CN106778236A - A kind of access control apparatus and method - Google Patents

Publication number
CN106778236A
Authority
CN
China
Prior art keywords
application
behavior
defence
prohibitive
environmental information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611075370.7A
Other languages
Chinese (zh)
Other versions
CN106778236B (en)
Inventor
李敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nubia Technology Co Ltd
Original Assignee
Nubia Technology Co Ltd
Application filed by Nubia Technology Co Ltd
Priority to CN201611075370.7A
Publication of CN106778236A
Application granted
Publication of CN106778236B
Legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)

Abstract

The invention discloses an access control apparatus applied to a mobile terminal. The apparatus includes: a first acquisition unit, for obtaining first-type environment information in the operating system environment of the mobile terminal; a second acquisition unit, for obtaining first-type activity information of a first application; a judging unit, for judging, by combining the first-type environment information and the first-type activity information, whether the first application exhibits a first prohibited behavior; a determining unit, for determining, if the first application exhibits the first prohibited behavior, the defense processing operation corresponding to that behavior; and a control unit, for performing the defense processing operation while allowing the permitted behaviors of the first application to run. The invention also discloses an access control method. With the technical solution of the invention, the efficiency and stability of the terminal operating system can be improved.

Description

Access control apparatus and method
Technical Field
The present invention relates to information processing technology, and in particular to an access control apparatus and method.
Background
In recent years, with the rapid development of the mobile Internet, third-party application markets have grown explosively. However, more and more immature applications (Application, abbreviated APP) are entering the application markets. Although their functions are richer, some applications show destructive behavior, such as continuously attempting network connections, frequently waking up the terminal, or occupying unnecessary resources for long periods, which has a negative impact on the terminal operating system. These destructive behaviors affect the operation of other APPs on the same terminal, increase terminal power consumption, consume cellular data, occupy storage space, and so on.
Summary of the Invention
In view of this, the present invention aims to provide an access control apparatus and method that can improve the efficiency and stability of the terminal operating system.
To achieve the above purpose, the technical solution of the present invention is realized as follows:
The invention provides an access control apparatus applied to a mobile terminal, the apparatus including:
A first acquisition unit, for obtaining first-type environment information in the operating system environment of the mobile terminal;
A second acquisition unit, for obtaining first-type activity information of a first application;
A judging unit, for judging, by combining the first-type environment information and the first-type activity information, whether the first application exhibits a first prohibited behavior;
A determining unit, for determining, if the first application exhibits the first prohibited behavior, the defense processing operation corresponding to the first prohibited behavior;
A control unit, for performing the defense processing operation while allowing the permitted behaviors of the first application to run.
In the above scheme, optionally, the second acquisition unit is further used for:
Obtaining the application programming interface (API, Application Programming Interface) request information of the first application by interacting with the first application.
In the above scheme, optionally, the judging unit is further used for:
Determining, according to the first-type environment information, the behaviors to be screened that are related to the first application;
Determining, according to the first-type activity information, from the behaviors to be screened, whether the first application exhibits the first prohibited behavior.
In the above scheme, optionally, the determining unit is further used for:
Querying a mapping-relationship set based on the first prohibited behavior, obtaining the range of optional defense processing operations in which the first prohibited behavior falls, and determining from that range the defense processing operation suited to the first prohibited behavior of the first application.
In the above scheme, optionally, the apparatus further includes:
A cleaning unit, for cleaning up the monitoring data related to the defense processing operation; wherein the monitoring data includes: data related to the first-type activity information of the first application, and data in the first-type environment information related to the first application.
The present invention also provides an access control method applied to a mobile terminal, the method including:
Obtaining first-type environment information in the operating system environment of the mobile terminal;
Obtaining first-type activity information of a first application;
Judging, by combining the first-type environment information and the first-type activity information, whether the first application exhibits a first prohibited behavior;
If the first application exhibits the first prohibited behavior, determining the defense processing operation corresponding to the first prohibited behavior;
Performing the defense processing operation while allowing the permitted behaviors of the first application to run.
In the above scheme, optionally, obtaining the first-type activity information of the first application includes:
Obtaining the API request information of the first application by interacting with the first application.
In the above scheme, optionally, determining, according to the first-type environment information and the first-type activity information, whether the first application exhibits the first prohibited behavior includes:
Determining, according to the first-type environment information, the behaviors to be screened that are related to the first application;
Determining, according to the first-type activity information, from the behaviors to be screened, whether the first application exhibits the first prohibited behavior.
In the above scheme, optionally, determining the defense processing operation corresponding to the first prohibited behavior includes:
Querying a mapping-relationship set based on the first prohibited behavior, obtaining the range of optional defense processing operations in which the first prohibited behavior falls, and determining from that range the defense processing operation suited to the first prohibited behavior of the first application.
In the above scheme, optionally, after performing the defense processing operation, the method further includes:
Cleaning up the monitoring data related to the defense processing operation; wherein the monitoring data includes: data related to the first-type activity information of the first application, and data in the first-type environment information related to the first application.
The access control apparatus and method provided by the present invention obtain first-type environment information in the operating system environment of the mobile terminal; obtain first-type activity information of a first application; judge, by combining the first-type environment information and the first-type activity information, whether the first application exhibits a first prohibited behavior; if the first application exhibits the first prohibited behavior, determine the defense processing operation corresponding to the first prohibited behavior; and perform the defense processing operation while allowing the permitted behaviors of the first application to run. In this way, when the first application is judged to exhibit the first prohibited behavior, the corresponding defense processing operation is performed while the application's permitted behaviors continue to run, so the adverse effect of an APP's prohibited behavior on the operating system environment can be resisted and the efficiency and stability of the terminal operating system can be improved.
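The method summarized above can be modeled end to end in a few functions. The following Python sketch is an added example, not code from the patent: the behavior names, API names, thresholds, severity rule and sample requests are all constructed assumptions, and the string `token` stands in for the IBinder unique request identifier.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EnvInfo:                      # first-type (macro-level) environment information
    battery_drain_pct_per_hour: float
    mobile_data_mb_last_hour: float

@dataclass(frozen=True)
class ApiRequest:                   # first-type activity information for one API request
    uid: int
    package: str
    api: str                        # hypothetical API name
    start_time: float               # request start time, seconds
    per_minute: float               # request frequency
    token: str                      # stands in for the IBinder unique request identifier
    held_seconds: float = 0.0

# behavior -> (API it concerns, measured field, limit). Constructed values.
RULES = {
    "frequent_wakeup": ("alarm.set", "per_minute", 6.0),
    "long_resource_hold": ("wakelock.acquire", "held_seconds", 600.0),
    "repeated_network_connect": ("net.connect", "per_minute", 30.0),
}

# Mapping-relationship set: behavior -> range of optional defense operations, mildest first.
DEFENSES = {
    "frequent_wakeup": ["defer_and_batch", "drop_request"],
    "long_resource_hold": ["release_after_timeout", "force_release"],
    "repeated_network_connect": ["rate_limit", "block_until_foreground"],
}

def behaviors_to_screen(env):
    """Use environment pressure to decide which behaviors are worth screening."""
    screen = set()
    if env.battery_drain_pct_per_hour >= 10.0:
        screen |= {"frequent_wakeup", "long_resource_hold"}
    if env.mobile_data_mb_last_hour >= 100.0:
        screen.add("repeated_network_connect")
    return screen

def find_forbidden(requests, screen):
    """Return (behavior, request, severity) for requests that break a screened rule."""
    hits = []
    for req in requests:
        for behavior in sorted(screen):
            api, field, limit = RULES[behavior]
            value = getattr(req, field)
            if req.api == api and value > limit:
                hits.append((behavior, req, value / limit))
    return hits

def choose_defense(behavior, severity):
    """Pick the operation from the optional range that fits this occurrence."""
    options = DEFENSES[behavior]
    return options[0] if severity < 3.0 else options[-1]

def control(env, requests, monitor_store):
    """Decide per request; only offending requests get a defense, the rest stay allowed."""
    decisions = {req.token: "allow" for req in requests}
    for behavior, req, severity in find_forbidden(requests, behaviors_to_screen(env)):
        decisions[req.token] = choose_defense(behavior, severity)
        monitor_store.pop(req.token, None)   # clean up monitoring data tied to the defense
    return decisions

# Constructed sample: four requests from one hypothetical app.
SAMPLE_REQUESTS = [
    ApiRequest(10123, "com.example.weather", "alarm.set", 0.0, 8.0, "b1"),
    ApiRequest(10123, "com.example.weather", "wakelock.acquire", 5.0, 0.1, "b2", 2400.0),
    ApiRequest(10123, "com.example.weather", "net.connect", 9.0, 45.0, "b3"),
    ApiRequest(10123, "com.example.weather", "location.get", 12.0, 1.0, "b4"),
]

if __name__ == "__main__":
    store = {r.token: [r] for r in SAMPLE_REQUESTS}
    print(control(EnvInfo(14.0, 20.0), SAMPLE_REQUESTS, store))
    print("monitoring data kept for:", sorted(store))
```

With battery drain high and data usage normal, the network request `b3` is left alone even though it exceeds its own limit, which is the point of screening against environment information first.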
Brief Description of the Drawings
Fig. 1 is a schematic diagram of the hardware structure of an optional mobile terminal for realizing each embodiment of the present invention;
Fig. 2 is a schematic diagram of the wireless communication system of the mobile terminal shown in Fig. 1;
Fig. 3 is a schematic flowchart of an implementation of the access control method provided by an embodiment of the present invention;
Fig. 4 is a schematic architecture diagram of an access control system provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the composition of the access control apparatus provided by an embodiment of the present invention.
Detailed Description
In order to understand the features and technical content of the embodiments of the present invention more fully, the implementation of the embodiments is described in detail below with reference to the accompanying drawings. The drawings are for reference and illustration only and are not intended to limit the embodiments of the present invention.
The terminal that realizes each embodiment of the present invention is now described with reference to the drawings. In the following description, suffixes such as "module", "part" or "unit" used to denote elements serve only to facilitate the description of the embodiments and have no specific meaning in themselves. Therefore, "module", "part" and "unit" can be used interchangeably.
A terminal can be implemented in various forms. For example, the terminal described in the embodiments of the present invention can include mobile terminals such as mobile phones, smartphones, notebook computers, digital broadcast receivers, personal digital assistants (PDA, Personal Digital Assistant), tablet computers (PAD), portable media players (PMP, Portable Media Player) and navigation devices, as well as fixed terminals such as digital TVs and desktop computers. Hereinafter it is assumed that the terminal is a mobile terminal. However, those skilled in the art will understand that, apart from elements used specifically for mobile purposes, the construction according to the embodiments of the present invention can also be applied to fixed-type terminals.
Fig. 1 is a schematic diagram of the hardware structure of a mobile terminal for realizing each embodiment of the present invention.
The mobile terminal 100 can include an audio/video (A/V) input unit 120, a user input unit 130, an output unit 150, a memory 160, an interface unit 170, a controller 180, a power supply unit 190, and so on. Fig. 1 shows a mobile terminal with various components, but it should be understood that not all of the components shown are required. More or fewer components can alternatively be implemented. The elements of the mobile terminal are discussed in more detail below.
The A/V input unit 120 is used to receive audio or video signals. The A/V input unit 120 can include a camera 121 and a microphone 122. The camera 121 processes the image data of still pictures or video obtained by an image capture device in video capture mode or image capture mode. The processed image frames can be displayed on the display unit 151. The image frames processed by the camera 121 can be stored in the memory 160 (or other storage medium), and two or more cameras 121 can be provided depending on the construction of the mobile terminal. The microphone 122 can receive sound (audio data) in operating modes such as telephone call mode, recording mode and speech recognition mode, and can process such sound into audio data. The microphone 122 can implement various types of noise cancellation (or suppression) algorithms to cancel (or suppress) the noise or interference produced while receiving and sending audio signals.
The user input unit 130 can generate key input data according to commands entered by the user to control the various operations of the mobile terminal. The user input unit 130 allows the user to input various types of information and can include a keyboard, a dome switch, a touch pad (for example, a touch-sensitive component that detects changes in resistance, pressure, capacitance and the like caused by being touched), a scroll wheel, a joystick, and so on. In particular, when the touch pad is superimposed on the display unit 151 in the form of a layer, a touch screen can be formed.
The interface unit 170 serves as the interface through which at least one external device can connect to the mobile terminal 100. For example, the external device can include a wired or wireless headset port, an external power supply (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device with an identification module, an audio input/output (I/O) port, a video I/O port, an earphone port, and so on. The identification module can store various information for verifying the user's use of the mobile terminal 100 and can include a user identification module (UIM, User Identify Module), a subscriber identity module (SIM, Subscriber Identity Module), a universal subscriber identity module (USIM, Universal Subscriber Identity Module), and so on. In addition, the device with the identification module (hereinafter referred to as the "identifying device") can take the form of a smart card; the identifying device can therefore be connected to the mobile terminal 100 via a port or other connecting means. The interface unit 170 can be used to receive input (for example, data, electric power and so on) from an external device and pass the received input to one or more elements in the mobile terminal 100, or can be used to transfer data between the mobile terminal and the external device.
In addition, when the mobile terminal 100 is connected to an external cradle, the interface unit 170 can serve as a path through which electric power is supplied from the cradle to the mobile terminal 100, or as a path through which various command signals input from the cradle are transferred to the mobile terminal. The various command signals or the electric power input from the cradle can serve as signals for recognizing whether the mobile terminal is accurately mounted on the cradle. The output unit 150 is configured to provide output signals (for example, audio signals, video signals, alarm signals, vibration signals and so on) in a visual, audio and/or tactile manner. The output unit 150 can include a display unit 151, an audio output module 152, an alarm unit 153, and so on.
The display unit 151 can display information processed in the mobile terminal 100. For example, when the mobile terminal 100 is in telephone call mode, the display unit 151 can display a user interface (UI, User Interface) or graphical user interface (GUI, Graphical User Interface) related to the call or to other communication (for example, text messaging, multimedia file download and so on). When the mobile terminal 100 is in video call mode or image capture mode, the display unit 151 can display captured and/or received images, a UI or GUI showing the video or images and related functions, and so on.
Meanwhile, when the display unit 151 and the touch pad are superimposed on each other as layers to form a touch screen, the display unit 151 can serve as both an input device and an output device. The display unit 151 can include at least one of a liquid crystal display (LCD, Liquid Crystal Display), a thin film transistor LCD (TFT-LCD, Thin Film Transistor-LCD), an organic light-emitting diode (OLED, Organic Light-Emitting Diode) display, a flexible display, a three-dimensional (3D) display, and so on. Some of these displays can be constructed to be transparent so that the user can see through them from the outside; these can be called transparent displays, and a typical transparent display is, for example, a transparent organic light-emitting diode (TOLED) display. Depending on the specific desired implementation, the mobile terminal 100 can include two or more display units (or other display devices); for example, the mobile terminal can include an external display unit (not shown) and an internal display unit (not shown). The touch screen can be used to detect touch input pressure as well as touch input position and touch input area.
The audio output module 152 can, when the mobile terminal is in a mode such as call signal reception mode, call mode, recording mode, speech recognition mode or broadcast reception mode, convert audio data received by the wireless communication unit 110 or stored in the memory 160 into an audio signal and output it as sound. Moreover, the audio output module 152 can provide audio output related to a specific function performed by the mobile terminal 100 (for example, a call signal reception sound, a message reception sound and so on). The audio output module 152 can include a loudspeaker, a buzzer, and so on.
The alarm unit 153 can provide output to notify the mobile terminal 100 of the occurrence of an event. Typical events can include call reception, message reception, key signal input, touch input, and so on. In addition to audio or video output, the alarm unit 153 can provide output in a different manner to notify of the occurrence of an event. For example, the alarm unit 153 can provide output in the form of vibration: when a call, a message or some other incoming communication is received, the alarm unit 153 can provide tactile output (that is, vibration) to notify the user. By providing such tactile output, the user can recognize the occurrence of various events even when the user's mobile phone is in the user's pocket. The alarm unit 153 can also provide output notifying of the occurrence of an event via the display unit 151 or the audio output module 152.
The memory 160 can store software programs for the processing and control operations performed by the controller 180, or can temporarily store data that has been output or is to be output (for example, a phone book, messages, still images, video and so on). Moreover, the memory 160 can store data about the various patterns of vibration and audio signals that are output when a touch is applied to the touch screen.
The memory 160 can include at least one type of storage medium, including flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM, Random Access Memory), static random access memory (SRAM, Static Random Access Memory), read-only memory (ROM, Read Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read Only Memory), programmable read-only memory (PROM, Programmable Read Only Memory), magnetic memory, magnetic disk, optical disc, and so on. Moreover, the mobile terminal 100 can cooperate with a network storage device that performs the storage function of the memory 160 over a network connection.
The controller 180 generally controls the overall operation of the mobile terminal. For example, the controller 180 performs the control and processing related to voice calls, data communication, video calls and so on. In addition, the controller 180 can include a multimedia module 181 for reproducing (or playing back) multimedia data; the multimedia module 181 can be built into the controller 180 or can be constructed separately from the controller 180. The controller 180 can perform pattern recognition processing to recognize handwriting input or picture-drawing input performed on the touch screen as characters or images.
The power supply unit 190 receives external or internal power under the control of the controller 180 and provides the appropriate electric power needed to operate each element and component.
The various embodiments described herein can be implemented in a computer-readable medium using, for example, computer software, hardware or any combination thereof. For hardware implementation, the embodiments described herein can be implemented using at least one of an application-specific integrated circuit (ASIC, Application Specific Integrated Circuit), a digital signal processor (DSP, Digital Signal Processing), a digital signal processing device (DSPD, Digital Signal Processing Device), a programmable logic device (PLD, Programmable Logic Device), a field programmable gate array (FPGA, Field Programmable Gate Array), a processor, a controller, a microcontroller, a microprocessor, or an electronic unit designed to perform the functions described herein; in some cases, such embodiments can be implemented in the controller 180. For software implementation, embodiments such as processes or functions can be implemented with separate software modules that each allow at least one function or operation to be performed. The software code can be implemented by a software application (or program) written in any appropriate programming language, and can be stored in the memory 160 and executed by the controller 180.
So far, the mobile terminal has been described in terms of its functions. Below, for the sake of brevity, a slide-type mobile terminal, among various types of mobile terminals such as folder-type, bar-type, swing-type and slide-type mobile terminals, is described as an example. The present invention can nevertheless be applied to any type of mobile terminal and is not limited to slide-type mobile terminals.
The mobile terminal 100 shown in Fig. 1 can be constructed to operate with wired and wireless communication systems, and with satellite-based communication systems, that transmit data via frames or packets.
The communication system in which a mobile terminal according to an embodiment of the present invention can operate is now described with reference to Fig. 2.
Such communication systems can use different air interfaces and/or physical layers. For example, the air interfaces used by communication systems include frequency division multiple access (FDMA, Frequency Division Multiple Access), time division multiple access (TDMA, Time Division Multiple Access), code division multiple access (CDMA, Code Division Multiple Access), the universal mobile telecommunications system (UMTS, Universal Mobile Telecommunications System) (in particular, Long Term Evolution (LTE, Long Term Evolution)), the global system for mobile communications (GSM), and so on. As a non-limiting example, the following description relates to a CDMA communication system, but the teaching applies equally to other types of systems.
Referring to Fig. 2, a CDMA wireless communication system can include multiple mobile terminals 100, multiple base stations (BS, Base Station) 270, base station controllers (BSC, Base Station Controller) 275 and a mobile switching center (MSC, Mobile Switching Center) 280. The MSC 280 is configured to interface with a public switched telephone network (PSTN, Public Switched Telephone Network) 290. The MSC 280 is also configured to interface with the BSC 275, which can be coupled to the base stations 270 via backhaul links. The backhaul links can be constructed according to any of several known interfaces, including for example E1/T1, ATM, IP, PPP, frame relay, HDSL, ADSL or xDSL. It will be understood that the system shown in Fig. 2 can include multiple BSCs 275.
Each BS 270 can serve one or more sectors (or regions), each sector being covered by an omnidirectional antenna or by an antenna pointing in a specific direction radially away from the BS 270. Alternatively, each sector can be covered by two or more antennas for diversity reception. Each BS 270 can be constructed to support multiple frequency assignments, each frequency assignment having a specific spectrum (for example, 1.25 MHz, 5 MHz and so on).
The intersection of a sector and a frequency assignment can be referred to as a CDMA channel. A BS 270 can also be referred to as a base transceiver station (BTS, Base Transceiver Station) or by other equivalent terms. In that case, the term "base station" can be used to refer broadly to a single BSC 275 and at least one BS 270. A base station can also be referred to as a "cell site". Alternatively, the individual sectors of a particular BS 270 can be referred to as multiple cell sites.
As shown in Fig. 2, a broadcast transmitter (BT, Broadcast Transmitter) 295 sends a broadcast signal to the mobile terminals 100 operating in the system. The broadcast reception module 111 shown in Fig. 1 is provided at the mobile terminal 100 to receive the broadcast signal sent by the BT 295. Fig. 2 also shows several global positioning system (GPS) satellites 300. The satellites 300 help locate at least one of the multiple mobile terminals 100.
Multiple satellites 300 are depicted in Fig. 2, but it should be understood that useful positioning information can be obtained with any number of satellites. The GPS module 115 shown in Fig. 1 is generally configured to cooperate with the satellites 300 to obtain the desired positioning information. Instead of or in addition to GPS tracking technology, other technologies that can track the position of the mobile terminal can be used. In addition, at least one GPS satellite 300 can optionally or additionally handle satellite DMB transmission.
As a typical operation of the wireless communication system, a BS 270 receives reverse link signals from various mobile terminals 100. The mobile terminals 100 typically take part in calls, messaging and other types of communication. Each reverse link signal received by a particular base station 270 is processed within that BS 270. The resulting data is forwarded to the associated BSC 275. The BSC provides call resource allocation and mobility management functions, including the coordination of soft handoff procedures between BSs 270. The BSC 275 also routes the received data to the MSC 280, which provides additional routing services for interfacing with the PSTN 290. Similarly, the PSTN 290 interfaces with the MSC 280, the MSC interfaces with the BSC 275, and the BSC 275 in turn controls the BSs 270 to send forward link signals to the mobile terminals 100.
Based on the mobile terminal hardware structure and communication system described above, the embodiments of the method of the present invention are proposed in order to resolve the negative impact that the destructive behavior of applications has on the terminal operating system and to improve the efficiency and stability of the operating system.
Embodiment one
Fig. 3 is a schematic flowchart of an implementation of the access control method provided by an embodiment of the present invention. The access control method in this example is applied to a mobile terminal; as shown in Fig. 3, it mainly includes the following steps:
Step 301: Obtain first-type environment information in the operating system environment of the mobile terminal.
Here, the operating system is the operating system of the mobile terminal.
For example, the operating systems used on mobile terminals mainly include Android (Google), iOS (Apple), Windows Phone (Microsoft), Symbian (Nokia), BlackBerry OS (BlackBerry), Windows Mobile (Microsoft), and so on.
Here, the first-type environment information is information about the operating system environment at the macro level. For example, the first-type environment information includes battery usage, storage usage, data traffic usage, and so on.
In an optional embodiment, obtaining the first-type environment information in the operating system environment of the mobile terminal includes:
Monitoring the operating system environment of the mobile terminal with a macro monitor, and obtaining the first-type environment information by analyzing the monitoring data.
That is, the macro monitor does not need to monitor all environment information in the operating system environment; it only needs to monitor the first-type environment information that helps judge whether each application exhibits prohibited behavior.
In an optional embodiment, after monitoring the operating system environment of the mobile terminal with the macro monitor and obtaining the first-type environment information by analyzing the monitoring data, the method further includes:
Sending the first-type environment information to each micro monitor through a controller, and notifying each micro monitor to monitor the first-type activity of each application and obtain first-type activity information by analyzing the monitoring data.
Here, different micro monitors are responsible for monitoring different first-type activities.
Step 302: Obtain the first-type activity information of the first application.
In this embodiment, the first application is installed on the mobile terminal.
In the embodiments of the present invention, the first application run by the mobile terminal can be an application that ships with the mobile terminal system, for example a clock application, a calculator application, a camera application or an address book application, or a third-party application installed by the user, for example a game application, a WeChat application, a browser application, an instant chat application or a mail application.
Here, the first-type activity information includes request information, such as application programming interface (API, Application Programming Interface) request information.
In an optional embodiment, obtaining the first-type activity information of the first application includes:
Obtaining the API request information of the first application by interacting with the first application.
The API request information can include:
Callee information, a request statement, a unique request identifier, and request parameters.
The callee information includes: the identifier (UID, User Identifier) of the application and the package name of the application.
The request statement includes the request start time and the request frequency.
The unique request identifier includes an IBinder object. Here, IBinder is the base interface in Android development for objects that can be operated on remotely.
In a specific embodiment, obtaining the first-type activity information of the first application includes:
Monitoring the first-type activity of the first application with a micro monitor, and obtaining the first-type activity information by analyzing the monitoring data.
It should be noted that the micro monitor does not track all request information of the first application; monitoring takes place only when the request information is likely to cause an adverse effect, such as continuously attempting network connections, frequently waking up the terminal, or occupying unnecessary resources for long periods.
It should be noted that step 301 and step 302 can be carried out simultaneously, or step 302 can be carried out before step 301.
Step 303: Judge, by combining the first kind environmental information and the first kind activity information, whether the first application has a first prohibitive behavior.
Here, the first prohibitive behavior is a behavior that the first application is, by default, not allowed to access.
Optionally, determining according to the first kind environmental information and the first kind activity information whether the first application has the first prohibitive behavior includes:
Determining, according to the first kind environmental information, the behaviors to be examined that are related to the first application;
Determining, according to the first kind activity information, from the behaviors to be examined whether the first application has the first prohibitive behavior.
That is, it is first judged preliminarily, from the first kind environmental information, whether the first application may have a behavior prohibited by the system; if the preliminary result is that it may, the first kind activity information is then used to judge whether the first application has a behavior prohibited by the system.
For example, if the first kind environmental information shows that the first application is consuming power, the first application may have a behavior prohibited by the system; the API request information of the first application is then used to judge whether such a behavior exists, and if it does, it is determined that the first application currently has the first prohibitive behavior.
As another example, if the first kind environmental information shows that the first application is consuming data traffic, the first application may have a behavior prohibited by the system; the API request information of the first application is then used to judge whether such a behavior exists, and if it does, it is determined that the first application currently has the first prohibitive behavior.
In this way, the macro-level system environment information monitored by the macro monitor is not, on its own, sufficient to infer which APP behaves badly; combined with the first kind activity information of each APP, it can be better determined which APP behaves badly and what type of bad behavior it is.
Step 304: If the first application has the first prohibitive behavior, determine the defence treatment operation corresponding to the first prohibitive behavior.
In an optional embodiment, determining the defence treatment operation corresponding to the first prohibitive behavior includes:
Querying a mapping relations set based on the first prohibitive behavior to obtain the range of optional defence treatment operations for the first prohibitive behavior, and determining, from that range, the defence treatment operation suited to the first prohibitive behavior of the first application.
The mapping relations set includes the mapping relations between different prohibitive behaviors and their corresponding defence treatment operations; each prohibitive behavior corresponds to one or more optional defence treatment operations.
It should be noted that the prohibitive behaviors corresponding to different applications may differ. In general, the higher an application's severity level, the larger its granted access permission scope and the fewer its corresponding prohibitive behaviors; conversely, the lower an application's severity level, the smaller its permission scope and the more its corresponding prohibitive behaviors.
In an optional embodiment, the method further includes:
Receiving a first operation, where the first operation is used to set or change an application white list;
Generating the application white list based on the first operation;
Determining the mapping relations set according to the application white list.
In general, the granted access permission scope of applications in the application white list is larger than that of applications not in the application white list. For example, some API requests may only be made by applications in the application white list.
In an optional embodiment, the method further includes:
Receiving a second operation, where the second operation is used to input a defence treatment strategy;
Generating the defence treatment strategy based on the second operation;
Determining the mapping relations set according to the defence treatment strategy.
An example of the different protection actions corresponding to defence treatment operations is shown in Table 1.
Table 1
For example, the protection action types corresponding to a defence treatment operation include: release. Specifically, to implement the release action for wake locks, the request information table, which records the start time of every wake lock, is checked periodically, and when a preset threshold is exceeded the corresponding lock object is deleted from the wake lock set.
For example, the protection action types corresponding to a defence treatment operation include: slow down. Specifically, to slow down a clock, the recurrence interval variable in the data structure is adjusted.
For example, the protection action types corresponding to a defence treatment operation include: delay. Specifically, to delay a timed action, the request is placed in a cache and processed after a determined time.
Step 305: Perform the defence treatment operation while allowing the permitted behaviors of the first application to run.
The defence treatment operation at least includes: total prohibition of execution, execution allowed when a trigger condition is met, and postponed execution.
In this way, when the first application is detected to have the first prohibitive behavior, that is, a destructive behavior, performing the defence treatment operation adjusts the behavior of the first application, which prevents the destructive behavior without affecting the main functions of the first application.
Further, after the defence treatment operation is performed, the method further includes:
Cleaning up the monitoring data related to the defence treatment operation, where the monitoring data includes: data related to the first kind activity information of the first application, and data in the first kind environmental information related to the first application.
In a specific embodiment, the monitoring data related to the defence treatment operation is cleaned up periodically, or is cleaned up promptly.
In this way, cleaning up old data frees storage space more effectively.
In this embodiment, the first kind environmental information in the operating system environment of the mobile terminal is obtained; the first kind activity information of the first application is obtained; the two are combined to judge whether the first application has a first prohibitive behavior; if it does, the defence treatment operation corresponding to the first prohibitive behavior is determined; and the defence treatment operation is performed while the permitted behaviors of the first application are allowed to run. In this way, when the first application is judged to have the first prohibitive behavior, the corresponding defence treatment operation is performed without stopping the application's permitted behaviors, which resists the adverse effect of APP prohibitive behaviors on the operating system environment and improves the efficiency and stability of the terminal operating system.
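The two-stage judgment of step 303, the mapping relations set of step 304 and the release, slow down and delay actions of step 305 can be followed in the Python example below, which is added here and is not code from the patent. The thresholds, behavior names, package names, the `WHITELIST_EXEMPT` set and the `policy` argument are assumptions made for illustration, and the sample request table is constructed.

```python
from dataclasses import dataclass

# Constructed thresholds: assumptions for this example only.
WAKELOCK_MAX_HOLD = 60.0    # seconds a wake lock may stay held
ALARM_MIN_INTERVAL = 30.0   # shortest recurrence interval tolerated, seconds
NET_MAX_ATTEMPTS = 5        # connection attempts tolerated in the window

# Stage 1: request kinds worth examining for each macro-level symptom.
EXAMINE = {"power": {"wakelock", "alarm"}, "traffic": {"network"}}

# Mapping relations set: prohibitive behavior -> optional defence operations.
MAPPING = {
    "long_wakelock": ["release"],
    "frequent_alarm": ["slow_down", "delay"],
    "connect_storm": ["delay"],
}
# Behaviors tolerated for white-listed apps (wider permission scope).
WHITELIST_EXEMPT = {"long_wakelock"}


@dataclass
class Request:
    """One API request recorded by a micro-monitor."""
    package: str
    kind: str              # "wakelock", "alarm" or "network"
    token: str             # stands in for Android's IBinder object
    start: float           # request start time, seconds
    interval: float = 0.0  # recurrence interval, alarms only


def behaviors_to_examine(env, package):
    """Stage 1: macro info only narrows which request kinds to inspect."""
    kinds = set()
    for resource, packages in env.items():
        if package in packages:
            kinds |= EXAMINE.get(resource, set())
    return kinds


def classify(req, now, net_attempts):
    """Stage 2: name the prohibitive behavior a single request shows, if any."""
    if req.kind == "wakelock" and now - req.start > WAKELOCK_MAX_HOLD:
        return "long_wakelock"
    if req.kind == "alarm" and req.interval < ALARM_MIN_INTERVAL:
        return "frequent_alarm"
    if req.kind == "network" and net_attempts > NET_MAX_ATTEMPTS:
        return "connect_storm"
    return None


def defend(env, table, package, now, whitelist=(), policy=None):
    """Steps 303-305 for one app: returns (actions, cleaned table, delay cache)."""
    policy = policy or {}
    kinds = behaviors_to_examine(env, package)
    exempt = WHITELIST_EXEMPT if package in whitelist else set()
    net_attempts = sum(r.package == package and r.kind == "network" for r in table)
    actions, kept, cache = [], [], []
    for req in table:
        behavior = None
        if req.package == package and req.kind in kinds:
            behavior = classify(req, now, net_attempts)
        if behavior is None or behavior in exempt:
            kept.append(req)             # permitted behavior keeps running
            continue
        options = MAPPING[behavior]
        op = policy.get(behavior, options[0])
        if op not in options:            # policy may only pick a mapped option
            op = options[0]
        if op == "slow_down":
            req.interval = ALARM_MIN_INTERVAL   # stretch the recurrence
            kept.append(req)
        elif op == "delay":
            cache.append(req)            # processed after a determined time
        # "release": the record is dropped from the table (lock set)
        actions.append((op, req.token))
    return actions, kept, cache


def sample():
    """Constructed input: the macro monitor flags only the game for power use."""
    env = {"power": {"com.example.game"}, "traffic": set()}
    table = [
        Request("com.example.game", "wakelock", "wl-1", start=0.0),
        Request("com.example.game", "wakelock", "wl-2", start=280.0),
        Request("com.example.game", "alarm", "al-1", start=10.0, interval=5.0),
        Request("com.example.mail", "wakelock", "wl-3", start=0.0),
        Request("com.example.mail", "alarm", "al-2", start=0.0, interval=900.0),
    ]
    return env, table
```

Because stage 1 gates stage 2, the mail client's equally old wake lock `wl-3` is never examined: an app that is not flagged at the macro level is left alone, which is the screening behavior the description attributes to the macro monitor.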
Embodiment two
Fig. 4 is an architecture diagram of an access control system provided in an embodiment of the present invention, applied to a mobile terminal. As shown in Fig. 4, the system includes:
Macro monitor 41, responsible for monitoring the first kind environmental information in the operating system environment;
Micro-monitor 42, responsible for monitoring the first kind activity information of each application;
Controller 43, responsible for notifying the micro-monitor 42, based on the first kind environmental information, to monitor the first kind activity information of each application;
Processor 44 corresponding to the micro-monitor 42, including a defense module, configured to determine the first prohibitive behavior of the first application according to the first kind activity information; determine the protection action corresponding to the first prohibitive behavior; and perform the protection action while allowing the normal access behaviors of the first application to run.
In this embodiment, the defensive operating system that resists APP disruption is referred to as DefOS. DefOS uses a modular design: a controller service monitors the macro-level operating system environment (such as battery and storage) and manages an extensible set of defense modules that handle different kinds of APP disruption.
The defense module and the microcontroller belong to subsystems of DefOS and record important APP activities. The defense module includes a defender, a storage space and a garbage collector (GC, Garbage Collection). Specifically, the defender is responsible for analyzing monitoring information and performing defense actions. The storage space is responsible for storing necessary information, such as cancelled defense actions. The GC is responsible for deleting old monitor data and the data stored in the storage space.
DefOS has two modes, permissive and defensive. It can provide services to APPs just as a basic operating system (OS, Operating System) does; when the system environment is unhealthy and suspicious APP activity occurs, such as frequent wake-up operations or holding a wake lock, DefOS enters the defensive mode and performs precise defense actions against the misbehaving APP, such as lowering the APP's time frequency or releasing a wake lock that has been held for a long time.
In this embodiment, the macro monitor 41 monitors the macro-level system environment, such as power and data usage. However, macro information is not sufficient to infer which APP behaves badly, nor to design an accurate defensive action. Therefore, DefOS delegates to a series of dedicated defense modules; the controller manages the life cycle of these defense modules, is responsible for propagating the macro-level system environment to them, and exposes some configuration information to the terminal user, such as the strategy for defense actions and the APP white list.
In this embodiment, DefOS not only monitors the macro-level system environment through the macro monitor 41, but also monitors APP-level activities through the micro-monitors 42, that is, by inserting a series of micro-monitors 42 into the services that interact with APPs, for example the power management service and the positioning service. A micro-monitor 42 can record precise API request information of an APP, including the callee (UID or package name), the request statement (request start time, request rate), the unique request identifier (the IBinder object in Android), the request parameters, and so on. The micro-monitor 42 does not track all activities of an APP; a request is monitored only when its type may cause an adverse effect, and when an APP makes a request that may cause an adverse effect, the defense module takes the corresponding defence treatment operation, such as release or cancel, to resist the destructive behavior of the APP. In addition, each defense module is equipped with a garbage collector that periodically cleans up old data. For example, after the defense module takes the corresponding defence treatment operation, most of the data of the micro-monitor 42 is deleted.
In this embodiment, the defender in the defense module is an important component of DefOS; it performs precise actions to reduce the bad behavior of various APPs. The defender is responsible for periodically checking the monitoring data and performing protection actions against potential bad behavior. The protection actions may be as shown in Table 1; they can release resources, adjust frequency, delay or block requests, or warn the user. The micro-monitor 42 relies on the dedicated subsystem to implement these protection actions. For example, to implement the release action for wake locks, the request information table, which records the start time of every wake lock, is checked periodically, and when a preset threshold is exceeded the corresponding lock object is deleted from the wake lock set. For example, to slow down a clock, the recurrence interval variable in the data structure is adjusted. For example, to delay a timed action, the request is placed in a cache and processed after a determined time.
Embodiment three
Fig. 5 is a schematic structural diagram of an access control apparatus provided in an embodiment of the present invention, applied to a mobile terminal. As shown in Fig. 5, the apparatus includes a first acquisition unit 51, a second acquisition unit 52, a judging unit 53, a determining unit 54 and a control unit 55, where:
The first acquisition unit 51 is configured to obtain the first kind environmental information in the operating system environment of the mobile terminal;
The second acquisition unit 52 is configured to obtain the first kind activity information of the first application;
The judging unit 53 is configured to judge, by combining the first kind environmental information and the first kind activity information, whether the first application has a first prohibitive behavior;
The determining unit 54 is configured to determine, if the first application has the first prohibitive behavior, the defence treatment operation corresponding to the first prohibitive behavior;
The control unit 55 is configured to perform the defence treatment operation while allowing the permitted behaviors of the first application to run.
In an optional embodiment, the second acquisition unit 52 is further configured to:
Obtain the application programming interface (API) request information of the first application by interacting with the first application.
In an optional embodiment, the judging unit 53 is further configured to:
Determine, according to the first kind environmental information, the behaviors to be examined that are related to the first application;
Determine, according to the first kind activity information, from the behaviors to be examined whether the first application has the first prohibitive behavior.
In an optional embodiment, the determining unit 54 is further configured to:
Query a mapping relations set based on the first prohibitive behavior to obtain the range of optional defence treatment operations for the first prohibitive behavior, and determine, from that range, the defence treatment operation suited to the first prohibitive behavior of the first application.
Optionally, the apparatus further includes:
Cleaning unit 56, configured to clean up the monitoring data related to the defence treatment operation, where the monitoring data includes: data related to the first kind activity information of the first application, and data in the first kind environmental information related to the first application.
The above access control apparatus may be provided in a mobile terminal.
In practical applications, the first acquisition unit 51, second acquisition unit 52, judging unit 53, determining unit 54, control unit 55 and cleaning unit 56 may each correspond to a processor. The processor may specifically be a central processing unit (CPU, Central Processing Unit), a microprocessor (MCU, Micro Controller Unit), a digital signal processor (DSP, Digital Signal Processing), a programmable logic device (PLC, Programmable Logic Controller), or another electronic component or set of electronic components with a processing function. The processor includes executable code stored in a storage medium; the processor may be connected to the storage medium through a communication interface such as a bus, and when performing the function of a specific unit it reads the executable code from the storage medium and runs it. The part of the storage medium used to store the executable code is preferably a non-transitory storage medium.
The first acquisition unit 51, second acquisition unit 52, judging unit 53, determining unit 54, control unit 55 and cleaning unit 56 may be integrated in the same processor, or may each correspond to a different processor; when they are integrated in the same processor, the processor handles the functions of the first acquisition unit 51, second acquisition unit 52, judging unit 53, determining unit 54, control unit 55 and cleaning unit 56 by time division.
In practical applications, the first acquisition unit 51 may be implemented by the macro monitor; the second acquisition unit 52 may be implemented by the micro-monitor; the judging unit 53, the determining unit 54 and the control unit 55 may be implemented by the processor including the defense module; and the cleaning unit 56 may be implemented by the garbage collector corresponding to the processor including the defense module.
Those skilled in the art will understand that the functions of each unit in the access control apparatus of the embodiment of the present invention can be understood with reference to the foregoing description of the access control method. Each unit in the access control apparatus may be implemented by an analog circuit that realizes the functions described in the embodiment of the present invention, or by software that performs those functions running on an intelligent terminal.
The access control apparatus described in this embodiment can resist the adverse effect of APP prohibitive behaviors on the operating system environment and can improve the efficiency and stability of the terminal operating system.
It should be noted that, herein, the terms "include", "comprise" or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and includes instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, etc.) to perform the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and do not limit the scope of its claims. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (10)

1. An access control apparatus, applied to a mobile terminal, characterized in that the apparatus includes:
A first acquisition unit, configured to obtain first kind environmental information in the operating system environment of the mobile terminal;
A second acquisition unit, configured to obtain first kind activity information of a first application;
A judging unit, configured to judge, by combining the first kind environmental information and the first kind activity information, whether the first application has a first prohibitive behavior;
A determining unit, configured to determine, if the first application has the first prohibitive behavior, the defence treatment operation corresponding to the first prohibitive behavior;
A control unit, configured to perform the defence treatment operation while allowing the permitted behaviors of the first application to run.
2. The apparatus according to claim 1, characterized in that the second acquisition unit is further configured to:
Obtain the application programming interface (API) request information of the first application by interacting with the first application.
3. The apparatus according to claim 1, characterized in that the judging unit is further configured to:
Determine, according to the first kind environmental information, the behaviors to be examined that are related to the first application;
Determine, according to the first kind activity information, from the behaviors to be examined whether the first application has the first prohibitive behavior.
4. The apparatus according to claim 1, characterized in that the determining unit is further configured to:
Query a mapping relations set based on the first prohibitive behavior to obtain the range of optional defence treatment operations for the first prohibitive behavior, and determine, from that range, the defence treatment operation suited to the first prohibitive behavior of the first application.
5. The apparatus according to claim 1, characterized in that the apparatus further includes:
A cleaning unit, configured to clean up the monitoring data related to the defence treatment operation, where the monitoring data includes: data related to the first kind activity information of the first application, and data in the first kind environmental information related to the first application.
6. An access control method, applied to a mobile terminal, characterized in that the method includes:
Obtaining first kind environmental information in the operating system environment of the mobile terminal;
Obtaining first kind activity information of a first application;
Judging, by combining the first kind environmental information and the first kind activity information, whether the first application has a first prohibitive behavior;
If the first application has the first prohibitive behavior, determining the defence treatment operation corresponding to the first prohibitive behavior;
Performing the defence treatment operation while allowing the permitted behaviors of the first application to run.
7. The method according to claim 6, characterized in that obtaining the first kind activity information of the first application includes:
Obtaining the application programming interface (API) request information of the first application by interacting with the first application.
8. The method according to claim 6, characterized in that determining, according to the first kind environmental information and the first kind activity information, whether the first application has the first prohibitive behavior includes:
Determining, according to the first kind environmental information, the behaviors to be examined that are related to the first application;
Determining, according to the first kind activity information, from the behaviors to be examined whether the first application has the first prohibitive behavior.
9. The method according to claim 6, characterized in that determining the defence treatment operation corresponding to the first prohibitive behavior includes:
Querying a mapping relations set based on the first prohibitive behavior to obtain the range of optional defence treatment operations for the first prohibitive behavior, and determining, from that range, the defence treatment operation suited to the first prohibitive behavior of the first application.
10. The method according to claim 6, characterized in that, after the defence treatment operation is performed, the method further includes:
Cleaning up the monitoring data related to the defence treatment operation, where the monitoring data includes: data related to the first kind activity information of the first application, and data in the first kind environmental information related to the first application.
CN201611075370.7A 2016-11-29 2016-11-29 A kind of access control apparatus and method Active CN106778236B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611075370.7A CN106778236B (en) 2016-11-29 2016-11-29 A kind of access control apparatus and method

Publications (2)

Publication Number Publication Date
CN106778236A true CN106778236A (en) 2017-05-31
CN106778236B CN106778236B (en) 2019-08-30

Family

ID=58900682

Country Status (1)

Country Link
CN (1) CN106778236B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant