CN102508768A - Monitoring method and monitoring device for application program - Google Patents
Monitoring method and monitoring device for application program Download PDFInfo
- Publication number
- CN102508768A CN102508768A CN2011103019504A CN201110301950A CN102508768A CN 102508768 A CN102508768 A CN 102508768A CN 2011103019504 A CN2011103019504 A CN 2011103019504A CN 201110301950 A CN201110301950 A CN 201110301950A CN 102508768 A CN102508768 A CN 102508768A
- Authority
- CN
- China
- Prior art keywords
- application program
- behavior
- application
- real
- standardizing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 47
- 238000012544 monitoring process Methods 0.000 title claims abstract description 26
- 238000012806 monitoring device Methods 0.000 title claims abstract description 17
- 238000012545 processing Methods 0.000 claims description 18
- 230000009471 action Effects 0.000 claims description 7
- 238000013528 artificial neural network Methods 0.000 claims description 6
- 238000004422 calculation algorithm Methods 0.000 claims description 6
- 238000012549 training Methods 0.000 claims description 6
- 230000002159 abnormal effect Effects 0.000 abstract 2
- 230000006399 behavior Effects 0.000 description 136
- 230000006870 function Effects 0.000 description 13
- 230000008569 process Effects 0.000 description 11
- 230000007246 mechanism Effects 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 230000002155 anti-virotic effect Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 239000012467 final product Substances 0.000 description 2
- 238000002513 implantation Methods 0.000 description 2
- 230000000903 blocking effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 230000002950 deficient Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 231100001261 hazardous Toxicity 0.000 description 1
- 238000011112 process operation Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Abstract
The application provides a monitoring method for an application program. The monitoring method comprises the following steps: acquiring real-time behavior of a current running application program; inquiring whether a standardized behavior library corresponding to the application program in a standardized behavior base of the application program contains the real-time behavior of the application program, if not, determining the application program to be abnormal. The application further provides a monitoring device for the application program for realizing the method. The monitoring method and the monitoring device for the application program provided by the application can be used for solving the problem that a malicious program is implanted due to the application program is abnormal.
Description
Technical field
The application relates to software action monitoring technique field, particularly relates to a kind of method for monitoring application program and device.
Background technology
Application programs different in the operating system have different functions, but in some cases, because the defective of application program self or leak, make these application programs bring harm by malicious attack or utilization and then to the user easily.For example, meticulously attack document of structure can be based on the utilization to file layout leaks such as .DOC .XLS for some, and then causes the user of these documents of preview to be implanted rogue program.By MetaSploit (auxiliary frame is attacked in a kind of popular in the world hacker's robotization); The assailant can integrate download person (Downloader) function for easily this type of document; In the subordinate act; As long as this type of user's preview document, document just can utilize such as MS11-006 leak remote download executable program, operation wooden horse, this has brought harm with regard to giving the terminal that these application programs are installed.
At present common way is through antivirus software etc. the method that the file in the terminal carries out real-time killing to be searched rogue program or wooden horse; The mode of the rogue program find of deletion or isolate or wooden horse is protected the safety at terminal then; But; The prerequisite of this kind method is that application program has occurred unusually, causes the terminal to be implanted rogue program or wooden horse, and can't before rogue program or wooden horse are implanted, just tackle.
Summary of the invention
The application's technical matters to be solved provides a kind of method for monitoring application program and device, can solve application program because occur unusual by the problem of implantation rogue program.
In order to address the above problem, the application discloses a kind of method for monitoring application program, may further comprise the steps:
Obtain the real-time behavior of the application program of current operation;
Whether inquiry application is standardized behavior comprises the real-time behavior of said application program in the corresponding set of standardizing behavior of this application program in the storehouse, and if not, it is unusual to confirm that then this application program occurs.
Further, confirming that this application program also comprises after occurring unusually:
To confirming that unusual application program occurring handles.
Further, said processing comprises:
Automatically block the real-time behavior of this application program; Or
Through playing window prompting user.
Further, confirming that unusual also comprising before appear in this program:
If the real-time behavior of application program does not belong to the set of standardizing behavior, judge then whether this real-time behavior belongs to predetermined exception behavior, if not, it is unusual to confirm that then this application program occurs.
Further, said method also comprises:
Collect standardizing behavior and being stored in server or the client of each application program in advance as application specifications behavior storehouse.
Further, standardizing behavior of said each application program confirmed through manual analysis, software scale-of-two conversed analysis, software action record and based on modes such as the training of neural network scheduling algorithm and study.
Further, said real-time behavior of obtaining the application program of current operation comprises:
, the application program of current operation obtains when having new behavior to produce; Or
Obtain according to preset time.
In order to address the above problem, the application also provides a kind of method for monitoring application program, may further comprise the steps:
Obtain the real-time behavior of the application program of current operation;
Confirm the affiliated classification of this application program;
Whether inquiry application is standardized behavior in the storehouse comprises the real-time behavior of said application program in the corresponding set of standardizing behavior of classification under this application program, and if not, it is unusual to confirm that then this application program occurs.
In order to address the above problem, the application also provides a kind of Application Monitoring device, comprising:
The real-time behavior acquisition module of application program is used to obtain the real-time behavior of the application program of current operation;
Enquiry module is used for inquiry application and standardizes behavior whether comprise the real-time behavior of said application program in the corresponding set of standardizing behavior of this application program of storehouse, and if not, it is unusual to confirm that then this application program occurs.
Further, said device also comprises:
Processing module is used for confirming that unusual application program occurring handles, and said processing comprises this real-time behavior of blocking-up automatically or passes through to play window prompting user.
Further, said device also comprises:
Exception behavior judge module is used for judging then whether this real-time behavior belongs to predetermined exception behavior if the real-time behavior of application program does not belong to the set of standardizing behavior, and if not, it is unusual to confirm that then this application program occurs.
Further, said device also comprises:
The determination module of standardizing behavior is used for collecting in advance standardizing behavior and being stored in server or client as application specifications behavior storehouse of each application program.
Further, the said determination module of standardizing behavior comprises:
Analytic unit is used for confirming standardizing behavior of application program through manual analysis, software scale-of-two conversed analysis, software action record and based on modes such as the training of neural network scheduling algorithm and study.
In order to address the above problem, the application also provides a kind of Application Monitoring device, comprising:
The real-time behavior acquisition module of application program is used to obtain the real-time behavior of the application program of current operation;
The application category determination module is used for confirming the affiliated classification of said application program;
Enquiry module is used for inquiry application and standardizes behavior whether comprise the real-time behavior of said application program in the corresponding set of standardizing behavior of classification under this application program of storehouse, and if not, it is unusual to confirm that then this application program occurs.
Compared with prior art, the application has the following advantages:
The application analyzes the storehouse of standardizing behavior of determining application program through the behavior that possibly occur each application program in advance; The real-time behavior that when real-time judge, will obtain with standardize behavior to compare to confirm just whether this real-time behavior exists potential danger, thereby confirm whether application program occurs unusually.This kind mode can be found application exception timely, avoids application program because self-defect etc. are former thereby brought harm by the implantation rogue program to the terminal.
Further; When standardizing behavior of application program confirmed in analysis; Can application programs classify according to the realization function; Because it is basic identical to have its behavior meeting that when operation, produces of application program of identical function,,, new application program only need confirm that the classification under it just can get access to its general specification behavior when occurring according to its function through analyzing definite standardizing behavior to the general specification behavior of a certain type of application program; And need not to analyze for a certain new application program again, simplified treatment scheme.
Description of drawings
Fig. 1 is the process flow diagram of the application's method for monitoring application program embodiment one;
Fig. 2 is the process flow diagram of the application's method for monitoring application program embodiment two;
Fig. 3 is the process flow diagram of the application's method for monitoring application program embodiment three;
Fig. 4 is the structural representation of the application's Application Monitoring device embodiment one;
Fig. 5 is the structural representation of the application's Application Monitoring device embodiment two;
Fig. 6 is the structural representation of the application's Application Monitoring device embodiment three.
Embodiment
For above-mentioned purpose, the feature and advantage that make the application can be more obviously understandable, the application is done further detailed explanation below in conjunction with accompanying drawing and embodiment.
With reference to Fig. 1, the application's method for monitoring application program embodiment one is shown, may further comprise the steps:
Each application program can produce different behaviors because need to realize different functions when operation.For example, for word processing class software, behavior such as the time can document creation occur according to operator's different operating in operation, read, write, delete, close.Analyze the real-time behavior that can get access to application program through the application programs real-time status.
Obtaining of the real-time behavior of application program can be obtained when having new behavior to occur, and also can be scheduled to acquisition time at interval, and after the application program operation, every is obtained once at regular intervals.
The obtaining to be divided into according to operating system schema of the real-time behavior of application program articulates routine in operating system user attitude and intercepts and captures calling of associated process and articulate call two big types that routine is intercepted and captured associated process in the operating system nucleus attitude.Articulating (Kernel Mode Routine Hooking) with windows platform antivirus software active defense function kernel state routine commonly used is example; Microsoft has designed a system service and has distributed table (SSDT in kernel; System Service Dispatch Table), the routine that system service is distributed in the table has contained: functions such as file operation, registry operations, process operation, threading operation, internal memory operation, Object Operations.The processing routine of replacing in this table can simply reach the purpose that interception system calls, and above-mentioned invoked procedure is the differentiation process, and this behavior that just means process can be obtained through SSDT abduction (SSDT Hooking).
Except the method that SSDT kidnaps, also recommend in official of the Microsoft document to use the method for readjustment (Callback) to realize behavior monitoring.Callback mechanism is the integrated event notice solution of microsoft operation system kernel; When some incidents takes place when module loading (during like process creation, during thread creation); The registrant of system's meeting proactive notification readjustment, this cover mechanism also can help us to obtain the behavior of process.
Whether step 102, inquiry application are standardized behavior comprises the real-time behavior of said application program in the corresponding set of standardizing behavior of this application program in the storehouse, and if not, it is unusual to confirm that then this application program occurs.
Wherein, application specifications behavior storehouse can be collected standardizing behavior and being stored in server or the client of each application program in advance.Standardizing behavior of application program comprises all behaviors that possibly occur when application program is normally moved; These are standardized behavior can be through analyzing, and confirms like manual analysis, software scale-of-two conversed analysis, software action record and based on modes such as the training of neural network scheduling algorithm and study.
When getting access to the real-time behavior of application program; At first can from application specifications behavior storehouse, find this application program; Find the corresponding set of standardizing behavior of this application program again, relatively whether this real-time behavior belongs to the set of standardizing behavior, if do not belong to; Explain that then this real-time behavior possibly have potential danger, thereby it is unusual to confirm that application program occurs.
With reference to Fig. 2, the application's method for monitoring application program embodiment two is shown, may further comprise the steps:
Step 202 is confirmed the affiliated classification of this application program.
Application category can be classified according to its function that realizes, realizes that the application program of identical function is divided into one type.For example, word processing class, audio frequency, video playback class, web browser class or the like.
Whether step 203, inquiry application are standardized behavior in the storehouse comprises the real-time behavior of said application program in the corresponding set of standardizing behavior of classification under this application program, and if not, it is unusual to confirm that then this application program occurs.
Because along with application program increases gradually; For some not too general or common application program; When the standardizing behavior of analysis application, have certain degree of difficulty, can expend the more time if analyze standardizing behavior of all application programs one by one, and reality very.In addition, for the application program with identical function, it is standardized behavior also all can be basic identical, and for this reason, when the standardizing behavior of analysis application, application programs is classified in advance, confirms the general specification behavior of one type of application program.
For example, the application program of word processing class, standardizing behavior that it is general can comprise file establishment, read, write, shine upon, close, delete; The establishment of registration table key assignments, read, revise, enumerate, close, delete or the like.The real-time behavior of the application program of any one word processing class can compare with these general specification behaviors.With Microsoft Office Word is example; Because it belongs to word processing class application program; It is standardized behavior so, and then to be that the word processing class is determined standardize behavior, and produces following behavior when getting access to it: (1) create subprocess, (2) through network download executable program and operation (being so-called Download and Execute process), (3) be injected into other process space, (4) load driver module arrives kernel state space, (5) direct control physical memory or the like.If certain Microsoft Office Word process has been touched above-mentioned behavior, it is unusual so just can to think that Microsoft Office Word occurs.Same, also can adopt aforementioned identical mode to handle for audio frequency, video playback class application program.
Through similar application program is adopted the identical mode of standardizing behavior; When new application program occurs; As long as get access to the classification of this application program, just can find standardizing behavior of this application program, avoid separately for each application program all analysis and summary standardize behavior; Thereby simplified treatment scheme, had adaptability and versatility preferably.
Preferably,, the application's method for monitoring application program embodiment three is shown, on the basis of previous embodiment one and embodiment two, can also may further comprise the steps with reference to Fig. 3:
Step 301 is to confirming that unusual application program occurring handles.
Wherein handle and comprise: block this real-time behavior automatically or pass through to play window prompting user, let the user manually select the mode of blocking, and pass through the mode recording exceptional of log record, so that subsequent analysis is optimized this application program.
Preferably; On the basis of previous embodiment one to three; If the real-time behavior of application program does not belong to the set of standardizing behavior that application specifications behavior storehouse is scheduled to, so, need judge also whether this real-time behavior belongs to predetermined exception behavior; If not, it is unusual to confirm that then this application program occurs again.
The exception behavior is for replenishing what standardize behavior, because for some application program, it possibly produce some behavior in addition of standardizing behavior, and these behaviors are hazardous act in the ordinary course of things, but under special circumstances, it belongs to normal.
For example; For Microsoft Office Word, the application program of perhaps whole file processing class needs to upgrade when its application program has redaction to occur; Possibly start ROMPaq (Update.exe) so; And this is a behavior of creating subprocess, standardizes behavior and can confirm according to it, creates subprocess and is not allowed to.At this moment, then can for example, introduce " behavior is tabulated in vain " mechanism, the above-mentioned behavior of acquiescence clearance under the prerequisite that verification is confirmed through the mode of exception behavior.The exception behavior can be used as replenishing of application specifications behavior storehouse, to realize intelligent decision, reduces the user and bothers.
With reference to Fig. 4, a kind of Application Monitoring device embodiment one of the application is shown, comprise real-time behavior acquisition module 10 of application program and enquiry module 20.
The real-time behavior acquisition module 10 of application program is used to obtain the real-time behavior of the application program of current operation.
With reference to Fig. 5, the application's Application Monitoring device embodiment two is shown, comprise the real-time behavior acquisition module of application program 10, application category determination module 30 and enquiry module 20.
The real-time behavior acquisition module 10 of application program is used to obtain the real-time behavior of the application program of current operation.
Application category determination module 30 is used for confirming the affiliated classification of said application program.Wherein, the classification of application program is divided according to function, realizes that the application program of identical function is one type, as, word processing class, audio frequency, video playback class, web browser class or the like.
With reference to Fig. 6, the application's Application Monitoring device embodiment three is shown, further, this device also comprises processing module 50, is used for confirming that unusual application program occurring handles.Wherein, processing comprises this real-time behavior of blocking-up automatically or points out the user through playing window.
Preferably, this device also comprises exception behavior judge module, is used for judging then whether this real-time behavior belongs to predetermined exception behavior if the real-time behavior of application program does not belong to the set of standardizing behavior, and if not, it is unusual to confirm that then this application program occurs.The exception behavior refers to not belong to the common behavior of application program, but the behavior that may occur in some cases like the upgrade mechanism of word processing class software, needs to create subprocess.
Preferably, this device also comprises the determination module of standardizing behavior, and is used for collecting in advance standardizing behavior and being stored in server or client as application specifications behavior storehouse of each application program.This determination module of standardizing behavior comprises analytic unit, is used for confirming standardizing behavior of application program through manual analysis, software scale-of-two conversed analysis, software action record and based on modes such as the training of neural network scheduling algorithm and study.
Each embodiment in this instructions all adopts the mode of going forward one by one to describe, and what each embodiment stressed all is and the difference of other embodiment that identical similar part is mutually referring to getting final product between each embodiment.For device embodiment, because it is similar basically with method embodiment, so description is fairly simple, relevant part gets final product referring to the part explanation of method embodiment.
