CN102508768B - Monitoring method and monitoring device - Google Patents
Monitoring method and monitoring device Download PDFInfo
- Publication number
- CN102508768B CN102508768B CN201110301950.4A CN201110301950A CN102508768B CN 102508768 B CN102508768 B CN 102508768B CN 201110301950 A CN201110301950 A CN 201110301950A CN 102508768 B CN102508768 B CN 102508768B
- Authority
- CN
- China
- Prior art keywords
- application program
- behavior
- application
- real
- standardizing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 53
- 238000012544 monitoring process Methods 0.000 title claims abstract description 24
- 238000012806 monitoring device Methods 0.000 title claims abstract description 15
- 230000002159 abnormal effect Effects 0.000 claims abstract description 27
- 230000008569 process Effects 0.000 claims description 25
- 238000012545 processing Methods 0.000 claims description 11
- 230000009471 action Effects 0.000 claims description 7
- 229910002056 binary alloy Inorganic materials 0.000 claims description 6
- 230000007935 neutral effect Effects 0.000 claims description 6
- 238000012549 training Methods 0.000 claims description 6
- 230000000903 blocking effect Effects 0.000 claims description 2
- 230000006399 behavior Effects 0.000 description 136
- 230000006870 function Effects 0.000 description 13
- 230000007246 mechanism Effects 0.000 description 4
- 230000002155 anti-virotic effect Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 238000012217 deletion Methods 0.000 description 2
- 230000037430 deletion Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 231100001261 hazardous Toxicity 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000011112 process operation Methods 0.000 description 1
- 239000013589 supplement Substances 0.000 description 1
- 230000001502 supplementing effect Effects 0.000 description 1
Abstract
The application provides a monitoring method for an application program. The monitoring method comprises the following steps: acquiring real-time behavior of a current running application program; inquiring whether a standardized behavior library corresponding to the application program in a standardized behavior base of the application program contains the real-time behavior of the application program, if not, determining the application program to be abnormal. The application further provides a monitoring device for the application program for realizing the method. The monitoring method and the monitoring device for the application program provided by the application can be used for solving the problem that a malicious program is implanted due to the application program is abnormal.
Description
Technical field
The application relates to software action monitoring technique field, particularly relates to a kind of method for monitoring application program and device.
Background technology
Application programs different in operating system has different functions, but in some cases, because the defect of application program self or leak, makes these application programs easily by malicious attack or utilization and then bring harm to user.Such as, some attack document meticulously constructed based on the utilization to file format vulnerability such as .DOC .XLS, and then can cause the implanted rogue program of the user of these documents of preview.By MetaSploit (auxiliary frame is attacked in a kind of hacker's automation popular in the world), assailant can integrate download person (Downloader) function to easily this type of document, in subordinate act, as long as this kind of document of user's preview, document just can utilize such as MS11-006 leak remote download executable program, operation wooden horse, and this brings harm just to the terminal of installing these application programs.
Way common at present searches rogue program or wooden horse by antivirus software etc. to the method that the file in terminal carries out real-time killing; the mode of then deleting or isolate the rogue program that finds or wooden horse is to protect the safety of terminal; but; the prerequisite of this kind of method is that application program occurs exception; cause terminal implanted rogue program or wooden horse, and cannot rogue program or wooden horse implanted before just tackle.
Summary of the invention
Technical problems to be solved in this application are to provide a kind of method for monitoring application program and device, can solve application program because there is the problem of abnormal and implanted rogue program.
In order to solve the problem, this application discloses a kind of method for monitoring application program, comprising the following steps:
Obtain the real-time behavior of the application program of current operation;
Whether inquiry application is standardized behavior comprises the real-time behavior of described application program in set of standardizing behavior corresponding to this application program in storehouse, if not, then determines that this application program occurs abnormal.
Further, also comprise after determining the appearance extremely of this application program:
Occur that abnormal application program processes to determining.
Further, described process comprises:
Automatically the real-time behavior of this application program is blocked; Or
By playing window prompting user.
Further, determining that this program also comprises before occurring extremely:
If the real-time behavior of application program does not belong to set of standardizing behavior, then judge the exception behavior whether this real-time behavior belongs to predetermined, if not, then determine that this application program occurs abnormal.
Further, described method also comprises:
Collect standardizing behavior and being stored in server or client as application specifications behavior storehouse of each application program in advance.
Further, standardizing behavior of described each application program is determined by manual analysis, software binary system conversed analysis, software action record the mode such as training and study based on neutral net scheduling algorithm.
Further, the real-time behavior of the application program of the current operation of described acquisition comprises:
Obtain when the application program of current operation has new behavior to produce; Or
Obtain according to predetermined time.
In order to solve the problem, present invention also provides a kind of method for monitoring application program, comprising the following steps:
Obtain the real-time behavior of the application program of current operation;
Determine this application program generic;
Whether inquiry application is standardized behavior comprises the real-time behavior of described application program in set of standardizing behavior corresponding to this application program generic in storehouse, if not, then determines that this application program occurs abnormal.
In order to solve the problem, present invention also provides a kind of Application Monitoring device, comprising:
The real-time behavior acquisition module of application program, for obtaining the real-time behavior of the application program of current operation;
Enquiry module, standardizes behavior whether comprise the real-time behavior of described application program in set of standardizing behavior corresponding to this application program in storehouse, if not, then determines that this application program occurs abnormal for inquiry application.
Further, described device also comprises:
Processing module, for occurring that abnormal application program processes to determining, described process comprises automatically blocking this real-time behavior or passing through to play window points out user.
Further, described device also comprises:
Exception behavior judge module, if do not belong to for the real-time behavior of application program set of standardizing behavior, then judges the exception behavior whether this real-time behavior belongs to predetermined, if not, then determines that this application program occurs abnormal.
Further, described device also comprises:
To standardize behavior determination module, for collecting standardizing behavior and being stored in server or client as application specifications behavior storehouse of each application program in advance.
Further, determination module of standardizing behavior described in comprises:
Analytic unit, for by manual analysis, software binary system conversed analysis, software action record based on the standardizing behavior of the mode determination application program such as training and study of neutral net scheduling algorithm.
In order to solve the problem, present invention also provides a kind of Application Monitoring device, comprising:
The real-time behavior acquisition module of application program, for obtaining the real-time behavior of the application program of current operation;
Application category determination module, for determining described application program generic;
Enquiry module, standardizes behavior whether comprise the real-time behavior of described application program in set of standardizing behavior corresponding to this application program generic in storehouse, if not, then determines that this application program occurs abnormal for inquiry application.
Compared with prior art, the application has the following advantages:
The application analyzes by the behavior that may occur each application program in advance the storehouse of standardizing behavior determining application program, when real-time judge, the real-time behavior obtained just can be determined whether this real-time behavior exists potential danger with standardizing behavior to compare, thus determine whether application program occurs exception.This kind of mode can find application exception timely, and implanted rogue program brings harm to terminal because of reasons such as self-defects to avoid application program.
Further, when standardizing behavior of application program is determined in analysis, can application programs classify according to practical function, because its behavior operationally produced of application program with identical function can be substantially identical, that is determined by analysis standardizes behavior as the general specification behavior of a certain class application program, only need when new application program occurs to determine that the classification belonging to it just can get its general specification behavior according to its function, and without the need to again analyzing for a certain new application program, simplify handling process.
Accompanying drawing explanation
Fig. 1 is the flow chart of the method for monitoring application program embodiment one of the application;
Fig. 2 is the flow chart of the method for monitoring application program embodiment two of the application;
Fig. 3 is the flow chart of the method for monitoring application program embodiment three of the application;
Fig. 4 is the structural representation of the Application Monitoring device embodiment one of the application;
Fig. 5 is the structural representation of the Application Monitoring device embodiment two of the application;
Fig. 6 is the structural representation of the Application Monitoring device embodiment three of the application.
Detailed description of the invention
For enabling above-mentioned purpose, the feature and advantage of the application more become apparent, below in conjunction with the drawings and specific embodiments, the application is described in further detail.
With reference to Fig. 1, the method for monitoring application program embodiment one of the application is shown, comprises the following steps:
Step 101, obtains the real-time behavior of the application program of current operation.
Each application program operationally can produce different behaviors because of needing to realize different functions.Such as, for word processing class software, operationally the behaviors such as document creation, reading, write, deletion, closedown can be there is according to the different operating of operator.Undertaken by application programs real-time status analyzing the real-time behavior that can get application program.
The acquisition of the real-time behavior of application program can obtain when there being new behavior to occur, also can predetermined acquisition time interval, after application program is run, obtains once at interval of the regular hour.
The acquisition of the real-time behavior of application program can according to operating system schema be divided into intercept and capture calling of associated process in operating system User space mounting routine and intercept and capture associated process in operating system nucleus state mounting routine call two large classes.For kernel state routine mounting (Kernel Mode Routine Hooking) that windows platform antivirus software Initiative Defense function is conventional, Microsoft devises a system service and distributes table (SSDT in kernel, System Service Dispatch Table), the routine that system service distributes in table covers: the functions such as file operation, registry operations, process operation, threading operation, internal memory operation, Object Operations.The process routine of replacing in this table simply can reach the object that interception system calls, and above-mentioned invoked procedure is differentiation process, and this just means that the behavior of process can be kidnapped (SSDT Hooking) and obtained by SSDT.
Except the method that SSDT kidnaps, go back the method for recommendation readjustment (Callback) in Microsoft official document to realize behavior monitoring.Callback mechanism is the integrated event notice solution of microsoft operation system kernel, when some event occurs (as process creation time, thread creation time, module loading time), the registrant of system meeting proactive notification readjustment, this cover mechanism also can help us to obtain the behavior of process.
Step 102, whether inquiry application is standardized behavior comprises the real-time behavior of described application program in set of standardizing behavior corresponding to this application program in storehouse, if not, then determines that this application program occurs abnormal.
Wherein, application specifications behavior storehouse can be collected standardizing behavior of each application program in advance and is stored in server or client.The all behaviors comprising and may occur when application program is normally run of standardizing behavior of application program, these are standardized behavior can by analyzing, as manual analysis, software binary system conversed analysis, software action record determining based on modes such as the training of neutral net scheduling algorithm and study.
When getting the real-time behavior of application program, first this application program can be found from application specifications behavior storehouse, find the set of standardizing behavior that this application program is corresponding again, relatively whether this real-time behavior belongs to set of standardizing behavior, if do not belong to, then illustrate that this real-time behavior may have potential danger, thus it is abnormal to determine that application program occurs.
With reference to Fig. 2, the method for monitoring application program embodiment two of the application is shown, comprises the following steps:
Step 201, obtains the real-time behavior of the application program of current operation.
Step 202, determines this application program generic.
The function that application category can realize according to it is classified, and the application program realizing identical function is divided into a class.Such as, word processing class, audio frequency, video playback class, web browser class etc.
Step 203, whether inquiry application is standardized behavior comprises the real-time behavior of described application program in set of standardizing behavior corresponding to this application program generic in storehouse, if not, then determines that this application program occurs abnormal.
Because along with application program increases gradually, for the application program that some is not too general or common, certain difficulty is had when the standardizing behavior of analysis application, if analyze standardizing behavior of all application programs one by one can expend the more time, and very reality.In addition, for the application program with identical function, it is standardized behavior also all can be substantially identical, for this reason, when the standardizing behavior of analysis application, application programs can classify in advance, determine the general specification behavior of a class application program.
Such as, the application program of word processing class, the establishment that what it was general standardize behavior can comprise file, reading, write, mapping, closedown, deletion; Establishment, the reading of registration table key assignments, revise, enumerate, close, delete etc.The real-time behavior of the application program of any one word processing class can compare with these general specification behaviors.For Microsoft Office Word, because it belongs to word processing class application program, so it is standardized behavior, and being that word processing class is determined standardizes behavior, and produces following behavior when getting it: (1) creates subprocess, (2) are by web download executable program and run (i.e. so-called Download and Execute process), (3) be injected into other process space, (4) load driver module to kernel state space, (5) direct control physical memory etc.If certain Microsoft Office Word process has touched above-mentioned behavior, so just can think that Microsoft Office Word occurs abnormal.Same, aforementioned identical mode also can be adopted to process for audio frequency, video playback class application program.
By adopting the identical mode of standardizing behavior to similar application program, when there being new application program to occur, as long as get the classification of this application program, just can find standardizing behavior of this application program, avoid standardizing behavior for each application program analysis and summary separately, thus simplify handling process, there is good adaptability and versatility.
Preferably, with reference to Fig. 3, the method for monitoring application program embodiment three of the application is shown, the basis of previous embodiment one and embodiment two can also comprise the following steps:
To determining, step 301, occurs that abnormal application program processes.
Wherein process and comprise: automatically block this real-time behavior or by playing window prompting user, allowing user manually select the mode blocked, and passing through the mode recording exceptional of log recording, so that subsequent analysis optimizes this application program.
Preferably, on the basis of previous embodiment one to three, if the real-time behavior of application program does not belong to the predetermined set of standardizing behavior in application specifications behavior storehouse, so, also need the exception behavior judging whether this real-time behavior belongs to predetermined, if not, then determine that this application program occurs again abnormal.
Exception behavior is to supplementing of standardizing behavior because for some application program, its may produce and standardize behavior beyond some behavior, and these behaviors are hazardous act in the ordinary course of things, but under special circumstances, it belongs to normal.
Such as, for Microsoft Office Word, or the application program of whole file process class, need when its application program has redaction to occur to upgrade, so may start ROMPaq (Update.exe), and this is a behavior creating subprocess, standardizes behavior can determine according to it, create subprocess and be not allowed to.Now, then can by the mode of exception behavior, such as, introducing " the white list of behavior " mechanism, is verifying the above-mentioned behavior of acquiescence clearance under the prerequisite confirmed.Exception behavior can as application specifications behavior storehouse supplement, to realize intelligent decision, reduce user bother.
With reference to Fig. 4, a kind of Application Monitoring device embodiment one of the application is shown, comprises the real-time behavior acquisition module 10 of application program and enquiry module 20.
The real-time behavior acquisition module 10 of application program, for obtaining the real-time behavior of the application program of current operation.
Enquiry module 20, standardizes behavior whether comprise the real-time behavior of described application program in set of standardizing behavior corresponding to this application program in storehouse, if not, then determines that this application program occurs abnormal for inquiry application.
With reference to Fig. 5, the Application Monitoring device embodiment two of the application is shown, comprises the real-time behavior acquisition module 10 of application program, application category determination module 30 and enquiry module 20.
The real-time behavior acquisition module 10 of application program, for obtaining the real-time behavior of the application program of current operation.
Application category determination module 30, for determining described application program generic.Wherein, the classification of application program divides according to function, and the application program realizing identical function is a class, e.g., and word processing class, audio frequency, video playback class, web browser class etc.
Enquiry module 20, standardizes behavior whether comprise the real-time behavior of described application program in set of standardizing behavior corresponding to this application program generic in storehouse, if not, then determines that this application program occurs abnormal for inquiry application.
With reference to Fig. 6, the Application Monitoring device embodiment three of the application is shown, further, this device also comprises processing module 50, for occurring that abnormal application program processes to determining.Wherein, process comprise automatically block this real-time behavior or by play window prompting user.
Preferably, this device also comprises exception behavior judge module, if do not belong to for the real-time behavior of application program set of standardizing behavior, then judges the exception behavior whether this real-time behavior belongs to predetermined, if not, then determines that this application program occurs abnormal.Exception behavior refers to not belong to the usual behavior of application program, but the behavior that may occur in some cases, as the upgrade mechanism of word processing class software, need to create subprocess.
Preferably, this device also comprises determination module of standardizing behavior, for collecting standardizing behavior and being stored in server or client as application specifications behavior storehouse of each application program in advance.This determination module of standardizing behavior comprises analytic unit, for by manual analysis, software binary system conversed analysis, software action record based on the standardizing behavior of the mode determination application program such as training and study of neutral net scheduling algorithm.
Each embodiment in this description all adopts the mode of going forward one by one to describe, and what each embodiment stressed is the difference with other embodiments, between each embodiment identical similar part mutually see.For device embodiment, due to itself and embodiment of the method basic simlarity, so description is fairly simple, relevant part illustrates see the part of embodiment of the method.
The method for monitoring application program provided the application above and device are described in detail, apply specific case herein to set forth the principle of the application and embodiment, the explanation of above embodiment is just for helping method and the core concept thereof of understanding the application; Meanwhile, for one of ordinary skill in the art, according to the thought of the application, all will change in specific embodiments and applications, in sum, this description should not be construed as the restriction to the application.
Claims (10)
1. a method for monitoring application program, is characterized in that, comprises the following steps:
Obtain the real-time behavior of the application program of current operation;
Determine this application program generic, wherein, the classification of described application program divides according to the function realized;
This application program generic is searched from application specifications behavior storehouse, search the set of standardizing behavior that described application program generic is corresponding again, to standardize behavior described in whether the real-time behavior of more described application program belongs to set, if not, then determine that this application program occurs abnormal;
Wherein, determining that this program also comprises before occurring extremely: if the real-time behavior of application program does not belong to set of standardizing behavior, then judge the exception behavior whether this real-time behavior belongs to predetermined, if not, then determining that this application program occurs abnormal.
2. method for monitoring application program as claimed in claim 1, is characterized in that, also comprises after determining the appearance extremely of this application program:
Occur that abnormal application program processes to determining.
3. method for monitoring application program as claimed in claim 2, it is characterized in that, described process comprises:
Automatically the real-time behavior of this application program is blocked; Or
By playing window prompting user.
4. method for monitoring application program as claimed in claim 1, it is characterized in that, described method also comprises:
Collect standardizing behavior and being stored in server or client as application specifications behavior storehouse of each application program in advance.
5. method for monitoring application program as claimed in claim 4, it is characterized in that, standardizing behavior of described each application program is determined by manual analysis, software binary system conversed analysis, software action record the mode such as training and study based on neutral net scheduling algorithm.
6. method for monitoring application program as claimed in claim 1, it is characterized in that, the real-time behavior of the application program of the current operation of described acquisition comprises:
Obtain when the application program of current operation has new behavior to produce; Or
Obtain according to predetermined time.
7. an Application Monitoring device, is characterized in that, comprising:
The real-time behavior acquisition module of application program, for obtaining the real-time behavior of the application program of current operation;
Application category determination module, for determining described application program generic, wherein, the classification of described application program divides according to the function realized;
Enquiry module, for searching this application program generic from application specifications behavior storehouse, searching set of standardizing behavior corresponding to described application program generic, to standardize behavior described in whether the real-time behavior of more described application program belongs to set, if not, then determine that this application program occurs abnormal;
Also comprise: exception behavior judge module, if do not belong to for the real-time behavior of application program set of standardizing behavior, then judges the exception behavior whether this real-time behavior belongs to predetermined, if not, then determine that this application program occurs abnormal.
8. Application Monitoring device as claimed in claim 7, it is characterized in that, described device also comprises:
Processing module, for occurring that abnormal application program processes to determining, described process comprises automatically blocking this real-time behavior or passing through to play window points out user.
9. Application Monitoring device as claimed in claim 7, it is characterized in that, described device also comprises:
To standardize behavior determination module, for collecting standardizing behavior and being stored in server or client as application specifications behavior storehouse of each application program in advance.
10. Application Monitoring device as claimed in claim 9, is characterized in that, described in determination module of standardizing behavior comprise:
Analytic unit, for by manual analysis, software binary system conversed analysis, software action record based on the standardizing behavior of the mode determination application program such as training and study of neutral net scheduling algorithm.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110301950.4A CN102508768B (en) | 2011-09-30 | 2011-09-30 | Monitoring method and monitoring device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110301950.4A CN102508768B (en) | 2011-09-30 | 2011-09-30 | Monitoring method and monitoring device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102508768A CN102508768A (en) | 2012-06-20 |
| CN102508768B true CN102508768B (en) | 2015-03-25 |
Family
ID=46220860
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110301950.4A Active CN102508768B (en) | 2011-09-30 | 2011-09-30 | Monitoring method and monitoring device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102508768B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104866760A (en) * | 2015-06-01 | 2015-08-26 | 成都中科创达软件有限公司 | Smartphone security protection method |
Families Citing this family (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102945341B (en) * | 2012-10-23 | 2015-08-05 | 北京奇虎科技有限公司 | A kind of method and apparatus of interceptor window |
| CN102968590B (en) * | 2012-10-23 | 2015-08-05 | 北京奇虎科技有限公司 | Play window suppressing method and system |
| CN103810424B (en) * | 2012-11-05 | 2017-02-08 | 腾讯科技(深圳)有限公司 | Method and device for identifying abnormal application programs |
| CN104660606B (en) * | 2015-03-05 | 2017-10-20 | 中南大学 | A kind of long-distance monitoring method of application security |
| CN104866761B (en) * | 2015-06-01 | 2017-10-31 | 成都中科创达软件有限公司 | A kind of high security Android intelligent terminal |
