CN103617395B - Method, device and system for intercepting advertisement programs based on cloud security - Google Patents
- Publication number: CN103617395B
- Application number: CN201310656591.3A
- Authority: CN (China)
- Prior art keywords: browser, parent, visualization window, behavior, parent process
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
Abstract
The invention discloses a method, device and system for intercepting advertisement programs based on cloud security. The method comprises: monitoring the creation behavior of a browser process; when a creation request for a browser process is detected, obtaining information about the parent process of the browser process; according to that information, traversing all visible windows and detecting whether the parent process corresponds to a visible window; and processing the creation behavior of the browser process according to the detection result. The scheme can effectively intercept browser pages such as advertisements and phishing websites that background processes with hidden windows pop up without the user's consent, so that users are not disturbed by advertisements and other useless information or deceived by false information on malicious websites, which improves the security of users' network operations.
Description
Technical field
The present invention relates to the field of computer security, and in particular to a method, device and system for intercepting advertisement programs based on cloud security.
Background
With the development of the Internet, web-based applications have become increasingly popular. Through a browser, people can check bank accounts, shop online, conduct e-commerce, look up information, acquire knowledge, find entertainment and so on; the web provides a convenient and efficient mode of interaction. However, while browsing web pages, people frequently encounter browser pages that pop up automatically without any click, such as advertisement, game and shopping pages. The content of these pages is generally meaningless to the user and only interferes with browsing. A more serious problem is that some pop-up pages may come from malicious websites, such as phishing websites or fraudulent and fake sites. These pages usually display false information and embed malicious scripts in the page code in order to illegally obtain personal information entered by the user, such as accounts and passwords, which harms the user's interests.
Some of the browser pages opened without permission are opened by malicious programs running as background processes. These malicious processes usually have no window, or hide their own window so that the user does not notice them. For such malicious programs, the prior art still uses general methods, for example analysis based on a signature database that matches the signature of a program. This approach generally lags behind, cannot cope with new situations, and has a high operating cost. The prior art therefore lacks a targeted detection method for this kind of malicious program.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method, device and system for intercepting advertisement programs based on cloud security that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for intercepting advertisement programs based on cloud security is provided, comprising: monitoring the creation behavior of a browser process; when a creation request for a browser process is detected, obtaining information about the parent process of the browser process; according to the information about the parent process, detecting whether the parent process corresponds to a visible window by traversing all visible windows; and processing the creation behavior of the browser process according to the detection result.
According to another aspect of the present invention, a device for intercepting advertisement programs based on cloud security is provided, comprising: a monitoring module, adapted to monitor the creation behavior of a browser process; an acquisition module, adapted to obtain information about the parent process of the browser process when the monitoring module detects a creation request for a browser process; a detection module, adapted to detect, according to the information about the parent process and by traversing all visible windows, whether the parent process corresponds to a visible window; and a processing module, adapted to process the creation behavior of the browser process according to the detection result.
According to another aspect of the present invention, a system for intercepting advertisement programs based on cloud security is provided, including the above device for intercepting advertisement programs based on cloud security, and further including a server that provides a cloud query service to the device.
According to the method, device and system of the present invention, when a creation request for a browser process is detected, information about the parent process that is about to create the browser process is obtained, and it is detected whether this parent process corresponds to at least one of the visible windows in the current interface, thereby judging the security of the parent process; its behavior of creating the browser process is then handled according to the detection result. This scheme can effectively intercept browser pages such as pop-up advertisements and phishing websites that background processes with hidden windows open without the user's consent, so that the user is not disturbed during operation by useless information such as advertisements or deceived by false information on malicious websites, which improves the security of the user's network operations.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be understood more clearly and implemented according to the content of the specification, and in order to make the above and other objects, features and advantages of the invention more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flowchart of the method for intercepting advertisement programs based on cloud security according to an embodiment of the present invention;
Fig. 2 shows a flowchart of the method for intercepting advertisement programs based on cloud security according to another embodiment of the present invention;
Fig. 3 shows a flowchart of the method for intercepting advertisement programs based on cloud security according to another embodiment of the present invention;
Fig. 4 shows a flowchart of the method for intercepting advertisement programs based on cloud security according to another embodiment of the present invention;
Fig. 5 shows a block diagram of the device for intercepting advertisement programs based on cloud security according to another embodiment of the present invention;
Fig. 6 shows a structural block diagram of the system for intercepting advertisement programs based on cloud security according to another embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope can be fully conveyed to those skilled in the art.
Fig. 1 shows a flowchart of the method for intercepting advertisement programs based on cloud security according to an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:
Step S110: monitor the creation behavior of browser processes.
In common computer systems such as Windows, monitoring of browser processes is usually implemented on the basis of API functions or system calls provided by the operating system.
In this step, the browsers include, but are not limited to, independent-kernel browsers running on various computer systems, such as IE, Firefox, Chrome and Safari; common browsers based on the IE kernel or on multiple kernels, such as 360 Browser and Sogou Browser; and common browsers running on various mobile operating systems. A common situation is that more than one browser is installed on the system. For example, besides the IE browser that ships with Windows, the user may install one of the other browsers above and use it as the default for its richer functionality, higher security or out of personal preference. In that case, monitoring of browser processes should cover the IE process as well as all other browser processes.
Step S120: when a creation request for a browser process is detected, obtain information about the parent process of the browser process.
The parent process of a browser process is the process that requests the creation of this browser process. Taking the Windows operating system as an example, application-layer programs are all implemented by calling API functions, and a parent process must call the corresponding API function to create a browser process. Detecting a creation request for a browser process therefore means monitoring call requests to the process-creation API functions: by capturing the API function, the target application can be parsed from the parameters the function carries, to judge whether the process being created is a browser process. The process that requests the call is the parent process of the browser process. The process information of the parent process can include, but is not limited to, the process name, the process identifier, the path of the process file and the related dynamic link library files.
Step S130: according to the information about the parent process of the browser process, detect whether the parent process corresponds to a visible window by traversing all visible windows.
For most applications, the user generally interacts with the system through a visible window provided by the program. The present invention judges whether the creation of a browser process was triggered by the user by detecting whether the parent process corresponds to a visible window. All visible windows are traversed. If at least one visible window corresponds to the parent process of the browser process, the creation of the browser process is considered to have been initiated by the application that owns this window in response to a user action in the window, such as a click or input. For example, when the user clicks the QQ space icon on the QQ interface and the QQ space page pops up, this is safe behavior permitted by the user. If the parent process of the browser process does not correspond to any visible window, the creation is considered to have been requested by a background process without the user's permission, and is a suspicious malicious behavior.
Step S140: process the creation behavior of the browser process according to the detection result.
A parent process that corresponds to a visible window is allowed to create the browser process. A parent process that does not correspond to a visible window is intercepted, and prompt information is given or its security is further confirmed.
According to the method provided by the above embodiment of the present invention, the creation of browser processes is monitored in real time, and the process that initiates the creation request is found and treated as the parent process of the browser process. Information about this parent process is obtained, all visible windows are traversed, and it is detected whether the parent process corresponds to a visible window, in order to judge whether the creation of the browser process is the user's active choice; the creation is then handled according to the detection result. This scheme can effectively intercept the interference or threat of browser pages such as pop-up advertisements, games, shopping and phishing websites opened by background processes with hidden windows without the user's consent, and improves the security of the user's network operations.
Fig. 2 shows a flowchart of the method for intercepting advertisement programs based on cloud security according to another embodiment of the present invention. As shown in Fig. 2, the method comprises the following steps:
Step S210: monitor the creation behavior of browser processes.
As described in step S120, in a Windows system, monitoring the creation of browser processes actually means monitoring call requests to the corresponding API functions. Specifically, to create a Win32 process an application may call API functions such as CreateProcess or CreateProcessAsUser. The newly created process runs the specified executable file, whose path and file name are specified by the parameters of the API function; for example, the parameter lpApplicationName specifies the path of the executable module. By capturing this function and obtaining the path, file name and other information of the executable file from its parameters, it can be determined whether the process created by this API call is a browser process.
Step S220: obtain the parent process information of the browser process.
The application that requested the call to an API function such as CreateProcess is identified, which gives the parent process information. The process information of the parent process can include, but is not limited to, the process name, the process identifier, the path of the process file and the related dynamic link library files.
When obtaining the parent process information, one possible situation is that a malicious program, in order to hide itself better, has its process A call a process B, and process B then requests the API function that creates the browser process, possibly through even more levels of calls. In this case, an accurate judgment cannot be made in the subsequent steps from the information of process B alone. Information about the multiple processes in the process chain to which process B belongs must therefore also be obtained. This can be done with the NtQueryInformationProcess function, using it to search level by level and obtain all associated processes.
Specifically, information such as the process name and process identifier can be obtained by calling API functions: for example, the process name through the functions of the Process Status API (PSAPI), and the process ID through GetCurrentProcessId. Other API functions or a high-level language can of course be used instead.
Step S230: traverse all visible windows and obtain the process identifier of the process that corresponds to each visible window.
A process is assigned a process identifier when it is created. The identifier remains valid until the process terminates and does not change. During the lifetime of the process, each process's identifier is unique, so it can be used to uniquely identify the process. Specifically, in this step the EnumWindows function can be used to loop over the windows and obtain each window handle, and the GetWindowThreadProcessId function then gives the process identifier that corresponds to each window handle.
Step S240: look up the process identifier of the browser process's parent among the process identifiers of all visible windows. If the parent process identifier is found, the parent process corresponds to a visible window and step S250 is executed; otherwise step S260 is executed.
At any given moment a process identifier is unique. Therefore, if there is at least one visible window whose process identifier matches that of the parent process of the browser process, the parent process is considered to correspond to this visible window; that is, the creation of the browser process can be considered to have been initiated by the application that owns the window in response to a user action in that window, such as a click or input.
Step S250: allow the parent process to create the browser process.
As described under step S260 below, one way to intercept a process is to use a hook function to intercept an API function that must be called at some step of process creation. Therefore, where the monitored creation request is allowed, after the hook function of this embodiment has finished executing, execution jumps to the original entry address of the API that corresponds to this request and the corresponding instructions are executed.
Step S260: give risk prompt information and intercept the creation of the browser process according to the user's choice.
If the parent process identifier is not found among the process identifiers of all visible windows, the parent's creation of the browser process is considered to have been initiated by a background process without the user's permission and is a suspicious malicious behavior, such as advertisement-program behavior, which may need to be intercepted.
At this point, risk prompt information is presented to the user. Specifically, a message window can pop up in a designated area of the desktop and show the user the parent process information obtained in step S220, such as the process name, process path and name of the corresponding executable file, for the user to analyze and decide. Based on existing statistics, the danger level and safety rating of the process and the corresponding application can also be given, together with a corresponding suggestion.
In some cases, although the parent process does not correspond to a visible window, its creation of a browser process is not malicious. For example, when installing or uninstalling software, the installer or uninstaller often pops up a browser page for feedback after it finishes. This is not harmful, and the user can choose not to intercept the creation of this browser process if needed. A safe list can also be set up locally; processes the user chooses not to intercept are added to this list and are not prompted again next time.
Interception of process creation can be implemented as follows. Generally, a process is created as follows: open the image file to be executed; create the executive process object; create the initial thread with its stack and context; notify the Windows subsystem of the new process; start execution of the initial thread; and perform process initialization in the context of the new process. At any of these steps, an API function that must be called can be intercepted with a hook function in order to intercept the process creation. For example, before the step that starts the initial thread, this can be done by intercepting the native API function ZwCreateProcess in the system service dispatch table; that is, when the system calls ZwCreateProcess, control goes to the hook routine for handling. Alternatively, an API function called in another step can be intercepted, such as NtCreateSection, which is used to open the image file to be executed.
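The window check of steps S230 and S240, together with the process chain from step S220, as an added example (not code from the patent). IsWindowVisible as the visibility test, the Toolhelp snapshot used in place of NtQueryInformationProcess to read parent PIDs, and all type and function names are assumptions; the Win32 collectors compile only on Windows, and the PIDs in main are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PIDS 1024
typedef struct { uint32_t pid, ppid; } proc_entry;   /* process-table row */
typedef struct { uint32_t pids[MAX_PIDS]; size_t n; } pid_set;
typedef enum { VERDICT_ALLOW, VERDICT_SUSPICIOUS } verdict;

int set_has(const pid_set *s, uint32_t pid) {
    for (size_t i = 0; i < s->n; i++)
        if (s->pids[i] == pid) return 1;
    return 0;
}

void set_add(pid_set *s, uint32_t pid) {
    if (pid != 0 && s->n < MAX_PIDS && !set_has(s, pid))
        s->pids[s->n++] = pid;
}

/* Parent of pid according to the table; 0 when pid is not listed. */
uint32_t parent_of(const proc_entry *tab, size_t n, uint32_t pid) {
    for (size_t i = 0; i < n; i++)
        if (tab[i].pid == pid) return tab[i].ppid;
    return 0;
}

/* S240: allow only when the creating process itself owns a visible window.
 * An ancestor with a window is not approval: on a desktop most chains end
 * at the shell, which always has visible windows. */
verdict check_creator(const pid_set *windowed, uint32_t creator) {
    return set_has(windowed, creator) ? VERDICT_ALLOW : VERDICT_SUSPICIOUS;
}

/* S220, multi-level case: collect creator, parent, grandparent, ... for the
 * later list lookups. Stops on an unknown PID, a full buffer, or a PID seen
 * before (a recorded parent PID can be stale and reused, forming a loop). */
size_t ancestor_chain(const proc_entry *tab, size_t n, uint32_t creator,
                      uint32_t *out, size_t max) {
    size_t k = 0;
    uint32_t pid = creator;
    while (pid != 0 && k < max) {
        for (size_t i = 0; i < k; i++)
            if (out[i] == pid) return k;
        out[k++] = pid;
        pid = parent_of(tab, n, pid);
    }
    return k;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* S230: EnumWindows callback; records the owner PID of each visible window. */
static BOOL CALLBACK on_window(HWND hwnd, LPARAM lp) {
    DWORD pid = 0;
    if (IsWindowVisible(hwnd)) {          /* assumed visibility test */
        GetWindowThreadProcessId(hwnd, &pid);
        set_add((pid_set *)lp, (uint32_t)pid);
    }
    return TRUE;                          /* continue enumeration */
}

void collect_windowed_pids(pid_set *out) {
    out->n = 0;
    EnumWindows(on_window, (LPARAM)out);
}

/* Fills tab with (pid, parent pid) pairs from a Toolhelp snapshot. */
size_t snapshot_processes(proc_entry *tab, size_t max) {
    size_t n = 0;
    PROCESSENTRY32 pe;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    pe.dwSize = sizeof(pe);
    if (Process32First(snap, &pe)) {
        do {
            if (n == max) break;
            tab[n].pid = pe.th32ProcessID;
            tab[n++].ppid = pe.th32ParentProcessID;
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return n;
}
#endif

int main(void) {
    /* Constructed sample: 100 (shell) and 200 (chat client) own visible
     * windows; 300 is hidden process A, 301 its windowless helper B. */
    proc_entry tab[] = { {4, 0}, {100, 4}, {200, 100}, {300, 100}, {301, 300} };
    pid_set windowed = { {0}, 0 };
    uint32_t chain[8];
    set_add(&windowed, 100); set_add(&windowed, 200);
    size_t k = ancestor_chain(tab, 5, 301, chain, 8);
    printf("creator 301: verdict %d, chain length %u\n",
           (int)check_creator(&windowed, 301), (unsigned)k);
    return 0;
}
```

On Windows, collect_windowed_pids and snapshot_processes supply the live inputs that main replaces with constructed values here.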
Fig. 3 shows a flowchart of the method for intercepting advertisement programs based on cloud security according to another embodiment of the present invention. As shown in Fig. 3, the method comprises the following steps:
Step S310: monitor the creation behavior of browser processes;
Step S320: obtain the parent process information of the browser process;
Step S330: traverse all visible windows and obtain the process identifier of the process that corresponds to each visible window;
Steps S310 to S330 are the same as steps S210 to S230 in the previous embodiment and are not repeated here.
Step S340: look up the process identifier of the browser process's parent among the process identifiers of all visible windows. If the parent process identifier is found, the parent process corresponds to a visible window and step S350 is executed; otherwise step S360 is executed.
Step S350: allow the parent process to create the browser process.
Step S360: look up the process information of the parent process that does not correspond to a visible window in a preset local process whitelist. If the lookup succeeds, execute step S350; otherwise execute step S370.
As described under step S260 in the previous embodiment, the creation behavior of a parent process that does not correspond to a visible window may be safe. However, the user's judgment may not be accurate. In this embodiment, the user's judgment is combined with blacklists and whitelists to judge more accurately.
The parent process information is first looked up in the locally preset process whitelist. The local whitelist stores common safe processes, for example processes related to installing and uninstalling popular software. As in step S260, a message window pops up in a designated area of the desktop. The message window can receive user feedback, which is used to maintain and update the local process whitelist. For example, if the user has a specific need for a process that is not in the whitelist, the user can choose to allow it to create browser processes; the user's choice for this process is recorded, the process is added to the local process whitelist, and no prompt is shown next time.
Step S370: upload the process information of the parent process to the server, so that the server determines by cloud query whether the parent process belongs to the process blacklist stored on the server. If the process belongs to the process blacklist stored on the server, execute step S380.
Compared with the local list, the blacklist database on the server holds more complete information and allows a stricter and more accurate judgment. Specifically, the client uploads the process information of the detected suspicious process to the server, and the server performs antivirus analysis of the corresponding executable file or application according to that information. It can use traditional signature matching, or use active-defense methods to analyze the behavioral characteristics of the application. Applications whose signatures match the virus database or a malicious program, or whose behavior triggers preset security rules, are identified, and the corresponding process information is added to the process blacklist.
The blacklist on the server can also be produced with manual operation. The server periodically compiles statistics on the virus or malicious-program data received from clients and, for processes that rank high in usage count, growth rate or danger, judges their security by means such as analyzing the content of the web pages they pop up, and puts them in the blacklist.
Step S380: give risk prompt information and intercept the creation of the browser process according to the user's choice.
In practice, the creation can also be intercepted directly. However, since the user may have special needs for some processes, risk prompt information is usually given first and user feedback is received. This step is similar to S260; in addition to what step S260 provides, the server's analysis result can also be given.
A process that belongs to the whitelist can be allowed to create the browser.
Fig. 4 shows a flowchart of the method for intercepting advertisement programs based on cloud security according to another embodiment of the present invention. As shown in Fig. 4, the method comprises the following steps:
Step S410: monitor the creation behavior of browser processes;
Step S420: obtain the parent process information of the browser process;
Step S430: traverse all visible windows and obtain the process identifier of the process that corresponds to each visible window;
Steps S410 to S430 are the same as steps S210 to S230 in the earlier embodiment and are not repeated here.
Step S440: look up the process identifier of the browser process's parent among the process identifiers of all visible windows. If the parent process identifier is found, the parent process corresponds to a visible window and step S450 is executed; otherwise step S460 is executed.
Step S450: allow the parent process to create the browser process.
Step S460: obtain the URL of the page to be accessed by the browser process that the parent process creates.
One possible way is to use the plug-in mechanism provided by the browser. For example, in the IE browser, the URL that IE is currently loading can be obtained by responding to the BeforeNavigate2 event. In the Firefox browser, the URL currently being loaded is obtained through the event-response interface provided by the Firefox extension mechanism. In the Google Chrome browser, the URL currently being loaded is obtained through the Netscape Plugin Application Programming Interface (NPAPI) plug-in mechanism.
Step S470: package the page URL into ciphertext and upload it to the server, so that the server determines by cloud query whether the page URL belongs to the URL blacklist and/or whitelist stored on the server. If the page URL belongs to the URL blacklist, execute step S480; if the page URL belongs to the URL whitelist, execute step S450.
Server collects the url of the pages such as common advertisement, game, adds in blacklist;The clear of clearance is allowed to user
Device of looking at creates behavior, collects the url that the browser page of behavior establishment is opened, analyzes the content of this url page, or system
The meter interception situation to this url page for a large number of users, judges whether this page is normal page, the normal page that will determine that out adds
Enter in white list.
When uploading to the server, the URL is first encrypted into ciphertext and then sent to the server. Here, the URL may be encrypted with a reversible encryption/decryption method, or with an irreversible encryption method, for example by computing a characteristic value of the URL and using it as the ciphertext. Optionally, the characteristic value may be a hash value computed according to MD5 (Message Digest Algorithm, version 5), a SHA-1 (Secure Hash Algorithm) code, a CRC (Cyclic Redundancy Check) code, or another feature code that can uniquely identify the original information. It should be noted that, before the ciphertext of a URL is uploaded to the server, URL strings that may carry a user password must first be screened out; such URLs are not uploaded, so as to keep user information safe.
Step S480: present a risk warning, and intercept the creation of the browser process according to the user's selection.
For the same reasons as in step S370, the risk warning is preferably presented first.
For a URL that belongs to the whitelist, the corresponding parent process may be allowed to create the browser.
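The URL handling of step S470, as an added example that is not code from the patent: a URL that may carry a password is withheld, every other URL is reduced to an MD5, SHA-1 or CRC feature value, and the server's answer is mapped to step S480 or S450. The normalisation, the list of password-like parameter names, the `CloudLists` stand-in for the server and the example.test URLs are assumptions made for this example.

```python
import hashlib
import zlib
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameter names that mark a URL as possibly carrying a password.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret"}


def may_carry_password(url):
    """True if the URL has userinfo (user:pw@host) or a password-like query field."""
    parts = urlsplit(url)
    if parts.username is not None or parts.password is not None:
        return True
    return any(name.lower() in SENSITIVE_PARAMS
               for name, _ in parse_qsl(parts.query, keep_blank_values=True))


def canonical_url(url):
    """Assumed normalisation so client and server derive the same feature value:
    lower-case scheme and host, default path '/', fragment dropped."""
    parts = urlsplit(url)
    query = "?" + parts.query if parts.query else ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}{query}"


def url_feature(url, algorithm="md5"):
    """Feature value uploaded instead of the URL, or None if the URL is withheld."""
    if may_carry_password(url):
        return None                      # such URLs never leave the client
    data = canonical_url(url).encode("utf-8")
    if algorithm == "crc32":
        return format(zlib.crc32(data), "08x")
    return hashlib.new(algorithm, data).hexdigest()   # "md5" or "sha1"


class CloudLists:
    """Stand-in for the server: it stores feature values, not URLs."""

    def __init__(self, blacklist_urls, whitelist_urls, algorithm="md5"):
        self.algorithm = algorithm
        self.black = {url_feature(u, algorithm) for u in blacklist_urls} - {None}
        self.white = {url_feature(u, algorithm) for u in whitelist_urls} - {None}

    def query(self, feature):
        if feature in self.black:
            return "blacklist"
        if feature in self.white:
            return "whitelist"
        return "unlisted"


def next_step(url, cloud):
    """Map the cloud answer to the step the description names."""
    feature = url_feature(url, cloud.algorithm)
    if feature is None:
        return "not_uploaded"
    verdict = cloud.query(feature)
    return {"blacklist": "S480", "whitelist": "S450"}.get(verdict, "unlisted")


# Constructed sample lists; the example.test hosts are placeholders.
CLOUD = CloudLists(
    blacklist_urls=["http://ads.example.test/popup?id=7"],
    whitelist_urls=["https://news.example.test/"],
)

if __name__ == "__main__":
    for sample in ("HTTP://ADS.example.test/popup?id=7#banner",
                   "https://news.example.test",
                   "https://user:hunter2@news.example.test/",
                   "http://shop.example.test/login?user=a&pwd=b"):
        print(sample, "->", next_step(sample, CLOUD))
```

A feature value hides a URL only from a party that cannot hash candidate URLs itself, which is why the password screening runs before any hashing.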
According to the method provided by the above embodiment of the present invention, the creation of browser processes is monitored by capturing the API functions that must be called to create a process. The parent process that initiated the creation request is found and its process identifier is obtained; all visualization windows are traversed to obtain the process identifier of the process corresponding to each visualization window; and the parent process identifier of the browser process is looked up among the process identifiers of all visualization windows, thereby judging whether the creation of the browser process was actively selected by the user. For suspicious processes not actively selected by the user, a risk warning is presented, or further confirmation is made against the cloud's process blacklist and whitelist or URL blacklist and whitelist. This scheme can effectively intercept the interference or threat of browser pages such as advertisements, games, shopping sites and phishing sites that a background process with a hidden window pops up without the user's consent. Moreover, the cloud query reduces the probability of misjudging malicious program behavior and safe behavior, further improving system security and the user's operating experience.
Fig. 5 shows a block diagram of a device for intercepting advertisement programs based on cloud security according to another embodiment of the present invention. As shown in Fig. 5, the device includes:
Monitoring module 510, adapted to monitor the creation behavior of browser processes.
Specifically, monitoring module 510 monitors creation behavior by monitoring call requests to the API functions that create processes. To create a Win32 process, an application may need to call API functions such as CreateProcess and CreateProcessAsUser. The newly created process runs the specified executable file, whose path and file name are given by the parameters of the API function; for example, the parameter lpApplicationName specifies the path of the executable module. Monitoring module 540 captures this function and obtains the path and file name of the executable file from its parameters, and can thus judge whether the process created by this API call is a browser process.
Acquisition module 520, adapted to obtain information about the parent process of the browser process when monitoring module 510 detects a request to create a browser process.
Acquisition module 520 identifies the application that requested the call to an API function such as CreateProcess, and thereby obtains the parent process information. The process information that acquisition module 520 obtains for the parent process may include, but is not limited to, the process name, the process identifier, the path of the process file, and related dynamic link library files.
Acquisition module 520 is specifically adapted to obtain the parent process identifier of the browser process when monitoring module 510 detects a request to create a browser process. Acquisition module 520 may also obtain information such as the process name and process identifier by calling API functions; for example, the process name is obtained through several functions of the Process Status API, and the process ID is obtained through GetCurrentProcessId.
Detection module 530, adapted to detect, according to the information about the parent process of the browser process, whether the parent process corresponds to a visualization window by traversing all visualization windows.
A process is assigned a process identifier when it is created. The identifier remains valid until the process terminates and does not change. Within the lifetime of a process, the process identifier of each process is unique; detection module 530 therefore uses the process identifier to detect whether the parent process corresponds to a visualization window.
Specifically, detection module 530 includes:
Traversal module 550, adapted to traverse all visualization windows and obtain the process identifier of the process corresponding to each visualization window. Traversal module 550 may use the EnumWindows function to enumerate the windows and obtain each window's handle, and then use the GetWindowThreadProcessId function to obtain the process identifier corresponding to each window handle.
Query module 560, adapted to look up the parent process identifier of the browser process among the process identifiers of all visualization windows. If the parent process identifier of the browser process is found, the parent process corresponds to a visualization window; if it is not found, the parent process does not correspond to a visualization window.
The device also includes: processing module 540, adapted to handle the creation behavior of the browser process according to the detection result.
Processing module 540 is further adapted to: for the behavior of a parent process that does not correspond to a visualization window creating a browser process, present a risk warning and intercept the creation of the browser process according to the user's selection.
Processing module 540 may intercept process creation as follows. In general, a process is created in these steps: open the image file to be executed; create the executive process object; create the initial thread with its stack and context; notify the Windows subsystem about the new process; start execution of the initial thread; and perform process initialization in the context of the new process. Processing module 540 can therefore intercept, at any one of these steps, an API function that the step must call, and thereby intercept process creation. For example, before the step of starting the initial thread is executed, processing module 540 intercepts the native API function ZwCreateProcess in the system service dispatch table.
Processing module 540 presents the risk warning to the user specifically by popping up a message window in a designated area of the desktop and showing the user the parent process information obtained by acquisition module 520, such as the process name, process path and corresponding executable file name, so that the user can analyze it and decide. Processing module 540 may also, based on existing statistics, provide rating information such as the danger level and security rating of the process and its corresponding application, and offer the user a corresponding suggestion.
Optionally, the device also includes: cloud query interface 580, adapted to look up, in a preset local process whitelist, the process information of the parent process that does not correspond to a visualization window, to upload to the server the process information of any parent process not found there, so that the server determines by cloud query whether the parent process belongs to the process blacklist stored on the server, and to receive the query result from the server.
Specifically, cloud query interface 580 uploads to the server the process information of the suspicious process detected by detection module 530. Based on the process information, the server performs antivirus analysis on the corresponding executable file or application, for example by traditional signature matching, or by an active-defense method that analyzes the behavioral characteristics of the application. For applications whose signature matches the virus database or a malicious program, or whose behavior triggers a preset security rule, the corresponding process information is added to the process blacklist.
The blacklist on the server may also be produced manually. The server periodically gathers statistics on virus or malicious program data from clients, or, for processes that rank high in usage count, growth rate or danger, judges their security by means such as analyzing the content of the web pages they pop up, and puts them in the blacklist.
Processing module 540 is then further adapted to: if the query result that cloud query interface 570 receives from the server shows that the parent process belongs to the process blacklist, present a risk warning and intercept the creation of the browser process according to the user's selection.
Optionally, the device also includes: page URL extraction module 570, adapted to obtain, for a parent process that does not correspond to a visualization window, the URL of the page that the browser process created by the parent process is about to access.
One possible way for page URL extraction module 570 to obtain the URL is to use the plug-in mechanism provided by the browser. For example, in the IE browser, page URL extraction module 570 obtains the URL that IE is currently loading by responding to the "BeforeNavigate2" event. In the Firefox browser, page URL extraction module 570 uses the designated response event interface provided by the Firefox extension mechanism to obtain the URL that Firefox is currently loading. In the Google Chrome browser, the Netscape Plugin Application Programming Interface (NPAPI) plug-in mechanism is used to obtain the URL that Chrome is currently loading.
Cloud query interface 580 may also be adapted to package the page URL obtained by page URL extraction module 570 into ciphertext and upload it to the server, so that the server determines by cloud query whether the page URL belongs to the URL blacklist and/or whitelist stored on the server, and to receive the query result from the server.
Processing module 540 is further adapted to: if the query result that cloud query interface 570 receives from the server shows that the page URL belongs to the URL blacklist, present a risk warning and intercept the creation of the browser process according to the user's selection.
Fig. 6 shows a system for intercepting advertisement programs based on cloud security provided by another embodiment of the present invention. As shown in Fig. 6, the system includes the device for intercepting advertisement programs based on cloud security of the above embodiment, and also includes a server that provides the cloud query service to the device.
According to the device and system provided by the above embodiment of the present invention, the monitoring module monitors the creation of browser processes by capturing the API functions that must be called to create a process, and finds the parent process that initiated the creation request. The acquisition module obtains the process information of this parent process, including its process identifier. The traversal module traverses all visualization windows and obtains the process identifier of the process corresponding to each visualization window, and the query module looks up the parent process identifier of the browser process among the process identifiers of all visualization windows, thereby judging whether the creation of the browser process was actively selected by the user. For suspicious processes not actively selected by the user, the processing module presents a risk warning, or, further, the cloud query interface sends the process information and the URL of the page to be visited to the server for confirmation against the cloud's process blacklist and whitelist or URL blacklist and whitelist. This scheme can effectively intercept the interference or threat of browser pages such as advertisements, games, shopping sites and phishing sites that a background process with a hidden window pops up without the user's consent. Moreover, the cloud query reduces the probability of misjudging malicious program behavior and safe behavior, further improving system security and the user's operating experience.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is obvious. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the above description of a specific language is given to disclose the best mode of the invention.
In the specification provided herein, numerous specific details are set forth. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together into a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of an embodiment may be combined into one module or unit or component, and may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device and system for intercepting advertisement programs based on cloud security according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
The invention discloses:
A1. A method for intercepting advertisement programs based on cloud security, comprising:
monitoring the creation behavior of browser processes;
when a request to create a browser process is detected, obtaining information about the parent process of the browser process;
detecting, according to the information about the parent process of the browser process, whether the parent process corresponds to a visualization window by traversing all visualization windows;
handling the creation behavior of the browser process according to the detection result.
A2. The method according to A1, wherein obtaining information about the parent process of the browser process is specifically: obtaining the parent process identifier of the browser process;
and detecting whether the parent process corresponds to a visualization window by traversing all visualization windows specifically comprises:
traversing all visualization windows and obtaining the process identifier of the process corresponding to each visualization window;
looking up the parent process identifier of the browser process among the process identifiers of all visualization windows; if the parent process identifier of the browser process is found, the parent process corresponds to a visualization window; if the parent process identifier of the browser process is not found, the parent process does not correspond to a visualization window.
A3. The method according to A1 or A2, wherein handling the creation behavior of the browser process according to the detection result specifically comprises: for the behavior of a parent process that does not correspond to a visualization window creating a browser process, presenting a risk warning, and intercepting the creation of the browser process according to the user's selection.
A4. The method according to A1 or A2, wherein handling the creation behavior of the browser process according to the detection result specifically comprises:
looking up, in a preset local process whitelist, the process information of the parent process that does not correspond to a visualization window, and, if the lookup succeeds, allowing the parent process to create the browser process;
otherwise uploading the process information of the parent process to the server, so that the server determines by cloud query whether the parent process belongs to the process blacklist stored on the server;
if the parent process belongs to the process blacklist, presenting a risk warning, and intercepting the creation of the browser process according to the user's selection.
A5. The method according to A1 or A2, wherein handling the creation behavior of the browser process according to the detection result specifically comprises:
for a parent process that does not correspond to a visualization window, obtaining the URL of the page that the browser process created by the parent process is about to access, packaging the page URL into ciphertext and uploading it to the server, so that the server determines by cloud query whether the page URL belongs to the URL blacklist and/or whitelist stored on the server;
if the page URL belongs to the URL blacklist, presenting a risk warning, and intercepting the creation of the browser process according to the user's selection.
B6. A device for intercepting advertisement programs based on cloud security, comprising:
a monitoring module, adapted to monitor the creation behavior of browser processes;
an acquisition module, adapted to obtain information about the parent process of the browser process when the monitoring module detects a request to create a browser process;
a detection module, adapted to detect, according to the information about the parent process of the browser process, whether the parent process corresponds to a visualization window by traversing all visualization windows;
a processing module, adapted to handle the creation behavior of the browser process according to the detection result.
B7. The device according to B6, wherein the acquisition module is specifically adapted to: obtain the parent process identifier of the browser process when the monitoring module detects a request to create a browser process;
the detection module includes:
a traversal module, adapted to traverse all visualization windows and obtain the process identifier of the process corresponding to each visualization window;
a query module, adapted to look up the parent process identifier of the browser process among the process identifiers of all visualization windows; if the parent process identifier of the browser process is found, the parent process corresponds to a visualization window; if the parent process identifier of the browser process is not found, the parent process does not correspond to a visualization window.
B8. The device according to B6 or B7, wherein the processing module is further adapted to: for the behavior of a parent process that does not correspond to a visualization window creating a browser process, present a risk warning, and intercept the creation of the browser process according to the user's selection.
B9. The device according to B6 or B7, further comprising: a cloud query interface, adapted to look up, in a preset local process whitelist, the process information of the parent process that does not correspond to a visualization window, to upload to the server the process information of any parent process not found there, so that the server determines by cloud query whether the parent process belongs to the process blacklist stored on the server, and to receive the query result from the server;
the processing module is further adapted to: if the query result shows that the parent process belongs to the process blacklist, present a risk warning, and intercept the creation of the browser process according to the user's selection.
B10. The device according to B6 or B7, further comprising:
a page URL extraction module, adapted to obtain, for a parent process that does not correspond to a visualization window, the URL of the page that the browser process created by the parent process is about to access;
a cloud query interface, adapted to package the page URL obtained by the page URL extraction module into ciphertext and upload it to the server, so that the server determines by cloud query whether the page URL belongs to the URL blacklist and/or whitelist stored on the server, and to receive the query result from the server;
the processing module is further adapted to: if the query result shows that the page URL belongs to the URL blacklist, present a risk warning, and intercept the creation of the browser process according to the user's selection.
C11. A system for intercepting advertisement programs based on cloud security, comprising the device for intercepting advertisement programs based on cloud security according to any one of B6 to B10, and further comprising: a server that provides the cloud query service to the device.
Claims (9)
1. A method for intercepting advertisement programs based on cloud security, comprising:
monitoring the creation behavior of browser processes;
when a request to create a browser process is detected, obtaining the parent process identifier of the browser process;
traversing all visualization windows and obtaining the process identifier of the process corresponding to each visualization window;
looking up the parent process identifier of the browser process among the process identifiers of all visualization windows; if the parent process identifier of the browser process is found, the parent process corresponds to a visualization window; if the parent process identifier of the browser process is not found, the parent process does not correspond to a visualization window;
handling the creation behavior of the browser process according to the detection result.
2. The method according to claim 1, wherein handling the creation behavior of the browser process according to the detection result specifically comprises: for the behavior of a parent process that does not correspond to a visualization window creating a browser process, presenting a risk warning, and intercepting the creation of the browser process according to the user's selection.
3. The method according to claim 1, wherein handling the creation behavior of the browser process according to the detection result specifically comprises:
looking up, in a preset local process whitelist, the process information of the parent process that does not correspond to a visualization window, and, if the lookup succeeds, allowing the parent process to create the browser process;
otherwise uploading the process information of the parent process to the server, so that the server determines by cloud query whether the parent process belongs to the process blacklist stored on the server;
if the parent process belongs to the process blacklist, presenting a risk warning, and intercepting the creation of the browser process according to the user's selection.
4. The method according to claim 1, wherein handling the creation behavior of the browser process according to the detection result specifically comprises:
for a parent process that does not correspond to a visualization window, obtaining the URL of the page that the browser process created by the parent process is about to access, packaging the page URL into ciphertext and uploading it to the server, so that the server determines by cloud query whether the page URL belongs to the URL blacklist and/or whitelist stored on the server;
if the page URL belongs to the URL blacklist, presenting a risk warning, and intercepting the creation of the browser process according to the user's selection.
5. a kind of device intercepting advertising program based on cloud security, comprising:
Monitoring module, is suitable to monitor the establishment behavior of browser process;
Acquisition module, is suitable to, when described monitoring module monitors the request to create of browser process, obtain described browser and enter
The parent process mark of journey;
Detection module, is suitable to the information of the parent process according to described browser process, by traveling through whole visualization window, inspection
Survey whether described parent process corresponds to visualization window;
Processing module, is suitable to according to testing result, the establishment behavior of described browser process be processed;
Described detection module includes:
Spider module, is suitable to the process identification (PID) traveling through whole visualization window and obtaining the corresponding process of each visualization window;
Enquiry module, is suitable to inquire about the parent process mark of described browser process in the process identification (PID) of whole visualization window
Knowing, if inquiring the parent process mark of described browser process, showing that parent process corresponds to visualization window;Without
Inquire the parent process mark of described browser process, then show that parent process does not correspond to visualization window.
6. device according to claim 5, described processing module is further adapted for: to the father not corresponding to visualization window
The behavior of process creation browser process, provides indicating risk information, selects the establishment to described browser process according to user
Behavior is intercepted.
7. device according to claim 5, also includes: cloud query interface, is suitable in preset local process white list
Inquiry does not correspond to the progress information of the parent process of visualization window, and the progress information of the parent process not inquired is uploaded to clothes
Business device, so that by cloud inquiry, described server knows whether described parent process belongs to the process blacklist of server preservation, and
Receive Query Result from server;
Described processing module is further adapted for: if Query Result shows that described parent process belongs to described process blacklist, is given
Indicating risk information, selects the establishment behavior of described browser process is intercepted according to user.
8. device according to claim 5, also includes:
Page url extraction module, is suitable to, to the parent process not corresponding to visualization window, obtain browsing of described parent process establishment
Device process page url to be accessed;
Cloud query interface, is suitable to for the page url acquired in described page url extraction module to be packaged into after ciphertext the service that is uploaded to
Device, so that by cloud inquiry, server knows whether described page url belongs to the url blacklist of server preservation and/or white name
Dan Bingcong server receives Query Result;
Described processing module is further adapted for: if Query Result shows that described page url belongs to described url blacklist, is given
Indicating risk information, selects the establishment behavior of described browser process is intercepted according to user.
9. A system for intercepting advertising programs based on cloud security, comprising the device for intercepting advertising programs based on cloud security according to any one of claims 5-8, and further comprising: a server that provides the cloud query service to the device.
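The checks of claims 5 to 8, combined into one decision function as an added example (not code from the patent or from the applicant). The event fields, the set of window-owning process IDs, the in-memory server stand-in, the URL normalization and the default of allowing a creation with no blacklist hit are assumptions; the ciphertext packaging of claim 8 is left out because the page names no scheme.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

@dataclass(frozen=True)
class CreateEvent:            # constructed record; field names are hypothetical
    parent_pid: int
    parent_image: str         # executable name of the creating (parent) process
    page_url: str             # page the new browser process is asked to open

def norm_url(url):
    """Lowercase scheme/host and drop the fragment so lookups are stable."""
    s = urlsplit(url)
    return urlunsplit((s.scheme, s.netloc.lower(), s.path, s.query, ""))

class CloudServer:
    """In-memory stand-in for the server that answers cloud queries."""
    def __init__(self, process_blacklist, url_blacklist):
        self.process_blacklist = {p.lower() for p in process_blacklist}
        self.url_blacklist = {norm_url(u) for u in url_blacklist}
    def process_is_blacklisted(self, image):
        return image.lower() in self.process_blacklist
    def url_is_blacklisted(self, url):
        return norm_url(url) in self.url_blacklist

def evaluate(event, window_pids, local_whitelist, server):
    """Return (verdict, reason); 'prompt' = show risk prompt, block if the user says so."""
    if event.parent_pid in window_pids:                     # parent owns a visible window
        return "allow", "parent has a visualization window"
    if event.parent_image.lower() in local_whitelist:       # claim 7: local list first
        return "allow", "parent in local process whitelist"
    if server.process_is_blacklisted(event.parent_image):   # claim 7: cloud lookup
        return "prompt", "parent in server process blacklist"
    if server.url_is_blacklisted(event.page_url):           # claim 8: URL lookup
        return "prompt", "page URL in server URL blacklist"
    return "allow", "no blacklist hit (assumed default)"

# Constructed sample data, not taken from the patent.
SERVER = CloudServer({"adpush.exe"}, {"http://ads.example.test/landing"})
WINDOW_PIDS = {4120}                  # PIDs recorded as owning a visible window
LOCAL_WHITELIST = {"updater.exe"}
EVENTS = [
    CreateEvent(4120, "mail.exe", "http://news.example.test/"),
    CreateEvent(7001, "updater.exe", "http://vendor.example.test/notes"),
    CreateEvent(7002, "AdPush.exe", "http://shop.example.test/"),
    CreateEvent(7003, "helper.exe", "HTTP://Ads.Example.test/landing#top"),
    CreateEvent(7004, "helper.exe", "http://docs.example.test/"),
]

def run_samples():
    return [evaluate(e, WINDOW_PIDS, LOCAL_WHITELIST, SERVER) for e in EVENTS]

if __name__ == "__main__":
    for e, (verdict, reason) in zip(EVENTS, run_samples()):
        print(e.parent_image, verdict, reason)
```

The ordering matters for the server load the claims aim to limit: only parents that have no window and are absent from the local whitelist ever reach a cloud query.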
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310656591.3A CN103617395B (en) | 2013-12-06 | 2013-12-06 | Method, device and system for intercepting advertisement programs based on cloud security |
PCT/CN2014/093286 WO2015081900A1 (en) | 2013-12-06 | 2014-12-08 | Method, device, and system for cloud-security-based blocking of advertisement programs |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310656591.3A CN103617395B (en) | 2013-12-06 | 2013-12-06 | Method, device and system for intercepting advertisement programs based on cloud security |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103617395A (en) | 2014-03-05 |
CN103617395B (en) | 2017-01-18 |
Family
ID=50168098
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310656591.3A Active CN103617395B (en) | 2013-12-06 | 2013-12-06 | Method, device and system for intercepting advertisement programs based on cloud security |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103617395B (en) |
WO (1) | WO2015081900A1 (en) |
Families Citing this family (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103617395B (en) * | 2013-12-06 | 2017-01-18 | 北京奇虎科技有限公司 | Method, device and system for intercepting advertisement programs based on cloud security |
CN103902292B (en) * | 2014-03-27 | 2017-08-01 | 广东欧珀移动通信有限公司 | The screen method and system of display window |
CN104036014B (en) * | 2014-06-24 | 2020-06-26 | 腾讯科技(深圳)有限公司 | Webpage filtering method and terminal |
CN104102743B (en) * | 2014-07-31 | 2017-11-03 | 可牛网络技术(北京)有限公司 | A kind of method and device of filtering web page advertisement |
CN104239794B (en) * | 2014-09-10 | 2017-08-25 | 广东欧珀移动通信有限公司 | It is a kind of to intercept the method and device that application malice opens browser |
CN104268193B (en) * | 2014-09-19 | 2017-12-29 | 北京金山安全软件有限公司 | Advertisement webpage intercepting method and device |
CN104468551B (en) * | 2014-11-28 | 2016-06-15 | 北京奇虎科技有限公司 | A kind of method and device saving flow based on Ad blocking |
CN104363247A (en) * | 2014-11-28 | 2015-02-18 | 北京奇虎科技有限公司 | Flow saving method and device adopting saving-free application |
CN104539584B (en) * | 2014-12-05 | 2018-01-19 | 北京奇虎科技有限公司 | The anti-method for implanting of browser, browser client and device |
CN105791221B (en) * | 2014-12-22 | 2020-06-05 | 北京奇虎科技有限公司 | Rule issuing method and device |
CN104615491B (en) * | 2015-02-13 | 2018-04-27 | 联想(北京)有限公司 | A kind of message treatment method and electronic equipment |
CN104881291B (en) * | 2015-06-03 | 2018-05-25 | 北京金山安全软件有限公司 | Control method and device of default browser and terminal |
CN105117258A (en) * | 2015-09-07 | 2015-12-02 | 青岛海信移动通信技术股份有限公司 | Application program uninstalling method and apparatus |
CN105243632A (en) * | 2015-10-26 | 2016-01-13 | 深圳荣亚物联科技有限公司 | Cloud management based air pollution monitoring system and method |
CN106897618A (en) * | 2015-12-21 | 2017-06-27 | 珠海市君天电子科技有限公司 | Webpage access method and device |
CN106909262A (en) * | 2015-12-22 | 2017-06-30 | 北京奇虎科技有限公司 | A kind of data processing method and device |
CN106909546A (en) * | 2015-12-22 | 2017-06-30 | 北京奇虎科技有限公司 | A kind of data processing method and device |
CN106909544A (en) * | 2015-12-22 | 2017-06-30 | 北京奇虎科技有限公司 | A kind of data processing method and device |
CN105787302B (en) * | 2016-02-23 | 2019-05-17 | 珠海豹趣科技有限公司 | A kind of processing method of application program, device and electronic equipment |
CN107729753A (en) * | 2017-09-22 | 2018-02-23 | 郑州云海信息技术有限公司 | A kind of defence method and system of computer unknown virus |
CN111444508B (en) * | 2018-12-27 | 2024-06-18 | 北京奇虎科技有限公司 | CPU vulnerability detection device and method based on virtual machine |
CN109815700B (en) * | 2018-12-29 | 2021-10-01 | 360企业安全技术(珠海)有限公司 | Application program processing method and device, storage medium and computer equipment |
CN109992386B (en) * | 2019-03-31 | 2021-10-22 | 联想(北京)有限公司 | Information processing method and electronic equipment |
CN111597554A (en) * | 2020-05-07 | 2020-08-28 | 上海二三四五网络科技有限公司 | Control method and device for detecting suspicious software based on browser |
CN112083974A (en) * | 2020-09-18 | 2020-12-15 | 珠海豹趣科技有限公司 | Advertisement window closing method and device and electronic equipment |
CN112800337A (en) * | 2021-02-08 | 2021-05-14 | 联想(北京)有限公司 | Information processing method and device, electronic equipment and computer storage medium |
CN114071213B (en) * | 2021-11-15 | 2024-06-21 | 深圳小湃科技有限公司 | Method, equipment and storage medium for intercepting bullet frame of set top box |
CN114782942B (en) * | 2022-04-29 | 2024-05-28 | 深圳市致远优学教育科技有限公司 | Risk content display detection method |
CN117762889B (en) * | 2024-02-20 | 2024-04-19 | 成都融见软件科技有限公司 | Same-file multi-window state synchronization method, electronic equipment and medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1925494A (en) * | 2006-09-28 | 2007-03-07 | 北京理工大学 | Web page wooden horse detecting method based on behavior characteristic |
CN101350053A (en) * | 2007-10-15 | 2009-01-21 | 北京瑞星国际软件有限公司 | Method and apparatus for preventing web page browser from being used by leak |
CN102932329A (en) * | 2012-09-26 | 2013-02-13 | 北京奇虎科技有限公司 | Method and device for intercepting behaviors of program, and client equipment |
CN103034727A (en) * | 2012-12-19 | 2013-04-10 | 北京奇虎科技有限公司 | System for intercepting pop-up window in webpage |
CN103077353A (en) * | 2013-01-24 | 2013-05-01 | 北京奇虎科技有限公司 | Method and device for actively defending rogue program |
CN103150513A (en) * | 2013-03-20 | 2013-06-12 | 北京奇虎科技有限公司 | Method and device for intercepting embedded information in application program |
CN103279707A (en) * | 2013-06-08 | 2013-09-04 | 北京奇虎科技有限公司 | Method, device and system for actively defending against malicious programs |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103617395B (en) * | 2013-12-06 | 2017-01-18 | 北京奇虎科技有限公司 | Method, device and system for intercepting advertisement programs based on cloud security |
Also Published As
Publication number | Publication date |
---|---|
WO2015081900A1 (en) | 2015-06-11 |
CN103617395A (en) | 2014-03-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20220718. Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015. Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park). Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |