CN107330322A - File safety protection method, device and equipment - Google Patents
- Publication number: CN107330322A (also listed as CN201710419661.1A)
- Authority: CN (China)
- Prior art keywords: file, trap, traversal, malicious, function
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The embodiments of the invention provide a file safety protection method, device and equipment. The method includes: intercepting a process's traversal request for files; carrying information of a trap file in the processing result corresponding to the traversal request; and, if a preset operation by the process on the trap file is detected, determining that the process is a malicious process. The file safety protection method provided by the embodiments can improve the accuracy and objectivity of process security detection results and can increase the coverage of malicious processes. Because only processes that pass security detection are allowed to operate on documents, documents are better protected.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a file safety protection method, device and equipment.
Background
With the continuing development of the information society, malicious processes, that is, malicious programs, keep increasing in number. Some current malicious processes encrypt almost every type of document on the terminal device used by the user (pictures, documents, compressed archives, audio, video) in order to demand a ransom from the user. To prevent malicious processes from attacking terminal devices such as computers, the propagation paths on a terminal device that are easily infected by malicious programs need to be monitored.
The existing scheme monitors for malicious processes on a terminal device as follows: the number of edits to the documents to be detected is accumulated over a predetermined period; if the accumulated count exceeds a preset danger count, a dialog box is displayed asking whether to block further editing of the documents to be detected; if a block instruction is received, a preset process blacklist is used to determine that a malicious process exists on the terminal device. For example, the types of document to be detected include .doc documents, .rar documents, .psd documents and so on; if 5 of the documents to be detected are observed being edited within one minute, and the accumulated edit count exceeds the preset danger count, the process that edited the documents to be detected is determined to be a malicious process.
However, the existing scheme depends on a process blacklist, and because malicious processes keep increasing, the blacklist cannot be guaranteed to cover all malicious processes; as a result, malicious processes cannot be identified comprehensively.
Summary of the invention
In view of the problem that existing schemes for monitoring malicious processes cannot identify malicious processes comprehensively, the present invention is proposed to provide a file safety protection method, device and equipment that overcome the above problem.
According to one aspect of the invention, a file safety protection method is provided, including: intercepting a process's traversal request for files; carrying information of a trap file in the processing result corresponding to the traversal request; and, if a preset operation by the process on the trap file is detected, determining that the process is a malicious process.
According to another aspect of the invention, a file safety protection device is provided, including: a request interception module, for intercepting a process's traversal request for files; a result return module, for carrying information of a trap file in the processing result corresponding to the traversal request; and a process detection module, for determining that the process is a malicious process if a preset operation by the process on the trap file is detected.
According to another aspect of the invention, equipment for file safety protection is provided, including: one or more processors; and one or more machine-readable media storing instructions that, when executed by the one or more processors, cause the equipment to perform one or more of the file safety protection methods shown in the embodiments of the invention.
According to yet another aspect of the invention, one or more machine-readable media are provided, storing instructions that, when executed by one or more processors, cause equipment to perform one or more of the file safety protection methods shown in the embodiments of the invention.
The file safety protection method, device and equipment provided by the embodiments perform process security detection based on a behavioural characteristic of malicious processes, namely "enumerating files through a traversal request for files, and performing batch malicious operations on the files". Malicious processes may exhibit this characteristic whether or not the process blacklist covers them. The embodiments can therefore improve the accuracy and objectivity of process security detection results and can increase the coverage of malicious processes. Because only processes that pass security detection are allowed to operate on documents, documents are better protected.
The above is only an overview of the technical solution of the invention. So that the technical means of the invention can be understood more clearly and implemented according to the specification, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to a person of ordinary skill in the art on reading the detailed description of the optional embodiments below. The drawings serve only to illustrate the optional embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flowchart of the steps of a file safety protection method according to an embodiment of the invention;
Fig. 2 shows a flowchart of the steps of a file safety protection method according to an embodiment of the invention;
Fig. 3 shows a flowchart of the steps of a file safety protection method according to an embodiment of the invention;
Fig. 4 shows a structural diagram of a file safety protection device according to an embodiment of the invention;
Fig. 5 shows a structural diagram of a file safety protection device according to an embodiment of the invention; and
Fig. 6 shows a block diagram of equipment for file safety protection according to an exemplary embodiment.
Detailed description
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the invention is understood more thoroughly and so that the scope of the disclosure is conveyed completely to those skilled in the art.
In practice, when a malicious process encrypts a document, it generally first reads the file content from disk into memory, then rewrites the file content in memory according to its encryption algorithm, and finally writes the modified content back to the file or to a newly created file. Research for the embodiments of the invention found the following behavioural characteristic of such malicious processes: before encrypting files, the first thing done is to enumerate multiple files on the disk, and batch encryption is then performed on the enumerated file list; a malicious process generally enumerates files through a traversal request for files.
One of the inventive concepts of the embodiments is: intercepting a process's traversal request for files; carrying information of a trap file in the processing result corresponding to the traversal request; and, if a preset operation by the process on the trap file is detected, determining that the process is a malicious process. The trap file may be a document file, and the preset operation by the process on the trap file may be an operation that a malicious process performs on files, such as modifying, deleting or moving, that is, an operation that changes the current state of the file. Because the embodiments perform process security detection based on the behavioural characteristic of malicious processes, "enumerating files through a traversal request for files, and performing batch malicious operations on the files", and malicious processes may exhibit this characteristic whether or not the process blacklist covers them, the embodiments can improve the accuracy and objectivity of process security detection results and can increase the coverage of malicious processes.
Embodiment one
Referring to Fig. 1, a flowchart of the steps of a file safety protection method of embodiment one of the invention is shown.
The file safety protection method of this embodiment may specifically include the following steps:
Step 101: Intercept a process's traversal request for files.
The file safety protection method of this embodiment may be performed on the terminal device side. Optionally, the terminal device may be a terminal in a local area network and/or a wide area network; an example of a local area network is an enterprise network.
Multiple files are stored on the disk. In practice, a process may traverse all files stored on the disk, or may traverse some of them by setting search conditions. When traversing files, the process calls a file traversal function (that is, a file traversal interface) to obtain a file list. The embodiment can intercept the process's call request to the file traversal function, thereby intercepting the process's traversal request for files.
Specifically, the file traversal function can be intercepted on the Hook API (Hook Application Programming Interface) principle: a hook function is hooked onto the file traversal function, and when the process calls the file traversal function, the hook function intercepts the call.
Step 102: Carry information of a trap file in the processing result corresponding to the traversal request.
The trap file may be different from the user files and operating system files on the terminal device; a person skilled in the art can place the trap file in advance at a preset path on the disk according to practical needs. Optionally, the trap file may be a hidden file that the user cannot see when operating the terminal device, so that the trap file does not disturb the user. The information of the trap file may be the handle of the trap file.
The trap file may be of a common document type, for example a document with one of the following extensions: .doc, .docx, .docb, .docm, .dot, .dotm, .dotx, .xls, .xlsx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .ppt, .pptx, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .pst, .ost, .msg, .eml, .edb, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .jpeg, .jpg, .bmp, .png, .gif, .raw, .cgm, .GIF, .GIFf, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der. Of course, the embodiments place no restriction on the specific type of the trap file.
After intercepting the process's traversal request for files, the embodiment can determine the processing result corresponding to the traversal request according to practical needs; specifically, information of the trap file can be carried in that processing result. Because the trap file may be different from the user files and operating system files on the terminal device, malicious operations by a malicious process on user files or operating system files can be avoided to a certain extent. In addition, the process's operations on the trap file can be used to judge whether the process is a malicious process.
In this embodiment, the information of the trap file is carried in the processing result after the processing result has been intercepted. Carrying the trap file information may include, but is not limited to: inserting the information of the trap file before the information contained in the processing result, or replacing the information contained in the processing result with the information of the trap file. The information of the trap file may be the handle of the trap file; of course, the embodiments place no restriction on the specific information of the trap file.
Step 103: If a preset operation by the process on the trap file is detected, determine that the process is a malicious process.
The embodiment can judge whether a process is malicious from the process's operations on the trap file. Specifically, if a preset operation by the process on the trap file is detected, the process is determined to be a malicious process. Optionally, the preset operation may include, but is not limited to: a delete operation, a modify operation, a move operation, an encrypt operation and so on. Once the process has been determined to be malicious, its behaviour can be intercepted, so malicious operations by the malicious process on user files or operating system files can be avoided to a certain extent.
Optionally, monitoring for a preset operation by the process on the trap file may include: monitoring whether the process issues, for the trap file, a call request to the file-processing function corresponding to the preset operation (such as a file read function, a file write function or a file delete function). Of course, the embodiments place no restriction on the specific way in which a preset operation by the process on the trap file is monitored.
It should be noted that if no preset operation by the process on the trap file is detected, the behaviour of the process may be allowed. Alternatively, another process detection method may be used to judge whether the process is malicious, and the corresponding detection result used to decide whether to allow the behaviour of the process.
In summary, the file safety protection method provided by this embodiment performs process security detection based on the behavioural characteristic of malicious processes, "enumerating files through a traversal request for files, and performing batch malicious operations on the files". Malicious processes may exhibit this characteristic whether or not the process blacklist covers them; the embodiment can therefore improve the accuracy and objectivity of process security detection results and can increase the coverage of malicious processes. Because only processes that pass security detection are allowed to operate on documents, documents are better protected.
Embodiment two
Referring to Fig. 2, a flowchart of the steps of a file safety protection method of embodiment two of the invention is shown.
The file safety protection method of this embodiment specifically includes the following steps:
Step 201: Create a trap file in a disk directory.
The trap file may be located at any suitable position in the disk directory. Optionally, the trap file may be a hidden file, which the user cannot see when operating the terminal device.
Step 202: Through a hook function hooked onto the file traversal function, intercept the process's call request to the file traversal function.
The file traversal function may include a first-file lookup function, which is used to find the first directory or first file in a specified disk or folder. Optionally, the hook function may hook the first-file lookup function; this embodiment is described using that case as the example. The file traversal function may also include a next-file lookup function, which is used to find the next file located in the same folder as a specified file.
In practice, a process traverses the files stored on the disk by calling the file traversal function and finally obtains the required file directory; the file directory may include the information of multiple files. The information of a file may be the handle of the file.
Step 203: Through the hook function, insert the information of the trap file before the information of the first file returned by the first-file lookup function.
In this embodiment, when the process calls the file traversal function, the first-file lookup function is called and executed first. Because the first-file lookup function is hooked by the hook function, when the first-file lookup function has found the information of the first file and returns it to the process as the processing result, the hook function intercepts that processing result, obtains the information of the trap file, inserts the information of the trap file before the information of the first file returned by the first-file lookup function, and returns. Once it has been determined that the first-file lookup function has successfully returned its processing result, the next-file lookup function is executed to find and return the information of the second file; the next-file lookup function is then executed repeatedly to find the information of the third file, the fourth file and so on, until all files to be found have been traversed. At that point the process has the file list generated by the file traversal.
It should be noted that, in a specific implementation, instead of inserting the trap file before the information of the first file, the information of the first file may be replaced with the information of the trap file.
One optional arrangement of the file traversal function in this embodiment is: the file traversal function includes the functions FindFirstFile(), FindNextFile() and GetLastError(); in this optional implementation the hook function is hooked onto FindFirstFile().
When the process calls the file traversal function, FindFirstFile() is executed first. FindFirstFile() finds the first file or directory in the specified directory and returns the handle of the file found, which is its return value. Because the hook function is hooked onto FindFirstFile(), the hook function intercepts the return value of FindFirstFile() and carries the handle of the trap file in that return value.
If the call succeeds, the handle of the file or directory found is returned, and FindNextFile() is then executed to find the handle of the next file; if it fails, INVALID_HANDLE_VALUE is returned, in which case the GetLastError function needs to be called.
The FindFirstFile function prototype is as follows:
HANDLE FindFirstFile(
    LPCTSTR lpFileName,               // directory name
    LPWIN32_FIND_DATA lpFindFileData  // data buffer
);
The parameter lpFileName is an [input] pointer to a character string that specifies a valid directory. lpFileName is the directory name, and the directory name generally uses wildcards. For example, a specified directory of the form "..\abc\*.*" looks for the first file or directory in the abc directory; the keyword *.doc can be used to search for Word documents specifically.
lpFindFileData is an [output] pointer to a WIN32_FIND_DATA structure, which stores the information of the file or directory found.
Step 204: If a preset operation by the process on the trap file is detected, determine that the process is a malicious process.
Because the user cannot see the trap file when operating the terminal device, if a preset operation is triggered on the trap file, the preset operation can be taken to have been triggered by a malicious process.
Step 205: When the process is a malicious process, intercept the behaviour of the process.
Intercepting the behaviour of the process may specifically include: intercepting, in the operating system kernel, the request to load the file into memory, so that the process's operation on the trap file is effectively intercepted. Because the trap file is the first file the process operates on, and the process's operation on it has been intercepted, the process cannot go on to operate on the subsequent files in the enumerated file list; the process's behaviour toward the batch of traversed files is therefore intercepted.
Step 206: Scan for and kill the process and/or the process chain associated with the process.
After the behaviour of the process has been intercepted, the process and/or the process chain associated with the process is scanned for and killed, so that malicious processes derived from the process and/or the process chain cannot later attack the system again. It should be noted that this step is optional; a person skilled in the art can choose whether to perform it according to actual needs.
In summary, in the file safety protection method provided by this embodiment, the hook function intercepts the information of the first file returned by the first-file lookup function and inserts the information of the trap file before the information of the first file, so that the information of the trap file is first in the file list returned to the process. If the process is a malicious process, it will inevitably operate on the large batch of files it has traversed and must therefore trigger the preset operation on the trap file. This embodiment therefore determines whether a process is malicious by judging whether it triggers the preset operation on the trap file, which can improve the accuracy and objectivity of process security detection results.
In addition, when the process is determined to be malicious, this embodiment scans for and kills the process and/or the process chain associated with the process, so that malicious processes derived from the process and/or the process chain cannot later attack the system again.
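The flow of embodiments one and two, modelled in Python as an added example (it is not code from the patent and hooks no real API). `hooked_traversal` stands in for the hook on the first-file lookup, the file names and process ids are constructed, and all function names are hypothetical.

```python
from dataclasses import dataclass, field

TRAP = "~trap_0001.docx"                               # constructed decoy name
PRESET_OPS = {"delete", "modify", "move", "encrypt"}   # operations named in Step 103


def hooked_traversal(real_entries, mode="insert"):
    """Result the hook hands back to the caller of the first-file lookup.

    insert  -> trap entry placed before the real first entry
    replace -> trap entry returned instead of the real first entry
    """
    if mode == "insert":
        return [TRAP, *real_entries]
    if mode == "replace":
        return [TRAP, *real_entries[1:]]
    raise ValueError(f"unknown mode: {mode!r}")


@dataclass
class TrapMonitor:
    """Watches file operations; a preset operation on the trap marks the process."""
    malicious: set = field(default_factory=set)
    blocked: list = field(default_factory=list)

    def allow(self, pid, op, path):
        if pid not in self.malicious and path == TRAP and op in PRESET_OPS:
            self.malicious.add(pid)                    # Steps 103 / 204
        if pid in self.malicious:
            self.blocked.append((pid, op, path))       # Step 205: intercept behaviour
            return False
        return True


def run_process(pid, listing, plan, monitor, disk):
    """Apply plan(listing) -> [(op, path), ...]; return the paths actually changed."""
    changed = []
    for op, path in plan(listing):
        if not monitor.allow(pid, op, path):
            continue
        if op in PRESET_OPS and path in disk:
            disk[path] = f"<{op} by {pid}>"
            changed.append(path)
    return changed


def batch_rewriter(listing):
    """Behaviour the page describes: enumerate, then operate on every entry in order."""
    return [("modify", path) for path in listing]


def single_file_editor(listing):
    """A process that edits one named document and ignores the rest of the listing."""
    return [("read", "report.doc"), ("modify", "report.doc")]


def simulate(mode="insert"):
    disk = {"budget.xls": "b", "notes.txt": "n", "report.doc": "r"}   # constructed
    monitor = TrapMonitor()
    listing = hooked_traversal(sorted(disk), mode)
    edited = run_process(101, listing, single_file_editor, monitor, disk)
    rewritten = run_process(202, listing, batch_rewriter, monitor, disk)
    return {"listing": listing, "edited": edited, "rewritten": rewritten,
            "malicious": sorted(monitor.malicious),
            "blocked": len(monitor.blocked), "disk": disk}


if __name__ == "__main__":
    for mode in ("insert", "replace"):
        out = simulate(mode)
        print(mode, out["listing"], out["malicious"], out["rewritten"])
```

Because the trap entry is first in the listing, the batch process is marked on its first operation and changes no real file, while the process that edits one named document never touches the trap and is left alone.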
Embodiment three
Referring to Fig. 3, a flowchart of the steps of a file safety protection method of embodiment three of the invention is shown.
The file safety protection method of this embodiment specifically includes the following steps:
Step 301: Create a trap file in a disk directory.
The trap file may be a hidden file.
Step 302: Through a hook function hooked onto the file traversal function, intercept the process's call request to the file traversal function.
The file traversal function may include a first-file lookup function, and the hook function hooks the first-file lookup function.
In this embodiment, the hook function hooks the first-file lookup function of the file traversal function and does not hook the other functions in the file traversal function. The hook function therefore intercepts only the return value of the first-file lookup function and modifies that return value.
Step 303: Through the hook function, insert the information of the trap file before the information of the first file returned by the first-file lookup function.
The information of the first file or of the trap file may be the handle of the file.
The information of the trap file, inserted before the information of the first file, is finally returned to the process, so in the processing result the process obtains for its traversal request, the trap file is the first file in the traversed file list. A malicious process, for example a ransomware virus, first enumerates all files on the disk before performing illegal operations on files and then performs the illegal operations in batch according to the list; so if the process is malicious, it will inevitably operate on the trap file, which is in first position in the file list.
Step 304: If a preset operation by the process on the trap file is detected and the process source of the process is malicious, determine that the process is a malicious process.
In this embodiment, when a preset operation by the process on the trap file is detected, the process is not directly determined to be malicious; instead, a further judgment on the process source is used to determine whether the process is malicious, which can improve the accuracy of process security detection.
The current process may not be a process that ships with the system on the terminal device; it may have been downloaded from a third-party website or application platform, for example the QQ platform, a malicious URL or a phishing website. The process source of the process therefore needs to be determined. If the process source is malicious, the process can be judged to be a malicious process; conversely, if the process source is not malicious, the process can be judged to be a safe process.
Step 304 uses the process source, one item of process attribute information, only as an example of making a further judgment on the security of the process. In a specific implementation, other attribute information of the process, such as the process signature or the process chain, may also be used to make a further judgment on the security of the process.
A kind of optional mode is:
If monitoring process for the preset operation of trap file and the parent process of process being malicious process, it is determined that enter
Journey is malicious process.
Specifically, the parent process of process can be determined by the corresponding chain of processes of process;Whether judge parent process is malice
Process;If, it is determined that the process is malicious process;If not, it is determined that the process is security procedure.
Chain of processes is one and derives from subprocess by parent process, and subprocess derives from the relation chain of subprocess again.Therefore, it is determined that
Parent process be malicious process after, due to subprocess be by parent process derive from, therefore subprocess also be malicious process.
It should be noted that be not limited to during implementing by the parent process of process come it is indirect determine into
The security of journey, can also determine the security of process indirectly, specifically, when it is determined that subprocess is by the subprocess of process
During malicious process, then can determine that the process is malicious process.
Another optional approach is:
If a preset operation by the process on the trap file is monitored and the process signature of the process is untrusted, the process is determined to be a malicious process.
Specifically, when determining whether the process signature of the process is trusted, it can first be judged whether the process has a corresponding process signature; if not, the process is determined to be a malicious process; if so, it is further judged whether the process signature is a trusted signature. If it is a trusted signature, the process is determined to be a safe process; if it is an untrusted signature, the process is determined to be a malicious process.
A malicious process usually has no signature, so it is first judged whether the process has a corresponding process signature; if not, the process is directly determined to be a malicious process. In an optional approach of this embodiment of the present invention, a trusted signature list can be stored in advance; when judging whether a process signature is trusted, the process signature is compared with each signature in the trusted signature list. If an identical signature exists, the process signature is determined to be a trusted signature; otherwise, the process signature is determined to be an untrusted signature.
Step 305: When the process is a malicious process, intercept the behavior of the process, and scan and kill the process and/or the process chain associated with the process.
When scanning and killing the process, the information of the process can be sent to antivirus software, and the antivirus software scans and kills the process according to the received process information.
When scanning and killing the process chain associated with the process, the information of the process chain can be sent to antivirus software, and the antivirus software scans and kills the process chain according to the received process chain information.
In summary, with the file safety protection method provided by this embodiment of the present invention, when a preset operation by a process on the trap file is monitored, the security of the process is further determined in combination with the attribute information of the process. Specifically, whether the process is a malicious process is determined from the process source, the process signature or the process chain, which can improve the accuracy of the security detection result for the process.
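The two optional determinations above and the process-chain information of step 305, modelled as an added example that is not code from the patent. `TrapMonitor`, the sample process table and the rule that the reported chain stops at the first trusted-signed ancestor are assumptions, and the chain check is generalized from the direct parent to any ancestor or descendant.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

MALICIOUS, SAFE = "malicious", "safe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]     # None at the root of the process chain
    image: str
    signer: Optional[str]   # None when the image carries no signature


class TrapMonitor:
    """Classifies a process that performed a preset operation on a trap file."""

    def __init__(self, procs: Iterable[Proc], known_malicious: Set[int],
                 trusted_signers: Set[str]):
        self.procs: Dict[int, Proc] = {p.pid: p for p in procs}
        self.known_malicious = set(known_malicious)
        self.trusted_signers = set(trusted_signers)

    def ancestors(self, pid: int) -> List[Proc]:
        """Parent, grandparent, ... nearest first. Stops at a missing parent
        or a repeated PID, so a stale or reused PID cannot loop forever."""
        out, seen = [], {pid}
        cur = self.procs[pid].ppid
        while cur is not None and cur in self.procs and cur not in seen:
            seen.add(cur)
            out.append(self.procs[cur])
            cur = self.procs[cur].ppid
        return out

    def descendants(self, pid: int) -> List[Proc]:
        """Every process spawned, directly or indirectly, by pid."""
        out, queue, seen = [], [pid], {pid}
        while queue:
            parent = queue.pop(0)
            for p in self.procs.values():
                if p.ppid == parent and p.pid not in seen:
                    seen.add(p.pid)
                    out.append(p)
                    queue.append(p.pid)
        return out

    def verdict_by_chain(self, pid: int) -> str:
        """Malicious if a relative in the process chain is already known malicious."""
        relatives = self.ancestors(pid) + self.descendants(pid)
        if any(p.pid in self.known_malicious for p in relatives):
            return MALICIOUS
        return SAFE

    def verdict_by_signature(self, pid: int) -> str:
        """No signature: malicious. Otherwise compare with the trusted list."""
        signer = self.procs[pid].signer
        if signer is None:
            return MALICIOUS
        return SAFE if signer in self.trusted_signers else MALICIOUS

    def chain_report(self, pid: int) -> List[int]:
        """PIDs to hand to the antivirus software: untrusted ancestors (assumed
        cut-off at the first trusted-signed one), the process, its descendants."""
        up = []
        for p in self.ancestors(pid):
            if p.signer in self.trusted_signers:
                break
            up.append(p.pid)
        down = [p.pid for p in self.descendants(pid)]
        return list(reversed(up)) + [pid] + down

    def on_trap_operation(self, pid: int, mode: str) -> dict:
        """Called when pid performs a preset operation on the trap file."""
        check = {"chain": self.verdict_by_chain,
                 "signature": self.verdict_by_signature}[mode]
        verdict = check(pid)
        malicious = verdict == MALICIOUS
        return {"pid": pid, "verdict": verdict, "block": malicious,
                "report": self.chain_report(pid) if malicious else []}


# Constructed sample data: names, PIDs and signers are invented for the example.
SAMPLE = [
    Proc(4, None, "shell.exe", "Example OS Vendor"),
    Proc(100, 4, "dropper.exe", None),
    Proc(101, 100, "worker.exe", "Unknown Corp"),
    Proc(102, 101, "helper.exe", None),
    Proc(200, 4, "backup.exe", "Example Backup Inc"),
    Proc(300, 4, "tool.exe", "Unknown Corp"),
]
MONITOR = TrapMonitor(SAMPLE, known_malicious={100},
                      trusted_signers={"Example OS Vendor", "Example Backup Inc"})

if __name__ == "__main__":
    for pid, mode in [(101, "chain"), (200, "chain"),
                      (300, "signature"), (102, "signature")]:
        print(MONITOR.on_trap_operation(pid, mode))
```

Because the child-process rule also marks a parent whose child is known malicious, a long-lived shell can be classified as malicious by `verdict_by_chain`; the trusted-signer cut-off in `chain_report` is what keeps it out of the reported chain.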
Embodiment four
Referring to Fig. 4, a schematic structural diagram of a file safety protection device according to Embodiment four of the present invention is shown.
The file safety protection device of this embodiment of the present invention can include: a request interception module 401, configured to intercept a traversal request of a process for files; a result return module 402, configured to carry information of a trap file in the result corresponding to the traversal request; and a process detection module 403, configured to determine that the process is a malicious process if a preset operation of the process on the trap file is monitored.
In summary, the file safety protection device provided by this embodiment of the present invention addresses the fact that a malicious process usually performs malicious operations on files in bulk: it intercepts the traversal request of the process for files and carries information of a trap file in the result corresponding to the traversal request. If the process is a malicious process, it will necessarily trigger the preset operation on the trap file. Therefore, this embodiment of the present invention determines whether the process is a malicious process by judging whether the process triggers the preset operation on the trap file, which can improve the accuracy and objectivity of the security detection result for the process.
Embodiment five
Referring to Fig. 5, a schematic structural diagram of a file safety protection device according to Embodiment five of the present invention is shown.
The file safety protection device of this embodiment of the present invention is a further optimization of the device in Embodiment four. The optimized file safety protection device can include: a request interception module 501, configured to intercept a traversal request of a process for files; a result return module 502, configured to carry information of a trap file in the result corresponding to the traversal request; and a process detection module 503, configured to determine that the process is a malicious process if a preset operation of the process on the trap file is monitored.
Optionally, the request interception module 501 is specifically configured to: intercept, through a hook function hooked to the file traversal function, the call request of the process to the file traversal function.
Optionally, the file traversal function includes a first-file search function, and the hook function hooks the first-file search function.
Optionally, the result return module 502 is specifically configured to: insert, through the hook function, the information of the trap file before the information of the first file returned by the first-file search function.
Optionally, the file safety protection device in this embodiment of the present invention can also include: a creation module 504, configured to create a trap file in a disk directory, wherein the trap file is a hidden file.
Optionally, the process detection module 503 can include: a first determination submodule, configured to determine that the process is a malicious process if a preset operation of the process on the trap file is monitored and the parent process of the process is a malicious process.
Optionally, the process detection module 503 can include: a second determination submodule, configured to determine that the process is a malicious process if a preset operation of the process on the trap file is monitored and the process source of the process is malicious.
Optionally, the process detection module 503 can include: a third determination submodule, configured to determine that the process is a malicious process if a preset operation of the process on the trap file is monitored and the process signature of the process is untrusted.
Optionally, the file safety protection device in this embodiment of the present invention can also include: a behavior interception module 505, configured to intercept the behavior of the process when the process is a malicious process; or a scanning and killing module 506, configured to, when the process is a malicious process, intercept the behavior of the process and scan and kill the process and/or the process chain associated with the process.
The file safety protection device of this embodiment is used to implement the corresponding security detection methods of Embodiment one to Embodiment three above, and has the beneficial effects of the corresponding method embodiments, which are not repeated here.
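A portable model of the mechanism these modules implement, added here as an example and not taken from the patent: the trap entry is placed ahead of the first real entry, so a process that modifies files in traversal order hits the trap before any real file. `GuardedDirectory`, the trap name and the set of preset operations are assumptions; a real implementation would hook the operating system's file traversal function instead of wrapping `os.listdir`.

```python
import os
import tempfile
from typing import List, Set

# Hypothetical trap name; "~" sorts after letters, so without the hook it would
# be listed last. The hidden attribute the page calls for is platform-specific
# and is not set in this portable model.
TRAP_NAME = "~$trap_0001.docx"
PRESET_OPS = {"write", "delete"}   # assumed set of preset operations


class GuardedDirectory:
    """Models the hooked traversal and the trap monitor for one directory."""

    def __init__(self, directory: str):
        self.directory = directory
        self.malicious: Set[int] = set()   # PIDs that performed a preset operation on the trap
        with open(os.path.join(directory, TRAP_NAME), "wb") as fh:
            fh.write(b"constructed decoy content\n")

    def traverse(self, pid: int) -> List[str]:
        """Stand-in for the hooked traversal function: the trap entry is put
        in front of the first entry the real enumerator would return."""
        real = sorted(n for n in os.listdir(self.directory) if n != TRAP_NAME)
        return [TRAP_NAME] + real

    def operate(self, pid: int, op: str, name: str, data: bytes = b"") -> bool:
        """Monitored file operation. Returns False when it is intercepted."""
        if op not in ("read", "write", "delete"):
            raise ValueError("unsupported operation: " + op)
        if pid in self.malicious:
            return False                   # later behavior of a flagged PID is blocked
        if name == TRAP_NAME and op in PRESET_OPS:
            self.malicious.add(pid)        # preset operation on the trap file
            return False
        path = os.path.join(self.directory, name)
        if op == "write":
            with open(path, "wb") as fh:
                fh.write(data)
        elif op == "delete":
            os.remove(path)
        else:
            with open(path, "rb") as fh:
                fh.read()
        return True


def bulk_rewrite(guard: GuardedDirectory, pid: int) -> List[str]:
    """A process that rewrites every entry in traversal order; returns the
    names it actually managed to change."""
    return [n for n in guard.traverse(pid)
            if guard.operate(pid, "write", n, b"overwritten\n")]


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        for name in ("a_report.docx", "b_photo.jpg", "c_notes.txt"):  # constructed files
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"original\n")
        guard = GuardedDirectory(d)
        unhooked_last = sorted(os.listdir(d))[-1] == TRAP_NAME
        first = guard.traverse(pid=1001)[0]
        # PID 1001 only reads the trap: reading is not a preset operation here.
        read_ok = guard.operate(1001, "read", TRAP_NAME)
        # PID 1002 opens one file by name and never touches the trap.
        edit_ok = guard.operate(1002, "write", "c_notes.txt", b"edited\n")
        # PID 4242 works through the traversal result in order.
        changed = bulk_rewrite(guard, pid=4242)
        with open(os.path.join(d, "a_report.docx"), "rb") as fh:
            intact = fh.read() == b"original\n"
        return {"unhooked_last": unhooked_last, "first": first,
                "read_ok": read_ok, "edit_ok": edit_ok, "changed": changed,
                "flagged": sorted(guard.malicious), "intact": intact}


if __name__ == "__main__":
    print(run_demo())
```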
Embodiment six
Referring to Fig. 6, a structural block diagram of equipment for file safety protection according to Embodiment six of the present invention is shown.
The equipment for file safety protection of this embodiment of the present invention can include: one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the equipment to perform one or more of the file safety protection methods described in Embodiment one to Embodiment three.
Fig. 6 is a block diagram of equipment for file safety protection according to an exemplary embodiment. In practical applications, the equipment can be located on the server side or on the terminal device side.
Referring to Fig. 6, the equipment can include one or more of the following components: a processing component 602, a memory 604, a power supply component 606, a multimedia component 608, an audio component 610, an input/output (I/O) interface 612, a sensor component 614, and a communication component 616.
The processing component 602 generally controls the overall operation of the equipment, such as operations associated with display, data communication, camera operation and recording operation. The processing component 602 can include one or more processors 620 to execute instructions so as to complete all or some of the steps of the above method. In addition, the processing component 602 can include one or more modules that facilitate interaction between the processing component 602 and other components. For example, the processing component 602 can include a multimedia module to facilitate interaction between the multimedia component 608 and the processing component 602.
The memory 604 is configured to store various types of data to support operation of the equipment. Examples of such data include instructions for any application program or method operated on the equipment, contact data, phone book data, messages, pictures, videos and so on. The memory 604 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc.
The power supply component 606 provides power to the various components of the terminal device. The power supply component 606 can include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the terminal device 600.
The multimedia component 608 includes a screen that provides an output interface between the terminal device and the user. In some embodiments, the screen can include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen can be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes and gestures on the touch panel. The touch sensors can sense not only the boundary of a touch or swipe action, but also the duration and pressure associated with the touch or swipe operation. In some embodiments, the multimedia component 608 includes a front camera and/or a rear camera. When the terminal device is in an operating mode, such as a shooting mode or a video mode, the front camera and/or the rear camera can receive external multimedia data. Each front camera and rear camera can be a fixed optical lens system or have focal length and optical zoom capability.
The audio component 610 is configured to output and/or input audio signals. For example, the audio component 610 includes a microphone (MIC); when the terminal device is in an operating mode, such as a call mode, a recording mode or a speech recognition mode, the microphone is configured to receive external audio signals. The received audio signals can be further stored in the memory 604 or sent via the communication component 616. In some embodiments, the audio component 810 also includes a loudspeaker for outputting audio signals.
The I/O interface 612 provides an interface between the processing component 602 and peripheral interface modules. The peripheral interface modules can be a keyboard, a click wheel, buttons and the like. These buttons can include, but are not limited to: a home button, a volume button, a start button and a lock button.
The sensor component 614 includes one or more sensors for providing status assessments of various aspects of the terminal device 600. For example, the sensor component 614 can detect the open/closed state of the equipment 600 and the relative positioning of components, for example the display and keypad of the equipment; the sensor component 614 can also detect a change in position of the equipment or of a component of the equipment, the presence or absence of user contact with the equipment, the orientation or acceleration/deceleration of the terminal device, and a change in temperature of the terminal device. The sensor component 614 can include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor component 614 can also include an optical sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor component 614 can also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor or a temperature sensor.
The communication component 616 is configured to facilitate wired or wireless communication between the equipment and other equipment. The equipment can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In one exemplary embodiment, the communication component 616 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component 616 also includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module can be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
In an exemplary embodiment, the terminal device can be implemented by one or more application-specific integrated circuits (ASIC), digital signal processors (DSP), digital signal processing devices (DSPD), programmable logic devices (PLD), field programmable gate arrays (FPGA), controllers, microcontrollers, microprocessors or other electronic components, for performing the above method.
In an exemplary embodiment, a machine-readable storage medium including instructions is also provided, for example the memory 604 including instructions; the instructions can be executed by the one or more processors 620 of the equipment to complete the above method. For example, the machine-readable storage medium can be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device and the like.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments can be referred to one another. Because the system embodiments are substantially similar to the method embodiments, they are described relatively briefly; for related details, see the corresponding description of the method embodiments.
The file safety protection method, device and equipment provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to construct a system embodying the solution of the present invention is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the description given above for a specific language is intended to disclose the best mode of the present invention.
Numerous specific details are set forth in the specification provided here. It should be understood, however, that embodiments of the present invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, features of the present invention are sometimes grouped together into a single embodiment, figure, or description thereof in the above description of exemplary embodiments of the present invention. This method of disclosure, however, should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. Modules, units or components of the embodiments can be combined into a single module, unit or component, and can furthermore be divided into multiple submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the claims, any one of the claimed embodiments can be used in any combination.
The embodiments of the various components of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the file safety protection method, device and equipment according to embodiments of the present invention. The present invention can also be implemented as an equipment or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such a signal can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words can be interpreted as names.
The invention discloses A1, a file safety protection method, including:
intercepting a traversal request of a process for files;
carrying information of a trap file in the result corresponding to the traversal request;
if a preset operation of the process on the trap file is monitored, determining that the process is a malicious process.
A2. The method according to A1, wherein intercepting the traversal request of the process for files includes:
intercepting, through a hook function hooked to the file traversal function, the call request of the process to the file traversal function.
A3. The method according to A2, characterized in that the file traversal function includes a first-file search function, and the hook function hooks the first-file search function.
A4. The method according to A3, wherein carrying the information of the trap file in the result corresponding to the traversal request includes:
inserting, through the hook function, the information of the trap file before the information of the first file returned by the first-file search function.
A5. The method according to any one of A2 to A4, wherein the method also includes:
creating a trap file in a disk directory, wherein the trap file is a hidden file.
A6. The method according to A1, wherein determining that the process is a malicious process if a preset operation of the process on the trap file is monitored includes:
if a preset operation of the process on the trap file is monitored and the parent process of the process is a malicious process, determining that the process is a malicious process.
A7. The method according to A1, wherein determining that the process is a malicious process if a preset operation of the process on the trap file is monitored includes:
if a preset operation of the process on the trap file is monitored and the process source of the process is malicious, determining that the process is a malicious process.
A8. The method according to A1, wherein determining that the process is a malicious process if a preset operation of the process on the trap file is monitored includes:
if a preset operation of the process on the trap file is monitored and the process signature of the process is untrusted, determining that the process is a malicious process.
A9. The method according to A1 or A2 or A3 or A4 or A6 or A7 or A8, wherein the method also includes:
when the process is a malicious process, intercepting the behavior of the process; or
when the process is a malicious process, intercepting the behavior of the process, and scanning and killing the process and/or the process chain associated with the process.
The invention discloses B10, a file safety protection device, including:
a request interception module, configured to intercept a traversal request of a process for files;
a result return module, configured to carry information of a trap file in the result corresponding to the traversal request;
a process detection module, configured to determine that the process is a malicious process if a preset operation of the process on the trap file is monitored.
B11. The device according to B10, wherein the request interception module is specifically configured to:
intercept, through a hook function hooked to the file traversal function, the call request of the process to the file traversal function.
B12. The device according to B11, wherein the file traversal function includes a first-file search function, and the hook function hooks the first-file search function.
B13. The device according to B12, wherein the result return module is specifically configured to:
insert, through the hook function, the information of the trap file before the information of the first file returned by the first-file search function.
B14. The device according to any one of B11 to B13, wherein the device also includes:
a creation module, configured to create a trap file in a disk directory, wherein the trap file is a hidden file.
B15. The device according to B10, wherein the process detection module includes:
a first determination submodule, configured to determine that the process is a malicious process if a preset operation of the process on the trap file is monitored and the parent process of the process is a malicious process.
B16. The device according to B10, wherein the process detection module includes:
a second determination submodule, configured to determine that the process is a malicious process if a preset operation of the process on the trap file is monitored and the process source of the process is malicious.
B17. The device according to B10, wherein the process detection module includes:
a third determination submodule, configured to determine that the process is a malicious process if a preset operation of the process on the trap file is monitored and the process signature of the process is untrusted.
B18. The device according to B10 or B11 or B12 or B13 or B15 or B16 or B17, wherein the device also includes:
a behavior interception module, configured to intercept the behavior of the process when the process is a malicious process; or
a scanning and killing module, configured to, when the process is a malicious process, intercept the behavior of the process and scan and kill the process and/or the process chain associated with the process.
The invention discloses C19, equipment for file safety protection, including:
one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the equipment to perform the method according to one or more of A1 to A9.
The invention also discloses D20, one or more machine-readable media having instructions stored thereon which, when executed by one or more processors, cause equipment to perform the method according to one or more of A1 to A9.
Claims (10)
1. A file safety protection method, including:
intercepting a traversal request of a process for files;
carrying information of a trap file in the result corresponding to the traversal request;
if a preset operation of the process on the trap file is monitored, determining that the process is a malicious process.
2. The method according to claim 1, characterized in that intercepting the traversal request of the process for files includes:
intercepting, through a hook function hooked to the file traversal function, the call request of the process to the file traversal function.
3. The method according to claim 2, characterized in that the file traversal function includes a first-file search function, and the hook function hooks the first-file search function.
4. The method according to claim 3, characterized in that carrying the information of the trap file in the result corresponding to the traversal request includes:
inserting, through the hook function, the information of the trap file before the information of the first file returned by the first-file search function.
5. The method according to any one of claims 2 to 4, characterized in that the method also includes:
creating a trap file in a disk directory, wherein the trap file is a hidden file.
6. The method according to claim 1, characterized in that determining that the process is a malicious process if a preset operation of the process on the trap file is monitored includes:
if a preset operation of the process on the trap file is monitored and the parent process of the process is a malicious process, determining that the process is a malicious process.
7. The method according to claim 1, characterized in that determining that the process is a malicious process if a preset operation of the process on the trap file is monitored includes:
if a preset operation of the process on the trap file is monitored and the process source of the process is malicious, determining that the process is a malicious process.
8. A file safety protection device, including:
a request interception module, configured to intercept a traversal request of a process for files;
a result return module, configured to carry information of a trap file in the result corresponding to the traversal request;
a process detection module, configured to determine that the process is a malicious process if a preset operation of the process on the trap file is monitored.
9. Equipment for file safety protection, characterized by including:
one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the equipment to perform the method according to one or more of claims 1 to 7.
10. One or more machine-readable media having instructions stored thereon which, when executed by one or more processors, cause equipment to perform the method according to one or more of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710419661.1A CN107330322A (en) | 2017-06-06 | 2017-06-06 | File safety protection method, device and equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710419661.1A CN107330322A (en) | 2017-06-06 | 2017-06-06 | File safety protection method, device and equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107330322A true CN107330322A (en) | 2017-11-07 |
Family
ID=60194293
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710419661.1A Pending CN107330322A (en) | 2017-06-06 | 2017-06-06 | File safety protection method, device and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107330322A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106096397A (en) * | 2016-05-26 | 2016-11-09 | 倪茂志 | A kind of prevention method extorting software and system |
WO2017053745A1 (en) * | 2015-09-23 | 2017-03-30 | University Of Florida Research Foundation, Incorporated | Malware detection via data transformation monitoring |
CN106611123A (en) * | 2016-12-02 | 2017-05-03 | 哈尔滨安天科技股份有限公司 | Method and system for detecting 'Harm. Extortioner. a' virus |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110647744A (en) * | 2018-06-27 | 2020-01-03 | 国际商业机器公司 | Identifying and extracting key hazard forensic indicators using object-specific file system views |
US11775638B2 (en) | 2018-06-27 | 2023-10-03 | International Business Machines Corporation | Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views |
CN110717180A (en) * | 2018-07-13 | 2020-01-21 | 北京安天网络安全技术有限公司 | Malicious document detection method and system based on self-positioning behaviors and storage medium |
CN112527302A (en) * | 2019-09-19 | 2021-03-19 | 北京字节跳动网络技术有限公司 | Error detection method and device, terminal and storage medium |
CN112527302B (en) * | 2019-09-19 | 2024-03-01 | 北京字节跳动网络技术有限公司 | Error detection method and device, terminal and storage medium |
WO2022032950A1 (en) * | 2020-08-10 | 2022-02-17 | 华为技术有限公司 | Defense method, defense apparatus and defense system for malicious software |
CN114077735A (en) * | 2020-08-10 | 2022-02-22 | 华为技术有限公司 | Malicious software defense method, device and system |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US12052272B2 (en) | Forensic analysis of computing activity | |
US11741222B2 (en) | Sandbox environment for document preview and analysis | |
US11494490B2 (en) | Endpoint detection and response utilizing machine learning | |
US11637851B2 (en) | Cyber security posture validation platform | |
US20230032874A1 (en) | Realtime event detection | |
CN107330322A (en) | File safety protection method, device and equipment | |
US20200242239A1 (en) | Mitigation of return-oriented programming attacks | |
KR101373986B1 (en) | Method and apparatus to vet an executable program using a model | |
US10476894B2 (en) | Evaluating installers and installer payloads | |
WO2018130904A1 (en) | Early runtime detection and prevention of ransomware | |
CN105793862A (en) | Directed execution of dynamic programs in isolated environments | |
CN108932428B (en) | Lesog software processing method, device, equipment and readable storage medium | |
US20230118204A1 (en) | Tracking malicious software movement with an event graph | |
CN105095758B (en) | Screen locking applied program processing method, device and mobile terminal | |
EP3497917A1 (en) | Detection of bulk operations associated with remotely stored content | |
Wu et al. | Overprivileged permission detection for android applications | |
CN106203125A (en) | Operating system and safety detection method, safety detection device and terminal | |
CN109376529A (en) | Application program operation method and device | |
CN107292173A (en) | File safety protection method, device and equipment | |
CN107169359A (en) | Utilize the document means of defence and device, electronic equipment for triggering file realization | |
Mahan | Exploring ransomware on the oculus quest 2 | |
Ahmad et al. | A Review on Methods for Managing the Risk of Android Ransomware | |
KR20190109619A (en) | Permission management process and permission management apparatus | |
van Rijn | An In-depth Analysis of the AZORult Infostealer Malware Capabilities | |
Faruki | Techniques For Analysis And Detection Of Android Malware... |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20171107 |