Background technology
With the rapid development of communication technology, terminals such as personal computers, client devices, smartphones and tablet computers have become increasingly popular. These terminals serve as platforms for loading applications, and the continuously growing number of applications on these platforms has promoted market prosperity. While the applications on a platform greatly enrich people's cultural life and bring convenience to daily life, they also bring security problems. To achieve illegal goals, some criminals release malware on the network, actively implant it into platforms, or launch attacks against platforms. Such applications are repackaged and disguised as normal applications on the network or on a platform, or the malware author attaches attack code to several different legitimate applications; in this way malicious code can not only be hidden inside seemingly normal applications, but large numbers of rogue programs can also be produced and released automatically. Their illegal acts include stealing short messages and personal information, sending payment information, remote control, and so on. For example, the security platform Black Clouds once reported that a large number of applications on a mobile platform had been infected with a virus named XcodeGhost. This virus could not only steal user information while the application was running, but could also simulate charging or account pop-ups to steal the user's password. In addition, more than 20 domestic applications loaded on the platform, such as Gaode Map and Straight Flush, were all affected by this malicious application that "steals user information and grabs passwords". There was also an upgrade package that tricked users into downloading it by disguising itself as Google's Chrome browser for mobile terminals; the software was attached to web pages whose appearance closely resembled Google's official page.
The security problems and vulnerabilities of a platform involve the communication system, applications, privacy and device security. They may lead to leakage of user information such as account passwords and seriously threaten the personal and property safety of users. How to detect malware is therefore a particularly important problem.
In the prior art, a platform typically uses a relatively simple detection mode: it scans the binary of an application for signatures (feature codes) to determine whether it is malware. However, sensitive fields in an application are usually encrypted, so this existing detection mode often cannot detect accurately and fails easily. A platform also matches known malicious code by static scanning, and executes the application to judge whether it has potentially malicious behaviour. The problem is that static scanning cannot detect unknown malicious behaviour; an application on the platform can recognise features of its environment and hide its malicious behaviour during dynamic execution; and analysis generally cannot cover all execution paths of the application.
Besides platform security strategies that start from the defensive angle, there are also platform security strategies that start from the offensive angle. However, such means are sometimes not well targeted, and from the point of view of efficiency they may not achieve effective protection of the platform. In addition, as malicious applications evolve, their hiding techniques become more and more concealed and their eavesdropping techniques increasingly difficult to anticipate, which brings growing difficulty to offensive strategies.
Therefore there is an urgent need for a security protection method directed at platforms.
The content of the invention
An object of the present invention is to provide an operating method for computer platform data which, by raising computing power from the offensive angle, can obtain information about malicious applications that run or attempt to run on a computer platform and kill them in a timely, accurate and complete manner, thereby protecting the security of the system. It can additionally further enhance the accuracy and completeness of security analysis, reduce judgement steps, reduce the occupancy of and power consumption by platform processing resources, and enhance the security and integrity of data.
The technical scheme adopted by the present invention to solve the above technical problem is an operating method for platform data comprising: in step S1, features are obtained during the running of an application on the platform; in step S2, the platform analyses the profile type and interacts with a remote device to determine consistency; in step S3, for a target application that does not meet consistency, the platform performs a preliminary screening of the suspicious target application by local comparison; in step S4, for a target application that does not pass the preliminary screening, the platform performs a behaviour evaluation of the application; in step S5, after a malicious application is determined, it is killed locally and recorded with the remote device; in step S6, damaged platform data is verified and repaired; in step S7, the repaired platform data is run and it is checked whether any profile of the killed application exists; in step S8, if a profile of the killed application exists, steps S5 to S7 are repeated until no profile of the killed application exists; if no profile of the killed application exists, a timer is set and steps S1 to S7 are subsequently repeated.
According to another aspect of the present invention, in step S1, obtaining features during the running of the application on the platform includes: during the application start-up process on the platform, starting a monitoring process according to memory loading, and collecting the application's start-up items, running environment, loader information, call information to the underlying interface, handles, and the profiles produced by the application in the same period, and recording their path and file name, type and time. The start-up items include the offset address and length information of the checksum and other structures; the loader information includes context-related information and coupling parameter configuration information; the profiles include both information in main storage and information in auxiliary storage, and also include temporary files as well as files that are executed or deleted at the end of running and for a period of time after the end of running.
According to another aspect of the present invention, in step S2, the platform analysing the profile type and interacting with the remote device to determine consistency includes: according to the collected profile information, for a suspicious target application, first decompressing it and then examining the file name and type; the suspicious target application includes applications related to legitimate applications installed on the platform; for profiles whose file name and extension resemble those of a legitimate application, the suspicious information is sent to the remote device over a wired or wireless link. The remote device stores historical profiles of suspicious information of different types and different categories. The different types include: determined malicious applications, malicious applications to be determined, and legitimate applications, where the malicious applications to be determined include applications gathered from each platform that pose a potential threat and cannot be determined. The different categories include different extensions. The remote device first identifies and authenticates the user information, which includes the ID, IP, timestamp and suspicious application profile information; if identification and authentication pass, determination by query is allowed, and if identification and authentication cannot pass, a refusal response is sent back. The remote device's interactive determination of consistency includes: traversing the historical profiles of the different categories, verifying one by one the consistency of the suspicious application profile information with the historical profiles, outputting the corresponding type if the lookup matches, and directly outputting the result if it does not match.
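The exchange between the platform and the remote device described for step S2, as an added example that is not the patent's own code. It assumes that the platform pre-selects profiles whose file name and extension resemble an installed legitimate application using a difflib similarity ratio, that the remote device authenticates by a registered-ID list plus a timestamp freshness window, that history profiles are keyed by category (extension) and matched on file name and SHA-256 digest, and that all records and identifiers are constructed.

```python
"""Step S2 exchange between the platform (client) and the remote device (server)."""
import difflib
import hashlib

MALICIOUS = "determined malicious application"
UNDETERMINED = "malicious application to be determined"
LEGITIMATE = "legitimate application"

def resembles_legitimate(name, ext, installed, ratio=0.8):
    """Platform side: keep only profiles whose name/extension resemble an installed app
    (assumption: same extension and a SequenceMatcher ratio of at least 0.8)."""
    return any(ext == legit_ext and
               difflib.SequenceMatcher(None, name, legit_name).ratio() >= ratio
               for legit_name, legit_ext in installed)

def build_request(user_id, ip, timestamp, name, ext, content):
    """Platform side: user information (ID, IP, timestamp) plus the profile information."""
    return {"id": user_id, "ip": ip, "timestamp": timestamp,
            "profile": {"name": name, "ext": ext,
                        "sha256": hashlib.sha256(content).hexdigest()}}

class RemoteDevice:
    def __init__(self, registered_ids, history, freshness_s=300):
        self.registered_ids = set(registered_ids)
        self.history = history            # {category (extension): [(name, sha256, type), ...]}
        self.freshness_s = freshness_s    # assumed freshness window for the timestamp

    def authenticate(self, req, now):
        """Identify and authenticate the user information before any query is allowed."""
        return (req["id"] in self.registered_ids
                and abs(now - req["timestamp"]) <= self.freshness_s)

    def handle(self, req, now):
        if not self.authenticate(req, now):
            return {"status": "refused"}
        prof = req["profile"]
        # Traverse the history profiles category by category and compare one by one.
        for category, records in self.history.items():
            if category != prof["ext"]:
                continue
            for name, digest, kind in records:
                if name == prof["name"] and digest == prof["sha256"]:
                    return {"status": "match", "type": kind}
        return {"status": "no match"}

def platform_step_s2(remote, req, now):
    """Platform side: turn the remote device's answer into the next action."""
    resp = remote.handle(req, now)
    if resp["status"] == "refused":
        return "refused: identification or authentication failed"
    if resp["status"] == "match":
        return "consistent: " + resp["type"]
    return "inconsistent: continue with step S3"

# Constructed sample data: installed legitimate apps, one registered platform, history records.
INSTALLED = [("maps.apk", ".apk"), ("bank.apk", ".apk")]
NOW = 1_700_000_000
KNOWN_BAD = b"repackaged maps payload"
REMOTE = RemoteDevice(
    registered_ids=["platform-0001"],
    history={".apk": [("maps2.apk", hashlib.sha256(KNOWN_BAD).hexdigest(), MALICIOUS),
                      ("bank.apk", hashlib.sha256(b"genuine bank build").hexdigest(), LEGITIMATE)],
             ".zip": [("update.zip", hashlib.sha256(b"unknown update").hexdigest(), UNDETERMINED)]})

def run_case(user_id, name, ext, content, timestamp=NOW):
    """One suspicious profile through the platform-side filter and the remote query."""
    if not resembles_legitimate(name, ext, INSTALLED):
        return "not sent: no resemblance to an installed legitimate application"
    req = build_request(user_id, "10.0.0.2", timestamp, name, ext, content)
    return platform_step_s2(REMOTE, req, NOW)

if __name__ == "__main__":
    print(run_case("platform-0001", "maps2.apk", ".apk", KNOWN_BAD))
    print(run_case("platform-0001", "maps2.apk", ".apk", b"different build"))
    print(run_case("platform-0001", "weather.apk", ".apk", b"x"))
    print(run_case("intruder", "maps2.apk", ".apk", KNOWN_BAD))
```

Only a profile that passes the platform-side resemblance filter is sent; the remote device refuses the query outright when the ID is unregistered or the timestamp is stale, and a profile that matches no history record is reported as inconsistent so that step S3 takes over.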
According to another aspect of the present invention, in step S3, for a target application that does not meet consistency, the platform performing the preliminary screening of the suspicious target application by local comparison includes: decompiling the suspicious application information to generate a first object, analysing the calls of the first object and performing vector quantization to obtain a vector, finding the vector whose sum of squared differences from the element values of the reference point is smallest, and analysing accordingly the degree of approximation between the suspicious application and the legitimate application; if the quantized value of the degree of approximation is greater than or equal to a first threshold, proceeding to the next step; if the quantized value of the degree of approximation is less than the first threshold, determining that the suspicious application is a non-malicious application.
According to another aspect of the present invention, in step S4, for a target application that does not pass the preliminary screening, the platform performing the behaviour evaluation of the application includes: generating the data flow and control flow of the suspicious application, determining its information flow direction, and analysing whether the suspicious application interacts with the user, whether it has a bidirectional or unidirectional signal flow or control with the RF transceiver device, and whether it creates a new folder path to save generated and produced files; assigning a value according to each of these conditions, weighting and summing the values according to preset weights to obtain a behaviour evaluation parameter, and comparing it with a second threshold; if it is greater than or equal to the second threshold, determining that the suspicious application is indeed a malicious application; if it is less than the second threshold, determining that the suspicious application is a non-malicious application.
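Steps S3 and S4 carried through on constructed input, as an added example that is not the patent's own code. The call vocabulary, the reference vectors of the installed legitimate applications, the mapping 1 / (1 + d) from the smallest sum of squared differences d to a degree of approximation, the per-condition values, the weights and both thresholds are all assumptions made for the illustration.

```python
"""Step S3 (preliminary screening by local comparison) followed by step S4 (behaviour evaluation)."""
from collections import Counter
from dataclasses import dataclass

# Constructed vocabulary: one vector element per call name seen in the decompiled "first object"
# (assumption: the quantized vector is the per-name call count).
VOCAB = ["show_dialog", "http_post", "write_file", "mkdir",
         "read_contacts", "send_sms", "rf_tx", "rf_rx"]

def vectorize(calls):
    """Vector quantization of the call list: count each vocabulary call name."""
    counts = Counter(calls)
    return [counts.get(name, 0) for name in VOCAB]

def squared_difference(v, ref):
    """Sum of squared differences between a vector and a reference point, element by element."""
    return sum((a - b) ** 2 for a, b in zip(v, ref))

def degree_of_approximation(v, references):
    """Pick the legitimate reference with the smallest squared difference d and map it to a
    degree of approximation in (0, 1] (assumption: 1 / (1 + d))."""
    name, d = min(((n, squared_difference(v, r)) for n, r in references.items()),
                  key=lambda item: item[1])
    return name, 1.0 / (1.0 + d)

FIRST_THRESHOLD = 0.2   # constructed; a degree at or above it means the app goes on to S4

def preliminary_screening(calls, references):
    """S3. Returns (continue_to_s4, closest_legitimate_app, degree_of_approximation)."""
    name, approx = degree_of_approximation(vectorize(calls), references)
    return approx >= FIRST_THRESHOLD, name, approx

@dataclass
class Behaviour:
    """Observations taken from the data flow and control flow of the suspicious application."""
    interacts_with_user: bool
    rf_flow: str               # "none", "unidirectional" or "bidirectional"
    creates_new_folder: bool
    saves_generated_files: bool

# Constructed weights for the conditions named in step S4 and the second threshold.
WEIGHTS = {"no_user_interaction": 3.0, "rf_flow": 4.0, "new_folder": 1.0, "generated_files": 2.0}
SECOND_THRESHOLD = 5.0

def condition_values(b):
    """Assign a value to each condition (0 = absent, 1 = present; RF flow is graded)."""
    return {"no_user_interaction": 0.0 if b.interacts_with_user else 1.0,
            "rf_flow": {"none": 0.0, "unidirectional": 0.5, "bidirectional": 1.0}[b.rf_flow],
            "new_folder": 1.0 if b.creates_new_folder else 0.0,
            "generated_files": 1.0 if b.saves_generated_files else 0.0}

def behaviour_evaluation(b):
    """S4. Weighted sum of the condition values compared with the second threshold."""
    score = sum(WEIGHTS[k] * v for k, v in condition_values(b).items())
    return score >= SECOND_THRESHOLD, score

def classify(calls, behaviour, references):
    """Run S3 and, only for applications that do not pass it, S4."""
    go_on, _, _ = preliminary_screening(calls, references)
    if not go_on:
        return "non-malicious (cleared in S3)"
    malicious, _ = behaviour_evaluation(behaviour)
    return "malicious" if malicious else "non-malicious (cleared in S4)"

# Constructed sample data: two installed legitimate applications and two suspicious ones.
REFERENCES = {
    "legit_map": vectorize(["show_dialog"] * 3 + ["http_post"] * 2 + ["write_file"]),
    "legit_bank": vectorize(["show_dialog"] * 4 + ["http_post"] * 3),
}
# A repackaged copy of the map application with contact-reading and SMS calls added.
REPACKAGED_CALLS = (["show_dialog"] * 3 + ["http_post"] * 2 + ["write_file"]
                    + ["read_contacts", "send_sms"])
REPACKAGED_BEHAVIOUR = Behaviour(interacts_with_user=True, rf_flow="bidirectional",
                                 creates_new_folder=True, saves_generated_files=True)
# An unrelated radio utility that resembles no installed legitimate application.
UNRELATED_CALLS = ["rf_tx", "rf_rx", "rf_tx"]
UNRELATED_BEHAVIOUR = Behaviour(True, "unidirectional", False, False)

if __name__ == "__main__":
    print(classify(REPACKAGED_CALLS, REPACKAGED_BEHAVIOUR, REFERENCES))   # malicious
    print(classify(UNRELATED_CALLS, UNRELATED_BEHAVIOUR, REFERENCES))     # non-malicious (cleared in S3)
```

Note the direction of the first test: a high degree of approximation to an installed legitimate application is what keeps an application under suspicion, because the scenario in the background is a repackaged copy disguised as a legitimate one; an application that resembles none of them is cleared in S3 without a behaviour evaluation.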
According to another aspect of the present invention, in step S5, after the malicious application is determined, local killing and recording with the remote device includes: querying the process list, where the enable instruction generated after the determination automatically terminates the process; transferring the profile of the malicious application, together with its folder location, related generated files and compressed packages, and deleting them; checking after a preset time whether they are regenerated or updated and, if so, performing this step again until they no longer exist; and transferring all information about the malicious application to the remote device for recording, where the remote device again examines the request and the identity of the user terminal and, if they pass, receives the transmitted information and classifies and stores it.
According to another aspect of the present invention, in step S6, verifying and repairing damaged platform data, and in step S7, running the repaired platform data and checking whether any profile of the killed application exists, include: if the original malicious application replaced, damaged or overwrote the data of a legitimate application on the platform, looking up the configuration file of the legitimate application, recovering the data file through the linked address, starting the thread of the legitimate application and verifying the data; if verification passes, proceeding to the next step; if not, repeating this step until verification passes.
According to another aspect of the present invention, in step S6, verifying and repairing damaged platform data, and in step S7, running the repaired platform data and checking whether any profile of the killed application exists, include: recovering and repairing data by redundancy, where the redundancy is generated as follows: the storage device is divided into multiple blocks, which are assigned by function to a storage area, a redundancy area and a mapping area; after storage ends, the redundancy generator inside the storage device performs a redundancy operation on the data and correspondingly forms, in the mapping area, a mapping table between the stored data and the redundant data; a CRC is added in the area adjacent to the storage region, and the key channel of the storage medium is closed.
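The redundancy-based recovery just described, as an added example that is not the patent's own code. It assumes XOR parity over a stripe of data blocks as the redundancy operation, CRC-32 from zlib as the verification code kept beside each block, a sealed flag that refuses further writes to the storage area as the model of "closing the key channel", and constructed sample data; the block and stripe sizes are chosen only for the illustration.

```python
"""Redundancy area, mapping area and adjacent CRC for recovering damaged data (steps S6 and S7)."""
import zlib
from dataclasses import dataclass, field

BLOCK_SIZE = 8   # constructed block size in bytes
STRIPE = 4       # constructed: number of data blocks covered by one redundancy block

def xor_blocks(blocks):
    """XOR equal-sized blocks together (the assumed redundancy generator)."""
    out = bytearray(BLOCK_SIZE)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

@dataclass
class StorageDevice:
    storage: list = field(default_factory=list)      # storage area: data blocks
    redundancy: list = field(default_factory=list)   # redundancy area: parity blocks
    mapping: dict = field(default_factory=dict)      # mapping area: data block -> parity block
    crc: list = field(default_factory=list)          # CRC kept adjacent to each data block
    length: int = 0                                  # original data length (strips padding)
    sealed: bool = False                             # key channel closed once storage ends

    def store(self, data):
        if self.sealed:
            raise PermissionError("storage channel is closed")
        self.length = len(data)
        padded = data + b"\0" * (-len(data) % BLOCK_SIZE)
        self.storage = [padded[i:i + BLOCK_SIZE] for i in range(0, len(padded), BLOCK_SIZE)]
        self.crc = [zlib.crc32(b) for b in self.storage]
        self.redundancy, self.mapping = [], {}
        for start in range(0, len(self.storage), STRIPE):
            group = self.storage[start:start + STRIPE]
            self.redundancy.append(xor_blocks(group))
            for i in range(start, start + len(group)):
                self.mapping[i] = len(self.redundancy) - 1   # mapping table entry
        self.sealed = True

    def damaged_blocks(self):
        """Blocks whose content no longer matches the adjacent CRC."""
        return [i for i, b in enumerate(self.storage) if zlib.crc32(b) != self.crc[i]]

    def repair(self):
        """Rebuild each damaged block from its parity block and its intact siblings.
        Single parity restores at most one damaged block per stripe; others are left as is."""
        repaired = []
        damaged = set(self.damaged_blocks())
        for i in sorted(damaged):
            stripe = self.mapping[i]
            siblings = [j for j, s in self.mapping.items() if s == stripe and j != i]
            if any(j in damaged for j in siblings):
                continue
            candidate = xor_blocks([self.redundancy[stripe]] + [self.storage[j] for j in siblings])
            if zlib.crc32(candidate) == self.crc[i]:   # verify before accepting the repair
                self.storage[i] = candidate
                repaired.append(i)
        return repaired

    def read(self):
        return b"".join(self.storage)[:self.length]

SAMPLE = b"valid-app-config:threshold=3;path=/data/app"   # constructed legitimate app data

def demo(damage_indices):
    """Store SAMPLE, overwrite the given blocks (as damage by a malicious application), then repair.
    Returns (damaged blocks found, blocks repaired, whether the data reads back intact)."""
    dev = StorageDevice()
    dev.store(SAMPLE)
    for i in damage_indices:
        dev.storage[i] = b"\xff" * BLOCK_SIZE
    before = dev.damaged_blocks()
    repaired = dev.repair()
    return before, repaired, dev.read() == SAMPLE

if __name__ == "__main__":
    print(demo([2]))       # ([2], [2], True)
    print(demo([0, 1]))    # ([0, 1], [], False): two losses in one stripe exceed single parity
```

The CRC does two jobs here: it detects which blocks were damaged, and it confirms a rebuilt block before it is written back, so a repair that cannot succeed (two damaged blocks under one parity block) is reported rather than silently accepted.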
According to another aspect of the present invention, in steps S6 and S7, after recovery of the data file, the following operations are also performed: covering the data, padding its length, defining constants, determining functions and calculating a verification code. In step S2, the platform analysing the profile further comprises: obtaining the synchronous and asynchronous refresh file information of the suspicious application, determining its newly created and storage paths, extracting the configuration parameters retained there, and analysing its information flow to extract the complete information of the suspicious application.
According to another aspect of the present invention, in step S4, after the behaviour evaluation, the following operation may also be used to further confirm that the suspicious application is a malicious application: opening the legitimate application and terminating its process after a defined period; during this defined period, observing the application information that accesses the legitimate application and obtaining its communication information and its signal flow with the radio-frequency module; if an accessing application exists, it is determined to be a malicious application. The more files the malicious application generates in the same period, the stronger its degree of malice, and this information is recorded with the remote device in the subsequent step.
Embodiment
In the following description, reference is made to the attached drawings, in which several specific embodiments are shown diagrammatically. It will be appreciated that other embodiments are contemplated and can be made without departing from the scope or spirit of the present disclosure. Therefore, the following detailed description should not be taken in a limiting sense.
According to an exemplary embodiment of the invention, Fig. 1 illustrates a flow chart of an operating method for platform data.
In step S1, features are obtained during the running of an application on the platform;
In step S2, the platform analyses the profile type and interacts with a remote device to determine consistency;
In step S3, for a target application that does not meet consistency, the platform performs a preliminary screening of the suspicious target application by local comparison;
In step S4, for a target application that does not pass the preliminary screening, the platform performs a behaviour evaluation of the application;
In step S5, after a malicious application is determined, it is killed locally and recorded with the remote device;
In step S6, damaged platform data is verified and repaired;
In step S7, the repaired platform data is run and it is checked whether any profile of the killed application exists;
In step S8, if a profile of the killed application exists, steps S5 to S7 are repeated until no profile of the killed application exists; if no profile of the killed application exists, a timer is set and steps S1 to S7 are subsequently repeated.
Specifically, in step S1, obtaining features during the running of the application on the platform includes: during the application start-up process on the platform, starting a monitoring process according to memory loading, and collecting the application's start-up items, running environment, loader information, call information to the underlying interface, handles, and the profiles produced by the application in the same period, and recording their path and file name, type and time. The start-up items include the offset address and length information of the checksum and other structures; the loader information includes context-related information and coupling parameter configuration information; the profiles include both information in main storage and information in auxiliary storage, and additionally include temporary files as well as files that are executed or deleted at the end of running and for a period of time after the end of running. Through the operation and settings of this step, application features can be obtained comprehensively, accurately, in a timely and targeted manner, which prepares for accurate and secure subsequent operations.
Specifically, in step S2, the platform analysing the profile type and interacting with the remote device to determine consistency includes: according to the collected profile information, for a suspicious target application, first decompressing it and then examining the file name and type. The suspicious target application includes applications related to legitimate applications installed on the platform. For profiles whose file name and extension resemble those of a legitimate application, the suspicious information is sent to the remote device over a wired or wireless link. The remote device stores historical profiles of suspicious information of different types and different categories. The different types include: determined malicious applications, malicious applications to be determined, and legitimate applications, where the malicious applications to be determined include applications gathered from each platform that pose a potential threat and cannot be determined. The different categories include different extensions. The remote device first identifies and authenticates the user information, which includes the ID, IP, timestamp and suspicious application profile information; if identification and authentication pass, determination by query is allowed, and if identification and authentication cannot pass, a refusal response is sent back. The remote device's interactive determination of consistency includes: traversing the historical profiles of the different categories, verifying one by one the consistency of the suspicious application profile information with the historical profiles, outputting the corresponding type if the lookup matches, and directly outputting the result if it does not match.
Specifically, in step S3, for a target application that does not meet consistency, the platform performing the preliminary screening of the suspicious target application by local comparison includes: decompiling the suspicious application information to generate a first object, analysing the calls of the first object and performing vector quantization to obtain a vector, finding the vector whose sum of squared differences from the reference point is smallest, and analysing accordingly the degree of approximation between the suspicious application and the legitimate application; if the quantized value of the degree of approximation is greater than or equal to the first threshold, proceeding to the next step; if the quantized value of the degree of approximation is less than the first threshold, determining that the suspicious application is a non-malicious application.
Specifically, in step S4, for a target application that does not pass the preliminary screening, the platform performing the behaviour evaluation of the application includes: generating the data flow and control flow of the suspicious application, determining its information flow direction, and analysing whether the suspicious application interacts with the user, whether it has a bidirectional or unidirectional signal flow or control with the RF transceiver device, and whether it creates a new folder path to save generated and produced files; assigning a value according to each of these conditions, weighting and summing the values according to preset weights to obtain a behaviour evaluation parameter, and comparing it with the second threshold; if it is greater than or equal to the second threshold, determining that the suspicious application is indeed a malicious application; if it is less than the second threshold, determining that the suspicious application is a non-malicious application.
Specifically, in step S5, after the malicious application is determined, local killing and recording with the remote device include: querying the process list, where the enable instruction generated after the determination automatically terminates the process; transferring the profile of the malicious application, together with its folder location, related generated files and compressed packages, and deleting them; checking after a preset time whether they are regenerated or updated and, if so, performing this step again until they no longer exist. All information about the malicious application is transferred to the remote device for recording; the remote device again examines the request and the identity of the user terminal and, if they pass, receives the transmitted information and classifies and stores it.
Specifically, in step S6, verifying and repairing damaged platform data, and in step S7, running the repaired platform data and checking whether any profile of the killed application exists, include: if the original malicious application replaced, damaged or overwrote the data of a legitimate application on the platform, looking up the configuration file of the legitimate application, recovering the data file through the linked address, starting the thread of the legitimate application and verifying the data; if verification passes, proceeding to the next step; if not, repeating this step until verification passes.
Alternatively, in step S6, verifying and repairing damaged platform data, and in step S7, running the repaired platform data and checking whether any profile of the killed application exists, include recovering and repairing data by redundancy, where the redundancy is generated as follows: the storage device is divided into multiple blocks, which are assigned by function to a storage area, a redundancy area and a mapping area; after storage ends, the redundancy generator inside the storage device performs a redundancy operation on the data and correspondingly forms, in the mapping area, a correspondence table between the stored data and the redundant data. A CRC is added in the area adjacent to the storage region, and the key channel of the storage medium is closed.
Preferably, in steps S6 and S7, after recovery of the data file, the following operations are also performed: covering the data, padding its length, defining constants, determining functions and calculating a verification code. Through these operations, the security and integrity of the data can be further enhanced.
Preferably, in step S2, the platform analysing the profile further comprises: obtaining the synchronous and asynchronous refresh file information of the suspicious application, determining its newly created and storage paths, extracting the configuration parameters retained there, and analysing its information flow to extract the complete information of the suspicious application. Through this operation, the accuracy and completeness of security analysis can be further enhanced, judgement steps reduced, and the occupancy of and power consumption by platform processing resources reduced.
Preferably, in step S4, after the behaviour evaluation, the following operation may also be used to further confirm that the suspicious application is a malicious application: opening the legitimate application and terminating its process after a defined period; during this defined period, observing the application information that accesses the legitimate application and obtaining its communication information and its signal flow with the radio-frequency module; if an accessing application exists, it is determined to be a malicious application. The more files the malicious application generates in the same period, the stronger its degree of malice, and this information is recorded with the remote device in the subsequent step.
In summary, in the technical scheme of the present invention, by using an operating method for platform data, information about malicious applications that run or attempt to run on a computer platform can be obtained and the applications killed in a timely, accurate and complete manner, thereby protecting the security of the system; in addition, the accuracy and completeness of security analysis can be further enhanced, judgement steps reduced, the occupancy of and power consumption by platform processing resources reduced, and the security and integrity of data enhanced.
It will be appreciated that the examples and embodiments of the present invention can be realised in the form of hardware, software, or a combination of hardware and software. As described above, any body that performs this method can be stored in volatile or non-volatile storage, for example a storage device such as a ROM, whether erasable or rewritable or not, or in the form of memory such as RAM, memory chips, devices or integrated circuits, or on an optically or magnetically readable medium such as a CD, DVD, magnetic disk or magnetic tape. It will be appreciated that storage devices and storage media are examples of machine-readable storage suitable for storing one or more programs which, when executed, realise the examples of the present invention. The examples of the present invention can be transmitted electronically via any medium, such as a communication signal carried over a wired or wireless coupling, and such examples suitably include the same content.
It should be noted that the present invention solves the technical problem of killing malicious application information on a computer platform in a timely, accurate and complete manner, employs technical means that a technician in the field of computer technology can understand from the teaching of this description after reading it, and obtains the advantageous effects of protecting the security of the system, further enhancing the accuracy and completeness of security analysis, reducing judgement steps, reducing the occupancy of and power consumption by platform processing resources, and enhancing the security and integrity of data; therefore the scheme claimed in the following claims is a technical scheme within the meaning of the patent law. In addition, because the technical scheme claimed in the appended claims can be made or used in industry, the scheme has practical applicability.
The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall be encompassed within the protection scope of the present invention. Unless expressly stated otherwise, each disclosed feature is only one example of a general series of equivalent or similar features. Therefore, the protection scope of the present invention shall be defined by the protection scope of the claims.