WO2015081900A1 - 基于云安全拦截广告程序的方法、装置和系统 - Google Patents

基于云安全拦截广告程序的方法、装置和系统 Download PDF

Info

Publication number
WO2015081900A1
WO2015081900A1 PCT/CN2014/093286 CN2014093286W WO2015081900A1 WO 2015081900 A1 WO2015081900 A1 WO 2015081900A1 CN 2014093286 W CN2014093286 W CN 2014093286W WO 2015081900 A1 WO2015081900 A1 WO 2015081900A1
Authority
WO
WIPO (PCT)
Prior art keywords
browser
parent
parent process
server
module
Prior art date
Application number
PCT/CN2014/093286
Other languages
English (en)
French (fr)
Inventor
赵龙
邹贵强
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司 filed Critical 北京奇虎科技有限公司
Publication of WO2015081900A1 publication Critical patent/WO2015081900A1/zh

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Definitions

  • the present invention relates to the field of computer security, and in particular, to a method, device and system for intercepting an advertisement program based on a cloud security.
  • browser-based applications are becoming more and more popular. For example, people can query bank accounts, online shopping, e-commerce, query information, acquire knowledge, and entertain through browsers.
  • Browser-based applications provide people with Convenient and fast way to interact.
  • people browse the Internet and browse the web they often encounter browser pages that pop up automatically without clicking, such as advertisements, games, and shopping webpages.
  • the content of these webpages is usually meaningless to the user, only The user's browsing behavior causes interference.
  • the more serious problem is that some pop-up pages may also come from malicious websites, such as phishing websites, or fraudulent or fake websites. These pages usually display false information and malicious scripts embedded in the page code.
  • the program is used to illegally obtain personal information such as an account number and password input by the user, which may cause damage to the user's interests.
  • the present invention has been made in order to provide a cloud security interception advertising program-based method, apparatus and system that overcomes the above problems or at least partially solves the above problems.
  • a method for intercepting an advertisement program based on a cloud security includes: monitoring the creation behavior of the browser process; acquiring the information of the parent process of the browser process when monitoring the creation request of the browser process; detecting the parent by traversing all the visualization windows according to the information of the parent process of the browser process Whether the process corresponds to the visualization window; the creation behavior of the browser process is processed according to the detection result.
  • an apparatus for intercepting an advertisement program based on a cloud security includes: a monitoring module adapted to monitor a creation behavior of a browser process; and an acquisition module adapted to monitor a browser process when the monitoring module monitors
  • the information of the parent process of the browser process is obtained;
  • the detecting module is adapted to detect whether the parent process corresponds to the visualization window by traversing all the visualization windows according to the information of the parent process of the browser process;
  • the processing module is adapted to The creation process of the browser process is processed according to the detection result.
  • a system based on a cloud security interception advertisement program including the above-described cloud security interception advertisement program-based device, further includes a server that provides a cloud query service to the device.
  • a computer program comprising computer readable code, when the computer readable code is run on an electronic device, causing the electronic device to perform a cloud security based interception advertisement according to the above The method of the program.
  • a computer readable medium storing a computer program as described above is provided.
  • the cloud security interception advertisement program when the creation request of the browser process is monitored, information of the parent process to create the browser process is acquired, and whether the parent process and at least one visualization window in the current interface are detected Corresponding to determine the security of the parent process, and according to the detection result, the behavior of creating the browser process is processed accordingly.
  • the background process that can effectively block the hidden window pops up a browser page such as an advertisement or a phishing website without the user's consent, so that the user can avoid the interference of invalid information such as advertisements and the fraudulent information of various malicious websites in the operation. , improve the security of user network operations.
  • FIG. 1 shows a flow chart of a method for intercepting an advertisement program based on a cloud security, in accordance with one embodiment of the present invention
  • FIG. 2 shows a flow chart of a method for intercepting an advertisement program based on a cloud security according to another embodiment of the present invention
  • FIG. 3 shows a flow chart of a method for intercepting an advertisement program based on a cloud security according to another embodiment of the present invention
  • FIG. 4 shows a flow chart of a method for intercepting an advertisement program based on a cloud security according to another embodiment of the present invention
  • FIG. 5 is a structural block diagram of an apparatus for intercepting an advertisement program based on a cloud security according to another embodiment of the present invention.
  • FIG. 6 is a block diagram showing the structure of an apparatus for intercepting an advertisement program based on a cloud security according to another embodiment of the present invention.
  • FIG. 7 is a structural block diagram of a system based on a cloud security interception advertisement program according to another embodiment of the present invention.
  • Figure 8 shows a block diagram of an electronic device for performing the method according to the invention
  • Figure 9 shows a storage unit for holding or carrying program code implementing the method according to the invention.
  • FIG. 1 shows a flow chart of a method for intercepting an advertisement program based on a cloud security according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step S110 monitoring the creation behavior of the browser process.
  • monitoring of browser processes is usually based on API interface functions or system calls provided by the operating system.
  • the browsers mentioned in this step include, but are not limited to, independent kernel browsers such as IE, Firefox, Chrome, Safari, etc. running on various computer systems, as well as common IE-based kernels or multi-core based browsers, such as 360 browsers, Sogou browsers, etc., also include browsers that are commonly found in various mobile terminal operating systems.
  • independent kernel browsers such as IE, Firefox, Chrome, Safari, etc.
  • common IE-based kernels or multi-core based browsers such as 360 browsers, Sogou browsers, etc.
  • browsers that are commonly found in various mobile terminal operating systems.
  • a common situation is that more than one type of browser is installed in the system.
  • users may install and use by default due to rich functions, higher security and personal preference.
  • monitoring of the browser process should include monitoring of the IE process and all other browser processes.
  • Step S120 When the creation request of the browser process is detected, the information of the parent process of the browser process is obtained.
  • the parent process of the browser process is the process that requests the creation of the browser process. Take the Windows operating system as an example.
  • Various application layer applications are implemented by calling various API functions.
  • the parent process creates a browser process and needs to call the corresponding API function.
  • the detection request of the browser process is also the monitoring creation process.
  • the API function can be parsed out from the parameters carried by the API function to determine whether the created process is a browser process.
  • the process requesting to call the function is the parent process of the browser process, and the process information of the parent process may include, but is not limited to, the process name, the process identifier, the path information of the process file, and the related dynamic link library file.
  • Step S130 Detecting whether the parent process corresponds to the visualization window by traversing all the visualization windows according to the information of the parent process of the browser process.
  • the user typically interacts with the system through the visualization window provided by the program.
  • the invention determines whether the creation behavior of the browser process is triggered by the user by detecting whether the parent process corresponds to the visualization window. Traverse all visualization windows if there is at least one viewable
  • the window corresponds to the parent process of the browser process, and the creation behavior of the browser process is that the application corresponding to the visualization window is initiated in response to the user's triggering action such as clicking, inputting, etc. in the window, for example, the user clicks QQ.
  • the space picture on the interface pops up the space page, which belongs to the security behavior allowed by the user. If the parent process of the browser process does not correspond to the visualization window, it is considered that the creation process is requested by the background process without the user's permission. Suspicious malicious behavior.
  • Step S140 processing the creation behavior of the browser process according to the detection result.
  • the parent process corresponding to the visualization window it is allowed to create a browser process; for the parent process that does not correspond to the visualization window, intercept, give a prompt message or further confirm its security.
  • the creation behavior of the browser process is monitored in real time, and the process that initiates the creation request is found, as the parent process of the browser process, the information of the parent process is obtained, and all the visualizations are traversed.
  • the window detects whether the parent process corresponds to the visualization window, thereby determining whether the creation behavior of the browser process is the active selection of the user, and correspondingly processing the creation behavior according to the detection result.
  • the background process that can effectively block the hidden window pops up the interference or threat of the browser page such as advertisement, game, shopping, phishing website, etc. without the user's consent, thereby improving the security of the user network operation.
  • FIG. 2 is a flowchart of a method for intercepting an advertisement program based on a cloud security according to another embodiment of the present invention. As shown in FIG. 2, the method includes the following steps:
  • Step S210 monitoring the creation behavior of the browser process.
  • the creation behavior of the monitoring browser process is actually monitoring the call request to the corresponding API function.
  • the application needs to create a Win32 process, and the API functions that may need to be called are CreateProcess, CreateProcessAsUser, etc., and the created new process runs the specified executable file.
  • the path of the executable file and the file name are specified by parameters of the API function, for example,
  • the parameter lpApplicationName specifies the path of the executable module, captures the function, obtains the path of the executable file, the file name and other information from its parameters, and can determine whether the process created by the API call is a browser process.
  • Step S220 obtaining parent process information of the browser process.
  • the process information of the parent process may include, but is not limited to, the process name, the process identifier, and the process file. Path information and related dynamic link library files, etc.
  • obtaining the process name, the process identifier, and the like may also be implemented by calling an API function, for example, acquiring a process name by using multiple functions under the Process Status API function; obtaining a process ID by using GetCurrentProcessId.
  • an API function for example, acquiring a process name by using multiple functions under the Process Status API function; obtaining a process ID by using GetCurrentProcessId.
  • Step S230 traversing all the visualization windows and obtaining the process identifier of the corresponding process of each visualization window.
  • a process ID is assigned until the process aborts.
  • the identifier is valid and does not change.
  • the process ID of each process is unique during the time when the process is valid. Therefore, it can be used.
  • the EnumWindows function can be used to traverse the window, obtain the handle of the window, and then use the GetWindowThreadProcessId function to obtain the process identifier corresponding to each window handle.
  • step S240 the parent process identifier of the browser process is queried in the process identifier of all the visualization windows. If the parent process identifier can be queried, it is determined that the parent process corresponds to the visualization window, and step S250 is performed; otherwise, step S260 is performed.
  • the process identifier is unique. Therefore, if there is at least one visualization window whose process identifier is consistent with the process ID of the parent process of the browser process, the parent process is considered to correspond to the visualization window, that is, the browser process can be considered.
  • the creation behavior is that the application corresponding to the visualization window is initiated in response to a user's triggering behavior such as clicks, inputs, and the like in the window.
  • Step S250 allowing the execution of the behavior of the browser process by the parent process, ending the process.
  • a method of intercepting a process is implemented by intercepting an API function that must be called by a hook function at any step of the creation process. Therefore, After the execution of the hook function of the embodiment of the present invention is completed, the jump to the original entry address of the corresponding API of the file behavior request may be executed to execute the corresponding instruction.
  • Step S260 giving risk prompt information, and intercepting the creation behavior of the browser process according to the user's selection according to the risk prompt information.
  • the parent process ID is not queried in the process ID of the entire visualization window, it is considered that the behavior of the parent process to create the browser process is initiated by the background process without the user's permission. It is a suspicious malicious behavior, such as an advertisement program behavior, possibly This behavior needs to be intercepted.
  • the user is provided with the risk prompt information.
  • the message window may be popped up in the designated area of the desktop, and the parent process information obtained in step S220, such as the process name, the process path, and the corresponding executable file name, are displayed to the user.
  • the parent process information obtained in step S220 such as the process name, the process path, and the corresponding executable file name, are displayed to the user.
  • the process and the corresponding application's hazard level, safety score and other information can be given and the corresponding suggestions can be provided to the user.
  • the parent process does not correspond to the visualization window
  • the behavior of the parent process to create the browser process is not malicious. For example, when installing and uninstalling the software, after the installation and uninstallation process ends, some pop-ups are often used.
  • the browser page for feedback is not harmful. If the user needs it, he can choose not to intercept the creation process of the browser process. You can also set a security list locally, add the process that the user chooses not to intercept to the list, and no longer prompt the next time.
  • Interception of process creation behavior can be implemented as follows. Usually, a process is created as follows: open the file image to be executed, create the execution process object, create the initial thread and stack and context, notify the Windows subsystem about the process, start the execution of the initial thread, and execute the new process context. The process is initialized. In any of these steps, the API function that must be called is intercepted by the hook function to achieve the purpose of the interception process creation. For example, by executing the interception of the Native API function ZwCreateProcess in the system service schedule table before the step of starting the initial thread execution, that is, when the system calls ZwCreateProcess, it is transferred to the hook program for processing. Or by intercepting API functions called in other steps, such as the NtCreateSection function, which is used to open the file image to be executed.
  • FIG. 3 shows a flow of a method based on a cloud security interception advertisement program according to another embodiment of the present invention. As shown in FIG. 3, the method includes the following steps:
  • Step S310 monitoring the creation behavior of the browser process
  • Step S320 acquiring parent process information of the browser process
  • Step S330 traversing all the visualization windows and obtaining the process identifier of the corresponding process of each visualization window
  • the steps S310-S330 are the same as the steps S210-S230 in the previous embodiment, and details are not described herein again.
  • step S340 the parent process identifier of the browser process is queried in the process identifier of all the visualization windows. If the parent process identifier can be queried, it is determined that the parent process corresponds to the visualization window, and step S350 is performed; otherwise, step S360 is performed.
  • Step S350 the execution of the behavior of the browser process by the parent process is allowed to end the process.
  • step S360 the process information of the parent process that does not correspond to the visualization window is queried in the preset local process whitelist. If the query is successful, step S350 is performed; otherwise, step S370 is performed.
  • the creation behavior of the parent process that does not correspond to the visualization window may be safe.
  • the user's judgment may not be accurate.
  • a more accurate judgment is made by the user's judgment in combination with the black and white list.
  • the parent process information is queried in the locally preset process whitelist.
  • the local whitelist stores common security processes, for example, processes related to installation and uninstallation of common software. Similar to step S260, a message window pops up in the desktop designated area.
  • the prompt information window can also receive user feedback for maintenance and update of the local process whitelist. For example, if a user has a special requirement for a process that is not in the whitelist, you can choose to allow it to create a browser process, record the user's selection of the process, and add the process to the local process whitelist.
  • Step S370 Upload the process information of the parent process to the server, so that the server knows whether the parent process belongs to the process blacklist saved by the server through the cloud query, and receives the query result from the server. If the query result indicates that the parent process belongs to the process blacklist saved by the server, step S380 is performed.
  • the server-side blacklist database stores more complete information and enables more rigorous and accurate judgment.
  • the client uploads the detected process information of the suspicious process to the server, and the server performs antivirus on the corresponding executable file or application according to the process information.
  • the blacklist on the server can also be generated by manual operation.
  • the server periodically counts the virus or malicious program data from the client, and passes the process with the highest number of users or the top growth rate or the risk ranking. Analyze the content of the pop-up web page to determine its security and put it into the blacklist.
  • Step S380 giving risk prompt information, and intercepting the creation behavior of the browser process according to the user's selection according to the risk prompt information.
  • step S260 the analysis result of the server can be further given.
  • FIG. 4 is a flow chart showing a method of cloud security interception advertising program according to another embodiment of the present invention. As shown in FIG. 4, the method includes the following steps:
  • Step S410 monitoring the creation behavior of the browser process
  • Step S420 acquiring parent process information of the browser process
  • Step S430 traversing all the visualization windows and obtaining the process identifier of the corresponding process of each visualization window
  • Steps S410-S430 are the same as steps S210-S230 in the foregoing embodiment, and details are not described herein again.
  • step S440 the parent process identifier of the browser process is queried in the process identifier of all the visualization windows. If the parent process identifier can be queried, it is determined that the parent process corresponds to the visualization window, and step S450 is performed; otherwise, step S460 is performed.
  • step S450 the behavior of the parent process to create a browser process is allowed, and the process ends.
  • Step S460 Obtain a page URL to be accessed by a browser process created by the parent process.
  • the URL currently loaded by the IE can be obtained by responding to the "BeforeNavigate2" event.
  • NPAPI Netscape Plugin Application Programming Interface
  • Step S470 the page URL is packaged into a ciphertext and uploaded to the server, so that the server knows whether the URL of the page belongs to the URL blacklist or whitelist saved by the server through the cloud query, and receives the query result from the server. If the query result indicates that the page URL belongs to the URL blacklist, step S480 is performed; if the query result indicates that the page URL belongs to the URL whitelist, step S450 is performed.
  • the server collects the URLs of common advertisements, games, and the like, and adds them to the blacklist; creates a behavior for the browser that the user allows to release, collects the URL opened by the browser page created by the behavior, analyzes the content of the URL page, or counts a large number of statistics
  • the user intercepts the URL page, determines whether the page is a normal page, and adds the determined normal page to the white list.
  • the page URL When the page URL is uploaded to the server, the page URL is first encrypted into a ciphertext and then sent to the server.
  • the page URL may be encrypted by a reversible encryption method, or the page URL may be encrypted by an irreversible encryption method.
  • the feature value of the page URL is calculated as ciphertext.
  • the eigenvalue may be a hash value calculated according to MD5 (Message Digest Algorithm, fifth edition), or a SHA1 (Secure Hash Algorithm) code, or a CRC (Cyclic Redundancy Check, A cyclic redundancy check code or the like that uniquely identifies the signature of the original information.
  • MD5 Message Digest Algorithm, fifth edition
  • SHA1 Secure Hash Algorithm
  • CRC Cyclic Redundancy Check
  • Step S480 giving risk prompt information, and intercepting the creation behavior of the browser process according to the user's selection according to the risk prompt information.
  • step S370 preferably, the risk alert information is given first.
  • monitoring the browser process creation behavior by capturing an API function necessary for creating a process, finding a parent process that initiates the creation request, obtaining a process identifier of the parent process, and traversing all the visualizations.
  • the window obtains the process identifier of the corresponding process of each visualization window, and queries the parent process identifier of the browser process in the process identifier of all the visualization windows, thereby determining whether the browser process creation behavior is the active selection of the user,
  • the suspicious process that the user actively chooses gives the risk prompt information, or further confirms through the cloud blacklist or the URL black and white list in the cloud.
  • the background process that can effectively block the hidden window pops up the interference or threat of the browser page such as advertisement, game, shopping, phishing website, etc. without the user's consent, and reduces the behavior and security of the malicious program through the cloud query method.
  • the probability of misjudgment of behavior further improves the security of the system and the user's operating experience.
  • FIG. 5 is a block diagram showing an apparatus for cloud-based interception of an advertisement program according to another embodiment of the present invention. As shown in Figure 5, the device includes:
  • the monitoring module 500 is adapted to monitor the creation behavior of the browser process.
  • the obtaining module 502 is configured to acquire information about the parent process of the browser process when the monitoring module 500 detects the creation request of the browser process, and the detecting module 504 Suitable for detecting, according to the information of the parent process of the browser process, whether the parent process corresponds to the visualization window by traversing all the visualization windows; the processing module 506 is adapted to create the behavior of the browser process according to the detection result. Process it.
  • the device based on the cloud security interception advertisement program monitors the creation behavior of the browser process in real time, and finds the process that initiates the creation request, as the parent process of the browser process, acquires the parent process.
  • the information traverses all the visualization windows to detect whether the parent process corresponds to the visualization window, thereby determining whether the creation behavior of the browser process is the active selection of the user, and correspondingly processing the creation behavior according to the detection result.
  • the background process that can effectively block the hidden window pops up the interference or threat of the browser page such as advertisement, game, shopping, phishing website, etc. without the user's consent, thereby improving the security of the user network operation.
  • FIG. 6 is a block diagram of an apparatus for cloud-based interception of an advertisement program in accordance with another embodiment of the present invention.
  • the device based on the cloud security interception advertisement program of the embodiment further optimizes the device shown in FIG. 5, and the optimized device based on the cloud security interception advertisement program is as shown in FIG. 6, the device includes:
  • the monitoring module 510 is adapted to monitor the creation behavior of the browser process.
