Summary of the invention
In view of the above problems, the present invention is proposed to provide a file operation control method and system that overcome, or at least partly solve, the problems described above, so that an enterprise-edition security product can reflect the individual characteristics of different enterprises and offer greater flexibility in security control.
According to one aspect of the present invention, a file operation control method is provided, comprising:
a client monitoring a target operation behavior on a target file;
when an operation request to perform the target operation behavior on the target file is detected, intercepting the request, and the client obtaining, over the network, the security attribute information of the target file from the management control center of the security control server; the security attribute information comprising a private attribute and a public attribute, where the private attribute is the security class information set for the target file by the security administrator of the management control center, and the public attribute is the security class information of the target file obtained by querying a preset feature database;
judging, according to the security attribute information of the target file and the security policy for the current client obtained from the management control center, whether the target operation behavior is allowed to be performed on the target file; the security policy storing the set of security attribute information of files that are allowed and/or not allowed to perform the target operation behavior on the current client;
handling the intercepted request according to the judgment result.
Optionally, the method further comprises:
the management control center dividing physical regions according to the different security requirements of the physical regions in which clients are located, and configuring a different security policy for each physical region;
the client sending a request for its security policy to the management control center;
the management control center determining the physical region in which the client is located and returning the security policy configured for that physical region to the client.
Optionally, handling the intercepted request according to the judgment result comprises:
if the judgment result is that the target operation behavior is allowed to be performed on the target file, passing the intercepted request through.
Optionally, handling the intercepted request according to the judgment result comprises:
if the judgment result is that the target operation behavior is not allowed to be performed on the target file, discarding the intercepted request.
Optionally, the method further comprises:
after the request has been intercepted, loading and displaying a preset interface to indicate that a security check is in progress.
According to another aspect of the present invention, a file operation control system is provided, comprising a client and a management control center, where the client comprises:
a monitoring unit, configured to monitor a target operation behavior on a target file;
an information acquisition unit, configured to intercept the request when an operation request to perform the target operation behavior on the target file is detected, and to obtain, over the network, the security attribute information of the target file from the management control center of the security control server; the security attribute information comprising a private attribute and a public attribute, where the private attribute is the security class information set for the target file by the security administrator of the management control center, and the public attribute is the security class information of the target file obtained by querying a preset feature database;
a judging unit, configured to judge, according to the security attribute information of the target file and the security policy for the current client obtained from the management control center, whether the target operation behavior is allowed to be performed on the target file; the security policy storing the set of security attribute information of files that are allowed and/or not allowed to perform the target operation behavior on the current client;
a processing unit, configured to handle the intercepted request according to the judgment result.
Optionally, the management control center comprises:
a configuration unit, configured to divide physical regions according to the different security requirements of the physical regions in which clients are located, and to configure a different security policy for each physical region;
the client further comprises:
a request unit, configured to send a request for the client's security policy to the management control center;
and the management control center further comprises:
a determining unit, configured to determine the physical region in which the client is located and to return the security policy configured for that physical region to the client.
Optionally, the processing unit comprises:
a pass-through subunit, configured to pass the intercepted request through if the judgment result is that the target operation behavior is allowed to be performed on the target file.
Optionally, the processing unit comprises:
a discard subunit, configured to discard the intercepted request if the judgment result is that the target operation behavior is not allowed to be performed on the target file.
Optionally, the client further comprises:
a display unit, configured to load and display a preset interface after the request has been intercepted, to indicate that a security check is in progress.
According to the file operation control method and system of the present invention, whether a file may be subjected to the target operation behavior on the current client is judged from the security attribute information of the target file and the security policy configured for that client by the management control center. The security attribute information can include not only the public attribute of the file, determined from the feature database of the enterprise-class security product, but also the private attribute configured for the file by the enterprise's own administrator, and the security policy likewise expresses both kinds of attribute. The judgment can therefore be made comprehensively on the basis of both, so that the enterprise-edition security product reflects the individual characteristics of different enterprises and offers greater flexibility in security control.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
Referring to Fig. 1, an embodiment of the invention first provides a file operation control method, which may comprise the following steps:
S101: the client monitors a target operation behavior on a target file;
The target operation behavior may include running the target file, one program reading a certain file belonging to another program (for example an address book), saving a photo to the hard disk, and so on. For convenience of description, running a file is used as the example below.
In an embodiment of the invention, rather than performing a full-disk virus scan, a security check is performed on the specific file the user is about to run (including opening a document, opening an executable file, etc.) in order to determine whether the current user is allowed to run that file. To this end, a hook function can be registered in the system in advance that hooks the file-running API (Application Programming Interface) functions, so that when a file is about to be run by calling the corresponding API function, the call is redirected to the client of the enterprise-edition security product in the embodiment.
S102: when an operation request to perform the target operation behavior on the target file is detected, the request is intercepted, and the client obtains, over the network, the security attribute information of the target file from the management control center of the security control server; the security attribute information comprises a private attribute and a public attribute, where the private attribute is the security class information set for the target file by the security administrator of the management control center, and the public attribute is the security class information of the target file obtained by querying a preset feature database;
Once a request to run a target file is detected, the request can be intercepted; that is, it is temporarily not forwarded to the address of the original API function, and security-related processing is performed first. In an embodiment of the invention, after the client intercepts the request to run the target file, it can obtain the security attribute information of the target file from the management control center of the enterprise-edition security product. Specifically, the client can extract features from the target file, including static features such as the file name and md5 value and possibly dynamic features of the file, and send them to the management control center, which queries the security attribute information of the target file according to these features and returns it to the client. Alternatively, the target file itself can be sent to the management control center, which extracts the features and queries its security attribute information. Whether feature extraction is performed on the client or at the management control center, the extraction method can be the same.
Of course, because a management control center usually serves many clients, if every client uploaded every file to be run to the management control center for feature extraction, this would consume storage space at the management control center and, under many concurrent requests, cause queuing and reduce its response speed. In most cases, therefore, the client extracts the file features and uploads them to the management control center.
In an embodiment of the invention, the security attribute information of a file to be run can be made up of two parts: the private attribute of the file and the public attribute of the file. The private attribute is the security class information configured for the target file by the enterprise administrator. In a specific implementation, the display interface of the management control center can provide an entry for configuring the private attribute of each file, and the administrator can configure the security class of each file according to the enterprise's needs. For example, the security classes in the private attribute can be represented by the numbers 70, 10 and 40 for black, white and grey respectively: 70 means the file is most dangerous, 10 means the file is safest, and 40 means its safety cannot be determined. Because the same file may have different security classes in different enterprises, the embodiment uses the concept of a private attribute to account for these differences, and the enterprise administrator sets the security class of a file according to actual needs. After the private attributes have been set, a mapping table between files and private attributes can be kept at the management control center. In this table a file can be identified by its file name, but to avoid repeated settings and records for the same file content under different file names, the file can instead be identified by content check information such as its md5 value. When a client request for the security attribute information of a target file is received, the private attribute of the target file can be obtained by querying this mapping table.
It should be noted that in practice the private attribute of a target file can be configured by the administrator when a query for the security attribute information of that file is first received; after configuration, the correspondence between the file's identification information and its private attribute is added to the mapping table for use by other clients that later query the same file. Each request for a private attribute can thus follow this flow: first query the mapping table; if matching information exists, return the corresponding private attribute to the client directly; if not, require the client to upload the target file to the management control center, have the administrator analyze it and configure a private attribute for it, return that attribute to the client, and at the same time add the correspondence between the file's identification information and private attribute to the mapping table; and so on.
The public attribute refers to the security class of a file determined according to the feature database of the enterprise-edition security product. This feature database serves all enterprise-edition users and does not differ between enterprises, so, in contrast to the private attribute set by each enterprise's administrator, the file security information obtained from the feature database is called the public attribute. The public attribute can likewise be represented by the numbers 70, 10 and 40 for black, white and grey. When the management control center receives a request for the security attribute information of a target file, it queries the feature database with the features extracted from the file and determines the public attribute from the match result. For example, if the feature database holds a whitelist and a blacklist: if the target file's feature appears in the whitelist, its public attribute is "white", represented by "10"; if it appears in the blacklist, its public attribute is "black", represented by "70"; if it appears in neither, its public attribute is "grey", represented by "40". In short, the public attribute of a target file can be obtained by querying the preset feature database.
The feature database can be kept locally at the management control center, downloaded when the management control center is installed and updated regularly or irregularly by the remote enterprise-edition security product server; when a request for the public attribute of a target file is received, the management control center queries the locally stored feature database directly. Alternatively, to avoid consuming storage space at the management control center, the feature database can be kept on the enterprise-edition security product server; when the management control center receives a request for the public attribute of a target file, it forwards the query to the server and determines the public attribute from the server's result.
In short, after the management control center receives a request for the security attribute information of a target file, it returns both the private attribute information and the public attribute information of that file, and together these form the security attribute information of the target file. In a private cloud, all possible security attribute information can thus be represented by nine numbers: 7070, 7010, 7040, 4070, 4010, 4040, 1070, 1010 and 1040, where the first two digits represent the private attribute of the file and the last two digits represent its public attribute. For example, if the security attribute information returned by the management control center for a target file is 7010, the file is considered safe by the feature database of the enterprise-edition security product but considered unsafe by the administrator of the current enterprise.
It should be noted that after a request to run a file has been intercepted, the subsequent security analysis takes some time, so during this period a preset interface can be loaded and displayed to show information such as that a security check is in progress.
S103: according to the security attribute information of the target file and the security policy for the current client obtained from the management control center, it is judged whether the target operation behavior is allowed to be performed on the target file; the security policy stores the set of security attribute information of files that are allowed and/or not allowed to perform the target operation behavior on the current client;
In an embodiment of the invention, the client can also obtain in advance from the management control center the security policy for this client; the security policy specifies which files this client is allowed to run and/or which files it is not allowed to run. The files allowed or not allowed to run on the client are represented by the set of allowed or disallowed security attribute information. For example, if the files allowed to run on the current client are those whose security attribute information is "1010", "1040" or "1070", the security policy records that the files allowed to run on this client are those with security attribute information "1010", "1040" or "1070". The client can keep this policy locally; if the security attribute information queried for a target file is one of these values, the file is allowed to run on the current client, otherwise it is not.
The security policy of a client can be sent by the management control center over a protocol such as HTTP; that is, the administrator configures the security policy for the client at the management control center, which then issues it to the client so that the client enforces it. There are many clients in the enterprise network, and the security policies configured for them can be the same or different. When they are the same, the management control center can provide a unified configuration entry and issue the policy to every client once configuration is complete; when they differ, the management control center can provide a security policy configuration entry for each client and configure and issue policies individually. The unified configuration entry and the individual configuration entries can also coexist.
In a specific implementation, the following situation is common within an enterprise: not all clients have the same security requirements, but neither does every client have a different requirement; rather, clients can be divided into several classes according to their security requirements. For example, some clients are located in the core area of the enterprise and have high security requirements, some are located in the office area and have slightly lower requirements, and some are located in the customer area and have lower requirements still. Therefore, the management control center can divide physical regions according to the different security requirements of the physical regions in which clients are located and configure a different security policy for each region, for example as shown in Table 1:
Table 1
Policy name | Files allowed to run | Files forbidden to run
Core area | 1010,1040,1070 | 4010,4040,4070,7010,7040,7070
Administrative area | 1010,1040,1070,4010 | 4040,4070,7010,7040,7070
Customer area | 1010,1040,1070,4010,4040 | 4070,7010,7040,7070
Public area | 1010,1040,4010,4040,7010,7040 | 1070,4070,7070
That is, if a client is in the core area of the enterprise, the security attribute information of files allowed to run on it includes 1010, 1040 and 1070, and that of files not allowed to run includes 4010, 4040, 4070, 7010, 7040 and 7070; if a client is in the administrative area, the allowed set includes 1010, 1040, 1070 and 4010 and the disallowed set includes 4040, 4070, 7010, 7040 and 7070; and so on. As can be seen, the higher the security requirement of a region, the fewer file types are allowed to run. For example, the core area policy only allows files whose private attribute is "white" to run, while the public area only forbids files whose public attribute is "black". Of course, the specific way regions are divided and the policy corresponding to each region can be customized according to actual needs.
After the enterprise's physical regions have been divided and a different security policy configured for each, the client can send a request for its security policy to the management control center, which determines the physical region of the client from information such as its IP address and returns the security policy configured for that region. The client can then apply security control to file operations according to this policy. In practice, the management control center can also update each client's security policy regularly or irregularly.
S104: the intercepted request is handled according to the judgment result.
If the judgment result shows that running the current target file is allowed, the intercepted request is passed through, so that the request reaches the call address of the original API function and the file is opened and subsequently edited, etc. If the judgment result shows that running the current target file is not allowed, the intercepted request is discarded; the request never reaches the call address of the original API function, the file cannot run on this client, and the client is thereby protected from the effects of a malicious file.
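The decision path of steps S102 to S104 end to end, as an added example that is not part of the patent text: the management control center composes the private and public attributes into the four-digit code, the client maps its IP address to a region and applies the Table 1 policy, and a consistency check confirms each region's allow and forbid sets partition the nine codes. The md5 identifier, the 70/10/40 codes and the Table 1 sets come from the page; the file contents, whitelist, blacklist, private mapping table and region-to-subnet assignment are constructed sample data, and the choice to let the blacklist win over the whitelist for a file present in both is an assumption.

```python
import hashlib
import ipaddress
from typing import Optional

# Security class codes used for both the private and the public attribute.
BLACK, WHITE, GREY = "70", "10", "40"

# Constructed sample files, identified below by their md5 as the page suggests.
FILE_CONTENTS = {
    "payroll.exe": b"legit payroll tool v1",
    "tool.exe":    b"internal tool the admin distrusts",
    "dropper.exe": b"known bad sample",
    "new.bin":     b"never seen before",
}
MD5 = {name: hashlib.md5(data).hexdigest() for name, data in FILE_CONTENTS.items()}

# Constructed feature database of the enterprise-edition product (shared by all enterprises).
WHITELIST = {MD5["payroll.exe"], MD5["tool.exe"]}
BLACKLIST = {MD5["dropper.exe"]}

# Constructed mapping table at the management control center: md5 -> administrator-set private attribute.
PRIVATE_TABLE = {MD5["payroll.exe"]: WHITE, MD5["tool.exe"]: BLACK, MD5["dropper.exe"]: BLACK}

# Table 1 of the page: per-region (allowed, forbidden) sets of four-digit attribute codes.
REGION_POLICY = {
    "core":     ({"1010", "1040", "1070"}, {"4010", "4040", "4070", "7010", "7040", "7070"}),
    "admin":    ({"1010", "1040", "1070", "4010"}, {"4040", "4070", "7010", "7040", "7070"}),
    "customer": ({"1010", "1040", "1070", "4010", "4040"}, {"4070", "7010", "7040", "7070"}),
    "public":   ({"1010", "1040", "4010", "4040", "7010", "7040"}, {"1070", "4070", "7070"}),
}

# Constructed assignment of physical regions to client subnets (the page says the region is
# determined from information such as the client's IP address).
REGION_SUBNETS = [
    (ipaddress.ip_network("10.1.0.0/16"), "core"),
    (ipaddress.ip_network("10.2.0.0/16"), "admin"),
    (ipaddress.ip_network("10.3.0.0/16"), "customer"),
    (ipaddress.ip_network("10.4.0.0/16"), "public"),
]

ALL_CODES = {p + q for p in (WHITE, GREY, BLACK) for q in (WHITE, GREY, BLACK)}


def public_attribute(md5: str) -> str:
    """Feature database lookup. Assumption: a blacklist hit outranks a whitelist hit; unknown is grey."""
    if md5 in BLACKLIST:
        return BLACK
    if md5 in WHITELIST:
        return WHITE
    return GREY


def private_attribute(md5: str) -> Optional[str]:
    """Mapping table lookup. None means the administrator has not classified this file yet."""
    return PRIVATE_TABLE.get(md5)


def security_attribute(md5: str) -> Optional[str]:
    """Management control center reply: private code followed by public code, e.g. '7010'."""
    private = private_attribute(md5)
    if private is None:
        return None  # the file must be uploaded and classified by the administrator first
    return private + public_attribute(md5)


def region_of(client_ip: str) -> Optional[str]:
    """Map a client IP address to its physical region, or None if no region covers it."""
    addr = ipaddress.ip_address(client_ip)
    for net, region in REGION_SUBNETS:
        if addr in net:
            return region
    return None


def decide(client_ip: str, file_bytes: bytes) -> str:
    """Client-side S103/S104: 'pass' lets the original API call proceed, 'drop' discards it."""
    region = region_of(client_ip)
    if region is None:
        return "drop"  # no policy was issued for an unknown region, so fail closed
    allowed, _forbidden = REGION_POLICY[region]
    attr = security_attribute(hashlib.md5(file_bytes).hexdigest())
    # Only codes in the allow set pass; an unclassified file (None) is therefore dropped.
    return "pass" if attr in allowed else "drop"


def policy_is_complete(region: str) -> bool:
    """Check a region's allow and forbid sets are disjoint and together cover all nine codes."""
    allowed, forbidden = REGION_POLICY[region]
    return not (allowed & forbidden) and (allowed | forbidden) == ALL_CODES
```

The same file (tool.exe, code 7010) is dropped in the core area but passed in the public area, which is the per-region flexibility the page describes; the completeness check catches a policy edit that leaves one of the nine codes in neither set.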
In short, in an embodiment of the invention, whether a file may be subjected to the target operation behavior on the current client is judged from the security attribute information of the target file and the security policy configured for that client by the management control center. The security attribute information can include not only the public attribute of the file, determined from the feature database of the enterprise-class security product, but also the private attribute configured for the file by the enterprise's own administrator, and the security policy likewise expresses both kinds of attribute. The judgment can therefore be made comprehensively on the basis of both, so that the enterprise-edition security product reflects the individual characteristics of different enterprises and offers greater flexibility in security control.
Corresponding to the file operation control method provided by the embodiment of the invention, the embodiment also provides a file operation control system comprising a client and a management control center, where, referring to Fig. 2, the client can comprise:
a monitoring unit 201, configured to monitor a target operation behavior on a target file;
an information acquisition unit 202, configured to intercept the request when an operation request to perform the target operation behavior on the target file is detected, and to obtain, over the network, the security attribute information of the target file from the management control center of the security control server; the security attribute information comprising a private attribute and a public attribute, where the private attribute is the security class information set for the target file by the security administrator of the management control center, and the public attribute is the security class information of the target file obtained by querying a preset feature database;
a judging unit 203, configured to judge, according to the security attribute information of the target file and the security policy for the current client obtained from the management control center, whether the target operation behavior is allowed to be performed on the target file; the security policy storing the set of security attribute information of files that are allowed and/or not allowed to perform the target operation behavior on the current client;
a processing unit 204, configured to handle the intercepted request according to the judgment result.
In a specific implementation, the management control center can comprise:
a configuration unit, configured to divide physical regions according to the different security requirements of the physical regions in which clients are located, and to configure a different security policy for each physical region;
the client further comprises:
a request unit, configured to send a request for the client's security policy to the management control center;
and the management control center further comprises:
a determining unit, configured to determine the physical region in which the client is located and to return the security policy configured for that physical region to the client.
Specifically, the processing unit 204 can comprise:
a pass-through subunit, configured to pass the intercepted request through if the judgment result is that the target operation behavior is allowed to be performed on the target file.
Alternatively, the processing unit 204 can also comprise:
a discard subunit, configured to discard the intercepted request if the judgment result is that the target operation behavior is not allowed to be performed on the target file.
In addition, the client can further comprise:
a display unit, configured to load and display a preset interface after the request has been intercepted, to indicate that a security check is in progress.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems can also be used with the teaching given here. From the description above, the structure required to construct such a system is apparent. In addition, the present invention is not directed at any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described here, and that the description given above of a specific language is intended to disclose the preferred mode of carrying out the invention.
Numerous details are described in the specification provided here. However, it will be understood that embodiments of the invention can be practiced without these details. In some instances, known methods, structures and techniques are not shown in detail so as not to obscure understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into it, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or apparatus so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some features but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the file operation control device according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-described embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.
The present application may be applied to a computer system/server, which may operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, and the like.
The computer system/server may be described in the general context of computer system executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and the like, which perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments, where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media, including memory storage devices.