CN111737690A - Method and device for preventing malicious software from carrying out sensitive operation on data

Info

Publication number: CN111737690A
Authority: CN (China)
Legal status: Granted
Application number: CN202010700864.XA
Other languages: Chinese (zh)
Other versions: CN111737690B (en)
Inventors: 唐仕强, 程度, 张福
Current Assignee: Beijing Shengxin Network Technology Co ltd
Original Assignee: Beijing Shengxin Network Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The embodiment of the invention provides a method, a device, a readable storage medium and a computing device for preventing malicious software from carrying out sensitive operations on data. The method comprises the following steps: intercepting a sensitive operation of software on data; acquiring information of a first software space corresponding to the software, and acquiring storage position information of the data; performing the sensitive operation of the software on the data if and only if the data is determined to be within the first software space. The data storage space is divided into a plurality of software spaces in advance, and each software space corresponds to one piece of software, or to one or more pieces of software with the same editable data type.

Description

Method and device for preventing malicious software from carrying out sensitive operation on data
Technical Field
The invention relates to the technical field of computer security, in particular to a method and a device for preventing malicious software from carrying out sensitive operations on data, a readable storage medium and computing equipment.
Background
At present, defense schemes for ransomware adopt technology based on an access control list, such as a whitelist or a mixed blacklist/whitelist, and are mainly characterized in that processing is carried out after authority is identified at a certain point of data access at the bottom layer of the system or device, and the processing result can only be one of pass or refuse; for example, if the software is authorized, it is not regarded as ransomware or malicious software and is therefore passed. The main idea of such schemes is as follows: 1. use a global API hook at the user layer; 2. use a system-level data storage filtering mechanism, such as Minifilter under Windows; 3. identify and judge the identity of the program performing the data operation; 4. judge whether the program is ransomware; 5. perform subsequent processing according to the judgment.
The core of the prior-art scheme is to identify the program operating on the data, identify whether that program is malicious ransomware, and then process it according to the identification result. This process must not make mistakes and its result must be definite: misjudging or releasing ransomware can cause irreparable loss of the data on the system or device, or prevent normal operation, so that the client's work cannot proceed or the function of the device is damaged, which also causes serious loss. In reality, malicious software and ransomware change endlessly, and it is impossible to judge the nature of the program being processed completely accurately and in real time.
Disclosure of Invention
To this end, the present invention provides a method, apparatus, readable storage medium and computing device for protecting against data sensitive operations by malware in an attempt to solve or at least mitigate at least one of the problems identified above.
According to an aspect of the embodiments of the present invention, there is provided a method for protecting data from malicious software, including:
intercepting sensitive operation of software on data;
acquiring information of a first software space corresponding to the software, and acquiring storage position information of the data;
performing the sensitive operation of the software on the data if and only if the data is determined to be within the first software space;
the data storage space is divided into a plurality of software spaces in advance, and each software space corresponds to one piece of software or one or more pieces of software with the same editable data type.
Optionally, dividing the data storage space into a plurality of software spaces, where each software space corresponds to one or more pieces of software with the same editable data type, includes:
determining a plurality of software types and one or more pieces of software associated with each software type according to the editable data types of the plurality of pieces of software;
and respectively creating software spaces for the software types from the data storage space, wherein each software space corresponds to one or more pieces of software with the same editable data type.
Optionally, determining a plurality of software types and the one or more pieces of software associated with each software type according to the data types editable by each of the plurality of pieces of software includes:
determining a plurality of software types and one or more pieces of software associated with each software type according to extension name association information of a host operating system;
or,
detecting an editing operation of any software on a file of any data type, and determining a new software type and the software associated with the new software type according to that software and that data type;
or,
an operator determining a plurality of software types and one or more pieces of software associated with each software type according to the data types editable by the software, and entering them into the host.
Optionally, any piece of software is associated with one or more software types.
Optionally, any software type corresponds to one or more data types.
Optionally, the method further comprises:
and when the data is determined to be outside the first software space, rejecting sensitive operation of the software on the data, or establishing a copy of the data in the first software space and executing the sensitive operation of the software on the copy.
Further, the method further comprises:
when the data is determined to be outside the first software space and not within any software space, establishing a copy of the data in the first software space and performing sensitive operations of the software on the copy.
Further, the method further comprises:
rejecting sensitive operations of the software on the data when the data is determined to be located in a second software space outside the first software space.
Optionally, the method further comprises:
creating a special software space that does not allow any software to perform sensitive operations on data within the special software space;
data not located in any software space is moved to the special software space.
Optionally, before the obtaining the information of the first software space corresponding to the software, the method further includes:
judging whether the software has a corresponding software space, if so, directly executing the step of acquiring the information of the first software space corresponding to the software; otherwise, creating a first software space corresponding to the software.
According to another aspect of the present invention, there is provided an apparatus for protecting data from malicious software, comprising:
the operation interception unit is used for intercepting sensitive operation of software on data;
the operation analysis unit is used for acquiring information of a first software space corresponding to the software and acquiring storage position information of the data;
an operation processing unit for performing sensitive operations of the software on the data if and only if it is determined that the data is located within the first software space;
the space allocation unit is used for dividing the data storage space into a plurality of software spaces in advance, wherein each software space corresponds to one piece of software, or corresponds to one or more pieces of software with the same editable data types.
According to yet another aspect of the present invention, there is provided a readable storage medium having executable instructions thereon that, when executed, cause a computer to perform the above-described method of preventing malicious software from carrying out sensitive operations on data.
According to yet another aspect of the present invention, there is provided a computing device comprising: one or more processors; a memory; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors to perform the above-described method of preventing malicious software from carrying out sensitive operations on data.
According to the technical scheme provided by the invention, a sensitive operation of software on data is intercepted, information of a first software space corresponding to the software is acquired, storage position information of the data is acquired, and the sensitive operation of the software on the data is executed if and only if the data is determined to be located in the first software space, wherein the data storage space is divided into a plurality of software spaces in advance, and each software space corresponds to one piece of software or to one or more pieces of software with the same editable data type. The invention uses software space technology to protect the data that can be processed by one piece or one class of software: only that software or class of software is allowed to carry out sensitive operations on the data, and malicious software cannot, thereby ensuring data security. According to one embodiment of the invention, even if malicious software has a software space of its own, the data processing flow can always proceed smoothly without the error-prone step of judging whether software is malicious; a user can check and process the data in each piece of software's own space and verify whether the data in that software space achieves the user's operating purpose, so that only the malicious software itself needs to be dealt with afterwards. According to practical experience, the technical scheme of the embodiments of the invention is effective in defending against ransomware.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate exemplary embodiments of the invention and together with the description serve to explain the principles of the invention.
FIG. 1 is a block diagram of an exemplary computing device.
FIG. 2 is a flowchart illustrating a method for protecting data against sensitive operations of malware according to an embodiment of the present invention.
FIG. 3 is a flow diagram of a method of creating a software space according to an embodiment of the invention.
FIG. 4 is a schematic diagram of a software space structure according to an embodiment of the present invention.
Fig. 5 is a flowchart of processing requests for operations on data by software, according to a specific embodiment of the present invention.
Fig. 6 is a schematic structural diagram of an apparatus for protecting data from malicious software according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
FIG. 1 is a block diagram of an example computing device 100 arranged to implement a method of protecting against data sensitive operations by malware in accordance with the present invention. In a basic configuration 102, computing device 100 typically includes system memory 106 and one or more processors 104. A memory bus 108 may be used for communication between the processor 104 and the system memory 106.
Depending on the desired configuration, the processor 104 may be any type of processor, including but not limited to: a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof. The processor 104 may include one or more levels of cache, such as a level one cache 110 and a level two cache 112, a processor core 114, and registers 116. The example processor core 114 may include an Arithmetic Logic Unit (ALU), a Floating Point Unit (FPU), a digital signal processing core (DSP core), or any combination thereof. The example memory controller 118 may be used with the processor 104, or in some implementations the memory controller 118 may be an internal part of the processor 104.
Depending on the desired configuration, system memory 106 may be any type of memory, including but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. System memory 106 may include an operating system 120, one or more programs 122, and program data 124. In some implementations, the program 122 can be configured to execute instructions on an operating system by one or more processors 104 using program data 124.
Computing device 100 may also include an interface bus 140 that facilitates communication from various interface devices (e.g., output devices 142, peripheral interfaces 144, and communication devices 146) to the basic configuration 102 via the bus/interface controller 130. The example output device 142 includes a graphics processing unit 148 and an audio processing unit 150. They may be configured to facilitate communication with various external devices, such as a display terminal or speakers, via one or more A/V ports 152. Example peripheral interfaces 144 may include a serial interface controller 154 and a parallel interface controller 156, which may be configured to facilitate communication with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 158. An example communication device 146 may include a network controller 160, which may be arranged to facilitate communications with one or more other computing devices 162 over a network communication link via one or more communication ports 164.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, Radio Frequency (RF), microwave, Infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
Computing device 100 may be implemented as part of a small-form-factor portable (or mobile) electronic device such as a cellular telephone, a Personal Digital Assistant (PDA), a personal media player device, a wireless web-watch device, a personal headset device, an application-specific device, or a hybrid device that includes any of the above functions. Computing device 100 may also be implemented as a personal computer, a server, or a cluster of multiple computers, including both desktop and notebook computer configurations.
Among other things, one or more programs 122 of computing device 100 include instructions for performing a method of protecting against data sensitive operations by malware in accordance with the present invention.
Fig. 2 illustrates a flowchart of a method 200 of protecting against malware sensitive operations on data according to one embodiment of the present invention, the method 200 of protecting against malware sensitive operations on data beginning at step S210.
In step S210, the data storage space is divided into a plurality of software spaces in advance, where each software space corresponds to one software, or corresponds to one or more pieces of software with the same editable data type.
Software space technology has some degree of similarity to sandboxing technology, but there are essential differences between them. A sandbox is an isolated environment created for software to run in, closed and virtual with respect to the host system, whereas a software space is a resource space created for software on the current system; it belongs to the system it runs on and may be operated by that system, i.e., it is a part of the system rather than isolated outside it. Software space technology is an extension of the management mode of the system's resource or data management: in the prior art, the system assigns the management authority over data to a certain account, which is taken as the starting point of management; software space technology adds a management level, namely the management authority over data is also assigned to software or devices with a certain characteristic or type of characteristic, so as to manage and distribute the authority.
Optionally, each piece of software is configured with a separate software space; or, configuring a software space for each type of software, wherein the software with the same editable data type is classified into one type of software.
The correspondence between software spaces and software is realized through whitelist technology. Whitelist technology is a technology for authority management; its core idea is that software or devices with certain characteristics in specific scenarios are taken as a specific role, and that role is granted certain authority in those scenarios, generally positive or high authority. In the invention, the whitelist is used to judge whether the software meets the whitelist's requirements, or whether the software belongs to the whitelist.
After the software space is established, the editable data in the data storage space can be moved into the software space, and the editable data of the same type of software can be moved into the same software space.
Specifically, as shown in fig. 3, when a software space is configured for each type of software, step S210 includes:
s310, determining a plurality of software types and one or more pieces of software related to each software type according to the editable data types of the plurality of pieces of software.
Specifically, step S310 includes:
determining a plurality of software types and one or more pieces of software associated with each software type according to extension name association information of a host operating system; or, detecting the editing operation of any software on the file of any data type, and determining a new software type and a software associated with the new software type according to the any software and the any data type; or, the operator determines a plurality of software types and one or more software associated with each software type according to the data types editable by the software and inputs the software into the host. In the embodiment of the invention, an automatic mode and a manual mode are simultaneously provided for determining a plurality of software types and one or more pieces of software associated with each software type. In order to further improve the security of the user host, the determined multiple software types and one or more pieces of software associated with each software type can be verified, and malicious software is prevented from attempting to add to a white list of the software space by locally tampering with the extension association information and the like on the host.
Optionally, any software is associated with one or more software types, and any software type corresponds to one or more data types. Determining the software type is a process of classifying software according to the type of data it handles; the software type is an attribute of the software, one piece of software can have several software types, and these can correspond to several function points of the software; for example, Word can process doc files and can also edit rtf files, and each type of file corresponds to one software type. The software type may also be a composite type; for example, the word software type may be a software type capable of processing doc and docx files, and there may also be a software type capable of processing rtf files.
And S320, respectively creating software spaces for the software types from the data storage space, wherein each software space corresponds to one or more pieces of software with the same editable data type.
The architecture of the software space is as shown in fig. 4, N software spaces are partitioned from the data space, each software space records a white list, and software recorded by the white list can operate data in the software space.
Subsequently, in step S220, sensitive operations of the software on the data are intercepted.
Specifically, the operations may be captured and intercepted at each system level involved in the operation of the software on the data, and whether the operations are sensitive operations is identified, for example, a Hook mechanism is used to perform Hook on the operation of the global file system at an application level, and a kernel level capture may also be performed by using a Minifilter mechanism of a kernel under Windows.
Alternatively, the sensitive operation may be defined from two dimensions, a data type and an operation type, the data type of the sensitive operation includes editable files that may be important, for example, files with suffix names exe, doc, and the operation type of the sensitive operation includes operations that may have serious consequences, for example, deletion, modification, and encryption of files. When the data type and the operation type involved in the captured operation simultaneously conform to the preset specification, the captured operation can be confirmed as a sensitive operation.
Subsequently, in step S230, information of the first software space corresponding to the software is acquired, and storage location information of the data is acquired.
Specifically, the information of the first software space corresponding to the software is acquired by traversing and querying the whitelists of the software spaces.
Subsequently, in step S240, the sensitive operation of the software on the data is performed if and only if the data is determined to be located within the first software space.
For example, if a software space is established for each piece of software, then the doc file is stored in the software space of the word software, and any other piece of software cannot perform sensitive operations on the doc file in the software space of the word software.
For another example, if a software space is established for each type of software, then the doc file is stored in a software space commonly used by the word software and the wps software, and any other software cannot perform sensitive operation on the doc file in the software space.
The embodiment of the invention also provides a processing mode when the data is positioned outside the first software space, which comprises the following steps: and when the data is determined to be outside the first software space, rejecting sensitive operation of the software on the data, or establishing a copy of the data in the first software space and executing the sensitive operation of the software on the copy. The method for establishing the copy of the data in the first software space and executing the sensitive operation of the software on the copy can ensure that the data processing operation of the host computer keeps smooth operation, does not influence user experience and simultaneously guarantees the data security.
Another embodiment of the present invention provides a processing method when data is located outside a first software space, including:
when the data is determined to be located outside the first software space and not located in any software space, establishing a copy of the data in the first software space, and executing sensitive operation of the software on the copy; when the data is determined to be located in a second software space outside the first software space, sensitive operation of the software on the data is denied. When it is determined that the data is located outside the first software space and not located in any software space, it may be considered that the user has no high requirement on the security of the data, and thus, the software is allowed to access the copy of the data; when it is determined that the data is located in a second software space outside the first software space, the software may be considered to be performing high-risk operations, and thus access to the data is directly denied.
According to another embodiment of the present invention, if it is determined that the software has no corresponding software space before step S230, the software space may be temporarily created, and the method includes: judging whether the software has a corresponding software space, if so, directly executing the step of acquiring the information of the first software space corresponding to the software; otherwise, a first software space corresponding to the software is created. In particular, for software whose editable data type is unknown or not authentic, a dedicated software space can be created whose white list only includes the software.
According to another embodiment of the present invention, there is provided a method for protecting data outside a software space, including: creating a special software space in which no software is allowed to perform sensitive operations on data; data that is not located in any software space is moved to the special software space. The method improves data security to a certain extent.
According to another embodiment of the present invention, software outside the whitelist of a software space may perform non-sensitive operations on the software space, such as read operations, create operations, and the like.
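The decision of steps S220 to S240 together with the out-of-space handling of the embodiments above (copy when the data is in no space, deny when it is in a second or special space, create a dedicated space for software that has none), as an added illustration that is not the patent's own code. Space names, paths, software names and the lists of sensitive data types and operation types are constructed sample values.

```python
# Added illustration (not the patent's code): the software-space decision of
# steps S220 to S240 plus the out-of-space handling.  Space names, paths,
# software names and the sensitive-type lists are constructed samples.
import posixpath
from dataclasses import dataclass

# A sensitive operation is defined on two dimensions: the data type must be a
# protected type AND the operation type must be a destructive one.
SENSITIVE_EXTENSIONS = {".doc", ".docx", ".rtf", ".exe"}   # constructed sample
SENSITIVE_OPERATIONS = {"modify", "delete", "encrypt"}      # constructed sample


@dataclass
class SoftwareSpace:
    name: str
    root: str                 # location of the space inside the data storage
    whitelist: frozenset      # software allowed to perform sensitive ops here
    special: bool = False     # special space: no software may perform sensitive ops


def make_sample_spaces():
    """Constructed partition of the data storage: one space shared by the
    software that edits doc/docx files, plus the special space that receives
    data which was not located in any software space."""
    return [
        SoftwareSpace("office", "/data/office", frozenset({"winword.exe", "wps.exe"})),
        SoftwareSpace("special", "/data/special", frozenset(), special=True),
    ]


def is_sensitive(path, operation):
    """Both dimensions must match: reading a doc file or deleting a
    temporary file is therefore not sensitive."""
    ext = posixpath.splitext(path)[1].lower()
    return ext in SENSITIVE_EXTENSIONS and operation in SENSITIVE_OPERATIONS


def locate(path, spaces):
    """Storage position information: the space containing path, or None."""
    norm = posixpath.normpath(path)
    for space in spaces:
        root = posixpath.normpath(space.root)
        if norm == root or norm.startswith(root + "/"):
            return space
    return None


def first_space_for(software, spaces):
    """S230: traverse the whitelists to find the software's own space.  If the
    software has none, a dedicated space whose whitelist holds only that
    software is created on the spot (the temporary-creation embodiment).
    The special space has an empty whitelist, so it is never returned."""
    for space in spaces:
        if software in space.whitelist:
            return space
    created = SoftwareSpace("own-" + software, posixpath.join("/data", software),
                            frozenset({software}))
    spaces.append(created)
    return created


def decide(software, operation, path, spaces):
    """Return (verdict, effective_path) for one intercepted operation.
    'allow' -> perform the operation on path
    'copy'  -> perform it on a copy placed in the software's own space
    'deny'  -> reject it"""
    if not is_sensitive(path, operation):
        return "allow", path           # non-sensitive ops are not restricted
    own = first_space_for(software, spaces)
    where = locate(path, spaces)
    if where is own:
        return "allow", path           # S240: data is inside the first space
    if where is None:
        # Data outside every space: no high security requirement is assumed,
        # so the operation is carried out on a copy in the software's own space.
        return "copy", posixpath.join(own.root, posixpath.basename(path))
    # Data inside a second space (including the special space): high risk, deny.
    return "deny", path
```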
The following describes in detail the embodiments of the present invention.
Firstly, creating a software type.
After the editing software is classified according to the type of the data, a processable data type, namely a software type, is allocated to the software. One software type is an attribute of software, and one software may have a plurality of software types.
The methods for creating software types may be as follows:
1. the software type is automatically created.
The automatic creation of software types is a method for creating software types without the help of resources outside the system during the operation of the system, and exemplarily comprises the following steps:
1.1, creating different software types according to extension associated information of a host system, wherein a white list of the software types comprises software associated with extensions;
1.2, when the software edits a file, a software type can be automatically created, and the white list of the software type is the software.
2. The software type is created manually.
The method for manually creating the software type refers to a method for inputting the summarized software type into the system by a system user or a maintainer through an interface, an interactive interface and the like of the system, and exemplarily comprises the following steps:
2.1, the software user can add the software type;
2.2 the developer of the system can add the software type.
And secondly, creating a software space according to the software type.
The software space is where the host system actually stores data (files or other forms), and the software space must be initialized at the same time as the system of the present invention is initialized.
Creating a software space comprises the steps of:
step a, setting the position of a software space.
And b, setting the capacity limit of the software space.
And c, traversing all the current software types and creating a software space.
And d, storing all data operated or sensitively operated by the type of software, a white list of each piece of software protected by the type of software and the attributes of each piece of software in the white list, such as the name of the software, the type, the size, the developer information, the identification of the software, the version of the software, each component of the software, the name and the identification of each component and the like.
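The first two steps of the embodiment (creating software types from the host's extension association information or from an observed edit, then creating one software space per type with its location, capacity limit and whitelist), as an added illustration that is not the patent's own code. The association table, the paths, the capacity value and the software names are constructed samples, and only the software name is recorded as a whitelist attribute.

```python
# Added illustration (not the patent's code) of steps "firstly" and
# "secondly": derive software types from extension association information,
# then create one software space per type.  The association table, paths,
# capacity value and software names are constructed samples.
from collections import defaultdict

# Constructed stand-in for the host's extension association information:
# extension -> software registered as able to edit that data type.
EXTENSION_ASSOCIATIONS = {
    ".doc":  ["winword.exe", "wps.exe"],
    ".docx": ["winword.exe", "wps.exe"],
    ".rtf":  ["winword.exe", "wordpad.exe"],
    ".psd":  ["photoshop.exe"],
}


def types_from_associations(assoc):
    """Step 1.1 (automatic): one software type per editable data type, whose
    whitelist is the software associated with that extension."""
    return {ext.lstrip("."): {"data_types": {ext}, "whitelist": set(softs)}
            for ext, softs in assoc.items()}


def merge_composite_types(types):
    """Data types edited by exactly the same set of software collapse into one
    composite type (e.g. doc+docx), as the description allows."""
    merged = defaultdict(lambda: {"data_types": set(), "whitelist": set()})
    for t in types.values():
        key = frozenset(t["whitelist"])
        merged[key]["data_types"] |= t["data_types"]
        merged[key]["whitelist"] = set(key)
    return {"+".join(sorted(e.lstrip(".") for e in t["data_types"])): t
            for t in merged.values()}


def type_on_edit(types, software, ext):
    """Step 1.2 (automatic): when software edits a file whose data type has no
    software type yet, a new type is created whose whitelist is just that
    software.  A data type that already has a type is left unchanged, so an
    observed edit cannot add software to an existing whitelist."""
    if any(ext in t["data_types"] for t in types.values()):
        return types
    new = dict(types)
    new[ext.lstrip(".")] = {"data_types": {ext}, "whitelist": {software}}
    return new


def types_of_software(types, software):
    """A piece of software may carry several software types (Word: doc+docx and rtf)."""
    return sorted(name for name, t in types.items() if software in t["whitelist"])


def create_software_spaces(types, base="/data", capacity_mb=1024):
    """Steps a to d: location, capacity limit, one space per current type, and
    the whitelist of the software it protects.  Only the software name is kept
    as an attribute here; the other attributes listed in the description
    (version, developer, components, ...) would be read from the binaries."""
    spaces = []
    for name, t in sorted(types.items()):
        spaces.append({
            "type": name,
            "location": base + "/" + name,
            "capacity_mb": capacity_mb,
            "data_types": sorted(t["data_types"]),
            "whitelist": [{"name": s} for s in sorted(t["whitelist"])],
        })
    return spaces
```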
Thirdly, protection against sensitive operations (such as modification and deletion) by malicious software.
The main method of defending against malicious software is to create a software space for editing software (either in advance or automatically) and to move the data involved in a sensitive operation into the software space of that software before the operation is performed. If the software is malicious, its sensitive operations take place in its own software space and their objects are the data in that space; all modifications are applied to that data, so no malicious operation on data or files can affect the data or files in other software spaces. If normal software performs a sensitive operation, the operation takes place in its own software space, and no other software can perform sensitive operations on the data in that space; the data of the normal software is thereby protected from tampering by malicious software. The process is shown in fig. 5 and comprises the following steps:
S1, capture the operation of the software on the data.
When a sensitive operation on data occurs in the system, the operation must first be captured. There are many capturing methods, and capturing can be performed at each level within the range in which the operation occurs: for example, a hook mechanism can be used to hook global file-system operations at the application level, and on Windows kernel-level capturing can be performed with the kernel's minifilter mechanism.
S2, judge whether the operation type is a sensitive operation type; if so, execute step S3, otherwise execute step S10.
Judging whether an operation is sensitive comprises judging the sensitivity of both the data type and the operation type; if either judgment is negative, the operation is classified as non-sensitive. Examples of data type combined with operation type are reading a docx file or creating an exe file. The operation types include modifying or destructive operations on data that needs protection, such as adding content, modifying content or deleting content, for example writes to doc and docx files.
S3, judge whether the software subject performing the current operation belongs to the white list of any current software space; the judging method is to traverse all software spaces, obtain the white list of each, and compare them one by one. If the software subject of the current operation has no software space, perform step S4; if a corresponding software space exists, perform step S5.
S4, automatically create a software space corresponding to the current software.
S5, judge whether the data operated on by the software is located in the software space of that software; if so, go to step S8, otherwise execute step S6.
S6, judge whether the location of the data operated on by the software belongs to another software space; if so, go to step S9, otherwise execute step S7.
S7, copy the data into the software space of the operating subject, and perform the subsequent operations on the copy.
S8, perform the sensitive operation in the software space; go to S11.
S9, refuse to perform the sensitive operation in place; go to S11.
S10, allow the system to continue the operation and the operations that follow it.
S11, finish the software's operation request on the data.
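The per-type creation of software spaces (step c above) and the decision procedure S2 to S9, as an added worked example in Python. This is illustrative code written for this page, not the patent's implementation; the operation types, protected extensions, space root, executable-name identities and in-memory file store are all assumptions chosen for the demonstration.

```python
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PurePosixPath
from typing import Dict, Optional, Set, Tuple

# Assumed policy tables (constructed for this example, not taken from the patent):
SENSITIVE_OPS = {"write", "delete", "rename"}          # operation types that modify or destroy data
PROTECTED_TYPES = {".doc", ".docx", ".xlsx", ".txt"}   # data types that must be protected


class Decision(Enum):
    ALLOW = "S10: non-sensitive, let the system continue"
    IN_OWN_SPACE = "S8: perform the operation inside the subject's own space"
    REJECT = "S9: refuse, the data belongs to another software space"
    COPY_THEN_OPERATE = "S7: copy the data into the subject's space and operate on the copy"


@dataclass
class SoftwareSpace:
    name: str
    root: PurePosixPath
    whitelist: Set[str]   # software identities (here: executable names) allowed to operate in the space


@dataclass
class SpaceRegistry:
    base: PurePosixPath   # step a: the location under which all software spaces live
    spaces: Dict[str, SoftwareSpace] = field(default_factory=dict)

    @classmethod
    def from_software_types(cls, base: str, software_types: Dict[str, Set[str]]) -> "SpaceRegistry":
        """Step c: traverse every software type and create one space per type."""
        reg = cls(PurePosixPath(base))
        for type_name, whitelist in software_types.items():
            reg.spaces[type_name] = SoftwareSpace(type_name, reg.base / type_name, set(whitelist))
        return reg

    def space_for(self, software: str) -> Optional[SoftwareSpace]:
        """S3: compare the subject against the white list of every space, one by one."""
        return next((sp for sp in self.spaces.values() if software in sp.whitelist), None)

    def create_space(self, software: str) -> SoftwareSpace:
        """S4: auto-create a space whose white list is just this software (rule 1.2 above)."""
        sp = SoftwareSpace(software, self.base / software, {software})
        self.spaces[software] = sp
        return sp

    def owner_of(self, path: PurePosixPath) -> Optional[SoftwareSpace]:
        """S5/S6: the space, if any, that holds this path."""
        return next((sp for sp in self.spaces.values() if is_within(path, sp.root)), None)


def is_within(path: PurePosixPath, root: PurePosixPath) -> bool:
    """Component-wise containment check (so /spaces/officex is not inside /spaces/office)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def is_sensitive(op: str, path: PurePosixPath) -> bool:
    """S2: sensitive only if BOTH the operation type and the data type are sensitive."""
    return op in SENSITIVE_OPS and path.suffix.lower() in PROTECTED_TYPES


def handle(reg: SpaceRegistry, files: Dict[PurePosixPath, bytes],
           software: str, op: str, target: str) -> Tuple[Decision, PurePosixPath]:
    """Run S2..S9 for one captured operation. `files` is an in-memory stand-in for the disk.
    Returns the decision and the path the operation is actually allowed to touch."""
    path = PurePosixPath(target)
    if not is_sensitive(op, path):
        return Decision.ALLOW, path
    space = reg.space_for(software) or reg.create_space(software)
    if is_within(path, space.root):
        return Decision.IN_OWN_SPACE, path
    if reg.owner_of(path) is not None:
        return Decision.REJECT, path
    copy = space.root / path.name   # S7: the original outside any space is left untouched
    files[copy] = files[path]
    return Decision.COPY_THEN_OPERATE, copy
```

The capture step S1 (an application-level hook or a Windows minifilter) is outside this example; `handle` is what such a capture layer would call with the subject, operation and path.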
After the method and system are used, the data-processing flow proceeds smoothly, and no interruption caused by a judgment occurs. During data processing, a user can check in the space of each piece of software whether the data has been processed according to the user's intentions, and neither the user nor a third-party system needs to judge whether the software is malicious; this solves the current problem that malicious software is difficult to judge accurately and that a wrong judgment causes the user great loss.
Referring to fig. 6, an apparatus for protecting data from malicious software according to an embodiment of the present invention includes:
the operation intercepting unit 610 is used for intercepting sensitive operations of software on data;
an operation analysis unit 620, configured to obtain information of a first software space corresponding to the software, and obtain storage location information of the data;
an operation processing unit 630 for performing sensitive operations of the software on the data if and only if it is determined that the data is located in the first software space;
the space allocation unit 640 is configured to divide the data storage space into a plurality of software spaces in advance, where each software space corresponds to one software, or corresponds to one or more pieces of software with the same editable data type.
Optionally, the space allocation unit 640 is specifically configured to:
determining a plurality of software types and one or more pieces of software associated with each software type according to the editable data types of the plurality of pieces of software;
and respectively creating software spaces for the software types from the data storage space, wherein each software space corresponds to one or more pieces of software with the same editable data type.
Optionally, the operation processing unit 630 is further configured to:
rejecting sensitive operations of the software on the data when the data is determined to be located in a second software space outside the first software space.
Optionally, the operation processing unit 630 is further configured to:
when the data is determined to be outside the first software space and not within any software space, establishing a copy of the data in the first software space and performing sensitive operations of the software on the copy.
Optionally, the space allocation unit 640 is further configured to:
creating a special software space that does not allow any software to perform sensitive operations on data within the special software space;
data not located in any software space is moved to the special software space.
For specific limitations of the apparatus for preventing malicious software from performing sensitive operations on data, reference may be made to the limitations of the corresponding method above, and details are not described here again.
It should be understood that the various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the various methods of the present invention according to instructions in the program code stored in the memory.
By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer-readable media includes both computer storage media and communication media. Computer storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of computer readable media.
It should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the method of the invention should not be construed to reflect the intent: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing inventive embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the apparatus in the examples invented herein may be arranged in an apparatus as described in this embodiment or alternatively may be located in one or more apparatuses different from the apparatus in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features of the invention in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so invented, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature of the invention in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention is to be considered as illustrative and not restrictive in character, with the scope of the invention being indicated by the appended claims.

Claims (10)

1. A method of protecting against data sensitive operations by malware, comprising:
intercepting sensitive operation of software on data;
acquiring information of a first software space corresponding to the software, and acquiring storage position information of the data;
performing a sensitive operation of the software on the data if and only if the data is determined to be within the first software space;
the data storage space is divided into a plurality of software spaces in advance, and each software space corresponds to one piece of software or one or more pieces of software with the same editable data type.
2. The method of claim 1, wherein dividing the data storage space into a plurality of software spaces, each software space corresponding to one or more pieces of software of the same type of editable data, comprises:
determining a plurality of software types and one or more pieces of software associated with each software type according to the editable data types of the plurality of pieces of software;
and respectively creating software spaces for the software types from the data storage space, wherein each software space corresponds to one or more pieces of software with the same editable data type.
3. The method of claim 2, wherein determining the plurality of software types and the one or more pieces of software associated with each software type according to the editable data types of the plurality of pieces of software comprises:
determining a plurality of software types and one or more pieces of software associated with each software type according to extension name association information of a host operating system;
alternatively,
detecting the editing operation of any software on a file of any data type, and determining a new software type and a software associated with the new software type according to the any software and the any data type;
alternatively,
an operator determining a plurality of software types and one or more pieces of software associated with each software type according to the data types the software can edit, and inputting them into the host.
4. The method of claim 2, wherein any software is associated with one or more software types, and wherein any software type is associated with one or more data types.
5. The method of claim 1, further comprising:
and when the data is determined to be outside the first software space, rejecting sensitive operation of the software on the data, or establishing a copy of the data in the first software space and executing the sensitive operation of the software on the copy.
6. The method of claim 1, further comprising:
creating a special software space that does not allow any software to perform sensitive operations on data within the special software space;
data not located in any software space is moved to the special software space.
7. The method of claim 1, wherein before obtaining the information of the first software space corresponding to the software, further comprising:
judging whether the software has a corresponding software space, if so, directly executing the step of acquiring the information of the first software space corresponding to the software; otherwise, creating a first software space corresponding to the software.
8. An apparatus for protecting against data sensitive operations by malware, comprising:
the operation interception unit is used for intercepting sensitive operation of software on data;
the operation analysis unit is used for acquiring information of a first software space corresponding to the software and acquiring storage position information of the data;
an operation processing unit for performing sensitive operations of the software on the data if and only if it is determined that the data is located within the first software space;
the space allocation unit is used for dividing the data storage space into a plurality of software spaces in advance, wherein each software space corresponds to one piece of software, or corresponds to one or more pieces of software with the same editable data types.
9. A readable storage medium having executable instructions thereon that, when executed, cause a computer to perform the method as included in any one of claims 1-7.
10. A computing device, comprising:
one or more processors;
a memory; and
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors to perform the method as recited in any of claims 1-7.
CN202010700864.XA 2020-07-20 2020-07-20 Method and device for preventing malicious software from carrying out sensitive operation on data Active CN111737690B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010700864.XA CN111737690B (en) 2020-07-20 2020-07-20 Method and device for preventing malicious software from carrying out sensitive operation on data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010700864.XA CN111737690B (en) 2020-07-20 2020-07-20 Method and device for preventing malicious software from carrying out sensitive operation on data

Publications (2)

Publication Number Publication Date
CN111737690A true CN111737690A (en) 2020-10-02
CN111737690B CN111737690B (en) 2020-12-01

Family

ID=72655167

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010700864.XA Active CN111737690B (en) 2020-07-20 2020-07-20 Method and device for preventing malicious software from carrying out sensitive operation on data

Country Status (1)

Country Link
CN (1) CN111737690B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113238760A (en) * 2021-05-28 2021-08-10 统信软件技术有限公司 Software migration method and device, computing equipment and readable storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1707387A (en) * 2004-06-11 2005-12-14 株式会社Ntt都科摩 Mobile communication terminal and data access control method
CN101719977A (en) * 2009-11-17 2010-06-02 四川长虹电器股份有限公司 Method for updating functional modules of set-top box
US7886162B2 (en) * 2007-05-29 2011-02-08 International Business Machines Corporation Cryptographic secure program overlays
CN102520944A (en) * 2011-12-06 2012-06-27 北京航空航天大学 Method for realizing virtualization of Windows application program
CN104008063A (en) * 2013-02-27 2014-08-27 联想(北京)有限公司 Addressing method and electronic device
CN107438109A (en) * 2017-09-15 2017-12-05 湖南新云网科技有限公司 Wearable device method for managing security, transparent service device end and cloud framework system
US10129267B1 (en) * 2014-05-27 2018-11-13 Support Intelligence, Inc. Using space-filling curves to fingerprint data
CN111428240A (en) * 2020-03-20 2020-07-17 安芯网盾(北京)科技有限公司 Method and device for detecting illegal access of memory of software


Also Published As

Publication number Publication date
CN111737690B (en) 2020-12-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant