CN109873804B - Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium - Google Patents


Publication number
CN109873804B
Authority
CN
China
Prior art keywords
behavior
service
executed
main body
flow
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811640217.3A
Other languages
Chinese (zh)
Other versions
CN109873804A (en
Inventor
谢文聪
陈俊儒
刘明
杨小波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
360 Enterprise Security Technology Zhuhai Co ltd
Beijing Qianxin Technology Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)
  • Debugging And Monitoring (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a behavior-based service identification method, device, equipment and readable storage medium, and relates to the technical field of the Internet. The service behaviors of a behavior main body are restricted through a permission set and a flow set, so that malicious behaviors of an attacker are easily identified, malicious operations of the attacker are prevented from causing great damage to the operating system, and the operating system has good security. The method comprises the following steps: when a service behavior to be executed is received, determining a permission set and a flow set of the target behavior main body requesting execution of that service behavior, wherein the permission set comprises at least one service behavior that the target behavior main body is allowed to execute, and the flow set comprises the flow by which the target behavior main body executes service behaviors; if the at least one service behavior of the permission set does not include the service behavior to be executed, determining the behavior flow of the service behavior to be executed; and if that behavior flow is consistent with the flow shown by the flow set, allowing the service behavior to be executed.

Description

Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium
Technical Field
The invention relates to the technical field of internet, in particular to a service identification method, a device, equipment and a readable storage medium based on behaviors.
Background
With the rapid development of internet technology and the increasing popularity of terminals, more and more users choose to use terminals to perform various activities in daily life, such as social contact, communication, photographing, games, shopping, and the like. When a user performs various activities in a terminal, the activities are usually realized based on services in the terminal, and in order to ensure normal operation of the services, an operating system is installed in the terminal, and the services are an indispensable part in the operating system. At present, a terminal receives a service behavior requested by a user, identifies the service behavior, and implements an operation requested by the user by executing the service behavior.
In the related art, when a terminal receives a service behavior, it usually collects common trusted-software features of the service behavior, including the digital signature of a trusted company, binary feature strings, text feature strings, MD5 (Message Digest Algorithm 5) values, hash values, checksums, and the like, and establishes a white feature library containing these trusted-software features. During normal operation of the system, a file that a service in the system requests to execute is matched against the white feature library; a file that does not match the features in the white feature library is considered suspicious software and is subjected to various restrictions.
In the process of implementing the invention, the inventor finds that the related art has at least the following problems:
Some services in the system are trusted services, such as printer services, and are allowed no matter what kind of behavior or what kind of file they request to execute. An attacker can therefore easily use such service behavior to carry out malicious operations on the operating system, the operating system is seriously damaged, and the security of the operating system is poor.
Disclosure of Invention
In view of the above, the present invention provides a behavior-based service identification method, apparatus, device and readable storage medium, and mainly aims to solve the problems that an attacker can easily perform malicious operation on an operating system by using a service behavior, and further, the operating system is seriously damaged, and the security of the operating system is poor.
According to a first aspect of the present invention, there is provided a behavior-based service identification method, the method comprising:
when receiving a service behavior to be executed, determining an authority set and a flow set of a target behavior main body requesting to execute the service behavior to be executed, wherein the authority set comprises at least one service behavior allowed to be executed by the target behavior main body, and the flow set comprises a flow of the target behavior main body executing the service behavior;
if at least one service behavior of the permission set does not comprise the service behavior to be executed, determining a behavior flow of the service behavior to be executed;
and if the behavior flow of the service behavior to be executed is consistent with the flow shown by the flow set, allowing the service behavior to be executed.
In another embodiment, before determining, when a service behavior to be executed is received, the permission set and the flow set of the target behavior body requesting execution of the service behavior to be executed, the method includes:
starting the target behavior main body, monitoring the service behavior of the target behavior main body, and acquiring the at least one service behavior;
generating the permission set comprising the at least one service behavior, extracting a subject identification of the target behavior subject, and correspondingly storing the subject identification and the permission set;
monitoring the process of executing the service behaviors by the target behavior main body, and collecting the running state and running environment of the target behavior main body;
and sorting the running state and the running environment according to a time sequence to generate a flow of the target behavior main body, taking the flow as the flow set, and correspondingly storing the flow set and the main body identification.
In another embodiment, the starting the target behavior entity, monitoring the service behavior of the target behavior entity, and acquiring the at least one service behavior includes:
receiving a starting instruction, and determining the target behavior subject according to a subject mark to be started carried by the starting instruction;
starting the target behavior main body and starting a behavior acquisition program, wherein the behavior acquisition program is at least a Hook program;
and monitoring the service behavior of the target behavior main body after starting based on the behavior acquisition program, and acquiring the at least one service behavior of the target behavior main body.
In another embodiment, the determining, when the service behavior to be executed is received, a set of permissions and a set of flows of a target behavior body requesting execution of the service behavior to be executed includes:
when the service behavior to be executed is received, taking a behavior main body requesting to execute the service behavior to be executed as the target behavior main body;
and acquiring a main body identifier of the target behavior main body, and determining an authority set and a flow set indicated by the main body identifier.
In another embodiment, after determining, when the service behavior to be executed is received, the authority set and the flow set of the target behavior body requesting to execute the service behavior to be executed, the method includes:
and if at least one service behavior of the permission set comprises the service behavior to be executed, allowing the service behavior to be executed.
In another embodiment, the method further comprises:
and if the behavior flow of the service behavior to be executed is not consistent with the flow shown by the flow set, prohibiting the service behavior to be executed from being executed.
According to a second aspect of the present invention, there is provided a behavior-based service identification apparatus, the apparatus comprising:
a first determining module, configured to determine, when a service behavior to be executed is received, an authority set and a flow set of a target behavior main body requesting to execute the service behavior to be executed, wherein the authority set comprises at least one service behavior that the target behavior main body is allowed to execute, and the flow set comprises a flow of the target behavior main body executing the service behavior;
a second determining module, configured to determine a behavior flow of the service behavior to be executed if at least one service behavior of the permission set does not include the service behavior to be executed;
and the execution module is used for allowing the service behavior to be executed if the behavior flow of the service behavior to be executed is consistent with the flow shown by the flow set.
In another embodiment, the apparatus further comprises:
the monitoring module is used for starting the target behavior main body, monitoring the service behaviors of the target behavior main body and acquiring the at least one service behavior;
the generation module is used for generating the permission set comprising the at least one service behavior, extracting a main body identifier of the target behavior main body, and correspondingly storing the main body identifier and the permission set;
the acquisition module is used for monitoring the process of executing the service behaviors by the target behavior main body and acquiring the running state and running environment of the target behavior main body;
and the storage module is used for sorting the running state and the running environment according to a time sequence to generate a flow of the target behavior main body, taking the flow as the flow set, and correspondingly storing the flow set and the main body identification.
In another embodiment, the monitoring module includes:
the determining submodule is used for receiving a starting instruction and determining the target behavior main body according to a main body mark to be started carried by the starting instruction;
the starting submodule is used for starting the target behavior main body and starting a behavior acquisition program, and the behavior acquisition program is at least a Hook program;
and the monitoring submodule is used for monitoring the service behavior of the target behavior main body after the target behavior main body is started based on the behavior acquisition program and acquiring the at least one service behavior of the target behavior main body.
In another embodiment, the first determining module includes:
the first determining submodule is used for taking a behavior main body requesting to execute the service behavior to be executed as the target behavior main body when the service behavior to be executed is received;
and the second determining submodule is used for acquiring a main body identifier of the target behavior main body and determining the authority set and the flow set indicated by the main body identifier.
In another embodiment, the executing module is further configured to allow the service action to be executed if the service action to be executed is included in the at least one service action of the permission set.
In another embodiment, the apparatus further comprises:
and the forbidding module is used for forbidding to execute the service behavior to be executed if the behavior flow of the service behavior to be executed is inconsistent with the flow shown by the flow set.
According to a third aspect of the present invention, there is provided an apparatus comprising a memory storing a computer program and a processor implementing the steps of the method of the first aspect when the processor executes the computer program.
According to a fourth aspect of the present invention, there is provided a readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the method of the first aspect described above.
Through the above technical solution, the invention provides a behavior-based service identification method, device, equipment and readable storage medium. Compared with the current approach of identifying service behaviors with a white feature library, the invention determines, when a service behavior to be executed is received, the permission set and the flow set of the target behavior main body requesting execution of that service behavior; if the at least one service behavior of the permission set does not include the service behavior to be executed, it determines the behavior flow of the service behavior to be executed; and if that behavior flow is consistent with the flow shown by the flow set, it allows the service behavior to be executed. The service behaviors of the behavior main body are thereby restricted by the permission set and the flow set, so that malicious behaviors of an attacker are easily identified, severe damage to the operating system from the attacker's malicious operations is avoided, and the security of the operating system is better.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a schematic flow chart illustrating a behavior-based service identification method according to an embodiment of the present invention;
FIG. 2A is a flow chart of a behavior-based service identification method according to an embodiment of the present invention;
FIG. 2B is a flow chart of a behavior-based service identification method according to an embodiment of the present invention;
FIG. 3A is a schematic structural diagram illustrating a behavior-based service identification apparatus according to an embodiment of the present invention;
FIG. 3B is a schematic structural diagram illustrating a behavior-based service identification apparatus according to an embodiment of the present invention;
FIG. 3C is a schematic structural diagram illustrating a behavior-based service identification apparatus according to an embodiment of the present invention;
FIG. 3D is a schematic structural diagram illustrating a behavior-based service identification apparatus according to an embodiment of the present invention;
FIG. 3E is a schematic structural diagram illustrating a behavior-based service identification apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating an apparatus structure of an apparatus according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The embodiment of the invention provides a behavior-based service identification method. When a service behavior to be executed is received, the method determines an authority set and a flow set of the target behavior main body requesting to execute it; if the at least one service behavior of the authority set does not include the service behavior to be executed, it determines the behavior flow of the service behavior to be executed; and if that behavior flow is consistent with the flow shown by the flow set, it allows the service behavior to be executed. The service behaviors of the behavior main body are thus limited through the authority set and the flow set, malicious behaviors of an attacker are easily identified, serious damage to the operating system from the attacker's malicious operations is avoided, and the operating system is more secure. As shown in FIG. 1, the method comprises the following steps:
101. When a service behavior to be executed is received, a permission set and a flow set of the target behavior main body requesting to execute the service behavior are determined; the permission set comprises at least one service behavior that the target behavior main body is allowed to execute, and the flow set comprises the flows by which the target behavior main body executes service behaviors.
In the embodiment of the present invention, when receiving a service behavior to be executed, since each service behavior is requested to be executed by a behavior principal, a behavior principal that issues the service behavior to be executed may be determined, and the behavior principal may be used as a target behavior principal. And the operating system sets a corresponding authority set and flow set for each behavior main body, wherein the authority set and the flow set comprise at least one service behavior which is allowed to be executed by the behavior main body, so that after the target behavior main body is determined, the authority set and the flow set corresponding to the target behavior main body can be acquired, the service behavior to be executed of the target behavior main body is identified based on the authority set and the flow set in the follow-up process, and whether the target behavior main body can execute the service behavior to be executed is determined.
102. And if at least one service behavior of the permission set does not comprise the service behavior to be executed, determining a behavior flow of the service behavior to be executed.
In the embodiment of the present invention, after the authority set of the target behavior body is determined, since the authority set includes at least one service behavior that is allowed to be executed, the at least one service behavior may be compared with the service behavior to be executed, and whether the service behavior to be executed can be executed is determined by querying whether the authority set includes it.
103. And if the action flow of the service action to be executed is consistent with the flow shown by the flow set, allowing the service action to be executed.
In the embodiment of the present invention, if the to-be-executed service behavior is not included in the permission set, it indicates that the to-be-executed service behavior is not within the range specified by the permission set. In order to avoid interception of normal service behaviors caused by the fact that the related range of the authority set is not wide enough, when the service behavior to be executed is determined not to belong to the authority set, the behavior flow of the service behavior to be executed is obtained, when the behavior flow of the service behavior to be executed is consistent with the flow shown by the flow set, the service behavior to be executed is determined to be the normal behavior of the target behavior main body, and the service behavior to be executed is allowed to be executed.
According to the method provided by the embodiment of the invention, when a service behavior to be executed is received, the authority set and the flow set of the target behavior main body requesting to execute it are determined; if the at least one service behavior of the authority set does not include the service behavior to be executed, the behavior flow of the service behavior to be executed is determined; and if that behavior flow is consistent with the flow shown by the flow set, the service behavior to be executed is allowed to be executed. The service behaviors of the behavior main body are thus limited through the authority set and the flow set, malicious behaviors of an attacker are easy to identify, malicious operations of the attacker are prevented from causing great damage to the operating system, and the security of the operating system is better.
The embodiment of the invention provides a behavior-based service identification method. When a service behavior to be executed is received, the method determines an authority set and a flow set of the target behavior main body requesting to execute it; if the at least one service behavior of the authority set does not include the service behavior to be executed, it determines the behavior flow of the service behavior to be executed; and if that behavior flow is consistent with the flow shown by the flow set, it allows the service behavior to be executed. The service behaviors of the behavior main body are thus limited through the authority set and the flow set, malicious behaviors of an attacker are easily identified, serious damage to the operating system from the attacker's malicious operations is avoided, and the operating system is more secure. As shown in FIG. 2A, the method comprises the following steps:
201. Receiving a starting instruction, and determining a target behavior main body according to a main body mark to be started carried by the starting instruction.
The inventor realized that the behaviors a behavior body executes after being started are usually fixed; that is, the behaviors a behavior body relies on when providing service for a user are fixed, and in normal operation a behavior body does not request to execute a behavior it has never executed before. Therefore, in order to limit the behaviors of a behavior body, prevent it from executing behaviors it has not executed before, and identify malicious behavior of an attacker, the embodiment of the invention sets a permission set and a flow set for each behavior body and defines the behaviors executable by the behavior body based on the permission set and the flow set, thereby restricting the operation of the behavior body. It should be noted that, because there are many behavior bodies in the system, it is impossible to set an authority set and a flow set for all behavior bodies at the same time; in the embodiment of the present invention, a "minimum authority set" common to all behavior bodies may also be set, and a behavior body without an authority set and a flow set is identified based on the "minimum authority set".
Since the authority set and the flow set are generated according to the behaviors executed by the behavior body during actual running, those behaviors need to be collected. Considering that there are many behavior bodies in the operating system, in order to specify which behavior body the behavior library is generated for, the program start instruction needs to carry the identification of the behavior body to be started. Thus, when a program starting instruction is received, the main body identifier to be started is first extracted from it; then the behavior body indicated by that identifier is looked up in the operating system and taken as the target behavior body, so that an authority set and a flow set can subsequently be generated for it. It should be noted that, in order to set a corresponding authority set and flow set for each behavior body in the operating system, any behavior body that does not yet have a corresponding authority set and flow set may be a target behavior body. Specifically, the to-be-started subject identifier may be a program name or a program number of the target program, and the content of the to-be-started subject identifier is not specifically limited in the embodiment of the present invention.
202. Starting a target behavior body and starting a behavior acquisition program, wherein the behavior acquisition program is at least a Hook program, and monitoring the service behavior of the target behavior body after starting based on the behavior acquisition program.
In the embodiment of the invention, after the target behavior body is determined, it can be started so as to obtain at least one service behavior of the target behavior body, and an authority set is then generated for the target program based on the at least one service behavior. The service behaviors of the target behavior body may be collected by a behavior collection program. When the target behavior body is started, the behavior collection program is started as well, so that it monitors and collects all service behaviors after the target behavior body is started; the behavior collection program can be a Hook program.
In practice, so that the collected service behaviors are meaningful and not so numerous as to overload the operating system, a collection period may be set; only the service behaviors executed by the target behavior main body within the collection period are collected, and an authority set is subsequently generated for the target behavior main body from them. For example, the collection period may be 7 days, so that the service behaviors of the target behavior main body within 7 days are collected.
203. And generating an authority set comprising at least one service behavior, extracting a main body identifier of a target behavior main body, and correspondingly storing the main body identifier and the authority set.
In the embodiment of the invention, after at least one service behavior of the target behavior main body is collected, the at least one service behavior can be stored, thereby generating the permission set. When the authority set is generated, in order to keep the format of every behavior main body's authority set consistent and make the authority sets convenient to manage, a preset template can be set, and the at least one service behavior is arranged according to the preset template, so that an authority set is generated which comprises the at least one service behavior and whose format meets the requirement of the preset template.
Because each behavior body in the operating system has a corresponding permission set once permission sets have been generated, a large number of permission sets exist. In order to manage the authority sets and avoid confusing the correspondence between behavior main bodies and authority sets, which would cause errors in subsequent identification of service behaviors, after the authority set is generated the main body identification of the target behavior main body can be extracted and stored in correspondence with the authority set, so that the correspondence between each behavior main body and its authority set is clear. In practical application, after the authority set is generated, it can be marked with the subject identifier, so that the target behavior subject corresponds to the authority set.
204. Monitoring the process of executing the service behaviors by the target behavior main body, collecting the running state and the running environment of the target behavior main body, sorting the running state and the running environment according to the time sequence to generate the flow of the target behavior main body, taking the flow as a flow set, and correspondingly storing the flow set and the main body identification.
In the embodiment of the present invention, when a behavior main body executes a service behavior in the system, executing a legal service behavior corresponds to a legal flow, and executing an illegal service behavior corresponds to a clearly different illegal flow. A flow set can therefore be generated for the target behavior main body, and the flow in which the target behavior main body executes a service behavior can be identified against that flow set to determine whether the flow is legal. For example, spoolsv.exe is the service process of the Print Spooler, which manages all local and network print queues and controls all print jobs. There is no reason for spoolsv.exe to start a Shell program, and spoolsv.exe should not even have the capability of starting any program, so as long as starting a program is involved in the flow of spoolsv.exe, the flow is illegal.
When a flow set is set for a target behavior main body, firstly, the process of executing a service behavior by the target behavior main body can be monitored, and the running state and the running environment of the target behavior main body are collected; and then, sorting the running state and the running environment according to the time sequence to generate a flow of the target behavior main body, taking the flow as a flow set, and correspondingly storing the flow set and the main body identification.
By executing the processes in step 201 to step 204, an authority set and a flow set related to the service behaviors actually executed by the target behavior main body can be generated. It should be noted that when the operating system is updated, the service behaviors that each behavior main body can execute in the updated operating system may change; for example, a behavior main body may gain new executable service behaviors. To ensure that the authority set and the flow set of a behavior main body meet its current requirements, an update cycle may be set in the operating system; the processes in the above step 201 to step 203 are repeated every update cycle, an authority set and a flow set are newly generated for each behavior main body, and the newly generated sets replace the previous ones, thereby ensuring the normal operation of the behavior main body.
After the authority set and the flow set of the target behavior main body are generated, when an execution request from the target behavior main body is subsequently received, the service behavior of the target behavior main body can be identified based on the authority set and the flow set to determine whether it is allowed to be executed. Referring to fig. 2B, the method includes:
205. When the service behavior to be executed is received, the authority set and the flow set of the target behavior main body requesting to execute the service behavior to be executed are determined.
In the embodiment of the present invention, when a service behavior to be executed is received, it has usually been requested by a behavior main body, so the object requesting execution of the service behavior is determined and taken as the target behavior main body; that is, the behavior main body requesting to execute the service behavior to be executed is the target behavior main body. When the operating system stores the authority sets and the flow sets, they are stored by main body identifier; each main body identifier corresponds to one authority set and one flow set, so the authority set and the flow set can be queried by main body identifier.
It should be noted that if obtaining the authority set and the flow set of the target behavior main body of the service behavior to be executed fails, this indicates that no authority set and flow set may have been set for the target behavior main body yet. In that case the "minimum authority set" may be obtained, and the service behavior to be executed is subsequently identified based on the "minimum authority set".
206. Comparing the service behavior to be executed with the authority set and querying whether the authority set includes the service behavior to be executed; if the authority set does not include the service behavior to be executed, executing the following step 207; if the authority set includes the service behavior to be executed, executing the following step 208.
In the embodiment of the present invention, after the authority set of the target behavior body is determined, since the authority set of the target behavior body specifies the service behaviors that the target behavior body can execute, and the service behaviors that exceed the authority set, that is, the service behaviors that are not included in the authority set are not allowed to be executed by the target behavior body, the service behaviors to be executed are compared with at least one service behavior in the authority set, so as to determine whether the service behaviors to be executed are allowed to be executed. Specifically, when the service behavior to be executed is compared with at least one service behavior and whether the authority set comprises the service behavior to be executed is inquired, firstly, a behavior identifier to be executed of the service behavior to be executed is extracted, and at least one service behavior identifier of the at least one service behavior is extracted; and then, comparing the to-be-executed behavior identifier with the at least one service behavior identifier, and inquiring whether the service behavior identifier consistent with the to-be-executed behavior identifier exists in the at least one service behavior identifier, so that the to-be-executed service behavior is identified.
If the authority set does not include the service behavior to be executed, it indicates that the service behavior to be executed is not allowed to be executed; at this point a further determination based on the flow set is needed, to avoid a misjudgment caused by the authority set not including the service behavior, and therefore the following steps 207 to 209 are performed. If the authority set includes the service behavior to be executed, it indicates that the service behavior to be executed is one the target behavior main body can execute: the target behavior main body is allowed to execute it, it is not an unauthorized operation, and it meets the requirements the authority set places on the target behavior main body, so the following step 210 is executed.
207. If the authority set does not include the service behavior to be executed, determining the behavior flow of the service behavior to be executed; if the behavior flow of the service behavior to be executed is consistent with the flow shown in the flow set, executing the following step 208; if the behavior flow of the service behavior to be executed is not consistent with the flow shown in the flow set, executing the following step 209.
208. If the behavior flow of the service behavior to be executed is consistent with the flow shown by the flow set, allowing the service behavior to be executed.
In the embodiment of the present invention, if the behavior flow of the service behavior to be executed is consistent with the flow shown in the flow set, the behavior flow satisfies the limitation of the flow set and the target behavior main body's request to execute the service behavior is not an unauthorized behavior, so the target behavior main body is allowed to execute the service behavior to be executed.
209. If the behavior flow of the service behavior to be executed is inconsistent with the flow shown by the flow set, prohibiting the execution of the service behavior to be executed.
In the embodiment of the present invention, if the behavior flow of the service behavior to be executed is not consistent with the flow shown in the flow set, the behavior flow does not satisfy the limitation of the flow set and the target behavior main body's request to execute the service behavior is an unauthorized behavior, so the target behavior main body is prohibited from executing the service behavior to be executed.
210. If the service behavior to be executed is included in the authority set, allowing the target behavior main body to execute the service behavior to be executed.
In the embodiment of the present invention, if the service behavior to be executed is included in the authority set, the service behavior is within the range specified by the authority set and the target behavior main body's request to execute it is not an unauthorized behavior, so the target behavior main body is allowed to execute the service behavior to be executed.
According to the method provided by the embodiment of the invention, when the service behavior to be executed is received, the authority set and the flow set of the target behavior main body requesting to execute it are determined; if the at least one service behavior of the authority set does not include the service behavior to be executed, the behavior flow of the service behavior to be executed is determined; and if that behavior flow is consistent with the flow shown by the flow set, the service behavior to be executed is allowed to be executed. The service behaviors of the behavior main body are thus limited by the authority set and the flow set, so that malicious behaviors of an attacker are easy to identify, malicious operations of the attacker are prevented from causing great damage to the operating system, and the security of the operating system is improved.
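The learning steps 203 to 204 and the decision steps 205 to 210 above can be sketched as follows. This is an added example, not code from the patent: the class and field names, the behavior identifiers and the sample observations are constructed, and two points the text leaves open are filled by assumption, namely that "consistent with the flow set" means an exact match against a recorded flow and that a main body without a stored profile has an empty flow set.

```python
from dataclasses import dataclass

COLLECTION_PERIOD_S = 7 * 24 * 3600  # the page's example collection period: 7 days
ENV = "session0/SYSTEM"              # constructed running-environment label


@dataclass(frozen=True)
class Observation:
    """One monitored event of a behavior main body (field names are assumptions)."""
    ts: float          # seconds since monitoring of the main body started
    behavior_id: str   # identifier of the service behavior being executed
    state: str         # running state at that moment
    environment: str   # running environment at that moment


def to_flow(observations):
    """Step 204: sort running state/environment pairs by time to form a flow."""
    ordered = sorted(observations, key=lambda o: o.ts)
    return tuple((o.state, o.environment) for o in ordered)


class ProfileStore:
    """Authority sets and flow sets stored per main body identifier."""

    def __init__(self, minimum_permission_set):
        self._minimum = frozenset(minimum_permission_set)
        self._profiles = {}  # subject_id -> (authority set, flow set)

    def learn(self, subject_id, runs):
        """Steps 202-204. `runs` holds one observation list per monitored
        execution. Calling it again replaces the old profile (update cycle)."""
        permissions, flows = set(), set()
        for run in runs:
            # Only behaviors seen inside the collection period are learned.
            kept = [o for o in run if 0 <= o.ts <= COLLECTION_PERIOD_S]
            if not kept:
                continue
            permissions.update(o.behavior_id for o in kept)
            flows.add(to_flow(kept))
        self._profiles[subject_id] = (frozenset(permissions), frozenset(flows))

    def identify(self, subject_id, behavior_id, request_observations):
        """Steps 205-210. Returns (allowed, step that decided)."""
        # Step 205: look up by main body identifier; on failure fall back to
        # the "minimum authority set" (empty flow set is an assumption).
        permissions, flows = self._profiles.get(
            subject_id, (self._minimum, frozenset()))
        # Step 206 -> 210: behavior is inside the authority set.
        if behavior_id in permissions:
            return True, 210
        # Step 207 -> 208: not in the authority set, but the flow is known.
        # An empty request flow never matches, since empty runs are not stored.
        if to_flow(request_observations) in flows:
            return True, 208
        # Step 209: unknown behavior and unknown flow.
        return False, 209


def spooler_store():
    """Constructed learning data for the page's spoolsv.exe example."""
    store = ProfileStore(minimum_permission_set={"read_own_config"})
    run = [
        Observation(30.0, "write_spool_file", "spooling", ENV),
        Observation(10.0, "read_print_queue", "job_received", ENV),
        # Outside the 7-day collection period, so it is not learned.
        Observation(COLLECTION_PERIOD_S + 1, "load_driver", "driver_load", ENV),
    ]
    store.learn("spoolsv.exe", [run])
    return store


if __name__ == "__main__":
    store = spooler_store()
    spawn = [Observation(1, "start_program", "job_received", ENV),
             Observation(2, "start_program", "spawn_child", ENV)]
    print(store.identify("spoolsv.exe", "read_print_queue", []))
    print(store.identify("spoolsv.exe", "start_program", spawn))
```
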
Further, as a specific implementation of the method shown in fig. 1, an embodiment of the present invention provides a device for identifying a service based on a behavior, where as shown in fig. 3A, the device includes: a first determining module 301, a second determining module 302 and an executing module 303.
The first determining module 301 is configured to determine, when receiving a service behavior to be executed, a permission set and a flow set of a target behavior main body that requests execution of the service behavior to be executed, where the permission set includes at least one service behavior that the target behavior main body is allowed to execute, and the flow set includes a flow in which the target behavior main body executes the service behavior;
the second determining module 302 is configured to determine a behavior flow of the service behavior to be executed if at least one service behavior of the permission set does not include the service behavior to be executed;
the executing module 303 is configured to allow the service behavior to be executed if the behavior flow of the service behavior to be executed is consistent with the flow shown in the flow set.
In a specific application scenario, as shown in fig. 3B, the apparatus further includes a monitoring module 304, a generating module 305, an acquiring module 306, and a storing module 307.
The monitoring module 304 is configured to start a target behavior body, monitor a service behavior of the target behavior body, and obtain at least one service behavior;
the generating module 305 is configured to generate a permission set including at least one service behavior, extract a subject identifier of a subject of a target behavior, and store the subject identifier in correspondence with the permission set;
the acquisition module 306 is configured to monitor a process of executing a service behavior by a target behavior body, and acquire an operating state and an operating environment of the target behavior body;
the storage module 307 is configured to sort the operation states and the operation environments according to a time sequence, generate a flow of the target behavior body, use the flow as a flow set, and store the flow set and the body identifier correspondingly.
In a specific application scenario, as shown in fig. 3C, the monitoring module 304 includes a determining submodule 3041, an initiating submodule 3042 and a monitoring submodule 3043.
The determining submodule 3041 is configured to receive a starting instruction, and determine a target behavior body according to a to-be-started body identifier carried by the starting instruction;
the initiating submodule 3042 is configured to start the target behavior body and start the behavior collection program, where the behavior collection program is at least a Hook program;
the monitoring submodule 3043 is configured to monitor a service behavior of the target behavior main body after being started based on the behavior collection program, and obtain at least one service behavior of the target behavior main body.
In a specific application scenario, as shown in fig. 3D, the first determining module 301 includes a first determining sub-module 3011 and a second determining sub-module 3012.
The first determining submodule 3011 is configured to, when receiving a service behavior to be executed, use a behavior body that requests execution of the service behavior to be executed as a target behavior body;
the second determining submodule 3012 is configured to obtain a subject identifier of the target behavior subject, and determine an authority set and a flow set indicated by the subject identifier.
In a specific application scenario, the executing module 303 is further configured to allow the service behavior to be executed if at least one service behavior of the permission set includes the service behavior to be executed.
In a specific application scenario, as shown in fig. 3E, the apparatus further includes a disabling module 308.
The prohibiting module 308 is configured to prohibit the service behavior to be executed from being executed if the behavior flow of the service behavior to be executed is inconsistent with the flow shown in the flow set.
The device provided by the embodiment of the invention determines, when a service behavior to be executed is received, the authority set and the flow set of the target behavior main body requesting to execute it; if the at least one service behavior in the authority set does not include the service behavior to be executed, the behavior flow of the service behavior to be executed is determined; and if that behavior flow is consistent with the flow shown by the flow set, the service behavior to be executed is allowed to be executed. The service behaviors of the behavior main body are thus limited by the authority set and the flow set, so that malicious behaviors of an attacker are easy to identify, malicious operations of the attacker are prevented from causing great damage to the operating system, and the security of the operating system is improved.
It should be noted that other corresponding descriptions of the functional units related to the behavior-based service identification apparatus provided in the embodiment of the present invention may refer to the corresponding descriptions in fig. 1 and fig. 2A to fig. 2B, and are not described herein again.
In an exemplary embodiment, referring to fig. 4, there is further provided a device, where the device 400 includes a communication bus, a processor, a memory, and a communication interface, and may further include an input/output interface and a display device, where the functional units may communicate with each other through the bus. The memory stores a computer program and the processor executes the program stored in the memory to perform the … method of the above embodiments.
A readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the behavior based service identification method.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by hardware, and also by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application.
Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios.
The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (14)

1. A method for behavior-based service identification, comprising:
when receiving a service behavior to be executed, determining an authority set and a flow set of a target behavior main body requesting to execute the service behavior to be executed, wherein the authority set comprises at least one service behavior which is obtained by monitoring the started service behavior of the target behavior main body and allows the target behavior main body to execute, the flow set comprises a flow of the target behavior main body executing the service behavior, and the flow is obtained by sorting running states and running environments collected in the process of executing the service behavior by the target behavior main body according to a time sequence;
if at least one service behavior of the permission set does not comprise the service behavior to be executed, determining a behavior flow of the service behavior to be executed;
and if the behavior flow of the service behavior to be executed is consistent with the flow shown by the flow set, allowing the service behavior to be executed.
2. The method of claim 1, wherein before the determining, when the service behavior to be executed is received, of the authority set and the flow set of the target behavior main body requesting execution of the service behavior to be executed, the method further comprises:
starting the target behavior main body, monitoring the service behavior of the target behavior main body, and acquiring the at least one service behavior;
generating the permission set comprising the at least one service behavior, extracting a subject identification of the target behavior subject, and correspondingly storing the subject identification and the permission set;
monitoring the process of executing the service behaviors by the target behavior main body, and collecting the running state and running environment of the target behavior main body;
and sorting the running state and the running environment according to a time sequence to generate a flow of the target behavior main body, taking the flow as the flow set, and correspondingly storing the flow set and the main body identification.
3. The method of claim 2, wherein the initiating the target behavior entity, monitoring the service behavior of the target behavior entity, and obtaining the at least one service behavior comprises:
receiving a starting instruction, and determining the target behavior subject according to a subject mark to be started carried by the starting instruction;
starting the target behavior main body and starting a behavior acquisition program, wherein the behavior acquisition program is at least a Hook program;
and monitoring the service behavior of the target behavior main body after starting based on the behavior acquisition program, and acquiring the at least one service behavior of the target behavior main body.
4. The method of claim 1, wherein determining, when the to-be-executed service behavior is received, a set of permissions and a set of flows of a target behavior principal requesting execution of the to-be-executed service behavior comprises:
when the service behavior to be executed is received, taking a behavior main body requesting to execute the service behavior to be executed as the target behavior main body;
and acquiring a main body identifier of the target behavior main body, and determining an authority set and a flow set indicated by the main body identifier.
5. The method of claim 1, wherein after determining the set of permissions and the set of flows of the target behavior body requesting to execute the service behavior to be executed when the service behavior to be executed is received, the method comprises:
and if at least one service behavior of the permission set comprises the service behavior to be executed, allowing the service behavior to be executed.
6. The method of claim 1, further comprising:
and if the behavior flow of the service behavior to be executed is not consistent with the flow shown by the flow set, prohibiting the service behavior to be executed from being executed.
7. A behavior-based service identification apparatus, comprising:
a first determining module, configured to determine, when a service behavior to be executed is received, an authority set and a flow set of a target behavior main body requesting to execute the service behavior to be executed, wherein the authority set comprises at least one service behavior which is obtained by monitoring the service behavior of the target behavior main body after starting and which the target behavior main body is allowed to execute, the flow set comprises a flow of the target behavior main body executing the service behavior, and the flow is obtained by sorting, according to a time sequence, running states and running environments collected in the process of the target behavior main body executing the service behavior;
a second determining module, configured to determine a behavior flow of the service behavior to be executed if at least one service behavior of the permission set does not include the service behavior to be executed;
and the execution module is used for allowing the service behavior to be executed if the behavior flow of the service behavior to be executed is consistent with the flow shown by the flow set.
8. The apparatus of claim 7, further comprising:
the monitoring module is used for starting the target behavior main body, monitoring the service behaviors of the target behavior main body and acquiring the at least one service behavior;
the generation module is used for generating the permission set comprising the at least one service behavior, extracting a main body identifier of the target behavior main body, and correspondingly storing the main body identifier and the permission set;
the acquisition module is used for monitoring the process of executing the service behaviors by the target behavior main body and acquiring the running state and running environment of the target behavior main body;
and the storage module is used for sorting the running state and the running environment according to a time sequence to generate a flow of the target behavior main body, taking the flow as the flow set, and correspondingly storing the flow set and the main body identification.
9. The apparatus of claim 8, wherein the monitoring module comprises:
the determining submodule is used for receiving a starting instruction and determining the target behavior main body according to a main body mark to be started carried by the starting instruction;
the starting submodule is used for starting the target behavior main body and starting a behavior acquisition program, and the behavior acquisition program is at least a Hook program;
and the monitoring submodule is used for monitoring the service behavior of the target behavior main body after the target behavior main body is started based on the behavior acquisition program and acquiring the at least one service behavior of the target behavior main body.
10. The apparatus of claim 7, wherein the first determining module comprises:
the first determining submodule is used for taking a behavior main body requesting to execute the service behavior to be executed as the target behavior main body when the service behavior to be executed is received;
and the second determining submodule is used for acquiring a main body identifier of the target behavior main body and determining the authority set and the flow set indicated by the main body identifier.
11. The apparatus of claim 7, wherein the execution module is further configured to allow the service action to be executed if the service action to be executed is included in at least one service action of the set of permissions.
12. The apparatus of claim 7, further comprising:
and the forbidding module is used for forbidding to execute the service behavior to be executed if the behavior flow of the service behavior to be executed is inconsistent with the flow shown by the flow set.
13. An apparatus comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 6 when executing the computer program.
14. A readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
CN201811640217.3A 2018-05-04 2018-12-29 Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium Active CN109873804B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810420369.6A CN108683652A (en) 2018-05-04 2018-05-04 A kind of method and device of the processing attack of Behavior-based control permission
CN2018104203696 2018-05-04

Publications (2)

Publication Number Publication Date
CN109873804A CN109873804A (en) 2019-06-11
CN109873804B true CN109873804B (en) 2021-07-23

Family

ID=63802917

Family Applications (9)

Application Number Title Priority Date Filing Date
CN201810420369.6A Pending CN108683652A (en) 2018-05-04 2018-05-04 A kind of method and device of the processing attack of Behavior-based control permission
CN201811640613.6A Active CN109831420B (en) 2018-05-04 2018-12-29 Method and device for determining kernel process permission
CN201811640483.6A Active CN109743315B (en) 2018-05-04 2018-12-29 Behavior identification method, behavior identification device, behavior identification equipment and readable storage medium for website
CN201811645263.2A Active CN109714350B (en) 2018-05-04 2018-12-29 Permission control method and device of application program, storage medium and computer equipment
CN201811645260.9A Pending CN109818935A (en) 2018-05-04 2018-12-29 User authority control method and device, storage medium, computer equipment
CN201811640216.9A Active CN109873803B (en) 2018-05-04 2018-12-29 Permission control method and device of application program, storage medium and computer equipment
CN201811646168.4A Pending CN109818937A (en) 2018-05-04 2018-12-29 For the control method of Android permission, device and storage medium, electronic device
CN201811640611.7A Active CN109831419B (en) 2018-05-04 2018-12-29 Method and device for determining permission of shell program
CN201811640217.3A Active CN109873804B (en) 2018-05-04 2018-12-29 Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium

Country Status (1)

Country Link
CN (9) CN108683652A (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108683652A (en) * 2018-05-04 2018-10-19 北京奇安信科技有限公司 A kind of method and device of the processing attack of Behavior-based control permission
WO2020132877A1 (en) * 2018-12-25 2020-07-02 奇安信安全技术(珠海)有限公司 Operation detection method and system, and electronic device
CN110781491B (en) * 2019-10-25 2022-02-18 苏州浪潮智能科技有限公司 Method and device for controlling process to access file
CN110990844B (en) * 2019-10-25 2022-04-08 浙江大华技术股份有限公司 Cloud data protection method based on kernel, cloud server and system
CN110930234B (en) * 2019-11-18 2024-03-12 河南城建学院 Financial management method with remote access function
CN111444118B (en) * 2020-03-23 2022-04-05 数网金融有限公司 Process protection method, device, terminal equipment and storage medium
CN111756808A (en) * 2020-05-28 2020-10-09 西安万像电子科技有限公司 Data processing method and system
CN111783082A (en) * 2020-06-08 2020-10-16 Oppo广东移动通信有限公司 Process tracing method, device, terminal and computer readable storage medium
CN112003835B (en) * 2020-08-03 2022-10-14 奇安信科技集团股份有限公司 Security threat detection method and device, computer equipment and storage medium
CN114237630A (en) * 2020-09-09 2022-03-25 中国电信股份有限公司 Privacy permission detection method and device
CN112689002B (en) * 2020-12-18 2023-06-20 北京易车互联信息技术有限公司 app behavior monitoring system
CN112738100B (en) * 2020-12-29 2023-09-01 北京天融信网络安全技术有限公司 Authentication method, device, authentication equipment and authentication system for data access
CN113190836A (en) * 2021-03-29 2021-07-30 贵州电网有限责任公司 Web attack behavior detection method and system based on local command execution
CN113505351A (en) * 2021-06-23 2021-10-15 湖南惠而特科技有限公司 Identity authentication-based process industry white list access method and system
CN113672974A (en) * 2021-07-29 2021-11-19 北京奇艺世纪科技有限公司 Authority management method, device, equipment and storage medium
CN115114148B (en) * 2022-06-15 2024-07-19 马上消费金融股份有限公司 Compliance detection method and device for application program and electronic equipment
CN115118476B (en) * 2022-06-21 2023-02-28 拉扎斯网络科技(上海)有限公司 User permission verification method and device, electronic equipment and readable storage medium

Citations (5)

Publication number Priority date Publication date Assignee Title
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
CN103679007A (en) * 2013-12-19 2014-03-26 深圳全智达通信股份有限公司 Method and device for managing application program permission and mobile device
CN105491063A (en) * 2015-12-30 2016-04-13 深圳市深信服电子科技有限公司 Network intrusion prevention method and device
CN105516055A (en) * 2014-09-23 2016-04-20 腾讯科技(深圳)有限公司 Data access method, data access device, target device, and management server
CN107506646A (en) * 2017-09-28 2017-12-22 努比亚技术有限公司 Detection method, device and the computer-readable recording medium of malicious application

Family Cites Families (44)

Publication number Priority date Publication date Assignee Title
CN1763710A (en) * 2004-10-22 2006-04-26 中国人民解放军国防科学技术大学 Privilege minimizing method based on capability
US8286243B2 (en) * 2007-10-23 2012-10-09 International Business Machines Corporation Blocking intrusion attacks at an offending host
CN101246536A (en) * 2008-03-06 2008-08-20 北京鼎信高科信息技术有限公司 Method for encrypting and decrypting computer files based on process monitoring
CN101504604A (en) * 2009-03-13 2009-08-12 张昊 Authority management validation application method
CN101872397B (en) * 2010-06-08 2012-05-23 用友软件股份有限公司 Authorization role succession method
CN101917448A (en) * 2010-08-27 2010-12-15 山东中创软件工程股份有限公司 Control method for realizing RBAC access permission in application on basis of .NET
CN101997912A (en) * 2010-10-27 2011-03-30 苏州凌霄科技有限公司 Mandatory access control device based on Android platform and control method thereof
CN102542182A (en) * 2010-12-15 2012-07-04 苏州凌霄科技有限公司 Device and method for controlling mandatory access based on Windows platform
CN102147845A (en) * 2011-04-18 2011-08-10 北京思创银联科技股份有限公司 Process monitoring method
WO2013111331A1 (en) * 2012-01-27 2013-08-01 株式会社日立製作所 Computer system
CN102663318B (en) * 2012-03-22 2015-04-08 百度在线网络技术(北京)有限公司 Browser Process Privilege control method
CN103516680A (en) * 2012-06-25 2014-01-15 上海博腾信息科技有限公司 Authority management system of office system and realizing method thereof
CN102915417A (en) * 2012-09-18 2013-02-06 鸿富锦精密工业(深圳)有限公司 Application monitoring system and application monitoring method
CN102930205A (en) * 2012-10-10 2013-02-13 北京奇虎科技有限公司 Monitoring unit and method
CN103812958B (en) * 2012-11-14 2019-05-07 中兴通讯股份有限公司 Processing method, NAT device and the BNG equipment of NAT technology
CN103268451B (en) * 2013-06-08 2017-12-05 上海斐讯数据通信技术有限公司 A kind of dynamic permission management system based on mobile terminal
CN103617381B (en) * 2013-11-21 2018-03-16 北京奇安信科技有限公司 The authority configuring method and authority configuration system of equipment
CN103778006B (en) * 2014-02-12 2017-02-08 成都卫士通信息安全技术有限公司 Method for controlling progress of operating system
US9614851B1 (en) * 2014-02-27 2017-04-04 Open Invention Network Llc Security management application providing proxy for administrative privileges
CN104008337B (en) * 2014-05-07 2019-08-23 广州华多网络科技有限公司 A kind of active defense method and device based on linux system
CN103927476B (en) * 2014-05-07 2017-09-15 上海联彤网络通讯技术有限公司 Realize the intelligence system and method for application program rights management
CN104125219B (en) * 2014-07-07 2017-06-16 四川中电启明星信息技术有限公司 For authorization management method in the identity set of power information system
US9916475B2 (en) * 2014-08-11 2018-03-13 North Carolina State University Programmable interface for extending security of application-based operating system
US9026840B1 (en) * 2014-09-09 2015-05-05 Belkin International, Inc. Coordinated and device-distributed detection of abnormal network device operation
CN104268470B (en) * 2014-09-26 2018-02-13 酷派软件技术(深圳)有限公司 Method of controlling security and safety control
CN104484594B (en) * 2014-11-06 2017-10-31 中国科学院信息工程研究所 A kind of franchise distribution method of the Linux system based on capability mechanism
CN104503880A (en) * 2014-12-16 2015-04-08 新余兴邦信息产业有限公司 Method and device for realizing MySQL database monitoring option script
CN104484599B (en) * 2014-12-16 2017-12-12 北京奇虎科技有限公司 A kind of behavior treating method and apparatus based on application program
KR101619414B1 (en) * 2015-01-06 2016-05-10 한국인터넷진흥원 System for detecting abnomal behaviors using personalized early use behavior pattern analsis
CN104820791B (en) * 2015-05-19 2017-12-15 大唐网络有限公司 The authority control method and system of application software
CN105049592B (en) * 2015-05-27 2020-02-14 中国科学院信息工程研究所 Mobile intelligent terminal voice safety protection method and system
CN106650438A (en) * 2015-11-04 2017-05-10 阿里巴巴集团控股有限公司 Method and device for detecting baleful programs
JP2019507412A (en) * 2015-12-31 2019-03-14 サイバー 2.0 (2015) リミテッド Monitor traffic in computer networks
CN106127031A (en) * 2016-06-23 2016-11-16 北京金山安全软件有限公司 Method and device for protecting process and electronic equipment
CN106228059A (en) * 2016-07-22 2016-12-14 南京航空航天大学 Based on three Yuans management and the role access control method of expansion
CN106603509B (en) * 2016-11-29 2020-07-07 中科曙光信息技术无锡有限公司 Enterprise document management method
CN106778345B (en) * 2016-12-19 2019-10-15 网易(杭州)网络有限公司 The treating method and apparatus of data based on operating right
CN106650418A (en) * 2016-12-21 2017-05-10 天津大学 Android access control system and method based on multi-strategy
CN106650435A (en) * 2016-12-28 2017-05-10 郑州云海信息技术有限公司 Method and apparatus of protecting system
CN107018140B (en) * 2017-04-24 2021-06-04 深信服科技股份有限公司 Authority control method and system
CN113328861B (en) * 2017-08-23 2022-11-01 重庆京像微电子有限公司 Authority verification method, device and system
CN107832590A (en) * 2017-11-06 2018-03-23 珠海市魅族科技有限公司 Terminal control method and device, terminal and computer-readable recording medium
CN108280349A (en) * 2018-01-10 2018-07-13 维沃移动通信有限公司 Protect method, mobile terminal and the computer readable storage medium of system kernel layer
CN108683652A (en) * 2018-05-04 2018-10-19 北京奇安信科技有限公司 A kind of method and device of the processing attack of Behavior-based control permission


Also Published As

Publication number Publication date
CN109831420A (en) 2019-05-31
CN109873803B (en) 2021-07-20
CN109818935A (en) 2019-05-28
CN109714350A (en) 2019-05-03
CN109714350B (en) 2021-11-23
CN109831420B (en) 2021-10-22
CN109873803A (en) 2019-06-11
CN109831419B (en) 2021-10-01
CN109818937A (en) 2019-05-28
CN109873804A (en) 2019-06-11
CN108683652A (en) 2018-10-19
CN109831419A (en) 2019-05-31
CN109743315B (en) 2021-10-22
CN109743315A (en) 2019-05-10

Similar Documents

Publication Publication Date Title
CN109873804B (en) Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium
CN109711168B (en) Behavior-based service identification method, behavior-based service identification device, behavior-based service identification equipment and readable storage medium
Viennot et al. A measurement study of google play
CN103826215B (en) A kind of method and apparatus for carrying out Root authority management on the terminal device
US9697382B2 (en) Method and system for providing security policy for Linux-based security operating system
CN110856126B (en) Information reporting and receiving method, terminal equipment and storage medium
US20180307832A1 (en) Information processing device, information processing method, and computer readable medium
US9386024B1 (en) System and method for detecting modified or corrupted external devices
CN106254528A (en) A kind of resource downloading method and buffer memory device
CN115242434A (en) Application program interface API identification method and device
CN113886803A (en) Object storage system of instant messaging, object storage request method and device
CN109740328B (en) Authority identification method and device, computer equipment and storage medium
CN111783082A (en) Process tracing method, device, terminal and computer readable storage medium
CN115499487B (en) Updating method and device of server configuration file, storage medium and equipment
CN114035812B (en) Application software installation and/or operation method and device, electronic equipment and storage medium
CN104951715A (en) Information processing method and electronic equipment
CN111093186B (en) eSIM card operator file management method and system
CN112311551B (en) Protecting provable resource ownership
CN111190858B (en) Method, device, equipment and storage medium for storing software information
CN114861160A (en) Method, device, equipment and storage medium for improving non-administrator account authority
CN111008395B (en) Method and device for protecting USB flash disk
CN109784037B (en) Security protection method and device for document file, storage medium and computer equipment
KR101374345B1 (en) Resource security method, master server performing the same and storage media storing the same
CN114491653A (en) Data content tamper-proof system, method and device
CN106485104A (en) The self-repairing method of terminal security strategy and device, system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Patentee after: QAX Technology Group Inc.

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Patentee before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
