CN106302531B - Safety protection method and device and terminal equipment - Google Patents


Info

Publication number: CN106302531B
Authority: CN (China)
Prior art keywords: data packet, application, malicious, address, library
Legal status: Active
Application number: CN201610873954.2A
Other languages: Chinese (zh)
Other versions: CN106302531A (en)
Inventor: 李伟
Current Assignee: Beijing Kingsoft Internet Security Software Co Ltd
Original Assignee: Beijing Kingsoft Internet Security Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The application provides a security protection method, a security protection device and a terminal device. The method comprises the following steps: acquiring the data packets each application in the terminal device sends to access the network; judging whether the destination server address contained in a data packet is in a preset address library, the preset address library comprising addresses of malicious servers; and if so, determining that the application that sent the data packet carries a malicious program. With this security protection method, security protection device and terminal device, malicious applications are searched for and killed according to the destination server address they access, so continuously updated malicious applications are protected against effectively and in real time, the time needed to search for and kill malicious applications is shortened, and the security level of the terminal device is improved.

Description

Safety protection method and device and terminal equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a security protection method and apparatus, and a terminal device.
Background
With the rapid spread of terminals, the accompanying security issues are becoming more prominent, especially given the wide variety of applications that may run on mobile terminals. Currently, security detection of unknown mobile applications mainly relies on traditional static detection techniques, such as signature (feature code) matching.
Feature code matching builds a rich feature code library by extracting feature strings from a large number of previously accumulated samples, and then analyses and matches the features of an unknown mobile application against that library under a security policy and scoring mechanism, so as to judge whether the unknown mobile application is malicious.
However, with this existing way of searching for and killing malicious applications, when a malicious application is updated the feature code library is difficult to update in time, so the new malicious application cannot be protected against effectively and in real time, and the risk that the user's terminal device is damaged increases.
Disclosure of Invention
The present application aims to solve, at least to some extent, one of the technical problems in the related art.
Therefore, a first objective of the present application is to provide a security protection method that searches for and kills malicious applications according to the destination server addresses the applications access, so as to protect against continuously updated malicious applications effectively and in real time, reduce the time needed to search for and kill malicious applications, and improve the security level of the terminal device.
A second objective of the present application is to provide a security protection device.
A third objective of the present application is to provide a terminal device.
To achieve the above objectives, an embodiment of the first aspect of the present application provides a security protection method, including: acquiring the data packets each application in the terminal device sends to access the network; judging whether the destination server address contained in a data packet is in a preset address library, the preset address library comprising addresses of malicious servers; and if so, determining that the application that sent the data packet carries a malicious program.
In a possible implementation form of the first aspect, acquiring the data packets each application in the terminal device sends to access the network includes:
acquiring the data packets each application in the terminal device sends to access the network by monitoring the network interface of the virtual network card in the terminal device.
In another possible implementation form of the first aspect, after determining that the application that sent the data packet carries a malicious program, the method further includes:
asking the user, through a prompt window, whether to uninstall the application that sent the data packet.
In another possible implementation form of the first aspect, after determining that the application that sent the data packet carries a malicious program, the method further includes:
intercepting or dropping all data packets corresponding to the application that sent the data packet.
In another possible implementation form of the first aspect, after judging whether the destination server address contained in the data packet is in the preset address library, the method further includes:
if not, judging whether the message digest corresponding to the data packet matches a feature code in a preset feature code library;
and if so, determining that the application that sent the data packet carries a malicious program.
In yet another possible implementation form of the first aspect, after determining that the application that sent the data packet carries a malicious program, the method further includes:
adding the destination server address contained in the data packet to the preset address library.
According to the security protection method of this embodiment, the data packets each application in the terminal device sends to access the network are first acquired, then it is judged whether the destination server address contained in a data packet is in a preset address library, and if so, it is determined that the application that sent the data packet carries a malicious program. Malicious applications are thus searched for and killed according to the destination server address they access, so continuously updated malicious applications are protected against effectively and in real time, the time needed to search for and kill malicious applications is reduced, and the security level of the terminal device is improved.
To achieve the above objectives, an embodiment of the second aspect of the present application provides a security protection device, including: an acquisition module, configured to acquire the data packets each application in the terminal device sends to access the network; a first judging module, configured to judge whether the destination server address contained in a data packet is in a preset address library, the preset address library comprising addresses of malicious servers; and a determining module, configured to determine that the application that sent the data packet carries a malicious program if the destination address is in the preset address library.
In a possible implementation form of the second aspect, the acquisition module is specifically configured to:
acquire the data packets each application in the terminal device sends to access the network by monitoring the network interface of the virtual network card in the terminal device.
In another possible implementation form of the second aspect, the security protection device further includes: a prompting module, configured to ask the user, through a prompt window, whether to uninstall the application that sent the data packet.
In yet another possible implementation form of the second aspect, the security protection device further includes: an interception module, configured to intercept or drop all data packets corresponding to the application that sent the data packet.
In yet another possible implementation form of the second aspect, the security protection device further includes: a second judging module, configured to judge whether the message digest corresponding to the data packet matches a feature code in a preset feature code library if the destination address contained in the data packet is not in the preset address library; and the determining module is further configured to determine that the application that sent the data packet carries a malicious program if the message digest corresponding to the data packet matches a feature code in the preset feature code library.
In yet another possible implementation form of the second aspect, the security protection device further includes: an adding module, configured to add the destination server address contained in the data packet to the preset address library.
The security protection device of this embodiment first acquires the data packets each application in the terminal device sends to access the network, then judges whether the destination server address contained in a data packet is in a preset address library, and if so, determines that the application that sent the data packet carries a malicious program. Malicious applications are thus searched for and killed according to the destination server address they access, so continuously updated malicious applications are protected against effectively and in real time, the time needed to search for and kill malicious applications is reduced, and the security level of the terminal device is improved.
To achieve the above objectives, a third aspect of the present application provides a terminal device, including: a processor; and a memory for storing a program executed by the processor; wherein the processor is configured to perform the following method: acquiring the data packets each application in the terminal device sends to access the network; judging whether the destination server address contained in a data packet is in a preset address library, the preset address library comprising addresses of malicious servers; and if so, determining that the application that sent the data packet carries a malicious program.
The terminal device of this embodiment first acquires the data packets each application in the terminal device sends to access the network, then judges whether the destination server address contained in a data packet is in a preset address library, and if so, determines that the application that sent the data packet carries a malicious program. Malicious applications are thus searched for and killed according to the destination server address they access, so continuously updated malicious applications are protected against effectively and in real time, the time needed to search for and kill malicious applications is reduced, and the security level of the terminal device is improved.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a flow chart of a security protection method according to an embodiment of the present application;
FIG. 2 is a flow chart of a security protection method according to another embodiment of the present application;
FIG. 3 is a block diagram of a security protection device according to an embodiment of the present application;
FIG. 4 is a block diagram of a security protection device according to another embodiment of the present application;
FIG. 5 is a block diagram of a terminal device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application.
The present application searches for and kills malicious applications according to the addresses of malicious servers. One malicious server corresponds to a plurality of malicious applications, that is, the number of malicious servers is far smaller than the number of malicious applications, so the malicious applications corresponding to a single malicious server address can be monitored in time, searched for and killed.
The security protection method of the embodiments of the present application is described below with reference to the drawings.
FIG. 1 is a flow chart of a security protection method according to an embodiment of the present application.
As shown in FIG. 1, the security protection method includes:
S101, acquiring the data packets each application in the terminal device sends to access the network.
Specifically, the execution subject of the security protection method of this embodiment is the security protection device of this embodiment, and the device may be configured in any terminal device that has an operating system and is capable of installing applications.
The type of terminal device can be chosen as needed; for example, it can be a mobile phone, a computer, a smart wearable device, and the like.
In a specific implementation, the security protection device may acquire the data packets the terminal device sends to access the network by monitoring a network interface of the terminal device, or by installing on the terminal device an application for monitoring network interaction data, such as Fiddler.
In a possible implementation form of this embodiment, for a terminal device whose operating system is Android, the system supports configuring a VPN service, and an important function of the VPN service is an "application proxy server". Once the VPN connection is established on the terminal device, all data packets sent out from the terminal device are forwarded to the network interface of the virtual network card; therefore, in this embodiment, the network data packets sent by all applications on the terminal device can also be obtained by reading the data on that interface. That is, in one possible implementation form of the present application, S101 includes:
acquiring the data packets each application in the terminal device sends to access the network by monitoring the network interface of the virtual network card in the terminal device.
S102, judging whether the destination server address contained in the data packet is in a preset address library, the preset address library comprising addresses of malicious servers.
S103, if so, determining that the application that sent the data packet carries a malicious program.
An address library containing the known addresses of various malicious servers can be preset in the security protection device in advance. The address library may be preset by a user or generated by analysing a large number of malicious applications; this embodiment does not limit how it is built.
Specifically, the data packet an application sends to access the network contains the address of the destination server the application wants to reach, the access request data, and so on. After acquiring such a data packet, the security protection device can read the destination server address from it and judge whether that address is in the preset address library. If so, it can be determined that the application carries a malicious program, such as a malicious plug-in, and the application can be processed further, for example by intercepting or dropping all data packets corresponding to the application that sent the packet, so as to prevent the malicious server from damaging the terminal device through the application.
It can be understood that, because the number of malicious server addresses is far smaller than the number of malicious applications, and malicious server addresses change far more slowly than malicious applications, matching a destination server address against the malicious server addresses in the address library is far faster than matching the feature codes in a data packet against a large number of feature codes. With the method of this embodiment, malicious applications can therefore be searched for, killed and protected against in a timely and effective way, the time needed to search for and kill them is reduced, and the security level of the terminal device is improved.
According to the security protection method of this embodiment, the data packets each application in the terminal device sends to access the network are first acquired, then it is judged whether the destination server address contained in a data packet is in a preset address library, and if so, it is determined that the application that sent the data packet carries a malicious program. Malicious applications are thus searched for and killed according to the destination server address they access, so continuously updated malicious applications are protected against effectively and in real time, the time needed to search for and kill malicious applications is reduced, and the security level of the terminal device is improved.
From the above analysis, the data packets applications send to access the network can be monitored and filtered effectively according to malicious server addresses, so that continuously updated malicious applications can be searched for and killed effectively and in real time. However, in a possible implementation form, if a new malicious server address appears and the security protection device cannot update the address library in time, a malicious application may survive in the terminal device for a certain time. For this situation, the security protection method of the present application is further described with reference to FIG. 2.
FIG. 2 is a flow chart of a security protection method according to another embodiment of the present application.
As shown in FIG. 2, the security protection method includes:
S201, acquiring the data packets each application in the terminal device sends to access the network by monitoring the network interface of the virtual network card in the terminal device.
S202, judging whether the destination server address contained in the data packet is in a preset address library; if so, executing S203, otherwise executing S204.
S203, determining that the application that sent the data packet carries a malicious program.
For S201 to S203, refer to the detailed descriptions of S101 to S103 in the above embodiment, which are not repeated here.
S204, judging whether the message digest corresponding to the data packet matches a feature code in a preset feature code library; if so, executing S203, otherwise executing S205.
S205, sending the data packet to the destination server.
Specifically, in this embodiment, when it cannot be determined from the destination server address in the data packet whether the application that sent it is malicious, the data packet may be analysed by the conventional feature code matching method.
The message digest corresponding to the data packet may be determined by any of several message digest algorithms, for example the fifth version of the Message Digest Algorithm (Message-Digest Algorithm 5, MD5 for short), MD4, MD3, and the like. That is, the whole data packet is treated as one large text message, and a unique MD5 message digest of the data packet is generated by an irreversible string transformation algorithm.
In a specific implementation, a feature code library containing the MD5 message digests of all known malicious data packets may be preset in the security protection device in advance, each feature code in the library corresponding to the message digest of one malicious data packet. Therefore, after the message digest of the currently acquired data packet is determined, it can be matched in turn against the feature codes in the preset feature code library to determine whether the application that sent the packet carries a malicious program: if a match is found, it is determined that the application carries a malicious program; otherwise the data packet can be sent on to the destination server.
In general, because different developers of malicious applications share the same purpose in developing them, or the same manner of damaging terminal devices, in this embodiment, when it cannot be determined from the malicious server address whether a data packet belongs to a malicious application, the data packet may be judged a second time according to its message digest, so as to finally determine whether it was sent by a malicious application.
Further, after determining from the message digest of the data packet that the application that sent it carries a malicious program, the method may also add the destination server address in the data packet to the preset address library. That is, after it is determined in step S204 that the message digest corresponding to the data packet matches a feature code in the preset feature code library, the method further includes:
S206, adding the destination server address contained in the data packet to the preset address library.
In addition, it should be noted that, after determining that the application that sent the data packet carries a malicious program, the security protection device may also intercept and analyse all data packets sent or received by that application, so as to update and improve the feature code library or the malicious server address library according to the application's other data packets.
Further, after it is determined that the application that sent the data packet carries a malicious program, the application may be processed, for example by intercepting the data packets it receives or sends, or by uninstalling it.
That is, after S203 described above, the method may further include:
S207, asking the user, through a prompt window, whether to uninstall the application that sent the data packet.
It can be understood that the security protection device may directly uninstall the application that sent the data packet after determining that it carries a malicious program. Alternatively, it may prompt the user by a pop-up window or similar that the application has accessed a malicious server, ask through the prompt window whether the user wants to uninstall the application, and uninstall it if the user confirms.
The security protection method of this embodiment first acquires the data packets each application in the terminal device sends to access the network by monitoring the network interface of the virtual network card in the terminal device, then judges whether the destination server address contained in a data packet is in a preset address library; if not, it determines the message digest corresponding to the data packet and judges whether that digest matches a feature code in a preset feature code library, and if so, determines that the application that sent the data packet carries a malicious program and updates the preset address library with the destination server address contained in the data packet. The data packet is thus verified twice, by its destination server address and by its message digest, so continuously updated malicious applications are protected against effectively and in real time, the time needed to search for and kill malicious applications is reduced, and the security level of the terminal device is improved. Moreover, the two-stage verification improves the reliability of searching for and killing malicious programs.
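The FIG. 2 flow (S201 to S207) as an added Python example, not the patent's own code: a stage-1 lookup of the destination address in the address library, a stage-2 MD5 digest lookup in the feature code library, the S206 feedback that adds a newly seen server address to the address library, and interception of all later packets from a flagged application. The application identifiers, server names and packet bytes are constructed sample data.

```python
"""Two-stage malicious-application check modelled on the patent's FIG. 2 flow.

Stage 1 (S202): destination server address looked up in a preset address library.
Stage 2 (S204): MD5 digest of the whole packet matched against a feature code library.
On a stage-2 hit (S206) the destination address is added to the address library,
so later packets from any app contacting that server are caught at stage 1.
Flagged apps have all further packets intercepted (interception module 42).
All names and sample data below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    app: str          # identifier of the sending application
    dst: str          # destination server address (host name or IP)
    payload: bytes    # raw packet bytes as read from the virtual NIC interface


@dataclass
class SecurityProtectionDevice:
    address_library: set                       # known malicious server addresses
    feature_library: set                       # MD5 hex digests of known malicious packets
    flagged_apps: set = field(default_factory=set)

    @staticmethod
    def digest(pkt: Packet) -> str:
        # The patent treats the whole packet as one message and hashes it (MD5 chosen here).
        return hashlib.md5(pkt.payload).hexdigest()

    def handle(self, pkt: Packet) -> str:
        """Return the action taken for one packet:
        'intercepted', 'malicious:address', 'malicious:digest' or 'forwarded'."""
        if pkt.app in self.flagged_apps:                 # already judged malicious: drop everything
            return "intercepted"
        if pkt.dst in self.address_library:              # S202 -> S203
            self.flagged_apps.add(pkt.app)
            return "malicious:address"
        if self.digest(pkt) in self.feature_library:     # S204 -> S203
            self.flagged_apps.add(pkt.app)
            self.address_library.add(pkt.dst)            # S206: learn the new server address
            return "malicious:digest"
        return "forwarded"                               # S205


# Constructed sample traffic: one request body whose digest sits in the feature library.
KNOWN_BAD_PAYLOAD = b"POST /beacon HTTP/1.1\r\nHost: new-c2.example\r\n\r\nid=0001&cmd=poll"
BENIGN_PAYLOAD = b"GET /weather?city=beijing HTTP/1.1\r\nHost: api.example\r\n\r\n"


def run_demo():
    """Feed five constructed packets through the device and return (actions, device)."""
    device = SecurityProtectionDevice(
        address_library={"c2.example"},
        feature_library={hashlib.md5(KNOWN_BAD_PAYLOAD).hexdigest()},
    )
    packets = [
        Packet("com.example.game", "update.example", BENIGN_PAYLOAD),          # clean -> forwarded
        Packet("com.example.flashlight", "c2.example", BENIGN_PAYLOAD),        # stage-1 hit
        Packet("com.example.flashlight", "cdn.example", BENIGN_PAYLOAD),       # app already flagged
        Packet("com.example.wallpaper", "new-c2.example", KNOWN_BAD_PAYLOAD),  # stage-2 hit, S206
        Packet("com.example.weather", "new-c2.example", BENIGN_PAYLOAD),       # now a stage-1 hit
    ]
    return [device.handle(p) for p in packets], device


if __name__ == "__main__":
    actions, dev = run_demo()
    for act in actions:
        print(act)
    print("address library now:", sorted(dev.address_library))
```

Because stage 2 hashes the whole packet, it only matches byte-identical packets; the reach of the method comes from stage 1 and from S206 feeding stage 2 hits back into the address library.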
In order to implement the safety protection method provided by the above embodiment, an embodiment of the present application further provides a safety protection device.
Figure 3 is a schematic diagram of a safety shield apparatus according to one embodiment of the present application.
As shown in fig. 3, safety shield apparatus 30 includes:
an obtaining module 31, configured to obtain a data packet of each application in the terminal device for accessing the network;
a first determining module 32, configured to determine whether an address of a destination server included in the data packet is in a preset address library, where the preset address library includes an address of a malicious server;
a determining module 33, configured to determine that the application sending the data packet carries a malicious program if the destination address is in a preset address library.
The safety protection device 30 provided in this embodiment may be configured in any specific operating system and application-installable terminal device, and is configured to execute the safety protection method shown in fig. 1.
Specifically, the obtaining module 31 may obtain the data packet of each application in the terminal device accessing the network in a plurality of ways. For example, the monitoring terminal device may be connected to a network interface, or software having a packet interception function may be used.
In a possible implementation form of the present application, the obtaining module 31 is specifically configured to:
and acquiring a data packet of each application access network in the terminal equipment by monitoring the network interface of the virtual network card in the terminal equipment.
It should be noted that the above description of the embodiment of the safety protection method shown in fig. 1 is also applicable to the safety protection device provided in this embodiment, and is not repeated herein.
The safety protection device provided by the embodiment of the application firstly obtains a data packet of each application in the terminal equipment for accessing the network, then judges whether a destination server address contained in the data packet is in a preset address library, and if so, determines that the application sending the data packet carries a malicious program. Therefore, the malicious application is searched and killed according to the address of the target server accessed by the application, so that the continuously updated malicious application is effectively protected in real time, the searching and killing time of the malicious application is reduced, and the security level of the terminal equipment is improved.
Figure 4 is a schematic diagram of a safety shield apparatus according to another embodiment of the present application.
As shown in fig. 4, safety shield apparatus 30, based on the illustration in fig. 3, further includes:
and the prompting module 41 is configured to query, through a prompting window, whether the user uninstalls the application that sends the data packet.
Specifically, after determining that the application sending the data packet carries a malicious program, safety guard device 30 may prompt and guide the user to uninstall the application. Before the application is uninstalled, in order to prevent a malicious program from damaging the terminal or stealing user information in the terminal, a data packet sent or received by the application may be intercepted, that is, the security protection device 30 further includes:
the interception module 42 is configured to intercept or discard all data packets corresponding to the application that sends the data packet.
In a possible implementation of this embodiment, if the destination address contained in the data packet is not in the preset address library, whether the application sending the data packet carries a malicious program may also be determined according to the message digest of the data packet; that is, the device 30 further includes:
a second judging module 43, configured to judge, if the destination address contained in the data packet is not in the preset address library, whether the message digest corresponding to the data packet matches a feature code in a preset feature code library;
correspondingly, the determining module 33 is further configured to determine that the application sending the data packet carries a malicious program if the message digest corresponding to the data packet matches a feature code in the preset feature code library.
Further, after determining according to the message digest of the data packet that the application sending the data packet carries a malicious program, the device 30 may also update the preset address library; that is, the device further includes:
an adding module 44, configured to add the destination server address contained in the data packet to the preset address library.
It should be noted that the above description of the embodiment of the safety protection method shown in fig. 2 is also applicable to the safety protection device provided in this embodiment, and is not repeated here.
The security protection device provided in this embodiment first obtains the data packets of each application on the terminal device by monitoring the network interface of a virtual network card in the terminal device, then judges whether the destination server address contained in each data packet is in a preset address library; if not, it judges whether the message digest corresponding to the data packet matches a feature code in a preset feature code library, and if so, determines that the application sending the data packet carries a malicious program and adds the destination server address contained in the data packet to the preset address library. Each data packet is thus verified twice, once against the destination server address and once against its message digest, so that continually updated malicious applications are protected against effectively and in real time, the time needed to detect and remove them is reduced, and the security level of the terminal device is improved. The two verifications also improve the reliability of detecting and removing malicious programs.
Fig. 5 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
As shown in fig. 5, the terminal device 5 includes:
a processor 51;
and a memory 52 for storing an execution program of the processor 51;
wherein the processor 51 is configured to perform the following method:
acquiring the data packets with which each application on the terminal device accesses the network;
judging whether the destination server address contained in the data packet is in a preset address library, wherein the preset address library comprises the addresses of malicious servers;
and if so, determining that the application sending the data packet carries a malicious program.
In particular, the processor 51 may generally include one or more modules that facilitate interaction between the processing component 51 and other components. For example, the processing component 51 may include a communication module to facilitate interaction with the memory 52 to retrieve the program from the memory 52.
The memory 52 is configured to store various types of data to support operations in the terminal device 5. Examples of such data include instructions for any application or method configured to operate on terminal device 5. The memory 52 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
It will be appreciated that the terminal device 5 further comprises a power supply component 53 for providing power to the various components of the terminal device 5. The power components 53 may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the terminal device 5.
In addition, the terminal device 5 may also include multimedia components 54, such as a touch-sensitive display screen providing an output interface between the terminal device 5 and the user. In some embodiments, the touch display screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
Further, the terminal device 5 may further include: an input/output (I/O) interface 55 for providing an interface between the processor 51 and peripheral interface modules, which may be keyboards, buttons, etc.
The terminal device 5 further comprises a communication component 56 configured to facilitate wired or wireless communication between the terminal device 5 and other devices. The terminal device 5 may access a wireless network based on a communication standard such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 56 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel.
In an exemplary embodiment, the terminal device 5 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic elements configured to perform the security protection method described above.
It should be noted that the foregoing explanation on the embodiment of the security protection method is also applicable to the terminal device of the embodiment, and the implementation principle is similar, and is not described herein again.
The terminal device provided by this embodiment first obtains the data packets with which each application on the terminal device accesses the network, then judges whether the destination server address contained in each data packet is in a preset address library, and if so, determines that the application sending the data packet carries a malicious program. Because malicious applications are detected and removed according to the address of the destination server they access, continually updated malicious applications are protected against effectively and in real time, the time needed to detect and remove them is reduced, and the security level of the terminal device is improved.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means at least two, e.g. two, three, etc., unless specifically limited otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present application includes other implementations in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc. Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.

Claims (11)

1. A security protection method, comprising the following steps:
acquiring the data packets with which each application on the terminal device accesses the network;
judging whether the destination server address contained in the data packet is in a preset address library, wherein the preset address library comprises the addresses of malicious servers;
if so, determining that the application sending the data packet carries a malicious program;
wherein, after the step of judging whether the destination server address contained in the data packet is in the preset address library, the method further comprises:
if not, judging whether the message digest corresponding to the data packet matches a feature code in a preset feature code library, wherein each feature code in the preset feature code library corresponds to the message digest of a malicious data packet;
if so, determining that the application sending the data packet carries a malicious program;
when the application is determined to carry a malicious program, obtaining all data packets sent or received by the application;
and updating the preset address library or the feature code library according to all the data packets sent or received by the application.
2. The method according to claim 1, wherein acquiring the data packets with which each application on the terminal device accesses the network comprises:
acquiring the data packets with which each application on the terminal device accesses the network by monitoring the network interface of a virtual network card in the terminal device.
3. The method according to claim 1, further comprising, after determining that the application sending the data packet carries a malicious program:
asking the user, through a prompt window, whether to uninstall the application sending the data packet.
4. The method according to claim 1, further comprising, after determining that the application sending the data packet carries a malicious program:
intercepting or dropping all data packets corresponding to the application sending the data packet.
5. The method according to claim 1, further comprising, after determining according to the message digest corresponding to the data packet that the application sending the data packet carries a malicious program:
adding the destination server address contained in the data packet to the preset address library.
6. A security protection device, comprising:
an acquisition module, configured to acquire the data packets with which each application on the terminal device accesses the network;
a first judging module, configured to judge whether the destination server address contained in the data packet is in a preset address library, wherein the preset address library comprises the addresses of malicious servers;
a determining module, configured to determine that the application sending the data packet carries a malicious program if the destination address is in the preset address library;
a second judging module, configured to judge, if the destination address contained in the data packet is not in the preset address library, whether the message digest corresponding to the data packet matches a feature code in a preset feature code library, wherein each feature code in the preset feature code library corresponds to the message digest of a malicious data packet;
wherein the determining module is further configured to determine that the application sending the data packet carries a malicious program if the message digest corresponding to the data packet matches a feature code in the preset feature code library;
the determining module is further configured to obtain all data packets sent or received by the application when the application is determined to carry a malicious program;
and to update the preset address library or the feature code library according to all the data packets sent or received by the application.
7. The device according to claim 6, wherein the acquisition module is specifically configured to:
acquire the data packets with which each application on the terminal device accesses the network by monitoring the network interface of a virtual network card in the terminal device.
8. The device according to claim 6, further comprising:
a prompting module, configured to ask the user, through a prompt window, whether to uninstall the application sending the data packet.
9. The device according to claim 6, further comprising:
an interception module, configured to intercept or drop all data packets corresponding to the application sending the data packet.
10. The device according to claim 6, further comprising:
an adding module, configured to add the destination server address contained in the data packet to the preset address library when it is determined, according to the message digest corresponding to the data packet, that the application sending the data packet carries a malicious program.
11. A terminal device, comprising: a processor;
and a memory for storing an execution program of the processor;
wherein the processor is configured to perform the method of any one of claims 1-5.
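The two-stage check described for the device of fig. 4 and restated in claim 1 (destination address library first, then the packet's message digest against the feature code library, then interception of the flagged application's traffic and an update of the libraries), as an added Python example that is not part of the patent or of any Kingsoft product. The application names, the RFC 5737 documentation addresses, the payloads and the choice of SHA-256 as the digest function are all constructed assumptions; the is_malicious filter in learn_from_flagged_app is also my addition, since claim 1 says the libraries are updated from all of the flagged application's packets but not how those packets are selected.

```python
"""Two-stage per-application packet check modelled on the method above:
stage one matches the destination server address against a preset address
library, stage two matches the packet digest against a feature code library."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet captured on the terminal's (virtual) network interface."""
    app: str        # application that owns the socket
    dst_addr: str   # destination server address
    payload: bytes  # transport payload


@dataclass
class Verdict:
    action: str     # "forward" or "drop"
    reason: str


def packet_digest(pkt: Packet) -> str:
    """Message digest of a packet. SHA-256 of the payload is an assumption;
    the page does not fix the digest function."""
    return hashlib.sha256(pkt.payload).hexdigest()


class ProtectionDevice:
    def __init__(self, address_library: Set[str], feature_library: Set[str]) -> None:
        self.address_library = set(address_library)     # addresses of malicious servers
        self.feature_library = set(feature_library)     # digests of malicious packets
        self.flagged_apps: Set[str] = set()             # apps found to carry malware
        self.uninstall_prompts: List[str] = []          # what the prompting module asks about
        self.app_traffic: Dict[str, List[Packet]] = {}  # per-app history for the update step

    def inspect(self, pkt: Packet) -> Verdict:
        # Acquisition: keep every packet so the update step can revisit an app's traffic.
        self.app_traffic.setdefault(pkt.app, []).append(pkt)
        # Interception module: once an app is flagged, all its packets are dropped.
        if pkt.app in self.flagged_apps:
            return Verdict("drop", "application already flagged")
        # First judging module: cheap set lookup on the destination server address.
        if pkt.dst_addr in self.address_library:
            self._flag(pkt.app)
            return Verdict("drop", f"destination {pkt.dst_addr} is in the address library")
        # Second judging module: one hash per packet, only for addresses not yet known.
        digest = packet_digest(pkt)
        if digest in self.feature_library:
            self._flag(pkt.app)
            # Adding module: remember the server so future traffic fails stage one.
            self.address_library.add(pkt.dst_addr)
            return Verdict("drop", f"digest {digest[:12]} matches feature library; "
                                   f"{pkt.dst_addr} added to address library")
        return Verdict("forward", "no match in either library")

    def _flag(self, app: str) -> None:
        self.flagged_apps.add(app)
        self.uninstall_prompts.append(app)  # prompting module: ask the user to uninstall

    def learn_from_flagged_app(self, app: str,
                               is_malicious: Callable[[Packet], bool]) -> Tuple[int, int]:
        """Last step of claim 1: update the libraries from the flagged app's packets.
        The is_malicious filter is an assumption added here; learning from every packet
        unfiltered would also blocklist benign hosts (CDNs, analytics) the app uses."""
        new_addrs = new_feats = 0
        for p in self.app_traffic.get(app, []):
            if not is_malicious(p):
                continue
            if p.dst_addr not in self.address_library:
                self.address_library.add(p.dst_addr)
                new_addrs += 1
            d = packet_digest(p)
            if d not in self.feature_library:
                self.feature_library.add(d)
                new_feats += 1
        return new_addrs, new_feats


# Constructed sample data: RFC 5737 documentation addresses and made-up payloads.
KNOWN_BAD_SERVER = "203.0.113.7"
BEACON = b"BEACON|id=0001|cmd=poll"
BEACON_VARIANT = b"BEACON|id=0001|cmd=upload"
SAMPLE_PACKETS = [
    Packet("com.example.weather", "198.51.100.20", b"GET /forecast"),   # clean
    Packet("com.example.game", KNOWN_BAD_SERVER, b"hello"),             # stage-one hit
    Packet("com.example.flashlight", "192.0.2.44", BEACON),             # stage-two hit
    Packet("com.example.flashlight", "192.0.2.45", BEACON_VARIANT),     # already flagged
    Packet("com.example.flashlight", "198.51.100.20", b"GET /ads"),     # already flagged
    Packet("com.example.notes", "192.0.2.44", b"GET /sync"),            # learned address
]


def run_demo() -> Tuple[ProtectionDevice, List[Verdict], Tuple[int, int]]:
    device = ProtectionDevice({KNOWN_BAD_SERVER},
                              {packet_digest(Packet("", "", BEACON))})
    verdicts = [device.inspect(p) for p in SAMPLE_PACKETS]
    learned = device.learn_from_flagged_app(
        "com.example.flashlight", lambda p: p.payload.startswith(b"BEACON"))
    return device, verdicts, learned


if __name__ == "__main__":
    for p, v in zip(SAMPLE_PACKETS, run_demo()[1]):
        print(f"{p.app:24s} -> {p.dst_addr:14s} {v.action:8s} {v.reason}")
```

The ordering matters for cost and for the feedback loop: the address lookup is a set membership test and runs on every packet, the digest is computed only for packets whose destination is still unknown, and a stage-two hit promotes the destination into the address library so that the next application contacting the same server (com.example.notes in the sample) is caught at stage one without hashing. The filter passed to learn_from_flagged_app is where a real deployment needs care: a flagged application's history also contains legitimate destinations, and adding them wholesale turns the address library into a source of false positives for every other application on the device.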
CN201610873954.2A 2016-09-30 2016-09-30 Safety protection method and device and terminal equipment Active CN106302531B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610873954.2A CN106302531B (en) 2016-09-30 2016-09-30 Safety protection method and device and terminal equipment


Publications (2)

Publication Number Publication Date
CN106302531A CN106302531A (en) 2017-01-04
CN106302531B true CN106302531B (en) 2021-04-27

Family

ID=57716944


Country Status (1)

Country Link
CN (1) CN106302531B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant