CN106127032B - A kind of method and terminal intercepting application behavior - Google Patents
- Publication number
- CN106127032B
- Authority
- CN
- China
- Prior art keywords
- application program
- global hook
- behavior
- hook
- global
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Stored Programmes (AREA)
- Debugging And Monitoring (AREA)
Abstract
An embodiment of the invention discloses a method for intercepting application behavior, comprising: monitoring whether an application program registers a global hook; when the application program is detected registering the global hook, judging whether that registration is malicious behavior; and, when the registration is judged to be malicious behavior, intercepting the application program's registration of the global hook. An embodiment of the invention also discloses a terminal. The invention prevents a malicious program from registering a hook and damaging the terminal system, improving terminal security.
Description
Technical field
The present invention relates to the field of electronic technology, and in particular to a method and a terminal for intercepting application behavior.
Background
When a thread in a process creates or closes a window, the thread checks whether a hook function exists; if one exists, the hook function is called and executed.
Currently, the system provides the RegisterUserApiHook function, through which a terminal can register a global hook in the system; whenever certain specified messages are handled by any application program in the system, this hook is called. A malicious program that wants to avoid being detected and removed can therefore register a global hook through the RegisterUserApiHook function to block detection by security software, so that the malicious program gets past the security software's detection and can damage any process on the terminal, interfering with the user's normal use of the terminal.
Summary of the invention
The technical problem addressed by the embodiments of the invention is to provide a method and a terminal for intercepting application behavior that prevent a malicious program from registering a hook and damaging the terminal system, improving terminal security.
To solve the above technical problem, an embodiment of the invention provides a method for intercepting application behavior, comprising:
monitoring whether an application program registers a global hook;
when the application program is detected registering the global hook, judging whether the application program's registration of the global hook is malicious behavior;
when the application program's registration of the global hook is judged to be malicious behavior, intercepting the application program's registration of the global hook.
Wherein judging whether the application program's registration of the global hook is malicious behavior comprises:
obtaining the process information of the application program registering the global hook, and judging according to the process information whether the application program's registration of the global hook is malicious behavior.
Wherein the process information includes a process path;
judging according to the process information whether the application program's registration of the global hook is malicious behavior comprises:
determining, according to the process path, the application program performing the registration;
performing security detection on the application program to judge whether the application program is a malicious application;
when the application program is determined to be a malicious application, determining that the application program's registration of the global hook is malicious behavior.
Wherein judging according to the process information whether the application program's registration of the global hook is malicious behavior comprises:
determining a process file according to the process information;
calculating the feature code of the process file;
judging whether the feature code matches a preset feature code;
when the feature code is determined to match the preset feature code, determining that the application program's registration of the global hook is malicious behavior.
Wherein the global hook is a hook function used to intercept interface window messages.
An embodiment of the invention provides a terminal, comprising:
a monitoring unit, for monitoring whether an application program registers a global hook;
a judging unit, for judging, when the monitoring unit detects the application program registering the global hook, whether the application program's registration of the global hook is malicious behavior;
an interception unit, for intercepting the application program's registration of the global hook when the judging unit judges that the registration is malicious behavior.
Wherein the judging unit is specifically used for:
obtaining the process information of the application program registering the global hook, and judging according to the process information whether the application program's registration of the global hook is malicious behavior.
Wherein the process information includes a process path;
the judging unit includes:
a first determining subunit, for determining, according to the process path, the application program performing the registration;
a first judging subunit, for performing security detection on the application program to judge whether the application program is a malicious application;
a second determining subunit, for determining that the application program's registration of the global hook is malicious behavior when the judging subunit judges the application program to be a malicious application.
Wherein the judging unit includes:
a third determining subunit, for determining a process file according to the process information;
a calculating subunit, for calculating the feature code of the process file;
a second judging subunit, for judging whether the feature code matches a preset feature code;
a third determining subunit, for determining that the application program's registration of the global hook is malicious behavior when the second judging subunit judges that the feature code matches the preset feature code.
Wherein the global hook is a hook function used to intercept interface window messages.
In the embodiments of the invention, the terminal can monitor whether an application program registers a global hook; when the application program is detected registering the global hook, the terminal judges whether the registration is malicious behavior; when the registration is determined to be malicious behavior, the terminal intercepts the application program's registration of the global hook. This lets the terminal intercept malicious global hook registrations in time, improving the security of the terminal.
Brief description of the drawings
To explain the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a first embodiment of a method for intercepting application behavior provided by an embodiment of the invention;
Fig. 2 is a structural diagram of a first embodiment of a terminal provided by an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are obviously only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention, without creative effort, fall within the protection scope of the invention.
The executing entity in the embodiments of the invention may be a terminal, which may include intelligent terminals such as a computer, a tablet computer or a notebook. These terminals are only examples, not an exhaustive list; the terminal includes but is not limited to them.
Referring to Fig. 1, a flow diagram of a first embodiment of a method for intercepting application behavior provided by an embodiment of the invention. The method for intercepting application behavior of this embodiment includes the following steps:
S100, monitoring whether an application program registers a global hook.
In the embodiments of the invention, a hook is a program segment for processing system messages; it is hooked into the system through a system call. A hook can intercept and handle the corresponding messages: whenever a specific message is issued, the hook captures it before it reaches the target program and so gains control of that message. The hook can then process the captured message, and can even forcibly terminate its delivery.
In the embodiments of the invention, a global hook is a kind of system hook: when certain specified messages are handled by any application program in the system, the hook is called. A global hook comprises a DLL (Dynamic Link Library) file and a callback function. In a specific application, the global hook may be a hook function used to intercept interface window messages, such as a user32.dll global hook. Because user32.dll is a basic system DLL and most processes load it, every process that loads user32.dll also loads this user32.dll global hook at startup.
In the embodiments of the invention, the terminal may provide the NtUserRegisterUserApiHook function, which can be used to register a global hook, for example a user32.dll global hook. The terminal can therefore monitor the NtUserRegisterUserApiHook function: when it detects that the NtUserRegisterUserApiHook function is called to register a global hook, the terminal can determine that an application program is registering a global hook.
S101, when the application program is detected registering the global hook, judging whether the application program's registration of the global hook is malicious behavior.
In the embodiments of the invention, when the terminal detects an application program registering a global hook, the terminal can obtain the process information of the application program performing the registration and judge from that process information whether the registration is malicious behavior. The process information may include a process path. The terminal may then make the judgement as follows: the terminal determines, according to the process path, the application program performing the registration, and calls an antivirus application to perform security detection on it. In a specific application, the antivirus application may be a security application such as Duba or 360 Security Guard. When the antivirus application judges the file to be a dangerous file or an unknown file, the terminal can determine that the application program is a malicious application; when the antivirus application judges it to be a safe file, the terminal can determine that the application program is not a malicious application. When the terminal determines that the application program is a malicious application, the terminal can determine that the application program's registration of the global hook is malicious behavior.
Further, the terminal may also judge from the process information whether the registration is malicious behavior as follows: the terminal determines a process file according to the process information, where the process file may be the application program performing the registration; the terminal calculates the feature code of the process file and judges whether the feature code matches a preset feature code; when the feature code is determined to match the preset feature code, the terminal can determine that the application program's registration of the global hook is malicious behavior. The feature code may be an MD5 (Message Digest Algorithm 5) feature code, a hash value, or the like. The terminal may preset a feature code library that records the feature codes of malicious files; the terminal can therefore match the obtained feature code against the preset feature code library, and when a feature code consistent with it is found, the terminal can determine that the application program's registration of the global hook is malicious behavior.
S102, when the application program's registration of the global hook is determined to be malicious behavior, intercepting the application program's registration of the global hook.
In the embodiments of the invention, when the terminal determines that the application program's registration of the global hook is malicious behavior, the terminal can intercept the registration, for example by terminating the operation of registering the global hook, or by refusing to execute the registration.
In the embodiments of the invention, when the application program's registration of the global hook is determined not to be malicious behavior, the terminal can call the NtUserRegisterUserApiHook function to register the global hook.
In the embodiments of the invention, the terminal can monitor whether an application program registers a global hook; when the application program is detected registering the global hook, the terminal judges whether the registration is malicious behavior; when the registration is determined to be malicious behavior, the terminal intercepts the application program's registration of the global hook. This lets the terminal intercept malicious global hook registrations in time, improving the security of the terminal.
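The judgement and interception decision of steps S101 and S102, as an added example that is not part of the patent. It combines the two judging methods described above (feature-code match first, then the antivirus verdict), uses SHA-256 as the hash where the text names MD5 or another hash value, and assumes an unreadable process file is treated like an unknown file; all names, PIDs and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple


class Verdict(Enum):
    """Result of the security detection performed by the antivirus application."""
    SAFE = "safe"
    DANGEROUS = "dangerous"
    UNKNOWN = "unknown"


class Decision(Enum):
    ALLOW = "allow"  # pass the call on to the registration function
    BLOCK = "block"  # S102: terminate or refuse the registration


@dataclass(frozen=True)
class HookRegistration:
    """Process information captured when a registration call is observed (S100)."""
    pid: int
    process_path: str


def feature_code(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash the process file in chunks so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def judge(event: HookRegistration,
          signature_db: Set[str],
          scanner: Optional[Callable[[str], Verdict]] = None) -> Tuple[Decision, str]:
    """S101: decide whether this global hook registration is malicious."""
    try:
        code = feature_code(event.process_path)
    except OSError:
        # Assumption of this example: a caller whose file cannot be read
        # is handled like an unknown file, i.e. blocked.
        return Decision.BLOCK, "process file unreadable"
    if code in signature_db:
        return Decision.BLOCK, "feature code matches preset library"
    if scanner is not None:
        verdict = scanner(event.process_path)
        # The text treats both dangerous and unknown files as malicious.
        if verdict is not Verdict.SAFE:
            return Decision.BLOCK, "scanner verdict: " + verdict.value
    return Decision.ALLOW, "no match, scanner verdict safe or absent"


def demo() -> Dict[str, Tuple[Decision, str]]:
    """Run the judgement over four constructed registration events."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "dropper.exe": b"constructed sample: listed in the feature code library",
            "editor.exe": b"constructed sample: ordinary application",
            "new.exe": b"constructed sample: never seen before",
        }
        paths = {name: os.path.join(tmp, name) for name in samples}
        for name, data in samples.items():
            with open(paths[name], "wb") as fh:
                fh.write(data)
        paths["gone.exe"] = os.path.join(tmp, "gone.exe")  # file does not exist

        signature_db = {feature_code(paths["dropper.exe"])}

        def scanner(path: str) -> Verdict:
            # Stand-in for the antivirus application: only editor.exe is known safe.
            return Verdict.SAFE if path == paths["editor.exe"] else Verdict.UNKNOWN

        return {
            name: judge(HookRegistration(pid, paths[name]), signature_db, scanner)
            for pid, name in enumerate(paths, start=4000)
        }


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:12} {decision.value:6} {reason}")
```

A hash match only recognises files already in the library, which is why the unknown-file case (new.exe) is decided by the scanner path rather than the feature code.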
Referring to Fig. 2, a structural diagram of a first embodiment of a terminal provided by an embodiment of the invention. The terminal of this embodiment includes:
a monitoring unit 100, for monitoring whether an application program registers a global hook;
a judging unit 200, for judging, when the monitoring unit detects the application program registering the global hook, whether the application program's registration of the global hook is malicious behavior;
an interception unit 300, for intercepting the application program's registration of the global hook when the judging unit judges that the registration is malicious behavior.
In the embodiments of the invention, a hook is a program segment for processing system messages; it is hooked into the system through a system call. A hook can intercept and handle the corresponding messages: whenever a specific message is issued, the hook captures it before it reaches the target program and so gains control of that message. The hook can then process the captured message, and can even forcibly terminate its delivery.
In the embodiments of the invention, a global hook is a kind of system hook: when certain specified messages are handled by any application program in the system, the hook is called. A global hook comprises a DLL (Dynamic Link Library) file and a callback function. In a specific application, the global hook may be a hook function used to intercept interface window messages, such as a user32.dll global hook. Because user32.dll is a basic system DLL and most processes load it, every process that loads user32.dll also loads this user32.dll global hook at startup.
In the embodiments of the invention, the terminal may provide the NtUserRegisterUserApiHook function, which can be used to register a global hook, for example a user32.dll global hook. The monitoring unit 100 can therefore monitor the NtUserRegisterUserApiHook function: when it detects that the NtUserRegisterUserApiHook function is called to register a global hook, the monitoring unit 100 can determine that an application program is registering a global hook.
In the embodiments of the invention, when the monitoring unit 100 detects an application program registering a global hook, the judging unit 200 can obtain the process information of the application program performing the registration and judge from that process information whether the registration is malicious behavior. The process information may include a process path. The judging unit 200 may then make the judgement as follows: the judging unit 200 determines, according to the process path, the application program performing the registration, and calls an antivirus application to perform security detection on it. In a specific application, the antivirus application may be a security application such as Duba or 360 Security Guard. When the antivirus application judges the file to be a dangerous file or an unknown file, the judging unit 200 can determine that the application program is a malicious application; when the antivirus application judges it to be a safe file, the judging unit 200 can determine that the application program is not a malicious application. When the judging unit 200 determines that the application program is a malicious application, the judging unit 200 can determine that the application program's registration of the global hook is malicious behavior.
Further, the judging unit 200 may also judge from the process information whether the registration is malicious behavior as follows: the judging unit 200 determines a process file according to the process information, where the process file may be the application program performing the registration; the terminal calculates the feature code of the process file and judges whether the feature code matches a preset feature code; when the judging unit 200 determines that the feature code matches the preset feature code, the judging unit 200 can determine that the application program's registration of the global hook is malicious behavior. The feature code may be an MD5 (Message Digest Algorithm 5) feature code, a hash value, or the like. The terminal may preset a feature code library that records the feature codes of malicious files; the judging unit 200 can therefore match the obtained feature code against the preset feature code library, and when a feature code consistent with it is found, the judging unit 200 can determine that the application program's registration of the global hook is malicious behavior.
In the embodiments of the invention, when the judging unit 200 determines that the application program's registration of the global hook is malicious behavior, the interception unit 300 can intercept the registration. For example, the interception unit 300 terminates the operation of registering the global hook, or the interception unit 300 refuses to execute the registration.
In the embodiments of the invention, when the judging unit 200 determines that the application program's registration of the global hook is not malicious behavior, the terminal can call the NtUserRegisterUserApiHook function to register the global hook.
Wherein the judging unit 200 is specifically used for:
obtaining the process information of the application program registering the global hook, and judging according to the process information whether the application program's registration of the global hook is malicious behavior.
The process information includes a process path;
the judging unit 200 includes:
a first determining subunit, for determining, according to the process path, the application program performing the registration;
a first judging subunit, for performing security detection on the application program to judge whether the application program is a malicious application;
a second determining subunit, for determining that the application program's registration of the global hook is malicious behavior when the judging subunit judges the application program to be a malicious application.
The judging unit 200 includes:
a third determining subunit, for determining a process file according to the process information;
a calculating subunit, for calculating the feature code of the process file;
a second judging subunit, for judging whether the feature code matches a preset feature code;
a third determining subunit, for determining that the application program's registration of the global hook is malicious behavior when the second judging subunit judges that the feature code matches the preset feature code.
It can be understood that the functions of the functional modules of the units in the terminal of this embodiment can be implemented according to the method in the above method embodiment; for the specific implementation process, refer to the related description of the above method embodiment, which is not repeated here.
In the embodiments of the invention, the terminal can monitor whether an application program registers a global hook; when the application program is detected registering the global hook, the terminal judges whether the registration is malicious behavior; when the registration is determined to be malicious behavior, the terminal intercepts the application program's registration of the global hook. This lets the terminal intercept malicious global hook registrations in time, improving the security of the terminal.
Those of ordinary skill in the art will understand that all or part of the processes in the above embodiment methods can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above disclosure is only a preferred embodiment of the present invention and of course cannot limit the scope of the rights of the invention; equivalent changes made in accordance with the claims of the invention therefore still fall within the scope of the invention.
Claims (10)
1. a kind of method for intercepting application behavior, which is characterized in that the described method includes:
Whether monitoring application program, which passes through, carries out registration global hook for registering the function of global hook provided by system,
In, the global hook is the program for processing system message, for intercepting and capturing specific system message and to described specific
System message is processed, and the global hook includes the global hook for preventing security software from being detected;
When monitoring that the application program carries out registering the global hook, judge that the application program carries out registering global hook
Whether the behavior of son is malicious act;
When determining that the application program register the behavior of global hook as malicious act, the application program is infused
The behavior of volume global hook is intercepted.
2. the method as described in claim 1, which is characterized in that the judgement application program carries out registration global hook
Whether behavior is that malicious act includes:
The progress information that the application program register the global hook is obtained, judgement institute is carried out according to the progress information
It states application program and whether register the behavior of global hook as malicious act.
3. method according to claim 2, which is characterized in that the progress information includes process path;
It is described to be carried out judging that whether the application program register the behavior of global hook as malice according to the progress information
Behavior includes:
The application program registered is determined according to the process path;
Safety detection is carried out to the application program, judges whether the application program is malicious application;
When determining the application program is malicious application, determine that the application program carries out the behavior of registration global hook
For malicious act.
4. method according to claim 2, which is characterized in that it is described judge according to the progress information it is described using journey
Sequence register global hook behavior whether as malicious act include:
Process file is determined according to the progress information;
Calculate the condition code of the process file;
Judge whether described document information matches with preset condition code;
When determining that described document information and preset condition code match, determine that the application program carries out registration global hook
Behavior is malicious act.
5. the method as described in claim 1, which is characterized in that the global hook is used to intercept the hook of interfaces windows message
Subfunction.
6. a kind of terminal, which is characterized in that the terminal includes:
Monitoring unit is infused for monitoring the function whether application program passes through provided by system for registering global hook
Volume global hook, wherein the global hook is the program for processing system message, for intercepting and capturing specific system message simultaneously
The specific system message is processed, the global hook includes complete for preventing security software from being detected
Office's hook;
Judging unit, for judging when the monitoring unit monitors that the application program carries out registering the global hook
Whether the application program register the behavior of global hook as malicious act;
Interception unit, for judging that the application program register the behavior of global hook as malice row when the judging unit
For when, to the application program carry out registration global hook behavior intercept.
7. terminal as claimed in claim 6, which is characterized in that the judging unit is specifically used for:
The progress information that the application program register the global hook is obtained, judgement institute is carried out according to the progress information
It states application program and whether register the behavior of global hook as malicious act.
8. terminal as claimed in claim 7, which is characterized in that the progress information includes process path;
The judging unit includes:
First determines subelement, for determining the application program registered according to the process path;
First judgment sub-unit judges whether the application program is malice for carrying out safety detection to the application program
Application program;
Second determines subelement, for determining when the judgment sub-unit judges the application program for malicious application
The application program register the behavior of global hook as malicious act.
9. The terminal according to claim 7, characterized in that the judging unit includes:
A third determining subunit, configured to determine a process file according to the process information;
A computation subunit, configured to calculate the condition code of the process file;
A second judging subunit, configured to judge whether the file information matches a preset condition code;
A third determining subunit, configured to determine, when the second judging subunit judges that the file information matches the preset condition code, that the application program's behavior of registering the global hook is malicious behavior.
10. The terminal according to claim 6, characterized in that the global hook is a hook function used to intercept interface window messages.
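The judging logic of claims 7 to 9, sketched as an added example that is not part of the patent text: given one observed hook-registration event, it derives the process file from the process path, computes its condition code, and returns an intercept or allow verdict. The event shape, the use of SHA-256 as the condition code, the fail-closed policy and the `scan` callback are assumptions of this example; the sample files are constructed.

```python
import hashlib
import os
import tempfile
from typing import Callable, NamedTuple, Optional, Set

class HookRegistration(NamedTuple):
    """One observed call to the system's hook-registration function (hypothetical event shape)."""
    process_path: str  # process path taken from the process information (claim 8)
    thread_id: int     # 0 = system-wide hook, as with SetWindowsHookEx's dwThreadId

def condition_code(path: str) -> str:
    """Condition code of the process file (claim 9). SHA-256 is this example's assumption."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def judge(event: HookRegistration, preset_codes: Set[str],
          scan: Optional[Callable[[str], bool]] = None) -> str:
    """Judging unit: return "intercept" or "allow" for one registration event."""
    if event.thread_id != 0:
        return "allow"      # thread-local hook: outside the scope of the claims
    try:
        code = condition_code(event.process_path)
    except OSError:
        return "intercept"  # assumption: fail closed when the registrant cannot be read
    if code in preset_codes:
        return "intercept"  # claim 9: condition code matches a preset one
    if scan is not None and scan(event.process_path):
        return "intercept"  # claim 8: security detection flags the application
    return "allow"

def demo() -> list:
    """Run the judging logic over constructed stand-in process files."""
    with tempfile.TemporaryDirectory() as d:
        bad, good = os.path.join(d, "bad.exe"), os.path.join(d, "good.exe")
        for path, body in ((bad, b"constructed sample A"), (good, b"constructed sample B")):
            with open(path, "wb") as f:
                f.write(body)
        preset = {condition_code(bad)}
        events = [HookRegistration(bad, 0), HookRegistration(good, 0),
                  HookRegistration(bad, 4242), HookRegistration(os.path.join(d, "gone.exe"), 0)]
        return [judge(e, preset) for e in events]

if __name__ == "__main__":
    print(demo())
```
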
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610475460.9A CN106127032B (en) | 2016-06-25 | 2016-06-25 | A kind of method and terminal intercepting application behavior |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610475460.9A CN106127032B (en) | 2016-06-25 | 2016-06-25 | A kind of method and terminal intercepting application behavior |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106127032A CN106127032A (en) | 2016-11-16 |
CN106127032B true CN106127032B (en) | 2019-05-03 |
Family
ID=57266387
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610475460.9A Active CN106127032B (en) | 2016-06-25 | 2016-06-25 | A kind of method and terminal intercepting application behavior |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106127032B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108228411A (en) * | 2016-12-14 | 2018-06-29 | 北京国双科技有限公司 | A kind of method and mobile terminal of the monitoring of APP interfaces |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101620660A (en) * | 2009-07-31 | 2010-01-06 | 北京大学 | Method for defending hooks in Windows operating system |
CN102254113A (en) * | 2011-06-27 | 2011-11-23 | 深圳市安之天信息技术有限公司 | Method and system for detecting and intercepting malicious code of mobile terminal |
CN102413142A (en) * | 2011-11-30 | 2012-04-11 | 华中科技大学 | Active defense method based on cloud platform |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
RU2535175C2 (en) * | 2012-12-25 | 2014-12-10 | Закрытое акционерное общество "Лаборатория Касперского" | System and method for detecting malware by creating isolated environment |
Also Published As
Publication number | Publication date |
---|---|
CN106127032A (en) | 2016-11-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20181203 Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing Applicant before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. |
GR01 | Patent grant |