  • the monitoring module 510 implements monitoring of the creation behavior by calling a call request of an API function that monitors the creation process.
  • the application needs to create a Win32 process, and the API functions that may need to be called are CreateProcess, CreateProcessAsUser, etc., and the created new process runs the specified executable file.
  • the path of the executable file and the file name are specified by parameters of the API function, for example, The parameter lpApplicationName specifies the path of the executable module.
  • the monitoring module 540 captures the function, obtains the path and file name of the executable file from its parameters, and determines whether the process created by the API call is a browser process.
  • the obtaining module 520 is adapted to obtain information about a parent process of the browser process when the monitoring module 510 monitors the creation request of the browser process.
  • the obtaining module 520 acquires an application requesting to call an API function such as CreateProcess, thereby acquiring parent process information.
  • the obtaining module 520 obtains the process information of the parent process, which may include, but is not limited to, obtaining the process name, the process identifier, the path information of the process file, and the related dynamic link library file.
  • the obtaining module 520 is adapted to obtain a parent process identifier of the browser process when the monitoring module 510 monitors the creation request of the browser process.
  • the obtaining module 520 obtains the process name, the process identifier, and the like, and can also be implemented by calling an API function.
  • the process name is obtained by multiple functions under the Process Status API function; the process ID is obtained by using GetCurrentProcessId.
  • the detecting module 530 is adapted to detect whether the parent process corresponds to the visualization window by traversing all the visualization windows according to the information of the parent process of the browser process.
  • a process ID is assigned when a process is created. Until the process is aborted, the identifier is valid and does not change. The process identifier of each process is unique during the time when the process is valid. Therefore, the detection module 530 can detect whether the parent process corresponds to the visualization window by using the process identifier. .
  • the detecting module 530 includes: a traversing module 5302 and a querying module 5304.
  • the traversing module 5302 is adapted to traverse all the visualization windows and obtain the process identifier of the corresponding process of each visualization window; the traversal module 5302 can traverse the window with the EnumWindows function, obtain the handle of the window, and then use the GetWindowThreadProcessId function to obtain the corresponding window handle. Process ID.
  • the querying module 5304 is configured to query the parent process identifier of the browser process in the process identifier of the entire visualization window. If the parent process identifier of the browser process is queried, determine that the parent process corresponds to the visualization window; if no query is found The parent process ID of the browser process determines that the parent process does not correspond to the visualization window.
  • the device for the cloud security interception advertisement program of the embodiment further includes: a processing module 540, configured to process the creation behavior of the browser process according to the detection result.
  • the processing module 540 may include: a first intercepting module 5402, adapted to create a behavior of the browser process for a parent process that does not correspond to the visual window, and provide risk prompt information according to the user's selection according to the risk prompt information. The creation behavior of the browser process is intercepted.
  • the interception of the process creation behavior by the processing module 540 can be implemented as follows. Usually, a process is created as follows: open the file image to be executed, create the execution process object, create the initial thread and stack and context, notify the Windows subsystem about the process, start the execution of the initial thread, and execute the new process context. The process is initialized. Therefore, the processing module 540 can intercept the API function that it must call in any one of the steps to achieve the purpose of the interception process creation. For example, the processing module 540 intercepts the Native API function ZwCreateProcess in the system service schedule before starting the step of the initial thread.
  • the processing module 540 provides the risk prompting information to the user: the pop-up message window is displayed in the specified area of the desktop, and the parent process information acquired by the obtaining module 520, such as the process name, the process path, and the corresponding executable file name, is displayed to the user for the user.
  • the processing module 540 can also provide information such as the hazard level and security score of the process and the corresponding application according to the existing statistical results, and provide corresponding suggestions to the user.
  • the processing module 540 may further include: a first cloud query interface module 5404, configured to query process information of a parent process that does not correspond to the visualization window in the preset local process whitelist; the first execution module 5406, If the query result of the first cloud query interface module 5404 is that the query is successful, the parent process is allowed to create a behavior of the browser process; otherwise, the process information of the parent process is uploaded to the server for the server to learn through the cloud query.
  • a first cloud query interface module 5404 configured to query process information of a parent process that does not correspond to the visualization window in the preset local process whitelist
  • the first execution module 5406 If the query result of the first cloud query interface module 5404 is that the query is successful, the parent process is allowed to create a behavior of the browser process; otherwise, the process information of the parent process is uploaded to the server for the server to learn through the cloud query.
  • the second intercepting module 5408 is adapted to give the risk prompt information if the query result indicates that the parent process belongs to the process blacklist, and The creation behavior of the browser process is intercepted according to the user's selection according to the risk prompt information. .
  • the first cloud query interface module 5404 uploads the process information of the suspicious process detected by the detection module 530 to the server, and the server performs anti-virus analysis on the corresponding executable file or application according to the process information, for example, a traditional signature matching method. Or use active defense methods to analyze the behavior characteristics of the application. Find the application whose signature matches the virus database or malicious program, or the application whose behavior triggers the default security rule, and add the corresponding process information to the process blacklist.
  • the blacklist on the server can also be generated by manual operation.
  • the server periodically counts the virus or malicious program data from the client, and passes the process with the highest number of users or the top growth rate or the risk ranking. Analyze the content of the pop-up web page to determine its security and put it into the blacklist.
  • the processing module 540 of the embodiment may further include: a page URL extraction module 5410, a second cloud query interface module 5412, and a third interception module 5414.
  • the page URL extraction module 5410 is adapted to obtain a page URL to be accessed by a browser process created by the parent process for a parent process that does not correspond to the visualization window.
  • the page URL extraction module 570 obtains the URL through a plugin mechanism provided in the browser.
  • the page URL extraction module 5410 obtains the currently loaded URL of the IE by responding to the "BeforeNavigate2" event, in Firefox.
  • the (Firefox) browser page URL extraction module 5410 uses the specified response event interface provided by the Firefox extension mechanism to obtain the URL currently loaded by the Firefox browser.
  • NPAPI Netscape Plugin Application Programming Interface
  • the second cloud query interface module 5412 is adapted to package the page URL obtained by the page URL extraction module 570 into a cipher text and upload it to the server, so that the server can know whether the page URL belongs to the URL blacklist or white list saved by the server through the cloud query. And receive the query results from the server.
  • the third intercepting module 5414 is adapted to indicate that the page URL belongs to the URL if the query result indicates
  • the blacklist provides risk warning information and intercepts the creation behavior of the browser process according to the user's selection according to the risk prompt information.
  • the function implementations of the foregoing various processing modules may be combined, or some of the settings may be separately set or selected.
  • multiple intercepting modules in the foregoing processing module may be separately configured to implement respective intercepting functions, or may be combined to implement multiple corresponding intercepting functions.
  • the first cloud query interface module and the second cloud query interface module in the foregoing processing module may be separately set or combined to implement corresponding functions.
  • the cloud security interception advertisement program-based device of the present embodiment is used to implement the corresponding cloud security interception advertisement program-based method in the foregoing multiple method embodiments, and has the beneficial effects of the corresponding method embodiments, and details are not described herein again.
  • FIG. 7 is a diagram of a cloud security interception advertisement program-based system according to another embodiment of the present invention. As shown in FIG. 7, the system includes the cloud security interception advertisement program-based device in the previous embodiment, and further includes: The device provides a server for cloud query services.
  • the monitoring module monitors the browser process creation behavior by capturing an API function necessary for the creation process, finds the parent process that initiated the creation request, and acquires the module to acquire the process of the parent process.
  • the traversal module traverses all the visualization windows and obtains the process identifier of the corresponding process of each visualization window, and the query module queries the parent process identifier of the browser process in the process identifier of all the visualization windows, thereby judging Whether the creation behavior of the browser process is the active selection of the user, and for the suspicious process that is not actively selected by the user, the processing module gives the risk prompt information through the corresponding intercepting module, or further, the process information and the corresponding cloud query interface module / or the URL of the page to be accessed is sent to the server, confirmed by the process black and white list and / or URL black and white list in the cloud.
  • the background process that can effectively block the hidden window pops up the interference or threat of the browser page such as the advertisement, the game, the shopping, the phishing website, etc. without the user's consent, and reduces the behavior of the malicious program through the cloud query method.
  • the probability of misjudgment of security behavior further improves the security of the system and the user's operating experience.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • any combination of the features disclosed in the specification, including the accompanying claims, the abstract and the drawings, and any methods so disclosed, or All processes or units of the device are combined.
  • Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
  • the various component embodiments of the present invention may be implemented in hardware, or in a program module running on one or more processors, or in a combination thereof.
  • a microprocessor or digital signal processor can be used in practice to implement the present invention.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 8 illustrates an electronic device, such as a client device, that can implement a cloud security interception advertising program based method in accordance with the present invention.
  • the client device traditionally includes a processor 610 and a computer program product or computer readable medium in the form of a memory 620.
  • the memory 620 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • Memory 620 has a memory space 630 for program code 631 for performing any of the method steps described above.
  • storage space 630 for program code may include various program code 631 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • Such computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG.
  • the storage unit may have a storage section, a storage space, and the like arranged similarly to the storage 620 in the electronic device of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 631', ie, code that can be read by a processor, such as 610, that when executed by an electronic device causes the electronic device to perform each of the methods described above step.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)

