CN115952474A - Application program control and management method based on file attribute characteristics - Google Patents
Application program control and management method based on file attribute characteristics Download PDFInfo
- Publication number
- CN115952474A CN115952474A CN202111170248.9A CN202111170248A CN115952474A CN 115952474 A CN115952474 A CN 115952474A CN 202111170248 A CN202111170248 A CN 202111170248A CN 115952474 A CN115952474 A CN 115952474A
- Authority
- CN
- China
- Prior art keywords
- file
- program
- white list
- certificate
- application program
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Stored Programmes (AREA)
Abstract
The invention discloses an application program control and management method based on file attribute characteristics, which comprises the following steps: setting an application program control and management characteristic on a server, wherein the characteristic comprises a first part of file attributes; comparing the first part file attribute with a second part file attribute of a file or a program through the server; and if the first part of file attributes accord with the second part of file attributes according to the comparison result, the file or the program is marked as an executable white list.
Description
Technical Field
The invention relates to the technical field of application program control and management, in particular to an application program control and management method based on file attribute characteristics.
Background
With the development of informatization, a large number of Applications (APPs) have emerged. Multiple applications may be provided by the same vendor. Similar functionality may exist even for different applications, especially for multiple applications provided by the same vendor. To accommodate technological development or business needs, applications often need to be upgraded or updated, e.g., new versions of applications may be released more often than 1/week. When an error occurs in the released new version application program or a service fails, the application program of the user side needs to return to the application program of the specified version urgently, and the basic use requirements of the user can be met.
The existing application program usually limits the computer device which can legally use the application program, and the application program is prevented from being copied to other computer devices which are not legally authorized to use. To achieve this, a protection mechanism for binding hardware information is available. In this mechanism, once the application program is started, it first reads and verifies hardware information, such as cpu code, hard disk serial number, etc., in the computer device in which it is installed, and only when the verification is passed, allows the computer device to normally execute it. Although the mechanism can bind the application program with the legal computer device which can normally execute the application program, the mechanism is easy to crack because the hardware information lacks dynamic change.
In addition, under the circumstance of internet popularization, connection with internet is usually established in enterprises to obtain various applications. However, various information or applications retrieved from the internet may also receive malicious programs. Once a malicious program enters the information processing device, the software in the information processing device can be damaged or information in the information processing device can be stolen, and the information security in an enterprise can be harmed badly.
On the other hand, for enterprises, while enjoying convenience of the internet, threats to such malicious programs that may exist should be excluded as much as possible. In connection with the restrictions imposed by the application, blacklist governance approaches are traditionally used for implementation. Because of the plethora of programs, blacklisting is undesirable.
Recently, hackers often use native programs on their own as attack programs, rather than using self-written programs of hackers. This causes a problem, for example, the built-in program in Windows is a program that is often used by users, but is also the most popular program for hackers; thus, whether these built-in programs can be set as application program control or not is also a big problem.
Furthermore, application governance has strong protection, but users in an enterprise often suffer from the following three situations: (1) Windows Update; (2) The user installs a new program (e.g., autoCAD) that is known and safe by himself; (3) Programs that are updated daily (e.g., teams, chrome often update in the background) create a dilemma in which programs cannot be executed. This not only affects the work efficiency of the employees of the enterprise, but also increases the workload of Information Technology (IT) personnel.
Disclosure of Invention
In view of the above problems, the present invention provides an application control method based on file attribute features to improve the application control function.
The invention discloses an application program control and management method based on file attribute characteristics, which comprises the following steps: setting an application program control and management characteristic in a server, wherein the characteristic comprises a first part of file attributes; comparing the first part file attribute with a second part file attribute of a file or a program through the server; and if the first part of file attributes accord with the second part of file attributes according to the comparison result, the file or the program is marked as an executable white list.
Wherein the first part of file attributes comprise original file name, product version and copyright.
The application-managed feature further comprises a complete credential. If the complete certificate is compared with a second complete certificate of the file or the program, the file or the program is an executable white list. The integrity certificate includes a digital signature, and the digital signature includes a signature thumbprint.
The application control feature further includes a partial credential. Wherein if the partial certificate matches a second partial certificate of the document or program, the document or program is an executable white list.
Wherein the partial certificate comprises a signer, a certificate issuer, or a combination thereof.
The application program control and management feature further includes a path/file name, wherein if the path/file name is matched with a second path/file name of the file or program, the file or program is an executable white list.
