state.
  • The operating state of the execution subject was explained under operation S102 above and is not repeated here.
  • The first permission set created in operation S102 above can filter out any risky operation.
  • Consider security software, which has to check whether executable files across the whole system are infected by viruses, but which under the restrictions of the first permission set may not operate on other applications. If only the first permission set of the present disclosure were used for the determination, some special applications such as security software would therefore produce "false positives".
  • The present disclosure therefore judges further the execution subjects that do not satisfy the first permission set, which is why the second permission set of the present disclosure is introduced.
  • Each second permission set corresponds to one operating state of an execution subject and includes the operation permissions of that execution subject in that operating state.
  • The second permission set provides, for example:
  • When the user actively runs the winword program, it has no permission to operate on objects other than the one it was asked to open. That is, when opening Word document A, winword has only the single permission to operate on A, and no permission to operate on Word documents B, C, etc. or on non-Word files.
  • The second permission set thus specifies the different permissions of the winword program in the two operating states "active running state" and "passive running state".
  • The operating state of the execution subject can be determined from its calling mode: when the execution subject is called directly by the user, its operating state is determined to be the active running state; when it is called by another execution subject, its operating state is determined to be the passive running state.
  • The operating state of the execution subject can also be determined from how the execution subject operates on its execution object.
  • Taking winword as the example again: if the opened Word document is displayed in a window, the operating state is the window state; if the document is processed only in the background without being displayed, the operating state is the non-window state.
  • The above embodiments are merely examples of different operating states of the execution subject; the operating states are not limited to these two.
  • The operating state acquired in operation S103 is not limited to a single state; several operating states to which the same execution subject belongs may be acquired at the same time (for example, winword may simultaneously be in the active running state and the window state) for use in the subsequent determination.
  • Each second permission set corresponds to at least one operating state of an execution subject, so the number of second permission sets is extremely large. The present disclosure may therefore store the created second permission sets at a remote end (for example a server or the cloud). When a client implements the present disclosure, it sends the remote end a request that includes the execution subject information and its operating state; the remote end responds by retrieving the corresponding second permission set according to the execution subject information and operating state and sending it to the client. After obtaining the second permission set, the client may cache it locally, keyed by the execution subject information and operating state.
  • When the client needs the second permission set again, it first queries the local cache, and only sends a request to the remote end if the set is not there.
  • Alternatively, when the client installs an application program (or other execution subject), it obtains from the remote end the second permission sets for all operating states of that application (or other execution subject) and saves them locally, so that later acquisitions of the second permission set are served directly from local storage.
  • The second permission set includes the operation permissions of the corresponding execution subject in the corresponding operating state, so the determination process of operation S104 follows directly and is not detailed here.
  • The present disclosure makes the permission determination from the operating state of the execution subject and is no longer limited to "application behaviour, application function and application type", so it can identify "over-privileged behaviour" of the execution subject more accurately.
  • Returning to the security software example, it must be judged further against the second permission set.
  • Its corresponding second permission set specifies that it has the permission "may run automatically and connect to the network without user action", so it passes the second permission set determination. This example shows that the second permission set avoids the "false positives" the first permission set produces for certain execution subjects.
  • By setting the second permission set, the present disclosure not only prevents the "false positives" of the first permission set but also strengthens the division of permissions for the execution subject: the execution subject is protected from having its normal function affected by a "false positive" of the first permission set, while still being restricted from other specific operations that pose a security threat.
  • Take Xshell as an example. It is mostly used to manage servers remotely, but several of its versions contained a backdoor that secretly uploaded the user's server accounts and passwords while the user was using it.
  • Since the first permission set specifies that "the application is not allowed to access the internal or external network or device nodes on the network", Xshell does not pass the first permission set determination.
  • The second permission set of the present disclosure can grant different network connection permissions according to the type of application, so that each kind of application can connect precisely to a certain type of network or to one or more specific networks. For example: printers, cameras, etc. may only connect to a fixed IP address; applications for intranet communication may only connect to the intranet; server management tools such as Xshell may only connect to the network the user connected to for the current operation; an application may only connect to the network using a specific network protocol; and so on. Taking Xshell as the example again, its second permission set in the various operating states is:
  • When Xshell is judged against the above second permission set, it is not allowed to access any network other than the one the user connected to in this operation, which cuts off the network path for uploading the user's server account and password and so avoids the security threat.
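The two-stage check of operations S1 to S4, run over the examples given above (security software that the first permission set rejects, winword limited to the document it was asked to open, Xshell limited to the host the user connected to), written here as an added Python illustration; it is not code from the patent or from any Qi An Xin product. Every rule body, program name, host address and the in-memory "remote end" are constructed for the example: the remote store is a dictionary, the local cache a second dictionary, and a request log makes the caching described above visible.

```python
"""Two-stage permission check (operations S1 to S4 on this page).  The minimum
behaviour permission set is applied to every execution subject in any operating
state; a subject it rejects is re-checked against the second permission set that
matches its operating state, fetched from a remote end and cached locally.
Added illustration, not the patent's code: every rule body, program name, host
and the in-memory "remote end" are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class State(str, Enum):
    ACTIVE = "active"      # subject was started directly by the user
    PASSIVE = "passive"    # subject was started by another execution subject


@dataclass(frozen=True)
class Operation:
    kind: str                          # file_read/file_write/cross_process/network/...
    target: str                        # file path, process name, host, registry key
    subject: str                       # execution subject about to perform it
    parent: Optional[str] = None       # subject that launched it; None means the user
    own_file: bool = False             # for file ops: did the subject create this file?
    user_target: Optional[str] = None  # target the user chose in this session, if any


def operating_state(op: Operation) -> State:
    """Operating state from the calling mode: direct user call or call by another subject."""
    return State.ACTIVE if op.parent is None else State.PASSIVE


def first_permission_set(op: Operation) -> bool:
    """Minimum behaviour permission set: what any subject may do in any state."""
    if op.kind in ("file_read", "file_write", "file_delete"):
        return op.own_file          # only files the subject created itself
    # cross-process access, network access and key registry entries are not
    # granted to anyone by this set; everything unlisted is denied as well
    return False


# Second permission sets keyed by (subject, state), held at the "remote end".
# A value maps an operation kind to the targets allowed: "*" means any target,
# "@user" means the target the user picked for this session.  Constructed.
Rules = Dict[str, Set[str]]
REMOTE_STORE: Dict[Tuple[str, State], Rules] = {
    ("avscan.exe", State.PASSIVE): {"cross_process": {"*"}, "file_read": {"*"},
                                    "network": {"update.avscan.test"}},
    ("xshell.exe", State.ACTIVE): {"network": {"@user"}},
    ("winword.exe", State.ACTIVE): {"file_read": {"@user"}, "file_write": {"@user"}},
}
REMOTE_REQUESTS: List[Tuple[str, State]] = []   # every round trip is logged here


def fetch_from_remote(subject: str, state: State) -> Optional[Rules]:
    """Stands in for the request/response exchange with the remote end."""
    REMOTE_REQUESTS.append((subject, state))
    return REMOTE_STORE.get((subject, state))


class OperationDetector:
    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, State], Optional[Rules]] = {}

    def second_permission_set(self, subject: str, state: State) -> Optional[Rules]:
        """Local cache first; ask the remote end only on a miss (also caches 'no set')."""
        key = (subject, state)
        if key not in self.cache:
            self.cache[key] = fetch_from_remote(subject, state)
        return self.cache[key]

    def decide(self, op: Operation) -> str:
        """'allow' or 'block' for one specific operation (S2 to S4)."""
        if first_permission_set(op):                  # S2: first set suffices
            return "allow"
        state = operating_state(op)                   # S3: state selects the set
        rules = self.second_permission_set(op.subject, state) or {}
        allowed = rules.get(op.kind, set())           # S4: check the second set
        if "*" in allowed or op.target in allowed:
            return "allow"
        if "@user" in allowed and op.user_target == op.target:
            return "allow"
        return "block"                                # "process the execution subject"
```

Operations that pass the first set never trigger a remote lookup, which matters because that set is applied to every sensitive operation on the machine; the second permission set is consulted only for the minority of operations the first set rejects, and a missing set is cached as well so an unknown subject does not cause a round trip per operation. One point the page does not discuss: the remote end and the sets it returns need to be authenticated (and versioned), since anyone who can tamper with a second permission set can grant their own subject any operation in any state.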
  • A "task" is the smallest unit that realises a given function.
  • Each task includes one or more operations (including specific operations) that are executed in sequence. Performing these operations in a fixed order to complete the task is the operation flow of the task.
  • The acquired task may specifically include: the one or more operations in the task, their execution order, and the execution object of each operation (for example, when a Word document is opened by the winword program, the Word document is the execution object).
  • The present disclosure determines whether the operation flow of a task is legal by determining whether it conforms to a preset operation flow.
  • Each task has a legal operation flow that it should follow to realise its function; this is the preset operation flow referred to in this disclosure.
  • The following uses "remotely launching the shell program cmd.exe" as an example to explain the legal operation flow and the illegal operation flow of the present disclosure.
  • FIG. 2 illustrates a legal operation flow of "remotely launching the shell program cmd.exe" in an embodiment of the present disclosure.
  • The task generated by a normal remote-control machine A is "start the shell program cmd.exe on target server B", and the operation flow the task performs is:
  • FIG. 3 illustrates an illegal operation flow of "remotely launching the shell program cmd.exe" in an embodiment of the present disclosure.
  • The task generated by the hacker's remote-control machine A is "start the shell program cmd.exe on target server B", and the operation flow the task performs is:
  • the attacker's virus attack code injects the command to start the shell into spoolsv.exe;
  • The two tasks of FIGS. 2 and 3 are the same, and the function they achieve, starting the shell program cmd.exe, is the same, but the operation flows they perform differ.
  • The illegal operation flow starts cmd.exe through the "printer management service program spoolsv.exe".
  • In operation S106 of the present disclosure, determining whether the operation flow of the task is legal by determining whether it conforms to the preset operation flow establishes whether the task the specific operation belongs to is legal. Specifically, when judging the operation flow, the present disclosure first obtains the operations corresponding to the operation flow and then judges whether each operation is consistent with the corresponding operation in the preset operation flow.
  • The illegal operation flow includes "start spoolsv.exe" and "spoolsv.exe starts the shell program cmd.exe"; the corresponding legal operation flow is "tlntsvr.exe starts tlntsess.exe" and "tlntsess.exe starts the shell program cmd.exe".
  • In operation S106 of the present disclosure it is also necessary to judge whether the execution subject of each operation is consistent with the execution subject of the corresponding operation in the preset operation flow. If they are not consistent, the entire operation flow is considered illegal.
  • the “task” in operation S107 of the present disclosure is a task including a specific operation mentioned earlier in the present disclosure.
  • the present disclosure obtains at least one operation from the task (the operation may be the specific operation or another operation in the task), and obtains the instruction execution sequence corresponding to the execution of that operation.
  • the instruction execution sequence of the present disclosure is obtained from the stack memory in the operating system (stack memory is allocated, used and reclaimed automatically by the operating system and cannot be controlled by the user).
  • the preset instruction execution sequence in operation S108 of the present disclosure refers to a legal instruction execution sequence.
  • the instruction execution sequence acquired from the stack memory and the preset instruction execution sequence are matched to determine whether the instruction execution sequence acquired from the stack memory is legal, and then determine whether the corresponding operation is legal.
  • one embodiment of the present disclosure is to obtain the function call information in the instruction execution sequence.
  • the function call information includes the number of function calls (a function called 0 times means the function is not called) and/or the function call order, and is used to determine whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence. If the match succeeds, the specific operation performed by the execution subject is released; otherwise, the specific operation performed by the execution subject is intercepted.
  • Table 1 schematically shows the legal instruction execution sequence of “remote start Shell program cmd.exe” in the embodiment of the present disclosure:
  • one of the instructions is "kernel32!CreateProcessW", which means that the function "CreateProcessW" in the dynamic link library "kernel32.dll" is called once; the purpose of calling this function is to “start a specified program”. Therefore, when determining whether the instruction execution sequence matches the preset instruction execution sequence, the present disclosure can match on the function call information in the respective sequences, including whether functions with different purposes have been called, the number of calls, and the order of calls.
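An added worked example, not code from the patent: a small Python model of the pipeline described above, run on the page's "remotely start the Shell program cmd.exe" scenario. It checks the two-level permission sets, the operation flow of FIGS. 2 and 3 (subject and operation per step) and the function call information of Table 1. The permission sets, the parent process of spoolsv.exe and the call sequences are constructed assumptions.

```python
# Added example (not from the patent): compact model of the WO2020132876A1
# detection pipeline, steps S2-S8, applied to the "remotely start cmd.exe"
# scenario. Permission sets, process names other than those named on the
# page, and call sequences are constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

SPECIFIC_OP = "start cmd.exe"

# S0: first permission set, valid for a subject in ANY operation state (constructed).
FIRST_PERMISSIONS = {"explorer.exe": {SPECIFIC_OP}}

# S0': second permission sets, one per (subject, operation state). The state
# follows the invocation mode: "direct" = invoked by the user, "indirect" =
# invoked by another execution subject (constructed).
SECOND_PERMISSIONS = {
    ("tlntsess.exe", "indirect"): {SPECIFIC_OP},
    ("spoolsv.exe", "indirect"): set(),   # the print spooler may not spawn a shell
}

# Preset (legal) operation flow of FIG. 2: (execution subject, operation) per step.
PRESET_FLOW = [("tlntsvr.exe", "start tlntsess.exe"), ("tlntsess.exe", SPECIFIC_OP)]

# Preset (legal) instruction execution sequence: Table 1 lists
# kernel32!CreateProcessW called exactly once for this operation.
PRESET_CALLS = ["kernel32!CreateProcessW"]


@dataclass
class Task:
    flow: List[Tuple[str, str]]   # operation flow in order; last step is the specific operation
    calls: List[str]              # "module!function" sequence recovered from stack memory
    invoked_by_user: bool         # how the final execution subject was invoked


def operation_state(task: Task) -> str:
    """S3: derive the operation state from the invocation mode."""
    return "direct" if task.invoked_by_user else "indirect"


def has_permission(subject: str, state: str, op: str) -> bool:
    """S2 then S4: the first permission set applies in any state; the second
    permission set is consulted only for the subject's current state."""
    if op in FIRST_PERMISSIONS.get(subject, set()):
        return True
    return op in SECOND_PERMISSIONS.get((subject, state), set())


def flow_matches(flow, preset) -> bool:
    """S6: every operation AND its execution subject must equal the preset step."""
    return len(flow) == len(preset) and all(step == want for step, want in zip(flow, preset))


def calls_match(calls, preset, check_order: bool = True) -> bool:
    """S8: compare function call counts (a count of 0 means 'not called')
    and, when check_order is set, the call order as well."""
    if Counter(calls) != Counter(preset):
        return False
    return calls == preset if check_order else True


def detect(task: Task) -> str:
    """Run S1-S8 on a task; return 'release' or the step that intercepted it."""
    subject, op = task.flow[-1]                       # S1 + S5
    if not has_permission(subject, operation_state(task), op):
        return "intercept:S4"
    if not flow_matches(task.flow, PRESET_FLOW):
        return "intercept:S6"
    if not calls_match(task.calls, PRESET_CALLS):
        return "intercept:S8"
    return "release"


# Constructed tasks. LEGAL follows FIG. 2; SPOOLER follows FIG. 3 (cmd.exe started
# through spoolsv.exe; its parent "services.exe" is a constructed assumption);
# WRONG_FLOW has a permitted subject but an unexpected chain; EXTRA_CALL has the
# legal chain but CreateProcessW invoked twice.
LEGAL = Task(PRESET_FLOW, ["kernel32!CreateProcessW"], False)
SPOOLER = Task([("services.exe", "start spoolsv.exe"), ("spoolsv.exe", SPECIFIC_OP)],
               ["kernel32!CreateProcessW"], False)
WRONG_FLOW = Task([("spoolsv.exe", "start explorer.exe"), ("explorer.exe", SPECIFIC_OP)],
                  ["kernel32!CreateProcessW"], False)
EXTRA_CALL = Task(PRESET_FLOW, ["kernel32!CreateProcessW", "kernel32!CreateProcessW"], False)

if __name__ == "__main__":
    for name, t in [("legal", LEGAL), ("spooler", SPOOLER),
                    ("wrong_flow", WRONG_FLOW), ("extra_call", EXTRA_CALL)]:
        print(f"{name:>10}: {detect(t)}")
```

The WRONG_FLOW case is the point of stacking the checks: the subject passes the permission test, so only the operation flow comparison of S106 catches it.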
  • FIG. 4 schematically shows a block diagram of an operation detection system according to an embodiment of the present disclosure.
  • the operation detection system 400 includes a first acquisition module 410, a first judgment module 420, a second acquisition module 430, a second judgment module 440, a third acquisition module 450, a third judgment module 460, a fourth acquisition module 470 and a fourth judgment module 480.
  • the operation detection system 400 may perform the method described above with reference to FIG. 1 to implement detection of specific operations.
  • the first acquisition module 410 is used to obtain the execution subject performing the specific operation before the specific operation is performed; the first judgment module 420 is used to judge, according to the first permission set, whether the execution subject has permission to perform the specific operation, and if not, the second acquisition module 430 is executed; the second acquisition module 430 is used to obtain the operation state of the execution subject and obtain the corresponding second permission set according to that operation state; the second judgment module 440 is used to judge, according to the second permission set, whether the execution subject has permission to perform the specific operation.
  • if so, the third acquisition module 450 is executed; if not, the execution subject is processed; the third acquisition module 450 is used to obtain the task including the specific operation, the task corresponding to an operation flow that performs at least one operation; the third judgment module 460 is used to judge whether the operation flow satisfies the preset operation flow, and if so, the fourth acquisition module 470 is executed, and if not, the execution subject is processed; the fourth acquisition module 470 is used to obtain the instruction execution sequence corresponding to at least one operation in the task; the fourth judgment module 480 is used to judge whether the instruction execution sequence matches the preset instruction execution sequence, and if not, the execution subject is processed.
  • any of the modules 410 to 480 may be combined and implemented in one module, or any one of them may be split into multiple modules. Alternatively, at least part of the functions of one or more of these modules may be combined with at least part of the functions of other modules and implemented in one module.
  • at least one of the first acquisition module 410, the first judgment module 420, the second acquisition module 430, the second judgment module 440, the third acquisition module 450, the third judgment module 460, the fourth acquisition module 470 and the fourth judgment module 480 may be at least partially implemented as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on a substrate, a system in a package or an application specific integrated circuit (ASIC), or may be implemented in any other reasonable manner, such as hardware or firmware that integrates or packages the circuit, or an appropriate combination of software, hardware and firmware.
  • at least one of the first acquisition module 410, the first judgment module 420, the second acquisition module 430, the second judgment module 440, the third acquisition module 450, the third judgment module 460, the fourth acquisition module 470 and the fourth judgment module 480 may be at least partially implemented as a computer program module, and when the program is run by a computer, the function of the corresponding module is performed.
  • FIG. 5 schematically shows a block diagram of an electronic device according to another embodiment of the present disclosure.
  • the electronic device 500 includes a processor 510 and a computer-readable storage medium 520.
  • the electronic device 500 may perform the method described above with reference to FIG. 1 to implement detection of specific operations.
  • the processor 510 may include, for example, a general-purpose microprocessor, an instruction set processor and/or related chipsets, and/or a dedicated microprocessor (for example, an application specific integrated circuit (ASIC)), and so on.
  • the processor 510 may also include on-board memory for caching purposes.
  • the processor 510 may be a single processing unit or a plurality of processing units for performing different actions of the method flow according to the embodiment of the present disclosure described with reference to FIG. 1.
  • the computer-readable storage medium 520 may be, for example, any medium capable of containing, storing, transmitting, propagating or transporting instructions.
  • readable storage media may include, but are not limited to, electrical, magnetic, optical, electromagnetic, infrared or semiconductor systems, apparatuses, devices or propagation media.
  • Specific examples of readable storage media include: magnetic storage devices such as magnetic tape or a hard disk (HDD); optical storage devices such as a compact disc (CD-ROM); memories such as random access memory (RAM) or flash memory; and/or wired/wireless communication links.
  • the computer-readable storage medium 520 may include a computer program 521, which may include code/computer-executable instructions that, when executed by the processor 510, cause the processor 510 to perform, for example, the method flow described above in connection with FIG. 1 and any variation thereof.
  • the computer program 521 may be configured to have computer program code including, for example, computer program modules.
  • the code in the computer program 521 may include one or more program modules, for example module 521A, module 521B, ... It should be noted that the division and number of modules are not fixed, and those skilled in the art may use appropriate program modules or combinations of program modules according to the actual situation.
  • the processor 510 may, for example, perform the method flow described above in connection with FIGS. 2 to 3D and any variations thereof.
  • At least one of the first acquisition module 410, the first judgment module 420, the second acquisition module 430, the second judgment module 440, the third acquisition module 450, and the third judgment module 460 may be implemented as a reference


Abstract

An operation detection method, comprising: S1, obtaining an execution subject executing a specific operation; S2, determining, according to a first permission set, whether the execution subject has the permission to execute the specific operation; S3, obtaining the operation state of the execution subject and a corresponding second permission set; S4, determining, according to the second permission set, whether the execution subject has the permission to execute the specific operation, if yes, executing operation S5, and if not, processing the execution subject; S5, obtaining a task comprising the specific operation, the task corresponding to an operation process; S6, determining whether the operation process satisfies a preset operation process, and if not, processing the execution subject; S7, obtaining an instruction execution sequence corresponding to at least one operation in the task; and S8, determining whether the instruction execution sequence matches a preset instruction execution sequence, and if not, processing the execution subject. Also provided are an operation detection system and an electronic device.

Description

Operation detection method, system and electronic device
Technical field
The present disclosure belongs to the field of network security and specifically relates to an operation detection method, system and electronic device.
Background
With the development of computer networks, network security has received increasing attention from the industry. When a computer network is attacked by a hacker, one wants to discover the attack while it is in progress or before its harmful result occurs, so as to avoid damage as far as possible. The prior art uses a variety of network security techniques, such as "malware detection", "attack discovery" and "malicious behavior detection". Although these techniques provide security protection, as attack methods improve they can no longer meet the growing demand for network security.
Summary of the invention
One aspect of the present disclosure provides an operation detection method, including: S1, before a specific operation is performed, obtaining the execution subject that performs the specific operation; S2, judging according to a first permission set whether the execution subject has permission to perform the specific operation, and if not, performing operation S3; S3, obtaining the operation state of the execution subject, and obtaining the corresponding second permission set according to the operation state of the execution subject; S4, judging according to the second permission set whether the execution subject has permission to perform the specific operation, and if so, performing operation S5, and if not, processing the execution subject; S5, obtaining a task that includes the specific operation, the task corresponding to an operation flow that performs at least one operation; S6, judging whether the operation flow satisfies a preset operation flow, and if so, performing operation S7, and if not, processing the execution subject; S7, obtaining the instruction execution sequence corresponding to at least one operation in the task; S8, judging whether the instruction execution sequence matches a preset instruction execution sequence, and if not, processing the execution subject.
Optionally, in step S6, judging whether the operation flow satisfies the preset operation flow includes: obtaining at least one operation corresponding to the operation flow; and judging whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow.
Optionally, judging whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow includes: judging whether the execution subject of each of the at least one operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
Optionally, before step S1, the method further includes: S0, creating a first permission set, the first permission set including the operation permissions of at least one execution subject in any operation state.
Optionally, before step S1, the method further includes: S0', creating at least one second permission set, wherein each second permission set corresponds to one operation state of one execution subject, and each second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state.
Optionally, the at least one second permission set is stored at a remote end, and in step S3, obtaining the corresponding second permission set according to the operation state of the execution subject includes: sending a request to the remote end, the request including the execution subject information and its operation state; and obtaining the second permission set sent by the remote end, where the second permission set is returned by the remote end in response to the request.
Optionally, in step S3, obtaining the operation state of the execution subject at least includes: determining the operation state of the execution subject according to the way the execution subject is invoked, where, when the execution subject is invoked directly by the user, its operation state is determined to be a first operation state, and when the execution subject is invoked by another execution subject, its operation state is determined to be a second operation state.
Optionally, in step S8, judging whether the instruction execution sequence matches the preset instruction execution sequence includes: obtaining function call information in the instruction execution sequence, the function call information including the number of function calls and/or the order of function calls; and judging whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence.
Optionally, in step S7, obtaining the instruction execution sequence corresponding to at least one operation in the task includes: obtaining, from stack memory, the instruction execution sequence corresponding to at least one operation in the task.
Another aspect of the present disclosure provides an operation detection system, including: a first acquisition module for obtaining, before a specific operation is performed, the execution subject that performs the specific operation; a first judgment module for judging according to a first permission set whether the execution subject has permission to perform the specific operation, and if not, executing a second acquisition module; the second acquisition module for obtaining the operation state of the execution subject and obtaining the corresponding second permission set according to that operation state; a second judgment module for judging according to the second permission set whether the execution subject has permission to perform the specific operation, and if so, executing a third acquisition module, and if not, processing the execution subject; the third acquisition module for obtaining a task that includes the specific operation, the task corresponding to an operation flow that performs at least one operation; a third judgment module for judging whether the operation flow satisfies a preset operation flow, and if so, executing a fourth acquisition module, and if not, processing the execution subject; the fourth acquisition module for obtaining the instruction execution sequence corresponding to at least one operation in the task; and a fourth judgment module for judging whether the instruction execution sequence matches a preset instruction execution sequence, and if not, processing the execution subject.
Optionally, in the third judgment module, judging whether the operation flow satisfies the preset operation flow includes: obtaining at least one operation corresponding to the operation flow; and judging whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow.
Optionally, the third judgment module judging whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow includes: judging whether the execution subject of each of the at least one operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
Optionally, the operation detection system further includes a first creation module for creating the first permission set, the first permission set including the operation permissions of at least one execution subject in any operation state.
Optionally, the operation detection system further includes a second creation module for creating at least one second permission set, wherein each second permission set corresponds to one operation state of one execution subject, and each second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state.
Optionally, the at least one second permission set is stored at a remote end, and the second acquisition module obtaining the corresponding second permission set according to the operation state of the execution subject includes: sending a request to the remote end, the request including the execution subject information and its operation state; and obtaining the second permission set sent by the remote end, where the second permission set is returned by the remote end in response to the request.
Optionally, the second acquisition module obtaining the operation state of the execution subject at least includes: determining the operation state of the execution subject according to the way the execution subject is invoked, where, when the execution subject is invoked directly by the user, its operation state is determined to be a first operation state, and when it is invoked by another execution subject, its operation state is determined to be a second operation state.
Optionally, the fourth judgment module judging whether the instruction execution sequence matches the preset instruction execution sequence includes: obtaining function call information in the instruction execution sequence, the function call information including the number of function calls and/or the order of function calls; and judging whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence.
Optionally, the fourth acquisition module obtaining the instruction execution sequence corresponding to at least one operation in the task includes: obtaining, from stack memory, the instruction execution sequence corresponding to at least one operation in the task.
Another aspect of the present disclosure provides an electronic device, including: a processor; and a memory storing computer-executable instructions which, when executed by the processor, cause the processor to perform: S1, before a specific operation is performed, obtaining the execution subject that performs the specific operation; S2, judging according to a first permission set whether the execution subject has permission to perform the specific operation, and if not, performing operation S3; S3, obtaining the operation state of the execution subject, and obtaining the corresponding second permission set according to the operation state of the execution subject; S4, judging according to the second permission set whether the execution subject has permission to perform the specific operation, and if so, performing operation S5, and if not, processing the execution subject; S5, obtaining a task that includes the specific operation, the task corresponding to an operation flow that performs at least one operation; S6, judging whether the operation flow satisfies a preset operation flow, and if so, performing operation S7, and if not, processing the execution subject; S7, obtaining the instruction execution sequence corresponding to at least one operation in the task; S8, judging whether the instruction execution sequence matches a preset instruction execution sequence, and if not, processing the execution subject.
Optionally, when the processor performs step S6, judging whether the operation flow satisfies the preset operation flow includes: obtaining at least one operation corresponding to the operation flow; and judging whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow.
Optionally, the processor judging whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow includes: judging whether the execution subject of each of the at least one operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
Optionally, before performing step S1, the processor further performs: S0, creating a first permission set, the first permission set including the operation permissions of at least one execution subject in any operation state.
Optionally, before performing step S1, the processor further performs: S0', creating at least one second permission set, wherein each second permission set corresponds to one operation state of one execution subject, and each second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state.
Optionally, the at least one second permission set is stored at a remote end, and when the processor performs step S3, obtaining the corresponding second permission set according to the operation state of the execution subject includes: sending a request to the remote end, the request including the execution subject information and its operation state; and obtaining the second permission set sent by the remote end, where the second permission set is returned by the remote end in response to the request.
Optionally, when the processor performs step S3, obtaining the operation state of the execution subject at least includes: determining the operation state of the execution subject according to the way the execution subject is invoked, where, when the execution subject is invoked directly by the user, its operation state is determined to be a first operation state, and when the execution subject is invoked by another execution subject, its operation state is determined to be a second operation state.
Optionally, when the processor performs step S8, judging whether the instruction execution sequence matches the preset instruction execution sequence includes: obtaining function call information in the instruction execution sequence, the function call information including the number of function calls and/or the order of function calls; and judging whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence.
Optionally, when the processor performs step S7, obtaining the instruction execution sequence corresponding to at least one operation in the task includes: obtaining, from stack memory, the instruction execution sequence corresponding to at least one operation in the task.
Another aspect of the present disclosure provides a computer-readable medium storing computer-executable instructions which, when executed, implement the method according to any one of the above.
Another aspect of the present disclosure provides a computer program including computer-executable instructions which, when executed, implement the method according to any one of the above.
Brief description of the drawings
FIG. 1 schematically shows a flowchart of an operation detection method according to an embodiment of the present disclosure.
FIG. 2 schematically shows a legal operation flowchart of “remotely starting the Shell program cmd.exe” in an embodiment of the present disclosure.
FIG. 3 schematically shows an illegal operation flowchart of “remotely starting the Shell program cmd.exe” in an embodiment of the present disclosure.
FIG. 4 schematically shows a block diagram of an operation detection system according to an embodiment of the present disclosure.
FIG. 5 schematically shows a block diagram of an electronic device according to another embodiment of the present disclosure.
Detailed description
Embodiments of the present disclosure will be described below with reference to the drawings. It should be understood, however, that these descriptions are exemplary only and are not intended to limit the scope of the present disclosure. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to obscure the concepts of the present disclosure unnecessarily.
The terminology used herein is for describing specific embodiments only and is not intended to limit the present disclosure. The words "a", "an" and "the" as used herein also include the plural unless the context clearly indicates otherwise. In addition, the terms "comprising", "including" and the like used herein indicate the presence of the stated features, steps, operations and/or components, but do not exclude the presence or addition of one or more other features, steps, operations or components.
All terms (including technical and scientific terms) used herein have the meanings commonly understood by those skilled in the art unless otherwise defined. It should be noted that the terms used herein are to be interpreted as having a meaning consistent with the context of this specification, and not in an idealized or overly rigid manner.
Some block diagrams and/or flowcharts are shown in the drawings. It should be understood that some of the blocks in the block diagrams and/or flowcharts, or combinations thereof, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer or another programmable data processing apparatus, so that the instructions, when executed by the processor, create means for implementing the functions/operations described in the block diagrams and/or flowcharts.
Therefore, the technology of the present disclosure may be implemented in the form of hardware and/or software (including firmware, microcode, etc.). In addition, the technology of the present disclosure may take the form of a computer program product on a computer-readable medium storing instructions, which computer program product may be used by, or in conjunction with, an instruction execution system. In the context of the present disclosure, a computer-readable medium may be any medium that can contain, store, communicate, propagate or transmit instructions. For example, the computer-readable medium may include, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus, device or propagation medium. Specific examples of computer-readable media include: magnetic storage devices, such as magnetic tape or a hard disk (HDD); optical storage devices, such as a compact disc (CD-ROM); memories, such as random access memory (RAM) or flash memory; and/or wired/wireless communication links.
FIG. 1 schematically shows a flowchart of an operation detection method according to an embodiment of the present disclosure.
Specifically, as shown in FIG. 1, the operation detection method of the embodiment of the present disclosure includes the following operations:
S101: before a specific operation is performed, obtain the execution subject that is to perform the specific operation.
In an operating system, a wide variety of operations are performed in order to complete tasks, and these operations often involve services, programs, files and data in the system. The "specific operations" of the present disclosure are sensitive operations that may lead to dangerous consequences, including but not limited to executable file loading, memory operations, file operations, network access, port listening, registry key operations, sending of sensitive window messages, and so on.
The present disclosure monitors the above specific operations in the operating system in real time, and a variety of monitoring means may be used. For example, hooking may be used. Hooking is a security monitoring method commonly used in the field of computer security: certain application programming interfaces (APIs) are hooked, so that when the system performs a specific operation, control enters the hook's processing flow. As another example, the various function filter drivers provided by the operating system, such as file filter drivers and network filter drivers, may be used to monitor specific operations involving the corresponding files, network, and so on.
The "execution subject performing the specific operation" mentioned in the present disclosure includes but is not limited to the operating system itself and applications installed on the operating system. Before the execution subject performs the specific operation, information about the execution subject is obtained through the above monitoring means, including but not limited to the name, creation time and location index of the execution subject.
S102: determine, according to the first permission set, whether the execution subject has permission to perform the specific operation; if so, release the specific operation; if not, perform operation S103.
There are currently a great many applications: the Windows 10 platform has 35 million applications, the iOS platform 2.1 million and the Android platform 2.6 million, and the operations involved in these applications are countless. If the specific operations of every application were judged by means of a blacklist or whitelist, enormous resources would be needed to collect the specific operations of each application and establish their legitimacy.
In view of the above considerations, the present disclosure creates, before operation S101 is performed, a first permission set, referred to as the "minimum behavior permission set", which includes the operation permissions of at least one execution subject in any operation state. In the present disclosure, the operation state of an execution subject refers to the state the execution subject is in when it performs the specific operation. For example, the execution subject may be the winword program, which can open Word documents while running. If the winword program is run actively by the user, its operation state is the active running state; if it is run because another program called it, its operation state is the passive running state. Again taking the winword program as an example, if the Word document it opens is displayed in a window, its operation state is the windowed state; if the Word document it opens runs only in the background and is not displayed, its operation state is the non-windowed state. The first permission set of the present disclosure covers only the operation permissions of the execution subject in "any operation state"; the operation permissions in "different operation states" are described later.
The first permission set provided by the present disclosure includes at least the following operation permissions of execution subjects in any operation state:
· Non-specific applications run in non-automatic mode
Explanation: ordinary applications may not run automatically and may only be executed manually by the user; specific programs that need to run automatically are handled by the program-specific behavior set;
· An application may only operate on files it created directly and/or indirectly
Explanation: an application may only have full operation rights (read, write, open, delete, etc.) over files it created itself, or files created directly or indirectly together with it by the same installation package;
· An application has only read-only permission to operating system files;
· An application may not operate on non-system files other than the files it created directly and/or indirectly
Explanation: an application may not operate on (read, write, open, delete, etc.) any non-system file other than the files it created directly and/or indirectly;
· An application is not allowed to access internal or external networks, or device nodes within the network
· When not under user operation, an application is not allowed to perform cross-process operations on other processes;
· Neither the operating system itself nor applications may operate on the disk directly, bypassing the file system;
· When not under user operation, the operating system and applications may not download or execute another program, and may not load drivers;
· When not under user operation, the operating system and applications may not read or write user private data
Explanation: user private data includes but is not limited to documents, photos, etc.;
· Under user operation, only the default editing program registered for a data type may operate on documents of that type
Explanation: the default editing program is determined by the registration in the operating system registry; for example, Word documents may only be operated on by the winword program or WPS;
· Under user operation, the corresponding behavior subject has permission to operate on a single object only
Explanation: for example, if the user invokes the winword program to open Word document A, the winword program has operation permission over A, but it has no operation permission over Word document B, which the user did not actively open;
· When not under user operation, the operating system and applications do not have permission to add accounts;
· When not under user operation, the operating system and applications do not have permission to write key registry entries
Explanation: key registry entries include but are not limited to the browser home page, autostart items, default program settings for each file type, system startup settings, etc.;
· When not under user operation, the operating system itself and applications do not have permission to invoke system utility programs
Explanation: system utility programs include but are not limited to shell programs, the registry editor, scheduled tasks, and programs that change permissions on disk files or the registry;
· When not under user operation, the operating system and applications do not have permission to create and execute script files.
By setting the first permission set as above, it can be effectively determined whether most execution subjects have permission to perform the specific operation, without building a blacklist or whitelist for each execution subject and each corresponding specific operation, which saves system overhead. In this operation, if the specific operation performed by the execution subject complies with the first permission set, the specific operation is released and allowed to execute; if it does not comply with the first permission set, operation S103 is performed for further determination.
S103: obtain the operation state of the execution subject, and obtain the corresponding second permission set according to the operation state of the execution subject.
The operation state of the execution subject has been explained in operation S102 above and is not repeated here. In addition, the first permission set defined in operation S102 can filter out any risky operation. However, some special applications exceed the permissions allowed by the first permission set even in normal operation. For example, security software performs the operation of checking whether the executable files of the whole system are infected with viruses, but under the restrictions of the first permission set it may not operate on other applications. Therefore, if only the first permission set of the present disclosure were used for the determination, "false positives" would be produced for special applications such as security software. For this situation, the present disclosure needs to judge further those execution subjects that do not satisfy the first permission set, and for this purpose introduces the second permission set.
In view of the above considerations, before operation S101 is performed, the present disclosure also creates one or more second permission sets, where each second permission set corresponds to one operation state of one execution subject, and each second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state.
For example, for the winword program, the second permission set stipulates:
· When the user actively executes the winword program, it has permission to operate on the corresponding object; that is, when the user actively opens Word document A through the winword program, the winword program has operation permission over Word document A. (Note: double-clicking a Word document, whereupon the operating system invokes the winword program to open it, and double-clicking the winword program and then opening the document through a menu or by dragging, are both behaviors triggered by user operation and are both regarded as the "active running state".)
· When the winword program is not actively executed by the user (passive running state), it does not have permission to operate on Word documents.
· When the user actively executes the winword program, it also does not have permission to operate on non-corresponding objects; that is, when Word document A is opened, the winword program has the single permission to operate on A only, and has no permission to operate on B, C or other Word documents, or on non-Word documents.
It can be seen from the above example that the second permission set stipulates different permissions for the winword program in the two operation states "active running state" and "passive running state".
In operation S103 of the present disclosure, the different operation states of the execution subject may be determined in different ways.
According to one embodiment of the present disclosure, the operation state of the execution subject may be determined according to how the execution subject was invoked: when the execution subject is invoked directly by the user, its operation state is determined to be the active running state; when the execution subject is invoked by another execution subject, its operation state is determined to be the passive running state.
According to another embodiment of the present disclosure, the operation state of the execution subject may be determined according to the way the execution subject operates on the execution object. Taking the winword program as an example, if the Word document it opens is displayed in a window, its operation state is the windowed state; if the Word document it opens runs only in the background and is not displayed, its operation state is the non-windowed state.
The above embodiments are merely examples given to illustrate the different operation states of the execution subject; the operation states are not limited to these two embodiments. In addition, the operation state obtained in operation S103 is not limited to a single operation state; multiple operation states to which the same execution subject belongs may be obtained at the same time (for example, the winword program may be found to be in both the active execution state and the windowed state) for use in the subsequent determination.
It should also be noted that each second permission set corresponds to at least one operation state of one execution subject, so the number of second permission sets is extremely large. Therefore, the present disclosure may store the created second permission sets remotely (for example, on a server or in the cloud). When a client implements the present disclosure, it sends a request to the remote end containing the execution subject information and its operation state; the remote end responds by retrieving the corresponding second permission set according to the execution subject information and operation state and sending it to the client. Furthermore, after obtaining the second permission set, the client may cache it locally together with the corresponding execution subject information and operation state. When the client needs that second permission set again, it may first look it up in the local cache and send a request to the remote end only if it is not present. In another embodiment of the present disclosure, when the client installs an application (or other execution subject), it obtains from the remote end the second permission sets for the various operation states of that application (or other execution subject) and saves them locally, so that they can be read directly from local storage when subsequently needed.
S104: determine, according to the second permission set, whether the execution subject has permission to perform the specific operation; if so, perform operation S105; if not, process the execution subject.
It has been described above that the second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state, so the determination flow in operation S104 is easy to understand and is not repeated here. It should be emphasized, however, that the present disclosure makes the permission determination at the level of the execution subject's operation state, and is no longer confined to "the behavior of the application itself, or the application's function and kind", so it can determine "privilege-exceeding behavior" of the execution subject more accurately.
Taking the above security software as an example again: since in normal operation it checks whether the executable files of the whole system are infected with viruses, it needs to be able to run security checks automatically without user intervention, and security checks generally require a connection to a cloud virus signature database. These functions clearly exceed the permissions stipulated by the first permission set, so it cannot pass the determination against the first permission set, and the second permission set is needed to judge it further. In any operation state of the security software, its corresponding second permission set stipulates that it has the permissions "may run automatically; may connect to the network without user operation", so it passes the determination against the second permission set. The above example shows that the second permission set can avoid "false positives" of the first permission set for certain specific execution subjects.
In addition, the second permission set of the present disclosure not only prevents "false positives" of the first permission set but also strengthens the division of permissions of the execution subject, so that the execution subject's normal functions are not affected by a "false positive" of the first permission set while it is still restricted from other specific operations that pose a security threat. Take Xshell as an example: it is mostly used for remote server management, but several of its versions contained a backdoor that secretly uploaded users' server accounts and passwords during use. When Xshell is judged by the first permission set of the present disclosure, it does not comply, because the first permission set stipulates that "an application is not allowed to access internal or external networks, or device nodes within the network". The second permission set of the present disclosure, however, can define different network connection permissions according to the type of application, so that each application can connect precisely to a certain class of network, or to one or more specific networks. For example, printers, cameras and the like may only connect to fixed IP addresses; applications for intranet communication may only connect to the intranet; server management tools of the Xshell kind may only connect to the network the user is connecting to in the current operation; an application may only use a specific network protocol to connect to the network; and so on. Taking Xshell as an example again, its second permission sets in the various operation states are:
· In the dual state of being actively executed by the user and having an interactive window, it has permission to communicate over the network with the specified network address (the IP or domain name of the server being actively connected to)
· When not actively executed by the user, or without a window, no network communication is permitted
· It may not communicate with network addresses unrelated to the address of the server that the current user operation is directed at managing
When Xshell is judged on the basis of the above second permission set, it is not allowed to access any network other than the one the user connects to in the current operation; this cuts off the network path by which it would upload the user's server account and password, and the security threat is avoided.
It can be seen from the above example that after Xshell has been "intercepted" by the determination against the first permission set, it is judged again by the second permission set, which "releases" normal functions such as remote server management and "intercepts" illegitimate connections to other networks, achieving more precise permission control.
When the execution subject does not satisfy the second permission set stipulated for its corresponding operation state, it can be fully concluded that the execution subject or its corresponding specific operation poses a security threat, and the execution subject is intercepted so as to interrupt the specific operation it is about to perform.
However, when the execution subject does satisfy the second permission set stipulated for its corresponding operation state (it having already been determined in operation S102 that it does not satisfy the first permission set), the result of the determination against the first permission set may be a "false positive", and further determination is needed in the subsequent operations.
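The checks of operations S101 to S104, as an added example that is not part of the patent: a small policy evaluator in which a subset of the first permission set is applied to a recorded operation, the operation state is derived from how the subject was launched and whether it has a window, and state-keyed second permission sets are consulted. The event fields, rule names, state names and the sample subjects (winword, xshell, secscan) are assumptions modelled on the winword, Xshell and security-software cases above.

```python
"""Permission-set checks, operations S101 to S104 of the method.

Added example, not the patent's code.  The event fields, rule names,
state names and sample subjects (winword, xshell, secscan) are assumptions
chosen to mirror the winword, Xshell and security-software cases in the text.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass
class OpEvent:
    """What the monitoring hook (S101) records about one specific operation."""
    subject: str                  # execution subject, e.g. "winword"
    op: str                       # "read_file", "write_file", "net_connect", "exec", ...
    target: str = ""              # execution object: file path, address, program
    user_triggered: bool = False  # did a user action cause this operation?
    launched_by: str = "user"     # "user" or the subject that launched this one
    has_window: bool = False      # is an interactive window shown?
    user_object: str = ""         # the object the user explicitly chose
    owns_target: bool = False     # did the subject create the target itself?
    is_system_file: bool = False
    default_editor_for: FrozenSet[str] = frozenset()  # registered file types


Rule = Callable[[OpEvent], bool]


# ---- first permission set ("minimum behavior permission set", S102) ----
def rule_file_ops(e: OpEvent) -> bool:
    if e.op not in ("read_file", "write_file"):
        return True
    if e.owns_target:                # own files: full rights
        return True
    if e.is_system_file:             # system files: read-only
        return e.op == "read_file"
    # other files: only under user operation, only by the registered default
    # editor, and only the single object the user selected
    ext = e.target.rsplit(".", 1)[-1].lower()
    return (e.user_triggered and ext in e.default_editor_for
            and e.target == e.user_object)


def rule_no_network(e: OpEvent) -> bool:
    return e.op != "net_connect"     # applications get no network access


def rule_no_unattended_sensitive_ops(e: OpEvent) -> bool:
    unattended = ("exec", "load_driver", "add_account",
                  "write_key_registry", "run_script")
    return e.op not in unattended or e.user_triggered


FIRST_SET: List[Rule] = [rule_file_ops, rule_no_network,
                         rule_no_unattended_sensitive_ops]


def passes_first_set(e: OpEvent) -> bool:
    return all(rule(e) for rule in FIRST_SET)


# ---- operation state of the subject (S103) ----
def operation_states(e: OpEvent) -> FrozenSet[str]:
    return frozenset({"active" if e.launched_by == "user" else "passive",
                      "windowed" if e.has_window else "non_windowed"})


# ---- second permission sets, one per (subject, operation state) ----
def xshell_active_windowed(e: OpEvent) -> bool:
    # only the server the user is managing in this operation
    return e.op == "net_connect" and e.target == e.user_object


def winword_active(e: OpEvent) -> bool:
    # only the single document the user opened
    return e.op in ("read_file", "write_file") and e.target == e.user_object


def secscan_any_state(e: OpEvent) -> bool:
    # may run unattended, read other programs' files and reach the cloud
    return e.op in ("read_file", "net_connect", "exec")


# key: (subject, states the set applies to); an empty state set means any state
SECOND_SETS: Dict[Tuple[str, FrozenSet[str]], Rule] = {
    ("xshell", frozenset({"active", "windowed"})): xshell_active_windowed,
    ("winword", frozenset({"active"})): winword_active,
    ("secscan", frozenset()): secscan_any_state,
}


def passes_second_set(e: OpEvent) -> Optional[bool]:
    """None when no second permission set exists for this subject and state."""
    states = operation_states(e)
    applicable = [rule for (subj, key), rule in SECOND_SETS.items()
                  if subj == e.subject and key <= states]
    if not applicable:
        return None
    return any(rule(e) for rule in applicable)


def decide(e: OpEvent) -> str:
    """'release' at S102, 'intercept', or 'flow_check' (continue to S105)."""
    if passes_first_set(e):
        return "release"
    if passes_second_set(e):          # None (no set) and False both intercept
        return "flow_check"
    return "intercept"
```

A subject with no second permission set for its current state is intercepted, which is what makes the Xshell case without a window fail even though the same connection is allowed in the windowed state.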
S105,获取包括特定操作的任务,该任务对应有执行至少一个操作的操作流程。S105. Obtain a task including a specific operation, and the task corresponds to an operation flow for performing at least one operation.
在操作系统中“任务”是实现对应功能的最小单元,每个任务包括有一个或多个按顺序执行的操作(包括特定操作),以固定的顺序执行这些操作以完成任务即是该任务的操作流程。In the operating system, the "task" is the smallest unit that realizes the corresponding function. Each task includes one or more operations (including specific operations) that are executed in sequence. Performing these operations in a fixed order to complete the task is the task. Operating procedures.
在操作S105中,获取的任务可以具体包括:任务所包含的一个或多个操作,一个或多个操作的执行顺序、每个操作的执行客体(例如,通过winword程序打开word文档,word文档即为执行客体)。通过上述的信息即可判定任务的操作流程是否合法。In operation S105, the acquired task may specifically include: one or more operations included in the task, the execution order of the one or more operations, and the execution object of each operation (for example, opening a word document through a winword program, the word document is For the implementation object). Through the above information, it can be determined whether the operation flow of the task is legal.
S106,判断操作流程是否满足预设操作流程,若是,则执行操作S7,若否,则对执行主体进行处理。S106. Determine whether the operation flow satisfies the preset operation flow. If yes, perform operation S7. If no, perform processing on the execution body.
本公开判定任务的操作流程是否合法是通过判定其是否符合预设操作流程,每个任务为了实现对应的功能都应具备一套合法的操作流程,即为本公开所提及的预设操作流程。下面以“远程启动Shell程序cmd.exe”为例,来解释本公开的合法操作流程及非法操作流程。This disclosure determines whether the operation flow of a task is legal by determining whether it conforms to a preset operation flow. Each task should have a set of legal operation flow in order to realize the corresponding function, which is the preset operation flow mentioned in this disclosure . The following uses "remote start Shell program cmd.exe" as an example to explain the legal operation flow and the illegal operation flow of the present disclosure.
图2绘示出本公开实施例中“远程启动Shell程序cmd.exe”的合法操作流程图。如图2所示,在正常远控机A产生一任务为“启动目标服务器B上的Shell程序cmd.exe”,该任务执行的操作流程为:FIG. 2 illustrates a legal operation flowchart of “remotely launching Shell program cmd.exe” in an embodiment of the present disclosure. As shown in FIG. 2, a task generated by the normal remote control machine A is “start the Shell program cmd.exe on the target server B”, and the operation process performed by the task is:
S201,在正常远控机A上启动Telnet.exe程序;S201, start the Telnet.exe program on the normal remote control machine A;
S202,在正常远控机上A,通过Telnet.exe程序发送与目标服务器B建立远程连接的请求;S202, on the normal remote control machine A, a request to establish a remote connection with the target server B is sent through the Telnet.exe program;
S203,在目标服务器B上通过tlntsvr.exe接收正常远控机A发送的远程连接的请求;S203, receiving a remote connection request sent by the normal remote control machine A through tlntsvr.exe on the target server B;
S204,在目标服务器B上,通过tlntsvr.exe启动tlntsess.exe,以建立与正常远控机A的连接;S204, on the target server B, start tlntsess.exe through tlntsvr.exe to establish a connection with the normal remote control machine A;
S205,在正常远控机A上发送启动Shell程序cmd.exe的指令;S205, sending a command to start the shell program cmd.exe on the normal remote control machine A;
S206,在目标服务器B上通过tlntsess.exe接收到上述指令;S206, the above instruction is received on the target server B through tlntsess.exe;
S207,在目标服务器B上通过tlntsess.exe启动Shell程序cmd.exe。S207, start the shell program cmd.exe through tlntsess.exe on the target server B.
图3绘示出本公开实施例中“远程启动Shell程序cmd.exe”的非法操作流程图。如图3所示,在黑客远控机A产生一任务为“启动目标服务器B上的Shell程序cmd.exe”,该任务执行的操作流程为:FIG. 3 illustrates an illegal operation flowchart of “remotely launching Shell program cmd.exe” in an embodiment of the present disclosure. As shown in FIG. 3, a task generated by the hacker remote control machine A is “starting the Shell program cmd.exe on the target server B”, and the operation process performed by the task is:
S301,在黑客远控机A上,通过ms17-010漏洞(此漏洞为勒索者病毒Wannacry实际使用的漏洞)向目标服务器B发送数据包(该数据包为特殊构建的、包含有勒索者病毒的攻击代码);S301, on the hacker remote control machine A, send a data packet to the target server B through the ms17-010 vulnerability (this vulnerability is actually used by the ransomware virus Wannacry) (the data packet is specially constructed and contains the ransomware virus) Attack code);
S302,在目标服务器B上,由于ms17-010漏洞存在,执行数据包中的勒索者病毒的攻击代码;S302, on the target server B, due to the existence of the ms17-010 vulnerability, the attack code of the ransomware virus in the data packet is executed;
S303,在目标服务器B上,索者病毒的攻击代码,将启动shell的指令注入到spoolsv.exe中;S303, on the target server B, the attacker's virus attack code injects the command to start the shell into spoolsv.exe;
S304,在目标服务器B上,通过spoolsv.exe启动Shell程序cmd.exe。S304. On the target server B, start the shell program cmd.exe through spoolsv.exe.
从本公开的图2~图3可以看出,两个同样地任务,实现的功能均是启动Shell程序cmd.exe,但是其执行的操作流程不一样。It can be seen from FIGS. 2 to 3 of the present disclosure that the two same tasks and the functions achieved are to start the shell program cmd.exe, but the operation flow performed by them is different.
But the legitimate operation flow is that the system's dedicated remote-management service programs, tlntsvr.exe and tlntsess.exe, jointly complete the task: tlntsvr.exe accepts the connection and performs identity authentication, then starts tlntsess.exe to accept the user's commands, and tlntsess.exe finally starts cmd.exe.
The illegitimate operation flow, on the other hand, is that cmd.exe is started by the printer management service program spoolsv.exe.
Clearly, in operation S106 of the present disclosure, whether the operation flow of a task is legitimate is determined by checking whether it conforms to the preset operation flow, which in turn determines whether the task to which the specific operation belongs is legitimate. Specifically, when judging the operation flow, the present disclosure first obtains the operations that make up the operation flow, and then determines whether each operation is consistent with the corresponding operation in the preset operation flow.
Taking Figures 2 and 3 as an example, the illegitimate operation flow contains the operations "start spoolsv.exe" and "spoolsv.exe starts the Shell program cmd.exe", whereas the corresponding legitimate operation flow is "tlntsvr.exe starts tlntsess.exe" and "tlntsess.exe starts the Shell program cmd.exe". Although both flows contain the operation "start the Shell program cmd.exe", the step "tlntsvr.exe starts tlntsess.exe" is missing from the former, and "spoolsv.exe starts cmd.exe" is also inconsistent with "tlntsess.exe starts the Shell program cmd.exe" in the preset task flow. The task operation flow shown in Figure 3 therefore does not conform to the preset operation flow and is illegitimate.
Furthermore, suppose the malicious attack code, instead of injecting into spoolsv.exe, starts tlntsess.exe, injects into it, and then performs the operation of starting the shell program cmd.exe: can that operation then be judged legitimate? Still not, because in the preset legitimate flow tlntsess.exe is legitimate only when it is started by tlntsvr.exe, and not by any other service or program.
Therefore, in operation S106 the present disclosure also needs to determine whether the execution subject of each operation is consistent with the execution subject of the corresponding operation in the preset operation flow; if they are not consistent, the entire operation flow is considered illegitimate.
To judge the legitimacy of the operation flow more accurately, a step of "determining whether the execution object of each operation is legitimate" may also be added. Its principle is the same as that of "determining whether the execution subject of each operation is consistent with the execution subject of the corresponding operation in the preset operation flow", and is not repeated here.
Through operation S106 of the present disclosure, an execution subject and specific operation that "failed the judgment against the first permission set" but "passed the judgment against the second permission set" can be accurately screened to decide whether they represent a "false positive" or a "genuine security threat". Therefore, when the operation flow is judged not to satisfy the preset operation flow, the execution subject or its corresponding specific operation can be confidently deemed a security threat, that is, the execution subject is intercepted so as to interrupt the specific operation it is about to perform; when the operation flow is judged to satisfy the preset operation flow, it can be confidently concluded that a "false positive" occurred in operation S102, and the execution subject and the corresponding specific operation are "released" so that the execution subject performs the specific operation.
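The operation-flow judgment of S106 described above (every operation of the task must match the preset flow in both the operation itself and its execution subject, optionally also its execution object) can be written as a small comparison routine. The following is an added example, not code from the patent or its applicant; the Operation record, the function names, and the subjects "services.exe" and "injector.exe" in the two illegitimate flows are constructed for illustration, since the page only names the programs in the legitimate telnet chain.

```python
"""Operation-flow check in the manner of operation S106: compare the observed
operation flow of a task, step by step, with a preset legitimate flow."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Operation:
    subject: str   # execution subject: the program performing the action
    action: str    # the action, e.g. "start"
    obj: str       # execution object: the program acted upon


# Preset legitimate flow for the task "remotely start the Shell program cmd.exe",
# as described on the page for the telnet service chain.
PRESET_REMOTE_SHELL_FLOW = [
    Operation("tlntsvr.exe", "start", "tlntsess.exe"),
    Operation("tlntsess.exe", "start", "cmd.exe"),
]

# Illegitimate flow of Figure 3: cmd.exe is started by spoolsv.exe. The subject
# of the first step ("services.exe") is a constructed placeholder; the page only
# says "start spoolsv.exe".
SPOOLSV_FLOW = [
    Operation("services.exe", "start", "spoolsv.exe"),
    Operation("spoolsv.exe", "start", "cmd.exe"),
]

# The variant discussed in the text: tlntsess.exe is started (and injected into)
# by something other than tlntsvr.exe. "injector.exe" is a constructed name.
INJECTED_TLNTSESS_FLOW = [
    Operation("injector.exe", "start", "tlntsess.exe"),
    Operation("tlntsess.exe", "start", "cmd.exe"),
]


def check_operation_flow(observed: List[Operation],
                         preset: List[Operation]) -> Tuple[bool, List[str]]:
    """Return (legitimate, reasons).

    Every preset step must be present, in order, with the same action and the
    same execution object (the "operation" check), and with the same execution
    subject (the additional check the text introduces). Any deviation is
    recorded as a reason and makes the whole flow illegitimate."""
    reasons: List[str] = []
    if len(observed) != len(preset):
        reasons.append(f"flow has {len(observed)} operation(s), "
                       f"preset requires {len(preset)}")
    for i, (got, want) in enumerate(zip(observed, preset), start=1):
        if got.action != want.action or got.obj != want.obj:
            reasons.append(f"step {i}: operation '{got.subject} {got.action} {got.obj}' "
                           f"does not match preset '{want.subject} {want.action} {want.obj}'")
        elif got.subject != want.subject:
            reasons.append(f"step {i}: execution subject {got.subject!r} differs "
                           f"from preset subject {want.subject!r}")
    for want in preset[len(observed):]:
        reasons.append(f"missing preset step '{want.subject} {want.action} {want.obj}'")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, flow in [("legitimate", PRESET_REMOTE_SHELL_FLOW),
                       ("spoolsv", SPOOLSV_FLOW),
                       ("injected tlntsess", INJECTED_TLNTSESS_FLOW)]:
        ok, why = check_operation_flow(flow, PRESET_REMOTE_SHELL_FLOW)
        print(name, "->", "release" if ok else "intercept", why)
```

The spoolsv.exe flow fails on two counts (the "tlntsvr.exe starts tlntsess.exe" step is absent and the subject that starts cmd.exe is wrong), while the injected-tlntsess.exe flow fails only on the execution subject of its first step, which is exactly the case the subject check exists for.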
However, based on the examples of Figures 2 and 3, if an attacker who has completed a remote attack first takes control of tlntsvr.exe, then has tlntsvr.exe call tlntsess.exe, and then takes control of tlntsess.exe to start the Shell, the operation-flow judgment of operation S106 above is bypassed. The present disclosure therefore further introduces operations S107 to S108.
S107: obtain the instruction execution sequence corresponding to at least one operation in the task.
The "task" in operation S107 of the present disclosure is the task including the specific operation mentioned earlier in the present disclosure. The present disclosure obtains at least one operation from the task (the operation may be the specific operation or another operation in the task) and obtains the instruction execution sequence corresponding to the execution of that operation. Specifically, the instruction execution sequence of the present disclosure is obtained from stack memory in the operating system (stack memory is automatically allocated, used and reclaimed by the operating system and cannot be controlled by the user).
S108: determine whether the instruction execution sequence matches the preset instruction execution sequence, and if not, process the execution subject.
The preset instruction execution sequence in operation S108 of the present disclosure refers to a legitimate instruction execution sequence. The instruction execution sequence obtained from stack memory is matched against the preset instruction execution sequence to determine whether the sequence obtained from stack memory is legitimate, and thus whether the corresponding operation is legitimate. Specifically, in one embodiment of the present disclosure the matching proceeds by obtaining the function call information in the instruction execution sequence, where the function call information includes the number of function calls (a function called 0 times means the function was not called) and/or the order of function calls, and determining whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence. If the match succeeds, the specific operation performed by the execution subject is released; otherwise, the specific operation performed by the execution subject is intercepted.
Table 1 schematically shows a legitimate instruction execution sequence for "remotely starting the Shell program cmd.exe" in an embodiment of the present disclosure:
[Table 1 is provided on the original page as images PCTCN2018123534-appb-000001 and PCTCN2018123534-appb-000002; its contents are not reproduced in the text.]
Table 1
It should be noted that the order in which an instruction execution sequence is stored in stack memory is the reverse of its execution order; for ease of explanation, Table 1 is laid out from top to bottom in execution order. Some of the key instructions in instruction execution sequence 1 and instruction execution sequence 2 of Table 1 are explained below, as shown in Table 2:
[Table 2 is provided on the original page as image PCTCN2018123534-appb-000003; its contents are not reproduced in the text.]
Table 2
It can be seen from Tables 1 and 2 that when a (legitimate) operation is executed, its instruction execution sequence has a clear structure. Every call originates from tlntsvr and tlntsess themselves or from system API calls, and from the instruction execution sequences at each level of the call stack one can clearly see each key step within each service or program, the start of each key task, how the levels link to one another, and the thread of the overall flow.
However, for the same task "remotely start the Shell program cmd.exe", an attacker who has exploited a vulnerability to remotely obtain system control of the server may call tlntsess.exe through tlntsvr.exe and then control tlntsess.exe to start the Shell program cmd.exe, as shown in Table 3. Table 3 schematically shows an illegitimate instruction execution sequence for "remotely starting the Shell program cmd.exe" in an embodiment of the present disclosure:
Instruction execution sequence 3               Instruction execution sequence 4
(tlntsvr.exe starting tlntsess.exe)            (tlntsess.exe starting cmd.exe)
ntdll!RtlInitializeExceptionChain              ntdll!RtlInitializeExceptionChain
ntdll!RtlInitializeExceptionChain              ntdll!RtlInitializeExceptionChain
kernel32!BaseThreadInitThunk                   kernel32!BaseThreadInitThunk
0x70ce1163                                     0x730711b0
kernel32!CreateProcessW                        kernel32!CreateProcessW
Table 3
Comparing Table 1 with Table 3 makes clear that "remotely starting the Shell program cmd.exe" as shown in Table 1 requires the two operations "tlntsvr.exe starts tlntsess.exe" and "tlntsess.exe starts cmd.exe". In "remotely starting the Shell program cmd.exe" as shown in Table 3, the malicious attacker, in order to imitate the normal task flow and complete the task, likewise performs the two operations "tlntsvr.exe starts tlntsess.exe" and "tlntsess.exe starts cmd.exe", so the two are identical at the level of the operation flow. Analysis of the instruction execution sequences in stack memory, however, shows that the two are completely different and have nothing in common. Table 3 further shows that the illegitimate instruction execution sequence starts directly from a separate thread and then starts the corresponding program from a code address outside system code space; none of the instructions and call sequence that should be present during normal operation can be seen in it, and its illegitimacy and abnormality are plainly distinguishable.
Referring again to legitimate instruction execution sequence 1 in Table 1, one of its instructions is "kernel32!CreateProcessW", meaning that the function "CreateProcessW" in the dynamic link library "kernel32.dll" was called once, and the effect of calling this function is to "start a specified program". Therefore, when determining whether an instruction execution sequence matches the preset instruction execution sequence, the present disclosure can match on the function call information in the two sequences, including whether functions with different roles have been called, how many times they were called, and the order in which they were called.
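The S107 to S108 matching just described (function call counts and call order of a captured call stack against a preset sequence, with the stored stack read in reverse to obtain execution order) can be implemented as follows. This is an added example, not the patent's or its applicant's code. The observed sequence is sequence 3 of Table 3 as it appears on the page; the preset sequence is a constructed stand-in for Table 1, which the page only supplies as an image, so its tlntsvr function names are hypothetical. The extra check that every frame resolves to a known module, and that the module is one of those the text says legitimate calls come from, is a refinement of the page's own observation that the illegitimate sequence passes through a raw address outside system code space.

```python
"""Instruction-execution-sequence matching in the manner of operations S107-S108:
compare the function call information of a captured call stack with a preset,
legitimate sequence."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

FRAME_RE = re.compile(r"^(?P<module>[A-Za-z0-9_.]+)!(?P<function>[A-Za-z0-9_]+)$")
ADDR_RE = re.compile(r"^0x[0-9a-fA-F]+$")


class Frame(NamedTuple):
    module: Optional[str]    # None when the frame is a raw address in no known module
    function: Optional[str]


def parse_frame(text: str) -> Frame:
    """Parse one frame in 'module!Function' form; a bare hex address has no module."""
    text = text.strip()
    m = FRAME_RE.match(text)
    if m:
        return Frame(m["module"].lower(), m["function"])
    if ADDR_RE.match(text):
        return Frame(None, None)
    raise ValueError(f"unrecognised frame: {text!r}")


def execution_order(stack_as_stored: List[str]) -> List[str]:
    """Stack memory holds frames innermost first, the reverse of execution order."""
    return list(reversed(stack_as_stored))


def call_info(frames: List[Frame]) -> Tuple[Dict[str, int], List[str]]:
    """Function call information: how often each function was called, and in what order."""
    names = [f"{f.module}!{f.function}" for f in frames if f.module is not None]
    return dict(Counter(names)), names


def match_sequence(observed: List[str], preset: List[str],
                   allowed_modules: Set[str]) -> Tuple[bool, List[str]]:
    """Return (match, reasons). Both sequences are given in execution order."""
    obs = [parse_frame(t) for t in observed]
    pre = [parse_frame(t) for t in preset]
    reasons: List[str] = []
    for i, f in enumerate(obs, start=1):
        if f.module is None:
            reasons.append(f"frame {i} ({observed[i - 1]}) is a raw address outside any known module")
        elif f.module not in allowed_modules:
            reasons.append(f"frame {i} calls into unexpected module {f.module!r}")
    obs_counts, obs_order = call_info(obs)
    pre_counts, pre_order = call_info(pre)
    for name in sorted(set(obs_counts) | set(pre_counts)):
        got, want = obs_counts.get(name, 0), pre_counts.get(name, 0)
        if got != want:  # includes functions called 0 times on either side
            reasons.append(f"{name} called {got} time(s), preset expects {want}")
    if obs_order != pre_order:
        reasons.append("function call order differs from the preset sequence")
    return (not reasons, reasons)


# Constructed stand-in for legitimate sequence 1 of Table 1 (an image on the page).
# The two tlntsvr function names are hypothetical.
PRESET_SEQUENCE_1 = [
    "ntdll!RtlUserThreadStart",
    "kernel32!BaseThreadInitThunk",
    "tlntsvr!ServiceMain",
    "tlntsvr!StartSessionProcess",
    "kernel32!CreateProcessW",
]
# Modules the text says legitimate calls come from: the telnet programs and system APIs.
ALLOWED_MODULES = {"ntdll", "kernel32", "tlntsvr", "tlntsess"}

# Illegitimate sequence 3 of Table 3, in execution order as the page lays it out.
OBSERVED_SEQUENCE_3 = [
    "ntdll!RtlInitializeExceptionChain",
    "ntdll!RtlInitializeExceptionChain",
    "kernel32!BaseThreadInitThunk",
    "0x70ce1163",
    "kernel32!CreateProcessW",
]

if __name__ == "__main__":
    ok, why = match_sequence(OBSERVED_SEQUENCE_3, PRESET_SEQUENCE_1, ALLOWED_MODULES)
    print("release" if ok else "intercept")
    for r in why:
        print(" -", r)
```

Against the preset, sequence 3 is rejected on three independent grounds: the unresolved address 0x70ce1163, the call counts (RtlInitializeExceptionChain twice, none of the tlntsvr functions at all), and the call order. A sequence with the right functions in the wrong order fails only the order check, which is why the embodiment keeps both counts and order.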
It can be seen from operations S107 to S108 of the embodiment of the present disclosure that, after the operation flow of the task has passed the judgment of S106, the legitimacy of the task's instruction execution sequence is further judged. When the instruction execution sequence passes this judgment, the execution subject and its specific operation from the initial S101 are considered legitimate and released; otherwise, the execution subject and its specific operation are intercepted. S107 to S108 therefore further ensure the security of the operation. FIG. 4 schematically shows a block diagram of an operation detection system according to an embodiment of the present disclosure.
As shown in FIG. 4, the operation detection system 400 includes a first acquisition module 410, a first judgment module 420, a second acquisition module 430, a second judgment module 440, a third acquisition module 450, a third judgment module 460, a fourth acquisition module 470 and a fourth judgment module 480. The operation detection system 400 can perform the method described above with reference to FIG. 1 to detect a specific operation.
Specifically, the first acquisition module 410 is configured to obtain, before a specific operation is performed, the execution subject that performs the specific operation; the first judgment module 420 is configured to judge, according to the first permission set, whether the execution subject has permission to perform the specific operation and, if not, to invoke the second acquisition module 430; the second acquisition module 430 is configured to obtain the operation state of the execution subject and to obtain the corresponding second permission set according to that operation state; the second judgment module 440 is configured to judge, according to the second permission set, whether the execution subject has permission to perform the specific operation and, if so, to invoke the third acquisition module 450 and, if not, to process the execution subject; the third acquisition module 450 is configured to obtain the task including the specific operation, the task corresponding to an operation flow that performs at least one operation; the third judgment module is configured to judge whether the operation flow satisfies the preset operation flow and, if so, to invoke the fourth acquisition module and, if not, to process the execution subject; the fourth acquisition module is configured to obtain the instruction execution sequence corresponding to at least one operation in the task; and the fourth judgment module is configured to judge whether the instruction execution sequence matches the preset instruction execution sequence and, if not, to process the execution subject.
It can be understood that the first acquisition module 410, the first judgment module 420, the second acquisition module 430, the second judgment module 440, the third acquisition module 450, the third judgment module 460, the fourth acquisition module 470 and the fourth judgment module 480 may be combined and implemented in a single module, or any one of these modules may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in a single module. According to an embodiment of the present invention, at least one of the first acquisition module 410, the first judgment module 420, the second acquisition module 430, the second judgment module 440, the third acquisition module 450, the third judgment module 460, the fourth acquisition module 470 and the fourth judgment module 480 may be implemented at least partly as a hardware circuit, for example a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on a substrate, a system in a package, an application specific integrated circuit (ASIC), or any other reasonable way of integrating or packaging a circuit, in hardware or firmware, or by an appropriate combination of software, hardware and firmware. Alternatively, at least one of the first acquisition module 410, the first judgment module 420, the second acquisition module 430, the second judgment module 440, the third acquisition module 450, the third judgment module 460, the fourth acquisition module 470 and the fourth judgment module 480 may be implemented at least partly as a computer program module which, when run by a computer, performs the function of the corresponding module.
FIG. 5 schematically shows a block diagram of an electronic device according to another embodiment of the present disclosure.
As shown in FIG. 5, the electronic device 500 includes a processor 510 and a computer-readable storage medium 520. The electronic device 500 can perform the method described above with reference to FIG. 1 to detect a specific operation.
Specifically, the processor 510 may include, for example, a general-purpose microprocessor, an instruction set processor and/or related chipsets, and/or a special-purpose microprocessor (for example an application specific integrated circuit (ASIC)), and so on. The processor 510 may also include on-board memory for caching purposes. The processor 510 may be a single processing unit or multiple processing units for performing the different actions of the method flow according to the embodiment of the present disclosure described with reference to FIG. 1.
The computer-readable storage medium 520 may be, for example, any medium capable of containing, storing, conveying, propagating or transmitting instructions. For example, the readable storage medium may include, but is not limited to, electrical, magnetic, optical, electromagnetic, infrared or semiconductor systems, apparatus, devices or propagation media. Specific examples of readable storage media include: magnetic storage devices such as magnetic tape or hard disks (HDD); optical storage devices such as compact discs (CD-ROM); memory such as random access memory (RAM) or flash memory; and/or wired/wireless communication links.
The computer-readable storage medium 520 may include a computer program 521, and the computer program 521 may include code/computer-executable instructions which, when executed by the processor 510, cause the processor 510 to perform, for example, the method flow described above in connection with FIG. 1 and any variation thereof.
The computer program 521 may be configured to have computer program code including, for example, computer program modules. For example, in an example embodiment, the code in the computer program 521 may include one or more program modules, for example module 521A, module 521B, .... It should be noted that the manner of dividing the modules and their number are not fixed, and a person skilled in the art may use suitable program modules or combinations of program modules according to the actual situation; when these combinations of program modules are executed by the processor 510, the processor 510 can perform, for example, the method flow described above in connection with FIGS. 2 to 3D and any variation thereof.
According to an embodiment of the present invention, at least one of the first acquisition module 410, the first judgment module 420, the second acquisition module 430, the second judgment module 440, the third acquisition module 450 and the third judgment module 460 may be implemented as a computer program module as described with reference to FIG. 5, which, when executed by the processor 510, can implement the corresponding operations described above.
A person skilled in the art will understand that the features recited in the various embodiments and/or claims of the present disclosure may be combined in various ways, even if such combinations are not explicitly recited in the present disclosure. In particular, the features recited in the various embodiments and/or claims of the present disclosure may be combined in various ways without departing from the spirit and teaching of the present disclosure. All such combinations fall within the scope of the present disclosure.
Although the present disclosure has been shown and described with reference to specific exemplary embodiments thereof, a person skilled in the art should understand that various changes in form and detail may be made to it without departing from the spirit and scope of the present disclosure as defined by the appended claims and their equivalents. Therefore, the scope of the present disclosure should not be limited to the embodiments described above, but should be determined not only by the appended claims but also by their equivalents.

Claims (28)

  1. An operation detection method, comprising:
    S1, before a specific operation is performed, obtaining the execution subject that performs the specific operation;
    S2, judging, according to a first permission set, whether the execution subject has permission to perform the specific operation, and if not, performing operation S3;
    S3, obtaining the operation state of the execution subject, and obtaining the corresponding second permission set according to the operation state of the execution subject;
    S4, judging, according to the second permission set, whether the execution subject has permission to perform the specific operation; if so, performing operation S5, and if not, processing the execution subject;
    S5, obtaining a task including the specific operation, the task corresponding to an operation flow that performs at least one operation;
    S6, judging whether the operation flow satisfies a preset operation flow; if so, performing operation S7, and if not, processing the execution subject;
    S7, obtaining the instruction execution sequence corresponding to at least one operation in the task;
    S8, judging whether the instruction execution sequence matches a preset instruction execution sequence, and if not, processing the execution subject.
  2. The operation detection method according to claim 1, wherein in step S6, judging whether the operation flow satisfies the preset operation flow comprises:
    obtaining at least one operation corresponding to the operation flow;
    judging whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow.
  3. The operation detection method according to claim 2, wherein judging whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow comprises:
    judging whether the execution subject of each of the at least one operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
  4. The operation detection method according to any one of claims 1-3, further comprising, before step S1:
    S0, creating the first permission set, the first permission set including the operation permissions of at least one execution subject in any operation state.
  5. The operation detection method according to any one of claims 1-4, further comprising, before step S1:
    S0', creating at least one second permission set, wherein each second permission set corresponds to one operation state of one execution subject, and each second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state.
  6. The operation detection method according to claim 5, wherein the at least one second permission set is stored at a remote end, and in step S3, obtaining the corresponding second permission set according to the operation state of the execution subject comprises:
    sending a request to the remote end, the request including information on the execution subject and its operation state;
    obtaining the second permission set sent by the remote end, the second permission set being returned by the remote end in response to the request.
  7. The operation detection method according to any one of claims 1-6, wherein in step S3, obtaining the operation state of the execution subject comprises at least:
    determining the operation state of the execution subject according to the manner in which the execution subject is invoked, wherein when the execution subject is invoked directly by a user, its operation state is determined to be a first operation state, and when the execution subject is invoked by another execution subject, its operation state is determined to be a second operation state.
  8. The operation detection method according to claim 1, wherein in step S8, judging whether the instruction execution sequence matches the preset instruction execution sequence comprises:
    obtaining function call information in the instruction execution sequence, the function call information including the number of function calls and/or the order of function calls;
    judging whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence.
  9. The operation detection method according to any one of claims 1-7, wherein in step S7, obtaining the instruction execution sequence corresponding to at least one operation in the task comprises:
    obtaining the instruction execution sequence corresponding to at least one operation in the task from stack memory.
  10. An operation detection system, comprising:
    a first acquisition module, configured to obtain, before a specific operation is performed, the execution subject that performs the specific operation;
    a first judgment module, configured to judge, according to a first permission set, whether the execution subject has permission to perform the specific operation, and if not, to invoke a second acquisition module;
    the second acquisition module, configured to obtain the operation state of the execution subject and to obtain the corresponding second permission set according to the operation state of the execution subject;
    a second judgment module, configured to judge, according to the second permission set, whether the execution subject has permission to perform the specific operation; if so, to invoke a third acquisition module, and if not, to process the execution subject;
    the third acquisition module, configured to obtain a task including the specific operation, the task corresponding to an operation flow that performs at least one operation;
    a third judgment module, configured to judge whether the operation flow satisfies a preset operation flow; if so, to invoke a fourth acquisition module, and if not, to process the execution subject;
    the fourth acquisition module, configured to obtain the instruction execution sequence corresponding to at least one operation in the task;
    a fourth judgment module, configured to judge whether the instruction execution sequence matches a preset instruction execution sequence, and if not, to process the execution subject.
  11. The operation detection system according to claim 10, wherein in the third judgment module, judging whether the operation flow satisfies the preset operation flow comprises:
    obtaining at least one operation corresponding to the operation flow;
    judging whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow.
  12. The operation detection system according to claim 11, wherein the third judgment module judging whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow comprises:
    judging whether the execution subject of each of the at least one operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
  13. The operation detection system according to any one of claims 10-12, further comprising:
    a first creation module, configured to create the first permission set, the first permission set including the operation permissions of at least one execution subject in any operation state.
  14. The operation detection system according to any one of claims 9-13, further comprising:
    a second creation module, configured to create at least one second permission set, wherein each second permission set corresponds to one operation state of one execution subject, and each second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state.
  15. The operation detection system according to claim 14, wherein the at least one second permission set is stored at a remote end, and the second acquisition module obtaining the corresponding second permission set according to the operation state of the execution subject comprises:
    sending a request to the remote end, the request including information on the execution subject and its operation state;
    obtaining the second permission set sent by the remote end, the second permission set being returned by the remote end in response to the request.
  16. The operation detection system according to any one of claims 10-15, wherein the second acquisition module obtaining the operation state of the execution subject comprises at least:
    determining the operation state of the execution subject according to the manner in which the execution subject is invoked, wherein when the execution subject is invoked directly by a user, its operation state is determined to be a first operation state, and when the execution subject is invoked by another execution subject, its operation state is determined to be a second operation state.
  17. The operation detection system according to claim 10, wherein the fourth judgment module judging whether the instruction execution sequence matches the preset instruction execution sequence comprises:
    obtaining function call information in the instruction execution sequence, the function call information including the number of function calls and/or the order of function calls;
    judging whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence.
  18. The operation detection system according to any one of claims 10-17, wherein the fourth acquisition module obtaining the instruction execution sequence corresponding to at least one operation in the task comprises:
    从栈内存中获取所述任务中至少一个操作所对应的指令执行序列。Obtain the instruction execution sequence corresponding to at least one operation in the task from the stack memory.
  19. An electronic device, comprising:
    a processor;
    a memory storing computer-executable instructions which, when executed by the processor, cause the processor to perform:
    S1, before a specific operation is performed, acquiring the execution subject that performs the specific operation;
    S2, determining, according to a first permission set, whether the execution subject has permission to perform the specific operation, and if not, performing operation S3;
    S3, acquiring the operation state of the execution subject, and acquiring the corresponding second permission set according to the operation state of the execution subject;
    S4, determining, according to the second permission set, whether the execution subject has permission to perform the specific operation; if yes, performing operation S5, and if not, processing the execution subject;
    S5, acquiring a task that includes the specific operation, the task corresponding to an operation flow in which at least one operation is performed;
    S6, determining whether the operation flow satisfies a preset operation flow; if yes, performing operation S7, and if not, processing the execution subject;
    S7, acquiring the instruction execution sequence corresponding to at least one operation in the task;
    S8, determining whether the instruction execution sequence matches a preset instruction execution sequence, and if not, processing the execution subject.
  20. The electronic device according to claim 19, wherein, when executing step S6, the processor determining whether the operation flow satisfies the preset operation flow comprises:
    acquiring at least one operation corresponding to the operation flow;
    determining whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow.
  21. The electronic device according to claim 20, wherein the processor determining whether each of the at least one operation is consistent with the corresponding operation in the preset operation flow comprises:
    determining whether the execution subject of each of the at least one operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
  22. The electronic device according to any one of claims 19-21, wherein, before executing step S1, the processor further executes:
    S0, creating a first permission set, the first permission set comprising the operation permissions of at least one execution subject in any operation state.
  23. The electronic device according to any one of claims 19-22, wherein, before executing step S1, the processor further executes:
    S0', creating at least one second permission set, wherein each second permission set corresponds to one operation state of one execution subject, and each second permission set comprises the operation permissions of the corresponding execution subject in the corresponding operation state.
  24. The electronic device according to claim 23, wherein the at least one second permission set is stored at a remote end, and, when executing step S3, the processor acquiring the corresponding second permission set according to the operation state of the execution subject comprises:
    sending a request to the remote end, the request comprising information on the execution subject and its operation state;
    acquiring a second permission set sent by the remote end, wherein the second permission set is returned by the remote end in response to the request.
  25. The electronic device according to any one of claims 19-24, wherein, when executing step S3, the processor acquiring the operation state of the execution subject comprises at least:
    determining the operation state of the execution subject according to the manner in which the execution subject is invoked, wherein when the execution subject is invoked directly by a user, the operation state of the execution subject is determined to be a first operation state, and when the execution subject is invoked by another execution subject, the operation state of the execution subject is determined to be a second operation state.
  26. The electronic device according to claim 19, wherein, when executing step S8, the processor determining whether the instruction execution sequence matches the preset instruction execution sequence comprises:
    acquiring function call information in the instruction execution sequence, the function call information comprising the number of function calls and/or the order of function calls;
    determining whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence.
  27. The electronic device according to any one of claims 19-26, wherein, when executing step S7, the processor acquiring the instruction execution sequence corresponding to at least one operation in the task comprises:
    acquiring, from stack memory, the instruction execution sequence corresponding to at least one operation in the task.
  28. A computer-readable medium storing computer-executable instructions which, when executed, are used to implement the method according to any one of claims 1-9.
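The following is an added example, not code from the patent or its applicant: a small Python model of the S1-S8 pipeline of claims 19-27 (the system claims 10-18 describe the same checks as modules). All subject names, operation names, function names, permission sets and presets are constructed for illustration. The remote end of claim 24 is simulated by a local lookup behind a request-shaped call, and the stack-memory read of claim 27 is replaced by a list of function names handed in with each operation; a real implementation would obtain both from the outside.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional, Tuple

# Operation states of claim 25, derived from how the execution subject was invoked.
FIRST_STATE = "direct"     # invoked directly by a user
SECOND_STATE = "indirect"  # invoked by another execution subject


@dataclass
class Operation:
    name: str                 # the specific operation (constructed name)
    subject: str              # execution subject performing it
    call_sequence: List[str]  # instruction execution sequence as function names;
                              # stands in for what claim 27 reads from stack memory


# Constructed permission data (hypothetical, not from the patent).
# First permission set (claim 22): permissions that hold in ANY operation state.
FIRST_PERMISSION_SET: Dict[str, FrozenSet[str]] = {
    "updater.exe": frozenset({"modify_startup", "write_config"}),
}

# Second permission sets (claim 23): one per (subject, operation state), kept at
# the "remote end" of claim 24; fetch_remote_permissions simulates the exchange.
_REMOTE_SECOND_PERMISSION_SETS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("installer.exe", FIRST_STATE): frozenset({"modify_startup", "write_config"}),
    ("installer.exe", SECOND_STATE): frozenset({"write_config"}),
}


def determine_operation_state(caller: Optional[str]) -> str:
    """Claim 25: no caller means direct user invocation (first state); any other
    execution subject as the caller means the second state."""
    return FIRST_STATE if caller is None else SECOND_STATE


def fetch_remote_permissions(subject: str, state: str) -> FrozenSet[str]:
    """Claim 24: the request carries subject and state; the remote end answers
    with the matching second permission set (empty if it holds none)."""
    request = {"subject": subject, "state": state}  # what would go on the wire
    return _REMOTE_SECOND_PERMISSION_SETS.get((request["subject"], request["state"]), frozenset())


def flow_matches_preset(task: List[Operation], preset_flow: List[Tuple[str, str]]) -> bool:
    """Claims 20-21: each task operation must match the preset (subject, operation)
    at the same position, the execution subject included."""
    if len(task) != len(preset_flow):
        return False
    return all(op.subject == subj and op.name == name
               for op, (subj, name) in zip(task, preset_flow))


def call_info_matches_preset(call_sequence: List[str], preset: Dict[str, Any]) -> bool:
    """Claim 26: compare call order and/or call counts with the preset."""
    if "order" in preset and call_sequence != preset["order"]:
        return False
    if "counts" in preset and Counter(call_sequence) != Counter(preset["counts"]):
        return False
    return True


def detect(task: List[Operation], specific_op: Operation, caller: Optional[str],
           preset_flow: List[Tuple[str, str]],
           preset_calls: Dict[str, Dict[str, Any]]) -> str:
    """Steps S1-S8 of claim 19. Returns "allow", or "process:<step>" naming the
    step at which the execution subject must be processed."""
    subject = specific_op.subject                                                # S1
    if specific_op.name not in FIRST_PERMISSION_SET.get(subject, frozenset()):  # S2
        state = determine_operation_state(caller)                                # S3
        if specific_op.name not in fetch_remote_permissions(subject, state):     # S4
            return "process:S4"
    if not flow_matches_preset(task, preset_flow):                               # S5, S6
        return "process:S6"
    for op in task:                                                              # S7
        preset = preset_calls.get(op.name)
        # An operation without a preset sequence is treated as a mismatch (fail closed).
        if preset is None or not call_info_matches_preset(op.call_sequence, preset):  # S8
            return "process:S8"
    return "allow"


# Constructed presets and scenarios.
PRESET_FLOW = [("installer.exe", "write_config"), ("installer.exe", "modify_startup")]
PRESET_CALLS = {
    "write_config": {"order": ["open", "write", "close"]},
    "modify_startup": {"counts": {"RegOpenKey": 1, "RegSetValue": 1, "RegCloseKey": 1}},
}


def run_scenarios() -> Dict[str, str]:
    cfg = Operation("write_config", "installer.exe", ["open", "write", "close"])
    startup = Operation("modify_startup", "installer.exe", ["RegOpenKey", "RegSetValue", "RegCloseKey"])
    doubled = Operation("modify_startup", "installer.exe",
                        ["RegOpenKey", "RegSetValue", "RegSetValue", "RegCloseKey"])
    upd = Operation("modify_startup", "updater.exe", ["RegOpenKey", "RegSetValue", "RegCloseKey"])
    return {
        "benign_direct": detect([cfg, startup], startup, None, PRESET_FLOW, PRESET_CALLS),
        "invoked_by_other_subject": detect([cfg, startup], startup, "launcher.exe", PRESET_FLOW, PRESET_CALLS),
        "flow_reordered": detect([startup, cfg], startup, None, PRESET_FLOW, PRESET_CALLS),
        "extra_function_call": detect([cfg, doubled], doubled, None, PRESET_FLOW, PRESET_CALLS),
        # updater.exe is in the first permission set, so S2 passes whatever the caller.
        "first_set_any_state": detect([upd], upd, "scheduler.exe",
                                      [("updater.exe", "modify_startup")], PRESET_CALLS),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The scenarios show the three distinct places the claims send a subject for processing: a subject invoked by another subject loses the permissions it would have when invoked directly by a user (S4), a task whose operations are not in the preset order is rejected even though each operation is individually permitted (S6), and a permitted operation whose function call counts deviate from the preset is rejected at the last stage (S8). The first permission set short-circuits S3 and S4, which is why it should be kept to permissions that are safe in any state.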

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/123534 WO2020132876A1 (en) 2018-12-25 2018-12-25 Operation detection method and system, and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/123534 WO2020132876A1 (en) 2018-12-25 2018-12-25 Operation detection method and system, and electronic device

Publications (1)

Publication Number Publication Date
WO2020132876A1 true WO2020132876A1 (en) 2020-07-02

Family

ID=71127292

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/123534 WO2020132876A1 (en) 2018-12-25 2018-12-25 Operation detection method and system, and electronic device

Country Status (1)

Country Link
WO (1) WO2020132876A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067911A (en) * 2012-12-17 2013-04-24 中国联合网络通信集团有限公司 Method and equipment used for controlling hardware module
CN104166818A (en) * 2014-07-02 2014-11-26 百度在线网络技术(北京)有限公司 Authority control method, device and system
US20160098570A1 (en) * 2013-08-28 2016-04-07 Huawei Device Co., Ltd. Method and Apparatus for Determining Permission of Application Program
CN107944258A (en) * 2017-11-21 2018-04-20 广东欧珀移动通信有限公司 Start control method, device, storage medium and the terminal of application with method of service



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18944927; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18944927; Country of ref document: EP; Kind code of ref document: A1)