CN103646209A - Cloud-security-based bundled software blocking method and device - Google Patents

Info

Publication number: CN103646209A
Authority: CN (China)
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN201310714666.9A
Other languages: Chinese (zh)
Other versions: CN103646209B (en)
Inventors: 张聪, 王亮, 张晓霖, 张庭, 宁敢
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd with priority to CN201310714666.9A; published as CN103646209A, then granted and published as CN103646209B (currently active).

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Abstract

The invention discloses a cloud-security-based method and device for blocking bundled software. The method comprises the following steps: while an application program is being installed, monitoring the main-body installation process of the application program; when the main-body installation process starts one or more installation processes or executes one or more behaviors, capturing the description information of each of those installation processes/behaviors; matching that description information against a strategy library that stores description information of installation processes/behaviors together with the blocking strategies and/or releasing strategies corresponding to it; and blocking or releasing the one or more installation processes/behaviors according to the matching result. Using the description information and blocking strategies in the strategy library, bundled software and bundling behavior can be actively prevented, so that the dangers caused by the bundled installation of rogue programs are avoided.

Description

Method and apparatus for intercepting bundled software based on cloud security
Technical field
The present application relates to the field of computer technology, and in particular to a method and apparatus for intercepting bundled software based on cloud security.
Background technology
At present, promoting software by bundling it with other software has become a trend. Software bundling touches almost every aspect of everyday computer use; broadly it falls into the following categories: instant messaging, web browsing, web search, virus scanning, audio and video playback, English-Chinese dictionaries, word processing, image processing, and so on. Most of this bundled software appears, while the main-body program is being installed, in the form of an optional checkbox.
In terms of the form the bundling takes, there are several kinds: a prompt with a choice during installation, installation that is enabled by default, and forced installation that cannot be foreseen. The prompt with a choice is still the comparatively user-friendly form, but because a given piece of bundled software does not accompany only one main-body program, and the same bundled software may be bundled by many programs, the same prompt is repeated at every installation. The more rampant case is that much bundled software is installed enabled-by-default or forcibly. This not only causes repeated installation; the user cannot choose, and may not even know, that a large amount of bundled software has been installed on the terminal, which consumes large amounts of the terminal's storage and run-time resources and seriously degrades its performance.
More dangerous still, some bundled software is actually a rogue program. A rogue program installed without the user's choice or knowledge may paralyse the user's terminal, and some Trojan programs may even cause the user substantial economic loss.
Therefore, how to intercept the installation of bundled software effectively is a technical problem that urgently needs to be solved.
Summary of the invention
The technical problem to be solved by the present application is to provide a method and apparatus for intercepting bundled software based on cloud security that can effectively intercept the installation of bundled software.
To solve the above problem, the present application discloses a method for intercepting bundled software based on cloud security, comprising: while an application program is being installed, monitoring the main-body installation process of the application program; when the main-body installation process starts one or more installation processes or executes one or more behaviors, capturing the description information of each of those installation processes/behaviors; matching the description information of the one or more installation processes/behaviors against a policy library, the policy library storing description information of installation processes/behaviors together with the interception strategies and/or release strategies corresponding to that description information; and intercepting or releasing the one or more installation processes/behaviors according to the matching result.
Further, intercepting or releasing the one or more installation processes/behaviors according to the matching result comprises: after the matching result is obtained, reading the setting flag of an interception-handling configuration item, the setting flag being set in a configuration interface that is opened when a trigger on the configuration entry provided on the main interface is received; when the setting flag is set to "ask, then handle", prompting the user, according to the matching result, that the one or more installation processes/behaviors require an interception strategy to be applied, and, within a preset duration, intercepting the one or more installation processes/behaviors according to the user's instruction as received; if no user instruction is received within the preset duration, intercepting the one or more installation processes/behaviors by default; and when the setting flag is set to "handle directly", determining from the matching result that the one or more installation processes/behaviors require an interception strategy and intercepting them directly.
Further, after intercepting or releasing the one or more installation processes/behaviors according to the matching result, the method also comprises: recording, against the identifier of the application program, the identifier and interception time of each of the one or more installation processes/behaviors; counting the number of application programs for which interception has been performed, and the total number of interceptions recorded over all application programs; displaying by default on the main interface the number of application programs for which interception has been performed and the total number of interceptions, and providing a record-query entry on the main interface; on receiving a trigger on the record-query entry, opening a query interface that shows, indexed by application program identifier, the total number of interceptions and the recorded identifiers and interception times of the intercepted installation processes/behaviors; and receiving the application program identifier and/or intercepted installation process/behavior identifier selected on the query interface and reporting it to a server, so that the server can aggregate the application programs and intercepted installation processes/behaviors, configure corresponding interception strategies, and distribute the configured interception strategies.
Further, the description information of bundling behaviors for which an interception strategy is to be applied comprises one or more of the following: description information of file-creation operations performed by a process intercepted by default and unrelated to that default-intercepted process; description information of file-write operations performed by a process intercepted by default and unrelated to that process; description information of download operations performed by a process intercepted by default and unrelated to that process; and description information of installation operations performed by a process intercepted by default and unrelated to that process.
Further, the description information of behaviors for which a release strategy is to be applied comprises one or more of the following: description information of installation operations driven by the user; description information of download operations driven by the user; description information of installation operations performed by a process released by default; and description information of download operations performed by a process released by default.
Further, the description information of bundled installation processes for which an interception strategy is to be applied comprises one or more of the following: description information of bundled installation processes started by a process intercepted by default and unrelated to that default-intercepted process; description information of bundled installation processes that have already been intercepted; description information of default-intercepted bundled installation processes collected in advance; and the network addresses accessed by default-intercepted bundled download processes collected in advance.
Further, the description information of installation processes for which a release strategy is to be applied comprises one or more of the following: description information of installation processes started by a process released by default and unrelated to that default-released process; description information of installation processes that have already been released; description information of default-released installation processes collected in advance; and the network addresses accessed by default-released download processes collected in advance.
Further, the description information comprises one or more of the following: version number, publisher company name of the installation file, product name, internal name, signer, signature date, installation file size, installation scope, timestamp of the installation file, and installation command-line information.
Further, the policy library is configured on the terminal on which the device performing the method for intercepting bundled software based on cloud security resides, and/or on a network server accessed by that terminal. The policy library configured on the terminal stores the description information of installation processes/behaviors for which a release strategy is to be applied; the policy library configured on the network server stores the description information of installation processes/behaviors for which an interception strategy and/or a release strategy is to be applied. The policy library on the network server continually receives the description information and interception strategies and/or release strategies reported by the terminals that access the server, and aggregates and evaluates them in order to update the policy library.
To solve the above problem, the present application also discloses a device for intercepting bundled software based on cloud security, comprising: a policy library, for storing description information of installation processes/behaviors together with the interception strategies and/or release strategies corresponding to that description information; a monitoring module, for monitoring the main-body installation process of an application program while the application program is being installed; a capture module, for capturing the description information of each of one or more installation processes/behaviors when the main-body installation process starts one or more installation processes or executes one or more behaviors; a matching module, for matching the description information of the one or more installation processes/behaviors against the policy library; and an execution module, for intercepting or releasing the one or more installation processes/behaviors according to the matching result.
Further, the execution module is also for: after the matching result is obtained, reading the setting flag of an interception-handling configuration item, the setting flag being set in a configuration interface that is opened when a trigger on the configuration entry provided on the main interface is received; when the setting flag is set to "ask, then handle", prompting the user, according to the matching result, that the one or more installation processes/behaviors require an interception strategy to be applied, and, within a preset duration, intercepting them according to the user's instruction as received, or intercepting them by default if no user instruction is received within the preset duration; and when the setting flag is set to "handle directly", determining from the matching result that the one or more installation processes/behaviors require an interception strategy and intercepting them directly.
Further, the device also comprises: a logging module, for recording, against the identifier of the application program, the identifier and interception time of each of the one or more installation processes/behaviors, counting the number of application programs for which interception has been performed, and the total number of interceptions recorded over all application programs; and a record display module, for displaying by default on the main interface the number of application programs for which interception has been performed and the total number of interceptions, providing a record-query entry on the main interface, opening a query interface on receiving a trigger on the record-query entry, the query interface showing, indexed by application program identifier, the total number of interceptions and the recorded identifiers and interception times of the intercepted installation processes/behaviors, and receiving the application program identifier and/or intercepted installation process/behavior identifier selected on the query interface and reporting it to a server, so that the server can aggregate the application programs and intercepted installation processes/behaviors, configure corresponding interception strategies, and distribute the configured interception strategies.
Further, the description information stored in the policy library of bundling behaviors for which an interception strategy is to be applied comprises one or more of the following: description information of file-creation operations performed by a process intercepted by default and unrelated to that default-intercepted process; description information of file-write operations performed by a process intercepted by default and unrelated to that process; description information of download operations performed by a process intercepted by default and unrelated to that process; and description information of installation operations performed by a process intercepted by default and unrelated to that process.
Further, the description information stored in the policy library of behaviors for which a release strategy is to be applied comprises one or more of the following: description information of installation operations driven by the user; description information of download operations driven by the user; description information of installation operations performed by a process released by default; and description information of download operations performed by a process released by default.
Further, the description information stored in the policy library of bundled installation processes for which an interception strategy is to be applied comprises one or more of the following: description information of bundled installation processes started by a process intercepted by default and unrelated to that default-intercepted process; description information of bundled installation processes that have already been intercepted; description information of default-intercepted bundled installation processes collected in advance; and the network addresses accessed by default-intercepted bundled download processes collected in advance.
Further, the description information stored in the policy library of installation processes for which a release strategy is to be applied comprises one or more of the following: description information of installation processes started by a process released by default and unrelated to that default-released process; description information of installation processes that have already been released; description information of default-released installation processes collected in advance; and the network addresses accessed by default-released download processes collected in advance.
Further, the description information comprises one or more of the following: version number, publisher company name of the installation file, product name, internal name, signer, signature date, installation file size, installation scope, timestamp of the installation file, and installation command-line information.
Further, the policy library is configured on the terminal on which the device resides, and/or on a network server accessed by that terminal. The policy library configured on the terminal stores the description information of installation processes/behaviors for which a release strategy is to be applied; the policy library configured on the network server stores the description information of installation processes/behaviors for which an interception strategy and/or a release strategy is to be applied. The policy library on the network server continually receives the description information and interception strategies and/or release strategies reported by the terminals that access the server, and aggregates and evaluates them in order to update the policy library.
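The cloud-side aggregation described for the network-server policy library here, and in the corresponding paragraph of the method summary above, can be sketched in code. The following is an added example written for this page, not code from the patent or from Qihoo. The report format, the thresholds, and the rule that a descriptor key becomes a release or interception strategy once a large majority of distinct terminals has reported it that way are all assumptions; the patent only says the server aggregates and evaluates the reports and updates the library.

```python
# Added example (not code from the patent or from Qihoo): cloud-side
# aggregation of terminal reports into policy-library updates.
# Report format, thresholds and the distinct-terminal voting rule are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    terminal_id: str   # reporting terminal
    key: str           # descriptor key, e.g. "product:ToolbarX" or "addr:http://..."
    action: str        # "intercepted" or "released" by that terminal's user


class CloudPolicy:
    """Server-side policy library fed by terminal reports."""

    def __init__(self, min_terminals: int = 3, majority: float = 0.8):
        self.min_terminals = min_terminals   # independent evidence required
        self.majority = majority             # share of terminals that must agree
        # key -> action -> set of distinct terminal ids; the same terminal
        # replaying the same report many times is counted once.
        self._votes = defaultdict(lambda: defaultdict(set))
        self.intercept_strategies = set()
        self.release_strategies = set()

    def receive(self, r: Report) -> None:
        """Accept one report from a terminal (the upload described in the text)."""
        if r.action not in ("intercepted", "released"):
            raise ValueError(f"unknown action {r.action!r}")
        self._votes[r.key][r.action].add(r.terminal_id)

    def aggregate(self) -> dict:
        """Re-evaluate every key and return the update to distribute to terminals."""
        for key, actions in self._votes.items():
            rel = len(actions["released"])
            inter = len(actions["intercepted"])
            total = rel + inter
            if total < self.min_terminals:
                continue  # too few independent terminals: leave it on neither list
            if rel / total >= self.majority:
                self.release_strategies.add(key)
                self.intercept_strategies.discard(key)
            elif inter / total >= self.majority:
                self.intercept_strategies.add(key)
                self.release_strategies.discard(key)
        return self.terminal_update()

    def terminal_update(self) -> dict:
        """What gets pushed down: the release entries the terminal keeps locally
        and the interception strategies the server has configured."""
        return {
            "release": sorted(self.release_strategies),
            "intercept": sorted(self.intercept_strategies),
        }
```

Counting distinct terminals rather than raw reports is the point to keep: if every report counted, a single terminal, or a bundler controlling many installs, could push its own installer onto the release list by replaying one report. The minimum-terminal threshold keeps rarely seen descriptors off both lists until there is independent evidence.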
Compared with the prior art, the present application can achieve the following technical effects:
By continually enriching the policy library, and by using the description information and interception strategies in the policy library, the present application actively defends against bundled software and bundling behavior. While the user is installing software, it automatically monitors and identifies bundled software that is installed or downloaded alongside it or bundled in other ways, and either directly intercepts the installation of the bundled software on the user's behalf according to the user's settings, or pops up a warning prompting the user to intercept it. This cleans up the environment of the user's terminal, preserves its performance, and avoids the harm caused by the bundled installation of rogue programs.
Of course, a product implementing the present application need not necessarily achieve all of the above technical effects at once.
Brief description of the drawings
The drawings described here are provided for further understanding of the present application and form part of it; the schematic embodiments of the application and their description are used to explain the application and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of the method of an embodiment of the present application;
Fig. 2 is a structural diagram of the device of an embodiment of the present application;
Fig. 3 is another structural diagram of the device of an embodiment of the present application;
Fig. 4 is a schematic diagram of the main interface of an embodiment of the present application;
Fig. 5 is a schematic diagram of the query interface of an embodiment of the present application;
Fig. 6 is a schematic diagram of the configuration interface of an embodiment of the present application.
Embodiment
To coordinate drawings and Examples to describe the application's embodiment in detail below, by this application's implementation procedure how application technology means solve technical matters and reach technology effect can be fully understood and be implemented according to this.
embodiment describes
With an embodiment, the realization of the application's method is described further below.As shown in Figure 1, be the process flow diagram based on cloud security interception bundled software of the embodiment of the present application, the method comprises:
S100: when set up applications, monitor the body erection schedule of described application program.
S102: when described body erection schedule is opened one or more erection schedules or carried out one or more behavior, catch respectively the descriptor of described one or more erection schedule/behaviors.
S104: according to policy library, the descriptor of described one or more erection schedule/behaviors is mated, preserve descriptor and the interception strategy corresponding with the descriptor of described erection schedule/behavior and/or the strategy of letting pass of erection schedule/behavior in described policy library.
1) correspondence of preserving in described policy library is carried out the descriptor of the tactful behavior of interception, comprise following one or more combination: the descriptor of the file creation operation that the process with described acquiescence interception carried out by the process of acquiescence interception is irrelevant, descriptor by the irrelevant file write operation of the process with described acquiescence interception of giving tacit consent to the process execution of tackling, descriptor by the irrelevant down operation of the process with described acquiescence interception of giving tacit consent to the process execution of tackling, descriptor by the irrelevant fitting operation of the process with described acquiescence interception of giving tacit consent to the process execution of tackling.It should be noted that, some binding behavior is not the behavior of directly installing, download behavior, but departed from the restriction of installation kit, directly set up file and toward writing in files in described file, this binding behavior is also required monitoring, therefore, in policy library, this behavior is also collected.
2) correspondence of preserving in described policy library is carried out the descriptor of the tactful erection schedule of interception, comprises following one or more combination: by the process initiation of acquiescence interception and with the descriptor of the irrelevant erection schedule of the process of described acquiescence interception, the descriptor of the erection schedule of executed interception, the descriptor of the erection schedule of the acquiescence interception of collecting in advance, the network address of the downloading process access of the acquiescence interception of collecting in advance.
With upper type 1) and 2) be similar to blacklist, if hit by the corresponding descriptor of carrying out the tactful behavior/erection schedule of interception, one or more binding erection schedules that described body erection schedule is opened or one or more binding behaviors of execution all will need to carry out interception strategy.
3) correspondence of preserving in described policy library is carried out the descriptor of the tactful behavior of letting pass, comprise following one or more combination: the descriptor of the fitting operation of being carried out by user-driven, the descriptor of the down operation of being carried out by user-driven, the descriptor of the fitting operation that the process of being let pass by acquiescence is carried out, the descriptor of the down operation that the process of being let pass by acquiescence is carried out.It should be noted that, generally by the installation of the user-driven behavior of downloading, be all considered to not be binding behavior, other is all that acquiescence is let pass through the process of authentication, and behavior is downloaded in the installation that these processes are carried out can be considered to not be binding behavior; Therefore for these non-binding behaviors, obviously need to let pass, certainly, for the behavior outside these non-binding behaviors, completely regard as binding behavior, the identification dynamics of visible this binding behavior and scope of determination are all very large, also fine for the strick precaution effect of binding behavior.
4) correspondence of preserving in described policy library is carried out the descriptor of the tactful erection schedule of letting pass, and comprises following one or more combination: the descriptor of the erection schedule that the process initiation of being let pass by acquiescence and the process of letting pass with described acquiescence are irrelevant, the descriptor of the erection schedule that executed is let pass, the descriptor of the erection schedule that the acquiescence of collecting is in advance let pass, the network address of the downloading process access that the acquiescence of collecting is in advance let pass.It should be noted that, the general erection schedule of letting pass of repeatedly carrying out can be identified and not be binding program or be not the binding program that user wishes interception, preferably lets pass; Some mode of collecting by high in the clouds assert that the network address of erection schedule that most users let pass or downloading process access is not that binding is relevant, can by the mode of collecting in advance, be kept in policy library, to the network address of this class erection schedule and downloading process access, obviously should let pass; Other is all that acquiescence is let pass through the process of authentication, and the erection schedule of these process initiations can be considered to not be binding erection schedule; Certainly, for the erection schedule outside these non-binding erection schedules, completely regard as binding erection schedule, the identification dynamics of visible this binding erection schedule and scope of determination are all very large, also fine for the strick precaution effect of binding erection schedule.
With upper type 3) and 4) be similar to white list, if hit by the corresponding descriptor of carrying out the tactful behavior/erection schedule of letting pass, one or more binding erection schedules that described body erection schedule is opened or one or more binding behaviors of execution can be let pass, certainly, if do not hit, need interception.Obviously, the descriptor of storing in white list is minority after all, and visible great majority binding erection schedule or binding behavior all will be blocked.In this programme, preferentially use the mode of white list, or use the mode of white list and blacklist combination.
The descriptor of described erection schedule, comprises following one or more combination: the issue Business Name of version number, installation file, name of product, inner title, signer, signature date, installation file size, fitting limit, the timestamp of installation file, the capable information of installation order.
S106: block or allow the one or more installation programs/behaviors according to the matching result.
Blocking the one or more installation programs/behaviors comprises operations such as closing the installation program/behavior, deleting the file corresponding to the installation program, or deleting the files that the installation behavior installed. When an installation program/behavior is closed, the files and other data it has already released must also be cleaned up.
After the matching result is obtained, the setting flag of the blocking-handling configuration item is checked. This flag is set in a configuration interface, which is opened when the configuration entry provided on the main interface is triggered.
When the setting flag is "ask before handling", the user is prompted, according to the matching result, that one or more installation programs/behaviors require a blocking policy, and those installation programs/behaviors are blocked according to the user instruction received within a preset duration. If no user instruction is received within the preset duration, the installation programs/behaviors are blocked by default.
When the setting flag is "handle directly", the one or more installation programs/behaviors that the matching result shows require a blocking policy are blocked immediately.
The main interface provides the entry for configuring the setting flag, as shown in Figure 4. The user sets the flag in the configuration interface, as shown in Figure 6. A user who wants all bundled behaviors or bundled software cleaned up sets the flag to "handle directly", so that a matched installation program/behavior that is bundled software is blocked at once; a user who wants to allow individual bundled software sets the flag to "ask before handling", so that when a matched installation program/behavior is bundled software the user decides whether to block or allow it.
S108: under the identifier of the application program, record the identifier and handling time of each of the one or more installation programs/behaviors, count the number of applications on which blocking has been performed, and total the number of blocks recorded across all applications, for the user to review.
By default the main interface shows the number of applications on which blocking has been performed and the total number of blocks, and provides a record-query entry, as shown in Figure 4;
triggering the record-query entry opens a query interface that shows, indexed by application identifier, the total number of blocks and the recorded identifiers and handling times of the blocked installation programs/behaviors, as shown in Figure 5;
the identifier of an application and/or of a blocked installation program/behavior selected on the query interface is received and reported to the server, so that the server can aggregate the application and the blocked installation program/behavior, configure the corresponding blocking policy, and distribute the configured policy.
The main interface thus summarises the overall blocking status, so that the user can follow the general trend of bundling, while the query interface provides the details, which the user can open and browse when needed.
The policy library is generally deployed on the terminal where the device executing the bundle-blocking method resides; it may also be deployed on the network server that the terminal accesses. The preferred scheme deploys it on both. When the terminal has just booted, software downloaded to it earlier may start automatically and pop up a window prompting the user to install bundled software; at that moment the network connection is not yet established, so a policy library deployed only on the server side cannot block it, whereas a policy library deployed on the terminal itself does not depend on the network and protects the terminal well before the connection is up. The terminal-side policy library plays an auxiliary role and is generally lightweight, holding some commonly used description information and blocking/allow policies.
The policy library deployed on the terminal holds description information of installation programs/behaviors that carry an allow policy; the policy library deployed on the network server the terminal accesses holds description information of installation programs/behaviors that carry a blocking policy and/or an allow policy;
the policy library on the network server continuously receives description information and blocking and/or allow policies reported by the terminals that access the server, aggregates and evaluates them, and updates itself accordingly.
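The matching and decision logic described above (whitelist consulted first, a terminal-side library that can only say "suspected" until the cloud library confirms, and the "ask before handling" flag that defaults to blocking when the preset duration expires) as an added example. This is illustration code written for this page, not the patent's or any product's implementation; the descriptor fields follow the text, but every policy entry, sample installer and the prompt callback are constructed here. It also shows the point made later in the embodiment: an installer that ships with no description information at all slips past a blacklist but is still blocked in whitelist mode.

```python
"""Two-tier policy-library matcher with the handling flag (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Descriptor fields named in the text.  Any of them may be empty: bundleware that
# wants to evade blacklists ships with no version, product name or signer at all.
DESCRIPTOR_FIELDS = ("version", "company", "product", "internal_name", "signer",
                     "sign_date", "size", "install_path", "timestamp", "cmdline")


@dataclass
class PolicyLibrary:
    """Policy entries keyed by descriptor field -> set of values.  The terminal-side
    library holds only allow entries (lightweight whitelist); the cloud-side library
    holds allow and block entries."""
    allow: Dict[str, set] = field(default_factory=dict)
    block: Dict[str, set] = field(default_factory=dict)

    def _hit(self, table: Dict[str, set], desc: dict) -> Optional[str]:
        for f in DESCRIPTOR_FIELDS:
            v = desc.get(f)
            if v and v in table.get(f, ()):
                return f           # any single matching item counts, as in the text
        return None

    def match(self, desc: dict) -> str:
        if self._hit(self.allow, desc):      # whitelist first
            return "allow"
        if self._hit(self.block, desc):
            return "block"
        return "unknown"


def classify(desc: dict, local: PolicyLibrary, cloud: Optional[PolicyLibrary]) -> str:
    """Local whitelist hit -> allow.  Otherwise the installer is only suspected and
    the cloud library confirms when reachable.  Unmatched installers are blocked
    (whitelist mode), which is also the offline behaviour right after boot."""
    if local.match(desc) == "allow":
        return "allow"
    if cloud is not None:
        verdict = cloud.match(desc)
        if verdict != "unknown":
            return verdict
    return "block"


def handle(verdict: str, mode: str, ask_user: Callable[[], Optional[bool]]) -> str:
    """mode is 'direct' or 'ask'.  ask_user() returns True to block, False to allow,
    or None when the preset duration expired without an answer; the text requires
    the timeout case to default to blocking."""
    if verdict == "allow":
        return "allowed"
    if mode == "direct":
        return "blocked"
    answer = ask_user()
    return "allowed" if answer is False else "blocked"


# Constructed sample entries; the vendor and product names are placeholders.
LOCAL = PolicyLibrary(allow={"signer": {"Example Trusted Signer"}})
CLOUD = PolicyLibrary(allow={"signer": {"Example Trusted Signer"},
                             "product": {"ExampleBrowser"}},
                      block={"product": {"ExampleToolbar"},
                             "cmdline": {"/silent /bundle"}})

SAMPLES = {
    "signed_main": {"product": "ExampleSuite", "signer": "Example Trusted Signer"},
    "known_toolbar": {"product": "ExampleToolbar", "signer": "Other Signer Ltd"},
    "stripped": {},            # no descriptor at all: invisible to a blacklist
}


def run(sample: str, cloud_available: bool = True, mode: str = "direct",
        ask: Callable[[], Optional[bool]] = lambda: None) -> str:
    """End-to-end: match the sample against both tiers, then apply the flag."""
    verdict = classify(SAMPLES[sample], LOCAL, CLOUD if cloud_available else None)
    return handle(verdict, mode, ask)
```

With the sample data, the signed main installer is allowed even offline, the known toolbar is blocked directly, and the descriptor-less installer is blocked although the cloud blacklist alone returns no match. In "ask" mode the toolbar is allowed only when the user answers within the window; a timeout blocks it.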
Besides the real-time blocking mode of steps S100 to S108, which blocks bundled software as it is being installed or a bundling behavior as it occurs, the application can also use a non-real-time blocking mode: using the description information in the policy library, all software installed in the operating system is screened, and any bundled software that matches is cleaned up. Combining the real-time and non-real-time modes ensures that bundled software is blocked completely.
The scheme of the present application is further illustrated below using a bundled installation program as an example.
An application program has opened a main installation program A, and A has automatically opened an installation program B.
When A creates B, the CreateProcess call that creates B can be captured by hooking the API, and B's description information can be examined. It comprises a first part (version number, publisher company name of the installation file, product name, internal name, etc.), a second part (signer, signature date, etc.), a third part (installation file size, installation location, timestamp of the installation file, etc.) and a fourth part (command-line information, etc.);
B's description information is matched in the policy library; if any one of the items above matches, B can be determined to be suspected bundled software. The policy library is used here in blacklist mode. On a match, B's description information is used to look up, in a preset software information base, the description information of B's related files; in this embodiment these comprise B's installation files, registry entries, shortcuts, service files, generated files and so on, which may be all the files produced while B is installed and running. The related files are then deleted according to the description information found.
A cleanup request for B is obtained; it contains B's description information. If the setting flag is found to be "ask before handling", B is presented to the user through an interface and the user chooses whether to block it. More than one piece of bundled software may be matched at once; all currently identified bundled software can be presented to the user in one interface so that the user can choose which of them to block.
As noted in the preceding embodiment, the policy library preferably uses whitelist mode, because some bundled software deliberately carries no description information at all (no version number, product name, signer, signature date, etc.) in order to evade blocking. In blacklist mode such software escapes easily; in whitelist mode anything that does not match is blocked.
The terminal's local policy library stores some commonly used description information in advance so that queries can be made when no network connection is available. The network policy library remains the main one, or the local and network policy libraries are used together: after matching against the local policy library, its result can only indicate that the target is suspected bundled software, and further confirmation must be submitted to the network policy library for an accurate query.
The network policy library is mainly located in the cloud. When matching, the executable portion of the bundled software is extracted and judged, so however the packaging of the bundled software changes, the description information and MD5 of its executable portion can be queried in the network policy library. (MD5 serves only as a lookup key here; because MD5 collisions are practical, a stronger digest such as SHA-256 should be preferred for this purpose and a hash match should not be the sole identity check.)
Software that the vast majority of users have repeatedly allowed can be identified by cloud-side statistics; such software can be determined not to be bundled software, its description information is recorded in the policy library, and a corresponding allow policy is stored with it. The next time the software is installed, it is allowed directly after matching in the policy library.
Bundled software currently takes three main forms: 1) bundled directly as an installation file; 2) the installation file of the bundled software is kept at a network address and is downloaded and installed on the fly; 3) no installation file at all: files are created directly and written to. All three forms are collected and stored in the policy library. For form 2), a technician can first identify the bundling logic with a packet-capture tool, check the network addresses accessed, collect all of them into a network-address pool, and refresh the pool at regular intervals to keep the policy library current. For form 1), the main installation file can be run proactively in a sandbox; if, within a predetermined period, another installation file follows the main installation file and completes an installation automatically, that other installation file is confirmed to be bundled software, and its information and blocking policy are stored in the policy library.
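The sandbox check just described, extended to all three bundling forms, as an added example: it walks a trace of process-creation, network-access and file-write events recorded while the main installer ran, and emits the policy-library entries (description, hash, network addresses, block policy) that the text says are collected. This is illustration code written for this page, not the patent's or any vendor's sandbox; the event trace, process images, publisher names, payload bytes and the 120-second window are all constructed.

```python
"""Sandbox trace -> policy-library entries for the three bundling forms (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    t: float       # seconds after the main installer was launched
    kind: str      # "create_process", "net_access", "file_write", "install_done"
    pid: int
    ppid: int
    detail: str    # image path, URL accessed, or file path written


def sandbox_findings(trace: List[Event], main_pid: int, main_company: str,
                     main_install_dir: str, company_of: Dict[str, str],
                     image_bytes: Dict[str, bytes], window: float = 120.0) -> List[dict]:
    """One entry per bundled installation found in the main installer's process tree.
    form 1: a separate installer file run by the tree;
    form 2: the same, but the child fetched its payload from a network address first,
            so the address is recorded for the address pool;
    form 3: no installer file; the main installer itself writes files outside its
            own install directory.
    A child counts only if its installation completes within `window` seconds
    (automatic rather than user-driven) and its publisher differs from the main
    installer's, so the vendor's own helper components are not reported."""
    tree = {main_pid}
    image: Dict[int, str] = {}
    urls: Dict[int, List[str]] = {}
    dropped: List[str] = []
    findings: List[dict] = []
    for ev in sorted(trace, key=lambda e: e.t):
        if ev.pid not in tree and ev.ppid not in tree:
            continue                                  # unrelated process
        if ev.kind == "create_process":
            tree.add(ev.pid)
            image[ev.pid] = ev.detail
        elif ev.kind == "net_access":
            urls.setdefault(ev.pid, []).append(ev.detail)
        elif ev.kind == "file_write" and ev.pid == main_pid:
            if not ev.detail.lower().startswith(main_install_dir.lower()):
                dropped.append(ev.detail)             # form 3 evidence
        elif ev.kind == "install_done" and ev.pid != main_pid:
            img = image.get(ev.pid, "")
            if ev.t > window or company_of.get(img) == main_company:
                continue
            findings.append({
                "form": 2 if ev.pid in urls else 1,
                "image": img,
                # MD5 is the key the text uses; it indexes the entry but, since MD5
                # collisions are practical, it must not be the only identity check.
                "md5": hashlib.md5(image_bytes.get(img, b"")).hexdigest(),
                "urls": urls.get(ev.pid, []),
                "policy": "block",
            })
    if dropped:
        findings.append({"form": 3, "image": "", "md5": "", "urls": [],
                         "dropped": dropped, "policy": "block"})
    return findings


# Constructed trace of one sandboxed run; paths and vendors are placeholders.
MAIN = r"C:\Users\u\Downloads\examplesuite_setup.exe"
HELPER = r"C:\Users\u\AppData\Local\Temp\helper.exe"
TOOLBAR = r"C:\Users\u\AppData\Local\Temp\toolbar_setup.exe"
STUB = r"C:\Users\u\AppData\Local\Temp\dl_stub.exe"
LATE = r"C:\Users\u\AppData\Local\Temp\late_setup.exe"
COMPANY_OF = {MAIN: "Example Software Co", HELPER: "Example Software Co",
              TOOLBAR: "Example Adware Ltd", STUB: "Example Adware Ltd",
              LATE: "Example Adware Ltd"}
IMAGE_BYTES = {TOOLBAR: b"MZ constructed toolbar installer",
               STUB: b"MZ constructed download stub"}
SAMPLE_TRACE = [
    Event(0.0, "create_process", 100, 1, MAIN),
    Event(3.0, "create_process", 101, 100, HELPER),
    Event(5.0, "install_done", 101, 100, ""),                 # vendor's own helper
    Event(8.0, "create_process", 102, 100, TOOLBAR),
    Event(9.0, "create_process", 103, 100, STUB),
    Event(10.0, "net_access", 103, 100, "http://bundle.example/payload.exe"),
    Event(12.0, "file_write", 100, 1, r"C:\Program Files\ExampleSuite\app.exe"),
    Event(13.0, "file_write", 100, 1, r"C:\Program Files\SurpriseApp\surprise.exe"),
    Event(20.0, "install_done", 102, 100, ""),                # form 1
    Event(40.0, "install_done", 103, 100, ""),                # form 2
    Event(300.0, "create_process", 104, 100, LATE),
    Event(400.0, "install_done", 104, 100, ""),               # outside the window
    Event(50.0, "create_process", 999, 55, r"C:\Windows\System32\svchost.exe"),
]


def run_example() -> List[dict]:
    return sandbox_findings(SAMPLE_TRACE, 100, "Example Software Co",
                            r"C:\Program Files\ExampleSuite", COMPANY_OF, IMAGE_BYTES)
```

On the constructed trace the result is three entries: the toolbar installer (form 1), the download stub with the address it fetched from (form 2), and the file the main installer dropped into an unrelated program directory (form 3); the vendor's own helper, the late installer and the unrelated process are not reported.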
Another embodiment further describes the implementation of the present application. The application can be a module with a bundle-blocking function inside antivirus or security software, turning bundle blocking on automatically when the antivirus or security software starts; it can also exist as stand-alone software. It can be applied in download tools or instant-messaging (IM) software to find and stop the malicious bundled software produced by such tools.
As shown in Figure 2, a device for blocking bundled software based on cloud security comprises:
Policy library 20, for holding description information of installation programs/behaviors together with the blocking policies and/or allow policies corresponding to that description information. Policy library 20 is deployed on the terminal where the device resides and/or on the network server that the terminal accesses. The policy library deployed on the terminal holds description information of installation programs/behaviors that carry an allow policy; the policy library deployed on the network server holds description information of installation programs/behaviors that carry a blocking policy and/or an allow policy. The policy library on the network server continuously receives description information and blocking and/or allow policies reported by the terminals that access the server (the main interface shown in Figure 4 provides a feedback and reporting entry through which the terminal reports to the server), aggregates and evaluates them, and updates itself accordingly. The description information of an installation program comprises one or more of the following: version number, publisher company name of the installation file, product name, internal name, signer, signature date, installation file size, installation location, timestamp of the installation file, and command-line information of the installation program;
Monitoring module 21, for monitoring the main installation program of an application program while the application is being installed;
Capture module 22, coupled to monitoring module 21, for capturing the description information of the one or more bundled installation programs opened, or bundled behaviors executed, by the main installation program;
Matching module 23, coupled to capture module 22 and to policy library 20, for matching the description information of the one or more installation programs/behaviors against policy library 20;
Execution module 24, coupled to matching module 23, for blocking or allowing the one or more installation programs/behaviors according to the matching result. Specifically, after the matching result is obtained, it checks the setting flag of the blocking-handling configuration item, which is set in a configuration interface opened when the configuration entry on the main interface is triggered. When the setting flag is "ask before handling", the user is prompted that one or more installation programs/behaviors require a blocking policy, and they are blocked according to the user instruction received within a preset duration; if no instruction is received within that duration, they are blocked by default. When the setting flag is "handle directly", the installation programs/behaviors that the matching result shows require a blocking policy are blocked immediately.
The update mode and update rules of policy library 20 are described below with an embodiment.
The update request sent by the client contains the version information of its bundle-blocking rules. The server compares the rule version information in the update request with the rule version information it holds and, based on the comparison, determines which updated bundle-blocking rules need to be sent to the client. If the version represented by the client's version information is identical to the server's, the client's rules are the latest and no update is needed; if the client's version is earlier than the server's, the client's rules are out of date and need updating. The version information may include a timestamp representing the release time of the version, in which case the client and server versions are compared by timestamp; it may also include a version number, where a larger number represents a later version, in which case they are compared by version number.
Besides the version information, the update request can carry other information, such as a user identifier and verification information to guard against malicious attacks; the verification information can, for example, be a random number. To protect the bundle-blocking rules stored on the server, the request and/or the response can be compressed and encrypted. (A bare random number only helps against replay; to reject forged requests the server must also be able to authenticate the request, for instance with a message authentication code over the request fields under a key shared with the client.)
By comparing version information on the server side, the rules that need updating can be determined and only those are sent to the client, rather than all bundle-blocking rules; this reduces the amount of information sent to the client and saves network traffic and resources on both client and server.
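The update exchange just described, as an added example with both sides: the client builds a request carrying its user identifier, its rule version and a random nonce; the server authenticates the request, rejects a replayed nonce, selects only the rules newer than the client's version (by version number when one is sent, otherwise by release timestamp) and returns them compressed. This is illustration code written for this page, not the patent's or any product's update protocol. The rule contents, versions, timestamps and the shared key are constructed; the HMAC over the request fields goes beyond the text's "random number", and the encryption the text mentions is assumed to be applied to the compressed blob outside this example.

```python
"""Version-compared delta update of bundle-blocking rules (added example)."""
import hashlib
import hmac
import json
import secrets
import zlib
from typing import List, Optional, Set, Tuple

# Constructed rule set; each rule carries both a version number and a release timestamp.
SERVER_RULES = [
    {"version": 1, "released": 1380000000, "rule": {"block": {"product": "ExampleToolbar"}}},
    {"version": 2, "released": 1380600000, "rule": {"block": {"cmdline": "/silent /bundle"}}},
    {"version": 3, "released": 1381200000, "rule": {"allow": {"signer": "Example Trusted Signer"}}},
]
SHARED_KEY = b"constructed-shared-key"   # assumption: provisioned to the client out of band


def _mac(body: dict) -> str:
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, canon, hashlib.sha256).hexdigest()


def build_request(user_id: str, client_version: Optional[int],
                  client_released: Optional[int]) -> dict:
    """Client side: version info, user id and a fresh nonce, bound together by a MAC."""
    body = {"user": user_id, "version": client_version,
            "released": client_released, "nonce": secrets.token_hex(8)}
    body["mac"] = _mac(body)
    return body


def verify_request(req: dict, seen_nonces: Set[str]) -> bool:
    """Server side: constant-time MAC check, then reject any nonce seen before."""
    body = {k: v for k, v in req.items() if k != "mac"}
    if not hmac.compare_digest(req.get("mac", ""), _mac(body)):
        return False
    if req["nonce"] in seen_nonces:
        return False
    seen_nonces.add(req["nonce"])
    return True


def rules_newer_than(client_version: Optional[int] = None,
                     client_released: Optional[int] = None) -> List[dict]:
    """Compare by version number when the client sent one, else by timestamp."""
    if client_version is not None:
        return [r for r in SERVER_RULES if r["version"] > client_version]
    return [r for r in SERVER_RULES if r["released"] > (client_released or 0)]


def build_response(req: dict, seen_nonces: Set[str]) -> Optional[bytes]:
    """Returns the compressed delta, or None for a forged or replayed request."""
    if not verify_request(req, seen_nonces):
        return None
    delta = rules_newer_than(req.get("version"), req.get("released"))
    payload = {"rules": delta, "latest": max(r["version"] for r in SERVER_RULES)}
    return zlib.compress(json.dumps(payload).encode())


def apply_response(blob: bytes, client_rules: List[dict]) -> Tuple[List[dict], int]:
    """Client side: decompress and append the delta; returns (rules, latest version)."""
    data = json.loads(zlib.decompress(blob))
    return client_rules + data["rules"], data["latest"]
```

A client at version 1 receives only rules 2 and 3 rather than the whole rule set; a client that sends only a timestamp is served by release time; and both a tampered request and a replayed one are answered with nothing.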
As shown in Figure 3, the bundle-blocking device further comprises:
Logging module 25, coupled to execution module 24, for recording, under the identifier of the application program, the identifier and handling time of each of the one or more installation programs/behaviors, counting the number of applications on which blocking has been performed, and totalling the number of blocks recorded across all applications.
Record display module 26, coupled to logging module 25, for showing on the main interface by default the number of applications on which blocking has been performed and the total number of blocks, and providing a record-query entry on the main interface; triggering that entry opens a query interface showing, indexed by application identifier, the total number of blocks and the recorded identifiers and handling times of the blocked installation programs/behaviors; and for receiving the identifier of an application and/or blocked installation program/behavior selected on the query interface and reporting it to the server, so that the server can aggregate the application and the blocked installation program/behavior, configure the corresponding blocking policy, and distribute the configured policy.
Logging module 25 also reports the recorded description information of the one or more installation programs/behaviors to the server so that the server side can generate a monitoring log. The monitoring log is obtained by monitoring the installation processes of many application programs; it contains the description information of bundled software together with a bundling mark pointing to that description information, so known bundled software is recorded directly in the log and tracing bundled software back from the log records is straightforward.
The device embodiments above correspond to the method embodiments; anything not detailed here may be found by reference to the method embodiments and is not repeated.
The foregoing has illustrated and described some preferred embodiments of the present application, but, as stated above, the application is not limited to the forms disclosed herein, which should not be regarded as excluding other embodiments; it can be used in various other combinations, modifications and environments, and can be changed within the scope of the inventive concept described herein through the teachings above or the skill and knowledge of the related art. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the application all fall within the protection scope of the appended claims.
The application discloses A1, a method for blocking bundled software based on cloud security, comprising: while an application program is being installed, monitoring the main installation program of the application; when the main installation program opens one or more installation programs or executes one or more behaviors, capturing the description information of each of those installation programs/behaviors; matching that description information against a policy library that holds description information of installation programs/behaviors together with the corresponding blocking policies and/or allow policies; and blocking or allowing the one or more installation programs/behaviors according to the matching result.
A2, the bundle-blocking method of A1, wherein blocking or allowing according to the matching result further comprises: after the matching result is obtained, checking the setting flag of the blocking-handling configuration item, the flag being set in a configuration interface that is opened when the configuration entry provided on the main interface is triggered; when the flag is "ask before handling", prompting the user according to the matching result that one or more installation programs/behaviors require a blocking policy and blocking them according to the user instruction received within a preset duration, or blocking them by default if no instruction is received within that duration; and when the flag is "handle directly", blocking immediately the installation programs/behaviors that the matching result shows require a blocking policy.
A3, the bundle-blocking method of A1, wherein after blocking or allowing according to the matching result the method further comprises: under the identifier of the application, recording the identifier and handling time of each of the one or more installation programs/behaviors; counting the number of applications on which blocking has been performed and totalling the number of blocks recorded across all applications; showing that number of applications and total on the main interface by default and providing a record-query entry on the main interface; opening a query interface when that entry is triggered, the query interface showing, indexed by application identifier, the total number of blocks and the recorded identifiers and handling times of the blocked installation programs/behaviors; and receiving the identifier of an application and/or blocked installation program/behavior selected on the query interface and reporting it to the server, so that the server aggregates the application and the blocked installation program/behavior, configures the corresponding blocking policy and distributes it.
A4, the bundle-blocking method of A1, wherein the description information of bundled behaviors that carry a blocking policy comprises one or more of the following: description information of file-creation operations, file-write operations, download operations and installation operations performed by a process that is blocked by default and unrelated to that process.
A5, the bundle-blocking method of A1, wherein the description information of behaviors that carry an allow policy comprises one or more of the following: description information of installation operations and download operations driven by the user, and description information of installation operations and download operations performed by a process that is allowed by default.
A6, the bundle-blocking method of A1, wherein the description information of bundled installation programs that carry a blocking policy comprises one or more of the following: description information of bundled installation programs launched by a process that is blocked by default and unrelated to that process; description information of bundled installation programs that have previously been blocked; description information of bundled installation programs blocked by default, collected in advance; and network addresses accessed by bundled download processes blocked by default, collected in advance.
A7, the bundle-blocking method of A1, wherein the description information of installation programs that carry an allow policy comprises one or more of the following: description information of installation programs launched by a process that is allowed by default and unrelated to that process; description information of installation programs that have previously been allowed; description information of installation programs allowed by default, collected in advance; and network addresses accessed by download processes allowed by default, collected in advance.
A8, the bundle-blocking method of A1, A6 or A7, wherein the description information comprises one or more of the following: version number, publisher company name of the installation file, product name, internal name, signer, signature date, installation file size, installation location, timestamp of the installation file, and command-line information of the installation program.
A9, the bundle-blocking method of A1, wherein the policy library is deployed on the terminal where the device executing the method resides and/or on the network server that the terminal accesses; the policy library deployed on the terminal holds description information of installation programs/behaviors that carry an allow policy; the policy library deployed on the network server holds description information of installation programs/behaviors that carry a blocking policy and/or an allow policy; and the policy library on the network server continuously receives description information and blocking and/or allow policies reported by the terminals that access the server, aggregates and evaluates them, and updates itself accordingly.
The application also discloses B1, a device for blocking bundled software based on cloud security, comprising: a policy library for holding description information of installation programs/behaviors together with the corresponding blocking policies and/or allow policies; a monitoring module for monitoring the main installation program of an application program while the application is being installed; a capture module for capturing the description information of each of the one or more installation programs opened, or behaviors executed, by the main installation program; a matching module for matching that description information against the policy library; and an execution module for blocking or allowing the one or more installation programs/behaviors according to the matching result.
B2, the bundle-blocking device of B1, wherein the execution module is further configured, after the matching result is obtained, to check the setting flag of the blocking-handling configuration item, the flag being set in a configuration interface that is opened when the configuration entry provided on the main interface is triggered; when the flag is "ask before handling", to prompt the user according to the matching result that one or more installation programs/behaviors require a blocking policy and block them according to the user instruction received within a preset duration, or block them by default if no instruction is received within that duration; and when the flag is "handle directly", to block immediately the installation programs/behaviors that the matching result shows require a blocking policy.
B3, the bundle-blocking device of B1, further comprising: a logging module for recording, under the identifier of the application, the identifier and handling time of each of the one or more installation programs/behaviors, counting the number of applications on which blocking has been performed, and totalling the number of blocks recorded across all applications; and a record display module for showing that number of applications and total on the main interface by default and providing a record-query entry on the main interface, opening a query interface when that entry is triggered, the query interface showing, indexed by application identifier, the total number of blocks and the recorded identifiers and handling times of the blocked installation programs/behaviors, and receiving the identifier of an application and/or blocked installation program/behavior selected on the query interface and reporting it to the server, so that the server aggregates the application and the blocked installation program/behavior, configures the corresponding blocking policy and distributes it.
B4, the bundle-blocking device of B1, wherein the description information held in the policy library of bundled behaviors that carry a blocking policy comprises one or more of the following: description information of file-creation operations, file-write operations, download operations and installation operations performed by a process that is blocked by default and unrelated to that process.
B5, the bundle-blocking device of B1, wherein the description information held in the policy library of behaviors that carry an allow policy comprises one or more of the following: description information of installation operations and download operations driven by the user, and description information of installation operations and download operations performed by a process that is allowed by default.
B6, the bundle-blocking device of B1, wherein the description information held in the policy library of bundled installation programs that carry a blocking policy comprises one or more of the following: description information of bundled installation programs launched by a process that is blocked by default and unrelated to that process; description information of bundled installation programs that have previously been blocked; description information of bundled installation programs blocked by default, collected in advance; and network addresses accessed by bundled download processes blocked by default, collected in advance.
B7, the bundle-blocking device of B1, wherein the description information held in the policy library of installation programs that carry an allow policy comprises one or more of the following: description information of installation programs launched by a process that is allowed by default and unrelated to that process; description information of installation programs that have previously been allowed; description information of installation programs allowed by default, collected in advance; and network addresses accessed by download processes allowed by default, collected in advance.
B8, the bundle-blocking device of B1, B6 or B7, wherein the description information comprises one or more of the following: version number, publisher company name of the installation file, product name, internal name, signer, signature date, installation file size, installation location, timestamp of the installation file, and command-line information of the installation program.
B9, the bundle-blocking device of B1, wherein the policy library is
configured in described device place terminal, and/or, be configured in the webserver that described device place terminal accesses; Be configured in the policy library of described device place terminal, preserve the corresponding descriptor of carrying out the tactful erection schedule/behavior of letting pass; Be configured in the policy library of the webserver of described device place terminal access, preserve the corresponding descriptor of carrying out interception strategy and/or carrying out the tactful erection schedule/behavior of letting pass; The described policy library that is configured in the webserver of described device place terminal access, by continuous reception, access descriptor and interception strategy and/or the strategy of letting pass of some terminal to report of the described webserver, and described descriptor and interception strategy and/or clearance strategy are gathered to judgement to upgrade described policy library.

Claims (10)

1. A method for intercepting bundled software based on cloud security, characterized in that it comprises:
when an application is installed, monitoring the main installation process of the application;
when the main installation process opens one or more installation processes or performs one or more behaviours, capturing the description information of each of the one or more installation processes/behaviours;
matching the description information of the one or more installation processes/behaviours against a policy library, the policy library storing description information of installation processes/behaviours together with the interception strategy and/or clearance strategy corresponding to that description information;
intercepting or clearing the one or more installation processes/behaviours according to the matching result.
2. The bundled-software interception method of claim 1, characterized in that intercepting or clearing the one or more installation processes/behaviours according to the matching result further comprises:
after the matching result is obtained, detecting the setting flag of the interception processing configuration item, wherein the setting flag of the processing configuration item is set in a configuration interface, and the configuration interface is opened upon receiving a trigger on the configuration entry provided on the main interface;
when the setting flag indicates ask-then-process, prompting the user according to the matching result that one or more of the installation processes/behaviours require the interception strategy, and intercepting those installation processes/behaviours within a preset duration according to the user's received indication; if no user indication is received within the preset duration, intercepting those installation processes/behaviours by default;
when the setting flag indicates direct processing, determining from the matching result that one or more of the installation processes/behaviours require the interception strategy, and intercepting those installation processes/behaviours directly.
3. The bundled-software interception method of claim 1, characterized in that, after intercepting or clearing the one or more installation processes/behaviours according to the matching result, the method further comprises:
recording, against the identifier of the application, the identifier and commit time of each of the one or more installation processes/behaviours;
counting the number of applications for which interception has been performed, and keeping a total interception count across all applications;
showing by default, on the main interface, the number of applications for which interception has been performed and the total interception count, and providing a record query entry on the main interface;
on receiving a trigger on the record query entry, opening a query interface that, indexed by application identifier, shows the total interception count and the recorded identifiers and commit times of the intercepted installation processes/behaviours;
on receiving a trigger on an application identifier and/or an intercepted installation process/behaviour identifier on the query interface, reporting the application identifier and/or the identifier of the intercepted installation process/behaviour to a server, so that the server aggregates the application and its intercepted installation processes/behaviours, configures a corresponding interception strategy, and issues the configured interception strategy.
4. The bundled-software interception method of claim 1, characterized in that
the description information of bundled behaviours subject to the interception strategy comprises one or more of the following: description information of a file creation operation performed by a default-intercepted process and unrelated to that default-intercepted process; description information of a file write operation performed by a default-intercepted process and unrelated to that default-intercepted process; description information of a download operation performed by a default-intercepted process and unrelated to that default-intercepted process; description information of an installation operation performed by a default-intercepted process and unrelated to that default-intercepted process.
5. The bundled-software interception method of claim 1, characterized in that
the description information of behaviours subject to the clearance strategy comprises one or more of the following: description information of a user-driven installation operation; description information of a user-driven download operation; description information of an installation operation performed by a default-cleared process; description information of a download operation performed by a default-cleared process.
6. The bundled-software interception method of claim 1, characterized in that
the description information of bundled installation processes subject to the interception strategy comprises one or more of the following: description information of a bundled installation process started by a default-intercepted process and unrelated to that default-intercepted process; description information of bundled installation processes that have already been intercepted; description information of pre-collected default-intercepted bundled installation processes; network addresses accessed by pre-collected default-intercepted bundled download processes.
7. The bundled-software interception method of claim 1, characterized in that
the description information of installation processes subject to the clearance strategy comprises one or more of the following: description information of an installation process started by a default-cleared process and unrelated to that default-cleared process; description information of installation processes that have already been cleared; description information of pre-collected default-cleared installation processes; network addresses accessed by pre-collected default-cleared download processes.
8. The bundled-software interception method of claim 1, 6 or 7, characterized in that
the description information comprises one or more of the following: version number, publisher company name of the installation file, product name, internal name, signer, signature date, installation file size, installation scope, timestamp of the installation file, and installation command-line information.
9. The bundled-software interception method of claim 1, characterized in that
the policy library is configured on the terminal where the device performing the cloud-security-based bundled-software interception method resides, and/or on a network server accessed by that terminal;
the policy library configured on the terminal where the device performing the method resides stores description information of installation processes/behaviours subject to the clearance strategy; the policy library configured on the network server accessed by that terminal stores description information of installation processes/behaviours subject to the interception strategy and/or the clearance strategy;
the policy library configured on the network server accessed by that terminal continuously receives the description information and the interception and/or clearance strategies reported by a number of terminals accessing the network server, and aggregates and evaluates that description information and those strategies in order to update the policy library.
10. A device for intercepting bundled software based on cloud security, characterized in that it comprises:
a policy library for storing description information of installation processes/behaviours together with the interception strategy and/or clearance strategy corresponding to that description information;
a monitoring module for monitoring the main installation process of an application when the application is installed;
a capture module for capturing the description information of each of the one or more installation processes/behaviours when the main installation process opens one or more installation processes or performs one or more behaviours;
a matching module for matching the description information of the one or more installation processes/behaviours against the policy library;
an execution module for intercepting or clearing the one or more installation processes/behaviours according to the matching result.
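The matching engine the claims describe, written out as an added example (not the patentee's code): a terminal-side and a server-side policy library of partial-descriptor rules (claims 1, 9), the claim 8 field list, the user-driven and default-intercepted-parent rules of claims 4 and 5, the ask-then-process timeout of claim 2, and the per-application interception record of claim 3. Every rule, vendor name and captured descriptor is constructed, and the `operation`, `user_driven` and `by_intercepted_parent` fields are assumptions about how the capture module would tag what it saw.

```python
# Policy-library matching for bundled-software interception, following claims 1 to 5, 8 and 9
# above. Added example, not the patentee's code; every rule and descriptor value is constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

class Decision(Enum):
    INTERCEPT = "intercept"
    CLEAR = "clear"

@dataclass(frozen=True)
class Descriptor:
    """Claim 8 description information; the last three fields are this example's assumptions."""
    version: str = ""
    publisher: str = ""
    product_name: str = ""
    internal_name: str = ""
    signer: str = ""
    signature_date: str = ""
    file_size: int = 0
    install_path: str = ""
    timestamp: str = ""
    command_line: str = ""
    operation: str = "install"           # install | download | file_create | file_write
    user_driven: bool = False            # started by the user rather than by the installer
    by_intercepted_parent: bool = False  # issued by a process already intercepted by default

def rule_matches(rule: Dict[str, object], d: Descriptor) -> bool:
    """A rule is a partial descriptor: every field it names must equal the captured value."""
    return all(getattr(d, k) == v for k, v in rule.items())

@dataclass
class PolicyLibrary:
    """Claim 9: the terminal copy holds clearance rules only; the server copy holds both."""
    clear_rules: List[Dict[str, object]] = field(default_factory=list)
    intercept_rules: List[Dict[str, object]] = field(default_factory=list)

    def match(self, d: Descriptor) -> Optional[Decision]:
        if any(rule_matches(r, d) for r in self.clear_rules):
            return Decision.CLEAR
        if any(rule_matches(r, d) for r in self.intercept_rules):
            return Decision.INTERCEPT
        return None

def decide(d: Descriptor, local: PolicyLibrary, cloud: PolicyLibrary) -> Decision:
    """Claim 5: user-driven install/download is cleared. Claim 4: operations issued by a
    default-intercepted process are intercepted. Otherwise consult the local library, then
    the cloud library; a descriptor no rule covers is cleared (an assumption)."""
    if d.user_driven and d.operation in ("install", "download"):
        return Decision.CLEAR
    if d.by_intercepted_parent:
        return Decision.INTERCEPT
    for lib in (local, cloud):
        verdict = lib.match(d)
        if verdict is not None:
            return verdict
    return Decision.CLEAR

def apply_mode(verdict: Decision, direct: bool, ask_user: Callable[[], Optional[bool]]) -> Decision:
    """Claim 2: direct mode intercepts at once; otherwise ask_user returns True (intercept),
    False (allow) or None when the preset duration elapses, which defaults to intercept."""
    if verdict is Decision.CLEAR or direct:
        return verdict
    return Decision.CLEAR if ask_user() is False else Decision.INTERCEPT

@dataclass
class InterceptionLog:
    """Claim 3: per application, identifiers and times of intercepted items, plus totals."""
    records: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    def record(self, app_id: str, item_id: str, when: str) -> None:
        self.records.setdefault(app_id, []).append((item_id, when))
    def intercepted_apps(self) -> int:
        return len(self.records)
    def total_interceptions(self) -> int:
        return sum(len(v) for v in self.records.values())

def run_demo(direct: bool = True) -> Tuple[List[Decision], InterceptionLog]:
    local = PolicyLibrary(clear_rules=[{"signer": "Example Vendor Ltd"}])
    cloud = PolicyLibrary(clear_rules=[{"publisher": "Example Vendor Ltd"}],
                          intercept_rules=[{"product_name": "BundleToolbar", "signer": "Bundle Co"},
                                           {"command_line": "/silent /bundled"}])
    children = [  # constructed descriptors captured from one main installation process
        Descriptor(product_name="Example Player", signer="Example Vendor Ltd"),
        Descriptor(product_name="BundleToolbar", signer="Bundle Co", command_line="/silent"),
        Descriptor(product_name="Extra", command_line="/silent /bundled"),
        Descriptor(product_name="dropped.exe", operation="file_create", by_intercepted_parent=True),
        Descriptor(product_name="Picked by user", operation="download", user_driven=True),
    ]
    log, out = InterceptionLog(), []
    for i, d in enumerate(children):
        out.append(apply_mode(decide(d, local, cloud), direct, ask_user=lambda: None))  # None: timed out
        if out[-1] is Decision.INTERCEPT:
            log.record("app-001", d.product_name, f"2013-12-20T10:00:0{i}")
    return out, log
```

`run_demo()` returns the per-child decisions and the log the record display module would read; the log's aggregate counts are what claim 3 shows on the main interface.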
CN201310714666.9A 2013-12-20 2013-12-20 The method and apparatus intercepting bundled software based on cloud security Active CN103646209B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310714666.9A CN103646209B (en) 2013-12-20 2013-12-20 The method and apparatus intercepting bundled software based on cloud security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310714666.9A CN103646209B (en) 2013-12-20 2013-12-20 The method and apparatus intercepting bundled software based on cloud security

Publications (2)

Publication Number Publication Date
CN103646209A true CN103646209A (en) 2014-03-19
CN103646209B CN103646209B (en) 2017-01-04

Family

ID=50251422

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310714666.9A Active CN103646209B (en) 2013-12-20 2013-12-20 The method and apparatus intercepting bundled software based on cloud security

Country Status (1)

Country Link
CN (1) CN103646209B (en)

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104123496A (en) * 2014-07-03 2014-10-29 珠海市君天电子科技有限公司 Rogue software interception method, device and terminal
CN104123490A (en) * 2014-07-02 2014-10-29 珠海市君天电子科技有限公司 Method and device for processing malicious bundled software and mobile terminal
CN104199703A (en) * 2014-09-05 2014-12-10 北京奇虎科技有限公司 Unattended setup management method and device
CN104239797A (en) * 2014-10-13 2014-12-24 北京奇虎科技有限公司 Active defense method and device
CN104268464A (en) * 2014-09-30 2015-01-07 珠海市君天电子科技有限公司 Promotion rule for promotion software and determination method, server and communication terminal for promotion software
CN104660825A (en) * 2015-03-09 2015-05-27 陈健强 Method and system for deleting application of smart mobile phone
CN105243324A (en) * 2015-10-20 2016-01-13 珠海市君天电子科技有限公司 Method and device for identifying malicious software in user terminal and user terminal
CN105335184A (en) * 2014-08-07 2016-02-17 北京奇虎科技有限公司 Application installation method and apparatus
CN105550573A (en) * 2015-12-23 2016-05-04 北京奇虎科技有限公司 Bundled software interception method and apparatus
CN105631312A (en) * 2015-12-25 2016-06-01 北京奇虎科技有限公司 Method and system for processing rogue programs
CN105631331A (en) * 2015-12-24 2016-06-01 北京奇虎科技有限公司 Security protection method and apparatus
CN105678167A (en) * 2015-12-24 2016-06-15 北京奇虎科技有限公司 Safety protection method and apparatus
CN105740021A (en) * 2016-01-29 2016-07-06 广东欧珀移动通信有限公司 Installation method and device of application program
CN105746360A (en) * 2016-04-27 2016-07-13 福建洛普生物科技有限公司 Tissue culture chamber capable of precisely controlling temperature, humidity and illumination intensity
CN105808279A (en) * 2014-12-30 2016-07-27 北京奇虎科技有限公司 Software purified installation method and apparatus
CN105808275A (en) * 2014-12-30 2016-07-27 北京奇虎科技有限公司 Software purified installation device and method
CN105912925A (en) * 2016-04-05 2016-08-31 周奇 Method and system for preventing mobile terminal from automatically installing related applications
CN106201634A (en) * 2016-07-28 2016-12-07 北京小米移动软件有限公司 Software installation method and device
WO2016197827A1 (en) * 2015-11-18 2016-12-15 中兴通讯股份有限公司 Method and apparatus for processing malicious bundled software
CN106503541A (en) * 2016-10-11 2017-03-15 天脉聚源(北京)传媒科技有限公司 A kind of installation method of installation kit and system
CN106897617A (en) * 2015-12-18 2017-06-27 北京奇虎科技有限公司 A kind of method and device for recognizing bundled software
CN106909831A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 A kind of data processing method and device
CN106934284A (en) * 2015-12-30 2017-07-07 北京金山安全软件有限公司 Application program detection method and device and terminal
CN108055582A (en) * 2017-12-14 2018-05-18 深圳市雷鸟信息科技有限公司 Using installation method and smart television
CN108734006A (en) * 2018-05-25 2018-11-02 山东华软金盾软件股份有限公司 A method of disabling Windows installation procedures
CN108920943A (en) * 2018-05-08 2018-11-30 国家计算机网络与信息安全管理中心 The method and device of installation binding behavior is detected for application software
CN108984184A (en) * 2018-06-22 2018-12-11 珠海市君天电子科技有限公司 A kind of software installation method, device and electronic equipment, storage medium
CN109033817A (en) * 2018-06-29 2018-12-18 北京奇虎科技有限公司 Bundled software hold-up interception method, device and equipment
CN109189497A (en) * 2018-08-06 2019-01-11 北京奇虎科技有限公司 A kind of method, apparatus and computer equipment for clean room software
CN113032779A (en) * 2021-02-04 2021-06-25 中国科学院软件研究所 Multi-behavior joint matching method and device based on behavior parameter Boolean expression rule
CN113641987A (en) * 2021-06-23 2021-11-12 深圳市沃特沃德信息有限公司 Interception method and device for application silent installation and computer equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050268112A1 (en) * 2004-05-28 2005-12-01 Microsoft Corporation Managing spyware and unwanted software through auto-start extensibility points
CN102413142A (en) * 2011-11-30 2012-04-11 华中科技大学 Active defense method based on cloud platform
CN102929768A (en) * 2012-11-29 2013-02-13 北京奇虎科技有限公司 Method for prompting software misloading and client
US20130159972A1 (en) * 2011-08-25 2013-06-20 International Business Machines Corporation Identifying components of a bundled software product
CN103235913A (en) * 2013-04-03 2013-08-07 北京奇虎科技有限公司 System, equipment and method used for identifying and intercepting bundled software

Also Published As

Publication number Publication date
CN103646209B (en) 2017-01-04

Similar Documents

Publication Publication Date Title
CN103646209A (en) Cloud-security-based bundled software blocking method and device
US6996843B1 (en) System and method for detecting computer intrusions
CN109688097B (en) Website protection method, website protection device, website protection equipment and storage medium
US8578490B2 (en) System and method for using timestamps to detect attacks
JP5809084B2 (en) Network security system and method
US7032114B1 (en) System and method for using signatures to detect computer intrusions
US6647400B1 (en) System and method for analyzing filesystems to detect intrusions
US7065657B1 (en) Extensible intrusion detection system
US7085936B1 (en) System and method for using login correlations to detect intrusions
US8443446B2 (en) Method and system for identifying malicious messages in mobile communication networks, related network and computer program product therefor
CN104239786B (en) Exempt from ROOT Initiative Defenses collocation method and device
US7895651B2 (en) Content tracking in a network security system
US6826697B1 (en) System and method for detecting buffer overflow attacks
US20070028302A1 (en) Distributed meta-information query in a network
WO2001016708A9 (en) System and method for detecting buffer overflow attacks
IL182013A (en) Method and device for questioning a plurality of computerized devices
CN105631312B (en) The processing method and system of rogue program
CN104239797B (en) Active defense method and device
CN101252443B (en) Apparatus and method for detecting message security
CN104468546B (en) A kind of web information processing method and firewall device, system
CN102045220A (en) Wooden horse monitoring and auditing method and system thereof
CN113901450A (en) Industrial host terminal safety protection system
TWI556129B (en) Management server and method and user client device and monitoring method thereof
CN115688100A (en) Method, device, equipment and medium for placing bait file
Anand et al. RTR-Shield: Early Detection of Ransomware Using Registry and Trap Files

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220719

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.