CN102855274A - Method and device for detecting suspicious progresses - Google Patents

Info

Publication number: CN102855274A
Authority: CN (China)
Prior art keywords: white list, characteristic data, executable file, suspicious, file
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2012102484185A
Other languages: Chinese (zh)
Other versions: CN102855274B (en)
Inventors: 张聪, 宋申雷, 肖鹏, 刘起
Current assignee: Beijing Qihoo Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Qihoo Technology Co Ltd
Events: application filed by Beijing Qihoo Technology Co Ltd; priority to CN201210248418.5A; publication of CN102855274A; application granted; publication of CN102855274B; current legal status: Expired - Fee Related; anticipated expiration

Abstract

The invention provides a method and a device for detecting suspicious processes. The method includes acquiring first characteristic data of the processes running in a browser; matching the first characteristic data against a preset first white list database; and judging a process to be suspicious if its first characteristic data are not in the preset first white list database. The first characteristic data include the hash values and digital signatures of the executable files of the processes, and the preset first white list database includes trusted file hash values and trusted file digital signatures. With this method and device, suspicious processes can be identified comprehensively, effectively and accurately, and the safety of users browsing the internet is improved.

Description

Method and apparatus for detecting suspicious processes
Technical field
The present application relates to the technical field of information security, and in particular to a method for detecting suspicious processes and an apparatus for detecting suspicious processes.
Background technology
A computer virus is a set of computer instructions or program code that its author inserts into a computer program, that destroys computer functions or data, interferes with the use of the computer, and is able to replicate itself. Once a computer is infected, its files are typically added to, deleted, renamed, have their attributes changed, or are moved to other directories. These operations on the computer's files may cause a series of problems: normal programs no longer run, the operating system crashes, the computer is taken under remote control, and user information is stolen.
At present, the computer virus that internet users are most likely to be infected by is the "Trojan horse". A Trojan horse is a program that exploits a vulnerability in a computer program to intrude and then steal files. It is a hidden, autonomous program used to carry out malicious actions. Historically, a computer Trojan was defined as a class of infiltration that tries to trick the user into running it by masquerading as a useful program. Note that Trojans in the past really were like this, but they no longer need to disguise themselves: their sole purpose is to infiltrate as easily as possible and accomplish their malicious goal. "Trojan horse" has become a general term used to describe all infiltrations that do not belong to any particular category.
Among the Trojan techniques developed to date, the most common is the web page Trojan (web Trojan). Web Trojans are the main culprit behind the threat of malicious web software: on the surface they are disguised as ordinary web page files, or malicious code is inserted directly into a normal web page file, and when someone visits the page, the web Trojan exploits a vulnerability in the system or browser to automatically download the configured Trojan server component to the visitor's computer and execute it. The essence of a web Trojan is to use a vulnerability to deliver a Trojan downloader to the user. Strictly speaking, a web Trojan is not itself a Trojan program and should rather be called a web Trojan "planter": it is a means of implanting Trojans, viruses, password stealers and other rogue programs on the target user's machine by attacking a vulnerability in the browser or in a browser plug-in (the target is usually Internet Explorer and ActiveX controls).
A web Trojan is actually an HTML web page. What distinguishes it from other pages is that it has been carefully crafted by an attacker, so that once the user visits it the user is infected. Why "carefully crafted"? Because a script hidden inside the page exploits a vulnerability in the IE browser so that IE silently downloads, in the background, the Trojan the attacker has placed on the network and runs (installs) it. In other words, the page downloads the Trojan to the local computer and runs (installs) it, with the whole process taking place in the background: as soon as the user opens the page, the download and the run (install) process begin automatically.
To guarantee the safe operation of computers, various security software products in the prior art have proposed detection and interception techniques for Trojans. The principle of existing security software is to build a virus database by extracting virus signatures; when the user triggers a scan, specified files on the user's computer are compared with the signatures in the virus database to determine whether they are viruses, and if so they are quarantined or deleted. However, because the virus database is not updated in real time and the user's triggering of a virus scan also lags behind, this prior art very easily produces false positives and false negatives. For example, when a user visits a website that has been implanted with a Trojan (a "Trojan-hung" website) through a browser, the browser process can download and run the Trojan program without the user's knowledge. Because existing security software cannot detect this situation in real time, the Trojan program will inevitably run on the user's device and steal data such as account names and passwords, causing loss to the user. This is especially so for new viruses: even if the user triggers a Trojan scan after visiting such a website, the Trojan still cannot be detected because it is not yet contained in the virus database.
Therefore, an urgent technical problem for those skilled in the art is to propose a brand-new mechanism for detecting suspicious processes, so that suspicious processes can be identified comprehensively, effectively and accurately, and the security of users browsing the internet is improved.
Summary of the invention
The technical problem to be solved by the present application is to provide a method and apparatus for detecting suspicious processes, so that suspicious processes can be identified comprehensively, effectively and accurately, and the security of users browsing the internet is improved.
In order to solve the above problem, the present application discloses a method for detecting suspicious processes, comprising:
obtaining the first characteristic data of each process running in the browser, the first characteristic data comprising the hash value and the digital signature of the executable file of the process;
matching the first characteristic data against a preset first white list database, the first white list database comprising trusted file hash values and trusted file digital signatures; and
if the first characteristic data of a process are not in the preset first white list database, judging that the process is a suspicious process.
Preferably, the processes running in the browser comprise the processes the browser is starting and the processes already started in the browser.
Preferably, the step of obtaining the first characteristic data of each process running in the browser comprises:
obtaining the path of the executable file of each process running in the browser;
extracting the corresponding executable file from the path;
reading the content of the executable file and calculating its hash value;
and
extracting the digital signature of the executable file.
Preferably, the digital signature is generated in the following way:
1) creating a hash value of the executable file to be signed;
2) encrypting the hash value with the publisher's private key;
3) inserting the encrypted hash value and the publisher's digital certificate into the executable file to be signed;
and the digital signature is extracted in the following way:
1) creating a hash value of the executable file to be verified;
2) decrypting the encrypted hash value with the publisher's public key;
3) comparing the decrypted hash value with the newly created hash value; if they match, the signature is valid and the publisher's digital certificate information is extracted.
Preferably, the first characteristic data further comprise the path of the executable file of the process, and the first white list database further comprises trusted paths.
Preferably, the method further comprises:
if the first characteristic data of a process are in the preset first white list database, further extracting the second characteristic data of the process, the second characteristic data comprising the file paths in the parameters with which the executable file of the process was executed;
extracting the information of the corresponding file under each file path;
matching the extracted file information against a preset second white list database, the second white list database comprising trusted file information; and
if the extracted file information is not in the preset second white list database, judging that the process is a suspicious process.
Preferably, the method further comprises:
issuing a suspicious-process prompt for the suspicious process and terminating the process;
or,
issuing a suspicious-process prompt for the suspicious process and preventing the process from running.
An embodiment of the present application further discloses an apparatus for detecting suspicious processes, comprising:
a process information acquisition module, for obtaining the first characteristic data of each process running in the browser, the first characteristic data comprising the hash value and the digital signature of the executable file of the process;
a white list detection module, for matching the first characteristic data against a preset first white list database, the first white list database comprising trusted file hash values and trusted file digital signatures; and
a first determination module, for judging that a process is a suspicious process when its first characteristic data are not in the preset first white list database.
Preferably, the processes running in the browser comprise the processes the browser is starting and the processes already started in the browser.
Preferably, the process information acquisition module comprises:
an executable file path acquisition submodule, for obtaining the path of the executable file of each process running in the browser;
an executable file extraction submodule, for extracting the corresponding executable file from the path;
a content reading submodule, for reading the content of the executable file and calculating its hash value;
and
a digital signature extraction submodule, for extracting the digital signature of the executable file.
Preferably, the first characteristic data further comprise the path of the executable file of the process, and the first white list database further comprises trusted paths.
Preferably, the apparatus further comprises:
a characteristic extraction module, for further extracting the second characteristic data of a process when its first characteristic data are in the preset first white list database, the second characteristic data comprising the file paths in the parameters with which the executable file of the process was executed;
a file extraction module, for extracting the information of the corresponding file under each file path;
a matching module, for matching the extracted file information against a preset second white list database, the second white list database comprising trusted file information; and
a second determination module, for judging that the process is a suspicious process when the extracted file information is not in the preset second white list database.
Preferably, the apparatus further comprises:
a first prompting module, for issuing a suspicious-process prompt for the suspicious process and terminating the process;
or,
a second prompting module, connected to the white list detection module, for issuing a suspicious-process prompt for the suspicious process and preventing the process from running.
Compared with the prior art, the present application has the following advantages:
The present application proposes a mechanism for performing white list detection on the processes running in the browser. Using the "not white means black" property of a white list, it can protect the processes running in the browser from being attacked through vulnerabilities, can protect the user from downloading and running a virus or Trojan through a program without the user's knowledge, and can identify suspicious processes comprehensively, effectively and accurately, thereby improving the security of users browsing the internet.
The embodiments of the present application use a two-level white list detection mechanism to screen for suspicious processes among the processes currently running in the browser. In the first-level white list detection, the first characteristic data of each process running in the browser are obtained and checked against the first white list database; if they are absent, the corresponding process is judged to be suspicious. At the same time, second-level white list detection can be initiated for the remaining processes other than those already judged suspicious: their second characteristic data are obtained and checked against the second white list database, and if they are absent the corresponding process is judged to be suspicious. The present application can detect the processes currently running in the browser in real time, thereby effectively improving the security of users browsing the internet and preventing them from being attacked by viruses such as Trojan programs.
Description of drawings
Fig. 1 is a flow chart of the steps of method embodiment 1 for detecting suspicious processes according to the present application;
Fig. 2 is a flow chart of the steps of method embodiment 2 for detecting suspicious processes according to the present application;
Fig. 3 is a flow chart of the steps of method embodiment 3 for detecting suspicious processes according to the present application;
Fig. 4 is a structural block diagram of apparatus embodiment 1 for detecting suspicious processes according to the present application;
Fig. 5 is a structural block diagram of apparatus embodiment 2 for detecting suspicious processes according to the present application.
Embodiment
In order to make the above objects, features and advantages of the present application clearer, the present application is described in further detail below with reference to the drawings and specific embodiments.
One of the core ideas of the embodiments of the present application is to propose a mechanism for performing white list detection on the processes running in the browser, using the "not white means black" property of a white list to effectively guard against suspicious processes running in the browser and improve the security of users browsing the internet.
Referring to Fig. 1, which shows a flow chart of the steps of method embodiment 1 for detecting suspicious processes according to the present application, the method may comprise the following steps:
Step 101: obtaining the first characteristic data of each process running in the browser, the first characteristic data comprising the hash value and the digital signature of the executable file of the process;
Step 102: matching the first characteristic data against a preset first white list database;
In the present embodiment, the first white list database comprises trusted file hash values and trusted file digital signatures. Step 102 thus matches the executable file hash value of each process running in the current browser against the trusted file hash values in the first white list database, and matches the digital signature of the executable file of each process running in the current browser against the trusted file digital signatures in the first white list database.
In the embodiments of the present application, the processes running in the browser comprise the processes the browser is starting and the processes already started in the browser, i.e. all processes currently being opened and running in the browser. With the embodiments of the present application, when the browser (browser program) accesses a web address, the first characteristic data of the processes the current browser is starting and has started can be obtained and matched against the preset first white list database, thereby judging whether there is a suspicious process among the processes the current browser is starting and has started.
It should be noted that a process is a program in execution, i.e. an instance of a program running on the computer; it can be dispatched to a processor and executed by the processor as an entity. The "processes running in the browser" referred to in the embodiments of the present application do not include the browser process itself, and generally fall into two types. The first type is a file download process outside the browser cache directory. Normal web browsing does not download virus files such as Trojans; the browser process downloads web resources such as the pictures, style sheets and script files in a web page to the local cache directory, such as C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files. This first type therefore refers to a file download process outside the browser cache directory, for example a process that accesses the download address of an executable file, i.e. an executable file run directly through the browser. By identifying file download processes outside the browser cache directory, the running of suspicious processes that might be viruses such as Trojans can be effectively blocked.
The second type is a web Trojan download process triggered through a system vulnerability. A web Trojan is disguised on the surface as an ordinary web page file, or has malicious code inserted directly into a normal web page file; when someone visits the page, the web Trojan exploits a vulnerability in the system or browser to automatically download the configured Trojan server component to the visitor's computer and execute it. With the embodiments of the present application, web Trojan processes running in the browser can be detected in real time, and the white list mechanism also avoids the problem that a web Trojan cannot be identified because the virus database lags behind and does not yet contain it.
In a preferred embodiment of the present application, step 102 may comprise the following sub-steps:
Sub-step S11: obtaining the path of the executable file of each process running in the browser;
Sub-step S12: extracting the corresponding executable file from the path;
Sub-step S13: reading the content of the executable file and calculating its hash value;
and
Sub-step S14: judging whether the executable file has a digital signature; if so, extracting the digital signature; if not, generating a corresponding digital signature for the executable file.
In a specific implementation, the unique HASH (hash) value of the executable file may be calculated with the MD5 algorithm (Message-Digest Algorithm 5). A typical use of the MD5 algorithm is to produce a message digest for a piece of information (message) in order to prevent tampering. The MD5 algorithm treats the whole file as one large text message and, through its irreversible string mapping algorithm, produces the unique MD5 message digest.
For example, the unique 32-character HASH value of the executable file WINWORD.EXE calculated with the MD5 algorithm is 54525786F76E6CD2BA29E2B7B1B28939.
Of course, those skilled in the art may calculate the hash value of the executable file with other algorithms according to the actual situation, for example SHA-1, RIPEMD and Haval, and the present application need not be limited in this respect.
A digital signature is a technique that uses a hash algorithm together with a digital certificate to identify the publisher of software and guarantee the integrity of the software. In the Windows operating system, Microsoft Authenticode uses a code signing certificate issued by a root authority trusted by Windows to digitally sign software code, thereby guaranteeing that the software code comes from the real publisher and has not been illegally tampered with. Software code digital signatures use PKI (Public Key Infrastructure) public/private key technology. The whole digital signature process is: the data sender encrypts a checksum or other variable related to the data content with its own private key, completing the "signature" of the data; the data receiver then uses the sender's public key to decode the received "digital signature", and uses the decoded result to check the integrity of the data and confirm the legitimacy of the signature.
For example, the process of generating a digital signature is:
1) creating a hash value of the executable file to be signed;
2) encrypting the hash value with the publisher's private key;
3) inserting the encrypted hash value and the publisher's digital certificate into the executable file to be signed.
Correspondingly, the verification process of the digital signature is:
1) creating a hash value of the executable file to be verified;
2) decrypting the encrypted hash value with the publisher's public key;
3) comparing the decrypted hash value with the newly created hash value; if they match, the signature is valid and the publisher's digital certificate information is extracted.
For example, when the digital signature of the executable file WINWORD.EXE is verified, the publisher's digital certificate information extracted is: Microsoft Code Signing PCA.
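The signing and verification steps above, as an added worked example that is not part of the patent: Go code that uses RSA PKCS#1 v1.5 over a SHA-256 hash as the concrete scheme (the text names no algorithm), with a SignedFile struct standing in for the signature block that Authenticode embeds in a PE file and a constructed byte string standing in for the executable. The publisher name and key pair are hypothetical. Beyond the three steps in the text, Verify also shows the two cases a checker has to reject: a file whose content changed after it was signed, and a file that carries no signature at all and therefore yields no publisher information to match against the white list.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedFile models an executable carrying an embedded signature block: the
// code bytes, the publisher's certificate (reduced here to publisher name and
// public key) and the signature, i.e. the hash encrypted with the publisher's
// private key. Authenticode keeps this in a PE data directory; the struct is a
// constructed stand-in for that.
type SignedFile struct {
	Code      []byte
	Publisher string
	PubKey    *rsa.PublicKey
	Signature []byte
}

// NewPublisherKey generates the (hypothetical) publisher's key pair.
func NewPublisherKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// hashCode is step 1 of both generation and verification: the hash value of
// the executable's content.
func hashCode(code []byte) []byte {
	sum := sha256.Sum256(code)
	return sum[:]
}

// Sign follows the three generation steps: hash the code, encrypt the hash
// with the publisher's private key, and insert the result together with the
// publisher's certificate into the file.
func Sign(code []byte, publisher string, priv *rsa.PrivateKey) (*SignedFile, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hashCode(code))
	if err != nil {
		return nil, err
	}
	return &SignedFile{
		Code:      append([]byte(nil), code...),
		Publisher: publisher,
		PubKey:    &priv.PublicKey,
		Signature: sig,
	}, nil
}

// Verify follows the three verification steps: hash the file again, use the
// publisher's public key to check the embedded (encrypted) hash against the
// fresh one, and only on a match release the publisher's certificate
// information. rsa.VerifyPKCS1v15 performs the decrypt-and-compare internally.
func Verify(f *SignedFile) (string, error) {
	if f.PubKey == nil || len(f.Signature) == 0 {
		return "", errors.New("file carries no digital signature")
	}
	if err := rsa.VerifyPKCS1v15(f.PubKey, crypto.SHA256, hashCode(f.Code), f.Signature); err != nil {
		return "", fmt.Errorf("signature does not match file content: %w", err)
	}
	return f.Publisher, nil
}

// TamperedCopy returns a copy of f whose code has one extra byte appended,
// modelling a binary that was modified after it was signed.
func TamperedCopy(f *SignedFile) *SignedFile {
	t := *f
	t.Code = append(append([]byte(nil), f.Code...), 0x00)
	return &t
}

func main() {
	priv, err := NewPublisherKey()
	if err != nil {
		panic(err)
	}
	code := []byte("MZ constructed executable image") // constructed stand-in for a PE file
	signed, err := Sign(code, "Example Publisher (constructed)", priv)
	if err != nil {
		panic(err)
	}
	if who, err := Verify(signed); err == nil {
		fmt.Println("signed file: publisher =", who)
	}
	if _, err := Verify(TamperedCopy(signed)); err != nil {
		fmt.Println("tampered file:", err)
	}
	if _, err := Verify(&SignedFile{Code: code}); err != nil {
		fmt.Println("unsigned file:", err)
	}
}
```

The publisher string returned by Verify is what sub-step S14 feeds into the white list match; a real implementation would also validate the certificate chain up to the trusted root, which the text mentions but this example leaves out.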
Step 103: if the first characteristic data of a process are not in the preset first white list database, judging that the process is a suspicious process.
In a specific implementation, the embodiments of the present application are applicable to the web address access operation of any browser: when the browser accesses a web address, the suspicious process detection mode is triggered and steps 101-103 are executed in that mode. As another example, the embodiments of the present application may also be applied specifically to website services with higher security requirements: when the web address currently accessed by the browser is in a preset website list, the suspicious process detection mode is triggered. For example, when the user accesses a shopping website, the web address is judged to be in the preset list of websites with a higher security level, so the suspicious process detection mode is triggered and steps 101-103 are executed in that mode.
Referring to Fig. 2, which shows a flow chart of the steps of method embodiment 2 for detecting suspicious processes according to the present application, the method may comprise the following steps:
Step 201: obtaining the first characteristic data of each process running in the browser, the first characteristic data comprising the path, the hash value and the digital signature of the executable file of the process;
In a specific implementation, the first characteristic data may further comprise the name of the process.
Step 202: matching the first characteristic data against a preset first white list database to judge whether the current process is a suspicious process, the first white list database comprising trusted paths, trusted file hash values and trusted file digital signatures;
Step 203: if the first characteristic data of a process are not in the preset first white list database, judging that the process is a suspicious process;
Step 204: issuing a suspicious-process prompt for the suspicious process and terminating the process; or issuing a suspicious-process prompt and preventing the process from running.
In a specific implementation, the processes running in the browser can be monitored at the RING3 (ring 3) layer and/or the RING0 (ring 0) layer, specifically by hooking (HOOK) API (application programming interface) functions. RING3 (ring 3) and RING0 (ring 0) are CPU privilege levels: the CPU divides privilege into four levels, RING0, RING1, RING2 and RING3. Windows uses only two of them, RING0 and RING3; RING0 is reserved for the operating system, while RING3 is available to everyone.
For example, at the RING3 layer, the function parameters can be obtained by hooking the execute-command class of API functions, giving the name of the process being started and the path of its executable file. At the RING0 layer, the DeviceIoControl API function is hooked: a user-mode program sends an I/O request packet to the kernel-mode driver through the DeviceIoControl function, and after the kernel-mode driver receives the request packet it writes data into the buffer provided by the user-mode program; by examining this data the name of the process being started and the path of its executable file are obtained.
For example, at the RING3 layer, the WinExec function can be hooked:
UINT WinExec(LPCSTR lpCmdLine, UINT uCmdShow);
Here lpCmdLine is the command line of the application to execute, and uCmdShow defines how the window of a windowed application is displayed; its value is supplied to the CreateProcess function as the wShowWindow member of the STARTUPINFO structure.
If the current browser calls the WinExec function to run the file muma.exe on the C drive,
WinExec("C:\\muma.exe", SW_NORMAL);
then through the RING3 and RING0 hooks the lpCmdLine parameter can be obtained, yielding the name of the process and the path of its executable file.
As another specific application of the embodiments of the present application, the name and executable file path of each process running in the browser can also be obtained in the following way:
calling the Windows system API function NtQuerySystemInformation to enumerate the processes of the current system:
1. finding the function entry of ZwQuerySystemInformation in the Ntdll.dll module;
2. obtaining the linked array of process information;
3. iterating through all process information entries;
4. obtaining the ProcessName field in the process information;
5. obtaining the path and file name of the process from the process name.
In a specific implementation, the trusted paths in the first white list database may comprise fixed software installation directories, fixed file paths and so on.
To help those skilled in the art better understand the embodiments of the present application, a concrete example is described below.
S1: obtaining the process information and traversing it, which yields the process:
C:\Program Files\Microsoft Office\Office 12\WINWORD.EXE;
S2: the path of its executable file is obtained as C:\Program Files\Microsoft Office\Office 12;
S3: by matching the trusted file paths in the first white list database, the path C:\Program Files is judged to belong to a normal software installation path of the device;
S4: by the MD5 HASH algorithm, the unique 32-character MD5 HASH value of the file WINWORD.EXE is calculated as 54525786F76E6CD2BA29E2B7B1B28939; by querying the file hash values in the first white list database, this MD5 hash value is found to exist;
S5: the digital signature of WINWORD.EXE is verified, and the signer is: Microsoft Code Signing PCA, which belongs to the trusted digital certificates in the first white list database;
S6: the process is judged to be a trusted process in the white list.
In practice, when the first characteristic data of a process running in the browser do not appear in the first white list database and the process is therefore judged to be suspicious, the user can be prompted and the process terminated, or the user can be prompted and the process prevented from running; the process can also be intercepted in other ways, and the present application need not be limited in this respect.
Referring to FIG. 3, a flowchart of the steps of method embodiment 3 of the suspicious process detection of the present application is shown, which may specifically comprise the following steps:
Step 301: obtain the first characteristic data of each running process in the browser, the first characteristic data comprising the path, the hash value and the digital signature of the executable file of the process;
In a specific implementation, the first characteristic data may further comprise the name of the process.
Step 302: match the first characteristic data against a preset first white list database to determine whether the current process is a suspicious process, the first white list database comprising trusted paths, trusted file hash values and trusted file digital signatures;
Step 303: if the first characteristic data of a process are not in the preset first white list database, determine that the process is a suspicious process;
Step 304: if the first characteristic data of a process are in the preset first white list database, further extract second characteristic data of the process, the second characteristic data comprising the file path in the parameters executed by the executable file of the process;
Step 305: extract the information of the corresponding file under the file path;
Step 306: match the extracted file information against a preset second white list database, the second white list database comprising trusted file information;
Step 307: if the extracted file information is not in the preset second white list database, determine that the process is a suspicious process;
Step 308: for the suspicious process, issue suspicious process prompt information and terminate the process; or issue suspicious process prompt information and prevent the process from running.
This embodiment of the application uses a two-level white list detection mechanism to screen the suspicious processes among the processes currently running in the browser. In the first-level white list detection, the first characteristic data of each running process in the browser are obtained and checked against the first white list database; if they are absent, the corresponding process is determined to be suspicious. Second-level white list detection may further be initiated for the remaining processes other than those already found suspicious: the second characteristic data of these processes are obtained and checked against the second white list database, and if they are absent, the corresponding process is determined to be suspicious. This embodiment can prevent a white-listed process from being used as an intermediary to execute a malicious Trojan program.
For example, suppose that after matching against the first white list database the process cmd.exe is determined to be non-suspicious. In this case, the file path further extracted from the parameters executed by the executable file of the process cmd.exe is as follows:
"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\server[1].exe"
This indicates that the process cmd.exe will accept the parameter path and execute the file "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\server[1].exe", meaning that this non-suspicious process may in turn run a suspicious file.
In this case, the present embodiment can be used to obtain the file path in the parameters executed by the process cmd.exe:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\server[1].exe
The file server[1].exe is then extracted under this path and checked against the second white list database to determine whether its file information is trusted; if not, the current process is determined to be a suspicious process.
As another example, suppose that after matching against the first white list database the process WScript.exe is determined to be non-suspicious. In this case, the file path further extracted from the parameters executed by the executable file of the process WScript.exe is as follows:
"C:\DOCUME~1\o1\LOCALS~1\Temp\MtwRtxMTrFeeGOaDW.vbs"
This indicates that the process WScript.exe will accept the parameter path and execute the file "C:\DOCUME~1\o1\LOCALS~1\Temp\MtwRtxMTrFeeGOaDW.vbs", meaning that this non-suspicious process may in turn run a suspicious file.
In this case, the present embodiment can be used to obtain the file path in the parameters executed by the process WScript.exe:
C:\DOCUME~1\o1\LOCALS~1\Temp\MtwRtxMTrFeeGOaDW.vbs
The file MtwRtxMTrFeeGOaDW.vbs is then extracted under this path and checked against the second white list database to determine whether its file information is trusted; if not, the current process is determined to be a suspicious process.
Of course, the above settings of the second characteristic data and the second white list database are only examples; those skilled in the art may configure them according to actual conditions. For example, the second characteristic data may be set to the file path in the parameters executed by the executable file of the process, with the second white list database correspondingly set to contain trusted file names, and so on; the application is not limited in this respect.
It should be noted that, for simplicity of description, the method embodiments are expressed as a series of combined actions; those skilled in the art should understand that the application is not limited by the described order of actions, since according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the application.
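The two-level check of steps 301 to 308, together with the cmd.exe and WScript.exe cases above (and the same logic as claimed in claims 1, 3 and 6), is shown below as an added Go example; it is not code from the patent or from the applicant. Everything in it is constructed: the on-disk files are a map of path to placeholder bytes, the signer name is supplied directly rather than parsed from an Authenticode signature, SHA-256 is used in place of the MD5 of step S4, the trusted directories are a single case-insensitive pattern, the white lists are derived from the constructed files, the full WINWORD.EXE path under C:\Program Files is assumed, and the paths C:\Program Files\Contoso\update.vbs and C:\Users\Public\evil.exe are hypothetical additions to the three paths from the text.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Process is one running process as an agent observes it. Signer is the certificate subject an
// Authenticode parser would report ("" if unsigned); here it is given rather than parsed from the PE.
type Process struct{ Name, Path, Signer, CmdLine string }
// Whitelists: first tier = trusted directories (pattern), file hashes and signers; second tier =
// hashes of files that a trusted process may legitimately be told to execute.
type Whitelists struct {
	TrustedDirs                                 *regexp.Regexp
	TrustedHashes, TrustedSigners, TrustedFiles map[string]bool
}
// Disk stands in for the file system (path -> bytes) so the example runs offline.
type Disk map[string][]byte
func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// FirstTier is steps S3-S6 / 301-303: "" when path, hash and signer are all white-listed, else the reason.
func FirstTier(p Process, disk Disk, wl Whitelists) string {
	exe, ok := disk[p.Path]
	switch {
	case !ok:
		return "executable cannot be read"
	case !wl.TrustedDirs.MatchString(p.Path):
		return "path not in trusted paths"
	case !wl.TrustedHashes[sha256Hex(exe)]:
		return "file hash not in white list"
	case p.Signer == "" || !wl.TrustedSigners[p.Signer]:
		return "signer not trusted"
	}
	return ""
}
// paramPath matches a Windows path in a command line: quoted (group 1) or bare (group 2).
var paramPath = regexp.MustCompile(`"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)`)
// ParamPaths extracts the second characteristic data: every file path in the parameters, skipping
// the executable's own path when the command line repeats it.
func ParamPaths(p Process) []string {
	var out []string
	for _, m := range paramPath.FindAllStringSubmatch(p.CmdLine, -1) {
		if path := m[1] + m[2]; !strings.EqualFold(path, p.Path) { // only one group is ever set
			out = append(out, path)
		}
	}
	return out
}
// SecondTier is steps 304-307: each parameter file is read, hashed and looked up in the second
// white list; an unreadable file counts as untrusted. "" means trusted.
func SecondTier(p Process, disk Disk, wl Whitelists) string {
	for _, path := range ParamPaths(p) {
		if data, ok := disk[path]; !ok || !wl.TrustedFiles[sha256Hex(data)] {
			return "parameter file not in second white list: " + path
		}
	}
	return ""
}
// Classify runs both tiers in the order the method prescribes; "" means not suspicious.
func Classify(p Process, disk Disk, wl Whitelists) string {
	if why := FirstTier(p, disk, wl); why != "" {
		return why
	}
	return SecondTier(p, disk, wl)
}
// Constructed paths: the three from the text (full WINWORD.EXE path assumed) plus a hypothetical
// benign script and an unsigned binary outside every trusted directory.
const (
	winword = `C:\Program Files\Microsoft Office\Office12\WINWORD.EXE`
	cmdExe  = `C:\WINDOWS\system32\cmd.exe`
	wscript = `C:\WINDOWS\system32\WScript.exe`
	dropped = `C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\server[1].exe`
	tmpVbs  = `C:\DOCUME~1\o1\LOCALS~1\Temp\MtwRtxMTrFeeGOaDW.vbs`
	goodVbs = `C:\Program Files\Contoso\update.vbs`
	evilExe = `C:\Users\Public\evil.exe`
)
// Samples returns the constructed disk (placeholder bytes), the white lists derived from it and
// the processes to classify: the cases from the text plus the two hypothetical ones.
func Samples() (Disk, Whitelists, []Process) {
	disk := Disk{winword: []byte("winword"), cmdExe: []byte("cmd"), wscript: []byte("wscript"), dropped: []byte("MZ dropper"),
		tmpVbs: []byte("vbs payload"), goodVbs: []byte("signed updater"), evilExe: []byte("MZ unsigned")}
	wl := Whitelists{TrustedDirs: regexp.MustCompile(`(?i)^C:\\(Program Files|WINDOWS\\system32)\\`),
		TrustedHashes:  map[string]bool{sha256Hex(disk[winword]): true, sha256Hex(disk[cmdExe]): true, sha256Hex(disk[wscript]): true},
		TrustedSigners: map[string]bool{"Microsoft Corporation": true},
		TrustedFiles:   map[string]bool{sha256Hex(disk[goodVbs]): true}}
	ms := "Microsoft Corporation"
	return disk, wl, []Process{
		{"WINWORD.EXE", winword, ms, `"` + winword + `" /n`},
		{"cmd.exe", cmdExe, ms, `cmd.exe /c "` + dropped + `"`},
		{"WScript.exe", wscript, ms, `WScript.exe ` + tmpVbs},
		{"WScript.exe", wscript, ms, `WScript.exe "` + goodVbs + `"`},
		{"evil.exe", evilExe, "", evilExe},
	}
}
func main() {
	disk, wl, procs := Samples()
	for _, p := range procs {
		why := Classify(p, disk, wl)
		fmt.Printf("%-12s suspicious=%-5v %s\n", p.Name, why != "", why)
	}
}
```

Running it prints one line per process: WINWORD.EXE passes both tiers; cmd.exe and the first WScript.exe instance pass the first tier but are flagged by the second because the file named in their parameters is not in the second white list; the second WScript.exe instance passes because its script is; evil.exe is rejected at the first tier. Two caveats for a practitioner: MD5, used in step S4, has practical collision attacks, so a white list keyed on file hashes should use SHA-256 as here; and a trusted-directory check only adds value on top of the hash and signature checks, since anyone able to write under a trusted directory satisfies it.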
Referring to FIG. 4, a structural block diagram of device embodiment 1 of the suspicious process detection of the present application is shown, which may specifically comprise the following modules:
Process information acquisition module 401, configured to obtain the first characteristic data of each running process in the browser, the first characteristic data comprising the hash value and the digital signature of the executable file of the process;
White list detection module 402, configured to match the first characteristic data against a preset first white list database, the first white list database comprising trusted file hash values and trusted file digital signatures;
First determination module 403, configured to determine that a process is a suspicious process when the first characteristic data of the process are not in the preset first white list database.
In a specific implementation, the running processes in the browser may comprise processes that are starting and processes that have already started.
In a preferred embodiment of the application, the process information acquisition module 401 may comprise the following sub-modules:
an executable file path acquisition sub-module, configured to obtain the path of the executable file of each running process in the browser;
an executable file extraction sub-module, configured to extract the corresponding executable file from the path;
a content reading sub-module, configured to read the content of the executable file and calculate its hash value;
and,
a digital signature extraction sub-module, configured to extract the digital signature of the executable file.
As a specific application example of this embodiment, the first characteristic data may further comprise the path of the executable file of the process; correspondingly, the first white list database may further comprise trusted paths.
In a specific implementation, this embodiment of the application may further comprise:
a first prompting module, configured to issue suspicious process prompt information and terminate the process for a suspicious process;
or,
a second prompting module, configured to issue suspicious process prompt information and prevent the process from running for a suspicious process.
Referring to FIG. 5, a structural block diagram of device embodiment 2 of the suspicious process detection of the present application is shown, which may specifically comprise the following modules:
Process information acquisition module 501, configured to obtain the first characteristic data of each running process in the browser, the first characteristic data comprising the hash value and the digital signature of the executable file of the process;
White list detection module 502, configured to match the first characteristic data against a preset first white list database, the first white list database comprising trusted file hash values and trusted file digital signatures;
First determination module 503, configured to determine that a process is a suspicious process when the first characteristic data of the process are not in the preset first white list database;
Feature extraction module 504, configured to further extract second characteristic data of a process when the first characteristic data of the process are in the preset first white list database, the second characteristic data comprising the file path in the parameters executed by the executable file of the process;
File extraction module 505, configured to extract the information of the corresponding file under the file path;
Matching module 506, configured to match the extracted file information against a preset second white list database, the second white list database comprising trusted file information;
Second determination module 507, configured to determine that the process is a suspicious process when the extracted file information is not in the preset second white list database.
Since the device embodiments are substantially similar to the method embodiments, their description is relatively brief; for relevant details, refer to the corresponding description of the method embodiments.
Each embodiment in this specification is described progressively; each embodiment focuses on its differences from the other embodiments, and the same or similar parts among the embodiments may be referred to one another.
Those skilled in the art should understand that the embodiments of the application may be provided as a method, a device or a computer program product. Therefore, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product embodied in one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although the preferred embodiments of the application have been described, those skilled in the art, once they have learned the basic inventive concept, may make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the application.
Finally, it should also be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.
The method and the device for detecting suspicious processes provided by the application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the application, and the description of the above embodiments is only intended to help understand the method and core idea of the application. Meanwhile, for those of ordinary skill in the art, there will be changes in the specific embodiments and the scope of application in accordance with the idea of the application. In summary, the content of this description should not be construed as limiting the application.

Claims (13)

1. A method for detecting suspicious processes, characterized in that it comprises:
obtaining first characteristic data of each running process in a browser, the first characteristic data comprising the hash value and the digital signature of the executable file of the process;
matching the first characteristic data against a preset first white list database, the first white list database comprising trusted file hash values and trusted file digital signatures;
if the first characteristic data of a process are not in the preset first white list database, determining that the process is a suspicious process.
2. The method according to claim 1, characterized in that the running processes in the browser comprise processes that the browser is starting and processes that have already started in the browser.
3. The method according to claim 2, characterized in that the step of obtaining the first characteristic data of each running process in the browser comprises:
obtaining the path of the executable file of each running process in the browser;
extracting the corresponding executable file from the path;
reading the content of the executable file and calculating its hash value;
and,
extracting the digital signature of the executable file.
4. The method according to claim 3, characterized in that the digital signature is generated in the following manner:
1) a hash value is created for the executable file to be signed;
2) the hash value is encrypted with the publisher's private key;
3) the encrypted hash value and the publisher's digital certificate are inserted into the executable file to be signed;
and the digital signature is extracted in the following manner:
1) a hash value is created for the executable file to be verified;
2) the encrypted hash value is decrypted with the publisher's public key;
3) the decrypted hash value is compared with the newly created hash value; if they match, the signature is correct, and the publisher's digital certificate information is extracted.
5. The method according to any one of claims 1 to 4, characterized in that the first characteristic data further comprise the path of the executable file of the process, and the first white list database further comprises trusted paths.
6. The method according to claim 5, characterized in that it further comprises:
if the first characteristic data of a process are in the preset first white list database, further extracting second characteristic data of the process, the second characteristic data comprising the file path in the parameters executed by the executable file of the process;
extracting the information of the corresponding file under the file path;
matching the extracted file information against a preset second white list database, the second white list database comprising trusted file information;
if the extracted file information is not in the preset second white list database, determining that the process is a suspicious process.
7. The method according to claim 6, characterized in that it further comprises:
issuing suspicious process prompt information and terminating the process for a suspicious process;
or,
issuing suspicious process prompt information and preventing the process from running for a suspicious process.
8. A device for detecting suspicious processes, characterized in that it comprises:
a process information acquisition module, configured to obtain first characteristic data of each running process in a browser, the first characteristic data comprising the hash value and the digital signature of the executable file of the process;
a white list detection module, configured to match the first characteristic data against a preset first white list database, the first white list database comprising trusted file hash values and trusted file digital signatures;
a first determination module, configured to determine that a process is a suspicious process when the first characteristic data of the process are not in the preset first white list database.
9. The device according to claim 8, characterized in that the running processes in the browser comprise processes that the browser is starting and processes that have already started in the browser.
10. The device according to claim 9, characterized in that the process information acquisition module comprises:
an executable file path acquisition sub-module, configured to obtain the path of the executable file of each running process in the browser;
an executable file extraction sub-module, configured to extract the corresponding executable file from the path;
a content reading sub-module, configured to read the content of the executable file and calculate its hash value;
and,
a digital signature extraction sub-module, configured to extract the digital signature of the executable file.
11. The device according to any one of claims 8 to 10, characterized in that the first characteristic data further comprise the path of the executable file of the process, and the first white list database further comprises trusted paths.
12. The device according to claim 11, characterized in that it further comprises:
a feature extraction module, configured to further extract second characteristic data of a process when the first characteristic data of the process are in the preset first white list database, the second characteristic data comprising the file path in the parameters executed by the executable file of the process;
a file extraction module, configured to extract the information of the corresponding file under the file path;
a matching module, configured to match the extracted file information against a preset second white list database, the second white list database comprising trusted file information;
a second determination module, configured to determine that the process is a suspicious process when the extracted file information is not in the preset second white list database.
13. The device according to claim 12, characterized in that it further comprises:
a first prompting module, configured to issue suspicious process prompt information and terminate the process for a suspicious process;
or,
a second prompting module, connected to the white list detection module, configured to issue suspicious process prompt information and prevent the process from running for a suspicious process.
CN201210248418.5A 2012-07-17 2012-07-17 Method and device for detecting suspicious processes Expired - Fee Related CN102855274B (en)


Publications (2)

Publication Number Publication Date
CN102855274A 2013-01-02
CN102855274B 2015-12-09


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101311950A (en) * 2007-05-25 2008-11-26 北京书生国际信息技术有限公司 Electronic stamp realization method and device
CN101834860A (en) * 2010-04-22 2010-09-15 北京交通大学 Method for remote dynamic verification on integrality of client software
CN102004879A (en) * 2010-11-22 2011-04-06 北京北信源软件股份有限公司 Method for identifying credible progress

CN111291355A (en) * 2020-02-24 2020-06-16 广西电网有限责任公司防城港供电局 Transformer substation system
CN113378175A (en) * 2020-03-10 2021-09-10 科大国盾量子技术股份有限公司 Method, device and system for detecting QKD system software operating environment
CN111159707A (en) * 2020-04-07 2020-05-15 北京安博通科技股份有限公司 Malicious DLL injection detection method and device
CN111753301A (en) * 2020-07-01 2020-10-09 深信服科技股份有限公司 File-free attack detection method and device, electronic equipment and medium
CN111753301B (en) * 2020-07-01 2024-04-09 深信服科技股份有限公司 File attack-free detection method and device, electronic equipment and medium
CN112069499A (en) * 2020-09-15 2020-12-11 北京微步在线科技有限公司 Detection method, detection device, storage medium and electronic equipment
CN113312623A (en) * 2021-06-21 2021-08-27 北京天融信网络安全技术有限公司 Process detection method and device in access control, electronic equipment and storage medium
CN113312623B (en) * 2021-06-21 2023-11-24 北京天融信网络安全技术有限公司 Process detection method and device in access control, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN102855274B (en) 2015-12-09

Similar Documents

Publication Publication Date Title
CN102855274B (en) The method and apparatus that a kind of suspicious process detects
US10171250B2 (en) Detecting and preventing man-in-the-middle attacks on an encrypted connection
US9798879B2 (en) Apparatus, system, and method for protecting against keylogging malware
Tan et al. A root privilege management scheme with revocable authorization for Android devices
Yang et al. Automated detection and analysis for android ransomware
US20130061323A1 (en) System and method for protecting against malware utilizing key loggers
US20130055335A1 (en) Security enhancement methods and systems
CN110188547B (en) Trusted encryption system and method
JP2011517859A (en) Systems and methods for authentication, data transfer and phishing protection
WO2007125422A2 (en) System and method for enforcing a security context on a downloadable
US10050977B2 (en) Preventing misuse of code signing certificates
US9015817B2 (en) Resilient and restorable dynamic device identification
JP2019057167A (en) Computer program, device and determining method
US20200265135A1 (en) Protecting a software program against tampering
Xing et al. Unauthorized cross-app resource access on mac os x and ios
KR20100054940A (en) Apparatus and method for preventing malware using signature verification for embedded linux
US7779269B2 (en) Technique for preventing illegal invocation of software programs
US11658996B2 (en) Historic data breach detection
KR20140011518A (en) Method and system to prevent malware code
CN101136048A (en) Software identification method
US20120278883A1 (en) Method and System for Protecting a Computing System
Li et al. Authenticator rebinding attack of the UAF protocol on mobile devices
Cho et al. A strengthened android signature management method
CN116956298A (en) Application running environment detection method and device
CN111046440A (en) Tamper verification method and system for secure area content

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20151209

Termination date: 20190717