Method and device for defending against document overflow
Technical field
The present invention relates to the field of information security technology, and in particular to a method and device for defending against document overflow.
Background technology
With the rapid development of computer and information technology, informatization has been applied widely in all trades and professions. For enterprises and institutions, electronic documents have become the main information carrier in company operations. At this stage, a large part of phishing attacks, social engineering attacks and spear-phishing attacks are propagated with documents as the carrier, and some users will click on and open problem documents, causing leakage of enterprise or personal information and even economic loss.
At present, enterprises and institutions still have certain shortcomings in the protection of these electronic documents, and existing security software and security products cannot fully solve the security problem of documents. This is mainly reflected in the poor security awareness of staff: when confronted with advanced social engineering attacks or phishing attacks, they can still be induced to open the document.
Summary of the invention
The technical solution of the present invention monitors system operations and the behavior of the document itself after the document is opened, and blocks suspicious operation behavior in time when it is found, so as to prevent a problem document from infecting the system; meanwhile, by generating a system snapshot before the document is opened and restoring the system snapshot after the document is closed, the harm caused to the system while the document is open can be effectively defended against.
The present invention is realized by the following method: a method for defending against document overflow, comprising:
generating a system snapshot of the running state in real time, and stopping snapshot generation when a document opening operation is found to exist;
monitoring system operations while the document is open; when an application program launch request is found, extracting the basic information of the application program and matching it against a trusted application library; if the match succeeds, allowing the launch operation, otherwise blocking the launch operation;
monitoring the behavior operations while the document is open and generating a behavior record; judging whether suspicious behavior exists; if so, blocking the suspicious behavior, otherwise continuing monitoring;
when a document closing operation is found, stopping all monitoring behavior and restoring the system snapshot generated before the document opening operation.
Further, the step of extracting the basic information of the application program and matching it against the trusted application library, allowing the launch operation if the match succeeds and otherwise blocking the launch operation, is replaced with: querying the system snapshot generated before the document opening operation, and judging whether the basic information of the application program is present in the system snapshot; if present, allowing the launch operation, otherwise blocking the launch operation.
Further, the suspicious behavior comprises: dropping (releasing) files, injection behavior, modifying the registry, hooking, or shellcode.
Further, the basic information comprises: name, hash value, or call relationship.
The present invention can be realized by the following device: a device for defending against document overflow, comprising:
a snapshot generation module, for generating a system snapshot of the running state in real time, and stopping snapshot generation when a document opening operation is found to exist;
a system monitoring module, for monitoring system operations while the document is open; when an application program launch request is found, extracting the basic information of the application program and matching it against the trusted application library; if the match succeeds, allowing the launch operation, otherwise blocking the launch operation;
a document monitoring module, for monitoring the behavior operations while the document is open and generating a behavior record, judging whether suspicious behavior exists, blocking the suspicious behavior if so, and otherwise continuing monitoring;
a snapshot restore module, for stopping all monitoring behavior when a document closing operation is found, and restoring the system snapshot generated before the document opening operation;
a trusted application library, for storing the basic information of trusted applications.
Further, the step of extracting the basic information of the application program and matching it against the trusted application library, allowing the launch operation if the match succeeds and otherwise blocking the launch operation, is replaced with: querying the system snapshot generated before the document opening operation, and judging whether the basic information of the application program is present in the system snapshot; if present, allowing the launch operation, otherwise blocking the launch operation.
Further, the suspicious behavior comprises: dropping (releasing) files, injection behavior, modifying the registry, hooking, or shellcode.
Further, the basic information comprises: name, hash value, or call relationship.
In summary, the present invention provides a method and device for defending against document overflow. The device is started to defend the system only when a document opening operation is found to exist. Before the document opening operation, system snapshots are generated in real time; when a document opening operation is detected, system snapshot generation is halted; system operations are monitored, and if an application program not belonging to the trusted application library is found to be launching, it is blocked in time; the behavior operations of the document itself are monitored, and if preset suspicious behavior exists it is blocked in time; when a document closing operation is found, a restore operation is carried out with the system snapshot generated before the document was opened.
The beneficial effects are: the method and device of the present invention enter a protected state after the document is opened; in the protected state, no executable program other than those in the trusted application library can be executed, no process can be injected into an existing process, and no thread can be modified or newly added, nor other such operations performed, and once suspicious operation behavior is found it is blocked in time; after the document is closed, the monitoring behavior is stopped and a restore operation is carried out with the generated system snapshot, so that even if the document itself contains a vulnerability or any other security problem, the opening of the document cannot cause any harm to the system.
Brief description of the drawings
In order to illustrate the technical solution of the present invention more clearly, the drawings required in the embodiments are briefly described below. Obviously, the drawings described below are only some of the embodiments recorded in the present invention; for those of ordinary skill in the art, other drawings may also be obtained from these drawings without creative effort.
Fig. 1 is a flow chart of an embodiment of the method for defending against document overflow provided by the present invention;
Fig. 2 is a structural diagram of an embodiment of the device for defending against document overflow provided by the present invention.
Detailed description of the invention
The present invention provides embodiments of a method and device for defending against document overflow. In order that those skilled in the art may better understand the technical solution in the embodiments of the present invention, and that the above purposes, features and advantages of the present invention may become more apparent, the technical solution of the present invention is described in further detail below with reference to the drawings:
First, the present invention provides an embodiment of the method for defending against document overflow, which, as shown in Fig. 1, comprises:
S101: generating a system snapshot of the running state in real time, and stopping snapshot generation when a document opening operation is found to exist;
Here, the system snapshot is a snapshot generated of the startup items, registry, services, processes, threads and dynamic addresses existing in the system, and of the memory usage of each process or thread or the virtual memory usage;
S102: monitoring system operations while the document is open; when an application program launch request is found, extracting the basic information of the application program and matching it against the trusted application library; if the match succeeds, allowing the launch operation, otherwise blocking the launch operation. Here, the system operations can be, but are not limited to, related operations on processes, threads, services or the network; thus a suspect application program not loaded in the trusted application library cannot start running, and effective defense is realized;
S103: monitoring the behavior operations while the document is open and generating a behavior record; judging whether suspicious behavior exists; if so, blocking the suspicious behavior, otherwise continuing monitoring;
S104: when a document closing operation is found, stopping all monitoring behavior and restoring the system snapshot generated before the document opening operation.
Preferably, the step of extracting the basic information of the application program and matching it against the trusted application library, allowing the launch operation if the match succeeds and otherwise blocking the launch operation, is replaced with: querying the system snapshot generated before the document opening operation, and judging whether the basic information of the application program is present in the system snapshot; if present, allowing the launch operation, otherwise blocking the launch operation. Thus an application program that was not running before the document was opened, and whose launch is requested after the document is opened, is not allowed to start and is blocked in time.
Preferably, the suspicious behavior comprises: dropping (releasing) files, injection behavior, modifying the registry, hooking, or shellcode. Thus, if the document contains a vulnerability, shellcode or the like, the system will not be infected through the opening of the document.
More preferably, the basic information comprises: name, hash value, or call relationship.
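The following is an added worked example, not code from the patent, that models steps S101 to S104 and both launch-control variants in Python: a system snapshot that is refreshed only while no document is open, a trusted application library keyed by name and hash value, the alternative of using the frozen snapshot itself as the allowlist, a behavior record with the listed suspicious-behavior classes, and a restore of the pre-open snapshot on close. The `SystemState`, `DocumentGuard` and `run_scenario` names, the action labels in `SUSPICIOUS_ACTIONS`, and the constructed process, registry and event data are all assumptions of this example; the call-relationship part of the basic information is not modelled.

```python
import copy
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical action labels for the suspicious-behavior classes the text lists
# (file drop, injection, registry edit, hook, shellcode); not the patent's own identifiers.
SUSPICIOUS_ACTIONS = {"drop_file", "inject_process", "edit_registry", "hook", "shellcode"}


def app_hash(image_bytes: bytes) -> str:
    """Hash value that forms part of an application's 'basic information' (name + hash)."""
    return hashlib.sha256(image_bytes).hexdigest()


@dataclass
class SystemState:
    """Toy model of what the snapshot covers: running processes, registry, startup items."""
    processes: Dict[str, str] = field(default_factory=dict)   # process name -> image hash
    registry: Dict[str, str] = field(default_factory=dict)    # registry value name -> data
    startup_items: Set[str] = field(default_factory=set)


@dataclass
class DocumentGuard:
    trusted: Dict[str, str]                 # trusted application library: name -> image hash
    allowlist_from_snapshot: bool = False   # variant: allow only what the pre-open snapshot held
    snapshot: Optional[SystemState] = None
    document_open: bool = False
    behavior_record: List[Tuple[str, str]] = field(default_factory=list)
    blocked: List[str] = field(default_factory=list)

    def tick(self, state: SystemState) -> None:
        """S101: keep refreshing the snapshot while no document is open; freeze it once one is."""
        if not self.document_open:
            self.snapshot = copy.deepcopy(state)

    def on_document_open(self) -> None:
        """Document opened: enter the protected state (snapshotting stops via tick())."""
        self.document_open = True

    def on_launch_request(self, name: str, image_hash: str) -> bool:
        """S102: allow a launch only if (name, hash) is known; returns True when allowed."""
        if not self.document_open:
            return True
        if self.allowlist_from_snapshot:
            known = self.snapshot is not None and self.snapshot.processes.get(name) == image_hash
        else:
            known = self.trusted.get(name) == image_hash
        if not known:
            self.blocked.append(f"launch:{name}")
        return known

    def on_behavior(self, action: str, detail: str) -> bool:
        """S103: append to the behavior record; block the action if it is in the suspicious set."""
        if not self.document_open:
            return True
        self.behavior_record.append((action, detail))
        if action in SUSPICIOUS_ACTIONS:
            self.blocked.append(f"behavior:{action}:{detail}")
            return False
        return True

    def on_document_close(self, live: SystemState) -> SystemState:
        """S104: stop monitoring and return the system to the pre-open snapshot."""
        self.document_open = False
        return copy.deepcopy(self.snapshot) if self.snapshot is not None else live


def run_scenario(allowlist_from_snapshot: bool = False) -> dict:
    """Constructed scenario: an opened document drops a file, requests two launches and edits the registry."""
    trusted = {"winword.exe": app_hash(b"word-image"), "calc.exe": app_hash(b"calc-image")}
    guard = DocumentGuard(trusted=trusted, allowlist_from_snapshot=allowlist_from_snapshot)
    live = SystemState(processes={"winword.exe": trusted["winword.exe"]},
                       registry={"Run\\Updater": "C:\\updater.exe"}, startup_items={"explorer"})
    guard.tick(live)                      # snapshot taken while idle (constructed state)
    guard.on_document_open()
    guard.tick(live)                      # ignored: snapshot generation stopped at open
    guard.on_behavior("read_file", "report.docx")          # benign, recorded only
    drop_ok = guard.on_behavior("drop_file", "C:\\Temp\\a.exe")
    calc_ok = guard.on_launch_request("calc.exe", trusted["calc.exe"])       # in library, not in snapshot
    dropped_ok = guard.on_launch_request("a.exe", app_hash(b"dropped-image"))  # unknown binary
    live.registry["Run\\Evil"] = "C:\\Temp\\a.exe"          # change that reached the live system
    reg_ok = guard.on_behavior("edit_registry", "Run\\Evil")
    restored = guard.on_document_close(live)
    return {"drop_allowed": drop_ok, "calc_allowed": calc_ok, "dropped_exe_allowed": dropped_ok,
            "registry_edit_allowed": reg_ok, "registry_restored": "Run\\Evil" not in restored.registry,
            "record_len": len(guard.behavior_record), "blocked": list(guard.blocked)}


if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(allowlist_from_snapshot=True))
```

Running `run_scenario()` shows the library variant allowing `calc.exe` (its name and hash are in the trusted library) while the snapshot variant blocks it, because it was not running before the document was opened; in both variants the dropped file, the unknown launch and the registry edit are blocked and recorded, and the restored state no longer contains the added `Run` value. The matching on a (name, hash) pair rather than on the name alone is what prevents a dropped binary from being accepted simply by reusing a trusted name.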
The present invention also provides an embodiment of a device for defending against document overflow, which, as shown in Fig. 2, comprises:
a snapshot generation module 201, for generating a system snapshot of the running state in real time, and stopping snapshot generation when a document opening operation is found to exist;
a system monitoring module 202, for monitoring system operations while the document is open; when an application program launch request is found, extracting the basic information of the application program and matching it against the trusted application library 205; if the match succeeds, allowing the launch operation, otherwise blocking the launch operation;
a document monitoring module 203, for monitoring the behavior operations while the document is open and generating a behavior record, judging whether suspicious behavior exists, blocking the suspicious behavior if so, and otherwise continuing monitoring;
a snapshot restore module 204, for stopping all monitoring behavior when a document closing operation is found, and restoring the system snapshot generated before the document opening operation;
a trusted application library 205, for storing the basic information of trusted applications.
Preferably, the step of extracting the basic information of the application program and matching it against the trusted application library, allowing the launch operation if the match succeeds and otherwise blocking the launch operation, is replaced with: querying the system snapshot generated before the document opening operation, and judging whether the basic information of the application program is present in the system snapshot; if present, allowing the launch operation, otherwise blocking the launch operation.
Preferably, the suspicious behavior comprises: dropping (releasing) files, injection behavior, modifying the registry, hooking, or shellcode.
More preferably, the basic information comprises: name, hash value, or call relationship.
As described above, the embodiments protect the document and defend the system against infection by generating a system snapshot before the document is opened and restoring the snapshot after the document is closed. When a document opening operation is found, system operations and document operations are monitored; if an attempt to launch some application program is found, it is judged whether the application program is in the trusted application library, and the launch is allowed if it is present and blocked otherwise; if the document itself is found to exhibit suspicious behavior, its execution is blocked.
In summary, traditional document vulnerability or malicious code detection methods judge whether a document contains a vulnerability or malicious code and remove it if so; the embodiments provided by the invention, by contrast, allow the user to open and browse documents in the system with confidence without being infected by any known or unknown threat. This places no excessive demand on the user's own security awareness, can effectively defend against APT attacks, phishing attacks and the like, and is suitable for enterprises or internal departments with special requirements for document security.
The above embodiments are intended to illustrate, not to limit, the technical solution of the present invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall be encompassed within the scope of the claims of the present invention.