CN110457871A - Process daemon method and apparatus based on a file system filter driver framework - Google Patents

Info

Publication number: CN110457871A
Application number: CN201910743675.8A
Authority: CN (China)
Prior art keywords: application program, daemon, newly, active signal, driver
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王世晋, 范渊, 黄进, 王辉, 胡瀚璋
Current assignee: DBAPPSecurity Co Ltd; Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd

Events:
  • Application filed by Hangzhou Dbappsecurity Technology Co Ltd
  • Priority to CN201910743675.8A
  • Publication of CN110457871A
  • Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/48 Program initiating; Program switching, e.g. by interrupt
    • G06F9/4806 Task transfer initiation or dispatching
    • G06F9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides a process daemon method and apparatus based on a file system filter driver framework, in the technical field of network security. The method is applied to a guard driver. After the guard driver has determined the application to be guarded, it judges in real time whether a new activity signal in the operating system is a restricting operation directed at the guarded application; if so, the guard driver filters that signal. Interception of restricting operations is thus carried out at the driver layer, so that an intruder cannot effectively operate on the guarded application and the application is protected, which alleviates the technical problem that prior-art process daemon methods have a low security level.

Description

Process daemon method and apparatus based on a file system filter driver framework
Technical field
The present invention relates to the technical field of network security, and in particular to a process daemon method and apparatus based on a file system filter driver framework.
Background technique
In the prior art, a daemon process is usually created to prevent an application from being maliciously terminated or suspended. A daemon is a special process that runs in the background, is not controlled by any terminal, and performs a specific system task. Most daemons start at system boot and terminate at system shutdown. A daemon can guard the process of a target application: when it detects that the target application's process has stopped, it immediately restarts that process. However, if the attacker holds higher system privileges, the daemon itself can be terminated together with the target, and the daemon then provides no effective protection.
In summary, prior-art process daemon methods suffer from the technical problem of a low security level.
Summary of the invention
The purpose of the present invention is to provide a process daemon method and apparatus based on a file system filter driver framework, so as to alleviate the low security level of prior-art process daemon methods.
In a first aspect, an embodiment of the invention provides a process daemon method based on a file system filter driver framework, applied to a guard driver. The method comprises: a determining step, determining the application to be guarded; a judging step, judging whether a new activity signal in the operating system is a signal that performs a restricting operation on the application to be guarded; and a filtering step, filtering the new activity signal if it is.
In an optional embodiment, after the judging step the method further comprises: if so, recording the restricting operation of the new activity signal and notifying the application to be guarded.
In an optional embodiment, determining the application to be guarded comprises: establishing a communication connection with the application to be guarded; and receiving the process identifier (PID) of the application to be guarded.
In an optional embodiment, judging whether a new activity signal in the operating system is a signal that performs a restricting operation on the application to be guarded comprises: judging whether the operation type of the new activity signal is a restricting operation type; and if so, judging whether the process identifier of the operation object of the new activity signal matches the process identifier of the application to be guarded.
In an optional embodiment, judging whether the operation type of the new activity signal is a restricting operation type comprises: obtaining the flag bit of the new activity signal; determining the operation type of the new activity signal from the enumeration type of the flag bit; and judging whether that operation type matches the restricting operation type.
In a second aspect, an embodiment of the invention provides a process daemon method based on a file system filter driver framework, applied to the application to be guarded. The method comprises: establishing a communication connection with the guard driver; and sending the process identifier of the application to be guarded to the guard driver, so that the guard driver judges whether a new activity signal in the operating system is a signal that performs a restricting operation on the application to be guarded and, if so, filters the new activity signal.
In a third aspect, an embodiment of the invention provides a process daemon device based on a file system filter driver framework, applied to a guard driver. The device comprises: a determining module, for determining the application to be guarded; a judging module, for judging whether a new activity signal in the operating system is a signal that performs a restricting operation on the application to be guarded; and a filtering module, for filtering the new activity signal if so.
In an optional embodiment, the device further comprises a record-and-notify module, for recording the restricting operation of the new activity signal and notifying the application to be guarded, if so.
In an optional embodiment, the determining module comprises: a communication unit, for establishing a communication connection with the application to be guarded; and a receiving unit, for receiving the process identifier of the application to be guarded.
In a fourth aspect, an embodiment of the invention provides a process daemon device based on a file system filter driver framework, applied to the application to be guarded. The device comprises: a communication module, for establishing a communication connection with the guard driver; and a sending module, for sending the process identifier of the application to be guarded to the guard driver, so that the guard driver judges whether a new activity signal in the operating system is a signal that performs a restricting operation on the application to be guarded and, if so, filters the new activity signal.
The process daemon method based on a file system filter driver framework provided by the invention, applied to a guard driver, thus comprises: a determining step, determining the application to be guarded; a judging step, judging whether a new activity signal in the operating system is a signal that performs a restricting operation on the application to be guarded; and a filtering step, filtering the new activity signal if so.
In traditional process daemon schemes the daemon is easily attacked and terminated together with the process it guards, so the security level of such methods is low. Compared with the prior art, the invention provides a process daemon method based on a file system filter driver framework, applied to a guard driver: after determining the application to be guarded, the guard driver judges in real time whether a new activity signal in the operating system is a restricting operation directed at that application and, if so, filters it. Interception of restricting operations is thereby achieved at the driver layer, an intruder cannot effectively operate on the guarded application, and the application is protected, which alleviates the low security level of prior-art process daemon methods.
Detailed description of the invention
To illustrate the technical solutions of the specific embodiments of the invention or of the prior art more clearly, the drawings required for describing the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a process daemon method based on a file system filter driver framework provided by an embodiment of the invention;
Fig. 2 is a flowchart of another process daemon method based on a file system filter driver framework provided by an embodiment of the invention;
Fig. 3 is a functional block diagram of a process daemon device based on a file system filter driver framework provided by an embodiment of the invention;
Fig. 4 is a functional block diagram of another process daemon device based on a file system filter driver framework provided by an embodiment of the invention.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the invention. The components of the embodiments of the invention generally described and illustrated in the drawings here may be arranged and designed in a variety of different configurations.
Accordingly, the detailed description of the embodiments of the invention provided in the drawings below is not intended to limit the claimed scope of the invention, but merely represents selected embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Some embodiments of the invention are elaborated below with reference to the drawings. Where there is no conflict, the following embodiments and the features in them may be combined with each other.
Honeypot technology is essentially a technique for deceiving an attacker. By deploying hosts, network services or information as bait, it presents a simulated but genuine operating system environment that lures the attacker in, monitors that environment, and records all of the attacker's actions and operation data. Attack behaviour can then be captured and analysed to learn the tools and methods the attacker used and to infer attack intent and motivation, so that defenders clearly understand the security threats they face and can strengthen the operating system's protection through technical and management means.
However, because of the needs of the trapping environment, an operating system in a honeypot environment is usually left unpatched and full of vulnerabilities, so an attacker can easily escalate to the highest system privileges through a vulnerability. Once the attacker discovers that a program in the operating system is monitoring the environment, that program may be forcibly terminated by the attacker.
Traditional process daemon schemes are mostly implemented at the application layer and cannot prevent the attacker from manually terminating the program: the attacker can find the parent and child processes of a traditional daemon through process relationships and terminate them together.
To solve the process guarding problem, the invention introduces a file system filter driver framework and provides a process daemon method based on it, which guards an application-layer program from the driver layer, intercepting and filtering every system signal that would terminate a high-interaction application-layer program.
Embodiment one
Fig. 1 is a flowchart of a process daemon method based on a file system filter driver framework according to an embodiment of the invention, applied to a guard driver. As shown in Fig. 1, the method comprises the following steps:
Determining step S11: determine the application to be guarded.
The embodiment of the invention provides a process daemon method based on a file system filter driver framework. The guard driver is a concrete implementation based on the file system filter driver framework, i.e. a driver running in the kernel. The application to be guarded runs at the application layer and handles normal business, while the guard driver guards it from the driver layer. At the start of operation, therefore, the guard driver must first determine its specific guarded object: the application to be guarded.
Judging step S12: judge whether a new activity signal in the operating system is a signal that performs a restricting operation on the application to be guarded.
If so, execute filtering step S13; if not, execute step S14 and let the new activity signal pass.
Filtering step S13: filter the new activity signal.
After the application to be guarded has been determined, the guard driver needs to capture new activity signals in the operating system in real time and judge whether each one is a signal that performs a restricting operation on the application to be guarded. Optionally, the user may capture the signals in the operating system by registering a callback function, which gives accurate interception of signals. The embodiment does not restrict the way new activity signals are captured; the user may capture them in other ways.
If it is determined that the new activity signal is a signal that performs a restricting operation on the application to be guarded, the guard driver filters the signal of that restricting operation, which is equivalent to intercepting the signal. The application to be guarded then never receives the signal and never enters the corresponding execution flow, so the guarding of the application is realized. Optionally, if the user captures the signals in the operating system by registering a callback function, the signal of the restricting operation can be filtered through the return value of the callback function. The embodiment does not restrict the way signals are filtered; the user may realize filtering in other ways.
In traditional process daemon schemes the daemon is easily attacked and terminated together with the process it guards, so the security level of such methods is low. Compared with the prior art, this embodiment applies the method to a guard driver: after determining the application to be guarded, the guard driver judges in real time whether a new activity signal in the operating system is a restricting operation directed at that application and, if so, filters it. Interception of restricting operations is thereby achieved at the driver layer, an intruder cannot effectively operate on the guarded application, and the application is protected, which alleviates the low security level of prior-art process daemon methods.
In an optional embodiment, the following step is further included after the judging step:
If so, record the restricting operation of the new activity signal and notify the application to be guarded.
Specifically, after determining that a new activity signal is a signal that performs a restricting operation on the application to be guarded, the guard driver also records the current operation and informs the application to be guarded of the specific operation, so that the application, knowing that a restricting signal has been directed at it, can take further countermeasures of its own.
In an optional embodiment, determining the application to be guarded comprises the following steps:
Step S21: establish a communication connection with the application to be guarded.
Specifically, the guard driver does not start like an ordinary program: a service must first be registered in the system, and starting that service is equivalent to starting the guard driver. Once the guard driver has started, the application to be guarded can access it through a hard-coded driver device descriptor, i.e. the guard driver and the application to be guarded establish a communication connection. The operating system provides the means of communication between the application to be guarded and the guard driver, usually communication functions such as I/O control (IOCTL).
Step S22: receive the process identifier of the application to be guarded.
Every process has a unique identifier in the form of a non-negative integer, the process identifier PID (process ID), and a PID is unique at any moment. To let the guard driver determine its guarded object, therefore, the application to be guarded only needs to send its own process identifier to the guard driver, and the guard driver can then start guarding the corresponding process.
In an optional embodiment, judging whether a new activity signal in the operating system is a signal that performs a restricting operation on the application to be guarded comprises the following steps:
Step S121: judge whether the operation type of the new activity signal is a restricting operation type.
Specifically, every signal has its own operation intent. When the guard driver obtains a new activity signal, it first judges whether the signal's operation type is a restricting operation type. The operation types of a new activity signal include, but are not limited to: terminate process, create process, suspend process, write file, rename file and delete file. Normally, when the guard driver guards a process, the restricting operation type is terminate process; the embodiment does not restrict which operation types of a new activity signal count as restricting, and the user may set them according to actual needs.
If so, execute step S122; if not, let the new activity signal pass.
Step S122: judge whether the process identifier of the operation object of the new activity signal matches the process identifier of the application to be guarded.
If the operation type of the new activity signal has been determined to be a restricting operation type, it is still necessary to judge whether the operation object of the signal is the application to be guarded. Specifically, in practice the process identifier of the operation object of the new activity signal is obtained first; as noted above, the process identifier uniquely identifies an application, so it suffices to compare it with the process identifier of the application to be guarded. If the two match, the object of the restricting operation is the application to be guarded.
The judging process above is illustrated as follows. Assume that the process identifier of the application to be guarded is "123" and the restricting operation type is terminate process. If the new activity signal is "TerminateProcess123", where "TerminateProcess" is a terminate-process signal and so belongs to the restricting operation type, and "123" is the process identifier of the operation object of that restricting operation signal, then since the process identifier "123" of the application to be guarded matches the process identifier "123" of the operation object, the operation object of the restricting operation signal is determined to be the application to be guarded and the new activity signal is filtered. Conversely, if the two process identifiers do not match, the new activity signal is not filtered.
In an optional embodiment, judging whether the operation type of the new activity signal is a restricting operation type comprises the following steps:
Step S31: obtain the flag bit of the new activity signal.
Specifically, to determine the operation type of a new activity signal, its flag bit must be obtained first. The flag bit may be user-defined and takes different values to indicate whether the activity signal is a process operation, a file operation or some other operation; for example, "0S01" indicates that the activity signal is a process operation and "0S02" indicates that it is a file operation.
Step S32: determine the operation type of the new activity signal from the enumeration type of the flag bit.
The enumeration type of the flag bit may also be user-defined, and the concrete operation type is determined from the enumeration type obtained. For example, if process operations include terminate, create and suspend, these three operations correspond to different enumeration values, say "01", "02" and "03" respectively; if the flag bit and enumeration type obtained are "0S01" and "01", the operation type of the new activity signal is determined to be terminate process.
Step S33: judge whether the operation type of the new activity signal matches the restricting operation type.
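The guard driver's decision logic from Embodiment one (steps S11/S22, S121, S122, S31 to S33 and the optional record step) modelled in user-mode C, as an added example that is not part of the patent. It uses the flag-bit and enumeration values from the patent's own illustration ("0S01"/"0S02", "01"/"02"/"03"), assumes enumeration values for the file operations, and uses hypothetical names (guard_state_t, guard_callback and so on). The real guard driver runs in the kernel and obtains signals through a registered callback whose return value decides the filtering; guard_callback stands in for that callback, and its return value plays the role of the filter-or-pass decision.

```c
/* Added example, not code from the patent: user-mode model of the guard
 * driver's decision logic. All names and the file-operation enumeration
 * values are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Operation types named in the patent (process and file operations). */
typedef enum {
    OP_UNKNOWN = 0,
    OP_PROCESS_EXIT, OP_PROCESS_CREATE, OP_PROCESS_SUSPEND,
    OP_FILE_WRITE, OP_FILE_RENAME, OP_FILE_DELETE
} op_type_t;

/* A new activity signal as the driver sees it: flag bit ("0S01" = process
 * operation, "0S02" = file operation), enumeration value within that flag
 * ("01"/"02"/"03"), and the PID of the operation object. */
typedef struct {
    char flag[8];
    char enum_val[8];
    unsigned int target_pid;
} activity_signal_t;

typedef enum { VERDICT_PASS = 0, VERDICT_FILTER = 1 } verdict_t;

/* Guard driver state: the guarded PID received from the application (S22),
 * the configured restricting operation type, and a record of what was
 * filtered (the optional record-and-notify step). */
typedef struct {
    bool have_pid;
    unsigned int guarded_pid;
    op_type_t restricted_op;
    unsigned int filtered_count;
    unsigned int last_filtered_pid;
} guard_state_t;

void guard_init(guard_state_t *g, op_type_t restricted_op)
{
    memset(g, 0, sizeof *g);
    g->restricted_op = restricted_op;
}

/* S22: the application sends its PID over the communication channel (an
 * IOCTL in the patent); only now does the driver have a guarded object. */
void guard_register_pid(guard_state_t *g, unsigned int pid)
{
    g->guarded_pid = pid;
    g->have_pid = true;
}

activity_signal_t make_signal(const char *flag, const char *enum_val, unsigned int pid)
{
    activity_signal_t s;
    memset(&s, 0, sizeof s);
    strncpy(s.flag, flag, sizeof s.flag - 1);
    strncpy(s.enum_val, enum_val, sizeof s.enum_val - 1);
    s.target_pid = pid;
    return s;
}

/* S31/S32: flag bit plus enumeration value -> concrete operation type.
 * Process values follow the patent; the file values are assumed here. */
op_type_t classify_signal(const activity_signal_t *s)
{
    if (strcmp(s->flag, "0S01") == 0) {
        if (strcmp(s->enum_val, "01") == 0) return OP_PROCESS_EXIT;
        if (strcmp(s->enum_val, "02") == 0) return OP_PROCESS_CREATE;
        if (strcmp(s->enum_val, "03") == 0) return OP_PROCESS_SUSPEND;
    } else if (strcmp(s->flag, "0S02") == 0) {
        if (strcmp(s->enum_val, "01") == 0) return OP_FILE_WRITE;
        if (strcmp(s->enum_val, "02") == 0) return OP_FILE_RENAME;
        if (strcmp(s->enum_val, "03") == 0) return OP_FILE_DELETE;
    }
    return OP_UNKNOWN;
}

/* S12 as the registered callback: S121/S33 (is it the restricting type?)
 * then S122 (is the object our guarded PID?). VERDICT_FILTER is step S13,
 * filtering through the callback's return value; everything else is let
 * pass (step S14), including signals the driver cannot classify. */
verdict_t guard_callback(guard_state_t *g, const activity_signal_t *s)
{
    if (!g->have_pid)                      /* S11 not done: nothing to guard */
        return VERDICT_PASS;
    op_type_t op = classify_signal(s);
    if (op == OP_UNKNOWN || op != g->restricted_op)
        return VERDICT_PASS;               /* S121 failed */
    if (s->target_pid != g->guarded_pid)
        return VERDICT_PASS;               /* S122 failed: another process */
    g->filtered_count++;                   /* optional record step */
    g->last_filtered_pid = s->target_pid;  /* what would be reported back */
    return VERDICT_FILTER;
}

/* The patent's worked case: guarded PID 123, restricting type = terminate
 * process, incoming "TerminateProcess123" (flag "0S01", enum "01", PID 123). */
int main(void)
{
    guard_state_t g;
    guard_init(&g, OP_PROCESS_EXIT);
    guard_register_pid(&g, 123);
    activity_signal_t hit  = make_signal("0S01", "01", 123);
    activity_signal_t miss = make_signal("0S01", "01", 456);
    printf("TerminateProcess123 -> %s\n", guard_callback(&g, &hit) == VERDICT_FILTER ? "filtered" : "passed");
    printf("TerminateProcess456 -> %s\n", guard_callback(&g, &miss) == VERDICT_FILTER ? "filtered" : "passed");
    printf("filtered so far: %u (last PID %u)\n", g.filtered_count, g.last_filtered_pid);
    return 0;
}
```

The callback lets pass anything it cannot classify and anything that arrives before a guarded PID has been registered. Both are the conservative choice for a kernel component: a filter that blocks unrecognised signals can disrupt the whole system, and a driver with no guarded object has nothing to protect yet.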
The embodiment of the invention thus provides a process daemon method based on a file system filter driver framework in which the application to be guarded is protected from the driver layer, so that restricting operations are not executed: even a malicious intruder with system privileges cannot effectively deliver a restricting operation signal, which ensures stable operation of the operating system.
Embodiment two
Fig. 2 is a flowchart of another process daemon method based on a file system filter driver framework according to an embodiment of the invention, applied to the application to be guarded. As shown in Fig. 2, the method comprises the following steps:
Step S41: establish a communication connection with the guard driver.
Specifically, for its process to be guarded by the guard driver, the application to be guarded must first actively connect to the guard driver. After the guard driver has started, the application to be guarded can access it through a hard-coded driver device descriptor, i.e. the guard driver and the application to be guarded establish a communication connection.
Step S42: send the process identifier of the application to be guarded to the guard driver, so that the guard driver judges whether a new activity signal in the operating system is a signal that performs a restricting operation on the application to be guarded and, if so, filters the new activity signal.
For the guard driver to confirm the specific object it guards, the application to be guarded must also actively send its own process identifier to the guard driver. Thereafter, while the system runs, whenever the guard driver detects a new activity signal in the operating system it judges whether that signal is a signal that performs a restricting operation on the application to be guarded; the judging process is described in detail in Embodiment one above and is not repeated here. If the new activity signal is determined to be such a signal, the guard driver filters it, preventing it from performing the restricting operation on the application to be guarded.
Embodiment three
An embodiment of the invention further provides a process daemon device based on a file system filter driver framework, applied to a guard driver. The device is mainly used to execute the process daemon method based on a file system filter driver framework provided in Embodiment one above, and is described specifically below.
Fig. 3 is a functional block diagram of a process daemon device based on a file system filter driver framework according to an embodiment of the invention. As shown in Fig. 3, the device mainly comprises a determining module 11, a judging module 12 and a filtering module 13, wherein:
the determining module 11 is for determining the application to be guarded;
the judging module 12 is for judging whether a new activity signal in the operating system is a signal that performs a restricting operation on the application to be guarded;
the filtering module 13 is for filtering the new activity signal if so.
In traditional process daemon schemes the daemon is easily attacked and terminated together with the process it guards, so the security level of such methods is low. Compared with the prior art, this device is applied to a guard driver: after determining the application to be guarded, the guard driver judges in real time whether a new activity signal in the operating system is a restricting operation directed at that application and, if so, filters it. Interception of restricting operations is thereby achieved at the driver layer, an intruder cannot effectively operate on the guarded application, and the application is protected, which alleviates the low security level of prior-art process daemon methods.
Optionally, the device further comprises:
a record-and-notify module, for recording the restricting operation of the new activity signal and notifying the application to be guarded, if so.
Optionally, the determining module comprises:
a communication unit, for establishing a communication connection with the application to be guarded;
a receiving unit, for receiving the process identifier of the application to be guarded.
Optionally, the judging module is further used to:
judge whether the operation type of the new activity signal is a restricting operation type;
if so, judge whether the process identifier of the operation object of the new activity signal matches the process identifier of the application to be guarded.
Optionally, the judging module is further used to:
obtain the flag bit of the new activity signal;
determine the operation type of the new activity signal from the enumeration type of the flag bit;
judge whether the operation type of the new activity signal matches the restricting operation type.
Embodiment IV
An embodiment of the present invention also provides a process-guarding device based on a file-system filter driver framework, applied to the application to be guarded. The device is mainly used to execute the process-guarding method based on a file-system filter driver framework provided in Embodiment II above. The device is described in detail below.
Fig. 4 is a functional block diagram of a process-guarding device based on a file-system filter driver framework according to an embodiment of the present invention. As shown in Fig. 4, the device mainly includes a communication module 21 and a sending module 22, in which:
the communication module 21 is used to establish a communication connection with the guard driver;
the sending module 22 is used to send the PID of the application to be guarded to the guard driver, so that the guard driver judges whether a newly added action signal in the operating system is a signal for a limiting operation on the application to be guarded and, if so, filters out the newly added action signal.
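As an added illustration (not code from the patent or its applicant), the following C model reproduces the driver-side judgment of claims 1, 4 and 5 in user mode rather than in a real filter driver: the guarded PID is set by the determining step, each action signal is first checked by its flag-bit action type and then by the PID of its operation object, and filtered signals are recorded for the notification module. The flag-bit enumeration, the set of limiting action types and the record buffer are assumptions, since the patent does not define them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical flag bits of an action signal; the patent only states that an
 * enumeration derived from the signal's flag bit identifies the action type. */
enum action_type {
    ACT_READ      = 0x1,   /* not a limiting operation */
    ACT_TERMINATE = 0x2,   /* limiting: would end the guarded process */
    ACT_SUSPEND   = 0x4,   /* limiting */
    ACT_WRITE_MEM = 0x8    /* limiting */
};
#define LIMIT_ACTIONS (ACT_TERMINATE | ACT_SUSPEND | ACT_WRITE_MEM)
#define MAX_RECORDS 16

struct action_signal {
    uint32_t flags;       /* flag bits carrying the action type */
    uint32_t target_pid;  /* PID of the operation object */
};

struct guard_state {
    bool     guarded_set;                      /* determining step done */
    uint32_t guarded_pid;                      /* PID received from the guarded app */
    struct action_signal records[MAX_RECORDS]; /* record-and-notify queue */
    size_t   record_count;
};

/* Determining step: the guarded application sent its PID over the comm connection. */
void guard_set_pid(struct guard_state *g, uint32_t pid) {
    g->guarded_pid = pid;
    g->guarded_set = true;
    g->record_count = 0;
}

/* Claim 5: map the flag bit to an action type and compare with the limiting types. */
bool is_limit_action(uint32_t flags) {
    return (flags & LIMIT_ACTIONS) != 0;
}

/* Claims 1 and 4: returns true when the signal must be filtered out. A filtered
 * signal is also appended to the record queue so the guarded app can be notified. */
bool guard_filter(struct guard_state *g, const struct action_signal *s) {
    if (!g->guarded_set) return false;                 /* nothing to guard yet */
    if (!is_limit_action(s->flags)) return false;      /* action-type check first */
    if (s->target_pid != g->guarded_pid) return false; /* then PID match */
    if (g->record_count < MAX_RECORDS)
        g->records[g->record_count++] = *s;
    return true;
}
```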
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a processor-executable non-volatile computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
In the description of the present invention, it should also be noted that, unless otherwise expressly specified and limited, the terms "set", "installed", "connected" and "coupled" are to be understood in a broad sense: for example, a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection, an indirect connection through an intermediary, or an internal connection between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the specific situation.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they may still modify the technical solutions described in the foregoing embodiments or make equivalent replacements for some or all of the technical features, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A process-guarding method based on a file-system filter driver framework, characterized in that it is applied to a guard driver and the method comprises:
a determining step of determining the application to be guarded;
a judging step of judging whether a newly added action signal in the operating system is a signal for a limiting operation on the application to be guarded;
a filtering step of filtering out the newly added action signal if so.
2. The process-guarding method according to claim 1, characterized in that, after the judging step, the method further comprises:
if so, recording the limiting operation of the newly added action signal and notifying the application to be guarded.
3. The process-guarding method according to claim 1, characterized in that determining the application to be guarded comprises:
establishing a communication connection with the application to be guarded;
receiving the process identifier (PID) of the application to be guarded.
4. The process-guarding method according to claim 3, characterized in that judging whether the newly added action signal in the operating system is a signal for a limiting operation on the application to be guarded comprises:
judging whether the action type of the newly added action signal is a limiting action type;
if so, judging whether the PID of the operation object of the newly added action signal matches the PID of the application to be guarded.
5. The process-guarding method according to claim 4, characterized in that judging whether the action type of the newly added action signal is a limiting action type comprises:
obtaining the flag bit of the newly added action signal;
determining the action type of the newly added action signal from the enumeration type of the flag bit;
judging whether the action type of the newly added action signal matches the limiting action type.
6. A process-guarding method based on a file-system filter driver framework, characterized in that it is applied to the application to be guarded and the method comprises:
establishing a communication connection with the guard driver;
sending the PID of the application to be guarded to the guard driver, so that the guard driver judges whether a newly added action signal in the operating system is a signal for a limiting operation on the application to be guarded and, if so, filters out the newly added action signal.
7. A process-guarding device based on a file-system filter driver framework, characterized in that it is applied to a guard driver and the device comprises:
a determining module for determining the application to be guarded;
a judging module for judging whether a newly added action signal in the operating system is a signal for a limiting operation on the application to be guarded;
a filtering module for filtering out the newly added action signal if so.
8. The process-guarding device according to claim 7, characterized in that the device further comprises:
a record-and-notify module for, if so, recording the limiting operation of the newly added action signal and notifying the application to be guarded.
9. The process-guarding device according to claim 7, characterized in that the determining module comprises:
a communication unit for establishing a communication connection with the application to be guarded;
a receiving unit for receiving the process identifier (PID) of the application to be guarded.
10. A process-guarding device based on a file-system filter driver framework, characterized in that it is applied to the application to be guarded and the device comprises:
a communication module for establishing a communication connection with the guard driver;
a sending module for sending the PID of the application to be guarded to the guard driver, so that the guard driver judges whether a newly added action signal in the operating system is a signal for a limiting operation on the application to be guarded and, if so, filters out the newly added action signal.
CN201910743675.8A 2019-08-13 2019-08-13 A kind of finger daemon method and apparatus based on filter Driver on FSD frame Pending CN110457871A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910743675.8A CN110457871A (en) 2019-08-13 2019-08-13 A kind of finger daemon method and apparatus based on filter Driver on FSD frame

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910743675.8A CN110457871A (en) 2019-08-13 2019-08-13 A kind of finger daemon method and apparatus based on filter Driver on FSD frame

Publications (1)

Publication Number Publication Date
CN110457871A true CN110457871A (en) 2019-11-15

Family

ID=68486139

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910743675.8A Pending CN110457871A (en) 2019-08-13 2019-08-13 A kind of finger daemon method and apparatus based on filter Driver on FSD frame

Country Status (1)

Country Link
CN (1) CN110457871A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932329A (en) * 2012-09-26 2013-02-13 北京奇虎科技有限公司 Method and device for intercepting behaviors of program, and client equipment
CN105590060A (en) * 2015-12-21 2016-05-18 北京金山安全软件有限公司 Target application program protection method and device
CN106650435A (en) * 2016-12-28 2017-05-10 郑州云海信息技术有限公司 Method and apparatus of protecting system
CN106708643A (en) * 2016-11-14 2017-05-24 武汉斗鱼网络科技有限公司 Abnormal information processing method and apparatus
WO2019119850A1 (en) * 2017-12-21 2019-06-27 中兴通讯股份有限公司 Application software deployment method and device, and virtual machine


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Li Junhua: "Research and implementation of a software runtime protection system", China Master's Theses Full-text Database *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20191115