Disclosure of Invention
To address the defects of the prior art, the invention provides a rule issuing method and a rule issuing apparatus, which solve the problem that the large number of rules issued in the prior art occupies excessive system memory, and which improve the user experience.
In a first aspect, the present invention provides a rule issuing apparatus, including:
a monitoring module, configured to monitor the program behavior corresponding to each program on the device;
a judging module, configured to judge, using a preset behavior trigger condition, whether the program behavior corresponding to the current program matches a rule trigger identifier;
a first sending module, configured to send a rule request to a server when the program behavior matches the rule trigger identifier, so that the server looks up the rule corresponding to the rule trigger identifier according to the rule request;
and a first receiving module, configured to receive the rule sent by the server and to monitor the program behavior corresponding to the current program using the rule sent by the server.
Optionally, the apparatus further includes a second sending module, configured to send, when some or all of the rules sent by the server do not match the monitored program behavior corresponding to the current program, a rule revocation request for those rules to the server, so that the server sends a deletion instruction for those rules according to the rule revocation request;
and a second receiving module, configured to receive the deletion instruction sent by the server and to delete those rules according to the deletion instruction.
Optionally, the preset behavior trigger condition is obtained by the server from statistics of the program behaviors corresponding to the programs on multiple devices, and is sent to the device in advance;
the behavior trigger condition includes: the program behavior corresponding to each program, and the rule trigger identifier corresponding to that program behavior.
Optionally, the apparatus further includes:
a third receiving module, configured to receive a rule deletion instruction sent by the server, where the rule deletion instruction is used to delete an unused rule on the device and carries a rule deletion identifier sent by the server to the device;
and a determining module, configured to look up the rule on the device that matches the rule deletion identifier, determine that the rule no longer monitors the program behavior of the current program, and delete the rule according to the rule deletion instruction.
Optionally, the rules received from the server are defense rules, file defense rules, interception rules and data processing rules;
the program behavior includes: process creation, thread creation, file read/write operations, registry rewrite operations, stack operations, network communication, and/or thread injection operations.
In a second aspect, the present invention provides a rule issuing method, including:
monitoring the program behavior corresponding to each program on the device;
judging, using a preset behavior trigger condition, whether the program behavior corresponding to the current program matches a rule trigger identifier;
if the program behavior matches the rule trigger identifier, sending a rule request to a server so that the server looks up the rule corresponding to the rule trigger identifier according to the rule request;
and receiving the rule sent by the server, and monitoring the program behavior corresponding to the current program using the rule sent by the server.
Optionally, the method further includes:
if some or all of the rules sent by the server do not match the monitored program behavior corresponding to the current program, sending a rule revocation request for those rules to the server so that the server sends a deletion instruction for those rules according to the rule revocation request;
and receiving the deletion instruction sent by the server, and deleting those rules according to the deletion instruction.
Optionally, the preset behavior trigger condition is obtained by the server from statistics of the program behaviors corresponding to the programs on multiple devices, and is sent to the device in advance;
the behavior trigger condition includes: the program behavior corresponding to each program, and the rule trigger identifier corresponding to that program behavior.
Optionally, the method further includes:
receiving a rule deletion instruction sent by the server for deleting unused rules on the device, where the rule deletion instruction carries a rule deletion identifier sent by the server to the device;
and looking up the rule on the device that matches the rule deletion identifier, determining that the rule no longer monitors the program behavior of the current program, and deleting the rule according to the rule deletion instruction.
Optionally, the rules received from the server are defense rules, file defense rules, interception rules and data processing rules;
the program behavior includes: process creation, thread creation, file read/write operations, registry rewrite operations, stack operations, network communication, and/or thread injection operations.
As can be seen from the above technical solution, the rule issuing method and apparatus provided by the invention monitor the program behavior corresponding to each program on the device; when the preset behavior trigger condition shows that the program behavior corresponding to the current program matches a rule trigger identifier, the cloud server issues the rule corresponding to that rule trigger identifier, and after the rule is received the program behavior corresponding to the current program is monitored according to it. Because not all the rules the device will use are issued in advance, the volume of issued rules is reduced, the system memory occupied on the device is reduced, and the user experience is improved.
Detailed Description
The following further describes embodiments of the invention with reference to the drawings. The following examples serve only to illustrate the technical solutions of the present invention more clearly and do not limit its scope of protection.
Fig. 1 is a schematic flow chart of a rule issuing method provided in an embodiment of the present invention. As shown in Fig. 1, the rule issuing method includes the following steps:
101. monitoring program behaviors corresponding to each program in the equipment;
The device in this embodiment may be, for example, a mobile phone, a personal computer, a tablet computer, a desktop computer, or any device or management device that runs an operating system;
the program may include: an instant chat program, a video call program, an online game program, a downloaded software program, a security detection program, a mass messaging program, and so on.
102. Judging, using a preset behavior trigger condition, whether the program behavior corresponding to the current program matches a rule trigger identifier;
For example, the rule trigger identifier in this embodiment may be a rule download identifier triggered when a program starts, a rule trigger identifier for a program writing a certain registry key, a rule trigger identifier for certain network communication, and so on.
If the identifier is a rule trigger identifier for starting a program, it may be defined as follows:
for example, in an instant chat program, when the process of the instant chat program is created at startup, the program behavior of creating that process corresponds to a first rule trigger identifier; it can then be determined that the program behavior corresponding to the current program matches the first rule trigger identifier, and step 103 below can be performed.
Or, when a photo is to be sent in the instant chat program, the program behavior of sending the photo corresponds to a second rule trigger identifier, and so on.
The trigger identifiers and their definitions are given only for illustration; this embodiment does not specifically limit them.
103. If the program behavior matches the rule trigger identifier, sending a rule request to a server so that the server looks up the rule corresponding to the rule trigger identifier according to the rule request;
In this embodiment the server may be a cloud server. The cloud server looks up the rule corresponding to the rule trigger identifier according to the rule request; the rule it finds is the behavior rule for the behavior that the current program on the device is most likely to execute next.
Specifically, when the preset behavior trigger condition shows that the monitored program behavior matches the rule trigger identifier for starting a program, the rule request for starting that program is sent directly to the cloud server. For example, when a program installation package is started, the behaviors most likely to be executed next after its installer starts include registering a process, loading other application installers, and so on, so the cloud server issues the corresponding security rules for process registration, loading of other application installers, and so on.
104. And receiving a rule sent by a server, and monitoring the program behavior corresponding to the current program by adopting the rule sent by the server.
In a specific application, the rules sent by the cloud server may be defense rules, file defense rules, interception rules and data processing rules.
Defense rules include, for example, an Application Defense (AD) rule set, which monitors the starting or running of certain applications, and a Registry Defense (RD) rule set, which monitors commonly targeted sensitive system registry entries.
File defense rules are, for example, a File Defense (FD) rule set, which judges locally running programs, registry read/write operations and file read/write operations against configurable rules and decides whether to permit or prohibit them. FD is used to monitor operations on files in sensitive system directories (e.g. the HOSTS file), such as modifying or deleting any file in a system directory or creating a new file there, and may also be used to discover the file body hidden by a driver-based trojan.
Interception rules may include interception based on the starting of a certain program, interception of an advertisement shown after a certain program starts, interception of an operation permission of a certain program, and so on.
Taking the permission interception rule as an example: according to the application audit result uploaded by a developer, an application requests a certain permission at startup, for example a notepad program requesting permission to read the address book when it starts. The security administrator of the app store (application store) then adds the application to the app store and adds the permission interception rule for that application to the cloud server, which also receives information uploaded by the SecurityGuard. Because the permission interception rules set by the administrator cannot represent the will of users, the SecurityGuard uploads the permission interception rules set by users to the cloud server; the cloud server automatically analyzes these messages and computes, for each permission, the rate at which users intercept it, which is used to prompt users who newly install the application.
If the user interception rate for a permission exceeds a preset value, the permission is intercepted when the notepad program requests to read the address book at startup; otherwise, the rule does not intercept the address-book read requested at startup, but sends a prompt message to the user device to help the user understand which of the program behaviors performed when the application starts are potentially harmful.
The data processing rules are similar to the defense rules, file defense rules and interception rules and are not described again in this embodiment.
In the method of this embodiment, the program behavior corresponding to each program on the device is monitored; when the preset behavior trigger condition shows that the program behavior corresponding to the current program matches a rule trigger identifier, the cloud server issues the rule corresponding to that identifier, and after the rule is received the program behavior corresponding to the current program is monitored according to it.
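The flow of steps 101 to 104, worked through as an added example (this is illustrative code, not code from the patent or from any product it describes). The names BehaviorEvent, Rule, TRIGGER_TABLE, CloudServer and RuleEngine, the sample trigger table and the white/black lists are assumptions constructed for the example; the cloud server is simulated in-process. The point the code makes is that the device holds only the rules it has actually been issued: until a trigger fires, the rule store is empty.

```python
"""Device-side flow of steps 101 to 104: monitor behaviors, test them against the
preset trigger condition, fetch the matching rules on demand and monitor with them.

Added example, not code from the patent.  All names and sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"          # on a rule's white list, or no issued rule covers the event
    INTERCEPT = "intercept"  # on a rule's black list
    PROMPT = "prompt"        # a rule covers the behavior but cannot decide (step 204b)


@dataclass(frozen=True)
class BehaviorEvent:
    program: str       # image that performed the behavior, e.g. "setup.exe"
    behavior: str      # e.g. "process_create", "load_installer", "network_comm"
    target: str = ""   # object of the behavior, e.g. the installer being loaded


@dataclass(frozen=True)
class Rule:
    rule_id: str
    behavior: str                              # the program behavior this rule monitors
    whitelist: FrozenSet[str] = frozenset()    # targets explicitly allowed
    blacklist: FrozenSet[str] = frozenset()    # targets explicitly intercepted

    def evaluate(self, event: BehaviorEvent) -> Optional[Verdict]:
        if event.behavior != self.behavior:
            return None                         # rule does not apply to this event
        if event.target in self.blacklist:
            return Verdict.INTERCEPT
        if event.target in self.whitelist:
            return Verdict.ALLOW
        return Verdict.PROMPT                   # covered, but target listed nowhere


# Preset behavior trigger condition (step 102), pushed by the server in advance:
# (program, behavior) -> rule trigger identifier.  Constructed sample data.
TRIGGER_TABLE: Dict[Tuple[str, str], str] = {
    ("setup.exe", "process_create"): "TRIG-INSTALLER-START",
    ("chat.exe", "process_create"): "TRIG-CHAT-START",
}


class CloudServer:
    """Simulated server: trigger identifier -> rules for the behaviors likely to follow."""

    CATALOGUE: Dict[str, List[Rule]] = {
        "TRIG-INSTALLER-START": [
            Rule("R-run-installer", "run_installer", whitelist=frozenset({"setup.exe"})),
            Rule("R-load-installer", "load_installer",
                 whitelist=frozenset({"browser_setup.exe"}),
                 blacklist=frozenset({"adware_bundle.exe"})),
        ],
        "TRIG-CHAT-START": [
            Rule("R-chat-net", "network_comm", whitelist=frozenset({"chat.example"})),
        ],
    }

    def __init__(self) -> None:
        self.requests: List[str] = []           # rule requests received, for inspection

    def lookup(self, trigger_id: str) -> List[Rule]:
        self.requests.append(trigger_id)
        return list(self.CATALOGUE.get(trigger_id, []))


class RuleEngine:
    """Holds only the rules actually issued to this device, never the whole catalogue."""

    def __init__(self, server: CloudServer, trigger_table: Dict[Tuple[str, str], str]) -> None:
        self.server = server
        self.trigger_table = trigger_table
        self.rules: Dict[str, Rule] = {}

    def on_event(self, event: BehaviorEvent) -> Verdict:
        # Step 102: does the behavior match a rule trigger identifier?
        trigger_id = self.trigger_table.get((event.program, event.behavior))
        if trigger_id is not None:
            # Steps 103 and 104: request the rules for that identifier and install them.
            for rule in self.server.lookup(trigger_id):
                self.rules[rule.rule_id] = rule
        # Monitor the behavior with the rules now present; the strictest verdict wins.
        verdicts = []
        for rule in self.rules.values():
            verdict = rule.evaluate(event)
            if verdict is not None:
                verdicts.append(verdict)
        if Verdict.INTERCEPT in verdicts:
            return Verdict.INTERCEPT
        if Verdict.PROMPT in verdicts:
            return Verdict.PROMPT
        return Verdict.ALLOW    # design choice: an uncovered event is only monitored
```

An event that no issued rule covers is allowed here; that is a design choice of the example, and a deployment that wants fail-closed behavior would return PROMPT or INTERCEPT instead.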
Fig. 2A is a schematic flow chart of a rule issuing method according to another embodiment of the present invention. As shown in Fig. 2A, the rule issuing method includes the following steps:
201. Monitoring the program behavior corresponding to each program on the device;
Specifically, the program behavior includes: process creation, thread creation, file read/write operations, registry rewrite operations, stack operations, network communication, and/or thread injection operations.
For example, for the program behavior of process creation, the startup directory of a program may be monitored, for example the startup directory for all users on a Windows XP system: "C:\Documents and Settings\All Users\Start Menu\Programs\Startup";
for the program behavior of rewriting registry keys, for example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, where Run is a key in the registry;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<service name>\ImagePath, where ImagePath is the value holding the path of the service/driver binary.
202. Judging, using a preset behavior trigger condition, whether the program behavior corresponding to the current program matches a rule trigger identifier;
The preset behavior trigger condition in this embodiment is compiled by the cloud server from statistics of the program behaviors corresponding to the programs on multiple devices, and is sent to the device in advance;
in a specific application, the cloud server may send the program behavior statistics for the programs on the multiple devices to the devices in real time or at regular intervals, and the preset behavior trigger condition includes the trigger conditions of the program behaviors corresponding to all programs on the device.
The behavior trigger condition includes: the program behavior corresponding to each program, and the rule trigger identifier corresponding to that program behavior.
Specifically, the rule trigger identifier corresponding to a program behavior includes one or more of the following trigger marks: file name, file path, file size, file internal name, file digest (message digest algorithm value), file signing company information, file modification time, file creation time, file attributes, service name, registry location.
When there are several trigger marks, they are combined into a character string according to a preset combination rule.
For example, if the trigger marks are the file size, the file digest and the file attributes, where the file size is 1M, the MD5 digest of the file is d41d8cd98f00b204e9800998ecf8427 and the file attribute is read-only, the combined string may be "1M d41d8cd98f00b204e9800998ecf8427 read only", "d41d8cd98f00b204e9800998ecf8427 1M read only" or "d41d8cd98f00b204e9800998ecf8427 read only 1M"; of course, other combination rules may also be used to form the string.
The behavior trigger conditions described above may be stored on the device in the form of a table, as shown in Table 1.
TABLE 1
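How the trigger marks of step 202 can be combined into one trigger identifier, as an added example (illustrative code, not code from the patent). The patent only says the marks are combined "according to a preset combination rule"; the field names below and the canonical encoding (fixed field order, key=value pairs, '|' separator with escaping) are assumptions chosen so that device and server compute byte-identical identifiers. The sample file content is constructed. The example also shows why the plain space-joined form in the text is not a safe combination rule: two different sets of marks can produce the same string.

```python
"""Combining several trigger marks into one rule trigger identifier (step 202).

Added example, not code from the patent.  FIELDS and the canonical encoding are
assumptions; the sample file content is constructed.
"""
import hashlib
from typing import Dict, Union

Mark = Union[str, int]

# Fixed order for the trigger marks listed in the text (internal name, signing
# company and timestamps are omitted here only to keep the sample short).
FIELDS = ("file_name", "file_path", "file_size", "file_md5",
          "file_attributes", "service_name", "registry_location")


def naive_trigger_id(marks: Dict[str, Mark]) -> str:
    """The space-joined form shown in the text ("1M d41d... read only"): ambiguous."""
    return " ".join(str(v) for v in marks.values())


def _escape(value: str) -> str:
    # Escape the separator and the key/value delimiter so a mark containing
    # '|' or '=' (file paths can) cannot be confused with a field boundary.
    return value.replace("\\", "\\\\").replace("|", "\\|").replace("=", "\\=")


def canonical_trigger_id(marks: Dict[str, Mark]) -> str:
    """Unambiguous, order-independent identifier: FIELDS order, key=value, '|' separated."""
    unknown = set(marks) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown trigger mark(s): {sorted(unknown)}")
    if not marks:
        raise ValueError("at least one trigger mark is required")
    return "|".join(f"{key}={_escape(str(marks[key]))}" for key in FIELDS if key in marks)


def file_marks(name: str, path: str, data: bytes, attributes: str) -> Dict[str, Mark]:
    """Derive the file-based marks from a file's content (MD5, as the text uses)."""
    return {
        "file_name": name,
        "file_path": path,
        "file_size": len(data),
        "file_md5": hashlib.md5(data).hexdigest(),
        "file_attributes": attributes,
    }


if __name__ == "__main__":
    marks = file_marks("setup.exe", "C:\\Temp", b"", "read only")   # constructed sample
    print(naive_trigger_id(marks))
    print(canonical_trigger_id(marks))
```

Two caveats a deployment should weigh. The identifier decides which security rules a device fetches, so it should be collision resistant; MD5, which the text uses, is not, and a SHA-256 digest would be the usual choice today. And because the trigger table is pushed to the device in advance, the device should verify its origin (for example a signature over the table) before trusting it, since a forged table could steer the device toward requesting the wrong rules or none at all.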
203. If the program behavior corresponding to the program matches the rule trigger identifier, sending a rule request to the cloud server so that the cloud server looks up the rule corresponding to the rule trigger identifier according to the rule request;
204a. Receiving the rule sent by the cloud server, where the rule can be matched with the program behavior corresponding to the current program, and monitoring the program behavior corresponding to the current program through the rule.
For example, if the program behavior of the current program is the starting of a program installation package, the rules sent by the cloud server for running the installer, loading other application installers, and so on are received. When the program behavior corresponding to the current program is then found to be the loading of another application installer, such as an antivirus program or a certain browser, the rule for loading other application installers sent by the cloud server is checked to see whether that installer is allowed to be installed; that is, the rule determines whether the program behavior is malicious. If the rule allows the other application installer to be installed, i.e. the program behavior corresponding to the current program is a program on the white list of the rule, the program behavior is allowed to continue; if the rule does not allow it, i.e. the program behavior corresponding to the current program is a program on the black list of the rule, the program behavior corresponding to the current program is intercepted or an alarm is raised.
In another implementation, as shown in Fig. 2B, the method further includes the following step after step 203:
204b. Receiving the rule sent by the cloud server, and sending a prompt message to the user if the rule cannot be matched with the program behavior corresponding to the current program.
If the program behavior corresponding to the current program does not match any rule, it is a program behavior that cannot be determined; the user is prompted to handle it accordingly, for example by deciding to release or intercept it, so that monitoring of the program behavior corresponding to the current program is still achieved.
To avoid occupying a large amount of memory on the device, rules that do not match the program behavior corresponding to the current program need to be deleted. As shown in Fig. 3A, the method further includes the following steps after step 204a:
301a. If some of the rules sent by the cloud server do not match the monitored program behavior corresponding to the current program, sending a rule revocation request for those rules to the cloud server, so that the cloud server sends a deletion instruction for those rules according to the rule revocation request;
302a. Receiving the deletion instruction sent by the cloud server, and deleting those rules according to the deletion instruction.
For example, when the cloud server has issued rules for running the installer, loading other application installers, and so on according to the behavior expected to follow the starting of a certain installation package, and the program behavior corresponding to the current program is the loading of another application installer such as an antivirus program or a browser, the running state of the current program matches the rule for loading other application installers but not the rule for running the installer; therefore, to avoid a large number of rules occupying memory on the device, a revocation request for the rule for running the installer (and any other unmatched rules) is sent to the cloud server.
In another implementation of step 301a, if some of the rules sent by the cloud server do not match the monitored program behavior corresponding to the current program and a large number of unmatched rules are stored on the device, the device may also delete the unmatched rules by itself without sending a revocation request to the cloud server.
As shown in Fig. 3B, the method further includes the following steps after step 204b:
301b. If all of the rules sent by the cloud server fail to match the monitored program behavior corresponding to the current program, sending a rule revocation request for all of those rules to the cloud server, so that the cloud server sends a deletion instruction for all of them according to the rule revocation request;
302b. Receiving the deletion instruction sent by the cloud server, and deleting all of those rules according to the deletion instruction.
For example, if the program behavior corresponding to the current program is loading the installation path of the installer and none of the rules issued by the cloud server, such as running the installer or loading other application installers, matches it, a request to revoke all of those rules needs to be sent to the cloud server. The program behavior corresponding to the current program can then still be monitored through other defense rules according to the trigger identifier, and a message warning of the danger can be sent to the user so that the user can decide whether to perform the next operation.
In another implementation of step 301b, if all of the rules sent by the cloud server fail to match the monitored program behavior corresponding to the current program and a large number of unmatched rules are stored on the device, the device may also delete all of the unmatched rules by itself without sending a revocation request to the cloud server.
As shown in Fig. 4, after the rule sent by the cloud server in step 204a has been used to monitor the program behavior corresponding to the current program, that is, once the current program has entered its next working state, the rule that matched the program behavior of the current program is no longer needed. To keep rules from occupying excessive device memory and affecting the operation of the device, a rule that has been used and is temporarily no longer needed must therefore be deleted.
Specifically, the method includes the following steps:
401. Receiving a rule deletion instruction sent by the cloud server for deleting unused rules on the device, where the rule deletion instruction carries a rule deletion identifier sent by the cloud server to the device;
Specifically, the current program entering its next working state may also be understood as the program behavior corresponding to the next step of the current program matching the preset behavior trigger condition; that is, when the cloud server receives a rule request that matches the preset behavior trigger condition, it may send a rule deletion instruction for deleting the rules on the device that are no longer used.
402. Looking up the rule on the device that matches the rule deletion identifier, determining that the rule no longer monitors the program behavior of the current program, and deleting the rule according to the rule deletion instruction.
These steps clear out the rules that the cloud server has issued to the device, so that the device runs faster.
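The rule lifecycle of steps 301a/301b, 302a/302b (revocation of unmatched rules, with the local self-deletion variant) and steps 401/402 (server-driven deletion once the program has moved on), as one added example covering both procedures (illustrative code, not code from the patent). RuleCache, SimCloud, the message layout of the deletion instruction, the MAX_UNMATCHED threshold and the shared HMAC key are assumptions made for the example; the cloud server is simulated in-process. The one check added beyond the text is that a deletion instruction is authenticated before it is acted on: a device that deletes rules on any unauthenticated "delete" message can be stripped of its defenses by whoever can reach it on the network.

```python
"""Rule lifecycle on the device: revocation of unmatched rules (steps 301/302) and
server-driven deletion of rules no longer in use (steps 401/402).

Added example, not code from the patent.  The message format, threshold and key
are assumptions; the server is simulated in-process.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List

MAX_UNMATCHED = 3                      # assumed local threshold for self-deletion
SHARED_KEY = b"constructed-demo-key"   # assumption: a key provisioned to the device


def _tag(msg: dict) -> str:
    """HMAC over the canonical form of the instruction's authenticated fields."""
    body = json.dumps({k: msg[k] for k in ("op", "rule_ids")}, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


@dataclass
class IssuedRule:
    rule_id: str
    behavior: str
    matched: bool = False   # set once the rule has matched a monitored behavior


class SimCloud:
    """Simulated server side: both paths answer with a signed deletion instruction."""

    def __init__(self) -> None:
        self.log: List[tuple] = []

    def _delete_instruction(self, rule_ids: Iterable[str]) -> dict:
        msg = {"op": "delete", "rule_ids": sorted(rule_ids)}
        msg["tag"] = _tag(msg)
        return msg

    def revoke(self, rule_ids: Iterable[str]) -> dict:
        ids = sorted(rule_ids)
        self.log.append(("revoke", tuple(ids)))          # steps 301a/301b
        return self._delete_instruction(ids)

    def next_state(self, used_rule_ids: Iterable[str]) -> dict:
        ids = sorted(used_rule_ids)
        self.log.append(("delete_used", tuple(ids)))     # step 401
        return self._delete_instruction(ids)


class RuleCache:
    def __init__(self, cloud: SimCloud) -> None:
        self.cloud = cloud
        self.rules: Dict[str, IssuedRule] = {}

    def install(self, rules: Iterable[IssuedRule]) -> None:
        for rule in rules:
            self.rules[rule.rule_id] = rule

    def observe(self, behavior: str) -> List[str]:
        """Mark every issued rule that matches the monitored behavior; return their ids."""
        hits = sorted(r.rule_id for r in self.rules.values() if r.behavior == behavior)
        for rid in hits:
            self.rules[rid].matched = True
        return hits

    def unmatched(self) -> List[str]:
        return sorted(r.rule_id for r in self.rules.values() if not r.matched)

    def apply_delete(self, instruction: dict) -> int:
        """Steps 302/402: act only on a well-formed, authenticated delete instruction."""
        if instruction.get("op") != "delete" or not isinstance(instruction.get("rule_ids"), list):
            return 0
        if not hmac.compare_digest(_tag(instruction), str(instruction.get("tag", ""))):
            return 0   # forged or tampered instruction: ignore it
        deleted = 0
        for rid in instruction["rule_ids"]:
            if self.rules.pop(rid, None) is not None:   # unknown ids are ignored
                deleted += 1
        return deleted

    def revoke_unmatched(self) -> int:
        """Step 301: revoke via the server, or self-delete when the backlog is large."""
        ids = self.unmatched()
        if not ids:
            return 0
        if len(ids) >= MAX_UNMATCHED:            # variant after 302a: no round trip
            for rid in ids:
                del self.rules[rid]
            return len(ids)
        return self.apply_delete(self.cloud.revoke(ids))

    def advance_state(self) -> int:
        """Step 401/402: the program moved on, so rules already used are dropped."""
        used = [r.rule_id for r in self.rules.values() if r.matched]
        return self.apply_delete(self.cloud.next_state(used))
```

The HMAC stands in for whatever authenticates the server in a real deployment (typically mutual TLS or a signature over the instruction); the important property is that `apply_delete` refuses anything it cannot verify, so a rule is never removed on an attacker's say-so.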
Fig. 5 shows a rule issuing apparatus provided in an embodiment of the present invention. As shown in Fig. 5, the rule issuing apparatus specifically includes: a monitoring module 51, a judging module 52, a first sending module 53 and a first receiving module 54.
The monitoring module 51 is configured to monitor the program behavior corresponding to each program on the device;
for example, the program behavior includes: process creation, thread creation, file read/write operations, registry write operations, stack operations, network communication, and/or thread injection operations.
The judging module 52 is configured to judge, using a preset behavior trigger condition, whether the program behavior corresponding to the current program matches a rule trigger identifier;
specifically, the preset behavior trigger condition is compiled by the cloud server from statistics of the program behaviors corresponding to the programs on multiple devices and is sent to the device in advance once those statistics have been compiled; the preset behavior trigger condition includes the trigger conditions of the program behaviors corresponding to all programs on the device;
the behavior trigger condition includes: the program behavior corresponding to each program, and the rule trigger identifier corresponding to that program behavior.
The first sending module 53 is configured to send a rule request to the server when the program behavior corresponding to the program matches the rule trigger identifier, so that the server looks up the rule corresponding to the rule trigger identifier according to the rule request;
the server may be a cloud server.
The first receiving module 54 is configured to receive the rule sent by the cloud server and to monitor the program behavior corresponding to the current program using the rule sent by the cloud server.
For example, the rules sent by the cloud server are defense rules, file defense rules, interception rules and data processing rules.
In another possible implementation, Fig. 6 shows a rule issuing apparatus provided in an embodiment of the present invention. As shown in Fig. 6, the rule issuing apparatus specifically includes: a monitoring module 61, a judging module 62, a first sending module 63, a first receiving module 64, a second sending module 65 and a second receiving module 66.
The monitoring module 61 is configured to monitor the program behavior corresponding to each program on the device;
the judging module 62 is configured to judge, using a preset behavior trigger condition, whether the program behavior corresponding to the current program matches a rule trigger identifier;
the first sending module 63 is configured to send a rule request to the cloud server when the program behavior corresponding to the program matches the rule trigger identifier, so that the cloud server looks up the rule corresponding to the rule trigger identifier according to the rule request;
the first receiving module 64 is configured to receive the rule sent by the cloud server, where the rule can be matched with the program behavior corresponding to the current program, and then to monitor the program behavior corresponding to the current program using the rule sent by the cloud server.
The second sending module 65 is configured to send, when some of the rules sent by the cloud server do not match the monitored program behavior corresponding to the current program, a rule revocation request for those rules to the cloud server, so that the cloud server sends a deletion instruction for those rules according to the rule revocation request;
the second receiving module 66 is configured to receive the deletion instruction sent by the cloud server and to delete those rules according to the deletion instruction.
In another implementation, the first receiving module 64, the second sending module 65 and the second receiving module 66 of the above apparatus are instead configured as follows.
The first receiving module 64 is configured to receive the rule sent by the cloud server and to send a prompt message to the user if the rule cannot be matched with the program behavior corresponding to the current program.
Specifically, if the program behavior corresponding to the current program does not match any rule, it is a program behavior that cannot be determined, and the user is prompted to handle it accordingly, for example by deciding to release or intercept it, so that the program behavior corresponding to the current program is still monitored.
The second sending module 65 is configured to send, when all of the rules sent by the cloud server fail to match the monitored program behavior corresponding to the current program, a rule revocation request for all of those rules to the cloud server, so that the cloud server sends a deletion instruction for all of them according to the rule revocation request;
the second receiving module 66 is configured to receive the deletion instruction sent by the cloud server and to delete all of those rules according to the deletion instruction.
Fig. 7 shows a rule issuing apparatus according to an embodiment of the present invention. As shown in Fig. 7, the rule issuing apparatus specifically includes: a monitoring module 71, a judging module 72, a first sending module 73, a first receiving module 74, a third receiving module 75 and a determining module 76.
The monitoring module 71 is configured to monitor the program behavior corresponding to each program on the device;
the judging module 72 is configured to judge, using a preset behavior trigger condition, whether the program behavior corresponding to the current program matches a rule trigger identifier;
the first sending module 73 is configured to send a rule request to the cloud server when the program behavior matches the rule trigger identifier, so that the cloud server looks up the rule corresponding to the rule trigger identifier according to the rule request;
the first receiving module 74 is configured to receive the rule sent by the cloud server, where the rule can be matched with the program behavior corresponding to the current program, and then to monitor the program behavior corresponding to the current program using the rule sent by the cloud server.
The third receiving module 75 is configured to receive a rule deletion instruction sent by the cloud server for deleting unused rules on the device, where the rule deletion instruction carries a rule deletion identifier sent by the cloud server to the device;
the determining module 76 is configured to look up the rule on the device that matches the rule deletion identifier, determine that the rule no longer monitors the program behavior of the current program, and delete the rule according to the rule deletion instruction.
The above apparatus corresponds one-to-one to the above method; the detailed description of the method embodiments of the present invention applies equally to the apparatus and is not repeated here.