CN111368293B - Process management method, device, system and computer readable storage medium - Google Patents


Info

Publication number: CN111368293B
Authority: CN (China)
Prior art keywords: mode; white list; identification information; target terminal; determining
Legal status: Active
Application number: CN202010150711.2A
Other languages: Chinese (zh)
Other versions: CN111368293A (en)
Inventor: 董岩恒
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd
Events: application filed by Sangfor Technologies Co Ltd; priority to CN202010150711.2A; publication of CN111368293A; application granted; publication of CN111368293B; legal status Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The invention discloses a process management method, which comprises the following steps: determining the operation mode of each terminal based on the operation instruction of each terminal; if the operation mode of the target terminal is detected to be the standard mode, monitoring whether a creation event of a first process exists in the target terminal; if the creation event is detected, determining first identification information of the first process; determining whether the first identification information exists in a white list; and if the first identification information does not exist in the white list, preventing the first process from starting. The invention also discloses a process management device, a system and a computer readable storage medium. According to the invention, each terminal is monitored; when a process creation event occurs on the target terminal, it is determined whether the process is allowed to start, and if it is not allowed, the process is prevented from starting. The target terminal is thus protected from attack by an untrusted program, the security of the terminal is improved, and the processes of all terminals are managed uniformly.

Description

Process management method, device, system and computer readable storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a process management method, apparatus, system, and computer-readable storage medium.
Background
Security protection has always been key work for internet enterprises. For important server equipment, because a server is generally responsible for only a small number of services, its operating environment is relatively fixed and its processes/applications do not change, the traditional method is to restrict the running of non-white-list processes/applications by setting a white list, which can to a large extent prevent unknown virus threats and ransomware damage.
However, the existing white list technology targets the function of a single terminal, that is, existing white-list-based security protection is single-point protection. For the processes of multiple terminals, because their software and hardware environments differ, it is difficult to manage them with a unified management platform, so how to implement unified management of the processes of multiple terminals is a technical problem that urgently needs to be solved.
Disclosure of Invention
The invention mainly aims to provide a process management method, a device, a system and a computer readable storage medium, aiming at realizing the unified management of processes of multiple terminals.
In order to achieve the above object, the present invention provides a process management method, which comprises the following steps:
determining the operation mode of each terminal based on the operation instruction of each terminal;
if the operation mode of the target terminal is detected to be the standard mode, monitoring whether a creation event of a first process exists in the target terminal;
if the creation event is detected, determining first identification information of the first process;
determining whether the first identification information exists in a white list;
and if the first identification information does not exist in the white list, preventing the first process from being started.
Preferably, if the creation event is detected, the step of determining the first identification information of the first process includes:
if the creation event is detected, determining a path of the first process, and determining a process file of the first process based on the path;
and extracting file information of the process file, and generating first identification information corresponding to the first process based on the file information.
Preferably, after the step of preventing the first process from starting if it is determined that the first identification information does not exist in the white list, the process management method further includes:
generating a reporting task corresponding to the first process, and delivering the reporting task to a reporting queue;
recording the detail information corresponding to the first process based on the reporting queue, and generating an alarm popup corresponding to the first process.
Preferably, after the step of determining the operation mode of each terminal based on the operation instruction of each terminal, the process management method further includes:
if the operation mode of the target terminal is detected to be the standard mode, traversing and determining second identification information of a second process in which the target terminal is operating;
determining whether the second identification information exists in the white list;
and if the second identification information does not exist in the white list, ending the second process.
Preferably, after the step of determining the operation mode of each terminal based on the operation instruction of each terminal, the process management method further includes:
if the operation mode of the target terminal is detected to be the learning mode, traversing and determining second identification information of a second process in which the target terminal is operating;
updating the white list based on the second identification information.
Preferably, the process management method further includes:
determining a learning time of the learning mode;
and if the learning time reaches a first preset threshold value, sending a mode exit instruction to the target terminal so that the target terminal can exit the learning mode based on the mode exit instruction.
Preferably, after the step of determining the operation mode of each terminal based on the operation instruction of each terminal, the process management method further includes:
if the operation mode of the target terminal is detected to be the operation and maintenance mode, disabling the white list, and determining the operation and maintenance time of the operation and maintenance mode;
and if the operation and maintenance time reaches a second preset threshold, switching the operation mode of the target terminal to the standard mode so as to re-enable the white list.
In addition, to achieve the above object, the present invention provides a process management apparatus, including:
the determining module is used for determining the operation mode of each terminal based on the operation instruction of each terminal;
the file filtering driving module is used for monitoring whether a creating event of a first process exists in the target terminal or not if the operation mode of the target terminal is detected to be a standard mode;
a white list filtering module, configured to determine first identification information of the first process if the creation event is detected;
the white list filtering module is further configured to determine whether the first identification information exists in a white list;
the white list filtering module is further configured to prevent the first process from being started if it is determined that the first identification information does not exist in the white list.
Preferably, the white list filtering module is further configured to:
if the creation event is detected, determining a path of the first process, and determining a process file of the first process based on the path;
and extracting file information of the process file, and generating first identification information corresponding to the first process based on the file information.
Preferably, the process management device further includes a process detail acquiring module, and the process detail acquiring module is configured to:
generating a reporting task corresponding to the first process, and delivering the reporting task to a reporting queue;
recording the detail information corresponding to the first process based on the reporting queue, and generating an alarm popup corresponding to the first process.
Preferably, the white list filtering module is further configured to:
if the operation mode of the target terminal is detected to be the standard mode, traversing and determining second identification information of a second process in which the target terminal is operating;
determining whether the second identification information exists in the white list;
and if the second identification information does not exist in the white list, ending the second process.
Preferably, the process management apparatus further comprises a learning module, the learning module is configured to:
if the operation mode of the target terminal is detected to be the learning mode, traversing and determining second identification information of a second process in which the target terminal is operating;
updating the white list based on the second identification information.
Preferably, the learning module is further configured to:
determining a learning time of the learning mode;
and if the learning time reaches a first preset threshold value, sending a mode exit instruction to the target terminal so that the target terminal can exit the learning mode based on the mode exit instruction.
Preferably, the process management apparatus further includes an operation and maintenance module, where the operation and maintenance module is configured to:
if the operation mode of the target terminal is detected to be the operation and maintenance mode, disabling the white list, and determining the operation and maintenance time of the operation and maintenance mode;
and if the operation and maintenance time reaches a second preset threshold value, switching the operation mode of the target terminal to the standard mode so as to re-enable the white list.
In addition, to achieve the above object, the present invention further provides a process management system, including: a memory, a processor and a process management program stored on the memory and executable on the processor, the process management program when executed by the processor implementing the steps of the process management method as described above.
Furthermore, to achieve the above object, the present invention also provides a computer readable storage medium having stored thereon a process management program, which when executed by a processor, implements the steps of the process management method as described above.
The process management method provided by the invention determines the operation mode of each terminal based on the operation instruction of each terminal; if the operation mode of the target terminal is detected to be the standard mode, monitors whether a creation event of a first process exists in the target terminal; if the creation event is detected, determines first identification information of the first process; determines whether the first identification information exists in a white list; and if the first identification information does not exist in the white list, prevents the first process from starting. The invention monitors each terminal, determines whether a process is allowed to start when a process creation event occurs on the target terminal, and prevents it from starting if it is not allowed, thereby protecting the target terminal from attack by an untrusted program, improving the security of the terminal and realizing unified management of the processes of all terminals.
Drawings
Fig. 1 is a schematic diagram of a system architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a process management method according to a first embodiment of the present invention;
fig. 3 is a schematic diagram of a framework of a process management system according to a first embodiment of the process management method of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
As shown in fig. 1, fig. 1 is a system structural diagram of a hardware operating environment according to an embodiment of the present invention.
The system of the embodiment of the invention can comprise a PC or a server device.
As shown in fig. 1, the system may include: a processor 1001, e.g. a CPU, a network interface 1004, a user interface 1003, a memory 1005, a communication bus 1002. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the system architecture shown in FIG. 1 is not intended to be limiting of the system, and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, the memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a process management program.
The operating system is a program for managing and controlling the process management system and its software resources, and supports the running of the network communication module, the user interface module, the process management program and other programs or software; the network communication module is used to manage and control the network interface 1004; the user interface module is used to manage and control the user interface 1003.
In the process management system shown in fig. 1, the process management system calls a process management program stored in a memory 1005 by a processor 1001 and performs operations in the respective embodiments of the process management method described below.
Based on the hardware structure, the embodiment of the process management method is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a process management method according to a first embodiment of the present invention, where the method includes:
step S10, determining the operation mode of each terminal based on the operation instruction of each terminal;
step S20, if the operation mode of the target terminal is detected to be a standard mode, monitoring whether a creation event of a first process exists in the target terminal;
step S30, if the creation event is detected, determining first identification information of the first process;
step S40, determining whether the first identification information exists in a white list or not;
step S50, if the first identification information does not exist in the white list, the first process is prevented from being started.
The process management method is applied to a process management system. Referring to fig. 3, the process management system comprises a file filter driver module, a driver management plug-in, a white list process filtering module, a process detail acquisition module, a communication management module, a configuration management module and a management platform, and is connected to the terminals through the management platform. The modules cooperate as follows.
The file filter driver module monitors process creation events on the process management system, that is, the process creation events of each terminal, and dispatches the detected process callbacks to the white list process filtering module.
On receiving a process dispatched by a callback, the white list process filtering module handles the process according to the corresponding operation mode and the configuration synchronised by the configuration management module, and adds the process to the reporting queue as a reporting task.
The process detail acquisition module takes reporting tasks from the reporting queue, acquires the detailed information of the process (specifically the process name, the original program name, the copyright information and the like), and calls the interface of the communication management module to report the data to the management platform.
The configuration management module handles the distribution and synchronisation of the configuration and is responsible for verifying the configuration and applying it.
The communication management module handles the external communication logic, exposes the external configuration interface, handles the communication requests of the other modules to the management platform and the UI, and manages the file filter driver module through the driver management plug-in.
In this embodiment, whether the process of each terminal is in the white list is detected, so that the starting of the non-white list process is limited, and the unified management of the processes of the multiple terminals is realized.
The respective steps will be described in detail below:
and step S10, determining the operation mode of each terminal based on the operation instruction of each terminal.
In this embodiment, the process management system is connected to a plurality of terminals through a management platform, and monitors the operation mode of each terminal in real time, where the operation mode of the terminal includes a standard mode, a learning mode, an operation and maintenance mode, and a shutdown mode.
The standard mode is also called the effective mode. Each mode is defined by the state of four switches. When the operation mode of the terminal is the standard mode, the driver callback dispatch switch is on, the process white list query switch is on, the process detail acquisition switch is on, and the non-white process handling switch is on. When the operation mode of the terminal is the learning mode, the driver callback dispatch switch is on, the process white list query switch is off, the process detail acquisition switch is on, and the non-white process handling switch is off. When the operation mode of the terminal is the operation and maintenance mode, the driver callback dispatch switch, the process white list query switch, the process detail acquisition switch and the non-white process handling switch are all off. When the operation mode of the terminal is the shutdown mode, all four switches are likewise off.
The driver callback dispatch switch controls whether the driver dispatches processes to the white list filtering module; the process white list query switch controls whether the white list filtering flow is run; the process detail acquisition switch controls whether the details of the program are analysed; the non-white process handling switch controls whether non-white processes are handled according to the configuration.
It should be noted that the switch states of the shutdown mode and the operation and maintenance mode are identical; the difference is that the operation and maintenance mode has a fallback mechanism that automatically switches back to the standard mode. In addition, whenever any mode is switched to the learning mode, the learning mode collection data table must be emptied.
The learning mode and the operation and maintenance mode each have a stop time. To avoid a terminal remaining permanently in the learning mode after it is disconnected from the management platform, a fallback stop time is set.
After the system switches to the standard mode, the running processes must be traversed and the non-white processes killed; after it switches to the learning mode, the running processes must be traversed and added to the queue to be reported.
In a specific implementation, each terminal runs in the operation mode corresponding to the operation instruction given by the user, so the operation mode of each terminal can be determined from the operation instruction of that terminal.
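The mode and switch semantics above, modelled as an added example that is not part of the patent or of Sangfor's code: a management platform that tracks the mode of every terminal, applies mode instructions (emptying the learning table and returning the traversal the text requires on entry to the learning or standard mode), and enforces the two time limits. The class and function names, the threshold values, the clock passed in as `now`, and the choice to exit the learning mode into the standard mode (the text only says "exit") are assumptions.

```python
"""Added example (not the patent's own code): the four operation modes, the
four switches each mode implies, and the learning-mode and O&M stop times.
Names, threshold values and the sample clock are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    STANDARD = "standard"            # also called the effective mode
    LEARNING = "learning"
    OPS = "operation_and_maintenance"
    SHUTDOWN = "shutdown"


# (driver callback dispatch, white-list query, process detail acquisition,
#  non-white process handling) per mode, exactly as the text lists them.
SWITCHES = {
    Mode.STANDARD: (True, True, True, True),
    Mode.LEARNING: (True, False, True, False),
    Mode.OPS: (False, False, False, False),
    Mode.SHUTDOWN: (False, False, False, False),
}
SWITCH_NAMES = ("dispatch", "query", "detail", "handle")

LEARNING_LIMIT = 3600.0   # first preset threshold, seconds (assumed value)
OPS_LIMIT = 1800.0        # second preset threshold, seconds (assumed value)


def switches(mode):
    """Switch states of a mode as a name -> bool mapping."""
    return dict(zip(SWITCH_NAMES, SWITCHES[mode]))


@dataclass
class Terminal:
    name: str
    mode: Mode = Mode.STANDARD
    entered_at: float = 0.0                     # clock value when the mode was entered
    learned: set = field(default_factory=set)   # learning-mode collection data table


class ManagementPlatform:
    """Holds the mode of every managed terminal and applies mode instructions."""

    def __init__(self):
        self.terminals = {}

    def register(self, name, now):
        self.terminals[name] = Terminal(name, Mode.STANDARD, now)

    def apply_instruction(self, name, new_mode, now):
        """Switch a terminal's mode; return the follow-up actions the text requires."""
        term = self.terminals[name]
        actions = []
        if new_mode is Mode.LEARNING:
            term.learned.clear()   # collection table emptied whenever learning mode is entered
            actions.append("traverse_running_and_enqueue_for_report")
        elif new_mode is Mode.STANDARD:
            actions.append("traverse_running_and_kill_non_white")
        term.mode = new_mode
        term.entered_at = now
        return actions

    def tick(self, now):
        """Enforce the stop times. Returns {terminal: instruction} for terminals acted on."""
        issued = {}
        for term in self.terminals.values():
            elapsed = now - term.entered_at
            if term.mode is Mode.LEARNING and elapsed >= LEARNING_LIMIT:
                # Mode-exit instruction. The text does not name the mode exited into,
                # so standard mode is assumed. Being time based, the fallback also
                # fires when the terminal has lost its link to the platform.
                self.apply_instruction(term.name, Mode.STANDARD, now)
                issued[term.name] = "mode_exit_instruction"
            elif term.mode is Mode.OPS and elapsed >= OPS_LIMIT:
                self.apply_instruction(term.name, Mode.STANDARD, now)
                issued[term.name] = "ops_timeout_switch_to_standard"
            # shutdown mode has the same switches as O&M but no fallback
        return issued


if __name__ == "__main__":
    platform = ManagementPlatform()
    platform.register("srv-1", now=0.0)
    print(platform.apply_instruction("srv-1", Mode.LEARNING, now=10.0))
    print(platform.tick(now=10.0 + LEARNING_LIMIT), platform.terminals["srv-1"].mode)
```

The shutdown mode deliberately has no entry in `tick`: it shares its switch states with the operation and maintenance mode but, as the text notes, lacks the automatic return to the standard mode.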
Step S20, if it is detected that the operation mode of the target terminal is the standard mode, monitoring whether a creation event of the first process exists in the target terminal.
In this embodiment, if it is detected that the operation mode of the target terminal in the terminal is the standard mode, the file filter driver module monitors whether a creation event of the first process exists in the target terminal, that is, whether the target terminal has a new process created, where it is to be noted that, in the standard mode, the file filter driver module is in an open state, and therefore, the file filter driver module can monitor whether the creation event of the first process exists in the target terminal, that is, whether a new process is created in the process system.
In a specific implementation, all data sources are obtained through callback functions registered via the communication management module: the process management program registers a callback with the file filter driver module for the process creation event (CreateProcess), and the file filter driver module can obtain and dispatch all user-mode process creation events.
Step S30, if the creation event is detected, determining first identification information of the first process.
In this embodiment, if a creation event is detected, which indicates that a new process is to be started, first identification information of the first process is determined, where the identification information is used to represent a unique identifier of the process.
And step S40, determining whether the first identification information exists in a white list.
In this embodiment, the generated first identification information is compared with the identification information in the white list, and it is determined whether the white list has the first identification information, that is, the white list stores the identification information of the trusted process, and if the white list has the first identification information, it is determined that the first process is the trusted process; otherwise, the result is not.
Step S50, if the first identification information does not exist in the white list, the first process is prevented from being started.
In this embodiment, if it is determined that the first identification information does not exist in the white list, which indicates that the application corresponding to the first process is an untrusted application, the first process is prevented from being started, and an attack of an unknown virus is avoided. And if the first identification information is determined to exist in the white list, the application program corresponding to the first process is indicated as a trusted application program, the first process is allowed to be started, and the application program corresponding to the first process is normally started and operated.
Further, in another embodiment, step S30 includes:
step a1, if the creation event is detected, determining a path of the first process, and determining a process file of the first process based on the path;
in this step, if the detected creation event is detected, the path of the first process is determined first, so as to determine the process file of the first process according to the path, that is, to determine which process file the first process of the target terminal is started by, or to say, which program or application process the first process is.
Step a2, extracting file information of the process file, and generating first identification information corresponding to the first process based on the file information.
In this step, after the process file of the first process is determined, the file information of the process file is extracted. The file information includes the process name, the original program name and the copyright information, and the first identification information corresponding to the first process is generated from the extracted file information: specifically, an MD5 (Message-Digest Algorithm 5) digest is computed over the process name, the original program name and the copyright information to produce a program_id, which is the identification information of the process.
In this embodiment, it is considered that the storage path of the process of the same application program may differ between terminals, so the first identification information is generated from the process name, the original program name, the copyright information and the like, unlike the conventional way of distinguishing processes by the path in which the process is located. Note that the program_id is therefore derived from the file's declared information rather than from the file's contents: two process files with the same process name, original program name and copyright information yield the same program_id whatever their path or contents.
Further, in another embodiment, after step S50, the process management method further includes:
step S60, generating a reporting task corresponding to the first process, and delivering the reporting task to a reporting queue;
in another embodiment, after the process is handled, the process management system further uses the process as a reporting task and delivers the reporting task to a reporting queue, so that the subsequent process detail acquisition module can acquire the detail information of the process and can perform asynchronous processing when generating the alarm popup window.
And step S70, recording the detail information corresponding to the first process based on the reporting queue, and generating an alarm popup corresponding to the first process.
In the step, the process management system acquires the processes in the reporting queue through the process detail acquisition module based on the reporting queue, acquires the detail information of the processes, wherein the detail information comprises the process names of the processes, original program names, copyright information, log information, processing results and the like, reports the detail information to the management platform for recording, generates an alarm popup window corresponding to the first process, and displays an alarm on a UI (user interface) of the target terminal.
This embodiment determines the operation mode of each terminal based on the operation instruction of each terminal; if the operation mode of the target terminal is detected to be the standard mode, monitors whether a creation event of a first process exists in the target terminal; if the creation event is detected, determines first identification information of the first process; determines whether the first identification information exists in a white list; and if the first identification information does not exist in the white list, prevents the first process from starting. The invention monitors each terminal, determines whether a process is allowed to start when a process creation event occurs on the target terminal, and prevents it from starting if it is not allowed, thereby protecting the target terminal from attack by an untrusted program, improving the security of the terminal and realizing unified management of the processes of all terminals.
Further, a second embodiment of the process management method of the present invention is proposed based on the first embodiment of the process management method of the present invention.
The second embodiment of the process management method differs from the first embodiment of the process management method in that, after step S10, the process management method further includes:
step b1, traversing and determining second identification information of a second process in which the target terminal is running if the running mode of the target terminal is detected to be a standard mode;
b2, determining whether the white list has the second identification information;
and b3, if the second identification information does not exist in the white list, ending the second process.
In this embodiment, when it is determined that the operation mode of the target terminal is the standard mode, it is determined whether the second process being operated is allowed to start operation, and if not, the second process is ended.
The respective steps will be described in detail below:
step b1, if the operation mode of the target terminal is detected to be the standard mode, traversing the second processes running on the target terminal and determining second identification information of each.
In this embodiment, if the operation mode of the target terminal is detected to be the standard mode, the process management system must determine by traversal whether each second process running on the target terminal is allowed to run, that is, whether it is a trusted process in the white list. The identification information of the processes currently running on the target terminal is therefore determined one by one until the second identification information of every second process is known. The second identification information is determined in the same way as the first identification information, which is not repeated here.
And b2, determining whether the white list has the second identification information.
In this embodiment, after the second identification information of a second process has been determined, it is checked whether the white list contains it. In a specific implementation, the identification information of each process currently running on the target terminal is compared in turn with the identification information in the white list, so as to determine whether that process is in the white list, until all running processes have been traversed.
And b3, if the white list is determined not to have the second identification information, ending the second process.
In this embodiment, if it is determined that the white list does not contain the second identification information, the second process is terminated, that is, it is not allowed to continue running; in other words, every running process that is not in the white list is killed.
Further, step b3 comprises:
if the white list is determined not to have the second identification information, determining a directory path corresponding to the second process;
if the directory path is a safe path, ending the second process;
and if the directory path is a common path, allowing the second process to continue running.
Here a safe path is a directory path under which a process that is subject to a virus attack can affect other processes, whereas a common path is a directory path under which such a process does not affect other processes; a non-white-list process under a common path is therefore left alone, while one under a safe path is terminated.
When the target terminal is in the standard mode, running processes that are not in the white list are killed, so that the terminal is protected from untrusted applications, terminal security is improved, and the processes of the terminal are managed uniformly.
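As an added illustration of steps b1 to b3 and the directory-path rule (this is example code written for this page, not code from the patent or from Sangfor's product), the following Python traverses a snapshot of running processes, derives each one's identification information, compares it with the white list and decides which processes to terminate. Everything concrete here is an assumption of the example: the identification information is taken to be the SHA-256 of the process file, the "safe path" prefixes, the process snapshot and the executable images are constructed inline, and the kill itself is returned as a list of PIDs rather than executed.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class RunningProcess:
    pid: int
    image_path: str     # full path of the executable backing the process
    image_bytes: bytes  # file content; constructed inline here, read from disk in a real agent


def process_identifier(image_bytes: bytes) -> str:
    """Identification information derived from the process file itself (SHA-256
    of its content, an assumption of this example). Hashing the content rather
    than the file name means a renamed or relocated binary keeps its identity."""
    return hashlib.sha256(image_bytes).hexdigest()


def is_safe_path(image_path: str, safe_prefixes) -> bool:
    """True if the image lies under one of the 'safe path' directories, i.e. a
    directory in which a compromised process can affect other processes.
    Windows paths are case-insensitive, and matching is done on whole path
    components so that C:\\WindowsOld does not match the prefix C:\\Windows."""
    parts = PureWindowsPath(image_path.lower()).parts
    for prefix in safe_prefixes:
        prefix_parts = PureWindowsPath(prefix.lower()).parts
        if parts[:len(prefix_parts)] == prefix_parts:
            return True
    return False


def sweep_standard_mode(running, white_list, safe_prefixes):
    """Steps b1-b3: traverse running processes, compare their identification
    information with the white list, and decide which to terminate.
    Returns (pids_to_terminate, pids_left_running); the actual kill is left to
    the caller so the decision logic can be tested on its own."""
    to_terminate, left_running = [], []
    for proc in running:
        ident = process_identifier(proc.image_bytes)
        if ident in white_list:
            left_running.append(proc.pid)       # trusted
        elif is_safe_path(proc.image_path, safe_prefixes):
            to_terminate.append(proc.pid)       # non-white-list under a safe path: kill
        else:
            left_running.append(proc.pid)       # non-white-list under a common path: leave alone
    return to_terminate, left_running


# Constructed sample data: stand-ins for PE images and a process snapshot.
SAFE_PREFIXES = (r"C:\Windows", r"C:\Program Files")
TRUSTED_IMAGE = b"MZ constructed trusted agent image"
UNKNOWN_IMAGE = b"MZ constructed unknown tool image"
WHITE_LIST = {process_identifier(TRUSTED_IMAGE)}
SAMPLE_PROCESSES = [
    RunningProcess(1204, r"C:\Windows\System32\svc.exe", TRUSTED_IMAGE),
    RunningProcess(3320, r"c:\windows\temp\dropper.exe", UNKNOWN_IMAGE),   # case differs
    RunningProcess(4410, r"C:\Users\alice\Downloads\tool.exe", UNKNOWN_IMAGE),
    RunningProcess(5120, r"C:\WindowsOld\stale.exe", UNKNOWN_IMAGE),       # not under C:\Windows
]

if __name__ == "__main__":
    print(sweep_standard_mode(SAMPLE_PROCESSES, WHITE_LIST, SAFE_PREFIXES))
```

Two points a practitioner would check in a real agent: the identification information must come from the file the process was actually started from (hash the image behind the open process, not a path string the caller supplies, or a binary swapped after the check can slip through), and the prefix match must be on whole path components and case-insensitive, since `C:\WindowsOld\` or `c:\WINDOWS\` would otherwise be treated differently from what the operator intended.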
Further, a third embodiment of the process management method of the present invention is proposed based on the first and second embodiments of the process management method of the present invention.
The third embodiment of the process management method is different from the first and second embodiments of the process management method in that after step S10, the process management method further includes:
step c1, if the operation mode of the target terminal is detected to be a learning mode, traversing the second processes running on the target terminal and determining second identification information of each;
and c2, updating the white list based on the second identification information.
If the target terminal is detected to be in the learning mode, the white list is updated by learning, so that the white list can be updated and learned automatically and the intelligence of the terminal is improved.
The respective steps will be described in detail below:
step c1, if the operation mode of the target terminal is detected to be a learning mode, traversing the second processes running on the target terminal and determining second identification information of each.
In this embodiment, if the operation mode of the target terminal is detected to be the learning mode, the white list is first cleared, so that it is rebuilt from the new identification information that is subsequently obtained.
After the white list has been cleared, the second identification information of the second processes running on the target terminal is determined by traversal; the second identification information is determined in the same way as the first identification information, which is not repeated here.
And c2, updating the white list based on the second identification information.
In this embodiment, the white list is updated according to the determined second identification information; since the white list was emptied beforehand, the second identification information can be used directly as the data basis of the white list.
It can be understood that, when the operation mode of the target terminal is determined to be the learning mode, the white list need not be cleared: after the second identification information of the second processes running on the target terminal has been determined by traversal, it is compared with the white list, the second identification information that is not yet in the white list is determined as target identification information, and finally the target identification information is added to the white list to complete the update.
Further, the process management method further comprises the following steps:
determining a learning time of the learning mode;
In this step, the learning mode has a learning time, during which the process management system learns according to the learning mode; therefore, once the operation mode of the target terminal has been detected to be the learning mode, the learning time of the learning mode, that is, how long the learning mode has lasted, is also determined in real time.
And if the learning time reaches a first preset threshold value, sending a mode exit instruction to the target terminal so that the target terminal can exit the learning mode based on the mode exit instruction.
In this step, if it is determined that the learning time of the learning mode reaches the first preset threshold, a mode exit instruction is sent to the target terminal, so that the target terminal exits the learning mode based on the mode exit instruction.
Meanwhile, to prevent a terminal from staying in the learning mode permanently after it has been disconnected from the management platform, the terminal itself sets a fallback timeout: if the terminal has not received a mode exit instruction from the process management system via the management platform within the fallback timeout, it exits the learning mode on its own.
In this embodiment, if the target terminal is detected to be in the learning mode, the white list is learned afresh, so that the white list can be updated and learned automatically and the intelligence is improved; a learning time threshold is preset so that the terminal cannot stay in the learning mode permanently, which improves terminal security and realizes unified management of terminal processes.
Further, a fourth embodiment of the process management method of the present invention is proposed based on the first, second or third embodiment of the process management method of the present invention.
The fourth embodiment of the process management method differs from the first, second or third embodiment of the process management method in that, after step S10, the process management method further comprises:
step d1, if the operation mode of the target terminal is detected to be an operation and maintenance mode, disabling the white list and determining the operation and maintenance time of the operation and maintenance mode;
and d2, if the operation and maintenance time reaches a second preset threshold, switching the operation mode of the target terminal to the standard mode so as to re-enable the white list.
In this embodiment, when the target terminal is detected to be in the operation and maintenance mode, the white list is temporarily disabled; when the operation and maintenance time reaches the second preset threshold, the operation and maintenance mode is switched to the standard mode, so that the white list is re-enabled and non-white-list processes are checked and killed.
The respective steps will be described in detail below:
and d1, if the operation mode of the target terminal is detected to be the operation and maintenance mode, disabling the white list and determining the operation and maintenance time of the operation and maintenance mode.
In this embodiment, if the operation mode of the target terminal is detected to be the operation and maintenance mode, the white list function is disabled, and the operation and maintenance time, that is, how long the operation and maintenance mode has lasted, is determined; in the operation and maintenance mode, non-white-list processes are not killed.
And d2, if the operation and maintenance time reaches a second preset threshold, switching the operation mode of the target terminal to the standard mode so as to re-enable the white list.
In this embodiment, if the operation and maintenance time reaches the second preset threshold, the operation mode of the target terminal is switched to the standard mode so as to re-enable the white list. In a specific implementation, the operation and maintenance mode is a temporarily disabled mode, that is, the file filter driver module and the white list are temporarily disabled; when the operation and maintenance time reaches the second preset threshold, the operation and maintenance mode is automatically switched to the standard mode, the up-reporting of detected processes by the file filter driver module is enabled again, and non-white-list processes are then checked and killed against the white list.
Further, the operation modes of the target terminal also include a closed mode, in which the file filter driver module, the white list and so on are all disabled. The closed mode is similar to the operation and maintenance mode; the difference is that the operation and maintenance mode has a fallback mechanism that automatically switches back to the standard mode when the operation and maintenance time reaches the second preset threshold.
In a specific implementation there are four operation switches: a driver callback up-report switch, a process white list query switch, a process detail acquisition switch and a non-white-list process operation switch. The driver callback up-report switch turns the file filter driver module on and off, that is, it controls whether detected processes are reported upward; the process white list query switch controls whether white list filtering of processes is carried out; the process detail acquisition switch controls whether the detail information of the program corresponding to a process is acquired; and the non-white-list process operation switch controls whether a non-white-list process is acted on according to configuration, where the configured action may be killing it, allowing it to start and run, and so on.
In the standard mode, all four switches are on: the driver callback up-report switch, the process white list query switch, the process detail acquisition switch and the non-white-list process operation switch. In the learning mode, the driver callback up-report switch is on, the process white list query switch is off, the process detail acquisition switch is on, and the non-white-list process operation switch is off. In the operation and maintenance mode and in the closed mode, all four switches are off.
It should be noted that the switch states of the closed mode and the operation and maintenance mode are identical; the difference is that the operation and maintenance mode has a fallback mechanism for automatically switching to the standard mode, which is not described again here. In addition, whenever any mode is switched to the learning mode, the data table acquired by the learning mode, that is, the white list, must be cleared. Also, to prevent a terminal from staying in the learning mode permanently after it has been disconnected from the management platform, the terminal itself sets a fallback timeout, which is not described again here. After switching to the standard mode, the running processes must be traversed and the non-white-list processes killed; after switching to the learning mode, the running processes must be traversed and placed in the reporting queue so that they can later be added to the white list, and the details of the corresponding programs can be acquired and processed asynchronously to avoid excessive thread blocking.
In this embodiment, when the target terminal is detected to be in the operation and maintenance mode, the white list is temporarily disabled, and when the operation and maintenance time reaches the second preset threshold, the operation and maintenance mode is switched to the standard mode so that the white list is re-enabled and non-white-list processes are checked and killed; that is, different management means are adopted for different operation modes to manage the processes of the terminal uniformly, which improves intelligence.
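The mode handling of the third and fourth embodiments and the switch table above fit together as one small state machine. The following Python is an added example written for this page (not code from the patent and not Sangfor's implementation) that models it: the four switches per mode, clearing of the white list on entry into the learning mode, the first preset threshold together with the terminal-side fallback timeout, the second preset threshold that returns the operation and maintenance mode to the standard mode, the traversal of running processes on entry into the standard mode, and a reporting queue that is drained separately from the creation-event path. The identification information being the SHA-256 of the process file, the assumption that leaving the learning mode lands in the standard mode, the injected clock, and the process images are all assumptions of the example.

```python
import hashlib
import time
from collections import deque
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    STANDARD = "standard"
    LEARNING = "learning"
    OPS = "operation_and_maintenance"
    CLOSED = "closed"

# The four operation switches of each mode, in the order the text lists them:
# (driver callback up-report, white-list query, detail acquisition, non-white-list action).
SWITCHES = {
    Mode.STANDARD: (True, True, True, True),
    Mode.LEARNING: (True, False, True, False),
    Mode.OPS:      (False, False, False, False),
    Mode.CLOSED:   (False, False, False, False),
}

@dataclass(frozen=True)
class Proc:
    pid: int
    image_path: str
    image: bytes  # process file content; constructed stand-in for a real PE image

def process_identifier(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()  # assumed form of the identification information

class ManualClock:
    """Injected clock so the timers can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

class Agent:
    def __init__(self, learn_limit, learn_fallback, ops_limit, clock=time.monotonic):
        self.clock = clock
        self.learn_limit = learn_limit        # first preset threshold, enforced by the platform
        self.learn_fallback = learn_fallback  # terminal-side fallback if no exit instruction arrives
        self.ops_limit = ops_limit            # second preset threshold: O&M mode auto-reverts
        self.platform_connected = True        # False models a terminal cut off from the platform
        self.white_list = set()
        self.report_queue = deque()
        self.alarms, self.killed = [], []
        self.mode, self.entered_at = Mode.CLOSED, clock()

    def set_mode(self, mode, running):
        """Switch mode. Entering LEARNING clears the learned table and queues the running
        processes for learning; entering STANDARD sweeps and kills non-white-list ones."""
        self.mode, self.entered_at = mode, self.clock()
        if mode is Mode.LEARNING:
            self.white_list.clear()
            for p in running:
                self.report_queue.append(("learn", p.pid, process_identifier(p.image)))
        elif mode is Mode.STANDARD:
            self.killed.extend(p.pid for p in running
                               if process_identifier(p.image) not in self.white_list)
        return self.mode

    def on_create_event(self, proc):
        """Decision for one process-creation event from the filter driver: 'allow' or 'block'."""
        callback, query, details, act = SWITCHES[self.mode]
        if not callback:
            return "allow"                    # driver switched off: nothing is reported
        ident = process_identifier(proc.image)
        if self.mode is Mode.LEARNING:
            self.report_queue.append(("learn", proc.pid, ident))  # white-listed when drained
            return "allow"
        if query and act and ident not in self.white_list:
            if details:
                self.report_queue.append(("alarm", proc.pid, ident))  # details + pop-up, async
            return "block"
        return "allow"

    def drain_reports(self):
        """Consumer of the reporting queue (a background thread in a real agent)."""
        while self.report_queue:
            kind, pid, ident = self.report_queue.popleft()
            if kind == "learn":
                self.white_list.add(ident)
            else:
                self.alarms.append((pid, ident))
        return len(self.white_list)

    def tick(self, running):
        """Periodic timer check; returns the mode in force afterwards."""
        elapsed = self.clock() - self.entered_at
        if self.mode is Mode.LEARNING:
            exit_instruction = self.platform_connected and elapsed >= self.learn_limit
            if exit_instruction or elapsed >= self.learn_fallback:
                self.drain_reports()          # flush learned identifiers before enforcing
                return self.set_mode(Mode.STANDARD, running)
        elif self.mode is Mode.OPS and elapsed >= self.ops_limit:
            return self.set_mode(Mode.STANDARD, running)
        return self.mode
```

The design point worth keeping in mind when deploying something like this: the learning mode trusts whatever happens to be running or started while it is active, so it should only be entered on a freshly provisioned, known-clean terminal; the fallback timeout has to be no shorter than the platform's threshold or the platform instruction never matters; and both the operation and maintenance mode and the closed mode switch enforcement off entirely, so the operation and maintenance window should be short and its use logged.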
The invention also provides a process management device. The process management device of the invention comprises:
the determining module is used for determining the operation mode of each terminal based on the operation instruction of each terminal;
the file filter driver module is used for monitoring whether a creation event of a first process exists in the target terminal if the operation mode of the target terminal is detected to be a standard mode;
a white list filtering module, configured to determine first identification information of the first process if the creation event is detected;
the white list filtering module is further configured to determine whether the first identification information exists in a white list;
the white list filtering module is further configured to prevent the first process from being started if it is determined that the first identification information does not exist in the white list.
Further, the white list filtering module is further configured to:
if the creation event is detected, determining a path of the first process, and determining a process file of the first process based on the path;
and extracting file information of the process file, and generating first identification information corresponding to the first process based on the file information.
Further, the process management apparatus further includes a process detail acquiring module, where the process detail acquiring module is configured to:
generating a reporting task corresponding to the first process, and delivering the reporting task to a reporting queue;
recording the detail information corresponding to the first process based on the reporting queue, and generating an alarm popup window corresponding to the first process.
Further, the white list filtering module is further configured to:
if the operation mode of the target terminal is detected to be the standard mode, traversing the second processes running on the target terminal and determining second identification information of each;
determining whether the second identification information exists in the white list;
and if the second identification information does not exist in the white list, ending the second process.
Further, the process management device further comprises a learning module, wherein the learning module is configured to:
if the operation mode of the target terminal is detected to be a learning mode, traversing the second processes running on the target terminal and determining second identification information of each;
updating the white list based on the second identification information.
Further, the learning module is further configured to:
determining a learning time of the learning mode;
and if the learning time reaches a first preset threshold value, sending a mode exit instruction to the target terminal so that the target terminal can exit the learning mode based on the mode exit instruction.
Further, the process management apparatus further includes an operation and maintenance module, where the operation and maintenance module is configured to:
if the operation mode of the target terminal is detected to be the operation and maintenance mode, disabling the white list, and determining the operation and maintenance time of the operation and maintenance mode;
and if the operation and maintenance time reaches a second preset threshold, switching the operation mode of the target terminal to a standard mode so as to re-enable the white list.
The invention also provides a computer readable storage medium.
The computer readable storage medium of the present invention has stored thereon a process management program which, when executed by a processor, implements the steps of the process management method as described above.
For the method implemented when the process management program is executed on the processor, reference may be made to the embodiments of the process management method of the present invention, which are not described again here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system comprising the element.
The above serial numbers of the embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (7)

1. A process management method is characterized by comprising the following steps:
determining the operation mode of each terminal based on the operation instruction of each terminal;
if the operation mode of the target terminal is detected to be the standard mode, monitoring whether a creation event of a first process exists in the target terminal;
if the creation event is detected, determining first identification information of the first process;
determining whether the first identification information exists in a white list;
if the first identification information does not exist in the white list, the first process is prevented from being started;
wherein, if the creation event is detected, the step of determining the first identification information of the first process includes:
if the creation event is detected, determining a path of the first process, and determining a process file of the first process based on the path;
extracting file information of the process file, and generating first identification information corresponding to the first process based on the file information;
if the operation mode of the target terminal is detected to be a learning mode, traversing the second processes running on the target terminal and determining second identification information of each;
updating the white list based on the second identification information;
if the operation mode of the target terminal is detected to be an operation and maintenance mode, disabling the white list, and determining the operation and maintenance time of the operation and maintenance mode;
and if the operation and maintenance time reaches a second preset threshold, switching the operation mode of the target terminal to the standard mode so as to re-enable the white list.
2. The process management method according to claim 1, wherein after the step of preventing the first process from starting if it is determined that the first identification information does not exist in the white list, the process management method further comprises:
generating a reporting task corresponding to the first process, and delivering the reporting task to a reporting queue;
recording the detail information corresponding to the first process based on the reporting queue, and generating an alarm popup corresponding to the first process.
3. The process management method according to claim 1, wherein after the step of determining the operation mode of each terminal based on the operation instruction of each terminal, the process management method further comprises:
if the operation mode of the target terminal is detected to be the standard mode, traversing the second processes running on the target terminal and determining second identification information of each;
determining whether the second identification information exists in the white list;
and if the second identification information does not exist in the white list, ending the second process.
4. The process management method according to claim 1, wherein said process management method further comprises:
determining a learning time of the learning mode;
and if the learning time reaches a first preset threshold value, sending a mode exit instruction to the target terminal so that the target terminal can exit the learning mode based on the mode exit instruction.
5. A process management apparatus, comprising:
the determining module is used for determining the operation mode of each terminal based on the operation instruction of each terminal;
the file filter driver module is used for monitoring whether a creation event of a first process exists in the target terminal if the operation mode of the target terminal is detected to be a standard mode;
a white list filtering module, configured to determine first identification information of the first process if the creation event is detected;
the white list filtering module is further configured to determine whether the first identification information exists in a white list;
the white list filtering module is further configured to prevent the first process from being started if it is determined that the first identification information does not exist in the white list;
the white list filtering module is further configured to determine a path of the first process if the creation event is detected, determine a process file of the first process based on the path, extract file information of the process file, and generate first identification information corresponding to the first process based on the file information;
the learning module is used for traversing the second processes running on the target terminal and determining second identification information of each if the operation mode of the target terminal is detected to be the learning mode, and for updating the white list based on the second identification information;
the operation and maintenance module is used for disabling the white list and determining the operation and maintenance time of the operation and maintenance mode if the operation mode of the target terminal is detected to be the operation and maintenance mode, and for switching the operation mode of the target terminal to the standard mode so as to re-enable the white list if the operation and maintenance time reaches a second preset threshold.
6. A process management system, comprising: memory, a processor and a process management program stored on the memory and executable on the processor, the process management program when executed by the processor implementing the steps of the process management method according to any of claims 1 to 4.
7. A computer-readable storage medium, having stored thereon a process management program which, when executed by a processor, implements the steps of the process management method of any of claims 1 to 4.
CN202010150711.2A 2020-03-05 2020-03-05 Process management method, device, system and computer readable storage medium Active CN111368293B (en)


Publications (2)

Publication Number Publication Date
CN111368293A CN111368293A (en) 2020-07-03
CN111368293B true CN111368293B (en) 2022-11-22


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant