CN116661975B - Process running control method and device, electronic equipment and storage medium - Google Patents

Publication number
CN116661975B
Authority
CN
China
Prior art keywords
feature
target
current
type
matching
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310898719.0A
Other languages
Chinese (zh)
Other versions
CN116661975A (en)
Inventor
张作宸
卢伟
肖鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin Zhuolang Kunlun Cloud Software Technology Co ltd
Original Assignee
Tianjin Zhuolang Kunlun Cloud Software Technology Co ltd
Application filed by Tianjin Zhuolang Kunlun Cloud Software Technology Co ltd
Priority to CN202310898719.0A
Publication of CN116661975A
Application granted
Publication of CN116661975B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/48 Program initiating; Program switching, e.g. by interrupt
    • G06F9/4806 Task transfer initiation or dispatching
    • G06F9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G06F9/4881 Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F2209/00 Indexing scheme relating to G06F9/00
    • G06F2209/48 Indexing scheme relating to G06F9/48
    • G06F2209/484 Precedence

Abstract

The application provides a process running control method and apparatus, an electronic device, and a storage medium, and relates to the field of computer technology. When process running control is performed, process feature information of a target process to be processed is acquired; the process feature information comprises feature information corresponding to at least two feature types. Feature matching is then performed between the process feature information and a preset feature library according to a preset feature type matching priority, to obtain a target matching result. In the feature type matching priority, the shorter the feature value calculation time of a feature type, the higher its matching priority; the feature library comprises a plurality of preset feature values for each feature type. Finally, running control is performed on the target process according to the target matching result. Feature matching is thus based on composite features, and feature calculation time is minimized while security is maintained, which improves the user experience.

Description

Process running control method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a process running control method and apparatus, an electronic device, and a storage medium.
Background
A Windows process blacklist/whitelist decides whether a process is allowed to start by acquiring the features of the process, before or just as it starts, and checking whether they match existing preset features. If starting is not allowed, the process start is intercepted through Hook technology. The technique is mainly used to block unauthorized applications from running.
Related prior art and products for realizing a black-and-white list of Windows processes on the market at present have the problem of poor user experience.
Disclosure of Invention
The application aims to provide a process running control method, a device, electronic equipment and a storage medium, so as to improve user experience.
In a first aspect, an embodiment of the present application provides a process running control method, including:
acquiring process characteristic information of a target process to be processed; the process characteristic information comprises characteristic information corresponding to at least two characteristic types;
performing feature matching on the process feature information and a preset feature library according to a preset feature type matching priority to obtain a target matching result; in the feature type matching priority, the matching priority corresponding to the feature type with shorter feature value calculation time is higher; the feature library comprises a plurality of preset feature values corresponding to each feature type;
and controlling the operation of the target process according to the target matching result.
Further, the at least two feature types include two or more of a first feature type, a second feature type, and a third feature type; the feature information corresponding to the first feature type is a target executable file corresponding to the target process, the feature information corresponding to the second feature type is attribute information of the target executable file, and the feature information corresponding to the third feature type is an icon of the target executable file; the second feature type has a higher matching priority than the first feature type, and the first feature type has a higher matching priority than the third feature type.
Further, the step of performing feature matching on the process feature information and a preset feature library according to a preset feature type matching priority to obtain a target matching result includes:
traversing each feature type in turn according to the feature type matching priority;
for the traversed current feature type, determining a current feature value corresponding to the current feature type according to feature information corresponding to the current feature type;
performing feature matching on the current feature value and a plurality of preset feature values corresponding to the current feature type in the feature library to obtain a current matching result;
when the current matching result is successful, determining that the target matching result is successful;
when the current matching result is that the matching fails, judging whether the traversal is completed or not;
when the traversal is not completed, continuing to traverse the next feature type;
and when the traversing is completed, determining the target matching result as matching failure.
Further, the current feature type is a first feature type, and the feature information corresponding to the first feature type is a target executable file corresponding to the target process; the determining the current feature value corresponding to the current feature type according to the feature information corresponding to the current feature type includes:
when the size of the target executable file is larger than or equal to a preset size, intercepting a plurality of pieces of content from the target executable file;
splicing the multiple pieces of content to obtain spliced content;
performing hash operation on the spliced content to obtain a first characteristic value;
and determining the first characteristic value as a current characteristic value corresponding to the current characteristic type.
Further, the current feature type is a second feature type, and feature information corresponding to the second feature type is attribute information of a target executable file corresponding to the target process; the determining the current feature value corresponding to the current feature type according to the feature information corresponding to the current feature type includes:
selecting target information from the attribute information of the target executable file; wherein the target information includes one or more of a file description, a type, a product name, a copyright, a language, and an original file name;
determining a second characteristic value according to the target information;
and determining the second characteristic value as a current characteristic value corresponding to the current characteristic type.
Further, the current feature type is a third feature type, and the feature information corresponding to the third feature type is an icon of a target executable file corresponding to the target process; the determining the current feature value corresponding to the current feature type according to the feature information corresponding to the current feature type includes:
sequentially reading the color information of each pixel point in the icon of the target executable file;
splicing the color information of each pixel point to obtain an initial color characteristic;
performing hash operation on the initial color characteristics to obtain a third characteristic value;
and determining the third characteristic value as a current characteristic value corresponding to the current characteristic type.
Further, the performing operation control on the target process according to the target matching result includes:
judging whether the target process is allowed to be started or not according to the target matching result and a rule mode corresponding to the feature library; wherein the rule pattern includes a blacklist pattern or a whitelist pattern;
and when the target process is not allowed to be started, intercepting the target process through a Hook technology.
In a second aspect, an embodiment of the present application further provides a process running control apparatus, including:
the information acquisition module is used for acquiring process characteristic information of a target process to be processed; the process characteristic information comprises characteristic information corresponding to at least two characteristic types;
the feature matching module is used for carrying out feature matching on the process feature information and a preset feature library according to the preset feature type matching priority to obtain a target matching result; in the feature type matching priority, the matching priority corresponding to the feature type with shorter feature value calculation time is higher; the feature library comprises a plurality of preset feature values corresponding to each feature type;
and the operation control module is used for performing operation control on the target process according to the target matching result.
In a third aspect, an embodiment of the present application further provides an electronic device, including a memory, and a processor, where the memory stores a computer program that can be executed on the processor, and the processor implements the process running control method according to the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application further provides a storage medium, where a computer program is stored, where the computer program when executed by a processor performs the process running control method according to the first aspect.
The embodiment of the application provides a process operation control method, a device, electronic equipment and a storage medium, wherein when process operation control is carried out, process characteristic information of a target process to be processed is acquired; the process characteristic information comprises characteristic information corresponding to at least two characteristic types; then, according to the preset feature type matching priority, performing feature matching on the process feature information and a preset feature library to obtain a target matching result; in the feature type matching priority, the shorter the feature value calculation time is, the higher the matching priority corresponding to the feature type is; the feature library comprises a plurality of preset feature values corresponding to each feature type; and further, according to the target matching result, performing operation control on the target process. Therefore, feature matching is performed based on the composite features, and feature calculation time is minimized on the premise of ensuring safety, so that user experience is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present application, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a process operation control method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of feature matching in a process operation control method according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a process running control device according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions of the present application will be clearly and completely described in connection with the embodiments, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Existing techniques and products on the market that implement a Windows process blacklist/whitelist match features in the following ways:
1) Path: whether the process lies in a blacklisted or whitelisted path is judged from its path. This scheme may fail because the user copies an unauthorized application into such a path and runs it there, or because the unauthorized application is copied to a designated location and renamed.
2) Digital signature: the digital signature of the process is checked to see whether the signature attributes match. This approach can block software by mistake: for example, a user may wish to disable only a certain manufacturer's entertainment software while still allowing its communications software, but once the digital signature is imported, none of that vendor's software can run. In addition, reading the digital signature of a large executable file is time-consuming and affects the user experience.
3) File feature code: whether the process file matches is judged from the feature code of the process file. The feature code of the executable file is calculated first, and a match is then decided by checking whether that feature code exists in the feature library. The disadvantages are that for large executable files the calculation takes a long time, which affects the user experience, and that upgrading or updating the application changes its feature code, so that the application can no longer run.
Based on the above, the process running control method, apparatus, electronic device and storage medium provided by the embodiments of the application optimize and extend the feature calculation methods on the basis of existing feature matching, thereby reducing feature calculation time, widening the choice of allow policies, and improving the user experience.
For the sake of understanding the present embodiment, a detailed description will be first given of a process running control method disclosed in the present embodiment.
The embodiment of the application provides a process running control method which can be executed by an electronic device with data processing capability. The method implements a Windows process blacklist/whitelist based on composite features, and the main flow is as follows: first, feature values of preset executable files are calculated, and a feature library is built from the resulting preset feature values; then, a process is intercepted by Hook means before it starts or just as it starts; then, at least two feature values are calculated from the full path of the process to be started and compared in turn with the corresponding preset feature values in the feature library; finally, whether the process is allowed to start is determined from the comparison result and from whether the rule is a blacklist or a whitelist. Specifically, if a matching preset feature value is found and the feature library is a blacklist, the process is not allowed to start, that is, the process is intercepted; if a matching preset feature value is found and the feature library is a whitelist, the process is allowed to start; if no matching preset feature value is found and the feature library is a blacklist, the process is allowed to start; if no matching preset feature value is found and the feature library is a whitelist, the process is not allowed to start.
Referring to a flow chart of a process operation control method shown in fig. 1, the method mainly includes the following steps S102 to S106:
Step S102, process feature information of a target process to be processed is acquired; the process feature information comprises feature information corresponding to at least two feature types.
The embodiment of the application provides three selectable feature types, whose feature values are calculated from the target executable file corresponding to the target process, the attribute information of the target executable file, and the icon of the target executable file, respectively. That is, the at least two feature types include two or more of a first feature type, a second feature type, and a third feature type; the feature information corresponding to the first feature type is a target executable file corresponding to the target process, the feature information corresponding to the second feature type is attribute information of the target executable file, and the feature information corresponding to the third feature type is an icon of the target executable file.
Step S104, performing feature matching on the process feature information and a preset feature library according to a preset feature type matching priority to obtain a target matching result; in the feature type matching priority, the shorter the feature value calculation time is, the higher the matching priority corresponding to the feature type is; the feature library comprises a plurality of preset feature values corresponding to each feature type.
In some possible embodiments, as shown in fig. 2, step S104 may be implemented by the following procedure:
Step S202, according to the feature type matching priority, traversing each feature type in turn.
For the three feature types, the feature type matching priority includes that the matching priority of the second feature type is higher than the matching priority of the first feature type, and the matching priority of the first feature type is higher than the matching priority of the third feature type.
Step S204, for the traversed current feature type, determining a current feature value corresponding to the current feature type according to the feature information corresponding to the current feature type.
How to obtain the corresponding feature values is described below for the three feature types described above, respectively.
(1) The current feature type is a first feature type, and the feature information corresponding to the first feature type is a target executable file corresponding to a target process
When the size of the target executable file is smaller than the preset size, a hash operation is performed on the whole target executable file to obtain a first feature value, and the first feature value is taken as the current feature value corresponding to the current feature type. When the size of the target executable file is larger than or equal to the preset size, multiple pieces of content are taken from the target executable file; the pieces are spliced to obtain spliced content; a hash operation is performed on the spliced content to obtain the first feature value; and the first feature value is taken as the current feature value corresponding to the current feature type. The hash operation may use a hash algorithm such as MD5 or SHA-256; the preset size can be set according to actual requirements and is not limited here. The pieces of content can be taken from the target executable file according to a preset sampling scheme, for example a first number of bytes at the start of the file and a second number of bytes at the end, together with several segments of bytes from the middle; the length of each segment can be set according to actual requirements. The pieces can be spliced in the order in which they occur in the target executable file, or in a custom order.
For example, for an executable file smaller than P bytes, the feature code is computed over the entire file. An executable file of P bytes or more is not read in full to calculate its feature code: the first M bytes and the last N bytes of the file are taken, Q further segments of R bytes each are selected at positions determined by the total length of the file, and the samples are spliced together and hashed. This gives a fast calculation and reduces waiting time.
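The sampling scheme above can be sketched as follows; this is an added example, not code from the patent. The values chosen for P, M, N, Q and R, the even spacing of the middle segments, and the function names are all assumptions made for illustration.

```python
import hashlib
import io

# Assumed demo parameters: the patent leaves P, M, N, Q and R unspecified.
P = 4096   # size threshold (bytes) below which the whole file is hashed
M = 512    # bytes taken from the start of the file
N = 512    # bytes taken from the end of the file
Q = 4      # number of middle segments
R = 64     # length of each middle segment (bytes)


def sample_ranges(size, head=M, tail=N, segments=Q, seg_len=R):
    """Return ordered, non-overlapping (offset, length) ranges to read."""
    tail_start = max(head, size - tail)
    ranges = [(0, min(head, size))]
    cursor, span = head, tail_start - head
    for i in range(1, segments + 1):
        # Spread segment starts evenly over the middle, based on total length.
        start = max(cursor, head + span * i // (segments + 1))
        end = min(start + seg_len, tail_start)
        if end > start:
            ranges.append((start, end - start))
            cursor = end
    if size > tail_start:
        ranges.append((tail_start, size - tail_start))
    return ranges


def first_feature_value(stream, size, threshold=P):
    """First feature type: full hash for small files, sampled hash otherwise."""
    digest = hashlib.sha256()  # the text permits MD5 or SHA-256
    if size < threshold:
        stream.seek(0)
        for chunk in iter(lambda: stream.read(65536), b""):
            digest.update(chunk)
        return digest.hexdigest()
    # Splice the samples in file order by feeding them to one hash object.
    for offset, length in sample_ranges(size):
        stream.seek(offset)
        digest.update(stream.read(length))
    return digest.hexdigest()


def coverage(size, threshold=P):
    """Fraction of the file's bytes that influence the feature value."""
    if size < threshold:
        return 1.0
    return sum(length for _, length in sample_ranges(size)) / size


if __name__ == "__main__":
    big = bytes(range(256)) * 64  # constructed 16 KiB stand-in for an executable
    print(sample_ranges(len(big)))
    print(first_feature_value(io.BytesIO(big), len(big)))
    print(f"coverage: {coverage(len(big)):.1%}")
```

Only the sampled ranges influence the value, so a library entry of this feature type identifies a large file by those regions alone; `coverage` reports how much of the file that is.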
(2) The current feature type is a second feature type, and feature information corresponding to the second feature type is attribute information of a target executable file corresponding to a target process
Target information is selected from the attribute information of the target executable file; the target information includes one or more of file description, type, product name, copyright, language, and original file name. A second feature value is then determined from the target information and taken as the current feature value corresponding to the current feature type. The target information may be used directly as the second feature value, or it may first be processed, for example by splicing or by a hash operation; if the target information includes a product name and an original file name, the two may be spliced into one string to obtain the second feature value.
This approach uses the detailed information shown in the right-click Properties of the executable file as the feature code. Acquiring this information is not affected by file size: even if an executable file is very large, for example more than 10 GB, the details can still be obtained easily and quickly through the Windows API. The details contain many attributes, such as file description, type, file version, product name, product version, copyright, size, modification date, language and original file name; several of these are flexibly selected as features (file version, product version, size and modification date are not selected), so that software upgrades do not affect matching.
(3) The current feature type is a third feature type, and feature information corresponding to the third feature type is an icon of a target executable file corresponding to a target process
The color information of each pixel in the icon of the target executable file is read in sequence; the color information of the pixels is spliced to obtain an initial color feature; a hash operation is performed on the initial color feature to obtain a third feature value; and the third feature value is taken as the current feature value corresponding to the current feature type. The color information may be red, green, blue and alpha (RGBA) values, or may be converted to another color space (that is, other color representations may also be used). RGBA values can be read directly, which is simple and convenient. The hash operation may use a hash algorithm such as MD5 or SHA-256.
This approach uses the icon of the executable file as the feature code. The icon of the executable file is read through the Windows API, all pixels are read in sequence, the pixel colors are spliced together as a character string, and a hash value is then calculated as the feature code. This approach executes quickly, is generally unaffected by program upgrades, and is easy to maintain.
Step S206, performing feature matching on the current feature value and a plurality of preset feature values corresponding to the current feature type in the feature library to obtain a current matching result. When the current matching result is that the matching is successful, executing step S208; when the current matching result is a matching failure, step S210 is performed.
The specific feature matching process may refer to the related art, and is not limited herein.
Step S208, determining that the target matching result is successful.
Step S210, judging whether the traversal is completed. When the traversal is not completed, re-executing the step S202, and continuing to traverse the next feature type; when the traversal is completed, step S212 is performed.
Step S212, determining the target matching result as the matching failure.
Thus, a target matching result is obtained.
Step S106, performing running control on the target process according to the target matching result.
Whether the target process is allowed to be started or not can be judged according to the target matching result and the rule mode corresponding to the feature library; wherein the rule pattern includes a blacklist pattern or a whitelist pattern; when the target process is not allowed to start, intercepting the target process through the Hook technology.
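The traversal of steps S202 to S212 and the decision of step S106 can be sketched as follows; this is an added example, not code from the patent. The dictionary layout, the `|` separator, the attribute key names and the sample processes are constructed for illustration, and the file feature hashes the whole file for brevity.

```python
import hashlib
from enum import Enum


class Mode(Enum):
    BLACKLIST = "blacklist"
    WHITELIST = "whitelist"


def attribute_feature(attrs, fields=("ProductName", "OriginalFilename")):
    """Second feature type: splice selected attributes (no version, size or date)."""
    return "|".join(attrs.get(name, "") for name in fields)


def file_feature(data):
    """First feature type; whole-file SHA-256 here, sampling omitted."""
    return hashlib.sha256(data).hexdigest()


def icon_feature(pixels):
    """Third feature type: splice each pixel's RGBA as text, then hash."""
    text = "".join(f"{r:02x}{g:02x}{b:02x}{a:02x}" for r, g, b, a in pixels)
    return hashlib.sha256(text.encode("ascii")).hexdigest()


def match_by_priority(process, library):
    """Steps S202-S212. Returns (matched, matched_type, computed_types)."""
    extractors = [  # priority order from the text: attribute > file > icon
        ("attribute", lambda: attribute_feature(process["attrs"])),
        ("file", lambda: file_feature(process["data"])),
        ("icon", lambda: icon_feature(process["icon"])),
    ]
    computed = []
    for ftype, compute in extractors:
        value = compute()  # computed lazily, only if earlier types missed
        computed.append(ftype)
        if value in library.get(ftype, set()):
            return True, ftype, computed
    return False, None, computed


def allow_start(matched, mode):
    """Step S106: a blacklist blocks on a match, a whitelist blocks on no match."""
    return matched if mode is Mode.WHITELIST else not matched


def control(process, library, mode):
    matched, ftype, computed = match_by_priority(process, library)
    return allow_start(matched, mode), ftype, computed


# Constructed sample data, not taken from the patent.
ICON = [(255, 0, 0, 255)] * 4 + [(0, 0, 255, 255)] * 4
GAME = {
    "attrs": {"ProductName": "Example Game", "OriginalFilename": "game.exe"},
    "data": b"MZ example game build 1",
    "icon": ICON,
}
GAME_UPGRADED = dict(GAME, data=b"MZ example game build 2")
GAME_LOCALIZED = {
    "attrs": {"ProductName": "Example Game (DE)", "OriginalFilename": "game_de.exe"},
    "data": b"MZ example game localized",
    "icon": ICON,
}
EDITOR = {
    "attrs": {"ProductName": "Example Editor", "OriginalFilename": "edit.exe"},
    "data": b"MZ example editor",
    "icon": [(0, 128, 0, 255)] * 8,
}
LIBRARY = {
    "attribute": {attribute_feature(GAME["attrs"])},
    "file": {file_feature(GAME["data"])},
    "icon": {icon_feature(ICON)},
}

if __name__ == "__main__":
    for name, proc in [("game", GAME), ("upgraded", GAME_UPGRADED),
                       ("localized", GAME_LOCALIZED), ("editor", EDITOR)]:
        print(name, control(proc, LIBRARY, Mode.BLACKLIST))
```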
In the process operation control method provided by the embodiment of the application, when the process operation control is performed, the process characteristic information of the target process to be processed is acquired; the process characteristic information comprises characteristic information corresponding to at least two characteristic types; then, according to the preset feature type matching priority, performing feature matching on the process feature information and a preset feature library to obtain a target matching result; in the feature type matching priority, the shorter the feature value calculation time is, the higher the matching priority corresponding to the feature type is; the feature library comprises a plurality of preset feature values corresponding to each feature type; and further, according to the target matching result, performing operation control on the target process. Therefore, feature matching is performed based on the composite features, and feature calculation time is minimized on the premise of ensuring safety, so that user experience is improved.
Corresponding to the above-mentioned process operation control method, the embodiment of the application also provides a process operation control device. Referring to fig. 3, a schematic structure of a process operation control apparatus is shown, which includes:
an information obtaining module 301, configured to obtain process feature information of a target process to be processed; the process characteristic information comprises characteristic information corresponding to at least two characteristic types;
the feature matching module 302 is configured to match the process feature information with a preset feature library according to a preset feature type matching priority, so as to obtain a target matching result; in the feature type matching priority, the shorter the feature value calculation time is, the higher the matching priority corresponding to the feature type is; the feature library comprises a plurality of preset feature values corresponding to each feature type;
and the operation control module 303 is configured to perform operation control on the target process according to the target matching result.
Further, the at least two feature types include two or more of a first feature type, a second feature type, and a third feature type; the feature information corresponding to the first feature type is a target executable file corresponding to the target process, the feature information corresponding to the second feature type is attribute information of the target executable file, and the feature information corresponding to the third feature type is an icon of the target executable file; the second feature type has a higher matching priority than the first feature type, and the first feature type has a higher matching priority than the third feature type.
Further, the feature matching module 302 is specifically configured to: traversing each feature type in turn according to the feature type matching priority; for the traversed current feature type, determining a current feature value corresponding to the current feature type according to feature information corresponding to the current feature type; performing feature matching on the current feature value and a plurality of preset feature values corresponding to the current feature type in the feature library to obtain a current matching result; when the current matching result is successful, determining that the target matching result is successful; when the current matching result is that the matching fails, judging whether the traversal is completed or not; when the traversal is not completed, continuing to traverse the next feature type; and when the traversal is completed, determining that the target matching result is a matching failure.
Optionally, the current feature type is a first feature type, and feature information corresponding to the first feature type is a target executable file corresponding to a target process; based on this, the feature matching module 302 is further configured to: when the size of the target executable file is larger than or equal to the preset size, intercepting a plurality of pieces of content from the target executable file; splicing the multiple pieces of content to obtain spliced content; performing hash operation on the spliced content to obtain a first characteristic value; and determining the first characteristic value as a current characteristic value corresponding to the current characteristic type.
Optionally, the current feature type is a second feature type, and feature information corresponding to the second feature type is attribute information of a target executable file corresponding to the target process; based on this, the feature matching module 302 is further configured to: selecting target information from attribute information of a target executable file; wherein the target information includes one or more of file description, type, product name, copyright, language, and original file name; determining a second characteristic value according to the target information; and determining the second characteristic value as the current characteristic value corresponding to the current characteristic type.
Optionally, the current feature type is a third feature type, and feature information corresponding to the third feature type is an icon of a target executable file corresponding to the target process; the feature matching module 302 is further configured to: sequentially reading the color information of each pixel point in the icon of the target executable file; splicing the color information of each pixel point to obtain an initial color characteristic; performing hash operation on the initial color characteristics to obtain a third characteristic value; and determining the third characteristic value as the current characteristic value corresponding to the current characteristic type.
Further, the operation control module 303 is specifically configured to: judging whether to allow the target process to start or not according to the target matching result and the rule mode corresponding to the feature library; wherein the rule pattern includes a blacklist pattern or a whitelist pattern; when the target process is not allowed to start, intercepting the target process through the Hook technology.
The implementation principle and the generated technical effects of the process operation control device provided in this embodiment are the same as those of the foregoing process operation control method embodiment, and for brevity description, reference may be made to corresponding contents in the foregoing process operation control method embodiment where the embodiment portion of the process operation control device is not mentioned.
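The matching flow performed by modules 302 and 303, as an added Python example that is not code from the patent: it computes the three feature values, traverses them in the stated priority order, and applies the blacklist or whitelist rule. SHA-256, the piece positions and length, the preset size, the way attribute fields are joined, RGBA pixels, hashing small files whole, and all names and sample data are assumptions made here.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple

PRESET_SIZE = 1024   # assumed "preset size" threshold, in bytes
PIECE_LEN = 64       # assumed length of each extracted piece
ATTR_FIELDS = ("file_description", "type", "product_name",
               "copyright", "language", "original_file_name")
PRIORITY = ("attributes", "file", "icon")  # second > first > third type


def file_value(image: bytes) -> str:
    """First feature type: hash of pieces spliced from a large executable."""
    if len(image) >= PRESET_SIZE:
        mid = len(image) // 2
        # Assumed piece positions: head, middle and tail.
        image = image[:PIECE_LEN] + image[mid:mid + PIECE_LEN] + image[-PIECE_LEN:]
    # Assumption: files below the preset size are hashed whole.
    return hashlib.sha256(image).hexdigest()


def attribute_value(attrs: Dict[str, str]) -> str:
    """Second feature type: value derived from selected file attributes."""
    # Assumption: fields are joined with a unit separator and hashed.
    joined = "\x1f".join(attrs.get(name, "") for name in ATTR_FIELDS)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def icon_value(pixels: List[Tuple[int, int, int, int]]) -> str:
    """Third feature type: hash of every pixel's RGBA colour, in order."""
    return hashlib.sha256(b"".join(bytes(p) for p in pixels)).hexdigest()


def match(process: dict, library: Dict[str, Set[str]]) -> Optional[str]:
    """Return the first feature type that matches, or None if none does."""
    extractors = {
        "attributes": lambda: attribute_value(process["attrs"]),
        "file": lambda: file_value(process["image"]),
        "icon": lambda: icon_value(process["icon"]),
    }
    for feature_type in PRIORITY:
        # Each value is computed only when its turn comes, so a hit on a
        # cheap feature skips the more expensive ones.
        if extractors[feature_type]() in library.get(feature_type, set()):
            return feature_type
    return None


def allow_start(process: dict, library: Dict[str, Set[str]], mode: str) -> bool:
    """Blacklist: a match blocks the start. Whitelist: only a match allows it."""
    if mode not in ("blacklist", "whitelist"):
        raise ValueError("mode must be 'blacklist' or 'whitelist'")
    matched = match(process, library) is not None
    return matched if mode == "whitelist" else not matched


# Constructed sample data: one known program and the library built from it.
KNOWN = {
    "attrs": {"product_name": "Example Tool", "original_file_name": "tool.exe"},
    "image": bytes(range(256)) * 16,                 # 4096 bytes, so sampled
    "icon": [(255, 0, 0, 255), (0, 255, 0, 255)],    # two RGBA pixels
}
LIBRARY = {
    "attributes": {attribute_value(KNOWN["attrs"])},
    "file": {file_value(KNOWN["image"])},
    "icon": {icon_value(KNOWN["icon"])},
}

if __name__ == "__main__":
    relabelled = dict(KNOWN, attrs={"product_name": "Other"})
    print(match(KNOWN, LIBRARY), match(relabelled, LIBRARY))
    print(allow_start(relabelled, LIBRARY, "blacklist"))
```

Because the sampled hash covers only the extracted pieces and the attribute fields are declared by the file itself, a match is weaker evidence than a full-file hash or a signature check, which matters most in whitelist mode.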
As shown in fig. 4, an electronic device 400 provided in an embodiment of the present application includes a processor 401, a memory 402, and a bus; the memory 402 stores a computer program executable on the processor 401, and when the electronic device 400 is operating, the processor 401 and the memory 402 communicate with each other through the bus, and the processor 401 executes the computer program to implement the above-described process operation control method.
Specifically, the memory 402 and the processor 401 described above can be general-purpose memories and processors, and are not particularly limited herein.
An embodiment of the application also provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the process operation control method of the foregoing method embodiment is performed. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a RAM, a magnetic disk, or an optical disk.
Any particular values in all examples shown and described herein are to be construed as merely illustrative and not a limitation, and thus other examples of exemplary embodiments may have different values.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative. For example, the division into units is merely a division by logical function, and other divisions are possible in an actual implementation; as a further example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some communication interface, device, or unit, and may be electrical, mechanical, or of another form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (8)

1. A process operation control method, comprising:
acquiring process characteristic information of a target process to be processed; the process characteristic information comprises characteristic information corresponding to at least two characteristic types;
performing feature matching on the process feature information and a preset feature library according to a preset feature type matching priority to obtain a target matching result; in the feature type matching priority, the matching priority corresponding to the feature type with shorter feature value calculation time is higher; the feature library comprises a plurality of preset feature values corresponding to each feature type;
performing operation control on the target process according to the target matching result;
wherein performing feature matching on the process feature information and the preset feature library according to the preset feature type matching priority to obtain the target matching result comprises:
traversing each feature type in turn according to the feature type matching priority;
for the traversed current feature type, determining a current feature value corresponding to the current feature type according to feature information corresponding to the current feature type;
performing feature matching on the current feature value and a plurality of preset feature values corresponding to the current feature type in the feature library to obtain a current matching result;
when the current matching result is successful, determining that the target matching result is successful;
when the current matching result is that the matching fails, judging whether the traversal is completed or not;
when the traversal is not completed, continuing to traverse the next feature type;
when traversing is completed, determining the target matching result as matching failure;
the current feature type is a first feature type, and the feature information corresponding to the first feature type is a target executable file corresponding to the target process; the determining the current feature value corresponding to the current feature type according to the feature information corresponding to the current feature type includes:
when the size of the target executable file is larger than or equal to a preset size, intercepting a plurality of pieces of content from the target executable file;
splicing the multiple pieces of content to obtain spliced content;
performing hash operation on the spliced content to obtain a first characteristic value;
and determining the first characteristic value as a current characteristic value corresponding to the current characteristic type.
2. The process operation control method according to claim 1, wherein the at least two feature types include two or more of a first feature type, a second feature type, and a third feature type; the feature information corresponding to the first feature type is a target executable file corresponding to the target process, the feature information corresponding to the second feature type is attribute information of the target executable file, and the feature information corresponding to the third feature type is an icon of the target executable file; the second feature type has a higher matching priority than the first feature type, and the first feature type has a higher matching priority than the third feature type.
3. The process operation control method according to claim 1, wherein the current feature type is a second feature type, and feature information corresponding to the second feature type is attribute information of a target executable file corresponding to the target process; the determining the current feature value corresponding to the current feature type according to the feature information corresponding to the current feature type includes:
selecting target information from the attribute information of the target executable file; wherein the target information includes one or more of a file description, a type, a product name, a copyright, a language, and an original file name;
determining a second characteristic value according to the target information;
and determining the second characteristic value as a current characteristic value corresponding to the current characteristic type.
4. The process operation control method according to claim 1, wherein the current feature type is a third feature type, and feature information corresponding to the third feature type is an icon of a target executable file corresponding to the target process; the determining the current feature value corresponding to the current feature type according to the feature information corresponding to the current feature type includes:
sequentially reading the color information of each pixel point in the icon of the target executable file;
splicing the color information of each pixel point to obtain an initial color characteristic;
performing hash operation on the initial color characteristics to obtain a third characteristic value;
and determining the third characteristic value as a current characteristic value corresponding to the current characteristic type.
5. The process operation control method according to claim 1, wherein the performing operation control on the target process according to the target matching result comprises:
judging whether the target process is allowed to be started or not according to the target matching result and a rule mode corresponding to the feature library; wherein the rule pattern includes a blacklist pattern or a whitelist pattern;
and when the target process is not allowed to be started, intercepting the target process through a Hook technology.
6. A process operation control apparatus, comprising:
the information acquisition module is used for acquiring process characteristic information of a target process to be processed; the process characteristic information comprises characteristic information corresponding to at least two characteristic types;
the feature matching module is used for carrying out feature matching on the process feature information and a preset feature library according to the preset feature type matching priority to obtain a target matching result; in the feature type matching priority, the matching priority corresponding to the feature type with shorter feature value calculation time is higher; the feature library comprises a plurality of preset feature values corresponding to each feature type;
the operation control module is used for performing operation control on the target process according to the target matching result;
the feature matching module is specifically configured to: traversing each feature type in turn according to the feature type matching priority; for the traversed current feature type, determining a current feature value corresponding to the current feature type according to feature information corresponding to the current feature type; performing feature matching on the current feature value and a plurality of preset feature values corresponding to the current feature type in the feature library to obtain a current matching result; when the current matching result is successful, determining that the target matching result is successful; when the current matching result is that the matching fails, judging whether the traversal is completed or not; when the traversal is not completed, continuing to traverse the next feature type; when traversing is completed, determining the target matching result as matching failure;
the current feature type is a first feature type, and the feature information corresponding to the first feature type is a target executable file corresponding to the target process; the feature matching module is further configured to: when the size of the target executable file is larger than or equal to a preset size, intercepting a plurality of pieces of content from the target executable file; splicing the multiple pieces of content to obtain spliced content; performing hash operation on the spliced content to obtain a first characteristic value; and determining the first characteristic value as a current characteristic value corresponding to the current characteristic type.
7. An electronic device comprising a memory, a processor, the memory having stored therein a computer program executable on the processor, characterized in that the processor implements the process run control method of any of claims 1-5 when the computer program is executed by the processor.
8. A storage medium having a computer program stored thereon, wherein the computer program when executed by a processor performs the process operation control method according to any one of claims 1 to 5.
CN202310898719.0A 2023-07-21 2023-07-21 Process running control method and device, electronic equipment and storage medium Active CN116661975B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310898719.0A CN116661975B (en) 2023-07-21 2023-07-21 Process running control method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116661975A CN116661975A (en) 2023-08-29
CN116661975B true CN116661975B (en) 2023-10-13

Family

ID=87728213

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310898719.0A Active CN116661975B (en) 2023-07-21 2023-07-21 Process running control method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116661975B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7191436B1 (en) * 2001-03-08 2007-03-13 Microsoft Corporation Computer system utility facilitating dynamically providing program modifications for identified programs
CN103235912A (en) * 2013-04-12 2013-08-07 福建伊时代信息科技股份有限公司 Device and method for recognizing trusted processes
BR102014027053A2 (en) * 2013-11-19 2016-09-27 Baidu Internat Technology Shenzhen Co Ltd virus processing method, virus processing apparatus and computer readable storage media comprising a computer readable program
CN107122663A (en) * 2017-04-28 2017-09-01 成都梆梆信息科技有限公司 A kind of detection method for injection attack and device
CN110765090A (en) * 2019-10-31 2020-02-07 泰康保险集团股份有限公司 Log data management method and device, storage medium and electronic equipment
CN111125417A (en) * 2019-12-30 2020-05-08 深圳云天励飞技术有限公司 Data searching method and device, electronic equipment and storage medium
CN112560952A (en) * 2020-12-16 2021-03-26 珠海格力电器股份有限公司 Supplier assessment method and device, electronic equipment and storage medium
CN113052197A (en) * 2019-12-28 2021-06-29 中移(成都)信息通信科技有限公司 Method, apparatus, device and medium for identity recognition
CN116302964A (en) * 2023-02-08 2023-06-23 超聚变数字技术有限公司 Safety test method, test equipment and medium of software system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103685151B (en) * 2012-09-03 2018-05-22 腾讯科技(深圳)有限公司 The guard method of account single-sign-on and device
US11308029B2 (en) * 2016-04-28 2022-04-19 Huawei Technologies Co., Ltd. File saving method and electronic device

Also Published As

Publication number Publication date
CN116661975A (en) 2023-08-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant