CN106778236B - A kind of access control apparatus and method - Google Patents

Publication number: CN106778236B
Authority: CN (China)
Prior art keywords: application, behavior, prohibitive, processing operation, defence
Legal status: Active
Application number: CN201611075370.7A
Other languages: Chinese (zh)
Other versions: CN106778236A (en)
Inventor: 李敏
Current Assignee: Nubia Technology Co Ltd
Original Assignee: Nubia Technology Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)

Abstract

The invention discloses an access control apparatus applied to a mobile terminal. The apparatus includes: a first acquisition unit, for obtaining first-kind environment information in the operating system environment of the mobile terminal; a second acquisition unit, for obtaining first-kind activity information of a first application; a judging unit, for judging, by combining the first-kind environment information and the first-kind activity information, whether the first application exhibits a first prohibited behavior; a determination unit, for determining, if the first application exhibits the first prohibited behavior, a defence processing operation corresponding to the first prohibited behavior; and a control unit, for executing the defence processing operation while the permitted behavior of the first application is allowed to run. The invention also discloses an access control method. With the technical solution of the invention, the efficiency and stability of the terminal operating system can be improved.

Description

A kind of access control apparatus and method
Technical field
The present invention relates to information processing technology, and in particular to an access control apparatus and method.
Background art
In recent years, with the rapid development of the mobile Internet, third-party application markets have grown explosively. However, more and more immature applications (Application, abbreviated APP) are entering application markets. Although their functions are richer, some applications show destructive behavior, for example continuously attempting network connections, frequently waking up the terminal, or occupying unnecessary resources for a long time, which has a negative impact on the terminal operating system. These destructive behaviors affect the operation of other APPs on the same terminal, increase terminal power consumption, consume cellular data, occupy storage space, and so on.
Summary of the invention
In view of this, the present invention aims to provide an access control apparatus and method that can improve the efficiency and stability of the terminal operating system.
In order to achieve the above objectives, the technical scheme of the present invention is realized as follows:
The present invention provides an access control apparatus applied to a mobile terminal. The apparatus includes:
A first acquisition unit, for obtaining first-kind environment information in the operating system environment of the mobile terminal;
A second acquisition unit, for obtaining first-kind activity information of a first application;
A judging unit, for judging, by combining the first-kind environment information and the first-kind activity information, whether the first application exhibits a first prohibited behavior;
A determination unit, for determining, if the first application exhibits the first prohibited behavior, a defence processing operation corresponding to the first prohibited behavior;
A control unit, for executing the defence processing operation while the permitted behavior of the first application is allowed to run.
In the above scheme, optionally, the second acquisition unit is also used for:
Obtaining, by interacting with the first application, the application programming interface (API, Application Programming Interface) request information of the first application.
In the above scheme, optionally, the judging unit is also used for:
Determining, according to the first-kind environment information, the to-be-screened behaviors related to the first application;
Determining, according to the first-kind activity information, from the to-be-screened behaviors whether the first application exhibits the first prohibited behavior.
In the above scheme, optionally, the determination unit is also used for:
Querying a mapping relation set based on the first prohibited behavior, obtaining the range of optional defence processing operations to which the first prohibited behavior belongs, and determining, from that range of optional defence processing operations, the defence processing operation adapted to the first prohibited behavior of the first application.
In the above scheme, optionally, the apparatus further includes:
A cleanup unit, for clearing monitoring data related to the defence processing operation; wherein the monitoring data includes: data related to the first-kind activity information of the first application, and the data in the first-kind environment information that is related to the first application.
The present invention also provides an access control method applied to a mobile terminal. The method includes:
Obtaining first-kind environment information in the operating system environment of the mobile terminal;
Obtaining first-kind activity information of a first application;
Judging, by combining the first-kind environment information and the first-kind activity information, whether the first application exhibits a first prohibited behavior;
If the first application exhibits the first prohibited behavior, determining a defence processing operation corresponding to the first prohibited behavior;
Executing the defence processing operation while the permitted behavior of the first application is allowed to run.
In the above scheme, optionally, obtaining the first-kind activity information of the first application includes:
Obtaining, by interacting with the first application, the API request information of the first application.
In the above scheme, optionally, determining, according to the first-kind environment information and the first-kind activity information, whether the first application exhibits the first prohibited behavior includes:
Determining, according to the first-kind environment information, the to-be-screened behaviors related to the first application;
Determining, according to the first-kind activity information, from the to-be-screened behaviors whether the first application exhibits the first prohibited behavior.
In the above scheme, optionally, determining the defence processing operation corresponding to the first prohibited behavior includes:
Querying a mapping relation set based on the first prohibited behavior, obtaining the range of optional defence processing operations to which the first prohibited behavior belongs, and determining, from that range of optional defence processing operations, the defence processing operation adapted to the first prohibited behavior of the first application.
In the above scheme, optionally, after the defence processing operation is executed, the method further includes:
Clearing monitoring data related to the defence processing operation; wherein the monitoring data includes: data related to the first-kind activity information of the first application, and the data in the first-kind environment information that is related to the first application.
The access control apparatus and method provided by the present invention obtain first-kind environment information in the operating system environment of the mobile terminal; obtain first-kind activity information of a first application; judge, by combining the first-kind environment information and the first-kind activity information, whether the first application exhibits a first prohibited behavior; if the first application exhibits the first prohibited behavior, determine a defence processing operation corresponding to the first prohibited behavior; and execute the defence processing operation while the permitted behavior of the first application is allowed to run. In this way, when the first application is judged to exhibit the first prohibited behavior, the defence processing operation corresponding to that behavior is executed while the permitted behavior of the first application continues to run, which counters the adverse effect of APP prohibited behavior on the operating system environment and can improve the efficiency and stability of the terminal operating system.
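The following sketch walks through the method summarized above: environment information selects the behaviors to be screened, activity information (API requests) is checked only against those, a mapping relation set supplies the optional defence operations, permitted requests continue, and monitoring data is cleared afterwards. It is an added example, not code from the patent; every rule, threshold, API label, behavior name and defence name in it is an assumption chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class EnvInfo:  # macro-level ("first kind") environment information
    battery_drain_pct_per_hour: float
    cellular_mb_last_hour: float


@dataclass
class ApiRequest:  # one monitored API request (activity information)
    uid: int
    package: str
    api: str  # hypothetical API label, e.g. "wakelock.acquire"
    start_time: float
    per_minute: float  # request frequency
    request_id: str  # stands in for the unique request identifier
    params: dict = field(default_factory=dict)


# Stage 1 (assumed rules): environment condition -> behaviors to be screened.
SCREENING_RULES = [
    (lambda e: e.battery_drain_pct_per_hour > 10.0,
     {"frequent_wakeup", "long_resource_hold"}),
    (lambda e: e.cellular_mb_last_hour > 100.0, {"repeated_network_connect"}),
]

# Stage 2 (assumed limits): behavior -> (API label, measured value, limit).
BEHAVIORS = {
    "repeated_network_connect": ("network.connect", lambda r: r.per_minute, 30.0),
    "frequent_wakeup": ("wakelock.acquire", lambda r: r.per_minute, 6.0),
    "long_resource_hold": ("wakelock.acquire",
                           lambda r: r.params.get("held_s", 0.0), 600.0),
}

# Mapping relation set (assumed): behavior -> optional defences, mild to strict.
DEFENCE_MAP = {
    "repeated_network_connect": ["rate_limit", "delay_request", "deny_request"],
    "frequent_wakeup": ["batch_wakeups", "defer_until_screen_on", "deny_request"],
    "long_resource_hold": ["release_after_timeout", "deny_request"],
}


def behaviors_to_screen(env):
    """Use the environment information to narrow what is worth checking."""
    selected = set()
    for condition, behaviors in SCREENING_RULES:
        if condition(env):
            selected |= behaviors
    return selected


def find_prohibited(env, req):
    """Return (behavior, observed/limit) for the first match, else None."""
    for name in sorted(behaviors_to_screen(env)):
        api, measure, limit = BEHAVIORS[name]
        if req.api == api and measure(req) > limit:
            return name, measure(req) / limit
    return None


def pick_defence(behavior, ratio):
    """Choose from the optional range; stricter as the excess grows (assumed)."""
    options = DEFENCE_MAP[behavior]
    level = 0 if ratio < 2 else 1 if ratio < 4 else 2
    return options[min(level, len(options) - 1)]


def control(env, requests, monitoring_data):
    """Decide per request, then clear monitoring data of defended apps."""
    decisions, defended = {}, set()
    for req in requests:
        hit = find_prohibited(env, req)
        if hit is None:
            decisions[req.request_id] = "allow"  # permitted behavior keeps running
        else:
            decisions[req.request_id] = pick_defence(*hit)
            defended.add(req.package)
    for package in defended:
        monitoring_data.pop(package, None)
    return decisions


def demo():
    # Constructed sample: battery is draining fast, cellular use is low.
    env = EnvInfo(battery_drain_pct_per_hour=12.0, cellular_mb_last_hour=20.0)
    requests = [
        ApiRequest(10101, "com.example.chat", "network.connect", 0.0, 90.0, "r1"),
        ApiRequest(10102, "com.example.game", "wakelock.acquire", 1.0, 15.0, "r2"),
        ApiRequest(10102, "com.example.game", "storage.read", 2.0, 1.0, "r3"),
    ]
    monitoring = {"com.example.chat": ["r1"], "com.example.game": ["r2", "r3"]}
    return control(env, requests, monitoring), monitoring
```

In the constructed sample, request r1 is allowed even though its frequency is high, because the environment information did not put network behavior into the set to be screened; only the wake-up request r2 receives a defence, and the same application's r3 continues unaffected.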
Brief description of the drawings
Fig. 1 is a schematic diagram of the hardware structure of an optional mobile terminal for implementing the embodiments of the present invention;
Fig. 2 is a schematic diagram of the wireless communication system of the mobile terminal shown in Fig. 1;
Fig. 3 is a schematic flowchart of the access control method provided in an embodiment of the present invention;
Fig. 4 is an architecture diagram of an access control system provided in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the composition of the access control apparatus provided in an embodiment of the present invention.
Detailed description of the embodiments
To provide a fuller understanding of the features and technical content of the embodiments of the present invention, their implementation is described in detail below with reference to the accompanying drawings. The drawings are for reference and illustration only and are not intended to limit the embodiments of the present invention.
A terminal for implementing the embodiments of the present invention is now described with reference to the drawings. In the following description, suffixes such as "module", "component" or "unit" used to denote elements serve only to aid the explanation of the embodiments and have no specific meaning in themselves. Therefore, "module", "component" and "unit" may be used interchangeably.
A terminal can be implemented in various forms. For example, the terminal described in the embodiments of the present invention may include mobile terminals such as mobile phones, smartphones, laptops, digital broadcast receivers, personal digital assistants (PDA, Personal Digital Assistant), tablet computers (PAD), portable media players (PMP, Portable Media Player) and navigation devices, as well as fixed terminals such as digital TVs and desktop computers. In the following, the terminal is assumed to be a mobile terminal. However, those skilled in the art will understand that, apart from elements used specifically for mobile purposes, the construction according to the embodiments of the present invention can also be applied to fixed terminals.
Fig. 1 is a schematic diagram of the hardware structure of a mobile terminal for implementing the embodiments of the present invention.
Mobile terminal 100 may include audio/video (A/V) input unit 120, user input unit 130, output unit 150, memory 160, interface unit 170, controller 180, power supply unit 190, and so on. Fig. 1 shows a mobile terminal with various components, but it should be understood that not all of the components shown are required. More or fewer components may alternatively be implemented. The elements of the mobile terminal are discussed in more detail below.
A/V input unit 120 is used to receive audio or video signals. A/V input unit 120 may include camera 121 and microphone 122. Camera 121 processes the image data of still pictures or video obtained by an image capture device in video capture mode or image capture mode. The processed image frames may be displayed on display unit 151. The image frames processed by camera 121 may be stored in memory 160 (or another storage medium), and two or more cameras 121 may be provided depending on the construction of the mobile terminal. Microphone 122 can receive sound (audio data) in operating modes such as phone call mode, recording mode and speech recognition mode, and can process such sound into audio data. Microphone 122 may implement various types of noise cancellation (or suppression) algorithms to cancel (or suppress) noise or interference generated while sending and receiving audio signals.
User input unit 130 can generate key input data according to commands entered by the user to control various operations of the mobile terminal. User input unit 130 allows the user to enter various types of information and may include a keyboard, a metal dome, a touch pad (for example, a touch-sensitive component that detects changes in resistance, pressure, capacitance and the like caused by contact), a scroll wheel, a joystick, and so on. In particular, when the touch pad is superimposed on display unit 151 as a layer, a touch screen can be formed.
Interface unit 170 serves as an interface through which at least one external device can connect to mobile terminal 100. For example, the external device may include a wired or wireless headset port, an external power supply (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device having an identification module, an audio input/output (I/O) port, a video I/O port, an earphone port, and so on. The identification module may store various information for verifying the user's use of mobile terminal 100 and may include a user identification module (UIM, User Identify Module), a subscriber identification module (SIM, Subscriber Identity Module), a universal subscriber identification module (USIM, Universal Subscriber Identity Module), and so on. In addition, the device having the identification module (hereinafter referred to as the "identification device") may take the form of a smart card; the identification device can therefore be connected to mobile terminal 100 via a port or other connecting means. Interface unit 170 can be used to receive input (for example, data, power and so on) from an external device and transfer the received input to one or more elements in mobile terminal 100, or can be used to transfer data between the mobile terminal and an external device.
In addition, when mobile terminal 100 is connected to an external cradle, interface unit 170 may serve as a path through which power is supplied from the cradle to mobile terminal 100, or as a path through which various command signals input from the cradle are transferred to the mobile terminal. The various command signals or power input from the cradle may serve as signals for recognizing whether the mobile terminal is accurately mounted on the cradle. Output unit 150 is configured to provide output signals (for example, audio signals, video signals, alarm signals, vibration signals and so on) in a visual, audio and/or tactile manner. Output unit 150 may include display unit 151, audio output module 152, alarm unit 153, and so on.
Display unit 151 can display information processed in mobile terminal 100. For example, when mobile terminal 100 is in phone call mode, display unit 151 can display a user interface (UI, User Interface) or graphical user interface (GUI, Graphical User Interface) related to the call or other communication (for example, text messaging, multimedia file downloading and so on). When mobile terminal 100 is in video call mode or image capture mode, display unit 151 can display captured and/or received images, a UI or GUI showing the video or images and related functions, and so on.
Meanwhile, when display unit 151 and the touch pad are superimposed on each other as layers to form a touch screen, display unit 151 can serve as both an input device and an output device. Display unit 151 may include at least one of a liquid crystal display (LCD, Liquid Crystal Display), a thin film transistor LCD (TFT-LCD, Thin Film Transistor-LCD), an organic light-emitting diode (OLED, Organic Light-Emitting Diode) display, a flexible display, a three-dimensional (3D) display, and so on. Some of these displays may be constructed to be transparent so that the user can see through them from the outside; these may be called transparent displays, a typical example being a transparent organic light-emitting diode (TOLED) display. Depending on the specific desired embodiment, mobile terminal 100 may include two or more display units (or other display devices); for example, the mobile terminal may include an external display unit (not shown) and an internal display unit (not shown). The touch screen can be used to detect touch input pressure as well as touch input position and touch input area.
Audio output module 152 can, when the mobile terminal is in a mode such as call signal reception mode, call mode, recording mode, speech recognition mode or broadcast reception mode, convert audio data received by wireless communication unit 110 or stored in memory 160 into an audio signal and output it as sound. Moreover, audio output module 152 can provide audio output related to a specific function performed by mobile terminal 100 (for example, a call signal reception sound, a message reception sound and so on). Audio output module 152 may include a loudspeaker, a buzzer, and so on.
Alarm unit 153 can provide output to notify mobile terminal 100 of the occurrence of an event. Typical events may include call reception, message reception, key signal input, touch input, and so on. In addition to audio or video output, alarm unit 153 can provide output in different ways to notify of the occurrence of an event. For example, alarm unit 153 can provide output in the form of vibration: when a call, a message or some other incoming communication is received, alarm unit 153 can provide tactile output (that is, vibration) to notify the user. With such tactile output, the user can recognize the occurrence of various events even when the user's mobile phone is in the user's pocket. Alarm unit 153 can also provide output notifying of the occurrence of an event via display unit 151 or audio output module 152.
Memory 160 can store software programs for the processing and control operations executed by controller 180, or can temporarily store data that has been output or is to be output (for example, a phone book, messages, still images, video and so on). Moreover, memory 160 can store data about the vibrations and audio signals of various patterns that are output when a touch is applied to the touch screen.
Memory 160 may include at least one type of storage medium, including flash memory, a hard disk, a multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM, Random Access Memory), static random access memory (SRAM, Static Random Access Memory), read-only memory (ROM, Read Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read Only Memory), programmable read-only memory (PROM, Programmable Read Only Memory), magnetic memory, a magnetic disk, an optical disc, and so on. Moreover, mobile terminal 100 can cooperate with a network storage device that performs the storage function of memory 160 over a network connection.
Controller 180 usually controls the overall operation of the mobile terminal. For example, controller 180 performs the control and processing related to voice calls, data communication, video calls, and so on. In addition, controller 180 may include multimedia module 181 for reproducing (or playing back) multimedia data; multimedia module 181 may be built into controller 180 or may be constructed separately from controller 180. Controller 180 can perform pattern recognition processing to recognize handwriting input or picture-drawing input performed on the touch screen as characters or images.
Power supply unit 190 receives external or internal power under the control of controller 180 and provides the appropriate power required to operate each element and component.
The various embodiments described herein can be implemented in a computer-readable medium using, for example, computer software, hardware, or any combination thereof. For a hardware implementation, the embodiments described herein can be implemented using at least one of an application-specific integrated circuit (ASIC, Application Specific Integrated Circuit), a digital signal processor (DSP, Digital Signal Processing), a digital signal processing device (DSPD, Digital Signal Processing Device), a programmable logic device (PLD, Programmable Logic Device), a field programmable gate array (FPGA, Field Programmable Gate Array), a processor, a controller, a microcontroller, a microprocessor, or an electronic unit designed to perform the functions described herein; in some cases, such an embodiment can be implemented in controller 180. For a software implementation, an embodiment such as a process or function can be implemented with a separate software module that allows at least one function or operation to be performed. The software code can be implemented by a software application (or program) written in any appropriate programming language, and the software code can be stored in memory 160 and executed by controller 180.
So far, the mobile terminal has been described in terms of its functions. In the following, for brevity, a slide-type mobile terminal, among various types of mobile terminals such as folder-type, bar-type, swing-type and slide-type terminals, is described as an example. The present invention can therefore be applied to any type of mobile terminal and is not limited to slide-type mobile terminals.
Mobile terminal 100 as shown in Fig. 1 may be configured to operate with wired and wireless communication systems and satellite-based communication systems that send data via frames or packets.
A communication system in which a mobile terminal according to an embodiment of the present invention can operate is now described with reference to Fig. 2.
Such communication systems can use different air interfaces and/or physical layers. For example, the air interfaces used by communication systems include frequency division multiple access (FDMA, Frequency Division Multiple Access), time division multiple access (TDMA, Time Division Multiple Access), code division multiple access (CDMA, Code Division Multiple Access), the Universal Mobile Telecommunications System (UMTS, Universal Mobile Telecommunications System) (in particular, Long Term Evolution (LTE, Long Term Evolution)), the Global System for Mobile Communications (GSM), and so on. As a non-limiting example, the description below relates to a CDMA communication system, but the teaching applies equally to other types of systems.
With reference to Fig. 2, a CDMA wireless communication system may include multiple mobile terminals 100, multiple base stations (BS, Base Station) 270, base station controllers (BSC, Base Station Controller) 275 and a mobile switching centre (MSC, Mobile Switching Center) 280. MSC280 is configured to form an interface with the Public Switched Telephone Network (PSTN, Public Switched Telephone Network) 290. MSC280 is also configured to form an interface with BSC275, which can be coupled to base station 270 via a backhaul link. The backhaul link can be constructed according to any of several known interfaces, including, for example, E1/T1, ATM, IP, PPP, frame relay, HDSL, ADSL or xDSL. It will be appreciated that the system shown in Fig. 2 may include multiple BSC275.
Each BS270 can serve one or more sectors (or regions), each sector being covered by an omnidirectional antenna or an antenna pointing in a specific direction radially away from BS270. Alternatively, each sector can be covered by two or more antennas for diversity reception. Each BS270 may be configured to support multiple frequency allocations, each frequency allocation having a specific spectrum (for example, 1.25MHz, 5MHz and so on).
The intersection of a sector and a frequency allocation may be referred to as a CDMA channel. BS270 may also be referred to as a base transceiver station (BTS, Base Transceiver Station) or by other equivalent terms. In this case, the term "base station" can be used to refer broadly to a single BSC275 and at least one BS270. A base station may also be referred to as a "cell site". Alternatively, the individual sectors of a specific BS270 may be referred to as multiple cell sites.
As shown in Fig. 2, broadcast transmitter (BT, Broadcast Transmitter) 295 sends a broadcast signal to the mobile terminals 100 operating in the system. Broadcast reception module 111 as shown in Fig. 1 is provided at mobile terminal 100 to receive the broadcast signal sent by BT295. Fig. 2 also shows several Global Positioning System (GPS) satellites 300. Satellites 300 help locate at least one of the multiple mobile terminals 100.
Fig. 2 depicts multiple satellites 300, but it should be understood that useful positioning information can be obtained with any number of satellites. GPS module 115 as shown in Fig. 1 is generally configured to cooperate with satellites 300 to obtain the desired positioning information. Instead of or in addition to GPS tracking technology, other technologies that can track the position of the mobile terminal may be used. In addition, at least one GPS satellite 300 may selectively or additionally handle satellite DMB transmission.
In a typical operation of the wireless communication system, BS270 receives reverse link signals from various mobile terminals 100. Mobile terminals 100 usually take part in calls, messaging and other types of communication. Each reverse link signal received by a given base station 270 is processed within that BS270. The resulting data is forwarded to the relevant BSC275. The BSC provides call resource allocation and mobility management functions, including the coordination of soft handoff procedures between BS270. BSC275 also routes the received data to MSC280, which provides additional routing services for interfacing with PSTN290. Similarly, PSTN290 forms an interface with MSC280, the MSC forms an interface with BSC275, and BSC275 in turn controls BS270 to send forward link signals to mobile terminals 100.
Based on the mobile terminal hardware structure and communication system described above, the method embodiments of the present invention are proposed in order to counter the negative effect that destructive application behavior has on the terminal operating system and to improve the efficiency and stability of the operating system.
Embodiment one
Fig. 3 is a schematic flowchart of the access control method provided in an embodiment of the present invention. The access control method in this example is applied to a mobile terminal. As shown in Fig. 3, the access control method mainly includes the following steps:
Step 301: obtain first-kind environment information in the operating system environment of the mobile terminal.
Here, the operating system is the operating system of the mobile terminal.
For example, the operating systems mainly used on mobile terminals include Android (Google), iOS (Apple), Windows Phone (Microsoft), Symbian (Nokia), BlackBerry OS (BlackBerry), Windows Mobile (Microsoft), and so on.
Here, the first-kind environment information is information corresponding to the operating system environment at the macro level. For example, the first-kind environment information includes battery usage, storage usage, data traffic usage, and so on.
In an optional embodiment, obtaining the first-kind environment information in the operating system environment of the mobile terminal includes:
Monitoring the operating system environment of the mobile terminal with a macro monitor, and analyzing the monitoring data to obtain the first-kind environment information.
That is, the macro monitor does not need to monitor all environment information in the operating system environment; it only needs to monitor the first-kind environment information that helps to judge whether any application exhibits prohibited behavior.
In an optional embodiment, after the operating system environment of the mobile terminal is monitored by the macro monitor and the monitoring data is analyzed to obtain the first-kind environment information, the method further includes:
Sending the first-kind environment information to each micro-monitor through a controller, and notifying each micro-monitor to monitor the first-kind activities of each application and analyze the monitoring data to obtain first-kind activity information.
Here, different micro-monitors are responsible for monitoring different first-kind activities.
Step 302: obtain the first-kind activity information of the first application.
In the present embodiment, the first application is installed on the mobile terminal.
In the embodiments of the present invention, the first application run by the mobile terminal may be an application built into the mobile terminal system, for example a clock application, a calculator application, a camera application or a contacts application, or may be a third-party application installed by the user, for example a game application, the WeChat application, a browser application, an instant messaging application or a mail application.
Here, the first-kind activity information includes request information, such as application programming interface (API, Application Programming Interface) request information.
In an optional embodiment, obtaining the first-kind activity information of the first application includes:
Obtaining, by interacting with the first application, the API request information of the first application.
Wherein, the API request information may include:
Callee information, a request statement, a unique request identifier, and request parameters.
Wherein, the callee information includes: the application's user identifier (UID, User Identifier) and the application's package name.
Wherein, the request statement includes the request start time and the request frequency.
Wherein, the unique request identifier includes an IBinder object. Here, IBinder is the base interface for remotable objects in Android development.
In a specific embodiment, obtaining the first-kind activity information of the first application includes:
Monitoring the first-kind activities of the first application with a micro-monitor, and analyzing the monitoring data to obtain the first-kind activity information.
It should be noted that the micro-monitor does not track all request information of the first application; a request is monitored only when it may cause an adverse effect, such as continuously attempting network connections, frequently waking up the terminal, or occupying unnecessary resources for a long time.
It should be noted that step 301 and step 302 may be performed simultaneously, or step 302 may be performed before step 301.
Step 303: Judge, by combining the first-type environment information and the first-type activity information, whether the first application exhibits a first prohibited behavior.
Here, the first prohibited behavior is a preset behavior that the first application is not allowed to access.
Optionally, determining, according to the first-type environment information and the first-type activity information, whether the first application exhibits the first prohibited behavior includes:
determining, according to the first-type environment information, the behaviors to be screened that relate to the first application;
determining, according to the first-type activity information, whether the first prohibited behavior of the first application is present among the behaviors to be screened.
That is, a preliminary judgment is first made from the first-type environment information as to whether the first application may exhibit behavior prohibited by the system; if the preliminary result is that it may, the first-type activity information is then used to judge whether the first application exhibits behavior prohibited by the system.
For example, if the first-type environment information shows that the first application is consuming power, the first application may be exhibiting behavior prohibited by the system; the API request information of the first application is then used to judge whether it does, and if so, the first application is determined to currently exhibit the first prohibited behavior.
As another example, if the first-type environment information shows that the first application is consuming data traffic, the first application may be exhibiting behavior prohibited by the system; the API request information of the first application is then used to judge whether it does, and if so, the first application is determined to currently exhibit the first prohibited behavior.
In this way, because the macro-level system environment information monitored by the macro monitor cannot by itself fully determine which APP is behaving badly, it is combined with the first-type activity information of each APP to better determine which APP is behaving badly and the type of bad behavior.
Step 304: If the first application exhibits the first prohibited behavior, determine the defense processing operation corresponding to the first prohibited behavior.
In an optional embodiment, determining the defense processing operation corresponding to the first prohibited behavior includes:
querying a mapping relation set based on the first prohibited behavior, obtaining the range of optional defense processing operations to which the first prohibited behavior belongs, and determining, from that range, the defense processing operation suited to the first prohibited behavior of the first application.
The mapping relation set includes the mapping relations between different prohibited behaviors and their corresponding defense processing operations; each prohibited behavior corresponds to one or more optional defense processing operations.
It should be noted that different applications may have different prohibited behaviors. In general, an application with a higher importance level has a wider range of granted access rights and therefore fewer prohibited behaviors; conversely, an application with a lower importance level has a narrower range of permissions and therefore more prohibited behaviors.
In an optional embodiment, the method further includes:
receiving a first operation, where the first operation is used to set or change an application whitelist;
generating the application whitelist based on the first operation;
determining the mapping relation set according to the application whitelist.
In general, applications on the application whitelist have a wider range of granted access rights than applications not on it. For example, some API requests may only be made by applications on the application whitelist.
In an optional embodiment, the method further includes:
receiving a second operation, where the second operation is used to input a defense processing policy;
generating the defense processing policy based on the second operation;
determining the mapping relation set according to the defense processing policy.
An example of the protection actions corresponding to different defense processing operations is shown in Table 1.
Table 1
For example, the protection action type corresponding to a defense processing operation includes: release. Specifically, to implement the release action for a wake lock, the request information table, which records the start time of every wake lock, is checked periodically, and when a preset critical value is exceeded the corresponding lock object is deleted from the wake lock set.
For example, the protection action type corresponding to a defense processing operation includes: slow down. Specifically, to slow down the clock, the recurrence interval variable in the data structure is adjusted.
For example, the protection action type corresponding to a defense processing operation includes: delay. Specifically, to delay a time action, the request is placed in a cache and processed after a determined time.
Step 305: Execute the defense processing operation while allowing the permitted behaviors of the first application to run.
The defense processing operation includes at least: completely prohibiting execution, allowing execution when a trigger condition is met, and delaying execution.
In this way, when the first application is detected to exhibit the first prohibited behavior, i.e. a destructive behavior, executing the defense processing operation adjusts the behavior of the first application, which can prevent the destructive behavior and its effect on the main functions of the first application.
Further, after executing the defense processing operation, the method further includes:
cleaning up monitoring data related to the defense processing operation, where the monitoring data includes: data related to the first-type activity information of the first application, and data in the first-type environment information related to the first application.
In a specific embodiment, the monitoring data related to the defense processing operation is cleaned up periodically, or cleaned up promptly.
In this way, cleaning up old data frees storage space.
In this embodiment, the first-type environment information in the operating system environment of the mobile terminal is obtained; the first-type activity information of the first application is obtained; whether the first application exhibits a first prohibited behavior is judged by combining the first-type environment information and the first-type activity information; if the first application exhibits the first prohibited behavior, the defense processing operation corresponding to the first prohibited behavior is determined; and the defense processing operation is executed while allowing the permitted behaviors of the first application to run. Thus, when the first application is judged to exhibit the first prohibited behavior, the corresponding defense processing operation is executed while the permitted behaviors of the first application are allowed to run, which can resist the adverse effects of APP prohibited behaviors on the operating system environment and improve the efficiency and stability of the terminal operating system.
Embodiment two
Fig. 4 is an architecture diagram of an access control system provided by an embodiment of the present invention, applied to a mobile terminal. As shown in Fig. 4, the system includes:
a macro monitor 41, responsible for monitoring the first-type environment information in the operating system environment;
a micro-monitor 42, responsible for monitoring the first-type activity information of each application;
a controller 43, responsible for notifying the micro-monitor 42, based on the first-type environment information, to monitor the first-type activity information of each application;
a processor 44 corresponding to the micro-monitor 42, including a defense module, configured to determine the first prohibited behavior of the first application according to the first-type activity information; determine the protection action corresponding to the first prohibited behavior; and execute the protection action while allowing the normal access behaviors of the first application to run.
This embodiment provides a defensive operating system that resists APP disruption, referred to as DefOS. DefOS uses a modular design: a controller service monitors the macro-level operating system environment (such as battery and storage) and manages an extensible set of defense modules that handle different kinds of APP disruption.
The defense module and the microcontroller belong to subsystems of DefOS and record important APP activities. The defense module includes a defender, a storage space, and a garbage collector (GC, Garbage Collection). Specifically, the defender is responsible for analyzing monitoring information and executing defense actions. The storage space is responsible for storing necessary information, such as cancelled defense actions. The GC is responsible for deleting old monitor data and the data stored in the storage space.
DefOS has two modes, permissive and defensive. It can serve APPs in the same way as a basic operating system (OS, Operating System). When an unhealthy system environment and suspicious APP activity appear, for example frequent wake-up operations or held wake locks, DefOS enters defensive mode and takes precise defense actions against the misbehaving APP, such as reducing the APP's timing frequency or releasing a wake lock held for a long time.
In this embodiment, the macro monitor 41 monitors the macro-level system environment, such as battery and data usage. However, macro-level information cannot fully determine which APP is behaving badly, nor is it sufficient to design a precise defensive action. DefOS therefore delegates to a series of dedicated defense modules. The controller manages the life cycle of these defense modules, propagates the macro-level system environment to them, and exposes some configuration information to the terminal user, such as the defense action policy and the APP whitelist.
In this embodiment, DefOS not only monitors the macro-level system environment through the macro monitor 41, but also monitors APP-level activities through the micro-monitor 42, by inserting a series of micro-monitors 42 that interact with APPs, such as in the power management service and the location service. The micro-monitor 42 records precise API request information of an APP, including the callee (UID or package name), the request statement (request start time, request rate), the unique request identifier (the IBinder object in Android), request parameters, and so on. The micro-monitor 42 does not track all APP activities; a request is monitored only when its type may cause adverse effects. When an APP makes a request that may cause adverse effects, the defense module takes the corresponding defense processing operation, such as release or cancel, to resist the APP's destructive behavior. In addition, each defense module has a garbage collector that periodically cleans up old data. For example, after the defense module takes the corresponding defense processing operation, most of the data of the micro-monitor 42 is deleted.
In this embodiment, the protector in the defense module is an important component of DefOS; it can take precise actions to reduce the bad behavior of various APPs. The protector is responsible for periodically checking monitoring data and executing protection actions against potential bad behavior. The protection actions may be as shown in Table 1; they can release resources, adjust frequency, delay or block requests, or warn the user. The micro-monitor 42 relies on dedicated subsystems to implement these protection actions. For example, to implement the release action for a wake lock, the request information table, which records the start time of every wake lock, is checked periodically, and when a preset critical value is exceeded the corresponding lock object is deleted from the wake lock set. To slow down the clock, the recurrence interval variable in the data structure is adjusted. To delay a time action, the request is placed in a cache and processed after a determined time.
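The screening of step 303, the mapping lookup of step 304 and the protector's release, slow-down and delay actions described above can be simulated as follows. This is an added Python example, not code from the patent; the thresholds, package names, behavior names and the rule that whitelisted applications are skipped during screening are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed values: the patent only speaks of a "preset critical value".
WAKELOCK_MAX_HELD_S = 60   # longest acceptable wake lock hold, seconds
ALARM_MIN_INTERVAL_S = 60  # shortest acceptable recurrence interval, seconds
SLOWDOWN_FACTOR = 4        # multiplier applied by the slow-down action
DRAIN_LIMIT = 10.0         # battery drain (%/hour) treated as unhealthy
SHARE_LIMIT = 0.3          # per-app share of drain that triggers screening

# Mapping relation set: prohibited behavior -> optional defense operations.
MAPPING = {
    "long_held_wakelock": ("release",),
    "frequent_wakeup": ("slow_down", "delay"),
}


@dataclass
class Request:
    """One row of the request information table kept by a micro-monitor."""
    uid: int
    package: str
    kind: str              # "wakelock" or "alarm"
    token: str             # stands in for the unique IBinder object
    start: float           # request start time, seconds
    interval: float = 0.0  # recurrence interval, alarms only


def screen(drain_pct_per_hour, drain_by_package):
    """Macro stage: return the packages whose behavior should be screened."""
    if drain_pct_per_hour < DRAIN_LIMIT:
        return set()  # healthy environment, nothing to screen
    total = sum(drain_by_package.values()) or 1.0
    return {p for p, d in drain_by_package.items() if d / total >= SHARE_LIMIT}


def classify(req, now):
    """Micro stage: name the prohibited behavior of one request, or None."""
    if req.kind == "wakelock" and now - req.start > WAKELOCK_MAX_HELD_S:
        return "long_held_wakelock"
    if req.kind == "alarm" and 0 < req.interval < ALARM_MIN_INTERVAL_S:
        return "frequent_wakeup"
    return None


class Defender:
    def __init__(self, whitelist=(), disabled=()):
        self.whitelist = set(whitelist)  # assumed: whitelisted apps are not screened
        self.disabled = set(disabled)    # user policy: actions that must not be used
        self.table = {}                  # request information table, keyed by token
        self.deferred = []               # cache of delayed requests

    def record(self, req):
        self.table[req.token] = req

    def apply(self, action, req):
        if action == "release":      # drop the lock object; the app keeps running
            del self.table[req.token]
        elif action == "slow_down":  # stretch the recurrence interval
            req.interval *= SLOWDOWN_FACTOR
        elif action == "delay":      # park the request for later processing
            self.deferred.append(self.table.pop(req.token))

    def check(self, drain_pct_per_hour, drain_by_package, now):
        """One periodic pass: screen, classify, look up and apply a defense."""
        suspects = screen(drain_pct_per_hour, drain_by_package) - self.whitelist
        taken = []
        for req in list(self.table.values()):
            behavior = classify(req, now) if req.package in suspects else None
            if behavior is None:
                continue
            options = [a for a in MAPPING[behavior] if a not in self.disabled]
            if options:
                self.apply(options[0], req)
                taken.append((req.package, behavior, options[0]))
        return taken


def demo(whitelist=(), disabled=(), drain=20.0):
    """Run one pass over constructed sample data (not from the patent)."""
    d = Defender(whitelist, disabled)
    d.record(Request(10101, "com.example.game", "wakelock", "wl-1", start=0))
    d.record(Request(10101, "com.example.game", "alarm", "al-1", start=0, interval=5))
    d.record(Request(10102, "com.example.mail", "wakelock", "wl-2", start=0))
    usage = {"com.example.game": 70, "com.example.mail": 20, "com.example.clock": 10}
    return d, d.check(drain, usage, now=300)
```

In the sample data the mail application also holds a wake lock past the threshold, but it is left alone because the macro stage never marks it as a candidate; only the offending requests of the screened application are changed.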
Embodiment three
Fig. 5 is a schematic structural diagram of an access control apparatus provided by an embodiment of the present invention, applied to a mobile terminal. As shown in Fig. 5, the apparatus includes a first acquisition unit 51, a second acquisition unit 52, a judging unit 53, a determination unit 54, and a control unit 55, wherein:
the first acquisition unit 51 is configured to obtain the first-type environment information in the operating system environment of the mobile terminal;
the second acquisition unit 52 is configured to obtain the first-type activity information of the first application;
the judging unit 53 is configured to judge, by combining the first-type environment information and the first-type activity information, whether the first application exhibits a first prohibited behavior;
the determination unit 54 is configured to determine, if the first application exhibits the first prohibited behavior, the defense processing operation corresponding to the first prohibited behavior;
the control unit 55 is configured to execute the defense processing operation while allowing the permitted behaviors of the first application to run.
In an optional embodiment, the second acquisition unit 52 is further configured to:
obtain the application programming interface (API) request information of the first application by interacting with the first application.
In an optional embodiment, the judging unit 53 is further configured to:
determine, according to the first-type environment information, the behaviors to be screened that relate to the first application;
determine, according to the first-type activity information, whether the first prohibited behavior of the first application is present among the behaviors to be screened.
In an optional embodiment, the determination unit 54 is further configured to:
query a mapping relation set based on the first prohibited behavior, obtain the range of optional defense processing operations to which the first prohibited behavior belongs, and determine, from that range, the defense processing operation suited to the first prohibited behavior of the first application.
Optionally, the apparatus further includes:
a cleaning unit 56, configured to clean up monitoring data related to the defense processing operation, where the monitoring data includes: data related to the first-type activity information of the first application, and data in the first-type environment information related to the first application.
The above access control apparatus may be provided in a mobile terminal.
In practical applications, the specific structures of the first acquisition unit 51, second acquisition unit 52, judging unit 53, determination unit 54, control unit 55, and cleaning unit 56 may each correspond to a processor. The specific structure of the processor may be a central processing unit (CPU, Central Processing Unit), a microprocessor (MCU, Micro Controller Unit), a digital signal processor (DSP, Digital Signal Processing), a programmable logic device (PLC, Programmable Logic Controller), or another electronic component or set of electronic components with processing capability. The processor includes executable code stored in a storage medium; the processor may be connected to the storage medium through a communication interface such as a bus, and, when performing the function of a given unit, reads and runs the executable code from the storage medium. The part of the storage medium that stores the executable code is preferably a non-transitory storage medium.
The first acquisition unit 51, second acquisition unit 52, judging unit 53, determination unit 54, control unit 55, and cleaning unit 56 may be integrated into the same processor or correspond to different processors; when integrated into the same processor, the processor handles the functions of the first acquisition unit 51, second acquisition unit 52, judging unit 53, determination unit 54, control unit 55, and cleaning unit 56 by time division.
In practical applications, the first acquisition unit 51 may be implemented by the macro monitor, the second acquisition unit 52 may be implemented by the micro-monitor, the judging unit 53, the determination unit 54 and the control unit 55 may be implemented by the processor that includes the defense module, and the cleaning unit 56 may be implemented by the garbage collector corresponding to the processor that includes the defense module.
Those skilled in the art will appreciate that the functions of each unit in the access control apparatus of the embodiments of the present invention can be understood with reference to the foregoing description of the access control method. Each unit in the access control apparatus of the embodiments of the present invention may be implemented by an analog circuit that realizes the functions described in the embodiments of the present invention, or by software that performs those functions running on an intelligent terminal.
The access control apparatus described in this embodiment can resist the adverse effects of APP prohibited behaviors on the operating system environment and can improve the efficiency and stability of the terminal operating system.
It should be noted that, in this document, the terms "include", "comprise" and any variants thereof are intended to be non-exclusive, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or apparatus. Without further limitation, an element introduced by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that includes it.
The serial numbers of the above embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.
From the above description of the embodiments, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and can of course also be implemented by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, etc.) to execute the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and do not limit the scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, whether applied directly or indirectly in other related technical fields, is likewise included within the scope of protection of the present invention.

Claims (10)

1. An access control apparatus, applied to a mobile terminal, characterized in that the apparatus includes:
a first acquisition unit, configured to obtain first-type environment information in the operating system environment of the mobile terminal;
a second acquisition unit, configured to obtain first-type activity information of a first application, where the first-type activity information includes request information;
a judging unit, configured to judge, by combining the first-type environment information and the first-type activity information, whether the first application exhibits a first prohibited behavior;
a determination unit, configured to determine, if the first application exhibits the first prohibited behavior, the defense processing operation corresponding to the first prohibited behavior;
a control unit, configured to execute the defense processing operation while allowing the permitted behaviors of the first application to run.
2. The apparatus according to claim 1, characterized in that the second acquisition unit is further configured to:
obtain the application programming interface (API) request information of the first application by interacting with the first application.
3. The apparatus according to claim 1, characterized in that the judging unit is further configured to:
determine, according to the first-type environment information, the behaviors to be screened that relate to the first application;
determine, according to the first-type activity information, whether the first prohibited behavior of the first application is present among the behaviors to be screened.
4. The apparatus according to claim 1, characterized in that the determination unit is further configured to:
query a mapping relation set based on the first prohibited behavior, obtain the range of optional defense processing operations to which the first prohibited behavior belongs, and determine, from that range, the defense processing operation suited to the first prohibited behavior of the first application.
5. The apparatus according to claim 1, characterized in that the apparatus further includes:
a cleaning unit, configured to clean up monitoring data related to the defense processing operation, where the monitoring data includes: data related to the first-type activity information of the first application, and data in the first-type environment information related to the first application.
6. An access control method, applied to a mobile terminal, characterized in that the method includes:
obtaining first-type environment information in the operating system environment of the mobile terminal;
obtaining first-type activity information of a first application, where the first-type activity information includes request information;
judging, by combining the first-type environment information and the first-type activity information, whether the first application exhibits a first prohibited behavior;
if the first application exhibits the first prohibited behavior, determining the defense processing operation corresponding to the first prohibited behavior;
executing the defense processing operation while allowing the permitted behaviors of the first application to run.
7. The method according to claim 6, characterized in that obtaining the first-type activity information of the first application includes:
obtaining the application programming interface (API) request information of the first application by interacting with the first application.
8. The method according to claim 6, characterized in that determining, according to the first-type environment information and the first-type activity information, whether the first application exhibits the first prohibited behavior includes:
determining, according to the first-type environment information, the behaviors to be screened that relate to the first application;
determining, according to the first-type activity information, whether the first prohibited behavior of the first application is present among the behaviors to be screened.
9. The method according to claim 6, characterized in that determining the defense processing operation corresponding to the first prohibited behavior includes:
querying a mapping relation set based on the first prohibited behavior, obtaining the range of optional defense processing operations to which the first prohibited behavior belongs, and determining, from that range, the defense processing operation suited to the first prohibited behavior of the first application.
10. The method according to claim 6, characterized in that, after executing the defense processing operation, the method further includes:
cleaning up monitoring data related to the defense processing operation, where the monitoring data includes: data related to the first-type activity information of the first application, and data in the first-type environment information related to the first application.
CN201611075370.7A 2016-11-29 2016-11-29 A kind of access control apparatus and method Active CN106778236B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611075370.7A CN106778236B (en) 2016-11-29 2016-11-29 A kind of access control apparatus and method

Publications (2)

Publication Number Publication Date
CN106778236A CN106778236A (en) 2017-05-31
CN106778236B true CN106778236B (en) 2019-08-30
