CN107292173A - File safety protection method, device and equipment - Google Patents

Info

Publication number
CN107292173A
Authority
CN
China
Legal status
Pending
Application number
CN201710418996.1A
Other languages
Chinese (zh)
Inventor
何博
王亮
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The embodiments of the invention provide a file safety protection method, device and equipment. The method includes: when an operation by a process on a document is monitored, judging whether the type of the document is present in the operation document-type whitelist corresponding to the process, and obtaining a corresponding judgment result; and determining the security of the process according to the judgment result. The file safety protection method provided by the embodiments of the invention can improve the accuracy and objectivity of the process security detection result. Because the process undergoes security detection and only safe processes are allowed to operate on documents, documents can be better protected.

Description

File safety protection method, device and equipment
Technical field
The present invention relates to the field of information security technology, and in particular to a file safety protection method, device and equipment.
Background
As society becomes increasingly information-based, malicious processes, that is, malicious programs, keep increasing. Malicious processes encrypt almost all kinds of documents on the terminal device used by the user, such as pictures, documents, compressed packages, audio and video, in order to demand a ransom from the user. To prevent malicious processes from attacking terminal devices such as computers, the propagation paths in the terminal device that are easily infected by malicious programs need to be monitored.
The existing scheme for monitoring malicious processes in a terminal device is as follows: the number of edits to the documents to be detected is accumulated within a predetermined period; if the accumulated count exceeds a preset danger count, a dialog box is displayed asking whether to block further editing of the documents to be detected; if a block instruction is received, a preset process blacklist is used to determine whether a malicious process exists in the terminal device. For example, the types of documents to be detected include .doc documents, .rar documents, .psd documents and so on; if 5 of the documents to be detected are found to have been edited within one minute and the accumulated number of edits exceeds the preset danger count, the process that performed the edits is determined to be a malicious process.
This existing scheme relies on a process blacklist, and because malicious processes keep increasing, the blacklist cannot be guaranteed to contain every malicious process. As a result, malicious processes cannot be identified comprehensively.
Summary of the invention
In view of the problem that existing schemes for monitoring malicious processes cannot identify malicious processes comprehensively, the present invention is proposed to provide a file safety protection method, device and terminal that overcome the above problem.
According to one aspect of the invention, a file safety protection method is provided, including: when an operation by a process on a document is monitored, judging whether the type of the document is present in the operation document-type whitelist corresponding to the process, and obtaining a corresponding judgment result; and determining the security of the process according to the judgment result.
According to another aspect of the invention, a document security protection device is provided, including: a first judging module, configured to judge, when an operation by a process on a document is monitored, whether the type of the document is present in the operation document-type whitelist corresponding to the process, and to obtain a corresponding judgment result; and a determining module, configured to determine the security of the process according to the judgment result.
According to yet another aspect of the invention, equipment for document security protection is provided, including: one or more processors; and one or more machine-readable media storing instructions which, when executed by the one or more processors, cause the equipment to perform one or more of the file safety protection methods described in the embodiments of the invention.
According to a further aspect of the invention, one or more machine-readable media are provided, storing instructions which, when executed by one or more processors, cause equipment to perform one or more of the file safety protection methods described in the embodiments of the invention.
The file safety protection method, device and equipment provided by the embodiments of the invention preset an operation document-type whitelist for each process, which refines the judgment granularity down to the correspondence between a process and document types. Because the judgment granularity is finer, the security detection of processes is more accurate.
In addition, in the embodiments of the invention, the operation document-type whitelist corresponding to a process may contain every document type that the process can safely operate on. When an operation by a process on a document is monitored, the process is determined to be a safe process only if the type of the operated document is present in the process's whitelist, which improves the accuracy and objectivity of the process security detection result. Because only safe processes are allowed to operate on documents, documents can be better protected.
The above is only an overview of the technical solution of the invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the optional embodiments below. The drawings serve only to illustrate the optional embodiments and are not to be considered a limitation of the invention. Throughout the drawings, identical parts are denoted by the same reference symbols. In the drawings:
Fig. 1 shows a flowchart of the steps of a file safety protection method according to an embodiment of the invention;
Fig. 2 shows a flowchart of the steps of a file safety protection method according to an embodiment of the invention;
Fig. 3 shows a flowchart of the steps of a file safety protection method according to an embodiment of the invention;
Fig. 4 shows a structural diagram of a document security protection device according to an embodiment of the invention;
Fig. 5 shows a structural diagram of a document security protection device according to an embodiment of the invention; and
Fig. 6 shows a structural diagram of equipment according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be conveyed completely to those skilled in the art.
Embodiment one
Referring to Fig. 1, a flowchart of the steps of a file safety protection method according to embodiment one of the invention is shown.
The file safety protection method of this embodiment includes the following steps:
Step 101: When an operation by a process on a document is monitored, judge whether the type of the document is present in the operation document-type whitelist corresponding to the process, and obtain a corresponding judgment result.
The file safety protection method of this embodiment may be performed on the terminal side or on the cloud server side. Optionally, the terminal may be a terminal in a local area network and/or a wide area network; an example of a local area network is an enterprise network.
The operation document-type whitelist corresponding to a process may contain one or more document types. The whitelist may be stored on the terminal side or on the cloud server side. For example, the cloud server can use its advantage in computing resources to build and store the operation document-type whitelists corresponding to processes, and periodically deliver them to terminals.
To monitor a process's operations on documents, a hook function can be attached to the document operation interface based on the HOOK principle; when the process calls the document operation interface, the hook function observes the process's operation on the document.
Step 102: Determine the security of the process according to the judgment result.
Specifically, if the type of the operated document is present in the whitelist, the process can be determined to be a safe process. If the type of the operated document is not present in the whitelist, the process can be directly determined to be a malicious process; alternatively, its security can be judged further according to the attribute information of the process; alternatively, the information of the process can be reported to the cloud server, which judges the security of the process.
In summary, the security detection method provided by this embodiment presets an operation document-type whitelist for each process, which refines the judgment granularity down to the correspondence between a process and document types. Because the judgment granularity is finer, the security detection of processes is more accurate. In addition, the operation document-type whitelist corresponding to a process may contain every document type that the process can safely operate on. When an operation by a process on a document is monitored, the process is determined to be a safe process only if the type of the operated document is present in the process's whitelist, which improves the accuracy and objectivity of the process security detection result. Because only safe processes are allowed to operate on documents, documents can be better protected.
Embodiment two
Referring to Fig. 2, a flowchart of the steps of a file safety protection method according to embodiment two of the invention is shown.
The file safety protection method of this embodiment specifically includes the following steps:
Step 201: When an operation by a process on a document is monitored, judge whether the type of the document is present in the operation document-type whitelist corresponding to the process, and obtain a corresponding judgment result.
In practical applications, document types may include, but are not limited to, the following:
Common Office documents (extensions .ppt, .doc, .docx, .xlsx, .sxi);
Office documents used in certain countries (extensions .sxw, .odt, .hwp);
Compressed documents and media documents (extensions .zip, .rar, .tar, .mp4, .mkv);
Email and mail databases (extensions .eml, .msg, .ost, .pst, .deb);
Database documents (extensions .sql, .accdb, .mdb, .dbf, .odb, .myd);
Source code and project documents used by developers (extensions .php, .java, .cpp, .asp, .asm);
Keys and certificates (extensions .key, .pfx, .pem, .p12, .csr, .gpg, .aes);
Documents used by art designers, artists and photographers (extensions .vsd, .odg, .raw, .nef, .svg, .psd);
Virtual machine documents (extensions .vmx, .vmdk, .vdi), and so on.
The document operated on by the current process may be of any of the types listed above.
The operation document-type whitelist corresponding to a process can be generated and maintained manually by technical staff and uploaded to the terminal or the cloud server; it can also be generated and maintained automatically by the cloud server or the terminal from historical operation data. One optional way of automatically generating the whitelist includes: determining, from document operation data, the historical operation frequency of the process for each document type; and adding the document types whose historical operation frequency meets a preset condition to the operation document-type whitelist corresponding to the process.
For example: the terminal observes that, within a preset time, process A's cumulative number of historical operations on documents of type B is X, that all X operations are safe operations, and that X is greater than the threshold contained in the preset condition; type B is therefore added to the operation document-type whitelist corresponding to process A. Here, a safe operation means that no malicious behavior occurs when the process operates on the document. The threshold contained in the preset condition can be any appropriate value, such as 500, 1000 or 2000. Note that, besides the threshold, the preset condition may also contain a ratio, which indicates the proportion of successful operations to the total cumulative number of operations.
As another example: for process C, the cloud server observes that the cumulative number of historical operations by process C on documents of type D across all terminals is Y, determines that all Y operations are safe operations, and finds that Y is greater than the threshold contained in the preset condition; type D is therefore added to the operation document-type whitelist corresponding to process C. If an operation by process C on a document of type D on some terminal is found not to be a safe operation, type D is not included in the operation document-type whitelist corresponding to process C.
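The automatic whitelist generation described above can be sketched as follows. This is an added example, not code from the patent or its assignee: the record layout, the names `OpRecord` and `build_whitelist`, and the reading of the "ratio" as the share of safe operations are assumptions, and the sample history is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class OpRecord:
    """One observed document operation (hypothetical record layout)."""
    terminal: str
    process: str
    doc_type: str
    safe: bool        # True when no malicious behavior accompanied the operation


def build_whitelist(records, threshold, min_safe_ratio=1.0):
    """Return {process: {doc_type, ...}} for pairs that meet the preset condition.

    A document type is added for a process only when the cumulative number of
    operations is greater than `threshold` AND the share of safe operations is
    at least `min_safe_ratio`. The default ratio of 1.0 reproduces the rule in
    the text: one unsafe operation on any terminal keeps the type out.
    """
    total = defaultdict(int)
    safe = defaultdict(int)
    for rec in records:
        key = (rec.process, rec.doc_type)
        total[key] += 1
        if rec.safe:
            safe[key] += 1

    whitelist = defaultdict(set)
    for (process, doc_type), count in total.items():
        if count > threshold and safe[(process, doc_type)] / count >= min_safe_ratio:
            whitelist[process].add(doc_type)
    return dict(whitelist)


def sample_records():
    """Constructed history aggregated from two terminals, t1 and t2."""
    recs = []
    recs += [OpRecord("t1", "winword.exe", ".docx", True)] * 400
    recs += [OpRecord("t2", "winword.exe", ".docx", True)] * 200
    recs += [OpRecord("t1", "backup.exe", ".zip", True)] * 699
    recs += [OpRecord("t2", "backup.exe", ".zip", False)]      # one unsafe operation
    recs += [OpRecord("t1", "winword.exe", ".psd", True)] * 3  # far below threshold
    return recs


if __name__ == "__main__":
    # Threshold 500 is one of the values the text suggests.
    print(build_whitelist(sample_records(), threshold=500))
```

With the default ratio, the single unsafe `.zip` operation on terminal t2 excludes that type for `backup.exe` even though the count exceeds the threshold.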
Step 202: When the judgment result is yes, determine that the process is a safe process; then perform step 205.
When the type of the currently operated document is present in the operation document-type whitelist corresponding to the process, the process can be determined to be a safe process, and the process's current operation on the document is therefore carried out. When the type of the currently operated document is not present in the whitelist, the process can be preliminarily judged not to be a safe process, and its security needs to be judged further according to the attribute information of the process.
Step 203: When the judgment result is no, determine the security of the process according to the attribute information of the process.
In an optional embodiment of the invention, before the security of the process is determined according to its attribute information, it can first be judged whether the operated document is of a preset type; if so, step 203 is performed; if not, the process is directly determined to be a malicious process. The preset types can be, for example, the types corresponding to media documents and the types corresponding to common office documents. Performing the attribute-information judgment only for documents of preset types, rather than for documents of all types, reduces the computing load on the equipment.
For example: if the document currently operated on by the process is a picture and the picture type is not present in the operation document-type whitelist corresponding to the process, the security of the process is judged further according to its attribute information. If the document currently operated on by the process is a database document and the database document type is not present in the operation document-type whitelist corresponding to the process, the process is directly determined to be a malicious process.
The attribute information of a process may include at least one of the following: process source, process signature and process chain. In a specific implementation, the security of the process can be determined according to any one of these attributes.
When the security of the process is determined according to its process source, one optional approach is as follows:
Judge whether the process source of the process is malicious; if so, determine that the process is a malicious process; if not, determine that the process is a safe process.
The process currently observed operating on a document may not be a process that ships with the system on the terminal device; it may have been downloaded from a third-party website or application platform, for example the QQ platform, a malicious URL or a phishing website, so the process source needs to be determined. If the process source is malicious, the process can be determined to be a malicious process; conversely, if the process source is not malicious, the process can be determined to be a safe process.
When the security of the process is determined according to its process signature, one optional approach is as follows:
Judge whether the process has a corresponding process signature; if not, determine that the process is a malicious process; if so, judge whether the process signature is a trusted signature; if it is a trusted signature, determine that the process is a safe process; if it is an untrusted signature, determine that the process is a malicious process.
Malicious processes usually have no signature, so it is first judged whether the process has a corresponding process signature; if not, the process is directly determined to be a malicious process. In the embodiments of the invention, a list of trusted signatures can be stored in advance. To decide whether a process signature is trusted, it is compared with each signature in the trusted signature list; if an identical signature exists, the process signature is determined to be trusted; otherwise it is determined to be untrusted.
When the security of the process is determined according to its process chain, one optional approach is as follows:
Determine the parent process of the process from the process chain corresponding to the process; judge whether the parent process is a malicious process; if so, determine that the process is a malicious process; if not, determine that the process is a safe process.
A process chain is a chain of relationships in which a parent process spawns a child process and the child process in turn spawns further child processes. Therefore, once the parent process is determined to be malicious, the child process, having been spawned by that parent, is also malicious.
Note that a specific implementation is not limited to determining the security of a process indirectly through its parent process; the security of a process can also be determined indirectly through its child process. Specifically, when the child process is determined to be a malicious process, the process can be determined to be a malicious process.
Step 204: When the process is determined to be a malicious process, clean up the processes contained in the process chain corresponding to the process.
When one process in a process chain is determined to be malicious, all processes contained in that chain are cleaned up, to prevent the chain from spawning further malicious processes that later attack the system.
Step 204 is an optional implementation; in a specific implementation, when the process is determined to be a malicious process, it is also possible only to block the process without cleaning up the processes in its process chain.
Step 205: When the process is determined to be a safe process, allow the process's operation on the document.
When the process is determined to be a safe process, the process is not blocked and its operation on the document is allowed.
The operations on a document may include, but are not limited to: copy operations, delete operations, open operations and so on.
In summary, in the file safety protection method provided by this embodiment, when an operation by a process on a document is monitored, the process is determined to be a safe process if the type of the operated document is present in the process's whitelist. If the type of the operated document is not present in the whitelist, the security of the process is judged further according to its attribute information, specifically its process source, process signature or process chain, which improves the accuracy of process security detection.
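The decision flow of steps 201 to 205 can be sketched as follows. This is an added example, not code from the patent: the text allows any one attribute to decide, while this sketch applies source, signature and process-chain checks together and treats any failure as malicious. All names, the process table and the `SYSTEM_ROOTS` cleanup boundary are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

SAFE, MALICIOUS = "safe", "malicious"


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    ppid: Optional[int]     # parent pid, None for the root of the table
    source: str             # origin of the binary (hypothetical label)
    signer: Optional[str]   # None means the binary carries no signature


# Every value below is constructed for this example.
WHITELIST = {"winword.exe": {".doc", ".docx"}, "player.exe": {".mp4", ".mkv"}}
PRESET_TYPES = {".ppt", ".doc", ".docx", ".xlsx", ".mp4", ".mkv"}  # office + media
MALICIOUS_SOURCES = {"phishing.example"}
TRUSTED_SIGNERS = {"Example Software Ltd"}
SYSTEM_ROOTS = {"explorer.exe"}   # assumption: cleanup never climbs past these

TABLE: Dict[int, Proc] = {p.pid: p for p in [
    Proc(1, "explorer.exe", None, "os", "Example Software Ltd"),
    Proc(10, "winword.exe", 1, "os", "Example Software Ltd"),
    Proc(20, "dropper.exe", 1, "phishing.example", None),
    Proc(21, "helper.exe", 20, "local", "Example Software Ltd"),
    Proc(22, "worker.exe", 21, "local", "Example Software Ltd"),
    Proc(30, "player.exe", 1, "local", "Unknown Corp"),
]}


def ancestors(proc: Proc, table: Dict[int, Proc]):
    """Yield parent, grandparent, ... guarding against pid cycles."""
    seen = {proc.pid}
    cur = table.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = table.get(cur.ppid)


def judge_by_attributes(proc: Proc, table, known_bad: Set[int]) -> str:
    """Step 203: process source, process signature, then process chain."""
    if proc.source in MALICIOUS_SOURCES:
        return MALICIOUS
    if proc.signer is None or proc.signer not in TRUSTED_SIGNERS:
        return MALICIOUS              # unsigned, or signed by an untrusted signer
    if any(a.pid in known_bad for a in ancestors(proc, table)):
        return MALICIOUS              # spawned from a process already judged malicious
    return SAFE


def judge(proc: Proc, doc_ext: str, table, known_bad: Set[int]) -> str:
    """Steps 201-203. `known_bad` collects pids judged malicious so far."""
    ext = doc_ext.lower()
    if ext in WHITELIST.get(proc.name, set()):
        return SAFE                   # step 202: whitelist hit, no further checks
    if ext not in PRESET_TYPES:
        verdict = MALICIOUS           # optional gate: not a preset type
    else:
        verdict = judge_by_attributes(proc, table, known_bad)
    if verdict == MALICIOUS:
        known_bad.add(proc.pid)
    return verdict


def chain_to_clean(proc: Proc, table) -> Set[int]:
    """Step 204: pids of the whole chain, from the top-most ancestor below a
    system root down through every descendant."""
    top = proc
    for anc in ancestors(proc, table):
        if anc.name in SYSTEM_ROOTS:
            break
        top = anc
    members: Set[int] = set()
    stack = [top.pid]
    while stack:
        pid = stack.pop()
        if pid not in members:
            members.add(pid)
            stack.extend(p.pid for p in table.values() if p.ppid == pid)
    return members
```

Because the whitelist check comes first, `player.exe` is allowed on `.mkv` despite its untrusted signer, and the verdict for `helper.exe` depends on whether its parent has already been judged.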
Embodiment three
Referring to Fig. 3, a flowchart of the steps of a file safety protection method according to embodiment three of the invention is shown.
In this embodiment, the security of the process is first judged on the terminal side; when the terminal side cannot determine that the process is a safe process, a judgment request is reported to the cloud server, and the cloud server judges the security of the process. Taking this as the example, the file safety protection method of this embodiment specifically includes the following steps:
Step 301: When an operation by a process on a document is monitored, judge whether the type of the document is present in the operation document-type whitelist corresponding to the process, and obtain a corresponding judgment result.
The judgment result can be yes or no.
For the specific ways of generating and maintaining the operation document-type whitelist corresponding to a process, refer to the related description in embodiment two; they are not repeated here.
Step 302: When the judgment result is yes, determine that the process is a safe process; then perform step 306.
If the type of the operated document is present in the operation document-type whitelist corresponding to the process, the terminal can determine that the process is a safe process.
Step 303: When the judgment result is no, send the information of the process and the information of the document to the cloud server, so that the cloud server judges the security of the process.
Because the cloud server can learn how each process behaves on every terminal connected to it, it can judge the security of the process on the basis of this big data, which improves the accuracy of the process security judgment.
For example: after the cloud server learns that terminal A allowed process X and that process X then performed malicious operations on documents on terminal A, it can determine that process X is a malicious process and record this information. When the process reported this time for judgment is process X, the cloud server can determine that the process is a malicious process.
In addition, when judging the security of the process, the cloud server can also make the judgment according to the attribute information of the process. For the specific judgment approach, refer to the related description in embodiment two; it is not repeated here.
Step 304: Receive the response message returned by the cloud server.
The response message carries information indicating whether the process is a safe process or a malicious process.
For example: "1" can indicate that the process is a safe process, and "0" can indicate that the process is a malicious process.
Step 305: Determine the security of the process according to the response message.
The terminal determines the security of the process from the response message received from the cloud server.
Step 306: When the process is determined to be a safe process, allow the process's operation on the document.
When the process is determined to be a safe process, the process is not blocked and its operation on the document is allowed.
The operations on a document may include, but are not limited to: copy operations, delete operations, open operations and so on.
Step 307: When the process is determined to be a malicious process, clean up the processes contained in the process chain corresponding to the process.
A process chain is a chain of relationships in which a parent process spawns a child process and the child process in turn spawns further child processes. When one process in a process chain is determined to be malicious, all processes contained in that chain are cleaned up, to prevent the chain from spawning further malicious processes that later attack the system.
It will be appreciated that cleaning up the process chain as described above is optional; in a specific implementation, when the process is determined to be a malicious process, it is also possible only to block the process without cleaning up the processes in its process chain.
In summary, in the file safety protection method provided by this embodiment, the operation document-type whitelist corresponding to a process may contain every document type that the process can safely operate on. When an operation by a process on a document is monitored, the process is determined to be a safe process only if the type of the operated document is present in the process's whitelist; otherwise, the information of the process and the information of the document are uploaded to the cloud server, which judges the security of the process on the basis of big data, improving the accuracy of the process security detection result. In addition, when the process is determined to be a malicious process, the method cleans up the processes contained in the process chain corresponding to that process, to prevent the chain from spawning further malicious processes that later attack the system.
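The terminal-to-cloud exchange of steps 303 to 305 can be sketched as follows. This is an added example, not code from the patent: only the "1"/"0" indicator values come from the text, while the JSON message layout, the field names and the rule that unknown processes and malformed responses are treated as malicious are assumptions. The identifiers in the usage are constructed.

```python
import json

SAFE_FLAG, MALICIOUS_FLAG = "1", "0"   # indicator values given in the text


class CloudVerdictService:
    """Cloud side: records how each process behaved on the connected terminals."""

    def __init__(self):
        self._history = {}   # process id -> list of (terminal id, was_malicious)

    def record_operation(self, terminal_id, process_id, was_malicious):
        self._history.setdefault(process_id, []).append((terminal_id, was_malicious))

    def handle(self, request_text):
        """Step 303 on the server: judge the reported process, return the response."""
        request = json.loads(request_text)
        process_id = request["process"]["id"]
        history = self._history.get(process_id, [])
        # Assumption: a process with no history is not cleared, and a single
        # recorded malicious operation on any terminal condemns the process.
        if not history or any(was_bad for _, was_bad in history):
            flag = MALICIOUS_FLAG
        else:
            flag = SAFE_FLAG
        return json.dumps({"process_id": process_id, "verdict": flag})


def build_request(terminal_id, process_id, process_name, doc_path, doc_type):
    """Terminal side, step 303: information of the process and of the document."""
    return json.dumps({
        "terminal": terminal_id,
        "process": {"id": process_id, "name": process_name},
        "document": {"path": doc_path, "type": doc_type},
    })


def interpret_response(response_text, expected_process_id):
    """Terminal side, step 305: True only for a well-formed '1' about this process."""
    try:
        response = json.loads(response_text)
    except (TypeError, ValueError):
        return False                     # unreadable response: treat as malicious
    if not isinstance(response, dict):
        return False
    if response.get("process_id") != expected_process_id:
        return False                     # verdict is about some other process
    return response.get("verdict") == SAFE_FLAG


def ask_cloud(service, terminal_id, process_id, process_name, doc_path, doc_type):
    """Steps 303 to 305 end to end; returns True when the operation may proceed."""
    request = build_request(terminal_id, process_id, process_name, doc_path, doc_type)
    return interpret_response(service.handle(request), process_id)


if __name__ == "__main__":
    cloud = CloudVerdictService()
    # Terminal A allowed process X, which then performed a malicious operation.
    cloud.record_operation("terminal-A", "proc-X", False)
    cloud.record_operation("terminal-A", "proc-X", True)
    print(ask_cloud(cloud, "terminal-C", "proc-X", "x.exe", "C:/docs/a.docx", ".docx"))
```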
Example IV
Reference picture 4, shows a kind of structural representation of document security protector of the embodiment of the present invention four.
The document security protector of the embodiment of the present invention can include:First judge module 401, for monitor into When journey is to the operation of document, judge that the type of the document whether there is operation Doctype white list corresponding in the process In, obtain corresponding judged result;Determining module 402, for according to the judged result, determining the security of the process.
By document security protector provided in an embodiment of the present invention, for the preset corresponding operation Doctype of process White list, will determine that granularity refinement to process and the corresponding relation of Doctype, due to judging granularity refinement therefore to process Safety detection is more accurate.In addition, can be included in the corresponding operation Doctype white list of process in the embodiment of the present invention The process can safety operation each Doctype, when operation of the process that monitors to document, only when the corresponding white list of process During the type for the document that middle presence is operated, it is security procedure just to determine process, it is possible to increase the safety detection result of process Accuracy and objectivity.
Embodiment five
Reference picture 5, shows a kind of structural representation of document security protector of the embodiment of the present invention five.
The document security protector of the embodiment of the present invention is the further optimization to device in example IV, after optimization Document security protector can include:First judge module 501, in operation of the process that monitors to document, judging The type of the document whether there is in the corresponding operation Doctype white list of the process, obtain corresponding judgement knot Really;Determining module 502, for according to the judged result, determining the security of the process.
Alternatively, described device can also include frequency determining module 503, for according to document function data, it is determined that entering Historical operation frequency of the journey for Doctype;Add module 504, the document for historical operation frequency to be met to prerequisite Type is operated in Doctype white list added to the process is corresponding.
Optionally, the determining module 502 is specifically configured to: when the judgment result is no, determine the safety of the process according to the attribute information of the process.
Optionally, the device may further include a second judging module 505, configured to judge, before the determining module 502 determines the safety of the process according to the attribute information of the process, whether the document is of a preset type; and if so, to perform the step of determining the safety of the process according to the attribute information of the process.
Optionally, the attribute information may include a process source, and the determining module 502 includes a process source judging submodule 5021, configured to judge whether the process source of the process is malicious; if so, determine that the process is a malicious process; if not, determine that the process is a safe process.
Optionally, the attribute information may include a process signature, and the determining module 502 includes a signature judging submodule 5022, configured to judge whether the process has a corresponding process signature; if not, determine that the process is a malicious process; if so, judge whether the process signature is a trusted signature; if it is a trusted signature, determine that the process is a safe process; if it is an untrusted signature, determine that the process is a malicious process.
Optionally, the attribute information may include a process chain, and the determining module 502 includes a process chain judging submodule 5023, configured to determine the parent process of the process from the process chain corresponding to the process; judge whether the parent process is a malicious process; if so, determine that the process is a malicious process; if not, determine that the process is a safe process.
Optionally, the determining module 502 is specifically configured to: when the judgment result is no, send the information of the process and the information of the document to a cloud server, so that the cloud server judges the safety of the process; receive the response message returned by the cloud server; and determine the safety of the process according to the response message.
Optionally, the determining module 502 is specifically configured to: when the judgment result is no, determine that the process is a malicious process.
Optionally, the device may further include a cleanup module 506, configured to clean up the processes included in the process chain corresponding to the process when the determining module 502 determines that the process is a malicious process.
The document security protection device of this embodiment is used to implement the corresponding document security protection methods of the foregoing Embodiments one to three, and has the beneficial effects of the corresponding method embodiments, which are not repeated here.
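The decision flow of modules 501 to 506 can be sketched as follows. This is an added example, not code from the patent: the names, the sample policy sets, the frequency threshold, the order in which the three attribute checks are combined, and the treatment of non-preset document types as safe are all assumptions made for illustration.

```python
import os
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    SAFE = "safe"
    MALICIOUS = "malicious"


@dataclass
class Process:
    name: str
    source: str                          # constructed label for the process source
    signer: Optional[str] = None         # None: the process has no signature
    parent: Optional["Process"] = None   # next link in the process chain


# Constructed policy data (assumptions, not values from the patent).
PRESET_TYPES = {".docx", ".xlsx", ".pdf"}        # document types under protection
MALICIOUS_SOURCES = {"email-attachment-macro"}
TRUSTED_SIGNERS = {"Example Trusted Vendor"}
KNOWN_MALICIOUS = {"dropper.exe"}
MIN_HISTORY_COUNT = 3                            # the "preset condition" on frequency

# Constructed operation history: (process name, document type) per operation.
HISTORY = ([("winword.exe", ".docx")] * 5 + [("winword.exe", ".txt")]
           + [("notepad.exe", ".txt")] * 4)


def build_whitelist(history, min_count=MIN_HISTORY_COUNT):
    """Modules 503/504: whitelist the types a process has operated on often."""
    whitelist = {}
    for (proc, doc_type), count in Counter(history).items():
        if count >= min_count:
            whitelist.setdefault(proc, set()).add(doc_type)
    return whitelist


def judge_by_attributes(proc):
    """Submodules 5021-5023, combined here so that any malicious finding wins."""
    if proc.source in MALICIOUS_SOURCES:
        return Verdict.MALICIOUS                 # malicious process source
    if proc.signer is None or proc.signer not in TRUSTED_SIGNERS:
        return Verdict.MALICIOUS                 # unsigned or untrusted signature
    if proc.parent is not None and proc.parent.name in KNOWN_MALICIOUS:
        return Verdict.MALICIOUS                 # malicious parent in the chain
    return Verdict.SAFE


def judge_operation(proc, doc_path, whitelist):
    """Modules 501/502/505: whitelist first, attribute checks as the fallback."""
    doc_type = os.path.splitext(doc_path)[1].lower()
    if doc_type in whitelist.get(proc.name, set()):
        return Verdict.SAFE                      # judgment result is "yes"
    if doc_type not in PRESET_TYPES:
        return Verdict.SAFE                      # assumption: type is not protected
    return judge_by_attributes(proc)


def processes_to_clean(proc):
    """Module 506: list the processes in the chain of a malicious process.

    How far up the chain a real product walks is not stated on the page;
    this sketch returns every recorded ancestor.
    """
    chain = []
    while proc is not None:
        chain.append(proc.name)
        proc = proc.parent
    return chain
```

The whitelist hit short-circuits the attribute checks, so a process is only examined further when it touches a protected document type it has no history with.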
Embodiment six
Referring to Fig. 6, a structural block diagram of an equipment for document security protection according to Embodiment six of the present invention is shown.
The equipment for document security protection of this embodiment includes: one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the equipment to perform one or more of the document security protection methods described in Embodiments one to three.
Fig. 6 is a block diagram of an equipment for document security protection according to an exemplary embodiment.
Referring to Fig. 6, the equipment may include one or more of the following components: a processing component 602, a memory 604, a power supply component 606, a multimedia component 608, an audio component 610, an input/output (I/O) interface 612, a sensor component 614, and a communication component 616.
The processing component 602 generally controls the overall operation of the equipment, such as operations associated with display, data communication, camera operation, and recording operation. The processing component 602 may include one or more processors 620 to execute instructions so as to complete all or part of the steps of the above method. In addition, the processing component 602 may include one or more modules that facilitate interaction between the processing component 602 and other components. For example, the processing component 602 may include a multimedia module to facilitate interaction between the multimedia component 608 and the processing component 602.
The memory 604 is configured to store various types of data to support operation of the equipment. Examples of such data include instructions for any application or method operated on the equipment, contact data, phone book data, messages, pictures, videos, and so on. The memory 604 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk, or an optical disc.
The power supply component 606 provides power to the various components of the terminal. The power supply component 606 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the terminal 600.
The multimedia component 608 includes a screen that provides an output interface between the terminal and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, slides, and gestures on the touch panel. The touch sensors may sense not only the boundary of a touch or slide action but also the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 608 includes a front camera and/or a rear camera. When the terminal is in an operating mode, such as a shooting mode or a video mode, the front camera and/or the rear camera can receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capability.
The audio component 610 is configured to output and/or input audio signals. For example, the audio component 610 includes a microphone (MIC); when the terminal is in an operating mode, such as a call mode, a recording mode, or a speech recognition mode, the microphone is configured to receive external audio signals. The received audio signal may be further stored in the memory 604 or sent via the communication component 616. In some embodiments, the audio component 810 also includes a loudspeaker for outputting audio signals.
The I/O interface 612 provides an interface between the processing component 602 and peripheral interface modules, which may be a keyboard, a click wheel, buttons, and so on. The buttons may include but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor component 614 includes one or more sensors for providing status assessments of various aspects of the terminal 600. For example, the sensor component 614 can detect the open/closed state of the equipment 600 and the relative positioning of components, for example the display and keypad of the equipment; the sensor component 614 can also detect a change in position of the equipment or of one of its components, the presence or absence of user contact with the equipment, the orientation or acceleration/deceleration of the terminal, and a change in temperature of the terminal. The sensor component 614 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor component 614 may also include an optical sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor component 614 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 616 is configured to facilitate wired or wireless communication between the equipment and other devices. The equipment can access a wireless network based on a communication standard, such as WiFi, 2G, or 3G, or a combination thereof. In one exemplary embodiment, the communication component 616 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 616 also includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the terminal may be implemented by one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components, for performing the above method.
In an exemplary embodiment, a machine-readable storage medium including instructions is also provided, such as the memory 604 including instructions, where the instructions can be executed by the one or more processors 620 of the equipment to complete the above method. For example, the machine-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar between embodiments, reference may be made to one another. Because the system embodiments are substantially similar to the method embodiments, they are described relatively briefly; for related details, refer to the corresponding description of the method embodiments.
The document security protection method, device, and equipment provided herein are not inherently related to any particular computer, virtual system, or other equipment. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct a system embodying the present invention is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the description above of a specific language is intended to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided herein. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures, and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments of the invention. However, the method of the disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules or units or components in the embodiments can be combined into one module or unit or component, and can furthermore be divided into multiple submodules or subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) may be replaced by an alternative feature serving the same, an equivalent, or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any one of the claimed embodiments can be used in any combination.
The component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the document security protection method, device, and equipment according to embodiments of the present invention. The present invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, and third does not indicate any order. These words may be interpreted as names.
The invention discloses A1, a document security protection method, including:
when an operation by a process on a document is monitored, judging whether the type of the document is present in the operation document type whitelist corresponding to the process, and obtaining a corresponding judgment result;
determining the safety of the process according to the judgment result.
A2. The method according to A1, wherein the method further includes:
determining, according to document operation data, the historical operation frequency of a process for each document type;
adding document types whose historical operation frequency meets a preset condition to the operation document type whitelist corresponding to the process.
A3. The method according to A1, wherein determining the safety of the process according to the judgment result includes:
when the judgment result is no, determining the safety of the process according to the attribute information of the process.
A4. The method according to A3, wherein, before determining the safety of the process according to the attribute information of the process, the method further includes:
judging whether the document is of a preset type; and if so, performing the step of determining the safety of the process according to the attribute information of the process.
A5. The method according to A3, wherein the attribute information includes a process source, and determining the safety of the process according to the attribute information of the process includes:
judging whether the process source of the process is malicious;
if so, determining that the process is a malicious process;
if not, determining that the process is a safe process.
A6. The method according to A3, wherein the attribute information includes a process signature, and determining the safety of the process according to the attribute information of the process includes:
judging whether the process has a corresponding process signature;
if not, determining that the process is a malicious process;
if so, judging whether the process signature is a trusted signature; if it is a trusted signature, determining that the process is a safe process; if it is an untrusted signature, determining that the process is a malicious process.
A7. The method according to A3, wherein the attribute information includes a process chain, and determining the safety of the process according to the attribute information of the process includes:
determining the parent process of the process from the process chain corresponding to the process;
judging whether the parent process is a malicious process; if so, determining that the process is a malicious process; if not, determining that the process is a safe process.
A8. The method according to A1, wherein determining the safety of the process according to the judgment result includes:
when the judgment result is no, sending the information of the process and the information of the document to a cloud server, so that the cloud server judges the safety of the process;
receiving the response message returned by the cloud server;
determining the safety of the process according to the response message.
A9. The method according to A1, wherein determining the safety of the process according to the judgment result includes:
when the judgment result is no, determining that the process is a malicious process.
A10. The method according to any one of A1 to A9, wherein the method further includes:
when the process is determined to be a malicious process, cleaning up the processes included in the process chain corresponding to the process.
The invention discloses B11, a document security protection device, including:
a first judging module, configured to judge, when an operation by a process on a document is monitored, whether the type of the document is present in the operation document type whitelist corresponding to the process, and to obtain a corresponding judgment result;
a determining module, configured to determine the safety of the process according to the judgment result.
B12. The device according to B11, wherein the device further includes:
a frequency determining module, configured to determine, according to document operation data, the historical operation frequency of a process for each document type;
an adding module, configured to add document types whose historical operation frequency meets a preset condition to the operation document type whitelist corresponding to the process.
B13. The device according to B11, wherein the determining module is specifically configured to:
when the judgment result is no, determine the safety of the process according to the attribute information of the process.
B14. The device according to B13, wherein the device further includes:
a second judging module, configured to judge, before the determining module determines the safety of the process according to the attribute information of the process, whether the document is of a preset type; and if so, to perform the step of determining the safety of the process according to the attribute information of the process.
B15. The device according to B13, wherein the attribute information includes a process source, and the determining module includes:
a process source judging submodule, configured to judge whether the process source of the process is malicious; if so, determine that the process is a malicious process; if not, determine that the process is a safe process.
B16. The device according to B13, wherein the attribute information includes a process signature, and the determining module includes:
a signature judging submodule, configured to judge whether the process has a corresponding process signature; if not, determine that the process is a malicious process; if so, judge whether the process signature is a trusted signature; if it is a trusted signature, determine that the process is a safe process; if it is an untrusted signature, determine that the process is a malicious process.
B17. The device according to B13, wherein the attribute information includes a process chain, and the determining module includes:
a process chain judging submodule, configured to determine the parent process of the process from the process chain corresponding to the process; judge whether the parent process is a malicious process; if so, determine that the process is a malicious process; if not, determine that the process is a safe process.
B18. The device according to B11, wherein the determining module is specifically configured to:
when the judgment result is no, send the information of the process and the information of the document to a cloud server, so that the cloud server judges the safety of the process;
receive the response message returned by the cloud server;
determine the safety of the process according to the response message.
B19. The device according to B11, wherein the determining module is specifically configured to:
when the judgment result is no, determine that the process is a malicious process.
B20. The device according to any one of B11 to B19, wherein the device further includes:
a cleanup module, configured to clean up the processes included in the process chain corresponding to the process when the determining module determines that the process is a malicious process.
The invention discloses C21, an equipment for document security protection, including:
one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the equipment to perform the method described in one or more of A1-A10.
The invention also discloses D22, one or more machine-readable media having instructions stored thereon which, when executed by one or more processors, cause equipment to perform the method described in one or more of A1-A10.

Claims (10)

1. A document security protection method, including:
when an operation by a process on a document is monitored, judging whether the type of the document is present in the operation document type whitelist corresponding to the process, and obtaining a corresponding judgment result;
determining the safety of the process according to the judgment result.
2. The method according to claim 1, characterized in that the method further includes:
determining, according to document operation data, the historical operation frequency of a process for each document type;
adding document types whose historical operation frequency meets a preset condition to the operation document type whitelist corresponding to the process.
3. The method according to claim 1, characterized in that determining the safety of the process according to the judgment result includes:
when the judgment result is no, determining the safety of the process according to the attribute information of the process.
4. The method according to claim 3, characterized in that, before determining the safety of the process according to the attribute information of the process, the method further includes:
judging whether the document is of a preset type; and if so, performing the step of determining the safety of the process according to the attribute information of the process.
5. The method according to claim 3, characterized in that the attribute information includes a process source, and determining the safety of the process according to the attribute information of the process includes:
judging whether the process source of the process is malicious;
if so, determining that the process is a malicious process;
if not, determining that the process is a safe process.
6. The method according to claim 3, characterized in that the attribute information includes a process signature, and determining the safety of the process according to the attribute information of the process includes:
judging whether the process has a corresponding process signature;
if not, determining that the process is a malicious process;
if so, judging whether the process signature is a trusted signature; if it is a trusted signature, determining that the process is a safe process; if it is an untrusted signature, determining that the process is a malicious process.
7. The method according to claim 3, characterized in that the attribute information includes a process chain, and determining the safety of the process according to the attribute information of the process includes:
determining the parent process of the process from the process chain corresponding to the process;
judging whether the parent process is a malicious process; if so, determining that the process is a malicious process; if not, determining that the process is a safe process.
8. A document security protection device, including:
a first judging module, configured to judge, when an operation by a process on a document is monitored, whether the type of the document is present in the operation document type whitelist corresponding to the process, and to obtain a corresponding judgment result;
a determining module, configured to determine the safety of the process according to the judgment result.
9. An equipment for document security protection, characterized by including:
one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the equipment to perform the method described in one or more of claims 1-7.
10. One or more machine-readable media having instructions stored thereon which, when executed by one or more processors, cause equipment to perform the method described in one or more of claims 1-7.
CN201710418996.1A 2017-06-06 2017-06-06 File safety protection method, device and equipment Pending CN107292173A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710418996.1A CN107292173A (en) 2017-06-06 2017-06-06 File safety protection method, device and equipment

Publications (1)

Publication Number Publication Date
CN107292173A true CN107292173A (en) 2017-10-24

Family

ID=60094381

Country Status (1)

Country Link
CN (1) CN107292173A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171024
