CN109558730B - Safety protection method and device for browser - Google Patents


Publication number
CN109558730B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811645503.9A
Other languages
Chinese (zh)
Other versions
CN109558730A (en)
Inventor
谢文聪
刘明
陈俊儒
徐天琦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
360 Enterprise Security Technology Zhuhai Co ltd
Beijing Qianxin Technology Co Ltd
Application filed by 360 Enterprise Security Technology Zhuhai Co ltd, Beijing Qianxin Technology Co Ltd
Priority to CN201811645503.9A
Publication of CN109558730A
Application granted
Publication of CN109558730B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow

Abstract

The invention discloses a safety protection method and device for a browser, relates to the technical field of browser security, and aims to solve the problem that the prior art cannot protect the browser effectively. The method mainly comprises the following steps: monitoring whether a browser sends a system behavior, wherein the system behavior comprises loading a DLL, reading and writing a disk, opening a process or accessing a network; if the browser sends the system behavior, looking up the behavior type to which the system behavior belongs, wherein the behavior type comprises a program calling type and a file processing type; acquiring a protection dependent factor corresponding to the system behavior according to the behavior type, wherein the protection dependent factor is the system behavior itself or a stack call sequence of the system behavior; judging whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type; and if the judgment result is negative, intercepting the system behavior. The method is mainly applied to browser security protection.

Description

Safety protection method and device for browser
Technical Field
The present invention relates to the field of browser security technologies, and in particular, to a browser security protection method and apparatus.
Background
The browser is used for retrieving and displaying world wide web information resources, is a common tool for business processing such as web browsing and searching, and is one of the most widely used software. The browser is installed on the operating system, and an attacker may attack the operating system by using a vulnerability of the browser, execute a malicious instruction on the operating system, steal sensitive data files, and even control the operating system.
In the prior art, to address browser crashes and even leakage of the user's personal information caused by extension components, operation permissions are set in the browser for various operations; the permission corresponding to each operation request from an extension component is then examined, and if the operation is a restricted-permission operation, the extension component is prevented from running. This scheme protects only the browser itself. It cannot protect against an attack that uses the browser to reach the operating system on which the browser runs, and once the operating system is attacked, a browser-only protection strategy exists in name only as far as the attacker is concerned.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for browser security protection, and mainly aims to solve the problem in the prior art that effective protection of a browser cannot be achieved.
According to an aspect of the present invention, there is provided a browser security protection method, including:
monitoring whether a browser sends a system behavior, wherein the system behavior comprises loading a DLL, reading and writing a disk, opening a process or accessing a network;
if the browser sends the system behavior, searching a behavior type to which the system behavior belongs, wherein the behavior type comprises a program calling type and a file processing type;
acquiring a protection dependent factor corresponding to the system behavior according to the behavior type, wherein the protection dependent factor refers to the system behavior or a stack calling sequence of the system behavior;
judging whether the protection dependent factors exist in a browser behavior permission set corresponding to the behavior type or not;
and if the judgment result is negative, intercepting the system behavior.
Further, the finding the behavior type to which the system behavior belongs includes:
detecting an operation object of the system behavior;
if the operation object is the link information, determining that the behavior type to which the system behavior belongs is the program calling type;
and if the operation object is file information, determining that the behavior type to which the system behavior belongs is the file processing type.
Further, the obtaining of the protection dependent factor corresponding to the system behavior according to the behavior type includes:
if the behavior type is the program calling type, determining that the protection dependent factor corresponding to the system behavior is the system behavior;
if the behavior type is the file processing type, determining that the protection dependence factor corresponding to the system behavior is a stack call sequence of the system behavior;
and selecting the system behavior or a stack calling sequence of the system behavior according to the determination result.
Further, before the determining whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type, the method further includes:
and establishing a browser behavior permission set corresponding to the behavior type, wherein the browser behavior permission set comprises a calling behavior permission set corresponding to the program calling type and a processing behavior permission set corresponding to the file processing type, the calling behavior permission set refers to system behaviors generated in the process that the browser calls a self program, a third-party program and a system program, and the processing behavior permission set comprises stack calling sequences corresponding to the system behaviors of the file processing type.
Further, after determining whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type, the method further includes:
and if the behavior type is the file processing type, setting a behavior identifier of the system behavior according to the judgment result.
Further, the setting a behavior identifier of the system behavior according to the determination result includes:
if the judgment result is that the protection dependence factor exists in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as an active system behavior;
and if the judgment result is that the protection dependence factor does not exist in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as a passive system behavior.
Further, the method further comprises:
intercepting the system behavior if the behavior identification of the system behavior is a passive system behavior.
According to another aspect of the present invention, there is provided a browser security device, including:
the receiving module is used for monitoring whether the browser sends a system behavior, wherein the system behavior comprises DLL loading, disk reading and writing, process opening or network access;
the search module is used for searching the behavior type to which the system behavior belongs if the browser sends the system behavior, wherein the behavior type comprises a program calling type and a file processing type;
an obtaining module, configured to obtain a protection dependent factor corresponding to the system behavior according to the behavior type, where the protection dependent factor is the system behavior or a stack call sequence of the system behavior;
the judging module is used for judging whether the protection dependence factors exist in the browser behavior permission set corresponding to the behavior type;
and the intercepting module is used for intercepting the system behavior if the judgment result is negative.
According to another aspect of the present invention, a storage medium is provided, where at least one executable instruction is stored, and the executable instruction causes a processor to perform an operation corresponding to the security protection method for a browser.
According to still another aspect of the present invention, there is provided a computer apparatus including: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the safety protection method of the browser.
By the technical scheme, the technical scheme provided by the embodiment of the invention at least has the following advantages:
The invention provides a browser security protection method and device, which first monitor whether the browser sends a system behavior, wherein the system behavior comprises loading a DLL, reading and writing a disk, opening a process or accessing a network; if the browser sends the system behavior, look up the behavior type to which the system behavior belongs; acquire the protection dependent factor corresponding to the system behavior according to the behavior type; finally judge whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type; and intercept the system behavior if the judgment result is negative. Compared with the prior art, the embodiment of the invention uses different judgment bases for system behaviors of different behavior types, which refines the judgment basis, allows browser behaviors to be identified accurately, improves the interception accuracy, further improves the quality of browser security protection, and protects against malicious attacks on the operating system that exploit browser vulnerabilities.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flowchart illustrating a method for securing a browser according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating another browser security protection method according to an embodiment of the present invention;
FIG. 3 is a block diagram illustrating a browser safeguard apparatus according to an embodiment of the present invention;
FIG. 4 is a block diagram illustrating an alternative browser safeguard apparatus according to an embodiment of the present invention;
FIG. 5 shows a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides a security protection method for a browser, as shown in fig. 1, the method includes:
101. Monitor whether the browser sends a system behavior.
System behaviors include loading a DLL, reading and writing the disk, opening a process, accessing the network, and the like. A browser retrieves and displays World Wide Web information resources, so while using the browser on a terminal the user enters or pastes search content, decides whether to start a search, and opens particular web pages; the system behaviors the browser sends to meet these needs include reading and writing the disk, opening a process, loading a DLL, or accessing the network. The browser receives and responds to the system behaviors input by the user, and retrieves and displays the information resources the user requires. To prevent the operating system or system files from being damaged through a browser vulnerability, these system behaviors are monitored and each one is judged to decide whether it needs to be intercepted.
102. If the browser sends a system behavior, look up the behavior type to which the system behavior belongs.
System behaviors include loading a DLL, reading and writing the disk, opening a process, accessing the network, and the like, and the objects they act on include files and links. System behaviors are divided according to the object acted on, and the behavior types comprise a program calling type and a file processing type. Finding the behavior type of a system behavior therefore means determining the object it acts on.
103. Obtain the protection dependent factor corresponding to the system behavior according to the behavior type.
A protection dependent factor is either the system behavior itself or the stack call sequence of the system behavior. It is the basis for judging whether the system behavior may be executed. A system behavior achieves a specific purpose and may take the form of an instruction, a shortcut key, a mouse operation and the like; because a corresponding instruction is actually generated before execution, the system behavior can be acquired as a protection dependent factor. The stack call sequence is the order of all stacks that need to be called during execution. It depends on where the browser is installed on the terminal, the operating system the terminal uses, and the version of that operating system. For the program calling type, where the object acted on is a link, the protection dependent factor of the system behavior is the system behavior itself. For the file processing type, where the object acted on is a file, the protection dependent factor of the system behavior is its stack call sequence.
104. Judge whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type.
Different behavior types have different behavior characteristics, so behavior types and browser behavior permission sets correspond one to one. The protection dependent factor is looked up in the browser behavior permission set corresponding to the behavior type of the system behavior, which is where the permitted factors are stored. As an example of such characteristics, if the system behavior is a download behavior, the corresponding behavior permission set needs to include connecting to the Internet and must not include other permissions such as accessing the intranet or writing to the operating system.
The browser behavior permission set is stored locally and the judgment is made locally, which bounds the time spent acquiring data and keeps the duration of the judgment within a controllable range. While the browser is being protected, the browser behavior permission set is updated as the software environment changes; it can be updated together with the browser or independently of it. For updates, browser behavior permission sets of various versions are stored in the cloud, and a central controller decides which stored version is pushed to the browser. Different versions of the browser behavior permission set are adapted to different browser versions or to browsers installed in different software environments.
In this step the judgment result may be obtained with a single judgment, in which case all protection dependent factors corresponding to the behavior type are stored in the browser behavior permission set as the basis for judgment. The result may also be obtained with two judgments: first judge whether the protection dependent factor corresponding to the system behavior is stored in the minimum behavior permission set; if it is not, judge again whether the system behavior is stored in the browser behavior permission set. In that case the basis for judgment is the protection dependent factors stored in the browser behavior permission set that correspond only to the behavior type and belong to sensitive behaviors of the browser. The judgment result is the same whether one or two judgments are made; the difference is that the first of the two judgments does not distinguish the type of the system behavior and uses the minimum behavior permission set as its basis. The minimum behavior permission set stores all protection dependent factors that avoid uncontrollable danger to the greatest extent, affect the normal operation of the system and the browser to the least extent, and do not interfere with the user's normal operation and use of the system and the browser.
105. If the judgment result is negative, intercept the system behavior.
Intercepting a system behavior means stopping the response to it. After a successful interception, the user can be prompted with the reason for the interception.
The invention provides a browser security protection method which first receives a system behavior input by a user, then looks up the behavior type to which the system behavior belongs, then acquires the protection dependent factor corresponding to the system behavior according to the behavior type, finally judges whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type, and intercepts the system behavior if it does not. Compared with the prior art, the embodiment of the invention uses different judgment bases for system behaviors of different behavior types, which refines the judgment basis, allows browser behaviors to be identified accurately, improves the interception accuracy, further improves the quality of browser security protection, and protects against malicious attacks on the operating system that exploit browser vulnerabilities.
An embodiment of the present invention provides another browser security protection method, as shown in fig. 2, the method includes:
201. Monitor whether the browser sends a system behavior.
202. If the browser sends a system behavior, look up the behavior type to which the system behavior belongs.
The behavior types include a program calling type and a file processing type. The lookup proceeds as follows: detect the operation object of the system behavior; if the operation object is link information, determine that the behavior type to which the system behavior belongs is the program calling type; if the operation object is file information, determine that the behavior type to which the system behavior belongs is the file processing type. Whether the system behavior is loading a DLL, reading and writing the disk, opening a process or accessing the network, it has an operation object, and the behavior type can be found from that operation object.
203. Obtain the protection dependent factor corresponding to the system behavior according to the behavior type.
A protection dependent factor is either the system behavior itself or the stack call sequence of the system behavior. Obtaining the protection dependent factor specifically includes: if the behavior type is the program calling type, determining that the protection dependent factor corresponding to the system behavior is the system behavior itself; if the behavior type is the file processing type, determining that the protection dependent factor corresponding to the system behavior is the stack call sequence of the system behavior; and selecting the system behavior itself or the stack call sequence of the system behavior according to the determination result.
204. Establish the browser behavior permission set corresponding to the behavior type.
The browser behavior permission set comprises a calling behavior permission set corresponding to the program calling type and a processing behavior permission set corresponding to the file processing type. The calling behavior permission set consists of all system behaviors generated while the browser calls its own programs, third-party programs and system programs, and the processing behavior permission set comprises the stack call sequences corresponding to all system behaviors of the file processing type.
205. Judge whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type.
206. If the judgment result is negative, intercept the system behavior.
207. If the behavior type is the file processing type, set the behavior identifier of the system behavior according to the judgment result.
Specifically, if the judgment result is that the protection dependence factor exists in the browser behavior permission set corresponding to the behavior type, the behavior identifier of the system behavior is set as the active system behavior; and if the judgment result is that the protection dependence factor does not exist in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as a passive system behavior.
Further, the embodiment of the present invention further includes: intercepting the system behavior if the behavior identification of the system behavior is a passive system behavior.
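The decision flow of steps 201 to 207, as an added Python example that is not part of the patent text. The event fields, frame strings, targets and permission-set contents are constructed for illustration, and failing closed on an unclassifiable operation object is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class BehaviorType(Enum):
    PROGRAM_CALL = "program calling type"      # operation object is link information
    FILE_PROCESSING = "file processing type"   # operation object is file information


class Label(Enum):
    ACTIVE = "active system behavior"
    PASSIVE = "passive system behavior"


@dataclass(frozen=True)
class SystemBehavior:
    action: str                       # e.g. "load_dll", "write_disk", "open_process"
    object_kind: str                  # "link" or "file" (hypothetical encoding)
    target: str                       # the link or file operated on
    call_stack: Tuple[str, ...] = ()  # frames, outermost first, as "module!function"


@dataclass(frozen=True)
class PermissionSets:
    call_behaviors: FrozenSet[Tuple[str, str]]   # permitted (action, target) pairs
    stack_sequences: FrozenSet[Tuple[str, ...]]  # permitted stack call sequences


@dataclass(frozen=True)
class Decision:
    behavior_type: Optional[BehaviorType]
    intercepted: bool
    label: Optional[Label]            # only set for the file processing type


def classify(behavior: SystemBehavior) -> Optional[BehaviorType]:
    """Step 202: derive the behavior type from the operation object."""
    if behavior.object_kind == "link":
        return BehaviorType.PROGRAM_CALL
    if behavior.object_kind == "file":
        return BehaviorType.FILE_PROCESSING
    return None


def protection_factor(behavior: SystemBehavior, btype: BehaviorType):
    """Step 203: the behavior itself, or its stack call sequence."""
    if btype is BehaviorType.PROGRAM_CALL:
        return (behavior.action, behavior.target)
    return behavior.call_stack


def evaluate(behavior: SystemBehavior, sets: PermissionSets) -> Decision:
    """Steps 205-207: membership test, labelling and interception."""
    btype = classify(behavior)
    if btype is None:
        # Assumption (not in the patent): an unclassifiable behavior fails closed.
        return Decision(None, True, None)
    factor = protection_factor(behavior, btype)
    if btype is BehaviorType.PROGRAM_CALL:
        return Decision(btype, factor not in sets.call_behaviors, None)
    label = Label.ACTIVE if factor in sets.stack_sequences else Label.PASSIVE
    return Decision(btype, label is Label.PASSIVE, label)


# Step 204: constructed permission sets for one browser build (all names made up).
SETS = PermissionSets(
    call_behaviors=frozenset({("open_process", "browser_updater.exe")}),
    stack_sequences=frozenset({
        ("browser.exe!DownloadManager::Save", "browser.exe!FileWriter::Flush"),
    }),
)

# Constructed sample events.
USER_DOWNLOAD = SystemBehavior(
    "write_disk", "file", r"C:\Downloads\report.pdf",
    ("browser.exe!DownloadManager::Save", "browser.exe!FileWriter::Flush"))
# The same write, reached through a call path the permission set does not contain.
UNEXPECTED_WRITE = SystemBehavior(
    "write_disk", "file", r"C:\Downloads\report.pdf",
    ("browser.exe!Renderer::RunScript", "browser.exe!FileWriter::Flush"))
UPDATER_START = SystemBehavior("open_process", "link", "browser_updater.exe")
SHELL_START = SystemBehavior("open_process", "link", "cmd.exe")

if __name__ == "__main__":
    for event in (USER_DOWNLOAD, UNEXPECTED_WRITE, UPDATER_START, SHELL_START):
        d = evaluate(event, SETS)
        verdict = "intercept" if d.intercepted else "allow"
        print(f"{event.action:13} {event.target:26} {verdict:9} "
              f"{d.label.value if d.label else '-'}")
```

The two disk writes target the same file and differ only in their stack call sequence, which is why the file processing type is judged on the sequence rather than on the behavior alone.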
The invention provides a browser security protection method which first receives a system behavior input by a user, then looks up the behavior type to which the system behavior belongs, then acquires the protection dependent factor corresponding to the system behavior according to the behavior type, finally judges whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type, and intercepts the system behavior if it does not. Compared with the prior art, the embodiment of the invention uses different judgment bases for system behaviors of different behavior types, which refines the judgment basis, allows browser behaviors to be identified accurately, improves the interception accuracy, further improves the quality of browser security protection, and protects against malicious attacks on the operating system that exploit browser vulnerabilities.
Further, as an implementation of the method shown in fig. 1, an embodiment of the present invention provides a security device for a browser, as shown in fig. 3, where the security device includes:
the monitoring module 31 is configured to monitor whether the browser sends a system behavior, where the system behavior includes loading a DLL, reading and writing a disk, opening a process, or accessing a network;
the searching module 32 is configured to search a behavior type to which the system behavior belongs if the browser sends the system behavior, where the behavior type includes a program call type and a file processing type;
an obtaining module 33, configured to obtain a protection dependent factor corresponding to the system behavior according to the behavior type, where the protection dependent factor is the system behavior or a stack call sequence of the system behavior;
a judging module 34, configured to judge whether the protection dependency factor exists in a browser behavior permission set corresponding to the behavior type;
and the intercepting module 35 is configured to intercept the system behavior if the determination result is negative.
The invention provides a browser security protection device which first receives a system behavior input by a user, then looks up the behavior type to which the system behavior belongs, then acquires the protection dependent factor corresponding to the system behavior according to the behavior type, finally judges whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type, and intercepts the system behavior if it does not. Compared with the prior art, the embodiment of the invention uses different judgment bases for system behaviors of different behavior types, which refines the judgment basis, allows browser behaviors to be identified accurately, improves the interception accuracy, further improves the quality of browser security protection, and protects against malicious attacks on the operating system that exploit browser vulnerabilities.
Further, as an implementation of the method shown in fig. 2, an embodiment of the present invention provides another browser security protection apparatus, as shown in fig. 4, where the apparatus includes:
a monitoring module 41, configured to monitor whether a browser sends a system behavior, where the system behavior includes loading a DLL, reading and writing a disk, opening a process, or accessing a network;
the searching module 42 is configured to search a behavior type to which the system behavior belongs if the browser sends the system behavior, where the behavior type includes a program call type and a file processing type;
an obtaining module 43, configured to obtain a protection dependent factor corresponding to the system behavior according to the behavior type, where the protection dependent factor refers to the system behavior or a stack call sequence of the system behavior;
a judging module 44, configured to judge whether the protection dependency factor exists in a browser behavior permission set corresponding to the behavior type;
and the intercepting module 45 is used for intercepting the system behavior if the judgment result is negative.
Further, the searching module 42 includes:
a detection unit 421, configured to detect an operation object of the system behavior;
a determining unit 422, configured to determine, if the operation object is link information, that a behavior type to which the system behavior belongs is the program call type;
the determining unit 422 is further configured to determine, if the operation object is file information, that the behavior type to which the system behavior belongs is the file processing type.
Further, the obtaining module 43 includes:
a determining unit 431, configured to determine, if the behavior type is the program call type, that the protection dependent factor corresponding to the system behavior is the system behavior itself;
the determining unit 431 is further configured to determine that the protection dependent factor corresponding to the system behavior is a stack call sequence of the system behavior if the behavior type is the file processing type;
a selecting unit 432, configured to select the system behavior itself or a stack call sequence of the system behavior according to the determination result.
Further, the apparatus further comprises:
an establishing module 46, configured to establish a browser behavior permission set corresponding to the behavior type before determining whether the protection dependency factor exists in the browser behavior permission set corresponding to the behavior type, where the browser behavior permission set includes a call behavior permission set corresponding to the program call type and a processing behavior permission set corresponding to the file processing type, the call behavior permission set is a system behavior generated in a process where the browser calls a self program, a third-party program, and a system program, and the processing behavior permission set includes a stack call sequence corresponding to the system behavior of the file processing type.
Further, the apparatus further comprises:
a setting module 47, configured to set a behavior identifier of the system behavior according to the determination result if the behavior type is the file processing type after determining whether the protection dependency factor exists in the browser behavior permission set corresponding to the behavior type.
Further, the setting module 47 is configured to:
if the judgment result is that the protection dependence factor exists in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as an active system behavior;
and if the judgment result is that the protection dependence factor does not exist in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as a passive system behavior.
Further, the apparatus further comprises:
the intercepting module 45 is further configured to intercept the system behavior if the behavior identifier of the system behavior is a passive system behavior.
The invention provides a browser security protection device that monitors whether the browser sends a system behavior; if it does, the device searches for the behavior type to which the system behavior belongs, acquires the protection dependent factor corresponding to the system behavior according to the behavior type, judges whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type, and intercepts the system behavior if the judgment result is negative. Compared with the prior art, the embodiment of the invention applies different judgment bases to system behaviors of different behavior types. Refining the judgment bases in this way allows browser behaviors to be identified accurately, improves the interception accuracy rate, improves the quality of browser security protection, and protects against malicious attacks on the operating system that exploit browser vulnerabilities.
According to an embodiment of the present invention, a storage medium is provided, where the storage medium stores at least one executable instruction, and the computer executable instruction may execute the method for securing a browser in any of the above method embodiments.
Fig. 5 is a schematic structural diagram of a computer device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computer device.
As shown in Fig. 5, the computer device may include: a processor 502, a communication interface 504, a memory 506, and a communication bus 508.
Wherein: the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508.
A communication interface 504 for communicating with network elements of other devices, such as clients or other servers.
The processor 502 is configured to execute the program 510, and may specifically execute relevant steps in the above-described browser security protection method embodiment.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the invention. The computer device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is used for storing the program 510. The memory 506 may comprise high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
monitoring whether a browser sends a system behavior, wherein the system behavior comprises loading DLL, reading and writing a disk, opening a process or accessing a network;
if the browser sends the system behavior, searching a behavior type to which the system behavior belongs, wherein the behavior type comprises a program calling type and a file processing type;
acquiring a protection dependent factor corresponding to the system behavior according to the behavior type, wherein the protection dependent factor refers to the system behavior or a stack calling sequence of the system behavior;
judging whether the protection dependent factors exist in a browser behavior permission set corresponding to the behavior type or not;
and if the judgment result is negative, intercepting the system behavior.
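The decision flow in the steps above, sketched as an added example (not code from the patent or its assignee). The event fields, the "link"/"file" encoding of the operation object, the symbolised stack frames, the interception of unclassifiable objects and all sample values are assumptions constructed for illustration.

```python
# Added illustration of the decision flow above; every name here is hypothetical.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class BehaviorType(Enum):
    PROGRAM_CALL = "program call"
    FILE_PROCESSING = "file processing"


@dataclass(frozen=True)
class SystemBehavior:
    action: str                  # e.g. "load_dll", "write_disk", "open_process"
    target: str                  # operation object the behavior acts on
    target_kind: str             # "link" or "file" (assumed encoding)
    stack: Tuple[str, ...] = ()  # call stack at the hook, outermost frame first


@dataclass(frozen=True)
class Decision:
    behavior_type: Optional[BehaviorType]
    identifier: Optional[str]    # "active" / "passive"; file processing only
    intercept: bool


def classify(b: SystemBehavior) -> Optional[BehaviorType]:
    """Look up the behavior type from the operation object."""
    if b.target_kind == "link":
        return BehaviorType.PROGRAM_CALL
    if b.target_kind == "file":
        return BehaviorType.FILE_PROCESSING
    return None


def dependent_factor(b: SystemBehavior, btype: BehaviorType):
    """Program calls are judged on the behavior itself, file processing on its stack."""
    if btype is BehaviorType.PROGRAM_CALL:
        return (b.action, b.target)
    return b.stack


def evaluate(b, call_set, processing_set) -> Decision:
    btype = classify(b)
    if btype is None:
        # Assumption of this example: an unclassifiable object is intercepted.
        return Decision(None, None, True)
    factor = dependent_factor(b, btype)
    if btype is BehaviorType.PROGRAM_CALL:
        return Decision(btype, None, factor not in call_set)
    # File processing: membership sets the identifier, passive is intercepted.
    identifier = "active" if factor in processing_set else "passive"
    return Decision(btype, identifier, identifier == "passive")


# Constructed permission sets (sample values, not from the patent).
CALL_SET = {("open_process", "browser_updater.exe"), ("load_dll", "renderer.dll")}
PROCESSING_SET = {("ui!OnSaveClicked", "download!SaveFile", "io!WriteFile")}

# Constructed events as a hook might report them.
EVENTS = [
    SystemBehavior("write_disk", "report.pdf", "file",
                   ("ui!OnSaveClicked", "download!SaveFile", "io!WriteFile")),
    SystemBehavior("write_disk", "startup.bin", "file",
                   ("script!JitStub", "io!WriteFile")),
    SystemBehavior("open_process", "browser_updater.exe", "link"),
    SystemBehavior("open_process", "unlisted_tool.exe", "link"),
    SystemBehavior("write_disk", "HKCU/Example", "registry"),
]


def run_demo():
    return [evaluate(e, CALL_SET, PROCESSING_SET) for e in EVENTS]


if __name__ == "__main__":
    for event, d in zip(EVENTS, run_demo()):
        verdict = "INTERCEPT" if d.intercept else "allow"
        print(f"{verdict:9} {event.action:13} {event.target:20} id={d.identifier}")
```

The example compares whole stack sequences exactly, which is one possible reading of "stack call sequence"; a deployment would need a stable frame representation for that comparison to hold across builds.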
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
The embodiment of the invention provides the following technical scheme:
A1, a browser security protection method, comprising:
monitoring whether a browser sends a system behavior, wherein the system behavior comprises loading DLL, reading and writing a disk, opening a process or accessing a network;
if the browser sends the system behavior, searching a behavior type to which the system behavior belongs, wherein the behavior type comprises a program calling type and a file processing type;
acquiring a protection dependent factor corresponding to the system behavior according to the behavior type, wherein the protection dependent factor refers to the system behavior or a stack calling sequence of the system behavior;
judging whether the protection dependent factors exist in a browser behavior permission set corresponding to the behavior type or not;
and if the judgment result is negative, intercepting the system behavior.
A2, the method according to A1, wherein the finding the behavior type to which the system behavior belongs comprises:
detecting an operation object of the system behavior;
if the operation object is the link information, determining that the behavior type to which the system behavior belongs is the program calling type;
and if the operation object is file information, determining that the behavior type to which the system behavior belongs is the file processing type.
A3, the method as claimed in A1, wherein the obtaining the protection dependent factors corresponding to the system behavior according to the behavior type includes:
if the behavior type is the program calling type, determining that the protection dependent factor corresponding to the system behavior is the system behavior;
if the behavior type is the file processing type, determining that the protection dependence factor corresponding to the system behavior is a stack call sequence of the system behavior;
and selecting protection dependent factors corresponding to the system behaviors according to the determination result.
A4, the method as in A1, wherein the method further comprises, before the determining whether the protection dependency exists in the browser behavior permission set corresponding to the behavior type:
and establishing a browser behavior permission set corresponding to the behavior type, wherein the browser behavior permission set comprises a calling behavior permission set corresponding to the program calling type and a processing behavior permission set corresponding to the file processing type, the calling behavior permission set refers to system behaviors generated in the process that the browser calls a self program, a third-party program and a system program, and the processing behavior permission set comprises stack calling sequences corresponding to the system behaviors of the file processing type.
A5, the method as in A1, wherein the method further comprises, after the determining whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type:
and if the behavior type is the file processing type, setting a behavior identifier of the system behavior according to the judgment result.
A6, the method as recited in A5, wherein the setting the behavior identifier of the system behavior according to the determination result includes:
if the judgment result is that the protection dependence factor exists in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as an active system behavior;
and if the judgment result is that the protection dependence factor does not exist in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as a passive system behavior.
A7, the method according to A6, wherein the method further comprises:
intercepting the system behavior if the behavior identification of the system behavior is a passive system behavior.
B8, a safety protection device for browsers, comprising:
the monitoring module is used for monitoring whether the browser sends a system behavior, wherein the system behavior comprises DLL loading, disk reading and writing, process opening or network access;
the search module is used for searching the behavior type to which the system behavior belongs if the browser sends the system behavior, wherein the behavior type comprises a program calling type and a file processing type;
an obtaining module, configured to obtain a protection dependent factor corresponding to the system behavior according to the behavior type, where the protection dependent factor is the system behavior or a stack call sequence of the system behavior;
the judging module is used for judging whether the protection dependence factors exist in the browser behavior permission set corresponding to the behavior type;
and the intercepting module is used for intercepting the system behavior if the judgment result is negative.
B9, the apparatus as claimed in B8, wherein the searching module includes:
the detection unit is used for detecting an operation object of the system behavior;
a determining unit, configured to determine, if the operation object is link information, that a behavior type to which the system behavior belongs is the program call type;
the determining unit is further configured to determine, if the operation object is file information, that the behavior type to which the system behavior belongs is the file processing type.
B10, the device as claimed in B8, wherein the obtaining module includes:
a determining unit, configured to determine, if the behavior type is the program call type, that a protection dependent factor corresponding to the system behavior is the system behavior itself;
the determining unit is further configured to determine that the protection dependent factor corresponding to the system behavior is a stack call sequence of the system behavior if the behavior type is the file processing type;
and the selection unit is used for selecting the system behavior or the stack call sequence of the system behavior according to the determination result.
B11, the device according to B8, characterized in that the device further comprises:
the establishing module is used for establishing a browser behavior permission set corresponding to the behavior type before judging whether the protection dependence factor exists in the browser behavior permission set corresponding to the behavior type, wherein the browser behavior permission set comprises a calling behavior permission set corresponding to the program calling type and a processing behavior permission set corresponding to the file processing type, the calling behavior permission set refers to system behaviors generated in the process that the browser calls a self program, a third-party program and a system program, and the processing behavior permission set comprises stack calling sequences corresponding to the system behaviors of the file processing type.
B12, the device according to B8, characterized in that the device further comprises:
and the setting module is used for setting the behavior identifier of the system behavior according to the judgment result if the behavior type is the file processing type after judging whether the protection dependence factor exists in the browser behavior authority set corresponding to the behavior type.
B13, the apparatus according to B12, wherein the setting module is configured to:
if the judgment result is that the protection dependence factor exists in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as an active system behavior;
and if the judgment result is that the protection dependence factor does not exist in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as a passive system behavior.
B14, the apparatus according to B13, wherein the intercepting module is further configured to:
intercepting the system behavior if the behavior identification of the system behavior is a passive system behavior.
C15, a storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the browser security protection method as described in any one of A1-A7.
D16, a computer device comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the safety protection method of the browser in any one of A1-A7.

Claims (14)

1. A safety protection method for a browser is characterized by comprising the following steps:
monitoring whether a browser sends a system behavior, wherein the system behavior comprises loading DLL, reading and writing a disk, opening a process or accessing a network;
if the browser sends the system behavior, searching a behavior type to which the system behavior belongs, wherein the behavior type comprises a program calling type and a file processing type;
acquiring a protection dependent factor corresponding to the system behavior according to the behavior type, wherein the protection dependent factor refers to the system behavior or a stack calling sequence of the system behavior;
judging whether the protection dependent factors exist in a browser behavior permission set corresponding to the behavior type or not;
if the judgment result is negative, intercepting the system behavior;
before the determining whether the protection dependent factor exists in the browser behavior permission set corresponding to the behavior type, the method further includes:
and establishing a browser behavior permission set corresponding to the behavior type, wherein the browser behavior permission set comprises a calling behavior permission set corresponding to the program calling type and a processing behavior permission set corresponding to the file processing type, the calling behavior permission set refers to system behaviors generated in the process that the browser calls a self program, a third-party program and a system program, and the processing behavior permission set comprises stack calling sequences corresponding to the system behaviors of the file processing type.
2. The method of claim 1, wherein said finding the behavior type to which the system behavior belongs comprises:
detecting an operation object of the system behavior;
if the operation object is the link information, determining that the behavior type to which the system behavior belongs is the program calling type;
and if the operation object is file information, determining that the behavior type to which the system behavior belongs is the file processing type.
3. The method according to claim 1, wherein the obtaining of the protection dependent factors corresponding to the system behavior according to the behavior type includes:
if the behavior type is the program calling type, determining that the protection dependent factor corresponding to the system behavior is the system behavior;
if the behavior type is the file processing type, determining that the protection dependence factor corresponding to the system behavior is a stack call sequence of the system behavior;
and selecting protection dependent factors corresponding to the system behaviors according to the determination result.
4. The method of claim 1, wherein after determining whether the protection dependency exists in a set of browser behavior permissions corresponding to the behavior type, the method further comprises:
and if the behavior type is the file processing type, setting a behavior identifier of the system behavior according to the judgment result.
5. The method of claim 4, wherein the setting the behavior flag of the system behavior according to the determination result comprises:
if the judgment result is that the protection dependence factor exists in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as an active system behavior;
and if the judgment result is that the protection dependence factor does not exist in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as a passive system behavior.
6. The method of claim 5, further comprising:
intercepting the system behavior if the behavior identification of the system behavior is a passive system behavior.
7. A browser security device, comprising:
the monitoring module is used for monitoring whether the browser sends a system behavior, wherein the system behavior comprises DLL loading, disk reading and writing, process opening or network access;
the search module is used for searching the behavior type to which the system behavior belongs if the browser sends the system behavior, wherein the behavior type comprises a program calling type and a file processing type;
an obtaining module, configured to obtain a protection dependent factor corresponding to the system behavior according to the behavior type, where the protection dependent factor is the system behavior or a stack call sequence of the system behavior;
the judging module is used for judging whether the protection dependence factors exist in the browser behavior permission set corresponding to the behavior type;
the intercepting module is used for intercepting the system behavior if the judgment result is negative;
the establishing module is used for establishing a browser behavior permission set corresponding to the behavior type before judging whether the protection dependence factor exists in the browser behavior permission set corresponding to the behavior type, wherein the browser behavior permission set comprises a calling behavior permission set corresponding to the program calling type and a processing behavior permission set corresponding to the file processing type, the calling behavior permission set refers to system behaviors generated in the process that the browser calls a self program, a third-party program and a system program, and the processing behavior permission set comprises stack calling sequences corresponding to the system behaviors of the file processing type.
8. The apparatus of claim 7, wherein the lookup module comprises:
the detection unit is used for detecting an operation object of the system behavior;
a determining unit, configured to determine, if the operation object is link information, that a behavior type to which the system behavior belongs is the program call type;
the determining unit is further configured to determine, if the operation object is file information, that the behavior type to which the system behavior belongs is the file processing type.
9. The apparatus of claim 7, wherein the acquisition module comprises:
a determining unit, configured to determine, if the behavior type is the program call type, that a protection dependent factor corresponding to the system behavior is the system behavior itself;
the determining unit is further configured to determine that the protection dependent factor corresponding to the system behavior is a stack call sequence of the system behavior if the behavior type is the file processing type;
and the selection unit is used for selecting the system behavior or the stack call sequence of the system behavior according to the determination result.
10. The apparatus of claim 7, wherein the apparatus further comprises:
and the setting module is used for setting the behavior identifier of the system behavior according to the judgment result if the behavior type is the file processing type after judging whether the protection dependence factor exists in the browser behavior authority set corresponding to the behavior type.
11. The apparatus of claim 10, wherein the setup module is to:
if the judgment result is that the protection dependence factor exists in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as an active system behavior;
and if the judgment result is that the protection dependence factor does not exist in the browser behavior permission set corresponding to the behavior type, setting the behavior identifier of the system behavior as a passive system behavior.
12. The apparatus of claim 11, wherein the intercept module is further configured to:
intercepting the system behavior if the behavior identification of the system behavior is a passive system behavior.
13. A storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the browser security protection method according to any one of claims 1 to 6.
14. A computer device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the safety protection method of the browser according to any one of claims 1-6.
CN201811645503.9A 2018-12-29 2018-12-29 Safety protection method and device for browser Active CN109558730B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811645503.9A CN109558730B (en) 2018-12-29 2018-12-29 Safety protection method and device for browser

Publications (2)

Publication Number Publication Date
CN109558730A CN109558730A (en) 2019-04-02
CN109558730B true CN109558730B (en) 2020-10-16

Family

ID=65872146

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811645503.9A Active CN109558730B (en) 2018-12-29 2018-12-29 Safety protection method and device for browser

Country Status (1)

Country Link
CN (1) CN109558730B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Patentee after: Qianxin Technology Group Co., Ltd

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Patentee before: Beijing Qianxin Technology Co., Ltd