Specific embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to accompanying drawings.Although showing the disclosure in attached drawing
Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure without should be by embodiments set forth here
It is limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the scope of the present disclosure
It is fully disclosed to those skilled in the art.
As stated in the background art, terminal device is carried out by the way of encrypting to the document itself where data at present
Data protection, or terminal device data protection is carried out using the DLP system of profession, encrypted application program quilt can not be prevented
Virus or hacker break through after leaking data, it is therefore proposed that a kind of new data protection mode has become terminal device safety
Field technical problem urgently to be resolved.
In order to solve the above-mentioned technical problem, the embodiment of the invention provides a kind of data prevention methods, as shown in Figure 1, institute
The method of stating includes:
101, capture application program to the corresponding allocating stack feature of the operation behavior of terminal device and parses, and obtains
The key element of the allocating stack feature.
Wherein, the terminal device can be computer, notebook or mobile phone etc..The allocating stack feature can be
The application program executes the system function function interface sequence called when the operation behavior, belongs to dynamic memory data.It is right
Different in the corresponding allocating stack feature of the different operation behavior of terminal device, same operation behavior is corresponding under different scenes
Allocating stack feature is also different.As shown in Fig. 2, illustrating the corresponding allocating stack feature of File Open behavior.
For the embodiment of the present invention, default trapping module can be injected by process injection technique by the application program
The process space in, then by hook technology link up with the operation behavior system call, finally recycle back trace technique pair
The system calls the mode recalled, and obtains the corresponding allocating stack feature of the operation behavior.
It should be noted that the key element can according to important procedure, function from the allocating stack feature
It parses, the key element can be identified for that the operation behavior.The key element be specifically as follows storehouse call serial number,
Module name, function name, function offset.Since the different operating function for calling natural labor to realize of identical several functions is different, because
This extracts storehouse and calls serial number.In addition, storehouse initial data is made of a series of Function return addresses, inside a function
Operation can be carried out, multiple other functions can also be called, therefore extracts the function offset of return address.The return of function
Location ought to be in some function, and the position of marker function is most directly expressed as function name, therefore extracts function name.Each function is again
It is under the jurisdiction of some module, module is identified with module name, therefore extraction module name.For example, to the " shcore.dll in such as Fig. 2!
SHCreateStreamFileW+0x38e (C: Windows System32 shcore.dll) " carry out parsing extraction key
Element is [1, " shcore.dll ", " SHCreateStreamFileW ", 0x38e].1 calls serial number for storehouse,
" shcore.dll " is module name, and " SHCreateStreamFileW " is function name, and 0x38e is function offset.
102, the key element is input to the storehouse matching engine constructed in advance to match, to judge the operation
Whether behavior is safety operation behavior.If so, thening follow the steps 103;If it is not, thening follow the steps 104.
Wherein, the storehouse matching engine is to be wanted according to the safety-critical of the corresponding allocating stack feature of safety operation behavior
Element building.The storehouse matching engine can determine that the key element is by matching operations such as logic, arithmetic, character strings
It is no to be matched with the safety-critical element, to judge whether the operation behavior is safety operation behavior, if the key element
It is matched with the safety-critical element, feeds back the matching result of successful match, then can be confirmed the operation behavior for safety behaviour
Make behavior, if the key element and the safety-critical element mismatch, feeds back the matching result that it fails to match, then it can be true
Recognize the operation behavior and non-secure operations behavior, and is risky operation behavior.
It should be noted that the primary interface of the storehouse matching engine can be acquisition storehouse matching result interface letter
Number, such as BOOL GetStackMatchResult (PVOID*pStackArrayULONG uStackLen, const CHAR*
pApiName,eunm&eResult).Wherein, the meaning of parameters can be such that
PStackArray: the return address list array of storehouse is inputted
UStackLen: the length of return address list array
PApiName: the monitoring point API of current behavior stack, such as: NtCreateFile
EResult: when function call successfully returns to TRUE, the value of enumeration type returns to E_STACKMATCH_
It fails to match by SUCCESS successful match, E_STACKMATCH_FAILED
Return value: function call successfully returns to TRUE, and the result that eResult is returned at this time is only effectively, otherwise returns
FALSE。
103, clearance processing is carried out to the operation behavior.
For example, application program is the opening behavior of some file in terminal device to the operation behavior of terminal device, if will
The key element that the opening behavior of some file corresponds to allocating stack feature is input in the storehouse matching engine, obtained
It is successful match with result, it is determined that the opening behavior of some file is safety operation behavior, and application program belongs to normal opening
Some file, therefore let pass to the opening behavior of some file, allow application program to open some file.
104, prevention processing is carried out to the operation behavior.
It should be noted that the accuracy in order to guarantee data protection, is determining that the operation behavior is risky operation row
To be rear, safe operation personnel can also be notified further to judge the operation behavior, to protect terminal device data to be leaked
And damage.
A kind of data prevention method provided in an embodiment of the present invention carries out the document itself where data with current use
The mode of encryption carries out terminal device data protection, or is compared using the DLP system progress terminal device data protection of profession,
The embodiment of the present invention can capture application program to the corresponding allocating stack feature of the operation behavior of terminal device and parse,
Obtain the key element of the allocating stack feature;And the key element can be input to the storehouse matching constructed in advance and drawn
It holds up and is matched, to judge whether the operation behavior is safety operation behavior, the storehouse matching engine is to be grasped according to safety
Make the safety-critical element building of the corresponding allocating stack feature of behavior.If the operation behavior is safety operation behavior,
Clearance processing is carried out to the operation behavior;If the operation behavior is risky operation behavior, the operation behavior is carried out
Prevention processing carries out data protection according to allocating stack feature more fine-grained than process, thread so as to realize, avoid by
Hacker attack, and then can be avoided terminal device data and be leaked and damage.
Further, in order to better illustrate the process of above-mentioned data protection, as the refinement and expansion to above-described embodiment
Exhibition, the embodiment of the invention provides another data prevention methods, as shown in figure 3, but not limited to this, it is specific as follows shown:
201, capture application program to the corresponding allocating stack feature of the operation behavior of terminal device and parses, and obtains
The key element of the allocating stack feature.
For the embodiment of the present invention, the capture application program is special to the corresponding allocating stack of the operation behavior of terminal device
The process of sign may include: to be injected into default trapping module in the process of the application program, monitor the operation behavior;Benefit
It is linked up with power function of the default hooking function to the system application layer of the terminal device, to intercept the operation behavior
Corresponding system is called;The system is called using default stack information backtracking function and carries out the backtracking of stack information, obtains the behaviour
Make the corresponding allocating stack feature of behavior.
Wherein, the default trapping module can be arranged for technical staff according to process injection technique, the default extension
Hook function can be write for technical staff according to hook technology, and stack information backtracking function is preset described in the hook technology can be with
It is write for technical staff according to back trace technique.Different trapping modules can be set for different operation behaviors, it is described to catch
Obtaining module can be corresponding function dynamic link library, or write different default hooking functions, different default stack information
Function is recalled, for example, the power function of the system application layer is NtCreateFile letter for the operation behavior for opening file
Number, the default hooking function can be hook NtCreateFile function, and the default stack information backtracking function can be
RtlCaptureStackBackTrace function.Utilize hook NtCreateFile function, hook monitoring File Open behavior
Event NtCreateFile calls RtlCaptureStackBackTrace function to return when File Open behavior event occurs
The corresponding allocating stack feature of File Open behavior of tracing back.
In addition, the key element can be used for identifying the operation behavior, it may include that storehouse calls serial number, module
Name, function name and function offset.Specifically, it can extract and be abstracted from the allocating stack feature according to the operation behavior
Storehouse calls serial number, module name, function name and function offset out.For example, to the " shcore.dll in such as Fig. 2!
SHCreateMemStream+0x36f (C: Windows System32 shcore.dll) " carry out parsing extraction and be critical to
Element is [2, " shcore.dll ", " SHCreateMemStream ", 0x36f].2 call serial number for storehouse, and " shcore.dll " is
Module name, " SHCreateMemStream " are function name, and 0x36f is function offset.
202, the key element is input to the storehouse and matches engine, with judge the key element whether with it is default
Safety-critical element matching rule matching in storehouse characteristic matching library.If successful match thens follow the steps 203;If matching is lost
It loses, thens follow the steps 204.
Wherein, the safety-critical element matching rule is to be constructed according to the safety-critical element.The safety is closed
Key element matching rule can also pass through program auxiliary and realize to be artificial constructed.As shown in Fig. 2, Fig. 2 is one subnormal
Open the corresponding allocating stack feature of file, wherein USER32.dll!DispatchMessageW is after operating mouse, keyboard
The Message Processing of sending, for the allocating stack feature safety-critical element [1, " user.dll ",
" DispatchMessageW ", 0xf] building safety-critical element matching rule can be 1 (module_ of [0:-1] random
Name==" user.dll " &&function_name==" DispatchMesssgeW " &&function_offset <
0x10), which can indicate, in this storehouse feature, as long as occurring a module name at random
For USER32.dll and the entitled DispatchMessageW of function and the offset of the function at place is less than 0x10, that is, is regarded as normal
File open operation.
In addition, the safety-critical element matching rule can also be as follows:
(1) first time return address may only be in the entitled mso.dll of module
[0:0] random 1 (module_name==" mso.dll ")
(2) first to the 5th return addresses may only fall in the entitled mso.dll, wwlib.dll of module,
In the range of shcore.dll
[0:4] random 5 (module_name==" mso.dll " | | module_name=="
Wwlib.dll " | | module_name==" shell32.dll ")
(3) range that all return addresses may only fall in module entitled mso.dll, wwlib.dll, shcore.dll is worked as
In
[0:-1] random-1 (module_name==" mso.dll " | | module_name=="
Wwlib.dll " | | module_name==" shcore.dll)
Must there are the entitled user.dll of module, the tune of the entitled dispatchmesssge of function in (4) first to the tenth layers
With function is deviated less than 50.
[0:10] random 1 (module_name==" user.dll " &&function_name=="
DispatchMesssgeW\"&&function_offset<50)
(5) there must be the continuous appearance entitled mso.dll of 5 secondary modules in all return addresses
[0:-1] sequent 6 (module_name==" mso.dll ")
(6) there must be the continuous appearance entitled mso.dll of 5 secondary modules in all return addresses
[0:-1] sequent 6 (module_name==" mso.dll ")
(7) from 6th reciprocal to the 1st return address reciprocal in must continuously occur the entitled chrome.dll of module,
The entitled kernel32.dll of module and the entitled BaseThreadInitThunk of function
[- 6:-1] sequent 2 (module_name==" chrome.dll ")<>(module_name=="
Kernel32.dll " &&function_name==" BaseThreadInitThunk ")
For the embodiment of the present invention, storehouse characteristic matching is preset described in the storehouse characteristic matching engine calling for convenience
Library can construct storehouse characteristic matching library in advance, comprising: collect the corresponding allocating stack feature of safety operation behavior and go forward side by side
Row parsing, obtains the safety-critical element;Safety-critical element matching rule, and root are constructed according to the safety-critical element
According to the safety-critical element matching rule, the default storehouse characteristic matching library is generated.The safety operation behavior specifically may be used
Think safety operation file behavior, since application program is limited in the way of operation file, the safety operation
File behavior can enumerate completely.Specifically, step can be referred to by collecting the corresponding allocating stack feature of safety operation behavior
202, herein without repeating.In addition, after obtaining safety-critical element matching rule, it can be using process as described in unit generation
Default storehouse characteristic matching library, as shown in Figure 4.
In concrete application scene, the step 202 be can specifically include: the key element is input to the storehouse
Engine is matched, to carry out paraphrase processing to the safety-critical element matching rule in the default storehouse characteristic matching library, is obtained
The paraphrase Dan Yuan of safety-critical element;By the paraphrase Dan Yuan of the paraphrase Dan Yuan of the key element and the safety-critical element into
Row matching;If successful match, it is determined that the key element is matched with the safety-critical element in default storehouse characteristic matching library
Rule match success;If it fails to match, it is determined that the key element is wanted with the safety-critical in default storehouse characteristic matching library
It fails to match for plain matching rule.Wherein, single Yuan of the paraphrase can match the function list that engine can be identified and be executed for storehouse
Member is specifically as follows binary data.By carrying out paraphrase processing to the safety-critical element matching rule, can be realized fast
Speed index, the safety-critical element is matched with the key element of input, finally exports mating structure.
It should be noted that the safety-critical element matching rule in the default storehouse characteristic matching library carries out
The step of paraphrase is handled, and obtains paraphrase single Yuan of safety-critical element specifically includes: the key element is input to the heap
Stack matches engine, to carry out at sequentially scanning to the safety-critical element matching rule in the default storehouse characteristic matching library
Reason, obtains the character string of safety-critical element;Morphology parsing is carried out to the character string using default morphological rule, obtains safety
The composite symbol of key element;Syntax parsing is carried out to the composite symbol using default syntax rule, the safety is obtained and closes
The paraphrase Dan Yuan of key element.
Wherein, the default morphological rule can be to identify safety-critical element from safety-critical element matching rule
Symbol rule, the symbol of the key element can call serial number: module_number for storehouse;Module name:
module_name;Function name: function_name;Function offset: function_offset;It is random to occur: random;Even
It picks out existing: sequent.The default syntax rule can be that the composite symbol is parsed into releasing for the safety-critical element
The rule of adopted Dan Yuan can specifically respectively obtain the corresponding paraphrase Dan Yuan of each key element symbol, and what is finally obtained each releases
Adopted Dan Yuan is combined, and obtains the paraphrase Dan Yuan of the safety-critical element.
In order to better understand to obtain safety-critical element paraphrase Dan Yuan process, the embodiment of the present invention provide in the following example
Son: the character obtained after being sequentially scanned for the safety-critical element matching rule in the default storehouse characteristic matching library
String are as follows: " [0:4] random 5 (module_name==" mso.dll " | | module_name==" wwlib.dll " |
| module_name==" shell32.dll ") ", the combined symbols of safety-critical element are parsed using default morphological rule
Number for " [0:4] ", " random ", " 5 ", " module_name ", "==", " " mso.dll " " etc., recycle default grammer
Rule parsing goes out the paraphrase Dan Yuan of safety-critical element.
203, it determines that the operation behavior is safety operation behavior, and clearance processing is carried out to the operation behavior.
204, it determines that the operation behavior is risky operation behavior, and prevention processing is carried out to the operation behavior.
Embodiment in order to better illustrate the present invention provides following application scenarios, including but not limited to this, such as Fig. 5
Shown, application program is file operation behavior to the operation behavior of terminal device, and data protection process is divided into: building storehouse feature
Matching library stage and file operation behavior processing stage:
It constructs the storehouse characteristic matching library stage: collecting the allocating stack of secure file operation behavior first with hooking function
Then feature formats storehouse allocating stack feature and obtains the key element of allocating stack feature, finally sorts out key element
And it saves as storehouse characteristic matching library and exports.
File operation behavior processing stage: initialization storehouse matches engine first, and it is related that hooking function monitors file operation
System is called, and the storehouse matching engine is then called to judge whether file operation behavior is secure file operation behavior, finally,
If the storehouse matches engine successful match, the file operation behavior clearance is handled;If the storehouse matches engine
With failure, then prevention processing is carried out to the file operation behavior.
Another kind data prevention method provided in an embodiment of the present invention, with it is current using to the document itself where data into
The mode of row encryption carries out terminal device data protection, or carries out terminal device data protection phase using the DLP system of profession
Than the embodiment of the present invention can capture application program to the corresponding allocating stack feature of the operation behavior of terminal device and solve
Analysis, obtains the key element of the allocating stack feature;And the key element can be input to the storehouse constructed in advance
It is matched with engine, to judge whether the operation behavior is safety operation behavior, the storehouse matching engine is according to peace
The safety-critical element building of the corresponding allocating stack feature of full operation behavior.If the operation behavior is safety operation row
Then to carry out clearance processing to the operation behavior;If the operation behavior is risky operation behavior, to the operation behavior
Prevention processing is carried out, data protection is carried out according to allocating stack feature more fine-grained than process, thread so as to realize, is kept away
Exempt from by hacker attack, and then can be avoided terminal device data and be leaked and damage.
Further, as the specific implementation of Fig. 1, the embodiment of the invention provides a kind of data protection devices, such as Fig. 6 institute
Show, described device includes: capturing unit 31, resolution unit 32, matching unit 33 and processing unit 34.
The capturing unit 31 can be used for capturing application program to the corresponding allocating stack of the operation behavior of terminal device
Feature.The capturing unit 31 is that application program is captured in the present apparatus to the operation behavior of terminal device corresponding allocating stack spy
The functional module of sign.
The resolution unit 32 can be used for solving the allocating stack feature that the capturing unit 31 captures
Analysis, obtains the key element of the allocating stack feature.The resolution unit 32 is that the allocating stack spy is captured in the present apparatus
Sign is parsed, and the functional module of the key element of the allocating stack feature is obtained.The key element can be storehouse tune
With one or more of serial number, module name, function name or function offset.
The matching unit 33 can be used for for the key element being input to the storehouse matching engine constructed in advance and carry out
Matching, to judge whether the operation behavior is safety operation behavior, the storehouse matching engine is according to safety operation behavior
The safety-critical element building of corresponding allocating stack feature.The matching unit 33 is in the present apparatus by the key element
Be input to construct in advance storehouse matching engine matched, with judge the operation behavior whether be safety operation behavior master
Want functional module and nucleus module.
The processing unit 34, if can be used for the matching unit 33 determines that the operation behavior is safety operation row
Then to carry out clearance processing to the operation behavior.If the processing unit 34 is the present apparatus, the matching unit 33 determines institute
Stating operation behavior is safety operation behavior, then the functional module of clearance processing is carried out to the operation behavior.
The processing unit 34, if being also used to the matching unit 33 determines that the operation behavior is risky operation behavior,
Prevention processing then is carried out to the operation behavior.If the matching unit 33 determines institute in the processing unit 34 or the present apparatus
Stating operation behavior is risky operation behavior, then prevent to the operation behavior functional module of processing.
In concrete application scene, the matching unit 33 includes: matching module 331 and determining module 332, such as Fig. 7 institute
Show.
The matching module 331 can be used for for the key element being input to the storehouse matching engine, to judge
State whether key element matches with the safety-critical element matching rule in default storehouse characteristic matching library, the safety-critical is wanted
Plain matching rule is to be constructed according to the safety-critical element.
The determining module 332, if can be used for the matching module 331 determines that the key element and default storehouse are special
Levy the safety-critical element matching rule successful match in matching library, it is determined that the operation behavior is safety operation behavior.
The determining module 332, if being also used to the matching module 331 determines the key element and default storehouse feature
It fails to match for safety-critical element matching rule in matching library, it is determined that the operation behavior is risky operation behavior.
It should be noted that the matching module 331 includes: processing submodule, matched sub-block and determines submodule.
The processing submodule can be used for for the key element being input to the storehouse matching engine, to described
Safety-critical element matching rule in default storehouse characteristic matching library carries out paraphrase processing, obtains the paraphrase of safety-critical element
Dan Yuan.
The matched sub-block can be used for the paraphrase Dan Yuan of the key element and releasing for the safety-critical element
Single of justice is matched.
The determining submodule, if can be used for paraphrase Dan Yuan and institute that the matched sub-block determines the key element
State single Yuan successful match of paraphrase of safety-critical element, it is determined that the peace in the key element and default storehouse characteristic matching library
Full key element matching rule matching;
The determining submodule, if can be also used for the matched sub-block determine the paraphrase Dan Yuan of the key element with
Single Yuan successful match failure of paraphrase of the safety-critical element, it is determined that the key element and default storehouse characteristic matching library
In safety-critical element matching rule it fails to match.
The processing submodule matches engine specifically for the key element is input to the storehouse, to described
Safety-critical element matching rule in default storehouse characteristic matching library carries out sequentially scan process, obtains safety-critical element
Character string;Morphology parsing is carried out to the character string using default morphological rule, obtains the composite symbol of safety-critical element;Benefit
Syntax parsing is carried out to the composite symbol with default syntax rule, obtains the paraphrase Dan Yuan of the safety-critical element.
For the embodiment of the present invention, in order to obtain the default storehouse characteristic matching library, described device further include: collect single
Member 35 and construction unit 36.
The collector unit 35 can be used for collecting the corresponding allocating stack feature of safety operation behavior.The collection is single
Member 35 is that the functional module of the corresponding allocating stack feature of safety operation behavior is collected in the present apparatus.
The resolution unit 32 can be used for parsing the corresponding allocating stack feature of the safety operation behavior,
Obtain the safety-critical element.The resolution unit 32 is in the present apparatus to the corresponding allocating stack of the safety operation behavior
Feature is parsed, and the functional module of the safety-critical element is obtained.
The construction unit 36 can be used for constructing safety-critical element matching rule according to the safety-critical element,
And according to the safety-critical element matching rule, the default storehouse characteristic matching library is generated.
In concrete application scene, the capturing unit 31 may include: monitoring module 311, Hooking module 312 and hook
Module 313.
The monitoring module 311, in the process that can be used for for default trapping module being injected into the application program, monitoring
The operation behavior.
The Hooking module 312 can be used for utilizing the system application layer for presetting hooking function to the terminal device
Power function is linked up with, and is called with intercepting the corresponding system of the operation behavior.
The backtracking module 313 can be used for being recalled using default stack information function and call progress stack letter to the system
Breath backtracking, obtains the corresponding allocating stack feature of the operation behavior.
It should be noted that other of each functional module involved by a kind of data protection device provided in an embodiment of the present invention
Corresponding description, can be with reference to the corresponding description of method shown in Fig. 1, and details are not described herein.
Based on above-mentioned method as shown in Figure 1, correspondingly, the embodiment of the invention also provides a kind of computer-readable storage mediums
Matter is stored thereon with computer program, which performs the steps of capture application program and set to terminal when being executed by processor
The corresponding allocating stack feature of standby operation behavior is simultaneously parsed, and the key element of the allocating stack feature is obtained;By institute
State key element be input to construct in advance storehouse matching engine matched, to judge whether the operation behavior is to grasp safely
Make behavior, the storehouse matching engine is to construct according to the safety-critical element of the corresponding allocating stack feature of safety operation behavior
's;If the operation behavior is safety operation behavior, clearance processing is carried out to the operation behavior;If the operation behavior is
Risky operation behavior then carries out prevention processing to the operation behavior.
Embodiment based on above-mentioned method as shown in Figure 1 and data protection device as shown in Figure 6, the embodiment of the present invention also mention
A kind of entity structure diagram of computer equipment is supplied, as shown in figure 8, the equipment includes: processor 41, memory 42 and storage
On memory 42 and the computer program that can run on a processor, wherein memory 42 and processor 41 are arranged at bus
Capture application program is performed the steps of when the processor 41 executes described program on 43 to the operation behavior pair of terminal device
The allocating stack feature answered simultaneously is parsed, and the key element of the allocating stack feature is obtained;The key element is inputted
It is matched to the storehouse matching engine constructed in advance, to judge whether the operation behavior is safety operation behavior, the heap
It is to be constructed according to the safety-critical element of the corresponding allocating stack feature of safety operation behavior that stack, which matches engine,;If the operation
Behavior is safety operation behavior, then carries out clearance processing to the operation behavior;If the operation behavior is risky operation behavior,
Prevention processing then is carried out to the operation behavior.The equipment further include: bus 43 is configured as coupling processor 41 and memory
42。
According to the technical solution of the present invention, application program can be captured to the corresponding calling heap of the operation behavior of terminal device
Stack feature is simultaneously parsed, and the key element of the allocating stack feature is obtained;And the key element can be input to pre-
The storehouse matching engine first constructed is matched, to judge whether the operation behavior is safety operation behavior, the storehouse
It is to be constructed according to the safety-critical element of the corresponding allocating stack feature of safety operation behavior with engine.If the operation behavior
For safety operation behavior, then clearance processing is carried out to the operation behavior;If the operation behavior is risky operation behavior, right
The operation behavior carries out prevention processing, so as to realize according to allocating stack feature more fine-grained than process, thread into
Row data protection, avoids by hacker attack, and then can be avoided terminal device data and be leaked and damage.
The embodiment of the present invention also provides the following technical solutions:
A1, a kind of data prevention method, comprising:
Capture application program to the corresponding allocating stack feature of the operation behavior of terminal device and parses, and obtains described
The key element of allocating stack feature;
The key element is input to the storehouse matching engine constructed in advance to match, to judge the operation behavior
It whether is safety operation behavior, the storehouse matching engine is the safety according to the corresponding allocating stack feature of safety operation behavior
Key element building;
If the operation behavior is safety operation behavior, clearance processing is carried out to the operation behavior;
If the operation behavior is risky operation behavior, prevention processing is carried out to the operation behavior.
A2, method as described in a1, the storehouse matching engine constructed in advance that the key element is input to carry out
Matching, to judge whether the operation behavior is safety operation behavior, comprising:
The key element is input to storehouse matching engine, with judge the key element whether with default storehouse
Safety-critical element matching rule matching in characteristic matching library, the safety-critical element matching rule are according to the safety
Key element building;
If successful match, it is determined that the operation behavior is safety operation behavior;
If it fails to match, it is determined that the operation behavior is risky operation behavior.
A3, as described in A2 method, it is described that the key element is input to the storehouse matching engine constructed in advance, to sentence
Whether the key element that breaks matches with the safety-critical element matching rule in default storehouse characteristic matching library, comprising:
The key element is input to the storehouse matching engine, to the peace in the default storehouse characteristic matching library
Full key element matching rule carries out paraphrase processing, obtains the paraphrase Dan Yuan of safety-critical element;
The paraphrase Dan Yuan of the key element is matched with paraphrase single Yuan of the safety-critical element;
If successful match, it is determined that the key element is matched with the safety-critical element in default storehouse characteristic matching library
Rule match success;
If it fails to match, it is determined that the key element is matched with the safety-critical element in default storehouse characteristic matching library
Rule match failure.
A4, the method as described in A3, it is described that the key element is input to the storehouse matching engine, to described pre-
If the safety-critical element matching rule in storehouse characteristic matching library carries out paraphrase processing, the paraphrase list of safety-critical element is obtained
Member, comprising:
The key element is input to the storehouse matching engine, to the peace in the default storehouse characteristic matching library
Full key element matching rule carries out sequentially scan process, obtains the character string of safety-critical element;
Morphology parsing is carried out to the character string using default morphological rule, obtains the composite symbol of safety-critical element;
Syntax parsing is carried out to the composite symbol using default syntax rule, obtains the paraphrase of the safety-critical element
Dan Yuan.
A5, as described in A2 method, the method also includes:
It collects the corresponding allocating stack feature of safety operation behavior and is parsed, obtain the safety-critical element;
Safety-critical element matching rule is constructed according to the safety-critical element, and according to the safety-critical element
With rule, the default storehouse characteristic matching library is generated.
The described in any item methods of A6, such as A1-A5, the capture application program are corresponding to the operation behavior of terminal device
Allocating stack feature, comprising:
Default trapping module is injected into the process of the application program, monitors the operation behavior;
It is linked up with using power function of the default hooking function to the system application layer of the terminal device, to intercept
The corresponding system of operation behavior is stated to call;
The system is called using default stack information backtracking function and carries out the backtracking of stack information, obtains the operation behavior pair
The allocating stack feature answered.
The described in any item methods of A7, such as A1-A5, the key element can call serial number, module name, function for storehouse
One or more of name or function offset.
B8, a kind of data protection device, comprising:
Capturing unit, for capturing application program to the corresponding allocating stack feature of the operation behavior of terminal device;
Resolution unit obtains the tune for parsing to the allocating stack feature that the capturing unit captures
With the key element of storehouse feature;
Matching unit is matched for the key element to be input to the storehouse constructed in advance matching engine, to sentence
Whether the operation behavior of breaking is safety operation behavior, and the storehouse matching engine is according to the corresponding calling of safety operation behavior
The safety-critical element building of storehouse feature;
Processing unit, if determining that the operation behavior is safety operation behavior for the matching unit, to the behaviour
Clearance processing is carried out as behavior;
The processing unit, it is right if being also used to the matching unit determines that the operation behavior is risky operation behavior
The operation behavior carries out prevention processing.
B9, the device as described in B8, the matching unit include:
Matching module matches engine for the key element to be input to the storehouse, to judge the key element
Whether matched with the safety-critical element matching rule in default storehouse characteristic matching library, the safety-critical element matching rule
For what is constructed according to the safety-critical element;
Determining module, if determining the peace in the key element and default storehouse characteristic matching library for the matching module
Full key element matching rule successful match, it is determined that the operation behavior is safety operation behavior;
The determining module, if being also used to the matching module determines the key element and default storehouse characteristic matching library
In safety-critical element matching rule it fails to match, it is determined that the operation behavior be risky operation behavior.
B10, the device as described in B9, the matching module include:
Submodule is handled, engine is matched for the key element to be input to the storehouse, to the default storehouse
Safety-critical element matching rule in characteristic matching library carries out paraphrase processing, obtains the paraphrase Dan Yuan of safety-critical element;
Matched sub-block, for by the paraphrase Dan Yuan of the paraphrase Dan Yuan of the key element and the safety-critical element into
Row matching;
Submodule is determined, if determining that the paraphrase Dan Yuan of the key element and the safety are closed for the matched sub-block
Single Yuan successful match of the paraphrase of key element, it is determined that the key element is wanted with the safety-critical in default storehouse characteristic matching library
Plain matching rule matching;
The determining submodule, if be also used to the matched sub-block determine the paraphrase Dan Yuan of the key element with it is described
Single Yuan successful match failure of the paraphrase of safety-critical element, it is determined that in the key element and default storehouse characteristic matching library
It fails to match for safety-critical element matching rule.
B11, the device as described in B10,
The processing submodule matches engine specifically for the key element is input to the storehouse, to described
Safety-critical element matching rule in default storehouse characteristic matching library carries out sequentially scan process, obtains safety-critical element
Character string;Morphology parsing is carried out to the character string using default morphological rule, obtains the composite symbol of safety-critical element;Benefit
Syntax parsing is carried out to the composite symbol with default syntax rule, obtains the paraphrase Dan Yuan of the safety-critical element.
B12, the device as described in B10, described device further include: collector unit and construction unit,
The collector unit, for collecting the corresponding allocating stack feature of safety operation behavior;
The resolution unit obtains institute for parsing to the corresponding allocating stack feature of the safety operation behavior
State safety-critical element;
The construction unit is used for according to safety-critical element building safety-critical element matching rule, and according to
The safety-critical element matching rule generates the default storehouse characteristic matching library.
The described in any item devices of B13, such as B8-B12, the capturing unit include:
Monitoring module monitors the operation row for default trapping module to be injected into the process of the application program
For;
Hooking module, for being carried out using power function of the default hooking function to the system application layer of the terminal device
Hook is called with intercepting the corresponding system of the operation behavior;
Backtracking module is carried out the backtracking of stack information for being called using default stack information backtracking function to the system, obtained
The corresponding allocating stack feature of the operation behavior.
The described in any item devices of B14, such as B8-B12, the key element can call serial number, module name, letter for storehouse
One or more of several or function offset.
C15, a kind of computer readable storage medium, are stored thereon with computer program, and the computer program is processed
The step of method as described in any one of A1 to A7 is realized when device executes.
D16, a kind of computer equipment, including memory, processor and storage can transport on a memory and on a processor
Capable computer program, the processor realize the step such as any one of A1 to A7 the method when executing the computer program
Suddenly.
In the above-described embodiments, it all emphasizes particularly on different fields to the description of each embodiment, there is no the portion being described in detail in some embodiment
Point, reference can be made to the related descriptions of other embodiments.
It is understood that the correlated characteristic in the above method and device can be referred to mutually.In addition, in above-described embodiment
" first ", " second " etc. be and not represent the superiority and inferiority of each embodiment for distinguishing each embodiment.
It is apparent to those skilled in the art that for convenience and simplicity of description, the system of foregoing description,
The specific work process of device and unit, can refer to corresponding processes in the foregoing method embodiment, and details are not described herein.
Algorithm and display are not inherently related to any particular computer, virtual system, or other device provided herein.
Various general-purpose systems can also be used together with teachings based herein.As described above, it constructs required by this kind of system
Structure be obvious.In addition, the present invention is also not directed to any particular programming language.It should be understood that can use various
Programming language realizes summary of the invention described herein, and the description done above to language-specific is to disclose this hair
Bright preferred forms.
In the instructions provided here, numerous specific details are set forth.It is to be appreciated, however, that implementation of the invention
Example can be practiced without these specific details.In some instances, well known method, structure is not been shown in detail
And technology, so as not to obscure the understanding of this specification.
Similarly, it should be understood that in order to simplify the disclosure and help to understand one or more of the various inventive aspects,
Above in the description of exemplary embodiment of the present invention, each feature of the invention is grouped together into single implementation sometimes
In example, figure or descriptions thereof.However, the disclosed method should not be interpreted as reflecting the following intention: i.e. required to protect
Shield the present invention claims features more more than feature expressly recited in each claim.More precisely, as following
Claims reflect as, inventive aspect is all features less than single embodiment disclosed above.Therefore,
Thus the claims for following specific embodiment are expressly incorporated in the specific embodiment, wherein each claim itself
All as a separate embodiment of the present invention.
Those skilled in the art will understand that can be carried out adaptively to the module in the equipment in embodiment
Change and they are arranged in one or more devices different from this embodiment.It can be the module or list in embodiment
Member or component are combined into a module or unit or component, and furthermore they can be divided into multiple submodule or subelement or
Sub-component.Other than such feature and/or at least some of process or unit exclude each other, it can use any
Combination is to all features disclosed in this specification (including adjoint claim, abstract and attached drawing) and so disclosed
All process or units of what method or apparatus are combined.Unless expressly stated otherwise, this specification is (including adjoint power
Benefit require, abstract and attached drawing) disclosed in each feature can carry out generation with an alternative feature that provides the same, equivalent, or similar purpose
It replaces.
In addition, it will be appreciated by those of skill in the art that although some embodiments described herein include other embodiments
In included certain features rather than other feature, but the combination of the feature of different embodiments mean it is of the invention
Within the scope of and form different embodiments.For example, in the following claims, embodiment claimed is appointed
Meaning one of can in any combination mode come using.
Various component embodiments of the invention can be implemented in hardware, or to run on one or more processors
Software module realize, or be implemented in a combination thereof.It will be understood by those of skill in the art that can be used in practice
Microprocessor or digital signal processor (DSP) come realize some in data protection device according to an embodiment of the present invention or
The some or all functions of person's whole component.The present invention is also implemented as one for executing method as described herein
Point or whole device or device programs (for example, computer program and computer program product).Such this hair of realization
Bright program can store on a computer-readable medium, or may be in the form of one or more signals.It is such
Signal can be downloaded from an internet website to obtain, and is perhaps provided on the carrier signal or is provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and ability
Field technique personnel can be designed alternative embodiment without departing from the scope of the appended claims.In the claims,
Any reference symbol between parentheses should not be configured to limitations on claims.Word "comprising" does not exclude the presence of not
Element or step listed in the claims.Word "a" or "an" located in front of the element does not exclude the presence of multiple such
Element.The present invention can be by means of including the hardware of several different elements and being come by means of properly programmed computer real
It is existing.In the unit claims listing several devices, several in these devices can be through the same hardware branch
To embody.The use of word first, second, and third does not indicate any sequence.These words can be explained and be run after fame
Claim.