CN115048643A - Data processing method and device, electronic equipment and storage medium - Google Patents
Data processing method and device, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN115048643A CN115048643A CN202210796166.3A CN202210796166A CN115048643A CN 115048643 A CN115048643 A CN 115048643A CN 202210796166 A CN202210796166 A CN 202210796166A CN 115048643 A CN115048643 A CN 115048643A
- Authority
- CN
- China
- Prior art keywords
- zero
- target process
- trust
- data
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The application provides a data processing method, a data processing device, an electronic device and a storage medium. The method comprises the following steps: judging whether the target process is a zero-trust process or not; and redirecting the data resource of the target process to a data isolation area under the condition that the target process is a zero-trust process, so that the data resource is processed by the target process subsequently, and the generated associated data is isolated in the data isolation area, thereby being capable of being used for carrying out safety protection on the data.
Description
Technical Field
The present application relates to the field of internet technologies, and in particular, to a data processing method and apparatus, an electronic device, and a storage medium.
Background
With the continuous development of internet technology, how to perform security protection on data becomes a focus problem which people pay more and more attention to.
Disclosure of Invention
An embodiment of the present application aims to provide a data processing method, an apparatus, an electronic device, and a storage medium, which are used for solving the problem of security protection on data in the prior art.
A first aspect of an embodiment of the present application provides a data processing method, where the method includes:
judging whether the target process is a zero-trust process;
and redirecting the data resource of the target process to a data isolation area under the condition that the target process is a zero-trust process.
In an embodiment, redirecting the data resource of the target process to a data isolation area specifically includes:
performing Hook on an operating system API associated with the data resource;
and redirecting associated data generated by the data processing of the data resource to a data isolation area under the condition that the target process calls the API of the operating system to process the data of the data resource.
In an embodiment, the determining whether the target process is a zero-trust process specifically includes:
and judging whether the target process is a zero trust process or not according to whether the target process is a known zero trust process registered in a file driver of an operating system or not.
In an embodiment, the determining whether the target process is a zero-trust process specifically includes:
and judging whether the target process is a zero-trust process or not according to whether the application program corresponding to the target process is the application program under the zero-trust architecture or not.
In an embodiment, the determining whether the target process is a zero-trust process specifically includes:
and judging whether the target process is a zero-trust process or not according to whether the process starting mode of the target process is starting through a virtual desktop or not.
In one embodiment, the method further comprises:
and under the condition that the target process is a zero-trust process, registering the target process as a known zero-trust process in a file driver of an operating system.
In an embodiment, the data resources specifically include any one or more of the following: process registry, events, interprocess communication semaphores, communication network.
A second aspect of the embodiments of the present application provides a data processing apparatus, including:
the judging unit is used for judging whether the target process is a zero-trust process;
and the redirection unit is used for redirecting the data processing result of the target process to the data isolation area under the condition that the target process is a zero-trust process.
A third aspect of embodiments of the present application provides an electronic device, including:
a processor;
a memory for storing processor-executable instructions; wherein the processor is configured to perform the method of any of the first aspect above.
A fourth aspect of embodiments of the present application provides a computer-readable storage medium, which stores a computer program, the computer program being executable by a processor to perform the method of any one of the first aspect.
The data processing method provided by the embodiment of the application comprises the steps of judging whether the target process is a zero trust process or not, and redirecting the data resource of the target process to the data isolation area under the condition that the target process is the zero trust process, so that the data resource is processed by the target process subsequently, the generated associated data is isolated in the data isolation area, and the data processing method can be used for carrying out safety protection on the data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart illustrating a data processing method according to an embodiment of the present application;
fig. 2 is a schematic specific flowchart of a data processing method in a specific application scenario according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. In the description of the present application, the terms "first," "second," and the like are used solely to distinguish one from another and are not intended to indicate or imply relative importance or precedence.
As described above, the current data protection method mainly performs virus searching and killing on files downloaded by a process, but the method has low efficiency and is difficult to apply to scenes with a large number of files.
Based on this, the present application proposes a data processing method that can be used to solve the technical problem.
Fig. 1 shows a flow chart of the data processing method, which includes the following steps:
step S11: and judging whether the target process is a zero-trust process.
The target process may be any one of the processes that have been started or run, or may be a specific process. For example, for a plurality of processes which are started or running, each process is sequentially used as the target process, and whether the target process is a zero-trust process is judged; or, for a certain specific process, for example, a process of frequently downloading a file, a process of accessing a network address blacklist, a process of which the running time after starting does not exceed a preset threshold, and the like, the specific process may be used as a target process, so as to determine whether the target process is a zero-trust process.
It should be noted that the Zero Trust process specifically includes a process of an application program under a Zero Trust Architecture (ZTA), where the Zero Trust Architecture is an enterprise network security Architecture based on a Zero Trust principle, and is intended to prevent data leakage and limit horizontal movement of data inside a network, so that the network based on the Zero Trust Architecture can be widely applied to the current network environment. Therefore, when the target process is a zero-trust process, it is indicated that the target process belongs to a process of an application under ZTA, so that there may be certain risks including information leakage, file poisoning, and the like in data processing of the target process.
In practical applications, there are various ways to determine whether the target process is a zero-trust process, and several specific ways are listed here for description.
The first method is as follows: and judging whether the target process is a zero-trust process or not according to the process starting mode of the target process.
For example, a process started by some process starting modes may be preset to be a zero-trust process, for example, a process started by a virtual desktop. Therefore, whether the target process is a zero-trust process can be judged according to whether the process starting mode of the target process is starting through a virtual desktop, wherein if the process starting mode of the target process is starting through the virtual desktop, the target process can be determined to be the zero-trust process; and if the process starting mode of the target process is not through virtual desktop starting, determining that the target process is not a zero-trust process.
In practical application, in order to determine whether a target process is a zero-trust process, a process start monitoring module and a desktop environment detection module may be provided, where the process start monitoring module may be used to monitor the target process, including monitoring start, operation, and shutdown of the target process; for example, in the process of monitoring the start of the target process or the running process after the start of the target process by the process start monitoring module, the desktop environment detection module may be called to check whether the process start mode of the target process is started through a virtual desktop, including acquiring configuration information of a desktop to which the target process belongs, and then determining whether the desktop is a virtual desktop according to the configuration information, and further determining whether the process start mode of the target process is started through the virtual desktop, thereby determining whether the target process is a zero-trust process.
For example, if the desktop is judged to be a virtual desktop according to the configuration information of the desktop to which the target process belongs, it is indicated that the starting mode of the target process is starting through the virtual desktop, and the target process can be determined to be a zero-trust process; or, if the desktop is judged not to be the virtual desktop according to the configuration information of the desktop to which the target process belongs, it is indicated that the starting mode of the target process is not started through the virtual desktop, and thus it can be determined that the target process is not a zero-trust process.
The second method comprises the following steps: and judging whether the target process is a zero-trust process or not according to whether the application program corresponding to the target process is the application program under the zero-trust architecture or not.
If the application program corresponding to the target process is the application program under the zero trust architecture, determining that the target process is the zero trust process; or if the application program corresponding to the target process is not the application program under the zero trust architecture, determining that the target process is not the zero trust process.
In order to generally facilitate determining whether the application corresponding to the target process is an application under the zero trust architecture, a program list may be set in advance for the application under the zero trust architecture, and the program list is used to record a program identifier of the application under the zero trust architecture, where the program identifier may be a name, a version number, and the like of the application.
In this way, in the process of determining whether the application corresponding to the target process is the application under the zero trust architecture, a program identifier (referred to as a first program identifier) of the application corresponding to the target process may be obtained first, then the first program identifier may be compared with the program identifiers recorded in the program list, and in the case that the first program identifier is recorded in the program list, it is determined that the application corresponding to the target process is the application under the zero trust architecture, and thus the target process may be determined to be the zero trust process; under the condition that the first program identifier is not recorded in the program list, the application program corresponding to the target process under the trust architecture which is not zero is described, and then the target process can be determined to be the trust process which is not zero.
The third method comprises the following steps: and judging whether the target process is a zero trust process or not according to whether the target process is a known zero trust process registered in a file driver of the operating system or not.
Usually, a known zero-trust process may be registered in a file driver of an operating system in advance, so that it may be determined whether the target process is a known zero-trust process registered in the file driver, and thus, whether the target process is a zero-trust process may be determined. For example, if the target process is a known zero-trust process registered in the file driver, it is indicated that the target process is a zero-trust process; or, if the target process is not a known zero-trust process registered in the file driver, it indicates that the target process is not a zero-trust process.
The specific way of registering for the known zero-trust process may be to record relevant information of the known zero-trust process, including a process identifier, into a file driver of the operating system. Therefore, the process identification of the target process can be compared with the process identification recorded in the file driver, so that whether the target process is the known zero-trust process registered in the file driver or not can be judged.
It should be noted that, the above-mentioned first to third modes may also be combined to determine whether the target process is a zero-trust process, for example, the determination may be performed by the third mode first, and if the third mode determines that the target process is a zero-trust process, the target process is a zero-trust process; or, if the third mode judges that the target process is not a zero trust process, further using the first mode and/or the second mode to judge whether the target process is a zero trust process, thereby judging through the combination of the multiple modes. Particularly, if the target process is determined to be a zero-trust process by the first or second method, the target process may be further determined to be a known zero-trust process and registered in a file driver of the operating system, so that when it is determined again whether the target process is a zero-trust process (for example, the target process is restarted after being closed), the determination can be performed quickly by the third method, where, since the third method only needs to compare the process identifier of the target process with the process identifier recorded in the file driver, and can determine whether the target process is a registered known zero-trust process in the file driver, the third method has higher efficiency with the first and second methods, so that the third method can perform quick determination.
Step S12: and redirecting the data resource of the target process to the data isolation area under the condition that the target process is a zero-trust process.
The target process usually needs to rely on the data resource for starting, normal operation and data processing, and the data resource may include any one or more of the following: a Process registry, an interprocess Communication semaphore, a Process event, interprocess Communication (IPC), a Communication network, etc.
Therefore, when the target process is determined to be the zero-trust process in step S11, the data resource of the target process may be further redirected to the data isolation region, so that the associated data generated by the subsequent target process performing data processing on the data resource is also isolated to the data isolation region because the data resource is redirected to the data isolation region. The associated data may include a new file generated by reading and writing the data resource, and the like, and the target process depends on the file downloaded or generated by the data resource.
In the embodiment of the application, the data storage space comprises a data isolation area and a non-data isolation area, the data isolation area and the non-data isolation area are isolated from each other, and for a non-zero trust process, only the non-data isolation area can be accessed usually, and only the data isolation area can be accessed by a zero trust process. Thus, under the condition that the target process is a zero-trust process, the data resource of the target process can be redirected to the data isolation area, and under the condition that the target process is not a zero-trust process, the non-data isolation area can be accessed.
The data isolation area can be a virtual storage area constructed through a virtual disk technology, and can also be a cloud storage area arranged in a cloud end, and the specific form and the generation mode of the data isolation area are not limited.
In addition, the data resource is typically associated with an operating system API, so that the target process can perform data processing on the data resource by calling the operating system API, such as reading and writing a process registry by calling the operating system API, processing a process event by calling the operating system API, and the like.
It should be further noted that, when the target process is determined to be a zero-trust process through the step S11, Hook (Hook) may be performed on an Application Programming Interface (API) associated with the data resource of the target process; in this way, redirecting the data resource of the target process to the data isolation area may specifically include: in the case where the target process calls the operating system API (i.e., the Hook-oriented operating system API) to perform data processing on the data resource, the associated data resulting from the data processing on the data resource may be redirected to a data quarantine area. Among them, in an operating system such as Windows, a system mechanism to replace "interrupt" under DOS can be provided by Hook.
For example, the data resource is a process registry, and at this time, when the target process is a zero-trust process, Hook may be performed on an operating system API associated with the process registry first, and then, when the target process calls the Hook-related operating system API and performs data processing such as reading and writing on the process registry, associated data generated by the data processing such as reading and writing on the process registry, including generated new files (e.g., HIVE files, etc.) may be redirected to the data isolation region.
The data processing method provided by the embodiment of the application comprises the steps of judging whether a target process is a zero trust process, and redirecting the data resource of the target process to a data isolation area under the condition that the target process is the zero trust process, so that the data resource is processed by the target process subsequently, and the generated associated data is isolated in the data isolation area and can be used for carrying out safety protection on the data.
In addition, in the current data protection method, a virus is generally checked and killed on a file after the file is downloaded by a process, but when the file downloaded by the process is large or the number of the files is large, the current data protection method is low in efficiency. In the embodiment of the application, whether the target process is a zero trust process is firstly distinguished, and under the condition of the zero trust process, the data resource of the target process is redirected to the data isolation region, so that the subsequent data processing of the target process on the data resource is realized, and the generated associated data is isolated in the data isolation region, so that the efficiency can be improved, and the method is suitable for scenes with a large number of files. In addition, the data in the data isolation region (for example, the related data mentioned above) may also be virus-killed, so as to further perform security protection on the data in the data isolation region.
The foregoing is a detailed description of the data processing method provided in the embodiments of the present application, and for convenience of understanding, the method may be further described with reference to specific examples. In this example, the data resource is embodied as a process registry, and the data storage space includes data isolation regions and non-data isolation regions. As shown in fig. 2, the method comprises the steps of:
step S21: the target process is started.
Step S22: and judging whether the target process is a zero-trust process or not according to whether the process starting mode of the target process is the virtual desktop starting mode or not, if not, executing the step S23, and if so, executing the steps S24-S25.
Step S23: and under the condition that the target process is not a zero trust process, storing a new file generated by the target process for processing the process registry data into a non-data isolation area.
Step S24: and under the condition that the target process is a zero-trust process, performing Hook on an operating system API (application program interface) associated with the process registry.
Step S25: and redirecting the generated new file to a data isolation area under the condition that the target process calls an operating system API (application program interface) of Hook to perform data processing on the process registry.
Obviously, the method in this example can also solve the problems in the prior art, and is not described here again.
Based on the same inventive concept as the data processing method provided by the embodiment of the present application, the embodiment of the present application also provides a data processing apparatus, and for the embodiment of the apparatus, if it is unclear, the corresponding content of the embodiment of the method can be referred to. As shown in fig. 3, which is a schematic diagram of a specific structure of the data processing apparatus, the apparatus 30 includes a determining unit 301 and a redirecting unit 302, wherein:
a judging unit 301, configured to judge whether a target process is a zero-trust process;
a redirecting unit 302, configured to redirect the data resource of the target process to a data isolation area if the target process is a zero-trust process.
With the device 30 provided in the embodiment of the present application, since the device 30 adopts the same inventive concept as the data processing method provided in the embodiment of the present application, on the premise that the data processing method can solve the technical problem, the device 30 can also solve the technical problem, and details thereof are not repeated here.
In addition, in practical applications, the technical effect obtained by combining the apparatus 30 with specific hardware devices is also within the protection scope of the present application, for example, different units in the apparatus 30 are arranged in different nodes in a distributed cluster by adopting a distributed cluster manner, so as to further improve the processing efficiency and the like; or, for example, the data isolation area is set as the data isolation area of the cloud end in combination with the cloud technology and the like, so that the cost is reduced.
In practical applications, the redirection unit 302 may specifically include a hook subunit and a redirection subunit, where:
the Hook subunit is used for taking Hook to the operating system API associated with the data resource;
and the redirection subunit is configured to redirect, to a data isolation area, associated data generated by performing data processing on the data resource, when the target process calls the operating system API and performs data processing on the data resource.
The determining unit 301 may specifically include: and the first judgment subunit is configured to judge whether the target process is a zero trust process according to whether the target process is a known zero trust process registered in a file driver of the operating system.
The determining unit 301 may further specifically include: and the second judgment subunit is configured to judge whether the target process is a zero trust process according to whether the application corresponding to the target process is an application under a zero trust architecture.
The determining unit 301 may further specifically include: and the third judging subunit is configured to judge whether the target process is a zero-trust process according to whether the process starting manner of the target process is starting through a virtual desktop.
The apparatus 30 may further include a registration unit, configured to register the target process as a known zero-trust process in a file driver of an operating system if the target process is a zero-trust process.
The data resource specifically includes any one or more of the following: process registry, events, interprocess communication semaphores.
Based on the same inventive concept as the embodiment of the present application, as shown in fig. 4, the present embodiment further provides an electronic device 40, where the electronic device 40 includes: at least one processor 41 and a memory 42, one processor being exemplified in fig. 4. The processor 41 and the memory 42 may be connected through a bus, and the memory 42 stores instructions executable by the processor 41, and the instructions are executed by the processor 41, so that the electronic device 40 may execute all or part of the flow of the method in the embodiment of the present application.
The electronic device 40 may be a notebook computer, a desktop computer, a server or a server cluster formed by the notebook computer and the desktop computer, and the like.
An embodiment of the present invention further provides a computer-readable storage medium, where the storage medium stores a computer program, and the computer program is executable by a processor to perform all or part of the processes of the method in the foregoing embodiments. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid State Drive (SSD), or the like. The storage medium may also comprise a combination of memories of the kind described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.
Claims (10)
1. A method of data processing, the method comprising:
judging whether the target process is a zero-trust process;
and redirecting the data resource of the target process to a data isolation area under the condition that the target process is a zero-trust process.
2. The method of claim 1, wherein redirecting the data resource of the target process to a data quarantine area specifically comprises:
performing Hook on an operating system API associated with the data resource;
and redirecting the associated data generated by the data processing of the data resource to a data isolation area under the condition that the target process calls the API of the operating system to perform the data processing of the data resource.
3. The method of claim 1, wherein determining whether the target process is a zero trust process specifically comprises:
and judging whether the target process is a zero trust process or not according to whether the target process is a known zero trust process registered in a file driver of an operating system or not.
4. The method of claim 1, wherein determining whether the target process is a zero-trust process comprises:
and judging whether the target process is a zero trust process or not according to whether the application program corresponding to the target process is the application program under the zero trust architecture or not.
5. The method of claim 1, wherein determining whether the target process is a zero trust process specifically comprises:
and judging whether the target process is a zero-trust process or not according to whether the process starting mode of the target process is starting through a virtual desktop or not.
6. The method of claim 5, further comprising:
and under the condition that the target process is a zero-trust process, registering the target process as a known zero-trust process in a file driver of an operating system.
7. The method according to claim 1, wherein the data resource specifically comprises any one or more of: process registry, events, interprocess communication semaphores, communication network.
8. A data processing apparatus, comprising:
the judging unit is used for judging whether the target process is a zero-trust process;
and the redirection unit is used for redirecting the data resource of the target process to a data isolation area under the condition that the target process is a zero-trust process.
9. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions; wherein the processor is configured to perform the method of any one of claims 1-7.
10. A computer-readable storage medium, characterized in that the storage medium stores a computer program executable by a processor for performing the method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210796166.3A CN115048643A (en) | 2022-07-07 | 2022-07-07 | Data processing method and device, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210796166.3A CN115048643A (en) | 2022-07-07 | 2022-07-07 | Data processing method and device, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115048643A true CN115048643A (en) | 2022-09-13 |
Family
ID=83166136
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210796166.3A Pending CN115048643A (en) | 2022-07-07 | 2022-07-07 | Data processing method and device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115048643A (en) |
-
2022
- 2022-07-07 CN CN202210796166.3A patent/CN115048643A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10235524B2 (en) | Methods and apparatus for identifying and removing malicious applications | |
| US10169585B1 (en) | System and methods for advanced malware detection through placement of transition events | |
| US10242186B2 (en) | System and method for detecting malicious code in address space of a process | |
| US8844038B2 (en) | Malware detection | |
| US9171157B2 (en) | Method and system for tracking access to application data and preventing data exploitation by malicious programs | |
| KR101122646B1 (en) | Method and device against intelligent bots by masquerading virtual machine information | |
| KR101122787B1 (en) | Security-related programming interface | |
| US8806625B1 (en) | Systems and methods for performing security scans | |
| CN105814577A (en) | Segregating executable files exhibiting network activity | |
| EP2417551B1 (en) | Providing information to a security application | |
| JP2019079492A (en) | System and method for detection of anomalous events on the basis of popularity of convolutions | |
| CN106203092B (en) | Method and device for intercepting shutdown of malicious program and electronic equipment | |
| CN114065196A (en) | Java memory horse detection method and device, electronic equipment and storage medium | |
| CN103428212A (en) | Malicious code detection and defense method | |
| CN112818307A (en) | User operation processing method, system, device and computer readable storage medium | |
| CN110505246B (en) | Client network communication detection method, device and storage medium | |
| CN106997313B (en) | Signal processing method and system of application program and terminal equipment | |
| CN104426836A (en) | Invasion detection method and device | |
| CN109784054B (en) | Behavior stack information acquisition method and device | |
| CN115048643A (en) | Data processing method and device, electronic equipment and storage medium | |
| CN115828256A (en) | Unauthorized and unauthorized logic vulnerability detection method | |
| CN106354602A (en) | Service monitoring method and equipment | |
| CN114662098A (en) | Attack code detection method, apparatus, electronic device, program, and storage medium | |
| CN111221628A (en) | Method and device for detecting safety of virtual machine file on virtualization platform | |
| JP7255681B2 (en) | Execution control system, execution control method, and program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |