CN113190414A - Client security program monitoring method and device - Google Patents

Client security program monitoring method and device

Info

Publication number: CN113190414A
Authority: CN (China)
Prior art keywords: program, security, client, monitoring, security program
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202110576439.9A
Other languages: Chinese (zh)
Inventors: 曾炜, 谢晓昕, 李杰一, 丁育祯
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC) (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by: Industrial and Commercial Bank of China Ltd (ICBC)
Priority to: CN202110576439.9A
Publication of: CN113190414A

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
        • G06F11/302 ... where the computing system component is a software system
        • G06F11/3017 ... where the computing system is implementing multitasking
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/44 Program or device authentication

Abstract

The invention belongs to the technical field of information security and provides a method and a device for monitoring the security programs of a client. The method comprises the following steps: generating, in the kernel layer of the operating system, a monitoring program corresponding to a security program of the operating system; generating from the monitoring program a plurality of non-identifiable sub-processes (sub-processes whose process IDs are hidden from the user); and coupling the plurality of sub-processes so that they monitor the security program. The method and device have the following advantages. Several processes are generated across the client's security control programs, and these processes monitor and recover one another, so that the security control programs cannot be shut down by an attacker or by a user's mistaken operation. The scheme is also linked with the network switch: if a client security control program is shut down, the client's network connection is closed at the same time, so that the risk does not spread.

Description

Client security program monitoring method and device
Technical Field
The invention belongs to the technical field of information security and in particular relates to a method and a device for monitoring the security programs of a client.
Background
As network attacks increase, attacks against clients (endpoints) are also growing more severe. A client normally runs several security control programs, such as anti-virus, document security and leak prevention, peripheral device control, and control of the sources and targets of the client's access requests. These protect the client, constrain its behaviour and thereby protect the enterprise's information as a whole. When an attacker tries to upload a trojan or virus to a client and attack it, the client's security programs normally isolate the attack; so before the attack the attacker tries to shut down the client's security control programs and their processes, either by inducing the user to do so or by planting a backdoor program, in order to break the client's protection. The trojan or virus is then uploaded to the client, the client is taken over, and it is used to attack other clients or application systems it communicates with.
In short, the client security protection and control methods of the prior art cannot fully meet the requirements of protecting the client and governing its behaviour.
Disclosure of Invention
The invention belongs to the technical field of information security and provides a method and a device for monitoring the security programs of a client, with the following advantages. Several processes are generated across the client's security control programs, and these processes monitor and recover one another, so that the security control programs cannot be shut down by an attacker or by a user's mistaken operation. The scheme is also linked with the network switch: if a client security control program is shut down, the client's network connection is closed at the same time, so that the risk does not spread.
In order to solve the technical problems, the invention provides the following technical scheme:
In a first aspect, the present invention provides a method for monitoring the security programs of a client, comprising:
generating, in the kernel layer of the operating system, a monitoring program corresponding to a security program of the operating system;
generating a plurality of non-identifiable sub-processes from the monitoring program; and
coupling the plurality of sub-processes so that they monitor the security program.
In one embodiment, coupling the plurality of sub-processes to monitor the security program comprises:
when the security program is forcibly killed, restarting the killed security program from at least one of the plurality of sub-processes.
In one embodiment, the method further comprises:
installing an authentication package in the security programs of a plurality of operating systems; and
monitoring the security programs according to the authentication package.
In one embodiment, installing the authentication package in the security programs of the plurality of operating systems comprises:
installing an 802.1X authentication package in the security program using the 802.1X authentication protocol;
and monitoring the security program according to the authentication package comprises:
continuously sending the 802.1X authentication packets from the security programs of the plurality of operating systems; and
when a security program stops sending the 802.1X authentication packets, closing the data-exchange function of the operating system on which that security program runs.
In one embodiment, the security program comprises an anti-virus program, a document security and leak-prevention program and a peripheral device control program.
In a second aspect, the present invention provides a device for monitoring the security programs of a client, comprising:
a monitoring program generating module, for generating, in the kernel layer of the operating system, a monitoring program corresponding to the security program of the operating system;
a sub-process generating module, for generating a plurality of non-identifiable sub-processes from the monitoring program; and
a sub-process coupling module, for coupling the plurality of sub-processes so that they monitor the security program.
In one embodiment, the sub-process coupling module comprises:
a security program starting unit, for restarting a forcibly killed security program from at least one of the plurality of sub-processes when the security program is forcibly killed;
and the device further comprises:
an authentication package installation module, for installing an authentication package in the security programs of a plurality of operating systems; and
a security program monitoring module, for monitoring the security programs according to the authentication package.
In one embodiment, the authentication package installation module comprises:
an 802.1X authentication package installation unit, for installing an 802.1X authentication package in the security program using the 802.1X authentication protocol;
and the security program monitoring module comprises:
an authentication packet sending unit, configured to continuously send the 802.1X authentication packets from the security programs of the plurality of operating systems; and
a data exchange closing unit, configured to close the data-exchange function of the operating system on which a security program runs when that security program stops sending the 802.1X authentication packets;
and the security program comprises an anti-virus program, a document security and leak-prevention program and a peripheral device control program.
In a third aspect, the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the security program monitoring method of the client when executing the program.
In a fourth aspect, the present invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of a method for security program monitoring of a client.
As the above description shows, the method and device for monitoring a client's security programs according to embodiments of the present invention first generate, in the kernel layer of the operating system, a monitoring program corresponding to the security program of the operating system; then generate a plurality of non-identifiable sub-processes from the monitoring program; and finally couple the plurality of sub-processes so that they monitor the security program. The invention provides a system and method for guarding client security programs, whose main purpose is to prevent an attacker from inducing the user to shut them down or from uploading a backdoor program to the client: it guards the client's security control programs and prevents the attacker from shutting down their processes. The guarding method secures the connected client through two mutually coupled guarding modes. Specifically, the invention has the following beneficial effects: several processes are generated across the client's security control programs, and these processes monitor and recover one another, so that the security control programs cannot be shut down by an attacker or by a user's mistaken operation; and the scheme is linked with the network switch, so that if a client security control program is shut down the client's network connection is closed at the same time and the risk does not spread.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a first flowchart of a security program monitoring method of a client according to an embodiment of the present invention;
Fig. 2 is a flowchart of step 300 of the security program monitoring method of a client according to an embodiment of the present invention;
Fig. 3 is a second flowchart of the security program monitoring method of a client according to an embodiment of the present invention;
Fig. 4 is a flowchart of step 400 of the security program monitoring method of a client according to an embodiment of the present invention;
Fig. 5 is a flowchart of step 500 of the security program monitoring method of a client according to an embodiment of the present invention;
Fig. 6 is a network structure diagram of the security program monitoring method of a client according to an embodiment of the present invention;
Fig. 7 is a third flowchart of the security program monitoring method of a client according to an embodiment of the present invention;
Fig. 8 is a first schematic structural diagram of a security program monitoring device of a client according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of the sub-process coupling module 30 in an embodiment of the present invention;
Fig. 10 is a second schematic structural diagram of the security program monitoring device of a client in an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of the authentication package installation module 40 in an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of the security program monitoring module 50 in an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of an electronic device in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
It should be noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of this application and the above-described drawings, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
An embodiment of the present invention provides a specific implementation of the security program monitoring method for a client. Referring to Fig. 1, the method comprises the following steps:
Step 100: generate, in the kernel layer of the operating system, a monitoring program corresponding to the security program of the operating system.
An operating system (OS) is the program that manages and controls a computer's hardware and software resources. It is the most basic system software, running directly on the bare machine; all other software runs with its support. The OS is the interface between the user and the computer, and between the hardware and other software. Its functions include managing the hardware, software and data resources of the computer system, controlling the running of programs, providing the human-machine interface, supporting other application software, making full use of the system's resources, offering user interfaces of various forms, giving the user a good working environment, and providing the services and interfaces other software needs. In practice the user does not touch the OS directly; it manages the computer's hardware resources and allocates them on request from application programs, for example by dividing CPU time, allocating memory or driving the printer.
The monitoring program of step 100 not only supervises the running of the security program but can also start or stop the corresponding security program and its execution.
The operating system consists of a kernel layer and a shell layer. The kernel does the actual work: CPU scheduling, memory allocation and management, device management, file operations and so on. The shell is the interface built on the interaction functions the kernel provides; it passes on and interprets commands. Because the kernel and the shell do different jobs in different environments, the processor provides several privilege levels, called rings, each of which gives program instructions access to fewer machine resources than the one before, so as to protect the machine from accidental damage. The kernel layer runs at ring 0, with complete low-level management rights; the shell runs at ring 3, which can do very little on its own, so almost every instruction is handed to the kernel, which decides whether it may execute. When a request that would damage the system is detected (for example a memory read or write outside the permitted range), the kernel raises an illegal-privilege fault and the program that issued the request is terminated; this is the origin of the familiar "illegal operation" error. If the shell and the kernel ran at the same level, a careless click by the user could damage the whole system.
Step 200: generate a plurality of non-identifiable sub-processes from the monitoring program.
Specifically, each of the programs that perform security control, such as the anti-virus program, the document security and leak-prevention program and the peripheral device control program, generates several processes that reach down to the bottom layer of the operating system; each of these in turn generates several non-identifiable sub-processes, and the processes of the different programs monitor one another.
A PID (process identifier) is the number an operating system assigns to a process. Every program started in the operating system gets a process, and every process gets a PID that is unique among the processes running at that moment. The PID is assigned by the operating system when the process is created (the policy is OS-specific; on Linux PIDs are handed out sequentially with wrap-around) and is not tied to any particular program. A PID does not change while the process runs, but once the program terminates the number is reclaimed and may be given to a later process. It is therefore unique only in time: if one program is run and then another, the system assigns the second a different PID, and a number stays with its process only until that process exits.
The three basic states of a process. A process is a dynamic concept, best understood from the time-sharing system it comes from. The time-sharing system allocates a time slice to one process and lets it run; when the slice is used up it allocates a slice to the next process. If a process blocks while running, it gives up the CPU voluntarily so that other processes get a chance to run. So on each CPU only one process is executing at any moment, while several processes wait for a time slice, and they must wait in some order, in practice in a queue. The state of waiting for a time slice is the ready state, and the queue that holds ready processes is the ready queue. When the CPU becomes idle the scheduler takes a process from the ready queue and runs it; when its slice is exhausted the scheduler puts it back into the ready queue. Besides exhausting its slice, a process may also be unable to continue until an I/O request completes; this is called blocking (it also occurs when waiting for buffer space and so on). The scheduler must not put a blocked process back into the ready state, since it would then be handed time slices it cannot use and CPU time would be wasted; instead it places the process in a blocked queue and, when the I/O completes, moves it back to the ready queue to wait for a time slice again.
From the above analysis, implementing step 200 requires that the PIDs of the sub-processes generated in step 200 be hidden, so that a user or attacker cannot pick them out of the process list.
Step 300: couple the plurality of sub-processes so that they monitor the security program.
Coupling, also called degree of coupling, is a measure of how closely modules depend on one another. Its strength depends on the complexity of the interfaces between modules, the way modules call each other and how much data crosses the interface. The coupling between modules is their dependency relationship, including control, call and data-transfer relationships: the more connections between modules, the stronger the coupling and the weaker their independence (lower coupling means better independence). Coupling exists in many domains, not only in software design, but only coupling in software engineering is discussed here, where it means the dependencies between objects. The higher the coupling between objects, the higher the maintenance cost, so designs should minimise the coupling between classes and components. Coupling and cohesion are the usual measures of module independence in software design, and one criterion for partitioning modules is high cohesion and low coupling. The kinds of coupling are classified as follows:
(1) Content coupling: one module directly modifies or operates on another module's data, or transfers control into another module other than through its normal entry point. This is the highest degree of coupling and should be avoided.
(2) Common coupling: two or more modules refer to the same global data item. In an architecture with many common couplings it is hard to determine which module assigned a particular value to a global variable.
(3) External coupling: a group of modules all access the same global simple variable rather than the same global data structure, and the variable's information is not passed through a parameter list.
(4) Control coupling: one module passes a control signal to another through an interface, and the receiving module performs an action chosen by the value of the signal.
(5) Stamp coupling: if module A passes a common parameter to modules B and C through their interfaces, a stamp coupling is said to exist between modules B and C.
(6) Data coupling: modules exchange data through parameters. This is the lowest form of coupling, and it is generally present in any system, since the output of some modules must be used as the input of others to perform meaningful work.
(7) No direct coupling: two modules have no direct relationship; their connection is achieved entirely through the control and calls of a master module.
Step 300 is illustrated with an example. Suppose the client has 4 security control programs and each generates 3 different processes, giving 4 × 3 = 12 processes, woven into a cross-monitoring grid. When one of these processes is forcibly killed on the client, even with the highest system privilege, the security control processes that are monitoring it immediately raise an alarm and restart the killed process. Because the processes cannot all be killed at the same instant, whether by hand or by a script, the client's security control mechanism cannot be shut down short of shutting the client down. (The guarantee rests on that assumption: it holds against sequential kills from user space, not against an attacker who can stop every monitoring process atomically, for example with kernel-level privilege.)
In summary, the method for monitoring a client's security programs according to this embodiment first generates, in the kernel layer of the operating system, a monitoring program corresponding to the security program of the operating system; then generates a plurality of non-identifiable sub-processes from the monitoring program; and finally couples the plurality of sub-processes so that they monitor the security program. Its main purpose is to prevent an attacker from inducing the user to shut the security programs down, or from uploading a backdoor program to the client, by guarding the client's security control programs so that their processes cannot be shut down. The guarding method secures the connected client through two mutually coupled guarding modes: the processes generated across the security control programs monitor and recover one another, so that the programs cannot be shut down by an attacker or by a user's mistaken operation; and the scheme is linked with the network switch, so that if a client security control program is shut down the client's network connection is closed at the same time and the risk does not spread.
In one embodiment, referring to fig. 2, step 300 further comprises:
step 301: and when the security program is forcibly killed, starting the forcibly killed security program according to at least one of the plurality of sub-processes.
Because the multiple sub-processes are coupled with each other, the multiple sub-processes supervise each other, when a security program is killed, the corresponding sub-process of the monitor program will inform other sub-processes, and the other sub-processes will start the killed security program immediately.
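The process grid of steps 300 and 301 (4 security programs, 3 monitoring sub-processes each, every process restarted by whichever peer notices it has died), as an added simulation that is not code from the patent: real implementations use operating-system processes with hidden PIDs spawned from a kernel-layer monitor, whereas this model keeps the process table in memory so that the grid's restart logic and its one blind spot, all watchdogs stopped in the same instant, can be run and checked offline. The program names "av", "dlp", "usb" and "net" and the kill scenarios are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Proc:
    """One process in the grid: a security program's main process ("main")
    or one of the watchdog sub-processes spawned for it ("watchdog")."""
    program: str
    role: str
    idx: int = 0
    alive: bool = True
    restarts: int = 0

    @property
    def name(self) -> str:
        suffix = str(self.idx) if self.role == "watchdog" else ""
        return f"{self.program}:{self.role}{suffix}"


class WatchdogGrid:
    """Full-mesh monitoring grid: every watchdog watches every other process,
    whichever security program it belongs to, so the death of any main
    process or watchdog is seen by all surviving watchdogs."""

    def __init__(self, programs, watchdogs_per_program):
        self.procs = {}
        for prog in programs:
            main = Proc(prog, "main")
            self.procs[main.name] = main
            for i in range(watchdogs_per_program):
                wd = Proc(prog, "watchdog", i)
                self.procs[wd.name] = wd
        self.watchdogs = [n for n, p in self.procs.items() if p.role == "watchdog"]

    def kill(self, *names):
        """Kill the named processes atomically, before any monitoring round."""
        for n in names:
            self.procs[n].alive = False

    def tick(self):
        """One monitoring round: each surviving watchdog restarts every dead
        process it can see. Returns the names restarted in this round."""
        restarted = []
        for wn in self.watchdogs:
            if not self.procs[wn].alive:
                continue  # a dead watchdog can restart nobody
            for n, p in self.procs.items():
                if not p.alive:
                    p.alive = True
                    p.restarts += 1
                    restarted.append(n)
        return restarted

    def alive(self):
        return sorted(n for n, p in self.procs.items() if p.alive)


def simulate(programs, watchdogs_per_program, kill_batches):
    """Apply each batch of kills atomically, then run one monitoring round.
    Returns the grid and, per round, the sorted list of restarted processes."""
    grid = WatchdogGrid(programs, watchdogs_per_program)
    rounds = []
    for batch in kill_batches:
        grid.kill(*batch)
        rounds.append(sorted(grid.tick()))
    return grid, rounds


if __name__ == "__main__":
    # Constructed scenario: the patent's 4 x 3 grid with placeholder names.
    grid, rounds = simulate(["av", "dlp", "usb", "net"], 3,
                            [["av:main"], ["av:watchdog0", "dlp:watchdog1"]])
    print("restarted per round:", rounds)
    # Blind spot: every watchdog stopped in one atomic batch, nobody is left
    # to restart anything, exactly the case the patent excludes.
    grid.kill(*grid.watchdogs)
    print("restarted after atomic kill of all watchdogs:", grid.tick())
    print("still alive:", grid.alive())
```

Sequential kills, one per round, never get ahead of the grid, which is the patent's argument; the last scenario shows why the protection is only as strong as the assumption that the watchdogs cannot all be stopped at once.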
In an embodiment, referring to fig. 3, the method for monitoring a security program of a client further includes:
Step 400: install an authentication package in the security programs of a plurality of operating systems;
Step 500: monitor the security programs according to the authentication package.
Steps 400 and 500 may be implemented on top of steps 100 to 300 or on their own. Specifically, the 802.1X authentication protocol is enabled on the intranet switch and 802.1X authentication is made mandatory for every client that connects to the network. The client's security program process continuously sends customised 802.1X authentication packets, and once the process has passed authentication the client management server tells the switch to enable data exchange on the port the client is connected to. If the client's security programs are completely killed, the client can no longer send the 802.1X authentication packets, the intranet switch disables data exchange on the client's port, and the client is cut off from the other devices and business systems in the enterprise.
In one embodiment, referring to fig. 4, step 400 further comprises:
Step 401: install an 802.1X authentication package in the security program using the 802.1X authentication protocol.
in one embodiment, referring to fig. 5, step 500 further comprises:
step 501: continuously transmitting the 802.1X authentication packets among security programs in a plurality of operating systems;
step 502: and when a security program does not send the 802.1X authentication packet, closing the data exchange function of the operating system where the security program is positioned.
The 802.1x protocol is a client/server based access control and authentication protocol. It can prevent unauthorized users or devices from accessing the LAN/WLAN through an access port. 802.1x authenticates the user or device connected to a switch port before that user or device can obtain the services provided by the switch or the LAN. Before authentication succeeds, 802.1x allows only EAPOL (Extensible Authentication Protocol over LAN) frames through the switch port to which the device is connected; after authentication succeeds, normal data passes through the Ethernet port.
The basic principle of the 802.1x protocol, a popular port-based access control protocol, and a specific authentication scheme based on it are presented in [1], using a Windows XP + Cisco 3550 + FreeRADIUS + MySQL application model; that scheme has proven simple and efficient in practical applications. [1]
The 802.1x architecture has three main parts: the client (supplicant system), the authentication system (authenticator system) and the authentication server (authentication server system). As an advanced broadband network access authentication method, 802.1x has received wide attention and adoption. With the continued development of wireless network technology and products and the spread of wireless networks, 802.1x, which was designed specifically for wireless local area networks, offers high security, stronger data encryption, low cost and high performance, and its influence and use in wireless networks keep growing.
In steps 401 to 404, the 802.1X authentication protocol is enabled on the intranet network switch, mandatory 802.1X authentication is required of every client accessing the network, the client security program process continuously sends a self-defined 802.1X authentication packet, and once that process has passed authentication, the client management server notifies the switch to open the data exchange function of the port where the client is located. When the client security program is killed completely, the client loses the ability to send the 802.1X authentication packet, the intranet network switch closes the data exchange function of the client's port, and the client is disconnected from the other devices and business systems in the enterprise.
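To make the liveness-to-port-control logic of steps 501 and 502 concrete, the following Python model is added here; it is not code from the patent and not a real 802.1X implementation. It stands in for the authenticator side (the switch together with the client management server that tells it to open or close a port): each valid keepalive from the client security program is treated as the customized authentication packet, the port is authorized on the first valid frame, and data exchange is revoked once keepalives have stopped for longer than a timeout. The frame layout `EAPOL:<tag>:<seq>`, the tag value, the 30-second timeout and the port numbers are constructed assumptions; a real deployment carries EAP inside EAPOL frames and defers the decision to a RADIUS server.

```python
"""Authenticator-side model of steps 501-502: keep a switch port forwarding only
while the client's security program keeps sending valid authentication keepalives.
Added example with a constructed frame format; no real EAP/EAPOL parsing."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed values: the patent specifies neither the timeout nor the packet contents.
KEEPALIVE_TIMEOUT_S = 30.0
EXPECTED_AGENT_TAG = b"client-agent-v1"   # constructed stand-in for the customized packet


def make_frame(seq: int) -> bytes:
    """Constructed keepalive layout: EAPOL:<agent tag>:<monotonic sequence number>."""
    return b"EAPOL:" + EXPECTED_AGENT_TAG + b":" + str(seq).encode()


@dataclass
class Port:
    state: str = "unauthorized"       # 802.1X controlled-port state
    last_valid: float = -1.0          # time of the last accepted keepalive
    last_seq: int = -1                # highest sequence number accepted (replay guard)
    events: List[str] = field(default_factory=list)


class Authenticator:
    """Stands in for the switch plus the client management server that decides
    whether the port's data exchange function is open or closed."""

    def __init__(self, timeout: float = KEEPALIVE_TIMEOUT_S) -> None:
        self.ports: Dict[int, Port] = {}
        self.timeout = timeout

    def receive(self, port_id: int, frame: bytes, now: float) -> str:
        """Validate one keepalive; authorize the port on the first valid one."""
        port = self.ports.setdefault(port_id, Port())
        parts = frame.split(b":")
        well_formed = (len(parts) == 3 and parts[0] == b"EAPOL"
                       and parts[1] == EXPECTED_AGENT_TAG and parts[2].isdigit())
        if not well_formed:
            port.events.append(f"{now:.0f}s rejected: not a valid agent keepalive")
            return "rejected"
        seq = int(parts[2])
        if seq <= port.last_seq:   # a recorded keepalive must not keep the port open
            port.events.append(f"{now:.0f}s rejected: replayed seq {seq}")
            return "rejected"
        port.last_seq, port.last_valid = seq, now
        if port.state != "authorized":
            port.state = "authorized"
            port.events.append(f"{now:.0f}s authorized: data exchange enabled")
        return "accepted"

    def sweep(self, now: float) -> List[int]:
        """Periodic check: close every authorized port whose keepalives stopped."""
        closed = []
        for port_id, port in self.ports.items():
            if port.state == "authorized" and now - port.last_valid > self.timeout:
                port.state = "unauthorized"
                port.events.append(f"{now:.0f}s timeout: data exchange disabled")
                closed.append(port_id)
        return closed


def run_scenario() -> Tuple[Authenticator, List[int]]:
    """Constructed timeline: the agent on port 5 sends three keepalives and is then
    killed; a replayed frame and a frame with the wrong tag are both rejected."""
    auth = Authenticator()
    for seq, t in enumerate((0.0, 10.0, 20.0)):
        auth.receive(5, make_frame(seq), t)
    assert auth.sweep(25.0) == []                 # still within the timeout
    auth.receive(5, make_frame(1), 26.0)          # replay of an old keepalive: rejected
    auth.receive(6, b"EAPOL:other-tag:0", 26.0)   # unknown sender: port 6 stays closed
    closed = auth.sweep(60.0)                     # agent silent for 40 s: port 5 closed
    return auth, closed


if __name__ == "__main__":
    auth, closed = run_scenario()
    print("closed ports:", closed)
    for pid, port in sorted(auth.ports.items()):
        print(f"port {pid}: {port.state}; " + "; ".join(port.events))
```

Two design points matter in practice. Standard 802.1X leaves a port authorized until logoff or the next reauthentication, so the continuous check the patent relies on maps onto a short reauthentication period or an inactivity timer on the switch rather than per-frame inspection. And the sequence-number guard is what makes the keepalive meaningful: without it a recorded packet would be accepted again after the agent has died, and the port would stay open exactly when it should close.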
In one embodiment, the security program includes an anti-virus program, a document security and leakage prevention program, and an equipment peripheral control program.
To further illustrate the present solution, the present invention further provides a specific application example of the security program monitoring method of the client, see fig. 6 and fig. 7.
S1: and installing a client security program.
S2: the client security control program penetrates into the operating system process to perform self-protection.
First, the security control program spawns multiple processes that reach down to the bottom layer of the operating system: each of the anti-virus, document security and leakage prevention, equipment peripheral control and other programs generates several sub-processes without identification degree, and the processes of the different programs monitor one another. For example, if the client security control consists of 4 programs and each generates 3 different processes, the 4 × 3 = 12 processes are woven into a crossed monitoring grid. When a process is forcibly killed on the client with the highest system privilege, the security control program processes that monitor it raise an alarm immediately and at the same time restart the killed process. Because the processes cannot all be killed at the same instant, whether they are closed manually or by a script, the method ensures that the client security control mechanism cannot be shut down unless the client itself is shut down.
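The crossed grid described above can be modelled in a few dozen lines. The following Python simulation is an added example, not code from the patent: it keeps an in-memory liveness table for 4 programs × 3 sub-processes (the program names are constructed; the patent names anti-virus, document security, peripheral control and speaks of 4 programs in total, so the fourth is assumed to be the monitor), lets every sub-process watch the sub-processes of the other programs, and replays three situations: one process killed, a whole program killed, and every process killed in the same instant, which is the one case the text says the grid cannot recover from.

```python
"""Simulation of the crossed 4 x 3 monitoring grid from step S2.
Added example, not the patent's code: liveness is an in-memory table, no OS
processes are created, and the program names are constructed."""
from typing import Dict, List, Sequence, Tuple

Node = Tuple[str, int]   # (program name, sub-process index)

# Assumption: the patent lists anti-virus, document security/DLP and peripheral
# control and speaks of 4 programs, so the fourth is taken to be the monitor.
PROGRAMS: Sequence[str] = ("antivirus", "dlp", "peripheral_control", "monitor")
SUBPROCESSES_PER_PROGRAM = 3


class ProcessMesh:
    def __init__(self, programs: Sequence[str] = PROGRAMS,
                 per_program: int = SUBPROCESSES_PER_PROGRAM) -> None:
        self.alive: Dict[Node, bool] = {
            (p, i): True for p in programs for i in range(per_program)}
        self.alerts: List[str] = []                   # what the SIEM should receive
        self.restarts: List[Tuple[Node, Node]] = []   # (restarted node, watcher)

    def peers(self, watcher: Node) -> List[Node]:
        """Crossed grid: a sub-process watches every sub-process of the other programs."""
        return [n for n in self.alive if n[0] != watcher[0]]

    def force_kill(self, *victims: Node) -> None:
        """Model a kill with the highest system privilege: state changes, nobody is asked."""
        for v in victims:
            self.alive[v] = False

    def tick(self) -> int:
        """One supervision round. Watchers that are alive at the start of the round
        restart any dead peer and raise an alert; returns the number of restarts."""
        restarted = 0
        for watcher in [n for n, ok in self.alive.items() if ok]:
            for peer in self.peers(watcher):
                if not self.alive[peer]:
                    self.alerts.append(f"{watcher} saw {peer} killed; restarting it")
                    self.alive[peer] = True
                    self.restarts.append((peer, watcher))
                    restarted += 1
        return restarted

    def all_alive(self) -> bool:
        return all(self.alive.values())


def simulate_forced_kill(victims: List[Node]) -> Dict[str, object]:
    """Kill the given sub-processes in the same instant, run one supervision round
    and report whether the grid healed itself."""
    mesh = ProcessMesh()
    mesh.force_kill(*victims)
    restarted = mesh.tick()
    return {"restarted": restarted, "recovered": mesh.all_alive(),
            "alerts": len(mesh.alerts)}


if __name__ == "__main__":
    everyone = [(p, i) for p in PROGRAMS for i in range(SUBPROCESSES_PER_PROGRAM)]
    print("one process killed:   ", simulate_forced_kill([("antivirus", 0)]))
    print("whole program killed: ", simulate_forced_kill([("antivirus", i) for i in range(3)]))
    print("all 12 killed at once:", simulate_forced_kill(everyone))
```

The model treats supervision as a discrete round; a real implementation polls or waits on process handles, so the polling interval bounds how long the client runs with a security program missing. Each restart is also a high-value alert in its own right: a security program that keeps being restarted is a sign that something on the host is trying to disable it, and the event should reach the management server rather than be healed silently.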
S3: the client security control program generates a plurality of sub-programs, sends 802.1X authentication, and monitors each other.
At the same time, the 802.1X authentication protocol is enabled on the intranet network switch and mandatory 802.1X authentication is required of every client accessing the network; the client security program process sends a self-defined 802.1X authentication packet without interruption, and once that process has passed authentication, the client management server notifies the switch to open the data exchange function of the port where the client is located. When the client security program is killed completely, the client loses the ability to send the 802.1X authentication packet, the intranet network switch closes the data exchange function of the client's port, and the client is disconnected from the other devices and business systems in the enterprise.
S4: and judging whether the client safety control program normally runs or not.
S5: if the program is unexpectedly closed, its process is started immediately.
S6: and judging whether the starting process is normal or not.
S7: if the process is abnormally shut down or fails to send 802.1X authentication, the network switch shuts down the interface.
Through the two coupled guard modes, the operation of the client-side security program is ensured, an attacker is prevented from inducing a user to close or upload a backdoor program to the client side, the client-side security control program is guarded, and the attacker is prevented from closing the security control program and the process of the client side. And finally, if the client security program is completely killed, disconnecting the client from other equipment and business systems in the enterprise.
As can be seen from the above description, in the method for monitoring a security program of a client according to the embodiment of the present invention, first, a monitoring program corresponding to the security program of an operating system is generated in a kernel layer of the operating system; then, generating a plurality of subprocesses without identification degrees according to the monitoring program; and finally, coupling a plurality of sub-processes to monitor the security program. The invention provides a system and a method for guarding a client security program, and mainly aims to prevent an attacker from inducing a user to close or upload a backdoor program to the client, guard a client security control program and prevent the attacker from closing the client security control program and process. The guarding method ensures the safety of the accessed client through two mutually coupled guarding modes. Specifically, the invention has the following beneficial effects: a plurality of processes are generated among a plurality of client-side safety control programs, and the processes are monitored and recovered mutually, so that the client-side safety control programs are prevented from being closed manually by attackers or by misoperation of users. And the network switch is linked, and if the client security control program is closed, the network connection is synchronously closed, so that the risk expansion is avoided.
Based on the same inventive concept, the embodiment of the present application further provides a security program monitoring apparatus of a client, which can be used to implement the method described in the foregoing embodiment, such as the following embodiments. Because the principle of the client-side security program monitoring device for solving the problem is similar to the client-side security program monitoring method, the implementation of the client-side security program monitoring device can refer to the implementation of the client-side security program monitoring method, and repeated details are not repeated. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. While the system described in the embodiments below is preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.
An embodiment of the present invention provides a specific implementation of a security program monitoring apparatus of a client, which is capable of implementing a security program monitoring method of the client, and referring to fig. 8, the security program monitoring apparatus of the client specifically includes the following contents:
a monitor program generating module 10, configured to generate a monitor program corresponding to a security program of an operating system in an operating system core layer;
a subprocess generating module 20, configured to generate multiple subprocesses without identification degrees according to the monitoring program;
and a sub-process coupling module 30, configured to couple multiple sub-processes to monitor the security program.
In one embodiment, referring to fig. 9, the sub-process coupling module 30 includes:
a security program starting unit 301, configured to start a forced-killed security program according to at least one of the plurality of sub-processes when the security program is forced-killed;
in an embodiment, referring to fig. 10, the security program monitoring apparatus of the client further includes:
an authentication package installation module 40 for installing authentication packages in security programs in a plurality of operating systems;
and a security program monitoring module 50, configured to monitor the security program according to the authentication packet.
In one embodiment, referring to fig. 11, the authentication package installation module 40 includes:
an 802.1X authentication package installation unit 401, configured to install an 802.1X authentication package in the security program by using the 802.1X authentication protocol;
in one embodiment, referring to fig. 12, the security program monitoring module 50 includes:
an authentication packet sending unit 501, configured to continuously send the 802.1X authentication packet among security programs in multiple operating systems;
a data exchange closing unit 502, configured to close a data exchange function of an operating system in which a security program is located when the security program does not send the 802.1X authentication packet;
the security program includes: an anti-virus program, a document security and leakage prevention program and an equipment peripheral control program.
As can be seen from the above description, in the security program monitoring apparatus of the client according to the embodiment of the present invention, first, a monitoring program corresponding to a security program of an operating system is generated in an operating system core layer; then, generating a plurality of subprocesses without identification degrees according to the monitoring program; and finally, coupling a plurality of sub-processes to monitor the security program. The invention provides a system and a method for guarding a client security program, and mainly aims to prevent an attacker from inducing a user to close or upload a backdoor program to the client, guard a client security control program and prevent the attacker from closing the client security control program and process. The guarding method ensures the safety of the accessed client through two mutually coupled guarding modes. Specifically, the invention has the following beneficial effects: a plurality of processes are generated among a plurality of client-side safety control programs, and the processes are monitored and recovered mutually, so that the client-side safety control programs are prevented from being closed manually by attackers or by misoperation of users. And the network switch is linked, and if the client security control program is closed, the network connection is synchronously closed, so that the risk expansion is avoided.
Referring now to FIG. 13, shown is a schematic diagram of an electronic device 600 suitable for use in implementing embodiments of the present application.
As shown in fig. 13, the electronic apparatus 600 includes a Central Processing Unit (CPU) 601 that can perform various appropriate works and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The driver 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is mounted as necessary on the storage section 608.
In particular, according to an embodiment of the present invention, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, an embodiment of the present invention includes a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of the above-mentioned method for monitoring a security program of a client, the steps including:
step 100: generating a monitoring program corresponding to a security program of the operating system in an operating system core layer;
step 200: generating a plurality of subprocesses without identification degrees according to the monitoring program;
step 300: a plurality of sub-processes are coupled to monitor the security program.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A method for monitoring a security program of a client is characterized by comprising the following steps:
generating a monitoring program corresponding to a security program of the operating system in an operating system core layer;
generating a plurality of subprocesses without identification degrees according to the monitoring program;
a plurality of sub-processes are coupled to monitor the security program.
2. The method of claim 1, wherein the coupling the plurality of sub-processes to monitor the security program comprises:
and when the security program is forcibly killed, starting the forcibly killed security program according to at least one of the plurality of sub-processes.
3. The client security program monitoring method according to claim 1, further comprising:
installing an authentication package in a security program in a plurality of operating systems;
and monitoring the security program according to the authentication package.
4. The client security program monitoring method of claim 3, wherein installing the authentication package in the security program in the plurality of operating systems comprises:
installing an 802.1X authentication package in the security program by utilizing an 802.1X authentication protocol;
the monitoring the security program according to the authentication package includes:
continuously transmitting the 802.1X authentication packets among security programs in a plurality of operating systems;
and when a security program does not send the 802.1X authentication packet, closing the data exchange function of the operating system where the security program is positioned.
5. The client security program monitoring method according to claim 1, wherein the security program comprises: an anti-virus program, a document security and leakage prevention program and an equipment peripheral control program.
6. A client security program monitoring apparatus, comprising:
the monitoring program generating module is used for generating a monitoring program corresponding to the security program of the operating system in the core layer of the operating system;
the subprocess generating module is used for generating a plurality of subprocesses without identification degrees according to the monitoring program;
and the subprocess coupling module is used for coupling a plurality of subprocesses so as to monitor the security program.
7. The client security program monitoring apparatus according to claim 6, wherein the sub-process coupling module comprises:
the safety program starting unit is used for starting the forcibly killed safety program according to at least one of the plurality of sub-processes when the safety program is forcibly killed;
the security program monitoring device of the client further comprises:
the authentication package installation module is used for installing authentication packages in security programs in a plurality of operating systems;
and the safety program monitoring module is used for monitoring the safety program according to the authentication package.
8. The client security program monitoring apparatus according to claim 7, wherein the authentication package installation module comprises:
an 802.1X authentication package installation unit, which is used to install an 802.1X authentication package in the security program by using the 802.1X authentication protocol;
the security program monitoring module includes:
an authentication packet sending unit, configured to continuously send the 802.1X authentication packet among security programs in multiple operating systems;
a data exchange closing unit, configured to close a data exchange function of an operating system in which a security program is located when the security program does not send the 802.1X authentication packet;
the security program includes: an anti-virus program, a document security and leakage prevention program and an equipment peripheral control program.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method for secure program monitoring of a client according to any one of claims 1 to 5 are implemented when the program is executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method for security program monitoring of a client as claimed in any one of claims 1 to 5.
CN202110576439.9A 2021-05-26 2021-05-26 Client security program monitoring method and device Pending CN113190414A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110576439.9A CN113190414A (en) 2021-05-26 2021-05-26 Client security program monitoring method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110576439.9A CN113190414A (en) 2021-05-26 2021-05-26 Client security program monitoring method and device

Publications (1)

Publication Number Publication Date
CN113190414A true CN113190414A (en) 2021-07-30

Family

ID=76985043

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110576439.9A Pending CN113190414A (en) 2021-05-26 2021-05-26 Client security program monitoring method and device

Country Status (1)

Country Link
CN (1) CN113190414A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114816546A (en) * 2022-04-28 2022-07-29 合肥高维数据技术有限公司 Client application program multi-keep-alive method and system

Similar Documents

Publication Publication Date Title
Berger et al. TVDc: managing security in the trusted virtual datacenter
CN109076063B (en) Protecting dynamic and short-term virtual machine instances in a cloud environment
EP2318975B1 (en) Protecting a virtual guest machine from attacks by an infected host
US9503475B2 (en) Self-adaptive and proactive virtual machine images adjustment to environmental security risks in a cloud environment
KR101535502B1 (en) System and method for controlling virtual network including security function
US8966578B1 (en) Intelligent system for enabling automated secondary authorization for service requests in an agile information technology environment
US10565378B1 (en) Exploit of privilege detection framework
US9235705B2 (en) Secure virtualization system software
US20170005983A1 (en) Computer security architecture and related computing method
EP2939390B1 (en) Processing device and method of operation thereof
US20070266433A1 (en) System and Method for Securing Information in a Virtual Computing Environment
US9940181B2 (en) System and method for reacting to system calls made to a kernal of the system
CN109861972B (en) Safety architecture system of industrial information control integrated platform
US20120066765A1 (en) System and method for improving security using intelligent base storage
WO2014102526A1 (en) Processing device and method of operation thereof
Khan et al. Silver lining: Enforcing secure information flow at the cloud edge
CN113190414A (en) Client security program monitoring method and device
KR20180130631A (en) Vulnerability checking system based on cloud service
JP2001014239A (en) Security system by multiplex system parallel operated computers
Micro DEEP SECURITY™ SOFTWARE
Kumar et al. Ensuring security for virtualization in cloud services
EP2840755A1 (en) Processing device and method of operation thereof
EP3243313B1 (en) System and method for monitoring a computer system using machine interpretable code
EP3270544A1 (en) Hypervisor monitoring
KR102571542B1 (en) Closed-network blockchain system allowing outsiders to participate and processing method of the work of external participants of there

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination