CN101872400A - Establishing a computer information security protection method for judging the security of computer operation requests based on the association relationship of computing system operation requests - Google Patents
Publication number: CN101872400A (application CN200910049945A)
Authority: CN (China)
Prior art keywords: node, computer, request, operation request, operation requests
Legal status: Granted
Abstract
The invention relates to a computer information security protection method that builds association relationships among computing system operation requests and judges the security of a computer operation request from them. It comprises the following steps: while the computer is running, intercepting the operation requests generated by the operating system kernel or the hardware abstraction layer; according to the attributes of the intercepted operation request, creating a virtual node under a known node of the existing association structure and establishing an association relationship, so as to form a virtual association structure; backtracking in the virtual association structure from the virtual node to its root node, to obtain the association rule of the current operation request within the virtual association structure; matching the association rule obtained by backtracking against the defined dangerous operation rules, to determine whether a hazard exists; and deciding, according to the result of matching against the dangerous operation rules, whether the current operation is allowed to execute, and updating the association structure. The invention overcomes the need of other systems to specifically analyze the characteristics of malicious code and the characteristics of different operating systems and different application systems, and has the ability to defend against unknown malicious code in advance.
Description
Technical field:
The invention relates to a computer system security protection method, and more specifically to a computer information security protection method that judges the security of a computer operation request from the association relationships among computing system operation requests.
Background art:
With the spread of computer application technology and network communication technology, the information platform formed by computer applications and network communications has become one of the basic conditions of daily life such as work, study and shopping. While people fully enjoy the systematic convenience brought by the information platform, probably no one is immune to harm from malicious code.
At present, the common systems for protecting the information platforms people use daily fall mainly into the "blacklist" category, such as antivirus software and firewall software, and the "whitelist" category, such as "waterproof wall" (leakage prevention) software and active defense software; less common are "trusted" operating systems, "secure" operating systems and "shelter"-type security systems.
Among the above security systems, "blacklist" systems are relatively widely used, while "whitelist" systems, "trusted systems" and "operating system hardening" systems have a relatively small range of application because of the high technical requirements for applying them.
"Blacklist" systems achieve security through "scan and kill", implemented in four steps: finding system problems, locating the malicious code, analyzing the malicious code's signature, and removing the malicious code. A "scan and kill" system must have the following technical guarantees: ① problems existing in the computing system must be discovered in time; ② the cause of the problem must be located accurately; ③ the characteristics of the malicious code must be analyzed accurately; ④ the malicious code must be removed completely. In practice, however, it is very difficult even to find all the problems existing in a computer, let alone guarantee the accuracy and completeness of the other steps. Therefore a "scan and kill" system is an after-the-fact remedy; it does not guarantee the security of the operating system, still less does it have the ability to defend against unknown malicious code.
"Whitelist" systems determine which programs are allowed to run and which are not. The outstanding problem of "whitelist" systems is that they cannot guarantee the correctness of what an allowed program loads and calls during its execution, nor the correctness of the associated loading and calling between programs. "Whitelist" systems are therefore difficult to promote in practical applications.
"Trusted systems" and "shelter"-type systems generally have strong resistance to malicious code and, in theory, resistance to unknown malicious code as well. However, they place extremely high demands on the user: the user must be familiar not only with the operating system but also with the application system, must be able to define the corresponding security for the operating system and the application system, and must have the ability to trace and analyze system execution. Because of these extremely high technical requirements for users, such systems are used only in high-end application fields.
Summary of the invention:
The purpose of the present invention is to provide, in view of the deficiencies of existing information security theory and technology, a computer information security protection method that judges the security of a computer operation request from the association relationships among computing system operation requests.
The object of the present invention is achieved by the following measures: a computer information security protection method that judges the security of a computer operation request from the association relationships among computing system operation requests, characterized in that it comprises the following steps:
Step 1: while the computer is running, intercept the operation requests generated by the operating system kernel or the hardware abstraction layer;
Step 2: according to the attributes of the intercepted operation request, create a virtual node under a known node of the existing association structure and establish an association relationship, forming a virtual association structure;
Step 3: backtrack in the virtual association structure from the virtual node to its root node, and obtain the association rule of the current operation request within the virtual association structure;
Step 4: match the association rule obtained by backtracking against the defined dangerous operation rules, and determine whether a hazard exists;
Step 5: decide, according to the result of matching against the dangerous operation rules, whether the current operation is allowed to execute, and update the association structure.
The interception in Step 1 uses the file filtering, device filtering and network packet filtering functions inside the operating system.
The operation requests intercepted in Step 1 are the file operation requests, configuration operation requests, memory operation requests, disk operation requests and network operation requests inside the computer.
The attributes of the operation request in Step 2 are the request initiator, the requested operation object and the requested operation type.
The existing association structure in Step 2 is defined as a traceability structure of system operation requests in which only operation requests initiated by the operating system kernel, components and services, and application system operation requests initiated directly by the user, are root nodes; operation requests initiated by those root nodes are child nodes, and requests initiated by child nodes are grandchild nodes.
The known node in Step 2 is the node in the association structure that matches the operation request initiator given in the attributes of the intercepted operation request.
Establishing the association relationship in Step 2 means that, whenever a request is intercepted, the request is first assumed to be valid, and according to the attributes of the intercepted operation request a child node is virtually created under the initiator node of the current operation request; when the call targets an already existing node, a virtual sub-association is established instead, so that every operation request initiator is associated with the requested operation object, yielding a virtual associated node.
The virtual association structure in Step 2 is formed by creating a virtual child node under the request initiator node according to the request initiator information in the attributes of the intercepted current operation request; this virtual associated node together with the existing association structure constitutes the virtual association structure.
The root node in Step 3 is reached through the established virtual association structure by starting at the virtual node and tracing the association between the current node and its parent node at each level, until the original initiator node of the virtual node is reached.
The association rule in Step 3 consists of the request initiator, requested operation object, requested operation type, root node type and virtual association type of the current operation request.
The defined dangerous operation rules in Step 4 include file dangerous operation request rules, memory dangerous operation request rules, disk dangerous operation request rules, configuration dangerous operation request rules and network dangerous operation request rules.
The matching in Step 4 matches the association rule obtained by backtracking from the virtual node of the current operation request against the defined dangerous operation rules, and judges whether the operation rule of the current operation request falls within the scope of the dangerous operation rules.
Updating the association structure in Step 5 means: when the match succeeds, the current operation request is not allowed to run, and the virtual current node is deleted from the computer operation request association structure, preserving the original association structure; when the match fails, the operation is allowed to run, and the virtual node of the current operation request in the computer operation request association structure is changed into a valid node, updating it to a new association structure.
Compared with the prior art, adopting the computer information security protection method proposed by the present invention, which judges the security of computer operation requests from the association relationships among computing system operation requests, changes the current approach of analyzing the characteristics of malicious code or the characteristics of operating systems and application systems. The present invention is based on the observation that any operation of the system is first of all a request inside the system, and that association relationships exist between requests. On the basis of establishing these association relationships, the present invention analyzes the characteristics of system operation requests, establishes rules for illegal operation requests in terms of the relationships between requests, and determines the security of a request by analyzing the association relationships of the operation request. The present invention overcomes the need of other systems to specifically analyze the characteristics of malicious code and the characteristics of different operating systems and application systems, does not require the user to have a corresponding technical level, and provides defense in advance, including defense against unknown malicious code; that is, the operation requests of both known and unknown malicious code are analyzed and blocked in the present invention, which better makes up for the deficiencies of other security theory systems and security products.
Detailed description of the embodiments:
Definition of terms:
Operation request: a request, made during the use of a computer, to load, execute or change some device, such as hardware or software code;
Application request: a request initiated by the operating system's need to establish an operating environment or by the needs of running application program code;
Operation request association structure: while the computer is running, its running state is built up from the operations produced by individual operation requests; the operation request association structure is a logical structure, with operation requests as its nodes, that reflects the computer's running state at the current moment;
Dangerous operation request rule: within the operation request association structure, an operation request that violates the association relationship that should hold between certain operation requests is defined as a dangerous operation request rule;
The method of the present invention is described in detail below. It comprises the following steps:
Step 1: while the computer is running, intercept the operation requests generated by the operating system kernel or the hardware abstraction layer. The interception uses the file filtering, device filtering and network packet filtering functions inside the operating system. Normally, during startup, the computer performs a power-on self-test, loads the microkernel, loads the kernel, loads operating system components and loads applications, at which point the operating system is fully loaded; once the application environment is loaded, the user performs operations as needed. During operating system loading and during the user's application operations, hardware operations, configuration operations, file operations, memory operations and network communication detection operations are carried out respectively. Before each of these operations executes, a series of operation requests is generated in the operating system kernel and the hardware abstraction layer; these operation requests ask to operate the corresponding device, and the corresponding device allocates resources and performs the corresponding steps according to each operation request. Computer operating systems such as Windows, Linux and Unix provide corresponding filtering functions such as file filtering, device filtering and network packet filtering, which make it possible to intercept the file operation requests, configuration operation requests, memory operation requests, disk operation requests and network operation requests initiated by the operating system kernel and the hardware abstraction layer. Intercepting operation requests means intercepting the file operation requests, configuration operation requests, memory operation requests, disk operation requests and network operation requests inside the computer. File operation requests mainly refer to requests to read, write, load, modify the attributes of, or execute files and file contents; configuration operation requests refer to requests to read or rewrite system configuration variables or running parameters; memory operation requests mainly refer to requests to read, write or execute memory; disk operation requests mainly refer to non-file-mode store and fetch requests to storage devices; network operation requests mainly refer to requests initiated over the network to operate on local files, devices, memory and the like.
Step 2: according to the attributes of the intercepted operation request, create a virtual node under a known node of the existing association structure and establish an association relationship, forming a virtual association structure. The attributes of the operation request are the request initiator, the requested operation object and the requested operation type. The existing association structure is defined as a traceability structure of system operation requests in which only operation requests initiated by the operating system kernel, components and services, and application system operation requests initiated directly by the user, are root nodes; operation requests initiated by those root nodes are child nodes, and requests initiated by child nodes are grandchild nodes. The known node in Step 2 is the node in the association structure that matches the operation request initiator given in the attributes of the intercepted operation request. Creating a virtual node in Step 2 means that, whenever a request is intercepted, the request is first assumed to be valid, and according to the attributes of the intercepted operation request a child node is virtually created under the initiator node of the current operation request; when the call targets an already existing node, a virtual sub-association is established instead, so that every operation request initiator is associated with the requested operation object, yielding a virtual associated node. The association relationship in Step 2 refers to the association attributes between the current node and each of the nodes above it, obtained in the operation request association structure by taking the current node as the starting point and tracing the association between the current node and its parent node level by level until the root node of the current node is reached. The virtual association structure in Step 2 is formed by creating a virtual child node under the request initiator node according to the request initiator information in the attributes of the intercepted current operation request; this virtual associated node together with the existing association structure constitutes the virtual association structure. Because this node is not yet a valid node, that is, it does not reflect the current operating state of the computer, a structure containing such a virtual node is called a virtual association structure. The purpose of building the virtual association structure is to establish the intrinsic connection between the current operation request and the known operation requests.
Step 3: backtrack in the virtual association structure from the virtual node to its root node, and obtain the association rule of the current operation request within the virtual association structure. The root node in Step 3 is reached through the established virtual association structure by starting at the virtual node and tracing the association between the current node and its parent node at each level, until the original initiator of the virtual node is reached. The association rule in Step 3 consists of the request initiator, requested operation object, requested operation type, root node type and virtual association type of the current operation request. The purpose of tracing the associations between the virtual node and each related node in the virtual association structure is to locate precisely how the current operation request was triggered and produced, and what association characteristics exist at each step that produced the current operation, all the way back to the root node of the current operation, that is, the application request in the application layer of the operating system that gave rise to the current operation request. At that point, the association characteristics between the current node and each node above it make up the association rule of the current operation request. It follows that the association rule of an operation request is obtained from an association structure that reflects the dynamic running state of the computer; it is therefore a dynamic process, which overcomes the shortcomings of the static code analysis and system function analysis on which other security systems rely.
Step 4: match the association rule obtained by backtracking against the defined dangerous operation rules, and determine whether a hazard exists. The defined dangerous operation rules in Step 4 include file dangerous operation request rules, memory dangerous operation request rules, disk dangerous operation request rules, configuration dangerous operation request rules and network dangerous operation request rules. File dangerous operation request rules define association rules that pose a security threat in the course of requests to read, write, load, modify the attributes of, or execute files and file contents inside the computer system; for example, an ordinary (non-installer) application writing to, or modifying the attributes of, an executable program, or an interpreter program reading or writing a non-interpretable program while interpreting a script. Memory dangerous operation request rules mainly define operation rules that pose a security threat in the course of requests to read, write or execute memory; for example, requests that operate on memory outside the requester's own address space, injecting code into some memory space, and other dangerous operations. Configuration dangerous operation request rules define operation rules that pose a security threat in the course of reading or rewriting system configuration variables or running parameters; for example, an application program altering a configuration file or modifying configuration parameters. Network dangerous operation request rules define operation rules that pose a security threat among requests initiated over the network to operate on local files, devices, memory and the like; for example, requests to operate on memory addresses, requests to load new threads, and other dangerous operations. Disk operation request rules mainly define threatening operation rules among non-file-mode store and fetch requests initiated from the network to storage devices; for example, requests to operate the disk in a non-file-system mode, requests to operate on specified storage blocks, and other dangerous operations. In terms of attack direction, current security threats to computer systems can be divided into external intrusion and internal control; these attacks are carried out mainly by exploiting system vulnerabilities to call system functions illegally and to implant malicious code. In fact, it is impossible to analyze all system vulnerabilities and find all unknown code. The rules in this step are defined precisely to avoid analyzing malicious code and defining system functions: every realization of harm must make use of the existing computer system environment, alter certain associations among operation requests and add the requests the attacker needs, and the addition of those requests is accomplished through the kernel of the operating system and the hardware device layer. Traditional code analysis and behavior analysis can hardly prevent a large number of such harms. Because the security threat originally arises from a change in the association rules of operation requests, the present invention, by defining rules over the associations of operation requests, makes it difficult for a security threat to form, and thereby gains the ability to prevent harm and to defend against unknown malicious code. The matching compares the association rule obtained by backtracking from the virtual node of the current operation request with the defined dangerous operation rules, and judges whether the operation rule of the current operation request falls within the scope of the dangerous operation rules. Once the association rule of the current operation request has been obtained, it is matched against the corresponding defined dangerous operation request rules for files, memory, configuration, storage devices and the network, to determine whether the current operation request is dangerous.
Step 5: Determine whether the current operation is allowed to execute according to the result of matching against the dangerous operation rules, and update the association structure. In step 5 the association structure is updated as follows. When the operation request rule match succeeds, execution of the current operation request is blocked, the virtual current node is deleted from the computer operation request association structure, and the original association structure is kept. When the match fails, the current operation is allowed to execute, and the virtual node of the current operation request in the virtual association structure of computer operation requests is changed into a valid node, forming a new association structure. Based on the matching result, this step releases or blocks the current operation request, achieving effective interception of operation requests, and at the same time updates the association structure of computer operation requests so that it always accurately reflects the current running state of the computer and provides the structure on which subsequent virtual nodes are built.
Embodiments are given below for further illustration:
Example 1: Suppose an Office document carries malicious script code that can infect executable programs. The blocking logic is as follows:
When the operating system kernel intercepts a write operation request to the content of an executable file, the request initiator attribute item in the operation request attributes shows that the request was issued by the VBA script engine. To find the association relationship of the current operation request, a virtual node for the current operation is created under the VBA script engine node in the known association structure of computer operation requests, and the association relationship of the current operation is traced back. The final result of the traceback is that the request to open an Office document triggered the current operation request. Taking the current operation rules: Office is an ordinary application, the request was triggered by the user, Office calling the VBA script engine is a normal call, the object of the current operation is a PE file, and the operation type is a write operation. The rule matched is: an ordinary non-installer application performing a write operation on the content of an executable file. The result is a dangerous action: block this operation request and delete the virtual node from the computer operation request structure.
Example 2: Suppose the system allows a hacker program to run, and the hacker directly calls a system operation through a hard address.
When an operation request to a hard address in memory operation request space is intercepted, a virtual node is built according to the operation request attributes, the request is determined to have been initiated by the operating system kernel, and its association relationship is traced back, revealing that the kernel's memory hard-address operation was invoked by an application. The request association rules of the current memory operation request are matched against the defined memory dangerous operation request association rules, and the match succeeds: 1. an operation that did not go through a memory request call is a dangerous operation; 2. remote hard-address operations on memory are dangerous. Result: dangerous operation request. Block the memory operation and delete the virtual node from the computer operation request structure.
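The following is an added example, not code from the patent or its applicant, that models the mechanism described in the steps and the two embodiments above: an association structure of operation request nodes, a virtual node created under the initiator's node for each intercepted request, a backtrace of the chain to the root, matching of that chain against dangerous operation rules, and the block/delete or allow/commit update. All names (Node, AssociationStructure, the `kind` attribute, the initiator names `office`, `vba_engine`, `setup`, `hackerprog`) and the two rule predicates are assumptions chosen for illustration; the patent's actual rule sets and attribute formats are not on the page, so the predicates are only one plausible reading of the rules quoted in the embodiments.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Hypothetical node of the "computer operation request association structure":
# who issued the request, what was done, and to what. eq=False so that node
# identity (not field equality) is used when a virtual node is removed.
@dataclass(eq=False)
class Node:
    initiator: str
    op: str
    target: str
    kind: str = "application"   # assumed target classes: application, script_engine, pe_file, memory, kernel
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)
    virtual: bool = False

    def backtrace(self) -> List["Node"]:
        """Walk parent links back to the root; returns the chain root -> self."""
        chain, n = [], self
        while n is not None:
            chain.append(n)
            n = n.parent
        chain.reverse()
        return chain

    def label(self) -> str:
        return f"{self.initiator} -{self.op}-> {self.target}"

@dataclass
class Rule:
    name: str
    predicate: Callable[[List[Node]], bool]   # True when the chain is dangerous

TRUSTED_INSTALLERS = {"setup"}   # assumed whitelist of installer-class applications

def rule_pe_write(chain: List[Node]) -> bool:
    """Embodiment 1: an ordinary (non-installer) application chain writes executable content."""
    cur = chain[-1]
    if not (cur.op == "write" and cur.kind == "pe_file"):
        return False
    return not any(n.target in TRUSTED_INSTALLERS for n in chain)

def rule_hard_memory(chain: List[Node]) -> bool:
    """Embodiment 2: a hard-address memory access reached from an application without a memory request call."""
    cur = chain[-1]
    if not (cur.op == "hard_address_access" and cur.kind == "memory"):
        return False
    app_in_chain = any(n.initiator not in ("kernel", "user") for n in chain)
    via_mem_request = any(n.op == "mem_request" for n in chain)
    return app_in_chain and not via_mem_request

RULES = [
    Rule("ordinary application writes executable file content", rule_pe_write),
    Rule("hard-address memory access not issued via a memory request", rule_hard_memory),
]

class AssociationStructure:
    """Tree of effective (committed) nodes plus the block/allow decision for each new request."""
    def __init__(self) -> None:
        self.root = Node("kernel", "boot", "system", kind="kernel")
        self.effective: List[Node] = [self.root]

    def _anchor(self, initiator: str) -> Node:
        # Attach the new request under the most recent effective node that produced its initiator.
        for n in reversed(self.effective):
            if n.target == initiator:
                return n
        return self.root

    def handle(self, initiator: str, op: str, target: str, kind: str = "application") -> Tuple[str, Optional[str], List[str]]:
        anchor = self._anchor(initiator)
        v = Node(initiator, op, target, kind, parent=anchor, virtual=True)   # step: create virtual node
        anchor.children.append(v)
        chain = v.backtrace()                                                # step: backtrace association
        hit = next((r.name for r in RULES if r.predicate(chain)), None)      # step: match dangerous rules
        if hit:                                                              # step 5: block, delete virtual node
            anchor.children.remove(v)
            return ("BLOCK", hit, [n.label() for n in chain])
        v.virtual = False                                                    # step 5: allow, commit node
        self.effective.append(v)
        return ("ALLOW", None, [n.label() for n in chain])

# Constructed scenarios mirroring the two embodiments plus two benign controls.
def run_example_1():
    s = AssociationStructure()
    s.handle("user", "open", "office")                         # user opens a document with Office
    s.handle("office", "call", "vba_engine", "script_engine")  # Office starts its script engine (normal call)
    return s.handle("vba_engine", "write", "app.exe", "pe_file")

def run_example_2():
    s = AssociationStructure()
    s.handle("user", "launch", "hackerprog")
    s.handle("hackerprog", "call", "kernel", "kernel")
    return s.handle("kernel", "hard_address_access", "mem:0x7ffe0000", "memory")

def run_installer():
    s = AssociationStructure()
    s.handle("user", "launch", "setup")
    decision = s.handle("setup", "write", "app.exe", "pe_file")
    return decision, len(s.effective)   # committed nodes: root, launch, write

def run_kernel_direct():
    s = AssociationStructure()
    return s.handle("kernel", "hard_address_access", "mem:0x7ffe0000", "memory")

if __name__ == "__main__":
    for name, fn in [("example 1", run_example_1), ("example 2", run_example_2),
                     ("installer", lambda: run_installer()[0]), ("kernel direct", run_kernel_direct)]:
        decision, rule, chain = fn()
        print(f"{name}: {decision} ({rule}) via {' / '.join(chain)}")
```

The decision depends on the whole backtraced chain rather than on the request alone: the same `write app.exe` is blocked when the chain starts at an ordinary application and allowed when it starts at the installer, and the same kernel hard-address access is blocked only when an application sits in its chain. A blocked request leaves the effective structure unchanged, while an allowed one commits its node so later requests can be anchored under it.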
Claims (13)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910049945A CN101872400B (en) | 2009-04-24 | 2009-04-24 | Method for establishing computer information security protection capable of judging security of computer operation request according to associative relation of computing system operation request |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910049945A CN101872400B (en) | 2009-04-24 | 2009-04-24 | Method for establishing computer information security protection capable of judging security of computer operation request according to associative relation of computing system operation request |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101872400A true CN101872400A (en) | 2010-10-27 |
CN101872400B CN101872400B (en) | 2012-10-17 |
Family
ID=42997257
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200910049945A Expired - Fee Related CN101872400B (en) | 2009-04-24 | 2009-04-24 | Method for establishing computer information security protection capable of judging security of computer operation request according to associative relation of computing system operation request |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101872400B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012083521A1 (en) * | 2010-12-21 | 2012-06-28 | 北京中天安泰信息科技有限公司 | Method for standardizing computer system action |
CN102799817A (en) * | 2011-06-30 | 2012-11-28 | 卡巴斯基实验室封闭式股份公司 | System and method for malware protection using virtualization |
CN103164444A (en) * | 2011-12-14 | 2013-06-19 | 联想(北京)有限公司 | File processing method, file processing device and file processing electronic equipment |
JP2014517376A (en) * | 2011-04-29 | 2014-07-17 | 北京中天安泰信息科技有限公司 | Secure data storage method and device |
CN104715175A (en) * | 2015-03-23 | 2015-06-17 | 浪潮集团有限公司 | Computer system safety protection method and device |
CN105637479A (en) * | 2013-08-23 | 2016-06-01 | 英国电讯有限公司 | Method and apparatus for modifying a computer program in a trusted manner |
CN103544151B (en) * | 2012-07-09 | 2018-01-02 | 上海斐讯数据通信技术有限公司 | The method and system of data processing in Linux system |
CN109492400A (en) * | 2017-09-12 | 2019-03-19 | 珠海市石方科技有限公司 | Method and device for carrying out security detection and protection on computer hardware firmware |
CN109559583A (en) * | 2017-09-27 | 2019-04-02 | 华为技术有限公司 | Failure simulation method and its device |
CN110955895A (en) * | 2019-11-29 | 2020-04-03 | 珠海豹趣科技有限公司 | Operation interception method and device and computer readable storage medium |
CN112232771A (en) * | 2020-10-17 | 2021-01-15 | 严怀华 | Big data analysis method and big data cloud platform applied to smart government-enterprise cloud service |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7437718B2 (en) * | 2003-09-05 | 2008-10-14 | Microsoft Corporation | Reviewing the security of trusted software components |
US20060174078A1 (en) * | 2005-01-19 | 2006-08-03 | Alcatel | System and method for executing a process on a microprocessor-enabled device |
CN100401224C (en) * | 2005-06-23 | 2008-07-09 | 福建东方微点信息安全有限责任公司 | Computer anti-virus protection system and method |
CN100485700C (en) * | 2006-08-11 | 2009-05-06 | 珠海金山软件股份有限公司 | Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method |
CN101414341B (en) * | 2007-10-15 | 2014-12-10 | 北京瑞星信息技术有限公司 | Software self-protection method |
Events
- 2009-04-24 CN CN200910049945A patent/CN101872400B/en not_active Expired - Fee Related
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9230067B2 (en) | 2010-12-21 | 2016-01-05 | Antaios (Beijing) Information Technology Co., Ltd. | Method for normalizing a computer system |
CN102971741A (en) * | 2010-12-21 | 2013-03-13 | 北京中天安泰信息科技有限公司 | Method for standardizing computer system action |
JP2013542536A (en) * | 2010-12-21 | 2013-11-21 | 北京中天安泰信息科技有限公司 | How to standardize the execution behavior of a computer system |
WO2012083521A1 (en) * | 2010-12-21 | 2012-06-28 | 北京中天安泰信息科技有限公司 | Method for standardizing computer system action |
US9330266B2 (en) | 2011-04-29 | 2016-05-03 | Antaios (Beijing) Information Technology Co., Ltd. | Safe data storage method and device |
JP2014517376A (en) * | 2011-04-29 | 2014-07-17 | 北京中天安泰信息科技有限公司 | Secure data storage method and device |
CN102799817B (en) * | 2011-06-30 | 2015-08-26 | 卡巴斯基实验室封闭式股份公司 | For the system and method using Intel Virtualization Technology to carry out malware protection |
CN102799817A (en) * | 2011-06-30 | 2012-11-28 | 卡巴斯基实验室封闭式股份公司 | System and method for malware protection using virtualization |
CN103164444A (en) * | 2011-12-14 | 2013-06-19 | 联想(北京)有限公司 | File processing method, file processing device and file processing electronic equipment |
CN103544151B (en) * | 2012-07-09 | 2018-01-02 | 上海斐讯数据通信技术有限公司 | The method and system of data processing in Linux system |
CN105637479A (en) * | 2013-08-23 | 2016-06-01 | 英国电讯有限公司 | Method and apparatus for modifying a computer program in a trusted manner |
CN105637479B (en) * | 2013-08-23 | 2019-11-08 | 英国电讯有限公司 | Method for modifying computer program, computer system and computer readable medium |
CN104715175A (en) * | 2015-03-23 | 2015-06-17 | 浪潮集团有限公司 | Computer system safety protection method and device |
CN109492400A (en) * | 2017-09-12 | 2019-03-19 | 珠海市石方科技有限公司 | Method and device for carrying out security detection and protection on computer hardware firmware |
CN109559583A (en) * | 2017-09-27 | 2019-04-02 | 华为技术有限公司 | Failure simulation method and its device |
CN110955895A (en) * | 2019-11-29 | 2020-04-03 | 珠海豹趣科技有限公司 | Operation interception method and device and computer readable storage medium |
CN110955895B (en) * | 2019-11-29 | 2022-03-29 | 珠海豹趣科技有限公司 | Operation interception method and device and computer readable storage medium |
CN112232771A (en) * | 2020-10-17 | 2021-01-15 | 严怀华 | Big data analysis method and big data cloud platform applied to smart government-enterprise cloud service |
Also Published As
Publication number | Publication date |
---|---|
CN101872400B (en) | 2012-10-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10599841B2 (en) | System and method for reverse command shell detection | |
CN101872400A (en) | Establishing a computer information security protection method for judging the security of computer operation requests based on the association relationship of computing system operation requests | |
US10691792B2 (en) | System and method for process hollowing detection | |
CN102902919B (en) | A kind of identifying processing methods, devices and systems of suspicious operation | |
US11882134B2 (en) | Stateful rule generation for behavior based threat detection | |
KR102307534B1 (en) | Systems and methods for tracking malicious behavior across multiple software entities | |
EP2951955B1 (en) | Method and system for protecting web applications against web attacks | |
Sood et al. | Dissecting SpyEye–Understanding the design of third generation botnets | |
CN104766011A (en) | Sandbox detection alarming method and system based on main engine characteristic | |
CN103246849A (en) | Safe running method based on ROST under Windows | |
US12056237B2 (en) | Analysis of historical network traffic to identify network vulnerabilities | |
US12058147B2 (en) | Visualization tool for real-time network risk assessment | |
US20210194915A1 (en) | Identification of potential network vulnerability and security responses in light of real-time network risk assessment | |
Barabosch et al. | Bee master: Detecting host-based code injection attacks | |
CN115225315A (en) | Network white list management and control scheme based on Android system | |
RU2587426C2 (en) | System and method of detecting directed attack on corporate infrastructure | |
Ajmal et al. | Defeating modern day anti-viruses for defense evaluation | |
Deep et al. | Security In Smartphone: A Comparison of Viruses and Security Breaches in Phones and Computers | |
Ganganagari | Defining Best Practices to Prevent Zero-Day and Polymorphic Attacks | |
Pan et al. | An offensive containment strategy based on Malware's attack patterns | |
Badal Batllori | Malware analysis methodology applied to the WannaCry ransomware | |
Parihar et al. | Villain: Malware Analysis and Antivirus Evasion of a Backdoor Generator | |
CN114417325A (en) | Protection method and device based on registry | |
Lee et al. | Design of effective anti-malware system for mobile industrial devices based on windows CE | |
Sun et al. | Contemporary Malware Trends and Countermeasures |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | ASS | Succession or assignment of patent right | Free format text: FORMER OWNER: QU LIDONG Effective date: 20120523 Owner name: BEIJING ZHONGTIAN ANTAI INFORMATION TECHNOLOGY CO. Free format text: FORMER OWNER: WANG JIAXIANG Effective date: 20120523 |
| | C41 | Transfer of patent application or patent right or utility model | |
| | COR | Change of bibliographic data | Free format text: CORRECT: ADDRESS; FROM: 200122 PUDONG NEW AREA, SHANGHAI TO: 100097 HAIDIAN, BEIJING |
| | TA01 | Transfer of patent application right | Effective date of registration: 20120523 Address after: 100097 Beijing city Haidian District landianchang Road No. 2 Jin Yuan business center B block 2-6B Applicant after: Beijing Zhongtian Antai Technology Co., Ltd. Address before: 200122 1308, publicity Road, 1503, Shanghai Applicant before: Wang Jiaxiang Co-applicant before: Qu Lidong |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | C41 | Transfer of patent application or patent right or utility model | |
| | COR | Change of bibliographic data | Free format text: CORRECT: ADDRESS; FROM: 100097 HAIDIAN, BEIJING TO: 100071 FENGTAI, BEIJING |
| | TR01 | Transfer of patent right | Effective date of registration: 20150121 Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower Patentee after: The safe and sound Information Technology Co., Ltd in sky in Beijing Address before: 100097 Beijing city Haidian District landianchang Road No. 2 Jin Yuan business center B block 2-6B Patentee before: Beijing Zhongtian Antai Technology Co., Ltd. |
| | C56 | Change in the name or address of the patentee | |
| | CP01 | Change in the name or title of a patent holder | Address after: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower Patentee after: Zhongtian Aetna (Beijing) Information Technology Co. Ltd. Address before: 100071 Beijing city Fengtai District Xiaotun Road No. 89 aerospace standard tower Patentee before: The safe and sound Information Technology Co., Ltd in sky in Beijing |
| | DD01 | Delivery of document by public notice | Addressee: Zhongtian Aetna (Beijing) Information Technology Co. Ltd. Document name: Notification to Pay the Fees |
| | DD01 | Delivery of document by public notice | |
| | DD01 | Delivery of document by public notice | Addressee: Zhongtian Antai (Beijing) Information Technology Co., Ltd. Document name: Notification of Termination of Patent Right |
| | DD01 | Delivery of document by public notice | |
| | CF01 | Termination of patent right due to non-payment of annual fee | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20121017 Termination date: 20190424 |