CN109766698A - Data protection method and device - Google Patents

Info

Publication number
CN109766698A
Authority
CN
China
Prior art keywords
operation behavior
safety
matching
stack
key element
Legal status
Pending
Application number
CN201811645681.1A
Other languages
Chinese (zh)
Inventor
游勇
杨晓东
王明广
Current Assignee
360 Enterprise Safety Technology (zhuhai) Co Ltd
Beijing Qianxin Technology Co Ltd
Original Assignee
360 Enterprise Safety Technology (zhuhai) Co Ltd
Beijing Qianxin Technology Co Ltd
Application filed by 360 Enterprise Safety Technology (zhuhai) Co Ltd and Beijing Qianxin Technology Co Ltd
Publication of CN109766698A
Legal status: pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention discloses a data protection method and device in the field of security technology. Its main purpose is to protect data according to call stack features, which are finer-grained than processes or threads, so as to avoid hacker attacks and thereby prevent terminal device data from being leaked or damaged. The method comprises: capturing the call stack feature corresponding to an operation that an application program performs on the terminal device, and parsing it to obtain the key elements of the call stack feature; inputting the key elements into a pre-built stack matching engine for matching, to judge whether the operation is a safe operation, the stack matching engine having been built from the safety key elements of the call stack features corresponding to safe operations; if the operation is a safe operation, allowing it through (clearance processing); if the operation is a risky operation, blocking it (prevention processing). The invention is suitable for data protection.

Description

Data protection method and device
Technical field
The present invention relates to the field of security technology, and in particular to a data protection method and device.
Background technique
With the rapid development of Internet technology, application programs have diversified: e-mail, online banking, instant messaging and so on. These applications are used in every aspect of users' lives and work. In actual use, however, data leakage incidents during application execution occur one after another, so protecting the data on terminal devices is urgent.
At present, terminal device data is usually protected either by encrypting the document in which the data resides or by using a professional data leakage prevention (DLP) system. However, file encryption cannot prevent data from leaking once the encrypting application has been compromised by a virus, it may cause permanent damage to user data, and it also interferes with the user's use of the document. DLP systems mostly prevent leakage through outbound channels, and outbound channels are riddled with holes and easily attacked by hackers, so leakage still cannot be avoided. A new data protection method has therefore become an urgent technical problem in the field of terminal device security.
Summary of the invention
In view of this, the present invention provides a data protection method and device whose main purpose is to protect data according to call stack features, which are finer-grained than processes or threads, so as to avoid hacker attacks and thereby prevent terminal device data from being leaked or damaged.
According to a first aspect of the present invention, a data protection method is provided, comprising:
capturing the call stack feature corresponding to an operation that an application program performs on the terminal device, and parsing it to obtain the key elements of the call stack feature;
inputting the key elements into a pre-built stack matching engine for matching, to judge whether the operation is a safe operation, the stack matching engine being built from the safety key elements of the call stack features corresponding to safe operations;
if the operation is a safe operation, allowing the operation through (clearance processing);
if the operation is a risky operation, blocking the operation (prevention processing).
According to a second aspect of the present invention, a data protection device is provided, comprising:
a capturing unit, for capturing the call stack feature corresponding to an operation that an application program performs on the terminal device;
a parsing unit, for parsing the call stack feature captured by the capturing unit to obtain the key elements of the call stack feature;
a matching unit, for inputting the key elements into a pre-built stack matching engine for matching, to judge whether the operation is a safe operation, the stack matching engine being built from the safety key elements of the call stack features corresponding to safe operations;
a processing unit, for allowing the operation through if the matching unit determines that the operation is a safe operation;
the processing unit being further used to block the operation if the matching unit determines that the operation is a risky operation.
According to a third aspect of the present invention, a computer-readable storage medium is provided on which a computer program is stored; when the program is executed by a processor, the following steps are performed:
capturing the call stack feature corresponding to an operation that an application program performs on the terminal device, and parsing it to obtain the key elements of the call stack feature;
inputting the key elements into a pre-built stack matching engine for matching, to judge whether the operation is a safe operation, the stack matching engine being built from the safety key elements of the call stack features corresponding to safe operations;
if the operation is a safe operation, allowing the operation through;
if the operation is a risky operation, blocking the operation.
According to a fourth aspect of the present invention, computer equipment is provided, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, the following steps are performed:
capturing the call stack feature corresponding to an operation that an application program performs on the terminal device, and parsing it to obtain the key elements of the call stack feature;
inputting the key elements into a pre-built stack matching engine for matching, to judge whether the operation is a safe operation, the stack matching engine being built from the safety key elements of the call stack features corresponding to safe operations;
if the operation is a safe operation, allowing the operation through;
if the operation is a risky operation, blocking the operation.
The present invention provides a data protection method and device. Compared with the current practice of protecting terminal device data by encrypting the document in which the data resides, or by using a professional DLP system, the invention captures the call stack feature corresponding to an application program's operation on the terminal device and parses it to obtain the key elements of the call stack feature; it then inputs the key elements into a pre-built stack matching engine for matching, to judge whether the operation is a safe operation, the stack matching engine being built from the safety key elements of the call stack features corresponding to safe operations. If the operation is a safe operation, it is allowed through; if it is a risky operation, it is blocked. Data protection is thus performed according to call stack features, which are finer-grained than processes or threads, avoiding hacker attacks and thereby preventing terminal device data from being leaked or damaged.
The above is only an overview of the technical scheme of the present invention. So that the technical means of the invention can be better understood and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the invention become clearer and more comprehensible, specific embodiments of the invention are given below.
Detailed description of the invention
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow diagram of a data protection method provided in an embodiment of the present invention;
Fig. 2 shows a schematic diagram of a call stack feature provided in an embodiment of the present invention;
Fig. 3 shows a flow diagram of another data protection method provided in an embodiment of the present invention;
Fig. 4 shows a schematic diagram of a preset stack feature matching library provided in an embodiment of the present invention;
Fig. 5 shows a flow diagram of yet another data protection method provided in an embodiment of the present invention;
Fig. 6 shows a structural schematic diagram of a data protection device provided in an embodiment of the present invention;
Fig. 7 shows a structural schematic diagram of another data protection device provided in an embodiment of the present invention;
Fig. 8 shows a schematic diagram of the physical structure of computer equipment provided in an embodiment of the present invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided to facilitate a more thorough understanding of the invention and to convey the scope of the disclosure fully to those skilled in the art.
As stated in the background section, terminal device data is currently protected by encrypting the document in which the data resides or by using a professional DLP system; neither can prevent data from leaking after the encrypting application has been compromised by a virus or a hacker. A new data protection approach has therefore become an urgent technical problem in the field of terminal device security.
To solve the above technical problem, an embodiment of the invention provides a data protection method; as shown in Fig. 1, the method includes:
101. Capture the call stack feature corresponding to an operation that the application program performs on the terminal device, and parse it to obtain the key elements of the call stack feature.
The terminal device may be a computer, a laptop, a mobile phone or the like. The call stack feature may be the sequence of system function interfaces called when the application program performs the operation; it is dynamic memory data. Different operations on the terminal device have different call stack features, and the same operation has different call stack features in different scenarios. Fig. 2 illustrates the call stack feature corresponding to a file open operation.
In an embodiment of the invention, a preset capture module may be injected into the process space of the application program using process injection technology; the system call of the operation is then hooked using hook technology; finally, stack backtracing technology is used to trace back the system call and obtain the call stack feature corresponding to the operation.
It should be noted that the key elements may be parsed out of the call stack feature according to its important procedures and functions, and that the key elements can identify the operation. The key elements may specifically be the stack call serial number, the module name, the function name and the function offset. Since the same few functions called in a different order implement different operations, the stack call serial number is extracted. The raw stack data consists of a series of function return addresses, and a function may perform operations internally or call several other functions, so the function offset of each return address is extracted. A return address always lies within some function, and the most direct way to mark that function's position is its name, so the function name is extracted. Each function in turn belongs to some module, which is identified by its module name, so the module name is extracted. For example, parsing the frame "shcore.dll!SHCreateStreamFileW+0x38e (C:\Windows\System32\shcore.dll)" in Fig. 2 extracts the key elements [1, "shcore.dll", "SHCreateStreamFileW", 0x38e], where 1 is the stack call serial number, "shcore.dll" the module name, "SHCreateStreamFileW" the function name and 0x38e the function offset.
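The frame parsing described above, as an added example that is not part of the patent: it extracts the key elements from frames written the way Fig. 2 writes them, for example shcore.dll!SHCreateStreamFileW+0x38e followed by an optional module path in parentheses. The frame regular expression, the KeyElement type and the sample frames are assumptions of this example.

```python
import re
from typing import List, NamedTuple


class KeyElement(NamedTuple):
    """Key elements of one stack frame as the patent defines them."""
    serial: int       # stack call serial number (1 for the first captured frame)
    module: str       # module name, e.g. shcore.dll
    function: str     # function the return address falls in
    offset: int       # offset of the return address within that function


# Frame text in the form used in Fig. 2, e.g.
#   shcore.dll!SHCreateStreamFileW+0x38e (C:\Windows\System32\shcore.dll)
# The bracketed module path is optional; the offset is hexadecimal.
_FRAME_RE = re.compile(
    r"^(?P<module>[^!\s]+)!(?P<function>[^+\s]+)\+0x(?P<offset>[0-9A-Fa-f]+)"
    r"(?:\s*\((?P<path>[^)]*)\))?$"
)


def parse_frame(serial: int, frame: str) -> KeyElement:
    """Extract the key elements of a single frame; reject text that is not a symbolised frame."""
    m = _FRAME_RE.match(frame.strip())
    if m is None:
        raise ValueError(f"not a symbolised stack frame: {frame!r}")
    return KeyElement(serial, m["module"], m["function"], int(m["offset"], 16))


def parse_stack(frames: List[str]) -> List[KeyElement]:
    """Parse a captured call stack feature, numbering frames from 1 in capture order."""
    return [parse_frame(i, f) for i, f in enumerate(frames, start=1)]


# Constructed sample stack (not the one in Fig. 2), in the same frame format.
SAMPLE_FRAMES = [
    r"shcore.dll!SHCreateStreamFileW+0x38e (C:\Windows\System32\shcore.dll)",
    r"shcore.dll!SHCreateMemStream+0x36f (C:\Windows\System32\shcore.dll)",
    r"USER32.dll!DispatchMessageW+0xf (C:\Windows\System32\USER32.dll)",
    r"kernel32.dll!BaseThreadInitThunk+0x14 (C:\Windows\System32\kernel32.dll)",
]
```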
102. Input the key elements into the pre-built stack matching engine for matching, to judge whether the operation is a safe operation. If so, go to step 103; if not, go to step 104.
The stack matching engine is built from the safety key elements of the call stack features corresponding to safe operations. Through matching operations such as logical, arithmetic and string comparison, the engine determines whether the key elements match the safety key elements, and so judges whether the operation is a safe operation: if the key elements match the safety key elements, the engine returns a successful match and the operation is confirmed to be a safe operation; if they do not match, it returns a failed match and the operation is confirmed not to be a safe operation, that is, it is a risky operation.
It should be noted that the main interface of the stack matching engine may be a function that obtains the stack matching result, such as BOOL GetStackMatchResult(PVOID* pStackArray, ULONG uStackLen, const CHAR* pApiName, enum& eResult). The parameters have the following meanings:
pStackArray: the input array of stack return addresses
uStackLen: the length of the return address array
pApiName: the monitoring-point API of the current behaviour stack, e.g. NtCreateFile
eResult: an enumeration value set when the call returns TRUE: E_STACKMATCH_SUCCESS for a successful match, E_STACKMATCH_FAILED for a failed match
Return value: TRUE if the call succeeded, in which case the value in eResult is valid; otherwise FALSE.
103. Allow the operation through.
For example, suppose the application program's operation on the terminal device is opening a file. If the key elements of the call stack feature corresponding to that open operation are input into the stack matching engine and the matching result is a successful match, the open operation is determined to be a safe operation: the application program is opening the file normally, so the open operation is allowed through and the application program is permitted to open the file.
104. Block the operation.
It should be noted that, to guarantee the accuracy of data protection, once the operation has been determined to be a risky operation, security operations staff may additionally be notified to judge the operation further, so that terminal device data is protected from leakage and damage.
The data protection method provided in this embodiment of the invention, compared with the current practice of protecting terminal device data by encrypting the document in which the data resides or by using a professional DLP system, captures the call stack feature corresponding to the application program's operation on the terminal device and parses it to obtain the key elements of the call stack feature; it then inputs the key elements into a pre-built stack matching engine for matching, to judge whether the operation is a safe operation, the stack matching engine being built from the safety key elements of the call stack features corresponding to safe operations. If the operation is a safe operation, it is allowed through; if it is a risky operation, it is blocked. Data protection is thus performed according to call stack features, which are finer-grained than processes or threads, avoiding hacker attacks and thereby preventing terminal device data from being leaked or damaged.
Further, to better illustrate the data protection process, as a refinement and extension of the above embodiment, an embodiment of the invention provides another data protection method, as shown in Fig. 3, but not limited thereto, as follows:
201. Capture the call stack feature corresponding to an operation that the application program performs on the terminal device, and parse it to obtain the key elements of the call stack feature.
In an embodiment of the invention, capturing the call stack feature corresponding to the application program's operation on the terminal device may include: injecting a preset capture module into the process of the application program to monitor the operation; hooking the functions of the terminal device's system application layer with a preset hook function to intercept the system call corresponding to the operation; and tracing back the stack information of the system call with a preset stack information backtracing function to obtain the call stack feature corresponding to the operation.
The preset capture module may be set up by technicians according to process injection technology, the preset hook function may be written by technicians according to hook technology, and the preset stack information backtracing function may be written by technicians according to stack backtracing technology. Different capture modules may be set up for different operations: a capture module may be a dynamic link library of the corresponding functions, or different preset hook functions and different preset stack information backtracing functions may be written. For example, for a file open operation the system application layer function is NtCreateFile, the preset hook function may be a hook on NtCreateFile, and the preset stack information backtracing function may be RtlCaptureStackBackTrace. The hook on NtCreateFile monitors the file open event; when a file open event occurs, RtlCaptureStackBackTrace is called to trace back the call stack feature corresponding to the file open operation.
In addition, the key elements may be used to identify the operation and may include the stack call serial number, module name, function name and function offset. Specifically, the stack call serial number, module name, function name and function offset may be extracted and abstracted from the call stack feature according to the operation. For example, parsing the frame "shcore.dll!SHCreateMemStream+0x36f (C:\Windows\System32\shcore.dll)" in Fig. 2 extracts the key elements [2, "shcore.dll", "SHCreateMemStream", 0x36f], where 2 is the stack call serial number, "shcore.dll" the module name, "SHCreateMemStream" the function name and 0x36f the function offset.
202. Input the key elements into the stack matching engine to judge whether the key elements match the safety key element matching rules in the preset stack feature matching library. If the match succeeds, go to step 203; if the match fails, go to step 204.
The safety key element matching rules are built from the safety key elements. They may be constructed by hand or with program assistance. Fig. 2 shows the call stack feature of a normal file open, in which USER32.dll!DispatchMessageW is the message processing triggered by mouse or keyboard input. For that call stack feature, the safety key element matching rule built from the safety key elements [1, "user.dll", "DispatchMessageW", 0xf] may be: [0:-1] random 1 (module_name=="user.dll" && function_name=="DispatchMessageW" && function_offset<0x10). This rule means that as long as a frame whose module name is USER32.dll, whose function name is DispatchMessageW and whose offset within the function is less than 0x10 appears anywhere in this stack feature, the operation is regarded as a normal file open.
In addition, safety key element matching rules may also take the following forms:
(1) The first return address may only be in the module named mso.dll:
[0:0] random 1 (module_name=="mso.dll")
(2) The first to fifth return addresses may only fall within the modules named mso.dll, wwlib.dll and shcore.dll:
[0:4] random 5 (module_name=="mso.dll" || module_name=="wwlib.dll" || module_name=="shell32.dll")
(3) All return addresses may only fall within the modules named mso.dll, wwlib.dll and shcore.dll:
[0:-1] random -1 (module_name=="mso.dll" || module_name=="wwlib.dll" || module_name=="shcore.dll")
(4) Within the first to tenth layers there must be a call to the function named DispatchMessageW in the module named user.dll, with a function offset less than 50:
[0:10] random 1 (module_name=="user.dll" && function_name=="DispatchMessageW" && function_offset<50)
(5) Among all return addresses, the module named mso.dll must appear 5 times consecutively:
[0:-1] sequent 6 (module_name=="mso.dll")
(6) From the sixth-last to the last return address, the module named chrome.dll must be followed consecutively by the module named kernel32.dll with the function named BaseThreadInitThunk:
[-6:-1] sequent 2 (module_name=="chrome.dll")<>(module_name=="kernel32.dll" && function_name=="BaseThreadInitThunk")
In an embodiment of the invention, so that the stack feature matching engine can conveniently call the preset stack feature matching library, the stack feature matching library may be built in advance, comprising: collecting the call stack features corresponding to safe operations and parsing them to obtain the safety key elements; building safety key element matching rules from the safety key elements; and generating the preset stack feature matching library from the safety key element matching rules. The safe operations may specifically be safe file operations; since the ways in which an application program operates on files are limited, safe file operations can be enumerated completely. Collecting the call stack features corresponding to safe operations may proceed as in step 202 and is not repeated here. After the safety key element matching rules have been obtained, the preset stack feature matching library may be generated with a process as the unit, as shown in Fig. 4.
In a specific application scenario, step 202 may specifically include: inputting the key elements into the stack matching engine, which interprets the safety key element matching rules in the preset stack feature matching library to obtain the interpretation units of the safety key elements; matching the interpretation units of the key elements against the interpretation units of the safety key elements; if the match succeeds, determining that the key elements match the safety key element matching rules in the preset stack feature matching library; if the match fails, determining that they do not match. An interpretation unit is a functional unit that the stack matching engine can recognise and execute, and may specifically be binary data. Interpreting the safety key element matching rules allows fast indexing, matching of the safety key elements against the input key elements, and finally output of the matching result.
It should be noted that interpreting the safety key element matching rules in the preset stack feature matching library to obtain the interpretation units of the safety key elements specifically includes: inputting the key elements into the stack matching engine, which scans the safety key element matching rules in the preset stack feature matching library in order to obtain the character strings of the safety key elements; analysing the character strings lexically with preset lexical rules to obtain the tokens of the safety key elements; and analysing the tokens syntactically with preset grammar rules to obtain the interpretation units of the safety key elements.
The preset lexical rules may be rules for recognising the symbols of safety key elements in a safety key element matching rule. The symbols of the key elements may be: stack call serial number: module_number; module name: module_name; function name: function_name; function offset: function_offset; random occurrence: random; consecutive occurrence: sequent. The preset grammar rules may be rules for parsing the tokens into the interpretation units of the safety key elements; specifically, an interpretation unit is obtained for each key element symbol, and the interpretation units so obtained are combined to give the interpretation unit of the safety key elements.
To make the process of obtaining the interpretation units of safety key elements easier to understand, an embodiment of the invention gives the following example. Scanning a safety key element matching rule in the preset stack feature matching library in order yields the string: [0:4] random 5 (module_name=="mso.dll" || module_name=="wwlib.dll" || module_name=="shell32.dll"). Applying the preset lexical rules yields the tokens "[0:4]", "random", "5", "module_name", "==", "\"mso.dll\"" and so on, and the preset grammar rules then parse out the interpretation unit of the safety key elements.
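The rule forms listed above and the scan, lexical analysis and grammar parsing steps just described, as an added example that is not part of the patent or its matching engine: a tokenizer, a recursive-descent parser and an evaluator for the page's rule syntax, run against constructed sample stacks. The range, count and "<>" semantics stated in the evaluate() docstring, the sample frames and the assumption that a stack is safe only when every library rule holds are all assumptions of this example.

```python
import operator, re

# Key element tuple as the patent defines it: (stack call serial number, module name,
# function name, function offset). Field symbols follow the page's lexical rules.
_FIELDS = {"module_number": 0, "module_name": 1, "function_name": 2, "function_offset": 3}
_OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
_TOKEN_RE = re.compile(
    r"\s*(?:(?P<num>-?(?:0x[0-9A-Fa-f]+|\d+))|(?P<str>\"[^\"]*\")|(?P<id>[A-Za-z_]\w*)"
    r"|(?P<op>==|!=|<=|>=|&&|\|\||<>|[\[\]:()<>]))")

def tokenize(text):
    """Lexical step: split a rule string into (kind, value) tokens."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            raise SyntaxError(f"unexpected input at {text[pos:]!r}")
        pos, kind, value = m.end(), m.lastgroup, m.group(m.lastgroup)
        # numbers may be decimal or 0x-prefixed hexadecimal; strings lose their quotes
        tokens.append((kind, int(value, 0) if kind == "num" else value[1:-1] if kind == "str" else value))
    return tokens

class _Parser:
    """Grammar step: recursive descent over the tokens, producing frame predicates."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        k, v = self.peek()
        if (kind and k != kind) or (value is not None and v != value):
            raise SyntaxError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v
    def expr(self):                    # expr := term ('||' term)*
        terms = [self.term()]
        while self.peek() == ("op", "||"):
            self.take(); terms.append(self.term())
        return lambda fr: any(t(fr) for t in terms)
    def term(self):                    # term := factor ('&&' factor)*
        facts = [self.factor()]
        while self.peek() == ("op", "&&"):
            self.take(); facts.append(self.factor())
        return lambda fr: all(f(fr) for f in facts)
    def factor(self):                  # factor := '(' expr ')' | field op literal
        if self.peek() == ("op", "("):
            self.take(); inner = self.expr(); self.take("op", ")")
            return inner
        idx, cmp = _FIELDS[self.take("id")], _OPS[self.take("op")]
        kind, lit = self.peek()
        if kind not in ("num", "str"): raise SyntaxError(f"bad literal {lit!r}")
        self.take()
        norm = lambda x: x.lower() if isinstance(x, str) else x   # names compare case-insensitively
        return lambda fr: cmp(norm(fr[idx]), norm(lit))

def compile_rule(text):
    """Parse '[a:b] random|sequent N (cond)[<>(cond)...]' into (a, b, mode, N, conds)."""
    p = _Parser(tokenize(text))
    p.take("op", "["); start = p.take("num"); p.take("op", ":"); end = p.take("num"); p.take("op", "]")
    mode, count, conds = p.take("id"), p.take("num"), [p.expr()]
    while p.peek() == ("op", "<>"):
        p.take(); conds.append(p.expr())
    if p.peek() != (None, None) or mode not in ("random", "sequent"):
        raise SyntaxError(f"cannot parse rule {text!r}")
    return start, end, mode, count, conds

def evaluate(rule, stack):
    """Assumed semantics (the page does not spell them out): [a:b] is an inclusive frame range with
    -1 meaning the last frame; 'random N' needs at least N matching frames anywhere in the range
    (N == -1: every frame); 'sequent N' needs N consecutive frames, the i-th matching the i-th
    '<>'-separated condition (a single condition is repeated N times)."""
    start, end, mode, count, conds = rule
    n = len(stack)
    window = stack[max(0, start + n if start < 0 else start):(end + n if end < 0 else end) + 1]
    if mode == "random":
        hits = sum(1 for fr in window if conds[0](fr))
        return bool(window) and (hits == len(window) if count == -1 else hits >= count)
    pattern = conds if len(conds) > 1 else conds * count
    if len(pattern) != count: raise ValueError("sequent: number of '<>' conditions must equal N")
    return any(all(c(fr) for c, fr in zip(pattern, window[i:i + count]))
               for i in range(len(window) - count + 1))

# Constructed sample stacks (not those in the figures): a Word-style file open shaped like Fig. 2,
# and a variant whose DispatchMessageW frame carries an unusual offset.
NORMAL_OPEN = [
    (1, "mso.dll", "MsoFOpenFile", 0x2c),            # function names are hypothetical
    (2, "mso.dll", "MsoFLoadDoc", 0x1a0),
    (3, "wwlib.dll", "FMain", 0x9f),
    (4, "USER32.dll", "DispatchMessageW", 0xf),
    (5, "kernel32.dll", "BaseThreadInitThunk", 0x14),
]
ODD_OPEN = NORMAL_OPEN[:3] + [(4, "USER32.dll", "DispatchMessageW", 0x3c0)] + NORMAL_OPEN[4:]

# A small matching library in the page's rule syntax, written for the sample stacks.
SAFE_OPEN_RULES = [
    '[0:0] random 1 (module_name=="mso.dll")',
    '[0:2] random -1 (module_name=="mso.dll" || module_name=="wwlib.dll")',
    '[0:-1] random 1 (module_name=="user32.dll" && function_name=="DispatchMessageW" && function_offset<0x10)',
    '[-2:-1] sequent 2 (module_name=="user32.dll")<>(module_name=="kernel32.dll" && function_name=="BaseThreadInitThunk")',
]

def is_safe_operation(stack, rules=SAFE_OPEN_RULES):   # assumed: every library rule must hold
    return all(evaluate(compile_rule(r), stack) for r in rules)
```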
203, it determines that the operation behavior is safety operation behavior, and clearance processing is carried out to the operation behavior.
204, it determines that the operation behavior is risky operation behavior, and prevention processing is carried out to the operation behavior.
To better illustrate the embodiment of the present invention, the following application scenario is provided, to which the invention is not limited. As shown in Fig. 5, the operation behavior of the application program on the terminal device is a file operation behavior, and the data protection process is divided into a stack feature matching library construction stage and a file operation behavior processing stage:
Stack feature matching library construction stage: first, the call stack features of safe file operation behaviors are collected by means of a hook function; then the collected call stack features are formatted and the key elements of the call stack features are obtained; finally, the key elements are classified, saved as the stack feature matching library and exported.
File operation behavior processing stage: first, the stack matching engine is initialized and the hook function monitors the file-operation-related system calls; then the stack matching engine is invoked to judge whether the file operation behavior is a safe file operation behavior; finally, if the stack matching engine reports a successful match, the file operation behavior is released, and if the stack matching engine reports a failed match, the file operation behavior is blocked.
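The rule language sketched above (the element symbols, the random/sequent keywords and the "[0:4] random 5 (...)" rule) is enough to build the two stages end to end in miniature. The following Python program is an added worked example, not code from the patent or from its assignees: it lexes a rule into the combined symbols, parses them into an interpretation unit (a frame range, an ordering mode, a required count and a predicate over key elements), and matches constructed call stacks against a library of such rules, which is the judgment the stack matching engine makes in the file operation behavior processing stage (the same lexical and grammatical analysis is restated for the processing submodule, A4 and claim 4 below). Because the page does not spell the semantics out, the following are assumptions: "[lo:hi]" selects frames whose stack call sequence number lies in lo..hi inclusive, frame 0 being the immediate caller of the hooked API; "random N" requires at least N frames in that range to satisfy the predicate in any order; "sequent N" requires N consecutive frames in the range to satisfy it; and a stack is a safe operation behavior if any rule in the library matches. The "!=" and "&&" operators, the second rule, the helper names and the sample stacks (module names, function names and offsets alike) are constructed for illustration.

```python
# Added example (not the patent's code): toy stack feature matching engine for the rule
# language the page sketches. [lo:hi]/random/sequent/count semantics are assumptions.
import re
from collections import namedtuple

ELEMENTS = {"module_number", "module_name", "function_name", "function_offset"}
Rule = namedtuple("Rule", "lo hi mode count pred")    # interpretation unit of one rule

TOKEN_RE = re.compile(r"""
    (?P<RANGE>\[\d+:\d+\])      # frame range, e.g. [0:4]
  | (?P<STRING>"[^"]*")         # quoted module or function name
  | (?P<NUMBER>\d+)             # count, sequence number or offset
  | (?P<IDENT>[A-Za-z_]\w*)     # key element symbol, random or sequent
  | (?P<OP>==|!=|\|\||&&)       # "!=" and "&&" extend the page's "==" and "||"
  | (?P<LPAREN>\() | (?P<RPAREN>\)) | (?P<WS>\s+)
""", re.VERBOSE)

def lex(text):
    """Lexical analysis: character string -> combined symbols as (kind, text) pairs."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise SyntaxError(f"unexpected character {text[pos]!r} at {pos}")
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens

class Parser:
    """Grammatical analysis: rule := RANGE (random|sequent) NUMBER expr, with expr := term
    ('||' term)*, term := factor ('&&' factor)*, factor := '(' expr ')' | element op value."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self, kind):
        ok = self.i < len(self.toks) and self.toks[self.i][0] == kind
        return self.toks[self.i][1] if ok else None
    def take(self, kind):
        if self.peek(kind) is None:
            raise SyntaxError(f"expected {kind} at token {self.i}")
        self.i += 1
        return self.toks[self.i - 1][1]
    def rule(self):
        lo, hi = (int(x) for x in self.take("RANGE")[1:-1].split(":"))
        mode, count = self.take("IDENT"), int(self.take("NUMBER"))
        if mode not in ("random", "sequent") or count < 1 or lo > hi:
            raise SyntaxError("expected [lo:hi] random|sequent N")
        pred = self.expr()
        if self.i != len(self.toks):
            raise SyntaxError("trailing tokens")
        return Rule(lo, hi, mode, count, pred)
    def expr(self):
        terms = [self.term()]
        while self.peek("OP") == "||":
            self.i += 1
            terms.append(self.term())
        return lambda f: any(t(f) for t in terms)
    def term(self):
        factors = [self.factor()]
        while self.peek("OP") == "&&":
            self.i += 1
            factors.append(self.factor())
        return lambda f: all(c(f) for c in factors)
    def factor(self):
        if self.peek("LPAREN"):
            self.i += 1
            inner = self.expr()
            self.take("RPAREN")
            return inner
        name, op = self.take("IDENT"), self.take("OP")
        if name not in ELEMENTS or op not in ("==", "!="):
            raise SyntaxError(f"bad comparison {name} {op}")
        value = self.take("STRING")[1:-1] if self.peek("STRING") else int(self.take("NUMBER"))
        return lambda f: (f.get(name) == value) == (op == "==")   # "!=" negates

def match_rule(rule, stack):
    hits = [rule.pred(f) for f in stack if rule.lo <= f["module_number"] <= rule.hi]
    if rule.mode == "random":                    # any order: at least `count` hits in lo..hi
        return sum(hits) >= rule.count
    run = 0                                      # sequent: `count` consecutive hits in lo..hi
    for hit in hits:
        run = run + 1 if hit else 0
        if run >= rule.count:
            return True
    return False

def is_safe(stack, library):
    """Engine decision: safe operation behavior iff some library rule matches."""
    return any(match_rule(rule, stack) for rule in library)

def stack_of(*modules):
    # Constructed stack: frame n lives in modules[n]; function names and offsets are placeholders.
    return [{"module_number": n, "module_name": m, "function_name": f"fn{n}",
             "function_offset": 0x10 * (n + 1)} for n, m in enumerate(modules)]

RULE_TEXT = ('[0:4] random 5 (module_name=="mso.dll" || module_name=="wwlib.dll"'
             ' || module_name=="shell32.dll")')                        # the page's rule
LIBRARY = [Parser(lex(RULE_TEXT)).rule(),                              # plus a constructed one
           Parser(lex('[0:2] sequent 3 (module_name=="shell32.dll" && function_offset!=0)')).rule()]
# Constructed stacks; frame 0 is the immediate caller of the hooked file API (assumption).
WORD_SAVE = stack_of("wwlib.dll", "wwlib.dll", "mso.dll", "mso.dll", "shell32.dll", "kernel32.dll")
INJECTED = stack_of("<unbacked>", "<unbacked>", "wwlib.dll", "mso.dll", "mso.dll", "kernel32.dll")
SHELL_COPY = stack_of("shell32.dll", "shell32.dll", "shell32.dll", "explorer.exe")
```

With this library, is_safe(WORD_SAVE, LIBRARY) releases the operation because all five frames in [0:4] belong to the listed Office and shell modules, is_safe(INJECTED, LIBRARY) blocks it because the two frames of code not backed by any module leave only three hits, and is_safe(SHELL_COPY, LIBRARY) is released by the constructed sequent rule. Rules are validated at compile time (unknown element symbols and malformed headers raise SyntaxError), which matters because the library is trusted input to the engine.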
Compared with the current approaches of protecting data on a terminal device by encrypting the document in which the data resides, or by deploying a professional DLP system, the data protection method provided by this embodiment of the present invention captures the call stack feature corresponding to an operation behavior of an application program on the terminal device and parses it to obtain the key elements of the call stack feature; the key elements are input to a pre-constructed stack matching engine for matching in order to judge whether the operation behavior is a safe operation behavior, the stack matching engine having been constructed from the safe key elements of the call stack features corresponding to safe operation behaviors. If the operation behavior is a safe operation behavior, it is released; if it is a dangerous operation behavior, it is blocked. Data protection is thereby performed according to call stack features, which are finer-grained than the process or thread, so that hacker attacks are avoided and the data on the terminal device is prevented from being leaked or damaged.
Further, as a specific implementation of the method of Fig. 1, an embodiment of the present invention provides a data protection device. As shown in Fig. 6, the device comprises a capturing unit 31, a parsing unit 32, a matching unit 33 and a processing unit 34.
The capturing unit 31 may be used to capture the call stack feature corresponding to an operation behavior of an application program on the terminal device. The capturing unit 31 is the functional module of the present device that performs this capture.
The parsing unit 32 may be used to parse the call stack feature captured by the capturing unit 31 to obtain the key elements of the call stack feature. The parsing unit 32 is the functional module of the present device that parses the captured call stack feature and obtains its key elements. The key elements may be one or more of the stack call sequence number, the module name, the function name and the function offset.
The matching unit 33 may be used to input the key elements to the pre-constructed stack matching engine for matching, so as to judge whether the operation behavior is a safe operation behavior, the stack matching engine having been constructed from the safe key elements of the call stack features corresponding to safe operation behaviors. The matching unit 33 is the main functional module and core module of the present device that performs this matching and judgment.
The processing unit 34 may be used to release the operation behavior if the matching unit 33 determines that the operation behavior is a safe operation behavior. The processing unit 34 is the functional module of the present device that releases an operation behavior determined by the matching unit 33 to be safe.
The processing unit 34 may also be used to block the operation behavior if the matching unit 33 determines that the operation behavior is a dangerous operation behavior. The processing unit 34 is likewise the functional module of the present device that blocks an operation behavior determined by the matching unit 33 to be dangerous.
In a specific application scenario, the matching unit 33 comprises a matching module 331 and a determining module 332, as shown in Fig. 7.
The matching module 331 may be used to input the key elements to the stack matching engine in order to judge whether the key elements match a safe key element matching rule in the preset stack feature matching library, the safe key element matching rule having been constructed from the safe key elements.
The determining module 332 may be used to determine that the operation behavior is a safe operation behavior if the matching module 331 determines that the key elements successfully match a safe key element matching rule in the preset stack feature matching library.
The determining module 332 may also be used to determine that the operation behavior is a dangerous operation behavior if the matching module 331 determines that the key elements fail to match the safe key element matching rules in the preset stack feature matching library.
It should be noted that the matching module 331 comprises a processing submodule, a matching submodule and a determining submodule.
The processing submodule may be used to input the key elements to the stack matching engine and to perform interpretation processing on the safe key element matching rules in the preset stack feature matching library, obtaining the interpretation unit of the safe key elements.
The matching submodule may be used to match the interpretation unit of the key elements against the interpretation unit of the safe key elements.
The determining submodule may be used to determine that the key elements match the safe key element matching rule in the preset stack feature matching library if the matching submodule determines that the interpretation unit of the key elements successfully matches the interpretation unit of the safe key elements;
The determining submodule may also be used to determine that the key elements fail to match the safe key element matching rule in the preset stack feature matching library if the matching submodule determines that the interpretation unit of the key elements fails to match the interpretation unit of the safe key elements.
The processing submodule is specifically used to input the key elements to the stack matching engine, to sequentially scan the safe key element matching rules in the preset stack feature matching library to obtain the character string of the safe key elements, to perform lexical analysis on the character string using the preset lexical rule to obtain the combined symbols of the safe key elements, and to perform grammatical analysis on the combined symbols using the preset grammar rule to obtain the interpretation unit of the safe key elements.
For the embodiment of the present invention, in order to obtain the preset stack feature matching library, the device further comprises a collecting unit 35 and a constructing unit 36.
The collecting unit 35 may be used to collect the call stack features corresponding to safe operation behaviors. The collecting unit 35 is the functional module of the present device that performs this collection.
The parsing unit 32 may be used to parse the call stack features corresponding to the safe operation behaviors to obtain the safe key elements. The parsing unit 32 is the functional module of the present device that parses these call stack features and obtains the safe key elements.
The constructing unit 36 may be used to construct the safe key element matching rules from the safe key elements, and to generate the preset stack feature matching library from the safe key element matching rules.
In a specific application scenario, the capturing unit 31 may comprise a monitoring module 311, a hooking module 312 and a backtracking module 313.
The monitoring module 311 may be used to inject a preset capture module into the process of the application program and to monitor the operation behavior.
The hooking module 312 may be used to hook the API functions of the system application layer of the terminal device using a preset hook function, so as to intercept the system call corresponding to the operation behavior.
The backtracking module 313 may be used to perform stack information backtracking on the system call using a preset stack information backtracking function, obtaining the call stack feature corresponding to the operation behavior.
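The capture side described for modules 311 to 313 (and restated in A6 and B13 below) is what produces the key elements that the engine matches: a hook on the API, a stack backtrace taken inside the hooked call, and a decision on the resulting frames before the operation is allowed to proceed. The following Python program is an added example, not code from the patent or its assignees, and it is an interpreter-level analogue rather than the native user-mode hook the page describes: the "hooked API" is a guarded write function, the preset stack information backtracking function is sys._getframe walking f_back, and the key elements are the frame index, the module's __name__, the code object's name and the bytecode offset f_lasti standing in for the function offset. The safe-stack library is a constructed allowlist keyed on frame 0 only; trusted_saver, untrusted_macro and laundered are constructed callers, and the in-memory STORE stands in for the protected files. The laundered caller shows why the page's rules span several frames ("[0:4]") rather than one: a check that inspects only the immediate caller releases any operation that untrusted code routes through a trusted function.

```python
# Added example (not the patent's code): interpreter-level analogue of the capture side,
# i.e. hook the API, backtrack the stack inside the call, decide on the key elements.
# Callers, the in-memory store and the safe-stack library are constructed for illustration.
import sys
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class KeyElement:
    module_number: int      # position in the call stack; 0 = immediate caller of the hooked API
    module_name: str        # here the Python module name; natively the DLL/EXE name
    function_name: str
    function_offset: int    # here the bytecode offset (f_lasti); natively the offset in the function

def backtrace(skip: int = 1, max_depth: int = 32) -> List[KeyElement]:
    """Stack information backtracking: start `skip` frames above this call, walk outward via f_back."""
    elems, f, n = [], sys._getframe(skip), 0
    while f is not None and n < max_depth:
        elems.append(KeyElement(n, f.f_globals.get("__name__", "?"), f.f_code.co_name, f.f_lasti))
        f, n = f.f_back, n + 1
    return elems

THIS_MODULE = __name__
# Constructed safe-stack library: (module_name, function_name) pairs permitted at frame 0.
SAFE_FRAME0 = {(THIS_MODULE, "trusted_saver")}
STORE = {}                                          # in-memory stand-in for the protected files
AUDIT: List[Tuple[str, List[KeyElement]]] = []      # (decision, captured stack) per intercepted call

class BlockedOperation(PermissionError):
    pass

def guarded_write(path: str, data: bytes) -> None:
    """The 'hooked' file API: judge the caller's stack before performing the write."""
    stack = backtrace(skip=2)          # 0 = backtrace, 1 = guarded_write, 2 = its caller
    top = stack[0]
    decision = "release" if (top.module_name, top.function_name) in SAFE_FRAME0 else "block"
    AUDIT.append((decision, stack))
    if decision == "block":
        raise BlockedOperation(f"{top.module_name}!{top.function_name}+{top.function_offset:#x}")
    STORE[path] = data

def trusted_saver(path: str, data: bytes) -> str:
    """Legitimate save path (constructed)."""
    guarded_write(path, data)
    return "release"

def untrusted_macro(path: str, data: bytes) -> str:
    """Untrusted code calling the API directly (constructed): blocked at frame 0."""
    try:
        guarded_write(path, data)
        return "release"
    except BlockedOperation:
        return "block"

def laundered(path: str, data: bytes) -> str:
    """Untrusted code routed through the trusted function: a frame-0-only rule releases it,
    which is why the page's rules span several frames ([0:4]) rather than one."""
    return trusted_saver(path, data)

if __name__ == "__main__":
    for fn in (trusted_saver, untrusted_macro, laundered):
        print(fn.__name__, "->", fn("report.docx", b"payload"), "| frame 0:", AUDIT[-1][1][0])
```

Running the module prints the decision and the frame-0 key element for each caller; the AUDIT list keeps the whole captured stack for every intercepted call, which is the raw material a collecting unit would format into library rules. To close the laundering hole the decision would have to match a range of frames, as the page's "[0:4]" rule does, instead of the single top frame used here.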
It should be noted that, for other descriptions of the functional modules involved in the data protection device provided by the embodiment of the present invention, reference may be made to the corresponding description of the method shown in Fig. 1, which is not repeated here.
Based on the method shown in Fig. 1 above, an embodiment of the present invention correspondingly also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the following steps: capturing the call stack feature corresponding to an operation behavior of an application program on a terminal device and parsing it to obtain the key elements of the call stack feature; inputting the key elements to a pre-constructed stack matching engine for matching, so as to judge whether the operation behavior is a safe operation behavior, the stack matching engine having been constructed from the safe key elements of the call stack features corresponding to safe operation behaviors; if the operation behavior is a safe operation behavior, releasing the operation behavior; and if the operation behavior is a dangerous operation behavior, blocking the operation behavior.
Based on the method shown in Fig. 1 and the data protection device shown in Fig. 6, an embodiment of the present invention also provides a physical structure diagram of a computer device. As shown in Fig. 8, the device comprises a processor 41, a memory 42, and a computer program stored on the memory 42 and runnable on the processor, the memory 42 and the processor 41 both being arranged on a bus 43. When the processor 41 executes the program, the following steps are implemented: capturing the call stack feature corresponding to an operation behavior of an application program on a terminal device and parsing it to obtain the key elements of the call stack feature; inputting the key elements to a pre-constructed stack matching engine for matching, so as to judge whether the operation behavior is a safe operation behavior, the stack matching engine having been constructed from the safe key elements of the call stack features corresponding to safe operation behaviors; if the operation behavior is a safe operation behavior, releasing the operation behavior; and if the operation behavior is a dangerous operation behavior, blocking the operation behavior. The device further comprises the bus 43, configured to couple the processor 41 and the memory 42.
According to the technical solution of the present invention, the call stack feature corresponding to an operation behavior of an application program on a terminal device is captured and parsed to obtain the key elements of the call stack feature; the key elements are input to a pre-constructed stack matching engine for matching in order to judge whether the operation behavior is a safe operation behavior, the stack matching engine having been constructed from the safe key elements of the call stack features corresponding to safe operation behaviors. If the operation behavior is a safe operation behavior, it is released; if it is a dangerous operation behavior, it is blocked. Data protection is thereby performed according to call stack features, which are finer-grained than the process or thread, so that hacker attacks are avoided and the data on the terminal device is prevented from being leaked or damaged.
The embodiment of the present invention also provides the following technical solutions:
A1. A data protection method, comprising:
capturing the call stack feature corresponding to an operation behavior of an application program on a terminal device and parsing it to obtain the key elements of the call stack feature;
inputting the key elements to a pre-constructed stack matching engine for matching, so as to judge whether the operation behavior is a safe operation behavior, the stack matching engine being constructed from the safe key elements of the call stack features corresponding to safe operation behaviors;
if the operation behavior is a safe operation behavior, releasing the operation behavior;
if the operation behavior is a dangerous operation behavior, blocking the operation behavior.
A2. The method according to A1, wherein inputting the key elements to the pre-constructed stack matching engine for matching, so as to judge whether the operation behavior is a safe operation behavior, comprises:
inputting the key elements to the stack matching engine to judge whether the key elements match a safe key element matching rule in a preset stack feature matching library, the safe key element matching rule being constructed from the safe key elements;
if the match succeeds, determining that the operation behavior is a safe operation behavior;
if the match fails, determining that the operation behavior is a dangerous operation behavior.
A3. The method according to A2, wherein inputting the key elements to the pre-constructed stack matching engine to judge whether the key elements match a safe key element matching rule in the preset stack feature matching library comprises:
inputting the key elements to the stack matching engine and performing interpretation processing on the safe key element matching rules in the preset stack feature matching library to obtain the interpretation unit of the safe key elements;
matching the interpretation unit of the key elements against the interpretation unit of the safe key elements;
if the match succeeds, determining that the key elements successfully match the safe key element matching rule in the preset stack feature matching library;
if the match fails, determining that the key elements fail to match the safe key element matching rule in the preset stack feature matching library.
A4. The method according to A3, wherein inputting the key elements to the stack matching engine and performing interpretation processing on the safe key element matching rules in the preset stack feature matching library to obtain the interpretation unit of the safe key elements comprises:
inputting the key elements to the stack matching engine and sequentially scanning the safe key element matching rules in the preset stack feature matching library to obtain the character string of the safe key elements;
performing lexical analysis on the character string using a preset lexical rule to obtain the combined symbols of the safe key elements;
performing grammatical analysis on the combined symbols using a preset grammar rule to obtain the interpretation unit of the safe key elements.
A5. The method according to A2, further comprising:
collecting the call stack features corresponding to safe operation behaviors and parsing them to obtain the safe key elements;
constructing the safe key element matching rules from the safe key elements, and generating the preset stack feature matching library from the safe key element matching rules.
A6. The method according to any one of A1 to A5, wherein capturing the call stack feature corresponding to the operation behavior of the application program on the terminal device comprises:
injecting a preset capture module into the process of the application program and monitoring the operation behavior;
hooking the API functions of the system application layer of the terminal device using a preset hook function, so as to intercept the system call corresponding to the operation behavior;
performing stack information backtracking on the system call using a preset stack information backtracking function to obtain the call stack feature corresponding to the operation behavior.
A7. The method according to any one of A1 to A5, wherein the key elements are one or more of the stack call sequence number, the module name, the function name and the function offset.
B8. A data protection device, comprising:
a capturing unit for capturing the call stack feature corresponding to an operation behavior of an application program on a terminal device;
a parsing unit for parsing the call stack feature captured by the capturing unit to obtain the key elements of the call stack feature;
a matching unit for inputting the key elements to a pre-constructed stack matching engine for matching, so as to judge whether the operation behavior is a safe operation behavior, the stack matching engine being constructed from the safe key elements of the call stack features corresponding to safe operation behaviors;
a processing unit for releasing the operation behavior if the matching unit determines that the operation behavior is a safe operation behavior;
the processing unit further being for blocking the operation behavior if the matching unit determines that the operation behavior is a dangerous operation behavior.
B9. The device according to B8, wherein the matching unit comprises:
a matching module for inputting the key elements to the stack matching engine to judge whether the key elements match a safe key element matching rule in a preset stack feature matching library, the safe key element matching rule being constructed from the safe key elements;
a determining module for determining that the operation behavior is a safe operation behavior if the matching module determines that the key elements successfully match a safe key element matching rule in the preset stack feature matching library;
the determining module further being for determining that the operation behavior is a dangerous operation behavior if the matching module determines that the key elements fail to match the safe key element matching rules in the preset stack feature matching library.
B10. The device according to B9, wherein the matching module comprises:
a processing submodule for inputting the key elements to the stack matching engine and performing interpretation processing on the safe key element matching rules in the preset stack feature matching library to obtain the interpretation unit of the safe key elements;
a matching submodule for matching the interpretation unit of the key elements against the interpretation unit of the safe key elements;
a determining submodule for determining that the key elements match the safe key element matching rule in the preset stack feature matching library if the matching submodule determines that the interpretation unit of the key elements successfully matches the interpretation unit of the safe key elements;
the determining submodule further being for determining that the key elements fail to match the safe key element matching rule in the preset stack feature matching library if the matching submodule determines that the interpretation unit of the key elements fails to match the interpretation unit of the safe key elements.
B11. The device according to B10, wherein
the processing submodule is specifically for inputting the key elements to the stack matching engine, sequentially scanning the safe key element matching rules in the preset stack feature matching library to obtain the character string of the safe key elements, performing lexical analysis on the character string using a preset lexical rule to obtain the combined symbols of the safe key elements, and performing grammatical analysis on the combined symbols using a preset grammar rule to obtain the interpretation unit of the safe key elements.
B12. The device according to B10, further comprising a collecting unit and a constructing unit, wherein
the collecting unit is for collecting the call stack features corresponding to safe operation behaviors;
the parsing unit is for parsing the call stack features corresponding to the safe operation behaviors to obtain the safe key elements;
the constructing unit is for constructing the safe key element matching rules from the safe key elements and generating the preset stack feature matching library from the safe key element matching rules.
B13. The device according to any one of B8 to B12, wherein the capturing unit comprises:
a monitoring module for injecting a preset capture module into the process of the application program and monitoring the operation behavior;
a hooking module for hooking the API functions of the system application layer of the terminal device using a preset hook function, so as to intercept the system call corresponding to the operation behavior;
a backtracking module for performing stack information backtracking on the system call using a preset stack information backtracking function to obtain the call stack feature corresponding to the operation behavior.
B14. The device according to any one of B8 to B12, wherein the key elements are one or more of the stack call sequence number, the module name, the function name and the function offset.
C15. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the method according to any one of A1 to A7.
D16. A computer device comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, the processor implementing the steps of the method according to any one of A1 to A7 when executing the computer program.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant descriptions of the other embodiments.
It will be understood that the related features of the above method and device may be referred to each other. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not indicate that one embodiment is better or worse than another.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented using various programming languages, and the description of a specific language above is given to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided here. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the data protection device according to an embodiment of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.

Claims (10)

1. A data protection method, characterized by comprising:
capturing the call stack feature corresponding to an operation behavior of an application program on a terminal device and parsing it, to obtain the key elements of the call stack feature;
inputting the key elements into a pre-built stack matching engine for matching, so as to judge whether the operation behavior is a safe operation behavior, the stack matching engine being built from the safety key elements of the call stack features corresponding to safe operation behaviors;
if the operation behavior is a safe operation behavior, releasing the operation behavior;
if the operation behavior is a dangerous operation behavior, blocking the operation behavior.
2. The method according to claim 1, characterized in that inputting the key elements into the pre-built stack matching engine for matching, so as to judge whether the operation behavior is a safe operation behavior, comprises:
inputting the key elements into the stack matching engine, to judge whether the key elements match a safety key element matching rule in a preset stack feature matching library, the safety key element matching rule being built from the safety key elements;
if the match succeeds, determining that the operation behavior is a safe operation behavior;
if the match fails, determining that the operation behavior is a dangerous operation behavior.
3. The method according to claim 2, characterized in that inputting the key elements into the pre-built stack matching engine, to judge whether the key elements match a safety key element matching rule in the preset stack feature matching library, comprises:
inputting the key elements into the stack matching engine, to perform interpretation processing on the safety key element matching rules in the preset stack feature matching library and obtain the interpretation units of the safety key elements;
matching the interpretation units of the key elements against the interpretation units of the safety key elements;
if the match succeeds, determining that the key elements match the safety key element matching rule in the preset stack feature matching library;
if the match fails, determining that the key elements do not match the safety key element matching rule in the preset stack feature matching library.
4. The method according to claim 3, characterized in that inputting the key elements into the stack matching engine, to perform interpretation processing on the safety key element matching rules in the preset stack feature matching library and obtain the interpretation units of the safety key elements, comprises:
inputting the key elements into the stack matching engine, to scan the safety key element matching rules in the preset stack feature matching library sequentially and obtain the character strings of the safety key elements;
performing lexical analysis on the character strings using preset lexical rules, to obtain the compound symbols of the safety key elements;
performing syntactic analysis on the compound symbols using preset syntax rules, to obtain the interpretation units of the safety key elements.
5. The method according to claim 2, characterized in that the method further comprises:
collecting the call stack features corresponding to safe operation behaviors and parsing them, to obtain the safety key elements;
building safety key element matching rules from the safety key elements, and generating the preset stack feature matching library from the safety key element matching rules.
6. The method according to any one of claims 1 to 5, characterized in that capturing the call stack feature corresponding to the operation behavior of the application program on the terminal device comprises:
injecting a preset capture module into the process of the application program, to monitor the operation behavior;
hooking the functional functions of the system application layer of the terminal device using a preset hook function, to intercept the system call corresponding to the operation behavior;
performing stack information backtracking on the system call using a preset stack information backtracking function, to obtain the call stack feature corresponding to the operation behavior.
7. The method according to any one of claims 1 to 5, characterized in that the key elements may be one or more of a stack call sequence number, a module name, a function name and a function offset.
8. A data protection device, characterized by comprising:
a capturing unit, configured to capture the call stack feature corresponding to an operation behavior of an application program on a terminal device;
a parsing unit, configured to parse the call stack feature captured by the capturing unit, to obtain the key elements of the call stack feature;
a matching unit, configured to input the key elements into a pre-built stack matching engine for matching, so as to judge whether the operation behavior is a safe operation behavior, the stack matching engine being built from the safety key elements of the call stack features corresponding to safe operation behaviors;
a processing unit, configured to release the operation behavior if the matching unit determines that the operation behavior is a safe operation behavior;
the processing unit being further configured to block the operation behavior if the matching unit determines that the operation behavior is a dangerous operation behavior.
9. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
10. A computer device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 7.
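The matching engine of claims 1 to 5 and 7, written out as an added Python example; this is not code from the patent or from its applicants. It assumes a hypothetical rule syntax (`module!function+offset`, frames chained innermost-first with `->`, `+*` wildcarding the offset) standing in for the patent's unspecified "preset lexical rules" and "preset syntax rules", a matching policy in which the innermost frame must match the first pattern and later patterns must follow in order with gaps allowed, and constructed sample stacks whose module and function names are illustrative only. The capture step of claim 6 (injection, API hooking, backtrace) is outside the example; it starts from an already captured stack.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Frame:
    """Captured stack frame; the fields are the key elements of claim 7 (seq 0 = innermost)."""
    seq: int
    module: str
    function: str
    offset: int

@dataclass(frozen=True)
class FramePattern:
    """Interpretation unit of a rule; offset None matches any offset."""
    module: str
    function: str
    offset: Optional[int]

    def matches(self, frame: Frame) -> bool:
        return (self.module == frame.module.lower() and self.function == frame.function
                and (self.offset is None or self.offset == frame.offset))

# Lexical rules for a hypothetical rule syntax (not the patent's own): a frame is written
# "module!function+offset", frames are chained innermost-first with "->", "+*" wildcards the offset.
TOKEN_RE = re.compile(r"(?P<WS>\s+)|(?P<ARROW>->)|(?P<BANG>!)|(?P<PLUS>\+)|(?P<STAR>\*)"
                      r"|(?P<HEX>0x[0-9A-Fa-f]+)|(?P<IDENT>[A-Za-z_][A-Za-z0-9_.]*)")

def lex(rule: str) -> List[Tuple[str, str]]:
    # Lexical step of claim 4: scan the rule string sequentially into (kind, text) tokens.
    tokens, pos = [], 0
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if m is None:
            raise ValueError(f"unexpected character {rule[pos]!r} at {pos} in {rule!r}")
        pos = m.end()
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group()))
    return tokens

def parse_rule(rule: str) -> List[FramePattern]:
    """Syntactic step of claim 4: rule := frame ("->" frame)*, frame := IDENT "!" IDENT "+" (HEX | "*")."""
    toks, i = lex(rule), 0

    def expect(kind: str) -> str:
        nonlocal i
        if i >= len(toks) or toks[i][0] != kind:
            raise ValueError(f"expected {kind} at token {i} in {rule!r}")
        i += 1
        return toks[i - 1][1]

    patterns: List[FramePattern] = []
    while True:
        module = expect("IDENT").lower()
        expect("BANG")
        function = expect("IDENT")
        expect("PLUS")
        if i < len(toks) and toks[i][0] == "STAR":
            i, offset = i + 1, None
        else:
            offset = int(expect("HEX"), 16)
        patterns.append(FramePattern(module, function, offset))
        if i == len(toks):
            return patterns
        expect("ARROW")

def rule_matches(patterns: List[FramePattern], stack: List[Frame]) -> bool:
    # Innermost frame must match pattern 0; later patterns follow in order, gaps allowed,
    # so OS-version-specific forwarder frames need not be enumerated in every rule.
    frames = sorted(stack, key=lambda f: f.seq)
    if not frames or not patterns[0].matches(frames[0]):
        return False
    pi = 1
    for frame in frames[1:]:
        if pi == len(patterns):
            break
        if patterns[pi].matches(frame):
            pi += 1
    return pi == len(patterns)

def decide(library: List[str], stack: List[Frame]) -> str:
    """Claims 1 and 2: release ("allow") a stack matching any rule of the preset library, else block."""
    return "allow" if any(rule_matches(parse_rule(r), stack) for r in library) else "block"

def rule_from_stack(stack: List[Frame], keep_offsets: bool = False) -> str:
    # Claim 5: derive a rule from a stack captured during a known-safe operation; offsets are
    # wildcarded by default so that a rebuilt binary does not invalidate the rule.
    return " -> ".join(f"{f.module}!{f.function}+" + (f"0x{f.offset:x}" if keep_offsets else "*")
                       for f in sorted(stack, key=lambda f: f.seq))

# Constructed sample data (not from the patent): a document save that reaches NtWriteFile through
# the normal Win32 path, and a write whose caller lies in memory backed by no module ("?").
SAFE_STACK = [Frame(0, "ntdll.dll", "NtWriteFile", 0x14), Frame(1, "KernelBase.dll", "WriteFile", 0x9a),
              Frame(2, "kernel32.dll", "WriteFile", 0x3f), Frame(3, "wordproc.exe", "SaveDocument", 0x1c2)]
RISKY_STACK = [Frame(0, "ntdll.dll", "NtWriteFile", 0x14), Frame(1, "KernelBase.dll", "WriteFile", 0x9a),
               Frame(2, "?", "?", 0x7ffd1234)]
LIBRARY = ["ntdll.dll!NtWriteFile+* -> kernel32.dll!WriteFile+* -> wordproc.exe!SaveDocument+*"]

if __name__ == "__main__":
    print("safe:", decide(LIBRARY, SAFE_STACK), "| risky:", decide(LIBRARY, RISKY_STACK))
    print("learned rule:", rule_from_stack(SAFE_STACK))
```

The library is an allow-list: a stack that no rule covers is blocked, which is what makes the scheme useful against callers with no module behind them, but it also means every legitimate path must be collected (claim 5) before enforcement, or the first unrecorded path is a false positive. Keeping offsets wildcarded by default trades some precision for robustness across builds; a deployment can tighten individual rules with `keep_offsets=True` where the calling binary is stable.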
CN201811645681.1A 2018-06-26 2018-12-29 Data prevention method and device Pending CN109766698A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810668277X 2018-06-26
CN201810668277.XA CN108846287A (en) 2018-06-26 2018-06-26 A kind of method and device of detection loophole attack

Publications (1)

Publication Number Publication Date
CN109766698A true CN109766698A (en) 2019-05-17

Family

ID=64202031

Family Applications (10)

Application Number Title Priority Date Filing Date
CN201810668277.XA Pending CN108846287A (en) 2018-05-04 2018-06-26 A kind of method and device of detection loophole attack
CN201811645578.7A Pending CN109711172A (en) 2018-06-26 2018-12-29 Data prevention method and device
CN201811645681.1A Pending CN109766698A (en) 2018-06-26 2018-12-29 Data prevention method and device
CN201811640471.3A Active CN109753806B (en) 2018-06-26 2018-12-29 Server protection method and device
CN201811640481.7A Active CN109711168B (en) 2018-06-26 2018-12-29 Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium
CN201811646131.1A Active CN109766701B (en) 2018-06-26 2018-12-29 Processing method and device for abnormal process ending operation and electronic device
CN201811640753.3A Pending CN109829309A (en) 2018-06-26 2018-12-29 Terminal device system protection method and device
CN201811640526.0A Pending CN109726560A (en) 2018-06-26 2018-12-29 Terminal device system protection method and device
CN201811640643.7A Pending CN109829307A (en) 2018-06-26 2018-12-29 Process behavior recognition methods and device
CN201811640231.3A Active CN109871691B (en) 2018-06-26 2018-12-29 Authority-based process management method, system, device and readable storage medium


Country Status (1)

Country Link
CN (10) CN108846287A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113392416A (en) * 2021-06-28 2021-09-14 北京恒安嘉新安全技术有限公司 Method, device, equipment and storage medium for acquiring application program encryption and decryption data
US20220083644A1 (en) * 2020-09-16 2022-03-17 Cisco Technology, Inc. Security policies for software call stacks

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109711166B (en) * 2018-12-17 2020-12-11 北京知道创宇信息技术股份有限公司 Vulnerability detection method and device
CN109558730B (en) * 2018-12-29 2020-10-16 360企业安全技术(珠海)有限公司 Safety protection method and device for browser
CN109800576B (en) * 2018-12-29 2021-07-23 360企业安全技术(珠海)有限公司 Monitoring method and device for unknown program exception request and electronic device
CN112395585B (en) * 2019-08-15 2023-01-06 奇安信安全技术(珠海)有限公司 Database service login method, device, equipment and readable storage medium
CN112395604B (en) * 2019-08-15 2022-09-30 奇安信安全技术(珠海)有限公司 System monitoring login protection method, client, server and storage medium
CN112398789A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Remote login control method, device, system, storage medium and electronic device
CN112398784B (en) * 2019-08-15 2023-01-06 奇安信安全技术(珠海)有限公司 Method and device for defending vulnerability attack, storage medium and computer equipment
CN112398787B (en) * 2019-08-15 2022-09-30 奇安信安全技术(珠海)有限公司 Mailbox login verification method and device, computer equipment and storage medium
CN112395617A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Method and device for protecting docker escape vulnerability, storage medium and computer equipment
CN110610086B (en) * 2019-08-30 2021-06-18 北京卓识网安技术股份有限公司 Illegal code identification method, system, device and storage medium
WO2021046811A1 (en) * 2019-09-12 2021-03-18 奇安信安全技术(珠海)有限公司 Attack behavior determination method and apparatus, and computer storage medium
CN110505247B (en) * 2019-09-27 2022-05-17 百度在线网络技术(北京)有限公司 Attack detection method and device, electronic equipment and storage medium
CN111209559B (en) * 2019-12-23 2022-02-15 东软集团股份有限公司 Permission processing method and device of application program, storage medium and electronic equipment
CN111046377B (en) * 2019-12-25 2023-11-14 五八同城信息技术有限公司 Method and device for loading dynamic link library, electronic equipment and storage medium
CN111382076B (en) * 2020-03-10 2023-04-25 抖音视界有限公司 Application program testing method and device, electronic equipment and computer storage medium
CN111884884B (en) * 2020-07-31 2022-05-31 北京明朝万达科技股份有限公司 Method, system and device for monitoring file transmission
CN111859405A (en) * 2020-07-31 2020-10-30 深信服科技股份有限公司 Threat immunization framework, method, equipment and readable storage medium
CN112069505B (en) * 2020-09-15 2021-11-23 北京微步在线科技有限公司 Audit information processing method and electronic equipment
CN112910868A (en) * 2021-01-21 2021-06-04 平安信托有限责任公司 Enterprise network security management method and device, computer equipment and storage medium
CN113742726A (en) * 2021-08-27 2021-12-03 恒安嘉新(北京)科技股份公司 Program recognition model training and program recognition method, device, equipment and medium
CN113779561B (en) * 2021-09-09 2024-03-01 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN115051905A (en) * 2022-07-19 2022-09-13 广东泓胜科技股份有限公司 Port security monitoring and analyzing method, device and related equipment
CN116707929A (en) * 2023-06-16 2023-09-05 广州市玄武无线科技股份有限公司 Mobile phone photographing and faking detection method and device based on call stack information acquisition

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101373501A (en) * 2008-05-12 2009-02-25 公安部第三研究所 Method for capturing dynamic behavior aiming at computer virus
CN105224862A (en) * 2015-09-25 2016-01-06 北京北信源软件股份有限公司 A kind of hold-up interception method of office shear plate and device
CN107251513A (en) * 2014-11-25 2017-10-13 恩西洛有限公司 System and method for the accurate guarantee of Malicious Code Detection
CN107704356A (en) * 2017-06-12 2018-02-16 平安科技(深圳)有限公司 Exception stack information acquisition method, device and computer-readable recording medium

Family Cites Families (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7093239B1 (en) * 2000-07-14 2006-08-15 Internet Security Systems, Inc. Computer immune system and method for detecting unwanted code in a computer system
US7546587B2 (en) * 2004-03-01 2009-06-09 Microsoft Corporation Run-time call stack verification
US7891000B1 (en) * 2005-08-05 2011-02-15 Cisco Technology, Inc. Methods and apparatus for monitoring and reporting network activity of applications on a group of host computers
KR100843701B1 (en) * 2006-11-07 2008-07-04 소프트캠프(주) Confirmation method of API by the information at Call-stack
CN101059829A (en) * 2007-05-16 2007-10-24 珠海金山软件股份有限公司 Device and method for automatically analyzing course risk grade
US8117424B2 (en) * 2007-09-21 2012-02-14 Siemens Industry, Inc. Systems, devices, and/or methods for managing programmable logic controller processing
CN101286995B (en) * 2008-05-23 2010-12-08 北京锐安科技有限公司 Long-range control method and system
US9110801B2 (en) * 2009-02-10 2015-08-18 International Business Machines Corporation Resource integrity during partial backout of application updates
CN101753377B (en) * 2009-12-29 2011-11-09 吉林大学 p2p_botnet real-time detection method and system
CN103136472B (en) * 2011-11-29 2016-08-31 腾讯科技(深圳)有限公司 A kind of anti-application program steals method and the mobile device of privacy
CN102546624A (en) * 2011-12-26 2012-07-04 西北工业大学 Method and system for detecting and defending multichannel network intrusion
CN103368904B (en) * 2012-03-27 2016-12-28 百度在线网络技术(北京)有限公司 The detection of mobile terminal, questionable conduct and decision-making system and method
US10037212B2 (en) * 2012-04-20 2018-07-31 Nxp Usa, Inc. Information processing device and method for protecting data in a call stack
CN102750475B (en) * 2012-06-07 2017-08-15 中国电子科技集团公司第三十研究所 Malicious code behavioral value method and system are compared based on view intersection inside and outside virtual machine
CN103778375B (en) * 2012-10-24 2017-11-17 腾讯科技(深圳)有限公司 The apparatus and method for preventing user equipment from loading illegal dynamic link library file
US8990944B1 (en) * 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
US9558347B2 (en) * 2013-08-27 2017-01-31 Globalfoundries Inc. Detecting anomalous user behavior using generative models of user actions
CN103631712B (en) * 2013-10-23 2016-03-02 北京信息控制研究所 A kind of medelling software critical behavior tracking based on memory management
US9519758B2 (en) * 2014-02-04 2016-12-13 Pegasus Media Security, Llc System and process for monitoring malicious access of protected content
CN103761472B (en) * 2014-02-21 2017-05-24 北京奇虎科技有限公司 Application program accessing method and device based on intelligent terminal
US9652328B2 (en) * 2014-05-12 2017-05-16 International Business Machines Corporation Restoring an application from a system dump file
CN105335654B (en) * 2014-06-27 2018-12-14 北京金山安全软件有限公司 Android malicious program detection and processing method, device and equipment
CN104268471B (en) * 2014-09-10 2017-04-26 珠海市君天电子科技有限公司 Method and device for detecting return-oriented programming attack
US9721112B2 (en) * 2014-09-29 2017-08-01 Airwatch Llc Passive compliance violation notifications
CN104484599B (en) * 2014-12-16 2017-12-12 北京奇虎科技有限公司 A kind of behavior treating method and apparatus based on application program
US10614210B2 (en) * 2015-07-31 2020-04-07 Digital Guardian, Inc. Systems and methods of protecting data from injected malware
CN105279432B (en) * 2015-10-12 2018-11-23 北京金山安全软件有限公司 Software monitoring processing method and device
CN105678168A (en) * 2015-12-29 2016-06-15 北京神州绿盟信息安全科技股份有限公司 Method and apparatus for detecting Shellcode based on stack frame abnormity
WO2017166037A1 (en) * 2016-03-29 2017-10-05 深圳投之家金融信息服务有限公司 Data tampering detection device and method
CN107330320B (en) * 2016-04-29 2020-06-05 腾讯科技(深圳)有限公司 Method and device for monitoring application process
US9807104B1 (en) * 2016-04-29 2017-10-31 STEALTHbits Technologies, Inc. Systems and methods for detecting and blocking malicious network activity
CN105956462B (en) * 2016-06-29 2019-05-10 珠海豹趣科技有限公司 A kind of method, apparatus and electronic equipment preventing malicious loading driving
CN106203092B (en) * 2016-06-30 2019-12-10 珠海豹趣科技有限公司 Method and device for intercepting shutdown of malicious program and electronic equipment
CN106201811B (en) * 2016-07-06 2019-03-26 青岛海信宽带多媒体技术有限公司 The fault recovery method and terminal of application program
CN106411588B (en) * 2016-09-29 2019-10-25 锐捷网络股份有限公司 A kind of network device management method, main equipment and management server
CN107959595B (en) * 2016-10-14 2020-10-27 腾讯科技(深圳)有限公司 Method, device and system for anomaly detection
CN108171056A (en) * 2016-12-08 2018-06-15 武汉安天信息技术有限责任公司 It is a kind of to automate the malicious detection method of judgement sample and device
CN106708734B (en) * 2016-12-13 2020-01-10 腾讯科技(深圳)有限公司 Software anomaly detection method and device
CN108280346B (en) * 2017-01-05 2022-05-31 腾讯科技(深圳)有限公司 Application protection monitoring method, device and system
CN106991324B (en) * 2017-03-30 2020-02-14 兴华永恒(北京)科技有限责任公司 Malicious code tracking and identifying method based on memory protection type monitoring
CN107358071A (en) * 2017-06-07 2017-11-17 武汉斗鱼网络科技有限公司 Prevent the method and device that function illegally calls in Flash application programs
CN107483274A (en) * 2017-09-25 2017-12-15 北京全域医疗技术有限公司 Service item running state monitoring method and device
CN108052431A (en) * 2017-12-08 2018-05-18 北京奇虎科技有限公司 Terminal program exception closing information processing method, device, terminal


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220083644A1 (en) * 2020-09-16 2022-03-17 Cisco Technology, Inc. Security policies for software call stacks
CN113392416A (en) * 2021-06-28 2021-09-14 北京恒安嘉新安全技术有限公司 Method, device, equipment and storage medium for acquiring application program encryption and decryption data
CN113392416B (en) * 2021-06-28 2024-03-22 北京恒安嘉新安全技术有限公司 Method, device, equipment and storage medium for acquiring application program encryption and decryption data

Also Published As

Publication number Publication date
CN109711168A (en) 2019-05-03
CN109753806A (en) 2019-05-14
CN109871691B (en) 2021-07-20
CN108846287A (en) 2018-11-20
CN109829307A (en) 2019-05-31
CN109766701B (en) 2021-04-27
CN109753806B (en) 2024-01-19
CN109711168B (en) 2021-01-15
CN109829309A (en) 2019-05-31
CN109871691A (en) 2019-06-11
CN109726560A (en) 2019-05-07
CN109711172A (en) 2019-05-03
CN109766701A (en) 2019-05-17

Similar Documents

Publication Publication Date Title
CN109766698A (en) Data prevention method and device
KR102306568B1 (en) Processor trace-based enforcement of control flow integrity in computer systems
CN111859375B (en) Vulnerability detection method and device, electronic equipment and storage medium
CN110602042B (en) APT attack behavior analysis and detection method and device based on cascade attack chain model
CN104050417B (en) A kind of method and device detected in mobile terminal to application state
CN111651754A (en) Intrusion detection method and device, storage medium and electronic device
CN103209173A (en) Vulnerability mining method of network protocols
CN110099044A (en) Cloud Host Security detection system and method
Liao et al. Smartdagger: a bytecode-based static analysis approach for detecting cross-contract vulnerability
CN115174279A (en) Real-time detection method, terminal and storage medium for intelligent Ether house contract vulnerability
CN113779578B (en) Intelligent confusion method and system for mobile terminal application
CN110505246A (en) Client network communication detecting method, device and storage medium
Zhou et al. Ui obfuscation and its effects on automated ui analysis for android apps
CN110717181B (en) Non-control data attack detection method and device based on novel program dependency graph
CN109740351A (en) A kind of leak detection method, device and the equipment of embedded firmware
CN104484608A (en) Application-based message processing method and application-based message processing device
Iffländer et al. Hands off my database: Ransomware detection in databases through dynamic analysis of query sequences
Xin et al. Replacement attacks on behavior based software birthmark
CN105590058B (en) The detection method and device of virtual machine escape
CN113672933A (en) Hongmen security vulnerability detection method and system
CN107169354A (en) Multi-layer android system malicious act monitoring method
CN113419960A (en) Seed generation method and system for kernel fuzzy test of trusted operating system
Tokhtabayev et al. Dynamic, resilient detection of complex malicious functionalities in the system call domain
Norboev et al. On the robustness of stochastic stealthy network against android app repackaging
CN109815696A (en) Terminal device system protection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Applicant after: Qianxin Technology Group Co., Ltd

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Applicant before: Beijing Qianxin Technology Co., Ltd
