WO2016095671A1 - Method and device for processing application-based message - Google Patents

Method and device for processing application-based message Download PDF

Info

Publication number
WO2016095671A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
message
tag
feature
type
Prior art date
Application number
PCT/CN2015/095452
Other languages
French (fr)
Chinese (zh)
Inventor
张皓秋
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Priority date
Filing date
Publication date
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司
Publication of WO2016095671A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a message processing method for an application and a message processing device for the application.
  • Windows is a Message-driven system that provides a means of communicating between an application and an application, and between an application and a Windows system.
  • the functionality that the application is to implement is triggered by the message and is done by responding to and processing the message.
  • a system management program whose function is to delete arbitrary files has no problem in itself and can pass the certification of a security application. If a malicious program sends it a settext message that changes the path of the file to be deleted to the main program of the security application, and then sends a command message simulating a click on the "Shred" button, the main program of the security application may be deleted.
  • the present invention has been made in order to provide an application-based message processing method and a corresponding application-based message processing apparatus that overcome the above problems or at least partially solve or alleviate the above problems.
  • an application-based message processing apparatus comprising:
  • a detection module adapted to detect a message passed between applications, wherein the message has a type
  • a first determining module configured to determine whether the application that receives the message is a feature application
  • a second determining module configured to determine, when the application receiving the message is a feature application, whether the type of the message is a feature type
  • the security processing module is adapted to perform corresponding security processing when the type of the message is a feature type.
  • a computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform the application-based message processing method described above.
  • a computer readable medium wherein the computer program described above is stored.
  • the embodiment of the present invention detects messages passed between applications; when the application receiving a message is a feature application and the type of the message is a feature type, this can indicate that the application may have a message vulnerability and that the current message may exploit it, so corresponding security processing is required. By calling the corresponding processing method to perform security processing, layer-by-layer filtering is not needed, message processing is simple, the development threshold of applications is not raised, and protection of the application is achieved at the same time.
  • by dividing hazard levels and invoking different levels of security processing corresponding to the application tag, such as generating security prompt information, removing the security token and server-side detection, the embodiments of the present invention further ensure that security processing is quick and convenient and provide accurate and comprehensive protection for the application.
  • FIG. 1 is a schematic flow chart showing the steps of Embodiment 1 of an application-based message processing method according to an embodiment of the present invention
  • FIG. 2 is a schematic flow chart showing the steps of Embodiment 2 of an application-based message processing method according to an embodiment of the present invention
  • FIG. 3 is a block diagram schematically showing an embodiment of an application-based message processing apparatus according to an embodiment of the present invention
  • Figure 4 shows schematically a block diagram of a computing device for performing the method according to the invention
  • Fig. 5 schematically shows a storage unit for holding or carrying program code implementing the method according to the invention.
  • referring to FIG. 1, a flow chart of the steps of Embodiment 1 of an application-based message processing method according to an embodiment of the present invention is shown, which may specifically include the following steps:
  • Step 101 Detect a message delivered between applications, wherein the message has a type
  • Step 102 Determine whether an application that receives the message is a feature application.
  • Step 103 When the application receiving the message is a feature application, determine whether the type of the message is a feature type;
  • Step 104 When the type of the message is a feature type, perform corresponding security processing.
  • Embodiment 2 of the application-based message processing method may specifically include the following steps:
  • Step 201 When detecting that the application is started, extracting first feature information of the application;
  • the currently launched application may be triggered by the operation of the user.
  • the user may trigger the startup of the application by double-clicking its shortcut with the mouse; or the startup may be triggered by another application or service, for example, a security tool may be invoked to perform a security scan on a file when it is downloaded; the startup may also be triggered by other means, which is not limited in the embodiment of the present invention.
  • a system function provided by the operating system, such as PsSetCreateProcessNotifyRoutine, can be called to register a notification routine so that the operating system informs it of the start and exit of application processes.
  • hooking system functions and similar techniques can also be used to obtain the timing and details of the application's process start, which is not limited by the embodiment of the present invention.
  • the client can extract its first feature information when detecting the application launch, and the first feature information is used to detect whether the application is an application that needs to be protected.
  • the first feature information may be information that characterizes the currently started application, and may include the process name, the parent process name, the process file digest (Message-Digest Algorithm 5, MD5), the process file version information, a fuzzy hash, and so on.
  • Step 202 Send the first feature information to a server.
  • the application may have a message vulnerability
  • it is determined to be a feature application, that is, an application that may have a message vulnerability, and its second feature information is extracted and stored in the server's database for subsequent detection.
  • the message vulnerability may refer to a defect caused by a message, may be illegally used by other applications such as a malicious program, and pose a security risk to the current application, system, user data, and the like.
  • that the application itself is secure does not necessarily mean that its behavior is safe. It may exhibit unsafe behaviors caused by message vulnerabilities, such as connecting to the network or turning on the camera, which may be exploited by other malicious programs.
  • for example, a payment tool is itself secure and has a bank transfer function; a phishing program can send it a normal-looking message, the payment tool trusts the message and processes the corresponding transaction, and transfers the funds to the account of an illegitimate party, resulting in a loss to the user.
  • the client may send the first feature information to the server, and the server detects whether the current application is an application that needs to be protected.
  • Step 203 Receive an application label and a message type label returned by the server when determining that the first feature information matches the second feature information, where the second feature information is feature information of the feature application.
  • the server may receive the first feature information sent by the client, and may be matched with the second feature information that is collected in advance.
  • the second feature information may be information that represents the features of a feature application, and may include the process name, the parent process name, the process file digest (Message-Digest Algorithm 5, MD5), the process file version information, a fuzzy hash, and so on.
  • the currently launched application may be regarded as a feature application, that is, an application that may have a message vulnerability, and the application may be put at risk by other applications at runtime.
  • the use of messages of a specified type (that is, specified message types) may harm the performance of the device and personal privacy, and needs to be protected against.
  • a message of the command copydata type may instruct the application to copy data, and may be exploited by a malicious program to steal important data such as an account number and a password.
  • a settext type message can instruct the application to set textual information that may be exploited by a malicious program to delete a local security tool.
  • applications with message vulnerabilities are divided into one or more hazard levels. For example, an application whose message vulnerability can completely remove other applications is at the first level, an application whose message vulnerability can modify other applications is at the second level, and an application whose message vulnerability can temporarily shut down other applications is at the third level.
  • Each hazard level can be configured with a corresponding application tag and a message type tag configured for the specified message type that needs to be monitored.
  • the server match confirms that the currently launched application is a feature application, and can return the application tag and message type tag that the currently launched application matches to the client.
  • the server can return msg1:1, 2, 3, msg2:4,5,6, msg3:7,8,9 to the client, where msg1, msg2 and msg3 can be application tags, and the comma-separated values following each colon can be message type tags.
  • the msg1 tag contains 1, 2, and 3, which can indicate that the three types of messages 1, 2, and 3 are monitored.
  • Step 204 Configure the application label to the application.
  • when the client receives the application tag returned by the server, the application tag may be configured for the application in order to implement its monitoring and protection.
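Worked example of Steps 201 to 204, added here as an illustration and not code from the patent or its applicant: a Python sketch of the client-side first feature information (process name, parent process name, MD5 of the process file, file version), a stand-in for the server's matching against pre-collected second feature information, and a parser for the tag response format the page shows (msg1:1, 2, 3, msg2:4,5,6, msg3:7,8,9). The feature database, the image bytes, the matching rule (an MD5 hit, or the same process name and file version) and all function names are assumptions; the fuzzy hash the page also lists is omitted because the standard library has no ssdeep-style implementation.

```python
"""Feature extraction, server-side matching and tag parsing (Steps 201-204).

Added example, not the patent's own code. The feature database, the file bytes
and the matching rule below are constructed/assumed; a real client would read
the process image from disk and obtain the parent name from the OS.
"""
import hashlib
import re


def first_feature_info(process_name, parent_name, file_bytes, file_version):
    """Step 201: build the first feature information the page lists (process
    name, parent process name, MD5 of the process file, file version)."""
    return {
        "process_name": process_name.lower(),
        "parent_process_name": parent_name.lower(),
        "md5": hashlib.md5(file_bytes).hexdigest(),
        "file_version": file_version,
    }


# Constructed second feature information: records of feature applications
# collected in advance, each with the tag string the server returns on a match.
FEATURE_DB = [
    {
        "process_name": "filecrusher.exe",
        "md5": hashlib.md5(b"constructed filecrusher image").hexdigest(),
        "file_version": "1.0.0.0",
        "tags": "msg2:4,5,6",
    },
    {
        "process_name": "oldwallet.exe",
        "md5": hashlib.md5(b"constructed oldwallet image").hexdigest(),
        "file_version": "2.3.0.0",
        "tags": "msg1:1, 2, 3",
    },
]


def match_feature_application(info, db=FEATURE_DB):
    """Steps 202-203 (server side): match the first feature information
    against the second feature information. Assumed rule: an exact MD5 hit,
    or the same process name and file version, counts as a match and yields
    the tag string; an unknown application yields None."""
    for record in db:
        if info["md5"] == record["md5"]:
            return record["tags"]
        if (info["process_name"] == record["process_name"]
                and info["file_version"] == record["file_version"]):
            return record["tags"]
    return None


# One application tag, a colon, then comma-separated message type tags;
# several such groups may follow one another, as in the page's example.
_TAG_GROUP = re.compile(r"(\w+)\s*:\s*((?:\d+\s*,?\s*)+)")


def parse_tag_response(text):
    """Parse 'msg1:1, 2, 3, msg2:4,5,6, msg3:7,8,9' into
    {application_tag: set of message type tags}."""
    return {
        name: {int(n) for n in re.findall(r"\d+", numbers)}
        for name, numbers in _TAG_GROUP.findall(text)
    }


def configure_application(info, db=FEATURE_DB):
    """Steps 202-204 end to end: submit the feature info, receive the tags and
    attach them to the application record (no tags when the server does not
    recognise the application)."""
    response = match_feature_application(info, db)
    return {
        "process_name": info["process_name"],
        "application_tags": parse_tag_response(response) if response else {},
    }


if __name__ == "__main__":
    launched = first_feature_info("FileCrusher.exe", "explorer.exe",
                                  b"constructed filecrusher image", "1.0.0.0")
    print(configure_application(launched))
```

The name-plus-version fallback only ever grants an application more monitoring, never less, so a process that mimics a known feature application's name gains protection rather than escaping it; the MD5 branch is what identifies a renamed copy of a known binary.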
  • Step 205 detecting a message delivered between applications, wherein the message has a type
  • the message can be defined by a structure called MSG, including window handle (HWND), message ID (UINT), parameters (WPARAM, LPARAM), and so on.
  • HWND: window handle
  • UINT: message ID
  • WPARAM: first message parameter
  • LPARAM: second message parameter
  • An example of a message can be as follows:
  • the message itself is passed to the application as a record that contains the type of message and other information.
  • the message ID is the type identifier of the message, defined by the system or application, and the message ID is typed for the message.
  • in the above message structure, the message ID field holds the type of the message.
  • Messages can be sent by the Windows system or by the application itself.
  • the sending of the message can be implemented by a message function call.
  • PostMessage(), SendMessage() are commonly used, and some Post* or Send* functions are also used.
  • the caller of the message function can be an application that sends a message.
  • message functions such as PostMessage and SendMessage can be hooked, for example in the kernel, in order to detect the messages being passed.
  • Step 206 it is determined whether the application receiving the message has an application tag; if yes, step 207 is performed;
  • Step 207 Determine that the application that receives the message is a feature application.
  • if the application receiving the message has an application tag, this can indicate that the application receiving the message may have a message vulnerability.
  • Step 208 it is determined whether the type of the message matches the message type tag; if yes, step 209 is performed;
  • Step 209 Determine that the type of the message is a feature type.
  • the message may be considered to exploit the message vulnerability of the application receiving the message, which may be dangerous and requires secure processing.
  • Step 210 Perform corresponding security processing according to an application tag of an application that receives the message.
  • a corresponding security processing manner can be configured in advance for each dangerous level application.
  • the security process can be performed according to a preset security processing method.
  • step 210 may include the following sub-steps:
  • Sub-step S11 when the application tag of the application receiving the message is the first tag, a security alert message is generated for the application that receives the message and the application that sends the message.
  • the first tag identifies a lower risk level, and accordingly, the user may be prompted that other applications may be exploiting the message vulnerability of the current application.
  • step 210 may include the following sub-steps:
  • Sub-step S21 when the application tag of the application that receives the message is the second tag, the security token of the application that receives the message is removed.
  • the application may be scanned by a firewall, a security tool, or the like.
  • a security token may be configured for the application itself to indicate that the application itself is secure.
  • the second tag identifies a higher level of danger, and accordingly the security token of the current application can be removed to strengthen its monitoring.
  • step 210 may include the following sub-steps:
  • Sub-step S31 when the application tag of the application that receives the message is the third tag, the information of the application that receives the message, the information of the application that sends the message, and the message are sent to the server;
  • Sub-step S32 receiving information returned by the server, for an application that receives the message, information of an application that sends the message, and operation information of the message;
  • Sub-step S33 security processing is performed in accordance with the operation information.
  • the hazard level identified by the third tag is unknown and no corresponding security processing mode is set locally, so the information of the application that receives the message, the information of the application that sends the message and the message content are sent to the server; the server analyzes them on the basis of big data, analyzes the outcome of the majority of such behaviors, and returns operation information based on the analysis result.
  • for example, if the server's analysis finds that the current message may read the user's account password, which is highly dangerous, it may return a block (an example of freezing or locking behavior), and the client blocks the message accordingly.
  • the above security processing is only an example.
  • other security processing may be set according to actual conditions, for example, blacklisting the application that sent the message, or starting a virus scan.
  • the embodiment of the present invention does not limit this.
  • other security processes may be employed by those skilled in the art according to actual needs, and the embodiments of the present invention do not limit this.
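Worked example of Steps 205 to 210, added here as an illustration and not code from the patent or its applicant: a Python simulation of the decision logic that checks whether the receiving application carries an application tag (Steps 206 and 207), whether the message type matches that tag's message type tags (Steps 208 and 209), and then dispatches the first-, second- and third-tag handling of Step 210. The message records, the tag registry left by Step 204, the security token store, the mock server verdict and all names are constructed; the WM_SETTEXT, WM_COPYDATA and WM_COMMAND values are the real Windows message identifiers for the settext, copydata and command messages the page mentions. The hook on PostMessage/SendMessage that would supply real messages is not implemented.

```python
"""Message detection and tag-driven security processing (Steps 205-210).

Added example, not the patent's own code. A real client would obtain the
messages from a hook on PostMessage/SendMessage; here the intercepted messages,
the tag registry produced by Step 204, the security token store and the server
verdict are all constructed stand-ins.
"""
from dataclasses import dataclass

# Windows message identifiers for the message kinds the page names.
WM_SETTEXT = 0x000C
WM_COPYDATA = 0x004A
WM_COMMAND = 0x0111


@dataclass
class Message:
    """The MSG fields that matter here (HWND owner, message ID, parameters) plus the sender."""
    sender: str      # application that called PostMessage/SendMessage
    receiver: str    # application owning the target window (HWND)
    msg_id: int      # UINT message ID, i.e. the message's type
    wparam: int = 0
    lparam: int = 0


# Constructed registry as left by Step 204: receiver -> {application tag: monitored types}.
TAG_REGISTRY = {
    "filecrusher.exe": {"msg1": {WM_SETTEXT, WM_COMMAND}},    # first tag: lower risk
    "wallet.exe": {"msg2": {WM_COPYDATA}},                    # second tag: higher risk
    "legacyadmin.exe": {"msg3": {WM_SETTEXT, WM_COPYDATA}},   # third tag: risk unknown locally
}


def mock_server_verdict(receiver, sender, msg):
    """Stand-in for Sub-steps S31-S32. Assumed server policy: a copydata
    message into an application of unknown risk is blocked, anything else allowed."""
    return "block" if msg.msg_id == WM_COPYDATA else "allow"


def is_feature_application(receiver, registry):
    """Steps 206-207: the receiver is a feature application iff it carries an application tag."""
    return receiver in registry


def feature_type_tag(msg, registry):
    """Steps 208-209: the application tag whose message type tags include this
    message's type, or None when the type is not a feature type."""
    for app_tag, types in registry.get(msg.receiver, {}).items():
        if msg.msg_id in types:
            return app_tag
    return None


def process_message(msg, registry, tokens, server=mock_server_verdict):
    """Step 210: perform security processing according to the application tag.
    `tokens` is the set of applications currently holding a security token and
    is updated in place for the second tag."""
    if not is_feature_application(msg.receiver, registry):
        return {"action": "pass", "reason": "receiver is not a feature application"}
    tag = feature_type_tag(msg, registry)
    if tag is None:
        return {"action": "pass", "reason": "message type is not a feature type"}
    if tag == "msg1":  # Sub-step S11: prompt about both applications involved
        return {"action": "alert",
                "prompt": f"{msg.sender} may be exploiting a message vulnerability "
                          f"in {msg.receiver} (message 0x{msg.msg_id:04X})"}
    if tag == "msg2":  # Sub-step S21: strip the receiver's security token
        tokens.discard(msg.receiver)
        return {"action": "remove_token", "receiver": msg.receiver}
    # Sub-steps S31-S33: no local rule, send the details to the server and obey its verdict
    verdict = server(msg.receiver, msg.sender, msg)
    return {"action": verdict, "reason": "server operation information"}


def run_demo():
    """Run constructed messages through the pipeline; returns the actions taken and the token store."""
    tokens = {"filecrusher.exe", "wallet.exe"}
    intercepted = [
        Message("notepad.exe", "calc.exe", WM_SETTEXT),           # untagged receiver
        Message("untrusted.exe", "filecrusher.exe", WM_SETTEXT),  # first tag, monitored type
        Message("untrusted.exe", "filecrusher.exe", WM_COPYDATA), # first tag, type not monitored
        Message("untrusted.exe", "wallet.exe", WM_COPYDATA),      # second tag: token removed
        Message("untrusted.exe", "legacyadmin.exe", WM_COPYDATA), # third tag: server blocks
        Message("untrusted.exe", "legacyadmin.exe", WM_SETTEXT),  # third tag: server allows
    ]
    actions = [process_message(m, TAG_REGISTRY, tokens)["action"] for m in intercepted]
    return actions, tokens


if __name__ == "__main__":
    for action in run_demo()[0]:
        print(action)
```

The order of the two checks is the point of the method: an untagged receiver is never consulted for its message types, and a tagged receiver only triggers processing for the types listed under its tag, so ordinary traffic to protected applications passes without the layer-by-layer filtering the background section objects to.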
  • referring to FIG. 3, a block diagram of an application-based message processing apparatus according to an embodiment of the present invention is shown, which may specifically include the following modules:
  • the detecting module 301 is adapted to detect a message delivered between applications, wherein the message has a type;
  • the first determining module 302 is adapted to determine whether the application that receives the message is a feature application
  • the second determining module 303 is adapted to determine, when the application receiving the message is a feature application, whether the type of the message is a feature type;
  • the security processing module 304 is adapted to perform corresponding security processing when the type of the message is a feature type.
  • An extracting module configured to extract first feature information of the application when detecting that the application is started
  • a sending module configured to send the first feature information to a server
  • a receiving module configured to receive an application tag and a message type tag returned by the server when determining that the first feature information matches the second feature information; the second feature information is feature information of the feature application;
  • a configuration module adapted to configure the application tag for the application.
  • the first determining module 302 is further adapted to:
  • the second determining module 303 is further configured to:
  • the security processing module 304 is further adapted to:
  • Corresponding security processing is performed in accordance with the application tag of the application that receives the message.
  • the security processing module 304 is further adapted to:
  • security prompt information is generated for the application that receives the message and the application that sends the message.
  • the security processing module 304 is further adapted to:
  • the security tag of the application receiving the message is removed.
  • the security processing module 304 is further adapted to:
  • the description is relatively simple, and for the relevant parts reference may be made to the description of the method embodiment.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • a microprocessor or digital signal processor may be used in practice to implement some or all of the functionality of some or all of the components of the application-based message processing device in accordance with embodiments of the present invention.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the present invention may be stored on a computer readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 4 illustrates an application-based message processing computing device, such as an application server, in accordance with the present invention.
  • the computing device conventionally includes a processor 410 and a computer program product or computer readable medium in the form of a memory 420.
  • the memory 420 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • the memory 420 has a storage space 430 that stores program code 431 for performing any of the method steps described above.
  • storage space 430 storing program code may include various program code 431 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such computer program products are typically portable or fixed storage units such as those shown in FIG.
  • the storage unit may have storage segments, storage spaces, and the like that are similarly arranged to memory 420 in the computing device of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit comprises computer readable code 431' for performing the steps of the method according to the invention, i.e. code that can be read by a processor such as 410 and which, when run by the computing device, causes the computing device to perform the various steps of the methods described above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A method and a device for processing an application-based message. The method comprises: detecting a message transmitted among applications, the message having a type (101); determining whether the application that receives the message is a characteristic application (102); determining, when the application that receives the message is the characteristic application, whether the message type is a characteristic type (103); and, when the message type is the characteristic type, performing corresponding security processing (104). By calling a corresponding processing method to perform security processing, layer-by-layer filtering is not required; processing a message is simple; the difficulty of application development is not increased, and protection of applications is achieved at the same time.

Description

Message processing method and device for an application

Technical field
The present invention relates to the field of communications technologies, and in particular to a message processing method for an application and a message processing device for an application.
Background
Windows is a message-driven system; Windows messages provide the means of communication between applications, and between an application and the Windows system. The functions an application implements are triggered by messages and carried out by responding to and processing those messages.
There are two kinds of message queues in Windows: the system message queue and the application message queue.
Many applications operate by means of messages; for example, some programs use messages of the "copydata" type to send code for execution, or perform specific operations in response to specific messages, and clicks on controls also depend on messages.
If an application has a message vulnerability and other malicious applications send it messages under a false identity, unexpected behaviour may result, posing a security risk to the running application.
For example, a system management program whose function is to delete arbitrary files has no problem in itself and can pass the certification of a security application. If a malicious program sends it a settext message that changes the path of the file to be deleted to the main program of the security application, and then sends a command message simulating a click on the "Shred" button, the main program of the security application may be deleted.
If such applications with message vulnerabilities are not trusted and all messages are filtered, the operating system becomes slower and a cumbersome message mechanism must be used, which raises the programming threshold.
But without protection, message-driven applications with vulnerabilities may be exploited, and security is low.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide an application-based message processing method and a corresponding application-based message processing device that overcome the above problems or at least partially solve or alleviate them.
According to one aspect of the present invention, an application-based message processing method is provided, comprising the steps of:
detecting messages passed between applications, wherein the messages have a type;
determining whether the application receiving the message is a feature application;
when the application receiving the message is a feature application, determining whether the type of the message is a feature type; and
when the type of the message is a feature type, performing corresponding security processing.
According to another aspect of the present invention, an application-based message processing device is provided, comprising:
a detection module, adapted to detect messages passed between applications, wherein the messages have a type;
a first determining module, adapted to determine whether the application receiving the message is a feature application;
a second determining module, adapted to determine, when the application receiving the message is a feature application, whether the type of the message is a feature type; and
a security processing module, adapted to perform corresponding security processing when the type of the message is a feature type.
According to yet another aspect of the present invention, a computer program is provided, comprising computer readable code which, when run on a computing device, causes the computing device to perform the application-based message processing method described above.
According to a further aspect of the present invention, a computer readable medium is provided, in which the above computer program is stored.
The beneficial effects of the invention are:
The embodiment of the present invention detects messages passed between applications; when the application receiving a message is a feature application and the type of the message is a feature type, this can indicate that the application may have a message vulnerability and that the current message may exploit it, so corresponding security processing is required. By calling the corresponding processing method to perform security processing, layer-by-layer filtering is not needed, message processing is simple, the development threshold of applications is not raised, and protection of the application is achieved at the same time.
In the embodiment of the present invention, when the startup of an application is detected, the first feature information of the application is extracted, the application tag and message type tag returned by the server on determining that the first feature information matches the second feature information are received, and the application tag is configured for the application; this effectively ensures the security of the application at runtime, provides comprehensive security protection for the application, and allows it to start and run safely.
By dividing hazard levels and invoking different levels of security processing corresponding to the application tag, such as generating security prompt information, removing the security token and server-side detection, the embodiment of the present invention further ensures that security processing is quick and convenient and provides accurate and comprehensive protection for the application.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be more apparent and comprehensible, specific embodiments of the present invention are set out below.
DESCRIPTION OF THE DRAWINGS
Various other advantages and benefits will become apparent to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be construed as limiting the invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:
FIG. 1 schematically shows a flow chart of the steps of Embodiment 1 of an application-based message processing method according to one embodiment of the present invention;
FIG. 2 schematically shows a flow chart of the steps of Embodiment 2 of an application-based message processing method according to one embodiment of the present invention;
FIG. 3 schematically shows a block diagram of an embodiment of an application-based message processing apparatus according to one embodiment of the present invention;
FIG. 4 schematically shows a block diagram of a computing device for performing the method according to the present invention; and
FIG. 5 schematically shows a storage unit for holding or carrying program code implementing the method according to the present invention.
SPECIFIC EMBODIMENTS
The present invention is further described below in conjunction with the drawings and specific embodiments.
Referring to FIG. 1, a flow chart of the steps of Embodiment 1 of an application-based message processing method according to one embodiment of the present invention is shown, which may specifically include the following steps:
Step 101: detect a message passed between applications, wherein the message has a type;
Step 102: determine whether the application receiving the message is a feature application;
Step 103: when the application receiving the message is a feature application, determine whether the type of the message is a feature type; and
Step 104: when the type of the message is a feature type, perform the corresponding security processing.
Embodiments of the present invention detect messages passed between applications. When the application receiving a message is a feature application and the type of the message is a feature type, this may indicate that the application has a message vulnerability and that the current message may exploit it, so corresponding security processing is needed. Security processing is performed by calling the corresponding handling method; no layer-by-layer filtering is required, message handling is simple, the development threshold for applications is not raised, and the application is protected at the same time.
Referring to FIG. 2, a flow chart of the steps of Embodiment 2 of an application-based message processing method according to one embodiment of the present invention is shown, which may specifically include the following steps:
Step 201: when application start-up is detected, extract first feature information of the application;
In embodiments of the present invention, the application being started may be triggered by a user action, for example the user double-clicking a shortcut with the mouse; it may also be triggered by another application or service, for example a download tool invoking a security tool to scan a file once the download has completed; or it may be triggered in other ways, which embodiments of the present invention do not limit.
In a specific implementation, a callback may be registered through a system function designated by the operating system, such as PsSetCreateProcessNotifyRoutine, so that the operating system notifies that callback and information about the application's process start, exit and similar events is obtained.
Of course, in embodiments of the present invention system functions such as CreateProcess may also be hooked to obtain the timing and information of the application's process start; embodiments of the present invention do not limit this.
When the client detects the application start-up, it may extract the application's first feature information, which is used to detect whether the application is one that needs protection.
The first feature information may be information characterizing the application being started, and may specifically include the process name, parent process name, process file digest (Message-Digest Algorithm 5, MD5), process file version information, fuzzy hash, and so on.
Step 202: send the first feature information to a server;
Applying embodiments of the present invention, different applications may be analyzed in advance; when the analysis shows that an application may have a message vulnerability, it is determined to be a feature application, that is, an application that may have a message vulnerability, and its second feature information is extracted and stored in the server's database for use in subsequent detection.
It should be noted that a message vulnerability may refer to a defect arising from message handling, which may be illegitimately exploited by other applications such as malicious programs and pose a security risk to the current application, the system, user data, and so on.
In many scenarios, the application itself being safe does not necessarily mean its behaviour is safe; it may exhibit unsafe behaviour triggered through a message vulnerability, such as connecting to the network or turning on the camera, and such behaviour may be exploited by other malicious programs.
For example, a payment tool may be safe and have a bank-transfer function; a phishing program can send it a normal-looking message, the payment tool trusts the message and carries out the corresponding business operation, transferring funds to an illegitimate account and causing the user a loss.
In embodiments of the present invention, the client may send the first feature information to the server, and the server detects whether the current application is one that needs protection.
Step 203: receive the application tag and message type tag returned by the server upon determining that the first feature information matches second feature information, where the second feature information is feature information of a feature application;
Upon receiving the first feature information sent by the client, the server may match it against second feature information collected in advance. The second feature information may be information characterizing a feature application, and may specifically include the process name, parent process name, process file digest (Message-Digest Algorithm 5, MD5), process file version information, fuzzy hash, and so on.
When the first feature information matches the second feature information, the application being started may be considered a feature application, that is, an application that may have a message vulnerability. At runtime it may be exploited by other applications through risky messages (that is, messages of designated types), which endangers the performance of the device and the user's privacy, so it needs to be protected.
For example, a message of the command Copydata type can instruct the application to copy data, and may be exploited by a malicious program to steal important data such as account names and passwords.
As another example, a message of the settext type can instruct the application to set text, and may be exploited by a malicious program to remove a local security tool.
In embodiments of the present invention, applications that may have message vulnerabilities may be divided into one or more danger levels according to the severity of the message vulnerability. For example, an application with a message vulnerability that allows other applications to be completely deleted belongs to the first level, an application with a message vulnerability that allows other applications to be modified belongs to the second level, and an application with a message vulnerability that allows other applications to be temporarily closed belongs to the third level.
Each danger level may be configured with a corresponding application tag, and a message type tag may be configured for each designated message type that needs to be monitored.
When the server's matching confirms that the application being started is a feature application, it may return to the client the application tag and message type tags matched for that application.
For example, the server may return msg1:1,2,3, msg2:4,5,6 and msg3:7,8,9 to the client, where msg1, msg2 and msg3 may be application tags, and the comma-separated values after each colon may be message type tags.
In this example the msg1 tag contains 1,2,3, which may indicate that messages of the three types 1, 2 and 3 are monitored.
Step 204: configure the application with the application tag;
In embodiments of the present invention, upon receiving the application tag returned by the server, the client may configure the application with that tag so as to monitor and protect it.
In embodiments of the present invention, when application start-up is detected, first feature information of the application is extracted, and the application tag and message type tag returned by the server upon determining that the first feature information matches the second feature information are received. Configuring the application with the application tag effectively ensures the application's security at runtime, provides the application with comprehensive security protection, and allows the application to start and run safely.
Step 205: detect a message passed between applications, wherein the message has a type;
A message may be defined by a structure named MSG, which includes the window handle (HWND), the message ID (UINT), parameters (WPARAM, LPARAM), and so on.
An example of a message may be as follows:
[Figures PCTCN2015095452-appb-000001 and PCTCN2015095452-appb-000002: message examples; images not reproduced]
In practice, the message itself is passed to the application as a record, and this record contains the type of the message as well as other information.
The message ID is the type identifier of the message and is defined by the system or by an application; the message ID divides messages into types, and the type in the message example above is message.
Messages may be sent by the Windows system or by the application itself.
Further, sending a message may be implemented by calling a message function; commonly used ones are PostMessage() and SendMessage(), and there are other Post* or Send* functions. The caller of the message function may be the application sending the message.
In embodiments of the present invention, message functions such as postmessage and sendmessage may be hooked in the kernel and dispatched to different handler functions according to the system service call ID, in order to intercept messages passed between applications.
Step 206: determine whether the application receiving the message has an application tag; if so, perform step 207;
Step 207: determine that the application receiving the message is a feature application.
If the application receiving the message has an application tag, this may indicate that the application receiving the message may have a message vulnerability.
Step 208: determine whether the type of the message matches the message type tag; if so, perform step 209;
Step 209: determine that the type of the message is a feature type.
If the type of the message matches the message type tag, the message may be considered as possibly exploiting a message vulnerability of the receiving application and possibly performing a dangerous action, so security processing is needed.
Step 210: perform the corresponding security processing according to the application tag of the application receiving the message.
Applying embodiments of the present invention, a corresponding security processing method may be configured in advance for the applications of each danger level. When the application tag corresponding to a danger level is detected, security processing may be performed according to the preset security processing method.
In an optional embodiment of the present invention, step 210 may include the following sub-step:
Sub-step S11: when the application tag of the application receiving the message is the first tag, generate security prompt information concerning the application receiving the message and the application sending the message.
In embodiments of the present invention, the danger level identified by the first tag is lower; accordingly, the user may be prompted that another application may be exploiting a message vulnerability of the current application.
For example, the prompt may read: "A program wants to modify the computer configuration. Allow?"
In an optional embodiment of the present invention, step 210 may include the following sub-step:
Sub-step S21: when the application tag of the application receiving the message is the second tag, remove the safe mark of the application receiving the message.
In embodiments of the present invention, applications may be security-scanned by a firewall, security tool or the like; when an application passes the security scan, a safe mark may be configured for it, indicating that the application itself is safe.
Generally, when an application has a safe mark, firewalls, security tools and the like consider it trusted and monitor it less frequently and less intensively, so as to reduce resource usage on the terminal.
The danger level identified by the second tag is higher; accordingly, the safe mark of the current application may be removed so as to strengthen monitoring of it.
In an optional embodiment of the present invention, step 210 may include the following sub-steps:
Sub-step S31: when the application tag of the application receiving the message is the third tag, send information about the application receiving the message, information about the application sending the message, and the message to the server;
Sub-step S32: receive the operation information returned by the server for the information about the application receiving the message, the information about the application sending the message, and the message;
Sub-step S33: perform security processing according to the operation information.
In embodiments of the present invention, the danger level identified by the third tag is unknown and no corresponding security processing method has been set locally in advance, so the information about the application receiving the message, the information about the application sending the message and the content of the message need to be sent to the server, which analyzes them on the basis of big data, analyzes the outcome of most such behaviour, and returns operation information according to the analysis result.
For example, when the server's analysis finds that the current message may read the user's account name and password and is therefore highly dangerous, it may return block (an example of a freezing or locking action), and the client blocks the message accordingly.
Of course, the above security processing is only an example; when implementing embodiments of the present invention, other security processing may be configured according to the actual situation, for example blacklisting the application sending the message or starting a virus scan, and embodiments of the present invention do not limit this. In addition to the security processing described above, those skilled in the art may also adopt other security processing according to actual needs, which embodiments of the present invention likewise do not limit.
By dividing applications into danger levels and invoking the security processing of different depths that corresponds to the application tag (generating a security prompt, removing the safe mark, server-side inspection), embodiments of the present invention further ensure that security processing is quick and convenient, and provide accurate, comprehensive protection for applications.
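The tag-based checks of steps 101 to 104 and steps 203 to 210, carried through as one added C example; this is not code from the patent or its assignee. It assumes a ';' between tags in the server reply (the page only shows the three tags listed), a plain unsigned message id standing in for the MSG structure, and that the tags named msg1, msg2 and msg3 are the first, second and third tags of sub-steps S11, S21 and S31. The reply and the message ids are constructed sample values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int msgid_t;   /* stands in for the MSG message ID (UINT); assumption */

#define MAX_LABELS 8
#define MAX_TYPES  16

/* One application tag with its monitored message types, e.g. "msg1:1,2,3". */
typedef struct { char name[16]; msgid_t types[MAX_TYPES]; int ntypes; } AppLabel;
typedef struct { AppLabel labels[MAX_LABELS]; int nlabels; } LabelTable;

/* Step 203: parse a reply such as "msg1:1,2,3;msg2:4,5,6;msg3:7,8,9" (';' between
 * tags is an assumption). Returns the number of tags parsed, or -1 when the reply
 * is malformed, so that a bad reply configures nothing. */
int parse_label_table(const char *reply, LabelTable *out)
{
    const char *p = reply;
    out->nlabels = 0;
    while (*p != '\0') {
        AppLabel *lab = &out->labels[out->nlabels];
        const char *colon = strchr(p, ':');
        size_t nlen;
        if (out->nlabels >= MAX_LABELS || colon == NULL) return -1;
        nlen = (size_t)(colon - p);
        if (nlen == 0 || nlen >= sizeof lab->name) return -1;
        memcpy(lab->name, p, nlen);
        lab->name[nlen] = '\0';
        lab->ntypes = 0;
        p = colon + 1;
        for (;;) {                               /* comma-separated type ids */
            char *end;
            unsigned long v = strtoul(p, &end, 10);
            if (end == p || lab->ntypes >= MAX_TYPES) return -1;
            lab->types[lab->ntypes++] = (msgid_t)v;
            p = end;
            if (*p == ',')  { p++; continue; }
            if (*p == ';')  { p++; break; }
            if (*p == '\0') break;
            return -1;                           /* unexpected character */
        }
        out->nlabels++;
    }
    return out->nlabels;
}

/* Step 204: the tag configured for an application, or NULL when the server
 * returned no tag for it (it is not a feature application). */
const AppLabel *find_label(const LabelTable *t, const char *name)
{
    for (int i = 0; i < t->nlabels; i++)
        if (strcmp(t->labels[i].name, name) == 0) return &t->labels[i];
    return NULL;
}

/* Security handling selected by the receiving application's tag (step 210). */
typedef enum {
    ACT_PASS,              /* no tag, or message type not monitored */
    ACT_PROMPT,            /* first tag: security prompt (sub-step S11) */
    ACT_REMOVE_SAFE_MARK,  /* second tag: drop the safe mark (sub-step S21) */
    ACT_ASK_SERVER         /* third tag: hand the details to the server (S31-S33) */
} Action;

/* Steps 206-210 (and 101-104): classify one intercepted message, given the
 * receiving application's tag (NULL if none) and the message id. */
Action classify_message(const AppLabel *label, msgid_t message)
{
    int monitored = 0;
    if (label == NULL) return ACT_PASS;                      /* step 206 */
    for (int i = 0; i < label->ntypes; i++)                  /* step 208 */
        if (label->types[i] == message) { monitored = 1; break; }
    if (!monitored) return ACT_PASS;
    if (strcmp(label->name, "msg1") == 0) return ACT_PROMPT;
    if (strcmp(label->name, "msg2") == 0) return ACT_REMOVE_SAFE_MARK;
    return ACT_ASK_SERVER;                                   /* unknown danger level */
}

/* Parse a reply, look up a tag and classify one message in a single call.
 * Returns the Action, or -1 when the reply cannot be parsed. */
int classify_reply(const char *reply, const char *tag, msgid_t message)
{
    LabelTable t;
    if (parse_label_table(reply, &t) < 0) return -1;
    return (int)classify_message(find_label(&t, tag), message);
}

int main(void)
{
    /* Constructed reply and message ids, not taken from any real system. */
    const char *reply = "msg1:1,2,3;msg2:4,5,6;msg3:7,8,9";
    static const char *names[] = { "pass", "prompt", "remove-safe-mark", "ask-server" };
    LabelTable t;
    if (parse_label_table(reply, &t) < 0) { puts("malformed reply"); return 1; }
    printf("msg1, id 2 -> %s\n", names[classify_message(find_label(&t, "msg1"), 2)]);
    printf("msg2, id 9 -> %s\n", names[classify_message(find_label(&t, "msg2"), 9)]);
    printf("msg3, id 8 -> %s\n", names[classify_message(find_label(&t, "msg3"), 8)]);
    printf("untagged, id 8 -> %s\n", names[classify_message(NULL, 8)]);
    return 0;
}
```

The parser rejects a reply it cannot fully consume rather than keeping a partial tag table, so a truncated or malformed reply leaves the application unconfigured instead of silently monitoring fewer message types than the server intended; the three-way dispatch in classify_message is where a client would wire in the prompt, the safe-mark removal and the server round trip.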
As to the method embodiments, for simplicity of description they are expressed as a series of combined actions, but those skilled in the art should be aware that the embodiments of the present invention are not limited by the order of actions described, since according to embodiments of the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Referring to FIG. 3, a block diagram of an embodiment of an application-based message processing apparatus according to one embodiment of the present invention is shown, which may specifically include the following modules:
a detection module 301, adapted to detect a message passed between applications, wherein the message has a type;
a first determination module 302, adapted to determine whether the application receiving the message is a feature application;
a second determination module 303, adapted to determine, when the application receiving the message is a feature application, whether the type of the message is a feature type; and
a security processing module 304, adapted to perform the corresponding security processing when the type of the message is a feature type.
In an optional embodiment of the present invention, the following modules may also be included:
an extraction module, adapted to extract first feature information of the application when application start-up is detected;
a sending module, adapted to send the first feature information to a server;
a receiving module, adapted to receive the application tag and message type tag returned by the server upon determining that the first feature information matches second feature information, where the second feature information is feature information of a feature application; and
a configuration module, adapted to configure the application with the application tag.
In an optional embodiment of the present invention, the first determination module 302 may further be adapted to:
determine whether the application receiving the message has an application tag; if so, determine that the application receiving the message is a feature application.
In an optional embodiment of the present invention, the second determination module 303 may further be adapted to:
determine whether the type of the message matches the message type tag; if so, determine that the type of the message is a feature type.
In an optional embodiment of the present invention, the security processing module 304 may further be adapted to:
perform the corresponding security processing according to the application tag of the application receiving the message.
In an optional embodiment of the present invention, the security processing module 304 may further be adapted to:
when the application tag of the application receiving the message is the first tag, generate security prompt information concerning the application receiving the message and the application sending the message.
In an optional embodiment of the present invention, the security processing module 304 may further be adapted to:
when the application tag of the application receiving the message is the second tag, remove the safe mark of the application receiving the message.
In an optional embodiment of the present invention, the security processing module 304 may further be adapted to:
when the application tag of the application receiving the message is the third tag, send information about the application receiving the message, information about the application sending the message, and the message to the server;
receive the operation information returned by the server for the information about the application receiving the message, the information about the application sending the message, and the message;
perform security processing according to the operation information.
As the apparatus embodiments are substantially similar to the method embodiments, they are described relatively briefly; for relevant details, refer to the description of the method embodiments.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the application-based message processing device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
For example, FIG. 4 shows a computing device, such as an application server, that may implement application-based message processing according to the present invention. The computing device conventionally includes a processor 410 and a computer program product or computer-readable medium in the form of a memory 420. The memory 420 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk, or ROM. The memory 420 has a storage space 430 storing program code 431 for performing any of the method steps described above. For example, the storage space 430 storing program code may include respective program code 431 for implementing the various steps of the above methods. This program code may be read from, or written to, one or more computer program products. These computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards or floppy disks. Such a computer program product is typically a portable or fixed storage unit such as that shown in FIG. 5. The storage unit may have storage segments, storage spaces and the like arranged similarly to the memory 420 in the computing device of FIG. 4. The program code may, for example, be compressed in a suitable form.
Typically, the storage unit comprises computer-readable code 431' for performing the method steps according to the present invention, that is, code that can be read by a processor such as 410 and that, when run by the computing device, causes the computing device to perform the various steps of the methods described above.
"One embodiment", "an embodiment" or "one or more embodiments" as used herein means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. In addition, note that instances of the phrase "in one embodiment" herein do not necessarily all refer to the same embodiment.
In the specification provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this specification.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.
Furthermore, it should be noted that the language used in this specification has been selected principally for readability and instructional purposes, and not to delineate or circumscribe the subject matter of the present invention. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. As to the scope of the present invention, its disclosure is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.

Claims (18)

  1. An application-based message processing method, comprising the steps of:
    detecting a message passed between applications, wherein the message has a type;
    determining whether the application receiving the message is a feature application;
    when the application receiving the message is a feature application, determining whether the type of the message is a feature type; and
    when the type of the message is a feature type, performing corresponding security processing.
  2. The method of claim 1, wherein, before the detecting of a message passed between applications, the method further comprises the steps of:
    when an application is detected starting, extracting first feature information of the application;
    sending the first feature information to a server;
    receiving an application tag and a message type tag returned by the server upon determining that the first feature information matches second feature information, wherein the second feature information is feature information of a feature application; and
    configuring the application tag for the application.
  3. The method of claim 1 or 2, wherein the step of determining whether the application receiving the message is a feature application comprises:
    determining whether the application receiving the message has an application tag; and
    if so, determining that the application receiving the message is a feature application.
  4. The method of claim 1 or 2, wherein the step of determining whether the type of the message is a feature type comprises:
    determining whether the type of the message matches the message type tag; and
    if so, determining that the type of the message is a feature type.
  5. The method of claim 1 or 2, wherein the step of performing corresponding security processing comprises:
    performing corresponding security processing according to the application tag of the application receiving the message.
  6. The method of claim 5, wherein the step of performing corresponding security processing according to the application tag of the application receiving the message comprises:
    when the application tag of the application receiving the message is a first tag, generating security prompt information for the application receiving the message and the application sending the message.
  7. The method of claim 5, wherein the step of performing corresponding security processing according to the application tag of the application receiving the message comprises:
    when the application tag of the application receiving the message is a second tag, removing the security mark of the application receiving the message.
  8. The method of claim 5, wherein the step of performing corresponding security processing according to the application tag of the application receiving the message comprises:
    when the application tag of the application receiving the message is a third tag, sending information of the application receiving the message, information of the application sending the message and the message to a server;
    receiving, from the server, operation information returned for the information of the application receiving the message, the information of the application sending the message and the message; and
    performing security processing according to the operation information.
  9. An application-based message processing apparatus, comprising:
    a detection module adapted to detect a message passed between applications, wherein the message has a type;
    a first determining module adapted to determine whether the application receiving the message is a feature application;
    a second determining module adapted to determine, when the application receiving the message is a feature application, whether the type of the message is a feature type; and
    a security processing module adapted to perform corresponding security processing when the type of the message is a feature type.
  10. The apparatus of claim 9, further comprising:
    an extracting module adapted to extract first feature information of an application when the application is detected starting;
    a sending module adapted to send the first feature information to a server;
    a receiving module adapted to receive an application tag and a message type tag returned by the server upon determining that the first feature information matches second feature information, wherein the second feature information is feature information of a feature application; and
    a configuration module adapted to configure the application tag for the application.
  11. The apparatus of claim 9 or 10, wherein the first determining module is further adapted to:
    determine whether the application receiving the message has an application tag, and if so, determine that the application receiving the message is a feature application.
  12. The apparatus of claim 9 or 10, wherein the second determining module is further adapted to:
    determine whether the type of the message matches the message type tag, and if so, determine that the type of the message is a feature type.
  13. The apparatus of claim 9 or 10, wherein the security processing module is further adapted to:
    perform corresponding security processing according to the application tag of the application receiving the message.
  14. The apparatus of claim 13, wherein the security processing module is further adapted to:
    when the application tag of the application receiving the message is a first tag, generate security prompt information for the application receiving the message and the application sending the message.
  15. The apparatus of claim 13, wherein the security processing module is further adapted to:
    when the application tag of the application receiving the message is a second tag, remove the security mark of the application receiving the message.
  16. The apparatus of claim 13, wherein the security processing module is further adapted to:
    when the application tag of the application receiving the message is a third tag, send information of the application receiving the message, information of the application sending the message and the message to a server;
    receive, from the server, operation information returned for the information of the application receiving the message, the information of the application sending the message and the message; and
    perform security processing according to the operation information.
  17. A computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform the application-based message processing method of any one of claims 1 to 8.
  18. A computer readable medium storing the computer program of claim 17.
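The flow of claims 1 to 8, modelled end to end as an added example; this is not code from the patent or its assignee. Everything concrete here is an assumption: feature information is modelled as a SHA-256 over package name and version, the server is an in-memory table, message types are plain strings, and the first, second and third tags are given the names `alert`, `strip_mark` and `consult_server`.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Tag names are assumptions; the claims only speak of a first, second and third tag.
FIRST_TAG, SECOND_TAG, THIRD_TAG = "alert", "strip_mark", "consult_server"

# Constructed server-side table: feature information -> (application tag, message type tag).
# Feature information is modelled as sha256("<package>:<version>").
SERVER_FEATURE_DB = {
    hashlib.sha256(b"com.example.pay:2.1").hexdigest(): (FIRST_TAG, "SEND_SMS"),
    hashlib.sha256(b"com.example.bank:4.0").hexdigest(): (SECOND_TAG, "START_ACTIVITY"),
    hashlib.sha256(b"com.example.wallet:1.3").hexdigest(): (THIRD_TAG, "BROADCAST"),
}

@dataclass
class App:
    package: str
    version: str
    app_tag: Optional[str] = None       # configured from the server's reply (claim 2)
    msg_type_tag: Optional[str] = None
    security_mark: bool = True          # removed under the second tag (claim 7)

def feature_info(app: App) -> str:
    """First feature information extracted on the device when the app starts."""
    return hashlib.sha256(f"{app.package}:{app.version}".encode()).hexdigest()

def server_lookup(first_feature: str) -> Optional[Tuple[str, str]]:
    """Server side: tags are returned only when first feature info matches stored second feature info."""
    return SERVER_FEATURE_DB.get(first_feature)

def on_app_start(app: App) -> None:
    """Claim 2: extract feature info, query the server, configure the returned tags on the app."""
    reply = server_lookup(feature_info(app))
    if reply is not None:
        app.app_tag, app.msg_type_tag = reply

def server_decide(receiver: App, sender: App, msg_type: str) -> str:
    """Server-side operation info for the third tag; the policy (distrust unknown senders) is constructed."""
    return "block" if sender.package.startswith("com.unknown.") else "allow"

def process_message(sender: App, receiver: App, msg_type: str) -> str:
    """Claims 1 and 3-8: the on-device decision path for one inter-application message."""
    if receiver.app_tag is None:                 # claim 3: no tag -> not a feature application
        return "pass"
    if msg_type != receiver.msg_type_tag:        # claim 4: type must match the message type tag
        return "pass"
    if receiver.app_tag == FIRST_TAG:            # claim 6: prompt about both endpoints
        return f"prompt:{sender.package}->{receiver.package}:{msg_type}"
    if receiver.app_tag == SECOND_TAG:           # claim 7: remove the receiver's security mark
        receiver.security_mark = False
        return "mark_removed"
    if receiver.app_tag == THIRD_TAG:            # claim 8: let the server decide, then act on it
        return f"server:{server_decide(receiver, sender, msg_type)}"
    return "pass"
```

Note that an untagged receiver or a non-matching message type short-circuits before any tag-specific handling, so only messages of the registered type reaching a known feature application ever incur the prompt, the mark removal or the server round trip.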
PCT/CN2015/095452 2014-12-16 2015-11-24 Method and device for processing application-based message WO2016095671A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410784718.4A CN104484608A (en) 2014-12-16 2014-12-16 Application-based message processing method and application-based message processing device
CN201410784718.4 2014-12-16

Publications (1)

Publication Number Publication Date
WO2016095671A1 true WO2016095671A1 (en) 2016-06-23

Family

ID=52759149

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/095452 WO2016095671A1 (en) 2014-12-16 2015-11-24 Method and device for processing application-based message

Country Status (2)

Country Link
CN (1) CN104484608A (en)
WO (1) WO2016095671A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484608A (en) * 2014-12-16 2015-04-01 北京奇虎科技有限公司 Application-based message processing method and application-based message processing device
CN109471804A (en) * 2018-11-14 2019-03-15 苏州科达科技股份有限公司 Application detection method, device and storage medium in iOS
CN109788353A (en) * 2018-12-05 2019-05-21 安徽站乾科技有限公司 A kind of set-top box encryption copy prevention method

Also Published As

Publication number Publication date
CN104484608A (en) 2015-04-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15869179; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15869179; Country of ref document: EP; Kind code of ref document: A1)