CN101872400A - Method for establishing computer information security protection capable of judging security of computer operation request according to associative relation of computing system operation request - Google Patents

Publication number: CN101872400A
Authority: CN (China)
Prior art keywords: node, request, operation request, computer, rule
Legal status: Granted; Expired - Fee Related
Application number: CN200910049945A
Other languages: Chinese (zh)
Other versions: CN101872400B (en)
Inventors: 汪家祥, 曲立东
Current Assignee: Zhongtian Aetna (beijing) Information Technology Co Ltd
Original Assignee: Individual
Landscapes: Storage Device Security

Abstract

The invention relates to a method for establishing computer information security protection capable of judging the security of a computer operation request according to the associative relation of a computing system operation request. The method comprises the following steps: in the computation running state, intercepting an operation request generated by the kernel or hardware abstraction layer of a computer operating system; according to the attribute of the intercepted operation request, creating a virtual node under some node of the existing associative architecture, establishing an associative relation, forming a virtual associative architecture; backtracking the root node of the virtual node in the virtual associative architecture, obtaining the associative rule of the current operation request in the virtual associative architecture; according to the associative rule obtained by backtracking, matching with the defined dangerous operation rule to determine whether a hazard exists; and according to the matching result by matching with the dangerous operation rule, deciding whether the current operation is allowed to execute, and updating the associative architecture. The invention overcomes the problem that other systems need to particularly analyze the characteristics of malicious codes and the characteristics of different operating systems and different application systems, and has the ability of preventing unknown malicious codes beforehand.

Description

Method for establishing computer information security protection capable of judging the security of a computer operation request according to the associative relation of computing system operation requests
Technical field:
The present invention relates to a method for protecting computer system security, and more specifically to a method for establishing computer information security protection that judges the security of a computer operation request according to the associative relation of computing system operation requests.
Background technology:
With the spread of computer application technology and network communication technology, the information platform formed by computer applications and network services has become one of the basic conditions of daily life for work, study, shopping and the like. While people enjoy the convenience that the information platform brings, almost no one escapes harm from malicious code.
The systems commonly used today to protect the information platforms people use every day are mainly the "blacklist" class, such as antivirus software and firewall software, and the "whitelist" class, such as "waterproof"-class software and active-defense software; less common are "trusted" operating systems, "secure" operating systems and "protection-class" security systems.
Among these security systems, "blacklist" systems are relatively widely used, while "whitelist" systems, "trusted systems" and "operating system hardening" systems have a relatively narrow range of application because of the high technical demands of applying them.
"Blacklist" systems achieve their security guarantee by "scan-and-kill", in four steps: detecting a problem in the system, locating the malicious code, analyzing the signature of the malicious code, and removing the malicious code. A "scan-and-kill" system needs the following technical guarantees: 1. problems in the computing system must be found in time; 2. the cause of the problem must be located accurately; 3. the features of the malicious code must be analyzed accurately; 4. the malicious code must be removed completely. In practice, finding every problem that exists on a computer is already very difficult, and the accuracy and completeness of the other steps can be guaranteed even less. A "scan-and-kill" system is therefore an after-the-fact remedy: it does not guarantee the security of the operating system, and it has no ability to guard against unknown malicious code.
"Whitelist" systems determine which programs are allowed to run and which are not. Their outstanding problem is that they cannot guarantee the correctness of what an allowed program loads and calls while its code executes, nor the correctness of associated loading and calling between programs. "Whitelist" systems are therefore difficult to popularize in practical applications.
"Trusted systems" and "protection" systems generally have a stronger ability to resist malicious code and, in theory, can also resist unknown malicious code. However, they place high demands on the person applying them: the user must be familiar with the operating system and very familiar with the application system, must be able to write the corresponding security definitions for both, and must be able to trace and analyze system execution. Because of these high technical requirements, such systems are used only in high-end application fields.
Summary of the invention:
The object of the present invention is to address the deficiencies of existing information security theory and information security technology by providing a method for establishing computer information security protection that judges the security of a computer operation request according to the associative relation of computing system operation requests.
The object of the invention is achieved by the following measures: a method for establishing computer information security protection that judges the security of a computer operation request according to the associative relation of computing system operation requests, characterized in that it comprises the following steps:
Step 1: in the computing running state, intercept the operation requests generated by the computer operating system kernel or hardware abstraction layer;
Step 2: according to the attributes of the intercepted operation request, create a virtual node under a known node of the existing associative architecture and establish the associative relation, constituting a virtual associative architecture;
Step 3: backtrack to the root node of the virtual node in the virtual associative architecture to obtain the associative rule of the current operation request in the virtual associative architecture;
Step 4: match the associative rule obtained by backtracking against the defined dangerous operation rules to determine whether a hazard exists;
Step 5: according to the result of matching against the dangerous operation rules, decide whether the current operation is allowed to execute, and update the associative architecture.
The interception in step 1 is performed using the filtering functions inside the operating system: file filtering, device filtering and network packet filtering.
The operation requests intercepted in step 1 are the file operation requests, configuration operation requests, memory operation requests, disk operation requests and network operation requests inside the computer.
The attributes of the operation request in step 2 are the operation request initiator, the requested operation object and the requested operation type.
The existing associative architecture in step 2 is a system operation request trace-back structure in which only operation requests initiated by the operating system kernel, components and services, and application system operation requests initiated by the end user, are defined as root nodes; operation requests initiated by these root nodes are child nodes, and requests initiated by child nodes are grandchild nodes.
The known node in step 2 is the node in the associative architecture that matches the operation request initiator given in the attributes of any intercepted operation request.
The associative relation in step 2 means that when any request is intercepted, the request is first assumed to succeed and, according to the attributes of the intercepted operation request, a virtual child node is created under the initiator node of the current operation request; when the call comes from a node that already exists, a virtual child association is established. Every operation request initiator is thus associated with its requested operation object, yielding the virtual associated node.
The virtual associative architecture in step 2 is formed by creating a virtual child node under the request initiator's node, according to the request initiator information in the attributes of the intercepted current operation request; this virtual associated node and the existing associative architecture together constitute the virtual associative architecture.
Backtracking to the root node in step 3 means starting from the virtual node and, through the virtual associative architecture already established, tracing the associative relation between the current node and the node one level up, until the original initiator node of the virtual node is reached.
The associative rule in step 3 consists of the request initiator of the current operation request, the requested operation object, the requested operation type, the root node type and the virtual association type information.
The dangerous operation rules defined in step 4 comprise: dangerous file operation request rules, dangerous memory operation request rules, dangerous disk operation request rules, dangerous configuration operation request rules and dangerous network operation request rules.
The matching in step 4 compares the associative rule obtained by backtracking from the virtual node of the current operation request with the defined dangerous operation rules, and judges whether the operation rule of the current operation request falls within the scope of the dangerous operation rules.
Updating the associative architecture in step 5 means: when the match succeeds, the current operation request is not allowed to run, the virtual current node is deleted from the computer operation request associative architecture, and the original associative architecture is kept; when the match fails, the operation is allowed, the virtual node of the current operation request in the computer operation request associative architecture is changed into an effective node, and the associative architecture is updated to a new one.
Compared with the prior art, the method proposed by the present invention changes the current approach of analyzing the features of malicious code or analyzing the features of operating systems and application systems. The invention starts from the observation that any operation of a system is first of all a request inside the system, and that associative relations exist between requests. On the basis of an established associative relation, the invention analyzes the features of system operation requests, sets up illegal operation request rules over the relations between requests, and determines the security of a request by analyzing the associative relation of the operation request. The invention overcomes the need of other systems to specifically analyze the features of malicious code and the features of different operating systems and different application systems, and does not require the person applying it to have the related technical skill. It provides defense in advance and the ability to defend against unknown malicious code: operation requests from both known and unknown malicious code are analyzed and blocked by the invention, which can better make up for the deficiencies of other security theory systems and security products.
Embodiment:
Term definition:
Operation request: a request, made in the course of using a computer, to load, execute or change some device, such as hardware or software code;
Application request: a request initiated to establish the operating environment on the operating system, or required for application code to run;
Operation request associative architecture: while the computer is running, the computer system builds its running state from the operations produced by one operation request after another; the operation request associative architecture is a logical structure, with operation requests as nodes, that reflects the running state of the computer at the current moment;
Dangerous operation request rule: with respect to the operation request associative architecture, a rule defining an operation request that violates the associative relation between certain operation requests;
The method of the present invention is described in detail below. It comprises the following steps:
Step 1: while the computer is running, intercept the operation requests generated by the computer operating system kernel or hardware abstraction layer. The interception uses the filtering functions inside the operating system: file filtering, device filtering and network packet filtering. During startup, a computer normally performs a power-on self-test, loads the micro-kernel, loads the kernel, loads the operating system components and loads applications, at which point operating system loading is complete; once the application environment is loaded, the user performs operations as needed. During operating system loading and during the user's application operations, hardware operations, configuration operations, file operations, memory operations and network communication detection operations are carried out. Before each of these operations executes, a series of operation requests is generated in the operating system kernel and the hardware abstraction layer; these requests ask the corresponding device to act, and the device allocates resources and performs the corresponding steps according to each operation request. Computer operating systems such as Windows, Linux and Unix provide filtering functions such as file filtering, device filtering and network packet filtering, which make it possible to intercept the file operation requests, configuration operation requests, memory operation requests, disk operation requests and network operation requests initiated by the operating system kernel and the hardware abstraction layer. The intercepted operation requests are the file operation requests, configuration operation requests, memory operation requests, disk operation requests and network operation requests inside the computer. A file operation request is mainly a request to read, write, load, modify the attributes of, or execute a file or its content; a configuration operation request is a request to read or rewrite system configuration variables or operating parameters; a memory operation request is mainly a request to read, write or execute memory; a disk operation request is mainly a request to store to or fetch from a storage device in non-file mode; a network operation request is mainly a request initiated over the network to operate on local files, devices, memory and the like.
Step 2: according to the attributes of the intercepted operation request, create a virtual node under a known node of the existing associative architecture and establish the associative relation, constituting a virtual associative architecture. The attributes of the operation request are the operation request initiator, the requested operation object and the requested operation type. The existing associative architecture is a system operation request trace-back structure in which only operation requests initiated by the operating system kernel, components and services, and application system operation requests initiated by the end user, are defined as root nodes; operation requests initiated by these root nodes are child nodes, and requests initiated by child nodes are grandchild nodes. The known node in step 2 is the node in the associative architecture that matches the operation request initiator given in the attributes of any intercepted operation request. Creating the virtual node in step 2 means that when any request is intercepted, the request is first assumed to succeed and, according to the attributes of the intercepted operation request, a virtual child node is created under the initiator node of the current operation request; when the call comes from a node that already exists, a virtual child association is established. Every operation request initiator is thus associated with its requested operation object, yielding the virtual associated node. The associative relation in step 2 means that, within the operation request associative architecture and taking the current node as the reference, the association between the current node and the node one level up is traced back from the current node until the root node of the current node is reached, yielding the association attributes between the current node and each of its upper-level nodes. The virtual associative architecture in step 2 is formed by creating a virtual child node under the request initiator's node, according to the request initiator information in the attributes of the intercepted current operation request; this virtual associated node and the existing associative architecture together constitute the virtual associative architecture. Because this node is not yet an effective node, that is, it does not reflect the current operating state of the computer, the structure containing the virtual node is called a virtual associative architecture. The purpose of building the virtual associative architecture is to establish the inner link between the current operation request and the known operation requests.
Step 3: backtrack to the root node of the virtual node in the virtual associative architecture to obtain the associative rule of the current operation request in the virtual associative architecture. Backtracking to the root node in step 3 means starting from the virtual node and, through the virtual associative architecture already established, tracing the associative relation between the current node and the node one level up, until the original initiator of the virtual node is reached. The associative rule in step 3 consists of the request initiator of the current operation request, the requested operation object, the requested operation type, the root node type and the virtual association type information. Backtracking the associative relations between the virtual node and each related node in the virtual associative architecture serves to locate exactly how the current operation request was caused and produced, and what association features each step leading to the current operation carries, back to the root node of the current operation, that is, which application request at the operating system application layer initiated the current operation request. At that point the association features of the current node and each node on the path make up the associative rule of the current operation request. It follows that the associative rule of an operation request is obtained from an associative architecture that reflects the dynamic running state of the computer; obtaining it is therefore a dynamic process, which overcomes the shortcomings of the static code analysis and system feature analysis that other security systems rely on.
Step 4: match the associative rule obtained by backtracking against the defined dangerous operation rules to determine whether a hazard exists. The dangerous operation rules defined in step 4 comprise: dangerous file operation request rules, dangerous memory operation request rules, dangerous disk operation request rules, dangerous configuration operation request rules and dangerous network operation request rules. A dangerous file operation request rule is a definition of an associative rule that poses a security threat among the operation requests that read, write, load, modify the attributes of, or execute files and file content in the computer system, for example: a write to, or attribute modification of, an executable program initiated by an ordinary non-installer application; or an interpreter-class program, through interpreting a script, performing read or write operations on non-interpretable-class programs. A dangerous memory operation request rule is mainly a definition of an operation rule that poses a security threat among initiated requests to read, write or execute memory, for example requests that operate outside the same memory address space, or dangerous operations such as injecting code into a memory space. A dangerous configuration operation request rule is an operation rule that poses a security threat among initiated reads and rewrites of system configuration variables or operating parameters, for example an application modifying a configuration file or an application modifying configuration parameters. A dangerous network operation request rule is an operation rule that poses a security threat among requests initiated over the network to operate on local files, devices, memory and the like, for example dangerous operations such as requesting a memory address operation or requesting that a new thread be loaded. A disk operation request rule is mainly an operation rule that poses a threat among requests, initiated from the network, to store to or fetch from a storage device in non-file mode, for example dangerous operations such as requesting to operate the disk outside the file system operation mode or requesting operations on specified storage blocks. Viewed by direction of attack, current threats to computer system security can be divided into external intrusion and internal control, and these attacks are accomplished mainly by relying on system vulnerabilities to call system functions illegally and to implant malicious code. In practice, analyzing system vulnerabilities and finding all such code is impossible. This step defines these rules in order to avoid having to analyze malicious code and define system functions. Every harm is realized by using the existing computing system environment, changing some association among operation requests and adding the requests the attacker needs, and these requests are all added through the operating system kernel and the hardware device level. Traditional code analysis and behavior analysis can hardly stop a large amount of harm from occurring. Because a security threat originates in a change to the associative rule of an operation request, the invention, by defining rules over operation request associations, makes it difficult for a security threat to form, and thereby has both the ability to prevent harm and the ability to guard against unknown malicious code. The matching compares the associative rule obtained by backtracking from the virtual node of the current operation request with the defined dangerous operation rules, and judges whether the operation rule of the current operation request falls within the scope of the dangerous operation rules. After the associative rule of the current operation request is obtained, it is matched against the corresponding defined dangerous operation request rules, such as the file, memory, configuration, storage device and network rules, to determine whether the current operation request is dangerous.
Step 5: according to the result of matching against the dangerous operation rules, decide whether the current operation is allowed to execute, and update the associative architecture. The associative architecture is updated in step 5 as follows. When the operation request rule match succeeds: the current operation request is prevented from executing, the virtual current node is deleted from the computer operation request associative architecture, and the original associative architecture is kept. When the operation request rule match fails: the current operation is allowed to execute, the virtual node of the current operation request in the computer operation request virtual associative architecture is changed into an effective node, and a new associative architecture is formed. According to the matching result, this step lets the current operation request through or blocks it, completing effective interception of the operation request, and at the same time updates the computer operation request associative architecture so that it always accurately reflects the current running state of the computer and provides the structure for subsequent virtual nodes.
The following implementation examples provide further illustration:
Example 1: suppose an Office document contains malicious script code that can infect executable programs. The blocking logic is as follows:
When the operating system kernel intercepts a write operation request on the content of an executable file, the request initiator item in the operation request attributes shows that the request was sent by the VBA script engine. To find the associative relation of the current operation request, a virtual node for the current operation is created under the VBA script engine node of the known computer operation request associative architecture, and the associative relation of the current operation is backtracked. The backtracking finds that the request to open a certain Office document is what caused the current operation request. This gives the current operation rule: Office is an ordinary application whose request was triggered by the user; Office requesting the VBA script engine is a normal call; the object of the current operation is a PE file; the operation type is a write. This matches the rule: an ordinary non-installer application performs a write on executable file content. The result is a dangerous action: the operation request is blocked and the virtual node is deleted from the computer operation request associative architecture.
Example 2: suppose the system allows a hacker program to run, and the hacker directly calls a certain system operation through a hard address.
When an operation request on a hard address in the memory space is intercepted, a virtual node is built according to the operation request attributes, and the request is determined to be initiated by the operating system kernel. Backtracking its associative relation finds that the kernel's memory hard-address operation was called by an application. The request associative rule of the current memory operation request is matched against the defined dangerous memory operation request associative rules, and the match succeeds: 1. an operation carried out without a memory request call is a dangerous operation; 2. a remote hard-address operation on memory is dangerous. Result: dangerous operation request. The memory operation is blocked and the virtual node is deleted from the computer operation request associative architecture.
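Steps 2 to 5 and the decision in Example 1, modelled in user space as an added example (this is not code from the patent). Interception is simulated by calling handle() directly; the class names, node kind labels, rule wording, file name and the fail-closed handling of an unknown initiator are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(eq=False)
class Node:
    name: str                     # operation object; may later act as an initiator
    kind: str                     # assumed labels: user_app, installer, component, executable
    op: Optional[str] = None      # operation type that created the node
    parent: Optional["Node"] = None
    virtual: bool = True          # virtual until step 5 makes it effective
    children: List["Node"] = field(default_factory=list)


@dataclass(frozen=True)
class Request:                    # the request attributes named in step 2
    initiator: str
    target: str
    target_kind: str
    op: str


# Constructed rule modelled on the file rule quoted in step 4.
DANGEROUS_RULES: List[Tuple[str, Callable[[dict], bool]]] = [
    ("non-installer application writes executable content",
     lambda r: r["root_kind"] == "user_app"
     and r["op"] in ("write", "set_attr")
     and r["target_kind"] == "executable"),
]


class AssociativeArchitecture:
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}      # effective nodes only, keyed by name

    def add_root(self, name: str, kind: str) -> Node:
        node = Node(name, kind, virtual=False)
        self.nodes[name] = node
        return node

    def backtrack(self, node: Node) -> List[Node]:
        """Step 3: follow parent links from the node up to its root node."""
        path = [node]
        while path[-1].parent is not None:
            path.append(path[-1].parent)
        return path

    def handle(self, req: Request) -> Tuple[bool, Optional[str]]:
        parent = self.nodes.get(req.initiator)
        if parent is None:
            # Assumption: the page does not cover unknown initiators; fail closed.
            return False, "unknown initiator"
        # Step 2: assume the request succeeds and attach a virtual child node.
        vnode = Node(req.target, req.target_kind, req.op, parent)
        parent.children.append(vnode)
        # Step 3: backtrack to the root and assemble the associative rule.
        path = self.backtrack(vnode)
        rule = {
            "initiator": req.initiator, "target": req.target,
            "target_kind": req.target_kind, "op": req.op,
            "root_kind": path[-1].kind,
            "chain": [n.name for n in reversed(path)],
        }
        # Step 4: match against the defined dangerous operation rules.
        hit = next((name for name, pred in DANGEROUS_RULES if pred(rule)), None)
        # Step 5: on a match delete the virtual node, otherwise make it effective.
        if hit is not None:
            parent.children.remove(vnode)
            return False, hit
        vnode.virtual = False
        self.nodes[req.target] = vnode
        return True, None


def demo() -> List[Tuple[bool, Optional[str]]]:
    arch = AssociativeArchitecture()
    arch.add_root("office", "user_app")       # application opened by the end user
    arch.add_root("setup", "installer")
    return [
        arch.handle(Request("office", "vba_engine", "component", "load")),
        arch.handle(Request("vba_engine", "app.exe", "executable", "write")),
        arch.handle(Request("setup", "app.exe", "executable", "write")),
        arch.handle(Request("dropper", "app.exe", "executable", "write")),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("allow" if allowed else "block", reason or "")
```

The same write to app.exe is blocked when its chain backtracks to the Office root and allowed when it backtracks to the installer root, which is the point of deciding on the associative rule rather than on the request alone.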

Claims (13)

1. A method for establishing computer information security protection that judges the security of a computer operation request according to the associative relation of computing system operation requests, characterized in that it comprises the following steps:
Step 1: in the computing running state, intercept the operation requests generated by the operating system kernel or hardware abstraction layer;
Step 2: according to the attributes of the intercepted operation request, create a virtual node under a known node of the existing associative architecture and establish the associative relation, forming a virtual associative architecture;
Step 3: backtrack to the root node of the virtual node in the virtual associative architecture to obtain the associative rule of the current operation request in the virtual associative architecture;
Step 4: match the associative rule obtained by backtracking against the defined dangerous operation rules to determine whether a hazard exists;
Step 5: according to the result of matching against the dangerous operation rules, decide whether the current operation is allowed to execute, and update the associative architecture.
2. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the interception in step 1 is performed using the filtering functions inside the operating system: file filtering, device filtering and network packet filtering.
3. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the operation requests intercepted in step 1 are the file operation requests, configuration operation requests, memory operation requests, disk operation requests and network operation requests inside the computer.
4. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the attributes of the operation request in step 2 are the request initiator (the operator), the requested operation object and the requested operation type.
5. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the existing relational structure in step 2 is a system operation request trace-back structure in which only operation requests initiated by the operating system kernel, components and services, and application system operation requests initiated by the end user, are defined as root nodes; operation requests initiated by those root nodes are child nodes; and requests initiated by child nodes are grandchild nodes.
6. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the "certain node" in step 2 is the node in the relational structure that matches the operation request initiator given in the attributes of any intercepted operation request.
7. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the associative relation in step 2 means that, when any request is intercepted, the request is first assumed to hold; according to the attributes of the intercepted operation request, a virtual child node is created under the initiator node of the current operation request; when the call involves a node that already exists, a virtual child association is established; every operation request initiator is thereby associated with its requested operation object, yielding the virtual associated node.
8. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the virtual associated structure in step 2 is formed by creating a virtual child node under the request initiator's node, based on the request initiator information in the attributes of the intercepted current operation request; this virtual associated node and the existing relational structure together constitute the virtual associated structure.
9. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the root node in step 3 is found through the established virtual associated structure: starting from the virtual node, the association between the current node and the node one level above it is traced back, level by level, until the original initiator node of the virtual node is reached.
10. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the correlation rule in step 3 consists of the request initiator, requested operation object, requested operation type, root node type and virtual association type information of the current operation request.
11. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the risky operation rules defined in step 4 comprise: risky file operation request rules, risky memory operation request rules, risky disk operation request rules, risky configuration operation request rules and risky network operation request rules.
12. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that the matching in step 4 matches the operation association rule, obtained by tracing back from the virtual node of the current operation request, against the defined risky operation rules, and judges whether the operation rule of the current operation request falls within the scope of the risky operation rules.
13. The computer information security protection method according to claim 1 for judging the security of computer operation requests according to the associative relation of computing system operation requests, characterized in that updating the relational structure in step 5 means: when the match succeeds, the current request is not allowed to operate, the virtual current node is deleted from the computer operation request relational structure, and the original relational structure is kept; when the match fails, the operation is allowed, the virtual node of the current operation request in the computer operation request relational structure is changed into a valid node, and the structure is updated to the new relational structure.
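The flow of steps 2 to 5 as refined by claims 5 to 13, as an added Python example that is not code from the patent: the same write request is refused or allowed depending only on the root node its virtual node traces back to. The class and function names, the node names, the path and the three-field rule format (root node type, operation type, object prefix, a simplification of the fields listed in claim 10) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Node:
    name: str                      # initiator (or object) this node stands for
    root_type: str = ""            # "system" or "user"; meaningful on root nodes only
    parent: "Node | None" = None
    virtual: bool = True           # True until the request is allowed (step 5)
    children: list = field(default_factory=list)

class RequestGuard:
    def __init__(self, risky_rules):
        self.nodes = {}            # name -> valid node of the relational structure
        self.risky = risky_rules   # (root_type, op_type, object_prefix), constructed format

    def add_root(self, name, root_type):
        self.nodes[name] = Node(name, root_type, virtual=False)

    def trace_root(self, node):
        """Step 3: walk parent links from the virtual node to the original initiator."""
        path = [node.name]
        while node.parent is not None:
            node = node.parent
            path.append(node.name)
        return node, path

    def handle(self, initiator, obj, op_type):
        """Return (allowed, trace-back path) for one intercepted request."""
        parent = self.nodes.get(initiator)      # claim 6: node matching the initiator
        if parent is None:                      # assumption: unknown initiators are refused
            return False, [obj, initiator]
        virt = Node(obj, parent=parent)         # step 2: assume the request holds
        parent.children.append(virt)
        root, path = self.trace_root(virt)
        hit = any(root.root_type == rt and op_type == op and obj.startswith(prefix)
                  for rt, op, prefix in self.risky)   # step 4: match risky rules
        if hit:                                 # step 5, match: delete the virtual node
            parent.children.remove(virt)
            return False, path
        virt.virtual = False                    # step 5, no match: node becomes valid
        self.nodes[obj] = virt
        return True, path

def demo():
    # Constructed rule and names: a chain rooted at a user application may not write drivers.
    guard = RequestGuard({("user", "write", "/sys/drivers/")})
    guard.add_root("os_update_service", "system")
    guard.add_root("user_shell", "user")
    steps = [("user_shell", "browser", "execute"),
             ("browser", "downloaded_tool", "execute"),
             ("downloaded_tool", "/sys/drivers/net.sys", "write"),
             ("os_update_service", "/sys/drivers/net.sys", "write")]
    return [guard.handle(*s) for s in steps], guard
```

The third request is refused because its virtual node traces back through `downloaded_tool` and `browser` to a user root, and the relational structure is left as it was; the fourth, identical except for its ancestry, is allowed and its node becomes valid.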
CN200910049945A 2009-04-24 2009-04-24 Method for establishing computer information security protection capable of judging security of computer operation request according to associative relation of computing system operation request Expired - Fee Related CN101872400B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910049945A CN101872400B (en) 2009-04-24 2009-04-24 Method for establishing computer information security protection capable of judging security of computer operation request according to associative relation of computing system operation request

Publications (2)

Publication Number Publication Date
CN101872400A true CN101872400A (en) 2010-10-27
CN101872400B CN101872400B (en) 2012-10-17

Family

ID=42997257

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910049945A Expired - Fee Related CN101872400B (en) 2009-04-24 2009-04-24 Method for establishing computer information security protection capable of judging security of computer operation request according to associative relation of computing system operation request

Country Status (1)

Country Link
CN (1) CN101872400B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7437718B2 (en) * 2003-09-05 2008-10-14 Microsoft Corporation Reviewing the security of trusted software components
US20060174078A1 (en) * 2005-01-19 2006-08-03 Alcatel System and method for executing a process on a microprocessor-enabled device
CN100401224C (en) * 2005-06-23 2008-07-09 福建东方微点信息安全有限责任公司 Computer anti-virus protection system and method
CN100485700C (en) * 2006-08-11 2009-05-06 珠海金山软件股份有限公司 Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method
CN101414341B (en) * 2007-10-15 2014-12-10 北京瑞星信息技术有限公司 Software self-protection method

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9230067B2 (en) 2010-12-21 2016-01-05 Antaios (Beijing) Information Technology Co., Ltd. Method for normalizing a computer system
JP2013542536A (en) * 2010-12-21 2013-11-21 北京中天安泰信息科技有限公司 How to standardize the execution behavior of a computer system
WO2012083521A1 (en) * 2010-12-21 2012-06-28 北京中天安泰信息科技有限公司 Method for standardizing computer system action
CN102971741A (en) * 2010-12-21 2013-03-13 北京中天安泰信息科技有限公司 Method for standardizing computer system action
JP2014517376A (en) * 2011-04-29 2014-07-17 北京中天安泰信息科技有限公司 Secure data storage method and device
US9330266B2 (en) 2011-04-29 2016-05-03 Antaios (Beijing) Information Technology Co., Ltd. Safe data storage method and device
CN102799817B (en) * 2011-06-30 2015-08-26 卡巴斯基实验室封闭式股份公司 For the system and method using Intel Virtualization Technology to carry out malware protection
CN102799817A (en) * 2011-06-30 2012-11-28 卡巴斯基实验室封闭式股份公司 System and method for malware protection using virtualization
CN103164444A (en) * 2011-12-14 2013-06-19 联想(北京)有限公司 File processing method, file processing device and file processing electronic equipment
CN103544151B (en) * 2012-07-09 2018-01-02 上海斐讯数据通信技术有限公司 The method and system of data processing in Linux system
CN105637479B (en) * 2013-08-23 2019-11-08 英国电讯有限公司 Modify method, the computer system and computer readable medium of computer program
CN105637479A (en) * 2013-08-23 2016-06-01 英国电讯有限公司 Method and apparatus for modifying a computer program in a trusted manner
CN104715175A (en) * 2015-03-23 2015-06-17 浪潮集团有限公司 Computer system safety protection method and device
CN109492400A (en) * 2017-09-12 2019-03-19 珠海市石方科技有限公司 Method and device for carrying out security detection and protection on computer hardware firmware
CN109559583A (en) * 2017-09-27 2019-04-02 华为技术有限公司 Failure simulation method and its device
CN110955895B (en) * 2019-11-29 2022-03-29 珠海豹趣科技有限公司 Operation interception method and device and computer readable storage medium
CN110955895A (en) * 2019-11-29 2020-04-03 珠海豹趣科技有限公司 Operation interception method and device and computer readable storage medium
CN112232771A (en) * 2020-10-17 2021-01-15 严怀华 Big data analysis method and big data cloud platform applied to smart government-enterprise cloud service

Also Published As

Publication number Publication date
CN101872400B (en) 2012-10-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Free format text: FORMER OWNER: QU LIDONG

Effective date: 20120523

Owner name: BEIJING ZHONGTIAN ANTAI INFORMATION TECHNOLOGY CO.

Free format text: FORMER OWNER: WANG JIAXIANG

Effective date: 20120523

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 200122 PUDONG NEW AREA, SHANGHAI TO: 100097 HAIDIAN, BEIJING

TA01 Transfer of patent application right

Effective date of registration: 20120523

Address after: 100097 Beijing city Haidian District landianchang Road No. 2 Jin Yuan business center B block 2-6B

Applicant after: Beijing Zhongtian Antai Technology Co., Ltd.

Address before: 200122 1308, publicity Road, 1503, Shanghai

Applicant before: Wang Jiaxiang

Co-applicant before: Qu Lidong

C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100097 HAIDIAN, BEIJING TO: 100071 FENGTAI, BEIJING

TR01 Transfer of patent right

Effective date of registration: 20150121

Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower

Patentee after: The safe and sound Information Technology Co., Ltd in sky in Beijing

Address before: 100097 Beijing city Haidian District landianchang Road No. 2 Jin Yuan business center B block 2-6B

Patentee before: Beijing Zhongtian Antai Technology Co., Ltd.

C56 Change in the name or address of the patentee
CP01 Change in the name or title of a patent holder

Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower

Patentee after: Zhongtian Aetna (Beijing) Information Technology Co. Ltd.

Address before: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower

Patentee before: The safe and sound Information Technology Co., Ltd in sky in Beijing

DD01 Delivery of document by public notice

Addressee: Zhongtian Aetna (Beijing) Information Technology Co. Ltd.

Document name: Notification to Pay the Fees

DD01 Delivery of document by public notice

Addressee: Zhongtian Antai (Beijing) Information Technology Co., Ltd.

Document name: Notification of Termination of Patent Right

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121017

Termination date: 20190424