More than method for monitoring application program and device that the application provided have been carried out detailed introduction; Used concrete example among this paper the application's principle and embodiment are set forth, the explanation of above embodiment just is used to help to understand the application's method and core concept thereof; Simultaneously, for one of ordinary skill in the art, according to the application's thought, the part that on embodiment and range of application, all can change, in sum, this description should not be construed as the restriction to the application.
Claims (14)
1. a method for monitoring application program is characterized in that, may further comprise the steps:
Obtain the real-time behavior of the application program of current operation;
Whether inquiry application is standardized behavior comprises the real-time behavior of said application program in the corresponding set of standardizing behavior of this application program in the storehouse, and if not, it is unusual to confirm that then this application program occurs.
2. method for monitoring application program as claimed in claim 1 is characterized in that, is confirming that this application program also comprises after occurring unusually:
To confirming that unusual application program occurring handles.
3. method for monitoring application program as claimed in claim 2 is characterized in that, said processing comprises:
Automatically block the real-time behavior of this application program; Or
Through playing window prompting user.
4. method for monitoring application program as claimed in claim 1 is characterized in that, is confirming that unusual also comprising before appear in this program:
If the real-time behavior of application program does not belong to the set of standardizing behavior, judge then whether this real-time behavior belongs to predetermined exception behavior, if not, it is unusual to confirm that then this application program occurs.
5. method for monitoring application program as claimed in claim 1 is characterized in that, said method also comprises:
Collect standardizing behavior and being stored in server or the client of each application program in advance as application specifications behavior storehouse.
6. method for monitoring application program as claimed in claim 5; It is characterized in that standardizing behavior of said each application program confirmed through manual analysis, software scale-of-two conversed analysis, software action record and based on modes such as the training of neural network scheduling algorithm and study.
7. method for monitoring application program as claimed in claim 1 is characterized in that, said real-time behavior of obtaining the application program of current operation comprises:
, the application program of current operation obtains when having new behavior to produce; Or
Obtain according to preset time.
8. a method for monitoring application program is characterized in that, may further comprise the steps:
Obtain the real-time behavior of the application program of current operation;
Confirm the affiliated classification of this application program;
Whether inquiry application is standardized behavior in the storehouse comprises the real-time behavior of said application program in the corresponding set of standardizing behavior of classification under this application program, and if not, it is unusual to confirm that then this application program occurs.
9. an Application Monitoring device is characterized in that, comprising:
The real-time behavior acquisition module of application program is used to obtain the real-time behavior of the application program of current operation;
Enquiry module is used for inquiry application and standardizes behavior whether comprise the real-time behavior of said application program in the corresponding set of standardizing behavior of this application program of storehouse, and if not, it is unusual to confirm that then this application program occurs.
10. Application Monitoring device as claimed in claim 9 is characterized in that, said device also comprises:
Processing module is used for confirming that unusual application program occurring handles, and said processing comprises this real-time behavior of blocking-up automatically or passes through to play window prompting user.
11. Application Monitoring device as claimed in claim 9 is characterized in that, said device also comprises:
Exception behavior judge module is used for judging then whether this real-time behavior belongs to predetermined exception behavior if the real-time behavior of application program does not belong to the set of standardizing behavior, and if not, it is unusual to confirm that then this application program occurs.
12. Application Monitoring device as claimed in claim 9 is characterized in that, said device also comprises:
The determination module of standardizing behavior is used for collecting in advance standardizing behavior and being stored in server or client as application specifications behavior storehouse of each application program.
13. Application Monitoring device as claimed in claim 12 is characterized in that, the said determination module of standardizing behavior comprises:
Analytic unit is used for confirming standardizing behavior of application program through manual analysis, software scale-of-two conversed analysis, software action record and based on modes such as the training of neural network scheduling algorithm and study.
14. an Application Monitoring device is characterized in that, comprising:
The real-time behavior acquisition module of application program is used to obtain the real-time behavior of the application program of current operation;
The application category determination module is used for confirming the affiliated classification of said application program;
Enquiry module is used for inquiry application and standardizes behavior whether comprise the real-time behavior of said application program in the corresponding set of standardizing behavior of classification under this application program of storehouse, and if not, it is unusual to confirm that then this application program occurs.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110301950.4A CN102508768B (en) | 2011-09-30 | 2011-09-30 | Monitoring method and monitoring device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110301950.4A CN102508768B (en) | 2011-09-30 | 2011-09-30 | Monitoring method and monitoring device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102508768A true CN102508768A (en) | 2012-06-20 |
| CN102508768B CN102508768B (en) | 2015-03-25 |
Family
ID=46220860
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110301950.4A Active CN102508768B (en) | 2011-09-30 | 2011-09-30 | Monitoring method and monitoring device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102508768B (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102945341A (en) * | 2012-10-23 | 2013-02-27 | 北京奇虎科技有限公司 | Method and device for intercepting popup |
| CN102968590A (en) * | 2012-10-23 | 2013-03-13 | 北京奇虎科技有限公司 | Pop window suppression method and system |
| WO2014067424A1 (en) * | 2012-11-05 | 2014-05-08 | Tencent Technology (Shenzhen) Company Limited | Method and device for identifying abnormal application |
| CN104660606A (en) * | 2015-03-05 | 2015-05-27 | 中南大学 | Method for remotely monitoring safety of application program |
| CN104866761A (en) * | 2015-06-01 | 2015-08-26 | 成都中科创达软件有限公司 | High-security Android intelligent terminal |
| CN107517308A (en) * | 2017-08-07 | 2017-12-26 | 惠州Tcl移动通信有限公司 | Application program for mobile terminal abnormal detection method, storage device and mobile terminal |
| CN108920295A (en) * | 2018-06-29 | 2018-11-30 | 北京奇虎科技有限公司 | The processing method of system exception, apparatus and system |
| CN112765604A (en) * | 2020-12-30 | 2021-05-07 | 上海磐御网络科技有限公司 | Network safety system based on artificial intelligence |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104866760B (en) * | 2015-06-01 | 2017-10-10 | 成都中科创达软件有限公司 | A kind of smart mobile phone safety protecting method |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1734389A (en) * | 2004-08-12 | 2006-02-15 | 株式会社Ntt都科摩 | Software operation monitoring apparatus and software operation monitoring method |
| US20060117299A1 (en) * | 2004-11-23 | 2006-06-01 | International Business Machines Corporation | Methods and apparatus for monitoring program execution |
| CN1794645A (en) * | 2005-08-24 | 2006-06-28 | 上海浦东软件园信息技术有限公司 | Invading detection method and system based on procedure action |
| CN1904852A (en) * | 2006-08-01 | 2007-01-31 | 西安西电捷通无线网络通信有限公司 | Method for monitoring and abnormal processing of computer application program |
| CN101282246A (en) * | 2007-01-15 | 2008-10-08 | 软件股份公司 | Method and system for monitoring a software system |
-
2011
- 2011-09-30 CN CN201110301950.4A patent/CN102508768B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1734389A (en) * | 2004-08-12 | 2006-02-15 | 株式会社Ntt都科摩 | Software operation monitoring apparatus and software operation monitoring method |
| US20060117299A1 (en) * | 2004-11-23 | 2006-06-01 | International Business Machines Corporation | Methods and apparatus for monitoring program execution |
| CN1794645A (en) * | 2005-08-24 | 2006-06-28 | 上海浦东软件园信息技术有限公司 | Invading detection method and system based on procedure action |
| CN1904852A (en) * | 2006-08-01 | 2007-01-31 | 西安西电捷通无线网络通信有限公司 | Method for monitoring and abnormal processing of computer application program |
| CN101282246A (en) * | 2007-01-15 | 2008-10-08 | 软件股份公司 | Method and system for monitoring a software system |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102968590A (en) * | 2012-10-23 | 2013-03-13 | 北京奇虎科技有限公司 | Pop window suppression method and system |
| CN102968590B (en) * | 2012-10-23 | 2015-08-05 | 北京奇虎科技有限公司 | Play window suppressing method and system |
| CN102945341B (en) * | 2012-10-23 | 2015-08-05 | 北京奇虎科技有限公司 | A kind of method and apparatus of interceptor window |
| CN102945341A (en) * | 2012-10-23 | 2013-02-27 | 北京奇虎科技有限公司 | Method and device for intercepting popup |
| US9894097B2 (en) | 2012-11-05 | 2018-02-13 | Tencent Technology (Shenzhen) Company Limited | Method and device for identifying abnormal application |
| WO2014067424A1 (en) * | 2012-11-05 | 2014-05-08 | Tencent Technology (Shenzhen) Company Limited | Method and device for identifying abnormal application |
| TWI498770B (en) * | 2012-11-05 | 2015-09-01 | Tencent Tech Shenzhen Co Ltd | Method and system for identifying abnormal application program |
| CN104660606A (en) * | 2015-03-05 | 2015-05-27 | 中南大学 | Method for remotely monitoring safety of application program |
| CN104660606B (en) * | 2015-03-05 | 2017-10-20 | 中南大学 | A kind of long-distance monitoring method of application security |
| CN104866761A (en) * | 2015-06-01 | 2015-08-26 | 成都中科创达软件有限公司 | High-security Android intelligent terminal |
| CN104866761B (en) * | 2015-06-01 | 2017-10-31 | 成都中科创达软件有限公司 | A kind of high security Android intelligent terminal |
| CN107517308A (en) * | 2017-08-07 | 2017-12-26 | 惠州Tcl移动通信有限公司 | Application program for mobile terminal abnormal detection method, storage device and mobile terminal |
| CN108920295A (en) * | 2018-06-29 | 2018-11-30 | 北京奇虎科技有限公司 | The processing method of system exception, apparatus and system |
| CN112765604A (en) * | 2020-12-30 | 2021-05-07 | 上海磐御网络科技有限公司 | Network safety system based on artificial intelligence |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102508768B (en) | 2015-03-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102508768A (en) | Monitoring method and monitoring device for application program | |
| US11095669B2 (en) | Forensic analysis of computing activity | |
| CN105427096B (en) | Payment security sandbox implementation method and system and application program monitoring method and system | |
| CN109688097B (en) | Website protection method, website protection device, website protection equipment and storage medium | |
| CN104462970B (en) | A kind of Android application program privilege abuse detection methods based on process communication | |
| CN104462978B (en) | A kind of method and apparatus of application program rights management | |
| US9306889B2 (en) | Method and device for processing messages | |
| CN102638617B (en) | Active response system based on intrusion detection for Android mobile phones | |
| CN109104412B (en) | Account authority management method, account authority management system and computer readable storage medium | |
| DE112012001389T5 (en) | Secure execution of an unsecured app on a device | |
| CN105631312B (en) | The processing method and system of rogue program | |
| CN106778243B (en) | Virtual machine-based kernel vulnerability detection file protection method and device | |
| CN101542446A (en) | System analysis and management | |
| CN102263773B (en) | Real-time protection method and apparatus thereof | |
| CN104572394B (en) | process monitoring method and device | |
| CN107193666B (en) | Control method and device for calling between application programs | |
| US11748522B2 (en) | Systems, devices, and methods for prevention of recording content | |
| CN102902515A (en) | Software window processing method and device | |
| US20190095312A1 (en) | Macro-Script Execution Control | |
| CN110958397A (en) | Method and device for controlling intelligent camera | |
| CN103428212A (en) | Malicious code detection and defense method | |
| CN102750477A (en) | Method and system for controlling closing of terminal | |
| KR20090031393A (en) | Web shell monitoring system and method based on pattern detection | |
| CN113254994A (en) | Database access method and device, storage medium and computer equipment | |
| CN109657485B (en) | Authority processing method and device, terminal equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20151022 Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park) Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee after: Qizhi software (Beijing) Co.,Ltd. Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C Patentee before: Qizhi software (Beijing) Co.,Ltd. |
|
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee after: Beijing Qizhi Business Consulting Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20240116 Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015 Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Beijing Qizhi Business Consulting Co.,Ltd. |