CN105791221B - Rule issuing method and device - Google Patents


Info

Publication number
CN105791221B
Authority
CN
China
Prior art keywords
rule
program
server
behavior
rules
Legal status
Active
Application number
CN201410806644.XA
Other languages
Chinese (zh)
Other versions
CN105791221A (en)
Inventor
何博
王亮
张晓霖
张聪
Current Assignee
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201410806644.XA
Publication of CN105791221A
Application granted
Publication of CN105791221B

Abstract

The invention discloses a rule issuing method and device, wherein the method comprises the following steps: monitoring the program behaviors corresponding to each program on the device; judging, using a preset behavior trigger condition, whether the program behavior corresponding to the current program meets a rule trigger identifier; if the program behavior conforms to the rule trigger identifier, sending a rule request to a server so that the server searches for the rule corresponding to the rule trigger identifier according to the rule request; and receiving the rule sent by the server, and monitoring the program behavior corresponding to the current program using that rule. Compared with existing approaches, which do not issue rules on the basis of the rule trigger identifier of a program behavior, the method reduces the number of rules issued, reduces system memory usage, and improves the user experience.

Description

Rule issuing method and device
Technical Field
The invention relates to the technical field of internet, in particular to a rule issuing method and a rule issuing device.
Background
Active defense is a real-time protection technology that prevents malicious programs based on autonomous analysis and judgment of program behavior. Malicious program is a general term for any software program that is intentionally created to perform unauthorized and often harmful actions. Computer viruses, backdoor programs, keyloggers, password stealers, Word and Excel macro viruses, boot viruses, script viruses, trojans, crimeware, spyware, adware, and the like can all be referred to as malware.
When active defense is used against a malicious program, the file's characteristic value (signature) is not used as the basis for judging it malicious; instead, the most basic definition is taken as the starting point and the behavior of the program is used directly as the basis for that judgment. Taking a Host-based Intrusion Prevention System (HIPS) as an example: HIPS is active defense software that can monitor the operation of files on a computer, the operations that files perform on other files, and modifications of the registry by files, and it prompts for a decision on whether to allow the operation or modification.
However, when a certain program triggers a certain behavior, the cloud may issue many defense rules for the execution of that program. A large number of rules occupies more system memory, which slows down system startup and results in a poor user experience.
Disclosure of Invention
To address the defects in the prior art, the invention provides a rule issuing method and a rule issuing device, which solve the problem that the large number of rules issued in the prior art occupies excessive system memory, and which improve the user experience.
In a first aspect, the present invention provides a rule issuing apparatus, including:
the monitoring module is used for monitoring program behaviors corresponding to each program in the equipment;
the judging module is used for judging, using a preset behavior trigger condition, whether the program behavior corresponding to the current program meets the rule trigger identifier;
the first sending module is used for sending a rule request to the server when the program behavior accords with the rule trigger identifier, so that the server searches a rule corresponding to the rule trigger identifier according to the rule request;
and the first receiving module is used for receiving the rule sent by the server and monitoring the program behavior corresponding to the current program by adopting the rule sent by the server.
Optionally, the apparatus further includes a second sending module, configured to send a rule revocation request for part or all of the rules to the server when part or all of the rules sent by the server do not match the monitored program behavior corresponding to the current program, so that the server sends a deletion instruction for those rules according to the rule revocation request;
and a second receiving module, used for receiving the deletion instruction sent by the server and deleting those rules according to the deletion instruction.
Optionally, the preset behavior trigger condition is obtained by the server from statistics on the program behaviors of the programs on multiple devices, and is sent to the device in advance;
the behavior trigger condition comprises: the program behavior corresponding to each program and the rule trigger identifier corresponding to that program behavior.
Optionally, the apparatus further comprises:
a third receiving module, configured to receive a rule deletion instruction sent by the server, where the rule deletion instruction is used to delete an unused rule on the device and includes a rule deletion identifier sent by the server to the device;
and a determining module, used for searching the device for the rule matching the rule deletion identifier, determining that the rule no longer monitors the program behavior of the current program, and deleting the rule according to the rule deletion instruction.
Optionally, the rules received from the server are defense rules, file defense rules, interception rules and data processing rules;
the program behavior includes: process creation, thread creation, file read-write operations, registry rewrite operations, stack operations, network communications, and/or thread injection operations.
In a second aspect, the present invention provides a rule issuing method, including:
monitoring program behaviors corresponding to each program in the equipment;
judging, using a preset behavior trigger condition, whether the program behavior corresponding to the current program meets the rule trigger identifier;
if the program behavior conforms to the rule trigger identifier, sending a rule request to a server so that the server searches a rule corresponding to the rule trigger identifier according to the rule request;
and receiving a rule sent by a server, and monitoring the program behavior corresponding to the current program by adopting the rule sent by the server.
Optionally, the method further includes:
if part or all of the rules sent by the server do not match the monitored program behavior corresponding to the current program, sending a rule revocation request for those rules to the server, so that the server sends a deletion instruction for those rules according to the rule revocation request;
and receiving the deletion instruction sent by the server, and deleting those rules according to the deletion instruction.
Optionally, the preset behavior trigger condition is obtained by the server from statistics on the program behaviors of the programs on multiple devices, and is sent to the device in advance;
the behavior trigger condition comprises: the program behavior corresponding to each program and the rule trigger identifier corresponding to that program behavior.
Optionally, the method further includes:
receiving a rule deletion instruction sent by the server for deleting unused rules on the device, where the rule deletion instruction includes a rule deletion identifier sent by the server to the device;
and searching the device for the rule matching the rule deletion identifier, determining that the rule no longer monitors the program behavior of the current program, and deleting the rule according to the rule deletion instruction.
Optionally, the rules received from the server are defense rules, file defense rules, interception rules and data processing rules;
the program behavior includes: process creation, thread creation, file read-write operations, registry rewrite operations, stack operations, network communications, and/or thread injection operations.
According to the above technical scheme, the rule issuing method and device provided by the invention monitor the program behavior corresponding to each program on the device. When the preset behavior trigger condition determines that the program behavior corresponding to the current program meets a rule trigger identifier, the cloud server issues the rule corresponding to that rule trigger identifier, and once the rule is received the program behavior corresponding to the current program is monitored according to it. As a result, not all rules used by the device have to be issued in advance: the number of rules issued is reduced, the system memory occupied on the device is reduced, and the user experience is improved.
Drawings
Fig. 1 is a schematic flow chart of a rule issuing method according to an embodiment of the present invention;
Fig. 2A and Fig. 2B are schematic flow diagrams of a rule issuing method according to another embodiment of the present invention;
Fig. 3A and Fig. 3B are schematic flow diagrams of a rule issuing method according to another embodiment of the present invention;
Fig. 4 is a schematic flow chart of a rule issuing method according to another embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a rule issuing device according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a rule issuing device according to another embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a rule issuing device according to another embodiment of the present invention.
Detailed Description
The following further describes embodiments of the invention with reference to the drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
Fig. 1 shows a schematic flow diagram of a rule issuing method provided in an embodiment of the present invention, and as shown in fig. 1, the rule issuing method includes the following steps:
101. monitoring program behaviors corresponding to each program in the equipment;
The device in this embodiment may be, for example, a mobile phone, a personal computer, a tablet computer, a desktop computer, or any device or management device with an operating system.
The above programs may include: an instant chat program, a video call program, an online game program, a software download program, a security detection program, a mass messaging program, and so on.
102. Judging, using a preset behavior trigger condition, whether the program behavior corresponding to the current program meets the rule trigger identifier;
For example, the rule trigger identifier in this embodiment may be a rule download identifier triggered when a program is started, a rule trigger identifier written to a certain registry key of a program, a rule trigger identifier for performing certain network communication, and the like.
If the identifier is a rule trigger identifier for starting a program, it may be defined as follows:
For example, in an instant chat program, when the instant chat program starts and creates its process, the program behavior of process creation corresponds to a first rule trigger identifier; it can thus be determined that the program behavior corresponding to the current program meets the first rule trigger identifier, and step 103 described below can be performed.
Or when the photo needs to be sent in the instant chat program, the program behavior of sending the photo corresponds to a second rule trigger and the like.
The trigger and the definition of the trigger are only used for illustration, and the embodiment does not specifically limit the trigger.
103. If the program behavior conforms to the rule trigger identifier, sending a rule request to a server so that the server searches a rule corresponding to the rule trigger identifier according to the rule request;
in this embodiment, the server may be a cloud server, the cloud server searches for a rule corresponding to the rule trigger according to the rule request, and the rule searched by the cloud server is a behavior rule that is most likely to be executed in the next step of a program behavior corresponding to a current program in the device.
Specifically, when the monitored program behavior of a program on the device is found, through the preset behavior trigger condition, to conform to the rule trigger identifier for starting that program, a rule request for the start of that program is sent directly to the cloud server. For example, when a program installation package is started, the behaviors most likely to be executed next after the installer starts include registering a process, loading other application installers, and the like; at this point the cloud server issues the corresponding security rules for the registration process, for loading other application installers, and so on.
104. And receiving a rule sent by a server, and monitoring the program behavior corresponding to the current program by adopting the rule sent by the server.
In a specific application, the rule sent by the cloud server may be a defense rule, a file defense rule, an interception rule, and a data processing rule.
The defense rules include, for example, an Application Defense system (AD) for monitoring the start or running process of certain applications, and a Registry Defense system (RD) for monitoring commonly targeted sensitive system registry entries.
The file defense rules are, for example, a File Defense system (FD), which judges locally running programs, registry read-write operations and file read-write operations according to configurable rules and decides whether to permit or prohibit them. The FD is used to monitor file operations in sensitive system directories (for example the HOSTS file), such as modifying or deleting any file in the system directory or creating a new file there, and may also be used to discover the file body hidden by a driver trojan.
The interception rules may include interception based on the start of a certain program, interception of an advertisement attached after the start of a certain program, interception of an operation permission of a certain program, and the like.
Taking the permission interception rule as an example: according to the audit result of an application program uploaded by a developer, the security administrator of the app store (application store) finds that the application requests a permission at startup, for example a notepad program requesting permission to read the address book at startup. The security administrator therefore adds the application program to the app store and adds a permission interception rule for the application program to the cloud server, which at this time also receives information uploaded by the SecurityGuard client. Because the permission interception rule set by the administrator cannot represent the will of the user, the SecurityGuard uploads the permission interception rules set by users to the cloud server, and the cloud server automatically analyzes these messages and calculates the user interception rate of each permission, which is used to prompt users who newly install the application program.
If the user interception rate of a permission exceeds a preset value, the rule intercepts the permission when the notepad program requests to read the address book at startup; in the other case, if the user interception rate of the permission does not exceed the preset value, the rule does not intercept the request to read the address book at startup, but a prompt message is sent to the user device to help the user know which of the program behaviors at application startup are potentially harmful.
The data processing rules are similar to the defense rules, the file defense rules, and the interception rules, and the embodiment will not be described again.
In the method in this embodiment, by monitoring the program behavior corresponding to each program in the device, when the preset behavior trigger condition is adopted to determine that the program behavior corresponding to the current program meets the rule trigger identifier, the cloud server issues the rule corresponding to the rule trigger identifier according to the rule trigger identifier, and monitors the program behavior corresponding to the current program according to the rule after receiving the rule.
Fig. 2A is a schematic flow chart illustrating a rule issuing method according to another embodiment of the present invention, and as shown in fig. 2A, the rule issuing method includes the following steps:
201. monitoring program behaviors corresponding to each program in the equipment;
specifically, the program behavior includes: process creation, thread creation, file read-write operations, registry rewrite operations, stack operations, network communications, and/or thread injection operations.
For example, for process creation, the program behavior may be monitoring a program's startup directory, such as the startup directory for all programs on a Windows XP system: "C:\Documents and Settings\All Users\Start Menu\Programs\Startup";
for registry key rewriting, for example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, where Run is a key in the registry;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<service>\ImagePath, where ImagePath is the value holding the path of the service/driver.
202. Judging, using a preset behavior trigger condition, whether the program behavior corresponding to the current program meets the rule trigger identifier;
The preset behavior trigger condition in this embodiment is computed by the cloud server from statistics on the program behaviors of programs on multiple devices, and is sent to the device in advance;
in a specific application, the cloud server may send the program behavior statistics for the programs on the multiple devices to the devices in real time or at fixed intervals, where the preset behavior trigger condition includes the trigger conditions of the program behaviors corresponding to all programs on the device.
The behavior trigger condition comprises: the program behavior corresponding to each program and the rule trigger identifier corresponding to that program behavior.
Specifically, the rule trigger identifier corresponding to a program behavior includes one or more of the following: file name, file path, file size, file internal name, file digest (message digest algorithm value), file signature company information, file modification time, file creation time, file attributes, service name, registry location.
When the trigger identifier comprises several of these, they are combined according to a preset combination rule to obtain a character string.
For example, if the trigger identifier consists of the file size, the file digest and the file attribute, where the file size is 1M, the file MD5 digest is d41d8cd98f00b204e9800998ecf8427, and the file attribute is read only, the combined character string may be "1M d41d8cd98f00b204e9800998ecf8427 read only", "d41d8cd98f00b204e9800998ecf8427 1M read only", or "d41d8cd98f00b204e9800998ecf8427 read only 1M"; of course, other combination rules may also be used to build the string.
The above-described behavior trigger conditions may be stored in the device in the form of a table, as shown in table 1.
Table 1: behavior trigger conditions (table image in the original, not reproduced here)
203. If the program behavior corresponding to the program accords with the rule trigger identifier, sending a rule request to a cloud server so that the cloud server searches a rule corresponding to the rule trigger identifier according to the rule request;
204a, receiving a rule sent by a cloud server, wherein the rule can be matched with a program behavior corresponding to the current program, and monitoring the program behavior corresponding to the current program through the rule.
For example, if the program behavior of the current program is the installation and launch of a program installation package, the rules sent by the cloud server for running the installer, loading other application installers, and so on are received. When the program behavior corresponding to the current program is then found to be loading some other application installer, such as an antivirus product or a certain browser, the rule for loading other application installers sent by the cloud server is checked to see whether installing that antivirus product, browser or other application is allowed; that is, the rule determines whether the program behavior is malicious. If the rule allows installing the other application (the program behavior corresponding to the current program is a running program on the whitelist in the rule), the program behavior is left to continue; if the rule does not allow installing the other application (the current program behavior is a running program on the blacklist in the rule), the program behavior corresponding to the current program is intercepted or an alarm is raised.
In another implementation, as shown in fig. 2B, the method further includes, after step 203, the steps of:
204b, receiving a rule sent by the cloud server, and sending a prompt message to a user if the rule cannot be matched with the program behavior corresponding to the current program.
If the program behavior corresponding to the current program does not match any rule, it is a program behavior that cannot be determined, and the user is prompted to make the corresponding decision, such as releasing or intercepting it, so that monitoring of the program behavior corresponding to the current program is still achieved.
In order to avoid a large amount of occupied memory space in the device, it is necessary to delete a rule that is not matched with a program behavior corresponding to a current program, as shown in fig. 3A, the method further includes the following steps after step 204 a:
301a, if a part of rules sent by the cloud server do not match the monitored program behavior corresponding to the current program, sending a rule revocation request corresponding to the part of rules to the cloud server, so that the cloud server sends a deletion instruction of the part of rules according to the rule revocation request;
302a, receiving the deletion instruction sent by the cloud server, and deleting the part of the rules according to the deletion instruction.
For example, when the start of a certain installation package launches the installer, the cloud server issues rules for the next execution behaviors of that program, such as running the installer and loading other application installers. If the program behavior corresponding to the current program is then loading another application installer, such as an antivirus product or a browser, the running state of the current program matches the rule for loading other application installers, while the rule for running the installer does not match. To avoid a large number of rules occupying memory on the device, a revocation request for the unmatched rules, such as the rule for running the installer, is sent to the cloud server.
In another implementation manner, in step 301a, if the partial rule sent by the cloud server does not match the monitored program behavior corresponding to the current program, and when a large number of unmatched rules are stored in the device, the device may also delete the unmatched partial rule by itself, and does not send a revocation request to the cloud server.
As shown in fig. 3B, the method further includes the following steps after step 204B:
301b, if all rules sent by the cloud server do not match the monitored program behavior corresponding to the current program, sending a rule revocation request corresponding to all the rules to the cloud server, so that the cloud server sends a deletion instruction of all the rules according to the rule revocation request;
302b, receiving a deleting instruction sent by the cloud server, and deleting all the rules according to the deleting instruction.
For example, if the program behavior corresponding to the current program is a behavior of loading the installation address of the installation program, and the rules issued by the cloud server to run the installation program, load other application installation programs, and the like are not matched, a request for revoking all the rules to run the installation program, load other application installation programs, and the like needs to be sent to the cloud server. At this time, the program behavior corresponding to the current program can be monitored through other defense rules according to the trigger identifier, and information prompting danger can be sent to the user, so that the user can judge whether to perform the next operation.
In another implementation manner, if all the rules sent by the cloud server in step 301b do not match the monitored program behavior corresponding to the current program, and when a large number of unmatched rules are stored in the device, the device may also delete all the unmatched rules by itself, and does not send a revocation request to the cloud server.
As shown in Fig. 4, after the rule sent by the cloud server in 204a has been used to monitor the program behavior corresponding to the current program, that is, when the program behavior corresponding to the current program has entered its next working state, the rule that matched the program behavior of the previous state is no longer needed. To keep rules from occupying excessive device memory and affecting the operation of the device, a rule that has been used and is not needed for the time being must be deleted.
Specifically, the method comprises the following steps:
401. receiving a rule deleting instruction sent by the cloud server and used for deleting unused rules in the device, wherein the rule deleting instruction comprises: the cloud server sends a rule deletion identifier to the equipment;
Specifically, the current program entering its next working state can also be understood as the program behavior of the current program's next step meeting the preset behavior trigger condition; that is, when the cloud server receives a rule request that meets the preset behavior trigger condition, it may send a rule deletion instruction for deleting the unused rule on the device.
402. And searching a rule matched with the rule deleting identification in the equipment, determining that the rule does not monitor the program behavior of the current program any more, and deleting the rule according to the rule deleting instruction.
The steps clear the rule issued by the cloud server to the equipment, so that the running speed of the equipment is increased.
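The following is an added example, not code from the patent or its assignees, that simulates the device/cloud-server exchange of the embodiments above: trigger identifiers combined into one string (step 202), on-demand rule requests (203), rule application with whitelist/blacklist verdicts and a user prompt for undetermined behavior (204a/204b), revocation of unmatched rules (301/302) and deletion of used-up rules on the next trigger (401/402). All program names, paths, rule ids and trigger values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


def compose_trigger(*parts: str) -> str:
    """Combine several trigger identifiers (file size, digest, attribute ...)
    into one string; the join order is the preset combination rule and must
    be identical on device and server so the strings compare equal."""
    return " ".join(parts)


@dataclass(frozen=True)
class Behavior:
    program: str   # monitored program, e.g. "setup.exe"
    kind: str      # process_create, file_write, registry_write, network ...
    target: str    # path, registry key or host the behaviour acts on


@dataclass
class Rule:
    rule_id: str
    kind: str                        # behaviour kind this rule monitors
    allow: frozenset = frozenset()   # white list of targets
    deny: frozenset = frozenset()    # black list of targets

    def verdict(self, b: Behavior) -> Optional[str]:
        """None when the rule does not cover b's kind (the rule is unmatched)."""
        if b.kind != self.kind:
            return None
        if b.target in self.deny:
            return "intercept"
        if b.target in self.allow:
            return "allow"
        return "prompt"              # covered but undetermined: ask the user


class CloudServer:
    def __init__(self, triggers, rules_by_trigger):
        self.triggers = triggers                  # (program, kind) -> trigger string
        self.rules_by_trigger = rules_by_trigger  # trigger string -> [Rule]
        self.issued = {}                          # program -> rule ids held by the device
        self.revoked = []                         # revocation requests honoured

    def trigger_conditions(self):
        return dict(self.triggers)                # sent to the device in advance

    def rule_request(self, program, trigger):
        """Step 203: look up the rules for the trigger. Step 401: the reply also
        carries deletion identifiers for rules issued for the program's
        previous working state, which are now used up."""
        stale = sorted(self.issued.get(program, set()))
        rules = list(self.rules_by_trigger.get(trigger, []))
        self.issued[program] = {r.rule_id for r in rules}
        return rules, stale

    def revocation_request(self, program, rule_ids):
        """Steps 301/302: answer a revocation request with a deletion instruction."""
        self.issued[program] = self.issued.get(program, set()) - set(rule_ids)
        self.revoked.extend(rule_ids)
        return list(rule_ids)


class Device:
    def __init__(self, server: CloudServer):
        self.server = server
        self.triggers = server.trigger_conditions()  # preset behaviour trigger condition
        self.rules = {}                               # program -> {rule_id: Rule}

    def monitor(self, b: Behavior) -> str:
        held = self.rules.setdefault(b.program, {})
        trigger = self.triggers.get((b.program, b.kind))
        if trigger is not None:                       # step 202: trigger identifier met
            rules, stale = self.server.rule_request(b.program, trigger)
            for rid in stale:                         # step 402: drop used-up rules
                held.pop(rid, None)
            for r in rules:                           # step 204: rules for the next step
                held[r.rule_id] = r
            return "rules_requested"
        verdicts = {rid: r.verdict(b) for rid, r in held.items()}
        unmatched = [rid for rid, v in verdicts.items() if v is None]
        if unmatched:                                 # 301a (part) or 301b (all) unmatched
            for rid in self.server.revocation_request(b.program, unmatched):
                held.pop(rid)
        matched = [v for v in verdicts.values() if v is not None]
        if not matched:
            return "prompt"                           # step 204b: no rule matched
        return "intercept" if "intercept" in matched else "allow" if "allow" in matched else "prompt"


def run_scenario():
    """Constructed sample data: one installer and the rules the server holds
    for its start-up trigger and for its first network activity."""
    start_trigger = compose_trigger("1M", "d41d8cd98f00b204e9800998ecf8427", "read only")
    net_trigger = compose_trigger("setup.exe", "network")
    server = CloudServer(
        triggers={("setup.exe", "process_create"): start_trigger,
                  ("setup.exe", "network"): net_trigger},
        rules_by_trigger={
            start_trigger: [
                Rule("R1", "registry_write",
                     allow=frozenset({r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"})),
                Rule("R2", "file_write",
                     allow=frozenset({r"C:\Users\me\Downloads\browser_setup.exe"}),
                     deny=frozenset({r"C:\Windows\System32\drivers\helper.sys"}))],
            net_trigger: [Rule("R3", "network", allow=frozenset({"update.example"}))]})
    device = Device(server)
    steps = [Behavior("setup.exe", "process_create", r"C:\Users\me\Downloads\setup.exe"),
             Behavior("setup.exe", "file_write", r"C:\Users\me\Downloads\browser_setup.exe"),
             Behavior("setup.exe", "file_write", r"C:\Windows\System32\drivers\helper.sys"),
             Behavior("other.exe", "network", "telemetry.example"),
             Behavior("setup.exe", "network", "update.example")]
    return [device.monitor(b) for b in steps], device, server
```

Running `run_scenario()` yields the verdicts rules_requested, allow, intercept, prompt, rules_requested: R1 is revoked after the first file write leaves it unmatched, and R2 is deleted when the network trigger moves the program to its next working state.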
Fig. 5 shows a rule issuing apparatus provided in an embodiment of the present invention, and as shown in fig. 5, the rule issuing apparatus specifically includes: a monitoring module 51, a judging module 52, a first sending module 53 and a first receiving module 54.
A monitoring module 51, configured to monitor a program behavior corresponding to each program in the device;
for example, the program behavior includes: process creation, thread creation, file read-write operation, registry write operation, stack operation, network communication, and/or thread injection operation.
The judging module 52 is configured to judge whether a program behavior corresponding to the current program meets the rule trigger identifier by using a preset behavior trigger condition;
Specifically, the preset behavior trigger condition is computed by the cloud server from statistics on the program behaviors of programs on multiple devices and is sent to the device in advance; the preset behavior trigger condition comprises the trigger conditions of the program behaviors corresponding to all programs on the device;
the behavior triggering conditions comprise: the program behavior corresponding to each program and the rule trigger corresponding to the program behavior.
A first sending module 53, configured to send a rule request to the server when a program behavior corresponding to the program meets the rule trigger, so that the server searches for a rule corresponding to the rule trigger according to the rule request;
the server may be a cloud server.
The first receiving module 54 is configured to receive a rule sent by a cloud server, and monitor a program behavior corresponding to the current program by using the rule sent by the cloud server.
For example, the rule sent by the cloud server is a defense rule, a file defense rule, an interception rule, and a data processing rule.
In another possible implementation, Fig. 6 shows a rule issuing device provided in an embodiment of the present invention. As shown in Fig. 6, the rule issuing device comprises: a monitoring module 61, a judging module 62, a first sending module 63, a first receiving module 64, a second sending module 65 and a second receiving module 66.
The monitoring module 61 is configured to monitor the program behavior corresponding to each program in the device.
The judging module 62 is configured to judge, using a preset behavior trigger condition, whether the program behavior corresponding to the current program meets the rule trigger identifier.
The first sending module 63 is configured to send a rule request to the cloud server when the program behavior corresponding to the program meets the rule trigger identifier, so that the cloud server searches for the rule corresponding to the rule trigger identifier according to the rule request.
The first receiving module 64 is configured to receive the rule sent by the cloud server, where the rule can be matched with the program behavior corresponding to the current program, and then to monitor the program behavior corresponding to the current program using that rule.
The second sending module 65 is configured to send, when part of the rules sent by the cloud server do not match the monitored program behavior corresponding to the current program, a rule revocation request for that part of the rules to the cloud server, so that the cloud server sends a deletion instruction for that part of the rules according to the rule revocation request.
The second receiving module 66 is configured to receive the deletion instruction sent by the cloud server and to delete that part of the rules according to the deletion instruction.
In another implementation, the first receiving module 64, the second sending module 65 and the second receiving module 66 of the above device are further configured for the following functions.
The first receiving module 64 is configured to receive the rule sent by the cloud server and, if the rule cannot be matched with the program behavior corresponding to the current program, to send a prompt message to the user.
Specifically, if the program behavior corresponding to the current program does not match any rule, that program behavior is an indeterminate program behavior, and the user is prompted to handle it, for example by deciding to release or intercept it, so that the program behavior corresponding to the current program is still monitored.
The second sending module 65 is configured to send, when none of the rules sent by the cloud server match the monitored program behavior corresponding to the current program, a rule revocation request for all of those rules to the cloud server, so that the cloud server sends a deletion instruction for all of the rules according to the rule revocation request.
The second receiving module 66 is configured to receive the deletion instruction sent by the cloud server and to delete all of the rules according to the deletion instruction.
Fig. 7 shows a rule issuing apparatus according to an embodiment of the present invention. As shown in Fig. 7, the rule issuing apparatus comprises: a monitoring module 71, a judging module 72, a first sending module 73, a first receiving module 74, a third receiving module 75 and a determining module 76.
The monitoring module 71 is configured to monitor the program behavior corresponding to each program in the device.
The judging module 72 is configured to judge, using a preset behavior trigger condition, whether the program behavior corresponding to the current program meets the rule trigger identifier.
The first sending module 73 is configured to send a rule request to the cloud server when the program behavior meets the rule trigger identifier, so that the cloud server searches for the rule corresponding to the rule trigger identifier according to the rule request.
The first receiving module 74 is configured to receive the rule sent by the cloud server, where the rule can be matched with the program behavior corresponding to the current program, and then to monitor the program behavior corresponding to the current program using that rule.
The third receiving module 75 is configured to receive a rule deletion instruction sent by the cloud server for deleting an unused rule in the device, where the rule deletion instruction comprises a rule deletion identifier sent by the cloud server to the device.
The determining module 76 is configured to find the rule in the device that matches the rule deletion identifier, determine that this rule no longer monitors the program behavior of the current program, and delete the rule according to the rule deletion instruction.
The above-described apparatus corresponds one to one with the above-described method; the detailed description of the method embodiments of the present invention applies equally to the apparatus and is not repeated here.
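The exchange between the device modules and the cloud server described above (trigger judgment, on-demand rule request, revocation of unmatched rules, and server-initiated deletion by rule deletion identifier), written out as an added simulation; this is example code, not the patent's implementation or any product code, and the program names, rule identifiers and trigger identifiers are constructed placeholders.

```python
# Constructed preset behavior trigger conditions, pushed to the device in advance
# by the cloud server: (program, behavior) -> rule trigger identifier.
TRIGGER_CONDITIONS = {
    ("installer.exe", "registry_write"): "TRG-REG-01",
    ("office.exe", "thread_injection"): "TRG-INJ-02",
}

# Constructed server-side rule store, keyed by rule trigger identifier.
SERVER_RULES = {
    "TRG-REG-01": [
        {"id": "R100", "type": "defense", "behavior": "registry_write", "action": "intercept"},
        {"id": "R101", "type": "file_defense", "behavior": "file_write", "action": "intercept"},
    ],
    "TRG-INJ-02": [
        {"id": "R200", "type": "interception", "behavior": "thread_injection", "action": "intercept"},
    ],
}

class CloudServer:
    # Hypothetical server side: answers rule requests, issues deletion instructions.
    def __init__(self, rules):
        self.rules = rules

    def handle_rule_request(self, trigger_id):
        # Only the rules tied to this trigger are issued, not the whole rule base.
        return [dict(r) for r in self.rules.get(trigger_id, [])]

    def deletion_instruction(self, rule_ids):
        # Deletion instruction: answers a revocation request, or is pushed by the
        # server on its own to retire an unused rule (the rule deletion identifier).
        return {"delete": list(rule_ids)}

class Device:
    # Hypothetical device side: monitoring, judging, sending and receiving modules.
    def __init__(self, server):
        self.server = server
        self.active_rules = {}   # rule id -> rule; holds only rules issued on demand
        self.requests_sent = 0
        self.prompts = []        # (program, behavior) pairs the user was asked about

    def _matching(self, behavior):
        return [r for r in self.active_rules.values() if r["behavior"] == behavior]

    def observe(self, program, behavior):
        """Monitor one program behavior and return the action taken on it."""
        if not self._matching(behavior):
            trigger_id = TRIGGER_CONDITIONS.get((program, behavior))
            if trigger_id is not None:            # judging module: trigger met
                self.requests_sent += 1           # first sending module
                for rule in self.server.handle_rule_request(trigger_id):
                    self.active_rules[rule["id"]] = rule   # first receiving module
        matched = self._matching(behavior)
        if not matched:
            # No issued rule matches: indeterminate behavior, prompt the user.
            self.prompts.append((program, behavior))
            return "prompt_user"
        return matched[0]["action"]

    def revoke_unmatched(self, behavior):
        """Second sending/receiving modules: revoke issued rules that do not match."""
        unmatched = [rid for rid, r in self.active_rules.items() if r["behavior"] != behavior]
        if unmatched:
            self.apply_deletion(self.server.deletion_instruction(unmatched))
        return unmatched

    def apply_deletion(self, instruction):
        """Third receiving/determining modules: delete the rules the identifier names."""
        return [rid for rid in instruction["delete"] if self.active_rules.pop(rid, None)]
```

The counter `requests_sent` shows the point the abstract makes: a behavior with no trigger, or one already covered by an issued rule, causes no rule traffic at all.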
In the description of the present invention, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the devices in an embodiment may be adaptively changed and placed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in a device of a browser terminal according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second, third, etcetera does not indicate any ordering. These words may be interpreted as names.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (6)

1. A rule issuing device is characterized by comprising:
the monitoring module is used for monitoring program behaviors corresponding to each program in the equipment;
the judging module is used for judging whether the program behavior corresponding to the current program meets the rule triggering identification or not by adopting a preset behavior triggering condition;
the first sending module is used for sending a rule request to the server when the program behavior accords with the rule trigger identifier, so that the server searches a rule corresponding to the rule trigger identifier according to the rule request;
the first receiving module is used for receiving the rule sent by the server and monitoring the program behavior corresponding to the current program by adopting the rule sent by the server;
a second sending module, configured to send, when part or all of the rules sent by the server do not match the monitored program behavior corresponding to the current program, a rule revocation request corresponding to that part or all of the rules to the server, so that the server sends a deletion instruction for that part or all of the rules according to the rule revocation request;
the second receiving module is used for receiving the deletion instruction sent by the server and deleting that part or all of the rules according to the deletion instruction;
the preset behavior triggering condition is compiled by the server from statistics on the program behaviors corresponding to programs in multiple devices, and the behavior triggering condition is sent to the device in advance;
the behavior triggering conditions comprise: the program behavior corresponding to each program and the rule trigger corresponding to the program behavior.
2. The apparatus of claim 1, further comprising:
a third receiving module, configured to receive a rule deleting instruction sent by the server, where the rule deleting instruction is used to delete an unused rule in the device, and the rule deleting instruction includes: the server sends a rule deletion identifier to the equipment;
and the determining module is used for searching the rule matched with the rule deleting identifier in the equipment, determining that the rule does not monitor the program behavior of the current program any more, and deleting the rule according to the rule deleting instruction.
3. The apparatus of claim 1, wherein:
the rules received from the server are defense rules, file defense rules, interception rules and data processing rules;
the program behavior includes: process creation, thread creation, file read-write operations, registry rewrite operations, stack operations, network communications, and/or thread injection operations.
4. A rule issuing method is characterized by comprising the following steps:
monitoring program behaviors corresponding to each program in the equipment;
judging whether the program behavior corresponding to the current program meets the rule trigger identification or not by adopting a preset behavior trigger condition;
if the program behavior conforms to the rule trigger identifier, sending a rule request to a server so that the server searches a rule corresponding to the rule trigger identifier according to the rule request;
receiving a rule sent by a server, and monitoring a program behavior corresponding to the current program by adopting the rule sent by the server;
if part or all of the rules sent by the server do not match the monitored program behavior corresponding to the current program, sending a rule revocation request corresponding to that part or all of the rules to the server, so that the server sends a deletion instruction for that part or all of the rules according to the rule revocation request;
receiving the deletion instruction sent by the server, and deleting that part or all of the rules according to the deletion instruction;
the preset behavior triggering condition is compiled by the server from statistics on the program behaviors corresponding to programs in multiple devices, and the behavior triggering condition is sent to the device in advance;
the behavior triggering conditions comprise: the program behavior corresponding to each program and the rule trigger corresponding to the program behavior.
5. The method of claim 4, further comprising:
receiving a rule deleting instruction sent by the server and used for deleting unused rules in the equipment, wherein the rule deleting instruction comprises: the server sends a rule deletion identifier to the equipment;
and searching a rule matched with the rule deleting identification in the equipment, determining that the rule does not monitor the program behavior of the current program any more, and deleting the rule according to the rule deleting instruction.
6. The method of claim 4, wherein:
the rules received from the server are defense rules, file defense rules, interception rules and data processing rules;
the program behavior includes: process creation, thread creation, file read-write operations, registry rewrite operations, stack operations, network communications, and/or thread injection operations.
Application CN201410806644.XA, priority date 2014-12-22, filing date 2014-12-22, "Rule issuing method and device", status Active, granted as CN105791221B (en).

Publications (2)

CN105791221A (en), published 2016-07-20
CN105791221B (en), published 2020-06-05