Abstract

本发明公开了一种基于云安全拦截广告程序的方法、装置和系统,其中,所述方法包括:监控浏览器进程的创建行为;当监测到浏览器进程的创建请求时,获取浏览器进程的父进程的信息;根据浏览器进程的父进程的信息,通过遍历全部的可视化窗口,检测父进程是否对应于可视化窗口;根据检测结果对浏览器进程的创建行为进行处理。根据本发明提供的方案,可以有效拦截隐藏窗口的后台进程未经用户同意而弹出广告、钓鱼网站等浏览器页面,使用户在操作中避免受到广告等无效信息的干扰和各种恶意网站上虚假信息的欺骗,提高了用户网络操作的安全性。

Description

基于云安全拦截广告程序的方法、装置和系统 技术领域
本发明涉及计算机安全领域,具体涉及一种基于云安全拦截广告程序的方法、装置和系统。
背景技术
随着互联网的发展,基于浏览器的应用日益普及,比如,人们通过浏览器可以查询银行账户、网上购物、电子商务、查询信息、获取知识、进行娱乐等,基于浏览器的应用为人们提供了方便和快捷的交互方式。然而,人们在上网冲浪浏览网页的同时,经常会遇到未经点击而自动弹出的浏览器页面,例如广告、游戏、购物网页,这些网页的内容通常对用户来说毫无意义,只会对用户的浏览行为造成干扰,更严重的问题是,部分弹出页面还可能来自恶意网站,如钓鱼网站,或者欺诈、假冒网站等,这些页面上通常显示有虚假信息并且页面代码内嵌入有恶意的脚本程序,用于非法获取用户输入的账号、密码等个人信息,对用户利益造成损害。
其中,部分未经许可而打开的浏览器页面是由在后台运行的恶意程序的进程开启的,这些恶意进程通常不具有窗口,或隐藏自身窗口以达到不被用户发现的目的。对于这类恶意程序,现有技术中仍然采用通用的方法,例如基于特征库来分析、匹配程序的特征码,这种方式通常具有滞后性,无法应对新的情况,运营成本也较大。因此,对于这类恶意程序,现有技术中缺乏一种具有针对性的检测和拦截方法。
发明内容
鉴于上述问题,提出了本发明以便提供一种克服上述问题或者至少部分地解决上述问题的基于云安全拦截广告程序的方法、装置和系统。
根据本发明的一个方面,提供了一种基于云安全拦截广告程序的方法, 包括:监控浏览器进程的创建行为;当监测到浏览器进程的创建请求时,获取浏览器进程的父进程的信息;根据浏览器进程的父进程的信息,通过遍历全部的可视化窗口,检测父进程是否对应于可视化窗口;根据检测结果对浏览器进程的创建行为进行处理。
根据本发明的另一方面,提供了一种基于云安全拦截广告程序的装置,包括:监控模块,适于监控浏览器进程的创建行为;获取模块,适于当监控模块监测到浏览器进程的创建请求时,获取浏览器进程的父进程的信息;检测模块,适于根据浏览器进程的父进程的信息,通过遍历全部的可视化窗口,检测父进程是否对应于可视化窗口;处理模块,适于根据检测结果对浏览器进程的创建行为进行处理。
根据本发明的另一方面,提供了一种基于云安全拦截广告程序的系统,包括上述基于云安全拦截广告程序的装置,还包括向该装置提供云查询服务的服务器。
根据本发明的又一个方面,提供了一种计算机程序,其包括计算机可读代码,当所述计算机可读代码在电子设备上运行时,导致所述电子设备执行根据上述的基于云安全拦截广告程序的方法。
根据本发明的再一个方面,提供了一种计算机可读介质,其中存储了如上所述的计算机程序。
根据本发明的基于云安全拦截广告程序的方案,监控到浏览器进程的创建请求时,获取要创建该浏览器进程的父进程的信息,检测该父进程是否与当前界面中的至少一个可视化窗口对应,从而判断出父进程的安全性,根据检测结果对其创建浏览器进程的行为进行相应的处理。根据该方案,可以有效拦截隐藏窗口的后台进程未经用户同意而弹出广告、钓鱼网站等浏览器页面,使用户在操作中避免受到广告等无效信息的干扰和各种恶意网站上虚假信息的欺骗,提高了用户网络操作的安全性。
上述说明仅是本发明技术方案的概述,为了能够更清楚了解本发明的技术手段,而可依照说明书的内容予以实施,并且为了让本发明的上述和其它目的、特征和优点能够更明显易懂,以下特举本发明的具体实施方式。
附图说明
通过阅读下文优选实施方式的详细描述,各种其他的优点和益处对于本领域普通技术人员将变得清楚明了。附图仅用于示出优选实施方式的目的,而并不认为是对本发明的限制。而且在整个附图中,用相同的参考符号表示相同的部件。在附图中:
图1示出了根据本发明一个实施例的基于云安全拦截广告程序的方法的流程图;
图2示出了根据本发明另一实施例的基于云安全拦截广告程序的方法的流程图;
图3示出了根据本发明另一实施例的基于云安全拦截广告程序的方法的流程图;
图4示出了根据本发明另一实施例的基于云安全拦截广告程序的方法的流程图;
图5示出了根据本发明另一个实施例的基于云安全拦截广告程序的装置的结构框图;
图6示出了根据本发明另一个实施例的基于云安全拦截广告程序的装置的结构框图;
图7示出了根据本发明另一实施例的基于云安全拦截广告程序的系统的结构框图;
图8示出了用于执行根据本发明的方法的电子设备的框图;以及
图9示出了用于保持或者携带实现根据本发明的方法的程序代码的存储单元。
具体实施方式
下面将参照附图更详细地描述本公开的示例性实施例。虽然附图中显示了本公开的示例性实施例,然而应当理解,可以以各种形式实现本公开而不应被这里阐述的实施例所限制。相反,提供这些实施例是为了能够更透彻地 理解本公开,并且能够将本公开的范围完整的传达给本领域的技术人员。
图1示出了根据本发明一个实施例的基于云安全拦截广告程序的方法的流程图,如图1所示,该方法包括如下步骤:
步骤S110,监控浏览器进程的创建行为。
在常见的计算机系统,如Windows系统,对浏览器进程的监控通常是基于操作系统提供的API接口函数或系统调用来实现的。
该步骤中所说的浏览器包括但不限于运行在各类计算机系统中的IE、Firefox、Chrome、Safari等独立内核浏览器,以及常见的基于IE内核的,或基于多内核的浏览器,如360浏览器,搜狗浏览器等,还包括运行于各种移动终端操作系统中常见的浏览器。一种常见的情况是,系统中安装有一种以上的浏览器,例如,Windows系统中除了自带的IE浏览器,用户出于丰富功能、更高的安全性和个人喜好,可能安装并默认使用上述其他浏览器。这时,对浏览器进程的监控就应该包括对IE进程,及其他全部浏览器进程的监控。
步骤S120,当监测到浏览器进程的创建请求时,获取浏览器进程的父进程的信息。
浏览器进程的父进程就是请求创建该浏览器进程的进程。以Windows操作系统为例,各种应用层应用程序都是通过调用各种API函数来实现的,父进程创建浏览器进程需要调用相应的API函数,检测浏览器进程的创建请求也就是监控创建进程的API函数的调用请求,通过捕获该API函数,可以从该API函数携带的参数中解析出指向的应用程序,判断出创建的是否为浏览器进程。请求调用该函数的进程就是浏览器进程的父进程,父进程的进程信息可以包括但不限于进程名称,进程标识,进程文件的路径信息以及相关的动态链接库文件等。
步骤S130,根据浏览器进程的父进程的信息,通过遍历全部的可视化窗口,检测父进程是否对应于可视化窗口。
对大多数的应用程序,用户一般通过该程序提供的可视化窗口与系统进行交互。本发明通过检测父进程是否对应于可视化窗口来判断浏览器进程的创建行为是否为用户触发。遍历全部的可视化窗口,如果存在至少一个可视 化窗口与浏览器进程的父进程相对应,认为浏览器进程的创建行为是该可视化窗口对应的应用程序响应于用户在该窗口中的点击、输入等触发行为而发起的,例如,用户点击QQ界面上的空间图片,弹出了空间页面,这属于用户允许的安全行为,而如果浏览器进程的父进程不对应于可视化窗口,认为该次创建行为是后台进程未经用户允许而请求的,是可疑的恶意行为。
步骤S140,根据检测结果对所述浏览器进程的创建行为进行处理。
对于对应于可视化窗口的父进程,允许其创建浏览器进程;对于不对应可视化窗口的父进程,进行拦截,给出提示信息或进一步确认其安全性。
根据本发明上述实施例提供的方法,对浏览器进程的创建行为进行实时的监控,并找到发起该创建请求的进程,作为浏览器进程的父进程,获取该父进程的信息,遍历全部的可视化窗口,检测父进程是否对应于可视化窗口,以此来判断浏览器进程的创建行为是否为用户的主动选择,根据检测的结果对创建行为做相应的处理。根据该方案可以有效拦截隐藏窗口的后台进程未经用户同意而弹出广告、游戏、购物、钓鱼网站等浏览器页面的干扰或威胁,提高了用户网络操作的安全性。
图2示出了本发明另一个实施例的基于云安全拦截广告程序的方法的流程图,如图2所示,该方法包括如下步骤:
步骤S210,监控浏览器进程的创建行为。
如同在步骤S120中所述的,Windows系统中,监控浏览器进程的创建行为实际上是监控对相应的API函数的调用请求。具体地,应用程序要创建一个Win32进程,可能需要调用的API函数有CreateProcess、CreateProcessAsUser等,创建的新进程运行指定的可执行文件,可执行文件的路径、文件名由API函数的参数指定,例如,参数lpApplicationName指定了可执行模块的路径,捕获该函数,从其参数中获得可执行文件的路径,文件名等信息,即可判断出本次API调用创建的进程是否为浏览器进程。
步骤S220,获取浏览器进程的父进程信息。
获取请求调用CreateProcess等API函数的应用程序,从而获取父进程信息。父进程的进程信息可以包括但不限于进程名称,进程标识,进程文件的 路径信息以及相关的动态链接库文件等。
在获取父进程信息时,一种可能的情况是,一些恶意程序为了更好地隐藏自己,可能会通过其进程A调用进程B,然后进程B请求调用API函数创建浏览器进程,甚至经过更多级的调用。这时,在后续步骤中,仅根据进程B的信息并不能做出准确的判断。因此,还要获取进程B所在的进程链的多个进程的信息。这可以通过NtQueryInformationProcess函数实现,利用该函数逐级查找,获取全部相关进程。
具体地,获取进程名称、进程标识等信息也可以通过调用API函数实现,例如,通过Process Status(进程状态)API函数下的多个函数获取进程名称;通过GetCurrentProcessId获取进程ID等。当然,也可以选择其他的API函数或者通过高级语言实现。
步骤S230,遍历全部的可视化窗口并获取每个可视化窗口对应进程的进程标识。
进程被创建时会被分配一个进程标识,直到进程中止这个标识都是有效的,并且不会改变,在进程有效的时间内,每个进程的进程标识都是唯一的,因此,它可以被用来唯一标识这个进程。具体地,该步骤中可以用EnumWindows函数遍历窗口,获取窗口的句柄,然后用GetWindowThreadProcessId函数获得每个窗口句柄对应的进程标识。
步骤S240,在全部的可视化窗口的进程标识中查询浏览器进程的父进程标识,如果能查询到父进程标识,则确定父进程对应于可视化窗口,执行步骤S250,否则,执行步骤S260。
在同一时刻,进程标识唯一,因此,如果存在至少一个可视化窗口,其进程标识与浏览器进程的父进程的进程标识一致,则认为该父进程对应于该可视化窗口,即可以认为浏览器进程的创建行为是该可视化窗口对应的应用程序响应于用户在该窗口中的点击、输入等触发行为而发起的。
步骤S250,允许执行父进程创建浏览器进程的行为,结束本次流程。
由下文中步骤S260描述可知,一种拦截进程的方法是,在创建进程的任意一个步骤通过钩子函数的方法拦截其所必须调用的API函数实现的。因此, 对于允许所监控到的创建行为请求的情形,在本发明实施例的钩子函数执行完毕后,跳转到该文件行为请求对应API的原始入口地址去执行相应的指令即可。
