CN102789559A - Method and device for monitoring program installation and program operation in mobile device - Google Patents
- Publication number
- CN102789559A CN2011101324860A CN201110132486A
- Authority
- CN
- China
- Prior art keywords
- program
- mobile device
- installation
- monitoring
- report
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The invention provides a method and a device for monitoring program installation and program operation in a mobile device. The method comprises the following steps: installing a program on the mobile device and recording the installation information; running the installed program and recording the program operation information; packing and sending the installation information and the operation information to a server side; and then analyzing the installation information and the operation information by the server side. The method has the benefits that the virus can be actively discovered and the virus threat can be monitored by all the display functions of a mobile phone.
Description
Technical field
The present invention relates to the field of communication security, and in particular to a method and system for monitoring program installation and program operation in a mobile device.
Background technology
With the spread of smartphones and other smart mobile devices, mobile phone viruses have also multiplied; viruses such as mobile phone Trojans and mobile phone worms target smartphones and mobile devices. Mobile phone viruses can invade a mobile device in several ways, for example through short messages, multimedia messages, wireless network downloads, and WiFi or Bluetooth connections. Active security protection is becoming increasingly important for mobile devices.
Malware on a mobile device can cause many serious problems. For example, a mobile phone virus can drain the battery quickly, and may delete the user's important business information or even disable specific functions of the phone. Besides disabling normal functions, an eavesdropping virus can obtain control of the phone and turn it into a mobile wiretap. It can even turn on the camera, take pictures and upload them to the network.
Although the means used by viruses are constantly updated, a virus always leaves regular, recognizable traces when it acts on a mobile device, for example operations harmful to the system such as deletion, silent installation or background networking. Existing antivirus software relies on these characteristics to identify and remove viruses. Its measures can be summarized as the following three steps:
Researchers collect virus samples, analyze each virus's execution flow, classify the viruses, and store the resulting virus fingerprints in a virus database;
The mobile device is scanned periodically, and the fingerprints of virus files in the virus database are used to check for virus types;
After a specific virus has been identified, the virus program is deleted or the virus traces are removed from the infected program.
Although this process can identify known viruses and variants of known viruses, it is ineffective against unknown viruses. Such methods usually work after the fact: a virus can be detected, identified and removed only after infection. They depend on the virus signatures or fingerprints stored in the virus database and are ineffective against viruses that are not stored there.
For these reasons, prior-art virus detection and removal methods cannot actively identify unknown viruses; they depend on samples of viruses that have already broken out and cannot effectively guard mobile devices against security threats.
Summary of the invention
The technical problem solved by the present invention is to provide a technical solution that actively monitors the installation process and running process of software programs on a mobile device, so as to identify programs that may threaten the security of the mobile device.
According to one aspect of the invention, the technical solution provides a method for monitoring program installation and program operation in a mobile device, comprising the following steps: installing a program on the mobile device and recording installation information; running the installed program and recording program operation information; packaging the installation information and the operation information and sending them to a server; and analyzing the installation information and the operation information at the server.
According to one aspect of the invention, recording the installation information comprises recording at least one of: the structure of the installation package, the names of the programs generated after installation, the program identification code, file name, file path, file size and program certificate.
According to one aspect of the invention, recording the installation information further comprises computing the hash value of the installation file.
According to one aspect of the invention, recording the program operation information comprises recording at least one of: event name, run time, program name, program identification code, name of the called file and identification code of the called file.
According to one aspect of the invention, recording the program operation information further comprises computing the hash value of the called file.
According to one aspect of the invention, recording the program operation information further comprises compiling the operations performed by the program into event records.
According to one aspect of the invention, the installation information and operation information of a plurality of programs are each compiled into data messages, and a data packet is then generated.
According to one aspect of the invention, the technical solution provides a system for monitoring program installation and program operation in a mobile device, comprising: a program installation monitoring module, a program operation monitoring module, a data compilation module and a data sending module. The program installation monitoring module runs in real time on the mobile device and records the installation information produced while a program is installed on the mobile device. The program operation monitoring module runs in real time on the mobile device and records the operation information produced while a program runs on the mobile device. The data compilation module communicates with the program installation monitoring module and the program operation monitoring module, reads the installation information and the operation information, generates a program installation report and a program operation report, and packages the two reports. The data sending module communicates with the data compilation module and sends the data packet containing the program installation report and the program operation report to the server.
A beneficial effect of the invention is that the installation process and running process of software programs on the mobile device are actively analyzed, so that programs that may threaten the security of the mobile device are identified.
A further beneficial effect of the invention is that the installation process and running process of each program are monitored separately, while the monitoring records of a plurality of programs can be compiled into data messages in batches.
Description of drawings
The invention is further described below with reference to the flowcharts.
Fig. 1 is an operational flowchart of monitoring program installation and operation according to the invention.
Fig. 2 is a flowchart of the program operation monitoring process of the invention.
Fig. 3 is a flowchart of multi-program installation and operation monitoring according to the invention.
Fig. 4 is a schematic diagram of the system for monitoring program installation and operation according to the invention.
Fig. 5 is a schematic diagram of the program operation monitoring module of the invention.
Embodiment
The invention provides a method for monitoring program installation and process running in a mobile device. By monitoring the program installation process and the program running process on the mobile device, threatening programs or viruses are actively identified.
According to one embodiment of the invention, the method for monitoring program installation and process running in a mobile device follows the flow shown in Fig. 1. At step S101, the mobile device installs a software program. The format of the installer may differ between mobile operating system platforms: on the Symbian platform the installer is a SIS or SISX file, on the Android platform an NPK or APK file, and on the iOS platform a deb, ipa or pxl file.
At step S103, the program installation monitoring module monitors the installation of the software program. Monitoring the installation includes obtaining information about the program. According to one embodiment of the invention, taking Symbian as an example, the program installation monitoring module needs to call into the kernel mode of the operating system, because many system resources, such as information about the installation process, can be accessed only by the system kernel. The information about the installation process is read from the system memory of the mobile device through the relevant application programming interface (API) of the Software Interrupt. Specifically, for the unique identifier of each successfully installed package, the software interrupt function is used to obtain the attributes of all monitored installation packages, such as UID, name, publisher and version number.
Taking the Symbian software program Standard C++ library Common plugin as an example, the monitoring module records the following information about the program: the UID (the unique identifier of the application, usually a string of 8 characters) "200364e0"; the application name "Standard C++ library Common plugin"; the version number "3.23 (6)"; the vendor "Nokia"; the package membership "main" (parent installation package); the trust level of the package; the certificate vendor "Beijing Shenzhouhaomiao Chemicals Product Sales Co., Ltd."; the certificate issuer "Symbian CA I"; and the hash value of the package "PiZRyQjnwS0URcsRRtJ/eAkOhHE=". In this embodiment the hash is computed with the SHA-1 algorithm; a person of ordinary skill in the art will appreciate that other hash algorithms, such as MD3 or MD5, can equally serve to compute a file's characteristic value.
In addition to the information above, the program installation monitoring module also records the files copied or generated on the mobile device by the installation. In the example above, the software program Standard C++ library Common plugin generates 6 files on the mobile device after installation. The names of the 6 files and their installation paths are:
c:\System\Data\Dsez\Other\Init.ini
c:\System\Data\Dsez\Configue\pro3.sisx
c:\sys\bin\200364E2.dll
c:\resource\plugins\200364E2.rsc
c:\sys\bin\200364E1.exe
c:\sys\bin\200364E1.exe
Among the generated files, 200364E1.exe and 200364E1.exe are 2 executable files; 200364E2.dll cannot execute by itself but can be loaded and executed by other processes. For the executable files generated by the installation, the program installation monitoring module additionally records the size of the executable file, its identity, its secure identifier, the hash value of the file and the file capability code. Taking the file 200364E2.dll as an example, the file size is "000003ec", the unique identifier is "10009d8d", the secure identifier is "200364e2", the hash value is "HVUxqB0zybmARBnYpkud2AU2sGc=" and the file capability code is "1e1b4".
At step S104, the program installation report is generated. In this embodiment the generated report is in XML format and records the installation information as a tree. The first layer of the report records information about the installation package: the identity of the application, the name of the application, its version number, its vendor, the package membership, the trust level of the package, the certificate vendor of the package, the certificate issuer and the hash value of the package. The second layer of the report records information about the sub-packages, if the package has any. Likewise, the sub-package information comprises the identity of the package, the application name, the package membership, the trust level of the package, the certificate vendor of the package, the certificate issuer and the hash value of the package. The third layer of the report records information about the files copied or generated by the installation.
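An added example (not part of the patent text) of the three-layer installation report from step S104, with hash values in the 28-character Base64 SHA-1 form quoted above. The XML element names, the helper functions and all file contents are assumptions constructed for illustration; the attribute values are the ones given in the description, so the computed hashes differ from the quoted ones.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Element and field names are assumptions; the page does not give a schema.
PACKAGE_FIELDS = ("uid", "name", "version", "vendor", "membership",
                  "trust", "cert_vendor", "cert_issuer")
EXECUTABLE_SUFFIXES = (".exe", ".dll")


def sha1_b64(data):
    """SHA-1 digest in Base64: 20 bytes encode to 28 characters."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def digest_length(b64_value):
    """Byte length of a Base64-encoded digest (20 for SHA-1, 16 for MD5)."""
    return len(base64.b64decode(b64_value, validate=True))


def package_element(tag, attrs, payload):
    """One package node: the known attributes plus the hash of the package."""
    node = ET.Element(tag)
    for field in PACKAGE_FIELDS:
        if attrs.get(field) is not None:      # e.g. the trust level is not given
            ET.SubElement(node, field).text = attrs[field]
    ET.SubElement(node, "hash", algorithm="SHA-1").text = sha1_b64(payload)
    return node


def build_install_report(pkg, payload, sub_packages, files):
    """pkg: attribute dict; payload: package bytes;
    sub_packages: list of (attribute dict, bytes);
    files: list of (path, content bytes, extra attribute dict)."""
    report = ET.Element("install_report")
    package = package_element("package", pkg, payload)          # layer 1
    report.append(package)
    subs = ET.SubElement(package, "sub_packages")                # layer 2
    for attrs, sub_payload in sub_packages:
        subs.append(package_element("sub_package", attrs, sub_payload))
    listing = ET.SubElement(package, "files")                    # layer 3
    for path, content, extra in files:
        node = ET.SubElement(listing, "file", path=path)
        if path.lower().endswith(EXECUTABLE_SUFFIXES):
            # Executables carry the extra attributes; size as 8 hex digits.
            ET.SubElement(node, "size").text = format(len(content), "08x")
            for key in ("uid", "secure_id", "capabilities"):
                if key in extra:
                    ET.SubElement(node, key).text = extra[key]
            ET.SubElement(node, "hash", algorithm="SHA-1").text = sha1_b64(content)
    return report


def sample_report():
    """Attribute values from the description; every byte string is constructed."""
    pkg = {
        "uid": "200364e0",
        "name": "Standard C++ library Common plugin",
        "version": "3.23 (6)",
        "vendor": "Nokia",
        "membership": "main",
        "cert_vendor": "Beijing Shenzhouhaomiao Chemicals Product Sales Co., Ltd.",
        "cert_issuer": "Symbian CA I",
    }
    files = [
        (r"c:\System\Data\Dsez\Other\Init.ini", b"[init]\n", {}),
        (r"c:\sys\bin\200364E2.dll", b"\x00" * 0x3EC,
         {"uid": "10009d8d", "secure_id": "200364e2", "capabilities": "1e1b4"}),
        (r"c:\sys\bin\200364E1.exe", b"\x01" * 64, {}),
    ]
    return build_install_report(pkg, b"constructed package bytes", [], files)


if __name__ == "__main__":
    print(ET.tostring(sample_report(), encoding="unicode"))
```

`digest_length` returns 20 for both hash strings quoted in the description, which is the SHA-1 digest size.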
At step S102, the mobile device runs the newly installed software program for the first time. According to one embodiment of the invention, the operator starts the program for the first time by clicking its icon in the user interface of the mobile device. Optionally, the first run of the software program starts automatically after installation finishes.
At step S105, the program operation monitoring module monitors the software currently running on the mobile device. According to one embodiment of the invention, taking Symbian as an example, the RApaLsSession class provided by Symbian can be used to obtain detailed information about the processes running in the system. As shown in Fig. 2, this comprises the following flow. At step S201, a system kernel call object is created, for example an RApaLsSession object. At step S202, the number of tasks currently running in the system is recorded. At step S203, preliminary information about all running tasks is obtained. At step S204, all running tasks in the system are traversed. At step S205, detailed information about each task is obtained, including the unique identifier of the task, the process identifier of the task, the memory size occupied by the task's process, the run time of the task and the specific operations of the task, such as read, copy or delete. At step S206, as the details of each task are obtained, they are added to a list for display. At step S207, the system's running-task information is updated, and all running tasks are traversed again at the next system time. Repeating this process yields a record of task events in the system over a period of time. Besides the processes in the system, some exe programs can run on the mobile device on their own as independent applications; the same steps are used to record the operation of each exe program separately. The steps above describe a monitoring example on the Symbian platform; a person of ordinary skill in the art will appreciate that on other operating system platforms equivalent steps can be substituted to achieve the purpose of the invention.
As shown in Fig. 1, at step S104, the program operation report is generated from the program operation monitoring records. According to one embodiment of the invention, the program operation report contains records of the specific events triggered while the program runs, such as deleting a file, silent installation or sending a short message. Some events reflect the operations of several threads in the system; for example, on Symbian the event of opening the notepad involves the following two threads, sys and sys. In addition, an event of the same category corresponds to different threads or exe programs on different operating systems. The invention therefore uses predefined rules to classify the operations of threads or exe programs into events.
Taking the Standard C++ library Common plugin program installed at step S103 as an example, the program operation report contains the following:
Event name: obtain handset identification code
Date: March 22, 2011
Time: 17:39:40
Parent installation package name: Standard C++ library Common plugin
Parent installation package identification code: 200364e0
Thread name: sys
Thread identification code: 586
Thread program hash value: qHxc2aDDk+gk/Z2CgIKkT+0gHcM
Execution type: normal
Event name: delete file
Date: March 22, 2011
Time: 17:39:41
Parent installation package name: Standard C++ library Common plugin
Parent installation package identification code: 200364e0
Thread name: sys
Thread identification code: 586
Thread program hash value: qHxc2aDDk+gk/Z2CgIKkT+0gHcM
Execution type: delete service
In this embodiment the generated program operation report is in XML format, and the report file has a two-dimensional structure. The first dimension of the program installation report arranges the different events and their related information in the chronological order in which the events occurred. The second dimension of the report arranges the different events triggered by the same program, with their related information, according to program category.
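An added example (not part of the patent text) of classifying thread operations into events with predefined rules and arranging the result along the two dimensions of the operation report. The rule table, the operation names, the `example_os` platform, the second package and the XML element names are hypothetical; the remaining values come from the sample report above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical rule table: (platform, thread name, operation) -> event name.
# The same event maps to different threads on different platforms.
RULES = {
    ("symbian", "sys", "read_device_id"): "obtain handset identification code",
    ("symbian", "sys", "file_delete"): "delete file",
    ("symbian", "sys", "notepad_open"): "open notepad",
    ("example_os", "filesvc", "unlink"): "delete file",
}


@dataclass(frozen=True)
class ThreadRecord:
    timestamp: str       # ISO 8601, so string order equals time order
    platform: str
    package_name: str
    package_uid: str
    thread_name: str
    thread_id: int
    operation: str


def classify(records):
    """Map thread records to events; threads that raise the same event for the
    same package at the same time are merged into one event record."""
    merged = {}
    for r in records:
        event = RULES.get((r.platform, r.thread_name, r.operation),
                          "unclassified:" + r.operation)   # keep unknown operations
        entry = merged.setdefault((r.timestamp, r.package_uid, event), {
            "time": r.timestamp, "event": event, "package": r.package_name,
            "package_uid": r.package_uid, "threads": []})
        if r.thread_id not in entry["threads"]:
            entry["threads"].append(r.thread_id)
    return list(merged.values())


def arrange(events):
    """First dimension: all events by time. Second: events grouped by program."""
    by_time = sorted(events, key=lambda e: (e["time"], e["package_uid"], e["event"]))
    by_program = defaultdict(list)
    for e in by_time:
        by_program[e["package_uid"]].append(e)
    return by_time, dict(by_program)


def event_element(e):
    node = ET.Element("event", name=e["event"], time=e["time"])
    for thread_id in e["threads"]:
        ET.SubElement(node, "thread", id=str(thread_id))
    return node


def build_run_report(records):
    by_time, by_program = arrange(classify(records))
    root = ET.Element("run_report")
    timeline = ET.SubElement(root, "by_time")
    for e in by_time:
        timeline.append(event_element(e))
    programs = ET.SubElement(root, "by_program")
    for uid, events in by_program.items():
        prog = ET.SubElement(programs, "program", uid=uid, name=events[0]["package"])
        for e in events:
            prog.append(event_element(e))
    return root


PKG = "Standard C++ library Common plugin"
# Constructed records: operation names and the second package are made up.
SAMPLE = [
    ThreadRecord("2011-03-22T17:39:41", "symbian", PKG, "200364e0", "sys", 586, "file_delete"),
    ThreadRecord("2011-03-22T17:39:40", "symbian", PKG, "200364e0", "sys", 586, "read_device_id"),
    ThreadRecord("2011-03-22T17:39:42", "symbian", "Constructed notes app", "e0000001", "sys", 590, "notepad_open"),
    ThreadRecord("2011-03-22T17:39:42", "symbian", "Constructed notes app", "e0000001", "sys", 591, "notepad_open"),
    ThreadRecord("2011-03-22T17:39:43", "symbian", PKG, "200364e0", "sys", 586, "socket_connect"),
]

if __name__ == "__main__":
    print(ET.tostring(build_run_report(SAMPLE), encoding="unicode"))
```

Operations that match no rule are kept as `unclassified:<operation>` rather than dropped, so the server still sees behaviour the rule table does not yet cover.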
At step S107, the data packet is generated. The program installation report and the program operation report, generated in steps S106 and S104, are merged into a data packet. Optionally, the program installation report and the program operation report each correspond to one XML file, and the 2 files are compressed into one data packet, a compressed file in ZIP or RAR format.
At step S108, the mobile device transmits the generated data packet to the server over a wireless network. In this embodiment the device connects to an HTTP server over WiFi and uploads the file to it using the HTTP file transfer protocol. The HTTP server then starts a background process to analyze the uploaded file and saves the analysis result to a database. The HTTP service can also interface with the virus database and the analysis database; after the sample analysis completes, a virus analyst can view the analysis result on a web page and can conveniently submit virus signatures and generate a virus analysis report. Optionally, the mobile device can upload the data packet over a GPRS, CDMA1x or 3G network to a communication base station, which forwards it to the data processing server. After receiving the data packet, the server goes on to decompress and analyze the data.
According to one embodiment of the invention, the invention can monitor the installation and operation of software programs in batches. As shown in Fig. 3, at step S301, the software programs to be monitored are prepared in batch. Optionally, on Symbian, the SISX installation packages to be monitored are copied in batch into a designated directory, for example the data storage directory. At step S302, information about the files to be installed is obtained and a file list is generated, for example program 1, program 2, ..., program N. At step S303, the installations are performed in file-list order. At step S305, for each SISX package that installed successfully, the corresponding installation information is obtained. Optionally, this step comprises first obtaining the UID (unique identifier) of each successfully installed package, recording the UID in an installation result list, and using the UIDs in the installation result list to obtain information about the installation packages. Optionally, the software interrupt function is used to obtain the attributes of the packages in the installation result list, such as UID, name, publisher, version number, generated file names and paths. Optionally, this step also comprises obtaining the hash value of the installation package and the hash values of the files generated after installation.
At step S306, the program installation report is generated. The report contains the installation information observed by the monitoring module, such as UID, name, publisher, version number, generated file names, paths, the hash value of the installation package and the hash values of the files generated after installation.
At step S304, the successfully installed software programs listed in the installation result list are run. At step S307, the program operation monitoring module monitors the running of the programs. According to one embodiment of the invention, the monitoring comprises the following flow: create an RApaLsSession object; record the number of tasks currently running in the system; obtain preliminary information about all running tasks; traverse all running tasks in the system; obtain detailed information about each task, including the unique identifier of the task, the thread identifier of the task, the memory size occupied by the task's thread, the run time of the task and the specific operations of the task, such as read, copy or delete; add the details of each task to a list as they are obtained; update the system's running-task information; and traverse all running tasks again at the next system time.
Optionally, the program operation monitoring module runs continuously for a predefined period, so that it records not only the events triggered when the program first starts but also the events triggered while the program runs over a period of time.
At step S308, the program operation report is generated. The data compilation module reads the program operation information and generates the program operation report. According to one embodiment of the invention, the data compilation module reads the program operation records and aggregates the records of the threads called while the program runs into event trigger records.
At step S309, the data compilation module packages the program installation report and the program operation report. At step S310, the data sending module sends the data packet containing the program installation report and the program operation report to the server.
According to one embodiment of the invention, the programs to be monitored are installed in batch, and each program is started as soon as its installation finishes. When several programs are installed and run, installation and running can proceed at the same time: for example, after program 1 finishes installing, program 1 is run while the installation of program 2 begins, and the operation monitoring of program 1 can proceed at the same time as the installation monitoring of program 2. Optionally, depending on the mobile device's operating system (some operating systems support multitasking while others support only single-tasking), the monitoring of the invention can monitor the installation and operation of several programs simultaneously or, where the operating system platform limits it, monitor the installation and operation of each program in turn.
According to one embodiment of the invention, the system for monitoring the installation and operation of software programs in batches is shown in Fig. 4. The system 400 comprises a program installation monitoring module 401, a program operation monitoring module 402, a data compilation module 403 and a data sending module 404. The program installation monitoring module 401 runs continuously on the mobile device and records the installation information produced while programs are installed on the mobile device.
According to this embodiment, the program installation monitoring module 401 can communicate with the mobile device to obtain the attributes of the package to be installed, such as unique identifier, name, publisher and version number.
The program operation monitoring module 402 runs continuously on the mobile device and records the operation information produced while programs run on the mobile device. According to this embodiment, the program operation monitoring module 402 can record the specific events triggered while a program runs, such as deleting a file, silent installation or sending a short message. The program operation monitoring module 402 can also monitor related information about the program, such as the parent installation package name, parent installation package identification code, thread name, thread identification code, thread program hash value and execution type.
According to one embodiment of the invention, the program operation monitoring module 402 comprises a system kernel call module 501, which can communicate with the operating system kernel of the mobile device to obtain records of the kernel calls made by running programs. The program operation monitoring module also comprises a task recording module 502, which communicates with the system kernel call module 501, reads the records of the kernel calls made by running programs, extracts the number of running tasks from them and keeps a record. The program operation monitoring module 402 also comprises a preliminary information recording module 503, which communicates with the system kernel call module 501 and records preliminary information about all tasks. The program operation monitoring module 402 also comprises a task traversal module 504, which communicates with the task recording module 502 and the kernel call module; the task traversal module 504 reads the number of tasks and the preliminary information records and has the kernel call module 501 traverse all tasks. The program operation monitoring module 402 also comprises a detail recording module 505, which communicates with the system kernel call module 501 and records the details of each task, for example the unique identifier of the task, the process identifier of the task, the memory size occupied by the task's process, the run time of the task and the specific operations of the task, such as read, copy or delete. The program operation monitoring module 402 also comprises a refresh module 506, which communicates with the task traversal module 504; after the details of all tasks have been recorded, the refresh module 506 triggers the task traversal module 504 to traverse all tasks again. According to one embodiment of the invention, the refresh module 506 triggers the task traversal module 504 at a predetermined time interval.
As shown in Fig. 4, the data compilation module 403 communicates with the program installation monitoring module 401 and the program operation monitoring module 402. The data compilation module 403 reads the installation information and the operation information from the program installation monitoring module 401 and the program operation monitoring module 402 respectively, generates the program installation report and the program operation report, and packages the two reports. The data sending module 404 communicates with the data compilation module 403 and sends the data packet containing the program installation report and the program operation report to the server.
According to one embodiment of the invention, the system 400 further comprises a storage 411 for installation files to be monitored, an installation file information reading module 412 and a batch installation module 413. The storage 411 can store the installation files of multiple software programs to be monitored. The installation file information reading module 412 communicates with the storage 411, reads the information of all installation files in the storage 411 and generates a program list. The batch installation module 413 communicates with the installation file information reading module 412 and installs the software programs according to the program list.
To describe the purpose of the invention, not every combination of devices or methods can be set out here, but a person of ordinary skill in the art will recognize that many further combinations and modifications of the invention are possible. The invention is therefore intended to cover all such changes, modifications and variations. For example, depending on the mobile device's operating system (some operating systems support multitasking while others support only single-tasking), the monitoring of the invention can monitor the installation and operation of several programs simultaneously or, where the operating system platform limits it, monitor the installation and operation of each program in turn. In addition, although a particular feature of the invention may have been disclosed with respect to only one of several implementations, that feature can be combined with other features of other embodiments.
Claims (10)
1. A method for monitoring program installation and program operation in a mobile device, characterized by comprising the following steps:
installing a program on the mobile device, recording installation information and generating a program installation report;
running the installed program, recording program operation information and generating a program operation report;
packing the installation report and the operation report and sending them to a server side; and
analyzing, by the server side, the installation information and the operation information.
2. The method for monitoring program installation and process operation in a mobile device according to claim 1, wherein recording installation information comprises recording at least one of: the structure of the installation package, the program name generated after installation, the program identification code, the file name, the file path, the file size and the program certificate.
3. The method for monitoring program installation and process operation in a mobile device according to claim 2, wherein recording installation information further comprises calculating the hash value of the installation file.
4. The method for monitoring program installation and process operation in a mobile device according to claim 1, wherein recording program operation information comprises recording at least one of: the event name, the running time, the program name, the program identification code, the name of the file called and the identification code of the file called.
5. The method for monitoring program installation and process operation in a mobile device according to claim 4, wherein recording program operation information further comprises calculating the hash value of the file called.
6. The method for monitoring program installation and process operation in a mobile device according to claim 4, wherein recording program operation information further comprises compiling the operation records of the operations performed by the program into log records.
7. The method for monitoring program installation and process operation in a mobile device according to claim 6, wherein the installation information and the operation information of a plurality of programs are each compiled into data information, after which a data packet is generated.
8. A system for monitoring program installation and program operation in a mobile device, comprising: a program installation monitoring module, a program operation monitoring module, a data compilation module and a data transmission module;
the program installation monitoring module runs in real time in the mobile device and records the installation information produced while a program is installed on the mobile device;
the program operation monitoring module runs in real time in the mobile device and records the operation information produced while a program runs on the mobile device;
the data compilation module communicates with the program installation monitoring module and the program operation monitoring module; the data compilation module reads the installation information and the operation information, generates a program installation report and a program operation report, and packs the program installation report and the program operation report; and
the data transmission module communicates with the data compilation module, and sends the data packet containing the program installation report and the program operation report to the server.
9. The system for monitoring program installation and program operation in a mobile device according to claim 8, wherein the program operation monitoring module compiles the operation records of the operations performed by the program into log records.
10. The system for monitoring program installation and program operation in a mobile device according to claim 8, wherein the data compilation module generates a data packet from the installation reports and operation reports of a plurality of programs.
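The report flow of claims 1 to 7, as an added illustration that is not code from the patent: installation and operation reports carry file hashes, are packed into one packet, and are analyzed on the server side. SHA-256, the JSON/zlib packet format, the field names and the analysis rule (flag called files that no installation report covers) are all assumptions; the claims name none of them.

```python
import hashlib, json, os, tempfile, time, zlib

def file_hash(path):
    """SHA-256 of a file; the claims only say "hash value", SHA-256 is assumed."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def installation_report(path, program_name, program_id):
    # Fields from claims 2 and 3: name, identification code, file name/path/size, hash.
    return {"program_name": program_name, "program_id": program_id,
            "file_name": os.path.basename(path), "file_path": path,
            "file_size": os.path.getsize(path), "file_hash": file_hash(path)}

def operation_report(event, program_name, program_id, called_path):
    # Fields from claims 4 and 5: event, running time, program, called file and its hash.
    return {"event": event, "time": time.time(), "program_name": program_name,
            "program_id": program_id, "called_file": os.path.basename(called_path),
            "called_hash": file_hash(called_path)}

def pack(install_reports, operation_reports):
    # Claims 1, 7 and 10: one packet holding the reports of several programs.
    body = json.dumps({"install": install_reports, "operation": operation_reports},
                      sort_keys=True).encode()
    return zlib.compress(body)

def analyze(packet):
    """Server side (assumed rule): return events whose called file was never reported as installed."""
    data = json.loads(zlib.decompress(packet))
    known = {r["file_hash"] for r in data["install"]}
    return [e for e in data["operation"] if e["called_hash"] not in known]

def demo():
    # Constructed sample: one installed file, one file that has no installation record.
    with tempfile.TemporaryDirectory() as d:
        app, dropped = os.path.join(d, "app.bin"), os.path.join(d, "dropped.bin")
        with open(app, "wb") as f: f.write(b"constructed installer payload")
        with open(dropped, "wb") as f: f.write(b"constructed unknown payload")
        packet = pack([installation_report(app, "DemoApp", "id-0001")],
                      [operation_report("file_open", "DemoApp", "id-0001", app),
                       operation_report("file_open", "DemoApp", "id-0001", dropped)])
    return [e["called_file"] for e in analyze(packet)]

if __name__ == "__main__":
    print(demo())
```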
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011101324860A CN102789559A (en) | 2011-05-20 | 2011-05-20 | Method and device for monitoring program installation and program operation in mobile device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102789559A true CN102789559A (en) | 2012-11-21 |
Family
ID=47154962
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2011101324860A Pending CN102789559A (en) | 2011-05-20 | 2011-05-20 | Method and device for monitoring program installation and program operation in mobile device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102789559A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002063051A (en) * | 2000-08-23 | 2002-02-28 | Will:Kk | Software operation monitoring system, recording medium therefor and software operation monitoring method |
CN1801030A (en) * | 2004-12-31 | 2006-07-12 | 福建东方微点信息安全有限责任公司 | Method for distinguishing baleful program behavior |
CN1818823A (en) * | 2005-02-07 | 2006-08-16 | 福建东方微点信息安全有限责任公司 | Computer protecting method based on programm behaviour analysis |
CN101594248A (en) * | 2008-05-27 | 2009-12-02 | 奇智软件技术(北京)有限公司 | The remote assistance method of information security and system maintenance, system and server |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104133754A (en) * | 2014-07-29 | 2014-11-05 | 广州金山网络科技有限公司 | Method, device and system for determining reason for deletion of application installation package |
CN104133754B (en) * | 2014-07-29 | 2018-12-28 | 广州猎豹网络科技有限公司 | A kind of application installation package is deleted the determination method, apparatus and system of reason |
CN110647442A (en) * | 2019-09-25 | 2020-01-03 | 北京宝兰德软件股份有限公司 | Software installation state monitoring method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10783241B2 (en) | System and methods for sandboxed malware analysis and automated patch development, deployment and validation | |
Burguera et al. | Crowdroid: behavior-based malware detection system for android | |
US10652274B2 (en) | Identifying and responding to security incidents based on preemptive forensics | |
CN103685575B (en) | A kind of web portal security monitoring method based on cloud framework | |
CA2731915C (en) | Method and system for security maintenance in a network | |
CN112685737A (en) | APP detection method, device, equipment and storage medium | |
JP2017511923A (en) | Virus processing method, apparatus, system, device, and computer storage medium | |
CN102831021A (en) | Method and device for interrupting or cleaning plugin | |
CN102082802A (en) | Behavior-based mobile terminal security protection system and method | |
CN103078864A (en) | Active defense file repairing method based on cloud security | |
US20210226927A1 (en) | System and method for fingerprint-based network mapping of cyber-physical assets | |
Cui et al. | Service-oriented mobile malware detection system based on mining strategies | |
CN104809397A (en) | Android malicious software detection method and system based on dynamic monitoring | |
CN102609654A (en) | Method and device for detecting malicious flash files | |
US11805106B2 (en) | System and method for trigger-based scanning of cyber-physical assets | |
US10917428B2 (en) | Holistic computer system cybersecurity evaluation and scoring | |
CN111191226A (en) | Method, device, equipment and storage medium for determining program by using privilege-offering vulnerability | |
CN102867143A (en) | Quick filtering method for malicious application programs | |
CN113961245A (en) | Security protection system, method and medium based on micro-service application | |
CN112860645A (en) | Processing method and device for offline compressed file, computer equipment and medium | |
CN102789558A (en) | Method and device for analyzing program installation and program operation in mobile device | |
EP3655878A1 (en) | Advanced cybersecurity threat mitigation using behavioral and deep analytics | |
KR20090031393A (en) | Web shell monitoring system and method based on pattern detection | |
Zegzhda et al. | Detecting Android application malicious behaviors based on the analysis of control flows and data flows | |
KR101324691B1 (en) | System and method for detecting malicious mobile applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20121121 |