TWI801855B - System and method of application control based on root node - Google Patents


Info

Publication number
TWI801855B
Authority
TW
Taiwan
Prior art keywords
node
unit
root node
parent
level
Application number
TW110115774A
Other languages
Chinese (zh)
Other versions
TW202244721A (en)
Inventor
蔡宜霖
劉新玫
Original Assignee
精品科技股份有限公司
Application filed by 精品科技股份有限公司
Priority to TW110115774A
Publication of TW202244721A
Application granted
Publication of TWI801855B

Abstract

A system of application control based on a root node includes a check unit; and hierarchical nodes including a root node and a first layer node, in which the root node is the parent node of the first layer node. The check unit is used to check whether the root node is a specified application control unit. If so, the first layer node will be executed.

Description

Root node-based application program control system and method

The present invention relates to the technical field of application program control, and in particular to a root node-based application program control system and method.

With the growth of information technology, a large number of application programs (apps) have appeared. A single vendor may provide several applications, and different applications, especially several provided by the same vendor, may have similar functions. To keep pace with technical development or business needs, applications often have to be upgraded or replaced; for example, new versions of an application may be released more than once per week. When a newly released version contains an error or the business fails, the client-side application must be returned urgently to a specified version in order to meet users' basic needs.

Existing applications usually restrict the computer devices on which they may legitimately be used, to prevent the application from being copied to and used on other, unauthorised computer devices. To this end, protection mechanisms that bind to hardware information already exist. In such a mechanism, once the application is launched it first reads and verifies hardware information of the computer on which it is installed, such as the CPU identifier or the hard disk serial number, and allows that computer to run it normally only if verification passes. Although this mechanism binds the application to the legitimate computer device that may run it, the hardware information never changes, so the mechanism is easily cracked.

Furthermore, with the spread of the Internet, enterprises usually establish Internet connections in order to obtain all kinds of applications. However, information or applications retrieved from the Internet may also carry malicious programs. Once a malicious program enters an information processing device, it destroys the software on it or steals the information it holds, causing great harm to the enterprise's information security.

On the other hand, while enjoying the convenience of the Internet, an enterprise should also eliminate the threat of such malicious programs as far as possible. Restrictions on the execution of applications have traditionally been implemented by blacklist control. Because there are far too many programs in the world, blacklist control is no longer adequate.

Moreover, hackers have recently tended to use programs already present on the machine as their attack tools rather than programs they wrote themselves. This creates a problem: the programs built into Windows, for example, are frequently used by ordinary users but are also the programs hackers favour most, so whether such built-in programs can be placed under application control is itself a major question.

In view of the above shortcomings, the present invention provides a novel application program control method to overcome them.

The object of the present invention is to provide a root node-based application program control system and method.

The root node-based application program control method of the present invention can greatly reduce the time cost of detection and improve the efficiency of information security detection.

The root node-based application program control system of the present invention comprises: a checking unit; and hierarchical nodes comprising a root node and a first-layer node, wherein the root node is the parent node of the first-layer node. The checking unit checks whether the root node is a designated application program control unit and, if so, the first-layer node is executed.

If the root node checked by the checking unit is not the designated application program control unit, execution of the first-layer node is prohibited.

The hierarchical nodes further comprise a second-layer node, the first-layer node being the second parent node of the second-layer node. The checking unit checks whether the first-layer node is the designated application program control unit; if so, the second-layer node is executed, and if not, execution of the second-layer node is prohibited.

The hierarchical nodes comprise the root node and N layers of nodes, and the checking unit checks whether the parent nodes of all N layers are the designated application program control unit.

The root node-based application program control method of the present invention comprises: providing a checking unit; providing hierarchical nodes comprising a root node and a first-layer node, wherein the root node is the parent node of the first-layer node; and checking whether the root node is a designated application program control unit; if so, the first-layer node is executed, and if not, execution of the first-layer node is prohibited.

102, 404, 420: Explorer

104, 108, 206, 210, 410, 412, 414, 418, 424, 430: Microsoft PowerShell

106: DOS Command

202, 406, 408, 426: Microsoft Word

204: VB macro program

208: hacker program

300: checking unit

302: root node

304: first-layer node

306: second-layer node

308: third-layer node

310: Nth-layer node

402, 416, 422, 428: Cmd

[Figure 1] is a schematic diagram of the application program control unit of the present invention executing Microsoft PowerShell.

[Figure 2] is a schematic diagram of a hacker macro and a hacker program executing Microsoft PowerShell.

[Figure 3] is a schematic diagram of the hierarchical nodes of the application program control system of the present invention.

[Figure 4] is a schematic diagram of the usage behaviour of normal users and hackers.

The present invention will be described in detail herein with reference to specific embodiments and their aspects. Such description explains the structure or step flow of the present invention and is for illustration only, not to limit the scope of the claims. Therefore, besides the specific and preferred embodiments in the description, the present invention may also be widely practised in other, different embodiments. The implementation of the present invention is described below by way of specific embodiments; those skilled in the art can readily understand the effects and advantages of the present invention from the content disclosed in this specification. The present invention may also be applied and practised through other specific embodiments, and the details set out in this specification may be applied according to different needs, with various modifications or changes made without departing from the spirit of the present invention.

The present invention proposes a root node-based application program control method in which the parent process (the parent node) is designated as the application program control unit, so as to prevent hackers from using whitelisted programs under application control (for example programs built into Windows, such as PowerShell.Exe) as attack tools. In computing, a parent process is a process that has created one or more child processes. Checking the parent process makes it possible to prevent a program planted by a hacker from executing whitelisted programs already present on the local machine (the information processing device, or computer). The application program control system of the present invention may comprise hierarchical nodes, that is, a multi-layer or tree structure made up of several layers of nodes, in which the top layer contains a root node and the bottom-layer node is the program being executed; there is no limit on the number of layers. Nodes in adjacent layers stand in a parent process (parent node) to child process (child node) relationship. At execution time, every layer of parent node must be checked to determine whether it is a designated application program control unit or some other, non-designated executing program.

The present invention uses a whitelist as its control scheme, replacing traditional blacklist control. In practical operation, user behaviour is used to determine whether each program being executed is a normally used program or a hacker's program. A normally used program belongs to the application control whitelist; otherwise it belongs to the blacklist.

Figure 1 depicts the application program control unit of the present invention executing Microsoft PowerShell. In this embodiment the application program control unit is Explorer 102, which is the parent node (parent process) of Microsoft PowerShell 104. In this example the parent is Explorer.Exe, so only the parent needs to be checked. With Explorer 102 as parent node, Microsoft PowerShell 104 may be executed. Microsoft PowerShell 104 is a whitelisted file or program that the computer may execute. PowerShell is a task automation and configuration management framework developed by Microsoft, consisting of a command-line shell and an associated scripting language built on .NET Framework and .NET Core. In one embodiment, the parent node Explorer 102 is an application program control unit designated by a designation unit on the server (IT) side. In execution, parent node Explorer 102 is checked by the checking unit (not shown) on the server (IT) side and determined to be the designated application program control unit, so Microsoft PowerShell 104 may be executed. Under normal behaviour, Microsoft PowerShell 104 is marked as whitelisted (the tick symbol in the figure).

Referring to Figure 1, in another example the application program control unit is DOS Command 106, which is the parent node (parent process) of Microsoft PowerShell 108. In this example the parent is DOS.Exe, and only the parent needs to be checked. With DOS Command 106 as parent node, Microsoft PowerShell 108 may be executed. Parent node DOS Command 106 is likewise an application program control unit designated by the designation unit of the local machine. Similarly, in execution, parent node DOS Command 106 is checked by the checking unit and determined to be the designated application program control unit, so it may execute Microsoft PowerShell 108. Under normal behaviour, Microsoft PowerShell 108 is marked as whitelisted. In Microsoft PowerShell, administrative tasks are usually performed by cmdlets (command-lets: Cmd.exe), which are specialised .NET classes that perform particular operations. Cmdlets can be assembled into scripts or executables (generally standalone applications), or instantiated through ordinary .NET classes (or WMI/COM objects). Microsoft PowerShell also accesses data held in different data stores, such as File Explorer or the registry.

Figure 2 depicts a hacker macro and a hacker program executing Microsoft PowerShell. In Figure 2, Microsoft Word 202 and a Visual Basic (VB) macro program (virus) 204 are parent and child nodes: the Microsoft Word 202 program executes its VB macro program 204. A macro is an abstraction that replaces certain text patterns according to a set of predefined rules; the interpreter or compiler performs this substitution automatically when it encounters the macro. VB macro program 204 and Microsoft PowerShell 206 are parent and child nodes, and VB macro program 204 is prohibited from executing Microsoft PowerShell 206. Since neither Microsoft Word 202 nor VB macro program 204 is an application program control unit designated by the present invention, neither may execute Microsoft PowerShell 206. That is, in execution, parent nodes Microsoft Word 202 and VB macro program 204 are checked by the checking unit and determined not to be the designated application program control unit, so they are prohibited from executing Microsoft PowerShell 206. Under hacker behaviour, Microsoft PowerShell 206 is marked as blacklisted (the prohibition symbol in the figure), prohibited from executing on the local machine, and may further be deleted.

In Figure 2, hacker program 208 and Microsoft PowerShell 210 are parent and child nodes; that is, Microsoft PowerShell 210 is the target of hacker program 208. At execution, hacker program 208 is checked by the checking unit and determined not to be the designated application program control unit, so it is prohibited from executing Microsoft PowerShell 210. Under hacker behaviour, Microsoft PowerShell 210 is marked as blacklisted, prohibited from executing on the local machine, and may further be deleted.

Referring to Figure 3, which shows the hierarchical nodes of the application program control system of the present invention. The application program control system may comprise a multi-layer or tree structure made up of a plurality of nodes; the number of layers is not limited. In this embodiment N layers are taken as an example. The application program control system comprises a root node (top layer) 302, a first-layer node 304, a second-layer node 306, a third-layer node 308, ... and an Nth-layer node 310. Root node 302 is the parent node of first-layer node 304, first-layer node 304 is the parent node of second-layer node 306, second-layer node 306 is the parent node of third-layer node 308, and the parent-child relationships of the other generations follow in the same way. Nth-layer node 310 is the program executed at the bottom layer. At execution, the parent nodes of all N layers (generations), namely root node 302, first-layer node 304, second-layer node 306, third-layer node 308, ... and the (N-1)th-layer node, must be checked by checking unit 300. If the check determines that root node 302, first-layer node 304, second-layer node 306, third-layer node 308, ... and the (N-1)th-layer node are all the designated application program control unit (X.Exe), the program of Nth-layer node 310 may be executed. For example, if the parent of Nth-layer node 310 is PowerShell.Exe, the grandparent is Dos.Exe, the great-grandparent is Explorer.Exe, and so on up to the root node (X.Exe), then N generations of parent nodes must be checked. Thus every generation of ancestors may be placed under control: not only the two layers of parent and grandparent, but the parents at every layer must be checked. Under normal behaviour, the executed Nth-layer node 310 is marked as whitelisted. If the check finds that one (or more) of root node 302, first-layer node 304, second-layer node 306, third-layer node 308, ... and the (N-1)th-layer node is not the designated application program control unit, execution of the program of Nth-layer node 310 is prohibited. Under hacker behaviour, the executed Nth-layer node 310 is marked as blacklisted, prohibited from executing on the local machine, and may further be deleted. It follows that a hacker program may be positioned (hidden) in one layer (or several layers) of the hierarchical nodes.

Referring to Figure 4, which shows the usage behaviour of normal users and hackers. In this embodiment every example uses Microsoft PowerShell as the executed program. It should be noted, however, that Microsoft PowerShell is only one example, and any other program could serve instead. In the first example, Cmd 402 is the parent node of Microsoft PowerShell 410. Because Cmd 402 is the designated application program control unit, Microsoft PowerShell 410 may be executed. Under normal behaviour, Microsoft PowerShell 410 is marked as whitelisted. In the second example, Explorer 404 is the parent node of Microsoft PowerShell 412. Because Explorer 404 is the designated application program control unit, Microsoft PowerShell 412 may be executed. Under normal behaviour, Microsoft PowerShell 412 is marked as whitelisted. In other words, Microsoft PowerShell 410, 412 being executed by Cmd (command-lets: Cmd.exe) 402 or by Explorer 404 is normal behaviour, so Microsoft PowerShell 410, 412 is on the application control whitelist. In general, the same child node B is judged by analysing the parent node A that executes it (that is, B's parent node is A); when parent node A differs, the application control decision differs. For example, the same Microsoft PowerShell above is controlled differently depending on whether its parent node is Cmd or Explorer.

As shown in Figure 4, in the third example Microsoft Word 202 is the parent node of Microsoft PowerShell 414. Because Microsoft Word 202 is not the designated application program control unit, Microsoft PowerShell 414 is prohibited on the local machine. Under hacker behaviour, Microsoft PowerShell 414 is marked as blacklisted, prohibited from executing on the local machine, and may further be deleted.

Referring to Figure 4, the fourth example is a case of misjudgement. Microsoft Word 408 is the parent node of Cmd 416, and Cmd 416 is the parent node of Microsoft PowerShell 418. Microsoft Word 408 is not an application program control unit designated by the designation unit, whereas Cmd 416 is. As stated above, at execution every layer of parent node must be checked to determine whether it is the designated application program control unit. In this example the checking unit checks only the parent layer Cmd 416 and not the parent layer (root node) Microsoft Word 408, which causes the misjudgement. Because Microsoft Word 408 is not the designated application program control unit, it may still affect the execution of Microsoft PowerShell 418 two layers below, so Microsoft PowerShell 418 should be prohibited from executing on the local machine. However, because the parent layer Microsoft Word 408 is not checked, Microsoft PowerShell 418 is marked as whitelisted, which lets the hacker behaviour affect the local machine and creates an information security crisis. This illustrates that in the present case every layer of parent node must be checked for being the designated application program control unit, so as to avoid such misjudgement.

Continuing with Figure 4, in the fifth example Explorer 420 is the parent node of Cmd 422, and Cmd 422 is the parent node of Microsoft PowerShell 424. Explorer 420 is an application program control unit designated by the designation unit, and Cmd 422 is likewise. In this example the parent is DOS.Exe and the grandparent is Explorer.Exe, so two generations must be checked. At execution, every layer of parent node must be checked for being the designated application program control unit. Here the checking unit first checks the parent layer Cmd 422 and then the parent layer (root node) Explorer 420. Since both Cmd 422 and Explorer 420 are found to be the designated application program control unit, Cmd 422 may execute Microsoft PowerShell 424. Under normal behaviour, Microsoft PowerShell 424 is marked as whitelisted. In summary, when Microsoft PowerShell is executed by Explorer\Cmd or by Explorer, this is normal behaviour and Microsoft PowerShell is on the application control whitelist.

Referring to Figure 4, in the sixth example Microsoft Word 426 is the parent node of Cmd 428, and Cmd 428 is the parent node of Microsoft PowerShell 430. Microsoft Word 426 is not an application program control unit designated by the designation unit, whereas Cmd 428 is. In this example the checking unit first checks the parent layer Cmd 428 and then the parent layer (root node) Microsoft Word 426. Since Microsoft Word 426 is found not to be the designated application program control unit, and it would affect the execution of Microsoft PowerShell 430 two layers below, Microsoft PowerShell 430 is prohibited from executing on the local machine and is marked as blacklisted. For Microsoft PowerShell 430, therefore, checking the earlier grandparent node Microsoft Word 426 is necessary.
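The N-layer check of Figure 3 and the four Figure 4 chains above (including the fourth example's misjudgement when only the direct parent is inspected) can be modelled as a walk up the process tree. The following is an added example, not the patent's or the assignee's code; the process records, the image names standing in for Explorer, Cmd/DOS Command and Microsoft Word, and the designated set are all constructed for illustration.

```python
"""Root node (ancestor-chain) check modelled on the patent's description.

Added example, not the patent's own implementation. Process records, image
names and the designated set below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed image names; this set plays the role of the server-side
# designation unit's list of application program control units.
DESIGNATED = {"explorer.exe", "cmd.exe"}


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    ppid: Optional[int]  # None at the top of the tree


def ancestors(procs: Dict[int, Process], pid: int) -> List[Process]:
    """Parent, grandparent, ... up to the root: the N-1 layers of parent nodes.

    Stops on a missing parent record or a cycle (pid reuse), so a broken
    chain cannot loop forever.
    """
    chain: List[Process] = []
    seen = {pid}
    cur = procs[pid].ppid
    while cur is not None and cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(procs[cur])
        cur = procs[cur].ppid
    return chain


def is_designated(p: Process) -> bool:
    return p.image.lower() in DESIGNATED


def parent_only_check(procs: Dict[int, Process], pid: int) -> bool:
    """The flawed check of the fourth example: inspect the direct parent only."""
    chain = ancestors(procs, pid)
    return bool(chain) and is_designated(chain[0])


def root_node_check(procs: Dict[int, Process], pid: int) -> bool:
    """The patent's check: every parent layer up to the root must be designated.

    A process with no recorded parent has nothing vouching for it and is
    treated as not whitelisted.
    """
    chain = ancestors(procs, pid)
    return bool(chain) and all(is_designated(p) for p in chain)


def build_chain(images: List[str]) -> Dict[int, Process]:
    """Constructed sample tree: images listed root-first, each the parent of the next."""
    return {
        i: Process(pid=i, image=img, ppid=i - 1 if i > 1 else None)
        for i, img in enumerate(images, start=1)
    }


def verdicts(images: List[str]) -> Dict[str, bool]:
    """Whitelist verdict for the bottom-layer program under both checks."""
    procs = build_chain(images)
    leaf = len(images)
    return {
        "parent_only": parent_only_check(procs, leaf),
        "root_node": root_node_check(procs, leaf),
    }


if __name__ == "__main__":
    # The Figure 4 chains, root first, with PowerShell as the executed program.
    cases = {
        "Cmd -> PowerShell": ["cmd.exe", "powershell.exe"],
        "Explorer -> PowerShell": ["explorer.exe", "powershell.exe"],
        "Word -> PowerShell": ["winword.exe", "powershell.exe"],
        "Word -> Cmd -> PowerShell": ["winword.exe", "cmd.exe", "powershell.exe"],
        "Explorer -> Cmd -> PowerShell": ["explorer.exe", "cmd.exe", "powershell.exe"],
    }
    for name, images in cases.items():
        v = verdicts(images)
        note = "  <-- misjudged by parent-only check" if v["parent_only"] != v["root_node"] else ""
        print(f"{name:30} parent_only={v['parent_only']!s:5} root_node={v['root_node']!s:5}{note}")
```

Only the Word -> Cmd -> PowerShell chain splits the two checks: the parent-only check whitelists it, the root node check blocks it.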

Compared with conventional blacklist control, the present invention proposes a root node-based application program control method that uses designated application program control units to determine the executable whitelist, greatly improving the efficiency of information security detection.

Changes may be made to the above root node-based application program control method and its control method without departing from the scope of this disclosure. It should therefore be noted that all matter contained in the above description and shown in the accompanying drawings is to be interpreted as illustrative and not in a limiting sense. The following claims are intended to cover all of the general and specific features described herein, and all statements of the scope of the root node-based application program control method and its control method of the present invention which, as a matter of language, might be said to fall therebetween.


Claims (10)

1. A root-node-based application control system, comprising: a server end, comprising a check unit and a designation unit; and a hierarchical node configured on an information processing device, comprising a root node and a first-level node, wherein the root node is the parent node of the first-level node; wherein the designation unit of the server end is used to designate the root node as an application control unit, and the check unit of the server end is used to check whether the root node is the application control unit designated by the designation unit, and if so, the first-level node is executed on the information processing device.

2. The root-node-based application control system of claim 1, wherein if the root node checked by the check unit is not the designated application control unit, execution of the first-level node is prohibited.

3. The root-node-based application control system of claim 1 or 2, wherein the hierarchical node further comprises a second-level node, and the first-level node is a second parent node, namely the parent node of the second-level node.

4. The root-node-based application control system of claim 3, wherein the check unit checks whether the first-level node is the designated application control unit; if so, the second-level node is executed, and if not, execution of the second-level node is prohibited.

5. The root-node-based application control system of claim 1, wherein the hierarchical node comprises the root node and N levels of nodes, and the check unit checks whether the parent nodes of the N levels are all the designated application control unit.

6. A root-node-based application control method, comprising: providing a check unit and a designation unit at a server end; providing a hierarchical node of an information processing device, comprising a root node and a first-level node, wherein the root node is the parent node of the first-level node; and using the designation unit of the server end to designate the root node as an application control unit, and using the check unit of the server end to check whether the root node is the application control unit designated by the designation unit; if so, executing the first-level node on the information processing device, and if not, prohibiting execution of the first-level node on the information processing device.

7. The root-node-based application control method of claim 6, wherein the hierarchical node further comprises a second-level node, and the first-level node is a second parent node, namely the parent node of the second-level node.

8. The root-node-based application control method of claim 7, wherein the check unit checks whether the first-level node is the designated application control unit, and if so, the second-level node is executed.

9. The root-node-based application control method of claim 8, wherein if the first-level node checked by the check unit is not the designated application control unit, execution of the second-level node is prohibited.

10. The root-node-based application control method of claim 6, wherein the hierarchical node comprises the root node and N levels of nodes, and the check unit checks whether the parent nodes of the N levels are all the designated application control unit.
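The control flow the claims describe (a server-side designation unit marks the root node as the application control unit, a check unit verifies a node's parent, or per claims 5 and 10 every parent up to the root, and the device executes the node only when that check passes), modelled as an added Python example. This is not code from the patent or its assignee; the class names `Node`, `DesignationUnit`, `CheckUnit` and `Device`, the sample tree and the node names are all constructed for illustration:

```python
"""Illustrative model of parent-chain gated execution (added example, not the
patent's own code). A node runs only if its parent (or every ancestor) has been
designated as the application control unit by the server-side designation unit."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(eq=False)  # eq=False keeps identity hashing, so nodes can live in a set
class Node:
    """One node of the hierarchical tree held on the information-processing device."""
    name: str
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)

    @property
    def level(self) -> int:
        """Root is level 0, its children level 1, and so on."""
        depth, cur = 0, self
        while cur.parent is not None:
            depth, cur = depth + 1, cur.parent
        return depth

    def add_child(self, name: str) -> "Node":
        child = Node(name, parent=self)
        self.children.append(child)
        return child


class DesignationUnit:
    """Server side: records which nodes count as the application control unit."""

    def __init__(self) -> None:
        self._designated: Set[Node] = set()

    def designate(self, node: Node) -> None:
        self._designated.add(node)

    def is_control_unit(self, node: Optional[Node]) -> bool:
        # Identity-based membership: a different Node object with the same
        # name is NOT the designated unit (see the usage note on identity).
        return node is not None and node in self._designated


class CheckUnit:
    """Server side: gates execution of a node on its parent chain."""

    def __init__(self, designation: DesignationUnit) -> None:
        self.designation = designation

    def parent_is_control_unit(self, node: Node) -> bool:
        """Claims 1-4: the immediate parent must be the designated control unit."""
        return self.designation.is_control_unit(node.parent)

    def all_parents_are_control_units(self, node: Node) -> bool:
        """Claims 5 and 10: every parent of the N levels, up to the root, must be designated."""
        cur = node.parent
        if cur is None:  # the root has no parent to verify against
            return False
        while cur is not None:
            if not self.designation.is_control_unit(cur):
                return False
            cur = cur.parent
        return True


class Device:
    """The information-processing device: executes a node only after the check passes."""

    def __init__(self, check: CheckUnit) -> None:
        self.check = check
        self.executed: List[str] = []

    def run(self, node: Node, full_chain: bool = False) -> bool:
        ok = (self.check.all_parents_are_control_units(node) if full_chain
              else self.check.parent_is_control_unit(node))
        if ok:
            self.executed.append(node.name)
        return ok


def demo() -> dict:
    """Constructed sample: root -> updater -> installer, plus an unmanaged tree
    whose leaf reuses the name 'installer' but has the wrong lineage."""
    root = Node("agent-root")
    l1 = root.add_child("updater")
    l2 = l1.add_child("installer")
    rogue_root = Node("rogue-root")
    rogue_child = rogue_root.add_child("installer")

    designation = DesignationUnit()
    designation.designate(root)  # server designates the root as the control unit
    device = Device(CheckUnit(designation))

    results = {
        "l1_under_root": device.run(l1),            # parent is the designated root
        "l2_before_l1_designated": device.run(l2),  # parent l1 not yet designated
    }
    designation.designate(l1)  # server extends designation to the first-level node
    results["l2_after_l1_designated"] = device.run(l2, full_chain=True)
    results["rogue_child"] = device.run(rogue_child, full_chain=True)
    results["root_itself"] = device.run(root)  # no parent to check against
    return results


if __name__ == "__main__":
    print(demo())
```

The model deliberately keys designation on object identity rather than on the node's name: the "rogue-root" tree's child named "installer" is refused even though its name matches the managed one. In a real deployment the equivalent requirement is that the check unit establish the parent's identity by something the parent cannot choose for itself (for example a signed binary or a measured hash tracked by the server), since a check that compares only a process or application name is only as strong as that name.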

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110115774A TWI801855B (en) 2021-04-30 2021-04-30 System and method of application control based on root node

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW110115774A TWI801855B (en) 2021-04-30 2021-04-30 System and method of application control based on root node

Publications (2)

Publication Number Publication Date
TW202244721A TW202244721A (en) 2022-11-16
TWI801855B true TWI801855B (en) 2023-05-11

Family

ID=85793025

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110115774A TWI801855B (en) 2021-04-30 2021-04-30 System and method of application control based on root node

Country Status (1)

Country Link
TW (1) TWI801855B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201349008A (en) * 2012-02-16 2013-12-01 Samsung Electronics Co Ltd Method and apparatus for protecting digital content using device authentication
WO2016070623A1 (en) * 2014-11-05 2016-05-12 中兴通讯股份有限公司 Sensitive information security protection method and device
TW201617955A (en) * 2014-11-07 2016-05-16 財團法人工業技術研究院 Management server and method and user client device and monitoring method thereof
US20200081752A1 (en) * 2018-09-12 2020-03-12 Avecto Limited Controlling applications by an application control system in a computer device
US20200344067A1 (en) * 2019-04-26 2020-10-29 Beyondtrust Software, Inc. Root-level application selective configuration
US20210075626A1 (en) * 2019-09-05 2021-03-11 Portshift Software Technologies LTD. Identity-based application and file verification

Also Published As

Publication number Publication date
TW202244721A (en) 2022-11-16