步骤S260,给出风险提示信息,并按照用户根据风险提示信息的选择对所述浏览器进程的创建行为进行拦截。
如果在全部的可视化窗口的进程标识中未查询到父进程标识,认为该父进程创建浏览器进程的行为是后台进程未经用户允许而发起的,是可疑的恶意行为,如广告程序行为,可能需要对该行为进行拦截。
这时,向用户提供风险提示信息,具体地,可以在桌面指定区域弹出消息窗口,将步骤S220中获取的父进程信息,如进程名称,进程路径,相应的可执行文件名称等展示给用户,供用户分析以做出决定,还可以根据现有的统计结果,给出进程及相应的应用程序的危险等级、安全评分等信息并向用户提供相应的建议。
在一些情况下,虽然父进程不对应可视化窗口,但该父进程创建浏览器进程的行为并不属于恶意行为,例如,安装、卸载软件时,在安装、卸载程序结束后,经常弹出一些用于信息反馈的浏览器页面,并不具有危害性,如果用户需要,可以选择不对该浏览器进程的创建行为进行拦截。还可以在本地设置一个安全名单,将用户选择不拦截的进程加入该名单中,下次不再提示。
对进程创建行为的拦截可以按如下方式实现。通常,一个进程的创建过程如下:打开要被执行的文件映像,创建执行进程对象,创建初始线程及堆栈及上下文,通知Windows子系统有关进程的信息,开始初始线程的执行,执行新进程上下文中的进程初始化。可以在其中任意一个步骤通过钩子函数的方法拦截其所必须调用的API函数,达到拦截进程创建的目的。例如,通过在开始初始线程的步骤执行之前,通过对系统服务调度表中的Native API函数ZwCreateProcess的拦截来实现,即在系统调用ZwCreateProcess时,转到钩子程序中进行处理。或者通过拦截其他步骤中调用的API函数实现,如NtCreateSection函数,该函数用于打开要被执行的文件映像。
图3示出了本发明另一个实施例的基于云安全拦截广告程序的方法的流 程图,如图3所示,该方法包括如下步骤:
步骤S310,监控浏览器进程的创建行为;
步骤S320,获取浏览器进程的父进程信息;
步骤S330,遍历全部的可视化窗口并获取每个可视化窗口对应进程的进程标识;
其中,步骤S310-S330与上一实施例中的步骤S210-S230相同,此处不再赘述。
步骤S340,在全部的可视化窗口的进程标识中查询浏览器进程的父进程标识,如果能查询到父进程标识,则确定父进程对应于可视化窗口,执行步骤S350,否则,执行步骤S360。
步骤S350,允许执行父进程创建浏览器进程的行为,结束本次流程。
步骤S360,在预置的本地进程白名单中查询不对应于可视化窗口的父进程的进程信息,如果查询成功,执行步骤S350,否则,执行步骤S370。
如同在上一实施例中步骤S260里所述的,不对应于可视化窗口的父进程的创建行为可能是安全的。然而,用户的判断未必准确。在本实施例中,通过用户判断与黑白名单的方式结合进行更准确的判断。
首先在本地预置的进程白名单中查询父进程信息,本地白名单保存有常见的安全进程,例如,常用软件的安装、卸载相关的进程。与步骤S260类似地,在桌面指定区域弹出消息窗口。提示信息窗口还可以接收用户反馈,用于本地进程白名单的维护和更新。例如,用户对某一不在白名单中的进程有特殊需求,可以选择允许其创建浏览器进程,记录用户对该进程的选择,将进程加入到本地进程白名单中,下次不再提示。
步骤S370,将父进程的进程信息上传至服务器,以供服务器通过云查询获知父进程是否属于服务器保存的进程黑名单,并从服务器接收查询结果。如果查询结果指示该父进程属于服务器保存的进程黑名单,执行步骤S380。
与本地名单相比,服务器端的黑名单数据库保存有更完整的信息,能够进行更严格准确的判断。具体地,客户端将检测到的可疑进程的进程信息上传至服务器,服务器根据进程信息对相应的可执行文件或应用程序进行杀毒 分析,可以采用传统的特征码匹配方式,或者采用主动防御的方法分析应用程序包含的行为特点。找出特征码与病毒库,或恶意程序相匹配的应用程序,或行为动作触发预设安全规则的应用程序,将相应的进程信息加入到进程黑名单中。
服务器上的黑名单也可以通过人工运营的方式产生,服务器端定期对来自客户端的病毒或恶意程序数据进行统计,对使用数量排名靠前或者增长速度靠前或者危险性排名靠前的进程,通过分析其弹出网页的内容等方式判断其安全性,放入黑名单中。
步骤S380,给出风险提示信息,并按照用户根据风险提示信息的选择对浏览器进程的创建行为进行拦截。
实际中,也可以选择直接拦截创建行为。但考虑用户可能对某些进程存在特殊需求,通常先给出风险提示信息,接收用户反馈。该步骤与S260相似,在步骤S260的基础上,还可以进一步给出服务器的分析结果。
对于属于白名单的进程,可以允许其创建浏览器的行为。
图4示出了本发明另一个实施例的基于云安全拦截广告程序的方法的流程图。如图4所示,该方法包括如下步骤:
步骤S410,监控浏览器进程的创建行为;
步骤S420,获取浏览器进程的父进程信息;
步骤S430,遍历全部的可视化窗口并获取每个可视化窗口对应进程的进程标识;
其中,步骤S410-S430与前述实施例中的步骤S210-S230相同,此处不再赘述
步骤S440,在全部的可视化窗口的进程标识中查询浏览器进程的父进程标识,如果能查询到父进程标识,则确定父进程对应于可视化窗口,执行步骤S450,否则,执行步骤S460。
步骤S450,允许执行父进程创建浏览器进程的行为,结束本次流程。
步骤S460,获取父进程创建的浏览器进程所要访问的页面URL。
一种可能方式是通过浏览器中提供的插件机制,例如,在IE浏览器中,通过响应“BeforeNavigate2”事件可以获取IE当前加载的URL。在火狐(Firefox)浏览器中使用火狐扩展机制提供的指定响应事件接口,获取火狐浏览器当前加载的URL。在谷歌(chrome)浏览器中使用网景插件应用程序编程接口(Netscape Plugin Application Programming Interface,简称:NPAPI)插件机制,获取谷歌浏览器当前加载的URL。
步骤S470,将该页面URL打包成密文后上传至服务器,以供服务器通过云查询获知该页面URL是否属于服务器保存的URL黑名单或白名单,并从服务器接收查询结果。如果查询结果指示该页面URL属于URL黑名单,执行步骤S480;如果查询结果指示该页面URL属于URL白名单,执行步骤S450。
服务器收集常见的广告、游戏等页面的URL,加入黑名单中;对用户允许放行的浏览器创建行为,收集该行为创建的浏览器页面所打开的URL,分析该URL页面的内容,或者统计大量用户对该URL页面的拦截情况,判断该页面是否为正常页面,将判断出的正常页面加入白名单中。
页面URL上传至服务器时,先将页面URL加密成密文,然后发送给服务器。这里,可以采用可逆加密方法对页面URL进行加密,也可以采用不可逆加密方法对页面URL进行加密。举例来说,计算页面URL的特征值作为密文。可选地,特征值可以为根据MD5(Message Digest Algorithm,消息摘要算法第五版)计算得到的哈希值,或SHA1(Secure Hash Algorithm,安全哈希算法)码,或CRC(Cyclic Redundancy Check,循环冗余校验)码等可唯一标识原信息的特征码。需要说明的是,在上传页面URL的密文到服务器的时候,需要首先屏蔽可能带有用户密码的网址字符串,不上传此类信息,以便保证用户信息的安全。
步骤S480,给出风险提示信息,并按照用户根据风险提示信息的选择对浏览器进程的创建行为进行拦截。
出于与步骤S370相同的理由,优选地,先给出风险提示信息。
对于属于白名单的URL对应的父进程,可以允许其创建浏览器的行为。
根据本发明上述实施例提供的方法,通过捕获创建进程所必须的API函数实现对浏览器进程创建行为的监控,找到发起该创建请求的父进程,获取该父进程的进程标识,遍历全部的可视化窗口并获取每个可视化窗口对应进程的进程标识,在全部的可视化窗口的进程标识中查询浏览器进程的父进程标识,以此来判断浏览器进程的创建行为是否为用户的主动选择,对于非用户主动选择的可疑进程,给出风险提示信息,或者进一步通过云端的进程黑白名单或URL黑白名单确认。根据该方案可以有效拦截隐藏窗口的后台进程未经用户同意而弹出广告、游戏、购物、钓鱼网站等浏览器页面的干扰或威胁,并且,通过云查询的方式,降低了对恶意程序行为和安全行为误判的概率,进一步提高系统的安全性和用户的操作体验。
图5示出了本发明另一个实施例的基于云安全拦截广告程序的装置的框图。如图5所示,该装置包括:
监控模块500,适于监控浏览器进程的创建行为;获取模块502,适于当监控模块500监测到浏览器进程的创建请求时,获取所述浏览器进程的父进程的信息;检测模块504,适于根据所述浏览器进程的父进程的信息,通过遍历全部的可视化窗口,检测所述父进程是否对应于可视化窗口;处理模块506,适于根据检测结果对所述浏览器进程的创建行为进行处理。
根据本发明上述实施例提供的基于云安全拦截广告程序的装置,对浏览器进程的创建行为进行实时的监控,并找到发起该创建请求的进程,作为浏览器进程的父进程,获取该父进程的信息,遍历全部的可视化窗口,检测父进程是否对应于可视化窗口,以此来判断浏览器进程的创建行为是否为用户的主动选择,根据检测的结果对创建行为做相应的处理。根据该方案可以有效拦截隐藏窗口的后台进程未经用户同意而弹出广告、游戏、购物、钓鱼网站等浏览器页面的干扰或威胁,提高了用户网络操作的安全性。
图6示出了本发明另一个实施例的基于云安全拦截广告程序的装置的框图。本实施例的基于云安全拦截广告程序的装置对图5所示的装置进行了进一步的优化,优化后的基于云安全拦截广告程序的装置如图6所示,该装置包括:
监控模块510,适于监控浏览器进程的创建行为。
可选地,监控模块510通过监控创建进程的API函数的调用请求实现对创建行为的监控。具体地,应用程序要创建一个Win32进程,可能需要调用的API函数有CreateProcess、CreateProcessAsUser等,创建的新进程运行指定的可执行文件,可执行文件的路径、文件名由API函数的参数指定,例如,参数lpApplicationName指定了可执行模块的路径,监控模块540捕获该函数,从其参数中获得可执行文件的路径及文件名,即可判断出本次API调用创建的进程是否为浏览器进程。
获取模块520,适于当监控模块510监测到浏览器进程的创建请求时,获取浏览器进程的父进程的信息。
例如,获取模块520获取请求调用CreateProcess等API函数的应用程序,从而获取父进程信息。获取模块520获取父进程的进程信息可以包括但不限于获取进程名称,进程标识,进程文件的路径信息以及相关的动态链接库文件等。
可选地,获取模块520适于当监控模块510监测到浏览器进程的创建请求时,获取浏览器进程的父进程标识。获取模块520获取进程名称、进程标识等信息也可以通过调用API函数实现,例如,通过Process Status(进程状态)API函数下的多个函数获取进程名称;通过GetCurrentProcessId获取进程ID等。
检测模块530,适于根据浏览器进程的父进程的信息,通过遍历全部的可视化窗口,检测父进程是否对应于可视化窗口。
进程被创建时会被分配一个进程标识。直到进程中止这个标识都是有效的,并且不会改变,在进程有效的时间内,每个进程的进程标识都是唯一的,因此,检测模块530可以通过进程标识检测父进程是否对应于可视化窗口。
可选地,检测模块530包括:遍历模块5302和查询模块5304。
其中:
遍历模块5302,适于遍历全部的可视化窗口并获取每个可视化窗口对应进程的进程标识;遍历模块5302可以用EnumWindows函数遍历窗口,获取窗口的句柄,然后用GetWindowThreadProcessId函数获得每个窗口句柄对应 的进程标识。
查询模块5304,适于在全部的可视化窗口的进程标识中查询浏览器进程的父进程标识,如果查询到浏览器进程的父进程标识,则确定所述父进程对应于可视化窗口;如果没有查询到浏览器进程的父进程标识,则确定所述父进程不对应于可视化窗口。
本实施例的基于云安全拦截广告程序的装置还包括:处理模块540,适于根据检测结果对浏览器进程的创建行为进行处理。
可选地,处理模块540可以包括:第一拦截模块5402,适于对于不对应于可视化窗口的父进程创建浏览器进程的行为,给出风险提示信息,并按照用户根据风险提示信息的选择对所述浏览器进程的创建行为进行拦截。
处理模块540对进程创建行为的拦截可以按如下方式实现。通常,一个进程的创建过程如下:打开要被执行的文件映像,创建执行进程对象,创建初始线程及堆栈及上下文,通知Windows子系统有关进程的信息,开始初始线程的执行,执行新进程上下文中的进程初始化。因此,处理模块540可以在其中任意一个步骤拦截其所必须调用的API函数,达到拦截进程创建的目的。例如,处理模块540在开始初始线程的步骤执行之前,对系统服务调度表中的Native API函数ZwCreateProcess的拦截。
处理模块540向用户提供风险提示信息可以为:在桌面指定区域弹出消息窗口,将获取模块520获取的父进程信息,如进程名称,进程路径,相应的可执行文件名称等展示给用户,供用户分析以做出决定,处理模块540还可以根据现有的统计结果,给出进程及相应的应用程序的危险等级、安全评分等信息并向用户提供相应的建议。
可选地,处理模块540也可以包括:第一云查询接口模块5404,适于在预置的本地进程白名单中查询不对应于可视化窗口的父进程的进程信息;第一执行模块5406,适于如果第一云查询接口模块5404的查询结果为查询成功,则允许所述父进程创建浏览器进程的行为;否则,将所述父进程的进程信息上传至服务器,以供服务器通过云查询获知父进程是否属于服务器保存的进程黑名单,并从服务器接收查询结果;以及,第二拦截模块5408,适于如果查询结果指示所述父进程属于所述进程黑名单,给出风险提示信息,并 按照用户根据风险提示信息的选择对所述浏览器进程的创建行为进行拦截。。
例如,第一云查询接口模块5404将检测模块530检测到的可疑进程的进程信息上传至服务器,服务器根据进程信息对相应的可执行文件或应用程序进行杀毒分析,例如传统的特征码匹配方式,或者采用主动防御的方法,分析应用程序包含的行为特点。找出特征码与病毒库,或恶意程序相匹配的应用程序,或行为动作触发预设安全规则的应用程序,将相应的进程信息加入到进程黑名单中。
服务器上的黑名单也可以通过人工运营的方式产生,服务器端定期对来自客户端的病毒或恶意程序数据进行统计,对使用数量排名靠前或者增长速度靠前或者危险性排名靠前的进程,通过分析其弹出网页的内容等方式判断其安全性,放入黑名单中。
可选地,本实施例的处理模块540也可以包括:页面URL提取模块5410、第二云查询接口模块5412和第三拦截模块5414。
其中:
页面URL提取模块5410,适于对于不对应于可视化窗口的父进程,获取父进程创建的浏览器进程所要访问的页面URL。
页面URL提取模块570获取URL的一种可能方式是通过浏览器中提供的插件机制,例如,在IE浏览器中,页面URL提取模块5410通过响应“BeforeNavigate2”事件获取IE当前加载的URL,在火狐(Firefox)浏览器中页面URL提取模块5410使用火狐扩展机制提供的指定响应事件接口,获取火狐浏览器当前加载的URL。在谷歌(chrome)浏览器中使用网景插件应用程序编程接口(Netscape Plugin Application Programming Interface,简称:NPAPI)插件机制,获取谷歌浏览器当前加载的URL。
第二云查询接口模块5412适于将页面URL提取模块570所获取的页面URL打包成密文后上传至服务器,以供服务器通过云查询获知页面URL是否属于服务器保存的URL黑名单或白名单,并从服务器接收查询结果。
第三拦截模块5414适于如果查询结果指示所述页面URL属于所述URL 黑名单,给出风险提示信息,并按照用户根据风险提示信息的选择对所述浏览器进程的创建行为进行拦截。
需要说明的是,上述多种处理模块的功能实现可以合并设置,也可以单独设置或者选择其中部分设置。同样,上述处理模块中的多个拦截模块可以单独设置实现各自的拦截功能,也可以合并设置实现多种对应的拦截功能。此外,上述处理模块中的第一云查询接口模块和第二云查询接口模块可以单独设置也可以合并设置,以实现相应的功能。
本实施例的基于云安全拦截广告程序的装置用于实现前述多个方法实施例中相应的基于云安全拦截广告程序的方法,并具有相应的方法实施例的有益效果,在此不再赘述。
图7示出了本发明另一实施例提供的基于云安全拦截广告程序的系统,如图7所示,该系统包括上一实施例中的基于云安全拦截广告程序的装置,还包括:向该装置提供云查询服务的服务器。
根据本发明上述实施例提供的装置和系统,监控模块通过捕获创建进程所必须的API函数实现对浏览器进程创建行为的监控,找到发起该创建请求的父进程,获取模块获取该父进程的进程信息,其中包括进程标识,遍历模块遍历全部的可视化窗口并获取每个可视化窗口对应进程的进程标识,查询模块在全部的可视化窗口的进程标识中查询浏览器进程的父进程标识,以此来判断浏览器进程的创建行为是否为用户的主动选择,对于非用户主动选择的可疑进程,处理模块通过相应的拦截模块给出风险提示信息,或者进一步地,通过相应的云查询接口模块将进程信息和/或待访问页面的URL发送至服务器,通过云端的进程黑白名单和/或URL黑白名单确认。根据该方案,可以有效拦截隐藏窗口的后台进程未经用户同意而弹出广告、游戏、购物、钓鱼网站等浏览器页面的干扰或威胁,并且,通过云查询的方式,降低了对恶意程序行为和安全行为误判的概率,进一步提高系统的安全性和用户的操作体验。
在此提供的算法和显示不与任何特定计算机、虚拟系统或者其它设备固有相关。各种通用系统也可以与基于在此的示教一起使用。根据上面的描述, 构造这类系统所要求的结构是显而易见的。此外,本发明也不针对任何特定编程语言。应当明白,可以利用各种编程语言实现在此描述的本发明的内容,并且上面对特定语言所做的描述是为了披露本发明的最佳实施方式。
在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本发明的实施例可以在没有这些具体细节的情况下实践。在一些实例中,并未详细示出公知的方法、结构和技术,以便不模糊对本说明书的理解。
类似地,应当理解,为了精简本公开并帮助理解各个发明方面中的一个或多个,在上面对本发明的示例性实施例的描述中,本发明的各个特征有时被一起分组到单个实施例、图、或者对其的描述中。然而,并不应将该公开的方法解释成反映如下意图:即所要求保护的本发明要求比在每个权利要求中所明确记载的特征更多的特征。更确切地说,如下面的权利要求书所反映的那样,发明方面在于少于前面公开的单个实施例的所有特征。因此,遵循具体实施方式的权利要求书由此明确地并入该具体实施方式,其中每个权利要求本身都作为本发明的单独实施例。
本领域那些技术人员可以理解,可以对实施例中的设备中的模块进行自适应性地改变并且把它们设置在与该实施例不同的一个或多个设备中。可以把实施例中的模块或单元或组件组合成一个模块或单元或组件,以及此外可以把它们分成多个子模块或子单元或子组件。除了这样的特征和/或过程或者单元中的至少一些是相互排斥之外,可以采用任何组合对本说明书(包括伴随的权利要求、摘要和附图)中公开的所有特征以及如此公开的任何方法或者设备的所有过程或单元进行组合。除非另外明确陈述,本说明书(包括伴随的权利要求、摘要和附图)中公开的每个特征可以由提供相同、等同或相似目的的替代特征来代替。
此外,本领域的技术人员能够理解,尽管在此所述的一些实施例包括其它实施例中所包括的某些特征而不是其它特征,但是不同实施例的特征的组合意味着处于本发明的范围之内并且形成不同的实施例。例如,在下面的权利要求书中,所要求保护的实施例的任意之一都可以以任意的组合方式来使用。
本发明的各个部件实施例可以以硬件实现,或者以在一个或者多个处理器上运行的程序模块实现,或者以它们的组合实现。本领域的技术人员应当理解,可以在实践中使用微处理器或者数字信号处理器(DSP)来实现根据本 发明实施例的基于云安全拦截广告程序的装置和系统中的一些或者全部部件的一些或者全部功能。本发明还可以实现为用于执行这里所描述的方法的一部分或者全部的设备或者装置程序(例如,计算机程序和计算机程序产品)。这样的实现本发明的程序可以存储在计算机可读介质上,或者可以具有一个或者多个信号的形式。这样的信号可以从因特网网站上下载得到,或者在载体信号上提供,或者以任何其他形式提供。
例如,图8示出了可以实现根据本发明的基于云安全拦截广告程序的方法的电子设备,例如客户端设备。该客户端设备传统上包括处理器610和以存储器620形式的计算机程序产品或者计算机可读介质。存储器620可以是诸如闪存、EEPROM(电可擦除可编程只读存储器)、EPROM、硬盘或者ROM之类的电子存储器。存储器620具有用于执行上述方法中的任何方法步骤的程序代码631的存储空间630。例如,用于程序代码的存储空间630可以包括分别用于实现上面的方法中的各种步骤的各个程序代码631。这些程序代码可以从一个或者多个计算机程序产品中读出或者写入到这一个或者多个计算机程序产品中。这些计算机程序产品包括诸如硬盘,紧致盘(CD)、存储卡或者软盘之类的程序代码载体。这样的计算机程序产品通常为如参考图9所述的便携式或者固定存储单元。该存储单元可以具有与图8的电子设备中的存储器620类似布置的存储段、存储空间等。程序代码可以例如以适当形式进行压缩。通常,存储单元包括计算机可读代码631’,即可以由例如诸如610之类的处理器读取的代码,这些代码当由电子设备运行时,导致该电子设备执行上面所描述的方法中的各个步骤。
本文中所称的“一个实施例”、“实施例”或者“一个或者多个实施例”意味着,结合实施例描述的特定特征、结构或者特性包括在本发明的至少一个实施例中。此外,请注意,这里“在一个实施例中”的词语例子不一定全指同一个实施例。
在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本发明的实施例可以在没有这些具体细节的情况下被实践。在一些实例中,并未详细示出公知的方法、结构和技术,以便不模糊对本说明书的理解。
应该注意的是上述实施例对本发明进行说明而不是对本发明进行限制,并且本领域技术人员在不脱离所附权利要求的范围的情况下可设计出替换实施 例。在权利要求中,不应将位于括号之间的任何参考符号构造成对权利要求的限制。单词“包含”不排除存在未列在权利要求中的元件或步骤。位于元件之前的单词“一”或“一个”不排除存在多个这样的元件。本发明可以借助于包括有若干不同元件的硬件以及借助于适当编程的计算机来实现。在列举了若干装置的单元权利要求中,这些装置中的若干个可以是通过同一个硬件项来具体体现。单词第一、第二、以及第三等的使用不表示任何顺序。可将这些单词解释为名称。
此外,还应当注意,本说明书中使用的语言主要是为了可读性和教导的目的而选择的,而不是为了解释或者限定本发明的主题而选择的。因此,在不偏离所附权利要求书的范围和精神的情况下,对于本技术领域的普通技术人员来说许多修改和变更都是显而易见的。对于本发明的范围,对本发明所做的公开是说明性的,而非限制性的,本发明的范围由所附权利要求书限定。