| CN107517308A (en) * | 2017-08-07 | 2017-12-26 | 惠州Tcl移动通信有限公司 | Application program for mobile terminal abnormal detection method, storage device and mobile terminal |
| CN108920295A (en) * | 2018-06-29 | 2018-11-30 | 北京奇虎科技有限公司 | The processing method of system exception, apparatus and system |
| CN112765604A (en) * | 2020-12-30 | 2021-05-07 | 上海磐御网络科技有限公司 | Network safety system based on artificial intelligence |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1734389A (en) * | 2004-08-12 | 2006-02-15 | 株式会社Ntt都科摩 | Software operation monitoring apparatus and software operation monitoring method |
| CN1794645A (en) * | 2005-08-24 | 2006-06-28 | 上海浦东软件园信息技术有限公司 | Invading detection method and system based on procedure action |
| CN1904852A (en) * | 2006-08-01 | 2007-01-31 | 西安西电捷通无线网络通信有限公司 | Method for monitoring and abnormal processing of computer application program |
| CN101282246A (en) * | 2007-01-15 | 2008-10-08 | 软件股份公司 | Method and system for monitoring a software system |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7620940B2 (en) * | 2004-11-23 | 2009-11-17 | International Business Machines Corporation | Methods and apparatus for monitoring program execution |
-
2011
- 2011-09-30 CN CN201110301950.4A patent/CN102508768B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1734389A (en) * | 2004-08-12 | 2006-02-15 | 株式会社Ntt都科摩 | Software operation monitoring apparatus and software operation monitoring method |
| CN1794645A (en) * | 2005-08-24 | 2006-06-28 | 上海浦东软件园信息技术有限公司 | Invading detection method and system based on procedure action |
| CN1904852A (en) * | 2006-08-01 | 2007-01-31 | 西安西电捷通无线网络通信有限公司 | Method for monitoring and abnormal processing of computer application program |
| CN101282246A (en) * | 2007-01-15 | 2008-10-08 | 软件股份公司 | Method and system for monitoring a software system |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104866760A (en) * | 2015-06-01 | 2015-08-26 | 成都中科创达软件有限公司 | Smartphone security protection method |
| CN104866760B (en) * | 2015-06-01 | 2017-10-10 | 成都中科创达软件有限公司 | A kind of smart mobile phone safety protecting method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102508768A (en) | 2012-06-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102508768B (en) | Monitoring method and monitoring device | |
| US11727333B2 (en) | Endpoint with remotely programmable data recorder | |
| CN109688097B (en) | Website protection method, website protection device, website protection equipment and storage medium | |
| US11636206B2 (en) | Deferred malware scanning | |
| CN108133139B (en) | Android malicious application detection system based on multi-operation environment behavior comparison | |
| CN105427096B (en) | Payment security sandbox implementation method and system and application program monitoring method and system | |
| CN108932429B (en) | Application program analysis method, terminal and storage medium | |
| US20130122861A1 (en) | System and method for verifying apps for smart phone | |
| US20130067563A1 (en) | Apparatus and method for managing permission information of application | |
| US10176327B2 (en) | Method and device for preventing application in an operating system from being uninstalled | |
| KR20150044490A (en) | A detecting device for android malignant application and a detecting method therefor | |
| CN102263773B (en) | Real-time protection method and apparatus thereof | |
| CN103839003A (en) | Malicious file detection method and device | |
| Xie et al. | Fingerprinting Android malware families | |
| US20130283274A1 (en) | Method and system for discovering and activating an application in a computer device | |
| CN102708309A (en) | Automatic malicious code analysis method and system | |
| EP2605174B1 (en) | Apparatus and method for analyzing malware in data analysis system | |
| CN112084497A (en) | Method and device for detecting malicious program of embedded Linux system | |
| Zhou et al. | Demystifying diehard android apps | |
| US9348999B2 (en) | User terminal, reliability management server, and method and program for preventing unauthorized remote operation | |
| CN109981573B (en) | Security event response method and device | |
| CN102270132B (en) | Control method for script action in Linux operating system | |
| CN111125701B (en) | File detection method, equipment, storage medium and device | |
| CN110928754A (en) | Operation and maintenance auditing method, device, equipment and medium | |
| CN109327433B (en) | Threat perception method and system based on operation scene analysis |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20151022 Address after: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park) Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee after: Qizhi software (Beijing) Co.,Ltd. Address before: The 4 layer 100016 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C Patentee before: Qizhi software (Beijing) Co.,Ltd. |
|
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee after: Beijing Qizhi Business Consulting Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20240116 Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015 Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Beijing Qizhi Business Consulting Co.,Ltd. |