TWI328179B - Controlling module for programs and method for the same - Google Patents

Controlling module for programs and method for the same

Publication number
TWI328179B
Authority
TW
Taiwan
Prior art keywords
application
client
permission
update
control unit
Prior art date
Application number
TW95145253A
Other languages
Chinese (zh)
Other versions
TW200825832A (en)
Inventor
Wen Chang Huang
Original Assignee
Fineart Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fineart Technology Co Ltd
Priority to TW95145253A
Publication of TW200825832A
Application granted
Publication of TWI328179B

Landscapes

  • Storage Device Security (AREA)

Description

IX. Description of the Invention

[Technical Field]

The present invention relates to a module and method for controlling application programs, and more particularly to a module and method for restricting the operation permissions of client applications.

[Prior Art]

With the development of information technology, enterprises increasingly rely on computers to carry out their business, but the spread of information technology also brings risk from external threats such as viruses, backdoor programs and attacks on system vulnerabilities. Information protection has therefore become an important issue for enterprises.

Threats to information security come not only from external attacks but, more likely, from inside. Surveys have found that the source of threats to enterprise information security is in fact malicious behaviour and non-malicious operating mistakes, so access behaviour inside the enterprise is where information-security threats are hidden. How to solve the internal information security problem is an important security issue that enterprises must face.

Information security management is mostly built from a server end and client ends, with the operations performed on the clients being controlled. Software on the market therefore centrally manages and controls multiple client computers and applies the corresponding restrictions according to each client's authorization level. Such control modules, however, can only restrict an enterprise's internal access to external information, for example browsing external web pages or downloading programs from specific URLs, and can only block program operation or web page access altogether; they cannot restrict only specific functions. For example, current monitoring modules cannot allow external web pages to be browsed while restricting operations such as saving specific web page information or cutting and pasting web pages.

How to manage user operating behaviour efficiently when users access internal enterprise information, for example an enterprise resource planning (Enterprise Resource Planning, ERP) system, and prevent malicious or mistaken operations from opening holes in information security management, is therefore a problem that urgently needs solving.

The present invention accordingly discloses a control module and method that can restrict the operation of applications and web pages on a client and manage and update the related permission data, so as to solve the above problems.

[Summary of the Invention]

The present invention discloses a module and method for controlling the operation of client programs and web pages. The invention comprises at least an input end (console), a server end (server) and a client (client). The input end is responsible for receiving and passing on change-permission commands. The server end changes the permission data stored on the server end according to the command passed in from the input end, notifies the client of the change-permission event, and updates the permission data stored on the client. The client obtains the updated permission data in response to the notification message from the server end and uses it to restrict the operation permissions of the client applications. With this module and method, the invention achieves the purpose of restricting the operation of client programs.

The present invention also discloses a module and method for centrally controlling the operation of application software on a plurality of clients, so as to achieve immediate and unified control. In one embodiment of the invention, the server end and the client each contain a database. The database contains a set of permission data storage tables and control pointers; through the correspondence between the records in the permission data storage tables and the control pointers, the permission data of a plurality of clients regarding application operation can be managed and updated uniformly at the server end.

[Embodiments]

The present invention is described in detail below with reference to its preferred embodiments and the accompanying drawings. It should be understood that all preferred embodiments of the invention are for illustration only; apart from the preferred embodiments and reference drawings described in this specification, the invention can also be widely applied in other embodiments. The invention is not limited to any embodiment and is to be defined by the appended claims and their equivalents.

Figure 1 shows one embodiment of the invention. The control module comprises an input end 100, a server end 200 and a client 300. The input end 100 receives and transmits operation-permission commands for controlled applications. The server end 200 stores the permission data, passes operation-permission data between the input end 100 and the client 300, and updates the operation-permission data stored on the client 300. The client 300 updates the operation-permission data stored on the client according to the change-permission event message sent by the server, and restricts the operation permissions of the applications on the client accordingly. With this architecture the control module can restrict the operation of the client's applications. The control module of the invention is suitable for internal network environments such as homes and offices, but is not limited to these; it can also be applied to any network environment in which the operation of client applications needs to be controlled, such as libraries and Internet cafes.

The functions of the control module in the above embodiment are described in more detail as follows. The input end 100 receives and outputs the commands entered by the user in order to notify the server end 200 to change the permission data stored in the database. The input commands include commands to add, modify or delete restrictions or permissions on specific functions of a controlled application, and to query the status of such an item. More specifically, the items in a change-permission command that restrict the operating functions of a controlled application include: prohibiting printing of specific data, disabling copying of specific information, disabling the keyboard, disabling Save As, and disabling dragging of data with the mouse. Another embodiment also restricts access to web page information, with items including: prohibiting printing, disabling copying of specific information, disabling the keyboard, disabling Save As, disabling dragging of data with the mouse, prohibiting sending a web page by e-mail, and prohibiting viewing of the source file.

In one embodiment of the invention, the input end is a user interface, and the user controls the operation permissions of a specific application by clicking options on the interface. The user can click a function key of the user interface, for example the option to disable specific functions, to open a window pane whose fields include the name, type and function options of the controlled software. By clicking the modify option at the top of the screen and entering the name of the controlled program in the window, the user opens the permission setting window and enters the permission settings. The permission setting window contains a plurality of predefined fields; the user ticks the fields according to the function each corresponds to in order to enable or disable specific functions, which completes the input at the input end.

Another embodiment of the invention concerns restricting web page operations. In that embodiment the operating interface is similar to the interface for controlling a specific application described above, but the control target entered by the user is a URL.

In an embodiment of the invention, the server end 200 has the following functions: receiving the change-permission commands entered at the input end, and storing, updating and transmitting the permission data of the controlled applications on the client.

The server 200 comprises a data receiving and transmitting unit 201, a processing unit 202 and a database unit 203. The data receiving and transmitting unit 201 receives the change-permission information from the input end 100 and passes it to the processing unit 202. The processing unit 202 changes the permission data in the database unit 203 according to the change-permission information and, through the data receiving and transmitting unit 201, issues a change-permission notification informing the client 300 that the permission change event has occurred. After receiving a permission data download request from the client 300, the server end 200 transmits the changed permission data to the client 300 to update the application software permission data stored on the client 300. The server 200 also contains other components such as memory, an operating system, a hard disk and a display unit; those skilled in the art will understand these, and they are not described here in order to avoid obscuring the focus of the invention. The same applies to the input end and the client.

More specifically, in one embodiment of the invention, the data receiving and transmitting unit 201 uses the TCP protocol to notify the client 300 to download the permission data, and uses different codes to denote application permission data and URL permission data, while the event notifying the client that the permission data has been updated uses the UDP protocol. In another embodiment of the invention, the permission data transmitted from the data receiving and transmitting unit 201 contains pointer data corresponding to the controlled application or web page on the client, so that the client can determine which permission data is to be updated.

The database 203 used to store the permission data contains a set of data tables and control pointers for recording and updating the application permission data stored on the client. In one embodiment of the invention, the data tables comprise at least two tables, security action (security_action) and security policy (security_policy), which carry out the operation-restriction function of the permission data. The security action (security_action) table records behaviours or patterns including but not limited to the controlled applications, commands, URLs or web pages. The security policy (security_policy) table records permission data including but not limited to that of specific applications, commands, URLs or web pages. The security action table contains at least the following columns: the identifier (id), a pointer column used to create associations with other tables; the category (category), which records the type of application, command or URL; the target name (target_name), which records the executable file name of the controlled application or the controlled URL; and the target type, which records the type of the controlled target. The security_policy table records the permission restriction data of the controlled application or URL. The value (value) column of the security policy table records pointer data that corresponds to the pointer data in the id column of the security action table, so that the two tables are related. The disabled action (Disabled_action) column records the permission of the application or URL that is to be restricted; a specific value can be written to this column to indicate that the action is controlled and cannot be used.

The client module 300 has at least the following functions: receiving messages from the server end, downloading permission data from the server end, and setting the permission data. In one embodiment, the client contains a permission control unit, for example a separately installed permission control program, which carries out the client functions described above. In another embodiment, the client contains a database for storing the client's permission data. This database includes a set of data tables and control pointers; the data tables record the data of the applications controlled on the client, and the data of each controlled target includes a control pointer that corresponds to the control pointer of the same controlled target on the server end. After downloading the new permission data from the server, the client can therefore find the corresponding controlled application's permission data and update it.

In another embodiment of the invention, the control module can be a combination of several of the control modules of the above embodiments, forming a multi-level control module. This multi-level control module can, according to different authorization levels, limit the permission data that each server may change, so as to achieve hierarchical management. This embodiment comprises a central server, a plurality of peripheral servers, and client computers. The database of the central server stores the permission data of each peripheral server; in addition to its own permission data, a peripheral server stores the permission data of the applications on the clients within a specific region. Under this multi-level architecture, a central server uniformly manages the status and updating of the permission data on each peripheral server, and the peripheral servers, according to different needs and different authorization levels, open up different rights to change permission data in order to manage the applications on the clients. This control architecture provides a tiered, region-based authorization structure for information security management that governs the operation of applications on client computers. Besides allowing the permissions of many clients to be updated quickly, it also avoids the errors that may occur when server permission data has to be updated manually region by region.

Figure 2 shows an embodiment of the permission update flow. In step S101 the user enters a permission change through the input end to change the permission data on the server end, and in the subsequent step S102 the server end is notified of the change-permission event. In step S201 the server end 200 receives the change-permission information, and in step S202 it sends a message notifying the client. After the client receives the message from the server end in step S301, it sends a message in the subsequent step S302 requesting to download the new permission settings from the server end. In the subsequent step S203 the updated permission data described above is retrieved from the database, and in step S204 the new permission data is sent to the client. After receiving the new permission data sent by the server in step S303, the client updates the client's permission settings in step S304.

In another embodiment, the permission update of the invention is applied to the case of multiple peripheral servers. In this embodiment the update flow is similar to the flow shown in Figure 2, but the peripheral servers can be managed by a central server. In this embodiment the change-permission commands of the server end can be downloaded from the central server, but, depending on the permissions granted to each server or user, permission data can also be entered at the input end of each server. By providing a central server and combining several update flows identical to that of Figure 2, tiered and region-based management of application software permissions is achieved.

The invention has been described above by way of preferred embodiments, which are not intended to limit the scope of the patent rights claimed. The scope of protection is determined by the appended claims and their equivalents. Any change or refinement made by those skilled in the art without departing from the spirit or scope of this patent is an equivalent completed under the spirit disclosed by the invention and is to be included within the scope of the claims below.

[Brief Description of the Drawings]

Figure 1 shows the application control module of the present invention.
Figure 2 is a flow chart of the method of the present invention for controlling applications.

[Description of Main Reference Numerals]

Input end 100
Server end 200
Data receiving and transmitting unit 201
Processing unit 202
Database unit 203
Client 300
S101, S102, S201, S202, S203, S204, S301, S302, S303, S304 steps
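The update flow of Figure 2 (steps S101 to S304) together with the security_action and security_policy tables of the description, as an added example that is not code from the patent or its assignee. The class and method names, the action names such as `print`, the sample targets, the use of one policy row per disabled action, and plain method calls standing in for the UDP notification and the TCP download are all assumptions of this sketch.

```python
import sqlite3

# Columns follow the description's tables; one action name per policy row is assumed.
SCHEMA = """
CREATE TABLE security_action (
    id          INTEGER PRIMARY KEY,  -- control pointer, same on server and client
    category    TEXT NOT NULL,        -- 'application' or 'url'
    target_name TEXT NOT NULL         -- executable file name or controlled URL
);
CREATE TABLE security_policy (
    value           INTEGER NOT NULL REFERENCES security_action(id),
    disabled_action TEXT NOT NULL,    -- e.g. 'print', 'copy', 'save_as'
    UNIQUE (value, disabled_action)
);
"""


class PermissionStore:
    """Permission database held by the server end and by every client."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def add_target(self, pointer, category, target_name):
        self.db.execute("INSERT INTO security_action VALUES (?, ?, ?)",
                        (pointer, category, target_name))

    def has_target(self, pointer):
        return self.db.execute("SELECT 1 FROM security_action WHERE id = ?",
                               (pointer,)).fetchone() is not None

    def set_policy(self, pointer, disabled_actions):
        # Replace the whole policy so add, modify and delete commands all work.
        with self.db:
            self.db.execute("DELETE FROM security_policy WHERE value = ?", (pointer,))
            self.db.executemany("INSERT INTO security_policy VALUES (?, ?)",
                                [(pointer, a) for a in set(disabled_actions)])

    def get_policy(self, pointer):
        rows = self.db.execute(
            "SELECT disabled_action FROM security_policy WHERE value = ?", (pointer,))
        return {r[0] for r in rows}


class Server(PermissionStore):
    def __init__(self):
        super().__init__()
        self.subscribers = {}  # control pointer -> clients holding that target

    def register(self, client, pointer):
        self.subscribers.setdefault(pointer, []).append(client)

    def change_permission(self, pointer, disabled_actions):
        """Console command (S101/S102): store it (S201), notify clients (S202)."""
        if not self.has_target(pointer):
            raise KeyError(f"unknown control pointer {pointer}")
        self.set_policy(pointer, disabled_actions)
        # Stands in for the UDP event: it carries the pointer only, no policy.
        return [c.on_notify(self, pointer) for c in self.subscribers.get(pointer, [])]

    def download(self, pointer):
        """S203/S204: answer a download request (TCP in the description)."""
        return {"id": pointer, "disabled": sorted(self.get_policy(pointer))}


class Client(PermissionStore):
    def on_notify(self, server, pointer):
        """S301 notice received, S302 request, S303 receive, S304 apply."""
        if not self.has_target(pointer):
            return False  # pointer matches no controlled target on this client
        update = server.download(pointer)
        if update["id"] != pointer:
            return False  # reply names a different target, so ignore it
        self.set_policy(pointer, update["disabled"])
        return True

    def is_allowed(self, target_name, action):
        """Check the permission control unit makes before an operation runs."""
        row = self.db.execute(
            "SELECT 1 FROM security_action a JOIN security_policy p ON p.value = a.id"
            " WHERE a.target_name = ? AND p.disabled_action = ?",
            (target_name, action)).fetchone()
        return row is None


def demo():
    server, pc1, pc2 = Server(), Client(), Client()
    targets = [(1, "application", "erp_client.exe"),    # constructed sample data
               (2, "url", "http://intranet.example/erp")]
    for t in targets:
        server.add_target(*t)
        pc1.add_target(*t)
        server.register(pc1, t[0])
    pc2.add_target(*targets[0])  # pc2 controls only the application
    server.register(pc2, 1)
    server.change_permission(1, ["print", "copy"])
    server.change_permission(2, ["view_source", "save_as"])
    server.change_permission(1, ["print"])  # modification re-enables copy
    return server, pc1, pc2
```
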

Claims (1)

X. Claims

1. An application control module, comprising:
an input end for entering permission information;
a server end coupled to the input end, the server end comprising a processing unit; a server-side database, coupled to the processing unit, for storing the permission information and a server-side control pointer; an input/output unit coupled to the processing unit; and a server-side storage medium storing instructions for the processing unit to execute: receiving […] updated permission information, using the server-side control pointer to find the client corresponding to the updated permission information, transmitting an update permission notification to the client, receiving an update permission request from the client, and transmitting the updated permission information to the client; and
a client coupled to the server end, the client comprising a permission control unit; a client database, coupled to the permission control unit, for storing the operation permission and a client control pointer; and a client storage medium storing instructions for the permission control unit to execute: receiving the update permission notification, submitting the update permission request to the server end according to the update permission notification, using the client control pointer to find the application corresponding to the updated permission information, and updating the operation permission of the application according to the updated permission information.

2. The application control module of claim 1, wherein the input end is an operating end comprising at least a user interface through which a user can enter data.

3. The application control module of claim 1, wherein the permission control unit can restrict the user from printing data from the application software on the client.

4. The application control module of claim 1, wherein the permission control unit can restrict the user from copying data from the application software on the client.

5. The application control module of claim 1, wherein the permission control unit can restrict the user from using an input/output device to enter commands containing characters into the application software on the client.

6. The application control module of claim 1, wherein the permission control unit can restrict the user from saving data from the application software on the client.

7. The application control module of claim 1, wherein the permission control unit can restrict the user from dragging data with a pointing device in the application software on the client.

8. The application control module of claim 1, wherein the permission control unit can restrict the user from viewing the source code of web pages on the client.

9. The application control module of claim 1, wherein the permission control unit can restrict the user from using communication software.

10. The application control module of claim 9, wherein the communication software comprises at least e-mail and instant messaging software.

11. A method for restricting application operation permissions, comprising:
receiving change-permission information at a server end;
changing the permission information in a server-side database according to the change-permission information to generate updated permission information;
using a server-side control pointer to find a client corresponding to the updated permission information;
using the server end to transmit an update permission notification to the client;
using the client to submit an update permission request to the server end according to the update permission notification;
using the server end to transmit the updated permission information to the client according to the update permission request;
using a client control pointer to find an application corresponding to the updated permission information; and
updating the operation permission of the application according to the updated permission information to generate an updated operation permission, and storing the updated operation permission at a client end.

12. The method for restricting application operation permissions of claim 11, wherein the client comprises at least a permission control unit.

13. The method for restricting application operation permissions of claim 12, wherein the permission control unit can restrict the user from printing data.

14. The method for restricting application operation permissions of claim 12, wherein the permission control unit can restrict the user from copying data.

15. The method for restricting application operation permissions of claim 12, wherein the permission control unit can restrict the user from using an input/output device to enter commands containing characters.

16. The method for restricting application operation permissions of claim 12, wherein the permission control unit can restrict the user from saving data.

17. The method for restricting application operation permissions of claim 12, wherein the permission control unit can restrict the user from dragging data with the mouse.

18. The method for restricting application operation permissions of claim 12, wherein the permission control unit can restrict the user from viewing the source code of web pages.

19. The method for restricting application operation permissions of claim 12, wherein the permission control unit can restrict the user from using communication software.

20. The method for restricting application operation permissions of claim 19, wherein the communication software comprises at least e-mail and instant messaging software.

VII. Designated representative figure:
(1) The designated representative figure of this case is Figure 2.
(2) Brief description of the reference symbols in the representative figure: S101, S102, S201, S202, S203, S204, S301, S302, S303, S304 steps
TW95145253A 2006-12-05 2006-12-05 Controlling module for programs and method for the same TWI328179B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW95145253A TWI328179B (en) 2006-12-05 2006-12-05 Controlling module for programs and method for the same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW95145253A TWI328179B (en) 2006-12-05 2006-12-05 Controlling module for programs and method for the same

Publications (2)

Publication Number Publication Date
TW200825832A TW200825832A (en) 2008-06-16
TWI328179B TWI328179B (en) 2010-08-01

Family

ID=44772155

Family Applications (1)

Application Number Title Priority Date Filing Date
TW95145253A TWI328179B (en) 2006-12-05 2006-12-05 Controlling module for programs and method for the same

Country Status (1)

Country Link
TW (1) TWI328179B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI665623B (en) * 2016-12-08 2019-07-11 香港商阿里巴巴集團服務有限公司 Authorization registration method and device

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI512518B (en) * 2010-03-10 2015-12-11 Alibaba Group Holding Ltd Control method and system of plug - in authority
TWI516978B (en) 2013-10-31 2016-01-11 萬國商業機器公司 Management of security modes applied to execution of applications in a computer device
TWI728637B (en) * 2020-01-02 2021-05-21 中華電信股份有限公司 Information security protection method and computer-readable medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI665623B (en) * 2016-12-08 2019-07-11 香港商阿里巴巴集團服務有限公司 Authorization registration method and device
US10795983B2 (en) 2016-12-08 2020-10-06 Alibaba Group Holding Limited Method and apparatus for authorized login

Also Published As

Publication number Publication date
TW200825832A (en) 2008-06-16

Similar Documents

Publication Publication Date Title
US10356095B2 (en) Email effectivity facilty in a networked secure collaborative exchange environment
US20180307381A1 (en) Systems and methods for managing documents and other electronic content
JP4876734B2 (en) Document use management system and method, document management server and program thereof
US8141129B2 (en) Centrally accessible policy repository
US8528099B2 (en) Policy based management of content rights in enterprise/cross enterprise collaboration
US20140298207A1 (en) Systems and Methods for Managing Documents and Other Electronic Content
US8370954B2 (en) Content management systems and methods including content usage restrictions
US20140245015A1 (en) Offline file access
US20140304836A1 (en) Digital rights management through virtual container partitioning
US20140189483A1 (en) Spreadsheet viewer facility
US10133875B2 (en) Digital rights management system implementing version control
US9813452B2 (en) Digital rights management system providing event notifications for user actions based on access control rules
JP2007265242A (en) File access control device, password setting device, processing instructing device, and file access control method
US10599817B2 (en) Portion-level digital rights management in digital content
WO2014152025A2 (en) Computerized method and system for managing networked secure collaborative exchange environment
US8335985B2 (en) Document use managing system, document processing apparatus, manipulation authority managing apparatus, document managing apparatus and computer readable medium
JP2007156882A (en) Electronic document generation apparatus, program, and method
JP2003323528A (en) Personnel management system and method
TWI328179B (en) Controlling module for programs and method for the same
US20120307281A1 (en) Information security for printing systems
CN101320415B (en) Control system and method for application program
US7966460B2 (en) Information usage control system, information usage control device and method, and computer readable medium
JP4266897B2 (en) License management system, license management method, license management server, and license management software
JP4640776B2 (en) Information system setting device, information system setting method and program
JP2008102702A (en) Security management system