Claims (13)

  1. 一种基于云安全拦截广告程序的方法,包括:
    监控浏览器进程的创建行为;
    当监测到浏览器进程的创建请求时,获取所述浏览器进程的父进程的信息;
    根据所述浏览器进程的父进程的信息,通过遍历全部的可视化窗口,检测所述父进程是否对应于可视化窗口;
    根据检测结果对所述浏览器进程的创建行为进行处理。
  2. 根据权利要求1所述的方法,其中,所述获取浏览器进程的父进程的信息的步骤包括:获取浏览器进程的父进程标识;
    所述通过遍历全部的可视化窗口,检测父进程是否对应于可视化窗口的步骤包括:
    遍历全部的可视化窗口并获取每个可视化窗口对应进程的进程标识;
    在全部的可视化窗口的进程标识中查询所述浏览器进程的父进程标识,如果查询到所述浏览器进程的父进程标识,则确定所述父进程对应于可视化窗口;如果没有查询到所述浏览器进程的父进程标识,则确定所述父进程不对应于可视化窗口。
  3. 根据权利要求1或2所述的方法,其中,所述根据检测结果对浏览器进程的创建行为进行处理的步骤包括:
    对于不对应于可视化窗口的父进程创建浏览器进程的行为,给出风险提示信息,并按照用户根据所述风险提示信息的选择对所述浏览器进程的创建行为进行拦截。
  4. 根据权利要求1或2所述的方法,其中,所述根据检测结果对浏览器进程的创建行为进行处理的步骤包括:
    在预置的本地进程白名单中查询所述不对应于可视化窗口的父进程的进程信息,如果查询成功,允许所述父进程创建浏览器进程的行为;
    否则,将所述父进程的进程信息上传至服务器,以供所述服务器通过云查询获知所述父进程是否属于服务器保存的进程黑名单,并从服务器接收查询结果;
    如果查询结果指示所述父进程属于所述进程黑名单,给出风险提示信息,并按照用户根据所述风险提示信息的选择对所述浏览器进程的创建行为进行拦截。
  5. 根据权利要求1或2所述的方法,其中,所述根据检测结果对浏览器进程的创建行为进行处理的步骤包括:
    对于不对应于可视化窗口的父进程,获取所述父进程创建的浏览器进程所要访问的页面URL,将该页面URL打包成密文后上传至服务器,以供服务器通过云查询获知所述页面URL是否属于服务器保存的URL黑名单或白名单,并从服务器接收查询结果;
    如果查询结果指示所述页面URL属于所述URL黑名单,给出风险提示信息,并按照用户根据所述风险提示信息的选择对所述浏览器进程的创建行为进行拦截。
  6. 一种基于云安全拦截广告程序的装置,包括:
    监控模块,适于监控浏览器进程的创建行为;
    获取模块,适于当所述监控模块监测到浏览器进程的创建请求时,获取所述浏览器进程的父进程的信息;
    检测模块,适于根据所述浏览器进程的父进程的信息,通过遍历全部的可视化窗口,检测所述父进程是否对应于可视化窗口;
    处理模块,适于根据检测结果对所述浏览器进程的创建行为进行处理。
  7. 根据权利要求6所述的装置,其中,所述获取模块,适于当所述监控模块监测到浏览器进程的创建请求时,获取浏览器进程的父进程标识;
    所述检测模块包括:
    遍历模块,适于遍历全部的可视化窗口并获取每个可视化窗口对应进程的进程标识;
    查询模块,适于在全部的可视化窗口的进程标识中查询所述浏览器进程的父进程标识,如果查询到所述浏览器进程的父进程标识,则确定所述父进程对应于可视化窗口;如果没有查询到所述浏览器进程的父进程标识,则确定所述父进程不对应于可视化窗口。
  8. 根据权利要求6或7所述的装置,其中,所述处理模块包括:第一拦截模块,适于对于不对应于可视化窗口的父进程创建浏览器进程的行为,给出风险提示信息,并按照用户根据所述风险提示信息的选择对所述浏览器进程的创建行为进行拦截。
  9. 根据权利要求6或7所述的装置,其中,所述处理模块包括:
    第一云查询接口模块,适于在预置的本地进程白名单中查询不对应于可视化窗口的父进程的进程信息;
    第一执行模块,适于如果所述第一云查询接口模块的查询结果为查询成功,则允许所述父进程创建浏览器进程的行为;否则,将所述父进程的进程信息上传至服务器,以供所述服务器通过云查询获知所述父进程是否属于服务器保存的进程黑名单,并从服务器接收查询结果;
    第二拦截模块,适于如果查询结果指示所述父进程属于所述进程黑名单,给出风险提示信息,并按照用户根据所述风险提示信息的选择对所述浏览器进程的创建行为进行拦截。
  10. 根据权利要求6或7所述的装置,其中,所述处理模块包括:
    页面URL提取模块,适于对于不对应于可视化窗口的父进程,获取所述父进程创建的浏览器进程所要访问的页面URL;
    第二云查询接口模块,适于将所述页面URL提取模块所获取的页面URL打包成密文后上传至服务器,以供服务器通过云查询获知所述页面URL是否属于服务器保存的URL黑名单或白名单,并从服务器接收查询结果;
    第三拦截模块,适于如果查询结果指示所述页面URL属于所述URL黑名单,给出风险提示信息,并按照用户根据所述风险提示信息的选择对所述浏览器进程的创建行为进行拦截。
  11. 一种基于云安全拦截广告程序的系统,包括权利要求6-10任一项所 述的基于云安全拦截广告程序的装置,还包括:向所述装置提供云查询服务的服务器。
  12. 一种计算机程序,包括计算机可读代码,当所述计算机可读代码在电子设备上运行时,导致所述电子设备执行根据权利要求1-5中的任一个所述的基于云安全拦截广告程序的方法。
  13. 一种计算机可读介质,其中存储了如权利要求12所述的计算机程序。
PCT/CN2014/093286 2013-12-06 2014-12-08 基于云安全拦截广告程序的方法、装置和系统 WO2015081900A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310656591.3 2013-12-06
CN201310656591.3A CN103617395B (zh) 2013-12-06 2013-12-06 一种基于云安全拦截广告程序的方法、装置和系统