Drawings
FIG. 1 is a schematic diagram showing the basic features of application control according to the present invention.
FIG. 2 is a diagram illustrating the full credential and partial credential features managed by the application of the present invention.
FIG. 3 is a diagram illustrating the full credential and partial credential features managed by the application of the present invention.
FIG. 4 is a diagram illustrating a portion of the document attribute features managed by the application program according to the present invention.
Description of the symbols
102. Executing files
104. Dynamic link function library (DLL) files
106. Document
108. Complete certificate
110. Partial certificate
112. Hash (Hash)
114. Path/file name
116. Partial document attributes
118. Signer
120. Certificate issuer
122. Combination of signer and credential issuer
202. Digital signature
204. Signer information
206. Certificate issuer
302. Thumb print of signature
304. Voucher signer keyword
306. Signer keywords
402. Original file name
404. Product edition
406. Copyright of work
Detailed Description
Various embodiments of the present invention will now be described. The following description provides specific implementation details of the invention to provide a thorough understanding of the manner in which the embodiments are implemented. However, it will be apparent to one skilled in the art that the present invention may be practiced without these specific details. Furthermore, no attempt is made to show structural or functional details of the invention in more detail than is necessary for a fundamental understanding of the invention, the description taken with the drawings making apparent to those skilled in the art how the several forms of the invention may be embodied in practice.
The invention provides an application program control and management method based on file attribute characteristics. Wherein, the white list is used as the control scheme to replace the traditional black list control method. In practice, the application governs the mechanism that is white-listing. For example, the client (personal computer, tablet computer, or various computer devices) or the server performs a virus-scanning procedure, and after the virus-scanning procedure is completed, the document, program or software without problems is recorded as the white list. In other words, after a scanning (virus scanning) procedure, all files or programs that have no problem are white listed. The white list can be executed in the local computer, and the black list can not be executed in the local computer. Therefore, it is problematic if the white list is not available, and execution in a computer is prohibited. As for how to identify whether a program is a white list, the invention provides a method based on file attribute characteristics so as to obtain the white list identification characteristics controlled and managed by an application program; after the application program control and management function is executed, whether a file or a program is a white list or not can be known through the identification of the file attribute characteristics.
FIG. 1 depicts a schematic diagram of an application-managed white list identification feature of the present invention. As shown in FIG. 1, the management of application hosting includes three aspects of programs or files, an execution file 102, a Dynamic-link library (DLL) file 104, and a file 106. These three aspects are for the application to control the objects to be managed. The execution files 102, dynamic Link Library (DLL) files 104, and 106 each have their essential characteristics to facilitate application control to identify whether a file is white listed. The dynamic link is to make a DLL file 104 from a program code (statically linked OBJ library) that is frequently shared. When the execution file 102 calls a function in the DLL file 104, the Windows operating system will load the DLL file 104 into the memory. The DLL file 104 itself is an executable file, and functions are linked when the program has a need. By the dynamic linking mode, the situation of memory waste can be greatly reduced. The file format of the DLL file 104 is the same as the Windows EXE file. As an EXE format, a DLL can include various combinations of source code, profiles, and resources.
For example, word is designated or defined as a white list and Excel is defined as a black list by a designated unit of a server. AutoCAD, which is not specified or defined by a specified element, automatically becomes a grey list because it is neither a white list nor a black list. In addition, in one embodiment, after the document is scanned by the server (console), all words existing in the client are marked as Word whitelist, and Excel is marked as Excel blacklist. Wherein Word whitelisting can be performed locally at the user end. Excel blacklisting cannot be performed locally at the user end. In addition, the AutoCAD grey list may not be executed in the local computer of the user end, but may be uploaded to block records to a certain folder or a certain storage path.
In one embodiment, the blacklist is set by the console personnel and therefore must be blocked; on the contrary, the white list is mostly obtained by scanning, and a small amount of white list is set by the console personnel for the whole company.
Referring to fig. 1, as described above, the basic features managed by the application include features of programs and files. Wherein the characteristics of the program, the file, for example, include characteristics of the execution file 102, characteristics of the Dynamic Link Library (DLL) file 104, and characteristics of the file 106. The application program control and management confirms whether the programs and the files are white lists or not by identifying the characteristics. The basic features of the execution file 102 may include five parts, a full credential 108, a partial credential 110, a Hash (Hash) 112, a path/file name 114, and a partial file attribute 116. The basic features of the executable file 102 may select at least one of the five parts as the features for comparison. The application program controls and manages the comparison of the basic features of the execution file 102 through a server (console). Firstly, comparing the characteristics of the complete certificate 108; if the comparison accords with the complete certificate characteristics of the blacklist, the result is the blacklist; if the comparison accords with the complete certificate characteristics of the white list, the result is the white list. For one embodiment, the full credential characteristic of the white list includes a digital signature 202, as shown in FIG. 2. The digital signature 202 includes, for example, a signature thumb print, which is a record of thumb prints, such as the signature thumb print 302 in the underlying field of the document information of FIG. 3, and the signature thumb print 302 in the underlying field of the rule. Therefore, if the comparison result matches the record of the signature thumbprint, the file is a white list.
Then, through feature comparison of the partial certificate 110, if the comparison matches the partial certificate feature of the blacklist, the result is the blacklist; if the comparison matches the partial certificate characteristics of the white list, the result is the white list. For one embodiment, the white listed partial certificate features include a signer 118, a certificate issuer 120, a combination of the signer and the certificate issuer 122, as shown in FIG. 1. Wherein the signer information 204 is, for example, microsoft Windows, and the credential issuer 206 information is, for example, microsoft Windows Production, as shown in FIG. 2. These credential features are represented by trusted credentials issued by Microsoft corporation to the user's end. In one example, the signer's characteristics include a signer keyword 306 and the credential issuer's characteristics include a credential issuer keyword 304, as shown in FIG. 3. Where the signer keyword 306 or the credential issuer keyword 304 may comprise part of a string. In other words, if the comparison result matches the signer keyword 306, the document is a white list. In a second example, if the comparison result matches the keyword 304 of the certificate issuer, the document is a white list. In a third example, if the comparison result matches the setter of both the signer keyword 306 and the certificate issuer keyword 304, the document is a white list.
Then, comparing the characteristics of the Hash (Hash) 112, and if the comparison accords with the Hash characteristics of the blacklist, determining that the result is the blacklist; and if the comparison accords with the Hash characteristics of the white list, the result is the white list. For example, the full document Hash is, for example, the document Hash in the bottom field of the document information of fig. 3, and the document Hash in the regular bottom field. Therefore, if the comparison result matches the settings of the above-mentioned file hash, the file is a white list.
Then, through the feature comparison of the Path/File Name 114, if the comparison conforms to the Path/File Name (Path/File Name) features of the blacklist, the result is the blacklist; if the comparison accords with the path/file name characteristics of the white list, the result is the white list. For example, the path/file name of the complete file is, for example, the file name and file path in the bottom field of the file information of fig. 3, and the file name and file path in the bottom field of the rule. Therefore, if the comparison result matches the setting of the file name and the file path, the file is a white list.
Finally, through the feature comparison of the partial file attributes 116, if the comparison conforms to the partial file attribute features of the blacklist, the result is the blacklist; if the attribute characteristics of the partial files which are in line with the white list are compared, the result is the white list. Part of the file attribute features are the features of the program itself. For one embodiment, the file attribute format is "original filename (product version) copyright"; that is, the partial document attribute feature includes three parts, original document name, product version and copyright. For example, the partial file attribute is characterized as "EXPLORER. EXE (10.0.19041.844)
All rights reserved, "wherein original filename 402 is characterized as EXPLORER EXE, product version 404 is characterized as (10.0.19041.844), and copyright 406 is characterized as @>
All rights reserved, file version 408 is characterized by 10.0.19041.844 and product name (file name) 410 is characterized by
Operating System, as shown in FIG. 4. Therefore, if the comparison result matches the setting of the attribute feature of the partial file, the file is a white list. It is usually the whitelist that is the newer version, so the older version can be distinguished.
In addition, by performing the above feature comparison of the complete document 108, the partial document 110, the Hash (Hash) 112, the path/file name 114 and the partial document attribute 116 of the document 102, if the comparison result does not match the features of the black list or the white list, the document is the gray list. After the comparison process managed by the application, the grey list is in principle prohibited from being executed. The matching order of the characteristics of the full certificate 108, the partial certificate 110, the Hash (Hash) 112, the path/file name 114, and the partial file attribute 116 of the executable file 102 may be adjusted according to the situation.
After the comparison process of the white list managed by the application program, the user finds that the program is blocked, and the program is basically a gray list. The black list is executed because it has uploaded blocking records and is not executed, while the white list is executed.
