CN105653939A - Document overflow preventing method and apparatus - Google Patents

Document overflow preventing method and apparatus

Info

Publication number
CN105653939A
Authority
CN
China
Prior art keywords
document
snapshot
application program
essential information
monitoring
Prior art date
Legal status
Granted
Application number
CN201510407302.5A
Other languages
Chinese (zh)
Other versions
CN105653939B (en)
Inventor
刘佳男
李柏松
Current Assignee
Antiy Technology Group Co Ltd
Original Assignee
Harbin Antiy Technology Co Ltd
Priority date
2015-07-13
Filing date
2015-07-13
Publication date
2016-06-08
Application filed by Harbin Antiy Technology Co Ltd
Priority to CN201510407302.5A
Publication of CN105653939A
Application granted
Publication of CN105653939B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and apparatus for defending against document overflow. The method comprises: generating a system snapshot in real time according to the system's operating conditions, and stopping snapshot generation when a document is found to be opened; monitoring system operations while the document is open and, when an application launch request is found, extracting the basic information of the application and matching it against a trusted application library, allowing the launch if the match succeeds and blocking it otherwise; monitoring behaviour operations while the document is open and generating a behaviour record to determine whether suspicious behaviour exists, blocking it if so and continuing to monitor otherwise; and, when a document closing operation is found, stopping all monitoring and restoring the system snapshot generated before the document was opened. The method effectively prevents malicious code carried by documents from infecting the system.

Description

Method and apparatus for defending against document overflow
Technical field
The present invention relates to the field of information security technology, and in particular to a method and apparatus for defending against document overflow.
Background technology
With the rapid development of computer and information technology, informatisation has been widely applied across all industries. For enterprises and institutions, electronic documents have become the main information carrier in day-to-day operations. At present most phishing attacks, social-engineering attacks and spear-phishing attacks use documents as their carrier, and some users will click on and open such problem documents, which leads to leakage of enterprise or personal information and even to economic loss.
Enterprises and institutions still have shortcomings in protecting these electronic documents, and existing security software and security products cannot fully solve the document security problem. This is mainly reflected in the poor security awareness of staff: advanced social-engineering and phishing attacks can still induce them to open the document.
Summary of the invention
The technical solution of the invention monitors, after a document has been opened, the behaviour of both system operations and the document itself, and blocks any suspicious operation as soon as it is found, so that a problem document cannot infect the system. At the same time, a system snapshot is generated before the document is opened and restored after the document is closed, which effectively defends against harm done to the system while the document was open.
The invention is realised by the following method: a method for defending against document overflow, comprising:
generating a system snapshot in real time according to the system's operating conditions, and stopping snapshot generation when a document opening operation is found;
monitoring system operations while the document is open and, when an application launch request is found, extracting the essential information of the application and matching it against a trusted application library; if the match succeeds, allowing the launch, otherwise blocking it;
monitoring behaviour operations while the document is open, generating a behaviour record and judging whether suspicious behaviour exists; if it does, blocking the suspicious behaviour, otherwise continuing to monitor;
when a document closing operation is found, stopping all monitoring and restoring the system snapshot generated before the document opening operation.
Further, the step of extracting the essential information of the application and matching it against the trusted application library, allowing the launch if the match succeeds and otherwise blocking it, may be replaced with: querying the system snapshot generated before the document opening operation and judging whether the essential information of the application is present in that snapshot; if so, allowing the launch, otherwise blocking it.
Further, the suspicious behaviour comprises: dropping files, injection, editing the registry, hooks or shellcode.
Further, the essential information comprises: name, hash value or call relation.
The invention may be realised by the following apparatus: an apparatus for defending against document overflow, comprising:
a snapshot generation module, for generating a system snapshot in real time according to the system's operating conditions and stopping snapshot generation when a document opening operation is found;
a system monitoring module, for monitoring system operations while the document is open and, when an application launch request is found, extracting the essential information of the application and matching it against a trusted application library; if the match succeeds, allowing the launch, otherwise blocking it;
a document monitoring module, for monitoring behaviour operations while the document is open, generating a behaviour record and judging whether suspicious behaviour exists; if it does, blocking the suspicious behaviour, otherwise continuing to monitor;
a snapshot restore module, for stopping all monitoring when a document closing operation is found and restoring the system snapshot generated before the document opening operation;
a trusted application library, for storing the essential information of trusted applications.
Further, the step of extracting the essential information of the application and matching it against the trusted application library, allowing the launch if the match succeeds and otherwise blocking it, may be replaced with: querying the system snapshot generated before the document opening operation and judging whether the essential information of the application is present in that snapshot; if so, allowing the launch, otherwise blocking it.
Further, the suspicious behaviour comprises: dropping files, injection, editing the registry, hooks or shellcode.
Further, the essential information comprises: name, hash value or call relation.
In summary, the invention provides a method and apparatus for defending against document overflow. The apparatus switches into its defensive protection state only when a document opening operation is found. Before the document is opened, a system snapshot is generated in real time; when a document opening operation is detected, snapshot generation stops; system operations are monitored, and any application launch that does not belong to the trusted application library is blocked in time; the behaviour of the document itself is monitored, and any predefined suspicious behaviour is blocked in time; when a document closing operation is found, the system snapshot generated before the document was opened is restored.
Beneficial effects: the method and apparatus of the invention enter the protection state after a document is opened. In the protection state no executable program outside the trusted application library can run; nothing can be injected into an existing process, no thread can be modified or added, and no similar operation can be performed, and any suspicious operation found is blocked in time. After the document is closed, monitoring stops and the generated system snapshot is restored, so that even if the document itself contains a vulnerability or any other security problem, opening it cannot cause any harm to the system.
Brief description of the drawings
To illustrate the technical solution of the invention more clearly, the drawings needed in the embodiments are briefly described below. Obviously, the drawings described below show only some of the embodiments recorded in the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the method for defending against document overflow provided by the invention;
Fig. 2 is a structural diagram of an embodiment of the apparatus for defending against document overflow provided by the invention.
Detailed description of the invention
The invention provides embodiments of a method and an apparatus for defending against document overflow. To help those skilled in the art understand the technical solution of the embodiments better, and to make the above purpose, features and advantages of the invention more apparent, the technical solution is described in further detail below with reference to the drawings.
The invention first provides an embodiment of the method for defending against document overflow which, as shown in Fig. 1, comprises:
S101: generating a system snapshot in real time according to the system's operating conditions, and stopping snapshot generation when a document opening operation is found;
here the system snapshot records the startup items, registry and services present in the system, its processes, threads and dynamic addresses, the memory usage of each process and thread, and the virtual memory usage;
S102: monitoring system operations while the document is open and, when an application launch request is found, extracting the essential information of the application and matching it against a trusted application library; if the match succeeds, allowing the launch, otherwise blocking it. The system operations may be, but are not limited to, operations related to processes, threads, services or the network; a suspect application that is not loaded in the trusted application library therefore cannot start, which achieves effective defence;
S103: monitoring behaviour operations while the document is open, generating a behaviour record and judging whether suspicious behaviour exists; if it does, blocking the suspicious behaviour, otherwise continuing to monitor;
S104: when a document closing operation is found, stopping all monitoring and restoring the system snapshot generated before the document opening operation.
Preferably, the step of extracting the essential information of the application and matching it against the trusted application library, allowing the launch if the match succeeds and otherwise blocking it, is replaced with: querying the system snapshot generated before the document opening operation and judging whether the essential information of the application is present in that snapshot; if so, allowing the launch, otherwise blocking it. Consequently, an application that was not running before the document was opened and requests to start after it is opened is not allowed to start and is blocked in time.
Preferably, the suspicious behaviour comprises: dropping files, injection, editing the registry, hooks or shellcode. Consequently, even if the document contains a vulnerability or shellcode, opening it does not infect the system.
More preferably, the essential information comprises: name, hash value or call relation.
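Steps S101 to S104, together with the preferred alternative of checking a launch request against the pre-open snapshot instead of the trusted application library, as a runnable simulation. This is an added example, not code from the patent or from Antiy; the class names, the simplified SystemState fields, the behaviour kinds, the name-to-hash layout of the trusted library, and the sample processes, registry key and file names are assumptions constructed for illustration. A real implementation would hook process creation and file and registry operations in the operating system rather than receive them as method calls.

```python
import copy
from dataclasses import dataclass, field

# Behaviour kinds the patent lists as suspicious while a document is open:
# dropping files, injection, registry edits, hooks and shellcode.
SUSPICIOUS_KINDS = {"drop_file", "inject", "registry_edit", "hook", "shellcode"}


@dataclass
class SystemState:
    """Facets of the system the snapshot covers (constructed, simplified)."""
    startup_items: set = field(default_factory=set)
    registry: dict = field(default_factory=dict)
    services: set = field(default_factory=set)
    processes: dict = field(default_factory=dict)  # pid -> (name, sha256)


class DocumentGuard:
    """S101-S104 as a state machine: snapshot while idle, monitor while a
    document is open, roll back to the pre-open snapshot on close.
    `library` is the trusted application library, name -> sha256 (assumed layout)."""

    def __init__(self, state, library, use_snapshot_rule=False):
        self.state = state
        self.library = library
        self.use_snapshot_rule = use_snapshot_rule  # the alternative to the library check
        self.snapshot = None
        self.document_open = False
        self.record = []  # behaviour record built while monitoring

    def tick(self):
        """S101: refresh the snapshot, but only while no document is open."""
        if not self.document_open:
            self.snapshot = copy.deepcopy(self.state)

    def open_document(self, name):
        self.tick()  # the last snapshot taken before monitoring starts
        self.document_open = True
        self.record.append(("open", name))

    def launch_request(self, pid, name, sha256):
        """S102: during the session an application may start only if it matches
        the trusted library or (snapshot rule) was already in the pre-open snapshot."""
        if not self.document_open:
            self.state.processes[pid] = (name, sha256)
            return "allowed"
        if self.use_snapshot_rule:
            trusted = (name, sha256) in self.snapshot.processes.values()
        else:
            trusted = self.library.get(name) == sha256
        verdict = "allowed" if trusted else "blocked"
        self.record.append(("launch", name, verdict))
        if trusted:
            self.state.processes[pid] = (name, sha256)
        return verdict

    def behavior(self, kind, detail):
        """S103: log every document behaviour and block the suspicious ones
        before they touch the system; the rest take effect (until the restore)."""
        if not self.document_open:
            return "allowed"
        verdict = "blocked" if kind in SUSPICIOUS_KINDS else "allowed"
        self.record.append((kind, detail, verdict))
        if verdict == "allowed" and kind == "add_startup_item":
            self.state.startup_items.add(detail)  # the one benign effect modelled
        return verdict

    def close_document(self):
        """S104: stop monitoring and restore the pre-open snapshot."""
        self.document_open = False
        self.state = copy.deepcopy(self.snapshot)
        record, self.record = self.record, []
        return record


def run_scenario(use_snapshot_rule=False):
    """Constructed scenario: a document opens, three launches are requested, the
    document tries a registry edit and adds a startup item, then it is closed."""
    state = SystemState(
        startup_items={"explorer.exe"},
        registry={"HKCU\\Software\\Example\\Run": ""},  # constructed key
        services={"Spooler"},
        processes={100: ("explorer.exe", "aa" * 32), 200: ("viewer.exe", "bb" * 32)},
    )
    library = {"viewer.exe": "bb" * 32, "helper.exe": "cc" * 32}
    guard = DocumentGuard(state, library, use_snapshot_rule)
    guard.tick()
    guard.open_document("invoice.doc")
    out = {
        "helper": guard.launch_request(300, "helper.exe", "cc" * 32),   # library only
        "viewer": guard.launch_request(301, "viewer.exe", "bb" * 32),   # library and snapshot
        "unknown": guard.launch_request(302, "updater.exe", "dd" * 32),  # neither
        "registry": guard.behavior("registry_edit", "HKCU\\Software\\Example\\Run"),
        "startup": guard.behavior("add_startup_item", "x.exe"),  # not on the suspicious list
    }
    guard.tick()  # must be a no-op while the document is open
    out["record"] = guard.close_document()
    out["processes_after"] = sorted(guard.state.processes)
    out["startup_after"] = set(guard.state.startup_items)
    return out
```

Two points the simulation makes visible. First, `tick()` has to be a no-op while a document is open; if the snapshot kept refreshing during the session, the restore in S104 would roll back to a state the document had already modified. Second, the restore undoes everything the session changed, including an operation the monitor did not classify as suspicious (the startup item here) and any legitimate change such as a user's saved edits, so a deployment has to decide carefully what the snapshot covers.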
The invention also provides an embodiment of the apparatus for defending against document overflow which, as shown in Fig. 2, comprises:
a snapshot generation module 201, for generating a system snapshot in real time according to the system's operating conditions and stopping snapshot generation when a document opening operation is found;
a system monitoring module 202, for monitoring system operations while the document is open and, when an application launch request is found, extracting the essential information of the application and matching it against the trusted application library 205; if the match succeeds, allowing the launch, otherwise blocking it;
a document monitoring module 203, for monitoring behaviour operations while the document is open, generating a behaviour record and judging whether suspicious behaviour exists; if it does, blocking the suspicious behaviour, otherwise continuing to monitor;
a snapshot restore module 204, for stopping all monitoring when a document closing operation is found and restoring the system snapshot generated before the document opening operation;
a trusted application library 205, for storing the essential information of trusted applications.
Preferably, the step of extracting the essential information of the application and matching it against the trusted application library, allowing the launch if the match succeeds and otherwise blocking it, is replaced with: querying the system snapshot generated before the document opening operation and judging whether the essential information of the application is present in that snapshot; if so, allowing the launch, otherwise blocking it.
Preferably, the suspicious behaviour comprises: dropping files, injection, editing the registry, hooks or shellcode.
More preferably, the essential information comprises: name, hash value or call relation.
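How the three kinds of essential information named here (name, hash value, call relation) can be extracted from a launch request and matched against the trusted application library, as an added example that is not the patent's or Antiy's code. It assumes SHA-256 as the hash, reads "call relation" as the chain of processes that requested the launch, stores one allowed set of chains per trusted binary, and uses constructed byte strings in a temporary directory in place of real executables; the function names and the library layout are likewise assumptions.

```python
import hashlib
import os
import tempfile


def essential_info(path, parent_chain):
    """Name, SHA-256 of the file contents and the process chain that requested
    the launch (outermost first); the last is our reading of 'call relation'."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"name": os.path.basename(path).lower(), "hash": digest,
            "parents": tuple(p.lower() for p in parent_chain)}


def build_library(entries):
    """entries: iterable of (path, allowed parent chains). Keyed by hash so the
    library pins file content; name and call relations are kept for the other checks."""
    library = {}
    for path, chains in entries:
        info = essential_info(path, ())
        library[info["hash"]] = {"name": info["name"],
                                 "parents": {tuple(p.lower() for p in c) for c in chains}}
    return library


def check_launch(library, info):
    """All three pieces of essential information must agree with one trusted entry."""
    entry = library.get(info["hash"])
    if entry is None:
        return "blocked", "hash not in trusted application library"
    if entry["name"] != info["name"]:
        return "blocked", "trusted binary launched under a different name"
    if info["parents"] not in entry["parents"]:
        return "blocked", "unexpected call relation " + " -> ".join(info["parents"])
    return "allowed", "matches trusted entry " + entry["name"]


def _write(directory, name, content):
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def demo():
    """Constructed binaries (plain byte strings standing in for executables)
    and four launch requests; returns the (verdict, reason) for each."""
    with tempfile.TemporaryDirectory() as d:
        viewer = _write(d, "viewer.exe", b"viewer-v1 (constructed)")
        helper = _write(d, "helper.exe", b"helper-v1 (constructed)")
        library = build_library([(viewer, [("explorer.exe",)]),
                                 (helper, [("explorer.exe", "viewer.exe")])])
        renamed = _write(d, "update.exe", b"helper-v1 (constructed)")  # same bytes, new name
        os.mkdir(os.path.join(d, "other"))
        tampered = _write(os.path.join(d, "other"), "helper.exe", b"helper-v1 (modified)")
        chain = ["explorer.exe", "viewer.exe"]
        return {
            "genuine": check_launch(library, essential_info(helper, chain)),
            "tampered": check_launch(library, essential_info(tampered, chain)),
            "renamed": check_launch(library, essential_info(renamed, chain)),
            "wrong_parent": check_launch(library, essential_info(helper, ["explorer.exe", "cmd.exe"])),
        }
```

Keying the library by hash means a modified copy fails before its name is even considered; the name and call-relation checks then catch a trusted binary launched under another name or from an unexpected parent. Whether those last two should block or only be recorded is a policy choice the page leaves open, and the example takes the strict reading.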
As described above, the embodiments protect the document and defend the system against infection by generating a system snapshot before the document is opened and restoring it after the document is closed. After a document opening operation is found, system operations and the document's own behaviour are monitored; if an operation attempts to start an application, it is checked whether that application is in the trusted application library, and it is allowed to start if so and blocked otherwise; if the document itself is found to exhibit suspicious behaviour, its execution is blocked.
In summary, traditional document vulnerability or malicious code detection methods judge whether a document contains a vulnerability or malicious code and disinfect it if so. The embodiments provided by the invention instead let users open and browse documents in the system with confidence, without being infected by any known or unknown threat. This places no excessive demand on the user's own security awareness and effectively defends against APT attacks, phishing attacks and the like, making the embodiments suitable for enterprises or internal departments with special document security requirements.
The above embodiments illustrate the technical solution of the invention and do not limit it. Any modification or partial replacement that does not depart from the spirit and scope of the invention shall fall within the scope of the claims of the invention.

Claims (8)

1. A method for defending against document overflow, characterised in that it comprises:
generating a system snapshot in real time according to the system's operating conditions, and stopping snapshot generation when a document opening operation is found;
monitoring system operations while the document is open and, when an application launch request is found, extracting the essential information of the application and matching it against a trusted application library; if the match succeeds, allowing the launch, otherwise blocking it;
monitoring behaviour operations while the document is open, generating a behaviour record and judging whether suspicious behaviour exists; if it does, blocking the suspicious behaviour, otherwise continuing to monitor;
when a document closing operation is found, stopping all monitoring and restoring the system snapshot generated before the document opening operation.
2. The method of claim 1, characterised in that the step of extracting the essential information of the application and matching it against the trusted application library, allowing the launch if the match succeeds and otherwise blocking it, is replaced with: querying the system snapshot generated before the document opening operation and judging whether the essential information of the application is present in that snapshot; if so, allowing the launch, otherwise blocking it.
3. The method of claim 1, characterised in that the suspicious behaviour comprises: dropping files, injection, editing the registry, hooks or shellcode.
4. The method of claim 1 or 2, characterised in that the essential information comprises: name, hash value or call relation.
5. An apparatus for defending against document overflow, characterised in that it comprises:
a snapshot generation module, for generating a system snapshot in real time according to the system's operating conditions and stopping snapshot generation when a document opening operation is found;
a system monitoring module, for monitoring system operations while the document is open and, when an application launch request is found, extracting the essential information of the application and matching it against a trusted application library; if the match succeeds, allowing the launch, otherwise blocking it;
a document monitoring module, for monitoring behaviour operations while the document is open, generating a behaviour record and judging whether suspicious behaviour exists; if it does, blocking the suspicious behaviour, otherwise continuing to monitor;
a snapshot restore module, for stopping all monitoring when a document closing operation is found and restoring the system snapshot generated before the document opening operation;
a trusted application library, for storing the essential information of trusted applications.
6. The apparatus of claim 5, characterised in that the step of extracting the essential information of the application and matching it against the trusted application library, allowing the launch if the match succeeds and otherwise blocking it, is replaced with: querying the system snapshot generated before the document opening operation and judging whether the essential information of the application is present in that snapshot; if so, allowing the launch, otherwise blocking it.
7. The apparatus of claim 5, characterised in that the suspicious behaviour comprises: dropping files, injection, editing the registry, hooks or shellcode.
8. The apparatus of claim 5 or 6, characterised in that the essential information comprises: name, hash value or call relation.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510407302.5A CN105653939B (en) 2015-07-13 2015-07-13 A kind of method and device that defence document overflows

Publications (2)

Publication Number Publication Date
CN105653939A true CN105653939A (en) 2016-06-08
CN105653939B CN105653939B (en) 2019-07-26

Family

ID=56481649

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510407302.5A Active CN105653939B (en) 2015-07-13 2015-07-13 A kind of method and device that defence document overflows

Country Status (1)

Country Link
CN (1) CN105653939B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101408917A (en) * 2008-10-22 2009-04-15 厦门市美亚柏科资讯科技有限公司 Method and system for detecting application program behavior legality
CN101887497A (en) * 2010-06-24 2010-11-17 北京安天电子设备有限公司 Stack allocation law-based buffer overflow detection method
CN103440201A (en) * 2013-09-05 2013-12-11 北京邮电大学 Dynamic taint analysis device and application thereof to document format reverse analysis
CN103902914A (en) * 2013-09-17 2014-07-02 北京安天电子设备有限公司 Overflow vulnerability detection method and system for advanced persistent threat
CN104252447A (en) * 2013-06-27 2014-12-31 贝壳网际(北京)安全技术有限公司 File behavior analysis method and device

Also Published As

Publication number Publication date
CN105653939B (en) 2019-07-26

Similar Documents

Publication Publication Date Title
US11663323B2 (en) Process privilege escalation protection in a computing environment
Song et al. The effective ransomware prevention technique using process monitoring on android platform
KR102307534B1 (en) Systems and methods for tracking malicious behavior across multiple software entities
US20180375826A1 (en) Active network backup device
US8195953B1 (en) Computer program with built-in malware protection
EP3225009B1 (en) Systems and methods for malicious code detection
US9330259B2 (en) Malware discovery method and system
US20210173930A1 (en) Malware Management Using I/O Correlation Coefficients
KR20140033349A (en) System and method for virtual machine monitor based anti-malware security
US10867049B2 (en) Dynamic security module terminal device and method of operating same
CN103246849A (en) Safe running method based on ROST under Windows
CN108616510A (en) It is a kind of that virus detection techniques are extorted based on digital immune reclusion
CN104821949A (en) Signature-based SQL tamper-proof protection method
CN105653939A (en) Document overflow preventing method and apparatus
Iffländer et al. Hands off my database: Ransomware detection in databases through dynamic analysis of query sequences
KR102309669B1 (en) System for protecting damage of Zero-day attack
CN109460658A (en) It is a kind of for the detection method for maliciously extorting sample
CN103679015A (en) Attacking control method for protecting kernel system
CN105389521A (en) Method for safely protecting file in computer system
CN106603493B (en) Safety protection device and protection method built in network equipment
CN109711153B (en) Windows process protection method and system
Jiang et al. Analysis on Network Security and Its Countermeasures
US20240111866A1 (en) A cyber recovery forensics kit configured to maintain communication and send return malware
CN105718810A (en) Method and device for protecting sensitive documents of virtual machine
CN117453344A (en) Container credibility enhancement mechanism based on Linux system call

Legal Events

Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address
  Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin Hi-tech Industrial Development Zone, Harbin, Heilongjiang Province (838 Shikun Road)
  Patentee after: Harbin antiy Technology Group Limited by Share Ltd
  Address before: 506 room 162, Hongqi Avenue, Nangang District, Harbin Development Zone, Heilongjiang, 150090
  Patentee before: Harbin Antiy Technology Co., Ltd.
CP01 Change in the name or title of a patent holder
  Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)
  Patentee after: Antan Technology Group Co.,Ltd.
  Address before: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)
  Patentee before: Harbin Antian Science and Technology Group Co.,Ltd.