CN107085685A - Method for operating platform data - Google Patents

Info

Publication number
CN107085685A
Authority
CN
China
Legal status
Granted
Application number
CN201710342424.XA
Other languages
Chinese (zh)
Other versions
CN107085685B (en
Inventor
刘颖
Current Assignee
Chengdu Hui Zhi Distant View Science And Technology Ltd
Original Assignee
Chengdu Hui Zhi Distant View Science And Technology Ltd
Application filed by Chengdu Hui Zhi Distant View Science And Technology Ltd
Priority to CN201710342424.XA
Publication of CN107085685A
Application granted
Publication of CN107085685B
Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

A method for operating platform data comprises: acquiring features while an application runs on the platform; the platform analyzing the profile type and interacting with a remote device to determine consistency; for a target application that does not satisfy consistency, the platform performing a preliminary screening of the suspicious target application by local comparison; for a target application that does not pass the preliminary screening, the platform performing a behavior evaluation of the application; after a malicious application is determined, removing it locally and recording it with the remote device; verifying and repairing damaged platform data; running the repaired platform data and checking whether any profile of the removed application remains; if a profile of the removed application remains, repeating the steps until no such profile exists; if no profile of the removed application exists, setting a timer and subsequently continuing to repeat the steps. The method can obtain information about malicious applications that run or attempt to run on a computer platform and remove them in a timely, accurate and complete manner.

Description

Method for operating platform data
Technical field
The present invention relates generally to the field of computer data security and, more specifically, to a method for operating computer platform data.
Background
With the rapid development of communication technology, terminals such as terminal machines, clients, smartphones and tablet computers have become increasingly widespread. These terminals have become platforms for loading applications, and their continued growth has made the market prosper. Applications on these platforms have greatly enriched people's cultural life, but while bringing convenience to people's lives they have also brought security problems. To achieve illegal ends, some criminals release malware on the network, actively implant applications into platforms, or launch attacks on platforms. These applications are repackaged, disguised as normal applications, and appear on the network or on platforms; or malicious authors attach attack code to several different legitimate applications, so that malicious code can not only be hidden in seemingly normal applications, but large numbers of malicious programs can also be produced and released automatically. Their illegal acts include stealing SMS messages and personal information, sending payment information, remote control, and so on. For example, the WooYun ("Black Cloud") platform once reported that a large number of applications on mobile platforms had been infected with a virus named XcodeGhost. This virus not only steals user information while the application runs, but can even simulate billing or account pop-up windows to steal users' passwords. In addition, more than 20 domestic applications loaded on platforms, including Gaode Map and Tonghuashun ("Straight Flush"), were all affected by this malicious application that "steals user information and snatches passwords". There have also been upgrade packages disguised as Google's mobile Chrome browser that trick users into downloading an upgrade; the software is attached to web pages whose appearance closely resembles Google's official pages.
The security problems and vulnerabilities of platforms involve communication systems, applications, privacy and device security; they may leak user information such as account passwords and seriously threaten users' personal and property safety. How to detect malware is therefore a particularly important problem.
In the prior art, platforms generally use relatively simple detection: the application's signature code is scanned in binary form to determine whether it is malware. However, because applications usually encrypt sensitive fields, this existing detection approach often cannot detect accurately and easily fails. Platforms also match known malicious code by static scanning, and execute the application to judge whether there is potentially malicious behavior. The problem is that static scanning cannot detect unknown malicious behavior. An application on the platform can recognize environmental features and thereby hide its malicious behavior during dynamic execution. And analysis generally has difficulty covering all of the application's execution paths.
Besides platform security strategies that start from the defensive side, there are also platform security strategies that start from the offensive side. But such means are sometimes not well targeted and, in terms of efficiency, may not protect the platform effectively. Moreover, as malicious applications diversify, the way they lie latent becomes more and more hidden and their eavesdropping means become increasingly hard to anticipate, which makes offensive strategies ever more difficult.
A security protection method directed at the platform is therefore urgently needed.
Summary of the invention
An object of the present invention is to provide a method for operating computer platform data which, approaching from the offensive side, improves computing capability, and can obtain information about malicious applications that run or attempt to run on a computer platform and remove them in a timely, accurate and complete manner, thereby protecting the security of the system. It can additionally further enhance the accuracy and completeness of security analysis, reduce judgment steps, reduce the occupation and power consumption of platform processing resources, and enhance the security and integrity of data.
The technical solution adopted by the present invention to solve the above technical problem is a method for operating platform data comprising: in step S1, acquiring features while an application runs on the platform; in step S2, the platform analyzing the profile type and interacting with a remote device to determine consistency; in step S3, for a target application that does not satisfy consistency, the platform performing a preliminary screening of the suspicious target application by local comparison; in step S4, for a target application that does not pass the preliminary screening, the platform performing a behavior evaluation of the application; in step S5, after a malicious application is determined, removing it locally and recording it with the remote device; in step S6, verifying and repairing damaged platform data; in step S7, running the repaired platform data and checking whether any profile of the removed application remains; in step S8, if a profile of the removed application remains, repeating steps S5 to S7 until no profile of the removed application exists; if no profile of the removed application exists, setting a timer and subsequently continuing to repeat steps S1 to S7.
According to another aspect of the present invention, in step S1, acquiring features while an application runs on the platform comprises: during application startup on the platform, starting a monitoring process upon loading into memory, collecting the application's startup items, running environment, loader information, call information for low-level interfaces, handles, and the profiles the application produces during the same period, and recording their path, document name, type and time; wherein the startup items include the offset address and length information of the checksum and other structures; the loader information includes context-related information and coupling-parameter configuration information; the profiles include information in main memory as well as information in auxiliary storage, and include temporary files and files whose execution ends or which are deleted at the end of the run and for a period of time after the run ends.
According to another aspect of the present invention, in step S2, the platform analyzing the profile type and interacting with the remote device to determine consistency comprises: based on the collected profile information, a suspicious target application is first decompressed and its file names and types are then screened; the suspicious target application includes applications related to legitimate applications already installed on the platform; for profiles whose file name or extension is similar to that of a legitimate application, the suspicious information is sent to the remote device over a wired or wireless link; the remote device stores history profiles of suspicious information of different types and different categories, the different types including confirmed malicious applications, malicious applications to be determined, and legitimate applications, where the malicious applications to be determined include applications gathered from the various platforms that pose a potential threat but cannot be determined; the different categories include different extensions; wherein the remote device first identifies and authenticates the user information, which includes ID, IP, timestamp and the suspicious application's profile information; if identification and authentication succeed, determination by query is permitted, and if they fail, a rejection response is returned; determining consistency through interaction with the remote device comprises: traversing the history profiles of the different categories and checking one by one the consistency between the suspicious application's profile information and the history profiles; if they match, the corresponding type is looked up and output, and if they do not match, the result is output directly.
According to another aspect of the present invention, in step S3, for a target application that does not satisfy consistency, the platform performing a preliminary screening of the suspicious target application by local comparison comprises: decompiling the suspicious application information to generate a first object, analyzing the calls of the first object and vectorizing them to obtain vectors, analyzing the vector whose squared difference from each element value of the reference point is smallest, and on that basis analyzing the degree of similarity between the suspicious application and a legitimate application; if the quantized value of the degree of similarity is greater than or equal to a first threshold, proceeding to the next step; if the quantized value of the degree of similarity is less than the first threshold, determining that the suspicious application is a non-malicious application.
According to another aspect of the present invention, in step S4, for a target application that does not pass the preliminary screening, the platform performing a behavior evaluation of the application comprises: generating the data flow and control flow of the suspicious application, determining its information flow direction, and analyzing whether the suspicious application interacts with the user, whether it has bidirectional or unidirectional signal flow or control with the RF transceiver device, and whether it creates a new folder path to store what it generates and the generated files; assigning a value for each of these conditions, computing a weighted sum of the values according to preset weights to obtain a behavior evaluation parameter, and comparing it with a second threshold; if it is greater than or equal to the second threshold, the suspicious application is determined to be indeed a malicious application; if it is less than the second threshold, the suspicious application is determined to be a non-malicious application.
According to another aspect of the present invention, in step S5, after a malicious application is determined, removing it locally and recording it with the remote device comprises: querying the process list; the enable instruction generated after the determination automatically terminates the process; the malicious application's profiles and folder locations, related generated files and compressed packages are retrieved and deleted, and after a preset time value it is checked whether they have been regenerated or updated; if so, this step is performed again until they no longer exist; and all information about the malicious application is transmitted to the remote device for the record, wherein the remote device again verifies the request and the identity of the user terminal and, if the verification passes, receives the transmitted information and classifies and stores it.
According to another aspect of the present invention, in step S6, verifying and repairing damaged platform data, and in step S7, running the repaired platform data and checking whether any profile of the removed application remains, comprise: if the former malicious application has replaced, damaged or overwritten the data of a legitimate application on the platform, the legitimate application's configuration file is looked up, the data files are restored by linking to the address, the legitimate application's thread is started, and the data is verified; if verification passes, the next step is entered; if not, this step is repeated until verification passes.
According to another aspect of the present invention, in step S6, verifying and repairing damaged platform data, and in step S7, running the repaired platform data and checking whether any profile of the removed application remains, comprise: recovering and repairing data through redundancy, wherein the redundancy is generated as follows: the storage device is divided into multiple blocks, which are allocated by function as a storage area, a redundancy area and a mapping area; after storage finishes, the redundancy generator inside the storage device performs a redundancy operation on the data, and correspondingly a table mapping the stored data to the redundant data is formed in the mapping area; a CRC is added in a region adjacent to the storage area, and the key channel of the storage medium is closed.
According to another aspect of the present invention, between steps S6 and S7, after the data files are restored, the following operations are also performed: padding the data, appending the length, defining constants, determining functions, and calculating a verification code; and in step S2, the platform's analysis of the profile further comprises: obtaining the synchronously and asynchronously updated file information of the suspicious application, determining where its files are newly created and stored, extracting the configuration parameters retained therein, and analyzing its information flow to extract the complete information of the suspicious application.
According to another aspect of the present invention, in step S4, after the behavior evaluation, in order to further confirm that the suspicious application is a malicious application, the following operation is also applied to the suspicious application: a legitimate application is opened and its process is terminated after a defined period; application information about accesses to the legitimate application during this defined period is observed, and the accessing application's communication information and its signal flow with the RF module are obtained; if such an access exists, the accessing application is determined to be a malicious application; the more same-period files the malicious application generates, the stronger its maliciousness, and this information is recorded with the remote device in a subsequent step.
Brief description of the drawings
Embodiments of the invention are shown in the accompanying drawings by way of example and not by way of limitation, in which like reference numerals denote like elements, and in which:
Fig. 1 is a flowchart of a method for operating platform data according to an exemplary embodiment of the invention.
Detailed description of the embodiments
In the following description, reference is made to the accompanying drawings, which show several specific embodiments by way of illustration. It should be understood that other embodiments may be contemplated and made without departing from the scope or spirit of the present disclosure. The following detailed description is therefore not to be taken in a limiting sense.
Fig. 1 is a flowchart of a method for operating platform data according to an exemplary embodiment of the invention.
In step S1, features are acquired while an application runs on the platform;
In step S2, the platform analyzes the profile type and interacts with a remote device to determine consistency;
In step S3, for a target application that does not satisfy consistency, the platform performs a preliminary screening of the suspicious target application by local comparison;
In step S4, for a target application that does not pass the preliminary screening, the platform performs a behavior evaluation of the application;
In step S5, after a malicious application is determined, it is removed locally and recorded with the remote device;
In step S6, damaged platform data is verified and repaired;
In step S7, the repaired platform data is run, and it is checked whether any profile of the removed application remains;
In step S8, if a profile of the removed application remains, steps S5 to S7 are repeated until no profile of the removed application exists; if no profile of the removed application exists, a timer is set and steps S1 to S7 are subsequently repeated.
Specifically, in step S1, acquiring features while an application runs on the platform comprises: during application startup on the platform, starting a monitoring process upon loading into memory, collecting the application's startup items, running environment, loader information, call information for low-level interfaces, handles, and the profiles the application produces during the same period, and recording their path, document name, type and time; wherein the startup items include the offset address and length information of the checksum and other structures; the loader information includes context-related information and coupling-parameter configuration information; the profiles include information in main memory as well as information in auxiliary storage, and additionally include temporary files and files whose execution ends or which are deleted at the end of the run and for a period of time after the run ends. With the operations and settings of this step, application features can be acquired comprehensively, accurately, promptly and in a targeted way, preparing for subsequent operations to be carried out accurately and safely.
Specifically, in step S2, the platform analyzing the profile type and interacting with the remote device to determine consistency comprises: based on the collected profile information, a suspicious target application is first decompressed and its file names and types are then screened. The suspicious target application includes applications related to legitimate applications already installed on the platform. For profiles whose file name or extension is similar to that of a legitimate application, the suspicious information is sent to the remote device over a wired or wireless link; the remote device stores history profiles of suspicious information of different types and different categories, the different types including confirmed malicious applications, malicious applications to be determined, and legitimate applications, where the malicious applications to be determined include applications gathered from the various platforms that pose a potential threat but cannot be determined; the different categories include different extensions. The remote device first identifies and authenticates the user information, which includes ID, IP, timestamp and the suspicious application's profile information; if identification and authentication succeed, determination by query is permitted, and if they fail, a rejection response is returned. Determining consistency through interaction with the remote device comprises: traversing the history profiles of the different categories and checking one by one the consistency between the suspicious application's profile information and the history profiles; if they match, the corresponding type is looked up and output, and if they do not match, the result is output directly.
Specifically, in step S3, for a target application that does not satisfy consistency, the platform performing a preliminary screening of the suspicious target application by local comparison comprises: decompiling the suspicious application information to generate a first object, analyzing the calls of the first object and vectorizing them to obtain vectors, analyzing the vector whose squared difference from the reference point is smallest, and on that basis analyzing the degree of similarity between the suspicious application and a legitimate application; if the quantized value of the degree of similarity is greater than or equal to a first threshold, proceeding to the next step; if the quantized value of the degree of similarity is less than the first threshold, determining that the suspicious application is a non-malicious application.
Specifically, in step S4, for a target application that does not pass the preliminary screening, the platform performing a behavior evaluation of the application comprises: generating the data flow and control flow of the suspicious application, determining its information flow direction, and analyzing whether the suspicious application interacts with the user, whether it has bidirectional or unidirectional signal flow or control with the RF transceiver device, and whether it creates a new folder path to store what it generates and the generated files; assigning a value for each of these conditions, computing a weighted sum according to preset weights to obtain a behavior evaluation parameter, and comparing it with a second threshold; if it is greater than or equal to the second threshold, the suspicious application is determined to be indeed a malicious application; if it is less than the second threshold, the suspicious application is determined to be a non-malicious application.
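Added illustration (not part of the patent text) of the two-stage decision described for steps S3 and S4, here and in the summary above: the nearest legitimate reference by minimum squared difference, a first threshold on similarity, then a weighted behavior score against a second threshold. The feature names, the similarity mapping, the value assignments, the weights and both thresholds are constructed assumptions; the patent gives none of them.

```python
# Added illustration of steps S3 and S4. All feature names, weights, thresholds
# and sample data are constructed assumptions, not values from the patent.
from dataclasses import dataclass

CALL_FEATURES = ("net_send", "sms_send", "file_write", "contacts_read", "ui_draw")
FIRST_THRESHOLD = 0.9    # S3: similarity at or above this keeps the app suspicious
SECOND_THRESHOLD = 0.6   # S4: behavior score at or above this means malicious

# S4 value assignment per observed condition (assumed 0..1 scale) and preset weights.
RF_VALUE = {"none": 0.0, "unidirectional": 0.5, "bidirectional": 1.0}
WEIGHTS = {"user": 0.2, "rf": 0.5, "folder": 0.3}


@dataclass
class Behaviour:
    interacts_with_user: bool
    rf_flow: str              # "none", "unidirectional" or "bidirectional"
    creates_new_folder: bool  # new folder path used to store generated files


def vectorize(call_counts):
    """Turn per-call counts from the decompiled object into a normalised vector."""
    total = sum(call_counts.get(f, 0) for f in CALL_FEATURES) or 1
    return [call_counts.get(f, 0) / total for f in CALL_FEATURES]


def squared_difference(a, b):
    """Sum of squared element-wise differences between two vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def nearest_reference(vec, references):
    """Return (name, similarity) for the reference with minimum squared difference."""
    name = min(references, key=lambda n: squared_difference(vec, references[n]))
    # Quantise closeness into (0, 1]; this mapping is an assumption.
    return name, 1.0 / (1.0 + squared_difference(vec, references[name]))


def behaviour_score(b):
    """Weighted sum of the assigned values (the behavior evaluation parameter)."""
    values = {
        "user": 0.0 if b.interacts_with_user else 1.0,  # assumed: silent apps score higher
        "rf": RF_VALUE[b.rf_flow],
        "folder": 1.0 if b.creates_new_folder else 0.0,
    }
    return sum(WEIGHTS[k] * values[k] for k in WEIGHTS)


def triage(call_counts, behaviour, references):
    """S3 then S4: exit early as non-malicious when similarity is below threshold."""
    name, similarity = nearest_reference(vectorize(call_counts), references)
    if similarity < FIRST_THRESHOLD:
        return {"stage": "S3", "verdict": "non-malicious", "nearest": name}
    score = behaviour_score(behaviour)
    verdict = "malicious" if score >= SECOND_THRESHOLD else "non-malicious"
    return {"stage": "S4", "verdict": verdict, "nearest": name, "score": round(score, 3)}


# Constructed reference vectors for two legitimate applications.
REFERENCES = {
    "maps": vectorize({"net_send": 20, "file_write": 10, "ui_draw": 70}),
    "notes": vectorize({"file_write": 60, "ui_draw": 40}),
}
# Constructed samples: a repackaged look-alike, a benign look-alike, an unrelated app.
REPACKAGED = ({"net_send": 25, "sms_send": 5, "file_write": 10,
               "contacts_read": 5, "ui_draw": 55},
              Behaviour(False, "bidirectional", True))
LOOKALIKE = ({"net_send": 22, "file_write": 10, "ui_draw": 68},
             Behaviour(True, "none", True))
UNRELATED = ({"file_write": 90, "ui_draw": 10},
             Behaviour(True, "none", False))

if __name__ == "__main__":
    for label, sample in (("repackaged", REPACKAGED), ("lookalike", LOOKALIKE),
                          ("unrelated", UNRELATED)):
        print(label, triage(*sample, REFERENCES))
```

Note the direction of the first threshold: an application that closely resembles a legitimate one stays suspicious and moves on to S4, while a dissimilar one is cleared at S3.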
Specifically, in step S5, after a malicious application is determined, removing it locally and recording it with the remote device comprises: querying the process list; the enable instruction generated after the determination automatically terminates the process; the malicious application's profiles and folder locations, related generated files and compressed packages are retrieved and deleted, and after a preset time value it is checked whether they have been regenerated or updated; if so, this step is performed again until they no longer exist. All information about the malicious application is also transmitted to the remote device for the record, wherein the remote device again verifies the request and the identity of the user terminal and, if the verification passes, receives the transmitted information and classifies and stores it.
Specifically, in step S6, verifying and repairing damaged platform data, and in step S7, running the repaired platform data and checking whether any profile of the removed application remains, comprise: if the former malicious application has replaced, damaged or overwritten the data of a legitimate application on the platform, the legitimate application's configuration file is looked up, the data files are restored by linking to the address, the legitimate application's thread is started, and the data is verified; if verification passes, the next step is entered; if not, this step is repeated until verification passes.
Alternatively, in step S6, verifying and repairing damaged platform data, and in step S7, running the repaired platform data and checking whether any profile of the removed application remains, comprise: recovering and repairing data through redundancy, wherein the redundancy is generated as follows: the storage device is divided into multiple blocks, which are allocated by function as a storage area, a redundancy area and a mapping area; after storage finishes, the redundancy generator inside the storage device performs a redundancy operation on the data, and correspondingly a table mapping the stored data to the redundant data is formed in the mapping area. A CRC is added in a region adjacent to the storage area, and the key channel of the storage medium is closed.
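Added illustration (not part of the patent text) of the redundancy-based repair described above: a store with a storage area, a redundancy area and a mapping area, where a per-block CRC detects damage and the mapped redundant copy restores it. The block size, the use of simple mirroring as the "redundancy operation", CRC-32 as the CRC, and all names are assumptions.

```python
# Added illustration of the redundancy/CRC repair in step S6. Mirroring, CRC-32,
# the block size and all names are assumptions; the patent does not specify them.
import zlib

BLOCK_SIZE = 16  # assumed block size in bytes


class RedundantStore:
    def __init__(self):
        self.storage = []    # storage area: live data blocks
        self.redundant = []  # redundancy area: output of the redundancy generator
        self.mapping = {}    # mapping area: storage index -> (redundant index, CRC)

    def write(self, data):
        """Store data in blocks, then generate redundancy and mapping entries."""
        first = len(self.storage)
        for off in range(0, len(data), BLOCK_SIZE):
            self.storage.append(bytearray(data[off:off + BLOCK_SIZE]))
        indices = list(range(first, len(self.storage)))
        # "After storage finishes": run the redundancy generator over the new blocks.
        for idx in indices:
            block = bytes(self.storage[idx])
            self.redundant.append(block)
            self.mapping[idx] = (len(self.redundant) - 1, zlib.crc32(block))
        return indices

    def verify(self, idx):
        """True when the stored block still matches the CRC recorded for it."""
        return zlib.crc32(bytes(self.storage[idx])) == self.mapping[idx][1]

    def repair(self, indices):
        """Restore damaged blocks from their redundant copies; return repaired indices."""
        repaired = []
        for idx in indices:
            if self.verify(idx):
                continue
            r_idx, crc = self.mapping[idx]
            copy = self.redundant[r_idx]
            if zlib.crc32(copy) != crc:
                # Failure mode: the redundant copy is damaged too, nothing to restore from.
                raise ValueError("block %d: redundant copy also fails CRC" % idx)
            self.storage[idx] = bytearray(copy)
            repaired.append(idx)
        return repaired

    def read(self, indices):
        return b"".join(bytes(self.storage[i]) for i in indices)


def demo():
    """Overwrite one block of constructed sample data, then verify and repair it."""
    store = RedundantStore()
    original = b"legit-app config: theme=dark; sync=on;"  # constructed sample data
    indices = store.write(original)
    store.storage[1][:4] = b"EVIL"          # simulated overwrite by a removed application
    damaged = [i for i in indices if not store.verify(i)]
    repaired = store.repair(indices)
    return damaged, repaired, store.read(indices) == original


if __name__ == "__main__":
    print(demo())
```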
Preferably, between steps S6 and S7, after the data files are restored, the following operations are also performed: padding the data, appending the length, defining constants, determining functions, and calculating a verification code. This operation can further enhance the security and integrity of the data.
Preferably, in step S2, the platform's analysis of the profile further comprises: obtaining the synchronously and asynchronously updated file information of the suspicious application, determining where its files are newly created and stored, extracting the configuration parameters retained therein, and analyzing its information flow to extract the complete information of the suspicious application. This operation can further enhance the accuracy and completeness of security analysis, reduce judgment steps, and reduce the occupation and power consumption of platform processing resources.
Preferably, in step S4, after the behavior evaluation, in order to further confirm that the suspicious application is a malicious application, the following operation may also be applied to the suspicious application: a legitimate application is opened and its process is terminated after a defined period; application information about accesses to the legitimate application during this defined period is observed, and the accessing application's communication information and its signal flow with the RF module are obtained; if such an access exists, the accessing application is determined to be a malicious application; the more same-period files the malicious application generates, the stronger its maliciousness, and this information is recorded with the remote device in a subsequent step.
In summary, in the technical solution of the present invention, by using a method for operating platform data, information about malicious applications that run or attempt to run on a computer platform can be obtained and the applications removed in a timely, accurate and complete manner, thereby protecting the security of the system; in addition, the accuracy and completeness of security analysis can be further enhanced, judgment steps reduced, the occupation and power consumption of platform processing resources reduced, and the security and integrity of data enhanced.
It should be understood that examples and embodiments of the invention may be realized in hardware, software, or a combination of hardware and software. As described above, any body of software performing this method may be stored in volatile or non-volatile storage, for example a storage device such as a ROM, whether erasable or rewritable or not, or in the form of memory such as RAM, memory chips, devices or integrated circuits, or on an optically or magnetically readable medium such as a CD, DVD, magnetic disk or magnetic tape. It should be understood that storage devices and storage media are examples of machine-readable storage suitable for storing one or more programs which, when executed, implement examples of the invention. Examples of the invention may be conveyed electronically via any medium, such as a communication signal carried over a wired or wireless connection, and the examples suitably encompass the same.
It should be noted that, because the invention solves the technical problem of removing information of malicious applications on a computer platform in a timely, accurate and complete manner, adopts technical means that a person skilled in the field of computer technology can understand from its teaching after reading this specification, and obtains the beneficial technical effects of protecting the security of the system, further enhancing the accuracy and completeness of security analysis, reducing judgment steps, reducing the occupation and power consumption of platform processing resources, and enhancing the security and integrity of data, the solution claimed in the appended claims is a technical solution within the meaning of patent law. In addition, because the technical solution claimed in the appended claims can be made or used in industry, the solution has practical applicability.
The above are merely preferred embodiments of the present invention, but the scope of protection of the invention is not limited thereto; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. Unless expressly stated otherwise, each feature disclosed is only one example of a generic series of equivalent or similar features. The scope of protection of the invention shall therefore be determined by the scope of protection of the claims.

Claims (10)

1. An operating method of platform data, comprising:
In step S1, acquiring features during the running of an application on the platform;
In step S2, the platform analyzes profile types and interacts with a remote device to determine consistency;
In step S3, for a target application that does not satisfy consistency, the platform performs a preliminary screening of the suspicious target application by local comparison;
In step S4, for a target application that does not pass the preliminary screening, the platform performs a behavior evaluation of the application;
In step S5, after a malicious application is determined, it is killed locally and recorded with the remote device;
In step S6, damaged platform data is verified and repaired;
In step S7, the repaired platform data is run, and it is checked whether any profile of the killed application exists;
In step S8, if a profile of the killed application exists, steps S5 to S7 are repeated until no profile of the killed application remains; if no profile of the killed application exists, a timer is set and steps S1 to S7 are subsequently repeated.
2. The operating method of platform data as claimed in claim 1, wherein in step S1, acquiring features during the running of an application on the platform includes: during the startup of an application on the platform, starting a monitoring process according to memory loading, collecting the application's startup items, running environment, loader information, information on calls to physical layer interfaces, handles, and the profiles produced by the application in the same period, and recording their paths, file names, types and times; wherein the startup items include the offset address and length information of the verification structure and other structures; the loader information includes context-related information and coupling parameter configuration information; the profiles include both information in main storage and information in auxiliary storage, and include temporary files and files whose execution ends or which are deleted at the end of the run or a period of time after the end of the run.
3. The operating method of platform data as claimed in claim 2, wherein in step S2, the platform analyzing profile types and interacting with a remote device to determine consistency includes: based on the collected profile information, a suspicious target application is first decompressed and its file names and types are then screened; suspicious target applications include applications related to legitimate applications already installed on the platform; for profiles whose file name and extension are similar to those of a legitimate application, the suspicious information is sent to the remote device over a wired or wireless link; the remote device stores history profiles of suspicious information of different types and different categories, the different types including: confirmed malicious applications, to-be-determined malicious applications and legitimate applications, where to-be-determined malicious applications include applications gathered from each platform that pose a potential threat but cannot yet be determined; the different categories include different extensions; wherein the remote device first identifies and authenticates the user information, which includes ID, IP, timestamp and suspicious application profile information; if identification and authentication pass, determination by query is allowed, and if they do not pass, a refusal response is sent back; the remote device interaction determining consistency includes: traversing the history profiles of the different categories and checking one by one the consistency of the suspicious application profile information with the history profiles; if there is a match, the corresponding type is looked up and then output; if there is no match, the result is output directly.
4. The operating method of platform data as claimed in claim 3, wherein in step S3, for a target application that does not satisfy consistency, the platform performing a preliminary screening of the suspicious target application by local comparison includes: decompiling the compiled suspicious application information to generate a first object, analyzing the calls of the first object and vectorizing them to obtain vectors, finding the vector with the minimum squared difference from each element value of a reference point, and on that basis analyzing the degree of similarity between the suspicious application and a legitimate application; if the quantized value of the degree of similarity is greater than or equal to a first threshold, proceeding to the next step; if the quantized value of the degree of similarity is less than the first threshold, determining that the suspicious application is a non-malicious application.
5. The operating method of platform data as claimed in claim 4, wherein in step S4, for a target application that does not pass the preliminary screening, the platform performing a behavior evaluation of the application includes: generating the data flow and control flow of the suspicious application and determining the direction of its information flow; analyzing whether the suspicious application interacts with the user, whether there is bidirectional or unidirectional signal flow or control with the radio-frequency transceiver device, and whether it creates a new folder path to save files being generated and already generated; assigning a value for each of these conditions, computing a weighted sum according to preset weight values to obtain a behavior evaluation parameter, and comparing it with a second threshold; if it is greater than or equal to the second threshold, determining that the suspicious application is indeed a malicious application; if it is less than the second threshold, determining that the suspicious application is a non-malicious application.
6. The operating method of platform data as claimed in claim 5, wherein in step S5, after a malicious application is determined, killing it locally and recording it with the remote device includes: querying the process list, the enable instruction generated after the determination automatically terminating the process; retrieving the profile and folder location of the malicious application, its related generated files and compressed packages, and deleting them; checking after a preset time value whether they have been regenerated or updated, and if so performing this step again until they no longer exist; and transmitting all information on the malicious application to the remote device for the record, wherein the remote device, after again checking the request and the identity of the user terminal and passing them, receives the transmitted information and stores it by classification.
7. The operating method of platform data as claimed in claim 6, wherein verifying and repairing damaged platform data in step S6 and, in step S7, running the repaired platform data and checking whether any profile of the killed application exists include: if the former malicious application has replaced, damaged or overwritten the data of a legitimate application on the platform, looking up the configuration file of the legitimate application, restoring the data files via the linked address, starting the thread of the legitimate application and verifying the data; if the verification passes, proceeding to the next step; if it does not, repeating this step until the verification passes.
8. The operating method of platform data as claimed in claim 7, wherein verifying and repairing damaged platform data in step S6 and, in step S7, running the repaired platform data and checking whether any profile of the killed application exists include: restoring and repairing data by means of redundancy, the redundancy being generated as follows: the storage device is divided into multiple blocks, which are assigned by function as a storage area, a redundancy area and a mapping area; after storage ends, the redundancy generator inside the storage device performs a redundancy operation on the data, and a correspondence table between the stored data and the redundant data is formed in the mapping area; a CRC is added in the region adjacent to the storage area, and the key channel of the storage medium is closed.
9. The operating method of platform data as claimed in claim 8, wherein in steps S6 and S7, after the data files are restored, the following operations are also performed: padding the data, appending the length, defining constants, determining functions and calculating a verification code; and in step S2, the platform analyzing profiles further comprises: obtaining the synchronous and asynchronous update file information of the suspicious application, determining its newly created paths and storage paths, extracting the configuration parameters retained therein, and analyzing its information flow to extract complete information on the suspicious application.
10. The operating method of platform data as claimed in claim 9, wherein in step S4, after the behavior evaluation, in order to further confirm that the suspicious application is a malicious application, the following operation may also be used: opening a legitimate application and then terminating its process after a defined period; observing and obtaining information on applications that access the legitimate application during the defined period, their communication information and their signal flow with the radio-frequency module; if such access exists, the accessing application is determined to be a malicious application; the more files the malicious application generates in the same period, the stronger its degree of maliciousness; and this information is recorded with the remote device in a subsequent step.
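
The two-stage decision in claims 4 and 5 (nearest reference vector by squared difference, then a weighted behavior score) can be sketched as follows. This is an added example, not code from the patent; the call vocabulary, the similarity mapping 1/(1+d), the assigned values, the weights and both thresholds are assumptions, and all sample data is constructed.

```python
"""Added illustration of claims 4 and 5. Vocabulary, weights, thresholds and
the similarity mapping are assumptions; the patent text does not specify them."""
from collections import Counter

VOCAB = ["open_file", "read_contacts", "send_sms", "http_post", "draw_ui"]
# Preset weights for the three conditions named in claim 5 (constructed values).
WEIGHTS = {"user_interaction": 0.2, "rf_signal_flow": 0.4, "new_folder_path": 0.4}

def vectorize(calls):
    """Map a decompiled call list to a normalized frequency vector over VOCAB."""
    counts = Counter(c for c in calls if c in VOCAB)
    total = sum(counts.values()) or 1
    return [counts[name] / total for name in VOCAB]

def nearest_reference(vec, references):
    """Return (name, ssd) of the reference with the smallest sum of squared differences."""
    def ssd(ref):
        return sum((a - b) ** 2 for a, b in zip(vec, ref))
    name = min(references, key=lambda n: ssd(references[n]))
    return name, ssd(references[name])

def behavior_score(assigned):
    """Weighted sum of the values assigned to each observed condition."""
    return sum(WEIGHTS[k] * assigned.get(k, 0) for k in WEIGHTS)

def screen(calls, assigned, references, first_threshold=0.9, second_threshold=0.6):
    """Run the S3 similarity screen, then the S4 behavior evaluation if needed."""
    name, ssd = nearest_reference(vectorize(calls), references)
    sim = 1.0 / (1.0 + ssd)  # assumed quantization: 1.0 means identical vectors
    result = {"nearest": name, "similarity": sim, "stage": "S3", "score": None}
    if sim < first_threshold:  # not a look-alike: claim 4 closes it as non-malicious
        return dict(result, verdict="non-malicious")
    score = behavior_score(assigned)
    verdict = "malicious" if score >= second_threshold else "non-malicious"
    return dict(result, stage="S4", score=score, verdict=verdict)

# Constructed sample data: two legitimate reference apps and one look-alike.
REFERENCES = {
    "bank_app": vectorize(["draw_ui", "draw_ui", "http_post", "open_file"]),
    "notes_app": vectorize(["open_file", "open_file", "draw_ui"]),
}
LOOKALIKE_CALLS = ["draw_ui", "draw_ui", "http_post", "open_file", "send_sms"]
# Assigned values (assumption): 1 = condition judged suspicious, 0 = not.
LOOKALIKE_BEHAVIOR = {"user_interaction": 0, "rf_signal_flow": 1, "new_folder_path": 1}

if __name__ == "__main__":
    print(screen(LOOKALIKE_CALLS, LOOKALIKE_BEHAVIOR, REFERENCES))
```

Because claim 4 ends the analysis for any sample below the first threshold, a sample that resembles no installed legitimate application leaves this pipeline at S3 as non-malicious; only look-alikes reach the behavior evaluation.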
CN201710342424.XA 2017-05-16 2017-05-16 Operation method of platform data Active CN107085685B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710342424.XA CN107085685B (en) 2017-05-16 2017-05-16 Operation method of platform data

Publications (2)

Publication Number Publication Date
CN107085685A true CN107085685A (en) 2017-08-22
CN107085685B CN107085685B (en) 2020-06-30

Family

ID=59608000

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710342424.XA Active CN107085685B (en) 2017-05-16 2017-05-16 Operation method of platform data

Country Status (1)

Country Link
CN (1) CN107085685B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101820449A (en) * 2010-04-20 2010-09-01 江苏电力调度通信中心 Cross-safety zone application service isolation platform
CN102664875A (en) * 2012-03-31 2012-09-12 华中科技大学 Malicious code type detection method based on cloud mode
CN102810138A (en) * 2012-06-19 2012-12-05 北京奇虎科技有限公司 Method and system for restoring files of clients
CN103281325A (en) * 2013-06-04 2013-09-04 北京奇虎科技有限公司 Method and device for processing file based on cloud security
CN104462968A (en) * 2014-12-16 2015-03-25 北京奇虎科技有限公司 Malicious application program scanning method, device and system
CN105631334A (en) * 2015-12-25 2016-06-01 北京奇虎科技有限公司 Application security detecting method and system

Also Published As

Publication number Publication date
CN107085685B (en) 2020-06-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Wang Dalin
Inventor after: Liu Ying
Inventor before: Liu Ying
TA01 Transfer of patent application right
Effective date of registration: 20200522
Address after: 010000 1st floor, building 3, University Science Park, Genghis Khan East Street, new urban area, Hohhot City, Inner Mongolia Autonomous Region
Applicant after: Huaxun High Tech Co., Ltd
Address before: 610000 Sichuan city of Chengdu province high tech Zone Kyrgyzstan Road No. 666 Building 2 floor 13 No. 2
Applicant before: CHENGDU HUIZHI YUANJING TECHNOLOGY Co.,Ltd.
GR01 Patent grant