Publications (1)

Publication Number Publication Date
WO2015081900A1 true WO2015081900A1 (zh) 2015-06-11

Family

ID=50168098

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/093286 WO2015081900A1 (zh) 2013-12-06 2014-12-08 基于云安全拦截广告程序的方法、装置和系统

Country Status (2)

Country Link
CN (1) CN103617395B (zh)
WO (1) WO2015081900A1 (zh)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111444508A (zh) * 2018-12-27 2020-07-24 北京奇虎科技有限公司 基于虚拟机实现的cpu漏洞检测装置及方法
CN114071213A (zh) * 2021-11-15 2022-02-18 深圳小湃科技有限公司 机顶盒弹框拦截方法、设备及存储介质
CN114782942A (zh) * 2022-04-29 2022-07-22 深圳市致远优学教育科技有限公司 一种风险内容显示检测方法

Families Citing this family (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103617395B (zh) * 2013-12-06 2017-01-18 北京奇虎科技有限公司 一种基于云安全拦截广告程序的方法、装置和系统
CN103902292B (zh) * 2014-03-27 2017-08-01 广东欧珀移动通信有限公司 显示窗口的屏蔽方法和系统
CN104036014B (zh) * 2014-06-24 2020-06-26 腾讯科技(深圳)有限公司 一种网页过滤方法及终端
CN104102743B (zh) * 2014-07-31 2017-11-03 可牛网络技术(北京)有限公司 一种过滤网页广告的方法及装置
CN104239794B (zh) * 2014-09-10 2017-08-25 广东欧珀移动通信有限公司 一种拦截应用恶意打开浏览器的方法及装置
CN104268193B (zh) * 2014-09-19 2017-12-29 北京金山安全软件有限公司 一种广告网页的拦截方法及装置
CN104468551B (zh) * 2014-11-28 2016-06-15 北京奇虎科技有限公司 一种基于广告拦截节省流量的方法及装置
CN104363247A (zh) * 2014-11-28 2015-02-18 北京奇虎科技有限公司 一种具有免节省应用的节省流量方法及装置
CN104539584B (zh) * 2014-12-05 2018-01-19 北京奇虎科技有限公司 浏览器防注入方法、浏览器客户端和装置
CN105791221B (zh) * 2014-12-22 2020-06-05 北京奇虎科技有限公司 规则下发方法及装置
CN104615491B (zh) * 2015-02-13 2018-04-27 联想(北京)有限公司 一种消息处理方法及电子设备
CN104881291B (zh) * 2015-06-03 2018-05-25 北京金山安全软件有限公司 默认浏览器的控制方法、装置及终端
CN105117258A (zh) * 2015-09-07 2015-12-02 青岛海信移动通信技术股份有限公司 一种应用程序卸载的方法及装置
CN105243632A (zh) * 2015-10-26 2016-01-13 深圳荣亚物联科技有限公司 基于云管理空气污染监控系统及方法
CN106897618A (zh) * 2015-12-21 2017-06-27 珠海市君天电子科技有限公司 一种网页访问方法及装置
CN106909262A (zh) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 一种数据处理方法和装置
CN106909544A (zh) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 一种数据处理方法和装置
CN106909546A (zh) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 一种数据处理方法和装置
CN105787302B (zh) * 2016-02-23 2019-05-17 珠海豹趣科技有限公司 一种应用程序的处理方法、装置及电子设备
CN107729753A (zh) * 2017-09-22 2018-02-23 郑州云海信息技术有限公司 一种计算机未知病毒的防御方法及系统
CN109815700B (zh) * 2018-12-29 2021-10-01 360企业安全技术(珠海)有限公司 应用程序的处理方法及装置、存储介质、计算机设备
CN109992386B (zh) * 2019-03-31 2021-10-22 联想(北京)有限公司 一种信息处理方法和电子设备
CN111597554A (zh) * 2020-05-07 2020-08-28 上海二三四五网络科技有限公司 一种基于浏览器对可疑软件进行检测的控制方法及装置
CN112083974B (zh) * 2020-09-18 2024-08-20 珠海豹趣科技有限公司 一种广告窗口关闭方法、装置及电子设备
CN112800337B (zh) * 2021-02-08 2024-07-23 联想(北京)有限公司 一种信息处理方法、装置、电子设备和计算机存储介质
CN117762889B (zh) * 2024-02-20 2024-04-19 成都融见软件科技有限公司 同文件多窗口状态同步方法、电子设备和介质

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1925494A (zh) * 2006-09-28 2007-03-07 北京理工大学 一种基于行为特征的网页木马检测方法
CN101350053A (zh) * 2007-10-15 2009-01-21 北京瑞星国际软件有限公司 防止网页浏览器被漏洞利用的方法和装置
CN103077353A (zh) * 2013-01-24 2013-05-01 北京奇虎科技有限公司 主动防御恶意程序的方法和装置
CN103279707A (zh) * 2013-06-08 2013-09-04 北京奇虎科技有限公司 一种用于主动防御恶意程序的方法、设备及系统
CN103617395A (zh) * 2013-12-06 2014-03-05 北京奇虎科技有限公司 一种基于云安全拦截广告程序的方法、装置和系统

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932329B (zh) * 2012-09-26 2016-03-30 北京奇虎科技有限公司 一种对程序的行为进行拦截的方法、装置和客户端设备
CN103034727A (zh) * 2012-12-19 2013-04-10 北京奇虎科技有限公司 对网页中的弹窗进行拦截处理的系统
CN103150513B (zh) * 2013-03-20 2015-12-09 北京奇虎科技有限公司 拦截应用程序中的植入信息的方法及装置

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1925494A (zh) * 2006-09-28 2007-03-07 北京理工大学 一种基于行为特征的网页木马检测方法
CN101350053A (zh) * 2007-10-15 2009-01-21 北京瑞星国际软件有限公司 防止网页浏览器被漏洞利用的方法和装置
CN103077353A (zh) * 2013-01-24 2013-05-01 北京奇虎科技有限公司 主动防御恶意程序的方法和装置
CN103279707A (zh) * 2013-06-08 2013-09-04 北京奇虎科技有限公司 一种用于主动防御恶意程序的方法、设备及系统
CN103617395A (zh) * 2013-12-06 2014-03-05 北京奇虎科技有限公司 一种基于云安全拦截广告程序的方法、装置和系统

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111444508A (zh) * 2018-12-27 2020-07-24 北京奇虎科技有限公司 基于虚拟机实现的cpu漏洞检测装置及方法
CN114071213A (zh) * 2021-11-15 2022-02-18 深圳小湃科技有限公司 机顶盒弹框拦截方法、设备及存储介质
CN114782942A (zh) * 2022-04-29 2022-07-22 深圳市致远优学教育科技有限公司 一种风险内容显示检测方法
CN114782942B (zh) * 2022-04-29 2024-05-28 深圳市致远优学教育科技有限公司 一种风险内容显示检测方法

Also Published As

Publication number Publication date
CN103617395A (zh) 2014-03-05
CN103617395B (zh) 2017-01-18

Similar Documents

Publication Publication Date Title
WO2015081900A1 (zh) 基于云安全拦截广告程序的方法、装置和系统
US11240262B1 (en) Malware detection verification and enhancement by coordinating endpoint and malware detection systems
US10872151B1 (en) System and method for triggering analysis of an object for malware in response to modification of that object
US10834107B1 (en) Launcher for setting analysis environment variations for malware detection
US10164993B2 (en) Distributed split browser content inspection and analysis
US10482260B1 (en) In-line filtering of insecure or unwanted mobile device software components or communications
US9306968B2 (en) Systems and methods for risk rating and pro-actively detecting malicious online ads
US9582668B2 (en) Quantifying the risks of applications for mobile devices
US10079854B1 (en) Client-side protective script to mitigate server loading
Liu et al. A novel approach for detecting browser-based silent miner
US9734332B2 (en) Behavior profiling for malware detection
US9509714B2 (en) Web page and web browser protection against malicious injections
US9438631B2 (en) Off-device anti-malware protection for mobile devices
US9336389B1 (en) Rapid malware inspection of mobile applications
US20180084003A1 (en) Method and system for injecting javascript into a web page
US20160224787A1 (en) Methods and systems for identifying potential enterprise software threats based on visual and non-visual data
US8176556B1 (en) Methods and systems for tracing web-based attacks
JP5752642B2 (ja) 監視装置および監視方法
Taylor et al. Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the-Wire.
JP6169497B2 (ja) 接続先情報判定装置、接続先情報判定方法、及びプログラム
US8266704B1 (en) Method and apparatus for securing sensitive data from misappropriation by malicious software
JP2017168146A (ja) 接続先情報判定装置、接続先情報判定方法、及びプログラム
JP5425980B2 (ja) バグ判定装置およびバグ判定方法

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14867770

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14867770

Country of ref document: EP

Kind code of ref document: A1