Referring to FIG. 1, as described above, the basic features of application hosting also include features of Dynamic Link Library (DLL) file 104 and features of file 106. The basic features of the Dynamic Link Library (DLL) file 104 include three aspects, a full credential 108, a Hash (Hash) 112, and a path/file name 114. Similarly, the application program also performs a comparison of the basic features of the Dynamic Link Library (DLL) file 104 via the server (console). Firstly, comparing the characteristics of the complete certificate 108; if the comparison accords with the complete certificate characteristics of the blacklist, the result is the blacklist; if the comparison accords with the complete certificate characteristics of the white list, the result is the white list. In one embodiment, the full credential signature of the white list includes a digital signature, as shown in FIG. 2. The digital signature is, for example, a signature thumb print, which is a record of thumb prints, such as the signature thumb print 302 in the underlying field of the document information of FIG. 3, and the signature thumb print 302 in the regular underlying field. Therefore, if the comparison result matches the record of the signature thumbprint, the file is a white list.
Then, comparing the characteristics of the Hash (Hash) 112, and if the comparison conforms to the Hash characteristics of the blacklist, the result is the blacklist; and if the comparison accords with the Hash characteristics of the white list, the result is the white list. For example, the complete document Hash is, for example, the document Hash in the underlying field of the document information of fig. 3, and the document Hash in the underlying field of the rule. Therefore, if the comparison result matches the settings of the file hash, the file is a white list.
Then, through the feature comparison of the Path/File Name 114, if the comparison conforms to the Path/File Name (Path/File Name) feature of the blacklist, the result is the blacklist; if the comparison accords with the path/file name characteristics of the white list, the result is the white list. For example, the path/file name of the complete file is, for example, the file name and file path in the bottom field of the file information of fig. 3, and the file name and file path in the regular bottom field. Therefore, if the comparison result matches the file name and the file path, the file is a white list.
Referring to FIG. 1, as described above, the basic features of application hosting also include features of a Dynamic Link Library (DLL) file 104 and features of a file 106. The basic features of the Dynamic Link Library (DLL) file 104 include three aspects, a full credential 108, a Hash (Hash) 112, and a path/file name 114. Similarly, the application program control also performs a comparison of the basic features of the Dynamic Link Library (DLL) file 104 via the server (console). Firstly, comparing the characteristics of the complete voucher 108; if the comparison accords with the complete certificate characteristics of the blacklist, the result is the blacklist; if the comparison accords with the complete certificate characteristics of the white list, the result is the white list. For one embodiment, the full credential attribute of the white list includes a digital signature, as shown in FIG. 2. The digital signature is, for example, a signature thumbprint, and is a record of thumbprints, such as the signature thumbprint 302 in the underlying field of the document information of FIG. 3, and the signature thumbprint 302 in the regular underlying field. Therefore, if the comparison result matches the record of the signature thumbprint, the file is a white list.
Similar to performing the feature matching of the file 102, the Dynamic Link Library (DLL) files 104 and 106 also perform the feature matching of the Hash 112 and the path/file name 114. The file 106 contains a text file that cannot be executed by itself, such as. If the Hash features are matched with the blacklist, the result is the blacklist; and if the comparison accords with the Hash characteristics of the white list, the result is the white list. For example, the full document Hash is, for example, the document Hash in the bottom field of the document information of fig. 3, and the document Hash in the regular bottom field. Therefore, if the comparison result matches the settings of the file hash, the file is a white list. Similarly, if the comparison accords with the path/file name characteristics of the blacklist, the result is the blacklist; if the comparison accords with the path/file name characteristics of the white list, the result is the white list. For example, the path/file name of the complete file is, for example, the file name and file path in the bottom field of the file information of fig. 3, and the file name and file path in the regular bottom field. Therefore, if the comparison result matches the file name and the file path, the file is a white list.
Compared with the conventional blacklist control and management mode, the invention provides an application program control and management method based on the file attribute characteristics. The application program control and management characteristic comparison scheme of the invention comprises the following characteristics:
(1) Complete voucher: the same credential program can be updated;
(2) Partial certificate: the partial certificate identity program may be updated (e.g., signer contains a string of Microsoft words, which may be arbitrary, words, or strings);
(3) Hash: the comparison condition is most strict, but the execution cannot be performed after the program is updated (for example, chrome can be updated every day in the background, and Chrome cannot be performed in the next second when the application program is tested and managed, which causes user trouble);
(4) Path + filename: the comparison condition is most loose, and the protection force is poorer;
(5) According to the investigation, many Windows built-in programs do not have certificates at present, so that only Hash or path + file name can be used, and better or more reasonable control and management characteristics of the application program cannot be obtained;
(6) The invention uses the file attribute of the program, and uses the certificate and partial file attribute as the characteristics of the control and management of the application program, so as to take the purposes of reasonable, safe, convenient and the like into consideration.
