CN109873804A - Behavior-based service identification method, apparatus, device and readable storage medium - Google Patents


Publication number
CN109873804A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811640217.3A
Other languages
Chinese (zh)
Other versions
CN109873804B (en
Inventor
谢文聪
陈俊儒
刘明
杨小波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
360 Enterprise Safety Technology (zhuhai) Co Ltd
Beijing Qianxin Technology Co Ltd
Application filed by 360 Enterprise Safety Technology (zhuhai) Co Ltd, Beijing Qianxin Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Abstract

The invention discloses a behavior-based service identification method, apparatus, device and readable storage medium, and relates to the field of Internet technology. The service behaviors of a behavior subject are restricted by a permission set and a flow set, so that an attacker's malicious behavior is easy to identify, malicious operations by the attacker are prevented from causing serious damage to the operating system, and the operating system is more secure. The method includes: when a pending service behavior is received, determining the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior, where the permission set includes at least one service behavior that the target behavior subject is allowed to execute, and the flow set includes the flow by which the target behavior subject executes service behaviors; if the at least one service behavior of the permission set does not include the pending service behavior, determining the behavior flow of the pending service behavior; and if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, allowing the pending service behavior to be executed.

Description

Behavior-based service identification method, apparatus, device and readable storage medium
Technical field
The present invention relates to the field of Internet technology, and in particular to a behavior-based service identification method, apparatus, device and readable storage medium.
Background
With the rapid development of Internet technology and the growing popularity of terminals, more and more users use terminals for everyday activities such as socializing, communicating, taking photos, gaming and shopping. These activities are usually carried out through services on the terminal. To keep services running normally, an operating system is installed on the terminal, and services are an indispensable part of the operating system. At present, a terminal receives the service behavior that a user requests, identifies that service behavior, and then carries out the operation the user requested by executing the service behavior.
In the related art, when a terminal receives a service behavior it usually collects common trusted-software features, including the digital signature of a trusted company, binary feature strings, text feature strings, MD5 (Message Digest Algorithm 5) values, hash values, checksums and so on, and builds a white feature library containing these trusted-software features. During normal operation, the files that system services request to execute are matched against the white feature library; a file that matches no feature in the white feature library is treated as suspect software and is subjected to various restrictions.
In implementing the present invention, the inventors found that the related art has at least the following problem:
Some services in the system are trusted services, such as the printer service. Whatever behavior or file such a trusted service requests to execute is allowed, so an attacker can easily use service behaviors to perform malicious operations on the operating system and thereby cause serious damage to it; the security of the operating system is poor.
Summary of the invention
In view of this, the present invention provides a behavior-based service identification method, apparatus, device and readable storage medium, whose main purpose is to solve the problem that attackers can currently use service behaviors easily to perform malicious operations on the operating system, causing serious damage to it and leaving it poorly secured.
According to a first aspect of the present invention, a behavior-based service identification method is provided, the method comprising:
when a pending service behavior is received, determining the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior, the permission set including at least one service behavior that the target behavior subject is allowed to execute, and the flow set including the flow by which the target behavior subject executes service behaviors;
if the at least one service behavior of the permission set does not include the pending service behavior, determining the behavior flow of the pending service behavior;
if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, allowing the pending service behavior to be executed.
In another embodiment, before the determining, when a pending service behavior is received, of the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior, the method comprises:
starting the target behavior subject and monitoring the service behaviors of the target behavior subject to obtain the at least one service behavior;
generating the permission set including the at least one service behavior, extracting the subject identifier of the target behavior subject, and storing the subject identifier in correspondence with the permission set;
monitoring the flow by which the target behavior subject executes service behaviors, and collecting the running state and running environment of the target behavior subject;
arranging the running state and the running environment in chronological order to generate the flow of the target behavior subject, taking the flow as the flow set, and storing the flow set in correspondence with the subject identifier.
In another embodiment, the starting of the target behavior subject and monitoring of the service behaviors of the target behavior subject to obtain the at least one service behavior comprises:
receiving a start instruction, and determining the target behavior subject according to the to-be-started subject identifier carried in the start instruction;
starting the target behavior subject and starting a behavior collection program, the behavior collection program being at least a Hook program;
based on the behavior collection program, monitoring the service behaviors of the target behavior subject after it starts, and obtaining the at least one service behavior of the target behavior subject.
In another embodiment, the determining, when a pending service behavior is received, of the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior comprises:
when the pending service behavior is received, taking the behavior subject that requests execution of the pending service behavior as the target behavior subject;
obtaining the subject identifier of the target behavior subject, and determining the permission set and the flow set indicated by the subject identifier.
In another embodiment, after the determining, when a pending service behavior is received, of the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior, the method comprises:
if the at least one service behavior of the permission set includes the pending service behavior, allowing the pending service behavior to be executed.
In another embodiment, the method further comprises:
if the behavior flow of the pending service behavior is inconsistent with the flow shown in the flow set, prohibiting execution of the pending service behavior.
According to a second aspect of the present invention, a behavior-based service identification apparatus is provided, the apparatus comprising:
a first determining module, configured to determine, when a pending service behavior is received, the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior, the permission set including at least one service behavior that the target behavior subject is allowed to execute, and the flow set including the flow by which the target behavior subject executes service behaviors;
a second determining module, configured to determine the behavior flow of the pending service behavior if the at least one service behavior of the permission set does not include the pending service behavior;
an execution module, configured to allow the pending service behavior to be executed if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set.
In another embodiment, the apparatus further comprises:
a monitoring module, configured to start the target behavior subject and monitor the service behaviors of the target behavior subject to obtain the at least one service behavior;
a generation module, configured to generate the permission set including the at least one service behavior, extract the subject identifier of the target behavior subject, and store the subject identifier in correspondence with the permission set;
an acquisition module, configured to monitor the flow by which the target behavior subject executes service behaviors and collect the running state and running environment of the target behavior subject;
a storage module, configured to arrange the running state and the running environment in chronological order to generate the flow of the target behavior subject, take the flow as the flow set, and store the flow set in correspondence with the subject identifier.
In another embodiment, the monitoring module comprises:
a determining submodule, configured to receive a start instruction and determine the target behavior subject according to the to-be-started subject identifier carried in the start instruction;
a starting submodule, configured to start the target behavior subject and start a behavior collection program, the behavior collection program being at least a Hook program;
a monitoring submodule, configured to monitor, based on the behavior collection program, the service behaviors of the target behavior subject after it starts, and obtain the at least one service behavior of the target behavior subject.
In another embodiment, the first determining module comprises:
a first determining submodule, configured to take, when the pending service behavior is received, the behavior subject that requests execution of the pending service behavior as the target behavior subject;
a second determining submodule, configured to obtain the subject identifier of the target behavior subject and determine the permission set and the flow set indicated by the subject identifier.
In another embodiment, the execution module is further configured to allow the pending service behavior to be executed if the at least one service behavior of the permission set includes the pending service behavior.
In another embodiment, the apparatus further comprises:
a prohibition module, configured to prohibit execution of the pending service behavior if the behavior flow of the pending service behavior is inconsistent with the flow shown in the flow set.
According to a third aspect of the present invention, a device is provided, including a memory and a processor, the memory storing a computer program, and the processor implementing the steps of the method of the first aspect when executing the computer program.
According to a fourth aspect of the present invention, a readable storage medium is provided, on which a computer program is stored, the computer program implementing the steps of the method of the first aspect when executed by a processor.
With the above technical solution, and compared with the current approach of identifying service behaviors with a white feature library, the behavior-based service identification method, apparatus, device and readable storage medium provided by the present invention can, when a pending service behavior is received, determine the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior; if the at least one service behavior of the permission set does not include the pending service behavior, determine the behavior flow of the pending service behavior; and if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, allow the pending service behavior to be executed. The service behaviors of the behavior subject are thereby restricted by the permission set and the flow set, so that an attacker's malicious behavior is easy to identify, malicious operations by the attacker are prevented from causing serious damage to the operating system, and the operating system is more secure.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the description, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 shows a flowchart of a behavior-based service identification method provided by an embodiment of the present invention;
Fig. 2A shows a flowchart of a behavior-based service identification method provided by an embodiment of the present invention;
Fig. 2B shows a flowchart of a behavior-based service identification method provided by an embodiment of the present invention;
Fig. 3A shows a structural schematic diagram of a behavior-based service identification apparatus provided by an embodiment of the present invention;
Fig. 3B shows a structural schematic diagram of a behavior-based service identification apparatus provided by an embodiment of the present invention;
Fig. 3C shows a structural schematic diagram of a behavior-based service identification apparatus provided by an embodiment of the present invention;
Fig. 3D shows a structural schematic diagram of a behavior-based service identification apparatus provided by an embodiment of the present invention;
Fig. 3E shows a structural schematic diagram of a behavior-based service identification apparatus provided by an embodiment of the present invention;
Fig. 4 shows a structural schematic diagram of a device provided by an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present invention are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the invention, it should be understood that the invention may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the invention can be understood thoroughly and its scope conveyed fully to those skilled in the art.
An embodiment of the present invention provides a behavior-based service identification method. When a pending service behavior is received, the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior are determined; if the at least one service behavior of the permission set does not include the pending service behavior, the behavior flow of the pending service behavior is determined; and if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, the pending service behavior is allowed to be executed. The service behaviors of the behavior subject are thereby restricted by the permission set and the flow set, so that an attacker's malicious behavior is easy to identify, malicious operations by the attacker are prevented from causing serious damage to the operating system, and the operating system is more secure. As shown in Fig. 1, the method includes:
101. When a pending service behavior is received, determine the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior, where the permission set includes at least one service behavior that the target behavior subject is allowed to execute and the flow set includes the flow by which the target behavior subject executes service behaviors.
In the embodiment of the present invention, every service behavior is requested by a behavior subject, so when a pending service behavior is received, the behavior subject that issued it can be determined and taken as the target behavior subject. The operating system holds, for each behavior subject, a corresponding permission set, which includes at least one service behavior the behavior subject is allowed to execute, and a corresponding flow set. Once the target behavior subject has been determined, its permission set and flow set can therefore be obtained, so that the pending service behavior of the target behavior subject can subsequently be identified on the basis of the permission set and the flow set, and it can be determined whether the target behavior subject may execute the pending service behavior.
102. If the at least one service behavior of the permission set does not include the pending service behavior, determine the behavior flow of the pending service behavior.
In the embodiment of the present invention, after the permission set of the target behavior subject has been determined, the pending service behavior can be compared with the at least one service behavior that the permission set allows: by querying whether the permission set includes the pending service behavior, it is determined whether the pending service behavior can be executed.
103. If the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, allow the pending service behavior to be executed.
In the embodiment of the present invention, if the permission set does not include the pending service behavior, the pending service behavior falls outside the range defined by the permission set. To avoid intercepting normal service behaviors because the permission set does not cover a wide enough range, the behavior flow of the pending service behavior is obtained only after it has been determined that the pending service behavior does not belong to the permission set. When that behavior flow is consistent with the flow shown in the flow set, the pending service behavior is determined to be a normal behavior of the target behavior subject and is allowed to be executed.
With the method provided by the embodiment of the present invention, when a pending service behavior is received, the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior are determined; if the at least one service behavior of the permission set does not include the pending service behavior, the behavior flow of the pending service behavior is determined; and if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, the pending service behavior is allowed to be executed. The service behaviors of the behavior subject are thereby restricted by the permission set and the flow set, so that an attacker's malicious behavior is easy to identify, malicious operations by the attacker are prevented from causing serious damage to the operating system, and the operating system is more secure.
An embodiment of the present invention provides a behavior-based service identification method. When a pending service behavior is received, the permission set and the flow set of the target behavior subject that requests execution of the pending service behavior are determined; if the at least one service behavior of the permission set does not include the pending service behavior, the behavior flow of the pending service behavior is determined; and if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, the pending service behavior is allowed to be executed. The service behaviors of the behavior subject are thereby restricted by the permission set and the flow set, so that an attacker's malicious behavior is easy to identify, malicious operations by the attacker are prevented from causing serious damage to the operating system, and the operating system is more secure. As shown in Fig. 2A, the method includes:
201. Receive a start instruction, and determine the target behavior subject according to the to-be-started subject identifier carried in the start instruction.
The inventors recognized that the behavior actions a behavior subject executes after starting are usually fixed; that is, the behavior actions a behavior subject relies on when providing services to users are fixed, and in normal operation a behavior subject does not request to execute behavior actions it has never executed before. Therefore, in order to restrict the behavior actions of behavior subjects, prevent them from executing behavior actions they should not execute, and identify an attacker's malicious behavior, the embodiment of the present invention sets a permission set and a flow set for each behavior subject, specifies on the basis of the permission set and the flow set the behavior actions the behavior subject may execute, and thereby constrains the operation of the behavior subject. It should be noted that because the system contains many behavior subjects, permission sets and flow sets cannot be set for all of them at the same time. Therefore, in the embodiment of the present invention, a general "least privilege set" covering all behavior subjects can also be set, and behavior identification for behavior subjects that have no permission set and flow set is performed on the basis of this "least privilege set".
The permission set and the flow set are generated from the behavior operations that a behavior subject executes during actual operation, so those behavior operations need to be collected. Because a great many behavior subjects reside in the operating system, the program start instruction needs to carry the to-be-started subject identifier, so that it is clear for which behavior subject the behavior library is being generated. When a program start instruction is received, the to-be-started subject identifier is first extracted from it; the behavior subject indicated by the to-be-started subject identifier is then looked up in the operating system and taken as the target behavior subject, so that a permission set and a flow set can subsequently be generated for it. It should be noted that, so that every behavior subject in the operating system is given a corresponding permission set and flow set, any behavior subject that has no corresponding permission set and flow set can serve as the target behavior subject. Specifically, the to-be-started subject identifier may be the program name or program number of the target program, and so on; the embodiment of the present invention does not specifically limit the content of the to-be-started subject identifier.
202. Start the target behavior subject and start a behavior collection program, the behavior collection program being at least a Hook program; based on the behavior collection program, monitor the service behaviors of the target behavior subject after it starts.
In the embodiment of the present invention, after the target behavior subject has been determined, it can be started in order to obtain at least one service behavior of the target behavior subject, from which a permission set is then generated for the target program. The service behaviors of the target behavior subject can be collected by a behavior collection program. Accordingly, the behavior collection program is started after the target behavior subject is started, so that it monitors and collects all service behaviors of the target behavior subject after startup. The behavior collection program may specifically be a Hook program.
In practical applications, so that the number of collected service behaviors is representative without being so large that it overloads the operating system, a collection period can be set. Only the service behaviors that the target behavior subject executes within the collection period are collected, and the permission set for the target behavior subject is subsequently generated from the service behaviors collected in that period. For example, the collection period may be 7 days, in which case the target's service behaviors within those 7 days are collected.
203. Generate the permission set including the at least one service behavior, extract the subject identifier of the target behavior subject, and store the subject identifier in correspondence with the permission set.
In the embodiment of the present invention, after the at least one service behavior of the target behavior subject has been collected, the at least one service behavior can be stored to generate the permission set. When the permission set is generated, a default template can be set so that the permission sets of all behavior subjects share the same format and are easy to manage; the at least one service behavior is arranged according to the default template, producing a permission set that includes the at least one service behavior and whose format meets the requirements of the default template.
Because every behavior subject in the operating system has a corresponding permission set, there will be a large number of permission sets. To manage them, and to avoid confusing the correspondence between behavior subjects and permission sets, which would cause errors in the subsequent identification of service behaviors, the subject identifier of the target behavior subject can be extracted after the permission set is generated and stored in correspondence with the permission set, ensuring that the correspondence between each behavior subject and its permission set is clear. In practical applications, after the permission set is generated it can also be marked with the subject identifier, so that the target behavior subject and the permission set correspond to each other.
204. Monitor the flow in which the target behavior subject executes service behaviors, collect the running state and running environment of the target behavior subject, arrange the running state and running environment in chronological order to generate the flow of the target behavior subject, take the flow as the flow set, and store the flow set in correspondence with the subject identifier.
In the embodiment of the present invention, when a behavior subject executes service behaviors in the system, executing a legitimate service behavior corresponds to a legitimate flow, while executing an illegitimate service behavior produces a visibly different, illegitimate flow. A flow set can therefore be generated for the target behavior subject, so that the flow in which the target behavior subject executes a service behavior can later be checked against it to determine whether that flow is legitimate. For example, spoolsv.exe (the print program) is the service process of Print Spooler (the print service); it manages all local and network print queues and controls all print jobs. spoolsv.exe has no reason to start a shell, and indeed should not have the ability to start any program at all. Therefore, whenever the flow of spoolsv.exe involves starting a program, that flow is illegitimate.
Specifically, to set up the flow set for the target behavior subject, first monitor the flow in which the target behavior subject executes service behaviors and collect its running state and running environment; then arrange the running state and running environment in chronological order to generate the flow of the target behavior subject, take the flow as the flow set, and store the flow set in correspondence with the subject identifier.
By performing steps 201 to 204 above, a permission set and a flow set tied to the service behaviors that the target behavior subject actually executes can be generated for it. Note that because the operating system is updated, the service behaviors each behavior subject can execute in the updated operating system may change; for example, a behavior subject may gain new service behaviors that it can execute. To ensure that the permission set and flow set of a behavior subject still fit its current needs, an update period can be set in the operating system. Every update period, steps 201 to 203 above are repeated to regenerate the permission set and flow set for each behavior subject, and the newly generated permission set and flow set replace the previous ones, so that the behavior subject continues to run normally.
After the permission set and flow set of the target behavior subject have been generated, when the target behavior subject later requests execution, its behavior can be identified based on the permission set and flow set to determine whether that behavior is allowed to execute. Referring to Fig. 2B, the method includes:
205. When a pending service behavior is received, determine the permission set and flow set of the target behavior subject requesting execution of the pending service behavior.
In the embodiment of the present invention, a pending service behavior is normally one that a behavior subject requests to execute. When a pending service behavior is received, the object requesting its execution is therefore determined and taken as the target behavior subject; that is, the behavior subject requesting execution of the pending service behavior is the target behavior subject. Because the operating system stores permission sets and flow sets by subject identifier, each subject identifier corresponds to one permission set and one flow set, so the permission set and flow set can be looked up by subject identifier. Once the target behavior subject has been determined, its subject identifier is extracted, and the permission set and flow set indicated by that subject identifier are determined.
Note that if obtaining the permission set and flow set of the target behavior subject of the pending service behavior fails, a permission set and flow set may not yet have been set for the target behavior subject. In that case the "minimum permission set" can be obtained, and the pending service behavior is subsequently identified based on that "minimum permission set".
206. Compare the pending service behavior with the permission set to check whether the permission set includes the pending service behavior. If the permission set does not include the pending service behavior, perform step 207 below; if the permission set includes the pending service behavior, perform step 208 below.
In the embodiment of the present invention, once the permission set of the target behavior subject has been determined, that permission set defines the service behaviors the target behavior subject may execute; service behaviors outside the permission set, that is, not covered by it, are ones the target behavior subject is not allowed to execute. The pending service behavior is therefore compared with the at least one service behavior in the permission set to determine whether it is allowed to execute. Specifically, to compare the pending service behavior with the at least one service behavior and check whether the permission set includes it, first extract the pending behavior identifier of the pending service behavior and the at least one service behavior identifier of the at least one service behavior; then compare the pending behavior identifier with the at least one service behavior identifier, checking whether any of them matches the pending behavior identifier, thereby identifying the pending service behavior.
If the permission set does not include the pending service behavior, the pending service behavior may not be allowed to execute, and a further judgment based on the flow set is needed to avoid a misjudgment caused merely by the permission set not including that service behavior; steps 207 to 209 below are therefore performed. If the permission set includes the pending service behavior, the pending service behavior is one that the target behavior subject may execute: it is allowed for the target behavior subject, is not an unauthorized operation, and meets the requirements the permission set places on the target behavior subject; step 210 below is therefore performed.
207. If the permission set does not include the pending service behavior, determine the behavior flow of the pending service behavior. If the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, perform step 208 below; if the behavior flow of the pending service behavior is inconsistent with the flow shown in the flow set, perform step 209 below.
208. If the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, allow the pending service behavior to execute.
In the embodiment of the present invention, if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, the behavior flow satisfies the constraints of the flow set, and the target behavior subject's execution of the pending service behavior is not an overreach of its permissions. The target behavior subject is therefore allowed to execute the pending service behavior.
209. If the behavior flow of the pending service behavior is inconsistent with the flow shown in the flow set, forbid the pending service behavior from executing.
In the embodiment of the present invention, if the behavior flow of the pending service behavior is inconsistent with the flow shown in the flow set, the behavior flow does not satisfy the constraints of the flow set, and the target behavior subject's request to execute the pending service behavior is an overreach of its permissions. The target behavior subject is therefore forbidden from executing the pending service behavior.
210. If the permission set includes the pending service behavior, allow the target behavior subject to execute the pending service behavior.
In the embodiment of the present invention, if the permission set includes the pending service behavior, the pending service behavior is within the scope the permission set defines, and the target behavior subject's execution of it is not an overreach of its permissions. The target behavior subject is therefore allowed to execute the pending service behavior.
With the method provided by the embodiment of the present invention, when a pending service behavior is received, the permission set and flow set of the target behavior subject requesting its execution are determined; if the at least one service behavior of the permission set does not include the pending service behavior, the behavior flow of the pending service behavior is determined; and if that behavior flow is consistent with the flow shown in the flow set, the pending service behavior is allowed to execute. Constraining the service behaviors of a behavior subject through the permission set and flow set makes an attacker's malicious behavior easy to identify, prevents the attacker's malicious operations from causing serious damage to the operating system, and makes the operating system more secure.
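The profiling in steps 203 to 204 and the decision in steps 205 to 210, as an added Python example that is not code from the patent. Assumptions: a flow is modelled as the time-ordered tuple of (running state, running environment) samples, "consistent" means equal to a recorded flow, the minimum permission set is empty, and all behavior names, states and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Profile:
    permission_set: frozenset  # service behavior identifiers the subject may execute
    flow_set: frozenset        # flows recorded while the subject was profiled


# Assumption: the page names a "minimum permission set" without listing its
# contents; it is empty here, so an unprofiled subject is denied everything.
MINIMUM_PROFILE = Profile(frozenset(), frozenset())


def build_flow(samples):
    """Step 204: order (timestamp, running state, running environment) by time.

    Assumption: a flow is modelled as the ordered tuple of (state, environment).
    """
    return tuple((state, env) for _, state, env in sorted(samples))


def build_profile(events, start, period=timedelta(days=7)):
    """Steps 203-204: use only behaviors observed inside the collection period."""
    end = start + period
    kept = [e for e in events if start <= e["time"] < end]
    return Profile(
        permission_set=frozenset(e["behavior"] for e in kept),
        flow_set=frozenset(build_flow(e["samples"]) for e in kept),
    )


class ProfileStore:
    """Permission sets and flow sets stored by subject identifier."""

    def __init__(self):
        self._by_subject = {}

    def store(self, subject_id, profile):
        self._by_subject[subject_id] = profile

    def lookup(self, subject_id):
        # Step 205: a failed lookup falls back to the minimum permission set.
        return self._by_subject.get(subject_id, MINIMUM_PROFILE)


def decide(store, subject_id, behavior, samples):
    """Return (decision, number of the step on the page that produced it)."""
    profile = store.lookup(subject_id)
    if behavior in profile.permission_set:       # step 206: identifier comparison
        return ("allow", 210)
    # Step 207. Assumption: "consistent" means equal to a recorded flow.
    if build_flow(samples) in profile.flow_set:
        return ("allow", 208)
    return ("deny", 209)


# Constructed sample data (not from the page): behaviors observed for spoolsv.exe.
T0 = datetime(2024, 1, 1)
SAMPLE_EVENTS = [
    {"time": T0 + timedelta(days=1), "behavior": "enqueue_print_job",
     "samples": [(2, "spooling", "session0"), (1, "idle", "session0")]},
    {"time": T0 + timedelta(days=3), "behavior": "enumerate_printers",
     "samples": [(1, "idle", "session0"), (2, "querying", "session0")]},
    # Observed on day 9, outside the 7-day collection period, so it is ignored.
    {"time": T0 + timedelta(days=9), "behavior": "load_driver",
     "samples": [(1, "idle", "session0"), (2, "loading", "session0")]},
]


def demo_store():
    """Build a store holding the profile learned from the constructed events."""
    store = ProfileStore()
    store.store("spoolsv.exe", build_profile(SAMPLE_EVENTS, T0))
    return store


if __name__ == "__main__":
    s = demo_store()
    starts_program = [(1, "idle", "session0"), (2, "starting_program", "session0")]
    print(decide(s, "spoolsv.exe", "start_shell", starts_program))
```

The `start_shell` request mirrors the spoolsv.exe case in the description: the behavior is not in the permission set and its flow involves starting a program, so it ends at step 209.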
Further, as a specific implementation of the method shown in Fig. 1, an embodiment of the present invention provides a behavior-based service identification apparatus. As shown in Fig. 3A, the apparatus includes: a first determining module 301, a second determining module 302 and an execution module 303.
The first determining module 301 is configured to determine, when a pending service behavior is received, the permission set and flow set of the target behavior subject requesting execution of the pending service behavior, where the permission set includes at least one service behavior that the target behavior subject is allowed to execute and the flow set includes the flow in which the target behavior subject executes service behaviors;
The second determining module 302 is configured to determine the behavior flow of the pending service behavior if the at least one service behavior of the permission set does not include the pending service behavior;
The execution module 303 is configured to allow the pending service behavior to execute if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set.
In a specific application scenario, as shown in Fig. 3B, the apparatus further includes a monitoring module 304, a generation module 305, an acquisition module 306 and a storage module 307.
The monitoring module 304 is configured to start the target behavior subject and monitor its service behaviors to obtain at least one service behavior;
The generation module 305 is configured to generate a permission set including the at least one service behavior, extract the subject identifier of the target behavior subject, and store the subject identifier in correspondence with the permission set;
The acquisition module 306 is configured to monitor the flow in which the target behavior subject executes service behaviors and collect the running state and running environment of the target behavior subject;
The storage module 307 is configured to arrange the running state and running environment in chronological order to generate the flow of the target behavior subject, take the flow as the flow set, and store the flow set in correspondence with the subject identifier.
In a specific application scenario, as shown in Fig. 3C, the monitoring module 304 includes a determining submodule 3041, a starting submodule 3042 and a monitoring submodule 3043.
The determining submodule 3041 is configured to receive a start instruction and determine the target behavior subject according to the identifier of the subject to be started that the start instruction carries;
The starting submodule 3042 is configured to start the target behavior subject and start a behavior capture program, the behavior capture program being at least a hook (Hook) program;
The monitoring submodule 3043 is configured to monitor, based on the behavior capture program, the service behaviors of the target behavior subject after it is started, and obtain the at least one service behavior of the target behavior subject.
In a specific application scenario, as shown in Fig. 3D, the first determining module 301 includes a first determining submodule 3011 and a second determining submodule 3012.
The first determining submodule 3011 is configured to take, when a pending service behavior is received, the behavior subject requesting execution of the pending service behavior as the target behavior subject;
The second determining submodule 3012 is configured to obtain the subject identifier of the target behavior subject and determine the permission set and flow set indicated by the subject identifier.
In a specific application scenario, the execution module 303 is further configured to allow the pending service behavior to execute if the at least one service behavior of the permission set includes the pending service behavior.
In a specific application scenario, as shown in Fig. 3E, the apparatus further includes a disabling module 308.
The disabling module 308 is configured to forbid the pending service behavior from executing if the behavior flow of the pending service behavior is inconsistent with the flow shown in the flow set.
With the apparatus provided by the embodiment of the present invention, when a pending service behavior is received, the permission set and flow set of the target behavior subject requesting its execution can be determined; if the at least one service behavior of the permission set does not include the pending service behavior, the behavior flow of the pending service behavior is determined; and if that behavior flow is consistent with the flow shown in the flow set, the pending service behavior is allowed to execute. Constraining the service behaviors of a behavior subject through the permission set and flow set makes an attacker's malicious behavior easy to identify, prevents the attacker's malicious operations from causing serious damage to the operating system, and makes the operating system more secure.
It should be noted that for other descriptions of the functional units of the behavior-based service identification apparatus provided by the embodiment of the present invention, reference may be made to the corresponding descriptions of Fig. 1 and Figs. 2A to 2B, which are not repeated here.
In an exemplary embodiment, referring to Fig. 4, a device is also provided. The device includes a communication bus, a processor, a memory and a communication interface, and may also include an input/output interface and a display device; the functional units can communicate with one another over the bus. The memory stores a computer program, and the processor is configured to execute the program stored in the memory to perform the ... method in the above embodiments.
A readable storage medium stores a computer program which, when executed by a processor, implements the steps of the behavior-based service identification method.
From the description of the embodiments above, those skilled in the art can clearly understand that the application can be implemented in hardware, or in software plus a necessary general-purpose hardware platform. On that understanding, the technical solution of the application can be embodied as a software product, which can be stored in a non-volatile storage medium (a CD-ROM, USB flash drive, removable hard disk, etc.) and includes instructions that cause a computer device (a personal computer, server, network device, etc.) to execute the methods described in the implementation scenarios of the application.
Those skilled in the art will understand that the accompanying drawings are only schematic diagrams of a preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to implement the application.
Those skilled in the art will understand that the modules of the apparatus in an implementation scenario can be distributed in the apparatus of that scenario as described, or can be changed accordingly and located in one or more apparatuses different from that scenario. The modules of the above implementation scenarios can be merged into one module or further split into multiple submodules.
The serial numbers used in the application are for description only and do not indicate the relative merits of the implementation scenarios.
What is disclosed above is only several specific implementation scenarios of the application; the application is not limited to them, and any variation that a person skilled in the art can conceive shall fall within the protection scope of the application.

Claims (10)

1. A behavior-based service identification method, characterized by comprising:
when a pending service behavior is received, determining the permission set and flow set of the target behavior subject requesting execution of the pending service behavior, the permission set including at least one service behavior that the target behavior subject is allowed to execute, and the flow set including the flow in which the target behavior subject executes service behaviors;
if the at least one service behavior of the permission set does not include the pending service behavior, determining the behavior flow of the pending service behavior;
if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set, allowing the pending service behavior to execute.
2. The method according to claim 1, characterized in that, before determining, when a pending service behavior is received, the permission set and flow set of the target behavior subject requesting execution of the pending service behavior, the method comprises:
starting the target behavior subject and monitoring the service behaviors of the target behavior subject to obtain the at least one service behavior;
generating the permission set including the at least one service behavior, extracting the subject identifier of the target behavior subject, and storing the subject identifier in correspondence with the permission set;
monitoring the flow in which the target behavior subject executes service behaviors, and collecting the running state and running environment of the target behavior subject;
arranging the running state and the running environment in chronological order to generate the flow of the target behavior subject, taking the flow as the flow set, and storing the flow set in correspondence with the subject identifier.
3. The method according to claim 2, characterized in that starting the target behavior subject and monitoring the service behaviors of the target behavior subject to obtain the at least one service behavior comprises:
receiving a start instruction, and determining the target behavior subject according to the identifier of the subject to be started that the start instruction carries;
starting the target behavior subject and starting a behavior capture program, the behavior capture program being at least a hook (Hook) program;
monitoring, based on the behavior capture program, the service behaviors of the target behavior subject after it is started, and obtaining the at least one service behavior of the target behavior subject.
4. The method according to claim 1, characterized in that determining, when a pending service behavior is received, the permission set and flow set of the target behavior subject requesting execution of the pending service behavior comprises:
when the pending service behavior is received, taking the behavior subject requesting execution of the pending service behavior as the target behavior subject;
obtaining the subject identifier of the target behavior subject, and determining the permission set and flow set indicated by the subject identifier.
5. The method according to claim 1, characterized in that, after determining, when a pending service behavior is received, the permission set and flow set of the target behavior subject requesting execution of the pending service behavior, the method comprises:
if the at least one service behavior of the permission set includes the pending service behavior, allowing the pending service behavior to execute.
6. The method according to claim 1, characterized in that the method further comprises:
if the behavior flow of the pending service behavior is inconsistent with the flow shown in the flow set, forbidding the pending service behavior from executing.
7. A behavior-based service identification apparatus, characterized by comprising:
a first determining module, configured to determine, when a pending service behavior is received, the permission set and flow set of the target behavior subject requesting execution of the pending service behavior, the permission set including at least one service behavior that the target behavior subject is allowed to execute, and the flow set including the flow in which the target behavior subject executes service behaviors;
a second determining module, configured to determine the behavior flow of the pending service behavior if the at least one service behavior of the permission set does not include the pending service behavior;
an execution module, configured to allow the pending service behavior to execute if the behavior flow of the pending service behavior is consistent with the flow shown in the flow set.
8. The apparatus according to claim 7, characterized in that the apparatus further comprises:
a monitoring module, configured to start the target behavior subject and monitor the service behaviors of the target behavior subject to obtain the at least one service behavior;
a generation module, configured to generate the permission set including the at least one service behavior, extract the subject identifier of the target behavior subject, and store the subject identifier in correspondence with the permission set;
an acquisition module, configured to monitor the flow in which the target behavior subject executes service behaviors and collect the running state and running environment of the target behavior subject;
a storage module, configured to arrange the running state and the running environment in chronological order to generate the flow of the target behavior subject, take the flow as the flow set, and store the flow set in correspondence with the subject identifier.
9. A device, comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 6 when executing the computer program.
10. A readable storage medium storing a computer program, characterized in that the computer program implements the steps of the method of any one of claims 1 to 6 when executed by a processor.
CN201811640217.3A 2018-05-04 2018-12-29 Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium Active CN109873804B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810420369.6A CN108683652A (en) 2018-05-04 2018-05-04 A kind of method and device of the processing attack of Behavior-based control permission
CN2018104203696 2018-05-04

Publications (2)

Publication Number Publication Date
CN109873804A true CN109873804A (en) 2019-06-11
CN109873804B CN109873804B (en) 2021-07-23

Family

ID=63802917

Family Applications (9)

Application Number Title Priority Date Filing Date
CN201810420369.6A Pending CN108683652A (en) 2018-05-04 2018-05-04 A kind of method and device of the processing attack of Behavior-based control permission
CN201811640217.3A Active CN109873804B (en) 2018-05-04 2018-12-29 Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium
CN201811640613.6A Active CN109831420B (en) 2018-05-04 2018-12-29 Method and device for determining kernel process permission
CN201811640483.6A Active CN109743315B (en) 2018-05-04 2018-12-29 Behavior identification method, behavior identification device, behavior identification equipment and readable storage medium for website
CN201811646168.4A Pending CN109818937A (en) 2018-05-04 2018-12-29 For the control method of Android permission, device and storage medium, electronic device
CN201811645263.2A Active CN109714350B (en) 2018-05-04 2018-12-29 Permission control method and device of application program, storage medium and computer equipment
CN201811640216.9A Active CN109873803B (en) 2018-05-04 2018-12-29 Permission control method and device of application program, storage medium and computer equipment
CN201811645260.9A Pending CN109818935A (en) 2018-05-04 2018-12-29 User authority control method and device, storage medium, computer equipment
CN201811640611.7A Active CN109831419B (en) 2018-05-04 2018-12-29 Method and device for determining permission of shell program


Country Status (1)

Country Link
CN (9) CN108683652A (en)

US8286243B2 (en) * 2007-10-23 2012-10-09 International Business Machines Corporation Blocking intrusion attacks at an offending host
CN101246536A (en) * 2008-03-06 2008-08-20 北京鼎信高科信息技术有限公司 Method for encrypting and decrypting computer files based on process monitoring
CN101504604A (en) * 2009-03-13 2009-08-12 张昊 Authority management validation application method
CN101872397B (en) * 2010-06-08 2012-05-23 用友软件股份有限公司 Authorization role succession method
CN101917448A (en) * 2010-08-27 2010-12-15 山东中创软件工程股份有限公司 Control method for realizing RBAC access permission in application on basis of .NET
CN101997912A (en) * 2010-10-27 2011-03-30 苏州凌霄科技有限公司 Mandatory access control device based on Android platform and control method thereof
CN102542182A (en) * 2010-12-15 2012-07-04 苏州凌霄科技有限公司 Device and method for controlling mandatory access based on Windows platform
CN102147845A (en) * 2011-04-18 2011-08-10 北京思创银联科技股份有限公司 Process monitoring method
WO2013111331A1 (en) * 2012-01-27 2013-08-01 株式会社日立製作所 Computer system
CN102663318B (en) * 2012-03-22 2015-04-08 百度在线网络技术(北京)有限公司 Browser Process Privilege control method
CN103516680A (en) * 2012-06-25 2014-01-15 上海博腾信息科技有限公司 Authority management system of office system and realizing method thereof
CN102915417A (en) * 2012-09-18 2013-02-06 鸿富锦精密工业(深圳)有限公司 Application monitoring system and application monitoring method
CN102930205A (en) * 2012-10-10 2013-02-13 北京奇虎科技有限公司 Monitoring unit and method
CN103812958B (en) * 2012-11-14 2019-05-07 中兴通讯股份有限公司 Processing method, NAT device and the BNG equipment of NAT technology
CN103268451B (en) * 2013-06-08 2017-12-05 上海斐讯数据通信技术有限公司 A kind of dynamic permission management system based on mobile terminal
CN103617381B (en) * 2013-11-21 2018-03-16 北京奇安信科技有限公司 The authority configuring method and authority configuration system of equipment
CN103778006B (en) * 2014-02-12 2017-02-08 成都卫士通信息安全技术有限公司 Method for controlling progress of operating system
US9614851B1 (en) * 2014-02-27 2017-04-04 Open Invention Network Llc Security management application providing proxy for administrative privileges
CN103927476B (en) * 2014-05-07 2017-09-15 上海联彤网络通讯技术有限公司 Realize the intelligence system and method for application program rights management
CN104008337B (en) * 2014-05-07 2019-08-23 广州华多网络科技有限公司 A kind of active defense method and device based on linux system
CN104125219B (en) * 2014-07-07 2017-06-16 四川中电启明星信息技术有限公司 For authorization management method in the identity set of power information system
US9916475B2 (en) * 2014-08-11 2018-03-13 North Carolina State University Programmable interface for extending security of application-based operating system
CN104268470B (en) * 2014-09-26 2018-02-13 酷派软件技术(深圳)有限公司 Method of controlling security and safety control
CN104484594B (en) * 2014-11-06 2017-10-31 中国科学院信息工程研究所 A kind of franchise distribution method of the Linux system based on capability mechanism
CN104484599B (en) * 2014-12-16 2017-12-12 北京奇虎科技有限公司 A kind of behavior treating method and apparatus based on application program
CN104503880A (en) * 2014-12-16 2015-04-08 新余兴邦信息产业有限公司 Method and device for realizing MySQL database monitoring option script
KR101619414B1 (en) * 2015-01-06 2016-05-10 한국인터넷진흥원 System for detecting abnormal behaviors using personalized early use behavior pattern analysis
CN104820791B (en) * 2015-05-19 2017-12-15 大唐网络有限公司 The authority control method and system of application software
CN105049592B (en) * 2015-05-27 2020-02-14 中国科学院信息工程研究所 Mobile intelligent terminal voice safety protection method and system
CN106650438A (en) * 2015-11-04 2017-05-10 阿里巴巴集团控股有限公司 Method and device for detecting baleful programs
JP2019507412A (en) * 2015-12-31 2019-03-14 サイバー 2.0 (2015) リミテッド Monitor traffic in computer networks
CN106127031A (en) * 2016-06-23 2016-11-16 北京金山安全软件有限公司 Method and device for protecting process and electronic equipment
CN106228059A (en) * 2016-07-22 2016-12-14 南京航空航天大学 Based on three Yuans management and the role access control method of expansion
CN106603509B (en) * 2016-11-29 2020-07-07 中科曙光信息技术无锡有限公司 Enterprise document management method
CN106778345B (en) * 2016-12-19 2019-10-15 网易(杭州)网络有限公司 The treating method and apparatus of data based on operating right
CN106650418A (en) * 2016-12-21 2017-05-10 天津大学 Android access control system and method based on multi-strategy
CN106650435A (en) * 2016-12-28 2017-05-10 郑州云海信息技术有限公司 Method and apparatus of protecting system
CN107018140B (en) * 2017-04-24 2021-06-04 深信服科技股份有限公司 Authority control method and system
CN113328861B (en) * 2017-08-23 2022-11-01 重庆京像微电子有限公司 Authority verification method, device and system
CN107832590A (en) * 2017-11-06 2018-03-23 珠海市魅族科技有限公司 Terminal control method and device, terminal and computer-readable recording medium
CN108280349A (en) * 2018-01-10 2018-07-13 维沃移动通信有限公司 Protect method, mobile terminal and the computer readable storage medium of system kernel layer
CN108683652A (en) * 2018-05-04 2018-10-19 北京奇安信科技有限公司 A kind of method and device of the processing attack of Behavior-based control permission


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114237630A (en) * 2020-09-09 2022-03-25 中国电信股份有限公司 Privacy permission detection method and device

Also Published As

Publication number Publication date
CN109873803B (en) 2021-07-20
CN109818935A (en) 2019-05-28
CN109831419B (en) 2021-10-01
CN109714350A (en) 2019-05-03
CN108683652A (en) 2018-10-19
CN109831420B (en) 2021-10-22
CN109743315A (en) 2019-05-10
CN109831419A (en) 2019-05-31
CN109743315B (en) 2021-10-22
CN109873804B (en) 2021-07-23
CN109714350B (en) 2021-11-23
CN109873803A (en) 2019-06-11
CN109831420A (en) 2019-05-31
CN109818937A (en) 2019-05-28

Similar Documents

Publication Publication Date Title
CN109873804A (en) Service identification method, device, equipment and the readable storage medium storing program for executing of Behavior-based control
CN109711168A (en) Service identification method, device, equipment and the readable storage medium storing program for executing of Behavior-based control
US11611586B2 (en) Systems and methods for detecting a suspicious process in an operating system environment using a file honeypots
US9183383B1 (en) System and method of limiting the operation of trusted applications in presence of suspicious programs
CN109074452B (en) System and method for generating tripwire files
US8863284B1 (en) System and method for determining a security status of potentially malicious files
US8732587B2 (en) Systems and methods for displaying trustworthiness classifications for files as visually overlaid icons
CN105760787B (en) System and method for the malicious code in detection of random access memory
WO2015023093A1 (en) Method for verifying integrity of dynamic code using hash
CN109583202A (en) System and method for the malicious code in the address space of detection procedure
CN109992956A (en) The processing method and relevant apparatus of the security strategy of container
CN110619022B (en) Node detection method, device, equipment and storage medium based on block chain network
CN111597553A (en) Process processing method, device, equipment and storage medium in virus searching and killing
US9154519B1 (en) System and method for antivirus checking of objects from a plurality of virtual machines
CN108256351B (en) File processing method and device, storage medium and terminal
CN109710609A (en) Generate the method and device of tables of data mark
CN114417397A (en) Behavior portrait construction method and device, storage medium and computer equipment
CN105809074B (en) USB data transmission control method, device, control assembly and system
CN110489253A (en) Data processing method, device, equipment and computer readable storage medium
JP6010672B2 (en) Security setting system, security setting method and program
CN113409051B (en) Risk identification method and device for target service
RU2750642C2 (en) System and method for registering a unique mobile device identifier
JP5814138B2 (en) Security setting system, security setting method and program
US9213842B2 (en) Tracing data block operations
US20230101198A1 (en) Computer-implemented systems and methods for application identification and authentication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Patentee after: Qianxin Technology Group Co., Ltd

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Patentee before: Beijing Qianxin Technology Co., Ltd
