CN106778236B - A kind of access control apparatus and method - Google Patents
- Publication number: CN106778236B (application number CN201611075370.7A)
- Authority
- CN
- China
- Prior art keywords
- application
- behavior
- prohibitive
- processing operation
- defence
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephone Function (AREA)
Abstract
The invention discloses an access control apparatus applied to a mobile terminal. The apparatus includes: a first acquisition unit, for obtaining first-kind environmental information in the operating system environment of the mobile terminal; a second acquisition unit, for obtaining first-kind activity information of a first application; a judging unit, for judging, from the first-kind environmental information together with the first-kind activity information, whether the first application exhibits a first prohibited behavior; a determination unit, for determining the defence processing operation corresponding to the first prohibited behavior if the first application exhibits it; and a control unit, for executing the defence processing operation on the condition that the permitted behavior of the first application continues to be allowed. The invention also discloses an access control method. With the technical solution of the invention, the efficiency and stability of the terminal operating system can be improved.
Description
Technical field
The present invention relates to the information processing technology more particularly to a kind of access control apparatus and methods.
Background technique
In recent years, with the rapid development of the mobile Internet, the third-party application market has grown explosively. At the same time, more and more immature application programs (Application, abbreviated APP) enter the application market. Although their functions are richer, some applications show destructive behavior, for example continuously attempting network connections, frequently waking up the terminal, or occupying unnecessary resources for a long time, which has a negative impact on the terminal operating system. These destructive behaviors affect the operation of other APPs on the same terminal, increase terminal power consumption, consume cellular data, occupy storage space, and so on.
Summary of the invention
In view of this, the present invention aims to provide an access control apparatus and method that can improve the efficiency and stability of the terminal operating system.
In order to achieve the above objectives, the technical scheme of the present invention is realized as follows:
The present invention provides an access control apparatus applied to a mobile terminal, the apparatus including:
a first acquisition unit, for obtaining first-kind environmental information in the operating system environment of the mobile terminal;
a second acquisition unit, for obtaining first-kind activity information of a first application;
a judging unit, for judging, from the first-kind environmental information together with the first-kind activity information, whether the first application exhibits a first prohibited behavior;
a determination unit, for determining the defence processing operation corresponding to the first prohibited behavior if the first application exhibits the first prohibited behavior;
a control unit, for executing the defence processing operation on the condition that the permitted behavior of the first application continues to be allowed.
In the above scheme, optionally, the second acquisition unit is further used to: obtain the application programming interface (API, Application Programming Interface) request information of the first application by interacting with the first application.
In the above scheme, optionally, the judging unit is further used to: judge, from the first-kind environmental information, which screening behaviors are relevant to the first application; and determine, from the first-kind activity information, whether the first application exhibits the first prohibited behavior among those screening behaviors.
In the above scheme, optionally, the determination unit is further used to: query a mapping relation set based on the first prohibited behavior to obtain the range of optional defence processing operations for the first prohibited behavior, and select from that range the defence processing operation suited to the first prohibited behavior of the first application.
In the above scheme, optionally, the apparatus further includes: a cleanup unit, for cleaning up the monitoring data related to the defence processing operation; wherein the monitoring data include the data relevant to the first-kind activity information of the first application, and the data in the first-kind environmental information that relate to the first application.
The present invention also provides an access control method applied to a mobile terminal, the method including:
obtaining first-kind environmental information in the operating system environment of the mobile terminal;
obtaining first-kind activity information of a first application;
judging, from the first-kind environmental information together with the first-kind activity information, whether the first application exhibits a first prohibited behavior;
if the first application exhibits the first prohibited behavior, determining the defence processing operation corresponding to the first prohibited behavior;
executing the defence processing operation on the condition that the permitted behavior of the first application continues to be allowed.
In the above scheme, optionally, obtaining the first-kind activity information of the first application includes: obtaining the API request information of the first application by interacting with the first application.
In the above scheme, optionally, determining from the first-kind environmental information and the first-kind activity information whether the first application exhibits the first prohibited behavior includes: judging, from the first-kind environmental information, which screening behaviors are relevant to the first application; and determining, from the first-kind activity information, whether the first application exhibits the first prohibited behavior among those screening behaviors.
In the above scheme, optionally, determining the defence processing operation corresponding to the first prohibited behavior includes: querying a mapping relation set based on the first prohibited behavior to obtain the range of optional defence processing operations for the first prohibited behavior, and selecting from that range the defence processing operation suited to the first prohibited behavior of the first application.
In the above scheme, optionally, after executing the defence processing operation, the method further includes: cleaning up the monitoring data related to the defence processing operation; wherein the monitoring data include the data relevant to the first-kind activity information of the first application, and the data in the first-kind environmental information that relate to the first application.
The access control apparatus and method provided by the present invention obtain first-kind environmental information in the operating system environment of the mobile terminal; obtain first-kind activity information of a first application; judge, from the first-kind environmental information together with the first-kind activity information, whether the first application exhibits a first prohibited behavior; if the first application exhibits the first prohibited behavior, determine the defence processing operation corresponding to it; and execute the defence processing operation on the condition that the permitted behavior of the first application continues to be allowed. In this way, when the first application is judged to exhibit a first prohibited behavior, the defence processing operation corresponding to that behavior is executed while the permitted behavior of the first application is still allowed, so the adverse effect of the prohibited APP behavior on the operating system environment can be resisted and the efficiency and stability of the terminal operating system can be improved.
Detailed description of the invention
Fig. 1 is a hardware structural diagram of a mobile terminal, optional for realizing each embodiment of the present invention;
Fig. 2 is the wireless communication system schematic diagram of mobile terminal as shown in Figure 1;
Fig. 3 is the implementation process schematic diagram of access control method provided in an embodiment of the present invention;
Fig. 4 is a kind of configuration diagram of access control system provided in an embodiment of the present invention;
Fig. 5 is the composed structure schematic diagram of access control apparatus provided in an embodiment of the present invention.
Specific embodiment
In order to understand the features and technical contents of the embodiments of the present invention more fully, the realization of the embodiments is described in detail below with reference to the accompanying drawings, which are for reference and illustration only and are not used to limit the embodiments of the present invention.
The terminal of each embodiment of the present invention is described with reference to the drawings. In the following description, suffixes such as "module", "component" or "unit" used to denote elements are used only to facilitate the explanation of the embodiments and have no specific meaning in themselves; therefore "module", "component" and "unit" may be used interchangeably.
The terminal may be implemented in various forms. For example, the terminal described in the embodiments of the present invention may include mobile terminals such as a mobile phone, a smart phone, a laptop computer, a digital broadcast receiver, a personal digital assistant (PDA, Personal Digital Assistant), a tablet computer (PAD), a portable media player (PMP, Portable Media Player), a navigation device and so on, as well as fixed terminals such as a digital TV, a desktop computer and so on. Hereinafter it is assumed that the terminal is a mobile terminal. However, those skilled in the art will understand that, except for elements used specifically for mobile purposes, the construction according to the embodiments of the present invention can also be applied to terminals of the fixed type.
Fig. 1 is a schematic diagram of the hardware configuration of a mobile terminal for realizing each embodiment of the present invention.
The mobile terminal 100 may include an audio/video (A/V) input unit 120, a user input unit 130, an output unit 150, a memory 160, an interface unit 170, a controller 180, a power supply unit 190 and so on. Fig. 1 shows a mobile terminal with various components, but it should be understood that not all of the components shown are required; more or fewer components may alternatively be implemented. The elements of the mobile terminal are discussed in more detail below.
The A/V input unit 120 is used to receive audio or video signals. The A/V input unit 120 may include a camera 121 and a microphone 122. The camera 121 processes image data of still pictures or video obtained by an image capture apparatus in video capture mode or image capture mode. The processed image frames may be displayed on the display unit 151. The image frames processed by the camera 121 may be stored in the memory 160 (or another storage medium), and two or more cameras 121 may be provided according to the construction of the mobile terminal. The microphone 122 can receive sound (audio data) in an operating mode such as telephone call mode, recording mode or speech recognition mode, and can process such sound into audio data. The microphone 122 may implement various types of noise cancellation (or suppression) algorithms to cancel (or suppress) noise or interference generated in the course of sending and receiving audio signals.
The user input unit 130 may generate key input data according to commands input by the user to control various operations of the mobile terminal. The user input unit 130 allows the user to input various types of information and may include a keyboard, a metal dome, a touch pad (for example, a touch-sensitive component that detects changes in resistance, pressure, capacitance and so on caused by contact), a scroll wheel, a rocker and so on. In particular, when the touch pad is superimposed on the display unit 151 in the form of a layer, a touch screen can be formed.
The interface unit 170 serves as an interface through which at least one external device can connect with the mobile terminal 100. For example, the external device may include a wired or wireless headphone port, an external power supply (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device having an identification module, an audio input/output (I/O) port, a video I/O port, an earphone port and so on. The identification module may store various information for verifying the user's use of the mobile terminal 100 and may include a user identification module (UIM, User Identify Module), a subscriber identification module (SIM, Subscriber Identity Module), a universal subscriber identification module (USIM, Universal Subscriber Identity Module) and so on. In addition, the device having the identification module (hereinafter referred to as the "identification device") may take the form of a smart card, so the identification device may be connected with the mobile terminal 100 via a port or other connection device. The interface unit 170 may be used to receive input (for example, data information, electric power and so on) from an external device and transmit the received input to one or more elements within the mobile terminal 100, or may be used to transmit data between the mobile terminal and the external device.
In addition, when the mobile terminal 100 is connected with an external cradle, the interface unit 170 may serve as a path through which electric power is supplied from the cradle to the mobile terminal 100, or as a path through which various command signals input from the cradle are transferred to the mobile terminal. The various command signals or electric power input from the cradle may serve as a signal for recognizing whether the mobile terminal is correctly mounted on the cradle. The output unit 150 is configured to provide output signals (for example, audio signals, video signals, alarm signals, vibration signals and so on) in a visual, audible and/or tactile manner. The output unit 150 may include a display unit 151, an audio output module 152, an alarm unit 153 and so on.
The display unit 151 may display information processed in the mobile terminal 100. For example, when the mobile terminal 100 is in telephone call mode, the display unit 151 may display a user interface (UI, User Interface) or graphical user interface (GUI, Graphical User Interface) related to the call or to other communication (for example, text messaging, multimedia file downloading and so on). When the mobile terminal 100 is in video call mode or image capture mode, the display unit 151 may display a captured image and/or a received image, a UI or GUI showing the video or image and related functions, and so on.
Meanwhile when display unit 151 and touch tablet in the form of layer it is superposed on one another to form touch screen when, display unit
151 may be used as input unit and output device.Display unit 151 may include liquid crystal display (LCD, Liquid
Crystal Display), thin film transistor (TFT) LCD (TFT-LCD, Thin Film Transistor-LCD), organic light-emitting diodes
It manages in (OLED, Organic Light-Emitting Diode) display, flexible display, three-dimensional (3D) display etc.
It is at least one.Some in these displays may be constructed such that transparence to allow user to watch from outside, this is properly termed as
Transparent display, typical transparent display can be, for example, transparent organic light emitting diode (TOLED) display etc..According to
Specific desired embodiment, mobile terminal 100 may include two or more display units (or other display devices), example
Such as, mobile terminal may include outernal display unit (not shown) and inner display unit (not shown).Touch screen can be used for examining
Survey touch input pressure and touch input position and touch input area.
The audio output module 152 may, when the mobile terminal is in a mode such as call signal reception mode, call mode, recording mode, speech recognition mode or broadcast reception mode, convert audio data received by the wireless communication unit 110 or stored in the memory 160 into an audio signal and output it as sound. Moreover, the audio output module 152 may provide audio output related to a specific function performed by the mobile terminal 100 (for example, a call signal reception sound, a message reception sound and so on). The audio output module 152 may include a speaker, a buzzer and so on.
The alarm unit 153 may provide output to notify the mobile terminal 100 of the occurrence of an event. Typical events may include call reception, message reception, key signal input, touch input and so on. In addition to audio or video output, the alarm unit 153 may provide output in different ways to notify of the occurrence of an event. For example, the alarm unit 153 may provide output in the form of vibration; when a call, a message or some other incoming communication is received, the alarm unit 153 may provide tactile output (that is, vibration) to notify the user. By providing such tactile output, the user can recognize the occurrence of various events even when the user's mobile phone is in the user's pocket. The alarm unit 153 may also provide output notifying of the occurrence of an event via the display unit 151 or the audio output module 152.
The memory 160 may store software programs and the like for the processing and control operations executed by the controller 180, or may temporarily store data that has been output or will be output (for example, a telephone directory, messages, still images, video and so on). Moreover, the memory 160 may store data on the vibrations and audio signals of various patterns that are output when a touch is applied to the touch screen.
The memory 160 may include at least one type of storage medium, including flash memory, a hard disk, a multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM, Random Access Memory), static random access memory (SRAM, Static Random Access Memory), read-only memory (ROM, Read Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read Only Memory), programmable read-only memory (PROM, Programmable Read Only Memory), magnetic memory, a magnetic disk, an optical disk and so on. Moreover, the mobile terminal 100 may cooperate with a network storage device that performs the storage function of the memory 160 over a network connection.
The controller 180 usually controls the overall operation of the mobile terminal. For example, the controller 180 performs the control and processing related to voice calls, data communication, video calls and so on. In addition, the controller 180 may include a multimedia module 181 for reproducing (or playing back) multimedia data; the multimedia module 181 may be constructed within the controller 180 or may be constructed separately from the controller 180. The controller 180 may perform pattern recognition processing to recognize handwriting input or drawing input performed on the touch screen as characters or images.
The power supply unit 190 receives external power or internal power under the control of the controller 180 and provides the appropriate electric power required to operate each element and component.
The various embodiments described herein may be implemented using a computer-readable medium such as computer software, hardware or any combination thereof. For a hardware implementation, the embodiments described herein may be implemented using at least one of an application-specific integrated circuit (ASIC, Application Specific Integrated Circuit), a digital signal processor (DSP, Digital Signal Processing), a digital signal processing device (DSPD, Digital Signal Processing Device), a programmable logic device (PLD, Programmable Logic Device), a field programmable gate array (FPGA, Field Programmable Gate Array), a processor, a controller, a microcontroller, a microprocessor, or an electronic unit designed to perform the functions described herein; in some cases such embodiments may be implemented in the controller 180. For a software implementation, embodiments such as procedures or functions may be implemented with separate software modules that allow at least one function or operation to be performed. The software code may be implemented by a software application (or program) written in any suitable programming language, and the software code may be stored in the memory 160 and executed by the controller 180.
So far, the mobile terminal has been described according to its functions. In the following, for the sake of brevity, a slide-type mobile terminal among the various types of mobile terminals, such as folder-type, bar-type, swing-type, slide-type and so on, will be described as an example. The present invention can nonetheless be applied to any type of mobile terminal and is not limited to a slide-type mobile terminal.
The mobile terminal 100 shown in Fig. 1 may be configured to operate with communication systems that send data via frames or packets, including wired and wireless communication systems as well as satellite-based communication systems.
A communication system in which a mobile terminal according to an embodiment of the present invention can operate is now described with reference to Fig. 2.
Such a communication system may use different air interfaces and/or physical layers. For example, the air interfaces used by the communication system include frequency division multiple access (FDMA, Frequency Division Multiple Access), time division multiple access (TDMA, Time Division Multiple Access), code division multiple access (CDMA, Code Division Multiple Access), the universal mobile telecommunications system (UMTS, Universal Mobile Telecommunications System) (in particular, long term evolution (LTE, Long Term Evolution)), the global system for mobile communications (GSM) and so on. As a non-limiting example, the following description relates to a CDMA communication system, but such teaching is equally applicable to other types of system.
With reference to Fig. 2, the CDMA wireless communication system may include a plurality of mobile terminals 100, a plurality of base stations (BS, Base Station) 270, base station controllers (BSC, Base Station Controller) 275 and a mobile switching center (MSC, Mobile Switching Center) 280. The MSC 280 is configured to interface with the public switched telephone network (PSTN, Public Switched Telephone Network) 290. The MSC 280 is also configured to interface with the BSCs 275, which can be coupled to the base stations 270 via backhaul links. The backhaul links may be constructed according to any of several known interfaces, including for example E1/T1, ATM, IP, PPP, frame relay, HDSL, ADSL or xDSL. It will be understood that the system shown in Fig. 2 may include a plurality of BSCs 275.
Each BS 270 may serve one or more sectors (or regions), each sector being covered by a multidirectional antenna or an antenna pointing in a particular direction radially away from the BS 270. Alternatively, each sector may be covered by two or more antennas for diversity reception. Each BS 270 may be configured to support a plurality of frequency assignments, each frequency assignment having a particular spectrum (for example, 1.25 MHz, 5 MHz and so on).
The intersection of a sector and a frequency assignment may be referred to as a CDMA channel. The BS 270 may also be referred to as a base transceiver station (BTS, Base Transceiver Station) or by another equivalent term. In this case, the term "base station" may be used to refer broadly to a single BSC 275 and at least one BS 270. A base station may also be referred to as a "cell site". Alternatively, each sector of a particular BS 270 may be referred to as a plurality of cell sites.
As shown in Fig. 2, a broadcast transmitter (BT, Broadcast Transmitter) 295 sends broadcast signals to the mobile terminals 100 operating within the system. The broadcast receiving module 111 shown in Fig. 1 is provided at the mobile terminal 100 to receive the broadcast signals sent by the BT 295. In Fig. 2, several global positioning system (GPS) satellites 300 are shown. The satellites 300 help to locate at least one of the plurality of mobile terminals 100.
In Fig. 2, a plurality of satellites 300 are depicted, but it will be understood that useful location information may be obtained with any number of satellites. The GPS module 115 shown in Fig. 1 is typically configured to cooperate with the satellites 300 to obtain the desired location information. Instead of, or in addition to, GPS tracking technology, other technologies that can track the position of the mobile terminal may be used. In addition, at least one of the GPS satellites 300 may selectively or additionally handle satellite DMB transmissions.
As one typical operation of the wireless communication system, the BS 270 receives reverse link signals from various mobile terminals 100. The mobile terminals 100 usually engage in calls, messaging and other types of communication. Each reverse link signal received by a particular base station 270 is processed within that BS 270. The resulting data is forwarded to the associated BSC 275. The BSC provides call resource allocation and mobility management functions, including the coordination of soft handoff procedures between the BSs 270. The BSC 275 also routes the received data to the MSC 280, which provides additional routing services for interfacing with the PSTN 290. Similarly, the PSTN 290 interfaces with the MSC 280, the MSC interfaces with the BSCs 275, and the BSCs 275 in turn control the BSs 270 to send forward link signals to the mobile terminals 100.
Based on the mobile terminal hardware configuration and communication system described above, and in order to resolve the negative effect that the destructive behavior of applications brings to the terminal operating system and to improve the efficiency and stability of the operating system, the embodiments of the method of the present invention are proposed.
Embodiment one
Fig. 3 is a schematic diagram of the implementation flow of the access control method provided in an embodiment of the present invention. The access control method in this example is applied to a mobile terminal; as shown in Fig. 3, the access control method mainly includes the following steps:
Step 301: obtain the first-kind environmental information in the operating system environment of the mobile terminal.
Here, the operating system is the operating system of the mobile terminal.
For example, the operating systems used on mobile terminals mainly include Android (Google), iOS (Apple), Windows Phone (Microsoft), Symbian (Nokia), BlackBerry OS (BlackBerry), Windows Mobile (Microsoft), Android (Android) and so on.
Here, the first-kind environmental information is information corresponding to the operating system environment at the macro level. For example, the first-kind environmental information includes battery usage, storage usage, data traffic usage, and so on.
In an optional embodiment, obtaining the first-kind environmental information in the operating system environment of the mobile terminal includes: monitoring the operating system environment of the mobile terminal with a macro monitor, and analyzing the monitoring data to obtain the first-kind environmental information.
That is, the macro monitor does not need to monitor all environmental information in the operating system environment; it only needs to monitor the first-kind environmental information that can help in judging whether a prohibited behavior exists in each application.
In an optional embodiment, after monitoring the operating system environment of the mobile terminal with the macro monitor and analyzing the monitoring data to obtain the first-kind environmental information, the method further includes: the controller sends the first-kind environmental information to each micro-monitor and notifies each micro-monitor to monitor the first-kind activity of each application and analyze the monitoring data to obtain first-kind activity information.
Here, different micro-monitors are responsible for monitoring different first-kind activities.
Step 302: obtain the first-kind activity information of the first application.
In the present embodiment, the first application is provided on the mobile terminal.
In the embodiment of the present invention, the first application running on the mobile terminal may be an application built into the mobile terminal system, for example a clock application, a calculator application, a camera application, an address book application and so on, or may be a third-party application installed by the user, for example a game application, a WeChat application, a browser application, an instant chat application, a mail application and so on.
Here, the first-kind activity information includes request information, such as application programming interface (API, Application Programming Interface) request information.
In an optional embodiment, obtaining the first-kind activity information of the first application includes: obtaining the API request information of the first application by interacting with the first application.
The API request information may include: callee information, request statement, unique request mark, and request parameters.
The callee information includes the identifier (UID, User Identifier) of the application program and the package name of the application program.
The request statement includes the request start time and the request frequency.
The unique request mark includes an IBinder object. Here, IBinder is the base interface in Android development for objects capable of remote operation.
In a specific embodiment, obtaining the first-kind activity information of the first application includes: monitoring the first-kind activity of the first application with a micro-monitor, and analyzing the monitoring data to obtain the first-kind activity information.
It should be noted that the micro-monitor does not track all request information of the first application; it monitors only request information that may cause an adverse effect, such as continuously attempting network connections, frequently waking up the terminal, or occupying unnecessary resources for a long time.
It should also be noted that step 301 and step 302 can be carried out simultaneously, and step 302 can also be carried out before step 301.
Step 303: judging, in combination with the first-type environment information and the first-type activity information, whether the first application has a first prohibited behavior.
Here, the first prohibited behavior is a behavior that the first application is by default not allowed to perform.
Optionally, determining from the first-type environment information and the first-type activity information whether the first application has a first prohibited behavior comprises:
determining, from the first-type environment information, the behaviors to be screened that are related to the first application;
determining, from the first-type activity information, whether the first application has a first prohibited behavior among the behaviors to be screened.
That is, the first-type environment information is used first to judge preliminarily whether the first application may have a system-prohibited behavior; only if the preliminary result is that the first application may have such a behavior does the method continue to judge, from the first-type activity information, whether the first application actually has a system-prohibited behavior.
For example, if the first-type environment information shows that the first application is consuming power, the first application may have a system-prohibited behavior, so the method proceeds to judge from the API request information of the first application whether such a behavior exists; if it does, the first application is determined to currently have a first prohibited behavior.
For another example, if the first-type environment information shows that the first application is consuming data traffic, the first application may have a system-prohibited behavior, so the method proceeds to judge from the API request information of the first application whether such a behavior exists; if it does, the first application is determined to currently have a first prohibited behavior.
In this way, because the macro-level system environment information monitored by the macro monitor cannot by itself fully determine which APP has a bad behavior, combining it with the first-type activity information of each APP gives a better determination of which APP has a bad behavior and of the type of that bad behavior.
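As an added example, written for this page rather than taken from the patent, the following Python script models the two-stage judgement of step 303: the macro-level environment information screens which prohibited behaviors are worth examining for an application, and only those are confirmed against the micro-monitor's API request records. The record fields (UID, package name, request start time, request rate, request identifier, parameters) follow the text above; the service-call labels, thresholds, behavior names and sample data are assumptions.

```python
# Two-stage judgement of step 303 (added example, not the patent's code).
# Record fields follow the patent text; service-call labels, thresholds,
# behaviour names and the sample data below are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ApiRequest:
    """One micro-monitor record: a request an app made to a system service."""
    uid: int
    package: str
    api: str             # assumed label for the monitored service call
    start_time: float    # seconds, when the request was first made
    rate_per_min: float  # how often the app repeats this request
    token: str           # stands in for the IBinder object identifying the request
    params: dict = field(default_factory=dict)


@dataclass
class MacroEnv:
    """Macro-monitor snapshot of the OS environment (assumed fields)."""
    battery_drain_pct_per_hour: float
    data_kb_per_min: float
    power_share_by_uid: Dict[int, float]  # fraction of drain attributed to each uid
    data_share_by_uid: Dict[int, float]   # fraction of traffic attributed to each uid


# Assumed thresholds for an "unhealthy" environment and for an app's share of it.
DRAIN_UNHEALTHY_PCT_PER_HOUR = 10.0
DATA_UNHEALTHY_KB_PER_MIN = 500.0
APP_SHARE_MIN = 0.3
# Which prohibited behaviours relate to which environment symptom.
POWER_BEHAVIOURS = {"long_wake_lock", "frequent_wakeup"}
DATA_BEHAVIOURS = {"repeated_network_connect"}


def screen_behaviours(env: MacroEnv, uid: int) -> Set[str]:
    """Stage 1: behaviours to screen for this app, from the macro environment only."""
    candidates: Set[str] = set()
    if (env.battery_drain_pct_per_hour > DRAIN_UNHEALTHY_PCT_PER_HOUR
            and env.power_share_by_uid.get(uid, 0.0) >= APP_SHARE_MIN):
        candidates |= POWER_BEHAVIOURS
    if (env.data_kb_per_min > DATA_UNHEALTHY_KB_PER_MIN
            and env.data_share_by_uid.get(uid, 0.0) >= APP_SHARE_MIN):
        candidates |= DATA_BEHAVIOURS
    return candidates


# Assumed per-behaviour limits checked against the API request records.
WAKE_LOCK_MAX_HOLD_S = 300.0
WAKEUP_MAX_PER_MIN = 6.0
CONNECT_MAX_PER_MIN = 30.0


def confirm_behaviours(candidates: Set[str], requests: List[ApiRequest],
                       now: float) -> Set[str]:
    """Stage 2: confirm only the screened behaviours from the micro-monitor records."""
    found: Set[str] = set()
    for r in requests:
        if ("long_wake_lock" in candidates and r.api == "acquire_wake_lock"
                and now - r.start_time > WAKE_LOCK_MAX_HOLD_S):
            found.add("long_wake_lock")
        if ("frequent_wakeup" in candidates and r.api == "set_repeating_alarm"
                and r.rate_per_min > WAKEUP_MAX_PER_MIN):
            found.add("frequent_wakeup")
        if ("repeated_network_connect" in candidates and r.api == "request_network"
                and r.rate_per_min > CONNECT_MAX_PER_MIN):
            found.add("repeated_network_connect")
    return found


def judge(env: MacroEnv, uid: int, requests: List[ApiRequest], now: float) -> Set[str]:
    """Full step 303: the prohibited behaviours the app currently has (empty if none)."""
    candidates = screen_behaviours(env, uid)
    if not candidates:  # preliminary judgement negative: the records are not examined
        return set()
    return confirm_behaviours(candidates, [r for r in requests if r.uid == uid], now)


# Constructed sample data: a power-hungry game and a quiet notes app.
SAMPLE_ENV = MacroEnv(
    battery_drain_pct_per_hour=15.0, data_kb_per_min=40.0,
    power_share_by_uid={10057: 0.7, 10058: 0.05},
    data_share_by_uid={10057: 0.9, 10058: 0.05},
)
SAMPLE_REQUESTS = [
    ApiRequest(10057, "com.example.game", "acquire_wake_lock", 0.0, 0.0, "tok-1"),
    ApiRequest(10057, "com.example.game", "set_repeating_alarm", 10.0, 12.0, "tok-2"),
    ApiRequest(10057, "com.example.game", "request_network", 12.0, 50.0, "tok-3"),
    ApiRequest(10058, "com.example.notes", "acquire_wake_lock", 0.0, 0.0, "tok-4"),
]

if __name__ == "__main__":
    for uid in (10057, 10058):
        print(uid, sorted(judge(SAMPLE_ENV, uid, SAMPLE_REQUESTS, now=900.0)))
```

In the constructed scenario the game application also makes network requests at a high rate, but because the macro environment shows no abnormal data traffic those records are never examined; the screening stage is what keeps the micro-monitor from having to judge every request, which is the point made in the text above.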
Step 304: if the first application has a first prohibited behavior, determining the defense processing operation corresponding to the first prohibited behavior.
In an optional embodiment, determining the defense processing operation corresponding to the first prohibited behavior comprises:
querying a mapping relation set based on the first prohibited behavior to obtain the range of optional defense processing operations for the first prohibited behavior, and determining, from that range of optional defense processing operations, the defense processing operation adapted to the first prohibited behavior of the first application.
The mapping relation set contains the mapping relations between different prohibited behaviors and their corresponding defense processing operations; each prohibited behavior corresponds to one or more optional defense processing operations.
It should be noted that different applications may have different prohibited behaviors. In general, the higher an application's level, the larger its range of granted access rights and the fewer its prohibited behaviors; conversely, the lower an application's level, the smaller its range of granted access rights and the more its prohibited behaviors.
In an optional embodiment, the method further comprises:
receiving a first operation, the first operation being for setting or changing an application white list;
generating the application white list based on the first operation;
determining the mapping relation set according to the application white list.
In general, the range of access rights granted to an application in the white list is larger than the range granted to an application not in the white list. For example, some API requests are allowed to be made only by applications in the white list.
In an optional embodiment, the method further comprises:
receiving a second operation, the second operation being for inputting a defense processing strategy;
generating the defense processing strategy based on the second operation;
determining the mapping relation set according to the defense processing strategy.
An application example of the different protection actions corresponding to defense processing operations is shown in Table 1.
Table 1
For example, the protection action type corresponding to a defense processing operation includes release. Specifically, the release action for a wake lock is implemented by periodically checking the request information table, which records the start time of every held wake lock; when the hold time exceeds a preset threshold, the corresponding lock object is deleted from the wake lock set.
For example, the protection action type corresponding to a defense processing operation includes slowing down. Specifically, a slower clock is implemented by adjusting the repeat-interval variable in the data structure.
For example, the protection action type corresponding to a defense processing operation includes delay. Specifically, the delay of a timed action is implemented by putting the request into a cache and processing the request later at a determined time.
Step 305: executing the defense processing operation while the permitted behaviors of the first application are allowed to run.
The defense processing operation includes at least: total prohibition of execution, execution when a trigger condition is met, and delayed execution.
In this way, when the first application is detected to have a first prohibited behavior, that is, a destructive behavior, executing the defense processing operation adjusts that behavior of the first application, so the destructive behavior is prevented without affecting the main function of the first application.
Further, after executing the defense processing operation, the method further comprises:
cleaning up the monitoring data related to the defense processing operation; wherein the monitoring data includes the data related to the first-type activity information of the first application and the data in the first-type environment information related to the first application.
In a specific embodiment, the monitoring data related to the defense processing operation is cleaned up periodically, or cleaned up promptly after the operation.
In this way, storage space is released by cleaning up old data.
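As an added example, not the patent's own code, the following Python script carries steps 304 and 305 through: the mapping relation set is queried for the optional defense processing operations of a confirmed prohibited behavior, the operation adapted to the application is chosen with the application white list taken into account, and the three protection actions described above (release of a wake lock held past a threshold, slowing of a repeating timer, delayed execution of a cached request) are applied while the application keeps running. The mapping contents stand in for Table 1; the white list, thresholds and scenario are constructed assumptions.

```python
# Steps 304 and 305 (added example, not the patent's code): mapping-set lookup
# with the application white list, then the release / slow down / delay actions.
# Mapping contents stand in for Table 1; white list, thresholds and scenario are assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Mapping relation set: prohibited behaviour -> optional defence operations,
# ordered from mildest to strictest (assumed contents).
MAPPING: Dict[str, List[str]] = {
    "long_wake_lock": ["warn_user", "release"],
    "frequent_wakeup": ["warn_user", "slow_down"],
    "repeated_network_connect": ["delay", "cancel"],
}
WHITE_LIST = {"com.example.bank"}  # set by the "first operation" (assumed contents)


def select_defence(behaviour: str, package: str) -> Optional[str]:
    """Query the mapping set and pick the operation adapted to the app: a white-listed
    app has a larger granted range, so it gets the mildest option; others the strictest."""
    options = MAPPING.get(behaviour)
    if not options:
        return None
    return options[0] if package in WHITE_LIST else options[-1]


@dataclass
class WakeLockEntry:
    package: str
    token: str        # stands in for the IBinder lock object
    start_time: float


class WakeLockTable:
    """Request information table: start time of every wake lock currently held."""
    def __init__(self) -> None:
        self.held: Dict[str, WakeLockEntry] = {}

    def acquire(self, package: str, token: str, now: float) -> None:
        self.held[token] = WakeLockEntry(package, token, now)

    def release_overheld(self, now: float, max_hold_s: float) -> List[str]:
        """Periodic check: delete lock objects held longer than the threshold."""
        expired = [t for t, e in self.held.items() if now - e.start_time > max_hold_s]
        for t in expired:
            del self.held[t]
        return expired


@dataclass
class RepeatingTimer:
    """A repeating timer of the app; slowing it means widening the interval variable."""
    package: str
    interval_s: float

    def slow_down(self, factor: float = 2.0, floor_s: float = 60.0) -> float:
        self.interval_s = max(self.interval_s * factor, floor_s)
        return self.interval_s


class DelayQueue:
    """Delayed execution: a request is cached and processed at a determined later time."""
    def __init__(self) -> None:
        self.pending: List[Tuple[float, str]] = []

    def defer(self, request: str, now: float, delay_s: float) -> None:
        self.pending.append((now + delay_s, request))

    def process_due(self, now: float) -> List[str]:
        ready = [r for due, r in self.pending if due <= now]
        self.pending = [(due, r) for due, r in self.pending if due > now]
        return ready


def apply_defence(behaviour: str, package: str, now: float, locks: WakeLockTable,
                  timer: RepeatingTimer, queue: DelayQueue, request: str = "") -> str:
    """Step 305: execute the selected operation; the app's other behaviour keeps running."""
    op = select_defence(behaviour, package)
    if op == "release":
        return f"release:{locks.release_overheld(now, max_hold_s=300.0)}"
    if op == "slow_down":
        return f"slow_down:{timer.slow_down()}"
    if op == "delay":
        queue.defer(request, now, delay_s=120.0)
        return "delay"
    return op or "none"


def run_scenario(package: str) -> Dict[str, str]:
    """Constructed scenario: lock held 15 min, a 5 s repeating timer, one network request."""
    locks, timer, queue = WakeLockTable(), RepeatingTimer(package, 5.0), DelayQueue()
    locks.acquire(package, "tok-1", now=0.0)
    now = 900.0
    return {
        "long_wake_lock": apply_defence("long_wake_lock", package, now, locks, timer, queue),
        "frequent_wakeup": apply_defence("frequent_wakeup", package, now, locks, timer, queue),
        "repeated_network_connect": apply_defence("repeated_network_connect", package, now,
                                                  locks, timer, queue, request="connect"),
        "held_after": str(sorted(locks.held)),
        "queued": str(queue.process_due(now + 120.0)),
    }
```

Running `run_scenario("com.example.game")` releases the over-held lock, widens the timer interval to the 60 s floor and cancels the connection request, whereas the white-listed `com.example.bank` only receives warnings and a delayed (not cancelled) request; the same prohibited behavior thus maps to a different operation depending on the application's granted range, which is what the mapping relation set and white list in the text are for.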
In this embodiment, the first-type environment information in the operating system environment of the mobile terminal is obtained; the first-type activity information of the first application is obtained; whether the first application has a first prohibited behavior is judged in combination with the first-type environment information and the first-type activity information; if the first application has a first prohibited behavior, the defense processing operation corresponding to the first prohibited behavior is determined; and the defense processing operation is executed while the permitted behaviors of the first application are allowed to run. In this way, when the first application is judged to have a first prohibited behavior, the defense processing operation corresponding to that behavior is executed while the permitted behaviors of the first application continue to run, so the adverse effect of the APP's prohibited behavior on the operating system environment is resisted and the efficiency and stability of the terminal operating system are improved.
Embodiment two
Fig. 4 is an architecture diagram of an access control system provided in an embodiment of the present invention, applied to a mobile terminal. As shown in Fig. 4, the system comprises:
a macro monitor 41, responsible for monitoring the first-type environment information in the operating system environment;
micro-monitors 42, responsible for monitoring the first-type activity information of each application;
a controller 43, responsible for notifying the micro-monitors 42, based on the first-type environment information, to monitor the first-type activity information of each application;
a processor 44 corresponding to the micro-monitors 42, including a defense module, for determining the first prohibited behavior of the first application from the first-type activity information, determining the protection action corresponding to the first prohibited behavior, and executing the protection action while the normal access behaviors of the first application are allowed to run.
In this embodiment there is a defensive operating system that resists damage by APPs, referred to as DefOS. DefOS uses a modular design: a controller service monitors the macro-level operating system environment (such as battery and storage) and manages an extensible set of defense modules that handle different kinds of APP damage.
The defense modules and the micro-monitors are subsystems of DefOS that record important APP activity. A defense module includes a defender, a storage space and a garbage collector (GC). Specifically, the defender analyses the monitoring information and executes defense actions; the storage space stores necessary information, such as cancelled defense actions; the GC deletes old monitoring data and the data stored in the storage space.
DefOS has two modes, permit and defend. It can provide services to APPs in the same way as a basic operating system (OS); when an unhealthy system environment and suspicious APP activity appear, for example frequent wake-up operations or holding a wake lock, DefOS enters defend mode and executes precise self-defense actions against the bad APP, such as reducing the APP's timer frequency or releasing a wake lock that has been held for a long time.
In this embodiment the macro monitor 41 monitors the macro-level system environment, such as battery level and data usage, but macro information alone cannot fully determine which APP is behaving badly, nor can an accurate defensive action be designed from it alone. DefOS therefore delegates to a set of dedicated defense modules; the controller manages the life cycle of these defense modules, propagates the macro-level system environment to them, and presents some configuration information to the end user, such as the self-defense action policy and the APP white list.
In this embodiment DefOS monitors not only the macro-level system environment through the macro monitor 41 but also APP-level activities through the micro-monitors 42, which interact with APPs by being inserted into a series of system services, such as the power management service and the location service. A micro-monitor 42 records precise API request information of an APP, including the caller (UID or package name), the request statement (request start time, request rate), the unique request identifier (the IBinder object in Android) and the request parameters. The micro-monitor 42 does not track all activities of an APP; only request types that may have an adverse effect are monitored, and when an APP makes a request that may have an adverse effect, the defense module takes the corresponding defense processing operation, such as release or cancellation, to resist the destructive behavior of the APP. In addition, each defense module is equipped with a garbage collector that periodically cleans up old data; for example, after the defense module has taken the corresponding defense processing operation, most of the data of the micro-monitor 42 is deleted.
In this embodiment the defender in the defense module is an important component of DefOS: it executes precise actions to reduce the bad behaviors of various APPs. The defender periodically inspects the monitoring data and executes a protection action against a potential bad behavior. The protection actions may be as shown in Table 1; they can release a resource, adjust a frequency, delay or block a request, or warn the user. The micro-monitors 42 rely on dedicated subsystems to implement these protection actions. For example, the release action for a wake lock is implemented by periodically checking the request information table, which records the start time of every held wake lock; when the hold time exceeds a preset threshold, the corresponding lock object is deleted from the wake lock set. For example, a slower clock is implemented by adjusting the repeat-interval variable in the data structure. For example, the delay of a timed action is implemented by putting the request into a cache and processing the request later at a determined time.
Embodiment three
Fig. 5 is a schematic diagram of the composition of an access control apparatus provided in an embodiment of the present invention, applied to a mobile terminal. As shown in Fig. 5, the apparatus includes a first acquisition unit 51, a second acquisition unit 52, a judging unit 53, a determination unit 54 and a control unit 55; wherein:
the first acquisition unit 51 is for obtaining the first-type environment information in the operating system environment of the mobile terminal;
the second acquisition unit 52 is for obtaining the first-type activity information of the first application;
the judging unit 53 is for judging, in combination with the first-type environment information and the first-type activity information, whether the first application has a first prohibited behavior;
the determination unit 54 is for determining, if the first application has a first prohibited behavior, the defense processing operation corresponding to the first prohibited behavior;
the control unit 55 is for executing the defense processing operation while the permitted behaviors of the first application are allowed to run.
In an optional embodiment, the second acquisition unit 52 is further used to:
obtain the application programming interface (API) request information of the first application by interacting with the first application.
In an optional embodiment, the judging unit 53 is further used to:
determine, from the first-type environment information, the behaviors to be screened that are related to the first application;
determine, from the first-type activity information, whether the first application has a first prohibited behavior among the behaviors to be screened.
In an optional embodiment, the determination unit 54 is further used to:
query a mapping relation set based on the first prohibited behavior to obtain the range of optional defense processing operations for the first prohibited behavior, and determine, from that range of optional defense processing operations, the defense processing operation adapted to the first prohibited behavior of the first application.
Optionally, the apparatus further includes:
a cleanup unit 56, for cleaning up the monitoring data related to the defense processing operation; wherein the monitoring data includes the data related to the first-type activity information of the first application and the data in the first-type environment information related to the first application.
The above access control apparatus may be arranged in a mobile terminal.
In practical application, the first acquisition unit 51, second acquisition unit 52, judging unit 53, determination unit 54, control unit 55 and cleanup unit 56 may each correspond to a processor. The processor may be a central processing unit (CPU), a microcontroller unit (MCU), a digital signal processor (DSP), a programmable logic controller (PLC) or another electronic component or set of electronic components with a processing function. The processor includes executable code stored in a storage medium; the processor is connected to the storage medium through a communication interface such as a bus, and when executing the function of each unit it reads the executable code from the storage medium and runs it. The part of the storage medium used to store the executable code is preferably a non-transitory storage medium.
The first acquisition unit 51, second acquisition unit 52, judging unit 53, determination unit 54, control unit 55 and cleanup unit 56 may be integrated in the same processor or correspond to different processors; when integrated in the same processor, the processor performs the functions of the first acquisition unit 51, second acquisition unit 52, judging unit 53, determination unit 54, control unit 55 and cleanup unit 56 in a time-shared manner.
In practical application, the first acquisition unit 51 can be implemented by a macro monitor, the second acquisition unit 52 by a micro-monitor, the judging unit 53, determination unit 54 and control unit 55 by a processor including a defense module, and the cleanup unit 56 by the garbage collector corresponding to the processor including the defense module.
Those skilled in the art will understand that the functions of the units in the access control apparatus of the embodiment of the present invention can be understood with reference to the foregoing description of the access control method, and that each unit in the access control apparatus of the embodiment can be implemented by an analog circuit that realises the functions described in the embodiment, or by software that realises those functions running on a smart terminal.
The access control apparatus of this embodiment can resist the adverse effect of APP prohibited behaviors on the operating system environment and improve the efficiency and stability of the terminal operating system.
It should be noted that in this document the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the preferred implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner or a network device, etc.) to execute the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of the invention; any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, applied directly or indirectly in other related technical fields, is included within the scope of protection of the present invention.
Claims (10)
1. An access control apparatus, applied to a mobile terminal, characterised in that the apparatus comprises:
a first acquisition unit, for obtaining the first-type environment information in the operating system environment of the mobile terminal;
a second acquisition unit, for obtaining the first-type activity information of a first application; wherein the first-type activity information includes request information;
a judging unit, for judging, in combination with the first-type environment information and the first-type activity information, whether the first application has a first prohibited behavior;
a determination unit, for determining, if the first application has a first prohibited behavior, the defense processing operation corresponding to the first prohibited behavior;
a control unit, for executing the defense processing operation while the permitted behaviors of the first application are allowed to run.
2. The apparatus according to claim 1, characterised in that the second acquisition unit is further used to:
obtain the application programming interface (API) request information of the first application by interacting with the first application.
3. The apparatus according to claim 1, characterised in that the judging unit is further used to:
determine, from the first-type environment information, the behaviors to be screened that are related to the first application;
determine, from the first-type activity information, whether the first application has a first prohibited behavior among the behaviors to be screened.
4. The apparatus according to claim 1, characterised in that the determination unit is further used to:
query a mapping relation set based on the first prohibited behavior to obtain the range of optional defense processing operations for the first prohibited behavior, and determine, from the range of optional defense processing operations, the defense processing operation adapted to the first prohibited behavior of the first application.
5. The apparatus according to claim 1, characterised in that the apparatus further comprises:
a cleanup unit, for cleaning up the monitoring data related to the defense processing operation; wherein the monitoring data includes: data related to the first-type activity information of the first application, and data in the first-type environment information related to the first application.
6. An access control method, applied to a mobile terminal, characterised in that the method comprises:
obtaining the first-type environment information in the operating system environment of the mobile terminal;
obtaining the first-type activity information of a first application; wherein the first-type activity information includes request information;
judging, in combination with the first-type environment information and the first-type activity information, whether the first application has a first prohibited behavior;
if the first application has a first prohibited behavior, determining the defense processing operation corresponding to the first prohibited behavior;
executing the defense processing operation while the permitted behaviors of the first application are allowed to run.
7. The method according to claim 6, characterised in that obtaining the first-type activity information of the first application comprises:
obtaining the application programming interface (API) request information of the first application by interacting with the first application.
8. The method according to claim 6, characterised in that determining, from the first-type environment information and the first-type activity information, whether the first application has a first prohibited behavior comprises:
determining, from the first-type environment information, the behaviors to be screened that are related to the first application;
determining, from the first-type activity information, whether the first application has a first prohibited behavior among the behaviors to be screened.
9. The method according to claim 6, characterised in that determining the defense processing operation corresponding to the first prohibited behavior comprises:
querying a mapping relation set based on the first prohibited behavior to obtain the range of optional defense processing operations for the first prohibited behavior, and determining, from the range of optional defense processing operations, the defense processing operation adapted to the first prohibited behavior of the first application.
10. The method according to claim 6, characterised in that, after executing the defense processing operation, the method further comprises:
cleaning up the monitoring data related to the defense processing operation; wherein the monitoring data includes: data related to the first-type activity information of the first application, and data in the first-type environment information related to the first application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611075370.7A CN106778236B (en) | 2016-11-29 | 2016-11-29 | A kind of access control apparatus and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106778236A CN106778236A (en) | 2017-05-31 |
CN106778236B true CN106778236B (en) | 2019-08-30 |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102186167A (en) * | 2011-04-11 | 2011-09-14 | 中兴通讯股份有限公司 | Method and system for monitoring applications |
CN103246566A (en) * | 2012-02-03 | 2013-08-14 | 腾讯科技(深圳)有限公司 | Resource monitoring method and device for application program |
CN103440172A (en) * | 2013-08-19 | 2013-12-11 | 深圳创维数字技术股份有限公司 | Resource management method and terminal device |
CN104268470A (en) * | 2014-09-26 | 2015-01-07 | 酷派软件技术(深圳)有限公司 | Security control method and security control device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||