Changes may be made to the above-described application hosting method based on file attribute features without departing from the scope hereof. It is therefore to be noted that the matter contained in the above description and shown in the accompanying drawings should be interpreted in an illustrative and not a limiting sense. The following claims are intended to cover all generic and specific features described herein, as well as all statements of the scope of the present application-controlled method based on the attribute of a file, which, as a matter of language, might be said to fall therebetween.
Claims (10)
1. An application program control and management method based on file attribute characteristics is characterized by comprising the following steps:
setting an application program control and management characteristic in a server, wherein the characteristic comprises a first part of file attributes; comparing the first part file attribute with a second part file attribute of a file or a program through the server; and
if the first part of file attribute matches the second part of file attribute, the file or program is marked as executable white list.
2. The method as claimed in claim 1, wherein the first part of the file attributes include original file name, product version and copyright.
3. The method as claimed in claim 1, wherein the application program control and management features further comprise a complete certificate, wherein the file or program is an executable white list if the complete certificate matches a second complete certificate of the file or program.
4. The method as claimed in claim 3, wherein the full certificate comprises a digital signature.
5. The method of claim 4, wherein the digital signature comprises a signature thumbprint.
6. The method as claimed in claim 1, wherein the application program control feature further comprises a partial certificate, wherein the file or program is an executable white list if the partial certificate matches a second partial certificate of the file or program.
7. The method as claimed in claim 6, wherein the partial certificate comprises a signer, a certificate issuer, or a combination thereof.
8. The method as claimed in claim 1, wherein the application control feature further comprises hash.
9. The method as claimed in claim 8, wherein the file or program is an executable white list if the hash matches a second hash of the file or program.
10. The method as claimed in claim 1, wherein the application control feature further comprises a path/file name, and wherein the file or program is an executable white list if the path/file name matches a second path/file name of the file or program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111170248.9A CN115952474A (en) | 2021-10-08 | 2021-10-08 | Application program control and management method based on file attribute characteristics |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111170248.9A CN115952474A (en) | 2021-10-08 | 2021-10-08 | Application program control and management method based on file attribute characteristics |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115952474A true CN115952474A (en) | 2023-04-11 |
Family
ID=87295493
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111170248.9A Pending CN115952474A (en) | 2021-10-08 | 2021-10-08 | Application program control and management method based on file attribute characteristics |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115952474A (en) |
-
2021
- 2021-10-08 CN CN202111170248.9A patent/CN115952474A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8082442B2 (en) | Securely sharing applications installed by unprivileged users | |
| EP2441026B1 (en) | Anti-virus trusted files database | |
| RU2430413C2 (en) | Managing user access to objects | |
| US8646044B2 (en) | Mandatory integrity control | |
| US8171547B2 (en) | Method and system for real time classification of events in computer integrity system | |
| US8001596B2 (en) | Software protection injection at load time | |
| US8291493B2 (en) | Windows registry modification verification | |
| US7496576B2 (en) | Isolated access to named resources | |
| US20060236122A1 (en) | Secure boot | |
| JP2005129066A (en) | Operating system resource protection | |
| US20240095402A1 (en) | Methods and Systems for Recursive Descent Parsing | |
| TWI765690B (en) | Method of application control based on observation mode | |
| CN115952474A (en) | Application program control and management method based on file attribute characteristics | |
| TWI802040B (en) | Method of application control based on file attributes | |
| JP6355657B2 (en) | Process execution device, process execution method, and control program | |
| CN115964698A (en) | Application program control and management method based on different scanning schemes | |
| TWI789944B (en) | Method of application control based on different scanning schemes | |
| KR101265887B1 (en) | Renewable and individualizable elements of a protected computing environment | |
| CN115270101A (en) | Application program control and management method executed on user side | |
| TWI796683B (en) | Method of client-side application control | |
| CN115270102A (en) | Application program control and management method based on observation mode | |
| Griffiths et al. | Fireguard-A secure browser with reduced forensic footprint | |
| Lambert | Software Restriction Policies in Windows XP | |
| Sun | Practical information flow based techniques to safeguard host integrity |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |