CN110688653A - Client security protection method and device and terminal equipment - Google Patents

Client security protection method and device and terminal equipment

Info

Publication number
CN110688653A
Authority
CN
China
Prior art keywords
target
client
protection
target client
software
Prior art date
Legal status (assumption by Google Patents, not a legal conclusion)
Pending
Application number
CN201910936996.XA
Other languages
Chinese (zh)
Inventor
孙瑜
夏攀
杨成刚
王伟
何成成
王大海
Current Assignee (the listed assignee may be inaccurate; Google has not performed a legal analysis)
BEIJING HUATECH TRUSTED COMPUTING INFORMATION TECHNOLOGY Co Ltd
Original Assignee
BEIJING HUATECH TRUSTED COMPUTING INFORMATION TECHNOLOGY Co Ltd
Priority date (assumption, not a legal conclusion)
Filing date
Publication date
Events
Application filed by BEIJING HUATECH TRUSTED COMPUTING INFORMATION TECHNOLOGY Co Ltd
Priority to CN201910936996.XA
Publication of CN110688653A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention discloses a client security protection method and device, and a terminal device. The method comprises: after detecting that a target client has started its basic system services, acquiring a target file to be protected, where the target file is an installation file of trusted protection software installed on the target client, and the trusted protection software provides active security protection for the target client; determining first permission information for the target file; and protecting the target file and/or the process of the trusted protection software on the basis of the first permission information. The invention addresses the problem that the security software used by clients in the related art can only perform passive defence and cannot guarantee the security of locally stored files.

Description

Client security protection method and device and terminal equipment
Technical Field
The invention relates to the technical field of client information processing, in particular to a client security protection method and device and terminal equipment.
Background
In the related art, as information technology develops, a large number of files are stored on clients. To keep these files safe, passive defence is usually performed with externally installed anti-virus software: the anti-virus software tries to recognise a virus when an attack occurs, and if recognition fails the client is disabled and can no longer operate normally. Passive defence with anti-virus software therefore cannot effectively guarantee the security of the files stored on the client.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiments of the invention provide a client security protection method and device, and a terminal device, so as to at least solve the problem that the security software used by clients in the related art can only perform passive defence and cannot guarantee the security of locally stored files.
According to one aspect of the embodiments, a client security protection method is provided, applied on a target client, comprising: after detecting that the target client has started its basic system services, acquiring a target file to be protected, where the target file is an installation file of trusted protection software installed on the target client and the trusted protection software provides active security protection for the target client; determining first permission information for the target file; and protecting the target file and/or the process of the trusted protection software on the basis of the first permission information.
Optionally, the method further comprises: after the trusted protection software starts, acquiring a key resource file on the target client; acquiring second permission information for the key resource file; and protecting the key resource file on the basis of the second permission information.
Optionally, the method further comprises: when the target client detects a registry access, intercepting it; comparing the registry path of the access with the registry access policy; if the policy does not specify that path, allowing the access to proceed; and if the policy does specify that path, prohibiting the access.
Optionally, the method further comprises: after the trusted protection software starts, traversing the disks of the target client to obtain all disk files; identifying, among them, the executable files and supporting scripts of the client's current operating environment; storing the hash values of those executable files and supporting scripts in a system whitelist; and performing active security protection of the target client on the basis of the system whitelist.
Optionally, the method further comprises: after the trusted protection software starts, receiving a software installation policy from a management centre remotely connected to the target client; installing the software package delivered by the management centre according to that policy and collecting the whitelist entries generated during installation; and sending the collected whitelist to the management centre, which stores the whitelist together with the software installation policy.
Optionally, the method further comprises: the target client sends heartbeat data to the remotely connected management centre at a preset interval, the heartbeat data carrying status information about the target client; the target client receives a notification returned by the management centre on receipt of the heartbeat, instructing it to fetch a target policy from the management centre; the target client fetches and parses the target policy and configures it into the kernel; and the target client sends a confirmation to the management centre indicating that the target policy is in effect.
Optionally, the method further comprises: encrypting the communication between the target client and the management centre, the encryption algorithms used including at least the Chinese national SM cryptographic algorithms (国密).
According to another aspect of the embodiments, a client security protection device is also provided, comprising an acquisition unit, a determination unit and a protection unit. The acquisition unit acquires a target file to be protected after detecting that a target client has started its basic system services, where the target file is an installation file of trusted protection software installed on the target client and the trusted protection software provides active security protection for the target client; the determination unit determines first permission information for the target file; and the protection unit protects the target file and/or the process of the trusted protection software on the basis of the first permission information.
Optionally, the device further comprises: a first determination module that acquires a key resource file on the target client after the trusted protection software starts; a first acquisition module that acquires second permission information for the key resource file; and a first protection module that protects the key resource file on the basis of the second permission information.
Optionally, the device further comprises: an interception module that intercepts a registry access when the target client detects one; a comparison module that compares the registry path of the access with the registry access policy; a permission module that allows the access to proceed when the policy does not specify that path; and a prohibition module that prohibits the access when the policy does specify that path.
Optionally, the device further comprises: a first traversal module that traverses the disks of the target client after the trusted protection software starts to obtain all disk files; a first identification module that identifies, among them, the executable files and supporting scripts of the client's current operating environment; a first storage module that stores the hash values of those executable files and supporting scripts in a system whitelist; and a second protection module that performs active security protection of the target client on the basis of the system whitelist.
Optionally, the device further comprises: a first receiving module that receives a software installation policy from a management centre remotely connected to the target client after the trusted protection software starts; a first collection module that installs the software package delivered by the management centre according to that policy and collects the whitelist entries generated during installation; and a first sending module that sends the collected whitelist to the management centre, which stores the whitelist together with the software installation policy.
Optionally, the device further comprises: a second sending module through which the target client sends heartbeat data to the remotely connected management centre at a preset interval, the heartbeat carrying status information about the target client; a second receiving module through which the target client receives the notification returned by the management centre on receipt of the heartbeat, instructing it to fetch a target policy; a configuration module through which the target client fetches and parses the target policy and configures it into the kernel; and a third sending module through which the target client sends a confirmation informing the management centre that the target policy is in effect.
Optionally, the device further comprises: an encryption module that encrypts the communication between the target client and the management centre, the encryption algorithms used including at least the Chinese national SM cryptographic algorithms (国密).
According to another aspect of the embodiments, a terminal device is also provided, comprising a memory and a processor coupled to the memory, the memory and the processor communicating over a bus. The memory stores a program which, when executed by the processor, causes the device containing the memory to carry out the client security protection method above; the processor executes that program.
According to another aspect of the embodiments, a processor is also provided, configured to execute a program which, when run, carries out the client security protection method of any of the above.
In the embodiments, after detecting that a target client has started its basic system services, a target file to be protected is acquired, the target file being an installation file of trusted protection software installed on the target client and the trusted protection software providing active security protection for the target client; first permission information for the target file is determined; and the target file and/or the process of the trusted protection software is then protected on the basis of that first permission information. In this way the trusted protection software provides comprehensive and stable protection of the client: files that need to be kept are actively protected, the software's own process is self-protected, illegal tampering or deletion is prevented, file security is improved, the user can learn the security state of the client in real time, and satisfaction with the trusted protection software is increased. This solves the problem that the security software used by clients in the related art can only perform passive defence and cannot guarantee the security of locally stored files.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow chart of an optional client security protection method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of an optional client security protection device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The executing entity of the client security protection method and device in each embodiment is the target client. The target client can be understood as a terminal or trusted computing platform in everyday use by a user. For active security defence, a trusted security management platform (running on a server) processes data from each target client or trusted computing platform and issues active defence tasks. The system run by the target client comprises two parallel subsystems: a computing subsystem that carries out computing tasks, and a protection subsystem that uses the trusted protection software to actively measure the computing subsystem according to a trusted policy. The target client also collects application access behaviour data and reports it to the target server, so that the trusted policy and the trusted protection software can be updated in real time and protection improved.
The target clients may include, but are not limited to: tablets, mobile terminals, PCs, iPads, and the like.
In accordance with an embodiment of the present invention, there is provided a client security method embodiment, it should be noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
The embodiments can be applied on a target client to protect the software process of the trusted protection software itself, and to actively protect files on the client that need protection, preventing illegal modification or deletion and the like.
Fig. 1 is a flowchart of an optional client security protection method according to an embodiment of the present invention, and as shown in fig. 1, the method includes the following steps:
Step S102: after detecting that the target client has started its basic system services, acquire a target file to be protected, where the target file is an installation file of trusted protection software installed on the target client and the trusted protection software provides active security protection for the target client.
The trusted protection software may be downloaded and installed by the target client. After the target client boots, its control system starts the basic system services, i.e. the basic software the client runs, such as starting Windows and starting the trusted protection software. The target file to be protected may be any file the client's control system designates as needing protection (for example a Word document or a software installation package).
When the trusted protection software is installed on the target client, the procedure may be: the target client copies the installer or installation package into the target file directory, via the management centre or an external medium such as a USB flash drive; installs the common runtime library set required by the system; runs the installer or decompresses the package; the installer automatically scans for the whitelist and reports the installation information to the management centre; and the target client registers with the management centre and reports that installation is complete. Optionally, the installation package may be in EXE format.
Step S104, determining first authority information corresponding to the target file.
The first permission information indicates whether operations such as modification and deletion may be performed on the target file or on the software process of the trusted protection software. If the permissions of the trusted protection software's process and of the target file are configured as read-only, then when a modification request arrives the target file or process is protected and the modification is refused. As a result an external command cannot kill the software process at will, nor modify or delete the target file.
Step S106: protect the target file and/or the process of the trusted protection software on the basis of the first permission information.
Through the above steps, after detecting that the target client has started its basic system services, the target file to be protected is acquired (the installation file of the trusted protection software installed on the target client, which provides active security protection for that client), first permission information for the target file is determined, and the target file and/or the process of the trusted protection software is then protected on the basis of that information. The trusted protection software thus provides comprehensive and stable protection: files that need to be kept are actively protected, the software's own process is self-protected, illegal tampering or deletion is prevented, file security is improved, the user can learn the security state of the client in real time, and satisfaction with the trusted protection software is increased. This solves the problem that the security software used by clients in the related art can only perform passive defence and cannot guarantee the security of locally stored files.
As an optional embodiment, when protecting a client, protection may be applied in ways other than by permission information alone. Optionally, the method further comprises: after the trusted protection software starts, acquiring a key resource file on the target client; acquiring second permission information for the key resource file; configuring the permissions of the key resource file according to that resource permission; and protecting the key resource file on the basis of the second permission information.
In an alternative embodiment the key resource file includes at least one of: the system registry and system core files. Key resource files may be entered by the system administrator as the files to be protected (absolute paths may be given).
The second permission information protects the key resource file against tampering and deletion; for example the key resource file is given read permission only, with no write permission and no modify or delete permission. This protection of the key resource file remains in force after the client's control system is restarted.
Optionally, when performing security protection, after the trusted protection software starts, the disks of the target client are traversed to obtain all disk files; the executable files and supporting scripts of the client's current operating environment are identified among them; the hash values of those executable files and supporting scripts are stored in a system whitelist; and active security protection of the target client is performed on the basis of the system whitelist.
This protection function can be understood as whitelist collection. A whitelist entry is a digest value computed from an application or piece of software with a specific algorithm; that digest is the whitelist value of the software or program, "whitelist" for short. All executable files and supporting scripts in the current operating environment of the client's control system or operating system are collected into the system whitelist. The file formats collected are, for Windows: files identified by a PE header (every file carrying a PE header is supported), i.e. EXE, DLL, OCX, SYS and COM, plus scripts (.msi, .msu, .bat, .cmd) and other formats. Once the trusted protection software is installed and running, whitelist collection can begin; the user is told on the client interface that the whitelist is being scanned; the hash value of each whole executable file is computed with a cryptographic hash algorithm and stored as the reference value in the system whitelist or written into a preset whitelist database; the management centre is then informed that whitelist collection is complete. Active protection of the target client then relies on the system whitelist: at protection time the hash of a file is computed first and checked against the reference value in the database, and the file is only treated as verified when the two match.
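As an added example (not code from the patent or from the assignee), the following Python script implements the whitelist collection described above: it walks a directory tree, treats a file as an executable when it carries a DOS "MZ" header whose e_lfanew field points at a "PE\0\0" signature (so a renamed executable is still collected and a file merely named .exe is not), treats .msi/.msu/.bat/.cmd files as supporting scripts, records a reference hash for each, and at protection time recomputes the hash and compares. Assumptions: SHA-256 stands in for the hash algorithm the text leaves unnamed; the sample files are constructed in a temporary directory (the minimal "PE" files are not runnable programs); and the whitelist is held in a dict rather than a database.

```python
import hashlib
import os
import shutil
import struct
import tempfile
from pathlib import Path

# Extensions the description lists as "supporting scripts" on Windows.
SCRIPT_EXTENSIONS = {".msi", ".msu", ".bat", ".cmd"}


def is_pe_file(path: Path) -> bool:
    """True if the file has a DOS 'MZ' header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature. The extension is ignored on purpose so
    a renamed EXE/DLL/SYS is still collected."""
    try:
        with path.open("rb") as fh:
            dos_header = fh.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def is_supporting_script(path: Path) -> bool:
    return path.suffix.lower() in SCRIPT_EXTENSIONS


def sha256_of(path: Path) -> str:
    """ASSUMPTION: SHA-256 stands in for the hash algorithm the text leaves unnamed."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_whitelist(root: Path) -> dict:
    """Traverse `root` and record {absolute path: reference hash} for every
    PE executable and supporting script: the 'system white list'."""
    whitelist = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if is_pe_file(p) or is_supporting_script(p):
                whitelist[str(p.resolve())] = sha256_of(p)
    return whitelist


def check_against_whitelist(path: Path, whitelist: dict) -> str:
    """Protection-time decision: recompute the hash and compare with the
    reference. 'allow' on match, 'modified' on mismatch, 'unknown' if the
    file was never collected."""
    key = str(path.resolve())
    if key not in whitelist:
        return "unknown"
    return "allow" if sha256_of(path) == whitelist[key] else "modified"


def make_minimal_pe(path: Path) -> None:
    """Constructed, non-runnable file with a valid MZ header and PE signature."""
    e_lfanew = 0x80
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    path.write_bytes(bytes(dos) + b"\x00" * (e_lfanew - 64) + b"PE\x00\x00" + b"\x00" * 20)


def demo() -> dict:
    """Build a constructed tree, collect the whitelist, tamper with one
    collected file and re-check every file."""
    root = Path(tempfile.mkdtemp(prefix="whitelist_"))
    try:
        make_minimal_pe(root / "agent.exe")
        make_minimal_pe(root / "renamed.dat")          # PE content behind a harmless-looking name
        (root / "setup.bat").write_text("@echo off\r\nstart agent.exe\r\n")
        (root / "notes.txt").write_text("not executable\n")
        (root / "fake.exe").write_bytes(b"this is not a PE file")   # extension lies, header does not

        whitelist = collect_whitelist(root)
        before = {p.name: check_against_whitelist(p, whitelist) for p in root.iterdir()}
        with (root / "setup.bat").open("a") as fh:      # simulate tampering with a collected file
            fh.write("start evil.exe\r\n")
        after = {p.name: check_against_whitelist(p, whitelist) for p in root.iterdir()}
        return {"collected": sorted(Path(k).name for k in whitelist),
                "before": before, "after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The header check rather than the extension is what makes the list worth anything: an attacker who renames a payload to .dat still gets collected and hashed, while a text file named .exe is not whitelisted. Whether an "unknown" file is blocked or merely logged is a policy decision the patent leaves to the management centre.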
As an optional embodiment, registry protection may also be performed when protecting the target client, comprising: intercepting a registry access when the target client detects one; comparing the registry path of the access with the registry access policy; if the policy does not specify that path, allowing the access to proceed; and if the policy does specify that path, prohibiting the access.
That is, the registry access control function makes an allow/deny decision according to the registry access policy. When the driver loads it initialises the access policy table, registers its own communication interface, and finally registers a registry operation hook with the system. Registry accesses are intercepted through this hook, the access information is passed to the registry input/output module, the access policy table is queried, and the access is either released or blocked (i.e. prohibited from executing) according to the result of the policy lookup.
Registry protection means that permissions are checked before a registry access takes place: every software process and user on the control system has read permission only on protected registry resources and cannot modify or delete them. The registry protection policy remains in force after the control system is restarted.
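The file and process protection by permission information (steps S104 and S106, and the key resource files above) and the registry access policy just described are both path-based access decisions, so one added example covers both. This Python code is not the patent's or the assignee's: it assumes a JSON policy format; the paths, process names and the "trusted_subjects" exemption (letting the agent's own service update its files) are invented for illustration; and the in-kernel hook that would actually intercept an operation is represented only by calling decide() on a constructed request.

```python
import json
import ntpath
from dataclasses import dataclass, field

# Read-type operations are always permitted on protected resources; the
# policy only blocks operations that would modify, delete or kill.
READ_OPS = {"read", "query_value", "enum_key"}
MODIFY_OPS = {"write", "delete", "rename", "set_value", "delete_key", "create_key", "terminate"}

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}


def norm_file(path: str) -> str:
    """Canonical Windows file path: backslashes, no '..' segments, lower case."""
    return ntpath.normcase(ntpath.normpath(path))


def norm_registry(path: str) -> str:
    """Canonical registry path: full hive name, single backslashes, upper case."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if parts:
        parts[0] = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    return "\\".join(parts).upper()


def is_under(path: str, prefix: str) -> bool:
    """True if `path` is `prefix` or lies beneath it, compared component-wise
    so that C:\\Agent does not cover C:\\AgentOld."""
    return path == prefix or path.startswith(prefix.rstrip("\\") + "\\")


@dataclass
class AccessPolicy:
    protected_files: set = field(default_factory=set)      # first/second permission info: files and directories
    protected_registry: set = field(default_factory=set)   # registry paths the registry access policy names
    protected_processes: set = field(default_factory=set)  # image names of the agent's own processes
    trusted_subjects: set = field(default_factory=set)     # ASSUMPTION: the agent's service may update its own files

    @classmethod
    def from_json(cls, text: str) -> "AccessPolicy":
        """Load the policy table, as the driver would when it is loaded."""
        d = json.loads(text)
        return cls(
            protected_files={norm_file(p) for p in d.get("files", [])},
            protected_registry={norm_registry(p) for p in d.get("registry", [])},
            protected_processes={p.lower() for p in d.get("processes", [])},
            trusted_subjects={p.lower() for p in d.get("trusted_subjects", [])},
        )

    def decide(self, subject: str, kind: str, target: str, op: str) -> str:
        """'allow' or 'deny' for process `subject` performing `op` on `target`.
        `kind` is 'file', 'registry' or 'process'."""
        if op in READ_OPS:
            return "allow"
        if op not in MODIFY_OPS:
            raise ValueError(f"unknown operation {op!r}")
        if subject.lower() in self.trusted_subjects:
            return "allow"
        if kind == "file":
            protected = any(is_under(norm_file(target), p) for p in self.protected_files)
        elif kind == "registry":
            protected = any(is_under(norm_registry(target), p) for p in self.protected_registry)
        elif kind == "process":
            protected = target.lower() in self.protected_processes
        else:
            raise ValueError(f"unknown resource kind {kind!r}")
        return "deny" if protected else "allow"


# Constructed policy; every path and name here is illustrative.
POLICY_JSON = r"""{
  "files": ["C:\\Program Files\\TrustedAgent\\", "C:\\Windows\\System32\\drivers\\etc\\hosts"],
  "registry": ["HKLM\\SOFTWARE\\TrustedAgent", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TrustedAgent"],
  "processes": ["trustedagent.exe", "trustedagentsvc.exe"],
  "trusted_subjects": ["trustedagentsvc.exe"]
}"""


def demo() -> list:
    """Run a set of constructed access requests through the policy."""
    policy = AccessPolicy.from_json(POLICY_JSON)
    requests = [  # (subject, kind, target, operation)
        ("explorer.exe", "file", "C:/Program Files/TrustedAgent/agent.exe", "read"),
        ("malware.exe", "file", "C:\\PROGRAM FILES\\trustedagent\\agent.exe", "delete"),
        ("malware.exe", "file", "C:\\Program Files\\TrustedAgentOld\\agent.exe", "delete"),
        ("trustedagentsvc.exe", "file", "C:\\Program Files\\TrustedAgent\\agent.exe", "write"),
        ("regedit.exe", "registry", "HKEY_LOCAL_MACHINE\\Software\\TrustedAgent\\Policy", "set_value"),
        ("regedit.exe", "registry", "HKLM\\SOFTWARE\\TrustedAgent", "query_value"),
        ("regedit.exe", "registry", "HKCU\\Software\\Notepad", "set_value"),
        ("taskkill.exe", "process", "TrustedAgent.exe", "terminate"),
        ("taskkill.exe", "process", "notepad.exe", "terminate"),
    ]
    return [(s, t, op, policy.decide(s, k, t, op)) for s, k, t, op in requests]


if __name__ == "__main__":
    for subject, target, op, verdict in demo():
        print(f"{verdict:5}  {subject} {op} {target}")
```

Two details matter in practice. Paths must be canonicalised before the prefix match (case, separators, hive aliases), otherwise "HKLM\Software\..." and "HKEY_LOCAL_MACHINE\SOFTWARE\..." are treated as different keys and the policy is trivially bypassed. And the match must be component-wise: a plain string prefix would let "C:\Program Files\TrustedAgent" cover "C:\Program Files\TrustedAgentOld", which is the wrong way round from a self-protection point of view.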
As an optional embodiment, after the trusted protection software starts, the target client may receive a software installation policy from the remotely connected management centre; install the software package delivered by the management centre according to that policy and collect the whitelist entries generated during installation; and send the collected whitelist to the management centre, which stores the whitelist together with the software installation policy.
Optionally, heartbeat data may also be uploaded when protecting the target client: the target client sends heartbeat data to the remotely connected management centre at a preset interval, the heartbeat carrying status information about the target client; the target client receives a notification that the management centre returns on receipt of the heartbeat, instructing it to fetch a target policy; the target client fetches and parses the target policy from the management centre and configures it into the kernel; and the target client sends a confirmation informing the management centre that the target policy is in effect.
The preset interval can be chosen freely, for example 10 seconds, so that the client sends heartbeat data to the management centre every 10 seconds. The heartbeat data includes, but is not limited to: the client's CPU running state, memory usage ratio, disk information and process list.
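The heartbeat and policy-distribution exchange of the two paragraphs above, played out between both sides in one process, as an added Python example that is not the patent's or the assignee's code. Assumptions: policies carry an integer version so the centre can tell when a client is behind; the message field names, and the 10-second interval driven by an injected clock instead of sleeping, are illustrative; the kernel is a stub that only stores the policy table; and the SM encryption of the channel that the patent specifies is not implemented here, messages are merely serialised as JSON.

```python
import json
import time

HEARTBEAT_INTERVAL = 10.0   # seconds; the description gives 10 s as the example interval


def collect_status() -> dict:
    """Status carried in the heartbeat. Constructed sample values; a real
    agent reads them from the operating system."""
    return {"cpu_state": "running", "memory_ratio": 0.42,
            "disks": [{"mount": "C:", "free_gb": 120}],
            "processes": ["system", "trustedagentsvc.exe", "explorer.exe"]}


class ManagementCenter:
    """Server side: keeps the current policy per client and, on each
    heartbeat, tells the client whether a newer policy must be fetched."""

    def __init__(self):
        self.policies = {}    # client_id -> (version, policy)
        self.confirmed = {}   # client_id -> version the client confirmed effective
        self.last_seen = {}   # client_id -> (timestamp, status)

    def publish_policy(self, client_id, version, policy):
        self.policies[client_id] = (version, policy)

    def on_heartbeat(self, msg):
        self.last_seen[msg["client_id"]] = (msg["ts"], msg["status"])
        version, _ = self.policies.get(msg["client_id"], (0, None))
        if version > msg["policy_version"]:          # ASSUMPTION: policies carry a version number
            return {"type": "notify", "action": "fetch_policy", "version": version}
        return {"type": "ack"}

    def on_fetch_policy(self, client_id):
        version, policy = self.policies[client_id]
        return {"type": "policy", "version": version, "policy": policy}

    def on_confirm(self, msg):
        self.confirmed[msg["client_id"]] = msg["version"]
        return {"type": "ack"}


class KernelStub:
    """Stand-in for the kernel-side policy table the driver configures."""

    def __init__(self):
        self.table = {}

    def configure(self, policy):
        self.table = dict(policy)


class TargetClient:
    def __init__(self, client_id, center, kernel, clock=time.monotonic):
        self.client_id, self.center, self.kernel, self.clock = client_id, center, kernel, clock
        self.policy_version = 0
        self.next_heartbeat = 0.0
        self.log = []

    def _send(self, handler, msg):
        # Serialise and parse so only JSON-representable data crosses the "wire".
        return handler(json.loads(json.dumps(msg)))

    def tick(self):
        """Called from the agent's main loop; sends a heartbeat once the interval has elapsed."""
        if self.clock() < self.next_heartbeat:
            return
        msg = {"type": "heartbeat", "client_id": self.client_id, "ts": self.clock(),
               "policy_version": self.policy_version, "status": collect_status()}
        reply = self._send(self.center.on_heartbeat, msg)
        self.log.append(("heartbeat", reply["type"]))
        if reply["type"] == "notify" and reply["action"] == "fetch_policy":
            self.apply_policy(reply["version"])
        self.next_heartbeat = self.clock() + HEARTBEAT_INTERVAL

    def apply_policy(self, expected_version):
        resp = self.center.on_fetch_policy(self.client_id)
        if resp["version"] != expected_version:      # stale or racing policy: do not apply silently
            self.log.append(("policy_mismatch", resp["version"]))
            return
        self.kernel.configure(resp["policy"])         # "parse and configure to the kernel"
        self.policy_version = resp["version"]
        self._send(self.center.on_confirm,
                   {"type": "confirm", "client_id": self.client_id, "version": self.policy_version})
        self.log.append(("policy_applied", self.policy_version))


def demo() -> dict:
    """Drive one client against the centre with a fake clock instead of sleeping."""
    now = [0.0]
    center, kernel = ManagementCenter(), KernelStub()
    client = TargetClient("host-001", center, kernel, clock=lambda: now[0])
    client.tick()                                   # t=0: first heartbeat, no policy published -> ack
    now[0] = 5.0
    client.tick()                                   # interval not elapsed: nothing sent
    center.publish_policy("host-001", 2, {"registry_deny": ["HKLM\\SOFTWARE\\TrustedAgent"]})
    now[0] = 10.0
    client.tick()                                   # heartbeat -> notify -> fetch -> configure -> confirm
    now[0] = 20.0
    client.tick()                                   # versions equal again -> ack
    return {"log": client.log, "kernel": kernel.table, "confirmed": center.confirmed}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The confirmation step is what gives the centre an accurate picture of which clients are actually enforcing which policy; without it a client that failed to parse or load the policy would look identical to one that applied it. In a deployment the JSON on the wire would additionally be wrapped in the SM-based encryption the patent calls for, which this example deliberately omits.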
Optionally, the method further comprises: encrypting the communication between the target client and the management centre, the encryption algorithms used including at least the Chinese national SM cryptographic algorithms (国密).
As an optional embodiment, audit information may also be processed when protecting the target client: acquiring all audit information generated in the database over a recent period; removing duplicate content from the audit information; filtering the audit information; reporting the filtered audit information to the management centre; recording the position and count of the audit information processed so far, to avoid reprocessing; and reporting an audit-processing log.
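The audit-processing loop above (fetch recent records, deduplicate, filter, report, record the position, log), as an added Python example that is not the patent's or the assignee's code. Assumptions: an in-memory SQLite table with constructed rows stands in for the client's audit database; the row id serves as the processing position; two records count as duplicates when everything but id and timestamp matches; and "heartbeat_sent" is an invented noise event type that the filter drops.

```python
import hashlib
import json
import sqlite3

COLUMNS = ("id", "ts", "event", "subject", "target", "result")
NOISE_EVENTS = {"heartbeat_sent"}   # ASSUMPTION: event types the filter drops as routine noise


def open_sample_db() -> sqlite3.Connection:
    """Constructed in-memory audit table standing in for the agent's local database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit (id INTEGER PRIMARY KEY, ts INTEGER, event TEXT,"
                 " subject TEXT, target TEXT, result TEXT)")
    conn.executemany("INSERT INTO audit (ts, event, subject, target, result) VALUES (?,?,?,?,?)", [
        (100, "registry_access", "regedit.exe", r"HKLM\SOFTWARE\TrustedAgent", "deny"),
        (101, "registry_access", "regedit.exe", r"HKLM\SOFTWARE\TrustedAgent", "deny"),  # same content again
        (102, "file_access", "malware.exe", r"C:\Program Files\TrustedAgent\agent.exe", "deny"),
        (103, "heartbeat_sent", "trustedagentsvc.exe", "management-center", "ok"),
        (104, "process_terminate", "taskkill.exe", "trustedagent.exe", "deny"),
    ])
    conn.commit()
    return conn


class AuditProcessor:
    """Fetch new audit rows, drop duplicates and noise, report the rest,
    remember where processing stopped, and keep a processing log."""

    def __init__(self, conn, reporter):
        self.conn = conn
        self.reporter = reporter       # callable that delivers a batch to the management centre
        self.last_id = 0               # position: highest row id already processed
        self.processed = 0             # count of rows processed so far
        self.seen = set()              # content digests already reported
        self.logs = []

    @staticmethod
    def content_digest(row) -> str:
        # Rows are duplicates when event/subject/target/result match, whatever their id or timestamp.
        return hashlib.sha256(json.dumps(row[2:]).encode()).hexdigest()

    def run(self) -> dict:
        rows = self.conn.execute(
            "SELECT id, ts, event, subject, target, result FROM audit WHERE id > ? ORDER BY id",
            (self.last_id,)).fetchall()
        deduped = []
        for row in rows:
            d = self.content_digest(row)
            if d not in self.seen:
                self.seen.add(d)
                deduped.append(row)
        kept = [r for r in deduped if r[2] not in NOISE_EVENTS]
        if kept:
            self.reporter([dict(zip(COLUMNS, r)) for r in kept])
        if rows:
            self.last_id = rows[-1][0]
        self.processed += len(rows)
        entry = {"fetched": len(rows), "duplicates": len(rows) - len(deduped),
                 "filtered": len(deduped) - len(kept), "reported": len(kept),
                 "last_id": self.last_id, "processed_total": self.processed}
        self.logs.append(entry)        # the audit-processing log that is itself reported
        return entry


def demo() -> dict:
    conn = open_sample_db()
    batches = []
    proc = AuditProcessor(conn, batches.append)
    first = proc.run()
    # New rows arrive: one repeats earlier content, one is genuinely new.
    conn.executemany("INSERT INTO audit (ts, event, subject, target, result) VALUES (?,?,?,?,?)", [
        (105, "file_access", "malware.exe", r"C:\Program Files\TrustedAgent\agent.exe", "deny"),
        (106, "registry_access", "installer.exe", r"HKLM\SOFTWARE\Other", "allow"),
    ])
    conn.commit()
    second = proc.run()
    third = proc.run()                 # nothing new: no batch is sent
    return {"runs": [first, second, third], "batch_sizes": [len(b) for b in batches]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Deduplicating on content rather than on row id is what stops a repeated denial (the same process retrying the same blocked access) from flooding the management centre, while the recorded last_id guarantees that a row is never fetched twice even if the centre is slow to acknowledge. In a real agent the seen-digest set would be bounded (for example by time window) so it does not grow without limit.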
By the embodiment, the active safety protection can be performed on each target client by using the trusted protection software, and the method comprises the steps of realizing software self-protection, file active safety protection, data encryption, audit information processing, heartbeat data reporting, key resource protection and white list acquisition.
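The audit-information processing steps above (fetch recent records, de-duplicate, filter, report, record the cursor so nothing is processed twice, emit a processing log), carried out as an added example that is not code from the patent. The audit rows, the in-memory "database", the content key used for de-duplication and the filter rule (drop routine successful reads, keep everything else) are constructed for this example.

```python
# Constructed sample audit rows, as a database query ordered by id would return them.
AUDIT_DB = [
    {"id": 1, "ts": "10:00:01", "user": "svc", "op": "READ", "obj": "C:\\data\\a.txt", "result": "ok"},
    {"id": 2, "ts": "10:00:02", "user": "svc", "op": "READ", "obj": "C:\\data\\a.txt", "result": "ok"},
    {"id": 3, "ts": "10:00:03", "user": "bob", "op": "WRITE",
     "obj": "C:\\Program Files\\Trust\\trustd.exe", "result": "denied"},
    {"id": 4, "ts": "10:00:04", "user": "bob", "op": "READ",
     "obj": "C:\\Windows\\System32\\drivers\\etc\\hosts", "result": "ok"},
    {"id": 5, "ts": "10:00:05", "user": "bob", "op": "WRITE",
     "obj": "C:\\Program Files\\Trust\\trustd.exe", "result": "denied"},
]


class AuditProcessor:
    """One processing pass = fetch after cursor, dedupe, filter, report, advance cursor, log."""

    def __init__(self, db, reporter, state=None):
        self.db = db
        self.reporter = reporter  # callable taking the list of records to report
        # Position (last processed id) and quantity processed so far; persisted between passes.
        self.state = state if state is not None else {"last_id": 0, "processed": 0}
        self.log = []

    def fetch_recent(self):
        return [r for r in self.db if r["id"] > self.state["last_id"]]

    @staticmethod
    def content_key(r):
        # Two rows with the same actor, operation, object and outcome are "repeated content".
        return (r["user"], r["op"], r["obj"], r["result"])

    def dedupe(self, rows):
        seen, out = set(), []
        for r in rows:
            k = self.content_key(r)
            if k not in seen:
                seen.add(k)
                out.append(r)
        return out

    @staticmethod
    def keep(r):
        # Filter: routine successful reads are noise; denied operations and writes are reported.
        return r["result"] != "ok" or r["op"] != "READ"

    def run_once(self):
        rows = self.fetch_recent()
        unique = self.dedupe(rows)
        filtered = [r for r in unique if self.keep(r)]
        if filtered:
            self.reporter(filtered)
        if rows:
            self.state["last_id"] = rows[-1]["id"]
            self.state["processed"] += len(rows)
        entry = {"fetched": len(rows), "unique": len(unique), "reported": len(filtered),
                 "cursor": self.state["last_id"], "total_processed": self.state["processed"]}
        self.log.append(entry)  # the processing log that is reported alongside the records
        return entry

    def processing_log(self):
        return list(self.log)


def demo():
    """Two passes over the constructed data: the second finds nothing new because of the cursor."""
    reported = []
    proc = AuditProcessor(AUDIT_DB, reported.extend)
    first = proc.run_once()
    second = proc.run_once()
    return first, second, reported, proc.processing_log()


if __name__ == "__main__":
    print(demo())
```

The cursor is advanced to the id of the last row fetched, not the last row reported, so rows dropped by the filter are never re-read either; the log records both counts, which is what lets the management center tell "nothing happened" apart from "nothing was collected".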
FIG. 2 is a schematic diagram of an optional client security protection device according to an embodiment of the present invention. As shown in FIG. 2, the security protection device may include an acquiring unit 21, a determining unit 23 and a protection unit 25, wherein:
the acquiring unit 21 is configured to acquire a target file to be protected after detecting that a target client starts a system basic service, where the target file is an installation file corresponding to trusted protection software installed in the target client, and the trusted protection software is used to provide an active security protection service for the target client;
a determining unit 23, configured to determine first permission information corresponding to the target file;
and the protection unit 25 is configured to perform security protection on the target file and/or the process corresponding to the trusted protection software based on the first permission information.
The client security protection device can, through the acquiring unit 21, acquire a target file to be protected after detecting that a target client starts a system basic service, wherein the target file is an installation file corresponding to trusted protection software installed in the target client and the trusted protection software provides an active security protection service for the target client; determine, through the determining unit 23, first permission information corresponding to the target file; and then, through the protection unit 25, perform security protection on the target file and/or the process corresponding to the trusted protection software based on the first permission information. In this embodiment, active security protection is realized through the trusted protection software: files that need to be stored receive comprehensive and stable protection, the software's own process is protected against illegal tampering or deletion, file security is improved, the user can learn the security state of the client in real time, and user satisfaction with the trusted protection software rises. This solves the technical problem in the related art that the security protection software adopted by a client can only perform passive defense and cannot guarantee the security of the files stored inside it.
Optionally, the client security protection device further includes: a first determining module, configured to acquire a key resource file in the target client after the trusted protection software is started; a first acquiring module, configured to acquire second permission information corresponding to the key resource file; a first configuration module, configured to configure permissions on the key resource file based on the resource permissions; and a first protection module, configured to perform security protection on the key resource file based on the second permission information.
Optionally, the key resource file includes at least one of: a system registry and a system core file.
Optionally, the security protection device further includes: an interception module, configured to intercept a registry access behavior when the target client detects the registry access behavior; a comparison module, configured to compare the registry path accessed by the registry access behavior with the registry access policy; a permission module, configured to allow the registry access behavior to be executed when the registry access policy does not specify the registry path accessed by the registry access behavior; and a prohibition module, configured to prohibit the registry access behavior from being executed when the registry access policy specifies the registry path accessed by the registry access behavior.
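The registry access decision as the description states it (a path the policy specifies is prohibited, any other path is allowed), written out as an added example that is not the patent's code. Matching case-insensitively, expanding hive abbreviations such as HKLM, and treating a policy entry as covering its subkeys are assumptions of this example that follow how Windows resolves registry paths; the patent does not spell them out. The sample policy and the intercepted accesses are constructed.

```python
# Hive abbreviations expanded to their canonical names before comparison (assumption).
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}


def normalize(path: str) -> tuple:
    """Split a registry path into upper-cased components with a canonical hive name."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if not parts:
        raise ValueError("empty registry path")
    hive = parts[0].upper()
    parts[0] = HIVE_ALIASES.get(hive, hive)
    return tuple(p.upper() for p in parts)


class RegistryAccessPolicy:
    """The registry access policy: a list of protected registry paths."""

    def __init__(self, protected_paths):
        self.entries = [normalize(p) for p in protected_paths]

    def specifies(self, path: str) -> bool:
        # Component-wise prefix match: an entry covers the key itself and its subkeys,
        # but "...\\TrustAgent" does not cover "...\\TrustAgentTools".
        key = normalize(path)
        return any(key[:len(e)] == e for e in self.entries)

    def decide(self, path: str) -> str:
        return "deny" if self.specifies(path) else "allow"


def intercept(policy: RegistryAccessPolicy, accesses) -> list:
    """Apply the policy to each intercepted access; returns (pid, path, verdict) triples."""
    return [(a["pid"], a["path"], policy.decide(a["path"])) for a in accesses]


# Constructed sample: two protected key paths and four intercepted accesses.
SAMPLE_POLICY = RegistryAccessPolicy([
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TrustAgent",
    "HKLM\\SOFTWARE\\TrustAgent",
])
SAMPLE_ACCESSES = [
    {"pid": 4120, "path": "hklm\\system\\currentcontrolset\\services\\trustagent\\Start"},
    {"pid": 4120, "path": "HKLM\\SOFTWARE\\TrustAgentTools"},
    {"pid": 788, "path": "HKEY_LOCAL_MACHINE\\Software\\TrustAgent\\Policy"},
    {"pid": 2200, "path": "HKCU\\Software\\Vendor\\App"},
]


def demo() -> list:
    return intercept(SAMPLE_POLICY, SAMPLE_ACCESSES)


if __name__ == "__main__":
    for pid, path, verdict in demo():
        print(f"pid={pid} {verdict:5s} {path}")
```

As written in the description the decision depends only on the path, so a deployment also needs a way for the trusted protection software's own service to update the keys it protects (for example an exemption for its own process identity); otherwise the policy configured from the management center could not be written to the registry by the agent itself.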
Optionally, the client security protection apparatus further includes: the first traversal module is used for traversing the disks on the target client after the trusted protection software is started to obtain all the disk files; the first identification module is used for identifying an executable file and a support script in the current operating environment of the target client from all the disk files; the first storage module is used for storing the executable file and the hash value corresponding to the support script into a system white list; and the second protection module is used for realizing active safety protection on the target client based on the system white list.
As an optional embodiment of the present invention, the security protection device of the client further includes: the first receiving module is used for receiving a software installation strategy transmitted by a management center remotely connected with a target client after the trusted protection software is started; the first acquisition module is used for installing the software package transmitted by the management center according to the software installation strategy and acquiring a white list generated in the software package installation process; and the first sending module is used for sending the collected white list to a management center, and the management center is used for correspondingly storing the white list and the software installation strategy.
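The two white-list procedures described above (traverse the disk, pick out executables and support scripts, store their hashes as the system white list; then install a package under a software installation policy and collect the white-list entries the installation produced), run against a temporary directory as one added example that is not the patent's code. Which extensions count as executables and support scripts, the choice of SHA-256 (the patent names no hash function), the simulated "install" that writes package files to disk, and all file contents are constructed assumptions of this example.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".com"}   # assumption: executable files
SCRIPT_EXT = {".ps1", ".bat", ".cmd", ".vbs"}        # assumption: support scripts


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_whitelist_candidate(path: str) -> bool:
    ext = os.path.splitext(path)[1].lower()
    return ext in EXECUTABLE_EXT or ext in SCRIPT_EXT


def traverse_disk(root: str):
    for dirpath, _, names in os.walk(root):
        for n in names:
            yield os.path.join(dirpath, n)


def build_whitelist(root: str) -> dict:
    """path -> sha256 for every executable or support script found under root."""
    return {p: sha256_file(p) for p in traverse_disk(root) if is_whitelist_candidate(p)}


def _write(root: str, rel_parts: tuple, content: bytes) -> str:
    full = os.path.join(root, *rel_parts)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)
    return full


def install_and_collect(root: str, whitelist: dict, package: dict) -> dict:
    """Simulated install of `package` ({path parts: bytes}); returns only the entries it added."""
    before = dict(whitelist)
    for rel_parts, content in package.items():
        _write(root, rel_parts, content)
    after = build_whitelist(root)
    collected = {p: h for p, h in after.items() if before.get(p) != h}
    whitelist.update(collected)       # the agent keeps them; the center stores them with the policy
    return collected


def check_execution(whitelist: dict, path: str) -> str:
    """White-list enforcement by hash: only content whose hash is listed may run."""
    if not os.path.exists(path):
        return "missing"
    return "allow" if sha256_file(path) in set(whitelist.values()) else "deny"


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        # Constructed baseline: one executable, one script, one non-code file.
        for parts, data in [(("Windows", "System32", "svc.exe"), b"MZ baseline service"),
                            (("Tools", "run.ps1"), b"Write-Host 'hi'"),
                            (("Docs", "readme.txt"), b"not code")]:
            _write(root, parts, data)
        wl = build_whitelist(root)
        baseline = len(wl)
        # Constructed package delivered under a software installation policy.
        package = {("Program Files", "Vendor", "app.exe"): b"MZ app",
                   ("Program Files", "Vendor", "setup.bat"): b"@echo off",
                   ("Program Files", "Vendor", "LICENSE.txt"): b"license text"}
        collected = install_and_collect(root, wl, package)
        app = os.path.join(root, "Program Files", "Vendor", "app.exe")
        before = check_execution(wl, app)
        with open(app, "ab") as f:      # tamper with the installed binary
            f.write(b"\x90")
        after = check_execution(wl, app)
        unknown = check_execution(wl, _write(root, ("Downloads", "tool.exe"), b"MZ unknown"))
        return {"baseline": baseline, "collected": len(collected),
                "before": before, "after": after, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```

Collecting the white list as the difference between the pre-install and post-install traversal, rather than trusting the package's own file list, is what ties the entries to the installation policy: only content actually placed on disk by that install is reported back to the management center.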
Optionally, the client security protection device further includes: a second sending module, configured for the target client to send heartbeat data to a management center remotely connected with the target client at intervals of a preset time period, wherein the heartbeat data carries relevant information of the target client; a second receiving module, configured for the target client to receive a notification message returned by the management center after it receives the heartbeat data, wherein the notification message notifies the target client to acquire a target policy from the management center; a second configuration module, configured for the target client to acquire and parse the target policy from the management center and configure the target policy into the kernel; and a third sending module, configured for the target client to send a confirmation message to the management center, wherein the confirmation message notifies the management center that the target policy has taken effect.
Optionally, the client security protection device further includes: an encryption module, configured to encrypt the communication data between the target client and the management center, wherein the encryption algorithm used at least includes the national cryptographic (SM series) algorithm.
The client security protection device may further include a processor and a memory, where the obtaining unit 21, the determining unit 23, the protecting unit 25, and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to implement corresponding functions.
The processor comprises a kernel, and the kernel calls a corresponding program unit from the memory. The kernel can be set to be one or more, and active safety protection is carried out on the target client by adjusting kernel parameters.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
According to another aspect of the embodiments of the present invention, a terminal device is also provided, including: a memory and a processor coupled to the memory, the memory and the processor communicating via a bus system; the memory is configured to store a program, wherein the program controls the device in which the memory is located to execute the client security protection method described above, and the processor is configured to run the program, wherein the client security protection method is executed when the program runs.
According to another aspect of the embodiments of the present invention, a processor is further provided, wherein the processor is configured to execute a program, and the program, when executed, performs the client security protection method according to any one of the above.
The present application further provides a computer program product adapted to perform a program for initializing the following method steps when executed on a data processing device: after a target client is detected to start system basic service, acquiring a target file to be protected, wherein the target file is an installation file corresponding to trusted protection software installed in the target client, and the trusted protection software is used for providing active safety protection service for the target client; determining first authority information corresponding to a target file; and performing security protection on the target file and/or the process corresponding to the trusted protection software based on the first permission information.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A client security protection method, applied to a target client, comprising the following steps:
after a target client is detected to start system basic service, acquiring a target file to be protected, wherein the target file is an installation file corresponding to trusted protection software installed in the target client, and the trusted protection software is used for providing active security protection service for the target client;
determining first authority information corresponding to the target file;
and performing security protection on the target file and/or the process corresponding to the trusted protection software based on the first authority information.
2. The security protection method of claim 1, further comprising:
after the trusted protection software is started, acquiring a key resource file in the target client;
acquiring second authority information corresponding to the key resource file;
and performing security protection on the key resource file based on the second authority information.
3. The security protection method of claim 1, further comprising:
intercepting a registry access behavior when the target client detects the registry access behavior;
comparing the path of accessing the registry corresponding to the registry access behavior with the registry access strategy;
if the registry access policy does not specify the path for accessing the registry corresponding to the registry access behavior, allowing the registry access behavior to be executed;
and if the registry access policy specifies a path for accessing the registry corresponding to the registry access behavior, prohibiting the registry access behavior from being executed.
4. The security protection method of claim 1, further comprising:
after the trusted protection software is started, traversing the disks on the target client to obtain all disk files;
identifying executable files and supporting scripts in the current operating environment of the target client from all the disk files;
storing the executable file and the hash value corresponding to the supporting script into a system white list;
and realizing active safety protection for the target client based on the system white list.
5. The method of claim 1, wherein the security method further comprises:
after the trusted protection software is started, receiving a software installation strategy transmitted by a management center remotely connected with the target client;
installing the software package transmitted by the management center according to the software installation strategy, and collecting a white list generated in the software package installation process;
and sending the collected white list to the management center, wherein the management center is used for correspondingly storing the white list and the software installation strategy.
6. The method of claim 1, wherein the security method further comprises:
the target client sends heartbeat data to a management center remotely connected with the target client at intervals of a preset time period, wherein the heartbeat data carries relevant information of the target client;
the target client receives a notification message returned by the management center after receiving the heartbeat data, wherein the notification message is used for notifying the target client to acquire a target policy from the management center;
the target client acquires and analyzes the target strategy from the management center and configures the target strategy to a kernel;
the target client sends a confirmation message to the management center, wherein the confirmation message is used for notifying the management center that the target policy is effective.
7. The method of claim 6, wherein the security method further comprises:
encrypting the communication data between the target client and the management center, wherein an encryption algorithm used during encryption at least comprises the national cryptographic (SM series) algorithm.
8. A client security protection device, comprising:
an acquiring unit, configured to acquire a target file to be protected after detecting that a target client starts a system basic service, wherein the target file is an installation file corresponding to trusted protection software installed in the target client, and the trusted protection software is used for providing an active security protection service for the target client;
the determining unit is used for determining first authority information corresponding to the target file;
and the protection unit is used for carrying out security protection on the target file and/or the process corresponding to the trusted protection software based on the first authority information.
9. A terminal device, comprising:
a memory, a processor coupled with the memory, the memory and the processor communicating over a bus system;
the memory is used for storing a program, wherein the program when executed by the processor controls the device in which the memory is located to execute the client security protection method of any one of claims 1 to 7,
the processor is used for running a program, wherein the program runs to execute the security protection method of the client side according to any one of claims 1 to 7.
10. A processor, configured to execute a program, wherein the program, when executed, performs the client security protection method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910936996.XA CN110688653A (en) 2019-09-29 2019-09-29 Client security protection method and device and terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910936996.XA CN110688653A (en) 2019-09-29 2019-09-29 Client security protection method and device and terminal equipment

Publications (1)

Publication Number Publication Date
CN110688653A true CN110688653A (en) 2020-01-14

Family

ID=69111176

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910936996.XA Pending CN110688653A (en) 2019-09-29 2019-09-29 Client security protection method and device and terminal equipment

Country Status (1)

Country Link
CN (1) CN110688653A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101414341A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Software self-protection method
CN101650768A (en) * 2009-07-10 2010-02-17 深圳市永达电子股份有限公司 Security guarantee method and system for Windows terminals based on auto white list
CN104298925A (en) * 2014-10-14 2015-01-21 北京可信华泰信息技术有限公司 Design and implementation method of active immunity platform of operating system
US8943546B1 (en) * 2012-01-27 2015-01-27 Symantec Corporation Method and system for detecting and protecting against potential data loss from unknown applications
CN104376257A (en) * 2014-12-12 2015-02-25 北京奇虎科技有限公司 Application self-protection and active defense method and application self-protection and active defense device
CN105138901A (en) * 2015-08-03 2015-12-09 浪潮电子信息产业股份有限公司 White list based realization method for active defense of cloud host
CN106326699A (en) * 2016-08-25 2017-01-11 广东七洲科技股份有限公司 Method for reinforcing server based on file access control and progress access control
CN109271787A (en) * 2018-07-03 2019-01-25 中国银联股份有限公司 Operating system security active defense method and operating system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
汪锋 (Wang Feng): "Design and Implementation of a Whitelist Active Defense System", Computer Engineering and Design *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111741078A (en) * 2020-05-29 2020-10-02 深圳市伟众信息技术有限公司 White list platform message system and method
CN113051550A (en) * 2021-03-30 2021-06-29 深信服科技股份有限公司 Terminal equipment, protection method and device thereof and readable storage medium
CN113452718A (en) * 2021-07-07 2021-09-28 北京泰立鑫科技有限公司 Active defense method and system for exclusive storage space
CN113452718B (en) * 2021-07-07 2022-07-01 何小林 Active defense method and system for exclusive storage space
CN114866532A (en) * 2022-04-25 2022-08-05 安天科技集团股份有限公司 Method, device, equipment and medium for uploading security check result information of endpoint file
CN114866532B (en) * 2022-04-25 2023-11-10 安天科技集团股份有限公司 Method, device, equipment and medium for uploading security check result information of endpoint file

Similar Documents

Publication Publication Date Title
US10235524B2 (en) Methods and apparatus for identifying and removing malicious applications
CN109831420B (en) Method and device for determining kernel process permission
US9467465B2 (en) Systems and methods of risk based rules for application control
AU2019246773B2 (en) Systems and methods of risk based rules for application control
CN110688653A (en) Client security protection method and device and terminal equipment
RU2568295C2 (en) System and method for temporary protection of operating system of hardware and software from vulnerable applications
US20140201843A1 (en) Systems and methods for identifying and reporting application and file vulnerabilities
KR20180097527A (en) Dual Memory Introspection to Protect Multiple Network Endpoints
KR101266037B1 (en) Method and apparatus for treating malicious action in mobile terminal
CN111131221B (en) Interface checking device, method and storage medium
US20150033004A1 (en) Processing Device
CN110245495B (en) BIOS checking method, configuration method, device and system
US10339307B2 (en) Intrusion detection system in a device comprising a first operating system and a second operating system
US9785775B1 (en) Malware management
CN108038380A (en) Inoculator and antibody for computer security
CN110677483B (en) Information processing system and trusted security management system
CN106856477B (en) Threat processing method and device based on local area network
CN110704849B (en) Client information processing method and device
Powers et al. Whitelist malware defense for embedded control system devices
CN110990873A (en) Illegal operation monitoring method, computer equipment and storage medium
CN111259389A (en) Operating system protection method, device and storage medium
CN112398784A (en) Method and device for defending vulnerability attack, storage medium and computer equipment
CN115168908B (en) File protection method, device, equipment and storage medium
KR20140047518A (en) Black box apparatus and method for supporting reconfiguration of smart grid system
CN109784037B (en) Security protection method and device for document file, storage medium and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200114