CN103795703A - Method for ensuring user network security and client - Google Patents

Publication number
CN103795703A
Authority
CN
China
Prior art keywords
executable file
list
payment
user
client
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310472912.4A
Other languages
Chinese (zh)
Inventor
陈宁一
郑文彬
肖鹏
朱翼鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201310472912.4A
Publication of CN103795703A

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The embodiment of the application discloses a method for ensuring user network security and a client. The method comprises the following steps that: whether a user starts a login operation mode or a payment operation mode by a client is monitored; and after the starting operation of the login operation mode or payment operation mode of the user is monitored, security monitoring is carried out on the login process or payment process of the user according to a security strategy that is set in advance. With the method and the client, when the client user is in a login state or on-line payment state, security protection is carried out on the login process or payment process by using various security strategies specially for guaranteeing the login process or the payment process; and the network security of the login process or payment process of the user can be ensured by dangerous process intercepting, executable file prompting, and browser invoking monitoring and the like.

Description

A method and client for ensuring user network security
This patent application is a divisional application of the Chinese invention patent application filed on April 18, 2011, with application number 201110097169.X, entitled "A method and client for ensuring user network security".
Technical field
The application relates to the technical field of computer networks, and in particular to a method and client for ensuring user network security.
Background
As network applications expand, network users can pay various fees online. The most common case is a user who logs in to an online store to buy goods and pays by transfer through an online banking account opened in advance. When paying through online banking, the user has to enter the bank card account number and a preset password, so protecting the security of online payment is essential. In the prior art, a malicious third party often steals the user's online banking account and password by means of a trojan. For example, when the user clicks the payment button on a web page, the payment page that opens may be one the malicious third party has prepared in advance, a malicious page that resembles the normal payment page; once the user enters a user name and password on the malicious page, the user's information is stolen. It follows that in existing online payment the user's online banking credentials are easily stolen, so network security is low and the user is liable to suffer losses.
Summary of the invention
To solve the above technical problem, the embodiments of the present application provide a method and client for ensuring user network security, addressing the problem that user information is easily stolen during existing online payment, which results in low network security.
The embodiments of the present application disclose the following technical solutions:
A method for ensuring user network security, comprising:
Monitoring whether a user starts a login operation mode or a payment operation mode through a client;
After it is detected that the user has started the login operation mode or payment operation mode, performing security monitoring on the user's login process or payment process according to a security policy set in advance.
The security policy is a security policy set in advance and dedicated to protecting the login process or payment process;
Monitoring whether the user starts the login operation mode or payment operation mode through the client is specifically: monitoring whether the user starts the login operation mode or payment operation mode through the client browser.
Performing security monitoring on the user's login process or payment process according to the security policy set in advance comprises at least one of the following:
Monitoring dangerous processes during the login process or payment process by means of a preset process list;
Monitoring executable files transferred during the login process or payment process by means of a preset list of safe executable files;
Monitoring calls made to the browser during the login process or payment process;
Monitoring calls that access keyboard input content during the login process or payment process;
Monitoring the objects to which the client transmits data during the login process or payment process;
Monitoring the web pages opened during the login process or payment process.
Monitoring dangerous processes during the login process or payment process by means of a preset process list comprises:
Presetting a whitelist, obtaining the current process during the login process or payment process, and, when the current process is not found in the whitelist, intercepting the current process as a dangerous process; or,
Presetting a blacklist, obtaining the current process during the login process or payment process, and, when the current process is found in the blacklist, intercepting the current process as a dangerous process.
Monitoring executable files transferred during the login process or payment process by means of the preset list of safe executable files comprises:
When it is detected that the client is about to receive an executable file, looking up the preset list of safe executable files; if the executable file is not found in the list, determining that the executable file is a suspicious file and outputting selection information asking the user to choose whether to receive the executable file; or
When it is detected that the client is in the course of receiving an executable file, looking up the preset list of safe executable files; if the executable file is not found in the list, determining that the executable file is a suspicious file and outputting selection information asking the user to choose whether to continue receiving the executable file; or
When it is detected that the client has received an executable file, looking up the preset list of safe executable files; if the executable file is not found in the list, determining that the executable file is a suspicious file and outputting selection information asking the user to choose whether to run the executable file.
Monitoring calls made to the browser during the login process or payment process comprises:
Monitoring, through a low-level driver, the functions related to inter-process communication;
When it is detected that an operation on the browser process through a remote procedure call interface has triggered a call to one of these functions, intercepting the corresponding call event;
Parsing the call event and identifying the process that initiated the call event;
Determining, by looking up a preset process list, whether the process that initiated the call event is an illegal process, the process list comprising a whitelist or a blacklist;
When the process is determined to be an illegal process, rejecting the call event.
A client, comprising:
Monitoring means, for monitoring whether a user starts a login operation mode or a payment operation mode through the client;
Monitoring unit, for performing security monitoring on the user's login process or payment process according to a security policy set in advance, after it is detected that the user has started the login operation mode or payment operation mode.
The security policy is a security policy set in advance and dedicated to protecting the login process or payment process;
The monitoring means is specifically for monitoring whether the user starts the login operation mode or payment operation mode through the client browser.
The monitoring unit comprises at least one of the following units:
Dangerous process monitoring unit, for monitoring dangerous processes during the login process or payment process by means of a preset process list;
Executable file monitoring unit, for monitoring executable files transferred during the login process or payment process by means of a preset list of safe executable files;
Browser call monitoring unit, for monitoring calls made to the browser during the login process or payment process;
Input content call monitoring unit, for monitoring calls that access keyboard input content during the login process or payment process;
Data object monitoring unit, for monitoring the objects to which the client transmits data during the login process or payment process;
Web page monitoring unit, for monitoring the web pages opened during the login process or payment process.
The dangerous process monitoring unit comprises at least one of the following units:
Whitelist interception unit, for presetting a whitelist, obtaining the current process during the login process or payment process, and, when the current process is not found in the whitelist, intercepting the current process as a dangerous process;
Blacklist interception unit, for presetting a blacklist, obtaining the current process during the login process or payment process, and, when the current process is found in the blacklist, intercepting the current process as a dangerous process.
The executable file monitoring unit comprises at least one of the following units:
First executable file monitoring unit, for looking up the preset list of safe executable files when it is detected that the client is about to receive an executable file and, if the executable file is not found in the list, determining that the executable file is a suspicious file and outputting selection information asking the user to choose whether to receive the executable file;
Second executable file monitoring unit, for looking up the preset list of safe executable files when it is detected that the client is in the course of receiving an executable file and, if the executable file is not found in the list, determining that the executable file is a suspicious file and outputting selection information asking the user to choose whether to continue receiving the executable file;
Third executable file monitoring unit, for looking up the preset list of safe executable files when it is detected that the client has received an executable file and, if the executable file is not found in the list, determining that the executable file is a suspicious file and outputting selection information asking the user to choose whether to run the executable file.
The browser call monitoring unit comprises:
Function monitoring unit, for monitoring, through a low-level driver, the functions related to inter-process communication;
Call event interception unit, for intercepting the corresponding call event when it is detected that an operation on the browser process through a remote procedure call interface has triggered a call to one of these functions;
Call event parsing unit, for parsing the call event and identifying the process that initiated the call event;
Illegal process determining unit, for determining, by looking up a preset process list, whether the process that initiated the call event is an illegal process, the process list comprising a whitelist or a blacklist;
Call event rejecting unit, for rejecting the call event when the process is determined to be an illegal process.
As can be seen from the above, in the embodiments of the present application, after it is detected that the user has started the login operation mode or payment operation mode, security monitoring is performed on the user's login process or payment process according to a security policy set in advance. With the embodiments of the present application, while the client user is logging in or paying online, the login process or payment process can be protected by several security policies dedicated to safeguarding that process; dangerous process interception, executable file prompting, browser call monitoring and the like ensure the user's network security during login or payment.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of the first embodiment of the method of the present application for ensuring user network security;
Fig. 2 is a flowchart of the second embodiment of the method of the present application for ensuring user network security;
Fig. 3 is a flowchart of the third embodiment of the method of the present application for ensuring user network security;
Fig. 4 is a flowchart of the fourth embodiment of the method of the present application for ensuring user network security;
Fig. 5 is a block diagram of an embodiment of the client of the present application.
Detailed description
The following embodiments of the present invention provide a method and client for ensuring user network security.
To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments more apparent, the technical solutions in the embodiments are described in further detail below with reference to the drawings.
Referring to Fig. 1, which is a flowchart of the first embodiment of the method of the present application for ensuring user network security:
Step 101: monitor whether the user starts a login operation mode or a payment operation mode through the client.
The embodiment of the present application applies in particular while the user makes an online payment through the client: it detects whether the user has opened a payment page through the client, so that user information is not leaked during payment and the security of online payment is improved. Specifically, it is monitored whether the user starts the login operation mode or payment operation mode through the client browser.
Step 102: after it is detected that the user has started the login operation mode or payment operation mode, perform security monitoring on the user's login process or payment process according to a security policy set in advance.
Here, the security policy is a security policy set in advance for the login operation mode or the payment operation mode.
The client can monitor dangerous processes during the login process or payment process by means of a preset process list; or monitor executable files transferred during the login process or payment process by means of a preset list of safe executable files; or monitor calls made to the browser during the login process or payment process; or monitor calls that access keyboard input content during the login process or payment process; or monitor the objects to which the client transmits data during the login process or payment process, for example, when it is detected that the client is transmitting login- or payment-related data to an object unrelated to the login process or payment process, the transmitted data object should be intercepted; or monitor the web pages opened during the login process or payment process, for example, during login or payment the payment page the user opens may be one forged by a malicious third party to resemble the real payment page, so the opened web pages need to be monitored.
It should be noted that the six ways of executing the security policy listed above can run in parallel throughout the monitoring, or at least one of them can be selected and executed as needed; the embodiments of the present application place no limit on this.
Referring to Fig. 2, which is a flowchart of the second embodiment of the method of the present application for ensuring user network security. Taking online payment as an example, this embodiment shows how dangerous processes are monitored:
Step 201: monitor the user's operations on the client.
Step 202: judge from the monitoring result whether the user has started an online payment; if so, go to step 203; otherwise, return to step 201.
A list of payment websites can be stored on the client in advance. When it is detected that the user has opened the browser, the URL (Uniform/Universal Resource Locator, the web page address) of the page the browser is visiting is obtained and compared with the payment website URLs in the payment website list; if a matching URL is found, it can be confirmed that the user has entered a payment page and started an online payment.
Step 203: look up the preset whitelist for the process that has currently been started.
The whitelist stores safe processes that have been confirmed to pose no threat to the system, so these processes need not be intercepted.
The whitelist is generally stored locally, so the whitelist lookup is accordingly performed locally. Further, this can be combined with cloud-based scanning: while the current process is running, the client connects to a cloud server and checks whether the current process is a safe process against the multiple whitelists that already exist on the network.
Multiple processes may be started during the whole online payment; after each process starts, it is treated as the current process and the whitelist lookup is performed on it.
Step 204: judge whether the current process is found in the whitelist; if so, go to step 205; otherwise, go to step 206.
Step 205: intercept the current process as a dangerous process.
A process that is not in the whitelist can be intercepted directly as a dangerous process; alternatively, the user can be prompted and can choose whether to allow the process to execute or to stop its execution. For processes that are not in the whitelist, the user can be offered functions that restrict their execution, including but not limited to freezing the process, isolating the process and terminating the process.
This embodiment uses the whitelist lookup as the example to show how dangerous processes are intercepted. In practice a blacklist can also be preset; when the current process is found in the blacklist, it is intercepted as a dangerous process. For a process that is in neither the whitelist nor the blacklist, the user can be prompted to choose whether to stop the process, which guards against dangerous processes that may exist among unknown processes.
Step 206: judge whether the user has finished the online payment; if so, end the flow; otherwise, return to step 203.
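The payment-start check of step 202 can be sketched as follows. This is an added example, not code from the patent: the payment site list is constructed, the names `normalize`, `is_payment_page` and `PaymentModeMonitor` are hypothetical, and treating navigation away from a listed site as the end of payment (step 206) is an assumption. It compares scheme, host, port and path boundary rather than raw strings, so a lookalike address is not taken for a listed payment site.

```python
from urllib.parse import urlsplit

# Constructed payment-site list; the hostnames are placeholders, not from the patent.
PAYMENT_SITES = (
    "https://pay.example-bank.test/checkout",
    "https://cashier.example-shop.test/",
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url):
    """Reduce a URL to (scheme, host, port, path), or None if it is unusable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # .hostname excludes any "user@" prefix, so userinfo cannot pose as the host
    host = parts.hostname.rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")  # compare IDNs in ASCII form
    except UnicodeError:
        return None
    if not host:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, host, port, parts.path or "/"


def path_within(path, prefix):
    """True if path equals prefix or lies below it on a '/' boundary."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")


def is_payment_page(url, sites=PAYMENT_SITES):
    """Step 202: does the visited URL match an entry of the payment site list?"""
    seen = normalize(url)
    if seen is None:
        return False
    for site in sites:
        ref = normalize(site)
        if ref and seen[:3] == ref[:3] and path_within(seen[3], ref[3]):
            return True
    return False


class PaymentModeMonitor:
    """Tracks when payment starts (step 202) and ends (step 206, assumed rule)."""

    def __init__(self, sites=PAYMENT_SITES):
        self.sites = sites
        self.in_payment = False

    def on_navigation(self, url):
        """Return 'start', 'end' or None for each page the browser visits."""
        now = is_payment_page(url, self.sites)
        if now and not self.in_payment:
            self.in_payment = True
            return "start"  # security monitoring begins (step 203 onward)
        if not now and self.in_payment:
            self.in_payment = False
            return "end"    # assumption: leaving the listed site ends payment
        return None


if __name__ == "__main__":
    monitor = PaymentModeMonitor()
    for visited in (
        "https://news.example.test/",
        "https://PAY.example-bank.test:443/checkout/step2",
        "https://pay.example-bank.test.evil.test/checkout",
    ):
        print(visited, "->", monitor.on_navigation(visited))
```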
Referring to Fig. 3, which is a flowchart of the third embodiment of the method of the present application for ensuring user network security. Taking online payment as an example, this embodiment shows how executable files received during a secure payment are monitored by means of a preset list of safe executable files:
Step 301: monitor the user's operations on the client.
Step 302: judge from the monitoring result whether the user has started an online payment; if so, go to step 303; otherwise, return to step 301.
A list of payment websites can be stored on the client in advance. When it is detected that the user has opened the browser, the URL of the page the browser is visiting is obtained and compared with the payment website URLs in the payment website list; if a matching URL is found, it can be confirmed that the user has entered a payment page and started an online payment.
Step 303: judge whether the client has received an executable file; if so, go to step 304; otherwise, return to step 303.
During online payment the user may receive executable files (for example, files with the suffix .exe) sent by a third party. Some of these executable files are files needed during payment, and some are dangerous files that a malicious third party sends to the user. Such files may reach the user's terminal device in several ways: transferred through instant messaging software, downloaded by the user under inducement, propagated by illegal means such as planted trojans or viruses, transferred by download or sharing, or copied from a removable storage device.
Executable files can be detected by monitoring the user's instant messaging software, browser and so on, or detected in real time as a file is downloaded to the local machine; in addition, an executable file can also be detected by the system when it starts to run and after it has started running.
Step 304: look up the preset list of safe executable files.
The list of safe executable files can record the size of the file, the time of the file, the MD5 information of the file, the signature of the file, and so on.
The list of safe executable files can take the form of a whitelist, in which all safe executable files are stored; or the form of a blacklist, in which dangerous executable files are stored; or the form of behavior features, in which all safe behavior features are recorded. In the last case, after an executable file is received, the behavior features in the executable file are extracted and it is judged whether they match the recorded safe behavior features; a file that matches the safe behavior features can be confirmed as a safe executable file.
Step 305: judge whether the received executable file is found in the executable file list; if so, go to step 306; otherwise, go to step 307.
Step 306: output selection information asking the user to choose whether to run the executable file.
Step 307: judge whether the user has finished the online payment; if so, end the flow; otherwise, return to step 303.
Besides monitoring executable files that have been received during a secure payment, as shown in the above embodiment, executable files that the client is about to receive, or is in the course of receiving, can also be monitored. Specifically, when it is detected that the client is about to receive an executable file, the preset list of safe executable files is looked up; if the executable file is not found in the list, it is determined to be a suspicious file and selection information is output asking the user to choose whether to receive it. When it is detected that the client is in the course of receiving an executable file, the preset list of safe executable files is looked up; if the executable file is not found in the list, it is determined to be a suspicious file and selection information is output asking the user to choose whether to continue receiving it.
Referring to Fig. 4, which is a flowchart of the fourth embodiment of the method of the present application for ensuring user network security. Taking online payment as an example, this embodiment shows how calls made to the browser during a secure payment are monitored:
Step 401: monitor the user's operations on the client.
Step 402: judge from the monitoring result whether the user has started an online payment; if so, go to step 403; otherwise, return to step 401.
A list of payment websites can be stored on the client in advance. When it is detected that the user has opened the browser, the URL of the page the browser is visiting is obtained and compared with the payment website URLs in the payment website list; if a matching URL is found, it can be confirmed that the user has entered a payment page and started an online payment.
Step 403: monitor, through a low-level driver, the functions related to inter-process communication.
For online payment, the inter-process communication functions monitored by the low-level driver can include the following example API (Application Programming Interface) functions:
NtAlpcSendWaitReceivePort 
NtRequestWaitReplyPort 
NtRequestPort 
Step 404: judge whether a call to one of these functions, triggered by an operation on the browser process through a remote procedure call interface, has been detected; if so, go to step 405; otherwise, return to step 403.
When a program tries to call the inter-process communication functions, it can operate an interface of the browser process through a remote procedure call interface (for example, a COM interface). When this operation attempts to control the URL or the page content of the browser process, the corresponding function call event can be detected, and the triggered function call is then intercepted.
Step 405: intercept the corresponding call event, parse the call event, and identify the process that initiated it.
The intercepted call event is a function call event; the function called is generally one invoked during RPC (Remote Procedure Call). The called function is then parsed. For example, if the called function is NtRequestWaitReplyPort, the related parameters parsed out can include RequestMessage, PortHandle and so on.
When filtering function calls triggered by operating the browser process through the remote procedure call interface, consider for example a process A that tries to operate browser process B so that it jumps to a malicious URL C, in order to hijack the online purchase during online payment. Process A connects to the remote procedure call interface of browser process B and produces a port handle (PortHandle). It then packs information such as the sequence number of the call to be made and the redirect URL into the RequestMessage parameter of the function NtRequestWaitReplyPort, where RequestMessage is a buffer address. Finally it calls the NtRequestWaitReplyPort API function, which sends the jump request to the remote procedure call port of browser process B and so manipulates the redirect. In this embodiment the function NtRequestWaitReplyPort is intercepted and monitored; the call sequence number, the redirect URL and other information of the called function are parsed and restored from the buffer of the RequestMessage parameter; this information is identified as a browser-operation call event; and process A, which triggered the browser call event, is obtained.
Step 406: look up the preset process list.
After process A, which triggered the browser call event, has been obtained, the process ID of this process, its execution path, the file information of the corresponding file and so on can be obtained. The corresponding file is obtained according to the execution path and a digest of the file is computed, yielding Hash information that uniquely represents the file.
The process list can take the form of a whitelist or a blacklist. When a whitelist is used, it contains the Hash information of the files corresponding to all safe processes. The Hash information of the obtained process is compared with the Hash information in the whitelist; if a matching entry exists, the obtained process is a safe process and need not be intercepted. If a blacklist also exists, a process whose Hash information matches an entry in the blacklist is intercepted and an alarm is raised. A process whose Hash information is in neither the whitelist nor the blacklist can be intercepted and a prompt sent to the user.
Step 407: judge from the lookup result whether this process is an illegal process; if so, go to step 408; otherwise, go to step 409.
Step 408: reject the call event.
Step 409: judge whether the user has finished the online payment; if so, end the flow; otherwise, return to step 403.
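The lookup of steps 406 to 408 can be sketched as follows. This is an added example, not code from the patent: the `BrowserCallEvent` record, the function names and the sample files are constructed, SHA-256 is an assumed choice of digest (the text only says "Hash information"), and giving the blacklist precedence when a digest appears in both lists is an assumption. Because the verdict depends on the file content found at the execution path, a program that merely carries a trusted file name is still treated as unknown.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow the call"
    REJECT_AND_ALERT = "reject the call and raise an alarm"
    INTERCEPT_AND_PROMPT = "intercept the call and prompt the user"


@dataclass(frozen=True)
class BrowserCallEvent:
    """Hypothetical record of what step 405 recovers from an intercepted call."""
    caller_pid: int
    caller_path: str  # execution path of the initiating process
    target_url: str   # redirect URL parsed from the request


def file_digest(path, chunk_size=65536):
    """SHA-256 of the file at path (assumed digest), or None if unreadable."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(chunk_size), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def judge(event, whitelist, blacklist):
    """Steps 406-408: decide what to do with the process behind a call event."""
    digest = file_digest(event.caller_path)
    if digest is None:
        # The file cannot be hashed, so nothing vouches for the caller.
        return Verdict.INTERCEPT_AND_PROMPT
    if digest in blacklist:  # assumption: blacklist wins over whitelist
        return Verdict.REJECT_AND_ALERT
    if digest in whitelist:
        return Verdict.ALLOW
    return Verdict.INTERCEPT_AND_PROMPT  # in neither list


def build_constructed_samples(directory):
    """Write stand-in 'executables'; return (paths, whitelist, blacklist)."""
    contents = {
        "bank_helper.exe": b"constructed trusted helper",
        "hijacker.exe": b"constructed known-bad program",
        # Same file name as the trusted helper, different content.
        "renamed/bank_helper.exe": b"constructed unknown program",
    }
    paths = {}
    for name, data in contents.items():
        full = os.path.join(directory, *name.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
        paths[name] = full
    whitelist = {hashlib.sha256(contents["bank_helper.exe"]).hexdigest()}
    blacklist = {hashlib.sha256(contents["hijacker.exe"]).hexdigest()}
    return paths, whitelist, blacklist


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        paths, allow, deny = build_constructed_samples(workdir)
        for pid, (name, path) in enumerate(paths.items(), start=1000):
            event = BrowserCallEvent(pid, path, "https://shop.example.test/")
            print(name, "->", judge(event, allow, deny).value)
```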
As seen from the above-described embodiment; when client user carries out register; in particularly on-line payment process; can carry out safeguard protection to payment process by multiple security strategy; by dangerous process is tackled, executable file is pointed out and browser is called and monitored etc., guarantee the internet security of user in login process. 
The embodiment of method that guarantees user network fail safe with the application is corresponding, and the application also provides the embodiment of client. 
Referring to Fig. 5, it is the embodiment block diagram of the application's client. 
This client comprises: monitoring means 510 and monitoring unit 520. 
Wherein, whether monitoring means 510, open register pattern or delivery operation pattern by client for monitor user ';
Monitoring unit 520, for opening after register pattern or delivery operation pattern when monitoring user, the login process according to the security strategy setting in advance to user or payment process carry out security monitoring. 
Wherein, described security strategy is the security strategy that ensures described login process or payment process that is exclusively used in setting in advance; Whether described monitoring means 510, open register pattern or delivery operation pattern by client browser specifically for monitor user '. 
Wherein, monitoring unit 520 can comprise at least one following unit (not shown in Fig. 5):
Dangerous process monitoring unit, monitors the dangerous process of login process or payment process for the process list by default;
Executable file monitoring unit, executable file login process or payment process being transmitted for the executable file list of the safety by default is monitored;
Browser calls monitoring unit, monitors for the browser behavior of calling to login process or payment process;
Input content calls monitoring unit, monitors for the calling of keyboard input content to login process or payment process;
Data object monitoring unit, for monitoring the data object of login process or payment process client transmissions;
Webpage monitoring unit, monitors for the webpage that login process or payment process are opened. 
Specifically, the dangerous process monitoring unit may comprise at least one of the following units:
Whitelist interception unit, configured to preset a whitelist, obtain the current process in the login process or payment process, and, when the current process is not found in the whitelist, intercept the current process as a dangerous process;
Blacklist interception unit, configured to preset a blacklist, obtain the current process in the login process or payment process, and, when the current process is found in the blacklist, intercept the current process as a dangerous process.
Specifically, the executable file monitoring unit may comprise at least one of the following units:
First executable file monitoring unit, configured to look up the preset list of safe executable files when it is detected that the client is preparing to receive an executable file; if the executable file is not found in the list, determine that it is a suspicious file and output a prompt asking the user to choose whether to receive the executable file;
Second executable file monitoring unit, configured to look up the preset list of safe executable files when it is detected that the client is in the course of receiving an executable file; if the executable file is not found in the list, determine that it is a suspicious file and output a prompt asking the user to choose whether to continue receiving the executable file;
Third executable file monitoring unit, configured to look up the preset list of safe executable files when it is detected that the client runs an executable file; if the executable file is not found in the list, determine that it is a suspicious file and output a prompt asking the user to choose whether to run the executable file.
Specifically, the browser call monitoring unit may comprise:
Function monitoring unit, configured to monitor, through an underlying driver, the functions related to inter-process communication;
Call event interception unit, configured to intercept the corresponding call event when it is detected that an operation on the browser process through a remote procedure call interface has triggered a call to one of the related functions;
Call event parsing unit, configured to parse the call event and identify the process that initiated it;
Illegal process determining unit, configured to determine whether the process that initiated the call event is an illegal process by looking it up in a preset process list, the process list comprising a whitelist or a blacklist;
Call event rejection unit, configured to reject the call event when the process is determined to be an illegal process.
As the above description of the embodiments shows, in the embodiments of the present application, once it is detected that the user has started the login operation mode or the payment operation mode, security monitoring is performed on the user's login process or payment process according to a preset security policy. With the embodiments of the present application, while the client user is logging in or paying online, the login process or payment process can be protected by multiple security policies dedicated to protecting it; dangerous process interception, executable file prompting, browser call monitoring and the like ensure the user's network security during the login process or payment process.
Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented by software plus the necessary general-purpose hardware platform. On this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. This computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and comprises instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to carry out the method described in the embodiments of the present invention or in certain parts of them.
The embodiments in this specification are described progressively: identical or similar parts of the embodiments can be cross-referenced, and each embodiment focuses on what distinguishes it from the others. In particular, because the system embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the description of the method embodiment.
The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (9)

1. A method for ensuring user network security, characterized by comprising:
Monitoring whether the user starts a login operation mode or a payment operation mode through the client: after it is detected that the user has opened a browser, obtaining the URL of the page the browser is accessing and comparing the obtained URL with the payment website URLs in a payment website list; if a matching URL is found, confirming that the user has entered a payment page and started online payment;
Once it is detected that the user has started the login operation mode or the payment operation mode, performing security monitoring on the user's login process or payment process according to a preset security policy,
Obtaining the process that triggered a browser call event, and obtaining the process ID, the execution path of the process and the file information of the corresponding file; obtaining the corresponding file according to the execution path and computing a digest of the file to obtain hash information that uniquely represents the file,
Presetting a whitelist and obtaining the current process in the login process or payment process, the whitelist storing the hash information of the files corresponding to safe processes; comparing the hash information of the obtained process with the hash information in the whitelist; if matching hash information exists, the obtained process is a safe process and need not be intercepted; or,
Presetting a blacklist and obtaining the current process in the login process or payment process; intercepting, and raising an alarm for, any process whose hash information matches hash information in the blacklist, the current process being intercepted as a dangerous process; and, for a process whose hash information is in neither the whitelist nor the blacklist, intercepting the process and sending a prompt to the user.
2. The method according to claim 1, characterized in that the security policy is a preset security policy dedicated to protecting the login process or payment process;
The monitoring of whether the user starts a login operation mode or a payment operation mode through the client is specifically: monitoring whether the user starts the login operation mode or the payment operation mode through the client browser.
3. The method according to claim 1, characterized in that performing security monitoring on the user's login process or payment process according to the preset security policy comprises at least one of the following:
Monitoring dangerous processes during the login process or payment process by means of a preset process list;
Monitoring executable files transferred during the login process or payment process by means of a preset list of safe executable files;
Monitoring browser call behavior during the login process or payment process;
Monitoring calls to keyboard input content during the login process or payment process;
Monitoring data objects transferred by the client during the login process or payment process;
Monitoring web pages opened during the login process or payment process.
4. The method according to claim 3, characterized in that monitoring the executable files transferred during the login process or payment process by means of the preset list of safe executable files comprises:
When it is detected that the client is preparing to receive an executable file, looking up the preset list of safe executable files; if the executable file is not found in the list, determining that it is a suspicious file and outputting a prompt asking the user to choose whether to receive the executable file; or
When it is detected that the client is in the course of receiving an executable file, looking up the preset list of safe executable files; if the executable file is not found in the list, determining that it is a suspicious file and outputting a prompt asking the user to choose whether to continue receiving the executable file; or
When it is detected that the client runs an executable file, looking up the preset list of safe executable files; if the executable file is not found in the list, determining that it is a suspicious file and outputting a prompt asking the user to choose whether to run the executable file.
5. The method according to claim 3, characterized in that monitoring the browser call behavior during the login process or payment process comprises:
Monitoring, through an underlying driver, the functions related to inter-process communication;
When it is detected that an operation on the browser process through a remote procedure call interface has triggered a call to one of the related functions, intercepting the corresponding call event;
Parsing the call event and identifying the process that initiated it;
Determining whether the process that initiated the call event is an illegal process by looking it up in a preset process list, the process list comprising a whitelist or a blacklist;
When the process is determined to be an illegal process, rejecting the call event.
6. A client, characterized by comprising:
Monitoring means, configured to monitor whether the user starts a login operation mode or a payment operation mode through the client: after it is detected that the user has opened a browser, obtaining the URL of the page the browser is accessing and comparing the obtained URL with the payment website URLs in a payment website list; if a matching URL is found, confirming that the user has entered a payment page and started online payment;
Monitoring unit, configured to perform, once it is detected that the user has started the login operation mode or the payment operation mode, security monitoring on the user's login process or payment process according to a preset security policy; to obtain the process that triggered a browser call event, and obtain the process ID, the execution path of the process and the file information of the corresponding file; and to obtain the corresponding file according to the execution path and compute a digest of the file to obtain hash information that uniquely represents the file;
Whitelist interception unit, configured to preset a whitelist and obtain the current process in the login process or payment process, the whitelist storing the hash information of the files corresponding to safe processes; and to compare the hash information of the obtained process with the hash information in the whitelist; if matching hash information exists, the obtained process is a safe process and need not be intercepted;
Blacklist interception unit, configured to preset a blacklist and obtain the current process in the login process or payment process; to intercept, and raise an alarm for, any process whose hash information matches hash information in the blacklist, the current process being intercepted as a dangerous process; and, for a process whose hash information is in neither the whitelist nor the blacklist, to intercept the process and send a prompt to the user.
7. The client according to claim 6, characterized in that the security policy is a preset security policy dedicated to protecting the login process or payment process;
The monitoring means is specifically configured to monitor whether the user starts the login operation mode or the payment operation mode through the client browser.
8. The client according to claim 6, characterized in that the monitoring unit comprises at least one of the following units:
Dangerous process monitoring unit, configured to monitor dangerous processes during the login process or payment process by means of a preset process list;
Executable file monitoring unit, configured to monitor executable files transferred during the login process or payment process by means of a preset list of safe executable files;
Browser call monitoring unit, configured to monitor browser call behavior during the login process or payment process;
Input content call monitoring unit, configured to monitor calls to keyboard input content during the login process or payment process;
Data object monitoring unit, configured to monitor data objects transferred by the client during the login process or payment process;
Web page monitoring unit, configured to monitor web pages opened during the login process or payment process.
9. The client according to claim 8, characterized in that the executable file monitoring unit comprises at least one of the following units:
First executable file monitoring unit, configured to look up the preset list of safe executable files when it is detected that the client is preparing to receive an executable file; if the executable file is not found in the list, determine that it is a suspicious file and output a prompt asking the user to choose whether to receive the executable file;
Second executable file monitoring unit, configured to look up the preset list of safe executable files when it is detected that the client is in the course of receiving an executable file; if the executable file is not found in the list, determine that it is a suspicious file and output a prompt asking the user to choose whether to continue receiving the executable file;
Third executable file monitoring unit, configured to look up the preset list of safe executable files when it is detected that the client runs an executable file; if the executable file is not found in the list, determine that it is a suspicious file and output a prompt asking the user to choose whether to run the executable file.
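The whitelist/blacklist decision of claims 1 and 6, together with the payment-page check that switches monitoring on, as an added Python example that is not part of the patent. SHA-256 as the digest, exact host-name matching, consulting the blacklist first, and all names and sample data are assumptions made here.

```python
import hashlib
import os
import tempfile
from enum import Enum
from urllib.parse import urlsplit


class Verdict(Enum):
    ALLOW = "allow"                    # digest is on the whitelist
    BLOCK_AND_ALERT = "block+alert"    # digest is on the blacklist
    BLOCK_AND_PROMPT = "block+prompt"  # digest is on neither list


def file_digest(path, chunk_size=65536):
    """Digest of the file behind a process. SHA-256 is an assumption; the claims
    only require a digest that uniquely represents the file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_payment_page(url, payment_hosts):
    """Payment mode starts when the visited URL matches the payment-site list.
    Assumption: the match is on the exact host name, so a look-alike host that
    merely contains a listed name does not count."""
    host = urlsplit(url).hostname  # lower-cased by urlsplit; None if no host
    return host is not None and host in payment_hosts


def classify(exec_path, whitelist, blacklist):
    """Three-way decision of claims 1 and 6 for the process at exec_path. The
    blacklist is consulted first (a choice made here) so overlaps fail closed."""
    try:
        digest = file_digest(exec_path)
    except OSError:
        # File missing or unreadable: no digest, so it cannot be on the whitelist.
        return Verdict.BLOCK_AND_PROMPT
    if digest in blacklist:
        return Verdict.BLOCK_AND_ALERT
    if digest in whitelist:
        return Verdict.ALLOW
    return Verdict.BLOCK_AND_PROMPT


def monitor(url, exec_path, payment_hosts, whitelist, blacklist):
    """Apply the policy only while the user is on a payment page; else None."""
    if not is_payment_page(url, payment_hosts):
        return None
    return classify(exec_path, whitelist, blacklist)


def demo():
    """Classify constructed files, then tamper with the whitelisted one."""
    with tempfile.TemporaryDirectory() as d:
        bodies = {"helper.bin": b"trusted helper (constructed)",
                  "injector.bin": b"known-bad sample (constructed)",
                  "unknown.bin": b"never seen before (constructed)"}
        paths = {name: os.path.join(d, name) for name in bodies}
        for name, body in bodies.items():
            with open(paths[name], "wb") as f:
                f.write(body)
        whitelist = {file_digest(paths["helper.bin"])}
        blacklist = {file_digest(paths["injector.bin"])}
        results = [classify(paths[n], whitelist, blacklist) for n in bodies]
        # Same path and name, one byte appended: the digest no longer matches.
        with open(paths["helper.bin"], "ab") as f:
            f.write(b"\x00")
        results.append(classify(paths["helper.bin"], whitelist, blacklist))
        # Path that does not exist: handled as unknown.
        results.append(classify(os.path.join(d, "gone.bin"), whitelist, blacklist))
        return results


if __name__ == "__main__":
    print([v.value for v in demo()])
```

Because the lookup key is the file digest rather than the path or process name, the modified copy of the whitelisted file in `demo()` drops to the prompt outcome even though its path is unchanged.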
CN201310472912.4A 2011-04-18 2011-04-18 Method for ensuring user network security and client Pending CN103795703A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310472912.4A CN103795703A (en) 2011-04-18 2011-04-18 Method for ensuring user network security and client

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310472912.4A CN103795703A (en) 2011-04-18 2011-04-18 Method for ensuring user network security and client

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201110097169XA Division CN102164138A (en) 2011-04-18 2011-04-18 Method for ensuring network security of user and client

Publications (1)

Publication Number Publication Date
CN103795703A true CN103795703A (en) 2014-05-14

Family

ID=50670991

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310472912.4A Pending CN103795703A (en) 2011-04-18 2011-04-18 Method for ensuring user network security and client

Country Status (1)

Country Link
CN (1) CN103795703A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140514
